static inline isc_result_t
totext_keydata(ARGS_TOTEXT) {
isc_region_t sr;
char buf[sizeof("64000")];
unsigned int flags;
unsigned char algorithm;
unsigned long refresh, add, remove;
char algbuf[DNS_NAME_FORMATSIZE];
const char *keyinfo;
REQUIRE(rdata->type == 65533);
if ((tctx->flags & DNS_STYLEFLAG_KEYDATA) == 0 || rdata->length < 16)
return (unknown_totext(rdata, tctx, target));
dns_rdata_toregion(rdata, &sr);
/* refresh timer */
refresh = uint32_fromregion(&sr);
isc_region_consume(&sr, 4);
RETERR(dns_time32_totext(refresh, target));
RETERR(str_totext(" ", target));
/* add hold-down */
add = uint32_fromregion(&sr);
isc_region_consume(&sr, 4);
RETERR(dns_time32_totext(add, target));
RETERR(str_totext(" ", target));
/* remove hold-down */
remove = uint32_fromregion(&sr);
isc_region_consume(&sr, 4);
RETERR(dns_time32_totext(remove, target));
RETERR(str_totext(" ", target));
/* flags */
flags = uint16_fromregion(&sr);
isc_region_consume(&sr, 2);
sprintf(buf, "%u", flags);
RETERR(str_totext(buf, target));
RETERR(str_totext(" ", target));
if ((flags & DNS_KEYFLAG_KSK) != 0) {
if (flags & DNS_KEYFLAG_REVOKE)
keyinfo = "revoked KSK";
else
keyinfo = "KSK";
} else
keyinfo = "ZSK";
/* protocol */
sprintf(buf, "%u", sr.base[0]);
isc_region_consume(&sr, 1);
RETERR(str_totext(buf, target));
RETERR(str_totext(" ", target));
/* algorithm */
algorithm = sr.base[0];
sprintf(buf, "%u", algorithm);
isc_region_consume(&sr, 1);
RETERR(str_totext(buf, target));
/* No Key? */
if ((flags & 0xc000) == 0xc000)
return (ISC_R_SUCCESS);
/* key */
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" (", target));
RETERR(str_totext(tctx->linebreak, target));
if (tctx->width == 0) /* No splitting */
RETERR(isc_base64_totext(&sr, 60, "", target));
else
RETERR(isc_base64_totext(&sr, tctx->width - 2,
tctx->linebreak, target));
if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
RETERR(str_totext(tctx->linebreak, target));
else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" ", target));
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(")", target));
if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
isc_region_t tmpr;
char rbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
char abuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
char dbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
isc_time_t t;
RETERR(str_totext(" ; ", target));
RETERR(str_totext(keyinfo, target));
dns_secalg_format((dns_secalg_t) algorithm, algbuf,
sizeof(algbuf));
RETERR(str_totext("; alg = ", target));
RETERR(str_totext(algbuf, target));
RETERR(str_totext("; key id = ", target));
dns_rdata_toregion(rdata, &tmpr);
/* Skip over refresh, addhd, and removehd */
isc_region_consume(&tmpr, 12);
sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
RETERR(str_totext(buf, target));
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
isc_stdtime_t now;
isc_stdtime_get(&now);
RETERR(str_totext(tctx->linebreak, target));
RETERR(str_totext("; next refresh: ", target));
isc_time_set(&t, refresh, 0);
isc_time_formathttptimestamp(&t, rbuf, sizeof(rbuf));
RETERR(str_totext(rbuf, target));
if (add == 0) {
RETERR(str_totext(tctx->linebreak, target));
RETERR(str_totext("; no trust", target));
} else {
RETERR(str_totext(tctx->linebreak, target));
if (add < now) {
RETERR(str_totext("; trusted since: ",
target));
} else {
RETERR(str_totext("; trust pending: ",
target));
}
isc_time_set(&t, add, 0);
isc_time_formathttptimestamp(&t, abuf,
sizeof(abuf));
RETERR(str_totext(abuf, target));
}
if (remove != 0) {
RETERR(str_totext(tctx->linebreak, target));
RETERR(str_totext("; removal pending: ",
target));
isc_time_set(&t, remove, 0);
isc_time_formathttptimestamp(&t, dbuf,
sizeof(dbuf));
RETERR(str_totext(dbuf, target));
}
}
}
return (ISC_R_SUCCESS);
}
/* loads a CSV file from disk */
csv_file *csv_load(const char *filename, int *err, int *line)
{
csv_file *csv;
char *buffer, *p;
int r = 0, c = 0;
if(err) *err = ER_OK;
if(line) *line = 1;
if(!filename)
RETERR(ER_INV_PARAM);
csv = csv_create(0,0);
if(!csv)
RETERR(ER_MEM_FAIL);
/* My approach is to read the entire file into memory and then
* parse it from there.
