47 #include <arpa/inet.h>
49 #define TSIG_SIGNED_TIME_FUDGE 300
51 static const char* tsig_str =
"tsig";
69 static size_t max_algo_digest_size = 0;
76 #ifdef HAVE_EVP_SHA256
98 entry->
next = tsig_key_table;
99 tsig_key_table = entry;
120 entry->
next = tsig_algo_table;
121 tsig_algo_table = entry;
140 tsig_allocator = allocator;
141 tsig_key_table = NULL;
142 tsig_algo_table = NULL;
145 return tsig_handler_openssl_init(allocator);
162 tsig_handler_openssl_finalize();
165 aentry = tsig_algo_table;
167 anext = aentry->
next;
174 kentry = tsig_key_table;
176 knext = kentry->
next;
177 ldns_rdf_deep_free(kentry->
key->
dname);
195 ldns_rdf* dname = NULL;
196 uint8_t* data = NULL;
198 if (!allocator || !tsig || !tsig->
name || !tsig->
secret) {
205 dname = ldns_dname_new_frm_str(tsig->
name);
212 ldns_rdf_deep_free(dname);
215 size = b64_pton(tsig->
secret, data,
218 ods_log_error(
"[%s] unable to create tsig key %s: failed to parse "
219 "secret", tsig_str, tsig->
name);
220 ldns_rdf_deep_free(dname);
239 if (!allocator || !name || !algo || !secret) {
244 ods_log_error(
"[%s] unable to create tsig: allocator_alloc() "
254 ods_log_error(
"[%s] unable to create tsig: tsig_key_create() "
271 if (!tsig || !name) {
293 for (entry = tsig_algo_table; entry; entry = entry->
next) {
315 ods_log_error(
"[%s] unable to create tsig rr: allocator_alloc() "
367 uint16_t dname_len = 0;
368 ldns_rr_type type = 0;
369 ldns_rr_class klass = 0;
386 trr->
key_name = ldns_dname_new_frm_data(dname_len,
401 if (type != LDNS_RR_TYPE_TSIG || klass != LDNS_RR_CLASS_ANY) {
420 ods_log_debug(
"[%s] parse: skip algo name failed", tsig_str);
426 trr->
algo_name = ldns_dname_new_frm_data(dname_len,
429 ods_log_debug(
"[%s] parse: read algo name failed", tsig_str);
481 size_t saved_pos = 0;
495 for (i=0; i < rrcount - 1; i++) {
518 uint64_t current_time = 0;
519 uint64_t signed_time = 0;
524 for (kentry = tsig_key_table; kentry; kentry = kentry->
next) {
530 for (aentry = tsig_algo_table; aentry; aentry = aentry->
next) {
537 if (!key || !algorithm) {
543 if ((trr->
algo && algorithm != trr->
algo) ||
544 (trr->
key && key != trr->
key)) {
546 ods_log_debug(
"[%s] algorithm or key has changed", tsig_str);
552 current_time = (uint64_t)
time_now();
553 if ((current_time < signed_time - trr->signed_time_fudge) ||
555 uint16_t current_time_high;
556 uint32_t current_time_low;
558 current_time_high = (uint16_t) (current_time >> 32);
559 current_time_low = (uint32_t) current_time;
562 sizeof(uint16_t) +
sizeof(uint32_t));
563 write_uint16(trr->
other_data, current_time_high);
564 write_uint32(trr->
other_data + 2, current_time_low);
568 trr->
algo = algorithm;
608 uint16_t original_query_id = 0;
616 sizeof(original_query_id));
618 buffer_at(buffer,
sizeof(original_query_id)),
619 length -
sizeof(original_query_id));
633 tsig_rr_digest_variables(
tsig_rr_type* trr,
int tsig_timers_only)
635 uint16_t klass = htons(LDNS_RR_CLASS_ANY);
636 uint32_t ttl = htonl(0);
645 if (!tsig_timers_only) {
656 sizeof(signed_time_high));
658 sizeof(signed_time_low));
660 sizeof(signed_time_fudge));
661 if (!tsig_timers_only) {
680 uint64_t current_time = (uint64_t)
time_now();
724 size_t rdlength_pos = 0;
725 if (!trr || !buffer) {
780 + max_algo_digest_size
815 return "NOT PRESENT";
832 static char message[1000];
838 return "Bad Signature";
849 return (
const char*) ldns_pkt_rcode2str(error);
851 snprintf(message,
sizeof(message),
"Unknown Error %d", error);
905 if (!tsig || !allocator) {