[SCM] Samba Shared Repository - branch v4-0-test updated -
release-4-0-0alpha5-151-g1223cd1
Stefan Metzmacher
metze at samba.org
Thu Jul 24 06:32:17 GMT 2008
The branch, v4-0-test has been updated
via 1223cd17c79d130b46b0e0ccb0f6011c92441173 (commit)
via fac7c79afae05a88ecc2a63c8eb9f2fd53ab7ce6 (commit)
via 4b79a7678571ac2f7d5f827913fdcb419f5d2e20 (commit)
via 231e6f5ab2dc8a3e991a9872be252cffff6f14c6 (commit)
from 24309dbf4d9622fcfafa29ef98bc0459fdaa814b (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 1223cd17c79d130b46b0e0ccb0f6011c92441173
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 24 08:23:15 2008 +0200
hdb-ldb: fix the callers after drsblobs.idl changes
metze
commit fac7c79afae05a88ecc2a63c8eb9f2fd53ab7ce6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 24 08:22:23 2008 +0200
password_hash: fix the callers after drsblobs.idl changes
metze
commit 4b79a7678571ac2f7d5f827913fdcb419f5d2e20
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 24 08:20:06 2008 +0200
drsblobs.idl: unify the Primary:Kerberos and Primary:Kerberos-Newer-Keys structs
metze
commit 231e6f5ab2dc8a3e991a9872be252cffff6f14c6
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 24 07:53:55 2008 +0200
drsblobs.idl: give some unknowns a meaning
metze
-----------------------------------------------------------------------
Summary of changes:
source/dsdb/samdb/ldb_modules/password_hash.c | 74 +++++++++++++-----------
source/kdc/hdb-ldb.c | 75 ++++++++++---------------
source/librpc/idl/drsblobs.idl | 61 +++++++++------------
3 files changed, 97 insertions(+), 113 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/dsdb/samdb/ldb_modules/password_hash.c b/source/dsdb/samdb/ldb_modules/password_hash.c
index 413ec12..69783ae 100644
--- a/source/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source/dsdb/samdb/ldb_modules/password_hash.c
@@ -437,10 +437,11 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
* ENCTYPE_DES_CBC_MD5
* ENCTYPE_DES_CBC_CRC
*/
+ pkb->version = 3;
pkb3->salt.string = io->g.salt;
pkb3->num_keys = 2;
pkb3->keys = talloc_array(io->ac,
- struct package_PrimaryKerberosKey,
+ struct package_PrimaryKerberosKey3,
pkb3->num_keys);
if (!pkb3->keys) {
ldb_oom(io->ac->module->ldb);
@@ -521,12 +522,12 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
const struct supplementalCredentialsBlob *old_scb,
- struct package_PrimaryKerberosNewerBlob *pkb)
+ struct package_PrimaryKerberosBlob *pkb)
{
- struct package_PrimaryKerberosNewerCtr4 *pkb4 = &pkb->ctr.ctr4;
+ struct package_PrimaryKerberosCtr4 *pkb4 = &pkb->ctr.ctr4;
struct supplementalCredentialsPackage *old_scp = NULL;
- struct package_PrimaryKerberosNewerBlob _old_pkb;
- struct package_PrimaryKerberosNewerCtr4 *old_pkb4 = NULL;
+ struct package_PrimaryKerberosBlob _old_pkb;
+ struct package_PrimaryKerberosCtr4 *old_pkb4 = NULL;
uint32_t i;
enum ndr_err_code ndr_err;
@@ -538,30 +539,37 @@ static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
* ENCTYPE_DES_CBC_MD5
* ENCTYPE_DES_CBC_CRC
*/
- pkb4->salt.string = io->g.salt;
- pkb4->num_keys = 4;
- pkb4->keys = talloc_array(io->ac,
- struct package_PrimaryKerberosNewerKey,
- pkb4->num_keys);
+ pkb->version = 4;
+ pkb4->salt.string = io->g.salt;
+ pkb4->default_iteration_count = 4096;
+ pkb4->num_keys = 4;
+
+ pkb4->keys = talloc_array(io->ac,
+ struct package_PrimaryKerberosKey4,
+ pkb4->num_keys);
if (!pkb4->keys) {
ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- pkb4->keys[0].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
- pkb4->keys[0].value = &io->g.aes_256;
- pkb4->keys[1].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
