From cfba2c40d30cab29dd4e2140f3274c8c67b11d24 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 19 May 2017 17:17:00 +0200 Subject: [PATCH] s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c These don't use any krb5_context related functions and they just work on secrets.tdb, so they really belong to machine_account_secrets.c. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 504b446d8dc7410ad63eba9d214e9cf271cf3b2f) --- source3/include/secrets.h | 4 ++ source3/libads/kerberos.c | 97 -------------------------------- source3/libads/kerberos_proto.h | 3 - source3/libnet/libnet_keytab.c | 1 + source3/passdb/machine_account_secrets.c | 96 +++++++++++++++++++++++++++++++ 5 files changed, 101 insertions(+), 100 deletions(-) diff --git a/source3/include/secrets.h b/source3/include/secrets.h index f397129b128..c40a9514164 100644 --- a/source3/include/secrets.h +++ b/source3/include/secrets.h @@ -133,6 +133,10 @@ bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const uint32_t secure_channel, bool delete_join); +char* kerberos_standard_des_salt( void ); +bool kerberos_secrets_store_des_salt( const char* salt ); +char *kerberos_secrets_fetch_salt_princ(void); + /* The following definitions come from passdb/secrets_lsa.c */ NTSTATUS lsa_secret_get(TALLOC_CTX *mem_ctx, const char *secret_name, diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 6cfbca69a07..cfb09a704cb 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -272,103 +272,6 @@ int ads_kdestroy(const char *cc_name) return code; } -/************************************************************************ - Return the standard DES salt key -************************************************************************/ - -char* kerberos_standard_des_salt( void ) -{ - fstring salt; - - fstr_sprintf( salt, "host/%s.%s@", lp_netbios_name(), lp_realm() ); - (void)strlower_m( salt ); - fstrcat( salt, lp_realm() ); - - return SMB_STRDUP( salt ); -} - -/************************************************************************ -************************************************************************/ - -static char* des_salt_key( void ) -{ - char *key; - - if (asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL, - lp_realm()) == -1) { - return NULL; - } - - return key; -} - -/************************************************************************ -************************************************************************/ - -bool kerberos_secrets_store_des_salt( const char* salt ) -{ - char* key; - bool ret; - - if ( (key = des_salt_key()) == NULL ) { - DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n")); - return False; - } - - if ( !salt ) { - DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n")); - secrets_delete( key ); - return True; - } - - DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt)); - - ret = secrets_store( key, salt, strlen(salt)+1 ); - - SAFE_FREE( key ); - - return ret; -} - -/************************************************************************ -************************************************************************/ - -static -char* kerberos_secrets_fetch_des_salt( void ) -{ - char *salt, *key; - - if ( (key = des_salt_key()) == NULL ) { - DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n")); - return NULL; - } - - salt = (char*)secrets_fetch( key, NULL ); - - SAFE_FREE( key ); - - return salt; -} - -/************************************************************************ - Routine to get the salting principal for this service. - Caller must free if return is not null. - ************************************************************************/ - -char *kerberos_secrets_fetch_salt_princ(void) -{ - char *salt_princ_s; - /* lookup new key first */ - - salt_princ_s = kerberos_secrets_fetch_des_salt(); - if (salt_princ_s == NULL) { - /* fall back to host/machine.realm@REALM */ - salt_princ_s = kerberos_standard_des_salt(); - } - - return salt_princ_s; -} - int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_principal salt_princ, diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h index e481d1d78a6..f92cabd757e 100644 --- a/source3/libads/kerberos_proto.h +++ b/source3/libads/kerberos_proto.h @@ -56,9 +56,6 @@ int kerberos_kinit_password_ext(const char *principal, time_t renewable_time, NTSTATUS *ntstatus); int ads_kdestroy(const char *cc_name); -char* kerberos_standard_des_salt( void ); -bool kerberos_secrets_store_des_salt( const char* salt ); -char *kerberos_secrets_fetch_salt_princ(void); int kerberos_kinit_password(const char *principal, const char *password, diff --git a/source3/libnet/libnet_keytab.c b/source3/libnet/libnet_keytab.c index 1b5ac672710..c76e7b298cf 100644 --- a/source3/libnet/libnet_keytab.c +++ b/source3/libnet/libnet_keytab.c @@ -22,6 +22,7 @@ #include "includes.h" #include "smb_krb5.h" #include "ads.h" +#include "secrets.h" #include "libnet/libnet_keytab.h" #ifdef HAVE_KRB5 diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c index 3f097ab4055..3f6d6b69f1c 100644 --- a/source3/passdb/machine_account_secrets.c +++ b/source3/passdb/machine_account_secrets.c @@ -553,6 +553,102 @@ bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const return ret; } +/************************************************************************ + Return the standard DES salt key +************************************************************************/ + +char* kerberos_standard_des_salt( void ) +{ + fstring salt; + + fstr_sprintf( salt, "host/%s.%s@", lp_netbios_name(), lp_realm() ); + (void)strlower_m( salt ); + fstrcat( salt, lp_realm() ); + + return SMB_STRDUP( salt ); +} + +/************************************************************************ +************************************************************************/ + +static char* des_salt_key( void ) +{ + char *key; + + if (asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL, + lp_realm()) == -1) { + return NULL; + } + + return key; +} + +/************************************************************************ +************************************************************************/ + +bool kerberos_secrets_store_des_salt( const char* salt ) +{ + char* key; + bool ret; + + if ( (key = des_salt_key()) == NULL ) { + DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n")); + return False; + } + + if ( !salt ) { + DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n")); + secrets_delete( key ); + return True; + } + + DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt)); + + ret = secrets_store( key, salt, strlen(salt)+1 ); + + SAFE_FREE( key ); + + return ret; +} + +/************************************************************************ +************************************************************************/ + +static +char* kerberos_secrets_fetch_des_salt( void ) +{ + char *salt, *key; + + if ( (key = des_salt_key()) == NULL ) { + DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n")); + return NULL; + } + + salt = (char*)secrets_fetch( key, NULL ); + + SAFE_FREE( key ); + + return salt; +} + +/************************************************************************ + Routine to get the salting principal for this service. + Caller must free if return is not null. + ************************************************************************/ + +char *kerberos_secrets_fetch_salt_princ(void) +{ + char *salt_princ_s; + /* lookup new key first */ + + salt_princ_s = kerberos_secrets_fetch_des_salt(); + if (salt_princ_s == NULL) { + /* fall back to host/machine.realm@REALM */ + salt_princ_s = kerberos_standard_des_salt(); + } + + return salt_princ_s; +} /************************************************************************ Routine to fetch the previous plaintext machine account password for a realm -- 2.11.4.GIT