static isc_result_t
add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
isc_uint32_t ttl, dns_namelist_t *namelist)
{
isc_result_t result;
isc_region_t r, newr;
dns_rdata_t *newrdata = NULL;
dns_name_t *newname = NULL;
dns_rdatalist_t *newlist = NULL;
dns_rdataset_t *newset = NULL;
isc_buffer_t *tmprdatabuf = NULL;
RETERR(dns_message_gettemprdata(msg, &newrdata));
dns_rdata_toregion(rdata, &r);
RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
isc_buffer_availableregion(tmprdatabuf, &newr);
memcpy(newr.base, r.base, r.length);
dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
dns_message_takebuffer(msg, &tmprdatabuf);
RETERR(dns_message_gettempname(msg, &newname));
dns_name_init(newname, NULL);
RETERR(dns_name_dup(name, msg->mctx, newname));
RETERR(dns_message_gettemprdatalist(msg, &newlist));
newlist->rdclass = newrdata->rdclass;
newlist->type = newrdata->type;
newlist->covers = 0;
newlist->ttl = ttl;
ISC_LIST_INIT(newlist->rdata);
ISC_LIST_APPEND(newlist->rdata, newrdata, link);
RETERR(dns_message_gettemprdataset(msg, &newset));
dns_rdataset_init(newset);
RETERR(dns_rdatalist_tordataset(newlist, newset));
ISC_LIST_INIT(newname->list);
ISC_LIST_APPEND(newname->list, newset, link);
ISC_LIST_APPEND(*namelist, newname, link);
return (ISC_R_SUCCESS);
failure:
if (newrdata != NULL) {
if (ISC_LINK_LINKED(newrdata, link)) {
INSIST(newlist != NULL);
ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
}
dns_message_puttemprdata(msg, &newrdata);
}
if (newname != NULL)
dns_message_puttempname(msg, &newname);
if (newset != NULL) {
dns_rdataset_disassociate(newset);
dns_message_puttemprdataset(msg, &newset);
}
if (newlist != NULL)
dns_message_puttemprdatalist(msg, &newlist);
return (result);
}
isc_result_t
dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
dns_rdata_sig_t sig; /* SIG(0) */
unsigned char data[512];
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_buffer_t headerbuf, databuf, sigbuf;
unsigned int sigsize;
isc_buffer_t *dynbuf = NULL;
dns_rdata_t *rdata;
dns_rdatalist_t *datalist;
dns_rdataset_t *dataset;
isc_region_t r;
isc_stdtime_t now;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_result_t result;
isc_boolean_t signeedsfree = ISC_TRUE;
REQUIRE(msg != NULL);
REQUIRE(key != NULL);
if (is_response(msg))
REQUIRE(msg->query.base != NULL);
mctx = msg->mctx;
memset(&sig, 0, sizeof(sig));
sig.mctx = mctx;
sig.common.rdclass = dns_rdataclass_any;
sig.common.rdtype = dns_rdatatype_sig; /* SIG(0) */
ISC_LINK_INIT(&sig.common, link);
sig.covered = 0;
sig.algorithm = dst_key_alg(key);
sig.labels = 0; /* the root name */
sig.originalttl = 0;
isc_stdtime_get(&now);
sig.timesigned = now - DNS_TSIG_FUDGE;
sig.timeexpire = now + DNS_TSIG_FUDGE;
sig.keyid = dst_key_id(key);
dns_name_init(&sig.signer, NULL);
dns_name_clone(dst_key_name(key), &sig.signer);
sig.siglen = 0;
sig.signature = NULL;
isc_buffer_init(&databuf, data, sizeof(data));
RETERR(dst_context_create(key, mctx, &ctx));
/*
* Digest the fields of the SIG - we can cheat and use
* dns_rdata_fromstruct. Since siglen is 0, the digested data
* is identical to dns format.
*/
RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
dns_rdatatype_sig /* SIG(0) */,
&sig, &databuf));
isc_buffer_usedregion(&databuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
if (is_response(msg))
RETERR(dst_context_adddata(ctx, &msg->query));
/*
* Digest the header.
*/
isc_buffer_init(&headerbuf, header, sizeof(header));
dns_message_renderheader(msg, &headerbuf);
isc_buffer_usedregion(&headerbuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the remainder of the message.
*/
isc_buffer_usedregion(msg->buffer, &r);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
RETERR(dst_context_adddata(ctx, &r));
RETERR(dst_key_sigsize(key, &sigsize));
sig.siglen = sigsize;
sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
if (sig.signature == NULL) {
result = ISC_R_NOMEMORY;
goto failure;
}
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
RETERR(dst_context_sign(ctx, &sigbuf));
dst_context_destroy(&ctx);
rdata = NULL;
RETERR(dns_message_gettemprdata(msg, &rdata));
RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
dns_rdatatype_sig /* SIG(0) */,
&sig, dynbuf));
isc_mem_put(mctx, sig.signature, sig.siglen);
signeedsfree = ISC_FALSE;
dns_message_takebuffer(msg, &dynbuf);
datalist = NULL;
RETERR(dns_message_gettemprdatalist(msg, &datalist));
datalist->rdclass = dns_rdataclass_any;
datalist->type = dns_rdatatype_sig; /* SIG(0) */
datalist->covers = 0;
datalist->ttl = 0;
ISC_LIST_INIT(datalist->rdata);
ISC_LIST_APPEND(datalist->rdata, rdata, link);
dataset = NULL;
RETERR(dns_message_gettemprdataset(msg, &dataset));
dns_rdataset_init(dataset);
RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) == ISC_R_SUCCESS);
msg->sig0 = dataset;
return (ISC_R_SUCCESS);
failure:
if (dynbuf != NULL)
isc_buffer_free(&dynbuf);
if (signeedsfree)
isc_mem_put(mctx, sig.signature, sig.siglen);
if (ctx != NULL)
dst_context_destroy(&ctx);
return (result);
}
static void
make_prereq(isc_mem_t *mctx, char *cmdline, isc_boolean_t ispositive,
isc_boolean_t isrrset, dns_name_t *name)
{
isc_result_t result;
char *word;
isc_textregion_t region;
dns_rdataset_t *rdataset = NULL;
dns_rdatalist_t *rdatalist = NULL;
dns_rdataclass_t rdataclass;
dns_rdatatype_t rdatatype;
dns_rdata_t *rdata = NULL;
/*
* Read the owner name
*/
parse_name(&cmdline, name);
/*
* If this is an rrset prereq, read the class or type.
*/
if (isrrset) {
word = nsu_strsep(&cmdline, " \t\r\n");
if (word == NULL || *word == 0) {
fprintf(stderr, "could not read class or type\n");
exit(1);
}
region.base = word;
region.length = strlen(word);
result = dns_rdataclass_fromtext(&rdataclass, ®ion);
if (result == ISC_R_SUCCESS) {
/*
* Now read the type.
*/
word = nsu_strsep(&cmdline, " \t\r\n");
if (word == NULL || *word == 0) {
fprintf(stderr, "could not read type\n");
exit(1);
}
region.base = word;
region.length = strlen(word);
result = dns_rdatatype_fromtext(&rdatatype, ®ion);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "invalid type: %s\n", word);
exit(1);
}
} else {
rdataclass = default_rdataclass;
result = dns_rdatatype_fromtext(&rdatatype, ®ion);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "invalid type: %s\n", word);
exit(1);
}
}
} else
rdatatype = dns_rdatatype_any;
rdata = isc_mem_get(mctx, sizeof(*rdata));
if (rdata == NULL) {
fprintf(stderr, "memory allocation for rdata failed\n");
exit(1);
}
dns_rdata_init(rdata);
if (isrrset && ispositive)
parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
else
rdata->flags = DNS_RDATA_UPDATE;
rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
if (rdatalist == NULL) {
fprintf(stderr, "memory allocation for rdatalist failed\n");
exit(1);
}
dns_rdatalist_init(rdatalist);
rdatalist->type = rdatatype;
if (ispositive) {
if (isrrset && rdata->data != NULL)
rdatalist->rdclass = rdataclass;
else
rdatalist->rdclass = dns_rdataclass_any;
} else
rdatalist->rdclass = dns_rdataclass_none;
rdatalist->covers = 0;
rdatalist->ttl = 0;
rdata->rdclass = rdatalist->rdclass;
rdata->type = rdatatype;
ISC_LIST_INIT(rdatalist->rdata);
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
rdataset = isc_mem_get(mctx, sizeof(*rdataset));
if (rdataset == NULL) {
fprintf(stderr, "memory allocation for rdataset failed\n");
exit(1);
}
dns_rdataset_init(rdataset);
dns_rdatalist_tordataset(rdatalist, rdataset);
ISC_LIST_INIT(name->list);
ISC_LIST_APPEND(name->list, rdataset, link);
}
static void
resigned(isc_assertioncallback_t callback) {
isc_result_t result;
dns_rdataset_t rdataset, added;
dns_dbnode_t *node = NULL;
dns_rdatalist_t rdatalist;
dns_rdata_rrsig_t rrsig;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_buffer_t b;
unsigned char buf[1024];
result = dns_test_begin(NULL, ISC_FALSE);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
setup_db();
/*
* Create a dummy RRSIG record and set a resigning time.
*/
dns_rdataset_init(&added);
dns_rdataset_init(&rdataset);
dns_rdatalist_init(&rdatalist);
isc_buffer_init(&b, buf, sizeof(buf));
DNS_RDATACOMMON_INIT(&rrsig, dns_rdatatype_rrsig, dns_rdataclass_in);
rrsig.covered = dns_rdatatype_a;
rrsig.algorithm = 100;
rrsig.labels = 0;
rrsig.originalttl = 0;
rrsig.timeexpire = 3600;
rrsig.timesigned = 0;
rrsig.keyid = 0;
dns_name_init(&rrsig.signer, NULL);
dns_name_clone(dns_rootname, &rrsig.signer);
rrsig.siglen = 0;
rrsig.signature = NULL;
result = dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
dns_rdatatype_rrsig, &rrsig, &b);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
rdatalist.rdclass = dns_rdataclass_in;
rdatalist.type = dns_rdatatype_rrsig;
ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
rdataset.attributes |= DNS_RDATASETATTR_RESIGN;
rdataset.resign = 7200;
result = dns_db_findnode(db1, dns_rootname, ISC_FALSE, &node);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dns_db_addrdataset(db1, node, v1, 0, &rdataset, 0, &added);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
dns_db_detachnode(db1, &node);
ATF_REQUIRE_EQ(node, NULL);
isc_assertion_setcallback(callback);
dns_db_resigned(db1, &added, VERSION(callback));
if (callback != NULL)
atf_tc_fail("dns_db_resigned did not assert");
dns_rdataset_disassociate(&added);
close_db();
dns_test_end();
}
isc_result_t
dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
dns_dbnode_t *node, dns_rdatatype_t covers,
isc_stdtime_t now, dns_ttl_t maxttl,
isc_boolean_t optout, dns_rdataset_t *addedrdataset)
{
isc_result_t result;
isc_buffer_t buffer;
isc_region_t r;
dns_rdataset_t *rdataset;
dns_rdatatype_t type;
dns_name_t *name;
dns_ttl_t ttl;
dns_trust_t trust;
dns_rdata_t rdata[DNS_NCACHE_RDATA];
dns_rdataset_t ncrdataset;
dns_rdatalist_t ncrdatalist;
unsigned char data[4096];
unsigned int next = 0;
/*
* Convert the authority data from 'message' into a negative cache
* rdataset, and store it in 'cache' at 'node'.
*/
REQUIRE(message != NULL);
/*
* We assume that all data in the authority section has been
* validated by the caller.
*/
/*
* Initialize the list.
*/
ncrdatalist.rdclass = dns_db_class(cache);
ncrdatalist.type = 0;
ncrdatalist.covers = covers;
ncrdatalist.ttl = maxttl;
ISC_LIST_INIT(ncrdatalist.rdata);
ISC_LINK_INIT(&ncrdatalist, link);
/*
* Build an ncache rdatas into buffer.
*/
ttl = maxttl;
trust = 0xffff;
isc_buffer_init(&buffer, data, sizeof(data));
if (message->counts[DNS_SECTION_AUTHORITY])
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
else
result = ISC_R_NOMORE;
while (result == ISC_R_SUCCESS) {
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY,
&name);
if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
if ((rdataset->attributes &
DNS_RDATASETATTR_NCACHE) == 0)
continue;
type = rdataset->type;
if (type == dns_rdatatype_rrsig)
type = rdataset->covers;
if (type == dns_rdatatype_soa ||
type == dns_rdatatype_nsec ||
type == dns_rdatatype_nsec3) {
if (ttl > rdataset->ttl)
ttl = rdataset->ttl;
if (trust > rdataset->trust)
trust = rdataset->trust;
/*
* Copy the owner name to the buffer.
*/
dns_name_toregion(name, &r);
result = isc_buffer_copyregion(&buffer,
&r);
if (result != ISC_R_SUCCESS)
return (result);
/*
* Copy the type to the buffer.
*/
isc_buffer_availableregion(&buffer,
&r);
if (r.length < 3)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer,
rdataset->type);
isc_buffer_putuint8(&buffer,
(unsigned char)rdataset->trust);
/*
* Copy the rdataset into the buffer.
*/
result = copy_rdataset(rdataset,
&buffer);
if (result != ISC_R_SUCCESS)
return (result);
if (next >= DNS_NCACHE_RDATA)
return (ISC_R_NOSPACE);
dns_rdata_init(&rdata[next]);
isc_buffer_remainingregion(&buffer, &r);
rdata[next].data = r.base;
rdata[next].length = r.length;
rdata[next].rdclass =
ncrdatalist.rdclass;
rdata[next].type = 0;
rdata[next].flags = 0;
ISC_LIST_APPEND(ncrdatalist.rdata,
&rdata[next], link);
isc_buffer_forward(&buffer, r.length);
next++;
}
}
}
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
}
if (result != ISC_R_NOMORE)
return (result);
if (trust == 0xffff) {
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
message->counts[DNS_SECTION_ANSWER] == 0) {
/*
* The response has aa set and we haven't followed
* any CNAME or DNAME chains.
*/
trust = dns_trust_authauthority;
} else
trust = dns_trust_additional;
ttl = 0;
}
INSIST(trust != 0xffff);
ncrdatalist.ttl = ttl;
dns_rdataset_init(&ncrdataset);
RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
== ISC_R_SUCCESS);
ncrdataset.trust = trust;
ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
if (message->rcode == dns_rcode_nxdomain)
ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
if (optout)
ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT;
return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
0, addedrdataset));
}
static void
update_addordelete(isc_mem_t *mctx, char *cmdline, isc_boolean_t isdelete,
dns_name_t *name)
{
isc_result_t result;
isc_uint32_t ttl;
char *word;
dns_rdataclass_t rdataclass;
dns_rdatatype_t rdatatype;
dns_rdata_t *rdata = NULL;
dns_rdatalist_t *rdatalist = NULL;
dns_rdataset_t *rdataset = NULL;
isc_textregion_t region;
/*
* Read the owner name.
*/
parse_name(&cmdline, name);
rdata = isc_mem_get(mctx, sizeof(*rdata));
if (rdata == NULL) {
fprintf(stderr, "memory allocation for rdata failed\n");
exit(1);
}
dns_rdata_init(rdata);
/*
* If this is an add, read the TTL and verify that it's in range.
* If it's a delete, ignore a TTL if present (for compatibility).
*/
word = nsu_strsep(&cmdline, " \t\r\n");
if (word == NULL || *word == 0) {
if (!isdelete) {
fprintf(stderr, "could not read owner ttl\n");
exit(1);
}
else {
ttl = 0;
rdataclass = dns_rdataclass_any;
rdatatype = dns_rdatatype_any;
rdata->flags = DNS_RDATA_UPDATE;
goto doneparsing;
}
}
result = isc_parse_uint32(&ttl, word, 10);
if (result != ISC_R_SUCCESS) {
if (isdelete) {
ttl = 0;
goto parseclass;
} else {
fprintf(stderr, "ttl '%s': %s\n", word,
isc_result_totext(result));
exit(1);
}
}
if (isdelete)
ttl = 0;
else if (ttl > TTL_MAX) {
fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
word, TTL_MAX);
exit(1);
}
/*
* Read the class or type.
*/
word = nsu_strsep(&cmdline, " \t\r\n");
parseclass:
if (word == NULL || *word == 0) {
if (isdelete) {
rdataclass = dns_rdataclass_any;
rdatatype = dns_rdatatype_any;
rdata->flags = DNS_RDATA_UPDATE;
goto doneparsing;
} else {
fprintf(stderr, "could not read class or type\n");
exit(1);
}
}
region.base = word;
region.length = strlen(word);
result = dns_rdataclass_fromtext(&rdataclass, ®ion);
if (result == ISC_R_SUCCESS) {
/*
* Now read the type.
