From 5caab9f99d19ab9ebb0a0ba64c09c8de80e89e29 Mon Sep 17 00:00:00 2001 From: Brian Wellington Date: Wed, 29 Mar 2000 01:32:22 +0000 Subject: [PATCH] TSIG and SIG(0) are no longer message pseudosections. --- lib/dns/dnssec.c | 82 ++++++------------ lib/dns/include/dns/message.h | 36 +++++++- lib/dns/message.c | 159 ++++++++++++++++++++++++---------- lib/dns/tsig.c | 34 +++----- 4 files changed, 187 insertions(+), 124 deletions(-) diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 09851c1e1a..76e1f8b07c 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -16,7 +16,7 @@ */ /* - * $Id: dnssec.c,v 1.24 2000/03/13 19:27:33 bwelling Exp $ + * $Id: dnssec.c,v 1.25 2000/03/29 01:32:20 bwelling Exp $ * Principal Author: Brian Wellington */ @@ -200,6 +200,7 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, unsigned int sigsize; REQUIRE(name != NULL); + REQUIRE(dns_name_depth(name) <= 255); REQUIRE(set != NULL); REQUIRE(key != NULL); REQUIRE(inception != NULL); @@ -459,15 +460,6 @@ cleanup_struct: #define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \ == DNS_KEYOWNER_ZONE) -#define check_result(op, msg) \ - do { result = (op); \ - if (result != DNS_R_SUCCESS) { \ - fprintf(stderr, "%s: %s\n", msg, \ - isc_result_totext(result)); \ - goto failure; \ - } \ - } while (0) - isc_result_t dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx, 
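Review bot: The new `REQUIRE(dns_name_depth(name) <= 255);` in dns_dnssec_sign states no reason for the bound, and because REQUIRE aborts rather than returns, a reader needs to know it is a caller contract rather than input validation. The limit is presumably the one-octet SIG "labels" field; a trailing comment would save the lookup: `REQUIRE(dns_name_depth(name) <= 255); /* SIG 'labels' is an 8-bit field */`. The same precondition should appear in the function's contract in dnssec.h. The body of dns_dnssec_sign continues outside the hunk.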
@@ -482,43 +474,37 @@ dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, *nkeys = 0; dns_rdataset_init(&rdataset); - result = dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0, - &rdataset, NULL); - if (result == ISC_R_NOTFOUND) - goto failure; - check_result(result, "dns_db_findrdataset()"); - result = dns_rdataset_first(&rdataset); - check_result(result, "dns_rdataset_first()"); + RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0, + &rdataset, NULL)); + RETERR(dns_rdataset_first(&rdataset)); while (result == ISC_R_SUCCESS && count < maxkeys) { pubkey = NULL; dns_rdataset_current(&rdataset, &rdata); - result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey); - check_result(result, "dns_dnssec_keyfromrdata()"); + RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey)); if (!is_zone_key(pubkey)) goto next; result = dst_key_fromfile(dst_key_name(pubkey), dst_key_id(pubkey), dst_key_alg(pubkey), DST_TYPE_PRIVATE, - mctx, &keys[count++]); + mctx, &keys[count]); if (result == DST_R_INVALIDPRIVATEKEY) - count--; - else { - check_result(result, "dst_key_fromfile()"); - if (dst_key_flags(keys[count - 1]) & DNS_KEYTYPE_NOAUTH) - { - dst_key_free(keys[count - 1]); - keys[count - 1] = NULL; - count--; - } + goto next; + if (result != ISC_R_SUCCESS) + goto failure; + if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) { + dst_key_free(keys[count]); + keys[count] = NULL; + goto next; } + count++; next: dst_key_free(pubkey); pubkey = NULL; result = dns_rdataset_next(&rdataset); } if (result != DNS_R_NOMORE) - check_result(result, "iteration over zone keys"); + goto failure; if (count == 0) result = ISC_R_NOTFOUND; else @@ -541,7 +527,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { isc_buffer_t headerbuf, databuf, sigbuf; unsigned int sigsize; isc_buffer_t *dynbuf; - dns_name_t *owner, signer; + dns_name_t signer; dns_rdata_t *rdata; dns_rdatalist_t *datalist; dns_rdataset_t *dataset; 
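Review bot: In dns_dnssec_findzonekeys, when dst_key_fromfile() fails with anything other than DST_R_INVALIDPRIVATEKEY the new `if (result != ISC_R_SUCCESS) goto failure;` leaves `pubkey` allocated, whereas the RETERR on dns_dnssec_keyfromrdata is safe only because pubkey is still NULL at that point. Whether the failure label releases pubkey and the `count` private keys already loaded into keys[] is outside the hunk, so confirm it; if it does not, release it on the way out: `if (result != ISC_R_SUCCESS) { dst_key_free(pubkey); goto failure; }`. The switch from `&keys[count++]` to `&keys[count]` with an explicit `count++` on success does remove the old decrement-on-error juggling, which is an improvement. Note also that the loop stops silently at `maxkeys`, so a caller with too few slots gets a truncated set with no indication; a comment on that behaviour would help. The rest of the function lies outside the hunk.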
@@ -569,7 +555,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { sig.covered = 0; sig.algorithm = dst_key_alg(key); - sig.labels = 1; /* the root name */ + sig.labels = 0; /* the root name */ sig.originalttl = 0; isc_stdtime_get(&now); @@ -640,11 +626,6 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { dns_message_takebuffer(msg, &dynbuf); - owner = NULL; - RETERR(dns_message_gettempname(msg, &owner)); - dns_name_init(owner, NULL); - dns_name_clone(dns_rootname, owner); - datalist = NULL; RETERR(dns_message_gettemprdatalist(msg, &datalist)); datalist->rdclass = dns_rdataclass_any; @@ -657,8 +638,7 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) { RETERR(dns_message_gettemprdataset(msg, &dataset)); dns_rdataset_init(dataset); dns_rdatalist_tordataset(datalist, dataset); - ISC_LIST_APPEND(owner->list, dataset, link); - dns_message_addname(msg, owner, DNS_SECTION_SIG0); + msg->sig0 = dataset; return (ISC_R_SUCCESS); @@ -676,8 +656,7 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) { dns_rdata_generic_sig_t sig; unsigned char header[DNS_MESSAGE_HEADERLEN]; dns_rdata_t rdata; - dns_rdataset_t *dataset; - dns_name_t tname, *sig0name; + dns_name_t tname; isc_region_t r, r2, sig_r, header_r; isc_stdtime_t now; dst_context_t ctx; 
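Review bot: `msg->sig0 = dataset;` at the end of dns_dnssec_signmessage overwrites whatever msg->sig0 already holds without disassociating it or returning it to the pool, which is how msgresetsigs() in message.c releases that slot. A message signed twice, or one parsed with a SIG(0) and then re-signed, would therefore leak the earlier rdataset and its rdatalist. An `INSIST(msg->sig0 == NULL);` immediately before the assignment makes the precondition explicit and catches the misuse. The earlier part of the function, including the signing itself, is outside this hunk.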
@@ -695,24 +674,17 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) { mctx = msg->mctx; - result = dns_message_firstname(msg, DNS_SECTION_SIG0); - if (result != ISC_R_SUCCESS) { - result = ISC_R_NOTFOUND; - goto failure; - } - sig0name = NULL; - dns_message_currentname(msg, DNS_SECTION_SIG0, &sig0name); - dataset = NULL; - result = dns_message_findtype(sig0name, dns_rdatatype_sig, 0, &dataset); - if (result != ISC_R_SUCCESS) - goto failure; - - RETERR(dns_rdataset_first(dataset)); - dns_rdataset_current(dataset, &rdata); + RETERR(dns_rdataset_first(msg->sig0)); + dns_rdataset_current(msg->sig0, &rdata); RETERR(dns_rdata_tostruct(&rdata, &sig, mctx)); signeedsfree = ISC_TRUE; + if (sig.labels != 0) { + result = DNS_R_SIGINVALID; + goto failure; + } + isc_stdtime_get(&now); if (sig.timesigned > now) { result = DNS_R_SIGFUTURE; diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h index 5b5886641c..be0ff2bc34 100644 --- a/lib/dns/include/dns/message.h +++ b/lib/dns/include/dns/message.h @@ -120,9 +120,7 @@ typedef int dns_section_t; #define DNS_SECTION_ANSWER 1 #define DNS_SECTION_AUTHORITY 2 #define DNS_SECTION_ADDITIONAL 3 -#define DNS_SECTION_TSIG 4 /* pseudo-section */ -#define DNS_SECTION_SIG0 5 /* pseudo-section */ -#define DNS_SECTION_MAX 6 +#define DNS_SECTION_MAX 4 /* * Dynamic update names for these sections. @@ -162,6 +160,8 @@ struct dns_message { dns_namelist_t sections[DNS_SECTION_MAX]; dns_name_t *cursors[DNS_SECTION_MAX]; dns_rdataset_t *opt; + dns_rdataset_t *sig0; + dns_rdataset_t *tsigset; int state; unsigned int from_to_wire : 2; @@ -193,6 +193,7 @@ struct dns_message { dns_rcode_t tsigstatus; dns_rcode_t querytsigstatus; + dns_name_t *tsigname; dns_rdata_any_tsig_t *tsig; dns_rdata_any_tsig_t *querytsig; dns_tsigkey_t *tsigkey; 
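Review bot: `RETERR(dns_rdataset_first(msg->sig0));` in dns_dnssec_verifymessage dereferences msg->sig0 with no NULL check; the removed code returned ISC_R_NOTFOUND when no SIG(0) was present, and with the new layout msg->sig0 stays NULL for a message without one (msginitprivate in message.c), so an unsigned message presumably now trips an assertion inside dns_rdataset_first instead of failing cleanly. Restore the guard in the style of the removed code: `if (msg->sig0 == NULL) { result = ISC_R_NOTFOUND; goto failure; }` before the RETERR. The new `sig.labels != 0` rejection is a good tightening, since the signature is over a root-owner pseudo-RR. The remainder of the verification lies outside the hunk.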
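Review bot: The new `sig0`, `tsigset` and `tsigname` members of struct dns_message carry no comment, although their ownership differs: message.c's msgresetsigs() returns tsigset and sig0 to rdspool and tsigname to namepool, while getsection discards the parsed SIG(0) owner name entirely. Suggest documenting that beside the fields, e.g. `dns_rdataset_t *sig0; /* SIG(0) RR; owner name not kept, rendered as root */` and `dns_rdataset_t *tsigset; /* TSIG RR, owned by the message pools */`, plus a note on tsigname that it is the TSIG key name and is non-NULL exactly when tsigset is. The struct definition continues outside the hunk.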
@@ -847,6 +848,35 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt); * DNS_R_NOSPACE -- there is no space for the OPT record. */ +dns_rdataset_t * +dns_message_gettsig(dns_message_t *msg, dns_name_t **owner); +/* + * Get the TSIG record and owner for 'msg'. + * + * Requires: + * + * 'msg' is a valid message. + * 'owner' is not NULL, and *owner is NULL. Contains the owner on return. + * + * Returns: + * + * The TSIG rdataset of 'msg', or NULL if there isn't one. + */ + +dns_rdataset_t * +dns_message_getsig0(dns_message_t *msg); +/* + * Get the SIG(0) record for 'msg'. + * + * Requires: + * + * 'msg' is a valid message. + * + * Returns: + * + * The SIG(0) rdataset of 'msg', or NULL if there isn't one. + */ + void dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer); /* diff --git a/lib/dns/message.c b/lib/dns/message.c index f7c23afd1e..c674096240 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -278,6 +278,9 @@ msginitprivate(dns_message_t *m) m->counts[i] = 0; } m->opt = NULL; + m->sig0 = NULL; + m->tsigset = NULL; + m->tsigname = NULL; m->state = DNS_SECTION_ANY; /* indicate nothing parsed or rendered */ m->opt_reserved = 0; m->reserved = 0; @@ -362,6 +365,26 @@ msgresetopt(dns_message_t *msg) } } +static void +msgresetsigs(dns_message_t *msg) +{ + if (msg->tsigset != NULL) { + INSIST(dns_rdataset_isassociated(msg->tsigset)); + INSIST(msg->namepool != NULL); + dns_rdataset_disassociate(msg->tsigset); + isc_mempool_put(msg->rdspool, msg->tsigset); + isc_mempool_put(msg->namepool, msg->tsigname); + msg->tsigset = NULL; + msg->tsigname = NULL; + } + if (msg->sig0 != NULL) { + INSIST(dns_rdataset_isassociated(msg->sig0)); + dns_rdataset_disassociate(msg->sig0); + isc_mempool_put(msg->rdspool, msg->sig0); + msg->sig0 = NULL; + } +} + /* * Free all but one (or everything) for this message. This is used by * both dns_message_reset() and dns_message_parse(). 
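Review bot: The comment blocks for dns_message_gettsig and dns_message_getsig0 do not say who owns the returned rdataset or the name written to *owner. msgresetsigs() in message.c hands both back to the message pools on reset and reply, so callers must neither free them nor hold them across dns_message_reset(); add under Returns `The returned rdataset (and *owner) are owned by 'msg' and are valid only until the message is reset.`. It would also help to state which record is returned: presumably the parsed one for a parsed message, and the one attached by dns_tsig_sign or dns_dnssec_signmessage for a message being rendered.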
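Review bot: msgresetsigs() has no header comment, and its two branches are asymmetric in a way worth explaining: the TSIG branch INSISTs on namepool and frees tsigname, while the SIG(0) branch has no name because getsection puts the SIG(0) owner straight back into namepool. A short comment such as `Release the TSIG and SIG(0) rdatasets (and the TSIG owner name) to the message pools and clear the slots.` would capture that. The function also assumes tsigname is non-NULL whenever tsigset is, which dns_tsig_sign and getsection maintain but nothing checks; `INSIST(msg->tsigname != NULL);` inside the first branch would catch a future caller that sets only one.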
@@ -376,6 +399,7 @@ msgreset(dns_message_t *msg, isc_boolean_t everything) msgresetnames(msg, 0); msgresetopt(msg); + msgresetsigs(msg); /* * Clean up linked lists. @@ -1024,7 +1048,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, result = DNS_R_FORMERR; goto cleanup; } - section = &msg->sections[DNS_SECTION_TSIG]; + if (msg->tsigset != NULL) { + result = DNS_R_FORMERR; + goto cleanup; + } msg->sigstart = recstart; skip_name_search = ISC_TRUE; skip_type_search = ISC_TRUE; @@ -1044,10 +1071,17 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, skip_type_search = ISC_TRUE; } else if (rdtype == dns_rdatatype_tkey) { /* - * A TKEY must be in the additional section. + * A TKEY must be in the additional section if this + * is a query, and the answer section if this is a + * response. * Its class is ignored. */ - if (sectionid != DNS_SECTION_ADDITIONAL) { + int tkeysection; + if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0) + tkeysection = DNS_SECTION_ADDITIONAL; + else + tkeysection = DNS_SECTION_ANSWER; + if (sectionid != tkeysection) { result = DNS_R_FORMERR; goto cleanup; } @@ -1101,8 +1135,11 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, else if (covers == dns_rdatatype_dname) attributes = DNS_NAMEATTR_DNAME; else if (covers == 0) { + if (msg->sig0 != NULL) { + result = DNS_R_FORMERR; + goto cleanup; + } msg->sigstart = recstart; - section = &msg->sections[DNS_SECTION_SIG0]; } } else covers = 0; @@ -1113,7 +1150,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, */ if (preserve_order || msg->opcode == dns_opcode_update || skip_name_search) { - if (rdtype != dns_rdatatype_opt) { + if (rdtype != dns_rdatatype_opt && + rdtype != dns_rdatatype_tsig && + !(rdtype == dns_rdatatype_sig && covers == 0)) + { ISC_LIST_APPEND(*section, name, link); free_name = ISC_FALSE; } 
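Review bot: The added `if (msg->tsigset != NULL)` → DNS_R_FORMERR correctly rejects a second TSIG, but the hunk shows no check that the TSIG is the last RR of the additional section as RFC 2845 requires; `msg->sigstart = recstart` is recorded here and anything after that offset is presumably outside the MAC, so if the last-record check lives elsewhere it deserves a pointer, and if it does not exist it should be added. A one-line note at the sigstart assignment, e.g. `/* data from here on is outside the MAC; the TSIG must be the last RR */`, would make the dependency visible. The rest of getsection continues outside the hunk.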
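Review bot: The SIG(0) branch (`covers == 0`) records sigstart and rejects duplicates but, unlike the TSIG branch, does not set skip_name_search/skip_type_search, and the changed ISC_LIST_APPEND condition only covers the preserve_order/update path. When neither applies, the root-owner SIG(0) presumably goes through the ordinary name search for the additional section, and if a root-name node already exists there the rdataset could be attached to that node while the capture code later puts `name` back into namepool. Mirror the TSIG branch with `skip_name_search = ISC_TRUE; skip_type_search = ISC_TRUE;` in the `covers == 0` branch, or confirm that the search path already handles it. The name-search else-branch is outside the hunk.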
@@ -1231,6 +1271,24 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, free_name = ISC_FALSE; } + /* + * If this is an SIG(0) or TSIG record, remember it. + */ + if (rdtype == dns_rdatatype_sig && covers == 0) { + msg->sig0 = rdataset; + rdataset = NULL; + free_rdataset = ISC_FALSE; + isc_mempool_put(msg->namepool, name); + free_name = ISC_FALSE; + } + else if (rdtype == dns_rdatatype_tsig) { + msg->tsigset = rdataset; + msg->tsigname = name; + rdataset = NULL; + free_rdataset = ISC_FALSE; + free_name = ISC_FALSE; + } + INSIST(free_name == ISC_FALSE); INSIST(free_rdataset == ISC_FALSE); } @@ -1317,9 +1375,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, if (r.length != 0) return (DNS_R_FORMERR); - if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG]) || - !ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])) - { + if (msg->tsigset != NULL || msg->sig0 != NULL) { msg->saved = isc_mem_get(msg->mctx, sizeof(isc_region_t)); if (msg->saved == NULL) return (ISC_R_NOMEMORY); @@ -1594,9 +1650,7 @@ dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) INSIST(msg->counts[DNS_SECTION_QUESTION] < 65536 && msg->counts[DNS_SECTION_ANSWER] < 65536 && msg->counts[DNS_SECTION_AUTHORITY] < 65536 && - (msg->counts[DNS_SECTION_ADDITIONAL] + - msg->counts[DNS_SECTION_TSIG] + - msg->counts[DNS_SECTION_SIG0]) < 65536); + msg->counts[DNS_SECTION_ADDITIONAL] < 65536); isc_buffer_putuint16(target, tmp); isc_buffer_putuint16(target, @@ -1605,10 +1659,8 @@ dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) (isc_uint16_t)msg->counts[DNS_SECTION_ANSWER]); isc_buffer_putuint16(target, (isc_uint16_t)msg->counts[DNS_SECTION_AUTHORITY]); - tmp = msg->counts[DNS_SECTION_ADDITIONAL] - + msg->counts[DNS_SECTION_TSIG] - + msg->counts[DNS_SECTION_SIG0]; - isc_buffer_putuint16(target, tmp); + isc_buffer_putuint16(target, + (isc_uint16_t)msg->counts[DNS_SECTION_ADDITIONAL]); } isc_result_t 
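Review bot: In the new SIG(0) capture block the owner name from the wire is discarded with `isc_mempool_put(msg->namepool, name)` without being examined; the TSIG branch keeps its owner because it is the key name, but for SIG(0) the owner is expected to be the root name (RFC 2931) and nothing here or in dns_dnssec_verifymessage, which only checks the rdata labels field, verifies that. If a non-root owner should be a format error, the natural place is the `covers == 0` branch earlier in getsection, which already uses `goto cleanup` for the duplicate check: `if (!dns_name_equal(name, dns_rootname)) { result = DNS_R_FORMERR; goto cleanup; }`. If ignoring the owner is deliberate, a comment saying so at the put would stop the next reader from wondering. The enclosing loop body continues outside the hunk.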
@@ -1657,8 +1709,11 @@ dns_message_renderend(dns_message_t *msg) result = dns_tsig_sign(msg); if (result != DNS_R_SUCCESS) return (result); - result = dns_message_rendersection(msg, DNS_SECTION_TSIG, 0); - if (result != DNS_R_SUCCESS) + count = 0; + result = dns_rdataset_towire(msg->tsigset, msg->tsigname, + &msg->cctx, msg->buffer, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) return (result); } @@ -1666,8 +1721,11 @@ dns_message_renderend(dns_message_t *msg) result = dns_dnssec_signmessage(msg, msg->sig0key); if (result != DNS_R_SUCCESS) return (result); - result = dns_message_rendersection(msg, DNS_SECTION_SIG0, 0); - if (result != DNS_R_SUCCESS) + count = 0; + result = dns_rdataset_towire(msg->sig0, dns_rootname, + &msg->cctx, msg->buffer, &count); + msg->counts[DNS_SECTION_ADDITIONAL] += count; + if (result != ISC_R_SUCCESS) return (result); } @@ -1999,6 +2057,7 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) { msg->from_to_wire = DNS_MESSAGE_INTENTRENDER; msgresetnames(msg, first_section); msgresetopt(msg); + msgresetsigs(msg); msginitprivate(msg); /* * We now clear most flags and then set QR, ensuring that the @@ -2068,6 +2127,7 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) { REQUIRE(msg->state == DNS_SECTION_ANY); msgresetopt(msg); + msgresetsigs(msg); result = dns_rdataset_first(opt); if (result != ISC_R_SUCCESS) 
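Review bot: dns_message_renderend now emits the TSIG via `dns_rdataset_towire(msg->tsigset, msg->tsigname, &msg->cctx, ...)` with the live compression context, so the key owner name (and the algorithm name inside the rdata) could be written compressed, which RFC 2845 does not permit for the TSIG RR; the old rendersection path had the same property, so this may already be handled in the TSIG rdata's towire routine, but it is worth confirming and otherwise disabling compression for this record before the call. The SIG(0) case with dns_rootname is unaffected since the root name is a single octet. Two smaller points: `count` is not declared within the hunk, so its declaration must exist in renderend's prologue, and `msg->counts[DNS_SECTION_ADDITIONAL] += count` runs before the error check, which is harmless only if towire leaves count untouched on failure; swapping the two lines removes the doubt. The rest of renderend is outside the hunk.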
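Review bot: dns_message_setopt now calls msgresetsigs(), so attaching an OPT record silently discards a TSIG or SIG(0) rdataset already set on the message; nothing in the function's contract in message.h says this, and it is not obvious why setting EDNS should clear the signature slots. If the intent is that setopt must precede signing (the `REQUIRE(msg->state == DNS_SECTION_ANY)` suggests the message has not been rendered yet), state it in the header comment, e.g. `Any TSIG or SIG(0) already attached to 'msg' is released; sign after setting OPT.`; if it is purely defensive, an INSIST that the slots are NULL would be clearer than a silent reset. The body of dns_message_setopt continues outside the hunk.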
@@ -2085,6 +2145,32 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) { return (DNS_R_SUCCESS); } +dns_rdataset_t * +dns_message_gettsig(dns_message_t *msg, dns_name_t **owner) { + + /* + * Get the TSIG record and owner for 'msg'. + */ + + REQUIRE(DNS_MESSAGE_VALID(msg)); + REQUIRE(owner != NULL && *owner == NULL); + + *owner = msg->tsigname; + return (msg->tsigset); +} + +dns_rdataset_t * +dns_message_getsig0(dns_message_t *msg) { + + /* + * Get the SIG(0) record for 'msg'. + */ + + REQUIRE(DNS_MESSAGE_VALID(msg)); + + return (msg->sig0); +} + void dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer) { @@ -2105,10 +2191,12 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { REQUIRE(signer != NULL); REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE); - if ((msg->tsig == NULL || msg->tsigkey == NULL) && - ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])) + if ((msg->tsig == NULL || msg->tsigkey == NULL) && msg->sig0 == NULL) return (ISC_R_NOTFOUND); + if (msg->verify_attempted == 0) + return (DNS_R_NOTVERIFIEDYET); + if (!dns_name_hasbuffer(signer)) { isc_buffer_t *dynbuf = NULL; result = isc_buffer_allocate(msg->mctx, &dynbuf, 512, 
@@ -2119,32 +2207,18 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { dns_message_takebuffer(msg, &dynbuf); } - if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_SIG0])) { - dns_rdataset_t *dataset; + if (msg->sig0 != NULL) { dns_rdata_t rdata; - dns_name_t *sig0name; dns_rdata_generic_sig_t sig; - if (msg->verify_attempted == 0) - result = DNS_R_NOTVERIFIEDYET; - result = dns_message_firstname(msg, DNS_SECTION_SIG0); - if (result != ISC_R_SUCCESS) - return (ISC_R_NOTFOUND); - sig0name = NULL; - dns_message_currentname(msg, DNS_SECTION_SIG0, &sig0name); - dataset = NULL; - result = dns_message_findtype(sig0name, dns_rdatatype_sig, 0, - &dataset); - if (result != ISC_R_SUCCESS) - return (result); - result = dns_rdataset_first(dataset); - dns_rdataset_current(dataset, &rdata); + result = dns_rdataset_first(msg->sig0); + dns_rdataset_current(msg->sig0, &rdata); result = dns_rdata_tostruct(&rdata, &sig, msg->mctx); if (result != ISC_R_SUCCESS) return (result); - if (msg->verified_sig && msg->sig0status != dns_rcode_noerror) + if (msg->verified_sig && msg->sig0status == dns_rcode_noerror) result = ISC_R_SUCCESS; else result = DNS_R_SIGINVALID; @@ -2154,9 +2228,7 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { } else { dns_name_t *identity; - if (msg->verify_attempted == 0) - result = DNS_R_NOTVERIFIEDYET; - else if (msg->tsigstatus != dns_rcode_noerror) + if (msg->tsigstatus != dns_rcode_noerror) result = DNS_R_TSIGVERIFYFAILURE; else if (msg->tsig->error != dns_rcode_noerror) result = DNS_R_TSIGERRORSET; @@ -2182,8 +2254,7 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) { REQUIRE(DNS_MESSAGE_VALID(msg)); REQUIRE(view != NULL); - if (msg->tsigkey == NULL && - ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG])) + if (msg->tsigkey == NULL && msg->tsigset == NULL) return (ISC_R_SUCCESS); if (msg->saved == NULL) return (DNS_R_EXPECTEDTSIG); diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 5ba1196adf..624e9a0ef7 100644 
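Review bot: In dns_message_signer the return of `result = dns_rdataset_first(msg->sig0);` is ignored before `dns_rdataset_current(msg->sig0, &rdata)`, so an empty rdataset would be read regardless; the removed code at least assigned the result before continuing, and the TSIG half of the function checks its errors. Use `if (result != ISC_R_SUCCESS) return (result);` after the call. The flip to `msg->sig0status == dns_rcode_noerror` corrects a genuine inversion on the old side, where a failed SIG(0) verification reported ISC_R_SUCCESS, and deserves a mention in the commit message. The TSIG branch of the function continues past the hunk.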
--- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.48 2000/03/16 23:13:25 bwelling Exp $ + * $Id: tsig.c,v 1.49 2000/03/29 01:32:21 bwelling Exp $ * Principal Author: Brian Wellington */ @@ -513,8 +513,8 @@ dns_tsig_sign(dns_message_t *msg) { goto cleanup_dynbuf; dns_rdataset_init(dataset); dns_rdatalist_tordataset(datalist, dataset); - ISC_LIST_APPEND(owner->list, dataset, link); - dns_message_addname(msg, owner, DNS_SECTION_TSIG); + msg->tsigset = dataset; + msg->tsigname = owner; return (ISC_R_SUCCESS); @@ -545,7 +545,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, isc_buffer_t databuf; unsigned char data[32]; dns_name_t *keyname; - dns_rdataset_t *dataset; dns_rdata_t rdata; isc_stdtime_t now; isc_result_t ret; @@ -568,7 +567,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, return(dns_tsig_verify_tcp(source, msg)); /* There should be a TSIG record... */ - if (ISC_LIST_EMPTY(msg->sections[DNS_SECTION_TSIG])) + if (msg->tsigset == NULL) return (DNS_R_EXPECTEDTSIG); /* @@ -586,16 +585,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, * TSIG record. */ - ret = dns_message_firstname(msg, DNS_SECTION_TSIG); + keyname = msg->tsigname; + ret = dns_rdataset_first(msg->tsigset); if (ret != ISC_R_SUCCESS) return (ret); - keyname = NULL; - dns_message_currentname(msg, DNS_SECTION_TSIG, &keyname); - dataset = ISC_LIST_HEAD(keyname->list); - ret = dns_rdataset_first(dataset); - if (ret != ISC_R_SUCCESS) - return (ret); - dns_rdataset_current(dataset, &rdata); + dns_rdataset_current(msg->tsigset, &rdata); tsig = (dns_rdata_any_tsig_t *) isc_mem_get(mctx, sizeof(dns_rdata_any_tsig_t)); if (tsig == NULL) 
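Review bot: `msg->tsigset = dataset; msg->tsigname = owner;` in dns_tsig_sign overwrites an occupied TSIG slot without releasing it; msgresetsigs() in message.c is the only place these are returned to the pools, so signing a message that already holds a parsed or previously rendered TSIG would leak the old rdataset and name. An `INSIST(msg->tsigset == NULL && msg->tsigname == NULL);` before the assignments documents and enforces the precondition. The earlier error paths of dns_tsig_sign, including the `goto cleanup_dynbuf` just above, are outside the hunk.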
@@ -720,7 +714,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, isc_buffer_init(&databuf, data, sizeof(data), ISC_BUFFERTYPE_BINARY); isc_buffer_putuint16(&databuf, tsig->common.rdclass); - isc_buffer_putuint32(&databuf, dataset->ttl); + isc_buffer_putuint32(&databuf, msg->tsigset->ttl); isc_buffer_used(&databuf, &r); ret = dst_verify(DST_SIGMODE_UPDATE, key, &ctx, &r, &sig_r); if (ret != ISC_R_SUCCESS) @@ -802,7 +796,6 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { isc_buffer_t databuf; unsigned char data[32]; dns_name_t *keyname; - dns_rdataset_t *dataset; dns_rdata_t rdata; isc_stdtime_t now; isc_result_t ret; @@ -822,17 +815,14 @@ dns_tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { mctx = msg->mctx; - ret = dns_message_firstname(msg, DNS_SECTION_TSIG); - if (ret == ISC_R_SUCCESS) { + if (msg->tsigset != NULL) { has_tsig = ISC_TRUE; - keyname = NULL; - dns_message_currentname(msg, DNS_SECTION_TSIG, &keyname); - dataset = ISC_LIST_HEAD(keyname->list); - ret = dns_rdataset_first(dataset); + keyname = msg->tsigname; + ret = dns_rdataset_first(msg->tsigset); if (ret != ISC_R_SUCCESS) return (ret); - dns_rdataset_current(dataset, &rdata); + dns_rdataset_current(msg->tsigset, &rdata); tsig = (dns_rdata_any_tsig_t *) isc_mem_get(mctx, sizeof(dns_rdata_any_tsig_t)); if (tsig == NULL)