From: Chris Hofstaedtler
Date: Wed, 3 Jan 2018 18:04:17 +0000 (+0100)
Subject: Forbid creating algo 5/8/10 keys with out-of-spec sizes
X-Git-Tag: dnsdist-1.3.0~173^2~1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=86783480b50c1870197b08b1675131a742f68991;p=pdns
Forbid creating algo 5/8/10 keys with out-of-spec sizes
---
diff --git a/pdns/opensslsigners.cc b/pdns/opensslsigners.cc
index 8e3bb547b..633c25278 100644
--- a/pdns/opensslsigners.cc
+++ b/pdns/opensslsigners.cc
@@ -32,6 +32,7 @@
 #include
 #include "opensslsigners.hh"
 #include "dnssecinfra.hh"
+#include "dnsseckeeper.hh"
 #if (OPENSSL_VERSION_NUMBER < 0x1010000fL || defined LIBRESSL_VERSION_NUMBER) /* OpenSSL < 1.1.0 needs support for threading/locking in the calling application. */
@@ -211,6 +212,19 @@ private:
 void OpenSSLRSADNSCryptoKeyEngine::create(unsigned int bits) {
+ if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) && (bits < 512 || bits > 4096)) {
+ /* RFC3110 */
+ throw runtime_error(getName()+" RSASHA1 key generation failed for invalid bits size " + std::to_string(bits));
+ }
+ if (d_algorithm == DNSSECKeeper::RSASHA256 && (bits < 512 || bits > 4096)) {
+ /* RFC5702 */
+ throw runtime_error(getName()+" RSASHA256 key generation failed for invalid bits size " + std::to_string(bits));
+ }
+ if (d_algorithm == DNSSECKeeper::RSASHA512 && (bits < 1024 || bits > 4096)) {
+ /* RFC5702 */
+ throw runtime_error(getName()+" RSASHA512 key generation failed for invalid bits size " + std::to_string(bits));
+ }
+
 BIGNUM *e = BN_new();
 if (!e) {
 throw runtime_error(getName()+" key generation failed, unable to allocate e");
diff --git a/regression-tests.api/test_cryptokeys.py b/regression-tests.api/test_cryptokeys.py
index 553f2198d..49c4b400d 100644
--- a/regression-tests.api/test_cryptokeys.py
+++ b/regression-tests.api/test_cryptokeys.py
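Review bot: The bounds added at the top of `OpenSSLRSADNSCryptoKeyEngine::create` enforce what RFC 3110 and RFC 5702 permit, not what is safe to deploy: RSASHA1, RSASHA1NSEC3SHA1 and RSASHA256 still accept 512-bit keys, a modulus size that has been publicly factored. I would say so in the comments, e.g. `/* RFC3110 permits 512..4096 bits; conformance check only, not a strength floor */`, so that nobody later reads the check as a security minimum. The first branch also reports "RSASHA1" in its message when the key is RSASHA1NSEC3SHA1, which makes the logged algorithm misleading. Any other value of `d_algorithm` passes through unchecked; whether this engine can be instantiated for one is not visible here, and the body of create() continues beyond the hunk.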
@@ -112,11 +112,11 @@ class Cryptokeys(ApiTestCase):
 # Test POST to add a key with specific algorithm number
 def test_post_specific_number(self):
- self.post_helper(algo=10, bits=512)
+ self.post_helper(algo=10, bits=1024)
 # Test POST to add a key with specific name and bits
 def test_post_specific_name_bits(self):
- self.post_helper(algo="rsasha256", bits=256)
+ self.post_helper(algo="rsasha256", bits=2048)
 # Test POST to add a key with specific name
 def test_post_specific_name(self):
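Review bot: Nothing in this hunk asserts that the sizes the commit now forbids are actually rejected; the two calls are only moved to in-spec values (`bits=1024` for algo 10, `bits=2048` for rsasha256). A negative case, for instance a POST with `algo="rsasha256", bits=256` that expects an error response and no key created, would keep the new size check from regressing silently. Which status code the API returns for the thrown runtime_error is not visible here, so the expected value needs confirming against the handler. The Cryptokeys class and the body of test_post_specific_name lie outside the hunk.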