mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 18:19:42 +00:00
Code Issues Releases Wiki Activity
bind/lib/dns/tkey.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

744 lines
20 KiB
C
Raw Normal View History

tkey snapshot
1999-10-26 15:39:59 +00:00
/*
update copyright notice
2011-01-08 23:47:01 +00:00
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
tkey snapshot
1999-10-26 15:39:59 +00:00
*
* SPDX-License-Identifier: MPL-2.0
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files.
2021-06-03 08:37:05 +02:00
*
tkey snapshot
1999-10-26 15:39:59 +00:00
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
Update license headers to not include years in copyright in all applicable files
2018-02-23 09:53:12 +01:00
*
tkey snapshot
1999-10-26 15:39:59 +00:00
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
1851. [doc] Doxygen comment markup. [RT #11398]
2005-04-27 04:57:32 +00:00
/*! \file */
tkey snapshot
1999-10-26 15:39:59 +00:00
Replace custom isc_u?intNN_t types with C99 u?intNN_t types
2018-03-28 14:19:37 +02:00
#include <inttypes.h>
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
#include <stdbool.h>
Replace custom isc_u?intNN_t types with C99 u?intNN_t types
2018-03-28 14:19:37 +02:00
Complete rewrite the BIND 9 build system The rewrite of BIND 9 build system is a large work and cannot be reasonable split into separate merge requests. Addition of the automake has a positive effect on the readability and maintainability of the build system as it is more declarative, it allows conditional and we are able to drop all of the custom make code that BIND 9 developed over the years to overcome the deficiencies of autoconf + custom Makefile.in files. This squashed commit contains following changes: - conversion (or rather fresh rewrite) of all Makefile.in files to Makefile.am by using automake - the libtool is now properly integrated with automake (the way we used it was rather hackish as the only official way how to use libtool is via automake - the dynamic module loading was rewritten from a custom patchwork to libtool's libltdl (which includes the patchwork to support module loading on different systems internally) - conversion of the unit test executor from kyua to automake parallel driver - conversion of the system test executor from custom make/shell to automake parallel driver - The GSSAPI has been refactored, the custom SPNEGO on the basis that all major KRB5/GSSAPI (mit-krb5, heimdal and Windows) implementations support SPNEGO mechanism. - The various defunct tests from bin/tests have been removed: bin/tests/optional and bin/tests/pkcs11 - The text files generated from the MD files have been removed, the MarkDown has been designed to be readable by both humans and computers - The xsl header is now generated by a simple sed command instead of perl helper - The <irs/platform.h> header has been removed - cleanups of configure.ac script to make it more simpler, addition of multiple macros (there's still work to be done though) - the tarball can now be prepared with `make dist` - the system tests are partially able to run in oot build Here's a list of unfinished work that needs to be completed in subsequent merge requests: - `make distcheck` doesn't yet work (because of system tests oot run is not yet finished) - documentation is not yet built, there's a different merge request with docbook to sphinx-build rst conversion that needs to be rebased and adapted on top of the automake - msvc build is non functional yet and we need to decide whether we will just cross-compile bind9 using mingw-w64 or fix the msvc build - contributed dlz modules are not included neither in the autoconf nor automake
2018-08-07 16:46:53 +02:00
#if HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif HAVE_GSSAPI_H
#include <gssapi.h>
#endif
include isc/buffer.h, dns/name.h, dns/rdatastruct.h
2000-05-30 22:28:37 +00:00
#include <isc/buffer.h>
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
#include <isc/hex.h>
Convert all categories and modules into static lists Remove the complicated mechanism that could be (in theory) used by external libraries to register new categories and modules with statically defined lists in <isc/log.h>. This is similar to what we have done for <isc/result.h> result codes. All the libraries are now internal to BIND 9, so we don't need to provide a mechanism to register extra categories and modules.
2024-08-14 13:25:50 +02:00
#include <isc/log.h>
Add generic message digest API (isc_md) to replace specific MD functions md5/sha1/sha256
2018-06-01 09:31:59 +02:00
#include <isc/md.h>
major TSIG/TKEY cleanup
2000-01-21 20:18:41 +00:00
#include <isc/mem.h>
Change isc_random() to be just PRNG, and add isc_nonce_buf() that uses CSPRNG This commit reverts the previous change to use system provided entropy, as (SYS_)getrandom is very slow on Linux because it is a syscall. The change introduced in this commit adds a new call isc_nonce_buf that uses CSPRNG from cryptographic library provider to generate secure data that can be and must be used for generating nonces. Example usage would be DNS cookies. The isc_random() API has been changed to use fast PRNG that is not cryptographically secure, but runs entirely in user space. Two contestants have been considered xoroshiro family of the functions by Villa&Blackman and PCG by O'Neill. After a consideration the xoshiro128starstar function has been used as uint32_t random number provider because it is very fast and has good enough properties for our usage pattern. The other change introduced in the commit is the more extensive usage of isc_random_uniform in places where the usage pattern was isc_random() % n to prevent modulo bias. For usage patterns where only 16 or 8 bits are needed (DNS Message ID), the isc_random() functions has been renamed to isc_random32(), and isc_random16() and isc_random8() functions have been introduced by &-ing the isc_random32() output with 0xffff and 0xff. Please note that the functions that uses stripped down bit count doesn't pass our NIST SP 800-22 based random test.
2018-05-28 15:22:23 +02:00
#include <isc/nonce.h>
Replace all random functions with isc_random, isc_random_buf and isc_random_uniform API. The three functions has been modeled after the arc4random family of functions, and they will always return random bytes. The isc_random family of functions internally use these CSPRNG (if available): 1. getrandom() libc call (might be available on Linux and Solaris) 2. SYS_getrandom syscall (might be available on Linux, detected at runtime) 3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X) 4. crypto library function: 4a. RAND_bytes in case OpenSSL 4b. pkcs_C_GenerateRandom() in case PKCS#11 library
2018-04-22 14:56:28 +02:00
#include <isc/random.h>
Make isc_result a static enum Remove the dynamic registration of result codes. Convert isc_result_t from unsigned + #defines into 32-bit enum type in grand unified <isc/result.h> header. Keep the existing values of the result codes even at the expense of the description and identifier tables being unnecessary large. Additionally, add couple of: switch (result) { [...] default: break; } statements where compiler now complains about missing enum values in the switch statement.
2021-10-04 17:14:53 +02:00
#include <isc/result.h>
Megacommit of dozens of files. Cleanup of redundant/useless header file inclusion. ISC style lint, primarily for function declarations and standalone comments -- ie, those that appear on a line without any code, which should be written as follows: /* * This is a comment. */
2000-05-08 14:38:29 +00:00
#include <isc/string.h>
include isc/util.h
2000-04-28 01:12:23 +00:00
#include <isc/util.h>
tkey snapshot
1999-10-26 15:39:59 +00:00
#include <dns/dnssec.h>
general cleanup
2001-02-14 00:43:10 +00:00
#include <dns/fixedname.h>
tkey snapshot
1999-10-26 15:39:59 +00:00
#include <dns/keyvalues.h>
#include <dns/message.h>
include isc/buffer.h, dns/name.h, dns/rdatastruct.h
2000-05-30 22:28:37 +00:00
#include <dns/name.h>
tkey snapshot
1999-10-26 15:39:59 +00:00
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
include isc/buffer.h, dns/name.h, dns/rdatastruct.h
2000-05-30 22:28:37 +00:00
#include <dns/rdatastruct.h>
Redundant header work, mostly removing <dns/result.h> from installed headers and adding it to source files that need it.
2000-05-02 03:54:17 +00:00
#include <dns/result.h>
tkey snapshot
1999-10-26 15:39:59 +00:00
#include <dns/tkey.h>
#include <dns/tsig.h>
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
#include <dst/dst.h>
#include <dst/gssapi.h>
Use the new sorting rules to regroup #include headers
2020-03-09 16:17:26 +01:00
#include "dst_internal.h"
use algorithm number instead of name to create TSIG keys the prior practice of passing a dns_name containing the expanded name of an algorithm to dns_tsigkey_create() and dns_tsigkey_createfromkey() is unnecessarily cumbersome; we can now pass the algorithm number instead.
2023-04-11 19:01:31 -07:00
#include "tsig_p.h"
[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031]
2014-01-14 15:40:56 -08:00
4175. [bug] TKEY with GSS-API keys needed bigger buffers. [RT #40333]
2015-08-14 08:20:01 +10:00
#define TEMP_BUFFER_SZ 8192
Creating a TSIG key from a Diffie Hellman exchange is now tkey-01 compatible
1999-10-28 20:00:04 +00:00
#define TKEY_RANDOM_AMOUNT 16
fix macro problems
1999-10-26 17:25:07 +00:00
#define RETERR(x) \
do { \
tkey snapshot
1999-10-26 15:39:59 +00:00
result = (x); \
if (result != ISC_R_SUCCESS) \
goto failure; \
} while (0)
format string bugs and improved format string checking [RT #1578]
2001-08-08 22:54:55 +00:00
static void
tkey_log(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
Add some log messages
2000-06-23 01:51:35 +00:00
static void
tkey_log(const char *fmt, ...) {
va_list ap;
va_start(ap, fmt);
Remove logging context (isc_log_t) from the public namespace Now that the logging uses single global context, remove the isc_log_t from the public namespace.
