1 /* $NetBSD: tsig.c,v 1.12 2023/01/25 21:43:30 christos Exp $ */
2
3 /*
4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5 *
6 * SPDX-License-Identifier: MPL-2.0
7 *
8 * This Source Code Form is subject to the terms of the Mozilla Public
9 * License, v. 2.0. If a copy of the MPL was not distributed with this
10 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
11 *
12 * See the COPYRIGHT file distributed with this work for additional
13 * information regarding copyright ownership.
14 */
15
16 /*! \file */
17
18 #include <inttypes.h>
19 #include <stdbool.h>
20 #include <stdlib.h>
21
22 #include <isc/buffer.h>
23 #include <isc/mem.h>
24 #include <isc/print.h>
25 #include <isc/refcount.h>
26 #include <isc/serial.h>
27 #include <isc/string.h> /* Required for HP/UX (and others?) */
28 #include <isc/time.h>
29 #include <isc/util.h>
30
31 #include <pk11/site.h>
32
33 #include <dns/fixedname.h>
34 #include <dns/keyvalues.h>
35 #include <dns/log.h>
36 #include <dns/message.h>
37 #include <dns/rbt.h>
38 #include <dns/rdata.h>
39 #include <dns/rdatalist.h>
40 #include <dns/rdataset.h>
41 #include <dns/rdatastruct.h>
42 #include <dns/result.h>
43 #include <dns/tsig.h>
44
45 #include <dst/result.h>
46
47 #include "tsig_p.h"
48
49 #define TSIG_MAGIC ISC_MAGIC('T', 'S', 'I', 'G')
50 #define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
51
52 #ifndef DNS_TSIG_MAXGENERATEDKEYS
53 #define DNS_TSIG_MAXGENERATEDKEYS 4096
54 #endif /* ifndef DNS_TSIG_MAXGENERATEDKEYS */
55
56 #define is_response(msg) ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
57
58 #define BADTIMELEN 6
59
60 static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
61 static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
62
63 static dns_name_t const hmacmd5 = DNS_NAME_INITABSOLUTE(hmacmd5_ndata,
64 hmacmd5_offsets);
65 LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
66
67 static unsigned char gsstsig_ndata[] = "\010gss-tsig";
68 static unsigned char gsstsig_offsets[] = { 0, 9 };
69 static dns_name_t const gsstsig = DNS_NAME_INITABSOLUTE(gsstsig_ndata,
70 gsstsig_offsets);
71 LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_gssapi_name = &gsstsig;
72
73 /*
74 * Since Microsoft doesn't follow its own standard, we will use this
75 * alternate name as a second guess.
76 */
77 static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
78 static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
79 static dns_name_t const gsstsigms = DNS_NAME_INITABSOLUTE(gsstsigms_ndata,
80 gsstsigms_offsets);
81 LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
82
83 static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
84 static unsigned char hmacsha1_offsets[] = { 0, 10 };
85 static dns_name_t const hmacsha1 = DNS_NAME_INITABSOLUTE(hmacsha1_ndata,
86 hmacsha1_offsets);
87 LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
88
89 static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
90 static unsigned char hmacsha224_offsets[] = { 0, 12 };
91 static dns_name_t const hmacsha224 = DNS_NAME_INITABSOLUTE(hmacsha224_ndata,
92 hmacsha224_offsets);
93 LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
94
95 static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
96 static unsigned char hmacsha256_offsets[] = { 0, 12 };
97 static dns_name_t const hmacsha256 = DNS_NAME_INITABSOLUTE(hmacsha256_ndata,
98 hmacsha256_offsets);
99 LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
100
101 static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
102 static unsigned char hmacsha384_offsets[] = { 0, 12 };
103 static dns_name_t const hmacsha384 = DNS_NAME_INITABSOLUTE(hmacsha384_ndata,
104 hmacsha384_offsets);
105 LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
106
107 static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
108 static unsigned char hmacsha512_offsets[] = { 0, 12 };
109 static dns_name_t const hmacsha512 = DNS_NAME_INITABSOLUTE(hmacsha512_ndata,
110 hmacsha512_offsets);
111 LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
112
113 static const struct {
114 const dns_name_t *name;
115 unsigned int dstalg;
116 } known_algs[] = { { &hmacmd5, DST_ALG_HMACMD5 },
117 { &gsstsig, DST_ALG_GSSAPI },
118 { &gsstsigms, DST_ALG_GSSAPI },
119 { &hmacsha1, DST_ALG_HMACSHA1 },
120 { &hmacsha224, DST_ALG_HMACSHA224 },
121 { &hmacsha256, DST_ALG_HMACSHA256 },
122 { &hmacsha384, DST_ALG_HMACSHA384 },
123 { &hmacsha512, DST_ALG_HMACSHA512 } };
124
125 static isc_result_t
126 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
127
128 static void
129 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
130 ISC_FORMAT_PRINTF(3, 4);
131
132 static void
133 cleanup_ring(dns_tsig_keyring_t *ring);
134 static void
135 tsigkey_free(dns_tsigkey_t *key);
136
137 bool
dns__tsig_algvalid(unsigned int alg)138 dns__tsig_algvalid(unsigned int alg) {
139 return (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
140 alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
141 alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512);
142 }
143
144 static void
tsig_log(dns_tsigkey_t * key,int level,const char * fmt,...)145 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
146 va_list ap;
147 char message[4096];
148 char namestr[DNS_NAME_FORMATSIZE];
149 char creatorstr[DNS_NAME_FORMATSIZE];
150
151 if (!isc_log_wouldlog(dns_lctx, level)) {
152 return;
153 }
154 if (key != NULL) {
155 dns_name_format(&key->name, namestr, sizeof(namestr));
156 } else {
157 strlcpy(namestr, "<null>", sizeof(namestr));
158 }
159
160 if (key != NULL && key->generated && key->creator) {
161 dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
162 } else {
163 strlcpy(creatorstr, "<null>", sizeof(creatorstr));
164 }
165
166 va_start(ap, fmt);
167 vsnprintf(message, sizeof(message), fmt, ap);
168 va_end(ap);
169 if (key != NULL && key->generated) {
170 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
171 DNS_LOGMODULE_TSIG, level,
172 "tsig key '%s' (%s): %s", namestr, creatorstr,
173 message);
174 } else {
175 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
176 DNS_LOGMODULE_TSIG, level, "tsig key '%s': %s",
177 namestr, message);
178 }
179 }
180
181 static void
remove_fromring(dns_tsigkey_t * tkey)182 remove_fromring(dns_tsigkey_t *tkey) {
183 if (tkey->generated) {
184 ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
185 tkey->ring->generated--;
186 }
187 (void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, false);
188 }
189
190 static void
adjust_lru(dns_tsigkey_t * tkey)191 adjust_lru(dns_tsigkey_t *tkey) {
192 if (tkey->generated) {
193 RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
194 /*
195 * We may have been removed from the LRU list between
196 * removing the read lock and acquiring the write lock.
197 */
198 if (ISC_LINK_LINKED(tkey, link) && tkey->ring->lru.tail != tkey)
199 {
200 ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
201 ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
202 }
203 RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
204 }
205 }
206
207 /*
208 * A supplemental routine just to add a key to ring. Note that reference
209 * counter should be counted separately because we may be adding the key
210 * as part of creation of the key, in which case the reference counter was
211 * already initialized. Also note we don't need RWLOCK for the reference
212 * counter: it's protected by a separate lock.
213 */
214 static isc_result_t
keyring_add(dns_tsig_keyring_t * ring,const dns_name_t * name,dns_tsigkey_t * tkey)215 keyring_add(dns_tsig_keyring_t *ring, const dns_name_t *name,
216 dns_tsigkey_t *tkey) {
217 isc_result_t result;
218
219 RWLOCK(&ring->lock, isc_rwlocktype_write);
220 ring->writecount++;
221
222 /*
223 * Do on the fly cleaning. Find some nodes we might not
224 * want around any more.
225 */
226 if (ring->writecount > 10) {
227 cleanup_ring(ring);
228 ring->writecount = 0;
229 }
230
231 result = dns_rbt_addname(ring->keys, name, tkey);
232 if (result == ISC_R_SUCCESS && tkey->generated) {
233 /*
234 * Add the new key to the LRU list and remove the least
235 * recently used key if there are too many keys on the list.
236 */
237 ISC_LIST_APPEND(ring->lru, tkey, link);
238 if (ring->generated++ > ring->maxgenerated) {
239 remove_fromring(ISC_LIST_HEAD(ring->lru));
240 }
241 }
242 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
243
244 return (result);
245 }
246
247 isc_result_t
dns_tsigkey_createfromkey(const dns_name_t * name,const dns_name_t * algorithm,dst_key_t * dstkey,bool generated,const dns_name_t * creator,isc_stdtime_t inception,isc_stdtime_t expire,isc_mem_t * mctx,dns_tsig_keyring_t * ring,dns_tsigkey_t ** key)248 dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
249 dst_key_t *dstkey, bool generated,
250 const dns_name_t *creator, isc_stdtime_t inception,
251 isc_stdtime_t expire, isc_mem_t *mctx,
252 dns_tsig_keyring_t *ring, dns_tsigkey_t **key) {
253 dns_tsigkey_t *tkey;
254 isc_result_t ret;
255 unsigned int refs = 0;
256 unsigned int dstalg = 0;
257
258 REQUIRE(key == NULL || *key == NULL);
259 REQUIRE(name != NULL);
260 REQUIRE(algorithm != NULL);
261 REQUIRE(mctx != NULL);
262 REQUIRE(key != NULL || ring != NULL);
263
264 tkey = isc_mem_get(mctx, sizeof(dns_tsigkey_t));
265
266 dns_name_init(&tkey->name, NULL);
267 dns_name_dup(name, mctx, &tkey->name);
268 (void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
269
270 /* Check against known algorithm names */
271 dstalg = dns__tsig_algfromname(algorithm);
272 if (dstalg != 0) {
273 /*
274 * 'algorithm' must be set to a static pointer
275 * so that dns__tsig_algallocated() can compare them.
276 */
277 tkey->algorithm = dns__tsig_algnamefromname(algorithm);
278 if (dstkey != NULL && dst_key_alg(dstkey) != dstalg) {
279 ret = DNS_R_BADALG;
280 goto cleanup_name;
281 }
282 } else {
283 dns_name_t *tmpname;
284 if (dstkey != NULL) {
285 ret = DNS_R_BADALG;
286 goto cleanup_name;
287 }
288 tmpname = isc_mem_get(mctx, sizeof(dns_name_t));
289 dns_name_init(tmpname, NULL);
290 dns_name_dup(algorithm, mctx, tmpname);
291 (void)dns_name_downcase(tmpname, tmpname, NULL);
292 tkey->algorithm = tmpname;
293 }
294
295 if (creator != NULL) {
296 tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
297 dns_name_init(tkey->creator, NULL);
298 dns_name_dup(creator, mctx, tkey->creator);
299 } else {
300 tkey->creator = NULL;
301 }
302
303 tkey->key = NULL;
304 if (dstkey != NULL) {
305 dst_key_attach(dstkey, &tkey->key);
306 }
307 tkey->ring = ring;
308
309 if (key != NULL) {
310 refs = 1;
311 }
312 if (ring != NULL) {
313 refs++;
314 }
315
316 isc_refcount_init(&tkey->refs, refs);
317
318 tkey->generated = generated;
319 tkey->inception = inception;
320 tkey->expire = expire;
321 tkey->mctx = NULL;
322 isc_mem_attach(mctx, &tkey->mctx);
323 ISC_LINK_INIT(tkey, link);
324
325 tkey->magic = TSIG_MAGIC;
326
327 if (ring != NULL) {
328 ret = keyring_add(ring, name, tkey);
329 if (ret != ISC_R_SUCCESS) {
330 goto cleanup_refs;
331 }
332 }
333
334 /*
335 * Ignore this if it's a GSS key, since the key size is meaningless.
336 */
337 if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
338 dstalg != DST_ALG_GSSAPI)
339 {
340 char namestr[DNS_NAME_FORMATSIZE];
341 dns_name_format(name, namestr, sizeof(namestr));
342 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
343 DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
344 "the key '%s' is too short to be secure",
345 namestr);
346 }
347
348 if (key != NULL) {
349 *key = tkey;
350 }
351
352 return (ISC_R_SUCCESS);
353
354 cleanup_refs:
355 tkey->magic = 0;
356 while (refs-- > 0) {
357 isc_refcount_decrement0(&tkey->refs);
358 }
359 isc_refcount_destroy(&tkey->refs);
360
361 if (tkey->key != NULL) {
362 dst_key_free(&tkey->key);
363 }
364 if (tkey->creator != NULL) {
365 dns_name_free(tkey->creator, mctx);
366 isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
367 }
368 if (dns__tsig_algallocated(tkey->algorithm)) {
369 dns_name_t *tmpname;
370 DE_CONST(tkey->algorithm, tmpname);
371 if (dns_name_dynamic(tmpname)) {
372 dns_name_free(tmpname, mctx);
373 }
374 isc_mem_put(mctx, tmpname, sizeof(dns_name_t));
375 }
376 cleanup_name:
377 dns_name_free(&tkey->name, mctx);
378 isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
379
380 return (ret);
381 }
382
383 /*
384 * Find a few nodes to destroy if possible.
385 */
386 static void
cleanup_ring(dns_tsig_keyring_t * ring)387 cleanup_ring(dns_tsig_keyring_t *ring) {
388 isc_result_t result;
389 dns_rbtnodechain_t chain;
390 dns_name_t foundname;
391 dns_fixedname_t fixedorigin;
392 dns_name_t *origin;
393 isc_stdtime_t now;
394 dns_rbtnode_t *node;
395 dns_tsigkey_t *tkey;
396
397 /*
398 * Start up a new iterator each time.
399 */
400 isc_stdtime_get(&now);
401 dns_name_init(&foundname, NULL);
402 origin = dns_fixedname_initname(&fixedorigin);
403
404 again:
405 dns_rbtnodechain_init(&chain);
406 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
407 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
408 dns_rbtnodechain_invalidate(&chain);
409 return;
410 }
411
412 for (;;) {
413 node = NULL;
414 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
415 tkey = node->data;
416 if (tkey != NULL) {
417 if (tkey->generated &&
418 isc_refcount_current(&tkey->refs) == 1 &&
419 tkey->inception != tkey->expire &&
420 tkey->expire < now)
421 {
422 tsig_log(tkey, 2, "tsig expire: deleting");
423 /* delete the key */
424 dns_rbtnodechain_invalidate(&chain);
425 remove_fromring(tkey);
426 goto again;
427 }
428 }
429 result = dns_rbtnodechain_next(&chain, &foundname, origin);
430 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
431 dns_rbtnodechain_invalidate(&chain);
432 return;
433 }
434 }
435 }
436
437 static void
destroyring(dns_tsig_keyring_t * ring)438 destroyring(dns_tsig_keyring_t *ring) {
439 isc_refcount_destroy(&ring->references);
440 dns_rbt_destroy(&ring->keys);
441 isc_rwlock_destroy(&ring->lock);
442 isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));
443 }
444
445 /*
446 * Look up the DST_ALG_ constant for a given name.
447 */
448 unsigned int
dns__tsig_algfromname(const dns_name_t * algorithm)449 dns__tsig_algfromname(const dns_name_t *algorithm) {
450 int i;
451 int n = sizeof(known_algs) / sizeof(*known_algs);
452 for (i = 0; i < n; ++i) {
453 const dns_name_t *name = known_algs[i].name;
454 if (algorithm == name || dns_name_equal(algorithm, name)) {
455 return (known_algs[i].dstalg);
456 }
457 }
458 return (0);
459 }
460
461 /*
462 * Convert an algorithm name into a pointer to the
463 * corresponding pre-defined dns_name_t structure.
464 */
465 const dns_name_t *
dns__tsig_algnamefromname(const dns_name_t * algorithm)466 dns__tsig_algnamefromname(const dns_name_t *algorithm) {
467 int i;
468 int n = sizeof(known_algs) / sizeof(*known_algs);
469 for (i = 0; i < n; ++i) {
470 const dns_name_t *name = known_algs[i].name;
471 if (algorithm == name || dns_name_equal(algorithm, name)) {
472 return (name);
473 }
474 }
475 return (NULL);
476 }
477
478 /*
479 * Test whether the passed algorithm is NOT a pointer to one of the
480 * pre-defined known algorithms (and therefore one that has been
481 * dynamically allocated).
482 *
483 * This will return an incorrect result if passed a dynamically allocated
484 * dns_name_t that happens to match one of the pre-defined names.
485 */
486 bool
dns__tsig_algallocated(const dns_name_t * algorithm)487 dns__tsig_algallocated(const dns_name_t *algorithm) {
488 int i;
489 int n = sizeof(known_algs) / sizeof(*known_algs);
490 for (i = 0; i < n; ++i) {
491 const dns_name_t *name = known_algs[i].name;
492 if (algorithm == name) {
493 return (false);
494 }
495 }
496 return (true);
497 }
498
499 static isc_result_t
restore_key(dns_tsig_keyring_t * ring,isc_stdtime_t now,FILE * fp)500 restore_key(dns_tsig_keyring_t *ring, isc_stdtime_t now, FILE *fp) {
501 dst_key_t *dstkey = NULL;
502 char namestr[1024];
503 char creatorstr[1024];
504 char algorithmstr[1024];
505 char keystr[4096];
506 unsigned int inception, expire;
507 int n;
508 isc_buffer_t b;
509 dns_name_t *name, *creator, *algorithm;
510 dns_fixedname_t fname, fcreator, falgorithm;
511 isc_result_t result;
512 unsigned int dstalg;
513
514 n = fscanf(fp, "%1023s %1023s %u %u %1023s %4095s\n", namestr,
515 creatorstr, &inception, &expire, algorithmstr, keystr);
516 if (n == EOF) {
517 return (ISC_R_NOMORE);
518 }
519 if (n != 6) {
520 return (ISC_R_FAILURE);
521 }
522
523 if (isc_serial_lt(expire, now)) {
524 return (DNS_R_EXPIRED);
525 }
526
527 name = dns_fixedname_initname(&fname);
528 isc_buffer_init(&b, namestr, strlen(namestr));
529 isc_buffer_add(&b, strlen(namestr));
530 result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
531 if (result != ISC_R_SUCCESS) {
532 return (result);
533 }
534
535 creator = dns_fixedname_initname(&fcreator);
536 isc_buffer_init(&b, creatorstr, strlen(creatorstr));
537 isc_buffer_add(&b, strlen(creatorstr));
538 result = dns_name_fromtext(creator, &b, dns_rootname, 0, NULL);
539 if (result != ISC_R_SUCCESS) {
540 return (result);
541 }
542
543 algorithm = dns_fixedname_initname(&falgorithm);
544 isc_buffer_init(&b, algorithmstr, strlen(algorithmstr));
545 isc_buffer_add(&b, strlen(algorithmstr));
546 result = dns_name_fromtext(algorithm, &b, dns_rootname, 0, NULL);
547 if (result != ISC_R_SUCCESS) {
548 return (result);
549 }
550
551 dstalg = dns__tsig_algfromname(algorithm);
552 if (dstalg == 0) {
553 return (DNS_R_BADALG);
554 }
555
556 result = dst_key_restore(name, dstalg, DNS_KEYOWNER_ENTITY,
557 DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
558 ring->mctx, keystr, &dstkey);
559 if (result != ISC_R_SUCCESS) {
560 return (result);
561 }
562
563 result = dns_tsigkey_createfromkey(name, algorithm, dstkey, true,
564 creator, inception, expire,
565 ring->mctx, ring, NULL);
566 if (dstkey != NULL) {
567 dst_key_free(&dstkey);
568 }
569 return (result);
570 }
571
572 static void
dump_key(dns_tsigkey_t * tkey,FILE * fp)573 dump_key(dns_tsigkey_t *tkey, FILE *fp) {
574 char *buffer = NULL;
575 int length = 0;
576 char namestr[DNS_NAME_FORMATSIZE];
577 char creatorstr[DNS_NAME_FORMATSIZE];
578 char algorithmstr[DNS_NAME_FORMATSIZE];
579 isc_result_t result;
580
581 REQUIRE(tkey != NULL);
582 REQUIRE(fp != NULL);
583
584 dns_name_format(&tkey->name, namestr, sizeof(namestr));
585 dns_name_format(tkey->creator, creatorstr, sizeof(creatorstr));
586 dns_name_format(tkey->algorithm, algorithmstr, sizeof(algorithmstr));
587 result = dst_key_dump(tkey->key, tkey->mctx, &buffer, &length);
588 if (result == ISC_R_SUCCESS) {
589 fprintf(fp, "%s %s %u %u %s %.*s\n", namestr, creatorstr,
590 tkey->inception, tkey->expire, algorithmstr, length,
591 buffer);
592 }
593 if (buffer != NULL) {
594 isc_mem_put(tkey->mctx, buffer, length);
595 }
596 }
597
598 isc_result_t
dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t ** ringp,FILE * fp)599 dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp) {
600 isc_result_t result;
601 dns_rbtnodechain_t chain;
602 dns_name_t foundname;
603 dns_fixedname_t fixedorigin;
604 dns_name_t *origin;
605 isc_stdtime_t now;
606 dns_rbtnode_t *node;
607 dns_tsigkey_t *tkey;
608 dns_tsig_keyring_t *ring;
609
610 REQUIRE(ringp != NULL && *ringp != NULL);
611
612 ring = *ringp;
613 *ringp = NULL;
614
615 if (isc_refcount_decrement(&ring->references) > 1) {
616 return (DNS_R_CONTINUE);
617 }
618
619 isc_stdtime_get(&now);
620 dns_name_init(&foundname, NULL);
621 origin = dns_fixedname_initname(&fixedorigin);
622 dns_rbtnodechain_init(&chain);
623 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
624 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
625 dns_rbtnodechain_invalidate(&chain);
626 goto destroy;
627 }
628
629 for (;;) {
630 node = NULL;
631 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
632 tkey = node->data;
633 if (tkey != NULL && tkey->generated && tkey->expire >= now) {
634 dump_key(tkey, fp);
635 }
636 result = dns_rbtnodechain_next(&chain, &foundname, origin);
637 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
638 dns_rbtnodechain_invalidate(&chain);
639 if (result == ISC_R_NOMORE) {
640 result = ISC_R_SUCCESS;
641 }
642 goto destroy;
643 }
644 }
645
646 destroy:
647 destroyring(ring);
648 return (result);
649 }
650
651 const dns_name_t *
dns_tsigkey_identity(const dns_tsigkey_t * tsigkey)652 dns_tsigkey_identity(const dns_tsigkey_t *tsigkey) {
653 REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
654
655 if (tsigkey == NULL) {
656 return (NULL);
657 }
658 if (tsigkey->generated) {
659 return (tsigkey->creator);
660 } else {
661 return (&tsigkey->name);
662 }
663 }
664
665 isc_result_t
dns_tsigkey_create(const dns_name_t * name,const dns_name_t * algorithm,unsigned char * secret,int length,bool generated,const dns_name_t * creator,isc_stdtime_t inception,isc_stdtime_t expire,isc_mem_t * mctx,dns_tsig_keyring_t * ring,dns_tsigkey_t ** key)666 dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm,
667 unsigned char *secret, int length, bool generated,
668 const dns_name_t *creator, isc_stdtime_t inception,
669 isc_stdtime_t expire, isc_mem_t *mctx,
670 dns_tsig_keyring_t *ring, dns_tsigkey_t **key) {
671 dst_key_t *dstkey = NULL;
672 isc_result_t result;
673 unsigned int dstalg = 0;
674
675 REQUIRE(length >= 0);
676 if (length > 0) {
677 REQUIRE(secret != NULL);
678 }
679
680 dstalg = dns__tsig_algfromname(algorithm);
681 if (dns__tsig_algvalid(dstalg)) {
682 if (secret != NULL) {
683 isc_buffer_t b;
684
685 isc_buffer_init(&b, secret, length);
686 isc_buffer_add(&b, length);
687 result = dst_key_frombuffer(
688 name, dstalg, DNS_KEYOWNER_ENTITY,
689 DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b,
690 mctx, &dstkey);
691 if (result != ISC_R_SUCCESS) {
692 return (result);
693 }
694 }
695 } else if (length > 0) {
696 return (DNS_R_BADALG);
697 }
698
699 result = dns_tsigkey_createfromkey(name, algorithm, dstkey, generated,
700 creator, inception, expire, mctx,
701 ring, key);
702 if (dstkey != NULL) {
703 dst_key_free(&dstkey);
704 }
705 return (result);
706 }
707
708 void
dns_tsigkey_attach(dns_tsigkey_t * source,dns_tsigkey_t ** targetp)709 dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
710 REQUIRE(VALID_TSIG_KEY(source));
711 REQUIRE(targetp != NULL && *targetp == NULL);
