2834. [bug] HMAC-SHA* keys that were longer than the algorithm
			digest length were used incorrectly, leading to
			interoperability problems with other DNS
			implementations.  This has been corrected.
			(Note: If an oversize key is in use, and
			compatibility is needed with an older release of
			BIND, the new tool "isc-hmac-fixup" can convert
			the key secret to a form that will work with all
			versions.) [RT #20751]
This commit is contained in:
Evan Hunt
2010-01-07 21:52:12 +00:00
parent da42475564
commit 0f66aced26
19 changed files with 1080 additions and 80 deletions

10
CHANGES
@@ -1,3 +1,13 @@
2834. [bug] HMAC-SHA* keys that were longer than the algorithm
digest length were used incorrectly, leading to
interoperability problems with other DNS
implementations. This has been corrected.
(Note: If an oversize key is in use, and
compatibility is needed with an older release of
BIND, the new tool "isc-hmac-fixup" can convert
the key secret to a form that will work with all
versions.) [RT #20751]
2833. [cleanup] Fix usage messages in dnssec-keygen and dnssec-settime.
[RT #20851]

@@ -1,5 +1,6 @@
Makefile
arpaname
genrandom
isc-hmac-fixup
named-journalprint
nsec3hash

@@ -12,7 +12,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.11 2009/12/05 23:31:40 each Exp $
# $Id: Makefile.in,v 1.12 2010/01/07 21:52:11 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -43,12 +43,14 @@ NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
TARGETS = arpaname@EXEEXT@ named-journalprint@EXEEXT@ nsec3hash@EXEEXT@ \
genrandom@EXEEXT@
SRCS = arpaname.c named-journalprint.c nsec3hash.c genrandom.c
genrandom@EXEEXT@ isc-hmac-fixup@EXEEXT@
SRCS = arpaname.c named-journalprint.c nsec3hash.c genrandom.c \
isc-hmac-fixup.c
MANPAGES = arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8
MANPAGES = arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8 \
isc-hmac-fixup.8
HTMLPAGES = arpaname.html named-journalprint.html nsec3hash.html \
genrandom.html
genrandom.html isc-hmac-fixup.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@@ -67,6 +69,11 @@ nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
export LIBS0="${DNSLIBS}"; \
${FINALBUILDCMD}
isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS}
export BASEOBJS="isc-hmac-fixup.@O@"; \
export LIBS0="${ISCLIBS}"; \
${FINALBUILDCMD}
genrandom@EXEEXT@: genrandom.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
@@ -85,7 +92,9 @@ install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8

@@ -0,0 +1,59 @@
.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: isc-hmac-fixup.8,v 1.1 2010/01/07 21:52:11 each Exp $
.\"
.hy 0
.ad l
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "ISC-HMAC-FIXUP" 1 "January 5, 2010" "" ""
.SH NAME
isc-hmac-fixup \- fixes HMAC keys generated by older versions of BIND
.SH "SYNOPSIS"
.HP 15
\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR}
.SH "DESCRIPTION"
.PP
Versions of BIND 9 up to and including BIND 9\&.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i\&.e\&., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations\&.
.PP
This bug has been fixed in BIND 9\&.7\&. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys\&. \fBisc\-hmac\-fixup\fR modifies those keys to restore compatibility\&.
.PP
To modify a key, run \fBisc\-hmac\-fixup\fR and specify the key's algorithm and secret on the command line\&. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret\&. (If the secret did not require conversion, then it will be printed without modification\&.)
.SH "SECURITY CONSIDERATIONS"
.PP
Secrets that have been converted by \fBisc\-hmac\-fixup\fR are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security\&. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength\&."
.SH "SEE ALSO"
.PP
BIND 9 Administrator Reference Manual, RFC 2104\&.
.SH "AUTHOR"
.PP
Internet Systems Consortium
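
Review bot: the .TH line declares manual section 1 (.TH "ISC-HMAC-FIXUP" 1 "January 5, 2010"), but this file is named isc-hmac-fixup.8 and the Makefile.in change installs it into ${DESTDIR}${mandir}/man8 alongside a binary in ${sbindir}. The header should say section 8. Because the page is marked as generated by db2man.xsl, make the change in the DocBook source and regenerate rather than editing this file by hand.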

148
bin/tools/isc-hmac-fixup.c Normal file
@@ -0,0 +1,148 @@
/*
* Portions Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <config.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/md5.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sha1.h>
#include <isc/sha2.h>
#include <isc/stdio.h>
#include <isc/string.h>
#define HMAC_LEN 64
int
main(int argc, char **argv) {
isc_buffer_t buf;
unsigned char key[1024];
char secret[1024];
char base64[(1024*4)/3];
isc_region_t r;
isc_result_t result;
if (argc != 3) {
fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]);
fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | "
"SHA256 | SHA384 | SHA512)\n");
return (1);
}
isc_buffer_init(&buf, secret, sizeof(secret));
result = isc_base64_decodestring(argv[2], &buf);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "error: %s\n", isc_result_totext(result));
return (1);
}
isc__buffer_usedregion(&buf, &r);
if (!strcasecmp(argv[1], "md5") ||
!strcasecmp(argv[1], "hmac-md5")) {
if (r.length > HMAC_LEN) {
isc_md5_t md5ctx;
isc_md5_init(&md5ctx);
isc_md5_update(&md5ctx, r.base, r.length);
isc_md5_final(&md5ctx, key);
r.base = key;
r.length = ISC_MD5_DIGESTLENGTH;
}
} else if (!strcasecmp(argv[1], "sha1") ||
!strcasecmp(argv[1], "hmac-sha1")) {
if (r.length > ISC_SHA1_DIGESTLENGTH) {
isc_sha1_t sha1ctx;
isc_sha1_init(&sha1ctx);
isc_sha1_update(&sha1ctx, r.base, r.length);
isc_sha1_final(&sha1ctx, key);
r.base = key;
r.length = ISC_SHA1_DIGESTLENGTH;
}
} else if (!strcasecmp(argv[1], "sha224") ||
!strcasecmp(argv[1], "hmac-sha224")) {
if (r.length > ISC_SHA224_DIGESTLENGTH) {
isc_sha224_t sha224ctx;
isc_sha224_init(&sha224ctx);
isc_sha224_update(&sha224ctx, r.base, r.length);
isc_sha224_final(key, &sha224ctx);
r.base = key;
r.length = ISC_SHA224_DIGESTLENGTH;
}
} else if (!strcasecmp(argv[1], "sha256") ||
!strcasecmp(argv[1], "hmac-sha256")) {
if (r.length > ISC_SHA256_DIGESTLENGTH) {
isc_sha256_t sha256ctx;
isc_sha256_init(&sha256ctx);
isc_sha256_update(&sha256ctx, r.base, r.length);
isc_sha256_final(key, &sha256ctx);
r.base = key;
r.length = ISC_SHA256_DIGESTLENGTH;
}
} else if (!strcasecmp(argv[1], "sha384") ||
!strcasecmp(argv[1], "hmac-sha384")) {
if (r.length > ISC_SHA384_DIGESTLENGTH) {
isc_sha384_t sha384ctx;
isc_sha384_init(&sha384ctx);
isc_sha384_update(&sha384ctx, r.base, r.length);
isc_sha384_final(key, &sha384ctx);
r.base = key;
r.length = ISC_SHA384_DIGESTLENGTH;
}
} else if (!strcasecmp(argv[1], "sha512") ||
!strcasecmp(argv[1], "hmac-sha512")) {
if (r.length > ISC_SHA512_DIGESTLENGTH) {
isc_sha512_t sha512ctx;
isc_sha512_init(&sha512ctx);
isc_sha512_update(&sha512ctx, r.base, r.length);
isc_sha512_final(key, &sha512ctx);
r.base = key;
r.length = ISC_SHA512_DIGESTLENGTH;
}
} else {
fprintf(stderr, "unknown hmac/digest algorithm: %s\n", argv[1]);
return (1);
}
isc_buffer_init(&buf, base64, sizeof(base64));
result = isc_base64_totext(&r, 0, "", &buf);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "error: %s\n", isc_result_totext(result));
return (1);
}
fprintf(stdout, "%.*s\n", isc_buffer_usedlength(&buf), base64);
return (0);
}
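
Review bot: the key secret is read from argv[2] (isc_base64_decodestring(argv[2], &buf) in main()), which exposes a TSIG secret in the process list and in shell history for anyone converting a production key. Consider accepting the secret on stdin or from a key file, or at minimum call the exposure out in the man page. Smaller points in the same function: isc__buffer_usedregion() is the double-underscore form while every other call uses the public isc_buffer_* names; the final fprintf passes isc_buffer_usedlength(&buf) as the precision for "%.*s", which requires an int, so add an explicit (int) cast unless that call already yields one; and the MD5 branch tests r.length against HMAC_LEN while each SHA branch tests against its ISC_SHA*_DIGESTLENGTH, which deserves a comment explaining why the thresholds differ.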

@@ -0,0 +1,109 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: isc-hmac-fixup.docbook,v 1.2 2010/01/07 21:52:11 each Exp $ -->
<refentry id="man.isc-hmac-fixup">
<refentryinfo>
<date>January 5, 2010</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>isc-hmac-fixup</application></refname>
<refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>isc-hmac-fixup</command>
<arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req"><replaceable class="parameter">secret</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
longer than 256 bits, etc) to be used incorrectly, generating a
message authentication code that was incompatible with other DNS
implementations.
</para>
<para>
This bug has been fixed in BIND 9.7. However, the fix may
cause incompatibility between older and newer versions of
BIND, when using long keys. <command>isc-hmac-fixup</command>
modifies those keys to restore compatibility.
</para>
<para>
To modify a key, run <command>isc-hmac-fixup</command> and
specify the key's algorithm and secret on the command line. If the
secret is longer than the digest length of the algorithm (64 bytes
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
new secret will be generated consisting of a hash digest of the old
secret. (If the secret did not require conversion, then it will be
printed without modification.)
</para>
</refsect1>
<refsect1>
<title>SECURITY CONSIDERATIONS</title>
<para>
Secrets that have been converted by <command>isc-hmac-fixup</command>
are shortened, but as this is how the HMAC protocol works in
operation anyway, it does not affect security. RFC 2104 notes,
"Keys longer than [the digest length] are acceptable but the
extra length would not significantly increase the function
strength."
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2104</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->
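
Review bot: in the third DESCRIPTION paragraph, the parenthetical "(64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512)" contradicts both the first paragraph (SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits) and isc-hmac-fixup.c, which converts a secret when r.length exceeds ISC_SHA1_DIGESTLENGTH through ISC_SHA512_DIGESTLENGTH. The 64 and 128 byte figures are the hash block sizes, not the digest lengths, so an operator reading this cannot tell whether a 40-byte HMAC-SHA1 secret will be rewritten. State the threshold the tool actually applies per algorithm. The text also never mentions MD5, which the tool accepts and converts only above HMAC_LEN (64) bytes.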

@@ -0,0 +1,83 @@
<!--
- Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: isc-hmac-fixup.html,v 1.1 2010/01/07 21:52:11 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>isc-hmac-fixup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id215034"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
longer than 256 bits, etc) to be used incorrectly, generating a
message authentication code that was incompatible with other DNS
implementations.
</p>
<p>
This bug has been fixed in BIND 9.7. However, the fix may
cause incompatibility between older and newer versions of
BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
modifies those keys to restore compatibility.
</p>
<p>
To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
specify the key's algorithm and secret on the command line. If the
secret is longer than the digest length of the algorithm (64 bytes
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
new secret will be generated consisting of a hash digest of the old
secret. (If the secret did not require conversion, then it will be
printed without modification.)
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215065"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
operation anyway, it does not affect security. RFC 2104 notes,
"Keys longer than [the digest length] are acceptable but the
extra length would not significantly increase the function
strength."
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215080"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id215096"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

@@ -0,0 +1,103 @@
# Microsoft Developer Studio Project File - Name="ischmacfixup" - Package Owner=<4>
# Microsoft Developer Studio Generated Build File, Format Version 6.00
# ** DO NOT EDIT **
# TARGTYPE "Win32 (x86) Console Application" 0x0103
CFG=ischmacfixup - Win32 Debug
!MESSAGE This is not a valid makefile. To build this project using NMAKE,
!MESSAGE use the Export Makefile command and run
!MESSAGE
!MESSAGE NMAKE /f "ischmacfixup.mak".
!MESSAGE
!MESSAGE You can specify a configuration when running NMAKE
!MESSAGE by defining the macro CFG on the command line. For example:
!MESSAGE
!MESSAGE NMAKE /f "ischmacfixup.mak" CFG="ischmacfixup - Win32 Debug"
!MESSAGE
!MESSAGE Possible choices for configuration are:
!MESSAGE
!MESSAGE "ischmacfixup - Win32 Release" (based on "Win32 (x86) Console Application")
!MESSAGE "ischmacfixup - Win32 Debug" (based on "Win32 (x86) Console Application")
!MESSAGE
# Begin Project
# PROP AllowPerConfigDependencies 0
# PROP Scc_ProjName ""
# PROP Scc_LocalPath ""
CPP=cl.exe
RSC=rc.exe
!IF "$(CFG)" == "ischmacfixup - Win32 Release"
# PROP BASE Use_MFC 0
# PROP BASE Use_Debug_Libraries 0
# PROP BASE Output_Dir "Release"
# PROP BASE Intermediate_Dir "Release"
# PROP BASE Target_Dir ""
# PROP Use_MFC 0
# PROP Use_Debug_Libraries 0
# PROP Output_Dir "Release"
# PROP Intermediate_Dir "Release"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/isc-hmac-fixup.exe"
!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"
# PROP BASE Use_MFC 0
# PROP BASE Use_Debug_Libraries 1
# PROP BASE Output_Dir "Debug"
# PROP BASE Intermediate_Dir "Debug"
# PROP BASE Target_Dir ""
# PROP Use_MFC 0
# PROP Use_Debug_Libraries 1
# PROP Output_Dir "Debug"
# PROP Intermediate_Dir "Debug"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c
# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
# SUBTRACT CPP /X /YX
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/isc-hmac-fixup.exe" /pdbtype:sept
!ENDIF
# Begin Target
# Name "ischmacfixup - Win32 Release"
# Name "ischmacfixup - Win32 Debug"
# Begin Group "Source Files"
# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
# Begin Source File
SOURCE="..\isc-hmac-fixup.c"
# End Source File
# End Group
# Begin Group "Header Files"
# PROP Default_Filter "h;hpp;hxx;hm;inl"
# End Group
# Begin Group "Resource Files"
# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
# End Group
# End Target
# End Project

@@ -0,0 +1,29 @@
Microsoft Developer Studio Workspace File, Format Version 6.00
# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
###############################################################################
Project: "ischmacfixup"=".\ischmacfixup.dsp" - Package Owner=<4>
Package=<5>
{{{
}}}
Package=<4>
{{{
}}}
###############################################################################
Global:
Package=<5>
{{{
}}}
Package=<3>
{{{
}}}
###############################################################################

@@ -0,0 +1,299 @@
# Microsoft Developer Studio Generated NMAKE File, Based on ischmacfixup.dsp
!IF "$(CFG)" == ""
CFG=ischmacfixup - Win32 Debug
!MESSAGE No configuration specified. Defaulting to ischmacfixup - Win32 Debug.
!ENDIF
!IF "$(CFG)" != "ischmacfixup - Win32 Release" && "$(CFG)" != "ischmacfixup - Win32 Debug"
!MESSAGE Invalid configuration "$(CFG)" specified.
!MESSAGE You can specify a configuration when running NMAKE
!MESSAGE by defining the macro CFG on the command line. For example:
!MESSAGE
!MESSAGE NMAKE /f "ischmacfixup.mak" CFG="ischmacfixup - Win32 Debug"
!MESSAGE
!MESSAGE Possible choices for configuration are:
!MESSAGE
!MESSAGE "ischmacfixup - Win32 Release" (based on "Win32 (x86) Console Application")
!MESSAGE "ischmacfixup - Win32 Debug" (based on "Win32 (x86) Console Application")
!MESSAGE
!ERROR An invalid configuration is specified.
!ENDIF
!IF "$(OS)" == "Windows_NT"
NULL=
!ELSE
NULL=nul
!ENDIF
!IF "$(CFG)" == "ischmacfixup - Win32 Release"
_VC_MANIFEST_INC=0
_VC_MANIFEST_BASENAME=__VC80
!ELSE
_VC_MANIFEST_INC=1
_VC_MANIFEST_BASENAME=__VC80.Debug
!ENDIF
####################################################
# Specifying name of temporary resource file used only in incremental builds:
!if "$(_VC_MANIFEST_INC)" == "1"
_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
!else
_VC_MANIFEST_AUTO_RES=
!endif
####################################################
# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
!if "$(_VC_MANIFEST_INC)" == "1"
#MT_SPECIAL_RETURN=1090650113
#MT_SPECIAL_SWITCH=-notify_resource_update
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
!else
_VC_MANIFEST_EMBED_EXE= \
if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
!endif
####################################################
# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
!if "$(_VC_MANIFEST_INC)" == "1"
#MT_SPECIAL_RETURN=1090650113
#MT_SPECIAL_SWITCH=-notify_resource_update
MT_SPECIAL_RETURN=0
MT_SPECIAL_SWITCH=
_VC_MANIFEST_EMBED_EXE= \
if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
link $** /out:$@ $(LFLAGS)
!else
_VC_MANIFEST_EMBED_EXE= \
if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
!endif
####################################################
# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
!if "$(_VC_MANIFEST_INC)" == "1"
_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
$(_VC_MANIFEST_BASENAME).auto.rc \
$(_VC_MANIFEST_BASENAME).auto.manifest
!else
_VC_MANIFEST_CLEAN=
!endif
!IF "$(CFG)" == "ischmacfixup - Win32 Release"
OUTDIR=.\Release
INTDIR=.\Release
ALL : "..\..\..\Build\Release\isc-hmac-fixup.exe"
CLEAN :
-@erase "$(INTDIR)\isc-hmac-fixup.obj"
-@erase "$(INTDIR)\vc60.idb"
-@erase "..\..\..\Build\Release\isc-hmac-fixup.exe"
-@$(_VC_MANIFEST_CLEAN)
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP=cl.exe
CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\isc-hmac-fixup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
.c{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.cpp{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.cxx{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.c{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.cpp{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.cxx{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
<<
RSC=rc.exe
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\isc-hmac-fixup.bsc"
BSC32_SBRS= \
LINK32=link.exe
LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\isc-hmac-fixup.pdb" /machine:I386 /out:"../../../Build/Release/isc-hmac-fixup.exe"
LINK32_OBJS= \
"$(INTDIR)\isc-hmac-fixup.obj"
"..\..\..\Build\Release\isc-hmac-fixup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
$(LINK32) @<<
$(LINK32_FLAGS) $(LINK32_OBJS)
<<
$(_VC_MANIFEST_EMBED_EXE)
!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"
OUTDIR=.\Debug
INTDIR=.\Debug
# Begin Custom Macros
OutDir=.\Debug
# End Custom Macros
ALL : "..\..\..\Build\Debug\isc-hmac-fixup.exe" "$(OUTDIR)\isc-hmac-fixup.bsc"
CLEAN :
-@erase "$(INTDIR)\isc-hmac-fixup.obj"
-@erase "$(INTDIR)\isc-hmac-fixup.sbr"
-@erase "$(INTDIR)\vc60.idb"
-@erase "$(INTDIR)\vc60.pdb"
-@erase "$(OUTDIR)\isc-hmac-fixup.pdb"
-@erase "$(OUTDIR)\isc-hmac-fixup.bsc"
-@erase "..\..\..\Build\Debug\isc-hmac-fixup.exe"
-@erase "..\..\..\Build\Debug\isc-hmac-fixup.ilk"
-@$(_VC_MANIFEST_CLEAN)
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP=cl.exe
CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
.c{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.cpp{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.cxx{$(INTDIR)}.obj::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.c{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.cpp{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
<<
.cxx{$(INTDIR)}.sbr::
$(CPP) @<<
$(CPP_PROJ) $<
<<
RSC=rc.exe
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\isc-hmac-fixup.bsc"
BSC32_SBRS= \
"$(INTDIR)\isc-hmac-fixup.sbr"
"$(OUTDIR)\isc-hmac-fixup.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
$(BSC32) @<<
$(BSC32_FLAGS) $(BSC32_SBRS)
<<
LINK32=link.exe
LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\isc-hmac-fixup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/isc-hmac-fixup.exe" /pdbtype:sept
LINK32_OBJS= \
"$(INTDIR)\isc-hmac-fixup.obj"
"..\..\..\Build\Debug\isc-hmac-fixup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
$(LINK32) @<<
$(LINK32_FLAGS) $(LINK32_OBJS)
<<
$(_VC_MANIFEST_EMBED_EXE)
!ENDIF
!IF "$(NO_EXTERNAL_DEPS)" != "1"
!IF EXISTS("isc-hmac-fixup.dep")
!INCLUDE "isc-hmac-fixup.dep"
!ELSE
!MESSAGE Warning: cannot find "isc-hmac-fixup.dep"
!ENDIF
!ENDIF
!IF "$(CFG)" == "ischmacfixup - Win32 Release" || "$(CFG)" == "ischmacfixup - Win32 Debug"
SOURCE="..\isc-hmac-fixup.c"
!IF "$(CFG)" == "ischmacfixup - Win32 Release"
"$(INTDIR)\isc-hmac-fixup.obj" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"
"$(INTDIR)\isc-hmac-fixup.obj" "$(INTDIR)\isc-hmac-fixup.sbr" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
!ENDIF
####################################################
# Commands to generate initial empty manifest file and the RC file
# that references it, and for generating the .res file:
$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
type <<$@
#include <winuser.h>
1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
<< KEEP
$(_VC_MANIFEST_BASENAME).auto.manifest :
type <<$@
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
</assembly>
<< KEEP
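
Review bot: the block introduced by the comment "# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:" assigns _VC_MANIFEST_EMBED_EXE again in both of its branches instead of _VC_MANIFEST_EMBED_DLL, so it replaces the EXE definition made just above it. In the Release configuration (_VC_MANIFEST_INC=0) the link rule's $(_VC_MANIFEST_EMBED_EXE) therefore ends up with -outputresource:$@;2 rather than ;1. Rename the two assignments in that block to _VC_MANIFEST_EMBED_DLL, or drop the block, since this makefile only builds isc-hmac-fixup.exe.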

@@ -271,7 +271,7 @@ SOURCE="..\named-journalprint.c"
!ELSEIF "$(CFG)" == "journalprint - Win32 Debug"
"$(INTDIR)\named-journalprint.obj" "$(INTDIR)\named-journalprint.sbr" : $(SOURCE) "$(INTDIR)"
"$(INTDIR)\named-journalprint.obj" "$(INTDIR)\named-journalprint.sbr" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: BINDInstallDlg.cpp,v 1.46 2009/12/04 21:59:23 marka Exp $ */
/* $Id: BINDInstallDlg.cpp,v 1.47 2010/01/07 21:52:12 each Exp $ */
/*
* Copyright (c) 1999-2000 by Nortel Networks Corporation
@@ -158,6 +158,7 @@ const FileData installFiles[] =
{"named-checkzone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"named-compilezone.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"named-journalprint.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"isc-hmax-fixup.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"pkcs11-destroy.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"pkcs11-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"pkcs11-list.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
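
Review bot: the new installFiles entry is spelled "isc-hmax-fixup.exe", but the project files added in this same commit produce isc-hmac-fixup.exe (/out:"../../../Build/Release/isc-hmac-fixup.exe"), so the installer's file list names a binary the build does not create. Change the entry to "isc-hmac-fixup.exe".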

@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.451 2009/12/18 07:56:29 each Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.452 2010/01/07 21:52:12 each Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -15673,6 +15673,7 @@ zone "example.com" {
<xi:include href="../../bin/confgen/ddns-confgen.docbook"/>
<xi:include href="../../bin/tools/arpaname.docbook"/>
<xi:include href="../../bin/tools/genrandom.docbook"/>
<xi:include href="../../bin/tools/isc-hmac-fixup.docbook"/>
<xi:include href="../../bin/tools/nsec3hash.docbook"/>
</reference>

View File

@@ -0,0 +1,122 @@
<!--
- Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.isc-hmac-fixup.html,v 1.1 2010/01/07 21:52:12 each Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>isc-hmac-fixup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.67.2">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.genrandom.html" title="genrandom">
<link rel="next" href="man.nsec3hash.html" title="nsec3hash">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">isc-hmac-fixup</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">isc-hmac-fixup</span> &#8212; fixes HMAC keys generated by older versions of BIND</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id302013"></a><h2>DESCRIPTION</h2>
<p>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
longer than 256 bits, etc) to be used incorrectly, generating a
message authentication code that was incompatible with other DNS
implementations.
</p>
<p>
This bug has been fixed in BIND 9.7. However, the fix may
cause incompatibility between older and newer versions of
BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
modifies those keys to restore compatibility.
</p>
<p>
To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
specify the key's algorithm and secret on the command line. If the
secret is longer than the digest length of the algorithm (64 bytes
for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
new secret will be generated consisting of a hash digest of the old
secret. (If the secret did not require conversion, then it will be
printed without modification.)
</p>
</div>
<div class="refsect1" lang="en">
<a name="id272868"></a><h2>SECURITY CONSIDERATIONS</h2>
<p>
Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
are shortened, but as this is how the HMAC protocol works in
operation anyway, it does not affect security. RFC 2104 notes,
"Keys longer than [the digest length] are acceptable but the
extra length would not significantly increase the function
strength."
</p>
</div>
<div class="refsect1" lang="en">
<a name="id306719"></a><h2>SEE ALSO</h2>
<p>
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2104</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id317945"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.genrandom.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.nsec3hash.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">genrandom</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">nsec3hash</span>
</td>
</tr>
</table>
</div>
</body>
</html>
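Review bot: the third DESCRIPTION paragraph says a secret is converted when it is "longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512)", but 64 and 128 bytes are the hash block lengths, not the digest lengths (the first paragraph correctly gives the SHA1 digest as 160 bits). Since the code change in hmac_link.c moves the threshold from the *_DIGESTLENGTH to the *_BLOCK_LENGTH constants, the sentence should say "block length" so operators can tell whether their key will be rewritten. It would also help to state that the generated file's copyright header reads 2004-2009 while the copyrights list records this page as 2010.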

View File

@@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: hmac_link.c,v 1.15 2009/10/24 09:46:19 fdupont Exp $
* $Id: hmac_link.c,v 1.16 2010/01/07 21:52:12 each Exp $
*/
#include <config.h>
@@ -50,14 +50,10 @@
#include "dst_internal.h"
#include "dst_parse.h"
#define HMAC_LEN 64
#define HMAC_IPAD 0x36
#define HMAC_OPAD 0x5c
static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacmd5_key {
unsigned char key[HMAC_LEN];
unsigned char key[ISC_MD5_BLOCK_LENGTH];
};
static isc_result_t
@@ -79,7 +75,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
if (hmacmd5ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
return (ISC_R_SUCCESS);
}
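Review bot: hmacmd5_createctx now passes ISC_SHA1_BLOCK_LENGTH to isc_hmacmd5_init, although struct dst_hmacmd5_key was just resized with ISC_MD5_BLOCK_LENGTH and this commit adds that constant to md5.h for exactly this purpose. Use ISC_MD5_BLOCK_LENGTH (or sizeof(hkey->key)) here so the MD5 code does not depend on a SHA-1 constant happening to have the same value; the same substitution applies to the hmacmd5_compare, hmacmd5_generate and hmacmd5_fromdns hunks that follow.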
@@ -142,7 +138,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
if (memcmp(hkey1->key, hkey2->key, HMAC_LEN) == 0)
if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -152,18 +148,18 @@ static isc_result_t
hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_t b;
isc_result_t ret;
int bytes;
unsigned char data[HMAC_LEN];
unsigned int bytes;
unsigned char data[ISC_SHA1_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
if (bytes > HMAC_LEN) {
bytes = HMAC_LEN;
key->key_size = HMAC_LEN * 8;
if (bytes > ISC_SHA1_BLOCK_LENGTH) {
bytes = ISC_SHA1_BLOCK_LENGTH;
key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
}
memset(data, 0, HMAC_LEN);
memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -172,7 +168,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacmd5_fromdns(key, &b);
memset(data, 0, HMAC_LEN);
memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
return (ret);
}
@@ -186,6 +182,7 @@ hmacmd5_isprivate(const dst_key_t *key) {
static void
hmacmd5_destroy(dst_key_t *key) {
dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
key->keydata.hmacmd5 = NULL;
@@ -225,7 +222,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
if (r.length > HMAC_LEN) {
if (r.length > ISC_SHA1_BLOCK_LENGTH) {
isc_md5_init(&md5ctx);
isc_md5_update(&md5ctx, r.base, r.length);
isc_md5_final(&md5ctx, hkey->key);
@@ -341,7 +338,7 @@ dst__hmacmd5_init(dst_func_t **funcp) {
static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha1_key {
unsigned char key[ISC_SHA1_DIGESTLENGTH];
unsigned char key[ISC_SHA1_BLOCK_LENGTH];
};
static isc_result_t
@@ -352,7 +349,7 @@ hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
if (hmacsha1ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
return (ISC_R_SUCCESS);
}
@@ -415,7 +412,7 @@ hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_DIGESTLENGTH) == 0)
if (memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -425,18 +422,18 @@ static isc_result_t
hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_t b;
isc_result_t ret;
int bytes;
unsigned char data[HMAC_LEN];
unsigned int bytes;
unsigned char data[ISC_SHA1_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
if (bytes > HMAC_LEN) {
bytes = HMAC_LEN;
key->key_size = HMAC_LEN * 8;
if (bytes > ISC_SHA1_BLOCK_LENGTH) {
bytes = ISC_SHA1_BLOCK_LENGTH;
key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
}
memset(data, 0, HMAC_LEN);
memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -445,7 +442,7 @@ hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha1_fromdns(key, &b);
memset(data, 0, ISC_SHA1_DIGESTLENGTH);
memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
return (ret);
}
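Review bot: the closing memset(data, 0, ISC_SHA1_BLOCK_LENGTH) in hmacsha1_generate clears a local buffer immediately before return (ret), and a compiler is allowed to drop such a store as dead, which would leave the freshly generated key bytes on the stack. The length fix is right (the old ISC_SHA1_DIGESTLENGTH cleared only part of the buffer), but consider a clearing call the optimizer cannot remove, and sizeof(data) instead of repeating the constant. The same pattern ends every hmac*_generate function touched by this patch.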
@@ -459,6 +456,7 @@ hmacsha1_isprivate(const dst_key_t *key) {
static void
hmacsha1_destroy(dst_key_t *key) {
dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
key->keydata.hmacsha1 = NULL;
@@ -498,7 +496,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
if (r.length > ISC_SHA1_DIGESTLENGTH) {
if (r.length > ISC_SHA1_BLOCK_LENGTH) {
isc_sha1_init(&sha1ctx);
isc_sha1_update(&sha1ctx, r.base, r.length);
isc_sha1_final(&sha1ctx, hkey->key);
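Review bot: the threshold in hmacsha1_fromdns changes from ISC_SHA1_DIGESTLENGTH to ISC_SHA1_BLOCK_LENGTH with no comment, yet this one comparison is the behaviour change that makes long keys incompatible with older releases. Add a short comment at the if (r.length > ISC_SHA1_BLOCK_LENGTH) line saying that the key is hashed only when it exceeds the hash block length, with a pointer to RFC 2104 and to isc-hmac-fixup, and repeat it in the other hmacsha*_fromdns functions, so a later cleanup does not revert the constant.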
@@ -614,7 +612,7 @@ dst__hmacsha1_init(dst_func_t **funcp) {
static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha224_key {
unsigned char key[ISC_SHA224_DIGESTLENGTH];
unsigned char key[ISC_SHA224_BLOCK_LENGTH];
};
static isc_result_t
@@ -625,7 +623,7 @@ hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
if (hmacsha224ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH);
dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
return (ISC_R_SUCCESS);
}
@@ -688,7 +686,7 @@ hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_DIGESTLENGTH) == 0)
if (memcmp(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -700,18 +698,18 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
{
isc_buffer_t b;
isc_result_t ret;
int bytes;
unsigned char data[HMAC_LEN];
unsigned int bytes;
unsigned char data[ISC_SHA224_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
if (bytes > HMAC_LEN) {
bytes = HMAC_LEN;
key->key_size = HMAC_LEN * 8;
if (bytes > ISC_SHA224_BLOCK_LENGTH) {
bytes = ISC_SHA224_BLOCK_LENGTH;
key->key_size = ISC_SHA224_BLOCK_LENGTH * 8;
}
memset(data, 0, HMAC_LEN);
memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -720,7 +718,7 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha224_fromdns(key, &b);
memset(data, 0, ISC_SHA224_DIGESTLENGTH);
memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
return (ret);
}
@@ -734,6 +732,7 @@ hmacsha224_isprivate(const dst_key_t *key) {
static void
hmacsha224_destroy(dst_key_t *key) {
dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
key->keydata.hmacsha224 = NULL;
@@ -773,7 +772,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
if (r.length > ISC_SHA224_DIGESTLENGTH) {
if (r.length > ISC_SHA224_BLOCK_LENGTH) {
isc_sha224_init(&sha224ctx);
isc_sha224_update(&sha224ctx, r.base, r.length);
isc_sha224_final(hkey->key, &sha224ctx);
@@ -889,7 +888,7 @@ dst__hmacsha224_init(dst_func_t **funcp) {
static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha256_key {
unsigned char key[ISC_SHA256_DIGESTLENGTH];
unsigned char key[ISC_SHA256_BLOCK_LENGTH];
};
static isc_result_t
@@ -900,7 +899,7 @@ hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
if (hmacsha256ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH);
dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
return (ISC_R_SUCCESS);
}
@@ -963,7 +962,7 @@ hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_DIGESTLENGTH) == 0)
if (memcmp(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -975,18 +974,18 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
{
isc_buffer_t b;
isc_result_t ret;
int bytes;
unsigned char data[HMAC_LEN];
unsigned int bytes;
unsigned char data[ISC_SHA256_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
if (bytes > HMAC_LEN) {
bytes = HMAC_LEN;
key->key_size = HMAC_LEN * 8;
if (bytes > ISC_SHA256_BLOCK_LENGTH) {
bytes = ISC_SHA256_BLOCK_LENGTH;
key->key_size = ISC_SHA256_BLOCK_LENGTH * 8;
}
memset(data, 0, HMAC_LEN);
memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -995,7 +994,7 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha256_fromdns(key, &b);
memset(data, 0, ISC_SHA256_DIGESTLENGTH);
memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
return (ret);
}
@@ -1009,6 +1008,7 @@ hmacsha256_isprivate(const dst_key_t *key) {
static void
hmacsha256_destroy(dst_key_t *key) {
dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
key->keydata.hmacsha256 = NULL;
@@ -1048,7 +1048,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
if (r.length > ISC_SHA256_DIGESTLENGTH) {
if (r.length > ISC_SHA256_BLOCK_LENGTH) {
isc_sha256_init(&sha256ctx);
isc_sha256_update(&sha256ctx, r.base, r.length);
isc_sha256_final(hkey->key, &sha256ctx);
@@ -1164,7 +1164,7 @@ dst__hmacsha256_init(dst_func_t **funcp) {
static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha384_key {
unsigned char key[ISC_SHA384_DIGESTLENGTH];
unsigned char key[ISC_SHA384_BLOCK_LENGTH];
};
static isc_result_t
@@ -1175,7 +1175,7 @@ hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
if (hmacsha384ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH);
dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
return (ISC_R_SUCCESS);
}
@@ -1238,7 +1238,7 @@ hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_DIGESTLENGTH) == 0)
if (memcmp(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -1250,18 +1250,18 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
{
isc_buffer_t b;
isc_result_t ret;
int bytes;
unsigned char data[HMAC_LEN];
unsigned int bytes;
unsigned char data[ISC_SHA384_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
if (bytes > HMAC_LEN) {
bytes = HMAC_LEN;
key->key_size = HMAC_LEN * 8;
if (bytes > ISC_SHA384_BLOCK_LENGTH) {
bytes = ISC_SHA384_BLOCK_LENGTH;
key->key_size = ISC_SHA384_BLOCK_LENGTH * 8;
}
memset(data, 0, HMAC_LEN);
memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -1270,7 +1270,7 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha384_fromdns(key, &b);
memset(data, 0, ISC_SHA384_DIGESTLENGTH);
memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
return (ret);
}
@@ -1284,6 +1284,7 @@ hmacsha384_isprivate(const dst_key_t *key) {
static void
hmacsha384_destroy(dst_key_t *key) {
dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
key->keydata.hmacsha384 = NULL;
@@ -1323,7 +1324,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
if (r.length > ISC_SHA384_DIGESTLENGTH) {
if (r.length > ISC_SHA384_BLOCK_LENGTH) {
isc_sha384_init(&sha384ctx);
isc_sha384_update(&sha384ctx, r.base, r.length);
isc_sha384_final(hkey->key, &sha384ctx);
@@ -1439,7 +1440,7 @@ dst__hmacsha384_init(dst_func_t **funcp) {
static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacsha512_key {
unsigned char key[ISC_SHA512_DIGESTLENGTH];
unsigned char key[ISC_SHA512_BLOCK_LENGTH];
};
static isc_result_t
@@ -1450,7 +1451,7 @@ hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
if (hmacsha512ctx == NULL)
return (ISC_R_NOMEMORY);
isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH);
dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
return (ISC_R_SUCCESS);
}
@@ -1513,7 +1514,7 @@ hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_DIGESTLENGTH) == 0)
if (memcmp(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH) == 0)
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -1525,18 +1526,18 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
{
isc_buffer_t b;
isc_result_t ret;
int bytes;
unsigned char data[HMAC_LEN];
unsigned int bytes;
unsigned char data[ISC_SHA512_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
if (bytes > HMAC_LEN) {
bytes = HMAC_LEN;
key->key_size = HMAC_LEN * 8;
if (bytes > ISC_SHA512_BLOCK_LENGTH) {
bytes = ISC_SHA512_BLOCK_LENGTH;
key->key_size = ISC_SHA512_BLOCK_LENGTH * 8;
}
memset(data, 0, HMAC_LEN);
memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -1545,7 +1546,7 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacsha512_fromdns(key, &b);
memset(data, 0, ISC_SHA512_DIGESTLENGTH);
memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
return (ret);
}
@@ -1559,6 +1560,7 @@ hmacsha512_isprivate(const dst_key_t *key) {
static void
hmacsha512_destroy(dst_key_t *key) {
dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
key->keydata.hmacsha512 = NULL;
@@ -1598,7 +1600,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
if (r.length > ISC_SHA512_DIGESTLENGTH) {
if (r.length > ISC_SHA512_BLOCK_LENGTH) {
isc_sha512_init(&sha512ctx);
isc_sha512_update(&sha512ctx, r.base, r.length);
isc_sha512_final(hkey->key, &sha512ctx);

View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: md5.h,v 1.18 2009/02/06 23:47:42 tbox Exp $ */
/* $Id: md5.h,v 1.19 2010/01/07 21:52:12 each Exp $ */
/*! \file isc/md5.h
* \brief This is the header file for the MD5 message-digest algorithm.
@@ -48,6 +48,7 @@
#include <isc/types.h>
#define ISC_MD5_DIGESTLENGTH 16U
#define ISC_MD5_BLOCK_LENGTH 64U
#ifdef ISC_PLATFORM_OPENSSLHASH
#include <openssl/evp.h>

View File

@@ -1055,6 +1055,10 @@
./bin/tools/genrandom.c C 2000,2001,2002,2003,2004,2005,2007,2009
./bin/tools/genrandom.docbook SGML 2009
./bin/tools/genrandom.html HTML 2009
./bin/tools/isc-hmac-fixup.8 MAN 2010
./bin/tools/isc-hmac-fixup.c C 2010
./bin/tools/isc-hmac-fixup.docbook SGML 2010
./bin/tools/isc-hmac-fixup.html HTML 2010
./bin/tools/named-journalprint.8 MAN 2009
./bin/tools/named-journalprint.c C 2000,2001,2004,2005,2006,2007,2008,2009
./bin/tools/named-journalprint.docbook SGML 2009
@@ -1069,6 +1073,9 @@
./bin/tools/win32/genrandom.dsp X 2009
./bin/tools/win32/genrandom.dsw X 2009
./bin/tools/win32/genrandom.mak X 2009
./bin/tools/win32/ischmacfix.dsp X 2010
./bin/tools/win32/ischmacfix.dsw X 2010
./bin/tools/win32/ischmacfix.mak X 2010
./bin/tools/win32/journalprint.dsp X 2009
./bin/tools/win32/journalprint.dsw X 2009
./bin/tools/win32/journalprint.mak X 2009
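Review bot: the three new Windows entries are listed as ischmacfix.dsp, ischmacfix.dsw and ischmacfix.mak, but the workspace file in this commit refers to ..\bin\tools\win32\ischmacfixup.dsp and the build script runs nmake -f ischmacfixup.mak. Rename the entries to ischmacfixup.* so the copyrights list tracks the files that are actually added.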

View File

@@ -660,6 +660,21 @@ Package=<4>
###############################################################################
Project: "ischmacfixup"="..\bin\tools\win32\ischmacfixup.dsp" - Package Owner=<4>
Package=<5>
{{{
}}}
Package=<4>
{{{
Begin Project Dependency
Project_Dep_Name libisc
End Project Dependency
}}}
###############################################################################
Global:
Package=<5>

View File

@@ -124,6 +124,7 @@ nmake /nologo -f arpaname.mak CFG="arpaname - Win32 Release" NO_EXTERNAL_DEPS="
nmake /nologo -f genrandom.mak CFG="genrandom - Win32 Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f nsec3hash.mak CFG="nsec3hash - Win32 Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f journalprint.mak CFG="journalprint - Win32 Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f ischmacfixup.mak CFG="ischmacfixup - Win32 Release" NO_EXTERNAL_DEPS="1"
cd ..\..
rem This is the BIND 9 Installer