2 * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
21 #include <isc/buffer.h>
22 #include <isc/entropy.h>
25 #include <isc/print.h>
26 #include <isc/string.h>
29 #include <dns/dnssec.h>
30 #include <dns/fixedname.h>
31 #include <dns/keyvalues.h>
33 #include <dns/message.h>
35 #include <dns/rdata.h>
36 #include <dns/rdatalist.h>
37 #include <dns/rdataset.h>
38 #include <dns/rdatastruct.h>
39 #include <dns/result.h>
44 #include <dst/gssapi.h>
46 #define TEMP_BUFFER_SZ 8192
47 #define TKEY_RANDOM_AMOUNT 16
49 #define RETERR(x) do { \
51 if (result != ISC_R_SUCCESS) \
56 tkey_log(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
59 tkey_log(const char *fmt, ...) {
63 isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
64 DNS_LOGMODULE_REQUEST, ISC_LOG_DEBUG(4), fmt, ap);
69 dumpmessage(dns_message_t *msg) {
71 unsigned char *output;
72 int len = TEMP_BUFFER_SZ;
76 output = isc_mem_get(msg->mctx, len);
80 isc_buffer_init(&outbuf, output, len);
81 result = dns_message_totext(msg, &dns_master_style_debug,
83 if (result == ISC_R_NOSPACE) {
84 isc_mem_put(msg->mctx, output, len);
89 if (result == ISC_R_SUCCESS)
91 (int)isc_buffer_usedlength(&outbuf),
92 (char *)isc_buffer_base(&outbuf));
94 tkey_log("Warning: dns_message_totext: %s",
95 dns_result_totext(result));
100 isc_mem_put(msg->mctx, output, len);
104 dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
108 REQUIRE(mctx != NULL);
109 REQUIRE(ectx != NULL);
110 REQUIRE(tctxp != NULL && *tctxp == NULL);
112 tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
114 return (ISC_R_NOMEMORY);
116 isc_mem_attach(mctx, &tctx->mctx);
118 isc_entropy_attach(ectx, &tctx->ectx);
121 tctx->gsscred = NULL;
122 tctx->gssapi_keytab = NULL;
125 return (ISC_R_SUCCESS);
129 dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
133 REQUIRE(tctxp != NULL && *tctxp != NULL);
138 if (tctx->dhkey != NULL)
139 dst_key_free(&tctx->dhkey);
140 if (tctx->domain != NULL) {
141 if (dns_name_dynamic(tctx->domain))
142 dns_name_free(tctx->domain, mctx);
143 isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
145 if (tctx->gssapi_keytab != NULL) {
146 isc_mem_free(mctx, tctx->gssapi_keytab);
148 if (tctx->gsscred != NULL)
149 dst_gssapi_releasecred(&tctx->gsscred);
150 isc_entropy_detach(&tctx->ectx);
151 isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t));
152 isc_mem_detach(&mctx);
157 add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
158 isc_uint32_t ttl, dns_namelist_t *namelist)
161 isc_region_t r, newr;
162 dns_rdata_t *newrdata = NULL;
163 dns_name_t *newname = NULL;
164 dns_rdatalist_t *newlist = NULL;
165 dns_rdataset_t *newset = NULL;
166 isc_buffer_t *tmprdatabuf = NULL;
168 RETERR(dns_message_gettemprdata(msg, &newrdata));
170 dns_rdata_toregion(rdata, &r);
171 RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
172 isc_buffer_availableregion(tmprdatabuf, &newr);
173 memmove(newr.base, r.base, r.length);
174 dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
175 dns_message_takebuffer(msg, &tmprdatabuf);
177 RETERR(dns_message_gettempname(msg, &newname));
178 dns_name_init(newname, NULL);
179 RETERR(dns_name_dup(name, msg->mctx, newname));
181 RETERR(dns_message_gettemprdatalist(msg, &newlist));
182 newlist->rdclass = newrdata->rdclass;
183 newlist->type = newrdata->type;
185 ISC_LIST_APPEND(newlist->rdata, newrdata, link);
187 RETERR(dns_message_gettemprdataset(msg, &newset));
188 dns_rdataset_init(newset);
189 RETERR(dns_rdatalist_tordataset(newlist, newset));
191 ISC_LIST_INIT(newname->list);
192 ISC_LIST_APPEND(newname->list, newset, link);
194 ISC_LIST_APPEND(*namelist, newname, link);
196 return (ISC_R_SUCCESS);
199 if (newrdata != NULL) {
200 if (ISC_LINK_LINKED(newrdata, link)) {
201 INSIST(newlist != NULL);
202 ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
204 dns_message_puttemprdata(msg, &newrdata);
207 dns_message_puttempname(msg, &newname);
208 if (newset != NULL) {
209 dns_rdataset_disassociate(newset);
210 dns_message_puttemprdataset(msg, &newset);
213 dns_message_puttemprdatalist(msg, &newlist);
218 free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
222 while (!ISC_LIST_EMPTY(*namelist)) {
223 name = ISC_LIST_HEAD(*namelist);
224 ISC_LIST_UNLINK(*namelist, name, link);
225 while (!ISC_LIST_EMPTY(name->list)) {
226 set = ISC_LIST_HEAD(name->list);
227 ISC_LIST_UNLINK(name->list, set, link);
228 dns_message_puttemprdataset(msg, &set);
230 dns_message_puttempname(msg, &name);
235 compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
236 isc_region_t *serverrandomness, isc_buffer_t *secret)
240 unsigned char digests[32];
243 isc_buffer_usedregion(shared, &r);
246 * MD5 ( query data | DH value ).
