In some (low level) code, g_doGssTSIG cannot be used as the code is shared between various executables,
but the functionality should be conditional in the higher level processing.
This is a bit tricky to get right, so careful checks are needed.
time_t g_luaHealthChecksInterval{5};
time_t g_luaHealthChecksExpireDelay{3600};
#endif
+#ifdef ENABLE_GSS_TSIG
bool g_doGssTSIG;
+#endif
typedef Distributor<DNSPacket, DNSPacket, PacketHandler> DNSDistributor;
ArgvMap theArg;
::arg().setSwitch("consistent-backends", "Assume individual zones are not divided over backends. Send only ANY lookup operations to the backend to reduce the number of lookups") = "yes";
::arg().set("rng", "Specify the random number generator to use. Valid values are auto,sodium,openssl,getrandom,arc4random,urandom.") = "auto";
+#ifdef ENABLE_GSS_TSIG
::arg().setSwitch("enable-gss-tsig", "Enable GSS TSIG processing") = "no";
+#endif
::arg().setDefaults();
}
g_luaHealthChecksInterval = ::arg().asNum("lua-health-checks-interval");
g_luaHealthChecksExpireDelay = ::arg().asNum("lua-health-checks-expire-delay");
#endif
+#ifdef ENABLE_GSS_TSIG
g_doGssTSIG = ::arg().mustDo("enable-gss-tsig");
+#endif
DNSPacket::s_udpTruncationThreshold = std::max(512, ::arg().asNum("udp-truncation-threshold"));
DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
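Review bot: `bool g_doGssTSIG;` inside the new `#ifdef` relies on zero-initialization of a namespace-scope global while the flags right above it use braced initializers; `bool g_doGssTSIG{false};` makes the safe default explicit and matches `g_luaHealthChecksInterval{5}`. The help text of `enable-gss-tsig` could also state the consequence of leaving it off, since the TKEY handler later in this commit answers BADALGO in that case: `"Enable GSS-TSIG processing. When disabled, gss-tsig TKEY requests are answered with BADALGO"`. Whether anything consults the flag before `mustDo("enable-gss-tsig")` runs cannot be seen from this hunk.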
extern bool g_LuaRecordSharedState;
extern time_t g_luaHealthChecksInterval;
extern time_t g_luaHealthChecksExpireDelay;
-extern bool g_doGssTSIG;
#endif // HAVE_LUA_RECORDS
#include "arguments.hh"
#include <atomic>
#include "statbag.hh"
+#include "gss_context.hh"
extern StatBag S;
QD->callback(a, QD->start);
#ifdef ENABLE_GSS_TSIG
- if (a != nullptr) {
+ if (g_doGssTSIG && a != nullptr) {
QD->Q.cleanupGSS(a->d.rcode);
}
#endif
}
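Review bot: The new `g_doGssTSIG &&` guard means a GSS context is only torn down when the switch is on, which is safe only if no code path creates a `GssContext` while the switch is off; the flag is read once at startup in this commit, so the open question is whether TSIG verification of a gss-tsig signed packet (outside this hunk) is gated the same way. `cleanupGSS` itself already returns unless the packet's algorithm is gss-tsig and a key name is set, so the added condition is a shortcut rather than a correctness check. I would record the assumption next to the call: `// GSS contexts only exist when enable-gss-tsig is set; nothing to tear down otherwise.` The identical guard is repeated in the next hunk and could share that comment.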
callback(a, start);
#ifdef ENABLE_GSS_TSIG
- if (a != nullptr) {
+ if (g_doGssTSIG && a != nullptr) {
q.cleanupGSS(a->d.rcode);
}
#endif
#ifdef ENABLE_GSS_TSIG
void DNSPacket::cleanupGSS(int rcode)
{
+ // We cannot check g_doGssTSIG here, as this code is also included in other executables
+ // than pdns_server.
if (rcode != RCode::NoError && d_tsig_algo == TSIG_GSS && !getTSIGKeyname().empty()) {
GssContext ctx(getTSIGKeyname());
ctx.destroy();
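Review bot: The new comment says why the flag is not checked here but not what the function's contract is, so a reader of `cleanupGSS` alone cannot tell that its callers are expected to gate on `g_doGssTSIG`. I would extend it to: `// Tears down the GSS context for this packet's TSIG key when the reply carries an error rcode. Callers in pdns_server gate this on g_doGssTSIG; the check cannot live here because this translation unit is also linked into executables that do not define the flag.` The function's closing lines are outside the hunk.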
#ifdef ENABLE_GSS_TSIG
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
+extern bool g_doGssTSIG;
#endif
//! Generic errors
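Review bot: The `extern bool g_doGssTSIG;` moved into this header gives no hint of where the one definition lives, and any executable linking code that includes this header under `ENABLE_GSS_TSIG` must now supply it — the unit test in this commit does so by hand. A comment at the declaration would save the next linker error: `// Runtime switch set from the enable-gss-tsig setting in the server startup code; other executables linking code that references it must provide their own definition.`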
return r;
} else {
getTSIGHashEnum(trc.d_algoName, p.d_tsig_algo);
+#ifdef ENABLE_GSS_TSIG
if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS) {
GssContext gssctx(keyname);
if (!gssctx.getPeerPrincipal(p.d_peer_principal)) {
g_log<<Logger::Warning<<"Failed to extract peer principal from GSS context with keyname '"<<keyname<<"'"<<endl;
}
}
+#endif
}
p.setTSIGDetails(trc, keyname, secret, trc.d_mac); // this will get copied by replyPacket()
noCache=true;
g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;
return RCode::Refused;
}
-
+#ifdef ENABLE_GSS_TSIG
if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS) {
GssName inputname(p.d_peer_principal); // match against principal since GSS requires that
for(const auto& key: tsigKeys) {
break;
}
}
- } else {
+ }
+ else
+#endif
+ {
for(const auto& key: tsigKeys) {
if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the name of the key matches with the domain given it is valid.
validKey=true;
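Review bot: When `g_doGssTSIG` is off but the packet's TSIG algorithm is gss-tsig, the restructured `else` now sends it through the plain key-name loop, where `inputkey == DNSName(key)` can authorize it by name alone; that loop's comment relies on checkForCorrectTSIG having verified the signature, and whether that earlier step refuses gss-tsig packets when the switch is off is outside this hunk. Unless it does, I would refuse explicitly inside the `#ifdef` rather than fall through, reusing the REFUSED path this function already uses for a missing key. The enclosing function starts and ends outside the hunk.
```cpp
#ifdef ENABLE_GSS_TSIG
  if (p.d_tsig_algo == TSIG_GSS) {
    if (!g_doGssTSIG) {
      g_log<<Logger::Error<<msgPrefix<<"TSIG signed with gss-tsig but enable-gss-tsig is not set. Sending REFUSED"<<endl;
      return RCode::Refused;
    }
    GssName inputname(p.d_peer_principal); // match against principal since GSS requires that
    // … unchanged: principal matching loop …
  }
  else
#endif
  {
    // … unchanged: key-name matching loop …
```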
sendPacket(reply, fd);
#ifdef ENABLE_GSS_TSIG
- packet->cleanupGSS(reply->d.rcode);
+ if (g_doGssTSIG) {
+ packet->cleanupGSS(reply->d.rcode);
+ }
#endif
}
}
return false;
} else {
getTSIGHashEnum(trc.d_algoName, q->d_tsig_algo);
+#ifdef ENABLE_GSS_TSIG
if (g_doGssTSIG && q->d_tsig_algo == TSIG_GSS) {
GssContext gssctx(keyname);
if (!gssctx.getPeerPrincipal(q->d_peer_principal)) {
g_log<<Logger::Warning<<"Failed to extract peer principal from GSS context with keyname '"<<keyname<<"'"<<endl;
}
}
+#endif
}
DNSSECKeeper dk(packetHandler->getBackend());
+#ifdef ENABLE_GSS_TSIG
if (g_doGssTSIG && q->d_tsig_algo == TSIG_GSS) {
vector<string> princs;
packetHandler->getBackend()->getDomainMetadata(q->qdomain, "GSS-ALLOW-AXFR-PRINCIPAL", princs);
g_log<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' denied: TSIG signed request with principal '"<<q->d_peer_principal<<"' and algorithm 'gss-tsig' is not permitted"<<endl;
return false;
}
+#endif
if(!dk.TSIGGrantsAccess(q->qdomain, keyname)) {
g_log<<Logger::Warning<<logPrefix<<"denied: key with name '"<<keyname<<"' and algorithm '"<<getTSIGAlgoName(q->d_tsig_algo)<<"' does not grant access"<<endl;
return false;
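Review bot: In the gss-tsig block wrapped around the principal extraction, a `getPeerPrincipal` failure is only logged and the function carries on to the access checks with `q->d_peer_principal` unset; every other TSIG problem in this code returns `false`, so the warning should be followed by `return false;` to fail closed. The same hunk also lets a gss-tsig signed request with the switch off skip the principal block entirely and reach `dk.TSIGGrantsAccess(q->qdomain, keyname)` with the GSS key name, which is safe only if verification earlier in this function rejects such packets — not visible here. The principal-matching code between the metadata lookup and the denial log is not shown, so I have not reviewed that loop.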
#include <boost/test/unit_test.hpp>
#include "distributor.hh"
#include "dnspacket.hh"
-#include "namespaces.hh"
+#include "namespaces.hh"
+
+bool g_doGssTSIG = false;
BOOST_AUTO_TEST_SUITE(test_distributor_hh)
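Review bot: `bool g_doGssTSIG = false;` is defined unconditionally here while the declaration it satisfies in gss_context.hh only exists under `ENABLE_GSS_TSIG`, so in a non-GSS build this is an unreferenced global rather than a definition of anything; wrapping it in the same `#ifdef ENABLE_GSS_TSIG` keeps the two in step. A comment would also tell the next reader why a test defines a server flag: `// distributor.hh references g_doGssTSIG; pdns_server defines it, so this test must provide its own.`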
tkey_out->d_expiration = tkey_out->d_inception+15;
if (tkey_in.d_mode == 3) { // establish context
+#ifdef ENABLE_GSS_TSIG
if (g_doGssTSIG) {
if (tkey_in.d_algo == DNSName("gss-tsig.")) {
std::vector<std::string> meta;
} else {
tkey_out->d_error = 21; // BADALGO
}
- } else {
+ } else
+#endif
+ {
tkey_out->d_error = 21; // BADALGO
#ifdef ENABLE_GSS_TSIG
g_log<<Logger::Error<<"GSS-TSIG request but feature not enabled by enable-gss-tsigs setting"<<endl;