
From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 3/4] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
 with tests
The new call not only returns the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
 library/Makefile.am |   5 ++
 library/adenroll.c  | 124 ++++++++++++++++++++++++++++++++++++++++++++
 library/adenroll.h  |   2 +
 3 files changed, 131 insertions(+)
diff --git a/library/Makefile.am b/library/Makefile.am
index 39e8fd1..4829555 100644
--- a/library/Makefile.am
+++ b/library/Makefile.am
@@ -40,6 +40,7 @@ check_PROGRAMS = \
 	test-util \
 	test-ldap \
 	test-attrs \
+	test-adenroll \
 	$(NULL)
 
 test_seq_SOURCES = seq.c test.c test.h
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
 test_attrs_CFLAGS = -DATTRS_TESTS
 test_attrs_LDADD = $(test_ldap_LDADD)
 
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
+test_adenroll_CFLAGS = -DADENROLL_TESTS
+test_adenroll_LDADD = $(KRB5_LIBS)
+
 TESTS = $(check_PROGRAMS)
 
 MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
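Review bot: `test_adenroll_LDADD = $(KRB5_LIBS)` departs from the sibling rule `test_attrs_LDADD = $(test_ldap_LDADD)` even though test_adenroll_SOURCES likewise pulls in $(test_ldap_SOURCES); if those sources reference LDAP symbols, the link step needs whatever test_ldap_LDADD provides. `test_adenroll_LDADD = $(test_ldap_LDADD) $(KRB5_LIBS)` would be the consistent form (or just `$(test_ldap_LDADD)` if that already carries the krb5 libraries). The definition of test_ldap_LDADD is outside this hunk, so this is inferred from the neighbouring rules rather than verified.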
diff --git a/library/adenroll.c b/library/adenroll.c
index f617f28..95c07cd 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
 		return v51_earlier_enctypes;
 }
 
+krb5_enctype *
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+{
+	krb5_enctype *cur_enctypes;
+	krb5_enctype *permitted_enctypes;
+	krb5_enctype *new_enctypes;
+	krb5_error_code code;
+	krb5_context k5;
+	size_t c;
+	size_t p;
+	size_t n;
+
+	return_val_if_fail (enroll != NULL, NULL);
+	cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+
+	k5 = adcli_conn_get_krb5_context (enroll->conn);
+	return_val_if_fail (k5 != NULL, NULL);
+
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+	return_val_if_fail (code == 0, NULL);
+
+	for (c = 0; cur_enctypes[c] != 0; c++);
+
+	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+	return_val_if_fail (new_enctypes != NULL, NULL);
+
+	n = 0;
+	for (c = 0; cur_enctypes[c] != 0; c++) {
+		for (p = 0; permitted_enctypes[p] != 0; p++) {
+			if (cur_enctypes[c] == permitted_enctypes[p]) {
+				new_enctypes[n++] = cur_enctypes[c];
+				break;
+			}
+		}
+		if (permitted_enctypes[p] == 0) {
+			_adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
+		}
+	}
+
+	krb5_free_enctypes (k5, permitted_enctypes);
+
+	return new_enctypes;
+}
+
 void
 adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
                                   krb5_enctype *value)
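Review bot: The calloc failure path at `return_val_if_fail (new_enctypes != NULL, NULL);` returns without releasing permitted_enctypes, which krb5_get_permitted_enctypes allocated a few lines earlier, so that krb5 buffer leaks on out-of-memory; freeing it before the guard keeps the macro's behaviour intact: `if (new_enctypes == NULL)` / `	krb5_free_enctypes (k5, permitted_enctypes);` / `return_val_if_fail (new_enctypes != NULL, NULL);`. The counting loop `for (c = 0; cur_enctypes[c] != 0; c++);` hides its empty body in the trailing semicolon and trips -Wempty-body; `for (c = 0; cur_enctypes[c] != 0; c++) { }` makes the intent visible. That loop also assumes adcli_enroll_get_keytab_enctypes never returns NULL — the context line `return v51_earlier_enctypes;` suggests a default is always handed back, but it is worth confirming, since a NULL here is a crash rather than an empty result. Finally, the returned array is calloc-allocated and neither this hunk nor the new adenroll.h declaration says who frees it or with what; a comment on the declaration such as `/* Returns a newly allocated, zero-terminated array; the caller releases it with free (). */` would settle the ownership contract.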
@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
 							    strdup (value), NULL);
 	return_if_fail (enroll->service_principals_to_remove != NULL);
 }
+
+#ifdef ADENROLL_TESTS
+
+#include "test.h"
+
+static void
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
+{
+	krb5_enctype *enctypes;
+	krb5_error_code code;
+	krb5_enctype *permitted_enctypes;
+	krb5_enctype check_enctypes[3] = { 0 };
+	adcli_conn *conn;
+	adcli_enroll *enroll;
+	adcli_result res;
+	krb5_context k5;
+	size_t c;
+
+	conn = adcli_conn_new ("test.dom");
+	assert_ptr_not_null (conn);
+
+	enroll = adcli_enroll_new (conn);
+	assert_ptr_not_null (enroll);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
+	assert_ptr_eq (enctypes, NULL);
+
+	/* krb5 context missing */
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_eq (enctypes, NULL);
+
+	/* check that all permitted enctypes can pass */
+	res = _adcli_krb5_init_context (&k5;;
+	assert_num_eq (res, ADCLI_SUCCESS);
+
+	adcli_conn_set_krb5_context (conn, k5);
+
+	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+	assert_num_eq (code, 0);
+	assert_ptr_not_null (permitted_enctypes);
+	assert_num_cmp (permitted_enctypes[0], !=, 0);
+
+	adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_not_null (enctypes);
+	for (c = 0; permitted_enctypes[c] != 0; c++) {
+		assert_num_eq (enctypes[c], permitted_enctypes[c]);
+	}
+	assert_num_eq (enctypes[c], 0);
+	krb5_free_enctypes (k5, enctypes);
+
+	/* check that ENCTYPE_UNKNOWN is filtered out */
+	check_enctypes[0] = permitted_enctypes[0];
+	check_enctypes[1] = ENCTYPE_UNKNOWN;
+	check_enctypes[2] = 0;
+	adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
+
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+	assert_ptr_not_null (enctypes);
+	assert_num_eq (enctypes[0], permitted_enctypes[0]);
+	assert_num_eq (enctypes[1], 0);
+	krb5_free_enctypes (k5, enctypes);
+
+	krb5_free_enctypes (k5, permitted_enctypes);
+
+	adcli_enroll_unref (enroll);
+	adcli_conn_unref (conn);
+}
+
+int
+main (int argc,
+      char *argv[])
+{
+	test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
+	           "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
+	return test_run (argc, argv);
+}
+
+#endif /* ADENROLL_TESTS */
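Review bot: The test releases the arrays returned by adcli_enroll_get_permitted_keytab_enctypes with `krb5_free_enctypes (k5, enctypes);` (in both cases), but the function allocates them with calloc, so the test only holds where krb5_free_enctypes is plain free() underneath; `free (enctypes);` matches the allocator actually used and does not tie the new API to that implementation detail. The registration in main uses the path `"/attrs/adcli_enroll_get_permitted_keytab_enctypes"`, which looks carried over from the adattrs test program; `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"` keeps test names consistent with the file under test. The line `res = _adcli_krb5_init_context (&k5;;` as displayed here does not compile and is presumably `(&k5);` mangled by the page rendering — worth checking against the patch file itself.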
diff --git a/library/adenroll.h b/library/adenroll.h
index abbbfd4..1d5d00d 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -138,6 +138,8 @@ krb5_enctype *     adcli_enroll_get_keytab_enctypes     (adcli_enroll *enroll);
 void               adcli_enroll_set_keytab_enctypes     (adcli_enroll *enroll,
                                                          krb5_enctype *enctypes);
 
+krb5_enctype *     adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
+
 const char *       adcli_enroll_get_os_name             (adcli_enroll *enroll);
 
 void               adcli_enroll_set_os_name             (adcli_enroll *enroll,
-- 
2.21.0