From 85938345f9da377e903de0e99b36eaa2a98d99c7 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 13 Mar 2013 17:53:11 -0700
Subject: [PATCH] algorithm flexibility for rndc
3525. [func] Support for additional signing algorithms in rndc:
hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
The -A option to rndc-confgen can be used to
select the algorithm for the generated key.
(The default is still hmac-md5; this may
change in a future release.) [RT #20363]
---
bin/confgen/rndc-confgen.c | 27 +-
bin/confgen/rndc-confgen.docbook | 18 +-
bin/named/controlconf.c | 22 +-
bin/rndc/rndc.c | 38 ++-
bin/rndc/rndc.conf | 4 +-
bin/rndc/rndc.conf.docbook | 16 +-
bin/rndc/rndc.docbook | 14 +-
bin/tests/system/autosign/ns1/named.conf | 2 +-
bin/tests/system/autosign/ns2/named.conf | 2 +-
bin/tests/system/autosign/ns3/named.conf | 2 +-
bin/tests/system/cacheclean/ns2/named.conf | 2 +-
bin/tests/system/common/controls.conf | 2 +-
bin/tests/system/common/rndc.conf | 2 +-
bin/tests/system/common/rndc.key | 2 +-
bin/tests/system/conf.sh.in | 1 +
bin/tests/system/database/ns1/named.conf1 | 2 +-
bin/tests/system/database/ns1/named.conf2 | 2 +-
bin/tests/system/dlv/ns5/named.conf | 4 +-
bin/tests/system/dlv/ns5/rndc.conf | 2 +-
bin/tests/system/dlvauto/ns2/named.conf | 2 +-
bin/tests/system/dlzexternal/ns1/named.conf.in | 2 +-
bin/tests/system/dnssec/ns3/named.conf | 2 +-
bin/tests/system/dnssec/ns4/named1.conf | 2 +-
bin/tests/system/dnssec/ns4/named2.conf | 2 +-
bin/tests/system/dnssec/ns4/named3.conf | 2 +-
bin/tests/system/geoip/ns2/named1.conf | 2 +-
bin/tests/system/geoip/ns2/named10.conf | 2 +-
bin/tests/system/geoip/ns2/named11.conf | 2 +-
bin/tests/system/geoip/ns2/named2.conf | 2 +-
bin/tests/system/geoip/ns2/named3.conf | 2 +-
bin/tests/system/geoip/ns2/named4.conf | 2 +-
bin/tests/system/geoip/ns2/named5.conf | 2 +-
bin/tests/system/geoip/ns2/named6.conf | 2 +-
bin/tests/system/geoip/ns2/named7.conf | 2 +-
bin/tests/system/geoip/ns2/named8.conf | 2 +-
bin/tests/system/geoip/ns2/named9.conf | 2 +-
bin/tests/system/ixfr/ns3/named.conf | 2 +-
bin/tests/system/ixfr/ns4/named.conf | 2 +-
bin/tests/system/ixfr/setup.sh | 2 +-
bin/tests/system/logfileconfig/ns1/named.dirconf | 2 +-
bin/tests/system/logfileconfig/ns1/named.pipeconf | 2 +-
bin/tests/system/logfileconfig/ns1/named.plain | 2 +-
bin/tests/system/logfileconfig/ns1/named.symconf | 2 +-
bin/tests/system/logfileconfig/ns1/rndc.conf | 2 +-
bin/tests/system/nsupdate/ns1/named.conf | 2 +-
bin/tests/system/pkcs11/ns1/named.conf | 2 +-
bin/tests/system/resolver/ns4/named.conf | 2 +-
bin/tests/system/rndc/clean.sh | 2 +
bin/tests/system/rndc/ns2/named.conf | 4 +-
bin/tests/system/rndc/ns2/secondkey.conf | 2 +-
bin/tests/system/rndc/ns3/named.conf | 4 +-
bin/tests/system/rndc/ns4/3bf305731dd26307.nta | 3 +
bin/tests/system/rndc/ns4/named.conf.in | 28 +++
bin/tests/system/rndc/setup.sh | 24 +-
bin/tests/system/rndc/tests.sh | 60 +++++
bin/tests/system/rpz/ns3/named.conf | 2 +-
bin/tests/system/rpz/ns5/named.conf | 2 +-
bin/tests/system/rrl/ns2/named.conf | 2 +-
bin/tests/system/staticstub/ns3/named.conf.in | 2 +-
bin/tests/system/stress/ns3/named.conf | 2 +-
bin/tests/system/tkey/ns1/named.conf.in | 2 +-
bin/tests/system/tsiggss/ns1/named.conf | 2 +-
bin/tests/system/views/ns3/named1.conf | 2 +-
bin/tests/system/views/ns3/named2.conf | 2 +-
bin/tests/system/xfer/ns3/named.conf | 2 +-
bin/tests/system/xfer/ns4/named.conf.base | 2 +-
lib/isccc/cc.c | 289 ++++++++++++++++++----
lib/isccc/include/isccc/cc.h | 26 +-
68 files changed, 526 insertions(+), 158 deletions(-)
create mode 100644 bin/tests/system/rndc/ns4/3bf305731dd26307.nta
create mode 100644 bin/tests/system/rndc/ns4/named.conf.in
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
|
|
|
c88997 |
index e2ac079..3fd54fe 100644
|
|
|
c88997 |
--- a/bin/confgen/rndc-confgen.c
|
|
|
c88997 |
+++ b/bin/confgen/rndc-confgen.c
|
|
|
c88997 |
@@ -57,7 +57,6 @@
|
|
|
c88997 |
#include "util.h"
|
|
|
c88997 |
#include "keygen.h"
|
|
|
c88997 |
|
|
|
c88997 |
-#define DEFAULT_KEYLENGTH 128 /*% Bits. */
|
|
|
c88997 |
#define DEFAULT_KEYNAME "rndc-key"
|
|
|
c88997 |
#define DEFAULT_SERVER "127.0.0.1"
|
|
|
c88997 |
#define DEFAULT_PORT 953
|
|
|
c88997 |
@@ -80,7 +79,8 @@ Usage:\n\
|
|
|
c88997 |
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
|
|
|
c88997 |
[-s addr] [-t chrootdir] [-u user]\n\
|
|
|
c88997 |
-a: generate just the key clause and write it to keyfile (%s)\n\
|
|
|
c88997 |
- -b bits: from 1 through 512, default %d; total length of the secret\n\
|
|
|
c88997 |
+ -A alg: algorithm (default hmac-md5)\n\
|
|
|
c88997 |
+ -b bits: from 1 through 512, default 256; total length of the secret\n\
|
|
|
c88997 |
-c keyfile: specify an alternate key file (requires -a)\n\
|
|
|
c88997 |
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
|
|
|
c88997 |
-p port: the port named will listen on and rndc will connect to\n\
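Review bot: The rewritten `-b` help line hard-codes `default 256`, but the line above it says the default algorithm is hmac-md5, and the later hunk in this file computes the default as `if (keysize < 0) keysize = alg_bits(alg);`. If alg_bits() returns the digest length, as the rndc-confgen docbook in this patch states ("the default is the hash size"), an hmac-md5 key defaults to 128 bits, so the usage text is wrong for the very case it advertises as default; the removed `DEFAULT_KEYLENGTH` placeholder was at least accurate. Suggest `-b bits: from 1 through 512; default is the hash size of the algorithm\n\` so the two lines cannot drift apart again. usage() begins before this hunk.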
|
|
|
c88997 |
@@ -88,7 +88,7 @@ Usage:\n\
|
|
|
c88997 |
-s addr: the address to which rndc should connect\n\
|
|
|
c88997 |
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
|
|
|
c88997 |
-u user: set the keyfile owner to \"user\" (requires -a)\n",
|
|
|
c88997 |
- progname, keydef, DEFAULT_KEYLENGTH);
|
|
|
c88997 |
+ progname, keydef);
|
|
|
c88997 |
|
|
|
c88997 |
exit (status);
|
|
|
c88997 |
}
|
|
|
c88997 |
@@ -103,12 +103,12 @@ main(int argc, char **argv) {
|
|
|
c88997 |
const char *keyname = NULL;
|
|
|
c88997 |
const char *randomfile = NULL;
|
|
|
c88997 |
const char *serveraddr = NULL;
|
|
|
c88997 |
- dns_secalg_t alg = DST_ALG_HMACMD5;
|
|
|
c88997 |
- const char *algname = alg_totext(alg);
|
|
|
c88997 |
+ dns_secalg_t alg;
|
|
|
c88997 |
+ const char *algname;
|
|
|
c88997 |
char *p;
|
|
|
c88997 |
int ch;
|
|
|
c88997 |
int port;
|
|
|
c88997 |
- int keysize;
|
|
|
c88997 |
+ int keysize = -1;
|
|
|
c88997 |
struct in_addr addr4_dummy;
|
|
|
c88997 |
struct in6_addr addr6_dummy;
|
|
|
c88997 |
char *chrootdir = NULL;
|
|
|
c88997 |
@@ -124,18 +124,25 @@ main(int argc, char **argv) {
|
|
|
c88997 |
progname = program;
|
|
|
c88997 |
|
|
|
c88997 |
keyname = DEFAULT_KEYNAME;
|
|
|
c88997 |
- keysize = DEFAULT_KEYLENGTH;
|
|
|
c88997 |
+ alg = DST_ALG_HMACMD5;
|
|
|
c88997 |
serveraddr = DEFAULT_SERVER;
|
|
|
c88997 |
port = DEFAULT_PORT;
|
|
|
c88997 |
|
|
|
c88997 |
isc_commandline_errprint = ISC_FALSE;
|
|
|
c88997 |
|
|
|
c88997 |
while ((ch = isc_commandline_parse(argc, argv,
|
|
|
c88997 |
- "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
|
|
|
c88997 |
+ "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
|
|
|
c88997 |
+ {
|
|
|
c88997 |
switch (ch) {
|
|
|
c88997 |
case 'a':
|
|
|
c88997 |
keyonly = ISC_TRUE;
|
|
|
c88997 |
break;
|
|
|
c88997 |
+ case 'A':
|
|
|
c88997 |
+ algname = isc_commandline_argument;
|
|
|
c88997 |
+ alg = alg_fromtext(algname);
|
|
|
c88997 |
+ if (alg == DST_ALG_UNKNOWN)
|
|
|
c88997 |
+ fatal("Unsupported algorithm '%s'", algname);
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
case 'b':
|
|
|
c88997 |
keysize = strtol(isc_commandline_argument, &p, 10);
|
|
|
c88997 |
if (*p != '\0' || keysize < 0)
|
|
|
c88997 |
@@ -203,6 +210,10 @@ main(int argc, char **argv) {
|
|
|
c88997 |
if (argc > 0)
|
|
|
c88997 |
usage(1);
|
|
|
c88997 |
|
|
|
c88997 |
+ if (keysize < 0)
|
|
|
c88997 |
+ keysize = alg_bits(alg);
|
|
|
c88997 |
+ algname = alg_totext(alg);
|
|
|
c88997 |
+
|
|
|
c88997 |
DO("create memory context", isc_mem_create(0, 0, &mctx));
|
|
|
c88997 |
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
|
|
|
c88997 |
|
|
|
c88997 |
diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
|
|
|
c88997 |
index af2cc43..f367b94 100644
|
|
|
c88997 |
--- a/bin/confgen/rndc-confgen.docbook
|
|
|
c88997 |
+++ b/bin/confgen/rndc-confgen.docbook
|
|
|
c88997 |
@@ -1,6 +1,6 @@
|
|
|
c88997 |
|
|
|
c88997 |
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
|
|
c88997 |
- []>
|
|
|
c88997 |
+ []>
|
|
|
c88997 |
|
|
|
c88997 |
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
|
|
|
c88997 |
- Copyright (C) 2001, 2003 Internet Software Consortium.
|
|
|
c88997 |
@@ -41,6 +41,7 @@
|
|
|
c88997 |
<year>2005</year>
|
|
|
c88997 |
<year>2007</year>
|
|
|
c88997 |
<year>2009</year>
|
|
|
c88997 |
+ <year>2013</year>
|
|
|
c88997 |
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
|
|
c88997 |
</copyright>
|
|
|
c88997 |
<copyright>
|
|
|
c88997 |
@@ -54,6 +55,7 @@
|
|
|
c88997 |
<cmdsynopsis>
|
|
|
c88997 |
<command>rndc-confgen</command>
|
|
|
c88997 |
<arg><option>-a</option></arg>
|
|
|
c88997 |
+ <arg><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
|
|
|
c88997 |
<arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
|
|
|
c88997 |
<arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
|
|
|
c88997 |
<arg><option>-h</option></arg>
|
|
|
c88997 |
@@ -129,11 +131,23 @@
|
|
|
c88997 |
</varlistentry>
|
|
|
c88997 |
|
|
|
c88997 |
<varlistentry>
|
|
|
c88997 |
+ <term>-A <replaceable class="parameter">algorithm</replaceable></term>
|
|
|
c88997 |
+ <listitem>
|
|
|
c88997 |
+ <para>
|
|
|
c88997 |
+ Specifies the algorithm to use for the TSIG key. Available
|
|
|
c88997 |
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
|
|
|
c88997 |
+ hmac-sha384 and hmac-sha512. The default is hmac-md5.
|
|
|
c88997 |
+ </para>
|
|
|
c88997 |
+ </listitem>
|
|
|
c88997 |
+ </varlistentry>
|
|
|
c88997 |
+
|
|
|
c88997 |
+ <varlistentry>
|
|
|
c88997 |
<term>-b <replaceable class="parameter">keysize</replaceable></term>
|
|
|
c88997 |
<listitem>
|
|
|
c88997 |
<para>
|
|
|
c88997 |
Specifies the size of the authentication key in bits.
|
|
|
c88997 |
- Must be between 1 and 512 bits; the default is 128.
|
|
|
c88997 |
+ Must be between 1 and 512 bits; the default is the
|
|
|
c88997 |
+ hash size.
|
|
|
c88997 |
</para>
|
|
|
c88997 |
</listitem>
|
|
|
c88997 |
</varlistentry>
|
|
|
c88997 |
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
|
|
|
c88997 |
index ef32790..b4176c9 100644
|
|
|
c88997 |
--- a/bin/named/controlconf.c
|
|
|
c88997 |
+++ b/bin/named/controlconf.c
|
|
|
c88997 |
@@ -71,6 +71,7 @@ typedef ISC_LIST(controllistener_t) controllistenerlist_t;
|
|
|
c88997 |
|
|
|
c88997 |
struct controlkey {
|
|
|
c88997 |
char * keyname;
|
|
|
c88997 |
+ isc_uint32_t algorithm;
|
|
|
c88997 |
isc_region_t secret;
|
|
|
c88997 |
ISC_LINK(controlkey_t) link;
|
|
|
c88997 |
};
|
|
|
c88997 |
@@ -325,6 +326,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
isccc_sexpr_t *request = NULL;
|
|
|
c88997 |
isccc_sexpr_t *response = NULL;
|
|
|
c88997 |
isccc_region_t ccregion;
|
|
|
c88997 |
+ isc_uint32_t algorithm;
|
|
|
c88997 |
isccc_region_t secret;
|
|
|
c88997 |
isc_stdtime_t now;
|
|
|
c88997 |
isc_buffer_t b;
|
|
|
c88997 |
@@ -343,6 +345,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
|
|
|
c88997 |
conn = event->ev_arg;
|
|
|
c88997 |
listener = conn->listener;
|
|
|
c88997 |
+ algorithm = DST_ALG_UNKNOWN;
|
|
|
c88997 |
secret.rstart = NULL;
|
|
|
c88997 |
|
|
|
c88997 |
/* Is the server shutting down? */
|
|
|
c88997 |
@@ -369,7 +372,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
goto cleanup;
|
|
|
c88997 |
memcpy(secret.rstart, key->secret.base, key->secret.length);
|
|
|
c88997 |
secret.rend = secret.rstart + key->secret.length;
|
|
|
c88997 |
- result = isccc_cc_fromwire(&ccregion, &request, &secret);
|
|
|
c88997 |
+ algorithm = key->algorithm;
|
|
|
c88997 |
+ result = isccc_cc_fromwire(&ccregion, &request,
|
|
|
c88997 |
+ algorithm, &secret);
|
|
|
c88997 |
if (result == ISC_R_SUCCESS)
|
|
|
c88997 |
break;
|
|
|
c88997 |
isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
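Review bot: `algorithm = key->algorithm;` hands isccc_cc_fromwire() the `unsigned int` that ns_config_getkeyalgorithm2() produced and that this file initialises to `DST_ALG_UNKNOWN`, while rndc.c feeds the same parameter with `ISCCC_ALG_HMAC*` constants. Verification between named and rndc therefore relies on the DST_ALG_* and ISCCC_ALG_* numbering being identical, and nothing in the patch states or asserts that. A comment on this line, `/* DST_ALG_HMAC* must equal the ISCCC_ALG_* values lib/isccc expects */`, or a single conversion helper used by both binaries would make the coupling explicit. lib/isccc/cc.c is not in this chunk, so I could not confirm that verification also rejects a message whose `_auth` entry names a different algorithm than the key's; that is worth checking rather than assuming. control_recvmessage() starts and ends outside this hunk.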
|
|
|
c88997 |
@@ -480,7 +485,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
|
|
|
c88997 |
ccregion.rstart = conn->buffer + 4;
|
|
|
c88997 |
ccregion.rend = conn->buffer + sizeof(conn->buffer);
|
|
|
c88997 |
- result = isccc_cc_towire(response, &ccregion, &secret);
|
|
|
c88997 |
+ result = isccc_cc_towire(response, &ccregion, algorithm, &secret);
|
|
|
c88997 |
if (result != ISC_R_SUCCESS)
|
|
|
c88997 |
goto cleanup_response;
|
|
|
c88997 |
isc_buffer_init(&b, conn->buffer, 4);
|
|
|
c88997 |
@@ -693,6 +698,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
|
|
|
c88997 |
if (key == NULL)
|
|
|
c88997 |
goto cleanup;
|
|
|
c88997 |
key->keyname = newstr;
|
|
|
c88997 |
+ key->algorithm = DST_ALG_UNKNOWN;
|
|
|
c88997 |
key->secret.base = NULL;
|
|
|
c88997 |
key->secret.length = 0;
|
|
|
c88997 |
ISC_LINK_INIT(key, link);
|
|
|
c88997 |
@@ -737,6 +743,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
|
|
|
c88997 |
const cfg_obj_t *secretobj = NULL;
|
|
|
c88997 |
const char *algstr = NULL;
|
|
|
c88997 |
const char *secretstr = NULL;
|
|
|
c88997 |
+ unsigned int algtype;
|
|
|
c88997 |
|
|
|
c88997 |
(void)cfg_map_get(keydef, "algorithm", &algobj);
|
|
|
c88997 |
(void)cfg_map_get(keydef, "secret", &secretobj);
|
|
|
c88997 |
@@ -745,8 +752,8 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
|
|
|
c88997 |
algstr = cfg_obj_asstring(algobj);
|
|
|
c88997 |
secretstr = cfg_obj_asstring(secretobj);
|
|
|
c88997 |
|
|
|
c88997 |
- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
|
|
|
c88997 |
- ISC_R_SUCCESS)
|
|
|
c88997 |
+ if (ns_config_getkeyalgorithm2(algstr, NULL,
|
|
|
c88997 |
+ &algtype, NULL) != ISC_R_SUCCESS)
|
|
|
c88997 |
{
|
|
|
c88997 |
cfg_obj_log(control, ns_g_lctx,
|
|
|
c88997 |
ISC_LOG_WARNING,
|
|
|
c88997 |
@@ -759,6 +766,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
|
|
|
c88997 |
continue;
|
|
|
c88997 |
}
|
|
|
c88997 |
|
|
|
c88997 |
+ keyid->algorithm = algtype;
|
|
|
c88997 |
isc_buffer_init(&b, secret, sizeof(secret));
|
|
|
c88997 |
result = isc_base64_decodestring(secretstr, &b);
|
|
|
c88997 |
|
|
|
c88997 |
@@ -809,6 +817,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
|
|
|
c88997 |
const char *secretstr = NULL;
|
|
|
c88997 |
controlkey_t *keyid = NULL;
|
|
|
c88997 |
char secret[1024];
|
|
|
c88997 |
+ unsigned int algtype;
|
|
|
c88997 |
isc_buffer_t b;
|
|
|
c88997 |
|
|
|
c88997 |
CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
|
|
|
c88997 |
@@ -822,6 +831,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
|
|
|
c88997 |
cfg_obj_asstring(cfg_map_getname(key)));
|
|
|
c88997 |
keyid->secret.base = NULL;
|
|
|
c88997 |
keyid->secret.length = 0;
|
|
|
c88997 |
+ keyid->algorithm = DST_ALG_UNKNOWN;
|
|
|
c88997 |
ISC_LINK_INIT(keyid, link);
|
|
|
c88997 |
if (keyid->keyname == NULL)
|
|
|
c88997 |
CHECK(ISC_R_NOMEMORY);
|
|
|
c88997 |
@@ -835,7 +845,8 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
|
|
|
c88997 |
algstr = cfg_obj_asstring(algobj);
|
|
|
c88997 |
secretstr = cfg_obj_asstring(secretobj);
|
|
|
c88997 |
|
|
|
c88997 |
- if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
|
|
|
c88997 |
+ if (ns_config_getkeyalgorithm2(algstr, NULL,
|
|
|
c88997 |
+ &algtype, NULL) != ISC_R_SUCCESS) {
|
|
|
c88997 |
cfg_obj_log(key, ns_g_lctx,
|
|
|
c88997 |
ISC_LOG_WARNING,
|
|
|
c88997 |
"unsupported algorithm '%s' in "
|
|
|
c88997 |
@@ -845,6 +856,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
|
|
|
c88997 |
goto cleanup;
|
|
|
c88997 |
}
|
|
|
c88997 |
|
|
|
c88997 |
+ keyid->algorithm = algtype;
|
|
|
c88997 |
isc_buffer_init(&b, secret, sizeof(secret));
|
|
|
c88997 |
result = isc_base64_decodestring(secretstr, &b);
|
|
|
c88997 |
|
|
|
c88997 |
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
|
|
|
c88997 |
index be198b1..c67223b 100644
|
|
|
c88997 |
--- a/bin/rndc/rndc.c
|
|
|
c88997 |
+++ b/bin/rndc/rndc.c
|
|
|
c88997 |
@@ -77,6 +77,7 @@ static unsigned int remoteport = 0;
|
|
|
c88997 |
static isc_socketmgr_t *socketmgr = NULL;
|
|
|
c88997 |
static unsigned char databuf[2048];
|
|
|
c88997 |
static isccc_ccmsg_t ccmsg;
|
|
|
c88997 |
+static isc_uint32_t algorithm;
|
|
|
c88997 |
static isccc_region_t secret;
|
|
|
c88997 |
static isc_boolean_t failed = ISC_FALSE;
|
|
|
c88997 |
static isc_boolean_t c_flag = ISC_FALSE;
|
|
|
c88997 |
@@ -250,7 +251,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
source.rstart = isc_buffer_base(&ccmsg.buffer);
|
|
|
c88997 |
source.rend = isc_buffer_used(&ccmsg.buffer);
|
|
|
c88997 |
|
|
|
c88997 |
- DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
|
|
|
c88997 |
+ DO("parse message",
|
|
|
c88997 |
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
|
|
|
c88997 |
|
|
|
c88997 |
data = isccc_alist_lookup(response, "_data");
|
|
|
c88997 |
if (!isccc_alist_alistp(data))
|
|
|
c88997 |
@@ -305,7 +307,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
"* the remote server is using an older version of"
|
|
|
c88997 |
" the command protocol,\n"
|
|
|
c88997 |
"* this host is not authorized to connect,\n"
|
|
|
c88997 |
- "* the clocks are not synchronized, or\n"
|
|
|
c88997 |
+ "* the clocks are not synchronized,\n"
|
|
|
c88997 |
+ "* the the key signing algorithm is incorrect, or\n"
|
|
|
c88997 |
"* the key is invalid.");
|
|
|
c88997 |
|
|
|
c88997 |
if (ccmsg.result != ISC_R_SUCCESS)
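Review bot: The new diagnostic string contains a doubled word: `"* the the key signing algorithm is incorrect, or\n"`. Change it to `"* the key signing algorithm is incorrect, or\n"` before it ships in a user-facing error. rndc_recvnonce() begins before this hunk and continues after it.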
|
|
|
c88997 |
@@ -314,7 +317,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
source.rstart = isc_buffer_base(&ccmsg.buffer);
|
|
|
c88997 |
source.rend = isc_buffer_used(&ccmsg.buffer);
|
|
|
c88997 |
|
|
|
c88997 |
- DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
|
|
|
c88997 |
+ DO("parse message",
|
|
|
c88997 |
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
|
|
|
c88997 |
|
|
|
c88997 |
_ctrl = isccc_alist_lookup(response, "_ctrl");
|
|
|
c88997 |
if (!isccc_alist_alistp(_ctrl))
|
|
|
c88997 |
@@ -341,7 +345,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
}
|
|
|
c88997 |
message.rstart = databuf + 4;
|
|
|
c88997 |
message.rend = databuf + sizeof(databuf);
|
|
|
c88997 |
- DO("render message", isccc_cc_towire(request, &message, &secret));
|
|
|
c88997 |
+ DO("render message",
|
|
|
c88997 |
+ isccc_cc_towire(request, &message, algorithm, &secret));
|
|
|
c88997 |
len = sizeof(databuf) - REGION_SIZE(message);
|
|
|
c88997 |
isc_buffer_init(&b, databuf, 4);
|
|
|
c88997 |
isc_buffer_putuint32(&b, len - 4);
|
|
|
c88997 |
@@ -403,7 +408,8 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
|
|
|
c88997 |
fatal("out of memory");
|
|
|
c88997 |
message.rstart = databuf + 4;
|
|
|
c88997 |
message.rend = databuf + sizeof(databuf);
|
|
|
c88997 |
- DO("render message", isccc_cc_towire(request, &message, &secret));
|
|
|
c88997 |
+ DO("render message",
|
|
|
c88997 |
+ isccc_cc_towire(request, &message, algorithm, &secret));
|
|
|
c88997 |
len = sizeof(databuf) - REGION_SIZE(message);
|
|
|
c88997 |
isc_buffer_init(&b, databuf, 4);
|
|
|
c88997 |
isc_buffer_putuint32(&b, len - 4);
|
|
|
c88997 |
@@ -483,7 +489,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
|
|
|
c88997 |
const cfg_obj_t *address = NULL;
|
|
|
c88997 |
const cfg_listelt_t *elt;
|
|
|
c88997 |
const char *secretstr;
|
|
|
c88997 |
- const char *algorithm;
|
|
|
c88997 |
+ const char *algorithmstr;
|
|
|
c88997 |
static char secretarray[1024];
|
|
|
c88997 |
const cfg_type_t *conftype = &cfg_type_rndcconf;
|
|
|
c88997 |
isc_boolean_t key_only = ISC_FALSE;
|
|
|
c88997 |
@@ -587,10 +593,22 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
|
|
|
c88997 |
fatal("key must have algorithm and secret");
|
|
|
c88997 |
|
|
|
c88997 |
secretstr = cfg_obj_asstring(secretobj);
|
|
|
c88997 |
- algorithm = cfg_obj_asstring(algorithmobj);
|
|
|
c88997 |
-
|
|
|
c88997 |
- if (strcasecmp(algorithm, "hmac-md5") != 0)
|
|
|
c88997 |
- fatal("unsupported algorithm: %s", algorithm);
|
|
|
c88997 |
+ algorithmstr = cfg_obj_asstring(algorithmobj);
|
|
|
c88997 |
+
|
|
|
c88997 |
+ if (strcasecmp(algorithmstr, "hmac-md5") == 0)
|
|
|
c88997 |
+ algorithm = ISCCC_ALG_HMACMD5;
|
|
|
c88997 |
+ else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
|
|
|
c88997 |
+ algorithm = ISCCC_ALG_HMACSHA1;
|
|
|
c88997 |
+ else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
|
|
|
c88997 |
+ algorithm = ISCCC_ALG_HMACSHA224;
|
|
|
c88997 |
+ else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
|
|
|
c88997 |
+ algorithm = ISCCC_ALG_HMACSHA256;
|
|
|
c88997 |
+ else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
|
|
|
c88997 |
+ algorithm = ISCCC_ALG_HMACSHA384;
|
|
|
c88997 |
+ else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
|
|
|
c88997 |
+ algorithm = ISCCC_ALG_HMACSHA512;
|
|
|
c88997 |
+ else
|
|
|
c88997 |
+ fatal("unsupported algorithm: %s", algorithmstr);
|
|
|
c88997 |
|
|
|
c88997 |
secret.rstart = (unsigned char *)secretarray;
|
|
|
c88997 |
secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
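Review bot: The six-branch strcasecmp() ladder re-spells an algorithm list that rndc-confgen already resolves through alg_fromtext() and named through ns_config_getkeyalgorithm2(), so the next algorithm needs three parallel edits and the lists can silently diverge. Within this file a static name/identifier table keeps the mapping in one place, reads as data rather than control flow, and gives a natural home for a comment that these ISCCC_ALG_* values must agree with the DST_ALG_* numbers named uses. The loop index `i` would be declared with the other locals as `unsigned int i;`. parse_config() starts before this hunk and continues after it.

```c
/* at file scope, beside the other statics */
static const struct {
	const char *name;
	isc_uint32_t alg;
} algnames[] = {
	{ "hmac-md5",    ISCCC_ALG_HMACMD5 },
	{ "hmac-sha1",   ISCCC_ALG_HMACSHA1 },
	{ "hmac-sha224", ISCCC_ALG_HMACSHA224 },
	{ "hmac-sha256", ISCCC_ALG_HMACSHA256 },
	{ "hmac-sha384", ISCCC_ALG_HMACSHA384 },
	{ "hmac-sha512", ISCCC_ALG_HMACSHA512 },
};

/* … unchanged: parse_config() up to the "key must have algorithm and secret" check … */
	algorithmstr = cfg_obj_asstring(algorithmobj);

	for (i = 0; i < sizeof(algnames) / sizeof(algnames[0]); i++)
		if (strcasecmp(algorithmstr, algnames[i].name) == 0)
			break;
	if (i == sizeof(algnames) / sizeof(algnames[0]))
		fatal("unsupported algorithm: %s", algorithmstr);
	algorithm = algnames[i].alg;

/* … unchanged: secret region setup and base64 decoding … */
```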
|
|
|
c88997 |
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
|
|
|
c88997 |
index 67542b9..c463b96 100644
|
|
|
c88997 |
--- a/bin/rndc/rndc.conf
|
|
|
c88997 |
+++ b/bin/rndc/rndc.conf
|
|
|
c88997 |
@@ -31,7 +31,7 @@ server localhost {
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "34f88008d07deabbe65bd01f1d233d47";
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
@@ -42,6 +42,6 @@ server "test1" {
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key "key" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
|
|
c88997 |
};
|
|
|
c88997 |
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
|
|
|
c88997 |
index 9de1995..5753378 100644
|
|
|
c88997 |
--- a/bin/rndc/rndc.conf.docbook
|
|
|
c88997 |
+++ b/bin/rndc/rndc.conf.docbook
|
|
|
c88997 |
@@ -40,6 +40,7 @@
|
|
|
c88997 |
<year>2004</year>
|
|
|
c88997 |
<year>2005</year>
|
|
|
c88997 |
<year>2007</year>
|
|
|
c88997 |
+ <year>2013</year>
|
|
|
c88997 |
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
|
|
c88997 |
</copyright>
|
|
|
c88997 |
<copyright>
|
|
|
c88997 |
@@ -119,11 +120,12 @@
|
|
|
c88997 |
<para>
|
|
|
c88997 |
The <option>key</option> statement begins with an identifying
|
|
|
c88997 |
string, the name of the key. The statement has two clauses.
|
|
|
c88997 |
- <option>algorithm</option> identifies the encryption algorithm
|
|
|
c88997 |
+ <option>algorithm</option> identifies the authentication algorithm
|
|
|
c88997 |
for <command>rndc</command> to use; currently only HMAC-MD5
|
|
|
c88997 |
- is
|
|
|
c88997 |
+ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
|
|
|
c88997 |
+ (default), HMAC-SHA384 and HMAC-SHA512 are
|
|
|
c88997 |
supported. This is followed by a secret clause which contains
|
|
|
c88997 |
- the base-64 encoding of the algorithm's encryption key. The
|
|
|
c88997 |
+ the base-64 encoding of the algorithm's authentication key. The
|
|
|
c88997 |
base-64 string is enclosed in double quotes.
|
|
|
c88997 |
</para>
|
|
|
c88997 |
<para>
|
|
|
c88997 |
@@ -166,14 +168,14 @@
|
|
|
c88997 |
</para>
|
|
|
c88997 |
<para><programlisting>
|
|
|
c88997 |
key samplekey {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
|
|
|
c88997 |
};
|
|
|
c88997 |
</programlisting>
|
|
|
c88997 |
</para>
|
|
|
c88997 |
<para><programlisting>
|
|
|
c88997 |
key testkey {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
|
|
|
c88997 |
};
|
|
|
c88997 |
</programlisting>
|
|
|
c88997 |
@@ -186,8 +188,8 @@
|
|
|
c88997 |
Commands to the localhost server will use the samplekey key, which
|
|
|
c88997 |
must also be defined in the server's configuration file with the
|
|
|
c88997 |
same name and secret. The key statement indicates that samplekey
|
|
|
c88997 |
- uses the HMAC-MD5 algorithm and its secret clause contains the
|
|
|
c88997 |
- base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
|
|
|
c88997 |
+ uses the HMAC-SHA256 algorithm and its secret clause contains the
|
|
|
c88997 |
+ base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
|
|
|
c88997 |
</para>
|
|
|
c88997 |
<para>
|
|
|
c88997 |
If <command>rndc -s testserver</command> is used then <command>rndc</command> will
|
|
|
c88997 |
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
|
|
|
c88997 |
index 27645b5..5f97749 100644
|
|
|
c88997 |
--- a/bin/rndc/rndc.docbook
|
|
|
c88997 |
+++ b/bin/rndc/rndc.docbook
|
|
|
c88997 |
@@ -76,12 +76,14 @@
|
|
|
c88997 |
arguments.
|
|
|
c88997 |
</para>
|
|
|
c88997 |
<para><command>rndc</command>
|
|
|
c88997 |
- communicates with the name server
|
|
|
c88997 |
- over a TCP connection, sending commands authenticated with
|
|
|
c88997 |
- digital signatures. In the current versions of
|
|
|
c88997 |
+ communicates with the name server over a TCP connection, sending
|
|
|
c88997 |
+ commands authenticated with digital signatures. In the current
|
|
|
c88997 |
+ versions of
|
|
|
c88997 |
<command>rndc</command> and <command>named</command>,
|
|
|
c88997 |
- the only supported authentication algorithm is HMAC-MD5,
|
|
|
c88997 |
- which uses a shared secret on each end of the connection.
|
|
|
c88997 |
+ the only supported authentication algorithms are HMAC-MD5
|
|
|
c88997 |
+ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
|
|
|
c88997 |
+ (default), HMAC-SHA384 and HMAC-SHA512.
|
|
|
c88997 |
+ They use a shared secret on each end of the connection.
|
|
|
c88997 |
This provides TSIG-style authentication for the command
|
|
|
c88997 |
request and the name server's response. All commands sent
|
|
|
c88997 |
over the channel must be signed by a key_id known to the
|
|
|
c88997 |
@@ -145,7 +147,7 @@
|
|
|
c88997 |
<command>rndc</command>. If no server is supplied on the
|
|
|
c88997 |
command line, the host named by the default-server clause
|
|
|
c88997 |
in the options statement of the <command>rndc</command>
|
|
|
c88997 |
- configuration file will be used.
|
|
|
c88997 |
+ configuration file will be used.
|
|
|
c88997 |
</para>
|
|
|
c88997 |
</listitem>
|
|
|
c88997 |
</varlistentry>
|
|
|
c88997 |
diff --git a/bin/tests/system/autosign/ns1/named.conf b/bin/tests/system/autosign/ns1/named.conf
|
|
|
c88997 |
index 2fbe62f..e67c4e4 100644
|
|
|
c88997 |
--- a/bin/tests/system/autosign/ns1/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/autosign/ns1/named.conf
|
|
|
c88997 |
@@ -36,7 +36,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/autosign/ns2/named.conf b/bin/tests/system/autosign/ns2/named.conf
|
|
|
c88997 |
index 5e9ad8f..826bb91 100644
|
|
|
c88997 |
--- a/bin/tests/system/autosign/ns2/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/autosign/ns2/named.conf
|
|
|
c88997 |
@@ -37,7 +37,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
|
|
|
c88997 |
index 542a81e..89b7ece 100644
|
|
|
c88997 |
--- a/bin/tests/system/autosign/ns3/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/autosign/ns3/named.conf
|
|
|
c88997 |
@@ -39,7 +39,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/cacheclean/ns2/named.conf b/bin/tests/system/cacheclean/ns2/named.conf
|
|
|
c88997 |
index cb675d2..6f0fba0 100644
|
|
|
c88997 |
--- a/bin/tests/system/cacheclean/ns2/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/cacheclean/ns2/named.conf
|
|
|
c88997 |
@@ -34,7 +34,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/common/controls.conf b/bin/tests/system/common/controls.conf
|
|
|
c88997 |
index b5d619e..b9b6311 100644
|
|
|
c88997 |
--- a/bin/tests/system/common/controls.conf
|
|
|
c88997 |
+++ b/bin/tests/system/common/controls.conf
|
|
|
c88997 |
@@ -19,7 +19,7 @@
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf
|
|
|
c88997 |
index 3704ae7..5661b26 100644
|
|
|
c88997 |
--- a/bin/tests/system/common/rndc.conf
|
|
|
c88997 |
+++ b/bin/tests/system/common/rndc.conf
|
|
|
c88997 |
@@ -22,6 +22,6 @@ options {
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
};
|
|
|
c88997 |
diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key
|
|
|
c88997 |
index 1239e93..d5a7a9f 100644
|
|
|
c88997 |
--- a/bin/tests/system/common/rndc.key
|
|
|
c88997 |
+++ b/bin/tests/system/common/rndc.key
|
|
|
c88997 |
@@ -18,5 +18,5 @@
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
|
|
c88997 |
index 49c5686..2bd42f9 100644
|
|
|
c88997 |
--- a/bin/tests/system/conf.sh.in
|
|
|
c88997 |
+++ b/bin/tests/system/conf.sh.in
|
|
|
c88997 |
@@ -36,6 +36,7 @@ DIG=$TOP/bin/dig/dig
|
|
|
c88997 |
RNDC=$TOP/bin/rndc/rndc
|
|
|
c88997 |
NSUPDATE=$TOP/bin/nsupdate/nsupdate
|
|
|
c88997 |
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
|
|
|
c88997 |
+RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
|
|
|
c88997 |
KEYGEN=$TOP/bin/dnssec/dnssec-keygen
|
|
|
c88997 |
KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
|
|
|
c88997 |
SIGNER=$TOP/bin/dnssec/dnssec-signzone
|
|
|
c88997 |
diff --git a/bin/tests/system/database/ns1/named.conf1 b/bin/tests/system/database/ns1/named.conf1
|
|
|
c88997 |
index 08dedc8..9270d56 100644
|
|
|
c88997 |
--- a/bin/tests/system/database/ns1/named.conf1
|
|
|
c88997 |
+++ b/bin/tests/system/database/ns1/named.conf1
|
|
|
c88997 |
@@ -20,7 +20,7 @@
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/database/ns1/named.conf2 b/bin/tests/system/database/ns1/named.conf2
|
|
|
c88997 |
index c79bf9b..ed1bdfb 100644
|
|
|
c88997 |
--- a/bin/tests/system/database/ns1/named.conf2
|
|
|
c88997 |
+++ b/bin/tests/system/database/ns1/named.conf2
|
|
|
c88997 |
@@ -20,7 +20,7 @@
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
|
|
|
c88997 |
index d886331..954fb37 100644
|
|
|
c88997 |
--- a/bin/tests/system/dlv/ns5/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/dlv/ns5/named.conf
|
|
|
c88997 |
@@ -23,7 +23,7 @@
|
|
|
c88997 |
*
|
|
|
c88997 |
* e.g.
|
|
|
c88997 |
* key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
|
|
|
c88997 |
- * algorithm hmac-md5;
|
|
|
c88997 |
+ * algorithm hmac-sha256;
|
|
|
c88997 |
* secret "34f88008d07deabbe65bd01f1d233d47";
|
|
|
c88997 |
* };
|
|
|
c88997 |
*
|
|
|
c88997 |
@@ -36,7 +36,7 @@
|
|
|
c88997 |
*/
|
|
|
c88997 |
|
|
|
c88997 |
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "34f88008d07deabbe65bd01f1d233d47";
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
diff --git a/bin/tests/system/dlv/ns5/rndc.conf b/bin/tests/system/dlv/ns5/rndc.conf
|
|
|
c88997 |
index 958ee98..ecc29b3 100644
|
|
|
c88997 |
--- a/bin/tests/system/dlv/ns5/rndc.conf
|
|
|
c88997 |
+++ b/bin/tests/system/dlv/ns5/rndc.conf
|
|
|
c88997 |
@@ -17,7 +17,7 @@
|
|
|
c88997 |
/* $Id: rndc.conf,v 1.5 2007/06/19 23:47:02 tbox Exp $ */
|
|
|
c88997 |
|
|
|
c88997 |
key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "34f88008d07deabbe65bd01f1d233d47";
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
diff --git a/bin/tests/system/dlvauto/ns2/named.conf b/bin/tests/system/dlvauto/ns2/named.conf
|
|
|
c88997 |
index a7b86d0..fce5d85 100644
|
|
|
c88997 |
--- a/bin/tests/system/dlvauto/ns2/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/dlvauto/ns2/named.conf
|
|
|
c88997 |
@@ -37,7 +37,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in
|
|
|
c88997 |
index 6577761..01a4a3b 100644
|
|
|
c88997 |
--- a/bin/tests/system/dlzexternal/ns1/named.conf.in
|
|
|
c88997 |
+++ b/bin/tests/system/dlzexternal/ns1/named.conf.in
|
|
|
c88997 |
@@ -33,7 +33,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
include "ddns.key";
|
|
|
c88997 |
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
|
|
|
c88997 |
index 37d23c1..6ef21b3 100644
|
|
|
c88997 |
--- a/bin/tests/system/dnssec/ns3/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/dnssec/ns3/named.conf
|
|
|
c88997 |
@@ -38,7 +38,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/dnssec/ns4/named1.conf b/bin/tests/system/dnssec/ns4/named1.conf
|
|
|
c88997 |
index 432d3f6..542266f 100644
|
|
|
c88997 |
--- a/bin/tests/system/dnssec/ns4/named1.conf
|
|
|
c88997 |
+++ b/bin/tests/system/dnssec/ns4/named1.conf
|
|
|
c88997 |
@@ -47,7 +47,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/dnssec/ns4/named2.conf b/bin/tests/system/dnssec/ns4/named2.conf
|
|
|
c88997 |
index cc395be..f7e812c 100644
|
|
|
c88997 |
--- a/bin/tests/system/dnssec/ns4/named2.conf
|
|
|
c88997 |
+++ b/bin/tests/system/dnssec/ns4/named2.conf
|
|
|
c88997 |
@@ -37,7 +37,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/dnssec/ns4/named3.conf b/bin/tests/system/dnssec/ns4/named3.conf
|
|
|
c88997 |
index 2d40740..d391aac 100644
|
|
|
c88997 |
--- a/bin/tests/system/dnssec/ns4/named3.conf
|
|
|
c88997 |
+++ b/bin/tests/system/dnssec/ns4/named3.conf
|
|
|
c88997 |
@@ -38,7 +38,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named1.conf b/bin/tests/system/geoip/ns2/named1.conf
|
|
|
c88997 |
index 66aca6f..e4c8eca 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named1.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named1.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf
|
|
|
c88997 |
index 2dd52ae..6f3fdee 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named10.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named10.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf
|
|
|
c88997 |
index af87edf..149e19a 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named11.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named11.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named2.conf b/bin/tests/system/geoip/ns2/named2.conf
|
|
|
c88997 |
index 67a5155..5dc3848 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named2.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named2.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named3.conf b/bin/tests/system/geoip/ns2/named3.conf
|
|
|
c88997 |
index 65113a6..ebf96a9 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named3.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named3.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named4.conf b/bin/tests/system/geoip/ns2/named4.conf
|
|
|
c88997 |
index d2393d5..cc79dde 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named4.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named4.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named5.conf b/bin/tests/system/geoip/ns2/named5.conf
|
|
|
c88997 |
index 011e310..acbbdb1 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named5.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named5.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named6.conf b/bin/tests/system/geoip/ns2/named6.conf
|
|
|
c88997 |
index 7ef7b19..5e93510 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named6.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named6.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named7.conf b/bin/tests/system/geoip/ns2/named7.conf
|
|
|
c88997 |
index 118bdbe..508a650 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named7.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named7.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named8.conf b/bin/tests/system/geoip/ns2/named8.conf
|
|
|
c88997 |
index 9cb5c0a..60dcef2 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named8.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named8.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/geoip/ns2/named9.conf b/bin/tests/system/geoip/ns2/named9.conf
|
|
|
c88997 |
index af2f7ff..605b1ff 100644
|
|
|
c88997 |
--- a/bin/tests/system/geoip/ns2/named9.conf
|
|
|
c88997 |
+++ b/bin/tests/system/geoip/ns2/named9.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/ixfr/ns3/named.conf b/bin/tests/system/ixfr/ns3/named.conf
|
|
|
c88997 |
index c01ce54..b164968 100644
|
|
|
c88997 |
--- a/bin/tests/system/ixfr/ns3/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/ixfr/ns3/named.conf
|
|
|
c88997 |
@@ -31,7 +31,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/ixfr/ns4/named.conf b/bin/tests/system/ixfr/ns4/named.conf
|
|
|
c88997 |
index b8c8e8c..073d1a9 100644
|
|
|
c88997 |
--- a/bin/tests/system/ixfr/ns4/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/ixfr/ns4/named.conf
|
|
|
c88997 |
@@ -30,7 +30,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh
|
|
|
c88997 |
index 7e68ebc..9b3b96d 100644
|
|
|
c88997 |
--- a/bin/tests/system/ixfr/setup.sh
|
|
|
c88997 |
+++ b/bin/tests/system/ixfr/setup.sh
|
|
|
c88997 |
@@ -34,7 +34,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/logfileconfig/ns1/named.dirconf b/bin/tests/system/logfileconfig/ns1/named.dirconf
|
|
|
c88997 |
index 9cbd039..3621c2f 100644
|
|
|
c88997 |
--- a/bin/tests/system/logfileconfig/ns1/named.dirconf
|
|
|
c88997 |
+++ b/bin/tests/system/logfileconfig/ns1/named.dirconf
|
|
|
c88997 |
@@ -46,7 +46,7 @@ controls {
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key "rndc-key" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "Am9vCg==";
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
diff --git a/bin/tests/system/logfileconfig/ns1/named.pipeconf b/bin/tests/system/logfileconfig/ns1/named.pipeconf
|
|
|
c88997 |
index bf5d02f..94c10f4 100644
|
|
|
c88997 |
--- a/bin/tests/system/logfileconfig/ns1/named.pipeconf
|
|
|
c88997 |
+++ b/bin/tests/system/logfileconfig/ns1/named.pipeconf
|
|
|
c88997 |
@@ -46,7 +46,7 @@ controls {
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key "rndc-key" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "Am9vCg==";
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
diff --git a/bin/tests/system/logfileconfig/ns1/named.plain b/bin/tests/system/logfileconfig/ns1/named.plain
|
|
|
c88997 |
index 64cfbfa..a404577 100644
|
|
|
c88997 |
--- a/bin/tests/system/logfileconfig/ns1/named.plain
|
|
|
c88997 |
+++ b/bin/tests/system/logfileconfig/ns1/named.plain
|
|
|
c88997 |
@@ -46,7 +46,7 @@ controls {
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key "rndc-key" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "Am9vCg==";
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
diff --git a/bin/tests/system/logfileconfig/ns1/named.symconf b/bin/tests/system/logfileconfig/ns1/named.symconf
|
|
|
c88997 |
index fc3f9bd..7c42619 100644
|
|
|
c88997 |
--- a/bin/tests/system/logfileconfig/ns1/named.symconf
|
|
|
c88997 |
+++ b/bin/tests/system/logfileconfig/ns1/named.symconf
|
|
|
c88997 |
@@ -46,7 +46,7 @@ controls {
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key "rndc-key" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "Am9vCg==";
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
diff --git a/bin/tests/system/logfileconfig/ns1/rndc.conf b/bin/tests/system/logfileconfig/ns1/rndc.conf
|
|
|
c88997 |
index f7fe7aa..2f3d0ab 100644
|
|
|
c88997 |
--- a/bin/tests/system/logfileconfig/ns1/rndc.conf
|
|
|
c88997 |
+++ b/bin/tests/system/logfileconfig/ns1/rndc.conf
|
|
|
c88997 |
@@ -26,6 +26,6 @@ server localhost {
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key "rndc-key" {
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
secret "Am9vCg==";
|
|
|
c88997 |
};
|
|
|
c88997 |
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
|
|
|
c88997 |
index 3492b4c..86fe91d 100644
|
|
|
c88997 |
--- a/bin/tests/system/nsupdate/ns1/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/nsupdate/ns1/named.conf
|
|
|
c88997 |
@@ -34,7 +34,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf
|
|
|
c88997 |
index 48b8adf..0c8bdec 100644
|
|
|
c88997 |
--- a/bin/tests/system/pkcs11/ns1/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/pkcs11/ns1/named.conf
|
|
|
c88997 |
@@ -32,7 +32,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/resolver/ns4/named.conf b/bin/tests/system/resolver/ns4/named.conf
|
|
|
c88997 |
index 353cfe7..7fe14df 100644
|
|
|
c88997 |
--- a/bin/tests/system/resolver/ns4/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/resolver/ns4/named.conf
|
|
|
c88997 |
@@ -59,7 +59,7 @@ zone "broken" {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh
|
|
|
c88997 |
index 2fcfcfb..7e16cb4 100644
|
|
|
c88997 |
--- a/bin/tests/system/rndc/clean.sh
|
|
|
c88997 |
+++ b/bin/tests/system/rndc/clean.sh
|
|
|
c88997 |
@@ -22,3 +22,5 @@ rm -f ns2/named.stats
|
|
|
c88997 |
rm -f ns3/named_dump.db
|
|
|
c88997 |
rm -f ns*/named.memstats
|
|
|
c88997 |
rm -f ns*/named.run
|
|
|
c88997 |
+rm -f random.data
|
|
|
c88997 |
+rm -f ns4/*.conf
|
|
|
c88997 |
diff --git a/bin/tests/system/rndc/ns2/named.conf b/bin/tests/system/rndc/ns2/named.conf
|
|
|
c88997 |
index 12d6f14..e94bfe9 100644
|
|
|
c88997 |
--- a/bin/tests/system/rndc/ns2/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/rndc/ns2/named.conf
|
|
|
c88997 |
@@ -29,12 +29,12 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key secondkey {
|
|
|
c88997 |
secret "abcd1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/rndc/ns2/secondkey.conf b/bin/tests/system/rndc/ns2/secondkey.conf
|
|
|
c88997 |
index 99a876c..0445299 100644
|
|
|
c88997 |
--- a/bin/tests/system/rndc/ns2/secondkey.conf
|
|
|
c88997 |
+++ b/bin/tests/system/rndc/ns2/secondkey.conf
|
|
|
c88997 |
@@ -22,5 +22,5 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key secondkey {
|
|
|
c88997 |
secret "abcd1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
diff --git a/bin/tests/system/rndc/ns3/named.conf b/bin/tests/system/rndc/ns3/named.conf
|
|
|
c88997 |
index 9feefac..b8e0780 100644
|
|
|
c88997 |
--- a/bin/tests/system/rndc/ns3/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/rndc/ns3/named.conf
|
|
|
c88997 |
@@ -28,12 +28,12 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key secondkey {
|
|
|
c88997 |
secret "abcd1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/rndc/ns4/3bf305731dd26307.nta b/bin/tests/system/rndc/ns4/3bf305731dd26307.nta
|
|
|
c88997 |
new file mode 100644
|
|
|
c88997 |
index 0000000..2f5d3cd
|
|
|
c88997 |
--- /dev/null
|
|
|
c88997 |
+++ b/bin/tests/system/rndc/ns4/3bf305731dd26307.nta
|
|
|
c88997 |
@@ -0,0 +1,3 @@
|
|
|
c88997 |
+nta1.example. regular 20171113185318
|
|
|
c88997 |
+nta2.example. regular 20171114165318
|
|
|
c88997 |
+nta3.example. regular 20171120165318
|
|
|
c88997 |
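Review bot: `ns4/3bf305731dd26307.nta` looks like state that named writes at runtime (a negative-trust-anchor list with expiry timestamps) rather than a test fixture, and nothing in the new `setup.sh`, `tests.sh` or `ns4/named.conf.in` refers to it. If it was picked up by accident it should be dropped from the commit; if it is intentional, `clean.sh`'s new `rm -f ns4/*.conf` will not touch it between runs, so either add it to the cleanup list or leave a comment in `setup.sh` saying why the file is checked in.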
diff --git a/bin/tests/system/rndc/ns4/named.conf.in b/bin/tests/system/rndc/ns4/named.conf.in
|
|
|
c88997 |
new file mode 100644
|
|
|
c88997 |
index 0000000..9f926f6
|
|
|
c88997 |
--- /dev/null
|
|
|
c88997 |
+++ b/bin/tests/system/rndc/ns4/named.conf.in
|
|
|
c88997 |
@@ -0,0 +1,28 @@
|
|
|
c88997 |
+/*
|
|
|
c88997 |
+ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
|
|
|
c88997 |
+ *
|
|
|
c88997 |
+ * Permission to use, copy, modify, and/or distribute this software for any
|
|
|
c88997 |
+ * purpose with or without fee is hereby granted, provided that the above
|
|
|
c88997 |
+ * copyright notice and this permission notice appear in all copies.
|
|
|
c88997 |
+ *
|
|
|
c88997 |
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
|
c88997 |
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
|
c88997 |
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
|
c88997 |
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
|
c88997 |
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
|
c88997 |
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
|
c88997 |
+ * PERFORMANCE OF THIS SOFTWARE.
|
|
|
c88997 |
+ */
|
|
|
c88997 |
+
|
|
|
c88997 |
+/* $Id$ */
|
|
|
c88997 |
+
|
|
|
c88997 |
+controls { /* empty */ };
|
|
|
c88997 |
+
|
|
|
c88997 |
+options {
|
|
|
c88997 |
+ port 5300;
|
|
|
c88997 |
+ pid-file "named.pid";
|
|
|
c88997 |
+ listen-on { 10.53.0.4; };
|
|
|
c88997 |
+ listen-on-v6 { none; };
|
|
|
c88997 |
+ recursion no;
|
|
|
c88997 |
+};
|
|
|
c88997 |
+
|
|
|
c88997 |
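--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -10,14 +10,36 @@
 # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 # AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN
+# -r random.dataCE
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
 # $Id: setup.sh,v 1.2 2011/03/21 18:06:06 each Exp $
 
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
 sh clean.sh
 
+../../../tools/genrandom 400 random.data
+
 sh ../genzone.sh 2 >ns2/nil.db
 sh ../genzone.sh 2 >ns2/other.db
 sh ../genzone.sh 2 >ns2/static.db
+
+cat ns4/named.conf.in > ns4/named.conf
+
+make_key () {
+ $RNDCCONFGEN -r random.data -k key$1 -A $2 -s 10.53.0.4 -p 995${1} \
+ > ns4/key${1}.conf
+ egrep -v '(Start|End|Use|^[^#])' ns4/key$1.conf | cut -c3- | \
+ sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+}
+
+make_key 1 hmac-md5
+make_key 2 hmac-sha1
+make_key 3 hmac-sha224
+make_key 4 hmac-sha256
+make_key 5 hmac-sha384
+make_key 6 hmac-sha512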
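Review bot: The license header at the top of the hunk is corrupted by a stray paste: the single old line ending in `NEGLIGENCE` became `# ... NEGLIGEN` plus `# -r random.dataCE`, apparently the `-r random.data` argument later used in `make_key` typed into the wrong place; restore the one original line `# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE` and drop the second. In `make_key`, the `$RNDCCONFGEN` invocation is unchecked, so if it fails (an `-A` value the tool rejects, a missing `random.data`) `ns4/key$1.conf` is empty and `named.conf` silently gets no key or controls stanza, which only surfaces later as an opaque rndc failure; `-p 995${1} > ns4/key${1}.conf || exit 1` makes setup stop at the real cause. The `sed` that rewrites `allow { 10.53.0.4` to `allow { any` widens the control-channel ACL of the generated stanza, presumably acceptable on the isolated test network, but a comment such as `# open the generated ACL so rndc can connect from any test address` would save the next reader from wondering whether it was intentional.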
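--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -245,5 +245,65 @@ done
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:testing rndc with hmac-md5"
+ret=0
+$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+for i in 2 3 4 5 6
+do
+ $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha1"
+ret=0
+$RNDC -s 10.53.0.4 -p 9952 -c ns4/key2.conf status > /dev/null 2>&1 || ret=1
+for i in 1 3 4 5 6
+do
+ $RNDC -s 10.53.0.4 -p 9952 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha224"
+ret=0
+$RNDC -s 10.53.0.4 -p 9953 -c ns4/key3.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 4 5 6
+do
+ $RNDC -s 10.53.0.4 -p 9953 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha256"
+ret=0
+$RNDC -s 10.53.0.4 -p 9954 -c ns4/key4.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 5 6
+do
+ $RNDC -s 10.53.0.4 -p 9954 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha384"
+ret=0
+$RNDC -s 10.53.0.4 -p 9955 -c ns4/key5.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 4 6
+do
+ $RNDC -s 10.53.0.4 -p 9955 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing rndc with hmac-sha512"
+ret=0
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf status > /dev/null 2>&1 || ret=1
+for i in 1 2 3 4 5
+do
+ $RNDC -s 10.53.0.4 -p 9956 -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1
+done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status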
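Review bot: The six `testing rndc with hmac-*` blocks are the same ten lines with only the port, key index and excluded index varying, and the copy in the hmac-sha512 block already carries a duplicated redirect, `> /dev/null 2>&1 2>&1`, harmless but a sign the copies have drifted. A single loop over the algorithm list, as below, removes the duplication and the typo while keeping the same ports (9951–9956) and the same positive/negative checks per key. Note that the negative checks only assert a non-zero exit with a mismatched key, so they would also "pass" against an unreachable server; the positive check on the same port is what anchors them, and the two must stay paired per port as they are here.
```shell
# … unchanged: preceding test blocks and status accumulation …
n=1
for alg in hmac-md5 hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512
do
	echo "I:testing rndc with $alg"
	ret=0
	port=`expr 9950 + $n`
	# the matching key must be accepted on its own control port ...
	$RNDC -s 10.53.0.4 -p $port -c ns4/key${n}.conf status > /dev/null 2>&1 || ret=1
	# ... and every other key must be rejected on that port
	for i in 1 2 3 4 5 6
	do
		[ $i -eq $n ] && continue
		$RNDC -s 10.53.0.4 -p $port -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
	done
	if [ $ret != 0 ]; then echo "I:failed"; fi
	status=`expr $status + $ret`
	n=`expr $n + 1`
done
# … unchanged: "I:exit status" echo and exit …
```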
diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf
|
|
|
c88997 |
index 4553b97..1e73a88 100644
|
|
|
c88997 |
--- a/bin/tests/system/rpz/ns3/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/rpz/ns3/named.conf
|
|
|
c88997 |
@@ -52,7 +52,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
controls {
|
|
|
c88997 |
inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
|
|
|
c88997 |
diff --git a/bin/tests/system/rpz/ns5/named.conf b/bin/tests/system/rpz/ns5/named.conf
|
|
|
c88997 |
index 82b6fde..df63189 100644
|
|
|
c88997 |
--- a/bin/tests/system/rpz/ns5/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/rpz/ns5/named.conf
|
|
|
c88997 |
@@ -40,7 +40,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
controls {
|
|
|
c88997 |
inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
|
|
|
c88997 |
diff --git a/bin/tests/system/rrl/ns2/named.conf b/bin/tests/system/rrl/ns2/named.conf
|
|
|
c88997 |
index cc261cb..748639c 100644
|
|
|
c88997 |
--- a/bin/tests/system/rrl/ns2/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/rrl/ns2/named.conf
|
|
|
c88997 |
@@ -44,7 +44,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
controls {
|
|
|
c88997 |
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
|
|
|
c88997 |
diff --git a/bin/tests/system/staticstub/ns3/named.conf.in b/bin/tests/system/staticstub/ns3/named.conf.in
|
|
|
c88997 |
index 159a4be..dbf9b17 100644
|
|
|
c88997 |
--- a/bin/tests/system/staticstub/ns3/named.conf.in
|
|
|
c88997 |
+++ b/bin/tests/system/staticstub/ns3/named.conf.in
|
|
|
c88997 |
@@ -32,7 +32,7 @@
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/stress/ns3/named.conf b/bin/tests/system/stress/ns3/named.conf
|
|
|
c88997 |
index 9ff09d7..f8695bc 100644
|
|
|
c88997 |
--- a/bin/tests/system/stress/ns3/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/stress/ns3/named.conf
|
|
|
c88997 |
@@ -34,7 +34,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
|
|
|
c88997 |
index b0f1700..6225563 100644
|
|
|
c88997 |
--- a/bin/tests/system/tkey/ns1/named.conf.in
|
|
|
c88997 |
+++ b/bin/tests/system/tkey/ns1/named.conf.in
|
|
|
c88997 |
@@ -37,7 +37,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/tsiggss/ns1/named.conf b/bin/tests/system/tsiggss/ns1/named.conf
|
|
|
c88997 |
index 645d578..3084a1b 100644
|
|
|
c88997 |
--- a/bin/tests/system/tsiggss/ns1/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/tsiggss/ns1/named.conf
|
|
|
c88997 |
@@ -34,7 +34,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/views/ns3/named1.conf b/bin/tests/system/views/ns3/named1.conf
|
|
|
c88997 |
index 9723e08..8071dbf 100644
|
|
|
c88997 |
--- a/bin/tests/system/views/ns3/named1.conf
|
|
|
c88997 |
+++ b/bin/tests/system/views/ns3/named1.conf
|
|
|
c88997 |
@@ -34,7 +34,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/views/ns3/named2.conf b/bin/tests/system/views/ns3/named2.conf
|
|
|
c88997 |
index 27d4955..2804059 100644
|
|
|
c88997 |
--- a/bin/tests/system/views/ns3/named2.conf
|
|
|
c88997 |
+++ b/bin/tests/system/views/ns3/named2.conf
|
|
|
c88997 |
@@ -34,7 +34,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/xfer/ns3/named.conf b/bin/tests/system/xfer/ns3/named.conf
|
|
|
c88997 |
index 5f742d2..0ea4663 100644
|
|
|
c88997 |
--- a/bin/tests/system/xfer/ns3/named.conf
|
|
|
c88997 |
+++ b/bin/tests/system/xfer/ns3/named.conf
|
|
|
c88997 |
@@ -34,7 +34,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
controls {
|
|
|
c88997 |
diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
|
|
|
c88997 |
index 231fcfa..ecab46a 100644
|
|
|
c88997 |
--- a/bin/tests/system/xfer/ns4/named.conf.base
|
|
|
c88997 |
+++ b/bin/tests/system/xfer/ns4/named.conf.base
|
|
|
c88997 |
@@ -30,7 +30,7 @@ options {
|
|
|
c88997 |
|
|
|
c88997 |
key rndc_key {
|
|
|
c88997 |
secret "1234abcd8765";
|
|
|
c88997 |
- algorithm hmac-md5;
|
|
|
c88997 |
+ algorithm hmac-sha256;
|
|
|
c88997 |
};
|
|
|
c88997 |
|
|
|
c88997 |
key unused_key. {
|
|
|
c88997 |
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
|
|
|
c88997 |
index 10e5dc9..9428374 100644
|
|
|
c88997 |
--- a/lib/isccc/cc.c
|
|
|
c88997 |
+++ b/lib/isccc/cc.c
|
|
|
c88997 |
@@ -41,6 +41,7 @@
|
|
|
c88997 |
|
|
|
c88997 |
#include <isc/assertions.h>
|
|
|
c88997 |
#include <isc/hmacmd5.h>
|
|
|
c88997 |
+#include <isc/hmacsha.h>
|
|
|
c88997 |
#include <isc/print.h>
|
|
|
c88997 |
#include <isc/safe.h>
|
|
|
c88997 |
#include <isc/stdlib.h>
|
|
|
c88997 |
@@ -78,6 +79,34 @@ static unsigned char auth_hmd5[] = {
|
|
|
c88997 |
#define HMD5_OFFSET 21 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
|
|
|
c88997 |
#define HMD5_LENGTH 22
|
|
|
c88997 |
|
|
|
c88997 |
+static unsigned char auth_hsha[] = {
|
|
|
c88997 |
+ 0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
|
|
|
c88997 |
+ ISCCC_CCMSGTYPE_TABLE, /*%< message type */
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x63, /*%< length == 99 */
|
|
|
c88997 |
+ 0x04, 0x68, 0x73, 0x68, 0x61, /*%< len + hsha */
|
|
|
c88997 |
+ ISCCC_CCMSGTYPE_BINARYDATA, /*%< message type */
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x59, /*%< length == 89 */
|
|
|
c88997 |
+ 0x00, /*%< algorithm */
|
|
|
c88997 |
+ /*
|
|
|
c88997 |
+ * The base64 encoding of one of our HMAC-SHA* signatures is
|
|
|
c88997 |
+ * 88 bytes.
|
|
|
c88997 |
+ */
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
c88997 |
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
|
|
c88997 |
+};
|
|
|
c88997 |
+
|
|
|
c88997 |
+#define HSHA_OFFSET 22 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */
|
|
|
c88997 |
+#define HSHA_LENGTH 88
|
|
|
c88997 |
+
|
|
|
c88997 |
static isc_result_t
|
|
|
c88997 |
table_towire(isccc_sexpr_t *alist, isccc_region_t *target);
|
|
|
c88997 |
|
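Review bot: The comment on the new `HSHA_OFFSET` define contradicts its value: the define is 22 and the sum it lists (6 + 1 + 4 + 5 + 1 + 4 + 1) is also 22, but the text says 21, apparently carried over from the `HMD5_OFFSET` comment above it. Suggest `#define HSHA_OFFSET 22 /*%< 22 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */`. It would also help to state that the trailing 1 is the algorithm byte that precedes the 88-byte base64 signature in `auth_hsha`, since `isccc_cc_towire` later derives that byte's position as `hmac_rstart - 1`.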
|
|
c88997 |
@@ -205,53 +234,133 @@ list_towire(isccc_sexpr_t *list, isccc_region_t *target)
|
|
|
c88997 |
}
|
|
|
c88997 |
|
|
|
c88997 |
static isc_result_t
|
|
|
c88997 |
-sign(unsigned char *data, unsigned int length, unsigned char *hmd5,
|
|
|
c88997 |
- isccc_region_t *secret)
|
|
|
c88997 |
+sign(unsigned char *data, unsigned int length, unsigned char *hmac,
|
|
|
c88997 |
+ isc_uint32_t algorithm, isccc_region_t *secret)
|
|
|
c88997 |
{
|
|
|
c88997 |
- isc_hmacmd5_t ctx;
|
|
|
c88997 |
+ union {
|
|
|
c88997 |
+ isc_hmacmd5_t hmd5;
|
|
|
c88997 |
+ isc_hmacsha1_t hsha;
|
|
|
c88997 |
+ isc_hmacsha224_t h224;
|
|
|
c88997 |
+ isc_hmacsha256_t h256;
|
|
|
c88997 |
+ isc_hmacsha384_t h384;
|
|
|
c88997 |
+ isc_hmacsha512_t h512;
|
|
|
c88997 |
+ } ctx;
|
|
|
c88997 |
isc_result_t result;
|
|
|
c88997 |
isccc_region_t source, target;
|
|
|
c88997 |
- unsigned char digest[ISC_MD5_DIGESTLENGTH];
|
|
|
c88997 |
- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
|
|
|
c88997 |
+ unsigned char digest[ISC_SHA512_DIGESTLENGTH];
|
|
|
c88997 |
+ unsigned char digestb64[HSHA_LENGTH + 4];
|
|
|
c88997 |
|
|
|
c88997 |
- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
|
|
|
c88997 |
- isc_hmacmd5_update(&ctx, data, length);
|
|
|
c88997 |
- isc_hmacmd5_sign(&ctx, digest);
|
|
|
c88997 |
source.rstart = digest;
|
|
|
c88997 |
- source.rend = digest + ISC_MD5_DIGESTLENGTH;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ switch (algorithm) {
|
|
|
c88997 |
+ case ISCCC_ALG_HMACMD5:
|
|
|
c88997 |
+ isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacmd5_update(&ctx.hmd5, data, length);
|
|
|
c88997 |
+ isc_hmacmd5_sign(&ctx.hmd5, digest);
|
|
|
c88997 |
+ source.rend = digest + ISC_MD5_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA1:
|
|
|
c88997 |
+ isc_hmacsha1_init(&ctx.hsha, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha1_update(&ctx.hsha, data, length);
|
|
|
c88997 |
+ isc_hmacsha1_sign(&ctx.hsha, digest,
|
|
|
c88997 |
+ ISC_SHA1_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA1_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA224:
|
|
|
c88997 |
+ isc_hmacsha224_init(&ctx.h224, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha224_update(&ctx.h224, data, length);
|
|
|
c88997 |
+ isc_hmacsha224_sign(&ctx.h224, digest,
|
|
|
c88997 |
+ ISC_SHA224_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA224_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA256:
|
|
|
c88997 |
+ isc_hmacsha256_init(&ctx.h256, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha256_update(&ctx.h256, data, length);
|
|
|
c88997 |
+ isc_hmacsha256_sign(&ctx.h256, digest,
|
|
|
c88997 |
+ ISC_SHA256_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA256_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA384:
|
|
|
c88997 |
+ isc_hmacsha384_init(&ctx.h384, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha384_update(&ctx.h384, data, length);
|
|
|
c88997 |
+ isc_hmacsha384_sign(&ctx.h384, digest,
|
|
|
c88997 |
+ ISC_SHA384_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA384_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA512:
|
|
|
c88997 |
+ isc_hmacsha512_init(&ctx.h512, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha512_update(&ctx.h512, data, length);
|
|
|
c88997 |
+ isc_hmacsha512_sign(&ctx.h512, digest,
|
|
|
c88997 |
+ ISC_SHA512_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA512_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ default:
|
|
|
c88997 |
+ return (ISC_R_FAILURE);
|
|
|
c88997 |
+ }
|
|
|
c88997 |
+
|
|
|
c88997 |
+ memset(digestb64, 0, sizeof(digestb64));
|
|
|
c88997 |
target.rstart = digestb64;
|
|
|
c88997 |
- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
|
|
|
c88997 |
+ target.rend = digestb64 + sizeof(digestb64);
|
|
|
c88997 |
result = isccc_base64_encode(&source, 64, "", &target);
|
|
|
c88997 |
if (result != ISC_R_SUCCESS)
|
|
|
c88997 |
return (result);
|
|
|
c88997 |
- PUT_MEM(digestb64, HMD5_LENGTH, hmd5);
|
|
|
c88997 |
-
|
|
|
c88997 |
+ if (algorithm == ISCCC_ALG_HMACMD5)
|
|
|
c88997 |
+ PUT_MEM(digestb64, HMD5_LENGTH, hmac);
|
|
|
c88997 |
+ else
|
|
|
c88997 |
+ PUT_MEM(digestb64, HSHA_LENGTH, hmac);
|
|
|
c88997 |
return (ISC_R_SUCCESS);
|
|
|
c88997 |
}
|
|
|
c88997 |
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
|
|
|
c88997 |
- isccc_region_t *secret)
|
|
|
c88997 |
+ isc_uint32_t algorithm, isccc_region_t *secret)
|
|
|
c88997 |
{
|
|
|
c88997 |
- unsigned char *hmd5_rstart, *signed_rstart;
|
|
|
c88997 |
+ unsigned char *hmac_rstart, *signed_rstart;
|
|
|
c88997 |
isc_result_t result;
|
|
|
c88997 |
|
|
|
c88997 |
- if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
|
|
|
c88997 |
- return (ISC_R_NOSPACE);
|
|
|
c88997 |
+ if (algorithm == ISCCC_ALG_HMACMD5) {
|
|
|
c88997 |
+ if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
|
|
|
c88997 |
+ return (ISC_R_NOSPACE);
|
|
|
c88997 |
+ } else {
|
|
|
c88997 |
+ if (REGION_SIZE(*target) < 4 + sizeof(auth_hsha))
|
|
|
c88997 |
+ return (ISC_R_NOSPACE);
|
|
|
c88997 |
+ }
|
|
|
c88997 |
+
|
|
|
c88997 |
/*
|
|
|
c88997 |
* Emit protocol version.
|
|
|
c88997 |
*/
|
|
|
c88997 |
PUT32(1, target->rstart);
|
|
|
c88997 |
if (secret != NULL) {
|
|
|
c88997 |
/*
|
|
|
c88997 |
- * Emit _auth section with zeroed HMAC-MD5 signature.
|
|
|
c88997 |
+ * Emit _auth section with zeroed HMAC signature.
|
|
|
c88997 |
* We'll replace the zeros with the real signature once
|
|
|
c88997 |
* we know what it is.
|
|
|
c88997 |
*/
|
|
|
c88997 |
- hmd5_rstart = target->rstart + HMD5_OFFSET;
|
|
|
c88997 |
- PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
|
|
|
c88997 |
+ if (algorithm == ISCCC_ALG_HMACMD5) {
|
|
|
c88997 |
+ hmac_rstart = target->rstart + HMD5_OFFSET;
|
|
|
c88997 |
+ PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
|
|
|
c88997 |
+ } else {
|
|
|
c88997 |
+ unsigned char *hmac_alg;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ hmac_rstart = target->rstart + HSHA_OFFSET;
|
|
|
c88997 |
+ hmac_alg = hmac_rstart - 1;
|
|
|
c88997 |
+ PUT_MEM(auth_hsha, sizeof(auth_hsha), target->rstart);
|
|
|
c88997 |
+ PUT8(algorithm, hmac_alg);
|
|
|
c88997 |
+ }
|
|
|
c88997 |
} else
|
|
|
c88997 |
- hmd5_rstart = NULL;
|
|
|
c88997 |
+ hmac_rstart = NULL;
|
|
|
c88997 |
signed_rstart = target->rstart;
|
|
|
c88997 |
/*
|
|
|
c88997 |
* Delete any existing _auth section so that we don't try
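Review bot: `sign()` and `verify()` size the same base64 scratch buffer differently: `unsigned char digestb64[HSHA_LENGTH + 4];` here versus `unsigned char digestb64[HSHA_LENGTH * 4];` in the verify() hunk that follows. The base64 encoding of the largest digest (ISC_SHA512_DIGESTLENGTH, 64 bytes) is 88 characters, so both are large enough, but the two should use one expression so a future change to HSHA_LENGTH is reasoned about once; `unsigned char digestb64[HSHA_LENGTH + 4];` in verify() would match. The `memset(digestb64, 0, sizeof(digestb64))` before encoding is what zero-pads the shorter SHA-1/224/256/384 encodings to the fixed 88-byte `hsha` field, which deserves a one-line comment because `PUT_MEM(digestb64, HSHA_LENGTH, hmac)` copies the full field regardless of algorithm. isccc_cc_towire's body continues past the end of the hunk.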
|
|
|
c88997 |
@@ -266,21 +375,28 @@ isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
|
|
|
c88997 |
return (result);
|
|
|
c88997 |
if (secret != NULL)
|
|
|
c88997 |
return (sign(signed_rstart, (target->rstart - signed_rstart),
|
|
|
c88997 |
- hmd5_rstart, secret));
|
|
|
c88997 |
+ hmac_rstart, algorithm, secret));
|
|
|
c88997 |
return (ISC_R_SUCCESS);
|
|
|
c88997 |
}
|
|
|
c88997 |
|
|
|
c88997 |
static isc_result_t
|
|
|
c88997 |
verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
|
|
|
c88997 |
- isccc_region_t *secret)
|
|
|
c88997 |
+ isc_uint32_t algorithm, isccc_region_t *secret)
|
|
|
c88997 |
{
|
|
|
c88997 |
- isc_hmacmd5_t ctx;
|
|
|
c88997 |
+ union {
|
|
|
c88997 |
+ isc_hmacmd5_t hmd5;
|
|
|
c88997 |
+ isc_hmacsha1_t hsha;
|
|
|
c88997 |
+ isc_hmacsha224_t h224;
|
|
|
c88997 |
+ isc_hmacsha256_t h256;
|
|
|
c88997 |
+ isc_hmacsha384_t h384;
|
|
|
c88997 |
+ isc_hmacsha512_t h512;
|
|
|
c88997 |
+ } ctx;
|
|
|
c88997 |
isccc_region_t source;
|
|
|
c88997 |
isccc_region_t target;
|
|
|
c88997 |
isc_result_t result;
|
|
|
c88997 |
- isccc_sexpr_t *_auth, *hmd5;
|
|
|
c88997 |
- unsigned char digest[ISC_MD5_DIGESTLENGTH];
|
|
|
c88997 |
- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
|
|
|
c88997 |
+ isccc_sexpr_t *_auth, *hmac;
|
|
|
c88997 |
+ unsigned char digest[ISC_SHA512_DIGESTLENGTH];
|
|
|
c88997 |
+ unsigned char digestb64[HSHA_LENGTH * 4];
|
|
|
c88997 |
|
|
|
c88997 |
/*
|
|
|
c88997 |
* Extract digest.
|
|
|
c88997 |
@@ -288,40 +404,107 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
|
|
|
c88997 |
_auth = isccc_alist_lookup(alist, "_auth");
|
|
|
c88997 |
if (!isccc_alist_alistp(_auth))
|
|
|
c88997 |
return (ISC_R_FAILURE);
|
|
|
c88997 |
- hmd5 = isccc_alist_lookup(_auth, "hmd5");
|
|
|
c88997 |
- if (!isccc_sexpr_binaryp(hmd5))
|
|
|
c88997 |
+ if (algorithm == ISCCC_ALG_HMACMD5)
|
|
|
c88997 |
+ hmac = isccc_alist_lookup(_auth, "hmd5");
|
|
|
c88997 |
+ else
|
|
|
c88997 |
+ hmac = isccc_alist_lookup(_auth, "hsha");
|
|
|
c88997 |
+ if (!isccc_sexpr_binaryp(hmac))
|
|
|
c88997 |
return (ISC_R_FAILURE);
|
|
|
c88997 |
/*
|
|
|
c88997 |
* Compute digest.
|
|
|
c88997 |
*/
|
|
|
c88997 |
- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
|
|
|
c88997 |
- isc_hmacmd5_update(&ctx, data, length);
|
|
|
c88997 |
- isc_hmacmd5_sign(&ctx, digest);
|
|
|
c88997 |
source.rstart = digest;
|
|
|
c88997 |
- source.rend = digest + ISC_MD5_DIGESTLENGTH;
|
|
|
c88997 |
target.rstart = digestb64;
|
|
|
c88997 |
- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
|
|
|
c88997 |
+ switch (algorithm) {
|
|
|
c88997 |
+ case ISCCC_ALG_HMACMD5:
|
|
|
c88997 |
+ isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacmd5_update(&ctx.hmd5, data, length);
|
|
|
c88997 |
+ isc_hmacmd5_sign(&ctx.hmd5, digest);
|
|
|
c88997 |
+ source.rend = digest + ISC_MD5_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA1:
|
|
|
c88997 |
+ isc_hmacsha1_init(&ctx.hsha, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha1_update(&ctx.hsha, data, length);
|
|
|
c88997 |
+ isc_hmacsha1_sign(&ctx.hsha, digest,
|
|
|
c88997 |
+ ISC_SHA1_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA1_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA224:
|
|
|
c88997 |
+ isc_hmacsha224_init(&ctx.h224, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha224_update(&ctx.h224, data, length);
|
|
|
c88997 |
+ isc_hmacsha224_sign(&ctx.h224, digest,
|
|
|
c88997 |
+ ISC_SHA224_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA224_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA256:
|
|
|
c88997 |
+ isc_hmacsha256_init(&ctx.h256, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha256_update(&ctx.h256, data, length);
|
|
|
c88997 |
+ isc_hmacsha256_sign(&ctx.h256, digest,
|
|
|
c88997 |
+ ISC_SHA256_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA256_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA384:
|
|
|
c88997 |
+ isc_hmacsha384_init(&ctx.h384, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha384_update(&ctx.h384, data, length);
|
|
|
c88997 |
+ isc_hmacsha384_sign(&ctx.h384, digest,
|
|
|
c88997 |
+ ISC_SHA384_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA384_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ case ISCCC_ALG_HMACSHA512:
|
|
|
c88997 |
+ isc_hmacsha512_init(&ctx.h512, secret->rstart,
|
|
|
c88997 |
+ REGION_SIZE(*secret));
|
|
|
c88997 |
+ isc_hmacsha512_update(&ctx.h512, data, length);
|
|
|
c88997 |
+ isc_hmacsha512_sign(&ctx.h512, digest,
|
|
|
c88997 |
+ ISC_SHA512_DIGESTLENGTH);
|
|
|
c88997 |
+ source.rend = digest + ISC_SHA512_DIGESTLENGTH;
|
|
|
c88997 |
+ break;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ default:
|
|
|
c88997 |
+ return (ISC_R_FAILURE);
|
|
|
c88997 |
+ }
|
|
|
c88997 |
+ target.rstart = digestb64;
|
|
|
c88997 |
+ target.rend = digestb64 + sizeof(digestb64);
|
|
|
c88997 |
+ memset(digestb64, 0, sizeof(digestb64));
|
|
|
c88997 |
result = isccc_base64_encode(&source, 64, "", &target);
|
|
|
c88997 |
if (result != ISC_R_SUCCESS)
|
|
|
c88997 |
return (result);
|
|
|
c88997 |
- /*
|
|
|
c88997 |
- * Strip trailing == and NUL terminate target.
|
|
|
c88997 |
- */
|
|
|
c88997 |
- target.rstart -= 2;
|
|
|
c88997 |
- *target.rstart++ = '\0';
|
|
|
c88997 |
+
|
|
|
c88997 |
/*
|
|
|
c88997 |
* Verify.
|
|
|
c88997 |
*/
|
|
|
c88997 |
- if (!isc_safe_memcmp((unsigned char *) isccc_sexpr_tostring(hmd5),
|
|
|
c88997 |
- digestb64, HMD5_LENGTH))
|
|
|
c88997 |
- return (ISCCC_R_BADAUTH);
|
|
|
c88997 |
+ if (algorithm == ISCCC_ALG_HMACMD5) {
|
|
|
c88997 |
+ unsigned char *value;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ value = (unsigned char *) isccc_sexpr_tostring(hmac);
|
|
|
c88997 |
+ if (memcmp(value, digestb64, HMD5_LENGTH) != 0)
|
|
|
c88997 |
+ return (ISCCC_R_BADAUTH);
|
|
|
c88997 |
+ } else {
|
|
|
c88997 |
+ unsigned char *value;
|
|
|
c88997 |
+ isc_uint32_t valalg;
|
|
|
c88997 |
+
|
|
|
c88997 |
+ value = (unsigned char *) isccc_sexpr_tostring(hmac);
|
|
|
c88997 |
+ GET8(valalg, value);
|
|
|
c88997 |
+ if ((valalg != algorithm) ||
|
|
|
c88997 |
+ (memcmp(value, digestb64, HSHA_LENGTH) != 0))
|
|
|
c88997 |
+ return (ISCCC_R_BADAUTH);
|
|
|
c88997 |
+ }
|
|
|
c88997 |
|
|
|
c88997 |
return (ISC_R_SUCCESS);
|
|
|
c88997 |
}
|
|
|
c88997 |
|
|
|
c88997 |
static isc_result_t
|
|
|
c88997 |
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
|
|
c88997 |
- isccc_sexpr_t **alistp);
|
|
|
c88997 |
+ isc_uint32_t algorithm, isccc_sexpr_t **alistp);
|
|
|
c88997 |
|
|
|
c88997 |
static isc_result_t
|
|
|
c88997 |
list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
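Review bot: The verification at the end of the hunk replaces the constant-time `isc_safe_memcmp()` of the removed lines with plain `memcmp()` in both the hmd5 and hsha branches, which reintroduces a timing side channel on the MAC comparison; `<isc/safe.h>` is still included at the top of the file, so nothing else needs to change. Keep the constant-time form: `if (!isc_safe_memcmp(value, digestb64, HMD5_LENGTH))` and `if ((valalg != algorithm) || !isc_safe_memcmp(value, digestb64, HSHA_LENGTH))`. Separately, the length of the received `_auth` value is never checked before `GET8(valalg, value)` and the HMD5_LENGTH/HSHA_LENGTH-byte compare read from it, so a shorter `hmd5`/`hsha` value in a not-yet-authenticated message is read past its end; if the sexpr API exposes the binary value's region length (presumably via `isccc_sexpr_tobinary()` — confirm), compare it against HMD5_LENGTH or 1 + HSHA_LENGTH first and return ISCCC_R_BADAUTH on mismatch.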
|
|
|
c88997 |
@@ -352,7 +535,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
|
|
|
c88997 |
} else
|
|
|
c88997 |
result = ISC_R_NOMEMORY;
|
|
|
c88997 |
} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
|
|
|
c88997 |
- result = table_fromwire(&active, NULL, valuep);
|
|
|
c88997 |
+ result = table_fromwire(&active, NULL, 0, valuep);
|
|
|
c88997 |
else if (msgtype == ISCCC_CCMSGTYPE_LIST)
|
|
|
c88997 |
result = list_fromwire(&active, valuep);
|
|
|
c88997 |
else
|
|
|
c88997 |
@@ -363,7 +546,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
|
|
|
c88997 |
|
|
|
c88997 |
static isc_result_t
|
|
|
c88997 |
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
|
|
c88997 |
- isccc_sexpr_t **alistp)
|
|
|
c88997 |
+ isc_uint32_t algorithm, isccc_sexpr_t **alistp)
|
|
|
c88997 |
{
|
|
|
c88997 |
char key[256];
|
|
|
c88997 |
isc_uint32_t len;
|
|
|
c88997 |
@@ -405,7 +588,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
|
|
c88997 |
if (checksum_rstart != NULL)
|
|
|
c88997 |
result = verify(alist, checksum_rstart,
|
|
|
c88997 |
(source->rend - checksum_rstart),
|
|
|
c88997 |
- secret);
|
|
|
c88997 |
+ algorithm, secret);
|
|
|
c88997 |
else
|
|
|
c88997 |
result = ISCCC_R_BADAUTH;
|
|
|
c88997 |
} else
|
|
|
c88997 |
@@ -448,7 +631,7 @@ list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp)
|
|
|
c88997 |
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
|
|
|
c88997 |
- isccc_region_t *secret)
|
|
|
c88997 |
+ isc_uint32_t algorithm, isccc_region_t *secret)
|
|
|
c88997 |
{
|
|
|
c88997 |
unsigned int size;
|
|
|
c88997 |
isc_uint32_t version;
|
|
|
c88997 |
@@ -460,7 +643,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
|
|
|
c88997 |
if (version != 1)
|
|
|
c88997 |
return (ISCCC_R_UNKNOWNVERSION);
|
|
|
c88997 |
|
|
|
c88997 |
- return (table_fromwire(source, secret, alistp));
|
|
|
c88997 |
+ return (table_fromwire(source, secret, algorithm, alistp));
|
|
|
c88997 |
}
|
|
|
c88997 |
|
|
|
c88997 |
static isc_result_t
|
|
|
c88997 |
@@ -523,8 +706,8 @@ createmessage(isc_uint32_t version, const char *from, const char *to,
|
|
|
c88997 |
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
|
|
|
c88997 |
- isc_uint32_t serial, isccc_time_t now,
|
|
|
c88997 |
- isccc_time_t expires, isccc_sexpr_t **alistp)
|
|
|
c88997 |
+ isc_uint32_t serial, isccc_time_t now,
|
|
|
c88997 |
+ isccc_time_t expires, isccc_sexpr_t **alistp)
|
|
|
c88997 |
{
|
|
|
c88997 |
return (createmessage(version, from, to, serial, now, expires,
|
|
|
c88997 |
alistp, ISC_TRUE));
|
|
|
c88997 |
@@ -532,7 +715,7 @@ isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
|
|
|
c88997 |
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
|
|
|
c88997 |
- isccc_sexpr_t **ackp)
|
|
|
c88997 |
+ isccc_sexpr_t **ackp)
|
|
|
c88997 |
{
|
|
|
c88997 |
char *_frm, *_to;
|
|
|
c88997 |
isc_uint32_t serial;
|
|
|
c88997 |
@@ -610,7 +793,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
|
|
|
c88997 |
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
|
|
|
c88997 |
- isccc_time_t expires, isccc_sexpr_t **alistp)
|
|
|
c88997 |
+ isccc_time_t expires, isccc_sexpr_t **alistp)
|
|
|
c88997 |
{
|
|
|
c88997 |
char *_frm, *_to, *type = NULL;
|
|
|
c88997 |
isc_uint32_t serial;
|
|
|
c88997 |
@@ -720,7 +903,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
|
|
|
c88997 |
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
|
|
|
c88997 |
- isc_uint32_t *uintp)
|
|
|
c88997 |
+ isc_uint32_t *uintp)
|
|
|
c88997 |
{
|
|
|
c88997 |
isccc_sexpr_t *kv, *v;
|
|
|
c88997 |
|
|
|
c88997 |
@@ -798,7 +981,7 @@ has_whitespace(const char *str)
|
|
|
c88997 |
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
|
|
|
c88997 |
- isccc_time_t now)
|
|
|
c88997 |
+ isccc_time_t now)
|
|
|
c88997 |
{
|
|
|
c88997 |
const char *_frm;
|
|
|
c88997 |
const char *_to;
|
|
|
c88997 |
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
|
|
|
c88997 |
index 79393be..777e675 100644
|
|
|
c88997 |
--- a/lib/isccc/include/isccc/cc.h
|
|
|
c88997 |
+++ b/lib/isccc/include/isccc/cc.h
|
|
|
c88997 |
@@ -41,6 +41,16 @@
|
|
|
c88997 |
|
|
|
c88997 |
ISC_LANG_BEGINDECLS
|
|
|
c88997 |
|
|
|
c88997 |
+/*% from lib/dns/include/dst/dst.h */
|
|
|
c88997 |
+
|
|
|
c88997 |
+#define ISCCC_ALG_UNKNOWN 0
|
|
|
c88997 |
+#define ISCCC_ALG_HMACMD5 157
|
|
|
c88997 |
+#define ISCCC_ALG_HMACSHA1 161
|
|
|
c88997 |
+#define ISCCC_ALG_HMACSHA224 162
|
|
|
c88997 |
+#define ISCCC_ALG_HMACSHA256 163
|
|
|
c88997 |
+#define ISCCC_ALG_HMACSHA384 164
|
|
|
c88997 |
+#define ISCCC_ALG_HMACSHA512 165
|
|
|
c88997 |
+
|
|
|
c88997 |
/*% Maximum Datagram Package */
|
|
|
c88997 |
#define ISCCC_CC_MAXDGRAMPACKET 4096
|
|
|
c88997 |
|
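Review bot: The new `ISCCC_ALG_*` defines carry only `/*% from lib/dns/include/dst/dst.h */`, which says neither why the numbers are duplicated here nor that they are wire-visible: in cc.c `isccc_cc_towire` writes the value into the `hsha` `_auth` field with `PUT8(algorithm, hmac_alg)`, and `verify()` rejects a message whose transmitted byte differs from the caller's `algorithm`, so the numbers cannot be renumbered and must match on both peers. Suggest `/*% HMAC algorithm numbers, identical to DST_ALG_* in lib/dns/include/dst/dst.h (presumably duplicated so isccc need not depend on libdns — confirm). The value is sent on the wire as one byte in the hsha _auth field; do not renumber. */`. Note also that `ISCCC_ALG_UNKNOWN` (0) is what `value_fromwire` passes for nested tables, which the comment could mention.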
|
|
c88997 |
@@ -56,23 +66,23 @@ ISC_LANG_BEGINDECLS
|
|
|
c88997 |
/*% Send to Wire */
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
|
|
|
c88997 |
- isccc_region_t *secret);
|
|
|
c88997 |
+ isc_uint32_t algorithm, isccc_region_t *secret);
|
|
|
c88997 |
|
|
|
c88997 |
/*% Get From Wire */
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
|
|
|
c88997 |
- isccc_region_t *secret);
|
|
|
c88997 |
+ isc_uint32_t algorithm, isccc_region_t *secret);
|
|
|
c88997 |
|
|
|
c88997 |
/*% Create Message */
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
|
|
|
c88997 |
- isc_uint32_t serial, isccc_time_t now,
|
|
|
c88997 |
- isccc_time_t expires, isccc_sexpr_t **alistp);
|
|
|
c88997 |
+ isc_uint32_t serial, isccc_time_t now,
|
|
|
c88997 |
+ isccc_time_t expires, isccc_sexpr_t **alistp);
|
|
|
c88997 |
|
|
|
c88997 |
/*% Create Acknowledgment */
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
|
|
|
c88997 |
- isccc_sexpr_t **ackp);
|
|
|
c88997 |
+ isccc_sexpr_t **ackp);
|
|
|
c88997 |
|
|
|
c88997 |
/*% Is Ack? */
|
|
|
c88997 |
isc_boolean_t
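Review bot: The new `algorithm` parameter on `isccc_cc_towire` and `isccc_cc_fromwire` is undocumented; the header's one-line `/*% Send to Wire */` style comments say neither which values are accepted nor what happens with an unsupported one (in cc.c, `sign()` and `verify()` return ISC_R_FAILURE for anything outside the ISCCC_ALG_HMAC* set, and a transmitted algorithm byte that differs from the caller's value yields ISCCC_R_BADAUTH). Suggest `/*% Send to Wire; algorithm is one of ISCCC_ALG_HMAC* and selects the HMAC used when secret is non-NULL */` and `/*% Get From Wire; algorithm must match the HMAC the peer signed with, otherwise ISCCC_R_BADAUTH */`.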
|
|
|
c88997 |
@@ -85,7 +95,7 @@ isccc_cc_isreply(isccc_sexpr_t *message);
|
|
|
c88997 |
/*% Create Response */
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
|
|
|
c88997 |
- isccc_time_t expires, isccc_sexpr_t **alistp);
|
|
|
c88997 |
+ isccc_time_t expires, isccc_sexpr_t **alistp);
|
|
|
c88997 |
|
|
|
c88997 |
/*% Define String */
|
|
|
c88997 |
isccc_sexpr_t *
|
|
|
c88997 |
@@ -102,7 +112,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
|
|
|
c88997 |
/*% Lookup uint 32 */
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
|
|
|
c88997 |
- isc_uint32_t *uintp);
|
|
|
c88997 |
+ isc_uint32_t *uintp);
|
|
|
c88997 |
|
|
|
c88997 |
/*% Create Symbol Table */
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
@@ -115,7 +125,7 @@ isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
|
|
|
c88997 |
/*% Check for Duplicates */
|
|
|
c88997 |
isc_result_t
|
|
|
c88997 |
isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
|
|
|
c88997 |
- isccc_time_t now);
|
|
|
c88997 |
+ isccc_time_t now);
|
|
|
c88997 |
|
|
|
c88997 |
ISC_LANG_ENDDECLS
|
|
|
c88997 |
|
|
|
c88997 |
--
|
|
|
c88997 |
2.9.5
|
|
|
c88997 |
|