Commit 19c7cce8 authored by Mark Andrews's avatar Mark Andrews

674. [func] Allow messages to be TSIG signed / verified using

                        an offset from the current time.
parent d6230d41
674. [func] Allow messages to be TSIG signed / verified using
a offset from the current time.
673. [func] The server can now convert RFC1886-style recursive
lookup requests into RFC2874-style lookups, when
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: message.h,v 1.87 2001/01/09 21:53:03 bwelling Exp $ */
/* $Id: message.h,v 1.88 2001/01/09 23:35:33 marka Exp $ */
#ifndef DNS_MESSAGE_H
#define DNS_MESSAGE_H 1
......@@ -217,6 +217,7 @@ struct dns_message {
dns_tsigkey_t *tsigkey;
dst_context_t *tsigctx;
int sigstart;
int timeadjust;
dns_name_t *sig0name;
dst_key_t *sig0key;
......@@ -1194,9 +1195,29 @@ dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
* 'order_arg' are NULL, a default order is used.
*
* Requires:
* msg be a valid message.
* order_arg is NULL if and only if order is NULL.
*/
void
dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
/*
* Adjust the time used to sign/verify a message by timeadjust.
* Currently only TSIG.
*
* Requires:
* msg be a valid message.
*/
int
dns_message_gettimeadjust(dns_message_t *msg);
/*
* Return the current time adjustment.
*
* Requires:
* msg be a valid message.
*/
ISC_LANG_ENDDECLS
#endif /* DNS_MESSAGE_H */
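Review bot: The comment under `dns_message_settimeadjust` does not say what unit `timeadjust` is in or which direction a positive value moves the clock, and both matter because the value shifts the TSIG time check. Judging from the tsig.c changes in this commit it is added to `now`, so it appears to be seconds with positive meaning later; I would state that, e.g. `* 'timeadjust' is in seconds and is added to the current time; a positive value signs/verifies as if it were later.` It is also worth one line noting that the default is 0 (set in `msginittsig`) and that a non-zero value moves the window in which a signed message is accepted, so it should not be derived from untrusted input.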
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: message.c,v 1.171 2001/01/09 21:51:05 bwelling Exp $ */
/* $Id: message.c,v 1.172 2001/01/09 23:35:27 marka Exp $ */
/***
*** Imports
......@@ -355,6 +355,7 @@ msginittsig(dns_message_t *m) {
m->sigstart = -1;
m->sig0key = NULL;
m->sig0status = dns_rcode_noerror;
m->timeadjust = 0;
}
/*
......@@ -2978,7 +2979,19 @@ void
dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
void *order_arg)
{
REQUIRE(DNS_MESSAGE_VALID(msg));
msg->order = order;
msg->order_arg = order_arg;
}
void
dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
REQUIRE(DNS_MESSAGE_VALID(msg));
msg->timeadjust = timeadjust;
}
int
dns_message_gettimeadjust(dns_message_t *msg) {
REQUIRE(DNS_MESSAGE_VALID(msg));
return (msg->timeadjust);
}
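Review bot: `dns_message_settimeadjust` stores any `int` without a range check, and that value is later added to `now` in the TSIG sign and verify paths. The TSIG time comparison is what limits replay of a captured signed message, so an arbitrarily large offset moves the acceptance window arbitrarily far from the real clock. If the intended use is small clock corrections, a `REQUIRE` or clamp on the magnitude here would stop a bad caller value from silently relaxing that check. The right limit is a policy choice not visible on this page, so at minimum the expected range should be documented at the setter.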
......@@ -16,7 +16,7 @@
*/
/*
* $Id: tsig.c,v 1.100 2001/01/09 21:51:39 bwelling Exp $
* $Id: tsig.c,v 1.101 2001/01/09 23:35:29 marka Exp $
* Principal Author: Brian Wellington
*/
......@@ -399,7 +399,7 @@ dns_tsig_sign(dns_message_t *msg) {
dns_name_clone(key->algorithm, &tsig.algorithm);
isc_stdtime_get(&now);
tsig.timesigned = now;
tsig.timesigned = now + msg->timeadjust;
tsig.fudge = DNS_TSIG_FUDGE;
tsig.originalid = msg->id;
......@@ -739,9 +739,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
/*
* Is the time ok?
*/
if (abs(now - tsig.timesigned) > tsig.fudge) {
if (abs(now + msg->timeadjust - tsig.timesigned) > tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime;
if (now > tsig.timesigned + tsig.fudge)
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge)
tsig_log(msg->tsigkey, 2,
"signature has expired");
else
......
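Review bot: In `dns_tsig_verify` the new condition passes `now + msg->timeadjust - tsig.timesigned` to `abs()`, which takes an `int`. The declarations of `now` and `tsig.timesigned` are outside the hunk, but if either is unsigned or wider than `int` (TSIG's time-signed field is 48 bits on the wire), the difference is converted on the way in and a very large skew can truncate to a small value that passes the fudge test. Adding a signed `timeadjust` makes the conversions harder to reason about, so I would compute the delta once in a signed 64-bit type: `isc_int64_t delta = (isc_int64_t)now + msg->timeadjust - (isc_int64_t)tsig.timesigned;` then `if (delta > tsig.fudge || delta < -(isc_int64_t)tsig.fudge)`, with the inner test becoming `if (delta > tsig.fudge)`. Any other time check in the verify code (for example a TCP-continuation path, if one exists) should use the same adjusted clock; that is not visible here.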