Commit 06f9d648 authored by Brian Wellington's avatar Brian Wellington

dns_message_signer update

parent bf04258e
......@@ -838,8 +838,9 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
isc_result_t
dns_message_signer(dns_message_t *msg, dns_name_t **signer);
/*
* If this response message was signed and the signature has been validated,
* return the identity of the signer.
* If this response message was signed, return the identity of the signer.
* Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
* key that signed the message.
*
* Requires:
*
......@@ -854,16 +855,16 @@ dns_message_signer(dns_message_t *msg, dns_name_t **signer);
* ISC_R_NOTFOUND - no TSIG record or key is present in the
* message
*
* DNS_R_KEYUNAUTHORIZED - the message was signed and verified, but
* the key has no identity since it was
* generated by an unsigned TKEY process
* (new error code?)
*
* DNS_R_TSIGVERIFYFAILURE - the message was signed, but the signature
* failed to verify
*
* DNS_R_TSIGERRORSET - the message was signed and verified, but
* the query was rejected by the server
*
* DNS_R_KEYUNAUTHORIZED - the message was signed and verified, but
* the key has no identity since it was
* generated by an unsigned TKEY process
* (new error code?)
*/
ISC_LANG_ENDDECLS
......
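Review bot: The new sentence `Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the key that signed the message.` promises more than the caller may trust: on the DNS_R_TSIGVERIFYFAILURE path the message did not verify, so the returned name is only what the TSIG record claims, not an authenticated identity. Suggest wording along the lines of `Unless ISC_R_NOTFOUND is returned, *signer is set to the name of the TSIG key; the name is only authenticated when ISC_R_SUCCESS or DNS_R_TSIGERRORSET is returned.` so that callers do not use the name as an identity after a verification failure. The moved DNS_R_KEYUNAUTHORIZED paragraph in the second hunk still carries the `(new error code?)` question, which should be resolved or dropped now that the implementation returns that code.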
......@@ -1907,6 +1907,8 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer)
isc_result_t
dns_message_signer(dns_message_t *msg, dns_name_t **signer) {
isc_result_t result;
REQUIRE(DNS_MESSAGE_VALID(msg));
REQUIRE(signer != NULL);
REQUIRE(*signer == NULL);
......@@ -1914,12 +1916,15 @@ dns_message_signer(dns_message_t *msg, dns_name_t **signer) {
if (msg->tsigkey == NULL || msg->tsig == NULL)
return (ISC_R_NOTFOUND);
if (msg->tsigkey->generated)
return (DNS_R_KEYUNAUTHORIZED);
if (msg->tsigstatus != dns_rcode_noerror)
return (DNS_R_TSIGVERIFYFAILURE);
if (msg->tsig->error != dns_rcode_noerror)
return (DNS_R_TSIGERRORSET);
result = DNS_R_TSIGVERIFYFAILURE;
else if (msg->tsig->error != dns_rcode_noerror)
result = DNS_R_TSIGERRORSET;
else if (msg->tsigkey->generated)
result = DNS_R_KEYUNAUTHORIZED;
else
result = ISC_R_SUCCESS;
*signer = &msg->tsigkey->name;
return (ISC_R_SUCCESS);
return (result);
}
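Review bot: `*signer = &msg->tsigkey->name;` now executes on every path except ISC_R_NOTFOUND, including the one that sets `result = DNS_R_TSIGVERIFYFAILURE`, so a caller that only tests for ISC_R_NOTFOUND receives a key name taken from a TSIG record that did not verify. Either assign the out-parameter only when the signature checked out, e.g. `if (result == ISC_R_SUCCESS || result == DNS_R_TSIGERRORSET)` followed by `*signer = &msg->tsigkey->name;`, or add a comment above the assignment stating that the name is unauthenticated when the result is DNS_R_TSIGVERIFYFAILURE, and make the header comment in the first file match whichever choice is taken. The meaning of `msg->tsigstatus` is not visible in this hunk; the note assumes it records the outcome of signature verification.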