2 * Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
19 * $Id: tsig.c,v 1.136.18.5 2010-12-09 01:12:55 marka Exp $
25 #include <isc/buffer.h>
27 #include <isc/print.h>
28 #include <isc/refcount.h>
29 #include <isc/serial.h>
30 #include <isc/string.h> /* Required for HP/UX (and others?) */
34 #include <dns/keyvalues.h>
36 #include <dns/message.h>
37 #include <dns/fixedname.h>
39 #include <dns/rdata.h>
40 #include <dns/rdatalist.h>
41 #include <dns/rdataset.h>
42 #include <dns/rdatastruct.h>
43 #include <dns/result.h>
46 #include <dst/result.h>
48 #define TSIG_MAGIC ISC_MAGIC('T', 'S', 'I', 'G')
49 #define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
51 #ifndef DNS_TSIG_MAXGENERATEDKEYS
52 #define DNS_TSIG_MAXGENERATEDKEYS 4096
55 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
56 #define algname_is_allocated(algname) \
57 ((algname) != dns_tsig_hmacmd5_name && \
58 (algname) != dns_tsig_hmacsha1_name && \
59 (algname) != dns_tsig_hmacsha224_name && \
60 (algname) != dns_tsig_hmacsha256_name && \
61 (algname) != dns_tsig_hmacsha384_name && \
62 (algname) != dns_tsig_hmacsha512_name && \
63 (algname) != dns_tsig_gssapi_name && \
64 (algname) != dns_tsig_gssapims_name)
68 static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
69 static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
71 static dns_name_t hmacmd5 = {
74 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
75 hmacmd5_offsets, NULL,
76 {(void *)-1, (void *)-1},
80 dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
82 static unsigned char gsstsig_ndata[] = "\010gss-tsig";
83 static unsigned char gsstsig_offsets[] = { 0, 9 };
84 static dns_name_t gsstsig = {
87 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
88 gsstsig_offsets, NULL,
89 {(void *)-1, (void *)-1},
92 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
95 remove_fromring(dns_tsigkey_t *tkey) {
96 if (tkey->generated) {
97 ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
98 tkey->ring->generated--;
100 (void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, ISC_FALSE);
104 adjust_lru(dns_tsigkey_t *tkey) {
105 if (tkey->generated) {
106 RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
108 * We may have been removed from the LRU list between
109 * removing the read lock and aquiring the write lock.
111 if (ISC_LINK_LINKED(tkey, link)) {
112 ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
113 ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
115 RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
120 * Since Microsoft doesn't follow its own standard, we will use this
121 * alternate name as a second guess.
123 static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
124 static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
125 static dns_name_t gsstsigms = {
127 gsstsigms_ndata, 19, 4,
128 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
129 gsstsigms_offsets, NULL,
130 {(void *)-1, (void *)-1},
133 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
135 static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
136 static unsigned char hmacsha1_offsets[] = { 0, 10 };
138 static dns_name_t hmacsha1 = {
140 hmacsha1_ndata, 11, 2,
141 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
142 hmacsha1_offsets, NULL,
143 {(void *)-1, (void *)-1},
147 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
149 static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
150 static unsigned char hmacsha224_offsets[] = { 0, 12 };
152 static dns_name_t hmacsha224 = {
154 hmacsha224_ndata, 13, 2,
155 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
156 hmacsha224_offsets, NULL,
157 {(void *)-1, (void *)-1},
161 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
163 static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
164 static unsigned char hmacsha256_offsets[] = { 0, 12 };
166 static dns_name_t hmacsha256 = {
168 hmacsha256_ndata, 13, 2,
169 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
170 hmacsha256_offsets, NULL,
171 {(void *)-1, (void *)-1},
175 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
177 static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
178 static unsigned char hmacsha384_offsets[] = { 0, 12 };
180 static dns_name_t hmacsha384 = {
182 hmacsha384_ndata, 13, 2,
183 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
184 hmacsha384_offsets, NULL,
185 {(void *)-1, (void *)-1},
189 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
191 static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
192 static unsigned char hmacsha512_offsets[] = { 0, 12 };
194 static dns_name_t hmacsha512 = {
196 hmacsha512_ndata, 13, 2,
197 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
198 hmacsha512_offsets, NULL,
199 {(void *)-1, (void *)-1},
203 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
206 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
209 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
210 ISC_FORMAT_PRINTF(3, 4);
213 cleanup_ring(dns_tsig_keyring_t *ring);
215 tsigkey_free(dns_tsigkey_t *key);
218 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
221 char namestr[DNS_NAME_FORMATSIZE];
222 char creatorstr[DNS_NAME_FORMATSIZE];
224 if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
227 dns_name_format(&key->name, namestr, sizeof(namestr));
229 strcpy(namestr, "<null>");
231 if (key != NULL && key->generated)
232 dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
235 vsnprintf(message, sizeof(message), fmt, ap);
237 if (key != NULL && key->generated)
