result = dns_dnssec_verify(name, rdataset, ki->dst,
false, isc_g_mctx, &sigrdata,
- NULL);
+ NULL, NULL);
if (result != ISC_R_SUCCESS &&
result != DNS_R_FROMWILDCARD)
if (tryverify) {
result = dns_dnssec_verify(name, rdataset, key, true,
- isc_g_mctx, &trdata, NULL);
+ isc_g_mctx, &trdata, NULL, NULL);
if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
vbprintf(3, "\tsignature verified\n");
INCSTAT(nverified);
dns_rdata_t *rrsig) {
isc_result_t result;
result = dns_dnssec_verify(name, set, key, false, isc_g_mctx, rrsig,
- NULL);
+ NULL, NULL);
if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
INCSTAT(nverified);
return true;
isc_result_t
dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
bool ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata,
- dns_name_t *wild) {
+ dns_name_t *wild, dns_name_t *wildsigner) {
dns_rdata_rrsig_t sig;
dns_fixedname_t fnewname;
isc_region_t r;
dns_fixedname_name(&fnewname),
wild) == ISC_R_SUCCESS);
}
+ if (wildsigner != NULL) {
+ dns_name_copy(&sig.signer, wildsigner);
+ }
inc_stat(dns_dnssecstats_wildcard);
result = DNS_R_FROMWILDCARD;
}
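Review bot: The new copy into `wildsigner` happens only inside the wildcard branch, so on every other outcome (including a plain ISC_R_SUCCESS) the caller's buffer is left untouched; the validator later treats a zero-label `wildsigner` as "no wildcard signer", which only works if every caller pre-initialises the name. That contract should be spelled out next to the copy, e.g. `/* Only written on the wildcard path; callers must pass an initialised (empty) name and treat zero labels as "not set". */`. The `sig` struct is presumably filled by an earlier dns_rdata_tostruct() in the same function, but that call and the start of dns_dnssec_verify() are outside this hunk, so I cannot confirm it is always populated before this point.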
if (sig.algorithm == key.algorithm && sig.keyid == keytag) {
result = dns_dnssec_verify(name, rdataset, dstkey,
ignoretime, mctx, &sigrdata,
- NULL);
+ NULL, NULL);
if (result == ISC_R_SUCCESS) {
dst_key_free(&dstkey);
return true;
isc_result_t
dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
bool ignoretime, isc_mem_t *mctx, dns_rdata_t *sigrdata,
- dns_name_t *wild);
+ dns_name_t *wild, dns_name_t *wildsigner);
/*%<
* Verifies the RRSIG record covering this rdataset signed by a specific
* key. This does not determine if the key's owner is authorized to sign
*\li 'key' is a valid key
*\li 'mctx' is not NULL
*\li 'sigrdata' is a valid rdata containing a SIG record
- *\li 'wild' if non-NULL then is a valid and has a buffer.
+ *\li 'wild' if non-NULL then is a valid name and has a buffer.
+ *\li 'wildsigner' if non-NULL then is a valid name and has a buffer.
*
* Returns:
*\li #ISC_R_SUCCESS
*\li #DNS_R_FROMWILDCARD - the signature is valid and is from
* a wildcard expansion. dns_dnssec_verify2() only.
- * 'wild' contains the name of the wildcard if non-NULL.
+ * 'wild', if non-NULL, contains the name of the wildcard.
+ * 'wildsigner', if non-NULL, contains the 'signer' name
+ * from the RRSIG signing the wildcard.
*\li #DNS_R_SIGINVALID - the signature fails to verify
*\li #DNS_R_SIGEXPIRED - the signature has expired
*\li #DNS_R_SIGFUTURE - the signature's validity period has not begun
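Review bot: The DNS_R_FROMWILDCARD entry still says "dns_dnssec_verify2() only" although the prototype documented here is dns_dnssec_verify() with the new `wildsigner` argument, so the reference is stale and should be dropped. The updated text also does not say what happens to `wildsigner` on the other return codes; since the validator relies on an empty name meaning "not set", the contract should state it explicitly, e.g. `* 'wildsigner' is left unchanged unless #DNS_R_FROMWILDCARD is returned; pass an initialised (empty) name and test for zero labels.` The requirement that `wildsigner` have a buffer is correct, as the signer name is copied into it with dns_name_copy() in the implementation.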
dns_rdataset_t dsrdataset;
dns_fixedname_t fname;
dns_fixedname_t wild;
+ dns_fixedname_t wildsigner;
dns_fixedname_t closest;
ISC_LINK(dns_validator_t) link;
unsigned int depth;
}
consume_validation(val);
- result = dns_dnssec_verify(name, rdataset,
- dstkey, true, mctx,
- &sigrdata, NULL);
+ result = dns_dnssec_verify(
+ name, rdataset, dstkey, true, mctx,
+ &sigrdata, NULL, NULL);
switch (result) {
case DNS_R_SIGFUTURE:
case DNS_R_SIGEXPIRED:
verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
uint16_t keyid) {
isc_result_t result;
- dns_fixedname_t fixed;
+ dns_fixedname_t fwild, fsigner;
bool ignore = false;
- dns_name_t *wild = dns_fixedname_initname(&fixed);
+ dns_name_t *wild = dns_fixedname_initname(&fwild);
+ dns_name_t *wildsigner = dns_fixedname_initname(&fsigner);
if (DNS_TRUST_SECURE(val->rdataset->trust)) {
/*
again:
result = dns_dnssec_verify(val->name, val->rdataset, key, ignore,
- val->view->mctx, rdata, wild);
+ val->view->mctx, rdata, wild, wildsigner);
if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
val->view->acceptexpired)
{
}
if (result == DNS_R_FROMWILDCARD) {
if (!dns_name_equal(val->name, wild)) {
- dns_name_t *closest;
- unsigned int labels;
+ dns_name_t *closest = dns_fixedname_name(&val->closest);
/*
* Compute the closest encloser in case we need it
* for the NSEC3 NOQNAME proof.
*/
- closest = dns_fixedname_name(&val->closest);
dns_name_copy(wild, closest);
- labels = dns_name_countlabels(closest) - 1;
- dns_name_getlabelsequence(closest, 1, labels, closest);
+ dns_name_getlabelsequence(
+ closest, 1, dns_name_countlabels(closest) - 1,
+ closest);
+ dns_name_copy(wildsigner,
+ dns_fixedname_name(&val->wildsigner));
val->attributes |= VALATTR_NEEDNOQNAME;
}
result = ISC_R_SUCCESS;
* have a valid closest encloser. Otherwise we could still be looking
* at proofs from the parent zone.
*/
+ dns_name_t *wildsigner = dns_fixedname_name(&val->wildsigner);
if (dns_name_countlabels(closest) > 0 &&
dns_name_countlabels(nearest) ==
dns_name_countlabels(closest) + 1 &&
- dns_name_issubdomain(nearest, closest))
+ dns_name_issubdomain(nearest, closest) &&
+ (dns_name_countlabels(wildsigner) == 0 ||
+ dns_name_equal(zonename, wildsigner)))
{
val->attributes |= VALATTR_FOUNDCLOSEST;
result = dns_name_concatenate(dns_wildcardname, closest,
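Review bot: The added `dns_name_countlabels(wildsigner) == 0 ||` clause makes the new signer-vs-zone check opt-in: any path that sets VALATTR_NEEDNOQNAME without going through the wildcard branch of verify() (which is the only place this hunk shows `val->wildsigner` being filled) will accept a closest-encloser proof from a zone other than the one that signed the wildcard-expanded RRset, which is exactly the parent-zone mix-up the comment above warns about. If no such path exists the escape hatch is dead code and should go; if one does, it deserves a comment naming it, e.g. `/* wildsigner is empty only when NEEDNOQNAME was set outside the wildcard path; otherwise the NSEC/NSEC3 proof must come from the zone whose RRSIG signed the wildcard expansion. */`. I cannot see the other NEEDNOQNAME setters from this hunk, so whether the fallback is reachable is inferred, not confirmed. The enclosing function starts and ends outside this hunk.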
dns_rdataset_init(&val->fsigrdataset);
dns_rdataset_init(&val->dsrdataset);
dns_fixedname_init(&val->wild);
+ dns_fixedname_init(&val->wildsigner);
dns_fixedname_init(&val->closest);
val->start = isc_stdtime_now();
val->magic = VALIDATOR_MAGIC;
/* See if that key generated any of the signatures */
DNS_RDATASET_FOREACH(&fetch->sigset) {
dns_rdata_t sigrr = DNS_RDATA_INIT;
- dns_fixedname_t fixed;
- dns_fixedname_init(&fixed);
dns_rdataset_current(&fetch->sigset, &sigrr);
result = dns_rdata_tostruct(&sigrr, &sig, NULL);
{
result = dns_dnssec_verify(keyname, &fetch->rrset,
dstkey, false, mctx, &sigrr,
- dns_fixedname_name(&fixed));
+ NULL, NULL);
dnssec_log(fetch->zone, ISC_LOG_DEBUG(3),
"Confirm revoked DNSKEY is self-signed: %s",
}
result = dns_dnssec_verify(keyname, dnskeys, dstkey,
- false, mctx, &sigrr, NULL);
+ false, mctx, &sigrr, NULL,
+ NULL);
dst_key_free(&dstkey);
dnssec_log(zone, ISC_LOG_DEBUG(3),
continue;
}
result = dns_dnssec_verify(name, rdataset, dstkeys[key], false,
- vctx->mctx, sigrdata, NULL);
+ vctx->mctx, sigrdata, NULL, NULL);
if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) {
return true;
}