Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
What's new
7
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Open sidebar
ISC Open Source Projects
BIND
Commits
c6d4f781
Commit
c6d4f781
authored
Jan 27, 2006
by
Mark Andrews
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support. [RT #13606]
parent
d0207ee7
Changes
38
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
38 changed files
with
4727 additions
and
171 deletions
+4727
-171
CHANGES
CHANGES
+3
-0
bin/dig/dig.c
bin/dig/dig.c
+76
-8
bin/dig/dig.docbook
bin/dig/dig.docbook
+3
-2
bin/dig/dighost.c
bin/dig/dighost.c
+32
-6
bin/dig/include/dig/dig.h
bin/dig/include/dig/dig.h
+3
-1
bin/dnssec/dnssec-keygen.c
bin/dnssec/dnssec-keygen.c
+93
-4
bin/named/config.c
bin/named/config.c
+60
-10
bin/named/controlconf.c
bin/named/controlconf.c
+3
-3
bin/named/include/named/config.h
bin/named/include/named/config.h
+3
-2
bin/named/tsigconf.c
bin/named/tsigconf.c
+13
-6
bin/nsupdate/nsupdate.c
bin/nsupdate/nsupdate.c
+132
-16
bin/nsupdate/nsupdate.docbook
bin/nsupdate/nsupdate.docbook
+23
-34
bin/tests/system/tsig/clean.sh
bin/tests/system/tsig/clean.sh
+23
-0
bin/tests/system/tsig/ns1/example.db
bin/tests/system/tsig/ns1/example.db
+152
-0
bin/tests/system/tsig/ns1/named.conf
bin/tests/system/tsig/ns1/named.conf
+96
-0
bin/tests/system/tsig/tests.sh
bin/tests/system/tsig/tests.sh
+219
-0
doc/arm/Bv9ARM-book.xml
doc/arm/Bv9ARM-book.xml
+15
-11
lib/bind9/check.c
lib/bind9/check.c
+75
-5
lib/dns/dst_api.c
lib/dns/dst_api.c
+22
-1
lib/dns/dst_internal.h
lib/dns/dst_internal.h
+7
-1
lib/dns/dst_parse.c
lib/dns/dst_parse.c
+80
-8
lib/dns/dst_parse.h
lib/dns/dst_parse.h
+24
-2
lib/dns/hmac_link.c
lib/dns/hmac_link.c
+1398
-14
lib/dns/include/dns/tsig.h
lib/dns/include/dns/tsig.h
+11
-1
lib/dns/include/dns/types.h
lib/dns/include/dns/types.h
+3
-2
lib/dns/include/dst/dst.h
lib/dns/include/dst/dst.h
+24
-1
lib/dns/key.c
lib/dns/key.c
+19
-1
lib/dns/rcode.c
lib/dns/rcode.c
+2
-1
lib/dns/tsig.c
lib/dns/tsig.c
+244
-16
lib/isc/Makefile.in
lib/isc/Makefile.in
+7
-7
lib/isc/hmacmd5.c
lib/isc/hmacmd5.c
+8
-2
lib/isc/hmacsha.c
lib/isc/hmacsha.c
+438
-0
lib/isc/include/isc/Makefile.in
lib/isc/include/isc/Makefile.in
+4
-4
lib/isc/include/isc/hmacmd5.h
lib/isc/include/isc/hmacmd5.h
+4
-1
lib/isc/include/isc/hmacsha.h
lib/isc/include/isc/hmacsha.h
+156
-0
lib/isc/include/isc/sha2.h
lib/isc/include/isc/sha2.h
+125
-0
lib/isc/sha2.c
lib/isc/sha2.c
+1119
-0
util/copyrights
util/copyrights
+8
-1
No files found.
CHANGES
View file @
c6d4f781
1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support. [RT #13606]
1972. [contrib] DBUS dynamic forwarders integation from
Jason Vas Dias <jvdias@redhat.com>.
...
...
bin/dig/dig.c
View file @
c6d4f781
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.c,v 1.21
0
2006/01/
0
7 0
0:23:35
marka Exp $ */
/* $Id: dig.c,v 1.21
1
2006/01/
2
7 0
2:35:14
marka Exp $ */
/*! \file */
...
...
