keytabs: Expose and modify key encoding function

Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This commit is contained in:
Simo Sorce 2013-09-17 00:28:32 -04:00 committed by Martin Kosek
parent d04746cdea
commit 88bcf5899c
3 changed files with 28 additions and 10 deletions

View File

@ -102,8 +102,10 @@ void ipapwd_keyset_free(struct ipapwd_keyset **pkset)
*pkset = NULL;
}
static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data,
int num_encsalts,
krb5_key_salt_tuple *encsalts,
char **errMesg)
{
krb5_context krbctx;
@ -113,7 +115,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
Slapi_Value **svals = NULL;
krb5_principal princ = NULL;
krb5_error_code krberr;
krb5_data pwd;
krb5_data pwd = { 0 };
struct ipapwd_keyset *kset = NULL;
krbctx = krbcfg->krbctx;
@ -141,8 +143,10 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
goto enc_error;
}
pwd.data = (char *)data->password;
pwd.length = strlen(data->password);
if (data->password) {
pwd.data = (char *)data->password;
pwd.length = strlen(data->password);
}
kset = malloc(sizeof(struct ipapwd_keyset));
if (!kset) {
@ -160,8 +164,7 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
krberr = ipa_krb5_generate_key_data(krbctx, princ,
pwd, kvno, krbcfg->kmkey,
krbcfg->num_pref_encsalts,
krbcfg->pref_encsalts,
num_encsalts, encsalts,
&kset->num_keys, &kset->keys);
if (krberr != 0) {
LOG_FATAL("generating kerberos keys failed [%s]\n",
@ -212,7 +215,10 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
if (is_krb) {
*svals = encrypt_encode_key(krbcfg, data, errMesg);
*svals = ipapwd_encrypt_encode_key(krbcfg, data,
krbcfg->num_pref_encsalts,
krbcfg->pref_encsalts,
errMesg);
if (!*svals) {
/* errMesg should have been set in encrypt_encode_key() */

View File

@ -141,6 +141,12 @@ struct ipapwd_keyset {
void ipapwd_keyset_free(struct ipapwd_keyset **pkset);
Slapi_Value **ipapwd_encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data,
int num_encsalts,
krb5_key_salt_tuple *encsalts,
char **errMesg);
int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
struct ipapwd_data *data, char *userpw,
int is_krb, int is_smb, int is_ipant,

View File

@ -212,9 +212,15 @@ krb5_error_code ipa_krb5_generate_key_data(krb5_context krbctx,
/* need to build the key now to manage the AFS salt.length
* special case */
kerr = krb5_c_string_to_key(krbctx,
encsalts[i].ks_enctype,
&pwd, &salt, &key);
if (pwd.data == NULL) {
kerr = krb5_c_make_random_key(krbctx,
encsalts[i].ks_enctype,
&key);
} else {
kerr = krb5_c_string_to_key(krbctx,
encsalts[i].ks_enctype,
&pwd, &salt, &key);
}
if (kerr) {
krb5_free_data_contents(krbctx, &salt);
goto done;