1 /*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12 /*! \file */
13
14 #include <inttypes.h>
15 #include <stdbool.h>
16 #include <stdlib.h>
17
18 #include <isc/buffer.h>
19 #include <isc/mem.h>
20 #include <isc/print.h>
21 #include <isc/refcount.h>
22 #include <isc/result.h>
23 #include <isc/serial.h>
24 #include <isc/string.h> /* Required for HP/UX (and others?) */
25 #include <isc/time.h>
26 #include <isc/util.h>
27
28 #include <dns/fixedname.h>
29 #include <dns/keyvalues.h>
30 #include <dns/log.h>
31 #include <dns/message.h>
32 #include <dns/rbt.h>
33 #include <dns/rdata.h>
34 #include <dns/rdatalist.h>
35 #include <dns/rdataset.h>
36 #include <dns/rdatastruct.h>
37 #include <dns/tsig.h>
38
39 #include "tsig_p.h"
40
41 #define TSIG_MAGIC ISC_MAGIC('T', 'S', 'I', 'G')
42 #define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
43
44 #ifndef DNS_TSIG_MAXGENERATEDKEYS
45 #define DNS_TSIG_MAXGENERATEDKEYS 4096
46 #endif /* ifndef DNS_TSIG_MAXGENERATEDKEYS */
47
48 #define is_response(msg) ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
49
50 #define BADTIMELEN 6
51
52 static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
53 static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
54
55 static dns_name_t const hmacmd5 = DNS_NAME_INITABSOLUTE(hmacmd5_ndata,
56 hmacmd5_offsets);
57 const dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
58
59 static unsigned char gsstsig_ndata[] = "\010gss-tsig";
60 static unsigned char gsstsig_offsets[] = { 0, 9 };
61 static dns_name_t const gsstsig = DNS_NAME_INITABSOLUTE(gsstsig_ndata,
62 gsstsig_offsets);
63 const dns_name_t *dns_tsig_gssapi_name = &gsstsig;
64
65 /*
66 * Since Microsoft doesn't follow its own standard, we will use this
67 * alternate name as a second guess.
68 */
69 static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
70 static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
71 static dns_name_t const gsstsigms = DNS_NAME_INITABSOLUTE(gsstsigms_ndata,
72 gsstsigms_offsets);
73 const dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
74
75 static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
76 static unsigned char hmacsha1_offsets[] = { 0, 10 };
77 static dns_name_t const hmacsha1 = DNS_NAME_INITABSOLUTE(hmacsha1_ndata,
78 hmacsha1_offsets);
79 const dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
80
81 static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
82 static unsigned char hmacsha224_offsets[] = { 0, 12 };
83 static dns_name_t const hmacsha224 = DNS_NAME_INITABSOLUTE(hmacsha224_ndata,
84 hmacsha224_offsets);
85 const dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
86
87 static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
88 static unsigned char hmacsha256_offsets[] = { 0, 12 };
89 static dns_name_t const hmacsha256 = DNS_NAME_INITABSOLUTE(hmacsha256_ndata,
90 hmacsha256_offsets);
91 const dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
92
93 static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
94 static unsigned char hmacsha384_offsets[] = { 0, 12 };
95 static dns_name_t const hmacsha384 = DNS_NAME_INITABSOLUTE(hmacsha384_ndata,
96 hmacsha384_offsets);
97 const dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
98
99 static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
100 static unsigned char hmacsha512_offsets[] = { 0, 12 };
101 static dns_name_t const hmacsha512 = DNS_NAME_INITABSOLUTE(hmacsha512_ndata,
102 hmacsha512_offsets);
103 const dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
104
105 static const struct {
106 const dns_name_t *name;
107 unsigned int dstalg;
108 } known_algs[] = { { &hmacmd5, DST_ALG_HMACMD5 },
109 { &gsstsig, DST_ALG_GSSAPI },
110 { &gsstsigms, DST_ALG_GSSAPI },
111 { &hmacsha1, DST_ALG_HMACSHA1 },
112 { &hmacsha224, DST_ALG_HMACSHA224 },
113 { &hmacsha256, DST_ALG_HMACSHA256 },
114 { &hmacsha384, DST_ALG_HMACSHA384 },
115 { &hmacsha512, DST_ALG_HMACSHA512 } };
116
117 static isc_result_t
118 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
119
120 static void
121 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
122 ISC_FORMAT_PRINTF(3, 4);
123
124 static void
125 cleanup_ring(dns_tsig_keyring_t *ring);
126 static void
127 tsigkey_free(dns_tsigkey_t *key);
128
129 bool
dns__tsig_algvalid(unsigned int alg)130 dns__tsig_algvalid(unsigned int alg) {
131 return (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
132 alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
133 alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512);
134 }
135
136 static void
tsig_log(dns_tsigkey_t * key,int level,const char * fmt,...)137 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
138 va_list ap;
139 char message[4096];
140 char namestr[DNS_NAME_FORMATSIZE];
141 char creatorstr[DNS_NAME_FORMATSIZE];
142
143 if (!isc_log_wouldlog(dns_lctx, level)) {
144 return;
145 }
146 if (key != NULL) {
147 dns_name_format(&key->name, namestr, sizeof(namestr));
148 } else {
149 strlcpy(namestr, "<null>", sizeof(namestr));
150 }
151
152 if (key != NULL && key->generated && key->creator) {
153 dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
154 } else {
155 strlcpy(creatorstr, "<null>", sizeof(creatorstr));
156 }
157
158 va_start(ap, fmt);
159 vsnprintf(message, sizeof(message), fmt, ap);
160 va_end(ap);
161 if (key != NULL && key->generated) {
162 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
163 DNS_LOGMODULE_TSIG, level,
164 "tsig key '%s' (%s): %s", namestr, creatorstr,
165 message);
166 } else {
167 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
168 DNS_LOGMODULE_TSIG, level, "tsig key '%s': %s",
169 namestr, message);
170 }
171 }
172
173 static void
remove_fromring(dns_tsigkey_t * tkey)174 remove_fromring(dns_tsigkey_t *tkey) {
175 if (tkey->generated) {
176 ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
177 tkey->ring->generated--;
178 }
179 (void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, false);
180 }
181
182 static void
adjust_lru(dns_tsigkey_t * tkey)183 adjust_lru(dns_tsigkey_t *tkey) {
184 if (tkey->generated) {
185 RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
186 /*
187 * We may have been removed from the LRU list between
188 * removing the read lock and acquiring the write lock.
189 */
190 if (ISC_LINK_LINKED(tkey, link) && tkey->ring->lru.tail != tkey)
191 {
192 ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
193 ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
194 }
195 RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
196 }
197 }
198
199 /*
200 * A supplemental routine just to add a key to ring. Note that reference
201 * counter should be counted separately because we may be adding the key
202 * as part of creation of the key, in which case the reference counter was
203 * already initialized. Also note we don't need RWLOCK for the reference
204 * counter: it's protected by a separate lock.
205 */
206 static isc_result_t
keyring_add(dns_tsig_keyring_t * ring,const dns_name_t * name,dns_tsigkey_t * tkey)207 keyring_add(dns_tsig_keyring_t *ring, const dns_name_t *name,
208 dns_tsigkey_t *tkey) {
209 isc_result_t result;
210
211 RWLOCK(&ring->lock, isc_rwlocktype_write);
212 ring->writecount++;
213
214 /*
215 * Do on the fly cleaning. Find some nodes we might not
216 * want around any more.
217 */
218 if (ring->writecount > 10) {
219 cleanup_ring(ring);
220 ring->writecount = 0;
221 }
222
223 result = dns_rbt_addname(ring->keys, name, tkey);
224 if (result == ISC_R_SUCCESS && tkey->generated) {
225 /*
226 * Add the new key to the LRU list and remove the least
227 * recently used key if there are too many keys on the list.
