krb5 commit: Add libkdb function to specialize principal's salt

Greg Hudson ghudson at mit.edu
Mon May 23 16:25:50 EDT 2016


https://github.com/krb5/krb5/commit/09cdb3079508f9d3fcc107a8ee8e7537f70c9d37
commit 09cdb3079508f9d3fcc107a8ee8e7537f70c9d37
Author: Sarah Day <sarahday at mit.edu>
Date:   Mon May 2 17:06:35 2016 -0400

    Add libkdb function to specialize principal's salt
    
    Add a function krb5_dbe_specialize_salt() to libkdb5 which transforms
    a principal entry's salt to KRB5_KDB_SALTTYPE_SPECIAL.
    
    ticket: 8418 (new)

 src/include/kdb.h           |    7 +++++++
 src/lib/kdb/kdb5.c          |   42 ++++++++++++++++++++++++++++++++++++++++++
 src/lib/kdb/libkdb5.exports |    1 +
 3 files changed, 50 insertions(+), 0 deletions(-)

diff --git a/src/include/kdb.h b/src/include/kdb.h
index 0a9ddbd..63eadc4 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -602,6 +602,13 @@ krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key,
                       krb5_const_principal princ, krb5_int16 *salttype_out,
                       krb5_data **salt_out);
 
+/*
+ * Modify the key data of entry to explicitly store salt values using the
+ * KRB5_KDB_SALTTYPE_SPECIAL salt type.
+ */
+krb5_error_code
+krb5_dbe_specialize_salt(krb5_context context, krb5_db_entry *entry);
+
 krb5_error_code
 krb5_dbe_cpw( krb5_context        kcontext,
               krb5_keyblock       * master_key,
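Review bot: The comment added above the krb5_dbe_specialize_salt() prototype omits the contract a caller of a libkdb5 API needs: the entry is rewritten in place, NULL arguments are rejected, and (per the kdb5.c hunk in this commit) a failure part-way through the key_data loop leaves the elements already processed converted while later ones keep their original salt type. Suggest extending the comment with: `Returns EINVAL if context or entry is NULL, otherwise an error from krb5_dbe_compute_salt() or allocation; on error, key_data elements converted before the failure are left in the SPECIAL form.` Callers that must keep the entry consistent can then decide whether to discard the entry on error rather than store it.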
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index deafed1..68bec6e 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -2260,6 +2260,48 @@ krb5_dbe_compute_salt(krb5_context context, const krb5_key_data *key,
     return 0;
 }
 
+krb5_error_code
+krb5_dbe_specialize_salt(krb5_context context, krb5_db_entry *entry)
+{
+    krb5_int16 stype, i;
+    krb5_data *salt = NULL;
+    krb5_error_code ret = 0;
+    uint8_t *data;
+
+    if (context == NULL || entry == NULL)
+        return EINVAL;
+
+    /*
+     * Store salt values explicitly so that they don't depend on the principal
+     * name.
+     */
+    for (i = 0; i < entry->n_key_data; i++) {
+        ret = krb5_dbe_compute_salt(context, &entry->key_data[i], entry->princ,
+                                    &stype, &salt);
+        if (ret)
+            goto cleanup;
+
+        data = krb5_db_alloc(context, NULL, salt->length);
+        if (data == NULL) {
+            ret = ENOMEM;
+            goto cleanup;
+        }
+        memcpy(data, salt->data, salt->length);
+
+        entry->key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL;
+        krb5_db_free(context, entry->key_data[i].key_data_contents[1]);
+        entry->key_data[i].key_data_contents[1] = data;
+        entry->key_data[i].key_data_length[1] = salt->length;
+        entry->key_data[i].key_data_ver = 2;
+        krb5_free_data(context, salt);
+        salt = NULL;
+    }
+
+cleanup:
+    krb5_free_data(context, salt);
+    return ret;
+}
+
 /* change password functions */
 krb5_error_code
 krb5_dbe_cpw(krb5_context kcontext, krb5_keyblock *master_key,
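Review bot: The allocation at `data = krb5_db_alloc(context, NULL, salt->length);` treats a NULL result as ENOMEM without considering a zero-length salt; if krb5_dbe_compute_salt() can produce an empty salt for some salt type (its body is outside this hunk, so I cannot confirm), an allocator that returns NULL for size 0 would make a valid entry fail with ENOMEM, and the following `memcpy(data, salt->data, 0)` with a NULL destination is undefined behavior. A guard such as `if (data == NULL && salt->length != 0) { ret = ENOMEM; goto cleanup; }` and skipping the memcpy when the length is zero covers that case without changing the normal path. The in-loop free of `entry->key_data[i].key_data_contents[1]` before the assignment means the old pointer is never left dangling, which is correct, but it also means the conversion is not transactional; the header comment should say so.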
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index 68ac537..60ab4b2 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
@@ -58,6 +58,7 @@ krb5_dbe_lookup_mod_princ_data
 krb5_dbe_lookup_tl_data
 krb5_dbe_search_enctype
 krb5_dbe_set_string
+krb5_dbe_specialize_salt
 krb5_dbe_update_actkvno
 krb5_dbe_update_last_admin_unlock
 krb5_dbe_update_last_pwd_change

