Merge branch 'tsig_default_sha256' into 'master'

utils: tsig argument: if alg unspecified, using sha256

Closes #514

See merge request !698

doc/man/kdig.1in

@@ -112,7 +112,7 @@ and type is set automatically.
 .TP
 \fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
 Use the TSIG key named \fIname\fP to authenticate the request. The \fIalg\fP
-part specifies the algorithm (the default is hmac\-md5) and \fIkey\fP specifies
+part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
 the shared secret encoded in Base64.
 .TP
 \fB\-E\fP \fItapfile\fP
@@ -227,10 +227,10 @@ Set EDNS buffer size in bytes (default is 512 bytes).
 .TP
 \fB+\fP[\fBno\fP]\fBpadding\fP[=\fIB\fP]
 Use EDNS(0) padding option to pad queries, optionally to a specific
-size.  The default is to pad queries with a sensible amount when using
+size. The default is to pad queries with a sensible amount when using
 +tls, and not to pad at all when queries are sent without TLS.  With
 no argument (i.e., just +padding) pad every query with a sensible
-amount regardless of the use of TLS.  With +nopadding, never pad.
+amount regardless of the use of TLS. With +nopadding, never pad.
 .TP
 \fB+\fP[\fBno\fP]\fBalignment\fP[=\fIB\fP]
 Align the query to B\-byte\-block message using the EDNS(0) padding option

doc/man/knsupdate.1in

@@ -75,7 +75,7 @@ Print the program version.
 .TP
 \fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
 Use the TSIG key with a name \fIname\fP to authenticate the request. The \fIalg\fP
-part specifies the algorithm (the default is hmac\-md5) and \fIkey\fP specifies
+part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
 the shared secret encoded in Base64.
 .UNINDENT
 .SS Commands

doc/man_kdig.rst

@@ -89,7 +89,7 @@ Options
 
 **-y** [*alg*:]\ *name*:*key*
   Use the TSIG key named *name* to authenticate the request. The *alg*
-  part specifies the algorithm (the default is hmac-md5) and *key* specifies
+  part specifies the algorithm (the default is hmac-sha256) and *key* specifies
   the shared secret encoded in Base64.
 
 **-E** *tapfile*

doc/man_knsupdate.rst

@@ -52,7 +52,7 @@ Options
 
 **-y** [*alg*:]\ *name*:*key*
   Use the TSIG key with a name *name* to authenticate the request. The *alg*
-  part specifies the algorithm (the default is hmac-md5) and *key* specifies
+  part specifies the algorithm (the default is hmac-sha256) and *key* specifies
   the shared secret encoded in Base64.
 
 Commands

src/libknot/tsig.c

@@ -47,7 +47,7 @@ int knot_tsig_key_init(knot_tsig_key_t *key, const char *algorithm_name,
 		return KNOT_EINVAL;
 	}
 
-	dnssec_tsig_algorithm_t algorithm = DNSSEC_TSIG_HMAC_MD5;
+	dnssec_tsig_algorithm_t algorithm = DNSSEC_TSIG_HMAC_SHA256;
 	if (algorithm_name != NULL) {
 		algorithm = dnssec_tsig_algorithm_from_name(algorithm_name);
 		if (algorithm == DNSSEC_TSIG_UNKNOWN) {

tests/libknot/test_tsig.c

@@ -94,7 +94,7 @@ int main(int argc, char *argv[])
 	test_init("invalid HMAC", NULL, "hmac-sha11", "name", "Wg==");
 	{
 		static const knot_tsig_key_t key = {
-			.algorithm = DNSSEC_TSIG_HMAC_MD5,
+			.algorithm = DNSSEC_TSIG_HMAC_SHA256,
 			.name = (uint8_t *)"\x3""key""\x4""name",
 			.secret.size = 1,
 			.secret.data = (uint8_t *)"\x5a"
@@ -118,7 +118,7 @@ int main(int argc, char *argv[])
 	test_init_str("invalid HMAC", NULL, "hmac-sha51299:key:Wg==");
 	{
 		static const knot_tsig_key_t key = {
-			.algorithm = DNSSEC_TSIG_HMAC_MD5,
+			.algorithm = DNSSEC_TSIG_HMAC_SHA256,
 			.name = (uint8_t *)"\x4""tsig""\x3""key",
 			.secret.size = 9,
 			.secret.data = (uint8_t *)"bananakey"