search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Sync usage with man page.
[netbsd-mini2440.git] / external / bsd / bind / dist / lib / dns / tkey.c
blob6b32a256032e27efd559707c637affc96898b0c6
1 /* $NetBSD$ */
2
3 /*
4 * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
5 * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
6 *
7 * Permission to use, copy, modify, and/or distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 * PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 /*
21 * Id: tkey.c,v 1.92 2009/09/02 23:48:02 tbox Exp
22 */
23 /*! \file */
24 #include <config.h>
25
26 #include <isc/buffer.h>
27 #include <isc/entropy.h>
28 #include <isc/md5.h>
29 #include <isc/mem.h>
30 #include <isc/string.h>
31 #include <isc/util.h>
32
33 #include <dns/dnssec.h>
34 #include <dns/fixedname.h>
35 #include <dns/keyvalues.h>
36 #include <dns/log.h>
37 #include <dns/message.h>
38 #include <dns/name.h>
39 #include <dns/rdata.h>
40 #include <dns/rdatalist.h>
41 #include <dns/rdataset.h>
42 #include <dns/rdatastruct.h>
43 #include <dns/result.h>
44 #include <dns/tkey.h>
45 #include <dns/tsig.h>
46
47 #include <dst/dst.h>
48 #include <dst/gssapi.h>
49
50 #define TKEY_RANDOM_AMOUNT 16
51
52 #define RETERR(x) do { \
53 result = (x); \
54 if (result != ISC_R_SUCCESS) \
55 goto failure; \
56 } while (0)
57
58 static void
59 tkey_log(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
60
61 static void
62 tkey_log(const char *fmt, ...) {
63 va_list ap;
64
65 va_start(ap, fmt);
66 isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
67 DNS_LOGMODULE_REQUEST, ISC_LOG_DEBUG(4), fmt, ap);
68 va_end(ap);
69 }
70
71 static void
72 _dns_tkey_dumpmessage(dns_message_t *msg) {
73 isc_buffer_t outbuf;
74 unsigned char output[4096];
75 isc_result_t result;
76
77 isc_buffer_init(&outbuf, output, sizeof(output));
78 result = dns_message_totext(msg, &dns_master_style_debug, 0,
79 &outbuf);
80 /* XXXMLG ignore result */
81 fprintf(stderr, "%.*s\n", (int)isc_buffer_usedlength(&outbuf),
82 (char *)isc_buffer_base(&outbuf));
83 }
84
85 isc_result_t
86 dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
87 {
88 dns_tkeyctx_t *tctx;
89
90 REQUIRE(mctx != NULL);
91 REQUIRE(ectx != NULL);
92 REQUIRE(tctxp != NULL && *tctxp == NULL);
93
94 tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
95 if (tctx == NULL)
96 return (ISC_R_NOMEMORY);
97 tctx->mctx = NULL;
98 isc_mem_attach(mctx, &tctx->mctx);
99 tctx->ectx = NULL;
100 isc_entropy_attach(ectx, &tctx->ectx);
101 tctx->dhkey = NULL;
102 tctx->domain = NULL;
103 tctx->gsscred = NULL;
104
105 *tctxp = tctx;
106 return (ISC_R_SUCCESS);
107 }
108
109 void
110 dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
111 isc_mem_t *mctx;
112 dns_tkeyctx_t *tctx;
113
114 REQUIRE(tctxp != NULL && *tctxp != NULL);
115
116 tctx = *tctxp;
117 mctx = tctx->mctx;
118
119 if (tctx->dhkey != NULL)
120 dst_key_free(&tctx->dhkey);
121 if (tctx->domain != NULL) {
122 if (dns_name_dynamic(tctx->domain))
123 dns_name_free(tctx->domain, mctx);
124 isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
125 }
126 if (tctx->gsscred != NULL)
127 dst_gssapi_releasecred(&tctx->gsscred);
128 isc_entropy_detach(&tctx->ectx);
129 isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t));
130 isc_mem_detach(&mctx);
131 *tctxp = NULL;
132 }
133
134 static isc_result_t
135 add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
136 isc_uint32_t ttl, dns_namelist_t *namelist)
137 {
138 isc_result_t result;
139 isc_region_t r, newr;
140 dns_rdata_t *newrdata = NULL;
141 dns_name_t *newname = NULL;
142 dns_rdatalist_t *newlist = NULL;
143 dns_rdataset_t *newset = NULL;
144 isc_buffer_t *tmprdatabuf = NULL;
145
146 RETERR(dns_message_gettemprdata(msg, &newrdata));
147
148 dns_rdata_toregion(rdata, &r);
149 RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
150 isc_buffer_availableregion(tmprdatabuf, &newr);
151 memcpy(newr.base, r.base, r.length);
152 dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
153 dns_message_takebuffer(msg, &tmprdatabuf);
154
155 RETERR(dns_message_gettempname(msg, &newname));
156 dns_name_init(newname, NULL);
157 RETERR(dns_name_dup(name, msg->mctx, newname));
158
159 RETERR(dns_message_gettemprdatalist(msg, &newlist));
160 newlist->rdclass = newrdata->rdclass;
161 newlist->type = newrdata->type;
162 newlist->covers = 0;
163 newlist->ttl = ttl;
164 ISC_LIST_INIT(newlist->rdata);
165 ISC_LIST_APPEND(newlist->rdata, newrdata, link);
166
167 RETERR(dns_message_gettemprdataset(msg, &newset));
168 dns_rdataset_init(newset);
169 RETERR(dns_rdatalist_tordataset(newlist, newset));
170
171 ISC_LIST_INIT(newname->list);
172 ISC_LIST_APPEND(newname->list, newset, link);
173
174 ISC_LIST_APPEND(*namelist, newname, link);
175
176 return (ISC_R_SUCCESS);
177
178 failure:
179 if (newrdata != NULL) {
180 if (ISC_LINK_LINKED(newrdata, link))
181 ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
182 dns_message_puttemprdata(msg, &newrdata);
183 }
184 if (newname != NULL)
185 dns_message_puttempname(msg, &newname);
186 if (newset != NULL) {
187 dns_rdataset_disassociate(newset);
188 dns_message_puttemprdataset(msg, &newset);
189 }
190 if (newlist != NULL)
191 dns_message_puttemprdatalist(msg, &newlist);
192 return (result);
193 }
194
195 static void
196 free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
197 dns_name_t *name;
198 dns_rdataset_t *set;
199
200 while (!ISC_LIST_EMPTY(*namelist)) {
201 name = ISC_LIST_HEAD(*namelist);
202 ISC_LIST_UNLINK(*namelist, name, link);
203 while (!ISC_LIST_EMPTY(name->list)) {
204 set = ISC_LIST_HEAD(name->list);
205 ISC_LIST_UNLINK(name->list, set, link);
206 dns_message_puttemprdataset(msg, &set);
207 }
208 dns_message_puttempname(msg, &name);
209 }
210 }
211
212 static isc_result_t
213 compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
214 isc_region_t *serverrandomness, isc_buffer_t *secret)
215 {
216 isc_md5_t md5ctx;
217 isc_region_t r, r2;
218 unsigned char digests[32];
219 unsigned int i;
220
221 isc_buffer_usedregion(shared, &r);
222
223 /*
224 * MD5 ( query data | DH value ).
