From abfbf760f3bc2a6744b0249a31ca5153234b49e8 Mon Sep 17 00:00:00 2001
From: Brian Wellington
Date: Thu, 4 Jan 2001 00:10:13 +0000
Subject: [PATCH] 650. [bug] SIG(0) records were being generated and verified incorrectly. [RT #606]

---
 CHANGES | 3 +++
 lib/dns/dnssec.c | 41 +++++++++++++++++++++--------------------
 2 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/CHANGES b/CHANGES
index 05cdf27c60..f0ec8c64db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+ 650. [bug] SIG(0) records were being generated and verified
+ incorrectly. [RT #606]
+
 649. [bug] It was possible to join to an already running fctx after it had "cloned" its events, but before it sent them. In this case, the event of the newly joined
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 7903ec8739..7da7376bd9 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: dnssec.c,v 1.57 2001/01/03 20:42:07 bwelling Exp $
+ * $Id: dnssec.c,v 1.58 2001/01/04 00:10:13 bwelling Exp $
 */
@@ -559,6 +559,19 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 RETERR(dst_context_create(key, mctx, &ctx));
+ /*
+ * Digest the fields of the SIG - we can cheat and use
+ * dns_rdata_fromstruct. Since siglen is 0, the digested data
+ * is identical to dns format.
+ */
+ RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
+ dns_rdatatype_sig, &sig, &databuf));
+ isc_buffer_usedregion(&databuf, &r);
+ RETERR(dst_context_adddata(ctx, &r));
+
+ /*
+ * If this is a response, digest the query.
+ */
 if (is_response(msg))
 RETERR(dst_context_adddata(ctx, &msg->query));
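Review bot: The digest of the SIG RDATA added right after `dst_context_create` depends on `sig.siglen` being 0 and `sig.signature` unset when `dns_rdata_fromstruct` runs, but the hunk only states this in a comment; `sig` is presumably populated earlier in `dns_dnssec_signmessage`, outside the hunk. An `INSIST(sig.siglen == 0);` immediately before the `dns_rdata_fromstruct` call would make the invariant enforced rather than assumed, since any stale signature bytes here would be folded into the digest and the resulting SIG(0) would never verify. The order now followed — SIG RDATA, then the query for a response, then the message — is the RFC 2931 section 3.1 order, and the comment could say so, e.g. `/* RFC 2931 3.1: digest SIG RDATA (signature empty), then the request, then the message. */`, so nobody reorders it again. The enclosing function starts and ends outside this hunk.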
@@ -577,16 +590,6 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
 RETERR(dst_context_adddata(ctx, &r));
- /*
- * Digest the fields of the SIG - we can cheat and use
- * dns_rdata_fromstruct. Since siglen is 0, the digested data
- * is identical to dns format.
- */
- RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
- dns_rdatatype_sig, &sig, &databuf));
- isc_buffer_usedregion(&databuf, &r);
- RETERR(dst_context_adddata(ctx, &r));
-
 RETERR(dst_key_sigsize(key, &sigsize));
 sig.siglen = sigsize;
 sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
@@ -697,6 +700,13 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 RETERR(dst_context_create(key, mctx, &ctx));
+ /*
+ * Digest the SIG(0) record, except for the signature.
+ */
+ dns_rdata_toregion(&rdata, &r);
+ r.length -= sig.siglen;
+ RETERR(dst_context_adddata(ctx, &r));
+
 /*
 * If this is a response, digest the query.
 */
@@ -729,15 +739,6 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
 RETERR(dst_context_adddata(ctx, &r));
- /*
- * Digest the SIG(0) record . Find the start of the record, skip
- * the name and 10 bytes for class, type, ttl, length to get to
- * the start of the rdata.
- */
- dns_rdata_toregion(&rdata, &r);
- r.length -= sig.siglen;
- RETERR(dst_context_adddata(ctx, &r));
-
 sig_r.base = sig.signature;
 sig_r.length = sig.siglen;
 result = dst_context_verify(ctx, &sig_r);
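Review bot: In the `@@ -697` hunk, `r.length -= sig.siglen;` subtracts an unsigned length with no guard, so it is only safe if `sig` was decoded from this same `rdata` and `siglen` therefore cannot exceed the RDATA length; that decode happens outside the hunk. An `INSIST(r.length >= sig.siglen);` ahead of the subtraction would stop a wrap-around from handing a huge region to `dst_context_adddata` if the two ever come from different places. The comment could also record why the received wire bytes are digested here rather than a struct rebuilt from `sig`: `/* Digest the SIG(0) RDATA exactly as received, minus the trailing signature (RFC 2931 3.1). */`. `dns_dnssec_verifymessage` starts and ends outside this hunk.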