[nsd-users] more hmac-sha types for TSIG
Wouter Wijngaards
wouter at nlnetlabs.nl
Thu May 14 10:37:03 UTC 2015
Hi David,
On 05/13/2015 10:10 AM, David Gwynne wrote:
> ola,
>
> i recently suffered some pain trying to get nsd to interoperate
> with a 7 year old version of bind using very long keys with tsig
> for zone transfers, but noted that nsd only supported the
> mandatory ciphers.
>
> it seems easy to add more of them though, so this diff adds
> hmac-sha224, hmac-sha384, and hmac-sha512.
Thank you, I have committed this for future releases.
Best regards,
Wouter
>
> it may not even work, but throwing it out here for feedback.
>
> note that this is a diff against the openbsd source tree. i can
> rejig it against svn if you want.
>
> Index: config.h.in
> ===================================================================
>
>
RCS file: /cvs/src/usr.sbin/nsd/config.h.in,v
> retrieving revision 1.17 diff -u -p -r1.17 config.h.in ---
> config.h.in 3 Feb 2015 10:40:01 -0000 1.17 +++ config.h.in 6 May
> 2015 12:30:03 -0000 @@ -85,12 +85,6 @@ /* Define to 1 if you have
> the <event.h> header file. */ #undef HAVE_EVENT_H
>
> -/* Define to 1 if you have the `EVP_sha1' function. */ -#undef
> HAVE_EVP_SHA1 - -/* Define to 1 if you have the `EVP_sha256'
> function. */ -#undef HAVE_EVP_SHA256 - /* Define to 1 if you have
> the `ev_default_loop' function. */ #undef HAVE_EV_DEFAULT_LOOP
>
> Index: configure
> ===================================================================
>
>
RCS file: /cvs/src/usr.sbin/nsd/configure,v
> retrieving revision 1.21 diff -u -p -r1.21 configure --- configure
> 3 Feb 2015 10:40:02 -0000 1.21 +++ configure 6 May 2015 12:30:03
> -0000 @@ -8553,18 +8553,6 @@ else
>
> fi
>
> - for ac_func in EVP_sha1 EVP_sha256 -do : - as_ac_var=`$as_echo
> "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO"
> "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes";
> then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo
> "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - fi
>
> fi Index: configure.ac
> ===================================================================
>
>
RCS file: /cvs/src/usr.sbin/nsd/configure.ac,v
> retrieving revision 1.20 diff -u -p -r1.20 configure.ac ---
> configure.ac 3 Feb 2015 10:40:02 -0000 1.20 +++ configure.ac 6 May
> 2015 12:30:03 -0000 @@ -320,7 +320,6 @@ AC_DEFUN([CHECK_SSL], [
> AC_CHECK_LIB(crypto, HMAC_CTX_init,, [ AC_MSG_ERROR([OpenSSL found
> in $ssldir, but version 0.9.7 or higher is required]) ]) -
> AC_CHECK_FUNCS([EVP_sha1 EVP_sha256]) fi AC_SUBST(HAVE_SSL) fi
> Index: tsig-openssl.c
> ===================================================================
>
>
RCS file: /cvs/src/usr.sbin/nsd/tsig-openssl.c,v
> retrieving revision 1.1.1.6 diff -u -p -r1.1.1.6 tsig-openssl.c ---
> tsig-openssl.c 26 Nov 2013 12:50:14 -0000 1.1.1.6 +++
> tsig-openssl.c 6 May 2015 12:30:03 -0000 @@ -61,14 +61,19 @@
> tsig_openssl_init(region_type *region) int count = 0;
> OpenSSL_add_all_digests();
>
> - count += tsig_openssl_init_algorithm(region, "md5",
> "hmac-md5","hmac-md5.sig-alg.reg.int."); -#ifdef HAVE_EVP_SHA1 -
> count += tsig_openssl_init_algorithm(region, "sha1", "hmac-sha1",
> "hmac-sha1."); -#endif /* HAVE_EVP_SHA1 */ + count +=
> tsig_openssl_init_algorithm(region, + "md5",
> "hmac-md5","hmac-md5.sig-alg.reg.int."); + count +=
> tsig_openssl_init_algorithm(region, + "sha1", "hmac-sha1",
> "hmac-sha1."); + count += tsig_openssl_init_algorithm(region, +
> "sha224", "hmac-sha224", "hmac-sha224."); + count +=
> tsig_openssl_init_algorithm(region, + "sha256", "hmac-sha256",
> "hmac-sha256."); + count += tsig_openssl_init_algorithm(region, +
> "sha384", "hmac-sha384", "hmac-sha384."); + count +=
> tsig_openssl_init_algorithm(region, + "sha512", "hmac-sha512",
> "hmac-sha512.");
>
> -#ifdef HAVE_EVP_SHA256 - count +=
> tsig_openssl_init_algorithm(region, "sha256", "hmac-sha256",
> "hmac-sha256."); -#endif /* HAVE_EVP_SHA256 */ return count; }
>
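Review bot: in CHECK_SSL in configure.ac, dropping AC_CHECK_FUNCS([EVP_sha1 EVP_sha256]) leaves the HMAC_CTX_init test as the only libcrypto probe shown, and its error text still gives 0.9.7 as the minimum version, so configure no longer reports anything about which digests are available. If the new algorithms are meant to be optional at run time, say so in a comment next to the check; if they are meant to be required, add a probe for them here. The patch touches only config.h.in, configure, configure.ac and tsig-openssl.c, so the new algorithm names also need a mention wherever the accepted TSIG algorithm names are documented.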