#1 Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli needs to backport patches to only use permitted enctypes from upstream
Merged 2 months ago by adamwill. Opened 2 months ago by jhrozek.
rpms/ jhrozek/adcli enctypes  into  master

@@ -0,0 +1,43 @@ 

+ From 3c93c96eb6ea2abd3869921ee4c89e1a4d9e4c44 Mon Sep 17 00:00:00 2001

+ From: Sumit Bose <sbose@redhat.com>

+ Date: Tue, 14 Aug 2018 13:08:52 +0200

+ Subject: [PATCH] Fix for issues found by Coverity

+ 

+ ---

+  library/adenroll.c | 12 ++++++------

+  1 file changed, 6 insertions(+), 6 deletions(-)

+ 

+ diff --git a/library/adenroll.c b/library/adenroll.c

+ index 02bd9e3..de2242a 100644

+ --- a/library/adenroll.c

+ +++ b/library/adenroll.c

+ @@ -1575,7 +1575,7 @@ load_host_keytab (adcli_enroll *enroll)

+  	}

+  

+  	krb5_free_context (k5);

+ -	return ADCLI_SUCCESS;

+ +	return res;

+  }

+  

+  typedef struct {

+ @@ -1756,12 +1756,12 @@ add_principal_to_keytab (adcli_enroll *enroll,

+  		                                       enroll->kvno, &password, enctypes, &salts[*which_salt]);

+  

+  		free_principal_salts (k5, salts);

+ +	}

+  

+ -		if (code != 0) {

+ -			_adcli_err ("Couldn't add keytab entries: %s: %s",

+ -			            enroll->keytab_name, krb5_get_error_message (k5, code));

+ -			return ADCLI_ERR_FAIL;

+ -		}

+ +	if (code != 0) {

+ +		_adcli_err ("Couldn't add keytab entries: %s: %s",

+ +		            enroll->keytab_name, krb5_get_error_message (k5, code));

+ +		return ADCLI_ERR_FAIL;

+  	}

+  

+  

+ -- 

+ 2.20.1

+ 

@@ -0,0 +1,80 @@ 

+ From 341974aae7d0755fc32a0b7e2b34d8e1ef60d195 Mon Sep 17 00:00:00 2001

+ From: Sumit Bose <sbose@redhat.com>

+ Date: Thu, 20 Dec 2018 21:05:35 +0100

+ Subject: [PATCH] adenroll: make sure only allowed enctypes are used in FIPS

+  mode

+ 

+ Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355

+ ---

+  library/adenroll.c | 36 +++++++++++++++++++++++++++++++++++-

+  1 file changed, 35 insertions(+), 1 deletion(-)

+ 

+ diff --git a/library/adenroll.c b/library/adenroll.c

+ index 52aa8a8..f617f28 100644

+ --- a/library/adenroll.c

+ +++ b/library/adenroll.c

+ @@ -41,11 +41,19 @@

+  #include <netdb.h>

+  #include <stdio.h>

+  #include <unistd.h>

+ +#include <sys/stat.h>

+ +#include <fcntl.h>

+  

+  #ifndef SAMBA_DATA_TOOL

+  #define SAMBA_DATA_TOOL "/usr/bin/net"

+  #endif

+  

+ +static krb5_enctype v60_later_enctypes_fips[] = {

+ +	ENCTYPE_AES256_CTS_HMAC_SHA1_96,

+ +	ENCTYPE_AES128_CTS_HMAC_SHA1_96,

+ +	0

+ +};

+ +

+  static krb5_enctype v60_later_enctypes[] = {

+  	ENCTYPE_AES256_CTS_HMAC_SHA1_96,

+  	ENCTYPE_AES128_CTS_HMAC_SHA1_96,

+ @@ -2594,6 +2602,28 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll,

+  	enroll->keytab_name_is_krb5 = 0;

+  }

+  

+ +#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"

+ +

+ +static bool adcli_fips_enabled (void)

+ +{

+ +	int fd;

+ +	ssize_t len;

+ +	char buf[8];

+ +

+ +	fd = open (PROC_SYS_FIPS, O_RDONLY);

+ +	if (fd != -1) {

+ +		len = read (fd, buf, sizeof (buf));

+ +		close (fd);

+ +		/* Assume FIPS in enabled if PROC_SYS_FIPS contains a

+ +		 * non-0 value. */

+ +		if ( ! (len == 2 && buf[0] == '0' && buf[1] == '\n')) {

+ +			return true;

+ +		}

+ +	}

+ +

+ +	return false;

+ +}

+ +

+  krb5_enctype *

+  adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)

+  {

+ @@ -2602,7 +2632,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)

+  		return enroll->keytab_enctypes;

+  

+  	if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID))

+ -		return v60_later_enctypes;

+ +		if (adcli_fips_enabled ()) {

+ +			return v60_later_enctypes_fips;

+ +		} else {

+ +			return v60_later_enctypes;

+ +		}

+  	else

+  		return v51_earlier_enctypes;

+  }

+ -- 

+ 2.20.1

+ 
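Review bot: In adcli_enroll_get_keytab_enctypes the outer `if (adcli_conn_server_has_capability (...))` has no braces around the nested if/else, so the trailing `else` reaches the outer `if` only because the inner `if` already consumed one `else`; brace the outer branch (`if (...) { if (adcli_fips_enabled ()) { ... } else { ... } } else return v51_earlier_enctypes;`) so a later edit to the inner branch cannot silently rebind it. In adcli_fips_enabled a failed or interrupted read() (len == -1) or an unexpected short read is classified as FIPS-enabled, which is the safe direction since it only drops the non-AES types, but the comment should say it is deliberate, e.g. `/* Read errors and unexpected contents also count as enabled: prefer the stricter enctype list. */`. A missing file (no /proc or an older kernel) is the only path that yields false, which is worth stating there as well.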

@@ -0,0 +1,52 @@ 

+ From 2fc259a88be618871cea8ff8b8a13bd3e040aea4 Mon Sep 17 00:00:00 2001

+ From: Sumit Bose <sbose@redhat.com>

+ Date: Thu, 13 Jun 2019 17:23:47 +0200

+ Subject: [PATCH 1/3] adconn: add adcli_conn_set_krb5_context

+ 

+ Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3

+ ---

+  library/adconn.c | 13 +++++++++++++

+  library/adconn.h |  3 +++

+  2 files changed, 16 insertions(+)

+ 

+ diff --git a/library/adconn.c b/library/adconn.c

+ index f6c23d3..bcaced8 100644

+ --- a/library/adconn.c

+ +++ b/library/adconn.c

+ @@ -1406,6 +1406,19 @@ adcli_conn_get_krb5_context (adcli_conn *conn)

+  	return conn->k5;

+  }

+  

+ +void

+ +adcli_conn_set_krb5_context (adcli_conn *conn,

+ +                             krb5_context k5)

+ +{

+ +	return_if_fail (conn != NULL);

+ +

+ +	if (conn->k5 != NULL) {

+ +		krb5_free_context (conn->k5);

+ +	}

+ +

+ +	conn->k5 = k5;

+ +}

+ +

+  const char *

+  adcli_conn_get_login_user (adcli_conn *conn)

+  {

+ diff --git a/library/adconn.h b/library/adconn.h

+ index 13cfd32..1ad5715 100644

+ --- a/library/adconn.h

+ +++ b/library/adconn.h

+ @@ -97,6 +97,9 @@ LDAP *              adcli_conn_get_ldap_connection   (adcli_conn *conn);

+  

+  krb5_context        adcli_conn_get_krb5_context      (adcli_conn *conn);

+  

+ +void                adcli_conn_set_krb5_context      (adcli_conn *conn,

+ +                                                      krb5_context k5);

+ +

+  const char *        adcli_conn_get_computer_name     (adcli_conn *conn);

+  

+  void                adcli_conn_set_computer_name     (adcli_conn *conn,

+ -- 

+ 2.20.1

+ 
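Review bot: adcli_conn_set_krb5_context frees conn->k5 before storing k5, so a caller that passes back the context it obtained from adcli_conn_get_krb5_context is left with a dangling conn->k5 and a use-after-free on the next Kerberos call; add `if (conn->k5 == k5) return;` before the krb5_free_context call. The new prototype in adconn.h also does not say that the connection takes ownership of k5 and frees any previously set context, which is what the implementation does; document that above the declaration, e.g. `/* Takes ownership of k5; any previously set context is freed. */`. Whether the connection's destructor releases conn->k5 is not visible here, but the ownership transfer implies the caller must not free k5 itself afterwards.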

@@ -0,0 +1,196 @@ 

+ From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001

+ From: Sumit Bose <sbose@redhat.com>

+ Date: Thu, 13 Jun 2019 17:25:52 +0200

+ Subject: [PATCH 2/3] adenroll: add adcli_enroll_get_permitted_keytab_enctypes

+  with tests

+ 

+ The new call does not only return the current encryption types set in AD

+ or a default list but filters them with the list of permitted encryption

+ types on the client. This makes sure the client can create and use the

+ keys.

+ 

+ Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3

+ ---

+  library/Makefile.am |   5 ++

+  library/adenroll.c  | 124 ++++++++++++++++++++++++++++++++++++++++++++

+  library/adenroll.h  |   2 +

+  3 files changed, 131 insertions(+)

+ 

+ diff --git a/library/Makefile.am b/library/Makefile.am

+ index 39e8fd1..4829555 100644

+ --- a/library/Makefile.am

+ +++ b/library/Makefile.am

+ @@ -40,6 +40,7 @@ check_PROGRAMS = \

+  	test-util \

+  	test-ldap \

+  	test-attrs \

+ +	test-adenroll \

+  	$(NULL)

+  

+  test_seq_SOURCES = seq.c test.c test.h

+ @@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)

+  test_attrs_CFLAGS = -DATTRS_TESTS

+  test_attrs_LDADD = $(test_ldap_LDADD)

+  

+ +test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)

+ +test_adenroll_CFLAGS = -DADENROLL_TESTS

+ +test_adenroll_LDADD = $(KRB5_LIBS)

+ +

+  TESTS = $(check_PROGRAMS)

+  

+  MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes

+ diff --git a/library/adenroll.c b/library/adenroll.c

+ index f617f28..95c07cd 100644

+ --- a/library/adenroll.c

+ +++ b/library/adenroll.c

+ @@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)

+  		return v51_earlier_enctypes;

+  }

+  

+ +krb5_enctype *

+ +adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)

+ +{

+ +	krb5_enctype *cur_enctypes;

+ +	krb5_enctype *permitted_enctypes;

+ +	krb5_enctype *new_enctypes;

+ +	krb5_error_code code;

+ +	krb5_context k5;

+ +	size_t c;

+ +	size_t p;

+ +	size_t n;

+ +

+ +	return_val_if_fail (enroll != NULL, NULL);

+ +	cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);

+ +

+ +	k5 = adcli_conn_get_krb5_context (enroll->conn);

+ +	return_val_if_fail (k5 != NULL, NULL);

+ +

+ +	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);

+ +	return_val_if_fail (code == 0, NULL);

+ +

+ +	for (c = 0; cur_enctypes[c] != 0; c++);

+ +

+ +	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));

+ +	return_val_if_fail (new_enctypes != NULL, NULL);

+ +

+ +	n = 0;

+ +	for (c = 0; cur_enctypes[c] != 0; c++) {

+ +		for (p = 0; permitted_enctypes[p] != 0; p++) {

+ +			if (cur_enctypes[c] == permitted_enctypes[p]) {

+ +				new_enctypes[n++] = cur_enctypes[c];

+ +				break;

+ +			}

+ +		}

+ +		if (permitted_enctypes[p] == 0) {

+ +			_adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);

+ +		}

+ +	}

+ +

+ +	krb5_free_enctypes (k5, permitted_enctypes);

+ +

+ +	return new_enctypes;

+ +}

+ +

+  void

+  adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,

+                                    krb5_enctype *value)

+ @@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,

+  							    strdup (value), NULL);

+  	return_if_fail (enroll->service_principals_to_remove != NULL);

+  }

+ +

+ +#ifdef ADENROLL_TESTS

+ +

+ +#include "test.h"

+ +

+ +static void

+ +test_adcli_enroll_get_permitted_keytab_enctypes (void)

+ +{

+ +	krb5_enctype *enctypes;

+ +	krb5_error_code code;

+ +	krb5_enctype *permitted_enctypes;

+ +	krb5_enctype check_enctypes[3] = { 0 };

+ +	adcli_conn *conn;

+ +	adcli_enroll *enroll;

+ +	adcli_result res;

+ +	krb5_context k5;

+ +	size_t c;

+ +

+ +	conn = adcli_conn_new ("test.dom");

+ +	assert_ptr_not_null (conn);

+ +

+ +	enroll = adcli_enroll_new (conn);

+ +	assert_ptr_not_null (enroll);

+ +

+ +	enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);

+ +	assert_ptr_eq (enctypes, NULL);

+ +

+ +	/* krb5 context missing */

+ +	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);

+ +	assert_ptr_eq (enctypes, NULL);

+ +

+ +	/* check that all permitted enctypes can pass */

+ +	res = _adcli_krb5_init_context (&k5);

+ +	assert_num_eq (res, ADCLI_SUCCESS);

+ +

+ +	adcli_conn_set_krb5_context (conn, k5);

+ +

+ +	code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);

+ +	assert_num_eq (code, 0);

+ +	assert_ptr_not_null (permitted_enctypes);

+ +	assert_num_cmp (permitted_enctypes[0], !=, 0);

+ +

+ +	adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);

+ +

+ +	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);

+ +	assert_ptr_not_null (enctypes);

+ +	for (c = 0; permitted_enctypes[c] != 0; c++) {

+ +		assert_num_eq (enctypes[c], permitted_enctypes[c]);

+ +	}

+ +	assert_num_eq (enctypes[c], 0);

+ +	krb5_free_enctypes (k5, enctypes);

+ +

+ +	/* check that ENCTYPE_UNKNOWN is filtered out */

+ +	check_enctypes[0] = permitted_enctypes[0];

+ +	check_enctypes[1] = ENCTYPE_UNKNOWN;

+ +	check_enctypes[2] = 0;

+ +	adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);

+ +

+ +	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);

+ +	assert_ptr_not_null (enctypes);

+ +	assert_num_eq (enctypes[0], permitted_enctypes[0]);

+ +	assert_num_eq (enctypes[1], 0);

+ +	krb5_free_enctypes (k5, enctypes);

+ +

+ +	krb5_free_enctypes (k5, permitted_enctypes);

+ +

+ +	adcli_enroll_unref (enroll);

+ +	adcli_conn_unref (conn);

+ +}

+ +

+ +int

+ +main (int argc,

+ +      char *argv[])

+ +{

+ +	test_func (test_adcli_enroll_get_permitted_keytab_enctypes,

+ +	           "/attrs/adcli_enroll_get_permitted_keytab_enctypes");

+ +	return test_run (argc, argv);

+ +}

+ +

+ +#endif /* ADENROLL_TESTS */

+ diff --git a/library/adenroll.h b/library/adenroll.h

+ index abbbfd4..1d5d00d 100644

+ --- a/library/adenroll.h

+ +++ b/library/adenroll.h

+ @@ -138,6 +138,8 @@ krb5_enctype *     adcli_enroll_get_keytab_enctypes     (adcli_enroll *enroll);

+  void               adcli_enroll_set_keytab_enctypes     (adcli_enroll *enroll,

+                                                           krb5_enctype *enctypes);

+  

+ +krb5_enctype *     adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);

+ +

+  const char *       adcli_enroll_get_os_name             (adcli_enroll *enroll);

+  

+  void               adcli_enroll_set_os_name             (adcli_enroll *enroll,

+ -- 

+ 2.20.1

+ 
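Review bot: In adcli_enroll_get_permitted_keytab_enctypes the `return_val_if_fail (new_enctypes != NULL, NULL)` after calloc returns while permitted_enctypes, obtained from krb5_get_permitted_enctypes a few lines earlier, is still allocated; release it before bailing out. The returned array is allocated with calloc but released by the callers (and by the test) with krb5_free_enctypes, which is only correct as long as the krb5 library releases such arrays with plain free(); either allocate through the library or state the expected release call in the adenroll.h comment, e.g. `/* Caller frees the result with krb5_free_enctypes(); a zero-length list means nothing was permitted. */`. Note that an empty intersection yields a zero-length array rather than NULL, so callers must check `enctypes[0] == 0` themselves. The test is registered as "/attrs/adcli_enroll_get_permitted_keytab_enctypes", which looks copied from test-attrs; "/adenroll/..." would match the new test program.
```c
	new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
	if (new_enctypes == NULL) {
		krb5_free_enctypes (k5, permitted_enctypes);
		return NULL;
	}
	/* … unchanged: intersection loop, free of permitted_enctypes, return … */
```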

@@ -0,0 +1,103 @@ 

+ From cc3ef52884a48863a81acbfc741735fe09cd85f7 Mon Sep 17 00:00:00 2001

+ From: Sumit Bose <sbose@redhat.com>

+ Date: Thu, 13 Jun 2019 18:27:49 +0200

+ Subject: [PATCH 3/3] adenroll: use only enctypes permitted by Kerberos config

+ 

+ Realted to https://gitlab.freedesktop.org/realmd/adcli/issues/3

+ ---

+  doc/adcli.xml      | 10 ++++++++++

+  library/adenroll.c | 22 +++++++++++++++++++---

+  2 files changed, 29 insertions(+), 3 deletions(-)

+ 

+ diff --git a/doc/adcli.xml b/doc/adcli.xml

+ index 9605b4a..094f577 100644

+ --- a/doc/adcli.xml

+ +++ b/doc/adcli.xml

+ @@ -342,6 +342,11 @@ Password for Administrator:

+  		</varlistentry>

+  	</variablelist>

+  

+ +	<para>If supported on the AD side the

+ +	<option>msDS-supportedEncryptionTypes</option> attribute will be set as

+ +	well. Either the current value or the default list of AD's supported

+ +	encryption types filtered by the permitted encryption types of the

+ +	client's Kerberos configuration are written.</para>

+  </refsect1>

+  

+  <refsect1 id='updating'>

+ @@ -475,6 +480,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123

+  		</varlistentry>

+  	</variablelist>

+  

+ +	<para>If supported on the AD side the

+ +	<option>msDS-supportedEncryptionTypes</option> attribute will be set as

+ +	well. Either the current value or the default list of AD's supported

+ +	encryption types filtered by the permitted encryption types of the

+ +	client's Kerberos configuration are written.</para>

+  </refsect1>

+  

+  <refsect1 id='testjoin'>

+ diff --git a/library/adenroll.c b/library/adenroll.c

+ index 95c07cd..53cd812 100644

+ --- a/library/adenroll.c

+ +++ b/library/adenroll.c

+ @@ -639,6 +639,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)

+  {

+  	char *value = NULL;

+  	krb5_enctype *read_enctypes;

+ +	krb5_enctype *new_enctypes;

+  	char *new_value = NULL;

+  	int is_2008_or_later;

+  	LDAP *ldap;

+ @@ -685,7 +686,14 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)

+  		value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);

+  	}

+  

+ -	new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));

+ +	new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);

+ +	if (new_enctypes == NULL) {

+ +		_adcli_warn ("No permitted encryption type found.");

+ +		return ADCLI_ERR_UNEXPECTED;

+ +	}

+ +

+ +	new_value = _adcli_krb5_format_enctypes (new_enctypes);

+ +	krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes);

+  	if (new_value == NULL) {

+  		free (value);

+  		_adcli_warn ("The encryption types desired are not available in active directory");

+ @@ -1758,7 +1766,11 @@ add_principal_to_keytab (adcli_enroll *enroll,

+  		             enroll->keytab_name);

+  	}

+  

+ -	enctypes = adcli_enroll_get_keytab_enctypes (enroll);

+ +	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);

+ +	if (enctypes == NULL) {

+ +		_adcli_warn ("No permitted encryption type found.");

+ +		return ADCLI_ERR_UNEXPECTED;

+ +	}

+  

+  	if (flags & ADCLI_ENROLL_PASSWORD_VALID) {

+  		code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal,

+ @@ -1774,7 +1786,10 @@ add_principal_to_keytab (adcli_enroll *enroll,

+  		 */

+  

+  		salts = build_principal_salts (enroll, k5, principal);

+ -		return_unexpected_if_fail (salts != NULL);

+ +		if (salts == NULL) {

+ +			krb5_free_enctypes (k5, enctypes);

+ +			return ADCLI_ERR_UNEXPECTED;

+ +		}

+  

+  		if (*which_salt < 0) {

+  			code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password,

+ @@ -1794,6 +1809,7 @@ add_principal_to_keytab (adcli_enroll *enroll,

+  

+  		free_principal_salts (k5, salts);

+  	}

+ +	krb5_free_enctypes (k5, enctypes);

+  

+  	if (code != 0) {

+  		_adcli_err ("Couldn't add keytab entries: %s: %s",

+ -- 

+ 2.20.1

+ 
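Review bot: The new early return in calculate_enctypes (`if (new_enctypes == NULL) { ... return ADCLI_ERR_UNEXPECTED; }`) skips `free (value)`, which the failure path immediately below it does perform, so value leaks whenever no permitted list is returned. The same check cannot detect an empty intersection, because adcli_enroll_get_permitted_keytab_enctypes returns a zero-length array rather than NULL when nothing is permitted; unless _adcli_krb5_format_enctypes and _adcli_krb5_keytab_copy_entries reject an empty list (not visible here), add_principal_to_keytab would presumably go on and write a keytab with no usable keys, which is worse than the intended error, so test `new_enctypes[0] == 0` as well (and likewise `enctypes[0] == 0` in add_principal_to_keytab). Both functions continue outside the hunk; any return between the new allocation and the `krb5_free_enctypes (k5, enctypes)` at the end that is not shown here would also need the free.
```c
	new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
	if (new_enctypes == NULL || new_enctypes[0] == 0) {
		_adcli_warn ("No permitted encryption type found.");
		if (new_enctypes != NULL)
			krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes);
		free (value);
		return ADCLI_ERR_UNEXPECTED;
	}
	/* … unchanged: format new_value, free new_enctypes, compare with value … */
```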

file modified
+14 -1

@@ -1,6 +1,6 @@ 

  Name:		adcli

  Version:	0.8.2

- Release:	5%{?dist}

+ Release:	6%{?dist}

  Summary:	Active Directory enrollment

  License:	LGPLv2+

  URL:		http://cgit.freedesktop.org/realmd/adcli

@@ -84,6 +84,14 @@ 

  Patch49:        0006-tools-entry-remove-errx-from-parse_option.patch

  Patch50:        0007-tools-computer-remove-errx-from-parse_option.patch

  

+ # rhbz#1727144 - adcli join fails with new krb5-libs; adcli needs to

+ #                backport patches to only use permitted enctypes from upstream

+ Patch51:        0001-Fix-for-issues-found-by-Coverity.patch

+ Patch52:        0002-adenroll-make-sure-only-allowed-enctypes-are-used-in.patch

+ Patch53:        0003-adconn-add-adcli_conn_set_krb5_context.patch

+ Patch54:        0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch

+ Patch55:        0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch

+ 

  BuildRequires:	gcc

  BuildRequires:	intltool pkgconfig

  BuildRequires:	libtool
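Review bot: Patch51–Patch55 are declared here, but the %prep section is not part of the diff; if this spec applies patches with explicit `%patchNN -p1` lines rather than %autosetup, the five new patches also need those lines or they are silently never applied. The numbers are contiguous with the existing Patch50 and the file names match the patch files added above, so the declarations themselves look consistent.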

@@ -140,6 +148,11 @@ 

  %doc %{_datadir}/doc/adcli/*

  

  %changelog

+ * Fri Jul  5 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.8.2-6

+ - Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli

+                            needs to backport patches to only use permitted

+                            enctypes from upstream

+ 

  * Tue Apr 30 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-5

  - addition patch for rhbz#1630187 and new ones for rhbz#1588596

    Resolves: rhbz#1630187, rhbz#1588596