From b5076014b9fd3b6fac25f45c6599abd8c6577c52 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Jul 2023 08:34:45 +1000
Subject: [PATCH 1/4] Return REFUSED if GSSAPI is not configured

Return REFUSED if neither a keytab nor a gssapi credential is configured to GSSAPI/TKEY requests.
---
 lib/dns/tkey.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 0f98820edf..8133d927a3 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -194,7 +194,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
 tkey_log("process_gsstkey(): no tkey-gssapi-credential "
 "or tkey-gssapi-keytab configured");
- return (ISC_R_NOPERM);
+ return (DNS_R_REFUSED);
 }
 
 if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME)) {
From f2446196809b4eb99928493c7dd7f22cfee32249 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Jul 2023 16:47:09 +1000
Subject: [PATCH 2/4] Report TKEY query errors in nsupdate

---
 bin/nsupdate/nsupdate.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 724567ce41..bedab93704 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -3209,7 +3209,16 @@ recvgss(void *arg) {
 if (rcvmsg->rcode != dns_rcode_noerror &&
 rcvmsg->rcode != dns_rcode_nxdomain)
 {
- fatal("response to GSS-TSIG query was unsuccessful");
+ char rcode[64];
+ isc_buffer_t b;
+
+ isc_buffer_init(&b, rcode, sizeof(rcode) - 1);
+ result = dns_rcode_totext(rcvmsg->rcode, &b);
+ check_result(result, "dns_rcode_totext");
+ rcode[isc_buffer_usedlength(&b)] = 0;
+
+ fatal("response to GSS-TSIG query was unsuccessful (%s)",
+ rcode);
 }
 
 servname = dns_fixedname_initname(&fname);
From 3a2a24903c0ab3a5a04b6d69e88d3948ff0df95a Mon Sep 17 00:00:00 2001
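Review bot: The new `return (DNS_R_REFUSED);` changes what an unconfigured server sends back to an unauthenticated TKEY client, but nothing at the return site says why REFUSED replaced ISC_R_NOPERM, and the description of process_gsstkey's results (outside this hunk) presumably still does not mention DNS_R_REFUSED. A short comment would keep the choice from being "fixed" back later: `/* No tkey-gssapi-credential or tkey-gssapi-keytab: refuse the TKEY outright so the client sees REFUSED rather than a server failure. */`. Whether DNS_R_REFUSED is actually mapped to the REFUSED rcode on the wire is decided by the caller outside this hunk; the nsupdate test in PATCH 3/4 greps for "(REFUSED)", which suggests it is, but that mapping is worth stating in the same comment. process_gsstkey() starts before and ends after this hunk.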
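Review bot: `check_result(result, "dns_rcode_totext");` turns a failed rcode-to-text conversion into a fatal() of its own, so the one diagnostic this branch exists to produce — the rcode of the failed GSS-TSIG response — is lost on exactly the responses that are hardest to explain; falling back to the numeric value keeps the message useful in every case. The text buffer is also named `rcode` while the numeric field it renders is `rcvmsg->rcode`, which reads confusingly in the fatal() call; `rcodetext` would be clearer. recvgss() starts before and ends after this hunk.
```c
		/* … unchanged: char rcode[64]; isc_buffer_t b; isc_buffer_init(); … */
		result = dns_rcode_totext(rcvmsg->rcode, &b);
		if (result == ISC_R_SUCCESS) {
			rcode[isc_buffer_usedlength(&b)] = 0;
		} else {
			/* Unknown or unprintable rcode: still report the number. */
			snprintf(rcode, sizeof(rcode), "%u",
				 (unsigned int)rcvmsg->rcode);
		}

		fatal("response to GSS-TSIG query was unsuccessful (%s)",
		      rcode);
```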
From: Mark Andrews
Date: Thu, 27 Jul 2023 17:08:34 +1000
Subject: [PATCH 3/4] Check GSS-API TKEY against non configured server

Check for the expected error message which includes rcode REFUSED then reload the server to specify the keytab for the rest of the GSSAPI tests.
---
 bin/tests/system/nsupdate/ns7/named1.conf.in | 52 +++++++++++++++++++
 .../ns7/{named.conf.in => named2.conf.in} | 0
 bin/tests/system/nsupdate/setup.sh | 2 +-
 bin/tests/system/nsupdate/tests.sh | 18 +++++++
 4 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 bin/tests/system/nsupdate/ns7/named1.conf.in
 rename bin/tests/system/nsupdate/ns7/{named.conf.in => named2.conf.in} (100%)

diff --git a/bin/tests/system/nsupdate/ns7/named1.conf.in b/bin/tests/system/nsupdate/ns7/named1.conf.in
new file mode 100644
index 0000000000..28d2aeafd5
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns7/named1.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.7; };
+ recursion no;
+ notify yes;
+ minimal-responses no;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+ type primary;
+ file "in-addr.db";
+ update-policy { grant EXAMPLE.COM krb5-subdomain-self-rhs . PTR; };
+};
+
+zone "example.com" {
+ type primary;
+ file "example.com.db";
+ update-policy {
+ grant EXAMPLE.COM krb5-self . ANY;
+ grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+ grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv.example.com SRV;
+ grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv-no-type.example.com;
+ };
+};
diff --git a/bin/tests/system/nsupdate/ns7/named.conf.in b/bin/tests/system/nsupdate/ns7/named2.conf.in
similarity index 100%
rename from bin/tests/system/nsupdate/ns7/named.conf.in
rename to bin/tests/system/nsupdate/ns7/named2.conf.in
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index a143eac98d..c3477616e7 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
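Review bot: named1.conf.in is, by design, the ns7 configuration with no tkey-gssapi-keytab or tkey-gssapi-credential statement — the new tests.sh check expects a REFUSED TKEY answer from it, and per the commit description named2.conf.in (not shown in this series, it is the renamed named.conf.in) is what adds the keytab afterwards — yet nothing in the file records that. The update-policy grants for EXAMPLE.COM are therefore unusable while this file is loaded, which a reader comparing the two configurations would reasonably mistake for an omission and "fix" by syncing them, silently turning the REFUSED test into a test of the wrong thing. A comment above the `options` block would pin the intent, e.g. `/* No tkey-gssapi-keytab here on purpose: the first GSS-API test expects REFUSED; tests.sh reloads ns7 with named2.conf.in for the rest. */`.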
@@ -31,7 +31,7 @@ copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns7/named1.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
 
 # If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b92b23cd4a..04d533b8f1 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1762,6 +1762,24 @@ wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
 if ! $FEATURETEST --gssapi ; then
 echo_i "SKIPPED: GSSAPI tests"
 else
+ n=$((n + 1))
+ ret=0
+ echo_i "check GSS-API TKEY request rcode against a non configured server ($n)"
+ KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+ export KRB5CCNAME
+ $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
+ gsstsig
+ realm EXAMPLE.COM
+ server 10.53.0.7 ${PORT}
+ zone example.com
+ send
+EOF
+ grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n > /dev/null || ret=1
+ [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ copy_setports ns7/named2.conf.in ns7/named.conf
+ rndc_reload ns7 10.53.0.7
+
 n=$((n + 1))
 ret=0
 echo_i "check krb5-self match ($n)"
From ccaefce7ca85b91a1b72fec5cfcc22f3aa951cc5 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 27 Jul 2023 08:51:11 +1000
Subject: [PATCH 4/4] Add CHANGES for [GL #4225]

---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 12953a3c5c..4e4d9e5a04 100644
--- a/CHANGES
+++ b/CHANGES
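Review bot: After `copy_setports ns7/named2.conf.in ns7/named.conf` the tests.sh hunk calls `rndc_reload ns7 10.53.0.7` and goes straight into the "check krb5-self match" test; unless rndc_reload itself blocks until the new configuration and its keytab are active, that next test can race the reload and fail intermittently, and a reload that fails outright (bad keytab path, parse error) is not detected at all. A guard in the style the file already uses, `wait_for_log 10 "reloading configuration succeeded" ns7/named.run || ret=1` (with a `nextpart ns7/named.run` beforehand if an earlier reload line could already be present — I cannot see whether one is), would make the hand-over deterministic. The `&& ret=1` on the nsupdate line also relies on fatal() exiting non-zero and the grep pins the exact message text added in PATCH 2/4, so a one-line comment such as `# nsupdate must fail here: ns7 has no GSS-API configuration yet` would tell the next editor why success is the failure case.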
@@ -1,3 +1,6 @@ +6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API + support is not configured. [GL #4225] + 6214. [bug] Fix the memory leak in for struct stub_glue_request allocated in stub_request_nameserver_address() but not freed in stub_glue_response(). [GL #4227]