From: Andrew Bartlett Date: Wed, 6 Mar 2024 04:42:01 +0000 (+1300) Subject: lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry() X-Git-Tag: tdb-1.4.11~1452 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f97f6fe484bc39ac05d8738b238bfd57d800d03;p=thirdparty%2Fsamba.git lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry() The two callers of this function want two very different things, the common point was wanting to call smb_krb5_kt_seek_and_delete_old_entries() however this is now done earlier in sdb_kt_copy() with smb_krb5_remove_obsolete_keytab_entries() or an unlink() in libnet_export_keytab(). Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton --- diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 5afd2404fce..6865b049b77 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -1877,27 +1877,25 @@ out: * * @param[in] password The password of the keytab entry. * - * @param[in] already_hashed The password is a key, not a password - * * @retval 0 on Success * * @return A corresponding KRB5 error code. * * @see smb_krb5_kt_open() */ -krb5_error_code smb_krb5_kt_add_entry(krb5_context context, - krb5_keytab keytab, - krb5_kvno kvno, - const char *princ_s, - const char *salt_principal, - krb5_enctype enctype, - krb5_data *password, - bool already_hashed) +krb5_error_code smb_krb5_kt_add_password(krb5_context context, + krb5_keytab keytab, + krb5_kvno kvno, + const char *princ_s, + const char *salt_principal, + krb5_enctype enctype, + krb5_data *password) { krb5_error_code ret; krb5_keytab_entry kt_entry; krb5_principal princ = NULL; krb5_keyblock *keyp; + krb5_principal salt_princ = NULL; ZERO_STRUCT(kt_entry); 
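Review bot: The updated doc comment drops `@param[in] already_hashed` but does not say that `salt_principal` is now a hard requirement of smb_krb5_kt_add_password(), even though the renamed signature keeps it and the sole remaining code path (in the next hunk of this file) unconditionally parses it and derives the key from it; the old already_hashed callers passed NULL here. If the existing `@param[in] salt_principal` line above this hunk does not already say so, I would add `* @param[in] salt_principal The principal name used as the string2key salt; must not be NULL.` and `* @param[in] password The plaintext password; it is always run through string2key, never stored as-is.` The function body continues past the end of this hunk.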
@@ -1927,36 +1925,23 @@ krb5_error_code smb_krb5_kt_add_entry(krb5_context context, keyp = KRB5_KT_KEY(&kt_entry); - if (already_hashed) { - KRB5_KEY_DATA(keyp) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length); - if (KRB5_KEY_DATA(keyp) == NULL) { - ret = ENOMEM; - goto out; - } - memcpy(KRB5_KEY_DATA(keyp), password->data, password->length); - KRB5_KEY_LENGTH(keyp) = password->length; - KRB5_KEY_TYPE(keyp) = enctype; - } else { - krb5_principal salt_princ = NULL; - - /* Now add keytab entries for all encryption types */ - ret = smb_krb5_parse_name(context, salt_principal, &salt_princ); - if (ret) { - DBG_WARNING("krb5_parse_name(%s) failed (%s)\n", - salt_principal, error_message(ret)); - goto out; - } + /* Now add keytab entries for all encryption types */ + ret = smb_krb5_parse_name(context, salt_principal, &salt_princ); + if (ret) { + DBG_WARNING("krb5_parse_name(%s) failed (%s)\n", + salt_principal, error_message(ret)); + goto out; + } - ret = smb_krb5_create_key_from_string(context, - salt_princ, - NULL, - password, - enctype, - keyp); - krb5_free_principal(context, salt_princ); - if (ret != 0) { - goto out; - } + ret = smb_krb5_create_key_from_string(context, + salt_princ, + NULL, + password, + enctype, + keyp); + krb5_free_principal(context, salt_princ); + if (ret != 0) { + goto out; } kt_entry.principal = princ; diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index 464a7f21569..05546f8a2eb 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h 
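Review bot: Now that the already_hashed branch is gone, `smb_krb5_parse_name(context, salt_principal, &salt_princ)` runs for every call, and the failure path formats `salt_principal` with `%s` in DBG_WARNING, which is undefined if a caller passed NULL (the removed libnet_export_keytab call site did exactly that, so a stale out-of-tree caller would hit this). I would fail fast before the parse with `if (salt_principal == NULL) { ret = EINVAL; goto out; }` so a missing salt is reported cleanly instead of relying on krb5_parse_name's NULL handling. Hoisting `salt_princ` to function scope is fine since it is freed right after smb_krb5_create_key_from_string() on both paths; note that the `out:` label and the rest of the function lie outside this hunk.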
@@ -242,14 +242,13 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context, const char *princ_s, krb5_principal princ, bool flush); -krb5_error_code smb_krb5_kt_add_entry(krb5_context context, - krb5_keytab keytab, - krb5_kvno kvno, - const char *princ_s, - const char *salt_principal, - krb5_enctype enctype, - krb5_data *password, - bool already_hashed); +krb5_error_code smb_krb5_kt_add_password(krb5_context context, + krb5_keytab keytab, + krb5_kvno kvno, + const char *princ_s, + const char *salt_principal, + krb5_enctype enctype, + krb5_data *password); krb5_error_code smb_krb5_get_credentials(krb5_context context, krb5_ccache ccache, diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index 9841c60f0d9..8dac25a0ef9 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c @@ -295,14 +295,13 @@ static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx, for (i = 0; enctypes[i]; i++) { /* add the fqdn principal to the keytab */ - ret = smb_krb5_kt_add_entry(context, - keytab, - kvno, - princ_s, - salt_princ_s, - enctypes[i], - password, - false); /* needs string2key (hashing) */ + ret = smb_krb5_kt_add_password(context, + keytab, + kvno, + princ_s, + salt_princ_s, + enctypes[i], + password); if (ret) { DBG_WARNING("Failed to add entry to keytab\n"); goto out; @@ -310,14 +309,13 @@ static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx, /* add the short principal name if we have one */ if (short_princ_s) { - ret = smb_krb5_kt_add_entry(context, - keytab, - kvno, - short_princ_s, - salt_princ_s, - enctypes[i], - password, - false); /* needs string2key (hashing) */ + ret = smb_krb5_kt_add_password(context, + keytab, + kvno, + short_princ_s, + salt_princ_s, + enctypes[i], + password); if (ret) { DBG_WARNING("Failed to add short entry to keytab\n"); goto out; 
diff --git a/source4/libnet/libnet_export_keytab.c b/source4/libnet/libnet_export_keytab.c index c8e094ef1d9..2f144aff4d5 100644 --- a/source4/libnet/libnet_export_keytab.c +++ b/source4/libnet/libnet_export_keytab.c @@ -43,7 +43,6 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx, NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *entry_principal = NULL; bool copy_one_principal = (principal != NULL); - krb5_data password; bool keys_exported = false; krb5_context context = smb_krb5_context->krb5_context; TALLOC_CTX *tmp_ctx = NULL; @@ -166,24 +165,20 @@ static NTSTATUS sdb_kt_copy(TALLOC_CTX *mem_ctx, goto done; } } else { + krb5_keytab_entry kt_entry; + ZERO_STRUCT(kt_entry); + kt_entry.principal = sentry.principal; + kt_entry.vno = sentry.kvno; + for (i = 0; i < sentry.keys.len; i++) { struct sdb_key *s = &(sentry.keys.val[i]); - krb5_enctype enctype; - - enctype = KRB5_KEY_TYPE(&(s->key)); - password.length = KRB5_KEY_LENGTH(&s->key); - password.data = (char *)KRB5_KEY_DATA(&s->key); - - DBG_INFO("smb_krb5_kt_add_entry for enctype=0x%04x\n", - (int)enctype); - code = smb_krb5_kt_add_entry(context, - keytab, - sentry.kvno, - entry_principal, - NULL, - enctype, - &password, - true); /* no_salt */ + krb5_keyblock *keyp; + + keyp = KRB5_KT_KEY(&kt_entry); + + *keyp = s->key; + + code = krb5_kt_add_entry(context, keytab, &kt_entry); if (code != 0) { status = NT_STATUS_UNSUCCESSFUL; *error_string = smb_get_krb5_error_message(context,