Commit Graph

1028 Commits

Author SHA1 Message Date
Love Hörnquist Åstrand
c10e99bead Merge pull request #109 from cg2v/dist-kadmin-version-script
version-script-client.map needs to be in dist
2014-08-22 21:38:55 -07:00
Love Hörnquist Åstrand
37afa01be3 rename roken base64, fixes #107 2014-08-22 20:57:24 -07:00
Chaskiel Grundman
41da16b48a version-script-client.map needs to be in dist
version-script-client.map needs to be in lib/kadm5's EXTRA_DIST,
otherwise make distcheck fails
2014-07-07 12:39:49 -04:00
Jakub Čajka
6affa4ccec kadm5: fix race in Makefile with kadm5_err.h
When running make with -j4, occasionally kadm5 fails due to a missing
header file kadm5_err.h. Fix the race condition.

Reported at https://bugzilla.redhat.com/1115164

Reviewed-by: Ken Dreyer <ktdreyer@ktdreyer.com>
2014-07-01 13:18:09 -06:00
Nicolas Williams
b80b21c8a8 Make kadmin ext work when lacking get-keys priv
When we added the get-keys privilege we lost the ability to setup
keytabs with the kadmin ext command.  The fix is to note that we got
bogus key data and randkey (as we used to).
2014-03-25 21:45:10 -05:00
Jeffrey Altman
dba026b5ef Introduce and apply krb5_storage_from_socket
On Windows a file descriptor is an int value allocated by the
local module instance of the C Run Time Library.  A socket handle is a
SOCKET value allocated by a Winsock Provider for the requested family and
protocol.   These two values cannot be mixed and there is no mechanism for
converting between the two.   The _get_osfhandle() and _open_osfhandle()
functions can work with a standard HANDLE (file, pipe, etc) but cannot be
used for a SOCKET.

The Heimdal krb5_storage_from_fd() routine counted on the osf conversion
functions working on SOCKET values.  Since they do not any attempt to call
krb5_storage_from_fd() on a socket resulted in an assertion being thrown
by the C RTL.

Another problem is SOCKET value truncation when storing a 64-bit value
into a 32-bit int.

To address these problems a new krb5_storage_from_socket() routine is
introduced.  This routine setups a krb5_storage that stores a socket value
as a rk_socket_t and provides a set of helper routines that always use
network ready functions.

The krb5_storage_from_fd() routines no longer use net_read() and
net_write() but provide helpers that follow their logic so that pipes can
be processed.

All call sites that allocate a socket now store the socket as rk_socket_t
and call krb5_storage_from_socket().

All locations that previously called the bare close() on a socket value
now call rk_closesocket().

Change-Id: I045f775b2a5dbf5cf803751409490bc27fffe597
2014-02-04 23:20:08 -05:00
Jeffrey Altman
6c4423cd46 kadm5: use rk_closesocket to close sockets
kadm5_c_destroy did not use rk_closesocket when cleaning up
the context.  This results in an exception on Windows since a
socket is not a file descriptor.

Change-Id: I9ebddad61f0199acb495a0773925df4f41e4fef2
2014-02-03 15:40:32 -05:00
Russ Allbery
22c7f07ed8 Add symbol versioning for libkadm5clnt
In order to support plugins for kadmin that use libkadm5srv, the
libkadm5clnt library has to be versioned to avoid hijacking all
of the function calls that should go to the server library.  Omit
the _kadm5_ clients from the public interface, and version
everything else.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2013-12-23 13:20:26 +01:00
Love Hornquist Astrand
1d84562886 add HDBGET: that only supports get, iteration doesnt really make sense for the HDB keytab except when dumping 2013-10-15 12:40:39 +02:00
Jeffrey Altman
3c3e2ad5e6 Windows: ktutil.exe requires libkadmsrv and libhdb
Include libkadmsrv.dll and libhdb.dll in the assembly which are
required for ktutil.exe to load.

Change-Id: Ic72d51e72daac71683a7f7000fe084197ee3c94a
2013-09-13 22:17:43 -04:00
Nicolas Williams
2d238b9d15 Backwards interop for older iprop peers
Don't abort() when seeing as-yet-unimplemented things we know about.

Patch from Harald Barth <haba@kth.se>.
2013-08-12 11:40:23 -05:00
Love Hornquist Astrand
6e5bfce2de use socket_set_nonblocking 2013-04-24 16:31:32 -07:00
Viktor Dukhovni
72f0690694 Temporary fix for high-priority iprop issues
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-24 16:29:34 -07:00
Viktor Dukhovni
eface6d31f Fix free before use in ipropd_master slaves-stats open function
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-24 16:27:34 -07:00
Love Hornquist Astrand
60472d48ea set vno to unconfuse coverity 2012-11-27 21:58:05 -08:00
Love Hornquist Astrand
65107e39ee fixup error messages 2012-10-01 09:54:13 -07:00
Love Hornquist Astrand
0a237dc778 don't use free'd string 2012-10-01 09:53:52 -07:00
Roland C. Dowdeswell
be5afdbf7f Make concurrent builds work.
To stop the errors when building concurrently, we make a number of
changes:

        1.  stop including generated files in *_SOURCES,

        2.  make *-protos.h and *-private.h depend on the *_SOURCES,

        3.  make all objects depend on *-{protos,private}.h,

        4.  in a few places change dir/header.h to $(srcdir)/dir/header.h,

This appears to work for me with make -j16 on a 4-way box.
2012-08-08 00:04:04 +01:00
Nicolas Williams
82f1c1f391 Encrypt keys in change password code even when !keepold 2012-06-14 13:46:20 -05:00
Jeffrey Altman
aed7a3b948 Windows: missing exports on Windows
synchronize the export lists on Windows and UNIX.
When new functions are exported on UNIX or Windows,
the "test" build target on Windows will verify if
the export lists are in sync.

Change-Id: I9df3607983b03ee8dc6fa7cd22f85b07a6cee784
2012-06-12 18:48:37 -04:00
Roland C. Dowdeswell
5775cb529c randkey_s.c must also clear requires_pwchange flag. 2012-06-08 16:09:55 +01:00
Roland C. Dowdeswell
c2cd2395bb chpass_s.c must set KADM5_ATTRIBUTES when writing the log entry...
...because we may have cleared the requires_pwchange flag.
2012-06-08 16:08:25 +01:00
Roland C. Dowdeswell
539ba5fb87 Fix issue where master HDB can be locked while waiting for network I/O.
We should not hold locks on the master's database while waiting
for network I/O which may take a terribly long time to complete as
this will block out all writers and could therefore be slightly
problematic.  ipropd-master was holding a shared lock on the database
while sending a complete propation to slaves which are out of sync
with the log file.  We fix this by writing what we intend to send
in record format into a file hdb_db_dir()/ipropd.dumpfile while
holding a shared lock on the database and then we send the contents
of the file after releasing the lock.  We also save and re-use the file
that we generated during future complete propagation events as long
as the log is long enough to get us back to the state previously
dumped.
2012-06-06 22:29:03 +01:00
Roland C. Dowdeswell
f9f78a2cbf kadm5_log_reinit() needs to obtain its lock before truncating the file.
We can't use O_TRUNC on open because (without O_EXLOCK which is
not portable) we would be modifying the file without an exclusive
lock.  So, we drop the use of O_TRUNC and use ftruncate(2) after
obtaining the lock via flock(2).
2012-05-31 17:30:29 +01:00
Harald Barth
8546c0c7b8 Better character classes and wording
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2012-05-30 19:43:30 +02:00
Roland C. Dowdeswell
8dc7c43a8b ipropd_slave.c: init data to zero or we free a random ptr. 2012-05-28 12:43:29 +01:00
Roland C. Dowdeswell
21b7863935 kadm5_s_get_principals() is a read only operation, so open the HDB in r/o mode. 2012-05-18 17:13:30 +01:00
Nicolas Williams
ef9012aef5 Fix ipropd-slave assert when doing del_enctype
Change a paranoid heim_assert into something better.  Update block
    comment.

    Next commit: add a test for del_enctype and iprop.
2012-03-15 18:57:32 -05:00
Roland C. Dowdeswell
92b243a638 We must unlock before close. 2012-03-07 11:17:26 +00:00
Roland C. Dowdeswell
5b2d65fa2b We need to remove +requires_pwchange on passwd changes. 2012-02-27 11:04:24 +00:00
Roland C. Dowdeswell
0da84c0c3a Add require-pwchange flag to HDB and honour it if present in mit-db:. 2012-02-27 10:19:54 +00:00
Roland C. Dowdeswell
932c4c1859 We use a struct defined in sys/un.h. 2012-02-25 17:19:44 +00:00
Roland C. Dowdeswell
12b24ad876 Add a server side implementation of kadm5_create_principal_3(). 2012-02-24 18:56:30 +00:00
Roland C. Dowdeswell
1017d42b18 We honour settings to specify the location of the KDB and stash file. 2012-02-24 18:56:25 +00:00
Roland C. Dowdeswell
e8779d5d4a Add -Wshadow and deal with the warnings. 2012-02-21 11:17:55 +00:00
Roland C. Dowdeswell
cc47c8fa7b Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.
We turn on a few extra warnings and fix the fallout that occurs
when building with --enable-developer.  Note that we get different
warnings on different machines and so this will be a work in
progress.  So far, we have built on NetBSD/amd64 5.99.64 (which
uses gcc 4.5.3) and Ubuntu 10.04.3 LTS (which uses gcc 4.4.3).

Notably, we fixed

	1.  a lot of missing structure initialisers,

	2.  unchecked return values for functions that glibc
	    marks as __attribute__((warn-unused-result)),

	3.  made minor modifications to slc and asn1_compile
	    which can generate code which generates warnings,
	    and

	4.  a few stragglers here and there.

We turned off the extended warnings for many programs in appl/ as
they are nearing the end of their useful lifetime, e.g.  rsh, rcp,
popper, ftp and telnet.

Interestingly, glibc's strncmp() macro needed to be worked around
whereas the function calls did not.

We have not yet tried this on 32 bit platforms, so there will be
a few more warnings when we do.
2012-02-20 19:45:41 +00:00
Love Hörnquist Åstrand
a802c4799d Log client status changes 2012-02-15 21:05:05 -08:00
Love Hörnquist Åstrand
bf37778dbd make ipropd_slave tell its status in a status file
The ipropd_slave will log its status to /var/heimdal/ipropd-slave-status
if its connecting, up to date, or disconnected.

The master will now also confirm to slaves that are are in fact up to date
if they just restart, before there was no confirmation, the slave just didn't
get any deltas.
2012-02-15 20:59:54 -08:00
Russ Allbery
5ca056969a Close memory leak in the client kadmin library
kadm5_c_destroy was not freeing the kadm5_client_context, just its
contents.  Also free the context itself.

Signed-off-by: Nicolas Williams <nico@cryptonector.com>
2011-12-22 18:36:17 -06:00
Nicolas Williams
417dff03ba Fix trailing whitespace 2011-11-29 14:50:44 -06:00
Roland C. Dowdeswell
af011f57fc Provide server side kadm5_chpass_principal_3() with ks_tuple implementation.
We enable kadm5_chpass_principal_3() in the server side of the
library.  The client kadm5 library calls will still return the
error KAMD5_KS_TUPLE_NO_SUPP.

Signed-off-by: Nicolas Williams <nico@cryptonector.com>
2011-11-29 14:47:37 -06:00
Roland C. Dowdeswell
2f6ad56c46 Reverse order of n_ks_tuple and ks_tuple in hdb_generate_key_set().
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
2011-11-29 14:47:37 -06:00
Nicolas Williams
40a7d4b62f More fixes for -Werror (GCC 4.6 catches more stuff) 2011-11-02 23:20:55 -05:00
Nicolas Williams
104bb8ef53 Fix unitialized HDB_extension problem (specifically the mandatory field) 2011-10-31 00:20:05 -05:00
Love Hornquist Astrand
33f717edb2 Only set msg in case we have one, from Rangar Sundblad 2011-10-19 10:38:59 +02:00
Nicolas Williams
0c893d3980 Fixed booboos from kadm5 key history patch set
Also: add support for ignoring null enctype / zero-length keys,
    which *can* be found in MIT DB entries created in pre-historic
    times.

    Also: make the mitdb HDB backend more elegant (e.g., use the ASN.1
    compiler's generated sequence/array utility functions.

    Also: add a utility function needed for kadm5 kvno change
    improvements and make kadmin's mod --kvno work correctly and
    naturally.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-09-22 15:13:13 +02:00
Luke Howard
775a452313 some Windows build fixes 2011-09-12 20:11:36 +10:00
Love Hörnquist Åstrand
8fccb51d49 Merge pull request #12 from nicowilliams/krb5_admin_patches_2nd
Krb5 admin patches 2nd

This has all the patches needed for krb5_admind to build and pass most tests, that includes:
- more kadm5 API compatibility (including very basic profile functionality)
- multi-kvno support (useful for key rollovers) (a test for this is included in tests/db/check-kdc)

Unfinished:
- password history (currently uses key history, needs to be separated and use digests)
- policies (only default policy allowed)
- mit kdb changes not tested yet


Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-24 15:41:36 -07:00
Linus Nordberg
2e35198908 Add version-script.map to _DEPENDENCIES.
Added to 11 out of 14 directories with map files.  Not lib/ntlm,
lib/hcrypto and kdc which have the map file as an explicit dependency
to _OBBJECTS.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-24 14:07:59 -07:00
Nicolas Williams
a7717ae4f9 Use heim_assert() instead of assert() 2011-07-24 11:10:37 -05:00