source3/libsmb/clikrb5.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    simple kerberos5 routines for active directory
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Luke Howard 2002-2003
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7    Copyright (C) Guenther Deschner 2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
  25 #define KRB5_DEPRECATED 1       /* this file uses DEPRECATED interfaces! */
  26
  27 #include "includes.h"
  28
  29 #ifdef HAVE_KRB5
  30
  31 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
  32 #define KRB5_KEY_TYPE(k)        ((k)->keytype)
  33 #define KRB5_KEY_LENGTH(k)      ((k)->keyvalue.length)
  34 #define KRB5_KEY_DATA(k)        ((k)->keyvalue.data)
  35 #else
  36 #define KRB5_KEY_TYPE(k)        ((k)->enctype)
  37 #define KRB5_KEY_LENGTH(k)      ((k)->length)
  38 #define KRB5_KEY_DATA(k)        ((k)->contents)
  39 #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
  40
  41 #ifndef HAVE_KRB5_SET_REAL_TIME
  42 /*
  43  * This function is not in the Heimdal mainline.
  44  */
  45  krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
  46 {
  47         krb5_error_code ret;
  48         int32_t sec, usec;
  49
  50         ret = krb5_us_timeofday(context, &sec, &usec);
  51         if (ret)
  52                 return ret;
  53
  54         context->kdc_sec_offset = seconds - sec;
  55         context->kdc_usec_offset = microseconds - usec;
  56
  57         return 0;
  58 }
  59 #endif
  60
  61 #if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
  62  krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
  63 {
  64         return krb5_set_default_in_tkt_etypes(ctx, enc);
  65 }
  66 #endif
  67
  68 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
  69 /* HEIMDAL */
  70  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  71 {
  72         pkaddr->addr_type = KRB5_ADDRESS_INET;
  73         pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  74         pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
  75 }
  76 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
  77 /* MIT */
  78  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  79 {
  80         pkaddr->addrtype = ADDRTYPE_INET;
  81         pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  82         pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
  83 }
  84 #else
  85 #error UNKNOWN_ADDRTYPE
  86 #endif
  87
  88 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
  89  int create_kerberos_key_from_string_direct(krb5_context context,
  90                                         krb5_principal host_princ,
  91                                         krb5_data *password,
  92                                         krb5_keyblock *key,
  93                                         krb5_enctype enctype)
  94 {
  95         int ret;
  96         krb5_data salt;
  97         krb5_encrypt_block eblock;
  98
  99         ret = krb5_principal2salt(context, host_princ, &salt);
 100         if (ret) {
 101                 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
 102                 return ret;
 103         }
 104         krb5_use_enctype(context, &eblock, enctype);
 105         ret = krb5_string_to_key(context, &eblock, key, password, &salt);
 106         SAFE_FREE(salt.data);
 107         return ret;
 108 }
 109 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
 110  int create_kerberos_key_from_string_direct(krb5_context context,
 111                                         krb5_principal host_princ,
 112                                         krb5_data *password,
 113                                         krb5_keyblock *key,
 114                                         krb5_enctype enctype)
 115 {
 116         int ret;
 117         krb5_salt salt;
 118
 119         ret = krb5_get_pw_salt(context, host_princ, &salt);
 120         if (ret) {
 121                 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
 122                 return ret;
 123         }
 124
 125         ret = krb5_string_to_key_salt(context, enctype, password->data, salt, key);
 126         krb5_free_salt(context, salt);
 127         return ret;
 128 }
 129 #else
 130 #error UNKNOWN_CREATE_KEY_FUNCTIONS
 131 #endif
 132
 133  int create_kerberos_key_from_string(krb5_context context,
 134                                         krb5_principal host_princ,
 135                                         krb5_data *password,
 136                                         krb5_keyblock *key,
 137                                         krb5_enctype enctype)
 138 {
 139         krb5_principal salt_princ = NULL;
 140         int ret;
 141         /*
 142          * Check if we've determined that the KDC is salting keys for this
 143          * principal/enctype in a non-obvious way.  If it is, try to match
 144          * its behavior.
