ptr = ptr2;
ptr2 = ptr3;
} else {
- hmacname = DNS_TSIG_HMACMD5_NAME;
+ hmac = DST_ALG_HMACMD5;
digestbits = 0;
}
/* XXXONDREJ: FIXME */
char keysecret[MXNAME] = "";
unsigned char cookie_secret[33];
unsigned char cookie[8];
-const dns_name_t *hmacname = NULL;
+dst_algorithm_t hmac = DST_ALG_UNKNOWN;
unsigned int digestbits = 0;
isc_buffer_t *namebuf = NULL;
dns_tsigkey_t *tsigkey = NULL;
secretsize = isc_buffer_usedlength(&secretbuf);
- if (hmacname == NULL) {
+ if (hmac == DST_ALG_UNKNOWN) {
result = DST_R_UNSUPPORTEDALG;
goto failure;
}
goto failure;
}
- result = dns_tsigkey_create(&keyname, hmacname, secretstore,
+ result = dns_tsigkey_create(&keyname, hmac, secretstore,
(int)secretsize, mctx, &tsigkey);
failure:
if (result != ISC_R_SUCCESS) {
* Parse HMAC algorithm specification
*/
void
-parse_hmac(const char *hmac) {
+parse_hmac(const char *algname) {
char buf[20];
size_t len;
- REQUIRE(hmac != NULL);
+ REQUIRE(algname != NULL);
- len = strlen(hmac);
+ len = strlen(algname);
if (len >= sizeof(buf)) {
- fatal("unknown key type '%.*s'", (int)len, hmac);
+ fatal("unknown key type '%.*s'", (int)len, algname);
}
- strlcpy(buf, hmac, sizeof(buf));
+ strlcpy(buf, algname, sizeof(buf));
digestbits = 0;
if (strcasecmp(buf, "hmac-md5") == 0) {
- hmacname = DNS_TSIG_HMACMD5_NAME;
+ hmac = DST_ALG_HMACMD5;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
- hmacname = DNS_TSIG_HMACMD5_NAME;
+ hmac = DST_ALG_HMACMD5;
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
} else if (strcasecmp(buf, "hmac-sha1") == 0) {
- hmacname = DNS_TSIG_HMACSHA1_NAME;
+ hmac = DST_ALG_HMACSHA1;
digestbits = 0;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
- hmacname = DNS_TSIG_HMACSHA1_NAME;
+ hmac = DST_ALG_HMACSHA1;
digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160);
} else if (strcasecmp(buf, "hmac-sha224") == 0) {
- hmacname = DNS_TSIG_HMACSHA224_NAME;
+ hmac = DST_ALG_HMACSHA224;
} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA224_NAME;
+ hmac = DST_ALG_HMACSHA224;
digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224);
} else if (strcasecmp(buf, "hmac-sha256") == 0) {
- hmacname = DNS_TSIG_HMACSHA256_NAME;
+ hmac = DST_ALG_HMACSHA256;
} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA256_NAME;
+ hmac = DST_ALG_HMACSHA256;
digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256);
} else if (strcasecmp(buf, "hmac-sha384") == 0) {
- hmacname = DNS_TSIG_HMACSHA384_NAME;
+ hmac = DST_ALG_HMACSHA384;
} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA384_NAME;
+ hmac = DST_ALG_HMACSHA384;
digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384);
} else if (strcasecmp(buf, "hmac-sha512") == 0) {
- hmacname = DNS_TSIG_HMACSHA512_NAME;
+ hmac = DST_ALG_HMACSHA512;
} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
- hmacname = DNS_TSIG_HMACSHA512_NAME;
+ hmac = DST_ALG_HMACSHA512;
digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512);
} else {
fprintf(stderr,
switch (dst_key_alg(dstkey)) {
case DST_ALG_HMACMD5:
- hmacname = DNS_TSIG_HMACMD5_NAME;
- break;
case DST_ALG_HMACSHA1:
- hmacname = DNS_TSIG_HMACSHA1_NAME;
- break;
case DST_ALG_HMACSHA224:
- hmacname = DNS_TSIG_HMACSHA224_NAME;
- break;
case DST_ALG_HMACSHA256:
- hmacname = DNS_TSIG_HMACSHA256_NAME;
- break;
case DST_ALG_HMACSHA384:
- hmacname = DNS_TSIG_HMACSHA384_NAME;
- break;
case DST_ALG_HMACSHA512:
- hmacname = DNS_TSIG_HMACSHA512_NAME;
+ hmac = dst_key_alg(dstkey);
break;
+ default:
+ dst_key_attach(dstkey, &sig0key);
+ dst_key_free(&dstkey);
+ return;
}
- if (hmacname != NULL) {
- result = dns_tsigkey_createfromkey(
