upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-25 02:47:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove "tkey-gssapi-credential" and related code

Browse source 
Since the "tkey-gssapi-credential" statement has been previously
deprecated, mark it as ancient and remove all code related to it:

  - The code processing the "tkey-gssapi-credential" statement in the
    configuration is the only user of the dst_gssapi_acquirecred() and
    dst_gssapi_releasecred() functions, so remove them along with their
    static helper functions and a backup definition of the
    GSS_KRB5_MECHANISM macro.

  - When calling gss_accept_sec_context(), pass GSS_C_NO_CREDENTIAL
    instead of the credential acquired by gss_acquire_cred().
    (Previously, NULL was passed when "tkey-gssapi-credential" was not
    specified.  Kerberos headers define GSS_C_NO_CREDENTIAL as
    (gss_cred_id_t) 0, so the logic was effectively the same, but using
    the GSS_C_NO_CREDENTIAL macro is more appropriate.)  This renders
    the 'cred' parameter for dst_gssapi_acceptctx() redundant, so remove
    it from the prototype of the latter.  (Contrary to what the
    documentation for dst_gssapi_acceptctx() claims,
    dst_gssapi_releasecred() does not need to subsequently be called to
    free the GSS-API context; a dst_gssapi_deletectx() call in
    gssapi_destroy() takes care of that when the dynamically generated
    TSIG key is destroyed.)

  - Remove the 'gsscred' member from struct dns_tkeyctx, along with its
    related dns_gss_cred_id_t typedef.

Update the relevant sections of the ARM and code comments accordingly.

This makes the "tkey-gssapi-keytab" statement the only way to set up
GSS-TSIG in named.

Remove redundant code from bin/named/tkeyconf.c while at it.
This commit is contained in:
Michał Kępień 2025-10-06 13:19:50 +02:00
parent 73197feec7
commit 84b96df153
No known key found for this signature in database
12 changed files with 33 additions and 431 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitlab-ci.yml
View file

@ -920,6 +920,7 @@ cross-version-config-tests:
untracked: true
expire_in: "1 day"
when: always
allow_failure: true
# Jobs for regular GCC builds on Alpine Linux 3.22 (amd64)

1
bin/named/config.c
View file

@ -127,7 +127,6 @@ options {\n\
tcp-primaries-timeout 150;\n\
tcp-receive-buffer 0;\n\
tcp-send-buffer 0;\n\
# tkey-gssapi-credential <none>\n\
transfer-message-size 20480;\n\
transfers-in 10;\n\
transfers-out 10;\n\

38
bin/named/tkeyconf.c
View file

@ -13,15 +13,8 @@
/*! \file */
#include <inttypes.h>
#include <isc/buffer.h>
#include <isc/mem.h>
#include <isc/string.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dns/tkey.h>
#include <dst/gssapi.h>
@ -30,43 +23,16 @@
#include <named/tkeyconf.h>
#define RETERR(x) \
do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
goto failure; \
} while (0)
#include <named/log.h>
#define LOG(msg) \
isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, "%s", msg)
isc_result_t
named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
dns_tkeyctx_t **tctxp) {
isc_result_t result;
dns_tkeyctx_t *tctx = NULL;
const char *s;
dns_fixedname_t fname;
dns_name_t *name;
isc_buffer_t b;
const cfg_obj_t *obj;
dns_tkeyctx_create(mctx, &tctx);
obj = NULL;
result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
if (result == ISC_R_SUCCESS) {
s = cfg_obj_asstring(obj);
isc_buffer_constinit(&b, s, strlen(s));
isc_buffer_add(&b, strlen(s));
name = dns_fixedname_initname(&fname);
RETERR(dns_name_fromtext(name, &b, dns_rootname, 0));
RETERR(dst_gssapi_acquirecred(name, false, &tctx->gsscred));
}
obj = NULL;
result = cfg_map_get(options, "tkey-gssapi-keytab", &obj);
if (result == ISC_R_SUCCESS) {
@ -76,8 +42,4 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
*tctxp = tctx;
return ISC_R_SUCCESS;
failure:
dns_tkeyctx_destroy(&tctx);
return result;
}

17
doc/arm/reference.rst
View file

@ -1448,21 +1448,8 @@ default is used.
:tags: security
:short: Sets the KRB5 keytab file to use for GSS-TSIG updates.
This is the KRB5 keytab file to use for GSS-TSIG updates. If this option is
set and ``tkey-gssapi-credential`` is not set, updates are
allowed with any key matching a principal in the specified keytab.
.. namedconf:statement:: tkey-gssapi-credential
:tags: security
:short: Sets the security credential for authentication keys requested by the GSS-TSIG protocol.
This is the security credential with which the server should authenticate
keys requested by the GSS-TSIG protocol. Currently only Kerberos 5
authentication is available; the credential is a Kerberos
principal which the server can acquire through the default system key
file, normally ``/etc/krb5.keytab``. The location of the keytab file can be
overridden using the :any:`tkey-gssapi-keytab` option. Normally this
principal is of the form ``DNS/server.domain``.
This is the KRB5 keytab file to use for GSS-TSIG updates, which are
allowed for any key matching a principal in the specified keytab.
.. namedconf:statement:: dump-file
:tags: logging

8
doc/changelog/changelog-9.21.12.rst
View file

@ -61,16 +61,16 @@ Removed Features
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up
in a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
``tkey-gssapi-credential`` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
``tkey-gssapi-credential`` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
:any:`tkey-gssapi-keytab` *and* ``tkey-gssapi-credential``, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`. :gl:`#4204`
previously specified by ``tkey-gssapi-credential``. :gl:`#4204`
:gl:`!10782`
- Obsolete the "tkey-domain" statement. ``bed752f57f``

1
doc/misc/options
View file

@ -303,7 +303,6 @@ options {
tcp-receive-buffer <integer>;
tcp-send-buffer <integer>;
tkey-domain <quoted_string>; // obsolete
tkey-gssapi-credential <quoted_string>; // deprecated
tkey-gssapi-keytab <quoted_string>;
tls-port <integer>;
transfer-format ( many-answers | one-answer );

