00001
00002
00003
00004
00005
00006
00007
00008
00009
00010 #include <ldns/config.h>
00011
00012 #include <ldns/ldns.h>
00013
00014 #include <strings.h>
00015
00016 #ifdef HAVE_SSL
00017 #include <openssl/hmac.h>
00018 #include <openssl/md5.h>
00019 #endif
00020
00021 char *
00022 ldns_tsig_algorithm(ldns_tsig_credentials *tc)
00023 {
00024 return tc->algorithm;
00025 }
00026
00027 char *
00028 ldns_tsig_keyname(ldns_tsig_credentials *tc)
00029 {
00030 return tc->keyname;
00031 }
00032
00033 char *
00034 ldns_tsig_keydata(ldns_tsig_credentials *tc)
00035 {
00036 return tc->keydata;
00037 }
00038
00039 char *
00040 ldns_tsig_keyname_clone(ldns_tsig_credentials *tc)
00041 {
00042 return strdup(tc->keyname);
00043 }
00044
00045 char *
00046 ldns_tsig_keydata_clone(ldns_tsig_credentials *tc)
00047 {
00048 return strdup(tc->keydata);
00049 }
00050
00051
00052
00053
00054 static uint8_t *
00055 ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
00056 {
00057 uint8_t *wire2 = NULL;
00058 uint16_t qd_count;
00059 uint16_t an_count;
00060 uint16_t ns_count;
00061 uint16_t ar_count;
00062 ldns_rr *rr;
00063
00064 size_t pos;
00065 uint16_t i;
00066
00067 ldns_status status;
00068
00069 if(wire_len < LDNS_HEADER_SIZE) {
00070 return NULL;
00071 }
00072
00073 qd_count = LDNS_QDCOUNT(wire);
00074 an_count = LDNS_ANCOUNT(wire);
00075 ns_count = LDNS_NSCOUNT(wire);
00076 ar_count = LDNS_ARCOUNT(wire);
00077
00078 if (ar_count > 0) {
00079 ar_count--;
00080 } else {
00081 return NULL;
00082 }
00083
00084 pos = LDNS_HEADER_SIZE;
00085
00086 for (i = 0; i < qd_count; i++) {
00087 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_QUESTION);
00088 if (status != LDNS_STATUS_OK) {
00089 return NULL;
00090 }
00091 ldns_rr_free(rr);
00092 }
00093
00094 for (i = 0; i < an_count; i++) {
00095 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_ANSWER);
00096 if (status != LDNS_STATUS_OK) {
00097 return NULL;
00098 }
00099 ldns_rr_free(rr);
00100 }
00101
00102 for (i = 0; i < ns_count; i++) {
00103 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_AUTHORITY);
00104 if (status != LDNS_STATUS_OK) {
00105 return NULL;
00106 }
00107 ldns_rr_free(rr);
00108 }
00109
00110 for (i = 0; i < ar_count; i++) {
00111 status = ldns_wire2rr(&rr, wire, wire_len, &pos,
00112 LDNS_SECTION_ADDITIONAL);
00113 if (status != LDNS_STATUS_OK) {
00114 return NULL;
00115 }
00116 ldns_rr_free(rr);
00117 }
00118
00119 *result_len = pos;
00120 wire2 = LDNS_XMALLOC(uint8_t, *result_len);
00121 if(!wire2) {
00122 return NULL;
00123 }
00124 memcpy(wire2, wire, *result_len);
00125
00126 ldns_write_uint16(wire2 + LDNS_ARCOUNT_OFF, ar_count);
00127
00128 return wire2;
00129 }
00130
00131 #ifdef HAVE_SSL
00132 static const EVP_MD *
00133 ldns_digest_function(char *name)
00134 {
00135
00136
00137 if (strcasecmp(name, "hmac-sha256.") == 0) {
00138 #ifdef HAVE_EVP_SHA256
00139 return EVP_sha256();
00140 #else
00141 return NULL;
00142 #endif
00143 } else if (strcasecmp(name, "hmac-sha1.") == 0) {
00144 return EVP_sha1();
00145 } else if (strcasecmp(name, "hmac-md5.sig-alg.reg.int.") == 0) {
00146 return EVP_md5();
00147 } else {
00148 return NULL;
00149 }
00150 }
00151 #endif
00152
00153 #ifdef HAVE_SSL
00154 static ldns_status
00155 ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size,
00156 const char *key_data, ldns_rdf *key_name_rdf, ldns_rdf *fudge_rdf,
00157 ldns_rdf *algorithm_rdf, ldns_rdf *time_signed_rdf, ldns_rdf *error_rdf,
00158 ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
00159 {
00160 ldns_status status;
00161 char *wireformat;
00162 int wiresize;
00163 unsigned char *mac_bytes = NULL;
00164 unsigned char *key_bytes = NULL;
00165 int key_size;
00166 const EVP_MD *digester;
00167 char *algorithm_name = NULL;
00168 unsigned int md_len = EVP_MAX_MD_SIZE;
00169 ldns_rdf *result = NULL;
00170 ldns_buffer *data_buffer = NULL;
00171 ldns_rdf *canonical_key_name_rdf = NULL;
00172 ldns_rdf *canonical_algorithm_rdf = NULL;
00173
00174 if (key_name_rdf == NULL || algorithm_rdf == NULL) {
00175 return LDNS_STATUS_NULL;
00176 }
00177 canonical_key_name_rdf = ldns_rdf_clone(key_name_rdf);
00178 if (canonical_key_name_rdf == NULL) {
00179 return LDNS_STATUS_MEM_ERR;
00180 }
00181 canonical_algorithm_rdf = ldns_rdf_clone(algorithm_rdf);
00182 if (canonical_algorithm_rdf == NULL) {
00183 ldns_rdf_deep_free(canonical_key_name_rdf);
00184 return LDNS_STATUS_MEM_ERR;
00185 }
00186
00187
00188
00189 data_buffer = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00190 if (!data_buffer) {
00191 status = LDNS_STATUS_MEM_ERR;
00192 goto clean;
00193 }
00194
00195 if (orig_mac_rdf) {
00196 (void) ldns_rdf2buffer_wire(data_buffer, orig_mac_rdf);
00197 }
00198 ldns_buffer_write(data_buffer, pkt_wire, pkt_wire_size);
00199 if (!tsig_timers_only) {
00200 ldns_dname2canonical(canonical_key_name_rdf);
00201 (void)ldns_rdf2buffer_wire(data_buffer,
00202 canonical_key_name_rdf);
00203 ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY);
00204 ldns_buffer_write_u32(data_buffer, 0);
00205 ldns_dname2canonical(canonical_algorithm_rdf);
00206 (void)ldns_rdf2buffer_wire(data_buffer,
00207 canonical_algorithm_rdf);
00208 }
00209 (void)ldns_rdf2buffer_wire(data_buffer, time_signed_rdf);
00210 (void)ldns_rdf2buffer_wire(data_buffer, fudge_rdf);
00211 if (!tsig_timers_only) {
00212 (void)ldns_rdf2buffer_wire(data_buffer, error_rdf);
00213 (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf);
00214 }
00215
00216 wireformat = (char *) data_buffer->_data;
00217 wiresize = (int) ldns_buffer_position(data_buffer);
00218
00219 algorithm_name = ldns_rdf2str(algorithm_rdf);
00220 if(!algorithm_name) {
00221 status = LDNS_STATUS_MEM_ERR;
00222 goto clean;
00223 }
00224
00225
00226 key_bytes = LDNS_XMALLOC(unsigned char,
00227 ldns_b64_pton_calculate_size(strlen(key_data)));
00228 if(!key_bytes) {
00229 status = LDNS_STATUS_MEM_ERR;
00230 goto clean;
00231 }
00232 key_size = ldns_b64_pton(key_data, key_bytes,
00233 ldns_b64_pton_calculate_size(strlen(key_data)));
00234 if (key_size < 0) {
00235 status = LDNS_STATUS_INVALID_B64;
00236 goto clean;
00237 }
00238
00239
00240 mac_bytes = LDNS_XMALLOC(unsigned char, md_len+2);
00241 if(!mac_bytes) {
00242 status = LDNS_STATUS_MEM_ERR;
00243 goto clean;
00244 }
00245 memset(mac_bytes, 0, md_len+2);
00246
00247 digester = ldns_digest_function(algorithm_name);
00248
00249 if (digester) {
00250 (void) HMAC(digester, key_bytes, key_size, (void *)wireformat,
00251 (size_t) wiresize, mac_bytes + 2, &md_len);
00252
00253 ldns_write_uint16(mac_bytes, md_len);
00254 result = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16_DATA, md_len + 2,
00255 mac_bytes);
00256 } else {
00257 status = LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
00258 goto clean;
00259 }
00260 *tsig_mac = result;
00261 status = LDNS_STATUS_OK;
00262 clean:
00263 LDNS_FREE(mac_bytes);
00264 LDNS_FREE(key_bytes);
00265 LDNS_FREE(algorithm_name);
00266 ldns_buffer_free(data_buffer);
00267 ldns_rdf_deep_free(canonical_algorithm_rdf);
00268 ldns_rdf_deep_free(canonical_key_name_rdf);
00269 return status;
00270 }
00271 #endif
00272
00273
00274 #ifdef HAVE_SSL
00275 bool
00276 ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char *key_name,
00277 const char *key_data, ldns_rdf *orig_mac_rdf)
00278 {
00279 return ldns_pkt_tsig_verify_next(pkt, wire, wirelen, key_name, key_data, orig_mac_rdf, 0);
00280 }
00281
00282 bool
00283 ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char* key_name,
00284 const char *key_data, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
00285 {
00286 ldns_rdf *fudge_rdf;
00287 ldns_rdf *algorithm_rdf;
00288 ldns_rdf *time_signed_rdf;
00289 ldns_rdf *orig_id_rdf;
00290 ldns_rdf *error_rdf;
00291 ldns_rdf *other_data_rdf;
00292 ldns_rdf *pkt_mac_rdf;
00293 ldns_rdf *my_mac_rdf;
00294 ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00295 uint16_t pkt_id, orig_pkt_id;
00296 ldns_status status;
00297
00298 uint8_t *prepared_wire = NULL;
00299 size_t prepared_wire_size = 0;
00300
00301 ldns_rr *orig_tsig = ldns_pkt_tsig(pkt);
00302
00303 if (!orig_tsig || ldns_rr_rd_count(orig_tsig) <= 6) {
00304 ldns_rdf_deep_free(key_name_rdf);
00305 return false;
00306 }
00307 algorithm_rdf = ldns_rr_rdf(orig_tsig, 0);
00308 time_signed_rdf = ldns_rr_rdf(orig_tsig, 1);
00309 fudge_rdf = ldns_rr_rdf(orig_tsig, 2);
00310 pkt_mac_rdf = ldns_rr_rdf(orig_tsig, 3);
00311 orig_id_rdf = ldns_rr_rdf(orig_tsig, 4);
00312 error_rdf = ldns_rr_rdf(orig_tsig, 5);
00313 other_data_rdf = ldns_rr_rdf(orig_tsig, 6);
00314
00315
00316 ldns_pkt_set_tsig(pkt, NULL);
00317
00318 pkt_id = ldns_pkt_id(pkt);
00319 orig_pkt_id = ldns_rdf2native_int16(orig_id_rdf);
00320 ldns_pkt_set_id(pkt, orig_pkt_id);
00321
00322 prepared_wire = ldns_tsig_prepare_pkt_wire(wire, wirelen, &prepared_wire_size);
00323
00324 status = ldns_tsig_mac_new(&my_mac_rdf, prepared_wire, prepared_wire_size,
00325 key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00326 time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf, tsig_timers_only);
00327
00328 LDNS_FREE(prepared_wire);
00329
00330 if (status != LDNS_STATUS_OK) {
00331 ldns_rdf_deep_free(key_name_rdf);
00332 return false;
00333 }
00334
00335 ldns_pkt_set_tsig(pkt, orig_tsig);
00336 ldns_pkt_set_id(pkt, pkt_id);
00337
00338 ldns_rdf_deep_free(key_name_rdf);
00339
00340 if (ldns_rdf_compare(pkt_mac_rdf, my_mac_rdf) == 0) {
00341 ldns_rdf_deep_free(my_mac_rdf);
00342 return true;
00343 } else {
00344 ldns_rdf_deep_free(my_mac_rdf);
00345 return false;
00346 }
00347 }
00348 #endif
00349
00350 #ifdef HAVE_SSL
00351 ldns_status
00352 ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data,
00353 uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac)
00354 {
00355 return ldns_pkt_tsig_sign_next(pkt, key_name, key_data, fudge, algorithm_name, query_mac, 0);
00356 }
00357
00358 ldns_status
00359 ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data,
