CC: | Ivan Shmakov <oneingray [...] gmail.com> |
Subject: | Net::DNS::TSIG: please support hmac-sha1 .. hmac-sha512 |
Date: | Sat, 06 Apr 2013 12:28:04 +0000 |
To: | bug-Net-DNS [...] rt.cpan.org |
From: | Ivan Shmakov <oneingray [...] gmail.com> |
[Forwarding Debian Bug#700618.]
Please add support for the hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384, hmac-sha512 algorithms (as per RFC 4635.)
An example algorithm switcher is attached as a MIME part. Please note,
however, that it relies on a patched version of Digest::HMAC which
allows passing an already-instantiated Digest object (rather than a
class name) to the Digest::HMAC->new () constructor (as per CPAN RT#84467,
Debian Bug#700617.)
The code as given is untested, although I've used a similar hack
in my (yet to be released) project, to successfully communicate
with BIND9 using hmac-sha512.
--
FSF associate member #7257 http://hfday.org/
require Carp;
require Digest;
require Digest::HMAC;
require MIME::Base64;
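## based on Net::DNS::RR::TSIG::sign_hmac
##
## Build a TSIG signing function for one HMAC algorithm.
##
## $digest      an instantiated Digest object (e.g. Digest->new ("SHA-256")).
##              It is handed to the patched Digest::HMAC->new () that takes an
##              object in place of a class name, so the same object is reused
##              by every call of the returned closure (the patched constructor
##              is presumably responsible for resetting it -- verify).
## $block_size  the hash's input block size in bytes (64 for MD5/SHA-1/
##              SHA-224/SHA-256, 128 for SHA-384/SHA-512); HMAC needs it and
##              Digest does not expose it.
##
## Returns a CODE reference taking ($key_s, $data): $key_s is the
## base64-encoded shared secret (all whitespace, e.g. line folding copied
## from a key file, is stripped first) and $data the octet string to
## authenticate.  The closure returns the raw binary MAC.
##
## Croaks if the secret decodes to nothing.  decode_base64 () silently drops
## characters it does not understand, so an empty, undefined or wholly
## invalid secret would otherwise produce a MAC keyed with the empty string
## instead of an error.
sub new_sign_hmac {
    my ($digest, $block_size) = @_;
    ## .
    sub {
        my ($key_s, $data) = @_;
        $key_s = "" unless (defined ($key_s));
        $key_s =~ s/\s//g;
        my $key
            = MIME::Base64::decode_base64 ($key_s);
        ## a zero-length key is a misconfiguration, never a usable TSIG secret
        Carp::croak ("TSIG key is empty or not valid base64")
            unless (length ($key));
        my $hmac
            = Digest::HMAC->new ($key, $digest, $block_size);
        $hmac->add ($data);
        ## .
        $hmac->digest ();
    }
}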
## NB: a value is either a CODE reference, or [ "digest", block_size ]
##
## Table of supported TSIG algorithm names.  For the ARRAY form, the first
## element is the algorithm name as accepted by Digest->new () and the
## second is the hash's input block size in bytes, which HMAC needs and
## Digest does not expose: 64 for MD5, SHA-1, SHA-224 and SHA-256, 128 for
## SHA-384 and SHA-512 (the block size follows the hash, not its output
## length, which is why SHA-224 shares MD5's 64 bytes).  The table is looked
## up by exact string, so names are case-sensitive and carry no trailing dot.
## HMAC-MD5 is retained for interoperability with existing keys; prefer one
## of the hmac-sha2 algorithms when provisioning new keys.
our $rr_tsig_algo_info = do {
    my %info_of;
    ## the original algorithm name, spelled in upper case
    $info_of{"HMAC-MD5.SIG-ALG.REG.INT"} = [ "MD5", 64 ];
    ## the SHA family names introduced by RFC 4635
    $info_of{"hmac-sha1"}   = [ "SHA-1",   64 ];
    $info_of{"hmac-sha224"} = [ "SHA-224", 64 ];
    $info_of{"hmac-sha256"} = [ "SHA-256", 64 ];
    $info_of{"hmac-sha384"} = [ "SHA-384", 128 ];
    $info_of{"hmac-sha512"} = [ "SHA-512", 128 ];
    \%info_of;
};
## Select TSIG algorithm $algo for the record $tsig.
##
## On success installs the signing closure as $tsig->{"sign_func"}, records
## the name in $tsig->{"algorithm"} and returns $tsig.  $algo must match a
## key of $rr_tsig_algo_info exactly (the lookup is case-sensitive); for an
## unknown name undef is returned and $tsig is left untouched.  A CODE value
## in the table is installed as is; an ARRAY value is turned into an HMAC
## signer via new_sign_hmac () with a fresh Digest object built on every
## call.  Digest->new () is expected to raise an error when the named hash
## is not available in this perl, so an unsupported algorithm fails here
## rather than at signing time.
sub rr_tsig_algo {
    my ($tsig, $algo) = @_;
    my $entry = $rr_tsig_algo_info->{$algo};
    ## .
    return undef unless (defined ($entry));
    my $sign_func;
    if (ref ($entry) eq "CODE") {
        $sign_func = $entry;
    } else {
        my ($digest_name, $block_size) = @$entry;
        $sign_func = new_sign_hmac (Digest->new ($digest_name), $block_size);
    }
    $tsig->{"sign_func"} = $sign_func;
    $tsig->{"algorithm"} = $algo;
    ## .
    return $tsig;
}
# my $tsig
# = Net::DNS::TSIG->new (...)
# or die ();
# rr_tsig_algo ($tsig, "hmac-sha512")
# or die ();