mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00
Code Issues Releases Wiki Activity

TSIG and SIG(0) are no longer message pseudosections.

Browse Source
This commit is contained in:
Brian Wellington 2000-03-29 01:32:22 +00:00
parent da47a1b896
commit 5caab9f99d
4 changed files with 187 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
lib/dns/dnssec.c
View File

@ -16,7 +16,7 @@
*/
/*
* $Id: dnssec.c,v 1.24 2000/03/13 19:27:33 bwelling Exp $
* $Id: dnssec.c,v 1.25 2000/03/29 01:32:20 bwelling Exp $
* Principal Author: Brian Wellington
*/
@ -200,6 +200,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
unsigned int sigsize;
REQUIRE(name != NULL);
REQUIRE(dns_name_depth(name) <= 255);
REQUIRE(set != NULL);
REQUIRE(key != NULL);
REQUIRE(inception != NULL);
@ -459,15 +460,6 @@ cleanup_struct:
#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
== DNS_KEYOWNER_ZONE)
#define check_result(op, msg) \
do { result = (op); \
if (result != DNS_R_SUCCESS) { \
fprintf(stderr, "%s: %s\n", msg, \
isc_result_totext(result)); \
goto failure; \
} \
} while (0)
isc_result_t
dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
@ -482,43 +474,37 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
*nkeys = 0;
dns_rdataset_init(&rdataset);
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0,
&rdataset, NULL);
if (result == ISC_R_NOTFOUND)
goto failure;
check_result(result, "dns_db_findrdataset()");
result = dns_rdataset_first(&rdataset);
check_result(result, "dns_rdataset_first()");
RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0,
&rdataset, NULL));
RETERR(dns_rdataset_first(&rdataset));
while (result == ISC_R_SUCCESS && count < maxkeys) {
pubkey = NULL;
dns_rdataset_current(&rdataset, &rdata);
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey);
check_result(result, "dns_dnssec_keyfromrdata()");
RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
if (!is_zone_key(pubkey))
goto next;
result = dst_key_fromfile(dst_key_name(pubkey),
dst_key_id(pubkey),
dst_key_alg(pubkey),
DST_TYPE_PRIVATE,
mctx, &keys[count++]);
mctx, &keys[count]);
if (result == DST_R_INVALIDPRIVATEKEY)
count--;
else {
check_result(result, "dst_key_fromfile()");
if (dst_key_flags(keys[count - 1]) & DNS_KEYTYPE_NOAUTH)
{
dst_key_free(keys[count - 1]);
keys[count - 1] = NULL;
count--;
}
goto next;
if (result != ISC_R_SUCCESS)
goto failure;
if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
dst_key_free(keys[count]);
keys[count] = NULL;
goto next;
}
count++;
next:
dst_key_free(pubkey);
pubkey = NULL;
result = dns_rdataset_next(&rdataset);
}
if (result != DNS_R_NOMORE)
check_result(result, "iteration over zone keys");
goto failure;
if (count == 0)
result = ISC_R_NOTFOUND;
else
@ -541,7 +527,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
isc_buffer_t headerbuf, databuf, sigbuf;
unsigned int sigsize;
isc_buffer_t *dynbuf;
dns_name_t *owner, signer;
dns_name_t signer;
dns_rdata_t *rdata;
dns_rdatalist_t *datalist;
dns_rdataset_t *dataset;
@ -569,7 +555,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
sig.covered = 0;
sig.algorithm = dst_key_alg(key);
sig.labels = 1; /* the root name */
sig.labels = 0; /* the root name */
sig.originalttl = 0;
isc_stdtime_get(&now);
@ -640,11 +626,6 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
dns_message_takebuffer(msg, &dynbuf);
owner = NULL;
RETERR(dns_message_gettempname(msg, &owner));
dns_name_init(owner, NULL);
dns_name_clone(dns_rootname, owner);
datalist = NULL;
RETERR(dns_message_gettemprdatalist(msg, &datalist));
datalist->rdclass = dns_rdataclass_any;
@ -657,8 +638,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
RETERR(dns_message_gettemprdataset(msg, &dataset));
dns_rdataset_init(dataset);
dns_rdatalist_tordataset(datalist, dataset);
ISC_LIST_APPEND(owner->list, dataset, link);
dns_message_addname(msg, owner, DNS_SECTION_SIG0);
msg->sig0 = dataset;
return (ISC_R_SUCCESS);
@ -676,8 +656,7 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) {
dns_rdata_generic_sig_t sig;
unsigned char header[DNS_MESSAGE_HEADERLEN];
dns_rdata_t rdata;
dns_rdataset_t *dataset;
dns_name_t tname, *sig0name;
dns_name_t tname;
isc_region_t r, r2, sig_r, header_r;
isc_stdtime_t now;
dst_context_t ctx;
@ -695,24 +674,17 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) {
mctx = msg->mctx;
result = dns_message_firstname(msg, DNS_SECTION_SIG0);
if (result != ISC_R_SUCCESS) {
result = ISC_R_NOTFOUND;
goto failure;
}
sig0name = NULL;
dns_message_currentname(msg, DNS_SECTION_SIG0, &sig0name);
dataset = NULL;
result = dns_message_findtype(sig0name, dns_rdatatype_sig, 0, &dataset);
if (result != ISC_R_SUCCESS)
goto failure;
RETERR(dns_rdataset_first(dataset));
dns_rdataset_current(dataset, &rdata);
RETERR(dns_rdataset_first(msg->sig0));
dns_rdataset_current(msg->sig0, &rdata);
RETERR(dns_rdata_tostruct(&rdata, &sig, mctx));
signeedsfree = ISC_TRUE;
if (sig.labels != 0) {
result = DNS_R_SIGINVALID;
goto failure;
}
isc_stdtime_get(&now);
if (sig.timesigned > now) {
result = DNS_R_SIGFUTURE;

