Allow update using GSS-TSIG with matching principal

author Aki Tuomi <cmouse@cmouse.fi>

Thu, 21 May 2015 20:14:34 +0000 (23:14 +0300)

committer Aki Tuomi <cmouse@cmouse.fi>

Thu, 28 May 2015 14:42:23 +0000 (17:42 +0300)
author Aki Tuomi <cmouse@cmouse.fi>
Thu, 21 May 2015 20:14:34 +0000 (23:14 +0300)
committer Aki Tuomi <cmouse@cmouse.fi>
Thu, 28 May 2015 14:42:23 +0000 (17:42 +0300)
diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc

index e4b0fed47ee0a41ad9d288df92aa3f8b6bc3f3df..09a612fa9cae8eebcf1a9c4cb5cdd05065cc8e10 100644 (file)
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -701,9 +701,21 @@ int PacketHandler::processUpdate(DNSPacket *p) {
        return RCode::Refused;
      }
  
-    for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
-      if (inputkey == *key) // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
-        validKey=true;
+    if (p->d_tsig_algo == TSIG_GSS) {
+      GssName inputname(p->d_peer_principal); // match against principal since GSS
+      for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
+        if (inputname.match(*key)) {
+          validKey = true;
+          break;
+        }
+      }
+    } else {
+      for(vector<string>::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
+        if (inputkey == *key) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
+          validKey=true;
+          break;
+        }
+      }
      }
  
      if (!validKey) {
author	Aki Tuomi <cmouse@cmouse.fi>
	Thu, 21 May 2015 20:14:34 +0000 (23:14 +0300)
committer	Aki Tuomi <cmouse@cmouse.fi>
	Thu, 28 May 2015 14:42:23 +0000 (17:42 +0300)