#include "includes.h"
#include "system/filesys.h"
#include "krb5_samba.h"
-#include "lib/util/asn1.h"
+#include "lib/crypto/crypto.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
*
* @param[out] pkaddr A Kerberos address to store tha address in.
*
- * @return True on success, false if an error occured.
+ * @return True on success, false if an error occurred.
*/
bool smb_krb5_sockaddr_to_kaddr(struct sockaddr_storage *paddr,
krb5_address *pkaddr)
*
* @param[in] pkaddr A Kerberos address to store tha address in.
*
- * @return True on success, false if an error occured.
+ * @return True on success, false if an error occurred.
*/
bool smb_krb5_sockaddr_to_kaddr(struct sockaddr_storage *paddr,
krb5_address *pkaddr)
krb5_error_code error_code,
const char *e_text,
krb5_data *e_data,
+ const krb5_principal client,
+ const krb5_principal server,
krb5_data *enc_err)
{
krb5_error_code code = EINVAL;
error_code,
e_text,
e_data,
- NULL, /* client */
- NULL, /* server */
+ client,
+ server,
NULL, /* client_time */
NULL, /* client_usec */
enc_err);
#else
- krb5_error dec_err = {
- .error = error_code,
- };
+ krb5_principal unspec_server = NULL;
+ krb5_error errpkt;
+ errpkt.ctime = 0;
+ errpkt.cusec = 0;
+
+ code = krb5_us_timeofday(context,
+ &errpkt.stime,
+ &errpkt.susec);
+ if (code != 0) {
+ return code;
+ }
+
+ errpkt.error = error_code;
+
+ errpkt.text.length = 0;
if (e_text != NULL) {
- dec_err.text.length = strlen(e_text);
- dec_err.text.data = discard_const_p(char, e_text);
+ errpkt.text.length = strlen(e_text);
+ errpkt.text.data = discard_const_p(char, e_text);
}
+
+ errpkt.e_data.magic = KV5M_DATA;
+ errpkt.e_data.length = 0;
+ errpkt.e_data.data = NULL;
if (e_data != NULL) {
- dec_err.e_data = *e_data;
+ errpkt.e_data = *e_data;
+ }
+
+ errpkt.client = client;
+
+ if (server != NULL) {
+ errpkt.server = server;
+ } else {
+ code = smb_krb5_make_principal(context,
+ &unspec_server,
+ "<unspecified realm>",
+ NULL);
+ if (code != 0) {
+ return code;
+ }
+ errpkt.server = unspec_server;
}
code = krb5_mk_error(context,
- &dec_err,
+ &errpkt,
enc_err);
+ krb5_free_principal(context, unspec_server);
#endif
return code;
}
return -1;
}
+ if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ uint8_t *utf16 = NULL;
+ size_t utf16_size = 0;
+ uint8_t nt_hash[16];
+ bool ok;
+
+ ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE,
+ password->data, password->length,
+ (void **)&utf16, &utf16_size);
+ if (!ok) {
+ if (errno == 0) {
+ errno = EINVAL;
+ }
+ ret = errno;
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ mdfour(nt_hash, utf16, utf16_size);
+ memset(utf16, 0, utf16_size);
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ nt_hash,
+ sizeof(nt_hash),
+ key);
+ ZERO_STRUCT(nt_hash);
+ if (ret != 0) {
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+ }
+
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
{/* MIT */
krb5_data _salt;
#error UNKNOWN_GET_ENCTYPES_FUNCTIONS
#endif
-bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
- DATA_BLOB *edata,
- DATA_BLOB *edata_out)
-{
- DATA_BLOB edata_contents;
- ASN1_DATA *data;
- int edata_type;
-
- if (!edata->length) {
- return false;
- }
-
- data = asn1_init(mem_ctx);
- if (data == NULL) {
- return false;
- }
-
- if (!asn1_load(data, *edata)) goto err;
- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
- if (!asn1_read_Integer(data, &edata_type)) goto err;
-
- if (edata_type != KRB5_PADATA_PW_SALT) {
- DEBUG(0,("edata is not of required type %d but of type %d\n",
- KRB5_PADATA_PW_SALT, edata_type));
- goto err;
- }
-
- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- asn1_free(data);
-
- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
-
- data_blob_free(&edata_contents);
-
- return true;
-
- err:
-
- asn1_free(data);
- return false;
-}
-
-
-/**************************************************************
- krb5_parse_name that takes a UNIX charset.
