mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00
Code Issues Releases Wiki Activity

Use the new DST API

Browse Source
This commit is contained in:
Brian Wellington
2000-06-02 18:59:33 +00:00
parent 011463c376
commit 4fe8755480
11 changed files with 282 additions and 222 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
bin/tests/dst/dst_test.c
View File

@@ -37,12 +37,13 @@ char *current;
const char *tmp = "/tmp";
static void
use(dst_key_t *key) {
use(dst_key_t *key, isc_mem_t *mctx) {
isc_result_t ret;
const char *data = "This is some data";
unsigned char sig[512];
isc_buffer_t databuf, sigbuf;
isc_region_t datareg, sigreg;
dst_context_t *ctx = NULL;
isc_buffer_init(&sigbuf, sig, sizeof(sig));
/*
@@ -54,15 +55,33 @@ use(dst_key_t *key) {
isc_buffer_add(&databuf, strlen(data));
isc_buffer_usedregion(&databuf, &datareg);
ret = dst_key_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
printf("contextcreate(%d) returned: %s\n", dst_key_alg(key),
isc_result_totext(ret));
ret = dst_context_adddata(ctx, &datareg);
if (ret != ISC_R_SUCCESS)
printf("adddata(%d) returned: %s\n", dst_key_alg(key),
isc_result_totext(ret));
ret = dst_context_sign(ctx, &sigbuf);
printf("sign(%d) returned: %s\n", dst_key_alg(key),
isc_result_totext(ret));
dst_context_destroy(&ctx);
isc_buffer_forward(&sigbuf, 1);
isc_buffer_remainingregion(&sigbuf, &sigreg);
ret = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
printf("contextcreate(%d) returned: %s\n", dst_key_alg(key),
isc_result_totext(ret));
ret = dst_context_adddata(ctx, &datareg);
if (ret != ISC_R_SUCCESS)
printf("adddata(%d) returned: %s\n", dst_key_alg(key),
isc_result_totext(ret));
ret = dst_context_verify(ctx, &sigreg);
printf("verify(%d) returned: %s\n", dst_key_alg(key),
isc_result_totext(ret));
dst_context_destroy(&ctx);
}
static void
@@ -116,7 +135,7 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx) {
printf("write(%d) returned: %s\n", alg, isc_result_totext(ret));
if (ret != 0)
return;
use(key);
use(key, mctx);
dns(key, mctx);
dst_key_free(&key);
}
@@ -192,7 +211,7 @@ generate(int alg, isc_mem_t *mctx) {
printf("generate(%d) returned: %s\n", alg, isc_result_totext(ret));
if (alg != DST_ALG_DH)
use(key);
use(key, mctx);
dst_key_free(&key);
}

87
bin/tests/dst/t_dst.c
View File

@@ -78,37 +78,68 @@ cleandir(char *path) {
}
static void
use(dst_key_t *key, isc_result_t exp_result, int *nfails) {
use(dst_key_t *key, isc_mem_t *mctx, isc_result_t exp_result, int *nfails) {
isc_result_t ret;
const char *data = "This is some data";
unsigned char sig[512];
isc_buffer_t databuf, sigbuf;
isc_region_t datareg, sigreg;
dst_context_t *ctx = NULL;
isc_buffer_init(&sigbuf, sig, sizeof(sig));
isc_buffer_init(&databuf, data, strlen(data));
isc_buffer_add(&databuf, strlen(data));
isc_buffer_usedregion(&databuf, &datareg);
ret = dst_key_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS) {
t_info("dst_context_create(%d) returned (%s)\n",
dst_key_alg(key), dst_result_totext(ret));
++*nfails;
return;
}
ret = dst_context_adddata(ctx, &datareg);
if (ret != ISC_R_SUCCESS) {
t_info("dst_context_adddata(%d) returned (%s)\n",
dst_key_alg(key), dst_result_totext(ret));
++*nfails;
return;
}
ret = dst_context_sign(ctx, &sigbuf);
if (ret != exp_result) {
t_info("dst_sign(%d) returned (%s) expected (%s)\n",
t_info("dst_context_sign(%d) returned (%s) expected (%s)\n",
dst_key_alg(key), dst_result_totext(ret),
dst_result_totext(exp_result));
++*nfails;
return;
}
dst_context_destroy(&ctx);
isc_buffer_remainingregion(&sigbuf, &sigreg);
ret = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg, &sigreg);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS) {
t_info("dst_context_create(%d) returned (%s)\n",
dst_key_alg(key), dst_result_totext(ret));
++*nfails;
return;
}
ret = dst_context_adddata(ctx, &datareg);
if (ret != ISC_R_SUCCESS) {
t_info("dst_context_adddata(%d) returned (%s)\n",
dst_key_alg(key), dst_result_totext(ret));
++*nfails;
return;
}
ret = dst_context_verify(ctx, &sigreg);
if (ret != exp_result) {
t_info("dst_verify(%d) returned (%s) expected (%s)\n",
t_info("dst_context_verify(%d) returned (%s) expected (%s)\n",
dst_key_alg(key), dst_result_totext(ret),
dst_result_totext(exp_result));
++*nfails;
return;
}
dst_context_destroy(&ctx);
}
static void
@@ -287,7 +318,7 @@ io(dns_name_t *name, int id, int alg, int type, isc_mem_t *mctx,
}
if (dst_key_alg(key) != DST_ALG_DH)
use(key, exp_result, nfails);
use(key, mctx, exp_result, nfails);
if (chdir(current)) {
t_info("chdir failed %d\n", errno);
@@ -314,7 +345,7 @@ generate(int alg, isc_mem_t *mctx, int size, int *nfails) {
}
if (alg != DST_ALG_DH)
use(key, ISC_R_SUCCESS, nfails);
use(key, mctx, ISC_R_SUCCESS, nfails);
dst_key_free(&key);
}
@@ -618,6 +649,7 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
dns_fixedname_t fname;
dns_name_t *name;
isc_buffer_t b;
dst_context_t *ctx = NULL;
/*
* Read data from file in a form usable by dst_verify.
@@ -686,7 +718,25 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
memset(sig, 0, sizeof(sig));
isc_buffer_init(&sigbuf, sig, sizeof(sig));
isc_result = dst_sign(DST_SIGMODE_ALL, key, NULL, &datareg, &sigbuf);
isc_result = dst_context_create(key, mctx, &ctx);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_context_create(%d) failed %s\n",
dst_result_totext(isc_result));
(void) free(data);
dst_key_free(&key);
++*nprobs;
return;
}
isc_result = dst_context_adddata(ctx, &datareg);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_context_adddata(%d) failed %s\n",
dst_result_totext(isc_result));
(void) free(data);
dst_key_free(&key);
++*nprobs;
return;
}
isc_result = dst_context_sign(ctx, &sigbuf);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_sign(%d) failed %s\n",
dst_result_totext(isc_result));
@@ -695,6 +745,7 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
++*nprobs;
return;
}
dst_context_destroy(&ctx);
rval = sig_tofile(sigpath, &sigbuf);
if (rval != 0) {
@@ -731,18 +782,30 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
if (strstr(expected_result, "!"))
exp_res = 1;
isc_result = dst_key_verify(DST_SIGMODE_ALL, key, NULL, &datareg,
&sigreg);
isc_result = dst_context_create(key, mctx, &ctx);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_context_create returned %s\n",
isc_result_totext(isc_result));
++*nfails;
}
isc_result = dst_context_adddata(ctx, &datareg);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_context_adddata returned %s\n",
isc_result_totext(isc_result));
++*nfails;
}
isc_result = dst_context_verify(ctx, &sigreg);
if ( ((exp_res == 0) && (isc_result != ISC_R_SUCCESS)) ||
((exp_res != 0) && (isc_result == ISC_R_SUCCESS))) {
t_info("dst_verify returned %s, expected %s\n",
t_info("dst_context_verify returned %s, expected %s\n",
isc_result_totext(isc_result),
expected_result);
++*nfails;
}
(void) free(data);
dst_context_destroy(&ctx);
dst_key_free(&key);
return;
}