228 */
229 ISC_LIST_APPEND(ring->lru, tkey, link);
230 if (ring->generated++ > ring->maxgenerated) {
231 remove_fromring(ISC_LIST_HEAD(ring->lru));
232 }
233 }
234 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
235
236 return (result);
237 }
238
239 isc_result_t
dns_tsigkey_createfromkey(const dns_name_t * name,const dns_name_t * algorithm,dst_key_t * dstkey,bool generated,const dns_name_t * creator,isc_stdtime_t inception,isc_stdtime_t expire,isc_mem_t * mctx,dns_tsig_keyring_t * ring,dns_tsigkey_t ** key)240 dns_tsigkey_createfromkey(const dns_name_t *name, const dns_name_t *algorithm,
241 dst_key_t *dstkey, bool generated,
242 const dns_name_t *creator, isc_stdtime_t inception,
243 isc_stdtime_t expire, isc_mem_t *mctx,
244 dns_tsig_keyring_t *ring, dns_tsigkey_t **key) {
245 dns_tsigkey_t *tkey;
246 isc_result_t ret;
247 unsigned int refs = 0;
248 unsigned int dstalg = 0;
249
250 REQUIRE(key == NULL || *key == NULL);
251 REQUIRE(name != NULL);
252 REQUIRE(algorithm != NULL);
253 REQUIRE(mctx != NULL);
254 REQUIRE(key != NULL || ring != NULL);
255
256 tkey = isc_mem_get(mctx, sizeof(dns_tsigkey_t));
257
258 dns_name_init(&tkey->name, NULL);
259 dns_name_dup(name, mctx, &tkey->name);
260 (void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
261
262 /* Check against known algorithm names */
263 dstalg = dns__tsig_algfromname(algorithm);
264 if (dstalg != 0) {
265 /*
266 * 'algorithm' must be set to a static pointer
267 * so that dns__tsig_algallocated() can compare them.
268 */
269 tkey->algorithm = dns__tsig_algnamefromname(algorithm);
270 if (dstkey != NULL && dst_key_alg(dstkey) != dstalg) {
271 ret = DNS_R_BADALG;
272 goto cleanup_name;
273 }
274 } else {
275 dns_name_t *tmpname;
276 if (dstkey != NULL) {
277 ret = DNS_R_BADALG;
278 goto cleanup_name;
279 }
280 tmpname = isc_mem_get(mctx, sizeof(dns_name_t));
281 dns_name_init(tmpname, NULL);
282 dns_name_dup(algorithm, mctx, tmpname);
283 (void)dns_name_downcase(tmpname, tmpname, NULL);
284 tkey->algorithm = tmpname;
285 }
286
287 if (creator != NULL) {
288 tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
289 dns_name_init(tkey->creator, NULL);
290 dns_name_dup(creator, mctx, tkey->creator);
291 } else {
292 tkey->creator = NULL;
293 }
294
295 tkey->key = NULL;
296 if (dstkey != NULL) {
297 dst_key_attach(dstkey, &tkey->key);
298 }
299 tkey->ring = ring;
300
301 if (key != NULL) {
302 refs = 1;
303 }
304 if (ring != NULL) {
305 refs++;
306 }
307
308 isc_refcount_init(&tkey->refs, refs);
309
310 tkey->generated = generated;
311 tkey->inception = inception;
312 tkey->expire = expire;
313 tkey->mctx = NULL;
314 isc_mem_attach(mctx, &tkey->mctx);
315 ISC_LINK_INIT(tkey, link);
316
317 tkey->magic = TSIG_MAGIC;
318
319 if (ring != NULL) {
320 ret = keyring_add(ring, name, tkey);
321 if (ret != ISC_R_SUCCESS) {
322 goto cleanup_refs;
323 }
324 }
325
326 /*
327 * Ignore this if it's a GSS key, since the key size is meaningless.
328 */
329 if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
330 dstalg != DST_ALG_GSSAPI) {
331 char namestr[DNS_NAME_FORMATSIZE];
332 dns_name_format(name, namestr, sizeof(namestr));
333 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
334 DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
335 "the key '%s' is too short to be secure",
336 namestr);
337 }
338
339 if (key != NULL) {
340 *key = tkey;
341 }
342
343 return (ISC_R_SUCCESS);
344
345 cleanup_refs:
346 tkey->magic = 0;
347 while (refs-- > 0) {
348 isc_refcount_decrement0(&tkey->refs);
349 }
350 isc_refcount_destroy(&tkey->refs);
351
352 if (tkey->key != NULL) {
353 dst_key_free(&tkey->key);
354 }
355 if (tkey->creator != NULL) {
356 dns_name_free(tkey->creator, mctx);
357 isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
358 }
359 if (dns__tsig_algallocated(tkey->algorithm)) {
360 dns_name_t *tmpname;
361 DE_CONST(tkey->algorithm, tmpname);
362 if (dns_name_dynamic(tmpname)) {
363 dns_name_free(tmpname, mctx);
364 }
365 isc_mem_put(mctx, tmpname, sizeof(dns_name_t));
366 }
367 cleanup_name:
368 dns_name_free(&tkey->name, mctx);
369 isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
370
371 return (ret);
372 }
373
374 /*
375 * Find a few nodes to destroy if possible.
376 */
377 static void
cleanup_ring(dns_tsig_keyring_t * ring)378 cleanup_ring(dns_tsig_keyring_t *ring) {
379 isc_result_t result;
380 dns_rbtnodechain_t chain;
381 dns_name_t foundname;
382 dns_fixedname_t fixedorigin;
383 dns_name_t *origin;
384 isc_stdtime_t now;
385 dns_rbtnode_t *node;
386 dns_tsigkey_t *tkey;
387
388 /*
389 * Start up a new iterator each time.
390 */
391 isc_stdtime_get(&now);
392 dns_name_init(&foundname, NULL);
393 origin = dns_fixedname_initname(&fixedorigin);
394
395 again:
396 dns_rbtnodechain_init(&chain);
397 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
398 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
399 dns_rbtnodechain_invalidate(&chain);
400 return;
401 }
402
403 for (;;) {
404 node = NULL;
405 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
406 tkey = node->data;
407 if (tkey != NULL) {
408 if (tkey->generated &&
409 isc_refcount_current(&tkey->refs) == 1 &&
410 tkey->inception != tkey->expire &&
411 tkey->expire < now)
412 {
413 tsig_log(tkey, 2, "tsig expire: deleting");
414 /* delete the key */
415 dns_rbtnodechain_invalidate(&chain);
416 remove_fromring(tkey);
417 goto again;
418 }
419 }
420 result = dns_rbtnodechain_next(&chain, &foundname, origin);
421 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
422 dns_rbtnodechain_invalidate(&chain);
423 return;
424 }
425 }
426 }
427
428 static void
destroyring(dns_tsig_keyring_t * ring)429 destroyring(dns_tsig_keyring_t *ring) {
430 isc_refcount_destroy(&ring->references);
431 dns_rbt_destroy(&ring->keys);
432 isc_rwlock_destroy(&ring->lock);
433 isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));
434 }
435
436 /*
437 * Look up the DST_ALG_ constant for a given name.
438 */
439 unsigned int
dns__tsig_algfromname(const dns_name_t * algorithm)440 dns__tsig_algfromname(const dns_name_t *algorithm) {
441 int i;
442 int n = sizeof(known_algs) / sizeof(*known_algs);
443 for (i = 0; i < n; ++i) {
444 const dns_name_t *name = known_algs[i].name;
445 if (algorithm == name || dns_name_equal(algorithm, name)) {
446 return (known_algs[i].dstalg);
447 }
448 }
449 return (0);
450 }
451
452 /*
453 * Convert an algorithm name into a pointer to the
454 * corresponding pre-defined dns_name_t structure.
455 */
456 const dns_name_t *
dns__tsig_algnamefromname(const dns_name_t * algorithm)457 dns__tsig_algnamefromname(const dns_name_t *algorithm) {
458 int i;
459 int n = sizeof(known_algs) / sizeof(*known_algs);
460 for (i = 0; i < n; ++i) {
461 const dns_name_t *name = known_algs[i].name;
462 if (algorithm == name || dns_name_equal(algorithm, name)) {
463 return (name);
464 }
465 }
466 return (NULL);
467 }
468
469 /*
470 * Test whether the passed algorithm is NOT a pointer to one of the
471 * pre-defined known algorithms (and therefore one that has been
472 * dynamically allocated).
473 *
474 * This will return an incorrect result if passed a dynamically allocated
475 * dns_name_t that happens to match one of the pre-defined names.