* I Acknowledge that this is not the most efficient way of doing it,
* but it does simplify the parsing somewhat.
*/
buffer = my_readfile(filename);
if(!buffer)
ERREND(ER_IOR_FAIL);
for(p = buffer; *p;)
{
if(strchr(" \t",p[0]))
{
/* This is to prevent space between the start of a field
and a " from confusing the parser */
char *q;
for(q = p + 1; strchr(" \t",q[0]); q++);
if(q[0] == '\"')
p = q;
}
if(!strncmp(p,"\r\n", 2))
{
/* official line endings */
r++;
c = 0;
p+=2;
if(line) (*line)++;
}
else if(strchr("\r\n",p[0]))
{
/* alternative line endings */
r++;
c = 0;
p++;
if(line) (*line)++;
}
else if(*p == ',')
{
/* A new or empty field */
c++;
p++;
}
else if(*p == '\"')
{
/* A quoted field */
char *q = p, *s, *t;
do {
q++;
if(*q == '\0')
ERREND(ER_EXPECTED_EOS);
else if(q[0] == '\"' && q[1] == '\"')
q+=2;
} while(*q != '\"');
s = malloc(q - p);
if(!s)
ERREND(ER_MEM_FAIL);
t = s;
p++;
while(p < q)
{
if(*p == '\"' && *(p+1) == '\"')
{
*(t++) = *(p++);
p++;
}
else
*(t++) = *(p++);
}
*t = '\0';
/* Skip any whitespace after the closing quote */
for(p++; p[0] && !strchr(",\r\n",p[0]);p++)
if(!strchr(" \t",p[0]))
ERREND(ER_BAD_QUOTEEND);
csv_set_int(csv, r, c, s);
}
else
{
/* A normal field */
char *q, *s, *t;
#if TRIM_SPACES
/* Trim leading whitespace */
while(p[0] && strchr(" \t",p[0])) p++;
#endif
for(q = p;q[0] && !strchr(",\r\n",q[0]); q++);
s = malloc(q - p + 1);
if(!s)
ERREND(ER_MEM_FAIL);
t = s;
while(p < q)
{
*(t++) = *(p++);
}
*t = '\0';
#if TRIM_SPACES
/* Trim trailing whitespace */
while(t > s && strchr(" \t",t[-1]))
*(--t) = '\0';
#endif
csv_set_int(csv, r, c, s);
}
}
free(buffer);
return csv;
error:
csv_free(csv);
return NULL;
}
static inline isc_result_t
fromtext_keydata(ARGS_FROMTEXT) {
isc_result_t result;
isc_token_t token;
dns_secalg_t alg;
dns_secproto_t proto;
dns_keyflags_t flags;
isc_uint32_t refresh, addhd, removehd;
REQUIRE(type == 65533);
UNUSED(type);
UNUSED(rdclass);
UNUSED(origin);
UNUSED(options);
UNUSED(callbacks);
/* refresh timer */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &refresh));
RETERR(uint32_tobuffer(refresh, target));
/* add hold-down */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &addhd));
RETERR(uint32_tobuffer(addhd, target));
/* remove hold-down */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &removehd));
RETERR(uint32_tobuffer(removehd, target));
/* flags */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
RETERR(uint16_tobuffer(flags, target));
/* protocol */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &proto, 1));
/* algorithm */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &alg, 1));
/* No Key? */
if ((flags & 0xc000) == 0xc000)
return (ISC_R_SUCCESS);
result = isc_base64_tobuffer(lexer, target, -1);
if (result != ISC_R_SUCCESS)
return (result);
/* Ensure there's at least enough data to compute a key ID for MD5 */
if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 19)
return (ISC_R_UNEXPECTEDEND);
return (ISC_R_SUCCESS);
}
isc_result_t
dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
dns_tsig_keyring_t *ring)
{
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_tkey_t tkeyin, tkeyout;
isc_boolean_t freetkeyin = ISC_FALSE;
dns_name_t *qname, *name, *keyname, *signer, tsigner;
dns_fixedname_t fkeyname;
dns_rdataset_t *tkeyset;
dns_rdata_t rdata;
dns_namelist_t namelist;
char tkeyoutdata[512];
isc_buffer_t tkeyoutbuf;
REQUIRE(msg != NULL);
REQUIRE(tctx != NULL);
REQUIRE(ring != NULL);
ISC_LIST_INIT(namelist);
/*
* Interpret the question section.
