ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
on whether the constraint ranges include numbers that cannot be
represented in 32-bit ints and whether they include negative
numbers.
Template backend support included. check-template is now built with
--template, so we know we're testing it.
Tests included.
We enable kadm5_chpass_principal_3() in the server side of the
library. The client kadm5 library calls will still return the
error KAMD5_KS_TUPLE_NO_SUPP.
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
The code was generating a char ** of string representations of the
ks_tuple() array but it was not using it. We modify the code to:
1. extend the array returned by ks_tuple2str() to include
enough space for the trailing NULL and ensure that there
is a NULL at the end,
2. not free the array before exiting ks_tuple2str() as we
intend to use it in the caller,
3. re-organise the pointers in hdb_generate_key_set() to
make it more clear how we are to free things that have
been allocated.
4. free the char ** given us by ks_tuple2str() if it has
been allocated.
Signed-off-by: Nicolas Williams <nico@cryptonector.com>
AD issues x-realm TGTs with kvno 0. On key x-realm trust key change
we need to be able to try current and previous keys for trust, else
we will have some failures.
We have some cross-realm principals in an MIT KDB with one kind of
1DES enctype, but the other realm's KDCs issue x-realm TGTs where
the ticket encpart key enctype is a different 1DES enctype. We need
this to work if we use Heimdal with the MIT HDB backend.
An alternative would be to check for similar (or, rather,
compatible) enctypes in the KDC (and elsewhere?). This patch avoids
the need to make such ugly changes elsewhere.
Also: add support for ignoring null enctype / zero-length keys,
which *can* be found in MIT DB entries created in pre-historic
times.
Also: make the mitdb HDB backend more elegant (e.g., use the ASN.1
compiler's generated sequence/array utility functions.
Also: add a utility function needed for kadm5 kvno change
improvements and make kadmin's mod --kvno work correctly and
naturally.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This will be used to indicate to the backend if a fetch is for
an AS REQ or TGS REQ. Samba needs to take some action in the
HDB_F_FOR_TGS_REQ case and always canonicalize the principal
names, even without HDB_F_CANON.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Krb5 admin patches 2nd
This has all the patches needed for krb5_admind to build and pass most tests, that includes:
- more kadm5 API compatibility (including very basic profile functionality)
- multi-kvno support (useful for key rollovers) (a test for this is included in tests/db/check-kdc)
Unfinished:
- password history (currently uses key history, needs to be separated and use digests)
- policies (only default policy allowed)
- mit kdb changes not tested yet
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Added to 11 out of 14 directories with map files. Not lib/ntlm,
lib/hcrypto and kdc which have the map file as an explicit dependency
to _OBBJECTS.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
