diff --git a/appl/test/Makefile.am b/appl/test/Makefile.am
index 15ed68fca..7bc9b6f41 100644
--- a/appl/test/Makefile.am
+++ b/appl/test/Makefile.am
@@ -5,7 +5,8 @@ include $(top_srcdir)/Makefile.am.common
 WFLAGS += $(WFLAGS_LITE)
 noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
- uu_server uu_client nt_gss_server nt_gss_client http_client
+ uu_server uu_client nt_gss_server nt_gss_client http_client \
+ kinit_auditdns
 tcp_client_SOURCES = tcp_client.c common.c test_locl.h
@@ -38,6 +39,25 @@ nt_gss_client_LDADD = $(gssapi_server_LDADD)
 nt_gss_server_LDADD = $(nt_gss_client_LDADD)
+kinit_auditdns_SOURCES = ../../kuser/kinit.c auditdns.c
+
+kinit_auditdns_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/../../lib/krb5
+
+# sync with kinit_LDADD in kuser/Makefile.am
+if !NO_AFS
+afs_lib = $(LIB_kafs)
+endif
+kinit_auditdns_LDADD = \
+ $(afs_lib) \
+ $(top_builddir)/lib/krb5/libkrb5.la \
+ $(top_builddir)/lib/gssapi/libgssapi.la \
+ $(top_builddir)/lib/gss_preauth/libgss_preauth.la \
+ $(top_builddir)/lib/ntlm/libheimntlm.la \
+ $(LIB_hcrypto) \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(LIB_libintl) \
+ $(LIB_roken)
+
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
 $(LIB_hcrypto) \
 $(top_builddir)/lib/asn1/libasn1.la \
diff --git a/appl/test/auditdns.c b/appl/test/auditdns.c
new file mode 100644
index 000000000..ae0e6e63c
--- /dev/null
+++ b/appl/test/auditdns.c
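Review bot: `kinit_auditdns_LDADD` in the second hunk carries no dynamic-loader library even though auditdns.c resolves the real `getaddrinfo` through `dlsym(RTLD_NEXT, ...)`; on platforms where `dlsym` is not in libc this only links because libkrb5.la's libtool dependencies happen to drag the loader in, so `$(LIB_dlopen)` should be appended explicitly here and for `test_acquire_cred_auditdns` in lib/gssapi/Makefile.am. A second, inferred concern: overriding `rk_dns_lookup` relies on the executable's definition winning over libroken's, which holds for a shared libroken, but with a static archive the member that defines `rk_dns_lookup` very likely also defines the other `rk_dns_*` helpers the libraries reference, so a `--disable-shared` build may fail with duplicate symbols; worth one such build before this lands.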
@@ -0,0 +1,96 @@
+/*-
+ * Copyright (c) 2024 Taylor R. Campbell
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include
+#endif
+
+#include
+#include
+#include
+#include
+
+#include "resolve.h"
+
+struct rk_dns_reply *
+rk_dns_lookup(const char *domain, const char *type_name)
+{
+
+ fprintf(stderr, "DNS leak: %s %s (%s)\n", __func__, domain, type_name);
+ abort();
+}
+
+struct hostent *
+gethostbyname(const char *name)
+{
+
+ fprintf(stderr, "DNS leak: %s %s\n", __func__, name);
+ abort();
+}
+
+#ifdef HAVE_GETHOSTBYNAME2
+
+struct hostent *
+gethostbyname2(const char *name, int af)
+{
+
+ fprintf(stderr, "DNS leak: %s %s\n", __func__, name);
+ abort();
+}
+
+#endif /* HAVE_GETHOSTBYNAME2 */
+
+#ifdef HAVE_GETADDRINFO
+
+typedef int getaddrinfo_fn_t(const char *, const char *,
+ const struct addrinfo *restrict,
+ struct addrinfo **restrict);
+getaddrinfo_fn_t getaddrinfo;
+int
+getaddrinfo(const char *hostname, const char *servname,
+ const struct addrinfo *restrict hints,
+ struct addrinfo **restrict res)
+{
+ void *sym;
+
+ if (hints == NULL ||
+ (hints->ai_flags & AI_NUMERICHOST) == 0 ||
+ (hints->ai_flags & AI_CANONNAME) != 0) {
+ fprintf(stderr, "DNS leak: %s %s:%s\n",
+ __func__, hostname, servname);
+ abort();
+ }
+
+ if ((sym = dlsym(RTLD_NEXT, __func__)) == NULL) {
+ fprintf(stderr, "dlsym(RTLD_NEXT, \"%s\") failed: %s\n",
+ __func__, dlerror());
+ return EAI_FAIL;
+ }
+
+ return (*(getaddrinfo_fn_t *)sym)(hostname, servname, hints, res);
+}
+
+#endif /* HAVE_GETADDRINFO */
diff --git a/kuser/Makefile.am b/kuser/Makefile.am
index 96ad36fd2..561e40e71 100644
--- a/kuser/Makefile.am
+++ b/kuser/Makefile.am
@@ -26,6 +26,7 @@ libexec_PROGRAMS = kdigest kimpersonate
 noinst_PROGRAMS = kverify kdecode_ticket generate-requests
+# sync with kinit_auditdns_LDADD in appl/test/Makefile.am
 kinit_LDADD = \
 $(afs_lib) \
 $(top_builddir)/lib/krb5/libkrb5.la \
diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
index 3cb8437db..3254866dc 100644
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
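Review bot: In the `getaddrinfo` interposer the leak diagnostic passes `hostname` and `servname` straight to `%s`, but getaddrinfo permits either to be NULL (service-only lookups, and the `hints == NULL` case this branch explicitly catches), so the message that is supposed to expose a leak is itself undefined behaviour on that path; print `hostname ? hostname : "(null)"` and the same for `servname`. The hook set only covers forward resolution: `getnameinfo` without `NI_NUMERICHOST`, `gethostbyaddr`, and direct `res_query`/`res_search` callers would still reach the resolver unaudited, so if any code under test does reverse lookups (the rdns/canonicalisation paths are where I would check) they need the same abort stub, or a comment stating that reverse lookups are out of scope. Using `__func__` as the `dlsym` name works only while the definition's name equals the interposed symbol; a one-line comment `/* __func__ must match the exported symbol name being interposed */` above the `dlsym` call would stop a later rename from silently resolving the wrong symbol.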
@@ -381,7 +381,7 @@ TESTS = test_oid test_names test_cfx
 test_cfx_SOURCES = krb5/test_cfx.c
-check_PROGRAMS = test_acquire_cred $(TESTS)
+check_PROGRAMS = test_acquire_cred test_acquire_cred_auditdns $(TESTS)
 bin_PROGRAMS = gsstool gss-token
 noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred
@@ -389,6 +389,9 @@ noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cre
 test_context_SOURCES = test_context.c test_common.c test_common.h
 test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
 test_acquire_cred_SOURCES = test_acquire_cred.c test_common.c test_common.h
+test_acquire_cred_auditdns_SOURCES = \
+ test_acquire_cred.c test_common.c test_common.h \
+ ../../appl/test/auditdns.c
 test_add_store_cred_SOURCES = test_add_store_cred.c
diff --git a/tests/bin/setup-env.in b/tests/bin/setup-env.in
index 8efa0e992..d94bba387 100644
--- a/tests/bin/setup-env.in
+++ b/tests/bin/setup-env.in
@@ -38,6 +38,7 @@ kdigest="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kdigest"
 kgetcred="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kgetcred"
 kimpersonate="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kimpersonate"
 kinit="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kinit"
+kinit_auditdns="${TESTS_ENVIRONMENT} ${top_builddir}/appl/test/kinit_auditdns"
 klist="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/heimtools klist"
 kpasswd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswd"
 kpasswdd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswdd"
diff --git a/tests/gss/Makefile.am b/tests/gss/Makefile.am
index b9c5ddd60..c5d85e721 100644
--- a/tests/gss/Makefile.am
+++ b/tests/gss/Makefile.am
@@ -4,9 +4,9 @@ include $(top_srcdir)/Makefile.am.common
 .NOTPARALLEL:
-noinst_DATA = krb5.conf new_clients_k5.conf mech
+noinst_DATA = krb5.conf krb5-nodns.conf new_clients_k5.conf mech
-SCRIPT_TESTS = check-basic check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
+SCRIPT_TESTS = check-basic check-nodns check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
 TESTS = $(SCRIPT_TESTS)
@@ -47,6 +47,11 @@ check-basic: check-basic.in Makefile
 chmod +x check-basic.tmp && \
 mv check-basic.tmp check-basic
+check-nodns: check-nodns.in Makefile
+ $(do_subst) < $(srcdir)/check-nodns.in > check-nodns.tmp && \
+ chmod +x check-nodns.tmp && \
+ mv check-nodns.tmp check-nodns
+
 check-ntlm: check-ntlm.in Makefile
 $(do_subst) < $(srcdir)/check-ntlm.in > check-ntlm.tmp && \
 chmod +x check-ntlm.tmp && \
@@ -61,6 +66,10 @@ krb5.conf: krb5.conf.in Makefile
 $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
 mv krb5.conf.tmp krb5.conf
+krb5-nodns.conf: krb5-nodns.conf.in Makefile
+ $(do_subst) < $(srcdir)/krb5-nodns.conf.in > krb5-nodns.conf.tmp && \
+ mv krb5-nodns.conf.tmp krb5-nodns.conf
+
 new_clients_k5.conf: new_clients_k5.conf.in Makefile
 $(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \
 mv new_clients_k5.conf.tmp new_clients_k5.conf
@@ -77,12 +86,14 @@ CLEANFILES= \
 krb5ccfile-ds \
 server.keytab \
 krb5.conf \
+ krb5-nodns.conf \
 new_clients_k5.conf \
 mech \
 current-db* \
 *.log \
 tempfile \
 check-basic.tmp \
+ check-nodns.tmp \
 check-gss.tmp \
 check-gssmask.tmp \
 check-spnego.tmp \
@@ -92,6 +103,7 @@ CLEANFILES= \
 EXTRA_DIST = \
 NTMakefile \
 check-basic.in \
+ check-nodns.in \
 check-gss.in \
 check-gssmask.in \
 check-spnego.in \
diff --git a/tests/gss/check-nodns.in b/tests/gss/check-nodns.in
new file mode 100644
index 000000000..799e55378
--- /dev/null
+++ b/tests/gss/check-nodns.in
@@ -0,0 +1,219 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+nokeytab="FILE:no-such-keytab"
+cache="FILE:krb5ccfile"
+cache2="FILE:krb5ccfile2"
+nocache="FILE:no-such-cache"
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=127.0.0.1 -P $port"
+
+acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred_auditdns"
+test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred"
+test_add_store_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_add_store_cred"
+
+KRB5_CONFIG="${objdir}/krb5-nodns.conf"
+export KRB5_CONFIG
+
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+echo upw > ${objdir}/foopassword
+
+${kadmin} add -p upw --use-defaults user@${R} || exit 1
+${kadmin} add -p upw --use-defaults another@${R} || exit 1
+${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+
+exitcode=0
+
+echo "initial ticket"
+${kinit_auditdns} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
+
+echo "copy ccache with gss_store_cred"
+# Note we test that the ccache used for storing is token-expanded
+${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1
+${klist} -c ${cache2} || exit 1
+
+echo "keytab"
+${acquire_cred} \
+ --acquire-type=accept \
+ --acquire-name=host@host.test.h5l.se || exit 1
+
+echo "keytab w/ short-form name and name canon rules"
+${acquire_cred} \
+ --acquire-type=accept \
+ --acquire-name=host@host || exit 1
+
+echo "keytab w/o name"
+${acquire_cred} \
+ --acquire-type=accept || exit 1
+
+echo "keytab w/ wrong name"
+${acquire_cred} \
+ --acquire-type=accept --kerberos \
+ --acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1
+
+echo "init using keytab"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --loops=10 \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, target)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --loops=10 \
+ --target=host@host.test.h5l.se \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, kerberos)"
+${acquire_cred} \
+ --acquire-type=initiate \
+ --loops=10 \
+ --kerberos \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, target, kerberos)"
+${acquire_cred} \
+ --acquire-type=initiate \
+ --loops=10 \
+ --kerberos \
+ --target=host@host.test.h5l.se \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using existing cc"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --acquire-type=initiate \
+ --acquire-name=user || exit 1
+
+KRB5CCNAME=${nocache}
+
+echo "fail init using existing cc"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --acquire-type=initiate \
+ --acquire-name=user 2>/dev/null && exit 1
+
+echo "use gss_krb5_ccache_name for user"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --ccache=${cache} \
+ --acquire-type=initiate \
+ --acquire-name=user >/dev/null || exit 1
+
+KRB5CCNAME=${cache}
+KRB5_KTNAME=${nokeytab}
+
+echo "kcred"
+${test_kcred} || exit 1
+
+${kdestroy} -c ${cache}
+
+KRB5_KTNAME="${keytab}"
+
+echo "init using keytab"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
+
+echo "init using keytab (ccache)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --ccache=${cache} \
+ --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
diff --git a/tests/gss/krb5-nodns.conf.in b/tests/gss/krb5-nodns.conf.in
new file mode 100644
index 000000000..99fb54490
--- /dev/null
+++ b/tests/gss/krb5-nodns.conf.in
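Review bot: The script has no positive control that the DNS audit hooks are actually live, so it passes vacuously if interposition silently fails (a static libroken, or a libc whose internal calls bypass the overridden symbols): every `${acquire_cred}` and `${kinit_auditdns}` invocation is expected to succeed and nothing is expected to abort. One deliberate run that must trigger resolution, checked with `2>err.log && exit 1` followed by `grep "DNS leak" err.log || exit 1`, would pin down that a leak is detectable before the rest of the script claims there are none. Only `test_acquire_cred_auditdns` and `kinit_auditdns` are audited; `${test_kcred}`, `${test_add_store_cred}` and `${klist}` run unhooked, so either link them against auditdns.c as well or state in a comment near their definitions that those paths are out of scope. Separately, `exitcode=1` after the initial ticket is overtaken by the `|| exit 1` on the very next command when the cache is missing, so a failed kinit is reported as a store-cred failure; `|| exit 1` there would keep the first failure visible.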
@@ -0,0 +1,55 @@
+include @srcdirabs@/include-krb5.conf
+
+[libdefaults]
+ default_keytab_name = @objdir@/server.keytab
+ enable-kx509 = yes
+ kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem
+ default_realm = TEST.H5L.SE
+ kuserok = SYSTEM-K5LOGIN:@srcdir@/../kdc/k5login
+ kuserok = USER-K5LOGIN
+ kuserok = SIMPLE
+ block_dns = yes
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = 127.0.0.1:@port@
+ auth_to_local_names = {
+ user1 = mapped_user1
+ }
+ }
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+ synthetic_clients = true
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/current.log
+ }
+
+[hdb]
+ db-dir = @objdir@
+ enable_virtual_hostbased_princs = true
+ virtual_hostbased_princ_mindots = 1
+ virtual_hostbased_princ_maxdots = 3
+ same_realm_aliases_are_soft = true
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+include @srcdirabs@/missing-krb5.conf
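Review bot: Apart from `block_dns = yes` this template appears to be a full copy of the existing krb5.conf.in (the [kdc] pkinit settings, [hdb] and [logging] sections have nothing to do with the no-DNS case), so the two files will drift the first time someone edits one; since the file already uses `include`, moving the shared sections into a fragment both templates include, leaving each top-level file with only its [libdefaults] differences, keeps one source of truth for the test KDC. A comment above `block_dns = yes` naming it as the only intentional difference would help until then. Also, `kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem` writes to a predictable path in world-writable /tmp; for a test fixture `@objdir@/cert_%{euid}.pem` avoids the shared-directory hazard and leftover files between runs.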