Kea 3.1.1
Public Member Functions | Protected Member Functions | List of all members
isc::gss_tsig::GssTsigContext Class Reference

GSS-TSIG overwrite of the DNS TSIGContext class. More...

#include <gss_tsig_context.h>

+ Inheritance diagram for isc::gss_tsig::GssTsigContext:

Public Member Functions

 GssTsigContext (GssTsigKey &key)
 Constructor.
 
virtual ~GssTsigContext ()
 Destructor.
 
virtual dns::TSIGError getError () const override
 Return the TSIG error as a result of the latest verification.
 
virtual State getState () const override
 Return the current state of the context.
 
virtual size_t getTSIGLength () const override
 Return the expected length of TSIG RR after sign().
 
virtual bool lastHadSignature () const override
 Check whether the last verified message was signed.
 
virtual void setError (dns::TSIGError error)
 Set the TSIG error.
 
virtual void setState (State state)
 Set the current state of the context.
 
virtual dns::ConstTSIGRecordPtr sign (const uint16_t qid, const void *const data, const size_t data_len) override
 Sign a DNS message.
 
virtual dns::TSIGError verify (const dns::TSIGRecord *const record, const void *const data, const size_t data_len) override
 a DNS message.
 
- Public Member Functions inherited from isc::dns::TSIGContext
 TSIGContext (const TSIGKey &key)
 Constructor from a TSIG key.
 
 TSIGContext (const Name &key_name, const Name &algorithm_name, const TSIGKeyRing &keyring)
 Constructor from key parameters and key ring.
 
virtual ~TSIGContext ()
 The destructor.
 

Protected Member Functions

void update (const void *const data, size_t len)
 Update internal MAC state by more data.
 
void update (const void *const data, size_t len)
 Update internal HMAC state by more data.
 

Additional Inherited Members

- Public Types inherited from isc::dns::TSIGContext
enum  State {
  INIT , SENT_REQUEST , RECEIVED_REQUEST , SENT_RESPONSE ,
  VERIFIED_RESPONSE
}
 Internal state of context. More...
 
static const uint16_t DEFAULT_FUDGE = 300
 The recommended fudge value (in seconds) by RFC2845.
 

Detailed Description

GSS-TSIG overwrite of the DNS TSIGContext class.

src/lib/dns/tsig.h includes a description of TSIGContext API.

The last TKEY response is signed but this is outside the state transitions which are:

client side:

  • INIT
  • send a signed request
  • SENT_REQUEST
  • receive a signed response
  • VERIFIED_RESPONSE

server side:

  • INIT
  • receive a signed request
  • RECEIVED_REQUEST
  • send a signed response

For TKEY on the reception of the last signed response:

  • use the payload to finish the GSS-API security context establishment
  • check the presence of a TSIG
  • create a GssTsigContext object
  • set its state to SENT_REQUEST
  • verify the response using a pointer to the GssTsigContext object

For each exchange a different TSIGContext is required (no clear operation).

Definition at line 50 of file gss_tsig_context.h.

Constructor & Destructor Documentation

◆ GssTsigContext()

isc::gss_tsig::GssTsigContext::GssTsigContext ( GssTsigKey & key)
explicit

Constructor.

Parameters
keyGSS-TSIG key.

Definition at line 143 of file gss_tsig_context.cc.

References isc::dns::TSIGContext::TSIGContext(), and isc::dns::TSIGContext::INIT.

+ Here is the call graph for this function:

◆ ~GssTsigContext()

isc::gss_tsig::GssTsigContext::~GssTsigContext ( )
virtual

Destructor.

Definition at line 149 of file gss_tsig_context.cc.

Member Function Documentation

◆ getError()

virtual dns::TSIGError isc::gss_tsig::GssTsigContext::getError ( ) const
inlineoverridevirtual

Return the TSIG error as a result of the latest verification.

See isc::dns::TSIGContext::getError().

Exceptions
None.

Reimplemented from isc::dns::TSIGContext.

Definition at line 121 of file gss_tsig_context.h.

◆ getState()

virtual State isc::gss_tsig::GssTsigContext::getState ( ) const
inlineoverridevirtual

Return the current state of the context.

See isc::dns::TSIGContext::getState().

Exceptions
None.

Reimplemented from isc::dns::TSIGContext.

Definition at line 103 of file gss_tsig_context.h.

◆ getTSIGLength()

size_t isc::gss_tsig::GssTsigContext::getTSIGLength ( ) const
overridevirtual

Return the expected length of TSIG RR after sign().

See isc::dns::TSIGContext::getTSIGLength().

Note
: use the fixed constant of 128 from bind9.
Returns
The expected TSIG RR length in bytes.

Reimplemented from isc::dns::TSIGContext.

Definition at line 415 of file gss_tsig_context.cc.

References isc::dns::TSIGError::BAD_KEY(), isc::dns::TSIGError::BAD_SIG(), and isc::dns::TSIGError::BAD_TIME().

+ Here is the call graph for this function:

◆ lastHadSignature()

bool isc::gss_tsig::GssTsigContext::lastHadSignature ( ) const
overridevirtual

Check whether the last verified message was signed.

See isc::dns::TSIGContext::lastHadSignature().