36
lib/dns/include/dns/message.h
View File

@ -120,9 +120,7 @@ typedef int dns_section_t;
#define DNS_SECTION_ANSWER 1
#define DNS_SECTION_AUTHORITY 2
#define DNS_SECTION_ADDITIONAL 3
#define DNS_SECTION_TSIG 4 /* pseudo-section */
#define DNS_SECTION_SIG0 5 /* pseudo-section */
#define DNS_SECTION_MAX 6
#define DNS_SECTION_MAX 4
/*
* Dynamic update names for these sections.
@ -162,6 +160,8 @@ struct dns_message {
dns_namelist_t sections[DNS_SECTION_MAX];
dns_name_t *cursors[DNS_SECTION_MAX];
dns_rdataset_t *opt;
dns_rdataset_t *sig0;
dns_rdataset_t *tsigset;
int state;
unsigned int from_to_wire : 2;
@ -193,6 +193,7 @@ struct dns_message {
dns_rcode_t tsigstatus;
dns_rcode_t querytsigstatus;
dns_name_t *tsigname;
dns_rdata_any_tsig_t *tsig;
dns_rdata_any_tsig_t *querytsig;
dns_tsigkey_t *tsigkey;
@ -847,6 +848,35 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
* DNS_R_NOSPACE -- there is no space for the OPT record.
*/
dns_rdataset_t *
dns_message_gettsig(dns_message_t *msg, dns_name_t **owner);
/*
* Get the TSIG record and owner for 'msg'.
*
* Requires:
*
* 'msg' is a valid message.
* 'owner' is not NULL, and *owner is NULL. Contains the owner on return.
*
* Returns:
*
* The TSIG rdataset of 'msg', or NULL if there isn't one.
*/
dns_rdataset_t *
dns_message_getsig0(dns_message_t *msg);
/*
* Get the SIG(0) record for 'msg'.
*
* Requires:
*
* 'msg' is a valid message.
*
* Returns:
*
* The SIG(0) rdataset of 'msg', or NULL if there isn't one.
*/
void
dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
/*