-**************************************************************/
+/**
+ * @brief Convert a string principal name to a Kerberos principal.
+ *
+ * @param[in] context The library context
+ *
+ * @param[in] name The principal as a unix charset string.
+ *
+ * @param[out] principal The newly allocated principal.
+ *
+ * Use krb5_free_principal() to free a principal when it is no longer needed.
+ *
+ * @return 0 on success, a Kerberos error code otherwise.
+ */
krb5_error_code smb_krb5_parse_name(krb5_context context,
- const char *name, /* in unix charset */
- krb5_principal *principal)
+ const char *name,
+ krb5_principal *principal)
{
krb5_error_code ret;
char *utf8_name;
return ret;
}
-/**************************************************************
- krb5_parse_name that returns a UNIX charset name. Must
- be freed with talloc_free() call.
-**************************************************************/
-
+/**
+ * @brief Convert a Kerberos principal structure to a string representation.
+ *
+ * The resulting string representation will be a unix charset name and is
+ * talloc'ed.
+ *
+ * @param[in] mem_ctx The talloc context to allocate memory on.
+ *
+ * @param[in] context The library context.
+ *
+ * @param[in] principal The principal.
+ *
+ * @param[out] unix_name A string representation of the princpial name as with
+ * unix charset.
+ *
+ * Use talloc_free() to free the string representation if it is no longer
+ * needed.
+ *
+ * @return 0 on success, a Kerberos error code otherwise.
+ */
krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
krb5_context context,
krb5_const_principal principal,
return 0;
}
-krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
- const char *name,
- krb5_principal *principal)
-{
- /* we are cheating here because parse_name will in fact set the realm.
- * We don't care as the only caller of smb_krb5_parse_name_norealm
- * ignores the realm anyway when calling
- * smb_krb5_principal_compare_any_realm later - Guenther */
-
- return smb_krb5_parse_name(context, name, principal);
-}
-
-bool smb_krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
-{
- return krb5_principal_compare_any_realm(context, princ1, princ2);
-}
-
/**
* @brief Free the contents of a krb5_data structure and zero the data field.
*
goto out;
}
- if ((strncmp(keytab_name_req, "WRFILE:/", 8) == 0) ||
- (strncmp(keytab_name_req, "FILE:/", 6) == 0)) {
+ if ((strncmp(keytab_name_req, "WRFILE:", 7) == 0) ||
+ (strncmp(keytab_name_req, "FILE:", 5) == 0)) {
tmp = keytab_name_req;
goto resolve;
}
bool write_access,
krb5_keytab *keytab)
{
- if (keytab_name_req != NULL) {
- if (keytab_name_req[0] != '/') {
- return KRB5_KT_BADNAME;
- }
+ int cmp;
+
+ if (keytab_name_req == NULL) {
+ return KRB5_KT_BADNAME;
+ }
+
+ if (keytab_name_req[0] == '/') {
+ goto open_keytab;
+ }
+
+ cmp = strncmp(keytab_name_req, "FILE:/", 6);
+ if (cmp == 0) {
+ goto open_keytab;
+ }
+
+ cmp = strncmp(keytab_name_req, "WRFILE:/", 8);
+ if (cmp == 0) {
+ goto open_keytab;
}
+ return KRB5_KT_BADNAME;
+
+open_keytab:
return smb_krb5_kt_open_relative(context,
keytab_name_req,
write_access,
{
krb5_error_code ret;
krb5_kt_cursor cursor;
- krb5_kt_cursor zero_csr;
krb5_keytab_entry kt_entry;
- krb5_keytab_entry zero_kt_entry;
char *ktprinc = NULL;
krb5_kvno old_kvno = kvno - 1;
TALLOC_CTX *tmp_ctx;
ZERO_STRUCT(cursor);
- ZERO_STRUCT(zero_csr);
ZERO_STRUCT(kt_entry);
- ZERO_STRUCT(zero_kt_entry);
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if (ret == KRB5_KT_END || ret == ENOENT ) {
