Commit 9f696b11c2 changed the
behaviour of key expiry for principals that have an sambaPwdLastSet
attribute in LDAP. The change was twofold:
* if "password_lifetime" is not set in kdc.conf a default lifetime
of 1 year is enforced
* krb5PasswordEnd is not honoured.
This patch causes pw_end to be modified only if sambaPwdLastSet
*and* "password_lifetime" is defined in kdc.conf.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
o implement add1() using 32 bit ints, this makes _krb5_n_fold()
about 5% faster on an amd64 platform. 64 bit ints yield a
further improvement but we would need to test the platform
to see if they are natively supported. This should yield
better performance improvements on big endian machines as
we have to byte swap on little endian boxen.
o fix two cases where a malloc(3)d pointer may be dereferenced
before we test that it is not NULL.
All in lib/krb5/n-fold.c:
1. eliminate malloc/free from rr13() because it is always a
buffer of the same size called in a tight loop.
2. eliminate memcpy(3) from rr13() by bouncing back and forth
between two buffers buf1, buf2 instead of performing the
calculation into a tmp buffer and memcpy(3)ing the result
back into buf.
3. eliminate code cases from rr13() that I can visually determine
will never occur but I'm guessing that the compiler can't, i.e.
i. now that we're no longer using malloc(3), rr13()
cannot fail, so make it void and avoid the if in
the calling routine checking its error code. In
case you ask, yes, this made the tests run a little
faster,
ii. rr13() has code for being passed a number of bits
not divisible by 8 but _krb5_n_fold() only passes
an int * 8. So, we eliminate this conditional and
the associated code.
4. we make rr13() take 2 destination buffers and copy the results
into both of them, we use this to eliminate another memcpy(3)
from the calling routine. This appears to make it a bit faster
as well.
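The rr13()/add1() structure that the commit message above describes, as an added example that is not the Heimdal code from lib/krb5/n-fold.c: a stand-alone C implementation of RFC 3961 n-fold that bounces the rotating input between two buffers (the buf1/buf2 scheme) and folds each output-sized chunk in with ones-complement add1(). The names n_fold, rr13, add1, n_fold_matches and NFOLD_MAX are this example's own, the byte-oriented rotation and the fixed NFOLD_MAX bound are simplifications chosen for readability rather than the project's design, and the expected outputs are the test vectors from RFC 3961 appendix A.1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFOLD_MAX 64  /* size bound for this example only; Heimdal has no such limit */

/* Rotate the len-byte big-endian bit string src right by 13 bits into dst.
 * 13 = 8 + 5, so byte k of the result is the low 5 bits of src[k-2] followed
 * by the high 3 bits of src[k-1] (indices modulo len). src and dst must be
 * distinct; the caller alternates two buffers instead of copying back. */
static void rr13(const uint8_t *src, uint8_t *dst, size_t len)
{
    size_t k;
    for (k = 0; k < len; k++) {
        uint8_t hi = src[(k + 2 * len - 2) % len];
        uint8_t lo = src[(k + len - 1) % len];
        dst[k] = (uint8_t)((hi << 3) | (lo >> 5));
    }
}

/* Ones-complement addition acc = acc + x over len-byte big-endian integers:
 * a carry out of the top byte is added back at the bottom (end-around carry). */
static void add1(uint8_t *acc, const uint8_t *x, size_t len)
{
    unsigned carry = 0;
    size_t i;
    for (i = len; i-- > 0; ) {
        unsigned s = (unsigned)acc[i] + x[i] + carry;
        acc[i] = (uint8_t)s;
        carry = s >> 8;
    }
    for (i = len; carry != 0 && i-- > 0; ) {
        unsigned s = (unsigned)acc[i] + carry;
        acc[i] = (uint8_t)s;
        carry = s >> 8;
    }
}

static size_t gcd(size_t a, size_t b)
{
    while (b != 0) { size_t t = a % b; a = b; b = t; }
    return a;
}

/* RFC 3961 n-fold of inlen bytes into outlen bytes.
 * Returns 0 on success, -1 for a zero length or one above NFOLD_MAX. */
int n_fold(const uint8_t *in, size_t inlen, uint8_t *out, size_t outlen)
{
    uint8_t buf1[NFOLD_MAX], buf2[NFOLD_MAX], chunk[NFOLD_MAX];
    uint8_t *cur = buf1, *next = buf2, *tmp;
    size_t lcm, produced, i, filled = 0;

    if (inlen == 0 || outlen == 0 || inlen > NFOLD_MAX || outlen > NFOLD_MAX)
        return -1;
    lcm = inlen / gcd(inlen, outlen) * outlen;
    memset(out, 0, outlen);
    memcpy(cur, in, inlen);

    /* Copy i of the input is the original rotated right by 13*i bits. Stream the
     * copies into outlen-byte chunks and fold every full chunk into out. */
    for (produced = 0; produced < lcm; produced += inlen) {
        for (i = 0; i < inlen; i++) {
            chunk[filled++] = cur[i];
            if (filled == outlen) {
                add1(out, chunk, outlen);
                filled = 0;
            }
        }
        rr13(cur, next, inlen);          /* next = cur rotated, no memcpy back */
        tmp = cur; cur = next; next = tmp;
    }
    return 0;
}

/* n-fold the NUL-terminated string s to bits/8 bytes and compare the lowercase
 * hex encoding with expected_hex. Returns 1 on match, 0 otherwise. */
int n_fold_matches(const char *s, size_t bits, const char *expected_hex)
{
    static const char hexdig[] = "0123456789abcdef";
    uint8_t out[NFOLD_MAX];
    char hex[2 * NFOLD_MAX + 1];
    size_t outlen = bits / 8, i;

    if (bits % 8 != 0 || n_fold((const uint8_t *)s, strlen(s), out, outlen) != 0)
        return 0;
    for (i = 0; i < outlen; i++) {
        hex[2 * i] = hexdig[out[i] >> 4];
        hex[2 * i + 1] = hexdig[out[i] & 0x0f];
    }
    hex[2 * outlen] = '\0';
    return strcmp(hex, expected_hex) == 0;
}

int main(void)
{
    /* Test vectors from RFC 3961, appendix A.1. */
    printf("64-fold(\"012345\") %s\n",
           n_fold_matches("012345", 64, "be072631276b1955") ? "ok" : "FAIL");
    printf("168-fold(\"Q\")     %s\n",
           n_fold_matches("Q", 168, "518a54a215a8452a518a54a215a8452a518a54a215") ? "ok" : "FAIL");
    return 0;
}
```

The example keeps add1() on bytes so the end-around carry is visible; the commit's 32-bit add1() is the same operation on wider limbs. Because lcm is a multiple of both lengths, the chunk buffer is always empty when the loop ends, which is why no partial-chunk handling is needed.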
In both hx509_cert_init() and hx509_cert_init_data(), there is an
output parameter for the error code but there are cases where the
error is used as a return value instead of the specified hx509_cert.
We fix these issues. We also check if error is non-NULL and only
set the error in this case, allowing the functions to be called
with error == NULL without segfault.
1. in ticket_lifetime() calculate the remaining lifetime
of the ticket rather than the requested lifetime.
2. in renew_func(), attempt to renew if the tickets are
renewable rather than only if --renewable is specified.
3. fix the call to renew_validate() in renew_func() to
specify renewable tickets if the original tickets are
renewable rather than only if --renewable is specified.
4. stop printing constant warnings to the terminal about
how tickets cannot be obtained if they expire, cannot
be renewed and we can't non-interactively obtain fresh
ones. We limit it to a single warning.
5. after the tickets expire, we back off the requests to
obtain fresh tickets exponentially.
__sync_add_and_fetch is treated as a built-in function by the compiler if the return value is not used (as in the autoconf test), but it is treated as a regular function when the return value is used.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>