tsig.c

Go to the documentation of this file.
00001 /*
00002  * tsig.c
00003  *
00004  * contains the functions needed for TSIG [RFC2845]
00005  *
00006  * (c) 2005-2006 NLnet Labs
00007  * See the file LICENSE for the license
00008  */
00009 
00010 #include <ldns/config.h>
00011 
00012 #include <ldns/ldns.h>
00013 
00014 #include <strings.h>
00015 
00016 #ifdef HAVE_SSL
00017 #include <openssl/hmac.h>
00018 #include <openssl/md5.h>
00019 #endif /* HAVE_SSL */
00020 
00021 char *
00022 ldns_tsig_algorithm(ldns_tsig_credentials *tc)
00023 {
00024         return tc->algorithm;
00025 }
00026 
00027 char *
00028 ldns_tsig_keyname(ldns_tsig_credentials *tc)
00029 {
00030         return tc->keyname;
00031 }
00032 
00033 char *
00034 ldns_tsig_keydata(ldns_tsig_credentials *tc)
00035 {
00036         return tc->keydata;
00037 }
00038 
00039 char *
00040 ldns_tsig_keyname_clone(ldns_tsig_credentials *tc)
00041 {
00042         return strdup(tc->keyname);
00043 }
00044 
00045 char *
00046 ldns_tsig_keydata_clone(ldns_tsig_credentials *tc)
00047 {
00048         return strdup(tc->keydata);
00049 }
00050 
00051 /*
00052  *  Makes an exact copy of the wire, but with the tsig rr removed
00053  */
00054 uint8_t *
00055 ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
00056 {
00057         uint8_t *wire2 = NULL;
00058         uint16_t qd_count;
00059         uint16_t an_count;
00060         uint16_t ns_count;
00061         uint16_t ar_count;
00062         ldns_rr *rr;
00063 
00064         size_t pos;
00065         uint16_t i;
00066 
00067         ldns_status status;
00068 
00069         if(wire_len < LDNS_HEADER_SIZE) {
00070                 return NULL;
00071         }
00072         /* fake parse the wire */
00073         qd_count = LDNS_QDCOUNT(wire);
00074         an_count = LDNS_ANCOUNT(wire);
00075         ns_count = LDNS_NSCOUNT(wire);
00076         ar_count = LDNS_ARCOUNT(wire);
00077 
00078         if (ar_count > 0) {
00079                 ar_count--;
00080         } else {
00081                 return NULL;
00082         }
00083 
00084         pos = LDNS_HEADER_SIZE;
00085 
00086         for (i = 0; i < qd_count; i++) {
00087                 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_QUESTION);
00088                 if (status != LDNS_STATUS_OK) {
00089                         return NULL;
00090                 }
00091                 ldns_rr_free(rr);
00092         }
00093 
00094         for (i = 0; i < an_count; i++) {
00095                 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_ANSWER);
00096                 if (status != LDNS_STATUS_OK) {
00097                         return NULL;
00098                 }
00099                 ldns_rr_free(rr);
00100         }
00101 
00102         for (i = 0; i < ns_count; i++) {
00103                 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_AUTHORITY);
00104                 if (status != LDNS_STATUS_OK) {
00105                         return NULL;
00106                 }
00107                 ldns_rr_free(rr);
00108         }
00109 
00110         for (i = 0; i < ar_count; i++) {
00111                 status = ldns_wire2rr(&rr, wire, wire_len, &pos,
00112                                 LDNS_SECTION_ADDITIONAL);
00113                 if (status != LDNS_STATUS_OK) {
00114                         return NULL;
00115                 }
00116                 ldns_rr_free(rr);
00117         }
00118 
00119         *result_len = pos;
00120         wire2 = LDNS_XMALLOC(uint8_t, *result_len);
00121         if(!wire2) {
00122                 return NULL;
00123         }
00124         memcpy(wire2, wire, *result_len);
00125 
00126         ldns_write_uint16(wire2 + LDNS_ARCOUNT_OFF, ar_count);
00127 
00128         return wire2;
00129 }
00130 
00131 #ifdef HAVE_SSL
00132 static const EVP_MD *
00133 ldns_digest_function(char *name)
00134 {
00135         /* these are the mandatory algorithms from RFC4635 */
00136         /* The optional algorithms are not yet implemented */
00137         if (strlen(name) == 12 
00138                         && strncasecmp(name, "hmac-sha256.", 11) == 0) {
00139 #ifdef HAVE_EVP_SHA256
00140                 return EVP_sha256();
00141 #else
00142                 return NULL;
00143 #endif
00144         } else if (strlen(name) == 10
00145                         && strncasecmp(name, "hmac-sha1.", 9) == 0) {
00146                 return EVP_sha1();
00147         } else if (strlen(name) == 25 
