[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-2970-gc273ce8

Günther Deschner gd at samba.org
Tue Jun 24 21:37:49 GMT 2008


The branch, v3-3-test has been updated
       via  c273ce8798062d1b55100411f3e92a01bdbf611c (commit)
       via  7c4da23be1105dc224033b21eb486e7fcdc7d9c5 (commit)
      from  63c1a5146e25e05678d2bef95286add5c95a5f38 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit c273ce8798062d1b55100411f3e92a01bdbf611c
Author: Günther Deschner <gd at samba.org>
Date:   Wed Jun 18 12:48:35 2008 +0200

    kerberos: add smb_krb5_keytab_name().
    
    Guenther

commit 7c4da23be1105dc224033b21eb486e7fcdc7d9c5
Author: Günther Deschner <gd at samba.org>
Date:   Wed Jun 18 12:45:57 2008 +0200

    kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source/include/includes.h       |   13 ++++++-
 source/libads/kerberos_keytab.c |   16 +++++---
 source/libads/kerberos_verify.c |    2 +-
 source/libsmb/clikrb5.c         |   78 ++++++++++++++++++++++++++++++---------
 4 files changed, 83 insertions(+), 26 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/include/includes.h b/source/include/includes.h
index 7513dfb..d3e8b33 100644
--- a/source/include/includes.h
+++ b/source/include/includes.h
@@ -1143,7 +1143,7 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val);
 
 /* Samba wrapper function for krb5 functionality. */
 bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr);
-int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype);
+int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype, bool no_salt);
 bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt);
 krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt);
 krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
@@ -1221,6 +1221,17 @@ krb5_error_code smb_krb5_open_keytab(krb5_context context,
  				      const char *keytab_name, 
 				      bool write_access, 
 				      krb5_keytab *keytab);
+krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
+				     krb5_context context,
+				     krb5_keytab keytab,
+				     const char **keytab_name);
+int smb_krb5_kt_add_entry(krb5_context context,
+			  krb5_keytab keytab,
+			  krb5_kvno kvno,
+			  const char *princ_s,
+			  krb5_enctype *enctypes,
+			  krb5_data password,
+			  bool no_salt);
 #endif /* HAVE_KRB5 */
 
 
diff --git a/source/libads/kerberos_keytab.c b/source/libads/kerberos_keytab.c
index 8e69838..c8ffd73 100644
--- a/source/libads/kerberos_keytab.c
+++ b/source/libads/kerberos_keytab.c
@@ -32,9 +32,13 @@
 /**********************************************************************
 **********************************************************************/
 
-static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
-                                  krb5_kvno kvno, const char *princ_s, 
-				  krb5_enctype *enctypes, krb5_data password )
+int smb_krb5_kt_add_entry(krb5_context context,
+			  krb5_keytab keytab,
+			  krb5_kvno kvno,
+			  const char *princ_s,
+			  krb5_enctype *enctypes,
+			  krb5_data password,
+			  bool no_salt)
 {
 	krb5_error_code ret = 0;
 	krb5_kt_cursor cursor;
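Review bot: The new `no_salt` parameter is exported without any comment saying that `password` then carries raw key bytes rather than a passphrase. The body (which continues outside this hunk) hands those same bytes to every entry of `enctypes` in the loop changed in the next hunk. As far as the visible code shows, one key blob would be written under each listed enctype whether or not its length fits that enctype. I would add a header comment such as `/* no_salt: password holds a ready-made key; enctypes must list only the matching enctype */` and have raw-key callers pass a single-enctype list.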
@@ -166,7 +170,7 @@ static int smb_krb5_kt_add_entry( krb5_context context, krb5_keytab keytab,
 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK          /* Heimdal */
 		keyp = &kt_entry.keyblock;
 #endif
-		if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i])) {
+		if (create_kerberos_key_from_string(context, princ, &password, keyp, enctypes[i], no_salt)) {
 			continue;
 		}
 
@@ -321,7 +325,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 	
 	/* add the fqdn principal to the keytab */
 	
-	ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password );
+	ret = smb_krb5_kt_add_entry( context, keytab, kvno, princ_s, enctypes, password, false );
 	if ( ret ) {
 		DEBUG(1,("ads_keytab_add_entry: Failed to add entry to keytab file\n"));
 		goto out;
@@ -330,7 +334,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 	/* add the short principal name if we have one */
 	
 	if ( short_princ_s ) {
-		ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password );
+		ret = smb_krb5_kt_add_entry( context, keytab, kvno, short_princ_s, enctypes, password, false );
 		if ( ret ) {
 			DEBUG(1,("ads_keytab_add_entry: Failed to add short entry to keytab file\n"));
 			goto out;
diff --git a/source/libads/kerberos_verify.c b/source/libads/kerberos_verify.c
index a4d7a8e..c667181 100644
--- a/source/libads/kerberos_verify.c
+++ b/source/libads/kerberos_verify.c
@@ -259,7 +259,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 			goto out;
 		}
 	
-		if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
+		if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i], false)) {
 			SAFE_FREE(key);
 			continue;
 		}
diff --git a/source/libsmb/clikrb5.c b/source/libsmb/clikrb5.c
index 4c535d2..2aae9df 100644
--- a/source/libsmb/clikrb5.c
+++ b/source/libsmb/clikrb5.c
@@ -214,20 +214,31 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
 						  krb5_principal host_princ,
 						  krb5_data *password,
 						  krb5_keyblock *key,
-						  krb5_enctype enctype)
+						  krb5_enctype enctype,
+						  bool no_salt)
 {
 	int ret;
 	krb5_data salt;
 	krb5_encrypt_block eblock;
 
-	ret = krb5_principal2salt(context, host_princ, &salt);
-	if (ret) {
-		DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
-		return ret;
+	if (no_salt) {
+		key->contents = (krb5_octet *)SMB_MALLOC(password->length);
+		if (!key->contents) {
+			return ENOMEM;
+		}
+		memcpy(key->contents, password->data, password->length);
+		key->length = password->length;
+		key->enctype = enctype;
+	} else {
+		ret = krb5_principal2salt(context, host_princ, &salt);
+		if (ret) {
+			DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
+			return ret;
+		}
+		krb5_use_enctype(context, &eblock, enctype);
+		ret = krb5_string_to_key(context, &eblock, key, password, &salt);
+		SAFE_FREE(salt.data);
 	}
-	krb5_use_enctype(context, &eblock, enctype);
-	ret = krb5_string_to_key(context, &eblock, key, password, &salt);
-	SAFE_FREE(salt.data);
 	return ret;
 }
 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
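Review bot: `ret` is declared without an initializer and the `no_salt` branch never assigns it, so the final `return ret;` hands back an indeterminate value on the raw-key path. Callers in this commit treat any non-zero result as failure and `continue`, so a valid key can be skipped unpredictably and the buffer just stored in `key->contents` is then leaked. Declaring it as `int ret = 0;` fixes that. The branch also copies `password->length` bytes without comparing the length with the key size of `enctype`, whereas the Heimdal variant below delegates to `krb5_keyblock_init()`, which is expected to reject a mismatched size; a length check before the `SMB_MALLOC` would keep the two builds consistent. The function's signature starts above this hunk.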
@@ -235,19 +246,27 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
 						  krb5_principal host_princ,
 						  krb5_data *password,
 						  krb5_keyblock *key,
-						  krb5_enctype enctype)
+						  krb5_enctype enctype,
+						  bool no_salt)
 {
 	int ret;
 	krb5_salt salt;
 
-	ret = krb5_get_pw_salt(context, host_princ, &salt);
-	if (ret) {
-		DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
-		return ret;
+	if (no_salt) {
+		return krb5_keyblock_init(context, enctype,
+					  password->data, password->length,
+					  key);
+	} else {
+		ret = krb5_get_pw_salt(context, host_princ, &salt);
+		if (ret) {
+			DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
+			return ret;
+		}
+
+		ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
+		krb5_free_salt(context, salt);
 	}
-	
-	ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
-	krb5_free_salt(context, salt);
+
 	return ret;
 }
 #else
@@ -258,7 +277,8 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
 					krb5_principal host_princ,
 					krb5_data *password,
 					krb5_keyblock *key,
-					krb5_enctype enctype)
+					krb5_enctype enctype,
+					bool no_salt)
 {
 	krb5_principal salt_princ = NULL;
 	int ret;
@@ -268,7 +288,7 @@ static int create_kerberos_key_from_string_direct(krb5_context context,
 	 * its behavior.
 	 */
 	salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
-	ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
+	ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype, no_salt);
 	if (salt_princ) {
 		krb5_free_principal(context, salt_princ);
 	}
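Review bot: The wrapper still calls `kerberos_fetch_salt_princ_for_host_princ()` when `no_salt` is true, although the principal is only a salt source and the raw-key paths added in this commit never read it. Guarding the call, e.g. `salt_princ = no_salt ? NULL : kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);`, avoids a lookup whose cost and side effects are not visible here. The function begins in the previous hunk.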
@@ -1707,6 +1727,28 @@ done:
  	return ret;
 }
 
+krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
+				     krb5_context context,
+				     krb5_keytab keytab,
+				     const char **keytab_name)
+{
+	char keytab_string[MAX_KEYTAB_NAME_LEN];
+	krb5_error_code ret = 0;
+
+	ret = krb5_kt_get_name(context, keytab,
+			       keytab_string, MAX_KEYTAB_NAME_LEN - 2);
+	if (ret) {
+		return ret;
+	}
+
+	*keytab_name = talloc_strdup(mem_ctx, keytab_string);
+	if (!*keytab_name) {
+		return ENOMEM;
+	}
+
+	return ret;
+}
+
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
  int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
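Review bot: `smb_krb5_keytab_name()` leaves `*keytab_name` untouched when `krb5_kt_get_name()` fails, and it relies on that call to NUL-terminate `keytab_string` before `talloc_strdup()` reads it. Zero-initialising the buffer (`char keytab_string[MAX_KEYTAB_NAME_LEN] = {0};`) and setting `*keytab_name = NULL;` on entry makes both cases well defined for callers. The `MAX_KEYTAB_NAME_LEN - 2` bound deserves a one-line comment explaining why two bytes are reserved rather than one.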


-- 
Samba Shared Repository

