rpms/adcli
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli needs to backport patches to only use permitted enctypes from upstream

Browse Source
This commit is contained in:
Jakub Hrozek 2019-07-05 10:36:37 +02:00
parent 603fc1b711
commit c2be30fe08
6 changed files with 488 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
0001-Fix-for-issues-found-by-Coverity.patch Normal file
View File

@ -0,0 +1,43 @@
From 3c93c96eb6ea2abd3869921ee4c89e1a4d9e4c44 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Aug 2018 13:08:52 +0200
Subject: [PATCH] Fix for issues found by Coverity
---
library/adenroll.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 02bd9e3..de2242a 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -1575,7 +1575,7 @@ load_host_keytab (adcli_enroll *enroll)
}
krb5_free_context (k5);
- return ADCLI_SUCCESS;
+ return res;
}
typedef struct {
@@ -1756,12 +1756,12 @@ add_principal_to_keytab (adcli_enroll *enroll,
enroll->kvno, &password, enctypes, &salts[*which_salt]);
free_principal_salts (k5, salts);
+ }
- if (code != 0) {
- _adcli_err ("Couldn't add keytab entries: %s: %s",
- enroll->keytab_name, krb5_get_error_message (k5, code));
- return ADCLI_ERR_FAIL;
- }
+ if (code != 0) {
+ _adcli_err ("Couldn't add keytab entries: %s: %s",
+ enroll->keytab_name, krb5_get_error_message (k5, code));
+ return ADCLI_ERR_FAIL;
}
--
2.20.1

80
0002-adenroll-make-sure-only-allowed-enctypes-are-used-in.patch Normal file
View File

@ -0,0 +1,80 @@
From 341974aae7d0755fc32a0b7e2b34d8e1ef60d195 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 20 Dec 2018 21:05:35 +0100
Subject: [PATCH] adenroll: make sure only allowed enctypes are used in FIPS
mode
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355
---
library/adenroll.c | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 52aa8a8..f617f28 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -41,11 +41,19 @@
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
+#include <sys/stat.h>
+#include <fcntl.h>
#ifndef SAMBA_DATA_TOOL
#define SAMBA_DATA_TOOL "/usr/bin/net"
#endif
+static krb5_enctype v60_later_enctypes_fips[] = {
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ 0
+};
+
static krb5_enctype v60_later_enctypes[] = {
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
@@ -2594,6 +2602,28 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll,
enroll->keytab_name_is_krb5 = 0;
}
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
+static bool adcli_fips_enabled (void)
+{
+ int fd;
+ ssize_t len;
+ char buf[8];
+
+ fd = open (PROC_SYS_FIPS, O_RDONLY);
+ if (fd != -1) {
+ len = read (fd, buf, sizeof (buf));
+ close (fd);
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a
+ * non-0 value. */
+ if ( ! (len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
krb5_enctype *
adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
{
@@ -2602,7 +2632,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
return enroll->keytab_enctypes;
if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID))
- return v60_later_enctypes;
+ if (adcli_fips_enabled ()) {
+ return v60_later_enctypes_fips;
+ } else {
+ return v60_later_enctypes;
+ }
else
return v51_earlier_enctypes;
}
--
2.20.1

52
0003-adconn-add-adcli_conn_set_krb5_context.patch Normal file
View File

@ -0,0 +1,52 @@
From 2fc259a88be618871cea8ff8b8a13bd3e040aea4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:23:47 +0200
Subject: [PATCH 1/3] adconn: add adcli_conn_set_krb5_context
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
library/adconn.c | 13 +++++++++++++
library/adconn.h | 3 +++
2 files changed, 16 insertions(+)
diff --git a/library/adconn.c b/library/adconn.c
index f6c23d3..bcaced8 100644
--- a/library/adconn.c
+++ b/library/adconn.c
@@ -1406,6 +1406,19 @@ adcli_conn_get_krb5_context (adcli_conn *conn)
return conn->k5;
}
+void
+adcli_conn_set_krb5_context (adcli_conn *conn,
+ krb5_context k5)
+{
+ return_if_fail (conn != NULL);
+
+ if (conn->k5 != NULL) {
+ krb5_free_context (conn->k5);
+ }
+
+ conn->k5 = k5;
+}
+
const char *
adcli_conn_get_login_user (adcli_conn *conn)
{
diff --git a/library/adconn.h b/library/adconn.h
index 13cfd32..1ad5715 100644
--- a/library/adconn.h
+++ b/library/adconn.h
@@ -97,6 +97,9 @@ LDAP * adcli_conn_get_ldap_connection (adcli_conn *conn);
krb5_context adcli_conn_get_krb5_context (adcli_conn *conn);
+void adcli_conn_set_krb5_context (adcli_conn *conn,
+ krb5_context k5);
+
const char * adcli_conn_get_computer_name (adcli_conn *conn);
void adcli_conn_set_computer_name (adcli_conn *conn,
--
2.20.1

196
0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch Normal file
View File

@ -0,0 +1,196 @@
From 0c09070e8beec734e3f0c70e14b0a04788077b73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 17:25:52 +0200
Subject: [PATCH 2/3] adenroll: add adcli_enroll_get_permitted_keytab_enctypes
with tests
The new call does not only return the current encryption types set in AD
or a default list but filters them with the list of permitted encryption
types on the client. This makes sure the client can create and use the
keys.
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
library/Makefile.am | 5 ++
library/adenroll.c | 124 ++++++++++++++++++++++++++++++++++++++++++++
library/adenroll.h | 2 +
3 files changed, 131 insertions(+)
diff --git a/library/Makefile.am b/library/Makefile.am
index 39e8fd1..4829555 100644
--- a/library/Makefile.am
+++ b/library/Makefile.am
@@ -40,6 +40,7 @@ check_PROGRAMS = \
test-util \
test-ldap \
test-attrs \
+ test-adenroll \
$(NULL)
test_seq_SOURCES = seq.c test.c test.h
@@ -56,6 +57,10 @@ test_attrs_SOURCES = adattrs.c $(test_ldap_SOURCES)
test_attrs_CFLAGS = -DATTRS_TESTS
test_attrs_LDADD = $(test_ldap_LDADD)
+test_adenroll_SOURCES = adenroll.c $(test_ldap_SOURCES)
+test_adenroll_CFLAGS = -DADENROLL_TESTS
+test_adenroll_LDADD = $(KRB5_LIBS)
+
TESTS = $(check_PROGRAMS)
MEMCHECK_ENV = $(TEST_RUNNER) valgrind --error-exitcode=80 --quiet --trace-children=yes
diff --git a/library/adenroll.c b/library/adenroll.c
index f617f28..95c07cd 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -2641,6 +2641,50 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
return v51_earlier_enctypes;
}
+krb5_enctype *
+adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll)
+{
+ krb5_enctype *cur_enctypes;
+ krb5_enctype *permitted_enctypes;
+ krb5_enctype *new_enctypes;
+ krb5_error_code code;
+ krb5_context k5;
+ size_t c;
+ size_t p;
+ size_t n;
+
+ return_val_if_fail (enroll != NULL, NULL);
+ cur_enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+
+ k5 = adcli_conn_get_krb5_context (enroll->conn);
+ return_val_if_fail (k5 != NULL, NULL);
+
+ code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+ return_val_if_fail (code == 0, NULL);
+
+ for (c = 0; cur_enctypes[c] != 0; c++);
+
+ new_enctypes = calloc (c + 1, sizeof (krb5_enctype));
+ return_val_if_fail (new_enctypes != NULL, NULL);
+
+ n = 0;
+ for (c = 0; cur_enctypes[c] != 0; c++) {
+ for (p = 0; permitted_enctypes[p] != 0; p++) {
+ if (cur_enctypes[c] == permitted_enctypes[p]) {
+ new_enctypes[n++] = cur_enctypes[c];
+ break;
+ }
+ }
+ if (permitted_enctypes[p] == 0) {
+ _adcli_info ("Encryption type [%d] not permitted.", cur_enctypes[c]);
+ }
+ }
+
+ krb5_free_enctypes (k5, permitted_enctypes);
+
+ return new_enctypes;
+}
+
void
adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
krb5_enctype *value)
