Fixed bug where the TSIG algorithm was always assumed to be HMAC-MD5 and hard-coded as such.
authorAki Tuomi <cmouse@cmouse.fi>
Mon, 17 Jun 2013 19:05:41 +0000 (22:05 +0300)
committerPeter van Dijk <peter.van.dijk@netherlabs.nl>
Tue, 18 Jun 2013 10:02:06 +0000 (12:02 +0200)
pdns/dnspacket.cc
pdns/dnssecinfra.cc
pdns/resolver.cc

index 82fb7075f6521f150ebf9e645c4e6dec81316e35..30729cd2f54facca559bd40a6ac743917581c3b9 100644 (file)
@@ -599,7 +599,15 @@ bool checkForCorrectTSIG(const DNSPacket* q, DNSBackend* B, string* keyname, str
     L<<Logger::Error<<"Packet for domain '"<<q->qdomain<<"' denied: can't find TSIG key with name '"<<*keyname<<"' and algorithm '"<<trc->d_algoName<<"'"<<endl;
     return false;
   }
-  trc->d_algoName += ".sig-alg.reg.int.";
+
+  if (trc->d_algoName == "hmac-md5") 
+    rc->d_algoName += ".sig-alg.reg.int."; 
+
+  if (trc->d_algoName != "hmac-md5.sig-alg.reg.int.") {
+    L<<Logger::Error<<"Unsupported TSIG HMAC algorithm " << trc->d_algoName << endl;
+    return false;
+  }
+
   B64Decode(secret64, *secret);
   bool result=calculateMD5HMAC(*secret, message) == trc->d_mac;
   if(!result) {
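Review bot: The new line `rc->d_algoName += ".sig-alg.reg.int.";` operates on `rc`, while every other new line in the hunk checks and logs `trc`; unless an `rc` happens to exist outside the hunk this does not compile, and if one does, the suffix lands on the wrong object and the following `!= "hmac-md5.sig-alg.reg.int."` test then refuses every key configured as plain `hmac-md5`. It should read `trc->d_algoName += ".sig-alg.reg.int.";`. Both new comparisons are exact, case-sensitive matches; TSIG algorithm names are DNS names and are conventionally compared case-insensitively, so a key stored as `HMAC-MD5` or written without the trailing dot would be rejected here — worth confirming how d_algoName is normalized before it reaches this function, and using the project's case-insensitive compare if it is not. Adjacent but not part of this change: the `== trc->d_mac` comparison on the context line is a plain string equality, not a constant-time MAC compare. checkForCorrectTSIG's body continues outside the hunk.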
index 86b52bdbc2f86f2b1bc2e4cde925ab387aed1c47..e7024e7af67cf3953e6f048c1df51d1bb65ce2bd 100644 (file)
@@ -495,6 +495,11 @@ string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigOff
 
 void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const string& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly)
 {
+  if (trc->d_algoName != "hmac-md5.sig-alg.reg.int.") {
+    L<<Logger::Error<<"Unsupported HMAC TSIG algorithm " << trc->d_algoName << endl;
+    return;
+  }
+
   string toSign;
   if(!tsigprevious.empty()) {
     uint16_t len = htons(tsigprevious.length());
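Review bot: The new early `return;` in addTSIG gives the caller no signal that signing was skipped: the function is void, so a packet assembled with an unsupported algorithm is simply sent without a TSIG record, failing open at exactly the point where signing was requested. Prefer to fail closed — for example change the signature to `bool addTSIG(...)`, make the new branch `return false;`, and have callers treat false as a hard failure (or throw, following whatever error convention addTSIG's callers already use; they are outside this hunk). The new first line also dereferences `trc` before any null check, which matches the existing body but deserves a line such as `// trc must be non-null: the caller supplies the TSIG record to be signed`. addTSIG's body continues past the end of the hunk.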
index 8dae6bb749202c79c7b372b2d5c906d79b5d504e..13043c1ff8348b098b2f12ec917ba6c8764adee0 100644 (file)
@@ -122,7 +122,8 @@ uint16_t Resolver::sendResolve(const ComboAddress& remote, const char *domain, i
   if(!tsigkeyname.empty()) {
     // cerr<<"Adding TSIG to notification, key name: '"<<tsigkeyname<<"', algo: '"<<tsigalgorithm<<"', secret: "<<Base64Encode(tsigsecret)<<endl;
     TSIGRecordContent trc;
-    trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int.";
+    if (tsigalgorithm == "hmac-md5")  
+      trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int.";
     trc.d_time = time(0);
     trc.d_fudge = 300;
     trc.d_origID=ntohs(d_randomid);
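Review bot: When `tsigalgorithm` is anything other than `hmac-md5`, the new conditional leaves `trc.d_algoName` at its default value, yet the time, fudge and original ID fields are still filled in and the code carries on toward sending, so an unsupported or mistyped algorithm name silently degrades the request rather than stopping it. Reject it before building the record, e.g. `if (tsigalgorithm != "hmac-md5") { /* log and abort the send */ }`, using whatever failure path sendResolve's other error cases take (its body continues outside the hunk, so those are not visible here). The literal `".sig-alg.reg.int."` and the `"hmac-md5"` name now appear in three files in this commit; a single shared constant would keep them from drifting apart. As in the other hunks the comparison is exact and case-sensitive, which is fine only if the configured algorithm string is normalized earlier.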