freeipa/util/ipa_krb5.h

/*
 * Kerberos related utils for FreeIPA
 *
 * Authors: Simo Sorce <ssorce@redhat.com>
 *
 * Copyright (C) 2011  Simo Sorce, Red Hat
 * see file 'COPYING' for use and warranty information
 *
 * This program is free software you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
/*
 * Functions krb5_ts2tt, krb5_ts_incr, krb5_ts_after are taken from Kerberos 5:
 * https://github.com/krb5/krb5/blob/master/src/include/k5-int.h
 *
 * Authors: Greg Hudson <ghudson@mit.edu>
 *
 * Copyright (C) 2017
 *
 * This software is being provided to you, the LICENSEE, by the
 * Massachusetts Institute of Technology (M.I.T.) under the following
 * license.  By obtaining, using and/or copying this software, you agree
 * that you have read, understood, and will comply with these terms and
 * conditions:
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
 * this software and its documentation for any purpose and without fee or
 * royalty is hereby granted, provided that you agree to comply with the
 * following copyright notice and statements, including the disclaimer, and
 * that the same appear on ALL copies of the software and documentation,
 * including modifications that you make for internal use or for
 * distribution:
 *
 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
 * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
 *
 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
 * be used in advertising or publicity pertaining to distribution of the
 * software.  Title to copyright in this software and any associated
 * documentation shall at all times remain with M.I.T., and USER agrees to
 * preserve same.
 *
 * Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 */

#pragma once

#include <stdbool.h>
#include <time.h>
#include <lber.h>
#include <krb5/krb5.h>
#include <kdb.h>
#include <syslog.h>

struct krb_key_salt {
    krb5_enctype enctype;
    krb5_int32 salttype;
    krb5_keyblock key;
    krb5_data salt;
};

struct keys_container {
    krb5_int32 nkeys;
    struct krb_key_salt *ksdata;
};

/* Salt types */
#define NO_SALT                        -1
#define KRB5_KDB_SALTTYPE_NORMAL        0
#define KRB5_KDB_SALTTYPE_V4            1
#define KRB5_KDB_SALTTYPE_NOREALM       2
#define KRB5_KDB_SALTTYPE_ONLYREALM     3
#define KRB5_KDB_SALTTYPE_SPECIAL       4
#define KRB5_KDB_SALTTYPE_AFS3          5

#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1"
#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2"
#define KEYTAB_GET_OID "2.16.840.1.113730.3.8.10.5"

#define IPAPWD_PASSWORD_MAX_LEN 1000
extern const char *ipapwd_password_max_len_errmsg;

int krb5_klog_syslog(int, const char *, ...);

void
ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val);

krb5_error_code ipa_krb5_principal2salt_norealm(krb5_context context,
                                                krb5_const_principal pr,
                                                krb5_data *ret);

krb5_error_code ipa_krb5_generate_key_data(krb5_context krbctx,
                                           krb5_principal principal,
                                           krb5_data pwd, int kvno,
                                           krb5_keyblock *kmkey,
                                           int num_encsalts,
                                           krb5_key_salt_tuple *encsalts,
                                           int *_num_keys,
                                           krb5_key_data **_keys);

void ipa_krb5_free_key_data(krb5_key_data *keys, int num_keys);

int ber_encode_krb5_key_data(krb5_key_data *data,
                             int numk, int mkvno,
                             struct berval **encoded);
int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
                             int *numk, krb5_key_data **data);

krb5_error_code parse_bval_key_salt_tuples(krb5_context kcontext,
                                           const char * const *vals,
                                           int n_vals,
                                           krb5_key_salt_tuple **kst,
                                           int *n_kst);

krb5_error_code filter_key_salt_tuples(krb5_context context,
                                       krb5_key_salt_tuple *req, int n_req,
                                       krb5_key_salt_tuple *supp, int n_supp,
                                       krb5_key_salt_tuple **res, int *n_res);

void free_keys_contents(krb5_context krbctx, struct keys_container *keys);

struct berval *create_key_control(struct keys_container *keys,
                                  const char *principalName);

int ipa_string_to_enctypes(const char *str, struct krb_key_salt **encsalts,
                           int *num_encsalts, char **err_msg);

int create_keys(krb5_context krbctx,
                krb5_principal princ,
                char *password,
                const char *enctypes_string,
                struct keys_container *keys,
                char **err_msg);

int ipa_kstuples_to_string(krb5_key_salt_tuple *kst, int n_kst, char **str);

/* Convert a krb5_timestamp to a time_t value, treating the negative range of
 * krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */
static inline time_t
krb5_ts2tt(krb5_timestamp timestamp) {
    return (time_t)(uint32_t)timestamp;
}

/* Increment a timestamp by a signed 32-bit interval, without relying on
 * undefined behavior. */
static inline krb5_timestamp
krb5_ts_incr(krb5_timestamp ts, krb5_deltat delta) {
    return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta);
}

/* Return true if a comes after b. */
static inline bool
krb5_ts_after(krb5_timestamp a, krb5_timestamp b) {
    return (uint32_t)a > (uint32_t)b;
}
ipa-kdb: handle dates up to 2106-02-07 06:28:16 krb5 uses the negative part of krb5_timestamp to store time values after 2038: https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038 In other words, krb5 uses krb5_timestamp (signed int) with unsigned arithmetic for expanding the timestamp's upper bound. This commit: - adds some helper functions for working with krb5_timestamp as unsigned (actually copied from https://github.com/krb5/krb5/blob/master/src/include/k5-int.h) - replaces operations with krb5_timestamp's by these new functions Fixes: https://pagure.io/freeipa/issue/8028 Signed-off-by: Slava Aseev <ptrnine@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 2020-11-23 09:23:01 -06:00			`/*`
			`* Kerberos related utils for FreeIPA`
			`*`
			`* Authors: Simo Sorce <ssorce@redhat.com>`
			`*`
			`* Copyright (C) 2011 Simo Sorce, Red Hat`
			`* see file 'COPYING' for use and warranty information`
			`*`
			`* This program is free software you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation, either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`
			`/*`
			`* Functions krb5_ts2tt, krb5_ts_incr, krb5_ts_after are taken from Kerberos 5:`
			`* https://github.com/krb5/krb5/blob/master/src/include/k5-int.h`
			`*`
			`* Authors: Greg Hudson <ghudson@mit.edu>`
			`*`
			`* Copyright (C) 2017`
			`*`
			`* This software is being provided to you, the LICENSEE, by the`
			`* Massachusetts Institute of Technology (M.I.T.) under the following`
			`* license. By obtaining, using and/or copying this software, you agree`
			`* that you have read, understood, and will comply with these terms and`
			`* conditions:`
			`*`
			`* Export of this software from the United States of America may`
			`* require a specific license from the United States Government.`
			`* It is the responsibility of any person or organization contemplating`
			`* export to obtain such a license before exporting.`
			`*`
			`* WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute`
			`* this software and its documentation for any purpose and without fee or`
			`* royalty is hereby granted, provided that you agree to comply with the`
			`* following copyright notice and statements, including the disclaimer, and`
			`* that the same appear on ALL copies of the software and documentation,`
			`* including modifications that you make for internal use or for`
			`* distribution:`
			`*`
			`* THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS`
			`* OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not`
			`* limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF`
			`* MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF`
			`* THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY`
			`* PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.`
			`*`
			`* The name of the Massachusetts Institute of Technology or M.I.T. may NOT`
			`* be used in advertising or publicity pertaining to distribution of the`
			`* software. Title to copyright in this software and any associated`
			`* documentation shall at all times remain with M.I.T., and USER agrees to`
			`* preserve same.`
			`*`
			`* Furthermore if you modify this software you must label`
			`* your software as modified software and not distribute it in such a`
			`* fashion that it might be confused with the original M.I.T. software.`
			`*/`

Migrate from #ifndef guards to #pragma once Using a pragma instead of guards is easier to write, less error prone and avoids name clashes (a source of very subtle bugs). This pragma is supported on almost all compilers, including all the compilers we care about: https://en.wikipedia.org/wiki/Pragma_once#Portability. This patch does not change the autogenerated files: asn1/asn1c/*.h. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2016-05-24 09:18:43 -05:00			`#pragma once`
Use internal implementation of internal Kerberos functions Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes Signed-off-by: Simo Sorce <ssorce@redhat.com> 2010-11-04 13:29:01 -05:00
ipa-kdb: handle dates up to 2106-02-07 06:28:16 krb5 uses the negative part of krb5_timestamp to store time values after 2038: https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038 In other words, krb5 uses krb5_timestamp (signed int) with unsigned arithmetic for expanding the timestamp's upper bound. This commit: - adds some helper functions for working with krb5_timestamp as unsigned (actually copied from https://github.com/krb5/krb5/blob/master/src/include/k5-int.h) - replaces operations with krb5_timestamp's by these new functions Fixes: https://pagure.io/freeipa/issue/8028 Signed-off-by: Slava Aseev <ptrnine@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 2020-11-23 09:23:01 -06:00			`#include <stdbool.h>`
Compile IPA modules with C11 extensions - define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for Samba's ZERO_STRUCT() macro, see https://en.cppreference.com/w/c/string/byte/memset - _DEFAULT_SOURCE enables features like htole16() from endian.h, see http://man7.org/linux/man-pages/man3/endian.3.html - _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h, see http://man7.org/linux/man-pages/man3/strndup.3.html - time_t is no longer implicitly defined, include time.h - typeof() is only available as GNU extension. Use explicit types instead of generic __typeof__(). Fixes: https://pagure.io/freeipa/issue/7858 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-02-06 06:47:01 -06:00			`#include <time.h>`
Add asn1c generated code for keytab controls Instead of manually encoding controls, use an actual asn1 compiler. The file asn1/asn1c/ipa.asn1 will contain ipa modules. The generated code is committed to the tree and built into a static library that is linked to the code that uses it. The first module implements the GetKeytabControl control. Related: https://fedorahosted.org/freeipa/ticket/4718 https://fedorahosted.org/freeipa/ticket/4728 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 2014-11-13 10:31:09 -06:00			`#include <lber.h>`
ipa-pwd-extop: Move encryption of keys in common This way we can reuse the same code from ipa-kdb later 2011-06-20 09:46:11 -05:00			`#include <krb5/krb5.h>`
			`#include <kdb.h>`
Log INFO message when LDAP connection fails on startup Since krb5_klog_syslog() always needs parameters from syslog.h, move the include into ipa_krb5.h. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2019-08-02 14:55:20 -05:00			`#include <syslog.h>`
Use internal implementation of internal Kerberos functions Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes Signed-off-by: Simo Sorce <ssorce@redhat.com> 2010-11-04 13:29:01 -05:00
Move some krb5 keys related functions from ipa-client to util 2012-03-13 04:29:00 -05:00			`struct krb_key_salt {`
			`krb5_enctype enctype;`
			`krb5_int32 salttype;`
			`krb5_keyblock key;`
			`krb5_data salt;`
			`};`

			`struct keys_container {`
			`krb5_int32 nkeys;`
			`struct krb_key_salt *ksdata;`
			`};`

			`/* Salt types */`
			`#define NO_SALT -1`
			`#define KRB5_KDB_SALTTYPE_NORMAL 0`
			`#define KRB5_KDB_SALTTYPE_V4 1`
			`#define KRB5_KDB_SALTTYPE_NOREALM 2`
			`#define KRB5_KDB_SALTTYPE_ONLYREALM 3`
			`#define KRB5_KDB_SALTTYPE_SPECIAL 4`
			`#define KRB5_KDB_SALTTYPE_AFS3 5`

			`#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1"`
			`#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2"`
keytab: Add new extended operation to get a keytab. This new extended operation allow to create new keys or retrieve existing ones. The new set of keys is returned as a ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operation. For example for allowing retrieval by a specific user the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 2013-09-16 23:30:14 -05:00			`#define KEYTAB_GET_OID "2.16.840.1.113730.3.8.10.5"`
Move some krb5 keys related functions from ipa-client to util 2012-03-13 04:29:00 -05:00
CVE-2020-1722: prevent use of too long passwords NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2: https://pages.nist.gov/800-63-3/sp800-63b.html#appA Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit. FreeIPA already applied 256 characters limit for non-random passwords set through ipa-getkeytab tool. The limit was not, however, enforced in other places. MIT Kerberos limits the length of the password to 1024 characters in its tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not differentiate between a password larger than 1024 and a password of 1024 characters. As a result, longer passwords are silently cut off. To prevent silent cut off for user passwords, use limit of 1000 characters. Thus, this patch enforces common limit of 1000 characters everywhere: - LDAP-based password changes - LDAP password change control - LDAP ADD and MOD operations on clear-text userPassword - Keytab setting with ipa-getkeytab - Kerberos password setting and changing Fixes: https://pagure.io/freeipa/issue/8268 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <ssorce@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 2020-04-08 07:00:38 -05:00			`#define IPAPWD_PASSWORD_MAX_LEN 1000`
			`extern const char *ipapwd_password_max_len_errmsg;`

ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message This patch is related this defect reported by covscan on FreeIPA master: """ Error: DEADCODE (CWE-561): /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != -1765328353L", taking false branch. Now the value of "error_code" is equal to -1765328353. /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != -1765328360L", taking false branch. Now the value of "error_code" is equal to -1765328360. /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != 0", taking false branch. Now the value of "error_code" is equal to 0. /daemons/ipa-kdb/ipa_kdb_audit_as.c:71: intervals: When switching on "error_code", the value of "error_code" must be in one of the following intervals: {[-1765328360,-1765328360], [-1765328353,-1765328353], [0,0]}. /daemons/ipa-kdb/ipa_kdb_audit_as.c:71: dead_error_condition: The switch value "error_code" cannot reach the default case. /daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution cannot reach this statement: "default:". """ This patch is a part of series related to https://fedorahosted.org/freeipa/ticket/4795. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2015-01-28 09:21:15 -06:00			`int krb5_klog_syslog(int, const char *, ...);`

Use internal implementation of internal Kerberos functions Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes Signed-off-by: Simo Sorce <ssorce@redhat.com> 2010-11-04 13:29:01 -05:00			`void`
			`ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val);`

ipa-pwd-extop: Move encryption of keys in common This way we can reuse the same code from ipa-kdb later 2011-06-20 09:46:11 -05:00			`krb5_error_code ipa_krb5_principal2salt_norealm(krb5_context context,`
			`krb5_const_principal pr,`
			`krb5_data *ret);`

			`krb5_error_code ipa_krb5_generate_key_data(krb5_context krbctx,`
			`krb5_principal principal,`
			`krb5_data pwd, int kvno,`
			`krb5_keyblock *kmkey,`
			`int num_encsalts,`
			`krb5_key_salt_tuple *encsalts,`
			`int *_num_keys,`
			`krb5_key_data **_keys);`

			`void ipa_krb5_free_key_data(krb5_key_data *keys, int num_keys);`
Use internal implementation of internal Kerberos functions Don't use KRB5_PRIVATE. The patch implements and uses the following krb5 functions that are otherwise private in recent MIT Kerberos releases: * krb5_principal2salt_norealm * krb5_free_ktypes Signed-off-by: Simo Sorce <ssorce@redhat.com> 2010-11-04 13:29:01 -05:00
ipa-pwd-extop: Move encoding in common too Also to be used by ipa-kdb 2011-06-20 10:55:13 -05:00			`int ber_encode_krb5_key_data(krb5_key_data *data,`
			`int numk, int mkvno,`
			`struct berval **encoded);`
Move code into common krb5 utils This moves the decoding function that reads the keys from the ber format into a structure in the common krb5 util code right below the function that encodes the same data structure into a ber format. This way the 2 functions are in the same place and can be both used by all ia components. 2012-07-06 10:15:15 -05:00			`int ber_decode_krb5_key_data(struct berval encoded, int m_kvno,`
			`int numk, krb5_key_data *data);`
ipa-pwd-extop: Move encoding in common too Also to be used by ipa-kdb 2011-06-20 10:55:13 -05:00
ipa-pwd-extop: make encsalt parsing function common It is going to be used by the ipa-kdb module too. 2011-06-22 15:23:52 -05:00			`krb5_error_code parse_bval_key_salt_tuples(krb5_context kcontext,`
			`const char * const *vals,`
			`int n_vals,`
			`krb5_key_salt_tuple **kst,`
			`int *n_kst);`

ipa-kdb: implement change_pwd function 2011-06-20 18:35:50 -05:00			`krb5_error_code filter_key_salt_tuples(krb5_context context,`
			`krb5_key_salt_tuple *req, int n_req,`
			`krb5_key_salt_tuple *supp, int n_supp,`
			`krb5_key_salt_tuple *res, int n_res);`
Move some krb5 keys related functions from ipa-client to util 2012-03-13 04:29:00 -05:00
			`void free_keys_contents(krb5_context krbctx, struct keys_container *keys);`

			`struct berval create_key_control(struct keys_container keys,`
			`const char *principalName);`

ipa-getkeytab: Add support for get_keytab extop This new extended operation is tried by default and then the code falls back to the old method if it fails. The new method allows for server side password generation as well as retrieval of existing credentials w/o causing regeneration of keys on the server. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 2013-09-19 11:50:35 -05:00			`int ipa_string_to_enctypes(const char str, struct krb_key_salt *encsalts,`
			`int num_encsalts, char *err_msg);`

Move some krb5 keys related functions from ipa-client to util 2012-03-13 04:29:00 -05:00			`int create_keys(krb5_context krbctx,`
			`krb5_principal princ,`
			`char *password,`
			`const char *enctypes_string,`
			`struct keys_container *keys,`
			`char **err_msg);`
Detect default encsalts kadmin password change When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com> 2015-04-04 09:53:52 -05:00
			`int ipa_kstuples_to_string(krb5_key_salt_tuple kst, int n_kst, char *str);`
ipa-kdb: handle dates up to 2106-02-07 06:28:16 krb5 uses the negative part of krb5_timestamp to store time values after 2038: https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038 In other words, krb5 uses krb5_timestamp (signed int) with unsigned arithmetic for expanding the timestamp's upper bound. This commit: - adds some helper functions for working with krb5_timestamp as unsigned (actually copied from https://github.com/krb5/krb5/blob/master/src/include/k5-int.h) - replaces operations with krb5_timestamp's by these new functions Fixes: https://pagure.io/freeipa/issue/8028 Signed-off-by: Slava Aseev <ptrnine@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 2020-11-23 09:23:01 -06:00
			`/* Convert a krb5_timestamp to a time_t value, treating the negative range of`
			`* krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */`
			`static inline time_t`
			`krb5_ts2tt(krb5_timestamp timestamp) {`
			`return (time_t)(uint32_t)timestamp;`
			`}`

			`/* Increment a timestamp by a signed 32-bit interval, without relying on`
			`* undefined behavior. */`
			`static inline krb5_timestamp`
			`krb5_ts_incr(krb5_timestamp ts, krb5_deltat delta) {`
			`return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta);`
			`}`

			`/* Return true if a comes after b. */`
			`static inline bool`
			`krb5_ts_after(krb5_timestamp a, krb5_timestamp b) {`
			`return (uint32_t)a > (uint32_t)b;`
			`}`