2024-08-13 18:20:26 +02:00
isc_log_vwrite(DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_REQUEST,
Add some log messages
2000-06-23 01:51:35 +00:00
ISC_LOG_DEBUG(4), fmt, ap);
va_end(ap);
}
tkey snapshot
1999-10-26 15:39:59 +00:00
clean up uses of ISC_R_NOMEMORY the isc_mem allocation functions can no longer fail; as a result, ISC_R_NOMEMORY is now rarely used: only when an external library such as libjson-c or libfstrm could return NULL. (even in these cases, arguably we should assert rather than returning ISC_R_NOMEMORY.) code and comments that mentioned ISC_R_NOMEMORY have been cleaned up, and the following functions have been changed to type void, since (in most cases) the only value they could return was ISC_R_SUCCESS: - dns_dns64_create() - dns_dyndb_create() - dns_ipkeylist_resize() - dns_kasp_create() - dns_kasp_key_create() - dns_keystore_create() - dns_order_create() - dns_order_add() - dns_peerlist_new() - dns_tkeyctx_create() - dns_view_create() - dns_zone_setorigin() - dns_zone_setfile() - dns_zone_setstream() - dns_zone_getdbtype() - dns_zone_setjournal() - dns_zone_setkeydirectory() - isc_lex_openstream() - isc_portset_create() - isc_symtab_create() (the exception is dns_view_create(), which could have returned other error codes in the event of a crypto library failure when calling isc_file_sanitize(), but that should be a RUNTIME_CHECK anyway.)
2025-01-07 19:03:07 -08:00
void
Replace all random functions with isc_random, isc_random_buf and isc_random_uniform API. The three functions has been modeled after the arc4random family of functions, and they will always return random bytes. The isc_random family of functions internally use these CSPRNG (if available): 1. getrandom() libc call (might be available on Linux and Solaris) 2. SYS_getrandom syscall (might be available on Linux, detected at runtime) 3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X) 4. crypto library function: 4a. RAND_bytes in case OpenSSL 4b. pkcs_C_GenerateRandom() in case PKCS#11 library
2018-04-22 14:56:28 +02:00
dns_tkeyctx_create(isc_mem_t *mctx, dns_tkeyctx_t **tctxp) {
tkey snapshot
1999-10-26 15:39:59 +00:00
REQUIRE(mctx != NULL);
tkey cleanups and conversion to the entropy api
2000-06-09 22:33:08 +00:00
REQUIRE(tctxp != NULL && *tctxp == NULL);
major TSIG/TKEY cleanup
2000-01-21 20:18:41 +00:00
Remove TKEY Mode 2 (Diffie-Hellman) Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from BIND 9 (from named, named.conf and all the tools). The TKEY usage is fringe at best and in all known cases, GSSAPI is being used as it should. The draft-eastlake-dnsop-rfc2930bis-tkey specifies that: 4.2 Diffie-Hellman Exchanged Keying (Deprecated) The use of this mode (#2) is NOT RECOMMENDED for the following two reasons but the specification is still included in Appendix A in case an implementation is needed for compatibility with old TKEY implementations. See Section 4.6 on ECDH Exchanged Keying. The mixing function used does not meet current cryptographic standards because it uses MD5 [RFC6151]. RSA keys must be excessively long to achieve levels of security required by current standards. We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key exchange mode 6 if the draft ever reaches the RFC status. Meanwhile the insecure DH mode needs to be removed.
2023-02-28 16:05:34 +01:00
dns_tkeyctx_t *tctx = isc_mem_get(mctx, sizeof(*tctx));
*tctx = (dns_tkeyctx_t){
.mctx = NULL,
};
tkey cleanups and conversion to the entropy api
2000-06-09 22:33:08 +00:00
isc_mem_attach(mctx, &tctx->mctx);
*tctxp = tctx;
tkey snapshot
1999-10-26 15:39:59 +00:00
}
added dns_tkey_destroy, other minor fixes
1999-11-05 16:53:47 +00:00
void
tkey cleanups and conversion to the entropy api
2000-06-09 22:33:08 +00:00
dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
isc_mem_t *mctx = NULL;
dns_tkeyctx_t *tctx = NULL;
major TSIG/TKEY cleanup
2000-01-21 20:18:41 +00:00
tkey cleanups and conversion to the entropy api
2000-06-09 22:33:08 +00:00
REQUIRE(tctxp != NULL && *tctxp != NULL);
tctx = *tctxp;
Clear the pointer to destroyed object early using the semantic patch Also disable the semantic patch as the code needs tweaks here and there because some destroy functions might not destroy the object and return early if the object is still in use.
2020-02-08 04:37:54 -08:00
*tctxp = NULL;
tkey cleanups and conversion to the entropy api
2000-06-09 22:33:08 +00:00
mctx = tctx->mctx;
major TSIG/TKEY cleanup
2000-01-21 20:18:41 +00:00
tkey cleanups and conversion to the entropy api
2000-06-09 22:33:08 +00:00
if (tctx->domain != NULL) {
Various hacks to allow (at some point in the future) interoperability with Windows 2000's broken implementation of TKEY.
2000-10-12 00:40:52 +00:00
if (dns_name_dynamic(tctx->domain)) {
dns_name_free(tctx->domain, mctx);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
tkey cleanups and conversion to the entropy api
2000-06-09 22:33:08 +00:00
isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
}
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
if (tctx->gssapi_keytab != NULL) {
isc_mem_free(mctx, tctx->gssapi_keytab);
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (tctx->gsscred != NULL) {
dst_gssapi_releasecred(&tctx->gsscred);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
Replace usage of isc_mem_put+isc_mem_detach with isc_mem_putanddetach Using isc_mem_put(mctx, ...) + isc_mem_detach(mctx) required juggling with the local variables when mctx was part of the freed object. The isc_mem_putanddetach function can handle this case internally, but it wasn't used everywhere. This commit apply the semantic patching plus bit of manual work to replace all such occurrences with proper usage of isc_mem_putanddetach().
2019-07-23 17:16:57 -04:00
isc_mem_putanddetach(&mctx, tctx, sizeof(dns_tkeyctx_t));
added dns_tkey_destroy, other minor fixes
1999-11-05 16:53:47 +00:00
}
dns_rdatalist_tordataset() and dns_rdatalist_fromrdataset() can not fail Clean up dns_rdatalist_tordataset() and dns_rdatalist_fromrdataset() functions by making them return void, because they cannot fail. Clean up other functions that subsequently cannot fail.
2022-07-29 12:40:45 +00:00
static void
tkey snapshot
1999-10-26 15:39:59 +00:00
add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
Replace custom isc_u?intNN_t types with C99 u?intNN_t types
2018-03-28 14:19:37 +02:00
uint32_t ttl, dns_namelist_t *namelist) {
tkey snapshot
1999-10-26 15:39:59 +00:00
isc_region_t r, newr;
dns_rdata_t *newrdata = NULL;
dns_name_t *newname = NULL;
dns_rdatalist_t *newlist = NULL;
dns_rdataset_t *newset = NULL;
clean up suspicious looking and incorrect uses of dns_name_fromregion
2000-10-07 00:09:28 +00:00
isc_buffer_t *tmprdatabuf = NULL;
tkey snapshot
1999-10-26 15:39:59 +00:00
Cleanup dns_message_gettemp*() functions - they cannot fail The dns_message_gettempname(), dns_message_gettemprdata(), dns_message_gettemprdataset(), and dns_message_gettemprdatalist() always succeeds because the memory allocation cannot fail now. Change the API to return void and cleanup all the use of aforementioned functions.
2022-05-16 13:28:13 +02:00
dns_message_gettemprdata(msg, &newrdata);
tkey snapshot
1999-10-26 15:39:59 +00:00
dns_rdata_toregion(rdata, &r);
Refactor the isc_buffer_allocate() usage using the semantic patch The isc_buffer_allocate() function now cannot fail with ISC_R_MEMORY. This commit removes all the checks on the return code using the semantic patch from previous commit, as isc_buffer_allocate() now returns void.
2020-02-02 08:35:46 +01:00
isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length);
103. [func] libisc buffer API changes for <isc/buffer.h>: Added: isc_buffer_base(b) (pointer) isc_buffer_current(b) (pointer) isc_buffer_active(b) (pointer) isc_buffer_used(b) (pointer) isc_buffer_length(b) (int) isc_buffer_usedlength(b) (int) isc_buffer_consumedlength(b) (int) isc_buffer_remaininglength(b) (int) isc_buffer_activelength(b) (int) isc_buffer_availablelength(b) (int) Removed: ISC_BUFFER_USEDCOUNT(b) ISC_BUFFER_AVAILABLECOUNT(b) isc_buffer_type(b) Changed names: isc_buffer_used(b, r) -> isc_buffer_usedregion(b, r) isc_buffer_available(b, r) -> isc_buffer_available_region(b, r) isc_buffer_consumed(b, r) -> isc_buffer_consumedregion(b, r) isc_buffer_active(b, r) -> isc_buffer_activeregion(b, r) isc_buffer_remaining(b, r) -> isc_buffer_remainingregion(b, r) Buffer types were removed, so the ISC_BUFFERTYPE_* macros are no more, and the type argument to isc_buffer_init and isc_buffer_allocate were removed. isc_buffer_putstr is now void (instead of isc_result_t) and requires that the caller ensure that there is enough available buffer space for the string.
2000-04-27 00:03:12 +00:00
isc_buffer_availableregion(tmprdatabuf, &newr);
[master] replace memcpy() with memmove(). 3698. [cleanup] Replaced all uses of memcpy() with memmove(). [RT #35120]
2014-01-08 16:27:10 -08:00
memmove(newr.base, r.base, r.length);
tkey snapshot
1999-10-26 15:39:59 +00:00
dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
dns_message_takebuffer(msg, &tmprdatabuf);
Cleanup dns_message_gettemp*() functions - they cannot fail The dns_message_gettempname(), dns_message_gettemprdata(), dns_message_gettemprdataset(), and dns_message_gettemprdatalist() always succeeds because the memory allocation cannot fail now. Change the API to return void and cleanup all the use of aforementioned functions.
2022-05-16 13:28:13 +02:00
dns_message_gettempname(msg, &newname);
rename dns_name_copynf() to dns_name_copy() dns_name_copy() is now the standard name-copying function.
