Commit c6d4f781 authored by Mark Andrews's avatar Mark Andrews

1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and

                        HMACSHA512 support. [RT #13606]
parent d0207ee7
1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support. [RT #13606]
1972. [contrib] DBUS dynamic forwarders integation from
Jason Vas Dias <jvdias@redhat.com>.
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.c,v 1.210 2006/01/07 00:23:35 marka Exp $ */
/* $Id: dig.c,v 1.211 2006/01/27 02:35:14 marka Exp $ */
/*! \file */
......@@ -42,6 +42,7 @@
#include <dns/rdatatype.h>
#include <dns/rdataclass.h>
#include <dns/result.h>
#include <dns/tsig.h>
#include <bind9/getaddresses.h>
......@@ -152,7 +153,7 @@ help(void) {
" -t type (specify query type)\n"
" -c class (specify query class)\n"
" -k keyfile (specify tsig key file)\n"
" -y name:key (specify named base64 tsig key)\n"
" -y [hmac:]name:key (specify named base64 tsig key)\n"
" -4 (use IPv4 query transport only)\n"
" -6 (use IPv6 query transport only)\n"
" d-opt is of the form +keyword[=value], where keyword is:\n"
......@@ -1105,7 +1106,7 @@ static isc_boolean_t
dash_option(char *option, char *next, dig_lookup_t **lookup,
isc_boolean_t *open_type_class, isc_boolean_t config_only)
{
char opt, *value, *ptr;
char opt, *value, *ptr, *ptr2, *ptr3;
isc_result_t result;
isc_boolean_t value_from_next;
isc_textregion_t tr;
......@@ -1295,16 +1296,83 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
value);
return (value_from_next);
case 'y':
ptr = next_token(&value,":");
ptr = next_token(&value,":"); /* hmac type or name */
if (ptr == NULL) {
usage();
}
ptr2 = next_token(&value, ":"); /* name or secret */
if (ptr2 == NULL)
usage();
ptr3 = next_token(&value,":"); /* secret or NULL */
if (ptr3 != NULL) {
if (strcasecmp(ptr, "hmac-md5") == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_uint(&ptr[9],
"digest-bits [0..128]",
128);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha1") == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = parse_uint(&ptr[10],
"digest-bits [0..160]",
160);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha224") == 0) {
hmacname = DNS_TSIG_HMACSHA224_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA224_NAME;
digestbits = parse_uint(&ptr[12],
"digest-bits [0..224]",
224);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha256") == 0) {
hmacname = DNS_TSIG_HMACSHA256_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA256_NAME;
digestbits = parse_uint(&ptr[12],
"digest-bits [0..256]",
256);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha384") == 0) {
hmacname = DNS_TSIG_HMACSHA384_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA384_NAME;
digestbits = parse_uint(&ptr[12],
"digest-bits [0..384]",
384);
digestbits = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(ptr, "hmac-sha512") == 0) {
hmacname = DNS_TSIG_HMACSHA512_NAME;
digestbits = 0;
} else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
hmacname = DNS_TSIG_HMACSHA512_NAME;
digestbits = parse_uint(&ptr[12],
"digest-bits [0..512]",
512);
digestbits = (digestbits + 7) & ~0x7U;
} else {
fprintf(stderr, ";; Warning, ignoring "
"invalid TSIG algorithm %s\n", ptr);
return (value_from_next);
}
ptr = ptr2;
ptr2 = ptr3;
} else {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = 0;
}
strncpy(keynametext, ptr, sizeof(keynametext));
keynametext[sizeof(keynametext)-1]=0;
ptr = next_token(&value, "");
if (ptr == NULL)
usage();
strncpy(keysecret, ptr, sizeof(keysecret));
strncpy(keysecret, ptr2, sizeof(keysecret));
keysecret[sizeof(keysecret)-1]=0;
return (value_from_next);
case 'x':
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dig.docbook,v 1.28 2005/10/26 04:35:53 marka Exp $ -->
<!-- $Id: dig.docbook,v 1.29 2006/01/27 02:35:14 marka Exp $ -->
<refentry id="man.dig">
<refentryinfo>
......@@ -63,7 +63,7 @@
<arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg>
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg choice="opt">name</arg>
......@@ -281,6 +281,7 @@
responses using transaction signatures (TSIG), specify a TSIG key file
using the <option>-k</option> option. You can also specify the TSIG
