NetBSD-Bugs archive
Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
The following reply was made to PR bin/49138; it has been noted by GNATS.
From: "Jeremy C. Reed" <reed%reedmedia.net@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
Date: Mon, 8 Sep 2014 12:11:17 -0500 (CDT)
From ISC:
diff --git a/RELNOTES b/RELNOTES
index 3593975..991c2c1 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -54,6 +54,11 @@ by Eric Young (eay%cryptsoft.com@localhost).
Changes since 4.3.1
+- TSIG-authenticated dynamic DNS updates now support the use of these
+ additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
+ and hmac-sha512
+ [ISC-Bugs #36947]
+
- Corrected rate limiting checks for bad packet logging.
[ISC-Bugs #36897]
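Review bot: the new RELNOTES entry lists the algorithm names but does not say where a user selects them; one clause pointing at the algorithm option of the dhcpd.conf key statement (the same place hmac-md5 is configured today, and which remains supported) would make the entry actionable without having to read the man page diff.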
diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
index 831047a..caa388a 100644
--- a/includes/omapip/isclib.h
+++ b/includes/omapip/isclib.h
@@ -3,7 +3,7 @@
connections to the isc and dns libraries */
/*
- * Copyright (c) 2009,2013 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -106,6 +106,11 @@ extern dhcp_context_t dhcp_gbl_ctx;
#define DHCP_MAXDNS_WIRE 256
#define DHCP_MAXNS 3
#define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."
isc_result_t dhcp_isc_name(unsigned char *namestr,
dns_fixedname_t *namefix,
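Review bot: the five new DHCP_HMAC_SHA*_NAME strings borrow the ".SIG-ALG.REG.INT." suffix from the HMAC-MD5 name, but that suffix belongs only to HMAC-MD5; RFC 4635 registers the SHA variants as plain "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384" and "hmac-sha512". As written these defines only work as internal match tokens for whatever spelling the configuration parser produces, so a comment above them should say so, and whichever code turns the resulting dst key into a TSIG key must still supply the proper RFC 4635 algorithm name rather than these strings, otherwise the peer will reject the signature with BADKEY.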
diff --git a/omapip/isclib.c b/omapip/isclib.c
index 69edc2e..3e5e1c2 100644
--- a/omapip/isclib.c
+++ b/omapip/isclib.c
@@ -289,12 +289,24 @@ isclib_make_dst_key(char *inname,
dns_name_t *name;
dns_fixedname_t name0;
isc_buffer_t b;
+ unsigned int algorithm_code;
isc_buffer_init(&b, secret, length);
isc_buffer_add(&b, length);
- /* We only support HMAC_MD5 currently */
- if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
+ if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACMD5;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA1;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA224;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA256;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA384;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA512;
+ } else {
return(DHCP_R_INVALIDARG);
}
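Review bot: the six-way strcasecmp chain in isclib_make_dst_key would be simpler and easier to extend as a small static table of { name, DST_ALG_* } pairs walked in a loop, which also keeps the algorithm list in one place instead of duplicating it between this function and the header. Separately, the else branch that returns DHCP_R_INVALIDARG silently drops the rejected algorithm string; logging it (the key name is available in inname) would save users a good deal of guesswork when a typo in the key statement makes every update fail.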
@@ -303,7 +315,7 @@ isclib_make_dst_key(char *inname,
return(result);
}
- return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,
+ return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,
DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
&b, dhcp_gbl_ctx.mctx, dstkey));
}
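Review bot: passing algorithm_code to dst_key_frombuffer is correct, but nothing here checks that the secret length is reasonable for the chosen algorithm. HMAC keys shorter than the hash output weaken the MAC (RFC 2104), and a key generated with too small a -b value will be accepted silently; a warning when length is below the digest size of the selected DST_ALG_HMACSHA* algorithm (20, 28, 32, 48 or 64 bytes) would catch that at configuration time rather than leaving it to an operator to notice.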
diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5
index 2c63f9c..3a7739e 100644
--- a/server/dhcpd.conf.5
+++ b/server/dhcpd.conf.5
@@ -1,6 +1,6 @@
.\" dhcpd.conf.5
.\"
-.\" Copyright (c) 2004-2013 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 2004-2014 by Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (c) 1996-2003 by Internet Software Consortium
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -1305,6 +1305,18 @@ dnssec-keygen, the above key would be created as
follows:
dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
.fi
.PP
+The key name, algorithm, and secret must match that being used by the DNS
+server. The DHCP server currently supports the following algorithms:
+.nf
+
+ HMAC-MD5
+ HMAC-SHA1
+ HMAC-SHA224
+ HMAC-SHA256
+ HMAC-SHA384
+ HMAC-SHA512
+.fi
+.PP
You may wish to enable logging of DNS updates on your DNS server.
To do so, you might write a logging statement like the following:
.PP
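Review bot: the new paragraph lists the supported algorithms, but the dnssec-keygen example a few lines above it still shows only HMAC-MD5 with a 128-bit key. Adding a second example for one of the SHA-2 variants, for instance "dnssec-keygen -a HMAC-SHA256 -b 256 -n USER DHCP_UPDATER" together with the matching "algorithm hmac-sha256;" line in the key statement, would show readers how to use the new options and steer new deployments away from HMAC-MD5; a sentence recommending the SHA-2 algorithms for new keys would also be appropriate here.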