#include "includes.h"
#include "system/filesys.h"
#include "krb5_samba.h"
+#include "lib/crypto/crypto.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
*
* @param[out] pkaddr A Kerberos address to store tha address in.
*
- * @return True on success, false if an error occured.
+ * @return True on success, false if an error occurred.
*/
bool smb_krb5_sockaddr_to_kaddr(struct sockaddr_storage *paddr,
krb5_address *pkaddr)
*
* @param[in] pkaddr A Kerberos address to store tha address in.
*
- * @return True on success, false if an error occured.
+ * @return True on success, false if an error occurred.
*/
bool smb_krb5_sockaddr_to_kaddr(struct sockaddr_storage *paddr,
krb5_address *pkaddr)
krb5_error_code error_code,
const char *e_text,
krb5_data *e_data,
+ const krb5_principal client,
+ const krb5_principal server,
krb5_data *enc_err)
{
krb5_error_code code = EINVAL;
error_code,
e_text,
e_data,
- NULL, /* client */
- NULL, /* server */
+ client,
+ server,
NULL, /* client_time */
NULL, /* client_usec */
enc_err);
#else
- krb5_error dec_err = {
- .error = error_code,
- };
+ krb5_principal unspec_server = NULL;
+ krb5_error errpkt;
+ errpkt.ctime = 0;
+ errpkt.cusec = 0;
+
+ code = krb5_us_timeofday(context,
+ &errpkt.stime,
+ &errpkt.susec);
+ if (code != 0) {
+ return code;
+ }
+
+ errpkt.error = error_code;
+
+ errpkt.text.length = 0;
if (e_text != NULL) {
- dec_err.text.length = strlen(e_text);
- dec_err.text.data = discard_const_p(char, e_text);
+ errpkt.text.length = strlen(e_text);
+ errpkt.text.data = discard_const_p(char, e_text);
}
+
+ errpkt.e_data.magic = KV5M_DATA;
+ errpkt.e_data.length = 0;
+ errpkt.e_data.data = NULL;
if (e_data != NULL) {
- dec_err.e_data = *e_data;
+ errpkt.e_data = *e_data;
+ }
+
+ errpkt.client = client;
+
+ if (server != NULL) {
+ errpkt.server = server;
+ } else {
+ code = smb_krb5_make_principal(context,
+ &unspec_server,
+ "<unspecified realm>",
+ NULL);
+ if (code != 0) {
+ return code;
+ }
+ errpkt.server = unspec_server;
}
code = krb5_mk_error(context,
- &dec_err,
+ &errpkt,
enc_err);
+ krb5_free_principal(context, unspec_server);
#endif
return code;
}
return -1;
}
+ if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ uint8_t *utf16 = NULL;
+ size_t utf16_size = 0;
+ uint8_t nt_hash[16];
+ bool ok;
+
+ ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE,
+ password->data, password->length,
+ (void **)&utf16, &utf16_size);
+ if (!ok) {
+ if (errno == 0) {
+ errno = EINVAL;
+ }
+ ret = errno;
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ mdfour(nt_hash, utf16, utf16_size);
+ memset(utf16, 0, utf16_size);
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ nt_hash,
+ sizeof(nt_hash),
+ key);
+ ZERO_STRUCT(nt_hash);
+ if (ret != 0) {
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+ }
+
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
{/* MIT */
krb5_data _salt;
goto out;
}
- if ((strncmp(keytab_name_req, "WRFILE:/", 8) == 0) ||
- (strncmp(keytab_name_req, "FILE:/", 6) == 0)) {
+ if ((strncmp(keytab_name_req, "WRFILE:", 7) == 0) ||
+ (strncmp(keytab_name_req, "FILE:", 5) == 0)) {
tmp = keytab_name_req;
goto resolve;
}
bool write_access,
krb5_keytab *keytab)
{
- if (keytab_name_req != NULL) {
- if (keytab_name_req[0] != '/') {
- return KRB5_KT_BADNAME;
- }
+ int cmp;
+
+ if (keytab_name_req == NULL) {
+ return KRB5_KT_BADNAME;
+ }
+
+ if (keytab_name_req[0] == '/') {
+ goto open_keytab;
+ }
+
+ cmp = strncmp(keytab_name_req, "FILE:/", 6);
+ if (cmp == 0) {
+ goto open_keytab;
+ }
+
+ cmp = strncmp(keytab_name_req, "WRFILE:/", 8);
+ if (cmp == 0) {
+ goto open_keytab;
}
+ return KRB5_KT_BADNAME;
+
+open_keytab:
return smb_krb5_kt_open_relative(context,
keytab_name_req,
write_access,
{
krb5_error_code ret;
krb5_kt_cursor cursor;
- krb5_kt_cursor zero_csr;
krb5_keytab_entry kt_entry;
- krb5_keytab_entry zero_kt_entry;
char *ktprinc = NULL;
krb5_kvno old_kvno = kvno - 1;
TALLOC_CTX *tmp_ctx;
ZERO_STRUCT(cursor);
- ZERO_STRUCT(zero_csr);
ZERO_STRUCT(kt_entry);
- ZERO_STRUCT(zero_kt_entry);
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if (ret == KRB5_KT_END || ret == ENOENT ) {
out:
talloc_free(tmp_ctx);
- if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
+ if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
smb_krb5_kt_free_entry(context, &kt_entry);
}
- if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
+ if (!all_zero((uint8_t *)&cursor, sizeof(cursor))) {
krb5_kt_end_seq_get(context, keytab, &cursor);
}
return ret;
krb5_principal target_princ;
krb5_ccache tmp_cc;
const char *self_realm;
+ const char *client_realm = NULL;
krb5_principal blacklist_principal = NULL;
krb5_principal whitelist_principal = NULL;
return code;
}
+ client_realm = krb5_principal_get_realm(ctx, store_creds.client);
+ if (client_realm != NULL) {
+ /*
+ * Because the CANON flag doesn't have any impact
+ * on the impersonate_principal => store_creds.client
+ * realm mapping. We need to store the credentials twice,
+ * once with the returned realm and once with the
+ * realm of impersonate_principal.
+ */
+ code = krb5_principal_set_realm(ctx, store_creds.server,
+ client_realm);
+ if (code != 0) {
+ krb5_free_cred_contents(ctx, &store_creds);
+ return code;
+ }
+
+ code = krb5_cc_store_cred(ctx, store_cc, &store_creds);
+ if (code != 0) {
+ krb5_free_cred_contents(ctx, &store_creds);
+ return code;
+ }
+ }
+
if (expire_time) {
*expire_time = (time_t) store_creds.times.endtime;
}
*
* @param[in] principal The principal to get the realm from.
*
- * @return An allocated string with the realm or NULL if an error occured.
+ * @return An allocated string with the realm or NULL if an error occurred.
*
* The caller must free the realm string with free() if not needed anymore.
*/
goto out;
}
- if (realm_list && realm_list[0]) {
+ if (realm_list != NULL &&
+ realm_list[0] != NULL &&
+ realm_list[0][0] != '\0') {
realm = talloc_strdup(mem_ctx, realm_list[0]);
}
* @param[in] default_realm The default_realm if we cannot get it from the
* hostname or netbios name.
*
- * @return A talloc'ed principal string or NULL if an error occured.
+ * @return A talloc'ed principal string or NULL if an error occurred.
*
* The caller needs to free the principal with talloc_free() if it isn't needed
* anymore.
*
* @param[in] mem_ctx The talloc context to allocate the error string on.
*
- * @return A talloc'ed error string or NULL if an error occured.
+ * @return A talloc'ed error string or NULL if an error occurred.
*
* The caller must free the returned error string with talloc_free() if not
* needed anymore
#ifdef HAVE_KRB5_CC_COPY_CACHE /* Heimdal */
return krb5_cc_copy_cache(context, incc, outcc);
#elif defined(HAVE_KRB5_CC_COPY_CREDS)
+ krb5_error_code ret;
+ krb5_principal princ = NULL;
+
+ ret = krb5_cc_get_principal(context, incc, &princ);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = krb5_cc_initialize(context, outcc, princ);
+ krb5_free_principal(context, princ);
+ if (ret != 0) {
+ return ret;
+ }
return krb5_cc_copy_creds(context, incc, outcc);
#else
#error UNKNOWN_KRB5_CC_COPY_CACHE_OR_CREDS_FUNCTION