Commit Graph

990 Commits

Author SHA1 Message Date
Nicolas Williams
cbe156d927 Use OpenSSL 3.x _only_ and implement RFC 8636
- No more OpenSSL 1.x support
- Remove 1DES and 3DES
- Remove NETLOGON, NTLM (client and 'digest' service)
2026-01-18 19:06:16 -06:00
Nicolas Williams
7439820618 hcrypto, otp: Remove hcrypto and otp!
We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking.  Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.
2026-01-18 16:09:31 -06:00
Nicolas Williams
a33d6fb82a kadmind: Fix leak 2026-01-18 16:09:31 -06:00
Nicolas Williams
5a7ace809e kadmind: Add -A option for async HDB writes 2026-01-18 16:09:31 -06:00
Nicolas Williams
16b4b386f2 kadmin: Add -A option for async HDB writes 2026-01-18 16:09:31 -06:00
Nicolas Williams
d64ba321b8 kadmin: Update kadmin(1) man page 2026-01-18 16:09:31 -06:00
Nicolas Williams
c498fed5a5 kadmin: Fix ext_keytab leak 2026-01-18 16:09:31 -06:00
Nicolas Williams
a7e9797919 kadmin: Implement -e for cpw/randkey 2026-01-18 16:09:31 -06:00
Nicolas Williams
697d493ca8 kadmin: Use same supported_enctypes default as default_keys in lib/hdb 2026-01-18 16:09:30 -06:00
Jeffrey Altman
1ffff7e4ff kadmin: ext.c -Wcalloc-transposed args
warning: 'calloc' sizes specified with 'sizeof' in the earlier argument
and not in the later argument [-Wcalloc-transposed-args].

Swap the args.
2024-06-04 06:22:37 -04:00
Taylor R Campbell
e75e549252 Use AI_NUMERICSERV if block_dns, and use local getaddrinfo to audit.
This change has two parts:

1. Provide our own local implementation of numeric-only getaddrinfo
   in auditdns.c used to audit for DNS leaks, rather than deferring
   to dlsym(RTLD_NEXT, "getaddrinfo"), in terms of inet_pton.

   To keep review and implementation simple, this is limited to
   AI_NUMERICHOST _and_ AI_NUMERICSERV -- this requires that we
   arrange to pass AI_NUMERICSERV in callers too.

2. Wherever we implement block_dns, set AI_NUMERICSERV in addition to
   AI_NUMERICHOST as needed by the new auditdns.c getaddrinfo.

   (In principle this might also avoid other network leaks -- POSIX
   guarantees no name resolution service will be invoked, and gives
   NIS+ as an example.)

   One tiny semantic change to avoid tripping over the auditor:
   kadmin(8) now uses the string "749" rather than the string
   "kerberos-adm".  (Currently we don't audit kadmin(8) for DNS leaks
   but let's avoid leaving a rake to step on.)  Every other caller I
   found is already guaranteed to pass a numeric service rather than
   named service to getaddrinfo.

fix https://github.com/heimdal/heimdal/issues/1212
2024-01-09 16:06:32 -06:00
Taylor R Campbell
fd77c4000d Ensure all calls to getaddrinfo are headed by a block_dns check.
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.

Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
2024-01-08 10:22:02 -06:00
Nicolas Williams
cfd798faaf kadmin: Add auth-data-reqd attribute 2023-06-23 13:44:13 -05:00
Siva Mahadevan
a7019d4b88 kadmin/check: move error messages to stderr
This helps with certain automation tools, such as ansible, that usually
expect failure to be visible in stderr.

Other minor changes:
* replace "doesn't" with "does not" to keep messages consistent and
  avoid escaping quotes in grep, etc.
* add newlines
2023-06-20 13:16:19 -05:00
Nicolas Williams
9cbafd7320 kadmin: Add missing options to kadmin(1) page (fix #1118) 2023-05-26 23:52:24 -05:00
Nicolas Williams
d2bc2a4ce5 kadmin: Fix return value non-checking in format_field() 2023-01-04 16:22:41 -06:00
Nicolas Williams
ffd4013be7 kadmin: Fix uninit variable in add_kvno_diff() 2023-01-04 01:48:34 -06:00
Nicolas Williams
dfe592ef35 kadmin: Fix uninit variable in cpw --key 2023-01-04 01:36:03 -06:00
Nicolas Williams
95a458adbd kadmin: Add missing error check in ank 2023-01-04 01:36:03 -06:00
Nicolas Williams
31ee9c0ce5 kadmind: Quiet tainted data warning 2023-01-04 01:36:03 -06:00
Nicolas Williams
cfb2c74923 kadmind: Add fuzzing options 2023-01-04 01:36:03 -06:00
Nicolas Williams
9fb46adf97 kadmin: Support heredocs better to speed up tests
Now we can use heredocs to execute multiple kadmin commands with just
one `execve()`:

```
${kadmin} <<EOF || exit 1
init ...
add ...
...
EOF
```