118
lib/dns/dnssec.c
View File

@@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.41 2000/06/01 18:25:29 tale Exp $
* $Id: dnssec.c,v 1.42 2000/06/02 18:59:12 bwelling Exp $
* Principal Author: Brian Wellington
*/
@@ -55,12 +55,6 @@
#define TYPE_SIGN 0
#define TYPE_VERIFY 1
typedef struct digestctx {
dst_key_t *key;
dst_context_t context;
isc_uint8_t type;
} digestctx_t;
static isc_result_t
digest_callback(void *arg, isc_region_t *data);
@@ -73,18 +67,9 @@ rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
static isc_result_t
digest_callback(void *arg, isc_region_t *data) {
digestctx_t *ctx = arg;
isc_result_t result;
dst_context_t *ctx = arg;
REQUIRE(ctx->type == TYPE_SIGN || ctx->type == TYPE_VERIFY);
if (ctx->type == TYPE_SIGN)
result = dst_key_sign(DST_SIGMODE_UPDATE, ctx->key,
&ctx->context, data, NULL);
else
result = dst_key_verify(DST_SIGMODE_UPDATE, ctx->key,
&ctx->context, data, NULL);
return (result);
return (dst_context_adddata(ctx, data));
}
/*
@@ -169,10 +154,9 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
int nrdatas, i;
isc_buffer_t b, sigbuf, envbuf;
isc_region_t r;
dst_context_t ctx = NULL;
dst_context_t *ctx = NULL;
isc_result_t ret;
unsigned char data[300];
digestctx_t dctx;
isc_uint32_t flags;
unsigned int sigsize;
@@ -230,15 +214,17 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_buffer_usedregion(&b, &r);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
/*
* Digest the SIG rdata.
*/
r.length -= sig.siglen;
ret = dst_key_sign(DST_SIGMODE_INIT | DST_SIGMODE_UPDATE,
key, &ctx, &r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
goto cleanup_context;
dns_name_toregion(name, &r);
@@ -252,14 +238,9 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_buffer_putuint16(&envbuf, set->rdclass);
isc_buffer_putuint32(&envbuf, set->ttl);
memset(&dctx, 0, sizeof(dctx));
dctx.key = key;
dctx.context = ctx;
dctx.type = TYPE_SIGN;
ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
goto cleanup_context;
isc_buffer_usedregion(&envbuf, &r);
for (i = 0; i < nrdatas; i++) {
@@ -270,7 +251,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
/*
* Digest the envelope.
*/
ret = dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
@@ -281,20 +262,20 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
INSIST(rdatas[i].length < 65536);
isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
isc_buffer_usedregion(&lenbuf, &lenr);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &lenr, NULL);
ret = dst_context_adddata(ctx, &lenr);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
/*
* Digest the rdata.
*/
ret = dns_rdata_digest(&rdatas[i], digest_callback, &dctx);
ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
}
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
ret = dst_key_sign(DST_SIGMODE_FINAL, key, &ctx, NULL, &sigbuf);
ret = dst_context_sign(ctx, &sigbuf);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
isc_buffer_usedregion(&sigbuf, &r);
@@ -309,6 +290,8 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
cleanup_array:
isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
cleanup_context:
dst_context_destroy(&ctx);
cleanup_signature:
isc_mem_put(mctx, sig.signature, sig.siglen);
@@ -329,8 +312,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_stdtime_t now;
isc_result_t ret;
unsigned char data[300];
dst_context_t ctx;
digestctx_t dctx;
dst_context_t *ctx = NULL;
int labels;
isc_uint32_t flags;
@@ -372,8 +354,13 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
r.length -= sig.siglen;
RUNTIME_CHECK(r.length >= 19);
ret = dst_key_verify(DST_SIGMODE_INIT | DST_SIGMODE_UPDATE,
key, &ctx, &r, NULL);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
/*
* If the name is an expanded wildcard, use the wildcard name.
@@ -404,14 +391,10 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_buffer_putuint16(&envbuf, set->rdclass);
isc_buffer_putuint32(&envbuf, sig.originalttl);
memset(&dctx, 0, sizeof(dctx));
dctx.key = key;
dctx.context = ctx;
dctx.type = TYPE_VERIFY;
ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
goto cleanup_context;
isc_buffer_usedregion(&envbuf, &r);
for (i = 0; i < nrdatas; i++) {
@@ -422,7 +405,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
/*
* Digest the envelope.
*/
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
@@ -437,23 +420,24 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
