oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Use AI_NUMERICSERV if block_dns, and use local getaddrinfo to audit.

Browse Source 
This change has two parts:

1. Provide our own local implementation of numeric-only getaddrinfo
   in auditdns.c used to audit for DNS leaks, rather than deferring
   to dlsym(RTLD_NEXT, "getaddrinfo"), in terms of inet_pton.

   To keep review and implementation simple, this is limited to
   AI_NUMERICHOST _and_ AI_NUMERICSERV -- this requires that we
   arrange to pass AI_NUMERICSERV in callers too.

2. Wherever we implement block_dns, set AI_NUMERICSERV in addition to
   AI_NUMERICHOST as needed by the new auditdns.c getaddrinfo.

   (In principle this might also avoid other network leaks -- POSIX
   guarantees no name resolution service will be invoked, and gives
   NIS+ as an example.)

   One tiny semantic change to avoid tripping over the auditor:
   kadmin(8) now uses the string "749" rather than the string
   "kerberos-adm".  (Currently we don't audit kadmin(8) for DNS leaks
   but let's avoid leaving a rake to step on.)  Every other caller I
   found is already guaranteed to pass a numeric service rather than
   named service to getaddrinfo.

fix https://github.com/heimdal/heimdal/issues/1212
This commit is contained in:
Taylor R Campbell
2024-01-09 04:23:24 +00:00
committed by Nico Williams
parent 1d8f4347bb
commit e75e549252
11 changed files with 305 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/kadm5/init_c.c
View File

@@ -574,7 +574,7 @@ kadm_connect(kadm5_client_context *ctx)
if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL)) {
hints.ai_flags &= ~AI_CANONNAME;
hints.ai_flags |= AI_NUMERICHOST;
hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
}
error = getaddrinfo(hostname, portstr, &hints, &ai);
if (error) {