NetBSD-Bugs archive


Re: lib/49138: "libdns" cannot use "hmac-sha512" keys



The following reply was made to PR bin/49138; it has been noted by GNATS.

From: "Jeremy C. Reed" <reed%reedmedia.net@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: lib/49138: "libdns" cannot use "hmac-sha512" keys
Date: Mon, 8 Sep 2014 12:11:17 -0500 (CDT)

 From ISC:
 x
 diff --git a/RELNOTES b/RELNOTES
 index 3593975..991c2c1 100644
 --- a/RELNOTES
 +++ b/RELNOTES
 @@ -54,6 +54,11 @@ by Eric Young (eay%cryptsoft.com@localhost).
  
                        Changes since 4.3.1
  
 +- TSIG-authenticated dynamic DNS updates now support the use of these
 +  additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
 +  and hmac-sha512
 +  [ISC-Bugs #36947]
 +
  - Corrected rate limiting checks for bad packet logging. 
    [ISC-Bugs #36897]
  
 diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
 index 831047a..caa388a 100644
 --- a/includes/omapip/isclib.h
 +++ b/includes/omapip/isclib.h
 @@ -3,7 +3,7 @@
     connections to the isc and dns libraries */
  
  /*
 - * Copyright (c) 2009,2013 by Internet Systems Consortium, Inc. ("ISC")
 + * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
   *
   * Permission to use, copy, modify, and distribute this software for any
   * purpose with or without fee is hereby granted, provided that the above
 @@ -106,6 +106,11 @@ extern dhcp_context_t dhcp_gbl_ctx;
  #define DHCP_MAXDNS_WIRE 256
  #define DHCP_MAXNS         3
  #define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
 +#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."
  
  isc_result_t dhcp_isc_name(unsigned char    *namestr,
                           dns_fixedname_t  *namefix,
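Review bot: The five new DHCP_HMAC_SHA*_NAME macros are added without any comment saying what the strings are, which matters because they are compared case-insensitively against the `algorithm` argument in isclib_make_dst_key and must stay in step with the DST_ALG_* values chosen there. I would add a one-line comment above the DHCP_HMAC_MD5_NAME group: `/* TSIG algorithm names accepted by isclib_make_dst_key(); compared case-insensitively */`. The hunk otherwise only adds constants, so no code change is needed.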
 diff --git a/omapip/isclib.c b/omapip/isclib.c
 index 69edc2e..3e5e1c2 100644
 --- a/omapip/isclib.c
 +++ b/omapip/isclib.c
 @@ -289,12 +289,24 @@ isclib_make_dst_key(char          *inname,
        dns_name_t *name;
        dns_fixedname_t name0;
        isc_buffer_t b;
 +      unsigned int algorithm_code;
  
        isc_buffer_init(&b, secret, length);
        isc_buffer_add(&b, length);
  
 -      /* We only support HMAC_MD5 currently */
 -      if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
 +      if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {
 +              algorithm_code =  DST_ALG_HMACMD5;
 +      } else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {
 +              algorithm_code =  DST_ALG_HMACSHA1;
 +      } else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {
 +              algorithm_code =  DST_ALG_HMACSHA224;
 +      } else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {
 +              algorithm_code =  DST_ALG_HMACSHA256;
 +      } else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {
 +              algorithm_code =  DST_ALG_HMACSHA384;
 +      } else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {
 +              algorithm_code =  DST_ALG_HMACSHA512;
 +      } else {
                return(DHCP_R_INVALIDARG);
        }
  
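Review bot: The six-way `strcasecmp`/`else if` chain that replaces the old single check would read better, and be easier to extend, as a small file-scope table of name/code pairs scanned in one loop; each new algorithm then becomes one table row instead of two more lines in the chain. The enclosing isclib_make_dst_key starts before this hunk, and the second isclib.c hunk (the dst_key_frombuffer call) only consumes `algorithm_code`, so it needs no further change. Nothing in this hunk checks `length` against the chosen algorithm; presumably dst_key_frombuffer validates the secret size, but that is worth confirming since the buffer is handed over unchecked. A short comment at the top of the chain, `/* map the TSIG algorithm name (see DHCP_HMAC_*_NAME in isclib.h) to its DST code */`, would also replace the information lost with the removed "We only support HMAC_MD5" comment.
```c
/* TSIG algorithm names (isclib.h) and the DST codes they select. */
static const struct {
	const char   *name;
	unsigned int  code;
} hmac_algs[] = {
	{ DHCP_HMAC_MD5_NAME,    DST_ALG_HMACMD5    },
	{ DHCP_HMAC_SHA1_NAME,   DST_ALG_HMACSHA1   },
	{ DHCP_HMAC_SHA224_NAME, DST_ALG_HMACSHA224 },
	{ DHCP_HMAC_SHA256_NAME, DST_ALG_HMACSHA256 },
	{ DHCP_HMAC_SHA384_NAME, DST_ALG_HMACSHA384 },
	{ DHCP_HMAC_SHA512_NAME, DST_ALG_HMACSHA512 },
};
/* … unchanged: isclib_make_dst_key locals and isc_buffer setup … */
	size_t i;
	const size_t nalgs = sizeof(hmac_algs) / sizeof(hmac_algs[0]);

	/* Map the algorithm name to its DST code; unknown names are rejected. */
	for (i = 0; i < nalgs; i++) {
		if (strcasecmp(algorithm, hmac_algs[i].name) == 0) {
			break;
		}
	}
	if (i == nalgs) {
		return(DHCP_R_INVALIDARG);
	}
	algorithm_code = hmac_algs[i].code;
```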
 @@ -303,7 +315,7 @@ isclib_make_dst_key(char          *inname,
                return(result);
        }
  
 -      return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,
 +      return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,
                                  DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
                                  &b, dhcp_gbl_ctx.mctx, dstkey));
  }
 diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5
 index 2c63f9c..3a7739e 100644
 --- a/server/dhcpd.conf.5
 +++ b/server/dhcpd.conf.5
 @@ -1,6 +1,6 @@
  .\"   dhcpd.conf.5
  .\"
 -.\" Copyright (c) 2004-2013 by Internet Systems Consortium, Inc. ("ISC")
 +.\" Copyright (c) 2004-2014 by Internet Systems Consortium, Inc. ("ISC")
  .\" Copyright (c) 1996-2003 by Internet Software Consortium
  .\"
  .\" Permission to use, copy, modify, and distribute this software for any
 @@ -1305,6 +1305,18 @@ dnssec-keygen, the above key would be created as 
follows:
        dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
  .fi
  .PP
 +The key name, algorithm, and secret must match that being used by the DNS
 +server. The DHCP server currently supports the following algorithms:
 +.nf
 +
 +        HMAC-MD5
 +        HMAC-SHA1
 +        HMAC-SHA224
 +        HMAC-SHA256
 +        HMAC-SHA384
 +        HMAC-SHA512
 +.fi
 +.PP
  You may wish to enable logging of DNS updates on your DNS server.
  To do so, you might write a logging statement like the following:
  .PP
 