238 isc_log_write(dns_lctx,
239 DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
240 level, "tsig key '%s' (%s): %s",
241 namestr, creatorstr, message);
243 isc_log_write(dns_lctx,
244 DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
245 level, "tsig key '%s': %s", namestr, message);
249 dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
250 dst_key_t *dstkey, isc_boolean_t generated,
251 dns_name_t *creator, isc_stdtime_t inception,
252 isc_stdtime_t expire, isc_mem_t *mctx,
253 dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
257 unsigned int refs = 0;
259 REQUIRE(key == NULL || *key == NULL);
260 REQUIRE(name != NULL);
261 REQUIRE(algorithm != NULL);
262 REQUIRE(mctx != NULL);
263 REQUIRE(key != NULL || ring != NULL);
265 tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
267 return (ISC_R_NOMEMORY);
269 dns_name_init(&tkey->name, NULL);
270 ret = dns_name_dup(name, mctx, &tkey->name);
271 if (ret != ISC_R_SUCCESS)
273 (void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
275 if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
276 tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
277 if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
281 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
282 tkey->algorithm = DNS_TSIG_HMACSHA1_NAME;
283 if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACSHA1) {
287 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
288 tkey->algorithm = DNS_TSIG_HMACSHA224_NAME;
289 if (dstkey != NULL &&
290 dst_key_alg(dstkey) != DST_ALG_HMACSHA224) {
294 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
295 tkey->algorithm = DNS_TSIG_HMACSHA256_NAME;
296 if (dstkey != NULL &&
297 dst_key_alg(dstkey) != DST_ALG_HMACSHA256) {
301 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
302 tkey->algorithm = DNS_TSIG_HMACSHA384_NAME;
303 if (dstkey != NULL &&
304 dst_key_alg(dstkey) != DST_ALG_HMACSHA384) {
308 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
309 tkey->algorithm = DNS_TSIG_HMACSHA512_NAME;
310 if (dstkey != NULL &&
311 dst_key_alg(dstkey) != DST_ALG_HMACSHA512) {
315 } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
316 tkey->algorithm = DNS_TSIG_GSSAPI_NAME;
317 if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
321 } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
322 tkey->algorithm = DNS_TSIG_GSSAPIMS_NAME;
323 if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
328 if (dstkey != NULL) {
332 tkey->algorithm = isc_mem_get(mctx, sizeof(dns_name_t));
333 if (tkey->algorithm == NULL) {
334 ret = ISC_R_NOMEMORY;
337 dns_name_init(tkey->algorithm, NULL);
338 ret = dns_name_dup(algorithm, mctx, tkey->algorithm);
339 if (ret != ISC_R_SUCCESS)
340 goto cleanup_algorithm;
341 (void)dns_name_downcase(tkey->algorithm, tkey->algorithm,
345 if (creator != NULL) {
346 tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
347 if (tkey->creator == NULL) {
348 ret = ISC_R_NOMEMORY;
349 goto cleanup_algorithm;
351 dns_name_init(tkey->creator, NULL);
352 ret = dns_name_dup(creator, mctx, tkey->creator);
353 if (ret != ISC_R_SUCCESS) {
354 isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
355 goto cleanup_algorithm;
358 tkey->creator = NULL;
362 dst_key_attach(dstkey, &tkey->key);
369 ret = isc_refcount_init(&tkey->refs, refs);
370 if (ret != ISC_R_SUCCESS)
371 goto cleanup_creator;
373 tkey->generated = generated;
374 tkey->inception = inception;
375 tkey->expire = expire;
377 isc_mem_attach(mctx, &tkey->mctx);
379 tkey->magic = TSIG_MAGIC;
382 RWLOCK(&ring->lock, isc_rwlocktype_write);
386 * Do on the fly cleaning. Find some nodes we might not
387 * want around any more.
389 if (ring->writecount > 10) {
391 ring->writecount = 0;
394 ret = dns_rbt_addname(ring->keys, name, tkey);
395 if (ret != ISC_R_SUCCESS) {
396 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
400 if (tkey->generated) {
402 * Add the new key to the LRU list and remove the
403 * least recently used key if there are too many
406 ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
407 if (ring->generated++ > ring->maxgenerated)
408 remove_fromring(ISC_LIST_HEAD(ring->lru));
411 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
415 * Ignore this if it's a GSS key, since the key size is meaningless.
417 if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
418 !dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME) &&
419 !dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
420 char namestr[DNS_NAME_FORMATSIZE];
421 dns_name_format(name, namestr, sizeof(namestr));
422 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
423 DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
424 "the key '%s' is too short to be secure",
430 return (ISC_R_SUCCESS);
435 isc_refcount_decrement(&tkey->refs, NULL);
436 isc_refcount_destroy(&tkey->refs);
438 if (tkey->key != NULL)
439 dst_key_free(&tkey->key);
440 if (tkey->creator != NULL) {
441 dns_name_free(tkey->creator, mctx);
442 isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
445 if (algname_is_allocated(tkey->algorithm)) {
446 if (dns_name_dynamic(tkey->algorithm))
447 dns_name_free(tkey->algorithm, mctx);
448 isc_mem_put(mctx, tkey->algorithm, sizeof(dns_name_t));
451 dns_name_free(&tkey->name, mctx);
453 isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
459 * Find a few nodes to destroy if possible.
462 cleanup_ring(dns_tsig_keyring_t *ring)
465 dns_rbtnodechain_t chain;
466 dns_name_t foundname;
467 dns_fixedname_t fixedorigin;
474 * Start up a new iterator each time.