This will allow tests to use heredocs in setting up an HDB so as to go a
bit faster.
2022-12-07 21:28:54 -06:00
Nicolas Williams
c015db46da windows: Do not make test in kadmin/
Somehow the dreaded C1041 error pops up.
2022-10-03 09:44:22 -05:00
Daria Phoebe Brashear
133f517482 rewrite fallthrough to HEIM_FALLTHROUGH to deal with new Apple SDKs
Apple clang version 14.0.0 (clang-1400.0.17.3.1) fails the build
because stds.h defines `fallthrough` as a macro which is then
expanded when base.h evaluates

  # if __has_attribute(fallthrough) && __clang_major__ >= 5

The macOS SDK defines `DISPATCH_FALLTHROUGH` as the macro instead
of `fallthrough`.

This change replaces the use of `fallthrough` in the tree with
`HEIM_FALLTHROUGH` and updates the declaration in configure logic
to define `HEIM_FALLTHROUGH` based upon existing definitions
(if any) of `fallthrough` or `DISPATCH_FALLTHROUGH`.
2022-09-16 15:58:45 -04:00
Nicolas Williams
a51708c356 kadmin: Fix kdb_attrs[] units order 2022-04-25 22:24:51 -05:00
Nicolas Williams
0068ff7a94 kadmin: Fix re-entrance in iterations (part 2) 2022-03-24 14:58:10 -05:00
Nicolas Williams
a4d3832675 kadmin: Remove unnecessary callback data ret field 2022-03-24 14:52:22 -05:00
Nicolas Williams
6b64ae2cde kadmin: Fix leak of dup context 2022-03-23 23:39:34 -05:00
Nicolas Williams
621deed047 kadmin: Fix re-entrance in iterations
Any callback of kadm5_iter_principals() that wants to call other kadm5
functions (such as kadm5_get_principal()) needs to do so on a different
kadm5 handle than the one used for kadm5_iter_principals().
2022-03-23 18:03:38 -05:00
Nicolas Williams
6b45c3512e kadmin: LIST interrupt message needs no reply
The online LIST interrupt message is a NOP, but it's expected to not
have a reply (the server doesn't send one if it receives it before the
LIST finishes).

However, if the interrupt message arrives after the LIST finished, then
it does get a reply, and this causes the client to get out of step with
the server.

Fixes include:

1) flavor the interrupt NOP to make sure it never gets a reply,
2) introduce a new kadm_list_interrupt message that is like a NOP that
   produces no reply
3) always consume -after the LIST ends- a reply to any list interrupt
   NOP on the client side.

This implements (1).
2022-03-22 17:07:34 -05:00
Nicolas Williams
1dbfd4e835 kadmin: Use kadm5_iter_principals() to list princs
Now that we have a properly working API for listing principals in an
online way, and a server-side implementation of it, use it.

This should work with old and new servers, but it will only be online
and fast when talking to new servers.

(Old servers have a bug though that prevents LIST from working.)
2022-03-20 18:32:14 -05:00
Nicolas Williams
b92a02edda kadmind: Online LIST using kadm5_iter_principals()
Implement a variation on the op for listing principals where if the
client indicates support for the new variation then we stream the list
instead of collecting it into one reply.  This is the server-side
version of the associated, preceding commit:

    kadm5: Add online kadm5_iter_principals()
2022-03-20 18:30:21 -05:00
Nicolas Williams
14ce7bbaca kadmind: Send error code back... on error!
Seeing "End of file" errors from kadm5 client calls which were the
result of not sending back errors in many error paths in
kadmin/server.c:kadmind_dispatch().
2022-03-20 18:23:17 -05:00
Nicolas Williams
7556a114e1 kadmind: Fix typos leading to reply failures 2022-03-20 18:20:53 -05:00
Nicolas Williams
c2ed63ba40 kadmin: Document hard and soft aliases 2022-03-17 20:43:32 -05:00
Nicolas Williams
4eb80e0e93 kadm5: deltat2str(): Improve "unlimited" 2022-03-14 13:41:47 -05:00
Jeffrey Altman
dafbfa666f kadmin: add_one_principal avoid shadow warning
8dcc5e617b ("kadmin: add_one_principal refactor") made 'princ_name' a
top-level variable.  This precludes the need to declare
subsequent block-level variables with the same name.

Change-Id: I4bf9e54b49a0e366ed4cd39920d3fe58439beb33
2022-01-21 10:39:57 -05:00
Jeffrey Altman
04527412e3 Follow the Linux kernel's lead on "fallthrough"
The pseudo keyword 'fallthrough' is defined such that case statement
blocks must end with any of these keywords:
 * break;
 * fallthrough;
 * continue;
 * goto <label>;
 * return [expression];
 *
 *  gcc: https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html#Statement-Attributes

The macro is defined either as

  __attribute__((__fallthrough__))

or as

  do {} while (0)  /* fallthrough */

not including the semicolon.

This change implements the Linux kernel style and updates several locations
where "/*fallthrough*/" and "/* FALLTHROUGH */" were not previously replaced.

Externally imported code such as libedit, libtommath and sqlite are
restored to their unaltered state.

Change-Id: I69db8167b0d5884f55d96d72de3059a0235a1ba3
2022-01-21 10:39:47 -05:00
Jeffrey Altman
02bd267fbd kadmin: kadmind_dispatch fix broken commit
124b8d0f78 ("kadmin: kadmind_dispatch do not write NULL 'rsp' to 'out'") was committed with an
unintentional source code removal.

Change-Id: I3de21e3624d713a9b5a1e89d147a5db5f1f55ab1
2022-01-21 09:24:34 -05:00
Jeffrey Altman
124b8d0f78 kadmin: kadmind_dispatch do not write NULL 'rsp' to 'out'
1b213c1082 ("kadmind: Add missing error checks") altered the behavior of kadmin_dispatch() such that
it unconditionally called

      krb5_storage_to_data(rsp, out);

This change was unsafe because krb5_unparse_name_fixed() failure
would skip the allocation of the 'rsp' and 'sp' krb5_storage
objects.

This change allocates the krb5_storage objects prior to performing
any work.  If either of them fail, kadmin_dispatch() immediately
returns ENOMEM.

Change-Id: I14fd96afe029a4e74bb769605286ca0e17d25043
2022-01-21 09:16:35 -05:00
Jeffrey Altman
251cbf05c2 Revert "kadmin: kadmind_dispatch do not write to 'out' on error"
This reverts commit fb52fd1c53.

The change caused tests/kdc/check-kadmin to fail.
2022-01-21 09:04:31 -05:00
Jeffrey Altman
8dcc5e617b kadmin: add_one_principal refactor
If rand_password is true, allocate princ_name early to prevent
memory allocation errors after the principal was added.

Use memset_s to clear the 'password' so that it will not be
optimized away.

Change-Id: I80d11546166d2350e6a79c5a376cb9e8cb191fa3
2022-01-21 00:44:10 -05:00
Jeffrey Altman
912b20c4d7 kadmin: refactor set_random_password
Obtain the unparsed principal name early so that there is no
risk of memory allocation failure after kadm5_chpass_principal_3()
succeeds.

Change-Id: I389281004826da5752081c2f26127d55e3dc3989
2022-01-21 00:31:56 -05:00
Jeffrey Altman
fb52fd1c53 kadmin: kadmind_dispatch do not write to 'out' on error
1b213c1082 ("kadmind: Add missing error checks") altered the behavior of kadmin_dispatch() such that
it unconditionally called

  krb5_storage_to_data(rsp, out);

Previously kadmin_dispatch() only wrote to 'out' on success.
Doing so is important because 'rsp' might be NULL on error.

Change-Id: I2688a5c47db0f94d955971e785037c578d3f3fa4
2022-01-21 00:25:15 -05:00
Jeffrey Altman
4ffd190b08 kadmin: kadmind_dispatch fix handling of HEIM_ERR_EOF error
1b213c1082 ("kadmind: Add missing error checks") altered the scope of the

   if (ret == HEIM_ERR_EOF)
      ret = 0;

treatment of HEIM_ERR_EOF as a success code.  Prior to that
commit HEIM_ERR_EOF meant success only when reading the 'keepold'
value.  It indicated a premature failure if returned when reading
'princ' or 'n_key_data'.

This change corrects the scope of HEIM_ERR_EOF indicating success.

Change-Id: If5463b47dc3eabee6fa2f8e717147f02adc1586c
2022-01-20 23:43:06 -05:00
Nicolas Williams
1b213c1082 kadmind: Add missing error checks 2022-01-19 16:33:37 -06:00
Nicolas Williams
abb9a46ccc kadmin: Add missing error check in init() 2022-01-18 15:41:43 -06:00
Jeffrey Altman
51575264d4 kadmin: read_words pass correct type to sizeof
(char *) not (char **).

Change-Id: I2c34fa5b0ea9f81b08451ed1b4a816684b7ab638
2022-01-17 22:36:29 -05:00
Nicolas Williams
0f843189a4 kadmin: Check for errors in init 2022-01-17 00:45:37 -06:00
Jeffrey Altman
63f9fc172c kadmin: kadmind_dispatch free 'ks_tuple' before overwriting
Change-Id: I8719c610a34ca128cc8a0b3d7f94dafc26b21e01
2022-01-17 00:16:27 -05:00