}
static isc_result_t
-process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
+process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
dns_tsig_keyring_t *ring)
{
* You have to define either a gss credential (principal) to
* accept with tkey-gssapi-credential, or you have to
* configure a specific keytab (with tkey-gssapi-keytab) in
- * order to use gsstkey
+ * order to use gsstkey.
*/
if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
tkey_log("process_gsstkey(): no tkey-gssapi-credential "
RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
dstkey, true, principal,
now, expire, ring->mctx, ring,
- NULL));
+ &tsigkey));
dst_key_free(&dstkey);
tkeyout->inception = now;
tkeyout->expire = expire;
tkey_log("process_gsstkey(): dns_tsigerror_noerror"); /* XXXSRA */
+ /*
+ * We found a TKEY to respond with. If the request is not TSIG signed,
+ * we need to make sure the response is signed (see RFC 3645, Section
+ * 2.2).
+ */
+ if (tsigkey != NULL && msg->tsigkey == NULL && msg->sig0key == NULL) {
+ dns_message_settsigkey(msg, tsigkey);
+ }
+
return (ISC_R_SUCCESS);
failure:
result = dns_message_signer(msg, &tsigner);
if (result != ISC_R_SUCCESS) {
if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
- result == ISC_R_NOTFOUND)
- signer = NULL;
- else {
+ result == ISC_R_NOTFOUND) {
+ signer = NULL;
+ } else {
tkey_log("dns_tkey_processquery: query was not "
"properly signed - rejecting");
result = DNS_R_FORMERR;
break;
case DNS_TKEYMODE_GSSAPI:
tkeyout.error = dns_rcode_noerror;
- RETERR(process_gsstkey(keyname, &tkeyin, tctx,
+ RETERR(process_gsstkey(msg, keyname, &tkeyin, tctx,
&tkeyout, ring));
break;
case DNS_TKEYMODE_DELETE:
}
failure_with_tkey:
+
dns_rdata_init(&rdata);
isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
return (ISC_R_SUCCESS);
failure:
+
if (freetkeyin)
dns_rdata_freestruct(&tkeyin);
if (!ISC_LIST_EMPTY(namelist))
isc_result_t
dns_tsig_sign(dns_message_t *msg) {
- dns_tsigkey_t *key;
+ dns_tsigkey_t *key = NULL;
dns_rdata_any_tsig_t tsig, querytsig;
unsigned char data[128];
isc_buffer_t databuf, sigbuf;
- isc_buffer_t *dynbuf;
+ isc_buffer_t *dynbuf = NULL;
dns_name_t *owner;
dns_rdata_t *rdata = NULL;
- dns_rdatalist_t *datalist;
- dns_rdataset_t *dataset;
+ dns_rdatalist_t *datalist = NULL;
+ dns_rdataset_t *dataset = NULL;
isc_region_t r;
isc_stdtime_t now;
isc_mem_t *mctx;
REQUIRE(VALID_TSIG_KEY(key));
/*
- * If this is a response, there should be a query tsig.
+ * If this is a response, there should be a TSIG in the query with the
+ * the exception if this is a TKEY request (see RFC 3645, Section 2.2).
*/
response = is_response(msg);
- if (response && msg->querytsig == NULL)
- return (DNS_R_EXPECTEDTSIG);
-
- dynbuf = NULL;
+ if (response && msg->querytsig == NULL) {
+ if (msg->tkey != 1) {
+ return (DNS_R_EXPECTEDTSIG);
+ }
+ }
mctx = msg->mctx;
return (ret);
/*
- * If this is a response, digest the request's MAC.
+ * If this is a response, and if there was a TSIG in
+ * the query, digest the request's MAC.
+ *
+ * (Note: querytsig should be non-NULL for all
+ * responses except TKEY responses. Those may be signed
+ * with the newly-negotiated TSIG key even if the query
+ * wasn't signed.)
*/
- if (response) {
+ if (response && msg->querytsig != NULL) {
dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
INSIST(msg->verified_sig);
projects / thirdparty / bind9.git / commitdiff
