Commit 5c688a00 authored by Brian Wellington's avatar Brian Wellington

A bit of SIG(0) cleanup

parent f2762b0d
......@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.12 1999/11/02 19:53:41 bwelling Exp $
* $Id: dnssec.c,v 1.13 1999/11/02 22:58:28 bwelling Exp $
* Principal Author: Brian Wellington
*/
......@@ -733,9 +733,7 @@ failure:
}
isc_result_t
dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
dst_key_t *key)
{
dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) {
dns_rdata_generic_sig_t sig;
unsigned char header[DNS_MESSAGE_HEADERLEN];
dns_rdata_t rdata;
......@@ -749,8 +747,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
isc_uint16_t addcount;
isc_boolean_t signeedsfree = ISC_FALSE;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
REQUIRE(msg->saved != NULL);
REQUIRE(key != NULL);
if (is_response(msg))
......@@ -798,9 +796,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
NULL));
/* Extract the header */
isc_buffer_used(source, &r);
memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
memcpy(header, msg->saved->base, DNS_MESSAGE_HEADERLEN);
/* Decrement the additional field counter */
memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
......@@ -813,6 +809,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
RETERR(dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r, NULL));
/* Digest all non-SIG(0) records */
r.base = msg->saved->base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
RETERR(dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
......@@ -821,8 +818,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
* the name and 10 bytes for class, type, ttl, length to get to
* the start of the rdata.
*/
isc_buffer_used(source, &r);
isc_region_consume(&r, msg->sigstart);
r.base = msg->saved->base + msg->sigstart;
r.length = msg->saved->length - msg->sigstart;
dns_name_init(&tname, NULL);
dns_name_fromregion(&tname, &r);
dns_name_toregion(&tname, &r2);
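Review bot: The new `REQUIRE(msg->saved != NULL)` in the precondition hunk turns a message without SIG(0) into an assertion failure rather than the ISC_R_NOTFOUND return the new header comment promises, because the dns_message_parse hunk in message.c allocates msg->saved only when the SIG(0) section is non-empty. For a routine that may be handed packets the peer chose, a process abort is a worse outcome than a rejected signature, so I would replace that REQUIRE with `if (msg->saved == NULL) return (ISC_R_NOTFOUND);` and leave the documented return list as it is. The same contract gap is in the dns_dnssec_verifymessage comment in the dnssec.h hunk, which lists ISC_R_NOTFOUND but does not say that 'msg' must come from dns_message_parse(). Separately, `r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;` and `r.length = msg->saved->length - msg->sigstart;` are unsigned subtractions with no check that sigstart lies within [DNS_MESSAGE_HEADERLEN, saved->length]; if getsection() guarantees that, an `INSIST` stating it here would record the invariant where it is relied on. The body of dns_dnssec_verifymessage continues outside the hunks shown.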
......
......@@ -110,7 +110,6 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
* Returns:
* DNS_R_SUCCESS
* ISC_R_NOMEMORY
* DNS_R_RANGE - the SIG record has an invalid signature length
* DNS_R_SIGINVALID - the signature fails to verify
* DNS_R_SIGEXPIRED - the signature has expired
* DNS_R_SIGFUTURE - the signature's validity period has not begun
......@@ -147,10 +146,40 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
isc_result_t
dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
/*
* Signs a message with a SIG(0) record. This is implicitly called by
* dns_message_renderend() if msg->sig0key is not NULL.
*
* Requires:
* 'msg' is a valid message
* 'key' is a valid key that can be used for signing
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOMEMORY
* DST_R_*
*/
isc_result_t
dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
dst_key_t *key);
dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key);
/*
* Verifies a message signed by a SIG(0) record. This is not
* called implicitly by dns_message_parse(). If dns_message_signer()
* is called before dns_dnssec_verifymessage(), it will return
* DNS_R_SIGNOTVERIFIEDYET. dns_dnssec_verifymessage() will set
* the verified_sig0 flag in msg if the verify succeeds, and
* the sig0status field otherwise.
*
* Requires:
* 'msg' is a valid message
* 'key' is a valid key
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOMEMORY
* ISC_R_NOTFOUND - no SIG(0) was found
* DST_R_*
*/
ISC_LANG_ENDDECLS
......
......@@ -164,7 +164,6 @@ struct dns_message {
unsigned int header_ok : 1;
unsigned int question_ok : 1;
unsigned int tcp_continuation: 1;
unsigned int response_needs_sig0: 1;
unsigned int verified_sig0: 1;
unsigned int reserved; /* reserved space (render) */
......@@ -196,6 +195,7 @@ struct dns_message {
dst_key_t *sig0key;
dns_rcode_t sig0status;
isc_region_t *query;
isc_region_t *saved;
};
dns_result_t
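Review bot: The new `saved` member has no comment on ownership or lifetime, unlike the `reserved` field a few lines above, so a reader of the struct cannot tell that it points at a heap copy of the parsed wire message or who releases it. From the accompanying message.c hunks it is allocated in dns_message_parse() when the SIG(0) section is non-empty, freed in msgreset(), and handed over to `query` by dns_message_reply(); I would write `isc_region_t *saved; /* heap copy of the parsed wire message when it carried SIG(0); freed by msgreset() or moved to 'query' by dns_message_reply() */`. The struct definition starts outside the section shown.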
......
......@@ -294,6 +294,7 @@ msginittsig(dns_message_t *m)
m->sig0key = NULL;
m->sig0status = dns_rcode_noerror;
m->query = NULL;
m->saved = NULL;
}
/*
......@@ -309,7 +310,6 @@ msginit(dns_message_t *m)
m->header_ok = 0;
m->question_ok = 0;
m->tcp_continuation = 0;
m->response_needs_sig0 = 0;
m->verified_sig0 = 0;
}
......@@ -455,6 +455,12 @@ msgreset(dns_message_t *msg, isc_boolean_t everything)
msg->query = NULL;
}
if (msg->saved != NULL) {
isc_mem_put(msg->mctx, msg->saved->base, msg->saved->length);
isc_mem_put(msg->mctx, msg->saved, sizeof(isc_region_t));
msg->saved = NULL;
}
/*
* cleanup the buffer cleanup list
*/
......@@ -1065,8 +1071,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
else if (covers == 0) {
msg->sigstart = recstart;
section = &msg->sections[DNS_SECTION_SIG0];
if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0)
msg->response_needs_sig0 = 1;
}
} else
covers = 0;
......@@ -1256,20 +1260,20 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
if (ret != DNS_R_SUCCESS)
return ret;
}
else if (msg->response_needs_sig0 == 1) {
msg->query = isc_mem_get(msg->mctx, sizeof(isc_region_t));
if (msg->query == NULL)
else if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])) {
msg->saved = isc_mem_get(msg->mctx, sizeof(isc_region_t));
if (msg->saved == NULL)
return (ISC_R_NOMEMORY);
isc_buffer_used(&origsource, &r);
msg->query->length = msg->sigstart;
msg->query->base = isc_mem_get(msg->mctx, msg->query->length);
if (msg->query->base == NULL) {
isc_mem_put(msg->mctx, msg->query,
msg->saved->length = r.length;
msg->saved->base = isc_mem_get(msg->mctx, msg->saved->length);
if (msg->saved->base == NULL) {
isc_mem_put(msg->mctx, msg->saved,
sizeof(isc_region_t));
msg->query = NULL;
msg->saved = NULL;
return (ISC_R_NOMEMORY);
}
memcpy(msg->query->base, r.base, msg->query->length);
memcpy(msg->saved->base, r.base, msg->saved->length);
}
return (DNS_R_SUCCESS);
......@@ -1878,6 +1882,10 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
msg->querytsigstatus = msg->tsigstatus;
msg->tsigstatus = dns_rcode_noerror;
}
if (msg->saved != NULL) {
msg->query = msg->saved;
msg->saved = NULL;
}
return (DNS_R_SUCCESS);
}
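Review bot: In the dns_message_reply hunk, `msg->query = msg->saved;` overwrites the existing `query` pointer without releasing it, and within this section the msgreset hunk is the only place that allocation is freed; if dns_message_reply() can run on a message whose query is already set, the old region leaks. If a non-NULL query is impossible at that point, make the assumption visible with `INSIST(msg->query == NULL);` before the move; otherwise release the old base and region first, the way msgreset() does. The ownership transfer is also undocumented; a one-line comment such as `/* the reply takes over the saved wire copy as its query */` would tell the next reader why saved is cleared here rather than freed.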
......