]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 45c93af)
Check GSS_C_REPLAY_FLAG in client-side ret_flags validation
authorOndřej Surý <ondrej@sury.org>
Tue, 7 Apr 2026 13:58:31 +0000 (15:58 +0200)
committerMichał Kępień <michal@isc.org>
Thu, 7 May 2026 11:32:15 +0000 (13:32 +0200)
RFC 3645 Section 3.1.1 mandates that the client MUST abandon the
algorithm if replay_det_state is FALSE after GSS_Init_sec_context
completes.  The previous commit checked MUTUAL and INTEG but missed
REPLAY, even though it was already requested in the input flags.

Add GSS_C_REPLAY_FLAG to the ret_flags bitmask check so all three
required properties (replay detection, mutual authentication, and
integrity) are verified.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
lib/dns/gssapictx.c patch | blob | blame | history

diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index 8f4c1c56c92d1ae5ce89dd272eab5d5f4ddda749..9e025b1a3b3751227b531c325a0f59310d4a1d47 100644 (file)
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -356,17 +356,19 @@ dst_gssapi_initctx(const dns_name_t *name, isc_buffer_t *intoken,
        }
 
        /*
-        * RFC 3645 Section 3.1.1: verify that mutual authentication
-        * and integrity are supported.  If either is missing, the
-        * security context does not meet the protocol requirements.
+        * RFC 3645 Section 3.1.1: verify that replay detection, mutual
+        * authentication and integrity are supported.  The RFC mandates
+        * checking replay_det_state and mutual_state; integ_avail is
+        * also verified because GSS-TSIG cannot function without it.
         */
        if (gret == GSS_S_COMPLETE &&
-           (ret_flags & (GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG)) !=
-                   (GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG))
+           (ret_flags &
+            (GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG)) !=
+                   (GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG))
        {
                gss_log(3,
-                       "GSS-API context lacks required MUTUAL or "
-                       "INTEG flags (ret_flags=0x%x)",
+                       "GSS-API context lacks required REPLAY, MUTUAL, "
+                       "or INTEG flags (ret_flags=0x%x)",
                        (unsigned int)ret_flags);
                CLEANUP(ISC_R_FAILURE);
        }
Mirror of https://gitlab.isc.org/isc-projects/bind9.git