source4/auth/kerberos/clikrb5.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    simple kerberos5 routines for active directory
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Luke Howard 2002-2003
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "system/network.h"
  25 #include "system/kerberos.h"
  26 #include "system/time.h"
  27 #include "auth/kerberos/kerberos.h"
  28
  29 #ifdef HAVE_KRB5
  30
  31 #if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
  32  krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
  33 {
  34         return krb5_set_default_in_tkt_etypes(ctx, enc);
  35 }
  36 #endif
  37
  38 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
  39 /* HEIMDAL */
  40  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  41 {
  42         pkaddr->addr_type = KRB5_ADDRESS_INET;
  43         pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  44         pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
  45 }
  46 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
  47 /* MIT */
  48  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  49 {
  50         pkaddr->addrtype = ADDRTYPE_INET;
  51         pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  52         pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
  53 }
  54 #else
  55 #error UNKNOWN_ADDRTYPE
  56 #endif
  57
  58 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
  59  int create_kerberos_key_from_string(krb5_context context,
  60                                         krb5_principal host_princ,
  61                                         krb5_data *password,
  62                                         krb5_keyblock *key,
  63                                         krb5_enctype enctype)
  64 {
  65         int ret;
  66         krb5_data salt;
  67         krb5_encrypt_block eblock;
  68
  69         ret = krb5_principal2salt(context, host_princ, &salt);
  70         if (ret) {
  71                 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
  72                 return ret;
  73         }
  74         krb5_use_enctype(context, &eblock, enctype);
  75         ret = krb5_string_to_key(context, &eblock, key, password, &salt);
  76         SAFE_FREE(salt.data);
  77         return ret;
  78 }
  79 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
  80  int create_kerberos_key_from_string(krb5_context context,
  81                                         krb5_principal host_princ,
  82                                         krb5_data *password,
  83                                         krb5_keyblock *key,
  84                                         krb5_enctype enctype)
  85 {
  86         int ret;
  87         krb5_salt salt;
  88
  89         ret = krb5_get_pw_salt(context, host_princ, &salt);
  90         if (ret) {
  91                 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
  92                 return ret;
  93         }
  94         ret = krb5_string_to_key_salt(context, enctype, password->data,
  95                                       salt, key);
  96         krb5_free_salt(context, salt);
  97         return ret;
  98 }
  99 #else
 100 #error UNKNOWN_CREATE_KEY_FUNCTIONS
 101 #endif
 102
 103 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
 104  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 105                                             krb5_enctype **enctypes)
 106 {
 107         return krb5_get_permitted_enctypes(context, enctypes);
 108 }
 109 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
 110  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 111                                             krb5_enctype **enctypes)
 112 {
 113         return krb5_get_default_in_tkt_etypes(context, enctypes);
 114 }
 115 #else
 116 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
 117 #endif
 118
 119  void free_kerberos_etypes(krb5_context context,
 120                            krb5_enctype *enctypes)
 121 {
 122 #if defined(HAVE_KRB5_FREE_KTYPES)
 123         krb5_free_ktypes(context, enctypes);
 124         return;
 125 #else
 126         SAFE_FREE(enctypes);
 127         return;
 128 #endif
 129 }
 130
 131 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
 132  krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
 133                                         krb5_auth_context auth_context,
 134                                         krb5_keyblock *keyblock)
 135 {
 136         return krb5_auth_con_setkey(context, auth_context, keyblock);
 137 }
 138 #endif
 139
 140 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
 141  void krb5_free_unparsed_name(krb5_context context, char *val)
 142 {
 143         SAFE_FREE(val);
 144 }
 145 #endif
 146
 147  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
 148 {
 149 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
 150         if (pdata->data) {
 151                 krb5_free_data_contents(context, pdata);
 152         }
 153 #else
 154         SAFE_FREE(pdata->data);
 155 #endif
 156 }
 157
 158  void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 159 {
 160 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
 161         KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
 162 #elif defined(HAVE_KRB5_SESSION_IN_CREDS)
 163         KRB5_KEY_TYPE((&pcreds->session)) = enctype;
 164 #else
 165 #error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
 166 #endif
 167 }
 168
 169  BOOL kerberos_compatible_enctypes(krb5_context context,
 170                                   krb5_enctype enctype1,
 171                                   krb5_enctype enctype2)
 172 {
 173 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
 174         krb5_boolean similar = 0;
 175
 176         krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
 177         return similar ? True : False;
 178 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
 179         return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
 180 #endif
 181 }
 182
 183  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
 184 {
 185 #if defined(HAVE_KRB5_KT_FREE_ENTRY)
 186         return krb5_kt_free_entry(context, kt_entry);
 187 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
 188         return krb5_free_keytab_entry_contents(context, kt_entry);
 189 #else
 190 #error UNKNOWN_KT_FREE_FUNCTION
 191 #endif
 192 }
 193
 194  char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
 195 {
 196         char *ret;
 197
 198 #if defined(HAVE_KRB5_GET_ERROR_STRING) && defined(HAVE_KRB5_FREE_ERROR_STRING)
 199         char *context_error = krb5_get_error_string(context);
 200         if (context_error) {
 201                 ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
 202                 krb5_free_error_string(context, context_error);
 203                 return ret;
 204         }
 205 #endif
 206         ret = talloc_strdup(mem_ctx, error_message(code));
 207         return ret;
 208 }
 209
 210 #endif