2021-05-21 17:20:44 -07:00
dns_name_copy(name, newname);
tkey snapshot
1999-10-26 15:39:59 +00:00
Cleanup dns_message_gettemp*() functions - they cannot fail The dns_message_gettempname(), dns_message_gettemprdata(), dns_message_gettemprdataset(), and dns_message_gettemprdatalist() always succeeds because the memory allocation cannot fail now. Change the API to return void and cleanup all the use of aforementioned functions.
2022-05-16 13:28:13 +02:00
dns_message_gettemprdatalist(msg, &newlist);
tkey snapshot
1999-10-26 15:39:59 +00:00
newlist->rdclass = newrdata->rdclass;
newlist->type = newrdata->type;
newlist->ttl = ttl;
ISC_LIST_APPEND(newlist->rdata, newrdata, link);
Cleanup dns_message_gettemp*() functions - they cannot fail The dns_message_gettempname(), dns_message_gettemprdata(), dns_message_gettemprdataset(), and dns_message_gettemprdatalist() always succeeds because the memory allocation cannot fail now. Change the API to return void and cleanup all the use of aforementioned functions.
2022-05-16 13:28:13 +02:00
dns_message_gettemprdataset(msg, &newset);
dns_rdatalist_tordataset() and dns_rdatalist_fromrdataset() can not fail Clean up dns_rdatalist_tordataset() and dns_rdatalist_fromrdataset() functions by making them return void, because they cannot fail. Clean up other functions that subsequently cannot fail.
2022-07-29 12:40:45 +00:00
dns_rdatalist_tordataset(newlist, newset);
tkey snapshot
1999-10-26 15:39:59 +00:00
ISC_LIST_INIT(newname->list);
ISC_LIST_APPEND(newname->list, newset, link);
ISC_LIST_APPEND(*namelist, newname, link);
}
675. [func] TKEY queries could cause the server to leak memory.
2001-01-11 04:23:39 +00:00
static void
free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
dns_name_t *name = NULL;
675. [func] TKEY queries could cause the server to leak memory.
2001-01-11 04:23:39 +00:00
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
while ((name = ISC_LIST_HEAD(*namelist)) != NULL) {
dns_rdataset_t *set = NULL;
675. [func] TKEY queries could cause the server to leak memory.
2001-01-11 04:23:39 +00:00
ISC_LIST_UNLINK(*namelist, name, link);
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
while ((set = ISC_LIST_HEAD(name->list)) != NULL) {
675. [func] TKEY queries could cause the server to leak memory.
2001-01-11 04:23:39 +00:00
ISC_LIST_UNLINK(name->list, set, link);
disassociate rdatasets when cleaning up free_namelist could be passed names with associated rdatasets when handling errors. These need to be disassociated before calling dns_message_puttemprdataset.
2021-12-21 12:44:17 +11:00
if (dns_rdataset_isassociated(set)) {
dns_rdataset_disassociate(set);
}
675. [func] TKEY queries could cause the server to leak memory.
2001-01-11 04:23:39 +00:00
dns_message_puttemprdataset(msg, &set);
}
dns_message_puttempname(msg, &name);
}
}
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
static isc_result_t
Some thoughts on a solution
2019-01-29 18:10:27 +01:00
process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
2976. [bug] named die on exit after negotiating a GSS-TSIG key. [RT #3415]
2010-12-02 23:22:42 +00:00
dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
use ISC_REFCOUNT_IMPL for dns_tsigkey and dns_tsigkeyring use the ISC_REFCOUNT attach/detach implementation in dns/tsig.c so that detailed tracing can be used during refactoring. dns_tsig_keyring_t has been renamed dns_tsigkeyring_t so the type and the attach/detach function names will match.
2023-04-11 11:35:01 -07:00
dns_tsigkeyring_t *ring) {
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
isc_result_t result = ISC_R_SUCCESS;
dst_key_t *dstkey = NULL;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
dns_tsigkey_t *tsigkey = NULL;
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
dns_fixedname_t fprincipal;
dns_name_t *principal = dns_fixedname_initname(&fprincipal);
Apply the semantic patch to remove isc_stdtime_get() This is a simple replacement using the semantic patch from the previous commit and as added bonus, one removal of previously undetected unused variable in named/server.c.
2023-03-30 21:13:41 +02:00
isc_stdtime_t now = isc_stdtime_now();
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
isc_region_t intoken;
better mcxt handling. remove buffer handling layer violation
2006-12-05 21:59:12 +00:00
isc_buffer_t *outtoken = NULL;
Stop including gssapi.h from dst/gssapi.h header The only reason for including the gssapi.h from the dst/gssapi.h header was to get the typedefs of gss_cred_id_t and gss_ctx_id_t. Instead of using those types directly this commit introduces dns_gss_cred_id_t and dns_gss_ctx_id_t types that are being used in the public API and privately retyped to their counterparts when we actually call the gss api. This also conceals the gssapi headers, so users of the libdns library doesn't have to add GSSAPI_CFLAGS to the Makefile when including libdns dst API.
2021-02-11 14:40:59 +01:00
dns_gss_ctx_id_t gss_ctx = NULL;
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
update copyright notice
2010-12-18 23:47:11 +00:00
/*
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
* You have to define either a gss credential (principal) to
* accept with tkey-gssapi-credential, or you have to
* configure a specific keytab (with tkey-gssapi-keytab) in
Some thoughts on a solution
2019-01-29 18:10:27 +01:00
* order to use gsstkey.
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
*/
if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
tkey_log("process_gsstkey(): no tkey-gssapi-credential "
"or tkey-gssapi-keytab configured");
Return REFUSED if GSSAPI is not configured Return REFUSED if neither a keytab nor a gssapi credential is configured to GSSAPI/TKEY requests.
2023-07-27 08:34:45 +10:00
return DNS_R_REFUSED;
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
}
update copyright notice
2010-12-18 23:47:11 +00:00
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME)) {
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
tkeyout->error = dns_tsigerror_badalg;
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
tkey_log("process_gsstkey(): dns_tsigerror_badalg");
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
return ISC_R_SUCCESS;
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
/*
* XXXDCL need to check for key expiry per 4.1.1
* XXXDCL need a way to check fully established, perhaps w/key_flags
*/
result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
if (result == ISC_R_SUCCESS) {
gss_ctx = dst_key_getgssctx(tsigkey->key);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
/*
update copyright notice
2010-12-18 23:47:11 +00:00
* Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
*/
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
intoken = (isc_region_t){ tkeyin->key, tkeyin->keylen };
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
&intoken, &outtoken, &gss_ctx, principal,
tctx->mctx);
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (result == DNS_R_INVALIDTKEY) {
2929. [bug] Improved handling of GSS security contexts: - added LRU expiration for generated TSIGs - added the ability to use a non-default realm - added new "realm" keyword in nsupdate - limited lifetime of generated keys to 1 hour or the lifetime of the context (whichever is smaller) [RT #19737]
2010-07-09 05:13:15 +00:00
if (tsigkey != NULL) {
dns_tsigkey_detach(&tsigkey);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
tkeyout->error = dns_tsigerror_badkey;
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
tkey_log("process_gsstkey(): dns_tsigerror_badkey");
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
return ISC_R_SUCCESS;
3300. [bug] Named could die if gssapi was enabled in named.conf but was not compiled in. [RT #28338]
2012-03-29 09:49:58 +11:00
}
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) {
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
goto failure;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
/*
* XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
*/
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
if (dns_name_countlabels(principal) == 0U) {
Change #4148 wasn't complete - there was a memory leak when using negotiated TSIG keys. - TKEY responses could only be signed when using a newly negotiated key; if an existent matching TSIG was found in in the keyring it would not be used.
2019-01-30 15:42:04 -08:00
if (tsigkey != NULL) {
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
dns_tsigkey_detach(&tsigkey);
Change #4148 wasn't complete - there was a memory leak when using negotiated TSIG keys. - TKEY responses could only be signed when using a newly negotiated key; if an existent matching TSIG was found in in the keyring it would not be used.
