Merge branch 'master' into fix_mutex_nsp

hickory-dns · Sep 23, 2017 · 3d9911c · 3d9911c
2 parents 2ffe6a3 + 7a7dbca
commit 3d9911c
Show file tree

Hide file tree

Showing 19 changed files with 489 additions and 280 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,5 +1,5 @@
 [workspace]
-members = ["client", "compatibility-tests", "integration-tests", "native-tls", "resolver", "rustls", "server"]
+members = ["client", "compatibility-tests", "integration-tests", "native-tls", "resolver", "rustls", "server", "util"]
 
 [replace]
 #"native-tls:0.1.1" = { path = "../rust-native-tls" }

diff --git a/client/Cargo.toml b/client/Cargo.toml
@@ -50,16 +50,9 @@ tls = ["openssl", "tokio-openssl"]
 name = "trust_dns"
 path = "src/lib.rs"
 
-[[bin]]
-name = "dnskey-to-pem"
-required-features = ["openssl"]
-path = "src/dnskey_to_pem.rs"
-
 [dependencies]
 chrono = "^0.4"
-clap = "^2.23.3"
 data-encoding = "^1.2.0"
-env_logger = "0.4.2"
 error-chain = "0.1.12"
 futures = "^0.1.6"
 lazy_static = "^0.2.1"

diff --git a/client/src/client/secure_client_handle.rs b/client/src/client/secure_client_handle.rs
@@ -124,13 +124,16 @@ where
 
                 // send along the algorithms which are supported by this client
                 let mut algorithms = SupportedAlgorithms::new();
+                #[cfg(feature = "ring")]
+                {
+                    algorithms.set(Algorithm::ED25519);
+                }
+                algorithms.set(Algorithm::ECDSAP256SHA256);
+                algorithms.set(Algorithm::ECDSAP384SHA384);
                 #[cfg(feature = "openssl")]
                 {
                     algorithms.set(Algorithm::RSASHA256);
-                    algorithms.set(Algorithm::ECDSAP256SHA256);
-                    algorithms.set(Algorithm::ECDSAP384SHA384);
                 }
-                #[cfg(feature = "ring")] algorithms.set(Algorithm::ED25519);
 
                 let dau = EdnsOption::DAU(algorithms);
                 let dhu = EdnsOption::DHU(algorithms);

diff --git a/client/src/rr/dnssec/digest_type.rs b/client/src/rr/dnssec/digest_type.rs
@@ -15,12 +15,16 @@
  */
 #[cfg(feature = "openssl")]
 use openssl::hash;
-#[cfg(feature = "openssl")]
-use openssl::hash::{DigestBytes, MessageDigest};
+
+#[cfg(feature = "ring")]
+use ring::digest;
 
 use rr::dnssec::Algorithm;
 use error::*;
 
+#[cfg(any(feature = "openssl", feature = "ring"))]
+use super::Digest;
+
 /// This is the digest format for the
 ///
 ///```text
@@ -62,29 +66,77 @@ impl DigestType {
 
     /// The OpenSSL counterpart for the digest
     #[cfg(feature = "openssl")]
-    pub fn to_openssl_digest(&self) -> DnsSecResult<MessageDigest> {
+    pub fn to_openssl_digest(&self) -> DnsSecResult<hash::MessageDigest> {
         match *self {
-            DigestType::SHA1 => Ok(MessageDigest::sha1()),
-            DigestType::SHA256 => Ok(MessageDigest::sha256()),
-            DigestType::SHA384 => Ok(MessageDigest::sha384()),
-            DigestType::SHA512 => Ok(MessageDigest::sha512()),
+            DigestType::SHA1 => Ok(hash::MessageDigest::sha1()),
+            DigestType::SHA256 => Ok(hash::MessageDigest::sha256()),
+            DigestType::SHA384 => Ok(hash::MessageDigest::sha384()),
+            DigestType::SHA512 => Ok(hash::MessageDigest::sha512()),
             _ => {
                 Err(DnsSecErrorKind::Msg(format!("digest not supported by openssl: {:?}", self))
                         .into())
             }
         }
     }
 
