static void parse_qname(const char *flag, uint8_t *qname) {
char buffer[XT_DNS_MAXSIZE];
char *fp;
fp = buffer;
while (*flag != '\0') {
*fp++ = tolower(*flag++);
}
*fp = '\0';
if (ns_name_pton(buffer, qname, XT_DNS_MAXSIZE)) {
xtables_error(PARAMETER_PROBLEM, "Invalid qname %s '%s'", flag, qname);
}
}
int
ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
time_t in_timesigned, u_char **dnptrs, u_char **lastdnptr)
{
HEADER *hp = (HEADER *)msg;
DST_KEY *key = (DST_KEY *)k;
u_char *cp, *eob;
u_char *lenp;
u_char *alg;
int n;
time_t timesigned;
u_char name[NS_MAXCDNAME];
dst_init();
if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
return (-1);
cp = msg + *msglen;
eob = msg + msgsize;
/* Name. */
if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
n = ns_name_pton(key->dk_key_name, name, sizeof name);
if (n != -1)
n = ns_name_pack(name, cp, eob - cp,
(const u_char **)dnptrs,
(const u_char **)lastdnptr);
} else {
n = ns_name_pton("", name, sizeof name);
if (n != -1)
n = ns_name_pack(name, cp, eob - cp, NULL, NULL);
}
if (n < 0)
return (NS_TSIG_ERROR_NO_SPACE);
cp += n;
/* Type, class, ttl, length (not filled in yet). */
BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
PUTSHORT(ns_t_tsig, cp);
PUTSHORT(ns_c_any, cp);
PUTLONG(0, cp); /*%< TTL */
lenp = cp;
cp += 2;
/* Alg. */
if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
if (key->dk_alg != KEY_HMAC_MD5)
return (-ns_r_badkey);
n = dn_comp(NS_TSIG_ALG_HMAC_MD5, cp, eob - cp, NULL, NULL);
}
else
n = dn_comp("", cp, eob - cp, NULL, NULL);
if (n < 0)
return (NS_TSIG_ERROR_NO_SPACE);
alg = cp;
cp += n;
/* Time. */
BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
PUTSHORT(0, cp);
timesigned = time(NULL);
if (error != ns_r_badtime)
PUTLONG(timesigned, cp);
else
PUTLONG(in_timesigned, cp);
PUTSHORT(NS_TSIG_FUDGE, cp);
/* Compute the signature. */
if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
void *ctx;
u_char buf[NS_MAXCDNAME], *cp2;
int n;
dst_sign_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
/* Digest the query signature, if this is a response. */
if (querysiglen > 0 && querysig != NULL) {
u_int16_t len_n = htons(querysiglen);
dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
(u_char *)&len_n, INT16SZ, NULL, 0);
dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
querysig, querysiglen, NULL, 0);
}
/* Digest the message. */
dst_sign_data(SIG_MODE_UPDATE, key, &ctx, msg, *msglen,
NULL, 0);
/* Digest the key name. */
n = ns_name_ntol(name, buf, sizeof(buf));
INSIST(n > 0);
dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
/* Digest the class and TTL. */
cp2 = buf;
PUTSHORT(ns_c_any, cp2);
PUTLONG(0, cp2);
dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
NULL, 0);
/* Digest the algorithm. */
n = ns_name_ntol(alg, buf, sizeof(buf));
INSIST(n > 0);
dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
/* Digest the time signed, fudge, error, and other data */
cp2 = buf;
PUTSHORT(0, cp2); /*%< Top 16 bits of time */
if (error != ns_r_badtime)
PUTLONG(timesigned, cp2);
else
PUTLONG(in_timesigned, cp2);
PUTSHORT(NS_TSIG_FUDGE, cp2);
PUTSHORT(error, cp2); /*%< Error */
if (error != ns_r_badtime)
PUTSHORT(0, cp2); /*%< Other data length */
else {
PUTSHORT(INT16SZ+INT32SZ, cp2); /*%< Other data length */
PUTSHORT(0, cp2); /*%< Top 16 bits of time */
PUTLONG(timesigned, cp2);
}
dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
NULL, 0);
n = dst_sign_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
sig, *siglen);
if (n < 0)
return (-ns_r_badkey);
*siglen = n;
} else
*siglen = 0;
/* Add the signature. */
BOUNDS_CHECK(cp, INT16SZ + (*siglen));
PUTSHORT(*siglen, cp);
memcpy(cp, sig, *siglen);
cp += (*siglen);
/* The original message ID & error. */
BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
PUTSHORT(ntohs(hp->id), cp); /*%< already in network order */
PUTSHORT(error, cp);
/* Other data. */
BOUNDS_CHECK(cp, INT16SZ);
if (error != ns_r_badtime)
PUTSHORT(0, cp); /*%< Other data length */
else {
PUTSHORT(INT16SZ+INT32SZ, cp); /*%< Other data length */
BOUNDS_CHECK(cp, INT32SZ+INT16SZ);
PUTSHORT(0, cp); /*%< Top 16 bits of time */
PUTLONG(timesigned, cp);
}
/* Go back and fill in the length. */
PUTSHORT(cp - lenp - INT16SZ, lenp);
hp->arcount = htons(ntohs(hp->arcount) + 1);
*msglen = (cp - msg);
return (0);
}
/*
* Set the TSIG params for this name server
* Format is:
* name:alg:fudge:key
*/
int
res_set_ns_tsig(struct name_server *ns, char *tsigstr)
{
struct ns_tsig *tsig = NULL;
int rr_hlen, rr_rdatalen;
char *name_s;
char *fudge_s;
char *key_s;
const char *alg_s;
int i;
char *buf, *c, *n;
if (ns == NULL || tsigstr == NULL)
return SR_TS_CALL_ERROR;
tsig = (struct ns_tsig *) MALLOC (sizeof(struct ns_tsig));
if (tsig == NULL)
return SR_TS_FAIL;
buf = strdup(tsigstr);
if (buf == NULL) {
FREE(tsig);
return SR_TS_FAIL;
}
c = buf;
/* Parse the tsig string */
name_s = c;
if (!(n = strchr(c,':'))) {
goto err;
}
*n = '\0';
c = n+1;
alg_s = c;
if (!(n = strchr(c,':'))) {
goto err;
}
*n = '\0';
c = n+1;
fudge_s = c;
if (!(n = strchr(c,':'))) {
goto err;
}
*n = '\0';
c = n+1;
key_s = c;
for(i = 0; name_s[i]; i++){
if (isupper(name_s[i]))
name_s[i] = tolower(name_s[i]);
}
if (ns_name_pton(name_s, tsig->name_n, sizeof(tsig->name_n)) == -1) {
goto err;
}
/* check for alg sanity */
if (!strcmp(alg_s, "")) {
alg_s = TSIG_ALG_HMAC_MD5_STR;
tsig->alg = TSIG_ALG_HMAC_MD5;
tsig->mac_size = MD5_DIGEST_LENGTH;
} else if (!strcmp(alg_s, TSIG_ALG_HMAC_MD5_STR)) {
tsig->alg = TSIG_ALG_HMAC_MD5;
tsig->mac_size = MD5_DIGEST_LENGTH;
} else if (!strcmp(alg_s, TSIG_ALG_HMAC_SHA1_STR)) {
tsig->alg = TSIG_ALG_HMAC_SHA1;
tsig->mac_size = SHA_DIGEST_LENGTH;
} else if (!strcmp(alg_s, TSIG_ALG_HMAC_SHA256_STR)) {
tsig->alg = TSIG_ALG_HMAC_SHA256;
tsig->mac_size = SHA256_DIGEST_LENGTH;
} else {
goto err;
}
for(i = 0; alg_s[i]; i++){
if (isupper(alg_s[i]))
name_s[i] = tolower(alg_s[i]);
}
if (ns_name_pton(alg_s, tsig->alg_n, sizeof(tsig->alg_n)) == -1) {
goto err;
}
/* check for fudge sanity */
if (0 == (tsig->fudge = (u_int16_t)atoi(fudge_s))) {
tsig->fudge = TSIG_FUDGE_DEFAULT;
}
/* Decode the base64 key */
tsig->key = (u_char *) MALLOC (strlen(key_s)+1);
if (tsig->key == NULL) {
goto err;
}
if ((tsig->keylen = decode_tsig_key(key_s, tsig->key, strlen(key_s))) <= 0) {
FREE(tsig->key);
goto err;
}
rr_hlen = wire_name_length(tsig->name_n) + /*Name*/
sizeof(u_int16_t) + /*type*/
sizeof(u_int16_t) + /*class*/
sizeof(u_int32_t); /*ttl*/
rr_rdatalen = wire_name_length(tsig->alg_n) + /*alg*/
sizeof(u_int32_t) + sizeof(u_int16_t) + /*time signed is u_int48_t*/
sizeof(u_int16_t) + /*fudge*/
sizeof(u_int16_t) + /*mac size*/
tsig->mac_size + /*mac*/
sizeof(u_int16_t) + /*original ID*/
sizeof(u_int16_t) + /*error*/
sizeof(u_int16_t) ; /*other len*/
tsig->rdatalen = rr_rdatalen;
tsig->buf_size = rr_hlen + sizeof(u_int16_t) + rr_rdatalen;
ns->ns_tsig = tsig;
ns->ns_security_options |= ZONE_USE_TSIG;
free(buf);
return SR_TS_OK;
err:
free(buf);
FREE(tsig);
return SR_TS_FAIL;
}
/* ns_verify
*
* Parameters:
*\li statp res stuff
*\li msg received message
*\li msglen length of message
*\li key tsig key used for verifying.
*\li querysig (response), the signature in the query
*\li querysiglen (response), the length of the signature in the query
*\li sig (query), a buffer to hold the signature
*\li siglen (query), input - length of signature buffer
* output - length of signature
*
* Errors:
*\li - bad input (-1)
*\li - invalid dns message (NS_TSIG_ERROR_FORMERR)
*\li - TSIG is not present (NS_TSIG_ERROR_NO_TSIG)
*\li - key doesn't match (-ns_r_badkey)
*\li - TSIG verification fails with BADKEY (-ns_r_badkey)
*\li - TSIG verification fails with BADSIG (-ns_r_badsig)
*\li - TSIG verification fails with BADTIME (-ns_r_badtime)
*\li - TSIG verification succeeds, error set to BAKEY (ns_r_badkey)
*\li - TSIG verification succeeds, error set to BADSIG (ns_r_badsig)
*\li - TSIG verification succeeds, error set to BADTIME (ns_r_badtime)
*/
int
ns_verify(u_char *msg, int *msglen, void *k,
const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
time_t *timesigned, int nostrip)
{
HEADER *hp = (HEADER *)msg;
DST_KEY *key = (DST_KEY *)k;
u_char *cp = msg, *eom;
char name[MAXDNAME], alg[MAXDNAME];
u_char *recstart, *rdatastart;
u_char *sigstart, *otherstart;
int n;
int error;
u_int16_t type, length;
u_int16_t fudge, sigfieldlen, otherfieldlen;
dst_init();
if (msg == NULL || msglen == NULL || *msglen < 0)
return (-1);
eom = msg + *msglen;
recstart = ns_find_tsig(msg, eom);
if (recstart == NULL)
return (NS_TSIG_ERROR_NO_TSIG);
cp = recstart;
/* Read the key name. */
n = dn_expand(msg, eom, cp, name, MAXDNAME);
if (n < 0)
return (NS_TSIG_ERROR_FORMERR);
cp += n;
/* Read the type. */
BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
GETSHORT(type, cp);
if (type != ns_t_tsig)
return (NS_TSIG_ERROR_NO_TSIG);
/* Skip the class and TTL, save the length. */
cp += INT16SZ + INT32SZ;
GETSHORT(length, cp);
if (eom - cp != length)
return (NS_TSIG_ERROR_FORMERR);
/* Read the algorithm name. */
rdatastart = cp;
n = dn_expand(msg, eom, cp, alg, MAXDNAME);
if (n < 0)
return (NS_TSIG_ERROR_FORMERR);
if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
return (-ns_r_badkey);
cp += n;
/* Read the time signed and fudge. */
BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
cp += INT16SZ;
GETLONG((*timesigned), cp);
GETSHORT(fudge, cp);
/* Read the signature. */
BOUNDS_CHECK(cp, INT16SZ);
GETSHORT(sigfieldlen, cp);
BOUNDS_CHECK(cp, sigfieldlen);
sigstart = cp;
cp += sigfieldlen;
/* Skip id and read error. */
BOUNDS_CHECK(cp, 2*INT16SZ);
cp += INT16SZ;
GETSHORT(error, cp);
/* Parse the other data. */
BOUNDS_CHECK(cp, INT16SZ);
GETSHORT(otherfieldlen, cp);
BOUNDS_CHECK(cp, otherfieldlen);
otherstart = cp;
cp += otherfieldlen;
if (cp != eom)
return (NS_TSIG_ERROR_FORMERR);
/* Verify that the key used is OK. */
if (key != NULL) {
if (key->dk_alg != KEY_HMAC_MD5)
return (-ns_r_badkey);
if (error != ns_r_badsig && error != ns_r_badkey) {
if (ns_samename(key->dk_key_name, name) != 1)
return (-ns_r_badkey);
}
}
hp->arcount = htons(ntohs(hp->arcount) - 1);
/*
* Do the verification.
*/
if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
void *ctx;
u_char buf[MAXDNAME];
u_char buf2[MAXDNAME];
/* Digest the query signature, if this is a response. */
dst_verify_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
if (querysiglen > 0 && querysig != NULL) {
u_int16_t len_n = htons(querysiglen);
dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
(u_char *)&len_n, INT16SZ, NULL, 0);
dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
querysig, querysiglen, NULL, 0);
}
/* Digest the message. */
dst_verify_data(SIG_MODE_UPDATE, key, &ctx, msg, recstart - msg,
NULL, 0);
/* Digest the key name. */
n = ns_name_pton(name, buf2, sizeof(buf2));
if (n < 0)
return (-1);
n = ns_name_ntol(buf2, buf, sizeof(buf));
if (n < 0)
return (-1);
dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
/* Digest the class and TTL. */
dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
recstart + dn_skipname(recstart, eom) + INT16SZ,
INT16SZ + INT32SZ, NULL, 0);
/* Digest the algorithm. */
n = ns_name_pton(alg, buf2, sizeof(buf2));
if (n < 0)
return (-1);
n = ns_name_ntol(buf2, buf, sizeof(buf));
if (n < 0)
return (-1);
dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
/* Digest the time signed and fudge. */
dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
rdatastart + dn_skipname(rdatastart, eom),
INT16SZ + INT32SZ + INT16SZ, NULL, 0);
/* Digest the error and other data. */
dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
otherstart - INT16SZ - INT16SZ,
otherfieldlen + INT16SZ + INT16SZ, NULL, 0);
n = dst_verify_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
sigstart, sigfieldlen);
if (n < 0)
return (-ns_r_badsig);
if (sig != NULL && siglen != NULL) {
if (*siglen < sigfieldlen)
return (NS_TSIG_ERROR_NO_SPACE);
memcpy(sig, sigstart, sigfieldlen);
*siglen = sigfieldlen;
}
} else {
if (sigfieldlen > 0)
return (NS_TSIG_ERROR_FORMERR);
if (sig != NULL && siglen != NULL)
*siglen = 0;
}
/* Reset the counter, since we still need to check for badtime. */
hp->arcount = htons(ntohs(hp->arcount) + 1);
/* Verify the time. */
if (abs((*timesigned) - time(NULL)) > fudge)
return (-ns_r_badtime);
if (nostrip == 0) {
*msglen = recstart - msg;
hp->arcount = htons(ntohs(hp->arcount) - 1);
}
if (error != NOERROR)
return (error);
return (0);
}