
From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 3/4] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
 with tests
The new call not only returns the current encryption types set in AD
(or a default list) but also filters them against the list of encryption
types permitted on the client. This makes sure the client can create and
use the keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
 library/Makefile.am |   5 ++
 library/adenroll.c  | 124 ++++++++++++++++++++++++++++++++++++++++++++
 library/adenroll.h  |   2 +
 3 files changed, 131 insertions(+)
diff --git a/library/Makefile.am b/library/Makefile.am
2e5ed6
index 39e8fd1..4829555 100644
2e5ed6
--- a/library/Makefile.am
2e5ed6
+++ b/library/Makefile.am
2e5ed6
@@ -40,6 +40,7 @@ check_PROGRAMS = \
2e5ed6
 	test-util \
2e5ed6
 	test-ldap \
2e5ed6
 	test-attrs \
2e5ed6
+	test-adenroll \
2e5ed6
 	$(NULL)
2e5ed6
 
2e5ed6
 test_seq_SOURCES = seq.c test.c test.h
2e5ed6
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
2e5ed6
 test_attrs_CFLAGS = -DATTRS_TESTS
2e5ed6
 test_attrs_LDADD = $(test_ldap_LDADD)
2e5ed6
 
2e5ed6
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
2e5ed6
+test_adenroll_CFLAGS = -DADENROLL_TESTS
2e5ed6
+test_adenroll_LDADD = $(KRB5_LIBS)
2e5ed6
+
2e5ed6
 TESTS = $(check_PROGRAMS)
2e5ed6
 
2e5ed6
 MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
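Review bot: test_adenroll_LDADD lists only $(KRB5_LIBS), while the neighbouring test_attrs_LDADD reuses $(test_ldap_LDADD) for a target built from the same $(test_ldap_SOURCES). If those shared sources pull in LDAP or other libraries, the new test binary will need them at link time as well, so the consistent form would be `test_adenroll_LDADD = $(test_ldap_LDADD)` (adding $(KRB5_LIBS) only if it is not already part of that variable). What test_ldap_LDADD contains is outside this hunk, so this is worth a quick check rather than a certainty.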
2e5ed6
diff --git a/library/adenroll.c b/library/adenroll.c
2e5ed6
index f617f28..95c07cd 100644
2e5ed6
--- a/library/adenroll.c
2e5ed6
+++ b/library/adenroll.c
2e5ed6
@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
2e5ed6
 		return v51_earlier_enctypes;
2e5ed6
 }
2e5ed6
 
2e5ed6
+krb5_enctype *
2e5ed6
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
2e5ed6
+{
2e5ed6
+	krb5_enctype *cur_enctypes;
2e5ed6
+	krb5_enctype *permitted_enctypes;
2e5ed6
+	krb5_enctype *new_enctypes;
2e5ed6
+	krb5_error_code code;
2e5ed6
+	krb5_context k5;
2e5ed6
+	size_t c;
2e5ed6
+	size_t p;
2e5ed6
+	size_t n;
2e5ed6
+
2e5ed6
+	return_val_if_fail (enroll != NULL, NULL);
2e5ed6
+	cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
2e5ed6
+
2e5ed6
+	k5 = adcli_conn_get_krb5_context (enroll->conn);
2e5ed6
+	return_val_if_fail (k5 != NULL, NULL);
2e5ed6
+
2e5ed6
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
2e5ed6
+	return_val_if_fail (code == 0, NULL);
2e5ed6
+
2e5ed6
+	for (c = 0; cur_enctypes[c] != 0; c++);
2e5ed6
+
2e5ed6
+	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
2e5ed6
+	return_val_if_fail (new_enctypes != NULL, NULL);
2e5ed6
+
2e5ed6
+	n = 0;
2e5ed6
+	for (c = 0; cur_enctypes[c] != 0; c++) {
2e5ed6
+		for (p = 0; permitted_enctypes[p] != 0; p++) {
2e5ed6
+			if (cur_enctypes[c] == permitted_enctypes[p]) {
2e5ed6
+				new_enctypes[n++] = cur_enctypes[c];
2e5ed6
+				break;
2e5ed6
+			}
2e5ed6
+		}
2e5ed6
+		if (permitted_enctypes[p] == 0) {
2e5ed6
+			_adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
2e5ed6
+		}
2e5ed6
+	}
2e5ed6
+
2e5ed6
+	krb5_free_enctypes (k5, permitted_enctypes);
2e5ed6
+
2e5ed6
+	return new_enctypes;
2e5ed6
+}
2e5ed6
+
2e5ed6
 void
2e5ed6
 adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
2e5ed6
                                   krb5_enctype *value)
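Review bot: permitted_enctypes leaks when the allocation at `new_enctypes = calloc (c + 1, sizeof (krb5_enctype));` fails, because the following `return_val_if_fail (new_enctypes != NULL, NULL);` returns before the `krb5_free_enctypes (k5, permitted_enctypes);` at the end of the function; replace it with `if (new_enctypes == NULL) { krb5_free_enctypes (k5, permitted_enctypes); return NULL; }`. The returned array is obtained from calloc, yet the test added in the next adenroll.c hunk releases it with krb5_free_enctypes; on MIT krb5 that appears to end up as free(), but the ownership contract should be stated and the same allocator used on both sides, e.g. a comment above the function such as `/* Returns a newly allocated, zero-terminated array; the caller releases it with free(). NULL on error. */`. cur_enctypes is dereferenced without a NULL check; the context lines suggest adcli_enroll_get_keytab_enctypes falls back to a default list, so this is probably safe, but a `return_val_if_fail (cur_enctypes != NULL, NULL);` before the krb5_get_permitted_enctypes call would make that assumption explicit. The empty-bodied `for (c = 0; cur_enctypes[c] != 0; c++);` is easy to misread as a loop whose body is the next statement; a `/* count entries */` comment or an empty brace pair on that line would help.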
2e5ed6
@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
2e5ed6
 							    strdup (value), NULL);
2e5ed6
 	return_if_fail (enroll->service_principals_to_remove != NULL);
2e5ed6
 }
2e5ed6
+
2e5ed6
+#ifdef ADENROLL_TESTS
2e5ed6
+
2e5ed6
+#include "test.h"
2e5ed6
+
2e5ed6
+static void
2e5ed6
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
2e5ed6
+{
2e5ed6
+	krb5_enctype *enctypes;
2e5ed6
+	krb5_error_code code;
2e5ed6
+	krb5_enctype *permitted_enctypes;
2e5ed6
+	krb5_enctype check_enctypes[3] = { 0 };
2e5ed6
+	adcli_conn *conn;
2e5ed6
+	adcli_enroll *enroll;
2e5ed6
+	adcli_result res;
2e5ed6
+	krb5_context k5;
2e5ed6
+	size_t c;
2e5ed6
+
2e5ed6
+	conn = adcli_conn_new ("test.dom");
2e5ed6
+	assert_ptr_not_null (conn);
2e5ed6
+
2e5ed6
+	enroll = adcli_enroll_new (conn);
2e5ed6
+	assert_ptr_not_null (enroll);
2e5ed6
+
2e5ed6
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
2e5ed6
+	assert_ptr_eq (enctypes, NULL);
2e5ed6
+
2e5ed6
+	/* krb5 context missing */
2e5ed6
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
2e5ed6
+	assert_ptr_eq (enctypes, NULL);
2e5ed6
+
2e5ed6
+	/* check that all permitted enctypes can pass */
2e5ed6
+	res = _adcli_krb5_init_context (&k5;;
2e5ed6
+	assert_num_eq (res, ADCLI_SUCCESS);
2e5ed6
+
2e5ed6
+	adcli_conn_set_krb5_context (conn, k5);
2e5ed6
+
2e5ed6
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
2e5ed6
+	assert_num_eq (code, 0);
2e5ed6
+	assert_ptr_not_null (permitted_enctypes);
2e5ed6
+	assert_num_cmp (permitted_enctypes[0], !=, 0);
2e5ed6
+
2e5ed6
+	adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
2e5ed6
+
2e5ed6
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
2e5ed6
+	assert_ptr_not_null (enctypes);
2e5ed6
+	for (c = 0; permitted_enctypes[c] != 0; c++) {
2e5ed6
+		assert_num_eq (enctypes[c], permitted_enctypes[c]);
2e5ed6
+	}
2e5ed6
+	assert_num_eq (enctypes[c], 0);
2e5ed6
+	krb5_free_enctypes (k5, enctypes);
2e5ed6
+
2e5ed6
+	/* check that ENCTYPE_UNKNOWN is filtered out */
2e5ed6
+	check_enctypes[0] = permitted_enctypes[0];
2e5ed6
+	check_enctypes[1] = ENCTYPE_UNKNOWN;
2e5ed6
+	check_enctypes[2] = 0;
2e5ed6
+	adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
2e5ed6
+
2e5ed6
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
2e5ed6
+	assert_ptr_not_null (enctypes);
2e5ed6
+	assert_num_eq (enctypes[0], permitted_enctypes[0]);
2e5ed6
+	assert_num_eq (enctypes[1], 0);
2e5ed6
+	krb5_free_enctypes (k5, enctypes);
2e5ed6
+
2e5ed6
+	krb5_free_enctypes (k5, permitted_enctypes);
2e5ed6
+
2e5ed6
+	adcli_enroll_unref (enroll);
2e5ed6
+	adcli_conn_unref (conn);
2e5ed6
+}
2e5ed6
+
2e5ed6
+int
2e5ed6
+main (int argc,
2e5ed6
+      char *argv[])
2e5ed6
+{
2e5ed6
+	test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
2e5ed6
+	           "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
2e5ed6
+	return test_run (argc, argv);
2e5ed6
+}
2e5ed6
+
2e5ed6
+#endif /* ADENROLL_TESTS */
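Review bot: the test is registered in main under `"/attrs/adcli_enroll_get_permitted_keytab_enctypes"`, which looks copied from the adattrs test file; the path should name this module, `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"`, so test output and any path-based filtering group it with adenroll. As rendered here, `res = _adcli_krb5_init_context (&k5;;` is not valid C; if the committed line really reads this way rather than being a display artifact, it needs to be `res = _adcli_krb5_init_context (&k5);`. The two `krb5_free_enctypes (k5, enctypes);` calls release memory that the function under test obtained from calloc, so this test pins the allocator mismatch into the expected usage; whichever allocator the function settles on, the test should match it. The NULL and missing-context cases are covered well; the positive cases depend on the build host's permitted enctypes, which is acceptable given the `assert_num_cmp (permitted_enctypes[0], !=, 0);` guard.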
2e5ed6
diff --git a/library/adenroll.h b/library/adenroll.h
2e5ed6
index abbbfd4..1d5d00d 100644
2e5ed6
--- a/library/adenroll.h
2e5ed6
+++ b/library/adenroll.h
2e5ed6
@@ -138,6 +138,8 @@ krb5_enctype *     adcli_enroll_get_keytab_enctypes     (adcli_enroll *enroll);
2e5ed6
 void               adcli_enroll_set_keytab_enctypes     (adcli_enroll *enroll,
2e5ed6
                                                          krb5_enctype *enctypes);
2e5ed6
 
2e5ed6
+krb5_enctype *     adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
2e5ed6
+
2e5ed6
 const char *       adcli_enroll_get_os_name             (adcli_enroll *enroll);
2e5ed6
 
2e5ed6
 void               adcli_enroll_set_os_name             (adcli_enroll *enroll,
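Review bot: the new public declaration says nothing about ownership of the returned array or about the NULL return on failure, and unlike the adcli_enroll_get_keytab_enctypes getter it sits next to, the caller has to free the result. The visible neighbouring declarations carry no comments either, so a single line in the same terse style would suffice: `/* Returns a newly allocated, zero-terminated array the caller frees; NULL on error. */` placed above the declaration.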
2e5ed6
-- 
2e5ed6
2.21.0