|
Packit |
5ce601 |
/*
|
|
Packit |
5ce601 |
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
Packit |
5ce601 |
*
|
|
Packit |
5ce601 |
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
Packit |
5ce601 |
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
Packit Service |
704ed8 |
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
Packit |
5ce601 |
*
|
|
Packit |
5ce601 |
* See the COPYRIGHT file distributed with this work for additional
|
|
Packit |
5ce601 |
* information regarding copyright ownership.
|
|
Packit |
5ce601 |
*/
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
#include <config.h>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
#include <isc/mem.h>
|
|
Packit |
5ce601 |
#include <isc/util.h>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
#include <pk11/site.h>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
#include <dns/tsec.h>
|
|
Packit |
5ce601 |
#include <dns/tsig.h>
|
|
Packit |
5ce601 |
#include <dns/result.h>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
#include <dst/dst.h>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
#define DNS_TSEC_MAGIC ISC_MAGIC('T', 's', 'e', 'c')
|
|
Packit |
5ce601 |
#define DNS_TSEC_VALID(t) ISC_MAGIC_VALID(t, DNS_TSEC_MAGIC)
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
/*%
|
|
Packit |
5ce601 |
* DNS Transaction Security object. We assume this is not shared by
|
|
Packit |
5ce601 |
* multiple threads, and so the structure does not contain a lock.
|
|
Packit |
5ce601 |
*/
|
|
Packit |
5ce601 |
struct dns_tsec {
|
|
Packit |
5ce601 |
unsigned int magic;
|
|
Packit |
5ce601 |
dns_tsectype_t type;
|
|
Packit |
5ce601 |
isc_mem_t *mctx;
|
|
Packit |
5ce601 |
union {
|
|
Packit |
5ce601 |
dns_tsigkey_t *tsigkey;
|
|
Packit |
5ce601 |
dst_key_t *key;
|
|
Packit |
5ce601 |
} ukey;
|
|
Packit |
5ce601 |
};
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
isc_result_t
|
|
Packit |
5ce601 |
dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
|
|
Packit |
5ce601 |
dns_tsec_t **tsecp)
|
|
Packit |
5ce601 |
{
|
|
Packit |
5ce601 |
isc_result_t result;
|
|
Packit |
5ce601 |
dns_tsec_t *tsec;
|
|
Packit |
5ce601 |
dns_tsigkey_t *tsigkey = NULL;
|
|
Packit |
5ce601 |
dns_name_t *algname;
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
REQUIRE(mctx != NULL);
|
|
Packit |
5ce601 |
REQUIRE(tsecp != NULL && *tsecp == NULL);
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
tsec = isc_mem_get(mctx, sizeof(*tsec));
|
|
Packit |
5ce601 |
if (tsec == NULL)
|
|
Packit |
5ce601 |
return (ISC_R_NOMEMORY);
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
tsec->type = type;
|
|
Packit |
5ce601 |
tsec->mctx = mctx;
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
switch (type) {
|
|
Packit |
5ce601 |
case dns_tsectype_tsig:
|
|
Packit |
5ce601 |
switch (dst_key_alg(key)) {
|
|
Packit |
5ce601 |
#ifndef PK11_MD5_DISABLE
|
|
Packit |
5ce601 |
case DST_ALG_HMACMD5:
|
|
Packit Service |
d3afd5 |
algname = dns_tsig_hmacmd5_name;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
#endif
|
|
Packit |
5ce601 |
case DST_ALG_HMACSHA1:
|
|
Packit |
5ce601 |
algname = dns_tsig_hmacsha1_name;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
case DST_ALG_HMACSHA224:
|
|
Packit |
5ce601 |
algname = dns_tsig_hmacsha224_name;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
case DST_ALG_HMACSHA256:
|
|
Packit |
5ce601 |
algname = dns_tsig_hmacsha256_name;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
case DST_ALG_HMACSHA384:
|
|
Packit |
5ce601 |
algname = dns_tsig_hmacsha384_name;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
case DST_ALG_HMACSHA512:
|
|
Packit |
5ce601 |
algname = dns_tsig_hmacsha512_name;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
default:
|
|
Packit |
5ce601 |
isc_mem_put(mctx, tsec, sizeof(*tsec));
|
|
Packit |
5ce601 |
return (DNS_R_BADALG);
|
|
Packit |
5ce601 |
}
|
|
Packit |
5ce601 |
result = dns_tsigkey_createfromkey(dst_key_name(key),
|
|
Packit |
5ce601 |
algname, key, false,
|
|
Packit |
5ce601 |
NULL, 0, 0, mctx, NULL,
|
|
Packit |
5ce601 |
&tsigkey);
|
|
Packit |
5ce601 |
if (result != ISC_R_SUCCESS) {
|
|
Packit |
5ce601 |
isc_mem_put(mctx, tsec, sizeof(*tsec));
|
|
Packit |
5ce601 |
return (result);
|
|
Packit |
5ce601 |
}
|
|
Packit |
5ce601 |
tsec->ukey.tsigkey = tsigkey;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
case dns_tsectype_sig0:
|
|
Packit |
5ce601 |
tsec->ukey.key = key;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
default:
|
|
Packit |
5ce601 |
INSIST(0);
|
|
Packit |
5ce601 |
ISC_UNREACHABLE();
|
|
Packit |
5ce601 |
}
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
tsec->magic = DNS_TSEC_MAGIC;
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
*tsecp = tsec;
|
|
Packit |
5ce601 |
return (ISC_R_SUCCESS);
|
|
Packit |
5ce601 |
}
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
void
|
|
Packit |
5ce601 |
dns_tsec_destroy(dns_tsec_t **tsecp) {
|
|
Packit |
5ce601 |
dns_tsec_t *tsec;
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
REQUIRE(tsecp != NULL && *tsecp != NULL);
|
|
Packit |
5ce601 |
tsec = *tsecp;
|
|
Packit |
5ce601 |
REQUIRE(DNS_TSEC_VALID(tsec));
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
switch (tsec->type) {
|
|
Packit |
5ce601 |
case dns_tsectype_tsig:
|
|
Packit |
5ce601 |
dns_tsigkey_detach(&tsec->ukey.tsigkey);
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
case dns_tsectype_sig0:
|
|
Packit |
5ce601 |
dst_key_free(&tsec->ukey.key);
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
default:
|
|
Packit |
5ce601 |
INSIST(0);
|
|
Packit |
5ce601 |
ISC_UNREACHABLE();
|
|
Packit |
5ce601 |
}
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
tsec->magic = 0;
|
|
Packit |
5ce601 |
isc_mem_put(tsec->mctx, tsec, sizeof(*tsec));
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
*tsecp = NULL;
|
|
Packit |
5ce601 |
}
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
dns_tsectype_t
|
|
Packit |
5ce601 |
dns_tsec_gettype(dns_tsec_t *tsec) {
|
|
Packit |
5ce601 |
REQUIRE(DNS_TSEC_VALID(tsec));
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
return (tsec->type);
|
|
Packit |
5ce601 |
}
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
void
|
|
Packit |
5ce601 |
dns_tsec_getkey(dns_tsec_t *tsec, void *keyp) {
|
|
Packit |
5ce601 |
REQUIRE(DNS_TSEC_VALID(tsec));
|
|
Packit |
5ce601 |
REQUIRE(keyp != NULL);
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
switch (tsec->type) {
|
|
Packit |
5ce601 |
case dns_tsectype_tsig:
|
|
Packit |
5ce601 |
dns_tsigkey_attach(tsec->ukey.tsigkey, (dns_tsigkey_t **)keyp);
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
case dns_tsectype_sig0:
|
|
Packit |
5ce601 |
*(dst_key_t **)keyp = tsec->ukey.key;
|
|
Packit |
5ce601 |
break;
|
|
Packit |
5ce601 |
default:
|
|
Packit |
5ce601 |
INSIST(0);
|
|
Packit |
5ce601 |
ISC_UNREACHABLE();
|
|
Packit |
5ce601 |
}
|
|
Packit |
5ce601 |
}
|