A bit of SIG(0) cleanup

5c688a00 · Brian Wellington · f2762b0d · 5c688a00 · 5c688a00 · 5c688a00
Commit 5c688a00 authored Nov 02, 1999 by Brian Wellington
4 changed files
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
 */

 /*
- * $Id: dnssec.c,v 1.12 1999/11/02 19:53:41 bwelling Exp $
+ * $Id: dnssec.c,v 1.13 1999/11/02 22:58:28 bwelling Exp $
 * Principal Author: Brian Wellington
 */

@@ -733,9 +733,7 @@ failure:
 }

 isc_result_t
-dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
-			 dst_key_t *key)
-{
+dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) {
 	dns_rdata_generic_sig_t sig;
 	unsigned char header[DNS_MESSAGE_HEADERLEN];
 	dns_rdata_t rdata;
@@ -749,8 +747,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	isc_uint16_t addcount;
 	isc_boolean_t signeedsfree = ISC_FALSE;

-	REQUIRE(source != NULL);
 	REQUIRE(msg != NULL);
+	REQUIRE(msg->saved != NULL);
 	REQUIRE(key != NULL);

 	if (is_response(msg))
@@ -798,9 +796,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 				  NULL));

 	/* Extract the header */
-	isc_buffer_used(source, &r);
-	memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
-	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+	memcpy(header, msg->saved->base, DNS_MESSAGE_HEADERLEN);

 	/* Decrement the additional field counter */
 	memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
@@ -813,6 +809,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	RETERR(dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r, NULL));

 	/* Digest all non-SIG(0) records */
+	r.base = msg->saved->base + DNS_MESSAGE_HEADERLEN;
 	r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
 	RETERR(dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));

@@ -821,8 +818,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	 * the name and 10 bytes for class, type, ttl, length to get to
 	 * the start of the rdata.
 	 */
-	isc_buffer_used(source, &r);
-	isc_region_consume(&r, msg->sigstart);
+	r.base = msg->saved->base + msg->sigstart;
+	r.length = msg->saved->length - msg->sigstart;
 	dns_name_init(&tname, NULL);
 	dns_name_fromregion(&tname, &r);
 	dns_name_toregion(&tname, &r2);

--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -110,7 +110,6 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 *	Returns:
 *		DNS_R_SUCCESS
 *		ISC_R_NOMEMORY
- *		DNS_R_RANGE - the SIG record has an invalid signature length
 *		DNS_R_SIGINVALID - the signature fails to verify
 *		DNS_R_SIGEXPIRED - the signature has expired
 *		DNS_R_SIGFUTURE - the signature's validity period has not begun
@@ -147,10 +146,40 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,

 isc_result_t
 dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
+/*
+ *	Signs a message with a SIG(0) record.  This is implicitly called by
+ *	dns_message_renderend() if msg->sig0key is not NULL.
+ *
+ *	Requires:
+ *		'msg' is a valid message
+ *		'key' is a valid key that can be used for signing
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		DST_R_*
+ */

 isc_result_t
-dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
-                         dst_key_t *key);
+dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key);
+/*
+ *	Verifies a message signed by a SIG(0) record.  This is not
+ *	called implicitly by dns_message_parse().  If dns_message_signer()
+ *	is called before dns_dnssec_verifymessage(), it will return
+ *	DNS_R_SIGNOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
+ *	the verified_sig0 flag in msg if the verify succeeds, and
+ *	the sig0status field otherwise.
+ *
+ *	Requires:
+ *		'msg' is a valid message
+ *		'key' is a valid key
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		ISC_R_NOTFOUND - no SIG(0) was found
+ *		DST_R_*
+ */

 ISC_LANG_ENDDECLS


--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -164,7 +164,6 @@ struct dns_message {
 	unsigned int			header_ok : 1;
 	unsigned int			question_ok : 1;
 	unsigned int			tcp_continuation: 1;
-	unsigned int			response_needs_sig0: 1;
 	unsigned int			verified_sig0: 1;

 	unsigned int			reserved; /* reserved space (render) */
@@ -196,6 +195,7 @@ struct dns_message {
 	dst_key_t		       *sig0key;
 	dns_rcode_t			sig0status;
 	isc_region_t		       *query;
+	isc_region_t		       *saved;
 };

 dns_result_t

--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -294,6 +294,7 @@ msginittsig(dns_message_t *m)
 	m->sig0key = NULL;
 	m->sig0status = dns_rcode_noerror;
 	m->query = NULL;
+	m->saved = NULL;
 }

 /*
@@ -309,7 +310,6 @@ msginit(dns_message_t *m)
 	m->header_ok = 0;
 	m->question_ok = 0;
 	m->tcp_continuation = 0;
-	m->response_needs_sig0 = 0;
 	m->verified_sig0 = 0;
 }

@@ -455,6 +455,12 @@ msgreset(dns_message_t *msg, isc_boolean_t everything)
 		msg->query = NULL;
 	}

+	if (msg->saved != NULL) {
+		isc_mem_put(msg->mctx, msg->saved->base, msg->saved->length);
+		isc_mem_put(msg->mctx, msg->saved, sizeof(isc_region_t));
+		msg->saved = NULL;
+	}
+
 	/*
 	 * cleanup the buffer cleanup list
 	 */
@@ -1065,8 +1071,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 			else if (covers == 0) {
 				msg->sigstart = recstart;
 				section = &msg->sections[DNS_SECTION_SIG0];
-				if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0)
-					msg->response_needs_sig0 = 1;
 			}
 		} else
 			covers = 0;
@@ -1256,20 +1260,20 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
 		if (ret != DNS_R_SUCCESS)
 			return ret;
 	}
-	else if (msg->response_needs_sig0 == 1) {
-		msg->query = isc_mem_get(msg->mctx, sizeof(isc_region_t));
-		if (msg->query == NULL)
+	else if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])) {
+		msg->saved = isc_mem_get(msg->mctx, sizeof(isc_region_t));
+		if (msg->saved == NULL)
 			return (ISC_R_NOMEMORY);
 		isc_buffer_used(&origsource, &r);
-		msg->query->length = msg->sigstart;
-		msg->query->base = isc_mem_get(msg->mctx, msg->query->length);
-		if (msg->query->base == NULL) {
-			isc_mem_put(msg->mctx, msg->query,
+		msg->saved->length = r.length;
+		msg->saved->base = isc_mem_get(msg->mctx, msg->saved->length);
+		if (msg->saved->base == NULL) {
+			isc_mem_put(msg->mctx, msg->saved,
 				    sizeof(isc_region_t));
-			msg->query = NULL;
+			msg->saved = NULL;
 			return (ISC_R_NOMEMORY);
 		}
-		memcpy(msg->query->base, r.base, msg->query->length);
+		memcpy(msg->saved->base, r.base, msg->saved->length);
 	}

 	return (DNS_R_SUCCESS);
@@ -1878,6 +1882,10 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
 		msg->querytsigstatus = msg->tsigstatus;
 		msg->tsigstatus = dns_rcode_noerror;
 	}
+	if (msg->saved != NULL) {
+		msg->query = msg->saved;
+		msg->saved = NULL;
+	}

 	return (DNS_R_SUCCESS);
 }