2 * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
19 * $Id: tsig.c,v 1.117.18.14 2008/01/17 23:46:03 tbox Exp $
25 #include <isc/buffer.h>
27 #include <isc/print.h>
28 #include <isc/refcount.h>
29 #include <isc/string.h> /* Required for HP/UX (and others?) */
32 #include <dns/keyvalues.h>
34 #include <dns/message.h>
36 #include <dns/rdata.h>
37 #include <dns/rdatalist.h>
38 #include <dns/rdataset.h>
39 #include <dns/rdatastruct.h>
40 #include <dns/result.h>
43 #include <dst/result.h>
45 #define TSIG_MAGIC ISC_MAGIC('T', 'S', 'I', 'G')
46 #define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
48 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
49 #define algname_is_allocated(algname) \
50 ((algname) != dns_tsig_hmacmd5_name && \
51 (algname) != dns_tsig_hmacsha1_name && \
52 (algname) != dns_tsig_hmacsha224_name && \
53 (algname) != dns_tsig_hmacsha256_name && \
54 (algname) != dns_tsig_hmacsha384_name && \
55 (algname) != dns_tsig_hmacsha512_name && \
56 (algname) != dns_tsig_gssapi_name && \
57 (algname) != dns_tsig_gssapims_name)
61 static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
62 static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
64 static dns_name_t hmacmd5 = {
67 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
68 hmacmd5_offsets, NULL,
69 {(void *)-1, (void *)-1},
73 dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
75 static unsigned char gsstsig_ndata[] = "\010gss-tsig";
76 static unsigned char gsstsig_offsets[] = { 0, 9 };
78 static dns_name_t gsstsig = {
81 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
82 gsstsig_offsets, NULL,
83 {(void *)-1, (void *)-1},
87 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
89 /* It's nice of Microsoft to conform to their own standard. */
90 static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
91 static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
93 static dns_name_t gsstsigms = {
95 gsstsigms_ndata, 19, 4,
96 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
97 gsstsigms_offsets, NULL,
98 {(void *)-1, (void *)-1},
102 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
104 static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
105 static unsigned char hmacsha1_offsets[] = { 0, 10 };
107 static dns_name_t hmacsha1 = {
109 hmacsha1_ndata, 11, 2,
110 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
111 hmacsha1_offsets, NULL,
112 {(void *)-1, (void *)-1},
116 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
118 static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
119 static unsigned char hmacsha224_offsets[] = { 0, 12 };
121 static dns_name_t hmacsha224 = {
123 hmacsha224_ndata, 13, 2,
124 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
125 hmacsha224_offsets, NULL,
126 {(void *)-1, (void *)-1},
130 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
132 static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
133 static unsigned char hmacsha256_offsets[] = { 0, 12 };
135 static dns_name_t hmacsha256 = {
137 hmacsha256_ndata, 13, 2,
138 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
139 hmacsha256_offsets, NULL,
140 {(void *)-1, (void *)-1},
144 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
146 static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
147 static unsigned char hmacsha384_offsets[] = { 0, 12 };
149 static dns_name_t hmacsha384 = {
151 hmacsha384_ndata, 13, 2,
152 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
153 hmacsha384_offsets, NULL,
154 {(void *)-1, (void *)-1},
158 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
160 static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
161 static unsigned char hmacsha512_offsets[] = { 0, 12 };
163 static dns_name_t hmacsha512 = {
165 hmacsha512_ndata, 13, 2,
166 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
167 hmacsha512_offsets, NULL,
168 {(void *)-1, (void *)-1},
172 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
175 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
178 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
179 ISC_FORMAT_PRINTF(3, 4);
182 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
185 char namestr[DNS_NAME_FORMATSIZE];
187 if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
190 dns_name_format(&key->name, namestr, sizeof(namestr));
192 strcpy(namestr, "<null>");
194 vsnprintf(message, sizeof(message), fmt, ap);
196 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
197 level, "tsig key '%s': %s", namestr, message);
201 dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
202 dst_key_t *dstkey, isc_boolean_t generated,
203 dns_name_t *creator, isc_stdtime_t inception,