- pkb4->keys[1].value = &io->g.aes_128;
- pkb4->keys[2].keytype = ENCTYPE_DES_CBC_MD5;
- pkb4->keys[2].value = &io->g.des_md5;
- pkb4->keys[3].keytype = ENCTYPE_DES_CBC_CRC;
- pkb4->keys[3].value = &io->g.des_crc;
+ pkb4->keys[0].iteration_count = 4096;
+ pkb4->keys[0].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ pkb4->keys[0].value = &io->g.aes_256;
+ pkb4->keys[1].iteration_count = 4096;
+ pkb4->keys[1].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ pkb4->keys[1].value = &io->g.aes_128;
+ pkb4->keys[2].iteration_count = 4096;
+ pkb4->keys[2].keytype = ENCTYPE_DES_CBC_MD5;
+ pkb4->keys[2].value = &io->g.des_md5;
+ pkb4->keys[3].iteration_count = 4096;
+ pkb4->keys[3].keytype = ENCTYPE_DES_CBC_CRC;
+ pkb4->keys[3].value = &io->g.des_crc;
/* initialize the old keys to zero */
- pkb4->num_old_keys1 = 0;
- pkb4->old_keys1 = NULL;
- pkb4->num_old_keys2 = 0;
- pkb4->old_keys2 = NULL;
+ pkb4->num_old_keys = 0;
+ pkb4->old_keys = NULL;
+ pkb4->num_older_keys = 0;
+ pkb4->older_keys = NULL;
/* if there're no old keys, then we're done */
if (!old_scb) {
@@ -580,7 +588,7 @@ static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
old_scp = &old_scb->sub.packages[i];
break;
}
- /* Primary:Kerberos element of supplementalCredentials */
+ /* Primary:Kerberos-Newer-Keys element of supplementalCredentials */
if (old_scp) {
DATA_BLOB blob;
@@ -595,20 +603,20 @@ static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
ndr_err = ndr_pull_struct_blob(&blob, io->ac,
lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
&_old_pkb,
- (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosNewerBlob);
+ (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
ldb_asprintf_errstring(io->ac->module->ldb,
"setup_primary_kerberos_newer: "
- "failed to pull old package_PrimaryKerberosNewerBlob: %s",
+ "failed to pull old package_PrimaryKerberosBlob: %s",
nt_errstr(status));
return LDB_ERR_OPERATIONS_ERROR;
}
if (_old_pkb.version != 4) {
ldb_asprintf_errstring(io->ac->module->ldb,
- "setup_primary_kerberos: "
- "package_PrimaryKerberosNewerBlob version[%u] expected[4]",
+ "setup_primary_kerberos_newer: "
+ "package_PrimaryKerberosBlob version[%u] expected[4]",
_old_pkb.version);
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -622,10 +630,10 @@ static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
}
/* fill in the old keys */
- pkb4->num_old_keys1 = old_pkb4->num_keys;
- pkb4->old_keys1 = old_pkb4->keys;
- pkb4->num_old_keys2 = old_pkb4->num_old_keys1;
- pkb4->old_keys2 = old_pkb4->old_keys1;
+ pkb4->num_old_keys = old_pkb4->num_keys;
+ pkb4->old_keys = old_pkb4->keys;
+ pkb4->num_older_keys = old_pkb4->num_old_keys;
+ pkb4->older_keys = old_pkb4->old_keys;
return LDB_SUCCESS;
}
@@ -980,7 +988,7 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
/* Primary:Kerberos-Newer-Keys */
const char **nkn = NULL;
struct supplementalCredentialsPackage *pkn = NULL;
- struct package_PrimaryKerberosNewerBlob pknb;
+ struct package_PrimaryKerberosBlob pknb;
DATA_BLOB pknb_blob;
char *pknb_hexstr;
/* Primary:Kerberos */
@@ -1105,7 +1113,7 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
ndr_err = ndr_push_struct_blob(&pknb_blob, io->ac,
lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
&pknb,
- (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosNewerBlob);
+ (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
ldb_asprintf_errstring(io->ac->module->ldb,
diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c
index 9960085..8f8ce30 100644
--- a/source/kdc/hdb-ldb.c
+++ b/source/kdc/hdb-ldb.c
