forked from pool/dhcp
dhcp/0023-dhcp-4.2.x-ddns-tsig-hmac-sha-support.890731.patch
Marius Tomaschewski 348f524f0a
- Applied contrib/ldap/dhcpd-conf-to-ldap patch by Ales Novak to
  reorder config to add all global options or option declarations
  to the dhcpService object instead of creating a new service object
  (bsc#886094,ISC-Bugs#37876).
  [+ dhcp-4.2.x-contrib-conf-to-ldap-reorder.886094.patch]
- Applied an upstream patch by Thomas Markwalder adding missed
  mapping of SHA TSIG algorithm names to their constants to enable
  hmac-sha1, hmac_sha224, hmac_sha256, hmac_sha384 and hmac_sha512
  authenticated dynamic DNS updates (bsc#890731, ISC-Bugs#36947).
  [+ dhcp-4.2.x-ddns-tsig-hmac-sha-support.890731.patch]
- Decline IPv6 addresses on Duplicate Address Detection failure
  and stop client message exchanges on reached MRD rather than
  at some point after it. Applied fedora patches by Jiri Popelka
  and added DAD reporting via exit 3 to the dhclient-script and
  a fix to use correct address variables in the DEPREF6 action
  (bsc#872609,ISC-Bugs#26735,ISC-Bugs#21238).
  [+ dhcp-4.2.x-dhcpv6-decline-on-DAD-failure.872609.patch,
   + dhcp-4.2.x-dhcpv6-retransmission-until-MRD.872609.patch]
- Applied backport patch by William Preston avoiding binding the ddns
  socket in the server when ddns-update-style is none (bsc#891655).
  [+ dhcp-4.2.x-disable-unused-ddns-port-in-server.891655.patch]
- Applied patch for the contrib/ldap/dhcpd-conf-to-ldap script
  fixing subclass statement handling (bnc#878846,[ISC-Bugs #36409])
  [+ dhcp-4.2.4-P2-bnc878846-conf-to-ldap.patch]
- Updated licence statement and FSF address in our scripts.
- Added missed service_add_pre macro calls for dhcrelay services

OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=141
2014-11-21 11:33:30 +00:00


Author: Thomas Markwalder <tmark@isc.org>
Subject: Adds additional HMAC TSIG algorithms to DDNS
References: bsc#890731, ISC-Bugs#36947
Upstream: yes
TSIG-authenticated dynamic DNS updates now support the use of these
additional algorithms: hmac-sha1, hmac_sha224, hmac_sha256, hmac_sha384,
and hmac_sha512. [ISC-Bugs #36947]
RFC4635 updates RFC2845 and mandates hmac-sha1 and hmac-sha256 support.
diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
index fc45ef3..a9df110 100644
--- a/includes/omapip/isclib.h
+++ b/includes/omapip/isclib.h
@@ -104,6 +104,11 @@ extern dhcp_context_t dhcp_gbl_ctx;
#define DHCP_MAXDNS_WIRE 256
#define DHCP_MAXNS 3
#define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."
isc_result_t dhcp_isc_name(unsigned char *namestr,
dns_fixedname_t *namefix,
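Review bot: the five new macros keep the `.SIG-ALG.REG.INT.` suffix of the HMAC-MD5 name, but RFC 4635 (cited in the patch description) registers the SHA variants as plain `hmac-sha1.`, `hmac-sha256.` and so on, so these strings can only serve as internal match values for the `algorithm` argument that callers pass to `isclib_make_dst_key`, not as the on-the-wire TSIG algorithm names. A one-line comment above the block saying exactly that, and that the wire name follows from the `DST_ALG_*` code handed to the dst library, would keep a later reader from "correcting" them to the RFC spellings and silently breaking every existing `algorithm hmac-sha256;` key statement.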
diff --git a/omapip/isclib.c b/omapip/isclib.c
index 9b7ff5f..e9cb321 100644
--- a/omapip/isclib.c
+++ b/omapip/isclib.c
@@ -230,12 +230,24 @@ isclib_make_dst_key(char *inname,
dns_name_t *name;
dns_fixedname_t name0;
isc_buffer_t b;
+ unsigned int algorithm_code;
isc_buffer_init(&b, secret, length);
isc_buffer_add(&b, length);
- /* We only support HMAC_MD5 currently */
- if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
+ if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACMD5;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA1;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA224;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA256;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA384;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA512;
+ } else {
return(DHCP_R_INVALIDARG);
}
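Review bot: the `else` branch rejects an unrecognised algorithm with a bare `return(DHCP_R_INVALIDARG);` and no diagnostic, and the names it accepts are the hyphenated `HMAC-SHA224...` forms while the patch description advertises `hmac_sha224`, `hmac_sha256`, `hmac_sha384` and `hmac_sha512` with underscores; an administrator who copies the underscore spelling into a key statement gets a generic invalid-argument failure with nothing in the log naming the rejected string. Suggest a `log_error("unsupported TSIG algorithm: %s", algorithm);` before the return, and correcting the description to the hyphenated names. A small `{ name, DST_ALG_* }` table walked in a loop would also stop the header and this `if`/`else if` chain from drifting apart as further algorithms are added.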
@@ -244,7 +256,7 @@ isclib_make_dst_key(char *inname,
return(result);
}
- return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,
+ return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,
DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
&b, dhcp_gbl_ctx.mctx, dstkey));
}
diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5
index e639db6..def7bec 100644
--- a/server/dhcpd.conf.5
+++ b/server/dhcpd.conf.5
@@ -1388,11 +1388,16 @@ dnssec-keygen, the above key would be created as follows:
dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
.fi
.PP
-If you are using the BIND 8 dnskeygen program, the following command will
-generate a key as seen above:
-.PP
+The key name, algorithm, and secret must match that being used by the DNS
+server. The DHCP server currently supports the following algorithms:
.nf
- dnskeygen -H 128 -u -c -n DHCP_UPDATER
+
+ HMAC-MD5
+ HMAC-SHA1
+ HMAC-SHA224
+ HMAC-SHA256
+ HMAC-SHA384
+ HMAC-SHA512
.fi
.PP
You may wish to enable logging of DNS updates on your DNS server.
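Review bot: the new algorithm list is not paired with an example of generating or declaring a key for any of them, so the only worked example left in this section is still the `dnssec-keygen -a HMAC-MD5 -b 128` line above it, and the removed BIND 8 `dnskeygen` paragraph is not replaced by anything that tells the reader which spelling to put in the `algorithm` statement. Since the patch description notes that RFC 4635 mandates hmac-sha1 and hmac-sha256, add a parallel example such as `dnssec-keygen -a HMAC-SHA256 -b 256 -n USER DHCP_UPDATER` after the list, and state that the key declaration's `algorithm` value (e.g. `hmac-sha256`) must be the same name the DNS server's key uses.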