d2/d05/tkey__exchange_8cc_source.html

// Copyright (C) 2021-2025 Internet Systems Consortium, Inc. ("ISC")

//

// This Source Code Form is subject to the terms of the Mozilla Public

// License, v. 2.0. If a copy of the MPL was not distributed with this

// file, You can obtain one at http://mozilla.org/MPL/2.0/.


#include <config.h>


#include <d2srv/d2_log.h>

#include <dns/messagerenderer.h>

#include <dns/opcode.h>

#include <dns/rdataclass.h>

#include <stats/stats_mgr.h>

#include <gss_tsig_context.h>

#include <gss_tsig_key.h>

#include <gss_tsig_log.h>

#include <tkey_exchange.h>

#include <limits>

#include <sstream>


namespace isc {

namespace gss_tsig {


namespace {


// OutputBuffer objects are pre-allocated before data is written to them.

// This is a default number of bytes for the buffers we create within

// TKeyExchange class.

const size_t DEFAULT_BUFFER_SIZE = 4096;


}


using namespace isc::asiolink;

using namespace isc::asiodns;

using namespace isc::dns;

using namespace isc::dns::rdata;

using namespace isc::dns::rdata::generic;

using namespace isc::log;

using namespace isc::stats;

using namespace isc::util;

using namespace std;


string


TKeyExchange::statusToText(Status status) {

    switch (status) {

    case SUCCESS:

        return ("response received and is ok");

    case TIMEOUT:

        return ("no response, timeout");

    case IO_STOPPED:

        return ("IO was stopped");

    case INVALID_RESPONSE:

        return ("response received but invalid");

    case UNSIGNED_RESPONSE:

        return ("response received but not signed");

    case BAD_CREDENTIALS:

        return ("bad client credentials");

    default:

        return ("other, unclassified error");

    }

}


// This class provides the implementation for the TKeyExchange. This allows for

// the separation of the TKeyExchange interface from the implementation details.

// Currently, implementation uses IOFetch object to handle asynchronous

// communication with the DNS. This design may be revisited in the future. If

// implementation is changed, the TKeyExchange API will remain unchanged thanks

// to this separation.


class TKeyExchangeImpl : public IOFetch::Callback {

public:


    enum State {

        NONE,

        STARTED,

        STOPPED,

        SUCCESS,

        FAILURE,

    };


    TKeyExchangeImpl(const IOServicePtr& io_service, const DnsServerPtr& server,

                     const GssTsigKeyPtr& key, TKeyExchange::Callback* callback,

                     uint32_t timeout, OM_uint32 flags);


    virtual ~TKeyExchangeImpl();


    virtual void operator()(IOFetch::Result result);


    void doExchange();


    void cancel();


    isc::asiolink::IOServicePtr getIOService() {

        return (io_service_);

    }


    void setIOService(const isc::asiolink::IOServicePtr& io_service) {

        io_service_ = io_service;

    }


private:

    void doExchangeInternal(GssApiBufferPtr intoken);


    void callCallback(TKeyExchange::Status status);


    void acquireCredentials();


    GssApiBufferPtr readTKey(const OutputBufferPtr& outbuf);


    bool verifyTKey();


    void createTKeyRequest(const GssApiBufferPtr& outtoken);


    void incrStats(const string& stat);


    IOServicePtr io_service_;


    State state_;


    OutputBufferPtr in_buf_;


    OutputBufferPtr out_buf_;


    TKeyExchange::Callback* callback_;


    DnsServerPtr server_;


    GssTsigKeyPtr key_;


    OM_uint32 flags_;


    GssApiCredPtr cred_;


    MessagePtr msg_;


    uint32_t timeout_;


    IOFetchPtr io_fetch_;

};


TKeyExchangeImpl::TKeyExchangeImpl(const IOServicePtr& io_service,

                                   const DnsServerPtr& server,

                                   const GssTsigKeyPtr& key,

                                   TKeyExchange::Callback* callback,

                                   uint32_t timeout, OM_uint32 flags)

    : io_service_(io_service), state_(NONE), in_buf_(), out_buf_(),

      callback_(callback), server_(server), key_(key), flags_(flags), cred_(),

      msg_(), timeout_(timeout) {

    if (!io_service) {

        isc_throw(BadValue, "null IOService");

    }

    if (key->getSecCtx().get() != GSS_C_NO_CONTEXT) {

        isc_throw(BadValue, "wrong security context state");

    }

}


TKeyExchangeImpl::~TKeyExchangeImpl() {

    cancel();

}


void


TKeyExchangeImpl::operator()(IOFetch::Result result) {

    // Get the status from IO. If no success, we just call user's callback

    // and pass the status code.

