tsig.c revision 1f1d36a87b65186d9f89aac7f456ab1fd2a39ef6
/*
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* $Id: tsig.c,v 1.115 2001/11/30 01:59:20 gson Exp $
*/
#include <config.h>
#include <stdlib.h>
#include <isc/refcount.h>
#include <dns/keyvalues.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#define algname_is_allocated(algname) \
((algname) != dns_tsig_hmacmd5_name && \
(algname) != dns_tsig_gssapi_name && \
#define BADTIMELEN 6
static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
static dns_name_t hmacmd5 = {
{(void *)-1, (void *)-1},
};
static unsigned char gsstsig_ndata[] = "\010gss-tsig";
static unsigned char gsstsig_offsets[] = { 0, 9 };
static dns_name_t gsstsig = {
{(void *)-1, (void *)-1},
};
/* It's nice of Microsoft to conform to their own standard. */
static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
static dns_name_t gsstsigms = {
{(void *)-1, (void *)-1},
};
static isc_result_t
static void
static void
char message[4096];
char namestr[DNS_NAME_FORMATSIZE];
return;
else
}
{
unsigned int refs = 0;
return (ISC_R_NOMEMORY);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
ret = DNS_R_BADALG;
goto cleanup_name;
}
ret = DNS_R_BADALG;
goto cleanup_name;
}
ret = DNS_R_BADALG;
goto cleanup_name;
}
} else {
ret = DNS_R_BADALG;
goto cleanup_name;
}
goto cleanup_name;
}
if (ret != ISC_R_SUCCESS)
goto cleanup_algorithm;
NULL);
}
goto cleanup_algorithm;
}
if (ret != ISC_R_SUCCESS) {
goto cleanup_algorithm;
}
} else
if (ret != ISC_R_SUCCESS) {
goto cleanup_algorithm;
}
refs++;
}
refs++;
char namestr[DNS_NAME_FORMATSIZE];
"the key '%s' is too short to be secure",
namestr);
}
return (ISC_R_SUCCESS);
}
return (ret);
}
{
if (length > 0)
return (DNS_R_BADALG);
isc_buffer_t b;
isc_buffer_add(&b, length);
if (result != ISC_R_SUCCESS)
return (result);
}
return (result);
}
void
}
static void
}
}
}
void
unsigned int refs;
if (refs == 0)
}
void
}
static void
}
unsigned char data[128];
isc_region_t r;
unsigned char badtimedata[BADTIMELEN];
unsigned int sigsize = 0;
/*
* If this is a response, there should be a query tsig.
*/
return (DNS_R_EXPECTEDTSIG);
if (is_response(msg))
else
} else {
}
unsigned char header[DNS_MESSAGE_HEADERLEN];
if (ret != ISC_R_SUCCESS)
return (ret);
/*
* If this is a response, digest the query signature.
*/
if (is_response(msg)) {
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (isc_buffer_availablelength(&databuf) <
{
ret = ISC_R_NOSPACE;
goto cleanup_context;
}
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
/*
* Digest the header.
*/
isc_buffer_usedregion(&headerbuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the remainder of the message.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (msg->tcp_continuation == 0) {
/*
* Digest the name, class, ttl, alg.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
/* Digest the timesigned and fudge */
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (msg->tcp_continuation == 0) {
/*
* Digest the error and other data length.
*/
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the error and other data.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
goto cleanup_context;
}
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
} else {
}
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
}
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
if (ret != ISC_R_SUCCESS)
goto cleanup_owner;
if (ret != ISC_R_SUCCESS)
goto cleanup_owner;
if (ret != ISC_R_SUCCESS)
goto cleanup_owner;
== ISC_R_SUCCESS);
return (ISC_R_SUCCESS);
return (ret);
}
{
unsigned char data[32];
unsigned char header[DNS_MESSAGE_HEADERLEN];
if (msg->tcp_continuation)
/*
* There should be a TSIG record...
*/
return (DNS_R_EXPECTEDTSIG);
/*
* If this is a response and there's no key or query TSIG, there
* shouldn't be one on the response.
*/
if (is_response(msg) &&
return (DNS_R_UNEXPECTEDTSIG);
/*
* If we're here, we know the message is well formed and contains a
* TSIG record.
*/
if (ret != ISC_R_SUCCESS)
return (ret);
if (ret != ISC_R_SUCCESS)
return (ret);
if (is_response(msg)) {
if (ret != ISC_R_SUCCESS)
return (ret);
if (ret != ISC_R_SUCCESS)
return (ret);
}
/*
* Do the key name and algorithm match that of the query?
*/
if (is_response(msg) &&
{
"key name and algorithm do not match");
return (DNS_R_TSIGVERIFYFAILURE);
}
/*
* Get the current time.
*/
/*
* Find dns_tsigkey_t based on keyname.
*/
if (ret != ISC_R_SUCCESS) {
if (ret != ISC_R_SUCCESS)
return (ret);
return (DNS_R_TSIGVERIFYFAILURE);
}
}
/*
* Is the time ok?
*/
return (DNS_R_CLOCKSKEW);
return (DNS_R_CLOCKSKEW);
}
if (ret != ISC_R_SUCCESS)
return (ret);
if (is_response(msg)) {
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
/*
* Decrement the additional field counter.
*/
/*
* Put in the original id.
*/
/*
* Digest the modified header.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest all non-TSIG records.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key name.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key algorithm.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
if (ret == DST_R_VERIFYFAILURE) {
"signature failed to verify");
goto cleanup_context;
} else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
{
return (DNS_R_TSIGVERIFYFAILURE);
}
return (DNS_R_CLOCKSKEW);
else
return (DNS_R_TSIGERRORSET);
}
return (ISC_R_SUCCESS);
return (ret);
}
static isc_result_t
unsigned char data[32];
unsigned char header[DNS_MESSAGE_HEADERLEN];
/*
* Extract and parse the previous TSIG
*/
if (ret != ISC_R_SUCCESS)
return (ret);
if (ret != ISC_R_SUCCESS)
return (ret);
/*
* If there is a TSIG in this message, do some checks.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
/*
* Do the key name and algorithm match that of the query?
*/
{
"key name and algorithm do not match");
goto cleanup_querystruct;
}
/*
* Is the time ok?
*/
goto cleanup_querystruct;
{
"signature is in the future");
goto cleanup_querystruct;
}
}
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
/*
* Digest the length of the query signature
*/
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the data of the query signature
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
/*
* Decrement the additional field counter if necessary.
*/
if (has_tsig) {
}
/*
* Put in the original id.
*/
/* XXX Can TCP transfers be forwarded? How would that work? */
if (has_tsig) {
}
/*
* Digest the modified header.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest all non-TSIG records.
*/
if (has_tsig)
else
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the time signed and fudge.
*/
if (has_tsig) {
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
else
} else {
"signature is empty");
}
goto cleanup_context;
}
if (ret == DST_R_VERIFYFAILURE) {
"signature failed to verify");
goto cleanup_context;
}
else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
return (ISC_R_SUCCESS);
return (ret);
}
{
return (ISC_R_NOTFOUND);
}
return (ISC_R_NOTFOUND);
}
/*
* The key has expired.
*/
return (ISC_R_NOTFOUND);
}
return (ISC_R_SUCCESS);
}
static void
}
return (ISC_R_NOMEMORY);
if (result != ISC_R_SUCCESS) {
"isc_rwlock_init() failed: %s",
return (ISC_R_UNEXPECTED);
}
if (result != ISC_R_SUCCESS) {
return (result);
}
return (ISC_R_SUCCESS);
}
void
}