Fix getkeytab code to always use implicit tagging.

A mixture of implicit and explicit tagging was being used, and this caused
a bug in retrieving the enctype number due to the way ber_scanf() loosely
treats sequences and explicit tagging.

The ASN.1 notation used to describe the getkeytab operation uses implicit
tagging, so by changing the code we simply follow the specified encoding.

Resolves: https://fedorahosted.org/freeipa/ticket/4404

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Simo Sorce 2014-06-26 11:43:47 -04:00 committed by Martin Kosek
parent 0d21937995
commit d9d5967f7e
2 changed files with 9 additions and 9 deletions


@ -1073,7 +1073,7 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset,
for (int i = 0; i < kset->num_keys; i++) { for (int i = 0; i < kset->num_keys; i++) {
rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]); rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]);
if (rc == -1) { if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
LOG_FATAL("Failed to ber_printf the enctype"); LOG_FATAL("Failed to ber_printf the enctype");
goto done; goto done;
@ -1328,7 +1328,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
} }
/* ber parse code */ /* ber parse code */
ttag = ber_scanf(ber, "{t[a]", &ctag, &svcname); ttag = ber_scanf(ber, "{ta", &ctag, &svcname);
if (ttag == LBER_ERROR || ctag != GKREQ_SVCNAME_TAG) { if (ttag == LBER_ERROR || ctag != GKREQ_SVCNAME_TAG) {
LOG_FATAL("ber_scanf failed to decode service name\n"); LOG_FATAL("ber_scanf failed to decode service name\n");
err_msg = "Invalid payload.\n"; err_msg = "Invalid payload.\n";
@ -1378,7 +1378,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
/* ttag peek done as last step of the previous for loop */ /* ttag peek done as last step of the previous for loop */
if (ttag == GKREQ_PASSWORD_TAG) { if (ttag == GKREQ_PASSWORD_TAG) {
/* optional password present */ /* optional password present */
ttag = ber_scanf(ber, "[a]", &password); ttag = ber_scanf(ber, "a", &password);
if (ttag == LBER_ERROR) { if (ttag == LBER_ERROR) {
LOG_FATAL("ber_scanf failed to decode password\n"); LOG_FATAL("ber_scanf failed to decode password\n");
err_msg = "Invalid payload.\n"; err_msg = "Invalid payload.\n";
@ -1494,7 +1494,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
} }
rc = ber_printf(ber, rc = ber_printf(ber,
"{t[{t[i]t[o]}]", "{t{tito}",
GKREP_KEY_TAG, GKREP_KEY_TAG,
GKREP_KEYTYPE_TAG, GKREP_KEYTYPE_TAG,
(ber_int_t)keys[i].key_data_type[0], (ber_int_t)keys[i].key_data_type[0],
@ -1509,7 +1509,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
/* if salt available, add it */ /* if salt available, add it */
if (keys[i].key_data_length[1] != 0) { if (keys[i].key_data_length[1] != 0) {
rc = ber_printf(ber, rc = ber_printf(ber,
"t[{t[i]t[o]}]", "t{tito}",
GKREP_SALT_TAG, GKREP_SALT_TAG,
GKREP_SALTTYPE_TAG, GKREP_SALTTYPE_TAG,
(ber_int_t)keys[i].key_data_type[1], (ber_int_t)keys[i].key_data_type[1],
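Review bot: The new format strings `"{t{tito}"` and `"t{tito}"` in encode_getkeytab_reply carry no comment saying that `t` applies to the element that follows and that the layout must stay in lock step with the client's `ber_scanf` formats, which is exactly the coupling this fix repairs. I would put one line above the first `ber_printf` in the key hunk: `/* implicit tagging: each 't' tags the element that follows; keep in sync with ldap_get_keytab's ber_scanf formats */`, and the same note above the salt one. In decode_getkeytab_request the `"{ta"` conversion allocates svcname before ctag is compared against GKREQ_SVCNAME_TAG, so the error path that follows (outside the hunk) needs to release it; I cannot see that from here, worth confirming. The hunk at 1073 shows identical old and new text for the `"{i}"` line, so whatever changed there is not recoverable from this rendering. Each of encode_setkeytab_reply, decode_getkeytab_request and encode_getkeytab_reply starts and ends outside the hunks shown.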


@ -503,7 +503,7 @@ static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
ctag = GK_REQUEST_CURKEYS; ctag = GK_REQUEST_CURKEYS;
} }
ret = ber_printf(be, "t{t[s]", ctag, GKREQ_SVCNAME_TAG, svc_princ); ret = ber_printf(be, "t{ts", ctag, GKREQ_SVCNAME_TAG, svc_princ);
if (ret == -1) { if (ret == -1) {
ber_free(be, 1); ber_free(be, 1);
goto done; goto done;
@ -530,7 +530,7 @@ static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
} }
if (password) { if (password) {
ret = ber_printf(be, "t[s]", GKREQ_PASSWORD_TAG, password); ret = ber_printf(be, "ts", GKREQ_PASSWORD_TAG, password);
if (ret == -1) { if (ret == -1) {
ber_free(be, 1); ber_free(be, 1);
goto done; goto done;
@ -642,7 +642,7 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
memset(&keys->ksdata[i], 0, sizeof(struct krb_key_salt)); memset(&keys->ksdata[i], 0, sizeof(struct krb_key_salt));
keys->nkeys = i + 1; keys->nkeys = i + 1;
rtag = ber_scanf(ber, "{t{[i][o]}]", &ctag, &tint, &tbval); rtag = ber_scanf(ber, "{t{io}", &ctag, &tint, &tbval);
if (rtag == LBER_ERROR || ctag != GKREP_KEY_TAG) { if (rtag == LBER_ERROR || ctag != GKREP_KEY_TAG) {
*err_msg = _("Failed to parse enctype in key data!\n"); *err_msg = _("Failed to parse enctype in key data!\n");
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
@ -662,7 +662,7 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
rtag = ber_peek_tag(ber, &tlen); rtag = ber_peek_tag(ber, &tlen);
if (rtag == GKREP_SALT_TAG) { if (rtag == GKREP_SALT_TAG) {
rtag = ber_scanf(ber, "t{[i][o]}", &ctag, &tint, &tbval); rtag = ber_scanf(ber, "t{io}", &ctag, &tint, &tbval);
if (rtag == LBER_ERROR) { if (rtag == LBER_ERROR) {
*err_msg = _("Failed to parse salt in key data!\n"); *err_msg = _("Failed to parse salt in key data!\n");
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
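Review bot: The client's `"{t{io}"` and `"t{io}"` formats in ldap_get_keytab only read and check the outer tag (ctag against GKREP_KEY_TAG and GKREP_SALT_TAG); the inner elements the server tags as GKREP_KEYTYPE_TAG / GKREP_SALTTYPE_TAG and their value tags are consumed by `i` and `o`, which as far as I can tell in liblber accept an element under any tag. A reply whose inner elements carry the wrong tags would therefore still parse as enctype and key material, so I would mirror the server's encoding and check the tags: read them with `t` before each of `i` and `o` (five output arguments instead of three) and reject the entry with the existing "Failed to parse enctype in key data!" path when the first inner tag differs from GKREP_KEYTYPE_TAG or the second from the tag the server writes for the value. The same applies to the salt hunk at 662. ldap_get_keytab starts and ends outside both hunks, as does create_getkeytab_control.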