Only look at tsig.error in responses
authorMark Andrews <marka@isc.org>
Wed, 25 Mar 2020 06:46:26 +0000 (17:46 +1100)
committerMichał Kępień <michal@isc.org>
Tue, 19 May 2020 12:24:52 +0000 (14:24 +0200)
lib/dns/tsig.c

index b597a18d496a97217fd9b8e26be5299a595154e2..6357a3a486fc785315e8372251acc632d52c9351 100644 (file)
@@ -9,9 +9,6 @@
  * information regarding copyright ownership.
  */
 
-/*
- * $Id$
- */
 /*! \file */
 #include <config.h>
 
@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
                        goto cleanup_context;
                }
                msg->verified_sig = 1;
-       } else if (tsig.error != dns_tsigerror_badsig &&
-                  tsig.error != dns_tsigerror_badkey) {
+       } else if (!response || (tsig.error != dns_tsigerror_badsig &&
+                                tsig.error != dns_tsigerror_badkey))
+       {
                tsig_log(msg->tsigkey, 2, "signature was empty");
                return (DNS_R_TSIGVERIFYFAILURE);
        }
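Review bot: The widened `else if` condition carries no comment explaining the two cases it now encodes, and the distinction is security-relevant. An empty signature is tolerated only in a response whose TSIG error is BADSIG or BADKEY, while a request with an empty signature is rejected whatever its sender-supplied error field says. I would add, as the first line inside the block, `/* An unsigned TSIG is only acceptable in a response reporting BADSIG or BADKEY; a request must always carry a signature. */`. The definition of `response` and the start of `dns_tsig_verify` lie outside the hunk, so this assumes `response` is true only for messages that are replies.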
@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
                }
        }
 
-       if (tsig.error != dns_rcode_noerror) {
+       if (response && tsig.error != dns_rcode_noerror) {
                msg->tsigstatus = tsig.error;
                if (tsig.error == dns_tsigerror_badtime)
                        ret = DNS_R_CLOCKSKEW;
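Review bot: A request arriving with a non-zero TSIG error field is now skipped silently at `if (response && tsig.error != dns_rcode_noerror)`, so operators get no trace of a peer sending such malformed requests. Consider logging it just before the check, e.g. `if (!response && tsig.error != dns_rcode_noerror) tsig_log(msg->tsigkey, 2, "ignoring TSIG error field in request");`, assuming `msg->tsigkey` is still valid here as it is at the earlier `tsig_log` call. A short comment such as `/* The error field is only meaningful in responses; never let a request's value reach msg->tsigstatus. */` would also record why the guard exists. No regression test for a signed request with a non-zero error field is visible in this commit, and the body of the `if` continues outside the hunk.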