From: Sarah Day Date: Mon, 2 May 2016 21:06:35 +0000 (-0400) Subject: Add libkdb function to specialize principal's salt X-Git-Tag: krb5-1.15-beta1~197 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09cdb3079508f9d3fcc107a8ee8e7537f70c9d37;p=thirdparty%2Fkrb5.git Add libkdb function to specialize principal's salt Add a function krb5_dbe_specialize_salt() to libkdb5 which transforms a principal entry's salt to KRB5_KDB_SALTTYPE_SPECIAL. ticket: 8418 (new)
---
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 0a9ddbdb93..63eadc4f7c 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -602,6 +602,13 @@ krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key, krb5_const_principal princ, krb5_int16 *salttype_out, krb5_data **salt_out);
+/*
+ * Modify the key data of entry to explicitly store salt values using the
+ * KRB5_KDB_SALTTYPE_SPECIAL salt type.
+ */
+krb5_error_code
+krb5_dbe_specialize_salt(krb5_context context, krb5_db_entry *entry);
+
 krb5_error_code krb5_dbe_cpw( krb5_context kcontext, krb5_keyblock * master_key,
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index deafed133c..68bec6e9c3 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
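Review bot: The comment added above krb5_dbe_specialize_salt() in src/include/kdb.h does not state the return contract or what a failure leaves behind. The kdb5.c implementation in this commit returns EINVAL for a NULL context or entry and can leave the key loop early on error, so a caller that sees a non-zero result may hold an entry in which only some keys were converted. I would extend the comment with a line such as `Returns 0 on success or an error code; on error, entry may have been partially modified.`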
@@ -2260,6 +2260,48 @@ krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key, return 0; }
+krb5_error_code
+krb5_dbe_specialize_salt(krb5_context context, krb5_db_entry *entry)
+{
+ krb5_int16 stype, i;
+ krb5_data *salt = NULL;
+ krb5_error_code ret = 0;
+ uint8_t *data;
+
+ if (context == NULL || entry == NULL)
+ return EINVAL;
+
+ /*
+ * Store salt values explicitly so that they don't depend on the principal
+ * name.
+ */
+ for (i = 0; i < entry->n_key_data; i++) {
+ ret = krb5_dbe_compute_salt(context, &entry->key_data[i], entry->princ,
+ &stype, &salt);
+ if (ret)
+ goto cleanup;
+
+ data = krb5_db_alloc(context, NULL, salt->length);
+ if (data == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(data, salt->data, salt->length);
+
+ entry->key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL;
+ krb5_db_free(context, entry->key_data[i].key_data_contents[1]);
+ entry->key_data[i].key_data_contents[1] = data;
+ entry->key_data[i].key_data_length[1] = salt->length;
+ entry->key_data[i].key_data_ver = 2;
+ krb5_free_data(context, salt);
+ salt = NULL;
+ }
+
+cleanup:
+ krb5_free_data(context, salt);
+ return ret;
+}
+
 /* change password functions */ krb5_error_code krb5_dbe_cpw(krb5_context kcontext, krb5_keyblock *master_key,
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index 68ac537f11..60ab4b24af 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -58,6 +58,7 @@ krb5_dbe_lookup_mod_princ_data krb5_dbe_lookup_tl_data krb5_dbe_search_enctype krb5_dbe_set_string
+krb5_dbe_specialize_salt
 krb5_dbe_update_actkvno krb5_dbe_update_last_admin_unlock krb5_dbe_update_last_pwd_change
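Review bot: In krb5_dbe_specialize_salt() (src/lib/kdb/kdb5.c), `krb5_db_free(context, entry->key_data[i].key_data_contents[1]);` runs for every key without looking at `key_data_ver`, even though the loop then forces `key_data_ver = 2`, which suggests that keys without a salt slot can reach it. If that slot is not guaranteed to be NULL for such keys, this releases a pointer the entry never owned; guarding the call with `if (entry->key_data[i].key_data_ver >= 2)` removes the dependency. Separately, if krb5_dbe_compute_salt() can produce an empty salt, the code calls `krb5_db_alloc(context, NULL, 0)`, reports a NULL result as ENOMEM, and hands a possibly NULL `salt->data` to memcpy. Whether the allocator returns NULL for size 0 is not visible in this hunk, so the `salt->length == 0` case should be handled explicitly (skip the allocation and copy, store a NULL pointer with length 0).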