fprintf(stream, "\t-r <file>\t\tuse file as root servers hint file\n");
fprintf(stream, "\t-t\t\tsend the query with tcp (connected)\n");
fprintf(stream, "\t-d <domain>\t\tuse domain as the start point for the trace\n");
- fprintf(stream, "\t-y <name:key[:algo]>\tspecify named base64 tsig key, and optional an\n\t\t\talgorithm (defaults to hmac-md5.sig-alg.reg.int)\n");
+ fprintf(stream, "\t-y <name:key[:algo]>\tspecify named base64 tsig key, and optional an\n\t\t\talgorithm (defaults to hmac-md5.sig-alg.reg.int)\n");
fprintf(stream, "\t-z\t\tdon't randomize the nameservers before use\n");
fprintf(stream, "\n [*] = enables/implies DNSSEC\n");
fprintf(stream, " [**] = can be given more than once\n");
fprintf(fp, " generate a new key pair for domain\n");
fprintf(fp, " -a <alg>\tuse the specified algorithm (-a list to");
fprintf(fp, " show a list)\n");
- /*
- fprintf(fp, " -D\t\tgenerate a DSA key\n");
- fprintf(fp, " -R\t\tgenerate an RSA key\n");
- fprintf(fp, " -H\t\tgenerate an HMAC-MD5 key (for TSIG)\n");
- */
fprintf(fp, " -k\t\tset the flags to 257; key signing key\n");
fprintf(fp, " -b <bits>\tspecify the keylength\n");
fprintf(fp, " -r <random>\tspecify a random device (defaults to /dev/random)\n");
break;
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA256:
default:
break;
}
}
/* print the DS to .ds */
- if (algorithm != LDNS_SIGN_HMACMD5) {
+ if (algorithm != LDNS_SIGN_HMACMD5 &&
+ algorithm != LDNS_SIGN_HMACSHA1 &&
+ algorithm != LDNS_SIGN_HMACSHA256) {
filename = LDNS_XMALLOC(char, strlen(owner) + 16);
snprintf(filename, strlen(owner) + 15, "K%s+%03u+%05u.ds", owner, algorithm, (unsigned int) ldns_key_keytag(key));
file = fopen(filename, "w");
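Review bot: The exclusion list at L30-L32 is now a hand-maintained copy of every `case LDNS_SIGN_HMAC*` list in this commit, and the next TSIG algorithm will need the same edit in each place; a single predicate (e.g. a file-scope `is_hmac_algorithm(algorithm)` — name constructed here) used both for this DS-file decision and wherever the switches only need "is this a TSIG key" would keep them from drifting. Separately, the `snprintf` bound `strlen(owner) + 15` is one less than the `strlen(owner) + 16` allocation on the line above; the formatted name `K%s+%03u+%05u.ds` plus NUL is exactly `strlen(owner) + 15` bytes so it fits today, but passing the same expression as the allocation makes the bound obviously correct. As far as this hunk shows, neither the `LDNS_XMALLOC` result nor the `fopen` result is checked for NULL before use; the enclosing function continues outside the hunk, so the handling may be there.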
return status;
}
+static ldns_status
+ldns_hmac_key2buffer_str(ldns_buffer *output, const ldns_key *k)
+{
+ ldns_status status;
+ size_t i;
+ ldns_rdf *b64_bignum;
+
+ ldns_buffer_printf(output, "Key: ");
+
+ i = ldns_key_hmac_size(k);
+ b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, ldns_key_hmac_key(k));
+ status = ldns_rdf2buffer_str(output, b64_bignum);
+ ldns_rdf_deep_free(b64_bignum);
+ ldns_buffer_printf(output, "\n");
+ return status;
+}
+
+
ldns_status
ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k)
{
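Review bot: `ldns_hmac_key2buffer_str` hands the result of `ldns_rdf_new_frm_data` to `ldns_rdf2buffer_str` and `ldns_rdf_deep_free` without checking it, so an allocation failure (or, presumably, a key whose HMAC material pointer is still NULL) ends in a null dereference rather than an error status; add `if (!b64_bignum) { return LDNS_STATUS_MEM_ERR; }` directly after the `ldns_rdf_new_frm_data` call. The helper also has no header comment, unlike the public function that follows; something like `/* Write the HMAC key material of k as a base64 "Key: " line. The TSIG private-key file has no per-algorithm format, so all HMAC algorithms share this. */` captures the intent that is otherwise only stated inside the switch further down. The `ldns_buffer_printf` return values are ignored here as they are elsewhere in the file, so that is consistent with local style.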
}
break;
case LDNS_SIGN_HMACMD5:
- /* is the filefmt specified for TSIG.. don't know */
- ldns_buffer_printf(output, "Private-key-format: v1.2\n");
- ldns_buffer_printf(output, "Algorithm: 157 (HMAC_MD5)\n");
- ldns_buffer_printf(output, "Key: ");
- i = ldns_key_hmac_size(k);
- b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, ldns_key_hmac_key(k));
- if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) {
- goto error;
- }
- ldns_rdf_deep_free(b64_bignum);
- ldns_buffer_printf(output, "\n");
+ /* there's not much of a format defined for TSIG */
+ /* It's just a binary blob, Same for all algorithms */
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 157 (HMAC_MD5)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
break;
case LDNS_SIGN_HMACSHA1:
- /* is the filefmt specified for TSIG.. don't know */
- ldns_buffer_printf(output, "Private-key-format: v1.2\n");
- ldns_buffer_printf(output, "Algorithm: 158 (HMAC_SHA1)\n");
- ldns_buffer_printf(output, "Key: ");
- i = ldns_key_hmac_size(k);
- b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, ldns_key_hmac_key(k));
- if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) {
- goto error;
- }
- ldns_rdf_deep_free(b64_bignum);
- ldns_buffer_printf(output, "\n");
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 158 (HMAC_SHA1)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
+ break;
+ case LDNS_SIGN_HMACSHA256:
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 158 (HMAC_SHA256)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
break;
}
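Review bot: The new HMAC-SHA256 case at L96-L98 writes `Algorithm: 158 (HMAC_SHA256)`, but the enum added by this same commit sets `LDNS_SIGN_HMACSHA256 = 159` and the key-file reader matches `"159 HMAC-SHA256"` on its first four characters, so a SHA-256 key written here is read back as HMAC-SHA1 (158) and the two ends of a TSIG exchange would then compute different MACs. The line should be `ldns_buffer_printf(output, "Algorithm: 159 (HMAC_SHA256)\n");`, and printing the number from the enum (`"Algorithm: %d (HMAC_SHA256)\n", LDNS_SIGN_HMACSHA256`) would stop the writer and reader from drifting again. The three HMAC cases are now identical except for that one line, so the `Private-key-format` write and the helper call could sit once after the algorithm-specific line. The replaced code jumped to `error` when the base64 conversion failed; the new cases only set `status` and break, so whatever follows the switch — outside this hunk — has to act on a non-OK status.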
#endif /* HAVE_SSL */
{ LDNS_SIGN_DSA, "DSA" },
{ LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
{ LDNS_SIGN_HMACSHA1, "hmac-sha1" },
+ { LDNS_SIGN_HMACSHA256, "hmac-sha256" },
{ 0, NULL }
};
if (strncmp(d, "158 HMAC-SHA1", 4) == 0) {
alg = LDNS_SIGN_HMACSHA1;
}
+ if (strncmp(d, "159 HMAC-SHA256", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA256;
+ }
LDNS_FREE(d);
break;
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA256:
ldns_key_set_algorithm(k, alg);
hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
ldns_key_set_hmac_size(k, hmac_size);
break;
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA256:
k->_key.key = NULL;
size = size / 8;
ldns_key_set_hmac_size(k, size);
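Review bot: With HMAC-SHA256 now routed through this branch, `size = size / 8` silently truncates a requested bit length that is not a multiple of 8 (255 bits becomes 31 bytes), and as far as the hunk shows nothing enforces a minimum length for any HMAC algorithm. Rejecting `size % 8 != 0` before the division, or at least documenting the truncation with `/* size is in bits; a value that is not a multiple of 8 is rounded down */`, would make the generated key length match what the caller asked for. RFC 2104 recommends an HMAC key at least as long as the digest output (32 bytes for SHA-256), which is worth either checking or stating in the function's documentation. The enclosing function starts outside the hunk.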
switch (ldns_key_algorithm(k)) {
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA256:
ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
break;
default:
break;
case LDNS_SIGN_HMACMD5:
case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA256:
/* tja */
ldns_rr_push_rdf(pubkey,
ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
LDNS_SIGN_RSASHA1_NSEC3 = LDNS_RSASHA1_NSEC3,
LDNS_SIGN_DSA_NSEC3 = LDNS_DSA_NSEC3,
LDNS_SIGN_HMACMD5 = 157, /* not official! This type is for TSIG, not DNSSEC */
- LDNS_SIGN_HMACSHA1 = 158 /* not official! This type is for TSIG, not DNSSEC */
+ LDNS_SIGN_HMACSHA1 = 158, /* not official! This type is for TSIG, not DNSSEC */
+ LDNS_SIGN_HMACSHA256 = 159 /* ditto */
};
typedef enum ldns_enum_signing_algorithm ldns_signing_algorithm;
static const EVP_MD *
ldns_digest_function(char *name)
{
- /* TODO replace with openssl's EVP_get_digestbyname
- (need init somewhere for that)
- */
- if (strlen(name) == 10 && strncasecmp(name, "hmac-sha1.", 9) == 0)
+ /* these are the mandatory algorithms from RFC4635 */
+ /* The optional algorithms are not yet implemented */
+ if (strlen(name) == 12 && strncasecmp(name, "hmac-sha256.", 11) == 0) {
+#ifdef SHA256_DIGEST_LENGTH
+ return EVP_sha256();
+#else
+ return NULL;
+#endif
+ } else if (strlen(name) == 10 && strncasecmp(name, "hmac-sha1.", 9) == 0)
return EVP_sha1();
else if (strlen(name) == 25 && strncasecmp(name,
"hmac-md5.sig-alg.reg.int.", 25) == 0)