pullup:

author Andreas Gustafsson <source@isc.org>

Tue, 17 Apr 2001 17:37:20 +0000 (17:37 +0000)

committer Andreas Gustafsson <source@isc.org>

Tue, 17 Apr 2001 17:37:20 +0000 (17:37 +0000)
author Andreas Gustafsson <source@isc.org>
Tue, 17 Apr 2001 17:37:20 +0000 (17:37 +0000)
committer Andreas Gustafsson <source@isc.org>
Tue, 17 Apr 2001 17:37:20 +0000 (17:37 +0000)
diff --git a/CHANGES b/CHANGES

index 554be76e3ffa915360d992f911d235a051c92580..87363747d74f826e07a1252d6f270250b4bc44a4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
  
+ 810.  [bug]           The signer name in SIG records was not properly
+                       downcased when signing/verifying records. [RT #1186]
+
   807.  [bug]           When setting up TCP connections for incoming zone
                         transfers, the transfer-source port was not
                         ignored like it should be.
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c

index a994262fd3d17a305f78ce6479b90d596b28f6ba..5608dde5f7f0b123f4a3c8d7d539d412671c72ac 100644 (file)
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
   */
  
  /*
- * $Id: dnssec.c,v 1.56.2.3 2001/03/26 19:12:48 gson Exp $
+ * $Id: dnssec.c,v 1.56.2.4 2001/04/17 17:37:20 gson Exp $
   */
  
  
@@ -140,12 +140,32 @@ dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
         return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
  }
  
+static isc_result_t
+digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_sig_t *sig) {
+       isc_region_t r;
+       isc_result_t ret;
+       dns_fixedname_t fname;
+
+       dns_rdata_toregion(sigrdata, &r);
+       INSIST(r.length >= 19);
+
+       r.length = 18;
+       ret = dst_context_adddata(ctx, &r);
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+       dns_fixedname_init(&fname);
+       dns_name_downcase(&sig->signer, dns_fixedname_name(&fname), NULL);
+       dns_name_toregion(dns_fixedname_name(&fname), &r);
+       return (dst_context_adddata(ctx, &r));
+}
+
  isc_result_t
  dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
                 isc_stdtime_t *inception, isc_stdtime_t *expire,
                 isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
  {
         dns_rdata_sig_t sig;
+       dns_rdata_t tmpsigrdata;
         dns_rdata_t *rdatas;
         int nrdatas, i;
         isc_buffer_t b, sigbuf, envbuf;
@@ -204,13 +224,12 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
                 return (ISC_R_NOMEMORY);
  
         isc_buffer_init(&b, data, sizeof(data));
-       ret = dns_rdata_fromstruct(NULL, sig.common.rdclass,
-                                 sig.common.rdtype, &sig, &b);
+       dns_rdata_init(&tmpsigrdata);
+       ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
+                                  sig.common.rdtype, &sig, &b);
         if (ret != ISC_R_SUCCESS)
                 goto cleanup_signature;
  
-       isc_buffer_usedregion(&b, &r);
-
         ret = dst_context_create(key, mctx, &ctx);
         if (ret != ISC_R_SUCCESS)
                 goto cleanup_signature;
@@ -218,9 +237,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
         /*
          * Digest the SIG rdata.
          */
-       INSIST(r.length >= sig.siglen);
-       r.length -= sig.siglen;
-       ret = dst_context_adddata(ctx, &r);
+       ret = digest_sig(ctx, &tmpsigrdata, &sig);
         if (ret != ISC_R_SUCCESS)
                 goto cleanup_context;
  
@@ -347,21 +364,16 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
         if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
                 return (DNS_R_KEYUNAUTHORIZED);
  
-       /*
-        * Digest the SIG rdata (not including the signature).
-        */
-       dns_rdata_toregion(sigrdata, &r);
-       INSIST(r.length >= sig.siglen); 
-       r.length -= sig.siglen;
-       RUNTIME_CHECK(r.length >= 19);
-
         ret = dst_context_create(key, mctx, &ctx);
         if (ret != ISC_R_SUCCESS)
                 goto cleanup_struct;
  
-       ret = dst_context_adddata(ctx, &r);
+       /*
+        * Digest the SIG rdata (not including the signature).
+        */
+       ret = digest_sig(ctx, sigrdata, &sig);
         if (ret != ISC_R_SUCCESS)
-               goto cleanup_struct;
+               goto cleanup_context;
  
         /*
          * If the name is an expanded wildcard, use the wildcard name.
author	Andreas Gustafsson <source@isc.org>
	Tue, 17 Apr 2001 17:37:20 +0000 (17:37 +0000)
committer	Andreas Gustafsson <source@isc.org>
	Tue, 17 Apr 2001 17:37:20 +0000 (17:37 +0000)
CHANGES		patch \| blob \| blame \| history
lib/dns/dnssec.c		patch \| blob \| blame \| history