- updates to dns_message_signer to handle SIG(0) as well as TSIG

- SIG(0)'s can be rendered, and information is stored to allow them to be verified after parsing. This needs some cleanup work done.
2025-09-03 16:15:27 +00:00 · 1999-11-02 19:59:04 +00:00
parent 322b0fb39d
commit 0b764d91c9
2 changed files with 157 additions and 41 deletions
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -34,6 +34,8 @@
 #include <dns/rdatastruct.h>
 #include <dns/compress.h>

+#include <dst/dst.h>
+
 /*
 * How this beast works:
 *
@@ -119,7 +121,8 @@ typedef int dns_section_t;
 #define DNS_SECTION_AUTHORITY		2
 #define DNS_SECTION_ADDITIONAL		3
 #define DNS_SECTION_TSIG		4 /* pseudo-section */
-#define DNS_SECTION_MAX			5
+#define DNS_SECTION_SIG0		5 /* pseudo-section */
+#define DNS_SECTION_MAX			6

 /*
 * Dynamic update named for these sections.
@@ -161,6 +164,8 @@ struct dns_message {
 	unsigned int			header_ok : 1;
 	unsigned int			question_ok : 1;
 	unsigned int			tcp_continuation: 1;
+	unsigned int			response_needs_sig0: 1;
+	unsigned int			verified_sig0: 1;

 	unsigned int			reserved; /* reserved space (render) */

@@ -186,7 +191,11 @@ struct dns_message {
 	dns_rdata_any_tsig_t	       *querytsig;
 	dns_tsigkey_t		       *tsigkey;
 	void			       *tsigctx;
-	int				tsigstart;
+	int				sigstart;
+
+	dst_key_t		       *sig0key;
+	dns_rcode_t			sig0status;
+	isc_region_t		       *query;
 };

 dns_result_t
@@ -836,37 +845,43 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
 */

 isc_result_t
-dns_message_signer(dns_message_t *msg, dns_name_t **signer);
+dns_message_signer(dns_message_t *msg, dns_name_t *signer);
 /*
- * If this response message was signed, return the identity of the signer.
+ * If this message was signed, return the identity of the signer.
 * Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
 * key that signed the message.
 *
 * Requires:
 *
- *	msg be a valid response message.
- *	signer != NULL && *signer is NULL
+ *	msg is a valid parsed message.
+ *	signer is a valid name
 *
 * Returns:
 *
 *	ISC_R_SUCCESS		- the message was signed, and *signer
 *				  contains the signing identity
 *
- *	ISC_R_NOTFOUND		- no TSIG record or key is present in the
+ *	ISC_R_NOTFOUND		- no TSIG or SIG(0) record is present in the
 *				  message
 *
- *	DNS_R_TSIGVERIFYFAILURE	- the message was signed, but the signature
- *				  failed to verify
+ *	DNS_R_TSIGVERIFYFAILURE	- the message was signed by a TSIG, but the
+ *				  signature failed to verify
 *
- *	DNS_R_TSIGERRORSET	- the message was signed and verified, but
- *				  the query was rejected by the server
+ *	DNS_R_TSIGERRORSET	- the message was signed by a TSIG and
+ *				  verified, but the query was rejected by
+ *				  the server
 *
- *	DNS_R_KEYUNAUTHORIZED	- the message was signed and verified, but
- *				  the key has no identity since it was
- *				  generated by an unsigned TKEY process
- *				  (new error code?)
+ *	DNS_R_NOIDENTITY	- the message was signed by a TSIG and
+ *				  verified, but the key has no identity since
+ *				  it was generated by an unsigned TKEY process
+ *
+ *	DNS_R_SIGINVALID	- the message was signed by a SIG(0), but
+ *				  the signature failed to verify
+ *
+ *	DNS_R_SIGNOTVERIFIEDYET	- the message was signed by a SIG(0), but
+ *				  the signature has not been verified yet
 */

 ISC_LANG_ENDDECLS

-#endif	/* DNS_DNS_H */
+#endif	/* DNS_MESSAGE_H */