static bool use_tls = false;
static bool usevc = false;
static bool usegsstsig = false;
-static bool use_win2k_gsstsig = false;
-static bool tried_other_gsstsig = false;
static bool local_only = false;
static isc_nm_t *netmgr = NULL;
static isc_loopmgr_t *loopmgr = NULL;
if (gssring != NULL) {
dns_tsigkeyring_detach(&gssring);
}
- tried_other_gsstsig = false;
}
}
break;
case 'g':
usegsstsig = true;
- use_win2k_gsstsig = false;
break;
case 'o':
usegsstsig = true;
- use_win2k_gsstsig = true;
break;
case 'O':
use_tls = true;
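Review bot: `case 'o'` at the bottom of this hunk now does exactly what `case 'g'` does, but nothing tells the user that the option is deprecated, while the documentation change in this same commit says it is; the same applies to the `oldgsstsig` command word in the next nsupdate.c hunk. A one-line notice keeps users from silently relying on behaviour that no longer exists: `fprintf(stderr, "warning: -o is deprecated; it is now equivalent to -g\n");` before the `break` in `case 'o'`, and the equivalent line for `oldgsstsig`. The option-parsing switch continues outside the hunk.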
if (strcasecmp(word, "gsstsig") == 0) {
#if HAVE_GSSAPI
usegsstsig = true;
- use_win2k_gsstsig = false;
#else /* HAVE_GSSAPI */
fprintf(stderr, "gsstsig not supported\n");
#endif /* HAVE_GSSAPI */
if (strcasecmp(word, "oldgsstsig") == 0) {
#if HAVE_GSSAPI
usegsstsig = true;
- use_win2k_gsstsig = true;
#else /* HAVE_GSSAPI */
fprintf(stderr, "gsstsig not supported\n");
#endif /* HAVE_GSSAPI */
"the request)\n"
"gsstsig (use GSS_TSIG to "
"sign the request)\n"
- "oldgsstsig (use Microsoft's "
- "GSS_TSIG to sign the request)\n"
"zone name (set the zone to be "
"updated)\n"
"class CLASS (set the zone's DNS "
/* Build first request. */
context = GSS_C_NO_CONTEXT;
result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
- &context, use_win2k_gsstsig, gmctx,
- &err_message);
+ &context, gmctx, &err_message);
if (result == ISC_R_FAILURE) {
fprintf(stderr, "tkey query failed: %s\n",
err_message != NULL ? err_message : "unknown error");
fatal("invalid OPCODE in response to GSS-TSIG query");
}
- if (rcvmsg->rcode == dns_rcode_formerr && !tried_other_gsstsig) {
- ddebug("recvgss trying %s GSS-TSIG",
- use_win2k_gsstsig ? "Standard" : "Win2k");
- if (use_win2k_gsstsig) {
- use_win2k_gsstsig = false;
- } else {
- use_win2k_gsstsig = true;
- }
- tried_other_gsstsig = true;
- start_gssrequest(&restart_primary);
- goto done;
- }
-
if (rcvmsg->rcode != dns_rcode_noerror &&
rcvmsg->rcode != dns_rcode_nxdomain)
{
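Review bot: With the FORMERR retry removed at the top of the hunk, a server that only speaks the legacy gss.microsoft.com variant now falls through to the generic rcode check at the end of the hunk, whose body lies outside it; if that body reports a fixed message, the failure is no longer distinguishable from any other negotiation error. Including the rcode in that message (for example formatted with `dns_rcode_totext()`) would let an operator tell a legacy-only server apart from other failures now that the fallback which used to mask it is gone. The removed `goto done` was the last visible use of the `done:` label dropped in a later hunk; presumably no other jump to it remains in recvgss, which continues outside the hunk.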
tsigkey = NULL;
result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname, &context,
- &tsigkey, gssring, use_win2k_gsstsig,
- &err_message);
+ &tsigkey, gssring, &err_message);
switch (result) {
case DNS_R_CONTINUE:
dns_message_detach(&rcvmsg);
err_message != NULL ? err_message : "");
}
-done:
dns_request_destroy(&request);
dns_message_detach(&tsigquery);
.. option:: -o
- This option enables a non-standards-compliant variant of GSS-TSIG
- used by Windows 2000.
+ This option is deprecated. Previously, it enabled a
+ non-standards-compliant variant of GSS-TSIG that was used by Windows
+ 2000. Since that OS is now long past its end of life, this option is
+ now treated as a synonym for :option:`-g`.
.. option:: -O
:option:`-g` on the command line.
``oldgsstsig``
- This command uses the Windows 2000 version of GSS-TSIG to sign the updates. This is
- equivalent to specifying :option:`-o` on the command line.
+ This command is deprecated and will be removed in a future release.
+ Previously, it caused ``nsupdate`` to use the Windows 2000 version of
+ GSS-TSIG to sign updates. It is now treated as a synonym for ``gsstsig``.
``realm [realm_name]``
When using GSS-TSIG, this command specifies the use of ``realm_name`` rather than the default realm
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
const dns_name_t *gname, isc_buffer_t *intoken,
- uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
+ uint32_t lifetime, dns_gss_ctx_id_t *context,
isc_mem_t *mctx, char **err_message);
/*%<
* Builds a query containing a TKEY that will generate a GSSAPI context.
*\li 'gname' is a valid name
*\li 'context' is a pointer to a valid gss_ctx_id_t
* (which may have the value GSS_C_NO_CONTEXT)
- *\li 'win2k' when true says to turn on some hacks to work
- * with the non-standard GSS-TSIG of Windows 2000
*
* Returns:
*\li ISC_R_SUCCESS msg was successfully updated to include the
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
const dns_name_t *server, dns_gss_ctx_id_t *context,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
- bool win2k, char **err_message);
-
-/*
+ char **err_message);
+/*%<
* Client side negotiation of GSS-TSIG. Process the response
* to a TKEY, and establish a TSIG key if negotiation was successful.
* Build a response to the input TKEY message. Can take multiple
* if non-NULL must point to NULL
* 'ring' is the keyring in which to establish the key,
* or NULL
- * 'win2k' when true says to turn on some hacks to work
- * with the non-standard GSS-TSIG of Windows 2000
*
* Returns:
* ISC_R_SUCCESS context was successfully established
* DNS_R_CONTINUE additional context negotiation is required;
* send the new qmsg to the server
*/
-
ISC_LANG_ENDDECLS
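Review bot: The retained sentence `'ring' is the keyring in which to establish the key, or NULL` above `dns_tkey_gssnegotiate` does not match the implementation, which passes `ring->mctx` unconditionally to `dns_tsigkey_createfromkey` (visible in the tkey.c hunk of this change); unless a precondition outside these hunks rejects a NULL ring, the comment invites a null dereference. Either change it to `'ring' is the keyring in which to establish the key; must not be NULL` or guard the dereference in the implementation. The `/*` to `/*%<` fix is fine; this is the sentence worth correcting while the comment block is being touched.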
#define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name
extern const dns_name_t *dns_tsig_gssapi_name;
#define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name
-extern const dns_name_t *dns_tsig_gssapims_name;
-#define DNS_TSIG_GSSAPIMS_NAME dns_tsig_gssapims_name
extern const dns_name_t *dns_tsig_hmacsha1_name;
#define DNS_TSIG_HMACSHA1_NAME dns_tsig_hmacsha1_name
extern const dns_name_t *dns_tsig_hmacsha224_name;
return (ISC_R_NOPERM);
}
- if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
- !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME))
- {
+ if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME)) {
tkeyout->error = dns_tsigerror_badalg;
- tkey_log("process_gsstkey(): dns_tsigerror_badalg"); /* XXXSRA
- */
+ tkey_log("process_gsstkey(): dns_tsigerror_badalg");
return (ISC_R_SUCCESS);
}
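Review bot: The `badalg` branch in this hunk now rejects every algorithm other than gss-tsig, including the gss.microsoft.com name that older Windows clients send, but `tkey_log("process_gsstkey(): dns_tsigerror_badalg")` does not record which algorithm was offered, so an operator cannot tell legacy clients from misconfigured ones after this change. Formatting the name is three lines: `char algbuf[DNS_NAME_FORMATSIZE];`, `dns_name_format(&tkeyin->algorithm, algbuf, sizeof(algbuf));`, `tkey_log("process_gsstkey(): dns_tsigerror_badalg (%s)", algbuf);`. process_gsstkey continues on both sides of the hunk.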
result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
dns_rdatatype_tkey, 0, &name, &tkeyset);
if (result != ISC_R_SUCCESS) {
- /*
- * Try the answer section, since that's where Win2000
- * puts it.
- */
- name = NULL;
- if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
- dns_rdatatype_tkey, 0, &name,
- &tkeyset) != ISC_R_SUCCESS)
- {
- result = DNS_R_FORMERR;
- tkey_log("dns_tkey_processquery: couldn't find a TKEY "
- "matching the question");
- goto failure;
- }
+ result = DNS_R_FORMERR;
+ tkey_log("dns_tkey_processquery: couldn't find a TKEY "
+ "matching the question");
+ goto failure;
}
result = dns_rdataset_first(tkeyset);
if (result != ISC_R_SUCCESS) {
}
static isc_result_t
-buildquery(dns_message_t *msg, const dns_name_t *name, dns_rdata_tkey_t *tkey,
- bool win2k) {
+buildquery(dns_message_t *msg, const dns_name_t *name, dns_rdata_tkey_t *tkey) {
dns_name_t *qname = NULL, *aname = NULL;
dns_rdataset_t *question = NULL, *tkeyset = NULL;
dns_rdatalist_t *tkeylist = NULL;
ISC_LIST_APPEND(aname->list, tkeyset, link);
dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
-
- /*
- * Windows 2000 needs this in the answer section, not the additional
- * section where the RFC specifies.
- */
- if (win2k) {
- dns_message_addname(msg, aname, DNS_SECTION_ANSWER);
- } else {
- dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
- }
+ dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
return (ISC_R_SUCCESS);
}
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, const dns_name_t *name,
const dns_name_t *gname, isc_buffer_t *intoken,
- uint32_t lifetime, dns_gss_ctx_id_t *context, bool win2k,
+ uint32_t lifetime, dns_gss_ctx_id_t *context,
isc_mem_t *mctx, char **err_message) {
dns_rdata_tkey_t tkey;
isc_result_t result;
ISC_LINK_INIT(&tkey.common, link);
tkey.mctx = NULL;
dns_name_init(&tkey.algorithm, NULL);
-
- if (win2k) {
- dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
- } else {
- dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
- }
-
+ dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
tkey.inception = now;
tkey.expire = now + lifetime;
tkey.mode = DNS_TKEYMODE_GSSAPI;
tkey.other = NULL;
tkey.otherlen = 0;
- return (buildquery(msg, name, &tkey, win2k));
+ return (buildquery(msg, name, &tkey));
}
static isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
const dns_name_t *server, dns_gss_ctx_id_t *context,
dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
- bool win2k, char **err_message) {
+ char **err_message) {
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
dns_name_t *tkeyname;
dns_rdata_tkey_t rtkey, qtkey, tkey;
RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
freertkey = true;
- if (win2k) {
- RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
- DNS_SECTION_ANSWER));
- } else {
- RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
- DNS_SECTION_ADDITIONAL));
- }
-
+ RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata, DNS_SECTION_ADDITIONAL));
RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
if (rtkey.error != dns_rcode_noerror ||
ISC_LINK_INIT(&tkey.common, link);
tkey.mctx = NULL;
dns_name_init(&tkey.algorithm, NULL);
-
- if (win2k) {
- dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
- } else {
- dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
- }
+ dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
tkey.inception = qtkey.inception;
tkey.expire = qtkey.expire;
tkey.otherlen = 0;
dns_message_reset(qmsg, DNS_MESSAGE_INTENTRENDER);
- RETERR(buildquery(qmsg, tkeyname, &tkey, win2k));
+ RETERR(buildquery(qmsg, tkeyname, &tkey));
return (DNS_R_CONTINUE);
}
*/
RETERR(dns_tsigkey_createfromkey(
- tkeyname,
- (win2k ? DNS_TSIG_GSSAPIMS_NAME : DNS_TSIG_GSSAPI_NAME), dstkey,
- true, false, NULL, rtkey.inception, rtkey.expire, ring->mctx,
- ring, outkey));
+ tkeyname, DNS_TSIG_GSSAPI_NAME, dstkey, true, false, NULL,
+ rtkey.inception, rtkey.expire, ring->mctx, ring, outkey));
dst_key_free(&dstkey);
dns_rdata_freestruct(&rtkey);
return (result);
gsstsig_offsets);
const dns_name_t *dns_tsig_gssapi_name = &gsstsig;
-/*
- * Since Microsoft doesn't follow its own standard, we will use this
- * alternate name as a second guess.
- */
-static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
-static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
-static dns_name_t const gsstsigms = DNS_NAME_INITABSOLUTE(gsstsigms_ndata,
- gsstsigms_offsets);
-const dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
-
static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
static unsigned char hmacsha1_offsets[] = { 0, 10 };
static dns_name_t const hmacsha1 = DNS_NAME_INITABSOLUTE(hmacsha1_ndata,
unsigned int dstalg;
} known_algs[] = { { &hmacmd5, DST_ALG_HMACMD5 },
{ &gsstsig, DST_ALG_GSSAPI },
- { &gsstsigms, DST_ALG_GSSAPI },
{ &hmacsha1, DST_ALG_HMACSHA1 },
{ &hmacsha224, DST_ALG_HMACSHA224 },
{ &hmacsha256, DST_ALG_HMACSHA256 },
assert_int_equal(dns__tsig_algfromname(DNS_TSIG_GSSAPI_NAME),
DST_ALG_GSSAPI);
- assert_int_equal(dns__tsig_algfromname(DNS_TSIG_GSSAPIMS_NAME),
- DST_ALG_GSSAPI);
assert_int_equal(dns__tsig_algfromname(dns_rootname), 0);
}
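Review bot: The removed assertions only drop the positive check for `DNS_TSIG_GSSAPIMS_NAME`; nothing now pins that gss.microsoft.com is no longer a recognised TSIG algorithm, which is the behaviour this change introduces. A negative check would catch an accidental reintroduction: build the name (for example with `dns_name_fromstring()` into a fixed name) and assert that `dns__tsig_algfromname()` returns 0 here and that `dns__tsig_algnamefromname()` returns NULL in the `test_name` hunk below, alongside the existing `dns_rootname` checks.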
test_name("hmac-sha512", DNS_TSIG_HMACSHA512_NAME);
test_name("gss-tsig", DNS_TSIG_GSSAPI_NAME);
- test_name("gss.microsoft.com", DNS_TSIG_GSSAPIMS_NAME);
/* try another name that isn't a standard algorithm name */
assert_null(dns__tsig_algnamefromname(dns_rootname));