From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 31 May 2024 06:38:24 +0000 (+0200)
Subject: s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
X-Git-Tag: samba-4.19.8~72
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=288744a74b5bbc99c40c6a66eda58efde6545d7d;p=thirdparty%2Fsamba.git

s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ae7538af04435658d2ba6dcab109beecb6c5f13e)
---

diff --git a/selftest/knownfail.d/dns_tkey b/selftest/knownfail.d/dns_tkey
index edb6e0b2115..8ce60f8507c 100644
--- a/selftest/knownfail.d/dns_tkey
+++ b/selftest/knownfail.d/dns_tkey
@@ -1,12 +1,9 @@
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_keyname.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_mac.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_tkey_gss_microsoft_com.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_answers.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_microsoft_com_tkey_req_additional.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_microsoft_com_tkey_req_answers.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_algorithm.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_changed_algorithm1.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_changed_algorithm2.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_additional.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_windows.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_wo_tsig.fl2008r2dc
diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c
index 9d44512b1ca..19d6b0dad14 100644
--- a/source4/dns_server/dns_crypto.c
+++ b/source4/dns_server/dns_crypto.c
@@ -382,6 +382,7 @@ WERROR dns_sign_tsig(struct dns_server *dns,
 		.data = NULL,
 		.length = 0
 	};
+	const char *algorithm = "gss-tsig";
 
 	tsig = talloc_zero(mem_ctx, struct dns_res_rec);
 	if (tsig == NULL) {
@@ -402,6 +403,8 @@ WERROR dns_sign_tsig(struct dns_server *dns,
 		if (!W_ERROR_IS_OK(werror)) {
 			return werror;
 		}
+
+		algorithm = tkey->algorithm;
 	}
 
 	tsig->name = talloc_strdup(tsig, state->key_name);
@@ -412,7 +415,7 @@ WERROR dns_sign_tsig(struct dns_server *dns,
 	tsig->rr_type = DNS_QTYPE_TSIG;
 	tsig->ttl = 0;
 	tsig->length = UINT16_MAX;
-	tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
+	tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, algorithm);
 	if (tsig->rdata.tsig_record.algorithm_name == NULL) {
 		return WERR_NOT_ENOUGH_MEMORY;
 	}