@@ -42,6 +42,7 @@
#include <dns/rdatatype.h>
#include <dns/rdataclass.h>
#include <dns/result.h>
#include <dns/tsig.h>
#include <bind9/getaddresses.h>
...
...
@@ -152,7 +153,7 @@ help(void) {
" -t type (specify query type)
\n
"
" -c class (specify query class)
\n
"
" -k keyfile (specify tsig key file)
\n
"
" -y name:key
(specify named base64 tsig key)
\n
"
" -y
[hmac:]
name:key (specify named base64 tsig key)
\n
"
" -4 (use IPv4 query transport only)
\n
"
" -6 (use IPv6 query transport only)
\n
"
" d-opt is of the form +keyword[=value], where keyword is:
\n
"
...
...
@@ -1105,7 +1106,7 @@ static isc_boolean_t
dash_option
(
char
*
option
,
char
*
next
,
dig_lookup_t
**
lookup
,
isc_boolean_t
*
open_type_class
,
isc_boolean_t
config_only
)
{
char
opt
,
*
value
,
*
ptr
;
char
opt
,
*
value
,
*
ptr
,
*
ptr2
,
*
ptr3
;
isc_result_t
result
;
isc_boolean_t
value_from_next
;
isc_textregion_t
tr
;
...
...
@@ -1295,16 +1296,83 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
value
);
return
(
value_from_next
);
case
'y'
:
ptr
=
next_token
(
&
value
,
":"
);
ptr
=
next_token
(
&
value
,
":"
);
/* hmac type or name */
if
(
ptr
==
NULL
)
{
usage
();
}
ptr2
=
next_token
(
&
value
,
":"
);
/* name or secret */
if
(
ptr2
==
NULL
)
usage
();
ptr3
=
next_token
(
&
value
,
":"
);
/* secret or NULL */
if
(
ptr3
!=
NULL
)
{
if
(
strcasecmp
(
ptr
,
"hmac-md5"
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACMD5_NAME
;
digestbits
=
0
;
}
else
if
(
strncasecmp
(
ptr
,
"hmac-md5-"
,
9
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACMD5_NAME
;
digestbits
=
parse_uint
(
&
ptr
[
9
],
"digest-bits [0..128]"
,
128
);
digestbits
=
(
digestbits
+
7
)
&
~
0x7U
;
}
else
if
(
strcasecmp
(
ptr
,
"hmac-sha1"
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA1_NAME
;
digestbits
=
0
;
}
else
if
(
strncasecmp
(
ptr
,
"hmac-sha1-"
,
10
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA1_NAME
;
digestbits
=
parse_uint
(
&
ptr
[
10
],
"digest-bits [0..160]"
,
160
);
digestbits
=
(
digestbits
+
7
)
&
~
0x7U
;
}
else
if
(
strcasecmp
(
ptr
,
"hmac-sha224"
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA224_NAME
;
digestbits
=
0
;
}
else
if
(
strncasecmp
(
ptr
,
"hmac-sha224-"
,
12
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA224_NAME
;
digestbits
=
parse_uint
(
&
ptr
[
12
],
"digest-bits [0..224]"
,
224
);
digestbits
=
(
digestbits
+
7
)
&
~
0x7U
;
}
else
if
(
strcasecmp
(
ptr
,
"hmac-sha256"
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA256_NAME
;
digestbits
=
0
;
}
else
if
(
strncasecmp
(
ptr
,
"hmac-sha256-"
,
12
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA256_NAME
;
digestbits
=
parse_uint
(
&
ptr
[
12
],
"digest-bits [0..256]"
,
256
);
digestbits
=
(
digestbits
+
7
)
&
~
0x7U
;
}
else
if
(
strcasecmp
(
ptr
,
"hmac-sha384"
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA384_NAME
;
digestbits
=
0
;
}
else
if
(
strncasecmp
(
ptr
,
"hmac-sha384-"
,
12
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA384_NAME
;
digestbits
=
parse_uint
(
&
ptr
[
12
],
"digest-bits [0..384]"
,
384
);
digestbits
=
(
digestbits
+
7
)
&
~
0x7U
;
}
else
if
(
strcasecmp
(
ptr
,
"hmac-sha512"
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA512_NAME
;
digestbits
=
0
;
}
else
if
(
strncasecmp
(
ptr
,
"hmac-sha512-"
,
12
)
==
0
)
{
hmacname
=
DNS_TSIG_HMACSHA512_NAME
;
digestbits
=
parse_uint
(
&
ptr
[
12
],
"digest-bits [0..512]"
,
512
);
digestbits
=
(
digestbits
+
7
)
&
~
0x7U
;
}
else
{
fprintf
(
stderr
,
";; Warning, ignoring "
"invalid TSIG algorithm %s
\n
"
,
ptr
);
return
(
value_from_next
);
}
ptr
=
ptr2
;
ptr2
=
ptr3
;
}
else
{
hmacname
=
DNS_TSIG_HMACMD5_NAME
;
digestbits
=
0
;
}
strncpy
(
keynametext
,
ptr
,
sizeof
(
keynametext
));
keynametext
[
sizeof
(
keynametext
)
-
1
]
=
0
;
ptr
=
next_token
(
&
value
,
""
);
if
(
ptr
==
NULL
)
usage
();
strncpy
(
keysecret
,
ptr
,
sizeof
(
keysecret
));
strncpy
(
keysecret
,
ptr2
,
sizeof
(
keysecret
));
keysecret
[
sizeof
(
keysecret
)
-
1
]
=
0
;
return
(
value_from_next
);
case
'x'
:
...
...
bin/dig/dig.docbook
View file @
c6d4f781
...
...
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dig.docbook,v 1.2
8
200
5/10
/2
6
0
4
:35:
53
marka Exp $ -->
<!-- $Id: dig.docbook,v 1.2
9
200
6/01
/2
7
0
2
:35:
14
marka Exp $ -->
<refentry
id=
"man.dig"
>
<refentryinfo>
...
...
@@ -63,7 +63,7 @@
<arg><option>
-q
<replaceable
class=
"parameter"
>
name
</replaceable></option></arg>
<arg><option>
-t
<replaceable
class=
"parameter"
>
type
</replaceable></option></arg>
<arg><option>
-x
<replaceable
class=
"parameter"
>
addr
</replaceable></option></arg>
<arg><option>
-y
<replaceable
class=
"parameter"
>
name:key
</replaceable></option></arg>
<arg><option>
-y
<replaceable
class=
"parameter"
>
<optional>
hmac:
</optional>
name:key
</replaceable></option></arg>
<arg><option>
-4
</option></arg>
<arg><option>
-6
</option></arg>
<arg
choice=
"opt"
>
name
</arg>
...
...
@@ -281,6 +281,7 @@
responses using transaction signatures (TSIG), specify a TSIG key file
using the
<option>
-k
</option>
option. You can also specify the TSIG
key itself on the command line using the
<option>
-y
</option>
option;
<parameter>
hmac
</parameter>
is the type of the TSIG, default HMAC-MD5,
<parameter>
name
</parameter>
is the name of the TSIG key and
<parameter>
key
</parameter>
is the actual key. The key is a
base-64
...
...
bin/dig/dighost.c
View file @
c6d4f781
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dighost.c,v 1.29
0
2006/01/
0
7 0
0:23:35
marka Exp $ */
/* $Id: dighost.c,v 1.29
1
2006/01/
2
7 0
2:35:14
marka Exp $ */
/*! \file
* \note
...
...
@@ -161,6 +161,8 @@ int fatalexit = 0;
char
keynametext
[
MXNAME
];
char
keyfile
[
MXNAME
]
=
""
;
char
keysecret
[
MXNAME
]
=
""
;
dns_name_t
*
hmacname
=
NULL
;
unsigned
int
digestbits
=
0
;
isc_buffer_t
*
namebuf
=
NULL
;
dns_tsigkey_t
*
key
=
NULL
;
isc_boolean_t
validated
=
ISC_TRUE
;
...
...
@@ -890,14 +892,15 @@ setup_text_key(void) {
if
(
result
!=
ISC_R_SUCCESS
)
goto
failure
;
result
=
dns_tsigkey_create
(
&
keyname
,
dns_tsig_hmacmd5_name
,
secretstore
,
secretsize
,
ISC_FALSE
,
NULL
,
0
,
0
,
mctx
,
result
=
dns_tsigkey_create
(
&
keyname
,
hmacname
,
secretstore
,
secretsize
,
ISC_FALSE
,
NULL
,
0
,
0
,
mctx
,
NULL
,
&
key
);
failure:
if
(
result
!=
ISC_R_SUCCESS
)
printf
(
";; Couldn't create key %s: %s
\n
"
,
keynametext
,
isc_result_totext
(
result
));
else
dst_key_setbits
(
key
->
key
,
digestbits
);
isc_mem_free
(
mctx
,
secretstore
);
dns_name_invalidate
(
&
keyname
);
...
...
@@ -918,8 +921,31 @@ setup_file_key(void) {
goto
failure
;
}
result
=
dns_tsigkey_createfromkey
(
dst_key_name
(
dstkey
),
dns_tsig_hmacmd5_name
,
switch
(
dst_key_alg
(
dstkey
))
{
case
DST_ALG_HMACMD5
:
hmacname
=
DNS_TSIG_HMACMD5_NAME
;
break
;
case
DST_ALG_HMACSHA1
:
hmacname
=
DNS_TSIG_HMACSHA1_NAME
;
break
;
case
DST_ALG_HMACSHA224
:
hmacname
=
DNS_TSIG_HMACSHA224_NAME
;
break
;
case
DST_ALG_HMACSHA256
:
hmacname
=
DNS_TSIG_HMACSHA256_NAME
;
break
;
case
DST_ALG_HMACSHA384
:
hmacname
=
DNS_TSIG_HMACSHA384_NAME
;
break
;
case
DST_ALG_HMACSHA512
:
hmacname
=
DNS_TSIG_HMACSHA512_NAME
;
break
;
default:
printf
(
";; Couldn't create key %s: bad algorithm
\n
"
,
keynametext
);
goto
failure
;
}
result
=
dns_tsigkey_createfromkey
(
dst_key_name
(
dstkey
),
hmacname
,
dstkey
,
ISC_FALSE
,
NULL
,
0
,
0
,
mctx
,
NULL
,
&
key
);
if
(
result
!=
ISC_R_SUCCESS
)
{
...
...
bin/dig/include/dig/dig.h
View file @
c6d4f781
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.h,v 1.9
6
200
5
/0
8
/2
5
0
0:40:50
marka Exp $ */
/* $Id: dig.h,v 1.9
7
200
6
/0
1
/2
7
0
2:35:14
marka Exp $ */
#ifndef DIG_H
#define DIG_H
...
...
@@ -257,6 +257,8 @@ extern isc_sockaddr_t bind_address;
extern
char
keynametext
[
MXNAME
];
extern
char
keyfile
[
MXNAME
];
extern
char
keysecret
[
MXNAME
];
extern
dns_name_t
*
hmacname
;
extern
unsigned
int
digestbits
;
#ifdef DIG_SIGCHASE
extern
char
trustedkey
[
MXNAME
];
#endif
...
...
bin/dnssec/dnssec-keygen.c
View file @
c6d4f781
...
...
@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.7
2
2006/01/
04
0
0
:3
7:2
4 marka Exp $ */
/* $Id: dnssec-keygen.c,v 1.7
3
2006/01/
27
0
2
:3
5:1
4 marka Exp $ */
/*! \file */
...
...
@@ -49,7 +49,9 @@
const
char
*
program
=
"dnssec-keygen"
;
int
verbose
;
static
const
char
*
algs
=
"RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5"
;
static
const
char
*
algs
=
"RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
" HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
" HMAC-SHA384 | HMAC-SHA512"
;
static
isc_boolean_t
dsa_size_ok
(
int
size
)
{
...
...
@@ -70,10 +72,16 @@ usage(void) {
fprintf
(
stderr
,
" DH:
\t\t
[128..4096]
\n
"
);
fprintf
(
stderr
,
" DSA:
\t\t
[512..1024] and divisible by 64
\n
"
);
fprintf
(
stderr
,
" HMAC-MD5:
\t
[1..512]
\n
"
);
fprintf
(
stderr
,
" HMAC-SHA1:
\t
[1..160]
\n
"
);
fprintf
(
stderr
,
" HMAC-SHA224:
\t
[1..224]
\n
"
);
fprintf
(
stderr
,
" HMAC-SHA256:
\t
[1..256]
\n
"
);
fprintf
(
stderr
,
" HMAC-SHA384:
\t
[1..384]
\n
"
);
fprintf
(
stderr
,
" HMAC-SHA512:
\t
[1..512]
\n
"
);
fprintf
(
stderr
,
" -n nametype: ZONE | HOST | ENTITY | USER | OTHER
\n
"
);
fprintf
(
stderr
,
" name: owner of the key
\n
"
);
fprintf
(
stderr
,
"Other options:
\n
"
);
fprintf
(
stderr
,
" -c <class> (default: IN)
\n
"
);
fprintf
(
stderr
,
" -d <digest bits> (0 => max, default)
\n
"
);
fprintf
(
stderr
,
" -e use large exponent (RSAMD5/RSASHA1 only)
\n
"
);
fprintf
(
stderr
,
" -f keyflag: KSK
\n
"
);
fprintf
(
stderr
,
" -g <generator> use specified generator "
...
