Add a test for potential DNS leaks via symbol interposition.
We build variants of kinit and test_acquire_cred that define their own symbols rk_dns_lookup, gethostbyname, gethostbyname2, and getaddrinfo to print a message and abort. For getaddrinfo, we abort only if the caller failed to specify AI_NUMERICHOST; otherwise we use dlsym(RTLD_NEXT, "getaddrinfo") instead. The new test tests/gss/check-nodns is like tests/gss/check-basic, but uses kinit_auditdns and test_acquire_cred_auditdns to verify that no DNS resolution happens. This test should work and be effective on ELF platforms where the getaddrinfo function is implemented by the symbol `getaddrinfo'. On non-ELF platforms it may not be effective -- and on platforms where the getaddrinfo function is implemented by another symbol (like `__getaddrinfo50') it may not work, but we can cross that bridge when we come to it. Verified manually that the test fails, with the expected error message and abort, without `block_dns = yes' in krb5-nodns.conf. No automatic test of the mechanism for now because it might not work on some platforms. XXX check-nodns.in is copypasta of check-basic.in, should factor out the common parts so they don't get out of sync.
This commit is contained in:
Taylor R Campbell
committed by
Nico Williams
Nico Williams
parent
e2c0d98965
commit
ad23636db8
@@ -26,6 +26,7 @@ libexec_PROGRAMS = kdigest kimpersonate
|
||||
|
||||
noinst_PROGRAMS = kverify kdecode_ticket generate-requests
|
||||
|
||||
# sync with kinit_auditdns_LDADD in appl/test/Makefile.am
|
||||
kinit_LDADD = \
|
||||
$(afs_lib) \
|
||||
$(top_builddir)/lib/krb5/libkrb5.la \
|
||||
|
||||
Reference in New Issue
Block a user