From: Matthijs Mekking
Date: Mon, 8 Sep 2008 09:36:27 +0000 (+0000)
Subject: hmac-sha1 support for ldns-keygen
X-Git-Tag: release-1.4.0~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f0b75eeca347db4e3fdd028cbabf4414e718c20d;p=thirdparty%2Fldns.git
hmac-sha1 support for ldns-keygen
---
diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c
index 342c7e99..2172e850 100644
--- a/examples/ldns-keygen.c
+++ b/examples/ldns-keygen.c
@@ -76,7 +76,7 @@ main(int argc, char *argv[])
 algorithm = 0;
 random = NULL;
 ksk = false; /* don't create a ksk per default */
-
+
 while ((c = getopt(argc, argv, "a:kb:r:v25")) != -1) {
 switch (c) {
 case 'a':
@@ -138,7 +138,7 @@ main(int argc, char *argv[])
 if (argc != 1) {
 usage(stderr, prog);
 exit(EXIT_FAILURE);
- }
+ }
 free(prog);
 /* check whether key size is within RFC boundaries */
@@ -159,10 +159,11 @@ main(int argc, char *argv[])
 }
 break;
 case LDNS_SIGN_HMACMD5:
+ case LDNS_SIGN_HMACSHA1:
 default:
 break;
 }
-
+
 if (!random) {
 random = fopen("/dev/random", "r");
 if (!random) {
@@ -179,7 +180,7 @@ main(int argc, char *argv[])
 /* generate a new key */
 key = ldns_key_new_frm_algorithm(algorithm, bits);
-
+
 /* set the owner name in the key - this is a /seperate/ step */
 ldns_key_set_pubkey_owner(key, domain);
diff --git a/host2str.c b/host2str.c
index c0bbf0ae..77db9c60 100644
--- a/host2str.c
+++ b/host2str.c
@@ -1174,7 +1174,7 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k)
 /* copied by looking at dnssec-keygen output */
 /* header */
 rsa = ldns_key_rsa_key(k);
-
+
 ldns_buffer_printf(output,"Private-key-format: v1.2\n");
 switch(ldns_key_algorithm(k)) {
 case LDNS_SIGN_RSAMD5:
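Review bot: `case LDNS_SIGN_HMACSHA1:` joins HMAC-MD5 in falling through to `default: break;`, so the "check whether key size is within RFC boundaries" switch never constrains `bits` for HMAC keys, and the keys.c hunk at -526 then does `size = size / 8`, meaning a `-b` value below 8 yields a zero-length secret and a value that is not a multiple of 8 is silently truncated. I would give the two HMAC cases their own branch ahead of `default`, e.g. `if (bits < 8 || bits % 8 != 0) { fprintf(stderr, "HMAC key size must be a positive multiple of 8 bits\n"); exit(EXIT_FAILURE); }`, and a floor of the digest length (160 bits for SHA-1, per the RFC 2104 recommendation) would be a reasonable minimum to document here. The same missing check applies to ldns_key_new_frm_algorithm at keys.c -526. main() continues on both sides of the hunk.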
@@ -1435,6 +1435,19 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k)
 ldns_rdf_deep_free(b64_bignum);
 ldns_buffer_printf(output, "\n");
 break;
+ case LDNS_SIGN_HMACSHA1:
+ /* is the filefmt specified for TSIG.. don't know */
+ ldns_buffer_printf(output, "Private-key-format: v1.2\n");
+ ldns_buffer_printf(output, "Algorithm: 158 (HMAC_SHA1)\n");
+ ldns_buffer_printf(output, "Key: ");
+ i = ldns_key_hmac_size(k);
+ b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, ldns_key_hmac_key(k));
+ if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) {
+ goto error;
+ }
+ ldns_rdf_deep_free(b64_bignum);
+ ldns_buffer_printf(output, "\n");
+ break;
 }
 #endif /* HAVE_SSL */
 } else {
diff --git a/keys.c b/keys.c
index 5004dc94..0b8c9878 100644
--- a/keys.c
+++ b/keys.c
@@ -6,7 +6,7 @@
 * handling
 *
 * (c) NLnet Labs, 2004-2006
- *
+ *
 * See the file LICENSE for the license
 */
@@ -29,10 +29,11 @@ ldns_lookup_table ldns_signing_algorithms[] = {
 #endif
 { LDNS_SIGN_DSA, "DSA" },
 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
+ { LDNS_SIGN_HMACSHA1, "hmac-sha1" },
 { 0, NULL }
 };
-#ifdef HAVE_SSL
+#ifdef HAVE_SSL
 ldns_key_list *
 ldns_key_list_new()
 {
@@ -69,7 +70,7 @@ ldns_key_new()
 return NULL;
 }
-ldns_status
+ldns_status
 ldns_key_new_frm_fp(ldns_key **k, FILE *fp)
 {
 return ldns_key_new_frm_fp_l(k, fp, NULL);
@@ -80,7 +81,7 @@ ldns_status
 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg)
 {
 ldns_key *k;
-
+
 k = ldns_key_new();
 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL);
 ldns_key_set_algorithm(k, alg);
@@ -111,9 +112,9 @@ ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
 if (!k || !d) {
 return LDNS_STATUS_MEM_ERR;
 }
-
+
 alg = 0;
-
+
 /* the file is highly structured. Do this in sequence */
 /* RSA:
 * Private-key-format: v1.2
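Review bot: The new HMAC-SHA1 case passes the result of `ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, ldns_key_hmac_key(k))` to `ldns_rdf2buffer_str` without a NULL check, and when that call fails the `goto error` skips `ldns_rdf_deep_free(b64_bignum)`, so the rdf leaks unless the error label frees it (the label is outside the hunk). I would write `if (!b64_bignum || ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { ldns_rdf_deep_free(b64_bignum); goto error; }`, assuming deep_free tolerates NULL, and apply the same fix to the HMAC-MD5 case this block was copied from. Note also that `Private-key-format: v1.2` is already emitted before `switch(ldns_key_algorithm(k))` in the -1174 hunk; if this case lives in that same switch, the header line is written twice for HMAC keys. ldns_key2buffer_str continues on both sides of the hunk.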
@@ -132,7 +133,7 @@ ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
 /* get the algorithm type, our file function strip ( ) so there are
 * not in the return string!
 */
- if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n",
+ if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n",
 LDNS_MAX_LINELEN, line_nr) == -1) {
 /* no alg information */
 return LDNS_STATUS_SYNTAX_ALG_ERR;
@@ -142,21 +143,21 @@ ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
 alg = LDNS_SIGN_RSAMD5;
 }
 if (strncmp(d, "2 DH", 2) == 0) {
- alg = LDNS_DH;
+ alg = LDNS_DH;
 }
 if (strncmp(d, "3 DSA", 2) == 0) {
- alg = LDNS_SIGN_DSA;
+ alg = LDNS_SIGN_DSA;
 }
 if (strncmp(d, "4 ECC", 2) == 0) {
- alg = LDNS_ECC;
+ alg = LDNS_ECC;
 }
 if (strncmp(d, "5 RSASHA1", 2) == 0) {
 alg = LDNS_SIGN_RSASHA1;
 }
- if (strncmp(d, "6 DSA", 4) == 0) {
- alg = LDNS_DSA_NSEC3;
+ if (strncmp(d, "6 DSA", 2) == 0) {
+ alg = LDNS_DSA_NSEC3;
 }
- if (strncmp(d, "7 RSASHA1", 4) == 0) {
+ if (strncmp(d, "7 RSASHA1", 2) == 0) {
 alg = LDNS_RSASHA1_NSEC3;
 }
@@ -179,6 +180,9 @@ ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
 if (strncmp(d, "157 HMAC-MD5", 4) == 0) {
 alg = LDNS_SIGN_HMACMD5;
 }
+ if (strncmp(d, "158 HMAC-SHA1", 4) == 0) {
+ alg = LDNS_SIGN_HMACSHA1;
+ }
 LDNS_FREE(d);
@@ -203,6 +207,7 @@ ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
 DSA_free(dsa);
 break;
 case LDNS_SIGN_HMACMD5:
+ case LDNS_SIGN_HMACSHA1:
 ldns_key_set_algorithm(k, alg);
 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
 ldns_key_set_hmac_size(k, hmac_size);
@@ -235,14 +240,14 @@ RSA *
 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
 {
 /* we parse
- * Modulus:
- * PublicExponent:
- * PrivateExponent:
- * Prime1:
- * Prime2:
- * Exponent1:
- * Exponent2:
- * Coefficient:
+ * Modulus:
+ * PublicExponent:
+ * PrivateExponent:
+ * Prime1:
+ * Prime2:
+ * Exponent1:
+ * Exponent2:
+ * Coefficient:
 *
 * man 3 RSA:
 *
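Review bot: The comparison lengths in the algorithm chain of ldns_key_new_frm_fp_l are now inconsistent and the mnemonic is no longer checked: `strncmp(d, "6 DSA", 2)` and `strncmp(d, "7 RSASHA1", 2)` compare only the digit and the following space, while `"157 HMAC-MD5"` and the new `"158 HMAC-SHA1"` at -179 compare four characters, and the chain is a run of independent `if`s rather than exclusive branches. Since the numeric prefix is what actually decides, parsing it once with `errno = 0; long num = strtol(d, &end, 10);` and `switch`ing on `num` (rejecting `end == d` or `errno == ERANGE`) would state the intent and avoid leaving `alg` at the 0 it was initialised to in the -111 hunk when no line matches. A comment on the chain saying that the text after the number is informational and intentionally ignored would help the next reader. The function continues on both sides of the hunk.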
@@ -272,7 +277,7 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
 }
 /* I could use functions again, but that seems an overkill,
- * allthough this also looks tedious
+ * allthough this also looks tedious
 */
 /* Modules, rsa->n */
@@ -314,7 +319,7 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
 if (!rsa->p) {
 goto error;
 }
-
+
 /* Prime2, rsa->q */
 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
 goto error;
@@ -334,7 +339,7 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
 if (!rsa->dmp1) {
 goto error;
 }
-
+
 /* Exponent2, rsa->dmq1 */
 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
 goto error;
@@ -354,7 +359,7 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
 if (!rsa->iqmp) {
 goto error;
 }
-
+
 LDNS_FREE(buf);
 LDNS_FREE(d);
 return rsa;
@@ -468,7 +473,7 @@ ldns_key_new_frm_fp_hmac_l(FILE *f, int *line_nr, size_t *hmac_size)
 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
 buf = LDNS_XMALLOC(unsigned char, LDNS_MAX_LINELEN);
-
+
 if (ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
 goto error;
 }
@@ -476,7 +481,7 @@ ldns_key_new_frm_fp_hmac_l(FILE *f, int *line_nr, size_t *hmac_size)
 *hmac_size = i;
 return buf;
-
+
 error:
 LDNS_FREE(d);
 LDNS_FREE(buf);
@@ -511,7 +516,7 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
 if (RSA_check_key(r) != 1) {
 return NULL;
 }
-
+
 ldns_key_set_rsa_key(k, r);
 break;
 case LDNS_SIGN_DSA:
@@ -526,10 +531,11 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
 ldns_key_set_dsa_key(k, d);
 break;
 case LDNS_SIGN_HMACMD5:
+ case LDNS_SIGN_HMACSHA1:
 k->_key.key = NULL;
 size = size / 8;
 ldns_key_set_hmac_size(k, size);
-
+
 hmac = LDNS_XMALLOC(unsigned char, size);
 #ifdef HAVE_SSL
 if (RAND_bytes(hmac, size) != 1) {
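Review bot: In the -526 hunk `hmac = LDNS_XMALLOC(unsigned char, size);` is handed straight to `RAND_bytes(hmac, size)` with no NULL check, and because `size` was just divided by 8 a caller passing fewer than 8 bits reaches this point with `size == 0`, producing an empty secret that the next hunk stores via `ldns_key_set_hmac_key`. Both HMAC cases should reject that before allocating, `if (size == 0) { return NULL; }`, and check the allocation afterwards, `if (!hmac) { return NULL; }`, mirroring the `return NULL` the RSA branch uses at -511 — which, from what is visible, also appears to leave `k` unfreed, so a shared cleanup path would be better than copying that pattern. The -468/-476 hunks show ldns_key_new_frm_fp_hmac_l allocating `d` and `buf` the same unchecked way, presumably worth the same treatment. ldns_key_new_frm_algorithm continues on both sides of the hunk.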
@@ -549,7 +555,7 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
 }
 #endif /* HAVE_SSL */
 ldns_key_set_hmac_key(k, hmac);
-
+
 ldns_key_set_flags(k, 0);
 break;
 }
@@ -571,7 +577,7 @@ ldns_key_print(FILE *output, const ldns_key *k)
 void
-ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l)
+ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l)
 {
 k->_alg = l;
 }
@@ -907,6 +913,7 @@ ldns_key2rr(const ldns_key *k)
 switch (ldns_key_algorithm(k)) {
 case LDNS_SIGN_HMACMD5:
+ case LDNS_SIGN_HMACSHA1:
 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
 break;
 default:
@@ -915,16 +922,16 @@ ldns_key2rr(const ldns_key *k)
 }
 /* zero-th rdf - flags */
 ldns_rr_push_rdf(pubkey,
- ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
+ ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
 ldns_key_flags(k)));
 /* first - proto */
- ldns_rr_push_rdf(pubkey,
+ ldns_rr_push_rdf(pubkey,
 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO));
-
+
 if (ldns_key_pubkey_owner(k)) {
 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k)));
 }
-
+
 /* third - da algorithm */
 switch(ldns_key_algorithm(k)) {
 case LDNS_RSAMD5:
@@ -966,12 +973,14 @@ ldns_key2rr(const ldns_key *k)
 }
 break;
 case LDNS_SIGN_HMACMD5:
+ case LDNS_SIGN_HMACSHA1:
 /* tja */
 ldns_rr_push_rdf(pubkey,
- ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_SIGN_HMACMD5));
+ ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
+ ldns_key_algorithm(k)));
 size = ldns_key_hmac_size(k);
- bin = LDNS_XREALLOC(bin, unsigned char, size);
- memcpy(bin, ldns_key_hmac_key(k), size);
+ bin = LDNS_XREALLOC(bin, unsigned char, size);
+ memcpy(bin, ldns_key_hmac_key(k), size);
 break;
 }
 /* fourth the key bin material */
@@ -1017,7 +1026,7 @@ ldns_key_deep_free(ldns_key *key)
 }
 if (ldns_key_hmac_key(key)) {
 free(ldns_key_hmac_key(key));
- }
+ }
 LDNS_FREE(key);
 }
diff --git a/ldns/keys.h b/ldns/keys.h
index 71d365f0..a9cfd21c 100644
--- a/ldns/keys.h
+++ b/ldns/keys.h
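Review bot: In the -966 hunk the HMAC cases copy `ldns_key_hmac_key(k)` into `bin`, so the shared secret becomes the key field of the KEY RR that ldns_key2rr returns, and `ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))` now writes the ldns-private values 157/158 from keys.h into the wire algorithm octet; nothing in the code says either thing. Replacing `/* tja */` with `/* TSIG: this "public" KEY RR carries the shared secret itself and must be protected like the private key file; 157/158 are ldns-private algorithm numbers, not IANA-assigned */` would stop callers from treating the RR as publishable. Separately, `bin = LDNS_XREALLOC(bin, unsigned char, size);` overwrites `bin` with the realloc result and the `memcpy` follows unchecked, so a failed realloc both leaks the old buffer and writes through NULL; assign to a temporary and test it before committing to `bin`. ldns_key2rr continues on both sides of the hunk.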
@@ -75,8 +75,9 @@ enum ldns_enum_signing_algorithm
 LDNS_SIGN_RSASHA512 = LDNS_RSASHA512,
 LDNS_SIGN_DSA = LDNS_DSA,
 LDNS_SIGN_RSASHA1_NSEC3 = LDNS_RSASHA1_NSEC3,
- LDNS_SIGN_DSA_NSEC3 = LDNS_DSA_NSEC3,
- LDNS_SIGN_HMACMD5 = 157 /* not official! This type is for TSIG, not DNSSEC */
+ LDNS_SIGN_DSA_NSEC3 = LDNS_DSA_NSEC3,
+ LDNS_SIGN_HMACMD5 = 157, /* not official! This type is for TSIG, not DNSSEC */
+ LDNS_SIGN_HMACSHA1 = 158 /* not official! This type is for TSIG, not DNSSEC */
 };
 typedef enum ldns_enum_signing_algorithm ldns_signing_algorithm;
diff --git a/ldns/tsig.h b/ldns/tsig.h
index 26e148a4..c3a10a6a 100644
--- a/ldns/tsig.h
+++ b/ldns/tsig.h
@@ -47,7 +47,7 @@ bool ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const
 * \param[in] key_name the name of the shared key
 * \param[in] key_data the key in base 64 format
 * \param[in] fudge seconds of error permitted in time signed
- * \param[in] algorithm_name the name of the algorithm used
+ * \param[in] algorithm_name the name of the algorithm used
 * \param[in] query_mac is added to the digest if not NULL (so NULL is for signing queries, not NULL is for signing answers)
 * \return status (OK if success)
 */
diff --git a/tsig.c b/tsig.c
index 1e323322..bd66129b 100644
--- a/tsig.c
+++ b/tsig.c
@@ -60,10 +60,10 @@ ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
 uint16_t ns_count;
 uint16_t ar_count;
 ldns_rr *rr;
-
+
 size_t pos;
 uint16_t i;
-
+
 ldns_status status;
 /* fake parse the wire */
@@ -71,7 +71,7 @@ ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
 an_count = LDNS_ANCOUNT(wire);
 ns_count = LDNS_NSCOUNT(wire);
 ar_count = LDNS_ARCOUNT(wire);
-
+
 if (ar_count > 0) {
 ar_count--;
 } else {
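Review bot: The comment on `LDNS_SIGN_HMACSHA1 = 158` repeats "not official" without saying what that implies for users of the enum; in this same commit ldns_key2rr (keys.c -966) writes these values into the algorithm octet of a KEY RR and ldns_key_new_frm_fp_l (keys.c -179) matches them as `Algorithm: 157`/`158` in key files, so a reader needs to know they are ldns-private. I would word both lines as `/* ldns-private value for TSIG key files, not an IANA DNSSEC algorithm number; must not appear in published DNSKEY/KEY RRs */` so the constraint travels with the constant. The enum's earlier members are outside the hunk.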
@@ -79,7 +79,7 @@ ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
 }
 pos = LDNS_HEADER_SIZE;
-
+
 for (i = 0; i < qd_count; i++) {
 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_QUESTION);
 if (status != LDNS_STATUS_OK) {
@@ -87,7 +87,7 @@ ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
 }
 ldns_rr_free(rr);
 }
-
+
 for (i = 0; i < an_count; i++) {
 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_ANSWER);
 if (status != LDNS_STATUS_OK) {
@@ -95,7 +95,7 @@ ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
 }
 ldns_rr_free(rr);
 }
-
+
 for (i = 0; i < ns_count; i++) {
 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_AUTHORITY);
 if (status != LDNS_STATUS_OK) {
@@ -103,22 +103,22 @@ ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
 }
 ldns_rr_free(rr);
 }
-
+
 for (i = 0; i < ar_count; i++) {
- status = ldns_wire2rr(&rr, wire, wire_len, &pos,
+ status = ldns_wire2rr(&rr, wire, wire_len, &pos,
 LDNS_SECTION_ADDITIONAL);
 if (status != LDNS_STATUS_OK) {
 return NULL;
 }
 ldns_rr_free(rr);
 }
-
+
 *result_len = pos;
 wire2 = LDNS_XMALLOC(uint8_t, *result_len);
 memcpy(wire2, wire, *result_len);
-
+
 ldns_write_uint16(wire2 + LDNS_ARCOUNT_OFF, ar_count);
-
+
 return wire2;
 }