From: Miek Gieben
Date: Wed, 24 Aug 2005 12:53:03 +0000 (+0000)
Subject: check for rrsig inception and expiration time stamps when validating signatures
X-Git-Tag: release-1.0.0~247
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7d3c12cc0804d113cde5960cd5ef91bc65c755f;p=thirdparty%2Fldns.git

check for rrsig inception and expiration time stamps when validating signatures
---

diff --git a/dnssec.c b/dnssec.c
index 764dfa32..7cb84f9e 100644
--- a/dnssec.c
+++ b/dnssec.c
@@ -159,6 +159,7 @@ ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr_list *key
 	ldns_rr *current_key;
 	ldns_rr_list *rrset_clone;
 	ldns_rr_list *validkeys;
+	time_t now, inception, expiration;
 
 	if (!rrset) {
 		return NULL;
@@ -179,6 +180,24 @@ ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr_list *key
 	sig_algo = ldns_rdf2native_int8(ldns_rr_rdf(rrsig, 1));
 	result = false;
 
+	/* check the signature time stamps */
+	inception = ldns_rdf2native_time_t(ldns_rr_rrsig_inception(rrsig));
+	expiration = ldns_rdf2native_time_t(ldns_rr_rrsig_expiration(rrsig));
+	now = time(NULL);
+
+	if (expiration - inception < 0) {
+		/* bad sig, expiration before inception?? Tsssg */
+		return NULL;
+	}
+	if (now - inception < 0) {
+		/* bad sig, inception date has passed */
+		return NULL;
+	}
+	if (expiration - now < 0) {
+		/* bad sig, expiration date has passed */
+		return NULL;
+	}
+
 	/* create a buffer with b64 signature rdata */
 	if (ldns_rdf2buffer_wire(rawsig_buf, ldns_rr_rdf(rrsig, 8)) != LDNS_STATUS_OK) {
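Review bot: The `time_t now, inception, expiration;` declared in the first hunk feed `a - b < 0` checks in the second hunk whose middle comment is inverted: `now - inception < 0` rejects a signature whose inception is still in the future, so it should read `/* bad sig, inception date has not been reached yet */`. RRSIG inception and expiration are 32-bit values compared with serial-number arithmetic per RFC 4034 section 3.1.5, so plain signed subtraction on time_t is not the comparison the specification describes; at minimum the direct forms `if (now < inception)` and `if (expiration < now)` say what is meant, and a comment noting that no clock-skew tolerance is applied would help callers. Whether `ldns_rr_rrsig_inception()` and `ldns_rr_rrsig_expiration()` can return NULL for a malformed record is not visible here; if they can, the `ldns_rdf2native_time_t` calls need a NULL check before use. `ldns_verify_rrsig_keylist` starts before the first hunk and continues past the last.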