
commit 71c56235c6fbdeed3ba5a75bb379a34394106619
Author: Pavel Zhukov <pzhukov@redhat.com>
Date:   Mon Apr 10 12:59:07 2017 +0200
    Backported upstream commit e4a2cb79b2679738f56b3803a44c9899f6982c09
diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
index ddefeb5..4dffcb9 100644
--- a/includes/omapip/isclib.h
+++ b/includes/omapip/isclib.h
@@ -104,6 +104,11 @@ extern dhcp_context_t dhcp_gbl_ctx;
 #define DHCP_MAXDNS_WIRE 256
 #define DHCP_MAXNS         3
 #define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."
 
 isc_result_t dhcp_isc_name(unsigned char    *namestr,
 			   dns_fixedname_t  *namefix,
diff --git a/omapip/isclib.c b/omapip/isclib.c
index 1534dde..be1982e 100644
--- a/omapip/isclib.c
+++ b/omapip/isclib.c
@@ -198,21 +198,34 @@ isclib_make_dst_key(char          *inname,
 	dns_name_t *name;
 	dns_fixedname_t name0;
 	isc_buffer_t b;
+        unsigned int algorithm_code;
 
 	isc_buffer_init(&b, secret, length);
 	isc_buffer_add(&b, length);
 
-	/* We only support HMAC_MD5 currently */
-	if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
+        if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACMD5;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA1;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA224;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA256;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA384;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA512;
+	} else {
 		return(DHCP_R_INVALIDARG);
 	}
 
+
 	result = dhcp_isc_name((unsigned char *)inname, &name0, &name);
 	if (result != ISC_R_SUCCESS) {
 		return(result);
 	}
 
-	return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,
+        return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,
 				  DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
 				  &b, dhcp_gbl_ctx.mctx, dstkey));
 }
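Review bot: The added lines `unsigned int algorithm_code;`, the first `if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {` and the final `return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,` are indented with spaces while the rest of isclib_make_dst_key uses tabs, and each assignment carries a doubled space as in `algorithm_code =  DST_ALG_HMACMD5;`; normalizing these to the file's tab style would keep the backport clean to rebase. The extra empty line added before the `dhcp_isc_name` call leaves two consecutive blank lines and can be dropped. The removed comment `/* We only support HMAC_MD5 currently */` is worth replacing with one such as `/* Map the configured TSIG algorithm name (compared case-insensitively) to its DST algorithm code. */` so the reason for the strcasecmp chain stays documented. The `else` branch still returns DHCP_R_INVALIDARG without naming the rejected algorithm, so a misspelled algorithm in a key definition surfaces only as a generic invalid-argument result unless the caller, which is outside this hunk, logs it. isclib_make_dst_key's signature and the declarations of result and name begin above this hunk.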
diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5
index 0cb50a6..74393c2 100644
--- a/server/dhcpd.conf.5
+++ b/server/dhcpd.conf.5
@@ -1398,6 +1398,18 @@ generate a key as seen above:
 	dnskeygen -H 128 -u -c -n DHCP_UPDATER
 .fi
 .PP
+The key name, algorithm, and secret must match that being used by the DNS
+server. The DHCP server currently supports the following algorithms:
+.nf
+
+        HMAC-MD5
+        HMAC-SHA1
+        HMAC-SHA224
+        HMAC-SHA256
+        HMAC-SHA384
+        HMAC-SHA512
+.fi
+.PP
 You may wish to enable logging of DNS updates on your DNS server.
 To do so, you might write a logging statement like the following:
 .PP