[master] Adds key-algorithm statement to omshell

Merges in rt46771.
2025-08-22 09:57:20 +00:00 · 2017-12-11 07:19:43 -05:00 · 2017-12-11 07:19:43 -05:00 · e6ffc27f24
commit e6ffc27f24
parent 25e4af8b19
5 changed files with 70 additions and 12 deletions
--- a/7
+++ b/7
@ -291,6 +291,13 @@ dhcp-users@lists.isc.org.
  [ISC-Bugs #42621]
  [ISC-Bugs #44753]

+- A "key-algorithm <algorithm>" statement has been added to omshell to
+  allow the specification of the key algorithm to use during transaction
+  authentication.  Prior to this it was hard-coded to be hmac-md5. It now
+  supports all of the same algorithms as the dhcpd server: hmac-md5 (the
+  default), hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512.
+  [ISC-Bugs #46771]
+
 			Changes since 4.3.0 (bug fixes)

 - Tidy up several small tickets.
--- a/common/conflex.c
+++ b/common/conflex.c
@ -1104,6 +1104,8 @@ intern(char *atom, enum dhcp_token dfv) {
 		}
 		if (!strcasecmp (atom + 1, "ey"))
 			return KEY;
+		if (!strcasecmp (atom + 1, "ey-algorithm"))
+			return KEY_ALGORITHM;
 		break;
 	      case 'l':
 		if (!strcasecmp (atom + 1, "case"))
--- a/dhcpctl/omshell.1
+++ b/dhcpctl/omshell.1
@ -1,7 +1,6 @@
 .\"	$Id: omshell.1,v 1.6 2009/11/24 02:06:56 sar Exp $
 .\"
-.\" Copyright (c) 2012,2014 by Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (c) 2004,2009 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (c) 2001-2003 by Internet Software Consortium
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@ -81,7 +80,24 @@ where number is the port that OMAPI listens on.  By default, this is 7911.
 This specifies the TSIG key to use to authenticate the OMAPI transactions.
 \fIname\fR is the name of a key defined in \fIdhcpd.conf\fR with the
 \fBomapi-key\fR statement.  The \fIsecret\fR is the secret key generated from
-\fBdnssec-keygen\fR or another key generation program.
+\fBdnssec-keygen\fR or another key generation program.  The key algorithm is
+assumed to be HMAC-MD5 key. If a different algorithm was specified in dhcpd.conf
+file for the key, then it must be specified via the \fIkey-algorithm\fR statement.
+.RE
+.PP
+.B key-algorithm \fIalgorithm\fR
+.RS 0.5i
+This specifies the cryptographic algorithm for the key used when authenticating OMAPI
+transactions. Supported values for \fIalgorithm\fR are:
+.nf
+        HMAC-MD5
+        HMAC-SHA1
+        HMAC-SHA224
+        HMAC-SHA256
+        HMAC-SHA384
+        HMAC-SHA512
+fi
+The default is HMAC-MD5. (Value is not case sensitive).
 .RE
 .PP
 .B connect
--- a/dhcpctl/omshell.c
+++ b/dhcpctl/omshell.c
@ -321,12 +321,42 @@ main(int argc, char **argv) {
 		    }
 		    break;

+		  case KEY_ALGORITHM:
+		    /* Algorithm is optional */
+		    token = next_token (&val, (unsigned *)0, cfile);
+		    if (token != NAME || !is_identifier(token)) {
+			printf ("missing or invalid algorithm name\n");
+			printf ("usage: key-algoritm <algorithm name>\n");
+			skip_to_semi (cfile);
+			break;
+		    }
+
+		    s = dmalloc (strlen (val) + 1, MDL);
+		    if (!s) {
+			printf ("no memory for algorithm name.\n");
+			skip_to_semi (cfile);
+			break;
+		    }
+
+		    strcpy (s, val);
+		    algorithm = s;
+
+		    token = next_token (&val, (unsigned *)0, cfile);
+		    if (token != END_OF_FILE && token != EOL) {
+			    printf ("extra information after %s\n", algorithm);
+			    printf ("usage: key-algorithm <algorithm name>\n");
+			    skip_to_semi (cfile);
+			    break;
+		    }
+
+		    break;
+
 		  case KEY:
 		    token = peek_token(&val, (unsigned *)0, cfile);
 		    if (token == STRING) {
 			    token = next_token (&val, (unsigned *)0, cfile);
 			    if (!is_identifier (token)) {
-				    printf ("usage: key <name> <value>\n");
+			            printf ("usage: key <name> <value>\n");
 				    skip_to_semi (cfile);
 				    break;
 			    }
@ -340,7 +370,7 @@ main(int argc, char **argv) {
 		    } else {
 			    s = parse_host_name(cfile);
 			    if (s == NULL) {
-				    printf ("usage: key <name> <value>\n");
+			            printf ("usage: key <name> <value>\n");
 				    skip_to_semi(cfile);
 				    break;
 			    }
@ -352,12 +382,14 @@ main(int argc, char **argv) {
 			    skip_to_semi (cfile);
 			    break;
 		    }
+
 		    token = next_token (&val, (unsigned *)0, cfile);
 		    if (token != END_OF_FILE && token != EOL) {
-			    printf ("usage: key <name> <secret>\n");
+			    printf ("usage: key <name> <value> {algorithm}\n");
 			    skip_to_semi (cfile);
 			    break;
 		    }
+
 		    break;

 		  case CONNECT:
--- a/includes/dhctoken.h
+++ b/includes/dhctoken.h
@ -375,7 +375,8 @@ enum dhcp_token {
 	TOKEN_BIG_ENDIAN = 675,
 	LEASE_ID_FORMAT = 676,
 	TOKEN_HEX = 677,
-	TOKEN_OCTAL = 678
+	TOKEN_OCTAL = 678,
+	KEY_ALGORITHM = 679
 };

 #define is_identifier(x)	((x) >= FIRST_TOKEN &&	\