
Harden checks

This commit is contained in:
Matthijs Mekking 2019-01-30 11:12:49 +01:00 committed by Evan Hunt
parent 1cc25ff5e0
commit b05a095a3e
2 changed files with 13 additions and 5 deletions


@ -625,12 +625,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
tkey_log("process_gsstkey(): dns_tsigerror_noerror"); /* XXXSRA */
/*
* We found a TKEY to respond with. We don't know if
* the request is TSIG signed, but if it is not we need to make
* sure the response is signed (RFC 2845 secton 2.2).
* We found a TKEY to respond with. If the request is not TSIG signed,
* we need to make sure the response is signed (see RFC 3645, Section
* 2.2).
*/
if (tsigkey != NULL) {
if (tsigkey != NULL && msg->tsigkey == NULL && msg->sig0key == NULL) {
dns_message_settsigkey(msg, tsigkey);
}
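Review bot: The rewritten comment above the `if` describes only the TSIG case, while the new condition `if (tsigkey != NULL && msg->tsigkey == NULL && msg->sig0key == NULL)` also leaves the message alone when it already carries a SIG(0) key, so the comment under-documents the check it explains. Suggest wording it as `* We found a TKEY to respond with. If the request is not signed (neither TSIG nor SIG(0)), we need to make sure the response is signed with the negotiated key (see RFC 3645, Section 2.2).` so the SIG(0) branch is not mistaken for an oversight later. The leading `tsigkey != NULL` guard is still what keeps dns_message_settsigkey() from receiving a NULL key. process_gsstkey() begins and ends outside the hunk.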


@ -778,7 +778,16 @@ dns_tsig_sign(dns_message_t *msg) {
key = dns_message_gettsigkey(msg);
REQUIRE(VALID_TSIG_KEY(key));
/*
* If this is a response, there should be a TSIG in the query with the
* the exception if this is a TKEY request (see RFC 3645, Section 2.2).
*/
response = is_response(msg);
if (response && msg->querytsig == NULL) {
if (msg->tkey != 1) {
return (DNS_R_EXPECTEDTSIG);
}
}
mctx = msg->mctx;
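Review bot: The new comment block has a duplicated word, `with the the exception`, and the nested `if (msg->tkey != 1)` can be folded into the outer test so the exemption reads as a single condition: `if (response && msg->querytsig == NULL && msg->tkey != 1) {` / `return (DNS_R_EXPECTEDTSIG);` / `}`. Comparing `msg->tkey` against `1` is only a clean boolean test if the field is a single-bit flag, which the hunk does not show; if it is wider, `!msg->tkey` is the safer spelling. The comment could also say which key is expected to sign an unsigned TKEY response, since this branch now lets a response through that the old check rejected. dns_tsig_sign() continues outside the hunk.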