00001
00002
00003
00004
00005
00006
00007
00008
00009
00010 #include <ldns/config.h>
00011
00012 #include <ldns/ldns.h>
00013
00014 #include <strings.h>
00015
00016 #ifdef HAVE_SSL
00017 #include <openssl/hmac.h>
00018 #include <openssl/md5.h>
00019 #endif
00020
00021 char *
00022 ldns_tsig_algorithm(ldns_tsig_credentials *tc)
00023 {
00024 return tc->algorithm;
00025 }
00026
00027 char *
00028 ldns_tsig_keyname(ldns_tsig_credentials *tc)
00029 {
00030 return tc->keyname;
00031 }
00032
00033 char *
00034 ldns_tsig_keydata(ldns_tsig_credentials *tc)
00035 {
00036 return tc->keydata;
00037 }
00038
00039 char *
00040 ldns_tsig_keyname_clone(ldns_tsig_credentials *tc)
00041 {
00042 return strdup(tc->keyname);
00043 }
00044
00045 char *
00046 ldns_tsig_keydata_clone(ldns_tsig_credentials *tc)
00047 {
00048 return strdup(tc->keydata);
00049 }
00050
00051
00052
00053
00054 uint8_t *
00055 ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
00056 {
00057 uint8_t *wire2 = NULL;
00058 uint16_t qd_count;
00059 uint16_t an_count;
00060 uint16_t ns_count;
00061 uint16_t ar_count;
00062 ldns_rr *rr;
00063
00064 size_t pos;
00065 uint16_t i;
00066
00067 ldns_status status;
00068
00069
00070 qd_count = LDNS_QDCOUNT(wire);
00071 an_count = LDNS_ANCOUNT(wire);
00072 ns_count = LDNS_NSCOUNT(wire);
00073 ar_count = LDNS_ARCOUNT(wire);
00074
00075 if (ar_count > 0) {
00076 ar_count--;
00077 } else {
00078 return NULL;
00079 }
00080
00081 pos = LDNS_HEADER_SIZE;
00082
00083 for (i = 0; i < qd_count; i++) {
00084 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_QUESTION);
00085 if (status != LDNS_STATUS_OK) {
00086 return NULL;
00087 }
00088 ldns_rr_free(rr);
00089 }
00090
00091 for (i = 0; i < an_count; i++) {
00092 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_ANSWER);
00093 if (status != LDNS_STATUS_OK) {
00094 return NULL;
00095 }
00096 ldns_rr_free(rr);
00097 }
00098
00099 for (i = 0; i < ns_count; i++) {
00100 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_AUTHORITY);
00101 if (status != LDNS_STATUS_OK) {
00102 return NULL;
00103 }
00104 ldns_rr_free(rr);
00105 }
00106
00107 for (i = 0; i < ar_count; i++) {
00108 status = ldns_wire2rr(&rr, wire, wire_len, &pos,
00109 LDNS_SECTION_ADDITIONAL);
00110 if (status != LDNS_STATUS_OK) {
00111 return NULL;
00112 }
00113 ldns_rr_free(rr);
00114 }
00115
00116 *result_len = pos;
00117 wire2 = LDNS_XMALLOC(uint8_t, *result_len);
00118 memcpy(wire2, wire, *result_len);
00119
00120 ldns_write_uint16(wire2 + LDNS_ARCOUNT_OFF, ar_count);
00121
00122 return wire2;
00123 }
00124
00125 #ifdef HAVE_SSL
00126 static const EVP_MD *
00127 ldns_digest_function(char *name)
00128 {
00129
00130
00131
00132 if (strlen(name) == 10 && strncasecmp(name, "hmac-sha1.", 9) == 0)
00133 return EVP_sha1();
00134 else if (strlen(name) == 25 && strncasecmp(name,
00135 "hmac-md5.sig-alg.reg.int.", 25) == 0)
00136 return EVP_md5();
00137 else
00138 return NULL;
00139 }
00140 #endif
00141
00142 #ifdef HAVE_SSL
00143 static ldns_status
00144 ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size,
00145 const char *key_data, ldns_rdf *key_name_rdf, ldns_rdf *fudge_rdf,
00146 ldns_rdf *algorithm_rdf, ldns_rdf *time_signed_rdf, ldns_rdf *error_rdf,
00147 ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf)
00148 {
00149 char *wireformat;
00150 int wiresize;
00151 unsigned char *mac_bytes;
00152 unsigned char *key_bytes;
00153 int key_size;
00154 const EVP_MD *digester;
00155 char *algorithm_name;
00156 unsigned int md_len = EVP_MAX_MD_SIZE;
00157 ldns_rdf *result = NULL;
00158 ldns_buffer *data_buffer = NULL;
00159
00160
00161
00162
00163 data_buffer = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00164
00165 if (orig_mac_rdf) {
00166 (void) ldns_rdf2buffer_wire(data_buffer, orig_mac_rdf);
00167 }
00168 ldns_buffer_write(data_buffer, pkt_wire, pkt_wire_size);
00169 (void)ldns_rdf2buffer_wire(data_buffer, key_name_rdf);
00170 ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY);
00171 ldns_buffer_write_u32(data_buffer, 0);
00172 (void)ldns_rdf2buffer_wire(data_buffer, algorithm_rdf);
00173 (void)ldns_rdf2buffer_wire(data_buffer, time_signed_rdf);
00174 (void)ldns_rdf2buffer_wire(data_buffer, fudge_rdf);
00175 (void)ldns_rdf2buffer_wire(data_buffer, error_rdf);
00176 (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf);
00177
00178 wireformat = (char *) data_buffer->_data;
00179 wiresize = (int) ldns_buffer_position(data_buffer);
00180
00181 algorithm_name = ldns_rdf2str(algorithm_rdf);
00182
00183
00184 key_bytes = LDNS_XMALLOC(unsigned char,
00185 b64_pton_calculate_size(strlen(key_data)));
00186 key_size = b64_pton(key_data, key_bytes, strlen(key_data) * 2);
00187 if (key_size < 0) {
00188
00189 return LDNS_STATUS_INVALID_B64;
00190 }
00191
00192
00193 mac_bytes = LDNS_XMALLOC(unsigned char, md_len);
00194 memset(mac_bytes, 0, md_len);
00195
00196 digester = ldns_digest_function(algorithm_name);
00197
00198 if (digester) {
00199 (void) HMAC(digester, key_bytes, key_size, (void *)wireformat, wiresize,
00200 mac_bytes + 2, &md_len);
00201
00202 ldns_write_uint16(mac_bytes, md_len);
00203 result = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16_DATA, md_len + 2,
00204 mac_bytes);
00205 } else {
00206 return LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
00207 }
00208
00209 LDNS_FREE(algorithm_name);
00210 LDNS_FREE(mac_bytes);
00211 LDNS_FREE(key_bytes);
00212 ldns_buffer_free(data_buffer);
00213
00214 *tsig_mac = result;
00215
00216 return LDNS_STATUS_OK;
00217 }
00218 #endif
00219
00220
00221 #ifdef HAVE_SSL
00222 bool
00223 ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen,
00224 const char *key_name, const char *key_data, ldns_rdf *orig_mac_rdf)
00225 {
00226 ldns_rdf *fudge_rdf;
00227 ldns_rdf *algorithm_rdf;
00228 ldns_rdf *time_signed_rdf;
00229 ldns_rdf *orig_id_rdf;
00230 ldns_rdf *error_rdf;
00231 ldns_rdf *other_data_rdf;
00232 ldns_rdf *pkt_mac_rdf;
00233 ldns_rdf *my_mac_rdf;
00234 ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00235 uint16_t pkt_id, orig_pkt_id;
00236 ldns_status status;
00237
00238 uint8_t *prepared_wire = NULL;
00239 size_t prepared_wire_size = 0;
00240
00241 ldns_rr *orig_tsig = ldns_pkt_tsig(pkt);
00242
00243 if (!orig_tsig) {
00244 ldns_rdf_deep_free(key_name_rdf);
00245 return false;
00246 }
00247 algorithm_rdf = ldns_rr_rdf(orig_tsig, 0);
00248 time_signed_rdf = ldns_rr_rdf(orig_tsig, 1);
00249 fudge_rdf = ldns_rr_rdf(orig_tsig, 2);
00250 pkt_mac_rdf = ldns_rr_rdf(orig_tsig, 3);
00251 orig_id_rdf = ldns_rr_rdf(orig_tsig, 4);
00252 error_rdf = ldns_rr_rdf(orig_tsig, 5);
00253 other_data_rdf = ldns_rr_rdf(orig_tsig, 6);
00254
00255
00256 ldns_pkt_set_tsig(pkt, NULL);
00257
00258 pkt_id = ldns_pkt_id(pkt);
00259 orig_pkt_id = ldns_rdf2native_int16(orig_id_rdf);
00260 ldns_pkt_set_id(pkt, orig_pkt_id);
00261
00262 prepared_wire = ldns_tsig_prepare_pkt_wire(wire, wirelen, &prepared_wire_size);
00263
00264 status = ldns_tsig_mac_new(&my_mac_rdf, prepared_wire, prepared_wire_size,
00265 key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00266 time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf);
00267
00268 LDNS_FREE(prepared_wire);
00269
00270 if (status != LDNS_STATUS_OK) {
00271 ldns_rdf_deep_free(key_name_rdf);
00272 return false;
00273 }
00274
00275 ldns_pkt_set_tsig(pkt, orig_tsig);
00276 ldns_pkt_set_id(pkt, pkt_id);
00277
00278 ldns_rdf_deep_free(key_name_rdf);
00279
00280 if (ldns_rdf_compare(pkt_mac_rdf, my_mac_rdf) == 0) {
00281 ldns_rdf_deep_free(my_mac_rdf);
00282 return true;
00283 } else {
00284 ldns_rdf_deep_free(my_mac_rdf);
00285 return false;
00286 }
00287 }
00288 #endif
00289
00290 #ifdef HAVE_SSL
00291
00292 ldns_status
00293 ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data,
00294 uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac)
00295 {
00296 ldns_rr *tsig_rr;
00297 ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00298 ldns_rdf *fudge_rdf = NULL;
00299 ldns_rdf *orig_id_rdf = NULL;
00300 ldns_rdf *algorithm_rdf;
00301 ldns_rdf *error_rdf = NULL;
00302 ldns_rdf *mac_rdf = NULL;
00303 ldns_rdf *other_data_rdf = NULL;
00304
00305 ldns_status status = LDNS_STATUS_OK;
00306
00307 uint8_t *pkt_wire = NULL;
00308 size_t pkt_wire_len;
00309
00310 struct timeval tv_time_signed;
00311 uint8_t *time_signed = NULL;
00312 ldns_rdf *time_signed_rdf = NULL;
00313
00314 algorithm_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, algorithm_name);
00315
00316
00317
00318 if (gettimeofday(&tv_time_signed, NULL) == 0) {
00319 time_signed = LDNS_XMALLOC(uint8_t, 6);
00320 ldns_write_uint64_as_uint48(time_signed,
00321 (uint64_t)tv_time_signed.tv_sec);
00322 } else {
00323 status = LDNS_STATUS_INTERNAL_ERR;
00324 goto clean;
00325 }
00326
00327 time_signed_rdf = ldns_rdf_new(LDNS_RDF_TYPE_TSIGTIME, 6, time_signed);
00328
00329 fudge_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, fudge);
00330
00331 orig_id_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_pkt_id(pkt));
00332
00333 error_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 0);
00334
00335 other_data_rdf = ldns_native2rdf_int16_data(0, NULL);
00336
00337 if (ldns_pkt2wire(&pkt_wire, pkt, &pkt_wire_len) != LDNS_STATUS_OK) {
00338 status = LDNS_STATUS_ERR;
00339 goto clean;
00340 }
00341
00342 status = ldns_tsig_mac_new(&mac_rdf, pkt_wire, pkt_wire_len,
00343 key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00344 time_signed_rdf, error_rdf, other_data_rdf, query_mac);
00345
00346 if (!mac_rdf) {
00347 goto clean;
00348 }
00349
00350 LDNS_FREE(pkt_wire);
00351
00352
00353 tsig_rr = ldns_rr_new();
00354 ldns_rr_set_owner(tsig_rr, key_name_rdf);
00355 ldns_rr_set_class(tsig_rr, LDNS_RR_CLASS_ANY);
00356 ldns_rr_set_type(tsig_rr, LDNS_RR_TYPE_TSIG);
00357 ldns_rr_set_ttl(tsig_rr, 0);
00358
00359 ldns_rr_push_rdf(tsig_rr, algorithm_rdf);
00360 ldns_rr_push_rdf(tsig_rr, time_signed_rdf);
00361 ldns_rr_push_rdf(tsig_rr, fudge_rdf);
00362 ldns_rr_push_rdf(tsig_rr, mac_rdf);
00363 ldns_rr_push_rdf(tsig_rr, orig_id_rdf);
00364 ldns_rr_push_rdf(tsig_rr, error_rdf);
00365 ldns_rr_push_rdf(tsig_rr, other_data_rdf);
00366
00367 ldns_pkt_set_tsig(pkt, tsig_rr);
00368
00369 return status;
00370
00371 clean:
00372 ldns_rdf_free(key_name_rdf);
00373 ldns_rdf_free(algorithm_rdf);
00374 ldns_rdf_free(time_signed_rdf);
00375 ldns_rdf_free(fudge_rdf);
00376 ldns_rdf_free(orig_id_rdf);
00377 ldns_rdf_free(error_rdf);
00378 ldns_rdf_free(other_data_rdf);
00379 return status;
00380 }
00381 #endif