From 9ad1164405e7b4decb7c4ad96fe5ab27d6e53366 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 6 Jun 2018 16:31:32 +0200
Subject: [PATCH 19/23] Calculate enctypes in a separate function
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354
---
 library/adenroll.c | 137 +++++++++++++++++++++++++++++++----------------------
 1 file changed, 81 insertions(+), 56 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 6fdc773..75ac1e4 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -542,6 +542,83 @@ calculate_computer_account (adcli_enroll *enroll,
 	return ADCLI_SUCCESS;
 }
 
+static adcli_result
+calculate_enctypes (adcli_enroll *enroll, char **enctype)
+{
+	char *value = NULL;
+	krb5_enctype *read_enctypes;
+	char *new_value = NULL;
+	int is_2008_or_later;
+	LDAP *ldap;
+
+	*enctype = NULL;
+	/*
+	 * Because we're using a keytab we want the server to be aware of the
+	 * encryption types supported on the client, because we can't dynamically
+	 * use a new one that's thrown at us.
+	 *
+	 * If the encryption types are not explicitly set by the caller of this
+	 * library, then see if the account already has some encryption types
+	 * marked on it.
+	 *
+	 * If not, write our default set to the account.
+	 *
+	 * Note that Windows 2003 and earlier have a standard set of encryption
+	 * types, and no msDS-supportedEncryptionTypes attribute.
+	 */
+
+	ldap = adcli_conn_get_ldap_connection (enroll->conn);
+	return_unexpected_if_fail (ldap != NULL);
+
+	is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
+
+	/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
+	if (is_2008_or_later) {
+		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
+		                                 "msDS-supportedEncryptionTypes");
+
+		if (!enroll->keytab_enctypes_explicit && value != NULL) {
+			read_enctypes = _adcli_krb5_parse_enctypes (value);
+			if (read_enctypes == NULL) {
+				_adcli_warn ("Invalid or unsupported encryption types are set on "
+				             "the computer account (%s).", value);
+			} else {
+				free (enroll->keytab_enctypes);
+				enroll->keytab_enctypes = read_enctypes;
+			}
+		}
+
+	/* In 2003 or earlier, standard set of enc types */
+	} else {
+		value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
+	}
+
+	new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
+	if (new_value == NULL) {
+		free (value);
+		_adcli_warn ("The encryption types desired are not available in active directory");
+		return ADCLI_ERR_CONFIG;
+	}
+
+	/* If we already have this value, then don't need to update */
+	if (value && strcmp (new_value, value) == 0) {
+		free (value);
+		free (new_value);
+		return ADCLI_SUCCESS;
+	}
+	free (value);
+
+	if (!is_2008_or_later) {
+		free (new_value);
+		_adcli_warn ("Server does not support setting encryption types");
+		return ADCLI_SUCCESS;
+	}
+
+	*enctype = new_value;
+	return ADCLI_SUCCESS;
+}
+
+
 static adcli_result
 create_computer_account (adcli_enroll *enroll,
                          LDAP *ldap)
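Review bot: calculate_enctypes has no header comment stating its ownership contract, and the contract is subtle: `*enctype` is cleared to NULL at the top and only receives a heap string on the final line of the 2008-or-later path when the account's current value differs, so a NULL out-parameter together with ADCLI_SUCCESS means "nothing to write", not an error. I would add above the function: `/* On ADCLI_SUCCESS, *enctype is NULL when no update is needed (pre-2008 server, or the account already lists the desired types), otherwise a newly allocated msDS-supportedEncryptionTypes value the caller must free; ADCLI_ERR_CONFIG leaves *enctype NULL. */`. The same comment should spell out the branch where `_adcli_krb5_parse_enctypes` rejects the value already on the account: the code only warns, then formats the client's own set into new_value and hands it back for the caller to write over the administrator-set attribute. That is pre-existing behaviour moved here rather than something this patch introduces, but it changes the enctypes the KDC will use for this account, so it deserves to be stated rather than left implicit in the fallthrough.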
@@ -1053,75 +1130,23 @@ retrieve_computer_account (adcli_enroll *enroll)
 static adcli_result
 update_and_calculate_enctypes (adcli_enroll *enroll)
 {
-	char *value = NULL;
-	krb5_enctype *read_enctypes;
 	char *vals_supportedEncryptionTypes[] = { NULL, NULL };
 	LDAPMod mod = { LDAP_MOD_REPLACE, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } };
 	LDAPMod *mods[2] = { &mod, NULL };
-	int is_2008_or_later;
 	char *new_value;
 	LDAP *ldap;
 	int ret;
 
-	/*
-	 * Because we're using a keytab we want the server to be aware of the
-	 * encryption types supported on the client, because we can't dynamically
-	 * use a new one that's thrown at us.
-	 *
-	 * If the encryption types are not explicitly set by the caller of this
-	 * library, then see if the account already has some encryption types
-	 * marked on it.
-	 *
-	 * If not, write our default set to the account.
-	 *
-	 * Note that Windows 2003 and earlier have a standard set of encryption
-	 * types, and no msDS-supportedEncryptionTypes attribute.
-	 */
-
 	ldap = adcli_conn_get_ldap_connection (enroll->conn);
 	return_unexpected_if_fail (ldap != NULL);
 
-	is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID);
-
-	/* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */
-	if (is_2008_or_later) {
-		value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes,
-		                                 "msDS-supportedEncryptionTypes");
-
-		if (!enroll->keytab_enctypes_explicit && value != NULL) {
-			read_enctypes = _adcli_krb5_parse_enctypes (value);
-			if (read_enctypes == NULL) {
-				_adcli_warn ("Invalid or unsupported encryption types are set on "
-				             "the computer account (%s).", value);
-			} else {
-				free (enroll->keytab_enctypes);
-				enroll->keytab_enctypes = read_enctypes;
-			}
-		}
-
-	/* In 2003 or earlier, standard set of enc types */
-	} else {
-		value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
-	}
-
-	new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
-	if (new_value == NULL) {
-		free (value);
-		_adcli_warn ("The encryption types desired are not available in active directory");
-		return ADCLI_ERR_CONFIG;
-	}
-
-	/* If we already have this value, then don't need to update */
-	if (value && strcmp (new_value, value) == 0) {
-		free (value);
+	ret = calculate_enctypes (enroll, &new_value);
+	if (ret != ADCLI_SUCCESS) {
 		free (new_value);
-		return ADCLI_SUCCESS;
+		return ret;
 	}
-	free (value);
 
-	if (!is_2008_or_later) {
-		free (new_value);
-		_adcli_warn ("Server does not support setting encryption types");
+	if (new_value == NULL) {
 		return ADCLI_SUCCESS;
 	}
 
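Review bot: The `free (new_value)` kept inside the new `if (ret != ADCLI_SUCCESS)` branch is dead code: calculate_enctypes sets `*enctype = NULL` before any of its returns and only assigns new_value on its final success path, so on ADCLI_ERR_CONFIG new_value is always NULL and the branch can simply be `if (ret != ADCLI_SUCCESS) return ret;`. Leaving the free in suggests to the next reader that the callee may hand back an allocation on failure, which it does not, and that kind of false ownership hint is how double frees get introduced later. The `ldap` lookup and `return_unexpected_if_fail` that remain at the top of this function now duplicate the same two lines inside calculate_enctypes; that is harmless but worth a one-line comment if `ldap` is still needed for the modify below. update_and_calculate_enctypes continues past the end of this hunk, where I assume new_value is stored into vals_supportedEncryptionTypes and freed after the LDAP modify — that tail is not visible here.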
-- 
2.14.4