From: Michał Kępień Date: Mon, 6 Oct 2025 11:19:50 +0000 (+0200) Subject: Remove "tkey-gssapi-credential" and related code X-Git-Tag: v9.21.15~80^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84b96df1532dd5982969e34ef9ac2d9c3d4fe218;p=thirdparty%2Fbind9.git Remove "tkey-gssapi-credential" and related code Since the "tkey-gssapi-credential" statement has been previously deprecated, mark it as ancient and remove all code related to it: - The code processing the "tkey-gssapi-credential" statement in the configuration is the only user of the dst_gssapi_acquirecred() and dst_gssapi_releasecred() functions, so remove them along with their static helper functions and a backup definition of the GSS_KRB5_MECHANISM macro. - When calling gss_accept_sec_context(), pass GSS_C_NO_CREDENTIAL instead of the credential acquired by gss_acquire_cred(). (Previously, NULL was passed when "tkey-gssapi-credential" was not specified. Kerberos headers define GSS_C_NO_CREDENTIAL as (gss_cred_id_t) 0, so the logic was effectively the same, but using the GSS_C_NO_CREDENTIAL macro is more appropriate.) This renders the 'cred' parameter for dst_gssapi_acceptctx() redundant, so remove it from the prototype of the latter. (Contrary to what the documentation for dst_gssapi_acceptctx() claims, dst_gssapi_releasecred() does not need to subsequently be called to free the GSS-API context; a dst_gssapi_deletectx() call in gssapi_destroy() takes care of that when the dynamically generated TSIG key is destroyed.) - Remove the 'gsscred' member from struct dns_tkeyctx, along with its related dns_gss_cred_id_t typedef. Update the relevant sections of the ARM and code comments accordingly. This makes the "tkey-gssapi-keytab" statement the only way to set up GSS-TSIG in named. Remove redundant code from bin/named/tkeyconf.c while at it. --- diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ad0847d7070..31faed9bffd 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -920,6 +920,7 @@ cross-version-config-tests: untracked: true expire_in: "1 day" when: always + allow_failure: true # Jobs for regular GCC builds on Alpine Linux 3.22 (amd64) diff --git a/bin/named/config.c b/bin/named/config.c index 6e7d481aad6..ce0c17ac419 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -127,7 +127,6 @@ options {\n\ tcp-primaries-timeout 150;\n\ tcp-receive-buffer 0;\n\ tcp-send-buffer 0;\n\ -# tkey-gssapi-credential \n\ transfer-message-size 20480;\n\ transfers-in 10;\n\ transfers-out 10;\n\ diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c index 564c5affacc..9d6b012e5a5 100644 --- a/bin/named/tkeyconf.c +++ b/bin/named/tkeyconf.c @@ -13,15 +13,8 @@ /*! \file */ -#include - -#include #include -#include -#include -#include -#include #include #include @@ -30,43 +23,16 @@ #include -#define RETERR(x) \ - do { \ - result = (x); \ - if (result != ISC_R_SUCCESS) \ - goto failure; \ - } while (0) - -#include -#define LOG(msg) \ - isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, \ - ISC_LOG_ERROR, "%s", msg) - isc_result_t named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, dns_tkeyctx_t **tctxp) { isc_result_t result; dns_tkeyctx_t *tctx = NULL; const char *s; - dns_fixedname_t fname; - dns_name_t *name; - isc_buffer_t b; const cfg_obj_t *obj; dns_tkeyctx_create(mctx, &tctx); - obj = NULL; - result = cfg_map_get(options, "tkey-gssapi-credential", &obj); - if (result == ISC_R_SUCCESS) { - s = cfg_obj_asstring(obj); - - isc_buffer_constinit(&b, s, strlen(s)); - isc_buffer_add(&b, strlen(s)); - name = dns_fixedname_initname(&fname); - RETERR(dns_name_fromtext(name, &b, dns_rootname, 0)); - RETERR(dst_gssapi_acquirecred(name, false, &tctx->gsscred)); - } - obj = NULL; result = cfg_map_get(options, "tkey-gssapi-keytab", &obj); if (result == ISC_R_SUCCESS) { @@ -76,8 +42,4 @@ named_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx, *tctxp = tctx; return ISC_R_SUCCESS; - -failure: - dns_tkeyctx_destroy(&tctx); - return result; } diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 3a761cfd1bd..110d34cf08c 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -1448,21 +1448,8 @@ default is used. :tags: security :short: Sets the KRB5 keytab file to use for GSS-TSIG updates. - This is the KRB5 keytab file to use for GSS-TSIG updates. If this option is - set and ``tkey-gssapi-credential`` is not set, updates are - allowed with any key matching a principal in the specified keytab. - -.. namedconf:statement:: tkey-gssapi-credential - :tags: security - :short: Sets the security credential for authentication keys requested by the GSS-TSIG protocol. - - This is the security credential with which the server should authenticate - keys requested by the GSS-TSIG protocol. Currently only Kerberos 5 - authentication is available; the credential is a Kerberos - principal which the server can acquire through the default system key - file, normally ``/etc/krb5.keytab``. The location of the keytab file can be - overridden using the :any:`tkey-gssapi-keytab` option. Normally this - principal is of the form ``DNS/server.domain``. + This is the KRB5 keytab file to use for GSS-TSIG updates, which are + allowed for any key matching a principal in the specified keytab. .. namedconf:statement:: dump-file :tags: logging diff --git a/doc/changelog/changelog-9.21.12.rst b/doc/changelog/changelog-9.21.12.rst index 89527f3674a..d59d8729b98 100644 --- a/doc/changelog/changelog-9.21.12.rst +++ b/doc/changelog/changelog-9.21.12.rst @@ -61,16 +61,16 @@ Removed Features The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in a simpler and more reliable way than using the - :any:`tkey-gssapi-credential` statement and setting environment + ``tkey-gssapi-credential`` statement and setting environment variables (e.g. ``KRB5_KTNAME``). Therefore, the - :any:`tkey-gssapi-credential` statement has been deprecated; + ``tkey-gssapi-credential`` statement has been deprecated; :any:`tkey-gssapi-keytab` should be used instead. For configurations currently using a combination of both - :any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the + :any:`tkey-gssapi-keytab` *and* ``tkey-gssapi-credential``, the latter should be dropped and the keytab pointed to by :any:`tkey-gssapi-keytab` should now only contain the credential - previously specified by :any:`tkey-gssapi-credential`. :gl:`#4204` + previously specified by ``tkey-gssapi-credential``. :gl:`#4204` :gl:`!10782` - Obsolete the "tkey-domain" statement. ``bed752f57f`` diff --git a/doc/misc/options b/doc/misc/options index e11f0c4d869..6a193547a06 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -303,7 +303,6 @@ options { tcp-receive-buffer ; tcp-send-buffer ; tkey-domain ; // obsolete - tkey-gssapi-credential ; // deprecated tkey-gssapi-keytab ; tls-port ; transfer-format ( many-answers | one-answer ); diff --git a/doc/notes/notes-9.21.12.rst b/doc/notes/notes-9.21.12.rst index 283feb4ce57..3c3ce2dd137 100644 --- a/doc/notes/notes-9.21.12.rst +++ b/doc/notes/notes-9.21.12.rst @@ -40,20 +40,20 @@ New Features Removed Features ~~~~~~~~~~~~~~~~ -- Deprecate the :namedconf:ref:`tkey-gssapi-credential` statement. +- Deprecate the ``tkey-gssapi-credential`` statement. The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in a simpler and more reliable way than using the - :any:`tkey-gssapi-credential` statement and setting environment + ``tkey-gssapi-credential`` statement and setting environment variables (e.g. ``KRB5_KTNAME``). Therefore, the - :any:`tkey-gssapi-credential` statement has been deprecated; + ``tkey-gssapi-credential`` statement has been deprecated; :any:`tkey-gssapi-keytab` should be used instead. For configurations currently using a combination of both - :any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the + :any:`tkey-gssapi-keytab` *and* ``tkey-gssapi-credential``, the latter should