|
 |
37f44c |
From e6ffc27f24321017a5ad9af3707f4e2e54bbac74 Mon Sep 17 00:00:00 2001
|
|
|
37f44c |
From: Thomas Markwalder <tmark@isc.org>
|
|
|
37f44c |
Date: Mon, 11 Dec 2017 07:19:43 -0500
|
|
|
37f44c |
Subject: [PATCH] [master] Adds key-algorithm statement to omshell
|
|
|
37f44c |
|
|
|
37f44c |
Merges in rt46771.
|
|
|
37f44c |
---
|
|
|
37f44c |
RELNOTES | 7 +++++++
|
|
|
37f44c |
common/conflex.c | 2 ++
|
|
|
37f44c |
dhcpctl/omshell.1 | 32 ++++++++++++++++++++++++--------
|
|
|
37f44c |
dhcpctl/omshell.c | 38 +++++++++++++++++++++++++++++++++++---
|
|
|
37f44c |
includes/dhctoken.h | 3 ++-
|
|
|
37f44c |
5 files changed, 70 insertions(+), 12 deletions(-)
|
|
|
37f44c |
|
|
|
37f44c |
diff --git a/common/conflex.c b/common/conflex.c
|
|
|
37f44c |
index 8ce024af..045b655d 100644
|
|
|
37f44c |
--- a/common/conflex.c
|
|
|
37f44c |
+++ b/common/conflex.c
|
|
|
37f44c |
@@ -1104,6 +1104,8 @@ intern(char *atom, enum dhcp_token dfv) {
|
|
|
37f44c |
}
|
|
|
37f44c |
if (!strcasecmp (atom + 1, "ey"))
|
|
|
37f44c |
return KEY;
|
|
|
37f44c |
+ if (!strcasecmp (atom + 1, "ey-algorithm"))
|
|
|
37f44c |
+ return KEY_ALGORITHM;
|
|
|
37f44c |
break;
|
|
|
37f44c |
case 'l':
|
|
|
37f44c |
if (!strcasecmp (atom + 1, "case"))
|
|
|
37f44c |
diff --git a/dhcpctl/omshell.1 b/dhcpctl/omshell.1
|
|
|
37f44c |
index 4846272a..2f55e965 100644
|
|
|
37f44c |
--- a/dhcpctl/omshell.1
|
|
|
37f44c |
+++ b/dhcpctl/omshell.1
|
|
|
37f44c |
@@ -1,7 +1,6 @@
|
|
|
37f44c |
.\" $Id: omshell.1,v 1.6 2009/11/24 02:06:56 sar Exp $
|
|
|
37f44c |
.\"
|
|
|
37f44c |
-.\" Copyright (c) 2012,2014 by Internet Systems Consortium, Inc. ("ISC")
|
|
|
37f44c |
-.\" Copyright (c) 2004,2009 by Internet Systems Consortium, Inc. ("ISC")
|
|
|
37f44c |
+.\" Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
|
|
|
37f44c |
.\" Copyright (c) 2001-2003 by Internet Software Consortium
|
|
|
37f44c |
.\"
|
|
|
37f44c |
.\" Permission to use, copy, modify, and distribute this software for any
|
|
|
37f44c |
@@ -81,7 +80,24 @@ where number is the port that OMAPI listens on. By default, this is 7911.
|
|
|
37f44c |
This specifies the TSIG key to use to authenticate the OMAPI transactions.
|
|
|
37f44c |
\fIname\fR is the name of a key defined in \fIdhcpd.conf\fR with the
|
|
|
37f44c |
\fBomapi-key\fR statement. The \fIsecret\fR is the secret key generated from
|
|
|
37f44c |
-\fBdnssec-keygen\fR or another key generation program.
|
|
|
37f44c |
+\fBdnssec-keygen\fR or another key generation program. The key algorithm is
|
|
|
37f44c |
+assumed to be HMAC-MD5 key. If a different algorithm was specified in dhcpd.conf
|
|
|
37f44c |
+file for the key, then it must be specified via the \fIkey-algorithm\fR statement.
|
|
|
37f44c |
+.RE
|
|
|
37f44c |
+.PP
|
|
|
37f44c |
+.B key-algorithm \fIalgorithm\fR
|
|
|
37f44c |
+.RS 0.5i
|
|
|
37f44c |
+This specifies the cryptographic algorithm for the key used when authenticating OMAPI
|
|
|
37f44c |
+transactions. Supported values for \fIalgorithm\fR are:
|
|
|
37f44c |
+.nf
|
|
|
37f44c |
+ HMAC-MD5
|
|
|
37f44c |
+ HMAC-SHA1
|
|
|
37f44c |
+ HMAC-SHA224
|
|
|
37f44c |
+ HMAC-SHA256
|
|
|
37f44c |
+ HMAC-SHA384
|
|
|
37f44c |
+ HMAC-SHA512
|
|
|
37f44c |
+fi
|
|
|
37f44c |
+The default is HMAC-MD5. (Value is not case sensitive).
|
|
|
37f44c |
.RE
|
|
|
37f44c |
.PP
|
|
|
37f44c |
.B connect
|
|
|
37f44c |
@@ -253,7 +269,7 @@ name = "some-host"
|
|
|
37f44c |
hardware-address = 00:80:c7:84:b1:94
|
|
|
37f44c |
hardware-type = 00:00:00:01
|
|
|
37f44c |
ip-address = c0:a8:04:28
|
|
|
37f44c |
->
|
|
|
37f44c |
+>
|
|
|
37f44c |
.fi
|
|
|
37f44c |
.PP
|
|
|
37f44c |
Your dhcpd.leases file would then have an entry like this in it:
|
|
|
37f44c |
@@ -267,7 +283,7 @@ host some-host {
|
|
|
37f44c |
.fi
|
|
|
37f44c |
.PP
|
|
|
37f44c |
The \fIdynamic;\fR line is to denote that this host entry did not come from
|
|
|
37f44c |
-dhcpd.conf, but was created dynamically via OMAPI.
|
|
|
37f44c |
+dhcpd.conf, but was created dynamically via OMAPI.
|
|
|
37f44c |
.SH RESETTING ATTRIBUTES
|
|
|
37f44c |
.PP
|
|
|
37f44c |
If you want to remove an attribute from an object, you can do this with the
|
|
|
37f44c |
@@ -288,7 +304,7 @@ name = "some-host"
|
|
|
37f44c |
hardware-address = 00:80:c7:84:b1:94
|
|
|
37f44c |
hardware-type = 00:00:00:01
|
|
|
37f44c |
ip-address = <null>
|
|
|
37f44c |
->
|
|
|
37f44c |
+>
|
|
|
37f44c |
.fi
|
|
|
37f44c |
.SH REFRESHING OBJECTS
|
|
|
37f44c |
.PP
|
|
|
37f44c |
@@ -300,7 +316,7 @@ particularly useful for hosts.
|
|
|
37f44c |
.PP
|
|
|
37f44c |
Any remote object that can be created can also be destroyed. This is done by
|
|
|
37f44c |
creating a new local object, setting attributes, associating the local and
|
|
|
37f44c |
-remote object using \fBopen\fR, and then using the \fBremove\fR command.
|
|
|
37f44c |
+remote object using \fBopen\fR, and then using the \fBremove\fR command.
|
|
|
37f44c |
If the host "some-host" from before was created in error, this could be
|
|
|
37f44c |
corrected as follows:
|
|
|
37f44c |
.nf
|
|
|
37f44c |
@@ -312,7 +328,7 @@ hardware-type = 00:00:00:01
|
|
|
37f44c |
ip-address = c0:a8:04:28
|
|
|
37f44c |
> remove
|
|
|
37f44c |
obj: <null>
|
|
|
37f44c |
->
|
|
|
37f44c |
+>
|
|
|
37f44c |
.fi
|
|
|
37f44c |
.SH HELP
|
|
|
37f44c |
.PP
|
|
|
37f44c |
diff --git a/dhcpctl/omshell.c b/dhcpctl/omshell.c
|
|
|
37f44c |
index c42bab1a..9233f50e 100644
|
|
|
37f44c |
--- a/dhcpctl/omshell.c
|
|
|
37f44c |
+++ b/dhcpctl/omshell.c
|
|
|
37f44c |
@@ -321,12 +321,42 @@ main(int argc, char **argv) {
|
|
|
37f44c |
}
|
|
|
37f44c |
break;
|
|
|
37f44c |
|
|
|
37f44c |
+ case KEY_ALGORITHM:
|
|
|
37f44c |
+ /* Algorithm is optional */
|
|
|
37f44c |
+ token = next_token (&val, (unsigned *)0, cfile);
|
|
|
37f44c |
+ if (token != NAME || !is_identifier(token)) {
|
|
|
37f44c |
+ printf ("missing or invalid algorithm name\n");
|
|
|
37f44c |
+ printf ("usage: key-algoritm <algorithm name>\n");
|
|
|
37f44c |
+ skip_to_semi (cfile);
|
|
|
37f44c |
+ break;
|
|
|
37f44c |
+ }
|
|
|
37f44c |