 145          */
 146         salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
 147         ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
 148         if (salt_princ) {
 149                 krb5_free_principal(context, salt_princ);
 150         }
 151         return ret;
 152 }
 153
 154 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
 155  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 156                                             krb5_enctype **enctypes)
 157 {
 158         return krb5_get_permitted_enctypes(context, enctypes);
 159 }
 160 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
 161  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 162                                             krb5_enctype **enctypes)
 163 {
 164         return krb5_get_default_in_tkt_etypes(context, enctypes);
 165 }
 166 #else
 167 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
 168 #endif
 169
 170  void free_kerberos_etypes(krb5_context context,
 171                            krb5_enctype *enctypes)
 172 {
 173 #if defined(HAVE_KRB5_FREE_KTYPES)
 174         krb5_free_ktypes(context, enctypes);
 175         return;
 176 #else
 177         SAFE_FREE(enctypes);
 178         return;
 179 #endif
 180 }
 181
 182 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
 183  krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
 184                                         krb5_auth_context auth_context,
 185                                         krb5_keyblock *keyblock)
 186 {
 187         return krb5_auth_con_setkey(context, auth_context, keyblock);
 188 }
 189 #endif
 190
 191 BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
 192 {
 193         DATA_BLOB pac_contents;
 194         ASN1_DATA data;
 195         int data_type;
 196
 197         if (!auth_data->length) {
 198                 return False;
 199         }
 200
 201         asn1_load(&data, *auth_data);
 202         asn1_start_tag(&data, ASN1_SEQUENCE(0));
 203         asn1_start_tag(&data, ASN1_SEQUENCE(0));
 204         asn1_start_tag(&data, ASN1_CONTEXT(0));
 205         asn1_read_Integer(&data, &data_type);
 206
 207         if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) {
 208                 DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type));
 209                 asn1_free(&data);
 210                 return False;
 211         }
 212
 213         asn1_end_tag(&data);
 214         asn1_start_tag(&data, ASN1_CONTEXT(1));
 215         asn1_read_OctetString(&data, &pac_contents);
 216         asn1_end_tag(&data);
 217         asn1_end_tag(&data);
 218         asn1_end_tag(&data);
 219         asn1_free(&data);
 220
 221         *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length);
 222
 223         data_blob_free(&pac_contents);
 224
 225         return True;
 226 }
 227
 228  BOOL get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt)
 229 {
 230         DATA_BLOB auth_data_wrapped;
 231         BOOL got_auth_data_pac = False;
 232         int i;
 233
 234 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 235         if (tkt->enc_part2 && tkt->enc_part2->authorization_data &&
 236             tkt->enc_part2->authorization_data[0] &&
 237             tkt->enc_part2->authorization_data[0]->length)
 238         {
 239                 for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) {
 240
 241                         if (tkt->enc_part2->authorization_data[i]->ad_type !=
 242                             KRB5_AUTHDATA_IF_RELEVANT) {
 243                                 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
 244                                         tkt->enc_part2->authorization_data[i]->ad_type));
 245                                 continue;
 246                         }
 247
 248                         auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents,
 249                                                       tkt->enc_part2->authorization_data[i]->length);
 250
 251                         /* check if it is a PAC */
 252                         got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
 253                         data_blob_free(&auth_data_wrapped);
 254
 255                         if (!got_auth_data_pac) {
 256                                 continue;
 257                         }
 258                 }
 259
 260                 return got_auth_data_pac;
 261         }
 262
 263 #else
 264         if (tkt->ticket.authorization_data &&
 265             tkt->ticket.authorization_data->len)
 266         {
 267                 for (i = 0; i < tkt->ticket.authorization_data->len; i++) {
 268
 269                         if (tkt->ticket.authorization_data->val[i].ad_type !=
 270                             KRB5_AUTHDATA_IF_RELEVANT) {
 271                                 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
 272                                         tkt->ticket.authorization_data->val[i].ad_type));
 273                                 continue;
 274                         }
 275
 276                         auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data,
 277                                                       tkt->ticket.authorization_data->val[i].ad_data.length);
 278
 279                         /* check if it is a PAC */
 280                         got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
 281                         data_blob_free(&auth_data_wrapped);
 282
 283                         if (!got_auth_data_pac) {
 284                                 continue;
 285                         }
 286                 }
 287
 288                 return got_auth_data_pac;
 289         }
 290 #endif
 291         return False;
 292 }
 293
 294  krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
 295 {
 296 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 297         return tkt->enc_part2->client;
 298 #else
 299         return tkt->client;
 300 #endif
 301 }
 302
 303 #if !defined(HAVE_KRB5_LOCATE_KDC)
 304  krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
 305 {
 306         krb5_krbhst_handle hnd;
 307         krb5_krbhst_info *hinfo;
 308         krb5_error_code rc;
 309         int num_kdcs, i;
 310         struct sockaddr *sa;
 311         struct addrinfo *ai;
 312
 313         *addr_pp = NULL;
 314         *naddrs = 0;
 315
 316         rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
 317         if (rc) {
 318                 DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
 319                 return rc;
 320         }
 321
 322         for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
 323                 ;
 324
 325         krb5_krbhst_reset(ctx, hnd);
 326
 327         if (!num_kdcs) {
 328                 DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n"));
 329                 krb5_krbhst_free(ctx, hnd);
 330                 return -1;
 331         }
 332
 333         sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
 334         if (!sa) {
 335                 DEBUG(0, ("krb5_locate_kdc: malloc failed\n"));
 336                 krb5_krbhst_free(ctx, hnd);
 337                 naddrs = 0;
 338                 return -1;
 339         }
 340
 341         memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
 342
 343         for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
 344
 345 #if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
 346                 rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
 347                 if (rc) {
 348                         DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
 349                         continue;
 350                 }
 351 #endif
 352                 if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
 353                         memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
 354         }
 355
 356         krb5_krbhst_free(ctx, hnd);
 357
 358         *naddrs = num_kdcs;
 359         *addr_pp = sa;
 360         return 0;
 361 }
 362 #endif
 363
 364 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
 365  void krb5_free_unparsed_name(krb5_context context, char *val)
 366 {
 367         SAFE_FREE(val);
 368 }
 369 #endif
 370
 371  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
 372 {
 373 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
 374         if (pdata->data) {
 375                 krb5_free_data_contents(context, pdata);
 376         }
 377 #else
 378         SAFE_FREE(pdata->data);
 379 #endif
 380 }
 381
 382  void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 383 {
 384 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
 385         KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
 386 #elif defined(HAVE_KRB5_SESSION_IN_CREDS)
 387         KRB5_KEY_TYPE((&pcreds->session)) = enctype;
 388 #else
 389 #error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
 390 #endif
 391 }
 392
 393  BOOL kerberos_compatible_enctypes(krb5_context context,
 394                                   krb5_enctype enctype1,
 395                                   krb5_enctype enctype2)
 396 {
 397 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
 398         krb5_boolean similar = 0;
 399
 400         krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
 401         return similar ? True : False;
 402 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
 403         return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
 404 #endif
 405 }
 406
 407 static BOOL ads_cleanup_expired_creds(krb5_context context,
 408                                       krb5_ccache  ccache,
 409                                       krb5_creds  *credsp)
 410 {
 411         krb5_error_code retval;
 412
 413         DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
 414                   krb5_cc_default_name(context),
 415                   http_timestring(credsp->times.endtime)));
 416
 417         /* we will probably need new tickets if the current ones
 418            will expire within 10 seconds.
 419         */
 420         if (credsp->times.endtime >= (time(NULL) + 10))
 421                 return False;
 422
 423         /* heimdal won't remove creds from a file ccache, and
 424            perhaps we shouldn't anyway, since internally we
 425            use memory ccaches, and a FILE one probably means that
 426            we're using creds obtained outside of our exectuable
 427         */
 428         if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) {
 429                 DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n"));
 430                 return False;
 431         }
 432
 433         retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
 434         if (retval) {
 435                 DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
 436                           error_message(retval)));
 437                 /* If we have an error in this, we want to display it,
 438                    but continue as though we deleted it */
 439         }
 440         return True;
 441 }
 442
 443 /*
 444   we can't use krb5_mk_req because w2k wants the service to be in a particular format
 445 */
 446 static krb5_error_code ads_krb5_mk_req(krb5_context context,
 447                                        krb5_auth_context *auth_context,
 448                                        const krb5_flags ap_req_options,
 449                                        const char *principal,
 450                                        krb5_ccache ccache,
 451                                        krb5_data *outbuf)
 452 {
 453         krb5_error_code           retval;
 454         krb5_principal    server;
 455         krb5_creds              * credsp;
 456         krb5_creds                creds;
 457         krb5_data in_data;
 458         BOOL creds_ready = False;
 459
 460         retval = krb5_parse_name(context, principal, &server);
 461         if (retval) {
 462                 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
 463                 return retval;
 464         }
 465
 466         /* obtain ticket & session key */
 467         ZERO_STRUCT(creds);
 468         if ((retval = krb5_copy_principal(context, server, &creds.server))) {
 469                 DEBUG(1,("krb5_copy_principal failed (%s)\n",
 470                          error_message(retval)));
 471                 goto cleanup_princ;
 472         }
 473
 474         if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
 475                 /* This can commonly fail on smbd startup with no ticket in the cache.
 476                  * Report at higher level than 1. */
 477                 DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
 478                          error_message(retval)));
 479                 goto cleanup_creds;
 480         }
 481
 482         while(!creds_ready) {
 483                 if ((retval = krb5_get_credentials(context, 0, ccache,
 484                                                    &creds, &credsp))) {
 485                         DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
 486                                  principal, error_message(retval)));
 487                         goto cleanup_creds;
 488                 }
 489
 490                 /* cope with ticket being in the future due to clock skew */
 491                 if ((unsigned)credsp->times.starttime > time(NULL)) {
 492                         time_t t = time(NULL);
 493                         int time_offset =(int)((unsigned)credsp->times.starttime-t);
 494                         DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 495                         krb5_set_real_time(context, t + time_offset + 1, 0);
 496                 }
 497
 498                 if (!ads_cleanup_expired_creds(context, ccache, credsp))
 499                         creds_ready = True;
 500         }
 501
 502         DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n",
 503                   principal, krb5_cc_default_name(context),
 504                   http_timestring((unsigned)credsp->times.endtime),
 505                   (unsigned)credsp->times.endtime));
 506
 507         in_data.length = 0;
 508         retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
 509                                       &in_data, credsp, outbuf);
 510         if (retval) {
 511                 DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
 512                          error_message(retval)));
 513         }
 514
 515         krb5_free_creds(context, credsp);
 516
 517 cleanup_creds:
 518         krb5_free_cred_contents(context, &creds);
 519
 520 cleanup_princ:
 521         krb5_free_principal(context, server);
 522
 523         return retval;
 524 }
 525
 526 /*
 527   get a kerberos5 ticket for the given service
 528 */
 529 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 530                         DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts)
 531 {
 532         krb5_error_code retval;
 533         krb5_data packet;
 534         krb5_context context = NULL;
 535         krb5_ccache ccdef = NULL;
 536         krb5_auth_context auth_context = NULL;
 537         krb5_enctype enc_types[] = {
 538 #ifdef ENCTYPE_ARCFOUR_HMAC
 539                 ENCTYPE_ARCFOUR_HMAC,
 540 #endif
 541                 ENCTYPE_DES_CBC_MD5,
 542                 ENCTYPE_DES_CBC_CRC,
 543                 ENCTYPE_NULL};
 544
 545         initialize_krb5_error_table();
 546         retval = krb5_init_context(&context);
 547         if (retval) {
 548                 DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n",
