git.samba.org / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
krb5: Require krb5_string_to_key be available to build with krb5
[samba.git] / libcli / auth / krb5_wrap.c
1 /*
2    Unix SMB/CIFS implementation.
3    simple kerberos5 routines for active directory
4    Copyright (C) Andrew Tridgell 2001
5    Copyright (C) Luke Howard 2002-2003
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2011
7    Copyright (C) Guenther Deschner 2005-2009
8    Copyright (C) Simo Sorce 2010.
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #ifdef HAVE_KRB5
26
27 #include "libcli/auth/krb5_wrap.h"
28 #include "librpc/gen_ndr/krb5pac.h"
29
30 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
31 int create_kerberos_key_from_string_direct(krb5_context context,
32                                                   krb5_principal host_princ,
33                                                   krb5_data *password,
34                                                   krb5_keyblock *key,
35                                                   krb5_enctype enctype)
36 {
37         int ret = 0;
38         krb5_data salt;
39         krb5_encrypt_block eblock;
40
41         ret = krb5_principal2salt(context, host_princ, &salt);
42         if (ret) {
43                 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
44                 return ret;
45         }
46         krb5_use_enctype(context, &eblock, enctype);
47         ret = krb5_string_to_key(context, &eblock, key, password, &salt);
48         SAFE_FREE(salt.data);
49
50         return ret;
51 }
52 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
53 int create_kerberos_key_from_string_direct(krb5_context context,
54                                                   krb5_principal host_princ,
55                                                   krb5_data *password,
56                                                   krb5_keyblock *key,
57                                                   krb5_enctype enctype)
58 {
59         int ret;
60         krb5_salt salt;
61
62         ret = krb5_get_pw_salt(context, host_princ, &salt);
63         if (ret) {
64                 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
65                 return ret;
66         }
67
68         ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
69         krb5_free_salt(context, salt);
70
71         return ret;
72 }
73 #else
74 #error UNKNOWN_CREATE_KEY_FUNCTIONS
75 #endif
76
77  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
78 {
79 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
80         if (pdata->data) {
81                 krb5_free_data_contents(context, pdata);
82         }
83 #elif defined(HAVE_KRB5_DATA_FREE)
84         krb5_data_free(context, pdata);
85 #else
86         SAFE_FREE(pdata->data);
87 #endif
88 }
89
90
91  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
92 {
93 /* Try krb5_free_keytab_entry_contents first, since
94  * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and
95  * krb5_kt_free_entry but only has a prototype for the first, while the
96  * second is considered private.
97  */
98 #if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
99         return krb5_free_keytab_entry_contents(context, kt_entry);
100 #elif defined(HAVE_KRB5_KT_FREE_ENTRY)
101         return krb5_kt_free_entry(context, kt_entry);
102 #else
103 #error UNKNOWN_KT_FREE_FUNCTION
104 #endif
105 }
106
107 /**************************************************************
108  Wrappers around kerberos string functions that convert from
109  utf8 -> unix charset and vica versa.
110 **************************************************************/
111
112 /**************************************************************
113  krb5_parse_name that takes a UNIX charset.
114 **************************************************************/
115
116  krb5_error_code smb_krb5_parse_name(krb5_context context,
117                                 const char *name, /* in unix charset */
118                                 krb5_principal *principal)
119 {
120         krb5_error_code ret;
121         char *utf8_name;
122         size_t converted_size;
123         TALLOC_CTX *frame = talloc_stackframe();
124
125         if (!push_utf8_talloc(frame, &utf8_name, name, &converted_size)) {
126                 talloc_free(frame);
127                 return ENOMEM;
128         }
129
130         ret = krb5_parse_name(context, utf8_name, principal);
131         TALLOC_FREE(frame);
132         return ret;
133 }
134
135 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
136 static void krb5_free_unparsed_name(krb5_context context, char *val)
137 {
138         SAFE_FREE(val);
139 }
140 #endif
141
142 /**************************************************************
143  krb5_parse_name that returns a UNIX charset name. Must
144  be freed with talloc_free() call.
145 **************************************************************/
146
147 krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
148                                       krb5_context context,
149                                       krb5_const_principal principal,
150                                       char **unix_name)
151 {
152         krb5_error_code ret;
153         char *utf8_name;
154         size_t converted_size;
155
156         *unix_name = NULL;
157         ret = krb5_unparse_name(context, principal, &utf8_name);
158         if (ret) {
159                 return ret;
160         }
161
162         if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
163                 krb5_free_unparsed_name(context, utf8_name);
164                 return ENOMEM;
165         }
166         krb5_free_unparsed_name(context, utf8_name);
167         return 0;
168 }
169
170  krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, 
171                                             const char *name, 
172                                             krb5_principal *principal)
173 {
174 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
175         return smb_krb5_parse_name_norealm_conv(context, name, principal);
176 #endif
177
178         /* we are cheating here because parse_name will in fact set the realm.
179          * We don't care as the only caller of smb_krb5_parse_name_norealm
180          * ignores the realm anyway when calling
181          * smb_krb5_principal_compare_any_realm later - Guenther */
182
183         return smb_krb5_parse_name(context, name, principal);
184 }
185
186  bool smb_krb5_principal_compare_any_realm(krb5_context context, 
187                                           krb5_const_principal princ1, 
188                                           krb5_const_principal princ2)
189 {
190         return krb5_principal_compare_any_realm(context, princ1, princ2);
191 }
192
193  void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
194                                      struct PAC_SIGNATURE_DATA *sig)
195 {
196 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
197         cksum->cksumtype        = (krb5_cksumtype)sig->type;
198         cksum->checksum.length  = sig->signature.length;
199         cksum->checksum.data    = sig->signature.data;
200 #else
201         cksum->checksum_type    = (krb5_cksumtype)sig->type;
202         cksum->length           = sig->signature.length;
203         cksum->contents         = sig->signature.data;
204 #endif
205 }
206
207  krb5_error_code smb_krb5_verify_checksum(krb5_context context,
208                                           const krb5_keyblock *keyblock,
209                                          krb5_keyusage usage,
210                                          krb5_checksum *cksum,
211                                          uint8_t *data,
212                                          size_t length)
213 {
214         krb5_error_code ret;
215
216         /* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
217
218         krb5_boolean checksum_valid = false;
219         krb5_data input;
220         
221         input.data = (char *)data;
222         input.length = length;
223         
224         ret = krb5_c_verify_checksum(context, 
225                                      keyblock, 
226                                      usage,
227                                      &input, 
228                                      cksum,
229                                      &checksum_valid);
230         if (ret) {
231                 DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
232                          error_message(ret)));
233                 return ret;
234         }
235         
236         if (!checksum_valid)
237                 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
238
239         return ret;
240 }
241
242 char *gssapi_error_string(TALLOC_CTX *mem_ctx, 
243                           OM_uint32 maj_stat, OM_uint32 min_stat, 
244                           const gss_OID mech)
245 {
246         OM_uint32 disp_min_stat, disp_maj_stat;
247         gss_buffer_desc maj_error_message;
248         gss_buffer_desc min_error_message;
249         char *maj_error_string, *min_error_string;
250         OM_uint32 msg_ctx = 0;
251
252         char *ret;
253
254         maj_error_message.value = NULL;
255         min_error_message.value = NULL;
256         maj_error_message.length = 0;
257         min_error_message.length = 0;
258         
259         disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
260                            mech, &msg_ctx, &maj_error_message);
261         disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
262                            mech, &msg_ctx, &min_error_message);
263         
264         maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
265
266         min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
267
268         ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
269
270         talloc_free(maj_error_string);
271         talloc_free(min_error_string);
272
273         gss_release_buffer(&disp_min_stat, &maj_error_message);
274         gss_release_buffer(&disp_min_stat, &min_error_message);
275
276         return ret;
277 }
278
279
280  char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
281 {
282         char *ret;
283
284 #if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE)
285         const char *context_error = krb5_get_error_message(context, code);
286         if (context_error) {
287                 ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
288                 krb5_free_error_message(context, context_error);
289                 return ret;
290         }
291 #endif
292         ret = talloc_strdup(mem_ctx, error_message(code));
293         return ret;
294 }
295
296 #endif
Samba Shared Repository