From: Wouter Wijngaards
Date: Thu, 10 Dec 2009 16:03:31 +0000 (+0000)
Subject: Check rrsig expiration last in verify_rrsig
X-Git-Tag: release-1.4.1~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=47e7b5fb51f8c038db1df9300b37ceca4f804240;p=thirdparty%2Funbound.git
Check rrsig expiration last in verify_rrsig
git-svn-id: file:///svn/unbound/trunk@1936 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 1a6f9e185..a0e5712ff 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,7 @@
 - requirements.txt updated with design choice explanations.
 - Reading fixes: fix to set unlame when child confirms parent glue, and fix to avoid duplicate addresses in delegation point.
+ - verify_rrsig routine checks expiration last.
 9 December 2009: Wouter
 - Fix Bug#287(reopened): update of ldns tarball with fix for parse
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 288a2a351..84c25dda1 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -1570,11 +1570,6 @@ dnskey_verify_rrset_sig(struct regional* region, ldns_buffer* buf,
 /* original ttl, always ok */
- /* verify inception, expiration dates */
- if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) {
- return sec_status_bogus;
- }
-
 if(!*buf_canon) {
 /* create rrset canonical format in buffer, ready for * signature */
@@ -1597,9 +1592,16 @@ dnskey_verify_rrset_sig(struct regional* region, ldns_buffer* buf,
 sec = verify_canonrrset(buf, (int)sig[2+2], sigblock, sigblock_len, key, keylen, reason);
- /* check if TTL is too high - reduce if so */
 if(sec == sec_status_secure) {
+ /* check if TTL is too high - reduce if so */
 adjust_ttl(ve, now, rrset, sig+2+4, sig+2+8, sig+2+12);
+
+ /* verify inception, expiration dates * Do this last so that if you ignore expired-sigs the * rest is sure to be OK. */
+ if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) {
+ return sec_status_bogus;
+ }
 }
 return sec;
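Review bot: Moving check_dates() after verify_canonrrset() in the second val_sigcrypt.c hunk means an RRSIG that is expired or not yet valid now costs a full signature verification before it is rejected, whereas the block removed in the first hunk rejected it before any cryptography; since the RRSIGs come from the response being validated, this turns the cheapest reject into the most expensive path, which matters for a resolver under load. The new comment explains why the order was chosen but not this cost, so I would extend it with `* Note: expired/not-yet-valid signatures now pay for full crypto verification before being rejected.` If the ignore-expired behaviour is a runtime setting (not visible in this hunk), the cheap date check could still run first whenever that setting is off, keeping the late check only for the ignore case. Separately, adjust_ttl() now consumes sig+2+8 and sig+2+12 before their validity window has been checked, so please confirm it tolerates an expiration earlier than now rather than producing a wrapped unsigned TTL; its body is outside the hunk.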