@@ -191,11 +191,10 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
const struct ldb_val *sc_val;
struct supplementalCredentialsBlob scb;
struct supplementalCredentialsPackage *scpk = NULL;
- struct supplementalCredentialsPackage *scpkn = NULL;
+ bool newer_keys = false;
struct package_PrimaryKerberosBlob _pkb;
struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
- struct package_PrimaryKerberosNewerBlob _pknb;
- struct package_PrimaryKerberosNewerCtr4 *pkb4 = NULL;
+ struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
uint32_t i;
uint32_t allocated_keys = 0;
@@ -232,11 +231,12 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
for (i=0; i < scb.sub.num_packages; i++) {
if (strcmp("Primary:Kerberos-Newer-Keys", scb.sub.packages[i].name) == 0) {
- scpkn = &scb.sub.packages[i];
- if (!scpkn->data || !scpkn->data[0]) {
- scpkn = NULL;
+ scpk = &scb.sub.packages[i];
+ if (!scpk->data || !scpk->data[0]) {
+ scpk = NULL;
continue;
}
+ newer_keys = true;
break;
} else if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) == 0) {
scpk = &scb.sub.packages[i];
@@ -250,39 +250,11 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
}
}
}
- /* Primary:Kerberos-Newer-Keys element of supplementalCredentials */
- if (scpkn) {
- DATA_BLOB blob;
-
- blob = strhex_to_data_blob(scpkn->data);
- if (!blob.data) {
- ret = ENOMEM;
- goto out;
- }
- talloc_steal(mem_ctx, blob.data);
-
- /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
- ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, iconv_convenience, &_pknb,
- (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosNewerBlob);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- krb5_set_error_string(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosNewerBlob");
- krb5_warnx(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosNewerBlob");
- ret = EINVAL;
- goto out;
- }
-
- if (_pknb.version != 4) {
- krb5_set_error_string(context, "LDB_message2entry_keys: could not parse PrimaryKerberosNewer not version 4");
- krb5_warnx(context, "LDB_message2entry_keys: could not parse PrimaryKerberosNewer not version 4");
- ret = EINVAL;
- goto out;
- }
-
- pkb4 = &_pknb.ctr.ctr4;
-
- allocated_keys += pkb4->num_keys;
- } else if (scpk) {
- /* Fallback to Primary:Kerberos element of supplementalCredentials */
+ /*
+ * Primary:Kerberos-Newer-Keys or Primary:Kerberos element
+ * of supplementalCredentials
+ */
+ if (scpk) {
DATA_BLOB blob;
blob = strhex_to_data_blob(scpk->data);
@@ -302,16 +274,27 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
goto out;
}
- if (_pkb.version != 3) {
- krb5_set_error_string(context, "LDB_message2entry_keys: could not parse PrimaryKerberos not version 3");
- krb5_warnx(context, "LDB_message2entry_keys: could not parse PrimaryKerberos not version 3");
+ if (newer_keys && _pkb.version != 4) {
+ krb5_set_error_string(context, "LDB_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
+ krb5_warnx(context, "LDB_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
ret = EINVAL;
goto out;
}
-
- pkb3 = &_pkb.ctr.ctr3;
- allocated_keys += pkb3->num_keys;
+ if (!newer_keys && _pkb.version != 3) {
+ krb5_set_error_string(context, "LDB_message2entry_keys: could not parse Primary:Kerberos not version 3");
+ krb5_warnx(context, "LDB_message2entry_keys: could not parse Primary:Kerberos not version 3");
+ ret = EINVAL;
+ goto out;
+ }
+
+ if (_pkb.version == 4) {
+ pkb4 = &_pkb.ctr.ctr4;
+ allocated_keys += pkb4->num_keys;
+ } else if (_pkb.version == 3) {
+ pkb3 = &_pkb.ctr.ctr3;
+ allocated_keys += pkb3->num_keys;
+ }
}
if (allocated_keys == 0) {
