From 5c716146e8aee16b46a2144c199b922c13fd00ba Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Wed, 17 Feb 2010 16:34:33 +1100
Subject: [PATCH] examples: add bind9 patches for TSIG-GSS support

We will point at these from the Samba4 HOWTO
---
 ...question-section-in-update-responses.patch | 29 ++++++
 ...algrind-uninitialised-memory-warning.patch | 34 +++++++
 .../0003-don-t-compress-TSIG-names.patch | 58 ++++++++++++
 ...nitialisation-fails-then-heck-for-th.patch | 94 +++++++++++++++++++
 ...return-valid-GSSAPI-sequence-numbers.patch | 30 ++++++
 examples/bind9-patches/README | 5 +
 6 files changed, 250 insertions(+)
 create mode 100644 examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch
 create mode 100644 examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch
 create mode 100644 examples/bind9-patches/0003-don-t-compress-TSIG-names.patch
 create mode 100644 examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
 create mode 100644 examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch
 create mode 100644 examples/bind9-patches/README

diff --git a/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch b/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch
new file mode 100644
index 00000000000..3716dd4ab63
--- /dev/null
+++ b/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch
@@ -0,0 +1,29 @@
+From 1d97835f07fd5142187629941422f87b33015414 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell
+Date: Wed, 17 Feb 2010 10:47:59 +1100
+Subject: [PATCH 1/5] leave the question section in update responses.
+
+This fixes TSIG-GSS updates from windows7 and w2k8r2, which require
+the question to be included in the initial refusal for the unsigned
+update.
+---
+ lib/dns/message.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index b541635..ae4965f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -2474,7 +2474,8 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
+ if (!msg->header_ok)
+ return (DNS_R_FORMERR);
+ if (msg->opcode != dns_opcode_query &&
+- msg->opcode != dns_opcode_notify)
++ msg->opcode != dns_opcode_notify &&
++ msg->opcode != dns_opcode_update)
+ want_question_section = ISC_FALSE;
+ if (want_question_section) {
+ if (!msg->question_ok)
+--
+1.6.3.3
+
diff --git a/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch b/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch
new file mode 100644
index 00000000000..22f0ce493f2
--- /dev/null
+++ b/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch
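Review bot: The new `msg->opcode != dns_opcode_update` arm in dns_message_reply carries no comment, so a later reader will not know why update responses, alone among the non-query opcodes, keep their question section; the reason lives only in the commit message. I would add above the condition `/* update responses keep the question section: Windows 7 / 2008R2 TSIG-GSS clients need it in the initial refusal of the unsigned update */`. dns_message_reply continues beyond the hunk.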
@@ -0,0 +1,34 @@
+From 31059dee4a706bb4f25f3dccaae7616451eabd8b Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell
+Date: Wed, 17 Feb 2010 10:59:42 +1100
+Subject: [PATCH 2/5] prevent a valgrind uninitialised memory warning
+
+epoll uses a union, so to prevent passing uninitialised data in a
+syscall we need to zero it before use.
+---
+ lib/isc/unix/socket.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
+index d09fe51..4796ee4 100644
+--- a/lib/isc/unix/socket.c
++++ b/lib/isc/unix/socket.c
+@@ -652,6 +652,7 @@ watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
+ event.events = EPOLLIN;
+ else
+ event.events = EPOLLOUT;
++ memset(&event.data, 0, sizeof(event.data));
+ event.data.fd = fd;
+ if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_ADD, fd, &event) == -1 &&
+ errno != EEXIST) {
+@@ -719,6 +720,7 @@ unwatch_fd(isc_socketmgr_t *manager, int fd, int msg) {
+ event.events = EPOLLIN;
+ else
+ event.events = EPOLLOUT;
++ memset(&event.data, 0, sizeof(event.data));
+ event.data.fd = fd;
+ if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_DEL, fd, &event) == -1 &&
+ errno != ENOENT) {
+--
+1.6.3.3
+
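Review bot: The added `memset(&event.data, 0, sizeof(event.data));` in watch_fd, and the identical line in unwatch_fd, clears only the data union and does so after `event.events` has already been assigned, so any other bytes of `struct epoll_event` that are never written explicitly (padding on ABIs that have it) would still reach epoll_ctl uninitialised. Zeroing the whole object once where it is declared, `memset(&event, 0, sizeof(event));` ahead of the `events` assignment, is simpler and covers both functions; that declaration sits in the part of watch_fd/unwatch_fd above each hunk. The same remark applies to the second hunk of this file.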
@@ -0,0 +1,58 @@
+From ec22ed6c9797dbdcd820e352167bef8500ca00c6 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell
+Date: Wed, 17 Feb 2010 12:20:35 +1100
+Subject: [PATCH 3/5] don't compress TSIG names
+
+windows DNS servers will refuse TSIG-GSS requests with compressed
+names
+---
+ bin/nsupdate/nsupdate.c | 4 ++++
+ lib/dns/message.c | 2 ++
+ lib/dns/tsig.c | 3 +++
+ 3 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 6cf4cf4..f7ce6db 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -1985,6 +1985,10 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
+ fprintf(stderr, "Sending update to %s\n", addrbuf);
+ }
+ 
++ /* windows doesn't like the tsig name to be compressed */
++ if (updatemsg->tsigname)
++ updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
++ 
+ result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
+ master, options, tsigkey, timeout,
+ udp_timeout, udp_retries, global_task,
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index ae4965f..cb4528f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1531,6 +1531,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ } else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
+ msg->tsig = rdataset;
+ msg->tsigname = name;
++ /* TSIG names should not be compressed */
++ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+ rdataset = NULL;
+ free_rdataset = ISC_FALSE;
+ free_name = ISC_FALSE;
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index 74a7af3..3223942 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -889,6 +889,9 @@ dns_tsig_sign(dns_message_t *msg) {
+ msg->tsig = dataset;
+ msg->tsigname = owner;
+ 
++ /* windows does not like the tsig name being compressed */
++ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
++ 
+ return (ISC_R_SUCCESS);
+ 
+ cleanup_rdatalist:
+--
+1.6.3.3
+
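Review bot: The three insertions set the same `DNS_NAMEATTR_NOCOMPRESS` bit under three differently worded comments, and the one in getsection (`/* TSIG names should not be compressed */`) reads as a general protocol rule while the other two give the Windows interoperability reason, so a reader of message.c cannot tell that all three exist for the same constraint. I would use one wording everywhere, e.g. `/* Windows DNS servers reject TSIG-GSS messages whose TSIG owner name is compressed */`. The nsupdate.c hunk guards with `if (updatemsg->tsigname)` whereas the tsig.c hunk does not need to, because `owner` is assigned to `msg->tsigname` on the line just above; send_update, getsection and dns_tsig_sign all start and end outside their hunks.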
diff --git a/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch b/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
new file mode 100644
index 00000000000..3130a05fd07
--- /dev/null
+++ b/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
@@ -0,0 +1,94 @@
+From c73ceb48ffc518e171d1d40b82ae2b5f603fe038 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell
+Date: Wed, 17 Feb 2010 15:27:44 +1100
+Subject: [PATCH 4/5] If tkey-gssapi initialisation fails, then heck for the most common
+ configuration errors so that the admin doesn't spend all day trying to
+ work out why the config is broken.
+
+---
+ lib/dns/gssapictx.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 48 insertions(+), 0 deletions(-)
+
+diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
+index 11eadb9..879393c 100644
+--- a/lib/dns/gssapictx.c
++++ b/lib/dns/gssapictx.c
+@@ -66,6 +66,7 @@
+ * we include SPNEGO's OID.
+ */
+ #if defined(GSSAPI)
++#include
+ 
+ static unsigned char krb5_mech_oid_bytes[] = {
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+@@ -191,6 +192,50 @@ log_cred(const gss_cred_id_t cred) {
+ }
+ #endif
+ 
++#ifdef GSSAPI
++/*
++ * check for the most common configuration errors.
++ *
++ * The errors checked for are:
++ * - tkey-gssapi-credential doesn't start with DNS/
++ * - the default realm in /etc/krb5.conf and the
++ * tkey-gssapi-credential bind config option don't match
++ */
++static void dst_gssapi_check_config(const char *gss_name)
++{
++ const char *p;
++ krb5_context krb5_ctx;
++ char *krb5_realm = NULL;
++
++ if (strncasecmp(gss_name, "DNS/", 4) != 0) {
++ gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) should start with 'DNS/'");
++ return;
++ }
++
++ if (krb5_init_context(&krb5_ctx) != 0) {
++ gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
++ return;
++ }
++ if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
++ gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
++ krb5_free_context(krb5_ctx);
++ return;
++ }
++ if (!(p = strchr(gss_name, '/'))) {
++ gss_log(ISC_LOG_ERROR, "badly formatted tkey-gssapi-credentials (%s)", gss_name);
++ krb5_free_context(krb5_ctx);
++ return;
++ }
++ if (strcasecmp(p+1, krb5_realm) != 0) {
++ gss_log(ISC_LOG_ERROR,"default realm from krb5.conf (%s) does not match tkey-gssapi-credential (%s)",
++ krb5_realm, gss_name);
++ krb5_free_context(krb5_ctx);
++ return;
++ }
++ krb5_free_context(krb5_ctx);
++}
++#endif
++
+ isc_result_t
+ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+ gss_cred_id_t *cred)
+@@ -223,6 +268,8 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+ gret = gss_import_name(&minor, &gnamebuf,
+ GSS_C_NO_OID, &gname);
+ if (gret != GSS_S_COMPLETE) {
++ dst_gssapi_check_config((char *)array);
++
+ gss_log(3, "failed gss_import_name: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+@@ -254,6 +301,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+ initiate ? "initiate" : "accept",
+ (char *)gnamebuf.value,
+ gss_error_tostring(gret, minor, buf, sizeof(buf)));
++ dst_gssapi_check_config((char *)array);
+ return (ISC_R_FAILURE);
+ }
+ 
+--
+1.6.3.3
+
diff --git a/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch b/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch
new file mode 100644
index 00000000000..a44813dd627
--- /dev/null
+++ b/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch
@@ -0,0 +1,30 @@
+From 0f6a49d9fb4a3b9f917ee9caed3a94e44db045a5 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell
+Date: Wed, 17 Feb 2010 15:28:51 +1100
+Subject: [PATCH 5/5] windows doesn't return valid GSSAPI sequence numbers on its
+ TSIG-GSS DNS update replies
+
+---
+ lib/dns/gssapictx.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
+index 879393c..69b66c5 100644
+--- a/lib/dns/gssapictx.c
++++ b/lib/dns/gssapictx.c
+@@ -536,8 +536,11 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+ gintokenp = NULL;
+ }
+ 
++ /* note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
++ * servers don't like it
++ */
+ flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
+- GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
++ GSS_C_INTEG_FLAG;
+ 
+ gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
+ gname, GSS_SPNEGO_MECHANISM, flags,
+--
+1.6.3.3
+
diff --git a/examples/bind9-patches/README b/examples/bind9-patches/README
new file mode 100644
index 00000000000..172d0e6740e
--- /dev/null
+++ b/examples/bind9-patches/README
@@ -0,0 +1,5 @@
+These patches fix the TSIG-GSS dynamic DNS updates in bind9 to allow
+dynamic updates to work with recent windows versions.
+
+The patches were developed against bind9 version 9.6.1, and were
+tested on Ubuntu Karmic.
-- 
2.34.1
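Review bot: The new comment above `flags = ...` in dst_gssapi_initctx records only the interoperability reason for dropping `GSS_C_SEQUENCE_FLAG`, not what is given up: the initiator no longer requests out-of-sequence detection for per-message tokens, while `GSS_C_REPLAY_FLAG` and `GSS_C_INTEG_FLAG` are still requested, so replay detection and the integrity protection of each TSIG-signed message remain. Someone auditing this flag set later should find that trade-off stated in the comment, e.g. `/* GSS_C_SEQUENCE_FLAG is deliberately not requested: Windows DNS servers reject it. Replay detection (GSS_C_REPLAY_FLAG) and per-message integrity (GSS_C_INTEG_FLAG) are still requested; only out-of-order detection is lost. */`. dst_gssapi_initctx starts and ends outside the hunk.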