@@ -2833,3 +2877,83 @@ adcli_enroll_add_service_principal_to_remove (adcli_enroll *enroll,
strdup (value), NULL);
return_if_fail (enroll->service_principals_to_remove != NULL);
}
+
+#ifdef ADENROLL_TESTS
+
+#include "test.h"
+
+static void
+test_adcli_enroll_get_permitted_keytab_enctypes (void)
+{
+ krb5_enctype *enctypes;
+ krb5_error_code code;
+ krb5_enctype *permitted_enctypes;
+ krb5_enctype check_enctypes[3] = { 0 };
+ adcli_conn *conn;
+ adcli_enroll *enroll;
+ adcli_result res;
+ krb5_context k5;
+ size_t c;
+
+ conn = adcli_conn_new ("test.dom");
+ assert_ptr_not_null (conn);
+
+ enroll = adcli_enroll_new (conn);
+ assert_ptr_not_null (enroll);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (NULL);
+ assert_ptr_eq (enctypes, NULL);
+
+ /* krb5 context missing */
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_eq (enctypes, NULL);
+
+ /* check that all permitted enctypes can pass */
+ res = _adcli_krb5_init_context (&k5);
+ assert_num_eq (res, ADCLI_SUCCESS);
+
+ adcli_conn_set_krb5_context (conn, k5);
+
+ code = krb5_get_permitted_enctypes (k5, &permitted_enctypes);
+ assert_num_eq (code, 0);
+ assert_ptr_not_null (permitted_enctypes);
+ assert_num_cmp (permitted_enctypes[0], !=, 0);
+
+ adcli_enroll_set_keytab_enctypes (enroll, permitted_enctypes);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_not_null (enctypes);
+ for (c = 0; permitted_enctypes[c] != 0; c++) {
+ assert_num_eq (enctypes[c], permitted_enctypes[c]);
+ }
+ assert_num_eq (enctypes[c], 0);
+ krb5_free_enctypes (k5, enctypes);
+
+ /* check that ENCTYPE_UNKNOWN is filtered out */
+ check_enctypes[0] = permitted_enctypes[0];
+ check_enctypes[1] = ENCTYPE_UNKNOWN;
+ check_enctypes[2] = 0;
+ adcli_enroll_set_keytab_enctypes (enroll, check_enctypes);
+
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ assert_ptr_not_null (enctypes);
+ assert_num_eq (enctypes[0], permitted_enctypes[0]);
+ assert_num_eq (enctypes[1], 0);
+ krb5_free_enctypes (k5, enctypes);
+
+ krb5_free_enctypes (k5, permitted_enctypes);
+
+ adcli_enroll_unref (enroll);
+ adcli_conn_unref (conn);
+}
+
+int
+main (int argc,
+ char *argv[])
+{
+ test_func (test_adcli_enroll_get_permitted_keytab_enctypes,
+ "/attrs/adcli_enroll_get_permitted_keytab_enctypes");
+ return test_run (argc, argv);
+}
+
+#endif /* ADENROLL_TESTS */
diff --git a/library/adenroll.h b/library/adenroll.h
index abbbfd4..1d5d00d 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -138,6 +138,8 @@ krb5_enctype * adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll);
void adcli_enroll_set_keytab_enctypes (adcli_enroll *enroll,
krb5_enctype *enctypes);
+krb5_enctype * adcli_enroll_get_permitted_keytab_enctypes (adcli_enroll *enroll);
+
const char * adcli_enroll_get_os_name (adcli_enroll *enroll);
void adcli_enroll_set_os_name (adcli_enroll *enroll,
--
2.20.1