out:
talloc_free(tmp_ctx);
- if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
+ if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
smb_krb5_kt_free_entry(context, &kt_entry);
}
- if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
+ if (!all_zero((uint8_t *)&cursor, sizeof(cursor))) {
krb5_kt_end_seq_get(context, keytab, &cursor);
}
return ret;
{
#if defined(HAVE_KRB5_KEYBLOCK_INIT)
return krb5_keyblock_init(context, enctype, data, length, key);
-#elif defined(HAVE_KRB5_INIT_KEYBLOCK)
- krb5_error_code code;
-
- code = krb5_init_keyblock(context,
- enctype,
- length,
- key);
- if (code != 0) {
- return code;
- }
-
- if (length != 0) {
- memcpy(KRB5_KEY_DATA(key), data, length);
- }
-
- return 0;
#else
memset(key, 0, sizeof(krb5_keyblock));
KRB5_KEY_DATA(key) = SMB_MALLOC(length);
krb5_principal target_princ;
krb5_ccache tmp_cc;
const char *self_realm;
+ const char *client_realm = NULL;
krb5_principal blacklist_principal = NULL;
krb5_principal whitelist_principal = NULL;
return code;
}
+ client_realm = krb5_principal_get_realm(ctx, store_creds.client);
+ if (client_realm != NULL) {
+ /*
+ * Because the CANON flag doesn't have any impact
+ * on the impersonate_principal => store_creds.client
+ * realm mapping. We need to store the credentials twice,
+ * once with the returned realm and once with the
+ * realm of impersonate_principal.
+ */
+ code = krb5_principal_set_realm(ctx, store_creds.server,
+ client_realm);
+ if (code != 0) {
+ krb5_free_cred_contents(ctx, &store_creds);
+ return code;
+ }
+
+ code = krb5_cc_store_cred(ctx, store_cc, &store_creds);
+ if (code != 0) {
+ krb5_free_cred_contents(ctx, &store_creds);
+ return code;
+ }
+ }
+
if (expire_time) {
*expire_time = (time_t) store_creds.times.endtime;
}
*
* @param[in] principal The principal to get the realm from.
*
- * @return An allocated string with the realm or NULL if an error occured.
+ * @return An allocated string with the realm or NULL if an error occurred.
*
* The caller must free the realm string with free() if not needed anymore.
*/
goto out;
}
- if (realm_list && realm_list[0]) {
+ if (realm_list != NULL &&
+ realm_list[0] != NULL &&
+ realm_list[0][0] != '\0') {
realm = talloc_strdup(mem_ctx, realm_list[0]);
}
* @param[in] default_realm The default_realm if we cannot get it from the
* hostname or netbios name.
*
- * @return A talloc'ed principal string or NULL if an error occured.
+ * @return A talloc'ed principal string or NULL if an error occurred.
*
* The caller needs to free the principal with talloc_free() if it isn't needed
* anymore.
return principal;
}
+/**
+ * @brief Get an error string from a Kerberos error code.
+ *
+ * @param[in] context The library context.
+ *
+ * @param[in] code The Kerberos error code.
+ *
+ * @param[in] mem_ctx The talloc context to allocate the error string on.
+ *
+ * @return A talloc'ed error string or NULL if an error occurred.
+ *
+ * The caller must free the returned error string with talloc_free() if not
+ * needed anymore
+ */
char *smb_get_krb5_error_message(krb5_context context,
krb5_error_code code,
TALLOC_CTX *mem_ctx)
/**
-* @brief Return the kerberos library setting for "libdefaults:allow_weak_crypto"
-*
-* @param context The krb5_context
-*
-* @return krb5_boolean
-*
-* Function returns true if weak crypto is allowd, false if not
-*/
-
+ * @brief Return the kerberos library setting for: libdefaults:allow_weak_crypto
+ *
+ * @param[in] context The library context
+ *
+ * @return True if weak crypto is allowed, false if not.
