mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

auth/credentials: Use salt on credentials object for Creds.get_aes256_key()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett 2023-12-20 22:55:07 +13:00
parent 74f9d2e519
commit 9fc11e329c
4 changed files with 11 additions and 8 deletions


@ -351,7 +351,6 @@ NTSTATUS netlogon_creds_session_encrypt(
int cli_credentials_get_aes256_key(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char *salt,
DATA_BLOB *aes_256);
/**


@ -1484,13 +1484,13 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c
_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char *salt,
DATA_BLOB *aes_256)
{
struct smb_krb5_context *smb_krb5_context = NULL;
krb5_error_code krb5_ret;
int ret;
const char *password = NULL;
const char *salt = NULL;
krb5_data cleartext_data;
krb5_data salt_data = {
.length = 0,
@ -1502,6 +1502,11 @@ _PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
return EINVAL;
}
salt = cli_credentials_get_salt_principal(cred);
if (salt == NULL) {
return EINVAL;
}
password = cli_credentials_get_password(cred);
if (password == NULL) {
return EINVAL;
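Review bot: The new `salt == NULL` branch returns the same `EINVAL` as the missing-password check right after it, so a caller cannot tell an unset salt principal from an unset password. Because the salt is now implicit state on the credentials object rather than an explicit argument, that precondition should be documented on the function, for example `/* Salt is taken from cli_credentials_get_salt_principal(cred); returns EINVAL if the salt principal or the password is not set. */`. A debug-level message on the salt branch that names the missing input, without printing the password or the derived key, would also make a wrong-key result easier to diagnose. The function body continues outside the hunk, so how `salt` is consumed afterwards is not visible here.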


@ -1007,7 +1007,6 @@ static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args)
struct loadparm_context *lp_ctx = NULL;
TALLOC_CTX *mem_ctx = NULL;
PyObject *py_lp_ctx = Py_None;
const char *salt = NULL;
DATA_BLOB aes_256;
int code;
PyObject *ret = NULL;
@ -1017,7 +1016,7 @@ static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args)
return NULL;
}
if (!PyArg_ParseTuple(args, "s|O", &salt, &py_lp_ctx))
if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx))
return NULL;
mem_ctx = talloc_new(NULL);
@ -1035,7 +1034,6 @@ static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args)
code = cli_credentials_get_aes256_key(creds,
mem_ctx,
lp_ctx,
salt,
&aes_256);
if (code != 0) {
PyErr_SetString(PyExc_RuntimeError,
@ -1629,9 +1627,9 @@ static PyMethodDef py_creds_methods[] = {
.ml_name = "get_aes256_key",
.ml_meth = py_creds_get_aes256_key,
.ml_flags = METH_VARARGS,
.ml_doc = "S.get_aes256_key(salt[, lp]) -> bytes\n"
.ml_doc = "S.get_aes256_key([lp]) -> bytes\n"
"Generate an AES256 key using the current password and\n"
"the specified salt",
"the salt on this credentials object",
},
{
.ml_name = "encrypt_netr_crypt_password",
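Review bot: An old-style call such as `get_aes256_key(salt)` still parses under the new `"|O"` format in py_creds_get_aes256_key, with the salt string landing in `py_lp_ctx` instead of raising a TypeError. How that object is turned into a loadparm context is outside the hunk, but if the conversion accepts a string, a stale caller would get a key derived from whatever salt is already on the object, or an unrelated error, rather than a clear failure. The `.ml_doc` text should at least state the new precondition, e.g. `"The salt must first be set with set_kerberos_salt_principal()"`. A test that passes a positional string and checks the outcome would pin the behaviour down.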


@ -489,7 +489,8 @@ class GetPasswordCommand(Command):
decrypted = tmp.get_nt_hash()
current_hash = unicodePwd
elif aes256_key is not None and kerberos_salt is not None:
decrypted = tmp.get_aes256_key(kerberos_salt)
tmp.set_kerberos_salt_principal(kerberos_salt)
decrypted = tmp.get_aes256_key()
current_hash = aes256_key.value
if current_hash is not None and current_hash == decrypted: