bind9/lib/dns/include/dst/gssapi.h
Michał Kępień 84b96df153
Remove "tkey-gssapi-credential" and related code
Since the "tkey-gssapi-credential" statement has been previously
deprecated, mark it as ancient and remove all code related to it:

  - The code processing the "tkey-gssapi-credential" statement in the
    configuration is the only user of the dst_gssapi_acquirecred() and
    dst_gssapi_releasecred() functions, so remove them along with their
    static helper functions and a backup definition of the
    GSS_KRB5_MECHANISM macro.

  - When calling gss_accept_sec_context(), pass GSS_C_NO_CREDENTIAL
    instead of the credential acquired by gss_acquire_cred().
    (Previously, NULL was passed when "tkey-gssapi-credential" was not
    specified.  Kerberos headers define GSS_C_NO_CREDENTIAL as
    (gss_cred_id_t) 0, so the logic was effectively the same, but using
    the GSS_C_NO_CREDENTIAL macro is more appropriate.)  This renders
    the 'cred' parameter for dst_gssapi_acceptctx() redundant, so remove
    it from the prototype of the latter.  (Contrary to what the
    documentation for dst_gssapi_acceptctx() claims,
    dst_gssapi_releasecred() does not need to subsequently be called to
    free the GSS-API context; a dst_gssapi_deletectx() call in
    gssapi_destroy() takes care of that when the dynamically generated
    TSIG key is destroyed.)

  - Remove the 'gsscred' member from struct dns_tkeyctx, along with its
    related dns_gss_cred_id_t typedef.

Update the relevant sections of the ARM and code comments accordingly.

This makes the "tkey-gssapi-keytab" statement the only way to set up
GSS-TSIG in named.

Remove redundant code from bin/named/tkeyconf.c while at it.
2025-10-06 13:19:50 +02:00


/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#pragma once
/*! \file dst/gssapi.h */
#include <inttypes.h>
#include <stdbool.h>
#include <isc/formatcheck.h>
#include <isc/types.h>
#include <dns/types.h>
typedef void *dns_gss_ctx_id_t;
/***
*** Types
***/
/***
*** Functions
***/
isc_result_t
dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx,
isc_mem_t *mctx, char **err_message);
/*
* Initiates a GSS security context on the initiator (client) side of a
* GSS-TSIG negotiation; each call performs one gss_init_sec_context()
* round.
*
* Requires:
* 'name' is a valid name, preferably one known by the GSS
* provider (typically the acceptor's service principal)
* 'intoken' is a token received from the acceptor, or NULL if
* there isn't one (i.e. on the first call)
* 'outtoken' is a buffer to receive the token generated by
* gss_init_sec_context() to be sent to the acceptor
* 'gssctx' is a pointer to a valid dns_gss_ctx_id_t; on the first
* call it may hold DNS_GSS_C_NO_CONTEXT (no context yet), on
* later calls the handle produced by the previous call
* 'mctx' is a valid memory context
* 'err_message' may be NULL; otherwise it points to a location that
* can receive a descriptive error string on failure
* (NOTE(review): confirm in the implementation how that string
* is allocated and who frees it)
*
* Returns:
* ISC_R_SUCCESS the token in 'outtoken' was generated and can be
* sent to the acceptor
* other an error occurred while generating the token
* *err_message optional error message describing the failure
*/
isc_result_t
dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken,
isc_buffer_t **outtoken, dns_gss_ctx_id_t *context,
dns_name_t *principal, isc_mem_t *mctx);
/*
* Accepts a GSS context on the acceptor (server) side of a GSS-TSIG
* negotiation; each call performs one gss_accept_sec_context() round.
* Credentials are taken from the keytab only (the former
* "tkey-gssapi-credential" path no longer exists). The established
* context is released with dst_gssapi_deletectx().
*
* Requires:
* 'gssapi_keytab' is the keytab the acceptor's credentials are read
* from (the "tkey-gssapi-keytab" setting)
* (NOTE(review): whether NULL is accepted here, and what it
* falls back to, must be checked against the implementation)
* 'intoken' is a token received from the initiator
* 'outtoken' is a pointer to a buffer pointer used to return the token
* generated by gss_accept_sec_context() to be sent to the
* initiator; 'outtoken' must be non-NULL and *outtoken must be
* NULL on entry
* 'context' is a valid pointer to receive the generated context handle.
* On the initial call, it should be a pointer to NULL, which
* will be allocated as a dns_gss_ctx_id_t. Subsequent calls
* should pass in the handle generated on the first call.
* 'principal' receives the initiator's name as reported by the GSS
* provider; callers must not treat it as an authenticated
* identity until ISC_R_SUCCESS has been returned
* 'mctx' is a valid memory context
*
* Returns:
* ISC_R_SUCCESS the context is fully established and 'principal'
* identifies the authenticated initiator
* DNS_R_CONTINUE transaction still in progress; another token from
* the initiator is required before the context may be
* used
* other an error occurred; nothing derived from the exchange
* should be trusted
*/
isc_result_t
dst_gssapi_deletectx(isc_mem_t *mctx, dns_gss_ctx_id_t *gssctx);
/*
* Destroys a GSS context. This function deletes the context from the GSS
* provider and then frees the memory used by the context pointer. Any
* token buffers or names obtained from the context must not be used
* afterwards.
*
* Requires:
* 'mctx' is the memory context the context handle was allocated from
* 'gssctx' points to a valid GSS context handle
* (NOTE(review): confirm in the implementation whether *gssctx is
* reset to NULL on return)
*
* Returns:
* ISC_R_SUCCESS
*/
void
gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
/*
* Logging function for GSS.
*
* Requires:
* 'level' is the log level to be used, as an integer
* 'fmt' is a printf format specifier; the call is format-checked,
* so never pass untrusted text as 'fmt' (use "%s" instead)
*/
char *
gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen);
/*
* Render a GSS major status/minor status pair into a string.
*
* Requires:
* 'major' is a GSS major status code
* 'minor' is a GSS minor status code
* 'buf' is a caller-supplied buffer of 'buflen' bytes that receives
* the rendered text
*
* Returns:
* A string containing the text representation of the error codes.
* It lives in caller-owned or temporary storage; users should copy the
* string if they wish to keep it.
*/
bool
dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
const dns_name_t *name,
const dns_name_t *realm, bool subdomain);
/*
* Compare a "signer" (a Kerberos 5 principal in DNS-name form, e.g.
* host/example.com@EXAMPLE.COM) against the expected identity 'name'
* and the expected Kerberos realm 'realm'. Returns true only on a
* match; a mismatching realm must not be accepted. 'subdomain' relaxes
* the host comparison to names below 'name' (NOTE(review): confirm the
* exact matching rule against the implementation).
*/
bool
dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
const dns_name_t *name,
const dns_name_t *realm, bool subdomain);
/*
* Same comparison as dst_gssapi_identitymatchesrealmkrb5(), but for the
* principal form used by Microsoft/Active Directory clients
* (NOTE(review): confirm the accepted principal syntax against the
* implementation). Returns true only when both the identity and the
* realm match.
*/