From 883355750aaa600491502d2d3659303ed7cbb3ac Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Sat, 30 May 2020 12:01:58 -0400
Subject: [PATCH] Default dns_canonicalize_hostname to "fallback"
---
...ns_canonicalize_hostname-to-fallback.patch | 371 ++++++++++++
Remove-resolver-test-utility.patch | 547 ++++++++++++++++++
krb5.spec | 7 +-
3 files changed, 924 insertions(+), 1 deletion(-)
create mode 100644 Default-dns_canonicalize_hostname-to-fallback.patch
create mode 100644 Remove-resolver-test-utility.patch
diff --git a/Default-dns_canonicalize_hostname-to-fallback.patch b/Default-dns_canonicalize_hostname-to-fallback.patch
new file mode 100644
index 0000000..2e34e13
--- /dev/null
+++ b/Default-dns_canonicalize_hostname-to-fallback.patch
@@ -0,0 +1,371 @@
+From 1e72ba5c1b74d5b78f84c5884d06e979830aeb53 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 27 May 2020 18:48:35 -0400
+Subject: [PATCH] Default dns_canonicalize_hostname to "fallback"
+
+This change should mitigate some of the pain caused by the rdns=true
+default (generally associated with unwanted PTR records that cannot
+easily be changed), with a minimum of fallout.
+
+Update the documentation and tests accordingly. In test environments,
+disable qualify_shortname and use the uncanonicalized system hostname
+(lowercased) to match the initial sn2princ result.
+
+ticket: 8911 (new)
+---
+ doc/admin/appl_servers.rst | 14 +++---
+ doc/admin/conf_files/krb5_conf.rst | 9 ++--
+ doc/admin/princ_dns.rst | 44 +++++++++++--------
+ src/kadmin/testing/proto/krb5.conf.proto | 8 ++--
+ src/kadmin/testing/scripts/env-setup.shin | 4 +-
+ src/kadmin/testing/scripts/init_db | 3 +-
+ src/kadmin/testing/scripts/start_servers | 3 +-
+ .../testing/scripts/start_servers_local | 2 +-
+ .../kadm5/unit-test/api.current/init-v2.exp | 6 +--
+ src/lib/krb5/krb/init_ctx.c | 2 +-
+ src/tests/dejagnu/config/default.exp | 5 +--
+ src/tests/t_sn2princ.py | 5 ++-
+ src/util/k5test.py | 25 +++--------
+ 13 files changed, 58 insertions(+), 72 deletions(-)
+
+diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst
+index 5232db9af..afdf30297 100644
+--- a/doc/admin/appl_servers.rst
++++ b/doc/admin/appl_servers.rst
+@@ -115,14 +115,12 @@ Getting DNS information correct
+ -------------------------------
+
+ Several aspects of Kerberos rely on name service. When a hostname is
+-used to name a service, the Kerberos library canonicalizes the
+-hostname using forward and reverse name resolution. (The reverse name
+-resolution step can be turned off using the **rdns** variable in
+-:ref:`libdefaults`.) The result of this canonicalization must match
+-the principal entry in the host's keytab, or authentication will fail.
+-
+-Each host's canonical name must be the fully-qualified host name
+-(including the domain), and each host's IP address must
++used to name a service, clients may canonicalize the hostname using
++forward and possibly reverse name resolution. The result of this
++canonicalization must match the principal entry in the host's keytab,
++or authentication will fail. To work with all client canonicalization
++configurations, each host's canonical name must be the fully-qualified
++host name (including the domain), and each host's IP address must
+ reverse-resolve to the canonical name.
+
+ Configuration of hostnames varies by operating system. On the
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index 1d2aa7f68..a7e7a29d1 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -188,11 +188,10 @@ The libdefaults section may contain any of the following relations:
+ hostnames for use in service principal names. Setting this flag
+ to false can improve security by reducing reliance on DNS, but
+ means that short hostnames will not be canonicalized to
+- fully-qualified hostnames. The default value is true.
+-
+- If this option is set to ``fallback`` (new in release 1.18), DNS
+- canonicalization will only be performed the server hostname is not
+- found with the original name when requesting credentials.
++ fully-qualified hostnames. If this option is set to ``fallback`` (new
++ in release 1.18), DNS canonicalization will only be performed the
++ server hostname is not found with the original name when
++ requesting credentials. The default value is ``fallback``.
+
+ **dns_lookup_kdc**
+ Indicate whether DNS SRV records should be used to locate the KDCs
+diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst
+index e1d823f27..32a269afc 100644
+--- a/doc/admin/princ_dns.rst
++++ b/doc/admin/princ_dns.rst
+@@ -31,27 +31,35 @@ based on rotating ``CNAME`` records in DNS.
+ Service principal canonicalization
+ ----------------------------------
+
+-MIT Kerberos clients currently always do forward resolution (looking
+-up the IPv4 and possibly IPv6 addresses using ``getaddrinfo()``) of
+-the hostname part of a host-based service principal to canonicalize
+-the hostname. They obtain the "canonical" name of the host when doing
+-so. By default, MIT Kerberos clients will also then do reverse DNS
+-resolution (looking up the hostname associated with the IPv4 or IPv6
+-address using ``getnameinfo()``) of the hostname. Using the
+-:ref:`krb5.conf(5)` setting::
++In the MIT krb5 client library, canonicalization of host-based service
++principals is controlled by the **dns_canonicalize_hostname**,
++**rnds**, and **qualify_shortname** variables in :ref:`libdefaults`.
+
+- [libdefaults]
+- rdns = false
++If **dns_canonicalize_hostname** is set to ``true`` (the default value
++before release 1.19), the client performs forward resolution by
++looking up the IPv4 and/or IPv6 addresses of the hostname using
++``getaddrinfo()``. This process will typically add a domain suffix to
++the hostname if needed, and follow CNAME records in the DNS. If
++**rdns** is also set to ``true`` (the default), the client will then
++perform a reverse lookup of the first returned Internet address using
++``getnameinfo()``, finding the name associated with the PTR record.
+
+-will disable reverse DNS lookup on clients. The default setting is
+-"true".
++If **dns_canonicalize_hostname** is set to ``false``, the hostname is
++not canonicalized using DNS. If the hostname has only one component
++(i.e. it contains no "." characters), the host's primary DNS search
++domain will be appended, if there is one. The **qualify_shortname**
++variable can be used to override or disable this suffix.
++
++If **dns_canonicalize_hostname** is set to ``fallback`` (the default
++value in release 1.19 and later), the hostname is initially treated
++according to the rules for ``dns_canonicalize_hostname=false``. If a
++ticket request fails because the service principal is unknown, it the
++hostname will be canonicalized according to the rules for
++``dns_canonicalize_hostname=true`` and the request will be retried.
++
++In all cases, the hostname is converted to lowercase, and any trailing
++dot is removed.
+
+-Operating system bugs may prevent a setting of ``rdns = false`` from
+-disabling reverse DNS lookup. Some versions of GNU libc have a bug in
+-``getaddrinfo()`` that cause them to look up ``PTR`` records even when
+-not required. MIT Kerberos releases krb5-1.10.2 and newer have a
+-workaround for this problem, as does the krb5-1.9.x series as of
+-release krb5-1.9.4.
+
+
+ Reverse DNS mismatches
+diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
+index e710852d4..c0af716a5 100644
+--- a/src/kadmin/testing/proto/krb5.conf.proto
++++ b/src/kadmin/testing/proto/krb5.conf.proto
+@@ -2,19 +2,19 @@
+ default_realm = __REALM__
+ default_keytab_name = FILE:__K5ROOT__/keytab
+ dns_fallback = no
++ qualify_shortname = ""
+ plugin_base_dir = __PLUGIN_DIR__
+ allow_weak_crypto = true
+
+ [realms]
+ __REALM__ = {
+- kdc = __KDCHOST__:1750
+- admin_server = __KDCHOST__:1751
++ kdc = __HOSTNAME__:1750
++ admin_server = __HOSTNAME__:1751
+ database_module = foobar_db2_module_blah
+ }
+
+ [domain_realm]
+- __LOCALHOST__ = __REALM__
+- __KDCHOST__ = __REALM__
++ __HOSTNAME__ = __REALM__
+
+ [logging]
+ admin_server = FILE:__K5ROOT__/syslog
+diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin
+index 969c5340c..88f8ad1aa 100755
+--- a/src/kadmin/testing/scripts/env-setup.shin
++++ b/src/kadmin/testing/scripts/env-setup.shin
+@@ -71,8 +71,8 @@ BSDDB_DUMP=$TESTDIR/util/bsddb_dump; export BSDDB_DUMP
+ CLNTTCL=$TESTDIR/util/kadm5_clnt_tcl; export CLNTTCL
+ SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL
+
+-QUALNAME=`$BUILDTOP/tests/resolve/resolve -q | tr '[A-Z]' '[a-z]'`
+-export QUALNAME
++HOSTNAME=`hostname | tr '[A-Z]' '[a-z]'`
++export HOSTNAME
+
+ KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG
+ KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE
+diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
+index e65826c96..216f62793 100755
+--- a/src/kadmin/testing/scripts/init_db
++++ b/src/kadmin/testing/scripts/init_db
+@@ -79,8 +79,7 @@ fi
+ # done
+
+ sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
+- -e "s/__KDCHOST__/$QUALNAME/g" \
+- -e "s/__LOCALHOST__/$QUALNAME/g" \
++ -e "s/__HOSTNAME__/$HOSTNAME/g" \
+ -e "s#__MODDIR__#$MODDIR#g" \
+ < $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf
+ sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
+diff --git a/src/kadmin/testing/scripts/start_servers b/src/kadmin/testing/scripts/start_servers
+index f23df0682..05519e4ee 100755
+--- a/src/kadmin/testing/scripts/start_servers
++++ b/src/kadmin/testing/scripts/start_servers
+@@ -36,8 +36,7 @@ if [ $local = 0 ]; then
+
+ # Fix up the local krb5.conf to point to the remote
+ sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
+- -e "s/__KDCHOST__/$hostname/g" \
+- -e "s/__LOCALHOST__/$QUALNAME/g" \
++ -e "s/__HOSTNAME__/$HOSTNAME/g" \
+ -e "s#__MODDIR__#$TOP/../plugins/kdb#g"\
+ -e "s#__PLUGIN_DIR__#$TOP/../plugins#g"\
+ < $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf
+diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local
+index 998ef9164..858e88031 100755
+--- a/src/kadmin/testing/scripts/start_servers_local
++++ b/src/kadmin/testing/scripts/start_servers_local
+@@ -79,7 +79,7 @@ cat - > /tmp/start_servers_local$$ <<\EOF
+ if { [catch {
+ source $env(STOP)/testing/tcl/util.t
+ set r $env(REALM)
+- set q $env(QUALNAME)
++ set q $env(HOSTNAME)
+ puts stdout [kadm5_init $env(SRVTCL) mrroot null \
+ [config_params {KADM5_CONFIG_REALM} $r] \
+ $KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 server_handle]
+diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/unit-test/api.current/init-v2.exp
+index 7a353d4e9..47764c212 100644
+--- a/src/lib/kadm5/unit-test/api.current/init-v2.exp
++++ b/src/lib/kadm5/unit-test/api.current/init-v2.exp
+@@ -3,18 +3,14 @@ load_lib lib.t
+ api_exit
+ api_start
+
+-if ![info exists RESOLVE] {
+- set RESOLVE [findfile $objdir/../../../tests/resolve/resolve]
+-}
+ proc get_hostname { } {
+- global RESOLVE
+ global hostname
+
+ if {[info exists hostname]} {
+ return 1
+ }
+
+- catch "exec $RESOLVE -q >myname" exec_output
++ catch "exec hostname >myname" exec_output
+ if ![string match "" $exec_output] {
+ send_log "$exec_output\n"
+ verbose $exec_output
+diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
+index 9a4741fa6..0b8ae6714 100644
+--- a/src/lib/krb5/krb/init_ctx.c
++++ b/src/lib/krb5/krb/init_ctx.c
+@@ -237,7 +237,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
+ ctx->enforce_ok_as_delegate = tmp;
+
+ retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback",
+- CANONHOST_FALLBACK, 1, &tmp);
++ CANONHOST_FALLBACK, CANONHOST_FALLBACK, &tmp);
+ if (retval)
+ goto cleanup;
+ ctx->dns_canonicalize_hostname = tmp;
+diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
+index 4d8c917cd..1e7777f1e 100644
+--- a/src/tests/dejagnu/config/default.exp
++++ b/src/tests/dejagnu/config/default.exp
+@@ -268,7 +268,6 @@ foreach i {
+ {KTUTIL $objdir/../../kadmin/ktutil/ktutil}
+ {KLIST $objdir/../../clients/klist/klist}
+ {KDESTROY $objdir/../../clients/kdestroy/kdestroy}
+- {RESOLVE $objdir/../resolve/resolve}
+ {T_INETD $objdir/t_inetd}
+ {KPROPLOG $objdir/../../kprop/kproplog}
+ {KPASSWD $objdir/../../clients/kpasswd/kpasswd}
+@@ -462,7 +461,6 @@ proc setup_runtime_env { } {
+ # 0 on failure.
+
+ proc get_hostname { } {
+- global RESOLVE
+ global hostname
+ global tmppwd
+
+@@ -472,7 +470,7 @@ proc get_hostname { } {
+
+ envstack_push
+ setup_runtime_env
+- catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output
++ catch "exec hostname >$tmppwd/hostname" exec_output
+ envstack_pop
+ if ![string match "" $exec_output] {
+ verbose -log $exec_output
+@@ -710,6 +708,7 @@ proc setup_krb5_conf { {type client} } {
+ puts $conffile "\[libdefaults\]"
+ puts $conffile " default_realm = $REALMNAME"
+ puts $conffile " dns_lookup_kdc = false"
++ puts $conffile " qualify_shortname = \"\""
+ if [info exists allow_weak_crypto($type)] {
+ puts $conffile " allow_weak_crypto = $allow_weak_crypto($type)"
+ } else {
+diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py
+index 26dcb91c2..f3e187286 100755
+--- a/src/tests/t_sn2princ.py
++++ b/src/tests/t_sn2princ.py
+@@ -2,7 +2,8 @@ from k5test import *
+
+ offline = (len(args) > 0 and args[0] != "no")
+
+-conf = {'domain_realm': {'kerberos.org': 'R1',
++conf = {'libdefaults': {'dns_canonicalize_hostname': 'true'},
++ 'domain_realm': {'kerberos.org': 'R1',
+ 'example.com': 'R2',
+ 'mit.edu': 'R3'}}
+ no_rdns_conf = {'libdefaults': {'rdns': 'false'}}
+@@ -28,7 +29,7 @@ def testbase(host, nametype, princhost, princrealm, env=None):
+ fail('Expected %s, got %s' % (expected, out))
+
+ def test(host, princhost, princrealm):
+- # Test with the host-based name type in the default environment.
++ # Test with the host-based name type with canonicalization enabled.
+ testbase(host, 'srv-hst', princhost, princrealm)
+
+ def testnc(host, princhost, princrealm):
+diff --git a/src/util/k5test.py b/src/util/k5test.py
+index eea92275d..5196cfa43 100644
+--- a/src/util/k5test.py
++++ b/src/util/k5test.py
+@@ -193,7 +193,10 @@ Scripts may use the following functions and variables:
+
+ * plugins: The plugin directory in the build tree (absolute path).
+
+-* hostname: This machine's fully-qualified domain name.
++* hostname: The local hostname as it will initially appear in
++ krb5_sname_to_principal() results. (Shortname qualification is
++ turned off in the test environment to make this value easy to
++ discover from Python.)
+
+ * null_input: A file opened to read /dev/null.
+
+@@ -525,23 +528,6 @@ def _find_srctop():
+ return os.path.abspath(root)
+
+
+-# Return the local hostname as it will be canonicalized by
+-# krb5_sname_to_principal. We can't simply use socket.getfqdn()
+-# because it explicitly prefers results containing periods and
+-# krb5_sname_to_principal doesn't care.
+-def _get_hostname():
+- hostname = socket.gethostname()
+- try:
+- ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME)
+- except socket.gaierror as e:
+- fail('Local hostname "%s" does not resolve: %s.' % (hostname, e[1]))
+- (family, socktype, proto, canonname, sockaddr) = ai[0]
+- try:
+- name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
+- except socket.gaierror:
+- return canonname.lower()
+- return name[0].lower()
+-
+ # Parse command line arguments, setting global option variables. Also
+ # sets the global variable args to the positional arguments, which may
+ # be used by the test script.
+@@ -1263,6 +1249,7 @@ _default_krb5_conf = {
+ 'libdefaults': {
+ 'default_realm': '$realm',
+ 'dns_lookup_kdc': 'false',
++ 'qualify_shortname': '',
+ 'plugin_base_dir': '$plugins'},
+ 'realms': {'$realm': {
+ 'kdc': '$hostname:$port0',
+@@ -1356,7 +1343,7 @@ buildtop = _find_buildtop()
+ srctop = _find_srctop()
+ plugins = os.path.join(buildtop, 'plugins')
+ runenv = _import_runenv()
+-hostname = _get_hostname()
++hostname = socket.gethostname().lower()
+ null_input = open(os.devnull, 'r')
+
+ # A DB pass is a tuple of: name, kdc_conf.
diff --git a/Remove-resolver-test-utility.patch b/Remove-resolver-test-utility.patch
new file mode 100644
index 0000000..444f99a
--- /dev/null
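Review bot: The backported documentation in this patch describes the new default in terms of upstream release numbers ("the default value before release 1.19", "the default value in release 1.19 and later" in princ_dns.rst), but this package is Version 1.18.2, so the installed docs will tell admins that their build still defaults to `true` while init_ctx.c now passes `CANONHOST_FALLBACK` as the default; the downstream copy should either drop the release qualifiers or state that the package carries the 1.19 default. The same hunk carries three upstream wording defects worth fixing in the vendored copy: `**rnds**` should read `**rdns**`, `it the hostname will be canonicalized` should read `the hostname will be canonicalized`, and in krb5_conf.rst `will only be performed the server hostname is not found` is missing "if" before "the server hostname". The princ_dns.rst text also makes clear that in fallback mode a KDC "unknown principal" reply still triggers forward and, with the unchanged `rdns` default, reverse DNS lookups, so the changelog entry should not be read as removing the DNS dependence that krb5_conf.rst warns about. The nested test-script edits (env-setup.shin, init-v2.exp, default.exp) replace `resolve -q` with the `hostname` command, which is consistent with the second patch in this commit removing tests/resolve.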
+++ b/Remove-resolver-test-utility.patch 
@@ -0,0 +1,547 @@
+From 621cf6c98d74b025a0ca190cd279756596709ef9 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Thu, 28 May 2020 18:41:02 -0400
+Subject: [PATCH] Remove resolver test utility
+
+tests/resolve is no longer used after the previous commit.
+
+[rharwood@redhat.com: .gitignore]
+---
+ src/configure.ac | 5 +-
+ src/tests/Makefile.in | 4 +-
+ src/tests/resolve/Makefile.in | 28 --
+ src/tests/resolve/addrinfo-test.c | 306 -------------------------
+ src/tests/resolve/deps | 14 --
+ src/tests/resolve/fake-addrinfo-test.c | 3 -
+ src/tests/resolve/resolve.c | 115 ----------
+ 7 files changed, 4 insertions(+), 471 deletions(-)
+ delete mode 100644 src/tests/resolve/Makefile.in
+ delete mode 100644 src/tests/resolve/addrinfo-test.c
+ delete mode 100644 src/tests/resolve/deps
+ delete mode 100644 src/tests/resolve/fake-addrinfo-test.c
+ delete mode 100644 src/tests/resolve/resolve.c
+
+diff --git a/src/configure.ac b/src/configure.ac
+index 29be532cb..2a756d6b5 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -1542,7 +1542,6 @@ V5_AC_OUTPUT_MAKEFILE(.
+ appl/simple appl/simple/client appl/simple/server
+ appl/gss-sample appl/user_user
+
+- tests tests/resolve tests/asn.1 tests/create tests/hammer
+- tests/verify tests/gssapi tests/dejagnu tests/threads tests/shlib
+- tests/gss-threads tests/misc
++ tests tests/asn.1 tests/create tests/hammer tests/verify tests/gssapi
++ tests/dejagnu tests/threads tests/shlib tests/gss-threads tests/misc
+ )
+diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
+index 3f88f1713..6b7749129 100644
+--- a/src/tests/Makefile.in
++++ b/src/tests/Makefile.in
+@@ -1,7 +1,7 @@
+ mydir=tests
+ BUILDTOP=$(REL)..
+-SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
+- gss-threads misc threads softpkcs11
++SUBDIRS = asn.1 create hammer verify gssapi dejagnu shlib gss-threads misc \
++ threads softpkcs11
+
+ RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
+ GSS_MECH_CONFIG=mech.conf LC_ALL=C $(VALGRIND)
+diff --git a/src/tests/resolve/Makefile.in b/src/tests/resolve/Makefile.in
+deleted file mode 100644
+index 1f5954089..000000000
+--- a/src/tests/resolve/Makefile.in
++++ /dev/null
+@@ -1,28 +0,0 @@
+-mydir=tests$(S)resolve
+-BUILDTOP=$(REL)..$(S)..
+-
+-OBJS=resolve.o addrinfo-test.o fake-addrinfo-test.o
+-SRCS=$(srcdir)/resolve.c $(srcdir)/addrinfo-test.c \
+- $(srcdir)/fake-addrinfo-test.c
+-
+-all: resolve addrinfo-test fake-addrinfo-test
+-
+-resolve: resolve.o
+- $(CC_LINK) -o $@ resolve.o $(SUPPORT_LIB) $(LIBS)
+-
+-addrinfo-test: addrinfo-test.o
+- $(CC_LINK) -o $@ addrinfo-test.o $(SUPPORT_LIB) $(LIBS)
+-
+-fake-addrinfo-test: fake-addrinfo-test.o
+- $(CC_LINK) -o $@ fake-addrinfo-test.o $(SUPPORT_LIB) $(LIBS)
+-
+-check: resolve addrinfo-test fake-addrinfo-test
+- $(RUN_TEST) ./resolve
+- $(RUN_TEST) ./addrinfo-test -p telnet
+- $(RUN_TEST) ./fake-addrinfo-test -p telnet
+-
+-install:
+-
+-clean:
+- $(RM) resolve addrinfo-test fake-addrinfo-test
+-
+diff --git a/src/tests/resolve/addrinfo-test.c b/src/tests/resolve/addrinfo-test.c
+deleted file mode 100644
+index e77640b62..000000000
+--- a/src/tests/resolve/addrinfo-test.c
++++ /dev/null
+@@ -1,306 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* tests/resolve/addrinfo-test.c */
+-/*
+- * Copyright 2004 by the Massachusetts Institute of Technology.
+- * All Rights Reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- */
+-
+-/*
+- * A simple program to test the functionality of the getaddrinfo function.
+- *
+- * Usage:
+- * addrinfo-test [-t|-u|-R|-I] [-d|-s|-r] [-p port] [-P] [hostname]
+- *
+- * When invoked with no arguments, NULL is used for the node name,
+- * which (at least with a non-null "port") means a socket address
+- * is desired that can be used with connect() or bind() (depending
+- * on whether "-P" is given).
+- */
+-
+-#include
+-#include
+-#include
+-#include
+-#include /* needed for IPPROTO_* on NetBSD */
+-#ifdef USE_FAKE_ADDRINFO
+-#include "fake-addrinfo.h"
+-#endif
+-
+-static const char *protoname (int p) {
+- static char buf[30];
+-
+-#define X(N) if (p == IPPROTO_ ## N) return #N
+-
+- X(TCP);
+- X(UDP);
+- X(ICMP);
+-#ifdef IPPROTO_IPV6
+- X(IPV6);
+-#endif
+-#ifdef IPPROTO_GRE
+- X(GRE);
+-#endif
+-#ifdef IPPROTO_NONE
+- X(NONE);
+-#endif
+- X(RAW);
+-#ifdef IPPROTO_COMP
+- X(COMP);
+-#endif
+-
+- snprintf(buf, sizeof(buf), " %-2d", p);
+- return buf;
+-}
+-
+-static const char *socktypename (int t) {
+- static char buf[30];
+- switch (t) {
+- case SOCK_DGRAM: return "DGRAM";
+- case SOCK_STREAM: return "STREAM";
+- case SOCK_RAW: return "RAW";
+- case SOCK_RDM: return "RDM";
+- case SOCK_SEQPACKET: return "SEQPACKET";
+- }
+- snprintf(buf, sizeof(buf), " %-2d", t);
+- return buf;
+-}
+-
+-static char *whoami;
+-
+-static void usage () {
+- fprintf(stderr,
+- "usage:\n"
+- "\t%s [ options ] [host]\n"
+- "options:\n"
+- "\t-t\tspecify protocol IPPROTO_TCP\n"
+- "\t-u\tspecify protocol IPPROTO_UDP\n"
+- "\t-R\tspecify protocol IPPROTO_RAW\n"
+- "\t-I\tspecify protocol IPPROTO_ICMP\n"
+- "\n"
+- "\t-d\tspecify socket type SOCK_DGRAM\n"
+- "\t-s\tspecify socket type SOCK_STREAM\n"
+- "\t-r\tspecify socket type SOCK_RAW\n"
+- "\n"
+- "\t-4\tspecify address family AF_INET\n"
+-#ifdef AF_INET6
+- "\t-6\tspecify address family AF_INET6\n"
+-#endif
+- "\n"
+- "\t-p P\tspecify port P (service name or port number)\n"
+- "\t-N\thostname is numeric, skip DNS query\n"
+- "\t-n\tservice/port is numeric (sets AI_NUMERICSERV)\n"
+- "\t-P\tset AI_PASSIVE\n"
+- "\n"
+- "default: protocol 0, socket type 0, address family 0, null port\n"
+- ,
+- whoami);
+- /* [ -t | -u | -R | -I ] [ -d | -s | -r ] [ -p port ] */
+- exit (1);
+-}
+-
+-static const char *familyname (int f) {
+- static char buf[30];
+- switch (f) {
+- default:
+- snprintf(buf, sizeof(buf), "AF %d", f);
+- return buf;
+- case AF_INET: return "AF_INET";
+-#ifdef AF_INET6
+- case AF_INET6: return "AF_INET6";
+-#endif
+- }
+-}
+-
+-#define eaistr(X) (X == EAI_SYSTEM ? strerror(errno) : gai_strerror(X))
+-
+-int main (int argc, char *argv[])
+-{
+- struct addrinfo *ap, *ap2;
+- int err, numerichost = 0, numericserv = 0;
+- char *hname, *port = 0, *sep;
+- struct addrinfo hints;
+-
+- whoami = strrchr(argv[0], '/');
+- if (whoami == 0)
+- whoami = argv[0];
+- else
+- whoami = whoami+1;
+-
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_flags = 0;
+- hints.ai_socktype = 0;
+-
+- hname = 0;
+- hints.ai_family = 0;
+-
+- if (argc == 1)
+- usage ();
+-
+- while (++argv, --argc > 0) {
+- char *arg;
+- arg = *argv;
+-
+- if (*arg != '-')
+- hname = arg;
+- else if (arg[1] == 0 || arg[2] != 0)
+- usage ();
+- else
+- switch (arg[1]) {
+- case 'u':
+- hints.ai_protocol = IPPROTO_UDP;
+- break;
+- case 't':
+- hints.ai_protocol = IPPROTO_TCP;
+- break;
+- case 'R':
+- hints.ai_protocol = IPPROTO_RAW;
+- break;
+- case 'I':
+- hints.ai_protocol = IPPROTO_ICMP;
+- break;
+- case 'd':
+- hints.ai_socktype = SOCK_DGRAM;
+- break;
+- case 's':
+- hints.ai_socktype = SOCK_STREAM;
+- break;
+- case 'r':
+- hints.ai_socktype = SOCK_RAW;
+- break;
+- case 'p':
+- if (argv[1] == 0 || argv[1][0] == 0 || argv[1][0] == '-')
+- usage ();
+- port = argv[1];
+- argc--, argv++;
+- break;
+- case '4':
+- hints.ai_family = AF_INET;
+- break;
+-#ifdef AF_INET6
+- case '6':
+- hints.ai_family = AF_INET6;
+- break;
+-#endif
+- case 'N':
+- numerichost = 1;
+- break;
+- case 'n':
+- numericserv = 1;
+- break;
+- case 'P':
+- hints.ai_flags |= AI_PASSIVE;
+- break;
+- default:
+- usage ();
+- }
+- }
+-
+- if (hname && !numerichost)
+- hints.ai_flags |= AI_CANONNAME;
+- if (numerichost) {
+-#ifdef AI_NUMERICHOST
+- hints.ai_flags |= AI_NUMERICHOST;
+-#else
+- fprintf(stderr, "AI_NUMERICHOST not defined on this platform\n");
+- exit(1);
+-#endif
+- }
+- if (numericserv) {
+-#ifdef AI_NUMERICSERV
+- hints.ai_flags |= AI_NUMERICSERV;
+-#else
+- fprintf(stderr, "AI_NUMERICSERV not defined on this platform\n");
+- exit(1);
+-#endif
+- }
+-
+- printf("getaddrinfo(hostname %s, service %s,\n"
+- " hints { ",
+- hname ? hname : "(null)", port ? port : "(null)");
+- sep = "";
+-#define Z(FLAG) if (hints.ai_flags & AI_##FLAG) printf("%s%s", sep, #FLAG), sep = "|"
+- Z(CANONNAME);
+- Z(PASSIVE);
+-#ifdef AI_NUMERICHOST
+- Z(NUMERICHOST);
+-#endif
+-#ifdef AI_NUMERICSERV
+- Z(NUMERICSERV);
+-#endif
+- if (sep[0] == 0)
+- printf ("no-flags");
+- if (hints.ai_family)
+- printf(" %s", familyname(hints.ai_family));
+- if (hints.ai_socktype)
+- printf(" SOCK_%s", socktypename(hints.ai_socktype));
+- if (hints.ai_protocol)
+- printf(" IPPROTO_%s", protoname(hints.ai_protocol));
+- printf(" }):\n");
+-
+- err = getaddrinfo(hname, port, &hints, &ap);
+- if (err) {
+- printf("\terror => %s\n", eaistr(err));
+- return 1;
+- }
+-
+- for (ap2 = ap; ap2; ap2 = ap2->ai_next) {
+- char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
+- /* If we don't do this, even AIX's own getnameinfo will reject
+- the sockaddr structures. The sa_len field doesn't get set
+- either, on AIX, but getnameinfo won't complain. */
+- if (ap2->ai_addr->sa_family == 0) {
+- printf("BAD: sa_family zero! fixing...\n");
+- ap2->ai_addr->sa_family = ap2->ai_family;
+- } else if (ap2->ai_addr->sa_family != ap2->ai_family) {
+- printf("BAD: sa_family != ai_family! fixing...\n");
+- ap2->ai_addr->sa_family = ap2->ai_family;
+- }
+- if (getnameinfo(ap2->ai_addr, ap2->ai_addrlen, hbuf, sizeof(hbuf),
+- pbuf, sizeof(pbuf), NI_NUMERICHOST | NI_NUMERICSERV)) {
+- strlcpy(hbuf, "...", sizeof(hbuf));
+- strlcpy(pbuf, "...", sizeof(pbuf));
+- }
+- printf("%p:\n"
+- "\tfamily = %s\tproto = %-4s\tsocktype = %s\n",
+- (void *) ap2, familyname(ap2->ai_family),
+- protoname (ap2->ai_protocol),
+- socktypename (ap2->ai_socktype));
+- if (ap2->ai_canonname) {
+- if (ap2->ai_canonname[0])
+- printf("\tcanonname = %s\n", ap2->ai_canonname);
+- else
+- printf("BAD: ai_canonname is set but empty!\n");
+- } else if (ap2 == ap && (hints.ai_flags & AI_CANONNAME)) {
+- printf("BAD: first ai_canonname is null!\n");
+- }
+- printf("\taddr = %-28s\tport = %s\n", hbuf, pbuf);
+-
+- err = getnameinfo(ap2->ai_addr, ap2->ai_addrlen, hbuf, sizeof (hbuf),
+- pbuf, sizeof(pbuf), NI_NAMEREQD);
+- if (err)
+- printf("\tgetnameinfo(NI_NAMEREQD): %s\n", eaistr(err));
+- else
+- printf("\tgetnameinfo => %s, %s\n", hbuf, pbuf);
+- }
+- freeaddrinfo(ap);
+- return 0;
+-}
+diff --git a/src/tests/resolve/deps b/src/tests/resolve/deps
+deleted file mode 100644
+index 762d9adab..000000000
+--- a/src/tests/resolve/deps
++++ /dev/null
+@@ -1,14 +0,0 @@
+-#
+-# Generated makefile dependencies follow.
+-#
+-$(OUTPRE)resolve.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
+- resolve.c
+-$(OUTPRE)addrinfo-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
+- addrinfo-test.c
+-$(OUTPRE)fake-addrinfo-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+- $(top_srcdir)/include/fake-addrinfo.h $(top_srcdir)/include/k5-platform.h \
+- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/port-sockets.h \
+- $(top_srcdir)/include/socket-utils.h addrinfo-test.c \
+- fake-addrinfo-test.c
+diff --git a/src/tests/resolve/fake-addrinfo-test.c b/src/tests/resolve/fake-addrinfo-test.c
+deleted file mode 100644
+index 86365a5ba..000000000
+--- a/src/tests/resolve/fake-addrinfo-test.c
++++ /dev/null
+@@ -1,3 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-#define USE_FAKE_ADDRINFO
+-#include "addrinfo-test.c"
+diff --git a/src/tests/resolve/resolve.c b/src/tests/resolve/resolve.c
+deleted file mode 100644
+index ea0239113..000000000
+--- a/src/tests/resolve/resolve.c
++++ /dev/null
+@@ -1,115 +0,0 @@
+-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+-/* tests/resolve/resolve.c */
+-/*
+- * Copyright 1995 by the Massachusetts Institute of Technology.
+- * All Rights Reserved.
+- *
+- * Export of this software from the United States of America may
+- * require a specific license from the United States Government.
+- * It is the responsibility of any person or organization contemplating
+- * export to obtain such a license before exporting.
+- *
+- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+- * distribute this software and its documentation for any purpose and
+- * without fee is hereby granted, provided that the above copyright
+- * notice appear in all copies and that both that copyright notice and
+- * this permission notice appear in supporting documentation, and that
+- * the name of M.I.T. not be used in advertising or publicity pertaining
+- * to distribution of the software without specific, written prior
+- * permission. Furthermore if you modify this software you must label
+- * your software as modified software and not distribute it in such a
+- * fashion that it might be confused with the original M.I.T. software.
+- * M.I.T. makes no representations about the suitability of
+- * this software for any purpose. It is provided "as is" without express
+- * or implied warranty.
+- */
+-
+-/*
+- * A simple program to test the functionality of the resolver library.
+- * It simply will try to get the IP address of the host, and then look
+- * up the name from the address. If the resulting name does not contain the
+- * domain name, then the resolve library is broken.
+- *
+- * Warning: It is possible to fool this program into thinking everything is
+- *  alright by a clever use of /etc/hosts - but this is better than nothing.
+- *
+- * Usage:
+- * resolve [hostname]
+- *
+- * When invoked with no arguments, gethostname is used for the local host.
+- *
+- */
+-
+-/* This program tests the resolve library and sees if it is broken... */
+-
+-#include "k5-platform.h"
+-#include
+-#include
+-#include
+-#include
+-#ifdef HAVE_SYS_PARAM_H
+-#include
+-#endif
+-
+-int
+-main(int argc, char **argv)
+-{
+- struct addrinfo *ai = NULL, hint;
+- char myname[MAXHOSTNAMELEN + 1], namebuf[NI_MAXHOST], abuf[256];
+- const char *addrstr;
+- int err, quiet = 0;
+-
+- argc--; argv++;
+- while (argc) {
+- if ((strcmp(*argv, "--quiet") == 0) ||
+- (strcmp(*argv, "-q") == 0)) {
+- quiet++;
+- } else
+- break;
+- argc--; argv++;
+- }
+-
+- if (argc >= 1) {
+- strlcpy(myname, *argv, sizeof(myname));
+- } else {
+- if(gethostname(myname, MAXHOSTNAMELEN)) {
+- perror("gethostname failure");
+- exit(1);
+- }
+- }
+-
+- myname[MAXHOSTNAMELEN] = '\0'; /* for safety */
+-
+- /* Look up the address... */
+- if (!quiet)
+- printf("Hostname: %s\n", myname);
+-
+- memset(&hint, 0, sizeof(hint));
+- hint.ai_flags = AI_CANONNAME;
+- err = getaddrinfo(myname, 0, &hint, &ai);
+- if (err) {
+- fprintf(stderr,
+- "Could not look up address for hostname '%s' - fatal\n",
+- myname);
+- exit(2);
+- }
+-
+- if (!quiet) {
+- addrstr = inet_ntop(ai->ai_family, ai->ai_addr, abuf, sizeof(abuf));
+- if (addrstr != NULL)
+- printf("Host address: %s\n", addrstr);
+- }
+-
+- err = getnameinfo(ai->ai_addr, ai->ai_addrlen, namebuf, sizeof(namebuf),
+- NULL, 0, NI_NAMEREQD);
+- if (err && !quiet)
+- fprintf(stderr, "Error looking up IP address\n");
+-
+- printf("%s%s\n", quiet ? "" : "FQDN: ", err ? ai->ai_canonname : namebuf);
+-
+- if (!quiet)
+- printf("Resolve library appears to have passed the test\n");
+-
+- freeaddrinfo(ai);
+- return 0;
+-}
diff --git a/krb5.spec b/krb5.spec
index ccd17ed..264ff0f 100644
--- a/krb5.spec
+++ b/krb5.spec
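Review bot: The downstream attribution line `[rharwood@redhat.com: .gitignore]` says the backport touched .gitignore, but the diffstat that follows lists seven files and no .gitignore hunk appears anywhere in the patch, so either the note is stale or that hunk was intentionally dropped when adapting the upstream commit for the tarball build; the commit description should say which, e.g. `[rharwood@redhat.com: drop upstream .gitignore hunk; not present in the release tarball]` if that is what happened. The rest of the patch is the pure removal of tests/resolve together with the matching configure.ac and tests/Makefile.in SUBDIRS edits, which is consistent with the previous patch in this commit replacing `resolve -q` with the `hostname` command in the test harness.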
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 3%{?dist}
+Release: 4%{?dist}
# rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -60,6 +60,8 @@ Patch17: Pass-gss_localname-through-SPNEGO.patch Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch Patch20: Pass-channel-bindings-through-SPNEGO.patch
+Patch21: Default-dns_canonicalize_hostname-to-fallback.patch
+Patch22: Remove-resolver-test-utility.patch
License: MIT URL: https://web.mit.edu/kerberos/www/
@@ -632,6 +634,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog
+* Sat May 30 2020 Robbie Harwood - 1.18.2-4
+- Default dns_canonicalize_hostname to "fallback"
+ * Tue May 26 2020 Robbie Harwood - 1.18.2-3 - dns_canonicalize_hostname = fallback