diff options
| author | Simo Sorce <simo@redhat.com> | 2015-04-04 10:53:52 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2015-05-27 09:45:56 -0400 |
| commit | d5b6c8360116857623b4b67a42ed3788df2ba24a (patch) | |
| tree | 2c3f7a30cc26d0f28a84c30304480804baf3546e /util | |
| parent | 01fa05dd4ec7bd79abee8df0dd3642eabf138bcf (diff) | |
| download | freeipa-d5b6c8360116857623b4b67a42ed3788df2ba24a.tar.gz freeipa-d5b6c8360116857623b4b67a42ed3788df2ba24a.tar.xz freeipa-d5b6c8360116857623b4b67a42ed3788df2ba24a.zip | |
Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).
This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.
Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.
Fixes https://fedorahosted.org/freeipa/ticket/4914
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'util')
| -rw-r--r-- | util/ipa_krb5.c | 85 | ||||
| -rw-r--r-- | util/ipa_krb5.h | 2 |
2 files changed, 87 insertions, 0 deletions
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c index feb23eae9..65e10dd40 100644 --- a/util/ipa_krb5.c +++ b/util/ipa_krb5.c @@ -1075,3 +1075,88 @@ int create_keys(krb5_context krbctx, return nkeys; } +int ipa_kstuples_to_string(krb5_key_salt_tuple *kst, int n_kst, char **str) +{ + char *buf = NULL; + char *tmp; + int buf_avail; + int buf_size; + int buf_cur; + int len; + int ret = 0; + int i; + + buf_size = 512; /* should be enough for the default supported enctypes */ + buf = malloc(buf_size); + if (!buf) { + ret = ENOMEM; + goto done; + } + + buf_cur = 0; + for (i = 0; i < n_kst; i++) { + /* grow if too tight */ + if (ret == ENOMEM) { + buf_size *= 2; + /* hard limit at 8k, do not eat all memory by mistake */ + if (buf_size > 8192) goto done; + tmp = realloc(buf, buf_size); + if (!tmp) { + ret = ENOMEM; + goto done; + } + buf = tmp; + } + + buf_avail = buf_size - buf_cur; + len = 0; + + /* append separator if necessary */ + if (buf_cur > 0) { + buf[buf_cur] = ','; + len++; + } + + ret = krb5_enctype_to_name(kst[i].ks_enctype, 0, + &buf[buf_cur + len], buf_avail - len); + if (ret == ENOMEM) { + i--; + continue; + } else if (ret != 0) { + goto done; + } + + len += strlen(&buf[buf_cur + len]); + buf[buf_cur + len] = ':'; + len++; + + ret = krb5_salttype_to_string(kst[i].ks_salttype, + &buf[buf_cur + len], buf_avail - len); + if (ret == ENOMEM) { + i--; + continue; + } else if (ret != 0) { + goto done; + } + + len += strlen(&buf[buf_cur + len]); + + if (buf_avail - len < 2) { + ret = ENOMEM; + i--; + continue; + } + + buf_cur += len; + } + + buf[buf_cur] = '\0'; + *str = buf; + ret = 0; + +done: + if (ret) { + free(buf); + } + return ret; +} diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h index 2153bd571..c2a0dde2d 100644 --- a/util/ipa_krb5.h +++ b/util/ipa_krb5.h @@ -81,4 +81,6 @@ int create_keys(krb5_context krbctx, const char *enctypes_string, struct keys_container *keys, char **err_msg); + +int ipa_kstuples_to_string(krb5_key_salt_tuple *kst, int n_kst, char **str); #endif /* __IPA_KRB5_H_ */ |