upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 04:20:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Verify integrity flag on server-side GSS-API context

Browse source 
After gss_accept_sec_context() completes, verify that the INTEG flag
is set in ret_flags.  Without integrity protection, GSS-TSIG message
authentication cannot function correctly.

The server side was previously passing NULL for ret_flags, meaning it
never verified the negotiated security properties.  The client side
was fixed in the previous commit; this fixes the server side.
This commit is contained in:
Ondřej Surý 2026-03-18 01:02:24 +01:00 committed by Michał Kępień
parent 4e455365bf
commit 45c93af5c0
No known key found for this signature in database
1 changed files with 17 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
lib/dns/gssapictx.c
View file

@ -442,15 +442,30 @@ dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken,
#endif
}
OM_uint32 ret_flags = 0;
gret = gss_accept_sec_context(&minor, &context, GSS_C_NO_CREDENTIAL,
&gintoken, GSS_C_NO_CHANNEL_BINDINGS,
&gname, NULL, &gouttoken, NULL, NULL,
NULL);
&gname, NULL, &gouttoken, &ret_flags,
NULL, NULL);
result = ISC_R_FAILURE;
switch (gret) {
case GSS_S_COMPLETE:
/*
* RFC 2743 Section 1.2.2: verify that the negotiated
* context provides integrity protection.
*/
if ((ret_flags & GSS_C_INTEG_FLAG) == 0) {
gss_log(3,
"GSS-API context lacks required INTEG "
"flag (ret_flags=0x%x)",
(unsigned int)ret_flags);
(void)gss_delete_sec_context(&minor, &context, NULL);
result = DNS_R_INVALIDTKEY;
goto cleanup;
}
break;
/*
* RFC 3645 4.1.3: we don't handle GSS_S_CONTINUE_NEEDED