oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Ensure all calls to rk_dns_lookup are headed by a block_dns check.

Browse Source 
Exception: In lib/kafs/common.c, we don't have a krb5_context in
which to check.
This commit is contained in:
Taylor R Campbell
2023-06-09 00:09:59 +00:00
committed by Nico Williams
parent fd77c4000d
commit 19505537fd
3 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
kdc/altsecid_gss_preauth_authorizer.c
View File

@@ -167,6 +167,13 @@ ad_connect(krb5_context context,
} *s, *servers = NULL; } *s, *servers = NULL;
size_t i, num_servers = 0; size_t i, num_servers = 0;
if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL)) {
ret = KRB5KDC_ERR_SVC_UNAVAILABLE;
krb5_set_error_message(context, ret, "DNS blocked when finding AD DC");
return ret;
}
{ {
struct rk_dns_reply *r; struct rk_dns_reply *r;
struct rk_resource_record *rr; struct rk_resource_record *rr;

8
lib/krb5/get_host_realm.c
View File

@@ -116,6 +116,14 @@ dns_find_realm(krb5_context context,
char **config_labels; char **config_labels;
int i, ret = 0; int i, ret = 0;
if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL)) {
ret = KRB5_KDC_UNREACH;
krb5_set_error_message(context, ret,
"Realm lookup failed: DNS blocked");
return ret;
}
config_labels = krb5_config_get_strings(context, NULL, "libdefaults", config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
"dns_lookup_realm_labels", NULL); "dns_lookup_realm_labels", NULL);
if(config_labels != NULL) if(config_labels != NULL)

12
lib/krb5/krbhst.c
View File

@@ -795,7 +795,9 @@ kdc_get_next(krb5_context context,
return KRB5_KDC_UNREACH; return KRB5_KDC_UNREACH;
} }
if(context->srv_lookup) { if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL) &&
context->srv_lookup) {
if(kd->sitename && (kd->flags & KD_SITE_SRV_TCP) == 0) { if(kd->sitename && (kd->flags & KD_SITE_SRV_TCP) == 0) {
srv_get_hosts(context, kd, kd->sitename, "tcp", "kerberos"); srv_get_hosts(context, kd, kd->sitename, "tcp", "kerberos");
kd->flags |= KD_SITE_SRV_TCP; kd->flags |= KD_SITE_SRV_TCP;
@@ -867,7 +869,9 @@ admin_get_next(krb5_context context,
return KRB5_KDC_UNREACH; return KRB5_KDC_UNREACH;
} }
if(context->srv_lookup) { if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL) &&
context->srv_lookup) {
if((kd->flags & KD_SRV_TCP) == 0) { if((kd->flags & KD_SRV_TCP) == 0) {
srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label); srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
kd->flags |= KD_SRV_TCP; kd->flags |= KD_SRV_TCP;
@@ -921,7 +925,9 @@ kpasswd_get_next(krb5_context context,
return KRB5_KDC_UNREACH; return KRB5_KDC_UNREACH;
} }
if(context->srv_lookup) { if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL) &&
context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0) { if((kd->flags & KD_SRV_UDP) == 0) {
srv_get_hosts(context, kd, NULL, "udp", kd->srv_label); srv_get_hosts(context, kd, NULL, "udp", kd->srv_label);
kd->flags |= KD_SRV_UDP; kd->flags |= KD_SRV_UDP;