225 */
226 isc_md5_init(&md5ctx);
227 isc_md5_update(&md5ctx, queryrandomness->base,
228 queryrandomness->length);
229 isc_md5_update(&md5ctx, r.base, r.length);
230 isc_md5_final(&md5ctx, digests);
231
232 /*
233 * MD5 ( server data | DH value ).
234 */
235 isc_md5_init(&md5ctx);
236 isc_md5_update(&md5ctx, serverrandomness->base,
237 serverrandomness->length);
238 isc_md5_update(&md5ctx, r.base, r.length);
239 isc_md5_final(&md5ctx, &digests[ISC_MD5_DIGESTLENGTH]);
240
241 /*
242 * XOR ( DH value, MD5-1 | MD5-2).
243 */
244 isc_buffer_availableregion(secret, &r);
245 isc_buffer_usedregion(shared, &r2);
246 if (r.length < sizeof(digests) || r.length < r2.length)
247 return (ISC_R_NOSPACE);
248 if (r2.length > sizeof(digests)) {
249 memcpy(r.base, r2.base, r2.length);
250 for (i = 0; i < sizeof(digests); i++)
251 r.base[i] ^= digests[i];
252 isc_buffer_add(secret, r2.length);
253 } else {
254 memcpy(r.base, digests, sizeof(digests));
255 for (i = 0; i < r2.length; i++)
256 r.base[i] ^= r2.base[i];
257 isc_buffer_add(secret, sizeof(digests));
258 }
259 return (ISC_R_SUCCESS);
260
261 }
262
263 static isc_result_t
264 process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
265 dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
266 dns_rdata_tkey_t *tkeyout,
267 dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
268 {
269 isc_result_t result = ISC_R_SUCCESS;
270 dns_name_t *keyname, ourname;
271 dns_rdataset_t *keyset = NULL;
272 dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
273 isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
274 dst_key_t *pubkey = NULL;
275 isc_buffer_t ourkeybuf, *shared = NULL;
276 isc_region_t r, r2, ourkeyr;
277 unsigned char keydata[DST_KEY_MAXSIZE];
278 unsigned int sharedsize;
279 isc_buffer_t secret;
280 unsigned char *randomdata = NULL, secretdata[256];
281 dns_ttl_t ttl = 0;
282
283 if (tctx->dhkey == NULL) {
284 tkey_log("process_dhtkey: tkey-dhkey not defined");
285 tkeyout->error = dns_tsigerror_badalg;
286 return (DNS_R_REFUSED);
287 }
288
289 if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
290 tkey_log("process_dhtkey: algorithms other than "
291 "hmac-md5 are not supported");
292 tkeyout->error = dns_tsigerror_badalg;
293 return (ISC_R_SUCCESS);
294 }
295
296 /*
297 * Look for a DH KEY record that will work with ours.
298 */
299 for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
300 result == ISC_R_SUCCESS && !found_key;
301 result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
302 keyname = NULL;
303 dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
304 keyset = NULL;
305 result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
306 &keyset);
307 if (result != ISC_R_SUCCESS)
308 continue;
309
310 for (result = dns_rdataset_first(keyset);
311 result == ISC_R_SUCCESS && !found_key;
312 result = dns_rdataset_next(keyset)) {
313 dns_rdataset_current(keyset, &keyrdata);
314 pubkey = NULL;
315 result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
316 msg->mctx, &pubkey);
317 if (result != ISC_R_SUCCESS) {
318 dns_rdata_reset(&keyrdata);
319 continue;
320 }
321 if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
322 if (dst_key_paramcompare(pubkey, tctx->dhkey))
323 {
324 found_key = ISC_TRUE;
325 ttl = keyset->ttl;
326 break;
327 } else
328 found_incompatible = ISC_TRUE;
329 }
330 dst_key_free(&pubkey);
331 dns_rdata_reset(&keyrdata);
332 }
333 }
334
335 if (!found_key) {
336 if (found_incompatible) {
337 tkey_log("process_dhtkey: found an incompatible key");
338 tkeyout->error = dns_tsigerror_badkey;
339 return (ISC_R_SUCCESS);
340 } else {
341 tkey_log("process_dhtkey: failed to find a key");
342 return (DNS_R_FORMERR);
343 }
344 }
345
346 RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
347
348 isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
349 RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
350 isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
351 dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
352 dns_rdatatype_key, &ourkeyr);
353
354 dns_name_init(&ourname, NULL);
355 dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
356
357 /*
358 * XXXBEW The TTL should be obtained from the database, if it exists.
