remove the 'new_tsigkey' exception, allow TSIG to be set any time

this allows 'dns_message_settsigkey()' to be run any time after
parsing without having to set a special flag in the message object.

diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 314639238815ca6c362a1520cc41b26afe32e64b..b933a57c91cbd66841ebdd7835f860c571b1f834 100644 (file)
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -224,7 +224,6 @@ struct dns_message {
        unsigned int                    cc_bad : 1;
        unsigned int                    tkey : 1;
        unsigned int                    rdclass_set : 1;
-       unsigned int                    new_tsigkey : 1;
 
        unsigned int                    opt_reserved;
        unsigned int                    sig_reserved;

diff --git a/lib/dns/message.c b/lib/dns/message.c
index d9c8cba17f1a3abfc7d1b30815c799d3f312159e..d03fc8d9c5abada9bca157fcbcabae52ed192d1a 100644 (file)
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -432,7 +432,6 @@ msginit(dns_message_t *m) {
        m->tkey = 0;
        m->rdclass_set = 0;
        m->querytsig = NULL;
-       m->new_tsigkey = 0;
 }
 
 static inline void
@@ -2802,7 +2801,6 @@ dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key) {
         */
 
        REQUIRE(DNS_MESSAGE_VALID(msg));
-       REQUIRE(msg->state == DNS_SECTION_ANY || msg->new_tsigkey == 1);
 
        if (key == NULL && msg->tsigkey != NULL) {
                if (msg->sig_reserved != 0) {

diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 9b206ce19844c7e9de1d07d6bfe75b40a2c27d2b..be4f2668d9ebc455c05db9d9036af57dad653823 100644 (file)
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -631,11 +631,6 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
         */
 
        if (tsigkey != NULL) {
-               /*
-                * First, we have to set the message to accept a new
-                * TSIG key; normally they can only be set during parsing.
-                */
-               msg->new_tsigkey = 1;
                dns_message_settsigkey(msg, tsigkey);
        }
 

diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 26c561cef025175dbb0fcf114f212a773d34fb07..79afd3f15c5f13a58636da6c499b8449ce15d280 100644 (file)
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -756,15 +756,15 @@ dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
 
 isc_result_t
 dns_tsig_sign(dns_message_t *msg) {
-       dns_tsigkey_t *key;
+       dns_tsigkey_t *key = NULL;
        dns_rdata_any_tsig_t tsig, querytsig;
        unsigned char data[128];
        isc_buffer_t databuf, sigbuf;
-       isc_buffer_t *dynbuf;
+       isc_buffer_t *dynbuf = NULL;
        dns_name_t *owner;
        dns_rdata_t *rdata = NULL;
-       dns_rdatalist_t *datalist;
-       dns_rdataset_t *dataset;
+       dns_rdatalist_t *datalist = NULL;
+       dns_rdataset_t *dataset = NULL;
        isc_region_t r;
        isc_stdtime_t now;
        isc_mem_t *mctx;
@@ -778,15 +778,7 @@ dns_tsig_sign(dns_message_t *msg) {
        key = dns_message_gettsigkey(msg);
        REQUIRE(VALID_TSIG_KEY(key));
 
-       /*
-        * If this is a response, there should be a query tsig.
-        */
        response = is_response(msg);
-       if (response && (msg->querytsig == NULL && msg->new_tsigkey == 0)) {
-               return (DNS_R_EXPECTEDTSIG);
-       }
-
-       dynbuf = NULL;
 
        mctx = msg->mctx;
 
@@ -805,7 +797,7 @@ dns_tsig_sign(dns_message_t *msg) {
 
        isc_buffer_init(&databuf, data, sizeof(data));
 
-       if (response && msg->new_tsigkey == 0)
+       if (response)
                tsig.error = msg->querytsigstatus;
        else
                tsig.error = dns_rcode_noerror;
@@ -842,9 +834,15 @@ dns_tsig_sign(dns_message_t *msg) {
                        return (ret);
 
                /*
-                * If this is a response, digest the request's MAC.
+                * If this is a response, and if there was a TSIG in
+                * the query, digest the request's MAC.
+                *
+                * (Note: querytsig should be non-NULL for all
+                * responses except TKEY responses. Those may be signed
+                * with the newly-negotiated TSIG key even if the query
+                * wasn't signed.)
                 */
-               if (response && msg->new_tsigkey == 0) {
+               if (response && msg->querytsig != NULL) {
                        dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
 
                        INSIST(msg->verified_sig);