674. [func] Allow messages to be TSIG signed / verified using

a offset from the current time.

674. [func] Allow messages to be TSIG signed / verified using
a offset from the current time.
19c7cce8 · Mark Andrews · d6230d41 · 19c7cce8 · 19c7cce8 · 19c7cce8
Commit 19c7cce8 authored Jan 09, 2001 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
+ 674.	[func]		Allow messages to be TSIG signed / verified using
+			a offset from the current time.

 673.	[func]		The server can now convert RFC1886-style recursive
 			lookup requests into RFC2874-style lookups, when 

--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: message.h,v 1.87 2001/01/09 21:53:03 bwelling Exp $ */
+/* $Id: message.h,v 1.88 2001/01/09 23:35:33 marka Exp $ */

 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -217,6 +217,7 @@ struct dns_message {
 	dns_tsigkey_t		       *tsigkey;
 	dst_context_t		       *tsigctx;
 	int				sigstart;
+	int				timeadjust;

 	dns_name_t		       *sig0name;
 	dst_key_t		       *sig0key;
@@ -1194,9 +1195,29 @@ dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
 * 'order_arg' are NULL, a default order is used.
 *
 * Requires:
+ *	msg be a valid message.
 *	order_arg is NULL if and only if order is NULL.
 */

+void 
+dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
+/*
+ * Adjust the time used to sign/verify a message by timeadjust.
+ * Currently only TSIG.
+ *
+ * Requires:
+ *	msg be a valid message.
+ */
+
+int 
+dns_message_gettimeadjust(dns_message_t *msg);
+/*
+ * Return the current time adjustment.
+ *
+ * Requires:
+ *	msg be a valid message.
+ */
+
 ISC_LANG_ENDDECLS

 #endif /* DNS_MESSAGE_H */
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: message.c,v 1.171 2001/01/09 21:51:05 bwelling Exp $ */
+/* $Id: message.c,v 1.172 2001/01/09 23:35:27 marka Exp $ */

 /***
 *** Imports
@@ -355,6 +355,7 @@ msginittsig(dns_message_t *m) {
 	m->sigstart = -1;
 	m->sig0key = NULL;
 	m->sig0status = dns_rcode_noerror;
+	m->timeadjust = 0;
 }

 /*
@@ -2978,7 +2979,19 @@ void
 dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
 			 void *order_arg)
 {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
 	msg->order = order;
 	msg->order_arg = order_arg;
 }
-     
+
+void
+dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	msg->timeadjust = timeadjust;
+}
+
+int
+dns_message_gettimeadjust(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	return (msg->timeadjust);
+}
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
 */

 /*
- * $Id: tsig.c,v 1.100 2001/01/09 21:51:39 bwelling Exp $
+ * $Id: tsig.c,v 1.101 2001/01/09 23:35:29 marka Exp $
 * Principal Author: Brian Wellington
 */

@@ -399,7 +399,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	dns_name_clone(key->algorithm, &tsig.algorithm);

 	isc_stdtime_get(&now);
-	tsig.timesigned = now;
+	tsig.timesigned = now + msg->timeadjust;
 	tsig.fudge = DNS_TSIG_FUDGE;

 	tsig.originalid = msg->id;
@@ -739,9 +739,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	/*
 	 * Is the time ok?
 	 */
-	if (abs(now - tsig.timesigned) > tsig.fudge) {
+	if (abs(now + msg->timeadjust - tsig.timesigned) > tsig.fudge) {
 		msg->tsigstatus = dns_tsigerror_badtime;
-		if (now > tsig.timesigned + tsig.fudge)
+		if (now + msg->timeadjust > tsig.timesigned + tsig.fudge)
 			tsig_log(msg->tsigkey, 2,
 				 "signature has expired");
 		else