    GssApiBufferPtr intoken;

    switch (result) {

    case IOFetch::SUCCESS:

        intoken = readTKey(out_buf_);

        if (!intoken || intoken->empty()) {

            LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_EMPTY_IN_TOKEN);

            incrStats("tkey-error");

            callCallback(TKeyExchange::INVALID_RESPONSE);

        } else {

            // The TKEY payload from the server response is used for

            // the GSS-API security context establishment.


            doExchangeInternal(intoken);

        }

        return;


    case IOFetch::TIME_OUT:

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_IO_TIMEOUT);

        incrStats("tkey-timeout");

        callCallback(TKeyExchange::TIMEOUT);

        return;


    case IOFetch::STOPPED:

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_IO_STOPPED);

        incrStats("tkey-error");

        callCallback(TKeyExchange::IO_STOPPED);

        return;


    default:

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_IO_ERROR)

            .arg(result);

        incrStats("tkey-error");

        callCallback(TKeyExchange::OTHER);

        return;

    }

}


void

TKeyExchangeImpl::acquireCredentials() {

    const string& cred_princ = server_->getClientPrincipal();

    if (cred_princ.empty()) {

        return;

    }


    OM_uint32 lifetime(0);

    GssApiName cname(cred_princ);

    cred_.reset(new GssApiCred(cname, GSS_C_INITIATE, lifetime));

    if (lifetime == 0) {

        isc_throw(GssCredExpired, "credentials expired for " << cred_princ);

    }

}


bool

TKeyExchangeImpl::verifyTKey() {

    // The last TKEY response must be signed.

    const TSIGRecord* tsig = msg_->getTSIGRecord();

    if (!tsig) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_NOT_SIGNED);

        return (false);

    }

    GssTsigContextPtr tkey_ctx(new GssTsigContext(*key_));

    tkey_ctx->setState(TSIGContext::SENT_REQUEST);

    TSIGError error = tkey_ctx->verify(tsig, out_buf_->getData(),

                                       out_buf_->getLength());

    if (error != TSIGError::NOERROR()) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAILED_TO_VERIFY);

        return (false);

    }


    LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_VERIFIED);


    return (true);

}


void

TKeyExchangeImpl::createTKeyRequest(const GssApiBufferPtr& outtoken) {

    // Create a TKEY request.

    msg_.reset(new Message(Message::RENDER));

    // QID is added by IOFetch using the cryptolink::generateQid.

    msg_->setOpcode(Opcode::QUERY());

    msg_->setRcode(Rcode::NOERROR());

    msg_->setHeaderFlag(Message::HEADERFLAG_QR, false);

    msg_->setHeaderFlag(Message::HEADERFLAG_RD, false);


    msg_->addQuestion(Question(key_->getKeyName(), RRClass::ANY(),

                               RRType::TKEY()));


    // Create the TKEY Resource Record.

    RRsetPtr tkey_rrset(new RRset(key_->getKeyName(), RRClass::ANY(),

                                  RRType::TKEY(), RRTTL(0)));

    Name algorithm("gss-tsig.");

    uint32_t inception = key_->getInception32();

    uint32_t expire = key_->getExpire32();

    uint16_t mode = TKEY::GSS_API_MODE;

    uint16_t error = Rcode::NOERROR().getCode();

    size_t key_length = outtoken->getLength();

    if (key_length > std::numeric_limits<uint16_t>::max()) {

        isc_throw(BadValue, "TKEY value too long: " << key_length);

    }

    uint16_t key_len = static_cast<uint16_t>(key_length);

    ConstRdataPtr tkey_rdata(new TKEY(algorithm, inception, expire, mode, error,

                                      key_len, outtoken->getValue(), 0, 0));

    tkey_rrset->addRdata(tkey_rdata);

    msg_->addRRset(Message::SECTION_ADDITIONAL, tkey_rrset);


    // Encode the TKEY request.

    MessageRenderer renderer;

    in_buf_.reset(new OutputBuffer(DEFAULT_BUFFER_SIZE));

    renderer.setBuffer(in_buf_.get());

    renderer.setLengthLimit(DEFAULT_BUFFER_SIZE);

    msg_->toWire(renderer);

}


void

TKeyExchangeImpl::callCallback(TKeyExchange::Status status) {

    // Once we are done with internal business, let's call a callback supplied

    // by a caller.

    if (callback_) {

        (*callback_)(status);

    }

    if (status == TKeyExchange::SUCCESS) {

        state_ = SUCCESS;

    } else {

        state_ = FAILURE;

    }

}


void

TKeyExchangeImpl::doExchangeInternal(GssApiBufferPtr intoken) {

    GssApiName named_gname(server_->getServerPrincipal());


    GssApiBufferPtr outtoken(new GssApiBuffer());

    OM_uint32 lifetime(0);

    bool ret;

    try {

        ret = key_->getSecCtx().init(cred_, named_gname, flags_, *intoken,

                                     *outtoken, lifetime);

    } catch (const isc::Exception& ex) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_TO_INIT)

            .arg(ex.what());

        incrStats("tkey-error");

        callCallback(TKeyExchange::OTHER);

        return;

    }

    if (ret) {

        // Established.

        if (!outtoken->empty()) {

            // The RFC is not consistent about this case because it specifies it

            // and at the same time requires the server to sign the last response

            // so the first security context to be established is the server one

            // and any further exchange does not make sense...

            LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_OUT_TOKEN_NOT_EMPTY);

        }

        lifetime = key_->getSecCtx().getLifetime();

        if (lifetime < server_->getKeyLifetime()) {

            ostringstream msg;

            msg << "too short credential lifetime: " << lifetime

                << " < " << server_->getKeyLifetime();

            LOG_ERROR(gss_tsig_logger, BAD_CLIENT_CREDENTIALS)

                .arg(msg.str());

            incrStats("tkey-error");

            callCallback(TKeyExchange::BAD_CREDENTIALS);

            return;

        }

        LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_VALID)

            .arg(key_->getSecCtx().getLifetime());


        if (verifyTKey()) {

            incrStats("tkey-success");

            callCallback(TKeyExchange::SUCCESS);

        } else {

            incrStats("tkey-error");

            callCallback(TKeyExchange::UNSIGNED_RESPONSE);

        }


        return;

    }


    if (outtoken->empty()) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_EMPTY_OUT_TOKEN);

        incrStats("tkey-error");

        callCallback(TKeyExchange::INVALID_RESPONSE);

        return;

    }


    createTKeyRequest(outtoken);

    LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_SEND_MESSAGE)

        .arg(in_buf_->getLength());

    incrStats("tkey-sent");


    // Send the TKEY request.

    IOAddress io_addr = server_->getIpAddress();

    out_buf_.reset(new OutputBuffer(DEFAULT_BUFFER_SIZE));


    // Do not use msg because IOFetch code will mess it!

    io_fetch_.reset(new IOFetch(server_->getKeyProto(), io_service_, in_buf_,

                                io_addr, server_->getPort(), out_buf_,

                                this, static_cast<int>(timeout_)));

    io_service_->post(*io_fetch_);

}


void


TKeyExchangeImpl::doExchange() {

    if (state_ != NONE) {

        isc_throw(InvalidOperation, "initiating exchange from invalid state");

    }


    state_ = STARTED;


    // start acquire credentials

    try {

        acquireCredentials();

    } catch (const isc::Exception& ex) {

        LOG_ERROR(gss_tsig_logger, BAD_CLIENT_CREDENTIALS)

            .arg(ex.what());

        incrStats("tkey-error");

        callCallback(TKeyExchange::BAD_CREDENTIALS);

        return;

    }


    GssApiBufferPtr intoken(new GssApiBuffer());

    doExchangeInternal(intoken);

}


void


TKeyExchangeImpl::cancel() {

    if (io_fetch_) {

        io_fetch_->stop();

    }

    state_ = STOPPED;

}


GssApiBufferPtr

TKeyExchangeImpl::readTKey(const OutputBufferPtr& outbuf) {

    // Decode the TKEY response.

    size_t msg_len = outbuf->getLength();

    if (msg_len == 0) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_EMPTY_RESPONSE);

        return (GssApiBufferPtr());

    }

    const void* msg_buf = outbuf->getData();

    if (!msg_buf) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_NULL_RESPONSE);

        return (GssApiBufferPtr());

    }


    LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_RECEIVE_MESSAGE)

        .arg(msg_len);


    msg_.reset(new Message(Message::PARSE));

    InputBuffer recv_buf(msg_buf, msg_len);

    msg_->fromWire(recv_buf);


    // Validate the TKEY response.

    if (!msg_->getHeaderFlag(Message::HEADERFLAG_QR)) {

        LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_NOT_A_RESPONSE);

    }

    if (msg_->getRcode() != Rcode::NOERROR()) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_RESPONSE_ERROR)

            .arg(msg_->getRcode().toText());

        return (GssApiBufferPtr());

    }

    if (msg_->getOpcode() != Opcode::QUERY()) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_OPCODE)

            .arg(msg_->getOpcode());

        return (GssApiBufferPtr());

    }

    // According to RFC3645, the TKEY is found in the ANSWER section.

    if (msg_->getRRCount(Message::SECTION_ANSWER) != 1) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_ANSWER_COUNT)

            .arg(msg_->getRRCount(Message::SECTION_ANSWER));

        return (GssApiBufferPtr());

    }

    RRsetPtr rrset = *msg_->beginSection(Message::SECTION_ANSWER);

    if (!rrset) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_NO_RESPONSE_ANSWER);

        return (GssApiBufferPtr());

    }

    if (rrset->getClass() != RRClass::ANY()) {

        LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_ANSWER_CLASS)

            .arg(rrset->getClass().toText());

    }

    if (rrset->getType() != RRType::TKEY()) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_ANSWER_TYPE)

            .arg(rrset->getType().toText());

        return (GssApiBufferPtr());

    }

    if (rrset->getTTL() != RRTTL(0)) {

        LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_RESPONSE_TTL)

            .arg(rrset->getTTL().toText());

    }

    if (rrset->getRdataCount() != 1) {

        LOG_DEBUG(gss_tsig_logger, DBGLVL_TRACE_BASIC, TKEY_EXCHANGE_RDATA_COUNT)

            .arg(rrset->getRdataCount());

        if (rrset->getRdataCount() == 0) {

            LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_NO_RDATA);

            return (GssApiBufferPtr());

        }

    }

    auto rdata_it = rrset->getRdataIterator();

    const TKEY& tkey = dynamic_cast<const TKEY&>(rdata_it->getCurrent());

    if (tkey.getError() != Rcode::NOERROR_CODE) {

        LOG_ERROR(gss_tsig_logger, TKEY_EXCHANGE_FAIL_TKEY_ERROR)

            .arg(tkey.getError());

        return (GssApiBufferPtr());

    }

    return (GssApiBufferPtr(new GssApiBuffer(tkey.getKeyLen(), tkey.getKey())));

}


void

TKeyExchangeImpl::incrStats(const string& stat) {

    StatsMgr& mgr = StatsMgr::instance();

    mgr.addValue(stat, static_cast<int64_t>(1));

    if (server_) {

        mgr.addValue(StatsMgr::generateName("server", server_->getID(), stat),

                     static_cast<int64_t>(1));

    }

}


const OM_uint32 TKeyExchange::TKEY_EXCHANGE_FLAGS = (GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG);

const uint32_t TKeyExchange::TKEY_EXCHANGE_IO_TIMEOUT = 3000;


TKeyExchange::TKeyExchange(const IOServicePtr& io_service,

                           const DnsServerPtr& server, const GssTsigKeyPtr& key,

                           Callback* callback, uint32_t timeout, OM_uint32 flags)

    : impl_(new TKeyExchangeImpl(io_service, server, key, callback, timeout, flags)) {

}


TKeyExchange::~TKeyExchange() {

    cancel();

}


void


TKeyExchange::doExchange() {

    impl_->doExchange();

}


void


TKeyExchange::cancel() {

    impl_->cancel();

}


IOServicePtr


TKeyExchange::getIOService() {

    return (impl_->getIOService());

}


void


TKeyExchange::setIOService(const IOServicePtr io_service) {

    impl_->setIOService(io_service);

}


} // namespace gss_tsig

} // namespace isc

isc::BadValue
A generic exception that is thrown if a parameter given to a method is considered invalid in that con...
Definition exceptions/exceptions.h:132

isc::Exception
This is a base class for exceptions thrown from the DNS library module.
Definition exceptions/exceptions.h:23

isc::Exception::what
virtual const char * what() const
Returns a C-style character string of the cause of the exception.
Definition exceptions/exceptions.cc:32

isc::InvalidOperation
A generic exception that is thrown if a function is called in a prohibited way.
Definition exceptions/exceptions.h:143

isc::asiodns::IOFetch::Callback
I/O Fetch Callback.
Definition io_fetch.h:85

isc::asiodns::IOFetch::Result
Result
Result of Upstream Fetch.
Definition io_fetch.h:58

isc::asiodns::IOFetch::STOPPED
@ STOPPED
Definition io_fetch.h:61

isc::asiodns::IOFetch::TIME_OUT
@ TIME_OUT
Definition io_fetch.h:60

isc::asiodns::IOFetch::SUCCESS
@ SUCCESS
Definition io_fetch.h:59

isc::dns::AbstractMessageRenderer::setBuffer
void setBuffer(isc::util::OutputBuffer *buffer)
Set or reset a temporary output buffer.
Definition messagerenderer.cc:367

isc::dns::MessageRenderer::setLengthLimit
virtual void setLengthLimit(size_t len)
Set the maximum length of rendered data that can fit in the corresponding DNS message without truncat...
Definition messagerenderer.cc:254

isc::dns::Message
The Message class encapsulates a standard DNS message.
Definition message.h:152

isc::dns::Message::SECTION_ADDITIONAL
@ SECTION_ADDITIONAL
Definition message.h:246

isc::dns::Message::SECTION_ANSWER
@ SECTION_ANSWER
Definition message.h:244

isc::dns::Message::RENDER
@ RENDER
Definition message.h:157

isc::dns::Message::PARSE
@ PARSE
Definition message.h:156

isc::dns::Message::HEADERFLAG_RD
@ HEADERFLAG_RD
Definition message.h:206

isc::dns::Message::HEADERFLAG_QR
@ HEADERFLAG_QR
Definition message.h:203

isc::dns::Opcode::QUERY
static const Opcode & QUERY()
A constant object for the QUERY Opcode.
Definition opcode.h:178

isc::dns::RRClass::ANY
static const RRClass & ANY()
Definition rrclass.h:298

isc::dns::RRType::TKEY
static const RRType & TKEY()
Definition rrtype.h:333

isc::dns::Rcode::NOERROR
static const Rcode & NOERROR()
A constant object for the NOERROR Rcode (see Rcode::NOERROR_CODE).
Definition rcode.h:228

isc::dns::Rcode::getCode
uint16_t getCode() const
Returns the Rcode code value.
Definition rcode.h:106

isc::dns::Rcode::NOERROR_CODE
@ NOERROR_CODE
0: No error (RFC1035)
Definition rcode.h:44

isc::dns::TSIGContext::SENT_REQUEST
@ SENT_REQUEST
Client sent a signed request, waiting response.
Definition tsig.h:183

isc::dns::TSIGError::NOERROR
static const TSIGError & NOERROR()
A constant TSIG error object derived from Rcode::NOERROR()
Definition tsigerror.h:227

isc::dns::rdata::generic::TKEY::GSS_API_MODE
static const uint16_t GSS_API_MODE
The GSS_API constant for the Mode field.
Definition rdataclass.h:514

isc::dns::rdata::generic::TKEY::getKey
const void * getKey() const
Return the value of the Key field.

isc::dns::rdata::generic::TKEY::getError
uint16_t getError() const
Return the value of the Error field.

isc::dns::rdata::generic::TKEY::getKeyLen
uint16_t getKeyLen() const
Return the value of the Key Len field.

isc::gss_tsig::GssApiBuffer
GSS-API buffer.
Definition gss_tsig_api.h:100

isc::gss_tsig::TKeyExchangeImpl
Definition tkey_exchange.cc:69

isc::gss_tsig::TKeyExchangeImpl::TKeyExchangeImpl
TKeyExchangeImpl(const IOServicePtr &io_service, const DnsServerPtr &server, const GssTsigKeyPtr &key, TKeyExchange::Callback *callback, uint32_t timeout, OM_uint32 flags)
Constructor.
Definition tkey_exchange.cc:205

isc::gss_tsig::TKeyExchangeImpl::setIOService
void setIOService(const isc::asiolink::IOServicePtr &io_service)
Sets IO service.
Definition tkey_exchange.cc:123

isc::gss_tsig::TKeyExchangeImpl::State
State
The TKEY exchange state.
Definition tkey_exchange.cc:72

isc::gss_tsig::TKeyExchangeImpl::FAILURE
@ FAILURE
The TKEY exchange has failed.
Definition tkey_exchange.cc:77

isc::gss_tsig::TKeyExchangeImpl::STARTED
@ STARTED
The TKEY exchange has been started.
Definition tkey_exchange.cc:74

isc::gss_tsig::TKeyExchangeImpl::SUCCESS
@ SUCCESS
The TKEY exchange has succeeded.
Definition tkey_exchange.cc:76

isc::gss_tsig::TKeyExchangeImpl::STOPPED
@ STOPPED
The TKEY exchange has been canceled.
Definition tkey_exchange.cc:75

isc::gss_tsig::TKeyExchangeImpl::NONE
@ NONE
Initial state: no action has been initiated.
Definition tkey_exchange.cc:73

isc::gss_tsig::TKeyExchangeImpl::getIOService
isc::asiolink::IOServicePtr getIOService()
Gets IO service.
Definition tkey_exchange.cc:116

isc::gss_tsig::TKeyExchangeImpl::cancel
void cancel()
This function cancels the started TKEY exchange.
Definition tkey_exchange.cc:454

isc::gss_tsig::TKeyExchangeImpl::operator()
virtual void operator()(IOFetch::Result result)
This internal callback is called when the DNS update message exchange is complete.
Definition tkey_exchange.cc:226