204 isc_stdtime_t expire, isc_mem_t *mctx,
205 dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
209 unsigned int refs = 0;
211 REQUIRE(key == NULL || *key == NULL);
212 REQUIRE(name != NULL);
213 REQUIRE(algorithm != NULL);
214 REQUIRE(mctx != NULL);
215 REQUIRE(key != NULL || ring != NULL);
217 tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
219 return (ISC_R_NOMEMORY);
221 dns_name_init(&tkey->name, NULL);
222 ret = dns_name_dup(name, mctx, &tkey->name);
223 if (ret != ISC_R_SUCCESS)
225 (void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
227 if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
228 tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
229 if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
233 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
234 tkey->algorithm = DNS_TSIG_HMACSHA1_NAME;
235 if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACSHA1) {
239 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
240 tkey->algorithm = DNS_TSIG_HMACSHA224_NAME;
241 if (dstkey != NULL &&
242 dst_key_alg(dstkey) != DST_ALG_HMACSHA224) {
246 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
247 tkey->algorithm = DNS_TSIG_HMACSHA256_NAME;
248 if (dstkey != NULL &&
249 dst_key_alg(dstkey) != DST_ALG_HMACSHA256) {
253 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
254 tkey->algorithm = DNS_TSIG_HMACSHA384_NAME;
255 if (dstkey != NULL &&
256 dst_key_alg(dstkey) != DST_ALG_HMACSHA384) {
260 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
261 tkey->algorithm = DNS_TSIG_HMACSHA512_NAME;
262 if (dstkey != NULL &&
263 dst_key_alg(dstkey) != DST_ALG_HMACSHA512) {
267 } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
268 tkey->algorithm = DNS_TSIG_GSSAPI_NAME;
269 if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
273 } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
274 tkey->algorithm = DNS_TSIG_GSSAPIMS_NAME;
275 if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
280 if (dstkey != NULL) {
284 tkey->algorithm = isc_mem_get(mctx, sizeof(dns_name_t));
285 if (tkey->algorithm == NULL) {
286 ret = ISC_R_NOMEMORY;
289 dns_name_init(tkey->algorithm, NULL);
290 ret = dns_name_dup(algorithm, mctx, tkey->algorithm);
291 if (ret != ISC_R_SUCCESS)
292 goto cleanup_algorithm;
293 (void)dns_name_downcase(tkey->algorithm, tkey->algorithm,
297 if (creator != NULL) {
298 tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
299 if (tkey->creator == NULL) {
300 ret = ISC_R_NOMEMORY;
301 goto cleanup_algorithm;
303 dns_name_init(tkey->creator, NULL);
304 ret = dns_name_dup(creator, mctx, tkey->creator);
305 if (ret != ISC_R_SUCCESS) {
306 isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
307 goto cleanup_algorithm;
310 tkey->creator = NULL;
319 ret = isc_refcount_init(&tkey->refs, refs);
320 if (ret != ISC_R_SUCCESS)
321 goto cleanup_creator;
323 tkey->generated = generated;
324 tkey->inception = inception;
325 tkey->expire = expire;
327 isc_mem_attach(mctx, &tkey->mctx);
329 tkey->magic = TSIG_MAGIC;
332 RWLOCK(&ring->lock, isc_rwlocktype_write);
333 ret = dns_rbt_addname(ring->keys, name, tkey);
334 if (ret != ISC_R_SUCCESS) {
335 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
338 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
341 if (dstkey != NULL && dst_key_size(dstkey) < 64) {
342 char namestr[DNS_NAME_FORMATSIZE];
343 dns_name_format(name, namestr, sizeof(namestr));
344 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
345 DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
346 "the key '%s' is too short to be secure",
352 return (ISC_R_SUCCESS);
357 isc_refcount_decrement(&tkey->refs, NULL);
358 isc_refcount_destroy(&tkey->refs);
360 if (tkey->creator != NULL) {
361 dns_name_free(tkey->creator, mctx);
362 isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
365 if (algname_is_allocated(tkey->algorithm)) {
366 if (dns_name_dynamic(tkey->algorithm))
367 dns_name_free(tkey->algorithm, mctx);
368 isc_mem_put(mctx, tkey->algorithm, sizeof(dns_name_t));
371 dns_name_free(&tkey->name, mctx);
373 isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
379 dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
380 unsigned char *secret, int length, isc_boolean_t generated,
381 dns_name_t *creator, isc_stdtime_t inception,
382 isc_stdtime_t expire, isc_mem_t *mctx,
383 dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
385 dst_key_t *dstkey = NULL;
388 REQUIRE(length >= 0);
390 REQUIRE(secret != NULL);
392 if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
393 if (secret != NULL) {
396 isc_buffer_init(&b, secret, length);
397 isc_buffer_add(&b, length);
398 result = dst_key_frombuffer(name, DST_ALG_HMACMD5,
