Harden checks

diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index be4f2668d9ebc455c05db9d9036af57dad653823..20fc75897fb431fddca09e5971dbbe21a6911d79 100644 (file)
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -625,12 +625,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
        tkey_log("process_gsstkey(): dns_tsigerror_noerror");   /* XXXSRA */
 
        /*
-        * We found a TKEY to respond with.  We don't know if
-        * the request is TSIG signed, but if it is not we need to make
-        * sure the response is signed (RFC 2845 secton 2.2).
+        * We found a TKEY to respond with.  If the request is not TSIG signed,
+        * we need to make sure the response is signed (see RFC 3645, Section
+        * 2.2).
         */
-
-       if (tsigkey != NULL) {
+       if (tsigkey != NULL && msg->tsigkey == NULL && msg->sig0key == NULL) {
                dns_message_settsigkey(msg, tsigkey);
        }
 

diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 79afd3f15c5f13a58636da6c499b8449ce15d280..bb66c5f174f7bb869d722dcb009c7d879346e037 100644 (file)
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -778,7 +778,16 @@ dns_tsig_sign(dns_message_t *msg) {
        key = dns_message_gettsigkey(msg);
        REQUIRE(VALID_TSIG_KEY(key));
 
+       /*
+        * If this is a response, there should be a TSIG in the query with the
+        * the exception if this is a TKEY request (see RFC 3645, Section 2.2).
+        */
        response = is_response(msg);
+       if (response && msg->querytsig == NULL) {
+               if (msg->tkey != 1) {
+                       return (DNS_R_EXPECTEDTSIG);
+               }
+       }
 
        mctx = msg->mctx;