From: Stefan Metzmacher
Date: Fri, 15 Mar 2024 18:19:20 +0000 (+0100)
Subject: s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP
X-Git-Tag: tdb-1.4.11~638
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1efc396de4855a90c7dfd3d935028a21d780272;p=thirdparty%2Fsamba.git

s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP

We already handle it in samba_kdc_fill_user_keys() mostly for DES keys, but other encryption types might be from kerberos libraries in future. And things like FIPS mode may also alter the runtime behaviour.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 2ab3155dffb..6589b067142 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2204,15 +2204,21 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 &cleartext_data,
 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
 &key.key);
+ if (ret == 0) {
+ entry->keys.val[entry->keys.len++] = key;
+ } else if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+ DBG_NOTICE("Unsupported keytype ignored - type %u\n",
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96);
+ ZERO_STRUCT(key.key);
+ sdb_key_free(&key);
+ ret = 0;
+ }
 if (ret != 0) {
 ZERO_STRUCT(key.key);
 sdb_key_free(&key);
 smb_krb5_free_data_contents(context, &salt);
 goto out;
 }
-
- entry->keys.val[entry->keys.len] = key;
- entry->keys.len++;
 }
 
 if (supported_enctypes & ENC_HMAC_SHA1_96_AES128) {
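Review bot: Skipping an unsupported enctype in this AES256 block, and in the AES128 and ARCFOUR hunks that follow, can leave the trust entry with fewer keys than `supported_enctypes` asked for, or with none at all, and the only trace is a `DBG_NOTICE` line. Under FIPS mode, which the commit message names, a trust that only carries the ARCFOUR key would presumably come back with `entry->keys.len == 0` and `ret == 0`. After the last key block I would add `if (entry->keys.len == 0) { ret = KRB5_PROG_ETYPE_NOSUPP; goto out; }` so the caller sees a failure rather than a keyless entry. The function continues past these hunks, so such a check may already exist further down and should be confirmed before adding one.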
@@ -2241,15 +2247,21 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 &cleartext_data,
 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
 &key.key);
+ if (ret == 0) {
+ entry->keys.val[entry->keys.len++] = key;
+ } else if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+ DBG_NOTICE("Unsupported keytype ignored - type %u\n",
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96);
+ ZERO_STRUCT(key.key);
+ sdb_key_free(&key);
+ ret = 0;
+ }
 if (ret != 0) {
 ZERO_STRUCT(key.key);
 sdb_key_free(&key);
 smb_krb5_free_data_contents(context, &salt);
 goto out;
 }
-
- entry->keys.val[entry->keys.len] = key;
- entry->keys.len++;
 }
 
 smb_krb5_free_data_contents(context, &salt);
@@ -2263,12 +2275,20 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 password_hash->hash,
 sizeof(password_hash->hash),
 &key.key);
+ if (ret == 0) {
+ entry->keys.val[entry->keys.len++] = key;
+ } else if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+ DBG_NOTICE("Unsupported keytype ignored - type %u\n",
+ ENCTYPE_ARCFOUR_HMAC);
+ ZERO_STRUCT(key.key);
+ sdb_key_free(&key);
+ ret = 0;
+ }
 if (ret != 0) {
+ ZERO_STRUCT(key.key);
+ sdb_key_free(&key);
 goto out;
 }
-
- entry->keys.val[entry->keys.len] = key;
- entry->keys.len++;
 }
 
 entry->flags = (struct SDBFlags) {};
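Review bot: The added `if (ret == 0) … else if (ret == KRB5_PROG_ETYPE_NOSUPP)` in the AES128 block is followed by a separate `if (ret != 0)`, so the reader has to notice that `ret = 0;` in the middle branch is what keeps the skipped case out of the error path. Making the existing cleanup the final branch, with `} else {` in place of the added closing `}` and the following `if (ret != 0) {`, gives a single chain with the same behaviour. The same shape appears in the AES256 and ARCFOUR hunks, and the enclosing function starts and ends outside this hunk.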
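Review bot: The error path of the ARCFOUR block now runs `ZERO_STRUCT(key.key); sdb_key_free(&key);` like the AES blocks, but nothing records why the keyblock is cleared before the free. If the intent is that `key.key` cannot be trusted after a failed init and must not be released by `sdb_key_free()`, a comment above the pair such as `/* key.key is not valid after a failed init; clear it so sdb_key_free() leaves it alone */` would say so. If the callee can instead leave allocated key contents behind on failure, clearing the struct first would presumably skip wiping and freeing them, so this is worth checking against the callee, whose definition is outside this hunk.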