authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-05-09 14:35:05 +1200
committerAndrew Bartlett <abartlet@samba.org>2022-06-26 22:10:29 +0000
commit0d9835e1e497d667ce49f00d5127d2231055793f (patch)
tree1b468bd6d5713026bc26b45b2130511902d41e3b /auth
parentd2a473a7b7471937d1098a11258b875134ad702a (diff)
downloadsamba-0d9835e1e497d667ce49f00d5127d2231055793f.tar.gz
auth/credentials: Add cli_credentials_get_aes256_key()
This allows us to generate AES256 keys from a given password and salt. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/credentials/credentials.h6
-rw-r--r--auth/credentials/credentials_krb5.c64
2 files changed, 70 insertions, 0 deletions
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 551b1611826..e9d8b8a44b1 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -344,4 +344,10 @@ NTSTATUS netlogon_creds_session_encrypt(
struct netlogon_creds_CredentialState *state,
DATA_BLOB data);
+int cli_credentials_get_aes256_key(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ const char *salt,
+ DATA_BLOB *aes_256);
+
#endif /* __CREDENTIALS_H__ */
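Review bot: The new prototype is added without a doc comment, so a caller cannot tell from the header what the error convention is or who owns the returned blob. The implementation in credentials_krb5.c returns 0 on success, EINVAL when the credentials hold only an NT hash or no password is available, ENOMEM when the blob allocation fails, and otherwise passes through the return of cli_credentials_get_krb5_context(); the key bytes are allocated on mem_ctx and marked with talloc_keep_secret(). I would put that above the declaration, e.g. `/* Derive an AES256-CTS-HMAC-SHA1-96 key from the credentials' cleartext password and 'salt'. Returns 0 and fills *aes_256 (allocated on mem_ctx, marked secret), or an errno value: EINVAL if no cleartext password is available, ENOMEM on allocation failure. */`. The argument list of netlogon_creds_session_encrypt() above this hunk starts outside it.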
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index e69e1a83b3c..bd47113e60c 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1464,3 +1464,67 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c
cred->target_service = talloc_strdup(cred, target_service);
}
+_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ const char *salt,
+ DATA_BLOB *aes_256)
+{
+ struct smb_krb5_context *smb_krb5_context = NULL;
+ krb5_error_code krb5_ret;
+ int ret;
+ const char *password = NULL;
+ krb5_data cleartext_data;
+ krb5_data salt_data;
+ krb5_keyblock key;
+
+ if (cred->password_will_be_nt_hash) {
+ DEBUG(1,("cli_credentials_get_aes256_key: cannot generate AES256 key using NT hash\n"));
+ return EINVAL;
+ }
+
+ password = cli_credentials_get_password(cred);
+ if (password == NULL) {
+ return EINVAL;
+ }
+
+ cleartext_data.data = discard_const_p(char, password);
+ cleartext_data.length = strlen(password);
+
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx,
+ &smb_krb5_context);
+ if (ret != 0) {
+ return ret;
+ }
+
+ salt_data.data = discard_const_p(char, salt);
+ salt_data.length = strlen(salt);
+
+ /*
+ * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+ * the salt and the cleartext password
+ */
+ krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context,
+ NULL,
+ &salt_data,
+ &cleartext_data,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ &key);
+ if (krb5_ret != 0) {
+ DEBUG(1,("cli_credentials_get_aes256_key: "
+ "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ krb5_ret, mem_ctx)));
+ return EINVAL;
+ }
+ *aes_256 = data_blob_talloc(mem_ctx,
+ KRB5_KEY_DATA(&key),
+ KRB5_KEY_LENGTH(&key));
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key);
+ if (aes_256->data == NULL) {
+ return ENOMEM;
+ }
+ talloc_keep_secret(aes_256->data);
+
+ return 0;
+}
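Review bot: `salt` is dereferenced by `strlen(salt)` without a NULL check, while the password it is paired with is checked a few lines earlier; a caller passing NULL (for example when salt lookup failed upstream) gets undefined behaviour instead of the EINVAL the function otherwise uses for unusable input. Adding `if (salt == NULL) { return EINVAL; }` before the `salt_data` assignments keeps the error convention consistent. The second DEBUG message is also inconsistent with the first: it has no trailing `\n` and reads "a aes256"; `"generation of an aes256-cts-hmac-sha1-96 key failed: %s\n"` fixes both. On that error path the string returned by smb_get_krb5_error_message() appears to be allocated on the caller's mem_ctx and is never released, so each failed call leaves a small allocation behind on the caller's context; logging via a temporary talloc context, or passing `smb_krb5_context` as the owner, would avoid that. The success path looks right: the copy in *aes_256 is marked secret and the keyblock is released before the ENOMEM check, assuming krb5_free_keyblock_contents() scrubs the key material as both Kerberos libraries are expected to.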