From: Bert Hubert
Date: Sat, 9 Apr 2011 18:29:01 +0000 (+0000)
Subject: sligthly improve error messages on checking the TSIG signatures on incoming zone...
X-Git-Tag: auth-3.0~101
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e8b0c58e5031393ac82ecda2a305dc5ce2fada0e;p=pdns

sligthly improve error messages on checking the TSIG signatures on incoming zone transfers

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2148 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/resolver.cc b/pdns/resolver.cc
index 4e8ebdc92..e317f0719 100644
--- a/pdns/resolver.cc
+++ b/pdns/resolver.cc
@@ -382,11 +382,14 @@ int AXFRRetriever::getChunk(Resolver::res_t &res)
 if(answer.first.d_type == QType::TSIG)
 theirMac = boost::dynamic_pointer_cast(answer.first.d_content)->d_mac;
 }
+ if(theirMac.empty())
+ throw ResolverException("No TSIG on AXFR response from "+d_remote.toStringWithPort()+" , should be signed with TSIG key '"+d_tsigkeyname+"'");
+
 string message = makeTSIGMessageFromTSIGPacket(string(d_buf.get(), len), mdp.getTSIGPos(), d_tsigkeyname, d_trc, d_trc.d_mac, false); // insert our question MAC
 string ourMac=calculateMD5HMAC(d_tsigsecret, message);
 // ourMac[0]++; // sabotage
 if(ourMac != theirMac)
- throw ResolverException("AXFR response from "+d_remote.toStringWithPort()+" was not signed correctly with TSIG key '"+d_tsigkeyname+"'");
+ throw ResolverException("Signature failed to validate on AXFR response from "+d_remote.toStringWithPort()+" signed with TSIG key '"+d_tsigkeyname+"'");
 }

 int err = parseResult(mdp, "", 0, 0, &res);
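Review bot: In the context line just above the added guard, the result of `boost::dynamic_pointer_cast(...)` is dereferenced with `->d_mac` without a null test; if a record typed TSIG can reach this loop with a different content class (the parser is not visible from this hunk), the cast yields null and a response from the remote end crashes the transfer, so the pointer should be held in a local and `d_mac` read only when it is non-null. The final check `if(ourMac != theirMac)` uses `std::string` comparison, which returns at the first differing byte; MAC verification is normally written so that every byte is examined, as sketched below, even though the per-request data folded into the signed message probably keeps the practical exposure low here. The new `theirMac.empty()` guard also reports "No TSIG" when a TSIG record is present but carries a zero-length MAC, which a `bool` set inside the loop would disambiguate for whoever triages the log. getChunk and the loop that scans `mdp.d_answers` begin outside the hunk.

```cpp
// … unchanged: TSIG record lookup, empty-MAC guard, message construction …
string ourMac=calculateMD5HMAC(d_tsigsecret, message);
// … unchanged: commented-out sabotage line …
// Accumulate differences over every byte so the time taken does not reveal where the MACs diverge.
unsigned char mismatch = (ourMac.size() != theirMac.size()) ? 1 : 0;
for(string::size_type i = 0; i < ourMac.size() && i < theirMac.size(); ++i)
  mismatch |= static_cast<unsigned char>(ourMac[i] ^ theirMac[i]);
if(mismatch)
  throw ResolverException("Signature failed to validate on AXFR response from "+d_remote.toStringWithPort()+" signed with TSIG key '"+d_tsigkeyname+"'");
```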