From: Wouter Wijngaards Date: Thu, 21 Jun 2012 12:00:48 +0000 (+0000) Subject: - nss check for verification failure. X-Git-Tag: release-1.4.18rc1~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f2da5c6867e9e29c941d2a33ade386c395e026a9;p=thirdparty%2Funbound.git - nss check for verification failure. git-svn-id: file:///svn/unbound/trunk@2695 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 735a63ecd..7a27ea9f8 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@ 21 June 2012: Wouter - fix error handling of alloc failure during rrsig verification.
+ - nss check for verification failure.
 20 June 2012: Wouter - work on --with-nss build option (for now, --with-libunbound-only).
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index b52abb4ff..ff5aa48c2 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -553,6 +553,7 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
 #include
 #include
 #include
+#include
 #include
 size_t
@@ -841,6 +842,7 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
 SECItem secsig = {siBuffer, sigblock, sigblock_len};
 SECItem sechash = {siBuffer, hash, 0};
 SECStatus res;
+ int err;
 // extern SECKEYPublicKey *SECKEY_DecodeDERPublicKey(SECItem *pubkder);
 // SECKEYPublicKey* SECKEY_ImportDERPublicKey(SECItem *derKey, CK_KEY_TYPE type);
@@ -874,8 +876,16 @@ verify_canonrrset(ldns_buffer* buf, int algo, unsigned char* sigblock,
 if(res == SECSuccess) {
 return sec_status_secure;
 }
- verbose(VERB_QUERY, "verify: signature mismatch %s",
- PORT_ErrorToString(PORT_GetError()));
+ err = PORT_GetError();
+ if(err != SEC_ERROR_BAD_SIGNATURE) {
+ /* failed to verify */
+ verbose(VERB_QUERY, "verify: PK11_Verify failed: %s",
+ PORT_ErrorToString(err));
+ SECKEY_DestroyPublicKey(pubkey);
+ return sec_status_unchecked;
+ }
+ verbose(VERB_QUERY, "verify: signature mismatch: %s",
+ PORT_ErrorToString(err));
 *reason = "signature crypto failed";
 return sec_status_bogus;
 }
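Review bot: Mapping every PK11_Verify error other than SEC_ERROR_BAD_SIGNATURE to sec_status_unchecked in the new `if(err != SEC_ERROR_BAD_SIGNATURE)` branch is the lenient direction for a DNSSEC validator: if NSS reports a malformed or otherwise rejected signature under a different error code — which this hunk does not rule out — that RRSIG is treated as "could not check" rather than bogus and no longer counts against the RRset. Only errors meaning the algorithm or token is unavailable should become unchecked, with everything else kept on the bogus path, e.g. inside the new branch `if(err != SEC_ERROR_NO_MODULE) { *reason = "signature crypto failed"; return sec_status_bogus; }` (confirm which codes this NSS build emits for an unsupported algorithm before relying on that one). Separately, the new branch calls `SECKEY_DestroyPublicKey(pubkey);` while the adjacent `return sec_status_secure;` and `return sec_status_bogus;` in the same hunk do not; either those paths leak the key, or, if it is already destroyed right after PK11_Verify above the hunk, this is a double destroy — the start of verify_canonrrset's body is outside the hunk, so check which. Whichever is chosen, replace `/* failed to verify */` with a comment stating why a non-BAD_SIGNATURE error is deliberately not treated as bogus, since that is the security-relevant decision here.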