476 */
477 bool
dns__tsig_algallocated(const dns_name_t * algorithm)478 dns__tsig_algallocated(const dns_name_t *algorithm) {
479 int i;
480 int n = sizeof(known_algs) / sizeof(*known_algs);
481 for (i = 0; i < n; ++i) {
482 const dns_name_t *name = known_algs[i].name;
483 if (algorithm == name) {
484 return (false);
485 }
486 }
487 return (true);
488 }
489
490 static isc_result_t
restore_key(dns_tsig_keyring_t * ring,isc_stdtime_t now,FILE * fp)491 restore_key(dns_tsig_keyring_t *ring, isc_stdtime_t now, FILE *fp) {
492 dst_key_t *dstkey = NULL;
493 char namestr[1024];
494 char creatorstr[1024];
495 char algorithmstr[1024];
496 char keystr[4096];
497 unsigned int inception, expire;
498 int n;
499 isc_buffer_t b;
500 dns_name_t *name, *creator, *algorithm;
501 dns_fixedname_t fname, fcreator, falgorithm;
502 isc_result_t result;
503 unsigned int dstalg;
504
505 n = fscanf(fp, "%1023s %1023s %u %u %1023s %4095s\n", namestr,
506 creatorstr, &inception, &expire, algorithmstr, keystr);
507 if (n == EOF) {
508 return (ISC_R_NOMORE);
509 }
510 if (n != 6) {
511 return (ISC_R_FAILURE);
512 }
513
514 if (isc_serial_lt(expire, now)) {
515 return (DNS_R_EXPIRED);
516 }
517
518 name = dns_fixedname_initname(&fname);
519 isc_buffer_init(&b, namestr, strlen(namestr));
520 isc_buffer_add(&b, strlen(namestr));
521 result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
522 if (result != ISC_R_SUCCESS) {
523 return (result);
524 }
525
526 creator = dns_fixedname_initname(&fcreator);
527 isc_buffer_init(&b, creatorstr, strlen(creatorstr));
528 isc_buffer_add(&b, strlen(creatorstr));
529 result = dns_name_fromtext(creator, &b, dns_rootname, 0, NULL);
530 if (result != ISC_R_SUCCESS) {
531 return (result);
532 }
533
534 algorithm = dns_fixedname_initname(&falgorithm);
535 isc_buffer_init(&b, algorithmstr, strlen(algorithmstr));
536 isc_buffer_add(&b, strlen(algorithmstr));
537 result = dns_name_fromtext(algorithm, &b, dns_rootname, 0, NULL);
538 if (result != ISC_R_SUCCESS) {
539 return (result);
540 }
541
542 dstalg = dns__tsig_algfromname(algorithm);
543 if (dstalg == 0) {
544 return (DNS_R_BADALG);
545 }
546
547 result = dst_key_restore(name, dstalg, DNS_KEYOWNER_ENTITY,
548 DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
549 ring->mctx, keystr, &dstkey);
550 if (result != ISC_R_SUCCESS) {
551 return (result);
552 }
553
554 result = dns_tsigkey_createfromkey(name, algorithm, dstkey, true,
555 creator, inception, expire,
556 ring->mctx, ring, NULL);
557 if (dstkey != NULL) {
558 dst_key_free(&dstkey);
559 }
560 return (result);
561 }
562
563 static void
dump_key(dns_tsigkey_t * tkey,FILE * fp)564 dump_key(dns_tsigkey_t *tkey, FILE *fp) {
565 char *buffer = NULL;
566 int length = 0;
567 char namestr[DNS_NAME_FORMATSIZE];
568 char creatorstr[DNS_NAME_FORMATSIZE];
569 char algorithmstr[DNS_NAME_FORMATSIZE];
570 isc_result_t result;
571
572 REQUIRE(tkey != NULL);
573 REQUIRE(fp != NULL);
574
575 dns_name_format(&tkey->name, namestr, sizeof(namestr));
576 dns_name_format(tkey->creator, creatorstr, sizeof(creatorstr));
577 dns_name_format(tkey->algorithm, algorithmstr, sizeof(algorithmstr));
578 result = dst_key_dump(tkey->key, tkey->mctx, &buffer, &length);
579 if (result == ISC_R_SUCCESS) {
580 fprintf(fp, "%s %s %u %u %s %.*s\n", namestr, creatorstr,
581 tkey->inception, tkey->expire, algorithmstr, length,
582 buffer);
583 }
584 if (buffer != NULL) {
585 isc_mem_put(tkey->mctx, buffer, length);
586 }
587 }
588
589 isc_result_t
dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t ** ringp,FILE * fp)590 dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp) {
591 isc_result_t result;
592 dns_rbtnodechain_t chain;
593 dns_name_t foundname;
594 dns_fixedname_t fixedorigin;
595 dns_name_t *origin;
596 isc_stdtime_t now;
597 dns_rbtnode_t *node;
598 dns_tsigkey_t *tkey;
599 dns_tsig_keyring_t *ring;
600
601 REQUIRE(ringp != NULL && *ringp != NULL);
602
603 ring = *ringp;
604 *ringp = NULL;
605
606 if (isc_refcount_decrement(&ring->references) > 1) {
607 return (DNS_R_CONTINUE);
608 }
609
610 isc_stdtime_get(&now);
611 dns_name_init(&foundname, NULL);
612 origin = dns_fixedname_initname(&fixedorigin);
613 dns_rbtnodechain_init(&chain);
614 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname, origin);
615 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
616 dns_rbtnodechain_invalidate(&chain);
617 goto destroy;
618 }
619
620 for (;;) {
621 node = NULL;
622 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
623 tkey = node->data;
624 if (tkey != NULL && tkey->generated && tkey->expire >= now) {
625 dump_key(tkey, fp);
626 }
627 result = dns_rbtnodechain_next(&chain, &foundname, origin);
628 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
629 dns_rbtnodechain_invalidate(&chain);
630 if (result == ISC_R_NOMORE) {
631 result = ISC_R_SUCCESS;
632 }
633 goto destroy;
634 }
635 }
636
637 destroy:
638 destroyring(ring);
639 return (result);
640 }
641
642 const dns_name_t *
dns_tsigkey_identity(const dns_tsigkey_t * tsigkey)643 dns_tsigkey_identity(const dns_tsigkey_t *tsigkey) {
644 REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
645
646 if (tsigkey == NULL) {
647 return (NULL);
648 }
649 if (tsigkey->generated) {
650 return (tsigkey->creator);
651 } else {
652 return (&tsigkey->name);
653 }
654 }
655
656 isc_result_t
dns_tsigkey_create(const dns_name_t * name,const dns_name_t * algorithm,unsigned char * secret,int length,bool generated,const dns_name_t * creator,isc_stdtime_t inception,isc_stdtime_t expire,isc_mem_t * mctx,dns_tsig_keyring_t * ring,dns_tsigkey_t ** key)657 dns_tsigkey_create(const dns_name_t *name, const dns_name_t *algorithm,
658 unsigned char *secret, int length, bool generated,
659 const dns_name_t *creator, isc_stdtime_t inception,
660 isc_stdtime_t expire, isc_mem_t *mctx,
661 dns_tsig_keyring_t *ring, dns_tsigkey_t **key) {
662 dst_key_t *dstkey = NULL;
663 isc_result_t result;
664 unsigned int dstalg = 0;
665
666 REQUIRE(length >= 0);
667 if (length > 0) {
668 REQUIRE(secret != NULL);
669 }
670
671 dstalg = dns__tsig_algfromname(algorithm);
672 if (dns__tsig_algvalid(dstalg)) {
673 if (secret != NULL) {
674 isc_buffer_t b;
675
676 isc_buffer_init(&b, secret, length);
677 isc_buffer_add(&b, length);
678 result = dst_key_frombuffer(
679 name, dstalg, DNS_KEYOWNER_ENTITY,
680 DNS_KEYPROTO_DNSSEC, dns_rdataclass_in, &b,
681 mctx, &dstkey);
682 if (result != ISC_R_SUCCESS) {
683 return (result);
684 }
685 }
686 } else if (length > 0) {
687 return (DNS_R_BADALG);
688 }
689
690 result = dns_tsigkey_createfromkey(name, algorithm, dstkey, generated,
691 creator, inception, expire, mctx,
692 ring, key);
693 if (dstkey != NULL) {
694 dst_key_free(&dstkey);
695 }
696 return (result);
697 }
698
699 void
dns_tsigkey_attach(dns_tsigkey_t * source,dns_tsigkey_t ** targetp)700 dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
701 REQUIRE(VALID_TSIG_KEY(source));
702 REQUIRE(targetp != NULL && *targetp == NULL);
703
704 isc_refcount_increment(&source->refs);
705 *targetp = source;
706 }
707
708 static void
tsigkey_free(dns_tsigkey_t * key)709 tsigkey_free(dns_tsigkey_t *key) {
710 REQUIRE(VALID_TSIG_KEY(key));
711
712 key->magic = 0;
713 dns_name_free(&key->name, key->mctx);
714 if (dns__tsig_algallocated(key->algorithm)) {
715 dns_name_t *name;
716 DE_CONST(key->algorithm, name);
717 dns_name_free(name, key->mctx);
718 isc_mem_put(key->mctx, name, sizeof(dns_name_t));
719 }
720 if (key->key != NULL) {
721 dst_key_free(&key->key);
722 }
723 if (key->creator != NULL) {
724 dns_name_free(key->creator, key->mctx);
725 isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
726 }
727 isc_mem_putanddetach(&key->mctx, key, sizeof(dns_tsigkey_t));
728 }
729
730 void
dns_tsigkey_detach(dns_tsigkey_t ** keyp)731 dns_tsigkey_detach(dns_tsigkey_t **keyp) {
732 REQUIRE(keyp != NULL && VALID_TSIG_KEY(*keyp));
733 dns_tsigkey_t *key = *keyp;
734 *keyp = NULL;
735
736 if (isc_refcount_decrement(&key->refs) == 1) {
737 isc_refcount_destroy(&key->refs);
738 tsigkey_free(key);
739 }
740 }
741
742 void
dns_tsigkey_setdeleted(dns_tsigkey_t * key)743 dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
744 REQUIRE(VALID_TSIG_KEY(key));
745 REQUIRE(key->ring != NULL);
746
747 RWLOCK(&key->ring->lock, isc_rwlocktype_write);
748 remove_fromring(key);
749 RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
750 }
751
752 isc_result_t
dns_tsig_sign(dns_message_t * msg)753 dns_tsig_sign(dns_message_t *msg) {
754 dns_tsigkey_t *key = NULL;
755 dns_rdata_any_tsig_t tsig, querytsig;
756 unsigned char data[128];
757 isc_buffer_t databuf, sigbuf;
758 isc_buffer_t *dynbuf = NULL;
759 dns_name_t *owner = NULL;
760 dns_rdata_t *rdata = NULL;
761 dns_rdatalist_t *datalist = NULL;
762 dns_rdataset_t *dataset = NULL;
763 isc_region_t r;
764 isc_stdtime_t now;
765 isc_mem_t *mctx;
766 dst_context_t *ctx = NULL;
767 isc_result_t ret;
768 unsigned char badtimedata[BADTIMELEN];
769 unsigned int sigsize = 0;
770 bool response;
771
772 REQUIRE(msg != NULL);
773 key = dns_message_gettsigkey(msg);
774 REQUIRE(VALID_TSIG_KEY(key));
775
776 /*
777 * If this is a response, there should be a TSIG in the query with the
778 * the exception if this is a TKEY request (see RFC 3645, Section 2.2).