...
@@ -117,6 +125,7 @@ main(int argc, char **argv) {
isc_entropy_t
*
ectx
=
NULL
;
dns_rdataclass_t
rdclass
;
int
options
=
DST_TYPE_PRIVATE
|
DST_TYPE_PUBLIC
;
int
dbits
=
0
;
if
(
argc
==
1
)
usage
();
...
...
@@ -126,7 +135,7 @@ main(int argc, char **argv) {
dns_result_register
();
while
((
ch
=
isc_commandline_parse
(
argc
,
argv
,
"a:b:c:ef:g:kn:t:p:s:r:v:h"
))
!=
-
1
)
"a:b:c:
d:
ef:g:kn:t:p:s:r:v:h"
))
!=
-
1
)
{
switch
(
ch
)
{
case
'a'
:
...
...
@@ -140,6 +149,11 @@ main(int argc, char **argv) {
case
'c'
:
classname
=
isc_commandline_argument
;
break
;
case
'd'
:
dbits
=
strtol
(
isc_commandline_argument
,
&
endp
,
10
);
if
(
*
endp
!=
'\0'
||
dbits
<
0
)
fatal
(
"-d requires a non-negative number"
);
break
;
case
'e'
:
rsa_exp
=
1
;
break
;
...
...
@@ -221,6 +235,21 @@ main(int argc, char **argv) {
}
else
if
(
strcasecmp
(
algname
,
"HMAC-MD5"
)
==
0
)
{
options
|=
DST_TYPE_KEY
;
alg
=
DST_ALG_HMACMD5
;
}
else
if
(
strcasecmp
(
algname
,
"HMAC-SHA1"
)
==
0
)
{
options
|=
DST_TYPE_KEY
;
alg
=
DST_ALG_HMACSHA1
;
}
else
if
(
strcasecmp
(
algname
,
"HMAC-SHA224"
)
==
0
)
{
options
|=
DST_TYPE_KEY
;
alg
=
DST_ALG_HMACSHA224
;
}
else
if
(
strcasecmp
(
algname
,
"HMAC-SHA256"
)
==
0
)
{
options
|=
DST_TYPE_KEY
;
alg
=
DST_ALG_HMACSHA256
;
}
else
if
(
strcasecmp
(
algname
,
"HMAC-SHA384"
)
==
0
)
{
options
|=
DST_TYPE_KEY
;
alg
=
DST_ALG_HMACSHA384
;
}
else
if
(
strcasecmp
(
algname
,
"HMAC-SHA512"
)
==
0
)
{
options
|=
DST_TYPE_KEY
;
alg
=
DST_ALG_HMACSHA512
;
}
else
{
r
.
base
=
algname
;
r
.
length
=
strlen
(
algname
);
...
...
