Commit e796477d authored by Jan Včelák's avatar Jan Včelák :rocket:
TSIG: fix possible weakness in signature checking

Use binary comparison instead of string comparison for the received MAC.

The transaction signature was checked only partially if the MAC
contained a zero byte. If this was the very first byte of the signature,
the checking didn't happen at all. In addition, possible ASCII
characters in the MAC were compared case insensitively.
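To make the weakness described in the commit message concrete, here is an added example (not Knot DNS code): the pre-fix string comparison beside the binary comparison the commit introduces, run against constructed 32-byte MACs. The length-checking constant-time variant is also an addition and is not part of the commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <strings.h>

#define MAC_LEN 32 /* constructed demo size (an HMAC-SHA256 MAC) */

/* Pre-fix check: the MAC is treated as a C string, so the comparison stops
 * at the first zero byte and ASCII bytes match case-insensitively. */
static int mac_check_strncasecmp(const uint8_t *recv, const uint8_t *expect, size_t n)
{
    return strncasecmp((const char *)recv, (const char *)expect, n) == 0;
}

/* Post-fix check from the commit: plain binary comparison over n bytes. */
static int mac_check_memcmp(const uint8_t *recv, const uint8_t *expect, size_t n)
{
    return memcmp(recv, expect, n) == 0;
}

/* Hardened variant (added here, not from the commit): rejects a MAC whose
 * received length differs, and compares every byte without early exit. */
static int mac_check_ct(const uint8_t *recv, size_t recv_n,
                        const uint8_t *expect, size_t n)
{
    if (recv_n != n)
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= recv[i] ^ expect[i];
    return diff == 0;
}

/* Constructed test vectors (filled by fill_macs, which returns 1):
 *   mac_expect / mac_forged_nul:  same leading zero byte, differ elsewhere
 *   mac_ascii  / mac_forged_case: 32 x 'A' versus 32 x 'a'               */
static uint8_t mac_expect[MAC_LEN], mac_forged_nul[MAC_LEN];
static uint8_t mac_ascii[MAC_LEN],  mac_forged_case[MAC_LEN];

static int fill_macs(void)
{
    memset(mac_expect, 0x5a, MAC_LEN);
    memset(mac_forged_nul, 0xa5, MAC_LEN);
    mac_expect[0] = mac_forged_nul[0] = 0x00;
    memset(mac_ascii, 'A', MAC_LEN);
    memset(mac_forged_case, 'a', MAC_LEN);
    return 1;
}
```

With these vectors the string comparison accepts both forged MACs, while either binary comparison rejects them; only the length-checking variant also rejects a received MAC that is merely a prefix of the expected one.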
parent 48624412
......@@ -748,8 +748,7 @@ static int knot_tsig_check_digest(const knot_rrset_t *tsig_rr,
dbg_tsig_verb("TSIG: given digest:\n");
dbg_tsig_hex_verb((char *)tsig_mac, mac_length);
if (strncasecmp((char *)(tsig_mac), (char *)digest_tmp,
mac_length) != 0) {
if (memcmp(tsig_mac, digest_tmp, mac_length) != 0) {
return KNOT_TSIG_EBADSIG;
}
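Review bot: mac_length here is the length of the MAC taken from the received message (the same value used for the debug dump of tsig_mac above), so the new memcmp compares only as many bytes as the peer sent; confirm that mac_length is validated against the expected digest length for the algorithm before this point, otherwise a shorter received MAC is compared only as a prefix of digest_tmp. Consider also a constant-time comparison in place of memcmp, which returns at the first differing byte and so leaks through timing how many leading bytes matched.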