aes/aescpp.h \
aes/aescrypt.c aes/aes.h aes/aeskey.c aes/aes_modes.c aes/aesopt.h \
aes/aestab.c aes/aestab.h aes/brg_endian.h aes/brg_types.h aes/dns_random.cc json.cc \
- serialtweaker.cc
-
+ serialtweaker.cc randomhelper.cc
pdnssec_LDFLAGS=@moduleobjects@ @modulelibs@ @DYNLINKFLAGS@ @LIBDL@ @THREADFLAGS@ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) $(BOOST_SERIALIZATION_LDFLAGS)
pdnssec_LDADD= $(POLARSSL_LIBS) $(BOOST_PROGRAM_OPTIONS_LIBS) $(BOOST_SERIALIZATION_LIBS) $(SQLITE3_LIBS) $(LIBCURL_LIBS) $(MYSQL_lib)
d_dnssecdb->doCommand( (fmt % d_dnssecdb->escape(name) % d_dnssecdb->escape(algorithm) % d_dnssecdb->escape(content)).str() );
}
catch (SSqlException &e) {
- throw AhuException("BindBackend unable to retrieve named TSIG key: "+e.txtReason());
+ throw PDNSException("BindBackend unable to retrieve named TSIG key: "+e.txtReason());
}
return true;
d_dnssecdb->doCommand( (fmt % d_dnssecdb->escape(name)).str() );
}
catch (SSqlException &e) {
- throw AhuException("BindBackend unable to retrieve named TSIG key: "+e.txtReason());
+ throw PDNSException("BindBackend unable to retrieve named TSIG key: "+e.txtReason());
}
return true;
d_dnssecdb->doQuery( "select name,algorithm,secret from tsigkeys" );
}
catch (SSqlException &e) {
- throw AhuException("GSQLBackend unable to retrieve named TSIG key: "+e.txtReason());
+ throw PDNSException("GSQLBackend unable to retrieve named TSIG key: "+e.txtReason());
}
SSql::row_t row;
d_db->doCommand(output);
}
catch (SSqlException &e) {
- throw AhuException("GSQLBackend unable to store named TSIG key: "+e.txtReason());
+ throw PDNSException("GSQLBackend unable to store named TSIG key: "+e.txtReason());
}
return true;
}
d_db->doCommand(output);
}
catch (SSqlException &e) {
- throw AhuException("GSQLBackend unable to store named TSIG key: "+e.txtReason());
+ throw PDNSException("GSQLBackend unable to store named TSIG key: "+e.txtReason());
}
return true;
}
d_db->doQuery(output);
}
catch (SSqlException &e) {
- throw AhuException("GSQLBackend unable to retrieve named TSIG key: "+e.txtReason());
+ throw PDNSException("GSQLBackend unable to retrieve TSIG keys: "+e.txtReason());
}
SSql::row_t row;
key.name = row[0];
key.algorithm = row[1];
key.key = row[2];
+ keys.push_back(key);
}
return keys.empty();
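Review bot: `return keys.empty();` on the last line reports success only when no key was read, so the added `keys.push_back(key);` now flips the result to false exactly when a key is found; the sibling store/retrieve functions in this change all `return true;` on success, and presumably `return !keys.empty();` or `return true;` was intended here. The function's signature and its callers are outside the hunk, so the intended contract cannot be confirmed from this view.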
trc->d_algoName += ".sig-alg.reg.int.";
bool result;
+ TSIGHashEnum algo;
+ if (*(trc->d_algoName.rbegin()) != '.') trc->d_algoName.append(".");
+
if (trc->d_algoName == "hmac-md5.sig-alg.reg.int.")
- {
- B64Decode(secret64, *secret);
- result=calculateMD5HMAC(*secret, message) == trc->d_mac;
- }
- else
- {
- L<<Logger::Error<<"Do not know how to handle TSIG algorithm " << trc->d_algoName << endl;
- return false;
+ algo = TSIG_MD5;
+ else if (trc->d_algoName == "hmac-sha1.")
+ algo = TSIG_SHA1;
+ else if (trc->d_algoName == "hmac-sha224.")
+ algo = TSIG_SHA224;
+ else if (trc->d_algoName == "hmac-sha256.")
+ algo = TSIG_SHA256;
+ else if (trc->d_algoName == "hmac-sha384.")
+ algo = TSIG_SHA384;
+ else if (trc->d_algoName == "hmac-sha512.")
+ algo = TSIG_SHA512;
+ else {
+ L<<Logger::Error<<"Unsupported TSIG HMAC algorithm " << trc->d_algoName << endl;
+ return false;
}
+ B64Decode(secret64, *secret);
+ result=calculateHMAC(*secret, message, algo) == trc->d_mac;
+
if(!result) {
L<<Logger::Error<<"Packet for domain '"<<q->qdomain<<"' denied: TSIG signature mismatch using '"<<*keyname<<"' and algorithm '"<<trc->d_algoName<<"'"<<endl;
}
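Review bot: The MAC check `result=calculateHMAC(*secret, message, algo) == trc->d_mac;` uses std::string equality, which returns at the first differing byte, so the time taken to reject a bad TSIG depends on how many leading MAC bytes were correct; a fixed-time comparison (length check, then OR-accumulate the XOR of every byte) removes that signal, and the constructed helper below shows the shape. Separately, `*(trc->d_algoName.rbegin())` dereferences the reverse iterator of a possibly empty name, which is undefined behaviour; guard it with `if (!trc->d_algoName.empty() && *trc->d_algoName.rbegin() != '.') trc->d_algoName.append(".");`, and the identical line in addTSIG needs the same guard. The enclosing function starts before this hunk and continues after it.
```cpp
// Fixed-time comparison of two MACs: mismatch position must not show in timing.
static bool constantTimeStringEquals(const std::string& a, const std::string& b)
{
  if (a.size() != b.size())
    return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < a.size(); ++i)
    diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
  return diff == 0;
}
// … unchanged: algorithm-name dispatch into algo …
B64Decode(secret64, *secret);
result = constantTimeStringEquals(calculateHMAC(*secret, message, algo), trc->d_mac);
```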
string calculateMD5HMAC(const std::string& key_, const std::string& text)
{
- const unsigned char* key=(const unsigned char*)key_.c_str();
+ unsigned char key[64] = {0};
+ key_.copy((char*)key,64);
unsigned char keyIpad[64];
unsigned char keyOpad[64];
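Review bot: `key_.copy((char*)key,64);` silently truncates any secret longer than 64 bytes, whereas HMAC (RFC 2104) replaces a key longer than the hash block size by its digest; a peer that follows the RFC will derive a different MAC for such a key and every signed exchange will fail as a signature mismatch instead of a clear configuration error. Either hash the key down when `key_.size() > 64` or reject it up front with a logged error; the same truncating copy is in calculateSHAHMAC in the next hunk. The remainder of both functions is outside the hunk.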
string calculateSHAHMAC(const std::string& key_, const std::string& text, TSIGHashEnum hasher)
{
- const unsigned char* key=(const unsigned char*)key_.c_str();
+ unsigned char key[64] = {0};
+ key_.copy((char*)key,64);
unsigned char keyIpad[64];
unsigned char keyOpad[64];
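Review bot: The 64-byte `key`, `keyIpad` and `keyOpad` buffers are used for every `hasher` value, but the HMAC block size for SHA-384 and SHA-512 is 128 bytes, so HMAC-SHA384/512 MACs computed here will not match an RFC 2104 implementation for any key length. Derive the block size from `hasher` (128 for TSIG_SHA384 and TSIG_SHA512, 64 otherwise) and size the buffers and the copy length from it; the pad computation further down the function is outside the hunk and will need the same width.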
return s2.get();
};
default:
- throw new AhuException("Unknown hash algorithm requested for SHA");
+ throw new PDNSException("Unknown hash algorithm requested for SHA");
};
return std::string("");
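Review bot: `throw new PDNSException("Unknown hash algorithm requested for SHA");` throws a pointer, not a PDNSException, so any `catch (PDNSException &e)` is skipped, the object is leaked and the error surfaces only as an uncaught `PDNSException*`; throw by value instead: `throw PDNSException("Unknown hash algorithm requested for SHA");`. The switch and its other cases start before the hunk.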
void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const string& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly)
{
- if (trc->d_algoName != "hmac-md5.sig-alg.reg.int.") {
- L<<Logger::Error<<"Unsupported HMAC TSIG algorithm " << trc->d_algoName << endl;
- return;
+ TSIGHashEnum algo;
+
+ if (*(trc->d_algoName.rbegin()) != '.') trc->d_algoName.append(".");
+
+ if (trc->d_algoName == "hmac-md5.sig-alg.reg.int.")
+ algo = TSIG_MD5;
+ else if (trc->d_algoName == "hmac-sha1.")
+ algo = TSIG_SHA1;
+ else if (trc->d_algoName == "hmac-sha224.")
+ algo = TSIG_SHA224;
+ else if (trc->d_algoName == "hmac-sha256.")
+ algo = TSIG_SHA256;
+ else if (trc->d_algoName == "hmac-sha384.")
+ algo = TSIG_SHA384;
+ else if (trc->d_algoName == "hmac-sha512.")
+ algo = TSIG_SHA512;
+ else {
+ L<<Logger::Error<<"Unsupported TSIG HMAC algorithm " << trc->d_algoName << endl;
+ return;
}
string toSign;
const vector<uint8_t>& signRecord=dw.getRecordBeingWritten();
toSign.append(&*signRecord.begin(), &*signRecord.end());
- trc->d_mac = calculateMD5HMAC(tsigsecret, toSign);
+ trc->d_mac = calculateHMAC(tsigsecret, toSign, algo);
// d_trc->d_mac[0]++; // sabotage
pw.startRecord(tsigkeyname, QType::TSIG, 0, QClass::ANY, DNSPacketWriter::ADDITIONAL, false);
trc->toPacket(pw);
#include "signingpipe.hh"
#include <boost/scoped_ptr.hpp>
#include "bindbackend2.hh"
+#include "dns_random.hh"
StatBag S;
PacketCache PC;
::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
-
::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
::arg().set("module-dir","Default directory for modules")=LIBDIR;
+ ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
+
::arg().setSwitch("experimental-direct-dnskey","EXPERIMENTAL: fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
::arg().laxFile(configname.c_str());
cerr << "Zone has following allowed TSIG key(s): " << boost::join(meta, ",") << endl;
}
+ meta.clear();
if (B.getDomainMetadata(zone, "AXFR-MASTER-TSIG", meta) && meta.size() > 0) {
cerr << "Zone uses following TSIG key(s): " << boost::join(meta, ",") << endl;
}
}
cerr << "Generating new key with " << klen << " bytes (this can take a while)" << endl;
-
- ifstream keyin("/dev/random", ifstream::in|ifstream::binary);
- // read and hash data
- keyin.read(tmpkey, klen);
+ seedRandom(::arg()["entropy-source"]);
+ for(size_t i = 0; i < klen; i+=4) {
+ *(unsigned int*)(tmpkey+i) = dns_random(0xffffffff);
+ }
key = Base64Encode(std::string(tmpkey, klen));
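Review bot: The fill loop stores four bytes per iteration through `*(unsigned int*)(tmpkey+i)`, so when `klen` is not a multiple of four the last iteration writes past the end of `tmpkey` (its allocation is outside the hunk — confirm its size), and the cast also writes through an unaligned, type-punning pointer. Copy each random word with memcpy, bounded by the bytes remaining, as below. Whether dns_random's output is suitable for long-lived TSIG secrets now rests on how `seedRandom` consumes `entropy-source` and on the generator itself, neither of which is visible here; the removed code read the key bytes directly from /dev/random.
```cpp
seedRandom(::arg()["entropy-source"]);
for (size_t i = 0; i < klen; i += 4) {
  unsigned int r = dns_random(0xffffffff);
  size_t take = (klen - i < 4) ? klen - i : 4;  // never write past tmpkey when klen % 4 != 0
  memcpy(tmpkey + i, &r, take);
}
```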
UeberBackend B("default");
TSIGRecordContent trc;
if (tsigalgorithm == "hmac-md5")
trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int.";
+ else
+ trc.d_algoName = tsigalgorithm;
trc.d_time = time(0);
trc.d_fudge = 300;
trc.d_origID=ntohs(d_randomid);
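Review bot: `if (tsigalgorithm == "hmac-md5")` is a case-sensitive exact match, so an operator who passes `HMAC-MD5` or `hmac-md5.` lands in the new else branch and the name is presumably only rejected later by addTSIG's algorithm check, after the TSIG record has already been partly set up. Normalise the supplied name (lower-case, trailing dot handled) before this comparison, and the same applies to the duplicated `d_trc.d_algoName` check in the following hunk. The enclosing function starts before the hunk.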
pw.getHeader()->id = dns_random(0xffff);
if(!tsigkeyname.empty()) {
- d_trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int.";
+ if (tsigalgorithm == "hmac-md5")
+ d_trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int.";
+ else
+ d_trc.d_algoName = tsigalgorithm;
d_trc.d_time = time(0);
d_trc.d_fudge = 300;
d_trc.d_origID=ntohs(pw.getHeader()->id);
a63dc120391d9df0003f2ec4f461a6af ../regression-tests/secure-delegated.dnssec-parent.com
24514dc104b22206daeb973ff9303545 ../regression-tests/minimal.com
f77817aafda5cd6a8e3d4ac998be6fff ../modules/tinydnsbackend/data.cdb
+0b20d7a0250576451135483b863750bf ../regression-tests/tsig.com