be dropped and the keytab pointed to by :any:`tkey-gssapi-keytab` should now only contain the credential - previously specified by :any:`tkey-gssapi-credential`. :gl:`#4204` + previously specified by ``tkey-gssapi-credential``. :gl:`#4204` - Obsolete the "tkey-domain" statement. diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c index 8e9025d3570..ea39bb5d98b 100644 --- a/lib/dns/gssapictx.c +++ b/lib/dns/gssapictx.c @@ -61,15 +61,6 @@ #if HAVE_GSSAPI -#ifndef GSS_KRB5_MECHANISM -static unsigned char krb5_mech_oid_bytes[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x12, 0x01, 0x02, 0x02 }; -static gss_OID_desc __gss_krb5_mechanism_oid_desc = { - sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes -}; -#define GSS_KRB5_MECHANISM (&__gss_krb5_mechanism_oid_desc) -#endif /* ifndef GSS_KRB5_MECHANISM */ - #ifndef GSS_SPNEGO_MECHANISM static unsigned char spnego_mech_oid_bytes[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 }; @@ -124,249 +115,6 @@ name_to_gbuffer(const dns_name_t *name, isc_buffer_t *buffer, REGION_TO_GBUFFER(r, *gbuffer); } -static void -log_cred(const gss_cred_id_t cred) { - OM_uint32 gret, minor, lifetime; - gss_name_t gname; - gss_buffer_desc gbuffer; - gss_cred_usage_t usage; - const char *usage_text; - char buf[1024]; - - gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL); - if (gret != GSS_S_COMPLETE) { - gss_log(3, "failed gss_inquire_cred: %s", - gss_error_tostring(gret, minor, buf, sizeof(buf))); - return; - } - - gret = gss_display_name(&minor, gname, &gbuffer, NULL); - if (gret != GSS_S_COMPLETE) { - gss_log(3, "failed gss_display_name: %s", - gss_error_tostring(gret, minor, buf, sizeof(buf))); - } else { - switch (usage) { - case GSS_C_BOTH: - usage_text = "GSS_C_BOTH"; - break; - case GSS_C_INITIATE: - usage_text = "GSS_C_INITIATE"; - break; - case GSS_C_ACCEPT: - usage_text = "GSS_C_ACCEPT"; - break; - default: - usage_text = "???"; - } - gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value, - usage_text, (unsigned long)lifetime); - } - - if (gret == GSS_S_COMPLETE) { - if (gbuffer.length != 0U) { - gret = gss_release_buffer(&minor, &gbuffer); - if (gret != GSS_S_COMPLETE) { - gss_log(3, "failed gss_release_buffer: %s", - gss_error_tostring(gret, minor, buf, - sizeof(buf))); - } - } - } - - gret = gss_release_name(&minor, &gname); - if (gret != GSS_S_COMPLETE) { - gss_log(3, "failed gss_release_name: %s", - gss_error_tostring(gret, minor, buf, sizeof(buf))); - } -} - -/* - * check for the most common configuration errors. - * - * The errors checked for are: - * - tkey-gssapi-credential doesn't start with DNS/ - * - the default realm in /etc/krb5.conf and the - * tkey-gssapi-credential bind config option don't match - * - * Note that if tkey-gssapi-keytab is set then these configure checks - * are not performed, and runtime errors from gssapi are used instead - */ -static void -check_config(const char *gss_name) { - const char *p; - krb5_context krb5_ctx; - char *krb5_realm_name = NULL; - - if (strncasecmp(gss_name, "DNS/", 4) != 0) { - gss_log(ISC_LOG_ERROR, - "tkey-gssapi-credential (%s) " - "should start with 'DNS/'", - gss_name); - return; - } - - if (krb5_init_context(&krb5_ctx) != 0) { - gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context"); - return; - } - if (krb5_get_default_realm(krb5_ctx, &krb5_realm_name) != 0) { - gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm"); - krb5_free_context(krb5_ctx); - return; - } - p = strchr(gss_name, '@'); - if (p == NULL) { - gss_log(ISC_LOG_ERROR, - "badly formatted " - "tkey-gssapi-credentials (%s)", - gss_name); - krb5_free_context(krb5_ctx); - return; - } - if (strcasecmp(p + 1, krb5_realm_name) != 0) { - gss_log(ISC_LOG_ERROR, - "default realm from krb5.conf (%s) " - "does not match tkey-gssapi-credential (%s)", - krb5_realm_name, gss_name); - krb5_free_context(krb5_ctx); - return; - } - krb5_free_context(krb5_ctx); -} - -static