10
doc/notes/notes-9.21.12.rst
View file

@ -40,20 +40,20 @@ New Features
Removed Features
~~~~~~~~~~~~~~~~
- Deprecate the :namedconf:ref:`tkey-gssapi-credential` statement.
- Deprecate the ``tkey-gssapi-credential`` statement.
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up
in a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
``tkey-gssapi-credential`` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
``tkey-gssapi-credential`` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
:any:`tkey-gssapi-keytab` *and* ``tkey-gssapi-credential``, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`. :gl:`#4204`
previously specified by ``tkey-gssapi-credential``. :gl:`#4204`
- Obsolete the "tkey-domain" statement.

313
lib/dns/gssapictx.c
View file

@ -61,15 +61,6 @@
#if HAVE_GSSAPI
#ifndef GSS_KRB5_MECHANISM
static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x12, 0x01, 0x02, 0x02 };
static gss_OID_desc __gss_krb5_mechanism_oid_desc = {
sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes
};
#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc)
#endif /* ifndef GSS_KRB5_MECHANISM */
#ifndef GSS_SPNEGO_MECHANISM
static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01,
0x05, 0x05, 0x02 };
@ -124,249 +115,6 @@ name_to_gbuffer(const dns_name_t *name, isc_buffer_t *buffer,
REGION_TO_GBUFFER(r, *gbuffer);
}
static void
log_cred(const gss_cred_id_t cred) {
OM_uint32 gret, minor, lifetime;
gss_name_t gname;
gss_buffer_desc gbuffer;
gss_cred_usage_t usage;
const char *usage_text;
char buf[1024];
gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed gss_inquire_cred: %s",
gss_error_tostring(gret, minor, buf, sizeof(buf)));
return;
}
gret = gss_display_name(&minor, gname, &gbuffer, NULL);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed gss_display_name: %s",
gss_error_tostring(gret, minor, buf, sizeof(buf)));
} else {
switch (usage) {
case GSS_C_BOTH:
usage_text = "GSS_C_BOTH";
break;
case GSS_C_INITIATE:
usage_text = "GSS_C_INITIATE";
break;
case GSS_C_ACCEPT:
usage_text = "GSS_C_ACCEPT";
break;
default:
usage_text = "???";
}
gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value,
usage_text, (unsigned long)lifetime);
}
if (gret == GSS_S_COMPLETE) {
if (gbuffer.length != 0U) {
gret = gss_release_buffer(&minor, &gbuffer);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed gss_release_buffer: %s",
gss_error_tostring(gret, minor, buf,
sizeof(buf)));
}
}
}
gret = gss_release_name(&minor, &gname);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed gss_release_name: %s",
gss_error_tostring(gret, minor, buf, sizeof(buf)));
}
}
/*
* check for the most common configuration errors.
*
* The errors checked for are:
* - tkey-gssapi-credential doesn't start with DNS/
* - the default realm in /etc/krb5.conf and the
* tkey-gssapi-credential bind config option don't match
*
* Note that if tkey-gssapi-keytab is set then these configure checks
* are not performed, and runtime errors from gssapi are used instead
*/
static void
check_config(const char *gss_name) {
const char *p;
krb5_context krb5_ctx;
char *krb5_realm_name = NULL;
if (strncasecmp(gss_name, "DNS/", 4) != 0) {
gss_log(ISC_LOG_ERROR,
"tkey-gssapi-credential (%s) "
"should start with 'DNS/'",
gss_name);
return;
}
if (krb5_init_context(&krb5_ctx) != 0) {
gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
return;
}
if (krb5_get_default_realm(krb5_ctx, &krb5_realm_name) != 0) {
gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
krb5_free_context(krb5_ctx);
return;
}
p = strchr(gss_name, '@');
if (p == NULL) {
gss_log(ISC_LOG_ERROR,
"badly formatted "
"tkey-gssapi-credentials (%s)",
gss_name);
krb5_free_context(krb5_ctx);
return;
}
if (strcasecmp(p + 1, krb5_realm_name) != 0) {
gss_log(ISC_LOG_ERROR,
"default realm from krb5.conf (%s) "
"does not match tkey-gssapi-credential (%s)",
krb5_realm_name, gss_name);
krb5_free_context(krb5_ctx);
return;
}
krb5_free_context(krb5_ctx);
}
static OM_uint32
mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) {
OM_uint32 gret;
gret = gss_create_empty_oid_set(minor, mech_oid_set);
if (gret != GSS_S_COMPLETE) {
return gret;
}
gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set);
if (gret != GSS_S_COMPLETE) {
goto release;
}
gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM,
mech_oid_set);
if (gret != GSS_S_COMPLETE) {
goto release;
}
release:
REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE);
return gret;
}
static void
mech_oid_set_release(gss_OID_set *mech_oid_set) {
OM_uint32 minor;
REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE);
}
isc_result_t
dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
dns_gss_cred_id_t *cred) {
isc_result_t result;
isc_buffer_t namebuf;
gss_name_t gname;
gss_buffer_desc gnamebuf;
unsigned char array[DNS_NAME_MAXTEXT + 1];
OM_uint32 gret, minor;
