|
 |
31db7b |
From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001
|
|
|
31db7b |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Date: Fri, 19 Feb 2021 15:37:47 +0200
|
|
|
31db7b |
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
|
|
|
31db7b |
|
|
|
31db7b |
Calling to ipadb_get_connection() will remove LDAP context if any error
|
|
|
31db7b |
happens. This means upper layers must always verify that LDAP context
|
|
|
31db7b |
exists after such calls.
|
|
|
31db7b |
|
|
|
31db7b |
ipadb_get_user_auth() may re-read global configuration and that may fail
|
|
|
31db7b |
and cause IPA context to have NULL LDAP context.
|
|
|
31db7b |
|
|
|
31db7b |
Fixes: https://pagure.io/freeipa/issue/8681
|
|
|
31db7b |
|
|
|
31db7b |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
|
31db7b |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
31db7b |
---
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb.c | 1 +
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
|
|
|
31db7b |
3 files changed, 37 insertions(+), 22 deletions(-)
|
|
|
31db7b |
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
|
|
31db7b |
index 43ba955ac..6e1e3e351 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
|
|
31db7b |
@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext,
|
|
|
31db7b |
/* ldap free lcontext */
|
|
|
31db7b |
if ((*ctx)->lcontext) {
|
|
|
31db7b |
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
|
|
|
31db7b |
+ (*ctx)->lcontext = NULL;
|
|
|
31db7b |
}
|
|
|
31db7b |
free((*ctx)->supp_encs);
|
|
|
31db7b |
free((*ctx)->def_encs);
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
index 31f617129..81a8fd483 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
krb5_timestamp authtime,
|
|
|
31db7b |
struct netr_SamInfo3 *info3)
|
|
|
31db7b |
{
|
|
|
31db7b |
- LDAP *lcontext = ipactx->lcontext;
|
|
|
31db7b |
LDAPDerefRes *deref_results = NULL;
|
|
|
31db7b |
struct dom_sid sid;
|
|
|
31db7b |
gid_t prigid = -1;
|
|
|
31db7b |
@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
bool is_idobject = false;
|
|
|
31db7b |
krb5_principal princ;
|
|
|
31db7b |
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
|
|
|
31db7b |
&objectclasses);
|
|
|
31db7b |
if (ret == 0 && objectclasses != NULL) {
|
|
|
31db7b |
for (c = 0; objectclasses[c] != NULL; c++) {
|
|
|
31db7b |
@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
if (is_host) {
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
|
|
|
31db7b |
if (ret) {
|
|
|
31db7b |
/* fqdn is mandatory for hosts */
|
|
|
31db7b |
return ret;
|
|
|
31db7b |
}
|
|
|
31db7b |
} else if (is_service) {
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
|
31db7b |
+ "krbCanonicalName", &strres);
|
|
|
31db7b |
if (ret) {
|
|
|
31db7b |
/* krbCanonicalName is mandatory for services */
|
|
|
31db7b |
return ret;
|
|
|
31db7b |
@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
return ENOENT;
|
|
|
31db7b |
}
|
|
|
31db7b |
} else {
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
|
|
|
31db7b |
if (ret) {
|
|
|
31db7b |
/* uid is mandatory */
|
|
|
31db7b |
return ret;
|
|
|
31db7b |
@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
if (is_host || is_service) {
|
|
|
31db7b |
prigid = 515; /* Well known RID for domain computers group */
|
|
|
31db7b |
} else {
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
|
|
|
31db7b |
+ "gidNumber", &intres);
|
|
|
31db7b |
if (ret) {
|
|
|
31db7b |
/* gidNumber is mandatory */
|
|
|
31db7b |
return ret;
|
|
|
31db7b |
@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
info3->base.kickoff_time = INT64_MAX;
|
|
|
31db7b |
#endif
|
|
|
31db7b |
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
|
|
|
31db7b |
"krbLastPwdChange", &timeres);
|
|
|
31db7b |
switch (ret) {
|
|
|
31db7b |
case 0:
|
|
|
31db7b |
@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
info3->base.allow_password_change = info3->base.last_password_change;
|
|
|
31db7b |
info3->base.force_password_change = INT64_MAX;
|
|
|
31db7b |
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
|
|
|
31db7b |
switch (ret) {
|
|
|
31db7b |
case 0:
|
|
|
31db7b |
info3->base.full_name.string = talloc_strdup(memctx, strres);
|
|
|
31db7b |
@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
return ret;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
|
31db7b |
"ipaNTLogonScript", &strres);
|
|
|
31db7b |
switch (ret) {
|
|
|
31db7b |
case 0:
|
|
|
31db7b |
@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
return ret;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
|
31db7b |
"ipaNTProfilePath", &strres);
|
|
|
31db7b |
switch (ret) {
|
|
|
31db7b |
case 0:
|
|
|
31db7b |
@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
return ret;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
|
31db7b |
"ipaNTHomeDirectory", &strres);
|
|
|
31db7b |
switch (ret) {
|
|
|
31db7b |
case 0:
|
|
|
31db7b |
@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
return ret;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
|
31db7b |
"ipaNTHomeDirectoryDrive", &strres);
|
|
|
31db7b |
switch (ret) {
|
|
|
31db7b |
case 0:
|
|
|
31db7b |
@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
info3->base.rid = 515;
|
|
|
31db7b |
}
|
|
|
31db7b |
} else {
|
|
|
31db7b |
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
|
31db7b |
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
|
31db7b |
"ipaNTSecurityIdentifier", &strres);
|
|
|
31db7b |
if (ret) {
|
|
|
31db7b |
/* SID is mandatory */
|
|
|
31db7b |
@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
|
31db7b |
}
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
|
|
|
31db7b |
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
|
|
|
31db7b |
switch (ret) {
|
|
|
31db7b |
LDAPDerefRes *dres;
|
|
|
31db7b |
LDAPDerefVal *dval;
|
|
|
31db7b |
@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
|
|
|
31db7b |
krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
|
31db7b |
{
|
|
|
31db7b |
struct ipadb_adtrusts *t;
|
|
|
31db7b |
- LDAP *lc = ipactx->lcontext;
|
|
|
31db7b |
+ LDAP *lc = NULL;
|
|
|
31db7b |
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
|
|
|
31db7b |
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
|
|
|
31db7b |
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
|
|
|
31db7b |
@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
|
31db7b |
goto done;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
+ lc = ipactx->lcontext;
|
|
|
31db7b |
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
|
|
|
31db7b |
dnstr = ldap_get_dn(lc, le);
|
|
|
31db7b |
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
31db7b |
index d1fa51578..cf1b4f53e 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
31db7b |
@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
|
|
|
31db7b |
if (gcfg != NULL)
|
|
|
31db7b |
gua = gcfg->user_auth;
|
|
|
31db7b |
|
|
|
31db7b |
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
|
|
|
31db7b |
+ * global config and cleared the ipactx */
|
|
|
31db7b |
+ if (ipactx->lcontext == NULL)
|
|
|
31db7b |
+ return IPADB_USER_AUTH_NONE;
|
|
|
31db7b |
+
|
|
|
31db7b |
/* Get the user's user_auth settings if not disabled. */
|
|
|
31db7b |
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
|
|
|
31db7b |
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
|
|
|
31db7b |
@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
|
31db7b |
free(entry);
|
|
|
31db7b |
return KRB5_KDB_DBNOTINITED;
|
|
|
31db7b |
}
|
|
|
31db7b |
- lcontext = ipactx->lcontext;
|
|
|
31db7b |
- if (!lcontext) {
|
|
|
31db7b |
+
|
|
|
31db7b |
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
|
|
31db7b |
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
|
|
31db7b |
+
|
|
|
31db7b |
+ /* Get User Auth configuration. */
|
|
|
31db7b |
+ ua = ipadb_get_user_auth(ipactx, lentry);
|
|
|
31db7b |
+
|
|
|
31db7b |
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
|
|
|
31db7b |
+ * and that might fail, causing lcontext to become NULL */
|
|
|
31db7b |
+ if (!ipactx->lcontext) {
|
|
|
31db7b |
krb5_klog_syslog(LOG_INFO,
|
|
|
31db7b |
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
|
|
|
31db7b |
ret = ipadb_get_connection(ipactx);
|
|
|
31db7b |
@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
|
31db7b |
}
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
|
|
31db7b |
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
|
|
31db7b |
-
|
|
|
31db7b |
- /* Get User Auth configuration. */
|
|
|
31db7b |
- ua = ipadb_get_user_auth(ipactx, lentry);
|
|
|
31db7b |
+ /* If any code below would result in invalidating ipactx->lcontext,
|
|
|
31db7b |
+ * lcontext must be updated with the new ipactx->lcontext value.