00148                         && strncasecmp(name, "hmac-md5.sig-alg.reg.int.", 25) 
00149                         == 0) {
00150                 return EVP_md5();
00151         } else {
00152                 return NULL;
00153         }
00154 }
00155 #endif
00156 
00157 #ifdef HAVE_SSL
00158 static ldns_status
00159 ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size,
00160                 const char *key_data, ldns_rdf *key_name_rdf, ldns_rdf *fudge_rdf,
00161                 ldns_rdf *algorithm_rdf, ldns_rdf *time_signed_rdf, ldns_rdf *error_rdf,
00162                 ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
00163 {
00164         ldns_status status;
00165         char *wireformat;
00166         int wiresize;
00167         unsigned char *mac_bytes = NULL;
00168         unsigned char *key_bytes = NULL;
00169         int key_size;
00170         const EVP_MD *digester;
00171         char *algorithm_name = NULL;
00172         unsigned int md_len = EVP_MAX_MD_SIZE;
00173         ldns_rdf *result = NULL;
00174         ldns_buffer *data_buffer = NULL;
00175         ldns_rdf *canonical_key_name_rdf = NULL;
00176         ldns_rdf *canonical_algorithm_rdf = NULL;
00177         
00178         if (key_name_rdf == NULL || algorithm_rdf == NULL) {
00179                 return LDNS_STATUS_NULL;
00180         }
00181         canonical_key_name_rdf  = ldns_rdf_clone(key_name_rdf);
00182         canonical_algorithm_rdf = ldns_rdf_clone(algorithm_rdf);
00183 
00184         if (canonical_key_name_rdf == NULL 
00185                         || canonical_algorithm_rdf  == NULL) {
00186                 return LDNS_STATUS_MEM_ERR;
00187         }
00188         /*
00189          * prepare the digestable information
00190          */
00191         data_buffer = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00192         if (!data_buffer) {
00193                 status = LDNS_STATUS_MEM_ERR;
00194                 goto clean;
00195         }
00196         /* if orig_mac is not NULL, add it too */
00197         if (orig_mac_rdf) {
00198                 (void) ldns_rdf2buffer_wire(data_buffer, orig_mac_rdf);
00199         }
00200         ldns_buffer_write(data_buffer, pkt_wire, pkt_wire_size);
00201         if (!tsig_timers_only) {
00202                 ldns_dname2canonical(canonical_key_name_rdf);
00203                 (void)ldns_rdf2buffer_wire(data_buffer, 
00204                                 canonical_key_name_rdf);
00205                 ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY);
00206                 ldns_buffer_write_u32(data_buffer, 0);
00207                 ldns_dname2canonical(canonical_algorithm_rdf);
00208                 (void)ldns_rdf2buffer_wire(data_buffer, 
00209                                 canonical_algorithm_rdf);
00210         }
00211         (void)ldns_rdf2buffer_wire(data_buffer, time_signed_rdf);
00212         (void)ldns_rdf2buffer_wire(data_buffer, fudge_rdf);
00213         if (!tsig_timers_only) {
00214                 (void)ldns_rdf2buffer_wire(data_buffer, error_rdf);
00215                 (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf);
00216         }
00217 
00218         wireformat = (char *) data_buffer->_data;
00219         wiresize = (int) ldns_buffer_position(data_buffer);
00220 
00221         algorithm_name = ldns_rdf2str(algorithm_rdf);
00222         if(!algorithm_name) {
00223                 status = LDNS_STATUS_MEM_ERR;
00224                 goto clean;
00225         }
00226 
00227         /* prepare the key */
00228         key_bytes = LDNS_XMALLOC(unsigned char,
00229                         ldns_b64_pton_calculate_size(strlen(key_data)));
00230         if(!key_bytes) {
00231                 status = LDNS_STATUS_MEM_ERR;
00232                 goto clean;
00233         }
00234         key_size = ldns_b64_pton(key_data, key_bytes,
00235         ldns_b64_pton_calculate_size(strlen(key_data)));
00236         if (key_size < 0) {
00237                 status = LDNS_STATUS_INVALID_B64;
00238                 goto clean;
00239         }
00240         /* hmac it */
00241         /* 2 spare bytes for the length */
00242         mac_bytes = LDNS_XMALLOC(unsigned char, md_len+2);
00243         if(!mac_bytes) {
00244                 status = LDNS_STATUS_MEM_ERR;
00245                 goto clean;
00246         }
00247         memset(mac_bytes, 0, md_len+2);
00248 
00249         digester = ldns_digest_function(algorithm_name);
00250 
00251         if (digester) {
00252                 (void) HMAC(digester, key_bytes, key_size, (void *)wireformat,
00253                             (size_t) wiresize, mac_bytes + 2, &md_len);
00254 
00255                 ldns_write_uint16(mac_bytes, md_len);
00256                 result = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16_DATA, md_len + 2,
00257                                 mac_bytes);
00258         } else {
00259                 status = LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
00260                 goto clean;
00261         }
00262         *tsig_mac = result;
00263         status = LDNS_STATUS_OK;
00264   clean:
00265         LDNS_FREE(mac_bytes);
00266         LDNS_FREE(key_bytes);
00267         LDNS_FREE(algorithm_name);
00268         ldns_buffer_free(data_buffer);
00269         ldns_rdf_free(canonical_algorithm_rdf);
00270         ldns_rdf_free(canonical_key_name_rdf);
00271         return status;
00272 }
00273 #endif /*  HAVE_SSL */
00274 
00275 
00276 #ifdef HAVE_SSL
00277 bool
00278 ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char *key_name,
00279         const char *key_data, ldns_rdf *orig_mac_rdf)
00280 {
00281         return ldns_pkt_tsig_verify_next(pkt, wire, wirelen, key_name, key_data, orig_mac_rdf, 0);
00282 }
00283 
00284 bool
00285 ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char* key_name,
00286         const char *key_data, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
00287 {
00288         ldns_rdf *fudge_rdf;
00289         ldns_rdf *algorithm_rdf;
00290         ldns_rdf *time_signed_rdf;
00291         ldns_rdf *orig_id_rdf;
00292         ldns_rdf *error_rdf;
00293         ldns_rdf *other_data_rdf;
00294         ldns_rdf *pkt_mac_rdf;
00295         ldns_rdf *my_mac_rdf;
00296         ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00297         uint16_t pkt_id, orig_pkt_id;
00298         ldns_status status;
00299 
00300         uint8_t *prepared_wire = NULL;
00301         size_t prepared_wire_size = 0;
00302 
00303         ldns_rr *orig_tsig = ldns_pkt_tsig(pkt);
00304 
00305         if (!orig_tsig || ldns_rr_rd_count(orig_tsig) <= 6) {
00306                 ldns_rdf_deep_free(key_name_rdf);
00307                 return false;
00308         }
00309         algorithm_rdf = ldns_rr_rdf(orig_tsig, 0);
00310         time_signed_rdf = ldns_rr_rdf(orig_tsig, 1);
00311         fudge_rdf = ldns_rr_rdf(orig_tsig, 2);
00312         pkt_mac_rdf = ldns_rr_rdf(orig_tsig, 3);
00313         orig_id_rdf = ldns_rr_rdf(orig_tsig, 4);
00314         error_rdf = ldns_rr_rdf(orig_tsig, 5);
00315         other_data_rdf = ldns_rr_rdf(orig_tsig, 6);
00316 
00317         /* remove temporarily */
00318         ldns_pkt_set_tsig(pkt, NULL);
00319         /* temporarily change the id to the original id */
00320         pkt_id = ldns_pkt_id(pkt);
00321         orig_pkt_id = ldns_rdf2native_int16(orig_id_rdf);
00322         ldns_pkt_set_id(pkt, orig_pkt_id);
00323 
00324         prepared_wire = ldns_tsig_prepare_pkt_wire(wire, wirelen, &prepared_wire_size);
00325 
00326         status = ldns_tsig_mac_new(&my_mac_rdf, prepared_wire, prepared_wire_size,
00327                         key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00328                         time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf, tsig_timers_only);
00329 
00330         LDNS_FREE(prepared_wire);
00331 
00332         if (status != LDNS_STATUS_OK) {
00333                 ldns_rdf_deep_free(key_name_rdf);
00334                 return false;
00335         }
00336         /* Put back the values */
00337         ldns_pkt_set_tsig(pkt, orig_tsig);
00338         ldns_pkt_set_id(pkt, pkt_id);
00339 
00340         ldns_rdf_deep_free(key_name_rdf);
00341 
00342         if (ldns_rdf_compare(pkt_mac_rdf, my_mac_rdf) == 0) {
00343                 ldns_rdf_deep_free(my_mac_rdf);
00344                 return true;
00345         } else {
00346                 ldns_rdf_deep_free(my_mac_rdf);
00347                 return false;
00348         }
00349 }
00350 #endif /* HAVE_SSL */
00351 
00352 #ifdef HAVE_SSL
00353 ldns_status
00354 ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data,
00355         uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac)
00356 {
00357         return ldns_pkt_tsig_sign_next(pkt, key_name, key_data, fudge, algorithm_name, query_mac, 0);
00358 }
00359 
00360 ldns_status
00361 ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data,
