#ifdef HAVE_SSL
ldns_status
-ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
+ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
ldns_rr_list *nsecs,
ldns_rr_list *rrsigs,
ldns_pkt_rcode packet_rcode,
ldns_rr_type packet_qtype,
- bool packet_nodata)
+ bool packet_nodata,
+ ldns_rr **match)
{
ldns_rdf *closest_encloser;
ldns_rdf *wildcard;
rrsigs = rrsigs;
+ if (match) {
+ *match = NULL;
+ }
+
zone_name = ldns_dname_left_chop(ldns_rr_owner(ldns_rr_list_rr(nsecs,0)));
/* section 8.4 */
if (ldns_nsec_covers_name(ldns_rr_list_rr(nsecs, i),
hashed_wildcard_name)) {
wildcard_covered = true;
+ if (match) {
+ *match = ldns_rr_list_rr(nsecs, i);
+ }
}
ldns_rdf_deep_free(hashed_wildcard_name);
}
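Review bot: The pointer stored into `*match` here, and at the two later `*match = ldns_rr_list_rr(nsecs, i);` sites in the CNAME-bitmap hunks below, is an element owned by `nsecs`, not a clone, so it becomes dangling as soon as the caller frees `nsecs`; nothing in the code says so. A comment at the first assignment would make the contract explicit, e.g. `/* borrowed: *match points into nsecs and is only valid while nsecs is alive */`. In this wildcard branch `*match` is also set before the overall result is known, so a caller that reads `*match` without first checking the returned status may see a covering NSEC3 for a proof that was ultimately rejected; if that is intended, say so in the same comment, otherwise clear `*match` on the failure path. The enclosing function body starts and ends outside this hunk, so the surrounding control flow is inferred.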
ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)),
LDNS_RR_TYPE_CNAME)) {
result = LDNS_STATUS_OK;
+ if (match) {
+ *match = ldns_rr_list_rr(nsecs, i);
+ }
goto done;
}
}
ldns_nsec3_bitmap(ldns_rr_list_rr(nsecs, i)),
LDNS_RR_TYPE_CNAME)) {
result = LDNS_STATUS_OK;
+ if (match) {
+ *match = ldns_rr_list_rr(nsecs, i);
+ }
goto done;
}
}
ldns_rdf_deep_free(zone_name);
return result;
}
+
+ldns_status
+ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
+ ldns_rr_list *nsecs,
+ ldns_rr_list *rrsigs,
+ ldns_pkt_rcode packet_rcode,
+ ldns_rr_type packet_qtype,
+ bool packet_nodata)
+{
+ return ldns_dnssec_verify_denial_nsec3_match(
+ rr, nsecs, rrsigs, packet_rcode,
+ packet_qtype, packet_nodata, NULL
+ );
+}
+
+
#endif /* HAVE_SSL */
#ifdef USE_GOST
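Review bot: The new `ldns_dnssec_verify_denial_nsec3` body carries no comment saying it is a compatibility shim, so a reader of the .c file has to cross-check the header to see why it exists. A one-liner above the definition, `/* Compatibility wrapper: same as ldns_dnssec_verify_denial_nsec3_match without the match out-parameter. */`, documents the intent. The two added blank lines before `#endif /* HAVE_SSL */` are also surplus; one is enough to match the surrounding spacing.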
} else if( (nsecs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_NSEC3, LDNS_SECTION_ANY_NOQUESTION)) ) {
ldns_rr_list* sigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANY_NOQUESTION);
ldns_rr* q = ldns_rr_new();
+ ldns_rr* match = NULL;
if(!sigs) return LDNS_STATUS_MEM_ERR;
if(!q) return LDNS_STATUS_MEM_ERR;
ldns_rr_set_question(q, 1);
if(!ldns_rr_owner(q)) return LDNS_STATUS_MEM_ERR;
ldns_rr_set_type(q, type);
- result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0);
+ /* result = ldns_dnssec_verify_denial_nsec3(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0); */
+ result = ldns_dnssec_verify_denial_nsec3_match(q, nsecs, sigs, ldns_pkt_get_rcode(pkt), type, ldns_pkt_ancount(pkt) == 0, &match);
+ if (result == LDNS_STATUS_OK && match && nsec_rrs && nsec_rr_sigs) {
+ (void) get_dnssec_rr(pkt, ldns_rr_owner(match), LDNS_RR_TYPE_NSEC3, nsec_rrs, nsec_rr_sigs);
+ }
ldns_rr_free(q);
ldns_rr_list_deep_free(nsecs);
ldns_rr_list_deep_free(sigs);
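Review bot: The commented-out old call to `ldns_dnssec_verify_denial_nsec3` left above the new `_match` call is dead code that version control already preserves, and should be removed. The `(void)` cast on `get_dnssec_rr` also drops its status, so if collecting the matching NSEC3 RRs fails, `nsec_rrs`/`nsec_rr_sigs` stay unfilled while `result` still reports LDNS_STATUS_OK to the caller; if `get_dnssec_rr` returns an ldns_status, as the cast suggests, propagating it with `result = get_dnssec_rr(pkt, ldns_rr_owner(match), LDNS_RR_TYPE_NSEC3, nsec_rrs, nsec_rr_sigs);` would keep status and output consistent, otherwise a comment stating that the collection is best-effort is needed. Note that `match` points into `nsecs`, which is deep-freed two lines later, so any future use of `match` must stay above that free. The enclosing function starts and ends outside this hunk.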
* \param[in] algo Signing algorithm
* \return status LDNS_STATUS_OK if the data verifies. Error if not.
*/
+ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
+ ldns_rr_list *nsecs,
+ ldns_rr_list *rrsigs,
+ ldns_pkt_rcode packet_rcode,
+ ldns_rr_type packet_qtype,
+ bool packet_nodata,
+ ldns_rr **match);
+/**
+ * Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns
+ * the nsec rr that matched.
+ * This function should probably not be used directly.
+ *
+ * \param[in] rawsig_buf Buffer containing signature data to use
+ * \param[in] verify_buf Buffer containing data to verify
+ * \param[in] key_buf Buffer containing key data to use
+ * \param[in] algo Signing algorithm
+ * \return status LDNS_STATUS_OK if the data verifies. Error if not.
+ */
+
+
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
ldns_buffer *verify_buf,
ldns_buffer *key_buf,
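Review bot: The new Doxygen block is placed after the `ldns_dnssec_verify_denial_nsec3_match` declaration it describes, so it attaches to `ldns_verify_rrsig_buffers` instead, while the pre-existing comment ending in `\param[in] algo` now documents the new prototype. Its parameter list is also copied from `ldns_verify_rrsig_buffers` (`rawsig_buf`, `verify_buf`, `key_buf`, `algo`) and does not match the actual parameters. Move the block above the new declaration and describe the real parameters (`rr`, `nsecs`, `rrsigs`, `packet_rcode`, `packet_qtype`, `packet_nodata`, and `match`), stating for `match` that it may be NULL and that on success it receives a borrowed pointer into `nsecs` that is invalid once `nsecs` is freed. The `ldns_verify_rrsig_buffers` prototype continues past the end of this hunk.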