mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

771. [cleanup] TSIG errors related to unsynchronized clocks

Browse Source 
are logged better.
This commit is contained in:
Brian Wellington 2001-03-07 20:53:32 +00:00
parent 3ba6d0298a
commit 5ea0d11ca4
5 changed files with 32 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@ -1,3 +1,6 @@
771. [cleanup] TSIG errors related to unsynchronized clocks
are logged better.
770. [func] Add the "edns yes_or_no" statement to the server 770. [func] Add the "edns yes_or_no" statement to the server
clause. [RT #524] clause. [RT #524]

5
lib/dns/include/dns/result.h
View File

@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: result.h,v 1.79 2001/03/06 22:10:34 marka Exp $ */ /* $Id: result.h,v 1.80 2001/03/07 20:53:31 bwelling Exp $ */
#ifndef DNS_RESULT_H #ifndef DNS_RESULT_H
#define DNS_RESULT_H 1 #define DNS_RESULT_H 1
@ -112,8 +112,9 @@
#define DNS_R_HINTNXRRSET (ISC_RESULTCLASS_DNS + 73) #define DNS_R_HINTNXRRSET (ISC_RESULTCLASS_DNS + 73)
#define DNS_R_NOMASTERFILE (ISC_RESULTCLASS_DNS + 74) #define DNS_R_NOMASTERFILE (ISC_RESULTCLASS_DNS + 74)
#define DNS_R_UNKNOWNPROTO (ISC_RESULTCLASS_DNS + 75) #define DNS_R_UNKNOWNPROTO (ISC_RESULTCLASS_DNS + 75)
#define DNS_R_CLOCKSKEW (ISC_RESULTCLASS_DNS + 76)
#define DNS_R_NRESULTS 76 /* Number of results */ #define DNS_R_NRESULTS 77 /* Number of results */
/* /*
* DNS wire format rcodes. * DNS wire format rcodes.

4
lib/dns/include/dns/tsig.h
View File

@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: tsig.h,v 1.38 2001/02/13 03:57:06 bwelling Exp $ */ /* $Id: tsig.h,v 1.39 2001/03/07 20:53:32 bwelling Exp $ */
#ifndef DNS_TSIG_H #ifndef DNS_TSIG_H
#define DNS_TSIG_H 1 #define DNS_TSIG_H 1
@ -185,6 +185,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
* DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected * DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
* DNS_R_TSIGERRORSET - the TSIG verified but ->error was set * DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
* and this is a query * and this is a query
* DNS_R_CLOCKSKEW - the TSIG failed to verify because of
* the time was out of the allowed range.
* DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify * DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
*/ */

10
lib/dns/result.c
View File

@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: result.c,v 1.87 2001/03/06 22:10:31 marka Exp $ */ /* $Id: result.c,v 1.88 2001/03/07 20:53:27 bwelling Exp $ */
#include <config.h> #include <config.h>
@ -109,13 +109,15 @@ static const char *text[DNS_R_NRESULTS] = {
"not exact", /* 67 DNS_R_NOTEXACT */ "not exact", /* 67 DNS_R_NOTEXACT */
"address blackholed", /* 68 DNS_R_BLACKHOLED */ "address blackholed", /* 68 DNS_R_BLACKHOLED */
"bad algorithm", /* 69 DNS_R_BADALG */ "bad algorithm", /* 69 DNS_R_BADALG */
"invalid use of a meta type", /* 70 DNS_R_METATYPE */
"invalid use of a meta type", /* 70 DNS_R_METATYPE */
"CNAME and other data", /* 71 DNS_R_CNAMEANDOTHER */ "CNAME and other data", /* 71 DNS_R_CNAMEANDOTHER */
"multiple RRs of singleton type", /* 72 DNS_R_SINGLETON */ "multiple RRs of singleton type", /* 72 DNS_R_SINGLETON */
"hint nxrrset", /* 73 DNS_R_HINTNXRRSET */ "hint nxrrset", /* 73 DNS_R_HINTNXRRSET */
"no master file configured" /* 74 DNS_R_NOMASTERFILE */ "no master file configured", /* 74 DNS_R_NOMASTERFILE */
"unknown protocol" /* 75 DNS_R_UNKNOWNPROTO */
"unknown protocol", /* 75 DNS_R_UNKNOWNPROTO */
"clocks are unsynchronized" /* 76 DNS_R_CLOCKSKEW */
}; };
static const char *rcode_text[DNS_R_NRCODERESULTS] = { static const char *rcode_text[DNS_R_NRCODERESULTS] = {

