diff options
author | Ralph Boehme <slow@samba.org> | 2016-05-30 16:40:45 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2016-06-23 12:10:22 +0200 |
commit | 721a858376adfbb125b9f168727fd5db4d8e5621 (patch) | |
tree | aaffcc5dbc0a8516f934607ec9c4e4185feac81f /source4 | |
parent | f116a7bdeb24f69d96da0dd49b5079184f9ff5c3 (diff) | |
download | samba-721a858376adfbb125b9f168727fd5db4d8e5621.tar.gz |
s4/dns_server: error codes for failing MAC verification in TSIG requests
According to RFC 2845 "4.5.3. MAC check and error handling" we must
return NOTAUTH and DNS_RCODE_BADSIG when MAC verification fails.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 8b4a2dcf38e9f38bb99bd1daa5e0d5da176a1e15)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dns_server/dns_crypto.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c index 47b75fc5654..21d30d789eb 100644 --- a/source4/dns_server/dns_crypto.c +++ b/source4/dns_server/dns_crypto.c @@ -231,7 +231,8 @@ WERROR dns_verify_tsig(struct dns_server *dns, status = gensec_check_packet(tkey->gensec, buffer, buffer_len, buffer, buffer_len, &sig); if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) { - return DNS_ERR(BADKEY); + state->tsig_error = DNS_RCODE_BADSIG; + return DNS_ERR(NOTAUTH); } if (!NT_STATUS_IS_OK(status)) { |