From d3982afe5c68194938f0f67776cd088384102817 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 22 Jun 2018 09:50:10 +1000
Subject: [PATCH 1/2] the client cookie was being hashed twice when computing the server cookie for sha1 and sha256

(cherry picked from commit 4795f0ca89a3e907cbcc2d406da27b38f9aed8dd)
---
 bin/named/client.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/bin/named/client.c b/bin/named/client.c
index feb4eb3e790..23b83778e48 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1850,8 +1850,6 @@ compute_cookie(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
 INSIST(0);
 }
 isc_hmacsha1_update(&hmacsha1, cp, length);
-isc_hmacsha1_update(&hmacsha1, client->cookie,
-sizeof(client->cookie));
 isc_hmacsha1_sign(&hmacsha1, digest, sizeof(digest));
 isc_buffer_putmem(buf, digest, 8);
 isc_hmacsha1_invalidate(&hmacsha1);
@@ -1887,8 +1885,6 @@ compute_cookie(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
 INSIST(0);
 }
 isc_hmacsha256_update(&hmacsha256, cp, length);
-isc_hmacsha256_update(&hmacsha256, client->cookie,
-sizeof(client->cookie));
 isc_hmacsha256_sign(&hmacsha256, digest, sizeof(digest));
 isc_buffer_putmem(buf, digest, 8);
 isc_hmacsha256_invalidate(&hmacsha256);
-- 
GitLab

From c61b0cbc6507a97a1e0a9d03524376e82922f716 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 22 Jun 2018 10:26:21 +1000
Subject: [PATCH 2/2] 4975. [bug] The server cookie computation for sha1 and sha256 did not match the method described in RFC 7873. [GL #356]

(cherry picked from commit 8755a249bc50f0f166fd2164bc6605348f915eec)
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index a0a7566c579..8c5972735ec 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4975. [bug] The server cookie computation for sha1 and sha256 did
+ not match the method described in RFC 7873. [GL #356]
+
 4972. [func] Declare the 'rdata' argument for dns_rdata_tostruct() to be const. [GL #341]
-- 
GitLab
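Review bot: The surviving `isc_hmacsha1_update(&hmacsha1, cp, length);` now has to carry the client cookie on its own, yet nothing in the hunk says what `cp`/`length` cover, so the next reader cannot tell the deletion is safe rather than a dropped HMAC input; a one-line comment above that call, `/* cp/length already include the client cookie; hashing it a second time diverged from RFC 7873 */`, would record that (the layout of cp is assembled above the hunk and should be confirmed there). The second hunk at +1885 removes the same two lines from the sha256 branch, so the HMAC input appears to be built once per algorithm, and no known-answer test with fixed secret, client cookie, when, nonce and address inputs accompanies the patch to keep the two branches from diverging again. compute_cookie starts and ends outside the hunk. Because the emitted server cookie value changes, a staggered rollout across servers that presumably share one secret will leave clients holding cookies that not-yet-upgraded peers reject until they are reissued, which RFC 7873 tolerates but the description does not mention.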