Introduce runtime switch `enable-gss-tsig` so that GSS-TSIG is disabled by default...
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Mon, 3 Jan 2022 16:15:53 +0000 (17:15 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 2 Sep 2022 12:22:48 +0000 (14:22 +0200)
pdns/auth-main.cc
pdns/auth-main.hh
pdns/gss_context.hh
pdns/packethandler.cc
pdns/rfc2136handler.cc
pdns/tkey.cc

index 96f20a4dfdfd2d119aa4c674ccad5c9ac35dc0e6..0d7f13335d20610a2498b146e99b4cf6533c3386 100644 (file)
@@ -109,6 +109,7 @@ int g_luaRecordExecLimit;
 time_t g_luaHealthChecksInterval{5};
 time_t g_luaHealthChecksExpireDelay{3600};
 #endif
+bool g_doGssTSIG;
 typedef Distributor<DNSPacket, DNSPacket, PacketHandler> DNSDistributor;
 
 ArgvMap theArg;
@@ -325,6 +326,7 @@ void declareArguments()
   ::arg().setSwitch("consistent-backends", "Assume individual zones are not divided over backends. Send only ANY lookup operations to the backend to reduce the number of lookups") = "yes";
 
   ::arg().set("rng", "Specify the random number generator to use. Valid values are auto,sodium,openssl,getrandom,arc4random,urandom.") = "auto";
+  ::arg().setSwitch("enable-gss-tsig", "Enable GSS TSIG processing") = "no";
   ::arg().setDefaults();
 }
 
@@ -697,6 +699,7 @@ void mainthread()
   g_luaHealthChecksInterval = ::arg().asNum("lua-health-checks-interval");
   g_luaHealthChecksExpireDelay = ::arg().asNum("lua-health-checks-expire-delay");
 #endif
+  g_doGssTSIG = ::arg().mustDo("enable-gss-tsig");
 
   DNSPacket::s_udpTruncationThreshold = std::max(512, ::arg().asNum("udp-truncation-threshold"));
   DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
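Review bot: `bool g_doGssTSIG;` in the first hunk relies on zero-initialization of a namespace-scope global; writing `bool g_doGssTSIG{false};` makes the off-by-default state visible at the definition and matches the `= "no"` default given to the switch in declareArguments(). The value is only assigned in mainthread(), so anything that consults the flag before that point sees the implicit default. The commit's file list also contains no documentation change, so the new `enable-gss-tsig` setting and its default are not described anywhere users would look.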
index 83fb0c8f4af2d48b26f716bfad5e93427c691397..de840cc0d426f711104e51af426198f1e63de1df 100644 (file)
@@ -60,4 +60,5 @@ extern bool g_doLuaRecord;
 extern bool g_LuaRecordSharedState;
 extern time_t g_luaHealthChecksInterval;
 extern time_t g_luaHealthChecksExpireDelay;
+extern bool g_doGssTSIG;
 #endif // HAVE_LUA_RECORDS
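Review bot: `extern bool g_doGssTSIG;` is inserted directly above `#endif // HAVE_LUA_RECORDS`, which, judging by that comment, places the declaration inside the Lua-records guard, whereas the definition in auth-main.cc is added after the `#endif` that closes the corresponding block there. A build without Lua records would then define the variable but leave packethandler.cc, rfc2136handler.cc and tkey.cc without any declaration for it. Move the line after the `#endif // HAVE_LUA_RECORDS` line so the switch is declared unconditionally, i.e. `#endif // HAVE_LUA_RECORDS` followed by `extern bool g_doGssTSIG;`.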
index 7f3a36bc6cf333bbdf8e6f00639a67ace1b4613d..0be518cdd5bbff1fdbf1d9c3074e372a4c59376b 100644 (file)
@@ -21,7 +21,6 @@
  */
 #pragma once
 
-
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
index fdde319cb49d65614811a823ff69ffc2acbc3948..cc9328824d369f6014f2e24189ddc659df0c8f9b 100644 (file)
@@ -1377,7 +1377,7 @@ std::unique_ptr<DNSPacket> PacketHandler::doQuestion(DNSPacket& p)
       return r;
     } else {
       getTSIGHashEnum(trc.d_algoName, p.d_tsig_algo);
-      if (p.d_tsig_algo == TSIG_GSS) {
+      if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS) {
         GssContext gssctx(keyname);
         if (!gssctx.getPeerPrincipal(p.d_peer_principal)) {
           g_log<<Logger::Warning<<"Failed to extract peer principal from GSS context with keyname '"<<keyname<<"'"<<endl;
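Review bot: With the switch off, a packet whose algorithm resolved to TSIG_GSS no longer enters the GSS branch and falls through to whatever follows the `if` outside the hunk, so the outcome for such a packet is now decided by code this commit does not touch; worth confirming that path refuses the packet cleanly rather than attempting any GSS handling elsewhere. The same guard is added to processUpdate in rfc2136handler.cc and the same question applies there. A comment on the condition would make the intent explicit, e.g. `// GSS-TSIG is opt-in via enable-gss-tsig; when off, GSS-signed packets take the non-GSS path below`. doQuestion continues outside the hunk.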
index 39b3a8cb41c80a8434c734fa3299cfeee95a54a9..e29a27e06b0c9fd1fef2f3b4ddaf538741423595 100644 (file)
@@ -19,6 +19,7 @@
 #include "communicator.hh"
 #include "query-local-address.hh"
 #include "gss_context.hh"
+#include "auth-main.hh"
 
 extern StatBag S;
 extern CommunicatorClass Communicator;
@@ -695,7 +696,7 @@ int PacketHandler::processUpdate(DNSPacket& p) {
         return RCode::Refused;
       }
 
-      if (p.d_tsig_algo == TSIG_GSS) {
+      if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS) {
         GssName inputname(p.d_peer_principal); // match against principal since GSS
         for(const auto& key: tsigKeys) {
           if (inputname.match(key)) {
index fe94438eeb4f9fd3185040537e36fb8d43554c02..5d4bdc34818bdabcdb48fe7b2f22b8dc54772606 100644 (file)
@@ -3,6 +3,7 @@
 #endif
 #include "packethandler.hh"
 #include "gss_context.hh"
+#include "auth-main.hh"
 
 void PacketHandler::tkeyHandler(const DNSPacket& p, std::unique_ptr<DNSPacket>& r) {
 #if 0
@@ -29,31 +30,40 @@ void PacketHandler::tkeyHandler(const DNSPacket& p, std::unique_ptr<DNSPacket>&
   tkey_out->d_expiration = tkey_out->d_inception+15;
 
   if (tkey_in.d_mode == 3) { // establish context
-    if (tkey_in.d_algo == DNSName("gss-tsig.")) {
-      std::vector<std::string> meta;
-      DNSName tmpName(name);
-      do {
-        if (B.getDomainMetadata(tmpName, "GSS-ACCEPTOR-PRINCIPAL", meta) && meta.size()>0) {
-          break;
-        }
-      } while(tmpName.chopOff());
+    if (g_doGssTSIG) {
+      if (tkey_in.d_algo == DNSName("gss-tsig.")) {
+        std::vector<std::string> meta;
+        DNSName tmpName(name);
+        do {
+          if (B.getDomainMetadata(tmpName, "GSS-ACCEPTOR-PRINCIPAL", meta) && meta.size()>0) {
+            break;
+          }
+        } while(tmpName.chopOff());
 
-      if (meta.size() == 0) {
-        tkey_out->d_error = 20;
-      } else {
-        GssContext ctx(name);
-        ctx.setLocalPrincipal(meta[0]);
-        // try to get a context
-        if (!ctx.accept(tkey_in.d_key, tkey_out->d_key)) {
-          ctx.destroy();
-          tkey_out->d_error = 19;
-        }
-        else {
-          sign = true;
+        if (meta.size() == 0) {
+          tkey_out->d_error = 20;
+        } else {
+          GssContext ctx(name);
+          ctx.setLocalPrincipal(meta[0]);
+          // try to get a context
+          if (!ctx.accept(tkey_in.d_key, tkey_out->d_key)) {
+            ctx.destroy();
+            tkey_out->d_error = 19;
+          }
+          else {
+            sign = true;
+          }
         }
+      } else {
+        tkey_out->d_error = 21; // BADALGO
       }
     } else {
       tkey_out->d_error = 21; // BADALGO
+#ifdef ENABLE_GSS_TSIG
+      g_log<<Logger::Error<<"GSS-TSIG request but feature not enabled by enable-gss-tsigs setting"<<endl;
+#else
+      g_log<<Logger::Error<<"GSS-TSIG request but not feature not compiled in"<<endl;
+#endif
     }
   } else if (tkey_in.d_mode == 5) { // destroy context
     if (p.d_havetsig == false) { // unauthenticated
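Review bot: Both new log lines in the disabled branch carry text defects: the first names the setting as `enable-gss-tsigs` while declareArguments() registers it as `enable-gss-tsig`, and the second reads "but not feature not compiled in"; they should be `g_log<<Logger::Error<<"GSS-TSIG request but feature not enabled by enable-gss-tsig setting"<<endl;` and `g_log<<Logger::Error<<"GSS-TSIG request but feature not compiled in"<<endl;`. That branch is reached for every mode-3 TKEY regardless of `tkey_in.d_algo` and before any authentication, so with the feature off each such query from any client produces one Error-level line; Warning level or a once-per-start notice would keep the log usable under a flood. The BADALGO assignment is now duplicated in the inner and outer `else`, which could be folded by testing the switch together with the algorithm. tkeyHandler begins before and continues after this hunk.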