@@ -267,6 +296,56 @@ main(int argc, char **argv) {
case
DST_ALG_HMACMD5
:
if
(
size
<
1
||
size
>
512
)
fatal
(
"HMAC-MD5 key size %d out of range"
,
size
);
if
(
dbits
!=
0
&&
(
dbits
<
80
||
dbits
>
128
))
fatal
(
"HMAC-MD5 digest bits %d out of range"
,
dbits
);
if
((
dbits
%
8
)
!=
0
)
fatal
(
"HMAC-MD5 digest bits %d not divisible by 8"
,
dbits
);
break
;
case
DST_ALG_HMACSHA1
:
if
(
size
<
1
||
size
>
160
)
fatal
(
"HMAC-SHA1 key size %d out of range"
,
size
);
if
(
dbits
!=
0
&&
(
dbits
<
80
||
dbits
>
160
))
fatal
(
"HMAC-SHA1 digest bits %d out of range"
,
dbits
);
if
((
dbits
%
8
)
!=
0
)
fatal
(
"HMAC-SHA1 digest bits %d not divisible by 8"
,
dbits
);
break
;
case
DST_ALG_HMACSHA224
:
if
(
size
<
1
||
size
>
224
)
fatal
(
"HMAC-SHA224 key size %d out of range"
,
size
);
if
(
dbits
!=
0
&&
(
dbits
<
112
||
dbits
>
224
))
fatal
(
"HMAC-SHA224 digest bits %d out of range"
,
dbits
);
if
((
dbits
%
8
)
!=
0
)
fatal
(
"HMAC-SHA224 digest bits %d not divisible by 8"
,
dbits
);
break
;
case
DST_ALG_HMACSHA256
:
if
(
size
<
1
||
size
>
256
)
fatal
(
"HMAC-SHA256 key size %d out of range"
,
size
);
if
(
dbits
!=
0
&&
(
dbits
<
128
||
dbits
>
256
))
fatal
(
"HMAC-SHA256 digest bits %d out of range"
,
dbits
);
if
((
dbits
%
8
)
!=
0
)
fatal
(
"HMAC-SHA256 digest bits %d not divisible by 8"
,
dbits
);
break
;
case
DST_ALG_HMACSHA384
:
if
(
size
<
1
||
size
>
384
)
fatal
(
"HMAC-384 key size %d out of range"
,
size
);
if
(
dbits
!=
0
&&
(
dbits
<
192
||
dbits
>
384
))
fatal
(
"HMAC-SHA384 digest bits %d out of range"
,
dbits
);
if
((
dbits
%
8
)
!=
0
)
fatal
(
"HMAC-SHA384 digest bits %d not divisible by 8"
,
dbits
);
break
;
case
DST_ALG_HMACSHA512
:
if
(
size
<
1
||
size
>
512
)
fatal
(
"HMAC-SHA512 key size %d out of range"
,
size
);
if
(
dbits
!=
0
&&
(
dbits
<
256
||
dbits
>
512
))
fatal
(
"HMAC-SHA512 digest bits %d out of range"
,
dbits
);
if
((
dbits
%
8
)
!=
0
)
fatal
(
"HMAC-SHA512 digest bits %d not divisible by 8"
,
dbits
);
break
;
}
...
...
@@ -313,7 +392,10 @@ main(int argc, char **argv) {
}
if
((
flags
&
DNS_KEYFLAG_OWNERMASK
)
==
DNS_KEYOWNER_ZONE
&&
(
alg
==
DNS_KEYALG_DH
||
alg
==
DST_ALG_HMACMD5
))
(
alg
==
DNS_KEYALG_DH
||
alg
==
DST_ALG_HMACMD5
||
alg
==
DST_ALG_HMACSHA1
||
alg
==
DST_ALG_HMACSHA224
||
alg
==
DST_ALG_HMACSHA256
||
alg
==
DST_ALG_HMACSHA384
||
alg
==
DST_ALG_HMACSHA512
))
fatal
(
"a key with algorithm '%s' cannot be a zone key"
,
algname
);
...
...
@@ -337,6 +419,11 @@ main(int argc, char **argv) {
break
;
case
DNS_KEYALG_DSA
:
case
DST_ALG_HMACMD5
:
case
DST_ALG_HMACSHA1
:
case
DST_ALG_HMACSHA224
:
case
DST_ALG_HMACSHA256
:
case
DST_ALG_HMACSHA384
:
case
DST_ALG_HMACSHA512
:
param
=
0
;
break
;
}
...
...
@@ -365,6 +452,8 @@ main(int argc, char **argv) {
exit
(
-
1
);
}
dst_key_setbits
(
key
,
dbits
);
/*
* Try to read a key with the same name, alg and id from disk.
* If there is one we must continue generating a new one
...
...
bin/named/config.c
View file @
c6d4f781
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.6
7
2006/01/
05 23:45:33
marka Exp $ */
/* $Id: config.c,v 1.6
8
2006/01/
27 02:35:14
marka Exp $ */
/*! \file */
...
...
@@ -27,6 +27,7 @@
#include <isc/buffer.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/parseint.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
...
...
@@ -724,16 +725,65 @@ ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
return
(
ISC_R_SUCCESS
);
}
struct
keyalgorithms
{
const
char
*
str
;
enum
{
hmacnone
,
hmacmd5
,
hmacsha1
,
hmacsha224
,
hmacsha256
,
hmacsha384
,
hmacsha512
}
hmac
;
isc_uint16_t
size
;
}
algorithms
[]
=
{
{
"hmac-md5"
,
hmacmd5
,
128
},
{
"hmac-md5.sig-alg.reg.int"
,
hmacmd5
,
0
},
{
"hmac-md5.sig-alg.reg.int."
,
hmacmd5
,
0
},
{
"hmac-sha1"
,
hmacsha1
,
160
},
{
"hmac-sha224"
,
hmacsha224
,
224
},
{
"hmac-sha256"
,
hmacsha256
,
256
},
{
"hmac-sha384"
,
hmacsha384
,
384
},
{
"hmac-sha512"
,
hmacsha512
,
512
},
{
NULL
,
hmacnone
,
0
}
};
isc_result_t
ns_config_getkeyalgorithm
(
const
char
*
str
,
dns_name_t
**
name
)
ns_config_getkeyalgorithm
(
const
char
*
str
,
dns_name_t
**
name
,
isc_uint16_t
*
digestbits
)
{
if
(
strcasecmp
(
str
,
"hmac-md5"
)
==
0
||
strcasecmp
(
str
,
"hmac-md5.sig-alg.reg.int"
)
==
0
||
strcasecmp
(
str
,
"hmac-md5.sig-alg.reg.int."
)
==
0
)
{
if
(
name
!=
NULL
)
*
name
=
dns_tsig_hmacmd5_name
;
return
(
ISC_R_SUCCESS
);
int
i
;
size_t
len
=
0
;
isc_uint16_t
bits
;
isc_result_t
result
;
for
(
i
=
0
;
algorithms
[
i
].
str
!=
NULL
;
i
++
)
{
len
=
strlen
(
algorithms
[
i
].
str
);
if
(
strncasecmp
(
algorithms
[
i
].
str
,
str
,
len
)
==
0
&&
(
str
[
len
]
==
'\0'
||
(
algorithms
[
i
].
size
!=
0
&&
str
[
len
]
==
'-'
)))
break
;
}
return
(
ISC_R_NOTFOUND
);
if
(
algorithms
[
i
].
str
==
NULL
)
return
(
ISC_R_NOTFOUND
);
if
(
str
[
len
]
==
'-'
)
{
result
=
isc_parse_uint16
(
&
bits
,
str
+
len
+
1
,
10
);
if
(
result
!=
ISC_R_SUCCESS
)
return
(
result
);
if
(
bits
>
algorithms
[
i
].
size
)
return
(
ISC_R_RANGE
);
}
else
if
(
algorithms
[
i
].
size
==
0
)
bits
=
128
;
else
bits
=
algorithms
[
i
].
size
;
if
(
name
!=
NULL
)
{
switch
(
algorithms
[
i
].
hmac
)
{
case
hmacmd5
:
*
name
=
dns_tsig_hmacmd5_name
;
break
;
case
hmacsha1
:
*
name
=
dns_tsig_hmacsha1_name
;
break
;
case
hmacsha224
:
*
name
=
dns_tsig_hmacsha224_name
;
break
;
case
hmacsha256
:
*
name
=
dns_tsig_hmacsha256_name
;
break
;
case
hmacsha384
:
*
name
=
dns_tsig_hmacsha384_name
;
break
;
case
hmacsha512
:
*
name
=
dns_tsig_hmacsha512_name
;
break
;
default:
INSIST
(
0
);
}
}
if
(
digestbits
!=
NULL
)
*
digestbits
=
bits
;
return
(
ISC_R_SUCCESS
);
}
bin/named/controlconf.c
View file @
c6d4f781
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: controlconf.c,v 1.4
7
200
5/11/30
0
3
:3
6:45
marka Exp $ */
/* $Id: controlconf.c,v 1.4
8
200
6/01/27
0
2
:3
5:14
marka Exp $ */
/*! \file */
...
...
