bool checkForCorrectTSIG(const DNSPacket* q, DNSBackend* B, string* keyname, string* secret, TSIGRecordContent* trc)
{
string message;
-
+
q->getTSIGDetails(trc, keyname, &message);
uint64_t now = time(0);
if(abs(trc->d_time - now) > trc->d_fudge) {
L<<Logger::Error<<"Packet for '"<<q->qdomain<<"' denied: TSIG (key '"<<*keyname<<"') time delta "<< abs(trc->d_time - now)<<" > 'fudge' "<<trc->d_fudge<<endl;
return false;
}
-
+
string secret64;
-
if(!B->getTSIGKey(*keyname, &trc->d_algoName, &secret64)) {
L<<Logger::Error<<"Packet for domain '"<<q->qdomain<<"' denied: can't find TSIG key with name '"<<*keyname<<"' and algorithm '"<<trc->d_algoName<<"'"<<endl;
return false;
if (trc->d_algoName == "hmac-md5")
trc->d_algoName += ".sig-alg.reg.int.";
- bool result;
TSIGHashEnum algo;
- if (*(trc->d_algoName.rbegin()) != '.') trc->d_algoName.append(".");
-
- if (trc->d_algoName == "hmac-md5.sig-alg.reg.int.")
- algo = TSIG_MD5;
- else if (trc->d_algoName == "hmac-sha1.")
- algo = TSIG_SHA1;
- else if (trc->d_algoName == "hmac-sha224.")
- algo = TSIG_SHA224;
- else if (trc->d_algoName == "hmac-sha256.")
- algo = TSIG_SHA256;
- else if (trc->d_algoName == "hmac-sha384.")
- algo = TSIG_SHA384;
- else if (trc->d_algoName == "hmac-sha512.")
- algo = TSIG_SHA512;
- else {
+ if(!getTSIGHashEnum(trc->d_algoName, algo)) {
L<<Logger::Error<<"Unsupported TSIG HMAC algorithm " << trc->d_algoName << endl;
return false;
}
B64Decode(secret64, *secret);
- result=calculateHMAC(*secret, message, algo) == trc->d_mac;
-
+ bool result=calculateHMAC(*secret, message, algo) == trc->d_mac;
if(!result) {
L<<Logger::Error<<"Packet for domain '"<<q->qdomain<<"' denied: TSIG signature mismatch using '"<<*keyname<<"' and algorithm '"<<trc->d_algoName<<"'"<<endl;
}
+
return result;
}
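Review bot: The MAC check on the new line `bool result=calculateHMAC(*secret, message, algo) == trc->d_mac;` compares the two MACs with `std::string::operator==`, which returns at the first differing byte, so the time this function takes depends on how many leading bytes of an attacker-supplied MAC happen to match; because this is the path that authenticates untrusted packets, the comparison should take the same time regardless of where the strings differ. A fixed-time compare is a small static helper placed above this function (reject on length mismatch, then OR together the XOR of every byte pair and test the accumulator once at the end), with the result line calling it instead of `==`. Separately, on the unchanged line `if(abs(trc->d_time - now) > trc->d_fudge)`, `now` is `uint64_t`, so if `d_time` is unsigned as well the subtraction wraps instead of going negative and `abs` does not yield the intended delta; `uint64_t delta = trc->d_time > now ? trc->d_time - now : now - trc->d_time;` avoids that, but the type of `d_time` is not visible in this hunk.
```cpp
// Compare two MACs without stopping at the first mismatching byte, so the
// time taken does not reveal how many leading bytes of a guessed MAC agree.
static bool macsEqual(const string& a, const string& b)
{
  if (a.size() != b.size())
    return false;
  unsigned char diff = 0;
  for (string::size_type i = 0; i < a.size(); ++i)
    diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(b[i]);
  return diff == 0;
}

bool checkForCorrectTSIG(const DNSPacket* q, DNSBackend* B, string* keyname, string* secret, TSIGRecordContent* trc)
{
  // … unchanged: TSIG time check, key lookup, algorithm mapping, B64Decode …
  bool result = macsEqual(calculateHMAC(*secret, message, algo), trc->d_mac);
  // … unchanged: mismatch logging and return …
```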
return message;
}
+
+bool getTSIGHashEnum(string algoName, TSIGHashEnum& algoEnum)
+{
+ if (*(algoName.rbegin()) != '.')
+ algoName.append(".");
+
+ if (algoName == "hmac-md5.sig-alg.reg.int.")
+ algoEnum = TSIG_MD5;
+ else if (algoName == "hmac-sha1.")
+ algoEnum = TSIG_SHA1;
+ else if (algoName == "hmac-sha224.")
+ algoEnum = TSIG_SHA224;
+ else if (algoName == "hmac-sha256.")
+ algoEnum = TSIG_SHA256;
+ else if (algoName == "hmac-sha384.")
+ algoEnum = TSIG_SHA384;
+ else if (algoName == "hmac-sha512.")
+ algoEnum = TSIG_SHA512;
+ else {
+ return false;
+ }
+ return true;
+}
+
+
void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const string& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly)
{
TSIGHashEnum algo;
-
- if (*(trc->d_algoName.rbegin()) != '.') trc->d_algoName.append(".");
-
- if (trc->d_algoName == "hmac-md5.sig-alg.reg.int.")
- algo = TSIG_MD5;
- else if (trc->d_algoName == "hmac-sha1.")
- algo = TSIG_SHA1;
- else if (trc->d_algoName == "hmac-sha224.")
- algo = TSIG_SHA224;
- else if (trc->d_algoName == "hmac-sha256.")
- algo = TSIG_SHA256;
- else if (trc->d_algoName == "hmac-sha384.")
- algo = TSIG_SHA384;
- else if (trc->d_algoName == "hmac-sha512.")
- algo = TSIG_SHA512;
- else {
+ if (!getTSIGHashEnum(trc->d_algoName, algo)) {
L<<Logger::Error<<"Unsupported TSIG HMAC algorithm " << trc->d_algoName << endl;
return;
}
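Review bot: `getTSIGHashEnum` dereferences `*(algoName.rbegin())` before checking that `algoName` is non-empty, and for an empty name (a record or backend entry carrying no algorithm) `rbegin()` equals `rend()` and the dereference is undefined behaviour; the removed inline code had the same flaw, but the helper is now a declared entry point that any caller may reach. Guard it with `if (algoName.empty() || *(algoName.rbegin()) != '.')` so an empty name falls through to the `return false` branch. Note also that the removed code normalised `trc->d_algoName` in place by appending the trailing dot, whereas the helper normalises a by-value copy, so `trc->d_algoName` here — and `d_trc.d_algoName` in the resolver hunk at the end of this page — may now keep a dot-less name; `addTSIG` continues past this hunk, and if the rest of it serialises `trc->d_algoName` into the TSIG record the wire form differs from the previous behaviour, which is worth confirming. TSIG algorithm names are domain names, so if any caller can pass mixed-case values the exact `==` matches will reject them — whether that can happen is not visible here.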
string calculateHMAC(const std::string& key_, const std::string& text, TSIGHashEnum hash);
string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigoffset, const string& keyname, const TSIGRecordContent& trc, const string& previous, bool timersonly, unsigned int dnsHeaderOffset=0);
+bool getTSIGHashEnum(string algoName, TSIGHashEnum& algoEnum);
void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const string& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
#endif
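Review bot: The new declaration `bool getTSIGHashEnum(string algoName, TSIGHashEnum& algoEnum);` carries no comment, although the implementation accepts names with or without a trailing dot and signals an unsupported name only through the return value; a one-line comment here would save callers opening the .cc file, e.g. `// Maps a TSIG algorithm name (trailing dot optional) to algoEnum; returns false, leaving algoEnum untouched, when the name is not supported.`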
if(!tsigkeyname.empty()) {
// cerr<<"Adding TSIG to notification, key name: '"<<tsigkeyname<<"', algo: '"<<tsigalgorithm<<"', secret: "<<Base64Encode(tsigsecret)<<endl;
TSIGRecordContent trc;
- if (tsigalgorithm == "hmac-md5")
+ if (tsigalgorithm == "hmac-md5")
trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int.";
else
trc.d_algoName = tsigalgorithm;
} else {
message = makeTSIGMessageFromTSIGPacket(d_signData, d_tsigPos, d_tsigkeyname, d_trc, d_trc.d_mac, false);
}
- TSIGHashEnum algo;
- if (*(d_trc.d_algoName.rbegin()) != '.') d_trc.d_algoName.append(".");
-
- if (d_trc.d_algoName == "hmac-md5.sig-alg.reg.int.")
- algo = TSIG_MD5;
- else if (d_trc.d_algoName == "hmac-sha1.")
- algo = TSIG_SHA1;
- else if (d_trc.d_algoName == "hmac-sha224.")
- algo = TSIG_SHA224;
- else if (d_trc.d_algoName == "hmac-sha256.")
- algo = TSIG_SHA256;
- else if (d_trc.d_algoName == "hmac-sha384.")
- algo = TSIG_SHA384;
- else if (d_trc.d_algoName == "hmac-sha512.")
- algo = TSIG_SHA512;
- else {
+ TSIGHashEnum algo;
+ if (!getTSIGHashEnum(d_trc.d_algoName, algo)) {
throw ResolverException("Unsupported TSIG HMAC algorithm " + d_trc.d_algoName);
}