 549                          error_message(retval)));
 550                 goto failed;
 551         }
 552
 553         if (time_offset != 0) {
 554                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
 555         }
 556
 557         if ((retval = krb5_cc_default(context, &ccdef))) {
 558                 DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
 559                          error_message(retval)));
 560                 goto failed;
 561         }
 562
 563         if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
 564                 DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
 565                          error_message(retval)));
 566                 goto failed;
 567         }
 568
 569         if ((retval = ads_krb5_mk_req(context,
 570                                         &auth_context,
 571                                         AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
 572                                         principal,
 573                                         ccdef, &packet))) {
 574                 goto failed;
 575         }
 576
 577         get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
 578
 579         *ticket = data_blob(packet.data, packet.length);
 580
 581         kerberos_free_data_contents(context, &packet);
 582
 583 failed:
 584
 585         if ( context ) {
 586                 if (ccdef)
 587                         krb5_cc_close(context, ccdef);
 588                 if (auth_context)
 589                         krb5_auth_con_free(context, auth_context);
 590                 krb5_free_context(context);
 591         }
 592
 593         return retval;
 594 }
 595
 596  BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
 597  {
 598         krb5_keyblock *skey;
 599         krb5_error_code err;
 600         BOOL ret = False;
 601
 602         if (remote)
 603                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
 604         else
 605                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
 606         if (err == 0 && skey != NULL) {
 607                 DEBUG(10, ("Got KRB5 session key of length %d\n",  KRB5_KEY_LENGTH(skey)));
 608                 *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
 609                 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
 610
 611                 ret = True;
 612
 613                 krb5_free_keyblock(context, skey);
 614         } else {
 615                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
 616         }
 617
 618         return ret;
 619  }
 620
 621
 622 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
 623  const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
 624
 625  const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
 626 {
 627         static krb5_data kdata;
 628
 629         kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i);
 630         kdata.length = strlen(kdata.data);
 631         return &kdata;
 632 }
 633 #endif
 634
 635  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
 636 {
 637 #if defined(HAVE_KRB5_KT_FREE_ENTRY)
 638         return krb5_kt_free_entry(context, kt_entry);
 639 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
 640         return krb5_free_keytab_entry_contents(context, kt_entry);
 641 #else
 642 #error UNKNOWN_KT_FREE_FUNCTION
 643 #endif
 644 }
 645
 646  void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
 647                                     PAC_SIGNATURE_DATA *sig)
 648 {
 649 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
 650         cksum->cksumtype        = (krb5_cksumtype)sig->type;
 651         cksum->checksum.length  = sig->signature.buf_len;
 652         cksum->checksum.data    = sig->signature.buffer;
 653 #else
 654         cksum->checksum_type    = (krb5_cksumtype)sig->type;
 655         cksum->length           = sig->signature.buf_len;
 656         cksum->contents         = sig->signature.buffer;
 657 #endif
 658 }
 659
 660  krb5_error_code smb_krb5_verify_checksum(krb5_context context,
 661                                          krb5_keyblock *keyblock,
 662                                          krb5_keyusage usage,
 663                                          krb5_checksum *cksum,
 664                                          uint8 *data,
 665                                          size_t length)
 666 {
 667         krb5_error_code ret;
 668
 669         /* verify the checksum */
 670
 671         /* welcome to the wonderful world of samba's kerberos abstraction layer:
 672          *
 673          * function                     heimdal 0.6.1rc3        heimdal 0.7     MIT krb 1.4.2
 674          * -----------------------------------------------------------------------------
 675          * krb5_c_verify_checksum       -                       works           works
 676          * krb5_verify_checksum         works (6 args)          works (6 args)  broken (7 args)
 677          */
 678
 679 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
 680         {
 681                 krb5_boolean checksum_valid = False;
 682                 krb5_data input;
 683
 684                 input.data = (char *)data;
 685                 input.length = length;
 686
 687                 ret = krb5_c_verify_checksum(context,
 688                                              keyblock,
 689                                              usage,
 690                                              &input,
 691                                              cksum,
 692                                              &checksum_valid);
