45 #include <arpa/inet.h>
47 #define TSIG_SIGNED_TIME_FUDGE 300
49 static const char* tsig_str =
"tsig";
67 static size_t max_algo_digest_size = 0;
74 #ifdef HAVE_EVP_SHA256
96 entry->
next = tsig_key_table;
97 tsig_key_table = entry;
118 entry->
next = tsig_algo_table;
119 tsig_algo_table = entry;
138 tsig_allocator = allocator;
139 tsig_key_table = NULL;
140 tsig_algo_table = NULL;
143 return tsig_handler_openssl_init(allocator);
160 tsig_handler_openssl_finalize();
163 aentry = tsig_algo_table;
165 anext = aentry->
next;
172 kentry = tsig_key_table;
174 knext = kentry->
next;
175 ldns_rdf_deep_free(kentry->
key->
dname);
193 ldns_rdf* dname = NULL;
194 uint8_t* data = NULL;
196 if (!allocator || !tsig || !tsig->
name || !tsig->
secret) {
203 dname = ldns_dname_new_frm_str(tsig->
name);
210 ldns_rdf_deep_free(dname);
213 size = b64_pton(tsig->
secret, data,
216 ods_log_error(
"[%s] unable to create tsig key %s: failed to parse "
217 "secret", tsig_str, tsig->
name);
218 ldns_rdf_deep_free(dname);
237 if (!allocator || !name || !algo || !secret) {
242 ods_log_error(
"[%s] unable to create tsig: allocator_alloc() "
252 ods_log_error(
"[%s] unable to create tsig: tsig_key_create() "
269 if (!tsig || !name) {
291 for (entry = tsig_algo_table; entry; entry = entry->
next) {
313 ods_log_error(
"[%s] unable to create tsig rr: allocator_alloc() "
365 uint16_t dname_len = 0;
366 ldns_rr_type type = 0;
367 ldns_rr_class klass = 0;
384 trr->
key_name = ldns_dname_new_frm_data(dname_len,
399 if (type != LDNS_RR_TYPE_TSIG || klass != LDNS_RR_CLASS_ANY) {
418 ods_log_debug(
"[%s] parse: skip algo name failed", tsig_str);
424 trr->
algo_name = ldns_dname_new_frm_data(dname_len,
427 ods_log_debug(
"[%s] parse: read algo name failed", tsig_str);
479 size_t saved_pos = 0;
493 for (i=0; i < rrcount - 1; i++) {
516 uint64_t current_time = 0;
517 uint64_t signed_time = 0;
522 for (kentry = tsig_key_table; kentry; kentry = kentry->
next) {
528 for (aentry = tsig_algo_table; aentry; aentry = aentry->
next) {
535 if (!key || !algorithm) {
541 if ((trr->
algo && algorithm != trr->
algo) ||
542 (trr->
key && key != trr->
key)) {
544 ods_log_debug(
"[%s] algorithm or key has changed", tsig_str);
550 current_time = (uint64_t)
time_now();
551 if ((current_time < signed_time - trr->signed_time_fudge) ||
553 uint16_t current_time_high;
554 uint32_t current_time_low;
556 current_time_high = (uint16_t) (current_time >> 32);
557 current_time_low = (uint32_t) current_time;
560 sizeof(uint16_t) +
sizeof(uint32_t));
561 write_uint16(trr->
other_data, current_time_high);
562 write_uint32(trr->
other_data + 2, current_time_low);
566 trr->
algo = algorithm;
606 uint16_t original_query_id = 0;
614 sizeof(original_query_id));
616 buffer_at(buffer,
sizeof(original_query_id)),
617 length -
sizeof(original_query_id));
631 tsig_rr_digest_variables(
tsig_rr_type* trr,
int tsig_timers_only)
633 uint16_t klass = htons(LDNS_RR_CLASS_ANY);
634 uint32_t ttl = htonl(0);
643 if (!tsig_timers_only) {
654 sizeof(signed_time_high));
656 sizeof(signed_time_low));
658 sizeof(signed_time_fudge));
659 if (!tsig_timers_only) {
678 uint64_t current_time = (uint64_t)
time_now();
722 size_t rdlength_pos = 0;
723 if (!trr || !buffer) {
778 + max_algo_digest_size
813 return "NOT PRESENT";
830 static char message[1000];
836 return "Bad Signature";
847 return (
const char*) ldns_pkt_rcode2str(error);
849 snprintf(message,
sizeof(message),
"Unknown Error %d", error);
903 if (!tsig || !allocator) {