From 6a6389fefdc055b5a920e6e4412ff0b7e37ef33a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 17 Nov 2014 21:05:56 -0500
Subject: [PATCH] Fix filtering of enctypes in server code.

The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.

Partial fix for:
https://fedorahosted.org/freeipa/ticket/4718

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
---
 .../ipa-pwd-extop/ipa_pwd_extop.c                  | 60 ++++++++++++++++------
 1 file changed, 43 insertions(+), 17 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index f0346a343188930dfc90e19d2e5d38cb30741b90..b87ae0dc7a180008228f31293b49212df80584e8 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -125,6 +125,48 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg,
     }
 }
 
+static void filter_enctypes(struct ipapwd_krbcfg *krbcfg,
+                            krb5_key_salt_tuple *kenctypes,
+                            int *num_kenctypes)
+{
+    /* first filter for duplicates */
+    for (int i = 0; i + 1 < *num_kenctypes; i++) {
+        for (int j = i + 1; j < *num_kenctypes; j++) {
+            if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) {
+                /* duplicate, filter out */
+                for (int k = j; k + 1 < *num_kenctypes; k++) {
+                    kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
+                    kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
+                }
+                (*num_kenctypes)--;
+                j--;
+            }
+        }
+    }
+
+    /* then filter for supported */
+    for (int i = 0; i < *num_kenctypes; i++) {
+        int j;
+
+        /* Check if supported */
+        for (j = 0; j < krbcfg->num_supp_encsalts; j++) {
+            if (kenctypes[i].ks_enctype ==
+                                    krbcfg->supp_encsalts[j].ks_enctype) {
+                break;
+            }
+        }
+        if (j == krbcfg->num_supp_encsalts) {
+            /* Unsupported, filter out */
+            for (int k = i; k + 1 < *num_kenctypes; k++) {
+                kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype;
+                kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype;
+            }
+            (*num_kenctypes)--;
+            i--;
+        }
+    }
+}
+
 static int ipapwd_to_ldap_pwpolicy_error(int ipapwderr)
 {
     switch (ipapwderr) {
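Review bot: Both passes in `filter_enctypes` compare only `ks_enctype`, so two requested tuples with the same enctype but different salt types are collapsed into the first one, and a tuple passes the supported check whenever its enctype appears in `krbcfg->supp_encsalts`, whatever its `ks_salttype`. If that is intended, say so in a comment above the function, for example `/* Dedup and filter by enctype only; ks_salttype is not matched against supp_encsalts. */`. If the supported list is meant to constrain enctype/salt pairs, the test in the second loop should also compare `ks_salttype`, since otherwise the salt type in the result is whatever the request supplied. Separately, the two element-shifting loops are identical and could be one small static helper, which would keep the two passes from drifting apart.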
@@ -1740,23 +1782,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
             goto free_and_return;
         }
 
-        for (int i = 0; i < num_kenctypes; i++) {
-
-            /* Check if supported */
-            for (int j = 0; j < krbcfg->num_supp_encsalts; j++) {
-                if (kenctypes[i].ks_enctype ==
-                                        krbcfg->supp_encsalts[j].ks_enctype) {
-                    continue;
-                }
-            }
-            /* Unsupported, filter out */
-            for (int j = i; j + 1 < num_kenctypes; j++) {
-                kenctypes[j].ks_enctype = kenctypes[j + 1].ks_enctype;
-                kenctypes[j].ks_salttype = kenctypes[j + 1].ks_salttype;
-            }
-            num_kenctypes--;
-            i--;
-        }
+        filter_enctypes(krbcfg, kenctypes, &num_kenctypes);
 
         /* check if we have any left */
         if (num_kenctypes == 0 && kenctypes != NULL) {
-- 
2.1.0