Esempio n. 1
0
static void parse_qname(const char *flag, uint8_t *qname) {
    char buffer[XT_DNS_MAXSIZE];
    char *fp;
    fp = buffer;
    while (*flag != '\0') {
        *fp++ = tolower(*flag++);
    }
    *fp = '\0';
    if (ns_name_pton(buffer, qname, XT_DNS_MAXSIZE)) {
        xtables_error(PARAMETER_PROBLEM, "Invalid qname %s '%s'", flag, qname);
    }
}
Esempio n. 2
0
int
ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
	 const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
	 time_t in_timesigned, u_char **dnptrs, u_char **lastdnptr)
{
	HEADER *hp = (HEADER *)msg;
	DST_KEY *key = (DST_KEY *)k;
	u_char *cp, *eob;
	u_char *lenp;
	u_char *alg;
	int n;
	time_t timesigned;
        u_char name[NS_MAXCDNAME];

	dst_init();
	if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
		return (-1);

	cp = msg + *msglen;
	eob = msg + msgsize;

	/* Name. */
	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
		n = ns_name_pton(key->dk_key_name, name, sizeof name);
		if (n != -1)
			n = ns_name_pack(name, cp, eob - cp,
					 (const u_char **)dnptrs,
					 (const u_char **)lastdnptr);

	} else {
		n = ns_name_pton("", name, sizeof name);
		if (n != -1)
			n = ns_name_pack(name, cp, eob - cp, NULL, NULL);
	}
	if (n < 0)
		return (NS_TSIG_ERROR_NO_SPACE);
	cp += n;

	/* Type, class, ttl, length (not filled in yet). */
	BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
	PUTSHORT(ns_t_tsig, cp);
	PUTSHORT(ns_c_any, cp);
	PUTLONG(0, cp);		/*%< TTL */
	lenp = cp;
	cp += 2;

	/* Alg. */
	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
		if (key->dk_alg != KEY_HMAC_MD5)
			return (-ns_r_badkey);
		n = dn_comp(NS_TSIG_ALG_HMAC_MD5, cp, eob - cp, NULL, NULL);
	}
	else
		n = dn_comp("", cp, eob - cp, NULL, NULL);
	if (n < 0)
		return (NS_TSIG_ERROR_NO_SPACE);
	alg = cp;
	cp += n;
	
	/* Time. */
	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
	PUTSHORT(0, cp);
	timesigned = time(NULL);
	if (error != ns_r_badtime)
		PUTLONG(timesigned, cp);
	else
		PUTLONG(in_timesigned, cp);
	PUTSHORT(NS_TSIG_FUDGE, cp);

	/* Compute the signature. */
	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
		void *ctx;
		u_char buf[NS_MAXCDNAME], *cp2;
		int n;

		dst_sign_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);

		/* Digest the query signature, if this is a response. */
		if (querysiglen > 0 && querysig != NULL) {
			u_int16_t len_n = htons(querysiglen);
			dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
				      (u_char *)&len_n, INT16SZ, NULL, 0);
			dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
				      querysig, querysiglen, NULL, 0);
		}

		/* Digest the message. */
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, msg, *msglen,
			      NULL, 0);

		/* Digest the key name. */
		n = ns_name_ntol(name, buf, sizeof(buf));
		INSIST(n > 0);
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);

		/* Digest the class and TTL. */
		cp2 = buf;
		PUTSHORT(ns_c_any, cp2);
		PUTLONG(0, cp2);
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
			      NULL, 0);

		/* Digest the algorithm. */
		n = ns_name_ntol(alg, buf, sizeof(buf));
		INSIST(n > 0);
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);

		/* Digest the time signed, fudge, error, and other data */
		cp2 = buf;
		PUTSHORT(0, cp2);	/*%< Top 16 bits of time */
		if (error != ns_r_badtime)
			PUTLONG(timesigned, cp2);
		else
			PUTLONG(in_timesigned, cp2);
		PUTSHORT(NS_TSIG_FUDGE, cp2);
		PUTSHORT(error, cp2);	/*%< Error */
		if (error != ns_r_badtime)
			PUTSHORT(0, cp2);	/*%< Other data length */
		else {
			PUTSHORT(INT16SZ+INT32SZ, cp2);	/*%< Other data length */
			PUTSHORT(0, cp2);	/*%< Top 16 bits of time */
			PUTLONG(timesigned, cp2);
		}
		dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
			      NULL, 0);

		n = dst_sign_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
				  sig, *siglen);
		if (n < 0)
			return (-ns_r_badkey);
		*siglen = n;
	} else
		*siglen = 0;

