Commit e6ffc27f authored by Thomas Markwalder's avatar Thomas Markwalder

[master] Adds key-algorithm statement to omshell

    Merges in rt46771.
parent 25e4af8b
......@@ -291,6 +291,13 @@ dhcp-users@lists.isc.org.
[ISC-Bugs #42621]
[ISC-Bugs #44753]
- A "key-algorithm <algorithm>" statement has been added to omshell to
allow the specification of the key algorithm to use during transaction
authentication. Prior to this it was hard-coded to be hmac-md5. It now
supports all of the same algorithms as the dhcpd server: hmac-md5 (the
default), hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512.
[ISC-Bugs #46771]
Changes since 4.3.0 (bug fixes)
- Tidy up several small tickets.
......
......@@ -1104,6 +1104,8 @@ intern(char *atom, enum dhcp_token dfv) {
}
if (!strcasecmp (atom + 1, "ey"))
return KEY;
if (!strcasecmp (atom + 1, "ey-algorithm"))
return KEY_ALGORITHM;
break;
case 'l':
if (!strcasecmp (atom + 1, "case"))
......
.\" $Id: omshell.1,v 1.6 2009/11/24 02:06:56 sar Exp $
.\"
.\" Copyright (c) 2012,2014 by Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (c) 2004,2009 by Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (c) 2001-2003 by Internet Software Consortium
.\"
.\" Permission to use, copy, modify, and distribute this software for any
......@@ -81,7 +80,24 @@ where number is the port that OMAPI listens on. By default, this is 7911.
This specifies the TSIG key to use to authenticate the OMAPI transactions.
\fIname\fR is the name of a key defined in \fIdhcpd.conf\fR with the
\fBomapi-key\fR statement. The \fIsecret\fR is the secret key generated from
\fBdnssec-keygen\fR or another key generation program.
\fBdnssec-keygen\fR or another key generation program. The key algorithm is
assumed to be HMAC-MD5 key. If a different algorithm was specified in dhcpd.conf
file for the key, then it must be specified via the \fIkey-algorithm\fR statement.
.RE
.PP
.B key-algorithm \fIalgorithm\fR
.RS 0.5i
This specifies the cryptographic algorithm for the key used when authenticating OMAPI
transactions. Supported values for \fIalgorithm\fR are:
.nf
HMAC-MD5
HMAC-SHA1
HMAC-SHA224
HMAC-SHA256
HMAC-SHA384
HMAC-SHA512
fi
The default is HMAC-MD5. (Value is not case sensitive).
.RE
.PP
.B connect
......@@ -253,7 +269,7 @@ name = "some-host"
hardware-address = 00:80:c7:84:b1:94
hardware-type = 00:00:00:01
ip-address = c0:a8:04:28
>
>
.fi
.PP
Your dhcpd.leases file would then have an entry like this in it:
......@@ -267,7 +283,7 @@ host some-host {
.fi
.PP
The \fIdynamic;\fR line is to denote that this host entry did not come from
dhcpd.conf, but was created dynamically via OMAPI.
dhcpd.conf, but was created dynamically via OMAPI.
.SH RESETTING ATTRIBUTES
.PP
If you want to remove an attribute from an object, you can do this with the
......@@ -288,7 +304,7 @@ name = "some-host"
hardware-address = 00:80:c7:84:b1:94
hardware-type = 00:00:00:01
ip-address = <null>
>
>
.fi
.SH REFRESHING OBJECTS
.PP
......@@ -300,7 +316,7 @@ particularly useful for hosts.
.PP
Any remote object that can be created can also be destroyed. This is done by
creating a new local object, setting attributes, associating the local and
remote object using \fBopen\fR, and then using the \fBremove\fR command.
remote object using \fBopen\fR, and then using the \fBremove\fR command.
If the host "some-host" from before was created in error, this could be
corrected as follows:
.nf
......@@ -312,7 +328,7 @@ hardware-type = 00:00:00:01
ip-address = c0:a8:04:28
> remove
obj: <null>
>
>
.fi
.SH HELP
.PP
......
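Review bot: The line `fi` that closes the algorithm list in the key-algorithm hunk is missing its leading dot, so it is printed as literal text and the `.nf` region opened above it is not closed until the next `.fi` further down the page, leaving the text in between unfilled; it should be `.fi`. The sentence `The key algorithm is assumed to be HMAC-MD5 key.` has a stray noun and reads correctly as `The key algorithm is assumed to be HMAC-MD5.`. On the following line `dhcpd.conf file` could drop `file` to match the earlier `\fIdhcpd.conf\fR` wording in the same paragraph.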
......@@ -321,12 +321,42 @@ main(int argc, char **argv) {
}
break;
case KEY_ALGORITHM:
/* Algorithm is optional */
token = next_token (&val, (unsigned *)0, cfile);
if (token != NAME || !is_identifier(token)) {
printf ("missing or invalid algorithm name\n");
printf ("usage: key-algoritm <algorithm name>\n");
skip_to_semi (cfile);
break;
}
s = dmalloc (strlen (val) + 1, MDL);
if (!s) {
printf ("no memory for algorithm name.\n");
skip_to_semi (cfile);
break;
}
strcpy (s, val);
algorithm = s;
token = next_token (&val, (unsigned *)0, cfile);
if (token != END_OF_FILE && token != EOL) {
printf ("extra information after %s\n", algorithm);
printf ("usage: key-algorithm <algorithm name>\n");
skip_to_semi (cfile);
break;
}
break;
case KEY:
token = peek_token(&val, (unsigned *)0, cfile);
if (token == STRING) {
token = next_token (&val, (unsigned *)0, cfile);
if (!is_identifier (token)) {
printf ("usage: key <name> <value>\n");
printf ("usage: key <name> <value>\n");
skip_to_semi (cfile);
break;
}
......@@ -340,7 +370,7 @@ main(int argc, char **argv) {
} else {
s = parse_host_name(cfile);
if (s == NULL) {
printf ("usage: key <name> <value>\n");
printf ("usage: key <name> <value>\n");
skip_to_semi(cfile);
break;
}
......@@ -352,12 +382,14 @@ main(int argc, char **argv) {
skip_to_semi (cfile);
break;
}
token = next_token (&val, (unsigned *)0, cfile);
if (token != END_OF_FILE && token != EOL) {
printf ("usage: key <name> <secret>\n");
printf ("usage: key <name> <value> {algorithm}\n");
skip_to_semi (cfile);
break;
}
break;
case CONNECT:
......
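Review bot: The guard `if (token != NAME || !is_identifier(token))` in the new KEY_ALGORITHM case looks stricter than intended: if the lexer returns a dedicated token for names such as hmac-md5 (as dhcpd.conf's own key parsing would suggest; the lexer is not visible here), every documented algorithm value is rejected with "missing or invalid algorithm name", whereas the existing KEY case below accepts any identifier with `if (!is_identifier (token))` and the same test would suffice here. The usage text on the next line misspells the statement and should read `printf ("usage: key-algorithm <algorithm name>\n");`. A repeated key-algorithm statement overwrites `algorithm` without releasing the previous dmalloc'd string; `if (algorithm) dfree (algorithm, MDL);` before `algorithm = s;` would cover that, assuming `algorithm` starts out NULL where it is declared outside this hunk. The comment `/* Algorithm is optional */` suggests the name may be omitted, which the code does not allow; `/* The key-algorithm statement is optional; its argument is not. */` would be clearer. main() starts and ends outside the hunk, and the third hunk's new message `usage: key <name> <value> {algorithm}` advertises an optional third argument that the visible check after it still rejects, unless lines not shown in the hunk consume it.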
......@@ -375,7 +375,8 @@ enum dhcp_token {
TOKEN_BIG_ENDIAN = 675,
LEASE_ID_FORMAT = 676,
TOKEN_HEX = 677,
TOKEN_OCTAL = 678
TOKEN_OCTAL = 678,
KEY_ALGORITHM = 679
};
#define is_identifier(x) ((x) >= FIRST_TOKEN && \
......