authorSimo Sorce <simo@redhat.com>2015-04-04 10:53:52 -0400
committerSimo Sorce <simo@redhat.com>2015-05-27 09:45:56 -0400
commitd5b6c8360116857623b4b67a42ed3788df2ba24a (patch)
tree2c3f7a30cc26d0f28a84c30304480804baf3546e /util
parent01fa05dd4ec7bd79abee8df0dd3642eabf138bcf (diff)
Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts from the password policy. Failure to provide them will result in kadmin using the defaults specified in the kdc.conf file or hardcoded defaults (the default salt is then of type NORMAL). This patch provides the supported values that have been read out of the appropriate LDAP attribute when we read the server configuration. Then at actual password change, check if kadmin is handing us back the exact list of supported encsalts we sent it, and in that case replace it with the real default encsalts. Fixes https://fedorahosted.org/freeipa/ticket/4914 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'util')
-rw-r--r--util/ipa_krb5.c85
-rw-r--r--util/ipa_krb5.h2
2 files changed, 87 insertions, 0 deletions
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index feb23eae9..65e10dd40 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -1075,3 +1075,88 @@ int create_keys(krb5_context krbctx,
return nkeys;
}
+int ipa_kstuples_to_string(krb5_key_salt_tuple *kst, int n_kst, char **str)
+{
+ char *buf = NULL;
+ char *tmp;
+ int buf_avail;
+ int buf_size;
+ int buf_cur;
+ int len;
+ int ret = 0;
+ int i;
+
+ buf_size = 512; /* should be enough for the default supported enctypes */
+ buf = malloc(buf_size);
+ if (!buf) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ buf_cur = 0;
+ for (i = 0; i < n_kst; i++) {
+ /* grow if too tight */
+ if (ret == ENOMEM) {
+ buf_size *= 2;
+ /* hard limit at 8k, do not eat all memory by mistake */
+ if (buf_size > 8192) goto done;
+ tmp = realloc(buf, buf_size);
+ if (!tmp) {
+ ret = ENOMEM;
+ goto done;
+ }
+ buf = tmp;
+ }
+
+ buf_avail = buf_size - buf_cur;
+ len = 0;
+
+ /* append separator if necessary */
+ if (buf_cur > 0) {
+ buf[buf_cur] = ',';
+ len++;
+ }
+
+ ret = krb5_enctype_to_name(kst[i].ks_enctype, 0,
+ &buf[buf_cur + len], buf_avail - len);
+ if (ret == ENOMEM) {
+ i--;
+ continue;
+ } else if (ret != 0) {
+ goto done;
+ }
+
+ len += strlen(&buf[buf_cur + len]);
+ buf[buf_cur + len] = ':';
+ len++;
+
+ ret = krb5_salttype_to_string(kst[i].ks_salttype,
+ &buf[buf_cur + len], buf_avail - len);
+ if (ret == ENOMEM) {
+ i--;
+ continue;
+ } else if (ret != 0) {
+ goto done;
+ }
+
+ len += strlen(&buf[buf_cur + len]);
+
+ if (buf_avail - len < 2) {
+ ret = ENOMEM;
+ i--;
+ continue;
+ }
+
+ buf_cur += len;
+ }
+
+ buf[buf_cur] = '\0';
+ *str = buf;
+ ret = 0;
+
+done:
+ if (ret) {
+ free(buf);
+ }
+ return ret;
+}
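Review bot: ipa_kstuples_to_string is a new exported function (declared in util/ipa_krb5.h in the second hunk) but carries no comment stating its contract: `*str` is heap-allocated and the caller must free() it, `*str` is left untouched when a non-zero code is returned, and ENOMEM is returned not only on a failed malloc/realloc but also when the rendered list would exceed the 8192-byte cap at `if (buf_size > 8192) goto done;`, so a caller cannot tell the two apart. A short block comment on the definition (and on the header declaration) saying exactly that would do; if the cap case matters to callers, returning a distinct code such as `E2BIG` there would let them distinguish it. Since the loop only reads `kst[i].ks_enctype` and `kst[i].ks_salttype`, the parameter could also be `const krb5_key_salt_tuple *kst` in both the definition and the header. As a point of style, reusing `ret` as the grow flag together with the `i--; continue;` retry is hard to follow; a dedicated `need_grow` flag or a `retry:` label would make the intent explicit without changing behaviour.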
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
index 2153bd571..c2a0dde2d 100644
--- a/util/ipa_krb5.h
+++ b/util/ipa_krb5.h
@@ -81,4 +81,6 @@ int create_keys(krb5_context krbctx,
const char *enctypes_string,
struct keys_container *keys,
char **err_msg);
+
+int ipa_kstuples_to_string(krb5_key_salt_tuple *kst, int n_kst, char **str);
#endif /* __IPA_KRB5_H_ */