Changed to use polarssl HMAC for SHA

PowerDNS · Sep 3, 2013 · 9101035 · 9101035
1 parent a56bc64
commit 9101035
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 52 deletions.
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb
diff --git a/modules/tinydnsbackend/generate-data.sh b/modules/tinydnsbackend/generate-data.sh
@@ -47,6 +47,7 @@ do
 	cat $zone.out >> data
 	rm $zone.out
 done
-$tinydnsdata
 
-kill $(cat ../../regression-tests/pdns.pid)
+$tinydnsdata  
+
+kill $(cat ../../regression-tests/pdns.pid)
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
@@ -452,72 +452,51 @@ string calculateMD5HMAC(const std::string& key_, const std::string& text)
   return md5_2.get();
 }
 
-string calculateSHAHMAC(const std::string& key_, const std::string& text, TSIGHashEnum hasher)
+string calculateSHAHMAC(const std::string& key, const std::string& text, TSIGHashEnum hasher)
 {
-  unsigned char key[64] = {0};
+  std::string res;
-  key_.copy((char*)key,64); 
+  unsigned char hash[64];
-  unsigned char keyIpad[64];
-  unsigned char keyOpad[64];
 
-  //~ cerr<<"Key: "<<makeHexDump(key_)<<endl;
-  //~ cerr<<"txt: "<<makeHexDump(text)<<endl;
-
-  for(unsigned int n=0; n < 64; ++n) {
-    if(n < key_.length()) {
-      keyIpad[n] = (unsigned char)(key[n] ^ 0x36);
-      keyOpad[n] = (unsigned char)(key[n] ^ 0x5c);
-    }
-    else  {
-      keyIpad[n]=0x36;
-      keyOpad[n]=0x5c;
-    }
-  }
-
   switch(hasher) {
   case TSIG_SHA1:
   {
-      SHA1Summer s1,s2;
+      sha1_context ctx;
-      s1.feed((const char*)keyIpad, 64);
+      sha1_hmac_starts(&ctx, reinterpret_cast<const unsigned char*>(key.c_str()), key.size());
-      s1.feed(text);
+      sha1_hmac_update(&ctx, reinterpret_cast<const unsigned char*>(text.c_str()), text.size());
-      s2.feed((const char*)keyOpad, 64);
+      sha1_hmac_finish(&ctx, hash);
-      s2.feed(s1.get());
+      res.assign(reinterpret_cast<const char*>(hash), 20);
-      return s2.get();
   };
   case TSIG_SHA224:
   {
-      SHA224Summer s1,s2;
+      sha2_context ctx;
-      s1.feed((const char*)keyIpad, 64);
+      sha2_hmac_starts(&ctx, reinterpret_cast<const unsigned char*>(key.c_str()), key.size(), 1);
-      s1.feed(text);
+      sha2_hmac_update(&ctx, reinterpret_cast<const unsigned char*>(text.c_str()), text.size());
-      s2.feed((const char*)keyOpad, 64);
+      sha2_hmac_finish(&ctx, hash);
-      s2.feed(s1.get());
+      res.assign(reinterpret_cast<const char*>(hash), 32);
-      return s2.get();
   };
   case TSIG_SHA256:
   {
-      SHA256Summer s1,s2;
+      sha2_context ctx;
-      s1.feed((const char*)keyIpad, 64);
+      sha2_hmac_starts(&ctx, reinterpret_cast<const unsigned char*>(key.c_str()), key.size(), 0);
-      s1.feed(text);
+      sha2_hmac_update(&ctx, reinterpret_cast<const unsigned char*>(text.c_str()), text.size());
-      s2.feed((const char*)keyOpad, 64);
+      sha2_hmac_finish(&ctx, hash);
-      s2.feed(s1.get());
+      res.assign(reinterpret_cast<const char*>(hash), 32);
-      return s2.get();
   };
   case TSIG_SHA384:
   {
-      SHA384Summer s1,s2;
+      sha4_context ctx;
-      s1.feed((const char*)keyIpad, 64);
+      sha4_hmac_starts(&ctx, reinterpret_cast<const unsigned char*>(key.c_str()), key.size(), 1);
-      s1.feed(text);
+      sha4_hmac_update(&ctx, reinterpret_cast<const unsigned char*>(text.c_str()), text.size());
-      s2.feed((const char*)keyOpad, 64);
+      sha4_hmac_finish(&ctx, hash);
-      s2.feed(s1.get());
+      res.assign(reinterpret_cast<const char*>(hash), 64);
-      return s2.get();
   };
   case TSIG_SHA512:
   {
-      SHA512Summer s1,s2;
+      sha4_context ctx;
-      s1.feed((const char*)keyIpad, 64);
+      sha4_hmac_starts(&ctx, reinterpret_cast<const unsigned char*>(key.c_str()), key.size(), 0);
-      s1.feed(text);
+      sha4_hmac_update(&ctx, reinterpret_cast<const unsigned char*>(text.c_str()), text.size());
-      s2.feed((const char*)keyOpad, 64);
+      sha4_hmac_finish(&ctx, hash);
-      s2.feed(s1.get());
+      res.assign(reinterpret_cast<const char*>(hash), 64);
-      return s2.get();
   };
   default:
     throw new PDNSException("Unknown hash algorithm requested for SHA");

diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -6,5 +6,5 @@ a2dd754820cb88fdd3d80b54a212a270  ../regression-tests/test.com
 42dd3a56c7d268e75836371878819ec4  ../regression-tests/delegated.dnssec-parent.com
 a63dc120391d9df0003f2ec4f461a6af  ../regression-tests/secure-delegated.dnssec-parent.com
 24514dc104b22206daeb973ff9303545  ../regression-tests/minimal.com
-f77817aafda5cd6a8e3d4ac998be6fff  ../modules/tinydnsbackend/data.cdb
 0b20d7a0250576451135483b863750bf  ../regression-tests/tsig.com
+3dfdde25a811ab2d769b6e0838280e61  ../modules/tinydnsbackend/data.cdb