freeipa.git/daemons/ipa-slapi-plugins/libotp, branch coverity FreeIPA patches Fix an integer underflow bug in libotp 2015-09-29T13:16:09+00:00 Nathaniel McCallum npmccallum@redhat.com 2015-09-25T15:35:03+00:00 9e3eeadeb3120f3577e00ab9cb410eccf8d71de0 Temporarily storing the offset time in an unsigned integer causes the value of the offset to underflow when a (valid) negative offset value is generated. Using a signed variable avoids this problem. https://fedorahosted.org/freeipa/ticket/5333 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.

https://fedorahosted.org/freeipa/ticket/5333

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Fix a signedness bug in OTP code 2015-05-05T09:50:20+00:00 Nathaniel McCallum npmccallum@redhat.com 2015-04-27T14:23:49+00:00 978298882b06dcf8a86a8d6ec60d7f1266aac697 This bug caused negative token windows to wrap-around, causing issues with TOTP authentication and (especially) synchronization. https://fedorahosted.org/freeipa/ticket/4990 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
This bug caused negative token windows to wrap-around, causing issues
with TOTP authentication and (especially) synchronization.

https://fedorahosted.org/freeipa/ticket/4990

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
OTP: emit a log message when LDAP entry for config record is not found 2015-01-30T10:02:16+00:00 Martin Babinsky mbabinsk@redhat.com 2015-01-28T15:28:50+00:00 782ad366390e1672ebe3584b2c88f58d757e38b3 This patch proposes a fix to the following defect found by covscan of FreeIPA master code: """ Error: CHECKED_RETURN (CWE-252): /daemons/ipa-slapi-plugins/libotp/otp_config.c:239: check_return: Calling "slapi_search_internal_get_entry" without checking return value (as is done elsewhere 14 out of 16 times). /daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402: example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc = slapi_search_internal_get_entry(sdn, NULL, &config_entry, ipaenrollment_plugin_id)) != 0". /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign: Example 2: Assigning: "ret" = return value from "slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())". /daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked: Example 2 (cont.): "ret" has its value checked in "ret". /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example 3: Assigning: "search_result" = return value from "slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)". /daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked: Example 3 (cont.): "search_result" has its value checked in "search_result != 0". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign: Example 4: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target, ipapwd_plugin_id)". /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039: example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5: Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn, NULL, &e, getPluginID())". /daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5 (cont.): "ret" has its value checked in "ret == 10". """ The patch is a part of series related to https://fedorahosted.org/freeipa/ticket/4795 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This patch proposes a fix to the following defect found by covscan of FreeIPA
master code:

"""
Error: CHECKED_RETURN (CWE-252):
/daemons/ipa-slapi-plugins/libotp/otp_config.c:239: check_return: Calling
"slapi_search_internal_get_entry" without checking return value (as is done
elsewhere 14 out of 16 times).
/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c:402:
example_checked: Example 1: "slapi_search_internal_get_entry(sdn, NULL,
&config_entry, ipaenrollment_plugin_id)" has its value checked in "(rc =
slapi_search_internal_get_entry(sdn, NULL, &config_entry,
ipaenrollment_plugin_id)) != 0".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:207: example_assign:
Example 2: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(sdn, NULL, &config_entry, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c:212: example_checked:
Example 2 (cont.): "ret" has its value checked in "ret".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:651: example_assign: Example
3: Assigning: "search_result" = return value from
"slapi_search_internal_get_entry(sdn, attrlist, e2, ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c:653: example_checked:
Example 3 (cont.): "search_result" has its value checked in "search_result !=
0".  /daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1035: example_assign:
Example 4: Assigning: "ret" = return value from
"slapi_search_internal_get_entry(tmp_dn, NULL, &pwdop->pwdata.target,
ipapwd_plugin_id)".
/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c:1039:
example_checked: Example 4 (cont.): "ret" has its value checked in "ret != 0".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:817: example_assign: Example 5:
Assigning: "ret" = return value from "slapi_search_internal_get_entry(tmp_dn,
NULL, &e, getPluginID())".
/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c:820: example_checked: Example 5
(cont.): "ret" has its value checked in "ret == 10".
"""

The patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Make token auth and sync windows configurable 2014-12-05T12:42:19+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-11T19:41:42+00:00 9baa93da1cbf56c2a6f7e82e099bc3ff3f19e2e4 This introduces two new CLI commands: * otpconfig-show * otpconfig-mod https://fedorahosted.org/freeipa/ticket/4511 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod

https://fedorahosted.org/freeipa/ticket/4511

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Move authentication configuration cache into libotp 2014-12-03T07:48:56+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-11T03:46:44+00:00 953c6846b7cb8d75253538ab92a1360fceee0c3c This enables plugins to share authentication configuration cache code. Additionally, update the caching mechanism to be declarative and faster. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
This enables plugins to share authentication configuration cache code.

Additionally, update the caching mechanism to be declarative and faster.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Preliminary refactoring of libotp files 2014-12-03T07:48:56+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-11-11T01:58:20+00:00 bdccb0c721283f17a48423ab562ab5515ecd7f8e There are no major changes in this commit other than changing filenames and symbols to have consistent namespaces. This prepares for larger changes to come in subsequent commits. Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
There are no major changes in this commit other than changing filenames
and symbols to have consistent namespaces. This prepares for larger
changes to come in subsequent commits.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Move OTP synchronization step to after counter writeback 2014-09-30T14:19:06+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-09-19T16:18:34+00:00 915837c14af5f0839d1d08683ea8332334e284ba This prevents synchronization when an authentication collision occurs. https://fedorahosted.org/freeipa/ticket/4493 Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com> 
This prevents synchronization when an authentication collision occurs.

https://fedorahosted.org/freeipa/ticket/4493

Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
Use stack allocation when writing values during otp auth 2014-09-30T06:27:47+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-09-19T16:17:32+00:00 35ec0f7e3d9832c9b687bb01561a10e0304dfa74 Reviewed-By: Thierry Bordaz <tbordaz@redhat.com> 
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Add TOTP watermark support 2014-07-25T08:41:17+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-07-11T16:29:58+00:00 d3638438fce1a9d1e07c2be3b8f43befb07a6b40 This prevents the reuse of TOTP tokens by recording the last token interval that was used. This will be replicated as normal. However, this patch does not increase the number of writes to the database in the standard authentication case. This is because it also eliminates an unnecessary write during authentication. Hence, this patch should be write-load neutral with the existing code. Further performance enhancement is desired, but is outside the scope of this patch. https://fedorahosted.org/freeipa/ticket/4410 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.

Further performance enhancement is desired, but is outside the
scope of this patch.

https://fedorahosted.org/freeipa/ticket/4410

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Change OTPSyncRequest structure to use OctetString 2014-06-25T12:22:01+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-05-23T17:01:59+00:00 7b15fcd57b06482be36e95e50cbec596777955b4 This change has two motivations: 1. Clients don't have to parse the string. 2. Future token types may have new formats. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This change has two motivations:
  1. Clients don't have to parse the string.
  2. Future token types may have new formats.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>