author | Daniel Salzman <daniel.salzman@nic.cz> | 2017-06-20 23:20:59 +0200 |
---|---|---|
committer | Daniel Salzman <daniel.salzman@nic.cz> | 2017-06-21 18:45:08 +0200 |
commit | 74862ce015e89c0dfa58db9783c497b96d06f52d (patch) | |
tree | f7a70f2aaa4a129d5725348ad50e42afbb1a873b | |
parent | doc: unify installation, update introduction, and extend migration (diff) | |
tsig: move signature validity period check after the signature validity check
When the signature validity period check returned KNOT_TSIG_EBADTIME,
the signature validity check itself was skipped, so the response TSIG
carried a non-empty signature computed over unverified data.
Thanks to Synacktiv!
-rw-r--r-- | src/libknot/tsig-op.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/src/libknot/tsig-op.c b/src/libknot/tsig-op.c
index a396e4e82..60fe6f804 100644
--- a/src/libknot/tsig-op.c
+++ b/src/libknot/tsig-op.c
@@ -520,14 +520,8 @@ static int check_digest(const knot_rrset_t *tsig_rr,
 		return KNOT_TSIG_EBADKEY;
 	}
 
-	/* Check time signed. */
-	int ret = check_time_signed(tsig_rr, prev_time_signed);
-	if (ret != KNOT_EOK) {
-		return ret;
-	}
-
 	/* Check that libknot knows the algorithm. */
-	ret = check_algorithm(tsig_rr);
+	int ret = check_algorithm(tsig_rr);
 	if (ret != KNOT_EOK) {
 		return ret;
 	}
@@ -591,6 +585,12 @@ static int check_digest(const knot_rrset_t *tsig_rr,
 		return KNOT_TSIG_EBADSIG;
 	}
 
+	/* Check TSIG validity period, must be after the signature check! */
+	ret = check_time_signed(tsig_rr, prev_time_signed);
+	if (ret != KNOT_EOK) {
+		return ret;
+	}
+
 	return KNOT_EOK;
 }
|
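Review bot: The comment on the new check_time_signed() call in the second hunk says the ordering matters but not why, and that reason is the whole point of the fix, so spell it out before a later refactor hoists the check back above the MAC verification: `/* Check the validity period only after the MAC has been verified: a BADTIME error response is itself signed (RFC 2845 §4.5.2), so it must never be produced for a request whose MAC was not validated. */`. A regression test that feeds a request with an out-of-window time signed and a wrong MAC and asserts KNOT_TSIG_EBADSIG rather than KNOT_TSIG_EBADTIME would pin this ordering. check_digest() begins above the hunk, so whether any earlier early-return path can still lead to a signed response over unverified data cannot be judged from here.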