From 48affb137fb3841b2e65f58d80fa959fa1c47741 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 21 Dec 2023 14:04:23 +1300 Subject: [PATCH] auth/credentials: Allow generation of old Kerberos keys also Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton --- auth/credentials/credentials_krb5.c | 17 ++++++++++++++--- auth/credentials/credentials_krb5.h | 1 + auth/credentials/pycredentials.c | 21 ++++++++++++++++++++- 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index ce5a5a3fadd..c388f6c82df 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -1508,6 +1508,7 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, krb5_enctype enctype, + bool previous, DATA_BLOB *key_blob) { struct smb_krb5_context *smb_krb5_context = NULL; @@ -1524,8 +1525,14 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred, TALLOC_CTX *frame = talloc_stackframe(); if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) { - struct samr_Password *nt_hash - = cli_credentials_get_nt_hash(cred, frame); + struct samr_Password *nt_hash; + + if (previous) { + nt_hash = cli_credentials_get_old_nt_hash(cred, frame); + } else { + nt_hash = cli_credentials_get_nt_hash(cred, frame); + } + if (nt_hash == NULL) { TALLOC_FREE(frame); return EINVAL; @@ -1553,7 +1560,11 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred, return EINVAL; } - password = cli_credentials_get_password(cred); + if (previous) { + password = cli_credentials_get_old_password(cred); + } else { + password = cli_credentials_get_password(cred); + } if (password == NULL) { TALLOC_FREE(frame); return EINVAL; diff --git a/auth/credentials/credentials_krb5.h b/auth/credentials/credentials_krb5.h index 6ee2e139a4d..e454de36240 100644 --- a/auth/credentials/credentials_krb5.h 
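Review bot: The new `bool previous` argument in the first credentials_krb5.c hunk (and the matching prototype in credentials_krb5.h) has no comment saying what it selects, and a bare `true` or `false` at a call site does not explain itself. A short doc comment above `cli_credentials_get_kerberos_key` would help, for example `/* previous: derive the key from the old (previous) password or NT hash rather than the current one; fails if none is stored */`. Because the function is `_PUBLIC_` and the parameter is inserted before `key_blob`, any caller not touched by this patch has to be updated as well; only the pycredentials.c caller is visible here. The function body continues outside the hunk.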
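Review bot: When `previous` is set and no old password or old NT hash is stored, the `nt_hash == NULL` check in the ARCFOUR branch returns the same `EINVAL` that the function already uses for its other failures, and the `password == NULL` check in the later hunk (-1553) does the same. The Python binding turns every non-zero code into a `RuntimeError`, so a caller of `get_old_kerberos_key` cannot tell "there is no previous password" apart from a real error. A distinct code for that case, for example `return previous ? ENOENT : EINVAL;` in both checks, would let callers handle it. This assumes a NULL return from the old-credential getters means "not set", which is not visible in this patch.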
+++ b/auth/credentials/credentials_krb5.h @@ -45,6 +45,7 @@ int cli_credentials_get_kerberos_key(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, krb5_enctype enctype, + bool previous, DATA_BLOB *key_blob); diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 517b4757f1c..a16be546901 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -1015,7 +1015,7 @@ static PyObject *py_creds_get_kerberos_salt_principal(PyObject *self, PyObject * return ret; } -static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args) +static PyObject *py_creds_get_kerberos_key_current_or_old(PyObject *self, PyObject *args, bool old) { struct loadparm_context *lp_ctx = NULL; TALLOC_CTX *mem_ctx = NULL; @@ -1049,6 +1049,7 @@ static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args) mem_ctx, lp_ctx, enctype, + old, &key); if (code != 0) { PyErr_SetString(PyExc_RuntimeError, @@ -1063,6 +1064,16 @@ static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args) return ret; } +static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args) +{ + return py_creds_get_kerberos_key_current_or_old(self, args, false); +} + +static PyObject *py_creds_get_old_kerberos_key(PyObject *self, PyObject *args) +{ + return py_creds_get_kerberos_key_current_or_old(self, args, true); +} + static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self, PyObject *args) { 
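Review bot: The shared helper in pycredentials.c names its flag `old` while the C function it forwards to calls the same thing `previous`, and the helper name `py_creds_get_kerberos_key_current_or_old` lists both values rather than naming the choice. Using one term in both layers makes the call chain easier to follow, for example `bool previous` here as well, with a one-line comment above the helper such as `/* previous: use the old password instead of the current one */`. The helper's body starts in the earlier hunk (-1015) and is only partly visible.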
@@ -1646,6 +1657,14 @@ static PyMethodDef py_creds_methods[] = { "Generate a Kerberos key using the current password and\n" "the salt on this credentials object", }, + { + .ml_name = "get_old_kerberos_key", + .ml_meth = py_creds_get_old_kerberos_key, + .ml_flags = METH_VARARGS, + .ml_doc = "S.get_old_kerberos_key(enctype, [lp]) -> bytes\n" + "Generate a Kerberos key using the old (previous) password and\n" + "the salt on this credentials object", + }, { .ml_name = "encrypt_netr_crypt_password", .ml_meth = py_creds_encrypt_netr_crypt_password,
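Review bot: The new `.ml_doc` says the key is built from the old password and "the salt on this credentials object", which for the salted enctypes means the previous password is combined with the current salt. If the salt principal changed between the two password sets, the result may not match the key a KDC holds as the previous key. That is inferred from the docstring, since the salt lookup is outside the visible hunks. The docstring could say so explicitly, for example with an extra line `"Note: the current salt is applied to the old password\n"`, and could also mention that `RuntimeError` is raised when no old password is set. The `py_creds_methods[]` table continues outside the hunk.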