Author: Thomas Markwalder Subject: Addes addtional HMAC TSIG algorithms to DDNS References: bsc#890731, ISC-Bugs#36947 Upstream: yes TSIG-authenticated dynamic DNS updates now support the use of these additional algorithms: hmac-sha1, hmac_sha224, hmac_sha256, hmac_sha384, and hmac_sha512. [ISC-Bugs #36947] RFC4635 updates RFC2845 and mandates hmac-sha1 and hmac-sha256 support. diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h index fc45ef3..a9df110 100644 --- a/includes/omapip/isclib.h +++ b/includes/omapip/isclib.h @@ -104,6 +104,11 @@ extern dhcp_context_t dhcp_gbl_ctx; #define DHCP_MAXDNS_WIRE 256 #define DHCP_MAXNS 3 #define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT." +#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT." +#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT." +#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT." +#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT." +#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT." isc_result_t dhcp_isc_name(unsigned char *namestr, dns_fixedname_t *namefix, diff --git a/omapip/isclib.c b/omapip/isclib.c index 9b7ff5f..e9cb321 100644 --- a/omapip/isclib.c +++ b/omapip/isclib.c @@ -230,12 +230,24 @@ isclib_make_dst_key(char *inname, dns_name_t *name; dns_fixedname_t name0; isc_buffer_t b; + unsigned int algorithm_code; isc_buffer_init(&b, secret, length); isc_buffer_add(&b, length); - /* We only support HMAC_MD5 currently */ - if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) { + if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) { + algorithm_code = DST_ALG_HMACMD5; + } else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) { + algorithm_code = DST_ALG_HMACSHA1; + } else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) { + algorithm_code = DST_ALG_HMACSHA224; + } else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) { + algorithm_code = DST_ALG_HMACSHA256; + } else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) { + algorithm_code = DST_ALG_HMACSHA384; + } else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) { + algorithm_code = DST_ALG_HMACSHA512; + } else { return(DHCP_R_INVALIDARG); } @@ -244,7 +256,7 @@ isclib_make_dst_key(char *inname, return(result); } - return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY, + return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY, DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b, dhcp_gbl_ctx.mctx, dstkey)); } diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5 index e639db6..def7bec 100644 --- a/server/dhcpd.conf.5 +++ b/server/dhcpd.conf.5 @@ -1388,11 +1388,16 @@ dnssec-keygen, the above key would be created as follows: dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER .fi .PP -If you are using the BIND 8 dnskeygen program, the following command will -generate a key as seen above: -.PP +The key name, algorithm, and secret must match that being used by the DNS +server. The DHCP server currently supports the following algorithms: .nf - dnskeygen -H 128 -u -c -n DHCP_UPDATER + + HMAC-MD5 + HMAC-SHA1 + HMAC-SHA224 + HMAC-SHA256 + HMAC-SHA384 + HMAC-SHA512 .fi .PP You may wish to enable logging of DNS updates on your DNS server.