From: Willem Toorop Date: Mon, 23 Jan 2017 11:25:50 +0000 (+0100) Subject: ldns-notify can use all supported hash algorithms X-Git-Tag: release-1.7.1-rc1~89 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb67676fec32891bd29a1f8b9c540b3ca4733373;p=thirdparty%2Fldns.git ldns-notify can use all supported hash algorithms --- diff --git a/Changelog b/Changelog index efda95e1..c7caf69f 100644 --- a/Changelog +++ b/Changelog @@ -1,4 +1,5 @@ 1.7.1 ????-??-?? + * ldns-notify can use all supported hash algorithms with -y. * bugfix #1209: make install ldns.pc file Thanks Oleksandr Natalenko diff --git a/examples/ldns-notify.c b/examples/ldns-notify.c index ee8d8174..320dc08c 100644 --- a/examples/ldns-notify.c +++ b/examples/ldns-notify.c @@ -29,7 +29,9 @@ usage(void) fprintf(stderr, " Supported options:\n"); fprintf(stderr, "\t-z zone\t\tThe zone\n"); fprintf(stderr, "\t-s version\tSOA version number to include\n"); - fprintf(stderr, "\t-y key:data\tTSIG sign the query\n"); + fprintf(stderr, "\t-y \tspecify named base64 tsig key" + ", and optional an\n\t\t\t" + "algorithm (defaults to hmac-md5.sig-alg.reg.int)\n"); fprintf(stderr, "\t-p port\t\tport to use to send to\n"); fprintf(stderr, "\t-v\t\tPrint version information\n"); fprintf(stderr, "\t-d\t\tPrint verbose debug information\n"); @@ -177,12 +179,12 @@ main(int argc, char **argv) const char *zone_name = NULL; int include_soa = 0; uint32_t soa_version = 0; - ldns_tsig_credentials tsig_cred = {0,0,0}; int do_hexdump = 1; uint8_t *wire = NULL; size_t wiresize = 0; const char *port = "53"; - char *keydata; + char *tsig_sep; + const char *tsig_name = NULL, *tsig_data = NULL, *tsig_algo = NULL; srandom(time(NULL) ^ getpid()); @@ -202,18 +204,52 @@ main(int argc, char **argv) soa_version = (uint32_t)atoi(optarg); break; case 'y': - tsig_cred.algorithm = (char*)"hmac-md5.sig-alg.reg.int."; - tsig_cred.keyname = optarg; - keydata = strchr(optarg, ':'); - if (keydata == NULL) { + if (!(tsig_sep = strchr(optarg, ':'))) { printf("TSIG argument is not in form " - "key:data: %s\n", optarg); + " %s\n", optarg); exit(1); } - *keydata++ = '\0'; - tsig_cred.keydata = keydata; - printf("Sign with %s : %s\n", tsig_cred.keyname, - tsig_cred.keydata); + tsig_name = optarg; + *tsig_sep++ = '\0'; + tsig_data = tsig_sep; + if ((tsig_sep = strchr(tsig_sep, ':'))) { + *tsig_sep++ = '\0'; + tsig_algo = tsig_sep; + } else { + tsig_algo = "hmac-md5.sig-alg.reg.int."; + } + /* With dig TSIG keys are also specified with -y, + * but format with drill is: -y + * and with dig: -y [hmac:]name:key + * + * When we detect an unknown tsig algorithm in algo, + * but a known algorithm in name, we cane assume dig + * order was used. + * + * Following if statement is to anticipate and correct + * dig order + */ + if (strcasecmp(tsig_algo, "hmac-md5.sig-alg.reg.int")&& + strcasecmp(tsig_algo, "hmac-md5") && + strcasecmp(tsig_algo, "hmac-sha1") && + strcasecmp(tsig_algo, "hmac-sha256") && + strcasecmp(tsig_algo, "hmac-sha384") && + strcasecmp(tsig_algo, "hmac-sha512") && + ! (strcasecmp(tsig_name, "hmac-md5.sig-alg.reg.int") + && strcasecmp(tsig_name, "hmac-md5") + && strcasecmp(tsig_name, "hmac-sha1") + && strcasecmp(tsig_name, "hmac-sha256") + && strcasecmp(tsig_name, "hmac-sha384") + && strcasecmp(tsig_name, "hmac-sha512"))) { + + /* Roll options */ + const char *tmp_tsig_algo = tsig_name; + tsig_name = tsig_data; + tsig_data = tsig_algo; + tsig_algo = tmp_tsig_algo; + } + printf("Sign with name: %s, data: %s, algorithm: %s\n" + , tsig_name, tsig_data, tsig_algo); break; case 'z': zone_name = optarg; @@ -272,11 +308,10 @@ main(int argc, char **argv) ldns_pkt_push_rr(notify, LDNS_SECTION_ANSWER, soa_rr); } - if(tsig_cred.keyname) { + if(tsig_name && tsig_data) { #ifdef HAVE_SSL - status = ldns_pkt_tsig_sign(notify, tsig_cred.keyname, - tsig_cred.keydata, 300, tsig_cred.algorithm, - NULL); + status = ldns_pkt_tsig_sign(notify, tsig_name, + tsig_data, 300, tsig_algo, NULL); if(status != LDNS_STATUS_OK) { printf("Error TSIG sign query: %s\n", ldns_get_errorstr_by_id(status));