403 if (result != ISC_R_SUCCESS)
406 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
407 if (secret != NULL) {
410 isc_buffer_init(&b, secret, length);
411 isc_buffer_add(&b, length);
412 result = dst_key_frombuffer(name, DST_ALG_HMACSHA1,
417 if (result != ISC_R_SUCCESS)
420 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
421 if (secret != NULL) {
424 isc_buffer_init(&b, secret, length);
425 isc_buffer_add(&b, length);
426 result = dst_key_frombuffer(name, DST_ALG_HMACSHA224,
431 if (result != ISC_R_SUCCESS)
434 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
435 if (secret != NULL) {
438 isc_buffer_init(&b, secret, length);
439 isc_buffer_add(&b, length);
440 result = dst_key_frombuffer(name, DST_ALG_HMACSHA256,
445 if (result != ISC_R_SUCCESS)
448 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
449 if (secret != NULL) {
452 isc_buffer_init(&b, secret, length);
453 isc_buffer_add(&b, length);
454 result = dst_key_frombuffer(name, DST_ALG_HMACSHA384,
459 if (result != ISC_R_SUCCESS)
462 } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
463 if (secret != NULL) {
466 isc_buffer_init(&b, secret, length);
467 isc_buffer_add(&b, length);
468 result = dst_key_frombuffer(name, DST_ALG_HMACSHA512,
473 if (result != ISC_R_SUCCESS)
476 } else if (length > 0)
477 return (DNS_R_BADALG);
479 result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
481 inception, expire, mctx, ring, key);
482 if (result != ISC_R_SUCCESS && dstkey != NULL)
483 dst_key_free(&dstkey);
488 dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
489 REQUIRE(VALID_TSIG_KEY(source));
490 REQUIRE(targetp != NULL && *targetp == NULL);
492 isc_refcount_increment(&source->refs, NULL);
497 tsigkey_free(dns_tsigkey_t *key) {
498 REQUIRE(VALID_TSIG_KEY(key));
501 dns_name_free(&key->name, key->mctx);
502 if (algname_is_allocated(key->algorithm)) {
503 dns_name_free(key->algorithm, key->mctx);
504 isc_mem_put(key->mctx, key->algorithm, sizeof(dns_name_t));
506 if (key->key != NULL)
507 dst_key_free(&key->key);
508 if (key->creator != NULL) {
509 dns_name_free(key->creator, key->mctx);
510 isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
512 isc_refcount_destroy(&key->refs);
513 isc_mem_putanddetach(&key->mctx, key, sizeof(dns_tsigkey_t));
517 dns_tsigkey_detach(dns_tsigkey_t **keyp) {
521 REQUIRE(keyp != NULL);
522 REQUIRE(VALID_TSIG_KEY(*keyp));
525 isc_refcount_decrement(&key->refs, &refs);
534 dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
535 REQUIRE(VALID_TSIG_KEY(key));
536 REQUIRE(key->ring != NULL);
538 RWLOCK(&key->ring->lock, isc_rwlocktype_write);
539 (void)dns_rbt_deletename(key->ring->keys, &key->name, ISC_FALSE);
540 RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
544 buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
548 valhi = (isc_uint16_t)(val >> 32);
549 vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
550 isc_buffer_putuint16(b, valhi);
551 isc_buffer_putuint32(b, vallo);
555 dns_tsig_sign(dns_message_t *msg) {
557 dns_rdata_any_tsig_t tsig, querytsig;
558 unsigned char data[128];
559 isc_buffer_t databuf, sigbuf;
560 isc_buffer_t *dynbuf;
562 dns_rdata_t *rdata = NULL;
563 dns_rdatalist_t *datalist;
564 dns_rdataset_t *dataset;
568 dst_context_t *ctx = NULL;
570 unsigned char badtimedata[BADTIMELEN];
571 unsigned int sigsize = 0;
573 REQUIRE(msg != NULL);
574 REQUIRE(VALID_TSIG_KEY(dns_message_gettsigkey(msg)));
577 * If this is a response, there should be a query tsig.
579 if (is_response(msg) && msg->querytsig == NULL)
580 return (DNS_R_EXPECTEDTSIG);
585 key = dns_message_gettsigkey(msg);
588 tsig.common.rdclass = dns_rdataclass_any;
589 tsig.common.rdtype = dns_rdatatype_tsig;
590 ISC_LINK_INIT(&tsig.common, link);
591 dns_name_init(&tsig.algorithm, NULL);
592 dns_name_clone(key->algorithm, &tsig.algorithm);
594 isc_stdtime_get(&now);
595 tsig.timesigned = now + msg->timeadjust;
596 tsig.fudge = DNS_TSIG_FUDGE;
598 tsig.originalid = msg->id;
600 isc_buffer_init(&databuf, data, sizeof(data));
602 if (is_response(msg))
603 tsig.error = msg->querytsigstatus;
605 tsig.error = dns_rcode_noerror;
607 if (tsig.error != dns_tsigerror_badtime) {
611 isc_buffer_t otherbuf;
613 tsig.otherlen = BADTIMELEN;
614 tsig.other = badtimedata;
615 isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
616 buffer_putuint48(&otherbuf, tsig.timesigned);
619 if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
620 unsigned char header[DNS_MESSAGE_HEADERLEN];
621 isc_buffer_t headerbuf;
622 isc_uint16_t digestbits;
624 ret = dst_context_create(key->key, mctx, &ctx);
625 if (ret != ISC_R_SUCCESS)
629 * If this is a response, digest the query signature.
