diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h new file mode 100644 index 0000000000..165885156c --- /dev/null +++ b/bin/named/include/named/tkeyconf.h @@ -0,0 +1,48 @@ +/* + * Copyright (C) 1999, 2000 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#ifndef DNS_TKEYCONF_H +#define DNS_TKEYCONF_H 1 + +#include +#include + +#include +#include + +ISC_LANG_BEGINDECLS + +isc_result_t +dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctxp); +/* + * Create a TKEY context and configure it, including the default DH key + * and default domain, according to 'cfg'. + * + * Requires: + * 'cfg' is a valid configuration context. + * 'mctx' is not NULL + * 'tctx' is not NULL + * '*tctx' is NULL + * + * Returns: + * ISC_R_SUCCESS + * ISC_R_NOMEMORY + */ + +ISC_LANG_ENDDECLS + +#endif /* DNS_TKEYCONF_H */ diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h new file mode 100644 index 0000000000..c43067f68a --- /dev/null +++ b/bin/named/include/named/tsigconf.h 
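Review bot: The Returns list for `dns_tkeyctx_fromconfig` is incomplete: the implementation added by this same commit (tkeyconf.c) propagates whatever `dst_key_fromfile`, `dns_c_ctx_gettkeydomain`, `dns_name_fromtext` and `dns_name_dup` return, so a caller reading this header would wrongly assume only ISC_R_SUCCESS or ISC_R_NOMEMORY can come back. Add a line such as ` *	Any error from loading the DH key file or parsing the tkey-domain name.` under Returns. The Requires block also refers to `'tctx'` and `'*tctx'` while the prototype names the parameter `tctxp`; rename the entries to `'tctxp' is not NULL` and `'*tctxp' is NULL` so the contract matches the signature.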
@@ -0,0 +1,47 @@ +/* + * Copyright (C) 1999, 2000 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#ifndef DNS_TSIGCONF_H +#define DNS_TSIGCONF_H 1 + +#include +#include + +#include +#include + +ISC_LANG_BEGINDECLS + +isc_result_t +dns_tsigkeyring_fromconfig(dns_c_ctx_t *confctx, isc_mem_t *mctx, + dns_tsig_keyring_t **ring); +/* + * Create a TSIG key ring and configure it according to 'confctx'. + * + * Requires: + * 'confctx' is a valid configuration context. + * 'mctx' is not NULL + * 'ring' is not NULL, and '*ring' is NULL + * + * Returns: + * ISC_R_SUCCESS + * ISC_R_NOMEMORY + */ + +ISC_LANG_ENDDECLS + +#endif /* DNS_TSIGCONF_H */ diff --git a/bin/named/server.c b/bin/named/server.c index a5f553997d..a87f509278 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -47,8 +47,8 @@ #include #include #include -#include -#include +#include +#include #include #include #include @@ -156,7 +156,7 @@ configure_view(dns_view_t *view, dns_c_ctx_t *cctx, isc_mem_t *mctx) * Configure the view's TSIG keys. */ ring = NULL; - CHECK(dns_tsig_init(cctx, view->mctx, &ring)); + CHECK(dns_tsigkeyring_fromconfig(cctx, view->mctx, &ring)); dns_view_setkeyring(view, ring); cleanup: 
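Review bot: The Returns list for `dns_tsigkeyring_fromconfig` omits the error codes its implementation actually produces: add_initial_keys in tsigconf.c returns ISC_R_BADBASE64 for a malformed secret and propagates failures from `dns_name_fromtext`, `isc_lex_create`, `isc_base64_tobuffer` and `dns_tsigkey_create`, and any `dns_c_ctx_getkdeflist` result other than ISC_R_NOTFOUND is passed through too. Document that, e.g. ` *	ISC_R_BADBASE64 (a key secret is not valid base64)` and ` *	Any error from parsing a key name or algorithm or creating the key.`, so named's CHECK-style callers know what to expect. The Requires entry `'*ring' is NULL` is also not enforced by the implementation, which never looks at `*ringp` before overwriting it; either add a REQUIRE there or soften the wording here.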
@@ -564,8 +564,8 @@ load_configuration(const char *filename, ns_server_t *server) {
 * Load the TKEY information from the configuration
 */
 if (ns_g_tkeyctx != NULL)
- dns_tkey_destroy(&ns_g_tkeyctx);
- CHECKM(dns_tkey_init(configctx, ns_g_mctx, &ns_g_tkeyctx),
+ dns_tkeyctx_destroy(&ns_g_tkeyctx);
+ CHECKM(dns_tkeyctx_fromconfig(configctx, ns_g_mctx, &ns_g_tkeyctx),
 "setting up TKEY");
 /*
 * Rescan the interface list to pick up changes in the
@@ -667,7 +667,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 RWUNLOCK(&server->viewlock, isc_rwlocktype_write);
- dns_tkey_destroy(&ns_g_tkeyctx);
+ dns_tkeyctx_destroy(&ns_g_tkeyctx);
 ns_clientmgr_destroy(&server->clientmgr);
 ns_interfacemgr_shutdown(server->interfacemgr);
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
new file mode 100644
index 0000000000..dca7c0b1ad
--- /dev/null
+++ b/bin/named/tkeyconf.c
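Review bot: The reload path destroys the existing TKEY context before `dns_tkeyctx_fromconfig` has built its replacement, so if the new call fails through CHECKM the server is left with `ns_g_tkeyctx == NULL` instead of the previously working context, and even on success there is a window in which the global is NULL; whether TKEY queries can be serviced concurrently during that window is not visible from this hunk. Building into a temporary and swapping only after success keeps the old context usable until the new one is known good. load_configuration begins and ends outside this hunk.
```c
	/* … unchanged: earlier configuration loading … */
	{
		dns_tkey_ctx_t *tctx = NULL;
		CHECKM(dns_tkeyctx_fromconfig(configctx, ns_g_mctx, &tctx),
		       "setting up TKEY");
		/* Replace the old context only once the new one is ready. */
		if (ns_g_tkeyctx != NULL)
			dns_tkeyctx_destroy(&ns_g_tkeyctx);
		ns_g_tkeyctx = tctx;
	}
	/* … unchanged: interface rescan … */
```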
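Review bot: `dns_tkeyctx_destroy(&ns_g_tkeyctx)` runs unguarded in shutdown_server, while load_configuration checks `ns_g_tkeyctx != NULL` before destroying; the pointer can be NULL here after a reload whose `dns_tkeyctx_fromconfig` failed, and — as tkeyconf.c in this commit is written — whenever no tkey-dhkey is configured, because that path returns success without storing the context. Mirror the guard: `if (ns_g_tkeyctx != NULL)` / `	dns_tkeyctx_destroy(&ns_g_tkeyctx);`. Whether dns_tkeyctx_destroy asserts on a NULL `*tctx` is not shown here, but the `REQUIRE(tctx != NULL)` visible in tkey.c suggests it is assertion-style, which would turn a missing key into a crash at shutdown. shutdown_server continues outside this hunk.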
@@ -0,0 +1,89 @@ +/* + * Copyright (C) 1999, 2000 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#include + +#include +#include + +#include +#include +#include +#include +#include + +#define RETERR(x) do { \ + result = (x); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + + +isc_result_t +dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx, + dns_tkey_ctx_t **tctxp) +{ + isc_result_t result; + dns_tkey_ctx_t *tctx = NULL; + char *s; + int n; + isc_buffer_t b, namebuf; + unsigned char data[1024]; + dns_name_t domain; + + result = dns_tkeyctx_create(mctx, &tctx); + if (result != ISC_R_SUCCESS) + return (result); + + s = NULL; + result = dns_c_ctx_gettkeydhkey(cfg, &s, &n); + if (result == ISC_R_NOTFOUND) + return (ISC_R_SUCCESS); + RETERR(dst_key_fromfile(s, n, DNS_KEYALG_DH, + DST_TYPE_PUBLIC|DST_TYPE_PRIVATE, + mctx, &tctx->dhkey)); + s = NULL; + RETERR(dns_c_ctx_gettkeydomain(cfg, &s)); + dns_name_init(&domain, NULL); + tctx->domain = (dns_name_t *) isc_mem_get(mctx, sizeof(dns_name_t)); + if (tctx->domain == NULL) + return (ISC_R_NOMEMORY); + dns_name_init(tctx->domain, NULL); + isc_buffer_init(&b, s, strlen(s), ISC_BUFFERTYPE_TEXT); + isc_buffer_add(&b, strlen(s)); + 
isc_buffer_init(&namebuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY); + RETERR(dns_name_fromtext(&domain, &b, dns_rootname, ISC_FALSE, + &namebuf)); + RETERR(dns_name_dup(&domain, mctx, tctx->domain)); + + *tctxp = tctx; + return (ISC_R_SUCCESS); + + failure: + if (tctx->dhkey != NULL) { + dst_key_free(tctx->dhkey); + tctx->dhkey = NULL; + } + if (tctx->domain != NULL) { + dns_name_free(tctx->domain, mctx); + isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t)); + tctx->domain = NULL; + } + dns_tkeyctx_destroy(&tctx); + return (result); +} + diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c new file mode 100644 index 0000000000..08ce36bfdb --- /dev/null +++ b/bin/named/tsigconf.c 
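Review bot: When `dns_c_ctx_gettkeydhkey` reports ISC_R_NOTFOUND the function returns ISC_R_SUCCESS without ever assigning `*tctxp`, so the context just created by `dns_tkeyctx_create` leaks and the caller sees success with a NULL pointer; the old `dns_tkey_init` wrote through `*tctx` directly, and the move to a local `tctx` in this refactor loses that. Change the early return to `if (result == ISC_R_NOTFOUND) {` / `	*tctxp = tctx; return (ISC_R_SUCCESS);` / `}`. The `return (ISC_R_NOMEMORY);` after `isc_mem_get` has the same shape of problem, leaking `tctx` and the already-loaded `dhkey`, and should be `result = ISC_R_NOMEMORY; goto failure;` instead. Separately, this file is byte-identical (index dca7c0b1ad) to lib/dns/tkeyconf.c added by the same commit, and only the lib/dns copy is wired into a Makefile here, so the bin/named copy looks like a stray duplicate that will drift.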
@@ -0,0 +1,150 @@ +/* + * Copyright (C) 1999, 2000 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#include + +#include +#include + +#include +#include +#include +#include + +static isc_result_t +add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring, + isc_mem_t *mctx) +{ + isc_lex_t *lex = NULL; + dns_c_kdef_t *key; + unsigned char *secret = NULL; + int secretalloc = 0; + int secretlen = 0; + isc_result_t ret; + + key = ISC_LIST_HEAD(list->keydefs); + while (key != NULL) { + dns_name_t keyname; + dns_name_t alg; + char keynamedata[1024], algdata[1024]; + isc_buffer_t keynamesrc, keynamebuf, algsrc, algbuf; + isc_buffer_t secretsrc, secretbuf; + + dns_name_init(&keyname, NULL); + dns_name_init(&alg, NULL); + + /* Create the key name */ + isc_buffer_init(&keynamesrc, key->keyid, strlen(key->keyid), + ISC_BUFFERTYPE_TEXT); + isc_buffer_add(&keynamesrc, strlen(key->keyid)); + isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata), + ISC_BUFFERTYPE_BINARY); + ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname, + ISC_TRUE, &keynamebuf); + if (ret != ISC_R_SUCCESS) + goto failure; + + /* Create the algorithm */ + if (strcasecmp(key->algorithm, "hmac-md5") == 0) + alg = 
*dns_tsig_hmacmd5_name; + else { + isc_buffer_init(&algsrc, key->algorithm, + strlen(key->algorithm), + ISC_BUFFERTYPE_TEXT); + isc_buffer_add(&algsrc, strlen(key->algorithm)); + isc_buffer_init(&algbuf, algdata, sizeof(algdata), + ISC_BUFFERTYPE_BINARY); + ret = dns_name_fromtext(&alg, &algsrc, dns_rootname, + ISC_TRUE, &algbuf); + if (ret != ISC_R_SUCCESS) + goto failure; + } + + if (strlen(key->secret) % 4 != 0) { + ret = ISC_R_BADBASE64; + goto failure; + } + secretalloc = secretlen = strlen(key->secret) * 3 / 4; + secret = isc_mem_get(mctx, secretlen); + if (secret == NULL) { + ret = ISC_R_NOMEMORY; + goto failure; + } + isc_buffer_init(&secretsrc, key->secret, strlen(key->secret), + ISC_BUFFERTYPE_TEXT); + isc_buffer_add(&secretsrc, strlen(key->secret)); + isc_buffer_init(&secretbuf, secret, secretlen, + ISC_BUFFERTYPE_BINARY); + ret = isc_lex_create(mctx, strlen(key->secret), &lex); + if (ret != ISC_R_SUCCESS) + goto failure; + ret = isc_lex_openbuffer(lex, &secretsrc); + if (ret != ISC_R_SUCCESS) + goto failure; + ret = isc_base64_tobuffer(lex, &secretbuf, -1); + if (ret != ISC_R_SUCCESS) + goto failure; + secretlen = ISC_BUFFER_USEDCOUNT(&secretbuf); + isc_lex_close(lex); + isc_lex_destroy(&lex); + + ret = dns_tsigkey_create(&keyname, &alg, secret, secretlen, + ISC_FALSE, NULL, mctx, ring, NULL); + isc_mem_put(mctx, secret, secretalloc); + secret = NULL; + if (ret != ISC_R_SUCCESS) + goto failure; + key = ISC_LIST_NEXT(key, next); + } + return (ISC_R_SUCCESS); + + failure: + if (lex != NULL) + isc_lex_destroy(&lex); + if (secret != NULL) + isc_mem_put(mctx, secret, secretlen); + return (ret); + +} + +isc_result_t +dns_tsigkeyring_fromconfig(dns_c_ctx_t *confctx, isc_mem_t *mctx, + dns_tsig_keyring_t **ringp) +{ + dns_c_kdeflist_t *keylist = NULL; + dns_tsig_keyring_t *ring = NULL; + isc_result_t result; + + result = dns_tsigkeyring_create(mctx, &ring); + if (result != ISC_R_SUCCESS) + return (result); + + result = dns_c_ctx_getkdeflist(confctx, &keylist); 
+ if (result == ISC_R_SUCCESS) + result = add_initial_keys(keylist, ring, mctx); + else if (result == ISC_R_NOTFOUND) + result = ISC_R_SUCCESS; + if (result != ISC_R_SUCCESS) + goto failure; + + *ringp = ring; + return (ISC_R_SUCCESS); + + failure: + dns_tsigkeyring_destroy(&ring); + return (result); +} diff --git a/bin/tests/tkey_test.c b/bin/tests/tkey_test.c index d7ca1d1879..ae85ab6ba3 100644 --- a/bin/tests/tkey_test.c +++ b/bin/tests/tkey_test.c @@ -320,8 +320,8 @@ main(int argc, char *argv[]) { RUNTIME_CHECK(isc_log_create(mctx, &log) == ISC_R_SUCCESS); ring = NULL; - RUNTIME_CHECK(dns_tsig_init(NULL, mctx, &ring) == ISC_R_SUCCESS); - RUNTIME_CHECK(dns_tkey_init(NULL, mctx, &tctx) == ISC_R_SUCCESS); + RUNTIME_CHECK(dns_tsigkeyring_create(mctx, &ring) == ISC_R_SUCCESS); + RUNTIME_CHECK(dns_tkeyctx_create(mctx, &tctx) == ISC_R_SUCCESS); argc -= isc_commandline_index; argv += isc_commandline_index; @@ -362,8 +362,8 @@ main(int argc, char *argv[]) { isc_socketmgr_destroy(&socketmgr); isc_timermgr_destroy(&timermgr); - dns_tsig_destroy(&ring); - dns_tkey_destroy(&tctx); + dns_tsigkeyring_destroy(&ring); + dns_tkeyctx_destroy(&tctx); if (verbose) isc_mem_stats(mctx, stdout); isc_mem_destroy(&mctx); diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index 9f4d6011a6..8351798dd7 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in @@ -123,7 +123,8 @@ OBJS = a6.@O@ acl.@O@ aclconf.@O@ adb.@O@ byaddr.@O@ \ rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rdata.@O@ rdatalist.@O@ \ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ resolver.@O@ \ result.@O@ rootns.@O@ \ - tcpmsg.@O@ time.@O@ tkey.@O@ tsig.@O@ ttl.@O@ \ + tcpmsg.@O@ time.@O@ tkey.@O@ tkeyconf.@O@ \ + tsig.@O@ tsigconf.@O@ ttl.@O@ \ version.@O@ view.@O@ xfrin.@O@ zone.@O@ zoneconf.@O@ zt.@O@ \ ${DSTOBJS} ${OPENSSLOBJS} ${DNSSAFEOBJS} ${CONFOBJS} 
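Review bot: The `strlen(key->secret) % 4 != 0` check in add_initial_keys admits an empty secret: `secretlen` becomes 0, `isc_mem_get(mctx, 0)` is attempted, and if that returns non-NULL a TSIG key with a zero-length secret is installed in the ring, which is an authenticator anyone can forge; reject it up front with `if (strlen(key->secret) == 0 || strlen(key->secret) % 4 != 0) {`. The `keyid`, `algorithm` and `secret` fields are passed straight to strlen, so a key statement the config layer lets through without one of them would dereference NULL — whether the parser guarantees all three is not visible here. The failure path frees with `isc_mem_put(mctx, secret, secretlen)` while the success path uses `secretalloc`; they only agree because every failure with `secret != NULL` happens before the decoder overwrites `secretlen`, so use `isc_mem_put(mctx, secret, secretalloc);` in both places. Like tkeyconf.c, this file duplicates lib/dns/tsigconf.c (index 08ce36bfdb) and is not added to any Makefile in this diff.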
@@ -137,7 +138,8 @@ SRCS = a6.c acl.c aclconf.c adb.c byaddr.c \ rbt.c rbtdb.c rbtdb64.c rdata.c rdatalist.c \ rdataset.c rdatasetiter.c rdataslab.c resolver.c \ result.c rootns.c \ - tcpmsg.c time.c tkey.c tsig.c ttl.c \ + tcpmsg.c time.c tkey.c tkeyconf.c \ + tsig.c tsigconf.c ttl.c \ version.c view.c xfrin.c zone.c zoneconf.c zt.c SUBDIRS = include sec config diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h index cb38652027..87f9a50092 100644 --- a/lib/dns/include/dns/tkey.h +++ b/lib/dns/include/dns/tkey.h @@ -18,12 +18,11 @@ #ifndef DNS_TKEY_H #define DNS_TKEY_H 1 -#include +#include #include #include #include -#include #include @@ -43,10 +42,9 @@ struct dns_tkey_ctx { }; isc_result_t -dns_tkey_init(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctx); +dns_tkeyctx_create(isc_mem_t *mctx, dns_tkey_ctx_t **tctx); /* - * Obtains TKEY configuration information, including default DH key - * and default domain from the configuration, if it's not NULL. + * Create an empty TKEY context. * * Requires: * 'mctx' is not NULL @@ -60,7 +58,7 @@ dns_tkey_init(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctx); */ void -dns_tkey_destroy(dns_tkey_ctx_t **tctx); +dns_tkeyctx_destroy(dns_tkey_ctx_t **tctx); /* * Frees all data associated with the TKEY context * diff --git a/lib/dns/include/dns/tkeyconf.h b/lib/dns/include/dns/tkeyconf.h new file mode 100644 index 0000000000..165885156c --- /dev/null +++ b/lib/dns/include/dns/tkeyconf.h 
@@ -0,0 +1,48 @@ +/* + * Copyright (C) 1999, 2000 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#ifndef DNS_TKEYCONF_H +#define DNS_TKEYCONF_H 1 + +#include +#include + +#include +#include + +ISC_LANG_BEGINDECLS + +isc_result_t +dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctxp); +/* + * Create a TKEY context and configure it, including the default DH key + * and default domain, according to 'cfg'. + * + * Requires: + * 'cfg' is a valid configuration context. + * 'mctx' is not NULL + * 'tctx' is not NULL + * '*tctx' is NULL + * + * Returns: + * ISC_R_SUCCESS + * ISC_R_NOMEMORY + */ + +ISC_LANG_ENDDECLS + +#endif /* DNS_TKEYCONF_H */ diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h index 3e9c07e548..ea06ab0f74 100644 --- a/lib/dns/include/dns/tsig.h +++ b/lib/dns/include/dns/tsig.h @@ -24,7 +24,6 @@ #include #include -#include #include 
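Review bot: This header is byte-identical to bin/named/include/named/tkeyconf.h added earlier in the same commit (both carry blob index 165885156c), and tsigconf.h is likewise duplicated under both trees with index c43067f68a; two copies of a public prototype will drift the first time one is edited. Since lib/dns/Makefile.in is the one that builds tkeyconf.c and tsigconf.c, keep the lib/dns headers and drop the bin/named copies, or if bin/named needs its own wrapper make it a one-line `#include <dns/tkeyconf.h>`. The doc block here also names `'tctx'`/`'*tctx'` in Requires while the parameter is `tctxp`, and the Returns list does not mention the key-file and name-parsing errors the implementation propagates.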
@@ -174,10 +173,9 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
 isc_result_t
-dns_tsig_init(dns_c_ctx_t *confctx, isc_mem_t *mctx, dns_tsig_keyring_t **ring);
+dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ring);
 /*
- * Initializes the TSIG subsystem. If confctx is not NULL, any
- * specified keys are loaded.
+ * Create an empty TSIG key ring.
 *
 * Requires:
 * 'mctx' is not NULL
@@ -190,9 +188,9 @@ dns_tsig_init(dns_c_ctx_t *confctx, isc_mem_t *mctx, dns_tsig_keyring_t **ring);
 void
-dns_tsig_destroy(dns_tsig_keyring_t **ring);
+dns_tsigkeyring_destroy(dns_tsig_keyring_t **ring);
 /*
- * Frees all data associated with the TSIG subsystem
+ * Destroy a TSIG key ring.
 *
 * Requires:
 * 'ring' is not NULL
diff --git a/lib/dns/include/dns/tsigconf.h b/lib/dns/include/dns/tsigconf.h
new file mode 100644
index 0000000000..c43067f68a
--- /dev/null
+++ b/lib/dns/include/dns/tsigconf.h
@@ -0,0 +1,47 @@ +/* + * Copyright (C) 1999, 2000 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#ifndef DNS_TSIGCONF_H +#define DNS_TSIGCONF_H 1 + +#include +#include + +#include +#include + +ISC_LANG_BEGINDECLS + +isc_result_t +dns_tsigkeyring_fromconfig(dns_c_ctx_t *confctx, isc_mem_t *mctx, + dns_tsig_keyring_t **ring); +/* + * Create a TSIG key ring and configure it according to 'confctx'. + * + * Requires: + * 'confctx' is a valid configuration context. + * 'mctx' is not NULL + * 'ring' is not NULL, and '*ring' is NULL + * + * Returns: + * ISC_R_SUCCESS + * ISC_R_NOMEMORY + */ + +ISC_LANG_ENDDECLS + +#endif /* DNS_TSIGCONF_H */ diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index ae541c5963..9744a75709 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -16,7 +16,7 @@ */ /* - * $Id: tkey.c,v 1.18 2000/01/22 04:45:13 bwelling Exp $ + * $Id: tkey.c,v 1.19 2000/01/24 19:14:21 gson Exp $ * Principal Author: Brian Wellington */ 
@@ -65,14 +65,7 @@ isc_result_t -dns_tkey_init(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctx) { - isc_result_t result; - char *s; - int n; - isc_buffer_t b, namebuf; - unsigned char data[1024]; - dns_name_t domain; - +dns_tkeyctx_create(isc_mem_t *mctx, dns_tkey_ctx_t **tctx) { REQUIRE(mctx != NULL); REQUIRE(tctx != NULL); REQUIRE(*tctx == NULL); @@ -84,47 +77,11 @@ dns_tkey_init(dns_c_ctx_t *cfg, isc_mem_t *mctx, dns_tkey_ctx_t **tctx) { (*tctx)->dhkey = NULL; (*tctx)->domain = NULL; - if (cfg == NULL) - return (ISC_R_SUCCESS); - - s = NULL; - result = dns_c_ctx_gettkeydhkey(cfg, &s, &n); - if (result == ISC_R_NOTFOUND) - return (ISC_R_SUCCESS); - RETERR(dst_key_fromfile(s, n, DNS_KEYALG_DH, - DST_TYPE_PUBLIC|DST_TYPE_PRIVATE, - mctx, &(*tctx)->dhkey)); - s = NULL; - RETERR(dns_c_ctx_gettkeydomain(cfg, &s)); - dns_name_init(&domain, NULL); - (*tctx)->domain = (dns_name_t *) isc_mem_get(mctx, sizeof(dns_name_t)); - if ((*tctx)->domain == NULL) - return (ISC_R_NOMEMORY); - dns_name_init((*tctx)->domain, NULL); - isc_buffer_init(&b, s, strlen(s), ISC_BUFFERTYPE_TEXT); - isc_buffer_add(&b, strlen(s)); - isc_buffer_init(&namebuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY); - RETERR(dns_name_fromtext(&domain, &b, dns_rootname, ISC_FALSE, - &namebuf)); - RETERR(dns_name_dup(&domain, mctx, (*tctx)->domain)); - return (ISC_R_SUCCESS); - - failure: - if ((*tctx)->dhkey != NULL) { - dst_key_free((*tctx)->dhkey); - (*tctx)->dhkey = NULL; - } - if ((*tctx)->domain != NULL) { - dns_name_free((*tctx)->domain, mctx); - isc_mem_put(mctx, (*tctx)->domain, sizeof(dns_name_t)); - (*tctx)->domain = NULL; - } - return (result); } void -dns_tkey_destroy(dns_tkey_ctx_t **tctx) { +dns_tkeyctx_destroy(dns_tkey_ctx_t **tctx) { isc_mem_t *mctx; REQUIRE(tctx != NULL); diff --git a/lib/dns/tkeyconf.c b/lib/dns/tkeyconf.c new file mode 100644 index 0000000000..dca7c0b1ad --- /dev/null +++ b/lib/dns/tkeyconf.c 
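Review bot: As the second hunk reads, `dns_tkeyctx_create` now ends with `(*tctx)->domain = NULL;` followed directly by the closing brace — both `return (ISC_R_SUCCESS);` statements of the old body are removed and nothing is added in their place — so a non-void function falls off its end and callers comparing the result to ISC_R_SUCCESS read an indeterminate value (undefined behaviour; this rendering could have dropped a line, so please confirm against the file). Add `return (ISC_R_SUCCESS);` immediately before the brace. With the configuration code gone, the `RETERR` macro and any now-unneeded includes in tkey.c may be dead; the top of the file is outside this hunk. The function's signature is in the first hunk and its body continues between the two.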
@@ -0,0 +1,89 @@ +/* + * Copyright (C) 1999, 2000 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#include + +#include +#include + +#include +#include +#include +#include +#include + +#define RETERR(x) do { \ + result = (x); \ + if (result != ISC_R_SUCCESS) \ + goto failure; \ + } while (0) + + +isc_result_t +dns_tkeyctx_fromconfig(dns_c_ctx_t *cfg, isc_mem_t *mctx, + dns_tkey_ctx_t **tctxp) +{ + isc_result_t result; + dns_tkey_ctx_t *tctx = NULL; + char *s; + int n; + isc_buffer_t b, namebuf; + unsigned char data[1024]; + dns_name_t domain; + + result = dns_tkeyctx_create(mctx, &tctx); + if (result != ISC_R_SUCCESS) + return (result); + + s = NULL; + result = dns_c_ctx_gettkeydhkey(cfg, &s, &n); + if (result == ISC_R_NOTFOUND) + return (ISC_R_SUCCESS); + RETERR(dst_key_fromfile(s, n, DNS_KEYALG_DH, + DST_TYPE_PUBLIC|DST_TYPE_PRIVATE, + mctx, &tctx->dhkey)); + s = NULL; + RETERR(dns_c_ctx_gettkeydomain(cfg, &s)); + dns_name_init(&domain, NULL); + tctx->domain = (dns_name_t *) isc_mem_get(mctx, sizeof(dns_name_t)); + if (tctx->domain == NULL) + return (ISC_R_NOMEMORY); + dns_name_init(tctx->domain, NULL); + isc_buffer_init(&b, s, strlen(s), ISC_BUFFERTYPE_TEXT); + isc_buffer_add(&b, strlen(s)); + 
isc_buffer_init(&namebuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY); + RETERR(dns_name_fromtext(&domain, &b, dns_rootname, ISC_FALSE, + &namebuf)); + RETERR(dns_name_dup(&domain, mctx, tctx->domain)); + + *tctxp = tctx; + return (ISC_R_SUCCESS); + + failure: + if (tctx->dhkey != NULL) { + dst_key_free(tctx->dhkey); + tctx->dhkey = NULL; + } + if (tctx->domain != NULL) { + dns_name_free(tctx->domain, mctx); + isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t)); + tctx->domain = NULL; + } + dns_tkeyctx_destroy(&tctx); + return (result); +} + diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 352a141517..2a85ebfd7e 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.40 2000/01/22 04:45:14 bwelling Exp $ + * $Id: tsig.c,v 1.41 2000/01/24 19:14:22 gson Exp $ * Principal Author: Brian Wellington */ @@ -27,7 +27,6 @@ #include #include -#include #include #include #include @@ -46,8 +45,6 @@ #include #include #include -#include -#include #include #include 
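Review bot: When no tkey-dhkey is configured (`dns_c_ctx_gettkeydhkey` returns ISC_R_NOTFOUND) the function returns ISC_R_SUCCESS without storing `tctx` in `*tctxp`, leaking the context and handing named a NULL pointer on a successful call; the pre-refactor code wrote through `*tctx` directly so the early return was harmless, but with a local `tctx` it is not. Any other non-success result from that lookup is also ignored and falls through to `dst_key_fromfile(s, …)` with `s` still NULL, and the bare `return (ISC_R_NOMEMORY);` after `isc_mem_get` leaks both `tctx` and the loaded `dhkey` because it bypasses the failure label. The rewritten lines below route all three cases correctly; the rest of the function is unchanged.
```c
	s = NULL;
	result = dns_c_ctx_gettkeydhkey(cfg, &s, &n);
	if (result == ISC_R_NOTFOUND) {
		/* No tkey-dhkey configured: hand back the empty context. */
		*tctxp = tctx;
		return (ISC_R_SUCCESS);
	}
	if (result != ISC_R_SUCCESS)
		goto failure;
	/* … unchanged: dst_key_fromfile, tkey-domain lookup, dns_name_init … */
	tctx->domain = (dns_name_t *) isc_mem_get(mctx, sizeof(dns_name_t));
	if (tctx->domain == NULL) {
		result = ISC_R_NOMEMORY;
		goto failure;
	}
	/* … unchanged: name parsing, *tctxp = tctx, failure label … */
```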
@@ -985,102 +982,6 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name, return (ISC_R_NOTFOUND); } -static isc_result_t -add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring, - isc_mem_t *mctx) -{ - isc_lex_t *lex = NULL; - dns_c_kdef_t *key; - unsigned char *secret = NULL; - int secretalloc = 0; - int secretlen = 0; - isc_result_t ret; - - key = ISC_LIST_HEAD(list->keydefs); - while (key != NULL) { - dns_name_t keyname; - dns_name_t alg; - char keynamedata[1024], algdata[1024]; - isc_buffer_t keynamesrc, keynamebuf, algsrc, algbuf; - isc_buffer_t secretsrc, secretbuf; - - dns_name_init(&keyname, NULL); - dns_name_init(&alg, NULL); - - /* Create the key name */ - isc_buffer_init(&keynamesrc, key->keyid, strlen(key->keyid), - ISC_BUFFERTYPE_TEXT); - isc_buffer_add(&keynamesrc, strlen(key->keyid)); - isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata), - ISC_BUFFERTYPE_BINARY); - ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname, - ISC_TRUE, &keynamebuf); - if (ret != ISC_R_SUCCESS) - goto failure; - - /* Create the algorithm */ - if (strcasecmp(key->algorithm, "hmac-md5") == 0) - alg = *dns_tsig_hmacmd5_name; - else { - isc_buffer_init(&algsrc, key->algorithm, - strlen(key->algorithm), - ISC_BUFFERTYPE_TEXT); - isc_buffer_add(&algsrc, strlen(key->algorithm)); - isc_buffer_init(&algbuf, algdata, sizeof(algdata), - ISC_BUFFERTYPE_BINARY); - ret = dns_name_fromtext(&alg, &algsrc, dns_rootname, - ISC_TRUE, &algbuf); - if (ret != ISC_R_SUCCESS) - goto failure; - } - - if (strlen(key->secret) % 4 != 0) { - ret = ISC_R_BADBASE64; - goto failure; - } - secretalloc = secretlen = strlen(key->secret) * 3 / 4; - secret = isc_mem_get(mctx, secretlen); - if (secret == NULL) { - ret = ISC_R_NOMEMORY; - goto failure; - } - isc_buffer_init(&secretsrc, key->secret, strlen(key->secret), - ISC_BUFFERTYPE_TEXT); - isc_buffer_add(&secretsrc, strlen(key->secret)); - isc_buffer_init(&secretbuf, secret, secretlen, - ISC_BUFFERTYPE_BINARY); - ret = 
isc_lex_create(mctx, strlen(key->secret), &lex); - if (ret != ISC_R_SUCCESS) - goto failure; - ret = isc_lex_openbuffer(lex, &secretsrc); - if (ret != ISC_R_SUCCESS) - goto failure; - ret = isc_base64_tobuffer(lex, &secretbuf, -1); - if (ret != ISC_R_SUCCESS) - goto failure; - secretlen = ISC_BUFFER_USEDCOUNT(&secretbuf); - isc_lex_close(lex); - isc_lex_destroy(&lex); - - ret = dns_tsigkey_create(&keyname, &alg, secret, secretlen, - ISC_FALSE, NULL, mctx, ring, NULL); - isc_mem_put(mctx, secret, secretalloc); - secret = NULL; - if (ret != ISC_R_SUCCESS) - goto failure; - key = ISC_LIST_NEXT(key, next); - } - return (ISC_R_SUCCESS); - - failure: - if (lex != NULL) - isc_lex_destroy(&lex); - if (secret != NULL) - isc_mem_put(mctx, secret, secretlen); - return (ret); - -} - static void dns_tsig_inithmac() { isc_region_t r; @@ -1093,11 +994,10 @@ dns_tsig_inithmac() { } isc_result_t -dns_tsig_init(dns_c_ctx_t *confctx, isc_mem_t *mctx, dns_tsig_keyring_t **ring) +dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ring) { isc_result_t ret; - dns_c_kdeflist_t *keylist = NULL; - + REQUIRE(mctx != NULL); REQUIRE(ring != NULL); REQUIRE(*ring == NULL); @@ -1117,21 +1017,13 @@ dns_tsig_init(dns_c_ctx_t *confctx, isc_mem_t *mctx, dns_tsig_keyring_t **ring) ISC_LIST_INIT((*ring)->keys); - if (confctx != NULL) { - ret = dns_c_ctx_getkdeflist(confctx, &keylist); - if (ret == ISC_R_SUCCESS) - ret = add_initial_keys(keylist, *ring, mctx); - else if (ret != ISC_R_NOTFOUND) - return (ret); - } - (*ring)->mctx = mctx; return (ISC_R_SUCCESS); } void -dns_tsig_destroy(dns_tsig_keyring_t **ring) { +dns_tsigkeyring_destroy(dns_tsig_keyring_t **ring) { isc_mem_t *mctx; REQUIRE(ring != NULL); diff --git a/lib/dns/tsigconf.c b/lib/dns/tsigconf.c new file mode 100644 index 0000000000..08ce36bfdb --- /dev/null +++ b/lib/dns/tsigconf.c 
@@ -0,0 +1,150 @@ +/* + * Copyright (C) 1999, 2000 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#include + +#include +#include + +#include +#include +#include +#include + +static isc_result_t +add_initial_keys(dns_c_kdeflist_t *list, dns_tsig_keyring_t *ring, + isc_mem_t *mctx) +{ + isc_lex_t *lex = NULL; + dns_c_kdef_t *key; + unsigned char *secret = NULL; + int secretalloc = 0; + int secretlen = 0; + isc_result_t ret; + + key = ISC_LIST_HEAD(list->keydefs); + while (key != NULL) { + dns_name_t keyname; + dns_name_t alg; + char keynamedata[1024], algdata[1024]; + isc_buffer_t keynamesrc, keynamebuf, algsrc, algbuf; + isc_buffer_t secretsrc, secretbuf; + + dns_name_init(&keyname, NULL); + dns_name_init(&alg, NULL); + + /* Create the key name */ + isc_buffer_init(&keynamesrc, key->keyid, strlen(key->keyid), + ISC_BUFFERTYPE_TEXT); + isc_buffer_add(&keynamesrc, strlen(key->keyid)); + isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata), + ISC_BUFFERTYPE_BINARY); + ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname, + ISC_TRUE, &keynamebuf); + if (ret != ISC_R_SUCCESS) + goto failure; + + /* Create the algorithm */ + if (strcasecmp(key->algorithm, "hmac-md5") == 0) + alg = 
*dns_tsig_hmacmd5_name; + else { + isc_buffer_init(&algsrc, key->algorithm, + strlen(key->algorithm), + ISC_BUFFERTYPE_TEXT); + isc_buffer_add(&algsrc, strlen(key->algorithm)); + isc_buffer_init(&algbuf, algdata, sizeof(algdata), + ISC_BUFFERTYPE_BINARY); + ret = dns_name_fromtext(&alg, &algsrc, dns_rootname, + ISC_TRUE, &algbuf); + if (ret != ISC_R_SUCCESS) + goto failure; + } + + if (strlen(key->secret) % 4 != 0) { + ret = ISC_R_BADBASE64; + goto failure; + } + secretalloc = secretlen = strlen(key->secret) * 3 / 4; + secret = isc_mem_get(mctx, secretlen); + if (secret == NULL) { + ret = ISC_R_NOMEMORY; + goto failure; + } + isc_buffer_init(&secretsrc, key->secret, strlen(key->secret), + ISC_BUFFERTYPE_TEXT); + isc_buffer_add(&secretsrc, strlen(key->secret)); + isc_buffer_init(&secretbuf, secret, secretlen, + ISC_BUFFERTYPE_BINARY); + ret = isc_lex_create(mctx, strlen(key->secret), &lex); + if (ret != ISC_R_SUCCESS) + goto failure; + ret = isc_lex_openbuffer(lex, &secretsrc); + if (ret != ISC_R_SUCCESS) + goto failure; + ret = isc_base64_tobuffer(lex, &secretbuf, -1); + if (ret != ISC_R_SUCCESS) + goto failure; + secretlen = ISC_BUFFER_USEDCOUNT(&secretbuf); + isc_lex_close(lex); + isc_lex_destroy(&lex); + + ret = dns_tsigkey_create(&keyname, &alg, secret, secretlen, + ISC_FALSE, NULL, mctx, ring, NULL); + isc_mem_put(mctx, secret, secretalloc); + secret = NULL; + if (ret != ISC_R_SUCCESS) + goto failure; + key = ISC_LIST_NEXT(key, next); + } + return (ISC_R_SUCCESS); + + failure: + if (lex != NULL) + isc_lex_destroy(&lex); + if (secret != NULL) + isc_mem_put(mctx, secret, secretlen); + return (ret); + +} + +isc_result_t +dns_tsigkeyring_fromconfig(dns_c_ctx_t *confctx, isc_mem_t *mctx, + dns_tsig_keyring_t **ringp) +{ + dns_c_kdeflist_t *keylist = NULL; + dns_tsig_keyring_t *ring = NULL; + isc_result_t result; + + result = dns_tsigkeyring_create(mctx, &ring); + if (result != ISC_R_SUCCESS) + return (result); + + result = dns_c_ctx_getkdeflist(confctx, &keylist); 
+ if (result == ISC_R_SUCCESS) + result = add_initial_keys(keylist, ring, mctx); + else if (result == ISC_R_NOTFOUND) + result = ISC_R_SUCCESS; + if (result != ISC_R_SUCCESS) + goto failure; + + *ringp = ring; + return (ISC_R_SUCCESS); + + failure: + dns_tsigkeyring_destroy(&ring); + return (result); +} diff --git a/lib/dns/view.c b/lib/dns/view.c index 3be3a5c63a..753923a54f 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -109,7 +109,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN); view->statickeys = NULL; view->dynamickeys = NULL; - result = dns_tsig_init(NULL, view->mctx, &view->dynamickeys); + result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys); if (result != DNS_R_SUCCESS) goto cleanup_zt; ISC_LINK_INIT(view, link); @@ -169,9 +169,9 @@ destroy(dns_view_t *view) { REQUIRE(ADBSHUTDOWN(view)); if (view->dynamickeys != NULL) - dns_tsig_destroy(&view->dynamickeys); + dns_tsigkeyring_destroy(&view->dynamickeys); if (view->statickeys != NULL) - dns_tsig_destroy(&view->statickeys); + dns_tsigkeyring_destroy(&view->statickeys); if (view->adb != NULL) dns_adb_detach(&view->adb); if (view->resolver != NULL) @@ -366,7 +366,7 @@ dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(ring != NULL); if (view->statickeys != NULL) - dns_tsig_destroy(&view->statickeys); + dns_tsigkeyring_destroy(&view->statickeys); view->statickeys = ring; } diff --git a/util/copyrights b/util/copyrights index 411bc066e4..2128354d11 100644 --- a/util/copyrights +++ b/util/copyrights 
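Review bot: In add_initial_keys the decoded TSIG shared secret is handed back to the memory context with `isc_mem_put` right after `dns_tsigkey_create` has copied it, and again on the failure path, without being wiped, so raw key bytes linger in freed heap for the life of the process and in any core dump. Add `memset(secret, 0, secretalloc);` before each `isc_mem_put`, and make the failure path free with `secretalloc` rather than `secretlen` so the size matches the allocation regardless of whether the decoder has already updated `secretlen`. A plain memset before a free can be elided by an optimising compiler, so if the isc library offers a dedicated wipe helper it should be preferred; none is visible in this diff. The `alg = *dns_tsig_hmacmd5_name;` struct copy is carried over from tsig.c unchanged and is not a new concern.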
@@ -390,7 +390,9 @@ ./lib/dns/include/dns/tcpmsg.h C 1999,2000 ./lib/dns/include/dns/time.h C 1999,2000 ./lib/dns/include/dns/tkey.h C 1999,2000 +./lib/dns/include/dns/tkeyconf.h C 1999,2000 ./lib/dns/include/dns/tsig.h C 1999,2000 +./lib/dns/include/dns/tsigconf.h C 1999,2000 ./lib/dns/include/dns/ttl.h C 1999,2000 ./lib/dns/include/dns/types.h C 1998,1999,2000 ./lib/dns/include/dns/view.h C 1999,2000 @@ -522,7 +524,9 @@ ./lib/dns/tcpmsg.c C 1999,2000 ./lib/dns/time.c C 1998,1999,2000 ./lib/dns/tkey.c C 1999,2000 +./lib/dns/tkeyconf.c C 1999,2000 ./lib/dns/tsig.c C 1999,2000 +./lib/dns/tsigconf.c C 1999,2000 ./lib/dns/ttl.c C 1999,2000 ./lib/dns/version.c C 1998,1999,2000 ./lib/dns/view.c C 1999,2000