[Freeipa-devel] [PATCHES] Fix getkeytab operation

Simo Sorce simo at redhat.com
Tue Nov 18 05:01:20 UTC 2014


Hello team,

Recently Alexander opened the following bug:
https://fedorahosted.org/freeipa/ticket/4718

The problem with this code is that manual ASN.1 encoding is fragile and
too prone to error, and I found various issues while investigating the
bug. So I decided to give a shot at replacing the fragile manual code
with more robust code autogenerated by the asn1c compiler.

While working on replacing the code with the autogenerated one I
discovered additional encoding issues, of which the following ticket
represents only the most evident:
https://fedorahosted.org/freeipa/ticket/4728

I found numerous encoding errors which basically made the getkeytab
control we implemented in both the client and the server not respect
the encoding we actually defined with ASN.1 notation here:
http://www.freeipa.org/page/V4/Keytab_Retrieval

While digging and testing replacement functions it also became evident
that the getkeytab feature was only partially working and that the bug
in 4718 was not just a minor error: it cannot ever work on existing
servers, as there are compounding bugs that would prevent the
getkeytab protocol from ever working if the user specified enctypes via
ipa-getkeytab instead of just requesting the server's defaults.

Because of this, and because it was just too hard *and* useless to try to
be compatible with existing broken clients and servers, the new code
breaks compatibility for correctness of implementation.

The break in compatibility is mitigated by the fact that ipa-getkeytab
always falls back to the old setkeytab control in case of error, so
normal operations will not be disrupted. The only feature that will not
work if you have a buggy client or a buggy server is the keytab
retrieval option, as that feature is only available with the new
control. Given that we have only recently introduced CLI and UI to actually
enable the use of the retrieval option, and given the fact that 4.x has not
yet hit major distribution stable releases, I think that this patchset
is acceptable as long as we can land it in 4.1.2 and/or in an
immediately following patch release (also in 4.0.x possibly) so that it
can land as a zero day upgrade for Fedora (and an upgrade for Debian).

If you have any questions, please shoot.

This code is fully tested by me on top of master. I think it should
apply directly on 4.1.2 and 4.0.x with none or minor changes.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-filtering-of-enctypes-in-server-code.patch
Type: text/x-patch
Size: 3502 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141118/35d15815/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-asn1c-generated-code-for-keytab-controls.patch
Type: text/x-patch
Size: 352063 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141118/35d15815/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Use-asn1c-helpers-to-encode-decode-the-getkeytab-con.patch
Type: text/x-patch
Size: 25634 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141118/35d15815/attachment-0002.bin>