tkey.c revision c40906dfad6dd6e3a3e3c94b8c8847bc9bc064e5
/*
* Copyright (C) 1999-2001, 2003-2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/*! \file */
#include <config.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include "dst_internal.h"
#define TEMP_BUFFER_SZ 8192
#define TKEY_RANDOM_AMOUNT 16
#ifdef PKCS11CRYPTO
#endif
#define RETERR(x) do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
goto failure; \
} while (0)
static void
static void
}
static void
unsigned char *output;
int len = TEMP_BUFFER_SZ;
for (;;) {
return;
0, &outbuf);
if (result == ISC_R_NOSPACE) {
len *= 2;
continue;
}
if (result == ISC_R_SUCCESS)
tkey_log("%.*s",
(int)isc_buffer_usedlength(&outbuf),
(char *)isc_buffer_base(&outbuf));
else
tkey_log("Warning: dns_message_totext: %s",
break;
}
}
{
return (ISC_R_NOMEMORY);
return (ISC_R_SUCCESS);
}
void
}
}
}
static isc_result_t
{
isc_region_t r, newr;
dns_rdata_toregion(rdata, &r);
return (ISC_R_SUCCESS);
}
}
}
return (result);
}
static void
while (!ISC_LIST_EMPTY(*namelist)) {
}
}
}
static isc_result_t
{
#ifndef PK11_MD5_DISABLE
isc_region_t r, r2;
unsigned char digests[32];
unsigned int i;
isc_buffer_usedregion(shared, &r);
/*
* MD5 ( query data | DH value ).
*/
/*
* MD5 ( server data | DH value ).
*/
/*
* XOR ( DH value, MD5-1 | MD5-2).
*/
return (ISC_R_NOSPACE);
for (i = 0; i < sizeof(digests); i++)
} else {
}
return (ISC_R_SUCCESS);
#else
return (ISC_R_NOTIMPLEMENTED);
#endif
}
static isc_result_t
{
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned int sharedsize;
tkey_log("process_dhtkey: tkey-dhkey not defined");
return (DNS_R_REFUSED);
}
#ifndef PK11_MD5_DISABLE
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
return (ISC_R_SUCCESS);
}
#else
tkey_log("process_dhtkey: MD5 was disabled");
return (ISC_R_SUCCESS);
#endif
/*
* Look for a DH KEY record that will work with ours.
*/
&keyset);
if (result != ISC_R_SUCCESS)
continue;
if (result != ISC_R_SUCCESS) {
continue;
}
#ifndef PK11_DH_DISABLE
{
break;
} else
}
#endif
}
}
if (!found_key) {
if (found_incompatible) {
tkey_log("process_dhtkey: found an incompatible key");
return (ISC_R_SUCCESS);
} else {
tkey_log("process_dhtkey: failed to find a key");
return (DNS_R_FORMERR);
}
}
/*
* XXXBEW The TTL should be obtained from the database, if it exists.
*/
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to compute shared secret: %s",
goto failure;
}
if (randomdata == NULL)
goto failure;
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
goto failure;
}
r.base = randomdata;
r.length = TKEY_RANDOM_AMOUNT;
/* This key is good for a long time */
return (ISC_R_SUCCESS);
if (!ISC_LIST_EMPTY(*namelist))
if (randomdata != NULL)
return (result);
}
static isc_result_t
{
/*
* You have to define either a gss credential (principal) to
* accept with tkey-gssapi-credential, or you have to
* configure a specific keytab (with tkey-gssapi-keytab) in
* order to use gsstkey
*/
tkey_log("process_gsstkey(): no tkey-gssapi-credential "
"or tkey-gssapi-keytab configured");
return (ISC_R_NOPERM);
}
return (ISC_R_SUCCESS);
}
/*
* XXXDCL need to check for key expiry per 4.1.1
*/
if (result == ISC_R_SUCCESS)
/*
* Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
*/
if (result == DNS_R_INVALIDTKEY) {
return (ISC_R_SUCCESS);
}
goto failure;
/*
* XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
*/
if (dns_name_countlabels(principal) == 0U) {
#ifdef GSSAPI
#endif
/*
* Limit keys to 1 hour or the context's lifetime whichever
* is smaller.
*/
#ifdef GSSAPI
#endif
NULL));
} else {
}
if (outtoken) {
goto failure;
}
} else {
goto failure;
}
}
return (ISC_R_SUCCESS);
tkey_log("process_gsstkey(): %s",
return (result);
}
static isc_result_t
{
if (result != ISC_R_SUCCESS) {
return (ISC_R_SUCCESS);
}
/*
* Only allow a delete if the identity that created the key is the
* same as the identity that signed the message.
*/
return (DNS_R_REFUSED);
}
/*
* Set the key to be deleted when no references are left. If the key
* was not generated with TKEY and is in the config file, it may be
* reloaded later.
*/
/* Release the reference */
return (ISC_R_SUCCESS);
}
{
char tkeyoutdata[512];
/*
* Interpret the question section.
*/
if (result != ISC_R_SUCCESS)
return (DNS_R_FORMERR);
/*
* Look for a TKEY record that matches the question.
*/
if (result != ISC_R_SUCCESS) {
/*
* Try the answer section, since that's where Win2000
* puts it.
