From: Bob Halley
Date: Wed, 29 Jul 2020 01:40:36 +0000 (-0700)
Subject: When validating a signature, derelativize before doing any label computations.
X-Git-Tag: v2.1.0rc1~116
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b21457fdd4ee741416708f68b222d41ec3d6cb9c;p=thirdparty%2Fdnspython.git

When validating a signature, derelativize before doing any label computations.

Raise an error if the number of labels in the signature is longer than the number of labels in the owner name. (This is just to give a better error as the validation would fail anyway.)
---
diff --git a/dns/dnssec.py b/dns/dnssec.py
index c50abf8d..e36e7293 100644
--- a/dns/dnssec.py
+++ b/dns/dnssec.py
@@ -393,10 +393,15 @@ def _validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
     data += rrsig.to_wire(origin=origin)[:18]
     data += rrsig.signer.to_digestable(origin)
 
-    if rrsig.labels < len(rrname) - 1:
+    # Derelativize the name before considering labels.
+    rrname = rrname.derelativize(origin)
+
+    if len(rrname) - 1 < rrsig.labels:
+        raise ValidationFailure('owner name longer than RRSIG labels')
+    elif rrsig.labels < len(rrname) - 1:
         suffix = rrname.split(rrsig.labels + 1)[1]
         rrname = dns.name.from_text('*', suffix)
-    rrnamebuf = rrname.to_digestable(origin)
+    rrnamebuf = rrname.to_digestable()
     rrfixed = struct.pack('!HHI', rdataset.rdtype, rdataset.rdclass,
                           rrsig.original_ttl)
     rrlist = sorted(rdataset)
diff --git a/tests/test_dnssec.py b/tests/test_dnssec.py
index 3e14a22c..ea82d7b8 100644
--- a/tests/test_dnssec.py
+++ b/tests/test_dnssec.py
@@ -358,7 +358,7 @@ class DNSSECValidatorTestCase(unittest.TestCase):
         dns.dnssec.validate(rsasha512_ns, rsasha512_ns_rrsig, rsasha512_keys, None, rsasha512_when)
-    def testWildcardGood(self):
+    def testWildcardGoodAndBad(self):
         dns.dnssec.validate(wildcard_txt, wildcard_txt_rrsig, wildcard_keys, None, wildcard_when)
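Review bot: The message on the new `raise ValidationFailure('owner name longer than RRSIG labels')` line is inverted: the guard fires when `len(rrname) - 1 < rrsig.labels`, i.e. when the owner name has fewer labels than the RRSIG Labels field claims, which is exactly the `com.`-owner-with-`abc`-signature case the accompanying test exercises. Suggest `raise ValidationFailure('RRSIG labels field exceeds owner name label count')` so the error points at the mismatched or malformed RRSIG rather than at the name. Since `derelativize(origin)` presumably leaves a relative name unchanged when `origin` is None, the `len(rrname) - 1` count and the later `to_digestable()` call only look meaningful for an absolute result; a relative name would appear to escape as a `dns.name` exception rather than `ValidationFailure`, which callers catching only the latter would not handle, so this is worth confirming at the function's entry, which lies outside the hunk. Note also that the `elif` branch silently substitutes `*.suffix` as the signed owner without surfacing to the caller that wildcard expansion happened, yet RFC 4035 §5.3.4 requires an expanded-wildcard signature to be paired with an NSEC/NSEC3 proof that the queried name does not exist. _validate_rrsig begins and ends outside this hunk.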
@@ -377,6 +377,13 @@ class DNSSECValidatorTestCase(unittest.TestCase):
         dns.dnssec.validate(abc_txt, abc_txt_rrsig, wildcard_keys, None, wildcard_when)
+        com_name = dns.name.from_text('com.')
+        com_txt = clone_rrset(wildcard_txt, com_name)
+        com_txt_rrsig = clone_rrset(wildcard_txt_rrsig, abc_name)
+        with self.assertRaises(dns.dnssec.ValidationFailure):
+            dns.dnssec.validate_rrsig(com_txt, com_txt_rrsig[0], wildcard_keys,
+                                      None, wildcard_when)
+
     def testAlternateParameterFormats(self): # type: () -> None
         # Pass rrset and rrsigset as (name, rdataset) tuples, not rrsets
         rrset = (abs_soa.name, abs_soa.to_rdataset())
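Review bot: The new `assertRaises(dns.dnssec.ValidationFailure)` block cannot distinguish the new labels guard from the pre-existing failure path: the commit message itself says validation of the `com.` clone would fail anyway, so this test still passes if the guard is removed or never fires. Pinning the reason, e.g. `with self.assertRaisesRegex(dns.dnssec.ValidationFailure, 'RRSIG labels'):`, makes the test actually cover the added check. The `com_txt_rrsig` clone is given owner `abc_name` although only `com_txt_rrsig[0]` (the rdata) is passed to `validate_rrsig`, so that owner name looks incidental; a comment such as `# only the RRSIG rdata is used here; the rrset owner name is irrelevant` would keep a reader from inferring meaning from it. testWildcardGoodAndBad starts before this hunk.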