2019-01-30 15:42:04 -08:00
}
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
} else if (tsigkey == NULL) {
Complete rewrite the BIND 9 build system The rewrite of BIND 9 build system is a large work and cannot be reasonable split into separate merge requests. Addition of the automake has a positive effect on the readability and maintainability of the build system as it is more declarative, it allows conditional and we are able to drop all of the custom make code that BIND 9 developed over the years to overcome the deficiencies of autoconf + custom Makefile.in files. This squashed commit contains following changes: - conversion (or rather fresh rewrite) of all Makefile.in files to Makefile.am by using automake - the libtool is now properly integrated with automake (the way we used it was rather hackish as the only official way how to use libtool is via automake - the dynamic module loading was rewritten from a custom patchwork to libtool's libltdl (which includes the patchwork to support module loading on different systems internally) - conversion of the unit test executor from kyua to automake parallel driver - conversion of the system test executor from custom make/shell to automake parallel driver - The GSSAPI has been refactored, the custom SPNEGO on the basis that all major KRB5/GSSAPI (mit-krb5, heimdal and Windows) implementations support SPNEGO mechanism. - The various defunct tests from bin/tests have been removed: bin/tests/optional and bin/tests/pkcs11 - The text files generated from the MD files have been removed, the MarkDown has been designed to be readable by both humans and computers - The xsl header is now generated by a simple sed command instead of perl helper - The <irs/platform.h> header has been removed - cleanups of configure.ac script to make it more simpler, addition of multiple macros (there's still work to be done though) - the tarball can now be prepared with `make dist` - the system tests are partially able to run in oot build Here's a list of unfinished work that needs to be completed in subsequent merge requests: - `make distcheck` doesn't yet work (because of system tests oot run is not yet finished) - documentation is not yet built, there's a different merge request with docbook to sphinx-build rst conversion that needs to be rebased and adapted on top of the automake - msvc build is non functional yet and we need to decide whether we will just cross-compile bind9 using mingw-w64 or fix the msvc build - contributed dlz modules are not included neither in the autoconf nor automake
2018-08-07 16:46:53 +02:00
#if HAVE_GSSAPI
2929. [bug] Improved handling of GSS security contexts: - added LRU expiration for generated TSIGs - added the ability to use a non-default realm - added new "realm" keyword in nsupdate - limited lifetime of generated keys to 1 hour or the lifetime of the context (whichever is smaller) [RT #19737]
2010-07-09 05:13:15 +00:00
OM_uint32 gret, minor, lifetime;
Complete rewrite the BIND 9 build system The rewrite of BIND 9 build system is a large work and cannot be reasonable split into separate merge requests. Addition of the automake has a positive effect on the readability and maintainability of the build system as it is more declarative, it allows conditional and we are able to drop all of the custom make code that BIND 9 developed over the years to overcome the deficiencies of autoconf + custom Makefile.in files. This squashed commit contains following changes: - conversion (or rather fresh rewrite) of all Makefile.in files to Makefile.am by using automake - the libtool is now properly integrated with automake (the way we used it was rather hackish as the only official way how to use libtool is via automake - the dynamic module loading was rewritten from a custom patchwork to libtool's libltdl (which includes the patchwork to support module loading on different systems internally) - conversion of the unit test executor from kyua to automake parallel driver - conversion of the system test executor from custom make/shell to automake parallel driver - The GSSAPI has been refactored, the custom SPNEGO on the basis that all major KRB5/GSSAPI (mit-krb5, heimdal and Windows) implementations support SPNEGO mechanism. - The various defunct tests from bin/tests have been removed: bin/tests/optional and bin/tests/pkcs11 - The text files generated from the MD files have been removed, the MarkDown has been designed to be readable by both humans and computers - The xsl header is now generated by a simple sed command instead of perl helper - The <irs/platform.h> header has been removed - cleanups of configure.ac script to make it more simpler, addition of multiple macros (there's still work to be done though) - the tarball can now be prepared with `make dist` - the system tests are partially able to run in oot build Here's a list of unfinished work that needs to be completed in subsequent merge requests: - `make distcheck` doesn't yet work (because of system tests oot run is not yet finished) - documentation is not yet built, there's a different merge request with docbook to sphinx-build rst conversion that needs to be rebased and adapted on top of the automake - msvc build is non functional yet and we need to decide whether we will just cross-compile bind9 using mingw-w64 or fix the msvc build - contributed dlz modules are not included neither in the autoconf nor automake
2018-08-07 16:46:53 +02:00
#endif /* HAVE_GSSAPI */
Replace custom isc_u?intNN_t types with C99 u?intNN_t types
2018-03-28 14:19:37 +02:00
uint32_t expire;
2929. [bug] Improved handling of GSS security contexts: - added LRU expiration for generated TSIGs - added the ability to use a non-default realm - added new "realm" keyword in nsupdate - limited lifetime of generated keys to 1 hour or the lifetime of the context (whichever is smaller) [RT #19737]
2010-07-09 05:13:15 +00:00
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx, &dstkey,
&intoken));
2929. [bug] Improved handling of GSS security contexts: - added LRU expiration for generated TSIGs - added the ability to use a non-default realm - added new "realm" keyword in nsupdate - limited lifetime of generated keys to 1 hour or the lifetime of the context (whichever is smaller) [RT #19737]
2010-07-09 05:13:15 +00:00
/*
* Limit keys to 1 hour or the context's lifetime whichever
* is smaller.
*/
expire = now + 3600;
Complete rewrite the BIND 9 build system The rewrite of BIND 9 build system is a large work and cannot be reasonable split into separate merge requests. Addition of the automake has a positive effect on the readability and maintainability of the build system as it is more declarative, it allows conditional and we are able to drop all of the custom make code that BIND 9 developed over the years to overcome the deficiencies of autoconf + custom Makefile.in files. This squashed commit contains following changes: - conversion (or rather fresh rewrite) of all Makefile.in files to Makefile.am by using automake - the libtool is now properly integrated with automake (the way we used it was rather hackish as the only official way how to use libtool is via automake - the dynamic module loading was rewritten from a custom patchwork to libtool's libltdl (which includes the patchwork to support module loading on different systems internally) - conversion of the unit test executor from kyua to automake parallel driver - conversion of the system test executor from custom make/shell to automake parallel driver - The GSSAPI has been refactored, the custom SPNEGO on the basis that all major KRB5/GSSAPI (mit-krb5, heimdal and Windows) implementations support SPNEGO mechanism. - The various defunct tests from bin/tests have been removed: bin/tests/optional and bin/tests/pkcs11 - The text files generated from the MD files have been removed, the MarkDown has been designed to be readable by both humans and computers - The xsl header is now generated by a simple sed command instead of perl helper - The <irs/platform.h> header has been removed - cleanups of configure.ac script to make it more simpler, addition of multiple macros (there's still work to be done though) - the tarball can now be prepared with `make dist` - the system tests are partially able to run in oot build Here's a list of unfinished work that needs to be completed in subsequent merge requests: - `make distcheck` doesn't yet work (because of system tests oot run is not yet finished) - documentation is not yet built, there's a different merge request with docbook to sphinx-build rst conversion that needs to be rebased and adapted on top of the automake - msvc build is non functional yet and we need to decide whether we will just cross-compile bind9 using mingw-w64 or fix the msvc build - contributed dlz modules are not included neither in the autoconf nor automake
2018-08-07 16:46:53 +02:00
#if HAVE_GSSAPI
2929. [bug] Improved handling of GSS security contexts: - added LRU expiration for generated TSIGs - added the ability to use a non-default realm - added new "realm" keyword in nsupdate - limited lifetime of generated keys to 1 hour or the lifetime of the context (whichever is smaller) [RT #19737]
2010-07-09 05:13:15 +00:00
gret = gss_context_time(&minor, gss_ctx, &lifetime);
if (gret == GSS_S_COMPLETE && now + lifetime < expire) {
expire = now + lifetime;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
Complete rewrite the BIND 9 build system The rewrite of BIND 9 build system is a large work and cannot be reasonable split into separate merge requests. Addition of the automake has a positive effect on the readability and maintainability of the build system as it is more declarative, it allows conditional and we are able to drop all of the custom make code that BIND 9 developed over the years to overcome the deficiencies of autoconf + custom Makefile.in files. This squashed commit contains following changes: - conversion (or rather fresh rewrite) of all Makefile.in files to Makefile.am by using automake - the libtool is now properly integrated with automake (the way we used it was rather hackish as the only official way how to use libtool is via automake - the dynamic module loading was rewritten from a custom patchwork to libtool's libltdl (which includes the patchwork to support module loading on different systems internally) - conversion of the unit test executor from kyua to automake parallel driver - conversion of the system test executor from custom make/shell to automake parallel driver - The GSSAPI has been refactored, the custom SPNEGO on the basis that all major KRB5/GSSAPI (mit-krb5, heimdal and Windows) implementations support SPNEGO mechanism. - The various defunct tests from bin/tests have been removed: bin/tests/optional and bin/tests/pkcs11 - The text files generated from the MD files have been removed, the MarkDown has been designed to be readable by both humans and computers - The xsl header is now generated by a simple sed command instead of perl helper - The <irs/platform.h> header has been removed - cleanups of configure.ac script to make it more simpler, addition of multiple macros (there's still work to be done though) - the tarball can now be prepared with `make dist` - the system tests are partially able to run in oot build Here's a list of unfinished work that needs to be completed in subsequent merge requests: - `make distcheck` doesn't yet work (because of system tests oot run is not yet finished) - documentation is not yet built, there's a different merge request with docbook to sphinx-build rst conversion that needs to be rebased and adapted on top of the automake - msvc build is non functional yet and we need to decide whether we will just cross-compile bind9 using mingw-w64 or fix the msvc build - contributed dlz modules are not included neither in the autoconf nor automake
2018-08-07 16:46:53 +02:00
#endif /* HAVE_GSSAPI */
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
RETERR(dns_tsigkey_createfromkey(
use algorithm number instead of name to create TSIG keys the prior practice of passing a dns_name containing the expanded name of an algorithm to dns_tsigkey_create() and dns_tsigkey_createfromkey() is unnecessarily cumbersome; we can now pass the algorithm number instead.
2023-04-11 19:01:31 -07:00
name, dns__tsig_algfromname(&tkeyin->algorithm), dstkey,
true, false, principal, now, expire, ring->mctx,
&tsigkey));
convert TSIG keyring storage from RBT to hash table since it is not necessary to find partial matches when looking up names in a TSIG keyring, we can use a hash table instead of an RBT to store them. the tsigkey object now stores the key name as a dns_fixedname rather than allocating memory for it. the `name` parameter to dns_tsigkeyring_add() has been removed; it was unneeded since the tsigkey object already contains a copy of the name. the opportunistic cleanup_ring() function has been removed; it was only slowing down lookups.
2023-04-12 00:14:04 -07:00
RETERR(dns_tsigkeyring_add(ring, tsigkey));
2982. [bug] Reference count dst keys. dst_key_attach() can be used increment the reference count. Note: dns_tsigkey_createfromkey() callers should now always call dst_key_free() rather than setting it to NULL on success. [RT #22672]
2010-12-09 00:54:34 +00:00
dst_key_free(&dstkey);
2929. [bug] Improved handling of GSS security contexts: - added LRU expiration for generated TSIGs - added the ability to use a non-default realm - added new "realm" keyword in nsupdate - limited lifetime of generated keys to 1 hour or the lifetime of the context (whichever is smaller) [RT #19737]
2010-07-09 05:13:15 +00:00
tkeyout->inception = now;
tkeyout->expire = expire;
} else {
tkeyout->inception = tsigkey->inception;
3069. [cleanup] Silence warnings messages from clang static analysis. [RT #20256]
2011-03-11 06:11:27 +00:00
tkeyout->expire = tsigkey->expire;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
}
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
if (outtoken != NULL) {
better mcxt handling. remove buffer handling layer violation
2006-12-05 21:59:12 +00:00
tkeyout->key = isc_mem_get(tkeyout->mctx,
isc_buffer_usedlength(outtoken));
tkeyout->keylen = isc_buffer_usedlength(outtoken);
[master] replace memcpy() with memmove(). 3698. [cleanup] Replaced all uses of memcpy() with memmove(). [RT #35120]
2014-01-08 16:27:10 -08:00
memmove(tkeyout->key, isc_buffer_base(outtoken),
better mcxt handling. remove buffer handling layer violation
2006-12-05 21:59:12 +00:00
isc_buffer_usedlength(outtoken));
isc_buffer_free(&outtoken);
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
} else {
better mcxt handling. remove buffer handling layer violation
2006-12-05 21:59:12 +00:00
tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
tkeyout->keylen = tkeyin->keylen;
[master] replace memcpy() with memmove(). 3698. [cleanup] Replaced all uses of memcpy() with memmove(). [RT #35120]
2014-01-08 16:27:10 -08:00
memmove(tkeyout->key, tkeyin->key, tkeyin->keylen);
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
Some thoughts on a solution
2019-01-29 18:10:27 +01:00
/*
Harden checks
2019-01-30 11:12:49 +01:00
* We found a TKEY to respond with. If the request is not TSIG signed,
* we need to make sure the response is signed (see RFC 3645, Section
* 2.2).
Some thoughts on a solution
2019-01-29 18:10:27 +01:00
*/
Change #4148 wasn't complete - there was a memory leak when using negotiated TSIG keys. - TKEY responses could only be signed when using a newly negotiated key; if an existent matching TSIG was found in in the keyring it would not be used.
2019-01-30 15:42:04 -08:00
if (tsigkey != NULL) {
if (msg->tsigkey == NULL && msg->sig0key == NULL) {
dns_message_settsigkey(msg, tsigkey);
}
dns_tsigkey_detach(&tsigkey);
allow TSIG key to be added to message structure after parsing up until now, message->tsigkey could only be set during parsing of the request, but gss-tsig allows one to be created afterward. this commit adds a new flag to the message structure, `new_tsigkey`, which indicates that in this case it's okay for `dns_message_settsigkey()` to be run on a message after parsing, without hitting any assertions due to the lack of a TSIG in the request. this allows us to keep the current restriction in place generally, but add an exception for TKEY processing. it's probably better to just remove the restriction entirely (see next commit).
2019-01-29 11:39:06 -08:00
}
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
return ISC_R_SUCCESS;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
failure:
2929. [bug] Improved handling of GSS security contexts: - added LRU expiration for generated TSIGs - added the ability to use a non-default realm - added new "realm" keyword in nsupdate - limited lifetime of generated keys to 1 hour or the lifetime of the context (whichever is smaller) [RT #19737]
2010-07-09 05:13:15 +00:00
if (tsigkey != NULL) {
dns_tsigkey_detach(&tsigkey);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
if (dstkey != NULL) {
dst_key_free(&dstkey);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
better mcxt handling. remove buffer handling layer violation
2006-12-05 21:59:12 +00:00
if (outtoken != NULL) {
isc_buffer_free(&outtoken);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
tkey_log("process_gsstkey(): %s", isc_result_totext(result));
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
return result;
}
tkey snapshot
1999-10-26 15:39:59 +00:00
static isc_result_t
2976. [bug] named die on exit after negotiating a GSS-TSIG key. [RT #3415]
2010-12-02 23:22:42 +00:00
process_deletetkey(dns_name_t *signer, dns_name_t *name,
dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout,
use ISC_REFCOUNT_IMPL for dns_tsigkey and dns_tsigkeyring use the ISC_REFCOUNT attach/detach implementation in dns/tsig.c so that detailed tracing can be used during refactoring. dns_tsig_keyring_t has been renamed dns_tsigkeyring_t so the type and the attach/detach function names will match.
2023-04-11 11:35:01 -07:00
dns_tsigkeyring_t *ring) {
tkey snapshot
1999-10-26 15:39:59 +00:00
isc_result_t result;
dns_tsigkey_t *tsigkey = NULL;
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
const dns_name_t *identity = NULL;
tkey snapshot
1999-10-26 15:39:59 +00:00
major TSIG/TKEY cleanup
2000-01-21 20:18:41 +00:00
result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
Don't die when trying to delete a nonexistent key [RT #1392]
2001-06-08 18:29:31 +00:00
if (result != ISC_R_SUCCESS) {
tkey snapshot
1999-10-26 15:39:59 +00:00
tkeyout->error = dns_tsigerror_badname;
Don't die when trying to delete a nonexistent key [RT #1392]
2001-06-08 18:29:31 +00:00
return ISC_R_SUCCESS;
}
tkey snapshot
1999-10-26 15:39:59 +00:00
/*
fill in creator on new TSIG, improved identity handling
1999-11-03 16:53:56 +00:00
* Only allow a delete if the identity that created the key is the
* same as the identity that signed the message.
tkey snapshot
1999-10-26 15:39:59 +00:00
*/
Require incoming TKEY queries to be signed.
2000-03-08 20:15:16 +00:00
identity = dns_tsigkey_identity(tsigkey);
general cleanup
2001-02-14 00:43:10 +00:00
if (identity == NULL || !dns_name_equal(identity, signer)) {
dns_tsigkey_detach(&tsigkey);
tkey snapshot
1999-10-26 15:39:59 +00:00
return DNS_R_REFUSED;
general cleanup
2001-02-14 00:43:10 +00:00
}
tkey snapshot
1999-10-26 15:39:59 +00:00
/*
* Set the key to be deleted when no references are left. If the key
* was not generated with TKEY and is in the config file, it may be
* reloaded later.
*/
use ISC_REFCOUNT_IMPL for dns_tsigkey and dns_tsigkeyring use the ISC_REFCOUNT attach/detach implementation in dns/tsig.c so that detailed tracing can be used during refactoring. dns_tsig_keyring_t has been renamed dns_tsigkeyring_t so the type and the attach/detach function names will match.
2023-04-11 11:35:01 -07:00
dns_tsigkey_delete(tsigkey);
general cleanup
2001-02-14 00:43:10 +00:00
tkey snapshot
1999-10-26 15:39:59 +00:00
/* Release the reference */
Added dns_tsigkey_attach & _detach, to simplify reference counting. Added dns_message_get/settsigkey to deuglify tsig key handling in message code.
2000-05-26 00:16:46 +00:00
dns_tsigkey_detach(&tsigkey);
tkey snapshot
1999-10-26 15:39:59 +00:00
added dns_tkey_destroy, other minor fixes
1999-11-05 16:53:47 +00:00
return ISC_R_SUCCESS;
tkey snapshot
1999-10-26 15:39:59 +00:00
}
isc_result_t
tkey cleanups and conversion to the entropy api
2000-06-09 22:33:08 +00:00
dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
use ISC_REFCOUNT_IMPL for dns_tsigkey and dns_tsigkeyring use the ISC_REFCOUNT attach/detach implementation in dns/tsig.c so that detailed tracing can be used during refactoring. dns_tsig_keyring_t has been renamed dns_tsigkeyring_t so the type and the attach/detach function names will match.
2023-04-11 11:35:01 -07:00
dns_tsigkeyring_t *ring) {
tkey snapshot
1999-10-26 15:39:59 +00:00
isc_result_t result = ISC_R_SUCCESS;
119. [cleanup] structure definitions for generic rdata stuctures do not have _generic_ in their names.
2000-04-28 02:08:37 +00:00
dns_rdata_tkey_t tkeyin, tkeyout;
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
dns_name_t *qname = NULL, *name = NULL;
dns_name_t *keyname = NULL, *signer = NULL;
dns_name_t tsigner = DNS_NAME_INITEMPTY;
general cleanup
2001-02-14 00:43:10 +00:00
dns_fixedname_t fkeyname;
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
dns_rdataset_t *tkeyset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_namelist_t namelist = ISC_LIST_INITIALIZER;
general cleanup
2001-02-14 00:43:10 +00:00
char tkeyoutdata[512];
isc_buffer_t tkeyoutbuf;
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
dns_tsigkey_t *tsigkey = NULL;
tkey snapshot
1999-10-26 15:39:59 +00:00
major TSIG/TKEY cleanup
2000-01-21 20:18:41 +00:00
REQUIRE(msg != NULL);
REQUIRE(tctx != NULL);
REQUIRE(ring != NULL);
Megacommit of dozens of files. Cleanup of redundant/useless header file inclusion. ISC style lint, primarily for function declarations and standalone comments -- ie, those that appear on a line without any code, which should be written as follows: /* * This is a comment. */
2000-05-08 14:38:29 +00:00
/*
* Interpret the question section.
*/
tkey snapshot
1999-10-26 15:39:59 +00:00
result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
if (result != ISC_R_SUCCESS) {
return DNS_R_FORMERR;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
tkey snapshot
1999-10-26 15:39:59 +00:00
dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
Megacommit of dozens of files. Cleanup of redundant/useless header file inclusion. ISC style lint, primarily for function declarations and standalone comments -- ie, those that appear on a line without any code, which should be written as follows: /* * This is a comment. */
2000-05-08 14:38:29 +00:00
/*
* Look for a TKEY record that matches the question.
*/
tkey snapshot
1999-10-26 15:39:59 +00:00
result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
dns_rdatatype_tkey, 0, &name, &tkeyset);
if (result != ISC_R_SUCCESS) {
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
result = DNS_R_FORMERR;
tkey_log("dns_tkey_processquery: couldn't find a TKEY "
"matching the question");
goto failure;
tkey snapshot
1999-10-26 15:39:59 +00:00
}
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
tkey snapshot
1999-10-26 15:39:59 +00:00
result = dns_rdataset_first(tkeyset);
if (result != ISC_R_SUCCESS) {
result = DNS_R_FORMERR;
goto failure;
}
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
dns_rdataset_current(tkeyset, &rdata);
general cleanup
2001-02-14 00:43:10 +00:00
RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
tkey snapshot
1999-10-26 15:39:59 +00:00
if (tkeyin.error != dns_rcode_noerror) {
result = DNS_R_FORMERR;
goto failure;
}
Require incoming TKEY queries to be signed.