248 isc_md5_init(&md5ctx);
249 isc_md5_update(&md5ctx, queryrandomness->base,
250 queryrandomness->length);
251 isc_md5_update(&md5ctx, r.base, r.length);
252 isc_md5_final(&md5ctx, digests);
255 * MD5 ( server data | DH value ).
257 isc_md5_init(&md5ctx);
258 isc_md5_update(&md5ctx, serverrandomness->base,
259 serverrandomness->length);
260 isc_md5_update(&md5ctx, r.base, r.length);
261 isc_md5_final(&md5ctx, &digests[ISC_MD5_DIGESTLENGTH]);
264 * XOR ( DH value, MD5-1 | MD5-2).
266 isc_buffer_availableregion(secret, &r);
267 isc_buffer_usedregion(shared, &r2);
268 if (r.length < sizeof(digests) || r.length < r2.length)
269 return (ISC_R_NOSPACE);
270 if (r2.length > sizeof(digests)) {
271 memmove(r.base, r2.base, r2.length);
272 for (i = 0; i < sizeof(digests); i++)
273 r.base[i] ^= digests[i];
274 isc_buffer_add(secret, r2.length);
276 memmove(r.base, digests, sizeof(digests));
277 for (i = 0; i < r2.length; i++)
278 r.base[i] ^= r2.base[i];
279 isc_buffer_add(secret, sizeof(digests));
281 return (ISC_R_SUCCESS);
286 process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
287 dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
288 dns_rdata_tkey_t *tkeyout,
289 dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
291 isc_result_t result = ISC_R_SUCCESS;
292 dns_name_t *keyname, ourname;
293 dns_rdataset_t *keyset = NULL;
294 dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
295 isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
296 dst_key_t *pubkey = NULL;
297 isc_buffer_t ourkeybuf, *shared = NULL;
298 isc_region_t r, r2, ourkeyr;
299 unsigned char keydata[DST_KEY_MAXSIZE];
300 unsigned int sharedsize;
302 unsigned char *randomdata = NULL, secretdata[256];
305 if (tctx->dhkey == NULL) {
306 tkey_log("process_dhtkey: tkey-dhkey not defined");
307 tkeyout->error = dns_tsigerror_badalg;
308 return (DNS_R_REFUSED);
311 if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
312 tkey_log("process_dhtkey: algorithms other than "
313 "hmac-md5 are not supported");
314 tkeyout->error = dns_tsigerror_badalg;
315 return (ISC_R_SUCCESS);
319 * Look for a DH KEY record that will work with ours.
321 for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
322 result == ISC_R_SUCCESS && !found_key;
323 result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
325 dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
327 result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
329 if (result != ISC_R_SUCCESS)
332 for (result = dns_rdataset_first(keyset);
333 result == ISC_R_SUCCESS && !found_key;
334 result = dns_rdataset_next(keyset)) {
335 dns_rdataset_current(keyset, &keyrdata);
337 result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
339 if (result != ISC_R_SUCCESS) {
340 dns_rdata_reset(&keyrdata);
343 if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
344 if (dst_key_paramcompare(pubkey, tctx->dhkey))
346 found_key = ISC_TRUE;
350 found_incompatible = ISC_TRUE;
352 dst_key_free(&pubkey);
353 dns_rdata_reset(&keyrdata);
358 if (found_incompatible) {
359 tkey_log("process_dhtkey: found an incompatible key");
360 tkeyout->error = dns_tsigerror_badkey;
361 return (ISC_R_SUCCESS);
363 tkey_log("process_dhtkey: failed to find a key");
364 return (DNS_R_FORMERR);
368 RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
370 isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
371 RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
372 isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
373 dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
374 dns_rdatatype_key, &ourkeyr);
376 dns_name_init(&ourname, NULL);
377 dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
380 * XXXBEW The TTL should be obtained from the database, if it exists.
