Commit Diff
Diff:
3483358277d8c522172f7136ba5039ff96c66020
193814c2edc1ee03c64f9602095d6ddba313bad1
Commit:
193814c2edc1ee03c64f9602095d6ddba313bad1
Tree:
f61fd68f2a1aa947ab6f2449ab284ed5c9a047f7
Author:
pjp <pjp@delphinusdns.org>
Committer:
pjp <pjp@delphinusdns.org>
Date:
Thu Feb 28 08:54:29 2019 UTC
Message:
refactor to allow TSIG signing every 89th envelope, this works in the lab.
blob - 749201c595d532238952a0a38c6654ad7e863f51
blob + 85cc809728df66ee7d8e90ae16168b7cb50ca443
--- additional.c
+++ additional.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: additional.c,v 1.24 2019/02/27 19:11:41 pjp Exp $
+ * $Id: additional.c,v 1.25 2019/02/28 08:54:29 pjp Exp $
*/
#include "ddd-include.h"
@@ -45,7 +45,7 @@ int additional_ptr(char *, int, struct rbtree *, char
int additional_rrsig(char *, int, int, struct rbtree *, char *, int, int, int);
int additional_nsec(char *, int, int, struct rbtree *, char *, int, int);
int additional_nsec3(char *, int, int, struct rbtree *, char *, int, int);
-int additional_tsig(struct question *, char *, int, int, int, int);
+int additional_tsig(struct question *, char *, int, int, int, int, HMAC_CTX *);
extern int compress_label(u_char *, int, int);
extern struct rbtree * find_rrset(ddDB *db, char *name, int len);
@@ -357,7 +357,7 @@ out:
*/
int
-additional_tsig(struct question *question, char *reply, int replylen, int offset, int request, int axfrmode)
+additional_tsig(struct question *question, char *reply, int replylen, int offset, int request, int envelope, HMAC_CTX *tsigctx)
{
struct dns_tsigrr *answer, *ppanswer, *timers;
u_int16_t *sval;
@@ -365,12 +365,13 @@ additional_tsig(struct question *question, char *reply
u_int32_t *lval;
int tsignamelen;
int ppoffset = 0;
- int ttlen = 0;
+ int ttlen = 0, rollback;
char *pseudo_packet = NULL;
char *tsig_timers = NULL;
struct dns_header *odh;
char tsigkey[512];
time_t now;
+ static int priordigest = 1;
pseudo_packet = malloc(replylen);
if (pseudo_packet == NULL) {
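Review bot: The new `static int priordigest = 1;` turns the "prepend the previous MAC to the next digest" state into a per-process static shared by every caller of additional_tsig, instead of something owned by the transfer it belongs to. It is cleared when the prior MAC is consumed (the `priordigest = 0;` in the next hunk) and only set again after a signed envelope (the `priordigest = 1;` in the HMAC hunk), so a transfer that aborts between two signatures leaves it at 0 and the next transfer's first unsigned envelope is digested without the prior MAC, which the peer will reject; if the daemon ever serves two AXFRs in one process at the same time the two transfers would also clobber each other's flag (whether axfr_connection runs in a forked child is not visible here). Keeping the flag beside the HMAC_CTX the caller already passes in, or resetting it explicitly when `envelope == 1`, scopes it to a single transfer; a comment such as `/* set once the previous envelope's MAC has been folded into the running digest */` is needed either way.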
@@ -378,20 +379,25 @@ additional_tsig(struct question *question, char *reply
}
now = time(NULL);
+ rollback = offset;
- if (axfrmode) {
+ if (envelope > 1 || envelope < -1) {
tsig_timers = malloc(replylen);
if (tsig_timers == NULL)
goto out;
ttlen = 0;
- sval = (u_int16_t *)&tsig_timers[ttlen];
- *sval = htons(question->tsig.tsigmaclen);
- ttlen += 2;
+ if (priordigest) {
+ sval = (u_int16_t *)&tsig_timers[ttlen];
+ *sval = htons(question->tsig.tsigmaclen);
+ ttlen += 2;
- memcpy(&tsig_timers[ttlen], question->tsig.tsigmac, question->tsig.tsigmaclen);
- ttlen += question->tsig.tsigmaclen;
+ memcpy(&tsig_timers[ttlen], question->tsig.tsigmac, question->tsig.tsigmaclen);
+ ttlen += question->tsig.tsigmaclen;
+ priordigest = 0;
+ }
+
question->tsig.tsigerrorcode = 0; /* to be sure */
} else {
if (request == 0) {
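Review bot: The envelope test `envelope > 1 || envelope < -1` is spelled out here and repeated in three later hunks of this function (the memcpy into tsig_timers, the timefudge selection and the HMAC block), and the encoding it relies on — 0 for ordinary replies, 1 for the first envelope, positive for later envelopes, -1/-2 for the final one — is written down nowhere. A named predicate such as `#define TSIG_AXFR_CONTINUATION(e) ((e) > 1 || (e) < -1)` with a comment giving that encoding would make the four sites agree by construction. `rollback = offset;` is only consumed at the end of the HMAC block much later; a comment at the assignment, `/* restored when this envelope is not signed, so no TSIG RR is emitted */`, says why it exists. additional_tsig continues on both sides of this hunk.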
@@ -417,7 +423,7 @@ additional_tsig(struct question *question, char *reply
memcpy(&pseudo_packet[ppoffset], &reply[0], offset);
ppoffset += offset;
- if (axfrmode) {
+ if (envelope > 1 || envelope < -1) {
memcpy(&tsig_timers[ttlen], reply, offset);
ttlen += offset;
}
@@ -482,10 +488,11 @@ additional_tsig(struct question *question, char *reply
answer = (struct dns_tsigrr *)&reply[offset];
- if (axfrmode) {
+ if (envelope > 1 || envelope < -1) {
answer->timefudge = htobe64(((u_int64_t)now << 16) | (300 & 0xffff));
+ //answer->timefudge = question->tsig.tsig_timefudge;
} else {
- if (request == 0) {
+ if (request == 0 || envelope == 1) {
answer->timefudge = question->tsig.tsig_timefudge;
} else {
answer->timefudge = htobe64((now << 16) | (300 & 0xffff));
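Review bot: `//answer->timefudge = question->tsig.tsig_timefudge;` is commented-out code added to the AXFR branch, and the same line reappears in the HMAC hunk below as `//timers->timefudge = question->tsig.tsig_timefudge;`. If it records an open question — whether continuation envelopes should echo the request's time/fudge instead of `now` — state that in a real comment; otherwise drop both lines, since the repository keeps the history. The surrounding file uses `/* */` comments, so the `//` form also departs from local style.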
@@ -526,7 +533,7 @@ additional_tsig(struct question *question, char *reply
}
ppanswer = (struct dns_tsigrr *)&pseudo_packet[ppoffset];
- if (request == 0)
+ if (request == 0 || envelope == 1)
ppanswer->timefudge = question->tsig.tsig_timefudge;
else
ppanswer->timefudge = htobe64(((u_int64_t)now << 16) | (300 & 0xffff));
@@ -558,16 +565,23 @@ additional_tsig(struct question *question, char *reply
}
- if (axfrmode) {
- timers = (struct dns_tsigrr *)&tsig_timers[ttlen];
- timers->timefudge = htobe64(((u_int64_t)now << 16) | (300 & 0xffff));
- ttlen += 8;
-
- HMAC(EVP_sha256(), tsigkey, tsignamelen,
- (unsigned char *)tsig_timers, ttlen,
- (unsigned char *)&answer->mac[0], (u_int *)&macsize);
+ if (envelope > 1 || envelope < -1) {
+ if (envelope % 89 == 0 || envelope == -2) {
+ timers = (struct dns_tsigrr *)&tsig_timers[ttlen];
+ timers->timefudge = htobe64(((u_int64_t)now << 16) | (300 & 0xffff));
+ //timers->timefudge = question->tsig.tsig_timefudge;
+ ttlen += 8;
+ }
+
+ HMAC_Update(tsigctx, (const unsigned char *)tsig_timers, ttlen);
- memcpy(question->tsig.tsigmac, &answer->mac[0], macsize);
+ if (envelope % 89 == 0 || envelope == -2) {
+ macsize = 32;
+ HMAC_Final(tsigctx, (unsigned char *)&answer->mac[0], (u_int *)&macsize);
+ memcpy(question->tsig.tsigmac, &answer->mac[0], macsize);
+ priordigest = 1;
+ } else
+ offset = rollback;
free(tsig_timers);
} else {
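Review bot: Neither `HMAC_Update` nor `HMAC_Final` has its return value checked, so a failing update silently produces an envelope whose MAC is wrong, and a failing final leaves `answer->mac` holding whatever the reply buffer contained while `question->tsig.tsigmac` is still copied from it. Check both, e.g. `if (HMAC_Update(tsigctx, (const unsigned char *)tsig_timers, ttlen) != 1) { free(tsig_timers); goto out; }` and the same for `HMAC_Final`; what `out:` returns is outside the hunk, so confirm the callers treat that result as a drop rather than sending the envelope. `macsize = 32;` and the two `envelope % 89 == 0` tests are magic numbers: `EVP_MD_size(EVP_sha256())` gives the first, and a named constant such as `#define TSIG_AXFR_SIGN_EVERY 89` with a comment that RFC 2845 §4.4 requires a signature at least every 100 envelopes documents the second. The function body continues past the end of the hunk.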
blob - 436d029c57f3e22a5a9be2bb6e974e3ef517fe2d
blob + de287bb871401a8323af5b6d89392109ca53256f
--- axfr.c
+++ axfr.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: axfr.c,v 1.23 2019/02/27 19:11:41 pjp Exp $
+ * $Id: axfr.c,v 1.24 2019/02/28 08:54:29 pjp Exp $
*/
#include "ddd-include.h"
@@ -73,7 +73,7 @@ extern int rotate_rr(struct rrset *rrset);
extern int domaincmp(struct node *e1, struct node *e2);
extern char * dns_label(char *, int *);
-extern int additional_tsig(struct question *, char *, int, int, int, int);
+extern int additional_tsig(struct question *, char *, int, int, int, int, HMAC_CTX *);
extern int find_tsig_key(char *keyname, int keynamelen, char *key, int keylen);
int notify = 0; /* do not notify when set to 0 */
@@ -389,6 +389,12 @@ axfrloop(int *afd, int sockcount, char **ident, ddDB *
now = time(NULL);
if (difftime(now, time_changed) <= 1800) {
gather_notifydomains(db);
+#if 0
+ for (int x = 1; x;) {
+ dolog(LOG_INFO, "in debug loop\n");
+ sleep(1);
+ }
+#endif
notifyfd[0] = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
notifyfd[1] = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
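Review bot: The `#if 0` block with the `dolog(LOG_INFO, "in debug loop\n")` / `sleep(1)` loop is dead debugging scaffolding checked into axfrloop; it never compiles and tells a reader nothing about the notify path it sits in. Drop it before merging — if a place to park the process for a debugger is genuinely useful here, a one-line comment saying so is enough.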
@@ -416,6 +422,7 @@ axfrloop(int *afd, int sockcount, char **ident, ddDB *
}
}
+
for (;;) {
FD_ZERO(&rset);
@@ -808,6 +815,7 @@ axfr_connection(int so, char *address, int is_ipv6, dd
struct rr *rrp = NULL;
ddDBT key, data;
+ HMAC_CTX *tsigctx = NULL;
if (packetlen > sizeof(buf)) {
dolog(LOG_ERR, "buffer size of buf is smaller than given packet, drop\n");
@@ -960,7 +968,6 @@ axfr_connection(int so, char *address, int is_ipv6, dd
/* initialize tsig */
-#if 0
if (question->tsig.tsigverified) {
if ((tsigkeylen = find_tsig_key(question->tsig.tsigkey,
question->tsig.tsigkeylen, (char *)&tsigkey, sizeof(tsigkey))) < 0) {
@@ -975,7 +982,6 @@ axfr_connection(int so, char *address, int is_ipv6, dd
goto drop;
}
}
-#endif
dolog(LOG_INFO, "%s request for zone \"%s\", replying...\n",
(ntohs(question->hdr->qtype) == DNS_TYPE_AXFR ? "AXFR"
@@ -1048,11 +1054,22 @@ axfr_connection(int so, char *address, int is_ipv6, dd
odh->answer += rrcount;
HTONS(odh->answer);
- /* additional_tsig here */
if (question->tsig.have_tsig && question->tsig.tsigverified) {
- outlen = additional_tsig(question, (reply + 2), 65000, outlen, 0, (envelopcount++ != 1));
- odh->additional = htons(1);
+ int tmplen = outlen;
+ outlen = additional_tsig(question, (reply + 2), 65000, outlen, 0, envelopcount, tsigctx);
+ if (tmplen != outlen) {
+ odh->additional = htons(1);
+
+ HMAC_CTX_reset(tsigctx);
+ if (HMAC_Init(tsigctx, (const void *)&tsigkey, tsigkeylen, EVP_sha256()) == 0) {
+ dolog(LOG_ERR, "AXFR tsig initialization error, drop\n");
+ goto drop;
+ }
+ }
+
+ envelopcount++;
+
tmp = (u_int16_t *)reply;
*tmp = htons(outlen);
}
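Review bot: `HMAC_CTX_reset(tsigctx)` operates on a context that this function initialises to NULL (`HMAC_CTX *tsigctx = NULL;` in an earlier hunk) and that no hunk of this diff allocates; if `HMAC_CTX_new()` lives in the re-enabled tsig init block whose middle is outside the diff that is fine, otherwise the first signed envelope dereferences NULL. The `goto drop` after a failed `HMAC_Init` also bypasses the only `HMAC_CTX_free` in the function, which sits in the final-envelope hunk below, so unless `drop:` releases the context it leaks on that path. `HMAC_Init` is the deprecated entry point; `HMAC_Init_ex(tsigctx, tsigkey, tsigkeylen, EVP_sha256(), NULL)` is the current form. Detecting "this envelope was signed" with `tmplen != outlen` depends on additional_tsig rolling its offset back exactly; at minimum a comment `/* additional_tsig leaves outlen unchanged when it skips signing this envelope */` makes that contract explicit. axfr_connection continues on both sides of this hunk.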
@@ -1090,13 +1107,19 @@ axfr_connection(int so, char *address, int is_ipv6, dd
odh->answer += rrcount;
HTONS(odh->answer);
- /* additional_tsig here */
if (question->tsig.have_tsig && question->tsig.tsigverified) {
- outlen = additional_tsig(question, (reply + 2), 65000, outlen, 0, (envelopcount != 1));
+ if (envelopcount == 1)
+ envelopcount = -1;
+ else
+ envelopcount = -2;
+
+ outlen = additional_tsig(question, (reply + 2), 65000, outlen, 0, envelopcount, tsigctx);
odh->additional = htons(1);
tmp = (u_int16_t *)reply;
*tmp = htons(outlen);
+
+ HMAC_CTX_free(tsigctx);
}
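Review bot: The two sentinel values assigned to `envelopcount` before the final additional_tsig call are only explained by reading additional.c, where -2 forces a signature and -1 takes the ordinary reply path; add a comment above the `if`, e.g. `/* final envelope: -1 when it is apparently also the first (no loop iteration ran), -2 otherwise; additional_tsig always signs -2 */`. `HMAC_CTX_free(tsigctx)` is only reached inside the tsig branch, which is correct provided the context is only ever allocated under the same condition — that allocation is not visible in the diff. The function continues past the hunk.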
len = send(so, reply, outlen + 2, 0);
@@ -1524,7 +1547,7 @@ notifypacket(int so, void *vnse, void *vnotnp, int pac
return;
}
- outlen = additional_tsig(fq, packet, sizeof(packet), outlen, 1, 0);
+ outlen = additional_tsig(fq, packet, sizeof(packet), outlen, 1, 0, NULL);
dnh->additional = htons(1);
blob - 5b510949707f3d7e9f923386949c46f92b0616a3
blob + 5872842f92a3cbbc99ae709b93e03b5f5220ff81
--- reply.c
+++ reply.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: reply.c,v 1.74 2019/02/27 19:11:41 pjp Exp $
+ * $Id: reply.c,v 1.75 2019/02/28 08:54:29 pjp Exp $
*/
#include "ddd-include.h"
@@ -47,7 +47,7 @@ extern int additional_aaaa(char *, int, struct rbtre
extern int additional_mx(char *, int, struct rbtree *, char *, int, int, int *);
extern int additional_ptr(char *, int, struct rbtree *, char *, int, int, int *);
extern int additional_opt(struct question *, char *, int, int);
-extern int additional_tsig(struct question *, char *, int, int, int, int);
+extern int additional_tsig(struct question *, char *, int, int, int, int, HMAC_CTX *);
extern int additional_rrsig(char *, int, int, struct rbtree *, char *, int, int, int);
extern int additional_nsec(char *, int, int, struct rbtree *, char *, int, int);
extern struct question *build_fake_question(char *, int, u_int16_t, char *, int);
@@ -267,7 +267,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -477,7 +477,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -702,7 +702,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -897,7 +897,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -1090,7 +1090,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -1301,7 +1301,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -1453,7 +1453,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -1625,7 +1625,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -1821,7 +1821,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -2020,7 +2020,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -2336,7 +2336,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -2525,7 +2525,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -2784,7 +2784,7 @@ out:
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -2956,7 +2956,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -3277,7 +3277,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -3465,7 +3465,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -3688,7 +3688,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -3882,7 +3882,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -4357,7 +4357,7 @@ out:
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -4515,7 +4515,7 @@ reply_notauth(struct sreply *sreply, ddDB *db)
odh->additional = htons(1);
- tmplen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ tmplen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
if (tmplen != 0)
outlen = tmplen;
@@ -4918,7 +4918,7 @@ out:
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;
@@ -5059,7 +5059,7 @@ reply_any(struct sreply *sreply, ddDB *db)
}
if (q->tsig.tsigverified == 1) {
- outlen = additional_tsig(q, reply, replysize, outlen, 0, 0);
+ outlen = additional_tsig(q, reply, replysize, outlen, 0, 0, NULL);
NTOHS(odh->additional);
odh->additional++;