OM_uint32 -mech_oid_set_create(OM_uint32 *minor, gss_OID_set *mech_oid_set) { - OM_uint32 gret; - - gret = gss_create_empty_oid_set(minor, mech_oid_set); - if (gret != GSS_S_COMPLETE) { - return gret; - } - - gret = gss_add_oid_set_member(minor, GSS_KRB5_MECHANISM, mech_oid_set); - if (gret != GSS_S_COMPLETE) { - goto release; - } - - gret = gss_add_oid_set_member(minor, GSS_SPNEGO_MECHANISM, - mech_oid_set); - if (gret != GSS_S_COMPLETE) { - goto release; - } - -release: - REQUIRE(gss_release_oid_set(minor, mech_oid_set) == GSS_S_COMPLETE); - - return gret; -} - -static void -mech_oid_set_release(gss_OID_set *mech_oid_set) { - OM_uint32 minor; - - REQUIRE(gss_release_oid_set(&minor, mech_oid_set) == GSS_S_COMPLETE); -} - -isc_result_t -dst_gssapi_acquirecred(const dns_name_t *name, bool initiate, - dns_gss_cred_id_t *cred) { - isc_result_t result; - isc_buffer_t namebuf; - gss_name_t gname; - gss_buffer_desc gnamebuf; - unsigned char array[DNS_NAME_MAXTEXT + 1]; - OM_uint32 gret, minor; - OM_uint32 lifetime; - gss_cred_usage_t usage; - char buf[1024]; - gss_OID_set mech_oid_set; - - REQUIRE(cred != NULL && *cred == NULL); - - /* - * XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE - * here when we're in the acceptor role, which would let us - * default the hostname and use a compiled in default service - * name of "DNS", giving one less thing to configure in - * named.conf. Unfortunately, this creates a circular - * dependency due to DNS-based realm lookup in at least one - * GSSAPI implementation (Heimdal). Oh well. - */ - if (name != NULL) { - isc_buffer_init(&namebuf, array, sizeof(array)); - name_to_gbuffer(name, &namebuf, &gnamebuf); - gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname); - if (gret != GSS_S_COMPLETE) { - check_config((char *)array); - - gss_log(3, "failed gss_import_name: %s", - gss_error_tostring(gret, minor, buf, - sizeof(buf))); - return ISC_R_FAILURE; - } - } else { - gname = NULL; - } - - /* Get the credentials. */ - if (gname != NULL) { - gss_log(3, "acquiring credentials for %s", - (char *)gnamebuf.value); - } else { - /* XXXDCL does this even make any sense? */ - gss_log(3, "acquiring credentials for ?"); - } - - if (initiate) { - usage = GSS_C_INITIATE; - } else { - usage = GSS_C_ACCEPT; - } - - gret = mech_oid_set_create(&minor, &mech_oid_set); - if (gret != GSS_S_COMPLETE) { - gss_log(3, "failed to create OID_set: %s", - gss_error_tostring(gret, minor, buf, sizeof(buf))); - return ISC_R_FAILURE; - } - - gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE, mech_oid_set, - usage, (gss_cred_id_t *)cred, NULL, &lifetime); - - if (gret != GSS_S_COMPLETE) { - gss_log(3, "failed to acquire %s credentials for %s: %s", - initiate ? "initiate" : "accept", - (gname != NULL) ? (char *)gnamebuf.value : "?", - gss_error_tostring(gret, minor, buf, sizeof(buf))); - if (gname != NULL) { - check_config((char *)array); - } - result = ISC_R_FAILURE; - goto cleanup; - } - - gss_log(4, "acquired %s credentials for %s", - initiate ? "initiate" : "accept", - (gname != NULL) ? (char *)gnamebuf.value : "?"); - - log_cred(*cred); - result = ISC_R_SUCCESS; - -cleanup: - mech_oid_set_release(&mech_oid_set); - - if (gname != NULL) { - gret = gss_release_name(&minor, &gname); - if (gret != GSS_S_COMPLETE) { - gss_log(3, "failed gss_release_name: %s", - gss_error_tostring(gret, minor, buf, - sizeof(buf))); - } - } - - return result; -} - bool dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, const dns_name_t *name, @@ -527,24 +275,6 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, return true; } -isc_result_t -dst_gssapi_releasecred(dns_gss_cred_id_t *cred) { - OM_uint32 gret, minor; - char buf[1024]; - - REQUIRE(cred != NULL && *cred != NULL); - - gret = gss_release_cred(&minor, (gss_cred_id_t *)cred); - if (gret != GSS_S_COMPLETE) { - /* Log the error, but still free the credential's memory */ - gss_log(3, "failed releasing credential: %s", - gss_error_tostring(gret, minor, buf, sizeof(buf))); - } - *cred = NULL; - - return ISC_R_SUCCESS; -} - /* * Format a gssapi error message info into a char ** on the given memory * context. This is used to return gssapi error messages back up the @@ -655,10 +385,9 @@ out: } isc_result_t -dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab, - isc_region_t *intoken, isc_buffer_t **outtoken, - dns_gss_ctx_id_t *ctxout, dns_name_t *principal, - isc_mem_t *mctx) { +dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken, + isc_buffer_t **outtoken, dns_gss_ctx_id_t *ctxout, + dns_name_t *principal, isc_mem_t *mctx) { isc_region_t r; isc_buffer_t namebuf; gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken, @@ -713,11 +442,10 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab, #endif } - log_cred(cred); - - gret = gss_accept_sec_context(&minor, &context, cred, &gintoken, - GSS_C_NO_CHANNEL_BINDINGS, &gname, NULL, - &gouttoken, NULL, NULL, NULL); + gret = gss_accept_sec_context(&minor, &context, GSS_C_NO_CREDENTIAL, + &gintoken, GSS_C_NO_CHANNEL_BINDINGS, + &gname, NULL, &gouttoken, NULL, NULL, + NULL); result = ISC_R_FAILURE; @@ -862,18 +590,6 @@ gss_error_tostring(uint32_t major, uint32_t minor, char *buf, size_t buflen) { #else -isc_result_t -dst_gssapi_acquirecred(const dns_name_t *name, bool initiate, - dns_gss_cred_id_t *cred) { - REQUIRE(cred != NULL && *cred == NULL); - - UNUSED(name); - UNUSED(initiate); - UNUSED(cred); - - return ISC_R_NOTIMPLEMENTED; -} - bool dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer, const dns_name_t *name, @@ -898,13 +614,6 @@ dst_gssapi_identitymatchesrealmms(const dns_name_t *signer, return false; } -isc_result_t -dst_gssapi_releasecred(dns_gss_cred_id_t *cred) { - UNUSED(cred); - - return ISC_R_NOTIMPLEMENTED; -} - isc_result_t dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken, isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx, @@ -920,11 +629,9 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken, } isc_result_t -dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab, - isc_region_t *intoken, isc_buffer_t **outtoken, - dns_gss_ctx_id_t *ctxout, dns_name_t *principal, - isc_mem_t *mctx) { - UNUSED(cred); +dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken, + isc_buffer_t **outtoken, dns_gss_ctx_id_t *ctxout, + dns_name_t *principal, isc_mem_t *mctx) { UNUSED(gssapi_keytab); UNUSED(intoken); UNUSED(outtoken); diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h index e580f860973..a8309c1abcb 100644 --- a/lib/dns/include/dns/tkey.h +++ b/lib/dns/include/dns/tkey.h @@ -31,9 +31,8 @@ #define DNS_TKEYMODE_DELETE 5 struct dns_tkeyctx { - dns_gss_cred_id_t gsscred; - isc_mem_t *mctx; - char *gssapi_keytab; + isc_mem_t *mctx; + char *gssapi_keytab; }; void diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h index 5c6f0d203d7..a519487da00 100644 --- a/lib/dns/include/dst/gssapi.h +++ b/lib/dns/include/dst/gssapi.h @@ -23,7 +23,6 @@ #include -typedef void *dns_gss_cred_id_t; typedef void *dns_gss_ctx_id_t; /*** @@ -34,42 +33,6 @@ typedef void *dns_gss_ctx_id_t; *** Functions ***/ -isc_result_t -dst_gssapi_acquirecred(const dns_name_t *name, bool initiate, - dns_gss_cred_id_t *cred); -/* - * Acquires GSS credentials. - * - * Requires: - * 'name' is a valid name, preferably one known by the GSS provider - * 'initiate' indicates whether the credentials are for initiating or - * accepting contexts - * 'cred' is a pointer to NULL, which will be allocated with the - * credential handle. Call dst_gssapi_releasecred to free - * the memory. - * - * Returns: - * ISC_R_SUCCESS msg was successfully updated to include the - * query to be sent - * other an error occurred while building the message - */ - -isc_result_t -dst_gssapi_releasecred(dns_gss_cred_id_t *cred); -/* - * Releases GSS credentials. Calling this function does release