Skip to content

Knot DNS
Knot DNS
Commit 77c19667 authored by Jan Včelák's avatar Jan Včelák 🚀
Browse files
Options

migrate TSIG code to libdnssec

parent 9ba69da0
Hide whitespace changes
Inline Side-by-side
Showing with 97 additions and 305 deletions
src/knot/conf/cf-lex.l
View file @ 77c19667
......@@ -281,13 +281,12 @@ include BEGIN(include);
return HEXSTR;
}
gss-tsig { lval.alg = KNOT_TSIG_ALG_GSS_TSIG; return TSIG_ALGO_NAME; }
hmac-md5 { lval.alg = KNOT_TSIG_ALG_HMAC_MD5; return TSIG_ALGO_NAME; }
hmac-sha1 { lval.alg = KNOT_TSIG_ALG_HMAC_SHA1; return TSIG_ALGO_NAME; }
hmac-sha224 { lval.alg = KNOT_TSIG_ALG_HMAC_SHA224; return TSIG_ALGO_NAME; }
hmac-sha256 { lval.alg = KNOT_TSIG_ALG_HMAC_SHA256; return TSIG_ALGO_NAME; }
hmac-sha384 { lval.alg = KNOT_TSIG_ALG_HMAC_SHA384; return TSIG_ALGO_NAME; }
hmac-sha512 { lval.alg = KNOT_TSIG_ALG_HMAC_SHA512; return TSIG_ALGO_NAME; }
hmac-md5 { lval.alg = DNSSEC_TSIG_HMAC_MD5; return TSIG_ALGO_NAME; }
hmac-sha1 { lval.alg = DNSSEC_TSIG_HMAC_SHA1; return TSIG_ALGO_NAME; }
hmac-sha224 { lval.alg = DNSSEC_TSIG_HMAC_SHA224; return TSIG_ALGO_NAME; }
hmac-sha256 { lval.alg = DNSSEC_TSIG_HMAC_SHA256; return TSIG_ALGO_NAME; }
hmac-sha384 { lval.alg = DNSSEC_TSIG_HMAC_SHA384; return TSIG_ALGO_NAME; }
hmac-sha512 { lval.alg = DNSSEC_TSIG_HMAC_SHA512; return TSIG_ALGO_NAME; }
["][^"\n]*["] {
yytext[yyleng-1] = 0;
......
src/knot/conf/cf-parse.y
View file @ 77c19667
......@@ -30,6 +30,8 @@
#include <stdlib.h>
#include <pwd.h>
#include <grp.h>
#include "dnssec/binary.h"
#include "dnssec/tsig.h"
#include "common/sockaddr.h"
#include "libknot/dname.h"
#include "libknot/binary.h"
......@@ -445,7 +447,7 @@ static void ident_auto(int tok, conf_t *conf, bool val)
char *t;
long i;
size_t l;
knot_tsig_algorithm_t alg;
dnssec_tsig_algorithm_t alg;
} tok;
}
......@@ -641,7 +643,7 @@ keys:
KEYS '{'
| keys TEXT TSIG_ALGO_NAME TEXT ';' {
/* Check algorithm length. */
if (knot_tsig_digest_length($3.alg) == 0) {
if (dnssec_tsig_algorithm_size($3.alg) == 0) {
cf_error(scanner, "unsupported digest algorithm");
}
......@@ -676,7 +678,8 @@ keys:
memset(k, 0, sizeof(conf_key_t));
k->k.name = dname;
k->k.algorithm = $3.alg;
if (knot_binary_from_base64($4.t, &(k->k.secret)) != 0) {
dnssec_binary_t secret64 = { .data = (uint8_t *)$4.t, .size = strlen($4.t) };
if (dnssec_binary_from_base64(&secret64, &(k->k.secret)) != 0) {
cf_error(scanner, "invalid key secret '%s'", $4.t);
knot_dname_free(&dname, NULL);
free(k);
......
src/knot/ctl/knotc_main.c
View file @ 77c19667
......@@ -309,13 +309,12 @@ static int tsig_parse_str(knot_tsig_key_t *key, const char *str)
/* Determine algorithm. */
int algorithm = KNOT_TSIG_ALG_HMAC_MD5;
int algorithm = DNSSEC_TSIG_HMAC_MD5;
if (s) {
*s++ = '\0'; /* Last part separator */
knot_lookup_table_t *alg = NULL;
alg = knot_lookup_by_name(knot_tsig_alg_dnames_str, h);
if (alg) {
algorithm = alg->id;
dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_name(h);
if (alg != DNSSEC_TSIG_UNKNOWN) {
algorithm = alg;
} else {
free(h);
return KNOT_EINVAL;
......@@ -362,15 +361,13 @@ static int tsig_parse_line(knot_tsig_key_t *k, char *l)
}
/* Lookup algorithm. */
knot_lookup_table_t *alg;
alg = knot_lookup_by_name(knot_tsig_alg_names, a);
if (!alg) {
dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_name(a);
if (alg == DNSSEC_TSIG_UNKNOWN) {
return KNOT_EMALF;
}
/* Create the key data. */
return knot_tsig_create_key(n, alg->id, s, k);
return knot_tsig_create_key(n, alg, s, k);
}
static int tsig_parse_file(knot_tsig_key_t *k, const char *f)
......
src/knot/ctl/remote.c
View file @ 77c19667
......@@ -758,7 +758,7 @@ int remote_query_sign(uint8_t *wire, size_t *size, size_t maxlen,
return KNOT_EINVAL;
}
size_t dlen = knot_tsig_digest_length(key->algorithm);
size_t dlen = dnssec_tsig_algorithm_size(key->algorithm);
uint8_t *digest = malloc(dlen);
if (!digest) {
return KNOT_ENOMEM;
......
src/knot/nameserver/process_query.c
View file @ 77c19667
......@@ -16,6 +16,7 @@
#include "libknot/tsig-op.h"
#include "common/descriptor.h"
#include "common/debug.h"
#include "dnssec/tsig.h"
/* Forward decls. */
static const zone_t *answer_zone_find(const knot_pkt_t *query, knot_zonedb_t *zonedb);
......@@ -223,7 +224,7 @@ bool process_query_acl_check(acl_t *acl, struct query_data *qdata)
knot_pkt_t *query = qdata->query;
struct sockaddr_storage *query_source = qdata->param->query_source;
const knot_dname_t *key_name = NULL;
knot_tsig_algorithm_t key_alg = KNOT_TSIG_ALG_NULL;
dnssec_tsig_algorithm_t key_alg = DNSSEC_TSIG_UNKNOWN;
/* Skip if already checked and valid. */
if (qdata->sign.tsig_key != NULL) {
......@@ -311,7 +312,7 @@ int process_query_sign_response(knot_pkt_t *pkt, struct query_data *qdata)
/* Sign query response. */
dbg_ns("%s: signing response using key %p\n", __func__, ctx->tsig_key);
size_t new_digest_len = knot_tsig_digest_length(ctx->tsig_key->algorithm);
size_t new_digest_len = dnssec_tsig_algorithm_size(ctx->tsig_key->algorithm);
if (ctx->pkt_count == 0) {
ret = knot_tsig_sign(pkt->wire, &pkt->size, pkt->max_size,
ctx->tsig_digest, ctx->tsig_digestlen,
......
src/knot/server/xfr-handler.c
View file @ 77c19667
......@@ -193,7 +193,7 @@ static int xfr_task_setsig(knot_ns_xfr_t *rq, knot_tsig_key_t *key)
int ret = KNOT_EOK;
rq->tsig_key = key;
rq->tsig_size = tsig_wire_maxsize(key);
rq->digest_max_size = knot_tsig_digest_length(key->algorithm);
rq->digest_max_size = dnssec_tsig_algorithm_size(key->algorithm);
rq->digest = malloc(rq->digest_max_size);
if (rq->digest == NULL) {
rq->tsig_key = NULL;
......
src/knot/server/zones.c
View file @ 77c19667
......@@ -31,6 +31,7 @@
#include "knot/zone/zone-dump.h"
#include "libknot/dname.h"
#include "dnssec/random.h"
#include "dnssec/tsig.h"
#include "libknot/rdata/soa.h"
#include "knot/dnssec/zone-events.h"
#include "knot/dnssec/zone-sign.h"
......@@ -1723,8 +1724,8 @@ int zones_verify_tsig_query(const knot_pkt_t *query,
/*
* 1) Check if we support the requested algorithm.