|
|
|
31db7b |
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
|
|
|
31db7b |
+ lcontext = ipactx->lcontext;
|
|
|
31db7b |
|
|
|
31db7b |
/* ignore mask for now */
|
|
|
31db7b |
|
|
|
31db7b |
--
|
|
|
31db7b |
2.29.2
|
|
|
31db7b |
|
|
|
31db7b |
From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001
|
|
|
31db7b |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Date: Tue, 23 Feb 2021 10:06:25 +0200
|
|
|
31db7b |
Subject: [PATCH] ipa-kdb: fix compiler warnings
|
|
|
31db7b |
|
|
|
31db7b |
There are few fields in KDB structures that have 'conflicting' types but
|
|
|
31db7b |
need to be compared. They come from MIT Kerberos and we have no choice
|
|
|
31db7b |
here.
|
|
|
31db7b |
|
|
|
31db7b |
In the same way, SID structures have own requirements.
|
|
|
31db7b |
|
|
|
31db7b |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
|
31db7b |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
31db7b |
---
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
|
|
|
31db7b |
4 files changed, 9 insertions(+), 9 deletions(-)
|
|
|
31db7b |
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
|
31db7b |
index ed48ea758..ec2046bfe 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
|
31db7b |
@@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
|
|
|
31db7b |
|
|
|
31db7b |
if (krb5_ts_after(krb5_ts_incr(client->last_failed,
|
|
|
31db7b |
ied->pol->lockout_duration), authtime) &&
|
|
|
31db7b |
- (client->fail_auth_count >= ied->pol->max_fail &&
|
|
|
31db7b |
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
|
|
|
31db7b |
ied->pol->max_fail != 0)) {
|
|
|
31db7b |
/* client already locked, nothing more to do */
|
|
|
31db7b |
break;
|
|
|
31db7b |
}
|
|
|
31db7b |
if (ied->pol->max_fail == 0 ||
|
|
|
31db7b |
- client->fail_auth_count < ied->pol->max_fail) {
|
|
|
31db7b |
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
|
|
|
31db7b |
/* let's increase the fail counter */
|
|
|
31db7b |
client->fail_auth_count++;
|
|
|
31db7b |
client->mask |= KMASK_FAIL_AUTH_COUNT;
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
index 81a8fd483..9691b14f6 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
@@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
|
|
|
31db7b |
|
|
|
31db7b |
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
|
|
|
31db7b |
{
|
|
|
31db7b |
- size_t c;
|
|
|
31db7b |
+ int8_t c;
|
|
|
31db7b |
size_t len;
|
|
|
31db7b |
- int ofs;
|
|
|
31db7b |
+ size_t ofs;
|
|
|
31db7b |
uint32_t ia;
|
|
|
31db7b |
char *buf;
|
|
|
31db7b |
|
|
|
31db7b |
@@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
|
31db7b |
|
|
|
31db7b |
t[n].upn_suffixes_len = NULL;
|
|
|
31db7b |
if (t[n].upn_suffixes != NULL) {
|
|
|
31db7b |
- size_t len = 0;
|
|
|
31db7b |
+ int len = 0;
|
|
|
31db7b |
|
|
|
31db7b |
for (; t[n].upn_suffixes[len] != NULL; len++);
|
|
|
31db7b |
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
31db7b |
index cf1b4f53e..0a98ff054 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
31db7b |
@@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
|
|
|
31db7b |
l = len;
|
|
|
31db7b |
for (i = 0; i < count; i++) {
|
|
|
31db7b |
ret = snprintf(ap, l, "%s ", authinds[i]);
|
|
|
31db7b |
- if (ret <= 0 || ret > l) {
|
|
|
31db7b |
+ if (ret <= 0 || ret > (int) l) {
|
|
|
31db7b |
ret = ENOMEM;
|
|
|
31db7b |
goto cleanup;
|
|
|
31db7b |
