This addresses part of https://github.com/heimdal/heimdal/issues/1214
to audit potential network leaks with [libdefaults] block_dns = yes.
NI_NUMERICHOST is _probably_ sufficient -- we probably won't see many
systems using NIS to look up service names by number if we fail to
specify NI_NUMERICSERV, and such systems probably require careful
auditing of their own. And I don't know of any way NI_NUMERICSCOPE
could trigger network leaks. But named scope ids are such a niche
option with IPv6 that setting it to forestall concerns can't hurt
much, and it makes reviewing easier if we just unconditionally flip
on all the numeric-only options.
This flag has defined by POSIX for years if not decades, but glibc
and Windows apparently still don't have it.
We will use it with getnameinfo, along with all other NI_NUMERICxxx
options, to minimize risk of network leaks with block_dns.
This change has two parts:
1. Provide our own local implementation of numeric-only getaddrinfo
in auditdns.c used to audit for DNS leaks, rather than deferring
to dlsym(RTLD_NEXT, "getaddrinfo"), in terms of inet_pton.
To keep review and implementation simple, this is limited to
AI_NUMERICHOST _and_ AI_NUMERICSERV -- this requires that we
arrange to pass AI_NUMERICSERV in callers too.
2. Wherever we implement block_dns, set AI_NUMERICSERV in addition to
AI_NUMERICHOST as needed by the new auditdns.c getaddrinfo.
(In principle this might also avoid other network leaks -- POSIX
guarantees no name resolution service will be invoked, and gives
NIS+ as an example.)
One tiny semantic change to avoid tripping over the auditor:
kadmin(8) now uses the string "749" rather than the string
"kerberos-adm". (Currently we don't audit kadmin(8) for DNS leaks
but let's avoid leaving a rake to step on.) Every other caller I
found is already guaranteed to pass a numeric service rather than
named service to getaddrinfo.
fix https://github.com/heimdal/heimdal/issues/1212
We build variants of kinit and test_acquire_cred that define their
own symbols rk_dns_lookup, gethostbyname, gethostbyname2, and
getaddrinfo to print a message and abort. For getaddrinfo, we abort
only if the caller failed to specify AI_NUMERICHOST; otherwise we use
dlsym(RTLD_NEXT, "getaddrinfo") instead.
The new test tests/gss/check-nodns is like tests/gss/check-basic, but
uses kinit_auditdns and test_acquire_cred_auditdns to verify that no
DNS resolution happens.
This test should work and be effective on ELF platforms where the
getaddrinfo function is implemented by the symbol `getaddrinfo'. On
non-ELF platforms it may not be effective -- and on platforms where
the getaddrinfo function is implemented by another symbol (like
`__getaddrinfo50') it may not work, but we can cross that bridge when
we come to it.
Verified manually that the test fails, with the expected error
message and abort, without `block_dns = yes' in krb5-nodns.conf. No
automatic test of the mechanism for now because it might not work on
some platforms.
XXX check-nodns.in is copypasta of check-basic.in, should factor out
the common parts so they don't get out of sync.
Previously, the hostname was initialized to `localhost'. If it was
not cleared by init_syslog, init_logger_addr (via openlog) would
query gethostbyname to find the IP address of `localhost', which will
essentially always be 127.0.0.1. But if it was cleared by
init_syslog, init_logger_addr would return 127.0.0.1 anyway.
This way, it always returns 127.0.0.1 in the event of no init_syslog
call, and avoids a DNS lookup. You can always force a DNS lookup by
passing `localhost' to init_syslog explicitly, of course.
I'm not sure if anything even uses this as a fallback in Heimdal, but
let's avoid leaving a rake to step on.
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.
Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
heimdal uses 8-byte (64-bits) atomic operations for a while now (ie in
lib/krb5/krcache.c). however some platforms (ie i386, i486, ARM < 7)
don't support them natively and need to be linked against libatomic in
order to implement functionallity from <stdatomic.h>.
if the header was found check 64-bit atomics work without any additional
libraries. if not try to add linking with libatomic. if that fails as
well fallback to -DHEIM_BASE_ATOMICS_FALLBACK
no change for platfroms without <stdatomic.h>
Fixes: #1186
Instead of freeing host->ai on return from submit_request in the
http_proxy path, stash the proxy's ai in another member host->freeai
which will be freed when host is freed.
Assumption: All hosts created in submit_request cease to be used
before any of them are freed, so it's safe to pick one host to hang
the proxy's ai on and free the ai when that host is freed.
fix https://github.com/heimdal/heimdal/issues/1205
In the future we should also make it so that `make check` for `tests/db`,
`tests/gss`, and `tests/kdc` first initializes all the realms and starts all
the daemons, then runs the actual checks possibly in parallel, then shuts down
the daemons. This will require quite a bit of work, so for now we just disable
parallel make in those directories.
If multiple valid CRLs are specified for a particular issuer, only the
first will be checked. The documentation didn’t really hint at this.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If ‘keyid’ is an empty string, then the numeric error code that gets
appended to this error message may be mistaken for the key ID. Address
this by not mentioning any ID in such cases.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
