1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and

HMACSHA512 support. [RT #13606]

1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support. [RT #13606]
c6d4f781 · Mark Andrews · d0207ee7 · c6d4f781 · c6d4f781 · c6d4f781
Commit c6d4f781 authored Jan 27, 2006 by Mark Andrews
38 changed files
--- a/CHANGES
+++ b/CHANGES
+1973.	[func]		TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
+			HMACSHA512 support. [RT #13606]
+
 1972.	[contrib]	DBUS dynamic forwarders integation from
 			Jason Vas Dias <jvdias@redhat.com>.


--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dig.c,v 1.210 2006/01/07 00:23:35 marka Exp $ */
+/* $Id: dig.c,v 1.211 2006/01/27 02:35:14 marka Exp $ */

 /*! \file */

@@ -42,6 +42,7 @@
 #include <dns/rdatatype.h>
 #include <dns/rdataclass.h>
 #include <dns/result.h>
+#include <dns/tsig.h>

 #include <bind9/getaddresses.h>

@@ -152,7 +153,7 @@ help(void) {
 "                 -t type             (specify query type)\n"
 "                 -c class            (specify query class)\n"
 "                 -k keyfile          (specify tsig key file)\n"
-"                 -y name:key         (specify named base64 tsig key)\n"
+"                 -y [hmac:]name:key  (specify named base64 tsig key)\n"
 "                 -4                  (use IPv4 query transport only)\n"
 "                 -6                  (use IPv6 query transport only)\n"
 "        d-opt    is of the form +keyword[=value], where keyword is:\n"
@@ -1105,7 +1106,7 @@ static isc_boolean_t
 dash_option(char *option, char *next, dig_lookup_t **lookup,
 	    isc_boolean_t *open_type_class, isc_boolean_t config_only)
 {
-	char opt, *value, *ptr;
+	char opt, *value, *ptr, *ptr2, *ptr3;
 	isc_result_t result;
 	isc_boolean_t value_from_next;
 	isc_textregion_t tr;
@@ -1295,16 +1296,83 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				 value);
 		return (value_from_next);
 	case 'y':
-		ptr = next_token(&value,":");
+		ptr = next_token(&value,":");	/* hmac type or name */
 		if (ptr == NULL) {
 			usage();
 		}
+		ptr2 = next_token(&value, ":");	/* name or secret */
+		if (ptr2 == NULL)
+			usage();
+		ptr3 = next_token(&value,":"); /* secret or NULL */
+		if (ptr3 != NULL) {	
+			if (strcasecmp(ptr, "hmac-md5") == 0) {
+				hmacname = DNS_TSIG_HMACMD5_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
+				hmacname = DNS_TSIG_HMACMD5_NAME;
+				digestbits = parse_uint(&ptr[9],
+							"digest-bits [0..128]",
+							128);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha1") == 0) {
+				hmacname = DNS_TSIG_HMACSHA1_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
+				hmacname = DNS_TSIG_HMACSHA1_NAME;
+				digestbits = parse_uint(&ptr[10],
+							"digest-bits [0..160]",
+							160);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha224") == 0) {
+				hmacname = DNS_TSIG_HMACSHA224_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA224_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..224]",
+							224);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha256") == 0) {
+				hmacname = DNS_TSIG_HMACSHA256_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA256_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..256]",
+							256);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha384") == 0) {
+				hmacname = DNS_TSIG_HMACSHA384_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA384_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..384]",
+							384);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else if (strcasecmp(ptr, "hmac-sha512") == 0) {
+				hmacname = DNS_TSIG_HMACSHA512_NAME;
+				digestbits = 0;
+			} else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
+				hmacname = DNS_TSIG_HMACSHA512_NAME;
+				digestbits = parse_uint(&ptr[12],
+							"digest-bits [0..512]",
+							512);
+				digestbits = (digestbits + 7) & ~0x7U;
+			} else {
+				fprintf(stderr, ";; Warning, ignoring "
+					"invalid TSIG algorithm %s\n", ptr);
+				return (value_from_next);
+			}
+			ptr = ptr2;
+			ptr2 = ptr3;
+		} else  {
+			hmacname = DNS_TSIG_HMACMD5_NAME;
+			digestbits = 0;
+		}
 		strncpy(keynametext, ptr, sizeof(keynametext));
 		keynametext[sizeof(keynametext)-1]=0;
-		ptr = next_token(&value, "");
-		if (ptr == NULL)
-			usage();
-		strncpy(keysecret, ptr, sizeof(keysecret));
+		strncpy(keysecret, ptr2, sizeof(keysecret));
 		keysecret[sizeof(keysecret)-1]=0;
 		return (value_from_next);
 	case 'x':

