From 77c5bfdce417a36b523e9901668fbff0d42f1ed2 Mon Sep 17 00:00:00 2001
From: Ralph Boehme
Date: Mon, 30 May 2016 16:37:32 +0200
Subject: [PATCH] s4/dns_server: ensure we store the key name in error code paths

We need the TKEY name when adding TSIG records to error responses.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme
Reviewed-by: Garming Sam
---
 source4/dns_server/dns_crypto.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c
index 1590814e54b..47b75fc5654 100644
--- a/source4/dns_server/dns_crypto.c
+++ b/source4/dns_server/dns_crypto.c
@@ -146,10 +146,27 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 
 tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
 if (tkey == NULL) {
+ /*
+ * We must save the name for use in the TSIG error
+ * response and have no choice here but to save the
+ * keyname from the TSIG request.
+ */
+ state->key_name = talloc_strdup(state->mem_ctx,
+ state->tsig->name);
 state->tsig_error = DNS_RCODE_BADKEY;
 return DNS_ERR(NOTAUTH);
 }
 
+ /*
+ * Remember the keyname that found an existing tkey, used
+ * later to fetch the key with dns_find_tkey() when signing
+ * and adding a TSIG record with MAC.
+ */
+ state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
+ if (state->key_name == NULL) {
+ return WERR_NOMEM;
+ }
+
 /* FIXME: check TSIG here */
 if (check_rec == NULL) {
 return WERR_NOMEM;
@@ -223,10 +240,6 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 }
 
 state->authenticated = true;
- state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
- if (state->key_name == NULL) {
- return WERR_NOMEM;
- }
 
 return WERR_OK;
 }
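Review bot: The `talloc_strdup()` added in the `tkey == NULL` branch of the first hunk is not checked, while the copy on the found-key path a few lines below returns `WERR_NOMEM` on failure. If the allocation fails here, `state->key_name` stays NULL and the BADKEY response is presumably built without a usable key name, or the signing code (not visible in this patch) dereferences NULL. I would add `if (state->key_name == NULL) { return WERR_NOMEM; }` right after the copy, before `tsig_error` is set. Because `key_name` is now filled from the unverified request name and before `state->authenticated` is set, the field also deserves a comment such as `/* set on error paths too; does not imply a verified TSIG */`. The body of `dns_verify_tsig()` continues outside this hunk.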