diff options
author | Gerald Carter <jerry@samba.org> | 2006-11-17 21:46:26 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:15:53 -0500 |
commit | c2aae726ea3f697c50f8d2304e2a9e69c56ab90f (patch) | |
tree | 0c05a34d585fa27282a3a106863c99e24237957f /source3/libaddns/dnsgss.c | |
parent | 9a88644bb5834b526085fad7536a02e333bf8c3c (diff) | |
download | samba-c2aae726ea3f697c50f8d2304e2a9e69c56ab90f.tar.gz samba-c2aae726ea3f697c50f8d2304e2a9e69c56ab90f.tar.bz2 samba-c2aae726ea3f697c50f8d2304e2a9e69c56ab90f.zip |
r19762: libaddns/*[ch] code fixes donated by Centeris Corporation
(http://www.centeris.com/) under my copyright.
* Rework error reporting to use DNS_ERROR instead
of int32
* Convert memory allocation to use talloc()
* Generalize the DNS request/response packet marshalling
* Fix the secure update requests
(This used to be commit c78798333616c3f823514df0f58da2eb3a30a988)
Diffstat (limited to 'source3/libaddns/dnsgss.c')
-rw-r--r-- | source3/libaddns/dnsgss.c | 620 |
1 files changed, 197 insertions, 423 deletions
diff --git a/source3/libaddns/dnsgss.c b/source3/libaddns/dnsgss.c index 862f5e7b58..fc674a7b81 100644 --- a/source3/libaddns/dnsgss.c +++ b/source3/libaddns/dnsgss.c @@ -48,507 +48,281 @@ static int strupr( char *szDomainName ) /********************************************************************* *********************************************************************/ -int32 DNSBuildTKeyQueryRequest( char *szKeyName, - uint8 * pKeyData, - int32 dwKeyLen, DNS_REQUEST ** ppDNSRequest ) -{ - int32 dwError = 0; - DNS_RR_RECORD *pDNSTKeyRecord = NULL; - DNS_REQUEST *pDNSRequest = NULL; - DNS_QUESTION_RECORD *pDNSQuestionRecord = NULL; - - dwError = DNSStdCreateStdRequest( &pDNSRequest ); - BAIL_ON_ERROR( dwError ); - - dwError = DNSCreateQuestionRecord( szKeyName, - QTYPE_TKEY, - DNS_CLASS_IN, - &pDNSQuestionRecord ); - BAIL_ON_ERROR( dwError ); - - dwError = DNSStdAddQuestionSection( pDNSRequest, pDNSQuestionRecord ); - BAIL_ON_ERROR( dwError ); - - dwError = DNSCreateTKeyRecord( szKeyName, - pKeyData, - ( int16 ) dwKeyLen, &pDNSTKeyRecord ); - BAIL_ON_ERROR( dwError ); - - dwError = DNSStdAddAdditionalSection( pDNSRequest, pDNSTKeyRecord ); - BAIL_ON_ERROR( dwError ); - - *ppDNSRequest = pDNSRequest; - - return dwError; - - error: - - *ppDNSRequest = NULL; - - return dwError; -} - -/********************************************************************* -*********************************************************************/ - -int32 DNSVerifyResponseMessage_GSSSuccess( gss_ctx_id_t * pGSSContext, - DNS_RR_RECORD * pClientTKeyRecord, - DNS_RESPONSE * pDNSResponse ) -{ - int32 dwError = 0; - DNS_RR_RECORD *pTKeyRecord = NULL; - DNS_RR_RECORD *pTSIGRecord = NULL; - int16 wRCode = 0; - - dwError = DNSResponseGetRCode( pDNSResponse, &wRCode ); - BAIL_ON_ERROR( dwError ); - - if ( wRCode != 0 ) { - dwError = ERROR_BAD_RESPONSE; - BAIL_ON_ERROR( dwError ); - - } - - dwError = DNSResponseGetTKeyRecord( pDNSResponse, &pTKeyRecord ); - BAIL_ON_ERROR( dwError ); - - dwError = DNSCompareTKeyRecord( pClientTKeyRecord, pTKeyRecord ); - BAIL_ON_ERROR( dwError ); - - dwError = DNSResponseGetTSIGRecord( pDNSResponse, &pTSIGRecord ); - BAIL_ON_ERROR( dwError ); - -/* - dwMajorStatus = GSS_VerifyMIC( - pDNSResponse->pDNSResponseBuffer, - pDNSResponse->dwNumBytes, - pDNSRRRecord->RData.TSIGRData.pMAC, - pDNSRRRecord->RData.TSIGRData.wMaxSize - ) - BAIL_ON_ERROR(dwMajorStatus);*/ - - error: - - return dwError; -} - -/********************************************************************* -*********************************************************************/ - -int32 DNSVerifyResponseMessage_GSSContinue( gss_ctx_id_t * pGSSContext, - DNS_RR_RECORD * pClientTKeyRecord, - DNS_RESPONSE * pDNSResponse, - uint8 ** ppServerKeyData, - int16 * pwServerKeyDataSize ) +static void display_status_1( const char *m, OM_uint32 code, int type ) { - int32 dwError = 0; - DNS_RR_RECORD *pTKeyRecord = NULL; - int16 wRCode = 0; - uint8 *pServerKeyData = NULL; - int16 wServerKeyDataSize = 0; - + OM_uint32 maj_stat, min_stat; + gss_buffer_desc msg; + OM_uint32 msg_ctx; - dwError = DNSResponseGetRCode( pDNSResponse, &wRCode ); - BAIL_ON_ERROR( dwError ); - if ( wRCode != 0 ) { - dwError = ERROR_BAD_RESPONSE; - BAIL_ON_ERROR( dwError ); + msg_ctx = 0; + while ( 1 ) { + maj_stat = gss_display_status( &min_stat, code, + type, GSS_C_NULL_OID, + &msg_ctx, &msg ); + fprintf( stdout, "GSS-API error %s: %s\n", m, + ( char * ) msg.value ); + ( void ) gss_release_buffer( &min_stat, &msg ); + if ( !msg_ctx ) + break; } - - dwError = DNSResponseGetTKeyRecord( pDNSResponse, &pTKeyRecord ); - BAIL_ON_ERROR( dwError ); - - - dwError = DNSCompareTKeyRecord( pClientTKeyRecord, pTKeyRecord ); - BAIL_ON_ERROR( dwError ); - - dwError = DNSGetTKeyData( pTKeyRecord, - &pServerKeyData, &wServerKeyDataSize ); - BAIL_ON_ERROR( dwError ); - - *ppServerKeyData = pServerKeyData; - *pwServerKeyDataSize = wServerKeyDataSize; - - return dwError; - - error: - - *ppServerKeyData = NULL; - *pwServerKeyDataSize = 0; - return dwError; } /********************************************************************* *********************************************************************/ -int32 DNSResponseGetRCode( DNS_RESPONSE * pDNSResponse, int16 * pwRCode ) +void display_status( const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat ) { - int32 dwError = 0; - int16 wnParameter = 0; - uint8 uChar = 0; - - wnParameter = htons( pDNSResponse->wParameter ); - - /* Byte 0 is the most significate byte - Bit 12, 13, 14, 15 or Bit 4, 5, 6, 7 represent the RCode */ - - memcpy( &uChar, ( uint8 * ) & wnParameter + 1, 1 ); - uChar >>= 4; - *pwRCode = ( int16 ) uChar; - - return dwError; + display_status_1( msg, maj_stat, GSS_C_GSS_CODE ); + display_status_1( msg, min_stat, GSS_C_MECH_CODE ); } -/********************************************************************* -*********************************************************************/ - -int32 DNSResponseGetTKeyRecord( DNS_RESPONSE * pDNSResponse, - DNS_RR_RECORD ** ppTKeyRecord ) +static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx, + struct dns_connection *conn, + const char *keyname, + const gss_name_t target_name, + gss_ctx_id_t *ctx ) { - int32 dwError = 0; - int16 wAnswers = 0; - DNS_RR_RECORD *pDNSRecord = NULL; - int32 i = 0; + struct gss_buffer_desc_struct input_desc, *input_ptr, output_desc; + OM_uint32 major, minor; + OM_uint32 ret_flags; + DNS_ERROR err; + gss_OID_desc krb5_oid_desc = + { 9, (char *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; - wAnswers = pDNSResponse->wAnswers; - if ( !wAnswers ) { - dwError = ERROR_INVALID_PARAMETER; - BAIL_ON_ERROR( dwError ); - } + *ctx = GSS_C_NO_CONTEXT; + input_ptr = NULL; - for ( i = 0; i < wAnswers; i++ ) { - pDNSRecord = *( pDNSResponse->ppAnswerRRSet + i ); - if ( pDNSRecord->RRHeader.wType == QTYPE_TKEY ) { - *ppTKeyRecord = pDNSRecord; - return dwError; + do { + major = gss_init_sec_context( + &minor, NULL, ctx, target_name, &krb5_oid_desc, + GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | + GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | + GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG, + 0, NULL, input_ptr, NULL, &output_desc, + &ret_flags, NULL ); + + if (input_ptr != NULL) { + TALLOC_FREE(input_desc.value); } - } - dwError = ERROR_RECORD_NOT_FOUND; - error: - *ppTKeyRecord = NULL; - return dwError; -} + if (output_desc.length != 0) { -/********************************************************************* -*********************************************************************/ + struct dns_request *req; + struct dns_rrec *rec; + struct dns_buffer *buf; -int32 DNSResponseGetTSIGRecord( DNS_RESPONSE * pDNSResponse, - DNS_RR_RECORD ** ppTSIGRecord ) -{ - int32 dwError = 0; - int16 wAdditionals = 0; - DNS_RR_RECORD *pDNSRecord = NULL; - - int32 i = 0; + time_t t = time(NULL); - wAdditionals = pDNSResponse->wAdditionals; - if ( !wAdditionals ) { - dwError = ERROR_INVALID_PARAMETER; - BAIL_ON_ERROR( dwError ); - } + err = dns_create_query(mem_ctx, keyname, QTYPE_TKEY, + DNS_CLASS_IN, &req); + if (!ERR_DNS_IS_OK(err)) goto error; - for ( i = 0; i < wAdditionals; i++ ) { - pDNSRecord = *( pDNSResponse->ppAdditionalRRSet + i ); - if ( pDNSRecord->RRHeader.wType == QTYPE_TSIG ) { - *ppTSIGRecord = pDNSRecord; - return dwError; - } - } - dwError = ERROR_RECORD_NOT_FOUND; + err = dns_create_tkey_record( + req, keyname, "gss.microsoft.com", t, + t + 86400, DNS_TKEY_MODE_GSSAPI, 0, + output_desc.length, (uint8 *)output_desc.value, + &rec); + if (!ERR_DNS_IS_OK(err)) goto error; - error: - *ppTSIGRecord = NULL; - return dwError; -} + err = dns_add_rrec(req, rec, &req->num_additionals, + &req->additionals); + if (!ERR_DNS_IS_OK(err)) goto error; -/********************************************************************* -*********************************************************************/ + err = dns_marshall_request(req, req, &buf); + if (!ERR_DNS_IS_OK(err)) goto error; -int32 DNSCompareTKeyRecord( DNS_RR_RECORD * pClientTKeyRecord, - DNS_RR_RECORD * pTKeyRecord ) -{ - int32 dwError = 0; + err = dns_send(conn, buf); + if (!ERR_DNS_IS_OK(err)) goto error; - return dwError; -} + TALLOC_FREE(req); + } -/********************************************************************* -*********************************************************************/ + gss_release_buffer(&minor, &output_desc); -int32 DNSNegotiateContextAndSecureUpdate( HANDLE hDNSServer, - char *szServiceName, - char *szDomainName, - char *szHost, int32 dwIPAddress ) -{ - int32 dwError = 0; - char *pszKeyName = NULL; - gss_ctx_id_t ContextHandle = 0; - gss_ctx_id_t *pContextHandle = &ContextHandle; + if ((major != GSS_S_COMPLETE) && + (major != GSS_S_CONTINUE_NEEDED)) { + return ERROR_DNS_GSS_ERROR; + } - dwError = DNSGenerateKeyName( &pszKeyName ); - BAIL_ON_ERROR( dwError ); + if (major == GSS_S_CONTINUE_NEEDED) { - dwError = - DNSNegotiateSecureContext( hDNSServer, szDomainName, szHost, - pszKeyName, pContextHandle ); - BAIL_ON_ERROR( dwError ); + struct dns_request *resp; + struct dns_buffer *buf; + struct dns_tkey_record *tkey; - error: + err = dns_receive(mem_ctx, conn, &buf); + if (!ERR_DNS_IS_OK(err)) goto error; - return dwError; -} + err = dns_unmarshall_request(buf, buf, &resp); + if (!ERR_DNS_IS_OK(err)) goto error; -/********************************************************************* -*********************************************************************/ + /* + * TODO: Compare id and keyname + */ + + if ((resp->num_additionals != 1) || + (resp->answers[0]->type != QTYPE_TKEY)) { + err = ERROR_DNS_INVALID_MESSAGE; + goto error; + } -int32 DNSGetTKeyData( DNS_RR_RECORD * pTKeyRecord, - uint8 ** ppKeyData, int16 * pwKeyDataSize ) -{ - int32 dwError = 0; - int16 wKeyDataSize = 0; - int16 wnKeyDataSize = 0; - int32 dwKeyDataSizeOffset = 0; - int32 dwKeyDataOffset = 0; - uint8 *pKeyData = NULL; + err = dns_unmarshall_tkey_record( + mem_ctx, resp->answers[0], &tkey); + if (!ERR_DNS_IS_OK(err)) goto error; - DNSRecordGenerateOffsets( pTKeyRecord ); - dwKeyDataSizeOffset = pTKeyRecord->Offsets.TKey.wKeySizeOffset; - dwKeyDataOffset = pTKeyRecord->Offsets.TKey.wKeyDataOffset; - memcpy( &wnKeyDataSize, pTKeyRecord->pRData + dwKeyDataSizeOffset, - sizeof( int16 ) ); - wKeyDataSize = ntohs( wnKeyDataSize ); + input_desc.length = tkey->key_length; + input_desc.value = talloc_move(mem_ctx, &tkey->key); - dwError = DNSAllocateMemory( wKeyDataSize, ( void * ) &pKeyData ); - BAIL_ON_ERROR( dwError ); + input_ptr = &input_desc; - memcpy( pKeyData, pTKeyRecord->pRData + dwKeyDataOffset, - wKeyDataSize ); + TALLOC_FREE(buf); + } - *ppKeyData = pKeyData; - *pwKeyDataSize = wKeyDataSize; + } while ( major == GSS_S_CONTINUE_NEEDED ); - return dwError; + /* If we arrive here, we have a valid security context */ + err = ERROR_DNS_SUCCESS; error: - *ppKeyData = NULL; - *pwKeyDataSize = 0; - return dwError; + return err; } -/********************************************************************* -*********************************************************************/ - -int32 DNSNegotiateSecureContext( HANDLE hDNSServer, - char *szDomain, - char *szServerName, - char *szKeyName, gss_ctx_id_t * pGSSContext ) +DNS_ERROR dns_negotiate_sec_ctx( const char *target_realm, + const char *servername, + const char *keyname, + gss_ctx_id_t *gss_ctx ) { - int32 dwError = 0; - int32 dwMajorStatus = 0; - char szUpperCaseDomain[256]; - char szTargetName[256]; - DNS_ERROR dns_status; - - gss_buffer_desc input_name; - gss_buffer_desc input_desc, output_desc; - DNS_REQUEST *pDNSRequest = NULL; - DNS_RESPONSE *pDNSResponse = NULL; - DNS_RR_RECORD *pClientTKeyRecord = NULL; - HANDLE hDNSTcpServer = ( HANDLE ) NULL; + OM_uint32 major, minor; - uint8 *pServerKeyData = NULL; - int16 wServerKeyDataSize = 0; + char *upcaserealm, *targetname; + DNS_ERROR err; - OM_uint32 ret_flags = 0; + gss_buffer_desc input_name; + struct dns_connection *conn; - int32 dwMinorStatus = 0; gss_name_t targ_name; - gss_cred_id_t creds; krb5_principal host_principal; - krb5_context ctx = NULL; + krb5_context krb_ctx = NULL; gss_OID_desc nt_host_oid_desc = - { 10, ( char * ) ( ( void * ) "\052\206\110\206\367\022\001\002\002\002" ) }; - gss_OID_desc krb5_oid_desc = - { 9, ( char * ) ( ( void * ) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" ) }; + { 10, (char *)"\052\206\110\206\367\022\001\002\002\002" }; - input_desc.value = NULL; - input_desc.length = 0; + TALLOC_CTX *mem_ctx; - dns_status = DNSOpen( szServerName, DNS_TCP, &hDNSTcpServer ); - BAIL_ON_DNS_ERROR( dns_status ); + if (!(mem_ctx = talloc_init("dns_negotiate_sec_ctx"))) { + return ERROR_DNS_NO_MEMORY; + } + err = dns_open( servername, DNS_TCP, mem_ctx, &conn ); + if (!ERR_DNS_IS_OK(err)) goto error; - memset( szUpperCaseDomain, 0, sizeof( szUpperCaseDomain ) ); - memcpy( szUpperCaseDomain, szDomain, strlen( szDomain ) ); - strupr( szUpperCaseDomain ); + if (!(upcaserealm = talloc_strdup(mem_ctx, target_realm))) { + err = ERROR_DNS_NO_MEMORY; + goto error; + } - dwMajorStatus = gss_acquire_cred( ( OM_uint32 * ) & dwMinorStatus, - GSS_C_NO_NAME, - GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, - GSS_C_INITIATE, - &creds, NULL, NULL ); - BAIL_ON_SEC_ERROR( dwMajorStatus ); - printf( "After gss_acquire_cred %d\n", dwMajorStatus ); + strupr(upcaserealm); - sprintf( szTargetName, "dns/%s@%s", szServerName, szUpperCaseDomain ); - printf( "%s\n", szTargetName ); + if (!(targetname = talloc_asprintf(mem_ctx, "dns/%s@%s", + servername, upcaserealm))) { + err = ERROR_DNS_NO_MEMORY; + goto error; + } - krb5_init_context( &ctx ); - krb5_parse_name( ctx, szTargetName, &host_principal ); - krb5_free_context( ctx ); + krb5_init_context( &krb_ctx ); + krb5_parse_name( krb_ctx, targetname, &host_principal ); input_name.value = &host_principal; input_name.length = sizeof( host_principal ); - dwMajorStatus = gss_import_name( ( OM_uint32 * ) & dwMinorStatus, - &input_name, - &nt_host_oid_desc, &targ_name ); - printf( "After gss_import_name %d\n", dwMajorStatus ); - BAIL_ON_SEC_ERROR( dwMajorStatus ); - printf( "After gss_import_name %d\n", dwMajorStatus ); + major = gss_import_name( &minor, &input_name, + &nt_host_oid_desc, &targ_name ); - memset( pGSSContext, 0, sizeof( gss_ctx_id_t ) ); - *pGSSContext = GSS_C_NO_CONTEXT; + krb5_free_principal( krb_ctx, host_principal ); + krb5_free_context( krb_ctx ); - do { - - dwMajorStatus = gss_init_sec_context( ( OM_uint32 * ) & - dwMinorStatus, creds, - pGSSContext, targ_name, - &krb5_oid_desc, - GSS_C_REPLAY_FLAG | - GSS_C_MUTUAL_FLAG | - GSS_C_SEQUENCE_FLAG | - GSS_C_CONF_FLAG | - GSS_C_INTEG_FLAG | - GSS_C_DELEG_FLAG, 0, - NULL, &input_desc, NULL, - &output_desc, - &ret_flags, NULL ); - display_status( "gss_init_context", dwMajorStatus, - dwMinorStatus ); - BAIL_ON_SEC_ERROR( dwMajorStatus ); - printf( "After gss_init_sec_context %d\n", dwMajorStatus ); - - switch ( dwMajorStatus ) { - - case GSS_S_COMPLETE: - if ( output_desc.length != 0 ) { - - dwError = DNSBuildTKeyQueryRequest( szKeyName, - (uint8 *)output_desc. - value, - output_desc. - length, - &pDNSRequest ); - BAIL_ON_ERROR( dwError ); - - dwError = - DNSStdSendStdRequest2( hDNSTcpServer, - pDNSRequest ); - BAIL_ON_ERROR( dwError ); - - - dwError = - DNSStdReceiveStdResponse - ( hDNSTcpServer, &pDNSResponse ); - BAIL_ON_ERROR( dwError ); - - dwError = - DNSVerifyResponseMessage_GSSSuccess - ( pGSSContext, pClientTKeyRecord, - pDNSResponse ); - BAIL_ON_ERROR( dwError ); - } - break; - - - case GSS_S_CONTINUE_NEEDED: - if ( output_desc.length != 0 ) { - - dwError = DNSBuildTKeyQueryRequest( szKeyName, - (uint8 *)output_desc. - value, - output_desc. - length, - &pDNSRequest ); - BAIL_ON_ERROR( dwError ); - - dwError = - DNSStdSendStdRequest2( hDNSTcpServer, - pDNSRequest ); - BAIL_ON_ERROR( dwError ); - - dwError = - DNSStdReceiveStdResponse - ( hDNSTcpServer, &pDNSResponse ); - BAIL_ON_ERROR( dwError ); - - dwError = - DNSVerifyResponseMessage_GSSContinue - ( pGSSContext, pClientTKeyRecord, - pDNSResponse, &pServerKeyData, - &wServerKeyDataSize ); - BAIL_ON_ERROR( dwError ); - - input_desc.value = pServerKeyData; - input_desc.length = wServerKeyDataSize; - } - break; - - default: - BAIL_ON_ERROR( dwError ); - } + if (major) { + err = ERROR_DNS_GSS_ERROR; + goto error; + } - } while ( dwMajorStatus == GSS_S_CONTINUE_NEEDED ); + err = dns_negotiate_gss_ctx_int(mem_ctx, conn, keyname, targ_name, + gss_ctx); - /* If we arrive here, we have a valid security context */ - - sec_error: - error: + gss_release_name( &minor, &targ_name ); - return dwError; + error: + TALLOC_FREE(mem_ctx); + return err; } -/********************************************************************* -*********************************************************************/ - -static void display_status_1( const char *m, OM_uint32 code, int type ) +DNS_ERROR dns_sign_update(struct dns_update_request *req, + gss_ctx_id_t gss_ctx, + const char *keyname, + const char *algorithmname, + time_t time_signed, uint16 fudge) { - OM_uint32 maj_stat, min_stat; - gss_buffer_desc msg; - OM_uint32 msg_ctx; - - msg_ctx = 0; - while ( 1 ) { - maj_stat = gss_display_status( &min_stat, code, - type, GSS_C_NULL_OID, - &msg_ctx, &msg ); - fprintf( stdout, "GSS-API error %s: %s\n", m, - ( char * ) msg.value ); - ( void ) gss_release_buffer( &min_stat, &msg ); + struct dns_buffer *buf; + DNS_ERROR err; + struct dns_domain_name *key, *algorithm; + struct gss_buffer_desc_struct msg, mic; + OM_uint32 major, minor; + struct dns_rrec *rec; + + err = dns_marshall_update_request(req, req, &buf); + if (!ERR_DNS_IS_OK(err)) return err; + + err = dns_domain_name_from_string(buf, keyname, &key); + if (!ERR_DNS_IS_OK(err)) goto error; + + err = dns_domain_name_from_string(buf, algorithmname, &algorithm); + if (!ERR_DNS_IS_OK(err)) goto error; + + dns_marshall_domain_name(buf, key); + dns_marshall_uint16(buf, DNS_CLASS_ANY); + dns_marshall_uint32(buf, 0); /* TTL */ + dns_marshall_domain_name(buf, algorithm); + dns_marshall_uint16(buf, 0); /* Time prefix for 48-bit time_t */ + dns_marshall_uint32(buf, time_signed); + dns_marshall_uint16(buf, fudge); + dns_marshall_uint16(buf, 0); /* error */ + dns_marshall_uint16(buf, 0); /* other len */ + + err = buf->error; + if (!ERR_DNS_IS_OK(buf->error)) goto error; + + msg.value = (void *)buf->data; + msg.length = buf->offset; + + major = gss_get_mic(&minor, gss_ctx, 0, &msg, &mic); + if (major != 0) { + err = ERROR_DNS_GSS_ERROR; + goto error; + } - if ( !msg_ctx ) - break; + if (mic.length > 0xffff) { + gss_release_buffer(&minor, &mic); + err = ERROR_DNS_GSS_ERROR; + goto error; } -} -/********************************************************************* -*********************************************************************/ + err = dns_create_tsig_record(buf, keyname, algorithmname, time_signed, + fudge, mic.length, (uint8 *)mic.value, + req->id, 0, &rec); + gss_release_buffer(&minor, &mic); + if (!ERR_DNS_IS_OK(err)) goto error; -void display_status( const char *msg, OM_uint32 maj_stat, OM_uint32 min_stat ) -{ - display_status_1( msg, maj_stat, GSS_C_GSS_CODE ); - display_status_1( msg, min_stat, GSS_C_MECH_CODE ); + err = dns_add_rrec(req, rec, &req->num_additionals, &req->additionals); + + error: + TALLOC_FREE(buf); + return err; } #endif /* HAVE_GSSAPI_SUPPORT */ |