 693                 if (ret) {
 694                         DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
 695                                 error_message(ret)));
 696                         return ret;
 697                 }
 698
 699                 if (!checksum_valid)
 700                         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 701         }
 702
 703 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
 704
 705         /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
 706          * without enctype and it ignores any key_usage types - Guenther */
 707
 708         {
 709
 710                 krb5_crypto crypto;
 711                 ret = krb5_crypto_init(context,
 712                                        keyblock,
 713                                        0,
 714                                        &crypto);
 715                 if (ret) {
 716                         DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
 717                                 error_message(ret)));
 718                         return ret;
 719                 }
 720
 721                 ret = krb5_verify_checksum(context,
 722                                            crypto,
 723                                            usage,
 724                                            data,
 725                                            length,
 726                                            cksum);
 727
 728                 krb5_crypto_destroy(context, crypto);
 729         }
 730
 731 #else
 732 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
 733 #endif
 734
 735         return ret;
 736 }
 737
 738  time_t get_authtime_from_tkt(krb5_ticket *tkt)
 739 {
 740 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 741         return tkt->enc_part2->times.authtime;
 742 #else
 743         return tkt->ticket.authtime;
 744 #endif
 745 }
 746
 747 static int get_kvno_from_ap_req(krb5_ap_req *ap_req)
 748 {
 749 #ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */
 750         if (ap_req->ticket->enc_part.kvno)
 751                 return ap_req->ticket->enc_part.kvno;
 752 #else /* Heimdal */
 753         if (ap_req->ticket.enc_part.kvno)
 754                 return *ap_req->ticket.enc_part.kvno;
 755 #endif
 756         return 0;
 757 }
 758
 759 static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req)
 760 {
 761 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
 762         return ap_req->ticket.enc_part.etype;
 763 #else /* MIT */
 764         return ap_req->ticket->enc_part.enctype;
 765 #endif
 766 }
 767
 768 static krb5_error_code
 769 get_key_from_keytab(krb5_context context,
 770                     krb5_const_principal server,
 771                     krb5_enctype enctype,
 772                     krb5_kvno kvno,
 773                     krb5_keyblock **out_key)
 774 {
 775         krb5_keytab_entry entry;
 776         krb5_error_code ret;
 777         krb5_keytab keytab;
 778         char *name = NULL;
 779
 780         /* We have to open a new keytab handle here, as MIT does
 781            an implicit open/getnext/close on krb5_kt_get_entry. We
 782            may be in the middle of a keytab enumeration when this is
 783            called. JRA. */
 784
 785         ret = krb5_kt_default(context, &keytab);
 786         if (ret) {
 787                 DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret)));
 788                 return ret;
 789         }
 790
 791         if ( DEBUGLEVEL >= 10 ) {
 792                 krb5_unparse_name(context, server, &name);
 793                 DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n",
 794                         kvno, enctype, name));
 795                 krb5_free_unparsed_name(context, name);
 796         }
 797
 798         ret = krb5_kt_get_entry(context,
 799                                 keytab,
 800                                 server,
 801                                 kvno,
 802                                 enctype,
 803                                 &entry);
 804
 805         if (ret) {
 806                 DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret)));
 807                 goto out;
 808         }
 809
 810 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
 811         ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
 812 #elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
 813         ret = krb5_copy_keyblock(context, &entry.key, out_key);
 814 #else
 815 #error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
 816 #endif
 817
 818         if (ret) {
 819                 DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
 820                 goto out;
 821         }
 822
 823         smb_krb5_kt_free_entry(context, &entry);
 824
 825 out:
 826         krb5_kt_close(context, keytab);
 827         return ret;
 828 }
 829
 830  void smb_krb5_free_ap_req(krb5_context context,
 831                           krb5_ap_req *ap_req)
 832 {
 833 #ifdef HAVE_KRB5_FREE_AP_REQ /* MIT */
 834         krb5_free_ap_req(context, ap_req);
 835 #elif defined(HAVE_FREE_AP_REQ) /* Heimdal */
 836         free_AP_REQ(ap_req);
 837 #else
 838 #error UNKNOWN_KRB5_AP_REQ_FREE_FUNCTION
 839 #endif
 840 }
 841
 842 /* Prototypes */
 843 #if defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */
 844 krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep);
 845 #endif
 846
 847  krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
 848                                                  const krb5_data *inbuf,
 849                                                  krb5_kvno *kvno,
 850                                                  krb5_enctype *enctype)
 851 {
 852         krb5_error_code ret;
 853 #ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
 854         {
 855                 krb5_ap_req ap_req;
 856
 857                 ret = krb5_decode_ap_req(context, inbuf, &ap_req);
 858                 if (ret)
 859                         return ret;
 860
 861                 *kvno = get_kvno_from_ap_req(&ap_req);
 862                 *enctype = get_enctype_from_ap_req(&ap_req);
 863
 864                 smb_krb5_free_ap_req(context, &ap_req);
 865         }
 866 #elif defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */
 867         {
 868                 krb5_ap_req *ap_req = NULL;
 869
 870                 ret = decode_krb5_ap_req(inbuf, &ap_req);
 871                 if (ret)
 872                         return ret;
 873
 874                 *kvno = get_kvno_from_ap_req(ap_req);
 875                 *enctype = get_enctype_from_ap_req(ap_req);
 876
 877                 smb_krb5_free_ap_req(context, ap_req);
 878         }
 879 #else
 880 #error UNKOWN_KRB5_AP_REQ_DECODING_FUNCTION
 881 #endif
 882         return ret;
 883 }
 884
 885  krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
 886                                                         krb5_auth_context *auth_context,
 887                                                         const krb5_data *inbuf,
 888                                                         krb5_const_principal server,
 889                                                         krb5_keytab keytab,
 890                                                         krb5_flags *ap_req_options,
 891                                                         krb5_ticket **ticket,
 892                                                         krb5_keyblock **keyblock)
 893 {
 894         krb5_error_code ret;
 895         krb5_ap_req *ap_req = NULL;
 896         krb5_kvno kvno;
 897         krb5_enctype enctype;
 898         krb5_keyblock *local_keyblock;
 899
 900         ret = krb5_rd_req(context,
 901                           auth_context,
 902                           inbuf,
 903                           server,
 904                           keytab,
 905                           ap_req_options,
 906                           ticket);
 907         if (ret) {
 908                 return ret;
 909         }
 910
 911         ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype);
 912         if (ret) {
 913                 return ret;
 914         }
 915
 916         ret = get_key_from_keytab(context,
 917                                   server,
 918                                   enctype,
 919                                   kvno,
 920                                   &local_keyblock);
 921         if (ret) {
 922                 DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n"));
 923                 goto out;
 924         }
 925
 926 out:
 927         if (ap_req) {
 928                 smb_krb5_free_ap_req(context, ap_req);
 929         }
 930
 931         if (ret && local_keyblock != NULL) {
 932                 krb5_free_keyblock(context, local_keyblock);
 933         } else {
 934                 *keyblock = local_keyblock;
 935         }
 936
 937         return ret;
 938 }
 939
 940  krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
 941                                             const char *name,
 942                                             krb5_principal *principal)
 943 {
 944 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
 945         return krb5_parse_name_norealm(context, name, principal);
 946 #endif
 947
 948         /* we are cheating here because parse_name will in fact set the realm.
 949          * We don't care as the only caller of smb_krb5_parse_name_norealm
 950          * ignores the realm anyway when calling
 951          * smb_krb5_principal_compare_any_realm later - Guenther */
 952
 953         return krb5_parse_name(context, name, principal);
 954 }
 955
 956  BOOL smb_krb5_principal_compare_any_realm(krb5_context context,
 957                                           krb5_const_principal princ1,
 958                                           krb5_const_principal princ2)
 959 {
 960 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
 961
 962         return krb5_principal_compare_any_realm(context, princ1, princ2);
 963
 964 /* krb5_princ_size is a macro in MIT */
 965 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
 966
 967         int i, len1, len2;
 968         const krb5_data *p1, *p2;
 969
 970         len1 = krb5_princ_size(context, princ1);
 971         len2 = krb5_princ_size(context, princ2);
 972
 973         if (len1 != len2)
 974                 return False;
 975
 976         for (i = 0; i < len1; i++) {
 977
 978                 p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
 979                 p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
 980
 981                 if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
 982                         return False;
 983         }
 984
 985         return True;
 986 #else
 987 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
 988 #endif
 989 }
 990
 991 #else /* HAVE_KRB5 */
 992  /* this saves a few linking headaches */
 993  int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 994                         DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts)
 995 {
 996          DEBUG(0,("NO KERBEROS SUPPORT\n"));
 997          return 1;
 998 }
 999
1000 #endif