authorThomas Markwalder <tmark@isc.org>2014-09-08 11:41:44 -0400
committerThomas Markwalder <tmark@isc.org>2014-09-08 11:41:44 -0400
commite4a2cb79b2679738f56b3803a44c9899f6982c09 (patch)
tree3cb1e07cec34ec934bbd67f6406dda99dfe47ec8
parent1fdd3f00e44c70094047a1f629ebd7215b196023 (diff)
downloadisc-dhcp-e4a2cb79b2679738f56b3803a44c9899f6982c09.tar.gz
[v4_2] Adds additional HMAC TSIG algorithms to DDNS
Merges in rt36947
-rw-r--r--RELNOTES8
-rw-r--r--includes/omapip/isclib.h7
-rw-r--r--omapip/isclib.c18
-rw-r--r--server/dhcpd.conf.514
4 files changed, 42 insertions, 5 deletions
diff --git a/RELNOTES b/RELNOTES
index 00f56e55..5e10f50a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -45,12 +45,20 @@ by Eric Young (eay@cryptsoft.com).
Changes since 4.2.7
+- TSIG-authenticated dynamic DNS updates now support the use of these
+ additional algorithms: hmac-sha1, hmac_sha224, hmac_sha256, hmac_sha384,
+ and hmac_sha512
+ [ISC-Bugs #36947]
+
- Added check for invalid failover message type.
[ISC-Bugs #36653]
- Corrected rate limiting checks for bad packet logging.
[ISC-Bugs #36897]
+- Corrected rate limiting checks for bad packet logging.
+ [ISC-Bugs #36897]
+
- Addressed Coverity issues reported as of 07-31-2014:
[ISC-Bugs #36712] Corrects Coverity reported "high" impact issues
[ISC-Bugs #36933] Corrects Coverity reported "medium" impact issues
diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
index fc45ef3d..30abacd9 100644
--- a/includes/omapip/isclib.h
+++ b/includes/omapip/isclib.h
@@ -3,7 +3,7 @@
connections to the isc and dns libraries */
/*
- * Copyright (c) 2009,2013 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2009,2013,2014 by Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -104,6 +104,11 @@ extern dhcp_context_t dhcp_gbl_ctx;
#define DHCP_MAXDNS_WIRE 256
#define DHCP_MAXNS 3
#define DHCP_HMAC_MD5_NAME "HMAC-MD5.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA1_NAME "HMAC-SHA1.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA224_NAME "HMAC-SHA224.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA256_NAME "HMAC-SHA256.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA384_NAME "HMAC-SHA384.SIG-ALG.REG.INT."
+#define DHCP_HMAC_SHA512_NAME "HMAC-SHA512.SIG-ALG.REG.INT."
isc_result_t dhcp_isc_name(unsigned char *namestr,
dns_fixedname_t *namefix,
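Review bot: The `.SIG-ALG.REG.INT.` suffix in the five new DHCP_HMAC_SHA*_NAME strings is the RFC 2845 algorithm name for HMAC-MD5 only; RFC 4635 registers the SHA-family TSIG algorithms as plain `hmac-sha1.`, `hmac-sha224.`, `hmac-sha256.`, `hmac-sha384.` and `hmac-sha512.`. As used in the isclib.c hunk the strings are only compared against the `algorithm` argument to select a DST code, so this is harmless while they stay internal, but a reader will otherwise take them for the on-the-wire names. A comment above the group such as `/* Internal spellings of the TSIG algorithm names accepted by isclib_make_dst_key(); not the RFC 4635 registered names. */` would prevent that confusion, and whatever maps the configured `algorithm` keyword onto these spellings lies outside this diff.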
diff --git a/omapip/isclib.c b/omapip/isclib.c
index 645c4700..486f70c2 100644
--- a/omapip/isclib.c
+++ b/omapip/isclib.c
@@ -203,12 +203,24 @@ isclib_make_dst_key(char *inname,
dns_name_t *name;
dns_fixedname_t name0;
isc_buffer_t b;
+ unsigned int algorithm_code;
isc_buffer_init(&b, secret, length);
isc_buffer_add(&b, length);
- /* We only support HMAC_MD5 currently */
- if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) != 0) {
+ if (strcasecmp(algorithm, DHCP_HMAC_MD5_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACMD5;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA1_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA1;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA224_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA224;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA256_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA256;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA384_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA384;
+ } else if (strcasecmp(algorithm, DHCP_HMAC_SHA512_NAME) == 0) {
+ algorithm_code = DST_ALG_HMACSHA512;
+ } else {
return(DHCP_R_INVALIDARG);
}
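Review bot: The comment that explained the restriction (`/* We only support HMAC_MD5 currently */`) is dropped without a replacement, so the six-way `strcasecmp` chain in isclib_make_dst_key now says nothing about what the compared names are; a one-line comment such as `/* Map the TSIG algorithm name (one of the DHCP_HMAC_*_NAME strings) to its DST algorithm code. */` before the first `if` would restore that. The chain is also repetitive and would be easier to extend as a name/code table walked in a loop, as sketched below. isclib_make_dst_key's signature, the dns_name setup and the dst_key_frombuffer call (second hunk) are outside this hunk. Since SHA-2 variants are now available, the dhcpd.conf.5 list, which presents HMAC-MD5 as equal to the others, could point operators to the SHA-2 algorithms (RFC 6151 discourages new uses of HMAC-MD5). Separately, the RELNOTES hunk adds a second copy of the `Corrected rate limiting checks for bad packet logging. [ISC-Bugs #36897]` entry that already appears two lines above it.
```c
	/* Table of the TSIG algorithm names this server accepts and the
	 * DST algorithm code each one selects. */
	static const struct {
		const char *name;
		unsigned int code;
	} algorithms[] = {
		{ DHCP_HMAC_MD5_NAME,    DST_ALG_HMACMD5 },
		{ DHCP_HMAC_SHA1_NAME,   DST_ALG_HMACSHA1 },
		{ DHCP_HMAC_SHA224_NAME, DST_ALG_HMACSHA224 },
		{ DHCP_HMAC_SHA256_NAME, DST_ALG_HMACSHA256 },
		{ DHCP_HMAC_SHA384_NAME, DST_ALG_HMACSHA384 },
		{ DHCP_HMAC_SHA512_NAME, DST_ALG_HMACSHA512 },
	};
	size_t i;

	/* … unchanged: isc_buffer_init / isc_buffer_add … */

	for (i = 0; i < sizeof(algorithms) / sizeof(algorithms[0]); i++) {
		if (strcasecmp(algorithm, algorithms[i].name) == 0) {
			break;
		}
	}
	if (i == sizeof(algorithms) / sizeof(algorithms[0])) {
		/* Not a supported algorithm name: reject, as before. */
		return(DHCP_R_INVALIDARG);
	}
	algorithm_code = algorithms[i].code;
```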
@@ -217,7 +229,7 @@ isclib_make_dst_key(char *inname,
return(result);
}
- return(dst_key_frombuffer(name, DST_ALG_HMACMD5, DNS_KEYOWNER_ENTITY,
+ return(dst_key_frombuffer(name, algorithm_code, DNS_KEYOWNER_ENTITY,
DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
&b, dhcp_gbl_ctx.mctx, dstkey));
}
diff --git a/server/dhcpd.conf.5 b/server/dhcpd.conf.5
index 23bca36f..cc33976e 100644
--- a/server/dhcpd.conf.5
+++ b/server/dhcpd.conf.5
@@ -1,6 +1,6 @@
.\" dhcpd.conf.5
.\"
-.\" Copyright (c) 2004-2012 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 2004-2014 by Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (c) 1996-2003 by Internet Software Consortium
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -1391,6 +1391,18 @@ generate a key as seen above:
dnskeygen -H 128 -u -c -n DHCP_UPDATER
.fi
.PP
+The key name, algorithm, and secret must match that being used by the DNS
+server. The DHCP server currently supports the following algorithms:
+.nf
+
+ HMAC-MD5
+ HMAC-SHA1
+ HMAC-SHA224
+ HMAC-SHA256
+ HMAC-SHA384
+ HMAC-SHA512
+.fi
+.PP
You may wish to enable logging of DNS updates on your DNS server.
To do so, you might write a logging statement like the following:
.PP