rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Default dns_canonicalize_hostname to "fallback"

Browse Source
This commit is contained in:
Robbie Harwood 2020-05-30 12:01:58 -04:00
parent 331a9df349
commit 883355750a
3 changed files with 924 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

371
Default-dns_canonicalize_hostname-to-fallback.patch Normal file
View File

@ -0,0 +1,371 @@
From 1e72ba5c1b74d5b78f84c5884d06e979830aeb53 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 27 May 2020 18:48:35 -0400
Subject: [PATCH] Default dns_canonicalize_hostname to "fallback"
This change should mitigate some of the pain caused by the rdns=true
default (generally associated with unwanted PTR records that cannot
easily be changed), with a minimum of fallout.
Update the documentation and tests accordingly. In test environments,
disable qualify_shortname and use the uncanonicalized system hostname
(lowercased) to match the initial sn2princ result.
ticket: 8911 (new)
---
doc/admin/appl_servers.rst | 14 +++---
doc/admin/conf_files/krb5_conf.rst | 9 ++--
doc/admin/princ_dns.rst | 44 +++++++++++--------
src/kadmin/testing/proto/krb5.conf.proto | 8 ++--
src/kadmin/testing/scripts/env-setup.shin | 4 +-
src/kadmin/testing/scripts/init_db | 3 +-
src/kadmin/testing/scripts/start_servers | 3 +-
.../testing/scripts/start_servers_local | 2 +-
.../kadm5/unit-test/api.current/init-v2.exp | 6 +--
src/lib/krb5/krb/init_ctx.c | 2 +-
src/tests/dejagnu/config/default.exp | 5 +--
src/tests/t_sn2princ.py | 5 ++-
src/util/k5test.py | 25 +++--------
13 files changed, 58 insertions(+), 72 deletions(-)
diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst
index 5232db9af..afdf30297 100644
--- a/doc/admin/appl_servers.rst
+++ b/doc/admin/appl_servers.rst
@@ -115,14 +115,12 @@ Getting DNS information correct
-------------------------------
Several aspects of Kerberos rely on name service. When a hostname is
-used to name a service, the Kerberos library canonicalizes the
-hostname using forward and reverse name resolution. (The reverse name
-resolution step can be turned off using the **rdns** variable in
-:ref:`libdefaults`.) The result of this canonicalization must match
-the principal entry in the host's keytab, or authentication will fail.
-
-Each host's canonical name must be the fully-qualified host name
-(including the domain), and each host's IP address must
+used to name a service, clients may canonicalize the hostname using
+forward and possibly reverse name resolution. The result of this
+canonicalization must match the principal entry in the host's keytab,
+or authentication will fail. To work with all client canonicalization
+configurations, each host's canonical name must be the fully-qualified
+host name (including the domain), and each host's IP address must
reverse-resolve to the canonical name.
Configuration of hostnames varies by operating system. On the
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 1d2aa7f68..a7e7a29d1 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -188,11 +188,10 @@ The libdefaults section may contain any of the following relations:
hostnames for use in service principal names. Setting this flag
to false can improve security by reducing reliance on DNS, but
means that short hostnames will not be canonicalized to
- fully-qualified hostnames. The default value is true.
-
- If this option is set to ``fallback`` (new in release 1.18), DNS
- canonicalization will only be performed the server hostname is not
- found with the original name when requesting credentials.
+ fully-qualified hostnames. If this option is set to ``fallback`` (new
+ in release 1.18), DNS canonicalization will only be performed the
+ server hostname is not found with the original name when
+ requesting credentials. The default value is ``fallback``.
**dns_lookup_kdc**
Indicate whether DNS SRV records should be used to locate the KDCs
diff --git a/doc/admin/princ_dns.rst b/doc/admin/princ_dns.rst
index e1d823f27..32a269afc 100644
--- a/doc/admin/princ_dns.rst
+++ b/doc/admin/princ_dns.rst
@@ -31,27 +31,35 @@ based on rotating ``CNAME`` records in DNS.
Service principal canonicalization
----------------------------------
-MIT Kerberos clients currently always do forward resolution (looking
-up the IPv4 and possibly IPv6 addresses using ``getaddrinfo()``) of
-the hostname part of a host-based service principal to canonicalize
-the hostname. They obtain the "canonical" name of the host when doing
-so. By default, MIT Kerberos clients will also then do reverse DNS
-resolution (looking up the hostname associated with the IPv4 or IPv6
-address using ``getnameinfo()``) of the hostname. Using the
-:ref:`krb5.conf(5)` setting::
+In the MIT krb5 client library, canonicalization of host-based service
+principals is controlled by the **dns_canonicalize_hostname**,
+**rnds**, and **qualify_shortname** variables in :ref:`libdefaults`.
- [libdefaults]
- rdns = false
+If **dns_canonicalize_hostname** is set to ``true`` (the default value
+before release 1.19), the client performs forward resolution by
+looking up the IPv4 and/or IPv6 addresses of the hostname using
+``getaddrinfo()``. This process will typically add a domain suffix to
+the hostname if needed, and follow CNAME records in the DNS. If
+**rdns** is also set to ``true`` (the default), the client will then
+perform a reverse lookup of the first returned Internet address using
+``getnameinfo()``, finding the name associated with the PTR record.
-will disable reverse DNS lookup on clients. The default setting is
-"true".
+If **dns_canonicalize_hostname** is set to ``false``, the hostname is
+not canonicalized using DNS. If the hostname has only one component
+(i.e. it contains no "." characters), the host's primary DNS search
+domain will be appended, if there is one. The **qualify_shortname**
+variable can be used to override or disable this suffix.
+
+If **dns_canonicalize_hostname** is set to ``fallback`` (the default
+value in release 1.19 and later), the hostname is initially treated
+according to the rules for ``dns_canonicalize_hostname=false``. If a
+ticket request fails because the service principal is unknown, it the
+hostname will be canonicalized according to the rules for
+``dns_canonicalize_hostname=true`` and the request will be retried.
+
+In all cases, the hostname is converted to lowercase, and any trailing
+dot is removed.
-Operating system bugs may prevent a setting of ``rdns = false`` from
-disabling reverse DNS lookup. Some versions of GNU libc have a bug in
-``getaddrinfo()`` that cause them to look up ``PTR`` records even when
-not required. MIT Kerberos releases krb5-1.10.2 and newer have a
-workaround for this problem, as does the krb5-1.9.x series as of
-release krb5-1.9.4.
Reverse DNS mismatches
diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
index e710852d4..c0af716a5 100644
--- a/src/kadmin/testing/proto/krb5.conf.proto
+++ b/src/kadmin/testing/proto/krb5.conf.proto
@@ -2,19 +2,19 @@
default_realm = __REALM__
default_keytab_name = FILE:__K5ROOT__/keytab
dns_fallback = no
+ qualify_shortname = ""
plugin_base_dir = __PLUGIN_DIR__
allow_weak_crypto = true
[realms]
__REALM__ = {
- kdc = __KDCHOST__:1750
- admin_server = __KDCHOST__:1751
+ kdc = __HOSTNAME__:1750
+ admin_server = __HOSTNAME__:1751
database_module = foobar_db2_module_blah
}
[domain_realm]
- __LOCALHOST__ = __REALM__
- __KDCHOST__ = __REALM__
+ __HOSTNAME__ = __REALM__
[logging]
admin_server = FILE:__K5ROOT__/syslog
diff --git a/src/kadmin/testing/scripts/env-setup.shin b/src/kadmin/testing/scripts/env-setup.shin
index 969c5340c..88f8ad1aa 100755
