2 Unix SMB/CIFS implementation.
3 simple kerberos5 routines for active directory
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Luke Howard 2002-2003
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2011
7 Copyright (C) Guenther Deschner 2005-2009
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "libcli/auth/krb5_wrap.h"
27 #include "librpc/gen_ndr/krb5pac.h"
29 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
30 int create_kerberos_key_from_string_direct(krb5_context context,
31 krb5_principal host_princ,
38 krb5_encrypt_block eblock;
40 ret = krb5_principal2salt(context, host_princ, &salt);
42 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
45 krb5_use_enctype(context, &eblock, enctype);
46 ret = krb5_string_to_key(context, &eblock, key, password, &salt);
51 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
52 int create_kerberos_key_from_string_direct(krb5_context context,
53 krb5_principal host_princ,
61 ret = krb5_get_pw_salt(context, host_princ, &salt);
63 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
67 ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
68 krb5_free_salt(context, salt);
73 #error UNKNOWN_CREATE_KEY_FUNCTIONS
76 void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
78 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
80 krb5_free_data_contents(context, pdata);
82 #elif defined(HAVE_KRB5_DATA_FREE)
83 krb5_data_free(context, pdata);
85 SAFE_FREE(pdata->data);
90 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
92 /* Try krb5_free_keytab_entry_contents first, since
93 * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and
94 * krb5_kt_free_entry but only has a prototype for the first, while the
95 * second is considered private.
97 #if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
98 return krb5_free_keytab_entry_contents(context, kt_entry);
99 #elif defined(HAVE_KRB5_KT_FREE_ENTRY)
100 return krb5_kt_free_entry(context, kt_entry);
102 #error UNKNOWN_KT_FREE_FUNCTION
106 /**************************************************************
107 Wrappers around kerberos string functions that convert from
108 utf8 -> unix charset and vica versa.
109 **************************************************************/
111 /**************************************************************
112 krb5_parse_name that takes a UNIX charset.
113 **************************************************************/
115 krb5_error_code smb_krb5_parse_name(krb5_context context,
116 const char *name, /* in unix charset */
117 krb5_principal *principal)
121 size_t converted_size;
123 if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
127 ret = krb5_parse_name(context, utf8_name, principal);
128 TALLOC_FREE(utf8_name);
132 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
133 static void krb5_free_unparsed_name(krb5_context context, char *val)
139 /**************************************************************
140 krb5_parse_name that returns a UNIX charset name. Must
141 be freed with talloc_free() call.
142 **************************************************************/
144 krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
145 krb5_context context,
146 krb5_const_principal principal,
151 size_t converted_size;
154 ret = krb5_unparse_name(context, principal, &utf8_name);
159 if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
160 krb5_free_unparsed_name(context, utf8_name);
163 krb5_free_unparsed_name(context, utf8_name);
167 krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
169 krb5_principal *principal)
171 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
172 return smb_krb5_parse_name_norealm_conv(context, name, principal);
175 /* we are cheating here because parse_name will in fact set the realm.
176 * We don't care as the only caller of smb_krb5_parse_name_norealm
177 * ignores the realm anyway when calling
178 * smb_krb5_principal_compare_any_realm later - Guenther */
180 return smb_krb5_parse_name(context, name, principal);
183 bool smb_krb5_principal_compare_any_realm(krb5_context context,
184 krb5_const_principal princ1,
185 krb5_const_principal princ2)
187 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
189 return krb5_principal_compare_any_realm(context, princ1, princ2);
191 /* krb5_princ_size is a macro in MIT */
192 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
195 const krb5_data *p1, *p2;
197 len1 = krb5_princ_size(context, princ1);
198 len2 = krb5_princ_size(context, princ2);
203 for (i = 0; i < len1; i++) {
205 p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
206 p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
208 if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
214 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
218 void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
219 struct PAC_SIGNATURE_DATA *sig)
221 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
222 cksum->cksumtype = (krb5_cksumtype)sig->type;
223 cksum->checksum.length = sig->signature.length;
224 cksum->checksum.data = sig->signature.data;
226 cksum->checksum_type = (krb5_cksumtype)sig->type;
227 cksum->length = sig->signature.length;
228 cksum->contents = sig->signature.data;
232 krb5_error_code smb_krb5_verify_checksum(krb5_context context,
233 const krb5_keyblock *keyblock,
235 krb5_checksum *cksum,
241 /* verify the checksum */
243 /* welcome to the wonderful world of samba's kerberos abstraction layer:
245 * function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2
246 * -----------------------------------------------------------------------------
247 * krb5_c_verify_checksum - works works
248 * krb5_verify_checksum works (6 args) works (6 args) broken (7 args)
251 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
253 krb5_boolean checksum_valid = false;
256 input.data = (char *)data;
257 input.length = length;
259 ret = krb5_c_verify_checksum(context,
266 DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
267 error_message(ret)));
272 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
275 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
277 /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
278 * without enctype and it ignores any key_usage types - Guenther */
283 ret = krb5_crypto_init(context,
288 DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
289 error_message(ret)));
293 ret = krb5_verify_checksum(context,
300 krb5_crypto_destroy(context, crypto);
304 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
310 char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
314 #if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE)
315 const char *context_error = krb5_get_error_message(context, code);
317 ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
318 krb5_free_error_message(context, context_error);
322 ret = talloc_strdup(mem_ctx, error_message(code));