[nsd-users] more hmac-sha types for TSIG

David Gwynne david at gwynne.id.au
Wed May 13 08:10:13 UTC 2015


ola,

i recently suffered some pain trying to get nsd to interoperate
with a 7 year old version of bind using very long keys with tsig
for zone transfers, but noted that nsd only supported the mandatory
ciphers.

it seems easy to add more of them though, so this diff adds
hmac-sha224, hmac-sha384, and hmac-sha512.

it may not even work, but throwing it out here for feedback.

note that this is a diff against the openbsd source tree. i can
rejig it against svn if you want.

Index: config.h.in
===================================================================
RCS file: /cvs/src/usr.sbin/nsd/config.h.in,v
retrieving revision 1.17
diff -u -p -r1.17 config.h.in
--- config.h.in	3 Feb 2015 10:40:01 -0000	1.17
+++ config.h.in	6 May 2015 12:30:03 -0000
@@ -85,12 +85,6 @@
 /* Define to 1 if you have the <event.h> header file. */
 #undef HAVE_EVENT_H
 
-/* Define to 1 if you have the `EVP_sha1' function. */
-#undef HAVE_EVP_SHA1
-
-/* Define to 1 if you have the `EVP_sha256' function. */
-#undef HAVE_EVP_SHA256
-
 /* Define to 1 if you have the `ev_default_loop' function. */
 #undef HAVE_EV_DEFAULT_LOOP
 
Index: configure
===================================================================
RCS file: /cvs/src/usr.sbin/nsd/configure,v
retrieving revision 1.21
diff -u -p -r1.21 configure
--- configure	3 Feb 2015 10:40:02 -0000	1.21
+++ configure	6 May 2015 12:30:03 -0000
@@ -8553,18 +8553,6 @@ else
 
 fi
 
-		for ac_func in EVP_sha1 EVP_sha256
-do :
-  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
         fi
 
     fi
Index: configure.ac
===================================================================
RCS file: /cvs/src/usr.sbin/nsd/configure.ac,v
retrieving revision 1.20
diff -u -p -r1.20 configure.ac
--- configure.ac	3 Feb 2015 10:40:02 -0000	1.20
+++ configure.ac	6 May 2015 12:30:03 -0000
@@ -320,7 +320,6 @@ AC_DEFUN([CHECK_SSL], [
             AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
                     AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
                 ])
-		AC_CHECK_FUNCS([EVP_sha1 EVP_sha256])
         fi
         AC_SUBST(HAVE_SSL)
     fi
Index: tsig-openssl.c
===================================================================
RCS file: /cvs/src/usr.sbin/nsd/tsig-openssl.c,v
retrieving revision 1.1.1.6
diff -u -p -r1.1.1.6 tsig-openssl.c
--- tsig-openssl.c	26 Nov 2013 12:50:14 -0000	1.1.1.6
+++ tsig-openssl.c	6 May 2015 12:30:03 -0000
@@ -61,14 +61,19 @@ tsig_openssl_init(region_type *region)
 	int count = 0;
 	OpenSSL_add_all_digests();
 
-	count += tsig_openssl_init_algorithm(region, "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");
-#ifdef HAVE_EVP_SHA1
-	count += tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1", "hmac-sha1.");
-#endif /* HAVE_EVP_SHA1 */
+	count += tsig_openssl_init_algorithm(region,
+	    "md5", "hmac-md5","hmac-md5.sig-alg.reg.int.");
+	count += tsig_openssl_init_algorithm(region,
+	    "sha1", "hmac-sha1", "hmac-sha1.");
+	count += tsig_openssl_init_algorithm(region,
+	    "sha224", "hmac-sha224", "hmac-sha224.");
+	count += tsig_openssl_init_algorithm(region,
+	    "sha256", "hmac-sha256", "hmac-sha256.");
+	count += tsig_openssl_init_algorithm(region,
+	    "sha384", "hmac-sha384", "hmac-sha384.");
+	count += tsig_openssl_init_algorithm(region,
+	    "sha512", "hmac-sha512", "hmac-sha512.");
 
-#ifdef HAVE_EVP_SHA256
-	count += tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256", "hmac-sha256.");
-#endif /* HAVE_EVP_SHA256 */
 	return count;
 }
 
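Review bot: With the HAVE_EVP_SHA1/HAVE_EVP_SHA256 configure guards gone, the only remaining signal that a digest is absent from the linked libcrypto is the value each tsig_openssl_init_algorithm() call adds to `count`, and the hunk discards the per-algorithm result, so a libcrypto built without sha224/sha384/sha512 would register silently fewer algorithms and a key configured with hmac-sha384 would only fail later at transfer time. If the helper returns 0 on an EVP_get_digestbyname() miss (its body, and the start of tsig_openssl_init(), are outside the hunk), a warning naming the algorithm at init time would make that visible to the operator; the nsd logging call used below is constructed to illustrate and should be checked against the file's existing logging style. The six near-identical calls are also a candidate for a table plus loop, which keeps the per-algorithm check in one place; the wire-format names match RFC 4635 and need no change.
```c
	static const struct {
		const char *digest;
		const char *name;
		const char *wireformat;
	} algs[] = {
		{ "md5",    "hmac-md5",    "hmac-md5.sig-alg.reg.int." },
		{ "sha1",   "hmac-sha1",   "hmac-sha1." },
		{ "sha224", "hmac-sha224", "hmac-sha224." },
		{ "sha256", "hmac-sha256", "hmac-sha256." },
		{ "sha384", "hmac-sha384", "hmac-sha384." },
		{ "sha512", "hmac-sha512", "hmac-sha512." },
	};
	size_t i;

	/* … unchanged: count = 0, OpenSSL_add_all_digests() … */
	for (i = 0; i < sizeof(algs) / sizeof(algs[0]); i++) {
		int added = tsig_openssl_init_algorithm(region,
		    algs[i].digest, algs[i].name, algs[i].wireformat);
		if (added == 0) {
			/* digest not provided by the linked libcrypto;
			 * keys naming this algorithm cannot be verified */
			log_msg(LOG_WARNING, "tsig: %s not available in libcrypto",
			    algs[i].name);
		}
		count += added;
	}
	return count;
```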


