From 55172f11776453c0f8defb1363dd144b29f181d3 Mon Sep 17 00:00:00 2001

From: Simo Sorce <simo@redhat.com>

Date: Mon, 17 Nov 2014 15:19:57 -0500

Subject: [PATCH] Use asn1c helpers to encode/decode the getkeytab control

Replaces manual encoding with automatically generated code.

Fixes:

https://fedorahosted.org/freeipa/ticket/4718

https://fedorahosted.org/freeipa/ticket/4728

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>

---

 Makefile                                           |   1 +

 daemons/configure.ac                               |   2 +

 .../ipa-slapi-plugins/ipa-pwd-extop/Makefile.am    |   7 +-

 .../ipa-pwd-extop/ipa_pwd_extop.c                  | 241 ++++----------------

 ipa-client/Makefile.am                             |   4 +

 ipa-client/configure.ac                            |   2 +

 ipa-client/ipa-getkeytab.c                         | 246 ++++-----------------

 7 files changed, 107 insertions(+), 396 deletions(-)

diff --git a/Makefile b/Makefile

index c1a298f91717246e8dab5e3f0de47d0ac9b2ae35..8fd0c60e392d720f47c8ee7c4b674727dc5eb789 100644

--- a/Makefile

+++ b/Makefile

@@ -75,6 +75,7 @@ client: client-autogen

 bootstrap-autogen: version-update client-autogen

 	@echo "Building IPA $(IPA_VERSION)"

+	cd asn1; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi

 	cd daemons; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR) --with-openldap; fi

 	cd install; if [ ! -e Makefile ]; then ../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi

diff --git a/daemons/configure.ac b/daemons/configure.ac

index bfcdeadcd1dc73762d8c773ee50210d9bdb91e92..e81aa60e381e035aff73bf27475fc0f101a5fbf9 100644

--- a/daemons/configure.ac

+++ b/daemons/configure.ac

@@ -5,6 +5,7 @@ AC_INIT([ipa-server],

         [https://hosted.fedoraproject.org/projects/freeipa/newticket])

 AC_CONFIG_HEADERS([config.h])

+AC_CONFIG_SUBDIRS([../asn1])

 AM_INIT_AUTOMAKE([foreign])

 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])

@@ -305,6 +306,7 @@ AC_SUBST(LDFLAGS)

 AC_CONFIG_FILES([

     Makefile

+    ../asn1/Makefile

     ipa-kdb/Makefile

     ipa-sam/Makefile

     ipa-otpd/Makefile

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

index 4cf80ec802b40bb579a44fc9357c6a8119dab577..77beca2da0810ed5507d95b21f99d22f63b05fc1 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

@@ -6,6 +6,7 @@ KRB5_UTIL_DIR = ../../../util

 KRB5_UTIL_SRCS = $(KRB5_UTIL_DIR)/ipa_krb5.c \

 		 $(KRB5_UTIL_DIR)/ipa_pwd.c \

 		 $(KRB5_UTIL_DIR)/ipa_pwd_ntlm.c

+ASN1_UTIL_DIR=../../../asn1

 AM_CPPFLAGS =							\

 	-I.							\

@@ -13,6 +14,7 @@ AM_CPPFLAGS =							\

 	-I$(srcdir)/../libotp					\

 	-I$(PLUGIN_COMMON_DIR)					\

 	-I$(KRB5_UTIL_DIR)					\

+	-I$(ASN1_UTIL_DIR)					\

 	-I$(COMMON_BER_DIR)					\

 	-DPREFIX=\""$(prefix)"\" 				\

 	-DBINDIR=\""$(bindir)"\"				\

@@ -38,7 +40,10 @@ AM_LDFLAGS = \

 # Plugin Binary

 plugindir = $(libdir)/dirsrv/plugins

 plugin_LTLIBRARIES = libipa_pwd_extop.la

-libipa_pwd_extop_la_LIBADD  = $(builddir)/../libotp/libotp.la

+libipa_pwd_extop_la_LIBADD  = \

+	$(builddir)/../libotp/libotp.la \

+	$(ASN1_UTIL_DIR)/libipaasn1.la  \

+	$(NULL)

 libipa_pwd_extop_la_SOURCES = 		\

 	authcfg.c			\

 	common.c			\

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

index b87ae0dc7a180008228f31293b49212df80584e8..ceea49cab50b0836c882240f210339e60d26729b 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

@@ -40,6 +40,7 @@

 #include "ipapwd.h"

 #include "util.h"

 #include "authcfg.h"

+#include "ipa_asn1.h"

 /*

  * Password Modify - LDAP Extended Operation.

@@ -1310,31 +1311,7 @@ free_and_return:

 	return SLAPI_PLUGIN_EXTENDED_SENT_RESULT;

 }

-/* Format of getkeytab request

- *

- * KeytabGetRequest ::= CHOICE {

- *     newkeys      [0] Newkeys,

- *     curkeys      [1] CurrentKeys,

- *     reply        [2] Reply

- * }

- *

- * NewKeys ::= SEQUENCE {

- *     serviceIdentity [0] OCTET STRING,

- *     enctypes        [1] SEQUENCE OF Int16

- *     password        [2] OCTET STRING OPTIONAL,

- * }

- *

- * CurrentKeys ::= SEQUENCE {

- *     serviceIdentity [0] OCTET STRING,

- * }

- */

-

-#define GK_REQUEST_NEWKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)

-#define GK_REQUEST_CURKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-#define GKREQ_SVCNAME_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-#define GKREQ_ENCTYPES_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-#define GKREQ_PASSWORD_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)

-

+/* decode a getkeytab control request using libipaasn1 helpers */

 static int decode_getkeytab_request(struct berval *extop, bool *wantold,

                                     char **_svcname, char **_password,

                                     krb5_key_salt_tuple **kenctypes,

@@ -1342,96 +1319,44 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold,

 {

     int rc = LDAP_OPERATIONS_ERROR;

     char *err_msg = NULL;

-    BerElement *ber = NULL;

-    ber_len_t tlen;

-    ber_tag_t rtag;

-    ber_tag_t ttag;

-    ber_tag_t ctag;

     char *svcname = NULL;

     char *password = NULL;

-    ber_int_t enctype;

+    long *etypes = NULL;

+    int numtypes = 0;

     krb5_key_salt_tuple *enctypes = NULL;

-    int num = 0;

-

-    ber = ber_init(extop);

-    if (ber == NULL) {

-        err_msg = "KeytabGet Request decode failed.\n";

-        rc = LDAP_PROTOCOL_ERROR;

-        goto done;

-    }

-

-    /* check this is a request */

-    rtag = ber_peek_tag(ber, &tlen);

-    if (rtag != GK_REQUEST_NEWKEYS && rtag != GK_REQUEST_CURKEYS) {

-        LOG_FATAL("ber_peek_tag failed, wrong request type\n");

-        err_msg = "Invalid payload.\n";

-        rc = LDAP_PROTOCOL_ERROR;

-        goto done;

-    }

-

-    /* ber parse code */

-    ttag = ber_scanf(ber, "{ta", &ctag, &svcname);

-    if (ttag == LBER_ERROR || ctag != GKREQ_SVCNAME_TAG) {

-        LOG_FATAL("ber_scanf failed to decode service name\n");

-        err_msg = "Invalid payload.\n";

+    bool newkt;

+    bool ret;

+    int i;

+

+    ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt,

+                            &svcname, &password, &etypes, &numtypes);

+    if (!ret) {

+        err_msg = "Failed to decode GetKeytab Control.\n";

         rc = LDAP_PROTOCOL_ERROR;

         goto done;

     }

-    if (rtag == GK_REQUEST_CURKEYS) {

-        rc = LDAP_SUCCESS;

-        goto done;

-    }

-

-    ttag = ber_peek_tag(ber, &tlen);

-    if (ttag != GKREQ_ENCTYPES_TAG) {

-        LOG_FATAL("ber_peek_tag failed to find enctypes\n");

-        err_msg = "Invalid payload.\n";

-        rc = LDAP_PROTOCOL_ERROR;

-        goto done;

-    }

-    ttag = ber_peek_tag(ber, &tlen);

-    for (num = 0; ttag == LBER_INTEGER; num++) {

-        if ((num % 10) == 0) {

-            /* allocate space for at least 10 more enctypes */

-            enctypes = realloc(enctypes,

-                               (num + 10) * sizeof(krb5_key_salt_tuple));

+    if (newkt) {

+        if (numtypes) {

+            enctypes = malloc(numtypes * sizeof(krb5_key_salt_tuple));

             if (!enctypes) {

                 LOG_FATAL("allocation failed\n");

                 err_msg = "Internal error\n";

                 rc = LDAP_OPERATIONS_ERROR;

                 goto done;

             }

-        }

-

-        ttag = ber_scanf(ber, "i", &enctype);

-        if (ttag == LBER_ERROR) {

-            LOG_FATAL("ber_scanf failed to decode enctype\n");

-            err_msg = "Invalid payload.\n";

-            rc = LDAP_PROTOCOL_ERROR;

-            goto done;

-        }

-

-        enctypes[num].ks_enctype = enctype;

-        enctypes[num].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;

-        ttag = ber_peek_tag(ber, &tlen);

-    }

-    /* ttag peek done as last step of the previous for loop */

-    if (ttag == GKREQ_PASSWORD_TAG) {

-        /* optional password present */

-        ttag = ber_scanf(ber, "a", &password);

-        if (ttag == LBER_ERROR) {

-            LOG_FATAL("ber_scanf failed to decode password\n");

-            err_msg = "Invalid payload.\n";

-            rc = LDAP_PROTOCOL_ERROR;

-            goto done;

+            for (i = 0; i < numtypes; i++) {

+                enctypes[i].ks_enctype = etypes[i];

+                enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;

+            }

         }

     }

     rc = LDAP_SUCCESS;

 done:

+    free(etypes);

     if (rc != LDAP_SUCCESS) {

         free(password);

         free(svcname);

@@ -1440,78 +1365,34 @@ done:

     } else {

         *_password = password;

         *_svcname = svcname;

-        *wantold = (rtag == GK_REQUEST_CURKEYS);

+        *wantold = (newkt == false);

         *kenctypes = enctypes;

-        *num_kenctypes = num;

+        *num_kenctypes = numtypes;

     }

-    if (ber) ber_free(ber, 1);

     return rc;

 }

-/* Format of getkeytab reply

- *

- * Reply ::= SEQUENCE {

- *     new_kvno        Int32

- *     keys            SEQUENCE OF KrbKey,

- * }

- *

- * KrbKey ::= SEQUENCE {

- *     key       [0] EncryptionKey,

- *     salt      [1] KrbSalt OPTIONAL,

- *     s2kparams [2] OCTET STRING OPTIONAL,

- * }

- *

- * EncryptionKey ::= SEQUENCE {

- *     keytype   [0] Int32,

- *     keyvalue  [1] OCTET STRING

- * }

- *

- * KrbSalt ::= SEQUENCE {

- *     type      [0] Int32,

- *     salt      [1] OCTET STRING

- * }

- */

-

-#define GK_REPLY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)

-#define GKREP_KEY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)

-#define GKREP_SALT_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-#define GKREP_S2KPARAMS_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)

-#define GKREP_KEYTYPE_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)

-#define GKREP_KEYVALUE_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-#define GKREP_SALTTYPE_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)

-#define GKREP_SALTVALUE_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-

 static int encode_getkeytab_reply(krb5_context krbctx,

                                   krb5_keyblock *kmkey, int mkvno,

                                   krb5_key_data *keys, int num_keys,

                                   struct berval **_bvp)

 {

     int rc = LDAP_OPERATIONS_ERROR;

+    struct krb_key_salt ksdata[num_keys];

+    struct keys_container ksc = { num_keys, ksdata };

     struct berval *bvp = NULL;

-    BerElement *ber = NULL;

-    ber_int_t kvno;

-    krb5_data plain = { 0 };

+    int kvno;

+    bool ret;

-    ber = ber_alloc();

-    if (!ber) {

-        LOG_OOM();

-        goto done;

-    }

+    memset(ksdata, '\0', num_keys * sizeof(struct krb_key_salt));

     /* uses last key kvno */

     kvno = keys[num_keys-1].key_data_kvno;

-    rc = ber_printf(ber, "t{i{", GK_REPLY_TAG, kvno);

-    if (rc == -1) {

-        rc = LDAP_OPERATIONS_ERROR;

-        LOG_FATAL("Failed to initiate key buffer\n");

-        goto done;

-    }

-

     for (int i = 0; i < num_keys; i++) {

         krb5_enc_data cipher = { 0 };

+        krb5_data plain = { 0 };

         krb5_int16 plen;

-        void *p;

         /* retrieve plain key */

         memcpy(&plen, keys[i].key_data_contents[0], 2);

@@ -1521,13 +1402,12 @@ static int encode_getkeytab_reply(krb5_context krbctx,

         cipher.kvno = mkvno;

         plain.length = le16toh(plen);

