Merge branch '3541-have-named-v-report-supported-algorithms' into 'main'

Report supported crypto algorithms

Closes #3541

See merge request isc-projects/bind9!6771

CHANGES

@@ -1,3 +1,7 @@
+5984.	[func]		'named -V' now reports the list of supported
+			DNSSEC/DS/HMAC algorithms and the supported TKEY modes.
+			[GL #3541]
+
 5983.	[bug]		Changing just the TSIG key names for primaries in
 			catalog zones' member zones was not effective.
 			[GL #3557]

bin/confgen/keygen.c

@@ -34,29 +34,6 @@
 
 #include "util.h"
 
-/*%
- * Convert algorithm type to string.
- */
-const char *
-alg_totext(dns_secalg_t alg) {
-	switch (alg) {
-	case DST_ALG_HMACMD5:
-		return ("hmac-md5");
-	case DST_ALG_HMACSHA1:
-		return ("hmac-sha1");
-	case DST_ALG_HMACSHA224:
-		return ("hmac-sha224");
-	case DST_ALG_HMACSHA256:
-		return ("hmac-sha256");
-	case DST_ALG_HMACSHA384:
-		return ("hmac-sha384");
-	case DST_ALG_HMACSHA512:
-		return ("hmac-sha512");
-	default:
-		return ("(unknown)");
-	}
-}
-
 /*%
  * Convert string to algorithm type.
  */
@@ -175,7 +152,7 @@ void
 write_key_file(const char *keyfile, const char *user, const char *keyname,
 	       isc_buffer_t *secret, dns_secalg_t alg) {
 	isc_result_t result;
-	const char *algname = alg_totext(alg);
+	const char *algname = dst_hmac_algorithm_totext(alg);
 	FILE *fd = NULL;
 
 	DO("create keyfile", isc_file_safecreate(keyfile, &fd));

bin/confgen/rndc-confgen.c

@@ -222,7 +222,7 @@ main(int argc, char **argv) {
 	if (keysize < 0) {
 		keysize = alg_bits(alg);
 	}
-	algname = alg_totext(alg);
+	algname = dst_hmac_algorithm_totext(alg);
 
 	isc_mem_create(&mctx);
 	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));

bin/confgen/tsig-keygen.c

@@ -208,7 +208,7 @@ main(int argc, char **argv) {
 	}
 
 	/* Use canonical algorithm name */
-	algname = alg_totext(alg);
+	algname = dst_hmac_algorithm_totext(alg);
 
 	isc_mem_create(&mctx);
 

bin/named/main.c

@@ -462,11 +462,104 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
 	}
 }
 
+static void
+list_dnssec_algorithms(isc_buffer_t *b) {
+	for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) {
+		if (i == DST_ALG_DH || i == DST_ALG_GSSAPI ||
+		    (i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST))
+		{
+			continue;
+		}
+		if (dst_algorithm_supported(i)) {
+			isc_buffer_putstr(b, " ");
+			(void)dns_secalg_totext(i, b);
+		}
+	}
+}
+
+static void
+list_ds_algorithms(isc_buffer_t *b) {
+	for (size_t i = 0; i < 256; i++) {
+		if (dst_ds_digest_supported(i)) {
+			isc_buffer_putstr(b, " ");
+			(void)dns_dsdigest_totext(i, b);
+		}
+	}
+}
+
+static void
+list_hmac_algorithms(isc_buffer_t *b) {
+	isc_buffer_t sb = *b;
+	for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST;
+	     i++) {
+		if (dst_algorithm_supported(i)) {
+			isc_buffer_putstr(b, " ");
+			isc_buffer_putstr(b, dst_hmac_algorithm_totext(i));
+		}
+	}
+	for (unsigned char *s = isc_buffer_used(&sb); s != isc_buffer_used(b);
+	     s++) {
+		*s = toupper(*s);
+	}
+}
+
+static void
+logit(isc_buffer_t *b) {
+	isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+		      NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING, "%.*s",
+		      (int)isc_buffer_usedlength(b),
+		      (char *)isc_buffer_base(b));
+}
+
+static void
+printit(isc_buffer_t *b) {
+	printf("%.*s\n", (int)isc_buffer_usedlength(b),
+	       (char *)isc_buffer_base(b));
+}
+
+static void
+format_supported_algorithms(void (*emit)(isc_buffer_t *b)) {
+	isc_buffer_t b;
+	char buf[512];
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_putstr(&b, "DNSSEC algorithms:");
+	list_dnssec_algorithms(&b);
+	(*emit)(&b);
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_putstr(&b, "DS algorithms:");
+	list_ds_algorithms(&b);
+	(*emit)(&b);
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_putstr(&b, "HMAC algorithms:");
+	list_hmac_algorithms(&b);
+	(*emit)(&b);
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s",
+			  (dst_algorithm_supported(DST_ALG_DH) &&
+			   dst_algorithm_supported(DST_ALG_HMACMD5))
+				  ? "yes"
+				  : "non");
+	(*emit)(&b);
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+	isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s",
+			  dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes"
+								  : "no");
+	(*emit)(&b);
+}
+
 static void
 printversion(bool verbose) {
 	char rndcconf[PATH_MAX], *dot = NULL;
-#if defined(HAVE_GEOIP2)
 	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char buf[512];
+#if defined(HAVE_GEOIP2)
 	cfg_parser_t *parser = NULL;
 	cfg_obj_t *config = NULL;
 	const cfg_obj_t *defaults = NULL, *obj = NULL;
@@ -538,7 +631,18 @@ printversion(bool verbose) {
 	printf("compiled with protobuf-c version: %s\n", PROTOBUF_C_VERSION);
 	printf("linked to protobuf-c version: %s\n", protobuf_c_version());
 #endif /* if defined(HAVE_DNSTAP) */
-	printf("threads support is enabled\n\n");
+	printf("threads support is enabled\n");
+
+	isc_mem_create(&mctx);
+	result = dst_lib_init(mctx, named_g_engine);
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_init(&b, buf, sizeof(buf));
+		format_supported_algorithms(printit);
+		printf("\n");
+	} else {
+		printf("DST initialization failure: %s\n",
+		       isc_result_totext(result));
+	}
 
