2 * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
19 * $Id: tsig.c,v 1.131.2.3 2008/11/04 22:28:45 marka Exp $
25 #include <isc/buffer.h>
27 #include <isc/print.h>
28 #include <isc/refcount.h>
29 #include <isc/string.h> /* Required for HP/UX (and others?) */
33 #include <dns/keyvalues.h>
35 #include <dns/message.h>
36 #include <dns/fixedname.h>
38 #include <dns/rdata.h>
39 #include <dns/rdatalist.h>
40 #include <dns/rdataset.h>
41 #include <dns/rdatastruct.h>
42 #include <dns/result.h>
45 #include <dst/result.h>
47 #define TSIG_MAGIC ISC_MAGIC('T', 'S', 'I', 'G')
48 #define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
50 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
51 #define algname_is_allocated(algname) \
52 ((algname) != dns_tsig_hmacmd5_name && \
53 (algname) != dns_tsig_hmacsha1_name && \
54 (algname) != dns_tsig_hmacsha224_name && \
55 (algname) != dns_tsig_hmacsha256_name && \
56 (algname) != dns_tsig_hmacsha384_name && \
57 (algname) != dns_tsig_hmacsha512_name && \
58 (algname) != dns_tsig_gssapi_name && \
59 (algname) != dns_tsig_gssapims_name)
63 static unsigned char hmacmd5_ndata
[] = "\010hmac-md5\007sig-alg\003reg\003int";
64 static unsigned char hmacmd5_offsets
[] = { 0, 9, 17, 21, 25 };
66 static dns_name_t hmacmd5
= {
69 DNS_NAMEATTR_READONLY
| DNS_NAMEATTR_ABSOLUTE
,
70 hmacmd5_offsets
, NULL
,
71 {(void *)-1, (void *)-1},
75 dns_name_t
*dns_tsig_hmacmd5_name
= &hmacmd5
;
77 static unsigned char gsstsig_ndata
[] = "\010gss-tsig";
78 static unsigned char gsstsig_offsets
[] = { 0, 9 };
79 static dns_name_t gsstsig
= {
82 DNS_NAMEATTR_READONLY
| DNS_NAMEATTR_ABSOLUTE
,
83 gsstsig_offsets
, NULL
,
84 {(void *)-1, (void *)-1},
87 LIBDNS_EXTERNAL_DATA dns_name_t
*dns_tsig_gssapi_name
= &gsstsig
;
90 * Since Microsoft doesn't follow its own standard, we will use this
91 * alternate name as a second guess.
93 static unsigned char gsstsigms_ndata
[] = "\003gss\011microsoft\003com";
94 static unsigned char gsstsigms_offsets
[] = { 0, 4, 14, 18 };
95 static dns_name_t gsstsigms
= {
97 gsstsigms_ndata
, 19, 4,
98 DNS_NAMEATTR_READONLY
| DNS_NAMEATTR_ABSOLUTE
,
99 gsstsigms_offsets
, NULL
,
100 {(void *)-1, (void *)-1},
103 LIBDNS_EXTERNAL_DATA dns_name_t
*dns_tsig_gssapims_name
= &gsstsigms
;
105 static unsigned char hmacsha1_ndata
[] = "\011hmac-sha1";
106 static unsigned char hmacsha1_offsets
[] = { 0, 10 };
108 static dns_name_t hmacsha1
= {
110 hmacsha1_ndata
, 11, 2,
111 DNS_NAMEATTR_READONLY
| DNS_NAMEATTR_ABSOLUTE
,
112 hmacsha1_offsets
, NULL
,
113 {(void *)-1, (void *)-1},
117 LIBDNS_EXTERNAL_DATA dns_name_t
*dns_tsig_hmacsha1_name
= &hmacsha1
;
119 static unsigned char hmacsha224_ndata
[] = "\013hmac-sha224";
120 static unsigned char hmacsha224_offsets
[] = { 0, 12 };
122 static dns_name_t hmacsha224
= {
124 hmacsha224_ndata
, 13, 2,
125 DNS_NAMEATTR_READONLY
| DNS_NAMEATTR_ABSOLUTE
,
126 hmacsha224_offsets
, NULL
,
127 {(void *)-1, (void *)-1},
131 LIBDNS_EXTERNAL_DATA dns_name_t
*dns_tsig_hmacsha224_name
= &hmacsha224
;
133 static unsigned char hmacsha256_ndata
[] = "\013hmac-sha256";
134 static unsigned char hmacsha256_offsets
[] = { 0, 12 };
136 static dns_name_t hmacsha256
= {
138 hmacsha256_ndata
, 13, 2,
139 DNS_NAMEATTR_READONLY
| DNS_NAMEATTR_ABSOLUTE
,
140 hmacsha256_offsets
, NULL
,
141 {(void *)-1, (void *)-1},
145 LIBDNS_EXTERNAL_DATA dns_name_t
*dns_tsig_hmacsha256_name
= &hmacsha256
;
147 static unsigned char hmacsha384_ndata
[] = "\013hmac-sha384";
148 static unsigned char hmacsha384_offsets
[] = { 0, 12 };
150 static dns_name_t hmacsha384
= {
152 hmacsha384_ndata
, 13, 2,
153 DNS_NAMEATTR_READONLY
| DNS_NAMEATTR_ABSOLUTE
,
154 hmacsha384_offsets
, NULL
,
155 {(void *)-1, (void *)-1},
159 LIBDNS_EXTERNAL_DATA dns_name_t
*dns_tsig_hmacsha384_name
= &hmacsha384
;
161 static unsigned char hmacsha512_ndata
[] = "\013hmac-sha512";
162 static unsigned char hmacsha512_offsets
[] = { 0, 12 };
164 static dns_name_t hmacsha512
= {
166 hmacsha512_ndata
, 13, 2,
167 DNS_NAMEATTR_READONLY
| DNS_NAMEATTR_ABSOLUTE
,
168 hmacsha512_offsets
, NULL
,
169 {(void *)-1, (void *)-1},
173 LIBDNS_EXTERNAL_DATA dns_name_t
*dns_tsig_hmacsha512_name
= &hmacsha512
;
176 tsig_verify_tcp(isc_buffer_t
*source
, dns_message_t
*msg
);
179 tsig_log(dns_tsigkey_t
*key
, int level
, const char *fmt
, ...)