*/
dns_rdatatype_tkey, 0, &name,
&tkeyset) != ISC_R_SUCCESS) {
tkey_log("dns_tkey_processquery: couldn't find a TKEY "
"matching the question");
goto failure;
}
}
if (result != ISC_R_SUCCESS) {
goto failure;
}
goto failure;
}
/*
* Before we go any farther, verify that the message was signed.
* GSSAPI TKEY doesn't require a signature, the rest do.
*/
if (result != ISC_R_SUCCESS) {
result == ISC_R_NOTFOUND)
else {
tkey_log("dns_tkey_processquery: query was not "
"properly signed - rejecting");
goto failure;
}
} else
/*
* A delete operation must have a fully specified key name. If this
* is not a delete, we do the following:
* if (qname != ".")
* keyname = qname + defaultdomain
* else
* keyname = <random hex> + defaultdomain
*/
tkey_log("dns_tkey_processquery: tkey-domain not set");
goto failure;
}
unsigned int n = dns_name_countlabels(qname);
== ISC_R_SUCCESS);
} else {
static char hexdigits[16] = {
'0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
unsigned char randomdata[16];
char randomtext[32];
isc_buffer_t b;
unsigned int i, j;
sizeof(randomdata),
NULL, 0);
if (result != ISC_R_SUCCESS)
goto failure;
for (i = 0, j = 0; i < sizeof(randomdata); i++) {
unsigned char val = randomdata[i];
}
isc_buffer_add(&b, sizeof(randomtext));
if (result != ISC_R_SUCCESS)
goto failure;
}
/* Yup. This is a hack */
if (result != ISC_R_SUCCESS)
goto failure;
} else {
if (result != ISC_R_SUCCESS)
goto failure;
}
if (result == ISC_R_SUCCESS) {
goto failure_with_tkey;
} else if (result != ISC_R_NOTFOUND)
goto failure;
} else
&namelist));
break;
case DNS_TKEYMODE_GSSAPI:
break;
case DNS_TKEYMODE_DELETE:
break;
goto failure;
default:
}
&tkeyoutbuf);
if (freetkeyin) {
}
if (result != ISC_R_SUCCESS)
goto failure;
}
return (ISC_R_SUCCESS);
if (freetkeyin)
if (!ISC_LIST_EMPTY(namelist))
return (result);
}
static isc_result_t
{
unsigned int len;
/*
* Windows 2000 needs this in the answer section, not the additional
* section where the RFC specifies.
*/
if (win2k)
else
return (ISC_R_SUCCESS);
}
return (result);
}
{
isc_region_t r;
isc_buffer_usedregion(nonce, &r);
else {
r.length = 0;
}
isc_buffer_usedregion(dynbuf, &r);
dns_rdatatype_key, &r);
}
return (ISC_R_SUCCESS);
return (result);
}
{
unsigned char array[TEMP_BUFFER_SZ];
mctx, err_message);
return (result);
if (win2k)
else
}
}
static isc_result_t
int section)
{
while (result == ISC_R_SUCCESS) {
&tkeyset);
if (result == ISC_R_SUCCESS) {
if (result != ISC_R_SUCCESS)
return (result);
return (ISC_R_SUCCESS);
}
}
if (result == ISC_R_NOMORE)
return (ISC_R_NOTFOUND);
return (result);
}
{
unsigned char secretdata[256];
unsigned int sharedsize;
isc_region_t r, r2;
tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
"or error set(1)");
goto failure;
}
ourkeyname = NULL;
dns_rdatatype_key, 0, &ourkeyname,
&ourkeyset));
while (result == ISC_R_SUCCESS) {
theirkeyname = NULL;
&theirkeyname);
goto next;
theirkeyset = NULL;
0, &theirkeyset);
if (result == ISC_R_SUCCESS) {
break;
}
next:
}
if (theirkeyset == NULL) {
tkey_log("dns_tkey_processdhresponse: failed to find server "
"key");
goto failure;
}
else {
}
isc_buffer_usedregion(&secret, &r);
return (result);
if (freertkey)
return (result);
}
{
unsigned char array[TEMP_BUFFER_SZ];
/*
* Win2k puts the item in the ANSWER section, while the RFC
* specifies it should be in the ADDITIONAL section. Check first
* where it should be, and then where it may be.
*/
if (result == ISC_R_NOTFOUND)
if (result != ISC_R_SUCCESS)
goto failure;
tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
goto failure;
}
return (result);
/*
* XXXSRA This probably leaks memory from rtkey and qtkey.
*/
return (result);
}
{
tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
"or error set(3)");
goto failure;
}
/*
* Mark the key as deleted.
*/
/*
* Release the reference.
*/
return (result);
}
{
unsigned char array[TEMP_BUFFER_SZ];
else
{
tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
"or error set(4)");
goto failure;
}
return (result);
if (result == DNS_R_CONTINUE) {
if (win2k)
else
return (DNS_R_CONTINUE);
}
/*
* XXXSRA This seems confused. If we got CONTINUE from initctx,
* the GSS negotiation hasn't completed yet, so we can't sign
* anything yet.
*/
return (result);
/*
* XXXSRA This probably leaks memory from qtkey.
*/
if (freertkey)
return (result);
}