tsig.c revision 6028d1ce0380d0ba7f6c6ecd1ad20b31ddd1becb
/*
* Copyright (C) 1999, 2000 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
* CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*/
/*
* $Id: tsig.c,v 1.56 2000/05/08 19:23:20 tale Exp $
* Principal Author: Brian Wellington
*/
#include <config.h>
#include <dns/keyvalues.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
static dns_name_t hmacmd5_name;
static isc_result_t
{
isc_buffer_t b, nameb;
char namestr[1025];
isc_region_t r;
if (length > 0)
return (ISC_R_NOTFOUND);
else
return (ISC_R_NOMEMORY);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
if (ret != ISC_R_SUCCESS)
goto cleanup_name;
goto cleanup_algorithm;
}
if (ret != ISC_R_SUCCESS) {
goto cleanup_algorithm;
}
}
else
if (ret != ISC_R_SUCCESS)
goto cleanup_algorithm;
isc_buffer_usedregion(&nameb, &r);
if (length > 0) {
isc_buffer_add(&b, length);
if (ret != ISC_R_SUCCESS)
goto cleanup_algorithm;
{
ret = ISC_R_EXISTS;
goto cleanup_algorithm;
}
}
}
else {
}
if (ret != ISC_R_SUCCESS) {
"isc_mutex_init() failed: %s",
return (ISC_R_UNEXPECTED);
}
return (ISC_R_SUCCESS);
return (ret);
}
static void
}
}
}
void
return;
}
}
void
}
unsigned char data[128];
isc_region_t r, r2;
/*
* If this is a response, there should be a query tsig.
*/
return (DNS_R_EXPECTEDTSIG);
tsig = (dns_rdata_any_tsig_t *)
return (ISC_R_NOMEMORY);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
if (is_response(msg))
else
}
else {
goto cleanup_other;
}
0xFFFFFFFF));
}
unsigned char header[DNS_MESSAGE_HEADERLEN];
unsigned int sigsize;
if (ret != ISC_R_SUCCESS)
goto cleanup_algorithm;
/*
* If this is a response, digest the query signature.
*/
if (is_response(msg)) {
return (ISC_R_NOSPACE);
isc_buffer_usedregion(&databuf, &r);
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_algorithm;
}
/*
* Digest the header.
*/
isc_buffer_usedregion(&headerbuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
/*
* Digest the remainder of the message.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
if (msg->tcp_continuation == 0) {
/*
* Digest the name, class, ttl, alg.
*/
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
isc_buffer_usedregion(&databuf, &r);
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
}
/* Digest the timesigned and fudge */
32));
0xFFFFFFFF));
}
else {
(isc_uint16_t)(querysigned >>
32));
0xFFFFFFFF));
}
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
if (msg->tcp_continuation == 0) {
/*
* Digest the error and other data length.
*/
isc_buffer_usedregion(&databuf, &r);
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
/*
* Digest the error and other data.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
}
}
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_other;
}
&sigbuf);
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
}
else {
}
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
return (ISC_R_SUCCESS);
return (ret);
}
{
unsigned char data[32];
unsigned char header[DNS_MESSAGE_HEADERLEN];
if (msg->tcp_continuation)
/*
* There should be a TSIG record...
*/
return (DNS_R_EXPECTEDTSIG);
/*
* If this is a response and there's no key or query TSIG, there
* shouldn't be one on the response.
*/
if (is_response(msg) &&
return (DNS_R_UNEXPECTEDTSIG);
/*
* If we're here, we know the message is well formed and contains a
* TSIG record.
*/
if (ret != ISC_R_SUCCESS)
return (ret);
tsig = (dns_rdata_any_tsig_t *)
return (ISC_R_NOMEMORY);
if (ret != ISC_R_SUCCESS)
goto cleanup_emptystruct;
/*
* Do the key name and algorithm match that of the query?
*/
if (is_response(msg) &&
{
return (DNS_R_TSIGVERIFYFAILURE);
}
/*
* Get the current time.
*/
/*
* Find dns_tsigkey_t based on keyname.
*/
if (ret != ISC_R_SUCCESS) {
goto cleanup_struct;
}
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
return (DNS_R_TSIGVERIFYFAILURE);
}
}
else
/*
* Is the time ok?
*/
return (DNS_R_TSIGVERIFYFAILURE);
}
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
if (is_response(msg)) {
isc_buffer_usedregion(&databuf, &r);
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
/*
* Decrement the additional field counter.
*/
/*
* Put in the original id.
*/
/*
* Digest the modified header.
*/
&sig_r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
/*
* Digest all non-TSIG records.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
/*
* Digest the key name.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
isc_buffer_usedregion(&databuf, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
/*
* Digest the key algorithm.
*/
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
>> 32));
& 0xFFFFFFFF));
isc_buffer_usedregion(&databuf, &r);
&sig_r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
}
if (ret == DST_R_VERIFYFINALFAILURE) {
return (DNS_R_TSIGVERIFYFAILURE);
}
else if (ret != ISC_R_SUCCESS)
goto cleanup_key;
}
{
return (DNS_R_TSIGVERIFYFAILURE);
}
if (is_response(msg)) {
/* XXXBEW Log a message */
return (ISC_R_SUCCESS);
}
else
return (DNS_R_TSIGERRORSET);
}
return (ISC_R_SUCCESS);
}
return (ret);
}
static isc_result_t
unsigned char data[32];
unsigned char header[DNS_MESSAGE_HEADERLEN];
if (ret != ISC_R_SUCCESS)
return (ret);
tsig = (dns_rdata_any_tsig_t *)
return (ISC_R_NOMEMORY);
if (ret != ISC_R_SUCCESS)
goto cleanup_emptystruct;
/*
* Do the key name and algorithm match that of the query?
*/
{
return (DNS_R_TSIGVERIFYFAILURE);
}
/*
* Is the time ok?
*/
return (DNS_R_TSIGVERIFYFAILURE);
}
}
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
isc_buffer_usedregion(&databuf, &r);
&r, NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
}
}
/*
* Extract the header.
*/
isc_buffer_usedregion(source, &r);
/*
* Decrement the additional field counter if necessary.
*/
if (has_tsig) {
}
/*
* Put in the original id.
*/
/* XXX Can TCP transfers be forwarded? How would that work? */
}
/*
* Digest the modified header.
*/
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
/*
* Digest all non-TSIG records.
*/
if (has_tsig)
else
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
/*
* Digest the time signed and fudge.
*/
if (has_tsig) {
>> 32));
& 0xFFFFFFFF));
isc_buffer_usedregion(&databuf, &r);
NULL);
else
goto cleanup_struct;
}
&sig_r);
if (ret == DST_R_VERIFYFINALFAILURE) {
return (DNS_R_TSIGVERIFYFAILURE);
}
else if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
}
return (ISC_R_SUCCESS);
return (ret);
}
{
{
{
/*
* The key has expired.
*/
continue;
}
return (ISC_R_SUCCESS);
}
}
return (ISC_R_NOTFOUND);
}
static void
isc_region_t r;
char *str = "\010HMAC-MD5\007SIG-ALG\003REG\003INT";
dns_name_fromregion(&hmacmd5_name, &r);
}
{
return (ISC_R_NOMEMORY);
if (ret != ISC_R_SUCCESS) {
"isc_rwlock_init() failed: %s",
return (ISC_R_UNEXPECTED);
}
return (ISC_R_SUCCESS);
}
void
tsigkey_free(&key);
}
}