+3525. [func] Support for additional signing algorithms in rndc:
+ hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
+ The -A option to rndc-confgen can be used to
+ select the algorithm for the generated key.
+ (The default is still hmac-md5; this may
+ change in a future release.) [RT #20363]
+
3524. [func] Added an alternate statistics channel in JSON format,
when the server is built with the json-c library:
http://[address]:[port]/json. [RT #32630]
Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
key "rndc-key" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};
<year>2008</year>
<year>2009</year>
<year>2010</year>
+ <year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<informalexample>
<programlisting>
key "rndc-key" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};</programlisting>
</informalexample>
#include "util.h"
#include "keygen.h"
-#define DEFAULT_KEYLENGTH 128 /*% Bits. */
#define DEFAULT_KEYNAME "rndc-key"
#define DEFAULT_SERVER "127.0.0.1"
#define DEFAULT_PORT 953
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
- -b bits: from 1 through 512, default %d; total length of the secret\n\
+ -A alg: algorithm (default hmac-md5)\n\
+ -b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
- progname, keydef, DEFAULT_KEYLENGTH);
+ progname, keydef);
exit (status);
}
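Review bot: The synopsis line `%s [-a] [-b bits] [-c keyfile] ...` was not updated to list the new option, so the help text describes `-A alg` below without showing it in the usage pattern; it should read `%s [-a] [-A alg] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \`. The `-b` line now hard-codes `default 256`, but the actual default is computed as `alg_bits(alg)` once the options are parsed, which varies with the selected algorithm (the man page in the same commit says "the default is the hash size"); `-b bits: from 1 through 512, default is the hash size of the algorithm; total length of the secret\n\` would stay true for every `-A`. Note also that this text and the CHANGES entry call hmac-md5 the default while the ARM wording added in this commit labels HMAC-SHA256 "(default)"; one of the two should be corrected. The enclosing usage() function starts before this hunk.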
const char *keyname = NULL;
const char *randomfile = NULL;
const char *serveraddr = NULL;
- dns_secalg_t alg = DST_ALG_HMACMD5;
- const char *algname = alg_totext(alg);
+ dns_secalg_t alg;
+ const char *algname;
char *p;
int ch;
int port;
- int keysize;
+ int keysize = -1;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
progname = program;
keyname = DEFAULT_KEYNAME;
- keysize = DEFAULT_KEYLENGTH;
+ alg = DST_ALG_HMACMD5;
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
- "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
+ "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
+ {
switch (ch) {
case 'a':
keyonly = ISC_TRUE;
break;
+ case 'A':
+ algname = isc_commandline_argument;
+ alg = alg_fromtext(algname);
+ if (alg == DST_ALG_UNKNOWN)
+ fatal("Unsupported algorithm '%s'", algname);
+ break;
case 'b':
keysize = strtol(isc_commandline_argument, &p, 10);
if (*p != '\0' || keysize < 0)
if (argc > 0)
usage(1);
+ if (keysize < 0)
+ keysize = alg_bits(alg);
+ algname = alg_totext(alg);
+
DO("create memory context", isc_mem_create(0, 0, &mctx));
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
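Review bot: With `keysize` now defaulting to the sentinel `-1`, the existing `-b` range check `keysize < 0` still lets `-b 0` through, and the new `if (keysize < 0) keysize = alg_bits(alg);` does not replace it, so a zero-bit secret can be requested even though the usage text promises 1 through 512; changing the check to `if (*p != '\0' || keysize < 1)` would make the sentinel unambiguous. It is not visible here whether the 512 upper bound is enforced further down in keygen, so that may deserve a look too. The `-b` parsing and the surrounding main() extend beyond this hunk.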
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
- [<!ENTITY mdash "—">]>
+ [<!ENTITY mdash "—">]>
<!--
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
<year>2005</year>
<year>2007</year>
<year>2009</year>
+ <year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<cmdsynopsis>
<command>rndc-confgen</command>
<arg><option>-a</option></arg>
+ <arg><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg><option>-h</option></arg>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-A <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-md5.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the size of the authentication key in bits.
- Must be between 1 and 512 bits; the default is 128.
+ Must be between 1 and 512 bits; the default is the
+ hash size.
</para>
</listitem>
</varlistentry>
struct controlkey {
char * keyname;
+ isc_uint32_t algorithm;
isc_region_t secret;
ISC_LINK(controlkey_t) link;
};
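Review bot: The new `algorithm` member carries a DST_ALG_* value (it is set from `ns_config_getkeyalgorithm2` and initialized to `DST_ALG_UNKNOWN` elsewhere in this commit) but is handed to the isccc layer, which switches on ISCCC_ALG_* constants, so the field deserves a comment stating which namespace it lives in: `isc_uint32_t algorithm; /* DST_ALG_* value; DST_ALG_UNKNOWN until the key's algorithm clause has been parsed */`. Using `dns_secalg_t`, as rndc-confgen.c does for the same quantity, would make the type say it as well.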
isccc_sexpr_t *request = NULL;
isccc_sexpr_t *response = NULL;
isccc_region_t ccregion;
+ isc_uint32_t algorithm;
isccc_region_t secret;
isc_stdtime_t now;
isc_buffer_t b;
conn = event->ev_arg;
listener = conn->listener;
+ algorithm = DST_ALG_UNKNOWN;
secret.rstart = NULL;
/* Is the server shutting down? */
goto cleanup;
memcpy(secret.rstart, key->secret.base, key->secret.length);
secret.rend = secret.rstart + key->secret.length;
- result = isccc_cc_fromwire(&ccregion, &request, &secret);
+ algorithm = key->algorithm;
+ result = isccc_cc_fromwire(&ccregion, &request,
+ algorithm, &secret);
if (result == ISC_R_SUCCESS)
break;
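Review bot: `algorithm = key->algorithm` is a DST_ALG_* number (filled in from `ns_config_getkeyalgorithm2`), yet it is passed straight to `isccc_cc_fromwire`, whose sign/verify code in isccc/cc.c switches on ISCCC_ALG_HMACMD5 and friends, so correctness here silently depends on the two enumerations sharing the same numeric values. If that equality is intended, it should be pinned rather than assumed, e.g. a comment `/* DST_ALG_* and ISCCC_ALG_* values coincide for the HMAC algorithms */` next to this assignment plus a compile-time check of `DST_ALG_HMACMD5 == ISCCC_ALG_HMACMD5` (and the SHA variants) where both headers are visible. The same pass-through occurs in the `isccc_cc_towire` call a few lines below. The key-lookup loop this sits in starts before the hunk.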
isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
ccregion.rstart = conn->buffer + 4;
ccregion.rend = conn->buffer + sizeof(conn->buffer);
- result = isccc_cc_towire(response, &ccregion, &secret);
+ result = isccc_cc_towire(response, &ccregion, algorithm, &secret);
if (result != ISC_R_SUCCESS)
goto cleanup_response;
isc_buffer_init(&b, conn->buffer, 4);
if (key == NULL)
goto cleanup;
key->keyname = newstr;
+ key->algorithm = DST_ALG_UNKNOWN;
key->secret.base = NULL;
key->secret.length = 0;
ISC_LINK_INIT(key, link);
const cfg_obj_t *secretobj = NULL;
const char *algstr = NULL;
const char *secretstr = NULL;
+ unsigned int algtype;
(void)cfg_map_get(keydef, "algorithm", &algobj);
(void)cfg_map_get(keydef, "secret", &secretobj);
algstr = cfg_obj_asstring(algobj);
secretstr = cfg_obj_asstring(secretobj);
- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
- ISC_R_SUCCESS)
+ if (ns_config_getkeyalgorithm2(algstr, NULL,
+ &algtype, NULL) != ISC_R_SUCCESS)
{
cfg_obj_log(control, ns_g_lctx,
ISC_LOG_WARNING,
continue;
}
+ keyid->algorithm = algtype;
isc_buffer_init(&b, secret, sizeof(secret));
result = isc_base64_decodestring(secretstr, &b);
const char *secretstr = NULL;
controlkey_t *keyid = NULL;
char secret[1024];
+ unsigned int algtype;
isc_buffer_t b;
CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
cfg_obj_asstring(cfg_map_getname(key)));
keyid->secret.base = NULL;
keyid->secret.length = 0;
+ keyid->algorithm = DST_ALG_UNKNOWN;
ISC_LINK_INIT(keyid, link);
if (keyid->keyname == NULL)
CHECK(ISC_R_NOMEMORY);
algstr = cfg_obj_asstring(algobj);
secretstr = cfg_obj_asstring(secretobj);
- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
+ if (ns_config_getkeyalgorithm2(algstr, NULL,
+ &algtype, NULL) != ISC_R_SUCCESS) {
cfg_obj_log(key, ns_g_lctx,
ISC_LOG_WARNING,
"unsupported algorithm '%s' in "
goto cleanup;
}
+ keyid->algorithm = algtype;
isc_buffer_init(&b, secret, sizeof(secret));
result = isc_base64_decodestring(secretstr, &b);
static isc_socketmgr_t *socketmgr = NULL;
static unsigned char databuf[2048];
static isccc_ccmsg_t ccmsg;
+static isc_uint32_t algorithm;
static isccc_region_t secret;
static isc_boolean_t failed = ISC_FALSE;
static isc_boolean_t c_flag = ISC_FALSE;
source.rstart = isc_buffer_base(&ccmsg.buffer);
source.rend = isc_buffer_used(&ccmsg.buffer);
- DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
+ DO("parse message",
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
data = isccc_alist_lookup(response, "_data");
if (data == NULL)
"* the remote server is using an older version of"
" the command protocol,\n"
"* this host is not authorized to connect,\n"
- "* the clocks are not synchronized, or\n"
+ "* the clocks are not synchronized,\n"
+ "* the the key signing algorithm is incorrect, or\n"
"* the key is invalid.");
if (ccmsg.result != ISC_R_SUCCESS)
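Review bot: The newly added diagnostic line contains a doubled word, `"* the the key signing algorithm is incorrect, or\n"`; it should be `"* the key signing algorithm is incorrect, or\n"`. This text is printed to the operator on every failed connection, so the typo is user-visible. The fatal() call it belongs to begins before this hunk.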
source.rstart = isc_buffer_base(&ccmsg.buffer);
source.rend = isc_buffer_used(&ccmsg.buffer);
- DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
+ DO("parse message",
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
_ctrl = isccc_alist_lookup(response, "_ctrl");
if (_ctrl == NULL)
}
message.rstart = databuf + 4;
message.rend = databuf + sizeof(databuf);
- DO("render message", isccc_cc_towire(request, &message, &secret));
+ DO("render message",
+ isccc_cc_towire(request, &message, algorithm, &secret));
len = sizeof(databuf) - REGION_SIZE(message);
isc_buffer_init(&b, databuf, 4);
isc_buffer_putuint32(&b, len - 4);
fatal("out of memory");
message.rstart = databuf + 4;
message.rend = databuf + sizeof(databuf);
- DO("render message", isccc_cc_towire(request, &message, &secret));
+ DO("render message",
+ isccc_cc_towire(request, &message, algorithm, &secret));
len = sizeof(databuf) - REGION_SIZE(message);
isc_buffer_init(&b, databuf, 4);
isc_buffer_putuint32(&b, len - 4);
const cfg_obj_t *address = NULL;
const cfg_listelt_t *elt;
const char *secretstr;
- const char *algorithm;
+ const char *algorithmstr;
static char secretarray[1024];
const cfg_type_t *conftype = &cfg_type_rndcconf;
isc_boolean_t key_only = ISC_FALSE;
fatal("key must have algorithm and secret");
secretstr = cfg_obj_asstring(secretobj);
- algorithm = cfg_obj_asstring(algorithmobj);
-
- if (strcasecmp(algorithm, "hmac-md5") != 0)
- fatal("unsupported algorithm: %s", algorithm);
+ algorithmstr = cfg_obj_asstring(algorithmobj);
+
+ if (strcasecmp(algorithmstr, "hmac-md5") == 0)
+ algorithm = ISCCC_ALG_HMACMD5;
+ else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
+ algorithm = ISCCC_ALG_HMACSHA1;
+ else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
+ algorithm = ISCCC_ALG_HMACSHA224;
+ else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
+ algorithm = ISCCC_ALG_HMACSHA256;
+ else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
+ algorithm = ISCCC_ALG_HMACSHA384;
+ else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
+ algorithm = ISCCC_ALG_HMACSHA512;
+ else
+ fatal("unsupported algorithm: %s", algorithmstr);
secret.rstart = (unsigned char *)secretarray;
secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
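Review bot: The six-way `strcasecmp` chain is a third hand-written copy of the algorithm-name mapping (rndc-confgen has `alg_fromtext`, named has `ns_config_getkeyalgorithm2`), and adding an algorithm later means editing every copy in step; a small static table keeps the names and constants together and makes the unsupported-algorithm path a single branch. The observable behaviour — case-insensitive match, `fatal("unsupported algorithm: %s", ...)` otherwise — is unchanged. The enclosing function starts and ends outside this hunk, so the table would go at file scope next to the other statics.
```c
static const struct {
	const char *name;
	isc_uint32_t alg;
} algtable[] = {
	{ "hmac-md5",    ISCCC_ALG_HMACMD5 },
	{ "hmac-sha1",   ISCCC_ALG_HMACSHA1 },
	{ "hmac-sha224", ISCCC_ALG_HMACSHA224 },
	{ "hmac-sha256", ISCCC_ALG_HMACSHA256 },
	{ "hmac-sha384", ISCCC_ALG_HMACSHA384 },
	{ "hmac-sha512", ISCCC_ALG_HMACSHA512 },
};

/* … unchanged: key/secret lookup … */
	algorithmstr = cfg_obj_asstring(algorithmobj);

	for (i = 0; i < sizeof(algtable) / sizeof(algtable[0]); i++)
		if (strcasecmp(algorithmstr, algtable[i].name) == 0)
			break;
	if (i == sizeof(algtable) / sizeof(algtable[0]))
		fatal("unsupported algorithm: %s", algorithmstr);
	algorithm = algtable[i].alg;
```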
};
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "34f88008d07deabbe65bd01f1d233d47";
};
};
key "key" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<para>
The <option>key</option> statement begins with an identifying
string, the name of the key. The statement has two clauses.
- <option>algorithm</option> identifies the encryption algorithm
+ <option>algorithm</option> identifies the authentication algorithm
for <command>rndc</command> to use; currently only HMAC-MD5
- is
+ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
+ (default), HMAC-SHA384 and HMAC-SHA512 are
supported. This is followed by a secret clause which contains
- the base-64 encoding of the algorithm's encryption key. The
+ the base-64 encoding of the algorithm's authentication key. The
base-64 string is enclosed in double quotes.
</para>
<para>
</para>
<para><programlisting>
key samplekey {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
};
</programlisting>
</para>
<para><programlisting>
key testkey {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
};
</programlisting>
Commands to the localhost server will use the samplekey key, which
must also be defined in the server's configuration file with the
same name and secret. The key statement indicates that samplekey
- uses the HMAC-MD5 algorithm and its secret clause contains the
- base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+ uses the HMAC-SHA256 algorithm and its secret clause contains the
+ base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
</para>
<para>
If <command>rndc -s testserver</command> is used then <command>rndc</command> will
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
- [<!ENTITY mdash "—">]>
+ [<!ENTITY mdash "—">]>
<!--
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000, 2001 Internet Software Consortium.
<year>2004</year>
<year>2005</year>
<year>2007</year>
+ <year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
arguments.
</para>
<para><command>rndc</command>
- communicates with the name server
- over a TCP connection, sending commands authenticated with
- digital signatures. In the current versions of
+ communicates with the name server over a TCP connection, sending
+ commands authenticated with digital signatures. In the current
+ versions of
<command>rndc</command> and <command>named</command>,
- the only supported authentication algorithm is HMAC-MD5,
- which uses a shared secret on each end of the connection.
+ the only supported authentication algorithms are HMAC-MD5
+ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
+ (default), HMAC-SHA384 and HMAC-SHA512.
+ They use a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
request and the name server's response. All commands sent
over the channel must be signed by a key_id known to the
<command>rndc</command>. If no server is supplied on the
command line, the host named by the default-server clause
in the options statement of the <command>rndc</command>
- configuration file will be used.
+ configuration file will be used.
</para>
</listitem>
</varlistentry>
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
};
key rndc_key {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
RNDC=$TOP/bin/rndc/rndc
NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
+RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
KEYGEN=$TOP/bin/dnssec/dnssec-keygen
KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
SIGNER=$TOP/bin/dnssec/dnssec-signzone
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
*
* e.g.
* key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
- * algorithm hmac-md5;
+ * algorithm hmac-sha256;
* secret "34f88008d07deabbe65bd01f1d233d47";
* };
*
*/
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "34f88008d07deabbe65bd01f1d233d47";
};
/* $Id: rndc.conf,v 1.5 2007/06/19 23:47:02 tbox Exp $ */
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "34f88008d07deabbe65bd01f1d233d47";
};
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
include "ddns.key";
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
};
key "rndc-key" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "Am9vCg==";
};
};
key "rndc-key" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "Am9vCg==";
};
};
key "rndc-key" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "Am9vCg==";
};
};
key "rndc-key" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "Am9vCg==";
};
};
key "rndc-key" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "Am9vCg==";
};
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
rm -f ns3/named_dump.db
rm -f ns*/named.memstats
rm -f ns*/named.run
+rm -f random.data
+rm -f ns4/*.conf
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
key secondkey {
secret "abcd1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key secondkey {
secret "abcd1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
key secondkey {
secret "abcd1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
--- /dev/null
+/*
+ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+controls { /* empty */ };
+
+options {
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN
+# -r random.dataCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: setup.sh,v 1.2 2011/03/21 18:06:06 each Exp $
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
sh clean.sh
+../../../tools/genrandom 400 random.data
+
sh ../genzone.sh 2 >ns2/nil.db
sh ../genzone.sh 2 >ns2/other.db
sh ../genzone.sh 2 >ns2/static.db
+
+cat ns4/named.conf.in > ns4/named.conf
+
+make_key () {
+ $RNDCCONFGEN -r random.data -k key$1 -A $2 -s 10.53.0.4 -p 995${1} \
+ > ns4/key${1}.conf
+ egrep -v '(Start|End|Use|^[^#])' ns4/key$1.conf | cut -c3- | \
+ sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+}
+
+make_key 1 hmac-md5
+make_key 2 hmac-sha1
+make_key 3 hmac-sha224
+make_key 4 hmac-sha256
+make_key 5 hmac-sha384
+make_key 6 hmac-sha512
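Review bot: The license header of this setup.sh has been corrupted by the edit: the word NEGLIGENCE is split across `# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN` and a stray `# -r random.dataCE` line, which looks like a paste landing in the wrong place; restore the single line `# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE` and drop the `-r random.data` fragment, which already appears where it belongs in `make_key`. In `make_key`, the `egrep -v '(Start|End|Use|^[^#])' ... | cut -c3-` pipeline depends on the exact comment framing that rndc-confgen prints, so a one-line comment saying so would help the next person who changes that output: `# Lift the commented-out named.conf "key"/"controls" block that rndc-confgen prints after its key file.`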
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:testing rndc with hmac-md5"
+ret=0
+$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+for i in 2 3 4 5 6
+do
+ $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha1"
+ret=0
+$RNDC -s 10.53.0.4 -p 9952 -c ns4/key2.conf status > /dev/null 2>&1 || ret=1
+for i in 1 3 4 5 6
+do
+ $RNDC -s 10.53.0.4 -p 9952 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha224"
+ret=0
+$RNDC -s 10.53.0.4 -p 9953 -c ns4/key3.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 4 5 6
+do
+ $RNDC -s 10.53.0.4 -p 9953 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha256"
+ret=0
+$RNDC -s 10.53.0.4 -p 9954 -c ns4/key4.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 5 6
+do
+ $RNDC -s 10.53.0.4 -p 9954 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha384"
+ret=0
+$RNDC -s 10.53.0.4 -p 9955 -c ns4/key5.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 4 6
+do
+ $RNDC -s 10.53.0.4 -p 9955 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha512"
+ret=0
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 4 5
+do
+ $RNDC -s 10.53.0.4 -p 9956 -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
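Review bot: The hmac-sha512 negative loop redirects stderr twice, `> /dev/null 2>&1 2>&1 && ret=1`; it is harmless but signals that the six blocks were copy-edited by hand, and the only thing that varies between them is the port/key index and the algorithm name. Driving them from one loop removes the duplication and makes adding an algorithm a one-word change; the per-algorithm "I:" messages, the positive check with the matching key and the negative checks with every other key are preserved.
```sh
i=1
for alg in hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512
do
	echo "I:testing rndc with $alg"
	ret=0
	$RNDC -s 10.53.0.4 -p 995${i} -c ns4/key${i}.conf status > /dev/null 2>&1 || ret=1
	for j in 1 2 3 4 5 6
	do
		[ $j -eq $i ] && continue
		$RNDC -s 10.53.0.4 -p 995${i} -c ns4/key${j}.conf status > /dev/null 2>&1 && ret=1
	done
	if [ $ret != 0 ]; then echo "I:failed"; fi
	status=`expr $status + $ret`
	i=`expr $i + 1`
done
```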
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
key unused_key. {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
key rndc_key {
secret "1234abcd8765";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
controls {
<command>algorithm</command> and <command>secret</command>.
While the configuration parser will accept any string as the
argument
- to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
- has any meaning. The secret is a base-64 encoded string
+ to algorithm, currently only the strings
+ "<userinput>hmac-md5</userinput>",
+ "<userinput>hmac-sha1</userinput>",
+ "<userinput>hmac-sha224</userinput>",
+ "<userinput>hmac-sha256</userinput>",
+ "<userinput>hmac-sha384</userinput>"
+ and "<userinput>hmac-sha512</userinput>"
+ have any meaning. The secret is a base-64 encoded string
as specified in RFC 3548.
</para>
<programlisting>
key rndc_key {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
secret
"c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
#include <isc/assertions.h>
#include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
#include <isc/print.h>
#include <isc/stdlib.h>
#define HMD5_OFFSET 21 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
#define HMD5_LENGTH 22
+static unsigned char auth_hsha[] = {
+ 0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
+ ISCCC_CCMSGTYPE_TABLE, /*%< message type */
+ 0x00, 0x00, 0x00, 0x63, /*%< length == 99 */
+ 0x04, 0x68, 0x73, 0x68, 0x61, /*%< len + hsha */
+ ISCCC_CCMSGTYPE_BINARYDATA, /*%< message type */
+ 0x00, 0x00, 0x00, 0x59, /*%< length == 89 */
+ 0x00, /*%< algorithm */
+ /*
+ * The base64 encoding of one of our HMAC-SHA* signatures is
+ * 88 bytes.
+ */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+#define HSHA_OFFSET 22 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */
+#define HSHA_LENGTH 88
+
static isc_result_t
table_towire(isccc_sexpr_t *alist, isccc_region_t *target);
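Review bot: The comment on the new offset constant contradicts its value: `#define HSHA_OFFSET 22 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */` — the sum on the right is 22, so it should read `/*%< 22 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */`. Since the `+ 1` is the single algorithm byte that sits just before the signature in `auth_hsha`, naming it there (`... + 4 + 1 (algorithm) */`) would document why towire later addresses that byte as `hmac_rstart - 1`. The `0x00, /*%< algorithm */` placeholder in the template could likewise say that it is overwritten by `isccc_cc_towire` with the ISCCC_ALG_* value.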
}
static isc_result_t
-sign(unsigned char *data, unsigned int length, unsigned char *hmd5,
- isccc_region_t *secret)
+sign(unsigned char *data, unsigned int length, unsigned char *hmac,
+ isc_uint32_t algorithm, isccc_region_t *secret)
{
- isc_hmacmd5_t ctx;
+ union {
+ isc_hmacmd5_t hmd5;
+ isc_hmacsha1_t hsha;
+ isc_hmacsha224_t h224;
+ isc_hmacsha256_t h256;
+ isc_hmacsha384_t h384;
+ isc_hmacsha512_t h512;
+ } ctx;
isc_result_t result;
isccc_region_t source, target;
- unsigned char digest[ISC_MD5_DIGESTLENGTH];
- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
+ unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+ unsigned char digestb64[HSHA_LENGTH + 4];
- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
- isc_hmacmd5_update(&ctx, data, length);
- isc_hmacmd5_sign(&ctx, digest);
source.rstart = digest;
- source.rend = digest + ISC_MD5_DIGESTLENGTH;
+
+ switch (algorithm) {
+ case ISCCC_ALG_HMACMD5:
+ isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacmd5_update(&ctx.hmd5, data, length);
+ isc_hmacmd5_sign(&ctx.hmd5, digest);
+ source.rend = digest + ISC_MD5_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA1:
+ isc_hmacsha1_init(&ctx.hsha, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha1_update(&ctx.hsha, data, length);
+ isc_hmacsha1_sign(&ctx.hsha, digest,
+ ISC_SHA1_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA1_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA224:
+ isc_hmacsha224_init(&ctx.h224, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha224_update(&ctx.h224, data, length);
+ isc_hmacsha224_sign(&ctx.h224, digest,
+ ISC_SHA224_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA224_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA256:
+ isc_hmacsha256_init(&ctx.h256, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha256_update(&ctx.h256, data, length);
+ isc_hmacsha256_sign(&ctx.h256, digest,
+ ISC_SHA256_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA256_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA384:
+ isc_hmacsha384_init(&ctx.h384, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha384_update(&ctx.h384, data, length);
+ isc_hmacsha384_sign(&ctx.h384, digest,
+ ISC_SHA384_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA384_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA512:
+ isc_hmacsha512_init(&ctx.h512, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha512_update(&ctx.h512, data, length);
+ isc_hmacsha512_sign(&ctx.h512, digest,
+ ISC_SHA512_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA512_DIGESTLENGTH;
+ break;
+
+ default:
+ return (ISC_R_FAILURE);
+ }
+
+ memset(digestb64, 0, sizeof(digestb64));
target.rstart = digestb64;
- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
+ target.rend = digestb64 + sizeof(digestb64);
result = isccc_base64_encode(&source, 64, "", &target);
if (result != ISC_R_SUCCESS)
return (result);
- PUT_MEM(digestb64, HMD5_LENGTH, hmd5);
-
+ if (algorithm == ISCCC_ALG_HMACMD5)
+ PUT_MEM(digestb64, HMD5_LENGTH, hmac);
+ else
+ PUT_MEM(digestb64, HSHA_LENGTH, hmac);
return (ISC_R_SUCCESS);
}
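Review bot: For every non-MD5 algorithm `PUT_MEM(digestb64, HSHA_LENGTH, hmac)` copies a fixed 88 bytes, so a shorter digest (e.g. HMAC-SHA1's 28 base64 characters) is transmitted zero-padded and the correctness of that depends on the `memset(digestb64, 0, sizeof(digestb64))` added above; that contract should be written down next to the copy, `/* Shorter base64 digests are NUL-padded to HSHA_LENGTH; verify() must compare the whole field. */`, and the verifier should be checked against it. The buffer sizes also disagree between the two functions: here `digestb64[HSHA_LENGTH + 4]`, in verify() `digestb64[HSHA_LENGTH * 4]`, which is presumably a leftover of the old `ISC_MD5_DIGESTLENGTH * 4` sizing rather than intentional. The six-way init/update/sign switch is repeated verbatim in verify(); a shared static helper taking (algorithm, secret, data, length, digest, &digestlen) would keep the two from drifting apart. verify() starts at the end of this view and runs past it.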
isc_result_t
isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
- isccc_region_t *secret)
+ isc_uint32_t algorithm, isccc_region_t *secret)
{
- unsigned char *hmd5_rstart, *signed_rstart;
+ unsigned char *hmac_rstart, *signed_rstart;
isc_result_t result;
- if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
- return (ISC_R_NOSPACE);
+ if (algorithm == ISCCC_ALG_HMACMD5) {
+ if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
+ return (ISC_R_NOSPACE);
+ } else {
+ if (REGION_SIZE(*target) < 4 + sizeof(auth_hsha))
+ return (ISC_R_NOSPACE);
+ }
+
/*
* Emit protocol version.
*/
PUT32(1, target->rstart);
if (secret != NULL) {
/*
- * Emit _auth section with zeroed HMAC-MD5 signature.
+ * Emit _auth section with zeroed HMAC signature.
* We'll replace the zeros with the real signature once
* we know what it is.
*/
- hmd5_rstart = target->rstart + HMD5_OFFSET;
- PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
+ if (algorithm == ISCCC_ALG_HMACMD5) {
+ hmac_rstart = target->rstart + HMD5_OFFSET;
+ PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
+ } else {
+ unsigned char *hmac_alg;
+
+ hmac_rstart = target->rstart + HSHA_OFFSET;
+ hmac_alg = hmac_rstart - 1;
+ PUT_MEM(auth_hsha, sizeof(auth_hsha), target->rstart);
+ PUT8(algorithm, hmac_alg);
+ }
} else
- hmd5_rstart = NULL;
+ hmac_rstart = NULL;
signed_rstart = target->rstart;
/*
* Delete any existing _auth section so that we don't try
return (result);
if (secret != NULL)
return (sign(signed_rstart, (target->rstart - signed_rstart),
- hmd5_rstart, secret));
+ hmac_rstart, algorithm, secret));
return (ISC_R_SUCCESS);
}
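Review bot: `PUT8(algorithm, hmac_alg)` narrows the 32-bit `algorithm` to one wire byte and `hmac_alg = hmac_rstart - 1` only works because `auth_hsha` places the algorithm byte immediately before the signature; neither fact is stated, so add `/* auth_hsha: one algorithm byte (ISCCC_ALG_*, must fit in 8 bits) directly precedes the signature. */` above the assignment. An unrecognised `algorithm` currently takes the hsha branch, has the whole message rendered into `target`, and is only rejected when sign() returns ISC_R_FAILURE at the very end; checking it up front, next to the space check, would fail before anything is written, e.g. by adding the unknown case to the existing `if (algorithm == ISCCC_ALG_HMACMD5) ... else` as a `switch` with a `default: return (ISC_R_FAILURE);`. The two space checks could then collapse into one using the template size chosen by that switch.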
static isc_result_t
verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
- isccc_region_t *secret)
+ isc_uint32_t algorithm, isccc_region_t *secret)
{
- isc_hmacmd5_t ctx;
+ union {
+ isc_hmacmd5_t hmd5;
+ isc_hmacsha1_t hsha;
+ isc_hmacsha224_t h224;
+ isc_hmacsha256_t h256;
+ isc_hmacsha384_t h384;
+ isc_hmacsha512_t h512;
+ } ctx;
isccc_region_t source;
isccc_region_t target;
isc_result_t result;
- isccc_sexpr_t *_auth, *hmd5;
- unsigned char digest[ISC_MD5_DIGESTLENGTH];
- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
+ isccc_sexpr_t *_auth, *hmac;
+ unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+ unsigned char digestb64[HSHA_LENGTH * 4];
/*
* Extract digest.
_auth = isccc_alist_lookup(alist, "_auth");
if (_auth == NULL)
return (ISC_R_FAILURE);
- hmd5 = isccc_alist_lookup(_auth, "hmd5");
- if (hmd5 == NULL)
+ if (algorithm == ISCCC_ALG_HMACMD5)
+ hmac = isccc_alist_lookup(_auth, "hmd5");
+ else
+ hmac = isccc_alist_lookup(_auth, "hsha");
+ if (hmac == NULL)
return (ISC_R_FAILURE);
/*
* Compute digest.
*/
- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
- isc_hmacmd5_update(&ctx, data, length);
- isc_hmacmd5_sign(&ctx, digest);
source.rstart = digest;
- source.rend = digest + ISC_MD5_DIGESTLENGTH;
target.rstart = digestb64;
- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
+ switch (algorithm) {
+ case ISCCC_ALG_HMACMD5:
+ isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacmd5_update(&ctx.hmd5, data, length);
+ isc_hmacmd5_sign(&ctx.hmd5, digest);
+ source.rend = digest + ISC_MD5_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA1:
+ isc_hmacsha1_init(&ctx.hsha, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha1_update(&ctx.hsha, data, length);
+ isc_hmacsha1_sign(&ctx.hsha, digest,
+ ISC_SHA1_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA1_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA224:
+ isc_hmacsha224_init(&ctx.h224, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha224_update(&ctx.h224, data, length);
+ isc_hmacsha224_sign(&ctx.h224, digest,
+ ISC_SHA224_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA224_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA256:
+ isc_hmacsha256_init(&ctx.h256, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha256_update(&ctx.h256, data, length);
+ isc_hmacsha256_sign(&ctx.h256, digest,
+ ISC_SHA256_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA256_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA384:
+ isc_hmacsha384_init(&ctx.h384, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha384_update(&ctx.h384, data, length);
+ isc_hmacsha384_sign(&ctx.h384, digest,
+ ISC_SHA384_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA384_DIGESTLENGTH;
+ break;
+
+ case ISCCC_ALG_HMACSHA512:
+ isc_hmacsha512_init(&ctx.h512, secret->rstart,
+ REGION_SIZE(*secret));
+ isc_hmacsha512_update(&ctx.h512, data, length);
+ isc_hmacsha512_sign(&ctx.h512, digest,
+ ISC_SHA512_DIGESTLENGTH);
+ source.rend = digest + ISC_SHA512_DIGESTLENGTH;
+ break;
+
+ default:
+ return (ISC_R_FAILURE);
+ }
+ target.rstart = digestb64;
+ target.rend = digestb64 + sizeof(digestb64);
+ memset(digestb64, 0, sizeof(digestb64));
result = isccc_base64_encode(&source, 64, "", &target);
if (result != ISC_R_SUCCESS)
return (result);
- /*
- * Strip trailing == and NUL terminate target.
- */
- target.rstart -= 2;
- *target.rstart++ = '\0';
+
/*
* Verify.
*/
- if (strcmp((char *)digestb64, isccc_sexpr_tostring(hmd5)) != 0)
- return (ISCCC_R_BADAUTH);
+ if (algorithm == ISCCC_ALG_HMACMD5) {
+ unsigned char *value;
+
+ value = (unsigned char *) isccc_sexpr_tostring(hmac);
+ if (memcmp(value, digestb64, HMD5_LENGTH) != 0)
+ return (ISCCC_R_BADAUTH);
+ } else {
+ unsigned char *value;
+ isc_uint32_t valalg;
+
+ value = (unsigned char *) isccc_sexpr_tostring(hmac);
+ GET8(valalg, value);
+ if ((valalg != algorithm) ||
+ (memcmp(value, digestb64, HSHA_LENGTH) != 0))
+ return (ISCCC_R_BADAUTH);
+ }
return (ISC_R_SUCCESS);
}
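Review bot: The comparison `memcmp(value, digestb64, HMD5_LENGTH)` (and the `GET8`/`memcmp` pair in the hsha branch) reads a fixed 22 or 1+88 bytes from the received `_auth` value without checking how long that value actually is; the `strcmp` it replaces stopped at the NUL terminator, so an empty or short `hmd5`/`hsha` string sent by a peer now reads past the end of the sexpr string before authentication has succeeded. Check the length first, e.g. `value = (unsigned char *)isccc_sexpr_tostring(hmac); if (value == NULL || strlen((const char *)value) < HMD5_LENGTH) return (ISCCC_R_BADAUTH);` in the MD5 branch, and the analogous `< HSHA_LENGTH + 1` check before the `GET8` in the else branch. Separately, `memcmp` returns at the first differing byte, so the time taken leaks how many leading bytes of a forged MAC were correct; if libisc offers a constant-time memory compare, use it for both branches. The `default:` case of the switch returning `ISC_R_FAILURE` is the right choice, but a comment saying that it is reached only for an unknown `algorithm` supplied by the caller, not for a bad message, would make the distinction from `ISCCC_R_BADAUTH` clear.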
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- isccc_sexpr_t **alistp);
+ isc_uint32_t algorithm, isccc_sexpr_t **alistp);
static isc_result_t
list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
} else
result = ISC_R_NOMEMORY;
} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
- result = table_fromwire(&active, NULL, valuep);
+ result = table_fromwire(&active, NULL, 0, valuep);
else if (msgtype == ISCCC_CCMSGTYPE_LIST)
result = list_fromwire(&active, valuep);
else
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- isccc_sexpr_t **alistp)
+ isc_uint32_t algorithm, isccc_sexpr_t **alistp)
{
char key[256];
isc_uint32_t len;
if (checksum_rstart != NULL)
result = verify(alist, checksum_rstart,
(source->rend - checksum_rstart),
- secret);
+ algorithm, secret);
else
result = ISCCC_R_BADAUTH;
} else
isc_result_t
isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
- isccc_region_t *secret)
+ isc_uint32_t algorithm, isccc_region_t *secret)
{
unsigned int size;
isc_uint32_t version;
if (version != 1)
return (ISCCC_R_UNKNOWNVERSION);
- return (table_fromwire(source, secret, alistp));
+ return (table_fromwire(source, secret, algorithm, alistp));
}
static isc_result_t
isc_result_t
isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
- isc_uint32_t serial, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp)
+ isc_uint32_t serial, isccc_time_t now,
+ isccc_time_t expires, isccc_sexpr_t **alistp)
{
return (createmessage(version, from, to, serial, now, expires,
alistp, ISC_TRUE));
isc_result_t
isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
- isccc_sexpr_t **ackp)
+ isccc_sexpr_t **ackp)
{
char *_frm, *_to;
isc_uint32_t serial;
isc_result_t
isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp)
+ isccc_time_t expires, isccc_sexpr_t **alistp)
{
char *_frm, *_to, *type = NULL;
isc_uint32_t serial;
isc_result_t
isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
- isc_uint32_t *uintp)
+ isc_uint32_t *uintp)
{
isccc_sexpr_t *kv, *v;
isc_result_t
isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
- isccc_time_t now)
+ isccc_time_t now)
{
const char *_frm;
const char *_to;
ISC_LANG_BEGINDECLS
+/*% from lib/dns/include/dst/dst.h */
+
+#define ISCCC_ALG_UNKNOWN 0
+#define ISCCC_ALG_HMACMD5 157
+#define ISCCC_ALG_HMACSHA1 161
+#define ISCCC_ALG_HMACSHA224 162
+#define ISCCC_ALG_HMACSHA256 163
+#define ISCCC_ALG_HMACSHA384 164
+#define ISCCC_ALG_HMACSHA512 165
+
/*% Maximum Datagram Package */
#define ISCCC_CC_MAXDGRAMPACKET 4096
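Review bot: The new `ISCCC_ALG_*` constants duplicate numeric values from another library's header rather than referencing it, and the one-line comment `/*% from lib/dns/include/dst/dst.h */` does not say what happens if the two drift apart or what constraints the wire format places on them. Expand it to something like `/*% Algorithm identifiers; must match the DST_ALG_* values in lib/dns/include/dst/dst.h. The hsha _auth encoding stores this value in a single byte, so new entries must be < 256. */`, since the SHA path in `isccc_cc_towire` writes the identifier with `PUT8` and `verify` compares that byte back against `algorithm`. Noting that `ISCCC_ALG_UNKNOWN` is not a valid value to pass to the towire/fromwire functions would also help callers.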
/*% Send to Wire */
isc_result_t
isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
- isccc_region_t *secret);
+ isc_uint32_t algorithm, isccc_region_t *secret);
/*% Get From Wire */
isc_result_t
isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
- isccc_region_t *secret);
+ isc_uint32_t algorithm, isccc_region_t *secret);
/*% Create Message */
isc_result_t
isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
- isc_uint32_t serial, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp);
+ isc_uint32_t serial, isccc_time_t now,
+ isccc_time_t expires, isccc_sexpr_t **alistp);
/*% Create Acknowledgment */
isc_result_t
isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
- isccc_sexpr_t **ackp);
+ isccc_sexpr_t **ackp);
/*% Is Ack? */
isc_boolean_t
/*% Create Response */
isc_result_t
isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp);
+ isccc_time_t expires, isccc_sexpr_t **alistp);
/*% Define String */
isccc_sexpr_t *
/*% Lookup uint 32 */
isc_result_t
isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
- isc_uint32_t *uintp);
+ isc_uint32_t *uintp);
/*% Create Symbol Table */
isc_result_t
/*% Check for Duplicates */
isc_result_t
isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
- isccc_time_t now);
+ isccc_time_t now);
ISC_LANG_ENDDECLS
The additions look like the following:
-key "rndc-key" { algorithm hmac-md5; secret "xxxxxxxxx=="; };
+key "rndc-key" { algorithm hmac-sha256; secret "xxxxxxxxx=="; };
controls {
inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };