kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them.
authorGünther Deschner <gd@samba.org>
Wed, 18 Jun 2008 10:45:57 +0000 (12:45 +0200)
committerGünther Deschner <gd@samba.org>
Tue, 24 Jun 2008 21:34:05 +0000 (23:34 +0200)
Guenther

source/include/includes.h
source/libads/kerberos_keytab.c
source/libads/kerberos_verify.c
source/libsmb/clikrb5.c

index 7513dfb6e0a945082db136fe82ccf4bdd692658d..61ca937138cdcdd88ea9bd7b128ed2707d5a8107 100644 (file)
@@ -1143,7 +1143,7 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val);
 
 /* Samba wrapper function for krb5 functionality. */
 bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
-int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype);
+int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
 bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
 krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
 krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
@@ -1221,6 +1221,13 @@ krb5_error_code smb_krb5_open_keytab(krb5_context context,
                                      const char *keytab_name, 
                                      bool write_access, 
                                      krb5_keytab *keytab);
+int smb_krb5_kt_add_entry(krb5_context context,
+                         krb5_keytab keytab,
+                         krb5_kvno kvno,
+                         const char *princ_s,
+                         krb5_enctype *enctypes,
+                         krb5_data password,
+                         bool no_salt);
 #endif /* HAVE_KRB5 */
 
 
index 8e6983897fab3ff139ae68a09afe80ae6ba67689..c8ffd734fc2333456b3cbd289be0d44e891e646a 100644 (file)
 /**********************************************************************
 **********************************************************************/
 
-static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
-                                  krb5_kvno kvno, const char *princ_s, 
-                                 krb5_enctype *enctypes, krb5_data password )
+int smb_krb5_kt_add_entry(krb5_context context,
+                         krb5_keytab keytab,
+                         krb5_kvno kvno,
+                         const char *princ_s,
+                         krb5_enctype *enctypes,
+                         krb5_data password,
+                         bool no_salt)
 {
        krb5_error_code ret = 0;
        krb5_kt_cursor cursor;
@@ -166,7 +170,7 @@ static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK          /* Heimdal */
                keyp = &kt_entry.keyblock;
 #endif
-               if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) {
+               if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i], no_salt)) {
                        continue;
                }
 
@@ -321,7 +325,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
        
        /* add the fqdn principal to the keytab */
        
-       ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
+       ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password, false );
        if ( ret ) {
                DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
                goto out;
@@ -330,7 +334,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
        /* add the short principal name if we have one */
        
        if ( short_princ_s ) {
-               ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
+               ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password, false );
                if ( ret ) {
                        DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
                        goto out;
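Review bot: smb_krb5_kt_add_entry is now exported through includes.h, but the comment block above its definition (L39-L40) is still empty, and the new no_salt parameter changes what password means: when it is set, the loop in the hunk starting at L55 hands the same raw bytes to create_kerberos_key_from_string for every entry of enctypes, which can only be correct when all of those enctypes share one key length, and a per-enctype failure is still silently skipped by `continue`. Replace the empty header with a comment stating the contract — that password is a passphrase salted per principal unless no_salt is true, in which case it is raw key material that must have the key length of every enctype passed, and that the return value is 0 or a krb5 error code. A one-line reminder at the loop, `/* with no_salt every enctype receives the same raw key bytes */`, would make the limitation visible where it matters. Both callers in ads_keytab_add_entry pass false, so their behaviour is unchanged; the body of smb_krb5_kt_add_entry continues outside the hunk.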
index a4d7a8e680389e62abb014ece5fa51eb806e42a4..c66718164272a757482971d83286e67e159cc9a6 100644 (file)
@@ -259,7 +259,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
                        goto out;
                }
        
-               if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
+               if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i], false)) {
                        SAFE_FREE(key);
                        continue;
                }
index 4c535d2bcf9052d756133cf1467d3fbd270e2337..52c729625c1337a554c1c60eb746ae3a32ac6afa 100644 (file)
@@ -214,20 +214,31 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
                                                  krb5_principal host_princ,
                                                  krb5_data *password,
                                                  krb5_keyblock *key,
-                                                 krb5_enctype enctype)
+                                                 krb5_enctype enctype,
+                                                 bool no_salt)
 {
        int ret;
        krb5_data salt;
        krb5_encrypt_block eblock;
 
-       ret = krb5_principal2salt(context, host_princ, &salt);
-       if (ret) {
-               DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
-               return ret;
+       if (no_salt) {
+               key->contents = (krb5_octet *)SMB_MALLOC(password->length);
+               if (!key->contents) {
+                       return ENOMEM;
+               }
+               memcpy(key->contents, password->data, password->length);
+               key->length = password->length;
+               key->enctype = enctype;
+       } else {
+               ret = krb5_principal2salt(context, host_princ, &salt);
+               if (ret) {
+                       DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
+                       return ret;
+               }
+               krb5_use_enctype(context, &eblock, enctype);
+               ret = krb5_string_to_key(context, &eblock, key, password, &salt);
+               SAFE_FREE(salt.data);
        }
-       krb5_use_enctype(context, &eblock, enctype);
-       ret = krb5_string_to_key(context, &eblock, key, password, &salt);
-       SAFE_FREE(salt.data);
        return ret;
 }
 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
@@ -235,19 +246,27 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
                                                  krb5_principal host_princ,
                                                  krb5_data *password,
                                                  krb5_keyblock *key,
-                                                 krb5_enctype enctype)
+                                                 krb5_enctype enctype,
+                                                 bool no_salt)
 {
        int ret;
        krb5_salt salt;
 
-       ret = krb5_get_pw_salt(context, host_princ, &salt);
-       if (ret) {
-               DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
-               return ret;
+       if (no_salt) {
+               return krb5_keyblock_init(context, enctype,
+                                         password->data, password->length,
+                                         key);
+       } else {
+               ret = krb5_get_pw_salt(context, host_princ, &salt);
+               if (ret) {
+                       DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
+                       return ret;
+               }
+
+               ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
+               krb5_free_salt(context, salt);
        }
-       
-       ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
-       krb5_free_salt(context, salt);
+
        return ret;
 }
 #else
@@ -258,7 +277,8 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
                                        krb5_principal host_princ,
                                        krb5_data *password,
                                        krb5_keyblock *key,
-                                       krb5_enctype enctype)
+                                       krb5_enctype enctype,
+                                       bool no_salt)
 {
        krb5_principal salt_princ = NULL;
        int ret;
@@ -268,7 +288,7 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
         * its behavior.
         */
        salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
-       ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
+       ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype, no_salt);
        if (salt_princ) {
                krb5_free_principal(context, salt_princ);
        }
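Review bot: In the first create_kerberos_key_from_string_direct variant (hunk at L93), the no_salt path copies password->data into key->contents without checking that password->length is the key size the enctype requires, so a caller passing the wrong number of bytes gets a malformed keyblock that the library will reject or misuse later instead of an error here; the Heimdal variant in the next hunk delegates to krb5_keyblock_init, which is expected to validate the length, so the two builds diverge. Checking against krb5_c_keylengths() before the copy (see below) closes that gap and also covers password->length == 0, where SMB_MALLOC(0) may return NULL and be misreported as ENOMEM. The keyblock's magic member is also left unset on this path — confirm whether anything downstream inspects it. The new parameter should be documented on the function, e.g. `/* no_salt: treat password as raw key bytes of exactly the enctype's key length, instead of a passphrase to be salted and string-to-key'd */`; the #if that selects this variant begins before the hunk.
```c
	if (no_salt) {
		size_t keybytes = 0, keylength = 0;

		/* A raw key is only usable if it has the enctype's key length;
		 * the salted path gets that guarantee from krb5_string_to_key. */
		ret = krb5_c_keylengths(context, enctype, &keybytes, &keylength);
		if (ret) {
			DEBUG(1,("krb5_c_keylengths failed (%s)\n", error_message(ret)));
			return ret;
		}
		if (password->length != keylength) {
			DEBUG(1,("raw key has %u bytes, enctype %d needs %u\n",
				 (unsigned int)password->length, (int)enctype,
				 (unsigned int)keylength));
			return KRB5_BAD_KEYSIZE;
		}
		/* … unchanged: SMB_MALLOC, memcpy, key->length/enctype assignment … */
	} else {
		/* … unchanged: krb5_principal2salt / krb5_string_to_key path … */
	}
```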