hdb: generate default salts for entries missing them
Older databases may lack explicitly stored salts where the salt is the default one. When fetching a client entry for an AS-REQ, add default salts to keys that lack one.
@@ -31,6 +31,7 @@
|
|||||||
* SUCH DAMAGE.
|
* SUCH DAMAGE.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include "krb5_locl.h"
|
||||||
#include "hdb_locl.h"
|
#include "hdb_locl.h"
|
||||||
|
|
||||||
int
|
int
|
||||||
@@ -98,6 +99,50 @@ hdb_value2entry_alias(krb5_context context, krb5_data *value,
|
|||||||
return decode_hdb_entry_alias(value->data, value->length, ent, NULL);
|
return decode_hdb_entry_alias(value->data, value->length, ent, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Some old databases may not have stored the salt with each key, which will
|
||||||
|
* break clients when aliases or canonicalization are used. Generate a
|
||||||
|
* default salt based on the real principal name in the entry to handle
|
||||||
|
* this case.
|
||||||
|
*/
|
||||||
|
static krb5_error_code
|
||||||
|
add_default_salts(krb5_context context, HDB *db, hdb_entry *entry)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
size_t i;
|
||||||
|
krb5_salt pwsalt;
|
||||||
|
|
||||||
|
ret = krb5_get_pw_salt(context, entry->principal, &pwsalt);
|
||||||
|
if (ret)
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
for (i = 0; i < entry->keys.len; i++) {
|
||||||
|
Key *key = &entry->keys.val[i];
|
||||||
|
|
||||||
|
if (key->salt != NULL ||
|
||||||
|
_krb5_enctype_requires_random_salt(context, key->key.keytype))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
key->salt = malloc(sizeof(*key->salt));
|
||||||
|
if (key->salt == NULL) {
|
||||||
|
ret = krb5_enomem(context);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
key->salt->type = KRB5_PADATA_PW_SALT;
|
||||||
|
|
||||||
|
ret = krb5_data_copy(&key->salt->salt,
|
||||||
|
pwsalt.saltvalue.data,
|
||||||
|
pwsalt.saltvalue.length);
|
||||||
|
if (ret)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
krb5_free_salt(context, pwsalt);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
krb5_error_code
|
krb5_error_code
|
||||||
_hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
|
_hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
|
||||||
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
|
unsigned flags, krb5_kvno kvno, hdb_entry_ex *entry)
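Review bot: `key->salt = malloc(sizeof(*key->salt));` in add_default_salts only ever sets `type` and `salt`, so any other member of the generated Salt struct (hdb.asn1's Salt carries an OPTIONAL `opaque` member in current Heimdal, to be confirmed against the definition, which is outside this hunk) is left uninitialized, and when the caller hands the entry to hdb_free_entry on the error path the ASN.1 free routine will act on that garbage; on the `krb5_data_copy` failure `break`, `salt.length` is likewise never assigned. Use `key->salt = calloc(1, sizeof(*key->salt));` so a half-built key is always in a state the generated free function can release. The `db` parameter is unused in the body, and the call to `_krb5_enctype_requires_random_salt` is a private libkrb5 symbol, which is presumably why the first hunk adds `#include "krb5_locl.h"` to libhdb; a one-line comment on that include, e.g. `/* for _krb5_enctype_requires_random_salt() */`, would save the next reader the search.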
|
||||||
@@ -191,6 +236,19 @@ _hdb_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if ((flags & HDB_F_FOR_AS_REQ) && (flags & HDB_F_GET_CLIENT)) {
|
||||||
|
/*
|
||||||
|
* Generate default salt for any principals missing one; note such
|
||||||
|
* principals could include those for which a random (non-password)
|
||||||
|
* key was generated, but given the salt will be ignored by a keytab
|
||||||
|
* client it doesn't hurt to include the default salt.
|
||||||
|
*/
|
||||||
|
ret = add_default_salts(context, db, &entry->entry);
|
||||||
|
if (ret) {
|
||||||
|
hdb_free_entry(context, entry);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
}
|
||||||
if (enterprise_principal) {
|
if (enterprise_principal) {
|
||||||
/*
|
/*
|
||||||
* Whilst Windows does not canonicalize enterprise principal names if
|
* Whilst Windows does not canonicalize enterprise principal names if
|
||||||
|