freeipa.git/util, branch pwdpolicy FreeIPA patches Build: transform util directory to libutil convenience library 2016-10-24T11:30:12+00:00 Petr Spacek pspacek@redhat.com 2016-10-11T13:41:46+00:00 b0cb6afa2308b9d96456f0355771ecbef0ca7263 This is autoconf way of doing things. It should allow us to enable subdir-objects automake option and stay compatible with future versions of automake. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
This is autoconf way of doing things. It should allow us to enable
subdir-objects automake option and stay compatible with future versions
of automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Migrate from #ifndef guards to #pragma once 2016-05-29T12:04:45+00:00 Nathaniel McCallum npmccallum@redhat.com 2016-05-24T14:18:43+00:00 4bafba06f2b8cc51cd95a725e1c8adf7bbf9a5fc Using a pragma instead of guards is easier to write, less error prone and avoids name clashes (a source of very subtle bugs). This pragma is supported on almost all compilers, including all the compilers we care about: https://en.wikipedia.org/wiki/Pragma_once#Portability. This patch does not change the autogenerated files: asn1/asn1c/*.h. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add compatibility function for older libkrb5 2015-05-30T16:24:15+00:00 Simo Sorce simo@redhat.com 2015-05-29T15:18:17+00:00 e2c2d5967d4dfd219cd6ab5fc6f3bc8094ba28a7 Before krb5 1.13 the krb5_salttype_to_string() function was returning incorrect names (display names of some kind instead of the names used by the rest of the library to map saltname to the salt type integer number). This patch adds a function that checks at runtime if we have a working function and uses a fallback map updated to the salt types known up to 1.12, this allows us to use the library provided function in following releases where new salt types may emerge. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Milan Kubik <mkubik@redhat.com> 
Before krb5 1.13 the krb5_salttype_to_string() function was returning
incorrect names (display names of some kind instead of the names
used by the rest of the library to map saltname to the salt type
integer number).
This patch adds a function that checks at runtime if we have a working
function and uses a fallback map updated to the salt types known up
to 1.12, this allows us to use the library provided function in
following releases where new salt types may emerge.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Milan Kubik <mkubik@redhat.com>
Detect default encsalts kadmin password change 2015-05-27T13:45:56+00:00 Simo Sorce simo@redhat.com 2015-04-04T14:53:52+00:00 d5b6c8360116857623b4b67a42ed3788df2ba24a When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com> 
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).

This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.

Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.

Fixes https://fedorahosted.org/freeipa/ticket/4914

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Stop including the DES algorythm from openssl. 2015-02-23T15:27:22+00:00 Simo Sorce simo@redhat.com 2015-02-20T13:52:24+00:00 8b199b813d8c9e59b514311a0c1fc16eb935ecb9 Since we dropped support for LANMAN hashes we do not need DES from OpenSSL anymore. Stop including an testing for it. Test for the MD4 algorythm instead whichis still used for the NT Hashes. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
Since we dropped support for LANMAN hashes we do not need DES from OpenSSL
anymore. Stop including an testing for it.
Test for the MD4 algorythm instead whichis still used for the NT Hashes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Add a clear OpenSSL exception. 2015-02-23T15:25:54+00:00 Simo Sorce simo@redhat.com 2015-02-20T13:46:40+00:00 d762f61d25508c1856c0fa7dc0ea1e032671542b We are linking with OpenSSL in 2 files, so make it clear we intentionally add a GPLv3 exception to allow that linking by third parties. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message 2015-01-30T10:02:16+00:00 Martin Babinsky mbabinsk@redhat.com 2015-01-28T15:21:15+00:00 98b1690a0e18f85560c092f8abac5f451bddf2e7 This patch is related this defect reported by covscan on FreeIPA master: """ Error: DEADCODE (CWE-561): /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != -1765328353L", taking false branch. Now the value of "error_code" is equal to -1765328353. /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != -1765328360L", taking false branch. Now the value of "error_code" is equal to -1765328360. /daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code != 0", taking false branch. Now the value of "error_code" is equal to 0. /daemons/ipa-kdb/ipa_kdb_audit_as.c:71: intervals: When switching on "error_code", the value of "error_code" must be in one of the following intervals: {[-1765328360,-1765328360], [-1765328353,-1765328353], [0,0]}. /daemons/ipa-kdb/ipa_kdb_audit_as.c:71: dead_error_condition: The switch value "error_code" cannot reach the default case. /daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution cannot reach this statement: "default:". """ This patch is a part of series related to https://fedorahosted.org/freeipa/ticket/4795. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This patch is related this defect reported by covscan on FreeIPA master:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code !=
-1765328353L", taking false branch. Now the value of "error_code" is equal to
-1765328353.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition
"error_code != -1765328360L", taking false branch. Now the value of
"error_code" is equal to -1765328360.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42:
cond_const: Condition "error_code != 0", taking false branch. Now the value of
"error_code" is equal to 0.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
intervals: When switching on "error_code", the value of "error_code" must be
in one of the following intervals: {[-1765328360,-1765328360],
[-1765328353,-1765328353], [0,0]}.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
dead_error_condition: The switch value "error_code" cannot reach the default
case.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution
cannot reach this statement: "default:".
"""

This patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix unchecked return value in krb5 common utils 2014-11-25T08:23:24+00:00 Jan Cholasta jcholast@redhat.com 2014-11-10T18:12:52+00:00 66a42e67f337c04fcbf0725ff0d324afe453bf8c https://fedorahosted.org/freeipa/ticket/4713 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add asn1c generated code for keytab controls 2014-11-20T15:52:13+00:00 Simo Sorce simo@redhat.com 2014-11-13T16:31:09+00:00 c6afc489a1c9d86fd593bd47c4a8dae6d9a008d2 Instead of manually encoding controls, use an actual asn1 compiler. The file asn1/asn1c/ipa.asn1 will contain ipa modules. The generated code is committed to the tree and built into a static library that is linked to the code that uses it. The first module implements the GetKeytabControl control. Related: https://fedorahosted.org/freeipa/ticket/4718 https://fedorahosted.org/freeipa/ticket/4728 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
Instead of manually encoding controls, use an actual asn1 compiler.
The file asn1/asn1c/ipa.asn1 will contain ipa modules. The generated code
is committed to the tree and built into a static library that is linked
to the code that uses it.

The first module implements the GetKeytabControl control.

Related:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
ipa-getkeytab: Add support for get_keytab extop 2014-06-26T08:30:53+00:00 Simo Sorce simo@redhat.com 2013-09-19T16:50:35+00:00 f352702d6785fc5f59698dba73d415f994b4ce7d This new extended operation is tried by default and then the code falls back to the old method if it fails. The new method allows for server side password generation as well as retrieval of existing credentials w/o causing regeneration of keys on the server. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> 
This new extended operation is tried by default and then the code falls
back to the old method if it fails. The new method allows for server
side password generation as well as retrieval of existing credentials
w/o causing regeneration of keys on the server.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>