359 */
360 RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
361
362 RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
363 RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
364
365 result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
366 if (result != ISC_R_SUCCESS) {
367 tkey_log("process_dhtkey: failed to compute shared secret: %s",
368 isc_result_totext(result));
369 goto failure;
370 }
371 dst_key_free(&pubkey);
372
373 isc_buffer_init(&secret, secretdata, sizeof(secretdata));
374
375 randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
376 if (randomdata == NULL)
377 goto failure;
378
379 result = isc_entropy_getdata(tctx->ectx, randomdata,
380 TKEY_RANDOM_AMOUNT, NULL, 0);
381 if (result != ISC_R_SUCCESS) {
382 tkey_log("process_dhtkey: failed to obtain entropy: %s",
383 isc_result_totext(result));
384 goto failure;
385 }
386
387 r.base = randomdata;
388 r.length = TKEY_RANDOM_AMOUNT;
389 r2.base = tkeyin->key;
390 r2.length = tkeyin->keylen;
391 RETERR(compute_secret(shared, &r2, &r, &secret));
392 isc_buffer_free(&shared);
393
394 RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
395 isc_buffer_base(&secret),
396 isc_buffer_usedlength(&secret),
397 ISC_TRUE, signer, tkeyin->inception,
398 tkeyin->expire, ring->mctx, ring, NULL));
399
400 /* This key is good for a long time */
401 tkeyout->inception = tkeyin->inception;
402 tkeyout->expire = tkeyin->expire;
403
404 tkeyout->key = randomdata;
405 tkeyout->keylen = TKEY_RANDOM_AMOUNT;
406
407 return (ISC_R_SUCCESS);
408
409 failure:
410 if (!ISC_LIST_EMPTY(*namelist))
411 free_namelist(msg, namelist);
412 if (shared != NULL)
413 isc_buffer_free(&shared);
414 if (pubkey != NULL)
415 dst_key_free(&pubkey);
416 if (randomdata != NULL)
417 isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
418 return (result);
419 }
420
421 static isc_result_t
422 process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
423 dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
424 dns_rdata_tkey_t *tkeyout,
425 dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
426 {
427 isc_result_t result = ISC_R_SUCCESS;
428 dst_key_t *dstkey = NULL;
429 dns_tsigkey_t *tsigkey = NULL;
430 dns_fixedname_t principal;
431 isc_stdtime_t now;
432 isc_region_t intoken;
433 isc_buffer_t *outtoken = NULL;
434 gss_ctx_id_t gss_ctx = NULL;
435
436 UNUSED(namelist);
437 UNUSED(signer);
438
439 if (tctx->gsscred == NULL)
440 return (ISC_R_NOPERM);
441
442 if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
443 !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
444 tkeyout->error = dns_tsigerror_badalg;
445 tkey_log("process_gsstkey(): dns_tsigerror_badalg"); /* XXXSRA */
446 return (ISC_R_SUCCESS);
447 }
448
449 /*
450 * XXXDCL need to check for key expiry per 4.1.1
451 * XXXDCL need a way to check fully established, perhaps w/key_flags
452 */
453
454 intoken.base = tkeyin->key;
455 intoken.length = tkeyin->keylen;
456
457 result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
458 if (result == ISC_R_SUCCESS)
459 gss_ctx = dst_key_getgssctx(tsigkey->key);
460
461
462 dns_fixedname_init(&principal);
463
464 result = dst_gssapi_acceptctx(tctx->gsscred, &intoken,
465 &outtoken, &gss_ctx,
466 dns_fixedname_name(&principal),
467 tctx->mctx);
468
469 if (tsigkey != NULL)
470 dns_tsigkey_detach(&tsigkey);
471
472 if (result == DNS_R_INVALIDTKEY) {
473 tkeyout->error = dns_tsigerror_badkey;
474 tkey_log("process_gsstkey(): dns_tsigerror_badkey"); /* XXXSRA */
475 return (ISC_R_SUCCESS);
476 } else if (result == ISC_R_FAILURE)
477 goto failure;
478 ENSURE(result == DNS_R_CONTINUE || result == ISC_R_SUCCESS);
479 /*
480 * XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
481 */
482
483 if (tsigkey == NULL) {
484 RETERR(dst_key_fromgssapi(name, gss_ctx, msg->mctx, &dstkey));
485 RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
486 dstkey, ISC_TRUE,
487 dns_fixedname_name(&principal),
488 tkeyin->inception,
489 tkeyin->expire,
490 ring->mctx, ring, NULL));
491 }
492
493 isc_stdtime_get(&now);
494 tkeyout->inception = tkeyin->inception;
495 tkeyout->expire = tkeyin->expire;
496
497 if (outtoken) {
498 tkeyout->key = isc_mem_get(tkeyout->mctx,
499 isc_buffer_usedlength(outtoken));
500 if (tkeyout->key == NULL) {
501 result = ISC_R_NOMEMORY;
502 goto failure;
503 }
504 tkeyout->keylen = isc_buffer_usedlength(outtoken);
505 memcpy(tkeyout->key, isc_buffer_base(outtoken),
506 isc_buffer_usedlength(outtoken));
507 isc_buffer_free(&outtoken);
508 } else {
509 tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
510 if (tkeyout->key == NULL) {
511 result = ISC_R_NOMEMORY;
512 goto failure;
513 }
514 tkeyout->keylen = tkeyin->keylen;
515 memcpy(tkeyout->key, tkeyin->key, tkeyin->keylen);
516 }
517
518 tkeyout->error = dns_rcode_noerror;
519
520 tkey_log("process_gsstkey(): dns_tsigerror_noerror"); /* XXXSRA */
521
522 return (ISC_R_SUCCESS);
523
524 failure:
525 if (dstkey != NULL)
526 dst_key_free(&dstkey);
527
528 if (outtoken != NULL)
529 isc_buffer_free(&outtoken);
530
531 tkey_log("process_gsstkey(): %s",
532 isc_result_totext(result)); /* XXXSRA */
533
534 return (result);
535 }
536
537 static isc_result_t
538 process_deletetkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
539 dns_rdata_tkey_t *tkeyin,
540 dns_rdata_tkey_t *tkeyout,
541 dns_tsig_keyring_t *ring,
542 dns_namelist_t *namelist)
543 {
544 isc_result_t result;
545 dns_tsigkey_t *tsigkey = NULL;
546 dns_name_t *identity;
547
548 UNUSED(msg);
549 UNUSED(namelist);
550
551 result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
552 if (result != ISC_R_SUCCESS) {
553 tkeyout->error = dns_tsigerror_badname;
554 return (ISC_R_SUCCESS);
555 }
556
557 /*
558 * Only allow a delete if the identity that created the key is the
559 * same as the identity that signed the message.
