author | Andrew Bartlett <abartlet@samba.org> | 2010-06-28 23:19:16 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-06-29 16:59:30 +1000 |
commit | 5167b97ff2d77ef28c59bb36988835ae421f027b (patch) | |
tree | 384389c931b76c17ae1f9d86d4c400ea796df7ec | |
parent | 9fc3f8194d55c20e1d5404301a0663888c4a0ba5 (diff) | |
s4:kerberos Add functions to convert msDS-SupportedEncryptionTypes
This will allow us to interpret this attribute broadly in Samba.
Andrew Bartlett
-rw-r--r-- | source4/auth/kerberos/kerberos.h | 3 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_util.c | 57 |
2 files changed, 60 insertions, 0 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 7e3a7865d6..b4422b5b16 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -140,6 +140,9 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, time_t tgs_authtime, DATA_BLOB *pac);
 struct loadparm_context;
+uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum);
+/* Translate between the Microsoft msDS-SupportedEncryptionTypes values and the IETF encryption type values */
+krb5_enctype kerberos_enctype_bitmap_to_enctype(uint32_t enctype_bitmap);
 #include "auth/kerberos/proto.h"
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 2b358515f8..30e43f0795 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -740,3 +740,60 @@ krb5_error_code smb_krb5_create_memory_keytab(TALLOC_CTX *parent_ctx,
 return ret;
 }
+/* Translate between the IETF encryption type values and the Microsoft msDS-SupportedEncryptionTypes values */
+uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum)
+{
+ switch (enc_type_enum) {
+ case ENCTYPE_DES_CBC_CRC:
+ return ENC_CRC32;
+ case ENCTYPE_DES_CBC_MD5:
+ return ENC_RSA_MD5;
+ case ENCTYPE_ARCFOUR_HMAC_MD5:
+ return ENC_RC4_HMAC_MD5;
+ case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+ return ENC_HMAC_SHA1_96_AES128;
+ case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+ return ENC_HMAC_SHA1_96_AES256;
+ default:
+ return 0;
+ }
+}
+
+/* Translate between the Microsoft msDS-SupportedEncryptionTypes values and the IETF encryption type values */
+krb5_enctype kerberos_enctype_bitmap_to_enctype(uint32_t enctype_bitmap)
+{
+ switch (enctype_bitmap) {
+ case ENC_CRC32:
+ return ENCTYPE_DES_CBC_CRC;
+ case ENC_RSA_MD5:
+ return ENCTYPE_DES_CBC_MD5;
+ case ENC_RC4_HMAC_MD5:
+ return ENCTYPE_ARCFOUR_HMAC_MD5;
+ case ENC_HMAC_SHA1_96_AES128:
+ return ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ case ENC_HMAC_SHA1_96_AES256:
+ return ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ default:
+ return 0;
+ }
+}
+
+/* Return an array of krb5_enctype values */
+krb5_error_code kerberos_enctype_bitmap_to_enctypes(TALLOC_CTX *mem_ctx, uint32_t enctype_bitmap, krb5_enctype **enctypes)
+{
+ unsigned int i, j = 0;
+ *enctypes = talloc_zero_array(mem_ctx, krb5_enctype, 8*sizeof(enctype_bitmap));
+ if (!*enctypes) {
+ return ENOMEM;
+ }
+ for (i=0; i<(8*sizeof(enctype_bitmap)); i++) {
+ if ((1 << i) & enctype_bitmap) {
+ (*enctypes)[j] = kerberos_enctype_bitmap_to_enctype(enctype_bitmap);
+ if (!(*enctypes)[j]) {
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ j++;
+ }
+ }
+ return 0;
+}
 |
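Review bot: In `kerberos_enctype_bitmap_to_enctypes` the loop tests bit `i` but then passes the whole `enctype_bitmap` to `kerberos_enctype_bitmap_to_enctype()`, so any value with more than one bit set lands in that function's `default:` and the call fails with `KRB5_PROG_ETYPE_NOSUPP`; only the bit under test should be converted, `(*enctypes)[j] = kerberos_enctype_bitmap_to_enctype((1U << i) & enctype_bitmap);`. The test itself should read `if ((1U << i) & enctype_bitmap) {`, because `1 << i` on a signed int is undefined once `i` reaches 31. The NOSUPP return leaves `*enctypes` pointing at a partly filled array; calling `talloc_free(*enctypes)` and setting it to NULL before returning would stop a caller that ignores the error from using it. Even with the bit fix, a single set bit that has no mapping still fails the whole conversion, so, if callers use this list to choose a principal's ciphers, the function comment should state whether unmapped bits are rejected or skipped, and that 0 is the "unknown" sentinel of both single-value converters. The table also maps the DES and RC4 bits, so any restriction to AES would have to be applied by the caller.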