isc_result_t
ns_tsigkeyring_fromconfig (const cfg_obj_t * config, const cfg_obj_t * vconfig,
isc_mem_t * mctx, dns_tsig_keyring_t ** ringp)
{
const cfg_obj_t *maps[3];
const cfg_obj_t *keylist;
dns_tsig_keyring_t *ring = NULL;
isc_result_t result;
int i;
REQUIRE (ringp != NULL && *ringp == NULL);
i = 0;
if (config != NULL)
maps[i++] = config;
if (vconfig != NULL)
maps[i++] = cfg_tuple_get (vconfig, "options");
maps[i] = NULL;
result = dns_tsigkeyring_create (mctx, &ring);
if (result != ISC_R_SUCCESS)
return (result);
for (i = 0;; i++)
{
if (maps[i] == NULL)
break;
keylist = NULL;
result = cfg_map_get (maps[i], "key", &keylist);
if (result != ISC_R_SUCCESS)
continue;
result = add_initial_keys (keylist, ring, mctx);
if (result != ISC_R_SUCCESS)
goto failure;
}
*ringp = ring;
return (ISC_R_SUCCESS);
failure:
dns_tsigkeyring_detach (&ring);
return (result);
}
isc_result_t
dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
const char *name, dns_view_t **viewp)
{
dns_view_t *view;
isc_result_t result;
/*
* Create a view.
*/
REQUIRE(name != NULL);
REQUIRE(viewp != NULL && *viewp == NULL);
view = isc_mem_get(mctx, sizeof(*view));
if (view == NULL)
return (ISC_R_NOMEMORY);
view->mctx = NULL;
isc_mem_attach(mctx, &view->mctx);
view->name = isc_mem_strdup(mctx, name);
if (view->name == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup_view;
}
result = isc_mutex_init(&view->lock);
if (result != ISC_R_SUCCESS)
goto cleanup_name;
view->zonetable = NULL;
if (isc_bind9) {
result = dns_zt_create(mctx, rdclass, &view->zonetable);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"dns_zt_create() failed: %s",
isc_result_totext(result));
result = ISC_R_UNEXPECTED;
goto cleanup_mutex;
}
}
view->secroots_priv = NULL;
view->fwdtable = NULL;
result = dns_fwdtable_create(mctx, &view->fwdtable);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"dns_fwdtable_create() failed: %s",
isc_result_totext(result));
result = ISC_R_UNEXPECTED;
goto cleanup_zt;
}
view->acache = NULL;
view->cache = NULL;
view->cachedb = NULL;
ISC_LIST_INIT(view->dlz_searched);
ISC_LIST_INIT(view->dlz_unsearched);
view->hints = NULL;
view->resolver = NULL;
view->adb = NULL;
view->requestmgr = NULL;
view->rdclass = rdclass;
view->frozen = ISC_FALSE;
view->task = NULL;
result = isc_refcount_init(&view->references, 1);
if (result != ISC_R_SUCCESS)
goto cleanup_fwdtable;
view->weakrefs = 0;
view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN|
DNS_VIEWATTR_REQSHUTDOWN);
view->statickeys = NULL;
view->dynamickeys = NULL;
view->matchclients = NULL;
view->matchdestinations = NULL;
view->matchrecursiveonly = ISC_FALSE;
result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
if (result != ISC_R_SUCCESS)
goto cleanup_references;
view->peers = NULL;
view->order = NULL;
view->delonly = NULL;
view->rootdelonly = ISC_FALSE;
view->rootexclude = NULL;
view->adbstats = NULL;
view->resstats = NULL;
view->resquerystats = NULL;
view->cacheshared = ISC_FALSE;
ISC_LIST_INIT(view->dns64);
view->dns64cnt = 0;
/*
* Initialize configuration data with default values.
*/
view->recursion = ISC_TRUE;
view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
view->additionalfromcache = ISC_TRUE;
view->additionalfromauth = ISC_TRUE;
view->enablednssec = ISC_TRUE;
view->enablevalidation = ISC_TRUE;
view->acceptexpired = ISC_FALSE;
view->minimalresponses = ISC_FALSE;
view->transfer_format = dns_one_answer;
view->cacheacl = NULL;
view->cacheonacl = NULL;
view->queryacl = NULL;
view->queryonacl = NULL;
view->recursionacl = NULL;
view->recursiononacl = NULL;
view->sortlist = NULL;
view->transferacl = NULL;
view->notifyacl = NULL;
view->updateacl = NULL;
view->upfwdacl = NULL;
view->denyansweracl = NULL;
view->nocasecompress = NULL;
view->answeracl_exclude = NULL;
view->denyanswernames = NULL;
view->answernames_exclude = NULL;
view->rrl = NULL;
view->provideixfr = ISC_TRUE;
view->maxcachettl = 7 * 24 * 3600;
view->maxncachettl = 3 * 3600;
view->dstport = 53;
view->preferred_glue = 0;
view->flush = ISC_FALSE;
view->dlv = NULL;
view->maxudp = 0;
view->situdp = 0;
view->maxbits = 0;
view->v4_aaaa = dns_aaaa_ok;
view->v6_aaaa = dns_aaaa_ok;
view->aaaa_acl = NULL;
view->rpzs = NULL;
dns_fixedname_init(&view->dlv_fixed);
view->managed_keys = NULL;
view->redirect = NULL;
view->requestnsid = ISC_FALSE;
view->requestsit = ISC_TRUE;
view->new_zone_file = NULL;
view->new_zone_config = NULL;
view->cfg_destroy = NULL;
if (isc_bind9) {
result = dns_order_create(view->mctx, &view->order);
if (result != ISC_R_SUCCESS)
goto cleanup_dynkeys;
}
result = dns_peerlist_new(view->mctx, &view->peers);
if (result != ISC_R_SUCCESS)
goto cleanup_order;
result = dns_aclenv_init(view->mctx, &view->aclenv);
if (result != ISC_R_SUCCESS)
goto cleanup_peerlist;
ISC_LINK_INIT(view, link);
ISC_EVENT_INIT(&view->resevent, sizeof(view->resevent), 0, NULL,
DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown,
view, NULL, NULL, NULL);
ISC_EVENT_INIT(&view->adbevent, sizeof(view->adbevent), 0, NULL,
DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown,
view, NULL, NULL, NULL);
ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL,
DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown,
view, NULL, NULL, NULL);
view->viewlist = NULL;
view->magic = DNS_VIEW_MAGIC;
*viewp = view;
return (ISC_R_SUCCESS);
cleanup_peerlist:
if (view->peers != NULL)
dns_peerlist_detach(&view->peers);
cleanup_order:
if (view->order != NULL)
dns_order_detach(&view->order);
cleanup_dynkeys:
if (view->dynamickeys != NULL)
dns_tsigkeyring_detach(&view->dynamickeys);
cleanup_references:
isc_refcount_destroy(&view->references);
cleanup_fwdtable:
if (view->fwdtable != NULL)
dns_fwdtable_destroy(&view->fwdtable);
cleanup_zt:
if (view->zonetable != NULL)
dns_zt_detach(&view->zonetable);
cleanup_mutex:
DESTROYLOCK(&view->lock);
cleanup_name:
isc_mem_free(mctx, view->name);
cleanup_view:
isc_mem_putanddetach(&view->mctx, view, sizeof(*view));
return (result);
}
int
main(int argc, char *argv[]) {
char *ourkeyname;
isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr;
isc_socketmgr_t *socketmgr;
isc_socket_t *sock;
unsigned int attrs, attrmask;
isc_sockaddr_t bind_any;
dns_dispatchmgr_t *dispatchmgr;
dns_dispatch_t *dispatchv4;
dns_view_t *view;
isc_entropy_t *ectx;
dns_tkeyctx_t *tctx;
isc_log_t *log;
isc_logconfig_t *logconfig;
isc_task_t *task;
isc_result_t result;
int type;
RUNCHECK(isc_app_start());
if (argc < 2) {
fprintf(stderr, "I:no DH key provided\n");
exit(-1);
}
ourkeyname = argv[1];
if (argc >= 3)
ownername_str = argv[2];
dns_result_register();
mctx = NULL;
RUNCHECK(isc_mem_create(0, 0, &mctx));
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
RUNCHECK(isc_entropy_createfilesource(ectx, "random.data"));
RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
log = NULL;
logconfig = NULL;
RUNCHECK(isc_log_create(mctx, &log, &logconfig));
RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
task = NULL;
RUNCHECK(isc_task_create(taskmgr, 0, &task));
timermgr = NULL;
RUNCHECK(isc_timermgr_create(mctx, &timermgr));
socketmgr = NULL;
RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
dispatchmgr = NULL;
RUNCHECK(dns_dispatchmgr_create(mctx, NULL, &dispatchmgr));
isc_sockaddr_any(&bind_any);
attrs = DNS_DISPATCHATTR_UDP |
DNS_DISPATCHATTR_MAKEQUERY |
DNS_DISPATCHATTR_IPV4;
attrmask = DNS_DISPATCHATTR_UDP |
DNS_DISPATCHATTR_TCP |
DNS_DISPATCHATTR_IPV4 |
DNS_DISPATCHATTR_IPV6;
dispatchv4 = NULL;
RUNCHECK(dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
&bind_any, 4096, 4, 2, 3, 5,
attrs, attrmask, &dispatchv4));
requestmgr = NULL;
RUNCHECK(dns_requestmgr_create(mctx, timermgr, socketmgr, taskmgr,
dispatchmgr, dispatchv4, NULL,
&requestmgr));
ring = NULL;
RUNCHECK(dns_tsigkeyring_create(mctx, &ring));
tctx = NULL;
RUNCHECK(dns_tkeyctx_create(mctx, ectx, &tctx));
view = NULL;
RUNCHECK(dns_view_create(mctx, 0, "_test", &view));
dns_view_setkeyring(view, ring);
dns_tsigkeyring_detach(&ring);
sock = NULL;
RUNCHECK(isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp,
&sock));
RUNCHECK(isc_app_onrun(mctx, task, sendquery, NULL));
ourkey = NULL;
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
result = dst_key_fromnamedfile(ourkeyname, NULL, type, mctx, &ourkey);
CHECK("dst_key_fromnamedfile", result);
isc_buffer_init(&nonce, noncedata, sizeof(noncedata));
result = isc_entropy_getdata(ectx, noncedata, sizeof(noncedata),
NULL, ISC_ENTROPY_BLOCKING);
CHECK("isc_entropy_getdata", result);
isc_buffer_add(&nonce, sizeof(noncedata));
(void)isc_app_run();
dns_requestmgr_shutdown(requestmgr);
dns_requestmgr_detach(&requestmgr);
dns_dispatch_detach(&dispatchv4);
dns_dispatchmgr_destroy(&dispatchmgr);
isc_task_shutdown(task);
isc_task_detach(&task);
isc_taskmgr_destroy(&taskmgr);
isc_socket_detach(&sock);
isc_socketmgr_destroy(&socketmgr);
isc_timermgr_destroy(&timermgr);
dst_key_free(&ourkey);
dns_tsigkey_detach(&initialkey);
dns_tsigkey_detach(&tsigkey);
dns_tkeyctx_destroy(&tctx);
dns_view_detach(&view);
isc_log_destroy(&log);
dst_lib_destroy();
isc_hash_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
isc_app_finish();
return (0);
}
ATF_TC_BODY(tsig_tcp, tc) {
const dns_name_t *tsigowner = NULL;
dns_fixedname_t fkeyname;
dns_message_t *msg = NULL;
dns_name_t *keyname;
dns_tsig_keyring_t *ring = NULL;
dns_tsigkey_t *key = NULL;
isc_buffer_t *buf = NULL;
isc_buffer_t *querytsig = NULL;
isc_buffer_t *tsigin = NULL;
isc_buffer_t *tsigout = NULL;
isc_result_t result;
unsigned char secret[16] = { 0 };
dst_context_t *tsigctx = NULL;
dst_context_t *outctx = NULL;
UNUSED(tc);
result = dns_test_begin(stderr, ISC_TRUE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/* isc_log_setdebuglevel(lctx, 99); */
dns_fixedname_init(&fkeyname);
keyname = dns_fixedname_name(&fkeyname);
result = dns_name_fromstring(keyname, "test", 0, NULL);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_tsigkeyring_create(mctx, &ring);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name,
secret, sizeof(secret), ISC_FALSE,
NULL, 0, 0, mctx, ring, &key);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/*
* Create request.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
render(buf, 0, key, &tsigout, &querytsig, NULL);
isc_buffer_free(&buf);
/*
* Create response message 1.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL);
/*
* Process response message 1.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_create: %s",
dns_result_totext(result));
result = dns_message_settsigkey(msg, key);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_settsigkey: %s",
dns_result_totext(result));
result = dns_message_parse(msg, buf, 0);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_parse: %s",
dns_result_totext(result));
printmessage(msg);
result = dns_message_setquerytsig(msg, querytsig);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_setquerytsig: %s",
dns_result_totext(result));
result = dns_tsig_verify(buf, msg, NULL, NULL);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_tsig_verify: %s",
dns_result_totext(result));
ATF_CHECK_EQ(msg->verified_sig, 1);
ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
/*
* Check that we have a TSIG in the first message.