779 */
780 response = is_response(msg);
781 if (response && msg->querytsig == NULL) {
782 if (msg->tkey != 1) {
783 return (DNS_R_EXPECTEDTSIG);
784 }
785 }
786
787 mctx = msg->mctx;
788
789 tsig.mctx = mctx;
790 tsig.common.rdclass = dns_rdataclass_any;
791 tsig.common.rdtype = dns_rdatatype_tsig;
792 ISC_LINK_INIT(&tsig.common, link);
793 dns_name_init(&tsig.algorithm, NULL);
794 dns_name_clone(key->algorithm, &tsig.algorithm);
795
796 isc_stdtime_get(&now);
797 tsig.timesigned = now + msg->timeadjust;
798 tsig.fudge = DNS_TSIG_FUDGE;
799
800 tsig.originalid = msg->id;
801
802 isc_buffer_init(&databuf, data, sizeof(data));
803
804 if (response) {
805 tsig.error = msg->querytsigstatus;
806 } else {
807 tsig.error = dns_rcode_noerror;
808 }
809
810 if (tsig.error != dns_tsigerror_badtime) {
811 tsig.otherlen = 0;
812 tsig.other = NULL;
813 } else {
814 isc_buffer_t otherbuf;
815
816 tsig.otherlen = BADTIMELEN;
817 tsig.other = badtimedata;
818 isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
819 isc_buffer_putuint48(&otherbuf, tsig.timesigned);
820 }
821
822 if ((key->key != NULL) && (tsig.error != dns_tsigerror_badsig) &&
823 (tsig.error != dns_tsigerror_badkey))
824 {
825 unsigned char header[DNS_MESSAGE_HEADERLEN];
826 isc_buffer_t headerbuf;
827 uint16_t digestbits;
828 bool querytsig_ok = false;
829
830 /*
831 * If it is a response, we assume that the request MAC
832 * has validated at this point. This is why we include a
833 * MAC length > 0 in the reply.
834 */
835 ret = dst_context_create(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
836 true, 0, &ctx);
837 if (ret != ISC_R_SUCCESS) {
838 return (ret);
839 }
840
841 /*
842 * If this is a response, and if there was a TSIG in
843 * the query, digest the request's MAC.
844 *
845 * (Note: querytsig should be non-NULL for all
846 * responses except TKEY responses. Those may be signed
847 * with the newly-negotiated TSIG key even if the query
848 * wasn't signed.)
849 */
850 if (response && msg->querytsig != NULL) {
851 dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
852
853 INSIST(msg->verified_sig);
854
855 ret = dns_rdataset_first(msg->querytsig);
856 if (ret != ISC_R_SUCCESS) {
857 goto cleanup_context;
858 }
859 dns_rdataset_current(msg->querytsig, &querytsigrdata);
860 ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
861 NULL);
862 if (ret != ISC_R_SUCCESS) {
863 goto cleanup_context;
864 }
865 isc_buffer_putuint16(&databuf, querytsig.siglen);
866 if (isc_buffer_availablelength(&databuf) <
867 querytsig.siglen) {
868 ret = ISC_R_NOSPACE;
869 goto cleanup_context;
870 }
871 isc_buffer_putmem(&databuf, querytsig.signature,
872 querytsig.siglen);
873 isc_buffer_usedregion(&databuf, &r);
874 ret = dst_context_adddata(ctx, &r);
875 if (ret != ISC_R_SUCCESS) {
876 goto cleanup_context;
877 }
878 querytsig_ok = true;
879 }
880
881 /*
882 * Digest the header.
883 */
884 isc_buffer_init(&headerbuf, header, sizeof(header));
885 dns_message_renderheader(msg, &headerbuf);
886 isc_buffer_usedregion(&headerbuf, &r);
887 ret = dst_context_adddata(ctx, &r);
888 if (ret != ISC_R_SUCCESS) {
889 goto cleanup_context;
890 }
891
892 /*
893 * Digest the remainder of the message.
894 */
895 isc_buffer_usedregion(msg->buffer, &r);
896 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
897 ret = dst_context_adddata(ctx, &r);
898 if (ret != ISC_R_SUCCESS) {
899 goto cleanup_context;
900 }
901
902 if (msg->tcp_continuation == 0) {
903 /*
904 * Digest the name, class, ttl, alg.
905 */
906 dns_name_toregion(&key->name, &r);
907 ret = dst_context_adddata(ctx, &r);
908 if (ret != ISC_R_SUCCESS) {
909 goto cleanup_context;
910 }
911
912 isc_buffer_clear(&databuf);
913 isc_buffer_putuint16(&databuf, dns_rdataclass_any);
914 isc_buffer_putuint32(&databuf, 0); /* ttl */
915 isc_buffer_usedregion(&databuf, &r);
916 ret = dst_context_adddata(ctx, &r);
917 if (ret != ISC_R_SUCCESS) {
918 goto cleanup_context;
919 }
920
921 dns_name_toregion(&tsig.algorithm, &r);
922 ret = dst_context_adddata(ctx, &r);
923 if (ret != ISC_R_SUCCESS) {
924 goto cleanup_context;
925 }
926 }
927 /* Digest the timesigned and fudge */
928 isc_buffer_clear(&databuf);
929 if (tsig.error == dns_tsigerror_badtime && querytsig_ok) {
930 tsig.timesigned = querytsig.timesigned;
931 }
932 isc_buffer_putuint48(&databuf, tsig.timesigned);
933 isc_buffer_putuint16(&databuf, tsig.fudge);
934 isc_buffer_usedregion(&databuf, &r);
935 ret = dst_context_adddata(ctx, &r);
936 if (ret != ISC_R_SUCCESS) {
937 goto cleanup_context;
938 }
939
940 if (msg->tcp_continuation == 0) {
941 /*
942 * Digest the error and other data length.
943 */
944 isc_buffer_clear(&databuf);
945 isc_buffer_putuint16(&databuf, tsig.error);
946 isc_buffer_putuint16(&databuf, tsig.otherlen);
947
948 isc_buffer_usedregion(&databuf, &r);
949 ret = dst_context_adddata(ctx, &r);
950 if (ret != ISC_R_SUCCESS) {
951 goto cleanup_context;
952 }
953
954 /*
955 * Digest other data.