382 RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
384 RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
385 RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
387 result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
388 if (result != ISC_R_SUCCESS) {
389 tkey_log("process_dhtkey: failed to compute shared secret: %s",
390 isc_result_totext(result));
393 dst_key_free(&pubkey);
395 isc_buffer_init(&secret, secretdata, sizeof(secretdata));
397 randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
398 if (randomdata == NULL)
401 result = isc_entropy_getdata(tctx->ectx, randomdata,
402 TKEY_RANDOM_AMOUNT, NULL, 0);
403 if (result != ISC_R_SUCCESS) {
404 tkey_log("process_dhtkey: failed to obtain entropy: %s",
405 isc_result_totext(result));
410 r.length = TKEY_RANDOM_AMOUNT;
411 r2.base = tkeyin->key;
412 r2.length = tkeyin->keylen;
413 RETERR(compute_secret(shared, &r2, &r, &secret));
414 isc_buffer_free(&shared);
416 RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
417 isc_buffer_base(&secret),
418 isc_buffer_usedlength(&secret),
419 ISC_TRUE, signer, tkeyin->inception,
420 tkeyin->expire, ring->mctx, ring, NULL));
422 /* This key is good for a long time */
423 tkeyout->inception = tkeyin->inception;
424 tkeyout->expire = tkeyin->expire;
426 tkeyout->key = randomdata;
427 tkeyout->keylen = TKEY_RANDOM_AMOUNT;
429 return (ISC_R_SUCCESS);
432 if (!ISC_LIST_EMPTY(*namelist))
433 free_namelist(msg, namelist);
435 isc_buffer_free(&shared);
437 dst_key_free(&pubkey);
438 if (randomdata != NULL)
439 isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
444 process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
445 dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
446 dns_tsig_keyring_t *ring)
448 isc_result_t result = ISC_R_SUCCESS;
449 dst_key_t *dstkey = NULL;
450 dns_tsigkey_t *tsigkey = NULL;
451 dns_fixedname_t principal;
453 isc_region_t intoken;
454 isc_buffer_t *outtoken = NULL;
455 gss_ctx_id_t gss_ctx = NULL;
458 * You have to define either a gss credential (principal) to
459 * accept with tkey-gssapi-credential, or you have to
460 * configure a specific keytab (with tkey-gssapi-keytab) in
461 * order to use gsstkey
463 if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
464 tkey_log("process_gsstkey(): no tkey-gssapi-credential "
465 "or tkey-gssapi-keytab configured");
466 return (ISC_R_NOPERM);
469 if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
470 !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
471 tkeyout->error = dns_tsigerror_badalg;
472 tkey_log("process_gsstkey(): dns_tsigerror_badalg"); /* XXXSRA */
473 return (ISC_R_SUCCESS);
477 * XXXDCL need to check for key expiry per 4.1.1
478 * XXXDCL need a way to check fully established, perhaps w/key_flags
481 intoken.base = tkeyin->key;
482 intoken.length = tkeyin->keylen;
484 result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
485 if (result == ISC_R_SUCCESS)
486 gss_ctx = dst_key_getgssctx(tsigkey->key);
488 dns_fixedname_init(&principal);
491 * Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
493 result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
496 dns_fixedname_name(&principal),
498 if (result == DNS_R_INVALIDTKEY) {
500 dns_tsigkey_detach(&tsigkey);
501 tkeyout->error = dns_tsigerror_badkey;
502 tkey_log("process_gsstkey(): dns_tsigerror_badkey"); /* XXXSRA */
503 return (ISC_R_SUCCESS);
505 if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
508 * XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
511 isc_stdtime_get(&now);
513 if (tsigkey == NULL) {
515 OM_uint32 gret, minor, lifetime;
519 RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx,
522 * Limit keys to 1 hour or the context's lifetime whichever
527 gret = gss_context_time(&minor, gss_ctx, &lifetime);
528 if (gret == GSS_S_COMPLETE && now + lifetime < expire)
529 expire = now + lifetime;
531 RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
533 dns_fixedname_name(&principal),
534 now, expire, ring->mctx, ring,
536 dst_key_free(&dstkey);
537 tkeyout->inception = now;
538 tkeyout->expire = expire;
540 tkeyout->inception = tsigkey->inception;
541 tkeyout->expire = tsigkey->expire;
542 dns_tsigkey_detach(&tsigkey);
546 tkeyout->key = isc_mem_get(tkeyout->mctx,
547 isc_buffer_usedlength(outtoken));
548 if (tkeyout->key == NULL) {
549 result = ISC_R_NOMEMORY;
552 tkeyout->keylen = isc_buffer_usedlength(outtoken);
553 memmove(tkeyout->key, isc_buffer_base(outtoken),
554 isc_buffer_usedlength(outtoken));
555 isc_buffer_free(&outtoken);
557 tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
558 if (tkeyout->key == NULL) {
559 result = ISC_R_NOMEMORY;
562 tkeyout->keylen = tkeyin->keylen;
563 memmove(tkeyout->key, tkeyin->key, tkeyin->keylen);
566 tkeyout->error = dns_rcode_noerror;
568 tkey_log("process_gsstkey(): dns_tsigerror_noerror"); /* XXXSRA */
570 return (ISC_R_SUCCESS);
574 dns_tsigkey_detach(&tsigkey);
577 dst_key_free(&dstkey);
579 if (outtoken != NULL)
580 isc_buffer_free(&outtoken);
582 tkey_log("process_gsstkey(): %s",
583 isc_result_totext(result)); /* XXXSRA */
589 process_deletetkey(dns_name_t *signer, dns_name_t *name,
590 dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout,
591 dns_tsig_keyring_t *ring)
594 dns_tsigkey_t *tsigkey = NULL;
595 dns_name_t *identity;
597 result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
598 if (result != ISC_R_SUCCESS) {
599 tkeyout->error = dns_tsigerror_badname;
600 return (ISC_R_SUCCESS);
604 * Only allow a delete if the identity that created the key is the
605 * same as the identity that signed the message.
607 identity = dns_tsigkey_identity(tsigkey);
608 if (identity == NULL || !dns_name_equal(identity, signer)) {
609 dns_tsigkey_detach(&tsigkey);
610 return (DNS_R_REFUSED);
614 * Set the key to be deleted when no references are left. If the key
615 * was not generated with TKEY and is in the config file, it may be
618 dns_tsigkey_setdeleted(tsigkey);
620 /* Release the reference */
621 dns_tsigkey_detach(&tsigkey);
623 return (ISC_R_SUCCESS);
627 dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
628 dns_tsig_keyring_t *ring)
630 isc_result_t result = ISC_R_SUCCESS;
631 dns_rdata_tkey_t tkeyin, tkeyout;
632 isc_boolean_t freetkeyin = ISC_FALSE;
633 dns_name_t *qname, *name, *keyname, *signer, tsigner;
634 dns_fixedname_t fkeyname;
635 dns_rdataset_t *tkeyset;
637 dns_namelist_t namelist;
638 char tkeyoutdata[512];
639 isc_buffer_t tkeyoutbuf;
641 REQUIRE(msg != NULL);
642 REQUIRE(tctx != NULL);
643 REQUIRE(ring != NULL);
645 ISC_LIST_INIT(namelist);
648 * Interpret the question section.
650 result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
651 if (result != ISC_R_SUCCESS)
652 return (DNS_R_FORMERR);
655 dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
658 * Look for a TKEY record that matches the question.
662 result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
663 dns_rdatatype_tkey, 0, &name, &tkeyset);
664 if (result != ISC_R_SUCCESS) {
666 * Try the answer section, since that's where Win2000
670 if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
671 dns_rdatatype_tkey, 0, &name,
672 &tkeyset) != ISC_R_SUCCESS) {
673 result = DNS_R_FORMERR;
674 tkey_log("dns_tkey_processquery: couldn't find a TKEY "
675 "matching the question");
679 result = dns_rdataset_first(tkeyset);
680 if (result != ISC_R_SUCCESS) {
681 result = DNS_R_FORMERR;
684 dns_rdata_init(&rdata);
685 dns_rdataset_current(tkeyset, &rdata);
687 RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
688 freetkeyin = ISC_TRUE;
690 if (tkeyin.error != dns_rcode_noerror) {
691 result = DNS_R_FORMERR;
696 * Before we go any farther, verify that the message was signed.
697 * GSSAPI TKEY doesn't require a signature, the rest do.
699 dns_name_init(&tsigner, NULL);
700 result = dns_message_signer(msg, &tsigner);
701 if (result != ISC_R_SUCCESS) {
702 if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
703 result == ISC_R_NOTFOUND)
706 tkey_log("dns_tkey_processquery: query was not "
707 "properly signed - rejecting");
708 result = DNS_R_FORMERR;
714 tkeyout.common.rdclass = tkeyin.common.rdclass;
715 tkeyout.common.rdtype = tkeyin.common.rdtype;
716 ISC_LINK_INIT(&tkeyout.common, link);
717 tkeyout.mctx = msg->mctx;
719 dns_name_init(&tkeyout.algorithm, NULL);
720 dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
722 tkeyout.inception = tkeyout.expire = 0;
723 tkeyout.mode = tkeyin.mode;
725 tkeyout.keylen = tkeyout.otherlen = 0;
726 tkeyout.key = tkeyout.other = NULL;
729 * A delete operation must have a fully specified key name. If this
730 * is not a delete, we do the following:
732 * keyname = qname + defaultdomain
734 * keyname = <random hex> + defaultdomain
736 if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
737 dns_tsigkey_t *tsigkey = NULL;
739 if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
740 tkey_log("dns_tkey_processquery: tkey-domain not set");
741 result = DNS_R_REFUSED;
745 dns_fixedname_init(&fkeyname);
746 keyname = dns_fixedname_name(&fkeyname);
748 if (!dns_name_equal(qname, dns_rootname)) {
749 unsigned int n = dns_name_countlabels(qname);
750 RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
752 dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
754 static char hexdigits[16] = {
755 '0', '1', '2', '3', '4', '5', '6', '7',
756 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
757 unsigned char randomdata[16];
762 result = isc_entropy_getdata(tctx->ectx,
766 if (result != ISC_R_SUCCESS)
769 for (i = 0, j = 0; i < sizeof(randomdata); i++) {
770 unsigned char val = randomdata[i];
771 randomtext[j++] = hexdigits[val >> 4];
772 randomtext[j++] = hexdigits[val & 0xF];
774 isc_buffer_init(&b, randomtext, sizeof(randomtext));
775 isc_buffer_add(&b, sizeof(randomtext));
776 result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
777 if (result != ISC_R_SUCCESS)
781 if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
782 /* Yup. This is a hack */
783 result = dns_name_concatenate(keyname, dns_rootname,
785 if (result != ISC_R_SUCCESS)
788 result = dns_name_concatenate(keyname, tctx->domain,
790 if (result != ISC_R_SUCCESS)
794 result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
796 if (result == ISC_R_SUCCESS) {
797 tkeyout.error = dns_tsigerror_badname;
798 dns_tsigkey_detach(&tsigkey);
799 goto failure_with_tkey;
800 } else if (result != ISC_R_NOTFOUND)
805 switch (tkeyin.mode) {
806 case DNS_TKEYMODE_DIFFIEHELLMAN:
807 tkeyout.error = dns_rcode_noerror;
808 RETERR(process_dhtkey(msg, signer, keyname, &tkeyin,
809 tctx, &tkeyout, ring,
812 case DNS_TKEYMODE_GSSAPI:
813 tkeyout.error = dns_rcode_noerror;
814 RETERR(process_gsstkey(keyname, &tkeyin, tctx,
817 case DNS_TKEYMODE_DELETE:
818 tkeyout.error = dns_rcode_noerror;
819 RETERR(process_deletetkey(signer, keyname, &tkeyin,
822 case DNS_TKEYMODE_SERVERASSIGNED:
823 case DNS_TKEYMODE_RESOLVERASSIGNED:
824 result = DNS_R_NOTIMP;
827 tkeyout.error = dns_tsigerror_badmode;
831 dns_rdata_init(&rdata);
832 isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
833 result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
834 tkeyout.common.rdtype, &tkeyout,
838 dns_rdata_freestruct(&tkeyin);
839 freetkeyin = ISC_FALSE;
842 if (tkeyout.key != NULL)
843 isc_mem_put(tkeyout.mctx, tkeyout.key, tkeyout.keylen);
844 if (tkeyout.other != NULL)
845 isc_mem_put(tkeyout.mctx, tkeyout.other, tkeyout.otherlen);
846 if (result != ISC_R_SUCCESS)
849 RETERR(add_rdata_to_list(msg, keyname, &rdata, 0, &namelist));
851 RETERR(dns_message_reply(msg, ISC_TRUE));
853 name = ISC_LIST_HEAD(namelist);
854 while (name != NULL) {
855 dns_name_t *next = ISC_LIST_NEXT(name, link);
856 ISC_LIST_UNLINK(namelist, name, link);
857 dns_message_addname(msg, name, DNS_SECTION_ANSWER);
861 return (ISC_R_SUCCESS);
865 dns_rdata_freestruct(&tkeyin);
866 if (!ISC_LIST_EMPTY(namelist))
867 free_namelist(msg, &namelist);
872 buildquery(dns_message_t *msg, dns_name_t *name,
873 dns_rdata_tkey_t *tkey, isc_boolean_t win2k)
875 dns_name_t *qname = NULL, *aname = NULL;
876 dns_rdataset_t *question = NULL, *tkeyset = NULL;
877 dns_rdatalist_t *tkeylist = NULL;
878 dns_rdata_t *rdata = NULL;
879 isc_buffer_t *dynbuf = NULL, *anamebuf = NULL, *qnamebuf = NULL;
883 REQUIRE(msg != NULL);
884 REQUIRE(name != NULL);
885 REQUIRE(tkey != NULL);
887 RETERR(dns_message_gettempname(msg, &qname));
888 RETERR(dns_message_gettempname(msg, &aname));
890 RETERR(dns_message_gettemprdataset(msg, &question));
891 dns_rdataset_init(question);
892 dns_rdataset_makequestion(question, dns_rdataclass_any,
895 len = 16 + tkey->algorithm.length + tkey->keylen + tkey->otherlen;
896 RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, len));
897 RETERR(isc_buffer_allocate(msg->mctx, &anamebuf, name->length));
898 RETERR(isc_buffer_allocate(msg->mctx, &qnamebuf, name->length));
899 RETERR(dns_message_gettemprdata(msg, &rdata));
901 RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
902 dns_rdatatype_tkey, tkey, dynbuf));
903 dns_message_takebuffer(msg, &dynbuf);
905 RETERR(dns_message_gettemprdatalist(msg, &tkeylist));
906 tkeylist->rdclass = dns_rdataclass_any;
907 tkeylist->type = dns_rdatatype_tkey;
908 ISC_LIST_APPEND(tkeylist->rdata, rdata, link);
910 RETERR(dns_message_gettemprdataset(msg, &tkeyset));
911 dns_rdataset_init(tkeyset);
912 RETERR(dns_rdatalist_tordataset(tkeylist, tkeyset));
914 dns_name_init(qname, NULL);
915 RETERR(dns_name_copy(name, qname, qnamebuf));
917 dns_name_init(aname, NULL);
918 RETERR(dns_name_copy(name, aname, anamebuf));
920 ISC_LIST_APPEND(qname->list, question, link);
921 ISC_LIST_APPEND(aname->list, tkeyset, link);
923 dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
924 dns_message_takebuffer(msg, &qnamebuf);
927 * Windows 2000 needs this in the answer section, not the additional
928 * section where the RFC specifies.