isc::gss_tsig::TKeyExchangeImpl::doExchange
void doExchange()
This function handles the repeated communication with the DNS server trying to complete the TKEY exch...
Definition tkey_exchange.cc:431

isc::gss_tsig::TKeyExchangeImpl::~TKeyExchangeImpl
virtual ~TKeyExchangeImpl()
Destructor.
Definition tkey_exchange.cc:221

isc::gss_tsig::TKeyExchange::Callback
Callback for the TKeyExchange class.
Definition tkey_exchange.h:58

isc::gss_tsig::TKeyExchange::cancel
void cancel()
This function cancels the in-flight TKEY exchange.
Definition tkey_exchange.cc:567

isc::gss_tsig::TKeyExchange::Status
Status
A status code of the TKeyExchange.
Definition tkey_exchange.h:39

isc::gss_tsig::TKeyExchange::SUCCESS
@ SUCCESS
Response received and is ok.
Definition tkey_exchange.h:40

isc::gss_tsig::TKeyExchange::BAD_CREDENTIALS
@ BAD_CREDENTIALS
Bad client credentials.
Definition tkey_exchange.h:45

isc::gss_tsig::TKeyExchange::IO_STOPPED
@ IO_STOPPED
IO was stopped.
Definition tkey_exchange.h:42

isc::gss_tsig::TKeyExchange::UNSIGNED_RESPONSE
@ UNSIGNED_RESPONSE
Response received but not signed.
Definition tkey_exchange.h:44

isc::gss_tsig::TKeyExchange::INVALID_RESPONSE
@ INVALID_RESPONSE
Response received but invalid.
Definition tkey_exchange.h:43

isc::gss_tsig::TKeyExchange::TIMEOUT
@ TIMEOUT
No response, timeout.
Definition tkey_exchange.h:41

isc::gss_tsig::TKeyExchange::OTHER
@ OTHER
Other, unclassified error.
Definition tkey_exchange.h:46

isc::gss_tsig::TKeyExchange::statusToText
static std::string statusToText(Status status)
Convert a status to its textual form.
Definition tkey_exchange.cc:44

isc::gss_tsig::TKeyExchange::TKeyExchange
TKeyExchange(const isc::asiolink::IOServicePtr &io_service, const DnsServerPtr &server, const GssTsigKeyPtr &key, Callback *callback, uint32_t timeout=TKEY_EXCHANGE_IO_TIMEOUT, OM_uint32 flags=TKEY_EXCHANGE_FLAGS)
Constructor.
Definition tkey_exchange.cc:551

isc::gss_tsig::TKeyExchange::getIOService
isc::asiolink::IOServicePtr getIOService()
Gets IO service.
Definition tkey_exchange.cc:572

isc::gss_tsig::TKeyExchange::doExchange
void doExchange()
This function handles the repeated communication with the DNS server trying to complete the TKEY exch...
Definition tkey_exchange.cc:562

isc::gss_tsig::TKeyExchange::setIOService
void setIOService(const isc::asiolink::IOServicePtr io_service)
Sets IO service.
Definition tkey_exchange.cc:577

isc::gss_tsig::TKeyExchange::TKEY_EXCHANGE_IO_TIMEOUT
static const uint32_t TKEY_EXCHANGE_IO_TIMEOUT
The default IO timeout used for IO operations (in milliseconds) set to 3000 (3 seconds).
Definition tkey_exchange.h:121

isc::gss_tsig::TKeyExchange::TKEY_EXCHANGE_FLAGS
static const OM_uint32 TKEY_EXCHANGE_FLAGS
The default TKEY exchange flags.
Definition tkey_exchange.h:117

isc::gss_tsig::TKeyExchange::~TKeyExchange
virtual ~TKeyExchange()
Virtual destructor, does nothing.
Definition tkey_exchange.cc:557

isc::stats::StatsMgr::instance
static StatsMgr & instance()
Statistics Manager accessor method.
Definition lib/stats/stats_mgr.cc:30

isc::stats::StatsMgr::generateName
static std::string generateName(const std::string &context, Type index, const std::string &stat_name)
Generates statistic name in a given context.
Definition lib/stats/stats_mgr.h:298

isc::util::InputBuffer
The InputBuffer class is a buffer abstraction for manipulating read-only data.
Definition buffer.h:81

isc::util::State
Defines a State within the State Model.
Definition state_model.h:61

d2_log.h

isc_throw
#define isc_throw(type, stream)
A shortcut macro to insert known values into exception arguments.
Definition exceptions/exceptions.h:210

gss_tsig_context.h
Implements a TSIGContext derived class which can be used as the value of TSIGContext pointers so with...

