tkey.c revision 9b0c4bf7003db929fe00a345fc96fb97677d29e0
/*
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* $Id: tkey.c,v 1.60 2001/01/11 04:23:39 bwelling Exp $
*/
#include <config.h>
#include <dns/keyvalues.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#define TKEY_RANDOM_AMOUNT 16
#define RETERR(x) do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
goto failure; \
} while (0)
static void
}
{
return (ISC_R_NOMEMORY);
return (ISC_R_SUCCESS);
}
void
}
}
static isc_result_t
{
isc_region_t r, newr;
dns_rdata_toregion(rdata, &r);
return (ISC_R_SUCCESS);
}
}
return (result);
}
static void
while (!ISC_LIST_EMPTY(*namelist)) {
}
}
}
static isc_result_t
{
isc_region_t r, r2;
unsigned char digests[32];
unsigned int i;
isc_buffer_usedregion(shared, &r);
/*
* MD5 ( query data | DH value ).
*/
/*
* MD5 ( server data | DH value ).
*/
/*
* XOR ( DH value, MD5-1 | MD5-2).
*/
return (ISC_R_NOSPACE);
for (i = 0; i < sizeof(digests); i++)
}
else {
}
return (ISC_R_SUCCESS);
}
static isc_result_t
{
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
tkey_log("process_dhtkey: tkey-dhkey not defined");
return (DNS_R_REFUSED);
}
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
return (ISC_R_SUCCESS);
}
/*
* Look for a DH KEY record that will work with ours.
*/
while (result == ISC_R_SUCCESS) {
&keyset);
if (result == ISC_R_SUCCESS) {
while (result == ISC_R_SUCCESS) {
&keyrdata,
&pubkey);
if (result != ISC_R_SUCCESS) {
continue;
}
{
goto got_key;
}
else
}
}
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
return (ISC_R_SUCCESS);
} else
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
namelist));
ourttl = 0;
#if 0
/*
* Not sure how to do this without a view...
*/
if (result == ISC_R_SUCCESS) {
DNS_DBFIND_NOWILD, 0, NULL,
if (result == ISC_R_SUCCESS) {
}
}
#endif
namelist));
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
goto failure;
}
if (randomdata == NULL) {
goto failure;
}
TKEY_RANDOM_AMOUNT, NULL, 0);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
goto failure;
}
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
isc_buffer_usedregion(&secret, &r);
if (result == ISC_R_NOTFOUND) {
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS)
goto failure;
/* This key is good for a long time */
return (ISC_R_SUCCESS);
if (!ISC_LIST_EMPTY(*namelist)) {
}
}
return (result);
}
static isc_result_t
{
unsigned char array[1024];
return (ISC_R_NOPERM);
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS)
goto failure;
if (result == ISC_R_NOTFOUND) {
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS)
goto failure;
/* This key is good for a long time */
goto failure;
}
return (ISC_R_SUCCESS);
return (result);
}
static isc_result_t
{
if (result != ISC_R_SUCCESS)
/*
* Only allow a delete if the identity that created the key is the
* same as the identity that signed the message.
*/
return (DNS_R_REFUSED);
/*
* Set the key to be deleted when no references are left. If the key
* was not generated with TKEY and is in the config file, it may be
* reloaded later.
*/
/* Release the reference */
return (ISC_R_SUCCESS);
}
{
/*
* Need to do this to determine if this should be freed later.
*/
/*
* Interpret the question section.
*/
if (result != ISC_R_SUCCESS)
return (DNS_R_FORMERR);
/*
* Look for a TKEY record that matches the question.
*/
if (result != ISC_R_SUCCESS) {
/*
* Try the answer section, since that's where Win2000
* puts it.
*/
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS)
{
tkey_log("dns_tkey_processquery: couldn't find a TKEY "
"matching the question");
goto failure;
}
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
goto failure;
}
/*
* Before we go any farther, verify that the message was signed.
* GSSAPI TKEY doesn't require a signature, the rest do.
*/
if (result != ISC_R_SUCCESS) {
result == ISC_R_NOTFOUND)
else {
tkey_log("dns_tkey_processquery: query was not "
"properly signed - rejecting");
goto failure;
}
} else
/*
* A delete operation must have a fully specified key name. If this
* is not a delete, we do the following:
* if (qname != ".")
* keyname = qname + defaultdomain
* else
* keyname = <random hex> + defaultdomain
*/
unsigned char tdata[64];
keyname = &tempkeyname;
unsigned int n = dns_name_countlabels(qname);
}
else {
static char hexdigits[16] = {
'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
unsigned char randomtext[32];
isc_buffer_t b, b2;
int i;
sizeof(randomtext),
NULL, 0);
if (result != ISC_R_SUCCESS) {
goto failure;
}
}
isc_buffer_add(&b, sizeof(randomtext));
if (result != ISC_R_SUCCESS) {
goto failure;
}
}
tkey_log("dns_tkey_processquery: tkey-domain not set");
goto failure;
}
if (result != ISC_R_SUCCESS)
goto failure;
if (result == ISC_R_SUCCESS) {
goto failure_with_tkey;
}
else if (result != ISC_R_NOTFOUND)
goto failure;
}
else
&namelist));
break;
case DNS_TKEYMODE_GSSAPI:
&namelist));
break;
case DNS_TKEYMODE_DELETE:
break;
goto failure;
default:
}
if (result != ISC_R_SUCCESS)
goto failure;
}
return (ISC_R_SUCCESS);
if (freealg)
if (!ISC_LIST_EMPTY(namelist))
return (result);
}
static isc_result_t
{
return (ISC_R_SUCCESS);
}
return (result);
}
{
isc_region_t r;
isc_buffer_usedregion(nonce, &r);
else {
r.length = 0;
}
isc_buffer_usedregion(dynbuf, &r);
dns_rdatatype_key, &r);
return (ISC_R_SUCCESS);
return (result);
}
{
unsigned char array[1024];
return (result);
return (ISC_R_SUCCESS);
return (result);
}
}
static isc_result_t
int section)
{
while (result == ISC_R_SUCCESS) {
&tkeyset);
if (result == ISC_R_SUCCESS) {
if (result != ISC_R_SUCCESS)
return (result);
return (ISC_R_SUCCESS);
}
}
if (result == ISC_R_NOMORE)
return (ISC_R_NOTFOUND);
return (result);
}
{
unsigned char secretdata[256];
unsigned int sharedsize;
isc_region_t r, r2;
{
tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
"or error set");
goto failure;
}
ourkeyname = NULL;
dns_rdatatype_key, 0, &ourkeyname,
&ourkeyset));
while (result == ISC_R_SUCCESS) {
theirkeyname = NULL;
&theirkeyname);
goto next;
theirkeyset = NULL;
0, &theirkeyset);
if (result == ISC_R_SUCCESS) {
break;
}
next:
}
if (theirkeyset == NULL) {
tkey_log("dns_tkey_processdhresponse: failed to find server "
"key");
goto failure;
}
else {
}
isc_buffer_usedregion(&secret, &r);
return (result);
if (freertkey)
return (result);
}
{
isc_region_t r;
unsigned char array[1024];
{
tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
"or error set");
goto failure;
}
&dstkey));
return (result);
return (result);
}
{
{
tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
"or error set");
goto failure;
}
/*
* Mark the key as deleted.
*/
/*
* Release the reference.
*/
return (result);
}