Update to upstream 4.1.2

- see http://www.freeipa.org/page/Releases/4.1.2
- fixes CVE-2014-7850 (web UI XSS; the corresponding downstream patch is dropped here because it is part of the 4.1.2 upstream release)
Petr Vobornik 2014-11-25 13:44:50 +01:00
parent da888bc1a9
commit 81defaec91
9 changed files with 11 additions and 14371 deletions

.gitignore vendored

@ -35,3 +35,4 @@
/freeipa-4.0.3.tar.gz
/freeipa-4.1.0.tar.gz
/freeipa-4.1.1.tar.gz
/freeipa-4.1.2.tar.gz


@ -1,176 +0,0 @@
From ba124045b9f39f8264a974c977beba6f15b1b1fb Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Tue, 11 Nov 2014 13:00:18 +0100
Subject: [PATCH] Fix named working directory permissions
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
freeipa.spec.in | 3 +--
install/tools/ipa-upgradeconfig | 14 +++++++++++++
ipaplatform/base/paths.py | 1 +
ipaserver/install/dnskeysyncinstance.py | 36 +++++++++++++++++++++++++++------
4 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b2ff97a11dcbb675940086ab9af9aea9bf7988be..af367037eee27d45f0c825ad4518f269b2798045 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -426,7 +426,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
mkdir -p %{buildroot}%{_initrddir}
mkdir %{buildroot}%{_sysconfdir}/sysconfig/
-mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
@@ -666,7 +665,6 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
@@ -780,6 +778,7 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6556d8f313d3a9efeb32d4cba97cb82796459652..b0b574476ffc5ce6f075cf46177cc059483551ab 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -30,6 +30,7 @@ import shutil
import pwd
import fileinput
import ConfigParser
+import grp
from ipalib import api
import SSSDConfig
@@ -1161,6 +1162,18 @@ def mask_named_regular():
return False
+def fix_dyndb_ldap_workdir_permissions():
+ """Fix dyndb-ldap working dir permissions. DNSSEC daemons requires it"""
+ if sysupgrade.get_upgrade_state('dns', 'dyndb_ipa_workdir_perm'):
+ return
+
+ if bindinstance.named_conf_exists():
+ root_logger.info('[Fix bind-dyndb-ldap IPA working directory]')
+ dnskeysync = dnskeysyncinstance.DNSKeySyncInstance()
+ dnskeysync.set_dyndb_ldap_workdir_permissions()
+
+ sysupgrade.set_upgrade_state('dns', 'dyndb_ipa_workdir_perm', True)
+
def fix_schema_file_syntax():
"""Fix syntax errors in schema files
@@ -1433,6 +1446,7 @@ def main():
named_managed_keys_dir_option(),
named_root_key_include(),
mask_named_regular(),
+ fix_dyndb_ldap_workdir_permissions(),
)
if any(named_conf_changes):
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index e28147ab4aa1faa3859c38665a83f57fb67e96b2..c4cdc58d61caca7a0d80546bdd69915ac47a23bd 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -189,6 +189,7 @@ class BasePathNamespace(object):
BIN_WGET = "/usr/bin/wget"
ZIP = "/usr/bin/zip"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
+ BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1dd9a0983fb689f14656431496dfd4b2bb2e30a9..5da65d87b1471710b762f90b9a33c453c7d809b7 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -60,7 +60,6 @@ def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
return ret
-
class DNSKeySyncInstance(service.Service):
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
ldapi=False):
@@ -84,6 +83,23 @@ class DNSKeySyncInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
+ def set_dyndb_ldap_workdir_permissions(self):
+ """
+ Setting up correct permissions to allow write/read access for daemons
+ """
+ if self.named_uid is None:
+ self.named_uid = self.__get_named_uid()
+
+ if self.named_gid is None:
+ self.named_gid = self.__get_named_gid()
+
+ if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+ os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+ # dnssec daemons require to have access into the directory
+ os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+ os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
+ self.named_gid)
+
def remove_replica_public_keys(self, replica_fqdn):
ldap = api.Backend.ldap2
dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
@@ -119,6 +135,8 @@ class DNSKeySyncInstance(service.Service):
self.ldap_connect()
# checking status step must be first
self.step("checking status", self.__check_dnssec_status)
+ self.step("setting up bind-dyndb-ldap working directory",
+ self.set_dyndb_ldap_workdir_permissions)
self.step("setting up kerberos principal", self.__setup_principal)
self.step("setting up SoftHSM", self.__setup_softhsm)
self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
@@ -127,20 +145,26 @@ class DNSKeySyncInstance(service.Service):
# we need restart named after setting up this service
self.start_creation()
- def __check_dnssec_status(self):
+ def __get_named_uid(self):
named = services.knownservices.named
- ods_enforcerd = services.knownservices.ods_enforcerd
-
try:
- self.named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+ return pwd.getpwnam(named.get_user_name()).pw_uid
except KeyError:
raise RuntimeError("Named UID not found")
+ def __get_named_gid(self):
+ named = services.knownservices.named
try:
- self.named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+ return grp.getgrnam(named.get_group_name()).gr_gid
except KeyError:
raise RuntimeError("Named GID not found")
+ def __check_dnssec_status(self):
+ ods_enforcerd = services.knownservices.ods_enforcerd
+
+ self.named_uid = self.__get_named_uid()
+ self.named_gid = self.__get_named_gid()
+
try:
self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
except KeyError:
--
2.1.0


@ -1,32 +0,0 @@
From 3f3f49ea93f8ca0c2cdd569a78c952492e7b520a Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Tue, 18 Nov 2014 18:30:59 +0100
Subject: [PATCH] Show warning instead of error if CA did not start
This is just workaround, checking if CA is working raises false positive
exception during upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
install/tools/ipa-upgradeconfig | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index b0b574476ffc5ce6f075cf46177cc059483551ab..ffb51a97726d2212284f2bb2b939cefd674e24c4 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1471,6 +1471,10 @@ def main():
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
except ipautil.CalledProcessError, e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e)
+ # FIXME https://fedorahosted.org/freeipa/ticket/4676
+ # workaround
+ except RuntimeError as e:
+ root_logger.warning(str(e))
set_sssd_domain_option('ipa_server_mode', 'True')
--
2.1.0


@ -1,131 +0,0 @@
From af9fd4dfe2c18e52127480c959c35ad37b566095 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvoborni@redhat.com>
Date: Mon, 10 Nov 2014 16:24:15 +0100
Subject: [PATCH] webui: fix potential XSS vulnerabilities
Escape user defined text to prevent XSS attacks. Extra precaution was taken
to escape also parts which are unlikely to contain user-defined text.
fixes CVE-2014-7850
https://fedorahosted.org/freeipa/ticket/4742
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
install/ui/src/freeipa/Application_controller.js | 4 ++--
install/ui/src/freeipa/facet.js | 12 +++++++-----
install/ui/src/freeipa/ipa.js | 1 +
install/ui/src/freeipa/rule.js | 2 +-
install/ui/src/freeipa/widget.js | 4 ++--
5 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 094bd3da7c4806a316ebe2589b98a523410f4a5f..4bf76f8f56a8e34e330c35956b8922cc3c8f79e3 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -252,12 +252,12 @@ define([
var error_container = $('<div/>', {
'class': 'container facet-content facet-error'
}).appendTo($('.app-container .content').empty());
- error_container.append('<h1>'+name+'</h1>');
+ error_container.append($('<h1/>', { text: name }));
var details = $('<div/>', {
'class': 'error-details'
}).appendTo(error_container);
- details.append('<p> Web UI got in unrecoverable state during "'+error.phase+'" phase.</p>');
+ details.append($('<p/>', { text: 'Web UI got in unrecoverable state during "' + error.phase + '" phase' }));
if (error.name) window.console.error(error.name);
if (error.results) {
var msg = error.results.message;
diff --git a/install/ui/src/freeipa/facet.js b/install/ui/src/freeipa/facet.js
index 43627d9d531ed700ff780a0773451eaf17b1cbdd..b0121c75fd584988883a3b5f7d1665a985a321fd 100644
--- a/install/ui/src/freeipa/facet.js
+++ b/install/ui/src/freeipa/facet.js
@@ -895,12 +895,12 @@ exp.facet = IPA.facet = function(spec, no_init) {
title = title.replace('${error}', error_thrown.name);
that.error_container.empty();
- that.error_container.append('<h1>'+title+'</h1>');
+ that.error_container.append($('<h1/>', { text: title }));
var details = $('<div/>', {
'class': 'error-details'
}).appendTo(that.error_container);
- details.append('<p>'+error_thrown.message+'</p>');
+ details.append($('<p/>', { text: error_thrown.message }));
$('<div/>', {
text: text.get('@i18n:error_report.options')
@@ -932,7 +932,9 @@ exp.facet = IPA.facet = function(spec, no_init) {
}
);
- that.error_container.append('<p>'+text.get('@i18n:error_report.problem_persists')+'</p>');
+ that.error_container.append($('<p/>', {
+ text: text.get('@i18n:error_report.problem_persists')
+ }));
that.show_error();
};
@@ -1214,7 +1216,7 @@ exp.facet_header = IPA.facet_header = function(spec) {
click: item.handler
}).appendTo(bc_item);
} else {
- bc_item.append(item.text);
+ bc_item.text(item.text);
}
return bc_item;
};
@@ -1823,7 +1825,7 @@ exp.table_facet = IPA.table_facet = function(spec, no_init) {
function(xhr, text_status, error_thrown) {
that.load_records([]);
var summary = that.table.summary.empty();
- summary.append(error_thrown.name+': '+error_thrown.message);
+ summary.text(error_thrown.name+': '+error_thrown.message);
}
);
};
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 6d3aeaaaaca11dfdaf20935e5c9084c9ed106e6c..137f11e832ff8d0b6dd1b50060f8537c7b117616 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -1133,6 +1133,7 @@ IPA.notify = function(message, type, timeout) {
if (typeof message === 'string') {
message = text.get(message);
+ message = document.createTextNode(message);
}
var notification_area = $('#notification .notification-area');
diff --git a/install/ui/src/freeipa/rule.js b/install/ui/src/freeipa/rule.js
index 8a2b01963b74e1892ac15127ae0050b35fe6ac27..706827190261efda136f6d1489bdb13543c00f7a 100644
--- a/install/ui/src/freeipa/rule.js
+++ b/install/ui/src/freeipa/rule.js
@@ -91,7 +91,7 @@ IPA.rule_radio_widget = function(spec) {
var param_info = IPA.get_entity_param(that.entity.name, that.name);
var title = param_info ? param_info.doc : that.name;
- container.append(title + ': ');
+ container.append(document.createTextNode(title + ': '));
that.widget_create(container);
that.owb_create(container);
if (that.undo) {
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 9240df8ef5402310ec9ceafd0b766def10c8cb48..1ef1a2bf22b735edcfcca44cfc1e69bc8d36a740 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -4166,8 +4166,8 @@ IPA.link_widget = function(spec) {
that.values = util.normalize_value(values);
that.value = that.values.slice(-1)[0] || '';
- that.link.html(that.value);
- that.nonlink.html(that.value);
+ that.link.text(that.value);
+ that.nonlink.text(that.value);
that.update_link();
that.check_entity_link();
that.on_value_changed(values);
--
2.1.0


@ -1,98 +0,0 @@
From b170851058d6712442d553ef3d11ecd21b282443 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 17 Nov 2014 21:05:56 -0500
Subject: [PATCH 1/3] Fix filtering of enctypes in server code.
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.
Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
---
.../ipa-pwd-extop/ipa_pwd_extop.c | 60 ++++++++++++++++------
1 file changed, 43 insertions(+), 17 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index f0346a343188930dfc90e19d2e5d38cb30741b90..b87ae0dc7a180008228f31293b49212df80584e8 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -125,6 +125,48 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
}
}
+static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
+ krb5_key_salt_tuple *kenctypes,
+ int *num_kenctypes)
+{
+ /* first filter for duplicates */
+ for (int i = 0; i + 1 < *num_kenctypes; i++) {
+ for (int j = i + 1; j < *num_kenctypes; j++) {
+ if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
+ /* duplicate, filter out */
+ for (int k = j; k + 1 < *num_kenctypes; k++) {
+ kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
+ kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
+ }
+ (*num_kenctypes)--;
+ j--;
+ }
+ }
+ }
+
+ /* then filter for supported */
+ for (int i = 0; i < *num_kenctypes; i++) {
+ int j;
+
+ /* Check if supported */
+ for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
+ if (kenctypes[i].ks_enctype ==
+ krbcfg->supp_encsalts[j].ks_enctype) {
+ break;
+ }
+ }
+ if (j == krbcfg->num_supp_encsalts) {
+ /* Unsupported, filter out */
+ for (int k = i; k + 1 < *num_kenctypes; k++) {
+ kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
+ kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
+ }
+ (*num_kenctypes)--;
+ i--;
+ }
+ }
+}
+
static int ipapwd_to_ldap_pwpolicy_error(int ipapwderr)
{
switch (ipapwderr) {
@@ -1740,23 +1782,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
goto free_and_return;
}
- for (int i = 0; i < num_kenctypes; i++) {
-
- /* Check if supported */
- for (int j = 0; j < krbcfg->num_supp_encsalts; j++) {
- if (kenctypes[i].ks_enctype ==
- krbcfg->supp_encsalts[j].ks_enctype) {
- continue;
- }
- }
- /* Unsupported, filter out */
- for (int j = i; j + 1 < num_kenctypes; j++) {
- kenctypes[j].ks_enctype = kenctypes[j + 1].ks_enctype;
- kenctypes[j].ks_salttype = kenctypes[j + 1].ks_salttype;
- }
- num_kenctypes--;
- i--;
- }
+ filter_enctypes(krbcfg, kenctypes, &num_kenctypes);
/* check if we have any left */
if (num_kenctypes == 0 && kenctypes != NULL) {
--
2.1.0



@ -1,812 +0,0 @@
From b1a30bff04fe9763b8b270590ec37084fd19b4e0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 17 Nov 2014 15:19:57 -0500
Subject: [PATCH 3/3] Use asn1c helpers to encode/decode the getkeytab control
Replaces manual encoding with automatically generated code.
Fixes:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
---
Makefile | 1 +
daemons/configure.ac | 2 +
.../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 7 +-
.../ipa-pwd-extop/ipa_pwd_extop.c | 239 ++++----------------
ipa-client/Makefile.am | 4 +
ipa-client/configure.ac | 2 +
ipa-client/ipa-getkeytab.c | 246 ++++-----------------
7 files changed, 106 insertions(+), 395 deletions(-)
diff --git a/Makefile b/Makefile
index 9321c81fe5deebdd5d8b3d7e406347fc5d159610..3225a61b5b80e1ca0968e0c45f18c0ec3645df05 100644
--- a/Makefile
+++ b/Makefile
@@ -76,6 +76,7 @@ client: client-autogen
bootstrap-autogen: version-update client-autogen
@echo "Building IPA $(IPA_VERSION)"
+ cd asn1; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
cd daemons; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR) --with-openldap; fi
cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
diff --git a/daemons/configure.ac b/daemons/configure.ac
index bfcdeadcd1dc73762d8c773ee50210d9bdb91e92..e81aa60e381e035aff73bf27475fc0f101a5fbf9 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -5,6 +5,7 @@ AC_INIT([ipa-server],
[https://hosted.fedoraproject.org/projects/freeipa/newticket])
AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_SUBDIRS([../asn1])
AM_INIT_AUTOMAKE([foreign])
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
@@ -305,6 +306,7 @@ AC_SUBST(LDFLAGS)
AC_CONFIG_FILES([
Makefile
+ ../asn1/Makefile
ipa-kdb/Makefile
ipa-sam/Makefile
ipa-otpd/Makefile
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index 4cf80ec802b40bb579a44fc9357c6a8119dab577..77beca2da0810ed5507d95b21f99d22f63b05fc1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -6,6 +6,7 @@ KRB5_UTIL_DIR = ../../../util
KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \
$(KRB5_UTIL_DIR)/ipa_pwd.c \
$(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c
+ASN1_UTIL_DIR=../../../asn1
AM_CPPFLAGS = \
-I. \
@@ -13,6 +14,7 @@ AM_CPPFLAGS = \
-I$(srcdir)/../libotp \
-I$(PLUGIN_COMMON_DIR) \
-I$(KRB5_UTIL_DIR) \
+ -I$(ASN1_UTIL_DIR) \
-I$(COMMON_BER_DIR) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
@@ -38,7 +40,10 @@ AM_LDFLAGS = \
# Plugin Binary
plugindir = $(libdir)/dirsrv/plugins
plugin_LTLIBRARIES = libipa_pwd_extop.la
-libipa_pwd_extop_la_LIBADD = $(builddir)/../libotp/libotp.la
+libipa_pwd_extop_la_LIBADD = \
+ $(builddir)/../libotp/libotp.la \
+ $(ASN1_UTIL_DIR)/libipaasn1.la \
+ $(NULL)
libipa_pwd_extop_la_SOURCES = \
authcfg.c \
common.c \
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index b87ae0dc7a180008228f31293b49212df80584e8..ceea49cab50b0836c882240f210339e60d26729b 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -40,6 +40,7 @@
#include "ipapwd.h"
#include "util.h"
#include "authcfg.h"
+#include "ipa_asn1.h"
/*
* Password Modify - LDAP Extended Operation.
@@ -1310,31 +1311,7 @@ free_and_return:
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
}
-/* Format of getkeytab request
- *
- * KeytabGetRequest ::= CHOICE {
- * newkeys [0] Newkeys,
- * curkeys [1] CurrentKeys,
- * reply [2] Reply
- * }
- *
- * NewKeys ::= SEQUENCE {
- * serviceIdentity [0] OCTET STRING,
- * enctypes [1] SEQUENCE OF Int16
- * password [2] OCTET STRING OPTIONAL,
- * }
- *
- * CurrentKeys ::= SEQUENCE {
- * serviceIdentity [0] OCTET STRING,
- * }
- */
-
-#define GK_REQUEST_NEWKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
-#define GK_REQUEST_CURKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_SVCNAME_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_ENCTYPES_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_PASSWORD_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
-
+/* decode a getkeytab control request using libipaasn1 helpers */
static int decode_getkeytab_request(struct berval *extop, bool *wantold,
char **_svcname, char **_password,
krb5_key_salt_tuple **kenctypes,
@@ -1342,96 +1319,44 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
{
int rc = LDAP_OPERATIONS_ERROR;
char *err_msg = NULL;
- BerElement *ber = NULL;
- ber_len_t tlen;
- ber_tag_t rtag;
- ber_tag_t ttag;
- ber_tag_t ctag;
char *svcname = NULL;
char *password = NULL;
- ber_int_t enctype;
+ long *etypes = NULL;
+ int numtypes = 0;
krb5_key_salt_tuple *enctypes = NULL;
- int num = 0;
+ bool newkt;
+ bool ret;
+ int i;
- ber = ber_init(extop);
- if (ber == NULL) {
- err_msg = "KeytabGet Request decode failed.\n";
+ ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt,
+ &svcname, &password, &etypes, &numtypes);
+ if (!ret) {
+ err_msg = "Failed to decode GetKeytab Control.\n";
rc = LDAP_PROTOCOL_ERROR;
goto done;
}
- /* check this is a request */
- rtag = ber_peek_tag(ber, &tlen);
- if (rtag != GK_REQUEST_NEWKEYS && rtag != GK_REQUEST_CURKEYS) {
- LOG_FATAL("ber_peek_tag failed, wrong request type\n");
- err_msg = "Invalid payload.\n";
- rc = LDAP_PROTOCOL_ERROR;
- goto done;
- }
-
- /* ber parse code */
- ttag = ber_scanf(ber, "{ta", &ctag, &svcname);
- if (ttag == LBER_ERROR || ctag != GKREQ_SVCNAME_TAG) {
- LOG_FATAL("ber_scanf failed to decode service name\n");
- err_msg = "Invalid payload.\n";
- rc = LDAP_PROTOCOL_ERROR;
- goto done;
- }
-
- if (rtag == GK_REQUEST_CURKEYS) {
- rc = LDAP_SUCCESS;
- goto done;
- }
-
- ttag = ber_peek_tag(ber, &tlen);
- if (ttag != GKREQ_ENCTYPES_TAG) {
- LOG_FATAL("ber_peek_tag failed to find enctypes\n");
- err_msg = "Invalid payload.\n";
- rc = LDAP_PROTOCOL_ERROR;
- goto done;
- }
- ttag = ber_peek_tag(ber, &tlen);
- for (num = 0; ttag == LBER_INTEGER; num++) {
- if ((num % 10) == 0) {
- /* allocate space for at least 10 more enctypes */
- enctypes = realloc(enctypes,
- (num + 10) * sizeof(krb5_key_salt_tuple));
+ if (newkt) {
+ if (numtypes) {
+ enctypes = malloc(numtypes * sizeof(krb5_key_salt_tuple));
if (!enctypes) {
LOG_FATAL("allocation failed\n");
err_msg = "Internal error\n";
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
- }
- ttag = ber_scanf(ber, "i", &enctype);
- if (ttag == LBER_ERROR) {
- LOG_FATAL("ber_scanf failed to decode enctype\n");
- err_msg = "Invalid payload.\n";
- rc = LDAP_PROTOCOL_ERROR;
- goto done;
- }
-
- enctypes[num].ks_enctype = enctype;
- enctypes[num].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
- ttag = ber_peek_tag(ber, &tlen);
- }
-
- /* ttag peek done as last step of the previous for loop */
- if (ttag == GKREQ_PASSWORD_TAG) {
- /* optional password present */
- ttag = ber_scanf(ber, "a", &password);
- if (ttag == LBER_ERROR) {
- LOG_FATAL("ber_scanf failed to decode password\n");
- err_msg = "Invalid payload.\n";
- rc = LDAP_PROTOCOL_ERROR;
- goto done;
+ for (i = 0; i < numtypes; i++) {
+ enctypes[i].ks_enctype = etypes[i];
+ enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
+ }
}
}
rc = LDAP_SUCCESS;
done:
+ free(etypes);
if (rc != LDAP_SUCCESS) {
free(password);
free(svcname);
@@ -1440,78 +1365,34 @@ done:
} else {
*_password = password;
*_svcname = svcname;
- *wantold = (rtag == GK_REQUEST_CURKEYS);
+ *wantold = (newkt == false);
*kenctypes = enctypes;
- *num_kenctypes = num;
+ *num_kenctypes = numtypes;
}
- if (ber) ber_free(ber, 1);
return rc;
}
-/* Format of getkeytab reply
- *
- * Reply ::= SEQUENCE {
- * new_kvno Int32
- * keys SEQUENCE OF KrbKey,
- * }
- *
- * KrbKey ::= SEQUENCE {
- * key [0] EncryptionKey,
- * salt [1] KrbSalt OPTIONAL,
- * s2kparams [2] OCTET STRING OPTIONAL,
- * }
- *
- * EncryptionKey ::= SEQUENCE {
- * keytype [0] Int32,
- * keyvalue [1] OCTET STRING
- * }
- *
- * KrbSalt ::= SEQUENCE {
- * type [0] Int32,
- * salt [1] OCTET STRING
- * }
- */
-
-#define GK_REPLY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
-#define GKREP_KEY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
-#define GKREP_SALT_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREP_S2KPARAMS_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
-#define GKREP_KEYTYPE_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
-#define GKREP_KEYVALUE_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREP_SALTTYPE_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
-#define GKREP_SALTVALUE_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-
static int encode_getkeytab_reply(krb5_context krbctx,
krb5_keyblock *kmkey, int mkvno,
krb5_key_data *keys, int num_keys,
struct berval **_bvp)
{
int rc = LDAP_OPERATIONS_ERROR;
+ struct krb_key_salt ksdata[num_keys];
+ struct keys_container ksc = { num_keys, ksdata };
struct berval *bvp = NULL;
- BerElement *ber = NULL;
- ber_int_t kvno;
- krb5_data plain = { 0 };
+ int kvno;
+ bool ret;
- ber = ber_alloc();
- if (!ber) {
- LOG_OOM();
- goto done;
- }
+ memset(ksdata, '\0', num_keys * sizeof(struct krb_key_salt));
/* uses last key kvno */
kvno = keys[num_keys-1].key_data_kvno;
- rc = ber_printf(ber, "t{i{", GK_REPLY_TAG, kvno);
- if (rc == -1) {
- rc = LDAP_OPERATIONS_ERROR;
- LOG_FATAL("Failed to initiate key buffer\n");
- goto done;
- }
-
for (int i = 0; i < num_keys; i++) {
krb5_enc_data cipher = { 0 };
+ krb5_data plain = { 0 };
krb5_int16 plen;
- void *p;
/* retrieve plain key */
memcpy(&plen, keys[i].key_data_contents[0], 2);
@@ -1521,13 +1402,12 @@ static int encode_getkeytab_reply(krb5_context krbctx,
cipher.kvno = mkvno;
plain.length = le16toh(plen);
- p = realloc(plain.data, plain.length);
- if (!p) {
+ plain.data = malloc(plain.length);
+ if (!plain.data) {
LOG_FATAL("Failed to allocate plain buffer\n");
rc = LDAP_OPERATIONS_ERROR;
goto done;
}
- plain.data = p;
rc = krb5_c_decrypt(krbctx, kmkey, 0, 0, &cipher, &plain);
if (rc) {
@@ -1536,68 +1416,37 @@ static int encode_getkeytab_reply(krb5_context krbctx,
goto done;
}
- rc = ber_printf(ber,
- "{t{tito}",
- GKREP_KEY_TAG,
- GKREP_KEYTYPE_TAG,
- (ber_int_t)keys[i].key_data_type[0],
- GKREP_KEYVALUE_TAG,
- plain.data, (ber_len_t)plain.length);
- if (rc == -1) {
- LOG_FATAL("Failed to encode key data\n");
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
+ ksc.ksdata[i].enctype = keys[i].key_data_type[0];
+ ksc.ksdata[i].key.enctype = keys[i].key_data_type[0];
+ ksc.ksdata[i].key.contents = (void *)plain.data;
+ ksc.ksdata[i].key.length = plain.length;
/* if salt available, add it */
if (keys[i].key_data_length[1] != 0) {
- rc = ber_printf(ber,
- "t{tito}",
- GKREP_SALT_TAG,
- GKREP_SALTTYPE_TAG,
- (ber_int_t)keys[i].key_data_type[1],
- GKREP_SALTVALUE_TAG,
- keys[i].key_data_contents[1],
- (ber_len_t)keys[i].key_data_length[1]);
- if (rc == -1) {
- LOG_FATAL("Failed to encode salt data\n");
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
- }
-
- rc = ber_printf(ber, "}");
- if (rc == -1) {
- LOG_FATAL("Failed to encode data\n");
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
+ ksc.ksdata[i].salttype = keys[i].key_data_type[1];
+ ksc.ksdata[i].salt.data = (void *)keys[i].key_data_contents[1];
+ ksc.ksdata[i].salt.length = keys[i].key_data_length[1];
}
}
- rc = ber_printf(ber, "}}");
- if (rc == -1) {
- LOG_FATAL("Failed to terminate key buffer\n");
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
+ bvp = calloc(1, sizeof(struct berval));
+ if (!bvp) goto done;
- rc = ber_flatten(ber, &bvp);
- if (rc == -1) {
- LOG_FATAL("Failed to encode key buffer\n");
- rc = LDAP_OPERATIONS_ERROR;
- goto done;
- }
+ ret = ipaasn1_enc_getktreply(kvno, &ksc,
+ (void **)&bvp->bv_val, &bvp->bv_len);
+ if (!ret) goto done;
rc = LDAP_SUCCESS;
done:
+ for (int i = 0; i < ksc.nkeys; i ++) {
+ free(ksc.ksdata[i].key.contents);
+ }
if (rc != LDAP_SUCCESS) {
if (bvp) ber_bvfree(bvp);
} else {
*_bvp = bvp;
}
- if (ber) ber_free(ber, 1);
- free(plain.data);
return rc;
}
diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am
index 2df175e53b2a547acdad546db182b38011becd06..b9c7020f3b687b3c0030ed5166625e6ef07e2fa4 100644
--- a/ipa-client/Makefile.am
+++ b/ipa-client/Makefile.am
@@ -14,11 +14,13 @@ export AM_CFLAGS
KRB5_UTIL_DIR=../util
KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c
+ASN1_UTIL_DIR=../asn1
AM_CPPFLAGS = \
-I. \
-I$(srcdir) \
-I$(KRB5_UTIL_DIR) \
+ -I$(ASN1_UTIL_DIR) \
-DPREFIX=\""$(prefix)"\" \
-DBINDIR=\""$(bindir)"\" \
-DLIBDIR=\""$(libdir)"\" \
@@ -45,6 +47,7 @@ ipa_getkeytab_SOURCES = \
$(NULL)
ipa_getkeytab_LDADD = \
+ ../asn1/libipaasn1.la \
$(KRB5_LIBS) \
$(OPENLDAP_LIBS) \
$(SASL_LIBS) \
@@ -80,6 +83,7 @@ ipa_join_LDADD = \
$(NULL)
SUBDIRS = \
+ ../asn1 \
ipaclient \
ipa-install \
man \
diff --git a/ipa-client/configure.ac b/ipa-client/configure.ac
index 34625622d3e3bb64866b3b0b1a58d29e33f11a7d..78da8e6e413b8becbd4c75422abffb670050f446 100644
--- a/ipa-client/configure.ac
+++ b/ipa-client/configure.ac
@@ -8,6 +8,7 @@ AC_PROG_LIBTOOL
AC_CONFIG_SRCDIR([ipaclient/__init__.py])
AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_SUBDIRS([../asn1])
AM_INIT_AUTOMAKE([foreign])
@@ -205,6 +206,7 @@ dnl ---------------------------------------------------------------------------
AC_CONFIG_FILES([
Makefile
+ ../asn1/Makefile
ipaclient/Makefile
ipa-install/Makefile
man/Makefile
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index bb43c333dca6560807a120103a1cb535fa87b76a..15255d6a33c8c298f138868ac545d4ebea415fe5 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -40,6 +40,7 @@
#include "config.h"
#include "ipa_krb5.h"
+#include "ipa_asn1.h"
#include "ipa-client-common.h"
static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)
@@ -295,14 +296,15 @@ done:
return ret;
}
-static BerElement *get_control_data(LDAPControl **list, const char *repoid)
+static int find_control_data(LDAPControl **list, const char *repoid,
+ struct berval *data)
{
LDAPControl *control = NULL;
int i;
if (!list) {
fprintf(stderr, _("Missing reply control list!\n"));
- return NULL;
+ return LDAP_OPERATIONS_ERROR;
}
for (i = 0; list[i]; i++) {
@@ -312,10 +314,22 @@ static BerElement *get_control_data(LDAPControl **list, const char *repoid)
}
if (!control) {
fprintf(stderr, _("Missing reply control!\n"));
- return NULL;
+ return LDAP_OPERATIONS_ERROR;
}
- return ber_init(&control->ldctl_value);
+ *data = control->ldctl_value;
+ return LDAP_SUCCESS;
+}
+
+static BerElement *get_control_data(LDAPControl **list, const char *repoid)
+{
+ struct berval data;
+ int ret;
+
+ ret = find_control_data(list, repoid, &data);
+ if (ret != LDAP_SUCCESS) return NULL;
+
+ return ber_init(&data);
}
static int ldap_set_keytab(krb5_context krbctx,
@@ -435,124 +449,42 @@ error_out:
return -1;
}
-/* Format of getkeytab control
- *
- * KeytabGetRequest ::= CHOICE {
- * newkeys [0] Newkeys,
- * curkeys [1] CurrentKeys,
- * reply [2] Reply
- * }
- *
- * NewKeys ::= SEQUENCE {
- * serviceIdentity [0] OCTET STRING,
- * enctypes [1] SEQUENCE OF Int16
- * password [2] OCTET STRING OPTIONAL,
- * }
- *
- * CurrentKeys ::= SEQUENCE {
- * serviceIdentity [0] OCTET STRING,
- * }
- *
- * Reply ::= SEQUENCE {
- * new_kvno Int32
- * keys SEQUENCE OF KrbKey,
- * }
- *
- * KrbKey ::= SEQUENCE {
- * key [0] EncryptionKey,
- * salt [1] KrbSalt OPTIONAL,
- * s2kparams [2] OCTET STRING OPTIONAL,
- * }
- *
- * EncryptionKey ::= SEQUENCE {
- * keytype [0] Int32,
- * keyvalue [1] OCTET STRING
- * }
- *
- * KrbSalt ::= SEQUENCE {
- * type [0] Int32,
- * salt [1] OCTET STRING
- * }
- */
-
-#define GK_REQUEST_NEWKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)
-#define GK_REQUEST_CURKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_SVCNAME_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_ENCTYPES_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)
-#define GKREQ_PASSWORD_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
-
+/* use asn1c generated code to fill up control */
static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
const char *password,
struct krb_key_salt *encsalts,
int num_encsalts)
{
- struct berval *bval = NULL;
- BerElement *be;
- ber_tag_t ctag;
- ber_int_t e;
- int ret, i;
-
- be = ber_alloc_t(LBER_USE_DER);
- if (!be) {
- return NULL;
- }
-
- if (gen) {
- ctag = GK_REQUEST_NEWKEYS;
- } else {
- ctag = GK_REQUEST_CURKEYS;
- }
-
- ret = ber_printf(be, "t{ts", ctag, GKREQ_SVCNAME_TAG, svc_princ);
- if (ret == -1) {
- ber_free(be, 1);
- goto done;
- }
+ struct berval *result = NULL;
+ void *buffer = NULL;
+ size_t buflen;
+ long ets[num_encsalts];
+ bool ret;
+ int i;
if (gen) {
- ret = ber_printf(be, "t{", GKREQ_ENCTYPES_TAG);
- if (ret == -1) {
- ber_free(be, 1);
- goto done;
- }
for (i = 0; i < num_encsalts; i++) {
- e = encsalts[i].enctype;
- ret = ber_printf(be, "i", e);
- if (ret == -1) {
- ber_free(be, 1);
- goto done;
- }
- }
- ret = ber_printf(be, "}");
- if (ret == -1) {
- ber_free(be, 1);
- goto done;
- }
-
- if (password) {
- ret = ber_printf(be, "ts", GKREQ_PASSWORD_TAG, password);
- if (ret == -1) {
- ber_free(be, 1);
- goto done;
- }
+ ets[i] = encsalts[i].enctype;
}
}
+ ret = ipaasn1_enc_getkt(gen, svc_princ,
+ password, ets, num_encsalts,
+ &buffer, &buflen);
+ if (!ret) goto done;
- ret = ber_printf(be, "}");
- if (ret == -1) {
- ber_free(be, 1);
- goto done;
- }
+ result = malloc(sizeof(struct berval));
+ if (!result) goto done;
- ret = ber_flatten(be, &bval);
- if (ret == -1) {
- ber_free(be, 1);
- goto done;
- }
+ result->bv_val = buffer;
+ result->bv_len = buflen;
done:
- ber_free(be, 1);
- return bval;
+ if (result == NULL) {
+ if (buffer) {
+ free(buffer);
+ }
+ }
+ return result;
}
#define GK_REPLY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)
@@ -571,13 +503,8 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
struct berval *control = NULL;
LDAP *ld = NULL;
LDAPControl **srvctrl = NULL;
- BerElement *ber = NULL;
- ber_tag_t rtag;
- ber_tag_t ctag;
- ber_len_t tlen;
- ber_int_t vno;
- ber_int_t tint;
- struct berval tbval;
+ struct berval data;
+ bool res;
int ret;
*err_msg = NULL;
@@ -609,98 +536,19 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
goto done;
}
- ber = get_control_data(srvctrl, KEYTAB_GET_OID);
- if (!ber) {
- *err_msg = _("Failed to find or parse reply control!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- rtag = ber_scanf(ber, "t{i{", &ctag, &vno);
- if (rtag == LBER_ERROR || ctag != GK_REPLY_TAG) {
- *err_msg = _("Failed to parse control head!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- keys->nkeys = 0;
- keys->ksdata = NULL;
-
- rtag = ber_peek_tag(ber, &tlen);
- for (int i = 0; rtag == LBER_SEQUENCE; i++) {
- if ((i % 5) == 0) {
- struct krb_key_salt *ksdata;
- ksdata = realloc(keys->ksdata,
- (i + 5) * sizeof(struct krb_key_salt));
- if (!ksdata) {
- *err_msg = _("Out of memory!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
- keys->ksdata = ksdata;
- }
- memset(&keys->ksdata[i], 0, sizeof(struct krb_key_salt));
- keys->nkeys = i + 1;
-
- rtag = ber_scanf(ber, "{t{io}", &ctag, &tint, &tbval);
- if (rtag == LBER_ERROR || ctag != GKREP_KEY_TAG) {
- *err_msg = _("Failed to parse enctype in key data!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
- keys->ksdata[i].enctype = tint;
- keys->ksdata[i].key.enctype = tint;
- keys->ksdata[i].key.length = tbval.bv_len;
- keys->ksdata[i].key.contents = malloc(tbval.bv_len);
- if (!keys->ksdata[i].key.contents) {
- *err_msg = _("Out of memory!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
- memcpy(keys->ksdata[i].key.contents, tbval.bv_val, tbval.bv_len);
- ber_memfree(tbval.bv_val);
-
- rtag = ber_peek_tag(ber, &tlen);
- if (rtag == GKREP_SALT_TAG) {
- rtag = ber_scanf(ber, "t{io}", &ctag, &tint, &tbval);
- if (rtag == LBER_ERROR) {
- *err_msg = _("Failed to parse salt in key data!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
- keys->ksdata[i].salttype = tint;
- keys->ksdata[i].salt.length = tbval.bv_len;
- keys->ksdata[i].salt.data = malloc(tbval.bv_len);
- if (!keys->ksdata[i].salt.data) {
- *err_msg = _("Out of memory!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
- memcpy(keys->ksdata[i].salt.data, tbval.bv_val, tbval.bv_len);
- ber_memfree(tbval.bv_val);
- }
- rtag = ber_scanf(ber, "}");
- if (rtag == LBER_ERROR) {
- *err_msg = _("Failed to parse ending of key data!\n");
- ret = LDAP_OPERATIONS_ERROR;
- goto done;
- }
-
- rtag = ber_peek_tag(ber, &tlen);
- }
+ ret = find_control_data(srvctrl, KEYTAB_GET_OID, &data);
+ if (ret != LDAP_SUCCESS) goto done;
- rtag = ber_scanf(ber, "}}");
- if (rtag == LBER_ERROR) {
- *err_msg = _("Failed to parse ending of control!\n");
+ res = ipaasn1_dec_getktreply(data.bv_val, data.bv_len, kvno, keys);
+ if (!res) {
+ *err_msg = _("Failed to decode control reply!\n");
ret = LDAP_OPERATIONS_ERROR;
goto done;
}
- *kvno = vno;
ret = LDAP_SUCCESS;
done:
- if (ber) ber_free(ber, 1);
if (ld) ldap_unbind_ext(ld, NULL, NULL);
if (control) ber_bvfree(control);
free(es);
--
2.1.0


@ -19,13 +19,13 @@
%global platform_module fedora
%endif
%global VERSION 4.1.1
%global VERSION 4.1.2
%define _hardened_build 1
Name: freeipa
Version: %{VERSION}
Release: 2%{?dist}
Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -34,13 +34,6 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch01: 0001-Fix-named-working-directory-permissions.patch
Patch02: 0002-Show-warning-instead-of-error-if-CA-did-not-start.patch
Patch03: 0003-webui-fix-potential-XSS-vulnerabilities.patch
Patch04: 0004-Fix-filtering-of-enctypes-in-server-code.patch
Patch05: 0005-Add-asn1c-generated-code-for-keytab-controls.patch
Patch06: 0006-Use-asn1c-helpers-to-encode-decode-the-getkeytab-con.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.3.5
BuildRequires: svrcore-devel
@ -157,7 +150,7 @@ Requires: python-dns >= 1.11.1
Requires: zip
Requires: policycoreutils >= 2.1.12-5
Requires: tar
Requires(pre): certmonger >= 0.75.13
Requires(pre): certmonger >= 0.76.8
Requires(pre): 389-ds-base >= 1.3.3.5
Requires: fontawesome-fonts
Requires: open-sans-fonts
@ -244,7 +237,7 @@ Requires: wget
Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4
Requires: sssd >= 1.12.2
Requires: certmonger >= 0.75.6
Requires: certmonger >= 0.76.8
Requires: nss-tools
Requires: bind-utils
Requires: oddjob-mkhomedir
@ -294,7 +287,7 @@ Requires: gnupg
Requires: iproute
Requires: keyutils
Requires: pyOpenSSL
Requires: python-nss >= 0.15
Requires: python-nss >= 0.16
Requires: python-lxml
Requires: python-netaddr
Requires: libipa_hbac-python
@ -937,6 +930,10 @@ fi
%endif # ONLY_CLIENT
%changelog
* Tue Nov 25 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.2-1
- Update to upstream 4.1.2 - see http://www.freeipa.org/page/Releases/4.1.2
- fix CVE-2014-7850
* Thu Nov 20 2014 Simo Sorce <simo@redhat.com> - 4.1.1-2
- Patch blokers and feature freze exceptions
- Resolves: bz1165674
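Review bot: The `@ -34,13 +34,6 @@` hunk drops the `Patch01`–`Patch06` declarations, but the corresponding `%patch` applications in `%prep` are outside this section; if they were not removed in the same commit, `rpmbuild` will fail in `%prep`, so that part of the spec should be checked. The new changelog entry `- fix CVE-2014-7850` does not record which of the dropped carried patches (for example `0003-webui-fix-potential-XSS-vulnerabilities.patch`) are now expected to be contained in the 4.1.2 tarball. A line such as `- drop patches 01-06, presumably merged upstream in 4.1.2` would make the security provenance of this update auditable from the changelog alone, which matters when a carried CVE fix is replaced by a rebase.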


@ -1 +1 @@
6e1ec60f71aa17b65a2a3caadd688f3c freeipa-4.1.1.tar.gz
f40681838166b72a038380a7ad623dae freeipa-4.1.2.tar.gz