- dst_key_name(dstkey), hmacname, dstkey, false, false,
- NULL, 0, 0, mctx, &tsigkey);
+ if (dstkey != NULL) {
+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmac,
+ dstkey, false, false, NULL,
+ 0, 0, mctx, &tsigkey);
if (result != ISC_R_SUCCESS) {
printf(";; Couldn't create key %s: %s\n", keynametext,
isc_result_totext(result));
- goto failure;
}
- } else {
- dst_key_attach(dstkey, &sig0key);
- dst_key_free(&dstkey);
}
+
failure:
if (dstkey != NULL) {
dst_key_free(&dstkey);
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
-extern const dns_name_t *hmacname;
+extern dst_algorithm_t hmac;
extern unsigned int digestbits;
extern dns_tsigkey_t *tsigkey;
extern bool validated;
parse_netprefix(isc_sockaddr_t **sap, const char *value);
void
-parse_hmac(const char *hmacstr);
+parse_hmac(const char *algname);
dig_lookup_t *
requeue_lookup(dig_lookup_t *lookold, bool servers);
{ NULL, hmacnone, DST_ALG_UNKNOWN, 0 } };
isc_result_t
-named_config_getkeyalgorithm(const char *str, const dns_name_t **name,
+named_config_getkeyalgorithm(const char *str, unsigned int *typep,
uint16_t *digestbits) {
- return (named_config_getkeyalgorithm2(str, name, NULL, digestbits));
-}
-
-isc_result_t
-named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
- unsigned int *typep, uint16_t *digestbits) {
int i;
size_t len = 0;
uint16_t bits;
} else {
bits = algorithms[i].size;
}
-
- if (name != NULL) {
- switch (algorithms[i].hmac) {
- case hmacmd5:
- *name = dns_tsig_hmacmd5_name;
- break;
- case hmacsha1:
- *name = dns_tsig_hmacsha1_name;
- break;
- case hmacsha224:
- *name = dns_tsig_hmacsha224_name;
- break;
- case hmacsha256:
- *name = dns_tsig_hmacsha256_name;
- break;
- case hmacsha384:
- *name = dns_tsig_hmacsha384_name;
- break;
- case hmacsha512:
- *name = dns_tsig_hmacsha512_name;
- break;
- default:
- UNREACHABLE();
- }
- }
if (typep != NULL) {
*typep = algorithms[i].type;
}
algstr = cfg_obj_asstring(algobj);
secretstr = cfg_obj_asstring(secretobj);
- result = named_config_getkeyalgorithm2(algstr, NULL,
- &algtype, NULL);
+ result = named_config_getkeyalgorithm(algstr, &algtype,
+ NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(control, named_g_lctx,
ISC_LOG_WARNING,
algstr = cfg_obj_asstring(algobj);
secretstr = cfg_obj_asstring(secretobj);
- result = named_config_getkeyalgorithm2(algstr, NULL, &algtype, NULL);
+ result = named_config_getkeyalgorithm(algstr, &algtype, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"unsupported algorithm '%s' in "
in_port_t *portp);
isc_result_t
-named_config_getkeyalgorithm(const char *str, const dns_name_t **name,
+named_config_getkeyalgorithm(const char *str, unsigned int *typep,
uint16_t *digestbits);
-isc_result_t
-named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
- unsigned int *typep, uint16_t *digestbits);
static const char *const response_synonyms[] = { "response", NULL };
-static const dns_name_t *
-algorithm_name(unsigned int alg) {
- switch (alg) {
- case DST_ALG_HMACMD5:
- return (dns_tsig_hmacmd5_name);
- case DST_ALG_HMACSHA1:
- return (dns_tsig_hmacsha1_name);
- case DST_ALG_HMACSHA224:
- return (dns_tsig_hmacsha224_name);
- case DST_ALG_HMACSHA256:
- return (dns_tsig_hmacsha256_name);
- case DST_ALG_HMACSHA384:
- return (dns_tsig_hmacsha384_name);
- case DST_ALG_HMACSHA512:
- return (dns_tsig_hmacsha512_name);
- case DST_ALG_GSSAPI:
- return (dns_tsig_gssapi_name);
- default:
- UNREACHABLE();
- }
-}
-
/*
* Configure 'view' according to 'vconfig', taking defaults from
* 'config' where values are missing in 'vconfig'.
