unsigned int
dst__entropy_status(void) {
#ifndef PKCS11CRYPTO
#ifdef GSSAPI
unsigned int flags = dst_entropy_flags;
isc_result_t ret;
unsigned char buf[32];
static isc_boolean_t first = ISC_TRUE;
if (dst_entropy_pool == NULL)
return (0);
if (first) {
/* Someone believes RAND_status() initializes the PRNG */
flags &= ~ISC_ENTROPY_GOODONLY;
ret = isc_entropy_getdata(dst_entropy_pool, buf,
sizeof(buf), NULL, flags);
INSIST(ret == ISC_R_SUCCESS);
isc_entropy_putdata(dst_entropy_pool, buf,
sizeof(buf), 2 * sizeof(buf));
first = ISC_FALSE;
}
#endif
return (isc_entropy_status(dst_entropy_pool));
#else
return (0);
#endif
}
isc_result_t
dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
unsigned int flags = dst_entropy_flags;
if (pseudo)
flags &= ~ISC_ENTROPY_GOODONLY;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
}
int
main(int argc, char **argv) {
isc_mem_t *mctx;
unsigned char buffer[512];
isc_entropy_t *ent;
isc_entropysource_t *source;
unsigned int returned;
unsigned int flags;
isc_result_t result;
isc_keyboard_t kbd;
UNUSED(argc);
UNUSED(argv);
mctx = NULL;
CHECK("isc_mem_create()",
isc_mem_create(0, 0, &mctx));
ent = NULL;
CHECK("isc_entropy_create()",
isc_entropy_create(mctx, &ent));
isc_entropy_stats(ent, stderr);
source = NULL;
result = isc_entropy_createcallbacksource(ent, start, get, stop, &kbd,
&source);
CHECK("isc_entropy_createcallbacksource()", result);
fprintf(stderr,
"Reading 32 bytes of GOOD random data only, partial OK\n");
flags = 0;
flags |= ISC_ENTROPY_GOODONLY;
flags |= ISC_ENTROPY_PARTIAL;
flags |= ISC_ENTROPY_BLOCKING;
returned = 0;
result = isc_entropy_getdata(ent, buffer, 32, &returned, flags);
if (result == ISC_R_NOENTROPY) {
fprintf(stderr, "No entropy.\r\n");
}
isc_entropy_stopcallbacksources(ent);
hex_dump("good data only:", buffer, returned);
isc_entropy_stats(ent, stderr);
isc_entropy_destroysource(&source);
isc_entropy_detach(&ent);
isc_mem_stats(mctx, stderr);
isc_mem_destroy(&mctx);
return (0);
}
void
isc_hash_ctxinit(isc_hash_t *hctx) {
LOCK(&hctx->lock);
if (hctx->initialized == ISC_TRUE)
goto out;
if (hctx->entropy) {
#ifdef BIND9
isc_result_t result;
result = isc_entropy_getdata(hctx->entropy,
hctx->rndvector, hctx->vectorlen,
NULL, 0);
INSIST(result == ISC_R_SUCCESS);
#else
INSIST(0);
#endif
} else {
isc_uint32_t pr;
unsigned int i, copylen;
unsigned char *p;
p = (unsigned char *)hctx->rndvector;
for (i = 0; i < hctx->vectorlen; i += copylen, p += copylen) {
isc_random_get(&pr);
if (i + sizeof(pr) <= hctx->vectorlen)
copylen = sizeof(pr);
else
copylen = hctx->vectorlen - i;
memcpy(p, &pr, copylen);
}
INSIST(p == (unsigned char *)hctx->rndvector +
hctx->vectorlen);
}
hctx->initialized = ISC_TRUE;
out:
UNLOCK(&hctx->lock);
}
isc_result_t
dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
#ifdef BIND9
unsigned int flags = dst_entropy_flags;
if (len == 0)
return (ISC_R_SUCCESS);
if (pseudo)
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
#else
UNUSED(buf);
UNUSED(len);
UNUSED(pseudo);
return (ISC_R_NOTIMPLEMENTED);
#endif
}
isc_result_t
dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
unsigned int flags = dst_entropy_flags;
if (dst_entropy_pool == NULL)
return (ISC_R_FAILURE);
if (len == 0)
return (ISC_R_SUCCESS);
#ifdef PKCS11CRYPTO
UNUSED(pseudo);
UNUSED(flags);
return (pk11_rand_bytes(buf, len));
#else /* PKCS11CRYPTO */
if (pseudo)
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
#endif /* PKCS11CRYPTO */
}
int
main(int argc, char *argv[]) {
char *ourkeyname;
isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr;
isc_socketmgr_t *socketmgr;
isc_socket_t *sock;
unsigned int attrs, attrmask;
isc_sockaddr_t bind_any;
dns_dispatchmgr_t *dispatchmgr;
