From ec2da944d304852d76137e8f9d234462bc807c6b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 18 May 2017 11:32:46 +0200 Subject: krb5_wrap: add smb_krb5_salt_principal2data() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- lib/krb5_wrap/krb5_samba.c | 69 +++++++++++++++++++++++++++++++++++++++++++++- lib/krb5_wrap/krb5_samba.h | 4 +++ 2 files changed, 72 insertions(+), 1 deletion(-) (limited to 'lib/krb5_wrap') diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 153221728c1..fcde9f5de81 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -435,7 +435,8 @@ int smb_krb5_get_pw_salt(krb5_context context, * - SomePrincipal@EXAMPLE.COM * * This is not the form that's used as salt, it's just - * the human readable form. + * the human readable form. It needs to be converted by + * smb_krb5_salt_principal2data(). * * @param[in] realm The realm the user/computer is added too. * @@ -452,6 +453,8 @@ int smb_krb5_get_pw_salt(krb5_context context, * @param[out] _salt_principal The resulting principal as string. * * @retval 0 Success; otherwise - Kerberos error codes + * + * @see smb_krb5_salt_principal2data */ int smb_krb5_salt_principal(const char *realm, const char *sAMAccountName, @@ -542,6 +545,70 @@ int smb_krb5_salt_principal(const char *realm, return 0; } +/** + * @brief Converts the salt principal string into the salt data blob + * + * This function takes a salt_principal as string in forms like this: + * - host/somehost.example.com@EXAMPLE.COM + * - SomeAccount@EXAMPLE.COM + * - SomePrincipal@EXAMPLE.COM + * + * It generates values like: + * - EXAMPLE.COMhost/somehost.example.com + * - EXAMPLE.COMSomeAccount + * - EXAMPLE.COMSomePrincipal + * + * @param[in] realm The realm the user/computer is added too. + * + * @param[in] sAMAccountName The sAMAccountName attribute of the object. + * + * @param[in] userPrincipalName The userPrincipalName attribute of the object + * or NULL is not available. + * + * @param[in] is_computer The indication of the object includes + * objectClass=computer. + * + * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal. + * + * @param[out] _salt_principal The resulting principal as string. + * + * @retval 0 Success; otherwise - Kerberos error codes + * + * @see smb_krb5_salt_principal + */ +int smb_krb5_salt_principal2data(krb5_context context, + const char *salt_principal, + TALLOC_CTX *mem_ctx, + char **_salt_data) +{ + krb5_error_code ret; + krb5_principal salt_princ = NULL; + krb5_data salt; + + *_salt_data = NULL; + + ret = krb5_parse_name(context, salt_principal, &salt_princ); + if (ret != 0) { + return ret; + } + + ret = smb_krb5_get_pw_salt(context, salt_princ, &salt); + krb5_free_principal(context, salt_princ); + if (ret != 0) { + return ret; + } + + *_salt_data = talloc_strndup(mem_ctx, + (char *)salt.data, + salt.length); + smb_krb5_free_data_contents(context, &salt); + if (*_salt_data == NULL) { + return ENOMEM; + } + + return 0; +} + #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES) /** * @brief Get a list of encryption types allowed for session keys diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index daaae3f0386..315d3c3492e 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -356,6 +356,10 @@ int smb_krb5_salt_principal(const char *realm, bool is_computer, TALLOC_CTX *mem_ctx, char **_salt_principal); +int smb_krb5_salt_principal2data(krb5_context context, + const char *salt_principal, + TALLOC_CTX *mem_ctx, + char **_salt_data); int smb_krb5_create_key_from_string(krb5_context context, krb5_const_principal host_princ, -- cgit v1.2.1