From 6a6389fefdc055b5a920e6e4412ff0b7e37ef33a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 17 Nov 2014 21:05:56 -0500
Subject: [PATCH] Fix filtering of enctypes in server code.
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.
Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
---
.../ipa-pwd-extop/ipa_pwd_extop.c | 60 ++++++++++++++++------
1 file changed, 43 insertions(+), 17 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index f0346a343188930dfc90e19d2e5d38cb30741b90..b87ae0dc7a180008228f31293b49212df80584e8 100644
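--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -125,6 +125,48 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
 }
 }
 
+static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
+ krb5_key_salt_tuple *kenctypes,
+ int *num_kenctypes)
+{
+ /* first filter for duplicates */
+ for (int i = 0; i + 1 < *num_kenctypes; i++) {
+ for (int j = i + 1; j < *num_kenctypes; j++) {
+ if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
+ /* duplicate, filter out */
+ for (int k = j; k + 1 < *num_kenctypes; k++) {
+ kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
+ kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
+ }
+ (*num_kenctypes)--;
+ j--;
+ }
+ }
+ }
+
+ /* then filter for supported */
+ for (int i = 0; i < *num_kenctypes; i++) {
+ int j;
+
+ /* Check if supported */
+ for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
+ if (kenctypes[i].ks_enctype ==
+ krbcfg->supp_encsalts[j].ks_enctype) {
+ break;
+ }
+ }
+ if (j == krbcfg->num_supp_encsalts) {
+ /* Unsupported, filter out */
+ for (int k = i; k + 1 < *num_kenctypes; k++) {
+ kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
+ kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
+ }
+ (*num_kenctypes)--;
+ i--;
+ }
+ }
+}
+
 static int ipapwd_to_ldap_pwpolicy_error(int ipapwderr)
 {
 switch (ipapwderr) {
@@ -1740,23 +1782,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 goto free_and_return;
 }
 
- for (int i = 0; i < num_kenctypes; i++) {
-
- /* Check if supported */
- for (int j = 0; j < krbcfg->num_supp_encsalts; j++) {
- if (kenctypes[i].ks_enctype ==
- krbcfg->supp_encsalts[j].ks_enctype) {
- continue;
- }
- }
- /* Unsupported, filter out */
- for (int j = i; j + 1 < num_kenctypes; j++) {
- kenctypes[j].ks_enctype = kenctypes[j + 1].ks_enctype;
- kenctypes[j].ks_salttype = kenctypes[j + 1].ks_salttype;
- }
- num_kenctypes--;
- i--;
- }
+ filter_enctypes(krbcfg, kenctypes, &num_kenctypes);
 
 /* check if we have any left */
 if (num_kenctypes == 0 && kenctypes != NULL) {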
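Review bot: In the new filter_enctypes(), both the duplicate pass and the supported pass compare only `ks_enctype`, so the `ks_salttype` carried in each tuple is never checked against `krbcfg->supp_encsalts`, and two entries that differ only in salt type collapse to the first one. If the salt type is meant to be part of the server's allow-list, the supported check should read `kenctypes[i].ks_enctype == krbcfg->supp_encsalts[j].ks_enctype && kenctypes[i].ks_salttype == krbcfg->supp_encsalts[j].ks_salttype`. If it is deliberately ignored, a comment such as `/* only the enctype is matched; the salt type is not filtered here */` would make that explicit; whether the salt is validated elsewhere in ipapwd_getkeytab is not visible from this hunk. The function would also benefit from a short header comment stating that it compacts `kenctypes` in place, keeps the first occurrence of each enctype in order, and updates `*num_kenctypes`.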
--
2.1.0