Returns
If the last message was signed or not.
Exceptions
TSIGContextErrorif no message was verified yet.

Reimplemented from isc::dns::TSIGContext.

Definition at line 407 of file gss_tsig_context.cc.

References isc_throw.

◆ setError()

virtual void isc::gss_tsig::GssTsigContext::setError ( dns::TSIGError error)
inlinevirtual

Set the TSIG error.

Note
: to be used for the last TKEY response.
Parameters
errorNew error.

Definition at line 130 of file gss_tsig_context.h.

◆ setState()

virtual void isc::gss_tsig::GssTsigContext::setState ( State state)
inlinevirtual

Set the current state of the context.

Note
: to be used for the last TKEY response.
Parameters
stateNew state.

Definition at line 112 of file gss_tsig_context.h.

◆ sign()

ConstTSIGRecordPtr isc::gss_tsig::GssTsigContext::sign ( const uint16_t qid,
const void *const data,
const size_t data_len )
overridevirtual

Sign a DNS message.

See isc::dns::TSIGContext::sign().

Parameters
qidThe QID to be as the value of the original ID field of the resulting TSIG record.
dataThe wire-format data to be signed.
data_lenThe length of data in bytes.
Returns
A TSIG record for the given data along with the context.

Reimplemented from isc::dns::TSIGContext.

Definition at line 153 of file gss_tsig_context.cc.

References isc::dns::TSIGError::BAD_KEY(), isc::dns::TSIGError::BAD_SIG(), isc::dns::TSIGError::BAD_TIME(), isc::dns::TSIGContext::DEFAULT_FUDGE, isc::dns::TSIGRecord::getClass(), isc::gss_tsig::GssApiBuffer::getContent(), isc::util::OutputBuffer::getData(), isc::gss_tsig::GssApiBuffer::getLength(), isc::gss_tsig::GssApiBuffer::getValue(), isc::dns::TSIGContext::INIT, isc_throw, isc::dns::TSIGError::NOERROR(), isc::dns::TSIGContext::RECEIVED_REQUEST, isc::dns::TSIGContext::SENT_REQUEST, isc::dns::TSIGContext::SENT_RESPONSE, isc::dns::TSIGRecord::TSIG_TTL, isc::dns::TSIGContext::VERIFIED_RESPONSE, isc::util::OutputBuffer::writeUint16(), and isc::util::OutputBuffer::writeUint32().

+ Here is the call graph for this function:

◆ update()

void isc::gss_tsig::GssTsigContext::update ( const void *const data,
size_t len )
protected

Update internal MAC state by more data.

This is used mostly internally, when we need to verify a message without TSIG signature in the middle of signed TCP stream. However, it is also used in tests, so it's protected instead of private, to allow tests in.

It doesn't contain sanity checks, and it is not tested directly. But we may want to add these one day to allow generating the skipped TSIG messages too. Until then, do not use this method.

Parameters
dataPoints to the wire-format data.
lenThe length of data in bytes.

Definition at line 458 of file gss_tsig_context.cc.

Referenced by verify().

◆ verify()

TSIGError isc::gss_tsig::GssTsigContext::verify ( const dns::TSIGRecord *const record,
const void *const data,
const size_t data_len )
overridevirtual

a DNS message.

See isc::dns::TSIGContext::verify().

Reimplemented from isc::dns::TSIGContext.

Definition at line 248 of file gss_tsig_context.cc.

References isc::dns::TSIGError::BAD_KEY(), isc::dns::TSIGError::BAD_SIG(), isc::dns::TSIGError::BAD_TIME(), isc::log::DBGLVL_TRACE_BASIC, isc::dns::TSIGContext::DEFAULT_FUDGE, isc::dns::TSIGError::FORMERR(), isc::dns::rdata::any::TSIG::getAlgorithm(), isc::dns::TSIGRecord::getClass(), isc::dns::rdata::any::TSIG::getError(), isc::dns::rdata::any::TSIG::getFudge(), isc::dns::TSIGRecord::getLength(), isc::dns::rdata::any::TSIG::getMAC(), isc::dns::rdata::any::TSIG::getMACSize(), isc::dns::TSIGRecord::getName(), isc::dns::rdata::any::TSIG::getOriginalID(), isc::dns::rdata::any::TSIG::getOtherData(), isc::dns::rdata::any::TSIG::getOtherLen(), isc::dns::TSIGRecord::getRdata(), isc::dns::rdata::any::TSIG::getTimeSigned(), isc::gss_tsig::gss_tsig_logger, isc::gss_tsig::GSS_TSIG_VERIFIED, isc::gss_tsig::GSS_TSIG_VERIFY_FAILED, isc::dns::TSIGContext::INIT, isc_throw, LOG_DEBUG, LOG_INFO, isc::dns::TSIGError::NOERROR(), isc::dns::TSIGContext::RECEIVED_REQUEST, isc::dns::TSIGContext::SENT_REQUEST, isc::dns::TSIGContext::SENT_RESPONSE, isc::dns::TSIGRecord::TSIG_TTL, update(), isc::dns::TSIGContext::VERIFIED_RESPONSE, and isc::Exception::what().

+ Here is the call graph for this function:
The documentation for this class was generated from the following files: