[Freeipa-devel] [PATCH] Fixup fix for 4914
Alexander Bokovoy
abokovoy at redhat.com
Fri May 29 15:59:20 UTC 2015
On Fri, 29 May 2015, Simo Sorce wrote:
>The patches for ticket 4914 worked fine on Fedora 22 (and in general any
>system that was updated to krb5 1.13) however they fail in Fedora 21 and
>similar because of a bug in one of the libkrb5 functions used in the new
>code. The bug is fixed in 1.13 but not in older versions as it causes
>side effects in kadmin output.
>
>The attached patch takes care of using a replacement function if we
>detect at runtime that the library in use does not have the fixes
>present in 1.13. This allows us the freedom to backport or not the 1.13
>fix.
>
>Unfortunately I am running out of time today so I could not test it, but
>I still wanted to put it out there to get this fixed asap.
>
>Milan, or Martin, can you please test it ?
>
>Simo.
>
>--
>Simo Sorce * Red Hat, Inc * New York
>>From ea7811f7d11b68a34dc357d0e0dcb7d81c7f65c8 Mon Sep 17 00:00:00 2001
>From: Simo Sorce <simo at redhat.com>
>Date: Fri, 29 May 2015 11:18:17 -0400
>Subject: [PATCH] Add compatibility function for older libkrb5
>
>Before krb5 1.13 the krb5_salttype_to_string() function was returning
>incorrect names (display names of some kind instead of the names
>used by the rest of the library to map saltname to the salt type
>integer number).
>This patch adds a function that checks at runtime if we have a working
>function and uses a fallback map updated to the salt types known up
>to 1.12, this allows us to use the library provided function in
>following releases where new salt types may emerge.
>
>Signed-off-by: Simo Sorce <simo at redhat.com>
>---
> util/ipa_krb5.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 60 insertions(+), 1 deletion(-)
>
>diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
>index 65e10dd401edf6b54988fc4bfa5a2e08789b7b75..d6992c561830ff682ede3a156ad9efbfff701432 100644
>--- a/util/ipa_krb5.c
>+++ b/util/ipa_krb5.c
>@@ -1075,6 +1075,65 @@ int create_keys(krb5_context krbctx,
> return nkeys;
> }
>
>+/* in older versions of libkrb5 the krb5_salttype_to_string() function is
>+ * faulty and returns strings that do not match the expected format.
>+ * Later version of krb5 were fixed to return the proper string.
>+ * Do lazy detection the first time the function is invoked to determine
>+ * if we can use the library provided function or if we have to use a
>+ * fallback map which includes the salt types known up to krb5 1.12 (the
>+ * fault is fixed upstream in 1.13). */
>+static int ipa_salttype_to_string(krb5_int32 salttype,
>+ char *buffer, size_t buflen)
>+{
>+ static int faulty_function = -1;
>+
>+ static const struct {
>+ krb5_int32 salttype;
>+ const char *name;
>+ } fallback_map[] = {
>+ { KRB5_KDB_SALTTYPE_NORMAL, "normal" },
>+ { KRB5_KDB_SALTTYPE_V4, "v4" },
>+ { KRB5_KDB_SALTTYPE_NOREALM, "norealm" },
>+ { KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm" },
>+ { KRB5_KDB_SALTTYPE_SPECIAL, "speacial" },
There is a typo in 'special' in the KRB5_KDB_SALTTYPE_SPECIAL entry.
It needs to be fixed before we get this ACKed.
>+ { KRB5_KDB_SALTTYPE_AFS3, "afs3" },
>+ { -1, NULL }
>+ };
>+
>+ if (faulty_function == -1) {
>+ /* haven't checked yet, let's find out */
>+ char testbuf[100];
>+ size_t len = 100;
>+ int ret;
>+
>+ ret = krb5_salttype_to_string(KRB5_KDB_SALTTYPE_NORMAL, testbuf, len);
>+ if (ret) return ret;
>+
>+ if (strcmp(buffer, "normal") == 0) {
>+ faulty_function = 0;
>+ } else {
>+ faulty_function = 1;
>+ }
>+ }
>+
>+ if (faulty_function == 0) {
>+ return krb5_salttype_to_string(salttype, buffer, buflen);
>+ } else {
>+ size_t len;
>+ int i;
>+ for (i = 0; fallback_map[i].name != NULL; i++) {
>+ if (salttype == fallback_map[i].salttype) break;
>+ }
>+ if (fallback_map[i].name == NULL) return EINVAL;
>+
>+ len = strlen(fallback_map[i].name);
>+ if (len >= buflen) return ENOMEM;
>+
>+ memcpy(buffer, fallback_map[i].name, len + 1);
>+ return 0;
>+ }
>+}
>+
> int ipa_kstuples_to_string(krb5_key_salt_tuple *kst, int n_kst, char **str)
> {
> char *buf = NULL;
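Review bot: The runtime probe in ipa_salttype_to_string() fills testbuf but then calls strcmp(buffer, "normal"), so it inspects the caller's output buffer, which nothing has written yet, instead of the probe result. The comparison should be strcmp(testbuf, "normal"). As posted, the detection result depends on whatever the caller's buffer happens to hold, and because faulty_function is static that first result is kept for the rest of the process. Passing sizeof(testbuf) instead of a separate len = 100 would also keep the probe size tied to the buffer.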
>@@ -1130,7 +1189,7 @@ int ipa_kstuples_to_string(krb5_key_salt_tuple *kst, int n_kst, char **str)
> buf[buf_cur + len] = ':';
> len++;
>
>- ret = krb5_salttype_to_string(kst[i].ks_salttype,
>+ ret = ipa_salttype_to_string(kst[i].ks_salttype,
> &buf[buf_cur + len], buf_avail - len);
> if (ret == ENOMEM) {
> i--;
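Review bot: At the ipa_salttype_to_string() call site the only error handled in the visible lines is ret == ENOMEM, but the new wrapper can also return EINVAL for a salt type missing from fallback_map, and it passes through any error from its first-call probe. Please confirm that the code following this branch treats every other nonzero ret as a failure rather than continuing with an unwritten salt name in buf.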
>--
>2.4.1
>
--
/ Alexander Bokovoy