From: Aki Tuomi
Date: Thu, 21 May 2015 20:14:34 +0000 (+0300)
Subject: Allow update using GSS-TSIG with matching principal
X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~79^2~9^2~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6917c32156e1d82faf26cabd76bc4ec93976804b;p=pdns

Allow update using GSS-TSIG with matching principal
---

diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index e4b0fed47..09a612fa9 100644
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -701,9 +701,21 @@ int PacketHandler::processUpdate(DNSPacket *p) {
 return RCode::Refused;
 }
 
- for(vector::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
- if (inputkey == *key) // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
- validKey=true;
+ if (p->d_tsig_algo == TSIG_GSS) {
+ GssName inputname(p->d_peer_principal); // match against principal since GSS
+ for(vector::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
+ if (inputname.match(*key)) {
+ validKey = true;
+ break;
+ }
+ }
+ } else {
+ for(vector::const_iterator key=tsigKeys.begin(); key != tsigKeys.end(); key++) {
+ if (inputkey == *key) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
+ validKey=true;
+ break;
+ }
+ }
 }
 
 if (!validKey) {
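Review bot: The new GSS branch authorizes the update solely because `p->d_peer_principal` matches an entry of `tsigKeys`, and nothing visible in the hunk establishes that the principal is non-empty or came from a GSS context whose signature was already verified. The non-GSS branch documents that precondition in its comment (checkForCorrectTSIG ran earlier), so the GSS branch should state the same with something like `// d_peer_principal is trusted only because the GSS-TSIG signature was verified before this point`. It would also be safer to fail closed before the loop, e.g. `if (p->d_peer_principal.empty()) return RCode::Refused;` (assuming the member is a string), and to refuse when the `GssName` could not be built from it, since the behaviour of `match()` on an invalid name is not visible here. The same metadata list is now read as key names in one branch and as principals in the other, which deserves a line of documentation for operators. processUpdate starts and ends outside the hunk, so the earlier verification may already cover part of this.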