dns_tsigkey_t *tsigkey = NULL;
result = dns_tsigkey_createfromkey(
named_g_server->session_keyname,
- algorithm_name(named_g_server->session_keyalg),
+ named_g_server->session_keyalg,
named_g_server->sessionkey, false, false, NULL, 0, 0,
- mctx, NULL, &tsigkey);
+ mctx, &tsigkey);
if (result == ISC_R_SUCCESS) {
result = dns_tsigkeyring_add(
ring, named_g_server->session_keyname, tsigkey);
static isc_result_t
generate_session_key(const char *filename, const char *keynamestr,
- const dns_name_t *keyname, const char *algstr,
- unsigned int algtype, uint16_t bits, isc_mem_t *mctx,
- bool first_time, dst_key_t **keyp) {
+ const dns_name_t *keyname, dst_algorithm_t alg,
+ uint16_t bits, isc_mem_t *mctx, bool first_time,
+ dst_key_t **keyp) {
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *key = NULL;
isc_buffer_t key_txtbuffer;
"generating session key for dynamic DNS");
/* generate key */
- result = dst_key_generate(keyname, algtype, bits, 1, 0,
- DNS_KEYPROTO_ANY, dns_rdataclass_in, mctx,
- &key, NULL);
+ result = dst_key_generate(keyname, alg, bits, 1, 0, DNS_KEYPROTO_ANY,
+ dns_rdataclass_in, mctx, &key, NULL);
if (result != ISC_R_SUCCESS) {
return (result);
}
"key \"%s\" {\n"
"\talgorithm %s;\n"
"\tsecret \"%.*s\";\n};\n",
- keynamestr, algstr, (int)isc_buffer_usedlength(&key_txtbuffer),
+ keynamestr, dst_hmac_algorithm_totext(alg),
+ (int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer));
CHECK(isc_stdio_flush(fp));
result = isc_stdio_close(fp);
- fp = NULL;
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
static isc_result_t
configure_session_key(const cfg_obj_t **maps, named_server_t *server,
isc_mem_t *mctx, bool first_time) {
- const char *keyfile, *keynamestr, *algstr;
+ const char *keyfile = NULL, *keynamestr = NULL, *algstr = NULL;
unsigned int algtype;
dns_fixedname_t fname;
- dns_name_t *keyname;
- const dns_name_t *algname;
+ dns_name_t *keyname = NULL;
isc_buffer_t buffer;
uint16_t bits;
- const cfg_obj_t *obj;
+ const cfg_obj_t *obj = NULL;
bool need_deleteold = false;
bool need_createnew = false;
isc_result_t result;
result = named_config_get(maps, "session-keyalg", &obj);
INSIST(result == ISC_R_SUCCESS);
algstr = cfg_obj_asstring(obj);
- algname = NULL;
- result = named_config_getkeyalgorithm2(algstr, &algname, &algtype,
- &bits);
+ result = named_config_getkeyalgorithm(algstr, &algtype, &bits);
if (result != ISC_R_SUCCESS) {
const char *s = " (keeping current key)";
server->session_keyalg = algtype;
server->session_keybits = bits;
- CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
+ CHECK(generate_session_key(keyfile, keynamestr, keyname,
algtype, bits, mctx, first_time,
&server->sessionkey));
}
const cfg_obj_t *algobj = NULL;
const cfg_obj_t *secretobj = NULL;
dns_name_t keyname;
- const dns_name_t *alg = NULL;
+ dst_algorithm_t alg = DST_ALG_UNKNOWN;
const char *algstr = NULL;
char keynamedata[1024];
isc_buffer_t keynamesrc, keynamebuf;
}
static bool
-parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
+parse_hmac(const char *hmacstr, size_t len, dst_algorithm_t *hmac,
uint16_t *digestbitsp) {
uint16_t digestbits = 0;
isc_result_t result;
char buf[20];
- REQUIRE(hmac != NULL && *hmac == NULL);
+ REQUIRE(hmac != NULL);
REQUIRE(hmacstr != NULL);
if (len >= sizeof(buf)) {
strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
if (strcasecmp(buf, "hmac-md5") == 0) {
- *hmac = DNS_TSIG_HMACMD5_NAME;
+ *hmac = DST_ALG_HMACMD5;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
- *hmac = DNS_TSIG_HMACMD5_NAME;
+ *hmac = DST_ALG_HMACMD5;
result = isc_parse_uint16(&digestbits, &buf[9], 10);
if (result != ISC_R_SUCCESS || digestbits > 128) {
error("digest-bits out of range [0..128]");
}
*digestbitsp = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(buf, "hmac-sha1") == 0) {