560 */
561 identity = dns_tsigkey_identity(tsigkey);
562 if (identity == NULL || !dns_name_equal(identity, signer)) {
563 dns_tsigkey_detach(&tsigkey);
564 return (DNS_R_REFUSED);
565 }
566
567 /*
568 * Set the key to be deleted when no references are left. If the key
569 * was not generated with TKEY and is in the config file, it may be
570 * reloaded later.
571 */
572 dns_tsigkey_setdeleted(tsigkey);
573
574 /* Release the reference */
575 dns_tsigkey_detach(&tsigkey);
576
577 return (ISC_R_SUCCESS);
578 }
579
580 isc_result_t
581 dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
582 dns_tsig_keyring_t *ring)
583 {
584 isc_result_t result = ISC_R_SUCCESS;
585 dns_rdata_tkey_t tkeyin, tkeyout;
586 isc_boolean_t freetkeyin = ISC_FALSE;
587 dns_name_t *qname, *name, *keyname, *signer, tsigner;
588 dns_fixedname_t fkeyname;
589 dns_rdataset_t *tkeyset;
590 dns_rdata_t rdata;
591 dns_namelist_t namelist;
592 char tkeyoutdata[512];
593 isc_buffer_t tkeyoutbuf;
594
595 REQUIRE(msg != NULL);
596 REQUIRE(tctx != NULL);
597 REQUIRE(ring != NULL);
598
599 ISC_LIST_INIT(namelist);
600
601 /*
602 * Interpret the question section.
603 */
604 result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
605 if (result != ISC_R_SUCCESS)
606 return (DNS_R_FORMERR);
607
608 qname = NULL;
609 dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
610
611 /*
612 * Look for a TKEY record that matches the question.
613 */
614 tkeyset = NULL;
615 name = NULL;
616 result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
617 dns_rdatatype_tkey, 0, &name, &tkeyset);
618 if (result != ISC_R_SUCCESS) {
619 /*
620 * Try the answer section, since that's where Win2000
621 * puts it.
622 */
623 if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
624 dns_rdatatype_tkey, 0, &name,
625 &tkeyset) != ISC_R_SUCCESS) {
626 result = DNS_R_FORMERR;
627 tkey_log("dns_tkey_processquery: couldn't find a TKEY "
628 "matching the question");
629 goto failure;
630 }
631 }
632 result = dns_rdataset_first(tkeyset);
633 if (result != ISC_R_SUCCESS) {
634 result = DNS_R_FORMERR;
635 goto failure;
636 }
637 dns_rdata_init(&rdata);
638 dns_rdataset_current(tkeyset, &rdata);
639
640 RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
641 freetkeyin = ISC_TRUE;
642
643 if (tkeyin.error != dns_rcode_noerror) {
644 result = DNS_R_FORMERR;
645 goto failure;
646 }
647
648 /*
649 * Before we go any farther, verify that the message was signed.
650 * GSSAPI TKEY doesn't require a signature, the rest do.
651 */
652 dns_name_init(&tsigner, NULL);
653 result = dns_message_signer(msg, &tsigner);
654 if (result != ISC_R_SUCCESS) {
655 if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
656 result == ISC_R_NOTFOUND)
657 signer = NULL;
658 else {
659 tkey_log("dns_tkey_processquery: query was not "
660 "properly signed - rejecting");
661 result = DNS_R_FORMERR;
662 goto failure;
663 }
664 } else
665 signer = &tsigner;
666
667 tkeyout.common.rdclass = tkeyin.common.rdclass;
668 tkeyout.common.rdtype = tkeyin.common.rdtype;
669 ISC_LINK_INIT(&tkeyout.common, link);
670 tkeyout.mctx = msg->mctx;
671
672 dns_name_init(&tkeyout.algorithm, NULL);
673 dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
674
675 tkeyout.inception = tkeyout.expire = 0;
676 tkeyout.mode = tkeyin.mode;
677 tkeyout.error = 0;
678 tkeyout.keylen = tkeyout.otherlen = 0;
679 tkeyout.key = tkeyout.other = NULL;
680
681 /*
682 * A delete operation must have a fully specified key name. If this
683 * is not a delete, we do the following:
684 * if (qname != ".")