*/
word = nsu_strsep(&cmdline, " \t\r\n");
if (word == NULL || *word == 0) {
if (isdelete) {
rdataclass = dns_rdataclass_any;
rdatatype = dns_rdatatype_any;
rdata->flags = DNS_RDATA_UPDATE;
goto doneparsing;
} else {
fprintf(stderr, "could not read type\n");
exit(1);
}
}
region.base = word;
region.length = strlen(word);
result = dns_rdatatype_fromtext(&rdatatype, ®ion);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "'%s' is not a valid type: %s\n",
word, isc_result_totext(result));
exit(1);
}
} else {
rdataclass = default_rdataclass;
result = dns_rdatatype_fromtext(&rdatatype, ®ion);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "'%s' is not a valid class or type: "
"%s\n", word, isc_result_totext(result));
exit(1);
}
}
parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
if (isdelete) {
if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
rdataclass = dns_rdataclass_any;
else
rdataclass = dns_rdataclass_none;
} else {
if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
fprintf(stderr, "could not read rdata\n");
exit(1);
}
}
doneparsing:
rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
if (rdatalist == NULL) {
fprintf(stderr, "memory allocation for rdatalist failed\n");
exit(1);
}
dns_rdatalist_init(rdatalist);
rdatalist->type = rdatatype;
rdatalist->rdclass = rdataclass;
rdatalist->covers = rdatatype;
rdatalist->ttl = (dns_ttl_t)ttl;
ISC_LIST_INIT(rdatalist->rdata);
ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
rdataset = isc_mem_get(mctx, sizeof(*rdataset));
if (rdataset == NULL) {
fprintf(stderr, "memory allocation for rdataset failed\n");
exit(1);
}
dns_rdataset_init(rdataset);
dns_rdatalist_tordataset(rdatalist, rdataset);
ISC_LIST_INIT(name->list);
ISC_LIST_APPEND(name->list, rdataset, link);
}
/*
* Arrange to send as much as we can of "stream" without blocking.
*
* Requires:
* The stream iterator is initialized and points at an RR,
* or possibly at the end of the stream (that is, the
* _first method of the iterator has been called).
*/
static void
sendstream(xfrout_ctx_t *xfr) {
dns_message_t *tcpmsg = NULL;
dns_message_t *msg = NULL; /* Client message if UDP, tcpmsg if TCP */
isc_result_t result;
isc_region_t used;
isc_region_t region;
dns_rdataset_t *qrdataset;
dns_name_t *msgname = NULL;
dns_rdata_t *msgrdata = NULL;
dns_rdatalist_t *msgrdl = NULL;
dns_rdataset_t *msgrds = NULL;
dns_compress_t cctx;
isc_boolean_t cleanup_cctx = ISC_FALSE;
isc_boolean_t is_tcp;
int n_rrs;
isc_buffer_clear(&xfr->buf);
isc_buffer_clear(&xfr->txlenbuf);
isc_buffer_clear(&xfr->txbuf);
is_tcp = ISC_TF((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0);
if (!is_tcp) {
/*
* In the UDP case, we put the response data directly into
* the client message.
*/
msg = xfr->client->message;
CHECK(dns_message_reply(msg, ISC_TRUE));
} else {
/*
* TCP. Build a response dns_message_t, temporarily storing
* the raw, uncompressed owner names and RR data contiguously
* in xfr->buf. We know that if the uncompressed data fits
* in xfr->buf, the compressed data will surely fit in a TCP
* message.
*/
CHECK(dns_message_create(xfr->mctx,
DNS_MESSAGE_INTENTRENDER, &tcpmsg));
msg = tcpmsg;
msg->id = xfr->id;
msg->rcode = dns_rcode_noerror;
msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA;
if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0)
msg->flags |= DNS_MESSAGEFLAG_RA;
CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
if (xfr->lasttsig != NULL)
isc_buffer_free(&xfr->lasttsig);
/*
* Add a EDNS option to the message?
*/
if ((xfr->client->attributes & NS_CLIENTATTR_WANTOPT) != 0) {
dns_rdataset_t *opt = NULL;
CHECK(ns_client_addopt(xfr->client, msg, &opt));
CHECK(dns_message_setopt(msg, opt));
/*
* Add to first message only.
*/
xfr->client->attributes &= ~NS_CLIENTATTR_WANTNSID;
xfr->client->attributes &= ~NS_CLIENTATTR_HAVEEXPIRE;
}
/*
* Account for reserved space.
*/
if (xfr->tsigkey != NULL)
INSIST(msg->reserved != 0U);
isc_buffer_add(&xfr->buf, msg->reserved);
/*
* Include a question section in the first message only.
* BIND 8.2.1 will not recognize an IXFR if it does not
* have a question section.
*/
if (xfr->nmsg == 0) {
dns_name_t *qname = NULL;
isc_region_t r;
/*
* Reserve space for the 12-byte message header
* and 4 bytes of question.
*/
isc_buffer_add(&xfr->buf, 12 + 4);
qrdataset = NULL;
result = dns_message_gettemprdataset(msg, &qrdataset);
if (result != ISC_R_SUCCESS)
goto failure;
dns_rdataset_makequestion(qrdataset,
xfr->client->message->rdclass,
xfr->qtype);
result = dns_message_gettempname(msg, &qname);
if (result != ISC_R_SUCCESS)
goto failure;
dns_name_init(qname, NULL);
isc_buffer_availableregion(&xfr->buf, &r);
INSIST(r.length >= xfr->qname->length);
r.length = xfr->qname->length;
isc_buffer_putmem(&xfr->buf, xfr->qname->ndata,
xfr->qname->length);
dns_name_fromregion(qname, &r);
ISC_LIST_INIT(qname->list);
ISC_LIST_APPEND(qname->list, qrdataset, link);
dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
} else {
/*
* Reserve space for the 12-byte message header
*/
isc_buffer_add(&xfr->buf, 12);
msg->tcp_continuation = 1;
}
}
/*
* Try to fit in as many RRs as possible, unless "one-answer"
* format has been requested.