 	/*
 	 * The default rndc.conf and rndc.key paths are in the same
@@ -564,7 +668,6 @@ printversion(bool verbose) {
 	printf("  named lock file:      %s\n", named_g_defaultlockfile);
 #if defined(HAVE_GEOIP2)
 #define RTC(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
-	isc_mem_create(&mctx);
 	RTC(cfg_parser_create(mctx, named_g_lctx, &parser));
 	RTC(named_config_parsedefaults(parser, &config));
 	RTC(cfg_map_get(config, "options", &defaults));
@@ -1193,6 +1296,12 @@ setup(void) {
 	ENSURE(named_g_server != NULL);
 	sctx = named_g_server->sctx;
 
+	/*
+	 * Report supported algorithms now that dst_lib_init() has
+	 * been called via named_server_create().
+	 */
+	format_supported_algorithms(logit);
+
 	/*
 	 * Modify server context according to command line options
 	 */
@@ -1432,6 +1541,7 @@ main(int argc, char *argv[]) {
 
 	setup();
 	isc_mem_setname(named_g_mctx, "main");
+	INSIST(named_g_server != NULL);
 
 	/*
 	 * Start things running

bin/named/named.rst

@@ -203,7 +203,8 @@ Options
 
 .. option:: -V
 
-   This option reports the version number and build options, and exits.
+   This option reports the version number, build options, supported
+   cryptographics algorithms, and exits.
 
 .. option:: -X lock-file
 

bin/tests/system/dnssec/tests.sh

@@ -3387,7 +3387,7 @@ do
 	2) # Diffie Helman
 	    alg=$((alg+1))
 	    continue;;
-	157|160|161|162|163|164|165) # private - non standard
+	159|160|161|162|163|164|165) # private - non standard
 	    alg=$((alg+1))
 	    continue;;
 	1|5|7|8|10) # RSA algorithms

doc/man/named.8in

@@ -244,7 +244,8 @@ This option reports the version number and exits.
 .INDENT 0.0
 .TP
 .B \-V
-This option reports the version number and build options, and exits.
+This option reports the version number, build options, supported
+cryptographics algorithms, and exits.
 .UNINDENT
 .INDENT 0.0
 .TP

