source4/auth/kerberos/clikrb5.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    simple kerberos5 routines for active directory
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Luke Howard 2002-2003
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "system/network.h"
  24 #include "system/kerberos.h"
  25 #include "system/time.h"
  26 #include "auth/kerberos/kerberos.h"
  27
  28 #ifdef HAVE_KRB5
  29
  30 #if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
  31  krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
  32 {
  33         return krb5_set_default_in_tkt_etypes(ctx, enc);
  34 }
  35 #endif
  36
  37 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
  38 /* HEIMDAL */
  39  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  40 {
  41         pkaddr->addr_type = KRB5_ADDRESS_INET;
  42         pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  43         pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
  44 }
  45 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
  46 /* MIT */
  47  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  48 {
  49         pkaddr->addrtype = ADDRTYPE_INET;
  50         pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  51         pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
  52 }
  53 #else
  54 #error UNKNOWN_ADDRTYPE
  55 #endif
  56
  57 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
  58  int create_kerberos_key_from_string(krb5_context context,
  59                                         krb5_principal host_princ,
  60                                         krb5_data *password,
  61                                         krb5_keyblock *key,
  62                                         krb5_enctype enctype)
  63 {
  64         int ret;
  65         krb5_data salt;
  66         krb5_encrypt_block eblock;
  67
  68         ret = krb5_principal2salt(context, host_princ, &salt);
  69         if (ret) {
  70                 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
  71                 return ret;
  72         }
  73         krb5_use_enctype(context, &eblock, enctype);
  74         ret = krb5_string_to_key(context, &eblock, key, password, &salt);
  75         SAFE_FREE(salt.data);
  76         return ret;
  77 }
  78 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
  79  int create_kerberos_key_from_string(krb5_context context,
  80                                         krb5_principal host_princ,
  81                                         krb5_data *password,
  82                                         krb5_keyblock *key,
  83                                         krb5_enctype enctype)
  84 {
  85         int ret;
  86         krb5_salt salt;
  87
  88         ret = krb5_get_pw_salt(context, host_princ, &salt);
  89         if (ret) {
  90                 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
  91                 return ret;
  92         }
  93         ret = krb5_string_to_key_salt(context, enctype, password->data,
  94                                       salt, key);
  95         krb5_free_salt(context, salt);
  96         return ret;
  97 }
  98 #else
  99 #error UNKNOWN_CREATE_KEY_FUNCTIONS
 100 #endif
 101
 102 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
 103  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 104                                             krb5_enctype **enctypes)
 105 {
 106         return krb5_get_permitted_enctypes(context, enctypes);
 107 }
 108 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
 109  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 110                                             krb5_enctype **enctypes)
 111 {
 112         return krb5_get_default_in_tkt_etypes(context, enctypes);
 113 }
 114 #else
 115 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
 116 #endif
 117
 118  void free_kerberos_etypes(krb5_context context,
 119                            krb5_enctype *enctypes)
 120 {
 121 #if defined(HAVE_KRB5_FREE_KTYPES)
 122         krb5_free_ktypes(context, enctypes);
 123         return;
 124 #else
 125         SAFE_FREE(enctypes);
 126         return;
 127 #endif
 128 }
 129
 130 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
 131  krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
 132                                         krb5_auth_context auth_context,
 133                                         krb5_keyblock *keyblock)
 134 {
 135         return krb5_auth_con_setkey(context, auth_context, keyblock);
 136 }
 137 #endif
 138
 139 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
 140  void krb5_free_unparsed_name(krb5_context context, char *val)
 141 {
 142         SAFE_FREE(val);
 143 }
 144 #endif
 145
 146  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
 147 {
 148 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
 149         if (pdata->data) {
 150                 krb5_free_data_contents(context, pdata);
 151         }
 152 #else
 153         SAFE_FREE(pdata->data);
 154 #endif
 155 }
 156
 157  void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 158 {
 159 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
 160         KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
 161 #elif defined(HAVE_KRB5_SESSION_IN_CREDS)
 162         KRB5_KEY_TYPE((&pcreds->session)) = enctype;
 163 #else
 164 #error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
 165 #endif
 166 }
 167
 168  BOOL kerberos_compatible_enctypes(krb5_context context,
 169                                   krb5_enctype enctype1,
 170                                   krb5_enctype enctype2)
 171 {
 172 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
 173         krb5_boolean similar = 0;
 174
 175         krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
 176         return similar ? True : False;
 177 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
 178         return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
 179 #endif
 180 }
 181
 182  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
 183 {
 184 #if defined(HAVE_KRB5_KT_FREE_ENTRY)
 185         return krb5_kt_free_entry(context, kt_entry);
 186 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
 187         return krb5_free_keytab_entry_contents(context, kt_entry);
 188 #else
 189 #error UNKNOWN_KT_FREE_FUNCTION
 190 #endif
 191 }
 192
 193  char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
 194 {
 195         char *ret;
 196
 197 #if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING)
 198         char *context_error = krb5_get_error_string(context);
 199         if (context_error) {
 200                 ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
 201                 krb5_free_error_string(context, context_error);
 202                 return ret;
 203         }
 204 #endif
 205         ret = talloc_strdup(mem_ctx, error_message(code));
 206         return ret;
 207 }
 208
 209 #endif