dhcp/0023-dhcp-4.2.x-ddns-tsig-hmac-sha-support.890731.patch

Author: Thomas Markwalder <tmark@isc.org>
Subject: Addes addtional HMAC TSIG algorithms to DDNS
References: bsc#890731, ISC-Bugs#36947
Upstream: yes

TSIG-authenticated dynamic DNS updates now support the use of these
additional algorithms: hmac-sha1, hmac_sha224, hmac_sha256, hmac_sha384,
and hmac_sha512. [ISC-Bugs #36947]

RFC4635 updates RFC2845 and mandates hmac-sha1 and hmac-sha256 support.

diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
index fc45ef3..a9df110 100644
--- a/includes/omapip/isclib.h
+++ b/includes/omapip/isclib.h
@@ -104,6 +104,11 @@ extern dhcp_context_t dhcp_gbl_ctx;
 #define DHCP_MAXDNS_WIRE 256
 #define DHCP_MAXNS         3
 #define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."
 
 isc_result_t dhcp_isc_name(unsigned char    *namestr,
 			   dns_fixedname_t  *namefix,
diff --git a/omapip/isclib.c b/omapip/isclib.c
index 9b7ff5f..e9cb321 100644
--- a/omapip/isclib.c
+++ b/omapip/isclib.c
@@ -230,12 +230,24 @@ isclib_make_dst_key(char          *inname,
 	dns_name_t *name;
 	dns_fixedname_t name0;
 	isc_buffer_t b;
+	unsigned int algorithm_code;
 
 	isc_buffer_init(&b, secret, length);
 	isc_buffer_add(&b, length);
 
-	/* We only support HMAC_MD5 currently */
-	if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
+	if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACMD5;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA1;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA224;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA256;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA384;
+	} else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {
+		algorithm_code =  DST_ALG_HMACSHA512;
+	} else {
 		return(DHCP_R_INVALIDARG);
 	}
 
@@ -244,7 +256,7 @@ isclib_make_dst_key(char          *inname,
 		return(result);
 	}
 
-	return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,
+	return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,
 				  DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
 				  &b, dhcp_gbl_ctx.mctx, dstkey));
 }
diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5
index e639db6..def7bec 100644
--- a/server/dhcpd.conf.5
+++ b/server/dhcpd.conf.5
@@ -1388,11 +1388,16 @@ dnssec-keygen, the above key would be created as follows:
 	dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
 .fi
 .PP
-If you are using the BIND 8 dnskeygen program, the following command will
-generate a key as seen above:
-.PP
+The key name, algorithm, and secret must match that being used by the DNS
+server. The DHCP server currently supports the following algorithms:
 .nf
-	dnskeygen -H 128 -u -c -n DHCP_UPDATER
+
+        HMAC-MD5
+        HMAC-SHA1
+        HMAC-SHA224
+        HMAC-SHA256
+        HMAC-SHA384
+        HMAC-SHA512
 .fi
 .PP
 You may wish to enable logging of DNS updates on your DNS server.
- Applied contrib/ldap/dhcpd-conf-to-ldap patch by Ales Novak to reorder config to add all global options or option declarations to the dhcpService object instead to create new service object (bsc#886094,ISC-Bugs#37876). [+ dhcp-4.2.x-contrib-conf-to-ldap-reorder.886094.patch] - Applied an upstream patch by Thomas Markwalder adding missed mapping of SHA TSIG algorithm names to their constants to enable hmac-sha1, hmac_sha224, hmac_sha256, hmac_sha384 and hmac_sha512 authenticated dynamic DNS updates (bsc#890731, ISC-Bugs#36947). [+ dhcp-4.2.x-ddns-tsig-hmac-sha-support.890731.patch] - Decline IPv6 addresses on Duplicate Address Detection failure and stop client message exchanges on reached MRD rather than at some point after it. Applied fedora patches by Jiri Popelka and added DAD reporting via exit 3 to the dhclient-script and a fix to use correct address variables in the DEPREF6 action (bsc#872609,ISC-Bugs#26735,ISC-Bugs#21238). [+ dhcp-4.2.x-dhcpv6-decline-on-DAD-failure.872609.patch, + dhcp-4.2.x-dhcpv6-retransmission-until-MRD.872609.patch] - Applied backport patch by William Preston avoiding to bind ddns socket in the server when ddns-update-style is none (bsc#891655). [+ dhcp-4.2.x-disable-unused-ddns-port-in-server.891655.patch] - Applied patch for the contrib/ldap/dhcpd-conf-to-ldap script fixing subclass statement handling (bnc#878846,[ISC-Bugs #36409]) [+ dhcp-4.2.4-P2-bnc878846-conf-to-ldap.patch] - Updated licence statement and FSF address in our scripts. - Added missed service_add_pre macro calls for dhcrelay services OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=141 2014-11-21 12:33:30 +01:00			`Author: Thomas Markwalder <tmark@isc.org>`
			`Subject: Addes addtional HMAC TSIG algorithms to DDNS`
			`References: bsc#890731, ISC-Bugs#36947`
			`Upstream: yes`

			`TSIG-authenticated dynamic DNS updates now support the use of these`
			`additional algorithms: hmac-sha1, hmac_sha224, hmac_sha256, hmac_sha384,`
			`and hmac_sha512. [ISC-Bugs #36947]`

			`RFC4635 updates RFC2845 and mandates hmac-sha1 and hmac-sha256 support.`

			`diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h`
			`index fc45ef3..a9df110 100644`
			`--- a/includes/omapip/isclib.h`
			`+++ b/includes/omapip/isclib.h`
			`@@ -104,6 +104,11 @@ extern dhcp_context_t dhcp_gbl_ctx;`
			`#define DHCP_MAXDNS_WIRE 256`
			`#define DHCP_MAXNS 3`
			`#define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."`
			`+#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."`
			`+#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."`
			`+#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."`
			`+#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."`
			`+#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."`

			`isc_result_t dhcp_isc_name(unsigned char *namestr,`
			`dns_fixedname_t *namefix,`
			`diff --git a/omapip/isclib.c b/omapip/isclib.c`
			`index 9b7ff5f..e9cb321 100644`
			`--- a/omapip/isclib.c`
			`+++ b/omapip/isclib.c`
			`@@ -230,12 +230,24 @@ isclib_make_dst_key(char *inname,`
			`dns_name_t *name;`
			`dns_fixedname_t name0;`
			`isc_buffer_t b;`
			`+ unsigned int algorithm_code;`

			`isc_buffer_init(&b, secret, length);`
			`isc_buffer_add(&b, length);`

			`- /* We only support HMAC_MD5 currently */`
			`- if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {`
			`+ if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {`
			`+ algorithm_code = DST_ALG_HMACMD5;`
			`+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {`
			`+ algorithm_code = DST_ALG_HMACSHA1;`
			`+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {`
			`+ algorithm_code = DST_ALG_HMACSHA224;`
			`+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {`
			`+ algorithm_code = DST_ALG_HMACSHA256;`
			`+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {`
			`+ algorithm_code = DST_ALG_HMACSHA384;`
			`+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {`
			`+ algorithm_code = DST_ALG_HMACSHA512;`
			`+ } else {`
			`return(DHCP_R_INVALIDARG);`
			`}`

			`@@ -244,7 +256,7 @@ isclib_make_dst_key(char *inname,`
			`return(result);`
			`}`

			`- return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,`
			`+ return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,`
			`DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,`
			`&b, dhcp_gbl_ctx.mctx, dstkey));`
			`}`
			`diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5`
			`index e639db6..def7bec 100644`
			`--- a/server/dhcpd.conf.5`
			`+++ b/server/dhcpd.conf.5`
			`@@ -1388,11 +1388,16 @@ dnssec-keygen, the above key would be created as follows:`
			`dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER`
			`.fi`
			`.PP`
			`-If you are using the BIND 8 dnskeygen program, the following command will`
			`-generate a key as seen above:`
			`-.PP`
			`+The key name, algorithm, and secret must match that being used by the DNS`
			`+server. The DHCP server currently supports the following algorithms:`
			`.nf`
			`- dnskeygen -H 128 -u -c -n DHCP_UPDATER`
			`+`
			`+ HMAC-MD5`
			`+ HMAC-SHA1`
			`+ HMAC-SHA224`
			`+ HMAC-SHA256`
			`+ HMAC-SHA384`
			`+ HMAC-SHA512`
			`.fi`
			`.PP`
			`You may wish to enable logging of DNS updates on your DNS server.`