Add additional CrackLib changes to cracklib/HISTORY
1 Patch built against MIT Kerberos 1.4.4.  Note that this patch was
2 generated with some other Stanford-local patches applied and therefore may
3 not apply entirely cleanly.  I will hopefully have a chance to regenerate
4 a clean patch against a virgin source tarball for a later release.
5
6 This patch may or may not apply to earlier or later versions; either way,
7 the result will require verification.
8
9 Note that this patch unconditionally adds -ldl to the link line and will
10 require modification on platforms that use some other library for dlopen
11 and related calls.
12
13
14 Index: krb5-local/src/lib/kadm5/admin.h
15 ===================================================================
16 --- krb5-local.orig/src/lib/kadm5/admin.h       2006-06-06 16:22:39.000000000 -0700
17 +++ krb5-local/src/lib/kadm5/admin.h    2006-06-06 16:29:45.000000000 -0700
18 @@ -227,6 +227,7 @@ typedef struct _kadm5_config_params {
19       char *            admin_keytab;
20       char *            acl_file;
21       char *            dict_file;
22 +     char *            pwcheck_plugin;
23  
24       int               mkey_from_kbd;
25       char *            stash_file;
26 Index: krb5-local/src/lib/kadm5/alt_prof.c
27 ===================================================================
28 --- krb5-local.orig/src/lib/kadm5/alt_prof.c    2006-06-06 16:22:39.000000000 -0700
29 +++ krb5-local/src/lib/kadm5/alt_prof.c 2006-06-06 16:29:45.000000000 -0700
30 @@ -514,7 +514,15 @@ krb5_error_code kadm5_get_config_params(
31          params.mask |= KADM5_CONFIG_DICT_FILE;
32          params.dict_file = svalue;
33      }
34 -           
35 +
36 +    /* Right now, always get the value for the pwcheck plugin */
37 +    hierarchy[2] = "pwcheck_plugin";
38 +    if (aprofile && !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
39 +       params.pwcheck_plugin = svalue;
40 +   } else {
41 +       params.pwcheck_plugin = NULL;
42 +   }
43 +    
44      /* Get the value for the kadmind port */
45      if (! (params.mask & KADM5_CONFIG_KADMIND_PORT)) {
46          hierarchy[2] = "kadmind_port";
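Review bot: The string stored in `params.pwcheck_plugin` comes from `krb5_aprof_get_string` and appears to be owned by the params structure afterwards, yet no hunk in this patch adds a matching release, so unless the free routine for `kadm5_config_params` (not visible here) is extended, the value leaks on every call. The added block is also indented differently from its neighbours (the `params.pwcheck_plugin` assignments and the `} else {` line do not line up with the surrounding four-space style). Since this value later names a shared object that `init_dict` loads into the server process, the comment should say so, for example `/* Path of a shared object loaded by init_dict(); the config file and the plugin must be writable only by the administrator. */`. The enclosing function starts and ends outside the hunk.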
47 Index: krb5-local/src/lib/kadm5/server_internal.h
48 ===================================================================
49 --- krb5-local.orig/src/lib/kadm5/server_internal.h     2006-06-06 16:22:39.000000000 -0700
50 +++ krb5-local/src/lib/kadm5/server_internal.h  2006-06-06 16:29:45.000000000 -0700
51 @@ -59,7 +59,7 @@ krb5_error_code     kdb_iter_entry(kadm5
52                                    void *data);
53  
54  int                init_dict(kadm5_config_params *);
55 -int                find_word(const char *word);
56 +int                find_word(const char *word, const char *princ);
57  void               destroy_dict(void);
58  
59  /* XXX this ought to be in libkrb5.a, but isn't */
60 Index: krb5-local/src/lib/kadm5/srv/server_dict.c
61 ===================================================================
62 --- krb5-local.orig/src/lib/kadm5/srv/server_dict.c     2006-06-06 16:22:39.000000000 -0700
63 +++ krb5-local/src/lib/kadm5/srv/server_dict.c  2006-06-06 16:29:45.000000000 -0700
64 @@ -24,11 +24,17 @@ static char *rcsid = "$Header$";
65  #include    "adm_proto.h"
66  #include    <syslog.h>
67  #include    "server_internal.h"
68 +#include    <dlfcn.h>
69  
70  static char        **word_list = NULL;     /* list of word pointers */
71  static char        *word_block = NULL;     /* actual word data */
72  static unsigned int word_count = 0;        /* number of words */
73 -
74 +static void         *plugin_handle = NULL;  /* Library plugin handle */
75 +static int          (*d_pwcheck_init)(void **, const char *);
76 +static int         (*d_pwcheck_check)(void *, const char *, const char *,
77 +                                      char *, int);
78 +static void         (*d_pwcheck_close)(void *);
79 +static void        *d_pwcheck_context;
80  
81  /*
82   * Function: word_compare
83 @@ -86,6 +92,44 @@ int init_dict(kadm5_config_params *param
84                     *t;
85      struct  stat    sb;
86      
87 +    if (plugin_handle != NULL)
88 +       return KADM5_OK;
89 +    if (params->pwcheck_plugin) {
90 +       plugin_handle = dlopen(params->pwcheck_plugin, RTLD_NOW);
91 +
92 +       if (! plugin_handle) {
93 +           krb5_klog_syslog(LOG_ERR, "WARNING: Unable to load plugin "
94 +                            "\"%s\": %s, continuing without password checking",
95 +                            params->pwcheck_plugin, dlerror());
96 +           return KADM5_OK;
97 +       }
98 +        d_pwcheck_init = dlsym(plugin_handle, "pwcheck_init");
99 +       d_pwcheck_check = dlsym(plugin_handle, "pwcheck_check");
100 +       d_pwcheck_close = dlsym(plugin_handle, "pwcheck_close");
101 +
102 +        if (d_pwcheck_init == NULL || d_pwcheck_check == NULL ||
103 +           d_pwcheck_close == NULL) {
104 +           krb5_klog_syslog(LOG_ERR, "WARNING: Needed symbols missing in "
105 +                            "pwcheck plugin, continuing without password "
106 +                            "checking.");
107 +           dlclose(plugin_handle);
108 +           plugin_handle = NULL;
109 +           return KADM5_OK;
110 +       }
111 +
112 +       if ((*d_pwcheck_init)(&d_pwcheck_context, params->dict_file)) {
113 +           krb5_klog_syslog(LOG_ERR, "WARNING: Plugin initialization failed, "
114 +                            "continuing without password checking.");
115 +           dlclose(plugin_handle);
116 +           plugin_handle = NULL;
117 +           return KADM5_OK;
118 +       }
119 +
120 +       krb5_klog_syslog(LOG_INFO, "Password checking plugin \"%s\" "
121 +                        "initialized.", params->pwcheck_plugin);
122 +       return KADM5_OK;
123 +    }
124 +
125      if(word_list != NULL && word_block != NULL)
126         return KADM5_OK;
127      if (! (params->mask & KADM5_CONFIG_DICT_FILE)) {
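Review bot: Every failure path in the new plugin block (`dlopen` failing, a symbol missing, `pwcheck_init` returning non-zero) logs and then does `return KADM5_OK;`, which also skips the dictionary-file loading below, so a missing or broken plugin leaves the server with no dictionary check at all and only a log line to show for it. For a password-quality control it is safer to fail closed: return an error from these branches (for example `return KADM5_FAILURE;`, assuming callers of `init_dict` act on the result, which is not visible here) or at least fall through to the built-in dictionary. `dlopen` is also handed the configured string as-is, so a value without a slash is resolved through the dynamic loader's search path; rejecting anything that is not an absolute path, `if (params->pwcheck_plugin[0] != '/')`, keeps the loaded object predictable. `init_dict` begins and ends outside the hunk.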
128 @@ -154,10 +198,26 @@ int init_dict(kadm5_config_params *param
129   */
130  
131  int
132 -find_word(const char *word)
133 +find_word(const char *word, const char *princ)
134  {
135      char    **value;
136  
137 +    if (plugin_handle) {
138 +       char ret_message[256];
139 +       int ret_value;
140 +
141 +       ret_value = (*d_pwcheck_check)(d_pwcheck_context, word, princ,
142 +                                      ret_message, sizeof(ret_message));
143 +
144 +       if (ret_value) {
145 +           krb5_klog_syslog(LOG_INFO, "pwcheck plugin rejected new change: "
146 +                            "%s", ret_message);
147 +           return KADM5_OK;
148 +       } else {
149 +           return WORD_NOT_FOUND;
150 +       }
151 +    }
152 +
153      if(word_list == NULL || word_block == NULL) 
154             return WORD_NOT_FOUND;
155      if ((value = (char **) bsearch(&word, word_list, word_count, sizeof(char *),
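Review bot: `ret_message` is passed to the plugin uninitialised and then printed with `%s`, so a plugin that returns non-zero without writing a message, or fills the buffer without a terminator, makes `krb5_klog_syslog` read indeterminate stack bytes. Set `ret_message[0] = '\0';` before the call and `ret_message[sizeof(ret_message) - 1] = '\0';` after it. The return mapping also deserves a comment, because `KADM5_OK` here means the password is rejected: `/* non-zero from the plugin == reject; reported to the caller as a dictionary hit */`. The rest of `find_word` lies outside the hunk.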
156 @@ -189,6 +249,9 @@ find_word(const char *word)
157  void
158  destroy_dict(void)
159  {
160 +    if (plugin_handle)
161 +       (*d_pwcheck_close)(d_pwcheck_context);
162 +
163      if(word_list) {
164         free(word_list);
165         word_list = NULL;
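Review bot: After `(*d_pwcheck_close)(d_pwcheck_context)` the handle is neither closed nor cleared, so `plugin_handle` stays non-NULL; a later `init_dict` then returns early on `plugin_handle != NULL` and `find_word` calls `d_pwcheck_check` with a context the plugin has already released. Brace the `if` and add `dlclose(plugin_handle);`, `plugin_handle = NULL;` and `d_pwcheck_context = NULL;` after the close call. `destroy_dict` continues past the end of the hunk.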
166 Index: krb5-local/src/lib/kadm5/srv/server_misc.c
167 ===================================================================
168 --- krb5-local.orig/src/lib/kadm5/srv/server_misc.c     2006-06-06 16:22:39.000000000 -0700
169 +++ krb5-local/src/lib/kadm5/srv/server_misc.c  2006-06-06 16:29:45.000000000 -0700
170 @@ -129,6 +129,7 @@ passwd_check(kadm5_server_handle_t handl
171             npunct = 0,
172             nspec = 0;
173      char    c, *s, *cp;
174 +    krb5_error_code ret;
175  #ifdef HESIOD
176      extern  struct passwd *hes_getpwnam();
177      struct  passwd *ent;
178 @@ -159,9 +160,14 @@ passwd_check(kadm5_server_handle_t handl
179         }
180         if ((nupper + nlower + ndigit + npunct + nspec) < pol->pw_min_classes) 
181             return KADM5_PASS_Q_CLASS;
182 -       if((find_word(password) == KADM5_OK))
183 +       ret = krb5_unparse_name(handle->context, principal, &cp);
184 +       if (ret)
185 +           return ret;
186 +       ret = find_word(password, cp);
187 +       krb5_free_unparsed_name(handle->context, cp);
188 +       if(ret == KADM5_OK) {
189             return KADM5_PASS_Q_DICT;
190 -       else { 
191 +       } else { 
192             int i, n = krb5_princ_size(handle->context, principal);
193             cp = krb5_princ_realm(handle->context, principal)->data;
194             if (strcasecmp(cp, password) == 0)
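Review bot: `cp` holds an allocation from `krb5_unparse_name` on the added lines and a few lines later is reassigned to the borrowed `krb5_princ_realm(...)->data` pointer, which makes ownership hard to follow and invites a leak or double free on later edits. A dedicated local such as `char *princ_name;` for the unparsed name, freed right after `find_word`, would keep the two uses apart. A short comment that the full principal name, realm included, is handed to the plugin would also help plugin authors. `passwd_check` starts and ends outside the hunk.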
195 Index: krb5-local/src/lib/kadm5/Makefile.in
196 ===================================================================
197 --- krb5-local.orig/src/lib/kadm5/Makefile.in   2006-06-06 16:22:39.000000000 -0700
198 +++ krb5-local/src/lib/kadm5/Makefile.in        2006-06-06 16:29:45.000000000 -0700
199 @@ -53,6 +53,8 @@ STLIBOBJS = \
200         str_conv.o \
201         logger.o
202  
203 +SHLIB_EXPLIBS=-ldl
204 +
205  HDRDIR=$(BUILDTOP)/include/kadm5
206  HDRS = $(HDRDIR)/adb.h \
207         $(HDRDIR)/admin.h \
208 Index: krb5-local/src/config/pre.in
209 ===================================================================
210 --- krb5-local.orig/src/config/pre.in   2006-06-06 16:31:20.000000000 -0700
211 +++ krb5-local/src/config/pre.in        2006-06-06 16:31:33.000000000 -0700
212 @@ -393,7 +393,7 @@ GSS_LIBS    = $(GSS_KRB5_LIB)
213  GSSRPC_LIBS    = -lgssrpc $(GSS_LIBS)
214  KADM_COMM_LIBS = $(GSSRPC_LIBS)
215  # need fixing if ever used on Mac OS X!
216 -KADMSRV_LIBS   = -lkadm5srv $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS)
217 +KADMSRV_LIBS   = -lkadm5srv $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS) -ldl
218  KADMCLNT_LIBS  = -lkadm5clnt $(KADM_COMM_LIBS)
219  
220  # need fixing if ever used on Mac OS X!