Commit 4271dbb6 authored by Karel Slaný's avatar Karel Slaný Committed by Ondřej Surý
Browse files

HMAC-SHA256-64 uses libnettle.

parent 37168032
......@@ -19,7 +19,7 @@ $(eval $(call find_lib,libknot,2.1))
$(eval $(call find_lib,lmdb))
$(eval $(call find_lib,libzscanner,2.1))
$(eval $(call find_lib,libuv,1.0))
$(eval $(call find_lib,libcrypto))
$(eval $(call find_lib,nettle))
$(eval $(call find_alt,lua,luajit))
$(eval $(call find_lib,cmocka))
$(eval $(call find_bin,doxygen))
......@@ -62,10 +62,10 @@ ifneq (,$(findstring luajit, $(lua_LIBS)))
endif
endif
BUILD_CFLAGS += $(libknot_CFLAGS) $(libuv_CFLAGS) $(libcrypto_CFLAGS) $(cmocka_CFLAGS) $(lua_CFLAGS) $(libdnssec_CFLAGS) $(libsystemd_CFLAGS)
BUILD_CFLAGS += $(libknot_CFLAGS) $(libuv_CFLAGS) $(nettle_CFLAGS) $(cmocka_CFLAGS) $(lua_CFLAGS) $(libdnssec_CFLAGS) $(libsystemd_CFLAGS)
BUILD_CFLAGS += $(addprefix -I,$(wildcard contrib/ccan/*) contrib/murmurhash3)
ifeq ($(HAS_libcrypto),yes)
ifeq ($(HAS_nettle),yes)
BUILD_CFLAGS += -DENABLE_COOKIES
endif
......@@ -95,7 +95,7 @@ info:
$(info [$(HAS_lua)] luajit (daemon))
$(info [$(HAS_libuv)] libuv (daemon))
$(info [$(HAS_gnutls)] libgnutls (daemon))
$(info [$(HAS_libcrypto)] crypto (DNS cookies))
$(info [$(HAS_nettle)] nettle (DNS cookies))
$(info )
$(info Optional)
$(info --------)
......
......@@ -14,12 +14,10 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <arpa/inet.h> /* htonl(), ... */
#include <assert.h>
#include <nettle/hmac.h>
#include <stdint.h>
#include <stdlib.h>
#include <openssl/hmac.h>
#include <openssl/sha.h>
#include <libknot/errcode.h>
#include <libknot/rrtype/opt-cookie.h>
......@@ -38,7 +36,7 @@
static int cc_gen_hmac_sha256_64(const struct knot_cc_input *input,
uint8_t *cc_out, uint16_t *cc_len)
{
if (!input || !cc_out || !cc_len) {
if (!input || !cc_out || !cc_len || *cc_len < KNOT_OPT_COOKIE_CLNT) {
return KNOT_EINVAL;
}
......@@ -50,31 +48,14 @@ static int cc_gen_hmac_sha256_64(const struct knot_cc_input *input,
const uint8_t *addr = NULL;
int addr_len = 0; /* Address length. */
uint8_t digest[SHA256_DIGEST_LENGTH];
unsigned int digest_len = SHA256_DIGEST_LENGTH;
/* text: (client IP | server IP)
* key: client secret */
HMAC_CTX ctx;
HMAC_CTX_init(&ctx);
int ret = HMAC_Init_ex(&ctx, input->secret_data, input->secret_len,
EVP_sha256(), NULL);
if (ret != 1) {
ret = KNOT_EINVAL;
goto fail;
}
struct hmac_sha256_ctx ctx;
hmac_sha256_set_key(&ctx, input->secret_len, input->secret_data);
if (input->clnt_sockaddr) {
addr = (uint8_t *)kr_inaddr(input->clnt_sockaddr);
addr_len = kr_inaddr_len(input->clnt_sockaddr);
if (addr && addr_len > 0) {
ret = HMAC_Update(&ctx, addr, addr_len);
if (ret != 1) {
ret = KNOT_EINVAL;
goto fail;
}
hmac_sha256_update(&ctx, addr_len, addr);
}
}
......@@ -82,37 +63,22 @@ static int cc_gen_hmac_sha256_64(const struct knot_cc_input *input,
addr = (uint8_t *)kr_inaddr(input->srvr_sockaddr);
addr_len = kr_inaddr_len(input->srvr_sockaddr);
if (addr && addr_len > 0) {
ret = HMAC_Update(&ctx, addr, addr_len);
if (ret != 1) {
ret = KNOT_EINVAL;
goto fail;
}
hmac_sha256_update(&ctx, addr_len, addr);
}
}
if (1 != HMAC_Final(&ctx, digest, &digest_len)) {
ret = KNOT_EINVAL;
goto fail;
}
assert(KNOT_OPT_COOKIE_CLNT <= SHA256_DIGEST_LENGTH);
if (*cc_len < KNOT_OPT_COOKIE_CLNT) {
return KNOT_ESPACE;
}
assert(KNOT_OPT_COOKIE_CLNT <= SHA256_DIGEST_SIZE);
*cc_len = KNOT_OPT_COOKIE_CLNT;
memcpy(cc_out, digest, *cc_len);
ret = KNOT_EOK;
hmac_sha256_digest(&ctx, *cc_len, cc_out);
fail:
HMAC_CTX_cleanup(&ctx);
return ret;
return KNOT_EOK;
}
#define SRVR_HMAC_SHA256_64_HASH_SIZE 8
/**
* @brief Compute server cookie using HMAC-SHA256-64).
* @brief Compute server cookie hash using HMAC-SHA256-64).
* @note Server cookie = nonce | time | HMAC-SHA256-64( server secret, client cookie | nonce| time | client IP )
* @param input data to compute cookie from
* @param hash_out hash cookie output buffer
......@@ -133,63 +99,32 @@ static int sc_gen_hmac_sha256_64(const struct knot_sc_input *input,
}
const uint8_t *addr = NULL;
size_t addr_len = 0; /* Address length. */
uint8_t digest[SHA256_DIGEST_LENGTH];
unsigned int digest_len = SHA256_DIGEST_LENGTH;
HMAC_CTX ctx;
HMAC_CTX_init(&ctx);
int addr_len = 0; /* Address length. */
int ret = HMAC_Init_ex(&ctx, input->srvr_data->secret_data,
input->srvr_data->secret_len,
EVP_sha256(), NULL);
if (ret != 1) {
ret = KNOT_EINVAL;
goto fail;
}
struct hmac_sha256_ctx ctx;
hmac_sha256_set_key(&ctx, input->srvr_data->secret_len,
input->srvr_data->secret_data);
ret = HMAC_Update(&ctx, input->cc, input->cc_len);
if (ret != 1) {
ret = KNOT_EINVAL;
goto fail;
}
hmac_sha256_update(&ctx, input->cc_len, input->cc);
if (input->nonce && input->nonce_len) {
ret = HMAC_Update(&ctx, (void *)input->nonce, input->nonce_len);
if (ret != 1) {
ret = KNOT_EINVAL;
goto fail;
}
hmac_sha256_update(&ctx, input->nonce_len, input->nonce);
}
if (input->srvr_data->clnt_sockaddr) {
addr = (uint8_t *)kr_inaddr(input->srvr_data->clnt_sockaddr);
addr_len = kr_inaddr_len(input->srvr_data->clnt_sockaddr);
if (addr && addr_len > 0) {
ret = HMAC_Update(&ctx, addr, addr_len);
if (ret != 1) {
ret = KNOT_EINVAL;
goto fail;
}
hmac_sha256_update(&ctx, addr_len, addr);
}
}
if (1 != HMAC_Final(&ctx, digest, &digest_len)) {
ret = KNOT_EINVAL;
goto fail;
}
assert(SRVR_HMAC_SHA256_64_HASH_SIZE <= SHA256_DIGEST_LENGTH);
assert(SRVR_HMAC_SHA256_64_HASH_SIZE < SHA256_DIGEST_SIZE);
*hash_len = SRVR_HMAC_SHA256_64_HASH_SIZE;
memcpy(hash_out, digest, *hash_len);
ret = KNOT_EOK;
hmac_sha256_digest(&ctx, *hash_len, hash_out);
fail:
HMAC_CTX_cleanup(&ctx);
return ret;
return KNOT_EOK;
}
const struct knot_cc_alg knot_cc_alg_hmac_sha256_64 = { KNOT_OPT_COOKIE_CLNT, cc_gen_hmac_sha256_64 };
......
......@@ -44,7 +44,7 @@ libkres_CFLAGS := -fvisibility=hidden -fPIC $(lmdb_CFLAGS)
libkres_LIBS := $(contrib_TARGET) $(libknot_LIBS) $(libdnssec_LIBS) $(lmdb_LIBS)
libkres_TARGET := -L$(abspath lib) -lkres
ifeq ($(HAS_libcrypto),yes)
ifeq ($(HAS_nettle),yes)
libkres_SOURCES += \
lib/layer/cookiemonster.c \
lib/cookies/alg_containers.c \
......@@ -62,7 +62,7 @@ libkres_HEADERS += \
lib/cookies/helper.h \
lib/cookies/nonce.h
libkres_LIBS += $(libcrypto_LIBS)
libkres_LIBS += $(nettle_LIBS)
endif
# Make library
......
......@@ -3,7 +3,7 @@ modules_TARGETS := hints \
stats
# DNS cookies
ifeq ($(HAS_libcrypto),yes)
ifeq ($(HAS_nettle),yes)
modules_TARGETS += cookiectl
endif
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment