ostringstream oss;
if (gss_display_status(&tmp_min, maj, GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &msg) == GSS_S_COMPLETE) {
oss << method << ": " << msg.value;
- } else {
+ }
+ else {
oss << method << ": ?";
}
if (msg.length != 0) {
msg_ctx = 0;
while (1) {
ostringstream oss;
- if (gss_display_status(&tmp_min, min, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &msg) == GSS_S_COMPLETE) {
+ if (gss_display_status(&tmp_min, min, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &msg) == GSS_S_COMPLETE) {
oss << method << ": " << msg.value;
- } else {
+ }
+ else {
oss << method << ": ?";
}
if (msg.length != 0) {
#include "stubresolver.hh"
#include "proxy-protocol.hh"
#include "noinitvector.hh"
+#include "gss_context.hh"
extern AuthPacketCache PC;
extern StatBag S;
return false;
} else {
getTSIGHashEnum(trc.d_algoName, q->d_tsig_algo);
+ if (g_doGssTSIG && q->d_tsig_algo == TSIG_GSS) {
+ GssContext gssctx(keyname);
+ if (!gssctx.getPeerPrincipal(q->d_peer_principal)) {
+ g_log<<Logger::Warning<<"Failed to extract peer principal from GSS context with keyname '"<<keyname<<"'"<<endl;
+ }
+ }
}
DNSSECKeeper dk(packetHandler->getBackend());
+ if (g_doGssTSIG && q->d_tsig_algo == TSIG_GSS) {
+ vector<string> princs;
+ packetHandler->getBackend()->getDomainMetadata(q->qdomain, "GSS-ALLOW-AXFR-PRINCIPAL", princs);
+ for(const std::string& princ : princs) {
+ if (q->d_peer_principal == princ) {
+ g_log<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: TSIG signed request with authorized principal '"<<q->d_peer_principal<<"' and algorithm 'gss-tsig'"<<endl;
+ return true;
+ }
+ }
+ g_log<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' denied: TSIG signed request with principal '"<<q->d_peer_principal<<"' and algorithm 'gss-tsig' is not permitted"<<endl;
+ return false;
+ }
if(!dk.TSIGGrantsAccess(q->qdomain, keyname)) {
g_log<<Logger::Warning<<logPrefix<<"denied: key with name '"<<keyname<<"' and algorithm '"<<getTSIGAlgoName(q->d_tsig_algo)<<"' does not grant access"<<endl;
return false;
DNSName algorithm=trc.d_algoName; // FIXME400: check
if (algorithm == DNSName("hmac-md5.sig-alg.reg.int"))
algorithm = DNSName("hmac-md5");
- if (!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) {
- g_log<<Logger::Warning<<logPrefix<<"TSIG key not found"<<endl;
- return 0;
- }
- if (B64Decode(tsig64, tsigsecret) == -1) {
- g_log<<Logger::Error<<logPrefix<<"unable to Base-64 decode TSIG key '"<<tsigkeyname<<"'"<<endl;
- return 0;
+ if (algorithm != DNSName("gss-tsig")) {
+ if(!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) {
+ g_log<<Logger::Warning<<logPrefix<<"TSIG key not found"<<endl;
+ return 0;
+ }
+ if (B64Decode(tsig64, tsigsecret) == -1) {
+ g_log<<Logger::Error<<logPrefix<<"unable to Base-64 decode TSIG key '"<<tsigkeyname<<"'"<<endl;
+ return 0;
+ }
}
}
projects / thirdparty / pdns.git / commitdiff
