mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00

auth/credentials: Allow generation of old Kerberos keys also

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett 2023-12-21 14:04:23 +13:00
parent b8308f3fe0
commit 48affb137f
3 changed files with 35 additions and 4 deletions


@ -1508,6 +1508,7 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
krb5_enctype enctype,
bool previous,
DATA_BLOB *key_blob)
{
struct smb_krb5_context *smb_krb5_context = NULL;
@ -1524,8 +1525,14 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
TALLOC_CTX *frame = talloc_stackframe();
if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
struct samr_Password *nt_hash
= cli_credentials_get_nt_hash(cred, frame);
struct samr_Password *nt_hash;
if (previous) {
nt_hash = cli_credentials_get_old_nt_hash(cred, frame);
} else {
nt_hash = cli_credentials_get_nt_hash(cred, frame);
}
if (nt_hash == NULL) {
TALLOC_FREE(frame);
return EINVAL;
@ -1553,7 +1560,11 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
return EINVAL;
}
password = cli_credentials_get_password(cred);
if (previous) {
password = cli_credentials_get_old_password(cred);
} else {
password = cli_credentials_get_password(cred);
}
if (password == NULL) {
TALLOC_FREE(frame);
return EINVAL;
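Review bot: With `previous` set, a credentials object for which the old-password or old-NT-hash getter returns NULL takes the same `return EINVAL` path as the other failures visible in these hunks, in both the `ENCTYPE_ARCFOUR_HMAC` branch and the password branch, so a caller cannot tell "no previous secret stored" from any other rejected request. The new parameter is also undocumented here and on the prototype; a comment such as `/* previous: derive the key from the old password/NT hash instead of the current one; EINVAL if none is set */` above the function would make that contract explicit. The Python wrapper turns any non-zero code into a single `RuntimeError`, so the same sentence belongs in the `get_old_kerberos_key` doc string. The function body starts and ends outside these hunks.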


@ -45,6 +45,7 @@ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
krb5_enctype enctype,
bool previous,
DATA_BLOB *key_blob);


@ -1015,7 +1015,7 @@ static PyObject *py_creds_get_kerberos_salt_principal(PyObject *self, PyObject *
return ret;
}
static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
static PyObject *py_creds_get_kerberos_key_current_or_old(PyObject *self, PyObject *args, bool old)
{
struct loadparm_context *lp_ctx = NULL;
TALLOC_CTX *mem_ctx = NULL;
@ -1049,6 +1049,7 @@ static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
mem_ctx,
lp_ctx,
enctype,
old,
&key);
if (code != 0) {
PyErr_SetString(PyExc_RuntimeError,
@ -1063,6 +1064,16 @@ static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
return ret;
}
static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
{
return py_creds_get_kerberos_key_current_or_old(self, args, false);
}
static PyObject *py_creds_get_old_kerberos_key(PyObject *self, PyObject *args)
{
return py_creds_get_kerberos_key_current_or_old(self, args, true);
}
static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
PyObject *args)
{
@ -1646,6 +1657,14 @@ static PyMethodDef py_creds_methods[] = {
"Generate a Kerberos key using the current password and\n"
"the salt on this credentials object",
},
{
.ml_name = "get_old_kerberos_key",
.ml_meth = py_creds_get_old_kerberos_key,
.ml_flags = METH_VARARGS,
.ml_doc = "S.get_old_kerberos_key(enctype, [lp]) -> bytes\n"
"Generate a Kerberos key using the old (previous) password and\n"
"the salt on this credentials object",
},
{
.ml_name = "encrypt_netr_crypt_password",
.ml_meth = py_creds_encrypt_netr_crypt_password,
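Review bot: The `.ml_doc` for `get_old_kerberos_key` says the key is derived from the previous password with "the salt on this credentials object", which is the salt currently set and not necessarily the one that was in effect while the previous password was current. If the salt principal has changed in between, the result for a salted enctype would presumably not match a key that was stored for the old password, so the doc string should say so, for example by appending `"Note: the salt currently set on the object is used"`. Separately, the helper's flag is named `old` while the C function it forwards to calls the same thing `previous`; using one name in both places would make the `enctype, old, &key` call easier to follow.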