180 ISC_FORMAT_PRINTF(3, 4);
183 cleanup_ring(dns_tsig_keyring_t
*ring
);
185 tsigkey_free(dns_tsigkey_t
*key
);
188 tsig_log(dns_tsigkey_t
*key
, int level
, const char *fmt
, ...) {
191 char namestr
[DNS_NAME_FORMATSIZE
];
192 char creatorstr
[DNS_NAME_FORMATSIZE
];
194 if (isc_log_wouldlog(dns_lctx
, level
) == ISC_FALSE
)
197 dns_name_format(&key
->name
, namestr
, sizeof(namestr
));
199 strcpy(namestr
, "<null>");
201 if (key
!= NULL
&& key
->generated
)
202 dns_name_format(key
->creator
, creatorstr
, sizeof(creatorstr
));
205 vsnprintf(message
, sizeof(message
), fmt
, ap
);
207 if (key
!= NULL
&& key
->generated
)
208 isc_log_write(dns_lctx
,
209 DNS_LOGCATEGORY_DNSSEC
, DNS_LOGMODULE_TSIG
,
210 level
, "tsig key '%s' (%s): %s",
211 namestr
, creatorstr
, message
);
213 isc_log_write(dns_lctx
,
214 DNS_LOGCATEGORY_DNSSEC
, DNS_LOGMODULE_TSIG
,
215 level
, "tsig key '%s': %s", namestr
, message
);
219 dns_tsigkey_createfromkey(dns_name_t
*name
, dns_name_t
*algorithm
,
220 dst_key_t
*dstkey
, isc_boolean_t generated
,
221 dns_name_t
*creator
, isc_stdtime_t inception
,
222 isc_stdtime_t expire
, isc_mem_t
*mctx
,
223 dns_tsig_keyring_t
*ring
, dns_tsigkey_t
**key
)
227 unsigned int refs
= 0;
229 REQUIRE(key
== NULL
|| *key
== NULL
);
230 REQUIRE(name
!= NULL
);
231 REQUIRE(algorithm
!= NULL
);
232 REQUIRE(mctx
!= NULL
);
233 REQUIRE(key
!= NULL
|| ring
!= NULL
);
235 tkey
= (dns_tsigkey_t
*) isc_mem_get(mctx
, sizeof(dns_tsigkey_t
));
237 return (ISC_R_NOMEMORY
);
239 dns_name_init(&tkey
->name
, NULL
);
240 ret
= dns_name_dup(name
, mctx
, &tkey
->name
);
241 if (ret
!= ISC_R_SUCCESS
)
243 (void)dns_name_downcase(&tkey
->name
, &tkey
->name
, NULL
);
245 if (dns_name_equal(algorithm
, DNS_TSIG_HMACMD5_NAME
)) {
246 tkey
->algorithm
= DNS_TSIG_HMACMD5_NAME
;
247 if (dstkey
!= NULL
&& dst_key_alg(dstkey
) != DST_ALG_HMACMD5
) {
251 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA1_NAME
)) {
252 tkey
->algorithm
= DNS_TSIG_HMACSHA1_NAME
;
253 if (dstkey
!= NULL
&& dst_key_alg(dstkey
) != DST_ALG_HMACSHA1
) {
257 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA224_NAME
)) {
258 tkey
->algorithm
= DNS_TSIG_HMACSHA224_NAME
;
259 if (dstkey
!= NULL
&&
260 dst_key_alg(dstkey
) != DST_ALG_HMACSHA224
) {
264 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA256_NAME
)) {
265 tkey
->algorithm
= DNS_TSIG_HMACSHA256_NAME
;
266 if (dstkey
!= NULL
&&
267 dst_key_alg(dstkey
) != DST_ALG_HMACSHA256
) {
271 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA384_NAME
)) {
272 tkey
->algorithm
= DNS_TSIG_HMACSHA384_NAME
;
273 if (dstkey
!= NULL
&&
274 dst_key_alg(dstkey
) != DST_ALG_HMACSHA384
) {
278 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA512_NAME
)) {
279 tkey
->algorithm
= DNS_TSIG_HMACSHA512_NAME
;
280 if (dstkey
!= NULL
&&
281 dst_key_alg(dstkey
) != DST_ALG_HMACSHA512
) {
285 } else if (dns_name_equal(algorithm
, DNS_TSIG_GSSAPI_NAME
)) {
286 tkey
->algorithm
= DNS_TSIG_GSSAPI_NAME
;
287 if (dstkey
!= NULL
&& dst_key_alg(dstkey
) != DST_ALG_GSSAPI
) {
291 } else if (dns_name_equal(algorithm
, DNS_TSIG_GSSAPIMS_NAME
)) {
292 tkey
->algorithm
= DNS_TSIG_GSSAPIMS_NAME
;
293 if (dstkey
!= NULL
&& dst_key_alg(dstkey
) != DST_ALG_GSSAPI
) {
298 if (dstkey
!= NULL
) {
302 tkey
->algorithm
= isc_mem_get(mctx
, sizeof(dns_name_t
));
303 if (tkey
->algorithm
== NULL
) {
304 ret
= ISC_R_NOMEMORY
;
307 dns_name_init(tkey
->algorithm
, NULL
);
308 ret
= dns_name_dup(algorithm
, mctx
, tkey
->algorithm
);
309 if (ret
!= ISC_R_SUCCESS
)
310 goto cleanup_algorithm
;
311 (void)dns_name_downcase(tkey
->algorithm
, tkey
->algorithm
,
315 if (creator
!= NULL
) {
316 tkey
->creator
= isc_mem_get(mctx
, sizeof(dns_name_t
));
317 if (tkey
->creator
== NULL
) {
318 ret
= ISC_R_NOMEMORY
;
319 goto cleanup_algorithm
;
321 dns_name_init(tkey
->creator
, NULL
);
322 ret
= dns_name_dup(creator
, mctx
, tkey
->creator
);
323 if (ret
!= ISC_R_SUCCESS
) {
324 isc_mem_put(mctx
, tkey
->creator
, sizeof(dns_name_t
));
325 goto cleanup_algorithm
;
328 tkey
->creator
= NULL
;
337 ret
= isc_refcount_init(&tkey
->refs
, refs
);
338 if (ret
!= ISC_R_SUCCESS
)
339 goto cleanup_creator
;
341 tkey
->generated
= generated
;
342 tkey
->inception
= inception
;
343 tkey
->expire
= expire
;
345 isc_mem_attach(mctx
, &tkey
->mctx
);
347 tkey
->magic
= TSIG_MAGIC
;
350 RWLOCK(&ring
->lock
, isc_rwlocktype_write
);
354 * Do on the fly cleaning. Find some nodes we might not
355 * want around any more.
357 if (ring
->writecount
> 10) {
359 ring
->writecount
= 0;
361 ret
= dns_rbt_addname(ring
->keys
, name
, tkey
);
362 if (ret
!= ISC_R_SUCCESS
) {
363 RWUNLOCK(&ring
->lock
, isc_rwlocktype_write
);
366 RWUNLOCK(&ring
->lock
, isc_rwlocktype_write
);
370 * Ignore this if it's a GSS key, since the key size is meaningless.
372 if (dstkey
!= NULL
&& dst_key_size(dstkey
) < 64 &&
373 !dns_name_equal(algorithm
, DNS_TSIG_GSSAPI_NAME
) &&
374 !dns_name_equal(algorithm
, DNS_TSIG_GSSAPIMS_NAME
)) {
375 char namestr
[DNS_NAME_FORMATSIZE
];
376 dns_name_format(name
, namestr
, sizeof(namestr
));
377 isc_log_write(dns_lctx
, DNS_LOGCATEGORY_DNSSEC
,
378 DNS_LOGMODULE_TSIG
, ISC_LOG_INFO
,
379 "the key '%s' is too short to be secure",
385 return (ISC_R_SUCCESS
);
390 isc_refcount_decrement(&tkey
->refs
, NULL
);
391 isc_refcount_destroy(&tkey
->refs
);
393 if (tkey
->creator
!= NULL
) {
394 dns_name_free(tkey
->creator
, mctx
);
395 isc_mem_put(mctx
, tkey
->creator
, sizeof(dns_name_t
));
398 if (algname_is_allocated(tkey
->algorithm
)) {
399 if (dns_name_dynamic(tkey
->algorithm
))
400 dns_name_free(tkey
->algorithm
, mctx
);
401 isc_mem_put(mctx
, tkey
->algorithm
, sizeof(dns_name_t
));
404 dns_name_free(&tkey
->name
, mctx
);
406 isc_mem_put(mctx
, tkey
, sizeof(dns_tsigkey_t
));
412 * Find a few nodes to destroy if possible.
