kerberos: make smb_krb5_kt_add_entry public, allow passing keys without salting them.
Guenther
This commit is contained in:
parent
63c1a5146e
commit
7c4da23be1
@ -1143,7 +1143,7 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val);
|
||||
|
||||
/* Samba wrapper function for krb5 functionality. */
|
||||
bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
|
||||
int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype);
|
||||
int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
|
||||
bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
|
||||
krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
|
||||
krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
|
||||
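Review bot: The new `no_salt` parameter on `create_kerberos_key_from_string` in this hunk, and on `smb_krb5_kt_add_entry` in the next one, is undocumented, and its meaning is not obvious from the name: when it is true the `password` bytes are used verbatim as the key instead of being run through string-to-key, so they should already be a key of the right size for the enctype. Add a comment on each prototype, e.g. `/* no_salt: true means password holds the raw key bytes for the enctype, not a passphrase to salt and derive */`. Since `smb_krb5_kt_add_entry` is now public, that comment is the only place a new caller learns that a raw key passed this way is written into the keytab exactly as supplied.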
@ -1221,6 +1221,13 @@ krb5_error_code smb_krb5_open_keytab(krb5_context context,
|
||||
const char *keytab_name,
|
||||
bool write_access,
|
||||
krb5_keytab *keytab);
|
||||
int smb_krb5_kt_add_entry(krb5_context context,
|
||||
krb5_keytab keytab,
|
||||
krb5_kvno kvno,
|
||||
const char *princ_s,
|
||||
krb5_enctype *enctypes,
|
||||
krb5_data password,
|
||||
bool no_salt);
|
||||
#endif /* HAVE_KRB5 */
|
||||
|
||||
|
||||
|
@ -32,9 +32,13 @@
|
||||
/**********************************************************************
|
||||
**********************************************************************/
|
||||
|
||||
static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
|
||||
krb5_kvno kvno, const char *princ_s,
|
||||
krb5_enctype *enctypes, krb5_data password )
|
||||
int smb_krb5_kt_add_entry(krb5_context context,
|
||||
krb5_keytab keytab,
|
||||
krb5_kvno kvno,
|
||||
const char *princ_s,
|
||||
krb5_enctype *enctypes,
|
||||
krb5_data password,
|
||||
bool no_salt)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
krb5_kt_cursor cursor;
|
||||
@ -166,7 +170,7 @@ static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
|
||||
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
|
||||
keyp = &kt_entry.keyblock;
|
||||
#endif
|
||||
if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) {
|
||||
if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i], no_salt)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
@ -321,7 +325,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
|
||||
|
||||
/* add the fqdn principal to the keytab */
|
||||
|
||||
ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
|
||||
ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password, false );
|
||||
if ( ret ) {
|
||||
DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
|
||||
goto out;
|
||||
@ -330,7 +334,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
|
||||
/* add the short principal name if we have one */
|
||||
|
||||
if ( short_princ_s ) {
|
||||
ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
|
||||
ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password, false );
|
||||
if ( ret ) {
|
||||
DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
|
||||
goto out;
|
||||
|
@ -259,7 +259,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
|
||||
if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i], false)) {
|
||||
SAFE_FREE(key);
|
||||
continue;
|
||||
}
|
||||
|
@ -214,20 +214,31 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
|
||||
krb5_principal host_princ,
|
||||
krb5_data *password,
|
||||
krb5_keyblock *key,
|
||||
krb5_enctype enctype)
|
||||
krb5_enctype enctype,
|
||||
bool no_salt)
|
||||
{
|
||||
int ret;
|
||||
krb5_data salt;
|
||||
krb5_encrypt_block eblock;
|
||||
|
||||
ret = krb5_principal2salt(context, host_princ, &salt);
|
||||
if (ret) {
|
||||
DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
|
||||
return ret;
|
||||
if (no_salt) {
|
||||
key->contents = (krb5_octet *)SMB_MALLOC(password->length);
|
||||
if (!key->contents) {
|
||||
return ENOMEM;
|
||||
}
|
||||
memcpy(key->contents, password->data, password->length);
|
||||
key->length = password->length;
|
||||
key->enctype = enctype;
|
||||
} else {
|
||||
ret = krb5_principal2salt(context, host_princ, &salt);
|
||||
if (ret) {
|
||||
DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
|
||||
return ret;
|
||||
}
|
||||
krb5_use_enctype(context, &eblock, enctype);
|
||||
ret = krb5_string_to_key(context, &eblock, key, password, &salt);
|
||||
SAFE_FREE(salt.data);
|
||||
}
|
||||
krb5_use_enctype(context, &eblock, enctype);
|
||||
ret = krb5_string_to_key(context, &eblock, key, password, &salt);
|
||||
SAFE_FREE(salt.data);
|
||||
return ret;
|
||||
}
|
||||
#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
|
||||
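Review bot: In the MIT branch's new `no_salt` path (the block starting at `if (no_salt) {`), `ret` is never assigned before the shared `return ret;` at the end of the function, yet it is declared as `int ret;` without an initializer, so a raw-key caller gets an indeterminate return value and the keytab and verify callers may treat a successfully built key as a failure, or a failure as success. Change the declaration to `int ret = 0;` (or add `ret = 0;` after `key->enctype = enctype;`). The same path copies `password` into `key->contents` without checking that `password->length` is a valid key length for `enctype`; the Heimdal path in the next hunk goes through `krb5_keyblock_init`, which to my recollection rejects a wrong-size key, so the MIT path should reject a mismatched length before copying (MIT exposes `krb5_c_keylengths` for that) to keep the two builds consistent. If the MIT `krb5_keyblock` in use carries a `magic` field, it is also left unset on this path, which is worth confirming against the headers being built against. The enclosing function's signature lies outside the hunk (only its tail parameters are shown).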
@ -235,19 +246,27 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
|
||||
krb5_principal host_princ,
|
||||
krb5_data *password,
|
||||
krb5_keyblock *key,
|
||||
krb5_enctype enctype)
|
||||
krb5_enctype enctype,
|
||||
bool no_salt)
|
||||
{
|
||||
int ret;
|
||||
krb5_salt salt;
|
||||
|
||||
ret = krb5_get_pw_salt(context, host_princ, &salt);
|
||||
if (ret) {
|
||||
DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
|
||||
return ret;
|
||||
if (no_salt) {
|
||||
return krb5_keyblock_init(context, enctype,
|
||||
password->data, password->length,
|
||||
key);
|
||||
} else {
|
||||
ret = krb5_get_pw_salt(context, host_princ, &salt);
|
||||
if (ret) {
|
||||
DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
|
||||
krb5_free_salt(context, salt);
|
||||
}
|
||||
|
||||
ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
|
||||
krb5_free_salt(context, salt);
|
||||
|
||||
return ret;
|
||||
}
|
||||
#else
|
||||
@ -258,7 +277,8 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
|
||||
krb5_principal host_princ,
|
||||
krb5_data *password,
|
||||
krb5_keyblock *key,
|
||||
krb5_enctype enctype)
|
||||
krb5_enctype enctype,
|
||||
bool no_salt)
|
||||
{
|
||||
krb5_principal salt_princ = NULL;
|
||||
int ret;
|
||||
@ -268,7 +288,7 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
|
||||
* its behavior.
|
||||
*/
|
||||
salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
|
||||
ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
|
||||
ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype, no_salt);
|
||||
if (salt_princ) {
|
||||
krb5_free_principal(context, salt_princ);
|
||||
}
|
||||
|