From: Evan Hunt Date: Tue, 11 Mar 2014 15:46:58 +0000 (-0700) Subject: [master] auto-generate salt X-Git-Tag: v9.10.0b2~29 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=62258ada486dfe76afc3f0f3835d3a45d2d8105c;p=thirdparty%2Fbind9.git [master] auto-generate salt 3781. [func] Specifying "auto" as the salt when using "rndc signing -nsec3param" causes named to generate a 64-bit salt at random. [RT #35322] --- diff --git a/CHANGES b/CHANGES index d1a58a95ea0..084a47f62f6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +3781. [func] Specifying "auto" as the salt when using + "rndc signing -nsec3param" causes named to + generate a 64-bit salt at random. [RT #35322] + 3781. [tuning] Use adaptive mutex locks when available; this has been found to improve performance under load on many systems. "configure --with-locktype=standard" diff --git a/bin/named/server.c b/bin/named/server.c index c7dcf2fbc57..32aeb770bad 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -9265,6 +9265,40 @@ newzone_cfgctx_destroy(void **cfgp) { *cfgp = NULL; } +static isc_result_t +generate_salt(unsigned char *salt, size_t saltlen) { + int i, num_ints; + union { + unsigned char rnd[256]; + isc_uint32_t rnd32[64]; + } rnd; + unsigned char text[512 + 1]; + isc_region_t r; + isc_buffer_t buf; + + if (saltlen > 256) + return (ISC_R_RANGE); + + num_ints = (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t); + for (i = 0; i < num_ints; i++) + isc_random_get(&rnd.rnd32[i]); + + memcpy(salt, rnd.rnd, saltlen); + + r.base = rnd.rnd; + r.length = saltlen; + + isc_buffer_init(&buf, text, sizeof(text)); + isc_hex_totext(&r, 2, "", &buf); + text[saltlen * 2] = 0; + + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, + NS_LOGMODULE_SERVER, ISC_LOG_INFO, + "generated salt: %s", text); + + return (ISC_R_SUCCESS); +} + isc_result_t ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) { isc_result_t result = ISC_R_SUCCESS; @@ -9334,9 +9368,18 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) { return (ISC_R_RANGE); ptr = next_token(&args, " \t"); - if (ptr == NULL) + if (ptr == NULL) { return (ISC_R_UNEXPECTEDEND); - if (strcmp(ptr, "-") != 0) { + } else if (strcasecmp(ptr, "auto") == 0) { + /* Auto-generate a random salt. + * XXXMUKS: This currently uses the + * minimum recommended length by RFC + * 5155 (64 bits). It should be made + * configurable. + */ + saltlen = 8; + CHECK(generate_salt(salt, saltlen)); + } else if (strcmp(ptr, "-") != 0) { isc_buffer_t buf; isc_buffer_init(&buf, salt, sizeof(salt)); diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook index 6fa6a41d32f..e53159d2b6a 100644 --- a/bin/rndc/rndc.docbook +++ b/bin/rndc/rndc.docbook @@ -723,8 +723,10 @@ defines the number of additional times to apply the algorithm when generating an NSEC3 hash. The is a string of data expressed - in hexadecimal, or a hyphen (`-') if no salt is - to be used. + in hexadecimal, a hyphen (`-') if no salt is + to be used, or the keyword auto, + which causes named to generate a + random 64-bit salt. So, for example, to create an NSEC3 chain using diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 494a5c7a9a0..64e6cf662aa 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -1898,7 +1898,7 @@ ret=0 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` if [ "$salt" = "-" ]; then break; fi @@ -1910,6 +1910,39 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)" +ret=0 +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 ; do + salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + [ -n "$salt" -a "$salt" != "-" ] && break + echo "I:sleeping ...." + sleep 1 +done; +[ "$salt" != "-" ] || ret=1 +[ `expr length $salt` -eq 16 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)" +ret=0 +oldsalt=$salt +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 +$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 status > /dev/null || ret=1 +for i in 1 2 3 4 5 6 7 8 9 10 ; do + salt=`$DIG $DIGOPTS +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}'` + [ -n "$salt" -a "$salt" != "$oldsalt" ] && break + echo "I:sleeping ...." + sleep 1 +done; +[ "$salt" != "$oldsalt" ] || ret=1 +[ `expr length $salt` -eq 16 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:check rndc signing -list output ($n)" ret=0 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -list dynamic.example 2>&1 > signing.out