/*
* Digest the rdata.
*/
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &lenr,
NULL);
ret = dst_context_adddata(ctx, &lenr);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
ret = dns_rdata_digest(&rdatas[i], digest_callback, &dctx);
ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_array;
}
r.base = sig.signature;
r.length = sig.siglen;
ret = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &r);
if (ret == DST_R_VERIFYFINALFAILURE)
ret = dst_context_verify(ctx, &r);
if (ret == DST_R_VERIFYFAILURE)
ret = DNS_R_SIGINVALID;
cleanup_array:
isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
cleanup_context:
dst_context_destroy(&ctx);
cleanup_struct:
dns_rdata_freestruct(&sig);
@@ -534,7 +518,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
dns_rdataset_t *dataset;
isc_region_t r;
isc_stdtime_t now;
dst_context_t ctx;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_result_t result;
isc_boolean_t signeedsfree = ISC_TRUE;
@@ -573,11 +557,10 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
isc_buffer_init(&databuf, data, sizeof(data));
RETERR(dst_key_sign(DST_SIGMODE_INIT, key, &ctx, NULL, NULL));
RETERR(dst_context_create(key, mctx, &ctx));
if (is_response(msg))
RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, msg->query,
NULL));
RETERR(dst_context_adddata(ctx, msg->query));
/*
* Digest the header.
@@ -585,14 +568,14 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
isc_buffer_init(&headerbuf, header, sizeof(header));
dns_message_renderheader(msg, &headerbuf);
isc_buffer_usedregion(&headerbuf, &r);
RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the remainder of the message.
*/
isc_buffer_usedregion(msg->buffer, &r);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the fields of the SIG - we can cheat and use
@@ -603,7 +586,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
dns_rdatatype_sig, &sig, &databuf));
isc_buffer_usedregion(&databuf, &r);
r.length -= 2;
RETERR(dst_key_sign(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
RETERR(dst_context_adddata(ctx, &r));
RETERR(dst_key_sigsize(key, &sigsize));
sig.siglen = sigsize;
@@ -614,7 +597,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
}
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
RETERR(dst_key_sign(DST_SIGMODE_FINAL, key, &ctx, NULL, &sigbuf));
RETERR(dst_context_sign(ctx, &sigbuf));
rdata = NULL;
RETERR(dns_message_gettemprdata(msg, &rdata));
@@ -649,6 +632,8 @@ failure:
isc_buffer_free(&dynbuf);
if (signeedsfree)
isc_mem_put(mctx, sig.signature, sig.siglen);
if (ctx != NULL)
dst_context_destroy(&ctx);
return (result);
}
@@ -663,7 +648,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
dns_name_t tname;
isc_region_t r, r2, source_r, sig_r, header_r;
isc_stdtime_t now;
dst_context_t ctx;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_result_t result;
isc_uint16_t addcount;
@@ -707,14 +692,13 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
/* XXXBEW ensure that sig.signer refers to this key */
RETERR(dst_key_verify(DST_SIGMODE_INIT, key, &ctx, NULL, NULL));
RETERR(dst_context_create(key, mctx, &ctx));
/*
* If this is a response, digest the query.
*/
if (is_response(msg))
RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx,
msg->query, NULL));
RETERR(dst_context_adddata(ctx, msg->query));
/*
* Extract the header.
@@ -733,14 +717,14 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r, NULL));
RETERR(dst_context_adddata(ctx, &header_r));
/*
* Digest all non-SIG(0) records.
*/
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the SIG(0) record . Find the start of the record, skip
@@ -754,11 +738,11 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
dns_name_toregion(&tname, &r2);
isc_region_consume(&r, r2.length + 10);
r.length -= (sig.siglen + 2);
RETERR(dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, NULL));
RETERR(dst_context_adddata(ctx, &r));
sig_r.base = sig.signature;
sig_r.length = sig.siglen;
result = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL, &sig_r);
result = dst_context_verify(ctx, &sig_r);
if (result != ISC_R_SUCCESS) {
msg->sig0status = dns_tsigerror_badsig;
goto failure;
@@ -773,6 +757,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
failure:
if (signeedsfree)
dns_rdata_freestruct(&sig);
if (ctx != NULL)
dst_context_destroy(&ctx);
return (result);
}

2
lib/dns/include/dns/message.h
View File

@@ -201,7 +201,7 @@ struct dns_message {
dns_name_t *tsigname;
dns_rdataset_t *querytsig;
dns_tsigkey_t *tsigkey;
void *tsigctx;
dst_context_t *tsigctx;
int sigstart;
dns_name_t *sig0name;

44
lib/dns/tkey.c
View File

@@ -16,7 +16,7 @@
*/
/*
* $Id: tkey.c,v 1.41 2000/05/30 22:28:37 bwelling Exp $
* $Id: tkey.c,v 1.42 2000/06/02 18:59:14 bwelling Exp $
* Principal Author: Brian Wellington
*/
@@ -148,9 +148,10 @@ add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
static isc_result_t
compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
isc_region_t *serverrandomness, isc_buffer_t *secret)
isc_region_t *serverrandomness, isc_mem_t *mctx,
isc_buffer_t *secret)
{
dst_context_t ctx;
dst_context_t *ctx = NULL;
isc_result_t result;
isc_region_t r, r2;
char digests[32];
@@ -163,26 +164,20 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
/*
* MD5 ( query data | DH value ).
*/
RETERR(dst_key_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL,
NULL));
RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
queryrandomness, NULL));
RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r,
NULL));
RETERR(dst_key_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL,
&b));
RETERR(dst_context_create(DST_KEY_MD5, mctx, &ctx));
RETERR(dst_context_adddata(ctx, queryrandomness));
RETERR(dst_context_adddata(ctx, &r));
RETERR(dst_context_digest(ctx, &b));
dst_context_destroy(&ctx);
/*
* MD5 ( server data | DH value ).
*/
RETERR(dst_key_digest(DST_SIGMODE_INIT, DST_DIGEST_MD5, &ctx, NULL,
NULL));
RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx,
serverrandomness, NULL));
RETERR(dst_key_digest(DST_SIGMODE_UPDATE, DST_DIGEST_MD5, &ctx, &r,
NULL));
RETERR(dst_key_digest(DST_SIGMODE_FINAL, DST_DIGEST_MD5, &ctx, NULL,
&b));
RETERR(dst_context_create(DST_KEY_MD5, mctx, &ctx));
RETERR(dst_context_adddata(ctx, serverrandomness));
RETERR(dst_context_adddata(ctx, &r));
RETERR(dst_context_digest(ctx, &b));
dst_context_destroy(&ctx);
/*
* XOR ( DH value, MD5-1 | MD5-2).
@@ -205,7 +200,10 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
}
failure:
return result;
if (ctx != NULL)
dst_context_destroy(&ctx);
return (result);
}
@@ -335,7 +333,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
isc_buffer_usedregion(&randombuf, &r);
r2.base = tkeyin->key;
r2.length = tkeyin->keylen;
RETERR(compute_secret(shared, &r2, &r, &secret));
RETERR(compute_secret(shared, &r2, &r, msg->mctx, &secret));
dst_key_free(&pubkey);
isc_buffer_usedregion(&secret, &r);
@@ -938,7 +936,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
r2.base = isc_mem_get(rmsg->mctx, 0);
r2.length = 0;
}
RETERR(compute_secret(shared, &r2, &r, &secret));
RETERR(compute_secret(shared, &r2, &r, rmsg->mctx, &secret));
if (nonce == NULL)
isc_mem_put(rmsg->mctx, r2.base, 0);