+
|
|
|
37f44c |
+ s = dmalloc (strlen (val) + 1, MDL);
|
|
|
37f44c |
+ if (!s) {
|
|
|
37f44c |
+ printf ("no memory for algorithm name.\n");
|
|
|
37f44c |
+ skip_to_semi (cfile);
|
|
|
37f44c |
+ break;
|
|
|
37f44c |
+ }
|
|
|
37f44c |
+
|
|
|
37f44c |
+ strcpy (s, val);
|
|
|
37f44c |
+ algorithm = s;
|
|
|
37f44c |
+
|
|
|
37f44c |
+ token = next_token (&val, (unsigned *)0, cfile);
|
|
|
37f44c |
+ if (token != END_OF_FILE && token != EOL) {
|
|
|
37f44c |
+ printf ("extra information after %s\n", algorithm);
|
|
|
37f44c |
+ printf ("usage: key-algorithm <algorithm name>\n");
|
|
|
37f44c |
+ skip_to_semi (cfile);
|
|
|
37f44c |
+ break;
|
|
|
37f44c |
+ }
|
|
|
37f44c |
+
|
|
|
37f44c |
+ break;
|
|
|
37f44c |
+
|
|
|
37f44c |
case KEY:
|
|
|
37f44c |
token = peek_token(&val, (unsigned *)0, cfile);
|
|
|
37f44c |
if (token == STRING) {
|
|
|
37f44c |
token = next_token (&val, (unsigned *)0, cfile);
|
|
|
37f44c |
if (!is_identifier (token)) {
|
|
|
37f44c |
- printf ("usage: key <name> <value>\n");
|
|
|
37f44c |
+ printf ("usage: key <name> <value>\n");
|
|
|
37f44c |
skip_to_semi (cfile);
|
|
|
37f44c |
break;
|
|
|
37f44c |
}
|
|
|
37f44c |
@@ -340,7 +370,7 @@ main(int argc, char **argv) {
|
|
|
37f44c |
} else {
|
|
|
37f44c |
s = parse_host_name(cfile);
|
|
|
37f44c |
if (s == NULL) {
|
|
|
37f44c |
- printf ("usage: key <name> <value>\n");
|
|
|
37f44c |
+ printf ("usage: key <name> <value>\n");
|
|
|
37f44c |
skip_to_semi(cfile);
|
|
|
37f44c |
break;
|
|
|
37f44c |
}
|
|
|
37f44c |
@@ -352,12 +382,14 @@ main(int argc, char **argv) {
|
|
|
37f44c |
skip_to_semi (cfile);
|
|
|
37f44c |
break;
|
|
|
37f44c |
}
|
|
|
37f44c |
+
|
|
|
37f44c |
token = next_token (&val, (unsigned *)0, cfile);
|
|
|
37f44c |
if (token != END_OF_FILE && token != EOL) {
|
|
|
37f44c |
- printf ("usage: key <name> <secret>\n");
|
|
|
37f44c |
+ printf ("usage: key <name> <value> {algorithm}\n");
|
|
|
37f44c |
skip_to_semi (cfile);
|
|
|
37f44c |
break;
|
|
|
37f44c |
}
|
|
|
37f44c |
+
|
|
|
37f44c |
break;
|
|
|
37f44c |
|
|
|
37f44c |
case CONNECT:
|
|
|
37f44c |
diff --git a/includes/dhctoken.h b/includes/dhctoken.h
|
|
|
37f44c |
index 6fc4df3..ca24d4c 100644
|
|
|
37f44c |
--- a/includes/dhctoken.h
|
|
|
37f44c |
+++ b/includes/dhctoken.h
|
|
|
37f44c |
@@ -374,8 +374,9 @@ enum dhcp_token {
|
|
|
37f44c |
LEASE_ID_FORMAT = 676,
|
|
|
37f44c |
TOKEN_HEX = 677,
|
|
|
37f44c |
TOKEN_OCTAL = 678,
|
|
|
37f44c |
- BOOTP_BROADCAST_ALWAYS = 679,
|
|
|
37f44c |
- DESTINATION_DESCRIPTOR = 680
|
|
|
37f44c |
+ KEY_ALGORITHM = 679,
|
|
|
37f44c |
+ BOOTP_BROADCAST_ALWAYS = 680,
|
|
|
37f44c |
+ DESTINATION_DESCRIPTOR = 681
|
|
|
37f44c |
};
|
|
|
37f44c |
|
|
|
37f44c |
#define is_identifier(x) ((x) >= FIRST_TOKEN && \
|