415 cleanup_ring(dns_tsig_keyring_t
*ring
)
418 dns_rbtnodechain_t chain
;
419 dns_name_t foundname
;
420 dns_fixedname_t fixedorigin
;
427 * Start up a new iterator each time.
429 isc_stdtime_get(&now
);
430 dns_name_init(&foundname
, NULL
);
431 dns_fixedname_init(&fixedorigin
);
432 origin
= dns_fixedname_name(&fixedorigin
);
435 dns_rbtnodechain_init(&chain
, ring
->mctx
);
436 result
= dns_rbtnodechain_first(&chain
, ring
->keys
, &foundname
,
438 if (result
!= ISC_R_SUCCESS
&& result
!= DNS_R_NEWORIGIN
) {
439 dns_rbtnodechain_invalidate(&chain
);
445 dns_rbtnodechain_current(&chain
, &foundname
, origin
, &node
);
449 && isc_refcount_current(&tkey
->refs
) == 1
450 && tkey
->inception
!= tkey
->expire
451 && tkey
->expire
< now
) {
452 tsig_log(tkey
, 2, "tsig expire: deleting");
454 dns_rbtnodechain_invalidate(&chain
);
455 (void)dns_rbt_deletename(ring
->keys
,
461 result
= dns_rbtnodechain_next(&chain
, &foundname
,
463 if (result
!= ISC_R_SUCCESS
&& result
!= DNS_R_NEWORIGIN
) {
464 dns_rbtnodechain_invalidate(&chain
);
472 dns_tsigkey_create(dns_name_t
*name
, dns_name_t
*algorithm
,
473 unsigned char *secret
, int length
, isc_boolean_t generated
,
474 dns_name_t
*creator
, isc_stdtime_t inception
,
475 isc_stdtime_t expire
, isc_mem_t
*mctx
,
476 dns_tsig_keyring_t
*ring
, dns_tsigkey_t
**key
)
478 dst_key_t
*dstkey
= NULL
;
481 REQUIRE(length
>= 0);
483 REQUIRE(secret
!= NULL
);
485 if (dns_name_equal(algorithm
, DNS_TSIG_HMACMD5_NAME
)) {
486 if (secret
!= NULL
) {
489 isc_buffer_init(&b
, secret
, length
);
490 isc_buffer_add(&b
, length
);
491 result
= dst_key_frombuffer(name
, DST_ALG_HMACMD5
,
496 if (result
!= ISC_R_SUCCESS
)
499 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA1_NAME
)) {
500 if (secret
!= NULL
) {
503 isc_buffer_init(&b
, secret
, length
);
504 isc_buffer_add(&b
, length
);
505 result
= dst_key_frombuffer(name
, DST_ALG_HMACSHA1
,
510 if (result
!= ISC_R_SUCCESS
)
513 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA224_NAME
)) {
514 if (secret
!= NULL
) {
517 isc_buffer_init(&b
, secret
, length
);
518 isc_buffer_add(&b
, length
);
519 result
= dst_key_frombuffer(name
, DST_ALG_HMACSHA224
,
524 if (result
!= ISC_R_SUCCESS
)
527 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA256_NAME
)) {
528 if (secret
!= NULL
) {
531 isc_buffer_init(&b
, secret
, length
);
532 isc_buffer_add(&b
, length
);
533 result
= dst_key_frombuffer(name
, DST_ALG_HMACSHA256
,
538 if (result
!= ISC_R_SUCCESS
)
541 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA384_NAME
)) {
542 if (secret
!= NULL
) {
545 isc_buffer_init(&b
, secret
, length
);
546 isc_buffer_add(&b
, length
);
547 result
= dst_key_frombuffer(name
, DST_ALG_HMACSHA384
,
552 if (result
!= ISC_R_SUCCESS
)
555 } else if (dns_name_equal(algorithm
, DNS_TSIG_HMACSHA512_NAME
)) {
556 if (secret
!= NULL
) {
559 isc_buffer_init(&b
, secret
, length
);
560 isc_buffer_add(&b
, length
);
561 result
= dst_key_frombuffer(name
, DST_ALG_HMACSHA512
,
566 if (result
!= ISC_R_SUCCESS
)
569 } else if (length
> 0)
570 return (DNS_R_BADALG
);
572 result
= dns_tsigkey_createfromkey(name
, algorithm
, dstkey
,
574 inception
, expire
, mctx
, ring
, key
);
575 if (result
!= ISC_R_SUCCESS
&& dstkey
!= NULL
)
576 dst_key_free(&dstkey
);
581 dns_tsigkey_attach(dns_tsigkey_t
*source
, dns_tsigkey_t
**targetp
) {
582 REQUIRE(VALID_TSIG_KEY(source
));
583 REQUIRE(targetp
!= NULL
&& *targetp
== NULL
);
585 isc_refcount_increment(&source
->refs
, NULL
);
590 tsigkey_free(dns_tsigkey_t
*key
) {
591 REQUIRE(VALID_TSIG_KEY(key
));
594 dns_name_free(&key
->name
, key
->mctx
);
595 if (algname_is_allocated(key
->algorithm
)) {
596 dns_name_free(key
->algorithm
, key
->mctx
);
597 isc_mem_put(key
->mctx
, key
->algorithm
, sizeof(dns_name_t
));
599 if (key
->key
!= NULL
)
600 dst_key_free(&key
->key
);
601 if (key
->creator
!= NULL
) {
602 dns_name_free(key
->creator
, key
->mctx
);
603 isc_mem_put(key
->mctx
, key
->creator
, sizeof(dns_name_t
));
605 isc_refcount_destroy(&key
->refs
);
606 isc_mem_putanddetach(&key
->mctx
, key
, sizeof(dns_tsigkey_t
));
610 dns_tsigkey_detach(dns_tsigkey_t
**keyp
) {
614 REQUIRE(keyp
!= NULL
);
615 REQUIRE(VALID_TSIG_KEY(*keyp
));
618 isc_refcount_decrement(&key
->refs
, &refs
);
627 dns_tsigkey_setdeleted(dns_tsigkey_t
*key
) {
628 REQUIRE(VALID_TSIG_KEY(key
));
629 REQUIRE(key
->ring
!= NULL
);
631 RWLOCK(&key
->ring
->lock
, isc_rwlocktype_write
);
632 (void)dns_rbt_deletename(key
->ring
->keys
, &key
->name
, ISC_FALSE
);
633 RWUNLOCK(&key
->ring
->lock
, isc_rwlocktype_write
);
637 dns_tsig_sign(dns_message_t
*msg
) {
639 dns_rdata_any_tsig_t tsig
, querytsig
;
640 unsigned char data
[128];
641 isc_buffer_t databuf
, sigbuf
;
642 isc_buffer_t
*dynbuf
;
644 dns_rdata_t
*rdata
= NULL
;
645 dns_rdatalist_t
*datalist
;
646 dns_rdataset_t
*dataset
;
650 dst_context_t
*ctx
= NULL
;
652 unsigned char badtimedata
[BADTIMELEN
];
653 unsigned int sigsize
= 0;
655 REQUIRE(msg
!= NULL
);
656 REQUIRE(VALID_TSIG_KEY(dns_message_gettsigkey(msg
)));
659 * If this is a response, there should be a query tsig.
