[nsd-users] more hmac-sha types for TSIG

Wouter Wijngaards wouter at nlnetlabs.nl
Thu May 14 10:37:03 UTC 2015


Hi David,

On 05/13/2015 10:10 AM, David Gwynne wrote:
> ola,
> 
> i recently suffered some pain trying to get nsd to interoperate 
> with a 7 year old version of bind using very long keys with tsig 
> for zone transfers, but noted that nsd only supported the
> mandatory ciphers.
> 
> it seems easy to add more of them though, so this diff adds 
> hmac-sha224, hmac-sha384, and hmac-sha512.

Thank you, I have committed this for future releases.

Best regards,
   Wouter

> 
> it may not even work, but throwing it out here for feedback.
> 
> note that this is a diff against the openbsd source tree. i can 
> rejig it against svn if you want.
> 
> Index: config.h.in 
> ===================================================================
>
> 
RCS file: /cvs/src/usr.sbin/nsd/config.h.in,v
> retrieving revision 1.17 diff -u -p -r1.17 config.h.in ---
> config.h.in	3 Feb 2015 10:40:01 -0000	1.17 +++ config.h.in	6 May
> 2015 12:30:03 -0000 @@ -85,12 +85,6 @@ /* Define to 1 if you have
> the <event.h> header file. */ #undef HAVE_EVENT_H
> 
> -/* Define to 1 if you have the `EVP_sha1' function. */ -#undef
> HAVE_EVP_SHA1 - -/* Define to 1 if you have the `EVP_sha256'
> function. */ -#undef HAVE_EVP_SHA256 - /* Define to 1 if you have
> the `ev_default_loop' function. */ #undef HAVE_EV_DEFAULT_LOOP
> 
> Index: configure 
> ===================================================================
>
> 
RCS file: /cvs/src/usr.sbin/nsd/configure,v
> retrieving revision 1.21 diff -u -p -r1.21 configure --- configure
> 3 Feb 2015 10:40:02 -0000	1.21 +++ configure	6 May 2015 12:30:03
> -0000 @@ -8553,18 +8553,6 @@ else
> 
> fi
> 
> -		for ac_func in EVP_sha1 EVP_sha256 -do : -  as_ac_var=`$as_echo
> "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO"
> "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes";
> then : -  cat >>confdefs.h <<_ACEOF -#define `$as_echo
> "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - fi
> 
> fi Index: configure.ac 
> ===================================================================
>
> 
RCS file: /cvs/src/usr.sbin/nsd/configure.ac,v
> retrieving revision 1.20 diff -u -p -r1.20 configure.ac ---
> configure.ac	3 Feb 2015 10:40:02 -0000	1.20 +++ configure.ac	6 May
> 2015 12:30:03 -0000 @@ -320,7 +320,6 @@ AC_DEFUN([CHECK_SSL], [ 
> AC_CHECK_LIB(crypto, HMAC_CTX_init,, [ AC_MSG_ERROR([OpenSSL found
> in $ssldir, but version 0.9.7 or higher is required]) ]) -
> AC_CHECK_FUNCS([EVP_sha1 EVP_sha256]) fi AC_SUBST(HAVE_SSL) fi 
> Index: tsig-openssl.c 
> ===================================================================
>
> 
RCS file: /cvs/src/usr.sbin/nsd/tsig-openssl.c,v
> retrieving revision 1.1.1.6 diff -u -p -r1.1.1.6 tsig-openssl.c ---
> tsig-openssl.c	26 Nov 2013 12:50:14 -0000	1.1.1.6 +++
> tsig-openssl.c	6 May 2015 12:30:03 -0000 @@ -61,14 +61,19 @@
> tsig_openssl_init(region_type *region) int count = 0; 
> OpenSSL_add_all_digests();
> 
> -	count += tsig_openssl_init_algorithm(region, "md5",
> "hmac-md5","hmac-md5.sig-alg.reg.int."); -#ifdef HAVE_EVP_SHA1 -
> count += tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1",
> "hmac-sha1."); -#endif /* HAVE_EVP_SHA1 */ +	count +=
> tsig_openssl_init_algorithm(region, +	    "md5",
> "hmac-md5","hmac-md5.sig-alg.reg.int."); +	count +=
> tsig_openssl_init_algorithm(region, +	    "sha1", "hmac-sha1",
> "hmac-sha1."); +	count += tsig_openssl_init_algorithm(region, +
> "sha224", "hmac-sha224", "hmac-sha224."); +	count +=
> tsig_openssl_init_algorithm(region, +	    "sha256", "hmac-sha256",
> "hmac-sha256."); +	count += tsig_openssl_init_algorithm(region, +
> "sha384", "hmac-sha384", "hmac-sha384."); +	count +=
> tsig_openssl_init_algorithm(region, +	    "sha512", "hmac-sha512",
> "hmac-sha512.");
> 
> -#ifdef HAVE_EVP_SHA256 -	count +=
> tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256",
> "hmac-sha256."); -#endif /* HAVE_EVP_SHA256 */ return count; }
> 
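Review bot: In the tsig-openssl.c hunk, all six tsig_openssl_init_algorithm() calls are now unconditional, so whether "sha224", "sha384" and "sha512" exist is no longer settled at build time and is left to the crypto library at startup. The hunk only shows each return value being added to count; please confirm that a digest name the library does not provide makes the call return 0 and log which algorithm was skipped, rather than abort, so an operator who configures hmac-sha512 against an old library gets a clear message instead of a silent TSIG failure. The diff touches only config.h.in, configure, configure.ac and tsig-openssl.c; wherever the accepted TSIG algorithm names are documented should gain the three new names. Minor style point: the md5 line still has "hmac-md5","hmac-md5.sig-alg.reg.int." with no space after the comma, unlike the new lines.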
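Review bot: In the configure.ac hunk, removing AC_CHECK_FUNCS([EVP_sha1 EVP_sha256]) leaves the HMAC_CTX_init check, with its "version 0.9.7 or higher is required" message, as the only OpenSSL gate, while tsig-openssl.c now registers the SHA-2 digests without guards. Either update that message or add a comment stating which library version the full algorithm list needs, or keep a configure-time check that reports which digests are missing. The configure and config.h.in hunks should come from regenerating with autoconf and autoheader rather than from hand edits, so they stay consistent with configure.ac.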