2000-03-08 20:15:16 +00:00
/*
* Before we go any farther, verify that the message was signed.
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
* DNS_TKEYMODE_GSSAPI doesn't require a signature, but other
* modes do.
Require incoming TKEY queries to be signed.
2000-03-08 20:15:16 +00:00
*/
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
result = dns_message_signer(msg, &tsigner);
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
if (result == ISC_R_SUCCESS) {
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
signer = &tsigner;
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
} else if (result != ISC_R_NOTFOUND ||
tkeyin.mode != DNS_TKEYMODE_GSSAPI)
{
tkey_log("dns_tkey_processquery: query was not "
"properly signed - rejecting");
result = DNS_R_FORMERR;
goto failure;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
Require incoming TKEY queries to be signed.
2000-03-08 20:15:16 +00:00
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
tkeyout = (dns_rdata_tkey_t){
.common.rdclass = tkeyin.common.rdclass,
.common.rdtype = tkeyin.common.rdtype,
.common.link = ISC_LINK_INITIALIZER,
.mctx = msg->mctx,
.algorithm = DNS_NAME_INITEMPTY,
.mode = tkeyin.mode,
};
general cleanup
2001-02-14 00:43:10 +00:00
dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
tkey snapshot
1999-10-26 15:39:59 +00:00
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
switch (tkeyin.mode) {
case DNS_TKEYMODE_DELETE:
/*
* A delete operation uses the fully specified qname.
*/
RETERR(process_deletetkey(signer, qname, &tkeyin, &tkeyout,
ring));
break;
case DNS_TKEYMODE_GSSAPI:
/*
* For non-delete operations we do this:
*
* if (qname != ".")
* keyname = qname + defaultdomain
* else
* keyname = <random hex> + defaultdomain
*/
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI)
{
general cleanup
2001-02-14 00:43:10 +00:00
tkey_log("dns_tkey_processquery: tkey-domain not set");
result = DNS_R_REFUSED;
goto failure;
}
Use dns_fixedname_initname() where possible Replace dns_fixedname_init() calls followed by dns_fixedname_name() calls with calls to dns_fixedname_initname() where it is possible without affecting current behavior and/or performance. This patch was mostly prepared using Coccinelle and the following semantic patch: @@ expression fixedname, name; @@ - dns_fixedname_init(&fixedname); ... - name = dns_fixedname_name(&fixedname); + name = dns_fixedname_initname(&fixedname); The resulting set of changes was then manually reviewed to exclude false positives and apply minor tweaks. It is likely that more occurrences of this pattern can be refactored in an identical way. This commit only takes care of the low-hanging fruit.
2018-03-28 14:38:09 +02:00
keyname = dns_fixedname_initname(&fkeyname);
tkey snapshot
1999-10-26 15:39:59 +00:00
if (!dns_name_equal(qname, dns_rootname)) {
unsigned int n = dns_name_countlabels(qname);
rename dns_name_copynf() to dns_name_copy() dns_name_copy() is now the standard name-copying function.
2021-05-21 17:20:44 -07:00
dns_name_copy(qname, keyname);
fix assertion in tkey code [RT #1866]
2001-10-09 17:26:33 +00:00
dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
brace style
2001-12-03 19:44:08 +00:00
} else {
general cleanup
2001-02-14 00:43:10 +00:00
unsigned char randomdata[16];
char randomtext[32];
isc_buffer_t b;
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
isc_region_t r = {
.base = randomdata,
.length = sizeof(randomdata),
};
tkey snapshot
1999-10-26 15:39:59 +00:00
Change isc_random() to be just PRNG, and add isc_nonce_buf() that uses CSPRNG This commit reverts the previous change to use system provided entropy, as (SYS_)getrandom is very slow on Linux because it is a syscall. The change introduced in this commit adds a new call isc_nonce_buf that uses CSPRNG from cryptographic library provider to generate secure data that can be and must be used for generating nonces. Example usage would be DNS cookies. The isc_random() API has been changed to use fast PRNG that is not cryptographically secure, but runs entirely in user space. Two contestants have been considered xoroshiro family of the functions by Villa&Blackman and PCG by O'Neill. After a consideration the xoshiro128starstar function has been used as uint32_t random number provider because it is very fast and has good enough properties for our usage pattern. The other change introduced in the commit is the more extensive usage of isc_random_uniform in places where the usage pattern was isc_random() % n to prevent modulo bias. For usage patterns where only 16 or 8 bits are needed (DNS Message ID), the isc_random() functions has been renamed to isc_random32(), and isc_random16() and isc_random8() functions have been introduced by &-ing the isc_random32() output with 0xffff and 0xff. Please note that the functions that uses stripped down bit count doesn't pass our NIST SP 800-22 based random test.
2018-05-28 15:22:23 +02:00
isc_nonce_buf(randomdata, sizeof(randomdata));
103. [func] libisc buffer API changes for <isc/buffer.h>: Added: isc_buffer_base(b) (pointer) isc_buffer_current(b) (pointer) isc_buffer_active(b) (pointer) isc_buffer_used(b) (pointer) isc_buffer_length(b) (int) isc_buffer_usedlength(b) (int) isc_buffer_consumedlength(b) (int) isc_buffer_remaininglength(b) (int) isc_buffer_activelength(b) (int) isc_buffer_availablelength(b) (int) Removed: ISC_BUFFER_USEDCOUNT(b) ISC_BUFFER_AVAILABLECOUNT(b) isc_buffer_type(b) Changed names: isc_buffer_used(b, r) -> isc_buffer_usedregion(b, r) isc_buffer_available(b, r) -> isc_buffer_available_region(b, r) isc_buffer_consumed(b, r) -> isc_buffer_consumedregion(b, r) isc_buffer_active(b, r) -> isc_buffer_activeregion(b, r) isc_buffer_remaining(b, r) -> isc_buffer_remainingregion(b, r) Buffer types were removed, so the ISC_BUFFERTYPE_* macros are no more, and the type argument to isc_buffer_init and isc_buffer_allocate were removed. isc_buffer_putstr is now void (instead of isc_result_t) and requires that the caller ensure that there is enough available buffer space for the string.
2000-04-27 00:03:12 +00:00
isc_buffer_init(&b, randomtext, sizeof(randomtext));
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
RETERR(isc_hex_totext(&r, 2, "", &b));
RETERR(dns_name_fromtext(keyname, &b, NULL, 0, NULL));
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
}
remove 'target' parameter from dns_name_concatenate() the target buffer passed to dns_name_concatenate() was never used (except for one place in dig, where it wasn't actually needed, and has already been removed in a prior commit). we can safely remove the parameter.
2025-02-21 00:56:47 -08:00
RETERR(dns_name_concatenate(keyname, dns_rootname, keyname));
tkey snapshot
1999-10-26 15:39:59 +00:00
major TSIG/TKEY cleanup
2000-01-21 20:18:41 +00:00
result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
tkey snapshot
1999-10-26 15:39:59 +00:00
if (result == ISC_R_SUCCESS) {
tkeyout.error = dns_tsigerror_badname;
Added dns_tsigkey_attach & _detach, to simplify reference counting. Added dns_message_get/settsigkey to deuglify tsig key handling in message code.
2000-05-26 00:16:46 +00:00
dns_tsigkey_detach(&tsigkey);
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
break;
} else if (result == ISC_R_NOTFOUND) {
RETERR(process_gsstkey(msg, keyname, &tkeyin, tctx,
&tkeyout, ring));
break;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
goto failure;
tkey snapshot
1999-10-26 15:39:59 +00:00
case DNS_TKEYMODE_SERVERASSIGNED:
case DNS_TKEYMODE_RESOLVERASSIGNED:
- Return the generated key from dns_tkey_processdhresponse - Check for NOERROR in dns_tkey_process*
1999-10-26 21:57:53 +00:00
result = DNS_R_NOTIMP;
tkey snapshot
1999-10-26 15:39:59 +00:00
goto failure;
default:
tkeyout.error = dns_tsigerror_badmode;
}
general cleanup
2001-02-14 00:43:10 +00:00
dns_rdata_init(&rdata);
isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
tkeyout.common.rdtype, &tkeyout,
&tkeyoutbuf);
changes to the rdata_tostruct api had broken tsig/tkey
2000-05-19 22:11:20 +00:00
if (tkeyout.key != NULL) {
better mcxt handling. remove buffer handling layer violation
2006-12-05 21:59:12 +00:00
isc_mem_put(tkeyout.mctx, tkeyout.key, tkeyout.keylen);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
RETERR(result);
tkey snapshot
1999-10-26 15:39:59 +00:00
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
RETERR(dns_message_reply(msg, true));
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
add_rdata_to_list(msg, keyname, &rdata, 0, &namelist);
while ((name = ISC_LIST_HEAD(namelist)) != NULL) {
tkey snapshot
1999-10-26 15:39:59 +00:00
ISC_LIST_UNLINK(namelist, name, link);
TKEYs go in the answer section of responses.
2000-03-28 03:16:40 +00:00
dns_message_addname(msg, name, DNS_SECTION_ANSWER);
tkey snapshot
1999-10-26 15:39:59 +00:00
}
return ISC_R_SUCCESS;
failure:
improve code flow the code in dns_tkey_processquery() was unnecessarily hard to follow.
2023-04-13 17:46:49 -07:00
free_namelist(msg, &namelist);
tkey snapshot
1999-10-26 15:39:59 +00:00
return result;
}
static isc_result_t
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
buildquery(dns_message_t *msg, const dns_name_t *name, dns_rdata_tkey_t *tkey) {
tkey snapshot
1999-10-26 15:39:59 +00:00
dns_name_t *qname = NULL, *aname = NULL;
dns_rdataset_t *question = NULL, *tkeyset = NULL;
dns_rdatalist_t *tkeylist = NULL;
dns_rdata_t *rdata = NULL;
use a fixedname buffer in dns_message_gettempname() dns_message_gettempname() now returns a pointer to an initialized name associated with a dns_fixedname_t object. it is no longer necessary to allocate a buffer for temporary names associated with the message object.
