diff --git a/bin/dig/dig.c b/bin/dig/dig.c index 06940123dc..9f5742a2d8 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -2457,7 +2457,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, ptr = ptr2; ptr2 = ptr3; } else { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; digestbits = 0; } /* XXXONDREJ: FIXME */ diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index beac0c0c1b..206c166a6b 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -138,7 +138,7 @@ char keyfile[MXNAME] = ""; char keysecret[MXNAME] = ""; unsigned char cookie_secret[33]; unsigned char cookie[8]; -const dns_name_t *hmacname = NULL; +dst_algorithm_t hmac = DST_ALG_UNKNOWN; unsigned int digestbits = 0; isc_buffer_t *namebuf = NULL; dns_tsigkey_t *tsigkey = NULL; @@ -874,7 +874,7 @@ setup_text_key(void) { secretsize = isc_buffer_usedlength(&secretbuf); - if (hmacname == NULL) { + if (hmac == DST_ALG_UNKNOWN) { result = DST_R_UNSUPPORTEDALG; goto failure; } @@ -884,7 +884,7 @@ setup_text_key(void) { goto failure; } - result = dns_tsigkey_create(&keyname, hmacname, secretstore, + result = dns_tsigkey_create(&keyname, hmac, secretstore, (int)secretsize, mctx, &tsigkey); failure: if (result != ISC_R_SUCCESS) { @@ -1021,50 +1021,50 @@ done: * Parse HMAC algorithm specification */ void -parse_hmac(const char *hmac) { +parse_hmac(const char *algname) { char buf[20]; size_t len; - REQUIRE(hmac != NULL); + REQUIRE(algname != NULL); - len = strlen(hmac); + len = strlen(algname); if (len >= sizeof(buf)) { - fatal("unknown key type '%.*s'", (int)len, hmac); + fatal("unknown key type '%.*s'", (int)len, algname); } - strlcpy(buf, hmac, sizeof(buf)); + strlcpy(buf, algname, sizeof(buf)); digestbits = 0; if (strcasecmp(buf, "hmac-md5") == 0) { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); } else if (strcasecmp(buf, "hmac-sha1") == 0) { - hmacname = DNS_TSIG_HMACSHA1_NAME; + hmac = DST_ALG_HMACSHA1; digestbits = 0; } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { - hmacname = DNS_TSIG_HMACSHA1_NAME; + hmac = DST_ALG_HMACSHA1; digestbits = parse_bits(&buf[10], "digest-bits [0..160]", 160); } else if (strcasecmp(buf, "hmac-sha224") == 0) { - hmacname = DNS_TSIG_HMACSHA224_NAME; + hmac = DST_ALG_HMACSHA224; } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) { - hmacname = DNS_TSIG_HMACSHA224_NAME; + hmac = DST_ALG_HMACSHA224; digestbits = parse_bits(&buf[12], "digest-bits [0..224]", 224); } else if (strcasecmp(buf, "hmac-sha256") == 0) { - hmacname = DNS_TSIG_HMACSHA256_NAME; + hmac = DST_ALG_HMACSHA256; } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) { - hmacname = DNS_TSIG_HMACSHA256_NAME; + hmac = DST_ALG_HMACSHA256; digestbits = parse_bits(&buf[12], "digest-bits [0..256]", 256); } else if (strcasecmp(buf, "hmac-sha384") == 0) { - hmacname = DNS_TSIG_HMACSHA384_NAME; + hmac = DST_ALG_HMACSHA384; } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) { - hmacname = DNS_TSIG_HMACSHA384_NAME; + hmac = DST_ALG_HMACSHA384; digestbits = parse_bits(&buf[12], "digest-bits [0..384]", 384); } else if (strcasecmp(buf, "hmac-sha512") == 0) { - hmacname = DNS_TSIG_HMACSHA512_NAME; + hmac = DST_ALG_HMACSHA512; } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) { - hmacname = DNS_TSIG_HMACSHA512_NAME; + hmac = DST_ALG_HMACSHA512; digestbits = parse_bits(&buf[12], "digest-bits [0..512]", 512); } else { fprintf(stderr, @@ -1165,38 +1165,29 @@ setup_file_key(void) { switch (dst_key_alg(dstkey)) { case DST_ALG_HMACMD5: - hmacname = DNS_TSIG_HMACMD5_NAME; - break; case DST_ALG_HMACSHA1: - hmacname = DNS_TSIG_HMACSHA1_NAME; - break; case DST_ALG_HMACSHA224: - hmacname = DNS_TSIG_HMACSHA224_NAME; - break; case DST_ALG_HMACSHA256: - hmacname = DNS_TSIG_HMACSHA256_NAME; - break; case DST_ALG_HMACSHA384: - hmacname = DNS_TSIG_HMACSHA384_NAME; - break; case DST_ALG_HMACSHA512: - hmacname = DNS_TSIG_HMACSHA512_NAME; + hmac = dst_key_alg(dstkey); break; + default: + dst_key_attach(dstkey, &sig0key); + dst_key_free(&dstkey); + return; } - if (hmacname != NULL) { - result = dns_tsigkey_createfromkey( - dst_key_name(dstkey), hmacname, dstkey, false, false, - NULL, 0, 0, mctx, &tsigkey); + if (dstkey != NULL) { + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmac, + dstkey, false, false, NULL, + 0, 0, mctx, &tsigkey); if (result != ISC_R_SUCCESS) { printf(";; Couldn't create key %s: %s\n", keynametext, isc_result_totext(result)); - goto failure; } - } else { - dst_key_attach(dstkey, &sig0key); - dst_key_free(&dstkey); } + failure: if (dstkey != NULL) { dst_key_free(&dstkey); diff --git a/bin/dig/dighost.h b/bin/dig/dighost.h index 5daffbc500..af4379ce4c 100644 --- a/bin/dig/dighost.h +++ b/bin/dig/dighost.h @@ -259,7 +259,7 @@ extern isc_sockaddr_t localaddr; extern char keynametext[MXNAME]; extern char keyfile[MXNAME]; extern char keysecret[MXNAME]; -extern const dns_name_t *hmacname; +extern dst_algorithm_t hmac; extern unsigned int digestbits; extern dns_tsigkey_t *tsigkey; extern bool validated; @@ -341,7 +341,7 @@ isc_result_t parse_netprefix(isc_sockaddr_t **sap, const char *value); void -parse_hmac(const char *hmacstr); +parse_hmac(const char *algname); dig_lookup_t * requeue_lookup(dig_lookup_t *lookold, bool servers); diff --git a/bin/named/config.c b/bin/named/config.c index 12b00891ca..7e981f85d1 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -922,14 +922,8 @@ struct keyalgorithms { { NULL, hmacnone, DST_ALG_UNKNOWN, 0 } }; isc_result_t -named_config_getkeyalgorithm(const char *str, const dns_name_t **name, +named_config_getkeyalgorithm(const char *str, unsigned int *typep, uint16_t *digestbits) { - return (named_config_getkeyalgorithm2(str, name, NULL, digestbits)); -} - -isc_result_t -named_config_getkeyalgorithm2(const char *str, const dns_name_t **name, - unsigned int *typep, uint16_t *digestbits) { int i; size_t len = 0; uint16_t bits; @@ -960,31 +954,6 @@ named_config_getkeyalgorithm2(const char *str, const dns_name_t **name, } else { bits = algorithms[i].size; } - - if (name != NULL) { - switch (algorithms[i].hmac) { - case hmacmd5: - *name = dns_tsig_hmacmd5_name; - break; - case hmacsha1: - *name = dns_tsig_hmacsha1_name; - break; - case hmacsha224: - *name = dns_tsig_hmacsha224_name; - break; - case hmacsha256: - *name = dns_tsig_hmacsha256_name; - break; - case hmacsha384: - *name = dns_tsig_hmacsha384_name; - break; - case hmacsha512: - *name = dns_tsig_hmacsha512_name; - break; - default: - UNREACHABLE(); - } - } if (typep != NULL) { *typep = algorithms[i].type; } diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index fd1201c41f..57783d19af 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -742,8 +742,8 @@ register_keys(const cfg_obj_t *control, const cfg_obj_t *keylist, algstr = cfg_obj_asstring(algobj); secretstr = cfg_obj_asstring(secretobj); - result = named_config_getkeyalgorithm2(algstr, NULL, - &algtype, NULL); + result = named_config_getkeyalgorithm(algstr, &algtype, + NULL); if (result != ISC_R_SUCCESS) { cfg_obj_log(control, named_g_lctx, ISC_LOG_WARNING, @@ -836,7 +836,7 @@ get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) { algstr = cfg_obj_asstring(algobj); secretstr = cfg_obj_asstring(secretobj); - result = named_config_getkeyalgorithm2(algstr, NULL, &algtype, NULL); + result = named_config_getkeyalgorithm(algstr, &algtype, NULL); if (result != ISC_R_SUCCESS) { cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING, "unsupported algorithm '%s' in " diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h index 076a67f71f..c6ba4eae96 100644 --- a/bin/named/include/named/config.h +++ b/bin/named/include/named/config.h @@ -66,8 +66,5 @@ named_config_getport(const cfg_obj_t *config, const char *type, in_port_t *portp); isc_result_t -named_config_getkeyalgorithm(const char *str, const dns_name_t **name, +named_config_getkeyalgorithm(const char *str, unsigned int *typep, uint16_t *digestbits); -isc_result_t -named_config_getkeyalgorithm2(const char *str, const dns_name_t **name, - unsigned int *typep, uint16_t *digestbits); diff --git a/bin/named/server.c b/bin/named/server.c index 058a85f6a3..ea45def9d4 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -4024,28 +4024,6 @@ minimal_cache_allowed(const cfg_obj_t *maps[4], static const char *const response_synonyms[] = { "response", NULL }; -static const dns_name_t * -algorithm_name(unsigned int alg) { - switch (alg) { - case DST_ALG_HMACMD5: - return (dns_tsig_hmacmd5_name); - case DST_ALG_HMACSHA1: - return (dns_tsig_hmacsha1_name); - case DST_ALG_HMACSHA224: - return (dns_tsig_hmacsha224_name); - case DST_ALG_HMACSHA256: - return (dns_tsig_hmacsha256_name); - case DST_ALG_HMACSHA384: - return (dns_tsig_hmacsha384_name); - case DST_ALG_HMACSHA512: - return (dns_tsig_hmacsha512_name); - case DST_ALG_GSSAPI: - return (dns_tsig_gssapi_name); - default: - UNREACHABLE(); - } -} - /* * Configure 'view' according to 'vconfig', taking defaults from * 'config' where values are missing in 'vconfig'. @@ -5067,9 +5045,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, dns_tsigkey_t *tsigkey = NULL; result = dns_tsigkey_createfromkey( named_g_server->session_keyname, - algorithm_name(named_g_server->session_keyalg), + named_g_server->session_keyalg, named_g_server->sessionkey, false, false, NULL, 0, 0, - mctx, NULL, &tsigkey); + mctx, &tsigkey); if (result == ISC_R_SUCCESS) { result = dns_tsigkeyring_add( ring, named_g_server->session_keyname, tsigkey); @@ -7480,9 +7458,9 @@ cleanup_session_key(named_server_t *server, isc_mem_t *mctx) { static isc_result_t generate_session_key(const char *filename, const char *keynamestr, - const dns_name_t *keyname, const char *algstr, - unsigned int algtype, uint16_t bits, isc_mem_t *mctx, - bool first_time, dst_key_t **keyp) { + const dns_name_t *keyname, dst_algorithm_t alg, + uint16_t bits, isc_mem_t *mctx, bool first_time, + dst_key_t **keyp) { isc_result_t result = ISC_R_SUCCESS; dst_key_t *key = NULL; isc_buffer_t key_txtbuffer; @@ -7497,9 +7475,8 @@ generate_session_key(const char *filename, const char *keynamestr, "generating session key for dynamic DNS"); /* generate key */ - result = dst_key_generate(keyname, algtype, bits, 1, 0, - DNS_KEYPROTO_ANY, dns_rdataclass_in, mctx, - &key, NULL); + result = dst_key_generate(keyname, alg, bits, 1, 0, DNS_KEYPROTO_ANY, + dns_rdataclass_in, mctx, &key, NULL); if (result != ISC_R_SUCCESS) { return (result); } @@ -7528,12 +7505,12 @@ generate_session_key(const char *filename, const char *keynamestr, "key \"%s\" {\n" "\talgorithm %s;\n" "\tsecret \"%.*s\";\n};\n", - keynamestr, algstr, (int)isc_buffer_usedlength(&key_txtbuffer), + keynamestr, dst_hmac_algorithm_totext(alg), + (int)isc_buffer_usedlength(&key_txtbuffer), (char *)isc_buffer_base(&key_txtbuffer)); CHECK(isc_stdio_flush(fp)); result = isc_stdio_close(fp); - fp = NULL; if (result != ISC_R_SUCCESS) { goto cleanup; } @@ -7561,14 +7538,13 @@ cleanup: static isc_result_t configure_session_key(const cfg_obj_t **maps, named_server_t *server, isc_mem_t *mctx, bool first_time) { - const char *keyfile, *keynamestr, *algstr; + const char *keyfile = NULL, *keynamestr = NULL, *algstr = NULL; unsigned int algtype; dns_fixedname_t fname; - dns_name_t *keyname; - const dns_name_t *algname; + dns_name_t *keyname = NULL; isc_buffer_t buffer; uint16_t bits; - const cfg_obj_t *obj; + const cfg_obj_t *obj = NULL; bool need_deleteold = false; bool need_createnew = false; isc_result_t result; @@ -7601,9 +7577,7 @@ configure_session_key(const cfg_obj_t **maps, named_server_t *server, result = named_config_get(maps, "session-keyalg", &obj); INSIST(result == ISC_R_SUCCESS); algstr = cfg_obj_asstring(obj); - algname = NULL; - result = named_config_getkeyalgorithm2(algstr, &algname, &algtype, - &bits); + result = named_config_getkeyalgorithm(algstr, &algtype, &bits); if (result != ISC_R_SUCCESS) { const char *s = " (keeping current key)"; @@ -7654,7 +7628,7 @@ configure_session_key(const cfg_obj_t **maps, named_server_t *server, server->session_keyalg = algtype; server->session_keybits = bits; - CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr, + CHECK(generate_session_key(keyfile, keynamestr, keyname, algtype, bits, mctx, first_time, &server->sessionkey)); } diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c index cfa934f0e1..a1ed24ef93 100644 --- a/bin/named/tsigconf.c +++ b/bin/named/tsigconf.c @@ -47,7 +47,7 @@ add_initial_keys(const cfg_obj_t *list, dns_tsigkeyring_t *ring, const cfg_obj_t *algobj = NULL; const cfg_obj_t *secretobj = NULL; dns_name_t keyname; - const dns_name_t *alg = NULL; + dst_algorithm_t alg = DST_ALG_UNKNOWN; const char *algstr = NULL; char keynamedata[1024]; isc_buffer_t keynamesrc, keynamebuf; diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 424dfce293..eaf74b39a4 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -378,13 +378,13 @@ reset_system(void) { } static bool -parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, +parse_hmac(const char *hmacstr, size_t len, dst_algorithm_t *hmac, uint16_t *digestbitsp) { uint16_t digestbits = 0; isc_result_t result; char