Commit d0f52e7c authored by Daniel Salzman's avatar Daniel Salzman

libdnssec: increase minimum allowed RSA key length to 1024

Solved Issue C from the security audit
parent b330e1da
......@@ -33,12 +33,6 @@ struct limits {
static const struct limits *get_limits(dnssec_key_algorithm_t algorithm)
{
static const struct limits RSA = {
.min = 512,
.max = 4096,
.def = 2048,
};
static const struct limits RSA_SHA512 = {
.min = 1024,
.max = 4096,
.def = 2048,
......@@ -72,9 +66,8 @@ static const struct limits *get_limits(dnssec_key_algorithm_t algorithm)
case DNSSEC_KEY_ALGORITHM_RSA_SHA1:
case DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3:
case DNSSEC_KEY_ALGORITHM_RSA_SHA256:
return &RSA;
case DNSSEC_KEY_ALGORITHM_RSA_SHA512:
return &RSA_SHA512;
return &RSA;
case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
return &EC256;
case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
......
......@@ -38,7 +38,7 @@ static void null_range(void)
r = dnssec_algorithm_key_size_range(algo, NULL, NULL);
ok(r == DNSSEC_EINVAL, "dnssec_algorithm_key_size_range() all null");
r = dnssec_algorithm_key_size_range(algo, &val, NULL);
ok(r == DNSSEC_EOK && val == 512, "dnssec_algorithm_key_size_range() min only");
ok(r == DNSSEC_EOK && val == 1024, "dnssec_algorithm_key_size_range() min only");
r = dnssec_algorithm_key_size_range(algo, NULL, &val);
ok(r == DNSSEC_EOK && val == 4096, "dnssec_algorithm_key_size_range() max only");
}
......@@ -47,9 +47,9 @@ static void check_borders(void)
{
dnssec_key_algorithm_t rsa = DNSSEC_KEY_ALGORITHM_RSA_SHA1;
ok(dnssec_algorithm_key_size_check(rsa, 511) == false, "rsa 511");
ok(dnssec_algorithm_key_size_check(rsa, 512) == true, "rsa 512");
ok(dnssec_algorithm_key_size_check(rsa, 513) == true, "rsa 513");
ok(dnssec_algorithm_key_size_check(rsa, 1023) == false, "rsa 1023");
ok(dnssec_algorithm_key_size_check(rsa, 1024) == true, "rsa 1024");
ok(dnssec_algorithm_key_size_check(rsa, 1025) == true, "rsa 1025");
ok(dnssec_algorithm_key_size_check(rsa, 4095) == true, "rsa 4095");
ok(dnssec_algorithm_key_size_check(rsa, 4096) == true, "rsa 4096");
ok(dnssec_algorithm_key_size_check(rsa, 4097) == false, "rsa 4097");
......@@ -69,8 +69,7 @@ int main(void)
plan_lazy();
// ranges
ok_range(DNSSEC_KEY_ALGORITHM_RSA_SHA256, 512, 4096, "RSA/SHA256");
ok_range(DNSSEC_KEY_ALGORITHM_RSA_SHA512, 1024, 4096, "RSA/SHA512");
ok_range(DNSSEC_KEY_ALGORITHM_RSA_SHA512, 1024, 4096, "RSA/SHA256");
ok_range(DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384, 384, 384, "ECDSA/SHA384");
#ifdef HAVE_ED25519
ok_range(DNSSEC_KEY_ALGORITHM_ED25519, 256, 256, "ED25519");
......
/* Copyright (C) 2014 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -163,7 +163,8 @@ int main(void)
// write
char *gen_id = NULL;
r = dnssec_keystore_generate_key(store, DNSSEC_KEY_ALGORITHM_RSA_SHA256, 512, &gen_id);
r = dnssec_keystore_generate_key(store, DNSSEC_KEY_ALGORITHM_RSA_SHA256,
1024, &gen_id);
ok(r == DNSSEC_EOK, "dnssec_keystore_generate_key()");
ok(test_write_ok, "test_write() called");
is_string(gen_id, test_write_id, "test_write() correct key ID");
......
This diff is collapsed.
......@@ -30,14 +30,20 @@ static const dnssec_binary_t input_data = {
.data = (uint8_t *)"Very good, young padawan."
