Commit Diff
Diff:
775f7fca031d66aafafc9f7ea85048e1de945bbe
19e452ff1517c91e588956d5b8c69e76d8bc01d8
Commit:
19e452ff1517c91e588956d5b8c69e76d8bc01d8
Tree:
268587eb8502d75792cebec6c6a07b93d6dffd99
Author:
pjp <pjp@delphinusdns.org>
Committer:
pjp <pjp@delphinusdns.org>
Date:
Sat Jul 11 10:01:56 2020 UTC
Message:
do a real working check against the TSIG coming in. discard the packet if the TSIG doesn't check out. I don't know how this stuff worked yesterday.
blob - f4b026f9626c9d10dee785c7a2f18a524b4bf317
blob + bdab6f15c1805f95160563651cfdb8e3127e53a1
--- forward.c
+++ forward.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: forward.c,v 1.18 2020/07/11 06:18:36 pjp Exp $
+ * $Id: forward.c,v 1.19 2020/07/11 10:01:56 pjp Exp $
*/
#include <sys/types.h>
@@ -228,6 +228,7 @@ extern int debug, verbose;
extern int tsig;
extern int dnssec;
extern int cache;
+extern int forward;
/*
@@ -320,6 +321,7 @@ forwardloop(ddDB *db, struct cfg *cfg, struct imsgbuf
ptr = cfg->shptr;
+ forward = 0; /* in this process we don't need forward on */
dolog(LOG_INFO, "FORWARD: expired %d records from non-forwarding DB\n", expire_db(db, 1));
if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, PF_UNSPEC, &pi[0]) < 0) {
@@ -1138,7 +1140,6 @@ returnit(ddDB *db, struct cfg *cfg, struct forwardqueu
{
struct timeval tv;
struct dns_header *dh;
- struct tsig *stsig = NULL;
struct question *q;
struct fwdpq *fwdpq, *fwdpq0;
struct imsg imsg;
@@ -1316,7 +1317,7 @@ returnit(ddDB *db, struct cfg *cfg, struct forwardqueu
switch (imsg.hdr.type) {
case IMSG_PARSEERROR_MESSAGE:
if (datalen != sizeof(int)) {
- dolog(LOG_ERR, "bad parserepy message, drop\n");
+ dolog(LOG_ERR, "bad parsereply message, drop\n");
imsg_free(&imsg);
free(fwdpq);
return;
@@ -1377,15 +1378,18 @@ returnit(ddDB *db, struct cfg *cfg, struct forwardqueu
endimsg:
- if (fwdpq->tsig.have_tsig && fwdpq->tsig.tsigverified == 0) {
- dolog(LOG_INFO, "FORWARD returnit, TSIG didn't check out error code = %d\n", stsig->tsigerrorcode);
+ if (fwq->tsigkey && (fwdpq->tsig.have_tsig == 0 || fwdpq->tsig.tsigverified == 0)) {
+ dolog(LOG_INFO, "FORWARD returnit, TSIG didn't check out error code = %d\n", fwdpq->tsig.tsigerrorcode);
free(fwdpq);
return;
}
- NTOHS(dh->additional);
- dh->additional--;
- HTONS(dh->additional);
+ if (fwdpq->tsig.have_tsig) {
+ NTOHS(dh->additional);
+ if (dh->additional > 0)
+ dh->additional--;
+ HTONS(dh->additional);
+ }
if (fwdpq->tsigcheck)
rlen = fwdpq->tsig.tsigoffset;
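Review bot: The ARCOUNT decrement under `if (fwdpq->tsig.have_tsig)` and the length truncation under `if (fwdpq->tsigcheck)` are gated on two different flags, so when `have_tsig` is set but `tsigcheck` is not, the reply goes out with ARCOUNT reduced by one while the TSIG RR bytes are still in the packet (the opposite case is harmless now that `tsigoffset` defaults to `len`). Unless `tsigcheck` is guaranteed to imply `have_tsig` somewhere outside this hunk, both steps should be controlled by the same condition, e.g. `if (fwdpq->tsig.have_tsig) { ...decrement ARCOUNT...; rlen = fwdpq->tsig.tsigoffset; }`. A second behavioural change deserves a comment: with `fwq->tsigkey` NULL, a reply carrying a TSIG that did not verify is no longer dropped as the removed condition did, but is forwarded with the TSIG stripped; if that is intended, mark it with `/* no key for this forwarder: strip any TSIG and pass the reply through unverified */`. The logged `fwdpq->tsig.tsigerrorcode` will read 0 in the `have_tsig == 0` branch, so the "didn't check out" message is misleading for a missing TSIG. `returnit` begins and ends outside this hunk.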
@@ -1475,16 +1479,20 @@ check_tsig(char *buf, int len, char *mac)
struct dns_tsigrr *tsigrr = NULL;
struct dns_optrr *opt = NULL;
- struct dns_header *hdr = (struct dns_header *)buf;
+ struct dns_header *hdr;
struct tsig *rtsig;
+ hdr = (struct dns_header *)&buf[0];
+
rtsig = (void *)calloc(1, sizeof(struct tsig));
if (rtsig == NULL) {
dolog(LOG_INFO, "calloc: %s\n", strerror(errno));
return NULL;
}
+ rtsig->tsigoffset = len;
+
rollback = i = sizeof(struct dns_header);
/* the name is parsed here */
elen = 0;
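Review bot: Nothing in this hunk bounds `len` before parsing starts at `rollback = i = sizeof(struct dns_header)`, so if a caller can hand check_tsig a reply shorter than a DNS header the name parsing that follows reads past `buf`; if no such check exists earlier in the call chain (not visible here), add `if (len < sizeof(struct dns_header)) { free(rtsig); return NULL; }` right after the calloc. Initialising `rtsig->tsigoffset = len` up front is the right default — a reply without a TSIG then keeps its full length in returnit — and is worth a comment such as `/* default: no TSIG found, keep the whole packet */`. `hdr` is now assigned from `&buf[0]` but is not used within the visible lines; check_tsig's body continues past the hunk.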
@@ -1868,7 +1876,6 @@ check_tsig(char *buf, int len, char *mac)
} while (0);
/* parse type and class from the question */
-
return (rtsig);
}