	/* Add the signature. */
	BOUNDS_CHECK(cp, INT16SZ + (*siglen));
	PUTSHORT(*siglen, cp);
	memcpy(cp, sig, *siglen);
	cp += (*siglen);

	/* The original message ID & error. */
	BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
	PUTSHORT(ntohs(hp->id), cp);	/*%< already in network order */
	PUTSHORT(error, cp);

	/* Other data. */
	BOUNDS_CHECK(cp, INT16SZ);
	if (error != ns_r_badtime)
		PUTSHORT(0, cp);	/*%< Other data length */
	else {
		PUTSHORT(INT16SZ+INT32SZ, cp);	/*%< Other data length */
		BOUNDS_CHECK(cp, INT32SZ+INT16SZ);
		PUTSHORT(0, cp);	/*%< Top 16 bits of time */
		PUTLONG(timesigned, cp);
	}

	/* Go back and fill in the length. */
	PUTSHORT(cp - lenp - INT16SZ, lenp);

	hp->arcount = htons(ntohs(hp->arcount) + 1);
	*msglen = (cp - msg);
	return (0);
}
Esempio n. 3
0
/*
 * Set the TSIG params for this name server
 * Format is:
 * name:alg:fudge:key
 */
int
res_set_ns_tsig(struct name_server *ns, char *tsigstr)
{
    struct ns_tsig *tsig = NULL;
    int rr_hlen, rr_rdatalen;

    char *name_s; 
    char *fudge_s;
    char *key_s;
    const char *alg_s; 
    int i;

    char *buf, *c, *n;
    if (ns == NULL || tsigstr == NULL)
        return SR_TS_CALL_ERROR;

    tsig = (struct ns_tsig *) MALLOC (sizeof(struct ns_tsig));
    if (tsig == NULL)
        return SR_TS_FAIL;

    buf = strdup(tsigstr);
    if (buf == NULL) {
        FREE(tsig);
        return SR_TS_FAIL;
    }
    c = buf;

    /* Parse the tsig string */
    name_s = c;
    if (!(n = strchr(c,':'))) {
        goto err;
    }
    *n = '\0';
    c = n+1;

    alg_s = c;
    if (!(n = strchr(c,':'))) {
        goto err;
    }
    *n = '\0';
    c = n+1;

    fudge_s = c;
    if (!(n = strchr(c,':'))) {
        goto err;
    }
    *n = '\0';
    c = n+1;
    key_s = c;

    for(i = 0; name_s[i]; i++){
        if (isupper(name_s[i]))
            name_s[i] = tolower(name_s[i]);
    }
    if (ns_name_pton(name_s, tsig->name_n, sizeof(tsig->name_n)) == -1) { 
        goto err;
    }

    /* check for alg sanity */
    if (!strcmp(alg_s, "")) {
        alg_s = TSIG_ALG_HMAC_MD5_STR;
        tsig->alg = TSIG_ALG_HMAC_MD5;
        tsig->mac_size = MD5_DIGEST_LENGTH;
    } else if (!strcmp(alg_s, TSIG_ALG_HMAC_MD5_STR)) {
        tsig->alg = TSIG_ALG_HMAC_MD5;
        tsig->mac_size = MD5_DIGEST_LENGTH;
    } else if (!strcmp(alg_s, TSIG_ALG_HMAC_SHA1_STR)) {
        tsig->alg = TSIG_ALG_HMAC_SHA1;
        tsig->mac_size = SHA_DIGEST_LENGTH;
    } else if (!strcmp(alg_s, TSIG_ALG_HMAC_SHA256_STR)) {
        tsig->alg = TSIG_ALG_HMAC_SHA256;
        tsig->mac_size = SHA256_DIGEST_LENGTH;
    } else {
        goto err;
    }
    for(i = 0; alg_s[i]; i++){
        if (isupper(alg_s[i]))
            name_s[i] = tolower(alg_s[i]);
    }
    if (ns_name_pton(alg_s, tsig->alg_n, sizeof(tsig->alg_n)) == -1) { 
        goto err;
    }
   
