diff --git a/CHANGES b/CHANGES
index 6afcc66316..10fbe1e068 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5984. [func] 'named -V' now reports the list of supported
+ DNSSEC/DS/HMAC algorithms and the supported TKEY modes.
+ [GL #3541]
+
 5983. [bug] Changing just the TSIG key names for primaries in catalog zones' member zones was not effective. [GL #3557]
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index 345933d374..97dfa34667 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -34,29 +34,6 @@ #include "util.h"
-/*%
- * Convert algorithm type to string.
- */
-const char *
-alg_totext(dns_secalg_t alg) {
- switch (alg) {
- case DST_ALG_HMACMD5:
- return ("hmac-md5");
- case DST_ALG_HMACSHA1:
- return ("hmac-sha1");
- case DST_ALG_HMACSHA224:
- return ("hmac-sha224");
- case DST_ALG_HMACSHA256:
- return ("hmac-sha256");
- case DST_ALG_HMACSHA384:
- return ("hmac-sha384");
- case DST_ALG_HMACSHA512:
- return ("hmac-sha512");
- default:
- return ("(unknown)");
- }
-}
-
 /*% * Convert string to algorithm type. */
@@ -175,7 +152,7 @@ void write_key_file(const char *keyfile, const char *user, const char *keyname, isc_buffer_t *secret, dns_secalg_t alg) { isc_result_t result;
- const char *algname = alg_totext(alg);
+ const char *algname = dst_hmac_algorithm_totext(alg);
 FILE *fd = NULL; DO("create keyfile", isc_file_safecreate(keyfile, &fd));
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
index e0786be782..817929544e 100644
--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -222,7 +222,7 @@ main(int argc, char **argv) { if (keysize < 0) { keysize = alg_bits(alg); }
- algname = alg_totext(alg);
+ algname = dst_hmac_algorithm_totext(alg);
 isc_mem_create(&mctx); isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
diff --git a/bin/confgen/tsig-keygen.c b/bin/confgen/tsig-keygen.c
index dd39ad8726..f6c5b2e272 100644
--- a/bin/confgen/tsig-keygen.c
+++ b/bin/confgen/tsig-keygen.c
@@ -208,7 +208,7 @@ main(int argc, char **argv) { } /* Use canonical algorithm name */
- algname = alg_totext(alg);
+ algname = dst_hmac_algorithm_totext(alg);
 isc_mem_create(&mctx);
diff --git a/bin/named/main.c b/bin/named/main.c
index af9b7b9c93..541564b98f 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -462,11 +462,104 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) { } }
+static void
+list_dnssec_algorithms(isc_buffer_t *b) {
+ for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) {
+ if (i == DST_ALG_DH || i == DST_ALG_GSSAPI ||
+ (i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST))
+ {
+ continue;
+ }
+ if (dst_algorithm_supported(i)) {
+ isc_buffer_putstr(b, " ");
+ (void)dns_secalg_totext(i, b);
+ }
+ }
+}
+
+static void
+list_ds_algorithms(isc_buffer_t *b) {
+ for (size_t i = 0; i < 256; i++) {
+ if (dst_ds_digest_supported(i)) {
+ isc_buffer_putstr(b, " ");
+ (void)dns_dsdigest_totext(i, b);
+ }
+ }
+}
+
+static void
+list_hmac_algorithms(isc_buffer_t *b) {
+ isc_buffer_t sb = *b;
+ for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST;
+ i++) {
+ if (dst_algorithm_supported(i)) {
+ isc_buffer_putstr(b, " ");
+ isc_buffer_putstr(b, dst_hmac_algorithm_totext(i));
+ }
+ }
+ for (unsigned char *s = isc_buffer_used(&sb); s != isc_buffer_used(b);
+ s++) {
+ *s = toupper(*s);
+ }
+}
+
+static void
+logit(isc_buffer_t *b) {
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING, "%.*s",
+ (int)isc_buffer_usedlength(b),
+ (char *)isc_buffer_base(b));
+}
+
+static void
+printit(isc_buffer_t *b) {
+ printf("%.*s\n", (int)isc_buffer_usedlength(b),
+ (char *)isc_buffer_base(b));
+}
+
+static void
+format_supported_algorithms(void (*emit)(isc_buffer_t *b)) {
+ isc_buffer_t b;
+ char buf[512];
+
+ isc_buffer_init(&b, buf, sizeof(buf));
+ isc_buffer_putstr(&b, "DNSSEC algorithms:");
+ list_dnssec_algorithms(&b);
+ (*emit)(&b);
+
+ isc_buffer_init(&b, buf, sizeof(buf));
+ isc_buffer_putstr(&b, "DS algorithms:");
+ list_ds_algorithms(&b);
+ (*emit)(&b);
+
+ isc_buffer_init(&b, buf, sizeof(buf));
+ isc_buffer_putstr(&b, "HMAC algorithms:");
+ list_hmac_algorithms(&b);
+ (*emit)(&b);
+
+ isc_buffer_init(&b, buf, sizeof(buf));
+ isc_buffer_printf(&b, "TKEY mode 2 support 
(Diffie-Hellman): %s",
+ (dst_algorithm_supported(DST_ALG_DH) &&
+ dst_algorithm_supported(DST_ALG_HMACMD5))
+ ? "yes"
+ : "non");
+ (*emit)(&b);
+
+ isc_buffer_init(&b, buf, sizeof(buf));
+ isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s",
+ dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes"
+ : "no");
+ (*emit)(&b);
+}
+
 static void printversion(bool verbose) { char rndcconf[PATH_MAX], *dot = NULL;
-#if defined(HAVE_GEOIP2)
 isc_mem_t *mctx = NULL;
+ isc_result_t result;
+ isc_buffer_t b;
+ char buf[512];
+#if defined(HAVE_GEOIP2)
 cfg_parser_t *parser = NULL; cfg_obj_t *config = NULL; const cfg_obj_t *defaults = NULL, *obj = NULL;
@@ -538,7 +631,18 @@ printversion(bool verbose) { printf("compiled with protobuf-c version: %s\n", PROTOBUF_C_VERSION); printf("linked to protobuf-c version: %s\n", protobuf_c_version()); #endif /* if defined(HAVE_DNSTAP) */
- printf("threads support is enabled\n\n");
+ printf("threads support is enabled\n");
+
+ isc_mem_create(&mctx);
+ result = dst_lib_init(mctx, named_g_engine);
+ if (result == ISC_R_SUCCESS) {
+ isc_buffer_init(&b, buf, sizeof(buf));
+ format_supported_algorithms(printit);
+ printf("\n");
+ } else {
+ printf("DST initialization failure: %s\n",
+ isc_result_totext(result));
+ }
 /* * The default rndc.conf and rndc.key paths are in the same
@@ -564,7 +668,6 @@ printversion(bool verbose) { printf(" named lock file: %s\n", named_g_defaultlockfile); #if defined(HAVE_GEOIP2) #define RTC(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS)
- isc_mem_create(&mctx);
 RTC(cfg_parser_create(mctx, named_g_lctx, &parser)); RTC(named_config_parsedefaults(parser, &config)); RTC(cfg_map_get(config, "options", &defaults));
@@ -1193,6 +1296,12 @@ setup(void) { ENSURE(named_g_server != NULL); sctx = named_g_server->sctx;
+ /*
+ * Report supported algorithms now that dst_lib_init() has
+ * been called via named_server_create().
+ */
+ format_supported_algorithms(logit);
+
 /* * Modify server context according to command line options */
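Review bot: The TKEY mode 2 line in format_supported_algorithms prints `"non"` when Diffie-Hellman support is absent, while the mode 3 line directly below prints `"no"`; the two should agree, so change `: "non");` to `: "no");`. format_supported_algorithms is also the only place the 512-byte stack buffer is sized, and none of the list_* helpers check remaining space before isc_buffer_putstr; today's algorithm sets fit easily, but if isc_buffer_putstr asserts on a full buffer instead of truncating (its behaviour is not visible here), a longer list would abort `named -V`, so a one-line comment stating the assumption, e.g. `/* 512 bytes is ample for every supported-algorithm list; grow if new algorithms are added */`, would help the next maintainer. The hunk ends inside printversion(), whose body continues in the next hunk.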
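Review bot: The `isc_buffer_init(&b, buf, sizeof(buf));` added before `format_supported_algorithms(printit);` is dead code: format_supported_algorithms declares and initialises its own `b`/`buf` (first hunk of this file) and takes only the emit callback, so the `isc_buffer_t b;` and `char buf[512];` newly declared in printversion are never read. Drop that line and the two declarations. `isc_mem_create(&mctx)` also becomes unconditional here while the matching destroy is not in this hunk — presumably it is still under `#if defined(HAVE_GEOIP2)` further down — so please confirm that mctx (and a dst_lib_destroy() call, if printversion is meant to make one) is released in non-GeoIP builds too; the third hunk only removes the old conditional create.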
@@ -1432,6 +1541,7 @@ main(int argc, char *argv[]) { setup(); isc_mem_setname(named_g_mctx, "main");
+ INSIST(named_g_server != NULL);
 /* * Start things running
diff --git a/bin/named/named.rst b/bin/named/named.rst
index 78af512fff..dc6e46d3f6 100644
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@@ -203,7 +203,8 @@ Options .. option:: -V
- This option reports the version number and build options, and exits.
+ This option reports the version number, build options, supported
+ cryptographics algorithms, and exits.
 .. option:: -X lock-file
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 9f36160c8a..10e5fa224d 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3387,7 +3387,7 @@ do 2) # Diffie Helman alg=$((alg+1)) continue;;
- 157|160|161|162|163|164|165) # private - non standard
+ 159|160|161|162|163|164|165) # private - non standard
 alg=$((alg+1)) continue;; 1|5|7|8|10) # RSA algorithms
diff --git a/doc/man/named.8in b/doc/man/named.8in
index 26722d2c1f..2b55eeeed9 100644
--- a/doc/man/named.8in
+++ b/doc/man/named.8in
@@ -244,7 +244,8 @@ This option reports the version number and exits. .INDENT 0.0 .TP .B \-V
-This option reports the version number and build options, and exits.
+This option reports the version number, build options, supported
+cryptographics algorithms, and exits.
 .UNINDENT .INDENT 0.0 .TP
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 367d5b3e8c..babef0ad71 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -40,6 +40,9 @@ New Features - The ``nsupdate`` tool now supports DNS-over-TLS (DoT). :gl:`#1781`
+- :iscman:`named` now logs the supported cryptographic algorithms during
+ startup and in the output of :option:`named -V`. :gl:`#3541`
+
 Removed Features ~~~~~~~~~~~~~~~~
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index bb98c16a4e..8f230eef36 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -2747,3 +2747,23 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) { dst_key_setmodified(to, dst_key_ismodified(from)); }
+
+const char *
+dst_hmac_algorithm_totext(dst_algorithm_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return ("hmac-md5");
+ case DST_ALG_HMACSHA1:
+ return ("hmac-sha1");
+ case DST_ALG_HMACSHA224:
+ return ("hmac-sha224");
+ case DST_ALG_HMACSHA256:
+ return ("hmac-sha256");
+ case DST_ALG_HMACSHA384:
+ return ("hmac-sha384");
+ case DST_ALG_HMACSHA512:
+ return ("hmac-sha512");
+ default:
+ return ("unknown");
+ }
+}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index fdd2122b20..62192a9be7 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
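Review bot: dst_hmac_algorithm_totext carries no comment at its definition, and its default branch quietly returns `"unknown"` for every non-HMAC dst_algorithm_t value; the confgen callers in this diff (write_key_file, rndc-confgen, tsig-keygen) write the return value straight into a generated key clause, so the contract belongs here: `/*% Return the canonical lowercase name of HMAC algorithm 'alg', or "unknown" when 'alg' is outside DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST; callers are expected to have validated 'alg' already. */`. Note the fallback string also changes from the removed alg_totext's `"(unknown)"` to `"unknown"`; that is harmless if nothing parses that output, but it deserves a sentence in the commit message.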
@@ -78,32 +78,36 @@ typedef enum dst_key_state { } dst_key_state_t; /* DST algorithm codes */
-#define DST_ALG_UNKNOWN 0
-#define DST_ALG_RSA 1 /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
-#define DST_ALG_RSAMD5 1
-#define DST_ALG_DH 2
-#define DST_ALG_DSA 3
-#define DST_ALG_ECC 4
-#define DST_ALG_RSASHA1 5
-#define DST_ALG_NSEC3DSA 6
-#define DST_ALG_NSEC3RSASHA1 7
-#define DST_ALG_RSASHA256 8
-#define DST_ALG_RSASHA512 10
-#define DST_ALG_ECCGOST 12
-#define DST_ALG_ECDSA256 13
-#define DST_ALG_ECDSA384 14
-#define DST_ALG_ED25519 15
-#define DST_ALG_ED448 16
-#define DST_ALG_HMACMD5 157
-#define DST_ALG_GSSAPI 160
-#define DST_ALG_HMACSHA1 161 /* XXXMPA */
-#define DST_ALG_HMACSHA224 162 /* XXXMPA */
-#define DST_ALG_HMACSHA256 163 /* XXXMPA */
-#define DST_ALG_HMACSHA384 164 /* XXXMPA */
-#define DST_ALG_HMACSHA512 165 /* XXXMPA */
-#define DST_ALG_INDIRECT 252
-#define DST_ALG_PRIVATE 254
-#define DST_MAX_ALGS 256
+typedef enum dst_algorithm {
+ DST_ALG_UNKNOWN = 0,
+ DST_ALG_RSA = 1, /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
+ DST_ALG_RSAMD5 = 1,
+ DST_ALG_DH = 2,
+ DST_ALG_DSA = 3,
+ DST_ALG_ECC = 4,
+ DST_ALG_RSASHA1 = 5,
+ DST_ALG_NSEC3DSA = 6,
+ DST_ALG_NSEC3RSASHA1 = 7,
+ DST_ALG_RSASHA256 = 8,
+ DST_ALG_RSASHA512 = 10,
+ DST_ALG_ECCGOST = 12,
+ DST_ALG_ECDSA256 = 13,
+ DST_ALG_ECDSA384 = 14,
+ DST_ALG_ED25519 = 15,
+ DST_ALG_ED448 = 16,
+ DST_ALG_GSSAPI = 159,
+ DST_ALG_HMACMD5 = 160,
+ DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5,
+ DST_ALG_HMACSHA1 = 161, /* XXXMPA */
+ DST_ALG_HMACSHA224 = 162, /* XXXMPA */
+ DST_ALG_HMACSHA256 = 163, /* XXXMPA */
+ DST_ALG_HMACSHA384 = 164, /* XXXMPA */
+ DST_ALG_HMACSHA512 = 165, /* XXXMPA */
+ DST_ALG_HMAC_LAST = DST_ALG_HMACSHA512,
+ DST_ALG_INDIRECT = 252,
+ DST_ALG_PRIVATE = 254,
+ DST_MAX_ALGS = 256,
+} dst_algorithm_t;
 /*% A buffer of this size is large enough to hold any key */ #define DST_KEY_MAXSIZE 1280
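Review bot: DST_ALG_HMACMD5 moves from 157 to 160 and DST_ALG_GSSAPI from 160 to 159, yet the enum carries no comment saying why, nor that the HMAC codes must stay contiguous for the DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST range that bin/named/main.c now iterates over; add one above DST_ALG_GSSAPI, e.g. `/* 159-165 are private, non-DNSSEC codes; the HMAC entries must stay contiguous (see DST_ALG_HMAC_FIRST/LAST) */`. The same numbers are mirrored into lib/isccc/include/isccc/cc.h and the tests.sh skip list in this diff, so if either value is ever written to a persistent or wire format (private-key files and the control channel would be the places to check; neither is visible here), artifacts carrying the old 157 would need a compatibility path or a note in CHANGES.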
@@ -1221,4 +1225,11 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from); * 'to' and 'from' to be valid. */
+const char *
+dst_hmac_algorithm_totext(dst_algorithm_t alg);
+/*$<
+ * Return the name associtated with the HMAC algorithm 'alg'
+ * or return "unknown".
+ */
+
 ISC_LANG_ENDDECLS
diff --git a/lib/isccc/Makefile.am b/lib/isccc/Makefile.am
index 10a0ec1c98..7877bfbb18 100644
--- a/lib/isccc/Makefile.am
+++ b/lib/isccc/Makefile.am
@@ -27,6 +27,7 @@ libisccc_la_SOURCES = \ libisccc_la_CPPFLAGS = \ $(AM_CPPFLAGS) \ $(LIBISC_CFLAGS) \
+ $(LIBDNS_CFLAGS) \
 $(LIBISCCC_CFLAGS) libisccc_la_LIBADD = \
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
index a50b1dea20..f597276756 100644
--- a/lib/isccc/include/isccc/cc.h
+++ b/lib/isccc/include/isccc/cc.h
@@ -37,19 +37,22 @@ #include #include
+#include
 #include ISC_LANG_BEGINDECLS
-/*% from lib/dns/include/dst/dst.h */
-
+/*%
+ * The HMAC algorithms supported by isccc_cc_fromwire and
+ * isccc_cc_towire as implemented in DST.
+ */
 #define ISCCC_ALG_UNKNOWN 0
-#define ISCCC_ALG_HMACMD5 157
-#define ISCCC_ALG_HMACSHA1 161
-#define ISCCC_ALG_HMACSHA224 162
-#define ISCCC_ALG_HMACSHA256 163
-#define ISCCC_ALG_HMACSHA384 164
-#define ISCCC_ALG_HMACSHA512 165
+#define ISCCC_ALG_HMACMD5 DST_ALG_HMACMD5
+#define ISCCC_ALG_HMACSHA1 DST_ALG_HMACSHA1
+#define ISCCC_ALG_HMACSHA224 DST_ALG_HMACSHA224
+#define ISCCC_ALG_HMACSHA256 DST_ALG_HMACSHA256
+#define ISCCC_ALG_HMACSHA384 DST_ALG_HMACSHA384
+#define ISCCC_ALG_HMACSHA512 DST_ALG_HMACSHA512
 /*% Maximum Datagram Package */ #define ISCCC_CC_MAXDGRAMPACKET 4096
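Review bot: The doc comment on the new dst_hmac_algorithm_totext prototype opens with `/*$<`, whereas the rest of this header uses the `%` marker (the `/*% A buffer of this size ...` comment in the earlier hunk, and `/*%` blocks throughout the diff), and it misspells "associated"; suggest `/*%<` and ` * Return the name associated with the HMAC algorithm 'alg'`. It would also help to say that only values in DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST have a name, since the definition's default branch returns "unknown" for everything else.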
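Review bot: `ISCCC_ALG_UNKNOWN` is left as the literal `0` while the six HMAC constants below it now alias their DST enumerators; to make the aliasing complete and keep the two headers from drifting, use `#define ISCCC_ALG_UNKNOWN DST_ALG_UNKNOWN`. The removed `/*% from lib/dns/include/dst/dst.h */` was the only pointer to where these numbers originate; the new comment names DST but not the header, so consider keeping the path in it, e.g. `* isccc_cc_towire as implemented in DST (see lib/dns/include/dst/dst.h).`.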