2 Unix SMB/CIFS implementation.
3 simple kerberos5 routines for active directory
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Luke Howard 2002-2003
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Guenther Deschner 2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
25 #define KRB5_DEPRECATED 1 /* this file uses DEPRECATED interfaces! */
31 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
32 #define KRB5_KEY_TYPE(k) ((k)->keytype)
33 #define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
34 #define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
36 #define KRB5_KEY_TYPE(k) ((k)->enctype)
37 #define KRB5_KEY_LENGTH(k) ((k)->length)
38 #define KRB5_KEY_DATA(k) ((k)->contents)
39 #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
41 #ifndef HAVE_KRB5_SET_REAL_TIME
43 * This function is not in the Heimdal mainline.
45 krb5_error_code
krb5_set_real_time(krb5_context context
, int32_t seconds
, int32_t microseconds
)
50 ret
= krb5_us_timeofday(context
, &sec
, &usec
);
54 context
->kdc_sec_offset
= seconds
- sec
;
55 context
->kdc_usec_offset
= microseconds
- usec
;
61 #if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
62 krb5_error_code
krb5_set_default_tgs_ktypes(krb5_context ctx
, const krb5_enctype
*enc
)
64 return krb5_set_default_in_tkt_etypes(ctx
, enc
);
68 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
70 void setup_kaddr( krb5_address
*pkaddr
, struct sockaddr
*paddr
)
72 pkaddr
->addr_type
= KRB5_ADDRESS_INET
;
73 pkaddr
->address
.length
= sizeof(((struct sockaddr_in
*)paddr
)->sin_addr
);
74 pkaddr
->address
.data
= (char *)&(((struct sockaddr_in
*)paddr
)->sin_addr
);
76 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
78 void setup_kaddr( krb5_address
*pkaddr
, struct sockaddr
*paddr
)
80 pkaddr
->addrtype
= ADDRTYPE_INET
;
81 pkaddr
->length
= sizeof(((struct sockaddr_in
*)paddr
)->sin_addr
);
82 pkaddr
->contents
= (krb5_octet
*)&(((struct sockaddr_in
*)paddr
)->sin_addr
);
85 #error UNKNOWN_ADDRTYPE
88 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
89 int create_kerberos_key_from_string_direct(krb5_context context
,
90 krb5_principal host_princ
,
97 krb5_encrypt_block eblock
;
99 ret
= krb5_principal2salt(context
, host_princ
, &salt
);
101 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret
)));
104 krb5_use_enctype(context
, &eblock
, enctype
);
105 ret
= krb5_string_to_key(context
, &eblock
, key
, password
, &salt
);
106 SAFE_FREE(salt
.data
);
109 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
110 int create_kerberos_key_from_string_direct(krb5_context context
,
111 krb5_principal host_princ
,
114 krb5_enctype enctype
)
119 ret
= krb5_get_pw_salt(context
, host_princ
, &salt
);
121 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret
)));
125 ret
= krb5_string_to_key_salt(context
, enctype
, password
->data
, salt
, key
);
126 krb5_free_salt(context
, salt
);
130 #error UNKNOWN_CREATE_KEY_FUNCTIONS
133 int create_kerberos_key_from_string(krb5_context context
,
134 krb5_principal host_princ
,
137 krb5_enctype enctype
)
139 krb5_principal salt_princ
= NULL
;
142 * Check if we've determined that the KDC is salting keys for this
143 * principal/enctype in a non-obvious way. If it is, try to match
146 salt_princ
= kerberos_fetch_salt_princ_for_host_princ(context
, host_princ
, enctype
);
147 ret
= create_kerberos_key_from_string_direct(context
, salt_princ
? salt_princ
: host_princ
, password
, key
, enctype
);
149 krb5_free_principal(context
, salt_princ
);
154 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
155 krb5_error_code
get_kerberos_allowed_etypes(krb5_context context
,
156 krb5_enctype
**enctypes
)
158 return krb5_get_permitted_enctypes(context
, enctypes
);
160 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