*/
knot_tsig_algorithm_t alg = tsig_rdata_alg(query->tsig_rr);
if (knot_tsig_digest_length(alg) == 0) {
dnssec_tsig_algorithm_t alg = tsig_rdata_alg(query->tsig_rr);
if (dnssec_tsig_algorithm_size(alg) == 0) {
log_answer_info("Unsupported digest algorithm "
"requested, treating as bad key\n");
/*! \todo [TSIG] It is unclear from RFC if I
......@@ -1758,7 +1759,7 @@ int zones_verify_tsig_query(const knot_pkt_t *query,
/* Prepare variables for TSIG */
/*! \todo These need to be saved to the response somehow. */
//size_t tsig_size = tsig_wire_maxsize(key);
size_t digest_max_size = knot_tsig_digest_length(key->algorithm);
size_t digest_max_size = dnssec_tsig_algorithm_size(key->algorithm);
//size_t digest_size = 0;
//uint64_t tsig_prev_time_signed = 0;
//uint8_t *digest = (uint8_t *)malloc(digest_max_size);
......
src/libknot/consts.c
View file @ 77c19667
......@@ -47,38 +47,6 @@ knot_lookup_table_t knot_rcode_names[] = {
{ 0, NULL }
};
knot_lookup_table_t knot_tsig_alg_names[] = {
{ KNOT_TSIG_ALG_HMAC_MD5, "hmac-md5" },
{ KNOT_TSIG_ALG_HMAC_SHA1, "hmac-sha1" },
{ KNOT_TSIG_ALG_HMAC_SHA224, "hmac-sha224" },
{ KNOT_TSIG_ALG_HMAC_SHA256, "hmac-sha256" },
{ KNOT_TSIG_ALG_HMAC_SHA384, "hmac-sha384" },
{ KNOT_TSIG_ALG_HMAC_SHA512, "hmac-sha512" },
{ KNOT_TSIG_ALG_NULL, NULL }
};
knot_lookup_table_t knot_tsig_alg_dnames_str[] = {
{ KNOT_TSIG_ALG_GSS_TSIG, "gss-tsig." },
{ KNOT_TSIG_ALG_HMAC_MD5, "hmac-md5.sig-alg.reg.int." },
{ KNOT_TSIG_ALG_HMAC_SHA1, "hmac-sha1." },
{ KNOT_TSIG_ALG_HMAC_SHA224, "hmac-sha224." },
{ KNOT_TSIG_ALG_HMAC_SHA256, "hmac-sha256." },
{ KNOT_TSIG_ALG_HMAC_SHA384, "hmac-sha384." },
{ KNOT_TSIG_ALG_HMAC_SHA512, "hmac-sha512." },
{ KNOT_TSIG_ALG_NULL, NULL }
};
knot_lookup_table_t knot_tsig_alg_dnames[] = {
{ KNOT_TSIG_ALG_GSS_TSIG, "\x08" "gss-tsig" },
{ KNOT_TSIG_ALG_HMAC_MD5, "\x08" "hmac-md5" "\x07" "sig-alg" "\x03" "reg" "\x03" "int" },
{ KNOT_TSIG_ALG_HMAC_SHA1, "\x09" "hmac-sha1" },
{ KNOT_TSIG_ALG_HMAC_SHA224, "\x0B" "hmac-sha224" },
{ KNOT_TSIG_ALG_HMAC_SHA256, "\x0B" "hmac-sha256" },
{ KNOT_TSIG_ALG_HMAC_SHA384, "\x0B" "hmac-sha384" },
{ KNOT_TSIG_ALG_HMAC_SHA512, "\x0B" "hmac-sha512" },
{ KNOT_TSIG_ALG_NULL, NULL }
};
knot_lookup_table_t knot_dnssec_alg_names[] = {
{ KNOT_DNSSEC_ALG_RSAMD5, "RSAMD5" },
{ KNOT_DNSSEC_ALG_DH, "DH" },
......@@ -94,28 +62,6 @@ knot_lookup_table_t knot_dnssec_alg_names[] = {
{ 0, NULL }
};
size_t knot_tsig_digest_length(const uint8_t algorithm)
{
switch (algorithm) {
case KNOT_TSIG_ALG_GSS_TSIG:
return KNOT_TSIG_ALG_DIG_LENGTH_GSS_TSIG;
case KNOT_TSIG_ALG_HMAC_MD5:
return KNOT_TSIG_ALG_DIG_LENGTH_HMAC_MD5;
case KNOT_TSIG_ALG_HMAC_SHA1:
return KNOT_TSIG_ALG_DIG_LENGTH_SHA1;
case KNOT_TSIG_ALG_HMAC_SHA224:
return KNOT_TSIG_ALG_DIG_LENGTH_SHA224;
case KNOT_TSIG_ALG_HMAC_SHA256:
return KNOT_TSIG_ALG_DIG_LENGTH_SHA256;
case KNOT_TSIG_ALG_HMAC_SHA384:
return KNOT_TSIG_ALG_DIG_LENGTH_SHA384;
case KNOT_TSIG_ALG_HMAC_SHA512:
return KNOT_TSIG_ALG_DIG_LENGTH_SHA512;
default:
return 0;
}
}
size_t knot_ds_digest_length(const uint8_t algorithm)
{
switch (algorithm) {
......