*/
for (n_rrs = 0; ; n_rrs++) {
dns_name_t *name = NULL;
isc_uint32_t ttl;
dns_rdata_t *rdata = NULL;
unsigned int size;
isc_region_t r;
msgname = NULL;
msgrdata = NULL;
msgrdl = NULL;
msgrds = NULL;
xfr->stream->methods->current(xfr->stream,
&name, &ttl, &rdata);
size = name->length + 10 + rdata->length;
isc_buffer_availableregion(&xfr->buf, &r);
if (size >= r.length) {
/*
* RR would not fit. If there are other RRs in the
* buffer, send them now and leave this RR to the
* next message. If this RR overflows the buffer
* all by itself, fail.
*
* In theory some RRs might fit in a TCP message
* when compressed even if they do not fit when
* uncompressed, but surely we don't want
* to send such monstrosities to an unsuspecting
* slave.
*/
if (n_rrs == 0) {
xfrout_log(xfr, ISC_LOG_WARNING,
"RR too large for zone transfer "
"(%d bytes)", size);
/* XXX DNS_R_RRTOOLARGE? */
result = ISC_R_NOSPACE;
goto failure;
}
break;
}
if (isc_log_wouldlog(ns_g_lctx, XFROUT_RR_LOGLEVEL))
log_rr(name, rdata, ttl); /* XXX */
result = dns_message_gettempname(msg, &msgname);
if (result != ISC_R_SUCCESS)
goto failure;
dns_name_init(msgname, NULL);
isc_buffer_availableregion(&xfr->buf, &r);
INSIST(r.length >= name->length);
r.length = name->length;
isc_buffer_putmem(&xfr->buf, name->ndata, name->length);
dns_name_fromregion(msgname, &r);
/* Reserve space for RR header. */
isc_buffer_add(&xfr->buf, 10);
result = dns_message_gettemprdata(msg, &msgrdata);
if (result != ISC_R_SUCCESS)
goto failure;
isc_buffer_availableregion(&xfr->buf, &r);
r.length = rdata->length;
isc_buffer_putmem(&xfr->buf, rdata->data, rdata->length);
dns_rdata_init(msgrdata);
dns_rdata_fromregion(msgrdata,
rdata->rdclass, rdata->type, &r);
result = dns_message_gettemprdatalist(msg, &msgrdl);
if (result != ISC_R_SUCCESS)
goto failure;
msgrdl->type = rdata->type;
msgrdl->rdclass = rdata->rdclass;
msgrdl->ttl = ttl;
if (rdata->type == dns_rdatatype_sig ||
rdata->type == dns_rdatatype_rrsig)
msgrdl->covers = dns_rdata_covers(rdata);
else
msgrdl->covers = dns_rdatatype_none;
ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
result = dns_message_gettemprdataset(msg, &msgrds);
if (result != ISC_R_SUCCESS)
goto failure;
result = dns_rdatalist_tordataset(msgrdl, msgrds);
INSIST(result == ISC_R_SUCCESS);
ISC_LIST_APPEND(msgname->list, msgrds, link);
dns_message_addname(msg, msgname, DNS_SECTION_ANSWER);
msgname = NULL;
result = xfr->stream->methods->next(xfr->stream);
if (result == ISC_R_NOMORE) {
xfr->end_of_stream = ISC_TRUE;
break;
}
CHECK(result);
if (! xfr->many_answers)
break;
/*
* At this stage, at least 1 RR has been rendered into
* the message. Check if we want to clamp this message
* here (TCP only).
*/
if ((isc_buffer_usedlength(&xfr->buf) >=
ns_g_server->transfer_tcp_message_size) && is_tcp)
break;
}
if (is_tcp) {
CHECK(dns_compress_init(&cctx, -1, xfr->mctx));
dns_compress_setsensitive(&cctx, ISC_TRUE);
cleanup_cctx = ISC_TRUE;
CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf));
CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
CHECK(dns_message_renderend(msg));
dns_compress_invalidate(&cctx);
cleanup_cctx = ISC_FALSE;
isc_buffer_usedregion(&xfr->txbuf, &used);
isc_buffer_putuint16(&xfr->txlenbuf,
(isc_uint16_t)used.length);
region.base = xfr->txlenbuf.base;
region.length = 2 + used.length;
xfrout_log(xfr, ISC_LOG_DEBUG(8),
"sending TCP message of %d bytes",
used.length);
CHECK(isc_socket_send(xfr->client->tcpsocket, /* XXX */
®ion, xfr->client->task,
xfrout_senddone,
xfr));
xfr->sends++;
} else {
xfrout_log(xfr, ISC_LOG_DEBUG(8), "sending IXFR UDP response");
ns_client_send(xfr->client);
xfr->stream->methods->pause(xfr->stream);
xfrout_ctx_destroy(&xfr);
return;
}
/* Advance lasttsig to be the last TSIG generated */
CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
xfr->nmsg++;
failure:
if (msgname != NULL) {
if (msgrds != NULL) {
if (dns_rdataset_isassociated(msgrds))
dns_rdataset_disassociate(msgrds);
dns_message_puttemprdataset(msg, &msgrds);
}
if (msgrdl != NULL) {
ISC_LIST_UNLINK(msgrdl->rdata, msgrdata, link);
dns_message_puttemprdatalist(msg, &msgrdl);
}
if (msgrdata != NULL)
dns_message_puttemprdata(msg, &msgrdata);
dns_message_puttempname(msg, &msgname);
}
if (tcpmsg != NULL)
dns_message_destroy(&tcpmsg);
if (cleanup_cctx)
dns_compress_invalidate(&cctx);
/*
* Make sure to release any locks held by database
* iterators before returning from the event handler.
*/
xfr->stream->methods->pause(xfr->stream);
if (result == ISC_R_SUCCESS)
return;
xfrout_fail(xfr, result, "sending zone data");
}
isc_result_t
dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
dns_rdataset_t *addedrdataset)
{
isc_result_t result;
isc_buffer_t buffer;
isc_region_t r;
dns_rdataset_t *rdataset;
dns_rdatatype_t type;
dns_name_t *name;
dns_ttl_t ttl;
dns_trust_t trust;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t ncrdataset;
dns_rdatalist_t ncrdatalist;
unsigned char data[4096];
/*
* Convert the authority data from 'message' into a negative cache
* rdataset, and store it in 'cache' at 'node'.
*/
REQUIRE(message != NULL);
/*
* We assume that all data in the authority section has been
* validated by the caller.
*/
/*
* First, build an ncache rdata in buffer.
*/
ttl = maxttl;
trust = 0xffff;
isc_buffer_init(&buffer, data, sizeof(data));
if (message->counts[DNS_SECTION_AUTHORITY])
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
else
result = ISC_R_NOMORE;
while (result == ISC_R_SUCCESS) {
name = NULL;
dns_message_currentname(message, DNS_SECTION_AUTHORITY,
&name);
if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
if ((rdataset->attributes &
DNS_RDATASETATTR_NCACHE) == 0)
continue;
type = rdataset->type;
if (type == dns_rdatatype_rrsig)
type = rdataset->covers;
if (type == dns_rdatatype_soa ||
type == dns_rdatatype_nsec) {
if (ttl > rdataset->ttl)
ttl = rdataset->ttl;
if (trust > rdataset->trust)
trust = rdataset->trust;
/*
* Copy the owner name to the buffer.
*/
dns_name_toregion(name, &r);
result = isc_buffer_copyregion(&buffer,
&r);
if (result != ISC_R_SUCCESS)
return (result);
/*
* Copy the type to the buffer.
*/
isc_buffer_availableregion(&buffer,
&r);
if (r.length < 2)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer,
rdataset->type);
/*
* Copy the rdataset into the buffer.
*/
result = copy_rdataset(rdataset,
&buffer);
if (result != ISC_R_SUCCESS)
return (result);
}
}
}
result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
}
if (result != ISC_R_NOMORE)
return (result);
if (trust == 0xffff) {
/*
* We didn't find any authority data from which to create a
* negative cache rdataset. In particular, we have no SOA.
*
* We trust that the caller wants negative caching, so this
* means we have a "type 3 nxdomain" or "type 3 nodata"
* response (see RFC 2308 for details).
*
* We will now build a suitable negative cache rdataset that
* will cause zero bytes to be emitted when converted to
* wire format.
*/
/*
* The ownername must exist, but it doesn't matter what value
* it has. We use the root name.
*/
dns_name_toregion(dns_rootname, &r);
result = isc_buffer_copyregion(&buffer, &r);
if (result != ISC_R_SUCCESS)
return (result);
/*
* Copy the type and a zero rdata count to the buffer.
*/
isc_buffer_availableregion(&buffer, &r);
if (r.length < 4)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer, 0);
isc_buffer_putuint16(&buffer, 0);
/*
* RFC 2308, section 5, says that negative answers without
* SOAs should not be cached.
*/
ttl = 0;
/*
* Set trust.
*/
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
message->counts[DNS_SECTION_ANSWER] == 0) {
/*
* The response has aa set and we haven't followed
* any CNAME or DNAME chains.
*/
trust = dns_trust_authauthority;
} else
trust = dns_trust_additional;
}
/*
* Now add it to the cache.
*/
INSIST(trust != 0xffff);
isc_buffer_usedregion(&buffer, &r);
rdata.data = r.base;
rdata.length = r.length;
rdata.rdclass = dns_db_class(cache);
rdata.type = 0;
rdata.flags = 0;
ncrdatalist.rdclass = rdata.rdclass;
ncrdatalist.type = 0;
ncrdatalist.covers = covers;
ncrdatalist.ttl = ttl;
ISC_LIST_INIT(ncrdatalist.rdata);
ISC_LINK_INIT(&ncrdatalist, link);
ISC_LIST_APPEND(ncrdatalist.rdata, &rdata, link);
dns_rdataset_init(&ncrdataset);
RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
== ISC_R_SUCCESS);
ncrdataset.trust = trust;
if (message->rcode == dns_rcode_nxdomain)
ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
0, addedrdataset));
}
isc_result_t
dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
void *add_private)
{
dns_difftuple_t *t;
isc_result_t result;
REQUIRE(DNS_DIFF_VALID(diff));
t = ISC_LIST_HEAD(diff->tuples);
while (t != NULL) {
dns_name_t *name;
name = &t->name;
while (t != NULL && dns_name_equal(&t->name, name)) {
dns_rdatatype_t type, covers;
dns_diffop_t op;
dns_rdatalist_t rdl;
dns_rdataset_t rds;
op = t->op;
type = t->rdata.type;
covers = rdata_covers(&t->rdata);
rdl.type = type;
rdl.covers = covers;
rdl.rdclass = t->rdata.rdclass;
rdl.ttl = t->ttl;
ISC_LIST_INIT(rdl.rdata);
ISC_LINK_INIT(&rdl, link);
while (t != NULL && dns_name_equal(&t->name, name) &&
t->op == op && t->rdata.type == type &&
rdata_covers(&t->rdata) == covers)
{
ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
t = ISC_LIST_NEXT(t, link);
}
/*
* Convert the rdatalist into a rdataset.
*/
dns_rdataset_init(&rds);
CHECK(dns_rdatalist_tordataset(&rdl, &rds));
rds.trust = dns_trust_ultimate;
INSIST(op == DNS_DIFFOP_ADD);
result = (*addfunc)(add_private, name, &rds);
if (result == DNS_R_UNCHANGED) {
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"update with no effect");
} else if (result == ISC_R_SUCCESS ||
result == DNS_R_NXRRSET) {
/*
* OK.
*/
} else {
CHECK(result);
}
}
}
result = ISC_R_SUCCESS;
failure:
return (result);
}
static isc_result_t
diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
isc_boolean_t warn)
{
dns_difftuple_t *t;
dns_dbnode_t *node = NULL;
isc_result_t result;
char namebuf[DNS_NAME_FORMATSIZE];
char typebuf[DNS_RDATATYPE_FORMATSIZE];
char classbuf[DNS_RDATACLASS_FORMATSIZE];
REQUIRE(DNS_DIFF_VALID(diff));
REQUIRE(DNS_DB_VALID(db));
t = ISC_LIST_HEAD(diff->tuples);
while (t != NULL) {
dns_name_t *name;
INSIST(node == NULL);
name = &t->name;
/*
* Find the node.
* We create the node if it does not exist.
* This will cause an empty node to be created if the diff
* contains a deletion of an RR at a nonexistent name,
* but such diffs should never be created in the first
* place.
*/
node = NULL;
CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
while (t != NULL && dns_name_equal(&t->name, name)) {
dns_rdatatype_t type, covers;
dns_diffop_t op;
dns_rdatalist_t rdl;
dns_rdataset_t rds;
op = t->op;
type = t->rdata.type;
covers = rdata_covers(&t->rdata);
/*
* Collect a contiguous set of updates with
* the same operation (add/delete) and RR type
* into a single rdatalist so that the
* database rrset merging/subtraction code
* can work more efficiently than if each
* RR were merged into / subtracted from
* the database separately.
*
* This is done by linking rdata structures from the
* diff into "rdatalist". This uses the rdata link
* field, not the diff link field, so the structure
* of the diff itself is not affected.
*/
rdl.type = type;
rdl.covers = covers;
rdl.rdclass = t->rdata.rdclass;
rdl.ttl = t->ttl;
ISC_LIST_INIT(rdl.rdata);
ISC_LINK_INIT(&rdl, link);
while (t != NULL &&
dns_name_equal(&t->name, name) &&
t->op == op &&
t->rdata.type == type &&
rdata_covers(&t->rdata) == covers)
{
dns_name_format(name, namebuf, sizeof(namebuf));
dns_rdatatype_format(t->rdata.type, typebuf,
sizeof(typebuf));
dns_rdataclass_format(t->rdata.rdclass,
classbuf,
sizeof(classbuf));
if (t->ttl != rdl.ttl && warn)
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"'%s/%s/%s': TTL differs in "
"rdataset, adjusting "
"%lu -> %lu",
namebuf, typebuf, classbuf,
(unsigned long) t->ttl,
(unsigned long) rdl.ttl);
ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
t = ISC_LIST_NEXT(t, link);
}
/*
* Convert the rdatalist into a rdataset.
*/
dns_rdataset_init(&rds);
CHECK(dns_rdatalist_tordataset(&rdl, &rds));
rds.trust = dns_trust_ultimate;
/*
* Merge the rdataset into the database.
*/
if (op == DNS_DIFFOP_ADD) {
result = dns_db_addrdataset(db, node, ver,
0, &rds,
DNS_DBADD_MERGE|
DNS_DBADD_EXACT|
DNS_DBADD_EXACTTTL,
NULL);
} else if (op == DNS_DIFFOP_DEL) {
result = dns_db_subtractrdataset(db, node, ver,
&rds,
DNS_DBSUB_EXACT,
NULL);
} else {
INSIST(0);
}
if (result == DNS_R_UNCHANGED) {
/*
* This will not happen when executing a
* dynamic update, because that code will
* generate strictly minimal diffs.
* It may happen when receiving an IXFR
* from a server that is not as careful.
* Issue a warning and continue.
*/
if (warn)
isc_log_write(DIFF_COMMON_LOGARGS,
ISC_LOG_WARNING,
"update with no effect");
} else if (result == ISC_R_SUCCESS ||
result == DNS_R_NXRRSET) {
/*
* OK.
*/
} else {
CHECK(result);
}
}
dns_db_detachnode(db, &node);
}
return (ISC_R_SUCCESS);
failure:
if (node != NULL)
dns_db_detachnode(db, &node);
return (result);
}
isc_result_t
dns_tsig_sign(dns_message_t *msg) {
dns_tsigkey_t *key;
dns_rdata_any_tsig_t tsig, querytsig;
unsigned char data[128];
isc_buffer_t databuf, sigbuf;
isc_buffer_t *dynbuf;
dns_name_t *owner;
dns_rdata_t *rdata = NULL;
dns_rdatalist_t *datalist;
dns_rdataset_t *dataset;
isc_region_t r;
isc_stdtime_t now;
isc_mem_t *mctx;
dst_context_t *ctx = NULL;
isc_result_t ret;
unsigned char badtimedata[BADTIMELEN];
unsigned int sigsize = 0;
isc_boolean_t response = is_response(msg);
REQUIRE(msg != NULL);
REQUIRE(VALID_TSIG_KEY(dns_message_gettsigkey(msg)));
/*
* If this is a response, there should be a query tsig.
*/
if (response && msg->querytsig == NULL)
return (DNS_R_EXPECTEDTSIG);
dynbuf = NULL;
mctx = msg->mctx;
key = dns_message_gettsigkey(msg);
tsig.mctx = mctx;
tsig.common.rdclass = dns_rdataclass_any;
tsig.common.rdtype = dns_rdatatype_tsig;
ISC_LINK_INIT(&tsig.common, link);
dns_name_init(&tsig.algorithm, NULL);
dns_name_clone(key->algorithm, &tsig.algorithm);
isc_stdtime_get(&now);
tsig.timesigned = now + msg->timeadjust;
tsig.fudge = DNS_TSIG_FUDGE;
tsig.originalid = msg->id;
isc_buffer_init(&databuf, data, sizeof(data));
if (response)
tsig.error = msg->querytsigstatus;
else
tsig.error = dns_rcode_noerror;
if (tsig.error != dns_tsigerror_badtime) {
tsig.otherlen = 0;
tsig.other = NULL;
} else {
isc_buffer_t otherbuf;
tsig.otherlen = BADTIMELEN;
tsig.other = badtimedata;
isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
isc_buffer_putuint48(&otherbuf, tsig.timesigned);
}
if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_buffer_t headerbuf;
isc_uint16_t digestbits;
ret = dst_context_create3(key->key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_TRUE, &ctx);
if (ret != ISC_R_SUCCESS)
return (ret);
/*
* If this is a response, digest the query signature.