661 if (is_response(msg
) && msg
->querytsig
== NULL
)
662 return (DNS_R_EXPECTEDTSIG
);
667 key
= dns_message_gettsigkey(msg
);
670 tsig
.common
.rdclass
= dns_rdataclass_any
;
671 tsig
.common
.rdtype
= dns_rdatatype_tsig
;
672 ISC_LINK_INIT(&tsig
.common
, link
);
673 dns_name_init(&tsig
.algorithm
, NULL
);
674 dns_name_clone(key
->algorithm
, &tsig
.algorithm
);
676 isc_stdtime_get(&now
);
677 tsig
.timesigned
= now
+ msg
->timeadjust
;
678 tsig
.fudge
= DNS_TSIG_FUDGE
;
680 tsig
.originalid
= msg
->id
;
682 isc_buffer_init(&databuf
, data
, sizeof(data
));
684 if (is_response(msg
))
685 tsig
.error
= msg
->querytsigstatus
;
687 tsig
.error
= dns_rcode_noerror
;
689 if (tsig
.error
!= dns_tsigerror_badtime
) {
693 isc_buffer_t otherbuf
;
695 tsig
.otherlen
= BADTIMELEN
;
696 tsig
.other
= badtimedata
;
697 isc_buffer_init(&otherbuf
, tsig
.other
, tsig
.otherlen
);
698 isc_buffer_putuint48(&otherbuf
, tsig
.timesigned
);
701 if (key
->key
!= NULL
&& tsig
.error
!= dns_tsigerror_badsig
) {
702 unsigned char header
[DNS_MESSAGE_HEADERLEN
];
703 isc_buffer_t headerbuf
;
704 isc_uint16_t digestbits
;
706 ret
= dst_context_create(key
->key
, mctx
, &ctx
);
707 if (ret
!= ISC_R_SUCCESS
)
711 * If this is a response, digest the query signature.
713 if (is_response(msg
)) {
714 dns_rdata_t querytsigrdata
= DNS_RDATA_INIT
;
716 ret
= dns_rdataset_first(msg
->querytsig
);
717 if (ret
!= ISC_R_SUCCESS
)
718 goto cleanup_context
;
719 dns_rdataset_current(msg
->querytsig
, &querytsigrdata
);
720 ret
= dns_rdata_tostruct(&querytsigrdata
, &querytsig
,
722 if (ret
!= ISC_R_SUCCESS
)
723 goto cleanup_context
;
724 isc_buffer_putuint16(&databuf
, querytsig
.siglen
);
725 if (isc_buffer_availablelength(&databuf
) <
728 goto cleanup_context
;
730 isc_buffer_putmem(&databuf
, querytsig
.signature
,
732 isc_buffer_usedregion(&databuf
, &r
);
733 ret
= dst_context_adddata(ctx
, &r
);
734 if (ret
!= ISC_R_SUCCESS
)
735 goto cleanup_context
;
741 isc_buffer_init(&headerbuf
, header
, sizeof(header
));
742 dns_message_renderheader(msg
, &headerbuf
);
743 isc_buffer_usedregion(&headerbuf
, &r
);
744 ret
= dst_context_adddata(ctx
, &r
);
745 if (ret
!= ISC_R_SUCCESS
)
746 goto cleanup_context
;
749 * Digest the remainder of the message.
751 isc_buffer_usedregion(msg
->buffer
, &r
);
752 isc_region_consume(&r
, DNS_MESSAGE_HEADERLEN
);
753 ret
= dst_context_adddata(ctx
, &r
);
754 if (ret
!= ISC_R_SUCCESS
)
755 goto cleanup_context
;
757 if (msg
->tcp_continuation
== 0) {
759 * Digest the name, class, ttl, alg.
761 dns_name_toregion(&key
->name
, &r
);
762 ret
= dst_context_adddata(ctx
, &r
);
763 if (ret
!= ISC_R_SUCCESS
)
764 goto cleanup_context
;
766 isc_buffer_clear(&databuf
);
767 isc_buffer_putuint16(&databuf
, dns_rdataclass_any
);
768 isc_buffer_putuint32(&databuf
, 0); /* ttl */
769 isc_buffer_usedregion(&databuf
, &r
);
770 ret
= dst_context_adddata(ctx
, &r
);
771 if (ret
!= ISC_R_SUCCESS
)
772 goto cleanup_context
;
774 dns_name_toregion(&tsig
.algorithm
, &r
);
775 ret
= dst_context_adddata(ctx
, &r
);
776 if (ret
!= ISC_R_SUCCESS
)
777 goto cleanup_context
;
780 /* Digest the timesigned and fudge */
781 isc_buffer_clear(&databuf
);
782 if (tsig
.error
== dns_tsigerror_badtime
)
783 tsig
.timesigned
= querytsig
.timesigned
;
784 isc_buffer_putuint48(&databuf
, tsig
.timesigned
);
785 isc_buffer_putuint16(&databuf
, tsig
.fudge
);
786 isc_buffer_usedregion(&databuf
, &r
);
787 ret
= dst_context_adddata(ctx
, &r
);
788 if (ret
!= ISC_R_SUCCESS
)
789 goto cleanup_context
;
791 if (msg
->tcp_continuation
== 0) {
793 * Digest the error and other data length.
795 isc_buffer_clear(&databuf
);
796 isc_buffer_putuint16(&databuf
, tsig
.error
);
797 isc_buffer_putuint16(&databuf
, tsig
.otherlen
);
799 isc_buffer_usedregion(&databuf
, &r
);
800 ret
= dst_context_adddata(ctx
, &r
);
801 if (ret
!= ISC_R_SUCCESS
)
802 goto cleanup_context
;
805 * Digest the error and other data.