685 * keyname = qname + defaultdomain
686 * else
687 * keyname = <random hex> + defaultdomain
688 */
689 if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
690 dns_tsigkey_t *tsigkey = NULL;
691
692 if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
693 tkey_log("dns_tkey_processquery: tkey-domain not set");
694 result = DNS_R_REFUSED;
695 goto failure;
696 }
697
698 dns_fixedname_init(&fkeyname);
699 keyname = dns_fixedname_name(&fkeyname);
700
701 if (!dns_name_equal(qname, dns_rootname)) {
702 unsigned int n = dns_name_countlabels(qname);
703 RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
704 == ISC_R_SUCCESS);
705 dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
706 } else {
707 static char hexdigits[16] = {
708 '0', '1', '2', '3', '4', '5', '6', '7',
709 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
710 unsigned char randomdata[16];
711 char randomtext[32];
712 isc_buffer_t b;
713 unsigned int i, j;
714
715 result = isc_entropy_getdata(tctx->ectx,
716 randomdata,
717 sizeof(randomdata),
718 NULL, 0);
719 if (result != ISC_R_SUCCESS)
720 goto failure;
721
722 for (i = 0, j = 0; i < sizeof(randomdata); i++) {
723 unsigned char val = randomdata[i];
724 randomtext[j++] = hexdigits[val >> 4];
725 randomtext[j++] = hexdigits[val & 0xF];
726 }
727 isc_buffer_init(&b, randomtext, sizeof(randomtext));
728 isc_buffer_add(&b, sizeof(randomtext));
729 result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
730 if (result != ISC_R_SUCCESS)
731 goto failure;
732 }
733
734 if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
735 /* Yup. This is a hack */
736 result = dns_name_concatenate(keyname, dns_rootname,
737 keyname, NULL);
738 if (result != ISC_R_SUCCESS)
739 goto failure;
740 } else {
741 result = dns_name_concatenate(keyname, tctx->domain,
742 keyname, NULL);
743 if (result != ISC_R_SUCCESS)
744 goto failure;
745 }
746
747 result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
748
749 if (result == ISC_R_SUCCESS) {
750 tkeyout.error = dns_tsigerror_badname;
751 dns_tsigkey_detach(&tsigkey);
752 goto failure_with_tkey;
753 } else if (result != ISC_R_NOTFOUND)
754 goto failure;
755 } else
756 keyname = qname;
757
758 switch (tkeyin.mode) {
759 case DNS_TKEYMODE_DIFFIEHELLMAN:
760 tkeyout.error = dns_rcode_noerror;
761 RETERR(process_dhtkey(msg, signer, keyname, &tkeyin,
762 tctx, &tkeyout, ring,
763 &namelist));
764 break;
765 case DNS_TKEYMODE_GSSAPI:
766 tkeyout.error = dns_rcode_noerror;
767 RETERR(process_gsstkey(msg, signer, keyname, &tkeyin,
768 tctx, &tkeyout, ring,
769 &namelist));
770
771 break;
772 case DNS_TKEYMODE_DELETE:
773 tkeyout.error = dns_rcode_noerror;
774 RETERR(process_deletetkey(msg, signer, keyname,
775 &tkeyin, &tkeyout,
776 ring, &namelist));
777 break;
778 case DNS_TKEYMODE_SERVERASSIGNED:
779 case DNS_TKEYMODE_RESOLVERASSIGNED:
780 result = DNS_R_NOTIMP;
781 goto failure;
782 default:
783 tkeyout.error = dns_tsigerror_badmode;
784 }
785
786 failure_with_tkey:
787 dns_rdata_init(&rdata);
788 isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
789 result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
790 tkeyout.common.rdtype, &tkeyout,
791 &tkeyoutbuf);
792
793 if (freetkeyin) {
794 dns_rdata_freestruct(&tkeyin);
795 freetkeyin = ISC_FALSE;
796 }
797
798 if (tkeyout.key != NULL)
799 isc_mem_put(tkeyout.mctx, tkeyout.key, tkeyout.keylen);
800 if (tkeyout.other != NULL)
801 isc_mem_put(tkeyout.mctx, tkeyout.other, tkeyout.otherlen);
802 if (result != ISC_R_SUCCESS)
803 goto failure;
804
805 RETERR(add_rdata_to_list(msg, keyname, &rdata, 0, &namelist));
806
807 RETERR(dns_message_reply(msg, ISC_TRUE));
808
809 name = ISC_LIST_HEAD(namelist);
810 while (name != NULL) {
811 dns_name_t *next = ISC_LIST_NEXT(name, link);
812 ISC_LIST_UNLINK(namelist, name, link);
813 dns_message_addname(msg, name, DNS_SECTION_ANSWER);
814 name = next;
815 }
816
817 return (ISC_R_SUCCESS);
818
819 failure:
820 if (freetkeyin)
821 dns_rdata_freestruct(&tkeyin);
822 if (!ISC_LIST_EMPTY(namelist))
823 free_namelist(msg, &namelist);
824 return (result);
825 }
826
827 static isc_result_t
828 buildquery(dns_message_t *msg, dns_name_t *name,
829 dns_rdata_tkey_t *tkey, isc_boolean_t win2k)
830 {
831 dns_name_t *qname = NULL, *aname = NULL;
832 dns_rdataset_t *question = NULL, *tkeyset = NULL;
833 dns_rdatalist_t *tkeylist = NULL;
834 dns_rdata_t *rdata = NULL;
835 isc_buffer_t *dynbuf = NULL;
836 isc_result_t result;
837
838 REQUIRE(msg != NULL);
839 REQUIRE(name != NULL);
840 REQUIRE(tkey != NULL);
841
842 RETERR(dns_message_gettempname(msg, &qname));
843 RETERR(dns_message_gettempname(msg, &aname));
844
845 RETERR(dns_message_gettemprdataset(msg, &question));
846 dns_rdataset_init(question);
847 dns_rdataset_makequestion(question, dns_rdataclass_any,
848 dns_rdatatype_tkey);
849
850 RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 4096));
851 RETERR(dns_message_gettemprdata(msg, &rdata));
852
853 RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
854 dns_rdatatype_tkey, tkey, dynbuf));
855 dns_message_takebuffer(msg, &dynbuf);
856
857 RETERR(dns_message_gettemprdatalist(msg, &tkeylist));
858 tkeylist->rdclass = dns_rdataclass_any;
859 tkeylist->type = dns_rdatatype_tkey;
860 tkeylist->covers = 0;
861 tkeylist->ttl = 0;
862 ISC_LIST_INIT(tkeylist->rdata);
863 ISC_LIST_APPEND(tkeylist->rdata, rdata, link);
864
865 RETERR(dns_message_gettemprdataset(msg, &tkeyset));
866 dns_rdataset_init(tkeyset);
867 RETERR(dns_rdatalist_tordataset(tkeylist, tkeyset));
868
869 dns_name_init(qname, NULL);
870 dns_name_clone(name, qname);
871
872 dns_name_init(aname, NULL);
873 dns_name_clone(name, aname);
874
875 ISC_LIST_APPEND(qname->list, question, link);
876 ISC_LIST_APPEND(aname->list, tkeyset, link);
877
878 dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
879
880 /*
881 * Windows 2000 needs this in the answer section, not the additional
882 * section where the RFC specifies.
883 */
884 if (win2k)
885 dns_message_addname(msg, aname, DNS_SECTION_ANSWER);
886 else
887 dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
888
889 return (ISC_R_SUCCESS);
890
891 failure:
892 if (qname != NULL)
893 dns_message_puttempname(msg, &qname);
894 if (aname != NULL)
895 dns_message_puttempname(msg, &aname);
896 if (question != NULL) {
897 dns_rdataset_disassociate(question);
898 dns_message_puttemprdataset(msg, &question);
899 }
900 if (dynbuf != NULL)
901 isc_buffer_free(&dynbuf);
902 printf("buildquery error\n");
903 return (result);
904 }
905
906 isc_result_t
907 dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
908 dns_name_t *algorithm, isc_buffer_t *nonce,
909 isc_uint32_t lifetime)
910 {
911 dns_rdata_tkey_t tkey;
912 dns_rdata_t *rdata = NULL;
913 isc_buffer_t *dynbuf = NULL;
914 isc_region_t r;
915 dns_name_t keyname;
916 dns_namelist_t namelist;
917 isc_result_t result;
918 isc_stdtime_t now;
919
920 REQUIRE(msg != NULL);
921 REQUIRE(key != NULL);
922 REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
923 REQUIRE(dst_key_isprivate(key));
924 REQUIRE(name != NULL);
925 REQUIRE(algorithm != NULL);
926
927 tkey.common.rdclass = dns_rdataclass_any;
928 tkey.common.rdtype = dns_rdatatype_tkey;
929 ISC_LINK_INIT(&tkey.common, link);
930 tkey.mctx = msg->mctx;
931 dns_name_init(&tkey.algorithm, NULL);
932 dns_name_clone(algorithm, &tkey.algorithm);
933 isc_stdtime_get(&now);
934 tkey.inception = now;
935 tkey.expire = now + lifetime;
936 tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
937 if (nonce != NULL)
938 isc_buffer_usedregion(nonce, &r);
939 else {
940 r.base = isc_mem_get(msg->mctx, 0);
941 r.length = 0;
942 }
943 tkey.error = 0;
944 tkey.key = r.base;
945 tkey.keylen = r.length;
946 tkey.other = NULL;
947 tkey.otherlen = 0;
948
949 RETERR(buildquery(msg, name, &tkey, ISC_FALSE));
950
951 if (nonce == NULL)
952 isc_mem_put(msg->mctx, r.base, 0);
953
954 RETERR(dns_message_gettemprdata(msg, &rdata));
955 RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
956 RETERR(dst_key_todns(key, dynbuf));
957 isc_buffer_usedregion(dynbuf, &r);
958 dns_rdata_fromregion(rdata, dns_rdataclass_any,
959 dns_rdatatype_key, &r);
960 dns_message_takebuffer(msg, &dynbuf);
961
962 dns_name_init(&keyname, NULL);
963 dns_name_clone(dst_key_name(key), &keyname);
964
965 ISC_LIST_INIT(namelist);
966 RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
967 dns_message_addname(msg, ISC_LIST_HEAD(namelist),
968 DNS_SECTION_ADDITIONAL);
969
970 return (ISC_R_SUCCESS);
971
972 failure:
973
974 if (dynbuf != NULL)
975 isc_buffer_free(&dynbuf);
976 return (result);
977 }
978
979 isc_result_t
980 dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
981 isc_buffer_t *intoken, isc_uint32_t lifetime,
982 gss_ctx_id_t *context, isc_boolean_t win2k)
983 {
984 dns_rdata_tkey_t tkey;
985 isc_result_t result;
986 isc_stdtime_t now;
987 isc_buffer_t token;
988 unsigned char array[4096];
989
990 UNUSED(intoken);
991
992 REQUIRE(msg != NULL);
993 REQUIRE(name != NULL);
994 REQUIRE(gname != NULL);
995 REQUIRE(context != NULL);
996
997 isc_buffer_init(&token, array, sizeof(array));
998 result = dst_gssapi_initctx(gname, NULL, &token, context);
999 if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
1000 return (result);
1001
1002 tkey.common.rdclass = dns_rdataclass_any;
1003 tkey.common.rdtype = dns_rdatatype_tkey;
1004 ISC_LINK_INIT(&tkey.common, link);
1005 tkey.mctx = NULL;
1006 dns_name_init(&tkey.algorithm, NULL);
1007
1008 if (win2k)
1009 dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
1010 else
1011 dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
1012
1013 isc_stdtime_get(&now);
1014 tkey.inception = now;
1015 tkey.expire = now + lifetime;
1016 tkey.mode = DNS_TKEYMODE_GSSAPI;
1017 tkey.error = 0;
1018 tkey.key = isc_buffer_base(&token);
1019 tkey.keylen = isc_buffer_usedlength(&token);
1020 tkey.other = NULL;
1021 tkey.otherlen = 0;
1022
1023 RETERR(buildquery(msg, name, &tkey, win2k));
1024
1025 return (ISC_R_SUCCESS);
1026
1027 failure:
1028 return (result);
1029 }
1030
1031 isc_result_t
1032 dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
1033 dns_rdata_tkey_t tkey;
1034
1035 REQUIRE(msg != NULL);
1036 REQUIRE(key != NULL);
1037
1038 tkey.common.rdclass = dns_rdataclass_any;
1039 tkey.common.rdtype = dns_rdatatype_tkey;
1040 ISC_LINK_INIT(&tkey.common, link);
1041 tkey.mctx = msg->mctx;
1042 dns_name_init(&tkey.algorithm, NULL);
1043 dns_name_clone(key->algorithm, &tkey.algorithm);
1044 tkey.inception = tkey.expire = 0;
1045 tkey.mode = DNS_TKEYMODE_DELETE;
1046 tkey.error = 0;
1047 tkey.keylen = tkey.otherlen = 0;
1048 tkey.key = tkey.other = NULL;
1049
1050 return (buildquery(msg, &key->name, &tkey, ISC_FALSE));
1051 }
1052
1053 static isc_result_t
1054 find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
1055 int section)
1056 {
1057 dns_rdataset_t *tkeyset;
1058 isc_result_t result;
1059
1060 result = dns_message_firstname(msg, section);
1061 while (result == ISC_R_SUCCESS) {
1062 *name = NULL;
1063 dns_message_currentname(msg, section, name);
1064 tkeyset = NULL;
1065 result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
1066 &tkeyset);
1067 if (result == ISC_R_SUCCESS) {
1068 result = dns_rdataset_first(tkeyset);
1069 if (result != ISC_R_SUCCESS)
1070 return (result);
1071 dns_rdataset_current(tkeyset, rdata);
1072 return (ISC_R_SUCCESS);