src/libknot/consts.h
View file @ 77c19667
......@@ -91,35 +91,6 @@ typedef enum {
KNOT_ADDITIONAL = 2
} knot_section_t;
/*!
* \brief TSIG algorithm numbers.
*
* These constants were taken from the Bind file key format (dnssec-keygen).
*/
typedef enum {
KNOT_TSIG_ALG_NULL = 0,
KNOT_TSIG_ALG_GSS_TSIG = 128,
KNOT_TSIG_ALG_HMAC_MD5 = 157,
KNOT_TSIG_ALG_HMAC_SHA1 = 161,
KNOT_TSIG_ALG_HMAC_SHA224 = 162,
KNOT_TSIG_ALG_HMAC_SHA256 = 163,
KNOT_TSIG_ALG_HMAC_SHA384 = 164,
KNOT_TSIG_ALG_HMAC_SHA512 = 165
} knot_tsig_algorithm_t;
/*!
* \brief Lengths of TSIG algorithm digests.
*/
typedef enum {
KNOT_TSIG_ALG_DIG_LENGTH_GSS_TSIG = 0,
KNOT_TSIG_ALG_DIG_LENGTH_HMAC_MD5 = 16,
KNOT_TSIG_ALG_DIG_LENGTH_SHA1 = 20,
KNOT_TSIG_ALG_DIG_LENGTH_SHA224 = 28,
KNOT_TSIG_ALG_DIG_LENGTH_SHA256 = 32,
KNOT_TSIG_ALG_DIG_LENGTH_SHA384 = 48,
KNOT_TSIG_ALG_DIG_LENGTH_SHA512 = 64
} knot_tsig_algorithm_digest_length_t;
/*!
* \brief DS digest lengths.
*/
......@@ -182,35 +153,11 @@ extern knot_lookup_table_t knot_opcode_names[];
*/
extern knot_lookup_table_t knot_rcode_names[];
/*!
* \brief TSIG key algorithm names.
*/
extern knot_lookup_table_t knot_tsig_alg_names[];
/*!
* \brief TSIG key algorithm names in a domain form.
*/
extern knot_lookup_table_t knot_tsig_alg_dnames_str[];
/*!
* \brief TSIG key algorithm domain names.
*/
extern knot_lookup_table_t knot_tsig_alg_dnames[];
/*!
* \brief DNSSEC algorithm names.
*/
extern knot_lookup_table_t knot_dnssec_alg_names[];
/*!
* \brief Returns length of TSIG digest for given algorithm.
*
* \param algorithm Algorithm code to be used.
*
* \retval Digest length for given algorithm.
*/
size_t knot_tsig_digest_length(const uint8_t algorithm);
/*!
* \brief Returns length of DS digest for given algorithm.
*
......
src/libknot/dnssec/key.c
View file @ 77c19667
......@@ -17,6 +17,7 @@
#include <assert.h>
#include <string.h>
#include "dnssec/binary.h"
#include "libknot/common.h"
#include "libknot/dname.h"
#include "libknot/dnssec/key.h"
......@@ -25,10 +26,10 @@
/*!
* \brief Creates TSIG key.