159
lib/dns/message.c
View File

@ -278,6 +278,9 @@ msginitprivate(dns_message_t *m)
m->counts[i] = 0;
}
m->opt = NULL;
m->sig0 = NULL;
m->tsigset = NULL;
m->tsigname = NULL;
m->state = DNS_SECTION_ANY; /* indicate nothing parsed or rendered */
m->opt_reserved = 0;
m->reserved = 0;
@ -362,6 +365,26 @@ msgresetopt(dns_message_t *msg)
}
}
static void
msgresetsigs(dns_message_t *msg)
{
if (msg->tsigset != NULL) {
INSIST(dns_rdataset_isassociated(msg->tsigset));
INSIST(msg->namepool != NULL);
dns_rdataset_disassociate(msg->tsigset);
isc_mempool_put(msg->rdspool, msg->tsigset);
isc_mempool_put(msg->namepool, msg->tsigname);
msg->tsigset = NULL;
msg->tsigname = NULL;
}
if (msg->sig0 != NULL) {
INSIST(dns_rdataset_isassociated(msg->sig0));
dns_rdataset_disassociate(msg->sig0);
isc_mempool_put(msg->rdspool, msg->sig0);
msg->sig0 = NULL;
}
}
/*
* Free all but one (or everything) for this message. This is used by
* both dns_message_reset() and dns_message_parse().
@ -376,6 +399,7 @@ msgreset(dns_message_t *msg, isc_boolean_t everything)
msgresetnames(msg, 0);
msgresetopt(msg);
msgresetsigs(msg);
/*
* Clean up linked lists.
@ -1024,7 +1048,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
result = DNS_R_FORMERR;
goto cleanup;
}
section = &msg->sections[DNS_SECTION_TSIG];
if (msg->tsigset != NULL) {
result = DNS_R_FORMERR;
goto cleanup;
}
msg->sigstart = recstart;
skip_name_search = ISC_TRUE;
skip_type_search = ISC_TRUE;
@ -1044,10 +1071,17 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
skip_type_search = ISC_TRUE;
} else if (rdtype == dns_rdatatype_tkey) {
/*
* A TKEY must be in the additional section.
* A TKEY must be in the additional section if this
* is a query, and the answer section if this is a
* response.
* Its class is ignored.
*/
if (sectionid != DNS_SECTION_ADDITIONAL) {
int tkeysection;
if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0)
tkeysection = DNS_SECTION_ADDITIONAL;
else
tkeysection = DNS_SECTION_ANSWER;
if (sectionid != tkeysection) {
result = DNS_R_FORMERR;
goto cleanup;
}
@ -1101,8 +1135,11 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
else if (covers == dns_rdatatype_dname)
attributes = DNS_NAMEATTR_DNAME;
else if (covers == 0) {
if (msg->sig0 != NULL) {
result = DNS_R_FORMERR;
goto cleanup;
}
msg->sigstart = recstart;
section = &msg->sections[DNS_SECTION_SIG0];
}
} else
covers = 0;
@ -1113,7 +1150,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
*/
if (preserve_order || msg->opcode == dns_opcode_update ||
skip_name_search) {
if (rdtype != dns_rdatatype_opt) {
if (rdtype != dns_rdatatype_opt &&
rdtype != dns_rdatatype_tsig &&
!(rdtype == dns_rdatatype_sig && covers == 0))
{
ISC_LIST_APPEND(*section, name, link);
free_name = ISC_FALSE;
}
@ -1231,6 +1271,24 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
free_name = ISC_FALSE;
}
/*
* If this is an SIG(0) or TSIG record, remember it.
*/
if (rdtype == dns_rdatatype_sig && covers == 0) {
msg->sig0 = rdataset;
rdataset = NULL;
free_rdataset = ISC_FALSE;
isc_mempool_put(msg->namepool, name);
free_name = ISC_FALSE;
}
else if (rdtype == dns_rdatatype_tsig) {
msg->tsigset = rdataset;
msg->tsigname = name;
rdataset = NULL;
free_rdataset = ISC_FALSE;
free_name = ISC_FALSE;
}
INSIST(free_name == ISC_FALSE);
INSIST(free_rdataset == ISC_FALSE);
}
@ -1317,9 +1375,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
if (r.length != 0)
return (DNS_R_FORMERR);
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]) ||
!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0]))
{
if (msg->tsigset != NULL || msg->sig0 != NULL) {
msg->saved = isc_mem_get(msg->mctx, sizeof(isc_region_t));
if (msg->saved == NULL)
return (ISC_R_NOMEMORY);
@ -1594,9 +1650,7 @@ dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target)
INSIST(msg->counts[DNS_SECTION_QUESTION] < 65536 &&
msg->counts[DNS_SECTION_ANSWER] < 65536 &&
msg->counts[DNS_SECTION_AUTHORITY] < 65536 &&
(msg->counts[DNS_SECTION_ADDITIONAL] +
msg->counts[DNS_SECTION_TSIG] +
msg->counts[DNS_SECTION_SIG0]) < 65536);
msg->counts[DNS_SECTION_ADDITIONAL] < 65536);
isc_buffer_putuint16(target, tmp);
isc_buffer_putuint16(target,
@ -1605,10 +1659,8 @@ dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target)
(isc_uint16_t)msg->counts[DNS_SECTION_ANSWER]);
isc_buffer_putuint16(target,
(isc_uint16_t)msg->counts[DNS_SECTION_AUTHORITY]);
