authorRalph Boehme <slow@samba.org>2016-05-30 16:40:45 +0200
committerKarolin Seeger <kseeger@samba.org>2016-06-23 12:10:22 +0200
commit721a858376adfbb125b9f168727fd5db4d8e5621 (patch)
treeaaffcc5dbc0a8516f934607ec9c4e4185feac81f /source4
parentf116a7bdeb24f69d96da0dd49b5079184f9ff5c3 (diff)
s4/dns_server: error codes for failing MAC verification in TSIG requests
According to RFC 2845 "4.5.3. MAC check and error handling" we must return NOTAUTH and DNS_RCODE_BADSIG when MAC verification fails. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> (cherry picked from commit 8b4a2dcf38e9f38bb99bd1daa5e0d5da176a1e15)
Diffstat (limited to 'source4')
-rw-r--r--source4/dns_server/dns_crypto.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c
index 47b75fc5654..21d30d789eb 100644
--- a/source4/dns_server/dns_crypto.c
+++ b/source4/dns_server/dns_crypto.c
@@ -231,7 +231,8 @@ WERROR dns_verify_tsig(struct dns_server *dns,
status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
buffer, buffer_len, &sig);
if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
- return DNS_ERR(BADKEY);
+ state->tsig_error = DNS_RCODE_BADSIG;
+ return DNS_ERR(NOTAUTH);
}
if (!NT_STATUS_IS_OK(status)) {
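Review bot: The BADSIG/NOTAUTH mapping applies only when gensec_check_packet() returns NT_STATUS_ACCESS_DENIED; any other failure status falls into the `if (!NT_STATUS_IS_OK(status))` branch that follows, whose body is outside this hunk, so it is worth confirming that no other MAC-mismatch status can reach that branch and bypass the RFC 2845 4.5.3 response. The rejected-MAC branch also returns without logging in the visible lines, and a failed TSIG verification is an event an operator will want to see; consider `DEBUG(1, ("TSIG MAC verification failed: %s\n", nt_errstr(status)));` before the assignment. A short comment such as `/* RFC 2845 4.5.3: MAC failure => RCODE NOTAUTH, TSIG error BADSIG */` would record why two different codes are set here. dns_verify_tsig starts and ends outside the hunk.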