gss_tsig_key.h

gss_tsig_log.h

stats_mgr.h

LOG_ERROR
#define LOG_ERROR(LOGGER, MESSAGE)
Macro to conveniently test error output and log it.
Definition macros.h:32

LOG_DEBUG
#define LOG_DEBUG(LOGGER, LEVEL, MESSAGE)
Macro to conveniently test debug output and log it.
Definition macros.h:14

messagerenderer.h

isc::asiodns::IOFetchPtr
boost::shared_ptr< IOFetch > IOFetchPtr
Defines a pointer to an IOFetch.
Definition io_fetch.h:247

isc::asiolink::IOServicePtr
boost::shared_ptr< IOService > IOServicePtr
Defines a smart pointer to an IOService instance.
Definition io_service.h:28

isc::db::error
@ error
Definition db_log.h:118

isc::dns::rdata::ConstRdataPtr
boost::shared_ptr< const Rdata > ConstRdataPtr
Definition rdata.h:69

isc::dns::RRsetPtr
boost::shared_ptr< AbstractRRset > RRsetPtr
A pointer-like type pointing to an RRset object.
Definition rrset.h:50

isc::dns::MessagePtr
boost::shared_ptr< Message > MessagePtr
Pointer-like type pointing to a Message.
Definition message.h:670

isc::gss_tsig
Definition gss_tsig_api.cc:17

isc::gss_tsig::TKEY_EXCHANGE_FAIL_NO_RDATA
const isc::log::MessageID TKEY_EXCHANGE_FAIL_NO_RDATA
Definition gss_tsig_messages.h:42

isc::gss_tsig::TKEY_EXCHANGE_FAIL_NOT_SIGNED
const isc::log::MessageID TKEY_EXCHANGE_FAIL_NOT_SIGNED
Definition gss_tsig_messages.h:41

isc::gss_tsig::TKEY_EXCHANGE_FAIL_NO_RESPONSE_ANSWER
const isc::log::MessageID TKEY_EXCHANGE_FAIL_NO_RESPONSE_ANSWER
Definition gss_tsig_messages.h:43

isc::gss_tsig::TKEY_EXCHANGE_RECEIVE_MESSAGE
const isc::log::MessageID TKEY_EXCHANGE_RECEIVE_MESSAGE
Definition gss_tsig_messages.h:54

isc::gss_tsig::TKEY_EXCHANGE_RDATA_COUNT
const isc::log::MessageID TKEY_EXCHANGE_RDATA_COUNT
Definition gss_tsig_messages.h:53

isc::gss_tsig::TKEY_EXCHANGE_FAIL_RESPONSE_ERROR
const isc::log::MessageID TKEY_EXCHANGE_FAIL_RESPONSE_ERROR
Definition gss_tsig_messages.h:45

isc::gss_tsig::TKEY_EXCHANGE_FAIL_EMPTY_RESPONSE
const isc::log::MessageID TKEY_EXCHANGE_FAIL_EMPTY_RESPONSE
Definition gss_tsig_messages.h:37

isc::gss_tsig::DnsServerPtr
boost::shared_ptr< DnsServer > DnsServerPtr
A pointer to a DNS server.
Definition gss_tsig_cfg.h:399

isc::gss_tsig::TKEY_EXCHANGE_FAILED_TO_VERIFY
const isc::log::MessageID TKEY_EXCHANGE_FAILED_TO_VERIFY
Definition gss_tsig_messages.h:34

isc::gss_tsig::TKEY_EXCHANGE_RESPONSE_TTL
const isc::log::MessageID TKEY_EXCHANGE_RESPONSE_TTL
Definition gss_tsig_messages.h:55

isc::gss_tsig::TKEY_EXCHANGE_VERIFIED
const isc::log::MessageID TKEY_EXCHANGE_VERIFIED
Definition gss_tsig_messages.h:58

isc::gss_tsig::TKEY_EXCHANGE_NOT_A_RESPONSE
const isc::log::MessageID TKEY_EXCHANGE_NOT_A_RESPONSE
Definition gss_tsig_messages.h:51

isc::gss_tsig::TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_OPCODE
const isc::log::MessageID TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_OPCODE
Definition gss_tsig_messages.h:50

isc::gss_tsig::TKEY_EXCHANGE_FAIL_IO_ERROR
const isc::log::MessageID TKEY_EXCHANGE_FAIL_IO_ERROR
Definition gss_tsig_messages.h:38

isc::gss_tsig::TKEY_EXCHANGE_FAIL_EMPTY_IN_TOKEN
const isc::log::MessageID TKEY_EXCHANGE_FAIL_EMPTY_IN_TOKEN
Definition gss_tsig_messages.h:35