00362         uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only)
00363 {
00364         ldns_rr *tsig_rr;
00365         ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00366         ldns_rdf *fudge_rdf = NULL;
00367         ldns_rdf *orig_id_rdf = NULL;
00368         ldns_rdf *algorithm_rdf;
00369         ldns_rdf *error_rdf = NULL;
00370         ldns_rdf *mac_rdf = NULL;
00371         ldns_rdf *other_data_rdf = NULL;
00372 
00373         ldns_status status = LDNS_STATUS_OK;
00374 
00375         uint8_t *pkt_wire = NULL;
00376         size_t pkt_wire_len;
00377 
00378         struct timeval tv_time_signed;
00379         uint8_t *time_signed = NULL;
00380         ldns_rdf *time_signed_rdf = NULL;
00381 
00382         algorithm_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, algorithm_name);
00383         if(!key_name_rdf || !algorithm_rdf) {
00384                 status = LDNS_STATUS_MEM_ERR;
00385                 goto clean;
00386         }
00387 
00388         /* eww don't have create tsigtime rdf yet :( */
00389         /* bleh :p */
00390         if (gettimeofday(&tv_time_signed, NULL) == 0) {
00391                 time_signed = LDNS_XMALLOC(uint8_t, 6);
00392                 if(!time_signed) {
00393                         status = LDNS_STATUS_MEM_ERR;
00394                         goto clean;
00395                 }
00396                 ldns_write_uint64_as_uint48(time_signed,
00397                                 (uint64_t)tv_time_signed.tv_sec);
00398         } else {
00399                 status = LDNS_STATUS_INTERNAL_ERR;
00400                 goto clean;
00401         }
00402 
00403         time_signed_rdf = ldns_rdf_new(LDNS_RDF_TYPE_TSIGTIME, 6, time_signed);
00404         if(!time_signed_rdf) {
00405                 LDNS_FREE(time_signed);
00406                 status = LDNS_STATUS_MEM_ERR;
00407                 goto clean;
00408         }
00409 
00410         fudge_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, fudge);
00411 
00412         orig_id_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_pkt_id(pkt));
00413 
00414         error_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 0);
00415 
00416         other_data_rdf = ldns_native2rdf_int16_data(0, NULL);
00417 
00418         if(!fudge_rdf || !orig_id_rdf || !error_rdf || !other_data_rdf) {
00419                 status = LDNS_STATUS_MEM_ERR;
00420                 goto clean;
00421         }
00422 
00423         if (ldns_pkt2wire(&pkt_wire, pkt, &pkt_wire_len) != LDNS_STATUS_OK) {
00424                 status = LDNS_STATUS_ERR;
00425                 goto clean;
00426         }
00427 
00428         status = ldns_tsig_mac_new(&mac_rdf, pkt_wire, pkt_wire_len,
00429                         key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00430                         time_signed_rdf, error_rdf, other_data_rdf, query_mac, tsig_timers_only);
00431 
00432         if (!mac_rdf) {
00433                 goto clean;
00434         }
00435 
00436         LDNS_FREE(pkt_wire);
00437 
00438         /* Create the TSIG RR */
00439         tsig_rr = ldns_rr_new();
00440         if(!tsig_rr) {
00441                 status = LDNS_STATUS_MEM_ERR;
00442                 goto clean;
00443         }
00444         ldns_rr_set_owner(tsig_rr, key_name_rdf);
00445         ldns_rr_set_class(tsig_rr, LDNS_RR_CLASS_ANY);
00446         ldns_rr_set_type(tsig_rr, LDNS_RR_TYPE_TSIG);
00447         ldns_rr_set_ttl(tsig_rr, 0);
00448 
00449         ldns_rr_push_rdf(tsig_rr, algorithm_rdf);
00450         ldns_rr_push_rdf(tsig_rr, time_signed_rdf);
00451         ldns_rr_push_rdf(tsig_rr, fudge_rdf);
00452         ldns_rr_push_rdf(tsig_rr, mac_rdf);
00453         ldns_rr_push_rdf(tsig_rr, orig_id_rdf);
00454         ldns_rr_push_rdf(tsig_rr, error_rdf);
00455         ldns_rr_push_rdf(tsig_rr, other_data_rdf);
00456 
00457         ldns_pkt_set_tsig(pkt, tsig_rr);
00458 
00459         return status;
00460 
00461   clean:
00462         LDNS_FREE(pkt_wire);
00463         ldns_rdf_free(key_name_rdf);
00464         ldns_rdf_free(algorithm_rdf);
00465         ldns_rdf_free(time_signed_rdf);
00466         ldns_rdf_free(fudge_rdf);
00467         ldns_rdf_free(orig_id_rdf);
00468         ldns_rdf_free(error_rdf);
00469         ldns_rdf_free(other_data_rdf);
00470         return status;
00471 }
00472 #endif /* HAVE_SSL */

Generated on Thu Apr 5 23:03:55 2012 for ldns by  doxygen 1.4.7