From e5c75445501bb0459753f55cf3a9529b3cb794df Mon Sep 17 00:00:00 2001
From: Brian Wellington
Date: Wed, 27 Oct 1999 22:25:55 +0000
Subject: [PATCH] dns_message_signer

---
 lib/dns/include/dns/message.h | 31 +++++++++++++++++++++++++++++++
 lib/dns/message.c             | 19 +++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index bbd0182937..2127c2e495 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -835,6 +835,37 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
  * dynamincally allocated via isc_buffer_allocate().
  */
 
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t **signer);
+/*
+ * If this response message was signed and the signature has been validated,
+ * return the identity of the signer.
+ *
+ * Requires:
+ *
+ * msg be a valid response message.
+ * signer != NULL && *signer is NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS - the message was signed, and *signer
+ contains the signing identity
+ *
+ * ISC_R_NOTFOUND - no TSIG record or key is present in the
+ message
+ *
+ * DNS_R_KEYUNAUTHORIZED - the message was signed and verified, but
+ the key has no identity since it was
+ generated by an unsigned TKEY process
+ (new error code?)
+ *
+ * DNS_R_TSIGVERIFYFAILURE - the message was signed, but the signature
+ failed to verify
+ *
+ * DNS_R_TSIGERRORSET - the message was signed and verified, but
+ the query was rejected by the server
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_DNS_H */
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 9782d1729b..28b9fec2b2 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
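Review bot: The new comment above `dns_message_signer` lists `msg be a valid response message.` and the `signer` conditions under Requires but does not say they are enforced as assertions; the message.c implementation REQUIREs DNS_MESSAGEFLAG_QR, so calling this on a query aborts instead of returning an error, and the header should say so, e.g. `msg be a valid response message (DNS_MESSAGEFLAG_QR set); violations are REQUIRE failures, not error returns.` The returned `*signer` points into msg->tsigkey and is not copied, so the comment should also state that the name is valid only as long as msg (or its tsigkey, whose lifetime is not visible here) is. The parenthetical `(new error code?)` is an unresolved design question and does not belong in a public API comment. Note too that DNS_R_KEYUNAUTHORIZED is documented as `signed and verified`, which only holds if the implementation tests the verification status before the generated-key flag.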
@@ -1904,3 +1904,22 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer)
 	ISC_LIST_APPEND(msg->cleanup, *buffer, link);
 	*buffer = NULL;
 }
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t **signer) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(signer != NULL);
+	REQUIRE(*signer == NULL);
+	REQUIRE(msg->flags & DNS_MESSAGEFLAG_QR);
+
+	if (msg->tsigkey == NULL || msg->tsig == NULL)
+		return (ISC_R_NOTFOUND);
+	if (msg->tsigkey->generated)
+		return (DNS_R_KEYUNAUTHORIZED);
+	if (msg->tsigstatus != dns_rcode_noerror)
+		return (DNS_R_TSIGVERIFYFAILURE);
+	if (msg->tsig->error != dns_rcode_noerror)
+		return (DNS_R_TSIGERRORSET);
+	*signer = &msg->tsigkey->name;
+	return (ISC_R_SUCCESS);
+}
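Review bot: The `if (msg->tsigkey->generated)` test runs before the tsigstatus and tsig->error checks, so a response whose signature failed to verify, or whose server set a TSIG error, is reported as DNS_R_KEYUNAUTHORIZED, which the new header comment describes as "signed and verified". A caller that treats DNS_R_KEYUNAUTHORIZED as a validly signed but anonymous response would therefore accept an unverified message. Move the generated-key test after the two status checks: test `msg->tsigstatus != dns_rcode_noerror` and `msg->tsig->error != dns_rcode_noerror` first, then `if (msg->tsigkey->generated) return (DNS_R_KEYUNAUTHORIZED);`. The function also relies on tsigstatus having been set by an earlier verification step that is not visible in this hunk; if a message can reach here with verification never attempted, a comment naming the field's initial value and who sets it would make the contract checkable.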