isc_result_t
dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
{
dns_rdata_any_tsig_t tsig, querytsig;
isc_region_t r, source_r, header_r, sig_r;
isc_buffer_t databuf;
unsigned char data[32];
dns_name_t *keyname;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_stdtime_t now;
isc_result_t ret;
dns_tsigkey_t *tsigkey;
dst_key_t *key = NULL;
unsigned char header[DNS_MESSAGE_HEADERLEN];
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_uint16_t addcount, id;
unsigned int siglen;
unsigned int alg;
isc_boolean_t response;
REQUIRE(source != NULL);
REQUIRE(DNS_MESSAGE_VALID(msg));
tsigkey = dns_message_gettsigkey(msg);
response = is_response(msg);
REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
msg->verify_attempted = 1;
if (msg->tcp_continuation) {
if (tsigkey == NULL || msg->querytsig == NULL)
return (DNS_R_UNEXPECTEDTSIG);
return (tsig_verify_tcp(source, msg));
}
/*
* There should be a TSIG record...
*/
if (msg->tsig == NULL)
return (DNS_R_EXPECTEDTSIG);
/*
* If this is a response and there's no key or query TSIG, there
* shouldn't be one on the response.
*/
if (response && (tsigkey == NULL || msg->querytsig == NULL))
return (DNS_R_UNEXPECTEDTSIG);
mctx = msg->mctx;
/*
* If we're here, we know the message is well formed and contains a
* TSIG record.
*/
keyname = msg->tsigname;
ret = dns_rdataset_first(msg->tsig);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(msg->tsig, &rdata);
ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdata_reset(&rdata);
if (response) {
ret = dns_rdataset_first(msg->querytsig);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(msg->querytsig, &rdata);
ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
}
#if defined(__clang__) && \
( __clang_major__ < 3 || \
(__clang_major__ == 3 && __clang_minor__ < 2) || \
(__clang_major__ == 4 && __clang_minor__ < 2))
/* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
else memset(&querytsig, 0, sizeof(querytsig));
#endif
/*
* Do the key name and algorithm match that of the query?
*/
if (response &&
(!dns_name_equal(keyname, &tsigkey->name) ||
!dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
msg->tsigstatus = dns_tsigerror_badkey;
tsig_log(msg->tsigkey, 2,
"key name and algorithm do not match");
return (DNS_R_TSIGVERIFYFAILURE);
}
/*
* Get the current time.
*/
isc_stdtime_get(&now);
/*
* Find dns_tsigkey_t based on keyname.
*/
if (tsigkey == NULL) {
ret = ISC_R_NOTFOUND;
if (ring1 != NULL)
ret = dns_tsigkey_find(&tsigkey, keyname,
&tsig.algorithm, ring1);
if (ret == ISC_R_NOTFOUND && ring2 != NULL)
ret = dns_tsigkey_find(&tsigkey, keyname,
&tsig.algorithm, ring2);
if (ret != ISC_R_SUCCESS) {
msg->tsigstatus = dns_tsigerror_badkey;
ret = dns_tsigkey_create(keyname, &tsig.algorithm,
NULL, 0, ISC_FALSE, NULL,
now, now,
mctx, NULL, &msg->tsigkey);
if (ret != ISC_R_SUCCESS)
return (ret);
tsig_log(msg->tsigkey, 2, "unknown key");
return (DNS_R_TSIGVERIFYFAILURE);
}
msg->tsigkey = tsigkey;
}
key = tsigkey->key;
/*
* Is the time ok?
*/
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature has expired");
return (DNS_R_CLOCKSKEW);
} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature is in the future");
return (DNS_R_CLOCKSKEW);
}
/*
* Check digest length.
*/
alg = dst_key_alg(key);
ret = dst_key_sigsize(key, &siglen);
if (ret != ISC_R_SUCCESS)
return (ret);
if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
isc_uint16_t digestbits = dst_key_getbits(key);
if (tsig.siglen > siglen) {
tsig_log(msg->tsigkey, 2, "signature length too big");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 &&
(tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
tsig_log(msg->tsigkey, 2,
"signature length below minimum");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 && digestbits != 0 &&
tsig.siglen < ((digestbits + 1) / 8)) {
msg->tsigstatus = dns_tsigerror_badtrunc;
tsig_log(msg->tsigkey, 2,
"truncated signature length too small");
return (DNS_R_TSIGVERIFYFAILURE);
}
if (tsig.siglen > 0 && digestbits == 0 &&
tsig.siglen < siglen) {
msg->tsigstatus = dns_tsigerror_badtrunc;
tsig_log(msg->tsigkey, 2, "signature length too small");
return (DNS_R_TSIGVERIFYFAILURE);
}
}
if (tsig.siglen > 0) {
sig_r.base = tsig.signature;
sig_r.length = tsig.siglen;
ret = dst_context_create3(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_FALSE, &ctx);
if (ret != ISC_R_SUCCESS)
return (ret);
if (response) {
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, querytsig.siglen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (querytsig.siglen > 0) {
r.length = querytsig.siglen;
r.base = querytsig.signature;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
/*
* Decrement the additional field counter.
*/
memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
/*
* Put in the original id.
*/
id = htons(tsig.originalid);
memmove(&header[0], &id, 2);
/*
* Digest the modified header.
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
ret = dst_context_adddata(ctx, &header_r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest all non-TSIG records.
*/
isc_buffer_usedregion(source, &source_r);
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key name.
*/
dns_name_toregion(&tsigkey->name, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, tsig.common.rdclass);
isc_buffer_putuint32(&databuf, msg->tsig->ttl);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key algorithm.
*/
dns_name_toregion(tsigkey->algorithm, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_clear(&databuf);
isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_putuint16(&databuf, tsig.error);
isc_buffer_putuint16(&databuf, tsig.otherlen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (tsig.otherlen > 0) {
r.base = tsig.other;
r.length = tsig.otherlen;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
ret = dst_context_verify(ctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
msg->tsigstatus = dns_tsigerror_badsig;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(1)");
goto cleanup_context;
} else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
dst_context_destroy(&ctx);
} else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey) {
msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
}
msg->tsigstatus = dns_rcode_noerror;
if (tsig.error != dns_rcode_noerror) {
if (tsig.error == dns_tsigerror_badtime)
return (DNS_R_CLOCKSKEW);
else
return (DNS_R_TSIGERRORSET);
}
msg->verified_sig = 1;
return (ISC_R_SUCCESS);
cleanup_context:
if (ctx != NULL)
dst_context_destroy(&ctx);
return (ret);
}
static void
sendquery(isc_task_t *task, isc_event_t *event) {
struct in_addr inaddr;
isc_sockaddr_t address;
isc_region_t r;
isc_result_t result;
dns_fixedname_t keyname;
dns_fixedname_t ownername;
isc_buffer_t namestr, keybuf;
unsigned char keydata[9];
dns_message_t *query;
dns_request_t *request;
static char keystr[] = "0123456789ab";
isc_event_free(&event);
result = ISC_R_FAILURE;
if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1)
CHECK("inet_pton", result);
isc_sockaddr_fromin(&address, &inaddr, PORT);
dns_fixedname_init(&keyname);
isc_buffer_init(&namestr, "tkeytest.", 9);
isc_buffer_add(&namestr, 9);
result = dns_name_fromtext(dns_fixedname_name(&keyname), &namestr,
NULL, 0, NULL);
CHECK("dns_name_fromtext", result);
dns_fixedname_init(&ownername);
isc_buffer_init(&namestr, ownername_str, strlen(ownername_str));
isc_buffer_add(&namestr, strlen(ownername_str));
result = dns_name_fromtext(dns_fixedname_name(&ownername), &namestr,
NULL, 0, NULL);
CHECK("dns_name_fromtext", result);
isc_buffer_init(&keybuf, keydata, 9);
result = isc_base64_decodestring(keystr, &keybuf);
CHECK("isc_base64_decodestring", result);
isc_buffer_usedregion(&keybuf, &r);
initialkey = NULL;
result = dns_tsigkey_create(dns_fixedname_name(&keyname),
DNS_TSIG_HMACMD5_NAME,
isc_buffer_base(&keybuf),
isc_buffer_usedlength(&keybuf),
ISC_FALSE, NULL, 0, 0, mctx, ring,
&initialkey);
CHECK("dns_tsigkey_create", result);
query = NULL;
result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &query);
CHECK("dns_message_create", result);
result = dns_tkey_builddhquery(query, ourkey,
dns_fixedname_name(&ownername),
DNS_TSIG_HMACMD5_NAME, &nonce, 3600);
CHECK("dns_tkey_builddhquery", result);
request = NULL;
result = dns_request_create(requestmgr, query, &address,
0, initialkey, TIMEOUT, task,
recvquery, query, &request);
CHECK("dns_request_create", result);
}
ATF_TC_BODY(tsig_tcp, tc) {
const dns_name_t *tsigowner = NULL;
dns_fixedname_t fkeyname;
dns_message_t *msg = NULL;
dns_name_t *keyname;
dns_tsig_keyring_t *ring = NULL;
dns_tsigkey_t *key = NULL;
isc_buffer_t *buf = NULL;
isc_buffer_t *querytsig = NULL;
isc_buffer_t *tsigin = NULL;
isc_buffer_t *tsigout = NULL;
isc_result_t result;
unsigned char secret[16] = { 0 };
dst_context_t *tsigctx = NULL;
dst_context_t *outctx = NULL;
UNUSED(tc);
result = dns_test_begin(stderr, ISC_TRUE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/* isc_log_setdebuglevel(lctx, 99); */
dns_fixedname_init(&fkeyname);
keyname = dns_fixedname_name(&fkeyname);
result = dns_name_fromstring(keyname, "test", 0, NULL);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_tsigkeyring_create(mctx, &ring);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name,
secret, sizeof(secret), ISC_FALSE,
NULL, 0, 0, mctx, ring, &key);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/*
* Create request.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
render(buf, 0, key, &tsigout, &querytsig, NULL);
isc_buffer_free(&buf);
/*
* Create response message 1.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL);
/*
* Process response message 1.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_create: %s",
dns_result_totext(result));
result = dns_message_settsigkey(msg, key);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_settsigkey: %s",
dns_result_totext(result));
result = dns_message_parse(msg, buf, 0);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_parse: %s",
dns_result_totext(result));
printmessage(msg);
result = dns_message_setquerytsig(msg, querytsig);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_setquerytsig: %s",
dns_result_totext(result));
result = dns_tsig_verify(buf, msg, NULL, NULL);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_tsig_verify: %s",
dns_result_totext(result));
ATF_CHECK_EQ(msg->verified_sig, 1);
ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
/*
* Check that we have a TSIG in the first message.
*/
ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
result = dns_message_getquerytsig(msg, mctx, &tsigin);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_getquerytsig: %s",
dns_result_totext(result));
tsigctx = msg->tsigctx;
msg->tsigctx = NULL;
isc_buffer_free(&buf);
dns_message_destroy(&msg);
result = dst_context_create3(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
ISC_FALSE, &outctx);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/*
* Start digesting.
*/
result = add_mac(outctx, tsigout);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/*
* Create response message 2.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
/*
* Process response message 2.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_create: %s",
dns_result_totext(result));
msg->tcp_continuation = 1;
msg->tsigctx = tsigctx;
tsigctx = NULL;
result = dns_message_settsigkey(msg, key);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_settsigkey: %s",
dns_result_totext(result));
result = dns_message_parse(msg, buf, 0);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_parse: %s",
dns_result_totext(result));
printmessage(msg);
result = dns_message_setquerytsig(msg, tsigin);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_setquerytsig: %s",
dns_result_totext(result));
result = dns_tsig_verify(buf, msg, NULL, NULL);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_tsig_verify: %s",
dns_result_totext(result));
ATF_CHECK_EQ(msg->verified_sig, 1);
ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
/*
* Check that we don't have a TSIG in the second message.
*/
tsigowner = NULL;
ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) == NULL);
tsigctx = msg->tsigctx;
msg->tsigctx = NULL;
isc_buffer_free(&buf);
dns_message_destroy(&msg);
/*
* Create response message 3.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
result = add_tsig(outctx, key, buf);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"add_tsig: %s",
dns_result_totext(result));
/*
* Process response message 3.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_create: %s",
dns_result_totext(result));
msg->tcp_continuation = 1;
msg->tsigctx = tsigctx;
tsigctx = NULL;
result = dns_message_settsigkey(msg, key);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_settsigkey: %s",
dns_result_totext(result));
result = dns_message_parse(msg, buf, 0);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_parse: %s",
dns_result_totext(result));
printmessage(msg);
/*
* Check that we had a TSIG in the third message.
*/
ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
result = dns_message_setquerytsig(msg, tsigin);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_setquerytsig: %s",
dns_result_totext(result));
result = dns_tsig_verify(buf, msg, NULL, NULL);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_tsig_verify: %s",
dns_result_totext(result));
ATF_CHECK_EQ(msg->verified_sig, 1);
ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
if (tsigin != NULL)
isc_buffer_free(&tsigin);
result = dns_message_getquerytsig(msg, mctx, &tsigin);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_getquerytsig: %s",
dns_result_totext(result));
isc_buffer_free(&buf);
dns_message_destroy(&msg);
if (outctx != NULL)
dst_context_destroy(&outctx);
if (querytsig != NULL)
isc_buffer_free(&querytsig);
if (tsigin != NULL)
isc_buffer_free(&tsigin);
if (tsigout != NULL)
isc_buffer_free(&tsigout);
if (buf != NULL)
isc_buffer_free(&buf);
if (msg != NULL)
dns_message_destroy(&msg);
if (key != NULL)
dns_tsigkey_detach(&key);
if (ring != NULL)
dns_tsigkeyring_detach(&ring);
dns_test_end();
}
static isc_result_t
process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
dns_rdata_tkey_t *tkeyout,
dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
{
isc_result_t result = ISC_R_SUCCESS;
dns_name_t *keyname, ourname;
dns_rdataset_t *keyset = NULL;
dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
dst_key_t *pubkey = NULL;
isc_buffer_t ourkeybuf, *shared = NULL;
isc_region_t r, r2, ourkeyr;
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
isc_buffer_t secret;
unsigned char *randomdata = NULL, secretdata[256];
dns_ttl_t ttl = 0;
if (tctx->dhkey == NULL) {
tkey_log("process_dhtkey: tkey-dhkey not defined");
tkeyout->error = dns_tsigerror_badalg;
return (DNS_R_REFUSED);
}
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
/*
* Look for a DH KEY record that will work with ours.
*/
for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
result == ISC_R_SUCCESS && !found_key;
result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
keyset = NULL;
result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
&keyset);
if (result != ISC_R_SUCCESS)
continue;
for (result = dns_rdataset_first(keyset);
result == ISC_R_SUCCESS && !found_key;
result = dns_rdataset_next(keyset)) {
dns_rdataset_current(keyset, &keyrdata);
pubkey = NULL;
result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
msg->mctx, &pubkey);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
continue;
}
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
found_key = ISC_TRUE;
ttl = keyset->ttl;
break;
} else
found_incompatible = ISC_TRUE;
}
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
tkeyout->error = dns_tsigerror_badkey;
return (ISC_R_SUCCESS);
} else {
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
}
RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
dns_rdatatype_key, &ourkeyr);
dns_name_init(&ourname, NULL);
dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
/*
* XXXBEW The TTL should be obtained from the database, if it exists.
*/
RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
isc_result_totext(result));
goto failure;
}
dst_key_free(&pubkey);
isc_buffer_init(&secret, secretdata, sizeof(secretdata));
randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
if (randomdata == NULL)
goto failure;
result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
ISC_FALSE);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
isc_result_totext(result));
goto failure;
}
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
r2.base = tkeyin->key;
r2.length = tkeyin->keylen;
RETERR(compute_secret(shared, &r2, &r, &secret));
isc_buffer_free(&shared);
RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
isc_buffer_base(&secret),
isc_buffer_usedlength(&secret),
ISC_TRUE, signer, tkeyin->inception,
tkeyin->expire, ring->mctx, ring, NULL));
/* This key is good for a long time */
tkeyout->inception = tkeyin->inception;
tkeyout->expire = tkeyin->expire;
tkeyout->key = randomdata;
tkeyout->keylen = TKEY_RANDOM_AMOUNT;
return (ISC_R_SUCCESS);
failure:
if (!ISC_LIST_EMPTY(*namelist))
free_namelist(msg, namelist);
if (shared != NULL)
isc_buffer_free(&shared);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (randomdata != NULL)
isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
return (result);
}
static isc_result_t
add_initial_keys(const cfg_obj_t *list, dns_tsig_keyring_t *ring,
isc_mem_t *mctx)
{
dns_tsigkey_t *tsigkey = NULL;
const cfg_listelt_t *element;
const cfg_obj_t *key = NULL;
const char *keyid = NULL;
unsigned char *secret = NULL;
int secretalloc = 0;
int secretlen = 0;
isc_result_t ret;
isc_stdtime_t now;
isc_uint16_t bits;
for (element = cfg_list_first(list);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *algobj = NULL;
const cfg_obj_t *secretobj = NULL;
dns_name_t keyname;
dns_name_t *alg;
const char *algstr;
char keynamedata[1024];
isc_buffer_t keynamesrc, keynamebuf;
const char *secretstr;
isc_buffer_t secretbuf;
key = cfg_listelt_value(element);
keyid = cfg_obj_asstring(cfg_map_getname(key));
algobj = NULL;
secretobj = NULL;
(void)cfg_map_get(key, "algorithm", &algobj);
(void)cfg_map_get(key, "secret", &secretobj);
INSIST(algobj != NULL && secretobj != NULL);
/*
* Create the key name.
*/
dns_name_init(&keyname, NULL);
isc_buffer_init(&keynamesrc, keyid, strlen(keyid));
isc_buffer_add(&keynamesrc, strlen(keyid));
isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
ISC_TRUE, &keynamebuf);
if (ret != ISC_R_SUCCESS)
goto failure;
/*
* Create the algorithm.
*/
algstr = cfg_obj_asstring(algobj);
if (ns_config_getkeyalgorithm(algstr, &alg, &bits)
!= ISC_R_SUCCESS) {
cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR,
"key '%s': has a unsupported algorithm '%s'",
keyid, algstr);
ret = DNS_R_BADALG;
goto failure;
}
secretstr = cfg_obj_asstring(secretobj);
secretalloc = secretlen = strlen(secretstr) * 3 / 4;
secret = isc_mem_get(mctx, secretlen);
if (secret == NULL) {
ret = ISC_R_NOMEMORY;
goto failure;
}
isc_buffer_init(&secretbuf, secret, secretlen);
ret = isc_base64_decodestring(secretstr, &secretbuf);
if (ret != ISC_R_SUCCESS)
goto failure;
secretlen = isc_buffer_usedlength(&secretbuf);
isc_stdtime_get(&now);
ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
ISC_FALSE, NULL, now, now,
mctx, ring, &tsigkey);
isc_mem_put(mctx, secret, secretalloc);
secret = NULL;
if (ret != ISC_R_SUCCESS)
goto failure;
/*
* Set digest bits.
*/
dst_key_setbits(tsigkey->key, bits);
dns_tsigkey_detach(&tsigkey);
}
return (ISC_R_SUCCESS);
failure:
cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
"configuring key '%s': %s", keyid,
isc_result_totext(ret));
if (secret != NULL)
isc_mem_put(mctx, secret, secretalloc);
return (ret);
}