@@ -391,6 +374,8 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
}
}
+ /* TODO: maybe pass the iteration_count somehow... */
+
ret = krb5_keyblock_init(context,
pkb4->keys[i].keytype,
pkb4->keys[i].value->data,
diff --git a/source/librpc/idl/drsblobs.idl b/source/librpc/idl/drsblobs.idl
index c876ae7..adfc010 100644
--- a/source/librpc/idl/drsblobs.idl
+++ b/source/librpc/idl/drsblobs.idl
@@ -278,14 +278,14 @@ interface drsblobs {
uint32 keytype;
[value((value?value->length:0))] uint32 value_len;
[relative,subcontext(0),subcontext_size(value_len),flag(NDR_REMAINING)] DATA_BLOB *value;
- } package_PrimaryKerberosKey;
+ } package_PrimaryKerberosKey3;
typedef struct {
uint16 num_keys;
uint16 num_old_keys;
package_PrimaryKerberosString salt;
- package_PrimaryKerberosKey keys[num_keys];
- package_PrimaryKerberosKey old_keys[num_old_keys];
+ package_PrimaryKerberosKey3 keys[num_keys];
+ package_PrimaryKerberosKey3 old_keys[num_old_keys];
[value(0)] uint32 padding1;
[value(0)] uint32 padding2;
[value(0)] uint32 padding3;
@@ -293,51 +293,42 @@ interface drsblobs {
[value(0)] uint32 padding5;
} package_PrimaryKerberosCtr3;
- typedef [nodiscriminant] union {
- [case(3)] package_PrimaryKerberosCtr3 ctr3;
- } package_PrimaryKerberosCtr;
-
- typedef [public] struct {
- [value(3)] uint32 version;
- [switch_is(version)] package_PrimaryKerberosCtr ctr;
- } package_PrimaryKerberosBlob;
-
- void decode_PrimaryKerberos(
- [in] package_PrimaryKerberosBlob blob
- );
-
typedef struct {
- [value(0)] uint32 unknown1;
- [value(0)] uint32 unknown2;
- [value(0x00001000)] uint32 unknown3; /* could the the iterator for the AES key creation */
+ [value(0)] uint16 reserved1;
+ [value(0)] uint16 reserved2;
+ [value(0)] uint32 reserved3;
+ uint32 iteration_count;
uint32 keytype;
[value((value?value->length:0))] uint32 value_len;
[relative,subcontext(0),subcontext_size(value_len),flag(NDR_REMAINING)] DATA_BLOB *value;
- } package_PrimaryKerberosNewerKey;
+ } package_PrimaryKerberosKey4;
typedef struct {
uint16 num_keys;
- [value(0)] uint16 unknown1;
- uint16 num_old_keys1;
- uint16 num_old_keys2;
+ [value(0)] uint16 num_service_keys;
+ uint16 num_old_keys;
+ uint16 num_older_keys;
package_PrimaryKerberosString salt;
- [value(0x00001000)] uint32 unknown2; /* could the the iterator for the AES key creation */
- package_PrimaryKerberosNewerKey keys[num_keys];
- package_PrimaryKerberosNewerKey old_keys1[num_old_keys1];
- package_PrimaryKerberosNewerKey old_keys2[num_old_keys2];
- } package_PrimaryKerberosNewerCtr4;
+ uint32 default_iteration_count;
+ package_PrimaryKerberosKey4 keys[num_keys];
+ package_PrimaryKerberosKey4 service_keys[num_service_keys];
+ package_PrimaryKerberosKey4 old_keys[num_old_keys];
+ package_PrimaryKerberosKey4 older_keys[num_older_keys];
+ } package_PrimaryKerberosCtr4;
typedef [nodiscriminant] union {
- [case(4)] package_PrimaryKerberosNewerCtr4 ctr4;
- } package_PrimaryKerberosNewerCtr;
+ [case(3)] package_PrimaryKerberosCtr3 ctr3;
+ [case(4)] package_PrimaryKerberosCtr4 ctr4;
+ } package_PrimaryKerberosCtr;
typedef [public] struct {
- [value(4)] uint32 version;
- [switch_is(version)] package_PrimaryKerberosNewerCtr ctr;
- } package_PrimaryKerberosNewerBlob;
+ uint16 version;
+ [value(0)] uint16 flags;
+ [switch_is(version)] package_PrimaryKerberosCtr ctr;
+ } package_PrimaryKerberosBlob;
- void decode_PrimaryKerberosNewer(
- [in] package_PrimaryKerberosNewerBlob blob
+ void decode_PrimaryKerberos(
+ [in] package_PrimaryKerberosBlob blob
);
typedef [public] struct {
--
Samba Shared Repository
More information about the samba-cvs
mailing list