key itself on the command line using the <option>-y</option> option;
<parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5,
<parameter>name</parameter> is the name of the TSIG key and
<parameter>key</parameter> is the actual key. The key is a
base-64
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dighost.c,v 1.290 2006/01/07 00:23:35 marka Exp $ */
/* $Id: dighost.c,v 1.291 2006/01/27 02:35:14 marka Exp $ */
/*! \file
* \note
......@@ -161,6 +161,8 @@ int fatalexit = 0;
char keynametext[MXNAME];
char keyfile[MXNAME] = "";
char keysecret[MXNAME] = "";
dns_name_t *hmacname = NULL;
unsigned int digestbits = 0;
isc_buffer_t *namebuf = NULL;
dns_tsigkey_t *key = NULL;
isc_boolean_t validated = ISC_TRUE;
......@@ -890,14 +892,15 @@ setup_text_key(void) {
if (result != ISC_R_SUCCESS)
goto failure;
result = dns_tsigkey_create(&keyname, dns_tsig_hmacmd5_name,
secretstore, secretsize,
ISC_FALSE, NULL, 0, 0, mctx,
result = dns_tsigkey_create(&keyname, hmacname, secretstore,
secretsize, ISC_FALSE, NULL, 0, 0, mctx,
NULL, &key);
failure:
if (result != ISC_R_SUCCESS)
printf(";; Couldn't create key %s: %s\n",
keynametext, isc_result_totext(result));
else
dst_key_setbits(key->key, digestbits);
isc_mem_free(mctx, secretstore);
dns_name_invalidate(&keyname);
......@@ -918,8 +921,31 @@ setup_file_key(void) {
goto failure;
}
result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
dns_tsig_hmacmd5_name,
switch (dst_key_alg(dstkey)) {
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
case DST_ALG_HMACSHA224:
hmacname = DNS_TSIG_HMACSHA224_NAME;
break;
case DST_ALG_HMACSHA256:
hmacname = DNS_TSIG_HMACSHA256_NAME;
break;
case DST_ALG_HMACSHA384:
hmacname = DNS_TSIG_HMACSHA384_NAME;
break;
case DST_ALG_HMACSHA512:
hmacname = DNS_TSIG_HMACSHA512_NAME;
break;
default:
printf(";; Couldn't create key %s: bad algorithm\n",
keynametext);
goto failure;
}
result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
dstkey, ISC_FALSE, NULL, 0, 0,
mctx, NULL, &key);
if (result != ISC_R_SUCCESS) {
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.h,v 1.96 2005/08/25 00:40:50 marka Exp $ */
/* $Id: dig.h,v 1.97 2006/01/27 02:35:14 marka Exp $ */
#ifndef DIG_H
#define DIG_H
......@@ -257,6 +257,8 @@ extern isc_sockaddr_t bind_address;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
extern dns_name_t *hmacname;
extern unsigned int digestbits;
#ifdef DIG_SIGCHASE
extern char trustedkey[MXNAME];
#endif
......
......@@ -16,7 +16,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.72 2006/01/04 00:37:24 marka Exp $ */
/* $Id: dnssec-keygen.c,v 1.73 2006/01/27 02:35:14 marka Exp $ */
/*! \file */
......@@ -49,7 +49,9 @@
const char *program = "dnssec-keygen";
int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
" HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
" HMAC-SHA384 | HMAC-SHA512";
static isc_boolean_t
dsa_size_ok(int size) {
......@@ -70,10 +72,16 @@ usage(void) {
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
fprintf(stderr, " HMAC-SHA256:\t[1..256]\n");
fprintf(stderr, " HMAC-SHA384:\t[1..384]\n");
fprintf(stderr, " HMAC-SHA512:\t[1..512]\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -c <class> (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n");
fprintf(stderr, " -f keyflag: KSK\n");
fprintf(stderr, " -g <generator> use specified generator "
......@@ -117,6 +125,7 @@ main(int argc, char **argv) {
isc_entropy_t *ectx = NULL;
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
if (argc == 1)
usage();
......@@ -126,7 +135,7 @@ main(int argc, char **argv) {
dns_result_register();
while ((ch = isc_commandline_parse(argc, argv,
"a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
"a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
{
switch (ch) {
case 'a':
......@@ -140,6 +149,11 @@ main(int argc, char **argv) {
case 'c':
classname = isc_commandline_argument;
break;
case 'd':
dbits = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || dbits < 0)
fatal("-d requires a non-negative number");
break;
case 'e':
rsa_exp = 1;
break;
......@@ -221,6 +235,21 @@ main(int argc, char **argv) {
} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACMD5;
} else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA1;
