From ea648e70a989cca190cd7403fe892fd2dcc290b4 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 5 May 2024 20:37:14 +0200
Subject: Adding upstream version 1:9.11.5.P4+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 bin/tools/isc-hmac-fixup.docbook | 102 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 bin/tools/isc-hmac-fixup.docbook

(limited to 'bin/tools/isc-hmac-fixup.docbook')

diff --git a/bin/tools/isc-hmac-fixup.docbook b/bin/tools/isc-hmac-fixup.docbook
new file mode 100644
index 0000000..ecf32f3
--- /dev/null
+++ b/bin/tools/isc-hmac-fixup.docbook
@@ -0,0 +1,102 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.isc-hmac-fixup">
+  <info>
+    <date>2013-04-28</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>isc-hmac-fixup</application></refname>
+    <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2010</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>isc-hmac-fixup</command>
+      <arg choice="req" rep="norepeat"><replaceable class="parameter">algorithm</replaceable></arg>
+      <arg choice="req" rep="norepeat"><replaceable class="parameter">secret</replaceable></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+      HMAC-SHA* TSIG keys which were longer than the digest length of the
+      hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+      longer than 256 bits, etc) to be used incorrectly, generating a
+      message authentication code that was incompatible with other DNS
+      implementations.
+    </para>
+    <para>
+      This bug was fixed in BIND 9.7.  However, the fix may
+      cause incompatibility between older and newer versions of
+      BIND, when using long keys.  <command>isc-hmac-fixup</command>
+      modifies those keys to restore compatibility.
+    </para>
+    <para>
+      To modify a key, run <command>isc-hmac-fixup</command> and
+      specify the key's algorithm and secret on the command line.  If the
+      secret is longer than the digest length of the algorithm (64 bytes
+      for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+      new secret will be generated consisting of a hash digest of the old
+      secret.  (If the secret did not require conversion, then it will be
+      printed without modification.)
+    </para>
+  </refsection>
+
+  <refsection><info><title>SECURITY CONSIDERATIONS</title></info>
+
+    <para>
+      Secrets that have been converted by <command>isc-hmac-fixup</command>
+      are shortened, but as this is how the HMAC protocol works in
+      operation anyway, it does not affect security.  RFC 2104 notes,
+      "Keys longer than [the digest length] are acceptable but the
+      extra length would not significantly increase the function
+      strength."
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para>
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 2104</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>
-- 
cgit v1.2.3