dns_message_signer

lib/dns/include/dns/message.h

@@ -835,6 +835,37 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
  *	dynamincally allocated via isc_buffer_allocate().
  */
 
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t **signer);
+/*
+ * If this response message was signed and the signature has been validated,
+ * return the identity of the signer.
+ *
+ * Requires:
+ *
+ *	msg be a valid response message.
+ *	signer != NULL && *signer is NULL
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		- the message was signed, and *signer
+ *				  contains the signing identity
+ *
+ *	ISC_R_NOTFOUND		- no TSIG record or key is present in the
+ *				  message
+ *
+ *	DNS_R_KEYUNAUTHORIZED	- the message was signed and verified, but
+ *				  the key has no identity since it was
+ *				  generated by an unsigned TKEY process
+ *				  (new error code?)
+ *
+ *	DNS_R_TSIGVERIFYFAILURE	- the message was signed, but the signature
+ *				  failed to verify
+ *
+ *	DNS_R_TSIGERRORSET	- the message was signed and verified, but
+ *				  the query was rejected by the server
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif	/* DNS_DNS_H */

lib/dns/message.c

@@ -1904,3 +1904,22 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer)
 	ISC_LIST_APPEND(msg->cleanup, *buffer, link);
 	*buffer = NULL;
 }
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t **signer) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(signer != NULL);
+	REQUIRE(*signer == NULL);
+	REQUIRE(msg->flags & DNS_MESSAGEFLAG_QR);
+
+	if (msg->tsigkey == NULL || msg->tsig == NULL)
+		return (ISC_R_NOTFOUND);
+	if (msg->tsigkey->generated)
+		return (DNS_R_KEYUNAUTHORIZED);
+	if (msg->tsigstatus != dns_rcode_noerror)
+		return (DNS_R_TSIGVERIFYFAILURE);
+	if (msg->tsig->error != dns_rcode_noerror)
+		return (DNS_R_TSIGERRORSET);
+	*signer = &msg->tsigkey->name;
+	return (ISC_R_SUCCESS);
+}