*/
int knot_tsig_create_key(const char *name, int algorithm,
const char *b64secret, knot_tsig_key_t *key)
int knot_tsig_create_key(const char *name, dnssec_tsig_algorithm_t algorithm,
const char *b64secret_str, knot_tsig_key_t *key)
{
if (!name || !b64secret || !key) {
if (!name || !b64secret_str || !key) {
return KNOT_EINVAL;
}
......@@ -38,8 +39,12 @@ int knot_tsig_create_key(const char *name, int algorithm,
return KNOT_ENOMEM;
}
knot_binary_t secret;
int result = knot_binary_from_base64(b64secret, &secret);
dnssec_binary_t b64secret = { 0 };
b64secret.data = (uint8_t *)b64secret_str;
b64secret.size = strlen(b64secret_str);
dnssec_binary_t secret = { 0 };
int result = dnssec_binary_from_base64(&b64secret, &secret);
if (result != KNOT_EOK) {
knot_dname_free(&dname, NULL);
return result;
......@@ -62,7 +67,7 @@ int knot_tsig_key_free(knot_tsig_key_t *key)
}
knot_dname_free(&key->name, NULL);
knot_binary_free(&key->secret);
dnssec_binary_free(&key->secret);
memset(key, '\0', sizeof(knot_tsig_key_t));
return KNOT_EOK;
......@@ -84,7 +89,7 @@ int knot_copy_key_params(const knot_key_params_t *src, knot_key_params_t *dst)
}
}
int ret = knot_binary_dup(&src->secret, &copy.secret);
int ret = dnssec_binary_dup(&src->secret, &copy.secret);
if (ret != KNOT_EOK) {
knot_dname_free(&copy.name, NULL);
}
......@@ -101,14 +106,13 @@ int knot_free_key_params(knot_key_params_t *key_params)
}
knot_dname_free(&key_params->name, NULL);
knot_binary_free(&key_params->secret);
dnssec_binary_free(&key_params->secret);
memset(key_params, '\0', sizeof(*key_params));
return KNOT_EOK;
}
int knot_tsig_key_from_params(const knot_key_params_t *params,
knot_tsig_key_t *key_ptr)
{
......@@ -125,7 +129,7 @@ int knot_tsig_key_from_params(const knot_key_params_t *params,
return KNOT_ENOMEM;
}
int result = knot_binary_dup(&params->secret, &key.secret);
int result = dnssec_binary_dup(&params->secret, &key.secret);
if (result != KNOT_EOK) {
knot_dname_free(&key.name, NULL);
return result;
......
src/libknot/dnssec/key.h
View file @ 77c19667
......@@ -36,7 +36,7 @@
typedef struct knot_key_params {
knot_dname_t *name;
int algorithm;
knot_binary_t secret;
dnssec_binary_t secret;
} knot_key_params_t;
/*!
......@@ -59,7 +59,7 @@ int knot_free_key_params(knot_key_params_t *key_params);
*
* \return Error code, KNOT_EOK when succeeded.
*/
int knot_tsig_create_key(const char *name, int algorithm,
int knot_tsig_create_key(const char *name, dnssec_tsig_algorithm_t algorithm,
const char *b64secret, knot_tsig_key_t *key);
/*!
......