103
0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch Normal file
View File

@ -0,0 +1,103 @@
From cc3ef52884a48863a81acbfc741735fe09cd85f7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 18:27:49 +0200
Subject: [PATCH 3/3] adenroll: use only enctypes permitted by Kerberos config
Realted to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
doc/adcli.xml | 10 ++++++++++
library/adenroll.c | 22 +++++++++++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 9605b4a..094f577 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -342,6 +342,11 @@ Password for Administrator:
</varlistentry>
</variablelist>
+ <para>If supported on the AD side the
+ <option>msDS-supportedEncryptionTypes</option> attribute will be set as
+ well. Either the current value or the default list of AD's supported
+ encryption types filtered by the permitted encryption types of the
+ client's Kerberos configuration are written.</para>
</refsect1>
<refsect1 id='updating'>
@@ -475,6 +480,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
</varlistentry>
</variablelist>
+ <para>If supported on the AD side the
+ <option>msDS-supportedEncryptionTypes</option> attribute will be set as
+ well. Either the current value or the default list of AD's supported
+ encryption types filtered by the permitted encryption types of the
+ client's Kerberos configuration are written.</para>
</refsect1>
<refsect1 id='testjoin'>
diff --git a/library/adenroll.c b/library/adenroll.c
index 95c07cd..53cd812 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -639,6 +639,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
{
char *value = NULL;
krb5_enctype *read_enctypes;
+ krb5_enctype *new_enctypes;
char *new_value = NULL;
int is_2008_or_later;
LDAP *ldap;
@@ -685,7 +686,14 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
}
- new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
+ new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ if (new_enctypes == NULL) {
+ _adcli_warn ("No permitted encryption type found.");
+ return ADCLI_ERR_UNEXPECTED;
+ }
+
+ new_value = _adcli_krb5_format_enctypes (new_enctypes);
+ krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes);
if (new_value == NULL) {
free (value);
_adcli_warn ("The encryption types desired are not available in active directory");
@@ -1758,7 +1766,11 @@ add_principal_to_keytab (adcli_enroll *enroll,
enroll->keytab_name);
}
- enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ if (enctypes == NULL) {
+ _adcli_warn ("No permitted encryption type found.");
+ return ADCLI_ERR_UNEXPECTED;
+ }
if (flags & ADCLI_ENROLL_PASSWORD_VALID) {
code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal,
@@ -1774,7 +1786,10 @@ add_principal_to_keytab (adcli_enroll *enroll,
*/
salts = build_principal_salts (enroll, k5, principal);
- return_unexpected_if_fail (salts != NULL);
+ if (salts == NULL) {
+ krb5_free_enctypes (k5, enctypes);
+ return ADCLI_ERR_UNEXPECTED;
+ }
if (*which_salt < 0) {
code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password,
@@ -1794,6 +1809,7 @@ add_principal_to_keytab (adcli_enroll *enroll,
free_principal_salts (k5, salts);
}
+ krb5_free_enctypes (k5, enctypes);
if (code != 0) {
_adcli_err ("Couldn't add keytab entries: %s: %s",
--
2.20.1

15
adcli.spec
View File

@ -1,6 +1,6 @@
Name: adcli Name: adcli
Version: 0.8.2 Version: 0.8.2
Release: 5%{?dist} Release: 6%{?dist}
Summary: Active Directory enrollment Summary: Active Directory enrollment
License: LGPLv2+ License: LGPLv2+
URL: http://cgit.freedesktop.org/realmd/adcli URL: http://cgit.freedesktop.org/realmd/adcli
@ -84,6 +84,14 @@ Patch48: 0005-tools-remove-errx-from-setup_krb5_conf_directory.patch
Patch49: 0006-tools-entry-remove-errx-from-parse_option.patch Patch49: 0006-tools-entry-remove-errx-from-parse_option.patch
Patch50: 0007-tools-computer-remove-errx-from-parse_option.patch Patch50: 0007-tools-computer-remove-errx-from-parse_option.patch
# rhbz#1727144 - adcli join fails with new krb5-libs; adcli needs to
# backport patches to only use permitted enctypes from upstream
Patch51: 0001-Fix-for-issues-found-by-Coverity.patch
Patch52: 0002-adenroll-make-sure-only-allowed-enctypes-are-used-in.patch
Patch53: 0003-adconn-add-adcli_conn_set_krb5_context.patch
Patch54: 0004-adenroll-add-adcli_enroll_get_permitted_keytab_encty.patch
Patch55: 0005-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: intltool pkgconfig BuildRequires: intltool pkgconfig
BuildRequires: libtool BuildRequires: libtool
@ -140,6 +148,11 @@ documentation.
%doc %{_datadir}/doc/adcli/* %doc %{_datadir}/doc/adcli/*
%changelog %changelog
* Fri Jul 5 2019 Jakub Hrozek <jhrozek@redhat.com> - 0.8.2-6
- Resolves: rhbz#1727144 - adcli join fails with new krb5-libs; adcli
needs to backport patches to only use permitted
enctypes from upstream
* Tue Apr 30 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-5 * Tue Apr 30 2019 Sumit Bose <sbose@redhat.com> - 0.8.2-5
- addition patch for rhbz#1630187 and new ones for rhbz#1588596 - addition patch for rhbz#1630187 and new ones for rhbz#1588596
Resolves: rhbz#1630187, rhbz#1588596 Resolves: rhbz#1630187, rhbz#1588596