631 if (is_response(msg)) {
632 dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
634 ret = dns_rdataset_first(msg->querytsig);
635 if (ret != ISC_R_SUCCESS)
636 goto cleanup_context;
637 dns_rdataset_current(msg->querytsig, &querytsigrdata);
638 ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
640 if (ret != ISC_R_SUCCESS)
641 goto cleanup_context;
642 isc_buffer_putuint16(&databuf, querytsig.siglen);
643 if (isc_buffer_availablelength(&databuf) <
647 goto cleanup_context;
649 isc_buffer_putmem(&databuf, querytsig.signature,
651 isc_buffer_usedregion(&databuf, &r);
652 ret = dst_context_adddata(ctx, &r);
653 if (ret != ISC_R_SUCCESS)
654 goto cleanup_context;
660 isc_buffer_init(&headerbuf, header, sizeof(header));
661 dns_message_renderheader(msg, &headerbuf);
662 isc_buffer_usedregion(&headerbuf, &r);
663 ret = dst_context_adddata(ctx, &r);
664 if (ret != ISC_R_SUCCESS)
665 goto cleanup_context;
668 * Digest the remainder of the message.
670 isc_buffer_usedregion(msg->buffer, &r);
671 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
672 ret = dst_context_adddata(ctx, &r);
673 if (ret != ISC_R_SUCCESS)
674 goto cleanup_context;
676 if (msg->tcp_continuation == 0) {
678 * Digest the name, class, ttl, alg.
680 dns_name_toregion(&key->name, &r);
681 ret = dst_context_adddata(ctx, &r);
682 if (ret != ISC_R_SUCCESS)
683 goto cleanup_context;
685 isc_buffer_clear(&databuf);
686 isc_buffer_putuint16(&databuf, dns_rdataclass_any);
687 isc_buffer_putuint32(&databuf, 0); /* ttl */
688 isc_buffer_usedregion(&databuf, &r);
689 ret = dst_context_adddata(ctx, &r);
690 if (ret != ISC_R_SUCCESS)
691 goto cleanup_context;
693 dns_name_toregion(&tsig.algorithm, &r);
694 ret = dst_context_adddata(ctx, &r);
695 if (ret != ISC_R_SUCCESS)
696 goto cleanup_context;
699 /* Digest the timesigned and fudge */
700 isc_buffer_clear(&databuf);
701 if (tsig.error == dns_tsigerror_badtime)
702 tsig.timesigned = querytsig.timesigned;
703 buffer_putuint48(&databuf, tsig.timesigned);
704 isc_buffer_putuint16(&databuf, tsig.fudge);
705 isc_buffer_usedregion(&databuf, &r);
706 ret = dst_context_adddata(ctx, &r);
707 if (ret != ISC_R_SUCCESS)
708 goto cleanup_context;
710 if (msg->tcp_continuation == 0) {
712 * Digest the error and other data length.
714 isc_buffer_clear(&databuf);
715 isc_buffer_putuint16(&databuf, tsig.error);
716 isc_buffer_putuint16(&databuf, tsig.otherlen);
718 isc_buffer_usedregion(&databuf, &r);
719 ret = dst_context_adddata(ctx, &r);
720 if (ret != ISC_R_SUCCESS)
721 goto cleanup_context;
724 * Digest the error and other data.
726 if (tsig.otherlen > 0) {
727 r.length = tsig.otherlen;
729 ret = dst_context_adddata(ctx, &r);
730 if (ret != ISC_R_SUCCESS)
731 goto cleanup_context;
735 ret = dst_key_sigsize(key->key, &sigsize);
736 if (ret != ISC_R_SUCCESS)
737 goto cleanup_context;
738 tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
739 if (tsig.signature == NULL) {
740 ret = ISC_R_NOMEMORY;
741 goto cleanup_context;
744 isc_buffer_init(&sigbuf, tsig.signature, sigsize);
745 ret = dst_context_sign(ctx, &sigbuf);
746 if (ret != ISC_R_SUCCESS)
747 goto cleanup_signature;
748 dst_context_destroy(&ctx);
749 digestbits = dst_key_getbits(key->key);
750 if (digestbits != 0) {
751 unsigned int bytes = (digestbits + 1) / 8;
752 if (is_response(msg) && bytes < querytsig.siglen)
753 bytes = querytsig.siglen;
754 if (bytes > isc_buffer_usedlength(&sigbuf))
755 bytes = isc_buffer_usedlength(&sigbuf);
758 tsig.siglen = isc_buffer_usedlength(&sigbuf);
761 tsig.signature = NULL;
764 ret = dns_message_gettemprdata(msg, &rdata);
765 if (ret != ISC_R_SUCCESS)
766 goto cleanup_signature;
767 ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
768 if (ret != ISC_R_SUCCESS)
770 ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
771 dns_rdatatype_tsig, &tsig, dynbuf);
772 if (ret != ISC_R_SUCCESS)
775 dns_message_takebuffer(msg, &dynbuf);
777 if (tsig.signature != NULL) {
778 isc_mem_put(mctx, tsig.signature, sigsize);
779 tsig.signature = NULL;
783 ret = dns_message_gettempname(msg, &owner);
784 if (ret != ISC_R_SUCCESS)
