From 0cb72000f8c97ed2c3d307a686480380b24c756f Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 11 Aug 2022 12:26:41 +0200
Subject: [PATCH] Avoid using old OpenSSL HMAC functions

---
 src/gnutls/tls-internal.h | 6 ----
 src/gnutls/tls.c | 49 -----------------------------
 src/openssl/tls-internal.h | 8 -----
 src/openssl/tls.c | 64 --------------------------------------
 src/request-internal.c | 38 +++++++++++++++-------
 src/tls.h | 33 --------------------
 6 files changed, 27 insertions(+), 171 deletions(-)

diff --git a/src/gnutls/tls-internal.h b/src/gnutls/tls-internal.h
index bfc563ef..3d8b389c 100644
--- a/src/gnutls/tls-internal.h
+++ b/src/gnutls/tls-internal.h
@@ -94,10 +94,4 @@ typedef struct _getdns_tls_x509
 gnutls_datum_t tls;
 } _getdns_tls_x509;
 
-typedef struct _getdns_tls_hmac
-{
- gnutls_hmac_hd_t tls;
- unsigned int md_len;
-} _getdns_tls_hmac;
-
 #endif /* _GETDNS_TLS_INTERNAL_H */
diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index b5280155..d1f6fff8 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
@@ -869,55 +869,6 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
 return res;
 }
 
-_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
-{
- gnutls_mac_algorithm_t alg;
- _getdns_tls_hmac* res;
-
- if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD)
- return NULL;
-
- if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
- return NULL;
-
- if (gnutls_hmac_init(&res->tls, alg, key, key_size) < 0) {
- GETDNS_FREE(*mfs, res);
- return NULL;
- }
- res->md_len = gnutls_hmac_get_len(alg);
- return res;
-}
-
-getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
-{
- if (!h || !h->tls || !data)
- return GETDNS_RETURN_INVALID_PARAMETER;
-
- if (gnutls_hmac(h->tls, data, data_size) < 0)
- return GETDNS_RETURN_GENERIC_ERROR;
- else
- return GETDNS_RETURN_GOOD;
-}
-
-unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
-{
- unsigned char* res;
-
- if (!h || !h->tls)
- return NULL;
-
- res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, h->md_len);
- if (!res)
- return NULL;
-
- gnutls_hmac_deinit(h->tls, res);
- if (output_size)
- *output_size = h->md_len;
-
- GETDNS_FREE(*mfs, h);
- return res;
-}
-
 void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 {
 gnutls_hash_fast(GNUTLS_DIG_SHA1, data, data_size, buf);
diff --git a/src/openssl/tls-internal.h b/src/openssl/tls-internal.h
index fc3d48e5..53584e3f 100644
--- a/src/openssl/tls-internal.h
+++ b/src/openssl/tls-internal.h
@@ -81,12 +81,4 @@ typedef struct _getdns_tls_x509
 X509* ssl;
 } _getdns_tls_x509;
 
-typedef struct _getdns_tls_hmac
-{
- HMAC_CTX *ctx;
-#ifndef HAVE_HMAC_CTX_NEW
- HMAC_CTX ctx_space;
-#endif
-} _getdns_tls_hmac;
-
 #endif /* _GETDNS_TLS_INTERNAL_H */
diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 12384eed..ffabb201 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -1197,70 +1197,6 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
 return res;
 }
 
-_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
-{
- const EVP_MD *digester = get_digester(algorithm);
- _getdns_tls_hmac* res;
-
- if (!digester)
- return NULL;
-
- if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
- return NULL;
-
-#ifdef HAVE_HMAC_CTX_NEW
- res->ctx = HMAC_CTX_new();
- if (!res->ctx) {
- GETDNS_FREE(*mfs, res);
- return NULL;
- }
-#else
- res->ctx = &res->ctx_space;
- HMAC_CTX_init(res->ctx);
-#endif
- if (!HMAC_Init_ex(res->ctx, key, key_size, digester, NULL)) {
-#ifdef HAVE_HMAC_CTX_NEW
- HMAC_CTX_free(res->ctx);
-#endif
- GETDNS_FREE(*mfs, res);
- return NULL;
- }
-
- return res;
-}
-
-getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
-{
- if (!h || !h->ctx || !data)
- return GETDNS_RETURN_INVALID_PARAMETER;
-
- if (!HMAC_Update(h->ctx, data, data_size))
- return GETDNS_RETURN_GENERIC_ERROR;
- else
- return GETDNS_RETURN_GOOD;
-}
-
-unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
-{
- unsigned char* res;
- unsigned int md_len;
-
- res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH);
- if (!res)
- return NULL;
-
- (void) HMAC_Final(h->ctx, res, &md_len);
-
-#ifdef HAVE_HMAC_CTX_NEW
- HMAC_CTX_free(h->ctx);
-#endif
- GETDNS_FREE(*mfs, h);
-
- if (output_size)
- *output_size = md_len;
- return res;
-}
-
 void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 {
 SHA1(data, data_size, buf);
diff --git a/src/request-internal.c b/src/request-internal.c
index 52157e0b..4fba325e 100644
--- a/src/request-internal.c
+++ b/src/request-internal.c
@@ -500,7 +500,9 @@ _getdns_network_validate_tsig(getdns_network_req *req) unsigned char *result_mac; size_t result_mac_len; uint16_t original_id; - _getdns_tls_hmac *hmac; + size_t data_size; + uint8_t *data; + DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNC__); for ( rr = _getdns_rr_iter_init(&rr_spc, req->query, 
@@ -607,19 +609,33 @@ _getdns_network_validate_tsig(getdns_network_req *req)
 gldns_read_uint16(req->response + 10) - 1);
 gldns_write_uint16(req->response, original_id);
 
- hmac = _getdns_tls_hmac_new(&req->owner->my_mf, req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
- if (!hmac)
+ data_size = request_mac_len + 2
+ + (size_t)(rr->pos - req->response)
+ + gldns_buffer_position(&gbuf);
+ data = GETDNS_XMALLOC(req->owner->my_mf, uint8_t, data_size);
+ if (!data) {
+ DEBUG_STUB("%s %-35s: Error allocating %d bytes\n",
+ STUB_DEBUG_TSIG, __FUNC__, (int)(data_size));
 return;
+ }
+ memcpy(data , request_mac - 2 , request_mac_len + 2);
+ memcpy(data + request_mac_len + 2, req->response, rr->pos - req->response);
+ memcpy(data + request_mac_len + 2 + (size_t)(rr->pos - req->response)
+ , tsig_vars, gldns_buffer_position(&gbuf));
 
- _getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2);
- _getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response);
- _getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf));
- result_mac = _getdns_tls_hmac_end(&req->owner->my_mf, hmac, &result_mac_len);
- if (!result_mac)
+ result_mac = _getdns_tls_hmac_hash(&req->owner->my_mf
+ , req->upstream->tsig_alg
+ , req->upstream->tsig_key
+ , req->upstream->tsig_size
+ , data, data_size , &result_mac_len);
+ GETDNS_FREE(req->owner->my_mf, data);
+ if (!result_mac) {
+ DEBUG_STUB("%s %-35s: Error calculating TSIG digest\n",
+ STUB_DEBUG_TSIG, __FUNC__);
 return;
-
- DEBUG_STUB("%s %-35s: Result MAC length: %d\n",
- STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len));
+ }
+ DEBUG_STUB("%s %-35s: Result MAC length: %d for %d bytes of data\n",
+ STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len), (int)data_size);
 if (result_mac_len == response_mac_len &&
 memcmp(result_mac, response_mac, result_mac_len) == 0)
 req->tsig_status = GETDNS_DNSSEC_SECURE;
diff --git a/src/tls.h b/src/tls.h
index a9be6a16..567d5137 100644
--- a/src/tls.h
+++ b/src/tls.h
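Review bot: The three `memcpy` calls that fill `data` after the `!data` check each recompute their destination offset by hand from the same terms that built `data_size`, so if one of them is later edited without the others the result is a heap overflow in the exact buffer that is then handed to the TSIG HMAC; writing through one running pointer derives every offset in a single place and makes it visible that the copies fill precisely `data_size` bytes. The second `memcpy` also passes the `ptrdiff_t` `rr->pos - req->response` unconverted while the same quantity is cast to `size_t` in `data_size` and in the third `memcpy`; the running-pointer form removes that inconsistency (the file declares at block top, so `uint8_t *p;` would go next to `data` in the declaration hunk above). The new failure paths (`!data`, `!result_mac`) return with `req->tsig_status` untouched, as the old `if (!hmac) return;` did; that is only safe if a failure status was already stored earlier in the function, which is outside this hunk, so a comment such as `/* tsig_status keeps its earlier (failed) value */` at those returns would record the assumption. `_getdns_network_validate_tsig` starts before this hunk and, together with whatever releases `result_mac`, continues after it.
```c
	data = GETDNS_XMALLOC(req->owner->my_mf, uint8_t, data_size);
	/* … unchanged: allocation failure path … */
	p = data;
	memcpy(p, request_mac - 2, request_mac_len + 2);
	p += request_mac_len + 2;
	memcpy(p, req->response, (size_t)(rr->pos - req->response));
	p += (size_t)(rr->pos - req->response);
	memcpy(p, tsig_vars, gldns_buffer_position(&gbuf));
	/* … unchanged: _getdns_tls_hmac_hash call, free of data, comparison … */
```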
@@ -408,39 +408,6 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 */
 unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
 
-/**
- * Return a new HMAC handle.
- *
- * @param mfs pointer to getdns memory functions.
- * @param algorithm hash algorithm to use (GETDNS_HMAC_?).
- * @param key the key.
- * @param key_size the key size.
- * @return HMAC handle or NULL on error.
- */
-_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size);
-
-/**
- * Add data to a HMAC.
- *
- * @param h the HMAC.
- * @param data the data to add.
- * @param data_size the size of data to add.
- * @return GETDNS_RETURN_GOOD if added.
- * @return GETDNS_RETURN_INVALID_PARAMETER if h is null or has no HMAC.
- * @return GETDNS_RETURN_GENERIC_ERROR on error.
- */
-getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size);
-
-/**
- * Return the HMAC digest and free the handle.
- *
- * @param mfs pointer to getdns memory functions.
- * @param h the HMAC.
- * @param output_size the output size will be written here if not NULL.
- * @return output malloc'd buffer with output, NULL on error.
- */
-unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size);
-
 /**
 * Calculate a SHA1 hash.
 *