23
lib/dns/tsig.c
View File

@ -16,7 +16,7 @@
*/ */
/* /*
* $Id: tsig.c,v 1.106 2001/02/13 03:57:04 bwelling Exp $ * $Id: tsig.c,v 1.107 2001/03/07 20:53:28 bwelling Exp $
*/ */
#include <config.h> #include <config.h>
@ -722,11 +722,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime; msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature has expired"); tsig_log(msg->tsigkey, 2, "signature has expired");
return (DNS_R_TSIGVERIFYFAILURE); return (DNS_R_CLOCKSKEW);
} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) { } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime; msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature is in the future"); tsig_log(msg->tsigkey, 2, "signature is in the future");
return (DNS_R_TSIGVERIFYFAILURE); return (DNS_R_CLOCKSKEW);
} }
if (tsig.siglen > 0) { if (tsig.siglen > 0) {
@ -855,8 +855,12 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
msg->tsigstatus = dns_rcode_noerror; msg->tsigstatus = dns_rcode_noerror;
if (tsig.error != dns_rcode_noerror) if (tsig.error != dns_rcode_noerror) {
if (tsig.error == dns_tsigerror_badtime)
return (DNS_R_CLOCKSKEW);
else
return (DNS_R_TSIGERRORSET); return (DNS_R_TSIGERRORSET);
}
msg->verified_sig = 1; msg->verified_sig = 1;
@ -945,7 +949,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
msg->tsigstatus = dns_tsigerror_badtime; msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, "signature has expired"); tsig_log(msg->tsigkey, 2, "signature has expired");
ret = DNS_R_TSIGVERIFYFAILURE; ret = DNS_R_CLOCKSKEW;
goto cleanup_querystruct; goto cleanup_querystruct;
} else if (now + msg->timeadjust < } else if (now + msg->timeadjust <
tsig.timesigned - tsig.fudge) tsig.timesigned - tsig.fudge)
@ -953,7 +957,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
msg->tsigstatus = dns_tsigerror_badtime; msg->tsigstatus = dns_tsigerror_badtime;
tsig_log(msg->tsigkey, 2, tsig_log(msg->tsigkey, 2,
"signature is in the future"); "signature is in the future");
ret = DNS_R_TSIGVERIFYFAILURE; ret = DNS_R_CLOCKSKEW;
goto cleanup_querystruct; goto cleanup_querystruct;
} }
} }
@ -1049,9 +1053,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
sig_r.base = tsig.signature; sig_r.base = tsig.signature;
sig_r.length = tsig.siglen; sig_r.length = tsig.siglen;
if (tsig.siglen == 0) { if (tsig.siglen == 0) {
if (tsig.error != dns_rcode_noerror) if (tsig.error != dns_rcode_noerror) {
if (tsig.error == dns_tsigerror_badtime)
ret = DNS_R_CLOCKSKEW;
else
ret = DNS_R_TSIGERRORSET; ret = DNS_R_TSIGERRORSET;
else { } else {
tsig_log(msg->tsigkey, 2, tsig_log(msg->tsigkey, 2,
"signature is empty"); "signature is empty");
ret = DNS_R_TSIGVERIFYFAILURE; ret = DNS_R_TSIGVERIFYFAILURE;