786 dns_name_init(owner, NULL);
787 ret = dns_name_dup(&key->name, msg->mctx, owner);
788 if (ret != ISC_R_SUCCESS)
792 ret = dns_message_gettemprdatalist(msg, &datalist);
793 if (ret != ISC_R_SUCCESS)
796 ret = dns_message_gettemprdataset(msg, &dataset);
797 if (ret != ISC_R_SUCCESS)
798 goto cleanup_rdatalist;
799 datalist->rdclass = dns_rdataclass_any;
800 datalist->type = dns_rdatatype_tsig;
801 datalist->covers = 0;
803 ISC_LIST_INIT(datalist->rdata);
804 ISC_LIST_APPEND(datalist->rdata, rdata, link);
805 dns_rdataset_init(dataset);
806 RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
809 msg->tsigname = owner;
811 return (ISC_R_SUCCESS);
814 dns_message_puttemprdatalist(msg, &datalist);
816 dns_message_puttempname(msg, &owner);
819 isc_buffer_free(&dynbuf);
821 dns_message_puttemprdata(msg, &rdata);
823 if (tsig.signature != NULL)
824 isc_mem_put(mctx, tsig.signature, sigsize);
827 dst_context_destroy(&ctx);
832 dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
833 dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
835 dns_rdata_any_tsig_t tsig, querytsig;
836 isc_region_t r, source_r, header_r, sig_r;
837 isc_buffer_t databuf;
838 unsigned char data[32];
840 dns_rdata_t rdata = DNS_RDATA_INIT;
843 dns_tsigkey_t *tsigkey;
844 dst_key_t *key = NULL;
845 unsigned char header[DNS_MESSAGE_HEADERLEN];
846 dst_context_t *ctx = NULL;
848 isc_uint16_t addcount, id;
852 REQUIRE(source != NULL);
853 REQUIRE(DNS_MESSAGE_VALID(msg));
854 tsigkey = dns_message_gettsigkey(msg);
855 REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
857 msg->verify_attempted = 1;
859 if (msg->tcp_continuation) {
860 if (tsigkey == NULL || msg->querytsig == NULL)
861 return (DNS_R_UNEXPECTEDTSIG);
862 return (tsig_verify_tcp(source, msg));
866 * There should be a TSIG record...
868 if (msg->tsig == NULL)
869 return (DNS_R_EXPECTEDTSIG);
872 * If this is a response and there's no key or query TSIG, there
873 * shouldn't be one on the response.
875 if (is_response(msg) &&
876 (tsigkey == NULL || msg->querytsig == NULL))
877 return (DNS_R_UNEXPECTEDTSIG);
882 * If we're here, we know the message is well formed and contains a
886 keyname = msg->tsigname;
887 ret = dns_rdataset_first(msg->tsig);
888 if (ret != ISC_R_SUCCESS)
890 dns_rdataset_current(msg->tsig, &rdata);
891 ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
892 if (ret != ISC_R_SUCCESS)
894 dns_rdata_reset(&rdata);
895 if (is_response(msg)) {
896 ret = dns_rdataset_first(msg->querytsig);
897 if (ret != ISC_R_SUCCESS)
899 dns_rdataset_current(msg->querytsig, &rdata);
900 ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
901 if (ret != ISC_R_SUCCESS)
906 * Do the key name and algorithm match that of the query?
908 if (is_response(msg) &&
909 (!dns_name_equal(keyname, &tsigkey->name) ||
910 !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)))
912 msg->tsigstatus = dns_tsigerror_badkey;
913 tsig_log(msg->tsigkey, 2,
914 "key name and algorithm do not match");
915 return (DNS_R_TSIGVERIFYFAILURE);
919 * Get the current time.
921 isc_stdtime_get(&now);
924 * Find dns_tsigkey_t based on keyname.
926 if (tsigkey == NULL) {
927 ret = ISC_R_NOTFOUND;
929 ret = dns_tsigkey_find(&tsigkey, keyname,
930 &tsig.algorithm, ring1);
931 if (ret == ISC_R_NOTFOUND && ring2 != NULL)
932 ret = dns_tsigkey_find(&tsigkey, keyname,
933 &tsig.algorithm, ring2);
934 if (ret != ISC_R_SUCCESS) {
935 msg->tsigstatus = dns_tsigerror_badkey;
936 ret = dns_tsigkey_create(keyname, &tsig.algorithm,
937 NULL, 0, ISC_FALSE, NULL,
939 mctx, NULL, &msg->tsigkey);
940 if (ret != ISC_R_SUCCESS)
942 tsig_log(msg->tsigkey, 2, "unknown key");
943 return (DNS_R_TSIGVERIFYFAILURE);
945 msg->tsigkey = tsigkey;
953 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
954 msg->tsigstatus = dns_tsigerror_badtime;
955 tsig_log(msg->tsigkey, 2, "signature has expired");
956 return (DNS_R_CLOCKSKEW);
957 } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
958 msg->tsigstatus = dns_tsigerror_badtime;
959 tsig_log(msg->tsigkey, 2, "signature is in the future");
960 return (DNS_R_CLOCKSKEW);
964 * Check digest length.
