Diffstat (limited to 'lib/dns/tsig.c')
| -rw-r--r-- | lib/dns/tsig.c | 30 | 
1 files changed, 17 insertions, 13 deletions
| diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 74ef8d424a2d1..76c239bb775f2 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -1,5 +1,5 @@  /* - * Copyright (C) 2004-2011  Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")   * Copyright (C) 1999-2002  Internet Software Consortium.   *   * Permission to use, copy, modify, and/or distribute this software for any @@ -16,7 +16,7 @@   */  /* - * $Id: tsig.c,v 1.147.10.1 2011-03-21 19:53:34 each Exp $ + * $Id$   */  /*! \file */  #include <config.h> @@ -889,6 +889,7 @@ dns_tsig_sign(dns_message_t *msg) {  	isc_result_t ret;  	unsigned char badtimedata[BADTIMELEN];  	unsigned int sigsize = 0; +	isc_boolean_t response = is_response(msg);  	REQUIRE(msg != NULL);  	REQUIRE(VALID_TSIG_KEY(dns_message_gettsigkey(msg))); @@ -896,7 +897,7 @@ dns_tsig_sign(dns_message_t *msg) {  	/*  	 * If this is a response, there should be a query tsig.  	 */ -	if (is_response(msg) && msg->querytsig == NULL) +	if (response && msg->querytsig == NULL)  		return (DNS_R_EXPECTEDTSIG);  	dynbuf = NULL; @@ -919,7 +920,7 @@ dns_tsig_sign(dns_message_t *msg) {  	isc_buffer_init(&databuf, data, sizeof(data)); -	if (is_response(msg)) +	if (response)  		tsig.error = msg->querytsigstatus;  	else  		tsig.error = dns_rcode_noerror; @@ -948,7 +949,7 @@ dns_tsig_sign(dns_message_t *msg) {  		/*  		 * If this is a response, digest the query signature.  		 */ -		if (is_response(msg)) { +		if (response) {  			dns_rdata_t querytsigrdata = DNS_RDATA_INIT;  			ret = dns_rdataset_first(msg->querytsig); 
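Review bot: In the hunk at line 889 of dns_tsig_sign, `isc_boolean_t response = is_response(msg);` evaluates is_response() in the initializer, which runs before `REQUIRE(msg != NULL)` and the VALID_TSIG_KEY check; if is_response() reads msg->flags, as its use here suggests, a NULL msg now faults inside the initializer instead of tripping the REQUIRE with a clear assertion message. The later hunk at line 1170 in dns_tsig_verify gets the order right by declaring `isc_boolean_t response;` with the other locals and assigning `response = is_response(msg);` only after the REQUIRE lines that validate msg; the sign path should follow the same pattern, declaring the variable in the hunk at 889 and assigning it after the two REQUIREs. The remaining hunks on this line only substitute `response` for `is_response(msg)` and need no change. The body of is_response and the rest of dns_tsig_sign lie outside the hunk.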
@@ -1017,8 +1018,10 @@ dns_tsig_sign(dns_message_t *msg) {  		}  		/* Digest the timesigned and fudge */  		isc_buffer_clear(&databuf); -		if (tsig.error == dns_tsigerror_badtime) +		if (tsig.error == dns_tsigerror_badtime) { +			INSIST(response);  			tsig.timesigned = querytsig.timesigned; +		}  		isc_buffer_putuint48(&databuf, tsig.timesigned);  		isc_buffer_putuint16(&databuf, tsig.fudge);  		isc_buffer_usedregion(&databuf, &r); @@ -1040,7 +1043,7 @@ dns_tsig_sign(dns_message_t *msg) {  				goto cleanup_context;  			/* -			 * Digest the error and other data. +			 * Digest other data.  			 */  			if (tsig.otherlen > 0) {  				r.length = tsig.otherlen; @@ -1068,7 +1071,7 @@ dns_tsig_sign(dns_message_t *msg) {  		digestbits = dst_key_getbits(key->key);  		if (digestbits != 0) {  			unsigned int bytes = (digestbits + 1) / 8; -			if (is_response(msg) && bytes < querytsig.siglen) +			if (response && bytes < querytsig.siglen)  				bytes = querytsig.siglen;  			if (bytes > isc_buffer_usedlength(&sigbuf))  				bytes = isc_buffer_usedlength(&sigbuf); @@ -1170,10 +1173,12 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,  	isc_uint16_t addcount, id;  	unsigned int siglen;  	unsigned int alg; +	isc_boolean_t response;  	REQUIRE(source != NULL);  	REQUIRE(DNS_MESSAGE_VALID(msg));  	tsigkey = dns_message_gettsigkey(msg); +	response = is_response(msg);  	REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey)); @@ -1195,8 +1200,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,  	 * If this is a response and there's no key or query TSIG, there  	 * shouldn't be one on the response.  	 */ -	if (is_response(msg) && -	    (tsigkey == NULL || msg->querytsig == NULL)) +	if (response && (tsigkey == NULL || msg->querytsig == NULL))  		return (DNS_R_UNEXPECTEDTSIG);  	mctx = msg->mctx; 
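Review bot: The new `INSIST(response);` in the badtime branch at line 1018 of dns_tsig_sign states an invariant a reader cannot verify locally: it holds only because the hunk at line 919 sets tsig.error to msg->querytsigstatus when response is true and to dns_rcode_noerror otherwise, which is also what keeps `querytsig.timesigned` on the next line from being read for a query, where querytsig was never filled in. A one-line comment at the INSIST would carry that reasoning, e.g. `/* badtime is only copied from the query TSIG, so querytsig is populated here */`. INSIST is a fatal assertion, which is acceptable here since the condition is fixed by this function's own control flow rather than by anything in the message, but the comment is what makes that clear to the next maintainer. The enclosing block of the signing loop begins and ends outside the hunk.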
@@ -1215,7 +1219,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,  	if (ret != ISC_R_SUCCESS)  		return (ret);  	dns_rdata_reset(&rdata); -	if (is_response(msg)) { +	if (response) {  		ret = dns_rdataset_first(msg->querytsig);  		if (ret != ISC_R_SUCCESS)  			return (ret); @@ -1228,7 +1232,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,  	/*  	 * Do the key name and algorithm match that of the query?  	 */ -	if (is_response(msg) && +	if (response &&  	    (!dns_name_equal(keyname, &tsigkey->name) ||  	     !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {  		msg->tsigstatus = dns_tsigerror_badkey; @@ -1326,7 +1330,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,  		if (ret != ISC_R_SUCCESS)  			return (ret); -		if (is_response(msg)) { +		if (response) {  			isc_buffer_init(&databuf, data, sizeof(data));  			isc_buffer_putuint16(&databuf, querytsig.siglen);  			isc_buffer_usedregion(&databuf, &r); | 
