tsig.c revision 368b37b616234fce3d23099eb180f1dd38e1fb62
/*
* Copyright (C) 1999, 2000 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* $Id: tsig.c,v 1.95 2000/10/31 03:22:01 marka Exp $
* Principal Author: Brian Wellington
*/
#include <config.h>
#include <stdlib.h> /* Required for abs(). */
#include <dns/keyvalues.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#define algname_is_allocated(algname) \
((algname) != dns_tsig_hmacmd5_name && \
(algname) != dns_tsig_gssapi_name && \
#define BADTIMELEN 6
/* Copied from name.c */
struct dns_constname {
unsigned char const_ndata[30];
unsigned char const_offsets[5];
};
static struct dns_constname hmacmd5 = {
{
{(void *)-1, (void *)-1},
},
{ "\010hmac-md5\007sig-alg\003reg\003int" }, /* const_ndata */
{ 0, 9, 17, 21, 25 } /* const_offsets */
};
static struct dns_constname gsstsig = {
{
{(void *)-1, (void *)-1},
},
{ "\010gss-tsig" }, /* const_ndata */
{ 0, 9 } /* const_offsets */
};
/* It's nice of Microsoft to conform to their own standard. */
static struct dns_constname gsstsigms = {
{
{(void *)-1, (void *)-1},
},
{ "\003gss\011microsoft\003com" }, /* const_ndata */
{ 0, 4, 14, 18 } /* const_offsets */
};
static isc_result_t
{
return (ISC_R_NOMEMORY);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
else {
goto cleanup_name;
}
goto cleanup_name;
}
if (ret != ISC_R_SUCCESS)
goto cleanup_algorithm;
}
goto cleanup_algorithm;
}
if (ret != ISC_R_SUCCESS) {
goto cleanup_algorithm;
}
} else
if (ret != ISC_R_SUCCESS) {
goto cleanup_algorithm;
}
}
if (ret != ISC_R_SUCCESS) {
"isc_mutex_init() failed: %s",
return (ISC_R_UNEXPECTED);
}
char namestr[DNS_NAME_FORMATSIZE];
"the TSIG key for '%s' is too short to "
"be secure", namestr);
}
return (ISC_R_SUCCESS);
}
return (ret);
}
{
if (length > 0)
return (ISC_R_NOTIMPLEMENTED);
if (length > 0) {
isc_buffer_t b;
isc_buffer_add(&b, length);
if (result != ISC_R_SUCCESS)
return (result);
}
return (result);
}
void
}
static void
}
}
}
void
if (should_free)
}
void
}
static void
}
unsigned char data[128];
isc_region_t r;
unsigned char badtimedata[BADTIMELEN];
unsigned int sigsize = 0;
/*
* If this is a response, there should be a query tsig.
*/
return (DNS_R_EXPECTEDTSIG);
if (is_response(msg))
else
} else {
}
unsigned char header[DNS_MESSAGE_HEADERLEN];
if (ret != ISC_R_SUCCESS)
return (ret);
/*
* If this is a response, digest the query signature.
*/
if (is_response(msg)) {
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (isc_buffer_availablelength(&databuf) <
{
ret = ISC_R_NOSPACE;
goto cleanup_context;
}
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
/*
* Digest the header.
*/
isc_buffer_usedregion(&headerbuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the remainder of the message.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (msg->tcp_continuation == 0) {
/*
* Digest the name, class, ttl, alg.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
/* Digest the timesigned and fudge */
else
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (msg->tcp_continuation == 0) {
/*
* Digest the error and other data length.
*/
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the error and other data.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
goto cleanup_context;
}
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
} else {
}
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
}
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
if (ret != ISC_R_SUCCESS)
goto cleanup_owner;
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
if (ret != ISC_R_SUCCESS)
goto cleanup_owner;
return (ISC_R_SUCCESS);
return (ret);
}
{
unsigned char data[32];
unsigned char header[DNS_MESSAGE_HEADERLEN];
if (msg->tcp_continuation)
/*
* There should be a TSIG record...
*/
return (DNS_R_EXPECTEDTSIG);
/*
* If this is a response and there's no key or query TSIG, there
* shouldn't be one on the response.
*/
if (is_response(msg) &&
return (DNS_R_UNEXPECTEDTSIG);
/*
* If we're here, we know the message is well formed and contains a
* TSIG record.
*/
if (ret != ISC_R_SUCCESS)
return (ret);
if (ret != ISC_R_SUCCESS)
return (ret);
if (is_response(msg)) {
if (ret != ISC_R_SUCCESS)
return (ret);
if (ret != ISC_R_SUCCESS)
return (ret);
}
/*
* Do the key name and algorithm match that of the query?
*/
if (is_response(msg) &&
{
return (DNS_R_TSIGVERIFYFAILURE);
}
/*
* Get the current time.
*/
/*
* Find dns_tsigkey_t based on keyname.
*/
if (ret != ISC_R_SUCCESS) {
if (ret != ISC_R_SUCCESS)
return (ret);
return (DNS_R_TSIGVERIFYFAILURE);
}
}
/*
* Is the time ok?
*/
return (DNS_R_TSIGVERIFYFAILURE);
}
if (ret != ISC_R_SUCCESS)
return (ret);
if (is_response(msg)) {
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
/*
* Decrement the additional field counter.
*/
/*
* Put in the original id.
*/
/*
* Digest the modified header.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest all non-TSIG records.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key name.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the key algorithm.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
if (ret == DST_R_VERIFYFAILURE) {
goto cleanup_context;
} else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
{
return (DNS_R_TSIGVERIFYFAILURE);
}
return (DNS_R_TSIGERRORSET);
return (ISC_R_SUCCESS);
return (ret);
}
static isc_result_t
unsigned char data[32];
unsigned char header[DNS_MESSAGE_HEADERLEN];
/*
* Extract and parse the previous TSIG
*/
if (ret != ISC_R_SUCCESS)
return (ret);
if (ret != ISC_R_SUCCESS)
return (ret);
/*
* If there is a TSIG in this message, do some checks.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
/*
* Do the key name and algorithm match that of the query?
*/
{
goto cleanup_querystruct;
}
/*
* Is the time ok?
*/
goto cleanup_querystruct;
}
}
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
/*
* Digest the length of the query signature
*/
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the data of the query signature
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
/*
* Decrement the additional field counter if necessary.
*/
if (has_tsig) {
}
/*
* Put in the original id.
*/
/* XXX Can TCP transfers be forwarded? How would that work? */
if (has_tsig) {
}
/*
* Digest the modified header.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest all non-TSIG records.
*/
if (has_tsig)
else
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the time signed and fudge.
*/
if (has_tsig) {
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
else
goto cleanup_context;
}
if (ret == DST_R_VERIFYFAILURE) {
goto cleanup_context;
}
else if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
return (ISC_R_SUCCESS);
return (ret);
}
{
return (ISC_R_NOTFOUND);
}
return (ISC_R_NOTFOUND);
}
/*
* The key has expired.
*/
return (ISC_R_NOTFOUND);
}
return (ISC_R_SUCCESS);
}
static void
}
return (ISC_R_NOMEMORY);
if (result != ISC_R_SUCCESS) {
"isc_rwlock_init() failed: %s",
return (ISC_R_UNEXPECTED);
}
if (result != ISC_R_SUCCESS) {
return (result);
}
return (ISC_R_SUCCESS);
}
void
}