Change #4148 wasn't complete
authorEvan Hunt <each@isc.org>
Wed, 30 Jan 2019 23:42:04 +0000 (15:42 -0800)
committerEvan Hunt <each@isc.org>
Thu, 31 Jan 2019 17:28:51 +0000 (09:28 -0800)
- there was a memory leak when using negotiated TSIG keys.
- TKEY responses could only be signed when using a newly negotiated
  key; if an existing matching TSIG was found in the keyring it
  would not be used.

(cherry picked from commit 73ba24fb36d234caeb7098a22d869885c13703f6)

lib/dns/tkey.c

index f4447f3e442c4553a8becb7a071bbd5f04af037e..03afb5650d726672caae5fe27c673d16b1a91450 100644 (file)
@@ -530,8 +530,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
        isc_stdtime_get(&now);
 
        if (dns_name_countlabels(principal) == 0U) {
-               if (tsigkey != NULL)
+               if (tsigkey != NULL) {
                        dns_tsigkey_detach(&tsigkey);
+               }
        } else if (tsigkey == NULL) {
 #ifdef GSSAPI
                OM_uint32 gret, minor, lifetime;
@@ -560,7 +561,6 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
        } else {
                tkeyout->inception = tsigkey->inception;
                tkeyout->expire = tsigkey->expire;
-               dns_tsigkey_detach(&tsigkey);
        }
 
        if (outtoken) {
@@ -593,8 +593,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
         * we need to make sure the response is signed (see RFC 3645, Section
         * 2.2).
         */
-       if (tsigkey != NULL && msg->tsigkey == NULL && msg->sig0key == NULL) {
-               dns_message_settsigkey(msg, tsigkey);
+       if (tsigkey != NULL) {
+               if (msg->tsigkey == NULL && msg->sig0key == NULL) {
+                       dns_message_settsigkey(msg, tsigkey);
+               }
+               dns_tsigkey_detach(&tsigkey);
        }
 
        return (ISC_R_SUCCESS);
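Review bot: With the `dns_tsigkey_detach(&tsigkey)` dropped from the "existing key" branch in the second hunk, the keyring reference now lives until the new detach at the end of the third hunk, so every `return` between the `if (outtoken)` block and that point must also release it; those lines (old 564–592) fall outside the hunks and should be checked for error exits, otherwise the leak this commit fixes reappears on the error path. The same holds for the `#ifdef GSSAPI` branch in the first hunk, whose body continues past the hunk, and for process_gsstkey itself, which starts before the first hunk. In the third hunk the unconditional detach after `dns_message_settsigkey(msg, tsigkey)` presumably relies on that call taking its own reference, which is not visible here; a comment at the detach such as `/* dns_message_settsigkey() holds its own reference; drop ours either way. */` would stop a later reader from treating it as a use-after-detach or re-adding a detach in the else branch.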