buf[20]; - REQUIRE(hmac != NULL && *hmac == NULL); + REQUIRE(hmac != NULL); REQUIRE(hmacstr != NULL); if (len >= sizeof(buf)) { @@ -396,9 +396,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); if (strcasecmp(buf, "hmac-md5") == 0) { - *hmac = DNS_TSIG_HMACMD5_NAME; + *hmac = DST_ALG_HMACMD5; } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { - *hmac = DNS_TSIG_HMACMD5_NAME; + *hmac = DST_ALG_HMACMD5; result = isc_parse_uint16(&digestbits, &buf[9], 10); if (result != ISC_R_SUCCESS || digestbits > 128) { error("digest-bits out of range [0..128]"); @@ -406,9 +406,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha1") == 0) { - *hmac = DNS_TSIG_HMACSHA1_NAME; + *hmac = DST_ALG_HMACSHA1; } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { - *hmac = DNS_TSIG_HMACSHA1_NAME; + *hmac = DST_ALG_HMACSHA1; result = isc_parse_uint16(&digestbits, &buf[10], 10); if (result != ISC_R_SUCCESS || digestbits > 160) { error("digest-bits out of range [0..160]"); @@ -416,9 +416,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha224") == 0) { - *hmac = DNS_TSIG_HMACSHA224_NAME; + *hmac = DST_ALG_HMACSHA224; } else if (strncasecmp(buf, "hmac-sha224-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA224_NAME; + *hmac = DST_ALG_HMACSHA224; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 224) { error("digest-bits out of range [0..224]"); @@ -426,9 +426,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha256") == 0) { - *hmac = DNS_TSIG_HMACSHA256_NAME; + *hmac = DST_ALG_HMACSHA256; } else if (strncasecmp(buf, "hmac-sha256-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA256_NAME; + *hmac = DST_ALG_HMACSHA256; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 256) { error("digest-bits out of range [0..256]"); @@ -436,9 +436,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha384") == 0) { - *hmac = DNS_TSIG_HMACSHA384_NAME; + *hmac = DST_ALG_HMACSHA384; } else if (strncasecmp(buf, "hmac-sha384-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA384_NAME; + *hmac = DST_ALG_HMACSHA384; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 384) { error("digest-bits out of range [0..384]"); @@ -446,9 +446,9 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, } *digestbitsp = (digestbits + 7) & ~0x7U; } else if (strcasecmp(buf, "hmac-sha512") == 0) { - *hmac = DNS_TSIG_HMACSHA512_NAME; + *hmac = DST_ALG_HMACSHA512; } else if (strncasecmp(buf, "hmac-sha512-", 12) == 0) { - *hmac = DNS_TSIG_HMACSHA512_NAME; + *hmac = DST_ALG_HMACSHA512; result = isc_parse_uint16(&digestbits, &buf[12], 10); if (result != ISC_R_SUCCESS || digestbits > 512) { error("digest-bits out of range [0..512]"); @@ -483,12 +483,12 @@ setup_keystr(void) { isc_buffer_t secretbuf; isc_result_t result; isc_buffer_t keynamesrc; - char *secretstr; - char *s, *n; + char *secretstr = NULL; + char *s = NULL, *n = NULL; dns_fixedname_t fkeyname; - dns_name_t *mykeyname; - char *name; - const dns_name_t *hmacname = NULL; + dns_name_t *mykeyname = NULL; + char *name = NULL; + dst_algorithm_t hmac; uint16_t digestbits = 0; mykeyname = dns_fixedname_initname(&fkeyname); @@ -507,11 +507,11 @@ setup_keystr(void) { } name = secretstr; secretstr = n + 1; - if (!parse_hmac(&hmacname, keystr, s - keystr, &digestbits)) { + if (!parse_hmac(keystr, s - keystr, &hmac, &digestbits)) { exit(1); } } else { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; name = keystr; n = s; } @@ -538,8 +538,8 @@ setup_keystr(void) { secretlen = isc_buffer_usedlength(&secretbuf); debug("keycreate"); - result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen, - gmctx, &tsigkey); + result = dns_tsigkey_create(mykeyname, hmac, secret, secretlen, gmctx, + &tsigkey); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not create key from %s: %s\n", keystr, isc_result_totext(result)); @@ -622,7 +622,7 @@ static void setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { dst_key_t *dstkey = NULL; isc_result_t result; - const dns_name_t *hmacname = NULL; + dst_algorithm_t hmac = DST_ALG_UNKNOWN; debug("Creating key..."); @@ -653,37 +653,26 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { switch (dst_key_alg(dstkey)) { case DST_ALG_HMACMD5: - hmacname = DNS_TSIG_HMACMD5_NAME; - break; case DST_ALG_HMACSHA1: - hmacname = DNS_TSIG_HMACSHA1_NAME; - break; case DST_ALG_HMACSHA224: - hmacname = DNS_TSIG_HMACSHA224_NAME; - break; case DST_ALG_HMACSHA256: - hmacname = DNS_TSIG_HMACSHA256_NAME; - break; case DST_ALG_HMACSHA384: - hmacname = DNS_TSIG_HMACSHA384_NAME; - break; case DST_ALG_HMACSHA512: - hmacname = DNS_TSIG_HMACSHA512_NAME; + hmac = dst_key_alg(dstkey); break; - } - if (hmacname != NULL) { - result = dns_tsigkey_createfromkey( - dst_key_name(dstkey), hmacname, dstkey, false, false, - NULL, 0, 0, mctx, &tsigkey); - dst_key_free(&dstkey); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "could not create key from %s: %s\n", - keyfile, isc_result_totext(result)); - return; - } - } else { + default: dst_key_attach(dstkey, &sig0key); dst_key_free(&dstkey); + return; + } + + result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmac, dstkey, + false, false, NULL, 0, 0, mctx, + &tsigkey); + dst_key_free(&dstkey); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "could not create key from %s: %s\n", keyfile, + isc_result_totext(result)); } } @@ -1650,7 +1639,7 @@ evaluate_key(char *cmdline) { int secretlen; unsigned char *secret = NULL; isc_buffer_t secretbuf; - const dns_name_t *hmacname = NULL; + dst_algorithm_t hmac = DST_ALG_UNKNOWN; uint16_t digestbits = 0; char *n; @@ -1664,12 +1653,12 @@ evaluate_key(char *cmdline) { n = strchr(namestr, ':'); if (n != NULL) { - if (!parse_hmac(&hmacname, namestr, n - namestr, &digestbits)) { + if (!parse_hmac(namestr, n - namestr, &hmac, &digestbits)) { return (STATUS_SYNTAX); } namestr = n + 1; } else { - hmacname = DNS_TSIG_HMACMD5_NAME; + hmac = DST_ALG_HMACMD5; } isc_buffer_init(&b, namestr, strlen(namestr)); @@ -1701,8 +1690,8 @@ evaluate_key(char *cmdline) { if (tsigkey != NULL) { dns_tsigkey_detach(&tsigkey); } - result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen, - gmctx, &tsigkey); + result = dns_tsigkey_create(mykeyname, hmac, secret, secretlen, gmctx, + &tsigkey); isc_mem_free(gmctx, secret); if (result != ISC_R_SUCCESS) { fprintf(stderr, "could not create key from %s %s: %s\n", diff --git a/fuzz/dns_message_checksig.c b/fuzz/dns_message_checksig.c index 72f50cc24a..1f4417eb77 100644 --- a/fuzz/dns_message_checksig.c +++ b/fuzz/dns_message_checksig.c @@ -264,7 +264,7 @@ LLVMFuzzerInitialize(int *argc ISC_ATTR_UNUSED, char ***argv ISC_ATTR_UNUSED) { return (1); } - result = dns_tsigkey_create(name, dns_tsig_hmacsha256_name, secret, + result = dns_tsigkey_create(name, DST_ALG_HMACSHA256, secret, sizeof(secret), mctx, &tsigkey); if (result != ISC_R_SUCCESS) { fprintf(stderr, "dns_tsigkey_create failed: %s\n", diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h index 4c7068acf9..c975c236ed 100644 --- a/lib/dns/include/dns/tsig.h +++ b/lib/dns/include/dns/tsig.h @@ -109,12 +109,12 @@ dns_tsigkey_identity(const dns_tsigkey_t *tsigkey); */ isc_result_t -dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm, +dns_tsigkey_create(const dns_name_t *name, dst_algorithm_t algorithm, unsigned char *secret, int length, isc_mem_t *mctx, dns_tsigkey_t **key); isc_result_t -dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm, +dns_tsigkey_createfromkey(const dns_name_t *name, dst_algorithm_t algorithm, dst_key_t *dstkey, bool generated, bool restored, const dns_name_t *creator, isc_stdtime_t inception, isc_stdtime_t expire, isc_mem_t *mctx, diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index f1426d40eb..1ec1898e7a 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -49,6 +49,7 @@ #include #include "dst_internal.h" +#include "tsig_p.h" #define TEMP_BUFFER_SZ 8192 #define TKEY_RANDOM_AMOUNT 16 @@ -264,8 +265,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin, } #endif /* HAVE_GSSAPI */ RETERR(dns_tsigkey_createfromkey( - name, &tkeyin->algorithm, dstkey, true, false, - principal, now, expire, ring->mctx, &tsigkey)); + name, dns__tsig_algfromname(&tkeyin->algorithm), dstkey, + true, false, principal, now, expire, ring->mctx, + &tsigkey)); RETERR(dns_tsigkeyring_add(ring, name, tsigkey)); dst_key_free(&dstkey); tkeyout->inception = now; @@ -680,20 +682,18 @@ dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name, return (result); } - tkey.common.rdclass = dns_rdataclass_any; - tkey.common.rdtype = dns_rdatatype_tkey; - ISC_LINK_INIT(&tkey.common, link); - tkey.mctx = NULL; + tkey = (dns_rdata_tkey_t){ + .common.rdclass = dns_rdataclass_any, + .common.rdtype = dns_rdatatype_tkey, + .common.link = ISC_LINK_INITIALIZER, + .inception = now, + .expire = now + lifetime, + .mode = DNS_TKEYMODE_GSSAPI, + .key = isc_buffer_base(&token), + .keylen = isc_buffer_usedlength(&token), + }; dns_name_init(&tkey.algorithm, NULL); dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm); - tkey.inception = now; - tkey.expire = now + lifetime; - tkey.mode = DNS_TKEYMODE_GSSAPI; - tkey.error = 0; - tkey.key = isc_buffer_base(&token); - tkey.keylen = isc_buffer_usedlength(&token); - tkey.other = NULL; - tkey.otherlen = 0; return (buildquery(msg, name, &tkey)); } @@ -816,8 +816,8 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg, * anything yet. */ - RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME, dstkey, - true, false, NULL, rtkey.inception, + RETERR(dns_tsigkey_createfromkey(tkeyname, DST_ALG_GSSAPI, dstkey, true, + false, NULL, rtkey.inception, rtkey.expire, ring->mctx, &tsigkey)); RETERR(dns_tsigkeyring_add(ring, tkeyname, tsigkey)); if (outkey == NULL) { diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index f5c4a149d5..4ae37e764a 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -187,19 +187,39 @@ adjust_lru(dns_tsigkey_t *tkey) { } } +static const dns_name_t * +namefromalg(dst_algorithm_t alg) { + switch (alg) { + case DST_ALG_HMACMD5: + return (dns_tsig_hmacmd5_name); + case DST_ALG_HMACSHA1: + return (dns_tsig_hmacsha1_name); + case DST_ALG_HMACSHA224: + return (dns_tsig_hmacsha224_name); + case DST_ALG_HMACSHA256: + return (dns_tsig_hmacsha256_name); + case DST_ALG_HMACSHA384: + return (dns_tsig_hmacsha384_name); + case DST_ALG_HMACSHA512: + return (dns_tsig_hmacsha512_name); + case DST_ALG_GSSAPI: + return (dns_tsig_gssapi_name); + default: + return (NULL); + } +} + isc_result_t -dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm, +dns_tsigkey_createfromkey(const dns_name_t *name, dst_algorithm_t algorithm, dst_key_t *dstkey, bool generated, bool restored, const dns_name_t *creator, isc_stdtime_t inception, isc_stdtime_t expire, isc_mem_t *mctx, dns_tsigkey_t **keyp) { dns_tsigkey_t *tkey = NULL; isc_result_t ret; - unsigned int dstalg = 0; REQUIRE(keyp != NULL && *keyp == NULL); REQUIRE(name != NULL); - REQUIRE(algorithm != NULL); REQUIRE(mctx != NULL); tkey = isc_mem_get(mctx, sizeof(dns_tsigkey_t)); @@ -215,31 +235,18 @@ dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm, dns_name_dup(name, mctx, &tkey->name); (void)dns_name_downcase(&tkey->name, &tkey->name, NULL); - /* Check against known algorithm names */ - dstalg = dns__tsig_algfromname(algorithm); - if (dstalg != 0) { - /* - * 'algorithm' must be set to a static pointer - * so that dns__tsig_algallocated() can compare them. - */ - tkey->algorithm = dns__tsig_algnamefromname(algorithm); - if (dstkey != NULL && dst_key_alg(dstkey) != dstalg) { + if (algorithm != DST_ALG_UNKNOWN) { + if (dstkey != NULL && dst_key_alg(dstkey) != algorithm) { ret = DNS_R_BADALG; goto cleanup_name; } - } else { - dns_name_t *tmpname = NULL; - if (dstkey != NULL) { - ret = DNS_R_BADALG; - goto cleanup_name; - } - tmpname = isc_mem_get(mctx, sizeof(dns_name_t)); - dns_name_init(tmpname, NULL); - dns_name_dup(algorithm, mctx, tmpname); - (void)dns_name_downcase(tmpname, tmpname, NULL); - tkey->algorithm = tmpname; + } else if (dstkey != NULL) { + ret = DNS_R_BADALG; + goto cleanup_name; } + tkey->algorithm = namefromalg(algorithm); + if (creator != NULL) { tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t)); dns_name_init(tkey->creator, NULL); @@ -257,7 +264,7 @@ dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm, * Ignore this if it's a GSS key, since the key size is meaningless. */ if (dstkey != NULL && dst_key_size(dstkey) < 64 && - dstalg != DST_ALG_GSSAPI) + algorithm != DST_ALG_GSSAPI) { char namestr[DNS_NAME_FORMATSIZE]; dns_name_format(name, namestr, sizeof(namestr)); @@ -360,34 +367,15 @@ ISC_REFCOUNT_IMPL(dns_tsigkeyring, destroyring); /* * Look up the DST_ALG_ constant for a given name. */ -unsigned int +dst_algorithm_t dns__tsig_algfromname(const dns_name_t *algorithm) { - int i; - int n = sizeof(known_algs) / sizeof(*known_algs); - for (i = 0; i < n; ++i) { + for (size_t i = 0; i < ARRAY_SIZE(known_algs); ++i) { const dns_name_t *name = known_algs[i].name; if (algorithm == name || dns_name_equal(algorithm, name)) { return (known_algs[i].dstalg); } } - return (0); -} - -/* - * Convert an algorithm name into a pointer