File 0035-handle-encryption-types.patch of Package adcli.22052
From 2057c2fccabefcc682cbd94a374595b0aa69a7e1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 13:08:52 +0200
Subject: [PATCH 1/6] Fix for issues found by Coverity
(cherry picked from commit 3c93c96eb6ea2abd3869921ee4c89e1a4d9e4c44)
---
library/adenroll.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 5b35c9a..58362c2 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1564,7 +1564,7 @@ load_host_keytab (adcli_enroll *enroll)
}
krb5_free_context (k5);
- return ADCLI_SUCCESS;
+ return res;
}
typedef struct {
@@ -1745,12 +1745,12 @@ add_principal_to_keytab (adcli_enroll *enroll,
enroll->kvno, &password, enctypes, &salts[*which_salt]);
free_principal_salts (k5, salts);
+ }
- if (code != 0) {
- _adcli_err ("Couldn't add keytab entries: %s: %s",
- enroll->keytab_name, krb5_get_error_message (k5, code));
- return ADCLI_ERR_FAIL;
- }
+ if (code != 0) {
+ _adcli_err ("Couldn't add keytab entries: %s: %s",
+ enroll->keytab_name, krb5_get_error_message (k5, code));
+ return ADCLI_ERR_FAIL;
}
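Review bot: The string returned by `krb5_get_error_message (k5, code)` on the new side of this hunk is never released, so every failed keytab write leaks it; libkrb5 expects the caller to pass it back to `krb5_free_error_message`. I would hold it in a local and free it after logging: `const char *msg = krb5_get_error_message (k5, code);` / `_adcli_err ("Couldn't add keytab entries: %s: %s", enroll->keytab_name, msg);` / `krb5_free_error_message (k5, msg);`. Moving the check out of the `else` block looks right, but it now also assumes `code` is set on the other branch, which starts outside the hunk, as does add_principal_to_keytab itself.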
--
2.30.2
From 6d3eee7f75436b261131c1af9c7030d4dfdd03b9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 20 Dec 2018 21:05:35 +0100
Subject: [PATCH 2/6] adenroll: make sure only allowed enctypes are used in
FIPS mode
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355
(cherry picked from commit 341974aae7d0755fc32a0b7e2b34d8e1ef60d195)
---
library/adenroll.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 58362c2..6edf913 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -41,11 +41,19 @@
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
+#include <sys/stat.h>
+#include <fcntl.h>
#ifndef SAMBA_DATA_TOOL
#define SAMBA_DATA_TOOL "/usr/bin/net"
#endif
+static krb5_enctype v60_later_enctypes_fips[] = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ 0
+};
+
static krb5_enctype v60_later_enctypes[] = {
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
@@ -2513,6 +2521,28 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll,
enroll->keytab_name_is_krb5 = 0;
}
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
+static bool adcli_fips_enabled (void)
+{
+ int fd;
+ ssize_t len;
+ char buf[8];
+
+ fd = open (PROC_SYS_FIPS, O_RDONLY);
+ if (fd != -1) {
+ len = read (fd, buf, sizeof (buf));
+ close (fd);
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a
+ * non-0 value. */
+ if ( ! (len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
krb5_enctype *
adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
{
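Review bot: A failed `read` (len == -1), an interrupted one, or an empty read all fall through the `!(len == 2 && ...)` test in adcli_fips_enabled and silently report FIPS as enabled. Failing closed is the right direction here, since it only narrows the enctype list to the AES entries, but it should be explicit and logged rather than an accident of the comparison, and the descriptor should be opened with `O_CLOEXEC` so it cannot leak into helper processes. A missing file (open fails) still means "not FIPS", which matches what a non-Linux or pre-FIPS kernel would present. The comment also reads "FIPS in enabled"; it should say "FIPS is enabled".
```c
fd = open (PROC_SYS_FIPS, O_RDONLY | O_CLOEXEC);
if (fd != -1) {
	len = read (fd, buf, sizeof (buf));
	close (fd);
	if (len < 0) {
		/* Fail closed: if the flag cannot be read, only offer the FIPS enctypes. */
		_adcli_warn ("Couldn't read %s, assuming FIPS mode is enabled", PROC_SYS_FIPS);
		return true;
	}
	/* … unchanged: "0\n" means disabled, any other content means enabled … */
}
```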
@@ -2521,7 +2551,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
return enroll->keytab_enctypes;
if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID))
- return v60_later_enctypes;
+ if (adcli_fips_enabled ()) {
+ return v60_later_enctypes_fips;
+ } else {
+ return v60_later_enctypes;
+ }
else
return v51_earlier_enctypes;
}
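Review bot: The outer `if (adcli_conn_server_has_capability (...))` has no braces around a nested braced `if`/`else`, so the trailing `else` only binds to the outer `if` because the inner statement is fully braced; that is correct today but is exactly the shape that breaks silently when someone edits the inner branch. I would brace the outer statement: `if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID)) {` ... `} else {` ... `}`. Separately, the FIPS restriction is applied only to the V60 branch: on a pre-2008 server `v51_earlier_enctypes` is returned unchanged even when adcli_fips_enabled() is true, so if that table (not visible here) holds non-FIPS types, a FIPS host would still try to create such keys; the later permitted-enctype filtering may cover this, but it is worth a comment or an explicit FIPS table for that branch too.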
--
2.30.2
From c054cfdda348c1b86d7f35c543807b9f94984445 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:23:47 +0200
Subject: [PATCH 3/6] adconn: add adcli_conn_set_krb5_context
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
(cherry picked from commit 2fc259a88be618871cea8ff8b8a13bd3e040aea4)
---
library/adconn.c | 13 +++++++++++++
library/adconn.h | 3 +++
2 files changed, 16 insertions(+)
diff --git a/library/adconn.c b/library/adconn.c
index 8a55776..7bab852 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -1480,6 +1480,19 @@ adcli_conn_get_krb5_context (adcli_conn *conn)
return conn->k5;
}
+void
+adcli_conn_set_krb5_context (adcli_conn *conn,
+ krb5_context k5)
+{
+ return_if_fail (conn != NULL);
+
+ if (conn->k5 != NULL) {
+ krb5_free_context (conn->k5);
+ }
+
+ conn->k5 = k5;
+}
+
const char *
adcli_conn_get_login_user (adcli_conn *conn)
{
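Review bot: adcli_conn_set_krb5_context frees `conn->k5` before assigning, so calling it with the context the connection already holds (`k5 == conn->k5`) frees it and then stores the dangling pointer. A one-line guard avoids that: `if (conn->k5 != NULL && conn->k5 != k5) {`. The free also shows the connection taking ownership of the passed-in context, which callers need to know (the test in a later patch passes a context it never frees, presumably for this reason); please say so in the header comment.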
diff --git a/library/adconn.h b/library/adconn.h
index 3e287b1..1d5faa8 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -101,6 +101,9 @@ LDAP * adcli_conn_get_ldap_connection (adcli_conn *conn);
krb5_context adcli_conn_get_krb5_context (adcli_conn *conn);
+void adcli_conn_set_krb5_context (adcli_conn *conn,
+ krb5_context k5);
+
const char * adcli_conn_get_computer_name (adcli_conn *conn);
void adcli_conn_set_computer_name (adcli_conn *conn,
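Review bot: The new declaration carries no ownership note, yet the implementation frees the previously held context and keeps the new one, so a caller that frees `k5` itself after this call would cause a double free. I would add above the prototype: `/* Replaces the connection's krb5_context; any existing context is freed and the connection takes ownership of k5. Do not free k5 or pass the context already held by conn. */`.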
--
2.30.2
From 90ba606b8d38492982cde1cbee08af32b7fa32a1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 4/6] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
with tests
The new call does not only return the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
(cherry picked from commit 0c09070e8beec734e3f0c70e14b0a04788077b73)
---
library/Makefile.am | 5 ++
library/adenroll.c | 124 ++++++++++++++++++++++++++++++++++++++++++++
library/adenroll.h | 2 +
3 files changed, 131 insertions(+)
diff --git a/library/Makefile.am b/library/Makefile.am
index 39e8fd1..4829555 100644
--- a/library/Makefile.am
+++ b/library/Makefile.am
@@ -40,6 +40,7 @@ check_PROGRAMS = \
test-util \
test-ldap \
test-attrs \
+ test-adenroll \
$(NULL)
test_seq_SOURCES = seq.c test.c test.h
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
test_attrs_CFLAGS = -DATTRS_TESTS
test_attrs_LDADD = $(test_ldap_LDADD)
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
+test_adenroll_CFLAGS = -DADENROLL_TESTS
+test_adenroll_LDADD = $(KRB5_LIBS)
+
TESTS = $(check_PROGRAMS)
MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
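Review bot: `test_adenroll_LDADD` links only `$(KRB5_LIBS)`, while the sibling target just above it uses `$(test_ldap_LDADD)`; adenroll.c does contain LDAP calls (a later hunk in this series shows `LDAP *ldap;` in calculate_enctypes), so unless `$(KRB5_LIBS)` transitively pulls in the LDAP library the link may depend on the toolchain. If that is the case, `test_adenroll_LDADD = $(test_ldap_LDADD) $(KRB5_LIBS)` would be the safer line; I cannot see what `test_ldap_LDADD` expands to from here.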
diff --git a/library/adenroll.c b/library/adenroll.c
index 6edf913..31cc53c 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2560,6 +2560,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
return v51_earlier_enctypes;
}
+krb5_enctype *
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+{
+ krb5_enctype *cur_enctypes;
+ krb5_enctype *permitted_enctypes;
+ krb5_enctype *new_enctypes;
+ krb5_error_code code;
+ krb5_context k5;
+ size_t c;
+ size_t p;
+ size_t n;
+
+ return_val_if_fail (enroll != NULL, NULL);
+ cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+
+ k5 = adcli_conn_get_krb5_context (enroll->conn);
+ return_val_if_fail (k5 != NULL, NULL);
+
+ code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+ return_val_if_fail (code == 0, NULL);
+
+ for (c = 0; cur_enctypes[c] != 0; c++);
+
+ new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+ return_val_if_fail (new_enctypes != NULL, NULL);
+
+ n = 0;
+ for (c = 0; cur_enctypes[c] != 0; c++) {
+ for (p = 0; permitted_enctypes[p] != 0; p++) {
+ if (cur_enctypes[c] == permitted_enctypes[p]) {
+ new_enctypes[n++] = cur_enctypes[c];
+ break;
+ }
+ }
+ if (permitted_enctypes[p] == 0) {
+ _adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
+ }
+ }
+
+ krb5_free_enctypes (k5, permitted_enctypes);
+
+ return new_enctypes;
+}
+
void
adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
krb5_enctype *value)
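Review bot: When every entry of `cur_enctypes` is filtered out, adcli_enroll_get_permitted_keytab_enctypes returns a non-NULL array whose first element is 0, so a caller checking only for NULL will proceed with an empty list; given this function decides which keys land in the keytab, an empty result should be an error, e.g. before the return: `if (n == 0) { _adcli_warn ("No permitted encryption type found."); free (new_enctypes); new_enctypes = NULL; }`. The array is also allocated with `calloc` but released by the test below with `krb5_free_enctypes`; that works with MIT krb5's allocator on glibc, but it is an allocator mismatch, so either document that the result is freed with `free()` or keep the two consistent. The `_adcli_info` at the end of the inner loop is only reached when the scan ran off the end, which is correct but easy to misread; a short comment there would help.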
@@ -2752,3 +2796,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
strdup (value), NULL);
return_if_fail (enroll->service_principals_to_remove != NULL);
}
+
+#ifdef ADENROLL_TESTS
+
+#include "test.h"
+
+static void
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
+{
+ krb5_enctype *enctypes;
+ krb5_error_code code;
+ krb5_enctype *permitted_enctypes;
+ krb5_enctype check_enctypes[3] = { 0 };
+ adcli_conn *conn;
+ adcli_enroll *enroll;
+ adcli_result res;
+ krb5_context k5;
+ size_t c;
+
+ conn = adcli_conn_new ("test.dom");
+ assert_ptr_not_null (conn);
+
+ enroll = adcli_enroll_new (conn);
+ assert_ptr_not_null (enroll);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
+ assert_ptr_eq (enctypes, NULL);
+
+ /* krb5 context missing */
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_eq (enctypes, NULL);
+
+ /* check that all permitted enctypes can pass */
+ res = _adcli_krb5_init_context (&k5);
+ assert_num_eq (res, ADCLI_SUCCESS);
+
+ adcli_conn_set_krb5_context (conn, k5);
+
+ code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+ assert_num_eq (code, 0);
+ assert_ptr_not_null (permitted_enctypes);
+ assert_num_cmp (permitted_enctypes[0], !=, 0);
+
+ adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_not_null (enctypes);
+ for (c = 0; permitted_enctypes[c] != 0; c++) {
+ assert_num_eq (enctypes[c], permitted_enctypes[c]);
+ }
+ assert_num_eq (enctypes[c], 0);
+ krb5_free_enctypes (k5, enctypes);
+
+ /* check that ENCTYPE_UNKNOWN is filtered out */
+ check_enctypes[0] = permitted_enctypes[0];
+ check_enctypes[1] = ENCTYPE_UNKNOWN;
+ check_enctypes[2] = 0;
+ adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_not_null (enctypes);
+ assert_num_eq (enctypes[0], permitted_enctypes[0]);
+ assert_num_eq (enctypes[1], 0);
+ krb5_free_enctypes (k5, enctypes);
+
+ krb5_free_enctypes (k5, permitted_enctypes);
+
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+}
+
+int
+main (int argc,
+ char *argv[])
+{
+ test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
+ "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
+ return test_run (argc, argv);
+}
+
+#endif /* ADENROLL_TESTS */
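Review bot: The test is registered under `"/attrs/adcli_enroll_get_permitted_keytab_enctypes"`, which looks copied from test-attrs and will group this test under the wrong prefix in the runner; it should be `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"`. The test also frees the `calloc`'d result with `krb5_free_enctypes`, mirroring the allocator mismatch in the function under test, so whichever way that is settled the test should follow. The "krb5 context missing" case relies on `return_val_if_fail` inside the function returning NULL quietly; if that macro logs a critical message, the test run will carry that noise by design and a comment saying so would avoid confusion.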
diff --git a/library/adenroll.h b/library/adenroll.h
index abbbfd4..1d5d00d 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -138,6 +138,8 @@ krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll);
void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
krb5_enctype *enctypes);
+krb5_enctype * adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
+
const char * adcli_enroll_get_os_name (adcli_enroll *enroll);
void adcli_enroll_set_os_name (adcli_enroll *enroll,
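Review bot: The new prototype does not say that the returned array is heap-allocated and owned by the caller, unlike adcli_enroll_get_keytab_enctypes just above it, which returns a pointer the caller must not free; that asymmetry is exactly what leads to a leak or a double free. I would add above it: `/* Returns a newly allocated, 0-terminated copy of the keytab enctypes filtered by the enctypes permitted in the client's krb5 configuration, or NULL on error. The caller frees the array. */`.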
--
2.30.2
From ecae701599badb68c72da7430483cd12c25169d2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 18:27:49 +0200
Subject: [PATCH 5/6] adenroll: use only enctypes permitted by Kerberos config
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
(cherry picked from commit cc3ef52884a48863a81acbfc741735fe09cd85f7)
---
doc/adcli.xml | 10 ++++++++++
library/adenroll.c | 22 +++++++++++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 154df07..6bd5697 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -366,6 +366,11 @@ Password for Administrator:
</varlistentry>
</variablelist>
+ <para>If supported on the AD side the
+ <option>msDS-supportedEncryptionTypes</option> attribute will be set as
+ well. Either the current value or the default list of AD's supported
+ encryption types filtered by the permitted encryption types of the
+ client's Kerberos configuration are written.</para>
</refsect1>
<refsect1 id='updating'>
@@ -499,6 +504,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
</varlistentry>
</variablelist>
+ <para>If supported on the AD side the
+ <option>msDS-supportedEncryptionTypes</option> attribute will be set as
+ well. Either the current value or the default list of AD's supported
+ encryption types filtered by the permitted encryption types of the
+ client's Kerberos configuration are written.</para>
</refsect1>
<refsect1 id='testjoin'>
diff --git a/library/adenroll.c b/library/adenroll.c
index 31cc53c..ea415ba 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -599,6 +599,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
{
char *value = NULL;
krb5_enctype *read_enctypes;
+ krb5_enctype *new_enctypes;
char *new_value = NULL;
int is_2008_or_later;
LDAP *ldap;
@@ -645,7 +646,14 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
}
- new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
+ new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ if (new_enctypes == NULL) {
+ _adcli_warn ("No permitted encryption type found.");
+ return ADCLI_ERR_UNEXPECTED;
+ }
+
+ new_value = _adcli_krb5_format_enctypes (new_enctypes);
+ krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes);
if (new_value == NULL) {
free (value);
_adcli_warn ("The encryption types desired are not available in active directory");
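Review bot: The new early return when `new_enctypes == NULL` leaks `value`, which was already allocated a few lines above (the `_adcli_krb5_format_enctypes (v51_earlier_enctypes)` assignment is visible in this hunk and the other error path frees it). Add `free (value);` before `return ADCLI_ERR_UNEXPECTED;`. Note also that an all-filtered list is not NULL, so this check only fires on allocation or krb5 failures; whether an empty list reaches `_adcli_krb5_format_enctypes` and is reported usefully depends on that helper, which is outside the hunk, as is the start of calculate_enctypes.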
@@ -1718,7 +1726,11 @@ add_principal_to_keytab (adcli_enroll *enroll,
enroll->keytab_name);
}
- enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ if (enctypes == NULL) {
+ _adcli_warn ("No permitted encryption type found.");
+ return ADCLI_ERR_UNEXPECTED;
+ }
if (flags & ADCLI_ENROLL_PASSWORD_VALID) {
code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal,
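Review bot: The NULL check after `adcli_enroll_get_permitted_keytab_enctypes` does not catch the case where every enctype was filtered out, which comes back as a non-NULL array starting with 0; if the keytab helpers below simply write nothing for an empty list and return 0, the join would report success with no usable keys in the keytab. I would reject that case here as well: `if (enctypes[0] == 0) {` / `_adcli_warn ("No permitted encryption type found."); krb5_free_enctypes (k5, enctypes);` / `return ADCLI_ERR_UNEXPECTED; }`. The helpers and the rest of add_principal_to_keytab lie outside this hunk, so whether an empty list is already rejected there I cannot confirm.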
@@ -1734,7 +1746,10 @@ add_principal_to_keytab (adcli_enroll *enroll,
*/
salts = build_principal_salts (enroll, k5, principal);
- return_unexpected_if_fail (salts != NULL);
+ if (salts == NULL) {
+ krb5_free_enctypes (k5, enctypes);
+ return ADCLI_ERR_UNEXPECTED;
+ }
if (*which_salt < 0) {
code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password,
@@ -1754,6 +1769,7 @@ add_principal_to_keytab (adcli_enroll *enroll,
free_principal_salts (k5, salts);
}
+ krb5_free_enctypes (k5, enctypes);
if (code != 0) {
_adcli_err ("Couldn't add keytab entries: %s: %s",
--
2.30.2
From ef0dda68e59d4d46664ddb394cd39489cf98e1c9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 12 Aug 2019 17:28:20 +0200
Subject: [PATCH 6/6] Fix for issue found by Coverity
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
(cherry picked from commit 5da6d34e2659f915e830932fd366c635801ecd91)
---
library/adenroll.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index ea415ba..e72972d 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2600,7 +2600,10 @@ adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
for (c = 0; cur_enctypes[c] != 0; c++);
new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
- return_val_if_fail (new_enctypes != NULL, NULL);
+ if (new_enctypes == NULL) {
+ krb5_free_enctypes (k5, permitted_enctypes);
+ return NULL;
+ }
n = 0;
for (c = 0; cur_enctypes[c] != 0; c++) {
--
2.30.2