--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -18,7 +18,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: dig.docbook,v 1.28 2005/10/26 04:35:53 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.29 2006/01/27 02:35:14 marka Exp $ -->
 <refentry id="man.dig">

  <refentryinfo>
@@ -63,7 +63,7 @@
      <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
      <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
-      <arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg>
+      <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
      <arg><option>-4</option></arg>
      <arg><option>-6</option></arg>
      <arg choice="opt">name</arg>
@@ -281,6 +281,7 @@
      responses using transaction signatures (TSIG), specify a TSIG key file
      using the <option>-k</option> option.  You can also specify the TSIG
      key itself on the command line using the <option>-y</option> option;
+      <parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5,
      <parameter>name</parameter> is the name of the TSIG key and
      <parameter>key</parameter> is the actual key.  The key is a
      base-64

--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dighost.c,v 1.290 2006/01/07 00:23:35 marka Exp $ */
+/* $Id: dighost.c,v 1.291 2006/01/27 02:35:14 marka Exp $ */

 /*! \file
 *  \note
@@ -161,6 +161,8 @@ int fatalexit = 0;
 char keynametext[MXNAME];
 char keyfile[MXNAME] = "";
 char keysecret[MXNAME] = "";
+dns_name_t *hmacname = NULL;
+unsigned int digestbits = 0;
 isc_buffer_t *namebuf = NULL;
 dns_tsigkey_t *key = NULL;
 isc_boolean_t validated = ISC_TRUE;
@@ -890,14 +892,15 @@ setup_text_key(void) {
 	if (result != ISC_R_SUCCESS)
 		goto failure;

-	result = dns_tsigkey_create(&keyname, dns_tsig_hmacmd5_name,
-				    secretstore, secretsize,
-				    ISC_FALSE, NULL, 0, 0, mctx,
+	result = dns_tsigkey_create(&keyname, hmacname, secretstore,
+				    secretsize, ISC_FALSE, NULL, 0, 0, mctx,
 				    NULL, &key);
 failure:
 	if (result != ISC_R_SUCCESS)
 		printf(";; Couldn't create key %s: %s\n",
 		       keynametext, isc_result_totext(result));
+	else
+		dst_key_setbits(key->key, digestbits);

 	isc_mem_free(mctx, secretstore);
 	dns_name_invalidate(&keyname);
@@ -918,8 +921,31 @@ setup_file_key(void) {
 		goto failure;
 	}

-	result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
-					   dns_tsig_hmacmd5_name,
+	switch (dst_key_alg(dstkey)) {
+	case DST_ALG_HMACMD5:
+		hmacname = DNS_TSIG_HMACMD5_NAME;
+		break;
+	case DST_ALG_HMACSHA1:
+		hmacname = DNS_TSIG_HMACSHA1_NAME;
+		break;
+	case DST_ALG_HMACSHA224:
+		hmacname = DNS_TSIG_HMACSHA224_NAME;
+		break;
+	case DST_ALG_HMACSHA256:
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+		break;
+	case DST_ALG_HMACSHA384:
+		hmacname = DNS_TSIG_HMACSHA384_NAME;
+		break;
+	case DST_ALG_HMACSHA512:
+		hmacname = DNS_TSIG_HMACSHA512_NAME;
+		break;
+	default:
+		printf(";; Couldn't create key %s: bad algorithm\n",
+		       keynametext);
+		goto failure;
+	}
+	result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
 					   dstkey, ISC_FALSE, NULL, 0, 0,
 					   mctx, NULL, &key);
 	if (result != ISC_R_SUCCESS) {

--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dig.h,v 1.96 2005/08/25 00:40:50 marka Exp $ */
+/* $Id: dig.h,v 1.97 2006/01/27 02:35:14 marka Exp $ */

