From 85938345f9da377e903de0e99b36eaa2a98d99c7 Mon Sep 17 00:00:00 2001
|
||
|
From: Evan Hunt <each@isc.org>
|
||
|
Date: Wed, 13 Mar 2013 17:53:11 -0700
|
||
|
Subject: [PATCH] algorithm flexibility for rndc
|
||
|
|
||
|
3525. [func] Support for additional signing algorithms in rndc:
|
||
|
hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
|
||
|
The -A option to rndc-confgen can be used to
|
||
|
select the algorithm for the generated key.
|
||
|
(The default is still hmac-md5; this may
|
||
|
change in a future release.) [RT #20363]
|
||
|
---
|
||
|
bin/confgen/rndc-confgen.c | 27 +-
|
||
|
bin/confgen/rndc-confgen.docbook | 18 +-
|
||
|
bin/named/controlconf.c | 22 +-
|
||
|
bin/rndc/rndc.c | 38 ++-
|
||
|
bin/rndc/rndc.conf | 4 +-
|
||
|
bin/rndc/rndc.conf.docbook | 16 +-
|
||
|
bin/rndc/rndc.docbook | 14 +-
|
||
|
bin/tests/system/autosign/ns1/named.conf | 2 +-
|
||
|
bin/tests/system/autosign/ns2/named.conf | 2 +-
|
||
|
bin/tests/system/autosign/ns3/named.conf | 2 +-
|
||
|
bin/tests/system/cacheclean/ns2/named.conf | 2 +-
|
||
|
bin/tests/system/common/controls.conf | 2 +-
|
||
|
bin/tests/system/common/rndc.conf | 2 +-
|
||
|
bin/tests/system/common/rndc.key | 2 +-
|
||
|
bin/tests/system/conf.sh.in | 1 +
|
||
|
bin/tests/system/database/ns1/named.conf1 | 2 +-
|
||
|
bin/tests/system/database/ns1/named.conf2 | 2 +-
|
||
|
bin/tests/system/dlv/ns5/named.conf | 4 +-
|
||
|
bin/tests/system/dlv/ns5/rndc.conf | 2 +-
|
||
|
bin/tests/system/dlvauto/ns2/named.conf | 2 +-
|
||
|
bin/tests/system/dlzexternal/ns1/named.conf.in | 2 +-
|
||
|
bin/tests/system/dnssec/ns3/named.conf | 2 +-
|
||
|
bin/tests/system/dnssec/ns4/named1.conf | 2 +-
|
||
|
bin/tests/system/dnssec/ns4/named2.conf | 2 +-
|
||
|
bin/tests/system/dnssec/ns4/named3.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named1.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named10.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named11.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named2.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named3.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named4.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named5.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named6.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named7.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named8.conf | 2 +-
|
||
|
bin/tests/system/geoip/ns2/named9.conf | 2 +-
|
||
|
bin/tests/system/ixfr/ns3/named.conf | 2 +-
|
||
|
bin/tests/system/ixfr/ns4/named.conf | 2 +-
|
||
|
bin/tests/system/ixfr/setup.sh | 2 +-
|
||
|
bin/tests/system/logfileconfig/ns1/named.dirconf | 2 +-
|
||
|
bin/tests/system/logfileconfig/ns1/named.pipeconf | 2 +-
|
||
|
bin/tests/system/logfileconfig/ns1/named.plain | 2 +-
|
||
|
bin/tests/system/logfileconfig/ns1/named.symconf | 2 +-
|
||
|
bin/tests/system/logfileconfig/ns1/rndc.conf | 2 +-
|
||
|
bin/tests/system/nsupdate/ns1/named.conf | 2 +-
|
||
|
bin/tests/system/pkcs11/ns1/named.conf | 2 +-
|
||
|
bin/tests/system/resolver/ns4/named.conf | 2 +-
|
||
|
bin/tests/system/rndc/clean.sh | 2 +
|
||
|
bin/tests/system/rndc/ns2/named.conf | 4 +-
|
||
|
bin/tests/system/rndc/ns2/secondkey.conf | 2 +-
|
||
|
bin/tests/system/rndc/ns3/named.conf | 4 +-
|
||
|
bin/tests/system/rndc/ns4/3bf305731dd26307.nta | 3 +
|
||
|
bin/tests/system/rndc/ns4/named.conf.in | 28 +++
|
||
|
bin/tests/system/rndc/setup.sh | 24 +-
|
||
|
bin/tests/system/rndc/tests.sh | 60 +++++
|
||
|
bin/tests/system/rpz/ns3/named.conf | 2 +-
|
||
|
bin/tests/system/rpz/ns5/named.conf | 2 +-
|
||
|
bin/tests/system/rrl/ns2/named.conf | 2 +-
|
||
|
bin/tests/system/staticstub/ns3/named.conf.in | 2 +-
|
||
|
bin/tests/system/stress/ns3/named.conf | 2 +-
|
||
|
bin/tests/system/tkey/ns1/named.conf.in | 2 +-
|
||
|
bin/tests/system/tsiggss/ns1/named.conf | 2 +-
|
||
|
bin/tests/system/views/ns3/named1.conf | 2 +-
|
||
|
bin/tests/system/views/ns3/named2.conf | 2 +-
|
||
|
bin/tests/system/xfer/ns3/named.conf | 2 +-
|
||
|
bin/tests/system/xfer/ns4/named.conf.base | 2 +-
|
||
|
lib/isccc/cc.c | 289 ++++++++++++++++++----
|
||
|
lib/isccc/include/isccc/cc.h | 26 +-
|
||
|
68 files changed, 526 insertions(+), 158 deletions(-)
|
||
|
create mode 100644 bin/tests/system/rndc/ns4/3bf305731dd26307.nta
|
||
|
create mode 100644 bin/tests/system/rndc/ns4/named.conf.in
|
||
|
|
||
|
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
|
||
|
index e2ac079..3fd54fe 100644
|
||
|
--- a/bin/confgen/rndc-confgen.c
|
||
|
+++ b/bin/confgen/rndc-confgen.c
|
||
|
@@ -57,7 +57,6 @@
|
||
|
#include "util.h"
|
||
|
#include "keygen.h"
|
||
|
|
||
|
-#define DEFAULT_KEYLENGTH 128 /*% Bits. */
|
||
|
#define DEFAULT_KEYNAME "rndc-key"
|
||
|
#define DEFAULT_SERVER "127.0.0.1"
|
||
|
#define DEFAULT_PORT 953
|
||
|
@@ -80,7 +79,8 @@ Usage:\n\
|
||
|
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
|
||
|
[-s addr] [-t chrootdir] [-u user]\n\
|
||
|
-a: generate just the key clause and write it to keyfile (%s)\n\
|
||
|
- -b bits: from 1 through 512, default %d; total length of the secret\n\
|
||
|
+ -A alg: algorithm (default hmac-md5)\n\
|
||
|
+ -b bits: from 1 through 512, default 256; total length of the secret\n\
|
||
|
-c keyfile: specify an alternate key file (requires -a)\n\
|
||
|
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
|
||
|
-p port: the port named will listen on and rndc will connect to\n\
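Review bot: The new help text `-b bits: from 1 through 512, default 256; total length of the secret` does not match what main() does: with no `-b`, keysize is taken from `alg_bits(alg)` and `alg` still defaults to DST_ALG_HMACMD5, so the default is algorithm-dependent (and, if alg_bits() returns the digest size as rndc-confgen.docbook's "the default is the hash size" indicates, it is 128 for the default algorithm, not 256). Suggest `-b bits: from 1 through 512, default is the hash size of the algorithm;\n\` with the existing "total length of the secret" continuation on the next line. The `-A` line would also be more useful if it named the accepted values, e.g. `-A alg: algorithm (hmac-md5, -sha1, -sha224, -sha256, -sha384, -sha512; default hmac-md5)\n\`. Note that rndc.conf.docbook and rndc.docbook in this same commit label HMAC-SHA256 as "(default)", which contradicts both this text and the commit message; usage() starts outside the hunk.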
|
||
|
@@ -88,7 +88,7 @@ Usage:\n\
|
||
|
-s addr: the address to which rndc should connect\n\
|
||
|
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
|
||
|
-u user: set the keyfile owner to \"user\" (requires -a)\n",
|
||
|
- progname, keydef, DEFAULT_KEYLENGTH);
|
||
|
+ progname, keydef);
|
||
|
|
||
|
exit (status);
|
||
|
}
|
||
|
@@ -103,12 +103,12 @@ main(int argc, char **argv) {
|
||
|
const char *keyname = NULL;
|
||
|
const char *randomfile = NULL;
|
||
|
const char *serveraddr = NULL;
|
||
|
- dns_secalg_t alg = DST_ALG_HMACMD5;
|
||
|
- const char *algname = alg_totext(alg);
|
||
|
+ dns_secalg_t alg;
|
||
|
+ const char *algname;
|
||
|
char *p;
|
||
|
int ch;
|
||
|
int port;
|
||
|
- int keysize;
|
||
|
+ int keysize = -1;
|
||
|
struct in_addr addr4_dummy;
|
||
|
struct in6_addr addr6_dummy;
|
||
|
char *chrootdir = NULL;
|
||
|
@@ -124,18 +124,25 @@ main(int argc, char **argv) {
|
||
|
progname = program;
|
||
|
|
||
|
keyname = DEFAULT_KEYNAME;
|
||
|
- keysize = DEFAULT_KEYLENGTH;
|
||
|
+ alg = DST_ALG_HMACMD5;
|
||
|
serveraddr = DEFAULT_SERVER;
|
||
|
port = DEFAULT_PORT;
|
||
|
|
||
|
isc_commandline_errprint = ISC_FALSE;
|
||
|
|
||
|
while ((ch = isc_commandline_parse(argc, argv,
|
||
|
- "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
|
||
|
+ "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
|
||
|
+ {
|
||
|
switch (ch) {
|
||
|
case 'a':
|
||
|
keyonly = ISC_TRUE;
|
||
|
break;
|
||
|
+ case 'A':
|
||
|
+ algname = isc_commandline_argument;
|
||
|
+ alg = alg_fromtext(algname);
|
||
|
+ if (alg == DST_ALG_UNKNOWN)
|
||
|
+ fatal("Unsupported algorithm '%s'", algname);
|
||
|
+ break;
|
||
|
case 'b':
|
||
|
keysize = strtol(isc_commandline_argument, &p, 10);
|
||
|
if (*p != '\0' || keysize < 0)
|
||
|
@@ -203,6 +210,10 @@ main(int argc, char **argv) {
|
||
|
if (argc > 0)
|
||
|
usage(1);
|
||
|
|
||
|
+ if (keysize < 0)
|
||
|
+ keysize = alg_bits(alg);
|
||
|
+ algname = alg_totext(alg);
|
||
|
+
|
||
|
DO("create memory context", isc_mem_create(0, 0, &mctx));
|
||
|
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
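Review bot: The added `keysize = alg_bits(alg)` fallback deserves a comment, because the -1 sentinel and the dependency on the chosen algorithm are only visible by reading the option loop further up: `/* No -b given: size the secret from the selected algorithm (alg_bits), which is why keysize starts at -1. */`. The `-b` handler only rejects negative values, so `-b 0` still bypasses this default and reaches key generation with a zero-length secret unless the generator rejects it itself; with the sentinel now in place it would be cheap to reject `keysize == 0` in that handler as well. main() continues outside the hunk.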
|
||
|
|
||
|
diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
|
||
|
index af2cc43..f367b94 100644
|
||
|
--- a/bin/confgen/rndc-confgen.docbook
|
||
|
+++ b/bin/confgen/rndc-confgen.docbook
|
||
|
@@ -1,6 +1,6 @@
|
||
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
||
|
- [<!ENTITY mdash "—">]>
|
||
|
+ [<!ENTITY mdash "—">]>
|
||
|
<!--
|
||
|
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
||
|
- Copyright (C) 2001, 2003 Internet Software Consortium.
|
||
|
@@ -41,6 +41,7 @@
|
||
|
<year>2005</year>
|
||
|
<year>2007</year>
|
||
|
<year>2009</year>
|
||
|
+ <year>2013</year>
|
||
|
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||
|
</copyright>
|
||
|
<copyright>
|
||
|
@@ -54,6 +55,7 @@
|
||
|
<cmdsynopsis>
|
||
|
<command>rndc-confgen</command>
|
||
|
<arg><option>-a</option></arg>
|
||
|
+ <arg><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
|
||
|
<arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
|
||
|
<arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
|
||
|
<arg><option>-h</option></arg>
|
||
|
@@ -129,11 +131,23 @@
|
||
|
</varlistentry>
|
||
|
|
||
|
<varlistentry>
|
||
|
+ <term>-A <replaceable class="parameter">algorithm</replaceable></term>
|
||
|
+ <listitem>
|
||
|
+ <para>
|
||
|
+ Specifies the algorithm to use for the TSIG key. Available
|
||
|
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
|
||
|
+ hmac-sha384 and hmac-sha512. The default is hmac-md5.
|
||
|
+ </para>
|
||
|
+ </listitem>
|
||
|
+ </varlistentry>
|
||
|
+
|
||
|
+ <varlistentry>
|
||
|
<term>-b <replaceable class="parameter">keysize</replaceable></term>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Specifies the size of the authentication key in bits.
|
||
|
- Must be between 1 and 512 bits; the default is 128.
|
||
|
+ Must be between 1 and 512 bits; the default is the
|
||
|
+ hash size.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</varlistentry>
|
||
|
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
|
||
|
index ef32790..b4176c9 100644
|
||
|
--- a/bin/named/controlconf.c
|
||
|
+++ b/bin/named/controlconf.c
|
||
|
@@ -71,6 +71,7 @@ typedef ISC_LIST(controllistener_t) controllistenerlist_t;
|
||
|
|
||
|
struct controlkey {
|
||
|
char * keyname;
|
||
|
+ isc_uint32_t algorithm;
|
||
|
isc_region_t secret;
|
||
|
ISC_LINK(controlkey_t) link;
|
||
|
};
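Review bot: The new `algorithm` member has no comment saying what it holds or when it is valid. Elsewhere in this commit it is set to DST_ALG_UNKNOWN when a controlkey is created and only replaced with the value from ns_config_getkeyalgorithm2() once the key's algorithm clause parses, and control_recvmessage() passes it straight into isccc_cc_fromwire(), so a reader needs that contract; suggest `isc_uint32_t algorithm; /* DST_ALG_* from the key's algorithm clause; DST_ALG_UNKNOWN until resolved */`.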
|
||
|
@@ -325,6 +326,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||
|
isccc_sexpr_t *request = NULL;
|
||
|
isccc_sexpr_t *response = NULL;
|
||
|
isccc_region_t ccregion;
|
||
|
+ isc_uint32_t algorithm;
|
||
|
isccc_region_t secret;
|
||
|
isc_stdtime_t now;
|
||
|
isc_buffer_t b;
|
||
|
@@ -343,6 +345,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||
|
|
||
|
conn = event->ev_arg;
|
||
|
listener = conn->listener;
|
||
|
+ algorithm = DST_ALG_UNKNOWN;
|
||
|
secret.rstart = NULL;
|
||
|
|
||
|
/* Is the server shutting down? */
|
||
|
@@ -369,7 +372,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||
|
goto cleanup;
|
||
|
memcpy(secret.rstart, key->secret.base, key->secret.length);
|
||
|
secret.rend = secret.rstart + key->secret.length;
|
||
|
- result = isccc_cc_fromwire(&ccregion, &request, &secret);
|
||
|
+ algorithm = key->algorithm;
|
||
|
+ result = isccc_cc_fromwire(&ccregion, &request,
|
||
|
+ algorithm, &secret);
|
||
|
if (result == ISC_R_SUCCESS)
|
||
|
break;
|
||
|
isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
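Review bot: The loop now hands `key->algorithm` to isccc_cc_fromwire() without checking it, but the key list can hold entries still at DST_ALG_UNKNOWN: register_keys() takes `continue` when ns_config_getkeyalgorithm2() fails and, as far as its hunk shows, does not unlink the key. If such a key is not already skipped by the loop condition (which starts outside this hunk), a guard before the memcpy, `if (key->algorithm == DST_ALG_UNKNOWN) continue;`, keeps unresolved algorithms out of the verifier instead of relying on isccc_cc_fromwire() to reject them. The `algorithm` captured here is also what isccc_cc_towire() uses in the next hunk, so the response is signed with the key that verified the request; a comment such as `/* remember the verifying key's algorithm; the response is signed with it */` would make that intent explicit.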
|
||
|
@@ -480,7 +485,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||
|
|
||
|
ccregion.rstart = conn->buffer + 4;
|
||
|
ccregion.rend = conn->buffer + sizeof(conn->buffer);
|
||
|
- result = isccc_cc_towire(response, &ccregion, &secret);
|
||
|
+ result = isccc_cc_towire(response, &ccregion, algorithm, &secret);
|
||
|
if (result != ISC_R_SUCCESS)
|
||
|
goto cleanup_response;
|
||
|
isc_buffer_init(&b, conn->buffer, 4);
|
||
|
@@ -693,6 +698,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
|
||
|
if (key == NULL)
|
||
|
goto cleanup;
|
||
|
key->keyname = newstr;
|
||
|
+ key->algorithm = DST_ALG_UNKNOWN;
|
||
|
key->secret.base = NULL;
|
||
|
key->secret.length = 0;
|
||
|
ISC_LINK_INIT(key, link);
|
||
|
@@ -737,6 +743,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
|
||
|
const cfg_obj_t *secretobj = NULL;
|
||
|
const char *algstr = NULL;
|
||
|
const char *secretstr = NULL;
|
||
|
+ unsigned int algtype;
|
||
|
|
||
|
(void)cfg_map_get(keydef, "algorithm", &algobj);
|
||
|
(void)cfg_map_get(keydef, "secret", &secretobj);
|
||
|
@@ -745,8 +752,8 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
|
||
|
algstr = cfg_obj_asstring(algobj);
|
||
|
secretstr = cfg_obj_asstring(secretobj);
|
||
|
|
||
|
- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
|
||
|
- ISC_R_SUCCESS)
|
||
|
+ if (ns_config_getkeyalgorithm2(algstr, NULL,
|
||
|
+ &algtype, NULL) != ISC_R_SUCCESS)
|
||
|
{
|
||
|
cfg_obj_log(control, ns_g_lctx,
|
||
|
ISC_LOG_WARNING,
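Review bot: The `algtype` obtained here from ns_config_getkeyalgorithm2() is a DST_ALG_* number, and it ends up in the same isccc_cc_fromwire()/isccc_cc_towire() parameter that rndc.c fills with the ISCCC_ALG_HMAC* constants; the two numberings therefore have to agree, and nothing in this diff checks that. A comment at the assignment, `keyid->algorithm = algtype; /* DST_ALG_* value; must match the ISCCC_ALG_* numbering used by libisccc */`, or a cheap startup check such as `INSIST(ISCCC_ALG_HMACMD5 == DST_ALG_HMACMD5);` for each pair, would catch a future divergence. The same applies to the get_rndckey() hunk later in this file. register_keys() starts outside the hunk.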
|
||
|
@@ -759,6 +766,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
+ keyid->algorithm = algtype;
|
||
|
isc_buffer_init(&b, secret, sizeof(secret));
|
||
|
result = isc_base64_decodestring(secretstr, &b);
|
||
|
|
||
|
@@ -809,6 +817,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
|
||
|
const char *secretstr = NULL;
|
||
|
controlkey_t *keyid = NULL;
|
||
|
char secret[1024];
|
||
|
+ unsigned int algtype;
|
||
|
isc_buffer_t b;
|
||
|
|
||
|
CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
|
||
|
@@ -822,6 +831,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
|
||
|
cfg_obj_asstring(cfg_map_getname(key)));
|
||
|
keyid->secret.base = NULL;
|
||
|
keyid->secret.length = 0;
|
||
|
+ keyid->algorithm = DST_ALG_UNKNOWN;
|
||
|
ISC_LINK_INIT(keyid, link);
|
||
|
if (keyid->keyname == NULL)
|
||
|
CHECK(ISC_R_NOMEMORY);
|
||
|
@@ -835,7 +845,8 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
|
||
|
algstr = cfg_obj_asstring(algobj);
|
||
|
secretstr = cfg_obj_asstring(secretobj);
|
||
|
|
||
|
- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
|
||
|
+ if (ns_config_getkeyalgorithm2(algstr, NULL,
|
||
|
+ &algtype, NULL) != ISC_R_SUCCESS) {
|
||
|
cfg_obj_log(key, ns_g_lctx,
|
||
|
ISC_LOG_WARNING,
|
||
|
"unsupported algorithm '%s' in "
|
||
|
@@ -845,6 +856,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
+ keyid->algorithm = algtype;
|
||
|
isc_buffer_init(&b, secret, sizeof(secret));
|
||
|
result = isc_base64_decodestring(secretstr, &b);
|
||
|
|
||
|
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
|
||
|
index be198b1..c67223b 100644
|
||
|
--- a/bin/rndc/rndc.c
|
||
|
+++ b/bin/rndc/rndc.c
|
||
|
@@ -77,6 +77,7 @@ static unsigned int remoteport = 0;
|
||
|
static isc_socketmgr_t *socketmgr = NULL;
|
||
|
static unsigned char databuf[2048];
|
||
|
static isccc_ccmsg_t ccmsg;
|
||
|
+static isc_uint32_t algorithm;
|
||
|
static isccc_region_t secret;
|
||
|
static isc_boolean_t failed = ISC_FALSE;
|
||
|
static isc_boolean_t c_flag = ISC_FALSE;
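Review bot: The new file-scope `algorithm` is read by every signing and verification call in this file yet carries no comment on who sets it; it is assigned only in parse_config(), whose fatal() branch ensures it never keeps its zero initial value once a message is built, assuming parse_config() always runs first as the existing `secret` handling already requires. Suggest `static isc_uint32_t algorithm; /* ISCCC_ALG_* of the configured key; set in parse_config() before any message is rendered */`.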
|
||
|
@@ -250,7 +251,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
|
||
|
source.rstart = isc_buffer_base(&ccmsg.buffer);
|
||
|
source.rend = isc_buffer_used(&ccmsg.buffer);
|
||
|
|
||
|
- DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
|
||
|
+ DO("parse message",
|
||
|
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
|
||
|
|
||
|
data = isccc_alist_lookup(response, "_data");
|
||
|
if (!isccc_alist_alistp(data))
|
||
|
@@ -305,7 +307,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
|
||
|
"* the remote server is using an older version of"
|
||
|
" the command protocol,\n"
|
||
|
"* this host is not authorized to connect,\n"
|
||
|
- "* the clocks are not synchronized, or\n"
|
||
|
+ "* the clocks are not synchronized,\n"
|
||
|
+ "* the the key signing algorithm is incorrect, or\n"
|
||
|
"* the key is invalid.");
|
||
|
|
||
|
if (ccmsg.result != ISC_R_SUCCESS)
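Review bot: The new diagnostic line has a doubled word: `"* the the key signing algorithm is incorrect, or\n"` should read `"* the key signing algorithm is incorrect, or\n"`. Since this text is shown to operators on every failed nonce exchange, it is worth fixing before it ships. rndc_recvnonce() starts outside the hunk.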
|
||
|
@@ -314,7 +317,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
|
||
|
source.rstart = isc_buffer_base(&ccmsg.buffer);
|
||
|
source.rend = isc_buffer_used(&ccmsg.buffer);
|
||
|
|
||
|
- DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
|
||
|
+ DO("parse message",
|
||
|
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
|
||
|
|
||
|
_ctrl = isccc_alist_lookup(response, "_ctrl");
|
||
|
if (!isccc_alist_alistp(_ctrl))
|
||
|
@@ -341,7 +345,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
|
||
|
}
|
||
|
message.rstart = databuf + 4;
|
||
|
message.rend = databuf + sizeof(databuf);
|
||
|
- DO("render message", isccc_cc_towire(request, &message, &secret));
|
||
|
+ DO("render message",
|
||
|
+ isccc_cc_towire(request, &message, algorithm, &secret));
|
||
|
len = sizeof(databuf) - REGION_SIZE(message);
|
||
|
isc_buffer_init(&b, databuf, 4);
|
||
|
isc_buffer_putuint32(&b, len - 4);
|
||
|
@@ -403,7 +408,8 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
|
||
|
fatal("out of memory");
|
||
|
message.rstart = databuf + 4;
|
||
|
message.rend = databuf + sizeof(databuf);
|
||
|
- DO("render message", isccc_cc_towire(request, &message, &secret));
|
||
|
+ DO("render message",
|
||
|
+ isccc_cc_towire(request, &message, algorithm, &secret));
|
||
|
len = sizeof(databuf) - REGION_SIZE(message);
|
||
|
isc_buffer_init(&b, databuf, 4);
|
||
|
isc_buffer_putuint32(&b, len - 4);
|
||
|
@@ -483,7 +489,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
|
||
|
const cfg_obj_t *address = NULL;
|
||
|
const cfg_listelt_t *elt;
|
||
|
const char *secretstr;
|
||
|
- const char *algorithm;
|
||
|
+ const char *algorithmstr;
|
||
|
static char secretarray[1024];
|
||
|
const cfg_type_t *conftype = &cfg_type_rndcconf;
|
||
|
isc_boolean_t key_only = ISC_FALSE;
|
||
|
@@ -587,10 +593,22 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
|
||
|
fatal("key must have algorithm and secret");
|
||
|
|
||
|
secretstr = cfg_obj_asstring(secretobj);
|
||
|
- algorithm = cfg_obj_asstring(algorithmobj);
|
||
|
-
|
||
|
- if (strcasecmp(algorithm, "hmac-md5") != 0)
|
||
|
- fatal("unsupported algorithm: %s", algorithm);
|
||
|
+ algorithmstr = cfg_obj_asstring(algorithmobj);
|
||
|
+
|
||
|
+ if (strcasecmp(algorithmstr, "hmac-md5") == 0)
|
||
|
+ algorithm = ISCCC_ALG_HMACMD5;
|
||
|
+ else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
|
||
|
+ algorithm = ISCCC_ALG_HMACSHA1;
|
||
|
+ else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
|
||
|
+ algorithm = ISCCC_ALG_HMACSHA224;
|
||
|
+ else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
|
||
|
+ algorithm = ISCCC_ALG_HMACSHA256;
|
||
|
+ else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
|
||
|
+ algorithm = ISCCC_ALG_HMACSHA384;
|
||
|
+ else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
|
||
|
+ algorithm = ISCCC_ALG_HMACSHA512;
|
||
|
+ else
|
||
|
+ fatal("unsupported algorithm: %s", algorithmstr);
|
||
|
|
||
|
secret.rstart = (unsigned char *)secretarray;
|
||
|
secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
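Review bot: The six-way strcasecmp() chain is a third spelling of the algorithm-name set that this commit also relies on in rndc-confgen's alg_fromtext() and named's ns_config_getkeyalgorithm2(), and it will have to be kept in step with both by hand. A small static name-to-ISCCC_ALG_* table with one lookup loop keeps the accepted set in one place in this file and lets the unsupported-algorithm error cover every entry automatically; the rewritten lines are below, with the table placed among parse_config()'s other declarations. parse_config() starts and ends outside the hunk.
```c
	static const struct {
		const char *name;
		isc_uint32_t alg;
	} algtable[] = {
		{ "hmac-md5",    ISCCC_ALG_HMACMD5 },
		{ "hmac-sha1",   ISCCC_ALG_HMACSHA1 },
		{ "hmac-sha224", ISCCC_ALG_HMACSHA224 },
		{ "hmac-sha256", ISCCC_ALG_HMACSHA256 },
		{ "hmac-sha384", ISCCC_ALG_HMACSHA384 },
		{ "hmac-sha512", ISCCC_ALG_HMACSHA512 }
	};
	size_t i;
	/* … unchanged: config parsing up to the key's secret clause … */
	secretstr = cfg_obj_asstring(secretobj);
	algorithmstr = cfg_obj_asstring(algorithmobj);

	/* Map the configured name onto the libisccc algorithm number. */
	for (i = 0; i < sizeof(algtable) / sizeof(algtable[0]); i++) {
		if (strcasecmp(algorithmstr, algtable[i].name) == 0) {
			algorithm = algtable[i].alg;
			break;
		}
	}
	if (i == sizeof(algtable) / sizeof(algtable[0]))
		fatal("unsupported algorithm: %s", algorithmstr);
	/* … unchanged: secret region setup … */
```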
|
||
|
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
|
||
|
index 67542b9..c463b96 100644
|
||
|
--- a/bin/rndc/rndc.conf
|
||
|
+++ b/bin/rndc/rndc.conf
|
||
|
@@ -31,7 +31,7 @@ server localhost {
|
||
|
};
|
||
|
|
||
|
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "34f88008d07deabbe65bd01f1d233d47";
|
||
|
};
|
||
|
|
||
|
@@ -42,6 +42,6 @@ server "test1" {
|
||
|
};
|
||
|
|
||
|
key "key" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
||
|
};
|
||
|
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
|
||
|
index 9de1995..5753378 100644
|
||
|
--- a/bin/rndc/rndc.conf.docbook
|
||
|
+++ b/bin/rndc/rndc.conf.docbook
|
||
|
@@ -40,6 +40,7 @@
|
||
|
<year>2004</year>
|
||
|
<year>2005</year>
|
||
|
<year>2007</year>
|
||
|
+ <year>2013</year>
|
||
|
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
||
|
</copyright>
|
||
|
<copyright>
|
||
|
@@ -119,11 +120,12 @@
|
||
|
<para>
|
||
|
The <option>key</option> statement begins with an identifying
|
||
|
string, the name of the key. The statement has two clauses.
|
||
|
- <option>algorithm</option> identifies the encryption algorithm
|
||
|
+ <option>algorithm</option> identifies the authentication algorithm
|
||
|
for <command>rndc</command> to use; currently only HMAC-MD5
|
||
|
- is
|
||
|
+ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
|
||
|
+ (default), HMAC-SHA384 and HMAC-SHA512 are
|
||
|
supported. This is followed by a secret clause which contains
|
||
|
- the base-64 encoding of the algorithm's encryption key. The
|
||
|
+ the base-64 encoding of the algorithm's authentication key. The
|
||
|
base-64 string is enclosed in double quotes.
|
||
|
</para>
|
||
|
<para>
|
||
|
@@ -166,14 +168,14 @@
|
||
|
</para>
|
||
|
<para><programlisting>
|
||
|
key samplekey {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
|
||
|
};
|
||
|
</programlisting>
|
||
|
</para>
|
||
|
<para><programlisting>
|
||
|
key testkey {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
|
||
|
};
|
||
|
</programlisting>
|
||
|
@@ -186,8 +188,8 @@
|
||
|
Commands to the localhost server will use the samplekey key, which
|
||
|
must also be defined in the server's configuration file with the
|
||
|
same name and secret. The key statement indicates that samplekey
|
||
|
- uses the HMAC-MD5 algorithm and its secret clause contains the
|
||
|
- base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
|
||
|
+ uses the HMAC-SHA256 algorithm and its secret clause contains the
|
||
|
+ base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
|
||
|
</para>
|
||
|
<para>
|
||
|
If <command>rndc -s testserver</command> is used then <command>rndc</command> will
|
||
|
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
|
||
|
index 27645b5..5f97749 100644
|
||
|
--- a/bin/rndc/rndc.docbook
|
||
|
+++ b/bin/rndc/rndc.docbook
|
||
|
@@ -76,12 +76,14 @@
|
||
|
arguments.
|
||
|
</para>
|
||
|
<para><command>rndc</command>
|
||
|
- communicates with the name server
|
||
|
- over a TCP connection, sending commands authenticated with
|
||
|
- digital signatures. In the current versions of
|
||
|
+ communicates with the name server over a TCP connection, sending
|
||
|
+ commands authenticated with digital signatures. In the current
|
||
|
+ versions of
|
||
|
<command>rndc</command> and <command>named</command>,
|
||
|
- the only supported authentication algorithm is HMAC-MD5,
|
||
|
- which uses a shared secret on each end of the connection.
|
||
|
+ the only supported authentication algorithms are HMAC-MD5
|
||
|
+ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
|
||
|
+ (default), HMAC-SHA384 and HMAC-SHA512.
|
||
|
+ They use a shared secret on each end of the connection.
|
||
|
This provides TSIG-style authentication for the command
|
||
|
request and the name server's response. All commands sent
|
||
|
over the channel must be signed by a key_id known to the
|
||
|
@@ -145,7 +147,7 @@
|
||
|
<command>rndc</command>. If no server is supplied on the
|
||
|
command line, the host named by the default-server clause
|
||
|
in the options statement of the <command>rndc</command>
|
||
|
- configuration file will be used.
|
||
|
+ configuration file will be used.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</varlistentry>
|
||
|
diff --git a/bin/tests/system/autosign/ns1/named.conf b/bin/tests/system/autosign/ns1/named.conf
|
||
|
index 2fbe62f..e67c4e4 100644
|
||
|
--- a/bin/tests/system/autosign/ns1/named.conf
|
||
|
+++ b/bin/tests/system/autosign/ns1/named.conf
|
||
|
@@ -36,7 +36,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/autosign/ns2/named.conf b/bin/tests/system/autosign/ns2/named.conf
|
||
|
index 5e9ad8f..826bb91 100644
|
||
|
--- a/bin/tests/system/autosign/ns2/named.conf
|
||
|
+++ b/bin/tests/system/autosign/ns2/named.conf
|
||
|
@@ -37,7 +37,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
|
||
|
index 542a81e..89b7ece 100644
|
||
|
--- a/bin/tests/system/autosign/ns3/named.conf
|
||
|
+++ b/bin/tests/system/autosign/ns3/named.conf
|
||
|
@@ -39,7 +39,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/cacheclean/ns2/named.conf b/bin/tests/system/cacheclean/ns2/named.conf
|
||
|
index cb675d2..6f0fba0 100644
|
||
|
--- a/bin/tests/system/cacheclean/ns2/named.conf
|
||
|
+++ b/bin/tests/system/cacheclean/ns2/named.conf
|
||
|
@@ -34,7 +34,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/common/controls.conf b/bin/tests/system/common/controls.conf
|
||
|
index b5d619e..b9b6311 100644
|
||
|
--- a/bin/tests/system/common/controls.conf
|
||
|
+++ b/bin/tests/system/common/controls.conf
|
||
|
@@ -19,7 +19,7 @@
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf
|
||
|
index 3704ae7..5661b26 100644
|
||
|
--- a/bin/tests/system/common/rndc.conf
|
||
|
+++ b/bin/tests/system/common/rndc.conf
|
||
|
@@ -22,6 +22,6 @@ options {
|
||
|
};
|
||
|
|
||
|
key rndc_key {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "1234abcd8765";
|
||
|
};
|
||
|
diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key
|
||
|
index 1239e93..d5a7a9f 100644
|
||
|
--- a/bin/tests/system/common/rndc.key
|
||
|
+++ b/bin/tests/system/common/rndc.key
|
||
|
@@ -18,5 +18,5 @@
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
||
|
index 49c5686..2bd42f9 100644
|
||
|
--- a/bin/tests/system/conf.sh.in
|
||
|
+++ b/bin/tests/system/conf.sh.in
|
||
|
@@ -36,6 +36,7 @@ DIG=$TOP/bin/dig/dig
|
||
|
RNDC=$TOP/bin/rndc/rndc
|
||
|
NSUPDATE=$TOP/bin/nsupdate/nsupdate
|
||
|
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
|
||
|
+RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
|
||
|
KEYGEN=$TOP/bin/dnssec/dnssec-keygen
|
||
|
KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
|
||
|
SIGNER=$TOP/bin/dnssec/dnssec-signzone
|
||
|
diff --git a/bin/tests/system/database/ns1/named.conf1 b/bin/tests/system/database/ns1/named.conf1
|
||
|
index 08dedc8..9270d56 100644
|
||
|
--- a/bin/tests/system/database/ns1/named.conf1
|
||
|
+++ b/bin/tests/system/database/ns1/named.conf1
|
||
|
@@ -20,7 +20,7 @@
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/database/ns1/named.conf2 b/bin/tests/system/database/ns1/named.conf2
|
||
|
index c79bf9b..ed1bdfb 100644
|
||
|
--- a/bin/tests/system/database/ns1/named.conf2
|
||
|
+++ b/bin/tests/system/database/ns1/named.conf2
|
||
|
@@ -20,7 +20,7 @@
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
|
||
|
index d886331..954fb37 100644
|
||
|
--- a/bin/tests/system/dlv/ns5/named.conf
|
||
|
+++ b/bin/tests/system/dlv/ns5/named.conf
|
||
|
@@ -23,7 +23,7 @@
|
||
|
*
|
||
|
* e.g.
|
||
|
* key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
|
||
|
- * algorithm hmac-md5;
|
||
|
+ * algorithm hmac-sha256;
|
||
|
* secret "34f88008d07deabbe65bd01f1d233d47";
|
||
|
* };
|
||
|
*
|
||
|
@@ -36,7 +36,7 @@
|
||
|
*/
|
||
|
|
||
|
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "34f88008d07deabbe65bd01f1d233d47";
|
||
|
};
|
||
|
|
||
|
diff --git a/bin/tests/system/dlv/ns5/rndc.conf b/bin/tests/system/dlv/ns5/rndc.conf
|
||
|
index 958ee98..ecc29b3 100644
|
||
|
--- a/bin/tests/system/dlv/ns5/rndc.conf
|
||
|
+++ b/bin/tests/system/dlv/ns5/rndc.conf
|
||
|
@@ -17,7 +17,7 @@
|
||
|
/* $Id: rndc.conf,v 1.5 2007/06/19 23:47:02 tbox Exp $ */
|
||
|
|
||
|
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "34f88008d07deabbe65bd01f1d233d47";
|
||
|
};
|
||
|
|
||
|
diff --git a/bin/tests/system/dlvauto/ns2/named.conf b/bin/tests/system/dlvauto/ns2/named.conf
|
||
|
index a7b86d0..fce5d85 100644
|
||
|
--- a/bin/tests/system/dlvauto/ns2/named.conf
|
||
|
+++ b/bin/tests/system/dlvauto/ns2/named.conf
|
||
|
@@ -37,7 +37,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in
|
||
|
index 6577761..01a4a3b 100644
|
||
|
--- a/bin/tests/system/dlzexternal/ns1/named.conf.in
|
||
|
+++ b/bin/tests/system/dlzexternal/ns1/named.conf.in
|
||
|
@@ -33,7 +33,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
include "ddns.key";
|
||
|
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
|
||
|
index 37d23c1..6ef21b3 100644
|
||
|
--- a/bin/tests/system/dnssec/ns3/named.conf
|
||
|
+++ b/bin/tests/system/dnssec/ns3/named.conf
|
||
|
@@ -38,7 +38,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/dnssec/ns4/named1.conf b/bin/tests/system/dnssec/ns4/named1.conf
|
||
|
index 432d3f6..542266f 100644
|
||
|
--- a/bin/tests/system/dnssec/ns4/named1.conf
|
||
|
+++ b/bin/tests/system/dnssec/ns4/named1.conf
|
||
|
@@ -47,7 +47,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/dnssec/ns4/named2.conf b/bin/tests/system/dnssec/ns4/named2.conf
|
||
|
index cc395be..f7e812c 100644
|
||
|
--- a/bin/tests/system/dnssec/ns4/named2.conf
|
||
|
+++ b/bin/tests/system/dnssec/ns4/named2.conf
|
||
|
@@ -37,7 +37,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/dnssec/ns4/named3.conf b/bin/tests/system/dnssec/ns4/named3.conf
|
||
|
index 2d40740..d391aac 100644
|
||
|
--- a/bin/tests/system/dnssec/ns4/named3.conf
|
||
|
+++ b/bin/tests/system/dnssec/ns4/named3.conf
|
||
|
@@ -38,7 +38,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named1.conf b/bin/tests/system/geoip/ns2/named1.conf
|
||
|
index 66aca6f..e4c8eca 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named1.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named1.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf
|
||
|
index 2dd52ae..6f3fdee 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named10.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named10.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf
|
||
|
index af87edf..149e19a 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named11.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named11.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named2.conf b/bin/tests/system/geoip/ns2/named2.conf
|
||
|
index 67a5155..5dc3848 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named2.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named2.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named3.conf b/bin/tests/system/geoip/ns2/named3.conf
|
||
|
index 65113a6..ebf96a9 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named3.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named3.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named4.conf b/bin/tests/system/geoip/ns2/named4.conf
|
||
|
index d2393d5..cc79dde 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named4.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named4.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named5.conf b/bin/tests/system/geoip/ns2/named5.conf
|
||
|
index 011e310..acbbdb1 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named5.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named5.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named6.conf b/bin/tests/system/geoip/ns2/named6.conf
|
||
|
index 7ef7b19..5e93510 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named6.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named6.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named7.conf b/bin/tests/system/geoip/ns2/named7.conf
|
||
|
index 118bdbe..508a650 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named7.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named7.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named8.conf b/bin/tests/system/geoip/ns2/named8.conf
|
||
|
index 9cb5c0a..60dcef2 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named8.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named8.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/geoip/ns2/named9.conf b/bin/tests/system/geoip/ns2/named9.conf
|
||
|
index af2f7ff..605b1ff 100644
|
||
|
--- a/bin/tests/system/geoip/ns2/named9.conf
|
||
|
+++ b/bin/tests/system/geoip/ns2/named9.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/ixfr/ns3/named.conf b/bin/tests/system/ixfr/ns3/named.conf
|
||
|
index c01ce54..b164968 100644
|
||
|
--- a/bin/tests/system/ixfr/ns3/named.conf
|
||
|
+++ b/bin/tests/system/ixfr/ns3/named.conf
|
||
|
@@ -31,7 +31,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/ixfr/ns4/named.conf b/bin/tests/system/ixfr/ns4/named.conf
|
||
|
index b8c8e8c..073d1a9 100644
|
||
|
--- a/bin/tests/system/ixfr/ns4/named.conf
|
||
|
+++ b/bin/tests/system/ixfr/ns4/named.conf
|
||
|
@@ -30,7 +30,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh
|
||
|
index 7e68ebc..9b3b96d 100644
|
||
|
--- a/bin/tests/system/ixfr/setup.sh
|
||
|
+++ b/bin/tests/system/ixfr/setup.sh
|
||
|
@@ -34,7 +34,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/logfileconfig/ns1/named.dirconf b/bin/tests/system/logfileconfig/ns1/named.dirconf
|
||
|
index 9cbd039..3621c2f 100644
|
||
|
--- a/bin/tests/system/logfileconfig/ns1/named.dirconf
|
||
|
+++ b/bin/tests/system/logfileconfig/ns1/named.dirconf
|
||
|
@@ -46,7 +46,7 @@ controls {
|
||
|
};
|
||
|
|
||
|
key "rndc-key" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "Am9vCg==";
|
||
|
};
|
||
|
|
||
|
diff --git a/bin/tests/system/logfileconfig/ns1/named.pipeconf b/bin/tests/system/logfileconfig/ns1/named.pipeconf
|
||
|
index bf5d02f..94c10f4 100644
|
||
|
--- a/bin/tests/system/logfileconfig/ns1/named.pipeconf
|
||
|
+++ b/bin/tests/system/logfileconfig/ns1/named.pipeconf
|
||
|
@@ -46,7 +46,7 @@ controls {
|
||
|
};
|
||
|
|
||
|
key "rndc-key" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "Am9vCg==";
|
||
|
};
|
||
|
|
||
|
diff --git a/bin/tests/system/logfileconfig/ns1/named.plain b/bin/tests/system/logfileconfig/ns1/named.plain
|
||
|
index 64cfbfa..a404577 100644
|
||
|
--- a/bin/tests/system/logfileconfig/ns1/named.plain
|
||
|
+++ b/bin/tests/system/logfileconfig/ns1/named.plain
|
||
|
@@ -46,7 +46,7 @@ controls {
|
||
|
};
|
||
|
|
||
|
key "rndc-key" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "Am9vCg==";
|
||
|
};
|
||
|
|
||
|
diff --git a/bin/tests/system/logfileconfig/ns1/named.symconf b/bin/tests/system/logfileconfig/ns1/named.symconf
|
||
|
index fc3f9bd..7c42619 100644
|
||
|
--- a/bin/tests/system/logfileconfig/ns1/named.symconf
|
||
|
+++ b/bin/tests/system/logfileconfig/ns1/named.symconf
|
||
|
@@ -46,7 +46,7 @@ controls {
|
||
|
};
|
||
|
|
||
|
key "rndc-key" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "Am9vCg==";
|
||
|
};
|
||
|
|
||
|
diff --git a/bin/tests/system/logfileconfig/ns1/rndc.conf b/bin/tests/system/logfileconfig/ns1/rndc.conf
|
||
|
index f7fe7aa..2f3d0ab 100644
|
||
|
--- a/bin/tests/system/logfileconfig/ns1/rndc.conf
|
||
|
+++ b/bin/tests/system/logfileconfig/ns1/rndc.conf
|
||
|
@@ -26,6 +26,6 @@ server localhost {
|
||
|
};
|
||
|
|
||
|
key "rndc-key" {
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
secret "Am9vCg==";
|
||
|
};
|
||
|
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
|
||
|
index 3492b4c..86fe91d 100644
|
||
|
--- a/bin/tests/system/nsupdate/ns1/named.conf
|
||
|
+++ b/bin/tests/system/nsupdate/ns1/named.conf
|
||
|
@@ -34,7 +34,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf
|
||
|
index 48b8adf..0c8bdec 100644
|
||
|
--- a/bin/tests/system/pkcs11/ns1/named.conf
|
||
|
+++ b/bin/tests/system/pkcs11/ns1/named.conf
|
||
|
@@ -32,7 +32,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/resolver/ns4/named.conf b/bin/tests/system/resolver/ns4/named.conf
|
||
|
index 353cfe7..7fe14df 100644
|
||
|
--- a/bin/tests/system/resolver/ns4/named.conf
|
||
|
+++ b/bin/tests/system/resolver/ns4/named.conf
|
||
|
@@ -59,7 +59,7 @@ zone "broken" {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh
|
||
|
index 2fcfcfb..7e16cb4 100644
|
||
|
--- a/bin/tests/system/rndc/clean.sh
|
||
|
+++ b/bin/tests/system/rndc/clean.sh
|
||
|
@@ -22,3 +22,5 @@ rm -f ns2/named.stats
|
||
|
rm -f ns3/named_dump.db
|
||
|
rm -f ns*/named.memstats
|
||
|
rm -f ns*/named.run
|
||
|
+rm -f random.data
|
||
|
+rm -f ns4/*.conf
|
||
|
diff --git a/bin/tests/system/rndc/ns2/named.conf b/bin/tests/system/rndc/ns2/named.conf
|
||
|
index 12d6f14..e94bfe9 100644
|
||
|
--- a/bin/tests/system/rndc/ns2/named.conf
|
||
|
+++ b/bin/tests/system/rndc/ns2/named.conf
|
||
|
@@ -29,12 +29,12 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
key secondkey {
|
||
|
secret "abcd1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/rndc/ns2/secondkey.conf b/bin/tests/system/rndc/ns2/secondkey.conf
|
||
|
index 99a876c..0445299 100644
|
||
|
--- a/bin/tests/system/rndc/ns2/secondkey.conf
|
||
|
+++ b/bin/tests/system/rndc/ns2/secondkey.conf
|
||
|
@@ -22,5 +22,5 @@ options {
|
||
|
|
||
|
key secondkey {
|
||
|
secret "abcd1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
diff --git a/bin/tests/system/rndc/ns3/named.conf b/bin/tests/system/rndc/ns3/named.conf
|
||
|
index 9feefac..b8e0780 100644
|
||
|
--- a/bin/tests/system/rndc/ns3/named.conf
|
||
|
+++ b/bin/tests/system/rndc/ns3/named.conf
|
||
|
@@ -28,12 +28,12 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
key secondkey {
|
||
|
secret "abcd1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/rndc/ns4/3bf305731dd26307.nta b/bin/tests/system/rndc/ns4/3bf305731dd26307.nta
|
||
|
new file mode 100644
|
||
|
index 0000000..2f5d3cd
|
||
|
--- /dev/null
|
||
|
+++ b/bin/tests/system/rndc/ns4/3bf305731dd26307.nta
|
||
|
@@ -0,0 +1,3 @@
|
||
|
+nta1.example. regular 20171113185318
|
||
|
+nta2.example. regular 20171114165318
|
||
|
+nta3.example. regular 20171120165318
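Review bot: This fixture does not appear to belong to the change: its three entries look like negative-trust-anchor records with 2017 timestamps, nothing in the commit message mentions ns4 needing such a file, and the rndc tests added in this patch only exercise key algorithms, so it reads as a stray working-tree file swept into the patch. If it is intentional, setup.sh should say what it is for and clean.sh (which this patch teaches to remove only `random.data` and `ns4/*.conf`) should remove it too; otherwise it should be dropped from the commit.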
|
||
|
diff --git a/bin/tests/system/rndc/ns4/named.conf.in b/bin/tests/system/rndc/ns4/named.conf.in
|
||
|
new file mode 100644
|
||
|
index 0000000..9f926f6
|
||
|
--- /dev/null
|
||
|
+++ b/bin/tests/system/rndc/ns4/named.conf.in
|
||
|
@@ -0,0 +1,28 @@
|
||
|
+/*
|
||
|
+ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
|
||
|
+ *
|
||
|
+ * Permission to use, copy, modify, and/or distribute this software for any
|
||
|
+ * purpose with or without fee is hereby granted, provided that the above
|
||
|
+ * copyright notice and this permission notice appear in all copies.
|
||
|
+ *
|
||
|
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||
|
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||
|
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||
|
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||
|
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||
|
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||
|
+ * PERFORMANCE OF THIS SOFTWARE.
|
||
|
+ */
|
||
|
+
|
||
|
+/* $Id$ */
|
||
|
+
|
||
|
+controls { /* empty */ };
|
||
|
+
|
||
|
+options {
|
||
|
+ port 5300;
|
||
|
+ pid-file "named.pid";
|
||
|
+ listen-on { 10.53.0.4; };
|
||
|
+ listen-on-v6 { none; };
|
||
|
+ recursion no;
|
||
|
+};
|
||
|
+
|
||
|
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||
|
index aed84af..ce80005 100644
|
||
|
--- a/bin/tests/system/rndc/setup.sh
|
||
|
+++ b/bin/tests/system/rndc/setup.sh
|
||
|
@@ -10,14 +10,36 @@
|
||
|
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||
|
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||
|
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||
|
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||
|
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN
|
||
|
+# -r random.dataCE
|
||
|
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||
|
# PERFORMANCE OF THIS SOFTWARE.
|
||
|
|
||
|
# $Id: setup.sh,v 1.2 2011/03/21 18:06:06 each Exp $
|
||
|
|
||
|
+SYSTEMTESTTOP=..
|
||
|
+. $SYSTEMTESTTOP/conf.sh
|
||
|
+
|
||
|
sh clean.sh
|
||
|
|
||
|
+../../../tools/genrandom 400 random.data
|
||
|
+
|
||
|
sh ../genzone.sh 2 >ns2/nil.db
|
||
|
sh ../genzone.sh 2 >ns2/other.db
|
||
|
sh ../genzone.sh 2 >ns2/static.db
|
||
|
+
|
||
|
+cat ns4/named.conf.in > ns4/named.conf
|
||
|
+
|
||
|
+make_key () {
|
||
|
+ $RNDCCONFGEN -r random.data -k key$1 -A $2 -s 10.53.0.4 -p 995${1} \
|
||
|
+ > ns4/key${1}.conf
|
||
|
+ egrep -v '(Start|End|Use|^[^#])' ns4/key$1.conf | cut -c3- | \
|
||
|
+ sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||
|
+}
|
||
|
+
|
||
|
+make_key 1 hmac-md5
|
||
|
+make_key 2 hmac-sha1
|
||
|
+make_key 3 hmac-sha224
|
||
|
+make_key 4 hmac-sha256
|
||
|
+make_key 5 hmac-sha384
|
||
|
+make_key 6 hmac-sha512
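Review bot: The license header is corrupted by a stray paste: the new lines `+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN` and `+# -r random.dataCE` split the word NEGLIGENCE around "-r random.data", which already appears where it belongs in the `$RNDCCONFGEN` invocation inside make_key; the two lines should collapse back to the original single comment line `# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE`. Separately, make_key appends what looks like the commented named.conf snippet from `$RNDCCONFGEN` output without checking the tool's exit status, so a generation failure (for instance an algorithm name the installed tool rejects) silently leaves ns4/named.conf without that key's entry and only shows up later as an unexplained tests.sh failure; `$RNDCCONFGEN -r random.data -k key$1 -A $2 -s 10.53.0.4 -p 995${1} > ns4/key${1}.conf || { echo "I:rndc-confgen failed for $2"; exit 1; }` would surface it at setup time.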
|
||
|
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||
|
index a558e19..947987b 100644
|
||
|
--- a/bin/tests/system/rndc/tests.sh
|
||
|
+++ b/bin/tests/system/rndc/tests.sh
|
||
|
@@ -245,5 +245,65 @@ done
|
||
|
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||
|
status=`expr $status + $ret`
|
||
|
|
||
|
+echo "I:testing rndc with hmac-md5"
|
||
|
+ret=0
|
||
|
+$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||
|
+for i in 2 3 4 5 6
|
||
|
+do
|
||
|
+ $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||
|
+done
|
||
|
+if [ $ret != 0 ]; then echo "I:failed"; fi
|
||
|
+status=`expr $status + $ret`
|
||
|
+
|
||
|
+echo "I:testing rndc with hmac-sha1"
|
||
|
+ret=0
|
||
|
+$RNDC -s 10.53.0.4 -p 9952 -c ns4/key2.conf status > /dev/null 2>&1 || ret=1
|
||
|
+for i in 1 3 4 5 6
|
||
|
+do
|
||
|
+ $RNDC -s 10.53.0.4 -p 9952 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||
|
+done
|
||
|
+if [ $ret != 0 ]; then echo "I:failed"; fi
|
||
|
+status=`expr $status + $ret`
|
||
|
+
|
||
|
+echo "I:testing rndc with hmac-sha224"
|
||
|
+ret=0
|
||
|
+$RNDC -s 10.53.0.4 -p 9953 -c ns4/key3.conf status > /dev/null 2>&1 || ret=1
|
||
|
+for i in 1 2 4 5 6
|
||
|
+do
|
||
|
+ $RNDC -s 10.53.0.4 -p 9953 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||
|
+done
|
||
|
+if [ $ret != 0 ]; then echo "I:failed"; fi
|
||
|
+status=`expr $status + $ret`
|
||
|
+
|
||
|
+echo "I:testing rndc with hmac-sha256"
|
||
|
+ret=0
|
||
|
+$RNDC -s 10.53.0.4 -p 9954 -c ns4/key4.conf status > /dev/null 2>&1 || ret=1
|
||
|
+for i in 1 2 3 5 6
|
||
|
+do
|
||
|
+ $RNDC -s 10.53.0.4 -p 9954 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||
|
+done
|
||
|
+if [ $ret != 0 ]; then echo "I:failed"; fi
|
||
|
+status=`expr $status + $ret`
|
||
|
+
|
||
|
+echo "I:testing rndc with hmac-sha384"
|
||
|
+ret=0
|
||
|
+$RNDC -s 10.53.0.4 -p 9955 -c ns4/key5.conf status > /dev/null 2>&1 || ret=1
|
||
|
+for i in 1 2 3 4 6
|
||
|
+do
|
||
|
+ $RNDC -s 10.53.0.4 -p 9955 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||
|
+done
|
||
|
+if [ $ret != 0 ]; then echo "I:failed"; fi
|
||
|
+status=`expr $status + $ret`
|
||
|
+
|
||
|
+echo "I:testing rndc with hmac-sha512"
|
||
|
+ret=0
|
||
|
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf status > /dev/null 2>&1 || ret=1
|
||
|
+for i in 1 2 3 4 5
|
||
|
+do
|
||
|
+ $RNDC -s 10.53.0.4 -p 9956 -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1
|
||
|
+done
|
||
|
+if [ $ret != 0 ]; then echo "I:failed"; fi
|
||
|
+status=`expr $status + $ret`
|
||
|
+
|
||
|
echo "I:exit status: $status"
|
||
|
exit $status
|
||
|
diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf
|
||
|
index 4553b97..1e73a88 100644
|
||
|
--- a/bin/tests/system/rpz/ns3/named.conf
|
||
|
+++ b/bin/tests/system/rpz/ns3/named.conf
|
||
|
@@ -52,7 +52,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
controls {
|
||
|
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
|
||
|
diff --git a/bin/tests/system/rpz/ns5/named.conf b/bin/tests/system/rpz/ns5/named.conf
|
||
|
index 82b6fde..df63189 100644
|
||
|
--- a/bin/tests/system/rpz/ns5/named.conf
|
||
|
+++ b/bin/tests/system/rpz/ns5/named.conf
|
||
|
@@ -40,7 +40,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
controls {
|
||
|
inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
|
||
|
diff --git a/bin/tests/system/rrl/ns2/named.conf b/bin/tests/system/rrl/ns2/named.conf
|
||
|
index cc261cb..748639c 100644
|
||
|
--- a/bin/tests/system/rrl/ns2/named.conf
|
||
|
+++ b/bin/tests/system/rrl/ns2/named.conf
|
||
|
@@ -44,7 +44,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
controls {
|
||
|
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
|
||
|
diff --git a/bin/tests/system/staticstub/ns3/named.conf.in b/bin/tests/system/staticstub/ns3/named.conf.in
|
||
|
index 159a4be..dbf9b17 100644
|
||
|
--- a/bin/tests/system/staticstub/ns3/named.conf.in
|
||
|
+++ b/bin/tests/system/staticstub/ns3/named.conf.in
|
||
|
@@ -32,7 +32,7 @@
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/stress/ns3/named.conf b/bin/tests/system/stress/ns3/named.conf
|
||
|
index 9ff09d7..f8695bc 100644
|
||
|
--- a/bin/tests/system/stress/ns3/named.conf
|
||
|
+++ b/bin/tests/system/stress/ns3/named.conf
|
||
|
@@ -34,7 +34,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
|
||
|
index b0f1700..6225563 100644
|
||
|
--- a/bin/tests/system/tkey/ns1/named.conf.in
|
||
|
+++ b/bin/tests/system/tkey/ns1/named.conf.in
|
||
|
@@ -37,7 +37,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/tsiggss/ns1/named.conf b/bin/tests/system/tsiggss/ns1/named.conf
|
||
|
index 645d578..3084a1b 100644
|
||
|
--- a/bin/tests/system/tsiggss/ns1/named.conf
|
||
|
+++ b/bin/tests/system/tsiggss/ns1/named.conf
|
||
|
@@ -34,7 +34,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/views/ns3/named1.conf b/bin/tests/system/views/ns3/named1.conf
|
||
|
index 9723e08..8071dbf 100644
|
||
|
--- a/bin/tests/system/views/ns3/named1.conf
|
||
|
+++ b/bin/tests/system/views/ns3/named1.conf
|
||
|
@@ -34,7 +34,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/views/ns3/named2.conf b/bin/tests/system/views/ns3/named2.conf
|
||
|
index 27d4955..2804059 100644
|
||
|
--- a/bin/tests/system/views/ns3/named2.conf
|
||
|
+++ b/bin/tests/system/views/ns3/named2.conf
|
||
|
@@ -34,7 +34,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/xfer/ns3/named.conf b/bin/tests/system/xfer/ns3/named.conf
|
||
|
index 5f742d2..0ea4663 100644
|
||
|
--- a/bin/tests/system/xfer/ns3/named.conf
|
||
|
+++ b/bin/tests/system/xfer/ns3/named.conf
|
||
|
@@ -34,7 +34,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
controls {
|
||
|
diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
|
||
|
index 231fcfa..ecab46a 100644
|
||
|
--- a/bin/tests/system/xfer/ns4/named.conf.base
|
||
|
+++ b/bin/tests/system/xfer/ns4/named.conf.base
|
||
|
@@ -30,7 +30,7 @@ options {
|
||
|
|
||
|
key rndc_key {
|
||
|
secret "1234abcd8765";
|
||
|
- algorithm hmac-md5;
|
||
|
+ algorithm hmac-sha256;
|
||
|
};
|
||
|
|
||
|
key unused_key. {
|
||
|
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
|
||
|
index 10e5dc9..9428374 100644
|
||
|
--- a/lib/isccc/cc.c
|
||
|
+++ b/lib/isccc/cc.c
|
||
|
@@ -41,6 +41,7 @@
|
||
|
|
||
|
#include <isc/assertions.h>
|
||
|
#include <isc/hmacmd5.h>
|
||
|
+#include <isc/hmacsha.h>
|
||
|
#include <isc/print.h>
|
||
|
#include <isc/safe.h>
|
||
|
#include <isc/stdlib.h>
|
||
|
@@ -78,6 +79,34 @@ static unsigned char auth_hmd5[] = {
|
||
|
#define HMD5_OFFSET 21 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
|
||
|
#define HMD5_LENGTH 22
|
||
|
|
||
|
+static unsigned char auth_hsha[] = {
|
||
|
+ 0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
|
||
|
+ ISCCC_CCMSGTYPE_TABLE, /*%< message type */
|
||
|
+ 0x00, 0x00, 0x00, 0x63, /*%< length == 99 */
|
||
|
+ 0x04, 0x68, 0x73, 0x68, 0x61, /*%< len + hsha */
|
||
|
+ ISCCC_CCMSGTYPE_BINARYDATA, /*%< message type */
|
||
|
+ 0x00, 0x00, 0x00, 0x59, /*%< length == 89 */
|
||
|
+ 0x00, /*%< algorithm */
|
||
|
+ /*
|
||
|
+ * The base64 encoding of one of our HMAC-SHA* signatures is
|
||
|
+ * 88 bytes.
|
||
|
+ */
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||
|
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
||
|
+};
|
||
|
+
|
||
|
+#define HSHA_OFFSET 22 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */
|
||
|
+#define HSHA_LENGTH 88
|
||
|
+
|
||
|
static isc_result_t
|
||
|
table_towire(isccc_sexpr_t *alist, isccc_region_t *target);
|
||
|
|
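Review bot: The comment on the new offset does not match its value: `#define HSHA_OFFSET 22 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */` — the terms sum to 22 (the HMD5 breakdown plus the one-byte algorithm field that precedes the signature), so it should read `/*%< 22 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */`. The comment inside `auth_hsha`, "The base64 encoding of one of our HMAC-SHA* signatures is 88 bytes", holds only for HMAC-SHA512; the shorter digests encode to fewer characters and, as sign() in the next hunk shows, the rest of the 88-byte field is left as the template's zeros, which both ends of the protocol have to agree on. Suggest replacing it with `/* 88 bytes holds the base64 of an HMAC-SHA512 digest; shorter HMAC-SHA* digests are zero-padded to this length on the wire. */`.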
||
|
@@ -205,53 +234,133 @@ list_towire(isccc_sexpr_t *list, isccc_region_t *target)
|
||
|
}
|
||
|
|
||
|
static isc_result_t
|
||
|
-sign(unsigned char *data, unsigned int length, unsigned char *hmd5,
|
||
|
- isccc_region_t *secret)
|
||
|
+sign(unsigned char *data, unsigned int length, unsigned char *hmac,
|
||
|
+ isc_uint32_t algorithm, isccc_region_t *secret)
|
||
|
{
|
||
|
- isc_hmacmd5_t ctx;
|
||
|
+ union {
|
||
|
+ isc_hmacmd5_t hmd5;
|
||
|
+ isc_hmacsha1_t hsha;
|
||
|
+ isc_hmacsha224_t h224;
|
||
|
+ isc_hmacsha256_t h256;
|
||
|
+ isc_hmacsha384_t h384;
|
||
|
+ isc_hmacsha512_t h512;
|
||
|
+ } ctx;
|
||
|
isc_result_t result;
|
||
|
isccc_region_t source, target;
|
||
|
- unsigned char digest[ISC_MD5_DIGESTLENGTH];
|
||
|
- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
|
||
|
+ unsigned char digest[ISC_SHA512_DIGESTLENGTH];
|
||
|
+ unsigned char digestb64[HSHA_LENGTH + 4];
|
||
|
|
||
|
- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
|
||
|
- isc_hmacmd5_update(&ctx, data, length);
|
||
|
- isc_hmacmd5_sign(&ctx, digest);
|
||
|
source.rstart = digest;
|
||
|
- source.rend = digest + ISC_MD5_DIGESTLENGTH;
|
||
|
+
|
||
|
+ switch (algorithm) {
|
||
|
+ case ISCCC_ALG_HMACMD5:
|
||
|
+ isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacmd5_update(&ctx.hmd5, data, length);
|
||
|
+ isc_hmacmd5_sign(&ctx.hmd5, digest);
|
||
|
+ source.rend = digest + ISC_MD5_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA1:
|
||
|
+ isc_hmacsha1_init(&ctx.hsha, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha1_update(&ctx.hsha, data, length);
|
||
|
+ isc_hmacsha1_sign(&ctx.hsha, digest,
|
||
|
+ ISC_SHA1_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA1_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA224:
|
||
|
+ isc_hmacsha224_init(&ctx.h224, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha224_update(&ctx.h224, data, length);
|
||
|
+ isc_hmacsha224_sign(&ctx.h224, digest,
|
||
|
+ ISC_SHA224_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA224_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA256:
|
||
|
+ isc_hmacsha256_init(&ctx.h256, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha256_update(&ctx.h256, data, length);
|
||
|
+ isc_hmacsha256_sign(&ctx.h256, digest,
|
||
|
+ ISC_SHA256_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA256_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA384:
|
||
|
+ isc_hmacsha384_init(&ctx.h384, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha384_update(&ctx.h384, data, length);
|
||
|
+ isc_hmacsha384_sign(&ctx.h384, digest,
|
||
|
+ ISC_SHA384_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA384_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA512:
|
||
|
+ isc_hmacsha512_init(&ctx.h512, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha512_update(&ctx.h512, data, length);
|
||
|
+ isc_hmacsha512_sign(&ctx.h512, digest,
|
||
|
+ ISC_SHA512_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA512_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ default:
|
||
|
+ return (ISC_R_FAILURE);
|
||
|
+ }
|
||
|
+
|
||
|
+ memset(digestb64, 0, sizeof(digestb64));
|
||
|
target.rstart = digestb64;
|
||
|
- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
|
||
|
+ target.rend = digestb64 + sizeof(digestb64);
|
||
|
result = isccc_base64_encode(&source, 64, "", &target);
|
||
|
if (result != ISC_R_SUCCESS)
|
||
|
return (result);
|
||
|
- PUT_MEM(digestb64, HMD5_LENGTH, hmd5);
|
||
|
-
|
||
|
+ if (algorithm == ISCCC_ALG_HMACMD5)
|
||
|
+ PUT_MEM(digestb64, HMD5_LENGTH, hmac);
|
||
|
+ else
|
||
|
+ PUT_MEM(digestb64, HSHA_LENGTH, hmac);
|
||
|
return (ISC_R_SUCCESS);
|
||
|
}
|
||
|
|
||
|
isc_result_t
|
||
|
isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
|
||
|
- isccc_region_t *secret)
|
||
|
+ isc_uint32_t algorithm, isccc_region_t *secret)
|
||
|
{
|
||
|
- unsigned char *hmd5_rstart, *signed_rstart;
|
||
|
+ unsigned char *hmac_rstart, *signed_rstart;
|
||
|
isc_result_t result;
|
||
|
|
||
|
- if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
|
||
|
- return (ISC_R_NOSPACE);
|
||
|
+ if (algorithm == ISCCC_ALG_HMACMD5) {
|
||
|
+ if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
|
||
|
+ return (ISC_R_NOSPACE);
|
||
|
+ } else {
|
||
|
+ if (REGION_SIZE(*target) < 4 + sizeof(auth_hsha))
|
||
|
+ return (ISC_R_NOSPACE);
|
||
|
+ }
|
||
|
+
|
||
|
/*
|
||
|
* Emit protocol version.
|
||
|
*/
|
||
|
PUT32(1, target->rstart);
|
||
|
if (secret != NULL) {
|
||
|
/*
|
||
|
- * Emit _auth section with zeroed HMAC-MD5 signature.
|
||
|
+ * Emit _auth section with zeroed HMAC signature.
|
||
|
* We'll replace the zeros with the real signature once
|
||
|
* we know what it is.
|
||
|
*/
|
||
|
- hmd5_rstart = target->rstart + HMD5_OFFSET;
|
||
|
- PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
|
||
|
+ if (algorithm == ISCCC_ALG_HMACMD5) {
|
||
|
+ hmac_rstart = target->rstart + HMD5_OFFSET;
|
||
|
+ PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
|
||
|
+ } else {
|
||
|
+ unsigned char *hmac_alg;
|
||
|
+
|
||
|
+ hmac_rstart = target->rstart + HSHA_OFFSET;
|
||
|
+ hmac_alg = hmac_rstart - 1;
|
||
|
+ PUT_MEM(auth_hsha, sizeof(auth_hsha), target->rstart);
|
||
|
+ PUT8(algorithm, hmac_alg);
|
||
|
+ }
|
||
|
} else
|
||
|
- hmd5_rstart = NULL;
|
||
|
+ hmac_rstart = NULL;
|
||
|
signed_rstart = target->rstart;
|
||
|
/*
|
||
|
* Delete any existing _auth section so that we don't try
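Review bot: `digestb64` is sized `HSHA_LENGTH + 4` in sign() here but `HSHA_LENGTH * 4` in verify() (the `@@ -266,21` hunk); both feed the same `isccc_base64_encode` call and the same 88-byte field, so they should share one size — either is large enough for an 88-character encoding, but an inconsistent pair invites a later copy-paste error. The `memset(digestb64, 0, sizeof(digestb64));` deserves a why-comment, because the trailing zeros are not incidental: `PUT_MEM(digestb64, HSHA_LENGTH, hmac)` copies all 88 bytes, so digests shorter than SHA-512 go out zero-padded, and verify() must compare the whole padded field the same way — `/* zero-fill: digests shorter than SHA-512 leave the rest of the 88-byte field as zeros, which verify() must match */`; the verify body is cut off in this chunk so I cannot confirm it mirrors this. An unknown `algorithm` is only rejected at the end of sign() (`default: return (ISC_R_FAILURE);`), after isccc_cc_towire has already written the `auth_hsha` template and the `PUT8`-truncated algorithm byte into target; checking the value at the top of isccc_cc_towire before any bytes are emitted would avoid returning failure with a partially written buffer. isccc_cc_towire continues into the next hunk.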
|
||
|
@@ -266,21 +375,28 @@ isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
|
||
|
return (result);
|
||
|
if (secret != NULL)
|
||
|
return (sign(signed_rstart, (target->rstart - signed_rstart),
|
||
|
- hmd5_rstart, secret));
|
||
|
+ hmac_rstart, algorithm, secret));
|
||
|
return (ISC_R_SUCCESS);
|
||
|
}
|
||
|
|
||
|
static isc_result_t
|
||
|
verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
|
||
|
- isccc_region_t *secret)
|
||
|
+ isc_uint32_t algorithm, isccc_region_t *secret)
|
||
|
{
|
||
|
- isc_hmacmd5_t ctx;
|
||
|
+ union {
|
||
|
+ isc_hmacmd5_t hmd5;
|
||
|
+ isc_hmacsha1_t hsha;
|
||
|
+ isc_hmacsha224_t h224;
|
||
|
+ isc_hmacsha256_t h256;
|
||
|
+ isc_hmacsha384_t h384;
|
||
|
+ isc_hmacsha512_t h512;
|
||
|
+ } ctx;
|
||
|
isccc_region_t source;
|
||
|
isccc_region_t target;
|
||
|
isc_result_t result;
|
||
|
- isccc_sexpr_t *_auth, *hmd5;
|
||
|
- unsigned char digest[ISC_MD5_DIGESTLENGTH];
|
||
|
- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
|
||
|
+ isccc_sexpr_t *_auth, *hmac;
|
||
|
+ unsigned char digest[ISC_SHA512_DIGESTLENGTH];
|
||
|
+ unsigned char digestb64[HSHA_LENGTH * 4];
|
||
|
|
||
|
/*
|
||
|
* Extract digest.
|
||
|
@@ -288,40 +404,107 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
|
||
|
_auth = isccc_alist_lookup(alist, "_auth");
|
||
|
if (!isccc_alist_alistp(_auth))
|
||
|
return (ISC_R_FAILURE);
|
||
|
- hmd5 = isccc_alist_lookup(_auth, "hmd5");
|
||
|
- if (!isccc_sexpr_binaryp(hmd5))
|
||
|
+ if (algorithm == ISCCC_ALG_HMACMD5)
|
||
|
+ hmac = isccc_alist_lookup(_auth, "hmd5");
|
||
|
+ else
|
||
|
+ hmac = isccc_alist_lookup(_auth, "hsha");
|
||
|
+ if (!isccc_sexpr_binaryp(hmac))
|
||
|
return (ISC_R_FAILURE);
|
||
|
/*
|
||
|
* Compute digest.
|
||
|
*/
|
||
|
- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
|
||
|
- isc_hmacmd5_update(&ctx, data, length);
|
||
|
- isc_hmacmd5_sign(&ctx, digest);
|
||
|
source.rstart = digest;
|
||
|
- source.rend = digest + ISC_MD5_DIGESTLENGTH;
|
||
|
target.rstart = digestb64;
|
||
|
- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
|
||
|
+ switch (algorithm) {
|
||
|
+ case ISCCC_ALG_HMACMD5:
|
||
|
+ isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacmd5_update(&ctx.hmd5, data, length);
|
||
|
+ isc_hmacmd5_sign(&ctx.hmd5, digest);
|
||
|
+ source.rend = digest + ISC_MD5_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA1:
|
||
|
+ isc_hmacsha1_init(&ctx.hsha, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha1_update(&ctx.hsha, data, length);
|
||
|
+ isc_hmacsha1_sign(&ctx.hsha, digest,
|
||
|
+ ISC_SHA1_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA1_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA224:
|
||
|
+ isc_hmacsha224_init(&ctx.h224, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha224_update(&ctx.h224, data, length);
|
||
|
+ isc_hmacsha224_sign(&ctx.h224, digest,
|
||
|
+ ISC_SHA224_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA224_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA256:
|
||
|
+ isc_hmacsha256_init(&ctx.h256, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha256_update(&ctx.h256, data, length);
|
||
|
+ isc_hmacsha256_sign(&ctx.h256, digest,
|
||
|
+ ISC_SHA256_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA256_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA384:
|
||
|
+ isc_hmacsha384_init(&ctx.h384, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha384_update(&ctx.h384, data, length);
|
||
|
+ isc_hmacsha384_sign(&ctx.h384, digest,
|
||
|
+ ISC_SHA384_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA384_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ case ISCCC_ALG_HMACSHA512:
|
||
|
+ isc_hmacsha512_init(&ctx.h512, secret->rstart,
|
||
|
+ REGION_SIZE(*secret));
|
||
|
+ isc_hmacsha512_update(&ctx.h512, data, length);
|
||
|
+ isc_hmacsha512_sign(&ctx.h512, digest,
|
||
|
+ ISC_SHA512_DIGESTLENGTH);
|
||
|
+ source.rend = digest + ISC_SHA512_DIGESTLENGTH;
|
||
|
+ break;
|
||
|
+
|
||
|
+ default:
|
||
|
+ return (ISC_R_FAILURE);
|
||
|
+ }
|
||
|
+ target.rstart = digestb64;
|
||
|
+ target.rend = digestb64 + sizeof(digestb64);
|
||
|
+ memset(digestb64, 0, sizeof(digestb64));
|
||
|
result = isccc_base64_encode(&source, 64, "", &target);
|
||
|
if (result != ISC_R_SUCCESS)
|
||
|
return (result);
|
||
|
- /*
|
||
|
- * Strip trailing == and NUL terminate target.
|
||
|
- */
|
||
|
- target.rstart -= 2;
|
||
|
- *target.rstart++ = '\0';
|
||
|
+
|
||
|
/*
|
||
|
* Verify.
|
||
|
*/
|
||
|
- if (!isc_safe_memcmp((unsigned char *) isccc_sexpr_tostring(hmd5),
|
||
|
- digestb64, HMD5_LENGTH))
|
||
|
- return (ISCCC_R_BADAUTH);
|
||
|
+ if (algorithm == ISCCC_ALG_HMACMD5) {
|
||
|
+ unsigned char *value;
|
||
|
+
|
||
|
+ value = (unsigned char *) isccc_sexpr_tostring(hmac);
|
||
|
+ if (memcmp(value, digestb64, HMD5_LENGTH) != 0)
|
||
|
+ return (ISCCC_R_BADAUTH);
|
||
|
+ } else {
|
||
|
+ unsigned char *value;
|
||
|
+ isc_uint32_t valalg;
|
||
|
+
|
||
|
+ value = (unsigned char *) isccc_sexpr_tostring(hmac);
|
||
|
+ GET8(valalg, value);
|
||
|
+ if ((valalg != algorithm) ||
|
||
|
+ (memcmp(value, digestb64, HSHA_LENGTH) != 0))
|
||
|
+ return (ISCCC_R_BADAUTH);
|
||
|
+ }
|
||
|
|
||
|
return (ISC_R_SUCCESS);
|
||
|
}
|
||
|
|
||
|
static isc_result_t
|
||
|
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
||
|
- isccc_sexpr_t **alistp);
|
||
|
+ isc_uint32_t algorithm, isccc_sexpr_t **alistp);
|
||
|
|
||
|
static isc_result_t
|
||
|
list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
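Review bot: The two new comparisons, `if (memcmp(value, digestb64, HMD5_LENGTH) != 0)` and `(memcmp(value, digestb64, HSHA_LENGTH) != 0)`, replace the removed `isc_safe_memcmp` call, so the HMAC check is no longer constant-time; a comparison that stops at the first differing byte exposes through its timing how much of the expected digest a message matched. Keep the constant-time helper in both branches as the removed code did, `if (!isc_safe_memcmp(value, digestb64, HMD5_LENGTH))` and `(!isc_safe_memcmp(value, digestb64, HSHA_LENGTH))`; the helper's return convention is taken from the removed line and should be confirmed. Separately, in the hsha branch `GET8(valalg, value)` followed by the memcmp reads 1 + HSHA_LENGTH bytes from the sexpr's binary value, but only `isccc_sexpr_binaryp(hmac)` is checked, never its length, so a shorter value is read past its end; check the binary value's length against 1 + HSHA_LENGTH (and HMD5_LENGTH in the md5 branch) and return ISCCC_R_BADAUTH before comparing.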
|
||
|
@@ -352,7 +535,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
|
||
|
} else
|
||
|
result = ISC_R_NOMEMORY;
|
||
|
} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
|
||
|
- result = table_fromwire(&active, NULL, valuep);
|
||
|
+ result = table_fromwire(&active, NULL, 0, valuep);
|
||
|
else if (msgtype == ISCCC_CCMSGTYPE_LIST)
|
||
|
result = list_fromwire(&active, valuep);
|
||
|
else
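Review bot: The bare `0` in `result = table_fromwire(&active, NULL, 0, valuep);` is the new algorithm argument, and the header in this same patch names that value, so `result = table_fromwire(&active, NULL, ISCCC_ALG_UNKNOWN, valuep);` says what is meant. Nested tables are parsed here with a NULL secret, so presumably no `_auth` verification happens at this level and the algorithm is irrelevant; a short comment to that effect would help the next reader. The enclosing `value_fromwire` starts and ends outside this hunk.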
|
||
|
@@ -363,7 +546,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
|
||
|
|
||
|
static isc_result_t
|
||
|
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
||
|
- isccc_sexpr_t **alistp)
|
||
|
+ isc_uint32_t algorithm, isccc_sexpr_t **alistp)
|
||
|
{
|
||
|
char key[256];
|
||
|
isc_uint32_t len;
|
||
|
@@ -405,7 +588,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
||
|
if (checksum_rstart != NULL)
|
||
|
result = verify(alist, checksum_rstart,
|
||
|
(source->rend - checksum_rstart),
|
||
|
- secret);
|
||
|
+ algorithm, secret);
|
||
|
else
|
||
|
result = ISCCC_R_BADAUTH;
|
||
|
} else
|
||
|
@@ -448,7 +631,7 @@ list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp)
|
||
|
|
||
|
isc_result_t
|
||
|
isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
|
||
|
- isccc_region_t *secret)
|
||
|
+ isc_uint32_t algorithm, isccc_region_t *secret)
|
||
|
{
|
||
|
unsigned int size;
|
||
|
isc_uint32_t version;
|
||
|
@@ -460,7 +643,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
|
||
|
if (version != 1)
|
||
|
return (ISCCC_R_UNKNOWNVERSION);
|
||
|
|
||
|
- return (table_fromwire(source, secret, alistp));
|
||
|
+ return (table_fromwire(source, secret, algorithm, alistp));
|
||
|
}
|
||
|
|
||
|
static isc_result_t
|
||
|
@@ -523,8 +706,8 @@ createmessage(isc_uint32_t version, const char *from, const char *to,
|
||
|
|
||
|
isc_result_t
|
||
|
isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
|
||
|
- isc_uint32_t serial, isccc_time_t now,
|
||
|
- isccc_time_t expires, isccc_sexpr_t **alistp)
|
||
|
+ isc_uint32_t serial, isccc_time_t now,
|
||
|
+ isccc_time_t expires, isccc_sexpr_t **alistp)
|
||
|
{
|
||
|
return (createmessage(version, from, to, serial, now, expires,
|
||
|
alistp, ISC_TRUE));
|
||
|
@@ -532,7 +715,7 @@ isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
|
||
|
|
||
|
isc_result_t
|
||
|
isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
|
||
|
- isccc_sexpr_t **ackp)
|
||
|
+ isccc_sexpr_t **ackp)
|
||
|
{
|
||
|
char *_frm, *_to;
|
||
|
isc_uint32_t serial;
|
||
|
@@ -610,7 +793,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
|
||
|
|
||
|
isc_result_t
|
||
|
isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
|
||
|
- isccc_time_t expires, isccc_sexpr_t **alistp)
|
||
|
+ isccc_time_t expires, isccc_sexpr_t **alistp)
|
||
|
{
|
||
|
char *_frm, *_to, *type = NULL;
|
||
|
isc_uint32_t serial;
|
||
|
@@ -720,7 +903,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
|
||
|
|
||
|
isc_result_t
|
||
|
isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
|
||
|
- isc_uint32_t *uintp)
|
||
|
+ isc_uint32_t *uintp)
|
||
|
{
|
||
|
isccc_sexpr_t *kv, *v;
|
||
|
|
||
|
@@ -798,7 +981,7 @@ has_whitespace(const char *str)
|
||
|
|
||
|
isc_result_t
|
||
|
isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
|
||
|
- isccc_time_t now)
|
||
|
+ isccc_time_t now)
|
||
|
{
|
||
|
const char *_frm;
|
||
|
const char *_to;
|
||
|
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
|
||
|
index 79393be..777e675 100644
|
||
|
--- a/lib/isccc/include/isccc/cc.h
|
||
|
+++ b/lib/isccc/include/isccc/cc.h
|
||
|
@@ -41,6 +41,16 @@
|
||
|
|
||
|
ISC_LANG_BEGINDECLS
|
||
|
|
||
|
+/*% from lib/dns/include/dst/dst.h */
|
||
|
+
|
||
|
+#define ISCCC_ALG_UNKNOWN 0
|
||
|
+#define ISCCC_ALG_HMACMD5 157
|
||
|
+#define ISCCC_ALG_HMACSHA1 161
|
||
|
+#define ISCCC_ALG_HMACSHA224 162
|
||
|
+#define ISCCC_ALG_HMACSHA256 163
|
||
|
+#define ISCCC_ALG_HMACSHA384 164
|
||
|
+#define ISCCC_ALG_HMACSHA512 165
|
||
|
+
|
||
|
/*% Maximum Datagram Package */
|
||
|
#define ISCCC_CC_MAXDGRAMPACKET 4096
|
||
|
|
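Review bot: The new `ISCCC_ALG_*` defines copy numeric values from another library with only `/*% from lib/dns/include/dst/dst.h */` to tie them together, and the value is written to the wire as the hsha algorithm byte (`PUT8(algorithm, hmac_alg)` in cc.c) and compared on receipt (`GET8(valalg, value)`), so any drift between the two lists would silently break authentication between peers. Expand the comment to state the dependency and the wire use, e.g. `/*% Algorithm numbers; must match DST_ALG_HMAC* in lib/dns/include/dst/dst.h. The value is sent on the wire as the first byte of the hsha _auth value and must fit in 8 bits. */`.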
||
|
@@ -56,23 +66,23 @@ ISC_LANG_BEGINDECLS
|
||
|
/*% Send to Wire */
|
||
|
isc_result_t
|
||
|
isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
|
||
|
- isccc_region_t *secret);
|
||
|
+ isc_uint32_t algorithm, isccc_region_t *secret);
|
||
|
|
||
|
/*% Get From Wire */
|
||
|
isc_result_t
|
||
|
isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
|
||
|
- isccc_region_t *secret);
|
||
|
+ isc_uint32_t algorithm, isccc_region_t *secret);
|
||
|
|
||
|
/*% Create Message */
|
||
|
isc_result_t
|
||
|
isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
|
||
|
- isc_uint32_t serial, isccc_time_t now,
|
||
|
- isccc_time_t expires, isccc_sexpr_t **alistp);
|
||
|
+ isc_uint32_t serial, isccc_time_t now,
|
||
|
+ isccc_time_t expires, isccc_sexpr_t **alistp);
|
||
|
|
||
|
/*% Create Acknowledgment */
|
||
|
isc_result_t
|
||
|
isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
|
||
|
- isccc_sexpr_t **ackp);
|
||
|
+ isccc_sexpr_t **ackp);
|
||
|
|
||
|
/*% Is Ack? */
|
||
|
isc_boolean_t
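Review bot: The `/*% Send to Wire */` and `/*% Get From Wire */` comments were not updated for the new `algorithm` parameter, so a caller cannot tell from the header which values are valid or when the parameter matters. State it on both prototypes, e.g. `/*% Send to Wire; algorithm is an ISCCC_ALG_* value, used only when secret is non-NULL */` and `/*% Get From Wire; algorithm must be the one the sender signed with, used only when secret is non-NULL */`. The "only when secret is non-NULL" part follows for towire from the `if (secret != NULL) return (sign(...))` path in cc.c; for fromwire it is inferred from the `table_fromwire(&active, NULL, 0, valuep)` call and should be confirmed.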
|
||
|
@@ -85,7 +95,7 @@ isccc_cc_isreply(isccc_sexpr_t *message);
|
||
|
/*% Create Response */
|
||
|
isc_result_t
|
||
|
isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
|
||
|
- isccc_time_t expires, isccc_sexpr_t **alistp);
|
||
|
+ isccc_time_t expires, isccc_sexpr_t **alistp);
|
||
|
|
||
|
/*% Define String */
|
||
|
isccc_sexpr_t *
|
||
|
@@ -102,7 +112,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
|
||
|
/*% Lookup uint 32 */
|
||
|
isc_result_t
|
||
|
isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
|
||
|
- isc_uint32_t *uintp);
|
||
|
+ isc_uint32_t *uintp);
|
||
|
|
||
|
/*% Create Symbol Table */
|
||
|
isc_result_t
|
||
|
@@ -115,7 +125,7 @@ isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
|
||
|
/*% Check for Duplicates */
|
||
|
isc_result_t
|
||
|
isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
|
||
|
- isccc_time_t now);
|
||
|
+ isccc_time_t now);
|
||
|
|
||
|
ISC_LANG_ENDDECLS
|
||
|
|
||
|
--
|
||
|
2.9.5
|
||
|
|