From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 31 May 2024 06:38:24 +0000 (+0200)
Subject: s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
X-Git-Tag: samba-4.19.8~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=234503e23759a8984bac63826e0104788473bbdb;p=thirdparty%2Fsamba.git

s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa0f23e69eaf4f475bc9dc9aa0e23c7bd5208250)
---

diff --git a/selftest/knownfail.d/dns_tkey b/selftest/knownfail.d/dns_tkey
index 0925ca288a1..edb6e0b2115 100644
--- a/selftest/knownfail.d/dns_tkey
+++ b/selftest/knownfail.d/dns_tkey
@@ -1,8 +1,6 @@
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_keyname.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_mac.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_tkey_gss_microsoft_com.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_tkey_invalid_gss_MICROSOFT_com.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_tkey_invalid_gss_TSIG.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_answers.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_microsoft_com_tkey_req_additional.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_microsoft_com_tkey_req_answers.fl2008r2dc
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 181beda219b..3ac3cd4b2b1 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -663,8 +663,17 @@ static NTSTATUS create_tkey(struct dns_server *dns,
 {
 	NTSTATUS status;
 	struct dns_server_tkey_store *store = dns->tkeys;
-	struct dns_server_tkey *k = talloc_zero(store, struct dns_server_tkey);
+	struct dns_server_tkey *k = NULL;
+
+	if (strcmp(algorithm, "gss-tsig") == 0) {
+		/* ok */
+	} else if (strcmp(algorithm, "gss.microsoft.com") == 0) {
+		/* ok */
+	} else {
+		return NT_STATUS_ACCESS_DENIED;
+	}
 
+	k = talloc_zero(store, struct dns_server_tkey);
 	if (k == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}