00360 uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only)
00361 {
00362 ldns_rr *tsig_rr;
00363 ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00364 ldns_rdf *fudge_rdf = NULL;
00365 ldns_rdf *orig_id_rdf = NULL;
00366 ldns_rdf *algorithm_rdf;
00367 ldns_rdf *error_rdf = NULL;
00368 ldns_rdf *mac_rdf = NULL;
00369 ldns_rdf *other_data_rdf = NULL;
00370
00371 ldns_status status = LDNS_STATUS_OK;
00372
00373 uint8_t *pkt_wire = NULL;
00374 size_t pkt_wire_len;
00375
00376 struct timeval tv_time_signed;
00377 uint8_t *time_signed = NULL;
00378 ldns_rdf *time_signed_rdf = NULL;
00379
00380 algorithm_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, algorithm_name);
00381 if(!key_name_rdf || !algorithm_rdf) {
00382 status = LDNS_STATUS_MEM_ERR;
00383 goto clean;
00384 }
00385
00386
00387
00388 if (gettimeofday(&tv_time_signed, NULL) == 0) {
00389 time_signed = LDNS_XMALLOC(uint8_t, 6);
00390 if(!time_signed) {
00391 status = LDNS_STATUS_MEM_ERR;
00392 goto clean;
00393 }
00394 ldns_write_uint64_as_uint48(time_signed,
00395 (uint64_t)tv_time_signed.tv_sec);
00396 } else {
00397 status = LDNS_STATUS_INTERNAL_ERR;
00398 goto clean;
00399 }
00400
00401 time_signed_rdf = ldns_rdf_new(LDNS_RDF_TYPE_TSIGTIME, 6, time_signed);
00402 if(!time_signed_rdf) {
00403 LDNS_FREE(time_signed);
00404 status = LDNS_STATUS_MEM_ERR;
00405 goto clean;
00406 }
00407
00408 fudge_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, fudge);
00409
00410 orig_id_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_pkt_id(pkt));
00411
00412 error_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 0);
00413
00414 other_data_rdf = ldns_native2rdf_int16_data(0, NULL);
00415
00416 if(!fudge_rdf || !orig_id_rdf || !error_rdf || !other_data_rdf) {
00417 status = LDNS_STATUS_MEM_ERR;
00418 goto clean;
00419 }
00420
00421 if (ldns_pkt2wire(&pkt_wire, pkt, &pkt_wire_len) != LDNS_STATUS_OK) {
00422 status = LDNS_STATUS_ERR;
00423 goto clean;
00424 }
00425
00426 status = ldns_tsig_mac_new(&mac_rdf, pkt_wire, pkt_wire_len,
00427 key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00428 time_signed_rdf, error_rdf, other_data_rdf, query_mac, tsig_timers_only);
00429
00430 if (!mac_rdf) {
00431 goto clean;
00432 }
00433
00434 LDNS_FREE(pkt_wire);
00435
00436
00437 tsig_rr = ldns_rr_new();
00438 if(!tsig_rr) {
00439 status = LDNS_STATUS_MEM_ERR;
00440 goto clean;
00441 }
00442 ldns_rr_set_owner(tsig_rr, key_name_rdf);
00443 ldns_rr_set_class(tsig_rr, LDNS_RR_CLASS_ANY);
00444 ldns_rr_set_type(tsig_rr, LDNS_RR_TYPE_TSIG);
00445 ldns_rr_set_ttl(tsig_rr, 0);
00446
00447 ldns_rr_push_rdf(tsig_rr, algorithm_rdf);
00448 ldns_rr_push_rdf(tsig_rr, time_signed_rdf);
00449 ldns_rr_push_rdf(tsig_rr, fudge_rdf);
00450 ldns_rr_push_rdf(tsig_rr, mac_rdf);
00451 ldns_rr_push_rdf(tsig_rr, orig_id_rdf);
00452 ldns_rr_push_rdf(tsig_rr, error_rdf);
00453 ldns_rr_push_rdf(tsig_rr, other_data_rdf);
00454
00455 ldns_pkt_set_tsig(pkt, tsig_rr);
00456
00457 return status;
00458
00459 clean:
00460 LDNS_FREE(pkt_wire);
00461 ldns_rdf_free(key_name_rdf);
00462 ldns_rdf_free(algorithm_rdf);
00463 ldns_rdf_free(time_signed_rdf);
00464 ldns_rdf_free(fudge_rdf);
00465 ldns_rdf_free(orig_id_rdf);
00466 ldns_rdf_free(error_rdf);
00467 ldns_rdf_free(other_data_rdf);
00468 return status;
00469 }
00470 #endif