From: Willem Toorop Date: Tue, 18 Oct 2016 15:23:25 +0000 (-0500) Subject: bugfix: #771: hmac-sha224, -sha384 and -sha512 keys. X-Git-Tag: release-1.7.0-rc1~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1eb44ba0665dd48802c5089c2879776739aac07e;p=thirdparty%2Fldns.git bugfix: #771: hmac-sha224, -sha384 and -sha512 keys. Thanks Harald Jenny
---
diff --git a/Changelog b/Changelog
index cab9031b..e5f9b0df 100644
--- a/Changelog
+++ b/Changelog
@@ -88,6 +88,8 @@ TBD
 Thanks Xiali Yan
 * bugfix #661: Fail NSEC3 signing when NSEC domainname length would overflow.
 Thanks Jan-Piet Mens.
+ * bugfix #771: hmac-sha224, hmac-sha384 and hmac-sha512 keys.
+ Thanks Harald Jenny
 1.6.17 2014-01-10
 * Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a
diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c
index 4ec8244d..e6088fbb 100644
--- a/examples/ldns-keygen.c
+++ b/examples/ldns-keygen.c
@@ -57,6 +57,7 @@ main(int argc, char *argv[])
 /* default key size */
 uint16_t def_bits = 1024;
 uint16_t bits = def_bits;
+ bool had_bits = false;
 bool ksk;
 FILE *file;
@@ -98,7 +99,8 @@ main(int argc, char *argv[])
 if (bits == 0) {
 fprintf(stderr, "%s: %s %d", prog, "Can not parse the -b argument, setting it to the default\n", (int) def_bits);
 bits = def_bits;
- }
+ } else
+ had_bits = true;
 break;
 case 'k':
 ksk = true;
@@ -142,7 +144,7 @@ main(int argc, char *argv[])
 case LDNS_SIGN_RSASHA512:
 if (bits < 512 || bits > 4096) {
 fprintf(stderr, "For RSA, the key size must be between ");
- fprintf(stderr, " 512 and 4096 bytes. Aborting.\n");
+ fprintf(stderr, " 512 and 4096 bits. Aborting.\n");
 exit(1);
 }
 break;
@@ -150,7 +152,7 @@ main(int argc, char *argv[])
 case LDNS_SIGN_DSA_NSEC3:
 if (bits < 512 || bits > 1024) {
 fprintf(stderr, "For DSA, the key size must be between ");
- fprintf(stderr, " 512 and 1024 bytes. Aborting.\n");
+ fprintf(stderr, " 512 and 1024 bits. Aborting.\n");
 exit(1);
 }
 break;
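Review bot: The `-b` diagnostic kept as context in the `@@ -98` hunk, `fprintf(stderr, "%s: %s %d", prog, "Can not parse ... default\n", (int) def_bits);`, carries the newline inside the second `%s` argument, so the default size is printed after the line break and the message ends without a terminator of its own. Since this hunk already edits that branch to record `had_bits`, the text could move into the format string: `fprintf(stderr, "%s: Can not parse the -b argument, setting it to the default %d\n", prog, (int) def_bits);`. The new `} else` followed by an unbraced `had_bits = true;` would also read better braced, matching the braced `if` it pairs with. main() starts before and ends after these hunks.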
@@ -165,10 +167,66 @@ main(int argc, char *argv[])
 #ifdef USE_ECDSA
 case LDNS_SIGN_ECDSAP256SHA256:
 case LDNS_SIGN_ECDSAP384SHA384:
+ break;
 #endif
 case LDNS_SIGN_HMACMD5:
+ if (!had_bits) {
+ bits = 512;
+ } else if (bits < 1 || bits > 512) {
+ fprintf(stderr, "For hmac-md5, the key size must be ");
+ fprintf(stderr, "between 1 and 512 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
 case LDNS_SIGN_HMACSHA1:
+ if (!had_bits) {
+ bits = 160;
+ } else if (bits < 1 || bits > 160) {
+ fprintf(stderr, "For hmac-sha1, the key size must be ");
+ fprintf(stderr, "between 1 and 160 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA224:
+ if (!had_bits) {
+ bits = 224;
+ } else if (bits < 1 || bits > 224) {
+ fprintf(stderr, "For hmac-sha224, the key size must be ");
+ fprintf(stderr, "between 1 and 224 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
 case LDNS_SIGN_HMACSHA256:
+ if (!had_bits) {
+ bits = 256;
+ } else if (bits < 1 || bits > 256) {
+ fprintf(stderr, "For hmac-sha256, the key size must be ");
+ fprintf(stderr, "between 1 and 256 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA384:
+ if (!had_bits) {
+ bits = 384;
+ } else if (bits < 1 || bits > 384) {
+ fprintf(stderr, "For hmac-sha384, the key size must be ");
+ fprintf(stderr, "between 1 and 384 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
+
+ case LDNS_SIGN_HMACSHA512:
+ if (!had_bits) {
+ bits = 512;
+ } else if (bits < 1 || bits > 512) {
+ fprintf(stderr, "For hmac-sha512, the key size must be ");
+ fprintf(stderr, "between 1 and 512 bits. Aborting.\n");
+ exit(1);
+ }
+ break;
 default:
 break;
 }
diff --git a/host2str.c b/host2str.c
index 04b9ddbb..a6f84746 100644
--- a/host2str.c
+++ b/host2str.c
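Review bot: The lower bound in every new `bits < 1 || bits > N` test is unreachable, because a `-b 0` is replaced by the 1024-bit default before `had_bits` is set (the `@@ -98` hunk), so in practice any explicit size from 1 bit upwards passes and `ldns-keygen -a hmac-sha256 -b 8` silently produces an 8-bit TSIG secret. RFC 2104 recommends an HMAC key no shorter than the digest output, which is also the default each case picks here, so a real floor — or at least a warning when the size is below the digest length — would be safer than `1`. The six copies of the check differ only in name and maximum; a helper such as the one below removes the duplication and gives the floor one place to live (the call sites pass `1` to keep today's behaviour until a policy is chosen). main() begins and ends outside this hunk, and how a `bits` value that is not a multiple of 8 is rounded by the key generator is not visible from the diff.

```c
/* Default the HMAC key size to max bits, or reject an explicit -b value
 * outside [min, max].  Every caller currently passes min == 1; that is
 * the floor this review suggests raising (RFC 2104: key >= digest). */
static void
check_hmac_bits(const char *name, uint16_t min, uint16_t max,
                bool had_bits, uint16_t *bits)
{
	if (!had_bits) {
		*bits = max;
	} else if (*bits < min || *bits > max) {
		fprintf(stderr, "For %s, the key size must be between "
		                "%u and %u bits. Aborting.\n",
		        name, (unsigned) min, (unsigned) max);
		exit(1);
	}
}

/* … unchanged: main() up to the algorithm switch … */
	case LDNS_SIGN_HMACMD5:
		check_hmac_bits("hmac-md5", 1, 512, had_bits, &bits);
		break;
	case LDNS_SIGN_HMACSHA1:
		check_hmac_bits("hmac-sha1", 1, 160, had_bits, &bits);
		break;
	/* … likewise hmac-sha224/224, hmac-sha256/256, hmac-sha384/384, hmac-sha512/512 … */
```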
@@ -2202,11 +2202,26 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k)
 ldns_buffer_printf(output, "Algorithm: 158 (HMAC_SHA1)\n");
 status = ldns_hmac_key2buffer_str(output, k);
 break;
+ case LDNS_SIGN_HMACSHA224:
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 162 (HMAC_SHA224)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
+ break;
 case LDNS_SIGN_HMACSHA256:
 ldns_buffer_printf(output, "Private-key-format: v1.2\n");
 ldns_buffer_printf(output, "Algorithm: 159 (HMAC_SHA256)\n");
 status = ldns_hmac_key2buffer_str(output, k);
 break;
+ case LDNS_SIGN_HMACSHA384:
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 164 (HMAC_SHA384)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
+ break;
+ case LDNS_SIGN_HMACSHA512:
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 165 (HMAC_SHA512)\n");
+ status = ldns_hmac_key2buffer_str(output, k);
+ break;
 }
 #endif /* HAVE_SSL */
 } else {
diff --git a/keys.c b/keys.c
index 6a23cb5d..70aaa90f 100644
--- a/keys.c
+++ b/keys.c
@@ -48,6 +48,9 @@ ldns_lookup_table ldns_signing_algorithms[] = {
 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
 { LDNS_SIGN_HMACSHA1, "hmac-sha1" },
 { LDNS_SIGN_HMACSHA256, "hmac-sha256" },
+ { LDNS_SIGN_HMACSHA224, "hmac-sha224" },
+ { LDNS_SIGN_HMACSHA384, "hmac-sha384" },
+ { LDNS_SIGN_HMACSHA512, "hmac-sha512" },
 { 0, NULL }
 };
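Review bot: The three new cases label the private-key file with 162, 164 and 165 — the numbers the keys.c hunk reads back next to its "For compatibility with dnssec-keygen" comment — while the adjacent HMAC-SHA1 and HMAC-SHA256 cases keep writing the ldns-private 158 and 159, so the reader's new 161/163 aliases have no writer here and the hmac-sha1/-sha256 files this function emits presumably still differ from dnssec-keygen's. That asymmetry deserves a comment so nobody later "fixes" one side to match the other, e.g. above the HMACSHA224 case: `/* 162/164/165 follow dnssec-keygen's private numbering; 158/159 above are ldns-private (keys.c also accepts 161/163 on read) */`. Whether the writer should move to 161/163 is a compatibility decision for the maintainers. ldns_key2buffer_str starts before and ends after this hunk.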
@@ -619,7 +622,23 @@ ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) {
 alg = LDNS_SIGN_HMACSHA256;
 }
-
+ /* For compatibility with dnssec-keygen */
+ if (strncmp(d, "161 ", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA1;
+ }
+ if (strncmp(d, "162 HMAC-SHA224", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA224;
+ }
+ /* For compatibility with dnssec-keygen */
+ if (strncmp(d, "163 ", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA256;
+ }
+ if (strncmp(d, "164 HMAC-SHA384", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA384;
+ }
+ if (strncmp(d, "165 HMAC-SHA512", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA512;
+ }
 LDNS_FREE(d);
 switch(alg) {
@@ -656,7 +675,10 @@ ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
 #endif /* USE_DSA */
 case LDNS_SIGN_HMACMD5:
 case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA224:
 case LDNS_SIGN_HMACSHA256:
+ case LDNS_SIGN_HMACSHA384:
+ case LDNS_SIGN_HMACSHA512:
 ldns_key_set_algorithm(k, alg);
 #ifdef HAVE_SSL
 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
@@ -1190,7 +1212,10 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
 break;
 case LDNS_SIGN_HMACMD5:
 case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA224:
 case LDNS_SIGN_HMACSHA256:
+ case LDNS_SIGN_HMACSHA384:
+ case LDNS_SIGN_HMACSHA512:
 #ifdef HAVE_SSL
 #ifndef S_SPLINT_S
 k->_key.key = NULL;
@@ -1792,7 +1817,10 @@ ldns_key2rr(const ldns_key *k)
 switch (ldns_key_algorithm(k)) {
 case LDNS_SIGN_HMACMD5:
 case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA224:
 case LDNS_SIGN_HMACSHA256:
+ case LDNS_SIGN_HMACSHA384:
+ case LDNS_SIGN_HMACSHA512:
 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
 break;
 default:
@@ -1981,7 +2009,10 @@ ldns_key2rr(const ldns_key *k)
 #endif
 case LDNS_SIGN_HMACMD5:
 case LDNS_SIGN_HMACSHA1:
+ case LDNS_SIGN_HMACSHA224:
 case LDNS_SIGN_HMACSHA256:
+ case LDNS_SIGN_HMACSHA384:
+ case LDNS_SIGN_HMACSHA512:
 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k));
 if (!bin) {
 ldns_rr_free(pubkey);
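Review bot: `strncmp(d, "162 HMAC-SHA224", 4)`, `"164 HMAC-SHA384"` and `"165 HMAC-SHA512"` compare only the first four characters, so the algorithm name in each literal is never checked although the code reads as if it were; the two dnssec-keygen aliases added beside them are spelled honestly as `"161 "` and `"163 "`. Either cut the new literals down to what is actually compared, `if (strncmp(d, "162 ", 4) == 0) {`, or compare the whole token if the name is meant to be validated against the number. The matches are independent `if`s rather than an `else if` chain, which is only correct because the numeric prefixes are all distinct — worth a one-line comment so that invariant survives the next addition. ldns_key_new_frm_fp_l begins before and ends after this hunk, and what `alg` holds when no line matches is not visible here.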
diff --git a/ldns/keys.h b/ldns/keys.h
index db2c485f..df4bb22b 100644
--- a/ldns/keys.h
+++ b/ldns/keys.h
@@ -106,7 +106,10 @@ enum ldns_enum_signing_algorithm
 #endif
 LDNS_SIGN_HMACMD5 = 157, /* not official! This type is for TSIG, not DNSSEC */
 LDNS_SIGN_HMACSHA1 = 158, /* not official! This type is for TSIG, not DNSSEC */
- LDNS_SIGN_HMACSHA256 = 159 /* ditto */
+ LDNS_SIGN_HMACSHA256 = 159, /* ditto */
+ LDNS_SIGN_HMACSHA224 = 162, /* ditto */
+ LDNS_SIGN_HMACSHA384 = 164, /* ditto */
+ LDNS_SIGN_HMACSHA512 = 165 /* ditto */
 };
 typedef enum ldns_enum_signing_algorithm ldns_signing_algorithm;
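Review bot: The `/* ditto */` on the three new enumerators does not record why 160, 161 and 163 are skipped, which the next person adding an HMAC type will need to know: the keys.c hunk maps 161 and 163, described there as dnssec-keygen's values, onto LDNS_SIGN_HMACSHA1 and LDNS_SIGN_HMACSHA256, so reusing either number here would collide with that mapping. Suggest replacing the comment on LDNS_SIGN_HMACSHA224 with `/* 162, 164, 165 follow dnssec-keygen's private numbering; its 161/163 (HMAC-SHA1/-SHA256) are mapped to 158/159 when a key file is read, see keys.c */`. The enum itself starts before this hunk.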