25#include <boost/shared_ptr.hpp>
37typedef boost::shared_ptr<HMAC> HMACPtr;
76 size_t default_digest_len =
hmac_->getOutputLength();
98 uint16_t digest_len) {
106 static_cast<const uint8_t*
>(
digest) +
120 HMACPtr ret = HMACPtr();
145 uint64_t time_signed, uint16_t fudge,
146 uint16_t error, uint16_t otherlen,
147 const void* otherdata,
148 bool time_variables_only)
const;
150 size_t data_len)
const;
180 if (previous_digest_len != 0) {
188 uint32_t rrttl, uint64_t time_signed,
189 uint16_t fudge, uint16_t error,
190 uint16_t otherlen,
const void* otherdata,
191 bool time_variables_only)
const {
196 size_t data_size = 8;
197 if (!time_variables_only) {
198 data_size += 10 + key_.getKeyName().getLength() +
199 key_.getAlgorithmName().getLength();
203 if (!time_variables_only) {
204 key_.getKeyName().toWire(buffer);
207 key_.getAlgorithmName().toWire(buffer);
213 if (!time_variables_only) {
219 if (!time_variables_only && otherlen > 0) {
220 hmac->update(otherdata, otherlen);
236const size_t MESSAGE_HEADER_LEN = 12;
241 uint16_t qid,
const void* data,
242 size_t data_len)
const {
244 const uint8_t* msgptr =
static_cast<const uint8_t*
>(data);
248 msgptr +=
sizeof(uint16_t);
261 hmac->update(msgptr, data_len - MESSAGE_HEADER_LEN);
312 const size_t digest_len =
320 return (26 + impl_->key_.getKeyName().getLength() +
321 impl_->key_.getAlgorithmName().getLength() +
322 digest_len + other_len);
327 return (impl_->state_);
332 return (impl_->error_);
337 const size_t data_len) {
340 "TSIG sign attempt after verifying a response");
343 if (!data || data_len == 0) {
348 const uint64_t now = getTSIGTime();
352 error = impl_->error_;
359 impl_->key_.getKeyName(),
360 any::TSIG(impl_->key_.getAlgorithmName(),
362 qid, error.getCode(), 0, 0)));
363 impl_->previous_digest_.clear();
368 HMACPtr hmac(impl_->createHMAC());
372 if (impl_->state_ !=
INIT) {
373 impl_->digestPreviousMAC(hmac);
377 hmac->update(data, data_len);
382 impl_->previous_timesigned_ : now;
391 const void*
const otherdata =
392 (otherlen == 0) ? 0 : otherdatabuf.
getData();
403 vector<uint8_t>
digest = hmac->sign(impl_->digest_len_);
406 impl_->key_.getKeyName(),
407 any::TSIG(impl_->key_.getAlgorithmName(),
410 qid, error.getCode(), otherlen,
413 impl_->previous_digest_.swap(
digest);
420 const size_t data_len) {
423 "TSIG verify attempt after sending a response");
427 if (impl_->last_sig_dist_ >= 0 && impl_->last_sig_dist_ < 99) {
433 impl_->last_sig_dist_++;
447 if (data_len < MESSAGE_HEADER_LEN + record->getLength()) {
449 "TSIG verify: data length is invalid: " << data_len);
456 impl_->last_sig_dist_ = 0;
464 if (impl_->key_.getKeyName() != record->
getName() ||
465 impl_->key_.getAlgorithmName() != tsig_rdata.
getAlgorithm()) {
476 const uint64_t now = getTSIGTime();
480 size_t digest_len = 0;
481 if (impl_->state_ ==
INIT) {
500 return (impl_->postVerifyUpdate(error, 0, 0));
503 HMACPtr hmac(impl_->createHMAC());
507 if (impl_->state_ !=
INIT) {
508 impl_->digestPreviousMAC(hmac);
512 if (tsig_rdata.
getMACSize() > hmac->getOutputLength()) {
517 (tsig_rdata.
getMACSize() < (hmac->getOutputLength() / 2))) {
521 if (tsig_rdata.
getMACSize() < impl_->digest_len_) {
559 if (impl_->last_sig_dist_ == -1) {
562 return (impl_->last_sig_dist_ == 0);
567 HMACPtr hmac(impl_->createHMAC());
569 impl_->digestPreviousMAC(hmac);
570 impl_->previous_digest_.clear();
572 hmac->update(data, len);
This is a base class for exceptions thrown from the DNS library module.
A generic exception that is thrown if a parameter given to a method or function is considered invalid...
static CryptoLink & getCryptoLink()
Returns a reference to the singleton instance.
The Name class encapsulates DNS names.
An exception that is thrown for logic errors identified in TSIG sign/verify operations.
State
Internal state of context.
@ RECEIVED_REQUEST
Server received a signed request.
@ SENT_REQUEST
Client sent a signed request, waiting response.
@ SENT_RESPONSE
Server sent a signed response.
@ VERIFIED_RESPONSE
Client successfully verified a response.
virtual ConstTSIGRecordPtr sign(const uint16_t qid, const void *const data, const size_t data_len)
Sign a DNS message.
static const uint16_t DEFAULT_FUDGE
The recommended fudge value (in seconds) by RFC2845.
virtual TSIGError getError() const
Return the TSIG error as a result of the latest verification.
virtual size_t getTSIGLength() const
Return the expected length of TSIG RR after sign()
virtual ~TSIGContext()
The destructor.
void update(const void *const data, size_t len)
Update internal HMAC state by more data.
TSIGContext(const TSIGKey &key)
Constructor from a TSIG key.
virtual TSIGError verify(const TSIGRecord *const record, const void *const data, const size_t data_len)
Verify a DNS message.
virtual State getState() const
Return the current state of the context.
virtual bool lastHadSignature() const
Check whether the last verified message was signed.
static const TSIGError & BAD_SIG()
A constant TSIG error object for the BADSIG code (see TSIGError::BAD_SIG_CODE).
static const TSIGError & BAD_KEY()
A constant TSIG error object for the BADKEY code (see TSIGError::BAD_KEY_CODE).
static const TSIGError & BAD_TIME()
A constant TSIG error object for the BADTIME code (see TSIGError::BAD_TIME_CODE).
static const TSIGError & NOERROR()
A constant TSIG error object derived from Rcode::NOERROR()
static const TSIGError & BAD_TRUNC()
A constant TSIG error object for the BADTRUNC code (see TSIGError::BAD_TRUNC_CODE).
static const TSIGError & FORMERR()
A constant TSIG error object derived from Rcode::FORMERR()
A simple repository of a set of TSIGKey objects.
FindResult find(const Name &key_name) const
Find a TSIGKey for the given name in the TSIGKeyRing.
size_t getDigestbits() const
Return the minimum truncated length.
isc::cryptolink::HashAlgorithm getAlgorithm() const
Return the hash algorithm name in the form of cryptolink::HashAlgorithm.
size_t getSecretLength() const
Return the length of the TSIG secret in bytes.
const void * getSecret() const
Return the value of the TSIG secret.
static const RRClass & getClass()
Return the RR class of TSIG.
static const uint32_t TSIG_TTL
The TTL value to be used in TSIG RRs.
size_t getLength() const
Return the length of the TSIG record.
const Name & getName() const
Return the owner name of the TSIG RR, which is the TSIG key name.
const rdata::any::TSIG & getRdata() const
Return the RDATA of the TSIG RR.
rdata::TSIG class represents the TSIG RDATA as defined in RFC2845.
uint16_t getOriginalID() const
Return the value of the Original ID field.
uint16_t getError() const
Return the value of the Error field.
const Name & getAlgorithm() const
Return the algorithm name.
uint16_t getOtherLen() const
Return the value of the Other Len field.
const void * getOtherData() const
Return the value of the Other Data field.
const void * getMAC() const
Return the value of the MAC field.
uint16_t getFudge() const
Return the value of the Fudge field.
uint16_t getMACSize() const
Return the value of the MAC Size field.
uint64_t getTimeSigned() const
Return the value of the Time Signed field.
The OutputBuffer class is a buffer abstraction for manipulating mutable data.
void writeUint16(uint16_t data)
Write an unsigned 16-bit integer in host byte order into the buffer in network byte order.
void writeData(const void *data, size_t len)
Copy an arbitrary length of data into the buffer.
void writeUint32(uint32_t data)
Write an unsigned 32-bit integer in host byte order into the buffer in network byte order.
const uint8_t * getData() const
Return a pointer to the head of the data stored in the buffer.
size_t getLength() const
Return the length of data written in the buffer.
#define isc_throw(type, stream)
A shortcut macro to insert known values into exception arguments.
#define isc_throw_assert(expr)
Replacement for assert() that throws if the expression is false.
void deleteHMAC(HMAC *hmac)
Delete an HMAC object.
void digest(const void *data, const size_t data_len, const HashAlgorithm hash_algorithm, isc::util::OutputBuffer &result, size_t len)
Create an Hash digest for the given data.
boost::shared_ptr< const TSIGRecord > ConstTSIGRecordPtr
A pointer-like type pointing to an immutable TSIGRecord object.
int64_t getTimeWrapper()
Return the current time in seconds.
uint16_t readUint16(void const *const buffer, size_t const length)
uint16_t wrapper over readUint.
Defines the logger used by the top-level component of kea-lfc.
void digestDNSMessage(HMACPtr hmac, uint16_t qid, const void *data, size_t data_len) const
void digestPreviousMAC(HMACPtr hmac)
uint64_t previous_timesigned_
TSIGContextImpl(const TSIGKey &key, TSIGError error=TSIGError::NOERROR())
TSIGError postVerifyUpdate(TSIGError error, const void *digest, uint16_t digest_len)
void digestTSIGVariables(HMACPtr hmac, uint16_t rrclass, uint32_t rrttl, uint64_t time_signed, uint16_t fudge, uint16_t error, uint16_t otherlen, const void *otherdata, bool time_variables_only) const
vector< uint8_t > previous_digest_
A helper structure to represent the search result of TSIGKeyRing::find().