1073 }
1074 result = dns_message_nextname(msg, section);
1075 }
1076 if (result == ISC_R_NOMORE)
1077 return (ISC_R_NOTFOUND);
1078 return (result);
1079 }
1080
1081 isc_result_t
1082 dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
1083 dst_key_t *key, isc_buffer_t *nonce,
1084 dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
1085 {
1086 dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
1087 dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
1088 dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
1089 dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
1090 dst_key_t *theirkey = NULL;
1091 dns_rdata_tkey_t qtkey, rtkey;
1092 unsigned char secretdata[256];
1093 unsigned int sharedsize;
1094 isc_buffer_t *shared = NULL, secret;
1095 isc_region_t r, r2;
1096 isc_result_t result;
1097 isc_boolean_t freertkey = ISC_FALSE;
1098
1099 REQUIRE(qmsg != NULL);
1100 REQUIRE(rmsg != NULL);
1101 REQUIRE(key != NULL);
1102 REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
1103 REQUIRE(dst_key_isprivate(key));
1104 if (outkey != NULL)
1105 REQUIRE(*outkey == NULL);
1106
1107 if (rmsg->rcode != dns_rcode_noerror)
1108 return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
1109 RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
1110 RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
1111 freertkey = ISC_TRUE;
1112
1113 RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
1114 DNS_SECTION_ADDITIONAL));
1115 RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
1116
1117 if (rtkey.error != dns_rcode_noerror ||
1118 rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
1119 rtkey.mode != qtkey.mode ||
1120 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
1121 rmsg->rcode != dns_rcode_noerror) {
1122 tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
1123 "or error set(1)");
1124 result = DNS_R_INVALIDTKEY;
1125 dns_rdata_freestruct(&qtkey);
1126 goto failure;
1127 }
1128
1129 dns_rdata_freestruct(&qtkey);
1130
1131 dns_name_init(&keyname, NULL);
1132 dns_name_clone(dst_key_name(key), &keyname);
1133
1134 ourkeyname = NULL;
1135 ourkeyset = NULL;
1136 RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
1137 dns_rdatatype_key, 0, &ourkeyname,
1138 &ourkeyset));
1139
1140 result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
1141 while (result == ISC_R_SUCCESS) {
1142 theirkeyname = NULL;
1143 dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
1144 &theirkeyname);
1145 if (dns_name_equal(theirkeyname, ourkeyname))
1146 goto next;
1147 theirkeyset = NULL;
1148 result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
1149 0, &theirkeyset);
1150 if (result == ISC_R_SUCCESS) {
1151 RETERR(dns_rdataset_first(theirkeyset));
1152 break;
1153 }
1154 next:
1155 result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
1156 }
1157
1158 if (theirkeyset == NULL) {
1159 tkey_log("dns_tkey_processdhresponse: failed to find server "
1160 "key");
1161 result = ISC_R_NOTFOUND;
1162 goto failure;
1163 }
1164
1165 dns_rdataset_current(theirkeyset, &theirkeyrdata);
1166 RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata,
1167 rmsg->mctx, &theirkey));
1168
1169 RETERR(dst_key_secretsize(key, &sharedsize));
1170 RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize));
1171
1172 RETERR(dst_key_computesecret(theirkey, key, shared));
1173
1174 isc_buffer_init(&secret, secretdata, sizeof(secretdata));
1175
1176 r.base = rtkey.key;
1177 r.length = rtkey.keylen;
1178 if (nonce != NULL)
1179 isc_buffer_usedregion(nonce, &r2);
1180 else {
1181 r2.base = isc_mem_get(rmsg->mctx, 0);
1182 r2.length = 0;
1183 }
1184 RETERR(compute_secret(shared, &r2, &r, &secret));
1185 if (nonce == NULL)
1186 isc_mem_put(rmsg->mctx, r2.base, 0);
1187
1188 isc_buffer_usedregion(&secret, &r);
1189 result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
1190 r.base, r.length, ISC_TRUE,
1191 NULL, rtkey.inception, rtkey.expire,
1192 rmsg->mctx, ring, outkey);
1193 isc_buffer_free(&shared);
1194 dns_rdata_freestruct(&rtkey);
1195 dst_key_free(&theirkey);
1196 return (result);
1197
1198 failure:
1199 if (shared != NULL)
1200 isc_buffer_free(&shared);
1201
1202 if (theirkey != NULL)
1203 dst_key_free(&theirkey);
1204
1205 if (freertkey)
1206 dns_rdata_freestruct(&rtkey);
1207
1208 return (result);
1209 }
1210
1211 isc_result_t
1212 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
1213 dns_name_t *gname, gss_ctx_id_t *context,
1214 isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
1215 dns_tsig_keyring_t *ring)
1216 {
1217 dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
1218 dns_name_t *tkeyname;
1219 dns_rdata_tkey_t rtkey, qtkey;
1220 dst_key_t *dstkey = NULL;
1221 isc_buffer_t intoken;
1222 isc_result_t result;
1223 unsigned char array[1024];
1224
1225 REQUIRE(outtoken != NULL);
1226 REQUIRE(qmsg != NULL);
1227 REQUIRE(rmsg != NULL);
1228 REQUIRE(gname != NULL);
1229 if (outkey != NULL)
1230 REQUIRE(*outkey == NULL);
1231
1232 if (rmsg->rcode != dns_rcode_noerror)
1233 return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
1234 RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
1235 RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
1236
1237 /*
1238 * Win2k puts the item in the ANSWER section, while the RFC
1239 * specifies it should be in the ADDITIONAL section. Check first
1240 * where it should be, and then where it may be.