807 if (tsig
.otherlen
> 0) {
808 r
.length
= tsig
.otherlen
;
810 ret
= dst_context_adddata(ctx
, &r
);
811 if (ret
!= ISC_R_SUCCESS
)
812 goto cleanup_context
;
816 ret
= dst_key_sigsize(key
->key
, &sigsize
);
817 if (ret
!= ISC_R_SUCCESS
)
818 goto cleanup_context
;
819 tsig
.signature
= (unsigned char *) isc_mem_get(mctx
, sigsize
);
820 if (tsig
.signature
== NULL
) {
821 ret
= ISC_R_NOMEMORY
;
822 goto cleanup_context
;
825 isc_buffer_init(&sigbuf
, tsig
.signature
, sigsize
);
826 ret
= dst_context_sign(ctx
, &sigbuf
);
827 if (ret
!= ISC_R_SUCCESS
)
828 goto cleanup_signature
;
829 dst_context_destroy(&ctx
);
830 digestbits
= dst_key_getbits(key
->key
);
831 if (digestbits
!= 0) {
832 unsigned int bytes
= (digestbits
+ 1) / 8;
833 if (is_response(msg
) && bytes
< querytsig
.siglen
)
834 bytes
= querytsig
.siglen
;
835 if (bytes
> isc_buffer_usedlength(&sigbuf
))
836 bytes
= isc_buffer_usedlength(&sigbuf
);
839 tsig
.siglen
= isc_buffer_usedlength(&sigbuf
);
842 tsig
.signature
= NULL
;
845 ret
= dns_message_gettemprdata(msg
, &rdata
);
846 if (ret
!= ISC_R_SUCCESS
)
847 goto cleanup_signature
;
848 ret
= isc_buffer_allocate(msg
->mctx
, &dynbuf
, 512);
849 if (ret
!= ISC_R_SUCCESS
)
851 ret
= dns_rdata_fromstruct(rdata
, dns_rdataclass_any
,
852 dns_rdatatype_tsig
, &tsig
, dynbuf
);
853 if (ret
!= ISC_R_SUCCESS
)
856 dns_message_takebuffer(msg
, &dynbuf
);
858 if (tsig
.signature
!= NULL
) {
859 isc_mem_put(mctx
, tsig
.signature
, sigsize
);
860 tsig
.signature
= NULL
;
864 ret
= dns_message_gettempname(msg
, &owner
);
865 if (ret
!= ISC_R_SUCCESS
)
867 dns_name_init(owner
, NULL
);
868 ret
= dns_name_dup(&key
->name
, msg
->mctx
, owner
);
869 if (ret
!= ISC_R_SUCCESS
)
873 ret
= dns_message_gettemprdatalist(msg
, &datalist
);
874 if (ret
!= ISC_R_SUCCESS
)
877 ret
= dns_message_gettemprdataset(msg
, &dataset
);
878 if (ret
!= ISC_R_SUCCESS
)
879 goto cleanup_rdatalist
;
880 datalist
->rdclass
= dns_rdataclass_any
;
881 datalist
->type
= dns_rdatatype_tsig
;
882 datalist
->covers
= 0;
884 ISC_LIST_INIT(datalist
->rdata
);
885 ISC_LIST_APPEND(datalist
->rdata
, rdata
, link
);
886 dns_rdataset_init(dataset
);
887 RUNTIME_CHECK(dns_rdatalist_tordataset(datalist
, dataset
)
890 msg
->tsigname
= owner
;
892 return (ISC_R_SUCCESS
);
895 dns_message_puttemprdatalist(msg
, &datalist
);
897 dns_message_puttempname(msg
, &owner
);
900 isc_buffer_free(&dynbuf
);
902 dns_message_puttemprdata(msg
, &rdata
);
904 if (tsig
.signature
!= NULL
)
905 isc_mem_put(mctx
, tsig
.signature
, sigsize
);
908 dst_context_destroy(&ctx
);
913 dns_tsig_verify(isc_buffer_t
*source
, dns_message_t
*msg
,
914 dns_tsig_keyring_t
*ring1
, dns_tsig_keyring_t
*ring2
)
916 dns_rdata_any_tsig_t tsig
, querytsig
;
917 isc_region_t r
, source_r
, header_r
, sig_r
;
918 isc_buffer_t databuf
;
919 unsigned char data
[32];
921 dns_rdata_t rdata
= DNS_RDATA_INIT
;
924 dns_tsigkey_t
*tsigkey
;
925 dst_key_t
*key
= NULL
;
926 unsigned char header
[DNS_MESSAGE_HEADERLEN
];
927 dst_context_t
*ctx
= NULL
;
929 isc_uint16_t addcount
, id
;
933 REQUIRE(source
!= NULL
);
934 REQUIRE(DNS_MESSAGE_VALID(msg
));
935 tsigkey
= dns_message_gettsigkey(msg
);
937 REQUIRE(tsigkey
== NULL
|| VALID_TSIG_KEY(tsigkey
));
939 msg
->verify_attempted
= 1;
941 if (msg
->tcp_continuation
) {
942 if (tsigkey
== NULL
|| msg
->querytsig
== NULL
)
943 return (DNS_R_UNEXPECTEDTSIG
);
944 return (tsig_verify_tcp(source
, msg
));
948 * There should be a TSIG record...
950 if (msg
->tsig
== NULL
)
951 return (DNS_R_EXPECTEDTSIG
);
954 * If this is a response and there's no key or query TSIG, there
955 * shouldn't be one on the response.
957 if (is_response(msg
) &&
958 (tsigkey
== NULL
|| msg
->querytsig
== NULL
))
959 return (DNS_R_UNEXPECTEDTSIG
);
964 * If we're here, we know the message is well formed and contains a
968 keyname
= msg
->tsigname
;
969 ret
= dns_rdataset_first(msg
->tsig
);
970 if (ret
!= ISC_R_SUCCESS
)
972 dns_rdataset_current(msg
->tsig
, &rdata
);
973 ret
= dns_rdata_tostruct(&rdata
, &tsig
, NULL
);
974 if (ret
!= ISC_R_SUCCESS
)
976 dns_rdata_reset(&rdata
);
977 if (is_response(msg
)) {
978 ret
= dns_rdataset_first(msg
->querytsig
);
979 if (ret
!= ISC_R_SUCCESS
)
981 dns_rdataset_current(msg
->querytsig
, &rdata
);
982 ret
= dns_rdata_tostruct(&rdata
, &querytsig
, NULL
);
983 if (ret
!= ISC_R_SUCCESS
)
988 * Do the key name and algorithm match that of the query?
990 if (is_response(msg
) &&
991 (!dns_name_equal(keyname
, &tsigkey
->name
) ||
992 !dns_name_equal(&tsig
.algorithm
, &querytsig
.algorithm
))) {
993 msg
->tsigstatus
= dns_tsigerror_badkey
;
994 tsig_log(msg
->tsigkey
, 2,
995 "key name and algorithm do not match");
996 return (DNS_R_TSIGVERIFYFAILURE
);
1000 * Get the current time.
1002 isc_stdtime_get(&now
);
1005 * Find dns_tsigkey_t based on keyname.
