650. [bug] SIG(0) records were being generated and verified

incorrectly. [RT #606]
This commit is contained in:
Brian Wellington 2001-01-04 00:10:13 +00:00
parent 84d982f168
commit abfbf760f3
2 changed files with 24 additions and 20 deletions


@ -1,3 +1,6 @@
650. [bug] SIG(0) records were being generated and verified
incorrectly. [RT #606]
649. [bug] It was possible to join to an already running fctx
after it had "cloned" its events, but before it sent
them. In this case, the event of the newly joined


@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.57 2001/01/03 20:42:07 bwelling Exp $
* $Id: dnssec.c,v 1.58 2001/01/04 00:10:13 bwelling Exp $
*/
@ -559,6 +559,19 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
RETERR(dst_context_create(key, mctx, &ctx));
/*
* Digest the fields of the SIG - we can cheat and use
* dns_rdata_fromstruct. Since siglen is 0, the digested data
* is identical to dns format.
*/
RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
dns_rdatatype_sig, &sig, &databuf));
isc_buffer_usedregion(&databuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
if (is_response(msg))
RETERR(dst_context_adddata(ctx, &msg->query));
@ -577,16 +590,6 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the fields of the SIG - we can cheat and use
* dns_rdata_fromstruct. Since siglen is 0, the digested data
* is identical to dns format.
*/
RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
dns_rdatatype_sig, &sig, &databuf));
isc_buffer_usedregion(&databuf, &r);
RETERR(dst_context_adddata(ctx, &r));
RETERR(dst_key_sigsize(key, &sigsize));
sig.siglen = sigsize;
sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
@ -697,6 +700,13 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
RETERR(dst_context_create(key, mctx, &ctx));
/*
* Digest the SIG(0) record, except for the signature.
*/
dns_rdata_toregion(&rdata, &r);
r.length -= sig.siglen;
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
@ -729,15 +739,6 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the SIG(0) record . Find the start of the record, skip
* the name and 10 bytes for class, type, ttl, length to get to
* the start of the rdata.
*/
dns_rdata_toregion(&rdata, &r);
r.length -= sig.siglen;
RETERR(dst_context_adddata(ctx, &r));
sig_r.base = sig.signature;
sig_r.length = sig.siglen;
result = dst_context_verify(ctx, &sig_r);
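Review bot: The digest order the new code establishes (SIG RDATA minus the signature, then the query for a response, then the message) is the whole substance of this fix, yet neither new comment says why that order is required, so the reordering this commit undoes could easily be reintroduced. I would extend the comment above the `dns_rdata_fromstruct` call in dns_dnssec_signmessage and the one above `dns_rdata_toregion` in dns_dnssec_verifymessage with a line such as ` * Must be digested before the query/message: RFC 2931 section 3.1 fixes this order.` In dns_dnssec_verifymessage, `r.length -= sig.siglen;` relies on siglen never exceeding the rdata length — presumably guaranteed because dns_rdata_tostruct parsed the signature out of that same rdata, but an `INSIST(r.length >= sig.siglen);` before the subtraction would make the absence of unsigned underflow explicit rather than implicit. Both functions begin and end outside these hunks.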