authorSimo Sorce <simo@redhat.com>2014-06-26 11:43:47 -0400
committerMartin Kosek <mkosek@redhat.com>2014-06-27 10:03:23 +0200
commitd9d5967f7e1a11d77dee4bba00f10763b8ac2ec5 (patch)
tree39733e0c31483f1640841bf1e185d14f81b1b125
parent0d219379954d311f3cac0007386dc0e21c8ec432 (diff)
Fix getkeytab code to always use implicit tagging.
A mixture of implicit and explicit tagging was being used, and this caused a bug in retrieving the enctype number due to the way ber_scanf() loosely treats sequences and explicit tagging. The ASN.1 notation used to describe the getkeytab operation uses implicit tagging, so by changing the code we simply follow the specified encoding. Resolves: https://fedorahosted.org/freeipa/ticket/4404 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c10
-rw-r--r--ipa-client/ipa-getkeytab.c8
2 files changed, 9 insertions, 9 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 90a92f1ef..ca021cac7 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1073,7 +1073,7 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset,
for (int i = 0; i < kset->num_keys; i++) {
rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]);
- if (rc == -1) {
+ if (rc == -1) {
rc = LDAP_OPERATIONS_ERROR;
LOG_FATAL("Failed to ber_printf the enctype");
goto done;
@@ -1328,7 +1328,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
}
/* ber parse code */
- ttag = ber_scanf(ber, "{t[a]", &ctag, &svcname);
+ ttag = ber_scanf(ber, "{ta", &ctag, &svcname);
if (ttag == LBER_ERROR || ctag != GKREQ_SVCNAME_TAG) {
LOG_FATAL("ber_scanf failed to decode service name\n");
err_msg = "Invalid payload.\n";
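Review bot: The decoder now accepts only the implicit form `{ta`, so a request from a client still emitting the earlier `t[s]` encoding (the removed line in ipa-client/ipa-getkeytab.c) will no longer decode as intended here, and the `ctag` comparison may not catch it. If any released client used the old encoding, this needs a compatibility note or an explicit rejection path. Either way, a comment above the call would record the wire format, e.g. `/* IMPLICIT tagging: 't' peeks the context tag, 'a' reads the string carrying it */`. The body of decode_getkeytab_request starts and ends outside this hunk.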
@@ -1378,7 +1378,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,
/* ttag peek done as last step of the previous for loop */
if (ttag == GKREQ_PASSWORD_TAG) {
/* optional password present */
- ttag = ber_scanf(ber, "[a]", &password);
+ ttag = ber_scanf(ber, "a", &password);
if (ttag == LBER_ERROR) {
LOG_FATAL("ber_scanf failed to decode password\n");
err_msg = "Invalid payload.\n";
@@ -1494,7 +1494,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
}
rc = ber_printf(ber,
- "{t[{t[i]t[o]}]",
+ "{t{tito}",
GKREP_KEY_TAG,
GKREP_KEYTYPE_TAG,
(ber_int_t)keys[i].key_data_type[0],
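Review bot: The format string `{t{tito}` at this ber_printf call is hard to check against the ASN.1 definition by eye, and the commit message attributes the original bug to exactly this kind of tagging confusion. A comment above the call would help, e.g. `/* IMPLICIT tags: each 't' sets the tag of the element that follows; no '[' ']' wrappers */`. The same applies to the salt encoding `t{tito}` in the next hunk. The outer `{` opened here is presumably closed later in encode_getkeytab_reply, outside the hunk.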
@@ -1509,7 +1509,7 @@ static int encode_getkeytab_reply(krb5_context krbctx,
/* if salt available, add it */
if (keys[i].key_data_length[1] != 0) {
rc = ber_printf(ber,
- "t[{t[i]t[o]}]",
+ "t{tito}",
GKREP_SALT_TAG,
GKREP_SALTTYPE_TAG,
(ber_int_t)keys[i].key_data_type[1],
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 74a8800bc..d0e975f1a 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -503,7 +503,7 @@ static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
ctag = GK_REQUEST_CURKEYS;
}
- ret = ber_printf(be, "t{t[s]", ctag, GKREQ_SVCNAME_TAG, svc_princ);
+ ret = ber_printf(be, "t{ts", ctag, GKREQ_SVCNAME_TAG, svc_princ);
if (ret == -1) {
ber_free(be, 1);
goto done;
@@ -530,7 +530,7 @@ static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,
}
if (password) {
- ret = ber_printf(be, "t[s]", GKREQ_PASSWORD_TAG, password);
+ ret = ber_printf(be, "ts", GKREQ_PASSWORD_TAG, password);
if (ret == -1) {
ber_free(be, 1);
goto done;
@@ -642,7 +642,7 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
memset(&keys->ksdata[i], 0, sizeof(struct krb_key_salt));
keys->nkeys = i + 1;
- rtag = ber_scanf(ber, "{t{[i][o]}]", &ctag, &tint, &tbval);
+ rtag = ber_scanf(ber, "{t{io}", &ctag, &tint, &tbval);
if (rtag == LBER_ERROR || ctag != GKREP_KEY_TAG) {
*err_msg = _("Failed to parse enctype in key data!\n");
ret = LDAP_OPERATIONS_ERROR;
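Review bot: With `{t{io}` only the outer tag is checked (`ctag != GKREP_KEY_TAG`); the tags on the enctype integer and the key octet string are never captured, so, given how loosely ber_scanf treats tags, a reply with the wrong inner tags still parses as key material. Consider peeking them as well, e.g. `rtag = ber_scanf(ber, "{t{tito}", &ctag, &ktag, &tint, &vtag, &tbval);` with two new `ber_tag_t` locals, and then comparing `ktag` with GKREP_KEYTYPE_TAG and `vtag` with the key-contents tag. The salt hunk that follows (`t{io}`) has the same gap and additionally never compares `ctag` after the call. ldap_get_keytab continues outside this hunk, so the handling of `tbval` afterwards is not visible here.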
@@ -662,7 +662,7 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,
rtag = ber_peek_tag(ber, &tlen);
if (rtag == GKREP_SALT_TAG) {
- rtag = ber_scanf(ber, "t{[i][o]}", &ctag, &tint, &tbval);
+ rtag = ber_scanf(ber, "t{io}", &ctag, &tint, &tbval);
if (rtag == LBER_ERROR) {
*err_msg = _("Failed to parse salt in key data!\n");
ret = LDAP_OPERATIONS_ERROR;