+    /// The *ring* counterpart for the digest
+    #[cfg(feature = "ring")]
+    pub fn to_ring_digest_alg(&self) -> DnsSecResult<&'static digest::Algorithm> {
+        match *self {
+            DigestType::SHA1 => Ok(&digest::SHA1),
+            DigestType::SHA256 => Ok(&digest::SHA256),
+            DigestType::SHA384 => Ok(&digest::SHA384),
+            DigestType::SHA512 => Ok(&digest::SHA512),
+            _ =>
+                Err(DnsSecErrorKind::Msg(format!("digest not supported by ring: {:?}", self))
+                    .into())
+        }
+    }
+
     /// Hash the data
-    #[cfg(feature = "openssl")]
-    pub fn hash(&self, data: &[u8]) -> DnsSecResult<DigestBytes> {
+    #[cfg(all(not(feature = "ring"), feature = "openssl"))]
+    pub fn hash(&self, data: &[u8]) -> DnsSecResult<Digest> {
         hash::hash2(try!(self.to_openssl_digest()), data).map_err(|e| e.into())
     }
 
+    /// Hash the data
+    #[cfg(feature = "ring")]
+    pub fn hash(&self, data: &[u8]) -> DnsSecResult<Digest> {
+        let alg = try!(self.to_ring_digest_alg());
+        Ok(digest::digest(alg, data))
+    }
+
     /// This will always error, enable openssl feature at compile time
-    #[cfg(not(feature = "openssl"))]
+    #[cfg(not(any(feature = "openssl", feature = "ring")))]
     pub fn hash(&self, _: &[u8]) -> DnsSecResult<Vec<u8>> {
-        Err(DnsSecErrorKind::Message("openssl feature not enabled").into())
+        Err(DnsSecErrorKind::Message("The openssl and ring features are both disabled").into())
+    }
+
+    /// Digest all the data.
+    #[cfg(all(not(feature = "ring"), feature = "openssl"))]
+    pub fn digest_all(&self, data: &[&[u8]]) -> DnsSecResult<Digest> {
+        use std::io::Write;
+
+        let digest_type = try!(self.to_openssl_digest());
+        hash::Hasher::new(digest_type)
+            .map_err(|e| e.into())
+            .and_then(|mut hasher| {
+                for d in data {
+                    try!(hasher.write_all(d));
+                }
+                hasher.finish2().map_err(|e| e.into())
+            })
+    }
+
+    /// Digest all the data.
+    #[cfg(feature = "ring")]
+    pub fn digest_all(&self, data: &[&[u8]]) -> DnsSecResult<Digest> {
+        let alg = try!(self.to_ring_digest_alg());
+        let mut ctx = digest::Context::new(alg);
+        for d in data {
+            ctx.update(d);
+        }
+        Ok(ctx.finish())
     }
 }
 

diff --git a/client/src/rr/dnssec/ec_public_key.rs b/client/src/rr/dnssec/ec_public_key.rs
@@ -0,0 +1,47 @@
+// Copyright 2017 Brian Smith <brian@briansmith.org>
+//
+// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
+// http://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
+// http://opensource.org/licenses/MIT>, at your option. This file may not be
+// copied, modified, or distributed except according to those terms.
+
+use error::*;
+use super::Algorithm;
+
+pub struct ECPublicKey {
+    buf: [u8; MAX_LEN],
+    len: usize,
+}
+
+// The length of the longest supported EC public key (P-384).
+const MAX_LEN: usize = 1 + (2 * 48);
+
+impl ECPublicKey {
+    // DNSSEC encodes uncompressed EC public keys without the standard 0x04
+    // prefix that indicates they are uncompressed, but crypto libraries
+    // require that prefix.
+    pub fn from_unprefixed(without_prefix: &[u8], algorithm: Algorithm)
+                           -> DnsSecResult<Self> {
+        let field_len = match algorithm {
+            Algorithm::ECDSAP256SHA256 => 32,
+            Algorithm::ECDSAP384SHA384 => 48,
+            _ => return Err("only ECDSAP256SHA256 and ECDSAP384SHA384 are supported by Ec".into()),
+        };
+        let len = 1 + (2 * field_len);
+        if len - 1 != without_prefix.len() {
+            return Err("EC public key is the wrong length".into());
+        }
+        let mut buf = [0x04u8; MAX_LEN];
+        buf[1..len].copy_from_slice(without_prefix);
+        Ok( ECPublicKey { buf, len })
+    }
+
+    pub fn prefixed_bytes(&self) -> &[u8] {
+        &self.buf[..self.len]
+    }
+
+    #[cfg(feature = "ring")]
+    pub fn unprefixed_bytes(&self) -> &[u8] {
+        &self.buf[1..self.len]
+    }
+}