Commit 4b43bef7 authored by Jan Včelák

TSIG: fix possible weakness in signature checking

Use binary comparison instead of string comparison for the received MAC.

The transaction signature was checked only partially if the MAC
contained a zero byte. If this was the very first byte of the signature,
the checking didn't happen at all. In addition, possible ASCII
characters in the MAC were compared case-insensitively.
parent 4c941cdd
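To make the weakness described in the commit message concrete, the following is an added example (not Knot DNS code; the function names, parameter shapes and sample MACs are hypothetical and constructed here). It runs the pre-fix string comparison, the commit's memcmp() comparison and a constant-time comparison over two constructed MACs: one whose first byte is 0x00, and one that starts with two ASCII letters followed by a zero byte. The constant-time variant and the explicit length check are hardening beyond what the commit does, included here as a suggestion rather than as the project's behaviour.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp(): POSIX, not ISO C */

#define MAC_LEN 16     /* HMAC-MD5 output size, the smallest TSIG MAC */

/*
 * Three ways to compare a received MAC against the locally computed one.
 * The signatures are hypothetical; they only mirror the shape of the check
 * in the commit (received MAC, its length, computed digest).
 */

/* Before the fix: string comparison on binary data. Stops at the first
 * NUL byte in either buffer and folds ASCII letters to one case. Bytes
 * above 0x7f are locale-dependent, so the forgeries below avoid them. */
static bool mac_check_strncasecmp(const uint8_t *received, size_t received_len,
                                  const uint8_t *computed, size_t computed_len)
{
    (void)computed_len;  /* the original compared only mac_length bytes */
    return strncasecmp((const char *)received, (const char *)computed,
                       received_len) == 0;
}

/* The commit's fix: exact byte comparison. Correct for the bug described,
 * but memcmp() may return at the first differing byte, which leaks through
 * timing how long the matching prefix was. Length check is an assumption. */
static bool mac_check_memcmp(const uint8_t *received, size_t received_len,
                             const uint8_t *computed, size_t computed_len)
{
    if (received_len != computed_len) {
        return false;
    }
    return memcmp(received, computed, received_len) == 0;
}

/* Constant-time variant: OR every byte difference together and decide once
 * at the end, so the running time does not depend on where the MACs differ. */
static bool mac_check_ct(const uint8_t *received, size_t received_len,
                         const uint8_t *computed, size_t computed_len)
{
    if (received_len != computed_len) {
        return false;
    }
    uint8_t diff = 0;
    for (size_t i = 0; i < received_len; i++) {
        diff |= received[i] ^ computed[i];
    }
    return diff == 0;
}

/* Constructed sample MACs (not real TSIG output). */

/* Computed MAC whose first byte is 0x00: strncasecmp() compares nothing. */
static const uint8_t computed_nul_first[MAC_LEN] = {
    0x00, 0x7f, 0xc3, 0x22, 0x9e, 0x5d, 0x01, 0xaa,
    0x34, 0xe0, 0x0b, 0x66, 0xff, 0x18, 0x92, 0x4c,
};
/* Forged MAC: same leading 0x00, every other byte wrong. */
static const uint8_t forged_nul_first[MAC_LEN] = {
    0x00, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
};

/* Computed MAC starting with two ASCII letters and then a zero byte. */
static const uint8_t computed_ascii[MAC_LEN] = {
    'A', 'b', 0x00, 0x9e, 0x5d, 0x01, 0xaa, 0x34,
    0xe0, 0x0b, 0x66, 0xff, 0x18, 0x92, 0x4c, 0x7f,
};
/* Forged MAC: letters with the case swapped, then the same NUL, then junk.
 * Only bytes 0..2 are ever examined by the string compare, and case
 * folding makes them "equal". */
static const uint8_t forged_ascii[MAC_LEN] = {
    'a', 'B', 0x00, 0x22, 0x22, 0x22, 0x22, 0x22,
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
};

int main(void)
{
    printf("leading NUL : strncasecmp=%d memcmp=%d ct=%d\n",
           mac_check_strncasecmp(forged_nul_first, MAC_LEN, computed_nul_first, MAC_LEN),
           mac_check_memcmp(forged_nul_first, MAC_LEN, computed_nul_first, MAC_LEN),
           mac_check_ct(forged_nul_first, MAC_LEN, computed_nul_first, MAC_LEN));
    printf("case folded : strncasecmp=%d memcmp=%d ct=%d\n",
           mac_check_strncasecmp(forged_ascii, MAC_LEN, computed_ascii, MAC_LEN),
           mac_check_memcmp(forged_ascii, MAC_LEN, computed_ascii, MAC_LEN),
           mac_check_ct(forged_ascii, MAC_LEN, computed_ascii, MAC_LEN));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c` and run: the string comparison accepts both forged MACs (it reports 1 for them), while the memcmp() and constant-time comparisons reject them. The constant-time loop is the form to prefer for any accept/reject decision on attacker-supplied MAC bytes, since it does no data-dependent early exit.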
......@@ -796,8 +796,7 @@ static int knot_tsig_check_digest(const knot_rrset_t *tsig_rr,
dbg_tsig_verb("TSIG: given digest:\n");
dbg_tsig_hex_verb((char *)tsig_mac, mac_length);
if (strncasecmp((char *)(tsig_mac), (char *)digest_tmp,
mac_length) != 0) {
if (memcmp(tsig_mac, digest_tmp, mac_length) != 0) {
return KNOT_TSIG_EBADSIG;
}
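Review bot: memcmp() on the added line `if (memcmp(tsig_mac, digest_tmp, mac_length) != 0) {` still returns at the first mismatching byte, so the time the check takes reveals how many leading bytes of the attacker-supplied tsig_mac match digest_tmp; a comparison that ORs all byte differences together and decides once at the end, rather than returning early, would close that channel. Separately, the hunk does not show whether mac_length, which comes from the received RR, is checked to equal the length of digest_tmp before the compare; if that check is not already above this point, a shorter received MAC only has to match a prefix of the computed digest, so it belongs before the memcmp() call. The replacement of strncasecmp() itself is right: it stopped at a NUL byte and folded ASCII case, neither of which has any meaning for binary MAC bytes.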