00001
00002
00003
00004
00005
00006
00007
00008
00009
00010 #include <ldns/config.h>
00011
00012 #include <ldns/ldns.h>
00013
00014 #include <strings.h>
00015
00016 #ifdef HAVE_SSL
00017 #include <openssl/hmac.h>
00018 #include <openssl/md5.h>
00019 #endif
00020
00021 char *
00022 ldns_tsig_algorithm(ldns_tsig_credentials *tc)
00023 {
00024 return tc->algorithm;
00025 }
00026
00027 char *
00028 ldns_tsig_keyname(ldns_tsig_credentials *tc)
00029 {
00030 return tc->keyname;
00031 }
00032
00033 char *
00034 ldns_tsig_keydata(ldns_tsig_credentials *tc)
00035 {
00036 return tc->keydata;
00037 }
00038
00039 char *
00040 ldns_tsig_keyname_clone(ldns_tsig_credentials *tc)
00041 {
00042 return strdup(tc->keyname);
00043 }
00044
00045 char *
00046 ldns_tsig_keydata_clone(ldns_tsig_credentials *tc)
00047 {
00048 return strdup(tc->keydata);
00049 }
00050
00051
00052
00053
00054 uint8_t *
00055 ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
00056 {
00057 uint8_t *wire2 = NULL;
00058 uint16_t qd_count;
00059 uint16_t an_count;
00060 uint16_t ns_count;
00061 uint16_t ar_count;
00062 ldns_rr *rr;
00063
00064 size_t pos;
00065 uint16_t i;
00066
00067 ldns_status status;
00068
00069 if(wire_len < LDNS_HEADER_SIZE) {
00070 return NULL;
00071 }
00072
00073 qd_count = LDNS_QDCOUNT(wire);
00074 an_count = LDNS_ANCOUNT(wire);
00075 ns_count = LDNS_NSCOUNT(wire);
00076 ar_count = LDNS_ARCOUNT(wire);
00077
00078 if (ar_count > 0) {
00079 ar_count--;
00080 } else {
00081 return NULL;
00082 }
00083
00084 pos = LDNS_HEADER_SIZE;
00085
00086 for (i = 0; i < qd_count; i++) {
00087 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_QUESTION);
00088 if (status != LDNS_STATUS_OK) {
00089 return NULL;
00090 }
00091 ldns_rr_free(rr);
00092 }
00093
00094 for (i = 0; i < an_count; i++) {
00095 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_ANSWER);
00096 if (status != LDNS_STATUS_OK) {
00097 return NULL;
00098 }
00099 ldns_rr_free(rr);
00100 }
00101
00102 for (i = 0; i < ns_count; i++) {
00103 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_AUTHORITY);
00104 if (status != LDNS_STATUS_OK) {
00105 return NULL;
00106 }
00107 ldns_rr_free(rr);
00108 }
00109
00110 for (i = 0; i < ar_count; i++) {
00111 status = ldns_wire2rr(&rr, wire, wire_len, &pos,
00112 LDNS_SECTION_ADDITIONAL);
00113 if (status != LDNS_STATUS_OK) {
00114 return NULL;
00115 }
00116 ldns_rr_free(rr);
00117 }
00118
00119 *result_len = pos;
00120 wire2 = LDNS_XMALLOC(uint8_t, *result_len);
00121 if(!wire2) {
00122 return NULL;
00123 }
00124 memcpy(wire2, wire, *result_len);
00125
00126 ldns_write_uint16(wire2 + LDNS_ARCOUNT_OFF, ar_count);
00127
00128 return wire2;
00129 }
00130
00131 #ifdef HAVE_SSL
00132 static const EVP_MD *
00133 ldns_digest_function(char *name)
00134 {
00135
00136
00137 if (strlen(name) == 12
00138 && strncasecmp(name, "hmac-sha256.", 11) == 0) {
00139 #ifdef HAVE_EVP_SHA256
00140 return EVP_sha256();
00141 #else
00142 return NULL;
00143 #endif
00144 } else if (strlen(name) == 10
00145 && strncasecmp(name, "hmac-sha1.", 9) == 0) {
00146 return EVP_sha1();
00147 } else if (strlen(name) == 25
00148 && strncasecmp(name, "hmac-md5.sig-alg.reg.int.", 25)
00149 == 0) {
00150 return EVP_md5();
00151 } else {
00152 return NULL;
00153 }
00154 }
00155 #endif
00156
00157 #ifdef HAVE_SSL
00158 static ldns_status
00159 ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size,
00160 const char *key_data, ldns_rdf *key_name_rdf, ldns_rdf *fudge_rdf,
00161 ldns_rdf *algorithm_rdf, ldns_rdf *time_signed_rdf, ldns_rdf *error_rdf,
00162 ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
00163 {
00164 ldns_status status;
00165 char *wireformat;
00166 int wiresize;
00167 unsigned char *mac_bytes = NULL;
00168 unsigned char *key_bytes = NULL;
00169 int key_size;
00170 const EVP_MD *digester;
00171 char *algorithm_name = NULL;
00172 unsigned int md_len = EVP_MAX_MD_SIZE;
00173 ldns_rdf *result = NULL;
00174 ldns_buffer *data_buffer = NULL;
00175 ldns_rdf *canonical_key_name_rdf = NULL;
00176 ldns_rdf *canonical_algorithm_rdf = NULL;
00177
00178 if (key_name_rdf == NULL || algorithm_rdf == NULL) {
00179 return LDNS_STATUS_NULL;
00180 }
00181 canonical_key_name_rdf = ldns_rdf_clone(key_name_rdf);
00182 if (canonical_key_name_rdf == NULL) {
00183 return LDNS_STATUS_MEM_ERR;
00184 }
00185 canonical_algorithm_rdf = ldns_rdf_clone(algorithm_rdf);
00186 if (canonical_algorithm_rdf == NULL) {
00187 ldns_rdf_deep_free(canonical_key_name_rdf);
00188 return LDNS_STATUS_MEM_ERR;
00189 }
00190
00191
00192
00193 data_buffer = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00194 if (!data_buffer) {
00195 status = LDNS_STATUS_MEM_ERR;
00196 goto clean;
00197 }
00198
00199 if (orig_mac_rdf) {
00200 (void) ldns_rdf2buffer_wire(data_buffer, orig_mac_rdf);
00201 }
00202 ldns_buffer_write(data_buffer, pkt_wire, pkt_wire_size);
00203 if (!tsig_timers_only) {
00204 ldns_dname2canonical(canonical_key_name_rdf);
00205 (void)ldns_rdf2buffer_wire(data_buffer,
00206 canonical_key_name_rdf);
00207 ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY);
00208 ldns_buffer_write_u32(data_buffer, 0);
00209 ldns_dname2canonical(canonical_algorithm_rdf);
00210 (void)ldns_rdf2buffer_wire(data_buffer,
00211 canonical_algorithm_rdf);
00212 }
00213 (void)ldns_rdf2buffer_wire(data_buffer, time_signed_rdf);
00214 (void)ldns_rdf2buffer_wire(data_buffer, fudge_rdf);
00215 if (!tsig_timers_only) {
00216 (void)ldns_rdf2buffer_wire(data_buffer, error_rdf);
00217 (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf);
00218 }
00219
00220 wireformat = (char *) data_buffer->_data;
00221 wiresize = (int) ldns_buffer_position(data_buffer);
00222
00223 algorithm_name = ldns_rdf2str(algorithm_rdf);
00224 if(!algorithm_name) {
00225 status = LDNS_STATUS_MEM_ERR;
00226 goto clean;
00227 }
00228
00229
00230 key_bytes = LDNS_XMALLOC(unsigned char,
00231 ldns_b64_pton_calculate_size(strlen(key_data)));
00232 if(!key_bytes) {
00233 status = LDNS_STATUS_MEM_ERR;
00234 goto clean;
00235 }
00236 key_size = ldns_b64_pton(key_data, key_bytes,
00237 ldns_b64_pton_calculate_size(strlen(key_data)));
00238 if (key_size < 0) {
00239 status = LDNS_STATUS_INVALID_B64;
00240 goto clean;
00241 }
00242
00243
00244 mac_bytes = LDNS_XMALLOC(unsigned char, md_len+2);
00245 if(!mac_bytes) {
00246 status = LDNS_STATUS_MEM_ERR;
00247 goto clean;
00248 }
00249 memset(mac_bytes, 0, md_len+2);
00250
00251 digester = ldns_digest_function(algorithm_name);
00252
00253 if (digester) {
00254 (void) HMAC(digester, key_bytes, key_size, (void *)wireformat,
00255 (size_t) wiresize, mac_bytes + 2, &md_len);
00256
00257 ldns_write_uint16(mac_bytes, md_len);
00258 result = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16_DATA, md_len + 2,
00259 mac_bytes);
00260 } else {
00261 status = LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
00262 goto clean;
00263 }
00264 *tsig_mac = result;
00265 status = LDNS_STATUS_OK;
00266 clean:
00267 LDNS_FREE(mac_bytes);
00268 LDNS_FREE(key_bytes);
00269 LDNS_FREE(algorithm_name);
00270 ldns_buffer_free(data_buffer);
00271 ldns_rdf_deep_free(canonical_algorithm_rdf);
00272 ldns_rdf_deep_free(canonical_key_name_rdf);
00273 return status;
00274 }
00275 #endif
00276
00277
00278 #ifdef HAVE_SSL
00279 bool
00280 ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char *key_name,
00281 const char *key_data, ldns_rdf *orig_mac_rdf)
00282 {
00283 return ldns_pkt_tsig_verify_next(pkt, wire, wirelen, key_name, key_data, orig_mac_rdf, 0);
00284 }
00285
00286 bool
00287 ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char* key_name,
00288 const char *key_data, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
00289 {
00290 ldns_rdf *fudge_rdf;
00291 ldns_rdf *algorithm_rdf;
00292 ldns_rdf *time_signed_rdf;
00293 ldns_rdf *orig_id_rdf;
00294 ldns_rdf *error_rdf;
00295 ldns_rdf *other_data_rdf;
00296 ldns_rdf *pkt_mac_rdf;
00297 ldns_rdf *my_mac_rdf;
00298 ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00299 uint16_t pkt_id, orig_pkt_id;
00300 ldns_status status;
00301
00302 uint8_t *prepared_wire = NULL;
00303 size_t prepared_wire_size = 0;
00304
00305 ldns_rr *orig_tsig = ldns_pkt_tsig(pkt);
00306
00307 if (!orig_tsig || ldns_rr_rd_count(orig_tsig) <= 6) {
00308 ldns_rdf_deep_free(key_name_rdf);
00309 return false;
00310 }
00311 algorithm_rdf = ldns_rr_rdf(orig_tsig, 0);
00312 time_signed_rdf = ldns_rr_rdf(orig_tsig, 1);
00313 fudge_rdf = ldns_rr_rdf(orig_tsig, 2);
00314 pkt_mac_rdf = ldns_rr_rdf(orig_tsig, 3);
00315 orig_id_rdf = ldns_rr_rdf(orig_tsig, 4);
00316 error_rdf = ldns_rr_rdf(orig_tsig, 5);
00317 other_data_rdf = ldns_rr_rdf(orig_tsig, 6);
00318
00319
00320 ldns_pkt_set_tsig(pkt, NULL);
00321
00322 pkt_id = ldns_pkt_id(pkt);
00323 orig_pkt_id = ldns_rdf2native_int16(orig_id_rdf);
00324 ldns_pkt_set_id(pkt, orig_pkt_id);
00325
00326 prepared_wire = ldns_tsig_prepare_pkt_wire(wire, wirelen, &prepared_wire_size);
00327
00328 status = ldns_tsig_mac_new(&my_mac_rdf, prepared_wire, prepared_wire_size,
00329 key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00330 time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf, tsig_timers_only);
00331
00332 LDNS_FREE(prepared_wire);
00333
00334 if (status != LDNS_STATUS_OK) {
00335 ldns_rdf_deep_free(key_name_rdf);
00336 return false;
00337 }
00338
00339 ldns_pkt_set_tsig(pkt, orig_tsig);
00340 ldns_pkt_set_id(pkt, pkt_id);
00341
00342 ldns_rdf_deep_free(key_name_rdf);
00343
00344 if (ldns_rdf_compare(pkt_mac_rdf, my_mac_rdf) == 0) {
00345 ldns_rdf_deep_free(my_mac_rdf);
00346 return true;
00347 } else {
00348 ldns_rdf_deep_free(my_mac_rdf);
00349 return false;
00350 }
00351 }
00352 #endif
00353
00354 #ifdef HAVE_SSL
00355 ldns_status
00356 ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data,
00357 uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac)
00358 {
00359 return ldns_pkt_tsig_sign_next(pkt, key_name, key_data, fudge, algorithm_name, query_mac, 0);
00360 }
00361
00362 ldns_status
00363 ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data,
