37 #include <dns/tsig.h>
81 static unsigned char gsstsig_ndata[] = "\010gss-tsig";
166 			      level, "tsig key '%s' (%s): %s",
171 			      level, "tsig key '%s': %s", namestr, message);
471 				tsig_log(tkey, 2, "tsig expire: deleting");
841 	dns_rdata_any_tsig_t tsig, querytsig;
863 	 * If this is a response, there should be a query tsig.
873 	tsig.mctx = mctx;
874 	tsig.common.rdclass = dns_rdataclass_any;
875 	tsig.common.rdtype = dns_rdatatype_tsig;
876 	ISC_LINK_INIT(&tsig.common, link);
877 	dns_name_init(&tsig.algorithm, NULL);
878 	dns_name_clone(key->algorithm, &tsig.algorithm);
881 	tsig.timesigned = now + msg->timeadjust;
882 	tsig.fudge = DNS_TSIG_FUDGE;
884 	tsig.originalid = msg->id;
889 		tsig.error = msg->querytsigstatus;
891 		tsig.error = dns_rcode_noerror;
893 	if (tsig.error != dns_tsigerror_badtime) {
894 		tsig.otherlen = 0;
895 		tsig.other = NULL;
899 		tsig.otherlen = BADTIMELEN;
900 		tsig.other = badtimedata;
901 		isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
902 		isc_buffer_putuint48(&otherbuf, tsig.timesigned);
906 	    (tsig.error != dns_tsigerror_badsig) &&
907 	    (tsig.error != dns_tsigerror_badkey))
997 			dns_name_toregion(&tsig.algorithm, &r);
1005 		if (tsig.error == dns_tsigerror_badtime) {
1007 			tsig.timesigned = querytsig.timesigned;
1009 		isc_buffer_putuint48(&databuf, tsig.timesigned);
1010 		isc_buffer_putuint16(&databuf, tsig.fudge);
1021 			isc_buffer_putuint16(&databuf, tsig.error);
1022 			isc_buffer_putuint16(&databuf, tsig.otherlen);
1032 			if (tsig.otherlen > 0) {
1033 				r.length = tsig.otherlen;
1034 				r.base = tsig.other;
1044 		tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
1045 		if (tsig.signature == NULL) {
1050 		isc_buffer_init(&sigbuf, tsig.signature, sigsize);
1073 			tsig.siglen = bytes;
1075 			tsig.siglen = isc_buffer_usedlength(&sigbuf);
1077 		tsig.siglen = 0;
1078 		tsig.signature = NULL;
1088 				   dns_rdatatype_tsig, &tsig, dynbuf);
1094 	if (tsig.signature != NULL) {
1095 		isc_mem_put(mctx, tsig.signature, sigsize);
1096 		tsig.signature = NULL;
1121 	msg->tsig = dataset;
1124 	/* Windows does not like the tsig name being compressed. */
1139 	if (tsig.signature != NULL)
1140 		isc_mem_put(mctx, tsig.signature, sigsize);
1151 	dns_rdata_any_tsig_t tsig, querytsig;
1189 	if (msg->tsig == NULL)
1207 	ret = dns_rdataset_first(msg->tsig);
1210 	dns_rdataset_current(msg->tsig, &rdata);
1211 	ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1237 	     !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
1256 					       &tsig.algorithm, ring1);
1259 					       &tsig.algorithm, ring2);
1262 			ret = dns_tsigkey_create(keyname, &tsig.algorithm,
1291 		if (tsig.siglen > siglen) {
1295 		if (tsig.siglen > 0 &&
1296 		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
1304 	if (tsig.siglen > 0) {
1307 		sig_r.base = tsig.signature;
1308 		sig_r.length = tsig.siglen;
1350 		id = htons(tsig.originalid);
1381 		isc_buffer_putuint16(&databuf, tsig.common.rdclass);
1382 		isc_buffer_putuint32(&databuf, msg->tsig->ttl);
1397 		isc_buffer_putuint48(&databuf, tsig.timesigned);
1398 		isc_buffer_putuint16(&databuf, tsig.fudge);
1399 		isc_buffer_putuint16(&databuf, tsig.error);
1400 		isc_buffer_putuint16(&databuf, tsig.otherlen);
1406 		if (tsig.otherlen > 0) {
1407 			r.base = tsig.other;
1408 			r.length = tsig.otherlen;
1424 	} else if (tsig.error != dns_tsigerror_badsig &&
1425 		   tsig.error != dns_tsigerror_badkey) {
1440 	if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1445 	} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
1472 		if (tsig.siglen > 0 && digestbits != 0 &&
1473 		    tsig.siglen < ((digestbits + 1) / 8))
1481 		if (tsig.siglen > 0 && digestbits == 0 &&
1482 		    tsig.siglen < siglen)
1491 	if (tsig.error != dns_rcode_noerror) {
1492 		msg->tsigstatus = tsig.error;
1493 		if (tsig.error == dns_tsigerror_badtime)
1512 	dns_rdata_any_tsig_t tsig, querytsig;
1561 	if (msg->tsig != NULL) {
1565 		ret = dns_rdataset_first(msg->tsig);
1568 		dns_rdataset_current(msg->tsig, &rdata);
1569 		ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1577 		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
1603 			if (tsig.siglen > siglen) {
1609 			if (tsig.siglen > 0 &&
1610 			    (tsig.siglen < 10 ||
1611 			     tsig.siglen < ((siglen + 1) / 2)))
1674 		id = htons(tsig.originalid);
1705 		isc_buffer_putuint48(&databuf, tsig.timesigned);
1706 		isc_buffer_putuint16(&databuf, tsig.fudge);
1712 		sig_r.base = tsig.signature;
1713 		sig_r.length = tsig.siglen;
1714 		if (tsig.siglen == 0) {
1715 			if (tsig.error != dns_rcode_noerror) {
1716 				msg->tsigstatus = tsig.error;
1717 				if (tsig.error == dns_tsigerror_badtime) {
1753 		if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1759 			   tsig.timesigned - tsig.fudge)
1795 			if (tsig.siglen > 0 && digestbits != 0 &&
1796 			    tsig.siglen < ((digestbits + 1) / 8))
1805 			if (tsig.siglen > 0 && digestbits == 0 &&
1806 			    tsig.siglen < siglen)
1816 		if (tsig.error != dns_rcode_noerror) {
1817 			msg->tsigstatus = tsig.error;
1818 			if (tsig.error == dns_tsigerror_badtime)

Indexes created Tue Jul 24 14:28:13 CEST 2018