From: Jelte Jansen Date: Thu, 3 Mar 2005 12:01:03 +0000 (+0000) Subject: added functionality to sign answer packets too, tested with own verify and with dig X-Git-Tag: release-0.50~310 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1bbff0cfb1fd647f1845ffa8e05b3f37cb42a268;p=thirdparty%2Fldns.git added functionality to sign answer packets too, tested with own verify and with dig only verifying answers of named doesn't work yet --- diff --git a/dnssec.c b/dnssec.c index ddeb3a81..cc1f4c25 100644 --- a/dnssec.c +++ b/dnssec.c @@ -447,7 +447,8 @@ ldns_create_tsig_mac( ldns_rdf *algorithm_rdf, ldns_rdf *time_signed_rdf, ldns_rdf *error_rdf, - ldns_rdf *other_data_rdf + ldns_rdf *other_data_rdf, + ldns_rdf *orig_mac_rdf ) { ldns_buffer *data_buffer; @@ -463,6 +464,10 @@ ldns_create_tsig_mac( * prepare the digestable information */ data_buffer = ldns_buffer_new(MAX_PACKETLEN); + /* if orig_buf is not NULL, add it too */ + if (orig_mac_rdf && ldns_pkt_qr(pkt)) { + (void) ldns_rdf2buffer_wire(data_buffer, orig_mac_rdf); + } (void) ldns_pkt2buffer_wire(data_buffer, pkt); (void) ldns_rdf2buffer_wire(data_buffer, key_name_rdf); ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY); @@ -502,7 +507,10 @@ ldns_create_tsig_mac( * @return true if tsig is correct, false if not, or if tsig is not set */ bool -ldns_pkt_tsig_verify(ldns_pkt *pkt, const char *key_name, const char *key_data) +ldns_pkt_tsig_verify(ldns_pkt *pkt, + const char *key_name, + const char *key_data, + ldns_rdf *orig_mac_rdf) { ldns_rdf *fudge_rdf; ldns_rdf *algorithm_rdf; 
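Review bot: The comment added above the new `if` in ldns_create_tsig_mac names a variable that does not exist (`orig_buf`) and does not say why the request MAC is only digested when `ldns_pkt_qr(pkt)` is set, which is the RFC 2845 §3.4.3 rule that a response's digest data starts with the MAC of the request it answers. Suggest `/* RFC 2845 3.4.3: for a response (QR set) the digest data starts with the request MAC */`. Because the condition is a silent skip, a caller that supplies a request MAC for a packet with QR clear gets a digest without it and no diagnostic, so the function's documentation should state that callers pass NULL for queries (as run-test15.c does). The rest of ldns_create_tsig_mac lies outside this hunk.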
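Review bot: The Doxygen block ending in `@return true if tsig is correct, false if not, or if tsig is not set` directly above the new signature of ldns_pkt_tsig_verify is not extended for the added `orig_mac_rdf` parameter, and the prototype added in ldns/dnssec.h calls the same parameter `mac` (and `query_mac` on ldns_pkt_tsig_sign). Suggest `@param orig_mac_rdf MAC rdf of the request this packet answers (rdf 3 of the query's TSIG, as run-test15.c passes it), or NULL when pkt is itself a query`, and aligning the header parameter names with the definitions. The body of ldns_pkt_tsig_verify continues past this hunk.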
@@ -510,10 +518,10 @@ ldns_pkt_tsig_verify(ldns_pkt *pkt, const char *key_name, const char *key_data) ldns_rdf *orig_id_rdf; ldns_rdf *error_rdf; ldns_rdf *other_data_rdf; - ldns_rdf *orig_mac_rdf; + ldns_rdf *pkt_mac_rdf; ldns_rdf *my_mac_rdf; ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name); - uint16_t pkt_id; + uint16_t pkt_id, orig_pkt_id; size_t i; ldns_rr *orig_tsig = ldns_pkt_tsig(pkt); @@ -525,7 +533,7 @@ ldns_pkt_tsig_verify(ldns_pkt *pkt, const char *key_name, const char *key_data) algorithm_rdf = ldns_rr_rdf(orig_tsig, 0); time_signed_rdf = ldns_rr_rdf(orig_tsig, 1); fudge_rdf = ldns_rr_rdf(orig_tsig, 2); - orig_mac_rdf = ldns_rr_rdf(orig_tsig, 3); + pkt_mac_rdf = ldns_rr_rdf(orig_tsig, 3); orig_id_rdf = ldns_rr_rdf(orig_tsig, 4); error_rdf = ldns_rr_rdf(orig_tsig, 5); other_data_rdf = ldns_rr_rdf(orig_tsig, 6); @@ -533,7 +541,11 @@ ldns_pkt_tsig_verify(ldns_pkt *pkt, const char *key_name, const char *key_data) /* remove temporarily */ ldns_pkt_set_tsig(pkt, NULL); /* TODO temporarily change the id */ + /* TODO rdf2native? */ pkt_id = ldns_pkt_id(pkt); + memcpy(&orig_pkt_id, ldns_rdf_data(orig_id_rdf), 2); + orig_pkt_id = ntohs(orig_pkt_id); + ldns_pkt_set_id(pkt, orig_pkt_id); my_mac_rdf = ldns_create_tsig_mac(pkt, key_data, @@ -542,19 +554,52 @@ ldns_pkt_tsig_verify(ldns_pkt *pkt, const char *key_name, const char *key_data) algorithm_rdf, time_signed_rdf, error_rdf, - other_data_rdf); + other_data_rdf, + orig_mac_rdf + ); ldns_pkt_set_tsig(pkt, orig_tsig); - + ldns_pkt_set_id(pkt, pkt_id); + /* TODO: ldns_rdf_cmp in rdata.[ch] */ - if (ldns_rdf_size(orig_mac_rdf) != ldns_rdf_size(my_mac_rdf)) { + if (ldns_rdf_size(pkt_mac_rdf) != ldns_rdf_size(my_mac_rdf)) { + /* + printf("Mac mismatch:\npkt mac: "); + ldns_rdf_print(stdout, pkt_mac_rdf); + printf("\n"); + for(i=0; i 2) { + ldns_rdf2buffer_str_b64(output, rdf); + } +*/ + return ldns_buffer_status(output); } ldns_status 
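Review bot: `memcpy(&orig_pkt_id, ldns_rdf_data(orig_id_rdf), 2);` copies two bytes out of an rdf taken from a received packet without checking that `orig_id_rdf` is non-NULL and that `ldns_rdf_size(orig_id_rdf) == 2`; ldns_pkt_tsig_verify is the function run-test15.c applies to `answer`, so the TSIG RR it reads is untrusted input. Suggest validating before the `ldns_pkt_set_tsig(pkt, NULL)` that precedes these lines, so a malformed TSIG returns false with nothing to restore: `if (!orig_id_rdf || ldns_rdf_size(orig_id_rdf) != 2) { ldns_rdf_free(key_name_rdf); return false; }` (key_name_rdf is allocated by ldns_rdf_new_frm_str in the @@ -510 hunk; whether the existing return paths free it is not visible here). The same applies to the other `ldns_rr_rdf(orig_tsig, …)` results assigned in the @@ -525 hunk, which are used without NULL checks. `ntohs` also needs `<arpa/inet.h>` or `<netinet/in.h>` if dnssec.c does not already include one of them.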
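Review bot: The MAC check in ldns_pkt_tsig_verify ships a commented-out debug block (`/* printf("Mac mismatch:\npkt mac: "); … */`) that should be deleted rather than kept, and the byte comparison after `if (ldns_rdf_size(pkt_mac_rdf) != ldns_rdf_size(my_mac_rdf))` is not legible in this view of the hunk, so I can only state what it should be: compare all `ldns_rdf_size(my_mac_rdf)` bytes without returning at the first mismatch, so verification time does not depend on how many leading MAC bytes were right, and the `/* TODO: ldns_rdf_cmp in rdata.[ch] */` should not be resolved with an early-exit comparator at this call site. Because wire2host.c now leaves the 2-octet size field inside the parsed TSIG MAC rdf, the size comparison only succeeds if ldns_create_tsig_mac builds my_mac_rdf with the same prefix; that is not visible here and deserves a comment at the size check, e.g. `/* both rdfs carry the 2-octet MAC length prefix (see wire2host.c) */` once confirmed. Nothing in these hunks checks `time_signed_rdf` against `fudge_rdf`; if that is absent elsewhere in the function, an old signed response verifies indefinitely.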
diff --git a/ldns/dnssec.h b/ldns/dnssec.h index 5c10f9b2..4d203a05 100644 --- a/ldns/dnssec.h +++ b/ldns/dnssec.h @@ -41,8 +41,8 @@ uint16_t ldns_keytag(ldns_rr *); ldns_rr_list *ldns_sign(ldns_rr_list*, ldns_rr_list*); DSA *ldns_key_buf2dsa(ldns_buffer *); RSA *ldns_key_buf2rsa(ldns_buffer *); -bool ldns_pkt_tsig_verify(ldns_pkt *pkt, const char *key_name, const char *key_data); -ldns_status ldns_pkt_tsig_sign_query(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge, const char *algorithm_name); +bool ldns_pkt_tsig_verify(ldns_pkt *pkt, const char *key_name, const char *key_data, ldns_rdf *mac); +ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac); #endif /* _DNSSEC_H_ */ diff --git a/packet.c b/packet.c index 05ce996b..a580b309 100644 --- a/packet.c +++ b/packet.c @@ -295,12 +295,6 @@ ldns_rr *ldns_pkt_tsig(const ldns_pkt *pkt) { return pkt->_tsig_rr; } -ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt) { - pkt = pkt; - return LDNS_STATUS_OK; -} - - /* write */ void ldns_pkt_set_id(ldns_pkt *packet, uint16_t id) diff --git a/run-test15.c b/run-test15.c index 91354f7c..ebee424f 100644 --- a/run-test15.c +++ b/run-test15.c @@ -25,6 +25,7 @@ main(int argc, char **argv) ldns_resolver *res; ldns_rdf *nameserver; + ldns_rdf *mac; char *server_ip = NULL; char *name = NULL; 
@@ -44,10 +45,11 @@ main(int argc, char **argv) ldns_pkt_set_id(pkt, 46789); - ldns_pkt_tsig_sign_query(pkt, "jelte.", "vBUWJnkgDw4YTobXtbUD6XED5Qg74tnghYX3tzKzfsI=", 300, "hmac-md5.sig-alg.reg.int"); + ldns_pkt_tsig_sign(pkt, "jelte.", "vBUWJnkgDw4YTobXtbUD6XED5Qg74tnghYX3tzKzfsI=", 300, "hmac-md5.sig-alg.reg.int", NULL); + mac = ldns_rr_rdf(ldns_pkt_tsig(pkt), 3); /* test our own sign */ - if (!ldns_pkt_tsig_verify(pkt, "jelte.", "vBUWJnkgDw4YTobXtbUD6XED5Qg74tnghYX3tzKzfsI=")) { + if (!ldns_pkt_tsig_verify(pkt, "jelte.", "vBUWJnkgDw4YTobXtbUD6XED5Qg74tnghYX3tzKzfsI=", NULL)) { printf("Can't verify my own sig :(\n"); exit(-1); } @@ -72,6 +74,14 @@ main(int argc, char **argv) printf("\n\nANSWER:\n"); ldns_pkt_print(stdout, answer); + + printf("\nVerifying...\n"); + + if (ldns_pkt_tsig_verify(answer, "jelte.", "vBUWJnkgDw4YTobXtbUD6XED5Qg74tnghYX3tzKzfsI=", mac)) { + printf("Success!\n"); + } else { + printf("Failed.\n"); + } /* ldns_rdf_free(nameserver); ldns_rdf_free(qname); diff --git a/run-test2.c b/run-test2.c index af59e0c7..b83529d0 100644 --- a/run-test2.c +++ b/run-test2.c @@ -207,6 +207,13 @@ main(int argc, char **argv) } else { printf("\n"); } + + if (!ldns_pkt_tsig_verify(pkt, "jelte.", "vBUWJnkgDw4YTobXtbUD6XED5Qg74tnghYX3tzKzfsI=", NULL)) { + printf("Bad sig :(\n"); + exit(-1); + } else { + printf("SIG VERIFIED!\n"); + } printf("And back to wire:\n"); /*buffer = ldns_buffer_new(65535);*/ diff --git a/wire2host.c b/wire2host.c index 8a83e2e1..8653c779 100644 --- a/wire2host.c +++ b/wire2host.c @@ -323,8 +323,8 @@ printf("\n"); (TODO: check for that) this would deprecate the general tsig type */ - cur_rdf_length = (size_t) read_uint16(&wire[*pos]); - *pos += 2; + cur_rdf_length = (size_t) read_uint16(&wire[*pos])+2; +/* *pos += 2;*/ break; case LDNS_RDF_TYPE_APL: case LDNS_RDF_TYPE_B64:
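Review bot: The return status of `ldns_pkt_tsig_sign(pkt, "jelte.", …, NULL)` is discarded and the next line immediately evaluates `ldns_rr_rdf(ldns_pkt_tsig(pkt), 3)`; if signing fails and no TSIG RR is attached, `ldns_pkt_tsig(pkt)` yields the `_tsig_rr` pointer packet.c returns unchecked, and `mac` is then derived from it. Suggest checking the status and the RR before reading the MAC: `if (ldns_pkt_tsig_sign(pkt, "jelte.", "vBUWJnkgDw4YTobXtbUD6XED5Qg74tnghYX3tzKzfsI=", 300, "hmac-md5.sig-alg.reg.int", NULL) != LDNS_STATUS_OK || !ldns_pkt_tsig(pkt)) { printf("signing failed\n"); exit(-1); }`. The later `ldns_pkt_tsig_verify(answer, …, mac)` in the @@ -72 hunk then has a MAC it can trust.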
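Review bot: `cur_rdf_length = (size_t) read_uint16(&wire[*pos])+2;` keeps the 2-octet size field inside the parsed TSIG MAC rdf, so the rdf now starts at the size field rather than after it, and whatever bounds check follows the `switch` (outside this hunk) must cover `*pos + cur_rdf_length` against the wire length with that new origin; the `(TODO: check for that)` in the comment just above still stands. The dead `/* *pos += 2;*/` should be removed rather than left commented out. The convention change should be stated here because ldns_pkt_tsig_verify's size comparison in dnssec.c appears to rely on it: `/* keep the 2-octet size field in the rdf: the TSIG MAC is passed around with its length prefix (see ldns_pkt_tsig_verify) */`. The enclosing function continues before and after this hunk.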