isc::gss_tsig::GssApiBufferPtr
boost::shared_ptr< GssApiBuffer > GssApiBufferPtr
Shared pointer to GSS-API buffer.
Definition gss_tsig_api.h:180

isc::gss_tsig::TKEY_EXCHANGE_FAIL_EMPTY_OUT_TOKEN
const isc::log::MessageID TKEY_EXCHANGE_FAIL_EMPTY_OUT_TOKEN
Definition gss_tsig_messages.h:36

isc::gss_tsig::TKEY_EXCHANGE_FAIL_NULL_RESPONSE
const isc::log::MessageID TKEY_EXCHANGE_FAIL_NULL_RESPONSE
Definition gss_tsig_messages.h:44

isc::gss_tsig::TKEY_EXCHANGE_OUT_TOKEN_NOT_EMPTY
const isc::log::MessageID TKEY_EXCHANGE_OUT_TOKEN_NOT_EMPTY
Definition gss_tsig_messages.h:52

isc::gss_tsig::TKEY_EXCHANGE_FAIL_IO_STOPPED
const isc::log::MessageID TKEY_EXCHANGE_FAIL_IO_STOPPED
Definition gss_tsig_messages.h:39

isc::gss_tsig::GssTsigContextPtr
boost::shared_ptr< GssTsigContext > GssTsigContextPtr
Type of pointer to a GSS-TSIG context.
Definition gss_tsig_context.h:178

isc::gss_tsig::TKEY_EXCHANGE_SEND_MESSAGE
const isc::log::MessageID TKEY_EXCHANGE_SEND_MESSAGE
Definition gss_tsig_messages.h:56

isc::gss_tsig::TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_ANSWER_COUNT
const isc::log::MessageID TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_ANSWER_COUNT
Definition gss_tsig_messages.h:48

isc::gss_tsig::TKEY_EXCHANGE_FAIL_TKEY_ERROR
const isc::log::MessageID TKEY_EXCHANGE_FAIL_TKEY_ERROR
Definition gss_tsig_messages.h:46

isc::gss_tsig::TKEY_EXCHANGE_FAIL_TO_INIT
const isc::log::MessageID TKEY_EXCHANGE_FAIL_TO_INIT
Definition gss_tsig_messages.h:47

isc::gss_tsig::TKEY_EXCHANGE_ANSWER_CLASS
const isc::log::MessageID TKEY_EXCHANGE_ANSWER_CLASS
Definition gss_tsig_messages.h:33

isc::gss_tsig::TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_ANSWER_TYPE
const isc::log::MessageID TKEY_EXCHANGE_FAIL_WRONG_RESPONSE_ANSWER_TYPE
Definition gss_tsig_messages.h:49

isc::gss_tsig::gss_tsig_logger
isc::log::Logger gss_tsig_logger("gss-tsig-hooks")
Definition gss_tsig_log.h:17

isc::gss_tsig::TKEY_EXCHANGE_VALID
const isc::log::MessageID TKEY_EXCHANGE_VALID
Definition gss_tsig_messages.h:57

isc::gss_tsig::BAD_CLIENT_CREDENTIALS
const isc::log::MessageID BAD_CLIENT_CREDENTIALS
Definition gss_tsig_messages.h:11

isc::gss_tsig::GssApiCredPtr
boost::shared_ptr< GssApiCred > GssApiCredPtr
Shared pointer to GSS-API credential.
Definition gss_tsig_api.h:283

isc::gss_tsig::GssTsigKeyPtr
boost::shared_ptr< GssTsigKey > GssTsigKeyPtr
Type of pointer to a GSS-TSIG key.
Definition gss_tsig_key.h:115

isc::gss_tsig::TKEY_EXCHANGE_FAIL_IO_TIMEOUT
const isc::log::MessageID TKEY_EXCHANGE_FAIL_IO_TIMEOUT
Definition gss_tsig_messages.h:40

isc::log::DBGLVL_TRACE_BASIC
const int DBGLVL_TRACE_BASIC
Trace basic operations.
Definition log_dbglevels.h:69

isc::perfmon::mgr
PerfMonMgrPtr mgr
PerfMonMgr singleton.
Definition perfmon_callouts.cc:24

isc::util::OutputBufferPtr
boost::shared_ptr< OutputBuffer > OutputBufferPtr
Type of pointers to output buffers.
Definition buffer.h:574

isc
Defines the logger used by the top-level component of kea-lfc.
Definition agent_parser.cc:148

opcode.h

rdataclass.h

tkey_exchange.h