From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 31 May 2024 06:38:24 +0000 (+0200)
Subject: s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
X-Git-Tag: samba-4.19.8~74
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbf10a68e1c1b67cab3d5862461075d28ae176bf;p=thirdparty%2Fsamba.git

s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3467d1491490830d61d16cb6278051daf48466fc)
---

diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c
index be79a4e87b7..332d2255dd4 100644
--- a/source4/dns_server/dns_crypto.c
+++ b/source4/dns_server/dns_crypto.c
@@ -106,7 +106,7 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 	struct dns_server_tkey *tkey = NULL;
 	struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
 			struct dns_fake_tsig_rec);
-
+	const char *algorithm = NULL;
 
 	/* Find the first TSIG record in the additional records */
 	for (i=0; i < packet->arcount; i++) {
@@ -161,6 +161,16 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 	}
 	DBG_DEBUG("dns_find_tkey() => found\n");
 
+	algorithm = state->tsig->rdata.tsig_record.algorithm_name;
+	if (strcmp(algorithm, "gss-tsig") == 0) {
+		/* ok */
+	} else if (strcmp(algorithm, "gss.microsoft.com") == 0) {
+		/* ok */
+	} else {
+		state->tsig_error = DNS_RCODE_BADKEY;
+		return DNS_ERR(REFUSED);
+	}
+
 	/*
 	 * Remember the keyname that found an existing tkey, used
 	 * later to fetch the key with dns_find_tkey() when signing