161 krb5_error_code
get_kerberos_allowed_etypes(krb5_context context
,
162 krb5_enctype
**enctypes
)
164 return krb5_get_default_in_tkt_etypes(context
, enctypes
);
167 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
170 void free_kerberos_etypes(krb5_context context
,
171 krb5_enctype
*enctypes
)
173 #if defined(HAVE_KRB5_FREE_KTYPES)
174 krb5_free_ktypes(context
, enctypes
);
182 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
183 krb5_error_code
krb5_auth_con_setuseruserkey(krb5_context context
,
184 krb5_auth_context auth_context
,
185 krb5_keyblock
*keyblock
)
187 return krb5_auth_con_setkey(context
, auth_context
, keyblock
);
191 BOOL
unwrap_pac(TALLOC_CTX
*mem_ctx
, DATA_BLOB
*auth_data
, DATA_BLOB
*unwrapped_pac_data
)
193 DATA_BLOB pac_contents
;
197 if (!auth_data
->length
) {
201 asn1_load(&data
, *auth_data
);
202 asn1_start_tag(&data
, ASN1_SEQUENCE(0));
203 asn1_start_tag(&data
, ASN1_SEQUENCE(0));
204 asn1_start_tag(&data
, ASN1_CONTEXT(0));
205 asn1_read_Integer(&data
, &data_type
);
207 if (data_type
!= KRB5_AUTHDATA_WIN2K_PAC
) {
208 DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type
));
214 asn1_start_tag(&data
, ASN1_CONTEXT(1));
215 asn1_read_OctetString(&data
, &pac_contents
);
221 *unwrapped_pac_data
= data_blob_talloc(mem_ctx
, pac_contents
.data
, pac_contents
.length
);
223 data_blob_free(&pac_contents
);
228 BOOL
get_auth_data_from_tkt(TALLOC_CTX
*mem_ctx
, DATA_BLOB
*auth_data
, krb5_ticket
*tkt
)
230 DATA_BLOB auth_data_wrapped
;
231 BOOL got_auth_data_pac
= False
;
234 #if defined(HAVE_KRB5_TKT_ENC_PART2)
235 if (tkt
->enc_part2
&& tkt
->enc_part2
->authorization_data
&&
236 tkt
->enc_part2
->authorization_data
[0] &&
237 tkt
->enc_part2
->authorization_data
[0]->length
)
239 for (i
= 0; tkt
->enc_part2
->authorization_data
[i
] != NULL
; i
++) {
241 if (tkt
->enc_part2
->authorization_data
[i
]->ad_type
!=
242 KRB5_AUTHDATA_IF_RELEVANT
) {
243 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
244 tkt
->enc_part2
->authorization_data
[i
]->ad_type
));
248 auth_data_wrapped
= data_blob(tkt
->enc_part2
->authorization_data
[i
]->contents
,
249 tkt
->enc_part2
->authorization_data
[i
]->length
);
251 /* check if it is a PAC */
252 got_auth_data_pac
= unwrap_pac(mem_ctx
, &auth_data_wrapped
, auth_data
);
253 data_blob_free(&auth_data_wrapped
);
255 if (!got_auth_data_pac
) {
260 return got_auth_data_pac
;
264 if (tkt
->ticket
.authorization_data
&&
265 tkt
->ticket
.authorization_data
->len
)
267 for (i
= 0; i
< tkt
->ticket
.authorization_data
->len
; i
++) {
269 if (tkt
->ticket
.authorization_data
->val
[i
].ad_type
!=
270 KRB5_AUTHDATA_IF_RELEVANT
) {
271 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
272 tkt
->ticket
.authorization_data
->val
[i
].ad_type
));
276 auth_data_wrapped
= data_blob(tkt
->ticket
.authorization_data
->val
[i
].ad_data
.data
,
277 tkt
->ticket
.authorization_data
->val
[i
].ad_data
.length
);
279 /* check if it is a PAC */
280 got_auth_data_pac
= unwrap_pac(mem_ctx
, &auth_data_wrapped
, auth_data
);
281 data_blob_free(&auth_data_wrapped
);
283 if (!got_auth_data_pac
) {
288 return got_auth_data_pac
;
294 krb5_const_principal
get_principal_from_tkt(krb5_ticket
*tkt
)
296 #if defined(HAVE_KRB5_TKT_ENC_PART2)
297 return tkt
->enc_part2
->client
;
303 #if !defined(HAVE_KRB5_LOCATE_KDC)
304 krb5_error_code
krb5_locate_kdc(krb5_context ctx
, const krb5_data
*realm
, struct sockaddr
**addr_pp
, int *naddrs
, int get_masters
)
306 krb5_krbhst_handle hnd
;
307 krb5_krbhst_info
*hinfo
;
316 rc
= krb5_krbhst_init(ctx
, realm
->data
, KRB5_KRBHST_KDC
, &hnd
);
318 DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc
)));
322 for ( num_kdcs
= 0; (rc
= krb5_krbhst_next(ctx
, hnd
, &hinfo
