s4/dns_server: ensure we store the key name in error code paths
authorRalph Boehme <slow@samba.org>
Mon, 30 May 2016 14:37:32 +0000 (16:37 +0200)
committerGarming Sam <garming@samba.org>
Wed, 15 Jun 2016 22:06:27 +0000 (00:06 +0200)
We need the TKEY name when adding TSIG records to error responses.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
source4/dns_server/dns_crypto.c

index 1590814e54b207e5f839a2038db30cebe0e17433..47b75fc5654f4e45e06ad418ea3ffca126bf5373 100644 (file)
@@ -146,10 +146,27 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 
        tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
        if (tkey == NULL) {
+               /*
+                * We must save the name for use in the TSIG error
+                * response and have no choice here but to save the
+                * keyname from the TSIG request.
+                */
+               state->key_name = talloc_strdup(state->mem_ctx,
+                                               state->tsig->name);
                state->tsig_error = DNS_RCODE_BADKEY;
                return DNS_ERR(NOTAUTH);
        }
 
+       /*
+        * Remember the keyname that found an existing tkey, used
+        * later to fetch the key with dns_find_tkey() when signing
+        * and adding a TSIG record with MAC.
+        */
+       state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
+       if (state->key_name == NULL) {
+               return WERR_NOMEM;
+       }
+
        /* FIXME: check TSIG here */
        if (check_rec == NULL) {
                return WERR_NOMEM;
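Review bot: The talloc_strdup added in the BADKEY branch at the top of the hunk is never checked, so on allocation failure state->key_name is left NULL while the function still returns DNS_ERR(NOTAUTH), and whatever later builds the TSIG error response from key_name presumably has to cope with a NULL name (it is not visible here). The second assignment the hunk adds does check and returns WERR_NOMEM; the error branch should do the same right after the strdup: `if (state->key_name == NULL) {` / `return WERR_NOMEM;` / `}`. A short comment such as `/* Without a name we cannot sign the error response either */` would explain why NOMEM wins over NOTAUTH there. dns_verify_tsig begins before this hunk and its body continues past it.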
@@ -223,10 +240,6 @@ WERROR dns_verify_tsig(struct dns_server *dns,
        }
 
        state->authenticated = true;
-       state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
-       if (state->key_name == NULL) {
-               return WERR_NOMEM;
-       }
 
        return WERR_OK;
 }