966 alg = dst_key_alg(key);
967 ret = dst_key_sigsize(key, &siglen);
968 if (ret != ISC_R_SUCCESS)
970 if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
971 alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
972 alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
973 isc_uint16_t digestbits = dst_key_getbits(key);
974 if (tsig.siglen > siglen) {
975 tsig_log(msg->tsigkey, 2, "signature length to big");
976 return (DNS_R_FORMERR);
978 if (tsig.siglen > 0 &&
979 (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
980 tsig_log(msg->tsigkey, 2,
981 "signature length below minimum");
982 return (DNS_R_FORMERR);
984 if (tsig.siglen > 0 && digestbits != 0 &&
985 tsig.siglen < ((digestbits + 1) / 8)) {
986 msg->tsigstatus = dns_tsigerror_badtrunc;
987 tsig_log(msg->tsigkey, 2,
988 "truncated signature length too small");
989 return (DNS_R_TSIGVERIFYFAILURE);
991 if (tsig.siglen > 0 && digestbits == 0 &&
992 tsig.siglen < siglen) {
993 msg->tsigstatus = dns_tsigerror_badtrunc;
994 tsig_log(msg->tsigkey, 2, "signature length too small");
995 return (DNS_R_TSIGVERIFYFAILURE);
999 if (tsig.siglen > 0) {
1000 sig_r.base = tsig.signature;
1001 sig_r.length = tsig.siglen;
1003 ret = dst_context_create(key, mctx, &ctx);
1004 if (ret != ISC_R_SUCCESS)
1007 if (is_response(msg)) {
1008 isc_buffer_init(&databuf, data, sizeof(data));
1009 isc_buffer_putuint16(&databuf, querytsig.siglen);
1010 isc_buffer_usedregion(&databuf, &r);
1011 ret = dst_context_adddata(ctx, &r);
1012 if (ret != ISC_R_SUCCESS)
1013 goto cleanup_context;
1014 if (querytsig.siglen > 0) {
1015 r.length = querytsig.siglen;
1016 r.base = querytsig.signature;
1017 ret = dst_context_adddata(ctx, &r);
1018 if (ret != ISC_R_SUCCESS)
1019 goto cleanup_context;
1024 * Extract the header.
1026 isc_buffer_usedregion(source, &r);
1027 memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
1028 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
1031 * Decrement the additional field counter.
1033 memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
1034 addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
1035 memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
1038 * Put in the original id.
1040 id = htons(tsig.originalid);
1041 memcpy(&header[0], &id, 2);
1044 * Digest the modified header.
1046 header_r.base = (unsigned char *) header;
1047 header_r.length = DNS_MESSAGE_HEADERLEN;
1048 ret = dst_context_adddata(ctx, &header_r);
1049 if (ret != ISC_R_SUCCESS)
1050 goto cleanup_context;
1053 * Digest all non-TSIG records.
1055 isc_buffer_usedregion(source, &source_r);
1056 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
1057 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
1058 ret = dst_context_adddata(ctx, &r);
1059 if (ret != ISC_R_SUCCESS)
1060 goto cleanup_context;
1063 * Digest the key name.
1065 dns_name_toregion(&tsigkey->name, &r);
1066 ret = dst_context_adddata(ctx, &r);
1067 if (ret != ISC_R_SUCCESS)
1068 goto cleanup_context;
1070 isc_buffer_init(&databuf, data, sizeof(data));
1071 isc_buffer_putuint16(&databuf, tsig.common.rdclass);
1072 isc_buffer_putuint32(&databuf, msg->tsig->ttl);
1073 isc_buffer_usedregion(&databuf, &r);
1074 ret = dst_context_adddata(ctx, &r);
1075 if (ret != ISC_R_SUCCESS)
1076 goto cleanup_context;
1079 * Digest the key algorithm.