 #ifndef DIG_H
 #define DIG_H
@@ -257,6 +257,8 @@ extern isc_sockaddr_t bind_address;
 extern char keynametext[MXNAME];
 extern char keyfile[MXNAME];
 extern char keysecret[MXNAME];
+extern dns_name_t *hmacname;
+extern unsigned int digestbits;
 #ifdef DIG_SIGCHASE
 extern char trustedkey[MXNAME];
 #endif

--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -16,7 +16,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-keygen.c,v 1.72 2006/01/04 00:37:24 marka Exp $ */
+/* $Id: dnssec-keygen.c,v 1.73 2006/01/27 02:35:14 marka Exp $ */

 /*! \file */

@@ -49,7 +49,9 @@
 const char *program = "dnssec-keygen";
 int verbose;

-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
+			  " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
+			  " HMAC-SHA384 | HMAC-SHA512";

 static isc_boolean_t
 dsa_size_ok(int size) {
@@ -70,10 +72,16 @@ usage(void) {
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
 	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
+	fprintf(stderr, "        HMAC-SHA1:\t[1..160]\n");
+	fprintf(stderr, "        HMAC-SHA224:\t[1..224]\n");
+	fprintf(stderr, "        HMAC-SHA256:\t[1..256]\n");
+	fprintf(stderr, "        HMAC-SHA384:\t[1..384]\n");
+	fprintf(stderr, "        HMAC-SHA512:\t[1..512]\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -c <class> (default: IN)\n");
+	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
 	fprintf(stderr, "    -e use large exponent (RSAMD5/RSASHA1 only)\n");
 	fprintf(stderr, "    -f keyflag: KSK\n");
 	fprintf(stderr, "    -g <generator> use specified generator "
@@ -117,6 +125,7 @@ main(int argc, char **argv) {
 	isc_entropy_t	*ectx = NULL;
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+	int		dbits = 0;

 	if (argc == 1)
 		usage();
@@ -126,7 +135,7 @@ main(int argc, char **argv) {
 	dns_result_register();

 	while ((ch = isc_commandline_parse(argc, argv,
-					   "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
+					   "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -140,6 +149,11 @@ main(int argc, char **argv) {
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
+		case 'd':
+			dbits = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || dbits < 0)
+				fatal("-d requires a non-negative number");
+			break;
 		case 'e':
 			rsa_exp = 1;
 			break;
@@ -221,6 +235,21 @@ main(int argc, char **argv) {
 	} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
 		options |= DST_TYPE_KEY;
 		alg = DST_ALG_HMACMD5;
+	} else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA1;
+	} else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA224;
+	} else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA256;
+	} else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA384;
+	} else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
+		options |= DST_TYPE_KEY;
+		alg = DST_ALG_HMACSHA512;
 	} else {
 		r.base = algname;
 		r.length = strlen(algname);
@@ -267,6 +296,56 @@ main(int argc, char **argv) {
 	case DST_ALG_HMACMD5:
 		if (size < 1 || size > 512)
 			fatal("HMAC-MD5 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 80 || dbits > 128))
+			fatal("HMAC-MD5 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-MD5 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA1:
+		if (size < 1 || size > 160)
+			fatal("HMAC-SHA1 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 80 || dbits > 160))
+			fatal("HMAC-SHA1 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA1 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA224:
+		if (size < 1 || size > 224)
+			fatal("HMAC-SHA224 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 112 || dbits > 224))
+			fatal("HMAC-SHA224 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA224 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA256:
+		if (size < 1 || size > 256)
+			fatal("HMAC-SHA256 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 128 || dbits > 256))
+			fatal("HMAC-SHA256 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA256 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA384:
+		if (size < 1 || size > 384)
+			fatal("HMAC-384 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 192 || dbits > 384))
+			fatal("HMAC-SHA384 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA384 digest bits %d not divisible by 8",
+			      dbits);
+		break;
+	case DST_ALG_HMACSHA512:
+		if (size < 1 || size > 512)
+			fatal("HMAC-SHA512 key size %d out of range", size);
+		if (dbits != 0 && (dbits < 256 || dbits > 512))
+			fatal("HMAC-SHA512 digest bits %d out of range", dbits);
+		if ((dbits % 8) != 0)
+			fatal("HMAC-SHA512 digest bits %d not divisible by 8",
+			      dbits);
 		break;
 	}

@@ -313,7 +392,10 @@ main(int argc, char **argv) {
 	}

 	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
-	    (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
+	    (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 ||
+	     alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 ||
+	     alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 ||
+	     alg == DST_ALG_HMACSHA512))
 		fatal("a key with algorithm '%s' cannot be a zone key",
 		      algname);

@@ -337,6 +419,11 @@ main(int argc, char **argv) {
 		break;
 	case DNS_KEYALG_DSA:
 	case DST_ALG_HMACMD5:
+	case DST_ALG_HMACSHA1:
+	case DST_ALG_HMACSHA224:
+	case DST_ALG_HMACSHA256:
+	case DST_ALG_HMACSHA384:
+	case DST_ALG_HMACSHA512:
 		param = 0;
 		break;
 	}
@@ -365,6 +452,8 @@ main(int argc, char **argv) {
 			exit(-1);
 		}

+		dst_key_setbits(key, dbits);
+
 		/*
 		 * Try to read a key with the same name, alg and id from disk.
 		 * If there is one we must continue generating a new one

--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.c,v 1.67 2006/01/05 23:45:33 marka Exp $ */
+/* $Id: config.c,v 1.68 2006/01/27 02:35:14 marka Exp $ */

 /*! \file */

@@ -27,6 +27,7 @@
 #include <isc/buffer.h>
 #include <isc/log.h>
 #include <isc/mem.h>
+#include <isc/parseint.h>
 #include <isc/region.h>
 #include <isc/result.h>
 #include <isc/sockaddr.h>
@@ -724,16 +725,65 @@ ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
 	return (ISC_R_SUCCESS);
 }

+struct keyalgorithms {
+	const char *str;
+	enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
+	       hmacsha256, hmacsha384, hmacsha512 } hmac;
+	isc_uint16_t size;
+} algorithms[] = {
+	{ "hmac-md5", hmacmd5, 128 },
+	{ "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
+	{ "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
+	{ "hmac-sha1", hmacsha1, 160 },
+	{ "hmac-sha224", hmacsha224, 224 },
+	{ "hmac-sha256", hmacsha256, 256 },
+	{ "hmac-sha384", hmacsha384, 384 },
+	{ "hmac-sha512", hmacsha512, 512 },
+	{  NULL, hmacnone, 0 }
+};
+
 isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name)
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+			  isc_uint16_t *digestbits)
 {
-	if (strcasecmp(str, "hmac-md5") == 0 ||
-	    strcasecmp(str, "hmac-md5.sig-alg.reg.int") == 0 ||
-	    strcasecmp(str, "hmac-md5.sig-alg.reg.int.") == 0)
-	{
-		if (name != NULL)
-			*name = dns_tsig_hmacmd5_name;
-		return (ISC_R_SUCCESS);
+	int i;
+	size_t len = 0;
+	isc_uint16_t bits;
+	isc_result_t result;
+
+	for (i = 0; algorithms[i].str != NULL; i++) {
+		len = strlen(algorithms[i].str);
+		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
+		    (str[len] == '\0' ||
+		     (algorithms[i].size != 0 && str[len] == '-')))
+			break;
 	}
-	return (ISC_R_NOTFOUND);
+	if (algorithms[i].str == NULL)
+		return (ISC_R_NOTFOUND);
+	if (str[len] == '-') {
+		result = isc_parse_uint16(&bits, str + len + 1, 10);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (bits > algorithms[i].size)
+			return (ISC_R_RANGE);
+	} else if (algorithms[i].size == 0)
+		bits = 128;
+	else
+		bits = algorithms[i].size;
+
+	if (name != NULL) {
+		switch (algorithms[i].hmac) {
+		case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
+		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
+		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
+		case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
+		case hmacsha384: *name = dns_tsig_hmacsha384_name; break;
+		case hmacsha512: *name = dns_tsig_hmacsha512_name; break;
+		default:
+			INSIST(0);
+		}
+	}
+	if (digestbits != NULL)
+		*digestbits = bits;
+	return (ISC_R_SUCCESS);
 }
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: controlconf.c,v 1.47 2005/11/30 03:36:45 marka Exp $ */
+/* $Id: controlconf.c,v 1.48 2006/01/27 02:35:14 marka Exp $ */

