*/
/*
- * $Id: dnssec.c,v 1.56.2.1 2001/01/09 22:43:35 bwelling Exp $
+ * $Id: dnssec.c,v 1.56.2.2 2001/01/16 22:38:42 gson Exp $
*/
RETERR(dst_context_create(key, mctx, &ctx));
+ /*
+ * Digest the fields of the SIG - we can cheat and use
+ * dns_rdata_fromstruct. Since siglen is 0, the digested data
+ * is identical to dns format.
+ */
+ RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
+ dns_rdatatype_sig, &sig, &databuf));
+ isc_buffer_usedregion(&databuf, &r);
+ RETERR(dst_context_adddata(ctx, &r));
+
+ /*
+ * If this is a response, digest the query.
+ */
if (is_response(msg))
RETERR(dst_context_adddata(ctx, msg->query));
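Review bot: The comment added above `dns_rdata_fromstruct` (and its counterpart "Digest the SIG(0) record, except for the signature" in the verification hunk further down) does not record that the digest order is now SIG rdata, then the query, then the message, or that signer and verifier must agree on it. The order determines the bytes that are signed, so a later edit that moves one block without the other would make every SIG(0) fail verification, and peers still using the previous order will presumably not interoperate. I would extend the comment with something like `The order is SIG rdata (minus signature), the query if this is a response, then the message; the verify path must digest in the same order.` and name the specification the order comes from (it looks like RFC 2931's, but confirm). The enclosing function starts and ends outside the hunk.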
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
RETERR(dst_context_adddata(ctx, &r));
- /*
- * Digest the fields of the SIG - we can cheat and use
- * dns_rdata_fromstruct. Since siglen is 0, the digested data
- * is identical to dns format.
- */
- RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
- dns_rdatatype_sig, &sig, &databuf));
- isc_buffer_usedregion(&databuf, &r);
- RETERR(dst_context_adddata(ctx, &r));
-
RETERR(dst_key_sigsize(key, &sigsize));
sig.siglen = sigsize;
sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
RETERR(dst_context_create(key, mctx, &ctx));
+ /*
+ * Digest the SIG(0) record, except for the signature.
+ */
+ dns_rdata_toregion(&rdata, &r);
+ r.length -= sig.siglen;
+ RETERR(dst_context_adddata(ctx, &r));
+
/*
* If this is a response, digest the query.
*/
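Review bot: `r.length -= sig.siglen;` subtracts one length taken from a received message from another, and nothing in this hunk shows that `sig.siglen` cannot exceed the rdata length. If `sig` was parsed from this same `rdata` earlier in the function (not visible here), the invariant probably holds, and the new comment should say so, e.g. `sig was parsed from rdata, so sig.siglen <= r.length`. If it was not, the safer form is an explicit length check before the subtraction that fails verification, because a length that has wrapped (assuming the field is unsigned) would otherwise be passed to `dst_context_adddata`. The line is moved rather than new, and the function body continues outside the hunk.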
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
RETERR(dst_context_adddata(ctx, &r));
- /*
- * Digest the SIG(0) record . Find the start of the record, skip
- * the name and 10 bytes for class, type, ttl, length to get to
- * the start of the rdata.
- */
- dns_rdata_toregion(&rdata, &r);
- r.length -= sig.siglen;
- RETERR(dst_context_adddata(ctx, &r));
-
sig_r.base = sig.signature;
sig_r.length = sig.siglen;
result = dst_context_verify(ctx, &sig_r);