dns_dispatch_t *dispatchv4;
dns_view_t *view;
isc_entropy_t *ectx;
dns_tkeyctx_t *tctx;
isc_log_t *log;
isc_logconfig_t *logconfig;
isc_task_t *task;
isc_result_t result;
int type;
RUNCHECK(isc_app_start());
if (argc < 2) {
fprintf(stderr, "I:no DH key provided\n");
exit(-1);
}
ourkeyname = argv[1];
if (argc >= 3)
ownername_str = argv[2];
dns_result_register();
mctx = NULL;
RUNCHECK(isc_mem_create(0, 0, &mctx));
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
RUNCHECK(isc_entropy_createfilesource(ectx, "random.data"));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
log = NULL;
logconfig = NULL;
RUNCHECK(isc_log_create(mctx, &log, &logconfig));
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
task = NULL;
RUNCHECK(isc_task_create(taskmgr, 0, &task));
timermgr = NULL;
RUNCHECK(isc_timermgr_create(mctx, &timermgr));
socketmgr = NULL;
RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
dispatchmgr = NULL;
RUNCHECK(dns_dispatchmgr_create(mctx, NULL, &dispatchmgr));
isc_sockaddr_any(&bind_any);
attrs = DNS_DISPATCHATTR_UDP |
DNS_DISPATCHATTR_MAKEQUERY |
DNS_DISPATCHATTR_IPV4;
attrmask = DNS_DISPATCHATTR_UDP |
DNS_DISPATCHATTR_TCP |
DNS_DISPATCHATTR_IPV4 |
DNS_DISPATCHATTR_IPV6;
dispatchv4 = NULL;
RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
&bind_any, 4096, 4, 2, 3, 5,
attrs, attrmask, &dispatchv4));
requestmgr = NULL;
RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr,
dispatchmgr, dispatchv4, NULL,
&requestmgr));
ring = NULL;
RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
tctx = NULL;
RUNCHECK(dns_tkeyctx_create(mctx, ectx, &tctx));
view = NULL;
RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
dns_view_setkeyring(view, ring);
dns_tsigkeyring_detach(&ring);
sock = NULL;
RUNCHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp,
&sock));
RUNCHECK(isc_app_onrun(mctx, task, sendquery, NULL));
ourkey = NULL;
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
result = dst_key_fromnamedfile(ourkeyname, NULL, type, mctx, &ourkey);
CHECK("dst_key_fromnamedfile", result);
isc_buffer_init(&nonce, noncedata, sizeof(noncedata));
result = isc_entropy_getdata(ectx, noncedata, sizeof(noncedata),
NULL, ISC_ENTROPY_BLOCKING);
CHECK("isc_entropy_getdata", result);
isc_buffer_add(&nonce, sizeof(noncedata));
(void)isc_app_run();
dns_requestmgr_shutdown(requestmgr);
dns_requestmgr_detach(&requestmgr);
dns_dispatch_detach(&dispatchv4);
dns_dispatchmgr_destroy(&dispatchmgr);
isc_task_shutdown(task);
isc_task_detach(&task);
isc_taskmgr_destroy(&taskmgr);
isc_socket_detach(&sock);
isc_socketmgr_destroy(&socketmgr);
isc_timermgr_destroy(&timermgr);
dst_key_free(&ourkey);
dns_tsigkey_detach(&initialkey);
dns_tsigkey_detach(&tsigkey);
dns_tkeyctx_destroy(&tctx);
dns_view_detach(&view);
isc_log_destroy(&log);
dst_lib_destroy();
isc_hash_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
isc_app_finish();
return (0);
}
isc_result_t
dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
dns_tsig_keyring_t *ring)
{
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_tkey_t tkeyin, tkeyout;
isc_boolean_t freetkeyin = ISC_FALSE;
dns_name_t *qname, *name, *keyname, *signer, tsigner;
dns_fixedname_t fkeyname;
dns_rdataset_t *tkeyset;
dns_rdata_t rdata;
dns_namelist_t namelist;
char tkeyoutdata[512];
isc_buffer_t tkeyoutbuf;
REQUIRE(msg != NULL);
REQUIRE(tctx != NULL);
REQUIRE(ring != NULL);
ISC_LIST_INIT(namelist);
/*
* Interpret the question section.
*/
result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
if (result != ISC_R_SUCCESS)
return (DNS_R_FORMERR);
qname = NULL;
dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
/*
* Look for a TKEY record that matches the question.
