]> git.ipfire.org Git - thirdparty/bind9.git/commit
projects / thirdparty / bind9.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 51dde6e) | patch
Add regression test for GSS-API context leak via TKEY CONTINUE
authorOndřej Surý <ondrej@isc.org>
Fri, 20 Mar 2026 07:43:28 +0000 (08:43 +0100)
committerMichał Kępień <michal@isc.org>
Thu, 7 May 2026 11:32:15 +0000 (13:32 +0200)
commitf14fac5a331d0c2176701dbf6ff3b8dcdb33473b
treef429b7367f2776f022400441f524cd45247b978ftree | snapshot
parent51dde6ef431c4290f7fa0a0a45670e1d67c6f195commit | diff
Add regression test for GSS-API context leak via TKEY CONTINUE

Send crafted SPNEGO NegTokenInit tokens that propose the krb5
mechanism without a mechToken.  This causes gss_accept_sec_context()
to return GSS_S_CONTINUE_NEEDED, which on unfixed code leaks the
GSS context handle (~520 bytes per query).

The test verifies that the server rejects the negotiation (TKEY
error != 0, no continuation token) rather than returning a CONTINUE
response (error=0 with output token).
bin/tests/system/tkeyleak/ns1/dns.keytab [new file with mode: 0644] blob
bin/tests/system/tkeyleak/ns1/example.db.in [new file with mode: 0644] blob
bin/tests/system/tkeyleak/ns1/named.conf.j2 [new file with mode: 0644] blob
bin/tests/system/tkeyleak/prereq.sh [new file with mode: 0644] blob
bin/tests/system/tkeyleak/setup.sh [new file with mode: 0644] blob
bin/tests/system/tkeyleak/tests_tkeyleak.py [new file with mode: 0644] blob
Mirror of https://gitlab.isc.org/isc-projects/bind9.git