Commit 73ba24fb authored by Evan Hunt's avatar Evan Hunt

Change #4148 wasn't complete

- there was a memory leak when using negotiated TSIG keys.
- TKEY responses could only be signed when using a newly negotiated
  key; if an existing matching TSIG key was found in the keyring it
  would not be used.
parent 8793a4f3
......@@ -566,8 +566,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
isc_stdtime_get(&now);
if (dns_name_countlabels(principal) == 0U) {
if (tsigkey != NULL)
if (tsigkey != NULL) {
dns_tsigkey_detach(&tsigkey);
}
} else if (tsigkey == NULL) {
#ifdef GSSAPI
OM_uint32 gret, minor, lifetime;
......@@ -596,7 +597,6 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
} else {
tkeyout->inception = tsigkey->inception;
tkeyout->expire = tsigkey->expire;
dns_tsigkey_detach(&tsigkey);
}
if (outtoken) {
......@@ -629,8 +629,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
* we need to make sure the response is signed (see RFC 3645, Section
* 2.2).
*/
if (tsigkey != NULL && msg->tsigkey == NULL && msg->sig0key == NULL) {
dns_message_settsigkey(msg, tsigkey);
if (tsigkey != NULL) {
if (msg->tsigkey == NULL && msg->sig0key == NULL) {
dns_message_settsigkey(msg, tsigkey);
}
dns_tsigkey_detach(&tsigkey);
}
return (ISC_R_SUCCESS);
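Review bot: With the detach removed from the `else` branch at line 597, the `tsigkey` reference is now held across the `if (outtoken)` block and everything up to the final block at line 629, so every error exit in that stretch must release it as well. Those exits fall outside the visible hunks, so please confirm that the function's failure path calls `dns_tsigkey_detach(&tsigkey)` when the pointer is non-NULL; this code runs per TKEY request, so a missed release would accumulate with each query that takes that exit. The final block also relies on `dns_message_settsigkey()` taking its own reference before ours is dropped, which I would state in a comment above the detach, for example `/* msg holds its own reference (if set); release ours. */`. The body of process_gsstkey starts and ends outside these hunks.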