476 isc_stdtime_get(&now);
477 dns_name_init(&foundname, NULL);
478 dns_fixedname_init(&fixedorigin);
479 origin = dns_fixedname_name(&fixedorigin);
482 dns_rbtnodechain_init(&chain, ring->mctx);
483 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
485 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
486 dns_rbtnodechain_invalidate(&chain);
492 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
496 && isc_refcount_current(&tkey->refs) == 1
497 && tkey->inception != tkey->expire
498 && tkey->expire < now) {
499 tsig_log(tkey, 2, "tsig expire: deleting");
501 dns_rbtnodechain_invalidate(&chain);
502 remove_fromring(tkey);
506 result = dns_rbtnodechain_next(&chain, &foundname,
508 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
509 dns_rbtnodechain_invalidate(&chain);
516 dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
517 unsigned char *secret, int length, isc_boolean_t generated,
518 dns_name_t *creator, isc_stdtime_t inception,
519 isc_stdtime_t expire, isc_mem_t *mctx,
520 dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
522 dst_key_t *dstkey = NULL;
525 REQUIRE(length >= 0);
527 REQUIRE(secret != NULL);
529 if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
530 if (secret != NULL) {
533 isc_buffer_init(&b, secret, length);
534 isc_buffer_add(&b, length);
535 result = dst_key_frombuffer(name, DST_ALG_HMACMD5,
540 if (result != ISC_R_SUCCESS)
543 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
544 if (secret != NULL) {
547 isc_buffer_init(&b, secret, length);
548 isc_buffer_add(&b, length);
549 result = dst_key_frombuffer(name, DST_ALG_HMACSHA1,
554 if (result != ISC_R_SUCCESS)
557 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
558 if (secret != NULL) {
561 isc_buffer_init(&b, secret, length);
562 isc_buffer_add(&b, length);
563 result = dst_key_frombuffer(name, DST_ALG_HMACSHA224,
568 if (result != ISC_R_SUCCESS)
571 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
572 if (secret != NULL) {
575 isc_buffer_init(&b, secret, length);
576 isc_buffer_add(&b, length);
577 result = dst_key_frombuffer(name, DST_ALG_HMACSHA256,
582 if (result != ISC_R_SUCCESS)
585 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
586 if (secret != NULL) {
589 isc_buffer_init(&b, secret, length);
590 isc_buffer_add(&b, length);
591 result = dst_key_frombuffer(name, DST_ALG_HMACSHA384,
596 if (result != ISC_R_SUCCESS)
599 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
600 if (secret != NULL) {
603 isc_buffer_init(&b, secret, length);
604 isc_buffer_add(&b, length);
605 result = dst_key_frombuffer(name, DST_ALG_HMACSHA512,
610 if (result != ISC_R_SUCCESS)
613 } else if (length > 0)
614 return (DNS_R_BADALG);
616 result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
618 inception, expire, mctx, ring, key);
620 dst_key_free(&dstkey);
625 dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
626 REQUIRE(VALID_TSIG_KEY(source));
627 REQUIRE(targetp != NULL && *targetp == NULL);
629 isc_refcount_increment(&source->refs, NULL);
634 tsigkey_free(dns_tsigkey_t *key) {
635 REQUIRE(VALID_TSIG_KEY(key));
638 dns_name_free(&key->name, key->mctx);
639 if (algname_is_allocated(key->algorithm)) {
640 dns_name_free(key->algorithm, key->mctx);
641 isc_mem_put(key->mctx, key->algorithm, sizeof(dns_name_t));
643 if (key->key != NULL)
644 dst_key_free(&key->key);
645 if (key->creator != NULL) {
646 dns_name_free(key->creator, key->mctx);
647 isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
649 isc_refcount_destroy(&key->refs);
650 isc_mem_putanddetach(&key->mctx, key, sizeof(dns_tsigkey_t));
654 dns_tsigkey_detach(dns_tsigkey_t **keyp) {
658 REQUIRE(keyp != NULL);
659 REQUIRE(VALID_TSIG_KEY(*keyp));
662 isc_refcount_decrement(&key->refs, &refs);
671 dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
672 REQUIRE(VALID_TSIG_KEY(key));
673 REQUIRE(key->ring != NULL);
675 RWLOCK(&key->ring->lock, isc_rwlocktype_write);
676 remove_fromring(key);
677 RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
681 dns_tsig_sign(dns_message_t *msg) {
683 dns_rdata_any_tsig_t tsig, querytsig;
684 unsigned char data[128];
685 isc_buffer_t databuf, sigbuf;
686 isc_buffer_t *dynbuf;
688 dns_rdata_t *rdata = NULL;
689 dns_rdatalist_t *datalist;
690 dns_rdataset_t *dataset;
694 dst_context_t *ctx = NULL;
696 unsigned char badtimedata[BADTIMELEN];
697 unsigned int sigsize = 0;
699 REQUIRE(msg != NULL);
700 REQUIRE(VALID_TSIG_KEY(dns_message_gettsigkey(msg)));
703 * If this is a response, there should be a query tsig.
