From: Kees Monshouwer Date: Mon, 9 Sep 2013 08:00:09 +0000 (+0200) Subject: cleanup hmac algorithm lookup X-Git-Tag: rec-3.6.0-rc1~448^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=785594c9df390135fb6602824cb96110dfa89a1c;p=pdns cleanup hmac algorithm lookup
---
diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
index f169a7596..3184927be 100644
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -596,16 +596,15 @@ void DNSPacket::commitD() bool checkForCorrectTSIG(const DNSPacket* q, DNSBackend* B, string* keyname, string* secret, TSIGRecordContent* trc) { string message; - + q->getTSIGDetails(trc, keyname, &message); uint64_t now = time(0); if(abs(trc->d_time - now) > trc->d_fudge) { L<qdomain<<"' denied: TSIG (key '"<<*keyname<<"') time delta "<< abs(trc->d_time - now)<<" > 'fudge' "<d_fudge<getTSIGKey(*keyname, &trc->d_algoName, &secret64)) { L<qdomain<<"' denied: can't find TSIG key with name '"<<*keyname<<"' and algorithm '"<d_algoName<<"'"<d_algoName == "hmac-md5") trc->d_algoName += ".sig-alg.reg.int."; - bool result; TSIGHashEnum algo; - if (*(trc->d_algoName.rbegin()) != '.') trc->d_algoName.append("."); - - if (trc->d_algoName == "hmac-md5.sig-alg.reg.int.") - algo = TSIG_MD5; - else if (trc->d_algoName == "hmac-sha1.") - algo = TSIG_SHA1; - else if (trc->d_algoName == "hmac-sha224.") - algo = TSIG_SHA224; - else if (trc->d_algoName == "hmac-sha256.") - algo = TSIG_SHA256; - else if (trc->d_algoName == "hmac-sha384.") - algo = TSIG_SHA384; - else if (trc->d_algoName == "hmac-sha512.") - algo = TSIG_SHA512; - else { + if(!getTSIGHashEnum(trc->d_algoName, algo)) { L<d_algoName << endl; return false; } B64Decode(secret64, *secret); - result=calculateHMAC(*secret, message, algo) == trc->d_mac; - + bool result=calculateHMAC(*secret, message, algo) == trc->d_mac; if(!result) { L<qdomain<<"' denied: TSIG signature mismatch using '"<<*keyname<<"' and algorithm '"<d_algoName<<"'"<d_algoName.rbegin()) != '.') trc->d_algoName.append("."); - - if (trc->d_algoName == "hmac-md5.sig-alg.reg.int.") - algo = TSIG_MD5; - else if (trc->d_algoName == "hmac-sha1.") - algo = TSIG_SHA1; - else if (trc->d_algoName == "hmac-sha224.") - algo = TSIG_SHA224; - else if (trc->d_algoName == "hmac-sha256.") - algo = TSIG_SHA256; - else if (trc->d_algoName == "hmac-sha384.") - algo = TSIG_SHA384; - else if (trc->d_algoName == "hmac-sha512.") - algo = TSIG_SHA512; - else { + 
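Review bot: The rewritten MAC check `bool result=calculateHMAC(*secret, message, algo) == trc->d_mac;` compares the computed and received TSIG MACs with `std::string::operator==`, which returns at the first differing byte; since the commit already touches this line, a length check followed by a fixed-time byte-wise comparison (OR-accumulating the XOR of each byte pair over the full length) would remove the data-dependent early exit. Separately, the removed `if (*(trc->d_algoName.rbegin()) != '.') trc->d_algoName.append(".");` canonicalised `trc->d_algoName` in place, whereas `getTSIGHashEnum` takes `string algoName` by value, so any normalisation it performs no longer reaches `trc->d_algoName`; in this hunk the field is only used in log output afterwards, but the second dnspacket.cc hunk makes the same change and its later use of the field is outside the visible lines. The unchanged context `if(abs(trc->d_time - now) > trc->d_fudge)` subtracts from a `uint64_t now` before calling `abs`, which wraps rather than yielding a signed delta if `d_time` is also unsigned — worth confirming while in this function, though it predates the commit. The second hunk's `@@` header and the marker of the `trc->d_algoName == "hmac-md5"` line are lost in this rendering, so the normalisation point is inferred from the surviving lines.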
if (!getTSIGHashEnum(trc->d_algoName, algo)) { L<d_algoName << endl; return; }
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 2788fd907..da723cae1 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -135,6 +135,7 @@ string calculateSHAHMAC(const std::string& key_, const std::string& text, TSIGHa
 string calculateHMAC(const std::string& key_, const std::string& text, TSIGHashEnum hash);
 string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigoffset, const string& keyname, const TSIGRecordContent& trc, const string& previous, bool timersonly, unsigned int dnsHeaderOffset=0);
+bool getTSIGHashEnum(string algoName, TSIGHashEnum& algoEnum);
 void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const string& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly);
 #endif
diff --git a/pdns/resolver.cc b/pdns/resolver.cc
index 62c66fb79..32c87213a 100644
--- a/pdns/resolver.cc
+++ b/pdns/resolver.cc
@@ -122,7 +122,7 @@ uint16_t Resolver::sendResolve(const ComboAddress& remote, const char *domain, i
 if(!tsigkeyname.empty()) { // cerr<<"Adding TSIG to notification, key name: '"<
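Review bot: The new declaration `bool getTSIGHashEnum(string algoName, TSIGHashEnum& algoEnum);` in dnssecinfra.hh carries no comment, and its callers in dnspacket.cc declare `TSIGHashEnum algo;` uninitialised and rely solely on the return value, so the header should state the contract: `// Resolve a TSIG algorithm name to its TSIGHashEnum; returns false for unrecognised names, in which case algoEnum must not be read.` Taking `algoName` by value is appropriate only if the implementation modifies its copy (the callers previously appended the trailing dot in place, which presumably moved into this function); if it only reads the name, `const string& algoName` avoids a string copy on every TSIG verification. The implementation is not on this patch page, so the by-value question is inferred from the removed caller code.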