the - * memory allocated for the credential in dst_gssapi_acquirecred() - * - * Requires: - * 'mctx' is a valid memory context - * 'cred' is a pointer to the credential to be released - * - * Returns: - * ISC_R_SUCCESS credential was released successfully - * other an error occurred while releaseing - * the credential - */ - isc_result_t dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken, isc_buffer_t *outtoken, dns_gss_ctx_id_t *gssctx, @@ -95,16 +58,14 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken, */ isc_result_t -dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab, - isc_region_t *intoken, isc_buffer_t **outtoken, - dns_gss_ctx_id_t *context, dns_name_t *principal, - isc_mem_t *mctx); +dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken, + isc_buffer_t **outtoken, dns_gss_ctx_id_t *context, + dns_name_t *principal, isc_mem_t *mctx); /* * Accepts a GSS context. * * Requires: * 'mctx' is a valid memory context - * 'cred' is the acceptor's valid GSS credential handle * 'intoken' is a token received from the initiator * 'outtoken' is a pointer a buffer pointer used to return the token * generated by gss_accept_sec_context() to be sent to the @@ -113,8 +74,6 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab, * On the initial call, it should be a pointer to NULL, which * will be allocated as a dns_gss_ctx_id_t. Subsequent calls * should pass in the handle generated on the first call. - * Call dst_gssapi_releasecred to delete the context and free - * the memory. * * Requires: * 'outtoken' to != NULL && *outtoken == NULL. diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index e5857c5bfec..79ca4da3e0a 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -103,9 +103,6 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) { if (tctx->gssapi_keytab != NULL) { isc_mem_free(mctx, tctx->gssapi_keytab); } - if (tctx->gsscred != NULL) { - dst_gssapi_releasecred(&tctx->gsscred); - } isc_mem_putanddetach(&mctx, tctx, sizeof(dns_tkeyctx_t)); } @@ -176,14 +173,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin, dns_gss_ctx_id_t gss_ctx = NULL; /* - * You have to define either a gss credential (principal) to - * accept with tkey-gssapi-credential, or you have to - * configure a specific keytab (with tkey-gssapi-keytab) in + * You have to define a specific keytab (with tkey-gssapi-keytab) in * order to use gsstkey. */ - if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) { - tkey_log("process_gsstkey(): no tkey-gssapi-credential " - "or tkey-gssapi-keytab configured"); + if (tctx->gssapi_keytab == NULL) { + tkey_log("process_gsstkey(): no tkey-gssapi-keytab configured"); return DNS_R_REFUSED; } @@ -202,13 +196,9 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin, gss_ctx = dst_key_getgssctx(tsigkey->key); } - /* - * Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set - */ intoken = (isc_region_t){ tkeyin->key, tkeyin->keylen }; - result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab, - &intoken, &outtoken, &gss_ctx, principal, - tctx->mctx); + result = dst_gssapi_acceptctx(tctx->gssapi_keytab, &intoken, &outtoken, + &gss_ctx, principal, tctx->mctx); if (result == DNS_R_INVALIDTKEY) { if (tsigkey != NULL) { dns_tsigkey_detach(&tsigkey); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 69e5fb0ba99..cb4a36c2b6a 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1349,8 +1349,7 @@ static cfg_clausedef_t options_clauses[] = { { "tcp-send-buffer", &cfg_type_uint32, 0 }, { "tkey-dhkey", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "tkey-domain", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE }, - { "tkey-gssapi-credential", &cfg_type_qstring, - CFG_CLAUSEFLAG_DEPRECATED }, + { "tkey-gssapi-credential", &cfg_type_qstring, CFG_CLAUSEFLAG_ANCIENT }, { "tkey-gssapi-keytab", &cfg_type_qstring, 0 }, { "transfer-message-size", &cfg_type_uint32, 0 }, { "transfers-in", &cfg_type_uint32, 0 },