doc/notes/notes-current.rst

@@ -40,6 +40,9 @@ New Features
 
 - The ``nsupdate`` tool now supports DNS-over-TLS (DoT). :gl:`#1781`
 
+- :iscman:`named` now logs the supported cryptographic algorithms during
+  startup and in the output of :option:`named -V`. :gl:`#3541`
+
 Removed Features
 ~~~~~~~~~~~~~~~~
 

lib/dns/dst_api.c

@@ -2747,3 +2747,23 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) {
 
 	dst_key_setmodified(to, dst_key_ismodified(from));
 }
+
+const char *
+dst_hmac_algorithm_totext(dst_algorithm_t alg) {
+	switch (alg) {
+	case DST_ALG_HMACMD5:
+		return ("hmac-md5");
+	case DST_ALG_HMACSHA1:
+		return ("hmac-sha1");
+	case DST_ALG_HMACSHA224:
+		return ("hmac-sha224");
+	case DST_ALG_HMACSHA256:
+		return ("hmac-sha256");
+	case DST_ALG_HMACSHA384:
+		return ("hmac-sha384");
+	case DST_ALG_HMACSHA512:
+		return ("hmac-sha512");
+	default:
+		return ("unknown");
+	}
+}

lib/dns/include/dst/dst.h

@@ -78,32 +78,36 @@ typedef enum dst_key_state {
 } dst_key_state_t;
 
 /* DST algorithm codes */
-#define DST_ALG_UNKNOWN	     0
-#define DST_ALG_RSA	     1 /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
-#define DST_ALG_RSAMD5	     1
-#define DST_ALG_DH	     2
-#define DST_ALG_DSA	     3
-#define DST_ALG_ECC	     4
-#define DST_ALG_RSASHA1	     5
-#define DST_ALG_NSEC3DSA     6
-#define DST_ALG_NSEC3RSASHA1 7
-#define DST_ALG_RSASHA256    8
-#define DST_ALG_RSASHA512    10
-#define DST_ALG_ECCGOST	     12
-#define DST_ALG_ECDSA256     13
-#define DST_ALG_ECDSA384     14
-#define DST_ALG_ED25519	     15
-#define DST_ALG_ED448	     16
-#define DST_ALG_HMACMD5	     157
-#define DST_ALG_GSSAPI	     160
-#define DST_ALG_HMACSHA1     161 /* XXXMPA */
-#define DST_ALG_HMACSHA224   162 /* XXXMPA */
-#define DST_ALG_HMACSHA256   163 /* XXXMPA */
-#define DST_ALG_HMACSHA384   164 /* XXXMPA */
-#define DST_ALG_HMACSHA512   165 /* XXXMPA */
-#define DST_ALG_INDIRECT     252
-#define DST_ALG_PRIVATE	     254
-#define DST_MAX_ALGS	     256
+typedef enum dst_algorithm {
+	DST_ALG_UNKNOWN = 0,
+	DST_ALG_RSA = 1, /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
+	DST_ALG_RSAMD5 = 1,
+	DST_ALG_DH = 2,
+	DST_ALG_DSA = 3,
+	DST_ALG_ECC = 4,
+	DST_ALG_RSASHA1 = 5,
+	DST_ALG_NSEC3DSA = 6,
+	DST_ALG_NSEC3RSASHA1 = 7,
+	DST_ALG_RSASHA256 = 8,
+	DST_ALG_RSASHA512 = 10,
+	DST_ALG_ECCGOST = 12,
+	DST_ALG_ECDSA256 = 13,
+	DST_ALG_ECDSA384 = 14,
+	DST_ALG_ED25519 = 15,
+	DST_ALG_ED448 = 16,
+	DST_ALG_GSSAPI = 159,
+	DST_ALG_HMACMD5 = 160,
+	DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5,
+	DST_ALG_HMACSHA1 = 161,	  /* XXXMPA */
+	DST_ALG_HMACSHA224 = 162, /* XXXMPA */
+	DST_ALG_HMACSHA256 = 163, /* XXXMPA */
+	DST_ALG_HMACSHA384 = 164, /* XXXMPA */
+	DST_ALG_HMACSHA512 = 165, /* XXXMPA */
+	DST_ALG_HMAC_LAST = DST_ALG_HMACSHA512,
+	DST_ALG_INDIRECT = 252,
+	DST_ALG_PRIVATE = 254,
+	DST_MAX_ALGS = 256,
+} dst_algorithm_t;
 
 /*% A buffer of this size is large enough to hold any key */
 #define DST_KEY_MAXSIZE 1280
@@ -1221,4 +1225,11 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from);
  *	'to' and 'from' to be valid.
  */
 
+const char *
+dst_hmac_algorithm_totext(dst_algorithm_t alg);
+/*$<
+ * Return the name associtated with the HMAC algorithm 'alg'
+ * or return "unknown".
+ */
+
 ISC_LANG_ENDDECLS

lib/isccc/Makefile.am

@@ -27,6 +27,7 @@ libisccc_la_SOURCES =		\
 libisccc_la_CPPFLAGS =		\
 	$(AM_CPPFLAGS)		\
 	$(LIBISC_CFLAGS)	\
+	$(LIBDNS_CFLAGS)	\
 	$(LIBISCCC_CFLAGS)
 
 libisccc_la_LIBADD =	\

lib/isccc/include/isccc/cc.h

@@ -37,19 +37,22 @@
 #include <isc/buffer.h>
 #include <isc/lang.h>
 
+#include <dst/dst.h>
 #include <isccc/types.h>
 
 ISC_LANG_BEGINDECLS
 
-/*% from lib/dns/include/dst/dst.h */
-
+/*%
+ * The HMAC algorithms supported by isccc_cc_fromwire and
+ * isccc_cc_towire as implemented in DST.
+ */
 #define ISCCC_ALG_UNKNOWN    0
-#define ISCCC_ALG_HMACMD5    157
-#define ISCCC_ALG_HMACSHA1   161
-#define ISCCC_ALG_HMACSHA224 162
-#define ISCCC_ALG_HMACSHA256 163
-#define ISCCC_ALG_HMACSHA384 164
-#define ISCCC_ALG_HMACSHA512 165
+#define ISCCC_ALG_HMACMD5    DST_ALG_HMACMD5
+#define ISCCC_ALG_HMACSHA1   DST_ALG_HMACSHA1
+#define ISCCC_ALG_HMACSHA224 DST_ALG_HMACSHA224
+#define ISCCC_ALG_HMACSHA256 DST_ALG_HMACSHA256
+#define ISCCC_ALG_HMACSHA384 DST_ALG_HMACSHA384
+#define ISCCC_ALG_HMACSHA512 DST_ALG_HMACSHA512
 
 /*% Maximum Datagram Package */
 #define ISCCC_CC_MAXDGRAMPACKET 4096