From 88bcf5899c3bd12b05d017436df0fc1374c954a5 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 17 Sep 2013 00:28:32 -0400
Subject: keytabs: Expose and modify key encoding function

Make it available outside of the encoding.c file for use in a follow-up patch. Add option to not pass a password and generate a random key instead.

Related: https://fedorahosted.org/freeipa/ticket/3859
Reviewed-By: Nathaniel McCallum
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 20 +++++++++++++-------
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 6 ++++++
 util/ipa_krb5.c | 12 +++++++++---
 3 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
index 28f164eb8..5ca155dcf 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
@@ -102,8 +102,10 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset)
 *pkset = NULL;
 }
-static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
+Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 struct ipapwd_data *data,
+ int num_encsalts,
+ krb5_key_salt_tuple *encsalts,
 char **errMesg)
 {
 krb5_context krbctx;
@@ -113,7 +115,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 Slapi_Value **svals = NULL;
 krb5_principal princ = NULL;
 krb5_error_code krberr;
- krb5_data pwd;
+ krb5_data pwd = { 0 };
 struct ipapwd_keyset *kset = NULL;
 krbctx = krbcfg->krbctx;
@@ -141,8 +143,10 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 goto enc_error;
 }
- pwd.data = (char *)data->password;
- pwd.length = strlen(data->password);
+ if (data->password) {
+ pwd.data = (char *)data->password;
+ pwd.length = strlen(data->password);
+ }
 kset = malloc(sizeof(struct ipapwd_keyset));
 if (!kset) {
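Review bot: The new `if (data->password)` guard turns a NULL password into an all-zero `pwd` that is later interpreted as a request for a random key, but nothing at this site says so, and the zero-initialisation it relies on is two hunks away; a reader of this function alone would take the untouched `pwd` for a bug. A one-line comment would carry the contract: `/* NULL password: leave pwd zeroed so key generation mints a random key instead */`. Note that an empty string still reaches string-to-key with `pwd.length == 0`, so NULL and "" are deliberately different here, which is worth stating too. The function body continues outside the hunk.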
@@ -160,8 +164,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 krberr = ipa_krb5_generate_key_data(krbctx, princ, pwd, kvno,
 krbcfg->kmkey,
- krbcfg->num_pref_encsalts,
- krbcfg->pref_encsalts,
+ num_encsalts, encsalts,
 &kset->num_keys, &kset->keys);
 if (krberr != 0) {
 LOG_FATAL("generating kerberos keys failed [%s]\n",
@@ -212,7 +215,10 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
 if (is_krb) {
- *svals = encrypt_encode_key(krbcfg, data, errMesg);
+ *svals = ipapwd_encrypt_encode_key(krbcfg, data,
+ krbcfg->num_pref_encsalts,
+ krbcfg->pref_encsalts,
+ errMesg);
 if (!*svals) {
 /* errMesg should have been set in encrypt_encode_key() */
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index e18bf7bb6..f8851122b 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -141,6 +141,12 @@ struct ipapwd_keyset {
 void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
+Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
+ struct ipapwd_data *data,
+ int num_encsalts,
+ krb5_key_salt_tuple *encsalts,
+ char **errMesg);
+
 int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
 struct ipapwd_data *data, char *userpw,
 int is_krb, int is_smb, int is_ipant,
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index cc84f9920..2a94b1944 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -212,9 +212,15 @@ krb5_error_code ipa_krb5_generate_key_data(krb5_context krbctx,
 /* need to build the key now to manage the AFS salt.length
 * special case */
- kerr = krb5_c_string_to_key(krbctx,
- encsalts[i].ks_enctype,
- &pwd, &salt, &key);
+ if (pwd.data == NULL) {
+ kerr = krb5_c_make_random_key(krbctx,
+ encsalts[i].ks_enctype,
+ &key);
+ } else {
+ kerr = krb5_c_string_to_key(krbctx,
+ encsalts[i].ks_enctype,
+ &pwd, &salt, &key);
+ }
 if (kerr) {
 krb5_free_data_contents(krbctx, &salt);
 goto done;
--
cgit
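Review bot: The context line `/* errMesg should have been set in encrypt_encode_key() */` in the ipapwd_gen_hashes hunk now names a function that this commit renames away, so the comment points at a callee that no longer exists; change it to `/* errMesg should have been set in ipapwd_encrypt_encode_key() */`. ipapwd_gen_hashes starts and ends outside the hunk.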
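Review bot: The newly public prototype `ipapwd_encrypt_encode_key` in ipapwd.h is declared without any comment, so callers outside encoding.c cannot learn what `num_encsalts` and `encsalts` are or that `data->password` may now be NULL. A Doxygen-style block above the declaration should say that `encsalts` is an array of `num_encsalts` enctype/salt tuples to generate keys for, that a NULL `data->password` asks for a randomly generated key rather than a password-derived one, and that NULL is returned on failure with `*errMesg` set (the latter is visible from the `if (!*svals)` check in encoding.c); who owns and frees the returned `Slapi_Value` array is not visible in this commit and should be confirmed against encoding.c before it is written down.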
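Review bot: The random-key branch in ipa_krb5_generate_key_data is selected by `pwd.data == NULL` alone, so a caller passing a non-NULL buffer with `pwd.length == 0` still gets `krb5_c_string_to_key` on an empty password, which yields a key derived from nothing and differs from the NULL case; whether that distinction is intended should be stated on the `if`, e.g. `/* no password supplied: mint a random key instead of deriving one */`, and if it is not intended the condition becomes `if (pwd.data == NULL || pwd.length == 0) {`. The random path also leaves `salt` unused even though the comment above says it was built for the AFS special case and it is still released on the error path; if the salt is later stored next to a random key it is meaningless for that key, and a note saying so would save the next reader a detour. ipa_krb5_generate_key_data starts and ends outside the hunk.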