pullup:
authorAndreas Gustafsson <source@isc.org>
Fri, 18 May 2001 21:28:43 +0000 (21:28 +0000)
committerAndreas Gustafsson <source@isc.org>
Fri, 18 May 2001 21:28:43 +0000 (21:28 +0000)
  771.   [cleanup]       TSIG errors related to unsynchronized clocks
                         are logged better. [RT #919]

CHANGES
lib/dns/include/dns/tsig.h
lib/dns/tsig.c

diff --git a/CHANGES b/CHANGES
index 42d146f3dd066d5878e41d96e5961b0d8d714440..5682c48cf9f8bcbf829da7724106fe27c815ed27 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,9 @@
  806.  [bug]           DNS_R_SEENINCLUDE was failing to propagate back up
                        the calling stack to the zone maintence level.
 
+ 771.  [cleanup]       TSIG errors related to unsynchronized clocks
+                       are logged better. [RT #919]
+
  669.  [bug]           dnssec-keygen now makes the public key file
                        non-world-readable for symmetric keys. [RT #403]
 
index f5e100b02cf8e56d1d0a9c1daec3fc2cc9c19cd0..c6e659158131ac1006f62c9bf980cc89d877b3bc 100644 (file)
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig.h,v 1.36.4.1 2001/01/09 22:46:24 bwelling Exp $ */
+/* $Id: tsig.h,v 1.36.4.2 2001/05/18 21:28:43 gson Exp $ */
 
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
@@ -188,6 +188,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
  *             DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
  *             DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
  *                                  and this is a query
+ *             DNS_R_CLOCKSKEW - the TSIG failed to verify because of
+ *                               the time was out of the allowed range.
  *             DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
  */
 
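Review bot: The new DNS_R_CLOCKSKEW entry reads `because of the time was out of the allowed range`, which is ungrammatical, and it omits the second condition under which tsig.c now returns this code: a TSIG whose error field is BADTIME (the `tsig.error == dns_tsigerror_badtime` branches in the tsig.c hunks). Suggest `DNS_R_CLOCKSKEW - the TSIG failed to verify because the signing time was outside the allowed fudge window, or the peer reported BADTIME`. Since callers that previously matched DNS_R_TSIGVERIFYFAILURE for the time case will now see DNS_R_CLOCKSKEW instead, it is worth stating that explicitly in this comment as well.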
index 46a4fbfede353eea602316bce83aab940ba09e5b..beeb3c316cc7f36ea2f708d53dbf34cad5423069 100644 (file)
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.98.4.5 2001/01/22 20:42:29 gson Exp $
+ * $Id: tsig.c,v 1.98.4.6 2001/05/18 21:28:41 gson Exp $
  * Principal Author: Brian Wellington
  */
 
@@ -747,7 +747,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
                else
                        tsig_log(msg->tsigkey, 2,
                                 "signature is in the future");
-               return (DNS_R_TSIGVERIFYFAILURE);
+               return (DNS_R_CLOCKSKEW);
        }
 
        if (tsig.siglen > 0) {
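Review bot: The `return (DNS_R_CLOCKSKEW)` at the end of the time check appears to be reached before the signature itself is examined — the `if (tsig.siglen > 0)` block that follows looks like where the MAC is checked — so the new code reports clock skew for a message whose TSIG has not yet been authenticated. If the intent of the commit is to log these cases more prominently, any sender can trigger such reports without holding the key, so the logging side should not treat DNS_R_CLOCKSKEW as evidence of a genuinely skewed peer; a comment at the return such as `/* Time out of range; the MAC has not been checked yet, so this is unauthenticated. */` would make that visible to callers. The `ret = DNS_R_CLOCKSKEW` assignment in the tsig_verify_tcp hunk (at +968) has the same ordering, although that path only records the result and appears to continue. dns_tsig_verify starts and continues outside this hunk.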
@@ -876,8 +876,12 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 
        msg->tsigstatus = dns_rcode_noerror;
 
-       if (tsig.error != dns_rcode_noerror)
-               return (DNS_R_TSIGERRORSET);
+       if (tsig.error != dns_rcode_noerror) {
+               if (tsig.error == dns_tsigerror_badtime)
+                       return (DNS_R_CLOCKSKEW);
+               else
+                       return (DNS_R_TSIGERRORSET);
+       }
 
        msg->verified_sig = 1;
 
@@ -964,7 +968,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
                isc_stdtime_get(&now);
                if (abs(now - tsig.timesigned) > tsig.fudge) {
                        msg->tsigstatus = dns_tsigerror_badtime;
-                       ret = DNS_R_TSIGVERIFYFAILURE;
+                       ret = DNS_R_CLOCKSKEW;
                        if (now > tsig.timesigned + tsig.fudge)
                                tsig_log(msg->tsigkey, 2,
                                         "signature has expired");
@@ -1066,9 +1070,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
                sig_r.base = tsig.signature;
                sig_r.length = tsig.siglen;
                if (tsig.siglen == 0) {
-                       if (tsig.error != dns_rcode_noerror)
-                               ret = DNS_R_TSIGERRORSET;
-                       else {
+                       if (tsig.error != dns_rcode_noerror) {
+                               if (tsig.error == dns_tsigerror_badtime)
+                                       ret = DNS_R_CLOCKSKEW;
+                               else
+                                       ret = DNS_R_TSIGERRORSET;
+                       } else {
                                tsig_log(msg->tsigkey, 2,
                                         "signature is empty");
                                ret = DNS_R_TSIGVERIFYFAILURE;