-rw-r--r-- | configure.ac | 21 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.c | 42 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.h | 2 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 42 | ||||
-rw-r--r-- | freeipa.spec.in | 8 |
5 files changed, 95 insertions, 20 deletions
diff --git a/configure.ac b/configure.ac
index a79504372..44dc11b51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,27 @@ krb5rundir="${localstatedir}/run/krb5kdc"
 AC_SUBST(KRAD_LIBS)
 AC_SUBST(krb5rundir)
 
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+    [kdb_vftabl.free_principal],
+    [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1],
+               [KDB driver API has free_principal callback])],
+    [AC_MSG_NOTICE([KDB driver API has no free_principal callback])],
+    [[#include <kdb.h>]])
+AC_CHECK_MEMBER(
+    [kdb_vftabl.free_principal_e_data],
+    [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+               [KDB driver API has free_principal_e_data callback])],
+    [AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+    [[#include <kdb.h>]])
+
+if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \
+   -a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then
+    AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.])
+    AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use])
+    AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details])
+fi
+
 dnl ---------------------------------------------------------------------------
 dnl - Check for OpenLDAP SDK
 dnl ---------------------------------------------------------------------------
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e96353fe2..e74ab5627 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,6 +625,9 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+/* We explicitly want to keep different ABI tables below separate. */
+/* Do not merge them together. Older ABI does not need to be updated */
+
 #if KRB5_KDB_DAL_MAJOR_VERSION == 5
 kdb_vftabl kdb_function_table = {
     .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
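Review bot: The second operand of the new `if test` reads `$ac_cv_member_kdb_vftable_free_principal_e_data` (vftable), but the cache variable that AC_CHECK_MEMBER sets for `kdb_vftabl.free_principal_e_data` is named after the struct tag actually probed, `ac_cv_member_kdb_vftabl_free_principal_e_data` (vftabl, as in the first operand). The misspelled variable is always empty, so the `= "xno"` comparison never holds and the three AC_MSG_WARN lines about the principal-data memory leak can never be emitted. The line should read `-a "x$ac_cv_member_kdb_vftabl_free_principal_e_data" = "xno" ; then`. HAVE_KDB_FREEPRINCIPAL is defined here but none of the C hunks in this diff reference it; if nothing outside the diff uses it either, the first AC_CHECK_MEMBER only feeds this warning.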
@@ -657,8 +660,9 @@ kdb_vftabl kdb_function_table = {
     .audit_as_req = ipadb_audit_as_req,
     .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
+#endif
 
-#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
 kdb_vftabl kdb_function_table = {
     .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
     .min_ver = 0,
@@ -686,8 +690,42 @@ kdb_vftabl kdb_function_table = {
     .audit_as_req = ipadb_audit_as_req,
     .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
 };
+#endif
+
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
+kdb_vftabl kdb_function_table = {
+    .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+    .min_ver = 1,
+    .init_library = ipadb_init_library,
+    .fini_library = ipadb_fini_library,
+    .init_module = ipadb_init_module,
+    .fini_module = ipadb_fini_module,
+    .create = ipadb_create,
+    .get_age = ipadb_get_age,
+    .get_principal = ipadb_get_principal,
+    .put_principal = ipadb_put_principal,
+    .delete_principal = ipadb_delete_principal,
+    .iterate = ipadb_iterate,
+    .create_policy = ipadb_create_pwd_policy,
+    .get_policy = ipadb_get_pwd_policy,
+    .put_policy = ipadb_put_pwd_policy,
+    .iter_policy = ipadb_iterate_pwd_policy,
+    .delete_policy = ipadb_delete_pwd_policy,
+    .fetch_master_key = ipadb_fetch_master_key,
+    .store_master_key_list = ipadb_store_master_key_list,
+    .change_pwd = ipadb_change_pwd,
+    .sign_authdata = ipadb_sign_authdata,
+    .check_transited_realms = ipadb_check_transited_realms,
+    .check_policy_as = ipadb_check_policy_as,
+    .audit_as_req = ipadb_audit_as_req,
+    .check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
+    /* The order is important, DAL version 6.1 added
+     * the free_principal_e_data callback */
+    .free_principal_e_data = ipadb_free_principal_e_data,
+};
+#endif
 
-#else
+#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && (KRB5_KDB_DAL_MAJOR_VERSION != 6)
 #error unsupported DAL major version
 #endif
 
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1fdb409df..d5a343345 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -180,6 +180,8 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
                                     unsigned int flags,
                                     krb5_db_entry **entry);
 void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry);
+/* Helper function for DAL API 6.1 or later */
+void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data);
 krb5_error_code ipadb_put_principal(krb5_context kcontext,
                                     krb5_db_entry *entry,
                                     char **db_args);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 5b8090947..3bd8fb8c7 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1274,12 +1274,33 @@ done:
     return kerr;
 }
 
-void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
+void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
 {
     struct ipadb_e_data *ied;
-    krb5_tl_data *prev, *next;
     int i;
 
+    ied = (struct ipadb_e_data *)e_data;
+    if (ied->magic == IPA_E_DATA_MAGIC) {
+        ldap_memfree(ied->entry_dn);
+        free(ied->passwd);
+        free(ied->pw_policy_dn);
+        for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
+            free(ied->pw_history[i]);
+        }
+        free(ied->pw_history);
+        for (i = 0; ied->authz_data && ied->authz_data[i]; i++) {
+            free(ied->authz_data[i]);
+        }
+        free(ied->authz_data);
+        free(ied->pol);
+        free(ied);
+    }
+}
+
+void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
+{
+    krb5_tl_data *prev, *next;
+
     if (entry) {
         krb5_free_principal(kcontext, entry->princ);
         prev = entry->tl_data;
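Review bot: The comment on the new declaration, "Helper function for DAL API 6.1 or later", undersells its contract: the same function is also called unconditionally from ipadb_free_principal in ipa_kdb_principals.c (the -1292 hunk), so it is used on every DAL version, and only the vtable registration is 6.1-specific. A declaration comment should describe ownership and the magic check rather than the version, e.g. `/* Release an ipadb_e_data block and everything it owns; e_data must not be used afterwards. Blocks whose magic is not IPA_E_DATA_MAGIC are left untouched. Registered as the DAL 6.1 free_principal_e_data callback. */`.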
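Review bot: ipadb_free_principal_e_data casts e_data and dereferences `ied->magic` without a NULL check, whereas the code it was lifted from ran only under `if (entry->e_data)`. That guard survives for the internal caller in the -1292 hunk, but the function is now also a public vtable callback, and whether libkdb5 guarantees a non-NULL argument is not visible in this diff, so the cheap defensive line `if (e_data == NULL) return;` before the cast would make it total. `kcontext` is unused in the new body; if the build uses -Wunused-parameter, `(void)kcontext;` keeps it warning-free.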
@@ -1292,22 +1313,7 @@ void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
         ipa_krb5_free_key_data(entry->key_data, entry->n_key_data);
 
         if (entry->e_data) {
-            ied = (struct ipadb_e_data *)entry->e_data;
-            if (ied->magic == IPA_E_DATA_MAGIC) {
-                ldap_memfree(ied->entry_dn);
-                free(ied->passwd);
-                free(ied->pw_policy_dn);
-                for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
-                    free(ied->pw_history[i]);
-                }
-                free(ied->pw_history);
-                for (i = 0; ied->authz_data && ied->authz_data[i]; i++) {
-                    free(ied->authz_data[i]);
-                }
-                free(ied->authz_data);
-                free(ied->pol);
-                free(ied);
-            }
+            ipadb_free_principal_e_data(kcontext, entry->e_data);
         }
 
         free(entry);
diff --git a/freeipa.spec.in b/freeipa.spec.in
index a65b9bcf1..be32bf88b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -57,8 +57,16 @@ Source0: freeipa-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires: openldap-devel
+# For KDB DAL version, make explicit dependency so that increase of version
+# will cause the build to fail due to unsatisfied dependencies.
+# DAL version change may cause code crash or memory leaks, it is better to fail early.
+%if 0%{?fedora} > 25
+BuildRequires: krb5-devel >= 1.15-5
+BuildRequires: krb5-kdb-version = 6.1
+%else
 # 1.12: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678)
 BuildRequires: krb5-devel >= 1.12
+%endif
 # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
 BuildRequires: xmlrpc-c-devel >= 1.27.4
 BuildRequires: popt-devel