tkey.c

bind 9.3结合mysql数据库

		      dns_name_t *algorithm, isc_buffer_t *nonce,
		      isc_uint32_t lifetime)
{
	dns_rdata_tkey_t tkey;
	dns_rdata_t *rdata = NULL;
	isc_buffer_t *dynbuf = NULL;
	isc_region_t r;
	dns_name_t keyname;
	dns_namelist_t namelist;
	isc_result_t result;
	isc_stdtime_t now;

	REQUIRE(msg != NULL);
	REQUIRE(key != NULL);
	REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
	REQUIRE(dst_key_isprivate(key));
	REQUIRE(name != NULL);
	REQUIRE(algorithm != NULL);

	tkey.common.rdclass = dns_rdataclass_any;
	tkey.common.rdtype = dns_rdatatype_tkey;
	ISC_LINK_INIT(&tkey.common, link);
	tkey.mctx = msg->mctx;
	dns_name_init(&tkey.algorithm, NULL);
	dns_name_clone(algorithm, &tkey.algorithm);
	isc_stdtime_get(&now);
	tkey.inception = now;
	tkey.expire = now + lifetime;
	tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
	if (nonce != NULL)
		isc_buffer_usedregion(nonce, &r);
	else {
		r.base = isc_mem_get(msg->mctx, 0);
		r.length = 0;
	}
	tkey.error = 0;
	tkey.key = r.base;
	tkey.keylen =  r.length;
	tkey.other = NULL;
	tkey.otherlen = 0;

	RETERR(buildquery(msg, name, &tkey));

	if (nonce == NULL)
		isc_mem_put(msg->mctx, r.base, 0);

	RETERR(dns_message_gettemprdata(msg, &rdata));
	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
	RETERR(dst_key_todns(key, dynbuf));
	isc_buffer_usedregion(dynbuf, &r);
	dns_rdata_fromregion(rdata, dns_rdataclass_any,
			     dns_rdatatype_key, &r);
	dns_message_takebuffer(msg, &dynbuf);

	dns_name_init(&keyname, NULL);
	dns_name_clone(dst_key_name(key), &keyname);

	ISC_LIST_INIT(namelist);
	RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
	dns_message_addname(msg, ISC_LIST_HEAD(namelist),
			    DNS_SECTION_ADDITIONAL);

	return (ISC_R_SUCCESS);

 failure:

	if (dynbuf != NULL)
		isc_buffer_free(&dynbuf);
	return (result);
}

isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
		       dns_name_t *gname, void *cred,
		       isc_uint32_t lifetime, void **context)
{
	dns_rdata_tkey_t tkey;
	isc_result_t result;
	isc_stdtime_t now;
	isc_buffer_t token;
	unsigned char array[1024];

	REQUIRE(msg != NULL);
	REQUIRE(name != NULL);
	REQUIRE(gname != NULL);
	REQUIRE(context != NULL && *context == NULL);

	isc_buffer_init(&token, array, sizeof(array));
	result = dst_gssapi_initctx(gname, cred, NULL, &token, context);
	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
		return (result);

	tkey.common.rdclass = dns_rdataclass_any;
	tkey.common.rdtype = dns_rdatatype_tkey;
	ISC_LINK_INIT(&tkey.common, link);
	tkey.mctx = NULL;
	dns_name_init(&tkey.algorithm, NULL);
	dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
	isc_stdtime_get(&now);
	tkey.inception = now;
	tkey.expire = now + lifetime;
	tkey.mode = DNS_TKEYMODE_GSSAPI;
	tkey.error = 0;
	tkey.key = isc_buffer_base(&token);
	tkey.keylen = isc_buffer_usedlength(&token);
	tkey.other = NULL;
	tkey.otherlen = 0;

	RETERR(buildquery(msg, name, &tkey));

	return (ISC_R_SUCCESS);

 failure:
	return (result);
}

isc_result_t
dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
	dns_rdata_tkey_t tkey;