178
lib/dns/tsig.c
View File

@@ -16,7 +16,7 @@
*/
/*
* $Id: tsig.c,v 1.68 2000/06/01 18:25:38 tale Exp $
* $Id: tsig.c,v 1.69 2000/06/02 18:59:17 bwelling Exp $
* Principal Author: Brian Wellington
*/
@@ -250,8 +250,8 @@ dns_tsig_sign(dns_message_t *msg) {
dns_rdataset_t *dataset;
isc_region_t r, r2;
isc_stdtime_t now;
dst_context_t ctx;
isc_mem_t *mctx;
dst_context_t *ctx = NULL;
isc_result_t ret;
REQUIRE(msg != NULL);
@@ -313,8 +313,7 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_t headerbuf;
unsigned int sigsize;
ret = dst_key_sign(DST_SIGMODE_INIT, key->key, &ctx, NULL,
NULL);
ret = dst_context_create(key->key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
@@ -326,26 +325,25 @@ dns_tsig_sign(dns_message_t *msg) {
ret = dns_rdataset_first(msg->querytsig);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
dns_rdataset_current(msg->querytsig, &querytsigrdata);
ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
isc_buffer_putuint16(&databuf, querytsig.siglen);
if (isc_buffer_availablelength(&databuf) <
querytsig.siglen)
{
ret = ISC_R_NOSPACE;
goto cleanup_other;
goto cleanup_context;
}
isc_buffer_putmem(&databuf, querytsig.signature,
querytsig.siglen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
&r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
}
/*
@@ -354,45 +352,40 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_init(&headerbuf, header, sizeof(header));
dns_message_renderheader(msg, &headerbuf);
isc_buffer_usedregion(&headerbuf, &r);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
/*
* Digest the remainder of the message.
*/
isc_buffer_usedregion(msg->buffer, &r);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
if (msg->tcp_continuation == 0) {
/*
* Digest the name, class, ttl, alg.
*/
dns_name_toregion(&key->name, &r);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
&r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
isc_buffer_clear(&databuf);
isc_buffer_putuint16(&databuf, dns_rdataclass_any);
isc_buffer_putuint32(&databuf, 0); /* ttl */
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
&r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
dns_name_toregion(&tsig.algorithm, &r);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
&r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
}
/* Digest the timesigned and fudge */
@@ -416,10 +409,9 @@ dns_tsig_sign(dns_message_t *msg) {
}
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx, &r,
NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
if (msg->tcp_continuation == 0) {
/*
@@ -430,10 +422,9 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_putuint16(&databuf, tsig.otherlen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_sign(DST_SIGMODE_UPDATE, key->key, &ctx,
&r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
/*
* Digest the error and other data.
@@ -441,29 +432,28 @@ dns_tsig_sign(dns_message_t *msg) {
if (tsig.otherlen > 0) {
r.length = tsig.otherlen;
r.base = tsig.other;
ret = dst_key_sign(DST_SIGMODE_UPDATE,
key->key, &ctx, &r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
}
}
ret = dst_key_sigsize(key->key, &sigsize);
if (ret != ISC_R_SUCCESS)
goto cleanup_other;
goto cleanup_context;
tsig.siglen = sigsize;
tsig.signature = (unsigned char *)
isc_mem_get(mctx, tsig.siglen);
if (tsig.signature == NULL) {
ret = ISC_R_NOMEMORY;
goto cleanup_other;
goto cleanup_context;
}
isc_buffer_init(&sigbuf, tsig.signature, tsig.siglen);
ret = dst_key_sign(DST_SIGMODE_FINAL, key->key, &ctx, NULL,
&sigbuf);
ret = dst_context_sign(ctx, &sigbuf);
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
dst_context_destroy(&ctx);
}
else {
tsig.siglen = 0;
@@ -535,6 +525,9 @@ cleanup_dynbuf:
cleanup_signature:
if (tsig.signature != NULL)
isc_mem_put(mctx, tsig.signature, tsig.siglen);
cleanup_context:
if (ctx != NULL)
dst_context_destroy(&ctx);
cleanup_other:
if (tsig.other != NULL)
isc_mem_put(mctx, tsig.other, tsig.otherlen);
@@ -557,7 +550,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
dns_tsigkey_t *tsigkey;
dst_key_t *key = NULL;
unsigned char header[DNS_MESSAGE_HEADERLEN];
dst_context_t ctx;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_uint16_t addcount, id;
@@ -666,8 +659,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
sig_r.base = tsig.signature;
sig_r.length = tsig.siglen;
ret = dst_key_verify(DST_SIGMODE_INIT, key, &ctx, NULL,
&sig_r);
ret = dst_context_create(key, mctx, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
@@ -675,17 +667,15 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, querytsig.siglen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
if (querytsig.siglen > 0) {
r.length = querytsig.siglen;
r.base = querytsig.signature;
ret = dst_key_verify(DST_SIGMODE_UPDATE, key,
&ctx, &r, NULL);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
}
}
@@ -714,10 +704,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &header_r,
&sig_r);
ret = dst_context_adddata(ctx, &header_r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
/*
* Digest all non-TSIG records.
@@ -725,37 +714,33 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
isc_buffer_usedregion(source, &source_r);
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
&sig_r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
/*
* Digest the key name.
*/
dns_name_toregion(&tsigkey->name, &r);
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
&sig_r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, tsig.common.rdclass);
isc_buffer_putuint32(&databuf, msg->tsig->ttl);
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
&sig_r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
/*
* Digest the key algorithm.
*/
dns_name_toregion(&tsigkey->algorithm, &r);
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
&sig_r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
isc_buffer_clear(&databuf);
isc_buffer_putuint16(&databuf, (isc_uint16_t)(tsig.timesigned
@@ -766,26 +751,25 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
isc_buffer_putuint16(&databuf, tsig.error);
isc_buffer_putuint16(&databuf, tsig.otherlen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
&sig_r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (tsig.otherlen > 0) {
r.base = tsig.other;
r.length = tsig.otherlen;
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &ctx, &r,
&sig_r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
}
ret = dst_key_verify(DST_SIGMODE_FINAL, key, &ctx, NULL,
&sig_r);
if (ret == DST_R_VERIFYFINALFAILURE) {
ret = dst_context_verify(ctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
msg->tsigstatus = dns_tsigerror_badsig;
return (DNS_R_TSIGVERIFYFAILURE);
}
else if (ret != ISC_R_SUCCESS)
goto cleanup_key;
goto cleanup_context;
}
else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey)
@@ -809,6 +793,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
return (ISC_R_SUCCESS);
cleanup_context:
if (ctx != NULL)
dst_context_destroy(&ctx);
cleanup_key:
if (dns_tsigkey_empty(tsigkey))
dns_tsigkey_detach(&tsigkey);
@@ -831,6 +818,7 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_uint16_t addcount, id;
isc_boolean_t has_tsig = ISC_FALSE;
isc_mem_t *mctx;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
@@ -839,6 +827,8 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
REQUIRE(is_response(msg));
REQUIRE(msg->querytsig != NULL);
mctx = msg->mctx;
tsigkey = dns_message_gettsigkey(msg);
if (msg->tsig != NULL) {
@@ -883,25 +873,22 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
key = tsigkey->key;
if (msg->tsigctx == NULL) {
ret = dst_key_verify(DST_SIGMODE_INIT, key, &msg->tsigctx,
NULL, NULL);
ret = dst_context_create(key, mctx, &msg->tsigctx);
if (ret != ISC_R_SUCCESS)
return (ret);
isc_buffer_init(&databuf, data, sizeof(data));
isc_buffer_putuint16(&databuf, querytsig.siglen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx,
&r, NULL);
ret = dst_context_adddata(msg->tsigctx, &r);
if (ret != ISC_R_SUCCESS)
return (ret);
goto cleanup_context;
if (querytsig.siglen > 0) {
r.length = querytsig.siglen;
r.base = querytsig.signature;
ret = dst_key_verify(DST_SIGMODE_UPDATE, key,
&msg->tsigctx, &r, NULL);
ret = dst_context_adddata(msg->tsigctx, &r);
if (ret != ISC_R_SUCCESS)
return (ret);
goto cleanup_context;
}
}
@@ -935,10 +922,9 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
*/
header_r.base = (unsigned char *) header;
header_r.length = DNS_MESSAGE_HEADERLEN;
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &header_r,
NULL);
ret = dst_context_adddata(msg->tsigctx, &header_r);
if (ret != ISC_R_SUCCESS)
return (ret);
goto cleanup_context;
/*
* Digest all non-TSIG records.
@@ -949,9 +935,9 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
else
r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx, &r, NULL);
ret = dst_context_adddata(msg->tsigctx, &r);
if (ret != ISC_R_SUCCESS)
return (ret);
goto cleanup_context;
/*
* Digest the time signed and fudge.
@@ -964,8 +950,9 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
& 0xFFFFFFFF));
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_usedregion(&databuf, &r);
ret = dst_key_verify(DST_SIGMODE_UPDATE, key, &msg->tsigctx,
&r, NULL);
ret = dst_context_adddata(msg->tsigctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
sig_r.base = tsig.signature;
sig_r.length = tsig.siglen;
@@ -974,23 +961,28 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
ret = DNS_R_TSIGERRORSET;
else
ret = DNS_R_TSIGVERIFYFAILURE;
return (ret);
goto cleanup_context;
}
ret = dst_key_verify(DST_SIGMODE_FINAL, key, &msg->tsigctx,
NULL, &sig_r);
if (ret == DST_R_VERIFYFINALFAILURE) {
ret = dst_context_verify(msg->tsigctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
msg->tsigstatus = dns_tsigerror_badsig;
return (DNS_R_TSIGVERIFYFAILURE);
ret = DNS_R_TSIGVERIFYFAILURE;
goto cleanup_context;
}
else if (ret != ISC_R_SUCCESS)
return (ret);
goto cleanup_context;
msg->tsigctx = NULL;
dst_context_destroy(&msg->tsigctx);
}
msg->tsigstatus = dns_rcode_noerror;
return (ISC_R_SUCCESS);
cleanup_context:
dst_context_destroy(&msg->tsigctx);
return (ret);
}
isc_result_t

6
lib/dns/xfrin.c
View File

@@ -15,7 +15,7 @@
* SOFTWARE.
*/
/* $Id: xfrin.c,v 1.76 2000/06/01 18:04:37 gson Exp $ */
/* $Id: xfrin.c,v 1.77 2000/06/02 18:59:19 bwelling Exp $ */
#include <config.h>
@@ -40,6 +40,8 @@
#include <dns/xfrin.h>
#include <dns/zone.h>
#include <dst/dst.h>
/*
* Incoming AXFR and IXFR.
*/
@@ -133,7 +135,7 @@ struct dns_xfrin_ctx {
dns_tsigkey_t *tsigkey; /* Key used to create TSIG */
isc_buffer_t *lasttsig; /* The last TSIG */
void *tsigctx; /* TSIG verification context */
dst_context_t *tsigctx; /* TSIG verification context */
unsigned int sincetsig; /* recvd since the last TSIG */
dns_xfrindone_t done;

12
lib/omapi/connection.c
View File

@@ -15,7 +15,7 @@
* SOFTWARE.
*/
/* $Id: connection.c,v 1.28 2000/06/01 17:33:35 tale Exp $ */
/* $Id: connection.c,v 1.29 2000/06/02 18:59:24 bwelling Exp $ */
/* Principal Author: DCL */
@@ -643,9 +643,8 @@ omapi_connection_putmem(omapi_object_t *c, const unsigned char *src,
if (protocol->dst_update) {
region.base = src;
region.length = len;
result = dst_key_sign(DST_SIGMODE_UPDATE, protocol->key,
&protocol->dstctx,
(isc_region_t *)&region, NULL);
result = dst_context_adddata(protocol->dstctx,
(isc_region_t *)&region);
if (result != ISC_R_SUCCESS)
return (result);
}
@@ -740,10 +739,7 @@ connection_copyout(unsigned char *dst, omapi_connection_t *connection,
if (protocol->dst_update &&
protocol->verify_result == ISC_R_SUCCESS)
protocol->verify_result =
dst_key_verify(DST_SIGMODE_UPDATE,
protocol->key,
&protocol->dstctx,
&region, NULL);
dst_context_adddata(protocol->dstctx, &region);
isc_buffer_forward(buffer, copy_bytes);

2
lib/omapi/include/omapi/private.h
View File

@@ -236,7 +236,7 @@ struct omapi_protocol {
unsigned int algorithm;
isc_boolean_t dst_update;
dst_key_t *key;
dst_context_t dstctx;
dst_context_t *dstctx;
isc_region_t signature_in;
isc_buffer_t *signature_out;
isc_result_t verify_result;

20
lib/omapi/message.c
View File

@@ -167,8 +167,8 @@ omapi_message_send(omapi_object_t *message, omapi_object_t *protocol) {
m = (omapi_message_t *)message;
if (p->key != NULL) {
result = dst_key_sign(DST_SIGMODE_INIT, p->key, &p->dstctx,
NULL, NULL);
p->dstctx = NULL;
result = dst_context_create(p->key, omapi_mctx, &p->dstctx);
if (result == ISC_R_SUCCESS)
result = dst_key_sigsize(p->key, &authlen);
@@ -249,8 +249,9 @@ omapi_message_send(omapi_object_t *message, omapi_object_t *protocol) {
isc_buffer_clear(p->signature_out);
result = dst_key_sign(DST_SIGMODE_FINAL, p->key, &p->dstctx,
NULL, p->signature_out);
result = dst_context_sign(p->dstctx, p->signature_out);
dst_context_destroy(&p->dstctx);
isc_buffer_region(p->signature_out, &r);
@@ -374,12 +375,13 @@ message_process(omapi_object_t *mo, omapi_object_t *po) {
m = NULL;
if (protocol->key != NULL) {
if (protocol->verify_result == ISC_R_SUCCESS)
if (protocol->verify_result == ISC_R_SUCCESS) {
protocol->verify_result =
dst_key_verify(DST_SIGMODE_FINAL,
protocol->key,
&protocol->dstctx, NULL,
&protocol->signature_in);
dst_context_verify(protocol->dstctx,
&protocol->signature_in);
dst_context_destroy(&protocol->dstctx);
}
if (protocol->verify_result != ISC_R_SUCCESS) {
if (connection->is_client) {

6
lib/omapi/protocol.c
View File

@@ -357,9 +357,11 @@ dispatch_messages(omapi_protocol_t *protocol,
break;
if (protocol->key != NULL) {
protocol->dstctx = NULL;
protocol->verify_result =
dst_key_verify(DST_SIGMODE_INIT, protocol->key,
&protocol->dstctx, NULL, NULL);
dst_context_create(protocol->key,
omapi_mctx,
&protocol->dstctx);
protocol->dst_update = ISC_TRUE;
}