16 #include <boost/shared_ptr.hpp>
40 typedef boost::shared_ptr<HMAC> HMACPtr;
57 state_(INIT), key_(key), error_(
error),
58 previous_timesigned_(0), digest_len_(0),
60 if (
error == TSIGError::NOERROR()) {
71 hmac_.reset(CryptoLink::getCryptoLink().createHMAC(
72 key_.getSecret(), key_.getSecretLength(),
78 size_t digestbits = key_.getDigestbits();
79 size_t default_digest_len = hmac_->getOutputLength();
81 digest_len_ = (digestbits + 7) / 8;
83 if ((digest_len_ < 10) ||
84 (digest_len_ < (default_digest_len / 2)) ||
85 (digest_len_ > default_digest_len)) {
87 digest_len_ = default_digest_len;
90 digest_len_ = default_digest_len;
103 if (state_ == INIT) {
104 state_ = RECEIVED_REQUEST;
105 }
else if (state_ == SENT_REQUEST &&
error == TSIGError::NOERROR()) {
106 state_ = VERIFIED_RESPONSE;
109 previous_digest_.assign(
static_cast<const uint8_t*
>(
digest),
110 static_cast<const uint8_t*
>(
digest) +
124 HMACPtr ret = HMACPtr();
128 return (HMACPtr(CryptoLink::getCryptoLink().createHMAC(
129 key_.getSecret(), key_.getSecretLength(),
130 key_.getAlgorithm()),
147 void digestPreviousMAC(HMACPtr hmac);
148 void digestTSIGVariables(HMACPtr hmac, uint16_t rrclass, uint32_t rrttl,
149 uint64_t time_signed, uint16_t fudge,
150 uint16_t
error, uint16_t otherlen,
151 const void* otherdata,
152 bool time_variables_only)
const;
153 void digestDNSMessage(HMACPtr hmac, uint16_t qid,
const void* data,
154 size_t data_len)
const;
169 TSIGContext::TSIGContextImpl::digestPreviousMAC(HMACPtr hmac) {
172 assert(previous_digest_.size() <= 0xffff);
174 if (previous_digest_.empty()) {
181 OutputBuffer buffer(
sizeof(uint16_t) + previous_digest_.size());
182 const uint16_t previous_digest_len(previous_digest_.size());
184 if (previous_digest_len != 0) {
185 buffer.
writeData(&previous_digest_[0], previous_digest_len);
191 TSIGContext::TSIGContextImpl::digestTSIGVariables(
192 HMACPtr hmac, uint16_t rrclass, uint32_t rrttl, uint64_t time_signed,
193 uint16_t fudge, uint16_t
error, uint16_t otherlen,
const void* otherdata,
194 bool time_variables_only)
const {
199 size_t data_size = 8;
200 if (!time_variables_only) {
201 data_size += 10 + key_.getKeyName().getLength() +
202 key_.getAlgorithmName().getLength();
206 if (!time_variables_only) {
207 key_.getKeyName().toWire(buffer);
210 key_.getAlgorithmName().toWire(buffer);
216 if (!time_variables_only) {
222 if (!time_variables_only && otherlen > 0) {
223 hmac->update(otherdata, otherlen);
239 const size_t MESSAGE_HEADER_LEN = 12;
243 TSIGContext::TSIGContextImpl::digestDNSMessage(HMACPtr hmac,
244 uint16_t qid,
const void* data,
245 size_t data_len)
const {
247 const uint8_t* msgptr =
static_cast<const uint8_t*
>(data);
251 msgptr +=
sizeof(uint16_t);
264 hmac->update(msgptr, data_len - MESSAGE_HEADER_LEN);
316 const size_t digest_len =
326 digest_len + other_len);
341 const size_t data_len) {
344 "TSIG sign attempt after verifying a response");
347 if (data == NULL || data_len == 0) {
352 const uint64_t now = getTSIGTime();
366 qid,
error.getCode(), 0, NULL)));
381 hmac->update(data, data_len);
395 const void*
const otherdata =
396 (otherlen == 0) ? NULL : otherdatabuf.
getData();
408 assert(
digest.size() <= 0xffff);
414 qid,
error.getCode(), otherlen,
424 const size_t data_len) {
427 "TSIG verify attempt after sending a response");
430 if (record == NULL) {
451 if (data_len < MESSAGE_HEADER_LEN + record->getLength()) {
453 "TSIG verify: data length is invalid: " << data_len);
480 const uint64_t now = getTSIGTime();
483 const void*
digest = NULL;
484 size_t digest_len = 0;
516 if (tsig_rdata.
getMACSize() > hmac->getOutputLength()) {
521 (tsig_rdata.
getMACSize() < (hmac->getOutputLength() / 2))) {
576 hmac->update(data, len);
This is a base class for exceptions thrown from the DNS library module.
A generic exception that is thrown if a parameter given to a method or function is considered invalid...
The Name class encapsulates DNS names.
size_t getLength() const
Gets the length of the Name in its wire format.
uint16_t getCode() const
Returns the RR class code as a 16-bit unsigned integer.
An exception that is thrown for logic errors identified in TSIG sign/verify operations.
State
Internal state of context.
