Change #4148 wasn't complete

- there was a memory leak when using negotiated TSIG keys. - TKEY responses could only be signed when using a newly negotiated key; if an existent matching TSIG was found in in the keyring it would not be used.

Change #4148 wasn't complete
- there was a memory leak when using negotiated TSIG keys. - TKEY responses could only be signed when using a newly negotiated key; if an existent matching TSIG was found in in the keyring it would not be used.
73ba24fb · Evan Hunt · 8793a4f3 · 73ba24fb
Commit 73ba24fb authored Jan 30, 2019 by Evan Hunt
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 4 deletions

lib/dns/tkey.c lib/dns/tkey.c +7 -4

No files found.
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -566,8 +566,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 	isc_stdtime_get(&now);

 	if (dns_name_countlabels(principal) == 0U) {
-		if (tsigkey != NULL)
+		if (tsigkey != NULL) {
 			dns_tsigkey_detach(&tsigkey);
+		}
 	} else if (tsigkey == NULL) {
 #ifdef GSSAPI
 		OM_uint32 gret, minor, lifetime;
@@ -596,7 +597,6 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 	} else {
 		tkeyout->inception = tsigkey->inception;
 		tkeyout->expire = tsigkey->expire;
-		dns_tsigkey_detach(&tsigkey);
 	}

 	if (outtoken) {
@@ -629,8 +629,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 	 * we need to make sure the response is signed (see RFC 3645, Section
 	 * 2.2).
 	 */
-	if (tsigkey != NULL && msg->tsigkey == NULL && msg->sig0key == NULL) {
-		dns_message_settsigkey(msg, tsigkey);
+	if (tsigkey != NULL) {
+		if (msg->tsigkey == NULL && msg->sig0key == NULL) {
+			dns_message_settsigkey(msg, tsigkey);
+		}
+		dns_tsigkey_detach(&tsigkey);
 	}

 	return (ISC_R_SUCCESS);