*/
result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
if (result != ISC_R_SUCCESS)
return (DNS_R_FORMERR);
qname = NULL;
dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
/*
* Look for a TKEY record that matches the question.
*/
tkeyset = NULL;
name = NULL;
result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
dns_rdatatype_tkey, 0, &name, &tkeyset);
if (result != ISC_R_SUCCESS) {
/*
* Try the answer section, since that's where Win2000
* puts it.
*/
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS) {
result = DNS_R_FORMERR;
tkey_log("dns_tkey_processquery: couldn't find a TKEY "
"matching the question");
goto failure;
}
}
result = dns_rdataset_first(tkeyset);
if (result != ISC_R_SUCCESS) {
result = DNS_R_FORMERR;
goto failure;
}
dns_rdata_init(&rdata);
dns_rdataset_current(tkeyset, &rdata);
RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
freetkeyin = ISC_TRUE;
if (tkeyin.error != dns_rcode_noerror) {
result = DNS_R_FORMERR;
goto failure;
}
/*
* Before we go any farther, verify that the message was signed.
* GSSAPI TKEY doesn't require a signature, the rest do.
*/
dns_name_init(&tsigner, NULL);
result = dns_message_signer(msg, &tsigner);
if (result != ISC_R_SUCCESS) {
if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
result == ISC_R_NOTFOUND)
signer = NULL;
else {
tkey_log("dns_tkey_processquery: query was not "
"properly signed - rejecting");
result = DNS_R_FORMERR;
goto failure;
}
} else
signer = &tsigner;
tkeyout.common.rdclass = tkeyin.common.rdclass;
tkeyout.common.rdtype = tkeyin.common.rdtype;
ISC_LINK_INIT(&tkeyout.common, link);
tkeyout.mctx = msg->mctx;
dns_name_init(&tkeyout.algorithm, NULL);
dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
tkeyout.inception = tkeyout.expire = 0;
tkeyout.mode = tkeyin.mode;
tkeyout.error = 0;
tkeyout.keylen = tkeyout.otherlen = 0;
tkeyout.key = tkeyout.other = NULL;
/*
* A delete operation must have a fully specified key name. If this
* is not a delete, we do the following:
* if (qname != ".")
* keyname = qname + defaultdomain
* else
* keyname = <random hex> + defaultdomain
*/
if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
dns_tsigkey_t *tsigkey = NULL;
if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
tkey_log("dns_tkey_processquery: tkey-domain not set");
result = DNS_R_REFUSED;
goto failure;
}
dns_fixedname_init(&fkeyname);
keyname = dns_fixedname_name(&fkeyname);
if (!dns_name_equal(qname, dns_rootname)) {
unsigned int n = dns_name_countlabels(qname);
RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
== ISC_R_SUCCESS);
dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
} else {
static char hexdigits[16] = {
'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
unsigned char randomdata[16];
char randomtext[32];
isc_buffer_t b;
unsigned int i, j;
result = isc_entropy_getdata(tctx->ectx,
randomdata,
sizeof(randomdata),
NULL, 0);
if (result != ISC_R_SUCCESS)
goto failure;
for (i = 0, j = 0; i < sizeof(randomdata); i++) {
unsigned char val = randomdata[i];
randomtext[j++] = hexdigits[val >> 4];
randomtext[j++] = hexdigits[val & 0xF];
}
isc_buffer_init(&b, randomtext, sizeof(randomtext));
isc_buffer_add(&b, sizeof(randomtext));
result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
}
if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
/* Yup. This is a hack */
result = dns_name_concatenate(keyname, dns_rootname,
keyname, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
} else {
result = dns_name_concatenate(keyname, tctx->domain,
keyname, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
}
result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
if (result == ISC_R_SUCCESS) {
tkeyout.error = dns_tsigerror_badname;
dns_tsigkey_detach(&tsigkey);
goto failure_with_tkey;
} else if (result != ISC_R_NOTFOUND)
goto failure;
} else
static inline isc_result_t
generic_totext_key(ARGS_TOTEXT) {
isc_region_t sr;
char buf[sizeof("[key id = 64000]")];
unsigned int flags;
unsigned char algorithm;
char algbuf[DNS_NAME_FORMATSIZE];
const char *keyinfo;
isc_region_t tmpr;
REQUIRE(rdata->length != 0);
dns_rdata_toregion(rdata, &sr);
/* flags */
flags = uint16_fromregion(&sr);
isc_region_consume(&sr, 2);
sprintf(buf, "%u", flags);
RETERR(str_totext(buf, target));
RETERR(str_totext(" ", target));
if ((flags & DNS_KEYFLAG_KSK) != 0) {
if (flags & DNS_KEYFLAG_REVOKE)
keyinfo = "revoked KSK";
else
keyinfo = "KSK";
} else
keyinfo = "ZSK";
/* protocol */
sprintf(buf, "%u", sr.base[0]);
isc_region_consume(&sr, 1);
RETERR(str_totext(buf, target));
RETERR(str_totext(" ", target));
/* algorithm */
algorithm = sr.base[0];
sprintf(buf, "%u", algorithm);
isc_region_consume(&sr, 1);
RETERR(str_totext(buf, target));
/* No Key? */
if ((flags & 0xc000) == 0xc000)
return (ISC_R_SUCCESS);
if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0 &&
algorithm == DNS_KEYALG_PRIVATEDNS) {
dns_name_t name;
dns_name_init(&name, NULL);
dns_name_fromregion(&name, &sr);
dns_name_format(&name, algbuf, sizeof(algbuf));
} else {
dns_secalg_format((dns_secalg_t) algorithm, algbuf,
sizeof(algbuf));
}
/* key */
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" (", target));
RETERR(str_totext(tctx->linebreak, target));
if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
if (tctx->width == 0) /* No splitting */
RETERR(isc_base64_totext(&sr, 60, "", target));
else
RETERR(isc_base64_totext(&sr, tctx->width - 2,
tctx->linebreak, target));
} else {
dns_rdata_toregion(rdata, &tmpr);
snprintf(buf, sizeof(buf), "[key id = %u]",
dst_region_computeid(&tmpr, algorithm));
RETERR(str_totext(buf, target));
}
if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
RETERR(str_totext(tctx->linebreak, target));
else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(" ", target));
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
RETERR(str_totext(")", target));
if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
if (rdata->type == dns_rdatatype_dnskey ||
rdata->type == dns_rdatatype_cdnskey) {
RETERR(str_totext(" ; ", target));
RETERR(str_totext(keyinfo, target));
}
RETERR(str_totext("; alg = ", target));
RETERR(str_totext(algbuf, target));
RETERR(str_totext(" ; key id = ", target));
dns_rdata_toregion(rdata, &tmpr);
sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
RETERR(str_totext(buf, target));
}
return (ISC_R_SUCCESS);
}
static isc_result_t
process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
dns_rdata_tkey_t *tkeyout,
dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
{
isc_result_t result = ISC_R_SUCCESS;
dns_name_t *keyname, ourname;
dns_rdataset_t *keyset = NULL;
dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
dst_key_t *pubkey = NULL;
isc_buffer_t ourkeybuf, *shared = NULL;
isc_region_t r, r2, ourkeyr;
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
isc_buffer_t secret;
unsigned char *randomdata = NULL, secretdata[256];
dns_ttl_t ttl = 0;
if (tctx->dhkey == NULL) {
tkey_log("process_dhtkey: tkey-dhkey not defined");
tkeyout->error = dns_tsigerror_badalg;
return (DNS_R_REFUSED);
}
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
/*
* Look for a DH KEY record that will work with ours.
*/
for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
result == ISC_R_SUCCESS && !found_key;
result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
keyset = NULL;
result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
&keyset);
if (result != ISC_R_SUCCESS)
continue;
for (result = dns_rdataset_first(keyset);
result == ISC_R_SUCCESS && !found_key;
result = dns_rdataset_next(keyset)) {
dns_rdataset_current(keyset, &keyrdata);
pubkey = NULL;
result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
msg->mctx, &pubkey);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
continue;
}
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
found_key = ISC_TRUE;
ttl = keyset->ttl;
break;
} else
found_incompatible = ISC_TRUE;
}
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
tkeyout->error = dns_tsigerror_badkey;
return (ISC_R_SUCCESS);
} else {
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
}
RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
dns_rdatatype_key, &ourkeyr);
dns_name_init(&ourname, NULL);
dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
/*
* XXXBEW The TTL should be obtained from the database, if it exists.
*/
RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
isc_result_totext(result));
goto failure;
}
dst_key_free(&pubkey);
isc_buffer_init(&secret, secretdata, sizeof(secretdata));
randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
if (randomdata == NULL)
goto failure;
result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
ISC_FALSE);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
isc_result_totext(result));
goto failure;
}
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
r2.base = tkeyin->key;
r2.length = tkeyin->keylen;
RETERR(compute_secret(shared, &r2, &r, &secret));
isc_buffer_free(&shared);
RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
isc_buffer_base(&secret),
isc_buffer_usedlength(&secret),
ISC_TRUE, signer, tkeyin->inception,
tkeyin->expire, ring->mctx, ring, NULL));
/* This key is good for a long time */
tkeyout->inception = tkeyin->inception;
tkeyout->expire = tkeyin->expire;
tkeyout->key = randomdata;
tkeyout->keylen = TKEY_RANDOM_AMOUNT;
return (ISC_R_SUCCESS);
failure:
if (!ISC_LIST_EMPTY(*namelist))
free_namelist(msg, namelist);
if (shared != NULL)
isc_buffer_free(&shared);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (randomdata != NULL)
isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
return (result);
}
static isc_result_t
process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
dns_tsig_keyring_t *ring)
{
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *dstkey = NULL;
dns_tsigkey_t *tsigkey = NULL;
dns_fixedname_t principal;
isc_stdtime_t now;
isc_region_t intoken;
isc_buffer_t *outtoken = NULL;
gss_ctx_id_t gss_ctx = NULL;
/*
* You have to define either a gss credential (principal) to
* accept with tkey-gssapi-credential, or you have to
* configure a specific keytab (with tkey-gssapi-keytab) in
* order to use gsstkey
*/
if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
tkey_log("process_gsstkey(): no tkey-gssapi-credential "
"or tkey-gssapi-keytab configured");
return (ISC_R_NOPERM);
}
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
tkeyout->error = dns_tsigerror_badalg;
tkey_log("process_gsstkey(): dns_tsigerror_badalg"); /* XXXSRA */
return (ISC_R_SUCCESS);
}
/*
* XXXDCL need to check for key expiry per 4.1.1
* XXXDCL need a way to check fully established, perhaps w/key_flags
*/
intoken.base = tkeyin->key;
intoken.length = tkeyin->keylen;
result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
if (result == ISC_R_SUCCESS)
gss_ctx = dst_key_getgssctx(tsigkey->key);
dns_fixedname_init(&principal);
/*
* Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
*/
result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
&intoken,
&outtoken, &gss_ctx,
dns_fixedname_name(&principal),
tctx->mctx);
if (result == DNS_R_INVALIDTKEY) {
if (tsigkey != NULL)
dns_tsigkey_detach(&tsigkey);
tkeyout->error = dns_tsigerror_badkey;
tkey_log("process_gsstkey(): dns_tsigerror_badkey"); /* XXXSRA */
return (ISC_R_SUCCESS);
}
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
goto failure;
/*
* XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
*/
isc_stdtime_get(&now);
if (tsigkey == NULL) {
#ifdef GSSAPI
OM_uint32 gret, minor, lifetime;
#endif
isc_uint32_t expire;
RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx,
&dstkey, &intoken));
/*
* Limit keys to 1 hour or the context's lifetime whichever
* is smaller.
