}
}
+bool GssApiSecCtx::ignore_bad_direction_ = false;
+
GssApiSecCtx::GssApiSecCtx(gss_ctx_id_t sec_ctx)
: GssApiLastError(), sec_ctx_(sec_ctx) {
}
OM_uint32 major = gss_verify_mic(&minor, sec_ctx_, gmessage.getPtr(),
gsig.getPtr(), 0);
if (major != GSS_S_COMPLETE) {
+ string err_msg = gssApiErrMsg(major, minor);
+ // Should use minor == G_BAD_DIRECTION but the code point is
+ // in a generated include not provided by all packages.
+ if (ignore_bad_direction_ && (major == GSS_S_BAD_MIC) &&
+#ifdef G_BAD_DIRECTION
+ (minor == G_BAD_DIRECTION)
+#else
+ (err_msg.find("wrong direction") != string::npos)
+#endif
+ ) {
+ return;
+ }
setLastError(major);
- isc_throw(GssApiError, "gss_verify_mic failed with "
- << gssApiErrMsg(major, minor));
+ isc_throw(GssApiError, "gss_verify_mic failed with " << err_msg);
}
}
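Review bot: The `return;` inside the `ignore_bad_direction_` branch reports a failed gss_verify_mic() as success without recording anything — setLastError(major) is skipped and nothing is logged — so a caller cannot distinguish a verified MIC from a skipped check, and an operator cannot see how often the exemption fires. At minimum leave a trace before returning, e.g. `// MIC failed only on direction; accepted because ignore-bad-direction is set` followed by the module's debug-level log call with err_msg, and consider still calling setLastError(major) so the condition stays observable. The `#else` fallback compares the text of gssApiErrMsg() against "wrong direction", which depends on the wording gss_display_status() produces in the installed GSS-API library; on a library with different wording the flag silently has no effect, which fails safe but is worth a comment next to the `#else` saying so. Since ignore_bad_direction_ is a process-wide static written from GssTsigCfg::parse(), the exemption applies to every security context, not only the configured one; that scope should be stated in the comment above the check. The enclosing function begins before this hunk.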
#include <dns/name.h>
#include <gss_tsig_cfg.h>
+#include <gss_tsig_context.h>
#include <stats/stats_mgr.h>
#include <limits>
}
const SimpleKeywords GssTsigCfg::GLOBAL_PARAMETERS = {
- { "server-principal", Element::string },
- { "client-principal", Element::string },
- { "client-keytab", Element::string },
- { "credentials-cache", Element::string },
- { "gss-replay-flag", Element::boolean },
- { "gss-sequence-flag", Element::boolean },
- { "tkey-lifetime", Element::integer },
- { "rekey-interval", Element::integer },
- { "retry-interval", Element::integer },
- { "tkey-protocol", Element::string },
- { "fallback", Element::boolean },
- { "exchange-timeout", Element::integer },
- { "servers", Element::list },
- { "user-context", Element::map },
- { "comment", Element::string }
+ { "server-principal", Element::string },
+ { "client-principal", Element::string },
+ { "client-keytab", Element::string },
+ { "credentials-cache", Element::string },
+ { "gss-replay-flag", Element::boolean },
+ { "gss-sequence-flag", Element::boolean },
+ { "tkey-lifetime", Element::integer },
+ { "rekey-interval", Element::integer },
+ { "retry-interval", Element::integer },
+ { "tkey-protocol", Element::string },
+ { "fallback", Element::boolean },
+ { "exchange-timeout", Element::integer },
+ { "ignore-bad-direction", Element::boolean },
+ { "servers", Element::list },
+ { "user-context", Element::map },
+ { "comment", Element::string }
};
GssTsigCfg::GssTsigCfg()
: servers_(), servers_rev_map_(), client_keytab_(""), creds_cache_(""),
- max_tkey_lifetime_(0) {
+ max_tkey_lifetime_(0), ignore_bad_direction_(false) {
}
GssTsigCfg::~GssTsigCfg() {
}
}
+ ConstElementPtr ignore_bad_direction = params->get("ignore-bad-direction");
+ if (ignore_bad_direction) {
+ bool val = ignore_bad_direction->boolValue();
+ ignore_bad_direction_ = val;
+ GssApiSecCtx::ignore_bad_direction_ = val;
+ }
+
ConstElementPtr servers = params->get("servers");
if (!servers) {
return;
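Review bot: `GssApiSecCtx::ignore_bad_direction_` is only written when the "ignore-bad-direction" key is present, so a reconfiguration that removes the key leaves the process-wide static at its previous value while the new GssTsigCfg's own member starts as false from the constructor — the reported configuration and the actual verification behaviour then diverge. Assign the static from the member after the block, `GssApiSecCtx::ignore_bad_direction_ = ignore_bad_direction_;`, so both always agree (this assumes parse() runs on a freshly constructed object, as the constructor initializer suggests). The parse function starts and ends outside this hunk.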
max_tkey_lifetime_ = max_tkey_lifetime;
}
+ /// @brief Get the ignore bad direction flag.
+ ///
+ /// @return the ignore bad direction flag.
+ bool getIgnoreBadDirection() const {
+ return (ignore_bad_direction_);
+ }
+
+ /// @brief Set the ignore bad direction flag.
+ ///
+ /// @param ignore_bad_direction A new ignore bad direction.
+ void setIgnoreBadDirection(bool ignore_bad_direction) {
+ ignore_bad_direction_ = ignore_bad_direction;
+ }
+
private:
/// @brief The DNS server list.
DnsServerList servers_;
/// @brief The maximum TKEY lifetime.
uint32_t max_tkey_lifetime_;
+
+ /// @brief The ignore bad direction flag.
+ bool ignore_bad_direction_;
};
} // end of namespace isc::gss_tsig
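Review bot: `setIgnoreBadDirection()` updates only `ignore_bad_direction_`, while parse() mirrors the same value into the process-wide `GssApiSecCtx::ignore_bad_direction_`; a caller using the setter therefore gets a configuration that reports true but does not change MIC verification. Either mirror the value in the setter, `GssApiSecCtx::ignore_bad_direction_ = ignore_bad_direction;`, or document that the setter affects only the configuration object. The member comment should also say what the flag does, e.g. `/// @brief When true, GSS-API MIC verification failures caused solely by a wrong-direction token are accepted instead of raising an error.`, and the setter's `@param` line reads better as `/// @param ignore_bad_direction The new value of the ignore bad direction flag.`.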