2021-05-19 17:18:22 -07:00
isc_buffer_t *dynbuf = NULL;
tkey snapshot
1999-10-26 15:39:59 +00:00
isc_result_t result;
4175. [bug] TKEY with GSS-API keys needed bigger buffers. [RT #40333]
2015-08-14 08:20:01 +10:00
unsigned int len;
tkey snapshot
1999-10-26 15:39:59 +00:00
REQUIRE(msg != NULL);
REQUIRE(name != NULL);
REQUIRE(tkey != NULL);
Refactor tkey.c:buildquery() error handling After an earlier code cleanup, `dns_rdatalist_tordataset()` always succeeds, so the `RETERR` error handling macro below the function call was removed. After that change the `dynbuf` variable can never be `NULL` in the error handling code path under the `failure` label. *** CID 355779: Null pointer dereferences (REVERSE_INULL) /lib/dns/tkey.c: 997 in buildquery() 991 dns_message_puttempname(msg, &aname); 992 } 993 if (question != NULL) { 994 dns_rdataset_disassociate(question); 995 dns_message_puttemprdataset(msg, &question); 996 } >>> CID 355779: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "dynbuf" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 997 if (dynbuf != NULL) { 998 isc_buffer_free(&dynbuf); 999 } 1000 return (result); 1001 } 1002 Refactor the `buildquery()` function to simplify its error handling.
2022-08-11 18:27:11 +00:00
len = 16 + tkey->algorithm.length + tkey->keylen + tkey->otherlen;
isc_buffer_allocate(msg->mctx, &dynbuf, len);
dns_message_gettemprdata(msg, &rdata);
result = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
dns_rdatatype_tkey, tkey, dynbuf);
if (result != ISC_R_SUCCESS) {
dns_message_puttemprdata(msg, &rdata);
isc_buffer_free(&dynbuf);
return result;
}
dns_message_takebuffer(msg, &dynbuf);
Cleanup dns_message_gettemp*() functions - they cannot fail The dns_message_gettempname(), dns_message_gettemprdata(), dns_message_gettemprdataset(), and dns_message_gettemprdatalist() always succeeds because the memory allocation cannot fail now. Change the API to return void and cleanup all the use of aforementioned functions.
2022-05-16 13:28:13 +02:00
dns_message_gettempname(msg, &qname);
dns_message_gettempname(msg, &aname);
tkey snapshot
1999-10-26 15:39:59 +00:00
Cleanup dns_message_gettemp*() functions - they cannot fail The dns_message_gettempname(), dns_message_gettemprdata(), dns_message_gettemprdataset(), and dns_message_gettemprdatalist() always succeeds because the memory allocation cannot fail now. Change the API to return void and cleanup all the use of aforementioned functions.
2022-05-16 13:28:13 +02:00
dns_message_gettemprdataset(msg, &question);
- generated TSIG keys can expire - TKEY actually uses class ANY now
2000-01-24 22:22:51 +00:00
dns_rdataset_makequestion(question, dns_rdataclass_any,
dst_secret_size updates temporarily use dns_rdataclass_in instead of class 0
1999-10-26 19:32:37 +00:00
dns_rdatatype_tkey);
tkey snapshot
1999-10-26 15:39:59 +00:00
Cleanup dns_message_gettemp*() functions - they cannot fail The dns_message_gettempname(), dns_message_gettemprdata(), dns_message_gettemprdataset(), and dns_message_gettemprdatalist() always succeeds because the memory allocation cannot fail now. Change the API to return void and cleanup all the use of aforementioned functions.
2022-05-16 13:28:13 +02:00
dns_message_gettemprdatalist(msg, &tkeylist);
- generated TSIG keys can expire - TKEY actually uses class ANY now
2000-01-24 22:22:51 +00:00
tkeylist->rdclass = dns_rdataclass_any;
tkey snapshot
1999-10-26 15:39:59 +00:00
tkeylist->type = dns_rdatatype_tkey;
ISC_LIST_APPEND(tkeylist->rdata, rdata, link);
Cleanup dns_message_gettemp*() functions - they cannot fail The dns_message_gettempname(), dns_message_gettemprdata(), dns_message_gettemprdataset(), and dns_message_gettemprdatalist() always succeeds because the memory allocation cannot fail now. Change the API to return void and cleanup all the use of aforementioned functions.
2022-05-16 13:28:13 +02:00
dns_message_gettemprdataset(msg, &tkeyset);
dns_rdatalist_tordataset() and dns_rdatalist_fromrdataset() can not fail Clean up dns_rdatalist_tordataset() and dns_rdatalist_fromrdataset() functions by making them return void, because they cannot fail. Clean up other functions that subsequently cannot fail.
2022-07-29 12:40:45 +00:00
dns_rdatalist_tordataset(tkeylist, tkeyset);
tkey snapshot
1999-10-26 15:39:59 +00:00
rename dns_name_copynf() to dns_name_copy() dns_name_copy() is now the standard name-copying function.
2021-05-21 17:20:44 -07:00
dns_name_copy(name, qname);
dns_name_copy(name, aname);
tkey snapshot
1999-10-26 15:39:59 +00:00
ISC_LIST_APPEND(qname->list, question, link);
ISC_LIST_APPEND(aname->list, tkeyset, link);
dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
tkey snapshot
1999-10-26 15:39:59 +00:00
return ISC_R_SUCCESS;
}
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
isc_result_t
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
const dns_name_t *gname, uint32_t lifetime,
dns_gss_ctx_id_t *context, isc_mem_t *mctx,
char **err_message) {
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
dns_rdata_tkey_t tkey;
isc_result_t result;
Apply the semantic patch to remove isc_stdtime_get() This is a simple replacement using the semantic patch from the previous commit and as added bonus, one removal of previously undetected unused variable in named/server.c.
2023-03-30 21:13:41 +02:00
isc_stdtime_t now = isc_stdtime_now();
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
isc_buffer_t token;
4175. [bug] TKEY with GSS-API keys needed bigger buffers. [RT #40333]
2015-08-14 08:20:01 +10:00
unsigned char array[TEMP_BUFFER_SZ];
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
REQUIRE(msg != NULL);
REQUIRE(name != NULL);
REQUIRE(gname != NULL);
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
REQUIRE(context != NULL);
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
REQUIRE(mctx != NULL);
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
isc_buffer_init(&token, array, sizeof(array));
3005. [port] Solaris: Work around the lack of gsskrb5_register_acceptor_identity() by setting the KRB5_KTNAME environment variable to the contents of tkey-gssapi-keytab. Also fixed test errors on MacOSX. [RT #22853]
2011-01-08 00:33:12 +00:00
result = dst_gssapi_initctx(gname, NULL, &token, context, mctx,
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
err_message);
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) {
return result;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
use algorithm number instead of name to create TSIG keys the prior practice of passing a dns_name containing the expanded name of an algorithm to dns_tsigkey_create() and dns_tsigkey_createfromkey() is unnecessarily cumbersome; we can now pass the algorithm number instead.
2023-04-11 19:01:31 -07:00
tkey = (dns_rdata_tkey_t){
.common.rdclass = dns_rdataclass_any,
.common.rdtype = dns_rdatatype_tkey,
.common.link = ISC_LINK_INITIALIZER,
.inception = now,
.expire = now + lifetime,
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
.algorithm = DNS_NAME_INITEMPTY,
use algorithm number instead of name to create TSIG keys the prior practice of passing a dns_name containing the expanded name of an algorithm to dns_tsigkey_create() and dns_tsigkey_createfromkey() is unnecessarily cumbersome; we can now pass the algorithm number instead.
2023-04-11 19:01:31 -07:00
.mode = DNS_TKEYMODE_GSSAPI,
.key = isc_buffer_base(&token),
.keylen = isc_buffer_usedlength(&token),
};
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
return buildquery(msg, name, &tkey);
current snapshot of gss-tsig code. I'd be surprised if this works with w2k, but a bind9 client and server can talk.
2000-10-06 17:08:15 +00:00
}
tkey snapshot
1999-10-26 15:39:59 +00:00
static isc_result_t
TKEYs go in the answer section of responses.
2000-03-28 03:16:40 +00:00
find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
int section) {
tkey snapshot
1999-10-26 15:39:59 +00:00
isc_result_t result;
TKEYs go in the answer section of responses.
2000-03-28 03:16:40 +00:00
result = dns_message_firstname(msg, section);
tkey snapshot
1999-10-26 15:39:59 +00:00
while (result == ISC_R_SUCCESS) {
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
dns_rdataset_t *tkeyset = NULL;
dns_name_t *cur = NULL;
dns_message_currentname(msg, section, &cur);
result = dns_message_findtype(cur, dns_rdatatype_tkey, 0,
tkey snapshot
1999-10-26 15:39:59 +00:00
&tkeyset);
if (result == ISC_R_SUCCESS) {
result = dns_rdataset_first(tkeyset);
if (result != ISC_R_SUCCESS) {
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
break;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
tkey snapshot
1999-10-26 15:39:59 +00:00
dns_rdataset_current(tkeyset, rdata);
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
*name = cur;
tkey snapshot
1999-10-26 15:39:59 +00:00
return ISC_R_SUCCESS;
}
TKEYs go in the answer section of responses.