931 dns_message_addname(msg, aname, DNS_SECTION_ANSWER);
933 dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
934 dns_message_takebuffer(msg, &anamebuf);
936 return (ISC_R_SUCCESS);
940 dns_message_puttempname(msg, &qname);
942 dns_message_puttempname(msg, &aname);
943 if (question != NULL) {
944 dns_rdataset_disassociate(question);
945 dns_message_puttemprdataset(msg, &question);
948 isc_buffer_free(&dynbuf);
949 if (qnamebuf != NULL)
950 isc_buffer_free(&qnamebuf);
951 if (anamebuf != NULL)
952 isc_buffer_free(&anamebuf);
957 dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
958 dns_name_t *algorithm, isc_buffer_t *nonce,
959 isc_uint32_t lifetime)
961 dns_rdata_tkey_t tkey;
962 dns_rdata_t *rdata = NULL;
963 isc_buffer_t *dynbuf = NULL;
966 dns_namelist_t namelist;
970 REQUIRE(msg != NULL);
971 REQUIRE(key != NULL);
972 REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
973 REQUIRE(dst_key_isprivate(key));
974 REQUIRE(name != NULL);
975 REQUIRE(algorithm != NULL);
977 tkey.common.rdclass = dns_rdataclass_any;
978 tkey.common.rdtype = dns_rdatatype_tkey;
979 ISC_LINK_INIT(&tkey.common, link);
980 tkey.mctx = msg->mctx;
981 dns_name_init(&tkey.algorithm, NULL);
982 dns_name_clone(algorithm, &tkey.algorithm);
983 isc_stdtime_get(&now);
984 tkey.inception = now;
985 tkey.expire = now + lifetime;
986 tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
988 isc_buffer_usedregion(nonce, &r);
995 tkey.keylen = r.length;
999 RETERR(buildquery(msg, name, &tkey, ISC_FALSE));
1001 RETERR(dns_message_gettemprdata(msg, &rdata));
1002 RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
1003 RETERR(dst_key_todns(key, dynbuf));
1004 isc_buffer_usedregion(dynbuf, &r);
1005 dns_rdata_fromregion(rdata, dns_rdataclass_any,
1006 dns_rdatatype_key, &r);
1007 dns_message_takebuffer(msg, &dynbuf);
1009 dns_name_init(&keyname, NULL);
1010 dns_name_clone(dst_key_name(key), &keyname);
1012 ISC_LIST_INIT(namelist);
1013 RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
1014 name = ISC_LIST_HEAD(namelist);
1015 while (name != NULL) {
1016 dns_name_t *next = ISC_LIST_NEXT(name, link);
1017 ISC_LIST_UNLINK(namelist, name, link);
1018 dns_message_addname(msg, name, DNS_SECTION_ADDITIONAL);
1022 return (ISC_R_SUCCESS);
1027 isc_buffer_free(&dynbuf);
1032 dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
1033 isc_buffer_t *intoken, isc_uint32_t lifetime,
1034 gss_ctx_id_t *context, isc_boolean_t win2k,
1035 isc_mem_t *mctx, char **err_message)
1037 dns_rdata_tkey_t tkey;
1038 isc_result_t result;
1041 unsigned char array[TEMP_BUFFER_SZ];
1045 REQUIRE(msg != NULL);
1046 REQUIRE(name != NULL);
1047 REQUIRE(gname != NULL);
1048 REQUIRE(context != NULL);
1049 REQUIRE(mctx != NULL);
1051 isc_buffer_init(&token, array, sizeof(array));
1052 result = dst_gssapi_initctx(gname, NULL, &token, context,
1054 if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
1057 tkey.common.rdclass = dns_rdataclass_any;
1058 tkey.common.rdtype = dns_rdatatype_tkey;
1059 ISC_LINK_INIT(&tkey.common, link);
1061 dns_name_init(&tkey.algorithm, NULL);
1064 dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
1066 dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
1068 isc_stdtime_get(&now);
1069 tkey.inception = now;
1070 tkey.expire = now + lifetime;
1071 tkey.mode = DNS_TKEYMODE_GSSAPI;
1073 tkey.key = isc_buffer_base(&token);
1074 tkey.keylen = isc_buffer_usedlength(&token);
1078 return (buildquery(msg, name, &tkey, win2k));
1082 dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
1083 dns_rdata_tkey_t tkey;
1085 REQUIRE(msg != NULL);
1086 REQUIRE(key != NULL);
1088 tkey.common.rdclass = dns_rdataclass_any;
1089 tkey.common.rdtype = dns_rdatatype_tkey;
1090 ISC_LINK_INIT(&tkey.common, link);
1091 tkey.mctx = msg->mctx;
1092 dns_name_init(&tkey.algorithm, NULL);
1093 dns_name_clone(key->algorithm, &tkey.algorithm);
1094 tkey.inception = tkey.expire = 0;
1095 tkey.mode = DNS_TKEYMODE_DELETE;
1097 tkey.keylen = tkey.otherlen = 0;
1098 tkey.key = tkey.other = NULL;
1100 return (buildquery(msg, &key->name, &tkey, ISC_FALSE));
1104 find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
1107 dns_rdataset_t *tkeyset;
1108 isc_result_t result;
1110 result = dns_message_firstname(msg, section);
1111 while (result == ISC_R_SUCCESS) {
1113 dns_message_currentname(msg, section, name);
1115 result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
1117 if (result == ISC_R_SUCCESS) {
1118 result = dns_rdataset_first(tkeyset);
1119 if (result != ISC_R_SUCCESS)
1121 dns_rdataset_current(tkeyset, rdata);
1122 return (ISC_R_SUCCESS);
1124 result = dns_message_nextname(msg, section);
1126 if (result == ISC_R_NOMORE)
1127 return (ISC_R_NOTFOUND);
1132 dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
1133 dst_key_t *key, isc_buffer_t *nonce,
1134 dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
1136 dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
1137 dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
1138 dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
1139 dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
1140 dst_key_t *theirkey = NULL;
1141 dns_rdata_tkey_t qtkey, rtkey;
1142 unsigned char secretdata[256];
1143 unsigned int sharedsize;
1144 isc_buffer_t *shared = NULL, secret;
1146 isc_result_t result;
1147 isc_boolean_t freertkey = ISC_FALSE;
1149 REQUIRE(qmsg != NULL);
1150 REQUIRE(rmsg != NULL);
1151 REQUIRE(key != NULL);
1152 REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
1153 REQUIRE(dst_key_isprivate(key));
1155 REQUIRE(*outkey == NULL);
1157 if (rmsg->rcode != dns_rcode_noerror)
1158 return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
1159 RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
1160 RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
1161 freertkey = ISC_TRUE;
1163 RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
1164 DNS_SECTION_ADDITIONAL));
1165 RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
1167 if (rtkey.error != dns_rcode_noerror ||
1168 rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
1169 rtkey.mode != qtkey.mode ||
1170 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
1171 rmsg->rcode != dns_rcode_noerror) {
1172 tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
1174 result = DNS_R_INVALIDTKEY;
1175 dns_rdata_freestruct(&qtkey);
1179 dns_rdata_freestruct(&qtkey);
1181 dns_name_init(&keyname, NULL);
1182 dns_name_clone(dst_key_name(key), &keyname);
1186 RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
1187 dns_rdatatype_key, 0, &ourkeyname,
1190 result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
1191 while (result == ISC_R_SUCCESS) {
1192 theirkeyname = NULL;
1193 dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
1195 if (dns_name_equal(theirkeyname, ourkeyname))
1198 result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
1200 if (result == ISC_R_SUCCESS) {
1201 RETERR(dns_rdataset_first(theirkeyset));
1205 result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
1208 if (theirkeyset == NULL) {
1209 tkey_log("dns_tkey_processdhresponse: failed to find server "
1211 result = ISC_R_NOTFOUND;
1215 dns_rdataset_current(theirkeyset, &theirkeyrdata);
1216 RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata,
1217 rmsg->mctx, &theirkey));
1219 RETERR(dst_key_secretsize(key, &sharedsize));
1220 RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize));
1222 RETERR(dst_key_computesecret(theirkey, key, shared));
1224 isc_buffer_init(&secret, secretdata, sizeof(secretdata));
1227 r.length = rtkey.keylen;
1229 isc_buffer_usedregion(nonce, &r2);
1234 RETERR(compute_secret(shared, &r2, &r, &secret));
1236 isc_buffer_usedregion(&secret, &r);
1237 result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
1238 r.base, r.length, ISC_TRUE,
1239 NULL, rtkey.inception, rtkey.expire,
1240 rmsg->mctx, ring, outkey);
1241 isc_buffer_free(&shared);
1242 dns_rdata_freestruct(&rtkey);
1243 dst_key_free(&theirkey);
1248 isc_buffer_free(&shared);
1250 if (theirkey != NULL)
1251 dst_key_free(&theirkey);
1254 dns_rdata_freestruct(&rtkey);
1260 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
1261 dns_name_t *gname, gss_ctx_id_t *context,
1262 isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
1263 dns_tsig_keyring_t *ring, char **err_message)
1265 dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
1266 dns_name_t *tkeyname;
1267 dns_rdata_tkey_t rtkey, qtkey;
1268 dst_key_t *dstkey = NULL;
1269 isc_buffer_t intoken;
1270 isc_result_t result;
1271 unsigned char array[1024];
1273 REQUIRE(outtoken != NULL);
1274 REQUIRE(qmsg != NULL);
1275 REQUIRE(rmsg != NULL);
1276 REQUIRE(gname != NULL);
1277 REQUIRE(ring != NULL);
1279 REQUIRE(*outkey == NULL);
1281 if (rmsg->rcode != dns_rcode_noerror)
1282 return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
1283 RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
1284 RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
1287 * Win2k puts the item in the ANSWER section, while the RFC
1288 * specifies it should be in the ADDITIONAL section. Check first
1289 * where it should be, and then where it may be.
1291 result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
1292 DNS_SECTION_ADDITIONAL);
1293 if (result == ISC_R_NOTFOUND)
1294 result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
1295 DNS_SECTION_ANSWER);
1296 if (result != ISC_R_SUCCESS)
1299 RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
1301 if (rtkey.error != dns_rcode_noerror ||
1302 rtkey.mode != DNS_TKEYMODE_GSSAPI ||
1303 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm)) {
1304 tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
1305 "or error set(2) %d", rtkey.error);
1308 result = DNS_R_INVALIDTKEY;
1312 isc_buffer_init(outtoken, array, sizeof(array));
1313 isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
1314 RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context,
1315 ring->mctx, err_message));
1317 RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
1320 RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
1321 dstkey, ISC_FALSE, NULL,
1322 rtkey.inception, rtkey.expire,
1323 ring->mctx, ring, outkey));
1324 dst_key_free(&dstkey);
1325 dns_rdata_freestruct(&rtkey);
1330 * XXXSRA This probably leaks memory from rtkey and qtkey.
1333 dst_key_free(&dstkey);
1338 dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
1339 dns_tsig_keyring_t *ring)
1341 dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
1342 dns_name_t *tkeyname, *tempname;
1343 dns_rdata_tkey_t qtkey, rtkey;
1344 dns_tsigkey_t *tsigkey = NULL;
1345 isc_result_t result;
1347 REQUIRE(qmsg != NULL);
1348 REQUIRE(rmsg != NULL);
1350 if (rmsg->rcode != dns_rcode_noerror)
1351 return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
1353 RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
1354 RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
1356 RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
1357 DNS_SECTION_ADDITIONAL));
1358 RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
1360 if (rtkey.error != dns_rcode_noerror ||
1361 rtkey.mode != DNS_TKEYMODE_DELETE ||
1362 rtkey.mode != qtkey.mode ||
1363 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
1364 rmsg->rcode != dns_rcode_noerror) {
1365 tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
1367 result = DNS_R_INVALIDTKEY;
1368 dns_rdata_freestruct(&qtkey);
1369 dns_rdata_freestruct(&rtkey);
1373 dns_rdata_freestruct(&qtkey);
1375 RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
1377 dns_rdata_freestruct(&rtkey);
1380 * Mark the key as deleted.
1382 dns_tsigkey_setdeleted(tsigkey);
1384 * Release the reference.
1386 dns_tsigkey_detach(&tsigkey);
1393 dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
1394 dns_name_t *server, gss_ctx_id_t *context,
1395 dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
1396 isc_boolean_t win2k, char **err_message)
1398 dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
1399 dns_name_t *tkeyname;
1400 dns_rdata_tkey_t rtkey, qtkey;
1401 isc_buffer_t intoken, outtoken;
1402 dst_key_t *dstkey = NULL;
1403 isc_result_t result;
1404 unsigned char array[1024];
1405 isc_boolean_t freertkey = ISC_FALSE;
1407 REQUIRE(qmsg != NULL);
1408 REQUIRE(rmsg != NULL);
1409 REQUIRE(server != NULL);
1411 REQUIRE(*outkey == NULL);
1413 if (rmsg->rcode != dns_rcode_noerror)
1414 return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
1416 RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
1417 RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
1418 freertkey = ISC_TRUE;
1420 if (win2k == ISC_TRUE)
1421 RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
1422 DNS_SECTION_ANSWER));
1424 RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
1425 DNS_SECTION_ADDITIONAL));
1427 RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
1429 if (rtkey.error != dns_rcode_noerror ||
1430 rtkey.mode != DNS_TKEYMODE_GSSAPI ||
1431 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
1433 tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
1435 result = DNS_R_INVALIDTKEY;
1439 isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
1440 isc_buffer_init(&outtoken, array, sizeof(array));
1442 result = dst_gssapi_initctx(server, &intoken, &outtoken, context,
1443 ring->mctx, err_message);
1444 if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
1447 RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
1451 * XXXSRA This seems confused. If we got CONTINUE from initctx,
1452 * the GSS negotiation hasn't completed yet, so we can't sign
1456 RETERR(dns_tsigkey_createfromkey(tkeyname,
1458 ? DNS_TSIG_GSSAPIMS_NAME
1459 : DNS_TSIG_GSSAPI_NAME),
1460 dstkey, ISC_TRUE, NULL,
1461 rtkey.inception, rtkey.expire,
1462 ring->mctx, ring, outkey));
1463 dst_key_free(&dstkey);
1464 dns_rdata_freestruct(&rtkey);
1469 * XXXSRA This probably leaks memory from qtkey.
1472 dns_rdata_freestruct(&rtkey);
1474 dst_key_free(&dstkey);