From: Gary Lockyer
Date: Thu, 17 Jul 2025 02:12:08 +0000 (+1200)
Subject: s4:kdc:sdb: Add support for key trust public keys
X-Git-Tag: tdb-1.4.14~71
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=4ffb578aa749a5ac56b0b4c5258aa4618092bfcf;p=thirdparty%2Fsamba.git
s4:kdc:sdb: Add support for key trust public keys Add public keys to the sdb entry to allow them to be passed to Kerberos for key trust authentication.
Signed-off-by: Gary Lockyer
Reviewed-by: Douglas Bagnall
---
diff --git a/source4/kdc/sdb.c b/source4/kdc/sdb.c
index 3913954be0c..d9399452eaa 100644
--- a/source4/kdc/sdb.c
+++ b/source4/kdc/sdb.c
@@ -59,7 +59,7 @@ void sdb_keys_free(struct sdb_keys *keys)
 return;
 }
- for (i=0; i < keys->len; i++) {
+ for (i = 0; i < keys->len; i++) {
 sdb_key_free(&keys->val[i]);
 }
@@ -67,6 +67,44 @@ void sdb_keys_free(struct sdb_keys *keys)
 ZERO_STRUCTP(keys);
 }
+/**
+ * @brief free the memory allocated to a sdb_key structure.
+ *
+ * @param[in,out] keys sdb_key to be freed, will be zeroed on return
+ */
+void sdb_pub_key_free(struct sdb_pub_key *k)
+{
+ if (k == NULL) {
+ return;
+ }
+
+ SAFE_FREE(k->exponent.data);
+ SAFE_FREE(k->modulus.data);
+
+ ZERO_STRUCTP(k);
+}
+
+/**
+ * @brief free the memory allocated to a sdb_pub_keys structure.
+ *
+ * @param[in,out] keys sdb_pub_keys to be freed, will be zeroed on return
+ */
+void sdb_pub_keys_free(struct sdb_pub_keys *keys)
+{
+ unsigned int i;
+
+ if (keys == NULL) {
+ return;
+ }
+
+ for (i = 0; i < keys->len; i++) {
+ sdb_pub_key_free(&keys->keys[i]);
+ }
+
+ SAFE_FREE(keys->keys);
+ ZERO_STRUCTP(keys);
+}
+
 void sdb_entry_free(struct sdb_entry *s)
 {
 if (s->skdc_entry != NULL) {
@@ -82,6 +120,7 @@ void sdb_entry_free(struct sdb_entry *s)
 krb5_free_principal(NULL, s->principal);
 sdb_keys_free(&s->keys);
+ sdb_pub_keys_free(&s->pub_keys);
 if (s->etypes != NULL) {
 SAFE_FREE(s->etypes->val);
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index f8ce01024a7..59676c2842c 100644
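Review bot: The doc comment on sdb_pub_key_free() in the second hunk is copied from sdb_key_free(): it says it frees a `sdb_key` and documents a parameter named `keys`, while the function takes `struct sdb_pub_key *k`. It should read `@brief free the memory allocated to a sdb_pub_key structure.` and `@param[in,out] k sdb_pub_key to be freed, will be zeroed on return`; the prototype in sdb.h names that parameter `key`, so using `key` in both the header and the definition would keep them aligned. Both new functions release `modulus.data`, `exponent.data` and the `keys` array with SAFE_FREE(), so the structures must be populated with malloc-family allocations rather than talloc — that ownership rule is worth stating in the comment, since sdb.h exposes these structs to other callers that will fill them in. The first hunk is whitespace only, and the third just wires sdb_pub_keys_free() into sdb_entry_free() next to sdb_keys_free(), which is the expected place.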
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -84,6 +84,17 @@ struct SDBFlags {
 unsigned int do_not_store:1;
 };
+struct sdb_pub_key {
+ unsigned int bit_size;
+ krb5_data modulus;
+ krb5_data exponent;
+};
+
+struct sdb_pub_keys {
+ unsigned int len;
+ struct sdb_pub_key *keys;
+};
+
 struct sdb_entry {
 struct samba_kdc_entry *skdc_entry;
 krb5_principal principal;
@@ -101,6 +112,7 @@ struct sdb_entry {
 int *max_life;
 int *max_renew;
 struct SDBFlags flags;
+ struct sdb_pub_keys pub_keys;
 };
 #define SDB_ERR_NOENTRY 36150275
@@ -147,6 +159,8 @@ struct sdb_entry {
 #define SDB_F_FORCE_CANON 0x4000 /* force canonicalization */
 #define SDB_F_RODC_NUMBER_SPECIFIED 0x8000 /* we want a particular RODC number */
+void sdb_pub_key_free(struct sdb_pub_key *key);
+void sdb_pub_keys_free(struct sdb_pub_keys *keys);
 void sdb_key_free(struct sdb_key *key);
 void sdb_keys_free(struct sdb_keys *keys);
 void sdb_entry_free(struct sdb_entry *e);
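Review bot: The new `struct sdb_pub_key` and `struct sdb_pub_keys` in the first hunk carry no comments, so a reader cannot tell from the header what `bit_size` counts or how `modulus` and `exponent` are encoded in their `krb5_data` buffers, which matters for whoever later compares these keys; a short comment such as `/* bit_size: key length in bits; modulus/exponent: raw big-endian magnitudes, malloc-allocated (TODO confirm against the producer) */` would settle that. A minor consistency point: the existing `struct sdb_keys` stores its array in a member named `val` (see `keys->val[i]` in sdb.c), while the new `struct sdb_pub_keys` names it `keys`, giving the slightly awkward `keys->keys[i]` in sdb_pub_keys_free(). Since `pub_keys` is embedded by value in `struct sdb_entry` and sdb_entry_free() now unconditionally passes it to sdb_pub_keys_free(), any code path that builds an sdb_entry without zero-initialising the whole struct would hand an uninitialised `keys` pointer to free(); presumably every producer already does ZERO_STRUCT, but that is worth confirming as part of this change. The prototypes added in the last hunk name the parameter `key`, whereas the definition in sdb.c uses `k`.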