2000-03-28 03:16:40 +00:00
result = dns_message_nextname(msg, section);
tkey snapshot
1999-10-26 15:39:59 +00:00
}
if (result == ISC_R_NOMORE) {
return ISC_R_NOTFOUND;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
tkey snapshot
1999-10-26 15:39:59 +00:00
return result;
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
Stop including gssapi.h from dst/gssapi.h header The only reason for including the gssapi.h from the dst/gssapi.h header was to get the typedefs of gss_cred_id_t and gss_ctx_id_t. Instead of using those types directly this commit introduces dns_gss_cred_id_t and dns_gss_ctx_id_t types that are being used in the public API and privately retyped to their counterparts when we actually call the gss api. This also conceals the gssapi headers, so users of the libdns library doesn't have to add GSSAPI_CFLAGS to the Makefile when including libdns dst API.
2021-02-11 14:40:59 +01:00
const dns_name_t *server, dns_gss_ctx_id_t *context,
use ISC_REFCOUNT_IMPL for dns_tsigkey and dns_tsigkeyring use the ISC_REFCOUNT attach/detach implementation in dns/tsig.c so that detailed tracing can be used during refactoring. dns_tsig_keyring_t has been renamed dns_tsigkeyring_t so the type and the attach/detach function names will match.
2023-04-11 11:35:01 -07:00
dns_tsigkey_t **outkey, dns_tsigkeyring_t *ring,
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
char **err_message) {
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
isc_result_t result;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
further dns_tsigkey API tweaks - remove the 'ring' parameter from dns_tsigkey_createfromkey(), and use dns_tsigkeyring_add() to add key objects to a keyring instead. - add a magic number to dns_tsigkeyring_t - change dns_tsigkeyring_dumpanddetach() to dns_tsigkeyring_dump(); we now call dns_tsigkeyring_detach() separately. - remove 'maxgenerated' from dns_tsigkeyring_t since it never changes.
2023-04-11 16:10:07 -07:00
dns_name_t *tkeyname = NULL;
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
dns_rdata_tkey_t rtkey, qtkey, tkey;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
isc_buffer_t intoken, outtoken;
dst_key_t *dstkey = NULL;
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
unsigned char array[TEMP_BUFFER_SZ];
further dns_tsigkey API tweaks - remove the 'ring' parameter from dns_tsigkey_createfromkey(), and use dns_tsigkeyring_add() to add key objects to a keyring instead. - add a magic number to dns_tsigkeyring_t - change dns_tsigkeyring_dumpanddetach() to dns_tsigkeyring_dump(); we now call dns_tsigkeyring_detach() separately. - remove 'maxgenerated' from dns_tsigkeyring_t since it never changes.
2023-04-11 16:10:07 -07:00
dns_tsigkey_t *tsigkey = NULL;
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
REQUIRE(qmsg != NULL);
REQUIRE(rmsg != NULL);
REQUIRE(server != NULL);
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
REQUIRE(outkey == NULL || *outkey == NULL);
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (rmsg->rcode != dns_rcode_noerror) {
Make isc_result a static enum Remove the dynamic registration of result codes. Convert isc_result_t from unsigned + #defines into 32-bit enum type in grand unified <isc/result.h> header. Keep the existing values of the result codes even at the expense of the description and identifier tables being unnecessary large. Additionally, add couple of: switch (result) { [...] default: break; } statements where compiler now complains about missing enum values in the switch statement.
2021-10-04 17:14:53 +02:00
return dns_result_fromrcode(rmsg->rcode);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata, DNS_SECTION_ADDITIONAL));
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
if (rtkey.error != dns_rcode_noerror ||
rtkey.mode != DNS_TKEYMODE_GSSAPI ||
!dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
{
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
tkey_log("dns_tkey_gssnegotiate: tkey mode invalid "
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
"or error set(4)");
result = DNS_R_INVALIDTKEY;
goto failure;
}
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
isc_buffer_init(&outtoken, array, sizeof(array));
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
result = dst_gssapi_initctx(server, &intoken, &outtoken, context,
3005. [port] Solaris: Work around the lack of gsskrb5_register_acceptor_identity() by setting the KRB5_KTNAME environment variable to the contents of tkey-gssapi-keytab. Also fixed test errors on MacOSX. [RT #22853]
2011-01-08 00:33:12 +00:00
ring->mctx, err_message);
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) {
return result;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
if (result == DNS_R_CONTINUE) {
minor tkey-related fixups - style fixes and general tidying-up in tkey.c - remove the unused 'intoken' parameter from dns_tkey_buildgssquery() - remove an unnecessary call to dns_tkeyctx_create() in ns_server_create() (the TKEY context that was created there would soon be destroyed and another one created when the configuration was loaded).
2023-04-13 01:22:09 -07:00
tkey = (dns_rdata_tkey_t){
.common.rdclass = dns_rdataclass_any,
.common.rdtype = dns_rdatatype_tkey,
.common.link = ISC_LINK_INITIALIZER,
.inception = qtkey.inception,
.expire = qtkey.expire,
.algorithm = DNS_NAME_INITEMPTY,
.mode = DNS_TKEYMODE_GSSAPI,
.key = isc_buffer_base(&outtoken),
.keylen = isc_buffer_usedlength(&outtoken),
};
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
dns_message_reset(qmsg, DNS_MESSAGE_INTENTRENDER);
remove win2k gss-tsig hacks Remove the code implementing nonstardard behaviors that were formerly needed to allow GSS-TSIG to work with Windows 2000, which passed End-of-Life in 2010. Deprecate the "oldgsstsig" command and "-o" command line option to nsupdate; these are now treated as synonyms for "gsstsig" and "-g" respectively.
2023-04-14 12:56:24 -07:00
RETERR(buildquery(qmsg, tkeyname, &tkey));
4413. [bug] GSSAPI negotiation could fail if GSS_S_CONTINUE_NEEDED was returned. [RT #42733]
2016-07-14 15:06:28 +10:00
return DNS_R_CONTINUE;
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, &dstkey,
2989. [func] Added support for writable DLZ zones. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation of external DLZ drivers that can be loaded as shared objects at runtime rather than linked with named. Currently this is switched on via a compile-time option, "configure --with-dlz-dlopen". Note: the syntax for configuring DLZ zones is likely to be refined in future releases. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629] 2987. [func] Improve ease of configuring TKEY/GSS updates by adding a "tkey-gssapi-keytab" option. If set, updates will be allowed with any key matching a principal in the specified keytab file. "tkey-gssapi-credential" is no longer required and is expected to be deprecated. (Contributed by Andrew Tridgell of the Samba project.) [RT #22629]
2010-12-18 01:56:23 +00:00
NULL));
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
/*
* XXXSRA This seems confused. If we got CONTINUE from initctx,
* the GSS negotiation hasn't completed yet, so we can't sign
* anything yet.
*/
use algorithm number instead of name to create TSIG keys the prior practice of passing a dns_name containing the expanded name of an algorithm to dns_tsigkey_create() and dns_tsigkey_createfromkey() is unnecessarily cumbersome; we can now pass the algorithm number instead.
2023-04-11 19:01:31 -07:00
RETERR(dns_tsigkey_createfromkey(tkeyname, DST_ALG_GSSAPI, dstkey, true,
false, NULL, rtkey.inception,
further dns_tsigkey API tweaks - remove the 'ring' parameter from dns_tsigkey_createfromkey(), and use dns_tsigkeyring_add() to add key objects to a keyring instead. - add a magic number to dns_tsigkeyring_t - change dns_tsigkeyring_dumpanddetach() to dns_tsigkeyring_dump(); we now call dns_tsigkeyring_detach() separately. - remove 'maxgenerated' from dns_tsigkeyring_t since it never changes.
2023-04-11 16:10:07 -07:00
rtkey.expire, ring->mctx, &tsigkey));
convert TSIG keyring storage from RBT to hash table since it is not necessary to find partial matches when looking up names in a TSIG keyring, we can use a hash table instead of an RBT to store them. the tsigkey object now stores the key name as a dns_fixedname rather than allocating memory for it. the `name` parameter to dns_tsigkeyring_add() has been removed; it was unneeded since the tsigkey object already contains a copy of the name. the opportunistic cleanup_ring() function has been removed; it was only slowing down lookups.
2023-04-12 00:14:04 -07:00
RETERR(dns_tsigkeyring_add(ring, tsigkey));
further dns_tsigkey API tweaks - remove the 'ring' parameter from dns_tsigkey_createfromkey(), and use dns_tsigkeyring_add() to add key objects to a keyring instead. - add a magic number to dns_tsigkeyring_t - change dns_tsigkeyring_dumpanddetach() to dns_tsigkeyring_dump(); we now call dns_tsigkeyring_detach() separately. - remove 'maxgenerated' from dns_tsigkeyring_t since it never changes.
2023-04-11 16:10:07 -07:00
if (outkey == NULL) {
dns_tsigkey_detach(&tsigkey);
} else {
*outkey = tsigkey;
}
2982. [bug] Reference count dst keys. dst_key_attach() can be used increment the reference count. Note: dns_tsigkey_createfromkey() callers should now always call dst_key_free() rather than setting it to NULL on success. [RT #22672]
2010-12-09 00:54:34 +00:00
dst_key_free(&dstkey);
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
return result;
failure:
further dns_tsigkey API tweaks - remove the 'ring' parameter from dns_tsigkey_createfromkey(), and use dns_tsigkeyring_add() to add key objects to a keyring instead. - add a magic number to dns_tsigkeyring_t - change dns_tsigkeyring_dumpanddetach() to dns_tsigkeyring_dump(); we now call dns_tsigkeyring_detach() separately. - remove 'maxgenerated' from dns_tsigkeyring_t since it never changes.
2023-04-11 16:10:07 -07:00
if (tsigkey != NULL) {
dns_tsigkey_detach(&tsigkey);
}
2976. [bug] named die on exit after negotiating a GSS-TSIG key. [RT #3415]
2010-12-02 23:22:42 +00:00
if (dstkey != NULL) {
dst_key_free(&dstkey);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
2105. [func] GSS-TSIG support (RFC 3645).
2006-12-04 01:54:53 +00:00
return result;
}
Reference in New Issue Copy Permalink