} else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA224;
} else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA256;
} else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA384;
} else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA512;
} else {
r.base = algname;
r.length = strlen(algname);
......@@ -267,6 +296,56 @@ main(int argc, char **argv) {
case DST_ALG_HMACMD5:
if (size < 1 || size > 512)
fatal("HMAC-MD5 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 128))
fatal("HMAC-MD5 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-MD5 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA1:
if (size < 1 || size > 160)
fatal("HMAC-SHA1 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 160))
fatal("HMAC-SHA1 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA1 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA224:
if (size < 1 || size > 224)
fatal("HMAC-SHA224 key size %d out of range", size);
if (dbits != 0 && (dbits < 112 || dbits > 224))
fatal("HMAC-SHA224 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA224 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA256:
if (size < 1 || size > 256)
fatal("HMAC-SHA256 key size %d out of range", size);
if (dbits != 0 && (dbits < 128 || dbits > 256))
fatal("HMAC-SHA256 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA256 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA384:
if (size < 1 || size > 384)
fatal("HMAC-384 key size %d out of range", size);
if (dbits != 0 && (dbits < 192 || dbits > 384))
fatal("HMAC-SHA384 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA384 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA512:
if (size < 1 || size > 512)
fatal("HMAC-SHA512 key size %d out of range", size);
if (dbits != 0 && (dbits < 256 || dbits > 512))
fatal("HMAC-SHA512 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA512 digest bits %d not divisible by 8",
dbits);
break;
}
......@@ -313,7 +392,10 @@ main(int argc, char **argv) {
}
if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
(alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
(alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 ||
alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 ||
alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 ||
alg == DST_ALG_HMACSHA512))
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
......@@ -337,6 +419,11 @@ main(int argc, char **argv) {
break;
case DNS_KEYALG_DSA:
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
param = 0;
break;
}
......@@ -365,6 +452,8 @@ main(int argc, char **argv) {
exit(-1);
}
dst_key_setbits(key, dbits);
/*
* Try to read a key with the same name, alg and id from disk.
* If there is one we must continue generating a new one
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.67 2006/01/05 23:45:33 marka Exp $ */
/* $Id: config.c,v 1.68 2006/01/27 02:35:14 marka Exp $ */
/*! \file */
......@@ -27,6 +27,7 @@
#include <isc/buffer.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/parseint.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
......@@ -724,16 +725,65 @@ ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
return (ISC_R_SUCCESS);
}
struct keyalgorithms {
const char *str;
enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
hmacsha256, hmacsha384, hmacsha512 } hmac;
isc_uint16_t size;
} algorithms[] = {
{ "hmac-md5", hmacmd5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, 0 },
{ "hmac-sha1", hmacsha1, 160 },
{ "hmac-sha224", hmacsha224, 224 },
{ "hmac-sha256", hmacsha256, 256 },
{ "hmac-sha384", hmacsha384, 384 },
{ "hmac-sha512", hmacsha512, 512 },
{ NULL, hmacnone, 0 }
};
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name)
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits)
{
if (strcasecmp(str, "hmac-md5") == 0 ||
strcasecmp(str, "hmac-md5.sig-alg.reg.int") == 0 ||
strcasecmp(str, "hmac-md5.sig-alg.reg.int.") == 0)
{
if (name != NULL)
*name = dns_tsig_hmacmd5_name;
return (ISC_R_SUCCESS);
int i;
size_t len = 0;
isc_uint16_t bits;
isc_result_t result;
for (i = 0; algorithms[i].str != NULL; i++) {
len = strlen(algorithms[i].str);
if (strncasecmp(algorithms[i].str, str, len) == 0 &&
(str[len] == '\0' ||
