return WERR_OK;
}
-WERROR dns_sign_tsig(struct dns_server *dns,
- TALLOC_CTX *mem_ctx,
- struct dns_request_state *state,
- struct dns_name_packet *packet,
- uint16_t error)
+static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
+ struct dns_request_state *state,
+ struct dns_name_packet *packet,
+ struct dns_server_tkey *tkey,
+ time_t current_time,
+ DATA_BLOB *_psig)
{
- WERROR werror;
NTSTATUS status;
enum ndr_err_code ndr_err;
- time_t current_time = time(NULL);
DATA_BLOB packet_blob, tsig_blob, sig;
uint8_t *buffer = NULL;
uint8_t *p = NULL;
size_t buffer_len = 0;
- struct dns_server_tkey * tkey = NULL;
- struct dns_res_rec *tsig = talloc_zero(mem_ctx, struct dns_res_rec);
-
struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
struct dns_fake_tsig_rec);
size_t mac_size = 0;
- if (tsig == NULL) {
- return WERR_NOMEM;
- }
-
if (check_rec == NULL) {
return WERR_NOMEM;
}
- tkey = dns_find_tkey(dns->tkeys, state->key_name);
- if (tkey == NULL) {
- /* FIXME: read up on what to do when we can't find a key */
- return WERR_OK;
- }
-
/* first build and verify check packet */
check_rec->name = talloc_strdup(check_rec, tkey->name);
if (check_rec->name == NULL) {
return ntstatus_to_werror(status);
}
- tsig->name = talloc_strdup(tsig, check_rec->name);
+ *_psig = sig;
+ return WERR_OK;
+}
+
+WERROR dns_sign_tsig(struct dns_server *dns,
+ TALLOC_CTX *mem_ctx,
+ struct dns_request_state *state,
+ struct dns_name_packet *packet,
+ uint16_t error)
+{
+ WERROR werror;
+ time_t current_time = time(NULL);
+ struct dns_server_tkey *tkey = NULL;
+ struct dns_res_rec *tsig = NULL;
+ DATA_BLOB sig = (DATA_BLOB) {
+ .data = NULL,
+ .length = 0
+ };
+
+ tsig = talloc_zero(mem_ctx, struct dns_res_rec);
+ if (tsig == NULL) {
+ return WERR_NOMEM;
+ }
+
+ tkey = dns_find_tkey(dns->tkeys, state->key_name);
+ if (tkey == NULL) {
+ /* FIXME: read up on what to do when we can't find a key */
+ return WERR_OK;
+ }
+
+ werror = dns_tsig_compute_mac(mem_ctx, state, packet,
+ tkey, current_time, &sig);
+ if (!W_ERROR_IS_OK(werror)) {
+ return werror;
+ }
+
+ tsig->name = talloc_strdup(tsig, state->key_name);
if (tsig->name == NULL) {
return WERR_NOMEM;
}
- tsig->rr_class = check_rec->rr_class;
+ tsig->rr_class = DNS_QCLASS_ANY;
tsig->rr_type = DNS_QTYPE_TSIG;
tsig->ttl = 0;
tsig->length = UINT16_MAX;
- tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig,
- check_rec->algorithm_name);
- tsig->rdata.tsig_record.time_prefix = check_rec->time_prefix;
- tsig->rdata.tsig_record.time = check_rec->time;
- tsig->rdata.tsig_record.fudge = check_rec->fudge;
+ tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
+ tsig->rdata.tsig_record.time_prefix = 0;
+ tsig->rdata.tsig_record.time = current_time;
+ tsig->rdata.tsig_record.fudge = 300;
tsig->rdata.tsig_record.error = state->tsig_error;
tsig->rdata.tsig_record.original_id = packet->id;
tsig->rdata.tsig_record.other_size = 0;