Commit 62258ada authored by Evan Hunt's avatar Evan Hunt

[master] auto-generate salt

3781.	[func]		Specifying "auto" as the salt when using
			"rndc signing -nsec3param" causes named to
			generate a 64-bit salt at random. [RT #35322]
parent ffbd79e9
3781. [func] Specifying "auto" as the salt when using
"rndc signing -nsec3param" causes named to
generate a 64-bit salt at random. [RT #35322]
3781. [tuning] Use adaptive mutex locks when available; this
has been found to improve performance under load
on many systems. "configure --with-locktype=standard"
......
......@@ -9265,6 +9265,40 @@ newzone_cfgctx_destroy(void **cfgp) {
*cfgp = NULL;
}
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
int i, num_ints;
union {
unsigned char rnd[256];
isc_uint32_t rnd32[64];
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
isc_buffer_t buf;
if (saltlen > 256)
return (ISC_R_RANGE);
num_ints = (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
for (i = 0; i < num_ints; i++)
isc_random_get(&rnd.rnd32[i]);
memcpy(salt, rnd.rnd, saltlen);
r.base = rnd.rnd;
r.length = saltlen;
isc_buffer_init(&buf, text, sizeof(text));
isc_hex_totext(&r, 2, "", &buf);
text[saltlen * 2] = 0;
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
"generated salt: %s", text);
return (ISC_R_SUCCESS);
}
isc_result_t
ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
isc_result_t result = ISC_R_SUCCESS;
......@@ -9334,9 +9368,18 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
return (ISC_R_RANGE);
ptr = next_token(&args, " \t");
if (ptr == NULL)
if (ptr == NULL) {
return (ISC_R_UNEXPECTEDEND);
if (strcmp(ptr, "-") != 0) {
} else if (strcasecmp(ptr, "auto") == 0) {
/* Auto-generate a random salt.
* XXXMUKS: This currently uses the
* minimum recommended length by RFC
* 5155 (64 bits). It should be made
* configurable.
*/
saltlen = 8;
CHECK(generate_salt(salt, saltlen));
} else if (strcmp(ptr, "-") != 0) {
isc_buffer_t buf;
isc_buffer_init(&buf, salt, sizeof(salt));
......
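Review bot: generate_salt takes its bytes from isc_random_get, and if that is the non-cryptographic rand()-style generator rather than the entropy source, successive salts are predictable; an NSEC3 salt is published in NSEC3PARAM so secrecy is not required, but its purpose is to keep an attacker from pre-computing hashes for a salt they can guess, so a comment above the loop such as `/* The salt is public; it only needs to be unpredictable enough to defeat precomputation. Document which generator that requires. */` would make the intended strength explicit. The result of `isc_hex_totext(&r, 2, "", &buf)` is discarded: with `text` at 513 bytes and saltlen capped at 256 the write cannot overflow, but nothing ties those two sizes together, so `RUNTIME_CHECK(isc_hex_totext(&r, 2, "", &buf) == ISC_R_SUCCESS);` or a comment on the 256 bound pointing at `sizeof(text)` would record the dependency. That bound also admits 256 while the NSEC3 salt length on the wire is a single octet, so `if (saltlen > 255)` matches the format (the only caller passes 8 today). `num_ints` is an int assigned from a size_t expression; declaring `i` and `num_ints` as `size_t` avoids the narrowing.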
......@@ -723,8 +723,10 @@
defines the number of additional times to apply
the algorithm when generating an NSEC3 hash. The
<option>salt</option> is a string of data expressed
in hexadecimal, or a hyphen (`-') if no salt is
to be used.
in hexadecimal, a hyphen (`-') if no salt is
to be used, or the keyword <literal>auto</literal>,
which causes <command>named</command> to generate a
random 64-bit salt.
</para>
<para>
So, for example, to create an NSEC3 chain using
......
......@@ -1898,7 +1898,7 @@ ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
if [ "$salt" = "-" ]; then
break;
fi
......@@ -1910,6 +1910,39 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
[ -n "$salt" -a "$salt" != "-" ] && break
echo "I:sleeping ...."
sleep 1
done;
[ "$salt" != "-" ] || ret=1
[ `expr length $salt` -eq 16 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)"
ret=0
oldsalt=$salt
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 ; do
salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'`
[ -n "$salt" -a "$salt" != "$oldsalt" ] && break
echo "I:sleeping ...."
sleep 1
done;
[ "$salt" != "$oldsalt" ] || ret=1
[ `expr length $salt` -eq 16 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check rndc signing -list output ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic.example 2>&1 > signing.out
......
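Review bot: The two length checks `[ \`expr length $salt\` -eq 16 ] || ret=1` depend on `expr length`, a GNU extension that is not in POSIX expr, and the break conditions `[ -n "$salt" -a "$salt" != "-" ] && break` and `[ -n "$salt" -a "$salt" != "$oldsalt" ] && break` use the obsolescent `-a` form; the portable spellings are `[ ${#salt} -eq 16 ] || ret=1` and `[ -n "$salt" ] && [ "$salt" != "-" ] && break` (likewise for the oldsalt loop). When dig returns nothing the unquoted `expr length $salt` collapses to a test syntax error, which does set ret=1 but hides the real cause; `${#salt}` fails cleanly with a length of 0 instead. The "different salt" check relying on a 64-bit value not repeating is sound for a test, but a comment such as `# a repeated 64-bit random salt is not a realistic outcome; inequality is the check` would say so for the next reader.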