Commit b984520a authored by Brian Wellington's avatar Brian Wellington

major TSIG/TKEY cleanup

parent 4380033d
......@@ -190,6 +190,7 @@ struct dns_message {
ISC_LIST(dns_rdata_t) freerdata;
ISC_LIST(dns_rdatalist_t) freerdatalist;
dns_tsig_keyring_t *ring;
dns_rcode_t tsigstatus;
dns_rcode_t querytsigstatus;
dns_rdata_any_tsig_t *tsig;
......@@ -272,9 +273,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
* DNS message.
*
* OPT records are detected and stored in the pseudo-section "opt".
* TSIGs are detected and stored in the pseudo-section "tsig". At detection
* time, the TSIG is verified (XXX) and the message fails if the TSIG fails
* to verify.
* TSIGs are detected and stored in the pseudo-section "tsig".
*
* If 'preserve_order' is true, or if the opcode of the message is UPDATE,
* a separate dns_name_t object will be created for each RR in the message.
......@@ -887,6 +886,26 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer);
* the signature has not been verified yet
*/
isc_result_t
dns_message_checksig(dns_message_t *msg, dns_view_t *view);
/*
* If this message was signed, verify the signature.
*
* Requires:
*
* msg is a valid parsed message.
* view is a valid view
*
* Returns:
*
* ISC_R_SUCCESS - the message was unsigned, or the message
* was signed correctly.
*
* DNS_R_EXPECTEDTSIG - A TSIG was expected, but not seen
* DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
* DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
*/
ISC_LANG_ENDDECLS
#endif /* DNS_MESSAGE_H */
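Review bot: The rewritten dns_message_parse() comment ("TSIGs are detected and stored in the pseudo-section "tsig"") drops the old sentence about verification without saying what replaces it, so a reader no longer learns that a message which parsed cleanly is still unauthenticated. I would add to that paragraph: `* They are NOT verified during parsing; callers must call` / `* dns_message_checksig() before trusting a message that is required` / `* to be signed.` The dns_message_checksig() comment could likewise note that ISC_R_SUCCESS also covers the case where no TSIG was present and none was expected, so callers that require a signature must look at msg->tsigkey rather than the return code alone.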
......@@ -36,15 +36,22 @@ ISC_LANG_BEGINDECLS
#define DNS_TKEYMODE_RESOLVERASSIGNED 4
#define DNS_TKEYMODE_DELETE 5
struct dns_tkey_ctx {
dst_key_t *dhkey;
dns_name_t *domain;
isc_mem_t *mctx;
};
isc_result_t
dns_tkey_init(isc_log_t *lctx, dns_c_ctx_t *cfg, isc_mem_t *mctx);
dns_tkey_init(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctx);
/*
* Obtains TKEY configuration information, including default DH key
* and default domain from the configuration, if it's not NULL.
*
* Requires:
* 'lctx' is not NULL
* 'mctx' is not NULL
* 'tctx' is not NULL
* '*tctx' is NULL
*
* Returns
* ISC_R_SUCCESS
......@@ -53,19 +60,26 @@ dns_tkey_init(isc_log_t *lctx, dns_c_ctx_t *cfg, isc_mem_t *mctx);
*/
void
dns_tkey_destroy(void);
dns_tkey_destroy(dns_tkey_ctx_t **tctx);
/*
* Frees all data associated with the TKEY subsystem
* Frees all data associated with the TKEY context
*
* Requires:
* 'tctx' is not NULL
* '*tctx' is not NULL
*/
isc_result_t
dns_tkey_processquery(dns_message_t *msg);
dns_tkey_processquery(dns_message_t *msg, dns_tkey_ctx_t *tctx,
dns_tsig_keyring_t *ring);
/*
* Processes a query containing a TKEY record, adding or deleting TSIG
* keys if necessary, and modifies the message to contain the response.
*
* Requires:
* 'msg' is a valid message
* 'tctx' is a valid TKEY context
* 'ring' is a valid TSIG keyring
*
* Returns
* ISC_R_SUCCESS msg was updated (the TKEY operation succeeded,
......@@ -117,7 +131,8 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
isc_result_t
dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dst_key_t *key, dns_tsigkey_t **outkey);
dst_key_t *key, isc_buffer_t *nonce,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
/*
* Processes a response to a query containing a TKEY that was
* designed to generate a shared secret using a Diffie-Hellman key
......@@ -129,6 +144,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
* 'rmsg' is a valid message (the response)
* 'key' is a valid Diffie Hellman dst key
* 'outkey' is either NULL or a pointer to NULL
* 'ring' is not NULL
*
* Returns:
* ISC_R_SUCCESS the shared key was successfully added
......@@ -137,7 +153,8 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
*/
isc_result_t
dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg);
dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
dns_tsig_keyring_t *ring);
/*
* Processes a response to a query containing a TKEY that was
* designed to delete a shared secret. If the query was successful,
......@@ -146,6 +163,7 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg);
* Requires:
* 'qmsg' is a valid message (the query)
* 'rmsg' is a valid message (the response)
* 'ring' is not NULL
*
* Returns:
* ISC_R_SUCCESS the shared key was successfully deleted
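Review bot: The new `nonce` parameter of dns_tkey_processdhresponse() is undocumented: the Requires block gained `'ring' is not NULL` but says nothing about `nonce`, which, going by the compute_secret() changes in tkey.c in this commit, appears to be the random data the client contributed that gets mixed into the derived secret. I would add `'nonce' is a valid buffer containing the random data sent in the query` (confirm against tkey.c) and state whether NULL is accepted, since omitting the client's randomness would presumably weaken the derived key. dns_tkey_init()'s new out-parameter should also say that `*tctx` is owned by the caller and must be released with dns_tkey_destroy(), mirroring how the tsig.h ring is handled.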
......@@ -20,7 +20,7 @@
#include <isc/types.h>
#include <isc/lang.h>
#include <isc/log.h>
#include <isc/rwlock.h>
#include <dns/types.h>
#include <dns/name.h>
......@@ -38,6 +38,12 @@ extern dns_name_t *dns_tsig_hmacmd5_name;
/* Default fudge value. */
#define DNS_TSIG_FUDGE 300
struct dns_tsig_keyring {
ISC_LIST(dns_tsigkey_t) keys;
isc_rwlock_t lock;
isc_mem_t *mctx;
};
struct dns_tsigkey {
/* Unlocked */
unsigned int magic; /* Magic number. */
......@@ -62,10 +68,11 @@ struct dns_tsigkey {
isc_result_t
dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
unsigned char *secret, int length, isc_boolean_t generated,
dns_name_t *creator, isc_mem_t *mctx, dns_tsigkey_t **key);
dns_name_t *creator, isc_mem_t *mctx,
dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
/*
* Creates and saves a tsig key structure. If key is not NULL, *key
* will contain a copy of the key.
* Creates a tsig key structure and saves it in the keyring. If key is
* not NULL, *key * will contain a copy of the key.
*
* Requires:
* 'name' is a valid dns_name_t
......@@ -74,6 +81,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
* 'length' is an integer greater than 0
* 'creator' points to a valid dns_name_t or is NULL
* 'mctx' is a valid memory context
* 'ring' is a valid TSIG keyring
* 'key' or '*key' must be NULL
*
* Returns:
......@@ -84,12 +92,13 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
*/
void
dns_tsigkey_free(dns_tsigkey_t **key);
dns_tsigkey_free(dns_tsigkey_t **key, dns_tsig_keyring_t *ring);
/*
* Frees the tsig key structure pointed to by 'key'.
*
* Requires:
* 'key' is a valid TSIG key
* 'ring' is a valid TSIG keyring containing the key
*/
void
......@@ -119,7 +128,8 @@ dns_tsig_sign(dns_message_t *msg);
*/
isc_result_t
dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg);
dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
dns_tsig_keyring_t *sring, dns_tsig_keyring_t *dring);
/*
* Verifies the TSIG record in this message
*
......@@ -129,6 +139,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg);
* 'msg->tsigkey' is a valid TSIG key if this is a response
* 'msg->tsig' is NULL
* 'msg->querytsig' is not NULL if this is a response
* 'sring' is a valid keyring or NULL
* 'dring' is a valid keyring or NULL
*
* Returns:
* DNS_R_SUCCESS
......@@ -140,28 +152,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg);
* DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
*/
isc_result_t
dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
/*
* Verifies the TSIG record in this continuation of a TCP response,
* if there is one.
*
* Requires:
* 'source' is a valid buffer containing the unparsed message
* 'msg' is a valid message
* 'msg->tsigkey' is a valid TSIG key
* 'msg->tsig' is NULL
* 'msg->querytsig' is not NULL
*
* Returns:
* DNS_R_SUCCESS
* ISC_R_NOMEMORY
* DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
*/
isc_result_t
dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
dns_name_t *algorithm);
dns_name_t *algorithm, dns_tsig_keyring_t *ring);
/*
* Returns the TSIG key corresponding to this name and (possibly)
* algorithm. Also increments the key's reference counter.
......@@ -171,6 +164,7 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
* '*tsigkey' is NULL
* 'name' is a valid dns_name_t
* 'algorithm' is a valid dns_name_t or NULL
* 'ring' is a valid keyring
*
* Returns:
* ISC_R_SUCCESS
......@@ -179,15 +173,15 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
isc_result_t
dns_tsig_init(isc_log_t *lctx, dns_c_ctx_t *confctx, isc_mem_t *mctx);
dns_tsig_init(dns_c_ctx_t *confctx, isc_mem_t *mctx, dns_tsig_keyring_t **ring);
/*
* Initializes the TSIG subsystem. If confctx is not NULL, any
* specified keys are loaded.
*
* Requires:
* 'lctx' is not NULL
* 'mctx' is not NULL
* 'ring' is not NULL, and '*ring' is NULL
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOMEMORY
......@@ -195,9 +189,12 @@ dns_tsig_init(isc_log_t *lctx, dns_c_ctx_t *confctx, isc_mem_t *mctx);
void
dns_tsig_destroy(void);
dns_tsig_destroy(dns_tsig_keyring_t **ring);
/*
* Frees all data associated with the TSIG subsystem
*
* Requires:
* 'ring' is not NULL
*/
ISC_LANG_ENDDECLS
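Review bot: dns_tsig_verify_tcp() is deleted together with its contract for TCP continuation messages, and dns_message_parse() in this commit no longer branches on msg->tcp_continuation, yet the surviving dns_tsig_verify() comment says nothing about continuations; if it now handles a TSIG that covers a multi-message TCP stream, its Requires block should say so and state that `msg->querytsig` and `msg->tsigkey` must be carried over from the first message, otherwise a reader cannot tell whether continuation messages are still verified at all. The dns_tsig_destroy() comment is also stale: it still reads "Frees all data associated with the TSIG subsystem" and requires only `'ring' is not NULL`, whereas the parallel dns_tkey_destroy() in tkey.h requires `'*ring' is not NULL` as well — I would use the same two-line Requires here and reword it to "Frees the keyring and every key it contains".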
......@@ -78,6 +78,8 @@ typedef struct dns_dispatch dns_dispatch_t;
typedef struct dns_dispentry dns_dispentry_t;
typedef struct dns_dispatchevent dns_dispatchevent_t;
typedef struct dns_tsigkey dns_tsigkey_t;
typedef struct dns_tsig_keyring dns_tsig_keyring_t;
typedef struct dns_tkey_ctx dns_tkey_ctx_t;
typedef struct dns_view dns_view_t;
typedef ISC_LIST(dns_view_t) dns_viewlist_t;
typedef struct dns_zone dns_zone_t;
......@@ -88,6 +88,8 @@ struct dns_view {
isc_task_t * task;
isc_event_t resevent;
isc_event_t adbevent;
dns_tsig_keyring_t * statickeys;
dns_tsig_keyring_t * dynamickeys;
/* Locked by lock. */
unsigned int references;
unsigned int attributes;
......@@ -226,6 +228,26 @@ dns_view_sethints(dns_view_t *view, dns_db_t *hints);
* The hints database of 'view' is 'hints'.
*/
void
dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
/*
* Set the view's static TSIG keys
*
* Requires:
*
* 'view' is a valid, unfrozen view, whose static TSIG keyring has not
* been set.
*
* 'ring' is a valid TSIG keyring
*
* Ensures:
*
* The static TSIG keyring of 'view' is 'ring'.
*/
isc_result_t
dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
/*
......@@ -421,6 +443,21 @@ dns_view_load(dns_view_t *view);
* 'view' is a valid.
*/
isc_result_t
dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg);
/*
* Verifies the signature of a message.
*
* Requires:
*
* 'view' is a valid view.
* 'source' is a valid buffer containing the message
* 'msg' is a valid message
*
* Returns:
* see dns_tsig_verify()
*/
ISC_LANG_ENDDECLS
#endif /* DNS_VIEW_H */
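Review bot: dns_view_setkeyring() does not say who owns the keyring afterwards: the Requires block only says the static keyring "has not been set", and neither it nor the Ensures clause states whether the view takes ownership of `ring` (releasing it with dns_tsig_destroy() when the view is destroyed) or whether the caller must keep it alive for the view's lifetime; a double free or a dangling `statickeys` follows from getting this wrong. I would add `* The view takes ownership of 'ring' and frees it when the view is destroyed.` or the opposite, whichever the implementation does. The new `statickeys`/`dynamickeys` fields sit above the `/* Locked by lock. */` marker, so they are presumably guarded by the keyring's own isc_rwlock_t rather than the view lock; a one-line comment saying that `dynamickeys` is mutated at runtime by TKEY processing under the ring's lock would make that explicit.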
......@@ -38,6 +38,7 @@
#include <dns/compress.h>
#include <dns/tsig.h>
#include <dns/dnssec.h>
#include <dns/view.h>
#define DNS_MESSAGE_OPCODE_MASK 0x7800U
#define DNS_MESSAGE_OPCODE_SHIFT 11
......@@ -287,6 +288,7 @@ msginitprivate(dns_message_t *m)
static inline void
msginittsig(dns_message_t *m)
{
m->ring = NULL;
m->tsigstatus = m->querytsigstatus = dns_rcode_noerror;
m->tsig = m->querytsig = NULL;
m->tsigkey = NULL;
......@@ -455,7 +457,7 @@ msgreset(dns_message_t *msg, isc_boolean_t everything)
}
if (msg->tsigkey != NULL) {
dns_tsigkey_free(&msg->tsigkey);
dns_tsigkey_free(&msg->tsigkey, msg->ring);
msg->tsigkey = NULL;
}
......@@ -1317,17 +1319,9 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
if (r.length != 0)
return (DNS_R_FORMERR);
if (msg->tsigkey != NULL ||
!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]))
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]) ||
!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0]))
{
if (!msg->tcp_continuation)
ret = dns_tsig_verify(source, msg);
else
ret = dns_tsig_verify_tcp(source, msg);
if (ret != DNS_R_SUCCESS)
return ret;
}
else if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])) {
msg->saved = isc_mem_get(msg->mctx, sizeof(isc_region_t));
if (msg->saved == NULL)
return (ISC_R_NOMEMORY);
......@@ -2148,3 +2142,21 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
return (result);
}
isc_result_t
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
isc_buffer_t b;
REQUIRE(DNS_MESSAGE_VALID(msg));
REQUIRE(view != NULL);
if (msg->tsigkey == NULL &&
ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]))
return (ISC_R_SUCCESS);
if (msg->saved == NULL)
return (DNS_R_EXPECTEDTSIG);
isc_buffer_init(&b, msg->saved->base, msg->saved->length,
ISC_BUFFERTYPE_BINARY);
isc_buffer_add(&b, msg->saved->length);
return dns_view_checksig(view, &b, msg);
}
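Review bot: dns_message_checksig() returns ISC_R_SUCCESS for a message that carries a SIG(0) but no TSIG: its early return tests only msg->tsigkey and the TSIG section, even though the dns_message_parse() hunk above now saves the raw message for a non-empty SIG0 section as well, so the header's "the message was signed correctly" does not hold for that case. If SIG(0) is meant to be verified elsewhere, the header comment should be narrowed to TSIG; otherwise the guard needs `ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])` added before declaring the message unsigned. Separately, msgreset() now passes msg->ring to dns_tsigkey_free(), whose new contract in tsig.h requires a valid keyring containing the key, but msginittsig() sets ring to NULL and no hunk here assigns it; unless a caller sets msg->ring whenever it attaches msg->tsigkey, this looks like a NULL ring reaching dns_tsigkey_free() at reset time — worth confirming.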
......@@ -16,7 +16,7 @@
*/
/*
* $Id: tkey.c,v 1.15 1999/12/06 12:40:30 brister Exp $
* $Id: tkey.c,v 1.16 2000/01/21 20:18:36 bwelling Exp $
* Principal Author: Brian Wellington
*/
......@@ -31,6 +31,7 @@
#include <isc/error.h>
#include <isc/list.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/result.h>
#include <isc/rwlock.h>
......@@ -63,12 +64,8 @@
} while (0)
static dst_key_t *tkey_dhkey = NULL;
static dns_name_t *tkey_domain = NULL;
static isc_mem_t *tkey_mctx = NULL;
isc_result_t
dns_tkey_init(isc_log_t *lctx, dns_c_ctx_t *cfg, isc_mem_t *mctx) {
dns_tkey_init(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctx) {
isc_result_t result;
char *s;
int n;
......@@ -76,11 +73,16 @@ dns_tkey_init(isc_log_t *lctx, dns_c_ctx_t *cfg, isc_mem_t *mctx) {
unsigned char data[1024];
dns_name_t domain;
RUNTIME_CHECK(tkey_domain == NULL);
RUNTIME_CHECK(tkey_dhkey == NULL);
REQUIRE(lctx != NULL); /* XXX lctx is now unused. */
REQUIRE(mctx != NULL);
REQUIRE(tctx != NULL);
REQUIRE(*tctx == NULL);
*tctx = isc_mem_get(mctx, sizeof(dns_tkey_ctx_t));
if (*tctx == NULL)
return (ISC_R_NOMEMORY);
(*tctx)->mctx = mctx;
(*tctx)->dhkey = NULL;
(*tctx)->domain = NULL;
if (cfg == NULL)
return (ISC_R_SUCCESS);
......@@ -91,47 +93,50 @@ dns_tkey_init(isc_log_t *lctx, dns_c_ctx_t *cfg, isc_mem_t *mctx) {
return (ISC_R_SUCCESS);
RETERR(dst_key_fromfile(s, n, DNS_KEYALG_DH,
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
mctx, &tkey_dhkey));
mctx, &(*tctx)->dhkey));
s = NULL;
RETERR(dns_c_ctx_gettkeydomain(cfg, &s));
dns_name_init(&domain, NULL);
tkey_domain = (dns_name_t *) isc_mem_get(mctx, sizeof(dns_name_t));
if (tkey_domain == NULL)
(*tctx)->domain = (dns_name_t *) isc_mem_get(mctx, sizeof(dns_name_t));
if ((*tctx)->domain == NULL)
return (ISC_R_NOMEMORY);
dns_name_init(tkey_domain, NULL);
dns_name_init((*tctx)->domain, NULL);
isc_buffer_init(&b, s, strlen(s), ISC_BUFFERTYPE_TEXT);
isc_buffer_add(&b, strlen(s));
isc_buffer_init(&namebuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY);
RETERR(dns_name_fromtext(&domain, &b, dns_rootname, ISC_FALSE,
&namebuf));
RETERR(dns_name_dup(&domain, mctx, tkey_domain));
tkey_mctx = mctx;
RETERR(dns_name_dup(&domain, mctx, (*tctx)->domain));
return (ISC_R_SUCCESS);
failure:
if (tkey_dhkey != NULL) {
dst_key_free(tkey_dhkey);
tkey_dhkey = NULL;
if ((*tctx)->dhkey != NULL) {
dst_key_free((*tctx)->dhkey);
(*tctx)->dhkey = NULL;
}
if (tkey_domain != NULL) {
dns_name_free(tkey_domain, mctx);
isc_mem_put(mctx, tkey_domain, sizeof(dns_name_t));
tkey_domain = NULL;
if ((*tctx)->domain != NULL) {
dns_name_free((*tctx)->domain, mctx);
isc_mem_put(mctx, (*tctx)->domain, sizeof(dns_name_t));
(*tctx)->domain = NULL;
}
return (result);
}
void
dns_tkey_destroy(void) {
if (tkey_mctx == NULL)
return;
if (tkey_dhkey != NULL)
dst_key_free(tkey_dhkey);
if (tkey_domain != NULL)
isc_mem_put(tkey_mctx, tkey_domain, sizeof(dns_name_t));
tkey_mctx = NULL;
dns_tkey_destroy(dns_tkey_ctx_t **tctx) {
isc_mem_t *mctx;
REQUIRE(tctx != NULL);
REQUIRE(*tctx != NULL);
if ((*tctx)->dhkey != NULL)
dst_key_free((*tctx)->dhkey);
if ((*tctx)->domain != NULL)
isc_mem_put((*tctx)->mctx, (*tctx)->domain, sizeof(dns_name_t));
mctx = (*tctx)->mctx;
isc_mem_put(mctx, *tctx, sizeof(dns_tkey_ctx_t));
}
static isc_result_t
......@@ -169,6 +174,7 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
RETERR(dns_message_gettemprdatalist(msg, &newlist));
newlist->rdclass = newrdata->rdclass;
newlist->type = newrdata->type;
newlist->covers = 0;
newlist->ttl = ttl;
ISC_LIST_INIT(newlist->rdata);
ISC_LIST_APPEND(newlist->rdata, newrdata, link);
......@@ -191,27 +197,59 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
dns_message_puttempname(msg, &newname);
if (newlist != NULL)
dns_message_puttemprdatalist(msg, &newlist);
if (newset != NULL)
if (newset != NULL) {
dns_rdataset_disassociate(newset);
dns_message_puttemprdataset(msg, &newset);
}
return (result);
}
static isc_result_t
compute_secret(isc_buffer_t *shared, isc_region_t *randomness,
isc_buffer_t *secret)
compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
isc_region_t *serverrandomness, isc_buffer_t *secret)
{
dst_context_t ctx;
isc_result_t result;
isc_region_t r;
isc_region_t r, r2;
char digests[32];
isc_buffer_t b;
unsigned int i;
isc_buffer_init(&b, digests, sizeof(digests), ISC_BUFFERTYPE_BINARY);
isc_buffer_used(shared, &r);
/* MD5 ( query data | DH value ) */
RETERR(dst_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL, NULL));
RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
queryrandomness, NULL));
RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r, NULL));
RETERR(dst_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL, &b));
/* MD5 ( server data | DH value ) */
RETERR(dst_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL, NULL));
RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
serverrandomness, NULL));
RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r, NULL));
if (randomness->length != 0)
RETERR(dst_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5,
&ctx, randomness, secret));
RETERR(dst_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL,
secret));
RETERR(dst_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL, &b));
/* XOR ( DH value, MD5-1 | MD5-2) */
isc_buffer_available(secret, &r);
isc_buffer_used(shared, &r2);
if (r.length < sizeof(digests) || r.length < r2.length)
return (ISC_R_NOSPACE);
if (r2.length > sizeof(digests)) {
memcpy(r.base, r2.base, r2.length);
for (i = 0; i < sizeof(digests); i++)
r.base[i] ^= digests[i];
isc_buffer_add(secret, r2.length);
}
else {
memcpy(r.base, digests, sizeof(digests));
for (i = 0; i < r2.length; i++)
r.base[i] ^= r2.base[i];
isc_buffer_add(secret, sizeof(digests));
}
failure:
return result;
......@@ -219,8 +257,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *randomness,
static isc_result_t
process_dhtkey(dns_message_t *msg, dns_name_t *name,
dns_rdata_generic_tkey_t *tkeyin,
dns_rdata_generic_tkey_t *tkeyout, dns_namelist_t *namelist)
dns_rdata_generic_tkey_t *tkeyin, dns_tkey_ctx_t *tctx,
dns_rdata_generic_tkey_t *tkeyout,
dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
{
isc_result_t result = ISC_R_SUCCESS;
dns_name_t *keyname, ourname, signer, *creator;
......@@ -229,14 +268,14 @@ process_dhtkey(dns_message_t *msg, dns_name_t *name,
isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
dst_key_t *pubkey = NULL;
isc_buffer_t ourkeybuf, ournamein, ournameout, *shared = NULL;
isc_region_t r, ourkeyr;
isc_region_t r, r2, ourkeyr;
isc_uint32_t ourttl;
unsigned char keydata[DST_KEY_MAXSIZE];
unsigned char namedata[1024];
dns_tsigkey_t *tsigkey;
unsigned int sharedsize;
isc_buffer_t randombuf, secret;
unsigned char *randomdata = NULL, secretdata[TKEY_RANDOM_AMOUNT];
unsigned char *randomdata = NULL, secretdata[256];
/* Look for a DH KEY record that will work with ours */
result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
......@@ -261,7 +300,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *name,
}
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey,
tkey_dhkey))
tctx->dhkey))
{
found_key = ISC_TRUE;
goto got_key;
......@@ -290,13 +329,13 @@ process_dhtkey(dns_message_t *msg, dns_name_t *name,
isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata),
ISC_BUFFERTYPE_BINARY);
RETERR(dst_key_todns(tkey_dhkey, &ourkeybuf));
RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
isc_buffer_used(&ourkeybuf, &ourkeyr);
dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_in,
dns_rdatatype_key, &ourkeyr);
isc_buffer_init(&ournamein, dst_key_name(tkey_dhkey),
strlen(dst_key_name(tkey_dhkey)), ISC_BUFFERTYPE_TEXT);