956 */
957 if (tsig.otherlen > 0) {
958 r.length = tsig.otherlen;
959 r.base = tsig.other;
960 ret = dst_context_adddata(ctx, &r);
961 if (ret != ISC_R_SUCCESS) {
962 goto cleanup_context;
963 }
964 }
965 }
966
967 ret = dst_key_sigsize(key->key, &sigsize);
968 if (ret != ISC_R_SUCCESS) {
969 goto cleanup_context;
970 }
971 tsig.signature = isc_mem_get(mctx, sigsize);
972
973 isc_buffer_init(&sigbuf, tsig.signature, sigsize);
974 ret = dst_context_sign(ctx, &sigbuf);
975 if (ret != ISC_R_SUCCESS) {
976 goto cleanup_signature;
977 }
978 dst_context_destroy(&ctx);
979 digestbits = dst_key_getbits(key->key);
980 if (digestbits != 0) {
981 unsigned int bytes = (digestbits + 7) / 8;
982 if (querytsig_ok && bytes < querytsig.siglen) {
983 bytes = querytsig.siglen;
984 }
985 if (bytes > isc_buffer_usedlength(&sigbuf)) {
986 bytes = isc_buffer_usedlength(&sigbuf);
987 }
988 tsig.siglen = bytes;
989 } else {
990 tsig.siglen = isc_buffer_usedlength(&sigbuf);
991 }
992 } else {
993 tsig.siglen = 0;
994 tsig.signature = NULL;
995 }
996
997 ret = dns_message_gettemprdata(msg, &rdata);
998 if (ret != ISC_R_SUCCESS) {
999 goto cleanup_signature;
1000 }
1001 isc_buffer_allocate(msg->mctx, &dynbuf, 512);
1002 ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
1003 dns_rdatatype_tsig, &tsig, dynbuf);
1004 if (ret != ISC_R_SUCCESS) {
1005 goto cleanup_dynbuf;
1006 }
1007
1008 dns_message_takebuffer(msg, &dynbuf);
1009
1010 if (tsig.signature != NULL) {
1011 isc_mem_put(mctx, tsig.signature, sigsize);
1012 tsig.signature = NULL;
1013 }
1014
1015 ret = dns_message_gettempname(msg, &owner);
1016 if (ret != ISC_R_SUCCESS) {
1017 goto cleanup_rdata;
1018 }
1019 dns_name_copy(&key->name, owner);
1020
1021 ret = dns_message_gettemprdatalist(msg, &datalist);
1022 if (ret != ISC_R_SUCCESS) {
1023 goto cleanup_owner;
1024 }
1025
1026 ret = dns_message_gettemprdataset(msg, &dataset);
1027 if (ret != ISC_R_SUCCESS) {
1028 goto cleanup_rdatalist;
1029 }
1030 datalist->rdclass = dns_rdataclass_any;
1031 datalist->type = dns_rdatatype_tsig;
1032 ISC_LIST_APPEND(datalist->rdata, rdata, link);
1033 RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) ==
1034 ISC_R_SUCCESS);
1035 msg->tsig = dataset;
1036 msg->tsigname = owner;
1037
1038 /* Windows does not like the tsig name being compressed. */
1039 msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
1040
1041 return (ISC_R_SUCCESS);
1042
1043 cleanup_rdatalist:
1044 dns_message_puttemprdatalist(msg, &datalist);
1045 cleanup_owner:
1046 dns_message_puttempname(msg, &owner);
1047 goto cleanup_rdata;
1048 cleanup_dynbuf:
1049 isc_buffer_free(&dynbuf);
1050 cleanup_rdata:
1051 dns_message_puttemprdata(msg, &rdata);
1052 cleanup_signature:
1053 if (tsig.signature != NULL) {
1054 isc_mem_put(mctx, tsig.signature, sigsize);
1055 }
1056 cleanup_context:
1057 if (ctx != NULL) {
1058 dst_context_destroy(&ctx);
1059 }
1060 return (ret);
1061 }
1062
1063 isc_result_t
dns_tsig_verify(isc_buffer_t * source,dns_message_t * msg,dns_tsig_keyring_t * ring1,dns_tsig_keyring_t * ring2)1064 dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
1065 dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2) {
1066 dns_rdata_any_tsig_t tsig, querytsig;
1067 isc_region_t r, source_r, header_r, sig_r;
1068 isc_buffer_t databuf;
1069 unsigned char data[32];
1070 dns_name_t *keyname;
1071 dns_rdata_t rdata = DNS_RDATA_INIT;
1072 isc_stdtime_t now;
1073 isc_result_t ret;
1074 dns_tsigkey_t *tsigkey;
1075 dst_key_t *key = NULL;
1076 unsigned char header[DNS_MESSAGE_HEADERLEN];
1077 dst_context_t *ctx = NULL;
1078 isc_mem_t *mctx;
1079 uint16_t addcount, id;
1080 unsigned int siglen;
1081 unsigned int alg;
1082 bool response;
1083
1084 REQUIRE(source != NULL);
1085 REQUIRE(DNS_MESSAGE_VALID(msg));
1086 tsigkey = dns_message_gettsigkey(msg);
1087 response = is_response(msg);
1088
1089 REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
1090
1091 msg->verify_attempted = 1;
1092 msg->verified_sig = 0;
1093 msg->tsigstatus = dns_tsigerror_badsig;
1094
1095 if (msg->tcp_continuation) {
1096 if (tsigkey == NULL || msg->querytsig == NULL) {
1097 return (DNS_R_UNEXPECTEDTSIG);
1098 }
1099 return (tsig_verify_tcp(source, msg));
1100 }
1101
1102 /*
1103 * There should be a TSIG record...
1104 */
1105 if (msg->tsig == NULL) {
1106 return (DNS_R_EXPECTEDTSIG);
1107 }
1108
1109 /*
1110 * If this is a response and there's no key or query TSIG, there
1111 * shouldn't be one on the response.
1112 */
1113 if (response && (tsigkey == NULL || msg->querytsig == NULL)) {
1114 return (DNS_R_UNEXPECTEDTSIG);
1115 }
1116
1117 mctx = msg->mctx;
1118
1119 /*
1120 * If we're here, we know the message is well formed and contains a
1121 * TSIG record.
1122 */
1123
1124 keyname = msg->tsigname;
1125 ret = dns_rdataset_first(msg->tsig);
1126 if (ret != ISC_R_SUCCESS) {
1127 return (ret);
1128 }
1129 dns_rdataset_current(msg->tsig, &rdata);
1130 ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1131 if (ret != ISC_R_SUCCESS) {
1132 return (ret);
1133 }
1134 dns_rdata_reset(&rdata);
1135 if (response) {
1136 ret = dns_rdataset_first(msg->querytsig);
1137 if (ret != ISC_R_SUCCESS) {
1138 return (ret);
1139 }
1140 dns_rdataset_current(msg->querytsig, &rdata);
1141 ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
1142 if (ret != ISC_R_SUCCESS) {
1143 return (ret);
1144 }
1145 }
1146 #if defined(__clang__) && (__clang_major__ < 3 || \
1147 (__clang_major__ == 3 && __clang_minor__ < 2) || \
1148 (__clang_major__ == 4 && __clang_minor__ < 2))
1149 /* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
1150 else
1151 {
1152 memset(&querytsig, 0, sizeof(querytsig));
1153 }
1154 #endif /* if defined(__clang__) && (__clang_major__ < 3 || (__clang_major__ == \
1155 * 3 \
1156 * && __clang_minor__ < 2) || (__clang_major__ == 4 && __clang_minor__ \
1157 * < 2)) */
1158
1159 /*
1160 * Do the key name and algorithm match that of the query?
1161 */
1162 if (response &&
1163 (!dns_name_equal(keyname, &tsigkey->name) ||
1164 !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)))
1165 {
1166 msg->tsigstatus = dns_tsigerror_badkey;
1167 tsig_log(msg->tsigkey, 2,
1168 "key name and algorithm do not match");
1169 return (DNS_R_TSIGVERIFYFAILURE);
1170 }
1171
1172 /*
1173 * Get the current time.
1174 */
1175 isc_stdtime_get(&now);
1176
1177 /*
1178 * Find dns_tsigkey_t based on keyname.
1179 */
1180 if (tsigkey == NULL) {
1181 ret = ISC_R_NOTFOUND;
1182 if (ring1 != NULL) {
1183 ret = dns_tsigkey_find(&tsigkey, keyname,
1184 &tsig.algorithm, ring1);
1185 }
1186 if (ret == ISC_R_NOTFOUND && ring2 != NULL) {
1187 ret = dns_tsigkey_find(&tsigkey, keyname,
1188 &tsig.algorithm, ring2);
1189 }
1190 if (ret != ISC_R_SUCCESS) {
1191 msg->tsigstatus = dns_tsigerror_badkey;
1192 ret = dns_tsigkey_create(keyname, &tsig.algorithm, NULL,
1193 0, false, NULL, now, now, mctx,
1194 NULL, &msg->tsigkey);
1195 if (ret != ISC_R_SUCCESS) {
1196 return (ret);
1197 }
1198 tsig_log(msg->tsigkey, 2, "unknown key");
1199 return (DNS_R_TSIGVERIFYFAILURE);
1200 }
1201 msg->tsigkey = tsigkey;
1202 }
1203
1204 key = tsigkey->key;
1205
1206 /*
1207 * Check digest length.
1208 */
1209 alg = dst_key_alg(key);
1210 ret = dst_key_sigsize(key, &siglen);
1211 if (ret != ISC_R_SUCCESS) {
1212 return (ret);
1213 }
1214 if (dns__tsig_algvalid(alg)) {
1215 if (tsig.siglen > siglen) {
1216 tsig_log(msg->tsigkey, 2, "signature length too big");
1217 return (DNS_R_FORMERR);
1218 }
1219 if (tsig.siglen > 0 &&
1220 (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
1221 tsig_log(msg->tsigkey, 2,
1222 "signature length below minimum");
1223 return (DNS_R_FORMERR);
1224 }
1225 }
1226
1227 if (tsig.siglen > 0) {
1228 uint16_t addcount_n;
1229
1230 sig_r.base = tsig.signature;
1231 sig_r.length = tsig.siglen;
1232
1233 ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
1234 false, 0, &ctx);
1235 if (ret != ISC_R_SUCCESS) {
1236 return (ret);
1237 }
1238
1239 if (response) {
1240 isc_buffer_init(&databuf, data, sizeof(data));
1241 isc_buffer_putuint16(&databuf, querytsig.siglen);
1242 isc_buffer_usedregion(&databuf, &r);
1243 ret = dst_context_adddata(ctx, &r);
1244 if (ret != ISC_R_SUCCESS) {
1245 goto cleanup_context;
1246 }
1247 if (querytsig.siglen > 0) {
1248 r.length = querytsig.siglen;
1249 r.base = querytsig.signature;
1250 ret = dst_context_adddata(ctx, &r);
1251 if (ret != ISC_R_SUCCESS) {
1252 goto cleanup_context;
1253 }
1254 }
1255 }
1256
1257 /*
1258 * Extract the header.
1259 */
1260 isc_buffer_usedregion(source, &r);
1261 memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
1262 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
1263
1264 /*
1265 * Decrement the additional field counter.
1266 */
1267 memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
1268 addcount_n = ntohs(addcount);
1269 addcount = htons((uint16_t)(addcount_n - 1));
1270 memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
1271
1272 /*
1273 * Put in the original id.
1274 */
1275 id = htons(tsig.originalid);
1276 memmove(&header[0], &id, 2);
1277
1278 /*
1279 * Digest the modified header.
1280 */
1281 header_r.base = (unsigned char *)header;
1282 header_r.length = DNS_MESSAGE_HEADERLEN;
1283 ret = dst_context_adddata(ctx, &header_r);
1284 if (ret != ISC_R_SUCCESS) {
1285 goto cleanup_context;
1286 }
1287
1288 /*
1289 * Digest all non-TSIG records.
1290 */
1291 isc_buffer_usedregion(source, &source_r);
1292 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
1293 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
1294 ret = dst_context_adddata(ctx, &r);
1295 if (ret != ISC_R_SUCCESS) {
1296 goto cleanup_context;
1297 }
1298
1299 /*
1300 * Digest the key name.
1301 */
1302 dns_name_toregion(&tsigkey->name, &r);
1303 ret = dst_context_adddata(ctx, &r);
1304 if (ret != ISC_R_SUCCESS) {
1305 goto cleanup_context;
1306 }
1307
1308 isc_buffer_init(&databuf, data, sizeof(data));
1309 isc_buffer_putuint16(&databuf, tsig.common.rdclass);
1310 isc_buffer_putuint32(&databuf, msg->tsig->ttl);
1311 isc_buffer_usedregion(&databuf, &r);
1312 ret = dst_context_adddata(ctx, &r);
1313 if (ret != ISC_R_SUCCESS) {
1314 goto cleanup_context;
1315 }
1316
1317 /*
1318 * Digest the key algorithm.
1319 */
1320 dns_name_toregion(tsigkey->algorithm, &r);
1321 ret = dst_context_adddata(ctx, &r);
1322 if (ret != ISC_R_SUCCESS) {
1323 goto cleanup_context;
1324 }
1325
1326 isc_buffer_clear(&databuf);
1327 isc_buffer_putuint48(&databuf, tsig.timesigned);
1328 isc_buffer_putuint16(&databuf, tsig.fudge);
1329 isc_buffer_putuint16(&databuf, tsig.error);
1330 isc_buffer_putuint16(&databuf, tsig.otherlen);
1331 isc_buffer_usedregion(&databuf, &r);
1332 ret = dst_context_adddata(ctx, &r);
1333 if (ret != ISC_R_SUCCESS) {
1334 goto cleanup_context;
1335 }
1336
1337 if (tsig.otherlen > 0) {
1338 r.base = tsig.other;
1339 r.length = tsig.otherlen;
1340 ret = dst_context_adddata(ctx, &r);
1341 if (ret != ISC_R_SUCCESS) {
1342 goto cleanup_context;
1343 }
1344 }
1345
1346 ret = dst_context_verify(ctx, &sig_r);
1347 if (ret == DST_R_VERIFYFAILURE) {
1348 ret = DNS_R_TSIGVERIFYFAILURE;
1349 tsig_log(msg->tsigkey, 2,
1350 "signature failed to verify(1)");
1351 goto cleanup_context;
1352 } else if (ret != ISC_R_SUCCESS) {
1353 goto cleanup_context;
1354 }
1355 msg->verified_sig = 1;
1356 } else if (!response || (tsig.error != dns_tsigerror_badsig &&
1357 tsig.error != dns_tsigerror_badkey))
1358 {
1359 tsig_log(msg->tsigkey, 2, "signature was empty");
1360 return (DNS_R_TSIGVERIFYFAILURE);
1361 }
1362
1363 /*
1364 * Here at this point, the MAC has been verified. Even if any of
1365 * the following code returns a TSIG error, the reply will be
1366 * signed and WILL always include the request MAC in the digest
1367 * computation.
1368 */
1369
1370 /*
1371 * Is the time ok?
1372 */
1373 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1374 msg->tsigstatus = dns_tsigerror_badtime;
1375 tsig_log(msg->tsigkey, 2, "signature has expired");
1376 ret = DNS_R_CLOCKSKEW;
1377 goto cleanup_context;
1378 } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
1379 msg->tsigstatus = dns_tsigerror_badtime;
1380 tsig_log(msg->tsigkey, 2, "signature is in the future");
1381 ret = DNS_R_CLOCKSKEW;
1382 goto cleanup_context;
1383 }
1384
1385 if (dns__tsig_algvalid(alg)) {
1386 uint16_t digestbits = dst_key_getbits(key);
1387
1388 if (tsig.siglen > 0 && digestbits != 0 &&
1389 tsig.siglen < ((digestbits + 7) / 8)) {
1390 msg->tsigstatus = dns_tsigerror_badtrunc;
1391 tsig_log(msg->tsigkey, 2,
1392 "truncated signature length too small");
1393 ret = DNS_R_TSIGVERIFYFAILURE;
1394 goto cleanup_context;
1395 }
1396 if (tsig.siglen > 0 && digestbits == 0 && tsig.siglen < siglen)
1397 {
1398 msg->tsigstatus = dns_tsigerror_badtrunc;
1399 tsig_log(msg->tsigkey, 2, "signature length too small");
1400 ret = DNS_R_TSIGVERIFYFAILURE;
1401 goto cleanup_context;
1402 }
1403 }
1404
1405 if (response && tsig.error != dns_rcode_noerror) {
1406 msg->tsigstatus = tsig.error;
1407 if (tsig.error == dns_tsigerror_badtime) {
1408 ret = DNS_R_CLOCKSKEW;
1409 } else {
1410 ret = DNS_R_TSIGERRORSET;
1411 }
1412 goto cleanup_context;
1413 }
1414
1415 msg->tsigstatus = dns_rcode_noerror;
1416 ret = ISC_R_SUCCESS;
1417
1418 cleanup_context:
1419 if (ctx != NULL) {
1420 dst_context_destroy(&ctx);
1421 }
1422
1423 return (ret);
1424 }
1425
1426 static isc_result_t
tsig_verify_tcp(isc_buffer_t * source,dns_message_t * msg)1427 tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
1428 dns_rdata_any_tsig_t tsig, querytsig;
1429 isc_region_t r, source_r, header_r, sig_r;
1430 isc_buffer_t databuf;
1431 unsigned char data[32];
1432 dns_name_t *keyname;
1433 dns_rdata_t rdata = DNS_RDATA_INIT;
1434 isc_stdtime_t now;
1435 isc_result_t ret;
1436 dns_tsigkey_t *tsigkey;
1437 dst_key_t *key = NULL;
1438 unsigned char header[DNS_MESSAGE_HEADERLEN];
1439 uint16_t addcount, id;
1440 bool has_tsig = false;
1441 isc_mem_t *mctx;
1442 unsigned int siglen;
1443 unsigned int alg;
1444
1445 REQUIRE(source != NULL);
1446 REQUIRE(msg != NULL);
1447 REQUIRE(dns_message_gettsigkey(msg) != NULL);
1448 REQUIRE(msg->tcp_continuation == 1);
1449 REQUIRE(msg->querytsig != NULL);
1450
1451 msg->verified_sig = 0;
1452 msg->tsigstatus = dns_tsigerror_badsig;
1453
1454 if (!is_response(msg)) {
1455 return (DNS_R_EXPECTEDRESPONSE);
1456 }
1457
1458 mctx = msg->mctx;
1459
1460 tsigkey = dns_message_gettsigkey(msg);
1461 key = tsigkey->key;
1462
1463 /*
1464 * Extract and parse the previous TSIG
1465 */
1466 ret = dns_rdataset_first(msg->querytsig);
1467 if (ret != ISC_R_SUCCESS) {
1468 return (ret);
1469 }
1470 dns_rdataset_current(msg->querytsig, &rdata);
1471 ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
1472 if (ret != ISC_R_SUCCESS) {
1473 return (ret);
1474 }
1475 dns_rdata_reset(&rdata);
1476
1477 /*
1478 * If there is a TSIG in this message, do some checks.
1479 */
1480 if (msg->tsig != NULL) {
1481 has_tsig = true;
1482
1483 keyname = msg->tsigname;
1484 ret = dns_rdataset_first(msg->tsig);
1485 if (ret != ISC_R_SUCCESS) {
1486 goto cleanup_querystruct;
1487 }
1488 dns_rdataset_current(msg->tsig, &rdata);
1489 ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
1490 if (ret != ISC_R_SUCCESS) {
1491 goto cleanup_querystruct;
1492 }
1493
1494 /*
1495 * Do the key name and algorithm match that of the query?
1496 */
1497 if (!dns_name_equal(keyname, &tsigkey->name) ||
1498 !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
1499 {
1500 msg->tsigstatus = dns_tsigerror_badkey;
1501 ret = DNS_R_TSIGVERIFYFAILURE;
1502 tsig_log(msg->tsigkey, 2,
1503 "key name and algorithm do not match");
1504 goto cleanup_querystruct;
1505 }
1506
1507 /*
1508 * Check digest length.
1509 */
1510 alg = dst_key_alg(key);
1511 ret = dst_key_sigsize(key, &siglen);
1512 if (ret != ISC_R_SUCCESS) {
1513 goto cleanup_querystruct;
1514 }
1515 if (dns__tsig_algvalid(alg)) {
1516 if (tsig.siglen > siglen) {
1517 tsig_log(tsigkey, 2,
1518 "signature length too big");
1519 ret = DNS_R_FORMERR;
1520 goto cleanup_querystruct;
1521 }
1522 if (tsig.siglen > 0 &&
1523 (tsig.siglen < 10 ||
1524 tsig.siglen < ((siglen + 1) / 2))) {
1525 tsig_log(tsigkey, 2,
1526 "signature length below minimum");
1527 ret = DNS_R_FORMERR;
1528 goto cleanup_querystruct;
1529 }
1530 }
1531 }
1532
1533 if (msg->tsigctx == NULL) {
1534 ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
1535 false, 0, &msg->tsigctx);
1536 if (ret != ISC_R_SUCCESS) {
1537 goto cleanup_querystruct;
1538 }
1539
1540 /*
1541 * Digest the length of the query signature
1542 */
1543 isc_buffer_init(&databuf, data, sizeof(data));
1544 isc_buffer_putuint16(&databuf, querytsig.siglen);
1545 isc_buffer_usedregion(&databuf, &r);
1546 ret = dst_context_adddata(msg->tsigctx, &r);
1547 if (ret != ISC_R_SUCCESS) {
1548 goto cleanup_context;
1549 }
1550
1551 /*
1552 * Digest the data of the query signature
1553 */
1554 if (querytsig.siglen > 0) {
1555 r.length = querytsig.siglen;
1556 r.base = querytsig.signature;
1557 ret = dst_context_adddata(msg->tsigctx, &r);
1558 if (ret != ISC_R_SUCCESS) {
1559 goto cleanup_context;
1560 }
1561 }
1562 }
1563
1564 /*
1565 * Extract the header.
1566 */
1567 isc_buffer_usedregion(source, &r);
1568 memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
1569 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
1570
1571 /*
1572 * Decrement the additional field counter if necessary.
1573 */
1574 if (has_tsig) {
1575 uint16_t addcount_n;
1576
1577 memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
1578 addcount_n = ntohs(addcount);
1579 addcount = htons((uint16_t)(addcount_n - 1));
1580 memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
1581
1582 /*
1583 * Put in the original id.
1584 *
1585 * XXX Can TCP transfers be forwarded? How would that
1586 * work?
1587 */
1588 /* cppcheck-suppress uninitStructMember
1589 * symbolName=tsig.originalid */
1590 id = htons(tsig.originalid);
1591 memmove(&header[0], &id, 2);
1592 }
1593
1594 /*
1595 * Digest the modified header.
1596 */
1597 header_r.base = (unsigned char *)header;
1598 header_r.length = DNS_MESSAGE_HEADERLEN;
1599 ret = dst_context_adddata(msg->tsigctx, &header_r);
1600 if (ret != ISC_R_SUCCESS) {
1601 goto cleanup_context;
1602 }
1603
1604 /*
1605 * Digest all non-TSIG records.
1606 */
1607 isc_buffer_usedregion(source, &source_r);
1608 r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
1609 if (has_tsig) {
1610 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
1611 } else {
1612 r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
1613 }
1614 ret = dst_context_adddata(msg->tsigctx, &r);
1615 if (ret != ISC_R_SUCCESS) {
1616 goto cleanup_context;
1617 }
1618
1619 /*
1620 * Digest the time signed and fudge.
1621 */
1622 if (has_tsig) {
1623 isc_buffer_init(&databuf, data, sizeof(data));
1624 isc_buffer_putuint48(&databuf, tsig.timesigned);
1625 isc_buffer_putuint16(&databuf, tsig.fudge);
1626 isc_buffer_usedregion(&databuf, &r);
1627 ret = dst_context_adddata(msg->tsigctx, &r);
1628 if (ret != ISC_R_SUCCESS) {
1629 goto cleanup_context;
1630 }
1631
1632 sig_r.base = tsig.signature;
1633 sig_r.length = tsig.siglen;
1634 if (tsig.siglen == 0) {
1635 if (tsig.error != dns_rcode_noerror) {
1636 msg->tsigstatus = tsig.error;
1637 if (tsig.error == dns_tsigerror_badtime) {
1638 ret = DNS_R_CLOCKSKEW;
1639 } else {
1640 ret = DNS_R_TSIGERRORSET;
1641 }
1642 } else {
1643 tsig_log(msg->tsigkey, 2, "signature is empty");
1644 ret = DNS_R_TSIGVERIFYFAILURE;
1645 }
1646 goto cleanup_context;
1647 }
1648
1649 ret = dst_context_verify(msg->tsigctx, &sig_r);
1650 if (ret == DST_R_VERIFYFAILURE) {
1651 tsig_log(msg->tsigkey, 2,
1652 "signature failed to verify(2)");
1653 ret = DNS_R_TSIGVERIFYFAILURE;
1654 goto cleanup_context;
1655 } else if (ret != ISC_R_SUCCESS) {
1656 goto cleanup_context;
1657 }
1658 msg->verified_sig = 1;
1659
1660 /*
1661 * Here at this point, the MAC has been verified. Even
1662 * if any of the following code returns a TSIG error,
1663 * the reply will be signed and WILL always include the
1664 * request MAC in the digest computation.
