From de5890da9b87cb4b91aca033db0e25b1fdb68c77 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 5 Dec 2012 16:36:58 -0800
Subject: [PATCH] [master] support all algorithms in ddns-confgen

3431.	[bug]		ddns-confgen: Some valid key algorithms were not accepted. [RT #31927]
---
 CHANGES                                  |  3 +++
 bin/confgen/keygen.c                     | 16 ++++++++++++++++
 bin/tests/system/nsupdate/clean.sh       |  4 +++-
 bin/tests/system/nsupdate/ns1/named.conf | 19 +++++++++++++++++++
 bin/tests/system/nsupdate/setup.sh       |  8 ++++++++
 bin/tests/system/nsupdate/tests.sh       | 19 +++++++++++++++++++
 6 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 2245e8ce94..0c71c541ed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3431.	[bug]		ddns-confgen: Some valid key algorithms were
+			not accepted. [RT #31927]
+
 3430.	[bug]		win32: isc_time_formatISO8601 was missing the
 			'T' between the date and time. [RT #32044]
 
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index a5db317700..32e5b595e4 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -126,6 +126,7 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 
 	switch (alg) {
 	case DST_ALG_HMACMD5:
+	case DST_ALG_HMACSHA512:
 		if (keysize < 1 || keysize > 512)
 			fatal("keysize %d out of range (must be 1-512)\n",
 			      keysize);
@@ -135,6 +136,21 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 			fatal("keysize %d out of range (must be 1-256)\n",
 			      keysize);
 		break;
+	case DST_ALG_HMACSHA1:
+		if (keysize < 1 || keysize > 160)
+			fatal("keysize %d out of range (must be 1-160)\n",
+			      keysize);
+		break;
+	case DST_ALG_HMACSHA224:
+		if (keysize < 1 || keysize > 224)
+			fatal("keysize %d out of range (must be 1-224)\n",
+			      keysize);
+		break;
+	case DST_ALG_HMACSHA384:
+		if (keysize < 1 || keysize > 384)
+			fatal("keysize %d out of range (must be 1-384)\n",
+			      keysize);
+		break;
 	default:
 		fatal("unsupported algorithm %d\n", alg);
 	}
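Review bot: The new `case DST_ALG_HMACSHA1`, `DST_ALG_HMACSHA224` and `DST_ALG_HMACSHA384` arms, and the `case DST_ALG_HMACSHA512:` label added to the HMAC-MD5 arm, carry their upper bounds as bare literals and nothing says where 160/224/384/512 come from; for the SHA variants they equal the digest length in bits, but the MD5 arm that SHA-512 now shares accepts up to 512 bits although MD5's digest is 128, so the rule is not self-evident to the next reader. If the intent is "at most the digest length", a comment above `switch (alg)` such as `/* keysize is in bits; the upper bound is the digest length of the HMAC (MD5 keeps its historical 512 limit) */` would capture it, hedged if the MD5 bound is deliberate for another reason. The lower bound of `keysize < 1` is pre-existing and shared by every arm, but it does mean a 1-bit TSIG secret passes validation; a note that the caller is expected to supply a sensible default size would help, since that logic is not in this hunk. Five arms that differ only in the bound could also collapse to a small `static const` table of maximum sizes keyed by algorithm with a single range check and one `fatal` format, which is a style point rather than a defect. generate_key starts and ends outside both hunks.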
diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 84af5e7b0b..f8654d65d3 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -22,7 +22,9 @@
 #
 
 rm -f ns1/*.jnl ns2/*.jnl
-rm -f ns1/example.db ns1/unixtime.db ns1/update.db ns1/other.db ns1/ddns.key
+rm -f ns1/example.db ns1/unixtime.db ns1/update.db ns1/other.db ns1/keytests.db
+rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/sha512.key ns1/ddns.key
 rm -f nsupdate.out
 rm -f random.data
 rm -f ns2/example.bk
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
index 0132c2259a..9722be814b 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf
+++ b/bin/tests/system/nsupdate/ns1/named.conf
@@ -90,3 +90,22 @@ zone "unixtime.nil" {
 	serial-update-method unixtime;
 };
 
+include "md5.key";
+include "sha1.key";
+include "sha224.key";
+include "sha256.key";
+include "sha384.key";
+include "sha512.key";
+
+zone "keytests.nil" {
+	type master;
+	file "keytests.db";
+	update-policy {
+		grant md5-key name md5.keytests.nil. ANY;
+		grant sha1-key name sha1.keytests.nil. ANY;
+		grant sha224-key name sha224.keytests.nil. ANY;
+		grant sha256-key name sha256.keytests.nil. ANY;
+		grant sha384-key name sha384.keytests.nil. ANY;
+		grant sha512-key name sha512.keytests.nil. ANY;
+	};
+};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 16c030c765..bb015142da 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -31,6 +31,7 @@ rm -f ns3/example.db.jnl
 cp -f ns1/example1.db ns1/example.db
 sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db
 sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db
+sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db
 cp -f ns3/example.db.in ns3/example.db
 
 # update_test.pl has its own zone file because it
@@ -53,4 +54,11 @@ EOF
 
 ../../../tools/genrandom 400 random.data
 $DDNSCONFGEN -q -r random.data -z example.nil > ns1/ddns.key
+$DDNSCONFGEN -q -r random.data -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+$DDNSCONFGEN -q -r random.data -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
+$DDNSCONFGEN -q -r random.data -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
+$DDNSCONFGEN -q -r random.data -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
+$DDNSCONFGEN -q -r random.data -a hmac-sha384 -k sha384-key -z keytests.nil > ns1/sha384.key
+$DDNSCONFGEN -q -r random.data -a hmac-sha512 -k sha512-key -z keytests.nil > ns1/sha512.key
+
 (cd ns3; sh -e sign.sh)
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index bd5590e8e3..77caccf633 100644
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -504,5 +504,24 @@ if [ $ret -ne 0 ]; then
 	status=1
 fi
 
+n=`expr $n + 1`
+ret=0
+echo "I:check TSIG key algorithms ($n)"
+for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+	$NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1
+server 10.53.0.1 5300
+update add ${alg}.keytests.nil. 600 A 10.10.10.3
+send
+END
+done
+sleep 2
+for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+	$DIG +short @10.53.0.1 -p 5300 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+done
+if [ $ret -ne 0 ]; then
+	echo "I:failed"
+	status=1
+fi
+
 echo "I:exit status: $status"
 exit $status
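Review bot: All six new `$DDNSCONFGEN` lines take their entropy from the same `random.data` file as the existing `ns1/ddns.key` line, and if ddns-confgen reads that file from its start on every run (I cannot confirm that from this hunk) the seven keys will share their leading secret bytes rather than being independent. That is acceptable for a throw-away system-test fixture, but nothing in the script says so, and the block reads like a recipe; a comment above the first invocation such as `# test fixtures only: every key below is drawn from the same random.data and is not independent` would make the limitation explicit. The script continues before the hunk.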
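Review bot: As rendered here the update line reads `$NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1`, which would give nsupdate an empty stdin and leave the shell to execute the following `server`, `update add` and `send` lines as commands; the `END` terminator five lines later shows a here-document was intended, so presumably a `<<END` redirection was lost in rendering, and it is worth confirming the committed line carries it (for example `$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1`). Separately, the verification loop only records `ret=1`, so when one algorithm's lookup fails the log cannot say which; `|| { echo "I:lookup for ${alg} failed"; ret=1; }` in the `$DIG` loop would make that diagnosable. The fixed `sleep 2` between the updates and the lookups is a timing assumption rather than a synchronisation point; if the rest of the script has a retry idiom for propagation it would be more robust to use it here.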