If the Kerberos v5 principal name is
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
and the principal type is KRB5_NT_WELLKNOWN, then gss_display_name()
is expected to return GSS_C_NT_ANONYMOUS instead of
GSS_KRB5_NT_PRINCIPAL_NAME. This change matches the behavior of
MIT Kerberos.
We build variants of kinit and test_acquire_cred that define their
own symbols rk_dns_lookup, gethostbyname, gethostbyname2, and
getaddrinfo to print a message and abort. For getaddrinfo, we abort
only if the caller failed to specify AI_NUMERICHOST; otherwise we use
dlsym(RTLD_NEXT, "getaddrinfo") instead.
The new test tests/gss/check-nodns is like tests/gss/check-basic, but
uses kinit_auditdns and test_acquire_cred_auditdns to verify that no
DNS resolution happens.
This test should work and be effective on ELF platforms where the
getaddrinfo function is implemented by the symbol `getaddrinfo'. On
non-ELF platforms it may not be effective -- and on platforms where
the getaddrinfo function is implemented by another symbol (like
`__getaddrinfo50') it may not work, but we can cross that bridge when
we come to it.
Verified manually that the test fails, with the expected error
message and abort, without `block_dns = yes' in krb5-nodns.conf. No
automatic test of the mechanism for now because it might not work on
some platforms.
XXX check-nodns.in is copypasta of check-basic.in, should factor out
the common parts so they don't get out of sync.
Excluded: libtomath and libedit files, most of which appear to be
testing or example code not involved in production, and which are
derived from an upstream that should perhaps have patches submitted
upstream instead.
fix https://github.com/heimdal/heimdal/issues/1111
The interface between the krb5 mechanism and the mechglue API
gsskrb5_extract_authtime_from_sec_context() assumed the authtime would fit into
an uint32_t, which is not the case on platforms where time_t is 64-bit.
Fixes: #1073
SANON cred export/import never worked correctly as the export function was
producing the wrong form of token, which was leading gss_import_cred() to
allocate more than 64MB of memory to parse the SANON exported credential. The
recent change to reduce the default `max_alloc` of krb5_storage exposed this.
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.
Now we properly constrain the value of padlength so underflow shouldn't
be possible.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.
In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.
That would be undefined behaviour.
The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):
CC test_common.o
In file included from test_common.c:34:
krb5/gsskrb5_locl.h:42:10: fatal error: gkrb5_err.h: No such file or directory
42 | #include <gkrb5_err.h>
| ^~~~~~~~~~~~~
compilation terminated.
make[3]: *** [Makefile:2347: test_common.o] Error 1 shuffle=1656680590
The change moves gkrb5_err.h and friends to BUILT_SOURCES
to guarantee their presence when main build starts.
Apple clang version 14.0.0 (clang-1400.0.17.3.1) fails the build
because stds.h defines `fallthrough` as a macro which is then
expanded when base.h evaluates
# if __has_attribute(fallthrough) && __clang_major__ >= 5
The macOS SDK defines `DISPATCH_FALLTHROUGH` as the macro instead
of `fallthrough`.
This change replaces the use of `fallthrough` in the tree with
`HEIM_FALLTHROUGH` and updates the declaration in configure logic
to define `HEIM_FALLTHROUGH` based upon existing definitions
(if any) of `fallthrough` or `DISPATCH_FALLTHROUGH`.
The definitions of memcpy(), memmove(), and memset() state that
the behaviour is undefined if any of the pointer arguments are
NULL, and some compilers are known to make use of this to
optimise away existing NULL checks in the source.
Change-Id: I489bc256e3eac7ff41d91becb0b43aba73dbb3f9
Link: https://www.imperialviolet.org/2016/06/26/nonnull.html
The pseudo keyword 'fallthrough' is defined such that case statement
blocks must end with any of these keywords:
* break;
* fallthrough;
* continue;
* goto <label>;
* return [expression];
*
* gcc: https://gcc.gnu.org/onlinedocs/gcc/Statement-Attributes.html#Statement-Attributes
The macro is defined either as
__attribute__((__fallthrough__))
or as
do {} while (0) /* fallthrough */
not including the semicolon.
This change implements the Linux kernel style and updates several locations
where "/*fallthrough*/ and /* FALLTHROUGH */ were not previously replaced.
Externally imported code such as libedit, libtommath and sqlite are
restored to their unaltered state.
Change-Id: I69db8167b0d5884f55d96d72de3059a0235a1ba3