-        p = realloc(plain.data, plain.length);

-        if (!p) {

+        plain.data = malloc(plain.length);

+        if (!plain.data) {

             LOG_FATAL("Failed to allocate plain buffer\n");

             rc = LDAP_OPERATIONS_ERROR;

             goto done;

         }

-        plain.data = p;

         rc = krb5_c_decrypt(krbctx, kmkey, 0, 0, &cipher, &plain);

         if (rc) {

@@ -1536,68 +1416,37 @@ static int encode_getkeytab_reply(krb5_context krbctx,

             goto done;

         }

-        rc = ber_printf(ber,

-                        "{t{tito}",

-                        GKREP_KEY_TAG,

-                            GKREP_KEYTYPE_TAG,

-                                (ber_int_t)keys[i].key_data_type[0],

-                            GKREP_KEYVALUE_TAG,

-                                plain.data, (ber_len_t)plain.length);

-        if (rc == -1) {

-            LOG_FATAL("Failed to encode key data\n");

-            rc = LDAP_OPERATIONS_ERROR;

-            goto done;

-        }

+        ksc.ksdata[i].enctype = keys[i].key_data_type[0];

+        ksc.ksdata[i].key.enctype = keys[i].key_data_type[0];

+        ksc.ksdata[i].key.contents = (void *)plain.data;

+        ksc.ksdata[i].key.length = plain.length;

         /* if salt available, add it */

         if (keys[i].key_data_length[1] != 0) {

-            rc = ber_printf(ber,

-                            "t{tito}",

-                            GKREP_SALT_TAG,

-                                GKREP_SALTTYPE_TAG,

-                                    (ber_int_t)keys[i].key_data_type[1],

-                                GKREP_SALTVALUE_TAG,

-                                    keys[i].key_data_contents[1],

-                                    (ber_len_t)keys[i].key_data_length[1]);

-            if (rc == -1) {

-                LOG_FATAL("Failed to encode salt data\n");

-                rc = LDAP_OPERATIONS_ERROR;

-                goto done;

-            }

-        }

-

-        rc = ber_printf(ber, "}");

-        if (rc == -1) {

-            LOG_FATAL("Failed to encode data\n");

-            rc = LDAP_OPERATIONS_ERROR;

-            goto done;

+            ksc.ksdata[i].salttype = keys[i].key_data_type[1];

+            ksc.ksdata[i].salt.data = (void *)keys[i].key_data_contents[1];

+            ksc.ksdata[i].salt.length = keys[i].key_data_length[1];

         }

     }

-    rc = ber_printf(ber, "}}");

-    if (rc == -1) {

-        LOG_FATAL("Failed to terminate key buffer\n");

-        rc = LDAP_OPERATIONS_ERROR;

-        goto done;

-    }

+    bvp = calloc(1, sizeof(struct berval));

+    if (!bvp) goto done;

-    rc = ber_flatten(ber, &bvp);

-    if (rc == -1) {

-        LOG_FATAL("Failed to encode key buffer\n");

-        rc = LDAP_OPERATIONS_ERROR;

-        goto done;

-    }

+    ret = ipaasn1_enc_getktreply(kvno, &ksc,

+                                 (void **)&bvp->bv_val, &bvp->bv_len);

+    if (!ret) goto done;

     rc = LDAP_SUCCESS;

 done:

+    for (int i = 0; i < ksc.nkeys; i ++) {

+        free(ksc.ksdata[i].key.contents);

+    }

     if (rc != LDAP_SUCCESS) {

         if (bvp) ber_bvfree(bvp);

     } else {

         *_bvp = bvp;

     }

-    if (ber) ber_free(ber, 1);

-    free(plain.data);

     return rc;

 }

diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am

index 2df175e53b2a547acdad546db182b38011becd06..b9c7020f3b687b3c0030ed5166625e6ef07e2fa4 100644

--- a/ipa-client/Makefile.am

+++ b/ipa-client/Makefile.am

@@ -14,11 +14,13 @@ export AM_CFLAGS

 KRB5_UTIL_DIR=../util

 KRB5_UTIL_SRCS=$(KRB5_UTIL_DIR)/ipa_krb5.c

+ASN1_UTIL_DIR=../asn1

 AM_CPPFLAGS =							\

 	-I.							\

 	-I$(srcdir)						\

 	-I$(KRB5_UTIL_DIR)					\

+	-I$(ASN1_UTIL_DIR)					\

 	-DPREFIX=\""$(prefix)"\" 				\

 	-DBINDIR=\""$(bindir)"\"				\

 	-DLIBDIR=\""$(libdir)"\" 				\

@@ -45,6 +47,7 @@ ipa_getkeytab_SOURCES =		\

 	$(NULL)

 ipa_getkeytab_LDADD = 		\

+	../asn1/libipaasn1.la	\

 	$(KRB5_LIBS)		\

 	$(OPENLDAP_LIBS)	\

 	$(SASL_LIBS)		\

@@ -80,6 +83,7 @@ ipa_join_LDADD = 		\

 	$(NULL)

 SUBDIRS =			\

+	../asn1			\

 	ipaclient		\

 	ipa-install		\

 	man			\

diff --git a/ipa-client/configure.ac b/ipa-client/configure.ac

index 34625622d3e3bb64866b3b0b1a58d29e33f11a7d..78da8e6e413b8becbd4c75422abffb670050f446 100644

--- a/ipa-client/configure.ac

+++ b/ipa-client/configure.ac

@@ -8,6 +8,7 @@ AC_PROG_LIBTOOL

 AC_CONFIG_SRCDIR([ipaclient/__init__.py])

 AC_CONFIG_HEADERS([config.h])

+AC_CONFIG_SUBDIRS([../asn1])

 AM_INIT_AUTOMAKE([foreign])

@@ -205,6 +206,7 @@ dnl ---------------------------------------------------------------------------

 AC_CONFIG_FILES([

     Makefile

+    ../asn1/Makefile

     ipaclient/Makefile

     ipa-install/Makefile

     man/Makefile

diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c

index bb43c333dca6560807a120103a1cb535fa87b76a..15255d6a33c8c298f138868ac545d4ebea415fe5 100644

--- a/ipa-client/ipa-getkeytab.c

+++ b/ipa-client/ipa-getkeytab.c

@@ -40,6 +40,7 @@

 #include "config.h"

 #include "ipa_krb5.h"

+#include "ipa_asn1.h"

 #include "ipa-client-common.h"

 static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *sit)

@@ -295,14 +296,15 @@ done:

     return ret;

 }

-static BerElement *get_control_data(LDAPControl **list, const char *repoid)

+static int find_control_data(LDAPControl **list, const char *repoid,

+                             struct berval *data)

 {

     LDAPControl *control = NULL;

     int i;

     if (!list) {

         fprintf(stderr, _("Missing reply control list!\n"));

-        return NULL;

+        return LDAP_OPERATIONS_ERROR;

     }

     for (i = 0; list[i]; i++) {

@@ -312,10 +314,22 @@ static BerElement *get_control_data(LDAPControl **list, const char *repoid)

     }

     if (!control) {

         fprintf(stderr, _("Missing reply control!\n"));

-        return NULL;

+        return LDAP_OPERATIONS_ERROR;

     }

-    return ber_init(&control->ldctl_value);

+    *data = control->ldctl_value;

+    return LDAP_SUCCESS;

+}

+

+static BerElement *get_control_data(LDAPControl **list, const char *repoid)

+{

+    struct berval data;

+    int ret;

+

+    ret = find_control_data(list, repoid, &data);

+    if (ret != LDAP_SUCCESS) return NULL;

+

+    return ber_init(&data);

 }

 static int ldap_set_keytab(krb5_context krbctx,

@@ -435,124 +449,42 @@ error_out:

 	return -1;

 }

-/* Format of getkeytab control

- *

- * KeytabGetRequest ::= CHOICE {

- *     newkeys      [0] Newkeys,

- *     curkeys      [1] CurrentKeys,

- *     reply        [2] Reply

- * }

- *

- * NewKeys ::= SEQUENCE {

- *     serviceIdentity [0] OCTET STRING,

- *     enctypes        [1] SEQUENCE OF Int16

- *     password        [2] OCTET STRING OPTIONAL,

- * }

- *

- * CurrentKeys ::= SEQUENCE {

- *     serviceIdentity [0] OCTET STRING,

- * }

- *

- * Reply ::= SEQUENCE {

- *     new_kvno        Int32

- *     keys            SEQUENCE OF KrbKey,

- * }

- *

- * KrbKey ::= SEQUENCE {

- *     key       [0] EncryptionKey,

- *     salt      [1] KrbSalt OPTIONAL,

- *     s2kparams [2] OCTET STRING OPTIONAL,

- * }

- *

- * EncryptionKey ::= SEQUENCE {

- *     keytype   [0] Int32,

- *     keyvalue  [1] OCTET STRING

- * }

- *

- * KrbSalt ::= SEQUENCE {

- *     type      [0] Int32,

- *     salt      [1] OCTET STRING

- * }

- */

-

-#define GK_REQUEST_NEWKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 0)

-#define GK_REQUEST_CURKEYS (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-#define GKREQ_SVCNAME_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-#define GKREQ_ENCTYPES_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 1)

-#define GKREQ_PASSWORD_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)

-

+/* use asn1c generated code to fill up control */

 static struct berval *create_getkeytab_control(const char *svc_princ, bool gen,

                                                const char *password,

                                                struct krb_key_salt *encsalts,

                                                int num_encsalts)

 {

-    struct berval *bval = NULL;

-    BerElement *be;

-    ber_tag_t ctag;

-    ber_int_t e;

-    int ret, i;

-

-    be = ber_alloc_t(LBER_USE_DER);

-    if (!be) {

-        return NULL;

-    }

-

-    if (gen) {

-        ctag = GK_REQUEST_NEWKEYS;

-    } else {

-        ctag = GK_REQUEST_CURKEYS;

-    }

-

-    ret = ber_printf(be, "t{ts", ctag, GKREQ_SVCNAME_TAG, svc_princ);

-    if (ret == -1) {

-        ber_free(be, 1);

-        goto done;

-    }

+    struct berval *result = NULL;

+    void *buffer = NULL;

+    size_t buflen;

+    long ets[num_encsalts];

+    bool ret;

+    int i;

     if (gen) {

-        ret = ber_printf(be, "t{", GKREQ_ENCTYPES_TAG);

-        if (ret == -1) {

-            ber_free(be, 1);

-            goto done;

-        }

         for (i = 0; i < num_encsalts; i++) {

-            e = encsalts[i].enctype;

-            ret = ber_printf(be, "i", e);

-            if (ret == -1) {

-                ber_free(be, 1);

-                goto done;

-            }

-        }

-        ret = ber_printf(be, "}");

-        if (ret == -1) {

-            ber_free(be, 1);

-            goto done;

-        }

-

-        if (password) {

-            ret = ber_printf(be, "ts", GKREQ_PASSWORD_TAG, password);

-            if (ret == -1) {

-                ber_free(be, 1);

-                goto done;

-            }

+            ets[i] = encsalts[i].enctype;

         }

     }

+    ret = ipaasn1_enc_getkt(gen, svc_princ,

+                            password, ets, num_encsalts,

+                            &buffer, &buflen);

+    if (!ret) goto done;

-    ret = ber_printf(be, "}");

-    if (ret == -1) {

-        ber_free(be, 1);

-        goto done;

-    }

+    result = malloc(sizeof(struct berval));

+    if (!result) goto done;

-    ret = ber_flatten(be, &bval);

-    if (ret == -1) {

-        ber_free(be, 1);

-        goto done;

-    }

+    result->bv_val = buffer;

+    result->bv_len = buflen;

 done:

-    ber_free(be, 1);

-    return bval;

+    if (result == NULL) {

+        if (buffer) {

+            free(buffer);

+        }

+    }

+    return result;

 }

 #define GK_REPLY_TAG (LBER_CLASS_CONTEXT | LBER_CONSTRUCTED | 2)

@@ -571,13 +503,8 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,

     struct berval *control = NULL;

     LDAP *ld = NULL;

     LDAPControl **srvctrl = NULL;

-    BerElement *ber = NULL;

-    ber_tag_t rtag;

-    ber_tag_t ctag;

-    ber_len_t tlen;

-    ber_int_t vno;

-    ber_int_t tint;

-    struct berval tbval;

+    struct berval data;

+    bool res;

     int ret;

     *err_msg = NULL;

@@ -609,98 +536,19 @@ static int ldap_get_keytab(krb5_context krbctx, bool generate, char *password,

         goto done;

     }

-    ber = get_control_data(srvctrl, KEYTAB_GET_OID);

-    if (!ber) {

-        *err_msg = _("Failed to find or parse reply control!\n");

-        ret = LDAP_OPERATIONS_ERROR;

-        goto done;

-    }

-

-    rtag = ber_scanf(ber, "t{i{", &ctag, &vno;;

-    if (rtag == LBER_ERROR || ctag != GK_REPLY_TAG) {