2 #include "tsigverifier.hh"
3 #include "dnssecinfra.hh"
4 #include "gss_context.hh"
6 bool TSIGTCPVerifier :: check ( const string
& data
, const MOADNSParser
& mdp
)
8 if ( d_tt
. name
. empty ()) { // TSIG verify message
13 bool checkTSIG
= false ;
14 // If we have multiple messages, we need to concatenate them together. We also need to make sure we know the location of
15 // the TSIG record so we can remove it in makeTSIGMessageFromTSIGPacket
16 d_signData
. append ( data
);
17 if ( mdp
. getTSIGPos () == 0 ) {
18 d_tsigPos
+= data
. size ();
21 d_tsigPos
+= mdp
. getTSIGPos ();
24 for ( const auto & answer
: mdp
. d_answers
) {
25 if ( answer
. first
. d_type
== QType :: SOA
) {
26 // A SOA is either the first or the last record. We need to check TSIG if that's the case.
30 if ( answer
. first
. d_type
== QType :: TSIG
) {
31 shared_ptr
< TSIGRecordContent
> trc
= getRR
< TSIGRecordContent
>( answer
. first
);
33 theirMac
= trc
-> d_mac
;
34 d_trc
. d_time
= trc
-> d_time
;
35 d_trc
. d_fudge
= trc
-> d_fudge
;
36 d_trc
. d_eRcode
= trc
-> d_eRcode
;
37 d_trc
. d_origID
= trc
-> d_origID
;
43 if (! checkTSIG
&& d_nonSignedMessages
> 99 ) { // We're allowed to get 100 digest without a TSIG.
44 throw std :: runtime_error ( "No TSIG message received in last 100 messages of AXFR transfer." );
48 if ( theirMac
. empty ()) {
49 throw std :: runtime_error ( "No TSIG on AXFR response from " + d_remote
. toStringWithPort ()+ " , should be signed with TSIG key '" + d_tt
. name
. toString ()+ "'" );
53 if (! d_prevMac
. empty ()) {
54 validateTSIG ( d_signData
, d_tsigPos
, d_tt
, d_trc
, d_prevMac
, theirMac
, true , d_signData
. size ()- data
. size ());
57 validateTSIG ( d_signData
, d_tsigPos
, d_tt
, d_trc
, d_trc
. d_mac
, theirMac
, false );
60 catch ( const std :: runtime_error
& err
) {
61 throw std :: runtime_error ( "Error while validating TSIG signature on AXFR response from " + d_remote
. toStringWithPort ()+ ":" + err
. what ());
64 // Reset and store some values for the next chunks.
66 d_nonSignedMessages
= 0 ;
71 d_nonSignedMessages
++;