) == 0); num_kdcs
++)
325 krb5_krbhst_reset(ctx
, hnd
);
328 DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n"));
329 krb5_krbhst_free(ctx
, hnd
);
333 sa
= SMB_MALLOC_ARRAY( struct sockaddr
, num_kdcs
);
335 DEBUG(0, ("krb5_locate_kdc: malloc failed\n"));
336 krb5_krbhst_free(ctx
, hnd
);
341 memset(sa
, '\0', sizeof(struct sockaddr
) * num_kdcs
);
343 for (i
= 0; i
< num_kdcs
&& (rc
= krb5_krbhst_next(ctx
, hnd
, &hinfo
) == 0); i
++) {
345 #if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
346 rc
= krb5_krbhst_get_addrinfo(ctx
, hinfo
, &ai
);
348 DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc
)));
352 if (hinfo
->ai
&& hinfo
->ai
->ai_family
== AF_INET
)
353 memcpy(&sa
[i
], hinfo
->ai
->ai_addr
, sizeof(struct sockaddr
));
356 krb5_krbhst_free(ctx
, hnd
);
364 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
365 void krb5_free_unparsed_name(krb5_context context
, char *val
)
371 void kerberos_free_data_contents(krb5_context context
, krb5_data
*pdata
)
373 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
375 krb5_free_data_contents(context
, pdata
);
378 SAFE_FREE(pdata
->data
);
382 void kerberos_set_creds_enctype(krb5_creds
*pcreds
, int enctype
)
384 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
385 KRB5_KEY_TYPE((&pcreds
->keyblock
)) = enctype
;
386 #elif defined(HAVE_KRB5_SESSION_IN_CREDS)
387 KRB5_KEY_TYPE((&pcreds
->session
)) = enctype
;
389 #error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
393 BOOL
kerberos_compatible_enctypes(krb5_context context
,
394 krb5_enctype enctype1
,
395 krb5_enctype enctype2
)
397 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
398 krb5_boolean similar
= 0;
400 krb5_c_enctype_compare(context
, enctype1
, enctype2
, &similar
);
401 return similar
? True
: False
;
402 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
403 return krb5_enctypes_compatible_keys(context
, enctype1
, enctype2
) ? True
: False
;
407 static BOOL
ads_cleanup_expired_creds(krb5_context context
,
411 krb5_error_code retval
;
413 DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
414 krb5_cc_default_name(context
),
415 http_timestring(credsp
->times
.endtime
)));
417 /* we will probably need new tickets if the current ones
418 will expire within 10 seconds.
420 if (credsp
->times
.endtime
>= (time(NULL
) + 10))
423 /* heimdal won't remove creds from a file ccache, and
424 perhaps we shouldn't anyway, since internally we
425 use memory ccaches, and a FILE one probably means that
426 we're using creds obtained outside of our exectuable
428 if (StrCaseCmp(krb5_cc_get_type(context
, ccache
), "FILE") == 0) {
429 DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n"));
433 retval
= krb5_cc_remove_cred(context
, ccache
, 0, credsp
);
435 DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
436 error_message(retval
)));
437 /* If we have an error in this, we want to display it,
438 but continue as though we deleted it */
444 we can't use krb5_mk_req because w2k wants the service to be in a particular format
446 static krb5_error_code
ads_krb5_mk_req(krb5_context context
,
447 krb5_auth_context
*auth_context
,
448 const krb5_flags ap_req_options
,
449 const char *principal
,
453 krb5_error_code retval
;
454 krb5_principal server
;
458 BOOL creds_ready
= False
;
460 retval
= krb5_parse_name(context
, principal
, &server
);
462 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal
));
466 /* obtain ticket & session key */
468 if ((retval
= krb5_copy_principal(context
, server
, &creds
.server
))) {
469 DEBUG(1,("krb5_copy_principal failed (%s)\n",
470 error_message(retval
)));
474 if ((retval
= krb5_cc_get_principal(context
, ccache
, &creds
.client
))) {
475 /* This can commonly fail on smbd startup with no ticket in the cache.