1241 */
1242 result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
1243 DNS_SECTION_ADDITIONAL);
1244 if (result == ISC_R_NOTFOUND)
1245 result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
1246 DNS_SECTION_ANSWER);
1247 if (result != ISC_R_SUCCESS)
1248 goto failure;
1249
1250 RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
1251
1252 if (rtkey.error != dns_rcode_noerror ||
1253 rtkey.mode != DNS_TKEYMODE_GSSAPI ||
1254 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm)) {
1255 tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
1256 "or error set(2) %d", rtkey.error);
1257 _dns_tkey_dumpmessage(qmsg);
1258 _dns_tkey_dumpmessage(rmsg);
1259 result = DNS_R_INVALIDTKEY;
1260 goto failure;
1261 }
1262
1263 isc_buffer_init(outtoken, array, sizeof(array));
1264 isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
1265 RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context));
1266
1267 dstkey = NULL;
1268 RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
1269 &dstkey));
1270
1271 RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
1272 dstkey, ISC_FALSE, NULL,
1273 rtkey.inception, rtkey.expire,
1274 ring->mctx, ring, outkey));
1275
1276 dns_rdata_freestruct(&rtkey);
1277 return (result);
1278
1279 failure:
1280 /*
1281 * XXXSRA This probably leaks memory from rtkey and qtkey.
1282 */
1283 return (result);
1284 }
1285
1286 isc_result_t
1287 dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
1288 dns_tsig_keyring_t *ring)
1289 {
1290 dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
1291 dns_name_t *tkeyname, *tempname;
1292 dns_rdata_tkey_t qtkey, rtkey;
1293 dns_tsigkey_t *tsigkey = NULL;
1294 isc_result_t result;
1295
1296 REQUIRE(qmsg != NULL);
1297 REQUIRE(rmsg != NULL);
1298
1299 if (rmsg->rcode != dns_rcode_noerror)
1300 return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
1301
1302 RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
1303 RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
1304
1305 RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
1306 DNS_SECTION_ADDITIONAL));
1307 RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
1308
1309 if (rtkey.error != dns_rcode_noerror ||
1310 rtkey.mode != DNS_TKEYMODE_DELETE ||
1311 rtkey.mode != qtkey.mode ||
1312 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
1313 rmsg->rcode != dns_rcode_noerror) {
1314 tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
1315 "or error set(3)");
1316 result = DNS_R_INVALIDTKEY;
1317 dns_rdata_freestruct(&qtkey);
1318 dns_rdata_freestruct(&rtkey);
1319 goto failure;
1320 }
1321
1322 dns_rdata_freestruct(&qtkey);
1323
1324 RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
1325
1326 dns_rdata_freestruct(&rtkey);
1327
1328 /*
1329 * Mark the key as deleted.
1330 */
1331 dns_tsigkey_setdeleted(tsigkey);
1332 /*
1333 * Release the reference.
1334 */
1335 dns_tsigkey_detach(&tsigkey);
1336
1337 failure:
1338 return (result);
1339 }
1340
1341 isc_result_t
1342 dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
1343 dns_name_t *server, gss_ctx_id_t *context,
1344 dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
1345 isc_boolean_t win2k)
1346 {
1347 dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
1348 dns_name_t *tkeyname;
1349 dns_rdata_tkey_t rtkey, qtkey;
1350 isc_buffer_t intoken, outtoken;
1351 dst_key_t *dstkey = NULL;
1352 isc_result_t result;
1353 unsigned char array[1024];
1354
1355 REQUIRE(qmsg != NULL);
1356 REQUIRE(rmsg != NULL);
1357 REQUIRE(server != NULL);
1358 if (outkey != NULL)
1359 REQUIRE(*outkey == NULL);
1360
1361 if (rmsg->rcode != dns_rcode_noerror)
1362 return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
1363
1364 RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
1365 RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
1366
1367 if (win2k == ISC_TRUE)
1368 RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
1369 DNS_SECTION_ANSWER));
1370 else
1371 RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
1372 DNS_SECTION_ADDITIONAL));
1373
1374 RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
1375
1376 if (rtkey.error != dns_rcode_noerror ||
1377 rtkey.mode != DNS_TKEYMODE_GSSAPI ||
1378 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
1379 {
1380 tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
1381 "or error set(4)");
1382 result = DNS_R_INVALIDTKEY;
1383 goto failure;
1384 }
1385
1386 isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
1387 isc_buffer_init(&outtoken, array, sizeof(array));
1388
1389 result = dst_gssapi_initctx(server, &intoken, &outtoken, context);
1390 if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
1391 return (result);
1392
1393 dstkey = NULL;
1394 RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
1395 &dstkey));
1396
1397 /*
1398 * XXXSRA This seems confused. If we got CONTINUE from initctx,
1399 * the GSS negotiation hasn't completed yet, so we can't sign
1400 * anything yet.
1401 */
1402
1403 RETERR(dns_tsigkey_createfromkey(tkeyname,
1404 (win2k
1405 ? DNS_TSIG_GSSAPIMS_NAME
1406 : DNS_TSIG_GSSAPI_NAME),
1407 dstkey, ISC_TRUE, NULL,
1408 rtkey.inception, rtkey.expire,
1409 ring->mctx, ring, outkey));
1410
1411 dns_rdata_freestruct(&rtkey);
1412 return (result);
1413
1414 failure:
1415 /*
1416 * XXXSRA This probably leaks memory from qtkey.
1417 */
1418 dns_rdata_freestruct(&rtkey);
1419 return (result);
1420 }
NetBSD on the FriendlyARM MINI2440