src/libknot/rdata/tsig.c
View file @ 77c19667
......@@ -21,6 +21,7 @@
#include <assert.h>
#include <time.h>
#include "dnssec/tsig.h"
#include "libknot/rdata/tsig.h"
#include "common/debug.h"
#include "libknot/common.h"
......@@ -227,30 +228,16 @@ const knot_dname_t *tsig_rdata_alg_name(const knot_rrset_t *tsig)
return knot_rrset_rr_rdata(tsig, 0);
}
knot_tsig_algorithm_t tsig_rdata_alg(const knot_rrset_t *tsig)
dnssec_tsig_algorithm_t tsig_rdata_alg(const knot_rrset_t *tsig)
{
/* Get the algorithm name. */
const knot_dname_t *alg_name = tsig_rdata_alg_name(tsig);
if (!alg_name) {
dbg_tsig("TSIG: rdata: cannot get algorithm name.\n");
return KNOT_TSIG_ALG_NULL;
return DNSSEC_TSIG_UNKNOWN;
}
/* Convert alg name to string. */
char *name = knot_dname_to_str(alg_name);
if (!name) {
dbg_tsig("TSIG: rdata: cannot convert alg name.\n");
return KNOT_TSIG_ALG_NULL;
}
knot_lookup_table_t *item = knot_lookup_by_name(
knot_tsig_alg_dnames_str, name);
free(name);
if (!item) {
dbg_tsig("TSIG: rdata: unknown algorithm.\n");
return KNOT_TSIG_ALG_NULL;
}
return item->id;
return dnssec_tsig_algorithm_from_dname(alg_name);
}
uint64_t tsig_rdata_time_signed(const knot_rrset_t *tsig)
......@@ -326,31 +313,6 @@ uint16_t tsig_rdata_other_data_length(const knot_rrset_t *tsig)
return knot_wire_read_u16(rd);
}
int tsig_alg_from_name(const knot_dname_t *alg_name)
{
if (!alg_name) {
return 0;
}
char *name = knot_dname_to_str(alg_name);
if (!name) {
return 0;
}
knot_lookup_table_t *found =
knot_lookup_by_name(knot_tsig_alg_dnames_str, name);
if (!found) {
dbg_tsig("Unknown algorithm: %s \n", name);
free(name);
return 0;
}
free(name);
return found->id;
}
size_t tsig_rdata_tsig_variables_length(const knot_rrset_t *tsig)
{
if (tsig == NULL) {
......@@ -390,39 +352,13 @@ int tsig_rdata_store_current_time(knot_rrset_t *tsig)
return KNOT_EOK;
}
const char* tsig_alg_to_str(knot_tsig_algorithm_t alg)
{
knot_lookup_table_t *item;
item = knot_lookup_by_id(knot_tsig_alg_dnames_str, alg);
if (item != NULL) {
return item->name;
} else {
return "";
}
}
const knot_dname_t* tsig_alg_to_dname(knot_tsig_algorithm_t alg)
{
knot_lookup_table_t *item;
item = knot_lookup_by_id(knot_tsig_alg_dnames, alg);
if (item != NULL) {
return (const knot_dname_t*)item->name;
} else {
return NULL;
}
}
size_t tsig_wire_maxsize(const knot_tsig_key_t *key)
{
if (key == NULL) {
return 0;
}
size_t alg_name_size = strlen(tsig_alg_to_str(key->algorithm)) + 1;
const uint8_t *alg_dname = dnssec_tsig_algorithm_to_dname(key->algorithm);
/*! \todo Used fixed size as a base. */
return knot_dname_size(key->name) +
......@@ -430,11 +366,11 @@ size_t tsig_wire_maxsize(const knot_tsig_key_t *key)
sizeof(uint16_t) + /* CLASS */
sizeof(uint32_t) + /* TTL */
sizeof(uint16_t) + /* RDLENGTH */
alg_name_size + /* Alg. name */
knot_dname_size(alg_dname) + /* Alg. name */
6 * sizeof(uint8_t) + /* Time signed */
sizeof(uint16_t) + /* Fudge */
sizeof(uint16_t) + /* MAC size */
knot_tsig_digest_length(key->algorithm) + /* MAC */
dnssec_tsig_algorithm_size(key->algorithm) + /* MAC */
sizeof(uint16_t) + /* Original ID */
sizeof(uint16_t) + /* Error */
sizeof(uint16_t) + /* Other len */
......
src/libknot/rdata/tsig.h
View file @ 77c19667
......@@ -28,6 +28,8 @@
#include <stdint.h>
#include "dnssec/binary.h"
#include "dnssec/tsig.h"
#include "libknot/rrset.h"
#include "libknot/binary.h"
#include "libknot/util/utils.h"
......@@ -35,8 +37,8 @@
struct knot_tsig_key {
knot_dname_t *name;
knot_tsig_algorithm_t algorithm;
knot_binary_t secret;
dnssec_tsig_algorithm_t algorithm;
dnssec_binary_t secret;
};
typedef struct knot_tsig_key knot_tsig_key_t;
......@@ -91,7 +93,7 @@ int tsig_rdata_set_other_data(knot_rrset_t *tsig, uint16_t length,
const uint8_t *other_data);
const knot_dname_t *tsig_rdata_alg_name(const knot_rrset_t *tsig);
knot_tsig_algorithm_t tsig_rdata_alg(const knot_rrset_t *tsig);
dnssec_tsig_algorithm_t tsig_rdata_alg(const knot_rrset_t *tsig);
uint64_t tsig_rdata_time_signed(const knot_rrset_t *tsig);
uint16_t tsig_rdata_fudge(const knot_rrset_t *tsig);
const uint8_t *tsig_rdata_mac(const knot_rrset_t *tsig);
......@@ -104,28 +106,6 @@ size_t tsig_rdata_tsig_variables_length(const knot_rrset_t *tsig);
size_t tsig_rdata_tsig_timers_length();
int tsig_alg_from_name(const knot_dname_t *name);
/*!