- *hmac = DNS_TSIG_HMACSHA1_NAME;
+ *hmac = DST_ALG_HMACSHA1;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
- *hmac = DNS_TSIG_HMACSHA1_NAME;
+ *hmac = DST_ALG_HMACSHA1;
result = isc_parse_uint16(&digestbits, &buf[10], 10);
if (result != ISC_R_SUCCESS || digestbits > 160) {
error("digest-bits out of range [0..160]");
}
*digestbitsp = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(buf, "hmac-sha224") == 0) {
- *hmac = DNS_TSIG_HMACSHA224_NAME;
+ *hmac = DST_ALG_HMACSHA224;
} else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) {
- *hmac = DNS_TSIG_HMACSHA224_NAME;
+ *hmac = DST_ALG_HMACSHA224;
result = isc_parse_uint16(&digestbits, &buf[12], 10);
if (result != ISC_R_SUCCESS || digestbits > 224) {
error("digest-bits out of range [0..224]");
}
*digestbitsp = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(buf, "hmac-sha256") == 0) {
- *hmac = DNS_TSIG_HMACSHA256_NAME;
+ *hmac = DST_ALG_HMACSHA256;
} else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) {
- *hmac = DNS_TSIG_HMACSHA256_NAME;
+ *hmac = DST_ALG_HMACSHA256;
result = isc_parse_uint16(&digestbits, &buf[12], 10);
if (result != ISC_R_SUCCESS || digestbits > 256) {
error("digest-bits out of range [0..256]");
}
*digestbitsp = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(buf, "hmac-sha384") == 0) {
- *hmac = DNS_TSIG_HMACSHA384_NAME;
+ *hmac = DST_ALG_HMACSHA384;
} else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) {
- *hmac = DNS_TSIG_HMACSHA384_NAME;
+ *hmac = DST_ALG_HMACSHA384;
result = isc_parse_uint16(&digestbits, &buf[12], 10);
if (result != ISC_R_SUCCESS || digestbits > 384) {
error("digest-bits out of range [0..384]");
}
*digestbitsp = (digestbits + 7) & ~0x7U;
} else if (strcasecmp(buf, "hmac-sha512") == 0) {
- *hmac = DNS_TSIG_HMACSHA512_NAME;
+ *hmac = DST_ALG_HMACSHA512;
} else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) {
- *hmac = DNS_TSIG_HMACSHA512_NAME;
+ *hmac = DST_ALG_HMACSHA512;
result = isc_parse_uint16(&digestbits, &buf[12], 10);
if (result != ISC_R_SUCCESS || digestbits > 512) {
error("digest-bits out of range [0..512]");
isc_buffer_t secretbuf;
isc_result_t result;
isc_buffer_t keynamesrc;
- char *secretstr;
- char *s, *n;
+ char *secretstr = NULL;
+ char *s = NULL, *n = NULL;
dns_fixedname_t fkeyname;
- dns_name_t *mykeyname;
- char *name;
- const dns_name_t *hmacname = NULL;
+ dns_name_t *mykeyname = NULL;
+ char *name = NULL;
+ dst_algorithm_t hmac;
uint16_t digestbits = 0;
mykeyname = dns_fixedname_initname(&fkeyname);
}
name = secretstr;
secretstr = n + 1;
- if (!parse_hmac(&hmacname, keystr, s - keystr, &digestbits)) {
+ if (!parse_hmac(keystr, s - keystr, &hmac, &digestbits)) {
exit(1);
}
} else {
- hmacname = DNS_TSIG_HMACMD5_NAME;
+ hmac = DST_ALG_HMACMD5;
name = keystr;
n = s;
}
secretlen = isc_buffer_usedlength(&secretbuf);
debug("keycreate");
- result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
- gmctx, &tsigkey);
+ result = dns_tsigkey_create(mykeyname, hmac, secret, secretlen, gmctx,
+ &tsigkey);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not create key from %s: %s\n", keystr,
isc_result_totext(result));
setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
dst_key_t *dstkey = NULL;
isc_result_t result;
- const dns_name_t *hmacname = NULL;
+ dst_algorithm_t hmac = DST_ALG_UNKNOWN;
debug("Creating key...");
switch (dst_key_alg(dstkey)) {
case DST_ALG_HMACMD5:
- hmacname = DNS_TSIG_HMACMD5_NAME;
- break;
case DST_ALG_HMACSHA1:
- hmacname = DNS_TSIG_HMACSHA1_NAME;
- break;
case DST_ALG_HMACSHA224:
- hmacname = DNS_TSIG_HMACSHA224_NAME;
- break;
case DST_ALG_HMACSHA256:
- hmacname = DNS_TSIG_HMACSHA256_NAME;
- break;
case DST_ALG_HMACSHA384:
- hmacname = DNS_TSIG_HMACSHA384_NAME;
- break;
case DST_ALG_HMACSHA512:
- hmacname = DNS_TSIG_HMACSHA512_NAME;
+ hmac = dst_key_alg(dstkey);
break;
- }
- if (hmacname != NULL) {
- result = dns_tsigkey_createfromkey(
- dst_key_name(dstkey), hmacname, dstkey, false, false,
- NULL, 0, 0, mctx, &tsigkey);
- dst_key_free(&dstkey);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not create key from %s: %s\n",
- keyfile, isc_result_totext(result));
- return;
- }
- } else {
+ default:
dst_key_attach(dstkey, &sig0key);
dst_key_free(&dstkey);
+ return;
+ }
+
+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmac, dstkey,
+ false, false, NULL, 0, 0, mctx,
+ &tsigkey);
+ dst_key_free(&dstkey);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not create key from %s: %s\n", keyfile,
+ isc_result_totext(result));
}
}
int secretlen;
unsigned char *secret = NULL;
isc_buffer_t secretbuf;
- const dns_name_t *hmacname = NULL;
+ dst_algorithm_t hmac = DST_ALG_UNKNOWN;
uint16_t digestbits = 0;
char *n;
n = strchr(namestr, ':');
if (n != NULL) {
- if (!parse_hmac(&hmacname, namestr, n - namestr, &digestbits)) {
+ if (!parse_hmac(namestr, n - namestr, &hmac, &digestbits)) {
return (STATUS_SYNTAX);
}
namestr = n + 1;
} else {
- hmacname = DNS_TSIG_HMACMD5_NAME;
+ hmac = DST_ALG_HMACMD5;
}
isc_buffer_init(&b, namestr, strlen(namestr));
if (tsigkey != NULL) {
dns_tsigkey_detach(&tsigkey);
}
- result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
- gmctx, &tsigkey);
+ result = dns_tsigkey_create(mykeyname, hmac, secret, secretlen, gmctx,
+ &tsigkey);
isc_mem_free(gmctx, secret);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not create key from %s %s: %s\n",
return (1);
}
- result = dns_tsigkey_create(name, dns_tsig_hmacsha256_name, secret,
+ result = dns_tsigkey_create(name, DST_ALG_HMACSHA256, secret,
sizeof(secret), mctx, &tsigkey);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "dns_tsigkey_create failed: %s\n",
*/
isc_result_t
-dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm,
+dns_tsigkey_create(const dns_name_t *name, dst_algorithm_t algorithm,
unsigned char *secret, int length, isc_mem_t *mctx,
dns_tsigkey_t **key);
isc_result_t
-dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
+dns_tsigkey_createfromkey(const dns_name_t *name, dst_algorithm_t algorithm,
dst_key_t *dstkey, bool generated, bool restored,
const dns_name_t *creator, isc_stdtime_t inception,
isc_stdtime_t expire, isc_mem_t *mctx,
#include <dst/gssapi.h>
#include "dst_internal.h"
+#include "tsig_p.h"
#define TEMP_BUFFER_SZ 8192
#define TKEY_RANDOM_AMOUNT 16
}
#endif /* HAVE_GSSAPI */
RETERR(dns_tsigkey_createfromkey(
- name, &tkeyin->algorithm, dstkey, true, false,
- principal, now, expire, ring->mctx, &tsigkey));
+ name, dns__tsig_algfromname(&tkeyin->algorithm), dstkey,
+ true, false, principal, now, expire, ring->mctx,
+ &tsigkey));
RETERR(dns_tsigkeyring_add(ring, name, tsigkey));
dst_key_free(&dstkey);
tkeyout->inception = now;
return (result);
}
- tkey.common.rdclass = dns_rdataclass_any;
- tkey.common.rdtype = dns_rdatatype_tkey;
- ISC_LINK_INIT(&tkey.common, link);
- tkey.mctx = NULL;
+ tkey = (dns_rdata_tkey_t){
+ .common.rdclass = dns_rdataclass_any,
+ .common.rdtype = dns_rdatatype_tkey,
+ .common.link = ISC_LINK_INITIALIZER,
+ .inception = now,
+ .expire = now + lifetime,
+ .mode = DNS_TKEYMODE_GSSAPI,
+ .key = isc_buffer_base(&token),
+ .keylen = isc_buffer_usedlength(&token),
+ };
dns_name_init(&tkey.algorithm, NULL);
dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
- tkey.inception = now;
- tkey.expire = now + lifetime;
- tkey.mode = DNS_TKEYMODE_GSSAPI;
- tkey.error = 0;
- tkey.key = isc_buffer_base(&token);
- tkey.keylen = isc_buffer_usedlength(&token);
- tkey.other = NULL;
- tkey.otherlen = 0;
return (buildquery(msg, name, &tkey));
}
* anything yet.
