Commit e5c75445 authored by Brian Wellington's avatar Brian Wellington

dns_message_signer

parent 2bcb48cf
......@@ -835,6 +835,37 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
* dynamincally allocated via isc_buffer_allocate().
*/
isc_result_t
dns_message_signer(dns_message_t *msg, dns_name_t **signer);
/*
* If this response message was signed and the signature has been validated,
* return the identity of the signer.
*
* Requires:
*
* msg be a valid response message.
* signer != NULL && *signer is NULL
*
* Returns:
*
* ISC_R_SUCCESS - the message was signed, and *signer
* contains the signing identity
*
* ISC_R_NOTFOUND - no TSIG record or key is present in the
* message
*
* DNS_R_KEYUNAUTHORIZED - the message was signed and verified, but
* the key has no identity since it was
* generated by an unsigned TKEY process
* (new error code?)
*
* DNS_R_TSIGVERIFYFAILURE - the message was signed, but the signature
* failed to verify
*
* DNS_R_TSIGERRORSET - the message was signed and verified, but
* the query was rejected by the server
*/
ISC_LANG_ENDDECLS
#endif /* DNS_DNS_H */
......@@ -1904,3 +1904,22 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer)
ISC_LIST_APPEND(msg->cleanup, *buffer, link);
*buffer = NULL;
}
isc_result_t
dns_message_signer(dns_message_t *msg, dns_name_t **signer) {
REQUIRE(DNS_MESSAGE_VALID(msg));
REQUIRE(signer != NULL);
REQUIRE(*signer == NULL);
REQUIRE(msg->flags & DNS_MESSAGEFLAG_QR);
if (msg->tsigkey == NULL || msg->tsig == NULL)
return (ISC_R_NOTFOUND);
if (msg->tsigkey->generated)
return (DNS_R_KEYUNAUTHORIZED);
if (msg->tsigstatus != dns_rcode_noerror)
return (DNS_R_TSIGVERIFYFAILURE);
if (msg->tsig->error != dns_rcode_noerror)
return (DNS_R_TSIGERRORSET);
*signer = &msg->tsigkey->name;
return (ISC_R_SUCCESS);
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment