Thanks Xiali Yan
* bugfix #661: Fail NSEC3 signing when NSEC domainname length
would overflow. Thanks Jan-Piet Mens.
+ * bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
+ Thanks Harald Jenny
1.6.17 2014-01-10
* Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a
/* default key size */
uint16_t def_bits = 1024;
uint16_t bits = def_bits;
+ bool had_bits = false;
bool ksk;
FILE *file;
if (bits == 0) {
fprintf(stderr, "%s: %s %d", prog, "Can not parse the -b argument, setting it to the default\n", (int) def_bits);
bits = def_bits;
- }
+ } else
+ had_bits = true;
break;
case 'k':
ksk = true;
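Review bot: The new `} else` at the end of the -b handler leaves `had_bits = true;` unbraced right next to a braced if-body; brace it (`} else {` / `had_bits = true;` / `}`) so a line added there later cannot silently fall outside the condition. Note also that a -b value which fails to parse leaves had_bits false, so for the HMAC algorithms handled further down the unusable value is replaced by each algorithm's digest-length default rather than by def_bits; that is presumably intended, but a comment such as `/* had_bits: a usable -b was given; the HMAC cases choose their own default otherwise */` would make it explicit. The option loop starts and ends outside this hunk.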
case LDNS_SIGN_RSASHA512:
if (bits < 512 || bits > 4096) {
fprintf(stderr, "For RSA, the key size must be between ");
- fprintf(stderr, " 512 and 4096 bytes. Aborting.\n");
+ fprintf(stderr, " 512 and 4096 bits. Aborting.\n");
exit(1);
}
break;
case LDNS_SIGN_DSA_NSEC3:
if (bits < 512 || bits > 1024) {
fprintf(stderr, "For DSA, the key size must be between ");
- fprintf(stderr, " 512 and 1024 bytes. Aborting.\n");
+ fprintf(stderr, " 512 and 1024 bits. Aborting.\n");
exit(1);
}
break;
#ifdef USE_ECDSA
case LDNS_SIGN_ECDSAP256SHA256:
case LDNS_SIGN_ECDSAP384SHA384:
+ break;
#endif
case LDNS_SIGN_HMACMD5:
+ if (!had_bits) {
+ bits = 512;
+ } else if (bits < 1 || bits > 512) {
+ fprintf(stderr, "For hmac-md5, the key size must be ");
+ fprintf(stderr, "between 1 and 512 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
case LDNS_SIGN_HMACSHA1:
+ if (!had_bits) {
+ bits = 160;
+ } else if (bits < 1 || bits > 160) {
+ fprintf(stderr, "For hmac-sha1, the key size must be ");
+ fprintf(stderr, "between 1 and 160 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA224:
+ if (!had_bits) {
+ bits = 224;
+ } else if (bits < 1 || bits > 224) {
+ fprintf(stderr, "For hmac-sha224, the key size must be ");
+ fprintf(stderr, "between 1 and 224 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
case LDNS_SIGN_HMACSHA256:
+ if (!had_bits) {
+ bits = 256;
+ } else if (bits < 1 || bits > 256) {
+ fprintf(stderr, "For hmac-sha256, the key size must be ");
+ fprintf(stderr, "between 1 and 256 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA384:
+ if (!had_bits) {
+ bits = 384;
+ } else if (bits < 1 || bits > 384) {
+ fprintf(stderr, "For hmac-sha384, the key size must be ");
+ fprintf(stderr, "between 1 and 384 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA512:
+ if (!had_bits) {
+ bits = 512;
+ } else if (bits < 1 || bits > 512) {
+ fprintf(stderr, "For hmac-sha512, the key size must be ");
+ fprintf(stderr, "between 1 and 512 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
default:
break;
}
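Review bot: The six new HMAC cases accept any key size from 1 bit up, so `-b 8` yields a one-byte TSIG key without complaint; RFC 2104 §3 strongly discourages HMAC keys shorter than the digest length, which is exactly the default each case already picks when no size is given. Consider at least warning when a caller-supplied size is below that default, e.g. `if (bits < 160) fprintf(stderr, "Warning: hmac-sha1 key shorter than the digest length weakens the MAC\n");` in the sha1 case and likewise for the others. The hmac-md5 bound of 512 also breaks the pattern of the other five cases, where the limit equals the digest length (MD5's is 128), so it looks like a block-size value slipped in; a comment stating which rule the bound follows would settle it either way. The blocks differ only in the algorithm name and one number and could be a single table-driven check, but that is a style choice. The enclosing switch starts outside this hunk.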
ldns_buffer_printf(output, "Algorithm: 158 (HMAC_SHA1)\n");
status = ldns_hmac_key2buffer_str(output, k);
break;
+ case LDNS_SIGN_HMACSHA224:
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 162 (HMAC_SHA224)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
+ break;
case LDNS_SIGN_HMACSHA256:
ldns_buffer_printf(output, "Private-key-format: v1.2\n");
ldns_buffer_printf(output, "Algorithm: 159 (HMAC_SHA256)\n");
status = ldns_hmac_key2buffer_str(output, k);
break;
+ case LDNS_SIGN_HMACSHA384:
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 164 (HMAC_SHA384)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
+ break;
+ case LDNS_SIGN_HMACSHA512:
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 165 (HMAC_SHA512)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
+ break;
}
#endif /* HAVE_SSL */
} else {
{ LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
{ LDNS_SIGN_HMACSHA1, "hmac-sha1" },
{ LDNS_SIGN_HMACSHA256, "hmac-sha256" },
+ { LDNS_SIGN_HMACSHA224, "hmac-sha224" },
+ { LDNS_SIGN_HMACSHA384, "hmac-sha384" },
+ { LDNS_SIGN_HMACSHA512, "hmac-sha512" },
{ 0, NULL }
};
if (strncmp(d, "159 HMAC-SHA256", 4) == 0) {
alg = LDNS_SIGN_HMACSHA256;
}
-
+ /* For compatibility with dnssec-keygen */
+ if (strncmp(d, "161 ", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA1;
+ }
+ if (strncmp(d, "162 HMAC-SHA224", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA224;
+ }
+ /* For compatibility with dnssec-keygen */
+ if (strncmp(d, "163 ", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA256;
+ }
+ if (strncmp(d, "164 HMAC-SHA384", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA384;
+ }
+ if (strncmp(d, "165 HMAC-SHA512", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA512;
+ }
LDNS_FREE(d);
switch(alg) {
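Review bot: The three new comparisons `strncmp(d, "162 HMAC-SHA224", 4)`, `"164 HMAC-SHA384"` and `"165 HMAC-SHA512"` only ever look at the first four bytes, so the algorithm name in the literal is never checked against the file; a key file whose Algorithm line reads `162 HMAC-SHA256` is silently loaded as SHA224 while the literal suggests the name is validated. This copies the existing `159 HMAC-SHA256` line, but the dnssec-keygen compatibility lines two statements away already use the honest form, so either shorten these to `strncmp(d, "162 ", 4)` for consistency or compare the whole prefix with its length. A one-line comment above the block, `/* only the numeric prefix is compared; the name after it is informational */`, would stop the next reader from relying on the name. The enclosing function starts outside this hunk.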
#endif /* USE_DSA */
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA224:
case LDNS_SIGN_HMACSHA256:
+ case LDNS_SIGN_HMACSHA384:
+ case LDNS_SIGN_HMACSHA512:
ldns_key_set_algorithm(k, alg);
#ifdef HAVE_SSL
hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
break;
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA224:
case LDNS_SIGN_HMACSHA256:
+ case LDNS_SIGN_HMACSHA384:
+ case LDNS_SIGN_HMACSHA512:
#ifdef HAVE_SSL
#ifndef S_SPLINT_S
k->_key.key = NULL;
switch (ldns_key_algorithm(k)) {
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA224:
case LDNS_SIGN_HMACSHA256:
+ case LDNS_SIGN_HMACSHA384:
+ case LDNS_SIGN_HMACSHA512:
ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
break;
default:
#endif
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA224:
case LDNS_SIGN_HMACSHA256:
+ case LDNS_SIGN_HMACSHA384:
+ case LDNS_SIGN_HMACSHA512:
bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k));
if (!bin) {
ldns_rr_free(pubkey);
#endif
LDNS_SIGN_HMACMD5 = 157, /* not official! This type is for TSIG, not DNSSEC */
LDNS_SIGN_HMACSHA1 = 158, /* not official! This type is for TSIG, not DNSSEC */
- LDNS_SIGN_HMACSHA256 = 159 /* ditto */
+ LDNS_SIGN_HMACSHA256 = 159, /* ditto */
+ LDNS_SIGN_HMACSHA224 = 162, /* ditto */
+ LDNS_SIGN_HMACSHA384 = 164, /* ditto */
+ LDNS_SIGN_HMACSHA512 = 165 /* ditto */
};
typedef enum ldns_enum_signing_algorithm ldns_signing_algorithm;
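Review bot: The new constants 162, 164 and 165 appear to coincide with the numbers dnssec-keygen writes for these algorithms, whereas the existing 158 and 159 for SHA1 and SHA256 do not, which is why key parsing elsewhere in this change also accepts `161 ` and `163 ` "for compatibility with dnssec-keygen"; the `/* ditto */` comments hide that distinction. Replace them with a short note on the group, e.g. `/* 157-159 are ldns-private; 162, 164 and 165 match dnssec-keygen's numbering, so key parsing also maps its 161 and 163 to SHA1 and SHA256 */`, so the next reader does not try to "fix" the gap by renumbering. The enum's opening line is outside this hunk.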