From: Francis Dupont Date: Sat, 28 Feb 2015 17:55:07 +0000 (+0100) Subject: [master] better handling of TSIG keys with empty secrets (#3727) X-Git-Tag: trac3733_base~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d655a68f46e964b70feb81582beef3d1d6958d60;p=thirdparty%2Fkea.git [master] better handling of TSIG keys with empty secrets (#3727) --- diff --git a/src/lib/dns/tests/tsigkey_unittest.cc b/src/lib/dns/tests/tsigkey_unittest.cc index f06a67981c..06bc009be1 100644 --- a/src/lib/dns/tests/tsigkey_unittest.cc +++ b/src/lib/dns/tests/tsigkey_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (C) 2010, 2014 Internet Systems Consortium, Inc. ("ISC") +// Copyright (C) 2010, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") // // Permission to use, copy, modify, and/or distribute this software for any // purpose with or without fee is hereby granted, provided that the above @@ -116,6 +116,11 @@ TEST_F(TSIGKeyTest, construct) { isc::InvalidParameter); EXPECT_THROW(TSIGKey(key_name, TSIGKey::HMACSHA256_NAME(), NULL, 16), isc::InvalidParameter); + + // Empty secret + TSIGKey keye = TSIGKey(key_name, TSIGKey::HMACSHA256_NAME(), NULL, 0); + EXPECT_EQ(keye.getSecretLength(), 0); + EXPECT_EQ(keye.getSecret(), (const void*)0); } void diff --git a/src/lib/dns/tsigkey.cc b/src/lib/dns/tsigkey.cc index fd055e4233..c47a357545 100644 --- a/src/lib/dns/tsigkey.cc +++ b/src/lib/dns/tsigkey.cc @@ -1,4 +1,4 @@ -// Copyright (C) 2010, 2014 Internet Systems Consortium, Inc. ("ISC") +// Copyright (C) 2010, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") // // Permission to use, copy, modify, and/or distribute this software for any // purpose with or without fee is hereby granted, provided that the above 
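Review bot: The added case in `TEST_F(TSIGKeyTest, construct)` exercises only the binary constructor with `NULL, 0`, while this commit also changes the empty-secret branch of the string constructor in tsigkey.cc (`if (secret.empty())`), which gets no assertion. A companion case that builds a key from a string whose secret field is empty, and checks `getSecretLength()` and `getSecret()` the same way, would pin both paths. The C-style cast could be written `static_cast<const void*>(NULL)`. The test body starts outside the hunk.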
@@ -63,6 +63,21 @@ namespace { struct TSIGKey::TSIGKeyImpl { + TSIGKeyImpl(const Name& key_name, const Name& algorithm_name, + isc::cryptolink::HashAlgorithm algorithm, + size_t digestbits) : + + key_name_(key_name), algorithm_name_(algorithm_name), + algorithm_(algorithm), digestbits_(digestbits), + secret_() + { + // Convert the key and algorithm names to the canonical form. + key_name_.downcase(); + if (algorithm == isc::cryptolink::MD5) { + algorithm_name_ = TSIGKey::HMACMD5_NAME(); + } + algorithm_name_.downcase(); + } TSIGKeyImpl(const Name& key_name, const Name& algorithm_name, isc::cryptolink::HashAlgorithm algorithm, size_t digestbits, @@ -103,8 +118,13 @@ TSIGKey::TSIGKey(const Name& key_name, const Name& algorithm_name, "TSIGKey with unknown algorithm has non empty secret: " << key_name << ":" << algorithm_name); } - impl_ = new TSIGKeyImpl(key_name, algorithm_name, algorithm, - digestbits, secret, secret_len); + if (secret == NULL) { + impl_ = new TSIGKeyImpl(key_name, algorithm_name, algorithm, + digestbits); + } else { + impl_ = new TSIGKeyImpl(key_name, algorithm_name, algorithm, + digestbits, secret, secret_len); + } } TSIGKey::TSIGKey(const std::string& str) : impl_(NULL) { @@ -161,10 +181,13 @@ TSIGKey::TSIGKey(const std::string& str) : impl_(NULL) { << str); } - impl_ = new TSIGKeyImpl(Name(keyname_str), algo_name, algorithm, - digestbits, - secret.empty() ? NULL : &secret[0], - secret.size()); + if (secret.empty()) { + impl_ = new TSIGKeyImpl(Name(keyname_str), algo_name, algorithm, + digestbits); + } else { + impl_ = new TSIGKeyImpl(Name(keyname_str), algo_name, algorithm, + digestbits, &secret[0], secret.size()); + } } catch (const isc::Exception& e) { // 'reduce' the several types of exceptions name parsing and // Base64 decoding can throw to just the InvalidParameter
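Review bot: The new four-argument `TSIGKeyImpl` constructor carries its own copy of the canonicalisation steps (`key_name_.downcase()`, the MD5 alias to `HMACMD5_NAME()`, `algorithm_name_.downcase()`). The existing secret-taking constructor's body is outside the hunk, but if it performs the same steps the two copies can drift apart. Keys with and without a secret would then canonicalise their names differently. Since the file uses pre-C++11 idioms (`NULL`), a small member helper called from both constructors is the compatible way to share the logic. There is also a stray empty line after the `:` that opens the initializer list.

```cpp
    TSIGKeyImpl(const Name& key_name, const Name& algorithm_name,
                isc::cryptolink::HashAlgorithm algorithm,
                size_t digestbits) :
        key_name_(key_name), algorithm_name_(algorithm_name),
        algorithm_(algorithm), digestbits_(digestbits),
        secret_()
    {
        canonicalizeNames();
    }
    // … unchanged: signature and initializer list of the secret-taking constructor …

    // Convert the key and algorithm names to the canonical form.
    // Shared by both constructors so the two cannot diverge.
    void canonicalizeNames() {
        key_name_.downcase();
        if (algorithm_ == isc::cryptolink::MD5) {
            algorithm_name_ = TSIGKey::HMACMD5_NAME();
        }
        algorithm_name_.downcase();
    }
```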
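Review bot: The new `if (secret == NULL)` branch in the binary constructor makes a key with a known algorithm and a zero-length secret a supported state (the unit test in this commit builds one for HMAC-SHA256), but nothing at the branch says so. A MAC keyed with an empty secret can be computed by anyone, so such a key authenticates nothing. A comment at the branch would record this, for example `// secret == NULL implies secret_len == 0 here; an empty secret gives no authentication, so callers loading keys from configuration should reject or warn on it`. The branch also appears to rely on the pointer/length validation earlier in the constructor, which is outside the hunk, so the comment should name that dependency. The string constructor's `if (secret.empty())` branch in the last hunk has the same gap.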