From: Ondřej Surý
Date: Wed, 2 Mar 2022 10:48:26 +0000 (+0100)
Subject: Add the ability specify the signing / verification time
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5a62e940794686a56e3f502316e573b0c0c77a7;p=thirdparty%2Fbind9.git

Add the ability specify the signing / verification time

When fuzzing it is useful for all signing operations to happen at a specific time for reproducability. Add two variables to the message structure (fuzzing and fuzztime) to specify if a fixed time should be used and the value of that time.

(cherry picked from commit 3e85d8c3d69d62ee585a5544c1454b452cab917e)
---
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 17ee8bd87eb..2adc9747d9d 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -973,7 +973,11 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	sig.labels = 0; /* the root name */
 	sig.originalttl = 0;
-	isc_stdtime_get(&now);
+	if (msg->fuzzing) {
+		now = msg->fuzztime;
+	} else {
+		isc_stdtime_get(&now);
+	}
 	sig.timesigned = now - DNS_TSIG_FUDGE;
 	sig.timeexpire = now + DNS_TSIG_FUDGE;
@@ -1118,7 +1122,12 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 		goto failure;
 	}
-	isc_stdtime_get(&now);
+	if (msg->fuzzing) {
+		now = msg->fuzztime;
+	} else {
+		isc_stdtime_get(&now);
+	}
+
 	if (isc_serial_lt((uint32_t)now, sig.timesigned)) {
 		result = DNS_R_SIGFUTURE;
 		msg->sig0status = dns_tsigerror_badtime;
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index ea457424398..fe51fcfe24b 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -235,6 +235,7 @@ struct dns_message {
 	unsigned int cc_bad : 1;
 	unsigned int tkey : 1;
 	unsigned int rdclass_set : 1;
+	unsigned int fuzzing : 1;
 	unsigned int opt_reserved;
 	unsigned int sig_reserved;
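Review bot: The five-line `if (msg->fuzzing) { now = msg->fuzztime; } else { isc_stdtime_get(&now); }` block added here in dns_dnssec_signmessage is copied verbatim into dns_dnssec_verifymessage and into the three tsig.c sites (dns_tsig_sign, dns_tsig_verify, tsig_verify_tcp); a single static inline helper in message.h, e.g. `static inline isc_stdtime_t dns_message_now(const dns_message_t *msg)` returning `msg->fuzzing ? msg->fuzztime : <wall clock>`, would keep the fixed-clock policy in one place so a later change (such as compiling it out for release builds) cannot miss a call site. The diff also does not show where `fuzzing` and `fuzztime` are initialised or cleared; if dns_message_create and dns_message_reset do not zero the new bit, `msg->fuzzing` is an indeterminate bitfield at this read and a signing path could silently use a stale `fuzztime` — please confirm the reset path covers both fields. The enclosing function starts and ends outside the hunk.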
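Review bot: The new `fuzzing : 1` bit in struct dns_message is added without a comment, while its companion field `fuzztime` gets one; since setting this bit replaces the wall clock in every TSIG/SIG(0) sign and verify path, a one-line note on the flag is worth having, e.g. `unsigned int fuzzing : 1; /* use fuzztime instead of the wall clock for signing/verification */`. It would also help to state who may set it (test/fuzz harnesses only, never derived from wire data), since the bitfield otherwise reads like any other parser-maintained flag in this group.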
@@ -277,6 +278,11 @@ struct dns_message {
 	isc_region_t query;
 	isc_region_t saved;
+	/*
+	 * Time to be used when fuzzing.
+	 */
+	isc_stdtime_t fuzztime;
+
 	dns_rdatasetorderfunc_t order;
 	dns_sortlist_arg_t order_arg;
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 8f4c3b9d1b4..7b0129f1a8f 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -800,7 +800,12 @@ dns_tsig_sign(dns_message_t *msg) {
 	dns_name_init(&tsig.algorithm, NULL);
 	dns_name_clone(key->algorithm, &tsig.algorithm);
-	isc_stdtime_get(&now);
+	if (msg->fuzzing) {
+		now = msg->fuzztime;
+	} else {
+		isc_stdtime_get(&now);
+	}
+
 	tsig.timesigned = now + msg->timeadjust;
 	tsig.fudge = DNS_TSIG_FUDGE;
@@ -1168,7 +1173,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	/*
 	 * Get the current time.
 	 */
-	isc_stdtime_get(&now);
+	if (msg->fuzzing) {
+		now = msg->fuzztime;
+	} else {
+		isc_stdtime_get(&now);
+	}
 	/*
 	 * Find dns_tsigkey_t based on keyname.
@@ -1666,7 +1675,11 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	/*
 	 * Is the time ok?
 	 */
-	isc_stdtime_get(&now);
+	if (msg->fuzzing) {
+		now = msg->fuzztime;
+	} else {
+		isc_stdtime_get(&now);
+	}
 	if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
 		msg->tsigstatus = dns_tsigerror_badtime;
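Review bot: In dns_tsig_verify the clock that feeds the TSIG badtime check (and, in tsig_verify_tcp below, the `now + msg->timeadjust > tsig.timesigned + tsig.fudge` comparison) is now taken from the message itself whenever `msg->fuzzing` is set, so the replay-window protection is only as trustworthy as the code that owns that bit; the hunk is unconditional, meaning the override is live in production builds too. Since the commit message scopes this to fuzzing, it seems worth compiling the override out elsewhere, e.g. wrapping the branch in `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` / `#endif` with the plain `isc_stdtime_get(&now);` as the fallback, or at least asserting in the helper that the flag is only honoured under that build. The comment above this hunk, `Get the current time.`, no longer describes what the code does; `Get the current time (or the fixed fuzzing time).` would match. The enclosing function starts and ends outside the hunk.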