*/
expire = now + 3600;
#ifdef GSSAPI
gret = gss_context_time(&minor, gss_ctx, &lifetime);
if (gret == GSS_S_COMPLETE && now + lifetime < expire)
expire = now + lifetime;
#endif
RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
dstkey, ISC_TRUE,
dns_fixedname_name(&principal),
now, expire, ring->mctx, ring,
NULL));
dst_key_free(&dstkey);
tkeyout->inception = now;
tkeyout->expire = expire;
} else {
tkeyout->inception = tsigkey->inception;
tkeyout->expire = tsigkey->expire;
dns_tsigkey_detach(&tsigkey);
}
if (outtoken) {
tkeyout->key = isc_mem_get(tkeyout->mctx,
isc_buffer_usedlength(outtoken));
if (tkeyout->key == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
tkeyout->keylen = isc_buffer_usedlength(outtoken);
memmove(tkeyout->key, isc_buffer_base(outtoken),
isc_buffer_usedlength(outtoken));
isc_buffer_free(&outtoken);
} else {
tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
if (tkeyout->key == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
tkeyout->keylen = tkeyin->keylen;
memmove(tkeyout->key, tkeyin->key, tkeyin->keylen);
}
tkeyout->error = dns_rcode_noerror;
tkey_log("process_gsstkey(): dns_tsigerror_noerror"); /* XXXSRA */
return (ISC_R_SUCCESS);
failure:
if (tsigkey != NULL)
dns_tsigkey_detach(&tsigkey);
if (dstkey != NULL)
dst_key_free(&dstkey);
if (outtoken != NULL)
isc_buffer_free(&outtoken);
tkey_log("process_gsstkey(): %s",
isc_result_totext(result)); /* XXXSRA */
return (result);
}
static isc_result_t
add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
isc_uint32_t ttl, dns_namelist_t *namelist)
{
isc_result_t result;
isc_region_t r, newr;
dns_rdata_t *newrdata = NULL;
dns_name_t *newname = NULL;
dns_rdatalist_t *newlist = NULL;
dns_rdataset_t *newset = NULL;
isc_buffer_t *tmprdatabuf = NULL;
RETERR(dns_message_gettemprdata(msg, &newrdata));
dns_rdata_toregion(rdata, &r);
RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
isc_buffer_availableregion(tmprdatabuf, &newr);
memmove(newr.base, r.base, r.length);
dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
dns_message_takebuffer(msg, &tmprdatabuf);
RETERR(dns_message_gettempname(msg, &newname));
dns_name_init(newname, NULL);
RETERR(dns_name_dup(name, msg->mctx, newname));
RETERR(dns_message_gettemprdatalist(msg, &newlist));
newlist->rdclass = newrdata->rdclass;
newlist->type = newrdata->type;
newlist->covers = 0;
newlist->ttl = ttl;
ISC_LIST_INIT(newlist->rdata);
ISC_LIST_APPEND(newlist->rdata, newrdata, link);
RETERR(dns_message_gettemprdataset(msg, &newset));
dns_rdataset_init(newset);
RETERR(dns_rdatalist_tordataset(newlist, newset));
ISC_LIST_INIT(newname->list);
ISC_LIST_APPEND(newname->list, newset, link);
ISC_LIST_APPEND(*namelist, newname, link);
return (ISC_R_SUCCESS);
failure:
if (newrdata != NULL) {
if (ISC_LINK_LINKED(newrdata, link)) {
INSIST(newlist != NULL);
ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
}
dns_message_puttemprdata(msg, &newrdata);
}
if (newname != NULL)
dns_message_puttempname(msg, &newname);
if (newset != NULL) {
dns_rdataset_disassociate(newset);
dns_message_puttemprdataset(msg, &newset);
}
if (newlist != NULL)
dns_message_puttemprdatalist(msg, &newlist);
return (result);
}
static inline isc_result_t
fromtext_naptr(ARGS_FROMTEXT) {
isc_token_t token;
dns_name_t name;
isc_buffer_t buffer;
unsigned char *regex;
REQUIRE(type == 35);
UNUSED(type);
UNUSED(rdclass);
UNUSED(callbacks);
/*
* Order.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
ISC_FALSE));
if (token.value.as_ulong > 0xffffU)
RETTOK(ISC_R_RANGE);
RETERR(uint16_tobuffer(token.value.as_ulong, target));
/*
* Preference.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
ISC_FALSE));
if (token.value.as_ulong > 0xffffU)
RETTOK(ISC_R_RANGE);
RETERR(uint16_tobuffer(token.value.as_ulong, target));
/*
* Flags.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
ISC_FALSE));
RETTOK(txt_fromtext(&token.value.as_textregion, target));
/*
* Service.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
ISC_FALSE));
RETTOK(txt_fromtext(&token.value.as_textregion, target));
/*
* Regexp.