tmp = msg->counts[DNS_SECTION_ADDITIONAL]
+ msg->counts[DNS_SECTION_TSIG]
+ msg->counts[DNS_SECTION_SIG0];
isc_buffer_putuint16(target, tmp);
isc_buffer_putuint16(target,
(isc_uint16_t)msg->counts[DNS_SECTION_ADDITIONAL]);
}
isc_result_t
@ -1657,8 +1709,11 @@ dns_message_renderend(dns_message_t *msg)
result = dns_tsig_sign(msg);
if (result != DNS_R_SUCCESS)
return (result);
result = dns_message_rendersection(msg, DNS_SECTION_TSIG, 0);
if (result != DNS_R_SUCCESS)
count = 0;
result = dns_rdataset_towire(msg->tsigset, msg->tsigname,
&msg->cctx, msg->buffer, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
}
@ -1666,8 +1721,11 @@ dns_message_renderend(dns_message_t *msg)
result = dns_dnssec_signmessage(msg, msg->sig0key);
if (result != DNS_R_SUCCESS)
return (result);
result = dns_message_rendersection(msg, DNS_SECTION_SIG0, 0);
if (result != DNS_R_SUCCESS)
count = 0;
result = dns_rdataset_towire(msg->sig0, dns_rootname,
&msg->cctx, msg->buffer, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
}
@ -1999,6 +2057,7 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
msgresetnames(msg, first_section);
msgresetopt(msg);
msgresetsigs(msg);
msginitprivate(msg);
/*
* We now clear most flags and then set QR, ensuring that the
@ -2068,6 +2127,7 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
REQUIRE(msg->state == DNS_SECTION_ANY);
msgresetopt(msg);
msgresetsigs(msg);
result = dns_rdataset_first(opt);
if (result != ISC_R_SUCCESS)
@ -2085,6 +2145,32 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
return (DNS_R_SUCCESS);
}
dns_rdataset_t *
dns_message_gettsig(dns_message_t *msg, dns_name_t **owner) {
/*
* Get the TSIG record and owner for 'msg'.
*/
REQUIRE(DNS_MESSAGE_VALID(msg));
REQUIRE(owner != NULL && *owner == NULL);
*owner = msg->tsigname;
return (msg->tsigset);
}
dns_rdataset_t *
dns_message_getsig0(dns_message_t *msg) {
/*
* Get the SIG(0) record for 'msg'.
*/
REQUIRE(DNS_MESSAGE_VALID(msg));
return (msg->sig0);
}
void
dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer)
{
@ -2105,10 +2191,12 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
REQUIRE(signer != NULL);
REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
if ((msg->tsig == NULL || msg->tsigkey == NULL) &&
ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0]))
if ((msg->tsig == NULL || msg->tsigkey == NULL) && msg->sig0 == NULL)
return (ISC_R_NOTFOUND);
if (msg->verify_attempted == 0)
return (DNS_R_NOTVERIFIEDYET);
if (!dns_name_hasbuffer(signer)) {
isc_buffer_t *dynbuf = NULL;
result = isc_buffer_allocate(msg->mctx, &dynbuf, 512,
@ -2119,32 +2207,18 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
dns_message_takebuffer(msg, &dynbuf);
}
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])) {
dns_rdataset_t *dataset;
if (msg->sig0 != NULL) {
dns_rdata_t rdata;
dns_name_t *sig0name;
dns_rdata_generic_sig_t sig;
if (msg->verify_attempted == 0)
result = DNS_R_NOTVERIFIEDYET;
result = dns_message_firstname(msg, DNS_SECTION_SIG0);
if (result != ISC_R_SUCCESS)
return (ISC_R_NOTFOUND);
sig0name = NULL;
dns_message_currentname(msg, DNS_SECTION_SIG0, &sig0name);
dataset = NULL;
result = dns_message_findtype(sig0name, dns_rdatatype_sig, 0,
&dataset);
if (result != ISC_R_SUCCESS)
return (result);
result = dns_rdataset_first(dataset);
dns_rdataset_current(dataset, &rdata);
result = dns_rdataset_first(msg->sig0);
dns_rdataset_current(msg->sig0, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
if (result != ISC_R_SUCCESS)
return (result);
if (msg->verified_sig && msg->sig0status != dns_rcode_noerror)
if (msg->verified_sig && msg->sig0status == dns_rcode_noerror)
result = ISC_R_SUCCESS;
else
result = DNS_R_SIGINVALID;
@ -2154,9 +2228,7 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
}
else {
dns_name_t *identity;
if (msg->verify_attempted == 0)
result = DNS_R_NOTVERIFIEDYET;
else if (msg->tsigstatus != dns_rcode_noerror)
if (msg->tsigstatus != dns_rcode_noerror)
result = DNS_R_TSIGVERIFYFAILURE;
else if (msg->tsig->error != dns_rcode_noerror)
result = DNS_R_TSIGERRORSET;
@ -2182,8 +2254,7 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
REQUIRE(DNS_MESSAGE_VALID(msg));
REQUIRE(view != NULL);
if (msg->tsigkey == NULL &&
ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]))
if (msg->tsigkey == NULL && msg->tsigset == NULL)
return (ISC_R_SUCCESS);
if (msg->saved == NULL)
return (DNS_R_EXPECTEDTSIG);

