From: Aki Tuomi <cmouse@cmouse.fi>
Date: Tue, 20 Oct 2015 05:41:25 +0000 (+0300)
Subject: Use DNSName in GSS-TSIG code
X-Git-Tag: dnsdist-1.0.0-alpha1~252^2~8^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1635f12b2eb22702835733511001063806b82bbe;p=pdns

Use DNSName in GSS-TSIG code
---

diff --git a/pdns/gss_context.cc b/pdns/gss_context.cc
index 1f88996c0..10d103ed1 100644
--- a/pdns/gss_context.cc
+++ b/pdns/gss_context.cc
@@ -20,13 +20,13 @@
 
 bool GssContext::supported() { return false; }
 GssContext::GssContext() { d_error = GSS_CONTEXT_UNSUPPORTED; d_type = GSS_CONTEXT_NONE; }
-GssContext::GssContext(const std::string& label) { d_error = GSS_CONTEXT_UNSUPPORTED; d_type = GSS_CONTEXT_NONE; }
+GssContext::GssContext(const DNSName& label) { d_error = GSS_CONTEXT_UNSUPPORTED; d_type = GSS_CONTEXT_NONE; }
 void GssContext::setLocalPrincipal(const std::string& name) {}
 bool GssContext::getLocalPrincipal(std::string& name) { return false; }
 void GssContext::setPeerPrincipal(const std::string& name) {}
 bool GssContext::getPeerPrincipal(std::string& name) { return false; }
 void GssContext::generateLabel(const std::string& suffix) {}
-void GssContext::setLabel(const std::string& label) {}
+void GssContext::setLabel(const DNSName& label) {}
 bool GssContext::init(const std::string &input, std::string& output) { return false; }
 bool GssContext::accept(const std::string &input, std::string& output) { return false; }
 bool GssContext::destroy() { return false; }
@@ -116,7 +116,7 @@ std::map<std::string, boost::shared_ptr<GssCredential> > s_gss_init_creds;
 
 class GssSecContext : boost::noncopyable {
 public:
-  GssSecContext(const std::string& label, boost::shared_ptr<GssCredential> cred) {    
+  GssSecContext(boost::shared_ptr<GssCredential> cred) {
     if (cred->valid() == false) throw PDNSException("Invalid credential " + cred->d_nameS);
     d_cred = cred;
     d_state = GssStateInitial;
@@ -153,12 +153,11 @@ public:
 
 };
 
-std::map<std::string, boost::shared_ptr<GssSecContext> > s_gss_sec_context;
+std::map<DNSName, boost::shared_ptr<GssSecContext> > s_gss_sec_context;
 
 bool GssContext::supported() { return true; }
 
 void GssContext::initialize() {
-  d_label = "";
   d_peerPrincipal = "";
   d_localPrincipal = "";
   d_error = GSS_CONTEXT_NO_ERROR;
@@ -170,9 +169,9 @@ GssContext::GssContext() {
   generateLabel("pdns.tsig");
 }
 
-GssContext::GssContext(const std::string& label) {
+GssContext::GssContext(const DNSName& label) {
   initialize();
-  setLabel(toLowerCanonic(label));
+  setLabel(label);
 }
 
 void GssContext::generateLabel(const std::string& suffix) {
@@ -181,7 +180,7 @@ void GssContext::generateLabel(const std::string& suffix) {
   setLabel(oss.str());
 }
 
-void GssContext::setLabel(const std::string& label) {
+void GssContext::setLabel(const DNSName& label) {
   d_label = label;
   if (s_gss_sec_context.find(d_label) != s_gss_sec_context.end()) {
     d_ctx = s_gss_sec_context[d_label];
@@ -227,7 +226,7 @@ bool GssContext::init(const std::string &input, std::string& output) {
     }
   } else {
     // make context
-    s_gss_sec_context[d_label] = boost::make_shared<GssSecContext>(d_label, cred);
+    s_gss_sec_context[d_label] = boost::make_shared<GssSecContext>(cred);
     s_gss_sec_context[d_label]->d_type = d_type;
     d_ctx = s_gss_sec_context[d_label];
     d_ctx->d_state = GssSecContext::GssStateNegotiate;
@@ -298,7 +297,7 @@ bool GssContext::accept(const std::string &input, std::string& output) {
     } 
   } else {
     // make context
-    s_gss_sec_context[d_label] = boost::make_shared<GssSecContext>(d_label, cred);
+    s_gss_sec_context[d_label] = boost::make_shared<GssSecContext>(cred);
     s_gss_sec_context[d_label]->d_type = d_type;
     d_ctx = s_gss_sec_context[d_label];
     d_ctx->d_state = GssSecContext::GssStateNegotiate;
@@ -434,7 +433,7 @@ void GssContext::processError(const std::string& method, OM_uint32 maj, OM_uint3
 
 bool gss_add_signature(const DNSName& context, const std::string& message, std::string& mac) {
   string tmp_mac;
-  GssContext gssctx(context.toStringNoDot());
+  GssContext gssctx(context);
   if (!gssctx.valid()) {
     L<<Logger::Error<<"GSS context '"<<context<<"' is not valid"<<endl;
     BOOST_FOREACH(const string& error, gssctx.getErrorStrings()) {
@@ -455,7 +454,7 @@ bool gss_add_signature(const DNSName& context, const std::string& message, std::
 }
 
 bool gss_verify_signature(const DNSName& context, const std::string& message, const std::string& mac) {
-  GssContext gssctx(context.toStringNoDot());
+  GssContext gssctx(context);
   if (!gssctx.valid()) {
     L<<Logger::Error<<"GSS context '"<<context<<"' is not valid"<<endl;
     BOOST_FOREACH(const string& error, gssctx.getErrorStrings()) {
diff --git a/pdns/gss_context.hh b/pdns/gss_context.hh
index d9f519b6a..da4763125 100644
--- a/pdns/gss_context.hh
+++ b/pdns/gss_context.hh
@@ -120,7 +120,7 @@ class GssContext {
 public:
   static bool supported(); //<! Returns true if GSS is supported in the first place
   GssContext(); //<! Construct new GSS context with random name
-  GssContext(const std::string& label); //<! Create or open existing named context
+  GssContext(const DNSName& label); //<! Create or open existing named context
 
   void setLocalPrincipal(const std::string& name); //<! Set our gss name
   bool getLocalPrincipal(std::string& name); //<! Get our name
@@ -128,8 +128,8 @@ public:
   bool getPeerPrincipal(std::string &name); //<! Return remote name, returns actual name after negotatioan
 
   void generateLabel(const std::string& suffix); //<! Generate random context name using suffix (such as mydomain.com)
-  void setLabel(const std::string& label); //<! Set context name to this label
-  const std::string& getLabel() { return d_label; } //<! Return context name
+  void setLabel(const DNSName& label); //<! Set context name to this label
+  const DNSName& getLabel() { return d_label; } //<! Return context name
 
   bool init(const std::string &input, std::string& output); //<! Perform GSS Initiate Security Context handshake
   bool accept(const std::string &input, std::string& output); //<! Perform GSS Acccept Security Context handshake
@@ -148,7 +148,7 @@ public:
 #ifdef ENABLE_GSS_TSIG
   void processError(const string& method, OM_uint32 maj, OM_uint32 min); //<! Process and fill error text vector
 #endif
-  std::string d_label; //<! Context name
+  DNSName d_label; //<! Context name
   std::string d_peerPrincipal; //<! Remote name
   std::string d_localPrincipal; //<! Our name
   GssContextError d_error; //<! Context error
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 50fbcb199..2ed23adc2 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1154,7 +1154,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     } else {
       getTSIGHashEnum(trc.d_algoName, p->d_tsig_algo);
       if (p->d_tsig_algo == TSIG_GSS) {
-        GssContext gssctx(keyname.toStringNoDot());
+        GssContext gssctx(keyname);
         if (!gssctx.getPeerPrincipal(p->d_peer_principal)) {
           L<<Logger::Warning<<"Failed to extract peer principal from GSS context with keyname '"<<keyname<<"'"<<endl;
         }
diff --git a/pdns/resolver.cc b/pdns/resolver.cc
index df8ea6ba6..d0ce7f42e 100644
--- a/pdns/resolver.cc
+++ b/pdns/resolver.cc
@@ -504,7 +504,7 @@ int AXFRRetriever::getChunk(Resolver::res_t &res) // Implementation is making su
       }
 
       if (algo == TSIG_GSS) {
-        GssContext gssctx(d_tsigkeyname.toStringNoDot());
+        GssContext gssctx(d_tsigkeyname);
         if (!gss_verify_signature(d_tsigkeyname, message, theirMac)) {
           throw ResolverException("Signature failed to validate on AXFR response from "+d_remote.toStringWithPort()+" signed with TSIG key '"+d_tsigkeyname.toString()+"'");
         }
diff --git a/pdns/saxfr.cc b/pdns/saxfr.cc
index 5f048f2a0..26b491948 100644
--- a/pdns/saxfr.cc
+++ b/pdns/saxfr.cc
@@ -16,7 +16,7 @@
 
 StatBag S;
 
-bool validateTSIG(const string& message, const TSIGHashEnum& algo, const string& key, const string& secret, const TSIGRecordContent *trc) {
+bool validateTSIG(const string& message, const TSIGHashEnum& algo, const DNSName& key, const string& secret, const TSIGRecordContent *trc) {
   int64_t now = time(0);
   if(abs((int64_t)trc->d_time - now) > trc->d_fudge) {
     cerr<<"TSIG (key '"<<key<<"') time delta "<< abs(trc->d_time - now)<<" > 'fudge' "<<trc->d_fudge<<endl;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 9496ba0d2..4ffabf6f0 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -411,7 +411,7 @@ bool TCPNameserver::canDoAXFR(shared_ptr<DNSPacket> q)
     } else {
       getTSIGHashEnum(trc.d_algoName, q->d_tsig_algo);
       if (q->d_tsig_algo == TSIG_GSS) {
-        GssContext gssctx(keyname.toStringNoDot());
+        GssContext gssctx(keyname);
         if (!gssctx.getPeerPrincipal(q->d_peer_principal)) {
           L<<Logger::Warning<<"Failed to extract peer principal from GSS context with keyname '"<<keyname<<"'"<<endl;
         }
diff --git a/pdns/tkey.cc b/pdns/tkey.cc
index fa9283de2..18103f63f 100644
--- a/pdns/tkey.cc
+++ b/pdns/tkey.cc
@@ -22,7 +22,7 @@ void PacketHandler::tkeyHandler(DNSPacket *p, DNSPacket *r) {
   tkey_out->d_inception = time((time_t*)NULL);
   tkey_out->d_expiration = tkey_out->d_inception+15;
 
-  GssContext ctx(name.toStringNoDot());
+  GssContext ctx(name);
 
   if (tkey_in.d_mode == 3) { // establish context
     if (tkey_in.d_algo == DNSName("gss-tsig.")) {