00364 uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only)
00365 {
00366 ldns_rr *tsig_rr;
00367 ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00368 ldns_rdf *fudge_rdf = NULL;
00369 ldns_rdf *orig_id_rdf = NULL;
00370 ldns_rdf *algorithm_rdf;
00371 ldns_rdf *error_rdf = NULL;
00372 ldns_rdf *mac_rdf = NULL;
00373 ldns_rdf *other_data_rdf = NULL;
00374
00375 ldns_status status = LDNS_STATUS_OK;
00376
00377 uint8_t *pkt_wire = NULL;
00378 size_t pkt_wire_len;
00379
00380 struct timeval tv_time_signed;
00381 uint8_t *time_signed = NULL;
00382 ldns_rdf *time_signed_rdf = NULL;
00383
00384 algorithm_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, algorithm_name);
00385 if(!key_name_rdf || !algorithm_rdf) {
00386 status = LDNS_STATUS_MEM_ERR;
00387 goto clean;
00388 }
00389
00390
00391
00392 if (gettimeofday(&tv_time_signed, NULL) == 0) {
00393 time_signed = LDNS_XMALLOC(uint8_t, 6);
00394 if(!time_signed) {
00395 status = LDNS_STATUS_MEM_ERR;
00396 goto clean;
00397 }
00398 ldns_write_uint64_as_uint48(time_signed,
00399 (uint64_t)tv_time_signed.tv_sec);
00400 } else {
00401 status = LDNS_STATUS_INTERNAL_ERR;
00402 goto clean;
00403 }
00404
00405 time_signed_rdf = ldns_rdf_new(LDNS_RDF_TYPE_TSIGTIME, 6, time_signed);
00406 if(!time_signed_rdf) {
00407 LDNS_FREE(time_signed);
00408 status = LDNS_STATUS_MEM_ERR;
00409 goto clean;
00410 }
00411
00412 fudge_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, fudge);
00413
00414 orig_id_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_pkt_id(pkt));
00415
00416 error_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 0);
00417
00418 other_data_rdf = ldns_native2rdf_int16_data(0, NULL);
00419
00420 if(!fudge_rdf || !orig_id_rdf || !error_rdf || !other_data_rdf) {
00421 status = LDNS_STATUS_MEM_ERR;
00422 goto clean;
00423 }
00424
00425 if (ldns_pkt2wire(&pkt_wire, pkt, &pkt_wire_len) != LDNS_STATUS_OK) {
00426 status = LDNS_STATUS_ERR;
00427 goto clean;
00428 }
00429
00430 status = ldns_tsig_mac_new(&mac_rdf, pkt_wire, pkt_wire_len,
00431 key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00432 time_signed_rdf, error_rdf, other_data_rdf, query_mac, tsig_timers_only);
00433
00434 if (!mac_rdf) {
00435 goto clean;
00436 }
00437
00438 LDNS_FREE(pkt_wire);
00439
00440
00441 tsig_rr = ldns_rr_new();
00442 if(!tsig_rr) {
00443 status = LDNS_STATUS_MEM_ERR;
00444 goto clean;
00445 }
00446 ldns_rr_set_owner(tsig_rr, key_name_rdf);
00447 ldns_rr_set_class(tsig_rr, LDNS_RR_CLASS_ANY);
00448 ldns_rr_set_type(tsig_rr, LDNS_RR_TYPE_TSIG);
00449 ldns_rr_set_ttl(tsig_rr, 0);
00450
00451 ldns_rr_push_rdf(tsig_rr, algorithm_rdf);
00452 ldns_rr_push_rdf(tsig_rr, time_signed_rdf);
00453 ldns_rr_push_rdf(tsig_rr, fudge_rdf);
00454 ldns_rr_push_rdf(tsig_rr, mac_rdf);
00455 ldns_rr_push_rdf(tsig_rr, orig_id_rdf);
00456 ldns_rr_push_rdf(tsig_rr, error_rdf);
00457 ldns_rr_push_rdf(tsig_rr, other_data_rdf);
00458
00459 ldns_pkt_set_tsig(pkt, tsig_rr);
00460
00461 return status;
00462
00463 clean:
00464 LDNS_FREE(pkt_wire);
00465 ldns_rdf_free(key_name_rdf);
00466 ldns_rdf_free(algorithm_rdf);
00467 ldns_rdf_free(time_signed_rdf);
00468 ldns_rdf_free(fudge_rdf);
00469 ldns_rdf_free(orig_id_rdf);
00470 ldns_rdf_free(error_rdf);
00471 ldns_rdf_free(other_data_rdf);
00472 return status;
00473 }
00474 #endif