705 if (is_response(msg) && msg->querytsig == NULL)
706 return (DNS_R_EXPECTEDTSIG);
711 key = dns_message_gettsigkey(msg);
714 tsig.common.rdclass = dns_rdataclass_any;
715 tsig.common.rdtype = dns_rdatatype_tsig;
716 ISC_LINK_INIT(&tsig.common, link);
717 dns_name_init(&tsig.algorithm, NULL);
718 dns_name_clone(key->algorithm, &tsig.algorithm);
720 isc_stdtime_get(&now);
721 tsig.timesigned = now + msg->timeadjust;
722 tsig.fudge = DNS_TSIG_FUDGE;
724 tsig.originalid = msg->id;
726 isc_buffer_init(&databuf, data, sizeof(data));
728 if (is_response(msg))
729 tsig.error = msg->querytsigstatus;
731 tsig.error = dns_rcode_noerror;
733 if (tsig.error != dns_tsigerror_badtime) {
737 isc_buffer_t otherbuf;
739 tsig.otherlen = BADTIMELEN;
740 tsig.other = badtimedata;
741 isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
742 isc_buffer_putuint48(&otherbuf, tsig.timesigned);
745 if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
746 unsigned char header[DNS_MESSAGE_HEADERLEN];
747 isc_buffer_t headerbuf;
748 isc_uint16_t digestbits;
750 ret = dst_context_create(key->key, mctx, &ctx);
751 if (ret != ISC_R_SUCCESS)
755 * If this is a response, digest the query signature.
757 if (is_response(msg)) {
758 dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
760 ret = dns_rdataset_first(msg->querytsig);
761 if (ret != ISC_R_SUCCESS)
762 goto cleanup_context;
763 dns_rdataset_current(msg->querytsig, &querytsigrdata);
764 ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
766 if (ret != ISC_R_SUCCESS)
767 goto cleanup_context;
768 isc_buffer_putuint16(&databuf, querytsig.siglen);
769 if (isc_buffer_availablelength(&databuf) <
772 goto cleanup_context;
774 isc_buffer_putmem(&databuf, querytsig.signature,
776 isc_buffer_usedregion(&databuf, &r);
777 ret = dst_context_adddata(ctx, &r);
778 if (ret != ISC_R_SUCCESS)
779 goto cleanup_context;
785 isc_buffer_init(&headerbuf, header, sizeof(header));
786 dns_message_renderheader(msg, &headerbuf);
787 isc_buffer_usedregion(&headerbuf, &r);
788 ret = dst_context_adddata(ctx, &r);
789 if (ret != ISC_R_SUCCESS)
790 goto cleanup_context;
793 * Digest the remainder of the message.
795 isc_buffer_usedregion(msg->buffer, &r);
796 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
797 ret = dst_context_adddata(ctx, &r);
798 if (ret != ISC_R_SUCCESS)
799 goto cleanup_context;
801 if (msg->tcp_continuation == 0) {
803 * Digest the name, class, ttl, alg.
805 dns_name_toregion(&key->name, &r);
806 ret = dst_context_adddata(ctx, &r);
807 if (ret != ISC_R_SUCCESS)
808 goto cleanup_context;
810 isc_buffer_clear(&databuf);
811 isc_buffer_putuint16(&databuf, dns_rdataclass_any);
812 isc_buffer_putuint32(&databuf, 0); /* ttl */
813 isc_buffer_usedregion(&databuf, &r);
814 ret = dst_context_adddata(ctx, &r);
815 if (ret != ISC_R_SUCCESS)
816 goto cleanup_context;
818 dns_name_toregion(&tsig.algorithm, &r);
819 ret = dst_context_adddata(ctx, &r);
820 if (ret != ISC_R_SUCCESS)
821 goto cleanup_context;
824 /* Digest the timesigned and fudge */
825 isc_buffer_clear(&databuf);
826 if (tsig.error == dns_tsigerror_badtime)
827 tsig.timesigned = querytsig.timesigned;
828 isc_buffer_putuint48(&databuf, tsig.timesigned);
829 isc_buffer_putuint16(&databuf, tsig.fudge);
830 isc_buffer_usedregion(&databuf, &r);
831 ret = dst_context_adddata(ctx, &r);
832 if (ret != ISC_R_SUCCESS)
833 goto cleanup_context;
835 if (msg->tcp_continuation == 0) {
837 * Digest the error and other data length.
839 isc_buffer_clear(&databuf);
840 isc_buffer_putuint16(&databuf, tsig.error);
841 isc_buffer_putuint16(&databuf, tsig.otherlen);
843 isc_buffer_usedregion(&databuf, &r);
844 ret = dst_context_adddata(ctx, &r);
845 if (ret != ISC_R_SUCCESS)
846 goto cleanup_context;
849 * Digest the error and other data.