1081 dns_name_toregion(tsigkey->algorithm, &r);
1082 ret = dst_context_adddata(ctx, &r);
1083 if (ret != ISC_R_SUCCESS)
1084 goto cleanup_context;
1086 isc_buffer_clear(&databuf);
1087 buffer_putuint48(&databuf, tsig.timesigned);
1088 isc_buffer_putuint16(&databuf, tsig.fudge);
1089 isc_buffer_putuint16(&databuf, tsig.error);
1090 isc_buffer_putuint16(&databuf, tsig.otherlen);
1091 isc_buffer_usedregion(&databuf, &r);
1092 ret = dst_context_adddata(ctx, &r);
1093 if (ret != ISC_R_SUCCESS)
1094 goto cleanup_context;
1096 if (tsig.otherlen > 0) {
1097 r.base = tsig.other;
1098 r.length = tsig.otherlen;
1099 ret = dst_context_adddata(ctx, &r);
1100 if (ret != ISC_R_SUCCESS)
1101 goto cleanup_context;
1104 ret = dst_context_verify(ctx, &sig_r);
1105 if (ret == DST_R_VERIFYFAILURE) {
1106 msg->tsigstatus = dns_tsigerror_badsig;
1107 ret = DNS_R_TSIGVERIFYFAILURE;
1108 tsig_log(msg->tsigkey, 2,
1109 "signature failed to verify");
1110 goto cleanup_context;
1111 } else if (ret != ISC_R_SUCCESS)
1112 goto cleanup_context;
1114 dst_context_destroy(&ctx);
1115 } else if (tsig.error != dns_tsigerror_badsig &&
1116 tsig.error != dns_tsigerror_badkey)
1118 msg->tsigstatus = dns_tsigerror_badsig;
1119 tsig_log(msg->tsigkey, 2, "signature was empty");
1120 return (DNS_R_TSIGVERIFYFAILURE);
1123 msg->tsigstatus = dns_rcode_noerror;
1125 if (tsig.error != dns_rcode_noerror) {
1126 if (tsig.error == dns_tsigerror_badtime)
1127 return (DNS_R_CLOCKSKEW);
1129 return (DNS_R_TSIGERRORSET);
1132 msg->verified_sig = 1;
1134 return (ISC_R_SUCCESS);
1138 dst_context_destroy(&ctx);
1144 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
1145 dns_rdata_any_tsig_t tsig, querytsig;
1146 isc_region_t r, source_r, header_r, sig_r;
1147 isc_buffer_t databuf;
1148 unsigned char data[32];
1149 dns_name_t *keyname;
1150 dns_rdata_t rdata = DNS_RDATA_INIT;
1153 dns_tsigkey_t *tsigkey;
1154 dst_key_t *key = NULL;
1155 unsigned char header[DNS_MESSAGE_HEADERLEN];
1156 isc_uint16_t addcount, id;
1157 isc_boolean_t has_tsig = ISC_FALSE;
1160 REQUIRE(source != NULL);
1161 REQUIRE(msg != NULL);
1162 REQUIRE(dns_message_gettsigkey(msg) != NULL);
1163 REQUIRE(msg->tcp_continuation == 1);
1164 REQUIRE(msg->querytsig != NULL);
1166 if (!is_response(msg))
1167 return (DNS_R_EXPECTEDRESPONSE);
1171 tsigkey = dns_message_gettsigkey(msg);
1174 * Extract and parse the previous TSIG
1176 ret = dns_rdataset_first(msg->querytsig);
1177 if (ret != ISC_R_SUCCESS)
1179 dns_rdataset_current(msg->querytsig, &rdata);
1180 ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
1181 if (ret != ISC_R_SUCCESS)
1183 dns_rdata_reset(&rdata);
1186 * If there is a TSIG in this message, do some checks.
1188 if (msg->tsig != NULL) {
1189 has_tsig = ISC_TRUE;
1191 keyname = msg->tsigname;
1192 ret = dns_rdataset_first(msg->tsig);
1193 if (ret != ISC_R_SUCCESS)
1194 goto cleanup_querystruct;
1195 dns_rdataset_current(msg->tsig, &rdata);
1196 ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1197 if (ret != ISC_R_SUCCESS)
1198 goto cleanup_querystruct;
1201 * Do the key name and algorithm match that of the query?
1203 if (!dns_name_equal(keyname, &tsigkey->name) ||
1204 !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
1206 msg->tsigstatus = dns_tsigerror_badkey;
1207 ret = DNS_R_TSIGVERIFYFAILURE;
1208 tsig_log(msg->tsigkey, 2,
1209 "key name and algorithm do not match");
1210 goto cleanup_querystruct;
1216 isc_stdtime_get(&now);
1218 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1219 msg->tsigstatus = dns_tsigerror_badtime;
1220 tsig_log(msg->tsigkey, 2, "signature has expired");
1221 ret = DNS_R_CLOCKSKEW;
1222 goto cleanup_querystruct;
1223 } else if (now + msg->timeadjust <
1224 tsig.timesigned - tsig.fudge)
1226 msg->tsigstatus = dns_tsigerror_badtime;
1227 tsig_log(msg->tsigkey, 2,
1228 "signature is in the future");
1229 ret = DNS_R_CLOCKSKEW;
1230 goto cleanup_querystruct;
1236 if (msg->tsigctx == NULL) {
1237 ret = dst_context_create(key, mctx, &msg->tsigctx);
1238 if (ret != ISC_R_SUCCESS)
1239 goto cleanup_querystruct;
1242 * Digest the length of the query signature
1244 isc_buffer_init(&databuf, data, sizeof(data));
1245 isc_buffer_putuint16(&databuf, querytsig.siglen);
1246 isc_buffer_usedregion(&databuf, &r);
1247 ret = dst_context_adddata(msg->tsigctx, &r);
1248 if (ret != ISC_R_SUCCESS)
1249 goto cleanup_context;
1252 * Digest the data of the query signature
1254 if (querytsig.siglen > 0) {
1255 r.length = querytsig.siglen;
1256 r.base = querytsig.signature;
1257 ret = dst_context_adddata(msg->tsigctx, &r);
1258 if (ret != ISC_R_SUCCESS)
1259 goto cleanup_context;
1264 * Extract the header.
1266 isc_buffer_usedregion(source, &r);
1267 memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
1268 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
1271 * Decrement the additional field counter if necessary.
1274 memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
1275 addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
1276 memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
1280 * Put in the original id.
1282 /* XXX Can TCP transfers be forwarded? How would that work? */
1284 id = htons(tsig.originalid);
1285 memcpy(&header[0], &id, 2);
1289 * Digest the modified header.
1291 header_r.base = (unsigned char *) header;
1292 header_r.length = DNS_MESSAGE_HEADERLEN;
1293 ret = dst_context_adddata(msg->tsigctx, &header_r);
1294 if (ret != ISC_R_SUCCESS)
1295 goto cleanup_context;
1298 * Digest all non-TSIG records.
1300 isc_buffer_usedregion(source, &source_r);
1301 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
1303 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
1305 r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
1306 ret = dst_context_adddata(msg->tsigctx, &r);
1307 if (ret != ISC_R_SUCCESS)
1308 goto cleanup_context;
1311 * Digest the time signed and fudge.
1314 isc_buffer_init(&databuf, data, sizeof(data));
1315 buffer_putuint48(&databuf, tsig.timesigned);
1316 isc_buffer_putuint16(&databuf, tsig.fudge);
1317 isc_buffer_usedregion(&databuf, &r);
1318 ret = dst_context_adddata(msg->tsigctx, &r);
1319 if (ret != ISC_R_SUCCESS)
1320 goto cleanup_context;
1322 sig_r.base = tsig.signature;
1323 sig_r.length = tsig.siglen;
1324 if (tsig.siglen == 0) {
1325 if (tsig.error != dns_rcode_noerror) {
1326 if (tsig.error == dns_tsigerror_badtime)
1327 ret = DNS_R_CLOCKSKEW;
1329 ret = DNS_R_TSIGERRORSET;
1331 tsig_log(msg->tsigkey, 2,
1332 "signature is empty");
1333 ret = DNS_R_TSIGVERIFYFAILURE;
1335 goto cleanup_context;
1338 ret = dst_context_verify(msg->tsigctx, &sig_r);
1339 if (ret == DST_R_VERIFYFAILURE) {
1340 msg->tsigstatus = dns_tsigerror_badsig;
1341 tsig_log(msg->tsigkey, 2,
1342 "signature failed to verify");
1343 ret = DNS_R_TSIGVERIFYFAILURE;
1344 goto cleanup_context;
1346 else if (ret != ISC_R_SUCCESS)
1347 goto cleanup_context;
1349 dst_context_destroy(&msg->tsigctx);
1352 msg->tsigstatus = dns_rcode_noerror;
1353 return (ISC_R_SUCCESS);
1356 dst_context_destroy(&msg->tsigctx);
1358 cleanup_querystruct:
1359 dns_rdata_freestruct(&querytsig);
1366 dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
1367 dns_name_t *algorithm, dns_tsig_keyring_t *ring)
1371 isc_result_t result;
1373 REQUIRE(tsigkey != NULL);
1374 REQUIRE(*tsigkey == NULL);
1375 REQUIRE(name != NULL);
1376 REQUIRE(ring != NULL);
1378 isc_stdtime_get(&now);
1379 RWLOCK(&ring->lock, isc_rwlocktype_read);
1381 result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
1382 if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
1383 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1384 return (ISC_R_NOTFOUND);
1386 if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
1387 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1388 return (ISC_R_NOTFOUND);
1390 if (key->inception != key->expire && key->expire < now) {
1392 * The key has expired.
1394 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1395 RWLOCK(&ring->lock, isc_rwlocktype_write);
1396 (void) dns_rbt_deletename(ring->keys, name, ISC_FALSE);
1397 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
1398 return (ISC_R_NOTFOUND);
1401 isc_refcount_increment(&key->refs, NULL);
1402 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1404 return (ISC_R_SUCCESS);
1408 free_tsignode(void *node, void *_unused) {
1413 REQUIRE(node != NULL);
1416 dns_tsigkey_detach(&key);
1420 dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
1421 isc_result_t result;
1422 dns_tsig_keyring_t *ring;
1424 REQUIRE(mctx != NULL);
1425 REQUIRE(ringp != NULL);
1426 REQUIRE(*ringp == NULL);
1428 ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
1430 return (ISC_R_NOMEMORY);
1432 result = isc_rwlock_init(&ring->lock, 0, 0);
1433 if (result != ISC_R_SUCCESS) {
1434 isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
1439 result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
1440 if (result != ISC_R_SUCCESS) {
1441 isc_rwlock_destroy(&ring->lock);
1442 isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
1447 isc_mem_attach(mctx, &ring->mctx);
1450 return (ISC_R_SUCCESS);
1454 dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
1455 dns_tsig_keyring_t *ring;
1457 REQUIRE(ringp != NULL);
1458 REQUIRE(*ringp != NULL);
1463 dns_rbt_destroy(&ring->keys);
1464 isc_rwlock_destroy(&ring->lock);
1465 isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));