712
713 isc_refcount_increment(&source->refs);
714 *targetp = source;
715 }
716
717 static void
tsigkey_free(dns_tsigkey_t * key)718 tsigkey_free(dns_tsigkey_t *key) {
719 REQUIRE(VALID_TSIG_KEY(key));
720
721 key->magic = 0;
722 dns_name_free(&key->name, key->mctx);
723 if (dns__tsig_algallocated(key->algorithm)) {
724 dns_name_t *name;
725 DE_CONST(key->algorithm, name);
726 dns_name_free(name, key->mctx);
727 isc_mem_put(key->mctx, name, sizeof(dns_name_t));
728 }
729 if (key->key != NULL) {
730 dst_key_free(&key->key);
731 }
732 if (key->creator != NULL) {
733 dns_name_free(key->creator, key->mctx);
734 isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
735 }
736 isc_mem_putanddetach(&key->mctx, key, sizeof(dns_tsigkey_t));
737 }
738
739 void
dns_tsigkey_detach(dns_tsigkey_t ** keyp)740 dns_tsigkey_detach(dns_tsigkey_t **keyp) {
741 REQUIRE(keyp != NULL && VALID_TSIG_KEY(*keyp));
742 dns_tsigkey_t *key = *keyp;
743 *keyp = NULL;
744
745 if (isc_refcount_decrement(&key->refs) == 1) {
746 isc_refcount_destroy(&key->refs);
747 tsigkey_free(key);
748 }
749 }
750
751 void
dns_tsigkey_setdeleted(dns_tsigkey_t * key)752 dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
753 REQUIRE(VALID_TSIG_KEY(key));
754 REQUIRE(key->ring != NULL);
755
756 RWLOCK(&key->ring->lock, isc_rwlocktype_write);
757 remove_fromring(key);
758 RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
759 }
760
761 isc_result_t
dns_tsig_sign(dns_message_t * msg)762 dns_tsig_sign(dns_message_t *msg) {
763 dns_tsigkey_t *key = NULL;
764 dns_rdata_any_tsig_t tsig, querytsig;
765 unsigned char data[128];
766 isc_buffer_t databuf, sigbuf;
767 isc_buffer_t *dynbuf = NULL;
768 dns_name_t *owner = NULL;
769 dns_rdata_t *rdata = NULL;
770 dns_rdatalist_t *datalist = NULL;
771 dns_rdataset_t *dataset = NULL;
772 isc_region_t r;
773 isc_stdtime_t now;
774 isc_mem_t *mctx;
775 dst_context_t *ctx = NULL;
776 isc_result_t ret;
777 unsigned char badtimedata[BADTIMELEN];
778 unsigned int sigsize = 0;
779 bool response;
780
781 REQUIRE(msg != NULL);
782 key = dns_message_gettsigkey(msg);
783 REQUIRE(VALID_TSIG_KEY(key));
784
785 /*
786 * If this is a response, there should be a TSIG in the query with the
787 * the exception if this is a TKEY request (see RFC 3645, Section 2.2).
788 */
789 response = is_response(msg);
790 if (response && msg->querytsig == NULL) {
791 if (msg->tkey != 1) {
792 return (DNS_R_EXPECTEDTSIG);
793 }
794 }
795
796 mctx = msg->mctx;
797
798 tsig.mctx = mctx;
799 tsig.common.rdclass = dns_rdataclass_any;
800 tsig.common.rdtype = dns_rdatatype_tsig;
801 ISC_LINK_INIT(&tsig.common, link);
802 dns_name_init(&tsig.algorithm, NULL);
803 dns_name_clone(key->algorithm, &tsig.algorithm);
804
805 isc_stdtime_get(&now);
806 tsig.timesigned = now + msg->timeadjust;
807 tsig.fudge = DNS_TSIG_FUDGE;
808
809 tsig.originalid = msg->id;
810
811 isc_buffer_init(&databuf, data, sizeof(data));
812
813 if (response) {
814 tsig.error = msg->querytsigstatus;
815 } else {
816 tsig.error = dns_rcode_noerror;
817 }
818
819 if (tsig.error != dns_tsigerror_badtime) {
820 tsig.otherlen = 0;
821 tsig.other = NULL;
822 } else {
823 isc_buffer_t otherbuf;
824
825 tsig.otherlen = BADTIMELEN;
826 tsig.other = badtimedata;
827 isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
828 isc_buffer_putuint48(&otherbuf, tsig.timesigned);
829 }
830
831 if ((key->key != NULL) && (tsig.error != dns_tsigerror_badsig) &&
832 (tsig.error != dns_tsigerror_badkey))
833 {
834 unsigned char header[DNS_MESSAGE_HEADERLEN];
835 isc_buffer_t headerbuf;
836 uint16_t digestbits;
837 bool querytsig_ok = false;
838
839 /*
840 * If it is a response, we assume that the request MAC
841 * has validated at this point. This is why we include a
842 * MAC length > 0 in the reply.
843 */
844 ret = dst_context_create(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
845 true, 0, &ctx);
846 if (ret != ISC_R_SUCCESS) {
847 return (ret);
848 }
849
850 /*
851 * If this is a response, and if there was a TSIG in
852 * the query, digest the request's MAC.
853 *
854 * (Note: querytsig should be non-NULL for all
855 * responses except TKEY responses. Those may be signed
856 * with the newly-negotiated TSIG key even if the query
857 * wasn't signed.)
858 */
859 if (response && msg->querytsig != NULL) {
860 dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
861
862 INSIST(msg->verified_sig);
863
864 ret = dns_rdataset_first(msg->querytsig);
865 if (ret != ISC_R_SUCCESS) {
866 goto cleanup_context;
867 }
868 dns_rdataset_current(msg->querytsig, &querytsigrdata);
869 ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
870 NULL);
871 if (ret != ISC_R_SUCCESS) {
872 goto cleanup_context;
873 }
874 isc_buffer_putuint16(&databuf, querytsig.siglen);
875 if (isc_buffer_availablelength(&databuf) <
876 querytsig.siglen)
877 {
878 ret = ISC_R_NOSPACE;
879 goto cleanup_context;
880 }
881 isc_buffer_putmem(&databuf, querytsig.signature,
882 querytsig.siglen);
883 isc_buffer_usedregion(&databuf, &r);
884 ret = dst_context_adddata(ctx, &r);
885 if (ret != ISC_R_SUCCESS) {
886 goto cleanup_context;
887 }
888 querytsig_ok = true;
889 }
890
891 /*
892 * Digest the header.
893 */
894 isc_buffer_init(&headerbuf, header, sizeof(header));
895 dns_message_renderheader(msg, &headerbuf);
896 isc_buffer_usedregion(&headerbuf, &r);
897 ret = dst_context_adddata(ctx, &r);
898 if (ret != ISC_R_SUCCESS) {
899 goto cleanup_context;
900 }
901
902 /*
903 * Digest the remainder of the message.
904 */
905 isc_buffer_usedregion(msg->buffer, &r);
906 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
907 ret = dst_context_adddata(ctx, &r);
908 if (ret != ISC_R_SUCCESS) {
909 goto cleanup_context;
910 }
911
912 if (msg->tcp_continuation == 0) {
913 /*
914 * Digest the name, class, ttl, alg.
915 */
916 dns_name_toregion(&key->name, &r);
917 ret = dst_context_adddata(ctx, &r);
918 if (ret != ISC_R_SUCCESS) {
919 goto cleanup_context;
920 }
921
922 isc_buffer_clear(&databuf);
923 isc_buffer_putuint16(&databuf, dns_rdataclass_any);
924 isc_buffer_putuint32(&databuf, 0); /* ttl */
925 isc_buffer_usedregion(&databuf, &r);
926 ret = dst_context_adddata(ctx, &r);
927 if (ret != ISC_R_SUCCESS) {
928 goto cleanup_context;
929 }
930
931 dns_name_toregion(&tsig.algorithm, &r);
932 ret = dst_context_adddata(ctx, &r);
933 if (ret != ISC_R_SUCCESS) {
934 goto cleanup_context;
935 }
936 }
937 /* Digest the timesigned and fudge */
938 isc_buffer_clear(&databuf);
939 if (tsig.error == dns_tsigerror_badtime && querytsig_ok) {
940 tsig.timesigned = querytsig.timesigned;
941 }
942 isc_buffer_putuint48(&databuf, tsig.timesigned);
943 isc_buffer_putuint16(&databuf, tsig.fudge);
944 isc_buffer_usedregion(&databuf, &r);
945 ret = dst_context_adddata(ctx, &r);
946 if (ret != ISC_R_SUCCESS) {
947 goto cleanup_context;
948 }
949
950 if (msg->tcp_continuation == 0) {
951 /*
952 * Digest the error and other data length.
953 */
954 isc_buffer_clear(&databuf);
955 isc_buffer_putuint16(&databuf, tsig.error);
956 isc_buffer_putuint16(&databuf, tsig.otherlen);
957
958 isc_buffer_usedregion(&databuf, &r);
959 ret = dst_context_adddata(ctx, &r);
960 if (ret != ISC_R_SUCCESS) {
961 goto cleanup_context;
962 }
963
964 /*
965 * Digest other data.
966 */
967 if (tsig.otherlen > 0) {
968 r.length = tsig.otherlen;
969 r.base = tsig.other;
970 ret = dst_context_adddata(ctx, &r);
971 if (ret != ISC_R_SUCCESS) {
972 goto cleanup_context;
973 }
974 }
975 }
976
977 ret = dst_key_sigsize(key->key, &sigsize);
978 if (ret != ISC_R_SUCCESS) {
979 goto cleanup_context;
980 }
981 tsig.signature = isc_mem_get(mctx, sigsize);
982
983 isc_buffer_init(&sigbuf, tsig.signature, sigsize);
984 ret = dst_context_sign(ctx, &sigbuf);
985 if (ret != ISC_R_SUCCESS) {
986 goto cleanup_signature;
987 }
988 dst_context_destroy(&ctx);
989 digestbits = dst_key_getbits(key->key);
990 if (digestbits != 0) {
991 unsigned int bytes = (digestbits + 7) / 8;
992 if (querytsig_ok && bytes < querytsig.siglen) {
993 bytes = querytsig.siglen;
994 }
995 if (bytes > isc_buffer_usedlength(&sigbuf)) {
996 bytes = isc_buffer_usedlength(&sigbuf);
997 }
998 tsig.siglen = bytes;
999 } else {
1000 tsig.siglen = isc_buffer_usedlength(&sigbuf);
1001 }
1002 } else {
1003 tsig.siglen = 0;
1004 tsig.signature = NULL;
1005 }
1006
1007 ret = dns_message_gettemprdata(msg, &rdata);
1008 if (ret != ISC_R_SUCCESS) {
1009 goto cleanup_signature;
1010 }
1011 isc_buffer_allocate(msg->mctx, &dynbuf, 512);
1012 ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
1013 dns_rdatatype_tsig, &tsig, dynbuf);
1014 if (ret != ISC_R_SUCCESS) {
1015 goto cleanup_dynbuf;
1016 }
1017
1018 dns_message_takebuffer(msg, &dynbuf);
1019
1020 if (tsig.signature != NULL) {
1021 isc_mem_put(mctx, tsig.signature, sigsize);
1022 tsig.signature = NULL;
1023 }
1024
1025 ret = dns_message_gettempname(msg, &owner);
1026 if (ret != ISC_R_SUCCESS) {
1027 goto cleanup_rdata;
1028 }
1029 dns_name_copynf(&key->name, owner);
1030
1031 ret = dns_message_gettemprdatalist(msg, &datalist);
1032 if (ret != ISC_R_SUCCESS) {
1033 goto cleanup_owner;
1034 }
1035
1036 ret = dns_message_gettemprdataset(msg, &dataset);
1037 if (ret != ISC_R_SUCCESS) {
1038 goto cleanup_rdatalist;
1039 }
1040 datalist->rdclass = dns_rdataclass_any;
1041 datalist->type = dns_rdatatype_tsig;
1042 ISC_LIST_APPEND(datalist->rdata, rdata, link);
1043 RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) ==
1044 ISC_R_SUCCESS);
1045 msg->tsig = dataset;
1046 msg->tsigname = owner;
1047
1048 /* Windows does not like the tsig name being compressed. */
1049 msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
1050
1051 return (ISC_R_SUCCESS);
1052
1053 cleanup_rdatalist:
1054 dns_message_puttemprdatalist(msg, &datalist);
1055 cleanup_owner:
1056 dns_message_puttempname(msg, &owner);
1057 goto cleanup_rdata;
1058 cleanup_dynbuf:
1059 isc_buffer_free(&dynbuf);
1060 cleanup_rdata:
1061 dns_message_puttemprdata(msg, &rdata);
1062 cleanup_signature:
1063 if (tsig.signature != NULL) {
1064 isc_mem_put(mctx, tsig.signature, sigsize);
1065 }
1066 cleanup_context:
1067 if (ctx != NULL) {
1068 dst_context_destroy(&ctx);
1069 }
1070 return (ret);
1071 }
1072
1073 isc_result_t
dns_tsig_verify(isc_buffer_t * source,dns_message_t * msg,dns_tsig_keyring_t * ring1,dns_tsig_keyring_t * ring2)1074 dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
1075 dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2) {
1076 dns_rdata_any_tsig_t tsig, querytsig;
1077 isc_region_t r, source_r, header_r, sig_r;
1078 isc_buffer_t databuf;
1079 unsigned char data[32];
1080 dns_name_t *keyname;
1081 dns_rdata_t rdata = DNS_RDATA_INIT;
1082 isc_stdtime_t now;
1083 isc_result_t ret;
1084 dns_tsigkey_t *tsigkey;
1085 dst_key_t *key = NULL;
1086 unsigned char header[DNS_MESSAGE_HEADERLEN];
1087 dst_context_t *ctx = NULL;
1088 isc_mem_t *mctx;
1089 uint16_t addcount, id;
1090 unsigned int siglen;
1091 unsigned int alg;
1092 bool response;
1093
1094 REQUIRE(source != NULL);
1095 REQUIRE(DNS_MESSAGE_VALID(msg));
1096 tsigkey = dns_message_gettsigkey(msg);
1097 response = is_response(msg);
1098
1099 REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
1100
1101 msg->verify_attempted = 1;
1102 msg->verified_sig = 0;
1103 msg->tsigstatus = dns_tsigerror_badsig;
1104
1105 if (msg->tcp_continuation) {
1106 if (tsigkey == NULL || msg->querytsig == NULL) {
1107 return (DNS_R_UNEXPECTEDTSIG);
1108 }
1109 return (tsig_verify_tcp(source, msg));
1110 }
1111
1112 /*
1113 * There should be a TSIG record...
1114 */
1115 if (msg->tsig == NULL) {
1116 return (DNS_R_EXPECTEDTSIG);
1117 }
1118
1119 /*
1120 * If this is a response and there's no key or query TSIG, there
1121 * shouldn't be one on the response.
1122 */
1123 if (response && (tsigkey == NULL || msg->querytsig == NULL)) {
1124 return (DNS_R_UNEXPECTEDTSIG);
1125 }
1126
1127 mctx = msg->mctx;
1128
1129 /*
1130 * If we're here, we know the message is well formed and contains a
1131 * TSIG record.
1132 */
1133
1134 keyname = msg->tsigname;
1135 ret = dns_rdataset_first(msg->tsig);
1136 if (ret != ISC_R_SUCCESS) {
1137 return (ret);
1138 }
1139 dns_rdataset_current(msg->tsig, &rdata);
1140 ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1141 if (ret != ISC_R_SUCCESS) {
1142 return (ret);
1143 }
1144 dns_rdata_reset(&rdata);
1145 if (response) {
1146 ret = dns_rdataset_first(msg->querytsig);
1147 if (ret != ISC_R_SUCCESS) {
1148 return (ret);
1149 }
1150 dns_rdataset_current(msg->querytsig, &rdata);
1151 ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
1152 if (ret != ISC_R_SUCCESS) {
1153 return (ret);
1154 }
1155 }
1156
1157 /*
1158 * Do the key name and algorithm match that of the query?
1159 */
1160 if (response &&
1161 (!dns_name_equal(keyname, &tsigkey->name) ||
1162 !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)))
1163 {
1164 msg->tsigstatus = dns_tsigerror_badkey;
1165 tsig_log(msg->tsigkey, 2,
1166 "key name and algorithm do not match");
1167 return (DNS_R_TSIGVERIFYFAILURE);
1168 }
1169
1170 /*
1171 * Get the current time.
1172 */
1173 isc_stdtime_get(&now);
1174
1175 /*
1176 * Find dns_tsigkey_t based on keyname.
1177 */
1178 if (tsigkey == NULL) {
1179 ret = ISC_R_NOTFOUND;
1180 if (ring1 != NULL) {
1181 ret = dns_tsigkey_find(&tsigkey, keyname,
1182 &tsig.algorithm, ring1);
1183 }
1184 if (ret == ISC_R_NOTFOUND && ring2 != NULL) {
1185 ret = dns_tsigkey_find(&tsigkey, keyname,
1186 &tsig.algorithm, ring2);
1187 }
1188 if (ret != ISC_R_SUCCESS) {
1189 msg->tsigstatus = dns_tsigerror_badkey;
1190 ret = dns_tsigkey_create(keyname, &tsig.algorithm, NULL,
1191 0, false, NULL, now, now, mctx,
1192 NULL, &msg->tsigkey);
1193 if (ret != ISC_R_SUCCESS) {
1194 return (ret);
1195 }
1196 tsig_log(msg->tsigkey, 2, "unknown key");
1197 return (DNS_R_TSIGVERIFYFAILURE);
1198 }
1199 msg->tsigkey = tsigkey;
1200 }
1201
1202 key = tsigkey->key;
1203
1204 /*
1205 * Check digest length.
1206 */
1207 alg = dst_key_alg(key);
1208 ret = dst_key_sigsize(key, &siglen);
1209 if (ret != ISC_R_SUCCESS) {
1210 return (ret);
1211 }
1212 if (dns__tsig_algvalid(alg)) {
1213 if (tsig.siglen > siglen) {
1214 tsig_log(msg->tsigkey, 2, "signature length too big");
1215 return (DNS_R_FORMERR);
1216 }
1217 if (tsig.siglen > 0 &&
1218 (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
1219 {
1220 tsig_log(msg->tsigkey, 2,
1221 "signature length below minimum");
1222 return (DNS_R_FORMERR);
1223 }
1224 }
1225
1226 if (tsig.siglen > 0) {
1227 uint16_t addcount_n;
1228
1229 sig_r.base = tsig.signature;
1230 sig_r.length = tsig.siglen;
1231
1232 ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
1233 false, 0, &ctx);
1234 if (ret != ISC_R_SUCCESS) {
1235 return (ret);
1236 }
1237
1238 if (response) {
1239 isc_buffer_init(&databuf, data, sizeof(data));
1240 isc_buffer_putuint16(&databuf, querytsig.siglen);
1241 isc_buffer_usedregion(&databuf, &r);
1242 ret = dst_context_adddata(ctx, &r);
1243 if (ret != ISC_R_SUCCESS) {
1244 goto cleanup_context;
1245 }
1246 if (querytsig.siglen > 0) {
1247 r.length = querytsig.siglen;
1248 r.base = querytsig.signature;
1249 ret = dst_context_adddata(ctx, &r);
1250 if (ret != ISC_R_SUCCESS) {
1251 goto cleanup_context;
1252 }
1253 }
1254 }
1255
1256 /*
1257 * Extract the header.
1258 */
1259 isc_buffer_usedregion(source, &r);
1260 memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
1261 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
1262
1263 /*
1264 * Decrement the additional field counter.
1265 */
1266 memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
1267 addcount_n = ntohs(addcount);
1268 addcount = htons((uint16_t)(addcount_n - 1));
1269 memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
1270
1271 /*
1272 * Put in the original id.
1273 */
1274 id = htons(tsig.originalid);
1275 memmove(&header[0], &id, 2);
1276
1277 /*
1278 * Digest the modified header.
1279 */
1280 header_r.base = (unsigned char *)header;
1281 header_r.length = DNS_MESSAGE_HEADERLEN;
1282 ret = dst_context_adddata(ctx, &header_r);
1283 if (ret != ISC_R_SUCCESS) {
1284 goto cleanup_context;
1285 }
1286
1287 /*
1288 * Digest all non-TSIG records.
1289 */
1290 isc_buffer_usedregion(source, &source_r);
1291 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
1292 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
1293 ret = dst_context_adddata(ctx, &r);
1294 if (ret != ISC_R_SUCCESS) {
1295 goto cleanup_context;
1296 }
1297
1298 /*
1299 * Digest the key name.
1300 */
1301 dns_name_toregion(&tsigkey->name, &r);
1302 ret = dst_context_adddata(ctx, &r);
1303 if (ret != ISC_R_SUCCESS) {
1304 goto cleanup_context;
1305 }
1306
1307 isc_buffer_init(&databuf, data, sizeof(data));
1308 isc_buffer_putuint16(&databuf, tsig.common.rdclass);
1309 isc_buffer_putuint32(&databuf, msg->tsig->ttl);
1310 isc_buffer_usedregion(&databuf, &r);
1311 ret = dst_context_adddata(ctx, &r);
1312 if (ret != ISC_R_SUCCESS) {
1313 goto cleanup_context;
1314 }
1315
1316 /*
1317 * Digest the key algorithm.
1318 */
1319 dns_name_toregion(tsigkey->algorithm, &r);
1320 ret = dst_context_adddata(ctx, &r);
1321 if (ret != ISC_R_SUCCESS) {
1322 goto cleanup_context;
1323 }
1324
1325 isc_buffer_clear(&databuf);
1326 isc_buffer_putuint48(&databuf, tsig.timesigned);
1327 isc_buffer_putuint16(&databuf, tsig.fudge);
1328 isc_buffer_putuint16(&databuf, tsig.error);
1329 isc_buffer_putuint16(&databuf, tsig.otherlen);
1330 isc_buffer_usedregion(&databuf, &r);
1331 ret = dst_context_adddata(ctx, &r);
1332 if (ret != ISC_R_SUCCESS) {
1333 goto cleanup_context;
1334 }
1335
1336 if (tsig.otherlen > 0) {
1337 r.base = tsig.other;
1338 r.length = tsig.otherlen;
1339 ret = dst_context_adddata(ctx, &r);
1340 if (ret != ISC_R_SUCCESS) {
1341 goto cleanup_context;
1342 }
1343 }
1344
1345 ret = dst_context_verify(ctx, &sig_r);
1346 if (ret == DST_R_VERIFYFAILURE) {
1347 ret = DNS_R_TSIGVERIFYFAILURE;
1348 tsig_log(msg->tsigkey, 2,
1349 "signature failed to verify(1)");
1350 goto cleanup_context;
1351 } else if (ret != ISC_R_SUCCESS) {
1352 goto cleanup_context;
1353 }
1354 msg->verified_sig = 1;
1355 } else if (!response || (tsig.error != dns_tsigerror_badsig &&
1356 tsig.error != dns_tsigerror_badkey))
1357 {
1358 tsig_log(msg->tsigkey, 2, "signature was empty");
1359 return (DNS_R_TSIGVERIFYFAILURE);
1360 }
1361
1362 /*
1363 * Here at this point, the MAC has been verified. Even if any of
1364 * the following code returns a TSIG error, the reply will be
1365 * signed and WILL always include the request MAC in the digest
1366 * computation.
1367 */
1368
1369 /*
1370 * Is the time ok?
1371 */
1372 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1373 msg->tsigstatus = dns_tsigerror_badtime;
1374 tsig_log(msg->tsigkey, 2, "signature has expired");
1375 ret = DNS_R_CLOCKSKEW;
1376 goto cleanup_context;
1377 } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
1378 msg->tsigstatus = dns_tsigerror_badtime;
1379 tsig_log(msg->tsigkey, 2, "signature is in the future");
1380 ret = DNS_R_CLOCKSKEW;
1381 goto cleanup_context;
1382 }
1383
1384 if (dns__tsig_algvalid(alg)) {
1385 uint16_t digestbits = dst_key_getbits(key);
1386
1387 if (tsig.siglen > 0 && digestbits != 0 &&
1388 tsig.siglen < ((digestbits + 7) / 8))
1389 {
1390 msg->tsigstatus = dns_tsigerror_badtrunc;
1391 tsig_log(msg->tsigkey, 2,
1392 "truncated signature length too small");
1393 ret = DNS_R_TSIGVERIFYFAILURE;
1394 goto cleanup_context;
1395 }
1396 if (tsig.siglen > 0 && digestbits == 0 && tsig.siglen < siglen)
1397 {
1398 msg->tsigstatus = dns_tsigerror_badtrunc;
1399 tsig_log(msg->tsigkey, 2, "signature length too small");
1400 ret = DNS_R_TSIGVERIFYFAILURE;
1401 goto cleanup_context;
1402 }
1403 }
1404
1405 if (response && tsig.error != dns_rcode_noerror) {
1406 msg->tsigstatus = tsig.error;
1407 if (tsig.error == dns_tsigerror_badtime) {
1408 ret = DNS_R_CLOCKSKEW;
1409 } else {
1410 ret = DNS_R_TSIGERRORSET;
1411 }
1412 goto cleanup_context;
1413 }
1414
1415 msg->tsigstatus = dns_rcode_noerror;
1416 ret = ISC_R_SUCCESS;
1417
1418 cleanup_context:
1419 if (ctx != NULL) {
1420 dst_context_destroy(&ctx);
1421 }
1422
1423 return (ret);
1424 }
1425
1426 static isc_result_t
tsig_verify_tcp(isc_buffer_t * source,dns_message_t * msg)1427 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
1428 dns_rdata_any_tsig_t tsig, querytsig;
1429 isc_region_t r, source_r, header_r, sig_r;
1430 isc_buffer_t databuf;
1431 unsigned char data[32];
1432 dns_name_t *keyname;
1433 dns_rdata_t rdata = DNS_RDATA_INIT;
1434 isc_stdtime_t now;
1435 isc_result_t ret;
1436 dns_tsigkey_t *tsigkey;
1437 dst_key_t *key = NULL;
1438 unsigned char header[DNS_MESSAGE_HEADERLEN];
1439 uint16_t addcount, id;
1440 bool has_tsig = false;
1441 isc_mem_t *mctx;
1442 unsigned int siglen;
1443 unsigned int alg;
1444
1445 REQUIRE(source != NULL);
1446 REQUIRE(msg != NULL);
1447 REQUIRE(dns_message_gettsigkey(msg) != NULL);
1448 REQUIRE(msg->tcp_continuation == 1);
1449 REQUIRE(msg->querytsig != NULL);
1450
1451 msg->verified_sig = 0;
1452 msg->tsigstatus = dns_tsigerror_badsig;
1453
1454 if (!is_response(msg)) {
1455 return (DNS_R_EXPECTEDRESPONSE);
1456 }
1457
1458 mctx = msg->mctx;
1459
1460 tsigkey = dns_message_gettsigkey(msg);
1461 key = tsigkey->key;
1462
1463 /*
1464 * Extract and parse the previous TSIG
1465 */
1466 ret = dns_rdataset_first(msg->querytsig);
1467 if (ret != ISC_R_SUCCESS) {
1468 return (ret);
1469 }
1470 dns_rdataset_current(msg->querytsig, &rdata);
1471 ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
1472 if (ret != ISC_R_SUCCESS) {
1473 return (ret);
1474 }
1475 dns_rdata_reset(&rdata);
1476
1477 /*
1478 * If there is a TSIG in this message, do some checks.
1479 */
1480 if (msg->tsig != NULL) {
1481 has_tsig = true;
1482
1483 keyname = msg->tsigname;
1484 ret = dns_rdataset_first(msg->tsig);
1485 if (ret != ISC_R_SUCCESS) {
1486 goto cleanup_querystruct;
1487 }
1488 dns_rdataset_current(msg->tsig, &rdata);
1489 ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1490 if (ret != ISC_R_SUCCESS) {
1491 goto cleanup_querystruct;
1492 }
1493
1494 /*
1495 * Do the key name and algorithm match that of the query?
1496 */
1497 if (!dns_name_equal(keyname, &tsigkey->name) ||
1498 !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
1499 {
1500 msg->tsigstatus = dns_tsigerror_badkey;
1501 ret = DNS_R_TSIGVERIFYFAILURE;
1502 tsig_log(msg->tsigkey, 2,
1503 "key name and algorithm do not match");
1504 goto cleanup_querystruct;
1505 }
1506
1507 /*
1508 * Check digest length.
1509 */
1510 alg = dst_key_alg(key);
1511 ret = dst_key_sigsize(key, &siglen);
1512 if (ret != ISC_R_SUCCESS) {
1513 goto cleanup_querystruct;
1514 }
1515 if (dns__tsig_algvalid(alg)) {
1516 if (tsig.siglen > siglen) {
1517 tsig_log(tsigkey, 2,
1518 "signature length too big");
1519 ret = DNS_R_FORMERR;
1520 goto cleanup_querystruct;
1521 }
1522 if (tsig.siglen > 0 &&
1523 (tsig.siglen < 10 ||
1524 tsig.siglen < ((siglen + 1) / 2)))
1525 {
1526 tsig_log(tsigkey, 2,
1527 "signature length below minimum");
1528 ret = DNS_R_FORMERR;
1529 goto cleanup_querystruct;
1530 }
1531 }
1532 }
1533
1534 if (msg->tsigctx == NULL) {
1535 ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
1536 false, 0, &msg->tsigctx);
1537 if (ret != ISC_R_SUCCESS) {
1538 goto cleanup_querystruct;
1539 }
1540
1541 /*
1542 * Digest the length of the query signature
1543 */
1544 isc_buffer_init(&databuf, data, sizeof(data));
1545 isc_buffer_putuint16(&databuf, querytsig.siglen);
1546 isc_buffer_usedregion(&databuf, &r);
1547 ret = dst_context_adddata(msg->tsigctx, &r);
1548 if (ret != ISC_R_SUCCESS) {
1549 goto cleanup_context;
1550 }
1551
1552 /*
1553 * Digest the data of the query signature
1554 */
1555 if (querytsig.siglen > 0) {
1556 r.length = querytsig.siglen;
1557 r.base = querytsig.signature;
1558 ret = dst_context_adddata(msg->tsigctx, &r);
1559 if (ret != ISC_R_SUCCESS) {
1560 goto cleanup_context;
1561 }
1562 }
1563 }
1564
1565 /*
1566 * Extract the header.
1567 */
1568 isc_buffer_usedregion(source, &r);
1569 memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
1570 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
1571
1572 /*
1573 * Decrement the additional field counter if necessary.
1574 */
1575 if (has_tsig) {
1576 uint16_t addcount_n;
1577
1578 memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
1579 addcount_n = ntohs(addcount);
1580 addcount = htons((uint16_t)(addcount_n - 1));
1581 memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
1582
1583 /*
1584 * Put in the original id.
1585 *
1586 * XXX Can TCP transfers be forwarded? How would that
1587 * work?
1588 */
1589 /* cppcheck-suppress uninitStructMember
1590 * symbolName=tsig.originalid */
1591 id = htons(tsig.originalid);
1592 memmove(&header[0], &id, 2);
1593 }
1594
1595 /*
1596 * Digest the modified header.
1597 */
1598 header_r.base = (unsigned char *)header;
1599 header_r.length = DNS_MESSAGE_HEADERLEN;
1600 ret = dst_context_adddata(msg->tsigctx, &header_r);
1601 if (ret != ISC_R_SUCCESS) {
1602 goto cleanup_context;
1603 }
1604
1605 /*
1606 * Digest all non-TSIG records.
1607 */
1608 isc_buffer_usedregion(source, &source_r);
1609 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
1610 if (has_tsig) {
1611 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
1612 } else {
1613 r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
1614 }
1615 ret = dst_context_adddata(msg->tsigctx, &r);
1616 if (ret != ISC_R_SUCCESS) {
1617 goto cleanup_context;
1618 }
1619
1620 /*
1621 * Digest the time signed and fudge.
1622 */
1623 if (has_tsig) {
1624 isc_buffer_init(&databuf, data, sizeof(data));
1625 isc_buffer_putuint48(&databuf, tsig.timesigned);
1626 isc_buffer_putuint16(&databuf, tsig.fudge);
1627 isc_buffer_usedregion(&databuf, &r);
1628 ret = dst_context_adddata(msg->tsigctx, &r);
1629 if (ret != ISC_R_SUCCESS) {
1630 goto cleanup_context;
1631 }
1632
1633 sig_r.base = tsig.signature;
1634 sig_r.length = tsig.siglen;
1635 if (tsig.siglen == 0) {
1636 if (tsig.error != dns_rcode_noerror) {
1637 msg->tsigstatus = tsig.error;
1638 if (tsig.error == dns_tsigerror_badtime) {
1639 ret = DNS_R_CLOCKSKEW;
1640 } else {
1641 ret = DNS_R_TSIGERRORSET;
1642 }
1643 } else {
1644 tsig_log(msg->tsigkey, 2, "signature is empty");
1645 ret = DNS_R_TSIGVERIFYFAILURE;
1646 }
1647 goto cleanup_context;
1648 }
1649
1650 ret = dst_context_verify(msg->tsigctx, &sig_r);
1651 if (ret == DST_R_VERIFYFAILURE) {
1652 tsig_log(msg->tsigkey, 2,
1653 "signature failed to verify(2)");
1654 ret = DNS_R_TSIGVERIFYFAILURE;
1655 goto cleanup_context;
1656 } else if (ret != ISC_R_SUCCESS) {
1657 goto cleanup_context;
1658 }
1659 msg->verified_sig = 1;
1660
1661 /*
1662 * Here at this point, the MAC has been verified. Even
1663 * if any of the following code returns a TSIG error,
1664 * the reply will be signed and WILL always include the
1665 * request MAC in the digest computation.
1666 */
1667
1668 /*
1669 * Is the time ok?
1670 */
1671 isc_stdtime_get(&now);
1672
1673 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1674 msg->tsigstatus = dns_tsigerror_badtime;
1675 tsig_log(msg->tsigkey, 2, "signature has expired");
1676 ret = DNS_R_CLOCKSKEW;
1677 goto cleanup_context;
1678 } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge)
1679 {
1680 msg->tsigstatus = dns_tsigerror_badtime;
1681 tsig_log(msg->tsigkey, 2, "signature is in the future");
1682 ret = DNS_R_CLOCKSKEW;
1683 goto cleanup_context;
1684 }
1685
1686 alg = dst_key_alg(key);
1687 ret = dst_key_sigsize(key, &siglen);
1688 if (ret != ISC_R_SUCCESS) {
1689 goto cleanup_context;
1690 }
1691 if (dns__tsig_algvalid(alg)) {
1692 uint16_t digestbits = dst_key_getbits(key);
1693
1694 if (tsig.siglen > 0 && digestbits != 0 &&
1695 tsig.siglen < ((digestbits + 7) / 8))
1696 {
1697 msg->tsigstatus = dns_tsigerror_badtrunc;
1698 tsig_log(msg->tsigkey, 2,
1699 "truncated signature length "
1700 "too small");
1701 ret = DNS_R_TSIGVERIFYFAILURE;
1702 goto cleanup_context;
1703 }
1704 if (tsig.siglen > 0 && digestbits == 0 &&
1705 tsig.siglen < siglen)
1706 {
1707 msg->tsigstatus = dns_tsigerror_badtrunc;
1708 tsig_log(msg->tsigkey, 2,
1709 "signature length too small");
1710 ret = DNS_R_TSIGVERIFYFAILURE;
1711 goto cleanup_context;
1712 }
1713 }
1714
1715 if (tsig.error != dns_rcode_noerror) {
1716 msg->tsigstatus = tsig.error;
1717 if (tsig.error == dns_tsigerror_badtime) {
1718 ret = DNS_R_CLOCKSKEW;
1719 } else {
1720 ret = DNS_R_TSIGERRORSET;
1721 }
1722 goto cleanup_context;
1723 }
1724 }
1725
1726 msg->tsigstatus = dns_rcode_noerror;
1727 ret = ISC_R_SUCCESS;
1728
1729 cleanup_context:
1730 /*
1731 * Except in error conditions, don't destroy the DST context
1732 * for unsigned messages; it is a running sum till the next
1733 * TSIG signed message.
1734 */
1735 if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL) {
1736 dst_context_destroy(&msg->tsigctx);
1737 }
1738
1739 cleanup_querystruct:
1740 dns_rdata_freestruct(&querytsig);
1741
1742 return (ret);
1743 }
1744
1745 isc_result_t
dns_tsigkey_find(dns_tsigkey_t ** tsigkey,const dns_name_t * name,const dns_name_t * algorithm,dns_tsig_keyring_t * ring)1746 dns_tsigkey_find(dns_tsigkey_t **tsigkey, const dns_name_t *name,
1747 const dns_name_t *algorithm, dns_tsig_keyring_t *ring) {
1748 dns_tsigkey_t *key;
1749 isc_stdtime_t now;
1750 isc_result_t result;
1751
1752 REQUIRE(tsigkey != NULL);
1753 REQUIRE(*tsigkey == NULL);
1754 REQUIRE(name != NULL);
1755 REQUIRE(ring != NULL);
1756
1757 RWLOCK(&ring->lock, isc_rwlocktype_write);
1758 cleanup_ring(ring);
1759 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
1760
1761 isc_stdtime_get(&now);
1762 RWLOCK(&ring->lock, isc_rwlocktype_read);
1763 key = NULL;
1764 result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
1765 if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
1766 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1767 return (ISC_R_NOTFOUND);
1768 }
1769 if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
1770 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1771 return (ISC_R_NOTFOUND);
1772 }
1773 if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
1774 /*
1775 * The key has expired.
1776 */
1777 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1778 RWLOCK(&ring->lock, isc_rwlocktype_write);
1779 remove_fromring(key);
1780 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
1781 return (ISC_R_NOTFOUND);
1782 }
1783 #if 0
1784 /*
1785 * MPAXXX We really should look at the inception time.
1786 */
1787 if (key->inception != key->expire &&
1788 isc_serial_lt(key->inception, now)) {
1789 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1790 adjust_lru(key);
1791 return (ISC_R_NOTFOUND);
1792 }
1793 #endif /* if 0 */
1794 isc_refcount_increment(&key->refs);
1795 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1796 adjust_lru(key);
1797 *tsigkey = key;
1798 return (ISC_R_SUCCESS);
1799 }
1800
1801 static void
free_tsignode(void * node,void * _unused)1802 free_tsignode(void *node, void *_unused) {
1803 dns_tsigkey_t *key;
1804
1805 REQUIRE(node != NULL);
1806
1807 UNUSED(_unused);
1808
1809 key = node;
1810 if (key->generated) {
1811 if (ISC_LINK_LINKED(key, link)) {
1812 ISC_LIST_UNLINK(key->ring->lru, key, link);
1813 }
1814 }
1815 dns_tsigkey_detach(&key);
1816 }
1817
1818 isc_result_t
dns_tsigkeyring_create(isc_mem_t * mctx,dns_tsig_keyring_t ** ringp)1819 dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
1820 isc_result_t result;
1821 dns_tsig_keyring_t *ring;
1822
1823 REQUIRE(mctx != NULL);
1824 REQUIRE(ringp != NULL);
1825 REQUIRE(*ringp == NULL);
1826
1827 ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
1828
1829 isc_rwlock_init(&ring->lock, 0, 0);
1830 ring->keys = NULL;
1831 result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
1832 if (result != ISC_R_SUCCESS) {
1833 isc_rwlock_destroy(&ring->lock);
1834 isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
1835 return (result);
1836 }
1837
1838 ring->writecount = 0;
1839 ring->mctx = NULL;
1840 ring->generated = 0;
1841 ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
1842 ISC_LIST_INIT(ring->lru);
1843 isc_mem_attach(mctx, &ring->mctx);
1844 isc_refcount_init(&ring->references, 1);
1845
1846 *ringp = ring;
1847 return (ISC_R_SUCCESS);
1848 }
1849
1850 isc_result_t
dns_tsigkeyring_add(dns_tsig_keyring_t * ring,const dns_name_t * name,dns_tsigkey_t * tkey)1851 dns_tsigkeyring_add(dns_tsig_keyring_t *ring, const dns_name_t *name,
1852 dns_tsigkey_t *tkey) {
1853 isc_result_t result;
1854
1855 result = keyring_add(ring, name, tkey);
1856 if (result == ISC_R_SUCCESS) {
1857 isc_refcount_increment(&tkey->refs);
1858 }
1859
1860 return (result);
1861 }
1862
1863 void
dns_tsigkeyring_attach(dns_tsig_keyring_t * source,dns_tsig_keyring_t ** target)1864 dns_tsigkeyring_attach(dns_tsig_keyring_t *source,
1865 dns_tsig_keyring_t **target) {
1866 REQUIRE(source != NULL);
1867 REQUIRE(target != NULL && *target == NULL);
1868
1869 isc_refcount_increment(&source->references);
1870
1871 *target = source;
1872 }
1873
1874 void
dns_tsigkeyring_detach(dns_tsig_keyring_t ** ringp)1875 dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp) {
1876 dns_tsig_keyring_t *ring;
1877
1878 REQUIRE(ringp != NULL);
1879 REQUIRE(*ringp != NULL);
1880
1881 ring = *ringp;
1882 *ringp = NULL;
1883
1884 if (isc_refcount_decrement(&ring->references) == 1) {
1885 destroyring(ring);
1886 }
1887 }
1888
1889 void
dns_keyring_restore(dns_tsig_keyring_t * ring,FILE * fp)1890 dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp) {
1891 isc_stdtime_t now;
1892 isc_result_t result;
1893
1894 isc_stdtime_get(&now);
1895 do {
1896 result = restore_key(ring, now, fp);
1897 if (result == ISC_R_NOMORE) {
1898 return;
1899 }
1900 if (result == DNS_R_BADALG || result == DNS_R_EXPIRED) {
1901 result = ISC_R_SUCCESS;
1902 }
1903 } while (result == ISC_R_SUCCESS);
1904 }
1905