@ RECEIVED_REQUEST
Server received a signed request.
@ SENT_REQUEST
Client sent a signed request, waiting response.
@ SENT_RESPONSE
Server sent a signed response.
@ VERIFIED_RESPONSE
Client successfully verified a response.
virtual ConstTSIGRecordPtr sign(const uint16_t qid, const void *const data, const size_t data_len)
Sign a DNS message.
static const uint16_t DEFAULT_FUDGE
The recommended fudge value (in seconds) by RFC2845.
virtual TSIGError getError() const
Return the TSIG error as a result of the latest verification.
virtual size_t getTSIGLength() const
Return the expected length of TSIG RR after sign()
virtual ~TSIGContext()
The destructor.
void update(const void *const data, size_t len)
Update internal HMAC state by more data.
TSIGContext(const TSIGKey &key)
Constructor from a TSIG key.
virtual TSIGError verify(const TSIGRecord *const record, const void *const data, const size_t data_len)
Verify a DNS message.
virtual State getState() const
Return the current state of the context.
virtual bool lastHadSignature() const
Check whether the last verified message was signed.
static const TSIGError & BAD_SIG()
A constant TSIG error object for the BADSIG code (see TSIGError::BAD_SIG_CODE).
static const TSIGError & BAD_KEY()
A constant TSIG error object for the BADKEY code (see TSIGError::BAD_KEY_CODE).
static const TSIGError & BAD_TIME()
A constant TSIG error object for the BADTIME code (see TSIGError::BAD_TIME_CODE).
static const TSIGError & NOERROR()
A constant TSIG error object derived from Rcode::NOERROR()
static const TSIGError & BAD_TRUNC()
A constant TSIG error object for the BADTRUNC code (see TSIGError::BAD_TRUNC_CODE).
static const TSIGError & FORMERR()
A constant TSIG error object derived from Rcode::FORMERR()
A simple repository of a set of TSIGKey objects.
FindResult find(const Name &key_name) const
Find a TSIGKey for the given name in the TSIGKeyRing.
@ NOTFOUND
The specified key is not found in TSIGKeyRing.
const Name & getAlgorithmName() const
Return the algorithm name.
const Name & getKeyName() const
Return the key name.
static const RRClass & getClass()
Return the RR class of TSIG.
static const uint32_t TSIG_TTL
The TTL value to be used in TSIG RRs.
const rdata::any::TSIG & getRdata() const
Return the RDATA of the TSIG RR.
size_t getLength() const
Return the length of the TSIG record.
const Name & getName() const
Return the owner name of the TSIG RR, which is the TSIG key name.
rdata::TSIG class represents the TSIG RDATA as defined in RFC2845.
uint16_t getOriginalID() const
Return the value of the Original ID field.
uint16_t getError() const
Return the value of the Error field.
const Name & getAlgorithm() const
Return the algorithm name.
uint16_t getOtherLen() const
Return the value of the Other Len field.
const void * getOtherData() const
Return the value of the Other Data field.
uint16_t getFudge() const
Return the value of the Fudge field.
const void * getMAC() const
Return the value of the MAC field.
uint16_t getMACSize() const
Return the value of the MAC Size field.
uint64_t getTimeSigned() const
Return the value of the Time Signed field.
The OutputBuffer class is a buffer abstraction for manipulating mutable data.
const void * getData() const
Return a pointer to the head of the data stored in the buffer.
void writeUint16(uint16_t data)
Write an unsigned 16-bit integer in host byte order into the buffer in network byte order.
void writeData(const void *data, size_t len)
Copy an arbitrary length of data into the buffer.
void writeUint32(uint32_t data)
Write an unsigned 32-bit integer in host byte order into the buffer in network byte order.
size_t getLength() const
Return the length of data written in the buffer.
#define isc_throw(type, stream)
A shortcut macro to insert known values into exception arguments.
void deleteHMAC(HMAC *hmac)
Delete an HMAC object.
void digest(const void *data, const size_t data_len, const HashAlgorithm hash_algorithm, isc::util::OutputBuffer &result, size_t len)
Create an Hash digest for the given data.
boost::shared_ptr< const TSIGRecord > ConstTSIGRecordPtr
A pointer-like type pointing to an immutable TSIGRecord object.
int64_t gettimeWrapper()
Return the current time in seconds.
uint16_t readUint16(const void *buffer, size_t length)
Read Unsigned 16-Bit Integer from Buffer.
Defines the logger used by the top-level component of kea-lfc.
void digestDNSMessage(HMACPtr hmac, uint16_t qid, const void *data, size_t data_len) const
void digestPreviousMAC(HMACPtr hmac)
uint64_t previous_timesigned_
TSIGContextImpl(const TSIGKey &key, TSIGError error=TSIGError::NOERROR())
TSIGError postVerifyUpdate(TSIGError error, const void *digest, uint16_t digest_len)
void digestTSIGVariables(HMACPtr hmac, uint16_t rrclass, uint32_t rrttl, uint64_t time_signed, uint16_t fudge, uint16_t error, uint16_t otherlen, const void *otherdata, bool time_variables_only) const
vector< uint8_t > previous_digest_
A helper structure to represent the search result of TSIGKeyRing::find().