851 if (tsig.otherlen > 0) {
852 r.length = tsig.otherlen;
854 ret = dst_context_adddata(ctx, &r);
855 if (ret != ISC_R_SUCCESS)
856 goto cleanup_context;
860 ret = dst_key_sigsize(key->key, &sigsize);
861 if (ret != ISC_R_SUCCESS)
862 goto cleanup_context;
863 tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
864 if (tsig.signature == NULL) {
865 ret = ISC_R_NOMEMORY;
866 goto cleanup_context;
869 isc_buffer_init(&sigbuf, tsig.signature, sigsize);
870 ret = dst_context_sign(ctx, &sigbuf);
871 if (ret != ISC_R_SUCCESS)
872 goto cleanup_signature;
873 dst_context_destroy(&ctx);
874 digestbits = dst_key_getbits(key->key);
875 if (digestbits != 0) {
876 unsigned int bytes = (digestbits + 1) / 8;
877 if (is_response(msg) && bytes < querytsig.siglen)
878 bytes = querytsig.siglen;
879 if (bytes > isc_buffer_usedlength(&sigbuf))
880 bytes = isc_buffer_usedlength(&sigbuf);
883 tsig.siglen = isc_buffer_usedlength(&sigbuf);
886 tsig.signature = NULL;
889 ret = dns_message_gettemprdata(msg, &rdata);
890 if (ret != ISC_R_SUCCESS)
891 goto cleanup_signature;
892 ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
893 if (ret != ISC_R_SUCCESS)
895 ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
896 dns_rdatatype_tsig, &tsig, dynbuf);
897 if (ret != ISC_R_SUCCESS)
900 dns_message_takebuffer(msg, &dynbuf);
902 if (tsig.signature != NULL) {
903 isc_mem_put(mctx, tsig.signature, sigsize);
904 tsig.signature = NULL;
908 ret = dns_message_gettempname(msg, &owner);
909 if (ret != ISC_R_SUCCESS)
911 dns_name_init(owner, NULL);
912 ret = dns_name_dup(&key->name, msg->mctx, owner);
913 if (ret != ISC_R_SUCCESS)
917 ret = dns_message_gettemprdatalist(msg, &datalist);
918 if (ret != ISC_R_SUCCESS)
921 ret = dns_message_gettemprdataset(msg, &dataset);
922 if (ret != ISC_R_SUCCESS)
923 goto cleanup_rdatalist;
924 datalist->rdclass = dns_rdataclass_any;
925 datalist->type = dns_rdatatype_tsig;
926 datalist->covers = 0;
928 ISC_LIST_INIT(datalist->rdata);
929 ISC_LIST_APPEND(datalist->rdata, rdata, link);
930 dns_rdataset_init(dataset);
931 RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
934 msg->tsigname = owner;
936 /* Windows does not like the tsig name being compressed. */
937 msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
939 return (ISC_R_SUCCESS);
942 dns_message_puttemprdatalist(msg, &datalist);
944 dns_message_puttempname(msg, &owner);
947 isc_buffer_free(&dynbuf);
949 dns_message_puttemprdata(msg, &rdata);
951 if (tsig.signature != NULL)
952 isc_mem_put(mctx, tsig.signature, sigsize);
955 dst_context_destroy(&ctx);
960 dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
961 dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
963 dns_rdata_any_tsig_t tsig, querytsig;
964 isc_region_t r, source_r, header_r, sig_r;
965 isc_buffer_t databuf;
966 unsigned char data[32];
968 dns_rdata_t rdata = DNS_RDATA_INIT;
971 dns_tsigkey_t *tsigkey;
972 dst_key_t *key = NULL;
973 unsigned char header[DNS_MESSAGE_HEADERLEN];
974 dst_context_t *ctx = NULL;
976 isc_uint16_t addcount, id;
980 REQUIRE(source != NULL);
981 REQUIRE(DNS_MESSAGE_VALID(msg));
982 tsigkey = dns_message_gettsigkey(msg);
984 REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
986 msg->verify_attempted = 1;
988 if (msg->tcp_continuation) {
989 if (tsigkey == NULL || msg->querytsig == NULL)
990 return (DNS_R_UNEXPECTEDTSIG);
991 return (tsig_verify_tcp(source, msg));
995 * There should be a TSIG record...
997 if (msg->tsig == NULL)
998 return (DNS_R_EXPECTEDTSIG);
1001 * If this is a response and there's no key or query TSIG, there
1002 * shouldn't be one on the response.
1004 if (is_response(msg) &&
1005 (tsigkey == NULL || msg->querytsig == NULL))
1006 return (DNS_R_UNEXPECTEDTSIG);
1011 * If we're here, we know the message is well formed and contains a
1015 keyname = msg->tsigname;
1016 ret = dns_rdataset_first(msg->tsig);
1017 if (ret != ISC_R_SUCCESS)
1019 dns_rdataset_current(msg->tsig, &rdata);
1020 ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1021 if (ret != ISC_R_SUCCESS)
1023 dns_rdata_reset(&rdata);
1024 if (is_response(msg)) {
1025 ret = dns_rdataset_first(msg->querytsig);
1026 if (ret != ISC_R_SUCCESS)
1028 dns_rdataset_current(msg->querytsig, &rdata);
1029 ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
1030 if (ret != ISC_R_SUCCESS)
1035 * Do the key name and algorithm match that of the query?
1037 if (is_response(msg) &&
1038 (!dns_name_equal(keyname, &tsigkey->name) ||
1039 !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
1040 msg->tsigstatus = dns_tsigerror_badkey;
1041 tsig_log(msg->tsigkey, 2,
1042 "key name and algorithm do not match");
1043 return (DNS_R_TSIGVERIFYFAILURE);
1047 * Get the current time.
1049 isc_stdtime_get(&now);
1052 * Find dns_tsigkey_t based on keyname.
1054 if (tsigkey == NULL) {
1055 ret = ISC_R_NOTFOUND;
1057 ret = dns_tsigkey_find(&tsigkey, keyname,
1058 &tsig.algorithm, ring1);
1059 if (ret == ISC_R_NOTFOUND && ring2 != NULL)
1060 ret = dns_tsigkey_find(&tsigkey, keyname,
1061 &tsig.algorithm, ring2);
1062 if (ret != ISC_R_SUCCESS) {
1063 msg->tsigstatus = dns_tsigerror_badkey;
1064 ret = dns_tsigkey_create(keyname, &tsig.algorithm,
1065 NULL, 0, ISC_FALSE, NULL,
1067 mctx, NULL, &msg->tsigkey);
1068 if (ret != ISC_R_SUCCESS)
1070 tsig_log(msg->tsigkey, 2, "unknown key");
1071 return (DNS_R_TSIGVERIFYFAILURE);
1073 msg->tsigkey = tsigkey;
1081 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1082 msg->tsigstatus = dns_tsigerror_badtime;
1083 tsig_log(msg->tsigkey, 2, "signature has expired");
1084 return (DNS_R_CLOCKSKEW);
1085 } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
1086 msg->tsigstatus = dns_tsigerror_badtime;
1087 tsig_log(msg->tsigkey, 2, "signature is in the future");
1088 return (DNS_R_CLOCKSKEW);
1092 * Check digest length.
