Commit 640c5b98 authored by Mark Andrews's avatar Mark Andrews

compute hmac when sending

parent ab25d5ab
......@@ -20,6 +20,131 @@ You have another version of autoconf. It may work, but is not guaranteed to.
If you have problems, you may need to regenerate the build system entirely.
To do so, use the procedure documented by the package, typically 'autoreconf'.])])
# ===========================================================================
# https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
#
# DESCRIPTION
#
# Look for OpenSSL in a number of default spots, or in a user-selected
# spot (via --with-openssl). Sets
#
# OPENSSL_INCLUDES to the include directives required
# OPENSSL_LIBS to the -l directives required
# OPENSSL_LDFLAGS to the -L or -R flags required
#
# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
#
# This macro sets OPENSSL_INCLUDES such that source files should use the
# openssl/ directory in include directives:
#
# #include <openssl/hmac.h>
#
# LICENSE
#
# Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
# Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com>
#
# Copying and distribution of this file, with or without modification, are
# permitted in any medium without royalty provided the copyright notice
# and this notice are preserved. This file is offered as-is, without any
# warranty.
#serial 10
AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
AC_DEFUN([AX_CHECK_OPENSSL], [
found=false
AC_ARG_WITH([openssl],
[AS_HELP_STRING([--with-openssl=DIR],
[root of the OpenSSL directory])],
[
case "$withval" in
"" | y | ye | yes | n | no)
AC_MSG_ERROR([Invalid --with-openssl value])
;;
*) ssldirs="$withval"
;;
esac
], [
# if pkg-config is installed and openssl has installed a .pc file,
# then use that information and don't search ssldirs
AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
if test x"$PKG_CONFIG" != x""; then
OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
if test $? = 0; then
OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
found=true
fi
fi
# no such luck; use some default ssldirs
if ! $found; then
ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
fi
]
)
# note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
# an 'openssl' subdirectory
if ! $found; then
OPENSSL_INCLUDES=
for ssldir in $ssldirs; do
AC_MSG_CHECKING([for openssl/ssl.h in $ssldir])
if test -f "$ssldir/include/openssl/ssl.h"; then
OPENSSL_INCLUDES="-I$ssldir/include"
OPENSSL_LDFLAGS="-L$ssldir/lib"
OPENSSL_LIBS="-lssl -lcrypto"
found=true
AC_MSG_RESULT([yes])
break
else
AC_MSG_RESULT([no])
fi
done
# if the file wasn't found, well, go ahead and try the link anyway -- maybe
# it will just work!
fi
# try the preprocessor and linker with our new flags,
# being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
"OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD
save_LIBS="$LIBS"
save_LDFLAGS="$LDFLAGS"
save_CPPFLAGS="$CPPFLAGS"
LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
LIBS="$OPENSSL_LIBS $LIBS"
CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])],
[
AC_MSG_RESULT([yes])
$1
], [
AC_MSG_RESULT([no])
$2
])
CPPFLAGS="$save_CPPFLAGS"
LDFLAGS="$save_LDFLAGS"
LIBS="$save_LIBS"
AC_SUBST([OPENSSL_INCLUDES])
AC_SUBST([OPENSSL_LIBS])
AC_SUBST([OPENSSL_LDFLAGS])
])
# Copyright (C) 2002-2018 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
......@@ -10,6 +10,10 @@ AC_SEARCH_LIBS([res_mkquery],[resolv bind])
AC_SEARCH_LIBS([res_9_mkquery],[resolv bind])
AC_SEARCH_LIBS([__res_mkquery],[resolv bind])
AC_CHECK_HEADERS(sys/types.h netinet/in.h arpa/nameser.h resolv.h)
AX_CHECK_OPENSSL([:],[AC_MSG_FAILURE([OpenSSL/LibreSSL not found])])
CFLAGS="$CFLAGS $OPENSSL_INCLUDES"
LIBS="$LIBS $OPENSSL_LIBS"
LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
AC_MSG_CHECKING(for res_getservers)
AC_TRY_COMPILE([
#include <sys/types.h>
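Review bot: `CFLAGS="$CFLAGS $OPENSSL_INCLUDES"` places the `-I` directives that AX_CHECK_OPENSSL produces into CFLAGS, whereas the autoconf convention for preprocessor directives is CPPFLAGS, which is the variable preprocessor-only checks such as AC_CHECK_HEADERS consult; a later header check for `openssl/*.h` would therefore not see a `--with-openssl` directory. The one-line change is `CPPFLAGS="$CPPFLAGS $OPENSSL_INCLUDES"`, which the following AC_TRY_COMPILE also picks up. The AC_TRY_COMPILE that begins on the last line of the hunk continues outside it.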
......@@ -43,6 +43,8 @@
#include <resolv.h>
#include <signal.h>
#include <openssl/hmac.h>
#ifndef FD_COPY
#define FD_COPY(x, y) memmove(y, x, sizeof(*x))
#endif
......@@ -619,6 +621,7 @@ struct workitem {
int read; /* how much has been read so far */
unsigned char buf[512]; /* the question we sent */
unsigned char tcpbuf[0x10000]; /* where to accumulate the tcp response */
unsigned char mac[32]; /* tsig hmac-sha256 mac */
struct summary *summary; /* where this test is summaried */
};
......@@ -1243,20 +1246,39 @@ dotest(struct workitem *item) {
*/
if (n > 0 && strcmp(opts[item->test].name, "dnswkk") == 0) {
time_t now;
unsigned char buf[32] = { 0 };
unsigned char *rdlen;
#define ALGNAME "\013hmac-sha256"
unsigned char key[32] = { 0 }; /* all zeros */
unsigned char *rdlen; /* rdata len pointer */
unsigned char *dp; /* digest start pointer */
unsigned char *mp; /* pointer to MAC */
HMAC_CTX *hmctx;
#define ALGNAME "\013hmac-sha256" /* lower case */
hmctx = HMAC_CTX_new();
if (hmctx == NULL)
goto error;
if (!HMAC_Init_ex(hmctx, key, sizeof(key), EVP_sha256(), NULL))
goto error;
if (!HMAC_Update(hmctx, item->buf, n))
goto error;
cp = item->buf + n;
dp = cp;
*cp++ = 0; /* name "." */
if (!HMAC_Update(hmctx, dp, cp - dp)) /* name */
goto error;
ns_put16(ns_t_tsig, cp); /* type */
cp += 2;
dp = cp;
ns_put16(ns_t_any, cp); /* class */
cp += 2;
ns_put32(0, cp); /* ttl */
cp += 4;
if (!HMAC_Update(hmctx, dp, cp - dp)) /* class ttl */
goto error;
rdlen = cp; /* save rdlen ptr */
cp += 2;
dp = cp;
memcpy(cp, ALGNAME, sizeof(ALGNAME));
cp += sizeof(ALGNAME);
ns_put16(0, cp); /* high time */
......@@ -1266,19 +1288,31 @@ dotest(struct workitem *item) {
cp += 4;
ns_put16(300, cp); /* fudge */
cp += 2;
ns_put16(sizeof(buf), cp); /* mac size */
if (!HMAC_Update(hmctx, dp, cp - dp)) /* alg, time, fudge*/
goto error;
ns_put16(sizeof(item->mac), cp); /* mac size */
cp += 2;
memcpy(cp, buf, sizeof(buf)); /* mac */
cp += sizeof(buf);
mp = cp;
cp += sizeof(item->mac);
memcpy(cp, item->buf, id); /* id */
cp += 2;
dp = cp;
ns_put16(0, cp); /* error */
cp += 2;
ns_put16(0, cp); /* other len */
cp += 2;
/* no other data */
if (!HMAC_Update(hmctx, dp, cp - dp)) /* error, other len */
goto error;
if (!HMAC_Final(hmctx, item->mac, NULL))
goto error;
memcpy(mp, item->mac, sizeof(item->mac)); /* mac */
ns_put16(cp - rdlen - 2, rdlen); /* rdlen */
item->buf[11] += 1; /* adcount */
n = cp - item->buf; /* total length */
HMAC_CTX_free(hmctx);
}
if (n > 0) {
......@@ -1321,6 +1355,7 @@ dotest(struct workitem *item) {
APPEND(work, item, link);
APPEND(ids[item->id], item, idlink);
} else {
error:
addtag(item, "failed");
item->summary->allok = 0;
item->summary->seenfailure = 1;
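Review bot: Every `goto error` taken between `HMAC_CTX_new()` and `HMAC_Final()` leaks the HMAC_CTX, because `HMAC_CTX_free(hmctx)` is reached only on the success path and `hmctx`, declared inside the `if` block, is out of scope at the `error:` label added in the last hunk. A small fix is to hoist `HMAC_CTX *hmctx = NULL;` to dotest's top-level declarations (outside these hunks) and free it at the label, `error:` / `HMAC_CTX_free(hmctx);` / `addtag(item, "failed");` — HMAC_CTX_free tolerates a NULL argument in OpenSSL 1.1, so the non-TSIG failure paths are unaffected. The digest input order (message, name, class/TTL, algorithm/time/fudge, error/other-len, with type, rdlen, MAC size, MAC and original ID skipped) follows the TSIG MAC layout, and bumping `item->buf[11]` only after the message has been fed to HMAC_Update is what keeps the message digest valid; a comment stating that ordering constraint, e.g. `/* MAC covers the message with the original ARCOUNT; bump it only after HMAC_Final */`, would keep a future reorder from silently breaking verification. dotest starts and ends outside these hunks.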