From f13cde2acbb61171d2ef4378e277040765cde5e3 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Fri, 7 Jan 2022 10:36:20 +0100
Subject: [PATCH] Reinstate AXFR code for GSS-TSIG, respecting global enable flag.
---
 pdns/gss_context.cc | 8 +++++---
 pdns/gss_context.hh | 2 +-
 pdns/tcpreceiver.cc | 35 ++++++++++++++++++++++++++++-------
 3 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/pdns/gss_context.cc b/pdns/gss_context.cc
index 3d5528016d..cbd3265ee5 100644
--- a/pdns/gss_context.cc
+++ b/pdns/gss_context.cc
@@ -508,7 +508,8 @@ void GssContext::processError(const std::string& method, OM_uint32 maj, OM_uint3
 ostringstream oss;
 if (gss_display_status(&tmp_min, maj, GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &msg) == GSS_S_COMPLETE) {
 oss << method << ": " << msg.value;
- } else {
+ }
+ else {
 oss << method << ": ?";
 }
 if (msg.length != 0) {
@@ -521,9 +522,10 @@ void GssContext::processError(const std::string& method, OM_uint32 maj, OM_uint3
 msg_ctx = 0;
 while (1) {
 ostringstream oss;
- if (gss_display_status(&tmp_min, min, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &msg) == GSS_S_COMPLETE) {
+ if (gss_display_status(&tmp_min, min, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &msg) == GSS_S_COMPLETE) {
 oss << method << ": " << msg.value;
- } else {
+ }
+ else {
 oss << method << ": ?";
 }
 if (msg.length != 0) {
diff --git a/pdns/gss_context.hh b/pdns/gss_context.hh
index 0be518cdd5..659df9d2f0 100644
--- a/pdns/gss_context.hh
+++ b/pdns/gss_context.hh
@@ -57,7 +57,7 @@ enum GssContextType
 class GssSecContext;
 /*! Class for representing GSS names, such as host/host.domain.com@REALM.
-*/
+ */
 class GssName {
 public:
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 88d1be86c0..37fc3ffb8e 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -60,6 +60,7 @@
 #include "stubresolver.hh"
 #include "proxy-protocol.hh"
 #include "noinitvector.hh"
+#include "gss_context.hh"
 extern AuthPacketCache PC;
 extern StatBag S;
@@ -458,9 +459,27 @@ bool TCPNameserver::canDoAXFR(std::unique_ptr& q, bool isAXFR, std::u return false; } else { getTSIGHashEnum(trc.d_algoName, q->d_tsig_algo); + if (g_doGssTSIG && q->d_tsig_algo == TSIG_GSS) { + GssContext gssctx(keyname); + if (!gssctx.getPeerPrincipal(q->d_peer_principal)) { + g_log<getBackend()); + if (g_doGssTSIG && q->d_tsig_algo == TSIG_GSS) { + vector princs; + packetHandler->getBackend()->getDomainMetadata(q->qdomain, "GSS-ALLOW-AXFR-PRINCIPAL", princs); + for(const std::string& princ : princs) { + if (q->d_peer_principal == princ) { + g_log<qdomain<<"' allowed: TSIG signed request with authorized principal '"<d_peer_principal<<"' and algorithm 'gss-tsig'"<qdomain<<"' denied: TSIG signed request with principal '"<d_peer_principal<<"' and algorithm 'gss-tsig' is not permitted"<qdomain, keyname)) { g_log<d_tsig_algo)<<"' does not grant access"<& q, DNSName algorithm=trc.d_algoName; // FIXME400: check if (algorithm == DNSName("hmac-md5.sig-alg.reg.int")) algorithm = DNSName("hmac-md5"); - if (!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) { - g_log<
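Review bot: The bool returned by `packetHandler->getBackend()->getDomainMetadata(q->qdomain, "GSS-ALLOW-AXFR-PRINCIPAL", princs)` in the new gss-tsig block is ignored, so a failed metadata lookup and a domain with no principals configured produce the same "denied ... is not permitted" log line. The request is refused either way because princs stays empty, which is the right default, but assuming the backend signals failure through that return value it is worth checking and logging separately, e.g. `if (!packetHandler->getBackend()->getDomainMetadata(q->qdomain, "GSS-ALLOW-AXFR-PRINCIPAL", princs)) { g_log<<Logger::Error<<"AXFR of domain '"<<q->qdomain<<"' denied: lookup of GSS-ALLOW-AXFR-PRINCIPAL metadata failed"<<endl; return false; }`. The allow decision also rests entirely on the principal that `gssctx.getPeerPrincipal(q->d_peer_principal)` reports for the context named by `keyname`; whether this request's TSIG signature has already been verified against that same context is not visible in the hunk, so a comment above the block stating that precondition and where it is enforced would document the trust boundary. Style-wise, `for(const std::string& princ : princs) {` should read `for (const std::string& princ : princs) {` to match the `if (` spacing on the surrounding lines and the clang-format layout this same commit applies in gss_context.cc. canDoAXFR begins before the hunk, and the later getTSIGKey hunk in this file is cut off at the end of the chunk.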