diff options
author | Simo Sorce <ssorce@redhat.com> | 2011-06-20 11:55:13 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2011-08-26 08:24:49 -0400 |
commit | eed401306c400ae938e2d328de22da6f729c8f3f (patch) | |
tree | 0d80aaf819a5d45a9ca1cb086f01624c35ddaa23 /daemons/ipa-slapi-plugins/ipa-pwd-extop | |
parent | 49282290938c735c566c7d0abf57c67b69945cce (diff) | |
download | freeipa-eed401306c400ae938e2d328de22da6f729c8f3f.tar.gz freeipa-eed401306c400ae938e2d328de22da6f729c8f3f.tar.xz freeipa-eed401306c400ae938e2d328de22da6f729c8f3f.zip |
ipa-pwd-extop: Move encoding in common too
Also to be used by ipa-kdb
Diffstat (limited to 'daemons/ipa-slapi-plugins/ipa-pwd-extop')
4 files changed, 50 insertions, 202 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index 1daf942da..cc041aa4f 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -2,13 +2,14 @@ NULL = PLUGIN_COMMON_DIR=../common KRB5_UTIL_DIR= ../../../util -KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c +KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c INCLUDES = \ -I. \ -I$(srcdir) \ -I$(PLUGIN_COMMON_DIR) \ -I$(KRB5_UTIL_DIR) \ + -I$(COMMON_BER_DIR) \ -DPREFIX=\""$(prefix)"\" \ -DBINDIR=\""$(bindir)"\" \ -DLIBDIR=\""$(libdir)"\" \ diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 9ce497746..68d1703b5 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -86,13 +86,14 @@ Slapi_PluginDesc ipapwd_plugin_desc = { void *ipapwd_plugin_id; -static int filter_keys(struct ipapwd_krbcfg *krbcfg, struct ipapwd_keyset *kset) +static int filter_keys(struct ipapwd_krbcfg *krbcfg, + struct ipapwd_keyset *kset) { int i, j; for (i = 0; i < kset->num_keys; i++) { for (j = 0; j < krbcfg->num_supp_encsalts; j++) { - if (kset->keys[i].ekey->type == + if (kset->keys[i].key_data_type[0] == krbcfg->supp_encsalts[j].ks_enctype) { break; } @@ -100,15 +101,8 @@ static int filter_keys(struct ipapwd_krbcfg *krbcfg, struct ipapwd_keyset *kset) if (j == krbcfg->num_supp_encsalts) { /* not valid */ /* free key */ - if (kset->keys[i].ekey) { - free(kset->keys[i].ekey->value.bv_val); - free(kset->keys[i].ekey); - } - if (kset->keys[i].salt) { - free(kset->keys[i].salt->value.bv_val); - free(kset->keys[i].salt); - } - free(kset->keys[i].s2kparams.bv_val); + free(kset->keys[i].key_data_contents[0]); + free(kset->keys[i].key_data_contents[1]); /* move all remaining keys up by one */ kset->num_keys -= 1; @@ -672,6 +666,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) kset = malloc(sizeof(struct ipapwd_keyset)); if (!kset) { LOG_OOM(); + rc = LDAP_OPERATIONS_ERROR; goto free_and_return; } @@ -679,7 +674,6 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) /* major-vno = 1 and minor-vno = 1 */ kset->major_vno = 1; kset->minor_vno = 1; - kset->kvno = kvno; kset->mkvno = krbcfg->mkvno; kset->keys = NULL; @@ -687,6 +681,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) rtag = ber_peek_tag(ber, &tlen); while (rtag == LBER_SEQUENCE) { + krb5_key_data *newset; krb5_data plain; krb5_enc_data cipher; struct berval tval; @@ -696,28 +691,18 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) i = kset->num_keys; - if (kset->keys) { - struct ipapwd_krbkey *newset; - - newset = realloc(kset->keys, sizeof(struct ipapwd_krbkey) * (i + 1)); - if (!newset) { - LOG_OOM(); - goto free_and_return; - } - kset->keys = newset; - } else { - kset->keys = malloc(sizeof(struct ipapwd_krbkey)); - if (!kset->keys) { - LOG_OOM(); - goto free_and_return; - } + newset = realloc(kset->keys, sizeof(krb5_key_data) * (i + 1)); + if (!newset) { + LOG_OOM(); + goto free_and_return; } + kset->keys = newset; + kset->num_keys += 1; - kset->keys[i].salt = NULL; - kset->keys[i].ekey = NULL; - kset->keys[i].s2kparams.bv_len = 0; - kset->keys[i].s2kparams.bv_val = NULL; + memset(&kset->keys[i], 0, sizeof(krb5_key_data)); + kset->keys[i].key_data_ver = 1; + kset->keys[i].key_data_kvno = kvno; /* EncryptionKey */ rtag = ber_scanf(ber, "{t[{t[i]t[o]}]", &ttmp, &ttmp, &tint, &ttmp, &tval); @@ -728,13 +713,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) goto free_and_return; } - kset->keys[i].ekey = calloc(1, sizeof(struct ipapwd_krbkeydata)); - if (!kset->keys[i].ekey) { - LOG_OOM(); - goto free_and_return; - } - - kset->keys[i].ekey->type = tint; + kset->keys[i].key_data_type[0] = tint; plain.length = tval.bv_len; plain.data = tval.bv_val; @@ -755,8 +734,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) t = htole16(plain.length); memcpy(kdata, &t, 2); - kset->keys[i].ekey->value.bv_len = 2 + klen; - kset->keys[i].ekey->value.bv_val = (char *)kdata; + kset->keys[i].key_data_length[0] = 2 + klen; + kset->keys[i].key_data_contents[0] = (krb5_octet *)kdata; cipher.ciphertext.length = klen; cipher.ciphertext.data = (char *)kdata + 2; @@ -768,7 +747,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) goto free_and_return; } - free(tval.bv_val); + ber_memfree(tval.bv_val); rtag = ber_peek_tag(ber, &tlen); @@ -783,13 +762,8 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) goto free_and_return; } - kset->keys[i].salt = calloc(1, sizeof(struct ipapwd_krbkeydata)); - if (!kset->keys[i].salt) { - LOG_OOM(); - goto free_and_return; - } - - kset->keys[i].salt->type = tint; + kset->keys[i].key_data_ver = 2; /* we have a salt */ + kset->keys[i].key_data_type[1] = tint; rtag = ber_peek_tag(ber, &tlen); if (rtag == (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1)) { @@ -802,7 +776,16 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) goto free_and_return; } - kset->keys[i].salt->value = tval; + kset->keys[i].key_data_length[1] = tval.bv_len; + kset->keys[i].key_data_contents[1] = malloc(tval.bv_len); + if (!kset->keys[i].key_data_contents[1]) { + LOG_OOM(); + rc = LDAP_OPERATIONS_ERROR; + goto free_and_return; + } + memcpy(kset->keys[i].key_data_contents[1], + tval.bv_val, tval.bv_len); + ber_memfree(tval.bv_val); rtag = ber_peek_tag(ber, &tlen); } @@ -866,9 +849,10 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "krbPasswordExpiration", timestr); #endif - bval = encode_keys(kset); - if (!bval) { - LOG_FATAL("encoding asn1 KrbSalt failed\n"); + ret = ber_encode_krb5_key_data(kset->keys, kset->num_keys, + kset->mkvno, &bval); + if (ret != 0) { + LOG_FATAL("encoding krb5_key_data failed\n"); slapi_mods_free(&smods); goto free_and_return; } @@ -954,7 +938,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) } for (i = 0; i < kset->num_keys; i++) { - ret = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].ekey->type); + ret = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]); if (ret == -1) { goto free_and_return; } diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h index 904995eca..7d81bda3d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h @@ -53,12 +53,15 @@ #include <ssl.h> #include <dirsrv/slapi-plugin.h> #include <krb5.h> +#include <kdb.h> #include <lber.h> #include <time.h> #include <iconv.h> #include <openssl/des.h> #include <openssl/md4.h> +#include "ipa_krb5.h" + #define IPAPWD_PLUGIN_NAME "ipa-pwd-extop" #define IPAPWD_FEATURE_DESC "IPA Password Manager" #define IPAPWD_PLUGIN_DESC "IPA Password Extended Operation plugin" @@ -132,25 +135,14 @@ void ipapwd_free_slapi_value_array(Slapi_Value ***svals); void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg); /* from ipapwd_encoding.c */ -struct ipapwd_krbkeydata { - int32_t type; - struct berval value; -}; -struct ipapwd_krbkey { - struct ipapwd_krbkeydata *salt; - struct ipapwd_krbkeydata *ekey; - struct berval s2kparams; -}; struct ipapwd_keyset { uint16_t major_vno; uint16_t minor_vno; - uint32_t kvno; uint32_t mkvno; - struct ipapwd_krbkey *keys; + krb5_key_data *keys; int num_keys; }; -struct berval *encode_keys(struct ipapwd_keyset *kset); void ipapwd_keyset_free(struct ipapwd_keyset **pkset); int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c index a1b0e99f5..ea01ab865 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c @@ -72,36 +72,6 @@ #define KTF_DISALLOW_SVR 0x00001000 #define KTF_PWCHANGE_SERVICE 0x00002000 -/* Novell key-format scheme: - - KrbKeySet ::= SEQUENCE { - attribute-major-vno [0] UInt16, - attribute-minor-vno [1] UInt16, - kvno [2] UInt32, - mkvno [3] UInt32 OPTIONAL, - keys [4] SEQUENCE OF KrbKey, - ... - } - - KrbKey ::= SEQUENCE { - salt [0] KrbSalt OPTIONAL, - key [1] EncryptionKey, - s2kparams [2] OCTET STRING OPTIONAL, - ... - } - - KrbSalt ::= SEQUENCE { - type [0] Int32, - salt [1] OCTET STRING OPTIONAL - } - - EncryptionKey ::= SEQUENCE { - keytype [0] Int32, - keyvalue [1] OCTET STRING - } - - */ - /* ascii hex output of bytes in "in" * out len is 32 (preallocated) * in len is 16 */ @@ -116,99 +86,6 @@ static void hexbuf(char *out, const uint8_t *in) } } -struct berval *encode_keys(struct ipapwd_keyset *kset) -{ - BerElement *be = NULL; - struct berval *bval = NULL; - int ret, i; - - be = ber_alloc_t(LBER_USE_DER); - - if (!be) { - LOG_OOM(); - return NULL; - } - - ret = ber_printf(be, "{t[i]t[i]t[i]t[i]t[{", - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), - kset->major_vno, - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), - kset->minor_vno, - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2), - kset->kvno, - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 3), - kset->mkvno, - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 4)); - if (ret == -1) { - LOG_FATAL("encoding asn1 vno info failed\n"); - goto done; - } - - for (i = 0; i < kset->num_keys; i++) { - - ret = ber_printf(be, "{"); - if (ret == -1) { - LOG_FATAL("encoding asn1 EncryptionKey failed\n"); - goto done; - } - - if (kset->keys[i].salt) { - ret = ber_printf(be, "t[{t[i]", - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), - kset->keys[i].salt->type); - if ((ret != -1) && kset->keys[i].salt->value.bv_len) { - ret = ber_printf(be, "t[o]", - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), - kset->keys[i].salt->value.bv_val, - kset->keys[i].salt->value.bv_len); - } - if (ret != -1) { - ret = ber_printf(be, "}]"); - } - if (ret == -1) { - goto done; - } - } - - ret = ber_printf(be, "t[{t[i]t[o]}]", - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 0), - kset->keys[i].ekey->type, - (ber_tag_t)(LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 1), - kset->keys[i].ekey->value.bv_val, - kset->keys[i].ekey->value.bv_len); - if (ret == -1) { - LOG_FATAL("encoding asn1 EncryptionKey failed\n"); - goto done; - } - - /* FIXME: s2kparams not supported yet */ - - ret = ber_printf(be, "}"); - if (ret == -1) { - LOG_FATAL("encoding asn1 EncryptionKey failed\n"); - goto done; - } - } - - ret = ber_printf(be, "}]}"); - if (ret == -1) { - LOG_FATAL("encoding asn1 end of sequences failed\n"); - goto done; - } - - ret = ber_flatten(be, &bval); - if (ret == -1) { - LOG_FATAL("flattening asn1 failed\n"); - goto done; - } -done: - ber_free(be, 1); - - return bval; -} - void ipapwd_keyset_free(struct ipapwd_keyset **pkset) { struct ipapwd_keyset *kset = *pkset; @@ -217,15 +94,8 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset) if (!kset) return; for (i = 0; i < kset->num_keys; i++) { - if (kset->keys[i].salt) { - free(kset->keys[i].salt->value.bv_val); - free(kset->keys[i].salt); - } - if (kset->keys[i].ekey) { - free(kset->keys[i].ekey->value.bv_val); - free(kset->keys[i].ekey); - } - free(kset->keys[i].s2kparams.bv_val); + free(kset->keys[i].key_data_contents[0]); + free(kset->keys[i].key_data_contents[1]); } free(kset->keys); free(kset); @@ -285,7 +155,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, kset->major_vno = 1; kset->minor_vno = 1; /* increment kvno (will be 1 if this is a new entry) */ - kset->kvno = kvno + 1; + kvno += 1; kset->mkvno = krbcfg->mkvno; krberr = ipa_krb5_generate_key_data(krbctx, princ, @@ -299,9 +169,10 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg, goto enc_error; } - bval = encode_keys(kset); - if (!bval) { - LOG_FATAL("encoding asn1 KrbSalt failed\n"); + krberr = ber_encode_krb5_key_data(kset->keys, kset->num_keys, + kset->mkvno, &bval); + if (krberr != 0) { + LOG_FATAL("encoding krb5_key_data failed\n"); goto enc_error; } |