* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: message.c,v 1.151 2000/10/11 23:57:38 bwelling Exp $ */
+/* $Id: message.c,v 1.152 2000/10/12 00:40:48 bwelling Exp $ */
/***
*** Imports
if (msg->opcode != dns_opcode_update
&& rdtype != dns_rdatatype_tsig
&& rdtype != dns_rdatatype_opt
- && rdtype != dns_rdatatype_key /* XXX in a TKEY query */
- && rdtype != dns_rdatatype_sig /* XXX SIG(0) */
+ && rdtype != dns_rdatatype_key /* in a TKEY query */
+ && rdtype != dns_rdatatype_sig /* SIG(0) */
+ && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
&& msg->rdclass != rdclass)
DO_FORMERR;
/*
* A TKEY must be in the additional section if this
* is a query, and the answer section if this is a
- * response.
+ * response. Unless it's a Win2000 client.
+ *
* Its class is ignored.
*/
dns_section_t tkeysection;
tkeysection = DNS_SECTION_ADDITIONAL;
else
tkeysection = DNS_SECTION_ANSWER;
- if (sectionid != tkeysection)
+ if (sectionid != tkeysection &&
+ sectionid != DNS_SECTION_ANSWER)
DO_FORMERR;
}
*/
/*
- * $Id: tkey.c,v 1.53 2000/10/07 00:09:25 bwelling Exp $
+ * $Id: tkey.c,v 1.54 2000/10/12 00:40:50 bwelling Exp $
*/
#include <config.h>
if (tctx->dhkey != NULL)
dst_key_free(&tctx->dhkey);
if (tctx->domain != NULL) {
- dns_name_free(tctx->domain, mctx);
+ if (dns_name_dynamic(tctx->domain))
+ dns_name_free(tctx->domain, mctx);
isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
}
isc_entropy_detach(&tctx->ectx);
unsigned char *randomdata = NULL, secretdata[256];
isc_stdtime_t now;
+ if (tctx->dhkey == NULL) {
+ tkey_log("process_dhtkey: tkey-dhkey not defined");
+ tkeyout->error = dns_tsigerror_badalg;
+ return (DNS_R_REFUSED);
+ }
+
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
if (tctx->gsscred == NULL)
return (ISC_R_NOPERM);
- if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME)) {
+ if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
+ !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
dns_rdatatype_tkey, 0, &name, &tkeyset);
if (result != ISC_R_SUCCESS) {
- result = DNS_R_FORMERR;
- tkey_log("dns_tkey_processquery: couldn't find a TKEY "
- "matching the question");
- goto failure;
+ /*
+ * Try the answer section, since that's where Win2000
+ * puts it.
+ */
+ if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+ dns_rdatatype_tkey, 0, &name,
+ &tkeyset) != ISC_R_SUCCESS)
+ {
+ result = DNS_R_FORMERR;
+ tkey_log("dns_tkey_processquery: couldn't find a TKEY "
+ "matching the question");
+ goto failure;
+ }
}
result = dns_rdataset_first(tkeyset);
if (result != ISC_R_SUCCESS) {
goto failure;
}
}
+ if (tctx->domain == NULL) {
+ tkey_log("dns_tkey_processquery: tkey-domain not set");
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
result = dns_name_concatenate(&prefix, tctx->domain,
keyname, buf);
dns_message_takebuffer(msg, &buf);
dns_name_t *gname, void *cred, void **context,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
{
- dns_rdata_t rtkeyrdata;
+ dns_rdata_t rtkeyrdata, qtkeyrdata;
dns_name_t *tkeyname;
- dns_rdata_tkey_t rtkey;
+ dns_rdata_tkey_t rtkey, qtkey;
isc_buffer_t outtoken;
dst_key_t *dstkey = NULL;
isc_region_t r;
REQUIRE(*outkey == NULL);
REQUIRE(ring != NULL);
- UNUSED(qmsg);
-
if (rmsg->rcode != dns_rcode_noerror)
return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+ RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+ DNS_SECTION_ADDITIONAL));
+ RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
if (rtkey.error != dns_rcode_noerror ||
rtkey.mode != DNS_TKEYMODE_GSSAPI ||
- !dns_name_equal(&rtkey.algorithm, DNS_TSIG_GSSAPI_NAME))
+ !dns_name_equal(&rtkey.algorithm, &rtkey.algorithm))
{
tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
"or error set");
*/
/*
- * $Id: tsig.c,v 1.92 2000/10/07 00:09:27 bwelling Exp $
+ * $Id: tsig.c,v 1.93 2000/10/12 00:40:51 bwelling Exp $
* Principal Author: Brian Wellington
*/
#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
#define algname_is_allocated(algname) \
((algname) != dns_tsig_hmacmd5_name && \
- (algname) != dns_tsig_gssapi_name)
+ (algname) != dns_tsig_gssapi_name && \
+ (algname) != dns_tsig_gssapims_name)
#define BADTIMELEN 6
dns_name_t *dns_tsig_gssapi_name = &gsstsig.name;
+/* It's nice of Microsoft to conform to their own standard. */
+static struct dns_constname gsstsigms = {
+ {
+ DNS_NAME_MAGIC,
+ gsstsigms.const_ndata, 19, 4,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ gsstsigms.const_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+ },
+ { "\003gss\011microsoft\003com" }, /* const_ndata */
+ { 0, 4, 14, 18 } /* const_offsets */
+};
+
+dns_name_t *dns_tsig_gssapims_name = &gsstsigms.name;
+
static isc_result_t
tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME))
tkey->algorithm = DNS_TSIG_GSSAPI_NAME;
+ else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME))
+ tkey->algorithm = DNS_TSIG_GSSAPIMS_NAME;
else {
if (key != NULL) {
ret = ISC_R_NOTIMPLEMENTED;
projects / thirdparty / bind9.git / commitdiff
