From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 3/4] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
with tests
The new call not only returns the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
library/Makefile.am | 5 ++
library/adenroll.c | 124 ++++++++++++++++++++++++++++++++++++++++++++
library/adenroll.h | 2 +
3 files changed, 131 insertions(+)
diff --git a/library/Makefile.am b/library/Makefile.am
index 39e8fd1..4829555 100644
--- a/library/Makefile.am
+++ b/library/Makefile.am
@@ -40,6 +40,7 @@ check_PROGRAMS = \
test-util \
test-ldap \
test-attrs \
+ test-adenroll \
$(NULL)
test_seq_SOURCES = seq.c test.c test.h
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
test_attrs_CFLAGS = -DATTRS_TESTS
test_attrs_LDADD = $(test_ldap_LDADD)
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
+test_adenroll_CFLAGS = -DADENROLL_TESTS
+test_adenroll_LDADD = $(KRB5_LIBS)
+
TESTS = $(check_PROGRAMS)
MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
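Review bot: `test_adenroll_LDADD = $(KRB5_LIBS)` departs from the pattern a few lines up, where `test_attrs_LDADD = $(test_ldap_LDADD)` reuses the link line of the LDAP-based tests, even though `test_adenroll_SOURCES` also pulls in `$(test_ldap_SOURCES)`; if those sources reference LDAP symbols the new program will fail to link. `test_adenroll_LDADD = $(test_ldap_LDADD) $(KRB5_LIBS)` (or just `$(test_ldap_LDADD)` if that variable already carries the Kerberos libraries, which is not visible in this hunk) would keep the three test programs consistent.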
diff --git a/library/adenroll.c b/library/adenroll.c
index f617f28..95c07cd 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
return v51_earlier_enctypes;
}
+krb5_enctype *
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+{
+ krb5_enctype *cur_enctypes;
+ krb5_enctype *permitted_enctypes;
+ krb5_enctype *new_enctypes;
+ krb5_error_code code;
+ krb5_context k5;
+ size_t c;
+ size_t p;
+ size_t n;
+
+ return_val_if_fail (enroll != NULL, NULL);
+ cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+
+ k5 = adcli_conn_get_krb5_context (enroll->conn);
+ return_val_if_fail (k5 != NULL, NULL);
+
+ code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+ return_val_if_fail (code == 0, NULL);
+
+ for (c = 0; cur_enctypes[c] != 0; c++);
+
+ new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+ return_val_if_fail (new_enctypes != NULL, NULL);
+
+ n = 0;
+ for (c = 0; cur_enctypes[c] != 0; c++) {
+ for (p = 0; permitted_enctypes[p] != 0; p++) {
+ if (cur_enctypes[c] == permitted_enctypes[p]) {
+ new_enctypes[n++] = cur_enctypes[c];
+ break;
+ }
+ }
+ if (permitted_enctypes[p] == 0) {
+ _adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
+ }
+ }
+
+ krb5_free_enctypes (k5, permitted_enctypes);
+
+ return new_enctypes;
+}
+
void
adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
krb5_enctype *value)
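Review bot: When `calloc` fails at `new_enctypes = calloc (c + 1, sizeof (krb5_enctype))`, the following `return_val_if_fail` returns while `permitted_enctypes`, obtained from `krb5_get_permitted_enctypes` a few lines earlier and released only at the end of the function, is still owned here, so that path leaks it; `if (new_enctypes == NULL) krb5_free_enctypes (k5, permitted_enctypes); return_val_if_fail (new_enctypes != NULL, NULL);` releases it first. The result is allocated with `calloc`, yet the tests in the next hunk release it with `krb5_free_enctypes (k5, enctypes)`, and neither this function nor the declaration added to adenroll.h says who frees the array or how; a comment on the declaration such as `/* Returns a newly allocated, 0-terminated array; the caller frees it with free(). */` would pin the contract, and the tests should then use that call. `cur_enctypes` is dereferenced in the counting loop without a NULL check; the visible tail of `adcli_enroll_get_keytab_enctypes` falls back to `v51_earlier_enctypes`, so this is presumably never NULL, but a one-line comment stating that assumption would help the next reader. When no configured type survives the filter the caller receives an array holding only the terminator and nothing above info level is logged; a `_adcli_warn` in that case would make a keytab that ends up without usable keys easier to diagnose.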
@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
strdup (value), NULL);
return_if_fail (enroll->service_principals_to_remove != NULL);
}
+
+#ifdef ADENROLL_TESTS
+
+#include "test.h"
+
+static void
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
+{
+ krb5_enctype *enctypes;
+ krb5_error_code code;
+ krb5_enctype *permitted_enctypes;
+ krb5_enctype check_enctypes[3] = { 0 };
+ adcli_conn *conn;
+ adcli_enroll *enroll;
+ adcli_result res;
+ krb5_context k5;
+ size_t c;
+
+ conn = adcli_conn_new ("test.dom");
+ assert_ptr_not_null (conn);
+
+ enroll = adcli_enroll_new (conn);
+ assert_ptr_not_null (enroll);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
+ assert_ptr_eq (enctypes, NULL);
+
+ /* krb5 context missing */
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_eq (enctypes, NULL);
+
+ /* check that all permitted enctypes can pass */
+ res = _adcli_krb5_init_context (&k5;;
+ assert_num_eq (res, ADCLI_SUCCESS);
+
+ adcli_conn_set_krb5_context (conn, k5);
+
+ code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+ assert_num_eq (code, 0);
+ assert_ptr_not_null (permitted_enctypes);
+ assert_num_cmp (permitted_enctypes[0], !=, 0);
+
+ adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_not_null (enctypes);
+ for (c = 0; permitted_enctypes[c] != 0; c++) {
+ assert_num_eq (enctypes[c], permitted_enctypes[c]);
+ }
+ assert_num_eq (enctypes[c], 0);
+ krb5_free_enctypes (k5, enctypes);
+
+ /* check that ENCTYPE_UNKNOWN is filtered out */
+ check_enctypes[0] = permitted_enctypes[0];
+ check_enctypes[1] = ENCTYPE_UNKNOWN;
+ check_enctypes[2] = 0;
+ adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_not_null (enctypes);
+ assert_num_eq (enctypes[0], permitted_enctypes[0]);
+ assert_num_eq (enctypes[1], 0);
+ krb5_free_enctypes (k5, enctypes);
+
+ krb5_free_enctypes (k5, permitted_enctypes);
+
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+}
+
+int
+main (int argc,
+ char *argv[])
+{
+ test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
+ "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
+ return test_run (argc, argv);
+}
+
+#endif /* ADENROLL_TESTS */
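Review bot: The test is registered in `main` under `"/attrs/adcli_enroll_get_permitted_keytab_enctypes"`, a prefix that belongs to the adattrs tests; `"/adenroll/adcli_enroll_get_permitted_keytab_enctypes"` keeps the test output attributable to this file. The cases exercised are a NULL argument, a missing krb5 context, an all-permitted list and one unknown type among permitted ones, but not the case where every configured type is filtered out; a further round that sets `check_enctypes` to `{ ENCTYPE_UNKNOWN, 0 }` and asserts `enctypes[0] == 0` would pin down that the function then returns an empty, terminated array rather than NULL. As shown on this page the line `res = _adcli_krb5_init_context (&k5;;` cannot compile; presumably the committed source reads `(&k5);` and this is a rendering artifact, but it is worth confirming against the file.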
diff --git a/library/adenroll.h b/library/adenroll.h
index abbbfd4..1d5d00d 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -138,6 +138,8 @@ krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll);
void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
krb5_enctype *enctypes);
+krb5_enctype * adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
+
const char * adcli_enroll_get_os_name (adcli_enroll *enroll);
void adcli_enroll_set_os_name (adcli_enroll *enroll,
--
2.21.0