1665 */
1666
1667 /*
1668 * Is the time ok?
1669 */
1670 isc_stdtime_get(&now);
1671
1672 if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
1673 msg->tsigstatus = dns_tsigerror_badtime;
1674 tsig_log(msg->tsigkey, 2, "signature has expired");
1675 ret = DNS_R_CLOCKSKEW;
1676 goto cleanup_context;
1677 } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge)
1678 {
1679 msg->tsigstatus = dns_tsigerror_badtime;
1680 tsig_log(msg->tsigkey, 2, "signature is in the future");
1681 ret = DNS_R_CLOCKSKEW;
1682 goto cleanup_context;
1683 }
1684
1685 alg = dst_key_alg(key);
1686 ret = dst_key_sigsize(key, &siglen);
1687 if (ret != ISC_R_SUCCESS) {
1688 goto cleanup_context;
1689 }
1690 if (dns__tsig_algvalid(alg)) {
1691 uint16_t digestbits = dst_key_getbits(key);
1692
1693 if (tsig.siglen > 0 && digestbits != 0 &&
1694 tsig.siglen < ((digestbits + 7) / 8)) {
1695 msg->tsigstatus = dns_tsigerror_badtrunc;
1696 tsig_log(msg->tsigkey, 2,
1697 "truncated signature length "
1698 "too small");
1699 ret = DNS_R_TSIGVERIFYFAILURE;
1700 goto cleanup_context;
1701 }
1702 if (tsig.siglen > 0 && digestbits == 0 &&
1703 tsig.siglen < siglen) {
1704 msg->tsigstatus = dns_tsigerror_badtrunc;
1705 tsig_log(msg->tsigkey, 2,
1706 "signature length too small");
1707 ret = DNS_R_TSIGVERIFYFAILURE;
1708 goto cleanup_context;
1709 }
1710 }
1711
1712 if (tsig.error != dns_rcode_noerror) {
1713 msg->tsigstatus = tsig.error;
1714 if (tsig.error == dns_tsigerror_badtime) {
1715 ret = DNS_R_CLOCKSKEW;
1716 } else {
1717 ret = DNS_R_TSIGERRORSET;
1718 }
1719 goto cleanup_context;
1720 }
1721 }
1722
1723 msg->tsigstatus = dns_rcode_noerror;
1724 ret = ISC_R_SUCCESS;
1725
1726 cleanup_context:
1727 /*
1728 * Except in error conditions, don't destroy the DST context
1729 * for unsigned messages; it is a running sum till the next
1730 * TSIG signed message.
1731 */
1732 if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL) {
1733 dst_context_destroy(&msg->tsigctx);
1734 }
1735
1736 cleanup_querystruct:
1737 dns_rdata_freestruct(&querytsig);
1738
1739 return (ret);
1740 }
1741
1742 isc_result_t
dns_tsigkey_find(dns_tsigkey_t ** tsigkey,const dns_name_t * name,const dns_name_t * algorithm,dns_tsig_keyring_t * ring)1743 dns_tsigkey_find(dns_tsigkey_t **tsigkey, const dns_name_t *name,
1744 const dns_name_t *algorithm, dns_tsig_keyring_t *ring) {
1745 dns_tsigkey_t *key;
1746 isc_stdtime_t now;
1747 isc_result_t result;
1748
1749 REQUIRE(tsigkey != NULL);
1750 REQUIRE(*tsigkey == NULL);
1751 REQUIRE(name != NULL);
1752 REQUIRE(ring != NULL);
1753
1754 RWLOCK(&ring->lock, isc_rwlocktype_write);
1755 cleanup_ring(ring);
1756 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
1757
1758 isc_stdtime_get(&now);
1759 RWLOCK(&ring->lock, isc_rwlocktype_read);
1760 key = NULL;
1761 result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
1762 if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
1763 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1764 return (ISC_R_NOTFOUND);
1765 }
1766 if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
1767 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1768 return (ISC_R_NOTFOUND);
1769 }
1770 if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
1771 /*
1772 * The key has expired.
1773 */
1774 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1775 RWLOCK(&ring->lock, isc_rwlocktype_write);
1776 remove_fromring(key);
1777 RWUNLOCK(&ring->lock, isc_rwlocktype_write);
1778 return (ISC_R_NOTFOUND);
1779 }
1780 #if 0
1781 /*
1782 * MPAXXX We really should look at the inception time.
1783 */
1784 if (key->inception != key->expire &&
1785 isc_serial_lt(key->inception, now)) {
1786 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1787 adjust_lru(key);
1788 return (ISC_R_NOTFOUND);
1789 }
1790 #endif /* if 0 */
1791 isc_refcount_increment(&key->refs);
1792 RWUNLOCK(&ring->lock, isc_rwlocktype_read);
1793 adjust_lru(key);
1794 *tsigkey = key;
1795 return (ISC_R_SUCCESS);
1796 }
1797
1798 static void
free_tsignode(void * node,void * _unused)1799 free_tsignode(void *node, void *_unused) {
1800 dns_tsigkey_t *key;
1801
1802 REQUIRE(node != NULL);
1803
1804 UNUSED(_unused);
1805
1806 key = node;
1807 if (key->generated) {
1808 if (ISC_LINK_LINKED(key, link)) {
1809 ISC_LIST_UNLINK(key->ring->lru, key, link);
1810 }
1811 }
1812 dns_tsigkey_detach(&key);
1813 }
1814
1815 isc_result_t
dns_tsigkeyring_create(isc_mem_t * mctx,dns_tsig_keyring_t ** ringp)1816 dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
1817 isc_result_t result;
1818 dns_tsig_keyring_t *ring;
1819
1820 REQUIRE(mctx != NULL);
1821 REQUIRE(ringp != NULL);
1822 REQUIRE(*ringp == NULL);
1823
1824 ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
1825
1826 isc_rwlock_init(&ring->lock, 0, 0);
1827 ring->keys = NULL;
1828 result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
1829 if (result != ISC_R_SUCCESS) {
1830 isc_rwlock_destroy(&ring->lock);
1831 isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
1832 return (result);
1833 }
1834
1835 ring->writecount = 0;
1836 ring->mctx = NULL;
1837 ring->generated = 0;
1838 ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
1839 ISC_LIST_INIT(ring->lru);
1840 isc_mem_attach(mctx, &ring->mctx);
1841 isc_refcount_init(&ring->references, 1);
1842
1843 *ringp = ring;
1844 return (ISC_R_SUCCESS);
1845 }
1846
1847 isc_result_t
dns_tsigkeyring_add(dns_tsig_keyring_t * ring,const dns_name_t * name,dns_tsigkey_t * tkey)1848 dns_tsigkeyring_add(dns_tsig_keyring_t *ring, const dns_name_t *name,
1849 dns_tsigkey_t *tkey) {
1850 isc_result_t result;
1851
1852 result = keyring_add(ring, name, tkey);
1853 if (result == ISC_R_SUCCESS) {
1854 isc_refcount_increment(&tkey->refs);
1855 }
1856
1857 return (result);
1858 }
1859
1860 void
dns_tsigkeyring_attach(dns_tsig_keyring_t * source,dns_tsig_keyring_t ** target)1861 dns_tsigkeyring_attach(dns_tsig_keyring_t *source,
1862 dns_tsig_keyring_t **target) {
1863 REQUIRE(source != NULL);
1864 REQUIRE(target != NULL && *target == NULL);
1865
1866 isc_refcount_increment(&source->references);
1867
1868 *target = source;
1869 }
1870
1871 void
dns_tsigkeyring_detach(dns_tsig_keyring_t ** ringp)1872 dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp) {
1873 dns_tsig_keyring_t *ring;
1874
1875 REQUIRE(ringp != NULL);
1876 REQUIRE(*ringp != NULL);
1877
1878 ring = *ringp;
1879 *ringp = NULL;
1880
1881 if (isc_refcount_decrement(&ring->references) == 1) {
1882 destroyring(ring);
1883 }
1884 }
1885
1886 void
dns_keyring_restore(dns_tsig_keyring_t * ring,FILE * fp)1887 dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp) {
1888 isc_stdtime_t now;
1889 isc_result_t result;
1890
1891 isc_stdtime_get(&now);
1892 do {
1893 result = restore_key(ring, now, fp);
1894 if (result == ISC_R_NOMORE) {
1895 return;
1896 }
1897 if (result == DNS_R_BADALG || result == DNS_R_EXPIRED) {
1898 result = ISC_R_SUCCESS;
1899 }
1900 } while (result == ISC_R_SUCCESS);
1901 }
1902