From b21457fdd4ee741416708f68b222d41ec3d6cb9c Mon Sep 17 00:00:00 2001
From: Bob Halley
Date: Tue, 28 Jul 2020 18:40:36 -0700
Subject: [PATCH] When validating a signature, derelativize before doing any label computations.

Raise an error if the number of labels in the signature is longer than the number of labels in the owner name. (This is just to give a better error as the validation would fail anyway.)
---
 dns/dnssec.py | 9 +++++++--
 tests/test_dnssec.py | 9 ++++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/dns/dnssec.py b/dns/dnssec.py
index c50abf8d..e36e7293 100644
--- a/dns/dnssec.py
+++ b/dns/dnssec.py
@@ -393,10 +393,15 @@ def _validate_rrsig(rrset, rrsig, keys, origin=None, now=None):
 data += rrsig.to_wire(origin=origin)[:18]
 data += rrsig.signer.to_digestable(origin)
- if rrsig.labels < len(rrname) - 1:
+ # Derelativize the name before considering labels.
+ rrname = rrname.derelativize(origin)
+
+ if len(rrname) - 1 < rrsig.labels:
+ raise ValidationFailure('owner name longer than RRSIG labels')
+ elif rrsig.labels < len(rrname) - 1:
 suffix = rrname.split(rrsig.labels + 1)[1]
 rrname = dns.name.from_text('*', suffix)
- rrnamebuf = rrname.to_digestable(origin)
+ rrnamebuf = rrname.to_digestable()
 rrfixed = struct.pack('!HHI', rdataset.rdtype, rdataset.rdclass,
 rrsig.original_ttl)
 rrlist = sorted(rdataset)
diff --git a/tests/test_dnssec.py b/tests/test_dnssec.py
index 3e14a22c..ea82d7b8 100644
--- a/tests/test_dnssec.py
+++ b/tests/test_dnssec.py
@@ -358,7 +358,7 @@ class DNSSECValidatorTestCase(unittest.TestCase):
 dns.dnssec.validate(rsasha512_ns, rsasha512_ns_rrsig,
 rsasha512_keys, None, rsasha512_when)
- def testWildcardGood(self):
+ def testWildcardGoodAndBad(self):
 dns.dnssec.validate(wildcard_txt, wildcard_txt_rrsig,
 wildcard_keys, None, wildcard_when)
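Review bot: The message on the new `raise` line is inverted relative to its condition: `len(rrname) - 1 < rrsig.labels` fires when the owner name has *fewer* labels than the RRSIG Labels field, yet the text reads 'owner name longer than RRSIG labels', which would send anyone debugging a failed validation in the wrong direction; suggest `raise ValidationFailure('RRSIG labels field exceeds owner name label count')`. The check itself is sound and worth keeping as a ValidationFailure: RFC 4035 §5.3.1 requires the owner name to have at least Labels labels (root excluded), and before this change such a Labels value would presumably have reached `rrname.split(rrsig.labels + 1)` and surfaced as some other exception rather than a clean validation error, which matters for callers that catch only ValidationFailure. A one-line comment naming the rule would make the guard self-explanatory, e.g. `# RFC 4035 5.3.1: the owner name must carry at least rrsig.labels labels (root excluded); fewer means a forged or mismatched RRSIG.` The derelativization before the comparison is also what makes `len(rrname) - 1` meaningful and the argument-free `to_digestable()` safe, so the two new lines belong together and should not be reordered later. `_validate_rrsig` starts before and continues after this hunk.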
@@ -377,6 +377,13 @@ class DNSSECValidatorTestCase(unittest.TestCase):
 dns.dnssec.validate(abc_txt, abc_txt_rrsig,
 wildcard_keys, None, wildcard_when)
+ com_name = dns.name.from_text('com.')
+ com_txt = clone_rrset(wildcard_txt, com_name)
+ com_txt_rrsig = clone_rrset(wildcard_txt_rrsig, abc_name)
+ with self.assertRaises(dns.dnssec.ValidationFailure):
+ dns.dnssec.validate_rrsig(com_txt, com_txt_rrsig[0], wildcard_keys,
+ None, wildcard_when)
+
 def testAlternateParameterFormats(self): # type: () -> None
 # Pass rrset and rrsigset as (name, rdataset) tuples, not rrsets
 rrset = (abs_soa.name, abs_soa.to_rdataset())
-- 
2.47.3
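Review bot: The new `assertRaises(dns.dnssec.ValidationFailure)` block does not demonstrate that the new label-count guard is what rejects `com.`: the commit message itself says validation "would fail anyway", so a plain signature-mismatch ValidationFailure from the same call satisfies the assertion and the test passes with or without the guard. Capture the exception and pin its reason, e.g. `with self.assertRaises(dns.dnssec.ValidationFailure) as cm:` followed by `self.assertIn('labels', str(cm.exception))`, or use `assertRaisesRegex`. `clone_rrset`, `abc_name` and the wildcard fixtures are defined outside this hunk, so whether `com.` really has fewer labels than the wildcard RRSIG's Labels field cannot be confirmed from here; a comment stating the intent would help, e.g. `# com. has fewer labels than the RRSIG Labels field, so the label check must reject it before any crypto runs.` The RRSIG rrset is cloned onto `abc_name` rather than `com_name`, which is presumably harmless if `validate_rrsig` reads only `com_txt_rrsig[0]`, but `com_name` would read less like a copy-paste slip. The enclosing test method starts outside the hunk.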