From: Matthijs Mekking Date: Mon, 18 Oct 2010 12:48:13 +0000 (+0000) Subject: functions for tsig signing/verifying subsequent messages X-Git-Tag: release-1.6.7~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8a3343d0984b01e9bfbe9c782aca3a8564f3e70f;p=thirdparty%2Fldns.git functions for tsig signing/verifying subsequent messages --- diff --git a/ldns/tsig.h b/ldns/tsig.h index 421d6e27..f985153f 100644 --- a/ldns/tsig.h +++ b/ldns/tsig.h @@ -45,6 +45,9 @@ char *ldns_tsig_keydata_clone(ldns_tsig_credentials *); */ bool ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const char *key_name, const char *key_data, ldns_rdf *mac); +bool ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const char *key_name, const char *key_data, ldns_rdf *mac, + int tsig_timers_only); + /** * creates a tsig rr for the given packet and key. * \param[in] pkt the packet to sign @@ -55,7 +58,11 @@ bool ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wire_size, const * \param[in] query_mac is added to the digest if not NULL (so NULL is for signing queries, not NULL is for signing answers) * \return status (OK if success) */ -ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac); +ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge, + const char *algorithm_name, ldns_rdf *query_mac); + +ldns_status ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data, uint16_t fudge, + const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only); #ifdef __cplusplus } diff --git a/ldns_symbols.def b/ldns_symbols.def index c48c6db9..2cd9a087 100644 --- a/ldns_symbols.def +++ b/ldns_symbols.def 
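Review bot: The two prototypes added to tsig.h, `ldns_pkt_tsig_verify_next` and `ldns_pkt_tsig_sign_next`, carry no Doxygen comment although the neighbouring `ldns_pkt_tsig_verify` and `ldns_pkt_tsig_sign` do, and the meaning of the new `tsig_timers_only` argument is stated nowhere in the header. I would put a comment on each along the lines of `/** as ldns_pkt_tsig_verify, but when tsig_timers_only is nonzero the MAC covers only the prior MAC, the message and the TSIG timers (time signed, fudge), as RFC 2845 section 4.4 prescribes for the second and later messages of a TCP stream; mac must then be the MAC of the previous message */`, with the mirror wording for the sign variant and its query_mac. The flag is declared `int` although the header already uses `bool` for the verify return type; `bool tsig_timers_only` would document the intent in the signature itself (the same remark applies to the tsig.c hunks at -149, -251 and -322).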
@@ -354,6 +354,7 @@ ldns_pkt_tc ldns_pkt_timestamp ldns_pkt_tsig ldns_pkt_tsig_sign +ldns_pkt_tsig_sign_next ldns_pkt_tsig_verify ldns_pkt_verify ldns_print_rr_rdf diff --git a/tsig.c b/tsig.c index 1acaa221..40839609 100644 --- a/tsig.c +++ b/tsig.c @@ -1,4 +1,4 @@ -/* +/* * tsig.c * * contains the functions needed for TSIG [RFC2845] @@ -149,7 +149,7 @@ static ldns_status ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size, const char *key_data, ldns_rdf *key_name_rdf, ldns_rdf *fudge_rdf, ldns_rdf *algorithm_rdf, ldns_rdf *time_signed_rdf, ldns_rdf *error_rdf, - ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf) + ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf, int tsig_timers_only) { char *wireformat; int wiresize; @@ -174,14 +174,18 @@ ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size, (void) ldns_rdf2buffer_wire(data_buffer, orig_mac_rdf); } ldns_buffer_write(data_buffer, pkt_wire, pkt_wire_size); - (void)ldns_rdf2buffer_wire(data_buffer, key_name_rdf); - ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY); - ldns_buffer_write_u32(data_buffer, 0); - (void)ldns_rdf2buffer_wire(data_buffer, algorithm_rdf); + if (!tsig_timers_only) { + (void)ldns_rdf2buffer_wire(data_buffer, key_name_rdf); + ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY); + ldns_buffer_write_u32(data_buffer, 0); + (void)ldns_rdf2buffer_wire(data_buffer, algorithm_rdf); + } (void)ldns_rdf2buffer_wire(data_buffer, time_signed_rdf); (void)ldns_rdf2buffer_wire(data_buffer, fudge_rdf); - (void)ldns_rdf2buffer_wire(data_buffer, error_rdf); - (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf); + if (!tsig_timers_only) { + (void)ldns_rdf2buffer_wire(data_buffer, error_rdf); + (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf); + } wireformat = (char *) data_buffer->_data; wiresize = (int) ldns_buffer_position(data_buffer); 
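Review bot: Only `ldns_pkt_tsig_sign_next` is added to ldns_symbols.def, while tsig.h in this same commit also declares `ldns_pkt_tsig_verify_next`; any build that exports symbols from this list will leave the new verify entry point unexported. Add `ldns_pkt_tsig_verify_next` directly after the existing `ldns_pkt_tsig_verify` line so the list stays alphabetical.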
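Review bot: In timers-only mode ldns_tsig_mac_new has no check that `orig_mac_rdf` is actually present, yet RFC 2845 section 4.4 defines the MAC of a subsequent message as covering the prior message's MAC, the message and the timers; the prior-MAC write at the top of the -174 hunk sits inside a conditional whose test is above the hunk, so presumably a NULL prior MAC is skipped silently and a "chained" MAC is produced that omits the chain. A guard near the top of the function, `if (tsig_timers_only && !orig_mac_rdf) return LDNS_STATUS_ERR;` (or a dedicated status), makes that misuse fail loudly for both `ldns_pkt_tsig_sign_next` and `ldns_pkt_tsig_verify_next`, which pass `query_mac` and `orig_mac_rdf` straight through in the -372 and -294 hunks. A one-line comment on the first `if (!tsig_timers_only)` would also help the next reader: `/* RFC 2845 4.4: subsequent messages of a TCP stream sign only prior MAC, message and timers */`. The body of ldns_tsig_mac_new begins in the -149 hunk and continues past the -174 hunk.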
@@ -251,8 +255,15 @@ ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size, #ifdef HAVE_SSL bool -ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, - const char *key_name, const char *key_data, ldns_rdf *orig_mac_rdf) +ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char *key_name, + const char *key_data, ldns_rdf *orig_mac_rdf) +{ + return ldns_pkt_tsig_verify_next(pkt, wire, wirelen, key_name, key_data, orig_mac_rdf, 0); +} + +bool +ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char* key_name, + const char *key_data, ldns_rdf *orig_mac_rdf, int tsig_timers_only) { ldns_rdf *fudge_rdf; ldns_rdf *algorithm_rdf; @@ -294,7 +305,7 @@ ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, status = ldns_tsig_mac_new(&my_mac_rdf, prepared_wire, prepared_wire_size, key_data, key_name_rdf, fudge_rdf, algorithm_rdf, - time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf); + time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf, tsig_timers_only); LDNS_FREE(prepared_wire); @@ -322,7 +333,14 @@ ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, /* TODO: memory :p */ ldns_status ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, - uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac) + uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac) +{ + return ldns_pkt_tsig_sign_next(pkt, key_name, key_data, fudge, algorithm_name, query_mac, 0); +} + +ldns_status +ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data, + uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only) { ldns_rr *tsig_rr; ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name); 
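Review bot: The new `ldns_pkt_tsig_verify_next` signature writes `const char* key_name` while the parameter next to it is `const char *key_data`; the rest of the file binds the asterisk to the name, so `const char *key_name` keeps the style uniform. Both the wrapper and the new function are placed under `#ifdef HAVE_SSL`, whereas tsig.h declares them unconditionally; if the file provides a non-SSL fallback for `ldns_pkt_tsig_verify` further down (not visible here), the `_next` variants need the same fallback or the header declarations dangle in builds without SSL. The body of ldns_pkt_tsig_verify_next continues beyond this hunk.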
@@ -372,7 +390,7 @@ ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data, status = ldns_tsig_mac_new(&mac_rdf, pkt_wire, pkt_wire_len, key_data, key_name_rdf, fudge_rdf, algorithm_rdf, - time_signed_rdf, error_rdf, other_data_rdf, query_mac); + time_signed_rdf, error_rdf, other_data_rdf, query_mac, tsig_timers_only); if (!mac_rdf) { goto clean;