(algorithms[i].size != 0 && str[len] == '-')))
break;
}
return (ISC_R_NOTFOUND);
if (algorithms[i].str == NULL)
return (ISC_R_NOTFOUND);
if (str[len] == '-') {
result = isc_parse_uint16(&bits, str + len + 1, 10);
if (result != ISC_R_SUCCESS)
return (result);
if (bits > algorithms[i].size)
return (ISC_R_RANGE);
} else if (algorithms[i].size == 0)
bits = 128;
else
bits = algorithms[i].size;
if (name != NULL) {
switch (algorithms[i].hmac) {
case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
case hmacsha384: *name = dns_tsig_hmacsha384_name; break;
case hmacsha512: *name = dns_tsig_hmacsha512_name; break;
default:
INSIST(0);
}
}
if (digestbits != NULL)
*digestbits = bits;
return (ISC_R_SUCCESS);
}
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: controlconf.c,v 1.47 2005/11/30 03:36:45 marka Exp $ */
/* $Id: controlconf.c,v 1.48 2006/01/27 02:35:14 marka Exp $ */
/*! \file */
......@@ -758,7 +758,7 @@ register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
algstr = cfg_obj_asstring(algobj);
secretstr = cfg_obj_asstring(secretobj);
if (ns_config_getkeyalgorithm(algstr, NULL) !=
if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
ISC_R_SUCCESS)
{
cfg_obj_log(control, ns_g_lctx,
......@@ -848,7 +848,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
algstr = cfg_obj_asstring(algobj);
secretstr = cfg_obj_asstring(secretobj);
if (ns_config_getkeyalgorithm(algstr, NULL) != ISC_R_SUCCESS) {
if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
cfg_obj_log(key, ns_g_lctx,
ISC_LOG_WARNING,
"unsupported algorithm '%s' in "
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.h,v 1.9 2005/04/29 00:22:30 marka Exp $ */
/* $Id: config.h,v 1.10 2006/01/27 02:35:14 marka Exp $ */
#ifndef NAMED_CONFIG_H
#define NAMED_CONFIG_H 1
......@@ -72,6 +72,7 @@ isc_result_t
ns_config_getport(cfg_obj_t *config, in_port_t *portp);
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits);
#endif /* NAMED_CONFIG_H */
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: tsigconf.c,v 1.25 2005/08/23 02:36:07 marka Exp $ */
/* $Id: tsigconf.c,v 1.26 2006/01/27 02:35:14 marka Exp $ */
/*! \file */
......@@ -38,6 +38,7 @@
static isc_result_t
add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
dns_tsigkey_t *tsigkey = NULL;
cfg_listelt_t *element;
cfg_obj_t *key = NULL;
const char *keyid = NULL;
......@@ -46,6 +47,7 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
int secretlen = 0;
isc_result_t ret;
isc_stdtime_t now;
isc_uint16_t bits;
for (element = cfg_list_first(list);
element != NULL;
......@@ -86,10 +88,11 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
* Create the algorithm.
*/
algstr = cfg_obj_asstring(algobj);
if (ns_config_getkeyalgorithm(algstr, &alg) != ISC_R_SUCCESS) {
if (ns_config_getkeyalgorithm(algstr, &alg, &bits)
!= ISC_R_SUCCESS) {
cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR,
"key '%s': the only supported algorithm "
"is hmac-md5", keyid);
"key '%s': has a unsupported algorithm '%s'",
keyid, algstr);
ret = DNS_R_BADALG;
goto failure;
}
......@@ -110,11 +113,16 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
isc_stdtime_get(&now);
ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
ISC_FALSE, NULL, now, now,
mctx, ring, NULL);
mctx, ring, &tsigkey);
isc_mem_put(mctx, secret, secretalloc);
secret = NULL;
if (ret != ISC_R_SUCCESS)
goto failure;
/*
* Set digest bits.
*/
dst_key_setbits(tsigkey->key, bits);
dns_tsigkey_detach(&tsigkey);
}
return (ISC_R_SUCCESS);
......@@ -127,7 +135,6 @@ add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
if (secret != NULL)
isc_mem_put(mctx, secret, secretalloc);
return (ret);
}
isc_result_t
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsupdate.c,v 1.141 2006/01/07 00:23:35 marka Exp $ */
/* $Id: nsupdate.c,v 1.142 2006/01/27 02:35:14 marka Exp $ */
/*! \file */
......@@ -284,6 +284,74 @@ reset_system(void) {
updatemsg->opcode = dns_opcode_update;
}
static isc_uint16_t
parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
isc_uint16_t digestbits = 0;
isc_result_t result;
char buf[20];
REQUIRE(hmac != NULL && *hmac == NULL);
REQUIRE(hmacstr != NULL);
if (len >= sizeof(buf))
fatal("unknown key type '%.*s'", (int)(len), hmacstr);