1094 alg = dst_key_alg(key);
1095 ret = dst_key_sigsize(key, &siglen);
1096 if (ret != ISC_R_SUCCESS)
1098 if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
1099 alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
1100 alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
1101 isc_uint16_t digestbits = dst_key_getbits(key);
1102 if (tsig.siglen > siglen) {
1103 tsig_log(msg->tsigkey, 2, "signature length to big");
1104 return (DNS_R_FORMERR);
1106 if (tsig.siglen > 0 &&
1107 (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
1108 tsig_log(msg->tsigkey, 2,
1109 "signature length below minimum");
1110 return (DNS_R_FORMERR);
1112 if (tsig.siglen > 0 && digestbits != 0 &&
1113 tsig.siglen < ((digestbits + 1) / 8)) {
1114 msg->tsigstatus = dns_tsigerror_badtrunc;
1115 tsig_log(msg->tsigkey, 2,
1116 "truncated signature length too small");
1117 return (DNS_R_TSIGVERIFYFAILURE);
1119 if (tsig.siglen > 0 && digestbits == 0 &&
1120 tsig.siglen < siglen) {
1121 msg->tsigstatus = dns_tsigerror_badtrunc;
1122 tsig_log(msg->tsigkey, 2, "signature length too small");
1123 return (DNS_R_TSIGVERIFYFAILURE);
1127 if (tsig.siglen > 0) {
1128 sig_r.base = tsig.signature;
1129 sig_r.length = tsig.siglen;
1131 ret = dst_context_create(key, mctx, &ctx);
1132 if (ret != ISC_R_SUCCESS)
1135 if (is_response(msg)) {
1136 isc_buffer_init(&databuf, data, sizeof(data));
1137 isc_buffer_putuint16(&databuf, querytsig.siglen);
1138 isc_buffer_usedregion(&databuf, &r);
1139 ret = dst_context_adddata(ctx, &r);
1140 if (ret != ISC_R_SUCCESS)
1141 goto cleanup_context;
1142 if (querytsig.siglen > 0) {
1143 r.length = querytsig.siglen;
1144 r.base = querytsig.signature;
1145 ret = dst_context_adddata(ctx, &r);
1146 if (ret != ISC_R_SUCCESS)
1147 goto cleanup_context;
1152 * Extract the header.
1154 isc_buffer_usedregion(source, &r);
1155 memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
1156 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
1159 * Decrement the additional field counter.
1161 memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
1162 addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
1163 memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
1166 * Put in the original id.
1168 id = htons(tsig.originalid);
1169 memcpy(&header[0], &id, 2);
1172 * Digest the modified header.
1174 header_r.base = (unsigned char *) header;
1175 header_r.length = DNS_MESSAGE_HEADERLEN;
1176 ret = dst_context_adddata(ctx, &header_r);
1177 if (ret != ISC_R_SUCCESS)
1178 goto cleanup_context;
1181 * Digest all non-TSIG records.
1183 isc_buffer_usedregion(source, &source_r);
1184 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
1185 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
1186 ret = dst_context_adddata(ctx, &r);
1187 if (ret != ISC_R_SUCCESS)
1188 goto cleanup_context;
1191 * Digest the key name.
1193 dns_name_toregion(&tsigkey->name, &r);
1194 ret = dst_context_adddata(ctx, &r);
1195 if (ret != ISC_R_SUCCESS)
1196 goto cleanup_context;
1198 isc_buffer_init(&databuf, data, sizeof(data));
1199 isc_buffer_putuint16(&databuf, tsig.common.rdclass);
1200 isc_buffer_putuint32(&databuf, msg->tsig->ttl);
1201 isc_buffer_usedregion(&databuf, &r);
1202 ret = dst_context_adddata(ctx, &r);
1203 if (ret != ISC_R_SUCCESS)
1204 goto cleanup_context;
1207 * Digest the key algorithm.
1209 dns_name_toregion(tsigkey->algorithm, &r);
1210 ret = dst_context_adddata(ctx, &r);
1211 if (ret != ISC_R_SUCCESS)
1212 goto cleanup_context;
1214 isc_buffer_clear(&databuf);
1215 isc_buffer_putuint48(&databuf, tsig.timesigned);
1216 isc_buffer_putuint16(&databuf, tsig.fudge);
1217 isc_buffer_putuint16(&databuf, tsig.error);
1218 isc_buffer_putuint16(&databuf, tsig.otherlen);
1219 isc_buffer_usedregion(&databuf, &r);
1220 ret = dst_context_adddata(ctx, &r);
1221 if (ret != ISC_R_SUCCESS)
1222 goto cleanup_context;
1224 if (tsig.otherlen > 0) {
1225 r.base = tsig.other;
1226 r.length = tsig.otherlen;
1227 ret = dst_context_adddata(ctx, &r);
1228 if (ret != ISC_R_SUCCESS)
1229 goto cleanup_context;
1232 ret = dst_context_verify(ctx, &sig_r);
1233 if (ret == DST_R_VERIFYFAILURE) {
1234 msg->tsigstatus = dns_tsigerror_badsig;
1235 ret = DNS_R_TSIGVERIFYFAILURE;
1236 tsig_log(msg->tsigkey, 2,
1237 "signature failed to verify(1)");
1238 goto cleanup_context;
1239 } else if (ret != ISC_R_SUCCESS)
1240 goto cleanup_context;
1242 dst_context_destroy(&ctx);
1243 } else if (tsig.error != dns_tsigerror_badsig &&
1244 tsig.error != dns_tsigerror_badkey) {
1245 msg->tsigstatus = dns_tsigerror_badsig;
1246 tsig_log(msg->tsigkey, 2, "signature was empty");
1247 return (DNS_R_TSIGVERIFYFAILURE);
1250 msg->tsigstatus = dns_rcode_noerror;
1252 if (tsig.error != dns_rcode_noerror) {
1253 if (tsig.error == dns_tsigerror_badtime)
1254 return (DNS_R_CLOCKSKEW);
1256 return (DNS_R_TSIGERRORSET);
1259 msg->verified_sig = 1;
1261 return (ISC_R_SUCCESS);
1265 dst_context_destroy(&ctx);
1271 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
1272 dns_rdata_any_tsig_t tsig, querytsig;
1273 isc_region_t r, source_r, header_r, sig_r;
1274 isc_buffer_t databuf;
1275 unsigned char data[32];
1276 dns_name_t *keyname;
1277 dns_rdata_t rdata = DNS_RDATA_INIT;
1280 dns_tsigkey_t *tsigkey;
1281 dst_key_t *key = NULL;
1282 unsigned char header[DNS_MESSAGE_HEADERLEN];
1283 isc_uint16_t addcount, id;
1284 isc_boolean_t has_tsig = ISC_FALSE;
1287 REQUIRE(source != NULL);
1288 REQUIRE(msg != NULL);
1289 REQUIRE(dns_message_gettsigkey(msg) != NULL);
1290 REQUIRE(msg->tcp_continuation == 1);
1291 REQUIRE(msg->querytsig != NULL);
1293 if (!is_response(msg))
1294 return (DNS_R_EXPECTEDRESPONSE);
1298 tsigkey = dns_message_gettsigkey(msg);
1301 * Extract and parse the previous TSIG
1303 ret = dns_rdataset_first(msg->querytsig);
1304 if (ret != ISC_R_SUCCESS)
1306 dns_rdataset_current(msg->querytsig, &rdata);
1307 ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
1308 if (ret != ISC_R_SUCCESS)
1310 dns_rdata_reset(&rdata);
1313 * If there is a TSIG in this message, do some checks.
1315 if (msg->tsig != NULL) {
1316 has_tsig = ISC_TRUE;
1318 keyname = msg->tsigname;
1319 ret = dns_rdataset_first(msg->tsig);
1320 if (ret != ISC_R_SUCCESS)
1321 goto cleanup_querystruct;
1322 dns_rdataset_current(msg->tsig, &rdata);
1323 ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1324 if (ret != ISC_R_SUCCESS)
1325 goto cleanup_querystruct;
1328 * Do the key name and algorithm match that of the query?
1330 if (!dns_name_equal(keyname, &tsigkey->name) ||
1331 !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
1332 msg->tsigstatus = dns_tsigerror_badkey;
1333 ret = DNS_R_TSIGVERIFYFAILURE;
1334 tsig_log(msg->tsigkey, 2,
1335 "key name and algorithm do not match");
1336 goto cleanup_querystruct;
1342 isc_stdtime_get(&now);
1344 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1345 msg->tsigstatus = dns_tsigerror_badtime;
1346 tsig_log(msg->tsigkey, 2, "signature has expired");
1347 ret = DNS_R_CLOCKSKEW;
1348 goto cleanup_querystruct;
1349 } else if (now + msg->timeadjust <
1350 tsig.timesigned - tsig.fudge) {
1351 msg->tsigstatus = dns_tsigerror_badtime;
1352 tsig_log(msg->tsigkey, 2,
1353 "signature is in the future");
1354 ret = DNS_R_CLOCKSKEW;
1355 goto cleanup_querystruct;
1361 if (msg->tsigctx == NULL) {
1362 ret = dst_context_create(key, mctx, &msg->tsigctx);
1363 if (ret != ISC_R_SUCCESS)
1364 goto cleanup_querystruct;
1367 * Digest the length of the query signature
1369 isc_buffer_init(&databuf, data, sizeof(data));
1370 isc_buffer_putuint16(&databuf, querytsig.siglen);
1371 isc_buffer_usedregion(&databuf, &r);
1372 ret = dst_context_adddata(msg->tsigctx, &r);
1373 if (ret != ISC_R_SUCCESS)
1374 goto cleanup_context;
1377 * Digest the data of the query signature
1379 if (querytsig.siglen > 0) {
1380 r.length = querytsig.siglen;
1381 r.base = querytsig.signature;
1382 ret = dst_context_adddata(msg->tsigctx, &r);
1383 if (ret != ISC_R_SUCCESS)
1384 goto cleanup_context;
1389 * Extract the header.
1391 isc_buffer_usedregion(source, &r);
1392 memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
1393 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
1396 * Decrement the additional field counter if necessary.
1399 memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
1400 addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
1401 memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
1405 * Put in the original id.
1407 /* XXX Can TCP transfers be forwarded? How would that work? */
1409 id = htons(tsig.originalid);
1410 memcpy(&header[0], &id, 2);
1414 * Digest the modified header.
1416 header_r.base = (unsigned char *) header;
1417 header_r.length = DNS_MESSAGE_HEADERLEN;
1418 ret = dst_context_adddata(msg->tsigctx, &header_r);
1419 if (ret != ISC_R_SUCCESS)
1420 goto cleanup_context;
1423 * Digest all non-TSIG records.
1425 isc_buffer_usedregion(source, &source_r);
1426 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
1428 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
1430 r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
1431 ret = dst_context_adddata(msg->tsigctx, &r);
1432 if (ret != ISC_R_SUCCESS)
1433 goto cleanup_context;
1436 * Digest the time signed and fudge.
1439 isc_buffer_init(&databuf, data, sizeof(data));
1440 isc_buffer_putuint48(&databuf, tsig.timesigned);
1441 isc_buffer_putuint16(&databuf, tsig.fudge);
1442 isc_buffer_usedregion(&databuf, &r);
1443 ret = dst_context_adddata(msg->tsigctx, &r);
1444 if (ret != ISC_R_SUCCESS)
1445 goto cleanup_context;
1447 sig_r.base = tsig.signature;
1448 sig_r.length = tsig.siglen;
1449 if (tsig.siglen == 0) {
1450 if (tsig.error != dns_rcode_noerror) {
1451 if (tsig.error == dns_tsigerror_badtime)
1452 ret = DNS_R_CLOCKSKEW;
1454 ret = DNS_R_TSIGERRORSET;
1456 tsig_log(msg->tsigkey, 2,
1457 "signature is empty");
1458 ret = DNS_R_TSIGVERIFYFAILURE;
1460 goto cleanup_context;
1463 ret = dst_context_verify(msg->tsigctx, &sig_r);
1464 if (ret == DST_R_VERIFYFAILURE) {
1465 msg->tsigstatus = dns_tsigerror_badsig;
1466 tsig_log(msg->tsigkey, 2,
1467 "signature failed to verify(2)");
1468 ret = DNS_R_TSIGVERIFYFAILURE;
1469 goto cleanup_context;
1471 else if (ret != ISC_R_SUCCESS)
1472 goto cleanup_context;
1474 dst_context_destroy(&msg->tsigctx);
1477 msg->tsigstatus = dns_rcode_noerror;
1478 return (ISC_R_SUCCESS);
1481 dst_context_destroy(&msg->tsigctx);
1483 cleanup_querystruct:
1484 dns_rdata_freestruct(&querytsig);
1491 dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
1492 dns_name_t *algorithm, dns_tsig_keyring_t *ring)
1496 isc_result_t result;
1498 REQUIRE(tsigkey != NULL);
1499 REQUIRE(*tsigkey == NULL);
1500 REQUIRE(name != NULL);
1501 REQUIRE(ring != NULL);
1503 RWLOCK(&ring->lock, isc_rwlocktype_write);
1505 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
1507 isc_stdtime_get(&now);
1508 RWLOCK(&ring->lock, isc_rwlocktype_read);
1510 result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
1511 if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
1512 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1513 return (ISC_R_NOTFOUND);
1515 if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
1516 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1517 return (ISC_R_NOTFOUND);
1519 if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
1521 * The key has expired.
1523 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1524 RWLOCK(&ring->lock, isc_rwlocktype_write);
1525 remove_fromring(key);
1526 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
1527 return (ISC_R_NOTFOUND);
1531 * MPAXXX We really should look at the inception time.
1533 if (key->inception != key->expire &&
1534 isc_serial_lt(key->inception, now)) {
1535 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1537 return (ISC_R_NOTFOUND);
1540 isc_refcount_increment(&key->refs, NULL);
1541 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1544 return (ISC_R_SUCCESS);
1548 free_tsignode(void *node, void *_unused) {
1553 REQUIRE(node != NULL);
1556 dns_tsigkey_detach(&key);
1560 dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
1561 isc_result_t result;
1562 dns_tsig_keyring_t *ring;
1564 REQUIRE(mctx != NULL);
1565 REQUIRE(ringp != NULL);
1566 REQUIRE(*ringp == NULL);
1568 ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
1570 return (ISC_R_NOMEMORY);
1572 result = isc_rwlock_init(&ring->lock, 0, 0);
1573 if (result != ISC_R_SUCCESS) {
1574 isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
1579 result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
1580 if (result != ISC_R_SUCCESS) {
1581 isc_rwlock_destroy(&ring->lock);
1582 isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
1586 ring->writecount = 0;
1588 ring->generated = 0;
1589 ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
1590 ISC_LIST_INIT(ring->lru);
1591 isc_mem_attach(mctx, &ring->mctx);
1594 return (ISC_R_SUCCESS);
1598 dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
1599 dns_tsig_keyring_t *ring;
1601 REQUIRE(ringp != NULL);
1602 REQUIRE(*ringp != NULL);
1607 dns_rbt_destroy(&ring->keys);
1608 isc_rwlock_destroy(&ring->lock);
1609 isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));