1007 if (tsigkey
== NULL
) {
1008 ret
= ISC_R_NOTFOUND
;
1010 ret
= dns_tsigkey_find(&tsigkey
, keyname
,
1011 &tsig
.algorithm
, ring1
);
1012 if (ret
== ISC_R_NOTFOUND
&& ring2
!= NULL
)
1013 ret
= dns_tsigkey_find(&tsigkey
, keyname
,
1014 &tsig
.algorithm
, ring2
);
1015 if (ret
!= ISC_R_SUCCESS
) {
1016 msg
->tsigstatus
= dns_tsigerror_badkey
;
1017 ret
= dns_tsigkey_create(keyname
, &tsig
.algorithm
,
1018 NULL
, 0, ISC_FALSE
, NULL
,
1020 mctx
, NULL
, &msg
->tsigkey
);
1021 if (ret
!= ISC_R_SUCCESS
)
1023 tsig_log(msg
->tsigkey
, 2, "unknown key");
1024 return (DNS_R_TSIGVERIFYFAILURE
);
1026 msg
->tsigkey
= tsigkey
;
1034 if (now
+ msg
->timeadjust
> tsig
.timesigned
+ tsig
.fudge
) {
1035 msg
->tsigstatus
= dns_tsigerror_badtime
;
1036 tsig_log(msg
->tsigkey
, 2, "signature has expired");
1037 return (DNS_R_CLOCKSKEW
);
1038 } else if (now
+ msg
->timeadjust
< tsig
.timesigned
- tsig
.fudge
) {
1039 msg
->tsigstatus
= dns_tsigerror_badtime
;
1040 tsig_log(msg
->tsigkey
, 2, "signature is in the future");
1041 return (DNS_R_CLOCKSKEW
);
1045 * Check digest length.
1047 alg
= dst_key_alg(key
);
1048 ret
= dst_key_sigsize(key
, &siglen
);
1049 if (ret
!= ISC_R_SUCCESS
)
1051 if (alg
== DST_ALG_HMACMD5
|| alg
== DST_ALG_HMACSHA1
||
1052 alg
== DST_ALG_HMACSHA224
|| alg
== DST_ALG_HMACSHA256
||
1053 alg
== DST_ALG_HMACSHA384
|| alg
== DST_ALG_HMACSHA512
) {
1054 isc_uint16_t digestbits
= dst_key_getbits(key
);
1055 if (tsig
.siglen
> siglen
) {
1056 tsig_log(msg
->tsigkey
, 2, "signature length to big");
1057 return (DNS_R_FORMERR
);
1059 if (tsig
.siglen
> 0 &&
1060 (tsig
.siglen
< 10 || tsig
.siglen
< ((siglen
+ 1) / 2))) {
1061 tsig_log(msg
->tsigkey
, 2,
1062 "signature length below minimum");
1063 return (DNS_R_FORMERR
);
1065 if (tsig
.siglen
> 0 && digestbits
!= 0 &&
1066 tsig
.siglen
< ((digestbits
+ 1) / 8)) {
1067 msg
->tsigstatus
= dns_tsigerror_badtrunc
;
1068 tsig_log(msg
->tsigkey
, 2,
1069 "truncated signature length too small");
1070 return (DNS_R_TSIGVERIFYFAILURE
);
1072 if (tsig
.siglen
> 0 && digestbits
== 0 &&
1073 tsig
.siglen
< siglen
) {
1074 msg
->tsigstatus
= dns_tsigerror_badtrunc
;
1075 tsig_log(msg
->tsigkey
, 2, "signature length too small");
1076 return (DNS_R_TSIGVERIFYFAILURE
);
1080 if (tsig
.siglen
> 0) {
1081 sig_r
.base
= tsig
.signature
;
1082 sig_r
.length
= tsig
.siglen
;
1084 ret
= dst_context_create(key
, mctx
, &ctx
);
1085 if (ret
!= ISC_R_SUCCESS
)
1088 if (is_response(msg
)) {
1089 isc_buffer_init(&databuf
, data
, sizeof(data
));
1090 isc_buffer_putuint16(&databuf
, querytsig
.siglen
);
1091 isc_buffer_usedregion(&databuf
, &r
);
1092 ret
= dst_context_adddata(ctx
, &r
);
1093 if (ret
!= ISC_R_SUCCESS
)
1094 goto cleanup_context
;
1095 if (querytsig
.siglen
> 0) {
1096 r
.length
= querytsig
.siglen
;
1097 r
.base
= querytsig
.signature
;
1098 ret
= dst_context_adddata(ctx
, &r
);
1099 if (ret
!= ISC_R_SUCCESS
)
1100 goto cleanup_context
;
1105 * Extract the header.
1107 isc_buffer_usedregion(source
, &r
);
1108 memcpy(header
, r
.base
, DNS_MESSAGE_HEADERLEN
);
1109 isc_region_consume(&r
, DNS_MESSAGE_HEADERLEN
);
1112 * Decrement the additional field counter.
1114 memcpy(&addcount
, &header
[DNS_MESSAGE_HEADERLEN
- 2], 2);
1115 addcount
= htons((isc_uint16_t
)(ntohs(addcount
) - 1));
1116 memcpy(&header
[DNS_MESSAGE_HEADERLEN
- 2], &addcount
, 2);
1119 * Put in the original id.
1121 id
= htons(tsig
.originalid
);
1122 memcpy(&header
[0], &id
, 2);
1125 * Digest the modified header.
1127 header_r
.base
= (unsigned char *) header
;
1128 header_r
.length
= DNS_MESSAGE_HEADERLEN
;
1129 ret
= dst_context_adddata(ctx
, &header_r
);
1130 if (ret
!= ISC_R_SUCCESS
)
1131 goto cleanup_context
;
1134 * Digest all non-TSIG records.
1136 isc_buffer_usedregion(source
, &source_r
);
1137 r
.base
= source_r
.base
+ DNS_MESSAGE_HEADERLEN
;
1138 r
.length
= msg
->sigstart
- DNS_MESSAGE_HEADERLEN
;
1139 ret
= dst_context_adddata(ctx
, &r
);
1140 if (ret
!= ISC_R_SUCCESS
)
1141 goto cleanup_context
;
1144 * Digest the key name.
1146 dns_name_toregion(&tsigkey
->name
, &r
);
1147 ret
= dst_context_adddata(ctx
, &r
);
1148 if (ret
!= ISC_R_SUCCESS
)
1149 goto cleanup_context
;
1151 isc_buffer_init(&databuf
, data
, sizeof(data
));
1152 isc_buffer_putuint16(&databuf
, tsig
.common
.rdclass
);
1153 isc_buffer_putuint32(&databuf
, msg
->tsig
->ttl
);
1154 isc_buffer_usedregion(&databuf
, &r
);
1155 ret
= dst_context_adddata(ctx
, &r
);
1156 if (ret
!= ISC_R_SUCCESS
)
1157 goto cleanup_context
;
1160 * Digest the key algorithm.
1162 dns_name_toregion(tsigkey
->algorithm
, &r
);
1163 ret
= dst_context_adddata(ctx
, &r
);
1164 if (ret
!= ISC_R_SUCCESS
)
1165 goto cleanup_context
;
1167 isc_buffer_clear(&databuf
);
1168 isc_buffer_putuint48(&databuf
, tsig
.timesigned
);
1169 isc_buffer_putuint16(&databuf
, tsig
.fudge
);
1170 isc_buffer_putuint16(&databuf
, tsig
.error
);
1171 isc_buffer_putuint16(&databuf
, tsig
.otherlen
);
1172 isc_buffer_usedregion(&databuf
, &r
);
1173 ret
= dst_context_adddata(ctx
, &r
);
1174 if (ret
!= ISC_R_SUCCESS
)
1175 goto cleanup_context
;
1177 if (tsig
.otherlen
> 0) {
1178 r
.base
= tsig
.other
;
1179 r
.length
= tsig
.otherlen
;
1180 ret
= dst_context_adddata(ctx
, &r
);
1181 if (ret
!= ISC_R_SUCCESS
)
1182 goto cleanup_context
;
1185 ret
= dst_context_verify(ctx
, &sig_r
);
1186 if (ret
== DST_R_VERIFYFAILURE
) {
1187 msg
->tsigstatus
= dns_tsigerror_badsig
;
1188 ret
= DNS_R_TSIGVERIFYFAILURE
;
1189 tsig_log(msg
->tsigkey
, 2,
1190 "signature failed to verify(1)");
1191 goto cleanup_context
;
1192 } else if (ret
!= ISC_R_SUCCESS
)
1193 goto cleanup_context
;
1195 dst_context_destroy(&ctx
);
1196 } else if (tsig
.error
!= dns_tsigerror_badsig
&&
1197 tsig
.error
!= dns_tsigerror_badkey
) {
1198 msg
->tsigstatus
= dns_tsigerror_badsig
;
1199 tsig_log(msg
->tsigkey
, 2, "signature was empty");
1200 return (DNS_R_TSIGVERIFYFAILURE
);
1203 msg
->tsigstatus
= dns_rcode_noerror
;
1205 if (tsig
.error
!= dns_rcode_noerror
) {
1206 if (tsig
.error
== dns_tsigerror_badtime
)
1207 return (DNS_R_CLOCKSKEW
);
1209 return (DNS_R_TSIGERRORSET
);
1212 msg
->verified_sig
= 1;
1214 return (ISC_R_SUCCESS
);
1218 dst_context_destroy(&ctx
);
1224 tsig_verify_tcp(isc_buffer_t
*source
, dns_message_t
*msg
) {
1225 dns_rdata_any_tsig_t tsig
, querytsig
;
1226 isc_region_t r
, source_r
, header_r
, sig_r
;
1227 isc_buffer_t databuf
;
1228 unsigned char data
[32];
1229 dns_name_t
*keyname
;
1230 dns_rdata_t rdata
= DNS_RDATA_INIT
;
1233 dns_tsigkey_t
*tsigkey
;
1234 dst_key_t
*key
= NULL
;
1235 unsigned char header
[DNS_MESSAGE_HEADERLEN
];
1236 isc_uint16_t addcount
, id
;
1237 isc_boolean_t has_tsig
= ISC_FALSE
;
1240 REQUIRE(source
!= NULL
);
1241 REQUIRE(msg
!= NULL
);
1242 REQUIRE(dns_message_gettsigkey(msg
) != NULL
);
1243 REQUIRE(msg
->tcp_continuation
== 1);
1244 REQUIRE(msg
->querytsig
!= NULL
);
1246 if (!is_response(msg
))
1247 return (DNS_R_EXPECTEDRESPONSE
);
1251 tsigkey
= dns_message_gettsigkey(msg
);
1254 * Extract and parse the previous TSIG
1256 ret
= dns_rdataset_first(msg
->querytsig
);
1257 if (ret
!= ISC_R_SUCCESS
)
1259 dns_rdataset_current(msg
->querytsig
, &rdata
);
1260 ret
= dns_rdata_tostruct(&rdata
, &querytsig
, NULL
);
1261 if (ret
!= ISC_R_SUCCESS
)
1263 dns_rdata_reset(&rdata
);
1266 * If there is a TSIG in this message, do some checks.
1268 if (msg
->tsig
!= NULL
) {
1269 has_tsig
= ISC_TRUE
;
1271 keyname
= msg
->tsigname
;
1272 ret
= dns_rdataset_first(msg
->tsig
);
1273 if (ret
!= ISC_R_SUCCESS
)
1274 goto cleanup_querystruct
;
1275 dns_rdataset_current(msg
->tsig
, &rdata
);
1276 ret
= dns_rdata_tostruct(&rdata
, &tsig
, NULL
);
1277 if (ret
!= ISC_R_SUCCESS
)
1278 goto cleanup_querystruct
;
1281 * Do the key name and algorithm match that of the query?
1283 if (!dns_name_equal(keyname
, &tsigkey
->name
) ||
1284 !dns_name_equal(&tsig
.algorithm
, &querytsig
.algorithm
)) {
1285 msg
->tsigstatus
= dns_tsigerror_badkey
;
1286 ret
= DNS_R_TSIGVERIFYFAILURE
;
1287 tsig_log(msg
->tsigkey
, 2,
1288 "key name and algorithm do not match");
1289 goto cleanup_querystruct
;
1295 isc_stdtime_get(&now
);
1297 if (now
+ msg
->timeadjust
> tsig
.timesigned
+ tsig
.fudge
) {
1298 msg
->tsigstatus
= dns_tsigerror_badtime
;
1299 tsig_log(msg
->tsigkey
, 2, "signature has expired");
1300 ret
= DNS_R_CLOCKSKEW
;
1301 goto cleanup_querystruct
;
1302 } else if (now
+ msg
->timeadjust
<
1303 tsig
.timesigned
- tsig
.fudge
) {
1304 msg
->tsigstatus
= dns_tsigerror_badtime
;
1305 tsig_log(msg
->tsigkey
, 2,
1306 "signature is in the future");
1307 ret
= DNS_R_CLOCKSKEW
;
1308 goto cleanup_querystruct
;
1314 if (msg
->tsigctx
== NULL
) {
1315 ret
= dst_context_create(key
, mctx
, &msg
->tsigctx
);
1316 if (ret
!= ISC_R_SUCCESS
)
1317 goto cleanup_querystruct
;
1320 * Digest the length of the query signature
1322 isc_buffer_init(&databuf
, data
, sizeof(data
));
1323 isc_buffer_putuint16(&databuf
, querytsig
.siglen
);
1324 isc_buffer_usedregion(&databuf
, &r
);
1325 ret
= dst_context_adddata(msg
->tsigctx
, &r
);
1326 if (ret
!= ISC_R_SUCCESS
)
1327 goto cleanup_context
;
1330 * Digest the data of the query signature
1332 if (querytsig
.siglen
> 0) {
1333 r
.length
= querytsig
.siglen
;
1334 r
.base
= querytsig
.signature
;
1335 ret
= dst_context_adddata(msg
->tsigctx
, &r
);
1336 if (ret
!= ISC_R_SUCCESS
)
1337 goto cleanup_context
;
1342 * Extract the header.
1344 isc_buffer_usedregion(source
, &r
);
1345 memcpy(header
, r
.base
, DNS_MESSAGE_HEADERLEN
);
1346 isc_region_consume(&r
, DNS_MESSAGE_HEADERLEN
);
1349 * Decrement the additional field counter if necessary.
1352 memcpy(&addcount
, &header
[DNS_MESSAGE_HEADERLEN
- 2], 2);
1353 addcount
= htons((isc_uint16_t
)(ntohs(addcount
) - 1));
1354 memcpy(&header
[DNS_MESSAGE_HEADERLEN
- 2], &addcount
, 2);
1358 * Put in the original id.