*/
- RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME, dstkey,
- true, false, NULL, rtkey.inception,
+ RETERR(dns_tsigkey_createfromkey(tkeyname, DST_ALG_GSSAPI, dstkey, true,
+ false, NULL, rtkey.inception,
rtkey.expire, ring->mctx, &tsigkey));
RETERR(dns_tsigkeyring_add(ring, tkeyname, tsigkey));
if (outkey == NULL) {
}
}
+static const dns_name_t *
+namefromalg(dst_algorithm_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return (dns_tsig_hmacmd5_name);
+ case DST_ALG_HMACSHA1:
+ return (dns_tsig_hmacsha1_name);
+ case DST_ALG_HMACSHA224:
+ return (dns_tsig_hmacsha224_name);
+ case DST_ALG_HMACSHA256:
+ return (dns_tsig_hmacsha256_name);
+ case DST_ALG_HMACSHA384:
+ return (dns_tsig_hmacsha384_name);
+ case DST_ALG_HMACSHA512:
+ return (dns_tsig_hmacsha512_name);
+ case DST_ALG_GSSAPI:
+ return (dns_tsig_gssapi_name);
+ default:
+ return (NULL);
+ }
+}
+
isc_result_t
-dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
+dns_tsigkey_createfromkey(const dns_name_t *name, dst_algorithm_t algorithm,
dst_key_t *dstkey, bool generated, bool restored,
const dns_name_t *creator, isc_stdtime_t inception,
isc_stdtime_t expire, isc_mem_t *mctx,
dns_tsigkey_t **keyp) {
dns_tsigkey_t *tkey = NULL;
isc_result_t ret;
- unsigned int dstalg = 0;
REQUIRE(keyp != NULL && *keyp == NULL);
REQUIRE(name != NULL);
- REQUIRE(algorithm != NULL);
REQUIRE(mctx != NULL);
tkey = isc_mem_get(mctx, sizeof(dns_tsigkey_t));
dns_name_dup(name, mctx, &tkey->name);
(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
- /* Check against known algorithm names */
- dstalg = dns__tsig_algfromname(algorithm);
- if (dstalg != 0) {
- /*
- * 'algorithm' must be set to a static pointer
- * so that dns__tsig_algallocated() can compare them.
- */
- tkey->algorithm = dns__tsig_algnamefromname(algorithm);
- if (dstkey != NULL && dst_key_alg(dstkey) != dstalg) {
- ret = DNS_R_BADALG;
- goto cleanup_name;
- }
- } else {
- dns_name_t *tmpname = NULL;
- if (dstkey != NULL) {
+ if (algorithm != DST_ALG_UNKNOWN) {
+ if (dstkey != NULL && dst_key_alg(dstkey) != algorithm) {
ret = DNS_R_BADALG;
goto cleanup_name;
}
- tmpname = isc_mem_get(mctx, sizeof(dns_name_t));
- dns_name_init(tmpname, NULL);
- dns_name_dup(algorithm, mctx, tmpname);
- (void)dns_name_downcase(tmpname, tmpname, NULL);
- tkey->algorithm = tmpname;
+ } else if (dstkey != NULL) {
+ ret = DNS_R_BADALG;
+ goto cleanup_name;
}
+ tkey->algorithm = namefromalg(algorithm);
+
if (creator != NULL) {
tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
dns_name_init(tkey->creator, NULL);
* Ignore this if it's a GSS key, since the key size is meaningless.
*/
if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
- dstalg != DST_ALG_GSSAPI)
+ algorithm != DST_ALG_GSSAPI)
{
char namestr[DNS_NAME_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
/*
* Look up the DST_ALG_ constant for a given name.
*/
-unsigned int
+dst_algorithm_t
dns__tsig_algfromname(const dns_name_t *algorithm) {
- int i;
- int n = sizeof(known_algs) / sizeof(*known_algs);
- for (i = 0; i < n; ++i) {
+ for (size_t i = 0; i < ARRAY_SIZE(known_algs); ++i) {
const dns_name_t *name = known_algs[i].name;
if (algorithm == name || dns_name_equal(algorithm, name)) {
return (known_algs[i].dstalg);
}
}
- return (0);
-}
-
-/*
- * Convert an algorithm name into a pointer to the
- * corresponding pre-defined dns_name_t structure.
