Add a test for potential DNS leaks via symbol interposition.
We build variants of kinit and test_acquire_cred that define their own symbols rk_dns_lookup, gethostbyname, gethostbyname2, and getaddrinfo to print a message and abort. For getaddrinfo, we abort only if the caller failed to specify AI_NUMERICHOST; otherwise we use dlsym(RTLD_NEXT, "getaddrinfo") instead.

The new test tests/gss/check-nodns is like tests/gss/check-basic, but uses kinit_auditdns and test_acquire_cred_auditdns to verify that no DNS resolution happens.

This test should work and be effective on ELF platforms where the getaddrinfo function is implemented by the symbol `getaddrinfo'. On non-ELF platforms it may not be effective -- and on platforms where the getaddrinfo function is implemented by another symbol (like `__getaddrinfo50') it may not work, but we can cross that bridge when we come to it.

Verified manually that the test fails, with the expected error message and abort, without `block_dns = yes' in krb5-nodns.conf. No automatic test of the mechanism for now because it might not work on some platforms.

XXX check-nodns.in is copypasta of check-basic.in, should factor out the common parts so they don't get out of sync.
committed by Nico Williams
parent e2c0d98965
commit ad23636db8
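The interposition shim the commit message describes, written out as an added example. This is not Heimdal's appl/test/auditdns.c (whose contents are not shown on this page) and it leaves out rk_dns_lookup, since that function's prototype is not given here; the function names dns_audit_allows, dns_audit_fail and dns_audit_numeric_family are this example's own. It relies on the same assumption the message states: an ELF platform where the library's resolver calls bind to the symbol `getaddrinfo', so that a definition in the executable is found before libc's. dlsym(RTLD_NEXT, ...) needs -ldl on glibc older than 2.34 and on several other platforms.

```c
/* dns_audit.c: added example of symbol interposition for catching DNS leaks.
 * Not Heimdal's appl/test/auditdns.c. Link it into a test binary; any resolver
 * call that could reach the network prints a message and aborts. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#ifndef RTLD_NEXT
/* glibc and musl value; only needed if a system header was included before _GNU_SOURCE */
#define RTLD_NEXT ((void *) -1l)
#endif

/* Policy: a getaddrinfo() call is network-free only when the caller promises the
 * node argument is a numeric literal (AI_NUMERICHOST). Everything else is a lookup. */
int dns_audit_allows(const struct addrinfo *hints)
{
    return hints != NULL && (hints->ai_flags & AI_NUMERICHOST) != 0;
}

static void dns_audit_fail(const char *sym, const char *arg)
{
    fprintf(stderr, "DNS lookup attempted via %s(\"%s\")\n", sym, arg ? arg : "(null)");
    abort();
}

/* Interposers. Because these definitions live in the executable, the dynamic linker
 * resolves the shared libraries' references to gethostbyname/gethostbyname2/getaddrinfo
 * here instead of in libc, so a leak anywhere in the process trips the audit. */
struct hostent *gethostbyname(const char *name)
{
    dns_audit_fail("gethostbyname", name);
    return NULL;
}

struct hostent *gethostbyname2(const char *name, int af)
{
    (void)af;
    dns_audit_fail("gethostbyname2", name);
    return NULL;
}

int getaddrinfo(const char *node, const char *service,
                const struct addrinfo *hints, struct addrinfo **res)
{
    typedef int (*gai_fn)(const char *, const char *,
                          const struct addrinfo *, struct addrinfo **);
    static gai_fn real_getaddrinfo;

    if (!dns_audit_allows(hints))
        dns_audit_fail("getaddrinfo", node);

    /* Numeric-only request: forward to the next definition in lookup order (libc's). */
    if (real_getaddrinfo == NULL) {
        real_getaddrinfo = (gai_fn)dlsym(RTLD_NEXT, "getaddrinfo");
        if (real_getaddrinfo == NULL) {
            fprintf(stderr, "dlsym(RTLD_NEXT, \"getaddrinfo\"): %s\n", dlerror());
            abort();
        }
    }
    return real_getaddrinfo(node, service, hints, res);
}

/* Demonstration helper: resolve a literal through the interposer with AI_NUMERICHOST
 * set and return the address family, or -1 if libc rejected it as non-numeric. */
int dns_audit_numeric_family(const char *literal)
{
    struct addrinfo hints, *res = NULL;
    int family;

    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_NUMERICHOST;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(literal, NULL, &hints, &res) != 0)
        return -1;
    family = res->ai_family;
    freeaddrinfo(res);
    return family;
}
```

A call such as getaddrinfo("kdc.example.com", "88", &hints_without_numerichost, &res) from any library in the process aborts with the symbol and name on stderr, which is the behaviour the commit message says check-nodns relies on; a literal like "127.0.0.1" with AI_NUMERICHOST passes straight through to libc and never touches the network.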
@@ -381,7 +381,7 @@ TESTS = test_oid test_names test_cfx
test_cfx_SOURCES = krb5/test_cfx.c
check_PROGRAMS = test_acquire_cred $(TESTS)
check_PROGRAMS = test_acquire_cred test_acquire_cred_auditdns $(TESTS)
bin_PROGRAMS = gsstool gss-token
noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred
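Review bot: test_acquire_cred_auditdns is added to check_PROGRAMS but not to TESTS, so `make check` builds it while nothing in this Makefile runs it; the commit message says tests/gss/check-nodns is the consumer, so a one-line comment beside this entry (for example `# driven by tests/gss/check-nodns`) would keep that cross-directory dependency visible to whoever next reorganizes the test programs.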
@@ -389,6 +389,9 @@ noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cre
test_context_SOURCES = test_context.c test_common.c test_common.h
test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
test_acquire_cred_SOURCES = test_acquire_cred.c test_common.c test_common.h
test_acquire_cred_auditdns_SOURCES = \
test_acquire_cred.c test_common.c test_common.h \
../../appl/test/auditdns.c
test_add_store_cred_SOURCES = test_add_store_cred.c
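Review bot: test_acquire_cred_auditdns_SOURCES pulls in ../../appl/test/auditdns.c but there is no matching test_acquire_cred_auditdns_LDADD or _LDFLAGS in this hunk, so the program inherits whatever default LDADD this Makefile sets; since the shim calls dlsym(RTLD_NEXT, "getaddrinfo"), it needs libdl on glibc before 2.34 and on a number of other platforms, so either confirm the default link line already carries the tree's libdl variable or add one here. Reaching into appl/test/ from this directory for a single source file is also fragile; a noinst convenience library for auditdns.c, or placing it somewhere both kinit and this test can reach without a relative path, would avoid the coupling.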