tsig.c
Go to the documentation of this file.
00001 /*
00002  * tsig.c
00003  *
00004  * contains the functions needed for TSIG [RFC2845]
00005  *
00006  * (c) 2005-2006 NLnet Labs
00007  * See the file LICENSE for the license
00008  */
00009 
00010 #include <ldns/config.h>
00011 
00012 #include <ldns/ldns.h>
00013 
00014 #include <strings.h>
00015 
00016 #ifdef HAVE_SSL
00017 #include <openssl/hmac.h>
00018 #include <openssl/md5.h>
00019 #endif /* HAVE_SSL */
00020 
00021 char *
00022 ldns_tsig_algorithm(ldns_tsig_credentials *tc)
00023 {
00024         return tc->algorithm;
00025 }
00026 
00027 char *
00028 ldns_tsig_keyname(ldns_tsig_credentials *tc)
00029 {
00030         return tc->keyname;
00031 }
00032 
00033 char *
00034 ldns_tsig_keydata(ldns_tsig_credentials *tc)
00035 {
00036         return tc->keydata;
00037 }
00038 
00039 char *
00040 ldns_tsig_keyname_clone(ldns_tsig_credentials *tc)
00041 {
00042         return strdup(tc->keyname);
00043 }
00044 
00045 char *
00046 ldns_tsig_keydata_clone(ldns_tsig_credentials *tc)
00047 {
00048         return strdup(tc->keydata);
00049 }
00050 
00051 /*
00052  *  Makes an exact copy of the wire, but with the tsig rr removed
00053  */
00054 static uint8_t *
00055 ldns_tsig_prepare_pkt_wire(uint8_t *wire, size_t wire_len, size_t *result_len)
00056 {
00057         uint8_t *wire2 = NULL;
00058         uint16_t qd_count;
00059         uint16_t an_count;
00060         uint16_t ns_count;
00061         uint16_t ar_count;
00062         ldns_rr *rr;
00063 
00064         size_t pos;
00065         uint16_t i;
00066 
00067         ldns_status status;
00068 
00069         if(wire_len < LDNS_HEADER_SIZE) {
00070                 return NULL;
00071         }
00072         /* fake parse the wire */
00073         qd_count = LDNS_QDCOUNT(wire);
00074         an_count = LDNS_ANCOUNT(wire);
00075         ns_count = LDNS_NSCOUNT(wire);
00076         ar_count = LDNS_ARCOUNT(wire);
00077 
00078         if (ar_count > 0) {
00079                 ar_count--;
00080         } else {
00081                 return NULL;
00082         }
00083 
00084         pos = LDNS_HEADER_SIZE;
00085 
00086         for (i = 0; i < qd_count; i++) {
00087                 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_QUESTION);
00088                 if (status != LDNS_STATUS_OK) {
00089                         return NULL;
00090                 }
00091                 ldns_rr_free(rr);
00092         }
00093 
00094         for (i = 0; i < an_count; i++) {
00095                 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_ANSWER);
00096                 if (status != LDNS_STATUS_OK) {
00097                         return NULL;
00098                 }
00099                 ldns_rr_free(rr);
00100         }
00101 
00102         for (i = 0; i < ns_count; i++) {
00103                 status = ldns_wire2rr(&rr, wire, wire_len, &pos, LDNS_SECTION_AUTHORITY);
00104                 if (status != LDNS_STATUS_OK) {
00105                         return NULL;
00106                 }
00107                 ldns_rr_free(rr);
00108         }
00109 
00110         for (i = 0; i < ar_count; i++) {
00111                 status = ldns_wire2rr(&rr, wire, wire_len, &pos,
00112                                 LDNS_SECTION_ADDITIONAL);
00113                 if (status != LDNS_STATUS_OK) {
00114                         return NULL;
00115                 }
00116                 ldns_rr_free(rr);
00117         }
00118 
00119         *result_len = pos;
00120         wire2 = LDNS_XMALLOC(uint8_t, *result_len);
00121         if(!wire2) {
00122                 return NULL;
00123         }
00124         memcpy(wire2, wire, *result_len);
00125 
00126         ldns_write_uint16(wire2 + LDNS_ARCOUNT_OFF, ar_count);
00127 
00128         return wire2;
00129 }
00130 
00131 #ifdef HAVE_SSL
00132 static const EVP_MD *
00133 ldns_digest_function(char *name)
00134 {
00135         /* these are the mandatory algorithms from RFC4635 */
00136         /* The optional algorithms are not yet implemented */
00137         if (strcasecmp(name, "hmac-sha256.") == 0) {
00138 #ifdef HAVE_EVP_SHA256
00139                 return EVP_sha256();
00140 #else
00141                 return NULL;
00142 #endif
00143         } else if (strcasecmp(name, "hmac-sha1.") == 0) {
00144                 return EVP_sha1();
00145         } else if (strcasecmp(name, "hmac-md5.sig-alg.reg.int.") == 0) {
00146                 return EVP_md5();
00147         } else {
00148                 return NULL;
00149         }
00150 }
00151 #endif
00152 
00153 #ifdef HAVE_SSL
00154 static ldns_status
00155 ldns_tsig_mac_new(ldns_rdf **tsig_mac, uint8_t *pkt_wire, size_t pkt_wire_size,
00156                 const char *key_data, ldns_rdf *key_name_rdf, ldns_rdf *fudge_rdf,
00157                 ldns_rdf *algorithm_rdf, ldns_rdf *time_signed_rdf, ldns_rdf *error_rdf,
00158                 ldns_rdf *other_data_rdf, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
00159 {
00160         ldns_status status;
00161         char *wireformat;
00162         int wiresize;
00163         unsigned char *mac_bytes = NULL;
00164         unsigned char *key_bytes = NULL;
00165         int key_size;
00166         const EVP_MD *digester;
00167         char *algorithm_name = NULL;
00168         unsigned int md_len = EVP_MAX_MD_SIZE;
00169         ldns_rdf *result = NULL;
00170         ldns_buffer *data_buffer = NULL;
00171         ldns_rdf *canonical_key_name_rdf = NULL;
00172         ldns_rdf *canonical_algorithm_rdf = NULL;
00173         
00174         if (key_name_rdf == NULL || algorithm_rdf == NULL) {
00175                 return LDNS_STATUS_NULL;
00176         }
00177         canonical_key_name_rdf  = ldns_rdf_clone(key_name_rdf);
00178         if (canonical_key_name_rdf == NULL) {
00179                 return LDNS_STATUS_MEM_ERR;
00180         }
00181         canonical_algorithm_rdf = ldns_rdf_clone(algorithm_rdf);
00182         if (canonical_algorithm_rdf == NULL) {
00183                 ldns_rdf_deep_free(canonical_key_name_rdf);
00184                 return LDNS_STATUS_MEM_ERR;
00185         }
00186         /*
00187          * prepare the digestable information
00188          */
00189         data_buffer = ldns_buffer_new(LDNS_MAX_PACKETLEN);
00190         if (!data_buffer) {
00191                 status = LDNS_STATUS_MEM_ERR;
00192                 goto clean;
00193         }
00194         /* if orig_mac is not NULL, add it too */
00195         if (orig_mac_rdf) {
00196                 (void) ldns_rdf2buffer_wire(data_buffer, orig_mac_rdf);
00197         }
00198         ldns_buffer_write(data_buffer, pkt_wire, pkt_wire_size);
00199         if (!tsig_timers_only) {
00200                 ldns_dname2canonical(canonical_key_name_rdf);
00201                 (void)ldns_rdf2buffer_wire(data_buffer, 
00202                                 canonical_key_name_rdf);
00203                 ldns_buffer_write_u16(data_buffer, LDNS_RR_CLASS_ANY);
00204                 ldns_buffer_write_u32(data_buffer, 0);
00205                 ldns_dname2canonical(canonical_algorithm_rdf);
00206                 (void)ldns_rdf2buffer_wire(data_buffer, 
00207                                 canonical_algorithm_rdf);
00208         }
00209         (void)ldns_rdf2buffer_wire(data_buffer, time_signed_rdf);
00210         (void)ldns_rdf2buffer_wire(data_buffer, fudge_rdf);
00211         if (!tsig_timers_only) {
00212                 (void)ldns_rdf2buffer_wire(data_buffer, error_rdf);
00213                 (void)ldns_rdf2buffer_wire(data_buffer, other_data_rdf);
00214         }
00215 
00216         wireformat = (char *) data_buffer->_data;
00217         wiresize = (int) ldns_buffer_position(data_buffer);
00218 
00219         algorithm_name = ldns_rdf2str(algorithm_rdf);
00220         if(!algorithm_name) {
00221                 status = LDNS_STATUS_MEM_ERR;
00222                 goto clean;
00223         }
00224 
00225         /* prepare the key */
00226         key_bytes = LDNS_XMALLOC(unsigned char,
00227                         ldns_b64_pton_calculate_size(strlen(key_data)));
00228         if(!key_bytes) {
00229                 status = LDNS_STATUS_MEM_ERR;
00230                 goto clean;
00231         }
00232         key_size = ldns_b64_pton(key_data, key_bytes,
00233         ldns_b64_pton_calculate_size(strlen(key_data)));
00234         if (key_size < 0) {
00235                 status = LDNS_STATUS_INVALID_B64;
00236                 goto clean;
00237         }
00238         /* hmac it */
00239         /* 2 spare bytes for the length */
00240         mac_bytes = LDNS_XMALLOC(unsigned char, md_len+2);
00241         if(!mac_bytes) {
00242                 status = LDNS_STATUS_MEM_ERR;
00243                 goto clean;
00244         }
00245         memset(mac_bytes, 0, md_len+2);
00246 
00247         digester = ldns_digest_function(algorithm_name);
00248 
00249         if (digester) {
00250                 (void) HMAC(digester, key_bytes, key_size, (void *)wireformat,
00251                             (size_t) wiresize, mac_bytes + 2, &md_len);
00252 
00253                 ldns_write_uint16(mac_bytes, md_len);
00254                 result = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_INT16_DATA, md_len + 2,
00255                                 mac_bytes);
00256         } else {
00257                 status = LDNS_STATUS_CRYPTO_UNKNOWN_ALGO;
00258                 goto clean;
00259         }
00260         *tsig_mac = result;
00261         status = LDNS_STATUS_OK;
00262   clean:
00263         LDNS_FREE(mac_bytes);
00264         LDNS_FREE(key_bytes);
00265         LDNS_FREE(algorithm_name);
00266         ldns_buffer_free(data_buffer);
00267         ldns_rdf_deep_free(canonical_algorithm_rdf);
00268         ldns_rdf_deep_free(canonical_key_name_rdf);
00269         return status;
00270 }
00271 #endif /*  HAVE_SSL */
00272 
00273 
00274 #ifdef HAVE_SSL
00275 bool
00276 ldns_pkt_tsig_verify(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char *key_name,
00277         const char *key_data, ldns_rdf *orig_mac_rdf)
00278 {
00279         return ldns_pkt_tsig_verify_next(pkt, wire, wirelen, key_name, key_data, orig_mac_rdf, 0);
00280 }
00281 
00282 bool
00283 ldns_pkt_tsig_verify_next(ldns_pkt *pkt, uint8_t *wire, size_t wirelen, const char* key_name,
00284         const char *key_data, ldns_rdf *orig_mac_rdf, int tsig_timers_only)
00285 {
00286         ldns_rdf *fudge_rdf;
00287         ldns_rdf *algorithm_rdf;
00288         ldns_rdf *time_signed_rdf;
00289         ldns_rdf *orig_id_rdf;
00290         ldns_rdf *error_rdf;
00291         ldns_rdf *other_data_rdf;
00292         ldns_rdf *pkt_mac_rdf;
00293         ldns_rdf *my_mac_rdf;
00294         ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00295         uint16_t pkt_id, orig_pkt_id;
00296         ldns_status status;
00297 
00298         uint8_t *prepared_wire = NULL;
00299         size_t prepared_wire_size = 0;
00300 
00301         ldns_rr *orig_tsig = ldns_pkt_tsig(pkt);
00302 
00303         if (!orig_tsig || ldns_rr_rd_count(orig_tsig) <= 6) {
00304                 ldns_rdf_deep_free(key_name_rdf);
00305                 return false;
00306         }
00307         algorithm_rdf = ldns_rr_rdf(orig_tsig, 0);
00308         time_signed_rdf = ldns_rr_rdf(orig_tsig, 1);
00309         fudge_rdf = ldns_rr_rdf(orig_tsig, 2);
00310         pkt_mac_rdf = ldns_rr_rdf(orig_tsig, 3);
00311         orig_id_rdf = ldns_rr_rdf(orig_tsig, 4);
00312         error_rdf = ldns_rr_rdf(orig_tsig, 5);
00313         other_data_rdf = ldns_rr_rdf(orig_tsig, 6);
00314 
00315         /* remove temporarily */
00316         ldns_pkt_set_tsig(pkt, NULL);
00317         /* temporarily change the id to the original id */
00318         pkt_id = ldns_pkt_id(pkt);
00319         orig_pkt_id = ldns_rdf2native_int16(orig_id_rdf);
00320         ldns_pkt_set_id(pkt, orig_pkt_id);
00321 
00322         prepared_wire = ldns_tsig_prepare_pkt_wire(wire, wirelen, &prepared_wire_size);
00323 
00324         status = ldns_tsig_mac_new(&my_mac_rdf, prepared_wire, prepared_wire_size,
00325                         key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00326                         time_signed_rdf, error_rdf, other_data_rdf, orig_mac_rdf, tsig_timers_only);
00327 
00328         LDNS_FREE(prepared_wire);
00329 
00330         if (status != LDNS_STATUS_OK) {
00331                 ldns_rdf_deep_free(key_name_rdf);
00332                 return false;
00333         }
00334         /* Put back the values */
00335         ldns_pkt_set_tsig(pkt, orig_tsig);
00336         ldns_pkt_set_id(pkt, pkt_id);
00337 
00338         ldns_rdf_deep_free(key_name_rdf);
00339 
00340         if (ldns_rdf_compare(pkt_mac_rdf, my_mac_rdf) == 0) {
00341                 ldns_rdf_deep_free(my_mac_rdf);
00342                 return true;
00343         } else {
00344                 ldns_rdf_deep_free(my_mac_rdf);
00345                 return false;
00346         }
00347 }
00348 #endif /* HAVE_SSL */
00349 
00350 #ifdef HAVE_SSL
00351 ldns_status
00352 ldns_pkt_tsig_sign(ldns_pkt *pkt, const char *key_name, const char *key_data,
00353         uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac)
00354 {
00355         return ldns_pkt_tsig_sign_next(pkt, key_name, key_data, fudge, algorithm_name, query_mac, 0);
00356 }
00357 
00358 ldns_status
00359 ldns_pkt_tsig_sign_next(ldns_pkt *pkt, const char *key_name, const char *key_data,
00360         uint16_t fudge, const char *algorithm_name, ldns_rdf *query_mac, int tsig_timers_only)
00361 {
00362         ldns_rr *tsig_rr;
00363         ldns_rdf *key_name_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, key_name);
00364         ldns_rdf *fudge_rdf = NULL;
00365         ldns_rdf *orig_id_rdf = NULL;
00366         ldns_rdf *algorithm_rdf;
00367         ldns_rdf *error_rdf = NULL;
00368         ldns_rdf *mac_rdf = NULL;
00369         ldns_rdf *other_data_rdf = NULL;
00370 
00371         ldns_status status = LDNS_STATUS_OK;
00372 
00373         uint8_t *pkt_wire = NULL;
00374         size_t pkt_wire_len;
00375 
00376         struct timeval tv_time_signed;
00377         uint8_t *time_signed = NULL;
00378         ldns_rdf *time_signed_rdf = NULL;
00379 
00380         algorithm_rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, algorithm_name);