};
static const dnssec_binary_t signed_rsa = { .size = 64, .data = (uint8_t []) {
0x93, 0x93, 0x5f, 0xd8, 0xa1, 0x2b, 0x4c, 0x0b, 0xf3, 0x67,
0x42, 0x13, 0x52, 0x00, 0x35, 0xdc, 0x09, 0xe0, 0xdf, 0xe0,
0x3e, 0xc2, 0xcf, 0x64, 0xab, 0x9f, 0x9f, 0x51, 0x5f, 0x5c,
0x27, 0xbe, 0x13, 0xd6, 0x17, 0x07, 0xa6, 0xe4, 0x3b, 0x63,
0x44, 0x85, 0x06, 0x13, 0xaa, 0x01, 0x3c, 0x58, 0x52, 0xa3,
0x98, 0x20, 0x65, 0x03, 0xd0, 0x40, 0xc8, 0xa0, 0xe9, 0xd2,
0xc0, 0x03, 0x5a, 0xab,
static const dnssec_binary_t signed_rsa = { .size = 128, .data = (uint8_t []) {
0x21, 0xba, 0xff, 0x0c, 0x15, 0x10, 0x73, 0x25, 0xa7, 0x8e,
0xf4, 0x71, 0x4b, 0xd3, 0x97, 0x6d, 0x95, 0x52, 0xc2, 0x0b,
0x43, 0xb3, 0x7d, 0x82, 0xe4, 0x3e, 0x2a, 0xc3, 0xb7, 0x17,
0x5b, 0x05, 0xe9, 0x1e, 0x13, 0xac, 0x27, 0x6f, 0x20, 0x93,
0x1a, 0xeb, 0xe2, 0x2c, 0x72, 0x70, 0x14, 0xe6, 0x49, 0xa7,
0x62, 0xdd, 0x4c, 0x72, 0x1e, 0x1d, 0xd8, 0xf9, 0xba, 0xbc,
0x96, 0x0e, 0xc3, 0xd4, 0xc1, 0x8f, 0x95, 0xdb, 0x01, 0x18,
0x24, 0x43, 0xbd, 0x2b, 0x52, 0x9b, 0x10, 0x1f, 0xba, 0x0a,
0x76, 0xbe, 0x0e, 0xaa, 0x91, 0x27, 0x7b, 0x9f, 0xed, 0x5a,
0xad, 0x96, 0x1a, 0x02, 0x97, 0x42, 0x91, 0x30, 0x03, 0x2b,
0x5c, 0xb8, 0xcc, 0x6b, 0xcf, 0x39, 0x62, 0x5e, 0x47, 0xae,
0x6d, 0x5b, 0x43, 0xd2, 0xc2, 0xd8, 0x22, 0x5d, 0xf5, 0x5e,
0x0a, 0x97, 0x65, 0x41, 0xc7, 0xaa, 0x28, 0x67,
}};
static const dnssec_binary_t signed_ecdsa = { .size = 64, .data = (uint8_t []) {
......
......@@ -13,18 +13,18 @@ t.link(zones, knot)
t.start()
# one KSK
knot.gen_key(zones[0], ksk=True, alg="RSASHA256", key_len="512")
knot.gen_key(zones[0], ksk=True, alg="ECDSAP256SHA256", key_len="256")
# one ZSK no longer supported
# multiple KSKs
knot.gen_key(zones[1], ksk=True, alg="RSASHA512", key_len="1024")
knot.gen_key(zones[1], ksk=True, alg="RSASHA256", key_len="512")
knot.gen_key(zones[1], ksk=True, alg="ECDSAP384SHA384", key_len="384")
knot.gen_key(zones[1], ksk=True, alg="ECDSAP256SHA256", key_len="256")
# different algorithms: KSK+ZSK pair, one KSK
knot.gen_key(zones[2], ksk=True, alg="RSASHA256", key_len="1024")
knot.gen_key(zones[2], ksk=False, alg="RSASHA256", key_len="1024")
knot.gen_key(zones[2], ksk=True, alg="RSASHA512", key_len="1024")
knot.gen_key(zones[2], ksk=True, alg="ECDSAP256SHA256", key_len="256")
knot.gen_key(zones[2], ksk=False, alg="ECDSAP256SHA256", key_len="256")
knot.gen_key(zones[2], ksk=True, alg="ECDSAP384SHA384", key_len="384")
for zone in zones[:-1]:
knot.dnssec(zone).enable = True
......
......@@ -15,7 +15,7 @@ knot = t.server("knot")
zones = t.zone_rnd(2, dnssec=False, records=5)
t.link(zones, knot)
knot.add_module(zones[0], ModOnlineSign())
knot.add_module(zones[1], ModOnlineSign("RSASHA256", key_size="512"))
knot.add_module(zones[1], ModOnlineSign("ECDSAP384SHA384", key_size="384"))
def check_zone(zone, dnskey_rdata_start):
# Check SOA record.
......@@ -67,7 +67,7 @@ t.start()
knot.zones_wait(zones)
check_zone(zones[0], "257 3 13")
check_zone(zones[1], "257 3 8")
check_zone(zones[1], "257 3 14")
t.end()
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment