esc/win32 coolkey-64.iss,1.2,1.3 build.sh,1.13,1.14
by Jack Magne
Author: jmagne
Update of /cvs/dirsec/esc/win32
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv14213
Modified Files:
coolkey-64.iss build.sh
Log Message:
Bump version on build script and 64 bit installer.
Index: coolkey-64.iss
===================================================================
RCS file: /cvs/dirsec/esc/win32/coolkey-64.iss,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- coolkey-64.iss 8 Oct 2009 23:45:30 -0000 1.2
+++ coolkey-64.iss 22 Jan 2011 04:27:58 -0000 1.3
@@ -4,14 +4,14 @@
[Setup]
AppName=Coolkey
AppId=Coolkey
-AppVerName=Coolkey 1.0.0-1
+AppVerName=Coolkey 1.0.0-2
AppPublisher=Red Hat
CreateAppDir=true
Compression=lzma
SolidCompression=true
MinVersion=0,5.0.2195
ShowLanguageDialog=yes
-OutputBaseFilename=CoolkeySetup-1.0.0-1.win64.x64
+OutputBaseFilename=CoolkeySetup-1.0.0-2.win64.x64
DefaultDirName={pf}\Red Hat\Coolkey
DisableProgramGroupPage=false
DefaultGroupName=Red Hat
@@ -22,16 +22,19 @@
LicenseFile=esc-license.txt
InfoBeforeFile=coolkey-64-info-before.txt
PrivilegesRequired=admin
-VersionInfoVersion=1.0.0.1
+VersionInfoVersion=1.0.0.2
ArchitecturesAllowed=x64
ArchitecturesInstallIn64BitMode=x64
[Files]
-Source: BUILD\regcerts.exe; DestDir: {app}
+;Source: BUILD\regcerts.exe; DestDir: {app}
Source: ..\src\app\xpcom\tray\esc.ico; DestDir: {app}
Source: BUILD\clkcsp.dll; DestDir: {sys}; Flags: restartreplace
Source: BUILD\cspres.dll; DestDir: {sys}; Flags: restartreplace
Source: BUILD\clkcsp.sig; DestDir: {sys}
+Source: BUILD\coolkeypk11.dll; DestDir: {sys}; Flags: restartreplace
+Source: BUILD\zlibwapi.dll; DestDir: {sys}; Flags: restartreplace
+Source: BUILD\libckyapplet-1.dll; DestDir: {sys}; Flags: restartreplace
Source: BUILD\vcredist_x64.exe; DestDir: "{tmp}"
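Review bot: The three DLLs added at `Source: BUILD\coolkeypk11.dll` through `Source: BUILD\libckyapplet-1.dll` go into `{sys}` with `restartreplace`, which silently overwrites any same-named library another product has already placed in the system directory (a generic name such as zlibwapi.dll is commonly shipped by unrelated software), and the log message says only "bump version" without mentioning the new payload. If the PKCS#11 module really has to live in `{sys}` so callers can load it by bare name, mark the shared libraries `Flags: restartreplace sharedfile uninsrestartdelete` so uninstall does not strip a DLL another product still relies on; otherwise prefer `DestDir: {app}`. The commented-out `;Source: BUILD\regcerts.exe; DestDir: {app}` line should either carry a comment saying why regcerts.exe is no longer shipped or be deleted rather than kept as dead configuration.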
Index: build.sh
===================================================================
RCS file: /cvs/dirsec/esc/win32/build.sh,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- build.sh 1 Dec 2010 01:01:35 -0000 1.13
+++ build.sh 22 Jan 2011 04:27:58 -0000 1.14
@@ -70,6 +70,12 @@
CSP_DIR=CLKCSP
CSP_ARCHIVE=CLKCSP.zip
+if [ X$ON_64 == X1 ];
+then
+export INNO_PATH="C:/Program Files (x86)/Inno Setup 5/ISCC.exe"
+fi
+
+
if [ X$USE_64 == X1 ];
then
CSP_PATH=support/esc/windows/csp/64/latest
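Review bot: The new `if [ X$ON_64 == X1 ];` introduces a second 64-bit switch right next to the existing `USE_64` test on the following lines; if both are meant to be the same setting, one should be derived from the other, and if they are different, a one-line comment should say what distinguishes an "on 64" host from a "use 64" build. `==` inside `[ ]` is a bash extension that breaks under POSIX sh — consistent with the rest of the file, but worth knowing if this script is ever run with a different interpreter. The hard-coded `INNO_PATH` also assumes the default Inno Setup 5 location; letting an already-exported value win, `export INNO_PATH="${INNO_PATH:-C:/Program Files (x86)/Inno Setup 5/ISCC.exe}"`, keeps the script usable on hosts where it is installed elsewhere.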
@@ -94,9 +100,9 @@
XULRUNNER_DIR=xulrunner
XULRUNNER_FTP_PATH=http://releases.mozilla.org/pub/mozilla.org/
-XULRUNNER_PATH=xulrunner/releases/1.9.2.12/runtimes/
+XULRUNNER_PATH=xulrunner/releases/1.9.2.13/runtimes/
-XULRUNNER_ARCHIVE=xulrunner-1.9.2.12.en-US.win32.zip
+XULRUNNER_ARCHIVE=xulrunner-1.9.2.13.en-US.win32.zip
#Base Dirctory calc
ldap/admin
by Richard Allen Megginson
ldap/admin/src/scripts/SetupDialogs.pm.in | 3 +++
1 file changed, 3 insertions(+)
New commits:
commit f2a1d62458458ca9bbceb436642a6cbf2e30c322
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Fri Jan 21 14:50:04 2011 -0700
Bug 624485 - setup dsktune check step should default to "yes" if no problems found
https://bugzilla.redhat.com/show_bug.cgi?id=624485
Resolves: bug 624485
Bug Description: setup dsktune check step should default to "yes" if no problems found
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Check the result of running dsktune - if it
succeeds, set the default answer to yes, otherwise to no.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/admin/src/scripts/SetupDialogs.pm.in b/ldap/admin/src/scripts/SetupDialogs.pm.in
index e925c4b..dd05b04 100644
--- a/ldap/admin/src/scripts/SetupDialogs.pm.in
+++ b/ldap/admin/src/scripts/SetupDialogs.pm.in
@@ -94,7 +94,10 @@ my $dsktune = new DialogYesNo (
['dialog_dsktune_prompt']
);
+$? = 0; # clear error condition
my $dsktune_output = `@bindir@/dsktune`;
+my $dsktune_result = $?;
+$dsktune->{defaultIsYes} = $dsktune_result ? 0 : 1;
$dsktune->{text} = [$dsktune->{text}, $dsktune_output];
my $setuptype = new Dialog (
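Review bot: The new `$dsktune->{defaultIsYes} = $dsktune_result ? 0 : 1;` treats the raw wait status in `$?` as the verdict, so a dsktune binary that could not be started at all (`$?` is -1 and `$dsktune_output` is undef) also defaults to "no"; that is the safe direction, but it deserves a comment such as `# any non-zero wait status (failure, signal, or dsktune not runnable) => default to No`. The preceding `$? = 0; # clear error condition` is redundant because backticks always set `$?` when they return; it can stay for readability but the comment should say it is belt-and-braces. When the command could not be started the undef output is pushed into `$dsktune->{text}` unchanged, which may trigger an uninitialized-value warning later when the dialog renders it; `$dsktune_output // ''` at the point of use avoids that. The enclosing file continues outside the hunk.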
ldap/admin
by Noriko Hosoi
ldap/admin/src/scripts/template-dn2rdn.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 466f6792ec6fdc02678424f99b4a8719e28e707a
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Jan 21 13:12:00 2011 -0800
dn2rdn should respect the DB version info
The command line utility dn2rdn currently skips the db version
check and is forced to convert the index files. This patch
removes the force option "-f" to make sure that the utility
checks the db version.
diff --git a/ldap/admin/src/scripts/template-dn2rdn.in b/ldap/admin/src/scripts/template-dn2rdn.in
index f8232df..f9efeea 100755
--- a/ldap/admin/src/scripts/template-dn2rdn.in
+++ b/ldap/admin/src/scripts/template-dn2rdn.in
@@ -16,7 +16,7 @@ cd {{SERVERBIN-DIR}}
if [ $# -eq 0 ]
then
bak_dir={{BAK-DIR}}/reindex_`date +%Y_%m_%d_%H_%M_%S`
- ./ns-slapd upgradedb -D {{CONFIG-DIR}} -f -r -a "$bak_dir"
+ ./ns-slapd upgradedb -D {{CONFIG-DIR}} -r -a "$bak_dir"
else
echo "Usage: dn2rdn"
exit 1
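Review bot: With `-f` removed, `./ns-slapd upgradedb -D {{CONFIG-DIR}} -r -a "$bak_dir"` can now legitimately decline to convert when the DB version already matches, but nothing in the hunk propagates that outcome; if the remainder of the script (outside this hunk) does not already exit with the ns-slapd status, the caller cannot tell a skipped conversion from a completed one. Following the call with `exit $?` (or capturing `rc=$?` to print a message) makes the result visible. The `cd {{SERVERBIN-DIR}}` shown in the hunk header is also unchecked, so a failed cd would run ns-slapd from the wrong directory; `cd {{SERVERBIN-DIR}} || exit 1` closes that.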
ldap/admin
by Nathan Kinder
ldap/admin/src/scripts/setup-ds.res.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 53794a074af7c26c0b49ca700de5a5071c490d3d
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Thu Jan 20 15:10:09 2011 -0800
Bug 527912 - setup-ds.pl appears to hang when DNS is unreachable
The setup-ds.pl program will appear to hang when it attempts to
contact an unreachable DNS server to determine the FQDN. The
hostname prompt will eventually be displayed after a network
timeout is hit.
This patch makes the setup program log a warning message just
prior to trying to determine the FQDN. This message states that
setup may appear to hang if it can't reach the DNS servers, and
that one can re-run setup and pass the hostname as an option on
the command line instead.
diff --git a/ldap/admin/src/scripts/setup-ds.res.in b/ldap/admin/src/scripts/setup-ds.res.in
index 25f8493..344fcf9 100644
--- a/ldap/admin/src/scripts/setup-ds.res.in
+++ b/ldap/admin/src/scripts/setup-ds.res.in
@@ -33,7 +33,7 @@ dialog_setuptype_error = Invalid setup type\n\n
# ----------- HostName Dialog Resource ----------------
-dialog_hostname_text = Enter the fully qualified domain name of the computer\non which you're setting up server software. Using the form\n<hostname>.<domainname>\nExample: eros.example.com.\n\nTo accept the default shown in brackets, press the Enter key.\n\n
+dialog_hostname_text = Enter the fully qualified domain name of the computer\non which you're setting up server software. Using the form\n<hostname>.<domainname>\nExample: eros.example.com.\n\nTo accept the default shown in brackets, press the Enter key.\n\nWarning: This step may take a few minutes if your DNS servers\ncan not be reached or if DNS is not configured correctly. If\nyou would rather not wait, hit Ctrl-C and run this program again\nwith the following command line option to specify the hostname:\n\n General.FullMachineName=your.hostname.domain.name\n\n
dialog_hostname_prompt = Computer name
ldap/servers
by Nathan Kinder
ldap/servers/plugins/dna/dna.c | 31 +++++++------------------------
1 file changed, 7 insertions(+), 24 deletions(-)
New commits:
commit bd717265ad729abdfaf02f91e3b7b92b76ad5781
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Thu Jan 20 10:03:33 2011 -0800
Bug 671033 - range sharing between server breaks with SASL/GSSAPI auth
The DNA range request extop uses the replication bind credentials
to authenticate to the other master. If the replication agreement
is configured to use SASL/GSSAPI (or any non simple bind auth), the
DNA plug-in falls back to using an anonymous bind, which will fail.
The problem is that the function that fetches the replication bind
credentials was expecting a bind dn and password. If both of these
were not found, it would free everything (including the bind
method). The fix is to just fetch the credentials and return them
without doing this additional check.
This patch also makes the receiving master check if the bind DN
matches any replication bind DN, which allows it to work properly
when multiple replication bind DNs are configured. It previously
only worked with a single-valued replication bind DN attribute.
diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 284203b..c457c0f 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -2313,10 +2313,7 @@ static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn)
{
char *replica_dn = NULL;
Slapi_DN *replica_sdn = NULL;
- char *replica_bind_dn = NULL;
- Slapi_DN *replica_bind_sdn = NULL;
Slapi_DN *range_sdn = NULL;
- Slapi_DN *bind_sdn = NULL;
Slapi_Entry *e = NULL;
char *attrs[2];
Slapi_Backend *be = NULL;
@@ -2351,7 +2348,10 @@ static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn)
slapi_search_internal_get_entry(replica_sdn, attrs, &e, getPluginID());
if (e) {
- replica_bind_dn = slapi_entry_attr_get_charptr(e, DNA_REPL_BIND_DN);
+ /* Check if the passed in bind dn matches any of the replica bind dns. */
+ Slapi_Value *bind_dn_sv = slapi_value_new_string(bind_dn);
+ ret = slapi_entry_attr_has_syntax_value(e, DNA_REPL_BIND_DN, bind_dn_sv);
+ slapi_value_free(&bind_dn_sv);
} else {
slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
"dna_is_replica_bind_dn: Failed to fetch replica entry "
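Review bot: The new `Slapi_Value *bind_dn_sv = slapi_value_new_string(bind_dn);` is called with the `bind_dn` parameter unchecked for NULL; an anonymous bind can plausibly reach this extop path, and nothing visible in the function guards against it. If `bind_dn` may be NULL, add `if (!bind_dn) goto done;` before the search (returning 0 so the request is refused), which also avoids a needless internal search. A short comment that `slapi_entry_attr_has_syntax_value()` yields 1 on match and 0 otherwise, and that it compares under the attribute's DN syntax so no separate normalisation is needed, would explain why the old `slapi_sdn_compare` path could be dropped. The function's prologue is in the previous hunk and its epilogue in the next.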
@@ -2359,21 +2359,10 @@ static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn)
}
}
- if (replica_bind_dn) {
- /* Compare the passed in bind dn to the replica bind dn */
- bind_sdn = slapi_sdn_new_dn_byref(bind_dn);
- replica_bind_sdn = slapi_sdn_new_dn_passin(replica_bind_dn);
- if (slapi_sdn_compare(bind_sdn, replica_bind_sdn) == 0) {
- ret = 1;
- }
- }
-
done:
slapi_entry_free(e);
slapi_sdn_free(&range_sdn);
slapi_sdn_free(&replica_sdn);
- slapi_sdn_free(&replica_bind_sdn);
- slapi_sdn_free(&bind_sdn);
return ret;
}
@@ -2515,15 +2504,9 @@ static int dna_get_replica_bind_creds(char *range_dn, struct dnaServer *server,
}
}
- /* If we didn't get both a bind DN and a decoded password,
- * then just free everything and return an error. */
- if (*bind_dn && *bind_passwd) {
- ret = 0;
- } else {
- slapi_ch_free_string(bind_dn);
- slapi_ch_free_string(bind_passwd);
- slapi_ch_free_string(bind_method);
- }
+ /* If we got here, we succesfully got the
+ * creds. Set the success return value. */
+ ret = 0;
bail:
slapi_ch_free_string(&transport);
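Review bot: After this change `dna_get_replica_bind_creds` sets `ret = 0` even when `*bind_dn` or `*bind_passwd` is still NULL, which is intended for SASL/GSSAPI agreements but quietly weakens the success contract; every caller (outside this hunk) must now accept NULL credentials together with a non-simple `*bind_method` and must still check the pointers before dereferencing them. A comment on the function should state that, e.g. `/* On success *bind_dn and *bind_passwd may be NULL when *bind_method is not a simple bind; callers must check. */`. Also "succesfully" in the new comment is misspelled ("successfully").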
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/slapi-private.h | 2 ++
1 file changed, 2 insertions(+)
New commits:
commit 68bc0a4391b77ad717fbdfb93f9eebb25eda5bc1
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Jan 20 10:20:52 2011 -0800
Bug 627993 - Inconsistent storage of password expiry times
Commit made in 5727b8899700f574026bc9be5a1990c4c66619cf introduced
a bug. The commit removed 2 functions format_genTime and
parse_genTime from slapi-private.h. But they are used in plugins,
which requires them in the header file. This fix restores the
function declarations.
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 0873a75..3bc0c74 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1117,8 +1117,10 @@ time_t read_localTime(struct berval* from);
time_t parse_localTime(char* from);
void write_localTime(time_t from, struct berval* into);
time_t current_time( void );
+char* format_genTime(time_t from);
void write_genTime(time_t from, struct berval* into);
time_t read_genTime(struct berval* from);
+time_t parse_genTime(char* from);
long parse_duration(char *value);
char *gen_duration(long duration);
coolkey/applet/src/com/redhat/ckey/applet CardEdge.java, 1.4, 1.5
by Jack Magne
Author: jmagne
Update of /cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv19334
Modified Files:
CardEdge.java
Log Message:
Fix Bugzilla Bug 614639 - 64k gemalto usb token no longer works properly after a logout request is issued.
Index: CardEdge.java
===================================================================
RCS file: /cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet/CardEdge.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- CardEdge.java 12 Nov 2007 19:24:51 -0000 1.4
+++ CardEdge.java 20 Jan 2011 18:14:10 -0000 1.5
@@ -122,9 +122,9 @@
private static final byte VERSION_PROTOCOL_MAJOR = 1;
private static final byte VERSION_PROTOCOL_MINOR = 1;
private static final byte VERSION_APPLET_MAJOR = 1;
- private static final byte VERSION_APPLET_MINOR = 3;
- private static final short BUILDID_MAJOR = (short) 0x4734;
- private static final short BUILDID_MINOR = (short) 0xb002;
+ private static final byte VERSION_APPLET_MINOR = 4;
+ private static final short BUILDID_MAJOR = (short) 0x4d38;
+ private static final short BUILDID_MINOR = (short) 0x7a3f;
private static final short ZEROS = 0;
// * Enable pin size check
@@ -405,17 +405,18 @@
private static final short OFFSET_IMP_KEY_ENC_WRAP_KEY = 5;
- private static final short MAX_RSA_MOD_BITS = 1024;
- private static final short MAX_RSA_MOD_BYTES = 128;
+ private static final short MAX_RSA_MOD_BITS = 2048;
+ private static final short MAX_RSA_MOD_BYTES = 256;
// 554 = 2 bytes for explicit length,
// 512 bytes for data
// 40 bytes for two sha digest buffers.
- private static final short IOBUF_ALLOC = 554;
+ //private static final short IOBUF_ALLOC = 554;
+ private static final short IOBUF_ALLOC = 1200;
// offsets in iobuf used by CryptProcessFinal()
- private static final short VFY_OFF = 258;
- private static final short VFY_MD_0 = 514;
- private static final short VFY_MD_1 = 534;
+ private static final short VFY_OFF = 558;
+ private static final short VFY_MD_0 = 1014;
+ private static final short VFY_MD_1 = 1034;
// how many ms to delay when a bad password is detected
private static final short BAD_PASSWD_DELAY = 1000;
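Review bot: The comment block starting `// 554 = 2 bytes for explicit length,` still explains the old 554-byte budget, while `IOBUF_ALLOC` is now 1200 and `VFY_OFF`/`VFY_MD_0`/`VFY_MD_1` moved to 558/1014/1034, so the next reader has no way to check that the digest slots still fit inside the buffer. Replace it with the derivation of the new value and of the three offsets against `MAX_RSA_MOD_BYTES = 256`, and delete the commented-out `//private static final short IOBUF_ALLOC = 554;` line rather than keep dead code next to the live constant. The `mem_size` change from 6000 to 5000 in a later hunk of this file also has no comment saying why the transient budget shrank.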
@@ -484,6 +485,7 @@
private byte[] keyTries; // persistent
private byte[] issuerInfo; // persistent
+
/**
* Instance variable array declarations - TRANSIENT
* Allocated by JCSystem.makeTransientXxxxxArray calls below.
@@ -507,7 +509,7 @@
//Save offset of the instance aid length.
byte remainingLength = bLength;
- short mem_size = (short)6000;
+ short mem_size = (short)5000;
create_object_ACL = RA_ACL;
create_key_ACL = RA_ACL;
create_pin_ACL = RA_ACL;
@@ -1932,16 +1934,18 @@
private void Logout(APDU apdu, byte[] buffer)
{
- byte lc = buffer[ISO7816.OFFSET_LC];
- if( lc != 0 )
- ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
+ //Disable exceptions below to appease Gemalto 64K USB key
+ //byte lc = buffer[ISO7816.OFFSET_LC];
+ //if( lc != 0 )
+ // ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
byte logoutID = buffer[ISO7816.OFFSET_P1];
- if ((authenticated_id & (short)(1 << logoutID)) == 0) {
- ISOException.throwIt(SW_UNAUTHORIZED);
- }
+ //if ((authenticated_id & (short)(1 << logoutID)) == 0) {
+ // ISOException.throwIt(SW_UNAUTHORIZED);
+ //}
+
LogoutOneIdentity(logoutID);
}
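Review bot: `Logout` now reaches `LogoutOneIdentity(logoutID);` with neither the Lc check nor the `authenticated_id` check, and the later `requireAuth` hunk of this file drops `case INS_LOGOUT:` from the instructions that need the secure nonce, so any party able to send APDUs to the applet can log out an identity it never authenticated as, and `logoutID` from P1 is passed through completely unvalidated. Even if the Gemalto workaround has to tolerate a non-zero Lc, a range check on P1 should stay, e.g. `if (logoutID < 0 || logoutID > 15) ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2);` (15 assumes the 16-bit `authenticated_id` mask visible in the removed lines — confirm against `LogoutOneIdentity`, which is outside the hunk). The `//Disable exceptions below to appease Gemalto 64K USB key` comment should record the security trade-off being made, not only the motivation. The same change appears in the COOLKEY_330J_BRANCH commit below (its Logout and requireAuth hunks), so both copies need the same treatment.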
@@ -2050,12 +2054,12 @@
LogoutAllIdentity(pin_nb);
}
- private short outputRSAPublicKey(short key_nb, byte[] buf, short offset) {
+ private short outputRSAPublicKey(short key_nb, byte[] buf, short offset, short key_size) {
buf[offset] = ZEROB; // plaintext
offset++;
buf[offset] = (byte) 1; // RSA public key
offset++;
- Util.setShort(buf, offset, (short)(1024)); // 1024-bit key
+ Util.setShort(buf, offset, (short)(key_size)); // Key Size.
offset+=2;
RSAPublicKey key = (RSAPublicKey) keys[key_nb];
@@ -2079,6 +2083,7 @@
byte owner = (byte) ((buffer[ISO7816.OFFSET_P1] >> 4) & 0xf) ;
byte usage = (byte) ((buffer[ISO7816.OFFSET_P2] >> 4) & 0xf);
short acl = 0;
+ short key_size = Util.getShort(buffer, (short)(ISO7816.OFFSET_CDATA+1));
if ((buffer[ISO7816.OFFSET_P1] == 0)
&& (buffer[ISO7816.OFFSET_P2] == 0)) {
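Review bot: `key_size` is read straight from the APDU data at `short key_size = Util.getShort(buffer, (short)(ISO7816.OFFSET_CDATA+1));` and, in the hunks that follow, drives `modsize = key_size / 8`, the `iobuf` offsets in the GenerateKeyPair path, and the `outOffset+modsize-(short)20` / `ciph.doFinal(outbuf, outOffset, modsize, ...)` arithmetic in `handSign`, without ever being compared to `MAX_RSA_MOD_BITS`; an unexpected value (0, a non-multiple of 8, or anything above 2048) becomes out-of-range indexes into `iobuf` or a mismatch between the declared size and the key actually generated. Reject anything but the supported sizes before use, e.g. `if (key_size != 1024 && key_size != 2048) ISOException.throwIt(ISO7816.SW_WRONG_DATA);` right after the new line, and make sure the Lc check (outside this hunk) covers the two bytes being read. Whether `GenerateKeyPairRSA` derives the modulus length from the same `key_size` is not visible here; if it does not, the two sources must be reconciled or the output object will be sized wrongly.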
@@ -2127,7 +2132,9 @@
GenerateKeyPairRSA(apdu, buffer, prv_key_nb, pub_key_nb, acl);
// copy public key to output object
- short pubkeysize = outputRSAPublicKey(pub_key_nb, iobuf, (short)2);
+ short pubkeysize = outputRSAPublicKey(pub_key_nb, iobuf, (short)2, (short) key_size);
+ short modsize = (short) ((short)key_size / (short) 8);
+
Util.setShort(iobuf, ZEROS, pubkeysize);
// Compute digest over public key and decrypted challenge.
@@ -2135,31 +2142,32 @@
Util.arrayCopyNonAtomic(buffer, (short)11, iobuf,
(short)(2 + pubkeysize), (short)16);
doDigest(iobuf, (short)2, (short)(16+pubkeysize),
- iobuf, (short)(2+pubkeysize+128) );
-
+ iobuf, (short)(2+pubkeysize+modsize) );
// Sign the digest, writing the signature over the digest in the iobuf
- short sigsize = handSign(prv_key_nb, iobuf, (short) (2+pubkeysize+128),
- (short)shaDigest.getLength(), iobuf, (short)(2+pubkeysize+2));
+ short sigsize = handSign(prv_key_nb, iobuf, (short) (2+pubkeysize+modsize),
+ (short)shaDigest.getLength(), iobuf, (short)(2+pubkeysize+2), modsize);
+
Util.setShort(iobuf, (short)(2 + pubkeysize), sigsize);
iobuf_size = (short) (2 + pubkeysize + 2 + sigsize);
Util.setShort(buffer, ZEROS, iobuf_size);
apdu.setOutgoingAndSend(ZEROS, (short)2);
+
}
//
// HandSign hard codes SHA1.
//
private short handSign(byte key_nb, byte inbuf[], short inOffset,
- short len, byte outbuf[], short outOffset)
+ short len, byte outbuf[], short outOffset, short modsize)
{
short index;
//
// build the signed data
//
// Hard coded for SHA1
- index = (short)(outOffset+108);
+ index = (short)(outOffset+modsize-(short)20);
Util.arrayCopyNonAtomic(inbuf, inOffset, outbuf, index, (short)20);
index = (short) (index - sha1encodeLen);
Util.arrayCopyNonAtomic(sha1encode,ZEROS,outbuf,index,sha1encodeLen);
@@ -2171,7 +2179,7 @@
outbuf[outOffset] = 0;
Cipher ciph = getCipher(key_nb, Cipher.ALG_RSA_NOPAD);
ciph.init(keys[key_nb], (byte) Cipher.MODE_ENCRYPT);
- return ciph.doFinal(outbuf, outOffset, (short)128,
+ return ciph.doFinal(outbuf, outOffset, modsize,
outbuf, outOffset);
}
@@ -2784,7 +2792,7 @@
case INS_DELETE_OBJ:
case INS_READ_OBJ:
case INS_WRITE_OBJ:
- case INS_LOGOUT:
+// case INS_LOGOUT:
ret = true;
}
return ret;
@@ -2793,7 +2801,7 @@
private void initTransient()
{
iobuf = JCSystem.makeTransientByteArray(IOBUF_ALLOC,
- JCSystem.CLEAR_ON_DESELECT);
+ JCSystem.CLEAR_ON_DESELECT);
ciph_dirs = JCSystem.makeTransientByteArray(MAX_NUM_KEYS,
JCSystem.CLEAR_ON_DESELECT);
//
@@ -2821,7 +2829,7 @@
if (requireAuth(ins)) {
verifySecureNonce(apdu, buffer);
}
-
+
switch(ins)
{
case INS_IMPORT_KEY:
coolkey/applet/src/com/redhat/ckey/applet CardEdge.java, 1.4.2.2, 1.4.2.3
by Jack Magne
Author: jmagne
Update of /cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv19281
Modified Files:
Tag: COOLKEY_330J_BRANCH
CardEdge.java
Log Message:
Fix Bugzilla Bug 614639 - 64k gemalto usb token no longer works properly after a logout request is issued.
Index: CardEdge.java
===================================================================
RCS file: /cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet/CardEdge.java,v
retrieving revision 1.4.2.2
retrieving revision 1.4.2.3
diff -u -r1.4.2.2 -r1.4.2.3
--- CardEdge.java 19 Feb 2009 02:06:31 -0000 1.4.2.2
+++ CardEdge.java 20 Jan 2011 18:13:07 -0000 1.4.2.3
@@ -123,8 +123,8 @@
private static final byte VERSION_PROTOCOL_MINOR = 1;
private static final byte VERSION_APPLET_MAJOR = 1;
private static final byte VERSION_APPLET_MINOR = 4;
- private static final short BUILDID_MAJOR = (short) 0x498f;
- private static final short BUILDID_MINOR = (short) 0xa85f;
+ private static final short BUILDID_MAJOR = (short) 0x4d38;
+ private static final short BUILDID_MINOR = (short) 0x7a28;
private static final short ZEROS = 0;
// * Enable pin size check
@@ -1935,16 +1935,18 @@
private void Logout(APDU apdu, byte[] buffer)
{
- byte lc = buffer[ISO7816.OFFSET_LC];
- if( lc != 0 )
- ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
+ //Disable exceptions below to appease Gemalto 64K USB key
+ //byte lc = buffer[ISO7816.OFFSET_LC];
+ //if( lc != 0 )
+ // ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
byte logoutID = buffer[ISO7816.OFFSET_P1];
- if ((authenticated_id & (short)(1 << logoutID)) == 0) {
- ISOException.throwIt(SW_UNAUTHORIZED);
- }
+ //if ((authenticated_id & (short)(1 << logoutID)) == 0) {
+ // ISOException.throwIt(SW_UNAUTHORIZED);
+ //}
+
LogoutOneIdentity(logoutID);
}
@@ -2791,7 +2793,7 @@
case INS_DELETE_OBJ:
case INS_READ_OBJ:
case INS_WRITE_OBJ:
- case INS_LOGOUT:
+// case INS_LOGOUT:
ret = true;
}
return ret;
@@ -2828,7 +2830,7 @@
if (requireAuth(ins)) {
verifySecureNonce(apdu, buffer);
}
-
+
switch(ins)
{
case INS_IMPORT_KEY:
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/libglobs.c | 50 ++++++---------------
ldap/servers/slapd/slapi-private.h | 6 --
ldap/servers/slapd/time.c | 85 ++++++++++++++++++++++++++++++++++++-
3 files changed, 102 insertions(+), 39 deletions(-)
New commits:
commit 5727b8899700f574026bc9be5a1990c4c66619cf
Author: Noriko Hosoi <nhosoi(a)jiji.usersys.redhat.com>
Date: Wed Jan 19 16:49:57 2011 -0800
Bug 627993 - Inconsistent storage of password expiry times
https://bugzilla.redhat.com/show_bug.cgi?id=627993
Description: Allows passwordLockoutDuration, passwordResetFailureCount,
passwordMaxAge, passwordMinAge, passwordWarning to have <days>D|d,
<hours>H|h, <min>M|m, and <sec>S|s in addition to the current
representation <sec> in seconds.
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index e547b47..15f2aca 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -2163,7 +2163,6 @@ int
config_set_pw_lockduration( const char *attrname, char *value, char *errorbuf, int apply ) {
int retVal = LDAP_SUCCESS;
long duration = 0; /* in minutes */
- char *endp = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -2173,11 +2172,11 @@ config_set_pw_lockduration( const char *attrname, char *value, char *errorbuf, i
errno = 0;
/* in seconds */
- duration = strtol(value, &endp, 10);
+ duration = parse_duration(value);
- if ( *endp != '\0' || errno == ERANGE || duration <= 0 || duration > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
+ if ( errno == ERANGE || duration <= 0 || duration > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password lockout duration \"%s\" seconds is invalid. ",
+ "password lockout duration \"%s\" is invalid. ",
value );
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
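Review bot: The `/* in seconds */` comment immediately above `duration = parse_duration(value);` is now misleading because the value may carry a d/h/m/s suffix; the same stale comment sits in the resetfailurecount, maxage, minage and warning hunks below. Suggest `/* seconds, or a number with a D/H/M/S suffix; parse_duration() returns -1 on a malformed value */` in each place. The error messages were trimmed to "is invalid" without naming the accepted form; `"password lockout duration \"%s\" is invalid (use seconds or <n>[DHMS]). "` spares an administrator a trip to the docs. The retained `errno == ERANGE` test here is redundant now that `parse_duration` maps ERANGE to -1, which already fails `duration <= 0` — the maxage hunk dropped it, so the two should agree.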
@@ -2195,7 +2194,6 @@ int
config_set_pw_resetfailurecount( const char *attrname, char *value, char *errorbuf, int apply ) {
int retVal = LDAP_SUCCESS;
long duration = 0; /* in minutes */
- char *endp = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -2205,11 +2203,11 @@ config_set_pw_resetfailurecount( const char *attrname, char *value, char *errorb
errno = 0;
/* in seconds */
- duration = strtol(value, &endp, 10);
+ duration = parse_duration(value);
- if ( *endp != '\0' || errno == ERANGE || duration < 0 || duration > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
+ if ( errno == ERANGE || duration < 0 || duration > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password reset count duration \"%s\" seconds is invalid. ",
+ "password reset count duration \"%s\" is invalid. ",
value );
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
@@ -3269,7 +3267,6 @@ int
config_set_pw_maxage( const char *attrname, char *value, char *errorbuf, int apply ) {
int retVal = LDAP_SUCCESS;
long age;
- char *endp = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -3279,11 +3276,11 @@ config_set_pw_maxage( const char *attrname, char *value, char *errorbuf, int app
errno = 0;
/* age in seconds */
- age = strtol(value, &endp, 10);
+ age = parse_duration(value);
- if ( *endp != '\0' || errno == ERANGE || age <= 0 || age > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
+ if ( age <= 0 || age > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: password maximum age \"%s\" seconds is invalid. ",
+ "%s: password maximum age \"%s\" is invalid. ",
attrname, value );
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
@@ -3299,7 +3296,6 @@ int
config_set_pw_minage( const char *attrname, char *value, char *errorbuf, int apply ) {
int retVal = LDAP_SUCCESS;
long age;
- char *endPtr = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
if ( config_value_is_null( attrname, value, errorbuf, 1 )) {
@@ -3308,24 +3304,11 @@ config_set_pw_minage( const char *attrname, char *value, char *errorbuf, int app
errno = 0;
/* age in seconds */
- age = strtol(value, &endPtr, 0 );
- /* endPtr should never be NULL, but we check just in case; if the
- value contains no digits, or a string that does not begin with
- a valid digit (e.g. "z2"), the days will be 0, and endPtr will
- point to the beginning of value; if days contains at least 1
- valid digit string, endPtr will point to the character after
- the end of the first valid digit string in value. Example:
- value = " 2 3 " endPtr will point at the space character
- between the 2 and the 3. So, we should be able to simply
- check to see if the character at *(endPtr - 1) is a digit.
- */
- if ( (age < 0) ||
- (age > (MAX_ALLOWED_TIME_IN_SECS - current_time())) ||
- (endPtr == NULL) || (endPtr == value) || !isdigit(*(endPtr-1)) ||
- errno == ERANGE ) {
+ age = parse_duration(value);
+ if ( age < 0 || age > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: password minimum age \"%s\" seconds is invalid. ",
- attrname, value );
+ "%s: password minimum age \"%s\" is invalid. ",
+ attrname, value );
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -3340,7 +3323,6 @@ int
config_set_pw_warning( const char *attrname, char *value, char *errorbuf, int apply ) {
int retVal = LDAP_SUCCESS;
long sec;
- char *endp = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -3350,11 +3332,11 @@ config_set_pw_warning( const char *attrname, char *value, char *errorbuf, int ap
errno = 0;
/* in seconds */
- sec = strtol(value, &endp, 10);
+ sec = parse_duration(value);
- if (*endp != '\0' || errno == ERANGE || sec < 0) {
+ if (errno == ERANGE || sec < 0) {
PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: password warning age \"%s\" seconds is invalid, password warning "
+ "%s: password warning age \"%s\" is invalid, password warning "
"age must range from 0 to %ld seconds",
attrname, value, LONG_MAX );
retVal = LDAP_OPERATIONS_ERROR;
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 44e9bb3..0873a75 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1117,10 +1117,10 @@ time_t read_localTime(struct berval* from);
time_t parse_localTime(char* from);
void write_localTime(time_t from, struct berval* into);
time_t current_time( void );
-char* format_genTime(time_t from);
void write_genTime(time_t from, struct berval* into);
time_t read_genTime(struct berval* from);
-time_t parse_genTime(char* from);
+long parse_duration(char *value);
+char *gen_duration(long duration);
/* Client SSL code */
int slapd_security_library_is_initialized( void );
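Review bot: This hunk removes the public prototypes `char* format_genTime(time_t from);` and `time_t parse_genTime(char* from);` while `time.c` in this same commit still defines `parse_genTime`, and the description only talks about duration suffixes; if any plugin or other translation unit calls them, it now compiles with an implicit declaration (or fails under a stricter compiler). The next hunk of this file likewise drops `int is_slapd_running();` without a word in the description. Either keep the declarations until the callers are confirmed gone, or state in the commit message that they were verified unused.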
@@ -1226,8 +1226,6 @@ void DS_Sleep(PRIntervalTime ticks);
/* plugin.c */
int plugin_enabled(const char *plugin_name, void *identity);
-int is_slapd_running();
-
#ifdef __cplusplus
}
#endif
diff --git a/ldap/servers/slapd/time.c b/ldap/servers/slapd/time.c
index 12e02ce..bf58cdf 100644
--- a/ldap/servers/slapd/time.c
+++ b/ldap/servers/slapd/time.c
@@ -399,5 +399,88 @@ parse_genTime (char* from)
tbv.bv_val = from;
tbv.bv_len = strlen (from);
- return read_genTime(&tbv);
+ return read_genTime(&tbv);
+}
+
+/*
+ * Return Value:
+ * Success: duration in seconds
+ * Failure: -1
+ */
+long
+parse_duration(char *value)
+{
+ char *input = NULL;
+ char *endp;
+ long duration = -1;
+ int times = 1;
+
+ if (NULL == value || '\0' == *value) {
+ goto bail;
+ }
+ input = slapi_ch_strdup(value);
+ endp = input + strlen(input) - 1;
+ while ((' ' == *endp || '\t' == *endp) && endp >= input) {
+ endp--;
+ }
+ if ((endp == input) && !isdigit(*input)) {
+ goto bail;
+ }
+ if ('d' == *endp || 'D' == *endp) {
+ times = 60 * 60 * 24;
+ *endp = '\0';
+ } else if ('h' == *endp || 'H' == *endp) {
+ times = 60 * 60;
+ *endp = '\0';
+ } else if ('m' == *endp || 'M' == *endp) {
+ times = 60;
+ *endp = '\0';
+ } else if ('s' == *endp || 'S' == *endp) {
+ times = 1;
+ *endp = '\0';
+ }
+
+ duration = strtol(input, &endp, 10);
+ if ( *endp != '\0' || errno == ERANGE ) {
+ duration = -1;
+ goto bail;
+ }
+ duration *= times;
+
+bail:
+ slapi_ch_free_string(&input);
+ return duration;
+}
+
+/*
+ * caller is responsible to free the returned string
+ */
+char *
+gen_duration(long duration)
+{
+ char *duration_str = NULL;
+ long remainder = 0;
+ long devided = duration;
+ int devider[] = {60, 60, 24, 0};
+ char *unit[] = {"", "M", "H", "D", NULL};
+ int i = 0;
+
+ if (0 > duration) {
+ goto bail;
+ } else if (0 == duration) {
+ duration_str = strdup("0");
+ goto bail;
+ }
+ do {
+ remainder = devided % devider[i];
+ if (remainder) {
+ break;
+ }
+ devided /= devider[i++];
+ } while (devider[i]);
+
+ duration_str = slapi_ch_smprintf("%ld%s", devided, unit[i]);
+
+bail:
+ return duration_str;
}
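Review bot: In `parse_duration` the trimming loop `while ((' ' == *endp || '\t' == *endp) && endp >= input)` dereferences `*endp` before testing `endp >= input`, so an all-blank value reads one byte before the buffer; the operands need swapping and an explicit `endp < input` bail-out. `isdigit(*input)` should take an `unsigned char` to avoid undefined behaviour on negative chars, `errno` is never reset inside the function before `strtol` although the function's own `ERANGE` test relies on it (the callers happen to do it today), and `duration *= times` can overflow silently for large day counts (the guard below needs `<limits.h>`, which `libglobs.c` already uses for `LONG_MAX`). In `gen_duration` the zero case uses libc `strdup("0")` while the normal path uses `slapi_ch_smprintf`, so a caller freeing with the slapi allocator gets a mismatched pointer; use `slapi_ch_strdup("0")`. The identifiers `devided`/`devider` are also misspelled (`divided`/`divisor`).
```c
/* … unchanged: parse_duration prologue, NULL/empty check, slapi_ch_strdup … */
    endp = input + strlen(input) - 1;
    while (endp >= input && (' ' == *endp || '\t' == *endp)) {
        endp--;
    }
    if (endp < input || ((endp == input) && !isdigit((unsigned char)*input))) {
        goto bail;
    }
    /* … unchanged: unit suffix handling … */
    errno = 0;
    duration = strtol(input, &endp, 10);
    if ( *endp != '\0' || errno == ERANGE ) {
        duration = -1;
        goto bail;
    }
    if (duration > LONG_MAX / times || duration < LONG_MIN / times) {
        duration = -1; /* would overflow after unit scaling */
        goto bail;
    }
    duration *= times;
/* … unchanged: bail label, gen_duration apart from the zero case … */
        duration_str = slapi_ch_strdup("0");
```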
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/configdse.c | 21 ++++++++++++++++++---
ldap/servers/slapd/libglobs.c | 2 +-
2 files changed, 19 insertions(+), 4 deletions(-)
New commits:
commit f1899ba0ea425639932c373d3171ec8a9441f780
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Jan 19 10:52:24 2011 -0800
Bug 616850 - ldapmodify failed to reject the replace operation
if its targeted for an Unknown attribute
https://bugzilla.redhat.com/show_bug.cgi?id=616850
Description: Attempting to modify an unknown attribute in the
config entry fails with LDAP_UNWILLING_TO_PERFORM, while starting
up just ignores unknown attributes and the server successfully
starts.
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index 4799145..faf1560 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -329,9 +329,12 @@ load_config_dse(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* ignored, int *ret
retval = LDAP_SUCCESS;
}
} else {
- if ((retval != LDAP_SUCCESS) &&
- slapi_attr_flag_is_set(attr, SLAPI_ATTR_FLAG_OPATTR)) {
- retval = LDAP_SUCCESS; /* ignore attempts to modify operational attrs */
+ if (((retval != LDAP_SUCCESS) &&
+ slapi_attr_flag_is_set(attr, SLAPI_ATTR_FLAG_OPATTR)) ||
+ (LDAP_NO_SUCH_ATTRIBUTE == retval)) {
+ /* ignore attempts to modify operational attrs and */
+ /* ignore attempts to modify unknown attributes for load. */
+ retval = LDAP_SUCCESS;
}
}
}
@@ -425,6 +428,12 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in
}
rc = config_set(config_attr, mods[i]->mod_bvalues,
returntext, apply_mods);
+ if (LDAP_NO_SUCH_ATTRIBUTE == rc) {
+ /* config_set returns LDAP_NO_SUCH_ATTRIBUTE if the
+ * attr is not defined for cn=config.
+ * map it to LDAP_UNWILLING_TO_PERFORM */
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ }
} else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) {
/* Need to allow deleting some configuration attrs */
if (allowed_to_delete_attrs(config_attr)) {
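Review bot: The new `if (LDAP_NO_SUCH_ATTRIBUTE == rc) { ... rc = LDAP_UNWILLING_TO_PERFORM; }` block after `config_set(...)` is duplicated verbatim in the next hunk of this file; a single block after the if/else chain, or a small `static int` helper that maps the return code, keeps the two from drifting. In both places `returntext` still carries the text that `config_set` wrote, "Unknown attribute %s will be ignored", which now contradicts the rejection the client actually receives; overwrite it alongside the remap, e.g. `PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "Unknown attribute %s is not allowed in cn=config", config_attr);` (a constructed message). The enclosing function continues outside the hunk.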
@@ -458,6 +467,12 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in
rc = config_set(config_attr, mods[i]->mod_bvalues, returntext,
apply_mods);
+ if (LDAP_NO_SUCH_ATTRIBUTE == rc) {
+ /* config_set returns LDAP_NO_SUCH_ATTRIBUTE if the
+ * attr is not defined for cn=config.
+ * map it to LDAP_UNWILLING_TO_PERFORM */
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ }
}
}
}
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 6a7e014..e547b47 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -5671,7 +5671,7 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply)
#endif
PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Unknown attribute %s will be ignored", attr);
slapi_log_error(SLAPI_LOG_FATAL, "config", "%s\n", errorbuf);
- return retval;
+ return LDAP_NO_SUCH_ATTRIBUTE;
}
switch (cgas->config_var_type)
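Review bot: `config_set` now returns `LDAP_NO_SUCH_ATTRIBUTE` for an unknown attribute but, two lines earlier, still writes "Unknown attribute %s will be ignored" into `errorbuf` and logs it at `SLAPI_LOG_FATAL`; on the modify path the attribute is no longer ignored but rejected, so both the wording and the FATAL severity are misleading to whoever reads the error log or the client's diagnostic message. Since this function cannot tell load from modify, word the message neutrally, e.g. `"Unknown attribute %s"`, and let the callers (configdse.c in this commit) add the outcome; a one-line comment on the new `return LDAP_NO_SUCH_ATTRIBUTE;` noting that load_config_dse treats it as ignorable while modify_config_dse maps it to UNWILLING_TO_PERFORM would document the contract.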