00381         if(!key_name_rdf || !algorithm_rdf) {
00382                 status = LDNS_STATUS_MEM_ERR;
00383                 goto clean;
00384         }
00385 
00386         /* eww don't have create tsigtime rdf yet :( */
00387         /* bleh :p */
00388         if (gettimeofday(&tv_time_signed, NULL) == 0) {
00389                 time_signed = LDNS_XMALLOC(uint8_t, 6);
00390                 if(!time_signed) {
00391                         status = LDNS_STATUS_MEM_ERR;
00392                         goto clean;
00393                 }
00394                 ldns_write_uint64_as_uint48(time_signed,
00395                                 (uint64_t)tv_time_signed.tv_sec);
00396         } else {
00397                 status = LDNS_STATUS_INTERNAL_ERR;
00398                 goto clean;
00399         }
00400 
00401         time_signed_rdf = ldns_rdf_new(LDNS_RDF_TYPE_TSIGTIME, 6, time_signed);
00402         if(!time_signed_rdf) {
00403                 LDNS_FREE(time_signed);
00404                 status = LDNS_STATUS_MEM_ERR;
00405                 goto clean;
00406         }
00407 
00408         fudge_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, fudge);
00409 
00410         orig_id_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_pkt_id(pkt));
00411 
00412         error_rdf = ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 0);
00413 
00414         other_data_rdf = ldns_native2rdf_int16_data(0, NULL);
00415 
00416         if(!fudge_rdf || !orig_id_rdf || !error_rdf || !other_data_rdf) {
00417                 status = LDNS_STATUS_MEM_ERR;
00418                 goto clean;
00419         }
00420 
00421         if (ldns_pkt2wire(&pkt_wire, pkt, &pkt_wire_len) != LDNS_STATUS_OK) {
00422                 status = LDNS_STATUS_ERR;
00423                 goto clean;
00424         }
00425 
00426         status = ldns_tsig_mac_new(&mac_rdf, pkt_wire, pkt_wire_len,
00427                         key_data, key_name_rdf, fudge_rdf, algorithm_rdf,
00428                         time_signed_rdf, error_rdf, other_data_rdf, query_mac, tsig_timers_only);
00429 
00430         if (!mac_rdf) {
00431                 goto clean;
00432         }
00433 
00434         LDNS_FREE(pkt_wire);
00435 
00436         /* Create the TSIG RR */
00437         tsig_rr = ldns_rr_new();
00438         if(!tsig_rr) {
00439                 status = LDNS_STATUS_MEM_ERR;
00440                 goto clean;
00441         }
00442         ldns_rr_set_owner(tsig_rr, key_name_rdf);
00443         ldns_rr_set_class(tsig_rr, LDNS_RR_CLASS_ANY);
00444         ldns_rr_set_type(tsig_rr, LDNS_RR_TYPE_TSIG);
00445         ldns_rr_set_ttl(tsig_rr, 0);
00446 
00447         ldns_rr_push_rdf(tsig_rr, algorithm_rdf);
00448         ldns_rr_push_rdf(tsig_rr, time_signed_rdf);
00449         ldns_rr_push_rdf(tsig_rr, fudge_rdf);
00450         ldns_rr_push_rdf(tsig_rr, mac_rdf);
00451         ldns_rr_push_rdf(tsig_rr, orig_id_rdf);
00452         ldns_rr_push_rdf(tsig_rr, error_rdf);
00453         ldns_rr_push_rdf(tsig_rr, other_data_rdf);
00454 
00455         ldns_pkt_set_tsig(pkt, tsig_rr);
00456 
00457         return status;
00458 
00459   clean:
00460         LDNS_FREE(pkt_wire);
00461         ldns_rdf_free(key_name_rdf);
00462         ldns_rdf_free(algorithm_rdf);
00463         ldns_rdf_free(time_signed_rdf);
00464         ldns_rdf_free(fudge_rdf);
00465         ldns_rdf_free(orig_id_rdf);
00466         ldns_rdf_free(error_rdf);
00467         ldns_rdf_free(other_data_rdf);
00468         return status;
00469 }
00470 #endif /* HAVE_SSL */