}
|
|
|
31db7b |
@@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
|
|
|
31db7b |
char *s = NULL;
|
|
|
31db7b |
size_t ai_size = 0;
|
|
|
31db7b |
int cnt = 0;
|
|
|
31db7b |
- int i = 0;
|
|
|
31db7b |
+ size_t i = 0;
|
|
|
31db7b |
|
|
|
31db7b |
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
|
|
|
31db7b |
if (ret) {
|
|
|
31db7b |
@@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
|
|
|
31db7b |
{
|
|
|
31db7b |
krb5_error_code kerr;
|
|
|
31db7b |
LDAPMod *m = NULL;
|
|
|
31db7b |
- int i;
|
|
|
31db7b |
+ size_t i;
|
|
|
31db7b |
|
|
|
31db7b |
kerr = ipadb_mods_new(imods, &m);
|
|
|
31db7b |
if (kerr) {
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
|
31db7b |
index 4965e6d7f..6f21ef867 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
|
31db7b |
@@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
if (ied->pol->max_fail == 0 ||
|
|
|
31db7b |
- client->fail_auth_count < ied->pol->max_fail) {
|
|
|
31db7b |
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
|
|
|
31db7b |
/* still within allowed failures range */
|
|
|
31db7b |
return 0;
|
|
|
31db7b |
}
|
|
|
31db7b |
--
|
|
|
31db7b |
2.29.2
|
|
|
31db7b |
|
|
|
31db7b |
From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001
|
|
|
31db7b |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Date: Wed, 24 Feb 2021 20:51:40 +0200
|
|
|
31db7b |
Subject: [PATCH] ipa-kdb: add missing prototypes
|
|
|
31db7b |
|
|
|
31db7b |
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
|
|
|
31db7b |
about function prototypes missing. If -Werror is specified, this breaks
|
|
|
31db7b |
compilation.
|
|
|
31db7b |
|
|
|
31db7b |
We also default to -Werror=implicit-function-declaration
|
|
|
31db7b |
|
|
|
31db7b |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
|
31db7b |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
31db7b |
---
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++
|
|
|
31db7b |
3 files changed, 20 insertions(+), 8 deletions(-)
|
|
|
31db7b |
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
|
31db7b |
index a89f8bbda..aa61a2d1b 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
|
31db7b |
@@ -14,6 +14,10 @@
|
|
|
31db7b |
#define ONE_DAY_SECONDS (24 * 60 * 60)
|
|
|
31db7b |
#define JITTER_WINDOW_SECONDS (1 * 60 * 60)
|
|
|
31db7b |
|
|
|
31db7b |
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
|
|
|
31db7b |
+ int maj_ver, int min_ver,
|
|
|
31db7b |
+ krb5_plugin_vtable vtable);
|
|
|
31db7b |
+
|
|
|
31db7b |
static void
|
|
|
31db7b |
jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
|
|
|
31db7b |
{
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
index 9691b14f6..47b12a16f 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
|
31db7b |
@@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
|
|
|
31db7b |
*mspac = NULL;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
|
31db7b |
- struct dom_sid **result_sids,
|
|
|
31db7b |
- int *result_length)
|
|
|
31db7b |
+static krb5_error_code
|
|
|
31db7b |
+ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
|
31db7b |
+ struct dom_sid **result_sids,
|
|
|
31db7b |
+ int *result_length)
|
|
|
31db7b |
{
|
|
|
31db7b |
int len, i;
|
|
|
31db7b |
char **source;
|
|
|
31db7b |
@@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
|
31db7b |
return 0;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
|
|
31db7b |
- char **sid_blocklist_incoming,
|
|
|
31db7b |
- char **sid_blocklist_outgoing)
|
|
|
31db7b |
+static krb5_error_code
|
|
|
31db7b |
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
|
|
31db7b |
+ char **sid_blocklist_incoming,
|
|
|
31db7b |
+ char **sid_blocklist_outgoing)
|
|
|
31db7b |
{
|
|
|
31db7b |
krb5_error_code kerr;
|
|
|
31db7b |
|
|
|
31db7b |
@@ -2464,7 +2466,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
|
|
|
31db7b |
return 0;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
|
|
|
31db7b |
+static krb5_error_code
|
|
|
31db7b |
+ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
|
|
|
31db7b |
{
|
|
|
31db7b |
char *attrs[] = { NULL };
|
|
|
31db7b |
char *filter = "(objectclass=ipaNTTrustedDomain)";
|
|
|
31db7b |
@@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
|
|
|
31db7b |
}
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
|
31db7b |
+static krb5_error_code
|
|
|
31db7b |
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
|
31db7b |
{
|
|
|
31db7b |
struct ipadb_adtrusts *t;
|
|
|
31db7b |
LDAP *lc = NULL;
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
|
31db7b |
index d23a14a0b..8c8a3a001 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
|
31db7b |
@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
|
|
|
31db7b |
|
|
|
31db7b |
int string_to_sid(const char *str, struct dom_sid *sid);
|
|
|
31db7b |
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
|
|
|
31db7b |
+krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
|
|
|
31db7b |
+ krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
|
|
|
31db7b |
+void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
|
|
|
31db7b |
+ bool *_with_pac, bool *_with_pad);
|
|
|
31db7b |
\ No newline at end of file
|
|
|
31db7b |
--
|
|
|
31db7b |
2.29.2
|
|
|
31db7b |
|
|
|
31db7b |
From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001
|
|
|
31db7b |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Date: Wed, 24 Feb 2021 20:52:15 +0200
|
|
|
31db7b |
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
|
|
|
31db7b |
|
|
|
31db7b |
Add prototype to the exported function
|
|
|
31db7b |
|
|
|
31db7b |
Replace few tabs by spaces and mark static code as static.
|
|
|
31db7b |
|
|
|
31db7b |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
|
31db7b |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
31db7b |
---
|
|
|
31db7b |
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
|
|
|
31db7b |
1 file changed, 14 insertions(+), 11 deletions(-)
|
|
|
31db7b |
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
|
31db7b |
index bc6b26578..3a3060c92 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
|
31db7b |
@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
|
|
|
31db7b |
time_t valid_until;
|
|
|
31db7b |
};
|
|
|
31db7b |
|
|
|
31db7b |
-void ipa_certmap_debug(void *private,
|
|
|
31db7b |
- const char *file, long line,
|
|
|
31db7b |
- const char *function,
|
|
|
31db7b |
- const char *format, ...)
|
|
|
31db7b |
+krb5_error_code certauth_ipakdb_initvt(krb5_context context,
|
|
|
31db7b |
+ int maj_ver, int min_ver,
|
|
|
31db7b |
+ krb5_plugin_vtable vtable);
|
|
|
31db7b |
+
|
|
|
31db7b |
+static void ipa_certmap_debug(void *private, const char *file, long line,
|
|
|
31db7b |
+ const char *function,
|
|
|
31db7b |
+ const char *format, ...)
|
|
|
31db7b |
{
|
|
|
31db7b |
va_list ap;
|
|
|
31db7b |
char str[255] = { 0 };
|
|
|
31db7b |
@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
|
|
|
31db7b |
* so there is nothing more to add here. */
|
|
|
31db7b |
auth_inds = calloc(2, sizeof(char *));
|
|
|
31db7b |
if (auth_inds != NULL) {
|
|
|
31db7b |
- ret = asprintf(&auth_inds[0], "pkinit");
|
|
|
31db7b |
- if (ret != -1) {
|
|
|
31db7b |
+ ret = asprintf(&auth_inds[0], "pkinit");
|
|
|
31db7b |
+ if (ret != -1) {
|
|
|
31db7b |
auth_inds[1] = NULL;
|
|
|
31db7b |
*authinds_out = auth_inds;
|
|
|
31db7b |
- } else {
|
|
|
31db7b |
- free(auth_inds);
|
|
|
31db7b |
+ } else {
|
|
|
31db7b |
+ free(auth_inds);
|
|
|
31db7b |
}
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
|
|
|
31db7b |
size_t i = 0;
|
|
|
31db7b |
|
|
|
31db7b |
if ((authinds == NULL) || (moddata == NULL)) {
|
|
|
31db7b |
- return;
|
|
|
31db7b |
+ return;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
for(i=0; authinds[i]; i++) {
|
|
|
31db7b |
- free(authinds[i]);
|
|
|
31db7b |
- authinds[i] = NULL;
|
|
|
31db7b |
+ free(authinds[i]);
|
|
|
31db7b |
+ authinds[i] = NULL;
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
free(authinds);
|
|
|
31db7b |
--
|
|
|
31db7b |
2.29.2
|
|
|
31db7b |
|
|
|
31db7b |
From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001
|
|
|
31db7b |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Date: Wed, 24 Feb 2021 20:55:41 +0200
|
|
|
31db7b |
Subject: [PATCH] ipa-kdb: mark test functions as static
|
|
|
31db7b |
|
|
|
31db7b |
No need to define missing prototypes to single use test functions.
|
|
|
31db7b |
|
|
|
31db7b |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
31db7b |
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
|
31db7b |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
31db7b |
---
|
|
|
31db7b |
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
|
|
|
31db7b |
1 file changed, 5 insertions(+), 8 deletions(-)
|
|
|
31db7b |
|
|
|
31db7b |
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
|
31db7b |
index 2a174ce6b..0b51ffb96 100644
|
|
|
31db7b |
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
|
31db7b |
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
|
31db7b |
@@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
|
|
|
31db7b |
krb5_data realm,
|
|
|
31db7b |
struct PAC_LOGON_INFO_CTR *info);
|
|
|
31db7b |
|
|
|
31db7b |
-void test_filter_logon_info(void **state)
|
|
|
31db7b |
+static void test_filter_logon_info(void **state)
|
|
|
31db7b |
{
|
|
|
31db7b |
krb5_error_code kerr;
|
|
|
31db7b |
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
|
|
|
31db7b |
@@ -316,10 +316,7 @@ void test_filter_logon_info(void **state)
|
|
|
31db7b |
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
|
|
|
31db7b |
- bool *with_pac, bool *with_pad);
|
|
|
31db7b |
-
|
|
|
31db7b |
-void test_get_authz_data_types(void **state)
|
|
|
31db7b |
+static void test_get_authz_data_types(void **state)
|
|
|
31db7b |
{
|
|
|
31db7b |
bool with_pac;
|
|
|
31db7b |
bool with_pad;
|
|
|
31db7b |
@@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state)
|
|
|
31db7b |
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
-void test_string_to_sid(void **state)
|
|
|
31db7b |
+static void test_string_to_sid(void **state)
|
|
|
31db7b |
{
|
|
|
31db7b |
int ret;
|
|
|
31db7b |
struct dom_sid sid;
|
|
|
31db7b |
@@ -469,7 +466,7 @@ void test_string_to_sid(void **state)
|
|
|
31db7b |
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
-void test_dom_sid_string(void **state)
|
|
|
31db7b |
+static void test_dom_sid_string(void **state)
|
|
|
31db7b |
{
|
|
|
31db7b |
struct test_ctx *test_ctx;
|
|
|
31db7b |
char *str_sid;
|
|
|
31db7b |
@@ -495,7 +492,7 @@ void test_dom_sid_string(void **state)
|
|
|
31db7b |
}
|
|
|
31db7b |
|
|
|
31db7b |
|
|
|
31db7b |
-void test_check_trusted_realms(void **state)
|
|
|
31db7b |
+static void test_check_trusted_realms(void **state)
|
|
|
31db7b |
{
|
|
|
31db7b |
struct test_ctx *test_ctx;
|
|
|
31db7b |
krb5_error_code kerr = 0;
|
|
|
31db7b |
--
|
|
|
31db7b |
2.29.2
|
|
|
31db7b |
|