mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 23:25:38 +00:00
Code Issues Releases Wiki Activity

Merge branch '4225-return-refused-if-gssapi-not-configured' into 'main'

Browse Source 
Resolve "SERVFAIL response to TKEY query"

Closes #4225

See merge request isc-projects/bind9!8146
This commit is contained in:
Mark Andrews
2023-07-28 06:43:58 +00:00
parent 5342d6e97d ccaefce7ca
commit c8b73d98e4
7 changed files with 85 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
6215. [protocol] Return REFUSED to GSS-API TKEY requests if GSS-API
support is not configured. [GL #4225]
6214. [bug] Fix the memory leak in for struct stub_glue_request 6214. [bug] Fix the memory leak in for struct stub_glue_request
allocated in stub_request_nameserver_address() but not allocated in stub_request_nameserver_address() but not
freed in stub_glue_response(). [GL #4227] freed in stub_glue_response(). [GL #4227]

11
bin/nsupdate/nsupdate.c
View File

@@ -3209,7 +3209,16 @@ recvgss(void *arg) {
if (rcvmsg->rcode != dns_rcode_noerror && if (rcvmsg->rcode != dns_rcode_noerror &&
rcvmsg->rcode != dns_rcode_nxdomain) rcvmsg->rcode != dns_rcode_nxdomain)
{ {
fatal("response to GSS-TSIG query was unsuccessful"); char rcode[64];
isc_buffer_t b;
isc_buffer_init(&b, rcode, sizeof(rcode) - 1);
result = dns_rcode_totext(rcvmsg->rcode, &b);
check_result(result, "dns_rcode_totext");
rcode[isc_buffer_usedlength(&b)] = 0;
fatal("response to GSS-TSIG query was unsuccessful (%s)",
rcode);
} }
servname = dns_fixedname_initname(&fname); servname = dns_fixedname_initname(&fname);

52
bin/tests/system/nsupdate/ns7/named1.conf.in Normal file
View File

@@ -0,0 +1,52 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
session-keyfile "session.key";
listen-on { 10.53.0.7; };
recursion no;
notify yes;
minimal-responses no;
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "in-addr.arpa" {
type primary;
file "in-addr.db";
update-policy { grant EXAMPLE.COM krb5-subdomain-self-rhs . PTR; };
};
zone "example.com" {
type primary;
file "example.com.db";
update-policy {
grant EXAMPLE.COM krb5-self . ANY;
grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv.example.com SRV;
grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv-no-type.example.com;
};
};

0
bin/tests/system/nsupdate/ns7/named.conf.in → bin/tests/system/nsupdate/ns7/named2.conf.in
View File

2
bin/tests/system/nsupdate/setup.sh
View File

@@ -31,7 +31,7 @@ copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf copy_setports ns7/named1.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf copy_setports ns8/named.conf.in ns8/named.conf
# If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is # If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is

18
bin/tests/system/nsupdate/tests.sh
View File

@@ -1762,6 +1762,24 @@ wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
if ! $FEATURETEST --gssapi ; then if ! $FEATURETEST --gssapi ; then
echo_i "SKIPPED: GSSAPI tests" echo_i "SKIPPED: GSSAPI tests"
else else
n=$((n + 1))
ret=0
echo_i "check GSS-API TKEY request rcode against a non configured server ($n)"
KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
export KRB5CCNAME
$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
gsstsig
realm EXAMPLE.COM
server 10.53.0.7 ${PORT}
zone example.com
send
EOF
grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
copy_setports ns7/named2.conf.in ns7/named.conf
rndc_reload ns7 10.53.0.7
n=$((n + 1)) n=$((n + 1))
ret=0 ret=0
echo_i "check krb5-self match ($n)" echo_i "check krb5-self match ($n)"

2
lib/dns/tkey.c
View File

@@ -194,7 +194,7 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) { if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
tkey_log("process_gsstkey(): no tkey-gssapi-credential " tkey_log("process_gsstkey(): no tkey-gssapi-credential "
"or tkey-gssapi-keytab configured"); "or tkey-gssapi-keytab configured");
return (ISC_R_NOPERM); return (DNS_R_REFUSED);
} }
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME)) { if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME)) {