From fd7bbdb71a8c9251b6e378e1e377886585e1d815 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek
Date: Mon, 3 Jan 2022 17:15:53 +0100
Subject: [PATCH] Introduce runtime switch `enable-gss-tsig` so that GSS-TSIG is disabled by default even if it is compiled in.
---
 pdns/auth-main.cc | 3 +++
 pdns/auth-main.hh | 1 +
 pdns/gss_context.hh | 1 -
 pdns/packethandler.cc | 2 +-
 pdns/rfc2136handler.cc | 3 ++-
 pdns/tkey.cc | 50 +++++++++++++++++++++++++-----------------
 6 files changed, 37 insertions(+), 23 deletions(-)
diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc
index 96f20a4dfd..0d7f13335d 100644
--- a/pdns/auth-main.cc
+++ b/pdns/auth-main.cc
@@ -109,6 +109,7 @@ int g_luaRecordExecLimit;
 time_t g_luaHealthChecksInterval{5};
 time_t g_luaHealthChecksExpireDelay{3600};
 #endif
+bool g_doGssTSIG;
 typedef Distributor DNSDistributor;
 ArgvMap theArg;
@@ -325,6 +326,7 @@ void declareArguments()
 ::arg().setSwitch("consistent-backends", "Assume individual zones are not divided over backends. Send only ANY lookup operations to the backend to reduce the number of lookups") = "yes";
 ::arg().set("rng", "Specify the random number generator to use. Valid values are auto,sodium,openssl,getrandom,arc4random,urandom.") = "auto";
+ ::arg().setSwitch("enable-gss-tsig", "Enable GSS TSIG processing") = "no";
 ::arg().setDefaults();
 }
@@ -697,6 +699,7 @@ void mainthread()
 g_luaHealthChecksInterval = ::arg().asNum("lua-health-checks-interval");
 g_luaHealthChecksExpireDelay = ::arg().asNum("lua-health-checks-expire-delay");
 #endif
+ g_doGssTSIG = ::arg().mustDo("enable-gss-tsig");
 DNSPacket::s_udpTruncationThreshold = std::max(512, ::arg().asNum("udp-truncation-threshold"));
 DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
diff --git a/pdns/auth-main.hh b/pdns/auth-main.hh
index 83fb0c8f4a..de840cc0d4 100644
--- a/pdns/auth-main.hh
+++ b/pdns/auth-main.hh
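Review bot: `g_doGssTSIG = ::arg().mustDo("enable-gss-tsig");` in mainthread() accepts `yes` on any build, but nothing tells the operator when the switch has no effect — the tkey.cc hunk later in this patch guards only a log line with `#ifdef ENABLE_GSS_TSIG`, so the GSS code paths are compiled in or out independently of this setting. An operator who sets the switch on a build without GSS-TSIG support would reasonably believe GSS-TSIG updates are being accepted and verified when they are not. Since `HAVE_LUA_RECORDS` is already tested in this file, config.h is in scope, so right after the assignment I would add `#ifndef ENABLE_GSS_TSIG` / `if (g_doGssTSIG) g_log<<Logger::Warning<<"enable-gss-tsig is set, but this build has no GSS-TSIG support"<<endl;` / `#endif`. The new switch in declareArguments() also has no settings-documentation entry (the diffstat lists only pdns/ sources), so at minimum its description should say that it defaults to `no` and only takes effect when GSS-TSIG is compiled in.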
@@ -60,4 +60,5 @@ extern bool g_doLuaRecord;
 extern bool g_LuaRecordSharedState;
 extern time_t g_luaHealthChecksInterval;
 extern time_t g_luaHealthChecksExpireDelay;
+extern bool g_doGssTSIG;
 #endif // HAVE_LUA_RECORDS
diff --git a/pdns/gss_context.hh b/pdns/gss_context.hh
index 7f3a36bc6c..0be518cdd5 100644
--- a/pdns/gss_context.hh
+++ b/pdns/gss_context.hh
@@ -21,7 +21,6 @@
 */
 #pragma once
-
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index fdde319cb4..cc9328824d 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1377,7 +1377,7 @@ std::unique_ptr PacketHandler::doQuestion(DNSPacket& p)
 return r;
 } else {
 getTSIGHashEnum(trc.d_algoName, p.d_tsig_algo);
- if (p.d_tsig_algo == TSIG_GSS) {
+ if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS) {
 GssContext gssctx(keyname);
 if (!gssctx.getPeerPrincipal(p.d_peer_principal)) {
 g_log<& r) { #if 0
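Review bot: `extern bool g_doGssTSIG;` is added above `#endif // HAVE_LUA_RECORDS`, i.e. inside the conditional block that `#endif` closes, while the definition in auth-main.cc is placed after the matching `#endif` and is unconditional. In a build without Lua records the declaration disappears, and the new uses of `g_doGssTSIG` in packethandler.cc and tkey.cc either fail to compile or, if those files obtain a declaration from elsewhere, silently diverge from the header. Move the line below the guard: `#endif // HAVE_LUA_RECORDS` / `extern bool g_doGssTSIG;`. The `#ifdef` this `#endif` belongs to lies outside the hunk; its name is taken from the trailing comment.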
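Review bot: the new condition `if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS)` only skips the peer-principal lookup when the switch is off; it does not refuse a packet whose TSIG record names the GSS algorithm. The branch is reached through an `else` after `return r;`, which reads as "the packet already passed a TSIG check" performed outside the hunk — if that check verifies GSS signatures through GssContext and is not itself gated on `g_doGssTSIG`, a disabled switch still leaves such a packet accepted as validly signed, now with `p.d_peer_principal` left empty. Either that earlier verification has to honour the switch as well, or this branch should reject TSIG_GSS when `g_doGssTSIG` is false, the same way the preceding check rejects a bad TSIG, and every later consumer of `p.d_peer_principal` should be confirmed to cope with an empty value. doQuestion() starts and ends outside the hunk, and the hunk's last line is garbled in this copy.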
@@ -29,31 +30,40 @@ void PacketHandler::tkeyHandler(const DNSPacket& p, std::unique_ptr&
 tkey_out->d_expiration = tkey_out->d_inception+15;
 if (tkey_in.d_mode == 3) { // establish context
- if (tkey_in.d_algo == DNSName("gss-tsig.")) {
- std::vector meta;
- DNSName tmpName(name);
- do {
- if (B.getDomainMetadata(tmpName, "GSS-ACCEPTOR-PRINCIPAL", meta) && meta.size()>0) {
- break;
- }
- } while(tmpName.chopOff());
+ if (g_doGssTSIG) {
+ if (tkey_in.d_algo == DNSName("gss-tsig.")) {
+ std::vector meta;
+ DNSName tmpName(name);
+ do {
+ if (B.getDomainMetadata(tmpName, "GSS-ACCEPTOR-PRINCIPAL", meta) && meta.size()>0) {
+ break;
+ }
+ } while(tmpName.chopOff());
- if (meta.size() == 0) {
- tkey_out->d_error = 20;
- } else {
- GssContext ctx(name);
- ctx.setLocalPrincipal(meta[0]);
- // try to get a context
- if (!ctx.accept(tkey_in.d_key, tkey_out->d_key)) {
- ctx.destroy();
- tkey_out->d_error = 19;
- }
- else {
- sign = true;
+ if (meta.size() == 0) {
+ tkey_out->d_error = 20;
+ } else {
+ GssContext ctx(name);
+ ctx.setLocalPrincipal(meta[0]);
+ // try to get a context
+ if (!ctx.accept(tkey_in.d_key, tkey_out->d_key)) {
+ ctx.destroy();
+ tkey_out->d_error = 19;
+ }
+ else {
+ sign = true;
+ }
 }
+ } else {
+ tkey_out->d_error = 21; // BADALGO
 }
 } else {
 tkey_out->d_error = 21; // BADALGO
+#ifdef ENABLE_GSS_TSIG
+ g_log<