From 9fc11e329c90351b9b14212ce849894acdd50b45 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 20 Dec 2023 22:55:07 +1300
Subject: [PATCH] auth/credentials: Use salt on credentials object for Creds.get_aes256_key()

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---
 auth/credentials/credentials.h                   | 1 -
 auth/credentials/credentials_krb5.c              | 7 ++++++-
 auth/credentials/pycredentials.c                 | 8 +++-----
 python/samba/netcmd/user/readpasswords/common.py | 3 ++-
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 341c984f60c..9c11bbd9bca 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -351,7 +351,6 @@ NTSTATUS netlogon_creds_session_encrypt(
 int cli_credentials_get_aes256_key(struct cli_credentials *cred,
				   TALLOC_CTX *mem_ctx,
				   struct loadparm_context *lp_ctx,
-				   const char *salt,
				   DATA_BLOB *aes_256);
 
 /**
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 4463401a767..4e7a1a3b265 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1484,13 +1484,13 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c
 _PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
					    TALLOC_CTX *mem_ctx,
					    struct loadparm_context *lp_ctx,
-					    const char *salt,
					    DATA_BLOB *aes_256)
 {
	struct smb_krb5_context *smb_krb5_context = NULL;
	krb5_error_code krb5_ret;
	int ret;
	const char *password = NULL;
+	const char *salt = NULL;
	krb5_data cleartext_data;
	krb5_data salt_data = {
		.length = 0,
@@ -1502,6 +1502,11 @@ _PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
		return EINVAL;
	}
 
+	salt = cli_credentials_get_salt_principal(cred);
+	if (salt == NULL) {
+		return EINVAL;
+	}
+
	password = cli_credentials_get_password(cred);
	if (password == NULL) {
		return EINVAL;
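Review bot: The new salt lookup in the `@@ -1502` hunk of credentials_krb5.c returns the same `EINVAL` as the password check right after it, so a caller cannot tell "no salt principal set" from "no password set", and the Python wrapper in this same patch surfaces both as one RuntimeError. Because the public contract changed (the salt now comes from the object, not an argument), the prototype in credentials.h, also in this patch, should say so; above it I would add `/* Derives the AES256 key from the password and the salt principal stored on cred (see cli_credentials_get_salt_principal); returns EINVAL if either is unset. */`. A one-line comment on the new call is also worth having, `/* The salt must be the one the KDC uses for this account; a different salt yields a well-formed but wrong key. */`, since a mismatch cannot be detected here. Whether cli_credentials_get_salt_principal falls back to a salt derived from the principal when none was set explicitly is not visible in the hunk, and the function body continues past it.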
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 40773ff74a9..6d73a0a2c32 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1007,7 +1007,6 @@ static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args)
	struct loadparm_context *lp_ctx = NULL;
	TALLOC_CTX *mem_ctx = NULL;
	PyObject *py_lp_ctx = Py_None;
-	const char *salt = NULL;
	DATA_BLOB aes_256;
	int code;
	PyObject *ret = NULL;
@@ -1017,7 +1016,7 @@ static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args)
		return NULL;
	}
 
-	if (!PyArg_ParseTuple(args, "s|O", &salt, &py_lp_ctx))
+	if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx))
		return NULL;
 
	mem_ctx = talloc_new(NULL);
@@ -1035,7 +1034,6 @@ static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args)
	code = cli_credentials_get_aes256_key(creds,
					      mem_ctx,
					      lp_ctx,
-					      salt,
					      &aes_256);
	if (code != 0) {
		PyErr_SetString(PyExc_RuntimeError,
@@ -1629,9 +1627,9 @@ static PyMethodDef py_creds_methods[] = {
		.ml_name = "get_aes256_key",
		.ml_meth = py_creds_get_aes256_key,
		.ml_flags = METH_VARARGS,
-		.ml_doc = "S.get_aes256_key(salt[, lp]) -> bytes\n"
+		.ml_doc = "S.get_aes256_key([lp]) -> bytes\n"
			  "Generate an AES256 key using the current password and\n"
-			  "the specified salt",
+			  "the salt on this credentials object",
	},
	{
		.ml_name = "encrypt_netr_crypt_password",
diff --git a/python/samba/netcmd/user/readpasswords/common.py b/python/samba/netcmd/user/readpasswords/common.py
index 8af8be7341e..2b888c4f0f7 100644
--- a/python/samba/netcmd/user/readpasswords/common.py
+++ b/python/samba/netcmd/user/readpasswords/common.py
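Review bot: The updated `.ml_doc` in the `@@ -1629` hunk says the key uses "the salt on this credentials object" but not how that salt gets there or what happens when it is missing, which is exactly what a caller migrating from the old `get_aes256_key(salt[, lp])` signature needs. I would extend the string to `"the salt on this credentials object\n" "(set with set_kerberos_salt_principal). Raises RuntimeError\n" "if no password or no salt principal is set"`, matching the `code != 0` path in the `@@ -1035` hunk and the two EINVAL returns in credentials_krb5.c. The format change from `"s|O"` to `"|O"` in the `@@ -1017` hunk also deserves a sentence there: a caller still passing `(salt, lp)` now gets a TypeError from PyArg_ParseTuple, but a caller passing only `salt` has the string bound to `py_lp_ctx`, and whether that is rejected depends on the lp_ctx conversion outside the hunk.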
@@ -489,7 +489,8 @@ class GetPasswordCommand(Command):
                 decrypted = tmp.get_nt_hash()
                 current_hash = unicodePwd
             elif aes256_key is not None and kerberos_salt is not None:
-                decrypted = tmp.get_aes256_key(kerberos_salt)
+                tmp.set_kerberos_salt_principal(kerberos_salt)
+                decrypted = tmp.get_aes256_key()
                 current_hash = aes256_key.value
             if current_hash is not None and current_hash == decrypted: