URL: https://github.com/freeipa/freeipa/pull/4126
Author: frozencemetery
 Title: #4126: Support KDB DAL version 8.0
Action: opened

PR body:
"""
A krb5 build containing the 1.18 beta - which has this KDB version - can be 
found here for testing: 
https://koji.fedoraproject.org/koji/taskinfo?taskID=40498937

Note that samba isn't ready for KDB 8.0 yet, so I don't expect this to build in CI at the moment.  I've reached out to @iboukris to coordinate that.

(This is based on #3842).


"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4126/head:pr4126
git checkout pr4126
From 702902e4e6605df2a0d78a7ecd80c8cf7ed32a01 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Wed, 31 Jul 2019 18:20:34 -0400
Subject: [PATCH 1/6] [KDB] Make the coding style explicit

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-kdb/README | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/daemons/ipa-kdb/README b/daemons/ipa-kdb/README
index b0786853bd..4075082ee2 100644
--- a/daemons/ipa-kdb/README
+++ b/daemons/ipa-kdb/README
@@ -1 +1,19 @@
 This is the ipa krb5kdc database backend.
+
+As the KDB interfaces heavily with krb5, we inherit its code style as well.
+However, note the following changes:
+
+- no modelines (and different file preamble)
+- return types don't require their own line
+- single-statement blocks may optionally be braced
+- /* and */ do not ever get their own line
+- C99 for-loops are permitted (and encouraged)
+- a restricted set of other C99 features are permitted
+
+In particular, variable-length arrays, flexible array members, compound
+literals, universal character names, and //-style comments are not permitted.
+
+Use of regular malloc/free is preferred over talloc for new code.
+
+By and large, existing code mostly conforms to these requirements.  New code
+must conform to them.

From a227e24b347810e58cf04a17ebf12056a78a6d75 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 1 Nov 2019 16:48:55 -0400
Subject: [PATCH 2/6] [KDB] Use separate variable for client fetch in kdcpolicy

`client` is not intended to be modified as a parameter of the AS check
function.  Fixes an "incompatible pointer type" compiler warning.

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 0b8aa668f6..9467b1ba1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -23,6 +23,7 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
     struct ipadb_e_data *ied;
     struct ipadb_e_pol_limits *pol_limits = NULL;
     int valid_auth_indicators = 0;
+    krb5_db_entry *client_actual = NULL;
 
     *status = NULL;
     *lifetime_out = 0;
@@ -32,13 +33,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
     if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
         /* e-data is not availble, getting user auth from LDAP */
         krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
-        kerr = ipadb_get_principal(context, request->client, KRB5_KDB_FLAG_ALIAS_OK, &client);
+        kerr = ipadb_get_principal(context, request->client,
+                                   KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
         if (kerr != 0) {
             krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
             return kerr;
         }
 
-        ied = (struct ipadb_e_data *)client->e_data;
+        ied = (struct ipadb_e_data *)client_actual->e_data;
         if (ied == NULL && ied->magic != IPA_E_DATA_MAGIC) {
             krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: client e_data fetching failed.");
             return EINVAL;
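Review bot: The check right after the new `client_actual->e_data` assignment, `if (ied == NULL && ied->magic != IPA_E_DATA_MAGIC)`, dereferences `ied` when it is NULL and never fires when it is non-NULL, so the fetched entry is effectively not validated; it should mirror the check at the top of the function, `if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC)`. That line is context rather than part of the change, but it is the only consumer of the new `client_actual` path. Separately, `client_actual` comes back from ipadb_get_principal and nothing in the hunk checks it for NULL before `->e_data` or releases it, and `ied` points into that entry, so its lifetime has to cover the rest of the policy check; ipa_kdcpolicy_check_as continues past the hunk, so the release may well be there.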

From 172249998c365bad5c08eca96f91e25129aea4ec Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Thu, 9 Jan 2020 16:11:28 -0500
Subject: [PATCH 3/6] [KDB] Fix several leaks in ipadb_find_principal

`vals` is often leaked during early exit.  Refactor function to use a
single exit path to prevent this.

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 132 +++++++++++++--------------
 1 file changed, 64 insertions(+), 68 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 9e711cea5e..47e44f0900 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1035,100 +1035,96 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
     struct ipadb_context *ipactx;
     bool found = false;
     LDAPMessage *le = NULL;
-    struct berval **vals;
-    int i, result;
+    struct berval **vals = NULL;
+    int result;
+    krb5_error_code ret;
 
     ipactx = ipadb_get_context(kcontext);
     if (!ipactx) {
-        return KRB5_KDB_DBNOTINITED;
+        ret = KRB5_KDB_DBNOTINITED;
+        goto done;
     }
 
-    while (!found) {
-
-        if (!le) {
-            le = ldap_first_entry(ipactx->lcontext, res);
-        } else {
-            le = ldap_next_entry(ipactx->lcontext, le);
-        }
-        if (!le) {
-            break;
-        }
-
+    for (le = ldap_first_entry(ipactx->lcontext, res); le != NULL;
+         le = ldap_next_entry(ipactx->lcontext, le)) {
         vals = ldap_get_values_len(ipactx->lcontext, le, "krbprincipalname");
-        if (vals == NULL) {
+        if (vals == NULL)
             continue;
-        }
 
-        /* we need to check for a strict match as a '*' in the name may have
-         * caused the ldap server to return multiple entries */
-        for (i = 0; vals[i]; i++) {
-            /* KDC will accept aliases when doing TGT lookup (ref_tgt_again in do_tgs_req.c */
-            /* Use case-insensitive comparison in such cases */
-            if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
-                if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len,
-                                (*principal), strlen(*principal),
-                                NULL, NULL, &result) != 0)
-                    return KRB5_KDB_INTERNAL_ERROR;
-                found = (result == 0);
-                if (found) {
-                    /* replace the incoming principal with the value having
-                     * the correct case. This ensures that valid name/alias
-                     * is returned even if krbCanonicalName is not present
-                     */
-                    free(*principal);
-                    *principal = strdup(vals[i]->bv_val);
-                    if (!(*principal)) {
-                        return KRB5_KDB_INTERNAL_ERROR;
-                    }
-                }
-            } else {
-                found = (strcmp(vals[i]->bv_val, (*principal)) == 0);
+        /* We need to check for a strict match as a '*' in the name may have
+         * caused the ldap server to return multiple entries. */
+        for (int i = 0; vals[i]; i++) {
+            if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
+                found = strcmp(vals[i]->bv_val, *principal) == 0;
+                if (found)
+                    break;
+
+                continue;
             }
-            if (found) {
-                break;
+
+            /* The KDC will accept aliases when doing TGT lookup
+             * (ref_tgt_again in do_tgs_req.c), so use case-insensitive
+             * comparison. */
+            if (ulc_casecmp(vals[i]->bv_val, vals[i]->bv_len, *principal,
+                            strlen(*principal), NULL, NULL, &result) != 0) {
+                ret = KRB5_KDB_INTERNAL_ERROR;
+                goto done;
             }
+            if (result != 0)
+                continue;
+
+            /* Fix case on the incoming principal to ensure that a valid
+             * name/alias is returned even if krbCanonicalName is not
+             * present. */
+            free(*principal);
+            *principal = strdup(vals[i]->bv_val);
+            if (!*principal) {
+                ret = KRB5_KDB_INTERNAL_ERROR;
+                goto done;
+            }
+            found = true;
+            break;
         }
-
-        ldap_value_free_len(vals);
-
-        if (!found) {
+        if (!found)
             continue;
-        }
 
-        /* we need to check if this is the canonical name */
+        /* We need to check if this is the canonical name. */
+        ldap_value_free_len(vals);
         vals = ldap_get_values_len(ipactx->lcontext, le, "krbcanonicalname");
-        if (vals == NULL) {
-            continue;
-        }
-
-        /* Again, if aliases are accepted by KDC, use case-insensitive comparison */
-        if ((flags & KRB5_KDB_FLAG_ALIAS_OK) != 0) {
-            found = true;
-        } else {
-            found = (strcmp(vals[0]->bv_val, (*principal)) == 0);
-        }
+        if (vals == NULL)
+            break;
 
-        if (!found) {
-            /* search does not allow aliases */
-            ldap_value_free_len(vals);
-            continue;
+        /* If aliases aren't accepted by the KDC, use case-sensitive
+         * comparison. */
+        if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
+            found = strcmp(vals[0]->bv_val, *principal) == 0;
+            if (!found) {
+                ldap_value_free_len(vals);
+                continue;
+            }
         }
 
         free(*principal);
         *principal = strdup(vals[0]->bv_val);
-        if (!(*principal)) {
-            return KRB5_KDB_INTERNAL_ERROR;
+        if (!*principal) {
+            ret = KRB5_KDB_INTERNAL_ERROR;
+            goto done;
         }
-
-        ldap_value_free_len(vals);
+        break;
     }
 
     if (!found || !le) {
-        return KRB5_KDB_NOENTRY;
+        ret = KRB5_KDB_NOENTRY;
+        goto done;
     }
 
+    ret = 0;
     *entry = le;
-    return 0;
+done:
+    if (vals)
+        ldap_value_free_len(vals);
+
+    return ret;
 }
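Review bot: The single-exit refactor introduces two `vals` bugs of its own. First, the `if (!found) continue;` after the krbprincipalname loop no longer frees `vals` (the old code freed it unconditionally before that test), and the next iteration reassigns `vals` at the top of the loop, so every non-matching entry now leaks its values. Second, the krbcanonicalname mismatch path does `ldap_value_free_len(vals); continue;` without clearing `vals`; when that was the last entry the loop ends, `found` is false, and `done:` frees the same pointer again — a double free. Both are fixed by freeing and NULLing `vals` on those two paths so that `done:` only ever sees a live or NULL pointer.

```c
        /* … unchanged: krbprincipalname match loop … */
        if (!found) {
            ldap_value_free_len(vals);
            vals = NULL;
            continue;
        }

        /* … unchanged: krbcanonicalname fetch … */
            if (!found) {
                ldap_value_free_len(vals);
                vals = NULL;
                continue;
            }
```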
 
 static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,

From 3a89c98ad34887cd241bbf32f2d21404e9fd3e7b Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Thu, 9 Jan 2020 16:44:15 -0500
Subject: [PATCH 4/6] [KDB] Handle the removal of KRB5_KDB_FLAG_ALIAS_OK

In ac8865a22138ab0c657208c41be8fd6bc7968148 (between 1.17 and 1.18),
krb5 removed this flag, and always accepts aliases.

Related-to: https://pagure.io/freeipa/issue/7879
Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_certauth.c   | 21 +++++++-------
 daemons/ipa-kdb/ipa_kdb_kdcpolicy.c  | 11 +++++--
 daemons/ipa-kdb/ipa_kdb_principals.c | 43 ++++++++++++++++------------
 3 files changed, 43 insertions(+), 32 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index 47911aa3de..bc6b26578d 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -261,16 +261,18 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
                                               const krb5_db_entry *db_entry,
                                               char ***authinds_out)
 {
-    char *cert_filter = NULL;
-    char **domains = NULL;
-    int ret;
+    char *cert_filter = NULL, **domains = NULL;
+    int ret, flags = 0;
     size_t c;
-    char *principal = NULL;
-    char **auth_inds = NULL;
+    char *principal = NULL, **auth_inds = NULL;
     LDAPMessage *res = NULL;
     krb5_error_code kerr;
     LDAPMessage *lentry;
 
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+    flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
+
     if (moddata == NULL) {
         return KRB5_PLUGIN_NO_HANDLE;
     }
@@ -327,10 +329,8 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
         }
     }
 
-    kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx,
-                                                    KRB5_KDB_FLAG_ALIAS_OK,
-                                                    principal,
-                                                    cert_filter,
+    kerr = ipadb_fetch_principals_with_extra_filter(moddata->ipactx, flags,
+                                                    principal, cert_filter,
                                                     &res);
     if (kerr != 0) {
         krb5_klog_syslog(LOG_ERR, "Search failed [%d]", kerr);
@@ -338,8 +338,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
         goto done;
     }
 
-    kerr = ipadb_find_principal(context, KRB5_KDB_FLAG_ALIAS_OK, res,
-                                &principal, &lentry);
+    kerr = ipadb_find_principal(context, flags, res, &principal, &lentry);
     if (kerr == KRB5_KDB_NOENTRY) {
         krb5_klog_syslog(LOG_INFO, "No matching entry found");
         ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH;
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 9467b1ba1b..8d2ad66f71 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -22,9 +22,14 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
     enum ipadb_user_auth ua;
     struct ipadb_e_data *ied;
     struct ipadb_e_pol_limits *pol_limits = NULL;
-    int valid_auth_indicators = 0;
+    int valid_auth_indicators = 0, flags = 0;
     krb5_db_entry *client_actual = NULL;
 
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+    flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
+
+
     *status = NULL;
     *lifetime_out = 0;
     *renew_lifetime_out = 0;
@@ -33,8 +38,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
     if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
         /* e-data is not availble, getting user auth from LDAP */
         krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: client e_data not availble. Try fetching...");
-        kerr = ipadb_get_principal(context, request->client,
-                                   KRB5_KDB_FLAG_ALIAS_OK, &client_actual);
+        kerr = ipadb_get_principal(context, request->client, flags,
+                                   &client_actual);
         if (kerr != 0) {
             krb5_klog_syslog(LOG_ERR, "IPA kdcpolicy: ipadb_find_principal failed.");
             return kerr;
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 47e44f0900..da0b841a1d 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -964,8 +964,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
                                          LDAPMessage **result)
 {
     krb5_error_code kerr;
-    char *src_filter = NULL;
-    char *esc_original_princ = NULL;
+    char *src_filter = NULL, *esc_original_princ = NULL;
     int ret;
 
     if (!ipactx->lcontext) {
@@ -976,28 +975,33 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
         }
     }
 
-    /* escape filter but do not touch '*' as this function accepts
-     * wildcards in names */
+    /* Escape filter but do not touch '*' as this function accepts
+     * wildcards in names. */
     esc_original_princ = ipadb_filter_escape(principal, false);
     if (!esc_original_princ) {
         kerr = KRB5_KDB_INTERNAL_ERROR;
         goto done;
     }
 
-    if (filter == NULL) {
-        if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+    /* Starting in DAL 8.0, aliases are always okay. */
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
+    if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
+        if (filter == NULL) {
+            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER,
+                           esc_original_princ);
+        } else {
+            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+                           esc_original_princ, filter);
+        }
+    } else
+#endif
+    {
+        if (filter == NULL) {
             ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
                            esc_original_princ, esc_original_princ);
         } else {
-            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
-        }
-    } else {
-        if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
             ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
                            esc_original_princ, esc_original_princ, filter);
-        } else {
-            ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
-                           esc_original_princ, filter);
         }
     }
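Review bot: The `} else` / `#endif` / `{` splice is legal C but easy to misread, and on DAL 8 builds it also leaves `flags` as an unused parameter. Computing the decision once keeps the preprocessor out of the control flow: `bool aliases_ok = true;` followed by `#ifdef KRB5_KDB_FLAG_ALIAS_OK` / `aliases_ok = (flags & KRB5_KDB_FLAG_ALIAS_OK) != 0;` / `#endif`, then a plain `if (!aliases_ok) { … PRINC_SEARCH_FILTER … } else { … PRINC_TGS_SEARCH_FILTER … }`. The comment `/* Starting in DAL 8.0, aliases are always okay. */` would then sit on the `aliases_ok` declaration where it explains the default.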
 
@@ -1006,11 +1010,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
         goto done;
     }
 
-    kerr = ipadb_simple_search(ipactx,
-                               ipactx->base, LDAP_SCOPE_SUBTREE,
-                               src_filter, std_principal_attrs,
-                               result);
-
+    kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE,
+                               src_filter, std_principal_attrs, result);
 done:
     free(src_filter);
     free(esc_original_princ);
@@ -1054,6 +1055,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
         /* We need to check for a strict match as a '*' in the name may have
          * caused the ldap server to return multiple entries. */
         for (int i = 0; vals[i]; i++) {
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
             if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
                 found = strcmp(vals[i]->bv_val, *principal) == 0;
                 if (found)
@@ -1061,6 +1063,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
 
                 continue;
             }
+#endif
 
             /* The KDC will accept aliases when doing TGT lookup
              * (ref_tgt_again in do_tgs_req.c), so use case-insensitive
@@ -1094,6 +1097,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
         if (vals == NULL)
             break;
 
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
         /* If aliases aren't accepted by the KDC, use case-sensitive
          * comparison. */
         if ((flags & KRB5_KDB_FLAG_ALIAS_OK) == 0) {
@@ -1103,6 +1107,7 @@ krb5_error_code ipadb_find_principal(krb5_context kcontext,
                 continue;
             }
         }
+#endif
 
         free(*principal);
         *principal = strdup(vals[0]->bv_val);
@@ -2601,7 +2606,9 @@ krb5_error_code ipadb_delete_principal(krb5_context kcontext,
         goto done;
     }
 
+#ifdef KRB5_KDB_FLAG_ALIAS_OK
     flags = KRB5_KDB_FLAG_ALIAS_OK;
+#endif
     kerr = ipadb_find_principal(kcontext, flags, res, &canonicalized, &lentry);
     if (kerr != 0) {
         goto done;
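Review bot: `flags = KRB5_KDB_FLAG_ALIAS_OK;` is now the only assignment to `flags` in this hunk and it is compiled out on DAL 8, so unless the declaration earlier in ipadb_delete_principal (outside the hunk) initializes it, `flags` is passed to ipadb_find_principal uninitialized on 1.18 builds. The other two call sites in this patch were given `int ret, flags = 0;`; the same `int flags = 0;` is needed here. ipadb_delete_principal starts outside the hunk, so this may already be the case.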

From 91f0fc3ac95c2a6e16051a932f27386adfd877c8 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Thu, 9 Jan 2020 17:02:44 -0500
Subject: [PATCH 5/6] [KDB] Support DAL version 8.0

Provide stubs for backward compatibility.  DAL 8.0 was released with
krb5-1.18.

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb.c | 61 ++++++++++++++++++++++++++++++++++++++-
 freeipa.spec.in           |  2 +-
 2 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 612857b389..9a5c29b131 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -751,8 +751,67 @@ kdb_vftabl kdb_function_table = {
 };
 #endif
 
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 8)
+/* Version 8 adds several arguments here.  However, if we want to actually use
+ * them in mspac, we really ought to drop support for older DAL versions. */
+static inline krb5_error_code
+stub_sign_authdata(krb5_context context, unsigned int flags,
+                   krb5_const_principal client_princ,
+                   krb5_const_principal server_princ, krb5_db_entry *client,
+                   krb5_db_entry *server, krb5_db_entry *header_server,
+                   krb5_db_entry *local_tgt, krb5_keyblock *client_key,
+                   krb5_keyblock *server_key, krb5_keyblock *header_key,
+                   krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
+                   krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
+                   void *ad_info, krb5_data ***auth_indicators,
+                   krb5_authdata ***signed_auth_data)
+{
+    krb5_db_entry *krbtgt = header_server ? header_server : server;
+    krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
+
+    return ipadb_sign_authdata(context, flags, client_princ, client, server,
+                               krbtgt, client_key, server_key, krbtgt_key,
+                               session_key, authtime, tgt_auth_data,
+                               signed_auth_data);
+}
+
+kdb_vftabl kdb_function_table = {
+    .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+    .min_ver = 0,
+    .init_library = ipadb_init_library,
+    .fini_library = ipadb_fini_library,
+    .init_module = ipadb_init_module,
+    .fini_module = ipadb_fini_module,
+    .create = ipadb_create,
+    .get_age = ipadb_get_age,
+    .get_principal = ipadb_get_principal,
+    .put_principal = ipadb_put_principal,
+    .delete_principal = ipadb_delete_principal,
+    .iterate = ipadb_iterate,
+    .create_policy = ipadb_create_pwd_policy,
+    .get_policy = ipadb_get_pwd_policy,
+    .put_policy = ipadb_put_pwd_policy,
+    .iter_policy = ipadb_iterate_pwd_policy,
+    .delete_policy = ipadb_delete_pwd_policy,
+    .fetch_master_key = ipadb_fetch_master_key,
+    .store_master_key_list = ipadb_store_master_key_list,
+    .change_pwd = ipadb_change_pwd,
+    .sign_authdata = stub_sign_authdata,
+    .check_transited_realms = ipadb_check_transited_realms,
+    .check_policy_as = ipadb_check_policy_as,
+    .audit_as_req = ipadb_audit_as_req,
+    .check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
+    .free_principal_e_data = ipadb_free_principal_e_data,
+    .get_s4u_x509_principal = NULL,
+    .allowed_to_delegate_from = NULL,
+    .get_authdata_info = NULL,
+    .free_authdata_info = NULL,
+};
+#endif
+
 #if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
     (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
-    (KRB5_KDB_DAL_MAJOR_VERSION != 7)
+    (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
+    (KRB5_KDB_DAL_MAJOR_VERSION != 8)
 #error unsupported DAL major version
 #endif
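Review bot: `stub_sign_authdata` falls back to `server`/`server_key` when `header_server`/`header_key` are NULL, but the DAL 8 signature also supplies `local_tgt` and `local_tgt_key`, which the stub ignores; if ipadb_sign_authdata uses its `krbtgt`/`krbtgt_key` arguments to sign the PAC, then on an AS request for a service other than krbtgt the PAC would be signed with that service's key rather than the TGT key, so `local_tgt`/`local_tgt_key` look like the closer match for the old argument — confirm against what the DAL 7 KDC actually passed before settling on the fallback. Separately, `static inline` on a function whose address is stored in `kdb_function_table` is misleading since it can only ever be called through the vtable; plain `static` is enough. The comment above the stub could also spell out which DAL 8 arguments are intentionally dropped: `/* Ignores server_princ, local_tgt, local_tgt_key, ad_info and auth_indicators; see ipadb_sign_authdata for the DAL 7 contract. */`.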
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 502ac24997..7617c935a2 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -61,7 +61,7 @@
 %global alt_name ipa
 # Fix for CVE-2018-20217
 %global krb5_version 1.16.1-24
-%global krb5_kdb_version 7.0
+%global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings

From d0bb1753358d8b966cbab8616be755b078d929d4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Thu, 9 Jan 2020 17:08:07 -0500
Subject: [PATCH 6/6] [KDB] Drop support for DAL version 5.0

No supported Linux distro packages a version of krb5 with this DAL, so
we don't lose anything by removing it.

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb.c | 49 +--------------------------------------
 1 file changed, 1 insertion(+), 48 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 9a5c29b131..3982c131bc 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -635,57 +635,11 @@ static krb5_error_code ipadb_get_age(krb5_context kcontext,
     return 0;
 }
 
-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
-static void *ipadb_alloc(krb5_context context, void *ptr, size_t size)
-{
-    return realloc(ptr, size);
-}
-
-static void ipadb_free(krb5_context context, void *ptr)
-{
-    free(ptr);
-}
-#endif
-
 /* KDB Virtual Table */
 
 /* We explicitly want to keep different ABI tables below separate. */
 /* Do not merge them together. Older ABI does not need to be updated */
 
-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
-kdb_vftabl kdb_function_table = {
-    .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
-    .min_ver = 0,
-    .init_library = ipadb_init_library,
-    .fini_library = ipadb_fini_library,
-    .init_module = ipadb_init_module,
-    .fini_module = ipadb_fini_module,
-    .create = ipadb_create,
-    .get_age = ipadb_get_age,
-    .get_principal = ipadb_get_principal,
-    .free_principal = ipadb_free_principal,
-    .put_principal = ipadb_put_principal,
-    .delete_principal = ipadb_delete_principal,
-    .iterate = ipadb_iterate,
-    .create_policy = ipadb_create_pwd_policy,
-    .get_policy = ipadb_get_pwd_policy,
-    .put_policy = ipadb_put_pwd_policy,
-    .iter_policy = ipadb_iterate_pwd_policy,
-    .delete_policy = ipadb_delete_pwd_policy,
-    .free_policy = ipadb_free_pwd_policy,
-    .alloc = ipadb_alloc,
-    .free = ipadb_free,
-    .fetch_master_key = ipadb_fetch_master_key,
-    .store_master_key_list = ipadb_store_master_key_list,
-    .change_pwd = ipadb_change_pwd,
-    .sign_authdata = ipadb_sign_authdata,
-    .check_transited_realms = ipadb_check_transited_realms,
-    .check_policy_as = ipadb_check_policy_as,
-    .audit_as_req = ipadb_audit_as_req,
-    .check_allowed_to_delegate = ipadb_check_allowed_to_delegate
-};
-#endif
-
 #if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
 kdb_vftabl kdb_function_table = {
     .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
@@ -809,8 +763,7 @@ kdb_vftabl kdb_function_table = {
 };
 #endif
 
-#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && \
-    (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
+#if (KRB5_KDB_DAL_MAJOR_VERSION != 6) && \
     (KRB5_KDB_DAL_MAJOR_VERSION != 7) && \
     (KRB5_KDB_DAL_MAJOR_VERSION != 8)
 #error unsupported DAL major version