OM_uint32 lifetime;
gss_cred_usage_t usage;
char buf[1024];
gss_OID_set mech_oid_set;
REQUIRE(cred != NULL && *cred == NULL);
/*
* XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
* here when we're in the acceptor role, which would let us
* default the hostname and use a compiled in default service
* name of "DNS", giving one less thing to configure in
* named.conf. Unfortunately, this creates a circular
* dependency due to DNS-based realm lookup in at least one
* GSSAPI implementation (Heimdal). Oh well.
*/
if (name != NULL) {
isc_buffer_init(&namebuf, array, sizeof(array));
name_to_gbuffer(name, &namebuf, &gnamebuf);
gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
if (gret != GSS_S_COMPLETE) {
check_config((char *)array);
gss_log(3, "failed gss_import_name: %s",
gss_error_tostring(gret, minor, buf,
sizeof(buf)));
return ISC_R_FAILURE;
}
} else {
gname = NULL;
}
/* Get the credentials. */
if (gname != NULL) {
gss_log(3, "acquiring credentials for %s",
(char *)gnamebuf.value);
} else {
/* XXXDCL does this even make any sense? */
gss_log(3, "acquiring credentials for ?");
}
if (initiate) {
usage = GSS_C_INITIATE;
} else {
usage = GSS_C_ACCEPT;
}
gret = mech_oid_set_create(&minor, &mech_oid_set);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed to create OID_set: %s",
gss_error_tostring(gret, minor, buf, sizeof(buf)));
return ISC_R_FAILURE;
}
gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set,
usage, (gss_cred_id_t *)cred, NULL, &lifetime);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed to acquire %s credentials for %s: %s",
initiate ? "initiate" : "accept",
(gname != NULL) ? (char *)gnamebuf.value : "?",
gss_error_tostring(gret, minor, buf, sizeof(buf)));
if (gname != NULL) {
check_config((char *)array);
}
result = ISC_R_FAILURE;
goto cleanup;
}
gss_log(4, "acquired %s credentials for %s",
initiate ? "initiate" : "accept",
(gname != NULL) ? (char *)gnamebuf.value : "?");
log_cred(*cred);
result = ISC_R_SUCCESS;
cleanup:
mech_oid_set_release(&mech_oid_set);
if (gname != NULL) {
gret = gss_release_name(&minor, &gname);
if (gret != GSS_S_COMPLETE) {
gss_log(3, "failed gss_release_name: %s",
gss_error_tostring(gret, minor, buf,
sizeof(buf)));
}
}
return result;
}
bool
dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
const dns_name_t *name,
@ -527,24 +275,6 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
return true;
}
isc_result_t
dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
OM_uint32 gret, minor;
char buf[1024];
REQUIRE(cred != NULL && *cred != NULL);
gret = gss_release_cred(&minor, (gss_cred_id_t *)cred);
if (gret != GSS_S_COMPLETE) {
/* Log the error, but still free the credential's memory */
gss_log(3, "failed releasing credential: %s",
gss_error_tostring(gret, minor, buf, sizeof(buf)));
}
*cred = NULL;
return ISC_R_SUCCESS;
}
/*
* Format a gssapi error message info into a char ** on the given memory
* context. This is used to return gssapi error messages back up the
@ -655,10 +385,9 @@ out:
}
isc_result_t
dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
isc_region_t *intoken, isc_buffer_t **outtoken,
dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
isc_mem_t *mctx) {
dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken,
isc_buffer_t **outtoken, dns_gss_ctx_id_t *ctxout,
dns_name_t *principal, isc_mem_t *mctx) {
isc_region_t r;
isc_buffer_t namebuf;
gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
@ -713,11 +442,10 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
#endif
}
log_cred(cred);
gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
GSS_C_NO_CHANNEL_BINDINGS, &gname, NULL,
&gouttoken, NULL, NULL, NULL);
gret = gss_accept_sec_context(&minor, &context, GSS_C_NO_CREDENTIAL,
&gintoken, GSS_C_NO_CHANNEL_BINDINGS,
&gname, NULL, &gouttoken, NULL, NULL,
NULL);
result = ISC_R_FAILURE;
@ -862,18 +590,6 @@ gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen) {
#else
isc_result_t
dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
dns_gss_cred_id_t *cred) {
REQUIRE(cred != NULL && *cred == NULL);
UNUSED(name);
UNUSED(initiate);
UNUSED(cred);
return ISC_R_NOTIMPLEMENTED;
}
bool
dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
const dns_name_t *name,
@ -898,13 +614,6 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
return false;
}
isc_result_t
dst_gssapi_releasecred(dns_gss_cred_id_t *cred) {
UNUSED(cred);
return ISC_R_NOTIMPLEMENTED;
}
isc_result_t
dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
@ -920,11 +629,9 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
}
isc_result_t
dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
isc_region_t *intoken, isc_buffer_t **outtoken,
dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
isc_mem_t *mctx) {
UNUSED(cred);
dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken,