*/
if (response) {
dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
ret = dns_rdataset_first(msg->querytsig);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
dns_rdataset_current(msg->querytsig, &querytsigrdata);
ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
NULL);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_putuint16(&databuf, querytsig.siglen);
if (isc_buffer_availablelength(&databuf) <
querytsig.siglen) {
ret = ISC_R_NOSPACE;
goto cleanup_context;
}
isc_buffer_putmem(&databuf, querytsig.signature,
querytsig.siglen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
#if defined(__clang__) && \
( __clang_major__ < 3 || \
(__clang_major__ == 3 && __clang_minor__ < 2) || \
(__clang_major__ == 4 && __clang_minor__ < 2))
/* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
else memset(&querytsig, 0, sizeof(querytsig));
#endif
/*
* Digest the header.
*/
isc_buffer_init(&headerbuf, header, sizeof(header));
dns_message_renderheader(msg, &headerbuf);
isc_buffer_usedregion(&headerbuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest the remainder of the message.
*/
isc_buffer_usedregion(msg->buffer, &r);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (msg->tcp_continuation == 0) {
/*
* Digest the name, class, ttl, alg.
*/
dns_name_toregion(&key->name, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
isc_buffer_clear(&databuf);
isc_buffer_putuint16(&databuf, dns_rdataclass_any);
isc_buffer_putuint32(&databuf, 0); /* ttl */
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
dns_name_toregion(&tsig.algorithm, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
/* Digest the timesigned and fudge */
isc_buffer_clear(&databuf);
if (tsig.error == dns_tsigerror_badtime) {
INSIST(response);
tsig.timesigned = querytsig.timesigned;
}
isc_buffer_putuint48(&databuf, tsig.timesigned);
isc_buffer_putuint16(&databuf, tsig.fudge);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
if (msg->tcp_continuation == 0) {
/*
* Digest the error and other data length.
*/
isc_buffer_clear(&databuf);
isc_buffer_putuint16(&databuf, tsig.error);
isc_buffer_putuint16(&databuf, tsig.otherlen);
isc_buffer_usedregion(&databuf, &r);
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
/*
* Digest other data.
*/
if (tsig.otherlen > 0) {
r.length = tsig.otherlen;
r.base = tsig.other;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
}
}
ret = dst_key_sigsize(key->key, &sigsize);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
if (tsig.signature == NULL) {
ret = ISC_R_NOMEMORY;
goto cleanup_context;
}
isc_buffer_init(&sigbuf, tsig.signature, sigsize);
ret = dst_context_sign(ctx, &sigbuf);
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
dst_context_destroy(&ctx);
digestbits = dst_key_getbits(key->key);
if (digestbits != 0) {
unsigned int bytes = (digestbits + 1) / 8;
if (response && bytes < querytsig.siglen)
bytes = querytsig.siglen;
if (bytes > isc_buffer_usedlength(&sigbuf))
bytes = isc_buffer_usedlength(&sigbuf);
tsig.siglen = bytes;
} else
tsig.siglen = isc_buffer_usedlength(&sigbuf);
} else {
tsig.siglen = 0;
tsig.signature = NULL;
}
ret = dns_message_gettemprdata(msg, &rdata);
if (ret != ISC_R_SUCCESS)
goto cleanup_signature;
ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
if (ret != ISC_R_SUCCESS)
goto cleanup_rdata;
ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
dns_rdatatype_tsig, &tsig, dynbuf);
if (ret != ISC_R_SUCCESS)
goto cleanup_dynbuf;
dns_message_takebuffer(msg, &dynbuf);
if (tsig.signature != NULL) {
isc_mem_put(mctx, tsig.signature, sigsize);
tsig.signature = NULL;
}
owner = NULL;
ret = dns_message_gettempname(msg, &owner);
if (ret != ISC_R_SUCCESS)
goto cleanup_rdata;
dns_name_init(owner, NULL);
ret = dns_name_dup(&key->name, msg->mctx, owner);
if (ret != ISC_R_SUCCESS)
goto cleanup_owner;
datalist = NULL;
ret = dns_message_gettemprdatalist(msg, &datalist);
if (ret != ISC_R_SUCCESS)
goto cleanup_owner;
dataset = NULL;
ret = dns_message_gettemprdataset(msg, &dataset);
if (ret != ISC_R_SUCCESS)
goto cleanup_rdatalist;
datalist->rdclass = dns_rdataclass_any;
datalist->type = dns_rdatatype_tsig;
datalist->covers = 0;
datalist->ttl = 0;
ISC_LIST_INIT(datalist->rdata);
ISC_LIST_APPEND(datalist->rdata, rdata, link);
dns_rdataset_init(dataset);
RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
== ISC_R_SUCCESS);
msg->tsig = dataset;
msg->tsigname = owner;
/* Windows does not like the tsig name being compressed. */
msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
return (ISC_R_SUCCESS);
cleanup_rdatalist:
dns_message_puttemprdatalist(msg, &datalist);
cleanup_owner:
dns_message_puttempname(msg, &owner);
goto cleanup_rdata;
cleanup_dynbuf:
isc_buffer_free(&dynbuf);
cleanup_rdata:
dns_message_puttemprdata(msg, &rdata);
cleanup_signature:
if (tsig.signature != NULL)
isc_mem_put(mctx, tsig.signature, sigsize);
cleanup_context:
if (ctx != NULL)
dst_context_destroy(&ctx);
return (ret);
}