*/
regex = isc_buffer_used(target);
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
ISC_FALSE));
RETTOK(txt_fromtext(&token.value.as_textregion, target));
RETTOK(txt_valid_regex(regex));
/*
* Replacement.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
dns_name_init(&name, NULL);
buffer_fromregion(&buffer, &token.value.as_region);
origin = (origin != NULL) ? origin : dns_rootname;
RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
return (ISC_R_SUCCESS);
}
int
ns_parserr(ns_msg *handle, ns_sect section, int rrnum, ns_rr *rr)
{
int b;
int tmp;
/* Make section right. */
tmp = section;
if (tmp < 0 || section >= ns_s_max) {
RETERR(ENODEV);
}
if (section != handle->_sect) {
setsection(handle, section);
}
/* Make rrnum right. */
if (rrnum == -1) {
rrnum = handle->_rrnum;
}
if (rrnum < 0 || rrnum >= handle->_counts[(int) section]) {
RETERR(ENODEV);
}
if (rrnum < handle->_rrnum) {
setsection(handle, section);
}
if (rrnum > handle->_rrnum) {
b = ns_skiprr(handle->_msg_ptr, handle->_eom, section,
rrnum - handle->_rrnum);
if (b < 0) {
return (-1);
}
handle->_msg_ptr += b;
handle->_rrnum = rrnum;
}
/* Do the parse. */
b = dn_expand(handle->_msg, handle->_eom,
handle->_msg_ptr, rr->name, NS_MAXDNAME);
if (b < 0) {
return (-1);
}
handle->_msg_ptr += b;
if (handle->_msg_ptr + NS_INT16SZ + NS_INT16SZ > handle->_eom) {
RETERR(EMSGSIZE);
}
NS_GET16(rr->type, handle->_msg_ptr);
NS_GET16(rr->rr_class, handle->_msg_ptr);
if (section == ns_s_qd) {
rr->ttl = 0;
rr->rdlength = 0;
rr->rdata = NULL;
} else {
if (handle->_msg_ptr + NS_INT32SZ + NS_INT16SZ > handle->_eom) {
RETERR(EMSGSIZE);
}
NS_GET32(rr->ttl, handle->_msg_ptr);
NS_GET16(rr->rdlength, handle->_msg_ptr);
if (handle->_msg_ptr + rr->rdlength > handle->_eom) {
RETERR(EMSGSIZE);
}
rr->rdata = handle->_msg_ptr;
handle->_msg_ptr += rr->rdlength;
}
if (++handle->_rrnum > handle->_counts[(int) section]) {
setsection(handle, (ns_sect) ((int) section + 1));
}
/* All done. */
return (0);
}
isc_result_t
dst_gssapi_acceptctx(gss_cred_id_t cred,
isc_region_t *intoken, isc_buffer_t **outtoken,
gss_ctx_id_t *ctxout, dns_name_t *principal,
isc_mem_t *mctx)
{
#ifdef GSSAPI
isc_region_t r;
isc_buffer_t namebuf;
gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
gouttoken = GSS_C_EMPTY_BUFFER;
OM_uint32 gret, minor;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_name_t gname = NULL;
isc_result_t result;
char buf[1024];
REQUIRE(outtoken != NULL && *outtoken == NULL);
log_cred(cred);
REGION_TO_GBUFFER(*intoken, gintoken);
if (*ctxout == NULL)
context = GSS_C_NO_CONTEXT;
else
context = *ctxout;
gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
GSS_C_NO_CHANNEL_BINDINGS, &gname,
NULL, &gouttoken, NULL, NULL, NULL);
result = ISC_R_FAILURE;
switch (gret) {
case GSS_S_COMPLETE:
result = ISC_R_SUCCESS;
break;
case GSS_S_CONTINUE_NEEDED:
result = DNS_R_CONTINUE;
break;
case GSS_S_DEFECTIVE_TOKEN:
case GSS_S_DEFECTIVE_CREDENTIAL:
case GSS_S_BAD_SIG:
case GSS_S_DUPLICATE_TOKEN:
case GSS_S_OLD_TOKEN:
case GSS_S_NO_CRED:
case GSS_S_CREDENTIALS_EXPIRED:
case GSS_S_BAD_BINDINGS:
case GSS_S_NO_CONTEXT:
case GSS_S_BAD_MECH:
case GSS_S_FAILURE:
result = DNS_R_INVALIDTKEY;
/* fall through */
default:
gss_log(3, "failed gss_accept_sec_context: %s",
gss_error_tostring(gret, minor, buf, sizeof(buf)));
return (result);
}
if (gouttoken.length > 0) {
RETERR(isc_buffer_allocate(mctx, outtoken, gouttoken.length));
GBUFFER_TO_REGION(gouttoken, r);
RETERR(isc_buffer_copyregion(*outtoken, &r));
(void)gss_release_buffer(&minor, &gouttoken);
}
if (gret == GSS_S_COMPLETE) {
gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed gss_display_name: %s",
gss_error_tostring(gret, minor,
buf, sizeof(buf)));
RETERR(ISC_R_FAILURE);
}
/*
* Compensate for a bug in Solaris8's implementation
* of gss_display_name(). Should be harmless in any
* case, since principal names really should not
* contain null characters.