34
lib/dns/tsig.c
View File

@ -16,7 +16,7 @@
*/
/*
* $Id: tsig.c,v 1.48 2000/03/16 23:13:25 bwelling Exp $
* $Id: tsig.c,v 1.49 2000/03/29 01:32:21 bwelling Exp $
* Principal Author: Brian Wellington
*/
@ -513,8 +513,8 @@ dns_tsig_sign(dns_message_t *msg) {
goto cleanup_dynbuf;
dns_rdataset_init(dataset);
dns_rdatalist_tordataset(datalist, dataset);
ISC_LIST_APPEND(owner->list, dataset, link);
dns_message_addname(msg, owner, DNS_SECTION_TSIG);
msg->tsigset = dataset;
msg->tsigname = owner;
return (ISC_R_SUCCESS);
@ -545,7 +545,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
isc_buffer_t databuf;
unsigned char data[32];
dns_name_t *keyname;
dns_rdataset_t *dataset;
dns_rdata_t rdata;
isc_stdtime_t now;
isc_result_t ret;
@ -568,7 +567,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
return(dns_tsig_verify_tcp(source, msg));
/* There should be a TSIG record... */
if (ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]))
if (msg->tsigset == NULL)
return (DNS_R_EXPECTEDTSIG);
/*
@ -586,16 +585,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
* TSIG record.
*/
ret = dns_message_firstname(msg, DNS_SECTION_TSIG);
keyname = msg->tsigname;
ret = dns_rdataset_first(msg->tsigset);
if (ret != ISC_R_SUCCESS)
return (ret);
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_TSIG, &keyname);
dataset = ISC_LIST_HEAD(keyname->list);
ret = dns_rdataset_first(dataset);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(dataset, &rdata);
dns_rdataset_current(msg->tsigset, &rdata);
tsig = (dns_rdata_any_tsig_t *)
isc_mem_get(mctx, sizeof(dns_rdata_any_tsig_t));
if (tsig == NULL)
@ -720,7 +714,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
isc_buffer_init(&databuf, data, sizeof(data),
ISC_BUFFERTYPE_BINARY);
isc_buffer_putuint16(&databuf, tsig->common.rdclass);
isc_buffer_putuint32(&databuf, dataset->ttl);
isc_buffer_putuint32(&databuf, msg->tsigset->ttl);
isc_buffer_used(&databuf, &r);
ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r);
if (ret != ISC_R_SUCCESS)
@ -802,7 +796,6 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
isc_buffer_t databuf;
unsigned char data[32];
dns_name_t *keyname;
dns_rdataset_t *dataset;
dns_rdata_t rdata;
isc_stdtime_t now;
isc_result_t ret;
@ -822,17 +815,14 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
mctx = msg->mctx;
ret = dns_message_firstname(msg, DNS_SECTION_TSIG);
if (ret == ISC_R_SUCCESS) {
if (msg->tsigset != NULL) {
has_tsig = ISC_TRUE;
keyname = NULL;
dns_message_currentname(msg, DNS_SECTION_TSIG, &keyname);
dataset = ISC_LIST_HEAD(keyname->list);
ret = dns_rdataset_first(dataset);
keyname = msg->tsigname;
ret = dns_rdataset_first(msg->tsigset);
if (ret != ISC_R_SUCCESS)
return (ret);
dns_rdataset_current(dataset, &rdata);
dns_rdataset_current(msg->tsigset, &rdata);
tsig = (dns_rdata_any_tsig_t *)
isc_mem_get(mctx, sizeof(dns_rdata_any_tsig_t));
if (tsig == NULL)