- */
-const dns_name_t *
-dns__tsig_algnamefromname(const dns_name_t *algorithm) {
- int i;
- int n = sizeof(known_algs) / sizeof(*known_algs);
- for (i = 0; i < n; ++i) {
- const dns_name_t *name = known_algs[i].name;
- if (algorithm == name || dns_name_equal(algorithm, name)) {
- return (name);
- }
- }
- return (NULL);
+ return (DST_ALG_UNKNOWN);
}
/*
}
dstalg = dns__tsig_algfromname(algorithm);
- if (dstalg == 0) {
+ if (dstalg == DST_ALG_UNKNOWN) {
return (DNS_R_BADALG);
}
return (result);
}
- result = dns_tsigkey_createfromkey(name, algorithm, dstkey, true, true,
+ result = dns_tsigkey_createfromkey(name, dstalg, dstkey, true, true,
creator, inception, expire,
ring->mctx, &tkey);
if (result == ISC_R_SUCCESS) {
}
isc_result_t
-dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm,
+dns_tsigkey_create(const dns_name_t *name, dst_algorithm_t algorithm,
unsigned char *secret, int length, isc_mem_t *mctx,
dns_tsigkey_t **key) {
dst_key_t *dstkey = NULL;
isc_result_t result;
- unsigned int dstalg = 0;
REQUIRE(length >= 0);
if (length > 0) {
REQUIRE(secret != NULL);
}
- dstalg = dns__tsig_algfromname(algorithm);
- if (dns__tsig_algvalid(dstalg)) {
+ if (dns__tsig_algvalid(algorithm)) {
if (secret != NULL) {
isc_buffer_t b;
isc_buffer_init(&b, secret, length);
isc_buffer_add(&b, length);
result = dst_key_frombuffer(
- name, dstalg, DNS_KEYOWNER_ENTITY,
+ name, algorithm, DNS_KEYOWNER_ENTITY,
DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b,
mctx, &dstkey);
if (result != ISC_R_SUCCESS) {
mctx = msg->mctx;
- tsig.mctx = mctx;
- tsig.common.rdclass = dns_rdataclass_any;
- tsig.common.rdtype = dns_rdatatype_tsig;
- ISC_LINK_INIT(&tsig.common, link);
+ now = msg->fuzzing ? msg->fuzztime : isc_stdtime_now();
+ tsig = (dns_rdata_any_tsig_t){
+ .mctx = mctx,
+ .common.rdclass = dns_rdataclass_any,
+ .common.rdtype = dns_rdatatype_tsig,
+ .common.link = ISC_LINK_INITIALIZER,
+ .timesigned = now + msg->timeadjust,
+ .fudge = DNS_TSIG_FUDGE,
+ .originalid = msg->id,
+ .error = response ? msg->querytsigstatus : dns_rcode_noerror,
+ };
+
dns_name_init(&tsig.algorithm, NULL);
dns_name_clone(key->algorithm, &tsig.algorithm);
- if (msg->fuzzing) {
- now = msg->fuzztime;
- } else {
- now = isc_stdtime_now();
- }
-
- tsig.timesigned = now + msg->timeadjust;
- tsig.fudge = DNS_TSIG_FUDGE;
-
- tsig.originalid = msg->id;
-
isc_buffer_init(&databuf, data, sizeof(data));
- if (response) {
- tsig.error = msg->querytsigstatus;
- } else {
- tsig.error = dns_rcode_noerror;
- }
-
- if (tsig.error != dns_tsigerror_badtime) {
- tsig.otherlen = 0;
- tsig.other = NULL;
- } else {
+ if (tsig.error == dns_tsigerror_badtime) {
isc_buffer_t otherbuf;
tsig.otherlen = BADTIMELEN;
}
if (ret != ISC_R_SUCCESS) {
msg->tsigstatus = dns_tsigerror_badkey;
- ret = dns_tsigkey_create(keyname, &tsig.algorithm, NULL,
- 0, mctx, &msg->tsigkey);
+ ret = dns_tsigkey_create(
+ keyname, dns__tsig_algfromname(&tsig.algorithm),
+ NULL, 0, mctx, &msg->tsigkey);
if (ret != ISC_R_SUCCESS) {
return (ret);
}
REQUIRE(VALID_TSIGKEY(tkey));
REQUIRE(VALID_TSIGKEYRING(ring));
+ REQUIRE(tkey->ring == NULL);
REQUIRE(name != NULL);
RWLOCK(&ring->lock, isc_rwlocktype_write);
bool
dns__tsig_algvalid(unsigned int alg);
-unsigned int
+dst_algorithm_t
dns__tsig_algfromname(const dns_name_t *algorithm);
-const dns_name_t *
-dns__tsig_algnamefromname(const dns_name_t *algorithm);
bool
dns__tsig_algallocated(const dns_name_t *algorithm);
signame = NULL;
if (dns_message_gettsig(client->message, &signame) != NULL) {
char namebuf[DNS_NAME_FORMATSIZE];
- char cnamebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(signame, namebuf, sizeof(namebuf));
+
