[SCM] Samba Shared Repository - branch v4-0-test updated - release-4-0-0alpha5-151-g1223cd1

Stefan Metzmacher metze at samba.org
Thu Jul 24 06:32:17 GMT 2008


The branch, v4-0-test has been updated
       via  1223cd17c79d130b46b0e0ccb0f6011c92441173 (commit)
       via  fac7c79afae05a88ecc2a63c8eb9f2fd53ab7ce6 (commit)
       via  4b79a7678571ac2f7d5f827913fdcb419f5d2e20 (commit)
       via  231e6f5ab2dc8a3e991a9872be252cffff6f14c6 (commit)
      from  24309dbf4d9622fcfafa29ef98bc0459fdaa814b (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit 1223cd17c79d130b46b0e0ccb0f6011c92441173
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 24 08:23:15 2008 +0200

    hdb-ldb: fix the callers after drsblobs.idl changes
    
    metze

commit fac7c79afae05a88ecc2a63c8eb9f2fd53ab7ce6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 24 08:22:23 2008 +0200

    password_hash: fix the callers after drsblobs.idl changes
    
    metze

commit 4b79a7678571ac2f7d5f827913fdcb419f5d2e20
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 24 08:20:06 2008 +0200

    drsblobs.idl: unify the Primary:Kerberos and Primary:Kerberos-Newer-Keys structs
    
    metze

commit 231e6f5ab2dc8a3e991a9872be252cffff6f14c6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 24 07:53:55 2008 +0200

    drsblobs.idl: give some unknowns a meaning
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source/dsdb/samdb/ldb_modules/password_hash.c |   74 +++++++++++++-----------
 source/kdc/hdb-ldb.c                          |   75 ++++++++++---------------
 source/librpc/idl/drsblobs.idl                |   61 +++++++++------------
 3 files changed, 97 insertions(+), 113 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/dsdb/samdb/ldb_modules/password_hash.c b/source/dsdb/samdb/ldb_modules/password_hash.c
index 413ec12..69783ae 100644
--- a/source/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source/dsdb/samdb/ldb_modules/password_hash.c
@@ -437,10 +437,11 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
 	 * ENCTYPE_DES_CBC_MD5
 	 * ENCTYPE_DES_CBC_CRC
 	 */
+	pkb->version		= 3;
 	pkb3->salt.string	= io->g.salt;
 	pkb3->num_keys		= 2;
 	pkb3->keys		= talloc_array(io->ac,
-					       struct package_PrimaryKerberosKey,
+					       struct package_PrimaryKerberosKey3,
 					       pkb3->num_keys);
 	if (!pkb3->keys) {
 		ldb_oom(io->ac->module->ldb);
@@ -521,12 +522,12 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
 
 static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
 					const struct supplementalCredentialsBlob *old_scb,
-					struct package_PrimaryKerberosNewerBlob *pkb)
+					struct package_PrimaryKerberosBlob *pkb)
 {
-	struct package_PrimaryKerberosNewerCtr4 *pkb4 = &pkb->ctr.ctr4;
+	struct package_PrimaryKerberosCtr4 *pkb4 = &pkb->ctr.ctr4;
 	struct supplementalCredentialsPackage *old_scp = NULL;
-	struct package_PrimaryKerberosNewerBlob _old_pkb;
-	struct package_PrimaryKerberosNewerCtr4 *old_pkb4 = NULL;
+	struct package_PrimaryKerberosBlob _old_pkb;
+	struct package_PrimaryKerberosCtr4 *old_pkb4 = NULL;
 	uint32_t i;
 	enum ndr_err_code ndr_err;
 
@@ -538,30 +539,37 @@ static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
 	 * ENCTYPE_DES_CBC_MD5
 	 * ENCTYPE_DES_CBC_CRC
 	 */
-	pkb4->salt.string	= io->g.salt;
-	pkb4->num_keys		= 4;
-	pkb4->keys		= talloc_array(io->ac,
-					       struct package_PrimaryKerberosNewerKey,
-					       pkb4->num_keys);
+	pkb->version			= 4;
+	pkb4->salt.string		= io->g.salt;
+	pkb4->default_iteration_count	= 4096;
+	pkb4->num_keys			= 4;
+
+	pkb4->keys = talloc_array(io->ac,
+				  struct package_PrimaryKerberosKey4,
+				  pkb4->num_keys);
 	if (!pkb4->keys) {
 		ldb_oom(io->ac->module->ldb);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	pkb4->keys[0].keytype	= ENCTYPE_AES256_CTS_HMAC_SHA1_96;
-	pkb4->keys[0].value	= &io->g.aes_256;
-	pkb4->keys[1].keytype	= ENCTYPE_AES128_CTS_HMAC_SHA1_96;
-	pkb4->keys[1].value	= &io->g.aes_128;
-	pkb4->keys[2].keytype	= ENCTYPE_DES_CBC_MD5;
-	pkb4->keys[2].value	= &io->g.des_md5;
-	pkb4->keys[3].keytype	= ENCTYPE_DES_CBC_CRC;
-	pkb4->keys[3].value	= &io->g.des_crc;
+	pkb4->keys[0].iteration_count	= 4096;
+	pkb4->keys[0].keytype		= ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+	pkb4->keys[0].value		= &io->g.aes_256;
+	pkb4->keys[1].iteration_count	= 4096;
+	pkb4->keys[1].keytype		= ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+	pkb4->keys[1].value		= &io->g.aes_128;
+	pkb4->keys[2].iteration_count	= 4096;
+	pkb4->keys[2].keytype		= ENCTYPE_DES_CBC_MD5;
+	pkb4->keys[2].value		= &io->g.des_md5;
+	pkb4->keys[3].iteration_count	= 4096;
+	pkb4->keys[3].keytype		= ENCTYPE_DES_CBC_CRC;
+	pkb4->keys[3].value		= &io->g.des_crc;
 
 	/* initialize the old keys to zero */
-	pkb4->num_old_keys1	= 0;
-	pkb4->old_keys1		= NULL;
-	pkb4->num_old_keys2	= 0;
-	pkb4->old_keys2		= NULL;
+	pkb4->num_old_keys	= 0;
+	pkb4->old_keys		= NULL;
+	pkb4->num_older_keys	= 0;
+	pkb4->older_keys	= NULL;
 
 	/* if there're no old keys, then we're done */
 	if (!old_scb) {
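Review bot: The reset block under `/* initialize the old keys to zero */` leaves `pkb4->service_keys` untouched although the new Ctr4 layout carries `service_keys[num_service_keys]` next to `old_keys` and `older_keys`; unless the caller zeroes `*pkb` before calling (not visible in this hunk), that pointer goes to the push uninitialized. Adding `pkb4->num_service_keys = 0;` and `pkb4->service_keys = NULL;` beside the existing four resets keeps the struct fully defined regardless of the caller. Separately, the iteration count `4096` is spelled out six times; one local such as `const uint32_t iteration_count = 4096; /* must match the PBKDF2 count used when io->g.aes_* were derived */` assigned to `default_iteration_count` and to each `keys[i].iteration_count` keeps the stored count from drifting away from the count the key material was actually derived with, which happens outside this function. setup_primary_kerberos_newer begins before this hunk.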
@@ -580,7 +588,7 @@ static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
 		old_scp = &old_scb->sub.packages[i];
 		break;
 	}
-	/* Primary:Kerberos element of supplementalCredentials */
+	/* Primary:Kerberos-Newer-Keys element of supplementalCredentials */
 	if (old_scp) {
 		DATA_BLOB blob;
 
@@ -595,20 +603,20 @@ static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
 		ndr_err = ndr_pull_struct_blob(&blob, io->ac,
 					       lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
 					       &_old_pkb,
-					       (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosNewerBlob);
+					       (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
 		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 			NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
 			ldb_asprintf_errstring(io->ac->module->ldb,
 					       "setup_primary_kerberos_newer: "
-					       "failed to pull old package_PrimaryKerberosNewerBlob: %s",
+					       "failed to pull old package_PrimaryKerberosBlob: %s",
 					       nt_errstr(status));
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
 		if (_old_pkb.version != 4) {
 			ldb_asprintf_errstring(io->ac->module->ldb,
-					       "setup_primary_kerberos: "
-					       "package_PrimaryKerberosNewerBlob version[%u] expected[4]",
+					       "setup_primary_kerberos_newer: "
+					       "package_PrimaryKerberosBlob version[%u] expected[4]",
 					       _old_pkb.version);
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
@@ -622,10 +630,10 @@ static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
 	}
 
 	/* fill in the old keys */
-	pkb4->num_old_keys1	= old_pkb4->num_keys;
-	pkb4->old_keys1		= old_pkb4->keys;
-	pkb4->num_old_keys2	= old_pkb4->num_old_keys1;
-	pkb4->old_keys2		= old_pkb4->old_keys1;
+	pkb4->num_old_keys	= old_pkb4->num_keys;
+	pkb4->old_keys		= old_pkb4->keys;
+	pkb4->num_older_keys	= old_pkb4->num_old_keys;
+	pkb4->older_keys	= old_pkb4->old_keys;
 
 	return LDB_SUCCESS;
 }
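Review bot: The carry-over at `pkb4->num_older_keys = old_pkb4->num_old_keys;` and `pkb4->older_keys = old_pkb4->old_keys;` silently discards the previous blob's `older_keys` generation, and a reader may take that for an oversight rather than policy. A comment above the four assignments, e.g. `/* rotate generations: current -> old, old -> older; the prior blob's older_keys are intentionally dropped, only two previous generations are kept */`, would document the intent. It is also worth stating that these pointers alias arrays that ndr_pull_struct_blob allocated on io->ac earlier in the function, so they remain valid after `_old_pkb` goes out of scope.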
@@ -980,7 +988,7 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
 	/* Primary:Kerberos-Newer-Keys */
 	const char **nkn = NULL;
 	struct supplementalCredentialsPackage *pkn = NULL;
-	struct package_PrimaryKerberosNewerBlob pknb;
+	struct package_PrimaryKerberosBlob pknb;
 	DATA_BLOB pknb_blob;
 	char *pknb_hexstr;
 	/* Primary:Kerberos */
@@ -1105,7 +1113,7 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
 		ndr_err = ndr_push_struct_blob(&pknb_blob, io->ac,
 					       lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
 					       &pknb,
-					       (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosNewerBlob);
+					       (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
 		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 			NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
 			ldb_asprintf_errstring(io->ac->module->ldb,
diff --git a/source/kdc/hdb-ldb.c b/source/kdc/hdb-ldb.c
index 9960085..8f8ce30 100644
--- a/source/kdc/hdb-ldb.c
+++ b/source/kdc/hdb-ldb.c
@@ -191,11 +191,10 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
 	const struct ldb_val *sc_val;
 	struct supplementalCredentialsBlob scb;
 	struct supplementalCredentialsPackage *scpk = NULL;
-	struct supplementalCredentialsPackage *scpkn = NULL;
+	bool newer_keys = false;
 	struct package_PrimaryKerberosBlob _pkb;
 	struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
-	struct package_PrimaryKerberosNewerBlob _pknb;
-	struct package_PrimaryKerberosNewerCtr4 *pkb4 = NULL;
+	struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
 	uint32_t i;
 	uint32_t allocated_keys = 0;
 
@@ -232,11 +231,12 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
 
 		for (i=0; i < scb.sub.num_packages; i++) {
 			if (strcmp("Primary:Kerberos-Newer-Keys", scb.sub.packages[i].name) == 0) {
-				scpkn = &scb.sub.packages[i];
-				if (!scpkn->data || !scpkn->data[0]) {
-					scpkn = NULL;
+				scpk = &scb.sub.packages[i];
+				if (!scpk->data || !scpk->data[0]) {
+					scpk = NULL;
 					continue;
 				}
+				newer_keys = true;
 				break;
 			} else if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) == 0) {
 				scpk = &scb.sub.packages[i];
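Review bot: The rewritten Newer-Keys branch now clears `scpk` when it meets a "Primary:Kerberos-Newer-Keys" package with empty data, but `scpk` is the same variable the "Primary:Kerberos" branch fills in; if a valid Primary:Kerberos package was already found earlier in the array, the `scpk = NULL;` line throws that fallback away, which the old code (separate `scpkn`) did not do. Test the package before touching `scpk`: `if (!scb.sub.packages[i].data || !scb.sub.packages[i].data[0]) continue;` followed by `scpk = &scb.sub.packages[i]; newer_keys = true; break;`. The same shape could be applied to the Primary:Kerberos branch, whose body ends past this hunk; LDB_message2entry_keys continues on both sides.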
@@ -250,39 +250,11 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
 			}
 		}
 	}
-	/* Primary:Kerberos-Newer-Keys element of supplementalCredentials */
-	if (scpkn) {
-		DATA_BLOB blob;
-
-		blob = strhex_to_data_blob(scpkn->data);
-		if (!blob.data) {
-			ret = ENOMEM;
-			goto out;
-		}
-		talloc_steal(mem_ctx, blob.data);
-
-		/* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
-		ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, iconv_convenience, &_pknb,
-					       (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosNewerBlob);
-		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-			krb5_set_error_string(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosNewerBlob");
-			krb5_warnx(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosNewerBlob");
-			ret = EINVAL;
-			goto out;
-		}
-
-		if (_pknb.version != 4) {
-			krb5_set_error_string(context, "LDB_message2entry_keys: could not parse PrimaryKerberosNewer not version 4");
-			krb5_warnx(context, "LDB_message2entry_keys: could not parse PrimaryKerberosNewer not version 4");
-			ret = EINVAL;
-			goto out;
-		}
-
-		pkb4 = &_pknb.ctr.ctr4;
-
-		allocated_keys += pkb4->num_keys;
-	} else if (scpk) {
-		/* Fallback to Primary:Kerberos element of supplementalCredentials */
+	/*
+	 * Primary:Kerberos-Newer-Keys or Primary:Kerberos element
+	 * of supplementalCredentials
+	 */
+	if (scpk) {
 		DATA_BLOB blob;
 
 		blob = strhex_to_data_blob(scpk->data);
@@ -302,16 +274,27 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
 			goto out;
 		}
 
-		if (_pkb.version != 3) {
-			krb5_set_error_string(context, "LDB_message2entry_keys: could not parse PrimaryKerberos not version 3");
-			krb5_warnx(context, "LDB_message2entry_keys: could not parse PrimaryKerberos not version 3");
+		if (newer_keys && _pkb.version != 4) {
+			krb5_set_error_string(context, "LDB_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
+			krb5_warnx(context, "LDB_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
 			ret = EINVAL;
 			goto out;
 		}
-		
-		pkb3 = &_pkb.ctr.ctr3;
 
-		allocated_keys += pkb3->num_keys;
+		if (!newer_keys && _pkb.version != 3) {
+			krb5_set_error_string(context, "LDB_message2entry_keys: could not parse Primary:Kerberos not version 3");
+			krb5_warnx(context, "LDB_message2entry_keys: could not parse Primary:Kerberos not version 3");
+			ret = EINVAL;
+			goto out;
+		}
+
+		if (_pkb.version == 4) {
+			pkb4 = &_pkb.ctr.ctr4;
+			allocated_keys += pkb4->num_keys;
+		} else if (_pkb.version == 3) {
+			pkb3 = &_pkb.ctr.ctr3;
+			allocated_keys += pkb3->num_keys;
+		}
 	}
 
 	if (allocated_keys == 0) {
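Review bot: The two guards `if (newer_keys && _pkb.version != 4)` and `if (!newer_keys && _pkb.version != 3)` express a single check and carry two differently worded messages ("Primary:Kerberos-Newer-Keys not version 4" versus "could not parse Primary:Kerberos not version 3"). Folding them into `uint32_t expected = newer_keys ? 4 : 3;` and one `if (_pkb.version != expected)` with a message built from the package name and the expected number keeps the check and its wording in one place. Once that guard has run, the `else if (_pkb.version == 3)` below is the only case left, so a plain `else` would make the pkb3/pkb4 selection visibly exhaustive. LDB_message2entry_keys continues beyond this hunk.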
@@ -391,6 +374,8 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
 				}
 			}
 
+			/* TODO: maybe pass the iteration_count somehow... */
+
 			ret = krb5_keyblock_init(context,
 						 pkb4->keys[i].keytype,
 						 pkb4->keys[i].value->data,
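Review bot: The added `/* TODO: maybe pass the iteration_count somehow... */` does not say where the value would be consumed; the `krb5_keyblock_init` call directly below is handed `pkb4->keys[i].value->data` as finished key bytes, so the count plays no part in building the keyblock. Presumably it would only matter if the KDC advertised string-to-key parameters to clients alongside the salt; that should be confirmed and the comment made specific, e.g. `/* TODO: iteration_count is not needed here, value already holds the derived key; it would only be needed if the KDC ever advertises s2kparams to clients */`. LDB_message2entry_keys continues on both sides of this hunk.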
diff --git a/source/librpc/idl/drsblobs.idl b/source/librpc/idl/drsblobs.idl
index c876ae7..adfc010 100644
--- a/source/librpc/idl/drsblobs.idl
+++ b/source/librpc/idl/drsblobs.idl
@@ -278,14 +278,14 @@ interface drsblobs {
 		uint32 keytype;
 		[value((value?value->length:0))] uint32 value_len;
 		[relative,subcontext(0),subcontext_size(value_len),flag(NDR_REMAINING)] DATA_BLOB *value;
-	} package_PrimaryKerberosKey;
+	} package_PrimaryKerberosKey3;
 
 	typedef struct {
 		uint16 num_keys;
 		uint16 num_old_keys;
 		package_PrimaryKerberosString salt;
-		package_PrimaryKerberosKey keys[num_keys];
-		package_PrimaryKerberosKey old_keys[num_old_keys];
+		package_PrimaryKerberosKey3 keys[num_keys];
+		package_PrimaryKerberosKey3 old_keys[num_old_keys];
 		[value(0)] uint32 padding1;
 		[value(0)] uint32 padding2;
 		[value(0)] uint32 padding3;
@@ -293,51 +293,42 @@ interface drsblobs {
 		[value(0)] uint32 padding5;
 	} package_PrimaryKerberosCtr3;
 
-	typedef [nodiscriminant] union {
-		[case(3)] package_PrimaryKerberosCtr3 ctr3;
-	} package_PrimaryKerberosCtr;
-
-	typedef [public] struct {
-		[value(3)] uint32 version;
-		[switch_is(version)] package_PrimaryKerberosCtr ctr;
-	} package_PrimaryKerberosBlob;
-
-	void decode_PrimaryKerberos(
-		[in] package_PrimaryKerberosBlob blob
-		);
-
 	typedef struct {
-		[value(0)] uint32 unknown1;
-		[value(0)] uint32 unknown2;
-		[value(0x00001000)] uint32 unknown3; /* could the the iterator for the AES key creation */
+		[value(0)] uint16 reserved1;
+		[value(0)] uint16 reserved2;
+		[value(0)] uint32 reserved3;
+		uint32 iteration_count;
 		uint32 keytype;
 		[value((value?value->length:0))] uint32 value_len;
 		[relative,subcontext(0),subcontext_size(value_len),flag(NDR_REMAINING)] DATA_BLOB *value;
-	} package_PrimaryKerberosNewerKey;
+	} package_PrimaryKerberosKey4;
 
 	typedef struct {
 		uint16 num_keys;
-		[value(0)] uint16 unknown1;
-		uint16 num_old_keys1;
-		uint16 num_old_keys2;
+		[value(0)] uint16 num_service_keys;
+		uint16 num_old_keys;
+		uint16 num_older_keys;
 		package_PrimaryKerberosString salt;
-		[value(0x00001000)] uint32 unknown2; /* could the the iterator for the AES key creation */
-		package_PrimaryKerberosNewerKey keys[num_keys];
-		package_PrimaryKerberosNewerKey old_keys1[num_old_keys1];
-		package_PrimaryKerberosNewerKey old_keys2[num_old_keys2];
-	} package_PrimaryKerberosNewerCtr4;
+		uint32 default_iteration_count;
+		package_PrimaryKerberosKey4 keys[num_keys];
+		package_PrimaryKerberosKey4 service_keys[num_service_keys];
+		package_PrimaryKerberosKey4 old_keys[num_old_keys];
+		package_PrimaryKerberosKey4 older_keys[num_older_keys];
+	} package_PrimaryKerberosCtr4;
 
 	typedef [nodiscriminant] union {
-		[case(4)] package_PrimaryKerberosNewerCtr4 ctr4;
-	} package_PrimaryKerberosNewerCtr;
+		[case(3)] package_PrimaryKerberosCtr3 ctr3;
+		[case(4)] package_PrimaryKerberosCtr4 ctr4;
+	} package_PrimaryKerberosCtr;
 
 	typedef [public] struct {
-		[value(4)] uint32 version;
-		[switch_is(version)] package_PrimaryKerberosNewerCtr ctr;
-	} package_PrimaryKerberosNewerBlob;
+		uint16 version;
+		[value(0)] uint16 flags;
+		[switch_is(version)] package_PrimaryKerberosCtr ctr;
+	} package_PrimaryKerberosBlob;
 
-	void decode_PrimaryKerberosNewer(
-		[in] package_PrimaryKerberosNewerBlob blob
+	void decode_PrimaryKerberos(
+		[in] package_PrimaryKerberosBlob blob
 		);
 
 	typedef [public] struct {
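Review bot: `version` in package_PrimaryKerberosBlob has turned from a generated `[value(3)]`/`[value(4)]` constant into a plain `uint16` that every C caller must now fill in, and nothing in the IDL says so; a caller that forgets pushes version 0, for which the `[switch_is(version)]` union has no case. A comment on the field, e.g. `/* 3 = Primary:Kerberos, 4 = Primary:Kerberos-Newer-Keys; set by the caller, there is no default */`, makes the contract visible. In the same spirit, `service_keys` is only ever emitted with a count of 0 because of `[value(0)] uint16 num_service_keys`, while a pull honours whatever count the stored blob carries; a one-line note that the array is parsed but never produced would save the next reader a search through the callers.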

