From 85938345f9da377e903de0e99b36eaa2a98d99c7 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 13 Mar 2013 17:53:11 -0700
Subject: [PATCH] algorithm flexibility for rndc
3525.	[func]		Support for additional signing algorithms in rndc:
964723
			hmac-sha1, -sha224, -sha256, -sha384, and -sha512.
964723
			The -A option to rndc-confgen can be used to
964723
			select the algorithm for the generated key.
964723
			(The default is still hmac-md5; this may
964723
			change in a future release.) [RT #20363]
964723
---
964723
 bin/confgen/rndc-confgen.c                        |  27 +-
964723
 bin/confgen/rndc-confgen.docbook                  |  18 +-
964723
 bin/named/controlconf.c                           |  22 +-
964723
 bin/rndc/rndc.c                                   |  38 ++-
964723
 bin/rndc/rndc.conf                                |   4 +-
964723
 bin/rndc/rndc.conf.docbook                        |  16 +-
964723
 bin/rndc/rndc.docbook                             |  14 +-
964723
 bin/tests/system/autosign/ns1/named.conf          |   2 +-
964723
 bin/tests/system/autosign/ns2/named.conf          |   2 +-
964723
 bin/tests/system/autosign/ns3/named.conf          |   2 +-
964723
 bin/tests/system/cacheclean/ns2/named.conf        |   2 +-
964723
 bin/tests/system/common/controls.conf             |   2 +-
964723
 bin/tests/system/common/rndc.conf                 |   2 +-
964723
 bin/tests/system/common/rndc.key                  |   2 +-
964723
 bin/tests/system/conf.sh.in                       |   1 +
964723
 bin/tests/system/database/ns1/named.conf1         |   2 +-
964723
 bin/tests/system/database/ns1/named.conf2         |   2 +-
964723
 bin/tests/system/dlv/ns5/named.conf               |   4 +-
964723
 bin/tests/system/dlv/ns5/rndc.conf                |   2 +-
964723
 bin/tests/system/dlvauto/ns2/named.conf           |   2 +-
964723
 bin/tests/system/dlzexternal/ns1/named.conf.in    |   2 +-
964723
 bin/tests/system/dnssec/ns3/named.conf            |   2 +-
964723
 bin/tests/system/dnssec/ns4/named1.conf           |   2 +-
964723
 bin/tests/system/dnssec/ns4/named2.conf           |   2 +-
964723
 bin/tests/system/dnssec/ns4/named3.conf           |   2 +-
964723
 bin/tests/system/geoip/ns2/named1.conf            |   2 +-
964723
 bin/tests/system/geoip/ns2/named10.conf           |   2 +-
964723
 bin/tests/system/geoip/ns2/named11.conf           |   2 +-
964723
 bin/tests/system/geoip/ns2/named2.conf            |   2 +-
964723
 bin/tests/system/geoip/ns2/named3.conf            |   2 +-
964723
 bin/tests/system/geoip/ns2/named4.conf            |   2 +-
964723
 bin/tests/system/geoip/ns2/named5.conf            |   2 +-
964723
 bin/tests/system/geoip/ns2/named6.conf            |   2 +-
964723
 bin/tests/system/geoip/ns2/named7.conf            |   2 +-
964723
 bin/tests/system/geoip/ns2/named8.conf            |   2 +-
964723
 bin/tests/system/geoip/ns2/named9.conf            |   2 +-
964723
 bin/tests/system/ixfr/ns3/named.conf              |   2 +-
964723
 bin/tests/system/ixfr/ns4/named.conf              |   2 +-
964723
 bin/tests/system/ixfr/setup.sh                    |   2 +-
964723
 bin/tests/system/logfileconfig/ns1/named.dirconf  |   2 +-
964723
 bin/tests/system/logfileconfig/ns1/named.pipeconf |   2 +-
964723
 bin/tests/system/logfileconfig/ns1/named.plain    |   2 +-
964723
 bin/tests/system/logfileconfig/ns1/named.symconf  |   2 +-
964723
 bin/tests/system/logfileconfig/ns1/rndc.conf      |   2 +-
964723
 bin/tests/system/nsupdate/ns1/named.conf          |   2 +-
964723
 bin/tests/system/pkcs11/ns1/named.conf            |   2 +-
964723
 bin/tests/system/resolver/ns4/named.conf          |   2 +-
964723
 bin/tests/system/rndc/clean.sh                    |   2 +
964723
 bin/tests/system/rndc/ns2/named.conf              |   4 +-
964723
 bin/tests/system/rndc/ns2/secondkey.conf          |   2 +-
964723
 bin/tests/system/rndc/ns3/named.conf              |   4 +-
964723
 bin/tests/system/rndc/ns4/3bf305731dd26307.nta    |   3 +
964723
 bin/tests/system/rndc/ns4/named.conf.in           |  28 +++
964723
 bin/tests/system/rndc/setup.sh                    |  24 +-
964723
 bin/tests/system/rndc/tests.sh                    |  60 +++++
964723
 bin/tests/system/rpz/ns3/named.conf               |   2 +-
964723
 bin/tests/system/rpz/ns5/named.conf               |   2 +-
964723
 bin/tests/system/rrl/ns2/named.conf               |   2 +-
964723
 bin/tests/system/staticstub/ns3/named.conf.in     |   2 +-
964723
 bin/tests/system/stress/ns3/named.conf            |   2 +-
964723
 bin/tests/system/tkey/ns1/named.conf.in           |   2 +-
964723
 bin/tests/system/tsiggss/ns1/named.conf           |   2 +-
964723
 bin/tests/system/views/ns3/named1.conf            |   2 +-
964723
 bin/tests/system/views/ns3/named2.conf            |   2 +-
964723
 bin/tests/system/xfer/ns3/named.conf              |   2 +-
964723
 bin/tests/system/xfer/ns4/named.conf.base         |   2 +-
964723
 lib/isccc/cc.c                                    | 289 ++++++++++++++++++----
964723
 lib/isccc/include/isccc/cc.h                      |  26 +-
964723
 68 files changed, 526 insertions(+), 158 deletions(-)
964723
 create mode 100644 bin/tests/system/rndc/ns4/3bf305731dd26307.nta
964723
 create mode 100644 bin/tests/system/rndc/ns4/named.conf.in
964723
964723
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
964723
index e2ac079..3fd54fe 100644
964723
--- a/bin/confgen/rndc-confgen.c
964723
+++ b/bin/confgen/rndc-confgen.c
964723
@@ -57,7 +57,6 @@
964723
 #include "util.h"
964723
 #include "keygen.h"
964723
 
964723
-#define DEFAULT_KEYLENGTH	128		/*% Bits. */
964723
 #define DEFAULT_KEYNAME		"rndc-key"
964723
 #define DEFAULT_SERVER		"127.0.0.1"
964723
 #define DEFAULT_PORT		953
964723
@@ -80,7 +79,8 @@ Usage:\n\
964723
  %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
964723
 [-s addr] [-t chrootdir] [-u user]\n\
964723
   -a:		 generate just the key clause and write it to keyfile (%s)\n\
964723
-  -b bits:	 from 1 through 512, default %d; total length of the secret\n\
964723
+  -A alg:	 algorithm (default hmac-md5)\n\
964723
+  -b bits:	 from 1 through 512, default 256; total length of the secret\n\
964723
   -c keyfile:	 specify an alternate key file (requires -a)\n\
964723
   -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
964723
   -p port:	 the port named will listen on and rndc will connect to\n\
964723
@@ -88,7 +88,7 @@ Usage:\n\
964723
   -s addr:	 the address to which rndc should connect\n\
964723
   -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
964723
   -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
964723
-		 progname, keydef, DEFAULT_KEYLENGTH);
964723
+		 progname, keydef);
964723
 
964723
 	exit (status);
964723
 }
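Review bot: The new usage text is inconsistent with the code and with the rest of this patch: the `-b` line now advertises "default 256", but the fallback added later in main() is `alg_bits(alg)` with `alg` defaulting to `DST_ALG_HMACMD5`, i.e. 128 bits (the value of the `DEFAULT_KEYLENGTH` this hunk removes), and the docbook in the same patch says "the default is the hash size". I would print what the code does, e.g. `"  -b bits:\t from 1 through 512; default is the hash size of the selected algorithm\n"`. The `-A` line's "(default hmac-md5)" also disagrees with rndc.conf.docbook and rndc.docbook in this patch, which both describe HMAC-SHA256 as the default; one side needs correcting so operators are not told two different things. usage() starts above this hunk.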
964723
@@ -103,12 +103,12 @@ main(int argc, char **argv) {
964723
 	const char *keyname = NULL;
964723
 	const char *randomfile = NULL;
964723
 	const char *serveraddr = NULL;
964723
-	dns_secalg_t alg = DST_ALG_HMACMD5;
964723
-	const char *algname = alg_totext(alg);
964723
+	dns_secalg_t alg;
964723
+	const char *algname;
964723
 	char *p;
964723
 	int ch;
964723
 	int port;
964723
-	int keysize;
964723
+	int keysize = -1;
964723
 	struct in_addr addr4_dummy;
964723
 	struct in6_addr addr6_dummy;
964723
 	char *chrootdir = NULL;
964723
@@ -124,18 +124,25 @@ main(int argc, char **argv) {
964723
 	progname = program;
964723
 
964723
 	keyname = DEFAULT_KEYNAME;
964723
-	keysize = DEFAULT_KEYLENGTH;
964723
+	alg = DST_ALG_HMACMD5;
964723
 	serveraddr = DEFAULT_SERVER;
964723
 	port = DEFAULT_PORT;
964723
 
964723
 	isc_commandline_errprint = ISC_FALSE;
964723
 
964723
 	while ((ch = isc_commandline_parse(argc, argv,
964723
-					   "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
964723
+					   "aA:b:c:hk:Mmp:r:s:t:u:Vy")) != -1)
964723
+	{
964723
 		switch (ch) {
964723
 		case 'a':
964723
 			keyonly = ISC_TRUE;
964723
 			break;
964723
+		case 'A':
964723
+			algname = isc_commandline_argument;
964723
+			alg = alg_fromtext(algname);
964723
+			if (alg == DST_ALG_UNKNOWN)
964723
+				fatal("Unsupported algorithm '%s'", algname);
964723
+			break;
964723
 		case 'b':
964723
 			keysize = strtol(isc_commandline_argument, &p, 10);
964723
 			if (*p != '\0' || keysize < 0)
964723
@@ -203,6 +210,10 @@ main(int argc, char **argv) {
964723
 	if (argc > 0)
964723
 		usage(1);
964723
 
964723
+	if (keysize < 0)
964723
+		keysize = alg_bits(alg);
964723
+	algname = alg_totext(alg);
964723
+
964723
 	DO("create memory context", isc_mem_create(0, 0, &mctx));
964723
 	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
964723
 
964723
diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
964723
index af2cc43..f367b94 100644
964723
--- a/bin/confgen/rndc-confgen.docbook
964723
+++ b/bin/confgen/rndc-confgen.docbook
964723
@@ -1,6 +1,6 @@
964723
 
964723
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
964723
-	       []>
964723
+               []>
964723
 
964723
  - Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
964723
  - Copyright (C) 2001, 2003  Internet Software Consortium.
964723
@@ -41,6 +41,7 @@
964723
       <year>2005</year>
964723
       <year>2007</year>
964723
       <year>2009</year>
964723
+      <year>2013</year>
964723
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
964723
     </copyright>
964723
     <copyright>
964723
@@ -54,6 +55,7 @@
964723
     <cmdsynopsis>
964723
       <command>rndc-confgen</command>
964723
       <arg><option>-a</option></arg>
964723
+      <arg><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
964723
       <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
964723
       <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
964723
       <arg><option>-h</option></arg>
964723
@@ -129,11 +131,23 @@
964723
       </varlistentry>
964723
 
964723
       <varlistentry>
964723
+        <term>-A <replaceable class="parameter">algorithm</replaceable></term>
964723
+        <listitem>
964723
+          <para>
964723
+            Specifies the algorithm to use for the TSIG key.  Available
964723
+            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
964723
+            hmac-sha384 and hmac-sha512.  The default is hmac-md5.
964723
+          </para>
964723
+        </listitem>
964723
+      </varlistentry>
964723
+
964723
+      <varlistentry>
964723
         <term>-b <replaceable class="parameter">keysize</replaceable></term>
964723
         <listitem>
964723
           <para>
964723
             Specifies the size of the authentication key in bits.
964723
-            Must be between 1 and 512 bits; the default is 128.
964723
+            Must be between 1 and 512 bits; the default is the
964723
+            hash size.
964723
           </para>
964723
         </listitem>
964723
       </varlistentry>
964723
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
964723
index ef32790..b4176c9 100644
964723
--- a/bin/named/controlconf.c
964723
+++ b/bin/named/controlconf.c
964723
@@ -71,6 +71,7 @@ typedef ISC_LIST(controllistener_t) controllistenerlist_t;
964723
 
964723
 struct controlkey {
964723
 	char *				keyname;
964723
+	isc_uint32_t			algorithm;
964723
 	isc_region_t			secret;
964723
 	ISC_LINK(controlkey_t)		link;
964723
 };
964723
@@ -325,6 +326,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
964723
 	isccc_sexpr_t *request = NULL;
964723
 	isccc_sexpr_t *response = NULL;
964723
 	isccc_region_t ccregion;
964723
+	isc_uint32_t algorithm;
964723
 	isccc_region_t secret;
964723
 	isc_stdtime_t now;
964723
 	isc_buffer_t b;
964723
@@ -343,6 +345,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
964723
 
964723
 	conn = event->ev_arg;
964723
 	listener = conn->listener;
964723
+	algorithm = DST_ALG_UNKNOWN;
964723
 	secret.rstart = NULL;
964723
 
964723
 	/* Is the server shutting down? */
964723
@@ -369,7 +372,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
964723
 			goto cleanup;
964723
 		memcpy(secret.rstart, key->secret.base, key->secret.length);
964723
 		secret.rend = secret.rstart + key->secret.length;
964723
-		result = isccc_cc_fromwire(&ccregion, &request, &secret);
964723
+		algorithm = key->algorithm;
964723
+		result = isccc_cc_fromwire(&ccregion, &request,
964723
+					   algorithm, &secret);
964723
 		if (result == ISC_R_SUCCESS)
964723
 			break;
964723
 		isc_mem_put(listener->mctx, secret.rstart, REGION_SIZE(secret));
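Review bot: `key->algorithm` carries DST_ALG_* values (initialised to `DST_ALG_UNKNOWN` and filled from ns_config_getkeyalgorithm2 elsewhere in this patch), yet it is handed to isccc_cc_fromwire, whose rndc-side callers pass ISCCC_ALG_* values; this is only correct if lib/isccc/cc.h defines ISCCC_ALG_* with the same numeric values as DST_ALG_*, and that header's hunk is not in this chunk. I would either map explicitly or at least pin the assumption next to the call, `/* ISCCC_ALG_* must match DST_ALG_* numerically; see isccc/cc.h */`, so a later renumbering of either enum cannot silently make every control message fail verification. Taking the algorithm from the server's configured key rather than from anything in the message is the right design here, since it prevents a client from selecting a weaker MAC than the one the operator configured. control_recvmessage starts and ends outside this hunk.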
964723
@@ -480,7 +485,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
964723
 
964723
 	ccregion.rstart = conn->buffer + 4;
964723
 	ccregion.rend = conn->buffer + sizeof(conn->buffer);
964723
-	result = isccc_cc_towire(response, &ccregion, &secret);
964723
+	result = isccc_cc_towire(response, &ccregion, algorithm, &secret);
964723
 	if (result != ISC_R_SUCCESS)
964723
 		goto cleanup_response;
964723
 	isc_buffer_init(&b, conn->buffer, 4);
964723
@@ -693,6 +698,7 @@ controlkeylist_fromcfg(const cfg_obj_t *keylist, isc_mem_t *mctx,
964723
 		if (key == NULL)
964723
 			goto cleanup;
964723
 		key->keyname = newstr;
964723
+		key->algorithm = DST_ALG_UNKNOWN;
964723
 		key->secret.base = NULL;
964723
 		key->secret.length = 0;
964723
 		ISC_LINK_INIT(key, link);
964723
@@ -737,6 +743,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
964723
 			const cfg_obj_t *secretobj = NULL;
964723
 			const char *algstr = NULL;
964723
 			const char *secretstr = NULL;
964723
+			unsigned int algtype;
964723
 
964723
 			(void)cfg_map_get(keydef, "algorithm", &algobj);
964723
 			(void)cfg_map_get(keydef, "secret", &secretobj);
964723
@@ -745,8 +752,8 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
964723
 			algstr = cfg_obj_asstring(algobj);
964723
 			secretstr = cfg_obj_asstring(secretobj);
964723
 
964723
-			if (ns_config_getkeyalgorithm(algstr, NULL, NULL) !=
964723
-			    ISC_R_SUCCESS)
964723
+			if (ns_config_getkeyalgorithm2(algstr, NULL,
964723
+					&algtype, NULL) != ISC_R_SUCCESS)
964723
 			{
964723
 				cfg_obj_log(control, ns_g_lctx,
964723
 					    ISC_LOG_WARNING,
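Review bot: The last argument of ns_config_getkeyalgorithm2 is passed as NULL, so if that parameter is the digest truncation length (the "-128" in a name such as hmac-sha256-128, as the 2-suffixed variant suggests), named will accept such a name for a controls key and then verify with the untruncated MAC, while rndc's own parser in this patch rejects the truncated spelling; the two ends would disagree on a configuration named accepts without complaint. If that reading is right, either reject names with a truncation suffix here with the same warning path, or pass a `digestbits` variable and refuse it when non-zero until isccc supports truncation. `algtype` is declared `unsigned int` but stored into the `isc_uint32_t` field; harmless today, but declaring it `isc_uint32_t` avoids the implicit conversion. register_keys starts and ends outside this hunk.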
964723
@@ -759,6 +766,7 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist,
964723
 				continue;
964723
 			}
964723
 
964723
+			keyid->algorithm = algtype;
964723
 			isc_buffer_init(&b, secret, sizeof(secret));
964723
 			result = isc_base64_decodestring(secretstr, &b);
964723
 
964723
@@ -809,6 +817,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
964723
 	const char *secretstr = NULL;
964723
 	controlkey_t *keyid = NULL;
964723
 	char secret[1024];
964723
+	unsigned int algtype;
964723
 	isc_buffer_t b;
964723
 
964723
 	CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
964723
@@ -822,6 +831,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
964723
 					cfg_obj_asstring(cfg_map_getname(key)));
964723
 	keyid->secret.base = NULL;
964723
 	keyid->secret.length = 0;
964723
+	keyid->algorithm = DST_ALG_UNKNOWN;
964723
 	ISC_LINK_INIT(keyid, link);
964723
 	if (keyid->keyname == NULL)
964723
 		CHECK(ISC_R_NOMEMORY);
964723
@@ -835,7 +845,8 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
964723
 	algstr = cfg_obj_asstring(algobj);
964723
 	secretstr = cfg_obj_asstring(secretobj);
964723
 
964723
-	if (ns_config_getkeyalgorithm(algstr, NULL, NULL) != ISC_R_SUCCESS) {
964723
+	if (ns_config_getkeyalgorithm2(algstr, NULL,
964723
+				       &algtype, NULL) != ISC_R_SUCCESS) {
964723
 		cfg_obj_log(key, ns_g_lctx,
964723
 			    ISC_LOG_WARNING,
964723
 			    "unsupported algorithm '%s' in "
964723
@@ -845,6 +856,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
964723
 		goto cleanup;
964723
 	}
964723
 
964723
+	keyid->algorithm = algtype;
964723
 	isc_buffer_init(&b, secret, sizeof(secret));
964723
 	result = isc_base64_decodestring(secretstr, &b);
964723
 
964723
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
964723
index be198b1..c67223b 100644
964723
--- a/bin/rndc/rndc.c
964723
+++ b/bin/rndc/rndc.c
964723
@@ -77,6 +77,7 @@ static unsigned int remoteport = 0;
964723
 static isc_socketmgr_t *socketmgr = NULL;
964723
 static unsigned char databuf[2048];
964723
 static isccc_ccmsg_t ccmsg;
964723
+static isc_uint32_t algorithm;
964723
 static isccc_region_t secret;
964723
 static isc_boolean_t failed = ISC_FALSE;
964723
 static isc_boolean_t c_flag = ISC_FALSE;
964723
@@ -250,7 +251,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
964723
 	source.rstart = isc_buffer_base(&ccmsg.buffer);
964723
 	source.rend = isc_buffer_used(&ccmsg.buffer);
964723
 
964723
-	DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
964723
+	DO("parse message",
964723
+	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
964723
 
964723
 	data = isccc_alist_lookup(response, "_data");
964723
 	if (!isccc_alist_alistp(data))
964723
@@ -305,7 +307,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
964723
 		      "* the remote server is using an older version of"
964723
 		      " the command protocol,\n"
964723
 		      "* this host is not authorized to connect,\n"
964723
-		      "* the clocks are not synchronized, or\n"
964723
+		      "* the clocks are not synchronized,\n"
964723
+		      "* the the key signing algorithm is incorrect, or\n"
964723
 		      "* the key is invalid.");
964723
 
964723
 	if (ccmsg.result != ISC_R_SUCCESS)
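Review bot: The added diagnostic line has a doubled word in the user-facing message, `"* the the key signing algorithm is incorrect, or\n"`; it should read `"* the key signing algorithm is incorrect, or\n"`. Since this text is what an operator pastes into a bug report, it is worth getting right before release. rndc_recvnonce continues outside the hunk.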
964723
@@ -314,7 +317,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
964723
 	source.rstart = isc_buffer_base(&ccmsg.buffer);
964723
 	source.rend = isc_buffer_used(&ccmsg.buffer);
964723
 
964723
-	DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
964723
+	DO("parse message",
964723
+	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
964723
 
964723
 	_ctrl = isccc_alist_lookup(response, "_ctrl");
964723
 	if (!isccc_alist_alistp(_ctrl))
964723
@@ -341,7 +345,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
964723
 	}
964723
 	message.rstart = databuf + 4;
964723
 	message.rend = databuf + sizeof(databuf);
964723
-	DO("render message", isccc_cc_towire(request, &message, &secret));
964723
+	DO("render message",
964723
+	   isccc_cc_towire(request, &message, algorithm, &secret));
964723
 	len = sizeof(databuf) - REGION_SIZE(message);
964723
 	isc_buffer_init(&b, databuf, 4);
964723
 	isc_buffer_putuint32(&b, len - 4);
964723
@@ -403,7 +408,8 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
964723
 		fatal("out of memory");
964723
 	message.rstart = databuf + 4;
964723
 	message.rend = databuf + sizeof(databuf);
964723
-	DO("render message", isccc_cc_towire(request, &message, &secret));
964723
+	DO("render message",
964723
+	   isccc_cc_towire(request, &message, algorithm, &secret));
964723
 	len = sizeof(databuf) - REGION_SIZE(message);
964723
 	isc_buffer_init(&b, databuf, 4);
964723
 	isc_buffer_putuint32(&b, len - 4);
964723
@@ -483,7 +489,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
964723
 	const cfg_obj_t *address = NULL;
964723
 	const cfg_listelt_t *elt;
964723
 	const char *secretstr;
964723
-	const char *algorithm;
964723
+	const char *algorithmstr;
964723
 	static char secretarray[1024];
964723
 	const cfg_type_t *conftype = &cfg_type_rndcconf;
964723
 	isc_boolean_t key_only = ISC_FALSE;
964723
@@ -587,10 +593,22 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
964723
 		fatal("key must have algorithm and secret");
964723
 
964723
 	secretstr = cfg_obj_asstring(secretobj);
964723
-	algorithm = cfg_obj_asstring(algorithmobj);
964723
-
964723
-	if (strcasecmp(algorithm, "hmac-md5") != 0)
964723
-		fatal("unsupported algorithm: %s", algorithm);
964723
+	algorithmstr = cfg_obj_asstring(algorithmobj);
964723
+
964723
+	if (strcasecmp(algorithmstr, "hmac-md5") == 0)
964723
+		algorithm = ISCCC_ALG_HMACMD5;
964723
+	else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
964723
+		algorithm = ISCCC_ALG_HMACSHA1;
964723
+	else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
964723
+		algorithm = ISCCC_ALG_HMACSHA224;
964723
+	else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
964723
+		algorithm = ISCCC_ALG_HMACSHA256;
964723
+	else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
964723
+		algorithm = ISCCC_ALG_HMACSHA384;
964723
+	else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
964723
+		algorithm = ISCCC_ALG_HMACSHA512;
964723
+	else
964723
+		fatal("unsupported algorithm: %s", algorithmstr);
964723
 
964723
 	secret.rstart = (unsigned char *)secretarray;
964723
 	secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
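Review bot: The algorithm-name mapping is now maintained in three places that can drift, this strcasecmp chain in rndc, ns_config_getkeyalgorithm2 in named and alg_fromtext in rndc-confgen, and a name accepted by one and rejected by another yields only the generic "connection failed" hints. Since lib/isccc/cc.h gains the ISCCC_ALG_* constants in this patch, a name-to-constant lookup there (or at least a table in this file, below) would keep rndc and named on one list and make adding an algorithm a one-line change. It is also worth a comment on the hmac-md5 branch, `/* kept for compatibility with existing keys; no longer recommended */`, since the docbook already describes it that way but nothing in the code records it. parse_config continues outside the hunk.

```c
/* name/constant pairs accepted in the rndc.conf key clause (file scope) */
static const struct {
	const char *name;
	isc_uint32_t alg;
} algtable[] = {
	{ "hmac-md5",    ISCCC_ALG_HMACMD5 },   /* compatibility only */
	{ "hmac-sha1",   ISCCC_ALG_HMACSHA1 },
	{ "hmac-sha224", ISCCC_ALG_HMACSHA224 },
	{ "hmac-sha256", ISCCC_ALG_HMACSHA256 },
	{ "hmac-sha384", ISCCC_ALG_HMACSHA384 },
	{ "hmac-sha512", ISCCC_ALG_HMACSHA512 },
};

	/* … unchanged: key lookup, "key must have algorithm and secret" … */
	algorithmstr = cfg_obj_asstring(algorithmobj);
	for (i = 0; i < sizeof(algtable) / sizeof(algtable[0]); i++)
		if (strcasecmp(algorithmstr, algtable[i].name) == 0)
			break;
	if (i == sizeof(algtable) / sizeof(algtable[0]))
		fatal("unsupported algorithm: %s", algorithmstr);
	algorithm = algtable[i].alg;
	/* … unchanged: secret region setup and base64 decode … */
```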
964723
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
964723
index 67542b9..c463b96 100644
964723
--- a/bin/rndc/rndc.conf
964723
+++ b/bin/rndc/rndc.conf
964723
@@ -31,7 +31,7 @@ server localhost {
964723
 };
964723
 
964723
 key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 	secret "34f88008d07deabbe65bd01f1d233d47";
964723
 };
964723
 
964723
@@ -42,6 +42,6 @@ server "test1" {
964723
 };
964723
 
964723
 key "key" {
964723
-        algorithm       hmac-md5;
964723
+        algorithm       hmac-sha256;
964723
         secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
964723
 };
964723
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
964723
index 9de1995..5753378 100644
964723
--- a/bin/rndc/rndc.conf.docbook
964723
+++ b/bin/rndc/rndc.conf.docbook
964723
@@ -40,6 +40,7 @@
964723
       <year>2004</year>
964723
       <year>2005</year>
964723
       <year>2007</year>
964723
+      <year>2013</year>
964723
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
964723
     </copyright>
964723
     <copyright>
964723
@@ -119,11 +120,12 @@
964723
     <para>
964723
       The <option>key</option> statement begins with an identifying
964723
       string, the name of the key.  The statement has two clauses.
964723
-      <option>algorithm</option> identifies the encryption algorithm
964723
+      <option>algorithm</option> identifies the authentication algorithm
964723
       for <command>rndc</command> to use; currently only HMAC-MD5
964723
-      is
964723
+      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
964723
+      (default), HMAC-SHA384 and HMAC-SHA512 are
964723
       supported.  This is followed by a secret clause which contains
964723
-      the base-64 encoding of the algorithm's encryption key.  The
964723
+      the base-64 encoding of the algorithm's authentication key.  The
964723
       base-64 string is enclosed in double quotes.
964723
     </para>
964723
     <para>
964723
@@ -166,14 +168,14 @@
964723
     </para>
964723
     <para><programlisting>
964723
       key samplekey {
964723
-        algorithm       hmac-md5;
964723
+        algorithm       hmac-sha256;
964723
         secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
964723
       };
964723
 </programlisting>
964723
     </para>
964723
     <para><programlisting>
964723
       key testkey {
964723
-        algorithm	hmac-md5;
964723
+        algorithm	hmac-sha256;
964723
         secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
964723
       };
964723
     </programlisting>
964723
@@ -186,8 +188,8 @@
964723
       Commands to the localhost server will use the samplekey key, which
964723
       must also be defined in the server's configuration file with the
964723
       same name and secret.  The key statement indicates that samplekey
964723
-      uses the HMAC-MD5 algorithm and its secret clause contains the
964723
-      base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
964723
+      uses the HMAC-SHA256 algorithm and its secret clause contains the
964723
+      base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
964723
     </para>
964723
     <para>
964723
       If <command>rndc -s testserver</command> is used then <command>rndc</command> will
964723
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
964723
index 27645b5..5f97749 100644
964723
--- a/bin/rndc/rndc.docbook
964723
+++ b/bin/rndc/rndc.docbook
964723
@@ -76,12 +76,14 @@
964723
       arguments.
964723
     </para>
964723
     <para><command>rndc</command>
964723
-      communicates with the name server
964723
-      over a TCP connection, sending commands authenticated with
964723
-      digital signatures.  In the current versions of
964723
+      communicates with the name server over a TCP connection, sending
964723
+      commands authenticated with digital signatures.  In the current
964723
+      versions of
964723
       <command>rndc</command> and <command>named</command>,
964723
-      the only supported authentication algorithm is HMAC-MD5,
964723
-      which uses a shared secret on each end of the connection.
964723
+      the only supported authentication algorithms are HMAC-MD5
964723
+      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
964723
+      (default), HMAC-SHA384 and HMAC-SHA512.
964723
+      They use a shared secret on each end of the connection.
964723
       This provides TSIG-style authentication for the command
964723
       request and the name server's response.  All commands sent
964723
       over the channel must be signed by a key_id known to the
964723
@@ -145,7 +147,7 @@
964723
             <command>rndc</command>.  If no server is supplied on the
964723
             command line, the host named by the default-server clause
964723
             in the options statement of the <command>rndc</command>
964723
-	    configuration file will be used.
964723
+            configuration file will be used.
964723
           </para>
964723
         </listitem>
964723
       </varlistentry>
964723
diff --git a/bin/tests/system/autosign/ns1/named.conf b/bin/tests/system/autosign/ns1/named.conf
964723
index 2fbe62f..e67c4e4 100644
964723
--- a/bin/tests/system/autosign/ns1/named.conf
964723
+++ b/bin/tests/system/autosign/ns1/named.conf
964723
@@ -36,7 +36,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/autosign/ns2/named.conf b/bin/tests/system/autosign/ns2/named.conf
964723
index 5e9ad8f..826bb91 100644
964723
--- a/bin/tests/system/autosign/ns2/named.conf
964723
+++ b/bin/tests/system/autosign/ns2/named.conf
964723
@@ -37,7 +37,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/autosign/ns3/named.conf b/bin/tests/system/autosign/ns3/named.conf
964723
index 542a81e..89b7ece 100644
964723
--- a/bin/tests/system/autosign/ns3/named.conf
964723
+++ b/bin/tests/system/autosign/ns3/named.conf
964723
@@ -39,7 +39,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/cacheclean/ns2/named.conf b/bin/tests/system/cacheclean/ns2/named.conf
964723
index cb675d2..6f0fba0 100644
964723
--- a/bin/tests/system/cacheclean/ns2/named.conf
964723
+++ b/bin/tests/system/cacheclean/ns2/named.conf
964723
@@ -34,7 +34,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/common/controls.conf b/bin/tests/system/common/controls.conf
964723
index b5d619e..b9b6311 100644
964723
--- a/bin/tests/system/common/controls.conf
964723
+++ b/bin/tests/system/common/controls.conf
964723
@@ -19,7 +19,7 @@
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/common/rndc.conf b/bin/tests/system/common/rndc.conf
964723
index 3704ae7..5661b26 100644
964723
--- a/bin/tests/system/common/rndc.conf
964723
+++ b/bin/tests/system/common/rndc.conf
964723
@@ -22,6 +22,6 @@ options {
964723
 };
964723
 
964723
 key rndc_key {
964723
-        algorithm       hmac-md5;
964723
+        algorithm       hmac-sha256;
964723
         secret          "1234abcd8765";
964723
 };
964723
diff --git a/bin/tests/system/common/rndc.key b/bin/tests/system/common/rndc.key
964723
index 1239e93..d5a7a9f 100644
964723
--- a/bin/tests/system/common/rndc.key
964723
+++ b/bin/tests/system/common/rndc.key
964723
@@ -18,5 +18,5 @@
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
964723
index 49c5686..2bd42f9 100644
964723
--- a/bin/tests/system/conf.sh.in
964723
+++ b/bin/tests/system/conf.sh.in
964723
@@ -36,6 +36,7 @@ DIG=$TOP/bin/dig/dig
964723
 RNDC=$TOP/bin/rndc/rndc
964723
 NSUPDATE=$TOP/bin/nsupdate/nsupdate
964723
 DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
964723
+RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
964723
 KEYGEN=$TOP/bin/dnssec/dnssec-keygen
964723
 KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
964723
 SIGNER=$TOP/bin/dnssec/dnssec-signzone
964723
diff --git a/bin/tests/system/database/ns1/named.conf1 b/bin/tests/system/database/ns1/named.conf1
964723
index 08dedc8..9270d56 100644
964723
--- a/bin/tests/system/database/ns1/named.conf1
964723
+++ b/bin/tests/system/database/ns1/named.conf1
964723
@@ -20,7 +20,7 @@
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/database/ns1/named.conf2 b/bin/tests/system/database/ns1/named.conf2
964723
index c79bf9b..ed1bdfb 100644
964723
--- a/bin/tests/system/database/ns1/named.conf2
964723
+++ b/bin/tests/system/database/ns1/named.conf2
964723
@@ -20,7 +20,7 @@
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/dlv/ns5/named.conf b/bin/tests/system/dlv/ns5/named.conf
964723
index d886331..954fb37 100644
964723
--- a/bin/tests/system/dlv/ns5/named.conf
964723
+++ b/bin/tests/system/dlv/ns5/named.conf
964723
@@ -23,7 +23,7 @@
964723
  *
964723
  * e.g.
964723
  *	key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
964723
- *		algorithm hmac-md5;
964723
+ *		algorithm hmac-sha256;
964723
  *		secret "34f88008d07deabbe65bd01f1d233d47";
964723
  *	}; 
964723
  *
964723
@@ -36,7 +36,7 @@
964723
  */
964723
 
964723
 key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 	secret "34f88008d07deabbe65bd01f1d233d47";
964723
 };
964723
 
964723
diff --git a/bin/tests/system/dlv/ns5/rndc.conf b/bin/tests/system/dlv/ns5/rndc.conf
964723
index 958ee98..ecc29b3 100644
964723
--- a/bin/tests/system/dlv/ns5/rndc.conf
964723
+++ b/bin/tests/system/dlv/ns5/rndc.conf
964723
@@ -17,7 +17,7 @@
964723
 /* $Id: rndc.conf,v 1.5 2007/06/19 23:47:02 tbox Exp $ */
964723
 
964723
 key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 	secret "34f88008d07deabbe65bd01f1d233d47";
964723
 }; 
964723
  
964723
diff --git a/bin/tests/system/dlvauto/ns2/named.conf b/bin/tests/system/dlvauto/ns2/named.conf
964723
index a7b86d0..fce5d85 100644
964723
--- a/bin/tests/system/dlvauto/ns2/named.conf
964723
+++ b/bin/tests/system/dlvauto/ns2/named.conf
964723
@@ -37,7 +37,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in
964723
index 6577761..01a4a3b 100644
964723
--- a/bin/tests/system/dlzexternal/ns1/named.conf.in
964723
+++ b/bin/tests/system/dlzexternal/ns1/named.conf.in
964723
@@ -33,7 +33,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 include "ddns.key";
964723
diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf
964723
index 37d23c1..6ef21b3 100644
964723
--- a/bin/tests/system/dnssec/ns3/named.conf
964723
+++ b/bin/tests/system/dnssec/ns3/named.conf
964723
@@ -38,7 +38,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/dnssec/ns4/named1.conf b/bin/tests/system/dnssec/ns4/named1.conf
964723
index 432d3f6..542266f 100644
964723
--- a/bin/tests/system/dnssec/ns4/named1.conf
964723
+++ b/bin/tests/system/dnssec/ns4/named1.conf
964723
@@ -47,7 +47,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/dnssec/ns4/named2.conf b/bin/tests/system/dnssec/ns4/named2.conf
964723
index cc395be..f7e812c 100644
964723
--- a/bin/tests/system/dnssec/ns4/named2.conf
964723
+++ b/bin/tests/system/dnssec/ns4/named2.conf
964723
@@ -37,7 +37,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/dnssec/ns4/named3.conf b/bin/tests/system/dnssec/ns4/named3.conf
964723
index 2d40740..d391aac 100644
964723
--- a/bin/tests/system/dnssec/ns4/named3.conf
964723
+++ b/bin/tests/system/dnssec/ns4/named3.conf
964723
@@ -38,7 +38,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named1.conf b/bin/tests/system/geoip/ns2/named1.conf
964723
index 66aca6f..e4c8eca 100644
964723
--- a/bin/tests/system/geoip/ns2/named1.conf
964723
+++ b/bin/tests/system/geoip/ns2/named1.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf
964723
index 2dd52ae..6f3fdee 100644
964723
--- a/bin/tests/system/geoip/ns2/named10.conf
964723
+++ b/bin/tests/system/geoip/ns2/named10.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf
964723
index af87edf..149e19a 100644
964723
--- a/bin/tests/system/geoip/ns2/named11.conf
964723
+++ b/bin/tests/system/geoip/ns2/named11.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named2.conf b/bin/tests/system/geoip/ns2/named2.conf
964723
index 67a5155..5dc3848 100644
964723
--- a/bin/tests/system/geoip/ns2/named2.conf
964723
+++ b/bin/tests/system/geoip/ns2/named2.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named3.conf b/bin/tests/system/geoip/ns2/named3.conf
964723
index 65113a6..ebf96a9 100644
964723
--- a/bin/tests/system/geoip/ns2/named3.conf
964723
+++ b/bin/tests/system/geoip/ns2/named3.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named4.conf b/bin/tests/system/geoip/ns2/named4.conf
964723
index d2393d5..cc79dde 100644
964723
--- a/bin/tests/system/geoip/ns2/named4.conf
964723
+++ b/bin/tests/system/geoip/ns2/named4.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named5.conf b/bin/tests/system/geoip/ns2/named5.conf
964723
index 011e310..acbbdb1 100644
964723
--- a/bin/tests/system/geoip/ns2/named5.conf
964723
+++ b/bin/tests/system/geoip/ns2/named5.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named6.conf b/bin/tests/system/geoip/ns2/named6.conf
964723
index 7ef7b19..5e93510 100644
964723
--- a/bin/tests/system/geoip/ns2/named6.conf
964723
+++ b/bin/tests/system/geoip/ns2/named6.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named7.conf b/bin/tests/system/geoip/ns2/named7.conf
964723
index 118bdbe..508a650 100644
964723
--- a/bin/tests/system/geoip/ns2/named7.conf
964723
+++ b/bin/tests/system/geoip/ns2/named7.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named8.conf b/bin/tests/system/geoip/ns2/named8.conf
964723
index 9cb5c0a..60dcef2 100644
964723
--- a/bin/tests/system/geoip/ns2/named8.conf
964723
+++ b/bin/tests/system/geoip/ns2/named8.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/geoip/ns2/named9.conf b/bin/tests/system/geoip/ns2/named9.conf
964723
index af2f7ff..605b1ff 100644
964723
--- a/bin/tests/system/geoip/ns2/named9.conf
964723
+++ b/bin/tests/system/geoip/ns2/named9.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/ixfr/ns3/named.conf b/bin/tests/system/ixfr/ns3/named.conf
964723
index c01ce54..b164968 100644
964723
--- a/bin/tests/system/ixfr/ns3/named.conf
964723
+++ b/bin/tests/system/ixfr/ns3/named.conf
964723
@@ -31,7 +31,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/ixfr/ns4/named.conf b/bin/tests/system/ixfr/ns4/named.conf
964723
index b8c8e8c..073d1a9 100644
964723
--- a/bin/tests/system/ixfr/ns4/named.conf
964723
+++ b/bin/tests/system/ixfr/ns4/named.conf
964723
@@ -30,7 +30,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/ixfr/setup.sh b/bin/tests/system/ixfr/setup.sh
964723
index 7e68ebc..9b3b96d 100644
964723
--- a/bin/tests/system/ixfr/setup.sh
964723
+++ b/bin/tests/system/ixfr/setup.sh
964723
@@ -34,7 +34,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/logfileconfig/ns1/named.dirconf b/bin/tests/system/logfileconfig/ns1/named.dirconf
964723
index 9cbd039..3621c2f 100644
964723
--- a/bin/tests/system/logfileconfig/ns1/named.dirconf
964723
+++ b/bin/tests/system/logfileconfig/ns1/named.dirconf
964723
@@ -46,7 +46,7 @@ controls {
964723
 };
964723
 
964723
 key "rndc-key" {
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
         secret "Am9vCg==";
964723
 };
964723
 
964723
diff --git a/bin/tests/system/logfileconfig/ns1/named.pipeconf b/bin/tests/system/logfileconfig/ns1/named.pipeconf
964723
index bf5d02f..94c10f4 100644
964723
--- a/bin/tests/system/logfileconfig/ns1/named.pipeconf
964723
+++ b/bin/tests/system/logfileconfig/ns1/named.pipeconf
964723
@@ -46,7 +46,7 @@ controls {
964723
 };
964723
 
964723
 key "rndc-key" {
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
         secret "Am9vCg==";
964723
 };
964723
 
964723
diff --git a/bin/tests/system/logfileconfig/ns1/named.plain b/bin/tests/system/logfileconfig/ns1/named.plain
964723
index 64cfbfa..a404577 100644
964723
--- a/bin/tests/system/logfileconfig/ns1/named.plain
964723
+++ b/bin/tests/system/logfileconfig/ns1/named.plain
964723
@@ -46,7 +46,7 @@ controls {
964723
 };
964723
 
964723
 key "rndc-key" {
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
         secret "Am9vCg==";
964723
 };
964723
 
964723
diff --git a/bin/tests/system/logfileconfig/ns1/named.symconf b/bin/tests/system/logfileconfig/ns1/named.symconf
964723
index fc3f9bd..7c42619 100644
964723
--- a/bin/tests/system/logfileconfig/ns1/named.symconf
964723
+++ b/bin/tests/system/logfileconfig/ns1/named.symconf
964723
@@ -46,7 +46,7 @@ controls {
964723
 };
964723
 
964723
 key "rndc-key" {
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
         secret "Am9vCg==";
964723
 };
964723
 
964723
diff --git a/bin/tests/system/logfileconfig/ns1/rndc.conf b/bin/tests/system/logfileconfig/ns1/rndc.conf
964723
index f7fe7aa..2f3d0ab 100644
964723
--- a/bin/tests/system/logfileconfig/ns1/rndc.conf
964723
+++ b/bin/tests/system/logfileconfig/ns1/rndc.conf
964723
@@ -26,6 +26,6 @@ server localhost {
964723
 };
964723
 
964723
 key "rndc-key" {
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
         secret "Am9vCg==";
964723
 };
964723
diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf
964723
index 3492b4c..86fe91d 100644
964723
--- a/bin/tests/system/nsupdate/ns1/named.conf
964723
+++ b/bin/tests/system/nsupdate/ns1/named.conf
964723
@@ -34,7 +34,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/pkcs11/ns1/named.conf b/bin/tests/system/pkcs11/ns1/named.conf
964723
index 48b8adf..0c8bdec 100644
964723
--- a/bin/tests/system/pkcs11/ns1/named.conf
964723
+++ b/bin/tests/system/pkcs11/ns1/named.conf
964723
@@ -32,7 +32,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/resolver/ns4/named.conf b/bin/tests/system/resolver/ns4/named.conf
964723
index 353cfe7..7fe14df 100644
964723
--- a/bin/tests/system/resolver/ns4/named.conf
964723
+++ b/bin/tests/system/resolver/ns4/named.conf
964723
@@ -59,7 +59,7 @@ zone "broken" {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/rndc/clean.sh b/bin/tests/system/rndc/clean.sh
964723
index 2fcfcfb..7e16cb4 100644
964723
--- a/bin/tests/system/rndc/clean.sh
964723
+++ b/bin/tests/system/rndc/clean.sh
964723
@@ -22,3 +22,5 @@ rm -f ns2/named.stats
964723
 rm -f ns3/named_dump.db
964723
 rm -f ns*/named.memstats
964723
 rm -f ns*/named.run
964723
+rm -f random.data
964723
+rm -f ns4/*.conf
964723
diff --git a/bin/tests/system/rndc/ns2/named.conf b/bin/tests/system/rndc/ns2/named.conf
964723
index 12d6f14..e94bfe9 100644
964723
--- a/bin/tests/system/rndc/ns2/named.conf
964723
+++ b/bin/tests/system/rndc/ns2/named.conf
964723
@@ -29,12 +29,12 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 key secondkey {
964723
 	secret "abcd1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/rndc/ns2/secondkey.conf b/bin/tests/system/rndc/ns2/secondkey.conf
964723
index 99a876c..0445299 100644
964723
--- a/bin/tests/system/rndc/ns2/secondkey.conf
964723
+++ b/bin/tests/system/rndc/ns2/secondkey.conf
964723
@@ -22,5 +22,5 @@ options {
964723
 
964723
 key secondkey {
964723
         secret "abcd1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
diff --git a/bin/tests/system/rndc/ns3/named.conf b/bin/tests/system/rndc/ns3/named.conf
964723
index 9feefac..b8e0780 100644
964723
--- a/bin/tests/system/rndc/ns3/named.conf
964723
+++ b/bin/tests/system/rndc/ns3/named.conf
964723
@@ -28,12 +28,12 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 key secondkey {
964723
 	secret "abcd1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/rndc/ns4/3bf305731dd26307.nta b/bin/tests/system/rndc/ns4/3bf305731dd26307.nta
964723
new file mode 100644
964723
index 0000000..2f5d3cd
964723
--- /dev/null
964723
+++ b/bin/tests/system/rndc/ns4/3bf305731dd26307.nta
964723
@@ -0,0 +1,3 @@
964723
+nta1.example. regular 20171113185318
964723
+nta2.example. regular 20171114165318
964723
+nta3.example. regular 20171120165318
964723
diff --git a/bin/tests/system/rndc/ns4/named.conf.in b/bin/tests/system/rndc/ns4/named.conf.in
964723
new file mode 100644
964723
index 0000000..9f926f6
964723
--- /dev/null
964723
+++ b/bin/tests/system/rndc/ns4/named.conf.in
964723
@@ -0,0 +1,28 @@
964723
+/*
964723
+ * Copyright (C) 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
964723
+ *
964723
+ * Permission to use, copy, modify, and/or distribute this software for any
964723
+ * purpose with or without fee is hereby granted, provided that the above
964723
+ * copyright notice and this permission notice appear in all copies.
964723
+ *
964723
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
964723
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
964723
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
964723
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
964723
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
964723
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
964723
+ * PERFORMANCE OF THIS SOFTWARE.
964723
+ */
964723
+
964723
+/* $Id$ */
964723
+
964723
+controls { /* empty */ };
964723
+
964723
+options {
964723
+	port 5300;
964723
+	pid-file "named.pid";
964723
+	listen-on { 10.53.0.4; };
964723
+	listen-on-v6 { none; };
964723
+        recursion no;
964723
+};
964723
+
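Review bot: `recursion no;` is indented with spaces while every other line of the options block uses a tab; make it `	recursion no;` for consistency. The file also ends with `controls { /* empty */ };` and nothing explains that the real key and controls clauses arrive later, since setup.sh appends rndc-confgen's commented stanza to ns4/named.conf; a trailing comment such as `/* key and controls clauses for each test algorithm are appended by setup.sh */` would make the empty controls clause self-explanatory.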
964723
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
964723
index aed84af..ce80005 100644
964723
--- a/bin/tests/system/rndc/setup.sh
964723
+++ b/bin/tests/system/rndc/setup.sh
964723
@@ -10,14 +10,36 @@
964723
 # REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
964723
 # AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
964723
 # INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
964723
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
964723
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN
964723
+# -r random.dataCE
964723
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
964723
 # PERFORMANCE OF THIS SOFTWARE.
964723
 
964723
 # $Id: setup.sh,v 1.2 2011/03/21 18:06:06 each Exp $
964723
 
964723
+SYSTEMTESTTOP=..
964723
+. $SYSTEMTESTTOP/conf.sh
964723
+
964723
 sh clean.sh
964723
 
964723
+../../../tools/genrandom 400 random.data
964723
+
964723
 sh ../genzone.sh 2 >ns2/nil.db
964723
 sh ../genzone.sh 2 >ns2/other.db
964723
 sh ../genzone.sh 2 >ns2/static.db
964723
+
964723
+cat ns4/named.conf.in > ns4/named.conf
964723
+
964723
+make_key () {
964723
+    $RNDCCONFGEN -r random.data -k key$1 -A $2 -s 10.53.0.4 -p 995${1} \
964723
+            > ns4/key${1}.conf
964723
+    egrep -v '(Start|End|Use|^[^#])' ns4/key$1.conf | cut -c3- | \
964723
+            sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
964723
+}
964723
+
964723
+make_key 1 hmac-md5
964723
+make_key 2 hmac-sha1
964723
+make_key 3 hmac-sha224
964723
+make_key 4 hmac-sha256
964723
+make_key 5 hmac-sha384
964723
+make_key 6 hmac-sha512
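Review bot: The license header is corrupted in this hunk: the word NEGLIGENCE is split across two added lines with a stray fragment inserted between them, so the text now reads `# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGEN` followed by `# -r random.dataCE`. Restore the single original line `# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE` and drop the fragment, which looks like a paste of the `-r random.data` option that landed in the wrong place. make_key also depends on the exact layout of rndc-confgen's output (the egrep/cut pipeline keeps only the commented named.conf stanza), and if that format changes the pipeline silently appends nothing; a comment such as `# keep only the commented-out named.conf stanza rndc-confgen prints after the rndc.conf text, strip the "# " prefix, and open the controls ACL` would tell a reader what the filter relies on.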
964723
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
964723
index a558e19..947987b 100644
964723
--- a/bin/tests/system/rndc/tests.sh
964723
+++ b/bin/tests/system/rndc/tests.sh
964723
@@ -245,5 +245,65 @@ done
964723
 if [ $ret != 0 ]; then echo "I:failed"; fi
964723
 status=`expr $status + $ret`
964723
 
964723
+echo "I:testing rndc with hmac-md5"
964723
+ret=0
964723
+$RNDC -s 10.53.0.4 -p 9951 -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
964723
+for i in 2 3 4 5 6
964723
+do
964723
+        $RNDC -s 10.53.0.4 -p 9951 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
964723
+done
964723
+if [ $ret != 0 ]; then echo "I:failed"; fi
964723
+status=`expr $status + $ret`
964723
+
964723
+echo "I:testing rndc with hmac-sha1"
964723
+ret=0
964723
+$RNDC -s 10.53.0.4 -p 9952 -c ns4/key2.conf status > /dev/null 2>&1 || ret=1
964723
+for i in 1 3 4 5 6
964723
+do
964723
+        $RNDC -s 10.53.0.4 -p 9952 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
964723
+done
964723
+if [ $ret != 0 ]; then echo "I:failed"; fi
964723
+status=`expr $status + $ret`
964723
+
964723
+echo "I:testing rndc with hmac-sha224"
964723
+ret=0
964723
+$RNDC -s 10.53.0.4 -p 9953 -c ns4/key3.conf status > /dev/null 2>&1 || ret=1
964723
+for i in 1 2 4 5 6
964723
+do
964723
+        $RNDC -s 10.53.0.4 -p 9953 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
964723
+done
964723
+if [ $ret != 0 ]; then echo "I:failed"; fi
964723
+status=`expr $status + $ret`
964723
+
964723
+echo "I:testing rndc with hmac-sha256"
964723
+ret=0
964723
+$RNDC -s 10.53.0.4 -p 9954 -c ns4/key4.conf status > /dev/null 2>&1 || ret=1
964723
+for i in 1 2 3 5 6
964723
+do
964723
+        $RNDC -s 10.53.0.4 -p 9954 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
964723
+done
964723
+if [ $ret != 0 ]; then echo "I:failed"; fi
964723
+status=`expr $status + $ret`
964723
+
964723
+echo "I:testing rndc with hmac-sha384"
964723
+ret=0
964723
+$RNDC -s 10.53.0.4 -p 9955 -c ns4/key5.conf status > /dev/null 2>&1 || ret=1
964723
+for i in 1 2 3 4 6
964723
+do
964723
+        $RNDC -s 10.53.0.4 -p 9955 -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
964723
+done
964723
+if [ $ret != 0 ]; then echo "I:failed"; fi
964723
+status=`expr $status + $ret`
964723
+
964723
+echo "I:testing rndc with hmac-sha512"
964723
+ret=0
964723
+$RNDC -s 10.53.0.4 -p 9956 -c ns4/key6.conf status > /dev/null 2>&1 || ret=1
964723
+for i in 1 2 3 4 5
964723
+do
964723
+        $RNDC -s 10.53.0.4 -p 9956 -c ns4/key${i}.conf status > /dev/null 2>&1 2>&1 && ret=1
964723
+done
964723
+if [ $ret != 0 ]; then echo "I:failed"; fi
964723
+status=`expr $status + $ret`
964723
+
964723
 echo "I:exit status: $status"
964723
 exit $status
964723
diff --git a/bin/tests/system/rpz/ns3/named.conf b/bin/tests/system/rpz/ns3/named.conf
964723
index 4553b97..1e73a88 100644
964723
--- a/bin/tests/system/rpz/ns3/named.conf
964723
+++ b/bin/tests/system/rpz/ns3/named.conf
964723
@@ -52,7 +52,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 controls {
964723
 	inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
964723
diff --git a/bin/tests/system/rpz/ns5/named.conf b/bin/tests/system/rpz/ns5/named.conf
964723
index 82b6fde..df63189 100644
964723
--- a/bin/tests/system/rpz/ns5/named.conf
964723
+++ b/bin/tests/system/rpz/ns5/named.conf
964723
@@ -40,7 +40,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 controls {
964723
 	inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
964723
diff --git a/bin/tests/system/rrl/ns2/named.conf b/bin/tests/system/rrl/ns2/named.conf
964723
index cc261cb..748639c 100644
964723
--- a/bin/tests/system/rrl/ns2/named.conf
964723
+++ b/bin/tests/system/rrl/ns2/named.conf
964723
@@ -44,7 +44,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 controls {
964723
 	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
964723
diff --git a/bin/tests/system/staticstub/ns3/named.conf.in b/bin/tests/system/staticstub/ns3/named.conf.in
964723
index 159a4be..dbf9b17 100644
964723
--- a/bin/tests/system/staticstub/ns3/named.conf.in
964723
+++ b/bin/tests/system/staticstub/ns3/named.conf.in
964723
@@ -32,7 +32,7 @@
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/stress/ns3/named.conf b/bin/tests/system/stress/ns3/named.conf
964723
index 9ff09d7..f8695bc 100644
964723
--- a/bin/tests/system/stress/ns3/named.conf
964723
+++ b/bin/tests/system/stress/ns3/named.conf
964723
@@ -34,7 +34,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
964723
index b0f1700..6225563 100644
964723
--- a/bin/tests/system/tkey/ns1/named.conf.in
964723
+++ b/bin/tests/system/tkey/ns1/named.conf.in
964723
@@ -37,7 +37,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/tsiggss/ns1/named.conf b/bin/tests/system/tsiggss/ns1/named.conf
964723
index 645d578..3084a1b 100644
964723
--- a/bin/tests/system/tsiggss/ns1/named.conf
964723
+++ b/bin/tests/system/tsiggss/ns1/named.conf
964723
@@ -34,7 +34,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/views/ns3/named1.conf b/bin/tests/system/views/ns3/named1.conf
964723
index 9723e08..8071dbf 100644
964723
--- a/bin/tests/system/views/ns3/named1.conf
964723
+++ b/bin/tests/system/views/ns3/named1.conf
964723
@@ -34,7 +34,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/views/ns3/named2.conf b/bin/tests/system/views/ns3/named2.conf
964723
index 27d4955..2804059 100644
964723
--- a/bin/tests/system/views/ns3/named2.conf
964723
+++ b/bin/tests/system/views/ns3/named2.conf
964723
@@ -34,7 +34,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/xfer/ns3/named.conf b/bin/tests/system/xfer/ns3/named.conf
964723
index 5f742d2..0ea4663 100644
964723
--- a/bin/tests/system/xfer/ns3/named.conf
964723
+++ b/bin/tests/system/xfer/ns3/named.conf
964723
@@ -34,7 +34,7 @@ options {
964723
 
964723
 key rndc_key {
964723
         secret "1234abcd8765";
964723
-        algorithm hmac-md5;
964723
+        algorithm hmac-sha256;
964723
 };
964723
 
964723
 controls {
964723
diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
964723
index 231fcfa..ecab46a 100644
964723
--- a/bin/tests/system/xfer/ns4/named.conf.base
964723
+++ b/bin/tests/system/xfer/ns4/named.conf.base
964723
@@ -30,7 +30,7 @@ options {
964723
 
964723
 key rndc_key {
964723
 	secret "1234abcd8765";
964723
-	algorithm hmac-md5;
964723
+	algorithm hmac-sha256;
964723
 };
964723
 
964723
 key unused_key. {
964723
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
964723
index 10e5dc9..9428374 100644
964723
--- a/lib/isccc/cc.c
964723
+++ b/lib/isccc/cc.c
964723
@@ -41,6 +41,7 @@
964723
 
964723
 #include <isc/assertions.h>
964723
 #include <isc/hmacmd5.h>
964723
+#include <isc/hmacsha.h>
964723
 #include <isc/print.h>
964723
 #include <isc/safe.h>
964723
 #include <isc/stdlib.h>
964723
@@ -78,6 +79,34 @@ static unsigned char auth_hmd5[] = {
964723
 #define HMD5_OFFSET	21		/*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
964723
 #define HMD5_LENGTH	22
964723
 
964723
+static unsigned char auth_hsha[] = {
964723
+	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,		/*%< len + _auth */
964723
+	ISCCC_CCMSGTYPE_TABLE,				/*%< message type */
964723
+	0x00, 0x00, 0x00, 0x63,				/*%< length == 99 */
964723
+	0x04, 0x68, 0x73, 0x68, 0x61,			/*%< len + hsha */
964723
+	ISCCC_CCMSGTYPE_BINARYDATA,			/*%< message type */
964723
+	0x00, 0x00, 0x00, 0x59,				/*%< length == 89 */
964723
+	0x00,						/*%< algorithm */
964723
+	/*
964723
+	 * The base64 encoding of one of our HMAC-SHA* signatures is
964723
+	 * 88 bytes.
964723
+	 */
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
964723
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
964723
+};
964723
+
964723
+#define HSHA_OFFSET	22		/*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */
964723
+#define HSHA_LENGTH	88
964723
+
964723
 static isc_result_t
964723
 table_towire(isccc_sexpr_t *alist, isccc_region_t *target);
964723
 
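Review bot: The comment on the new HSHA_OFFSET macro says `21 = 6 + 1 + 4 + 5 + 1 + 4 + 1`, but that sum is 22, which is the value actually defined; it should read `/*%< 22 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */`. The comment inside auth_hsha says the base64 encoding of one of our HMAC-SHA* signatures is 88 bytes, which is true only for HMAC-SHA512 (64-byte digest); SHA1 through SHA384 encode to 28–64 characters and, given the memset in sign() and the fixed-length PUT_MEM, the remainder of the 88-byte field is sent as zero bytes. Stating that invariant, e.g. `/* 88 = base64 length of a SHA512 digest; shorter digests leave the tail of the field zero-filled */`, would save the next reader from assuming every algorithm fills the field.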
964723
@@ -205,53 +234,133 @@ list_towire(isccc_sexpr_t *list, isccc_region_t *target)
964723
 }
964723
 
964723
 static isc_result_t
964723
-sign(unsigned char *data, unsigned int length, unsigned char *hmd5,
964723
-     isccc_region_t *secret)
964723
+sign(unsigned char *data, unsigned int length, unsigned char *hmac,
964723
+     isc_uint32_t algorithm, isccc_region_t *secret)
964723
 {
964723
-	isc_hmacmd5_t ctx;
964723
+	union {
964723
+		isc_hmacmd5_t hmd5;
964723
+		isc_hmacsha1_t hsha;
964723
+		isc_hmacsha224_t h224;
964723
+		isc_hmacsha256_t h256;
964723
+		isc_hmacsha384_t h384;
964723
+		isc_hmacsha512_t h512;
964723
+	} ctx;
964723
 	isc_result_t result;
964723
 	isccc_region_t source, target;
964723
-	unsigned char digest[ISC_MD5_DIGESTLENGTH];
964723
-	unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
964723
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
964723
+	unsigned char digestb64[HSHA_LENGTH + 4];
964723
 
964723
-	isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
964723
-	isc_hmacmd5_update(&ctx, data, length);
964723
-	isc_hmacmd5_sign(&ctx, digest);
964723
 	source.rstart = digest;
964723
-	source.rend = digest + ISC_MD5_DIGESTLENGTH;
964723
+
964723
+	switch (algorithm) {
964723
+	case ISCCC_ALG_HMACMD5:
964723
+		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
964723
+				 REGION_SIZE(*secret));
964723
+		isc_hmacmd5_update(&ctx.hmd5, data, length);
964723
+		isc_hmacmd5_sign(&ctx.hmd5, digest);
964723
+		source.rend = digest + ISC_MD5_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA1:
964723
+		isc_hmacsha1_init(&ctx.hsha, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha1_update(&ctx.hsha, data, length);
964723
+		isc_hmacsha1_sign(&ctx.hsha, digest,
964723
+				    ISC_SHA1_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA1_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA224:
964723
+		isc_hmacsha224_init(&ctx.h224, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha224_update(&ctx.h224, data, length);
964723
+		isc_hmacsha224_sign(&ctx.h224, digest,
964723
+				    ISC_SHA224_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA224_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA256:
964723
+		isc_hmacsha256_init(&ctx.h256, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha256_update(&ctx.h256, data, length);
964723
+		isc_hmacsha256_sign(&ctx.h256, digest,
964723
+				    ISC_SHA256_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA256_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA384:
964723
+		isc_hmacsha384_init(&ctx.h384, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha384_update(&ctx.h384, data, length);
964723
+		isc_hmacsha384_sign(&ctx.h384, digest,
964723
+				    ISC_SHA384_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA384_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA512:
964723
+		isc_hmacsha512_init(&ctx.h512, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha512_update(&ctx.h512, data, length);
964723
+		isc_hmacsha512_sign(&ctx.h512, digest,
964723
+				    ISC_SHA512_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA512_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	default:
964723
+		return (ISC_R_FAILURE);
964723
+	}
964723
+
964723
+	memset(digestb64, 0, sizeof(digestb64));
964723
 	target.rstart = digestb64;
964723
-	target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
964723
+	target.rend = digestb64 + sizeof(digestb64);
964723
 	result = isccc_base64_encode(&source, 64, "", &target);
964723
 	if (result != ISC_R_SUCCESS)
964723
 		return (result);
964723
-	PUT_MEM(digestb64, HMD5_LENGTH, hmd5);
964723
-
964723
+	if (algorithm == ISCCC_ALG_HMACMD5)
964723
+		PUT_MEM(digestb64, HMD5_LENGTH, hmac);
964723
+	else
964723
+		PUT_MEM(digestb64, HSHA_LENGTH, hmac);
964723
 	return (ISC_R_SUCCESS);
964723
 }
964723
 
964723
 isc_result_t
964723
 isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
964723
-	      isccc_region_t *secret)
964723
+		isc_uint32_t algorithm, isccc_region_t *secret)
964723
 {
964723
-	unsigned char *hmd5_rstart, *signed_rstart;
964723
+	unsigned char *hmac_rstart, *signed_rstart;
964723
 	isc_result_t result;
964723
 
964723
-	if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
964723
-		return (ISC_R_NOSPACE);
964723
+	if (algorithm == ISCCC_ALG_HMACMD5) {
964723
+		if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
964723
+			return (ISC_R_NOSPACE);
964723
+	} else {
964723
+		if (REGION_SIZE(*target) < 4 + sizeof(auth_hsha))
964723
+			return (ISC_R_NOSPACE);
964723
+	}
964723
+
964723
 	/*
964723
 	 * Emit protocol version.
964723
 	 */
964723
 	PUT32(1, target->rstart);
964723
 	if (secret != NULL) {
964723
 		/*
964723
-		 * Emit _auth section with zeroed HMAC-MD5 signature.
964723
+		 * Emit _auth section with zeroed HMAC signature.
964723
 		 * We'll replace the zeros with the real signature once
964723
 		 * we know what it is.
964723
 		 */
964723
-		hmd5_rstart = target->rstart + HMD5_OFFSET;
964723
-		PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
964723
+		if (algorithm == ISCCC_ALG_HMACMD5) {
964723
+			hmac_rstart = target->rstart + HMD5_OFFSET;
964723
+			PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
964723
+		} else {
964723
+			unsigned char *hmac_alg;
964723
+
964723
+			hmac_rstart = target->rstart + HSHA_OFFSET;
964723
+			hmac_alg = hmac_rstart - 1;
964723
+			PUT_MEM(auth_hsha, sizeof(auth_hsha), target->rstart);
964723
+			PUT8(algorithm, hmac_alg);
964723
+		}
964723
 	} else
964723
-		hmd5_rstart = NULL;
964723
+		hmac_rstart = NULL;
964723
 	signed_rstart = target->rstart;
964723
 	/*
964723
 	 * Delete any existing _auth section so that we don't try
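Review bot: `PUT8(algorithm, hmac_alg)` in isccc_cc_towire writes (presumably the low byte of) a 32-bit `algorithm` into the wire header before the value has been checked; an unsupported value only fails in sign()'s `default:` case after the whole message has been serialized into target, and the `else` branch above treats anything that is not HMACMD5 as an HSHA algorithm. Validating at the top of isccc_cc_towire, e.g. `if (algorithm != ISCCC_ALG_HMACMD5 && (algorithm < ISCCC_ALG_HMACSHA1 || algorithm > ISCCC_ALG_HMACSHA512)) return (ISC_R_FAILURE);` or a small helper shared with sign() and verify(), fails fast and keeps a truncated identifier from ever being placed on the wire. The `+ 4` in `digestb64[HSHA_LENGTH + 4]` is also unexplained — base64 of the 64-byte SHA512 digest is exactly 88 characters — so a short comment on why the slack is needed would help. sign() is complete in this hunk; isccc_cc_towire continues into the next one.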
964723
@@ -266,21 +375,28 @@ isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
964723
 		return (result);
964723
 	if (secret != NULL)
964723
 		return (sign(signed_rstart, (target->rstart - signed_rstart),
964723
-			     hmd5_rstart, secret));
964723
+			     hmac_rstart, algorithm, secret));
964723
 	return (ISC_R_SUCCESS);
964723
 }
964723
 
964723
 static isc_result_t
964723
 verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
964723
-       isccc_region_t *secret)
964723
+       isc_uint32_t algorithm, isccc_region_t *secret)
964723
 {
964723
-	isc_hmacmd5_t ctx;
964723
+	union {
964723
+		isc_hmacmd5_t hmd5;
964723
+		isc_hmacsha1_t hsha;
964723
+		isc_hmacsha224_t h224;
964723
+		isc_hmacsha256_t h256;
964723
+		isc_hmacsha384_t h384;
964723
+		isc_hmacsha512_t h512;
964723
+	} ctx;
964723
 	isccc_region_t source;
964723
 	isccc_region_t target;
964723
 	isc_result_t result;
964723
-	isccc_sexpr_t *_auth, *hmd5;
964723
-	unsigned char digest[ISC_MD5_DIGESTLENGTH];
964723
-	unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
964723
+	isccc_sexpr_t *_auth, *hmac;
964723
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
964723
+	unsigned char digestb64[HSHA_LENGTH * 4];
964723
 
964723
 	/*
964723
 	 * Extract digest.
964723
@@ -288,40 +404,107 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
964723
 	_auth = isccc_alist_lookup(alist, "_auth");
964723
 	if (!isccc_alist_alistp(_auth))
964723
 		return (ISC_R_FAILURE);
964723
-	hmd5 = isccc_alist_lookup(_auth, "hmd5");
964723
-	if (!isccc_sexpr_binaryp(hmd5))
964723
+	if (algorithm == ISCCC_ALG_HMACMD5)
964723
+		hmac = isccc_alist_lookup(_auth, "hmd5");
964723
+	else
964723
+		hmac = isccc_alist_lookup(_auth, "hsha");
964723
+	if (!isccc_sexpr_binaryp(hmac))
964723
 		return (ISC_R_FAILURE);
964723
 	/*
964723
 	 * Compute digest.
964723
 	 */
964723
-	isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
964723
-	isc_hmacmd5_update(&ctx, data, length);
964723
-	isc_hmacmd5_sign(&ctx, digest);
964723
 	source.rstart = digest;
964723
-	source.rend = digest + ISC_MD5_DIGESTLENGTH;
964723
 	target.rstart = digestb64;
964723
-	target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
964723
+	switch (algorithm) {
964723
+	case ISCCC_ALG_HMACMD5:
964723
+		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
964723
+				 REGION_SIZE(*secret));
964723
+		isc_hmacmd5_update(&ctx.hmd5, data, length);
964723
+		isc_hmacmd5_sign(&ctx.hmd5, digest);
964723
+		source.rend = digest + ISC_MD5_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA1:
964723
+		isc_hmacsha1_init(&ctx.hsha, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha1_update(&ctx.hsha, data, length);
964723
+		isc_hmacsha1_sign(&ctx.hsha, digest,
964723
+				    ISC_SHA1_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA1_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA224:
964723
+		isc_hmacsha224_init(&ctx.h224, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha224_update(&ctx.h224, data, length);
964723
+		isc_hmacsha224_sign(&ctx.h224, digest,
964723
+				    ISC_SHA224_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA224_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA256:
964723
+		isc_hmacsha256_init(&ctx.h256, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha256_update(&ctx.h256, data, length);
964723
+		isc_hmacsha256_sign(&ctx.h256, digest,
964723
+				    ISC_SHA256_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA256_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA384:
964723
+		isc_hmacsha384_init(&ctx.h384, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha384_update(&ctx.h384, data, length);
964723
+		isc_hmacsha384_sign(&ctx.h384, digest,
964723
+				    ISC_SHA384_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA384_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	case ISCCC_ALG_HMACSHA512:
964723
+		isc_hmacsha512_init(&ctx.h512, secret->rstart,
964723
+				    REGION_SIZE(*secret));
964723
+		isc_hmacsha512_update(&ctx.h512, data, length);
964723
+		isc_hmacsha512_sign(&ctx.h512, digest,
964723
+				    ISC_SHA512_DIGESTLENGTH);
964723
+		source.rend = digest + ISC_SHA512_DIGESTLENGTH;
964723
+		break;
964723
+
964723
+	default:
964723
+		return (ISC_R_FAILURE);
964723
+	}
964723
+	target.rstart = digestb64;
964723
+	target.rend = digestb64 + sizeof(digestb64);
964723
+	memset(digestb64, 0, sizeof(digestb64));
964723
 	result = isccc_base64_encode(&source, 64, "", &target);
964723
 	if (result != ISC_R_SUCCESS)
964723
 		return (result);
964723
-	/*
964723
-	 * Strip trailing == and NUL terminate target.
964723
-	 */
964723
-	target.rstart -= 2;
964723
-	*target.rstart++ = '\0';
964723
+
964723
 	/*
964723
 	 * Verify.
964723
 	 */
964723
-	if (!isc_safe_memcmp((unsigned char *) isccc_sexpr_tostring(hmd5),
964723
-			     digestb64, HMD5_LENGTH))
964723
-		return (ISCCC_R_BADAUTH);
964723
+	if (algorithm == ISCCC_ALG_HMACMD5) {
964723
+		unsigned char *value;
964723
+
964723
+		value = (unsigned char *) isccc_sexpr_tostring(hmac);
964723
+		if (memcmp(value, digestb64, HMD5_LENGTH) != 0)
964723
+			return (ISCCC_R_BADAUTH);
964723
+	} else {
964723
+		unsigned char *value;
964723
+		isc_uint32_t valalg;
964723
+
964723
+		value = (unsigned char *) isccc_sexpr_tostring(hmac);
964723
+		GET8(valalg, value);
964723
+		if ((valalg != algorithm) ||
964723
+		    (memcmp(value, digestb64, HSHA_LENGTH) != 0))
964723
+			return (ISCCC_R_BADAUTH);
964723
+	}
964723
 
964723
 	return (ISC_R_SUCCESS);
964723
 }
964723
 
964723
 static isc_result_t
964723
 table_fromwire(isccc_region_t *source, isccc_region_t *secret,
964723
-	       isccc_sexpr_t **alistp);
964723
+	       isc_uint32_t algorithm, isccc_sexpr_t **alistp);
964723
 
964723
 static isc_result_t
964723
 list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
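Review bot: The signature checks at `if (memcmp(value, digestb64, HMD5_LENGTH) != 0)` and `(memcmp(value, digestb64, HSHA_LENGTH) != 0)` compare the received HMAC with the locally computed one using `memcmp`, whereas the removed line shows the old code used `isc_safe_memcmp`; an early-exit compare on an authentication tag reveals through timing how many leading bytes matched, so the constant-time helper should be kept: `if (!isc_safe_memcmp(value, digestb64, HMD5_LENGTH))` and `if ((valalg != algorithm) || !isc_safe_memcmp(value, digestb64, HSHA_LENGTH))`. Separately, `isccc_sexpr_binaryp(hmac)` only establishes the value's type; unless the binary's length is checked elsewhere, `GET8(valalg, value)` followed by an HSHA_LENGTH-byte compare reads 1 + HSHA_LENGTH bytes of a peer-supplied value that may be shorter, so checking the value's length against the expected size before comparing would make verify() robust against malformed `_auth` sections (the MD5 branch carries the same assumption from the old code). verify() starts outside this hunk.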
964723
@@ -352,7 +535,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
964723
 		} else
964723
 			result = ISC_R_NOMEMORY;
964723
 	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
964723
-		result = table_fromwire(&active, NULL, valuep);
964723
+		result = table_fromwire(&active, NULL, 0, valuep);
964723
 	else if (msgtype == ISCCC_CCMSGTYPE_LIST)
964723
 		result = list_fromwire(&active, valuep);
964723
 	else
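Review bot: The bare `0` passed as the new algorithm argument in `result = table_fromwire(&active, NULL, 0, valuep);` is a magic number; cc.h in this same commit defines `ISCCC_ALG_UNKNOWN` as 0, so `result = table_fromwire(&active, NULL, ISCCC_ALG_UNKNOWN, valuep);` would say explicitly that a nested table carries no algorithm because, with a NULL secret, it is presumably never verified. value_fromwire's body starts and ends outside the hunk.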
964723
@@ -363,7 +546,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
964723
 
964723
 static isc_result_t
964723
 table_fromwire(isccc_region_t *source, isccc_region_t *secret,
964723
-	       isccc_sexpr_t **alistp)
964723
+	       isc_uint32_t algorithm, isccc_sexpr_t **alistp)
964723
 {
964723
 	char key[256];
964723
 	isc_uint32_t len;
964723
@@ -405,7 +588,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
964723
 		if (checksum_rstart != NULL)
964723
 			result = verify(alist, checksum_rstart,
964723
 					(source->rend - checksum_rstart),
964723
-					secret);
964723
+					algorithm, secret);
964723
 		else
964723
 			result = ISCCC_R_BADAUTH;
964723
 	} else
964723
@@ -448,7 +631,7 @@ list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp)
964723
 
964723
 isc_result_t
964723
 isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
964723
-		isccc_region_t *secret)
964723
+		  isc_uint32_t algorithm, isccc_region_t *secret)
964723
 {
964723
 	unsigned int size;
964723
 	isc_uint32_t version;
964723
@@ -460,7 +643,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
964723
 	if (version != 1)
964723
 		return (ISCCC_R_UNKNOWNVERSION);
964723
 
964723
-	return (table_fromwire(source, secret, alistp));
964723
+	return (table_fromwire(source, secret, algorithm, alistp));
964723
 }
964723
 
964723
 static isc_result_t
964723
@@ -523,8 +706,8 @@ createmessage(isc_uint32_t version, const char *from, const char *to,
964723
 
964723
 isc_result_t
964723
 isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
964723
-		     isc_uint32_t serial, isccc_time_t now,
964723
-		     isccc_time_t expires, isccc_sexpr_t **alistp)
964723
+		       isc_uint32_t serial, isccc_time_t now,
964723
+		       isccc_time_t expires, isccc_sexpr_t **alistp)
964723
 {
964723
 	return (createmessage(version, from, to, serial, now, expires,
964723
 			      alistp, ISC_TRUE));
964723
@@ -532,7 +715,7 @@ isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
964723
 
964723
 isc_result_t
964723
 isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
964723
-		 isccc_sexpr_t **ackp)
964723
+		   isccc_sexpr_t **ackp)
964723
 {
964723
 	char *_frm, *_to;
964723
 	isc_uint32_t serial;
964723
@@ -610,7 +793,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
964723
 
964723
 isc_result_t
964723
 isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
964723
-		      isccc_time_t expires, isccc_sexpr_t **alistp)
964723
+			isccc_time_t expires, isccc_sexpr_t **alistp)
964723
 {
964723
 	char *_frm, *_to, *type = NULL;
964723
 	isc_uint32_t serial;
964723
@@ -720,7 +903,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
964723
 
964723
 isc_result_t
964723
 isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
964723
-		       isc_uint32_t *uintp)
964723
+		      isc_uint32_t *uintp)
964723
 {
964723
 	isccc_sexpr_t *kv, *v;
964723
 
964723
@@ -798,7 +981,7 @@ has_whitespace(const char *str)
964723
 
964723
 isc_result_t
964723
 isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
964723
-		isccc_time_t now)
964723
+		  isccc_time_t now)
964723
 {
964723
 	const char *_frm;
964723
 	const char *_to;
964723
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
964723
index 79393be..777e675 100644
964723
--- a/lib/isccc/include/isccc/cc.h
964723
+++ b/lib/isccc/include/isccc/cc.h
964723
@@ -41,6 +41,16 @@
964723
 
964723
 ISC_LANG_BEGINDECLS
964723
 
964723
+/*% from lib/dns/include/dst/dst.h */
964723
+
964723
+#define ISCCC_ALG_UNKNOWN	0
964723
+#define ISCCC_ALG_HMACMD5	157
964723
+#define ISCCC_ALG_HMACSHA1	161
964723
+#define ISCCC_ALG_HMACSHA224	162
964723
+#define ISCCC_ALG_HMACSHA256	163
964723
+#define ISCCC_ALG_HMACSHA384	164
964723
+#define ISCCC_ALG_HMACSHA512	165
964723
+
964723
 /*% Maximum Datagram Package */
964723
 #define ISCCC_CC_MAXDGRAMPACKET		4096
964723
 
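Review bot: The new ISCCC_ALG_* constants are copies of values from another library's header, and nothing here says what keeps them in sync or how the value is used on the wire, which matters because cc.c writes it with a single PUT8 into the hsha _auth value. Suggest replacing the one-line comment with `/*% Algorithm numbers mirror the corresponding constants in lib/dns/include/dst/dst.h and must stay in sync with them; cc.c emits the number as a single octet in the hsha _auth value, so values must stay below 256. */`. A short comment next to `ISCCC_ALG_UNKNOWN` saying it is the value callers pass when no algorithm applies would also help.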
964723
@@ -56,23 +66,23 @@ ISC_LANG_BEGINDECLS
964723
 /*% Send to Wire */
964723
 isc_result_t
964723
 isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
964723
-	      isccc_region_t *secret);
964723
+		isc_uint32_t algorithm, isccc_region_t *secret);
964723
 
964723
 /*% Get From Wire */
964723
 isc_result_t
964723
 isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
964723
-		isccc_region_t *secret);
964723
+		  isc_uint32_t algorithm, isccc_region_t *secret);
964723
 
964723
 /*% Create Message */
964723
 isc_result_t
964723
 isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
964723
-		     isc_uint32_t serial, isccc_time_t now,
964723
-		     isccc_time_t expires, isccc_sexpr_t **alistp);
964723
+		       isc_uint32_t serial, isccc_time_t now,
964723
+		       isccc_time_t expires, isccc_sexpr_t **alistp);
964723
 
964723
 /*% Create Acknowledgment */
964723
 isc_result_t
964723
 isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
964723
-		 isccc_sexpr_t **ackp);
964723
+		   isccc_sexpr_t **ackp);
964723
 
964723
 /*% Is Ack? */
964723
 isc_boolean_t
964723
@@ -85,7 +95,7 @@ isccc_cc_isreply(isccc_sexpr_t *message);
964723
 /*% Create Response */
964723
 isc_result_t
964723
 isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
964723
-		      isccc_time_t expires, isccc_sexpr_t **alistp);
964723
+			isccc_time_t expires, isccc_sexpr_t **alistp);
964723
 
964723
 /*% Define String */
964723
 isccc_sexpr_t *
964723
@@ -102,7 +112,7 @@ isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
964723
 /*% Lookup uint 32 */
964723
 isc_result_t
964723
 isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
964723
-		    isc_uint32_t *uintp);
964723
+		      isc_uint32_t *uintp);
964723
 
964723
 /*% Create Symbol Table */
964723
 isc_result_t
964723
@@ -115,7 +125,7 @@ isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
964723
 /*% Check for Duplicates */
964723
 isc_result_t
964723
 isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
964723
-		   isccc_time_t now);
964723
+		  isccc_time_t now);
964723
 
964723
 ISC_LANG_ENDDECLS
964723
 
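Review bot: The `/*% Send to Wire */` and `/*% Get From Wire */` comments do not mention the new `algorithm` parameter on `isccc_cc_towire` and `isccc_cc_fromwire`, so the header gives callers no hint which values are valid or what happens with an unexpected one. Suggest `/*% Send to Wire; algorithm is one of ISCCC_ALG_HMAC* and selects the HMAC placed in the _auth section when secret is non-NULL */` and `/*% Get From Wire; when secret is non-NULL, algorithm must match the HMAC the sender used or verification fails */`. The remaining prototype changes in this hunk are indentation only.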
964723
-- 
2.9.5