auth/credentials: Allow generation of old Kerberos keys also
authorAndrew Bartlett <abartlet@samba.org>
Thu, 21 Dec 2023 01:04:23 +0000 (14:04 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 14 Mar 2024 22:06:39 +0000 (22:06 +0000)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
auth/credentials/credentials_krb5.c
auth/credentials/credentials_krb5.h
auth/credentials/pycredentials.c

index ce5a5a3fadda571ece52ca83a91a31adb35795a4..c388f6c82dfa35ab51a90aebf86212ecd905a892 100644 (file)
@@ -1508,6 +1508,7 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
                                              TALLOC_CTX *mem_ctx,
                                              struct loadparm_context *lp_ctx,
                                              krb5_enctype enctype,
+                                             bool previous,
                                              DATA_BLOB *key_blob)
 {
        struct smb_krb5_context *smb_krb5_context = NULL;
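Review bot: The new `bool previous` parameter is undocumented, and at call sites it reads as a bare `true`/`false`, which is easy to get wrong for a function that hands back long-term key material. A comment above the definition, repeated on the prototype in credentials_krb5.h, would make the contract explicit, e.g. `/* previous: derive the key from the old password / old NT hash instead of the current one */`. The function body continues outside this hunk.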
@@ -1524,8 +1525,14 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
        TALLOC_CTX *frame = talloc_stackframe();
 
        if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
-               struct samr_Password *nt_hash
-                       = cli_credentials_get_nt_hash(cred, frame);
+               struct samr_Password *nt_hash;
+
+               if (previous) {
+                       nt_hash = cli_credentials_get_old_nt_hash(cred, frame);
+               } else {
+                       nt_hash = cli_credentials_get_nt_hash(cred, frame);
+               }
+
                if (nt_hash == NULL) {
                        TALLOC_FREE(frame);
                        return EINVAL;
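Review bot: With `previous` set, a NULL from `cli_credentials_get_old_nt_hash()` falls into the existing `return EINVAL`, so "no previous password is stored" looks the same to the caller as an invalid argument. Having no old password is presumably a normal state for credentials that were never rotated, so a distinct code would let callers skip the old key without masking real failures, e.g. `return previous ? ENOENT : EINVAL;`. The same applies to the `password == NULL` check in the next hunk of this function. The function starts and ends outside the hunk.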
@@ -1553,7 +1560,11 @@ _PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
                return EINVAL;
        }
 
-       password = cli_credentials_get_password(cred);
+       if (previous) {
+               password = cli_credentials_get_old_password(cred);
+       } else {
+               password = cli_credentials_get_password(cred);
+       }
        if (password == NULL) {
                TALLOC_FREE(frame);
                return EINVAL;
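Review bot: The old password selected here is combined with whatever salt the credentials object holds now; nothing in this hunk picks a salt that belonged to the previous password. If the salt principal changed between the two passwords (the salt lookup is outside the hunk, so this is inferred), the derived key would not match the one stored for the previous password. A comment at the branch would state the assumption: `/* the old key is derived with the current salt principal */`.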
index 6ee2e139a4dc5a99b7d76516bc2a3a5110e92e65..e454de362401fbe8f321232335fd656c6acbb743 100644 (file)
@@ -45,6 +45,7 @@ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
                                     TALLOC_CTX *mem_ctx,
                                     struct loadparm_context *lp_ctx,
                                     krb5_enctype enctype,
+                                    bool previous,
                                     DATA_BLOB *key_blob);
 
 
index 517b4757f1cab607361e043319f7e286f22dfebf..a16be54690163e77a37cbd428ea6ba35f9d91562 100644 (file)
@@ -1015,7 +1015,7 @@ static PyObject *py_creds_get_kerberos_salt_principal(PyObject *self, PyObject *
        return ret;
 }
 
-static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
+static PyObject *py_creds_get_kerberos_key_current_or_old(PyObject *self, PyObject *args, bool old)
 {
        struct loadparm_context *lp_ctx = NULL;
        TALLOC_CTX *mem_ctx = NULL;
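Review bot: The helper names its flag `old` while the C API it forwards to calls the same thing `previous`; one term across both layers would make the later call `enctype, old, &key` easier to follow. Either rename the parameter to `bool previous`, or add a one-line comment above the helper such as `/* old == true selects the previous password */`. The helper's body continues outside this hunk.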
@@ -1049,6 +1049,7 @@ static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
                                                mem_ctx,
                                                lp_ctx,
                                                enctype,
+                                               old,
                                                &key);
        if (code != 0) {
                PyErr_SetString(PyExc_RuntimeError,
@@ -1063,6 +1064,16 @@ static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
        return ret;
 }
 
+static PyObject *py_creds_get_kerberos_key(PyObject *self, PyObject *args)
+{
+       return py_creds_get_kerberos_key_current_or_old(self, args, false);
+}
+
+static PyObject *py_creds_get_old_kerberos_key(PyObject *self, PyObject *args)
+{
+       return py_creds_get_kerberos_key_current_or_old(self, args, true);
+}
+
 static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
                                                      PyObject *args)
 {
@@ -1646,6 +1657,14 @@ static PyMethodDef py_creds_methods[] = {
                            "Generate a Kerberos key using the current password and\n"
                            "the salt on this credentials object",
        },
+       {
+               .ml_name  = "get_old_kerberos_key",
+               .ml_meth  = py_creds_get_old_kerberos_key,
+               .ml_flags = METH_VARARGS,
+               .ml_doc   = "S.get_old_kerberos_key(enctype, [lp]) -> bytes\n"
+                           "Generate a Kerberos key using the old (previous) password and\n"
+                           "the salt on this credentials object",
+       },
        {
                .ml_name  = "encrypt_netr_crypt_password",
                .ml_meth  = py_creds_encrypt_netr_crypt_password,
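Review bot: The `ml_doc` for `get_old_kerberos_key` does not say what happens when the credentials hold no old password. From the wrapper hunk above, any non-zero code from `cli_credentials_get_kerberos_key()` raises RuntimeError, so an extra doc line such as `"Raises RuntimeError if no old password is set"` would spare callers from guessing. The doc string could also state that the returned bytes are key material and should not be logged or persisted. The method table continues outside this hunk.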