--- a/src/kadmin/testing/scripts/env-setup.shin
+++ b/src/kadmin/testing/scripts/env-setup.shin
@@ -71,8 +71,8 @@ BSDDB_DUMP=$TESTDIR/util/bsddb_dump; export BSDDB_DUMP
CLNTTCL=$TESTDIR/util/kadm5_clnt_tcl; export CLNTTCL
SRVTCL=$TESTDIR/util/kadm5_srv_tcl; export SRVTCL
-QUALNAME=`$BUILDTOP/tests/resolve/resolve -q | tr '[A-Z]' '[a-z]'`
-export QUALNAME
+HOSTNAME=`hostname | tr '[A-Z]' '[a-z]'`
+export HOSTNAME
KRB5_CONFIG=$K5ROOT/krb5.conf; export KRB5_CONFIG
KRB5_KDC_PROFILE=$K5ROOT/kdc.conf; export KRB5_KDC_PROFILE
diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
index e65826c96..216f62793 100755
--- a/src/kadmin/testing/scripts/init_db
+++ b/src/kadmin/testing/scripts/init_db
@@ -79,8 +79,7 @@ fi
# done
sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
- -e "s/__KDCHOST__/$QUALNAME/g" \
- -e "s/__LOCALHOST__/$QUALNAME/g" \
+ -e "s/__HOSTNAME__/$HOSTNAME/g" \
-e "s#__MODDIR__#$MODDIR#g" \
< $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf
sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
diff --git a/src/kadmin/testing/scripts/start_servers b/src/kadmin/testing/scripts/start_servers
index f23df0682..05519e4ee 100755
--- a/src/kadmin/testing/scripts/start_servers
+++ b/src/kadmin/testing/scripts/start_servers
@@ -36,8 +36,7 @@ if [ $local = 0 ]; then
# Fix up the local krb5.conf to point to the remote
sed -e "s/__REALM__/$REALM/g" -e "s#__K5ROOT__#$K5ROOT#g" \
- -e "s/__KDCHOST__/$hostname/g" \
- -e "s/__LOCALHOST__/$QUALNAME/g" \
+ -e "s/__HOSTNAME__/$HOSTNAME/g" \
-e "s#__MODDIR__#$TOP/../plugins/kdb#g"\
-e "s#__PLUGIN_DIR__#$TOP/../plugins#g"\
< $STESTDIR/proto/krb5.conf.proto > $K5ROOT/krb5.conf
diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local
index 998ef9164..858e88031 100755
--- a/src/kadmin/testing/scripts/start_servers_local
+++ b/src/kadmin/testing/scripts/start_servers_local
@@ -79,7 +79,7 @@ cat - > /tmp/start_servers_local$$ <<\EOF
if { [catch {
source $env(STOP)/testing/tcl/util.t
set r $env(REALM)
- set q $env(QUALNAME)
+ set q $env(HOSTNAME)
puts stdout [kadm5_init $env(SRVTCL) mrroot null \
[config_params {KADM5_CONFIG_REALM} $r] \
$KADM5_STRUCT_VERSION $KADM5_API_VERSION_3 server_handle]
diff --git a/src/lib/kadm5/unit-test/api.current/init-v2.exp b/src/lib/kadm5/unit-test/api.current/init-v2.exp
index 7a353d4e9..47764c212 100644
--- a/src/lib/kadm5/unit-test/api.current/init-v2.exp
+++ b/src/lib/kadm5/unit-test/api.current/init-v2.exp
@@ -3,18 +3,14 @@ load_lib lib.t
api_exit
api_start
-if ![info exists RESOLVE] {
- set RESOLVE [findfile $objdir/../../../tests/resolve/resolve]
-}
proc get_hostname { } {
- global RESOLVE
global hostname
if {[info exists hostname]} {
return 1
}
- catch "exec $RESOLVE -q >myname" exec_output
+ catch "exec hostname >myname" exec_output
if ![string match "" $exec_output] {
send_log "$exec_output\n"
verbose $exec_output
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 9a4741fa6..0b8ae6714 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -237,7 +237,7 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags,
ctx->enforce_ok_as_delegate = tmp;
retval = get_tristate(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, "fallback",
- CANONHOST_FALLBACK, 1, &tmp);
+ CANONHOST_FALLBACK, CANONHOST_FALLBACK, &tmp);
if (retval)
goto cleanup;
ctx->dns_canonicalize_hostname = tmp;
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 4d8c917cd..1e7777f1e 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -268,7 +268,6 @@ foreach i {
{KTUTIL $objdir/../../kadmin/ktutil/ktutil}
{KLIST $objdir/../../clients/klist/klist}
{KDESTROY $objdir/../../clients/kdestroy/kdestroy}
- {RESOLVE $objdir/../resolve/resolve}
{T_INETD $objdir/t_inetd}
{KPROPLOG $objdir/../../kprop/kproplog}
{KPASSWD $objdir/../../clients/kpasswd/kpasswd}
@@ -462,7 +461,6 @@ proc setup_runtime_env { } {
# 0 on failure.
proc get_hostname { } {
- global RESOLVE
global hostname
global tmppwd
@@ -472,7 +470,7 @@ proc get_hostname { } {
envstack_push
setup_runtime_env
- catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output
+ catch "exec hostname >$tmppwd/hostname" exec_output
envstack_pop
if ![string match "" $exec_output] {
verbose -log $exec_output
@@ -710,6 +708,7 @@ proc setup_krb5_conf { {type client} } {
puts $conffile "\[libdefaults\]"
puts $conffile " default_realm = $REALMNAME"
puts $conffile " dns_lookup_kdc = false"
+ puts $conffile " qualify_shortname = \"\""
if [info exists allow_weak_crypto($type)] {
puts $conffile " allow_weak_crypto = $allow_weak_crypto($type)"
} else {
diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py
index 26dcb91c2..f3e187286 100755
--- a/src/tests/t_sn2princ.py
+++ b/src/tests/t_sn2princ.py
@@ -2,7 +2,8 @@ from k5test import *
offline = (len(args) > 0 and args[0] != "no")
-conf = {'domain_realm': {'kerberos.org': 'R1',
+conf = {'libdefaults': {'dns_canonicalize_hostname': 'true'},
+ 'domain_realm': {'kerberos.org': 'R1',
'example.com': 'R2',
'mit.edu': 'R3'}}
no_rdns_conf = {'libdefaults': {'rdns': 'false'}}
@@ -28,7 +29,7 @@ def testbase(host, nametype, princhost, princrealm, env=None):
fail('Expected %s, got %s' % (expected, out))
def test(host, princhost, princrealm):
- # Test with the host-based name type in the default environment.
+ # Test with the host-based name type with canonicalization enabled.
testbase(host, 'srv-hst', princhost, princrealm)
def testnc(host, princhost, princrealm):
diff --git a/src/util/k5test.py b/src/util/k5test.py
index eea92275d..5196cfa43 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -193,7 +193,10 @@ Scripts may use the following functions and variables:
* plugins: The plugin directory in the build tree (absolute path).
-* hostname: This machine's fully-qualified domain name.
+* hostname: The local hostname as it will initially appear in
+ krb5_sname_to_principal() results. (Shortname qualification is
+ turned off in the test environment to make this value easy to
+ discover from Python.)
* null_input: A file opened to read /dev/null.
@@ -525,23 +528,6 @@ def _find_srctop():
return os.path.abspath(root)
-# Return the local hostname as it will be canonicalized by
-# krb5_sname_to_principal. We can't simply use socket.getfqdn()
-# because it explicitly prefers results containing periods and
-# krb5_sname_to_principal doesn't care.
-def _get_hostname():
- hostname = socket.gethostname()
- try:
- ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME)
- except socket.gaierror as e:
- fail('Local hostname "%s" does not resolve: %s.' % (hostname, e[1]))
- (family, socktype, proto, canonname, sockaddr) = ai[0]
- try:
- name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD)
- except socket.gaierror:
- return canonname.lower()
- return name[0].lower()
-
# Parse command line arguments, setting global option variables. Also
# sets the global variable args to the positional arguments, which may
# be used by the test script.
@@ -1263,6 +1249,7 @@ _default_krb5_conf = {
'libdefaults': {
'default_realm': '$realm',
'dns_lookup_kdc': 'false',
+ 'qualify_shortname': '',
'plugin_base_dir': '$plugins'},
'realms': {'$realm': {
'kdc': '$hostname:$port0',
@@ -1356,7 +1343,7 @@ buildtop = _find_buildtop()
srctop = _find_srctop()
plugins = os.path.join(buildtop, 'plugins')
runenv = _import_runenv()
-hostname = _get_hostname()
+hostname = socket.gethostname().lower()
null_input = open(os.devnull, 'r')
# A DB pass is a tuple of: name, kdc_conf.

547
Remove-resolver-test-utility.patch Normal file
View File

@ -0,0 +1,547 @@
From 621cf6c98d74b025a0ca190cd279756596709ef9 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 28 May 2020 18:41:02 -0400
Subject: [PATCH] Remove resolver test utility
tests/resolve is no longer used after the previous commit.
[rharwood@redhat.com: .gitignore]
---
src/configure.ac | 5 +-
src/tests/Makefile.in | 4 +-
src/tests/resolve/Makefile.in | 28 ---
src/tests/resolve/addrinfo-test.c | 306 -------------------------
src/tests/resolve/deps | 14 --
src/tests/resolve/fake-addrinfo-test.c | 3 -
src/tests/resolve/resolve.c | 115 ----------
7 files changed, 4 insertions(+), 471 deletions(-)
delete mode 100644 src/tests/resolve/Makefile.in
delete mode 100644 src/tests/resolve/addrinfo-test.c
delete mode 100644 src/tests/resolve/deps
delete mode 100644 src/tests/resolve/fake-addrinfo-test.c
delete mode 100644 src/tests/resolve/resolve.c
diff --git a/src/configure.ac b/src/configure.ac
index 29be532cb..2a756d6b5 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1542,7 +1542,6 @@ V5_AC_OUTPUT_MAKEFILE(.
appl/simple appl/simple/client appl/simple/server
appl/gss-sample appl/user_user
- tests tests/resolve tests/asn.1 tests/create tests/hammer
- tests/verify tests/gssapi tests/dejagnu tests/threads tests/shlib
- tests/gss-threads tests/misc
+ tests tests/asn.1 tests/create tests/hammer tests/verify tests/gssapi
+ tests/dejagnu tests/threads tests/shlib tests/gss-threads tests/misc
)
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 3f88f1713..6b7749129 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -1,7 +1,7 @@
mydir=tests
BUILDTOP=$(REL)..
-SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
- gss-threads misc threads softpkcs11
+SUBDIRS = asn.1 create hammer verify gssapi dejagnu shlib gss-threads misc \
+ threads softpkcs11
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
GSS_MECH_CONFIG=mech.conf LC_ALL=C $(VALGRIND)
diff --git a/src/tests/resolve/Makefile.in b/src/tests/resolve/Makefile.in
deleted file mode 100644
index 1f5954089..000000000
--- a/src/tests/resolve/Makefile.in
+++ /dev/null
@@ -1,28 +0,0 @@
-mydir=tests$(S)resolve
-BUILDTOP=$(REL)..$(S)..
-
-OBJS=resolve.o addrinfo-test.o fake-addrinfo-test.o
-SRCS=$(srcdir)/resolve.c $(srcdir)/addrinfo-test.c \
- $(srcdir)/fake-addrinfo-test.c
-
-all: resolve addrinfo-test fake-addrinfo-test
-
-resolve: resolve.o
- $(CC_LINK) -o $@ resolve.o $(SUPPORT_LIB) $(LIBS)
-
-addrinfo-test: addrinfo-test.o
- $(CC_LINK) -o $@ addrinfo-test.o $(SUPPORT_LIB) $(LIBS)
-
-fake-addrinfo-test: fake-addrinfo-test.o
- $(CC_LINK) -o $@ fake-addrinfo-test.o $(SUPPORT_LIB) $(LIBS)
-
-check: resolve addrinfo-test fake-addrinfo-test
- $(RUN_TEST) ./resolve
- $(RUN_TEST) ./addrinfo-test -p telnet
- $(RUN_TEST) ./fake-addrinfo-test -p telnet
-
-install:
-
-clean:
- $(RM) resolve addrinfo-test fake-addrinfo-test
-
diff --git a/src/tests/resolve/addrinfo-test.c b/src/tests/resolve/addrinfo-test.c
deleted file mode 100644
index e77640b62..000000000
--- a/src/tests/resolve/addrinfo-test.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/resolve/addrinfo-test.c */
-/*
- * Copyright 2004 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * A simple program to test the functionality of the getaddrinfo function.
- *
- * Usage:
- * addrinfo-test [-t|-u|-R|-I] [-d|-s|-r] [-p port] [-P] [hostname]
- *
- * When invoked with no arguments, NULL is used for the node name,
- * which (at least with a non-null "port") means a socket address
- * is desired that can be used with connect() or bind() (depending
- * on whether "-P" is given).
- */
-
-#include <k5-platform.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <netinet/in.h> /* needed for IPPROTO_* on NetBSD */
-#ifdef USE_FAKE_ADDRINFO
-#include "fake-addrinfo.h"
-#endif
-
-static const char *protoname (int p) {
- static char buf[30];
-
-#define X(N) if (p == IPPROTO_ ## N) return #N
-
- X(TCP);
- X(UDP);
- X(ICMP);
-#ifdef IPPROTO_IPV6
- X(IPV6);
-#endif
-#ifdef IPPROTO_GRE
- X(GRE);
-#endif
-#ifdef IPPROTO_NONE
- X(NONE);
-#endif
- X(RAW);
-#ifdef IPPROTO_COMP
- X(COMP);
-#endif
-
- snprintf(buf, sizeof(buf), " %-2d", p);
- return buf;
-}
-
-static const char *socktypename (int t) {
- static char buf[30];
- switch (t) {
- case SOCK_DGRAM: return "DGRAM";
- case SOCK_STREAM: return "STREAM";
- case SOCK_RAW: return "RAW";
- case SOCK_RDM: return "RDM";
- case SOCK_SEQPACKET: return "SEQPACKET";
- }
- snprintf(buf, sizeof(buf), " %-2d", t);
- return buf;
-}
-
-static char *whoami;
-
-static void usage () {
- fprintf(stderr,
- "usage:\n"
- "\t%s [ options ] [host]\n"
- "options:\n"
- "\t-t\tspecify protocol IPPROTO_TCP\n"
- "\t-u\tspecify protocol IPPROTO_UDP\n"
- "\t-R\tspecify protocol IPPROTO_RAW\n"
- "\t-I\tspecify protocol IPPROTO_ICMP\n"
- "\n"
- "\t-d\tspecify socket type SOCK_DGRAM\n"
- "\t-s\tspecify socket type SOCK_STREAM\n"
- "\t-r\tspecify socket type SOCK_RAW\n"
- "\n"
- "\t-4\tspecify address family AF_INET\n"
-#ifdef AF_INET6
- "\t-6\tspecify address family AF_INET6\n"
-#endif
- "\n"
- "\t-p P\tspecify port P (service name or port number)\n"
- "\t-N\thostname is numeric, skip DNS query\n"
- "\t-n\tservice/port is numeric (sets AI_NUMERICSERV)\n"
- "\t-P\tset AI_PASSIVE\n"
- "\n"
- "default: protocol 0, socket type 0, address family 0, null port\n"
- ,
- whoami);
- /* [ -t | -u | -R | -I ] [ -d | -s | -r ] [ -p port ] */
- exit (1);
-}
-
-static const char *familyname (int f) {
- static char buf[30];
- switch (f) {
- default:
- snprintf(buf, sizeof(buf), "AF %d", f);
- return buf;
- case AF_INET: return "AF_INET";
-#ifdef AF_INET6
- case AF_INET6: return "AF_INET6";
-#endif
- }
-}
-
-#define eaistr(X) (X == EAI_SYSTEM ? strerror(errno) : gai_strerror(X))
-
-int main (int argc, char *argv[])
-{
- struct addrinfo *ap, *ap2;
- int err, numerichost = 0, numericserv = 0;
- char *hname, *port = 0, *sep;
- struct addrinfo hints;
-
- whoami = strrchr(argv[0], '/');
- if (whoami == 0)
- whoami = argv[0];
- else
- whoami = whoami+1;
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_flags = 0;
- hints.ai_socktype = 0;
-
- hname = 0;
- hints.ai_family = 0;
-
- if (argc == 1)
- usage ();
-
- while (++argv, --argc > 0) {
- char *arg;
- arg = *argv;
-
- if (*arg != '-')
- hname = arg;
- else if (arg[1] == 0 || arg[2] != 0)
- usage ();
- else
- switch (arg[1]) {
- case 'u':
- hints.ai_protocol = IPPROTO_UDP;
- break;
- case 't':
- hints.ai_protocol = IPPROTO_TCP;
- break;
- case 'R':
- hints.ai_protocol = IPPROTO_RAW;
- break;
- case 'I':
- hints.ai_protocol = IPPROTO_ICMP;
- break;
- case 'd':
- hints.ai_socktype = SOCK_DGRAM;
- break;
- case 's':
- hints.ai_socktype = SOCK_STREAM;
- break;
- case 'r':
- hints.ai_socktype = SOCK_RAW;
- break;
- case 'p':
- if (argv[1] == 0 || argv[1][0] == 0 || argv[1][0] == '-')
- usage ();
- port = argv[1];
- argc--, argv++;
- break;
- case '4':
- hints.ai_family = AF_INET;
- break;
-#ifdef AF_INET6
- case '6':
- hints.ai_family = AF_INET6;
- break;
-#endif
- case 'N':
- numerichost = 1;
- break;
- case 'n':
- numericserv = 1;
- break;
- case 'P':
- hints.ai_flags |= AI_PASSIVE;
- break;
- default:
- usage ();
- }
- }
-
- if (hname && !numerichost)
- hints.ai_flags |= AI_CANONNAME;
- if (numerichost) {
-#ifdef AI_NUMERICHOST
- hints.ai_flags |= AI_NUMERICHOST;
-#else
- fprintf(stderr, "AI_NUMERICHOST not defined on this platform\n");
- exit(1);
-#endif
- }
- if (numericserv) {
-#ifdef AI_NUMERICSERV
- hints.ai_flags |= AI_NUMERICSERV;
-#else
- fprintf(stderr, "AI_NUMERICSERV not defined on this platform\n");
- exit(1);
-#endif
- }
-
- printf("getaddrinfo(hostname %s, service %s,\n"
- " hints { ",
- hname ? hname : "(null)", port ? port : "(null)");
- sep = "";
-#define Z(FLAG) if (hints.ai_flags & AI_##FLAG) printf("%s%s", sep, #FLAG), sep = "|"
- Z(CANONNAME);
- Z(PASSIVE);
-#ifdef AI_NUMERICHOST
- Z(NUMERICHOST);
-#endif
-#ifdef AI_NUMERICSERV
- Z(NUMERICSERV);
-#endif
- if (sep[0] == 0)
- printf ("no-flags");
- if (hints.ai_family)
- printf(" %s", familyname(hints.ai_family));
- if (hints.ai_socktype)
- printf(" SOCK_%s", socktypename(hints.ai_socktype));
- if (hints.ai_protocol)
- printf(" IPPROTO_%s", protoname(hints.ai_protocol));
- printf(" }):\n");
-
- err = getaddrinfo(hname, port, &hints, &ap);
- if (err) {
- printf("\terror => %s\n", eaistr(err));
- return 1;
- }
-
- for (ap2 = ap; ap2; ap2 = ap2->ai_next) {
- char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV];
- /* If we don't do this, even AIX's own getnameinfo will reject
- the sockaddr structures. The sa_len field doesn't get set
- either, on AIX, but getnameinfo won't complain. */
- if (ap2->ai_addr->sa_family == 0) {
- printf("BAD: sa_family zero! fixing...\n");
- ap2->ai_addr->sa_family = ap2->ai_family;
- } else if (ap2->ai_addr->sa_family != ap2->ai_family) {
- printf("BAD: sa_family != ai_family! fixing...\n");
- ap2->ai_addr->sa_family = ap2->ai_family;
- }
- if (getnameinfo(ap2->ai_addr, ap2->ai_addrlen, hbuf, sizeof(hbuf),
- pbuf, sizeof(pbuf), NI_NUMERICHOST | NI_NUMERICSERV)) {
- strlcpy(hbuf, "...", sizeof(hbuf));
- strlcpy(pbuf, "...", sizeof(pbuf));
- }
- printf("%p:\n"
- "\tfamily = %s\tproto = %-4s\tsocktype = %s\n",
- (void *) ap2, familyname(ap2->ai_family),
- protoname (ap2->ai_protocol),
- socktypename (ap2->ai_socktype));
- if (ap2->ai_canonname) {
- if (ap2->ai_canonname[0])
- printf("\tcanonname = %s\n", ap2->ai_canonname);
- else
- printf("BAD: ai_canonname is set but empty!\n");
- } else if (ap2 == ap && (hints.ai_flags & AI_CANONNAME)) {
- printf("BAD: first ai_canonname is null!\n");
- }
- printf("\taddr = %-28s\tport = %s\n", hbuf, pbuf);
-
- err = getnameinfo(ap2->ai_addr, ap2->ai_addrlen, hbuf, sizeof (hbuf),
- pbuf, sizeof(pbuf), NI_NAMEREQD);
- if (err)
- printf("\tgetnameinfo(NI_NAMEREQD): %s\n", eaistr(err));
- else
- printf("\tgetnameinfo => %s, %s\n", hbuf, pbuf);
- }
- freeaddrinfo(ap);
- return 0;
-}
diff --git a/src/tests/resolve/deps b/src/tests/resolve/deps
deleted file mode 100644
index 762d9adab..000000000
--- a/src/tests/resolve/deps
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Generated makefile dependencies follow.
-#
-$(OUTPRE)resolve.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- resolve.c
-$(OUTPRE)addrinfo-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \
- addrinfo-test.c
-$(OUTPRE)fake-addrinfo-test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(top_srcdir)/include/fake-addrinfo.h $(top_srcdir)/include/k5-platform.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h addrinfo-test.c \
- fake-addrinfo-test.c
diff --git a/src/tests/resolve/fake-addrinfo-test.c b/src/tests/resolve/fake-addrinfo-test.c
deleted file mode 100644
index 86365a5ba..000000000
--- a/src/tests/resolve/fake-addrinfo-test.c
+++ /dev/null
@@ -1,3 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-#define USE_FAKE_ADDRINFO
-#include "addrinfo-test.c"
diff --git a/src/tests/resolve/resolve.c b/src/tests/resolve/resolve.c
deleted file mode 100644
index ea0239113..000000000
--- a/src/tests/resolve/resolve.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* tests/resolve/resolve.c */
-/*
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- */
-
-/*
- * A simple program to test the functionality of the resolver library.
- * It simply will try to get the IP address of the host, and then look
- * up the name from the address. If the resulting name does not contain the
- * domain name, then the resolve library is broken.
- *
- * Warning: It is possible to fool this program into thinking everything is
- * alright by a clever use of /etc/hosts - but this is better than nothing.
- *
- * Usage:
- * resolve [hostname]
- *
- * When invoked with no arguments, gethostname is used for the local host.
- *
- */
-
-/* This program tests the resolve library and sees if it is broken... */
-
-#include "k5-platform.h"
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#ifdef HAVE_SYS_PARAM_H
-#include <sys/param.h>
-#endif
-
-int
-main(int argc, char **argv)
-{
- struct addrinfo *ai = NULL, hint;
- char myname[MAXHOSTNAMELEN + 1], namebuf[NI_MAXHOST], abuf[256];
- const char *addrstr;
- int err, quiet = 0;
-
- argc--; argv++;
- while (argc) {
- if ((strcmp(*argv, "--quiet") == 0) ||
- (strcmp(*argv, "-q") == 0)) {
- quiet++;
- } else
- break;
- argc--; argv++;
- }
-
- if (argc >= 1) {
- strlcpy(myname, *argv, sizeof(myname));
- } else {
- if(gethostname(myname, MAXHOSTNAMELEN)) {
- perror("gethostname failure");
- exit(1);
- }
- }
-
- myname[MAXHOSTNAMELEN] = '\0'; /* for safety */
-
- /* Look up the address... */
- if (!quiet)
- printf("Hostname: %s\n", myname);
-
- memset(&hint, 0, sizeof(hint));
- hint.ai_flags = AI_CANONNAME;
- err = getaddrinfo(myname, 0, &hint, &ai);
- if (err) {
- fprintf(stderr,
- "Could not look up address for hostname '%s' - fatal\n",
- myname);
- exit(2);
- }
-
- if (!quiet) {
- addrstr = inet_ntop(ai->ai_family, ai->ai_addr, abuf, sizeof(abuf));
- if (addrstr != NULL)
- printf("Host address: %s\n", addrstr);
- }
-
- err = getnameinfo(ai->ai_addr, ai->ai_addrlen, namebuf, sizeof(namebuf),
- NULL, 0, NI_NAMEREQD);
- if (err && !quiet)
- fprintf(stderr, "Error looking up IP address\n");
-
- printf("%s%s\n", quiet ? "" : "FQDN: ", err ? ai->ai_canonname : namebuf);
-
- if (!quiet)
- printf("Resolve library appears to have passed the test\n");
-
- freeaddrinfo(ai);
- return 0;
-}

7
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.18.2
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 3%{?dist}
Release: 4%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@ -60,6 +60,8 @@ Patch17: Pass-gss_localname-through-SPNEGO.patch
Patch18: Omit-KDC-indicator-check-for-S4U2Self-requests.patch
Patch19: Fix-typo-in-in-in-the-ksu-man-page.patch
Patch20: Pass-channel-bindings-through-SPNEGO.patch
Patch21: Default-dns_canonicalize_hostname-to-fallback.patch
Patch22: Remove-resolver-test-utility.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -632,6 +634,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Sat May 30 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-4
- Default dns_canonicalize_hostname to "fallback"
* Tue May 26 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-3
- dns_canonicalize_hostname = fallback