*/
/*
- * $Id: dnssec.c,v 1.43 2000/06/06 22:00:47 bwelling Exp $
+ * $Id: dnssec.c,v 1.44 2000/07/25 17:11:58 bwelling Exp $
* Principal Author: Brian Wellington
*/
REQUIRE(mctx != NULL);
REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_sig);
- ret = dns_rdata_tostruct(sigrdata, &sig, mctx);
+ ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
if (ret != ISC_R_SUCCESS)
return (ret);
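Review bot: Passing NULL instead of mctx to dns_rdata_tostruct on the changed line means no copy is made: under that call's contract sig.signer and sig.signature point into sigrdata's own memory, so sigrdata must stay valid and unmodified for as long as sig is used, and any dns_rdata_freestruct(&sig) later in the function becomes a no-op. The early `return (ret);` here is still correct, since nothing was allocated, but the borrowing should be stated at the call, e.g. `/* sig borrows from sigrdata (no mctx): sigrdata must outlive sig */`. The same switch is made at the dns_rdata_tostruct call in the verifymessage hunk further down. The enclosing function starts and ends outside this hunk.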
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
RETERR(dst_context_sign(ctx, &sigbuf));
+ dst_context_destroy(&ctx);
rdata = NULL;
RETERR(dns_message_gettemprdata(msg, &rdata));
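Review bot: The added dst_context_destroy(&ctx) only runs on the success path; if dst_context_sign fails, the RETERR on the line above jumps to the failure label with the context still allocated, and the destroy added in the verifymessage hunk below (after `msg->verified_sig = 1;`) has the same shape, with every RETERR between dst_context_create and that line leaving the same way. Unless the failure label, which is outside this hunk, already does `if (ctx != NULL) dst_context_destroy(&ctx);`, the context leaks on every error exit. Either that cleanup belongs at the label, or the sign call should be checked inline so the context is destroyed before the jump. The enclosing function starts and ends outside this hunk.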
RETERR(dns_rdataset_first(msg->sig0));
dns_rdataset_current(msg->sig0, &rdata);
- RETERR(dns_rdata_tostruct(&rdata, &sig, mctx));
+ RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
signeedsfree = ISC_TRUE;
if (sig.labels != 0) {
goto failure;
}
- /* XXXBEW ensure that sig.signer refers to this key */
+ if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
+ result = DNS_R_SIGINVALID;
+ msg->sig0status = dns_tsigerror_badkey;
+ goto failure;
+ }
RETERR(dst_context_create(key, mctx, &ctx));
msg->verified_sig = 1;
+ dst_context_destroy(&ctx);
dns_rdata_freestruct(&sig);
return (ISC_R_SUCCESS);
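Review bot: The new signer check replaces the XXXBEW comment with bare code, so the intent is no longer stated; a one-line comment would keep it, e.g. `/* The SIG(0) must name the key we were given; a mismatch is BADKEY, not a signature failure. */`. Rejecting the record before dst_context_create is the right order, since it avoids digesting the whole message for a key that cannot have produced the signature. Note that sig.signer borrows from rdata here (dns_rdata_tostruct is called with a NULL mctx), which is only safe because rdata appears to stay live until the function returns. The enclosing function starts outside this hunk.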
* SOFTWARE.
*/
-/* $Id: dnssec.h,v 1.15 2000/06/22 21:55:37 tale Exp $ */
+/* $Id: dnssec.h,v 1.16 2000/07/25 17:12:00 bwelling Exp $ */
#ifndef DNS_DNSSEC_H
#define DNS_DNSSEC_H 1
* ISC_R_SUCCESS
* ISC_R_NOMEMORY
* ISC_R_NOTFOUND - no SIG(0) was found
+ * DNS_R_SIGINVALID - the SIG record is not well-formed or
+ * was not generated by the key.
* DST_R_*
*/
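Review bot: The new DNS_R_SIGINVALID text says the record "was not generated by the key", but the check in dnssec.c that produces this code compares only the signer name with the key's name; what a record that names the key and carries a bad signature returns is not visible in this diff. Suggest `* DNS_R_SIGINVALID - the SIG record is not well-formed or does not name the key.` so callers do not read it as a cryptographic verification failure. If a verify failure also maps to DNS_R_SIGINVALID elsewhere, the wording can stay as is.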