*/
tkeyset = NULL;
name = NULL;
result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
dns_rdatatype_tkey, 0, &name, &tkeyset);
if (result != ISC_R_SUCCESS) {
/*
* Try the answer section, since that's where Win2000
* puts it.
*/
name = NULL;
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS) {
result = DNS_R_FORMERR;
tkey_log("dns_tkey_processquery: couldn't find a TKEY "
"matching the question");
goto failure;
}
}
result = dns_rdataset_first(tkeyset);
if (result != ISC_R_SUCCESS) {
result = DNS_R_FORMERR;
goto failure;
}
dns_rdata_init(&rdata);
dns_rdataset_current(tkeyset, &rdata);
RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
freetkeyin = ISC_TRUE;
if (tkeyin.error != dns_rcode_noerror) {
result = DNS_R_FORMERR;
goto failure;
}
/*
* Before we go any farther, verify that the message was signed.
* GSSAPI TKEY doesn't require a signature, the rest do.
*/
dns_name_init(&tsigner, NULL);
result = dns_message_signer(msg, &tsigner);
if (result != ISC_R_SUCCESS) {
if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
result == ISC_R_NOTFOUND)
signer = NULL;
else {
tkey_log("dns_tkey_processquery: query was not "
"properly signed - rejecting");
result = DNS_R_FORMERR;
goto failure;
}
} else
signer = &tsigner;
tkeyout.common.rdclass = tkeyin.common.rdclass;
tkeyout.common.rdtype = tkeyin.common.rdtype;
ISC_LINK_INIT(&tkeyout.common, link);
tkeyout.mctx = msg->mctx;
dns_name_init(&tkeyout.algorithm, NULL);
dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
tkeyout.inception = tkeyout.expire = 0;
tkeyout.mode = tkeyin.mode;
tkeyout.error = 0;
tkeyout.keylen = tkeyout.otherlen = 0;
tkeyout.key = tkeyout.other = NULL;
/*
* A delete operation must have a fully specified key name. If this
* is not a delete, we do the following:
* if (qname != ".")
* keyname = qname + defaultdomain
* else
* keyname = <random hex> + defaultdomain
*/
if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
dns_tsigkey_t *tsigkey = NULL;
if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
tkey_log("dns_tkey_processquery: tkey-domain not set");
result = DNS_R_REFUSED;
goto failure;
}
dns_fixedname_init(&fkeyname);
keyname = dns_fixedname_name(&fkeyname);
if (!dns_name_equal(qname, dns_rootname)) {
unsigned int n = dns_name_countlabels(qname);
RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
== ISC_R_SUCCESS);
dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
} else {
static char hexdigits[16] = {
'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
unsigned char randomdata[16];
char randomtext[32];
isc_buffer_t b;
unsigned int i, j;
result = isc_entropy_getdata(tctx->ectx,
randomdata,
sizeof(randomdata),
NULL, 0);
if (result != ISC_R_SUCCESS)
goto failure;
for (i = 0, j = 0; i < sizeof(randomdata); i++) {
unsigned char val = randomdata[i];
randomtext[j++] = hexdigits[val >> 4];
randomtext[j++] = hexdigits[val & 0xF];
}
isc_buffer_init(&b, randomtext, sizeof(randomtext));
isc_buffer_add(&b, sizeof(randomtext));
result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
}
if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
/* Yup. This is a hack */
result = dns_name_concatenate(keyname, dns_rootname,
keyname, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
} else {
result = dns_name_concatenate(keyname, tctx->domain,
keyname, NULL);
if (result != ISC_R_SUCCESS)
goto failure;
}
result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
if (result == ISC_R_SUCCESS) {
tkeyout.error = dns_tsigerror_badname;
dns_tsigkey_detach(&tsigkey);
goto failure_with_tkey;
} else if (result != ISC_R_NOTFOUND)
goto failure;
} else
int
main(int argc, char **argv) {
isc_mem_t *mctx;
unsigned char buffer[512];
isc_entropy_t *ent;
unsigned int returned;
unsigned int flags;
isc_result_t result;
UNUSED(argc);
UNUSED(argv);
mctx = NULL;
CHECK("isc_mem_create()",
isc_mem_create(0, 0, &mctx));
ent = NULL;
CHECK("isc_entropy_create()",
isc_entropy_create(mctx, &ent));
isc_entropy_stats(ent, stderr);
#if 1
CHECK("isc_entropy_createfilesource() 1",
isc_entropy_createfilesource(ent, "/dev/random"));
CHECK("isc_entropy_createfilesource() 2",
isc_entropy_createfilesource(ent, "/dev/random"));
#else
CHECK("isc_entropy_createfilesource() 3",
isc_entropy_createfilesource(ent, "/tmp/foo"));
#endif
fprintf(stderr,
"Reading 32 bytes of GOOD random data only, partial OK\n");
flags = 0;
flags |= ISC_ENTROPY_GOODONLY;
flags |= ISC_ENTROPY_PARTIAL;
result = isc_entropy_getdata(ent, buffer, 32, &returned, flags);
if (result == ISC_R_NOENTROPY) {
fprintf(stderr, "No entropy.\n");
goto any;
}
hex_dump("good data only:", buffer, returned);
any:
isc_entropy_stats(ent, stderr);
CHECK("isc_entropy_getdata() pseudorandom",
isc_entropy_getdata(ent, buffer, 128, NULL, 0));
hex_dump("pseudorandom data", buffer, 128);
isc_entropy_stats(ent, stderr);
flags = 0;
flags |= ISC_ENTROPY_GOODONLY;
flags |= ISC_ENTROPY_BLOCKING;
result = isc_entropy_getdata(ent, buffer, sizeof(buffer), &returned,
flags);
CHECK("good data only, blocking mode", result);
hex_dump("blocking mode data", buffer, sizeof(buffer));
{
isc_entropy_t *entcopy1 = NULL;
isc_entropy_t *entcopy2 = NULL;
isc_entropy_t *entcopy3 = NULL;
isc_entropy_attach(ent, &entcopy1);
isc_entropy_attach(ent, &entcopy2);
isc_entropy_attach(ent, &entcopy3);
isc_entropy_stats(ent, stderr);
isc_entropy_detach(&entcopy1);
isc_entropy_detach(&entcopy2);
isc_entropy_detach(&entcopy3);
}
isc_entropy_detach(&ent);
isc_mem_stats(mctx, stderr);
isc_mem_destroy(&mctx);
return (0);
}
static isc_result_t
process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
dns_rdata_tkey_t *tkeyout,
dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
{
isc_result_t result = ISC_R_SUCCESS;
dns_name_t *keyname, ourname;
dns_rdataset_t *keyset = NULL;
dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
dst_key_t *pubkey = NULL;
isc_buffer_t ourkeybuf, *shared = NULL;
isc_region_t r, r2, ourkeyr;
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
isc_buffer_t secret;
unsigned char *randomdata = NULL, secretdata[256];
dns_ttl_t ttl = 0;
if (tctx->dhkey == NULL) {
tkey_log("process_dhtkey: tkey-dhkey not defined");
tkeyout->error = dns_tsigerror_badalg;
return (DNS_R_REFUSED);
}
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
/*
* Look for a DH KEY record that will work with ours.
*/
for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
result == ISC_R_SUCCESS && !found_key;
result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
keyset = NULL;
result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
&keyset);
if (result != ISC_R_SUCCESS)
continue;
for (result = dns_rdataset_first(keyset);
result == ISC_R_SUCCESS && !found_key;
result = dns_rdataset_next(keyset)) {
dns_rdataset_current(keyset, &keyrdata);
pubkey = NULL;
result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
msg->mctx, &pubkey);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
continue;
}
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
found_key = ISC_TRUE;
ttl = keyset->ttl;
break;
} else
found_incompatible = ISC_TRUE;
}
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
tkeyout->error = dns_tsigerror_badkey;
return (ISC_R_SUCCESS);
} else {
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
}
RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
dns_rdatatype_key, &ourkeyr);
dns_name_init(&ourname, NULL);
dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
/*
* XXXBEW The TTL should be obtained from the database, if it exists.
*/
RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
isc_result_totext(result));
goto failure;
}
dst_key_free(&pubkey);
isc_buffer_init(&secret, secretdata, sizeof(secretdata));
randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
if (randomdata == NULL)
goto failure;
result = isc_entropy_getdata(tctx->ectx, randomdata,
TKEY_RANDOM_AMOUNT, NULL, 0);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
isc_result_totext(result));
goto failure;
}
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
r2.base = tkeyin->key;
r2.length = tkeyin->keylen;
RETERR(compute_secret(shared, &r2, &r, &secret));
isc_buffer_free(&shared);
RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
isc_buffer_base(&secret),
isc_buffer_usedlength(&secret),
ISC_TRUE, signer, tkeyin->inception,
tkeyin->expire, ring->mctx, ring, NULL));
/* This key is good for a long time */
tkeyout->inception = tkeyin->inception;
tkeyout->expire = tkeyin->expire;
tkeyout->key = randomdata;
tkeyout->keylen = TKEY_RANDOM_AMOUNT;
return (ISC_R_SUCCESS);
failure:
if (!ISC_LIST_EMPTY(*namelist))
free_namelist(msg, namelist);
if (shared != NULL)
isc_buffer_free(&shared);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (randomdata != NULL)
isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
return (result);
}
