Avoid using old OpenSSL HMAC functions
This commit is contained in:
parent
1748ca4c29
commit
0cb72000f8
|
@ -94,10 +94,4 @@ typedef struct _getdns_tls_x509
|
||||||
gnutls_datum_t tls;
|
gnutls_datum_t tls;
|
||||||
} _getdns_tls_x509;
|
} _getdns_tls_x509;
|
||||||
|
|
||||||
typedef struct _getdns_tls_hmac
|
|
||||||
{
|
|
||||||
gnutls_hmac_hd_t tls;
|
|
||||||
unsigned int md_len;
|
|
||||||
} _getdns_tls_hmac;
|
|
||||||
|
|
||||||
#endif /* _GETDNS_TLS_INTERNAL_H */
|
#endif /* _GETDNS_TLS_INTERNAL_H */
|
||||||
|
|
|
@ -869,55 +869,6 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
|
|
||||||
{
|
|
||||||
gnutls_mac_algorithm_t alg;
|
|
||||||
_getdns_tls_hmac* res;
|
|
||||||
|
|
||||||
if (get_gnu_mac_algorithm(algorithm, &alg) != GETDNS_RETURN_GOOD)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
if (gnutls_hmac_init(&res->tls, alg, key, key_size) < 0) {
|
|
||||||
GETDNS_FREE(*mfs, res);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
res->md_len = gnutls_hmac_get_len(alg);
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
|
|
||||||
{
|
|
||||||
if (!h || !h->tls || !data)
|
|
||||||
return GETDNS_RETURN_INVALID_PARAMETER;
|
|
||||||
|
|
||||||
if (gnutls_hmac(h->tls, data, data_size) < 0)
|
|
||||||
return GETDNS_RETURN_GENERIC_ERROR;
|
|
||||||
else
|
|
||||||
return GETDNS_RETURN_GOOD;
|
|
||||||
}
|
|
||||||
|
|
||||||
unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
|
|
||||||
{
|
|
||||||
unsigned char* res;
|
|
||||||
|
|
||||||
if (!h || !h->tls)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, h->md_len);
|
|
||||||
if (!res)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
gnutls_hmac_deinit(h->tls, res);
|
|
||||||
if (output_size)
|
|
||||||
*output_size = h->md_len;
|
|
||||||
|
|
||||||
GETDNS_FREE(*mfs, h);
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
|
void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
|
||||||
{
|
{
|
||||||
gnutls_hash_fast(GNUTLS_DIG_SHA1, data, data_size, buf);
|
gnutls_hash_fast(GNUTLS_DIG_SHA1, data, data_size, buf);
|
||||||
|
|
|
@ -81,12 +81,4 @@ typedef struct _getdns_tls_x509
|
||||||
X509* ssl;
|
X509* ssl;
|
||||||
} _getdns_tls_x509;
|
} _getdns_tls_x509;
|
||||||
|
|
||||||
typedef struct _getdns_tls_hmac
|
|
||||||
{
|
|
||||||
HMAC_CTX *ctx;
|
|
||||||
#ifndef HAVE_HMAC_CTX_NEW
|
|
||||||
HMAC_CTX ctx_space;
|
|
||||||
#endif
|
|
||||||
} _getdns_tls_hmac;
|
|
||||||
|
|
||||||
#endif /* _GETDNS_TLS_INTERNAL_H */
|
#endif /* _GETDNS_TLS_INTERNAL_H */
|
||||||
|
|
|
@ -1197,70 +1197,6 @@ unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const
|
||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size)
|
|
||||||
{
|
|
||||||
const EVP_MD *digester = get_digester(algorithm);
|
|
||||||
_getdns_tls_hmac* res;
|
|
||||||
|
|
||||||
if (!digester)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
if (!(res = GETDNS_MALLOC(*mfs, struct _getdns_tls_hmac)))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
#ifdef HAVE_HMAC_CTX_NEW
|
|
||||||
res->ctx = HMAC_CTX_new();
|
|
||||||
if (!res->ctx) {
|
|
||||||
GETDNS_FREE(*mfs, res);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
res->ctx = &res->ctx_space;
|
|
||||||
HMAC_CTX_init(res->ctx);
|
|
||||||
#endif
|
|
||||||
if (!HMAC_Init_ex(res->ctx, key, key_size, digester, NULL)) {
|
|
||||||
#ifdef HAVE_HMAC_CTX_NEW
|
|
||||||
HMAC_CTX_free(res->ctx);
|
|
||||||
#endif
|
|
||||||
GETDNS_FREE(*mfs, res);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size)
|
|
||||||
{
|
|
||||||
if (!h || !h->ctx || !data)
|
|
||||||
return GETDNS_RETURN_INVALID_PARAMETER;
|
|
||||||
|
|
||||||
if (!HMAC_Update(h->ctx, data, data_size))
|
|
||||||
return GETDNS_RETURN_GENERIC_ERROR;
|
|
||||||
else
|
|
||||||
return GETDNS_RETURN_GOOD;
|
|
||||||
}
|
|
||||||
|
|
||||||
unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size)
|
|
||||||
{
|
|
||||||
unsigned char* res;
|
|
||||||
unsigned int md_len;
|
|
||||||
|
|
||||||
res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH);
|
|
||||||
if (!res)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
(void) HMAC_Final(h->ctx, res, &md_len);
|
|
||||||
|
|
||||||
#ifdef HAVE_HMAC_CTX_NEW
|
|
||||||
HMAC_CTX_free(h->ctx);
|
|
||||||
#endif
|
|
||||||
GETDNS_FREE(*mfs, h);
|
|
||||||
|
|
||||||
if (output_size)
|
|
||||||
*output_size = md_len;
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
|
void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
|
||||||
{
|
{
|
||||||
SHA1(data, data_size, buf);
|
SHA1(data, data_size, buf);
|
||||||
|
|
|
@ -500,7 +500,9 @@ _getdns_network_validate_tsig(getdns_network_req *req)
|
||||||
unsigned char *result_mac;
|
unsigned char *result_mac;
|
||||||
size_t result_mac_len;
|
size_t result_mac_len;
|
||||||
uint16_t original_id;
|
uint16_t original_id;
|
||||||
_getdns_tls_hmac *hmac;
|
size_t data_size;
|
||||||
|
uint8_t *data;
|
||||||
|
|
||||||
|
|
||||||
DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNC__);
|
DEBUG_STUB("%s %-35s: Validate TSIG\n", STUB_DEBUG_TSIG, __FUNC__);
|
||||||
for ( rr = _getdns_rr_iter_init(&rr_spc, req->query,
|
for ( rr = _getdns_rr_iter_init(&rr_spc, req->query,
|
||||||
|
@ -607,19 +609,33 @@ _getdns_network_validate_tsig(getdns_network_req *req)
|
||||||
gldns_read_uint16(req->response + 10) - 1);
|
gldns_read_uint16(req->response + 10) - 1);
|
||||||
gldns_write_uint16(req->response, original_id);
|
gldns_write_uint16(req->response, original_id);
|
||||||
|
|
||||||
hmac = _getdns_tls_hmac_new(&req->owner->my_mf, req->upstream->tsig_alg, req->upstream->tsig_key, req->upstream->tsig_size);
|
data_size = request_mac_len + 2
|
||||||
if (!hmac)
|
+ (size_t)(rr->pos - req->response)
|
||||||
|
+ gldns_buffer_position(&gbuf);
|
||||||
|
data = GETDNS_XMALLOC(req->owner->my_mf, uint8_t, data_size);
|
||||||
|
if (!data) {
|
||||||
|
DEBUG_STUB("%s %-35s: Error allocating %d bytes\n",
|
||||||
|
STUB_DEBUG_TSIG, __FUNC__, (int)(data_size));
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
memcpy(data , request_mac - 2 , request_mac_len + 2);
|
||||||
|
memcpy(data + request_mac_len + 2, req->response, rr->pos - req->response);
|
||||||
|
memcpy(data + request_mac_len + 2 + (size_t)(rr->pos - req->response)
|
||||||
|
, tsig_vars, gldns_buffer_position(&gbuf));
|
||||||
|
|
||||||
_getdns_tls_hmac_add(hmac, request_mac - 2, request_mac_len + 2);
|
result_mac = _getdns_tls_hmac_hash(&req->owner->my_mf
|
||||||
_getdns_tls_hmac_add(hmac, req->response, rr->pos - req->response);
|
, req->upstream->tsig_alg
|
||||||
_getdns_tls_hmac_add(hmac, tsig_vars, gldns_buffer_position(&gbuf));
|
, req->upstream->tsig_key
|
||||||
result_mac = _getdns_tls_hmac_end(&req->owner->my_mf, hmac, &result_mac_len);
|
, req->upstream->tsig_size
|
||||||
if (!result_mac)
|
, data, data_size , &result_mac_len);
|
||||||
|
GETDNS_FREE(req->owner->my_mf, data);
|
||||||
|
if (!result_mac) {
|
||||||
|
DEBUG_STUB("%s %-35s: Error calculating TSIG digest\n",
|
||||||
|
STUB_DEBUG_TSIG, __FUNC__);
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
DEBUG_STUB("%s %-35s: Result MAC length: %d\n",
|
DEBUG_STUB("%s %-35s: Result MAC length: %d for %d bytes of data\n",
|
||||||
STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len));
|
STUB_DEBUG_TSIG, __FUNC__, (int)(result_mac_len), (int)data_size);
|
||||||
if (result_mac_len == response_mac_len &&
|
if (result_mac_len == response_mac_len &&
|
||||||
memcmp(result_mac, response_mac, result_mac_len) == 0)
|
memcmp(result_mac, response_mac, result_mac_len) == 0)
|
||||||
req->tsig_status = GETDNS_DNSSEC_SECURE;
|
req->tsig_status = GETDNS_DNSSEC_SECURE;
|
||||||
|
|
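Review bot: The comparison that consumes the new `result_mac` still uses `memcmp`, so verification time depends on how many leading bytes of the computed MAC match the `response_mac` taken from the received message (parsed outside the hunk); now that the digest is produced by a single `_getdns_tls_hmac_hash` call, this is the place to switch to a constant-time comparison, for example a fixed-length loop that ORs the byte-wise differences into an accumulator and checks it once after the loop. The `return;` on the allocation-failure path leaves `req->tsig_status` untouched, which is presumably safe only if the field is initialised to a non-secure value before this point — confirm, since `_getdns_network_validate_tsig` starts and ends outside the hunk. Minor: `(size_t)(rr->pos - req->response)` is cast when computing `data_size` and in the third `memcpy` but passed uncast to the second `memcpy`; `memcpy(data + request_mac_len + 2, req->response, (size_t)(rr->pos - req->response));` keeps the three reads consistent.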
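--- a/src/tls.h
+++ b/src/tls.h
@@ -408,39 +408,6 @@ getdns_return_t _getdns_tls_get_api_information(getdns_dict* dict);
 */
 unsigned char* _getdns_tls_hmac_hash(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size, const void* data, size_t data_size, size_t* output_size);
 
-/**
-* Return a new HMAC handle.
-*
-* @param mfs pointer to getdns memory functions.
-* @param algorithm hash algorithm to use (<code>GETDNS_HMAC_?</code>).
-* @param key the key.
-* @param key_size the key size.
-* @return HMAC handle or NULL on error.
-*/
-_getdns_tls_hmac* _getdns_tls_hmac_new(struct mem_funcs* mfs, int algorithm, const void* key, size_t key_size);
-
-/**
-* Add data to a HMAC.
-*
-* @param h the HMAC.
-* @param data the data to add.
-* @param data_size the size of data to add.
-* @return GETDNS_RETURN_GOOD if added.
-* @return GETDNS_RETURN_INVALID_PARAMETER if h is null or has no HMAC.
-* @return GETDNS_RETURN_GENERIC_ERROR on error.
-*/
-getdns_return_t _getdns_tls_hmac_add(_getdns_tls_hmac* h, const void* data, size_t data_size);
-
-/**
-* Return the HMAC digest and free the handle.
-*
-* @param mfs pointer to getdns memory functions.
-* @param h the HMAC.
-* @param output_size the output size will be written here if not NULL.
-* @return output malloc'd buffer with output, NULL on error.
-*/
-unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h, size_t* output_size);
-
 /**
 * Calculate a SHA1 hash.
 *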