+ */
krb5_boolean smb_krb5_get_allowed_weak_crypto(krb5_context context)
#if defined(HAVE_KRB5_CONFIG_GET_BOOL_DEFAULT)
{
#endif
/**
-* @brief Return the type of a krb5_principal
-*
-* @param context The krb5_context
-* @param principal The const krb5_principal
-*
-* @return integer type of the principal
-*/
+ * @brief Return the type of a krb5_principal
+ *
+ * @param[in] context The library context.
+ *
+ * @param[in] principal The principal to get the type from.
+ *
+ * @return The integer type of the principal.
+ */
int smb_krb5_principal_get_type(krb5_context context,
krb5_const_principal principal)
{
}
/**
-* @brief Set the type of a krb5_principal
-*
-* @param context The krb5_context
-* @param principal The const krb5_principal
-* @param type The principal type
-*
-*/
+ * @brief Set the type of a principal
+ *
+ * @param[in] context The library context
+ *
+ * @param[inout] principal The principal to set the type for.
+ *
+ * @param[in] type The principal type to set.
+ */
void smb_krb5_principal_set_type(krb5_context context,
krb5_principal principal,
int type)
#endif
}
-/**
-* @brief Generate a krb5 warning, forwarding to com_err
-*
-* @param context The krb5_context
-* @param fmt The message format
-* @param ... The message arguments
-*
-* @return
-*/
#if !defined(HAVE_KRB5_WARNX)
+/**
+ * @brief Log a Kerberos message
+ *
+ * It sends the message to com_err.
+ *
+ * @param[in] context The library context
+ *
+ * @param[in] fmt The message format
+ *
+ * @param[in] ... The message arguments
+ *
+ * @return 0 on success.
+ */
krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
- com_err_va("kdb_samba", errno, fmt, args);
+ com_err_va("samba-kdc", errno, fmt, args);
va_end(args);
return 0;
}
#endif
+/**
+ * @brief Copy a credential cache.
+ *
+ * @param[in] context The library context.
+ *
+ * @param[in] incc Credential cache to be copied.
+ *
+ * @param[inout] outcc Copy of credential cache to be filled in.
+ *
+ * @return 0 on success, a Kerberos error code otherwise.
+ */
krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
krb5_ccache incc, krb5_ccache outcc)
{
#ifdef HAVE_KRB5_CC_COPY_CACHE /* Heimdal */
return krb5_cc_copy_cache(context, incc, outcc);
#elif defined(HAVE_KRB5_CC_COPY_CREDS)
+ krb5_error_code ret;
+ krb5_principal princ = NULL;
+
+ ret = krb5_cc_get_principal(context, incc, &princ);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = krb5_cc_initialize(context, outcc, princ);
+ krb5_free_principal(context, princ);
+ if (ret != 0) {
+ return ret;
+ }
return krb5_cc_copy_creds(context, incc, outcc);
#else
#error UNKNOWN_KRB5_CC_COPY_CACHE_OR_CREDS_FUNCTION
if (retval != 0) {
DBG_WARNING("krb5_auth_con_setuseruserkey "
"failed (%s)\n",
- error_message(retval)));
+ error_message(retval));
goto cleanup_creds;
}
KRB5_AUTH_CONTEXT_USE_SUBKEY);
if (retval != 0) {
DBG_WARNING("krb5_auth_con_setflags failed (%s)\n",
- error_message(retval)));
+ error_message(retval));
goto cleanup_creds;
}
retval = ads_setup_auth_context(context, auth_context);
if (retval != 0) {
DBG_WARNING("ads_setup_auth_context failed (%s)\n",
- error_message(retval)));
+ error_message(retval));
goto cleanup_creds;
}
} else {