*/
ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
result = dns_message_getquerytsig(msg, mctx, &tsigin);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_getquerytsig: %s",
dns_result_totext(result));
tsigctx = msg->tsigctx;
msg->tsigctx = NULL;
isc_buffer_free(&buf);
dns_message_destroy(&msg);
result = dst_context_create3(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
ISC_FALSE, &outctx);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/*
* Start digesting.
*/
result = add_mac(outctx, tsigout);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/*
* Create response message 2.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
/*
* Process response message 2.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_create: %s",
dns_result_totext(result));
msg->tcp_continuation = 1;
msg->tsigctx = tsigctx;
tsigctx = NULL;
result = dns_message_settsigkey(msg, key);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_settsigkey: %s",
dns_result_totext(result));
result = dns_message_parse(msg, buf, 0);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_parse: %s",
dns_result_totext(result));
printmessage(msg);
result = dns_message_setquerytsig(msg, tsigin);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_setquerytsig: %s",
dns_result_totext(result));
result = dns_tsig_verify(buf, msg, NULL, NULL);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_tsig_verify: %s",
dns_result_totext(result));
ATF_CHECK_EQ(msg->verified_sig, 1);
ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
/*
* Check that we don't have a TSIG in the second message.
*/
tsigowner = NULL;
ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) == NULL);
tsigctx = msg->tsigctx;
msg->tsigctx = NULL;
isc_buffer_free(&buf);
dns_message_destroy(&msg);
/*
* Create response message 3.
*/
result = isc_buffer_allocate(mctx, &buf, 65535);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
result = add_tsig(outctx, key, buf);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"add_tsig: %s",
dns_result_totext(result));
/*
* Process response message 3.
*/
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_create: %s",
dns_result_totext(result));
msg->tcp_continuation = 1;
msg->tsigctx = tsigctx;
tsigctx = NULL;
result = dns_message_settsigkey(msg, key);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_settsigkey: %s",
dns_result_totext(result));
result = dns_message_parse(msg, buf, 0);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_parse: %s",
dns_result_totext(result));
printmessage(msg);
/*
* Check that we had a TSIG in the third message.
*/
ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
result = dns_message_setquerytsig(msg, tsigin);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_setquerytsig: %s",
dns_result_totext(result));
result = dns_tsig_verify(buf, msg, NULL, NULL);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_tsig_verify: %s",
dns_result_totext(result));
ATF_CHECK_EQ(msg->verified_sig, 1);
ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
if (tsigin != NULL)
isc_buffer_free(&tsigin);
result = dns_message_getquerytsig(msg, mctx, &tsigin);
ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
"dns_message_getquerytsig: %s",
dns_result_totext(result));
isc_buffer_free(&buf);
dns_message_destroy(&msg);
if (outctx != NULL)
dst_context_destroy(&outctx);
if (querytsig != NULL)
isc_buffer_free(&querytsig);
if (tsigin != NULL)
isc_buffer_free(&tsigin);
if (tsigout != NULL)
isc_buffer_free(&tsigout);
if (buf != NULL)
isc_buffer_free(&buf);
if (msg != NULL)
dns_message_destroy(&msg);
if (key != NULL)
dns_tsigkey_detach(&key);
if (ring != NULL)
dns_tsigkeyring_detach(&ring);
dns_test_end();
}