isc_buffer_t **outtoken, dns_gss_ctx_id_t *ctxout,
dns_name_t *principal, isc_mem_t *mctx) {
UNUSED(gssapi_keytab);
UNUSED(intoken);
UNUSED(outtoken);

5
lib/dns/include/dns/tkey.h
View file

@ -31,9 +31,8 @@
#define DNS_TKEYMODE_DELETE 5
struct dns_tkeyctx {
dns_gss_cred_id_t gsscred;
isc_mem_t *mctx;
char *gssapi_keytab;
isc_mem_t *mctx;
char *gssapi_keytab;
};
void

47
lib/dns/include/dst/gssapi.h
View file

@ -23,7 +23,6 @@
#include <dns/types.h>
typedef void *dns_gss_cred_id_t;
typedef void *dns_gss_ctx_id_t;
/***
@ -34,42 +33,6 @@ typedef void *dns_gss_ctx_id_t;
*** Functions
***/
isc_result_t
dst_gssapi_acquirecred(const dns_name_t *name, bool initiate,
dns_gss_cred_id_t *cred);
/*
* Acquires GSS credentials.
*
* Requires:
* 'name' is a valid name, preferably one known by the GSS provider
* 'initiate' indicates whether the credentials are for initiating or
* accepting contexts
* 'cred' is a pointer to NULL, which will be allocated with the
* credential handle. Call dst_gssapi_releasecred to free
* the memory.
*
* Returns:
* ISC_R_SUCCESS msg was successfully updated to include the
* query to be sent
* other an error occurred while building the message
*/
isc_result_t
dst_gssapi_releasecred(dns_gss_cred_id_t *cred);
/*
* Releases GSS credentials. Calling this function does release the
* memory allocated for the credential in dst_gssapi_acquirecred()
*
* Requires:
* 'mctx' is a valid memory context
* 'cred' is a pointer to the credential to be released
*
* Returns:
* ISC_R_SUCCESS credential was released successfully
* other an error occurred while releaseing
* the credential
*/
isc_result_t
dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
@ -95,16 +58,14 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
*/
isc_result_t
dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
isc_region_t *intoken, isc_buffer_t **outtoken,
dns_gss_ctx_id_t *context, dns_name_t *principal,
isc_mem_t *mctx);
dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken,
isc_buffer_t **outtoken, dns_gss_ctx_id_t *context,
dns_name_t *principal, isc_mem_t *mctx);
/*
* Accepts a GSS context.
*
* Requires:
* 'mctx' is a valid memory context
* 'cred' is the acceptor's valid GSS credential handle
* 'intoken' is a token received from the initiator
* 'outtoken' is a pointer a buffer pointer used to return the token
* generated by gss_accept_sec_context() to be sent to the
@ -113,8 +74,6 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
* On the initial call, it should be a pointer to NULL, which
* will be allocated as a dns_gss_ctx_id_t. Subsequent calls
* should pass in the handle generated on the first call.
* Call dst_gssapi_releasecred to delete the context and free
* the memory.
*
* Requires:
* 'outtoken' to != NULL && *outtoken == NULL.

20
lib/dns/tkey.c
View file

@ -103,9 +103,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
if (tctx->gssapi_keytab != NULL) {
isc_mem_free(mctx, tctx->gssapi_keytab);
}
if (tctx->gsscred != NULL) {
dst_gssapi_releasecred(&tctx->gsscred);
}
isc_mem_putanddetach(&mctx, tctx, sizeof(dns_tkeyctx_t));
}
@ -176,14 +173,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
dns_gss_ctx_id_t gss_ctx = NULL;
/*
* You have to define either a gss credential (principal) to
* accept with tkey-gssapi-credential, or you have to
* configure a specific keytab (with tkey-gssapi-keytab) in
* You have to define a specific keytab (with tkey-gssapi-keytab) in
* order to use gsstkey.
*/
if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
tkey_log("process_gsstkey(): no tkey-gssapi-credential "
"or tkey-gssapi-keytab configured");
if (tctx->gssapi_keytab == NULL) {
tkey_log("process_gsstkey(): no tkey-gssapi-keytab configured");
return DNS_R_REFUSED;
}
@ -202,13 +196,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
gss_ctx = dst_key_getgssctx(tsigkey->key);
}
/*
* Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
*/
intoken = (isc_region_t){ tkeyin->key, tkeyin->keylen };
result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
&intoken, &outtoken, &gss_ctx, principal,
tctx->mctx);
result = dst_gssapi_acceptctx(tctx->gssapi_keytab, &intoken, &outtoken,
&gss_ctx, principal, tctx->mctx);
if (result == DNS_R_INVALIDTKEY) {
if (tsigkey != NULL) {
dns_tsigkey_detach(&tsigkey);

3
lib/isccfg/namedconf.c
View file

@ -1349,8 +1349,7 @@ static cfg_clausedef_t options_clauses[] = {
{ "tcp-send-buffer", &cfg_type_uint32, 0 },
{ "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT },
{ "tkey-domain", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
{ "tkey-gssapi-credential", &cfg_type_qstring,
CFG_CLAUSEFLAG_DEPRECATED },
{ "tkey-gssapi-credential", &cfg_type_qstring, CFG_CLAUSEFLAG_ANCIENT },
{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
{ "transfer-message-size", &cfg_type_uint32, 0 },
{ "transfers-in", &cfg_type_uint32, 0 },