	REQUIRE(msg != NULL);
	REQUIRE(key != NULL);

	tkey.common.rdclass = dns_rdataclass_any;
	tkey.common.rdtype = dns_rdatatype_tkey;
	ISC_LINK_INIT(&tkey.common, link);
	tkey.mctx = msg->mctx;
	dns_name_init(&tkey.algorithm, NULL);
	dns_name_clone(key->algorithm, &tkey.algorithm);
	tkey.inception = tkey.expire = 0;
	tkey.mode = DNS_TKEYMODE_DELETE;
	tkey.error = 0;
	tkey.keylen = tkey.otherlen = 0;
	tkey.key = tkey.other = NULL;

	return (buildquery(msg, &key->name, &tkey));
}

static isc_result_t
find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
	  int section)
{
	dns_rdataset_t *tkeyset;
	isc_result_t result;

	result = dns_message_firstname(msg, section);
	while (result == ISC_R_SUCCESS) {
		*name = NULL;
		dns_message_currentname(msg, section, name);
		tkeyset = NULL;
		result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
					      &tkeyset);
		if (result == ISC_R_SUCCESS) {
			result = dns_rdataset_first(tkeyset);
			if (result != ISC_R_SUCCESS)
				return (result);
			dns_rdataset_current(tkeyset, rdata);
			return (ISC_R_SUCCESS);
		}
		result = dns_message_nextname(msg, section);
	}
	if (result == ISC_R_NOMORE)
		return (ISC_R_NOTFOUND);
	return (result);
}

isc_result_t
dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
			   dst_key_t *key, isc_buffer_t *nonce,
			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
{
	dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
	dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
	dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
	dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
	dst_key_t *theirkey = NULL;
	dns_rdata_tkey_t qtkey, rtkey;
	unsigned char secretdata[256];
	unsigned int sharedsize;
	isc_buffer_t *shared = NULL, secret;
	isc_region_t r, r2;
	isc_result_t result;
	isc_boolean_t freertkey = ISC_FALSE;

	REQUIRE(qmsg != NULL);
	REQUIRE(rmsg != NULL);
	REQUIRE(key != NULL);
	REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
	REQUIRE(dst_key_isprivate(key));
	if (outkey != NULL)
		REQUIRE(*outkey == NULL);

	if (rmsg->rcode != dns_rcode_noerror)
		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
	freertkey = ISC_TRUE;

	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
			 DNS_SECTION_ADDITIONAL));
	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));

	if (rtkey.error != dns_rcode_noerror ||
	    rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
	    rtkey.mode != qtkey.mode ||
	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
	    rmsg->rcode != dns_rcode_noerror)
	{
		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
			 "or error set");
		result = DNS_R_INVALIDTKEY;
		dns_rdata_freestruct(&qtkey);
		goto failure;
	}

	dns_rdata_freestruct(&qtkey);

	dns_name_init(&keyname, NULL);
	dns_name_clone(dst_key_name(key), &keyname);

	ourkeyname = NULL;
	ourkeyset = NULL;
	RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
				    dns_rdatatype_key, 0, &ourkeyname,
				    &ourkeyset));

	result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
	while (result == ISC_R_SUCCESS) {
		theirkeyname = NULL;
		dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
					&theirkeyname);
		if (dns_name_equal(theirkeyname, ourkeyname))
			goto next;
		theirkeyset = NULL;
		result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
					      0, &theirkeyset);
		if (result == ISC_R_SUCCESS) {
			RETERR(dns_rdataset_first(theirkeyset));
			break;
		}
 next:
		result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
	}

	if (theirkeyset == NULL) {
		tkey_log("dns_tkey_processdhresponse: failed to find server "
			 "key");
		result = ISC_R_NOTFOUND;
		goto failure;
	}

	dns_rdataset_current(theirkeyset, &theirkeyrdata);
	RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata,
				       rmsg->mctx, &theirkey));

	RETERR(dst_key_secretsize(key, &sharedsize));
	RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize));

	RETERR(dst_key_computesecret(theirkey, key, shared));

	isc_buffer_init(&secret, secretdata, sizeof(secretdata));

	r.base = rtkey.key;
	r.length = rtkey.keylen;
	if (nonce != NULL)
		isc_buffer_usedregion(nonce, &r2);
	else {
		r2.base = isc_mem_get(rmsg->mctx, 0);
		r2.length = 0;
	}
	RETERR(compute_secret(shared, &r2, &r, &secret));
	if (nonce == NULL)
		isc_mem_put(rmsg->mctx, r2.base, 0);

	isc_buffer_usedregion(&secret, &r);
	result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
				    r.base, r.length, ISC_TRUE,
				    NULL, rtkey.inception, rtkey.expire,
				    rmsg->mctx, ring, outkey);
	isc_buffer_free(&shared);
	dns_rdata_freestruct(&rtkey);
	dst_key_free(&theirkey);
	return (result);

 failure:
	if (shared != NULL)
		isc_buffer_free(&shared);

	if (theirkey != NULL)
		dst_key_free(&theirkey);

	if (freertkey)
		dns_rdata_freestruct(&rtkey);

	return (result);
}

isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
			    dns_name_t *gname, void *cred, void **context,
			    dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
{
	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
	dns_name_t *tkeyname;
	dns_rdata_tkey_t rtkey, qtkey;
	isc_buffer_t outtoken;
	dst_key_t *dstkey = NULL;
	isc_region_t r;
	isc_result_t result;
	unsigned char array[1024];

	REQUIRE(qmsg != NULL);
	REQUIRE(rmsg != NULL);
	REQUIRE(gname != NULL);
	if (outkey != NULL)
		REQUIRE(*outkey == NULL);

	if (rmsg->rcode != dns_rcode_noerror)
		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));

	RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
			 DNS_SECTION_ADDITIONAL));
	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));

	if (rtkey.error != dns_rcode_noerror ||
	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
	    !dns_name_equal(&rtkey.algorithm, &rtkey.algorithm))
	{
		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
			 "or error set");
		result = DNS_R_INVALIDTKEY;
		goto failure;
	}

	isc_buffer_init(&outtoken, array, sizeof(array));
	r.base = rtkey.key;
	r.length = rtkey.keylen;
	RETERR(dst_gssapi_initctx(gname, cred, &r, &outtoken, context));

	dstkey = NULL;
	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
				  &dstkey));

	RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
					 dstkey, ISC_TRUE, NULL,
					 rtkey.inception, rtkey.expire,
					 rmsg->mctx, ring, outkey));

	dns_rdata_freestruct(&rtkey);
	return (result);

 failure:
	return (result);
}

isc_result_t
dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
			       dns_tsig_keyring_t *ring)
{
	dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
	dns_name_t *tkeyname, *tempname;
	dns_rdata_tkey_t qtkey, rtkey;
	dns_tsigkey_t *tsigkey = NULL;
	isc_result_t result;

	REQUIRE(qmsg != NULL);
	REQUIRE(rmsg != NULL);

	if (rmsg->rcode != dns_rcode_noerror)
		return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);

	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));

	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
			 DNS_SECTION_ADDITIONAL));
	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));

	if (rtkey.error != dns_rcode_noerror ||
	    rtkey.mode != DNS_TKEYMODE_DELETE ||
	    rtkey.mode != qtkey.mode ||
	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
	    rmsg->rcode != dns_rcode_noerror)
	{
		tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
			 "or error set");
		result = DNS_R_INVALIDTKEY;
		dns_rdata_freestruct(&qtkey);
		dns_rdata_freestruct(&rtkey);
		goto failure;
	}

	dns_rdata_freestruct(&qtkey);

	RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));

	dns_rdata_freestruct(&rtkey);

	/*
	 * Mark the key as deleted.
	 */
	dns_tsigkey_setdeleted(tsigkey);
	/*
	 * Release the reference.
	 */
	dns_tsigkey_detach(&tsigkey);

 failure:
	return (result);
}