Fixed a memory leak where each GSS-API TKEY negotiation leaked a security context inside the GSS library. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries to a server with tkey-gssapi-keytab configured. The leaked memory was allocated by the GSS library, bypassing BIND's memory accounting.
Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected, as BIND never supported it correctly and Kerberos/SPNEGO completes in a single round.
Also implemented missing RFC 3645 requirement: the client now verifies that mutual authentication and integrity flags are granted by the GSS-API mechanism (Section 3.1.1).
Closes: https://gitlab.isc.org/isc-projects/bind9/-/issues/5752
Backport of !965
Merge branch 'backport-5752-fix-memory-leak-in-TKEY-negotiation-9.11' into 'security-bind-9.11'
See merge request isc-private/bind9!977
projects / thirdparty / bind9.git / commitdiff