*/
if (gnamebuf.length > 0 &&
((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
gnamebuf.length--;
gss_log(3, "gss-api source name (accept) is %.*s",
(int)gnamebuf.length, (char *)gnamebuf.value);
GBUFFER_TO_REGION(gnamebuf, r);
isc_buffer_init(&namebuf, r.base, r.length);
isc_buffer_add(&namebuf, r.length);
RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
0, NULL));
if (gnamebuf.length != 0) {
gret = gss_release_buffer(&minor, &gnamebuf);
if (gret != GSS_S_COMPLETE)
gss_log(3, "failed gss_release_buffer: %s",
gss_error_tostring(gret, minor, buf,
sizeof(buf)));
}
}
*ctxout = context;
out:
if (gname != NULL) {
gret = gss_release_name(&minor, &gname);
if (gret != GSS_S_COMPLETE)
gss_log(3, "failed gss_release_name: %s",
gss_error_tostring(gret, minor, buf,
sizeof(buf)));
}
return (result);
#else
UNUSED(cred);
UNUSED(intoken);
UNUSED(outtoken);
UNUSED(ctxout);
UNUSED(principal);
UNUSED(mctx);
return (ISC_R_NOTIMPLEMENTED);
#endif
}
isc_result_t
dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
isc_buffer_t *outtoken, gss_ctx_id_t *gssctx)
{
#ifdef GSSAPI
isc_region_t r;
isc_buffer_t namebuf;
gss_name_t gname;
OM_uint32 gret, minor, ret_flags, flags;
gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER;
isc_result_t result;
gss_buffer_desc gnamebuf;
unsigned char array[DNS_NAME_MAXTEXT + 1];
char buf[1024];
/* Client must pass us a valid gss_ctx_id_t here */
REQUIRE(gssctx != NULL);
isc_buffer_init(&namebuf, array, sizeof(array));
name_to_gbuffer(name, &namebuf, &gnamebuf);
/* Get the name as a GSS name */
gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
if (gret != GSS_S_COMPLETE) {
result = ISC_R_FAILURE;
goto out;
}
if (intoken != NULL) {
/* Don't call gss_release_buffer for gintoken! */
REGION_TO_GBUFFER(*intoken, gintoken);
gintokenp = &gintoken;
} else {
gintokenp = NULL;
}
/*
* Note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
* servers don't like it.
*/
flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
GSS_C_INTEG_FLAG;
gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
gname, GSS_SPNEGO_MECHANISM, flags,
0, NULL, gintokenp,
NULL, &gouttoken, &ret_flags, NULL);
if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
gss_log(3, "Failure initiating security context");
gss_log(3, "%s", gss_error_tostring(gret, minor,
buf, sizeof(buf)));
result = ISC_R_FAILURE;
goto out;
}
/*
* XXXSRA Not handled yet: RFC 3645 3.1.1: check ret_flags
* MUTUAL and INTEG flags, fail if either not set.
*/
/*
* RFC 2744 states the a valid output token has a non-zero length.
*/
if (gouttoken.length != 0) {
GBUFFER_TO_REGION(gouttoken, r);
RETERR(isc_buffer_copyregion(outtoken, &r));
(void)gss_release_buffer(&minor, &gouttoken);
}
(void)gss_release_name(&minor, &gname);
if (gret == GSS_S_COMPLETE)
result = ISC_R_SUCCESS;
else
result = DNS_R_CONTINUE;
out:
return (result);
#else
UNUSED(name);
UNUSED(intoken);
UNUSED(outtoken);
UNUSED(gssctx);
return (ISC_R_NOTIMPLEMENTED);
#endif
}
