static isc_result_t
hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
isc_buffer_t b;
isc_result_t ret;
int bytes;
unsigned char data[HMAC_LEN];
bytes = (key->key_size + 7) / 8;
if (bytes > 64) {
bytes = 64;
key->key_size = 512;
}
memset(data, 0, HMAC_LEN);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
return (ret);
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacmd5_fromdns(key, &b);
memset(data, 0, HMAC_LEN);
return (ret);
}
static isc_result_t
openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
DSA *dsa;
unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
isc_result_t result;
#if OPENSSL_VERSION_NUMBER > 0x00908000L
BN_GENCB cb;
union {
void *dptr;
void (*fptr)(int);
} u;
#else
UNUSED(callback);
#endif
UNUSED(unused);
result = dst__entropy_getdata(rand_array, sizeof(rand_array),
ISC_FALSE);
if (result != ISC_R_SUCCESS)
return (result);
#if OPENSSL_VERSION_NUMBER > 0x00908000L
dsa = DSA_new();
if (dsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
if (callback == NULL) {
BN_GENCB_set_old(&cb, NULL, NULL);
} else {
u.fptr = callback;
BN_GENCB_set(&cb, &progress_cb, u.dptr);
}
if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
ISC_SHA1_DIGESTLENGTH, NULL, NULL,
&cb))
{
DSA_free(dsa);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
#else
dsa = DSA_generate_parameters(key->key_size, rand_array,
ISC_SHA1_DIGESTLENGTH, NULL, NULL,
NULL, NULL);
if (dsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
#endif
if (DSA_generate_key(dsa) == 0) {
DSA_free(dsa);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
key->keydata.dsa = dsa;
return (ISC_R_SUCCESS);
}
static int
entropy_getpseudo(unsigned char *buf, int num) {
isc_result_t result;
if (num < 0)
return (-1);
result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
return (result == ISC_R_SUCCESS ? 1 : -1);
}
static isc_result_t
openssldsa_generate(dst_key_t *key, int unused) {
#if OPENSSL_VERSION_NUMBER > 0x00908000L
BN_GENCB cb;
#endif
DSA *dsa;
unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
isc_result_t result;
UNUSED(unused);
result = dst__entropy_getdata(rand_array, sizeof(rand_array),
ISC_FALSE);
if (result != ISC_R_SUCCESS)
return (result);
#if OPENSSL_VERSION_NUMBER > 0x00908000L
dsa = DSA_new();
if (dsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
BN_GENCB_set_old(&cb, NULL, NULL);
if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
ISC_SHA1_DIGESTLENGTH, NULL, NULL,
&cb))
{
DSA_free(dsa);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
#else
dsa = DSA_generate_parameters(key->key_size, rand_array,
ISC_SHA1_DIGESTLENGTH, NULL, NULL,
NULL, NULL);
if (dsa == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
#endif
if (DSA_generate_key(dsa) == 0) {
DSA_free(dsa);
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
key->opaque = dsa;
return (ISC_R_SUCCESS);
}
static isc_result_t
process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
dns_rdata_tkey_t *tkeyout,
dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
{
isc_result_t result = ISC_R_SUCCESS;
dns_name_t *keyname, ourname;
dns_rdataset_t *keyset = NULL;
dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
dst_key_t *pubkey = NULL;
isc_buffer_t ourkeybuf, *shared = NULL;
isc_region_t r, r2, ourkeyr;
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
isc_buffer_t secret;
unsigned char *randomdata = NULL, secretdata[256];
dns_ttl_t ttl = 0;
if (tctx->dhkey == NULL) {
tkey_log("process_dhtkey: tkey-dhkey not defined");
tkeyout->error = dns_tsigerror_badalg;
return (DNS_R_REFUSED);
}
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
/*
* Look for a DH KEY record that will work with ours.
*/
for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
result == ISC_R_SUCCESS && !found_key;
result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
keyset = NULL;
result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
&keyset);
if (result != ISC_R_SUCCESS)
continue;
for (result = dns_rdataset_first(keyset);
result == ISC_R_SUCCESS && !found_key;
result = dns_rdataset_next(keyset)) {
dns_rdataset_current(keyset, &keyrdata);
pubkey = NULL;
result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
msg->mctx, &pubkey);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
continue;
}
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
found_key = ISC_TRUE;
ttl = keyset->ttl;
break;
} else
found_incompatible = ISC_TRUE;
}
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
tkeyout->error = dns_tsigerror_badkey;
return (ISC_R_SUCCESS);
} else {
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
}
RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
dns_rdatatype_key, &ourkeyr);
dns_name_init(&ourname, NULL);
dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
/*
* XXXBEW The TTL should be obtained from the database, if it exists.
*/
RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
isc_result_totext(result));
goto failure;
}
dst_key_free(&pubkey);
isc_buffer_init(&secret, secretdata, sizeof(secretdata));
randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
if (randomdata == NULL)
goto failure;
result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
ISC_FALSE);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
isc_result_totext(result));
goto failure;
}
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
r2.base = tkeyin->key;
r2.length = tkeyin->keylen;
RETERR(compute_secret(shared, &r2, &r, &secret));
isc_buffer_free(&shared);
RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
isc_buffer_base(&secret),
isc_buffer_usedlength(&secret),
ISC_TRUE, signer, tkeyin->inception,
tkeyin->expire, ring->mctx, ring, NULL));
/* This key is good for a long time */
tkeyout->inception = tkeyin->inception;
tkeyout->expire = tkeyin->expire;
tkeyout->key = randomdata;
tkeyout->keylen = TKEY_RANDOM_AMOUNT;
return (ISC_R_SUCCESS);
failure:
if (!ISC_LIST_EMPTY(*namelist))
free_namelist(msg, namelist);
if (shared != NULL)
isc_buffer_free(&shared);
if (pubkey != NULL)
dst_key_free(&pubkey);
if (randomdata != NULL)
isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
return (result);
}
