From: Brian Wellington <source@isc.org>
Date: Fri, 8 Jun 2001 19:37:29 +0000 (+0000)
Subject:  891.	[bug]		Return an error when a SIG(0) signed response to
X-Git-Tag: v9.2.0a2~35
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=3b6bcedffe1d326fd9f6aa3bfb1537af0975fab8;p=thirdparty%2Fbind9.git

 891.	[bug]		Return an error when a SIG(0) signed response to
			an unsigned query is seen.  This should actually
			do the verification, but it's not currently
			possible. [RT #1391]
---

diff --git a/CHANGES b/CHANGES
index 7da122cf9ec..acb0d6966b6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+ 891.	[bug]		Return an error when a SIG(0) signed response to
+ 			an unsigned query is seen.  This should actually
+			do the verification, but it's not currently
+			possible. [RT #1391]
 
  890.	[cleanup]	The man pages no longer require the mandoc macros
 			and should now format cleanly using most versions of
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 4a34fcc57e4..75891ba0d1f 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.67 2001/05/29 22:54:07 bwelling Exp $
+ * $Id: dnssec.c,v 1.68 2001/06/08 19:37:27 bwelling Exp $
  */
 
 
@@ -689,13 +689,15 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	REQUIRE(msg != NULL);
 	REQUIRE(key != NULL);
 
-	if (is_response(msg))
-		REQUIRE(msg->query.base != NULL);
-
 	mctx = msg->mctx;
 
 	msg->verify_attempted = 1;
 
+	if (is_response(msg)) {
+		if (msg->query == NULL)
+			return (DNS_R_UNEXPECTEDTSIG);
+	}
+
 	isc_buffer_usedregion(source, &source_r);
 
 	RETERR(dns_rdataset_first(msg->sig0));
diff --git a/lib/dns/result.c b/lib/dns/result.c
index 02c03604795..a4aead7f06d 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.89 2001/05/10 17:51:48 gson Exp $ */
+/* $Id: result.c,v 1.90 2001/06/08 19:37:29 bwelling Exp $ */
 
 #include <config.h>
 
@@ -80,8 +80,8 @@ static const char *text[DNS_R_NRESULTS] = {
 	"key is unauthorized to sign data",    /* 43 DNS_R_KEYUNAUTHORIZED   */
 	"invalid time",			       /* 44 DNS_R_INVALIDTIME	     */
 
-	"expected a TSIG",		       /* 45 DNS_R_EXPECTEDTSIG	     */
-	"did not expect a TSIG",	       /* 46 DNS_R_UNEXPECTEDTSIG    */
+	"expected a TSIG or SIG(0)",	       /* 45 DNS_R_EXPECTEDTSIG	     */
+	"did not expect a TSIG or SIG(0)",     /* 46 DNS_R_UNEXPECTEDTSIG    */
 	"TKEY is unacceptable",		       /* 47 DNS_R_INVALIDTKEY	     */
 	"hint",				       /* 48 DNS_R_HINT		     */
 	"drop",				       /* 49 DNS_R_DROP		     */