@@ -758,7 +758,7 @@ register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
algstr
=
cfg_obj_asstring
(
algobj
);
secretstr
=
cfg_obj_asstring
(
secretobj
);
if
(
ns_config_getkeyalgorithm
(
algstr
,
NULL
)
!=
if
(
ns_config_getkeyalgorithm
(
algstr
,
NULL
,
NULL
)
!=
ISC_R_SUCCESS
)
{
cfg_obj_log
(
control
,
ns_g_lctx
,
...
...
@@ -848,7 +848,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
algstr
=
cfg_obj_asstring
(
algobj
);
secretstr
=
cfg_obj_asstring
(
secretobj
);
if
(
ns_config_getkeyalgorithm
(
algstr
,
NULL
)
!=
ISC_R_SUCCESS
)
{
if
(
ns_config_getkeyalgorithm
(
algstr
,
NULL
,
NULL
)
!=
ISC_R_SUCCESS
)
{
cfg_obj_log
(
key
,
ns_g_lctx
,
ISC_LOG_WARNING
,
"unsupported algorithm '%s' in "
...
...
bin/named/include/named/config.h
View file @
c6d4f781
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.h,v 1.
9
200
5
/0
4
/2
9
0
0:22:30
marka Exp $ */
/* $Id: config.h,v 1.
10
200
6
/0
1
/2
7
0
2:35:14
marka Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
...
...
@@ -72,6 +72,7 @@ isc_result_t
ns_config_getport
(
cfg_obj_t
*
config
,
in_port_t
*
portp
);
isc_result_t
ns_config_getkeyalgorithm
(
const
char
*
str
,
dns_name_t
**
name
);
ns_config_getkeyalgorithm
(
const
char
*
str
,
dns_name_t
**
name
,
isc_uint16_t
*
digestbits
);
#endif
/* NAMED_CONFIG_H */
bin/named/tsigconf.c
View file @
c6d4f781
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: tsigconf.c,v 1.2
5
200
5
/0
8
/2
3
02:3
6:07
marka Exp $ */
/* $Id: tsigconf.c,v 1.2
6
200
6
/0
1
/2
7
02:3
5:14
marka Exp $ */
/*! \file */
...
...
@@ -38,6 +38,7 @@
static
isc_result_t
add_initial_keys
(
cfg_obj_t
*
list
,
dns_tsig_keyring_t
*
ring
,
isc_mem_t
*
mctx
)
{
dns_tsigkey_t
*
tsigkey
=
NULL
;
cfg_listelt_t
*
element
;
cfg_obj_t
*
key
=
NULL
;
const
char
*
keyid
=
NULL
;
...
...
@@ -46,6 +47,7 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
int
secretlen
=
0
;
isc_result_t
ret
;
isc_stdtime_t
now
;
isc_uint16_t
bits
;
for
(
element
=
cfg_list_first
(
list
);
element
!=
NULL
;
...
...
@@ -86,10 +88,11 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
* Create the algorithm.
*/
algstr
=
cfg_obj_asstring
(
algobj
);
if
(
ns_config_getkeyalgorithm
(
algstr
,
&
alg
)
!=
ISC_R_SUCCESS
)
{
if
(
ns_config_getkeyalgorithm
(
algstr
,
&
alg
,
&
bits
)
!=
ISC_R_SUCCESS
)
{
cfg_obj_log
(
algobj
,
ns_g_lctx
,
ISC_LOG_ERROR
,
"key '%s':
the only
supported algorithm
"
"is hmac-md5"
,
keyid
);
"key '%s':
has a un
supported algorithm
'%s'"
,
keyid
,
algstr
);
ret
=
DNS_R_BADALG
;
goto
failure
;
}
...
...
@@ -110,11 +113,16 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
isc_stdtime_get
(
&
now
);
ret
=
dns_tsigkey_create
(
&
keyname
,
alg
,
secret
,
secretlen
,
ISC_FALSE
,
NULL
,
now
,
now
,
mctx
,
ring
,
NULL
);
mctx
,
ring
,
&
tsigkey
);
isc_mem_put
(
mctx
,
secret
,
secretalloc
);
secret
=
NULL
;
if
(
ret
!=
ISC_R_SUCCESS
)
goto
failure
;
/*
* Set digest bits.
*/
dst_key_setbits
(
tsigkey
->
key
,
bits
);
dns_tsigkey_detach
(
&
tsigkey
);
}
return
(
ISC_R_SUCCESS
);
...
...
@@ -127,7 +135,6 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
if
(
secret
!=
NULL
)