From 0bbc0c61e3c98aded2e2b230b52c1d66c8bbd5fe Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 15 Sep 2022 19:18:53 +1000 Subject: [PATCH 1/9] Convert DST_ALG defines to enum and group HMAC algorithms The HMACs and GSSAPI are just using unallocated values. Moving them around shouldn't cause issues. Only the dnssec system test knew the internal number in use for hmacmd5. (cherry picked from commit 09f7e0607a34d90eae53f862954e98c31b5ae532) --- bin/tests/system/dnssec/tests.sh | 2 +- lib/dns/include/dst/dst.h | 56 +++++++++++++++++--------------- lib/isccc/Makefile.am | 1 + lib/isccc/include/isccc/cc.h | 19 ++++++----- 4 files changed, 43 insertions(+), 35 deletions(-) diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 14451f18ae..308bc70468 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3373,7 +3373,7 @@ do 2) # Diffie Helman alg=$((alg+1)) continue;; - 157|160|161|162|163|164|165) # private - non standard + 159|160|161|162|163|164|165) # private - non standard alg=$((alg+1)) continue;; 1|5|7|8|10) # RSA algorithms diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index fdd2122b20..4e2437e11e 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h 
@@ -78,32 +78,36 @@ typedef enum dst_key_state { } dst_key_state_t; /* DST algorithm codes */ -#define DST_ALG_UNKNOWN 0 -#define DST_ALG_RSA 1 /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */ -#define DST_ALG_RSAMD5 1 -#define DST_ALG_DH 2 -#define DST_ALG_DSA 3 -#define DST_ALG_ECC 4 -#define DST_ALG_RSASHA1 5 -#define DST_ALG_NSEC3DSA 6 -#define DST_ALG_NSEC3RSASHA1 7 -#define DST_ALG_RSASHA256 8 -#define DST_ALG_RSASHA512 10 -#define DST_ALG_ECCGOST 12 -#define DST_ALG_ECDSA256 13 -#define DST_ALG_ECDSA384 14 -#define DST_ALG_ED25519 15 -#define DST_ALG_ED448 16 -#define DST_ALG_HMACMD5 157 -#define DST_ALG_GSSAPI 160 -#define DST_ALG_HMACSHA1 161 /* XXXMPA */ -#define DST_ALG_HMACSHA224 162 /* XXXMPA */ -#define DST_ALG_HMACSHA256 163 /* XXXMPA */ -#define DST_ALG_HMACSHA384 164 /* XXXMPA */ -#define DST_ALG_HMACSHA512 165 /* XXXMPA */ -#define DST_ALG_INDIRECT 252 -#define DST_ALG_PRIVATE 254 -#define DST_MAX_ALGS 256 +typedef enum dst_algorithm { + DST_ALG_UNKNOWN = 0, + DST_ALG_RSA = 1, /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */ + DST_ALG_RSAMD5 = 1, + DST_ALG_DH = 2, + DST_ALG_DSA = 3, + DST_ALG_ECC = 4, + DST_ALG_RSASHA1 = 5, + DST_ALG_NSEC3DSA = 6, + DST_ALG_NSEC3RSASHA1 = 7, + DST_ALG_RSASHA256 = 8, + DST_ALG_RSASHA512 = 10, + DST_ALG_ECCGOST = 12, + DST_ALG_ECDSA256 = 13, + DST_ALG_ECDSA384 = 14, + DST_ALG_ED25519 = 15, + DST_ALG_ED448 = 16, + DST_ALG_GSSAPI = 159, + DST_ALG_HMACMD5 = 160, + DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5, + DST_ALG_HMACSHA1 = 161, /* XXXMPA */ + DST_ALG_HMACSHA224 = 162, /* XXXMPA */ + DST_ALG_HMACSHA256 = 163, /* XXXMPA */ + DST_ALG_HMACSHA384 = 164, /* XXXMPA */ + DST_ALG_HMACSHA512 = 165, /* XXXMPA */ + DST_ALG_HMAC_LAST = DST_ALG_HMACSHA512, + DST_ALG_INDIRECT = 252, + DST_ALG_PRIVATE = 254, + DST_MAX_ALGS = 256, +} dst_algorithm_t; /*% A buffer of this size is large enough to hold any key */ #define DST_KEY_MAXSIZE 1280 
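Review bot: Renumbering DST_ALG_HMACMD5 from 157 to 160 (and DST_ALG_GSSAPI from 160 to 159) changes a value that is persisted outside the process: HMAC-MD5 key pairs in the `K{name}.+157+{id}.key`/`.private` format carry the DST number in the file name, the KEY RR and the `Algorithm:` line, and nsupdate -k and dig -k still accept them, so unless there is a compatibility shim I cannot see here, those files will be rejected as unsupported after this change. The commit message's claim that only the dnssec system test knew the number is already contradicted inside this same patch, where lib/isccc/include/isccc/cc.h had 157 hard-coded as well. Safer is to keep `DST_ALG_HMACMD5 = 157,` with `DST_ALG_HMAC_FIRST = DST_ALG_HMACMD5,`, leave DST_ALG_GSSAPI at 160, and have any loop over the HMAC range skip DST_ALG_GSSAPI explicitly. Whatever numbering is kept, a comment above `DST_ALG_HMAC_FIRST` should state that the values between DST_ALG_HMAC_FIRST and DST_ALG_HMAC_LAST are iterated as a contiguous range and can appear in on-disk key files, so they must not be renumbered casually.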
diff --git a/lib/isccc/Makefile.am b/lib/isccc/Makefile.am index 10a0ec1c98..7877bfbb18 100644 --- a/lib/isccc/Makefile.am +++ b/lib/isccc/Makefile.am @@ -27,6 +27,7 @@ libisccc_la_SOURCES = \ libisccc_la_CPPFLAGS = \ $(AM_CPPFLAGS) \ $(LIBISC_CFLAGS) \ + $(LIBDNS_CFLAGS) \ $(LIBISCCC_CFLAGS) libisccc_la_LIBADD = \ diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h index a50b1dea20..f597276756 100644 --- a/lib/isccc/include/isccc/cc.h +++ b/lib/isccc/include/isccc/cc.h @@ -37,19 +37,22 @@ #include #include +#include #include ISC_LANG_BEGINDECLS -/*% from lib/dns/include/dst/dst.h */ - +/*% + * The HMAC algorithms supported by isccc_cc_fromwire and + * isccc_cc_towire as implemented in DST. + */ #define ISCCC_ALG_UNKNOWN 0 -#define ISCCC_ALG_HMACMD5 157 -#define ISCCC_ALG_HMACSHA1 161 -#define ISCCC_ALG_HMACSHA224 162 -#define ISCCC_ALG_HMACSHA256 163 -#define ISCCC_ALG_HMACSHA384 164 -#define ISCCC_ALG_HMACSHA512 165 +#define ISCCC_ALG_HMACMD5 DST_ALG_HMACMD5 +#define ISCCC_ALG_HMACSHA1 DST_ALG_HMACSHA1 +#define ISCCC_ALG_HMACSHA224 DST_ALG_HMACSHA224 +#define ISCCC_ALG_HMACSHA256 DST_ALG_HMACSHA256 +#define ISCCC_ALG_HMACSHA384 DST_ALG_HMACSHA384 +#define ISCCC_ALG_HMACSHA512 DST_ALG_HMACSHA512 /*% Maximum Datagram Package */ #define ISCCC_CC_MAXDGRAMPACKET 4096 From 3d223e0338f28156fd0a150fecab031afd43fc92 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 16 Sep 2022 00:42:15 +1000 Subject: [PATCH 2/9] Replace alg_totext with dst_hmac_algorithm_totext The new library function will be reused by subsequent commits. (cherry picked from commit 151cc2fff99efe11e284ce3ae0796523ce1975e5) --- bin/confgen/keygen.c | 25 +------------------------ bin/confgen/rndc-confgen.c | 2 +- bin/confgen/tsig-keygen.c | 2 +- lib/dns/dst_api.c | 20 ++++++++++++++++++++ lib/dns/include/dst/dst.h | 7 +++++++ 5 files changed, 30 insertions(+), 26 deletions(-) diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 345933d374..97dfa34667 100644 
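Review bot: Defining ISCCC_ALG_HMACSHA* in terms of the DST enum hides that 161..165 are rndc wire-protocol values: if I read lib/isccc/cc.c correctly, the `hsha` authentication field starts with the algorithm number as a single byte and verify() rejects a message whose byte differs from the configured algorithm, so a future DST renumbering (this very patch moves two neighbouring values) would silently break rndc between versions. Pin them next to the new definitions, e.g. `_Static_assert(ISCCC_ALG_HMACSHA1 == 161 && ISCCC_ALG_HMACSHA512 == 165, "ISCCC_ALG_* are rndc wire values");` (or BIND's STATIC_ASSERT wrapper if one is available), or at minimum extend the new comment to say that these numbers are sent on the wire and must never change. It is also worth stating in the commit message that the Makefile.am change makes libisccc depend on libdns headers, which is a new layering edge between the two libraries.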
--- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -34,29 +34,6 @@ #include "util.h" -/*% - * Convert algorithm type to string. - */ -const char * -alg_totext(dns_secalg_t alg) { - switch (alg) { - case DST_ALG_HMACMD5: - return ("hmac-md5"); - case DST_ALG_HMACSHA1: - return ("hmac-sha1"); - case DST_ALG_HMACSHA224: - return ("hmac-sha224"); - case DST_ALG_HMACSHA256: - return ("hmac-sha256"); - case DST_ALG_HMACSHA384: - return ("hmac-sha384"); - case DST_ALG_HMACSHA512: - return ("hmac-sha512"); - default: - return ("(unknown)"); - } -} - /*% * Convert string to algorithm type. */ @@ -175,7 +152,7 @@ void write_key_file(const char *keyfile, const char *user, const char *keyname, isc_buffer_t *secret, dns_secalg_t alg) { isc_result_t result; - const char *algname = alg_totext(alg); + const char *algname = dst_hmac_algorithm_totext(alg); FILE *fd = NULL; DO("create keyfile", isc_file_safecreate(keyfile, &fd)); diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c index e0786be782..817929544e 100644 --- a/bin/confgen/rndc-confgen.c +++ b/bin/confgen/rndc-confgen.c @@ -222,7 +222,7 @@ main(int argc, char **argv) { if (keysize < 0) { keysize = alg_bits(alg); } - algname = alg_totext(alg); + algname = dst_hmac_algorithm_totext(alg); isc_mem_create(&mctx); isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret)); diff --git a/bin/confgen/tsig-keygen.c b/bin/confgen/tsig-keygen.c index dd39ad8726..f6c5b2e272 100644 --- a/bin/confgen/tsig-keygen.c +++ b/bin/confgen/tsig-keygen.c @@ -208,7 +208,7 @@ main(int argc, char **argv) { } /* Use canonical algorithm name */ - algname = alg_totext(alg); + algname = dst_hmac_algorithm_totext(alg); isc_mem_create(&mctx); diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 39fcbf1fa6..c13463ffd1 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c 
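Review bot: alg_totext() is deleted from keygen.c, but the diffstat shows no change to bin/confgen/keygen.h, so if that header still carries `const char *alg_totext(dns_secalg_t alg);` (rndc-confgen.c and tsig-keygen.c must have been getting the prototype from somewhere) it is now a dangling declaration and should be removed in the same commit. In the write_key_file() hunk below, `alg` is a dns_secalg_t handed to a parameter of type dst_algorithm_t; the implicit integer-to-enum conversion is legal C, but a `(dst_algorithm_t)alg` cast would document that the value is expected to be one of the HMAC enumerators, and because the new helper returns the bare word `unknown` for anything else, a generated key file could contain `algorithm unknown;` if validation upstream is ever skipped. write_key_file()'s body continues past the end of that hunk.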
@@ -2747,3 +2747,23 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) { dst_key_setmodified(to, dst_key_ismodified(from)); } + +const char * +dst_hmac_algorithm_totext(dst_algorithm_t alg) { + switch (alg) { + case DST_ALG_HMACMD5: + return ("hmac-md5"); + case DST_ALG_HMACSHA1: + return ("hmac-sha1"); + case DST_ALG_HMACSHA224: + return ("hmac-sha224"); + case DST_ALG_HMACSHA256: + return ("hmac-sha256"); + case DST_ALG_HMACSHA384: + return ("hmac-sha384"); + case DST_ALG_HMACSHA512: + return ("hmac-sha512"); + default: + return ("unknown"); + } +} diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 4e2437e11e..62192a9be7 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -1225,4 +1225,11 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from); * 'to' and 'from' to be valid. */ +const char * +dst_hmac_algorithm_totext(dst_algorithm_t alg); +/*$< + * Return the name associtated with the HMAC algorithm 'alg' + * or return "unknown". + */ + ISC_LANG_ENDDECLS From c0e59be1257693c0639f1bd5a6886aa656665a13 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 14 Sep 2022 17:35:47 +1000 Subject: [PATCH 3/9] Have 'named -V' report supported algorithms These cover DNSSEC, DS, HMAC and TKEY algorithms. (cherry picked from commit b308f866c0bddfd8be293b7f11f03315558fd2d8) --- bin/named/main.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 84 insertions(+), 3 deletions(-) diff --git a/bin/named/main.c b/bin/named/main.c index 2645489aee..18c5394b4b 100644 --- a/bin/named/main.c +++ b/bin/named/main.c 
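Review bot: dst_hmac_algorithm_totext() returns the bare word `unknown` where the bin/confgen alg_totext() it replaces returned `(unknown)`, and the callers converted in this patch write the result straight into key files and rndc.conf snippets, so an unvalidated algorithm now yields a plausible-looking `algorithm unknown;` clause instead of something visibly wrong; consider keeping the parenthesised form, or at least make the contract explicit. The definition has no header comment on the .c side; something like `/*% Configuration-file name of an HMAC algorithm (DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST); returns "unknown" for anything else, including DNSSEC algorithms, which belong to dns_secalg_totext(). */` would stop the next reader from using it for DNSSEC algorithm numbers. The preceding dst_key_copy_metadata() closes within this hunk's context lines, so nothing else is cut by it.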
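Review bot: The documentation block added for dst_hmac_algorithm_totext() opens with `/*$<`, which looks like a typo for the `/*%<` marker the rest of this header and BIND's Doxygen setup use, so the text will not be attached to the prototype in generated documentation; `associtated` is also misspelled. Suggested replacement for the two description lines: ` * Return the configuration name associated with the HMAC algorithm 'alg',` and ` * or "unknown" if 'alg' is not in DST_ALG_HMAC_FIRST..DST_ALG_HMAC_LAST.`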
@@ -462,11 +462,55 @@ set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) { } } +static void +list_dnssec_algorithms(isc_buffer_t *b) { + for (dst_algorithm_t i = DST_ALG_UNKNOWN; i < DST_MAX_ALGS; i++) { + if (i == DST_ALG_DH || i == DST_ALG_GSSAPI || + (i >= DST_ALG_HMAC_FIRST && i <= DST_ALG_HMAC_LAST)) + { + continue; + } + if (dst_algorithm_supported(i)) { + isc_buffer_putstr(b, " "); + (void)dns_secalg_totext(i, b); + } + } +} + +static void +list_ds_algorithms(isc_buffer_t *b) { + for (size_t i = 0; i < 256; i++) { + if (dst_ds_digest_supported(i)) { + isc_buffer_putstr(b, " "); + (void)dns_dsdigest_totext(i, b); + } + } +} + +static void +list_hmac_algorithms(isc_buffer_t *b) { + isc_buffer_t sb = *b; + for (dst_algorithm_t i = DST_ALG_HMAC_FIRST; i <= DST_ALG_HMAC_LAST; + i++) { + if (dst_algorithm_supported(i)) { + isc_buffer_putstr(b, " "); + isc_buffer_putstr(b, dst_hmac_algorithm_totext(i)); + } + } + for (unsigned char *s = isc_buffer_used(&sb); s != isc_buffer_used(b); + s++) { + *s = toupper(*s); + } +} + static void printversion(bool verbose) { char rndcconf[PATH_MAX], *dot = NULL; -#if defined(HAVE_GEOIP2) isc_mem_t *mctx = NULL; + isc_result_t result; + isc_buffer_t b; + char buf[512]; +#if defined(HAVE_GEOIP2) cfg_parser_t *parser = NULL; cfg_obj_t *config = NULL; const cfg_obj_t *defaults = NULL, *obj = NULL; 
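Review bot: list_hmac_algorithms() marks the start of its output by copying the whole buffer struct (`isc_buffer_t sb = *b;`) and later dereferencing isc_buffer_used(&sb), which only works because nothing in between changes the base of `b`; recording the offset is simpler and independent of isc_buffer_t internals: `unsigned int start = isc_buffer_usedlength(b);` followed by `for (unsigned char *s = (unsigned char *)isc_buffer_base(b) + start; s != isc_buffer_used(b); s++)`. The `toupper()` call needs `<ctype.h>`, which no hunk in this patch adds, so either main.c already includes it or this relies on a transitive include; please check. In list_ds_algorithms() the bare `256` deserves a name (`UINT8_MAX + 1`, since DS digest types are one octet). All three helpers append with isc_buffer_putstr(), which in libisc treats a full buffer as a REQUIRE failure if I read isc/buffer.c correctly; the 512-byte buffer in printversion() has ample slack today, but a comment on `char buf[512]` noting that the complete algorithm lists must fit would make that assumption visible to whoever adds the next algorithm.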
@@ -538,7 +582,45 @@ printversion(bool verbose) { printf("compiled with protobuf-c version: %s\n", PROTOBUF_C_VERSION); printf("linked to protobuf-c version: %s\n", protobuf_c_version()); #endif /* if defined(HAVE_DNSTAP) */ - printf("threads support is enabled\n\n"); + printf("threads support is enabled\n"); + + isc_mem_create(&mctx); + result = dst_lib_init(mctx, named_g_engine); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DNSSEC algorithms:"); + if (result == ISC_R_SUCCESS) { + list_dnssec_algorithms(&b); + } + printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DS algorithms:"); + if (result == ISC_R_SUCCESS) { + list_ds_algorithms(&b); + } + printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "HMAC algorithms:"); + if (result == ISC_R_SUCCESS) { + list_hmac_algorithms(&b); + } + printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); + + printf("TKEY mode 2 support (Diffie-Hellman): %s\n", + (result == ISC_R_SUCCESS && + dst_algorithm_supported(DST_ALG_DH) && + dst_algorithm_supported(DST_ALG_HMACMD5)) + ? "yes" + : "no"); + + printf("TKEY mode 3 support (GSS-API): %s\n", + (result == ISC_R_SUCCESS && + dst_algorithm_supported(DST_ALG_GSSAPI)) + ? "yes" + : "no"); + printf("\n"); /* * The default rndc.conf and rndc.key paths are in the same @@ -564,7 +646,6 @@ printversion(bool verbose) { printf(" named lock file: %s\n", named_g_defaultlockfile); #if defined(HAVE_GEOIP2) #define RTC(x) RUNTIME_CHECK((x) == ISC_R_SUCCESS) - isc_mem_create(&mctx); RTC(cfg_parser_create(mctx, named_g_lctx, &parser)); RTC(named_config_parsedefaults(parser, &config)); RTC(cfg_map_get(config, "options", &defaults)); From 450a8ed5d524be1ae975fb0b9a64cefc1decbfd0 Mon Sep 17 00:00:00 2001 
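Review bot: `isc_mem_create(&mctx);` and `dst_lib_init()` now run unconditionally in printversion(), but the only teardown I can infer is whatever the `#if defined(HAVE_GEOIP2)` block does after its cfg parsing (outside this hunk), so builds without GeoIP exit from `-V` with the memory context still live, and every build exits with the DST library never destroyed. That is harmless at process exit, but it is exactly the path where isc_mem leak accounting would otherwise run; add `dst_lib_destroy();` once the three lists and the two TKEY lines have been printed, and make sure `isc_mem_destroy(&mctx);` is reached in the non-GeoIP build as well. The mode 2 line deliberately requires both DST_ALG_DH and DST_ALG_HMACMD5, which matches the HMAC-MD5 key derivation of RFC 2930 section 4.1 if I recall correctly, and that coupling deserves a one-line comment rather than being left implicit. printversion() continues past the end of this hunk.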
From: Mark Andrews Date: Wed, 14 Sep 2022 18:33:42 +1000 Subject: [PATCH 4/9] Report algorithms supported by named at startup (cherry picked from commit cb1515e71f295da79e885172c7e512dfea285009) --- bin/named/main.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/bin/named/main.c b/bin/named/main.c index 18c5394b4b..08eab7cb42 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -1029,6 +1029,8 @@ setup(void) { #ifdef HAVE_LIBSCF char *instance = NULL; #endif /* ifdef HAVE_LIBSCF */ + isc_buffer_t b; + char buf[512]; /* * Get the user and group information before changing the root 
@@ -1293,6 +1295,49 @@ setup(void) { ENSURE(named_g_server != NULL); sctx = named_g_server->sctx; + /* + * Report supported algorithms now that dst_lib_init() has + * been called via named_server_create(). + */ + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DNSSEC algorithms:"); + list_dnssec_algorithms(&b); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DS algorithms:"); + list_ds_algorithms(&b); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "HMAC algorithms:"); + list_hmac_algorithms(&b); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s\n", + (dst_algorithm_supported(DST_ALG_DH) && + dst_algorithm_supported(DST_ALG_HMACMD5)) + ? "yes" + : "no"); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s\n", + dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes" + : "no"); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", + (int)isc_buffer_usedlength(&b), buf); + /* * Modify server context according to command line options */ From 09910d25a9c454ea468961c4ecb4b9a39578a6fb Mon Sep 17 00:00:00 2001 
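Review bot: The two TKEY messages are formatted with a trailing `\n` (`"TKEY mode 2 support (Diffie-Hellman): %s\n"` and the mode 3 equivalent) while the three algorithm-list messages are not; isc_log_write() terminates each record itself, so these two entries carry an embedded newline, which leaves a blank line in file and stderr channels and can confuse line-oriented log collectors. Drop the `\n` from both format strings so all five lines are emitted the same way. The return value of isc_buffer_printf() is also ignored; with fixed strings in a 512-byte buffer that is safe today, but `(void)`-casting it or checking for ISC_R_NOSPACE would make the intent explicit. setup() continues well beyond the end of this hunk.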
From: Mark Andrews Date: Thu, 15 Sep 2022 18:04:52 +1000 Subject: [PATCH 5/9] silence scan-build false positive (cherry picked from commit 3156d36495a646b6e50dfdf7a1aac3343732f27b) --- bin/named/main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/bin/named/main.c b/bin/named/main.c index 08eab7cb42..693c70e552 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -1581,6 +1581,7 @@ main(int argc, char *argv[]) { isc_mem_setname(named_g_mctx, "main"); setup(); + INSIST(named_g_server != NULL); /* * Start things running and then wait for a shutdown request From 2f9a5049981d1cd2e7a9f65207951cbff1707daa Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 14 Sep 2022 17:53:21 +1000 Subject: [PATCH 6/9] Add CHANGES entry for [GL #3541] (cherry picked from commit e876de442e38b481600054c1a51ede67c69a3766) --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index f6c3465385..40ca49c092 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5984. [func] 'named -V' now reports the list of supported + DNSSEC/DS/HMAC algorithms and the supported TKEY modes. + [GL #3541] + 5983. [bug] Changing just the TSIG key names for primaries in catalog zones' member zones was not effective. [GL #3557] From 70606149c6e93afdecc615cfa710a81b12fff91e Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 14 Sep 2022 17:35:47 +1000 Subject: [PATCH 7/9] Deduplicate string formating (cherry picked from commit d34ecdb366efd6ea35a91236d3337301fd178366) --- bin/named/main.c | 129 ++++++++++++++++++++--------------------------- 1 file changed, 56 insertions(+), 73 deletions(-) diff --git a/bin/named/main.c b/bin/named/main.c index 693c70e552..b8122401d0 100644 --- a/bin/named/main.c +++ b/bin/named/main.c 
@@ -503,6 +503,55 @@ list_hmac_algorithms(isc_buffer_t *b) { } } +static void +logit(isc_buffer_t *b) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_WARNING, "%.*s", + (int)isc_buffer_usedlength(b), + (char *)isc_buffer_base(b)); +} + +static void +printit(isc_buffer_t *b) { + printf("%.*s\n", (int)isc_buffer_usedlength(b), + (char *)isc_buffer_base(b)); +} + +static void +format_supported_algorithms(void (*emit)(isc_buffer_t *b)) { + isc_buffer_t b; + char buf[512]; + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DNSSEC algorithms:"); + list_dnssec_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "DS algorithms:"); + list_ds_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_putstr(&b, "HMAC algorithms:"); + list_hmac_algorithms(&b); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s", + (dst_algorithm_supported(DST_ALG_DH) && + dst_algorithm_supported(DST_ALG_HMACMD5)) + ? "yes" + : "non"); + (*emit)(&b); + + isc_buffer_init(&b, buf, sizeof(buf)); + isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s", + dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes" + : "no"); + (*emit)(&b); +} + static void printversion(bool verbose) { char rndcconf[PATH_MAX], *dot = NULL; 
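Review bot: The TKEY mode 2 line now prints `non` instead of `no` when DH or HMAC-MD5 support is missing (`? "yes" : "non");` closing the first isc_buffer_printf() in format_supported_algorithms()), a user-visible regression from the text the previous commit emitted; change it to `: "no");`. logit() also emits these lines at `ISC_LOG_WARNING`, whereas the code it replaces logged them at `ISC_LOG_NOTICE`; an inventory of supported algorithms is informational, and five WARNINGs on every start will trip monitoring that alerts on severity, so use `NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s",` unless the escalation is deliberate and documented. The `printversion()` declaration line closes this hunk; its body lies outside it.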
@@ -586,41 +635,14 @@ printversion(bool verbose) { isc_mem_create(&mctx); result = dst_lib_init(mctx, named_g_engine); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "DNSSEC algorithms:"); if (result == ISC_R_SUCCESS) { - list_dnssec_algorithms(&b); + isc_buffer_init(&b, buf, sizeof(buf)); + format_supported_algorithms(printit); + printf("\n"); + } else { + printf("DST initialization failure: %s\n", + isc_result_totext(result)); } - printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "DS algorithms:"); - if (result == ISC_R_SUCCESS) { - list_ds_algorithms(&b); - } - printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "HMAC algorithms:"); - if (result == ISC_R_SUCCESS) { - list_hmac_algorithms(&b); - } - printf("%.*s\n", (int)isc_buffer_usedlength(&b), buf); - - printf("TKEY mode 2 support (Diffie-Hellman): %s\n", - (result == ISC_R_SUCCESS && - dst_algorithm_supported(DST_ALG_DH) && - dst_algorithm_supported(DST_ALG_HMACMD5)) - ? "yes" - : "no"); - - printf("TKEY mode 3 support (GSS-API): %s\n", - (result == ISC_R_SUCCESS && - dst_algorithm_supported(DST_ALG_GSSAPI)) - ? "yes" - : "no"); - printf("\n"); /* * The default rndc.conf and rndc.key paths are in the same @@ -1029,8 +1051,6 @@ setup(void) { #ifdef HAVE_LIBSCF char *instance = NULL; #endif /* ifdef HAVE_LIBSCF */ - isc_buffer_t b; - char buf[512]; /* * Get the user and group information before changing the root 
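Review bot: `isc_buffer_init(&b, buf, sizeof(buf));` immediately before `format_supported_algorithms(printit);` is dead code, because the helper formats into its own local buffer; `b` and `buf` in printversion() (declared earlier in this series) now exist only to be initialised here, so remove the line and the two locals together. The failure branch prints `DST initialization failure: %s` to stdout interleaved with the version text; as a diagnostic it belongs on stderr (`fprintf(stderr, ...)`) so that scripted consumers of `named -V` output are not surprised. dst_lib_init() still has no matching dst_lib_destroy() on this path, and mctx is only torn down wherever the GeoIP block does so, outside this hunk.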
@@ -1299,44 +1319,7 @@ setup(void) { * Report supported algorithms now that dst_lib_init() has * been called via named_server_create(). */ - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "DNSSEC algorithms:"); - list_dnssec_algorithms(&b); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "DS algorithms:"); - list_ds_algorithms(&b); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_putstr(&b, "HMAC algorithms:"); - list_hmac_algorithms(&b); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_printf(&b, "TKEY mode 2 support (Diffie-Hellman): %s\n", - (dst_algorithm_supported(DST_ALG_DH) && - dst_algorithm_supported(DST_ALG_HMACMD5)) - ? "yes" - : "no"); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); - - isc_buffer_init(&b, buf, sizeof(buf)); - isc_buffer_printf(&b, "TKEY mode 3 support (GSS-API): %s\n", - dst_algorithm_supported(DST_ALG_GSSAPI) ? "yes" - : "no"); - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "%.*s", - (int)isc_buffer_usedlength(&b), buf); + format_supported_algorithms(logit); /* * Modify server context according to command line options From af5f4bacf69a552d98a2cfbed84dfcfb0416ba80 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 27 Sep 2022 15:10:58 +0200 Subject: [PATCH 8/9] Document list of crypto algorithms in named -V output (cherry picked from commit c648e280e46e6fe2068fa690dc6f3b0c94bc12a3) --- bin/named/named.rst | 3 ++- doc/man/named.8in | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/bin/named/named.rst b/bin/named/named.rst index 78af512fff..dc6e46d3f6 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst @@ -203,7 +203,8 @@ Options .. option:: -V - This option reports the version number and build options, and exits. + This option reports the version number, build options, supported + cryptographics algorithms, and exits. .. option:: -X lock-file diff --git a/doc/man/named.8in b/doc/man/named.8in index 26722d2c1f..2b55eeeed9 100644 --- a/doc/man/named.8in +++ b/doc/man/named.8in @@ -244,7 +244,8 @@ This option reports the version number and exits. .INDENT 0.0 .TP .B \-V -This option reports the version number and build options, and exits. +This option reports the version number, build options, supported +cryptographics algorithms, and exits. .UNINDENT .INDENT 0.0 .TP From 81c8cc37aa712b70d53f6381c89a729783eac7b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 27 Sep 2022 15:13:13 +0200 Subject: [PATCH 9/9] Add release note for new crypto algorithm logging (cherry picked from commit c138a8aa59b4329253c5d50938465f8d0e5a7bc6) --- doc/notes/notes-current.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index a6fea55e07..6436c16ec7 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -29,6 +29,9 @@ New Features - None. +- :iscman:`named` now logs the supported cryptographic algorithms during + startup and in the output of :option:`named -V`. :gl:`#3541` + Removed Features ~~~~~~~~~~~~~~~~
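Review bot: Both the reST source and the generated man page say `cryptographics algorithms`; it should read `cryptographic algorithms`, i.e. `This option reports the version number, build options, supported` / `cryptographic algorithms, and exits.` The same sentence could usefully mention that TKEY mode support is reported too, since CHANGES entry 5984 lists it while this description and the release note do not.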