File 0035-handle-encryption-types.patch of Package adcli.19060
From 2057c2fccabefcc682cbd94a374595b0aa69a7e1 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Tue, 14 Aug 2018 13:08:52 +0200 Subject: [PATCH 1/6] Fix for issues found by Coverity (cherry picked from commit 3c93c96eb6ea2abd3869921ee4c89e1a4d9e4c44) --- library/adenroll.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/library/adenroll.c b/library/adenroll.c index 5b35c9a..58362c2 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -1564,7 +1564,7 @@ load_host_keytab (adcli_enroll *enroll) } krb5_free_context (k5); - return ADCLI_SUCCESS; + return res; } typedef struct { @@ -1745,12 +1745,12 @@ add_principal_to_keytab (adcli_enroll *enroll, enroll->kvno, &password, enctypes, &salts[*which_salt]); free_principal_salts (k5, salts); + } - if (code != 0) { - _adcli_err ("Couldn't add keytab entries: %s: %s", - enroll->keytab_name, krb5_get_error_message (k5, code)); - return ADCLI_ERR_FAIL; - } + if (code != 0) { + _adcli_err ("Couldn't add keytab entries: %s: %s", + enroll->keytab_name, krb5_get_error_message (k5, code)); + return ADCLI_ERR_FAIL; } -- 2.30.2 From 6d3eee7f75436b261131c1af9c7030d4dfdd03b9 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Thu, 20 Dec 2018 21:05:35 +0100 Subject: [PATCH 2/6] adenroll: make sure only allowed enctypes are used in FIPS mode Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355 (cherry picked from commit 341974aae7d0755fc32a0b7e2b34d8e1ef60d195) --- library/adenroll.c | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/library/adenroll.c b/library/adenroll.c index 58362c2..6edf913 100644 --- a/library/adenroll.c +++ b/library/adenroll.c 
@@ -41,11 +41,19 @@ #include <netdb.h> #include <stdio.h> #include <unistd.h> +#include <sys/stat.h> +#include <fcntl.h> #ifndef SAMBA_DATA_TOOL #define SAMBA_DATA_TOOL "/usr/bin/net" #endif +static krb5_enctype v60_later_enctypes_fips[] = { + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + 0 +}; + static krb5_enctype v60_later_enctypes[] = { ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96, @@ -2513,6 +2521,28 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll, enroll->keytab_name_is_krb5 = 0; } +#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled" + +static bool adcli_fips_enabled (void) +{ + int fd; + ssize_t len; + char buf[8]; + + fd = open (PROC_SYS_FIPS, O_RDONLY); + if (fd != -1) { + len = read (fd, buf, sizeof (buf)); + close (fd); + /* Assume FIPS in enabled if PROC_SYS_FIPS contains a + * non-0 value. */ + if ( ! (len == 2 && buf[0] == '0' && buf[1] == '\n')) { + return true; + } + } + + return false; +} + krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll) { @@ -2521,7 +2551,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll) return enroll->keytab_enctypes; if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID)) - return v60_later_enctypes; + if (adcli_fips_enabled ()) { + return v60_later_enctypes_fips; + } else { + return v60_later_enctypes; + } else return v51_earlier_enctypes; } -- 2.30.2 From c054cfdda348c1b86d7f35c543807b9f94984445 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Thu, 13 Jun 2019 17:23:47 +0200 Subject: [PATCH 3/6] adconn: add adcli_conn_set_krb5_context Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3 (cherry picked from commit 2fc259a88be618871cea8ff8b8a13bd3e040aea4) --- library/adconn.c | 13 +++++++++++++ library/adconn.h | 3 +++ 2 files changed, 16 insertions(+) diff --git a/library/adconn.c b/library/adconn.c index 8a55776..7bab852 100644 --- a/library/adconn.c +++ b/library/adconn.c 
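Review bot: In adcli_fips_enabled the read() result is only compared against the exact two bytes `0\n`, so a failed read (len == -1), an empty file, or a bare `0` with no trailing newline all land in the "FIPS enabled" branch, while the comment only describes the non-0-content case. If failing closed on a read error is intended, say so: `/* A failed or empty read is treated as FIPS enabled (fail closed). */`; if it is not, reject it first with `if (len <= 0) { return false; }` before the content check. Either way the decision should be explicit, because it silently selects which enctype list is written to the keytab and, per the later doc hunks, to msDS-supportedEncryptionTypes. PROC_SYS_FIPS is a Linux procfs path, presumably fine for adcli, but worth a one-line comment on the define.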
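Review bot: The new `if (adcli_fips_enabled ()) { ... } else { ... }` is nested inside an unbraced `if (adcli_conn_server_has_capability (...))` whose own `else return v51_earlier_enctypes;` follows it, so the correct binding of that trailing else now depends on the inner if/else being fully braced — a dangling-else shape that is easy to break on the next edit. Brace the outer branch and use early returns so each list has exactly one exit. The function's opening lines are outside this hunk.
```c
	/* … unchanged: explicit keytab_enctypes override returned first … */
	if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID)) {
		if (adcli_fips_enabled ())
			return v60_later_enctypes_fips;
		return v60_later_enctypes;
	}
	return v51_earlier_enctypes;
```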
@@ -1480,6 +1480,19 @@ adcli_conn_get_krb5_context (adcli_conn *conn) return conn->k5; } +void +adcli_conn_set_krb5_context (adcli_conn *conn, + krb5_context k5) +{ + return_if_fail (conn != NULL); + + if (conn->k5 != NULL) { + krb5_free_context (conn->k5); + } + + conn->k5 = k5; +} + const char * adcli_conn_get_login_user (adcli_conn *conn) { diff --git a/library/adconn.h b/library/adconn.h index 3e287b1..1d5faa8 100644 --- a/library/adconn.h +++ b/library/adconn.h @@ -101,6 +101,9 @@ LDAP * adcli_conn_get_ldap_connection (adcli_conn *conn); krb5_context adcli_conn_get_krb5_context (adcli_conn *conn); +void adcli_conn_set_krb5_context (adcli_conn *conn, + krb5_context k5); + const char * adcli_conn_get_computer_name (adcli_conn *conn); void adcli_conn_set_computer_name (adcli_conn *conn, -- 2.30.2 From 90ba606b8d38492982cde1cbee08af32b7fa32a1 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Thu, 13 Jun 2019 17:25:52 +0200 Subject: [PATCH 4/6] adenroll: add adcli_enroll_get_permitted_keytab_enctypes with tests The new call does not only return the current encryption types set in AD or a default list but filters them with the list of permitted encryption types on the client. This makes sure the client can create and use the keys. Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3 (cherry picked from commit 0c09070e8beec734e3f0c70e14b0a04788077b73) --- library/Makefile.am | 5 ++ library/adenroll.c | 124 ++++++++++++++++++++++++++++++++++++++++++++ library/adenroll.h | 2 + 3 files changed, 131 insertions(+) diff --git a/library/Makefile.am b/library/Makefile.am index 39e8fd1..4829555 100644 --- a/library/Makefile.am +++ b/library/Makefile.am @@ -40,6 +40,7 @@ check_PROGRAMS = \ test-util \ test-ldap \ test-attrs \ + test-adenroll \ $(NULL) test_seq_SOURCES = seq.c test.c test.h 
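Review bot: adcli_conn_set_krb5_context frees conn->k5 unconditionally before storing k5, so calling it with the context the connection already holds (k5 == conn->k5) frees that context and then stores the dangling pointer; add `if (conn->k5 == k5) return;` ahead of the krb5_free_context call. The function also transfers ownership of k5 to the connection — presumably adcli_conn_unref frees it, which is outside this hunk — and that contract should be stated on the declaration in adconn.h, e.g. `/* Replaces the connection's krb5 context; conn takes ownership of k5 and frees any previous context. */`. Anything in conn derived from the old context (a ccache or principal, if such fields exist) would also dangle after the swap; I cannot see those fields here, so the comment should say the context may only be set before the connection is used.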
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES) test_attrs_CFLAGS = -DATTRS_TESTS test_attrs_LDADD = $(test_ldap_LDADD) +test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES) +test_adenroll_CFLAGS = -DADENROLL_TESTS +test_adenroll_LDADD = $(KRB5_LIBS) + TESTS = $(check_PROGRAMS) MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes diff --git a/library/adenroll.c b/library/adenroll.c index 6edf913..31cc53c 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -2560,6 +2560,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll) return v51_earlier_enctypes; } +krb5_enctype * +adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll) +{ + krb5_enctype *cur_enctypes; + krb5_enctype *permitted_enctypes; + krb5_enctype *new_enctypes; + krb5_error_code code; + krb5_context k5; + size_t c; + size_t p; + size_t n; + + return_val_if_fail (enroll != NULL, NULL); + cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll); + + k5 = adcli_conn_get_krb5_context (enroll->conn); + return_val_if_fail (k5 != NULL, NULL); + + code = krb5_get_permitted_enctypes (k5, &permitted_enctypes); + return_val_if_fail (code == 0, NULL); + + for (c = 0; cur_enctypes[c] != 0; c++); + + new_enctypes = calloc (c + 1, sizeof (krb5_enctype)); + return_val_if_fail (new_enctypes != NULL, NULL); + + n = 0; + for (c = 0; cur_enctypes[c] != 0; c++) { + for (p = 0; permitted_enctypes[p] != 0; p++) { + if (cur_enctypes[c] == permitted_enctypes[p]) { + new_enctypes[n++] = cur_enctypes[c]; + break; + } + } + if (permitted_enctypes[p] == 0) { + _adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]); + } + } + + krb5_free_enctypes (k5, permitted_enctypes); + + return new_enctypes; +} + void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll, krb5_enctype *value) 
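Review bot: When every configured enctype is filtered out, adcli_enroll_get_permitted_keytab_enctypes returns a calloc'd array holding only the 0 terminator rather than NULL, so the NULL checks its callers use (the later patch logs "No permitted encryption type found." only on NULL) never fire for that case and an empty list flows into keytab creation and the msDS-supportedEncryptionTypes value. Return NULL for an empty result, freeing the array first, so the existing caller checks mean what their message says. The array is allocated with calloc but released by callers with krb5_free_enctypes — a plain free() in MIT krb5, but the pairing should be documented on the function (`/* Returned array is heap-allocated; release it with krb5_free_enctypes. */`) so a different krb5 implementation does not turn it into an allocator mismatch.
```c
	krb5_free_enctypes (k5, permitted_enctypes);

	/* An empty list is reported as NULL so callers can treat it as "no usable enctype". */
	if (n == 0) {
		_adcli_warn ("No permitted encryption type found.");
		free (new_enctypes);
		return NULL;
	}

	return new_enctypes;
```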
@@ -2752,3 +2796,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll, strdup (value), NULL); return_if_fail (enroll->service_principals_to_remove != NULL); } + +#ifdef ADENROLL_TESTS + +#include "test.h" + +static void +test_adcli_enroll_get_permitted_keytab_enctypes (void) +{ + krb5_enctype *enctypes; + krb5_error_code code; + krb5_enctype *permitted_enctypes; + krb5_enctype check_enctypes[3] = { 0 }; + adcli_conn *conn; + adcli_enroll *enroll; + adcli_result res; + krb5_context k5; + size_t c; + + conn = adcli_conn_new ("test.dom"); + assert_ptr_not_null (conn); + + enroll = adcli_enroll_new (conn); + assert_ptr_not_null (enroll); + + enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL); + assert_ptr_eq (enctypes, NULL); + + /* krb5 context missing */ + enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); + assert_ptr_eq (enctypes, NULL); + + /* check that all permitted enctypes can pass */ + res = _adcli_krb5_init_context (&k5); + assert_num_eq (res, ADCLI_SUCCESS); + + adcli_conn_set_krb5_context (conn, k5); + + code = krb5_get_permitted_enctypes (k5, &permitted_enctypes); + assert_num_eq (code, 0); + assert_ptr_not_null (permitted_enctypes); + assert_num_cmp (permitted_enctypes[0], !=, 0); + + adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes); + + enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); + assert_ptr_not_null (enctypes); + for (c = 0; permitted_enctypes[c] != 0; c++) { + assert_num_eq (enctypes[c], permitted_enctypes[c]); + } + assert_num_eq (enctypes[c], 0); + krb5_free_enctypes (k5, enctypes); + + /* check that ENCTYPE_UNKNOWN is filtered out */ + check_enctypes[0] = permitted_enctypes[0]; + check_enctypes[1] = ENCTYPE_UNKNOWN; + check_enctypes[2] = 0; + adcli_enroll_set_keytab_enctypes (enroll, check_enctypes); + + enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); + assert_ptr_not_null (enctypes); + assert_num_eq (enctypes[0], permitted_enctypes[0]); + assert_num_eq 
(enctypes[1], 0); + krb5_free_enctypes (k5, enctypes); + + krb5_free_enctypes (k5, permitted_enctypes); + + adcli_enroll_unref (enroll); + adcli_conn_unref (conn); +} + +int +main (int argc, + char *argv[]) +{ + test_func (test_adcli_enroll_get_permitted_keytab_enctypes, + "/attrs/adcli_enroll_get_permitted_keytab_enctypes"); + return test_run (argc, argv); +} + +#endif /* ADENROLL_TESTS */ diff --git a/library/adenroll.h b/library/adenroll.h index abbbfd4..1d5d00d 100644 --- a/library/adenroll.h +++ b/library/adenroll.h @@ -138,6 +138,8 @@ krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll); void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll, krb5_enctype *enctypes); +krb5_enctype * adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll); + const char * adcli_enroll_get_os_name (adcli_enroll *enroll); void adcli_enroll_set_os_name (adcli_enroll *enroll, -- 2.30.2 From ecae701599badb68c72da7430483cd12c25169d2 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Thu, 13 Jun 2019 18:27:49 +0200 Subject: [PATCH 5/6] adenroll: use only enctypes permitted by Kerberos config Realted to https://gitlab.freedesktop.org/realmd/adcli/issues/3 (cherry picked from commit cc3ef52884a48863a81acbfc741735fe09cd85f7) --- doc/adcli.xml | 10 ++++++++++ library/adenroll.c | 22 +++++++++++++++++++--- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/doc/adcli.xml b/doc/adcli.xml index 154df07..6bd5697 100644 --- a/doc/adcli.xml +++ b/doc/adcli.xml @@ -366,6 +366,11 @@ Password for Administrator: </varlistentry> </variablelist> + <para>If supported on the AD side the + <option>msDS-supportedEncryptionTypes</option> attribute will be set as + well. Either the current value or the default list of AD's supported + encryption types filtered by the permitted encryption types of the + client's Kerberos configuration are written.</para> </refsect1> <refsect1 id='updating'> 
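Review bot: The tests cover pass-through and the ENCTYPE_UNKNOWN filter but not the case where every configured enctype is rejected, which is the case that decides whether callers see NULL or a one-element array holding only the terminator; add a case with `check_enctypes[0] = ENCTYPE_UNKNOWN; check_enctypes[1] = 0;` and assert the expected result explicitly. The registered path `"/attrs/adcli_enroll_get_permitted_keytab_enctypes"` looks copied from the adattrs tests and should be `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"`. The stack array check_enctypes is handed to adcli_enroll_set_keytab_enctypes and later released only as the function's own return value, which assumes the setter copies its argument — a one-line comment confirming that would help, since the setter is outside this hunk.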
@@ -499,6 +504,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123 </varlistentry> </variablelist> + <para>If supported on the AD side the + <option>msDS-supportedEncryptionTypes</option> attribute will be set as + well. Either the current value or the default list of AD's supported + encryption types filtered by the permitted encryption types of the + client's Kerberos configuration are written.</para> </refsect1> <refsect1 id='testjoin'> diff --git a/library/adenroll.c b/library/adenroll.c index 31cc53c..ea415ba 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -599,6 +599,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype) { char *value = NULL; krb5_enctype *read_enctypes; + krb5_enctype *new_enctypes; char *new_value = NULL; int is_2008_or_later; LDAP *ldap; @@ -645,7 +646,14 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype) value = _adcli_krb5_format_enctypes (v51_earlier_enctypes); } - new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll)); + new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); + if (new_enctypes == NULL) { + _adcli_warn ("No permitted encryption type found."); + return ADCLI_ERR_UNEXPECTED; + } + + new_value = _adcli_krb5_format_enctypes (new_enctypes); + krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes); if (new_value == NULL) { free (value); _adcli_warn ("The encryption types desired are not available in active directory"); @@ -1718,7 +1726,11 @@ add_principal_to_keytab (adcli_enroll *enroll, enroll->keytab_name); } - enctypes = adcli_enroll_get_keytab_enctypes (enroll); + enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll); + if (enctypes == NULL) { + _adcli_warn ("No permitted encryption type found."); + return ADCLI_ERR_UNEXPECTED; + } if (flags & ADCLI_ENROLL_PASSWORD_VALID) { code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal, 
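Review bot: The new early return on `new_enctypes == NULL` leaks `value`, which the sibling `new_value == NULL` path directly below frees before warning; add `free (value);` before `return ADCLI_ERR_UNEXPECTED;`. The check also does not catch an empty permitted list, since adcli_enroll_get_permitted_keytab_enctypes as written in the previous patch returns a non-NULL array containing only the terminator in that case, so the "No permitted encryption type found." warning never fires unless that function is changed to return NULL; `if (new_enctypes == NULL || new_enctypes[0] == 0)` guards both. calculate_enctypes begins and ends outside this hunk.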
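Review bot: `enctypes` is now a heap array that must be released on every path after this point, but the `_adcli_krb5_keytab_copy_entries` branch and the body up to the `krb5_free_enctypes (k5, enctypes);` added in the following hunks are outside this hunk, so it is worth confirming no other early return remains between the allocation and that free. As in calculate_enctypes, `enctypes == NULL` does not catch an empty list from adcli_enroll_get_permitted_keytab_enctypes; use `if (enctypes == NULL || enctypes[0] == 0)` so a keytab is never written with no keys. add_principal_to_keytab starts before this hunk.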
@@ -1734,7 +1746,10 @@ add_principal_to_keytab (adcli_enroll *enroll, */ salts = build_principal_salts (enroll, k5, principal); - return_unexpected_if_fail (salts != NULL); + if (salts == NULL) { + krb5_free_enctypes (k5, enctypes); + return ADCLI_ERR_UNEXPECTED; + } if (*which_salt < 0) { code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password, @@ -1754,6 +1769,7 @@ add_principal_to_keytab (adcli_enroll *enroll, free_principal_salts (k5, salts); } + krb5_free_enctypes (k5, enctypes); if (code != 0) { _adcli_err ("Couldn't add keytab entries: %s: %s", -- 2.30.2 From ef0dda68e59d4d46664ddb394cd39489cf98e1c9 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Mon, 12 Aug 2019 17:28:20 +0200 Subject: [PATCH 6/6] Fix for issue found by Coverity Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3 (cherry picked from commit 5da6d34e2659f915e830932fd366c635801ecd91) --- library/adenroll.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/adenroll.c b/library/adenroll.c index ea415ba..e72972d 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -2600,7 +2600,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll) for (c = 0; cur_enctypes[c] != 0; c++); new_enctypes = calloc (c + 1, sizeof (krb5_enctype)); - return_val_if_fail (new_enctypes != NULL, NULL); + if (new_enctypes == NULL) { + krb5_free_enctypes (k5, permitted_enctypes); + return NULL; + } n = 0; for (c = 0; cur_enctypes[c] != 0; c++) { -- 2.30.2