476 * Report at higher level than 1. */
477 DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
478 error_message(retval
)));
482 while(!creds_ready
) {
483 if ((retval
= krb5_get_credentials(context
, 0, ccache
,
485 DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
486 principal
, error_message(retval
)));
490 /* cope with ticket being in the future due to clock skew */
491 if ((unsigned)credsp
->times
.starttime
> time(NULL
)) {
492 time_t t
= time(NULL
);
493 int time_offset
=(int)((unsigned)credsp
->times
.starttime
-t
);
494 DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset
));
495 krb5_set_real_time(context
, t
+ time_offset
+ 1, 0);
498 if (!ads_cleanup_expired_creds(context
, ccache
, credsp
))
502 DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n",
503 principal
, krb5_cc_default_name(context
),
504 http_timestring((unsigned)credsp
->times
.endtime
),
505 (unsigned)credsp
->times
.endtime
));
508 retval
= krb5_mk_req_extended(context
, auth_context
, ap_req_options
,
509 &in_data
, credsp
, outbuf
);
511 DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
512 error_message(retval
)));
515 krb5_free_creds(context
, credsp
);
518 krb5_free_cred_contents(context
, &creds
);
521 krb5_free_principal(context
, server
);
527 get a kerberos5 ticket for the given service
529 int cli_krb5_get_ticket(const char *principal
, time_t time_offset
,
530 DATA_BLOB
*ticket
, DATA_BLOB
*session_key_krb5
, uint32 extra_ap_opts
)
532 krb5_error_code retval
;
534 krb5_context context
= NULL
;
535 krb5_ccache ccdef
= NULL
;
536 krb5_auth_context auth_context
= NULL
;
537 krb5_enctype enc_types
[] = {
538 #ifdef ENCTYPE_ARCFOUR_HMAC
539 ENCTYPE_ARCFOUR_HMAC
,
545 retval
= krb5_init_context(&context
);
547 DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n",
548 error_message(retval
)));
552 if (time_offset
!= 0) {
553 krb5_set_real_time(context
, time(NULL
) + time_offset
, 0);
556 if ((retval
= krb5_cc_default(context
, &ccdef
))) {
557 DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
558 error_message(retval
)));
562 if ((retval
= krb5_set_default_tgs_ktypes(context
, enc_types
))) {
563 DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
564 error_message(retval
)));
568 if ((retval
= ads_krb5_mk_req(context
,
570 AP_OPTS_USE_SUBKEY
| (krb5_flags
)extra_ap_opts
,
576 get_krb5_smb_session_key(context
, auth_context
, session_key_krb5
, False
);
578 *ticket
= data_blob(packet
.data
, packet
.length
);
580 kerberos_free_data_contents(context
, &packet
);
586 krb5_cc_close(context
, ccdef
);
588 krb5_auth_con_free(context
, auth_context
);
589 krb5_free_context(context
);
595 BOOL
get_krb5_smb_session_key(krb5_context context
, krb5_auth_context auth_context
, DATA_BLOB
*session_key
, BOOL remote
)
602 err
= krb5_auth_con_getremotesubkey(context
, auth_context
, &skey
);
604 err
= krb5_auth_con_getlocalsubkey(context
, auth_context
, &skey
);
605 if (err
== 0 && skey
!= NULL
) {
606 DEBUG(10, ("Got KRB5 session key of length %d\n", KRB5_KEY_LENGTH(skey
)));
607 *session_key
= data_blob(KRB5_KEY_DATA(skey
), KRB5_KEY_LENGTH(skey
));
608 dump_data_pw("KRB5 Session Key:\n", session_key
->data
, session_key
->length
);
612 krb5_free_keyblock(context
, skey
);
614 DEBUG(10, ("KRB5 error getting session key %d\n", err
));
621 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
622 const krb5_data
*krb5_princ_component(krb5_context context
, krb5_principal principal
, int i
);
624 const krb5_data
*krb5_princ_component(krb5_context context
, krb5_principal principal
, int i
)
626 static krb5_data kdata
;
628 kdata
.data
= (char *)krb5_principal_get_comp_string(context
, principal
, i
);
629 kdata
.length
= strlen(kdata
.data
);
634 krb5_error_code
