b984520a
Commit
b984520a
authored
Jan 21, 2000
by
Brian Wellington
major TSIG/TKEY cleanup
parent
4380033d
Changes
9
Showing
9 changed files
with
387 additions
and
193 deletions
+387
-193
lib/dns/include/dns/message.h
lib/dns/include/dns/message.h
+22
-3
lib/dns/include/dns/tkey.h
lib/dns/include/dns/tkey.h
+25
-7
lib/dns/include/dns/tsig.h
lib/dns/include/dns/tsig.h
+27
-30
lib/dns/include/dns/types.h
lib/dns/include/dns/types.h
+2
-0
lib/dns/include/dns/view.h
lib/dns/include/dns/view.h
+37
-0
lib/dns/message.c
lib/dns/message.c
+23
-11
lib/dns/tkey.c
lib/dns/tkey.c
+134
-76
lib/dns/tsig.c
lib/dns/tsig.c
+87
-66
lib/dns/view.c
lib/dns/view.c
+30
-0
lib/dns/include/dns/message.h
...
...
@@ -190,6 +190,7 @@ struct dns_message {
ISC_LIST
(
dns_rdata_t
)
freerdata
;
ISC_LIST
(
dns_rdatalist_t
)
freerdatalist
;
dns_tsig_keyring_t
*
ring
;
dns_rcode_t
tsigstatus
;
dns_rcode_t
querytsigstatus
;
dns_rdata_any_tsig_t
*
tsig
;
...
...
@@ -272,9 +273,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
* DNS message.
*
* OPT records are detected and stored in the pseudo-section "opt".
* TSIGs are detected and stored in the pseudo-section "tsig". At detection
* time, the TSIG is verified (XXX) and the message fails if the TSIG fails
* to verify.
* TSIGs are detected and stored in the pseudo-section "tsig".
*
* If 'preserve_order' is true, or if the opcode of the message is UPDATE,
* a separate dns_name_t object will be created for each RR in the message.
...
...
@@ -887,6 +886,26 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer);
* the signature has not been verified yet
*/
isc_result_t
dns_message_checksig
(
dns_message_t
*
msg
,
dns_view_t
*
view
);
/*
* If this message was signed, verify the signature.
*
* Requires:
*
* msg is a valid parsed message.
* view is a valid view
*
* Returns:
*
* ISC_R_SUCCESS - the message was unsigned, or the message
* was signed correctly.
*
* DNS_R_EXPECTEDTSIG - A TSIG was expected, but not seen
* DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
* DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
*/
ISC_LANG_ENDDECLS
#endif
/* DNS_MESSAGE_H */
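Review bot: The dns_message_parse() comment now says only that TSIGs are stored in the "tsig" pseudo-section, but it no longer states that the record is left unverified, so a caller that previously relied on parse rejecting a bad TSIG gets no hint that it must now call dns_message_checksig() before trusting the message. I would add to that comment: ` * The TSIG is not verified here; callers must call dns_message_checksig()` and ` * before trusting the message or its signer.` In dns_message_checksig() the ISC_R_SUCCESS result is documented as covering both "the message was unsigned" and "signed correctly", so a caller that requires authentication cannot tell the two apart from the result alone; the comment should say that such callers must additionally check msg->tsigkey or dns_message_signer(). The "msg is a valid parsed message" requirement should also say that the unparsed wire data must still be available, since the implementation in message.c appears to re-read it from msg->saved.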
lib/dns/include/dns/tkey.h
...
...
@@ -36,15 +36,22 @@ ISC_LANG_BEGINDECLS
#define DNS_TKEYMODE_RESOLVERASSIGNED 4
#define DNS_TKEYMODE_DELETE 5
struct
dns_tkey_ctx
{
dst_key_t
*
dhkey
;
dns_name_t
*
domain
;
isc_mem_t
*
mctx
;
};
isc_result_t
dns_tkey_init
(
isc_log_t
*
lctx
,
dns_c_ctx_t
*
cfg
,
isc_mem_t
*
m
ctx
);
dns_tkey_init
(
dns_c_ctx_t
*
cfg
,
isc_mem_t
*
mctx
,
dns_tkey_ctx_t
**
t
ctx
);
/*
* Obtains TKEY configuration information, including default DH key
* and default domain from the configuration, if it's not NULL.
*
* Requires:
* 'lctx' is not NULL
* 'mctx' is not NULL
* 'tctx' is not NULL
* '*tctx' is NULL
*
* Returns
* ISC_R_SUCCESS
...
...
@@ -53,19 +60,26 @@ dns_tkey_init(isc_log_t *lctx, dns_c_ctx_t *cfg, isc_mem_t *mctx);
*/
void
dns_tkey_destroy
(
void
);
dns_tkey_destroy
(
dns_tkey_ctx_t
**
tctx
);
/*
* Frees all data associated with the TKEY subsystem
* Frees all data associated with the TKEY context
*
* Requires:
* 'tctx' is not NULL
* '*tctx' is not NULL
*/
isc_result_t
dns_tkey_processquery
(
dns_message_t
*
msg
);
dns_tkey_processquery
(
dns_message_t
*
msg
,
dns_tkey_ctx_t
*
tctx
,
dns_tsig_keyring_t
*
ring
);
/*
* Processes a query containing a TKEY record, adding or deleting TSIG
* keys if necessary, and modifies the message to contain the response.
*
* Requires:
* 'msg' is a valid message
* 'tctx' is a valid TKEY context
* 'ring' is a valid TSIG keyring
*
* Returns
* ISC_R_SUCCESS msg was updated (the TKEY operation succeeded,
...
...
@@ -117,7 +131,8 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
isc_result_t
dns_tkey_processdhresponse
(
dns_message_t
*
qmsg
,
dns_message_t
*
rmsg
,
dst_key_t
*
key
,
dns_tsigkey_t
**
outkey
);
dst_key_t
*
key
,
isc_buffer_t
*
nonce
,
dns_tsigkey_t
**
outkey
,
dns_tsig_keyring_t
*
ring
);
/*
* Processes a response to a query containing a TKEY that was
* designed to generate a shared secret using a Diffie-Hellman key
...
...
@@ -129,6 +144,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
* 'rmsg' is a valid message (the response)
* 'key' is a valid Diffie Hellman dst key
* 'outkey' is either NULL or a pointer to NULL
* 'ring' is not NULL
*
* Returns:
* ISC_R_SUCCESS the shared key was successfully added
...
...
@@ -137,7 +153,8 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
*/
isc_result_t
dns_tkey_processdeleteresponse
(
dns_message_t
*
qmsg
,
dns_message_t
*
rmsg
);
dns_tkey_processdeleteresponse
(
dns_message_t
*
qmsg
,
dns_message_t
*
rmsg
,
dns_tsig_keyring_t
*
ring
);
/*
* Processes a response to a query containing a TKEY that was
* designed to delete a shared secret. If the query was successful,
...
...
@@ -146,6 +163,7 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg);
* Requires:
* 'qmsg' is a valid message (the query)
* 'rmsg' is a valid message (the response)
* 'ring' is not NULL
*
* Returns:
* ISC_R_SUCCESS the shared key was successfully deleted
...
...
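Review bot: The Requires block of dns_tkey_init() still lists `'lctx' is not NULL` although the lctx parameter was removed from the prototype in this hunk, so the documented contract no longer matches the signature; that line should be dropped. The opposite gap appears in dns_tkey_processdhresponse(): a `nonce` buffer parameter was added, but the Requires list gained only an entry for 'ring', so whether nonce may be NULL or empty and what it must hold (presumably the client randomness sent in the query) is undocumented — add something like `'nonce' is a valid buffer holding the randomness sent in the query` once the NULL case is confirmed against tkey.c. Since struct dns_tkey_ctx is now public and its `dhkey` member is loaded with both the public and private halves of the DH key, a one-line comment on the struct noting that `dhkey` is private key material owned and freed by dns_tkey_destroy() would help callers avoid copying or sharing it.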
lib/dns/include/dns/tsig.h
...
...
@@ -20,7 +20,7 @@
#include <isc/types.h>
#include <isc/lang.h>
#include <isc/
log
.h>
#include <isc/
rwlock
.h>
#include <dns/types.h>
#include <dns/name.h>
...
...
@@ -38,6 +38,12 @@ extern dns_name_t *dns_tsig_hmacmd5_name;
/* Default fudge value. */
#define DNS_TSIG_FUDGE 300
struct
dns_tsig_keyring
{
ISC_LIST
(
dns_tsigkey_t
)
keys
;
isc_rwlock_t
lock
;
isc_mem_t
*
mctx
;
};
struct
dns_tsigkey
{
/* Unlocked */
unsigned
int
magic
;
/* Magic number. */
...
...
@@ -62,10 +68,11 @@ struct dns_tsigkey {
isc_result_t
dns_tsigkey_create
(
dns_name_t
*
name
,
dns_name_t
*
algorithm
,
unsigned
char
*
secret
,
int
length
,
isc_boolean_t
generated
,
dns_name_t
*
creator
,
isc_mem_t
*
mctx
,
dns_tsigkey_t
**
key
);
dns_name_t
*
creator
,
isc_mem_t
*
mctx
,
dns_tsig_keyring_t
*
ring
,
dns_tsigkey_t
**
key
);
/*
* Creates a
nd saves a tsig key structure. If key is not NULL, *key
* will contain a copy of the key.
* Creates a
tsig key structure and saves it in the keyring. If key is
*
not NULL, *key *
will contain a copy of the key.
*
* Requires:
* 'name' is a valid dns_name_t
...
...
@@ -74,6 +81,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
* 'length' is an integer greater than 0
* 'creator' points to a valid dns_name_t or is NULL
* 'mctx' is a valid memory context
* 'ring' is a valid TSIG keyring
* 'key' or '*key' must be NULL
*
* Returns:
...
...
@@ -84,12 +92,13 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
*/
void
dns_tsigkey_free
(
dns_tsigkey_t
**
key
);
dns_tsigkey_free
(
dns_tsigkey_t
**
key
,
dns_tsig_keyring_t
*
ring
);
/*
* Frees the tsig key structure pointed to by 'key'.
*
* Requires:
* 'key' is a valid TSIG key
* 'ring' is a valid TSIG keyring containing the key
*/
void
...
...
@@ -119,7 +128,8 @@ dns_tsig_sign(dns_message_t *msg);
*/
isc_result_t
dns_tsig_verify
(
isc_buffer_t
*
source
,
dns_message_t
*
msg
);
dns_tsig_verify
(
isc_buffer_t
*
source
,
dns_message_t
*
msg
,
dns_tsig_keyring_t
*
sring
,
dns_tsig_keyring_t
*
dring
);
/*
* Verifies the TSIG record in this message
*
...
...
@@ -129,6 +139,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg);
* 'msg->tsigkey' is a valid TSIG key if this is a response
* 'msg->tsig' is NULL
* 'msg->querytsig' is not NULL if this is a response
* 'sring' is a valid keyring or NULL
* 'dring' is a valid keyring or NULL
*
* Returns:
* DNS_R_SUCCESS
...
...
@@ -140,28 +152,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg);
* DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
*/
isc_result_t
dns_tsig_verify_tcp
(
isc_buffer_t
*
source
,
dns_message_t
*
msg
);
/*
* Verifies the TSIG record in this continuation of a TCP response,
* if there is one.
*
* Requires:
* 'source' is a valid buffer containing the unparsed message
* 'msg' is a valid message
* 'msg->tsigkey' is a valid TSIG key
* 'msg->tsig' is NULL
* 'msg->querytsig' is not NULL
*
* Returns:
* DNS_R_SUCCESS
* ISC_R_NOMEMORY
* DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
*/
isc_result_t
dns_tsigkey_find
(
dns_tsigkey_t
**
tsigkey
,
dns_name_t
*
name
,
dns_name_t
*
algorithm
);
dns_name_t
*
algorithm
,
dns_tsig_keyring_t
*
ring
);
/*
* Returns the TSIG key corresponding to this name and (possibly)
* algorithm. Also increments the key's reference counter.
...
...
@@ -171,6 +164,7 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
* '*tsigkey' is NULL
* 'name' is a valid dns_name_t
* 'algorithm' is a valid dns_name_t or NULL
* 'ring' is a valid keyring
*
* Returns:
* ISC_R_SUCCESS
...
...
@@ -179,15 +173,15 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
isc_result_t
dns_tsig_init
(
isc_log_t
*
lctx
,
dns_c_ctx_t
*
confctx
,
isc_mem_t
*
mctx
);
dns_tsig_init
(
dns_c_ctx_t
*
confctx
,
isc_mem_t
*
mctx
,
dns_tsig_keyring_t
**
ring
);
/*
* Initializes the TSIG subsystem. If confctx is not NULL, any
* specified keys are loaded.
*
* Requires:
* 'lctx' is not NULL
* 'mctx' is not NULL
* 'ring' is not NULL, and '*ring' is NULL
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOMEMORY
...
...
@@ -195,9 +189,12 @@ dns_tsig_init(isc_log_t *lctx, dns_c_ctx_t *confctx, isc_mem_t *mctx);
void
dns_tsig_destroy
(
void
);
dns_tsig_destroy
(
dns_tsig_keyring_t
**
ring
);
/*
* Frees all data associated with the TSIG subsystem
*
* Requires:
* 'ring' is not NULL
*/
ISC_LANG_ENDDECLS
...
...
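Review bot: The Requires block of dns_tsig_init() still lists `'lctx' is not NULL` after the lctx parameter was dropped from the prototype, and should be removed. More importantly, dns_tsig_verify() now takes two keyrings, sring and dring, and the comment says only that each is "a valid keyring or NULL"; it does not say in which order they are searched or what happens when the same key name exists in both. That matters because the dynamic ring is presumably populated by TKEY negotiation, so if it were consulted before the static ring a negotiated key could shadow an administrator-configured one; the precedence should be stated explicitly, e.g. ` * Keys are looked up in 'sring' first, then in 'dring'` (or whichever order tsig.c actually implements). dns_tsig_destroy()'s Requires should also state `'*ring' is not NULL`, matching the wording used for dns_tkey_destroy().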
lib/dns/include/dns/types.h
...
...
@@ -78,6 +78,8 @@ typedef struct dns_dispatch dns_dispatch_t;
typedef
struct
dns_dispentry
dns_dispentry_t
;
typedef
struct
dns_dispatchevent
dns_dispatchevent_t
;
typedef
struct
dns_tsigkey
dns_tsigkey_t
;
typedef
struct
dns_tsig_keyring
dns_tsig_keyring_t
;
typedef
struct
dns_tkey_ctx
dns_tkey_ctx_t
;
typedef
struct
dns_view
dns_view_t
;
typedef
ISC_LIST
(
dns_view_t
)
dns_viewlist_t
;
typedef
struct
dns_zone
dns_zone_t
;
...
...
lib/dns/include/dns/view.h
...
...
@@ -88,6 +88,8 @@ struct dns_view {
isc_task_t
*
task
;
isc_event_t
resevent
;
isc_event_t
adbevent
;
dns_tsig_keyring_t
*
statickeys
;
dns_tsig_keyring_t
*
dynamickeys
;
/* Locked by lock. */
unsigned
int
references
;
unsigned
int
attributes
;
...
...
@@ -226,6 +228,26 @@ dns_view_sethints(dns_view_t *view, dns_db_t *hints);
* The hints database of 'view' is 'hints'.
*/
void
dns_view_setkeyring
(
dns_view_t
*
view
,
dns_tsig_keyring_t
*
ring
);
/*
* Set the view's static TSIG keys
*
* Requires:
*
* 'view' is a valid, unfrozen view, whose static TSIG keyring has not
* been set.
*
* 'ring' is a valid TSIG keyring
*
* Ensures:
*
* The static TSIG keyring of 'view' is 'ring'.
*/
isc_result_t
dns_view_addzone
(
dns_view_t
*
view
,
dns_zone_t
*
zone
);
/*
...
...
@@ -421,6 +443,21 @@ dns_view_load(dns_view_t *view);
* 'view' is a valid.
*/
isc_result_t
dns_view_checksig
(
dns_view_t
*
view
,
isc_buffer_t
*
source
,
dns_message_t
*
msg
);
/*
* Verifies the signature of a message.
*
* Requires:
*
* 'view' is a valid view.
* 'source' is a valid buffer containing the message
* 'msg' is a valid message
*
* Returns:
* see dns_tsig_verify()
*/
ISC_LANG_ENDDECLS
#endif
/* DNS_VIEW_H */
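Review bot: The new statickeys and dynamickeys fields sit above the `/* Locked by lock. */` marker in struct dns_view, i.e. in the unlocked part of the structure, but nothing on the page says what protects them. statickeys is set once by dns_view_setkeyring() on an unfrozen view, which is consistent with being unlocked; dynamickeys is presumably mutated at run time by TKEY processing, so a comment should state that the pointer itself is fixed after creation and that the ring's own rwlock (see struct dns_tsig_keyring) guards its contents, otherwise a reader will assume view->lock is required. dns_view_setkeyring() also does not say whether the view takes ownership of 'ring' and destroys it, or whether the caller must keep it alive for the view's lifetime; add `The view does not take ownership of 'ring'` or the reverse, whichever view.c implements. Finally, dns_view_checksig()'s 'source' requirement should note that the buffer must hold the same wire bytes the message was parsed from, since a TSIG covers the original message.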
lib/dns/message.c
...
...
@@ -38,6 +38,7 @@
#include <dns/compress.h>
#include <dns/tsig.h>
#include <dns/dnssec.h>
#include <dns/view.h>
#define DNS_MESSAGE_OPCODE_MASK 0x7800U
#define DNS_MESSAGE_OPCODE_SHIFT 11
...
...
@@ -287,6 +288,7 @@ msginitprivate(dns_message_t *m)
static
inline
void
msginittsig
(
dns_message_t
*
m
)
{
m
->
ring
=
NULL
;
m
->
tsigstatus
=
m
->
querytsigstatus
=
dns_rcode_noerror
;
m
->
tsig
=
m
->
querytsig
=
NULL
;
m
->
tsigkey
=
NULL
;
...
...
@@ -455,7 +457,7 @@ msgreset(dns_message_t *msg, isc_boolean_t everything)
}
if
(
msg
->
tsigkey
!=
NULL
)
{
dns_tsigkey_free
(
&
msg
->
tsigkey
);
dns_tsigkey_free
(
&
msg
->
tsigkey
,
msg
->
ring
);
msg
->
tsigkey
=
NULL
;
}
...
...
@@ -1317,17 +1319,9 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
if
(
r
.
length
!=
0
)
return
(
DNS_R_FORMERR
);
if
(
msg
->
tsigkey
!=
NULL
||
!
ISC_LIST_EMPTY
(
msg
->
sections
[
DNS_SECTION_
TSIG
]))
if
(
!
ISC_LIST_EMPTY
(
msg
->
sections
[
DNS_SECTION_TSIG
])
||
!
ISC_LIST_EMPTY
(
msg
->
sections
[
DNS_SECTION_
SIG0
]))
{
if
(
!
msg
->
tcp_continuation
)
ret
=
dns_tsig_verify
(
source
,
msg
);
else
ret
=
dns_tsig_verify_tcp
(
source
,
msg
);
if
(
ret
!=
DNS_R_SUCCESS
)
return
ret
;
}
else
if
(
!
ISC_LIST_EMPTY
(
msg
->
sections
[
DNS_SECTION_SIG0
]))
{
msg
->
saved
=
isc_mem_get
(
msg
->
mctx
,
sizeof
(
isc_region_t
));
if
(
msg
->
saved
==
NULL
)
return
(
ISC_R_NOMEMORY
);
...
...
@@ -2148,3 +2142,21 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
return
(
result
);
}
isc_result_t
dns_message_checksig
(
dns_message_t
*
msg
,
dns_view_t
*
view
)
{
isc_buffer_t
b
;
REQUIRE
(
DNS_MESSAGE_VALID
(
msg
));
REQUIRE
(
view
!=
NULL
);
if
(
msg
->
tsigkey
==
NULL
&&
ISC_LIST_EMPTY
(
msg
->
sections
[
DNS_SECTION_TSIG
]))
return
(
ISC_R_SUCCESS
);
if
(
msg
->
saved
==
NULL
)
return
(
DNS_R_EXPECTEDTSIG
);
isc_buffer_init
(
&
b
,
msg
->
saved
->
base
,
msg
->
saved
->
length
,
ISC_BUFFERTYPE_BINARY
);
isc_buffer_add
(
&
b
,
msg
->
saved
->
length
);
return
dns_view_checksig
(
view
,
&
b
,
msg
);
}
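Review bot: dns_message_checksig() returns ISC_R_SUCCESS as soon as msg->tsigkey is NULL and the TSIG section is empty, yet dns_message_parse() now saves the wire data when either the TSIG or the SIG0 section is non-empty, so a message carrying only a SIG(0) passes checksig without any verification even though its header comment promises "if this message was signed, verify the signature". Unless SIG(0) is checked on another path, the early return should also test `ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])` and route that case to a verifier, or the comment in message.h should state plainly that only TSIG is checked here. Separately, msgreset() now passes msg->ring to dns_tsigkey_free(), whose contract requires a valid keyring containing the key, but msginittsig() sets ring to NULL and nothing in this diff assigns it, so if a tsigkey can be attached without ring being set this call violates that precondition; a `REQUIRE(msg->ring != NULL)` ahead of the free, or a comment naming where ring is set, would make the invariant checkable. The bodies of dns_message_parse() and msgreset() extend beyond the hunks shown.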
lib/dns/tkey.c
...
...
@@ -16,7 +16,7 @@
*/
/*
* $Id: tkey.c,v 1.1
5 1999/12/06 12:40:30 brister
Exp $
* $Id: tkey.c,v 1.1
6 2000/01/21 20:18:36 bwelling
Exp $
* Principal Author: Brian Wellington
*/
...
...
@@ -31,6 +31,7 @@
#include <isc/error.h>
#include <isc/list.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/result.h>
#include <isc/rwlock.h>
...
...
@@ -63,12 +64,8 @@
} while (0)
static
dst_key_t
*
tkey_dhkey
=
NULL
;
static
dns_name_t
*
tkey_domain
=
NULL
;
static
isc_mem_t
*
tkey_mctx
=
NULL
;
isc_result_t
dns_tkey_init
(
isc_log_t
*
lctx
,
dns_c_ctx_t
*
cfg
,
isc_mem_t
*
m
ctx
)
{
dns_tkey_init
(
dns_c_ctx_t
*
cfg
,
isc_mem_t
*
mctx
,
dns_tkey_ctx_t
**
t
ctx
)
{
isc_result_t
result
;
char
*
s
;
int
n
;
...
...
@@ -76,11 +73,16 @@ dns_tkey_init(isc_log_t *lctx, dns_c_ctx_t *cfg, isc_mem_t *mctx) {
unsigned
char
data
[
1024
];
dns_name_t
domain
;
RUNTIME_CHECK
(
tkey_domain
==
NULL
);
RUNTIME_CHECK
(
tkey_dhkey
==
NULL
);
REQUIRE
(
lctx
!=
NULL
);
/* XXX lctx is now unused. */
REQUIRE
(
mctx
!=
NULL
);
REQUIRE
(
tctx
!=
NULL
);
REQUIRE
(
*
tctx
==
NULL
);
*
tctx
=
isc_mem_get
(
mctx
,
sizeof
(
dns_tkey_ctx_t
));
if
(
*
tctx
==
NULL
)
return
(
ISC_R_NOMEMORY
);
(
*
tctx
)
->
mctx
=
mctx
;
(
*
tctx
)
->
dhkey
=
NULL
;
(
*
tctx
)
->
domain
=
NULL
;
if
(
cfg
==
NULL
)
return
(
ISC_R_SUCCESS
);
...
...
@@ -91,47 +93,50 @@ dns_tkey_init(isc_log_t *lctx, dns_c_ctx_t *cfg, isc_mem_t *mctx) {
return
(
ISC_R_SUCCESS
);
RETERR
(
dst_key_fromfile
(
s
,
n
,
DNS_KEYALG_DH
,
DST_TYPE_PUBLIC
|
DST_TYPE_PRIVATE
,
mctx
,
&
tkey_
dhkey
));
mctx
,
&
(
*
tctx
)
->
dhkey
));
s
=
NULL
;
RETERR
(
dns_c_ctx_gettkeydomain
(
cfg
,
&
s
));
dns_name_init
(
&
domain
,
NULL
);
tkey_
domain
=
(
dns_name_t
*
)
isc_mem_get
(
mctx
,
sizeof
(
dns_name_t
));
if
(
tkey_
domain
==
NULL
)
(
*
tctx
)
->
domain
=
(
dns_name_t
*
)
isc_mem_get
(
mctx
,
sizeof
(
dns_name_t
));
if
(
(
*
tctx
)
->
domain
==
NULL
)
return
(
ISC_R_NOMEMORY
);
dns_name_init
(
tkey_
domain
,
NULL
);
dns_name_init
(
(
*
tctx
)
->
domain
,
NULL
);
isc_buffer_init
(
&
b
,
s
,
strlen
(
s
),
ISC_BUFFERTYPE_TEXT
);
isc_buffer_add
(
&
b
,
strlen
(
s
));
isc_buffer_init
(
&
namebuf
,
data
,
sizeof
(
data
),
ISC_BUFFERTYPE_BINARY
);
RETERR
(
dns_name_fromtext
(
&
domain
,
&
b
,
dns_rootname
,
ISC_FALSE
,
&
namebuf
));
RETERR
(
dns_name_dup
(
&
domain
,
mctx
,
tkey_domain
));
tkey_mctx
=
mctx
;
RETERR
(
dns_name_dup
(
&
domain
,
mctx
,
(
*
tctx
)
->
domain
));
return
(
ISC_R_SUCCESS
);
failure:
if
(
tkey_
dhkey
!=
NULL
)
{
dst_key_free
(
tkey_
dhkey
);
tkey_
dhkey
=
NULL
;
if
(
(
*
tctx
)
->
dhkey
!=
NULL
)
{
dst_key_free
(
(
*
tctx
)
->
dhkey
);
(
*
tctx
)
->
dhkey
=
NULL
;
}
if
(
tkey_
domain
!=
NULL
)
{
dns_name_free
(
tkey_
domain
,
mctx
);
isc_mem_put
(
mctx
,
tkey_
domain
,
sizeof
(
dns_name_t
));
tkey_
domain
=
NULL
;
if
(
(
*
tctx
)
->
domain
!=
NULL
)
{
dns_name_free
(
(
*
tctx
)
->
domain
,
mctx
);
isc_mem_put
(
mctx
,
(
*
tctx
)
->
domain
,
sizeof
(
dns_name_t
));
(
*
tctx
)
->
domain
=
NULL
;
}
return
(
result
);
}
void
dns_tkey_destroy
(
void
)
{
if
(
tkey_mctx
==
NULL
)
return
;
if
(
tkey_dhkey
!=
NULL
)
dst_key_free
(
tkey_dhkey
);
if
(
tkey_domain
!=
NULL
)
isc_mem_put
(
tkey_mctx
,
tkey_domain
,
sizeof
(
dns_name_t
));
tkey_mctx
=
NULL
;
dns_tkey_destroy
(
dns_tkey_ctx_t
**
tctx
)
{
isc_mem_t
*
mctx
;
REQUIRE
(
tctx
!=
NULL
);
REQUIRE
(
*
tctx
!=
NULL
);
if
((
*
tctx
)
->
dhkey
!=
NULL
)
dst_key_free
((
*
tctx
)
->
dhkey
);
if
((
*
tctx
)
->
domain
!=
NULL
)
isc_mem_put
((
*
tctx
)
->
mctx
,
(
*
tctx
)
->
domain
,
sizeof
(
dns_name_t
));
mctx
=
(
*
tctx
)
->
mctx
;
isc_mem_put
(
mctx
,
*
tctx
,
sizeof
(
dns_tkey_ctx_t
));
}
static
isc_result_t
...
...
@@ -169,6 +174,7 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
RETERR
(
dns_message_gettemprdatalist
(
msg
,
&
newlist
));
newlist
->
rdclass
=
newrdata
->
rdclass
;
newlist
->
type
=
newrdata
->
type
;
newlist
->
covers
=
0
;
newlist
->
ttl
=
ttl
;
ISC_LIST_INIT
(
newlist
->
rdata
);
ISC_LIST_APPEND
(
newlist
->
rdata
,
newrdata
,
link
);
...
...
@@ -191,27 +197,59 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
dns_message_puttempname
(
msg
,
&
newname
);
if
(
newlist
!=
NULL
)
dns_message_puttemprdatalist
(
msg
,
&
newlist
);
if
(
newset
!=
NULL
)
if
(
newset
!=
NULL
)
{
dns_rdataset_disassociate
(
newset
);
dns_message_puttemprdataset
(
msg
,
&
newset
);
}
return
(
result
);
}
static
isc_result_t
compute_secret
(
isc_buffer_t
*
shared
,
isc_region_t
*
randomness
,
isc_buffer_t
*
secret
)
compute_secret
(
isc_buffer_t
*
shared
,
isc_region_t
*
query
randomness
,
isc_
region_t
*
serverrandomness
,
isc_
buffer_t
*
secret
)
{
dst_context_t
ctx
;
isc_result_t
result
;
isc_region_t
r
;
isc_region_t
r
,
r2
;
char
digests
[
32
];
isc_buffer_t
b
;
unsigned
int
i
;
isc_buffer_init
(
&
b
,
digests
,
sizeof
(
digests
),
ISC_BUFFERTYPE_BINARY
);
isc_buffer_used
(
shared
,
&
r
);
/* MD5 ( query data | DH value ) */
RETERR
(
dst_digest
(
DST_SIGMODE_INIT
,
DST_DIGEST_MD5
,
&
ctx
,
NULL
,
NULL
));
RETERR
(
dst_digest
(
DST_SIGMODE_UPDATE
,
DST_DIGEST_MD5
,
&
ctx
,
queryrandomness
,
NULL
));
RETERR
(
dst_digest
(
DST_SIGMODE_UPDATE
,
DST_DIGEST_MD5
,
&
ctx
,
&
r
,
NULL
));
RETERR
(
dst_digest
(
DST_SIGMODE_FINAL
,
DST_DIGEST_MD5
,
&
ctx
,
NULL
,
&
b
));
/* MD5 ( server data | DH value ) */
RETERR
(
dst_digest
(
DST_SIGMODE_INIT
,
DST_DIGEST_MD5
,
&
ctx
,
NULL
,
NULL
));
RETERR
(
dst_digest
(
DST_SIGMODE_UPDATE
,
DST_DIGEST_MD5
,
&
ctx
,
serverrandomness
,
NULL
));
RETERR
(
dst_digest
(
DST_SIGMODE_UPDATE
,
DST_DIGEST_MD5
,
&
ctx
,
&
r
,
NULL
));
if
(
randomness
->
length
!=
0
)
RETERR
(
dst_digest
(
DST_SIGMODE_UPDATE
,
DST_DIGEST_MD5
,
&
ctx
,
randomness
,
secret
));
RETERR
(
dst_digest
(
DST_SIGMODE_FINAL
,
DST_DIGEST_MD5
,
&
ctx
,
NULL
,
secret
));
RETERR
(
dst_digest
(
DST_SIGMODE_FINAL
,
DST_DIGEST_MD5
,
&
ctx
,
NULL
,
&
b
));
/* XOR ( DH value, MD5-1 | MD5-2) */
isc_buffer_available
(
secret
,
&
r
);
isc_buffer_used
(
shared
,
&
r2
);
if
(
r
.
length
<
sizeof
(
digests
)
||
r
.
length
<
r2
.
length
)
return
(
ISC_R_NOSPACE
);
if
(
r2
.
length
>
sizeof
(
digests
))
{
memcpy
(
r
.
base
,
r2
.
base
,
r2
.
length
);
for
(
i
=
0
;
i
<
sizeof
(
digests
);
i
++
)
r
.
base
[
i
]
^=
digests
[
i
];
isc_buffer_add
(
secret
,
r2
.
length
);
}
else
{
memcpy
(
r
.
base
,
digests
,
sizeof
(
digests
));
for
(
i
=
0
;
i
<
r2
.
length
;
i
++
)
r
.
base
[
i
]
^=
r2
.
base
[
i
];
isc_buffer_add
(
secret
,
sizeof
(
digests
));
}
failure:
return
result
;
...
...
@@ -219,8 +257,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *randomness,
static
isc_result_t
process_dhtkey
(
dns_message_t
*
msg
,
dns_name_t
*
name
,
dns_rdata_generic_tkey_t
*
tkeyin
,
dns_rdata_generic_tkey_t
*
tkeyout
,
dns_namelist_t
*
namelist
)
dns_rdata_generic_tkey_t
*
tkeyin
,
dns_tkey_ctx_t
*
tctx
,
dns_rdata_generic_tkey_t
*
tkeyout
,
dns_tsig_keyring_t
*
ring
,
dns_namelist_t
*
namelist
)
{
isc_result_t
result
=
ISC_R_SUCCESS
;
dns_name_t
*
keyname
,
ourname
,
signer
,
*
creator
;
...
...
@@ -229,14 +268,14 @@ process_dhtkey(dns_message_t *msg, dns_name_t *name,
isc_boolean_t
found_key
=
ISC_FALSE
,
found_incompatible
=
ISC_FALSE
;
dst_key_t
*
pubkey
=
NULL
;
isc_buffer_t
ourkeybuf
,
ournamein
,
ournameout
,
*
shared
=
NULL
;
isc_region_t
r
,
ourkeyr
;
isc_region_t
r
,
r2
,
ourkeyr
;
isc_uint32_t
ourttl
;
unsigned
char
keydata
[
DST_KEY_MAXSIZE
];
unsigned
char
namedata
[
1024
];
dns_tsigkey_t
*
tsigkey
;
unsigned
int
sharedsize
;
isc_buffer_t
randombuf
,
secret
;