    /* check for fudge sanity */ 
    if (0 == (tsig->fudge = (u_int16_t)atoi(fudge_s))) {
       tsig->fudge = TSIG_FUDGE_DEFAULT; 
    }

    /* Decode the base64 key */
    tsig->key = (u_char *) MALLOC (strlen(key_s)+1);
    if (tsig->key == NULL) {
        goto err;
    }
    if ((tsig->keylen = decode_tsig_key(key_s, tsig->key, strlen(key_s))) <= 0) {
        FREE(tsig->key);
        goto err;
    }

    rr_hlen = wire_name_length(tsig->name_n) + /*Name*/
                     sizeof(u_int16_t) +  /*type*/
                     sizeof(u_int16_t) +  /*class*/
                     sizeof(u_int32_t);  /*ttl*/

    rr_rdatalen = wire_name_length(tsig->alg_n) + /*alg*/
                    sizeof(u_int32_t) + sizeof(u_int16_t) + /*time signed is u_int48_t*/
                    sizeof(u_int16_t) + /*fudge*/
                    sizeof(u_int16_t) + /*mac size*/
                    tsig->mac_size + /*mac*/
                    sizeof(u_int16_t) + /*original ID*/
                    sizeof(u_int16_t) + /*error*/
                    sizeof(u_int16_t) ; /*other len*/

    tsig->rdatalen = rr_rdatalen;
    tsig->buf_size = rr_hlen + sizeof(u_int16_t) + rr_rdatalen;

    ns->ns_tsig = tsig;
    ns->ns_security_options |= ZONE_USE_TSIG;

    free(buf);
    return SR_TS_OK;

err:
    free(buf);
    FREE(tsig);
    return SR_TS_FAIL;

}
Esempio n. 4
0
/* ns_verify
 *
 * Parameters:
 *\li	statp		res stuff
 *\li	msg		received message
 *\li	msglen		length of message
 *\li	key		tsig key used for verifying.
 *\li	querysig	(response), the signature in the query
 *\li	querysiglen	(response), the length of the signature in the query
 *\li	sig		(query), a buffer to hold the signature
 *\li	siglen		(query), input - length of signature buffer
 *				 output - length of signature
 *
 * Errors:
 *\li	- bad input (-1)
 *\li	- invalid dns message (NS_TSIG_ERROR_FORMERR)
 *\li	- TSIG is not present (NS_TSIG_ERROR_NO_TSIG)
 *\li	- key doesn't match (-ns_r_badkey)
 *\li	- TSIG verification fails with BADKEY (-ns_r_badkey)
 *\li	- TSIG verification fails with BADSIG (-ns_r_badsig)
 *\li	- TSIG verification fails with BADTIME (-ns_r_badtime)
 *\li	- TSIG verification succeeds, error set to BAKEY (ns_r_badkey)
 *\li	- TSIG verification succeeds, error set to BADSIG (ns_r_badsig)
 *\li	- TSIG verification succeeds, error set to BADTIME (ns_r_badtime)
 */
int
ns_verify(u_char *msg, int *msglen, void *k,
	  const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
	  time_t *timesigned, int nostrip)
{
	HEADER *hp = (HEADER *)msg;
	DST_KEY *key = (DST_KEY *)k;
	u_char *cp = msg, *eom;
	char name[MAXDNAME], alg[MAXDNAME];
	u_char *recstart, *rdatastart;
	u_char *sigstart, *otherstart;
	int n;
	int error;
	u_int16_t type, length;
	u_int16_t fudge, sigfieldlen, otherfieldlen;

	dst_init();
	if (msg == NULL || msglen == NULL || *msglen < 0)
		return (-1);

	eom = msg + *msglen;

	recstart = ns_find_tsig(msg, eom);
	if (recstart == NULL)
		return (NS_TSIG_ERROR_NO_TSIG);

	cp = recstart;

	/* Read the key name. */
	n = dn_expand(msg, eom, cp, name, MAXDNAME);
	if (n < 0)
		return (NS_TSIG_ERROR_FORMERR);
	cp += n;

	/* Read the type. */
	BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
	GETSHORT(type, cp);
	if (type != ns_t_tsig)
		return (NS_TSIG_ERROR_NO_TSIG);

	/* Skip the class and TTL, save the length. */
	cp += INT16SZ + INT32SZ;
	GETSHORT(length, cp);
	if (eom - cp != length)
		return (NS_TSIG_ERROR_FORMERR);

	/* Read the algorithm name. */
	rdatastart = cp;
	n = dn_expand(msg, eom, cp, alg, MAXDNAME);
	if (n < 0)
		return (NS_TSIG_ERROR_FORMERR);
	if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
		return (-ns_r_badkey);
	cp += n;

	/* Read the time signed and fudge. */
	BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
	cp += INT16SZ;
	GETLONG((*timesigned), cp);
	GETSHORT(fudge, cp);

	/* Read the signature. */
	BOUNDS_CHECK(cp, INT16SZ);
	GETSHORT(sigfieldlen, cp);
	BOUNDS_CHECK(cp, sigfieldlen);
	sigstart = cp;
	cp += sigfieldlen;

	/* Skip id and read error. */
	BOUNDS_CHECK(cp, 2*INT16SZ);
	cp += INT16SZ;
	GETSHORT(error, cp);

	/* Parse the other data. */
	BOUNDS_CHECK(cp, INT16SZ);
	GETSHORT(otherfieldlen, cp);
	BOUNDS_CHECK(cp, otherfieldlen);
	otherstart = cp;
	cp += otherfieldlen;

	if (cp != eom)
		return (NS_TSIG_ERROR_FORMERR);

	/* Verify that the key used is OK. */
	if (key != NULL) {
		if (key->dk_alg != KEY_HMAC_MD5)
			return (-ns_r_badkey);
		if (error != ns_r_badsig && error != ns_r_badkey) {
			if (ns_samename(key->dk_key_name, name) != 1)
				return (-ns_r_badkey);
		}
	}

	hp->arcount = htons(ntohs(hp->arcount) - 1);

	/*
	 * Do the verification.
	 */

	if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
		void *ctx;
		u_char buf[MAXDNAME];
		u_char buf2[MAXDNAME];

		/* Digest the query signature, if this is a response. */
		dst_verify_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
		if (querysiglen > 0 && querysig != NULL) {
			u_int16_t len_n = htons(querysiglen);
			dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
					(u_char *)&len_n, INT16SZ, NULL, 0);
			dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
					querysig, querysiglen, NULL, 0);
		}
		
 		/* Digest the message. */
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, msg, recstart - msg,
				NULL, 0);

		/* Digest the key name. */
		n = ns_name_pton(name, buf2, sizeof(buf2));
		if (n < 0)
			return (-1);
		n = ns_name_ntol(buf2, buf, sizeof(buf));
		if (n < 0)
			return (-1);
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);

		/* Digest the class and TTL. */
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
				recstart + dn_skipname(recstart, eom) + INT16SZ,
				INT16SZ + INT32SZ, NULL, 0);

		/* Digest the algorithm. */
		n = ns_name_pton(alg, buf2, sizeof(buf2));
		if (n < 0)
			return (-1);
		n = ns_name_ntol(buf2, buf, sizeof(buf));
		if (n < 0)
			return (-1);
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);

		/* Digest the time signed and fudge. */
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
				rdatastart + dn_skipname(rdatastart, eom),
				INT16SZ + INT32SZ + INT16SZ, NULL, 0);

		/* Digest the error and other data. */
		dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
				otherstart - INT16SZ - INT16SZ,
				otherfieldlen + INT16SZ + INT16SZ, NULL, 0);

		n = dst_verify_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
				    sigstart, sigfieldlen);

		if (n < 0)
			return (-ns_r_badsig);

		if (sig != NULL && siglen != NULL) {
			if (*siglen < sigfieldlen)
				return (NS_TSIG_ERROR_NO_SPACE);
			memcpy(sig, sigstart, sigfieldlen);
			*siglen = sigfieldlen;
		}
	} else {
		if (sigfieldlen > 0)
			return (NS_TSIG_ERROR_FORMERR);
		if (sig != NULL && siglen != NULL)
			*siglen = 0;
	}

	/* Reset the counter, since we still need to check for badtime. */
	hp->arcount = htons(ntohs(hp->arcount) + 1);

	/* Verify the time. */
	if (abs((*timesigned) - time(NULL)) > fudge)
		return (-ns_r_badtime);

	if (nostrip == 0) {
		*msglen = recstart - msg;
		hp->arcount = htons(ntohs(hp->arcount) - 1);
	}

	if (error != NOERROR)
		return (error);

	return (0);
}