* \brief Convert TSIG algorithm identifier to name.
*
* \param alg TSIG algorithm identifier.
*
* \retval TSIG algorithm string name.
* \retval Empty string if undefined.
*/
const char* tsig_alg_to_str(knot_tsig_algorithm_t alg);
/*!
* \brief Convert TSIG algorithm identifier to domain name.
*
* \param alg TSIG algorithm identifier.
*
* \retval TSIG algorithm string name.
* \retval Empty string if undefined.
*/
const knot_dname_t* tsig_alg_to_dname(knot_tsig_algorithm_t alg);
/*!
* \brief Return TSIG RRSET maximum wire size for given algorithm.
*
......
src/libknot/tsig-op.c
View file @ 77c19667
......@@ -21,6 +21,9 @@
#include "libknot/common.h"
#include "common/descriptor.h"
#include "dnssec/binary.h"
#include "dnssec/error.h"
#include "dnssec/tsig.h"
#include "libknot/rdata/tsig.h"
#include "libknot/tsig-op.h"
#include "libknot/packet/wire.h"
......@@ -42,8 +45,8 @@ static int knot_tsig_check_algorithm(const knot_rrset_t *tsig_rr)
return KNOT_EMALF;
}
knot_tsig_algorithm_t alg = tsig_alg_from_name(alg_name);
if (alg == 0) {
dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_dname(alg_name);
if (alg == DNSSEC_TSIG_UNKNOWN) {
/*!< \todo is this error OK? */
dbg_tsig("TSIG: unknown algorithm.\n");
return KNOT_TSIG_EBADSIG;
......@@ -94,59 +97,30 @@ static int knot_tsig_compute_digest(const uint8_t *wire, size_t wire_len,
return KNOT_EMALF;
}
knot_tsig_algorithm_t tsig_alg = key->algorithm;
if (tsig_alg == 0) {
dbg_tsig("TSIG: digest: unknown algorithm\n");
return KNOT_TSIG_EBADSIG;
}
dbg_tsig_detail("TSIG: key size: %zu\n", key->secret.size);
dbg_tsig_detail("TSIG: key:\n");
dbg_tsig_hex_detail((char *)key->secret.data, key->secret.size);
dbg_tsig_detail("Wire for signing is %zu bytes long.\n", wire_len);
return KNOT_ERROR;
#if 0
/* Compute digest. */
HMAC_CTX ctx;
switch (tsig_alg) {
case KNOT_TSIG_ALG_HMAC_MD5:
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_md5());
break;
case KNOT_TSIG_ALG_HMAC_SHA1:
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha1());
break;
case KNOT_TSIG_ALG_HMAC_SHA224:
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha224());
break;
case KNOT_TSIG_ALG_HMAC_SHA256:
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha256());
break;
case KNOT_TSIG_ALG_HMAC_SHA384:
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha384());
break;
case KNOT_TSIG_ALG_HMAC_SHA512:
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha512());
break;
default:
return KNOT_ENOTSUP;
} /* switch */
unsigned tmp_dig_len = *digest_len;
HMAC_Update(&ctx, (const unsigned char *)wire, wire_len);
HMAC_Final(&ctx, digest, &tmp_dig_len);
*digest_len = tmp_dig_len;
HMAC_CTX_cleanup(&ctx);
dnssec_tsig_ctx_t *ctx = NULL;
int result = dnssec_tsig_new(&ctx, key->algorithm, &key->secret);
if (result != DNSSEC_EOK) {
return KNOT_TSIG_EBADSIG;
}
dnssec_binary_t cover = { .const_data = wire, .size = wire_len };
dnssec_tsig_add(ctx, &cover);
size_t size = dnssec_tsig_size(ctx);
assert(size > 0 && size <= *digest_len);
*digest_len = size;
dnssec_tsig_write(ctx, digest);
dnssec_tsig_free(ctx);
return KNOT_EOK;
#endif
}
static int knot_tsig_check_time_signed(const knot_rrset_t *tsig_rr,
......@@ -461,8 +435,10 @@ int knot_tsig_sign(uint8_t *msg, size_t *msg_len,
uint16_t rdata_rcode = 0;
if (tsig_rcode == KNOT_RCODE_BADTIME)
rdata_rcode = tsig_rcode;
tsig_create_rdata(tmp_tsig, tsig_alg_to_dname(key->algorithm),
knot_tsig_digest_length(key->algorithm), rdata_rcode);
const uint8_t *alg_name = dnssec_tsig_algorithm_to_dname(key->algorithm);
size_t alg_size = dnssec_tsig_algorithm_size(key->algorithm);
tsig_create_rdata(tmp_tsig, alg_name, alg_size, rdata_rcode);
/* Distinguish BADTIME response. */
if (tsig_rcode == KNOT_RCODE_BADTIME) {
......@@ -556,8 +532,9 @@ int knot_tsig_sign_next(uint8_t *msg, size_t *msg_len, size_t msg_max_len,
}
/* Create rdata for TSIG RR. */
tsig_create_rdata(tmp_tsig, tsig_alg_to_dname(key->algorithm),
knot_tsig_digest_length(key->algorithm), 0);
const uint8_t *alg_name = dnssec_tsig_algorithm_to_dname(key->algorithm);
size_t alg_size = dnssec_tsig_algorithm_size(key->algorithm);
tsig_create_rdata(tmp_tsig, alg_name, alg_size, 0);
tsig_rdata_store_current_time(tmp_tsig);
tsig_rdata_set_fudge(tmp_tsig, KNOT_TSIG_FUDGE_DEFAULT);
......@@ -730,13 +707,13 @@ static int knot_tsig_check_digest(const knot_rrset_t *tsig_rr,
/*!< \todo move to function. */
const knot_dname_t *alg_name = tsig_rdata_alg_name(tsig_rr);
knot_tsig_algorithm_t alg = tsig_alg_from_name(alg_name);
dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_dname(alg_name);
/*! \todo [TSIG] TRUNCATION */
uint16_t mac_length = tsig_rdata_mac_length(tsig_rr);
const uint8_t *tsig_mac = tsig_rdata_mac(tsig_rr);
if (mac_length != knot_tsig_digest_length(alg)) {
if (mac_length != dnssec_tsig_algorithm_size(alg)) {
dbg_tsig("TSIG: calculated digest length and given length do "
"not match!\n");
return KNOT_TSIG_EBADSIG;
......
src/utils/common/exec.c
View file @ 77c19667
......@@ -621,7 +621,7 @@ int sign_packet(knot_pkt_t *pkt,
knot_tsig_key_t *key = &sign_ctx->tsig_key;
sign_ctx->digest_size = knot_tsig_digest_length(key->algorithm);
sign_ctx->digest_size = dnssec_tsig_algorithm_size(key->algorithm);
sign_ctx->digest = malloc(sign_ctx->digest_size);
knot_pkt_reserve(pkt, tsig_wire_maxsize(key));
......
src/utils/common/params.c
View file @ 77c19667
......@@ -417,14 +417,13 @@ int params_parse_tsig(const char *value, knot_key_params_t *key_params)
}
/* Determine algorithm. */
key_params->algorithm = KNOT_TSIG_ALG_HMAC_MD5;
key_params->algorithm = DNSSEC_TSIG_HMAC_MD5;
if (s) {
*s++ = '\0'; /* Last part separator */
knot_lookup_table_t *alg = NULL;
alg = knot_lookup_by_name(knot_tsig_alg_names, h);
if (alg) {
dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_name(h);
if (alg != DNSSEC_TSIG_UNKNOWN) {
DBG("%s: parsed algorithm '%s'\n", __func__, h);
key_params->algorithm = alg->id;