From 8d36c3e07a6efc65aadd218c28e2f864db15b7fd Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 6 Jun 2018 16:31:32 +0200 Subject: [PATCH 4/7] Calculate enctypes in a separate function Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354 --- library/adenroll.c | 137 +++++++++++++++++++++++++++++++---------------------- 1 file changed, 81 insertions(+), 56 deletions(-) diff --git a/library/adenroll.c b/library/adenroll.c index 1221e89..1ed94f2 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -542,6 +542,83 @@ calculate_computer_account (adcli_enroll *enroll, return ADCLI_SUCCESS; } +static adcli_result +calculate_enctypes (adcli_enroll *enroll, char **enctype) +{ + char *value = NULL; + krb5_enctype *read_enctypes; + char *new_value = NULL; + int is_2008_or_later; + LDAP *ldap; + + *enctype = NULL; + /* + * Because we're using a keytab we want the server to be aware of the + * encryption types supported on the client, because we can't dynamically + * use a new one that's thrown at us. + * + * If the encryption types are not explicitly set by the caller of this + * library, then see if the account already has some encryption types + * marked on it. + * + * If not, write our default set to the account. + * + * Note that Windows 2003 and earlier have a standard set of encryption + * types, and no msDS-supportedEncryptionTypes attribute. + */ + + ldap = adcli_conn_get_ldap_connection (enroll->conn); + return_unexpected_if_fail (ldap != NULL); + + is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID); + + /* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */ + if (is_2008_or_later) { + value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes, + "msDS-supportedEncryptionTypes"); + + if (!enroll->keytab_enctypes_explicit && value != NULL) { + read_enctypes = _adcli_krb5_parse_enctypes (value); + if (read_enctypes == NULL) { + _adcli_warn ("Invalid or unsupported encryption types are set on " + "the computer account (%s).", value); + } else { + free (enroll->keytab_enctypes); + enroll->keytab_enctypes = read_enctypes; + } + } + + /* In 2003 or earlier, standard set of enc types */ + } else { + value = _adcli_krb5_format_enctypes (v51_earlier_enctypes); + } + + new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll)); + if (new_value == NULL) { + free (value); + _adcli_warn ("The encryption types desired are not available in active directory"); + return ADCLI_ERR_CONFIG; + } + + /* If we already have this value, then don't need to update */ + if (value && strcmp (new_value, value) == 0) { + free (value); + free (new_value); + return ADCLI_SUCCESS; + } + free (value); + + if (!is_2008_or_later) { + free (new_value); + _adcli_warn ("Server does not support setting encryption types"); + return ADCLI_SUCCESS; + } + + *enctype = new_value; + return ADCLI_SUCCESS; +} + + static adcli_result create_computer_account (adcli_enroll *enroll, LDAP *ldap) @@ -1053,75 +1130,23 @@ retrieve_computer_account (adcli_enroll *enroll) static adcli_result update_and_calculate_enctypes (adcli_enroll *enroll) { - char *value = NULL; - krb5_enctype *read_enctypes; char *vals_supportedEncryptionTypes[] = { NULL, NULL }; LDAPMod mod = { LDAP_MOD_REPLACE, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } }; LDAPMod *mods[2] = { &mod, NULL }; - int is_2008_or_later; char *new_value; LDAP *ldap; int ret; - /* - * Because we're using a keytab we want the server to be aware of the - * encryption types supported on the client, because we can't dynamically - * use a new one that's thrown at us. - * - * If the encryption types are not explicitly set by the caller of this - * library, then see if the account already has some encryption types - * marked on it. - * - * If not, write our default set to the account. - * - * Note that Windows 2003 and earlier have a standard set of encryption - * types, and no msDS-supportedEncryptionTypes attribute. - */ - ldap = adcli_conn_get_ldap_connection (enroll->conn); return_unexpected_if_fail (ldap != NULL); - is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID); - - /* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */ - if (is_2008_or_later) { - value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes, - "msDS-supportedEncryptionTypes"); - - if (!enroll->keytab_enctypes_explicit && value != NULL) { - read_enctypes = _adcli_krb5_parse_enctypes (value); - if (read_enctypes == NULL) { - _adcli_warn ("Invalid or unsupported encryption types are set on " - "the computer account (%s).", value); - } else { - free (enroll->keytab_enctypes); - enroll->keytab_enctypes = read_enctypes; - } - } - - /* In 2003 or earlier, standard set of enc types */ - } else { - value = _adcli_krb5_format_enctypes (v51_earlier_enctypes); - } - - new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll)); - if (new_value == NULL) { - free (value); - _adcli_warn ("The encryption types desired are not available in active directory"); - return ADCLI_ERR_CONFIG; - } - - /* If we already have this value, then don't need to update */ - if (value && strcmp (new_value, value) == 0) { - free (value); + ret = calculate_enctypes (enroll, &new_value); + if (ret != ADCLI_SUCCESS) { free (new_value); - return ADCLI_SUCCESS; + return ret; } - free (value); - if (!is_2008_or_later) { - free (new_value); - _adcli_warn ("Server does not support setting encryption types"); + if (new_value == NULL) { return ADCLI_SUCCESS; } -- 2.14.4