diff --git a/lib/krb5/send_to_kdc.c b/lib/krb5/send_to_kdc.c index 8a9f03e69..9373646df 100644 --- a/lib/krb5/send_to_kdc.c +++ b/lib/krb5/send_to_kdc.c @@ -436,7 +436,9 @@ send_stream(krb5_context context, struct host *host) { ssize_t len; + _krb5_debug(context, 5, "send_stream: fd=%d len=%lu", host->fd, (unsigned long)host->data.length); len = krb5_net_write(context, &host->fd, host->data.data, host->data.length); + _krb5_debug(context, 5, "send_stream: wrote %ld bytes", (long)len); if (len < 0) return errno; @@ -458,8 +460,13 @@ recv_stream(krb5_context context, struct host *host) ssize_t sret; int nbytes; - if (rk_SOCK_IOCTL(host->fd, FIONREAD, &nbytes) != 0 || nbytes <= 0) + if (rk_SOCK_IOCTL(host->fd, FIONREAD, &nbytes) != 0 || nbytes <= 0) { + _krb5_debug(context, 5, "recv_stream: FIONREAD failed or nbytes=%d, oldlen=%lu", + nbytes, (unsigned long)host->data.length); return HEIM_NET_CONN_REFUSED; + } + _krb5_debug(context, 5, "recv_stream: fd=%d FIONREAD=%d oldlen=%lu", + host->fd, nbytes, (unsigned long)host->data.length); if (context->max_msg_size - host->data.length < nbytes) { krb5_set_error_message(context, KRB5KRB_ERR_FIELD_TOOLONG, @@ -476,10 +483,13 @@ recv_stream(krb5_context context, struct host *host) sret = krb5_net_read(context, &host->fd, ((uint8_t *)host->data.data) + oldlen, nbytes); if (sret <= 0) { + _krb5_debug(context, 5, "recv_stream: krb5_net_read returned %ld, errno=%d", (long)sret, errno); ret = errno; return ret; } host->data.length = oldlen + sret; + _krb5_debug(context, 5, "recv_stream: read %ld bytes, total len=%lu", + (long)sret, (unsigned long)host->data.length); /* zero terminate for http transport */ ((uint8_t *)host->data.data)[host->data.length] = '\0'; @@ -749,7 +759,10 @@ recv_tcp(krb5_context context, struct host *host, krb5_data *data) return -1; _krb5_get_int(host->data.data, &pktlen, 4); - + + _krb5_debug(context, 5, "recv_tcp: len=%lu pktlen=%lu", + (unsigned long)host->data.length, pktlen); + if (pktlen > host->data.length - 4) return -1; @@ -758,7 +771,7 @@ recv_tcp(krb5_context context, struct host *host, krb5_data *data) *data = host->data; krb5_data_zero(&host->data); - + return 0; } @@ -891,9 +904,28 @@ eval_host_state(krb5_context context, return 0; } - if (readable) { + /* check if there is anything to send */ + if (writeable && host->state == CONNECTED) { - debug_host(context, 5, host, "reading packet"); + ctx->stats.sent_packets++; + + debug_host(context, 5, host, "writing packet fd=%d data_len=%lu", + host->fd, (unsigned long)host->data.length); + + ret = host->fun->send_fn(context, host); + if (ret == -1) { + /* not done yet */ + } else if (ret) { + host_dead(context, host, "host dead, write failed"); + } else { + host->state = WAITING_REPLY; + return 0; /* wait for next select before reading */ + } + } + + if (readable && host->state == WAITING_REPLY) { + + debug_host(context, 5, host, "reading packet fd=%d", host->fd); ret = host->fun->recv_fn(context, host, &ctx->response); if (ret == -1) { @@ -907,22 +939,6 @@ eval_host_state(krb5_context context, } } - /* check if there is anything to send, state might DEAD after read */ - if (writeable && host->state == CONNECTED) { - - ctx->stats.sent_packets++; - - debug_host(context, 5, host, "writing packet"); - - ret = host->fun->send_fn(context, host); - if (ret == -1) { - /* not done yet */ - } else if (ret) { - host_dead(context, host, "host dead, write failed"); - } else - host->state = WAITING_REPLY; - } - return 0; } diff --git a/lib/krb5/socksdrawer.c b/lib/krb5/socksdrawer.c index f08fbbd65..196d41b0f 100644 --- a/lib/krb5/socksdrawer.c +++ b/lib/krb5/socksdrawer.c @@ -358,7 +358,7 @@ static void handleclient(int clientfd, int argc, char **argv) { struct socks4a_request req; - struct socks4a_request reply; + struct socks4a_reply reply; const char *user, *host; uint16_t port; char portstr[sizeof("65536")]; diff --git a/tests/kdc/Makefile.am b/tests/kdc/Makefile.am index 98c12a9dd..6de1c4a1b 100644 --- a/tests/kdc/Makefile.am +++ b/tests/kdc/Makefile.am @@ -43,6 +43,7 @@ SCRIPT_TESTS = \ check-httpkadmind \ check-iprop \ check-referral \ + check-socks \ check-tester \ check-uu @@ -192,6 +193,11 @@ check-referral: check-referral.in Makefile $(chmod) +x check-referral.tmp && \ mv check-referral.tmp check-referral +check-socks: check-socks.in Makefile + $(do_subst) < $(srcdir)/check-socks.in > check-socks.tmp && \ + $(chmod) +x check-socks.tmp && \ + mv check-socks.tmp check-socks + check-kpasswdd: check-kpasswdd.in Makefile $(do_subst) < $(srcdir)/check-kpasswdd.in > check-kpasswdd.tmp && \ $(chmod) +x check-kpasswdd.tmp && \ @@ -360,6 +366,7 @@ CLEANFILES= \ krb5-httpkadmind.conf \ krb5-slave2.conf \ krb5-slave.conf \ + krb5-socks.conf \ krb5-weak.conf \ krb5.conf \ krb5.conf.keys \ @@ -380,6 +387,7 @@ CLEANFILES= \ sdb \ server.keytab \ signal \ + socksdrawer.out \ signal2 \ signal3 \ tempfile \ @@ -409,6 +417,7 @@ EXTRA_DIST = \ check-old-heimdal-client.in \ check-pkinit.in \ check-referral.in \ + check-socks.in \ check-tester.in \ check-uu.in \ donotexists.txt \ diff --git a/tests/kdc/check-socks.in b/tests/kdc/check-socks.in new file mode 100644 index 000000000..65fd98de0 --- /dev/null +++ b/tests/kdc/check-socks.in @@ -0,0 +1,176 @@ +#!/bin/sh +# +# Copyright (c) 2025 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +top_builddir="@top_builddir@" +env_setup="@env_setup@" +objdir="@objdir@" + +. ${env_setup} + +# Use the main krb5.conf for KDC and admin operations +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +testfailed="echo test failed; cat messages.log; exit 1" + +# If there is no useful db support compiled in, disable test +${have_db} || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +kadmin="${kadmin} -l -A -r $R" +kdc="${kdc} --addresses=localhost -P $port" +socksdrawer="${top_builddir}/lib/krb5/socksdrawer" + +cache="FILE:${objdir}/cache.krb5" +kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" + +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo "Creating database" +${kadmin} < ${objdir}/foopassword + +echo "Starting kdc" +${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; } +kdcpid=`getpid kdc` + +# First verify that kinit works without SOCKS (using main krb5.conf) +echo "Verifying kinit works without SOCKS proxy" +${kinit} -c ${cache} ${afs_no_afslog} --password-file=${objdir}/foopassword foo@${R} || \ + { echo "kinit without proxy failed - test setup is broken"; cat messages.log; exit 1; } +${kdestroy} -c ${cache} ${afs_no_unlog} +echo "kinit without SOCKS proxy succeeded" + +sockspid= + +cleanup() { + echo "Cleaning up" + if [ -n "${kdcpid}" ]; then + kill -9 ${kdcpid} 2>/dev/null + fi + if [ -n "${sockspid}" ]; then + kill -9 ${sockspid} 2>/dev/null + fi + trap '' EXIT INT TERM + cat messages.log + exit 1 +} +trap cleanup EXIT INT TERM + +ec=0 + +# Start socksdrawer in the background +# Arguments: listenport matchhost matchport matchuser host port +# Use a fake KDC hostname (kdc.invalid) to prove the proxy is being used +# The proxy will map kdc.invalid:54321 -> localhost:${port} +echo "Starting socksdrawer" +${socksdrawer} 0 kdc.invalid 54321 foo@${R} localhost ${port} > ${objdir}/socksdrawer.out & +sockspid=$! +sleep 1 + +# Read the port number that socksdrawer chose +socksport=`cat ${objdir}/socksdrawer.out` +if [ -z "${socksport}" ]; then + echo "Failed to get SOCKS port from socksdrawer" + ec=1 + eval "${testfailed}" +fi +echo "socksdrawer listening on port ${socksport}" + +# Create krb5-socks.conf with socks4a_proxy for client operations +# Use kdc.invalid:54321 as the KDC - this only works through the proxy +cat > ${objdir}/krb5-socks.conf </dev/null +sockspid= + +echo "Test that kinit fails without proxy running" +${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \ + { echo "kinit should have failed without proxy"; ec=1; eval "${testfailed}"; } + +echo "Killing kdc (${kdcpid})" +sh ${leaks_kill} kdc $kdcpid || exit 1 + +trap "" EXIT + +exit $ec