From 09f7e0607a34d90eae53f862954e98c31b5ae532 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 15 Sep 2022 19:18:53 +1000 Subject: [PATCH 1/9] Convert DST_ALG defines to enum and group HMAC algorithms The HMACs and GSSAPI are just using unallocated values. Moving them around shouldn't cause issues. Only the dnssec system test knew the internal number in use for hmacmd5. --- bin/tests/system/dnssec/tests.sh | 2 +- lib/dns/include/dst/dst.h | 56 +++++++++++++++++--------------- lib/isccc/Makefile.am | 1 + lib/isccc/include/isccc/cc.h | 19 ++++++----- 4 files changed, 43 insertions(+), 35 deletions(-) diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 9f36160c8a..10e5fa224d 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3387,7 +3387,7 @@ do 2) # Diffie Helman alg=$((alg+1)) continue;; - 157|160|161|162|163|164|165) # private - non standard + 159|160|161|162|163|164|165) # private - non standard alg=$((alg+1)) continue;; 1|5|7|8|10) # RSA algorithms diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index fdd2122b20..4e2437e11e 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h 
@@ -78,32 +78,36 @@ typedef enum dst_key_state { } dst_key_state_t; /* DST algorithm codes */ -#define DST_ALG_UNKNOWN 0 -#define DST_ALG_RSA 1 /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */ -#define DST_ALG_RSAMD5 1 -#define DST_ALG_DH 2 -#define DST_ALG_DSA 3 -#define DST_ALG_ECC 4 -#define DST_ALG_RSASHA1 5 -#define DST_ALG_NSEC3DSA 6 -#define DST_ALG_NSEC3RSASHA1 7 -#define DST_ALG_RSASHA256 8 -#define DST_ALG_RSASHA512 10 -#define DST_ALG_ECCGOST 12 -#define DST_ALG_ECDSA256 13 -#define DST_ALG_ECDSA384 14 -#define DST_ALG_ED25519 15 -#define DST_ALG_ED448 16 -#define DST_ALG_HMACMD5 157 -#define DST_ALG_GSSAPI 160 -#define DST_ALG_HMACSHA1 161 /* XXXMPA */ -#define DST_ALG_HMACSHA224 162 /* XXXMPA */ -#define DST_ALG_HMACSHA256 163 /* XXXMPA */ -#define DST_ALG_HMACSHA384 164 /* XXXMPA */ -#define DST_ALG_HMACSHA512 165 /* XXXMPA */ -#define DST_ALG_INDIRECT 252 -#define DST_ALG_PRIVATE 254 -#define DST_MAX_ALGS 256 +typedef enum dst_algorithm { + DST_ALG_UNKNOWN = 0, + DST_ALG_RSA = 1, /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */ + DST_ALG_RSAMD5 = 1, + DST_ALG_DH = 2, + DST_ALG_DSA = 3, + DST_ALG_ECC = 4, + DST_ALG_RSASHA1 = 5, + DST_ALG_NSEC3DSA = 6, + DST_ALG_NSEC3RSASHA1 = 7, + DST_ALG_RSASHA256 = 8, + DST_ALG_RSASHA512 = 10, + DST_ALG_ECCGOST = 12, + DST_ALG_ECDSA256 = 13, + DST_ALG_ECDSA384 = 14, + DST_ALG_ED25519 = 15, + DST_ALG_ED448 = 16, + DST_ALG_GSSAPI = 159, + DST_ALG_HMACMD5 = 160, + DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5, + DST_ALG_HMACSHA1 = 161, /* XXXMPA */ + DST_ALG_HMACSHA224 = 162, /* XXXMPA */ + DST_ALG_HMACSHA256 = 163, /* XXXMPA */ + DST_ALG_HMACSHA384 = 164, /* XXXMPA */ + DST_ALG_HMACSHA512 = 165, /* XXXMPA */ + DST_ALG_HMAC_LAST = DST_ALG_HMACSHA512, + DST_ALG_INDIRECT = 252, + DST_ALG_PRIVATE = 254, + DST_MAX_ALGS = 256, +} dst_algorithm_t; /*% A buffer of this size is large enough to hold any key */ #define DST_KEY_MAXSIZE 1280 
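Review bot: The new `DST_ALG_HMAC_FIRST`/`DST_ALG_HMAC_LAST` pair turns contiguity of the HMAC values into an invariant that later code iterates over, but nothing in the enum says so. I would also not rely on the commit-message claim that these values are free to move: as far as I recall, rndc's `hsha` authenticator carries the algorithm number as its leading byte, so `DST_ALG_HMACSHA1`..`DST_ALG_HMACSHA512` are effectively wire-fixed even though they are unallocated in the DNSSEC registry (HMAC-MD5 uses the separate `hmd5` field without such a byte, which is why its move is harmless) — worth confirming against lib/isccc/cc.c. Suggested comment above `DST_ALG_HMACMD5`: `/* HMAC values must stay contiguous: code iterates [DST_ALG_HMAC_FIRST, DST_ALG_HMAC_LAST]. The SHA variants are also emitted on the wire by the rndc protocol (isccc) and must not be renumbered. */` The stale `XXXMPA` markers could be dropped at the same time.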
diff --git a/lib/isccc/Makefile.am b/lib/isccc/Makefile.am index 10a0ec1c98..7877bfbb18 100644 --- a/lib/isccc/Makefile.am +++ b/lib/isccc/Makefile.am @@ -27,6 +27,7 @@ libisccc_la_SOURCES = \ libisccc_la_CPPFLAGS = \ $(AM_CPPFLAGS) \ $(LIBISC_CFLAGS) \ + $(LIBDNS_CFLAGS) \ $(LIBISCCC_CFLAGS) libisccc_la_LIBADD = \ diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h index a50b1dea20..f597276756 100644 --- a/lib/isccc/include/isccc/cc.h +++ b/lib/isccc/include/isccc/cc.h @@ -37,19 +37,22 @@ #include #include +#include #include ISC_LANG_BEGINDECLS -/*% from lib/dns/include/dst/dst.h */ - +/*% + * The HMAC algorithms supported by isccc_cc_fromwire and + * isccc_cc_towire as implemented in DST. + */ #define ISCCC_ALG_UNKNOWN 0 -#define ISCCC_ALG_HMACMD5 157 -#define ISCCC_ALG_HMACSHA1 161 -#define ISCCC_ALG_HMACSHA224 162 -#define ISCCC_ALG_HMACSHA256 163 -#define ISCCC_ALG_HMACSHA384 164 -#define ISCCC_ALG_HMACSHA512 165 +#define ISCCC_ALG_HMACMD5 DST_ALG_HMACMD5 +#define ISCCC_ALG_HMACSHA1 DST_ALG_HMACSHA1 +#define ISCCC_ALG_HMACSHA224 DST_ALG_HMACSHA224 +#define ISCCC_ALG_HMACSHA256 DST_ALG_HMACSHA256 +#define ISCCC_ALG_HMACSHA384 DST_ALG_HMACSHA384 +#define ISCCC_ALG_HMACSHA512 DST_ALG_HMACSHA512 /*% Maximum Datagram Package */ #define ISCCC_CC_MAXDGRAMPACKET 4096 From 151cc2fff99efe11e284ce3ae0796523ce1975e5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 16 Sep 2022 00:42:15 +1000 Subject: [PATCH 2/9] Replace alg_totext with dst_hmac_algorithm_totext The new library function will be reused by subsequent commits. --- bin/confgen/keygen.c | 25 +------------------------ bin/confgen/rndc-confgen.c | 2 +- bin/confgen/tsig-keygen.c | 2 +- lib/dns/dst_api.c | 20 ++++++++++++++++++++ lib/dns/include/dst/dst.h | 7 +++++++ 5 files changed, 30 insertions(+), 26 deletions(-) diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 345933d374..97dfa34667 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c 
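Review bot: Pulling `dst/dst.h` into the public `isccc/cc.h` header makes every consumer of libisccc depend on libdns headers, which is why `$(LIBDNS_CFLAGS)` had to be added in the Makefile.am hunk; the comment only says these algorithms are "supported by isccc_cc_fromwire and isccc_cc_towire" and does not explain the dependency. If the goal is just to keep the numbers in sync, a `STATIC_ASSERT`-style check in cc.c would avoid exposing the include to rndc and other library users; otherwise the comment should say why the include is needed. Also note that `ISCCC_ALG_HMACMD5` silently changes from 157 to 160 here; that is fine only as long as no code path puts the HMAC-MD5 algorithm number on the wire or persists it, which is not visible from this hunk and deserves a sentence in the comment: `/* Values track DST; the SHA variants are sent as the leading byte of the hsha authenticator. */`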
@@ -34,29 +34,6 @@ #include "util.h" -/*% - * Convert algorithm type to string. - */ -const char * -alg_totext(dns_secalg_t alg) { - switch (alg) { - case DST_ALG_HMACMD5: - return ("hmac-md5"); - case DST_ALG_HMACSHA1: - return ("hmac-sha1"); - case DST_ALG_HMACSHA224: - return ("hmac-sha224"); - case DST_ALG_HMACSHA256: - return ("hmac-sha256"); - case DST_ALG_HMACSHA384: - return ("hmac-sha384"); - case DST_ALG_HMACSHA512: - return ("hmac-sha512"); - default: - return ("(unknown)"); - } -} - /*% * Convert string to algorithm type. */ @@ -175,7 +152,7 @@ void write_key_file(const char *keyfile, const char *user, const char *keyname, isc_buffer_t *secret, dns_secalg_t alg) { isc_result_t result; - const char *algname = alg_totext(alg); + const char *algname = dst_hmac_algorithm_totext(alg); FILE *fd = NULL; DO("create keyfile", isc_file_safecreate(keyfile, &fd)); diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c index e0786be782..817929544e 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c @@ -222,7 +222,7 @@ main(int argc, char **argv) { if (keysize < 0) { keysize = alg_bits(alg); } - algname = alg_totext(alg); + algname = dst_hmac_algorithm_totext(alg); isc_mem_create(&mctx); isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); diff --git a/bin/confgen/tsig-keygen.c b/bin/confgen/tsig-keygen.c index dd39ad8726..f6c5b2e272 100644 --- a/bin/confgen/tsig-keygen.c +++ b/bin/confgen/tsig-keygen.c @@ -208,7 +208,7 @@ main(int argc, char **argv) { } /* Use canonical algorithm name */ - algname = alg_totext(alg); + algname = dst_hmac_algorithm_totext(alg); isc_mem_create(&mctx); diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index bb98c16a4e..8f230eef36 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c 
@@ -2747,3 +2747,23 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) { dst_key_setmodified(to, dst_key_ismodified(from)); } + +const char * +dst_hmac_algorithm_totext(dst_algorithm_t alg) { + switch (alg) { + case DST_ALG_HMACMD5: + return ("hmac-md5"); + case DST_ALG_HMACSHA1: + return ("hmac-sha1"); + case DST_ALG_HMACSHA224: + return ("hmac-sha224"); + case DST_ALG_HMACSHA256: + return ("hmac-sha256"); + case DST_ALG_HMACSHA384: + return ("hmac-sha384"); + case DST_ALG_HMACSHA512: + return ("hmac-sha512"); + default: + return ("unknown"); + } +} diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 4e2437e11e..62192a9be7 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -1225,4 +1225,11 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from); * 'to' and 'from' to be valid. */ +const char * +dst_hmac_algorithm_totext(dst_algorithm_t alg); +/*$< + * Return the name associtated with the HMAC algorithm 'alg' + * or return "unknown". + */ + ISC_LANG_ENDDECLS From b308f866c0bddfd8be293b7f11f03315558fd2d8 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 14 Sep 2022 17:35:47 +1000 Subject: [PATCH 3/9] Have 'named -V' report supported algorithms These cover DNSSEC, DS, HMAC and TKEY algorithms. --- bin/named/main.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 84 insertions(+), 3 deletions(-) diff --git a/bin/named/main.c b/bin/named/main.c index af9b7b9c93..6a355cf750 100644 --- a/bin/named/main.c +++ b/bin/named/main.c 
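Review bot: The new declaration's doc comment in dst.h opens with `/*$<`, which is not the `/*%<` marker the rest of the file (and the hunks above) use, and it also contains the typo "associtated"; suggested text: `/*%< * Return the name associated with the HMAC algorithm 'alg', or "unknown". */`. Separately, the function returns `"unknown"` where the removed `alg_totext()` returned `"(unknown)"`, so callers such as `write_key_file()` and the confgen tools now emit a different string for an unrecognised algorithm; the commit message presents this as a pure move, so either restore `"(unknown)"` or mention the change. None of the callers appear to check for the sentinel, so an unrecognised value would be written into a key file as `algorithm unknown;` — a caller-side guard may be worth considering, but that is outside this hunk.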
@@ -462,11 +462,55 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) { } } +static void +list_dnssec_algorithms(isc_buffer_t *b) { + for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) { + if (i == DST_ALG_DH || i == DST_ALG_GSSAPI || + (i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST)) + { + continue; + } + if (dst_algorithm_supported(i)) { + isc_buffer_putstr(b, " "); + (void)dns_secalg_totext(i, b); + } + } +} + +static void +list_ds_algorithms(isc_buffer_t *b) { + for (size_t i = 0; i < 256; i++) { + if (dst_ds_digest_supported(i)) { + isc_buffer_putstr(b, " "); + (void)dns_dsdigest_totext(i, b); + } + } +} + +static void +list_hmac_algorithms(isc_buffer_t *b) { + isc_buffer_t sb = *b; + for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST; + i++) { + if (dst_algorithm_supported(i)) { + isc_buffer_putstr(b, " "); + isc_buffer_putstr(b, dst_hmac_algorithm_totext(i)); + } + } + for (unsigned char *s = isc_buffer_used(&sb); s != isc_buffer_used(b); + s++) { + *s = toupper(*s); + } +} + static void printversion(bool verbose) { char rndcconf[PATH_MAX], *dot = NULL; -#if defined(HAVE_GEOIP2) isc_mem_t *mctx = NULL; + isc_result_t result; + isc_buffer_t b; + char buf[512]; +#if defined(HAVE_GEOIP2) cfg_parser_t *parser = NULL; cfg_obj_t *config = NULL; const cfg_obj_t *defaults = NULL, *obj = NULL; 
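Review bot: The three list helpers append into a caller-supplied fixed 512-byte buffer with no bound check: `(void)dns_secalg_totext(i, b)` discards `ISC_R_NOSPACE` (silent truncation), while `isc_buffer_putstr(b, " ")` on a full static buffer will, if I remember the isc_buffer contract correctly, fail a runtime assertion rather than truncate. 512 bytes is ample for today's algorithm lists, but nothing documents that assumption; I would add `/* buf must hold every supported name; isc_buffer_putstr() asserts rather than truncates on overflow */` next to `char buf[512];` or guard each append with `isc_buffer_availablelength()`. In `list_hmac_algorithms`, the `isc_buffer_t sb = *b;` snapshot deserves a one-line comment (`/* remember where we started so only our output is upper-cased */`), since copying a buffer struct by value is unusual in this codebase. `printversion()` continues past the end of this hunk.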
@@ -538,7 +582,45 @@ printversion(bool verbose) { printf("compiled with protobuf-c version: %s\n", PROTOBUF_C_VERSION); printf("linked to protobuf-c version: %s\n", protobuf_c_version()); #endif /* if defined(HAVE_DNSTAP) */ - printf("threads support is enabled\n\n"); + printf("threads support is enabled\n"); + + isc_mem_create(&mctx); + result = dst_lib_init(mctx, named_g_engine); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DNSSEC algorithms:"); + if (result == ISC_R_SUCCESS) { + list_dnssec_algorithms(&b); + } + printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DS algorithms:"); + if (result == ISC_R_SUCCESS) { + list_ds_algorithms(&b); + } + printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "HMAC algorithms:"); + if (result == ISC_R_SUCCESS) { + list_hmac_algorithms(&b); + } + printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); + + printf("TKEY mode 2 support (Diffie-Hellman): %s\n", + (result == ISC_R_SUCCESS && + dst_algorithm_supported(DST_ALG_DH) && + dst_algorithm_supported(DST_ALG_HMACMD5)) + ? "yes" + : "no"); + + printf("TKEY mode 3 support (GSS-API): %s\n", + (result == ISC_R_SUCCESS && + dst_algorithm_supported(DST_ALG_GSSAPI)) + ? "yes" + : "no"); + printf("\n"); /* * The default rndc.conf and rndc.key paths are in the same @@ -564,7 +646,6 @@ printversion(bool verbose) { printf(" named lock file: %s\n", named_g_defaultlockfile); #if defined(HAVE_GEOIP2) #define RTC(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) - isc_mem_create(&mctx); RTC(cfg_parser_create(mctx, named_g_lctx, &parser)); RTC(named_config_parsedefaults(parser, &config)); RTC(cfg_map_get(config, "options", &defaults)); From cb1515e71f295da79e885172c7e512dfea285009 Mon Sep 17 00:00:00 2001 
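Review bot: `isc_mem_create(&mctx)` and `dst_lib_init()` are now executed for every `-V` invocation, but this hunk removes the create call from the `HAVE_GEOIP2` block without showing a matching teardown; if the `isc_mem_destroy(&mctx)` further down is still inside `#if defined(HAVE_GEOIP2)`, non-GeoIP builds now leak the context, and no `dst_lib_destroy()` is visible at all. Since `-V` exits immediately this is cosmetic, but memory-checked builds will report it; I would add `dst_lib_destroy();` followed by `isc_mem_destroy(&mctx);` outside the `#if` before `printversion()` returns. Also, on a non-success `result` the headers are printed with empty lists, which is indistinguishable from "no algorithms supported". `printversion()` ends outside this hunk.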
From: Mark Andrews Date: Wed, 14 Sep 2022 18:33:42 +1000 Subject: [PATCH 4/9] Report algorithms supported by named at startup --- bin/named/main.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/bin/named/main.c b/bin/named/main.c index 6a355cf750..6d7c1b5afa 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -1020,6 +1020,8 @@ setup(void) { #ifdef HAVE_LIBSCF char *instance = NULL; #endif /* ifdef HAVE_LIBSCF */ + isc_buffer_t b; + char buf[512]; /* * Get the user and group information before changing the root 
@@ -1274,6 +1276,49 @@ setup(void) { ENSURE(named_g_server != NULL); sctx = named_g_server->sctx; + /* + * Report supported algorithms now that dst_lib_init() has + * been called via named_server_create(). + */ + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DNSSEC algorithms:"); + list_dnssec_algorithms(&b); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DS algorithms:"); + list_ds_algorithms(&b); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "HMAC algorithms:"); + list_hmac_algorithms(&b); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s\n", + (dst_algorithm_supported(DST_ALG_DH) && + dst_algorithm_supported(DST_ALG_HMACMD5)) + ? "yes" + : "no"); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s\n", + dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes" + : "no"); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + /* * Modify server context according to command line options */ From 3156d36495a646b6e50dfdf7a1aac3343732f27b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 15 Sep 2022 18:04:52 +1000 Subject: [PATCH 5/9] silence scan-build false positive --- bin/named/main.c | 1 + 1 file changed, 1 insertion(+) 
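Review bot: The two `isc_buffer_printf()` format strings for the TKEY lines end in `\n`, and that newline becomes part of the logged message (`"%.*s"` passes the buffer verbatim), so syslog and file channels will get an embedded line break after each entry; drop the `\n` from both format strings, e.g. `"TKEY mode 2 support (Diffie-Hellman): %s"` and `"TKEY mode 3 support (GSS-API): %s"`. This block also duplicates the formatting code in `printversion()` almost line for line, which is a maintenance hazard worth a shared helper. `setup()` begins and ends outside this hunk.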
diff --git a/bin/named/main.c b/bin/named/main.c index 6d7c1b5afa..db310881b2 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -1558,6 +1558,7 @@ main(int argc, char *argv[]) { setup(); isc_mem_setname(named_g_mctx, "main"); + INSIST(named_g_server != NULL); /* * Start things running From e876de442e38b481600054c1a51ede67c69a3766 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 14 Sep 2022 17:53:21 +1000 Subject: [PATCH 6/9] Add CHANGES entry for [GL #3541] --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 6afcc66316..10fbe1e068 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5984. [func] 'named -V' now reports the list of supported + DNSSEC/DS/HMAC algorithms and the supported TKEY modes. + [GL #3541] + 5983. [bug] Changing just the TSIG key names for primaries in catalog zones' member zones was not effective. [GL #3557] From d34ecdb366efd6ea35a91236d3337301fd178366 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 14 Sep 2022 17:35:47 +1000 Subject: [PATCH 7/9] Deduplicate string formating --- bin/named/main.c | 129 ++++++++++++++++++++--------------------------- 1 file changed, 56 insertions(+), 73 deletions(-) diff --git a/bin/named/main.c b/bin/named/main.c index db310881b2..541564b98f 100644 --- a/bin/named/main.c +++ b/bin/named/main.c 
@@ -503,6 +503,55 @@ list_hmac_algorithms(isc_buffer_t *b) { } } +static void +logit(isc_buffer_t *b) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING, "%.*s", + (int)isc_buffer_usedlength(b), + (char *)isc_buffer_base(b)); +} + +static void +printit(isc_buffer_t *b) { + printf("%.*s\n", (int)isc_buffer_usedlength(b), + (char *)isc_buffer_base(b)); +} + +static void +format_supported_algorithms(void (*emit)(isc_buffer_t *b)) { + isc_buffer_t b; + char buf[512]; + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DNSSEC algorithms:"); + list_dnssec_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DS algorithms:"); + list_ds_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "HMAC algorithms:"); + list_hmac_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", + (dst_algorithm_supported(DST_ALG_DH) && + dst_algorithm_supported(DST_ALG_HMACMD5)) + ? "yes" + : "non"); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s", + dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes" + : "no"); + (*emit)(&b); +} + static void printversion(bool verbose) { char rndcconf[PATH_MAX], *dot = NULL; 
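Review bot: `format_supported_algorithms()` prints `"non"` instead of `"no"` for the unsupported TKEY mode 2 case; the line should read `: "no");`. Separately, `logit()` emits these informational startup lines at `ISC_LOG_WARNING`, whereas the code it replaces used `ISC_LOG_NOTICE`; operators who alert on warnings will page on every restart, so unless the level change is deliberate it should be `ISC_LOG_NOTICE` (or the commit message should say why). A short comment on `format_supported_algorithms()` noting that it requires `dst_lib_init()` to have succeeded would also help, since `printit` and `logit` callers reach it from different initialisation states.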
@@ -586,41 +635,14 @@ printversion(bool verbose) { isc_mem_create(&mctx); result = dst_lib_init(mctx, named_g_engine); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "DNSSEC algorithms:"); if (result == ISC_R_SUCCESS) { - list_dnssec_algorithms(&b); + isc_buffer_init(&b, buf, sizeof(buf)); + format_supported_algorithms(printit); + printf("\n"); + } else { + printf("DST initialization failure: %s\n", + isc_result_totext(result)); } - printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "DS algorithms:"); - if (result == ISC_R_SUCCESS) { - list_ds_algorithms(&b); - } - printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "HMAC algorithms:"); - if (result == ISC_R_SUCCESS) { - list_hmac_algorithms(&b); - } - printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); - - printf("TKEY mode 2 support (Diffie-Hellman): %s\n", - (result == ISC_R_SUCCESS && - dst_algorithm_supported(DST_ALG_DH) && - dst_algorithm_supported(DST_ALG_HMACMD5)) - ? "yes" - : "no"); - - printf("TKEY mode 3 support (GSS-API): %s\n", - (result == ISC_R_SUCCESS && - dst_algorithm_supported(DST_ALG_GSSAPI)) - ? "yes" - : "no"); - printf("\n"); /* * The default rndc.conf and rndc.key paths are in the same @@ -1020,8 +1042,6 @@ setup(void) { #ifdef HAVE_LIBSCF char *instance = NULL; #endif /* ifdef HAVE_LIBSCF */ - isc_buffer_t b; - char buf[512]; /* * Get the user and group information before changing the root 
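Review bot: The `isc_buffer_init(&b, buf, sizeof(buf));` left in front of `format_supported_algorithms(printit);` is now dead code, because the helper formats into its own local buffer and never touches `b`; remove that line, and if nothing else in `printversion()` uses them, the `isc_buffer_t b; char buf[512];` locals declared earlier in the function (outside this hunk) can go too. The new `DST initialization failure: %s` message is a good addition; consider also returning a non-zero exit status in that case so scripts probing `named -V` can detect a broken crypto provider. `printversion()` starts and ends outside this hunk.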
@@ -1280,44 +1300,7 @@ setup(void) { * Report supported algorithms now that dst_lib_init() has * been called via named_server_create(). */ - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "DNSSEC algorithms:"); - list_dnssec_algorithms(&b); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "DS algorithms:"); - list_ds_algorithms(&b); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "HMAC algorithms:"); - list_hmac_algorithms(&b); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s\n", - (dst_algorithm_supported(DST_ALG_DH) && - dst_algorithm_supported(DST_ALG_HMACMD5)) - ? "yes" - : "no"); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s\n", - dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes" - : "no"); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); + format_supported_algorithms(logit); /* * Modify server context according to command line options From c648e280e46e6fe2068fa690dc6f3b0c94bc12a3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 27 Sep 2022 15:10:58 +0200 Subject: [PATCH 8/9] Document list of crypto algorithms in named -V output --- bin/named/named.rst | 3 ++- doc/man/named.8in | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/bin/named/named.rst b/bin/named/named.rst index 78af512fff..dc6e46d3f6 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst @@ -203,7 +203,8 @@ Options .. option:: -V - This option reports the version number and build options, and exits. + This option reports the version number, build options, supported + cryptographics algorithms, and exits. .. option:: -X lock-file diff --git a/doc/man/named.8in b/doc/man/named.8in index 26722d2c1f..2b55eeeed9 100644 --- a/doc/man/named.8in +++ b/doc/man/named.8in @@ -244,7 +244,8 @@ This option reports the version number and exits. .INDENT 0.0 .TP .B \-V -This option reports the version number and build options, and exits. +This option reports the version number, build options, supported +cryptographics algorithms, and exits. .UNINDENT .INDENT 0.0 .TP From c138a8aa59b4329253c5d50938465f8d0e5a7bc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 27 Sep 2022 15:13:13 +0200 Subject: [PATCH 9/9] Add release note for new crypto algorithm logging --- doc/notes/notes-current.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 367d5b3e8c..babef0ad71 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -40,6 +40,9 @@ New Features - The ``nsupdate`` tool now supports DNS-over-TLS (DoT). :gl:`#1781` +- :iscman:`named` now logs the supported cryptographic algorithms during + startup and in the output of :option:`named -V`. :gl:`#3541` + Removed Features ~~~~~~~~~~~~~~~~