Commit Graph

14 Commits

Author SHA1 Message Date
Christian Heimes
93fb037d84 Compile IPA modules with C11 extensions
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
  Samba's ZERO_STRUCT() macro, see
  https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
  http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
  see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
  instead of generic __typeof__().

Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-02-07 12:33:45 +01:00
Nathaniel McCallum
4bafba06f2 Migrate from #ifndef guards to #pragma once
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-05-29 14:04:45 +02:00
Simo Sorce
d5b6c83601 Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).

This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.

Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.

Fixes https://fedorahosted.org/freeipa/ticket/4914

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
2015-05-27 09:45:56 -04:00
Martin Babinsky
98b1690a0e ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
This patch is related this defect reported by covscan on FreeIPA master:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code !=
-1765328353L", taking false branch. Now the value of "error_code" is equal to
-1765328353.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition
"error_code != -1765328360L", taking false branch. Now the value of
"error_code" is equal to -1765328360.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42:
cond_const: Condition "error_code != 0", taking false branch. Now the value of
"error_code" is equal to 0.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
intervals: When switching on "error_code", the value of "error_code" must be
in one of the following intervals: {[-1765328360,-1765328360],
[-1765328353,-1765328353], [0,0]}.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
dead_error_condition: The switch value "error_code" cannot reach the default
case.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution
cannot reach this statement: "default:".
"""

This patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Simo Sorce
c6afc489a1 Add asn1c generated code for keytab controls
Instead of manually encoding controls, use an actual asn1 compiler.
The file asn1/asn1c/ipa.asn1 will contain ipa modules. The generated code
is committed to the tree and built into a static library that is linked
to the code that uses it.

The first module implements the GetKeytabControl control.

Related:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-20 10:52:13 -05:00
Simo Sorce
f352702d67 ipa-getkeytab: Add support for get_keytab extop
This new extended operation is tried by default and then the code falls
back to the old method if it fails. The new method allows for server
side password generation as well as retrieval of existing credentials
w/o causing regeneration of keys on the server.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
5c0e7a5fb4 keytab: Add new extended operation to get a keytab.
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
505bc85ec3 Move code into common krb5 utils
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.
2012-07-30 10:31:47 -04:00
Sumit Bose
ee936431c8 Move some krb5 keys related functions from ipa-client to util 2012-06-11 12:04:05 +02:00
Simo Sorce
452fcdccdc ipa-kdb: implement change_pwd function 2011-08-26 08:24:49 -04:00
Simo Sorce
7d41e7b4d4 ipa-pwd-extop: make encsalt parsing function common
It is going to be used by the ipa-kdb module too.
2011-08-26 08:24:49 -04:00
Simo Sorce
eed401306c ipa-pwd-extop: Move encoding in common too
Also to be used by ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
4928229093 ipa-pwd-extop: Move encryption of keys in common
This way we can reuse the same code from ipa-kdb later
2011-08-26 08:24:49 -04:00
Jakub Hrozek
3b7a86024b Use internal implementation of internal Kerberos functions
Don't use KRB5_PRIVATE.

The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
 * krb5_principal2salt_norealm
 * krb5_free_ktypes

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00