smb_krb5_kt_free_entry(krb5_context context
, krb5_keytab_entry
*kt_entry
)
636 #if defined(HAVE_KRB5_KT_FREE_ENTRY)
637 return krb5_kt_free_entry(context
, kt_entry
);
638 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
639 return krb5_free_keytab_entry_contents(context
, kt_entry
);
641 #error UNKNOWN_KT_FREE_FUNCTION
645 void smb_krb5_checksum_from_pac_sig(krb5_checksum
*cksum
,
646 PAC_SIGNATURE_DATA
*sig
)
648 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
649 cksum
->cksumtype
= (krb5_cksumtype
)sig
->type
;
650 cksum
->checksum
.length
= sig
->signature
.buf_len
;
651 cksum
->checksum
.data
= sig
->signature
.buffer
;
653 cksum
->checksum_type
= (krb5_cksumtype
)sig
->type
;
654 cksum
->length
= sig
->signature
.buf_len
;
655 cksum
->contents
= sig
->signature
.buffer
;
659 krb5_error_code
smb_krb5_verify_checksum(krb5_context context
,
660 krb5_keyblock
*keyblock
,
662 krb5_checksum
*cksum
,
668 /* verify the checksum */
670 /* welcome to the wonderful world of samba's kerberos abstraction layer:
672 * function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2
673 * -----------------------------------------------------------------------------
674 * krb5_c_verify_checksum - works works
675 * krb5_verify_checksum works (6 args) works (6 args) broken (7 args)
678 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
680 krb5_boolean checksum_valid
= False
;
683 input
.data
= (char *)data
;
684 input
.length
= length
;
686 ret
= krb5_c_verify_checksum(context
,
693 DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
694 error_message(ret
)));
699 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
;
702 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
704 /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
705 * without enctype and it ignores any key_usage types - Guenther */
710 ret
= krb5_crypto_init(context
,
715 DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
716 error_message(ret
)));
720 ret
= krb5_verify_checksum(context
,
727 krb5_crypto_destroy(context
, crypto
);
731 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
737 time_t get_authtime_from_tkt(krb5_ticket
*tkt
)
739 #if defined(HAVE_KRB5_TKT_ENC_PART2)
740 return tkt
->enc_part2
->times
.authtime
;
742 return tkt
->ticket
.authtime
;
746 static int get_kvno_from_ap_req(krb5_ap_req
*ap_req
)
748 #ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */
749 if (ap_req
->ticket
->enc_part
.kvno
)
750 return ap_req
->ticket
->enc_part
.kvno
;
752 if (ap_req
->ticket
.enc_part
.kvno
)
753 return *ap_req
->ticket
.enc_part
.kvno
;
758 static krb5_enctype
get_enctype_from_ap_req(krb5_ap_req
*ap_req
)
760 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
761 return ap_req
->ticket
.enc_part
.etype
;
763 return ap_req
->ticket
->enc_part
.enctype
;
767 static krb5_error_code
768 get_key_from_keytab(krb5_context context
,
770 krb5_const_principal server
,
771 krb5_enctype enctype
,
773 krb5_keyblock
**out_key
)
775 krb5_keytab_entry entry
;
777 krb5_keytab real_keytab
;
780 if (keytab
== NULL
) {
781 krb5_kt_default(context
, &real_keytab
);
783 real_keytab
= keytab
;
786 if ( DEBUGLEVEL
>= 10 ) {
787 krb5_unparse_name(context
, server
, &name
);
788 DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n",
789 kvno
, enctype
, name
));
790 krb5_free_unparsed_name(context
, name
);
793 ret
= krb5_kt_get_entry(context
,
801 DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret
)));
805 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
806 ret
= krb5_copy_keyblock(context
, &entry
.keyblock
, out_key
);
807 #elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
808 ret
= krb5_copy_keyblock(context
, &entry
.key
, out_key
);
810 #error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
814 DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret
)));
818 smb_krb5_kt_free_entry(context
, &entry
);
821 if (keytab
== NULL
) {
822 krb5_kt_close(context
, real_keytab
);
828 void smb_krb5_free_ap_req(krb5_context context
,
831 #ifdef HAVE_KRB5_FREE_AP_REQ /* MIT */
832 krb5_free_ap_req(context
, ap_req
);
833 #elif defined(HAVE_FREE_AP_REQ) /* Heimdal */
836 #error UNKNOWN_KRB5_AP_REQ_FREE_FUNCTION
841 #if defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */
842 krb5_error_code
decode_krb5_ap_req(const krb5_data
*code
, krb5_ap_req
**rep
);
845 krb5_error_code
smb_krb5_get_keyinfo_from_ap_req(krb5_context context
,
846 const krb5_data
*inbuf
,
848 krb5_enctype
*enctype
)
851 #ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
855 ret
= krb5_decode_ap_req(context
, inbuf
, &ap_req
);
859 *kvno
= get_kvno_from_ap_req(&ap_req
);
860 *enctype
= get_enctype_from_ap_req(&ap_req
);
862 smb_krb5_free_ap_req(context
, &ap_req
);
864 #elif defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */
866 krb5_ap_req
*ap_req
= NULL
;
868 ret
= decode_krb5_ap_req(inbuf
, &ap_req
);
872 *kvno
= get_kvno_from_ap_req(ap_req
);
873 *enctype
= get_enctype_from_ap_req(ap_req
);
875 smb_krb5_free_ap_req(context
, ap_req
);
878 #error UNKOWN_KRB5_AP_REQ_DECODING_FUNCTION
883 krb5_error_code
krb5_rd_req_return_keyblock_from_keytab(krb5_context context
,
884 krb5_auth_context
*auth_context
,
885 const krb5_data
*inbuf
,
886 krb5_const_principal server
,
888 krb5_flags
*ap_req_options
,
889 krb5_ticket
**ticket
,
890 krb5_keyblock
**keyblock
)
893 krb5_ap_req
*ap_req
= NULL
;
895 krb5_enctype enctype
;
896 krb5_keyblock
*local_keyblock
;
898 ret
= krb5_rd_req(context
,
909 ret
= smb_krb5_get_keyinfo_from_ap_req(context
, inbuf
, &kvno
, &enctype
);
914 ret
= get_key_from_keytab(context
,
921 DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n"));
927 smb_krb5_free_ap_req(context
, ap_req
);
930 if (ret
&& local_keyblock
!= NULL
) {
931 krb5_free_keyblock(context
, local_keyblock
);
933 *keyblock
= local_keyblock
;
939 krb5_error_code
smb_krb5_parse_name_norealm(krb5_context context
,
941 krb5_principal
*principal
)
943 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
944 return krb5_parse_name_norealm(context
, name
, principal
);
947 /* we are cheating here because parse_name will in fact set the realm.
948 * We don't care as the only caller of smb_krb5_parse_name_norealm
949 * ignores the realm anyway when calling
950 * smb_krb5_principal_compare_any_realm later - Guenther */
952 return krb5_parse_name(context
, name
, principal
);
955 BOOL
smb_krb5_principal_compare_any_realm(krb5_context context
,
956 krb5_const_principal princ1
,
957 krb5_const_principal princ2
)
959 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
961 return krb5_principal_compare_any_realm(context
, princ1
, princ2
);
963 /* krb5_princ_size is a macro in MIT */
964 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
967 const krb5_data
*p1
, *p2
;
969 len1
= krb5_princ_size(context
, princ1
);
970 len2
= krb5_princ_size(context
, princ2
);
975 for (i
= 0; i
< len1
; i
++) {
977 p1
= krb5_princ_component(context
, CONST_DISCARD(krb5_principal
, princ1
), i
);
978 p2
= krb5_princ_component(context
, CONST_DISCARD(krb5_principal
, princ2
), i
);
980 if (p1
->length
!= p2
->length
|| memcmp(p1
->data
, p2
->data
, p1
->length
))
986 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
990 #else /* HAVE_KRB5 */
991 /* this saves a few linking headaches */
992 int cli_krb5_get_ticket(const char *principal
, time_t time_offset
,
993 DATA_BLOB
*ticket
, DATA_BLOB
*session_key_krb5
, uint32 extra_ap_opts
)
995 DEBUG(0,("NO KERBEROS SUPPORT\n"));