Commit 2e9d4e3d authored by Marek Vavrusa's avatar Marek Vavrusa

TSIG RR is stripped on packet parsing.

parent c44482db
......@@ -196,7 +196,7 @@ static int set_acl(acl_t **acl, list_t* acl_list)
/* Load rule. */
if (ret > 0) {
acl_insert(new_acl, &addr, cfg_if);
acl_insert(new_acl, &addr, cfg_if->key);
}
}
......
......@@ -1343,7 +1343,8 @@ int zones_query_check_zone(const knot_zone_t *zone, uint8_t q_opcode,
acl_used = zd->update_in;
}
acl_match_t *match = NULL;
if ((match = acl_find(acl_used, addr)) == NULL) {
#warning This check is not wrong since it doesn't provide key from TSIG RR.
if ((match = acl_find(acl_used, addr, NULL)) == NULL) {
*rcode = KNOT_RCODE_REFUSED;
return KNOT_EACCES;
} else {
......@@ -1351,9 +1352,9 @@ int zones_query_check_zone(const knot_zone_t *zone, uint8_t q_opcode,
"'%s %s'. match=%p\n", zd->conf->name,
q_opcode == KNOT_OPCODE_UPDATE ? "UPDATE":"XFR/OUT",
match);
if (match->val) {
if (match->key) {
/* Save configured TSIG key for comparison. */
*tsig_key = ((conf_iface_t*)(match->val))->key;
*tsig_key = match->key;
}
}
return KNOT_EOK;
......
......@@ -590,6 +590,13 @@ int knot_dname_cmp_wire(const knot_dname_t *d1, const knot_dname_t *d2,
bool knot_dname_is_equal(const knot_dname_t *d1, const knot_dname_t *d2)
{
if (d1 == d2) {
return true;
}
if (d1 == NULL || d1 == NULL) {
return false;
}
while(*d1 != '\0' || *d2 != '\0') {
if (knot_label_is_equal(d1, d2)) {
d1 = knot_wire_next_label(d1, NULL);
......
......@@ -382,7 +382,9 @@ int knot_pkt_tsig_set(knot_pkt_t *pkt, const knot_tsig_key_t *tsig_key)
{
dbg_packet("%s(%p, %p)\n", __func__, pkt, tsig_key);
pkt->tsig_key = tsig_key;
pkt->tsig_size = tsig_wire_maxsize(tsig_key);
if (tsig_key) {
pkt->tsig_size = tsig_wire_maxsize(tsig_key);
}
return KNOT_EOK;
}
......@@ -764,12 +766,16 @@ int knot_pkt_parse_rr(knot_pkt_t *pkt, unsigned flags)
pkt->rr_info[pkt->rrset_count].flags = KNOT_PF_FREE;
/* Parse wire format. */
size_t rr_size = pkt->parsed;
knot_rrset_t *rr = NULL;
rr = knot_pkt_rr_from_wire(pkt->wire, &pkt->parsed, pkt->max_size);
if (rr == NULL) {
dbg_packet("%s: failed to parse RR\n", __func__);
return KNOT_EMALF;
}
/* Calculate parsed RR size from before/after parsing. */
rr_size = (pkt->parsed - rr_size);
/* Append to RR list if couldn't merge with existing RRSet. */
if (knot_pkt_merge_rr(pkt, rr, flags) != KNOT_EOK) {
......@@ -793,6 +799,13 @@ int knot_pkt_parse_rr(knot_pkt_t *pkt, unsigned flags)
return KNOT_EMALF;
}
/* Strip TSIG RR from wireformat and decrease ARCOUNT. */
pkt->parsed -= rr_size;
pkt->size -= rr_size;
knot_wire_set_id(pkt->wire, tsig_rdata_orig_id(rr));
knot_wire_set_arcount(pkt->wire, knot_wire_get_arcount(pkt->wire) - 1);
/* Remember TSIG RR. */
pkt->tsig_rr = rr;
break;
case KNOT_RRTYPE_OPT:
......
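Review bot: The strip in the `KNOT_RRTYPE_TSIG` case rewinds `pkt->parsed` and shrinks `pkt->size` by rr_size without checking that the TSIG RR was the last record of the message, which RFC 2845 §3.2 / RFC 8945 §5.1 requires; if any RR follows it, the cut removes the tail of those later records while the TSIG bytes stay in the wire, and the same case runs again for a second TSIG, silently overwriting `pkt->tsig_rr`. The ARCOUNT decrement likewise assumes the record sat in the additional section; with ARCOUNT 0 it wraps to 65535. Before the strip I would reject both cases, `if (pkt->tsig_rr != NULL || pkt->parsed != pkt->size) { return KNOT_EMALF; }` (assuming `pkt->size` is the full message length, which is not visible here), and check `knot_wire_get_arcount(pkt->wire) > 0`. Note the RR has already gone through knot_pkt_merge_rr above, so it remains in `pkt->rr` while vanishing from the wire; if that is intended it deserves a comment. How the parse loop terminates after `parsed` is moved back is outside the hunk.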
......@@ -148,6 +148,14 @@ static inline bool knot_pkt_have_edns(const knot_pkt_t *pkt)
return pkt && (knot_edns_get_version(&pkt->opt_rr) != EDNS_NOT_SUPPORTED);
}
/*!
* \brief Checks if EDNS is supported (i.e. has EDNS VERSION != UNSUPPORTED).
*/
static inline bool knot_pkt_have_tsig(const knot_pkt_t *pkt)
{
return pkt && pkt->tsig_rr;
}
/*!
* \brief Checks if DNSSEC was requested (i.e. the DO bit was set).
*/
......
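Review bot: The doc comment on knot_pkt_have_tsig was copied from knot_pkt_have_edns and talks about the EDNS version, which is wrong for this helper. Replace it with `\brief Checks if the packet carries a TSIG RR (i.e. pkt->tsig_rr was set by the parser).` Since this commit makes the parser strip the RR from the wire, the same comment could state that a true result means the wire no longer contains the TSIG RR and the ID/ARCOUNT have been restored — if that is the intended contract.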
......@@ -665,25 +665,6 @@ int knot_tsig_sign_next(uint8_t *msg, size_t *msg_len, size_t msg_max_len,
return KNOT_EOK;
}
int knot_tsig_check_prep(uint8_t* wire, size_t *wire_size, const knot_rrset_t *tsig)
{
if (wire == NULL || wire_size == NULL || tsig == NULL) {
return KNOT_EINVAL;
}
/* Trim TSIG from the packet if it contains it. */
size_t tsig_len = tsig_wire_actsize(tsig);
*wire_size -= tsig_len;
/* Restore message id. */
knot_wire_set_id(wire, tsig_rdata_orig_id(tsig));
/* Decrease arcount. */
knot_wire_set_arcount(wire, knot_wire_get_arcount(wire) - 1);
return KNOT_EOK;
}
static int knot_tsig_check_digest(const knot_rrset_t *tsig_rr,
const uint8_t *wire, size_t size,
const uint8_t *request_mac,
......@@ -741,8 +722,6 @@ static int knot_tsig_check_digest(const knot_rrset_t *tsig_rr,
digest_tmp, &digest_tmp_len,
tsig_rr, tsig_key);
} else {
/* Well, here it isn't. Strip the TSIG. */
knot_tsig_check_prep(wire_to_sign, &size, tsig_rr);
ret = knot_tsig_create_sign_wire(wire_to_sign, size,
request_mac, request_mac_len,
digest_tmp, &digest_tmp_len,
......
......@@ -101,19 +101,6 @@ int knot_tsig_sign_next(uint8_t *msg, size_t *msg_len, size_t msg_max_len,
const knot_tsig_key_t *key, uint8_t *to_sign,
size_t to_sign_len);
/*!
* \brief Strip TSIG and restore message ID on the wire.
*
* This is required for computing the digest from the wire for
* checking signature validity.
*
* \param wire
* \param wire_size
* \param tsig
* \return
*/
int knot_tsig_check_prep(uint8_t* wire, size_t *wire_size, const knot_rrset_t *tsig);
/*!
* \brief Checks incoming request.
*
......@@ -177,6 +164,11 @@ int knot_tsig_client_check_next(const knot_rrset_t *tsig_rr,
int knot_tsig_add(uint8_t *msg, size_t *msg_len, size_t msg_max_len,
uint16_t tsig_rcode, const knot_rrset_t *tsig_rr);
/*! \brief Return true if the TSIG RCODE allows signing the packet. */
static inline bool knot_tsig_can_sign(uint16_t tsig_rcode) {
return (tsig_rcode == KNOT_RCODE_NOERROR || tsig_rcode == KNOT_RCODE_BADTIME);
}
#endif /* _KNOT_TSIG_H_ */
/*! @} */
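Review bot: The one-line comment on knot_tsig_can_sign says what it returns but not why BADTIME is the one error that still gets a signed response, which is the non-obvious part a reader will otherwise take for a bug. RFC 2845 §4.5.2 (RFC 8945 §5.2.3) requires a BADTIME error response to be signed, with the server's current time in the Other Data field, whereas BADSIG and BADKEY responses must be sent unsigned, so the comment should say so: `/*! \brief True if the TSIG RCODE allows signing the response: NOERROR, or BADTIME which RFC 2845 §4.5.2 requires to be signed (BADSIG/BADKEY are sent unsigned). */`. Whether callers apply this to responses only cannot be confirmed from this header.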
......@@ -309,11 +309,6 @@ static int xfrin_check_tsig(knot_pkt_t *packet, knot_ns_xfr_t *xfr,
uint8_t *wire_buf = xfr->tsig_data + xfr->tsig_data_size;
memcpy(wire_buf, xfr->wire, xfr->wire_size);
xfr->tsig_data_size += xfr->wire_size;
/* Strip TSIG RR from wire and restore message ID. */
if (packet->tsig_rr) {
knot_tsig_check_prep(wire_buf, &xfr->tsig_data_size, packet->tsig_rr);
}
}
if (xfr->tsig_key) {
......@@ -324,7 +319,7 @@ static int xfrin_check_tsig(knot_pkt_t *packet, knot_ns_xfr_t *xfr,
// TSIG there, either required or not, process
if (xfr->packet_nr == 0) {
ret = knot_tsig_client_check(packet->tsig_rr,
xfr->wire, xfr->wire_size,
xfr->tsig_data, xfr->tsig_data_size,
xfr->digest, xfr->digest_size,
xfr->tsig_key,
xfr->tsig_prev_time_signed);
......
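Review bot: The check now runs over `xfr->tsig_data`, which is filled by the `memcpy(wire_buf, xfr->wire, xfr->wire_size)` above with `xfr->wire_size` bytes; with the in-place strip removed from this function, that copy is only TSIG-free if `xfr->wire_size` was already reduced to the parser's `pkt->size` before this point, which this hunk does not show. If it is still the size of the received datagram, the accumulated digest input presumably keeps the raw TSIG bytes (after the restored ID and decremented ARCOUNT) and signed transfers would fail to verify. I would either copy `packet->size` bytes here or make the relationship explicit, e.g. `assert(xfr->wire_size == packet->size);` while this is being validated. xfrin_check_tsig starts before the hunk.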