1360 /* XXX Can TCP transfers be forwarded? How would that work? */
1362 id
= htons(tsig
.originalid
);
1363 memcpy(&header
[0], &id
, 2);
1367 * Digest the modified header.
1369 header_r
.base
= (unsigned char *) header
;
1370 header_r
.length
= DNS_MESSAGE_HEADERLEN
;
1371 ret
= dst_context_adddata(msg
->tsigctx
, &header_r
);
1372 if (ret
!= ISC_R_SUCCESS
)
1373 goto cleanup_context
;
1376 * Digest all non-TSIG records.
1378 isc_buffer_usedregion(source
, &source_r
);
1379 r
.base
= source_r
.base
+ DNS_MESSAGE_HEADERLEN
;
1381 r
.length
= msg
->sigstart
- DNS_MESSAGE_HEADERLEN
;
1383 r
.length
= source_r
.length
- DNS_MESSAGE_HEADERLEN
;
1384 ret
= dst_context_adddata(msg
->tsigctx
, &r
);
1385 if (ret
!= ISC_R_SUCCESS
)
1386 goto cleanup_context
;
1389 * Digest the time signed and fudge.
1392 isc_buffer_init(&databuf
, data
, sizeof(data
));
1393 isc_buffer_putuint48(&databuf
, tsig
.timesigned
);
1394 isc_buffer_putuint16(&databuf
, tsig
.fudge
);
1395 isc_buffer_usedregion(&databuf
, &r
);
1396 ret
= dst_context_adddata(msg
->tsigctx
, &r
);
1397 if (ret
!= ISC_R_SUCCESS
)
1398 goto cleanup_context
;
1400 sig_r
.base
= tsig
.signature
;
1401 sig_r
.length
= tsig
.siglen
;
1402 if (tsig
.siglen
== 0) {
1403 if (tsig
.error
!= dns_rcode_noerror
) {
1404 if (tsig
.error
== dns_tsigerror_badtime
)
1405 ret
= DNS_R_CLOCKSKEW
;
1407 ret
= DNS_R_TSIGERRORSET
;
1409 tsig_log(msg
->tsigkey
, 2,
1410 "signature is empty");
1411 ret
= DNS_R_TSIGVERIFYFAILURE
;
1413 goto cleanup_context
;
1416 ret
= dst_context_verify(msg
->tsigctx
, &sig_r
);
1417 if (ret
== DST_R_VERIFYFAILURE
) {
1418 msg
->tsigstatus
= dns_tsigerror_badsig
;
1419 tsig_log(msg
->tsigkey
, 2,
1420 "signature failed to verify(2)");
1421 ret
= DNS_R_TSIGVERIFYFAILURE
;
1422 goto cleanup_context
;
1424 else if (ret
!= ISC_R_SUCCESS
)
1425 goto cleanup_context
;
1427 dst_context_destroy(&msg
->tsigctx
);
1430 msg
->tsigstatus
= dns_rcode_noerror
;
1431 return (ISC_R_SUCCESS
);
1434 dst_context_destroy(&msg
->tsigctx
);
1436 cleanup_querystruct
:
1437 dns_rdata_freestruct(&querytsig
);
1444 dns_tsigkey_find(dns_tsigkey_t
**tsigkey
, dns_name_t
*name
,
1445 dns_name_t
*algorithm
, dns_tsig_keyring_t
*ring
)
1449 isc_result_t result
;
1451 REQUIRE(tsigkey
!= NULL
);
1452 REQUIRE(*tsigkey
== NULL
);
1453 REQUIRE(name
!= NULL
);
1454 REQUIRE(ring
!= NULL
);
1456 RWLOCK(&ring
->lock
, isc_rwlocktype_write
);
1458 RWUNLOCK(&ring
->lock
, isc_rwlocktype_write
);
1460 isc_stdtime_get(&now
);
1461 RWLOCK(&ring
->lock
, isc_rwlocktype_read
);
1463 result
= dns_rbt_findname(ring
->keys
, name
, 0, NULL
, (void *)&key
);
1464 if (result
== DNS_R_PARTIALMATCH
|| result
== ISC_R_NOTFOUND
) {
1465 RWUNLOCK(&ring
->lock
, isc_rwlocktype_read
);
1466 return (ISC_R_NOTFOUND
);
1468 if (algorithm
!= NULL
&& !dns_name_equal(key
->algorithm
, algorithm
)) {
1469 RWUNLOCK(&ring
->lock
, isc_rwlocktype_read
);
1470 return (ISC_R_NOTFOUND
);
1472 if (key
->inception
!= key
->expire
&& key
->expire
< now
) {
1474 * The key has expired.
1476 RWUNLOCK(&ring
->lock
, isc_rwlocktype_read
);
1477 RWLOCK(&ring
->lock
, isc_rwlocktype_write
);
1478 (void)dns_rbt_deletename(ring
->keys
, name
, ISC_FALSE
);
1479 RWUNLOCK(&ring
->lock
, isc_rwlocktype_write
);
1480 return (ISC_R_NOTFOUND
);
1483 isc_refcount_increment(&key
->refs
, NULL
);
1484 RWUNLOCK(&ring
->lock
, isc_rwlocktype_read
);
1486 return (ISC_R_SUCCESS
);
1490 free_tsignode(void *node
, void *_unused
) {
1495 REQUIRE(node
!= NULL
);
1498 dns_tsigkey_detach(&key
);
1502 dns_tsigkeyring_create(isc_mem_t
*mctx
, dns_tsig_keyring_t
**ringp
) {
1503 isc_result_t result
;
1504 dns_tsig_keyring_t
*ring
;
1506 REQUIRE(mctx
!= NULL
);
1507 REQUIRE(ringp
!= NULL
);
1508 REQUIRE(*ringp
== NULL
);
1510 ring
= isc_mem_get(mctx
, sizeof(dns_tsig_keyring_t
));
1512 return (ISC_R_NOMEMORY
);
1514 result
= isc_rwlock_init(&ring
->lock
, 0, 0);
1515 if (result
!= ISC_R_SUCCESS
) {
1516 isc_mem_put(mctx
, ring
, sizeof(dns_tsig_keyring_t
));
1521 result
= dns_rbt_create(mctx
, free_tsignode
, NULL
, &ring
->keys
);
1522 if (result
!= ISC_R_SUCCESS
) {
1523 isc_rwlock_destroy(&ring
->lock
);
1524 isc_mem_put(mctx
, ring
, sizeof(dns_tsig_keyring_t
));
1528 ring
->writecount
= 0;
1530 isc_mem_attach(mctx
, &ring
->mctx
);
1533 return (ISC_R_SUCCESS
);
1537 dns_tsigkeyring_destroy(dns_tsig_keyring_t
**ringp
) {
1538 dns_tsig_keyring_t
*ring
;
1540 REQUIRE(ringp
!= NULL
);
1541 REQUIRE(*ringp
!= NULL
);
1546 dns_rbt_destroy(&ring
->keys
);
1547 isc_rwlock_destroy(&ring
->lock
);
1548 isc_mem_putanddetach(&ring
->mctx
, ring
, sizeof(dns_tsig_keyring_t
));