 /*! \file */

@@ -758,7 +758,7 @@ register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
 			algstr = cfg_obj_asstring(algobj);
 			secretstr = cfg_obj_asstring(secretobj);

-			if (ns_config_getkeyalgorithm(algstr, NULL) !=
+			if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
 			    ISC_R_SUCCESS)
 			{
 				cfg_obj_log(control, ns_g_lctx,
@@ -848,7 +848,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
 	algstr = cfg_obj_asstring(algobj);
 	secretstr = cfg_obj_asstring(secretobj);

-	if (ns_config_getkeyalgorithm(algstr, NULL) != ISC_R_SUCCESS) {
+	if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
 		cfg_obj_log(key, ns_g_lctx,
 			    ISC_LOG_WARNING,
 			    "unsupported algorithm '%s' in "

--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.h,v 1.9 2005/04/29 00:22:30 marka Exp $ */
+/* $Id: config.h,v 1.10 2006/01/27 02:35:14 marka Exp $ */

 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
@@ -72,6 +72,7 @@ isc_result_t
 ns_config_getport(cfg_obj_t *config, in_port_t *portp);

 isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
+			  isc_uint16_t *digestbits);

 #endif /* NAMED_CONFIG_H */
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: tsigconf.c,v 1.25 2005/08/23 02:36:07 marka Exp $ */
+/* $Id: tsigconf.c,v 1.26 2006/01/27 02:35:14 marka Exp $ */

 /*! \file */

@@ -38,6 +38,7 @@

 static isc_result_t
 add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
+	dns_tsigkey_t *tsigkey = NULL;
 	cfg_listelt_t *element;
 	cfg_obj_t *key = NULL;
 	const char *keyid = NULL;
@@ -46,6 +47,7 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 	int secretlen = 0;
 	isc_result_t ret;
 	isc_stdtime_t now;
+	isc_uint16_t bits;

 	for (element = cfg_list_first(list);
 	     element != NULL;
@@ -86,10 +88,11 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 		 * Create the algorithm.
 		 */
 		algstr = cfg_obj_asstring(algobj);
-		if (ns_config_getkeyalgorithm(algstr, &alg) != ISC_R_SUCCESS) {
+		if (ns_config_getkeyalgorithm(algstr, &alg, &bits)
+		    != ISC_R_SUCCESS) {
 			cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR,
-				    "key '%s': the only supported algorithm "
-				    "is hmac-md5", keyid);
+				    "key '%s': has a unsupported algorithm '%s'",
+				    keyid, algstr);
 			ret = DNS_R_BADALG;
 			goto failure;
 		}
@@ -110,11 +113,16 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 		isc_stdtime_get(&now);
 		ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
 					 ISC_FALSE, NULL, now, now,
-					 mctx, ring, NULL);
+					 mctx, ring, &tsigkey);
 		isc_mem_put(mctx, secret, secretalloc);
 		secret = NULL;
 		if (ret != ISC_R_SUCCESS)
 			goto failure;
+		/*
+		 * Set digest bits.
+		 */
+		dst_key_setbits(tsigkey->key, bits);
+		dns_tsigkey_detach(&tsigkey);
 	}

 	return (ISC_R_SUCCESS);
@@ -127,7 +135,6 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
 	if (secret != NULL)
 		isc_mem_put(mctx, secret, secretalloc);
 	return (ret);
-
 }

 isc_result_t

--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: nsupdate.c,v 1.141 2006/01/07 00:23:35 marka Exp $ */
+/* $Id: nsupdate.c,v 1.142 2006/01/27 02:35:14 marka Exp $ */

 /*! \file */

@@ -284,6 +284,74 @@ reset_system(void) {
 	updatemsg->opcode = dns_opcode_update;
 }

+static isc_uint16_t
+parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
+	isc_uint16_t digestbits = 0;
+	isc_result_t result;
+	char buf[20];
+