to the - * corresponding pre-defined dns_name_t structure. - */ -const dns_name_t * -dns__tsig_algnamefromname(const dns_name_t *algorithm) { - int i; - int n = sizeof(known_algs) / sizeof(*known_algs); - for (i = 0; i < n; ++i) { - const dns_name_t *name = known_algs[i].name; - if (algorithm == name || dns_name_equal(algorithm, name)) { - return (name); - } - } - return (NULL); + return (DST_ALG_UNKNOWN); } /* @@ -465,7 +453,7 @@ restore_key(dns_tsigkeyring_t *ring, isc_stdtime_t now, FILE *fp) { } dstalg = dns__tsig_algfromname(algorithm); - if (dstalg == 0) { + if (dstalg == DST_ALG_UNKNOWN) { return (DNS_R_BADALG); } @@ -476,7 +464,7 @@ restore_key(dns_tsigkeyring_t *ring, isc_stdtime_t now, FILE *fp) { return (result); } - result = dns_tsigkey_createfromkey(name, algorithm, dstkey, true, true, + result = dns_tsigkey_createfromkey(name, dstalg, dstkey, true, true, creator, inception, expire, ring->mctx, &tkey); if (result == ISC_R_SUCCESS) { @@ -573,27 +561,25 @@ dns_tsigkey_identity(const dns_tsigkey_t *tsigkey) { } isc_result_t -dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm, +dns_tsigkey_create(const dns_name_t *name, dst_algorithm_t algorithm, unsigned char *secret, int length, isc_mem_t *mctx, dns_tsigkey_t **key) { dst_key_t *dstkey = NULL; isc_result_t result; - unsigned int dstalg = 0; REQUIRE(length >= 0); if (length > 0) { REQUIRE(secret != NULL); } - dstalg = dns__tsig_algfromname(algorithm); - if (dns__tsig_algvalid(dstalg)) { + if (dns__tsig_algvalid(algorithm)) { if (secret != NULL) { isc_buffer_t b; isc_buffer_init(&b, secret, length); isc_buffer_add(&b, length); result = dst_key_frombuffer( - name, dstalg, DNS_KEYOWNER_ENTITY, + name, algorithm, DNS_KEYOWNER_ENTITY, DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b, mctx, &dstkey); if (result != ISC_R_SUCCESS) { @@ -685,36 +671,24 @@ dns_tsig_sign(dns_message_t *msg) { mctx = msg->mctx; - tsig.mctx = mctx; - tsig.common.rdclass = dns_rdataclass_any; - tsig.common.rdtype = dns_rdatatype_tsig; - ISC_LINK_INIT(&tsig.common, link); + now = msg->fuzzing ? msg->fuzztime : isc_stdtime_now(); + tsig = (dns_rdata_any_tsig_t){ + .mctx = mctx, + .common.rdclass = dns_rdataclass_any, + .common.rdtype = dns_rdatatype_tsig, + .common.link = ISC_LINK_INITIALIZER, + .timesigned = now + msg->timeadjust, + .fudge = DNS_TSIG_FUDGE, + .originalid = msg->id, + .error = response ? msg->querytsigstatus : dns_rcode_noerror, + }; + dns_name_init(&tsig.algorithm, NULL); dns_name_clone(key->algorithm, &tsig.algorithm); - if (msg->fuzzing) { - now = msg->fuzztime; - } else { - now = isc_stdtime_now(); - } - - tsig.timesigned = now + msg->timeadjust; - tsig.fudge = DNS_TSIG_FUDGE; - - tsig.originalid = msg->id; - isc_buffer_init(&databuf, data, sizeof(data)); - if (response) { - tsig.error = msg->querytsigstatus; - } else { - tsig.error = dns_rcode_noerror; - } - - if (tsig.error != dns_tsigerror_badtime) { - tsig.otherlen = 0; - tsig.other = NULL; - } else { + if (tsig.error == dns_tsigerror_badtime) { isc_buffer_t otherbuf; tsig.otherlen = BADTIMELEN; @@ -1067,8 +1041,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, } if (ret != ISC_R_SUCCESS) { msg->tsigstatus = dns_tsigerror_badkey; - ret = dns_tsigkey_create(keyname, &tsig.algorithm, NULL, - 0, mctx, &msg->tsigkey); + ret = dns_tsigkey_create( + keyname, dns__tsig_algfromname(&tsig.algorithm), + NULL, 0, mctx, &msg->tsigkey); if (ret != ISC_R_SUCCESS) { return (ret); } @@ -1714,6 +1689,7 @@ dns_tsigkeyring_add(dns_tsigkeyring_t *ring, const dns_name_t *name, REQUIRE(VALID_TSIGKEY(tkey)); REQUIRE(VALID_TSIGKEYRING(ring)); + REQUIRE(tkey->ring == NULL); REQUIRE(name != NULL); RWLOCK(&ring->lock, isc_rwlocktype_write); diff --git a/lib/dns/tsig_p.h b/lib/dns/tsig_p.h index a19688c54e..80e7323736 100644 --- a/lib/dns/tsig_p.h +++ b/lib/dns/tsig_p.h @@ -30,10 +30,8 @@ ISC_LANG_BEGINDECLS bool dns__tsig_algvalid(unsigned int alg); -unsigned int +dst_algorithm_t dns__tsig_algfromname(const dns_name_t *algorithm); -const dns_name_t * -dns__tsig_algnamefromname(const dns_name_t *algorithm); bool dns__tsig_algallocated(const dns_name_t *algorithm); diff --git a/lib/ns/client.c b/lib/ns/client.c index 395ebde6bf..d4bd311766 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c @@ -2095,8 +2095,7 @@ ns_client_request(isc_nmhandle_t *handle, isc_result_t eresult, signame = NULL; if (dns_message_gettsig(client->message, &signame) != NULL) { char namebuf[DNS_NAME_FORMATSIZE]; - char cnamebuf[DNS_NAME_FORMATSIZE]; - dns_name_format(signame, namebuf, sizeof(namebuf)); + status = client->message->tsigstatus; isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); tresult = dns_tsigrcode_totext(status, &b); @@ -2105,23 +2104,17 @@ ns_client_request(isc_nmhandle_t *handle, isc_result_t eresult, if (client->message->tsigkey->generated) { dns_name_format( client->message->tsigkey->creator, - cnamebuf, sizeof(cnamebuf)); - ns_client_log( - client, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, - "request has invalid signature: " - "TSIG %s (%s): %s (%s)", - namebuf, cnamebuf, - isc_result_totext(result), tsigrcode); + namebuf, sizeof(namebuf)); } else { - ns_client_log( - client, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, - "request has invalid signature: " - "TSIG %s: %s (%s)", - namebuf, isc_result_totext(result), - tsigrcode); + dns_name_format(signame, namebuf, + sizeof(namebuf)); } + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_CLIENT, ISC_LOG_ERROR, + "request has invalid signature: " + "TSIG %s: %s (%s)", + namebuf, isc_result_totext(result), + tsigrcode); } else { status = client->message->sig0status; isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1); diff --git a/tests/dns/tsig_test.c b/tests/dns/tsig_test.c index 65837fc39b..fdc9ed3989 100644 --- a/tests/dns/tsig_test.c +++ b/tests/dns/tsig_test.c @@ -293,7 +293,7 @@ ISC_RUN_TEST_IMPL(tsig_tcp) { result = dns_tsigkeyring_create(mctx, &ring); assert_int_equal(result, ISC_R_SUCCESS); - result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name, secret, + result = dns_tsigkey_create(keyname, DST_ALG_HMACSHA256, secret, sizeof(secret), mctx, &key); assert_int_equal(result, ISC_R_SUCCESS); result = dns_tsigkeyring_add(ring, keyname, key); @@ -485,63 +485,6 @@ ISC_RUN_TEST_IMPL(algvalid) { assert_false(dns__tsig_algvalid(DST_ALG_GSSAPI)); } -/* Tests the dns__tsig_algfromname function */ -ISC_RUN_TEST_IMPL(algfromname) { - UNUSED(state); - - assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACMD5_NAME), - DST_ALG_HMACMD5); - assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA1_NAME), - DST_ALG_HMACSHA1); - assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA224_NAME), - DST_ALG_HMACSHA224); - assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA256_NAME), - DST_ALG_HMACSHA256); - assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA384_NAME), - DST_ALG_HMACSHA384); - assert_int_equal(dns__tsig_algfromname(DNS_TSIG_HMACSHA512_NAME), - DST_ALG_HMACSHA512); - - assert_int_equal(dns__tsig_algfromname(DNS_TSIG_GSSAPI_NAME), - DST_ALG_GSSAPI); - - assert_int_equal(dns__tsig_algfromname(dns_rootname), 0); -} - -/* Tests the dns__tsig_algnamefromname function */ - -/* - * Helper function to create a dns_name_t from a string and see if - * the dns__tsig_algnamefromname function can correctly match it against the - * static table of known algorithms. - */ -static void -test_name(const char *name_string, const dns_name_t *expected) { - dns_name_t name; - dns_name_init(&name, NULL); - assert_int_equal(dns_name_fromstring(&name, name_string, 0, mctx), - ISC_R_SUCCESS); - assert_ptr_equal(dns__tsig_algnamefromname(&name), expected); - dns_name_free(&name, mctx); -} - -ISC_RUN_TEST_IMPL(algnamefromname) { - UNUSED(state); - - /* test the standard algorithms */ - test_name("hmac-md5.sig-alg.reg.int", DNS_TSIG_HMACMD5_NAME); - test_name("hmac-sha1", DNS_TSIG_HMACSHA1_NAME); - test_name("hmac-sha224", DNS_TSIG_HMACSHA224_NAME); - test_name("hmac-sha256", DNS_TSIG_HMACSHA256_NAME); - test_name("hmac-sha384", DNS_TSIG_HMACSHA384_NAME); - test_name("hmac-sha512", DNS_TSIG_HMACSHA512_NAME); - - test_name("gss-tsig", DNS_TSIG_GSSAPI_NAME); - - /* try another name that isn't a standard algorithm name */ - assert_null(dns__tsig_algnamefromname(dns_rootname)); -} - /* Tests the dns__tsig_algallocated function */ ISC_RUN_TEST_IMPL(algallocated) { UNUSED(state); @@ -564,8 +507,6 @@ ISC_RUN_TEST_IMPL(algallocated) { ISC_TEST_LIST_START ISC_TEST_ENTRY_CUSTOM(tsig_tcp, setup_test, teardown_test) ISC_TEST_ENTRY(algvalid) -ISC_TEST_ENTRY(algfromname) -ISC_TEST_ENTRY_CUSTOM(algnamefromname, setup_test, teardown_test) ISC_TEST_ENTRY(algallocated) ISC_TEST_LIST_END