status = client->message->tsigstatus;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
tresult = dns_tsigrcode_totext(status, &b);
if (client->message->tsigkey->generated) {
dns_name_format(
client->message->tsigkey->creator,
- cnamebuf, sizeof(cnamebuf));
- ns_client_log(
- client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: "
- "TSIG %s (%s): %s (%s)",
- namebuf, cnamebuf,
- isc_result_totext(result), tsigrcode);
+ namebuf, sizeof(namebuf));
} else {
- ns_client_log(
- client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: "
- "TSIG %s: %s (%s)",
- namebuf, isc_result_totext(result),
- tsigrcode);
+ dns_name_format(signame, namebuf,
+ sizeof(namebuf));
}
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+ "request has invalid signature: "
+ "TSIG %s: %s (%s)",
+ namebuf, isc_result_totext(result),
+ tsigrcode);
} else {
status = client->message->sig0status;
isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
result = dns_tsigkeyring_create(mctx, &ring);
assert_int_equal(result, ISC_R_SUCCESS);
- result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name, secret,
+ result = dns_tsigkey_create(keyname, DST_ALG_HMACSHA256, secret,
sizeof(secret), mctx, &key);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_tsigkeyring_add(ring, keyname, key);
assert_false(dns__tsig_algvalid(DST_ALG_GSSAPI));
}
-/* Tests the dns__tsig_algfromname function */
-ISC_RUN_TEST_IMPL(algfromname) {
- UNUSED(state);
-
- assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACMD5_NAME),
- DST_ALG_HMACMD5);
- assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA1_NAME),
- DST_ALG_HMACSHA1);
- assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA224_NAME),
- DST_ALG_HMACSHA224);
- assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA256_NAME),
- DST_ALG_HMACSHA256);
- assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA384_NAME),
- DST_ALG_HMACSHA384);
- assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA512_NAME),
- DST_ALG_HMACSHA512);
-
- assert_int_equal(dns__tsig_algfromname(DNS_TSIG_GSSAPI_NAME),
- DST_ALG_GSSAPI);
-
- assert_int_equal(dns__tsig_algfromname(dns_rootname), 0);
-}
-
-/* Tests the dns__tsig_algnamefromname function */
-
-/*
- * Helper function to create a dns_name_t from a string and see if
- * the dns__tsig_algnamefromname function can correctly match it against the
- * static table of known algorithms.
- */
-static void
-test_name(const char *name_string, const dns_name_t *expected) {
- dns_name_t name;
- dns_name_init(&name, NULL);
- assert_int_equal(dns_name_fromstring(&name, name_string, 0, mctx),
- ISC_R_SUCCESS);
- assert_ptr_equal(dns__tsig_algnamefromname(&name), expected);
- dns_name_free(&name, mctx);
-}
-
-ISC_RUN_TEST_IMPL(algnamefromname) {
- UNUSED(state);
-
- /* test the standard algorithms */
- test_name("hmac-md5.sig-alg.reg.int", DNS_TSIG_HMACMD5_NAME);
- test_name("hmac-sha1", DNS_TSIG_HMACSHA1_NAME);
- test_name("hmac-sha224", DNS_TSIG_HMACSHA224_NAME);
- test_name("hmac-sha256", DNS_TSIG_HMACSHA256_NAME);
- test_name("hmac-sha384", DNS_TSIG_HMACSHA384_NAME);
- test_name("hmac-sha512", DNS_TSIG_HMACSHA512_NAME);
-
- test_name("gss-tsig", DNS_TSIG_GSSAPI_NAME);
-
- /* try another name that isn't a standard algorithm name */
- assert_null(dns__tsig_algnamefromname(dns_rootname));
-}
-
/* Tests the dns__tsig_algallocated function */
ISC_RUN_TEST_IMPL(algallocated) {
UNUSED(state);
ISC_TEST_LIST_START
ISC_TEST_ENTRY_CUSTOM(tsig_tcp, setup_test, teardown_test)
ISC_TEST_ENTRY(algvalid)
-ISC_TEST_ENTRY(algfromname)
-ISC_TEST_ENTRY_CUSTOM(algnamefromname, setup_test, teardown_test)
ISC_TEST_ENTRY(algallocated)
ISC_TEST_LIST_END
projects / thirdparty / bind9.git / commitdiff
