BIND 10 trac1357, updated. 6f8add1167cb4781cc2f84d8c65ee5db73846ab8 [1357] The unsigned message is accepted

BIND 10 source code commits bind10-changes at lists.isc.org
Fri Sep 7 08:18:57 UTC 2012


The branch, trac1357 has been updated
       via  6f8add1167cb4781cc2f84d8c65ee5db73846ab8 (commit)
      from  c3c1915586223bb1db2114ad5b2bd2189f632517 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6f8add1167cb4781cc2f84d8c65ee5db73846ab8
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date:   Fri Sep 7 10:17:47 2012 +0200

    [1357] The unsigned message is accepted
    
    The problem for now is that the next signed message is not. But it's
    definitely progress.

-----------------------------------------------------------------------

Summary of changes:
 src/lib/dns/tests/tsig_unittest.cc |    2 +-
 src/lib/dns/tsig.cc                |   18 ++++++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)

-----------------------------------------------------------------------
diff --git a/src/lib/dns/tests/tsig_unittest.cc b/src/lib/dns/tests/tsig_unittest.cc
index a5d3037..5361764 100644
--- a/src/lib/dns/tests/tsig_unittest.cc
+++ b/src/lib/dns/tests/tsig_unittest.cc
@@ -1089,7 +1089,7 @@ TEST_F(TSIGTest, verifyMulti) {
                            TSIGError(Rcode::NOERROR()),
                            TSIGContext::RECEIVED_REQUEST);
 
-        EXPECT_TRUE(tsig_verify_ctx->lastHadSignature());
+        EXPECT_FALSE(tsig_verify_ctx->lastHadSignature());
     }
 
     {
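Review bot: the flipped expectation at EXPECT_FALSE(tsig_verify_ctx->lastHadSignature()) carries no comment saying that this block verifies an unsigned intermediate message, so the TRUE-to-FALSE change reads like a weakened assertion. Add a one-line comment stating which message of the stream is being checked. The commit message says the next signed message is still rejected, so that case should also be marked in the test as a known failure, so the gap stays visible until it is fixed.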
diff --git a/src/lib/dns/tsig.cc b/src/lib/dns/tsig.cc
index 41624b2..d7ffcf8 100644
--- a/src/lib/dns/tsig.cc
+++ b/src/lib/dns/tsig.cc
@@ -426,11 +426,21 @@ TSIGContext::verify(const TSIGRecord* const record, const void* const data,
                   "TSIG verify attempt after sending a response");
     }
 
-    // This case happens when we sent a signed request and have received an
-    // unsigned response.  According to RFC2845 Section 4.6 this case should be
-    // considered a "format error" (although the specific error code
-    // wouldn't matter much for the caller).
     if (record == NULL) {
+        if (impl_->last_sig_dist_ >= 0 && impl_->last_sig_dist_ < 99) {
+            // It is not signed, but in the middle of TCP stream. We just
+            // update the HMAC state and consider this message OK.
+            update(data, data_len);
+            // This one is not signed, the last signed is one message further
+            // now.
+            impl_->last_sig_dist_++;
+            // No digest to return now. Just say it's OK.
+            return (impl_->postVerifyUpdate(TSIGError::NOERROR(), NULL, 0));
+        }
+        // This case happens when we sent a signed request and have received an
+        // unsigned response.  According to RFC2845 Section 4.6 this case should be
+        // considered a "format error" (although the specific error code
+        // wouldn't matter much for the caller).
         return (impl_->postVerifyUpdate(TSIGError::FORMERR(), NULL, 0));
     }
 
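Review bot: the new early return in the record == NULL branch reports TSIGError::NOERROR() for data that no signature has covered yet, and nothing in the comments tells callers that this result is provisional. The message is only folded into the HMAC state by update(data, data_len), so its integrity is established only if a later signed message verifies. Please document at this return that callers must check lastHadSignature() and must not treat the stream as authenticated until a signed message has verified. The bound in "impl_->last_sig_dist_ < 99" is a bare literal; give it a named constant with a comment citing the rule it enforces (RFC 2845 Section 4.4 requires a TSIG on at least every 100th envelope), and say what a negative last_sig_dist_ means. The moved RFC2845 Section 4.6 comment above the FORMERR return now also covers the case where the unsigned run has exceeded that bound, so it should mention it. A unit test that feeds unsigned messages up to and past the limit would pin down the off-by-one behaviour of the ">= 0 && < 99" condition.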


