From 25c87ff4ce72002a72ca515d617589e9a982ba50 Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Thu, 28 May 2015 21:03:28 +0300
Subject: [PATCH] Move tkeyHandler to separate file
---
pdns/packethandler.cc | 100 ----------------------------------------
pdns/tkey.cc | 104 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 104 insertions(+), 100 deletions(-)
create mode 100644 pdns/tkey.cc
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index d35e543c9..546fafdcb 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1424,103 +1424,3 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 return r;
 }
-
-void PacketHandler::tkeyHandler(DNSPacket *p, DNSPacket *r) {
- TKEYRecordContent tkey_in;
- std::shared_ptr tkey_out(new TKEYRecordContent());
- string label;
- bool sign = false;
-
- if (!p->getTKEYRecord(&tkey_in, &label)) {
- L<setRcode(RCode::FormErr);
- return;
- }
-
- // retain original label for response
- tkey_out->d_error = 0;
- tkey_out->d_mode = tkey_in.d_mode;
- tkey_out->d_algo = tkey_in.d_algo;
- tkey_out->d_inception = time((time_t*)NULL);
- tkey_out->d_expiration = tkey_out->d_inception+15;
-
- GssContext ctx(label);
-
- if (tkey_in.d_mode == 3) { // establish context
- if (tkey_in.d_algo == "gss-tsig.") {
- std::vector meta;
- string tmpLabel = toLowerCanonic(label);
- bool ok = true;
- while(ok) {
- if (B.getDomainMetadata(tmpLabel, "GSS-ACCEPTOR-PRINCIPAL", meta) && meta.size()>0) {
- break;
- }
- ok = chopOff(tmpLabel);
- }
-
- if (meta.size()>0) {
- ctx.setLocalPrincipal(meta[0]);
- }
- // try to get a context
- if (!ctx.accept(tkey_in.d_key, tkey_out->d_key))
- tkey_out->d_error = 19;
- else
- sign = true;
- } else {
- tkey_out->d_error = 21; // BADALGO
- }
- } else if (tkey_in.d_mode == 5) { // destroy context
- if (p->d_havetsig == false) { // unauthenticated
- if (p->d.opcode == Opcode::Update)
- r->setRcode(RCode::Refused);
- else
- r->setRcode(RCode::NotAuth);
- return;
- }
- if (ctx.valid())
- ctx.destroy();
- else
- tkey_out->d_error = 20; // BADNAME (because we have no support for anything here)
- } else {
- if (p->d_havetsig == false && tkey_in.d_mode != 2) { // unauthenticated
- if (p->d.opcode == Opcode::Update)
- r->setRcode(RCode::Refused);
- else
- r->setRcode(RCode::NotAuth);
- return;
- }
- tkey_out->d_error = 19; // BADMODE
- }
-
- tkey_out->d_keysize = tkey_out->d_key.size();
- tkey_out->d_othersize = tkey_out->d_other.size();
-
- DNSRecord rec;
- rec.d_label = label;
- rec.d_ttl = 0;
- rec.d_type = QType::TKEY;
- rec.d_class = QClass::ANY;
- rec.d_content = tkey_out;
-
- DNSResourceRecord rr(rec);
- rr.qclass = QClass::ANY;
- rr.qtype = QType::TKEY;
- rr.d_place = DNSResourceRecord::ANSWER;
- r->addRecord(rr);
-
- if (sign)
- {
- TSIGRecordContent trc;
- trc.d_algoName = "gss-tsig";
- trc.d_time = tkey_out->d_inception;
- trc.d_fudge = 300;
- trc.d_mac = "";
- trc.d_origID = p->d.id;
- trc.d_eRcode = 0;
- trc.d_otherData = "";
- // this should cause it to lookup label context
- r->setTSIGDetails(trc, label, label, "", false);
- }
-
- r->commitD();
-}
diff --git a/pdns/tkey.cc b/pdns/tkey.cc
new file mode 100644
index 000000000..f0d3c88b5
--- /dev/null
+++ b/pdns/tkey.cc
@@ -0,0 +1,104 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+#include "packethandler.hh"
+
+void PacketHandler::tkeyHandler(DNSPacket *p, DNSPacket *r) {
+ TKEYRecordContent tkey_in;
+ std::shared_ptr tkey_out(new TKEYRecordContent());
+ string label;
+ bool sign = false;
+
+ if (!p->getTKEYRecord(&tkey_in, &label)) {
+ L<setRcode(RCode::FormErr);
+ return;
+ }
+
+ // retain original label for response
+ tkey_out->d_error = 0;
+ tkey_out->d_mode = tkey_in.d_mode;
+ tkey_out->d_algo = tkey_in.d_algo;
+ tkey_out->d_inception = time((time_t*)NULL);
+ tkey_out->d_expiration = tkey_out->d_inception+15;
+
+ GssContext ctx(label);
+
+ if (tkey_in.d_mode == 3) { // establish context
+ if (tkey_in.d_algo == "gss-tsig.") {
+ std::vector meta;
+ string tmpLabel = toLowerCanonic(label);
+ bool ok = true;
+ while(ok) {
+ if (B.getDomainMetadata(tmpLabel, "GSS-ACCEPTOR-PRINCIPAL", meta) && meta.size()>0) {
+ break;
+ }
+ ok = chopOff(tmpLabel);
+ }
+
+ if (meta.size()>0) {
+ ctx.setLocalPrincipal(meta[0]);
+ }
+ // try to get a context
+ if (!ctx.accept(tkey_in.d_key, tkey_out->d_key))
+ tkey_out->d_error = 19;
+ else
+ sign = true;
+ } else {
+ tkey_out->d_error = 21; // BADALGO
+ }
+ } else if (tkey_in.d_mode == 5) { // destroy context
+ if (p->d_havetsig == false) { // unauthenticated
+ if (p->d.opcode == Opcode::Update)
+ r->setRcode(RCode::Refused);
+ else
+ r->setRcode(RCode::NotAuth);
+ return;
+ }
+ if (ctx.valid())
+ ctx.destroy();
+ else
+ tkey_out->d_error = 20; // BADNAME (because we have no support for anything here)
+ } else {
+ if (p->d_havetsig == false && tkey_in.d_mode != 2) { // unauthenticated
+ if (p->d.opcode == Opcode::Update)
+ r->setRcode(RCode::Refused);
+ else
+ r->setRcode(RCode::NotAuth);
+ return;
+ }
+ tkey_out->d_error = 19; // BADMODE
+ }
+
+ tkey_out->d_keysize = tkey_out->d_key.size();
+ tkey_out->d_othersize = tkey_out->d_other.size();
+
+ DNSRecord rec;
+ rec.d_label = label;
+ rec.d_ttl = 0;
+ rec.d_type = QType::TKEY;
+ rec.d_class = QClass::ANY;
+ rec.d_content = tkey_out;
+
+ DNSResourceRecord rr(rec);
+ rr.qclass = QClass::ANY;
+ rr.qtype = QType::TKEY;
+ rr.d_place = DNSResourceRecord::ANSWER;
+ r->addRecord(rr);
+
+ if (sign)
+ {
+ TSIGRecordContent trc;
+ trc.d_algoName = "gss-tsig";
+ trc.d_time = tkey_out->d_inception;
+ trc.d_fudge = 300;
+ trc.d_mac = "";
+ trc.d_origID = p->d.id;
+ trc.d_eRcode = 0;
+ trc.d_otherData = "";
+ // this should cause it to lookup label context
+ r->setTSIGDetails(trc, label, label, "", false);
+ }
+
+ r->commitD();
+}
-- 2.40.0
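Review bot: In the gss-tsig branch of tkeyHandler, a failed `ctx.accept(...)` sets `tkey_out->d_error = 19`, the same value the fall-through branch labels `// BADMODE`; a rejected GSS key exchange is a bad-key condition, not a bad mode, so it should read `tkey_out->d_error = 17; // BADKEY` (or carry a comment explaining why BADMODE is intended). The mode-5 (destroy) branch deletes the context named by `label` after checking only `p->d_havetsig`; unless the caller already verified that the TSIG key name equals `label`, any TSIG-authenticated client could destroy another client's context, so the branch should tie the check to the verified key name — that verification is not visible in this hunk, confirm against the caller. Since the body is moved verbatim, the `new TKEYRecordContent()` shared_ptr construction could become `std::make_shared`, and `time((time_t*)NULL)` could become `time(nullptr)`. The bare `d_inception+15` lifetime and `trc.d_fudge = 300` deserve named constants with a comment on why 15 seconds is enough for the context exchange.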