From 19c7cce8555ccc0c95455a0c35dedd017d420d05 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 9 Jan 2001 23:35:33 +0000 Subject: [PATCH] 674. [func] Allow messages to be TSIG signed / verified using a offset from the current time. --- CHANGES | 2 ++ lib/dns/include/dns/message.h | 23 ++++++++++++++++++++++- lib/dns/message.c | 17 +++++++++++++++-- lib/dns/tsig.c | 8 ++++---- 4 files changed, 43 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index d026979bac..989fa5348e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + 674. [func] Allow messages to be TSIG signed / verified using + a offset from the current time. 673. [func] The server can now convert RFC1886-style recursive lookup requests into RFC2874-style lookups, when diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h index 52661ebfa6..7cc6acef8e 100644 --- a/lib/dns/include/dns/message.h +++ b/lib/dns/include/dns/message.h @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.h,v 1.87 2001/01/09 21:53:03 bwelling Exp $ */ +/* $Id: message.h,v 1.88 2001/01/09 23:35:33 marka Exp $ */ #ifndef DNS_MESSAGE_H #define DNS_MESSAGE_H 1 @@ -217,6 +217,7 @@ struct dns_message { dns_tsigkey_t *tsigkey; dst_context_t *tsigctx; int sigstart; + int timeadjust; dns_name_t *sig0name; dst_key_t *sig0key; @@ -1194,9 +1195,29 @@ dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order, * 'order_arg' are NULL, a default order is used. * * Requires: + * msg be a valid message. * order_arg is NULL if and only if order is NULL. */ +void +dns_message_settimeadjust(dns_message_t *msg, int timeadjust); +/* + * Adjust the time used to sign/verify a message by timeadjust. + * Currently only TSIG. + * + * Requires: + * msg be a valid message. + */ + +int +dns_message_gettimeadjust(dns_message_t *msg); +/* + * Return the current time adjustment. + * + * Requires: + * msg be a valid message. + */ + ISC_LANG_ENDDECLS #endif /* DNS_MESSAGE_H */ 
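Review bot: The comment on `dns_message_settimeadjust` leaves the unit and sign of `timeadjust` undocumented, so a caller cannot tell from the header whether a positive value moves the TSIG time forward or back. The tsig.c hunks in this commit add it to the value returned by `isc_stdtime_get()` both when signing and when checking the fudge window, so I would write: `Adjust the time used to sign/verify a message by timeadjust seconds; the value is added to the local clock, so a positive value compensates for a local clock that is behind the peer's. Currently only TSIG.` It is also worth stating that the offset shifts the window `dns_tsig_verify` accepts and should therefore come from a trusted estimate of the peer's clock skew rather than from anything in the message being verified, since the field is per-message and is not range-checked anywhere in this change. `dns_message_gettimeadjust` could add that the value is the one last set with `dns_message_settimeadjust`, 0 for a freshly initialized message (message.c sets it in `msginittsig`).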
diff --git a/lib/dns/message.c b/lib/dns/message.c index 7cb41c3d6b..778a4ede90 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.c,v 1.171 2001/01/09 21:51:05 bwelling Exp $ */ +/* $Id: message.c,v 1.172 2001/01/09 23:35:27 marka Exp $ */ /*** *** Imports @@ -355,6 +355,7 @@ msginittsig(dns_message_t *m) { m->sigstart = -1; m->sig0key = NULL; m->sig0status = dns_rcode_noerror; + m->timeadjust = 0; } /* @@ -2978,7 +2979,19 @@ void dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order, void *order_arg) { + REQUIRE(DNS_MESSAGE_VALID(msg)); msg->order = order; msg->order_arg = order_arg; } - + +void +dns_message_settimeadjust(dns_message_t *msg, int timeadjust) { + REQUIRE(DNS_MESSAGE_VALID(msg)); + msg->timeadjust = timeadjust; +} + +int +dns_message_gettimeadjust(dns_message_t *msg) { + REQUIRE(DNS_MESSAGE_VALID(msg)); + return (msg->timeadjust); +} diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 8a86139699..80281ec186 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.100 2001/01/09 21:51:39 bwelling Exp $ + * $Id: tsig.c,v 1.101 2001/01/09 23:35:29 marka Exp $ * Principal Author: Brian Wellington */ @@ -399,7 +399,7 @@ dns_tsig_sign(dns_message_t *msg) { dns_name_clone(key->algorithm, &tsig.algorithm); isc_stdtime_get(&now); - tsig.timesigned = now; + tsig.timesigned = now + msg->timeadjust; tsig.fudge = DNS_TSIG_FUDGE; tsig.originalid = msg->id; @@ -739,9 +739,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, /* * Is the time ok? */ - if (abs(now - tsig.timesigned) > tsig.fudge) { + if (abs(now + msg->timeadjust - tsig.timesigned) > tsig.fudge) { msg->tsigstatus = dns_tsigerror_badtime; - if (now > tsig.timesigned + tsig.fudge) + if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) tsig_log(msg->tsigkey, 2, "signature has expired"); else
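Review bot: `now + msg->timeadjust` is spelled out three times across the two tsig.c hunks (once in `dns_tsig_sign`, twice in the fudge check in `dns_tsig_verify`), and the `else` branch that follows the verify hunk presumably needs the same value. Computing the adjusted time once, e.g. `isc_stdtime_t adjusted = now + msg->timeadjust;` before the check and comparing `adjusted` in both `if`s, keeps the two comparisons from drifting apart if the window logic is touched again. Note also the mixed arithmetic: if `now` is the unsigned `isc_stdtime_t` used elsewhere in the library, the `int` `timeadjust` is converted to unsigned before the addition, which is well-defined modular arithmetic and gives the intended result as long as the adjusted time does not go negative; a one-line comment saying so would help the next reader of the `abs()` line, whose argument is still narrowed to `int` exactly as it was before this change. Both `dns_tsig_sign` and `dns_tsig_verify` begin and end outside their hunks.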