search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
selftest: Polish selftest-vars.sh a little so it can be used again
[Samba.git] / libcli / auth / krb5_wrap.c
blob485a722d8cbef6384e824a86d9bdab3b92550d33
1 /*
2 Unix SMB/CIFS implementation.
3 simple kerberos5 routines for active directory
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Luke Howard 2002-2003
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2011
7 Copyright (C) Guenther Deschner 2005-2009
8 Copyright (C) Simo Sorce 2010.
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #ifdef HAVE_KRB5
26
27 #include "libcli/auth/krb5_wrap.h"
28 #include "librpc/gen_ndr/krb5pac.h"
29
30 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
31 int create_kerberos_key_from_string_direct(krb5_context context,
32 krb5_principal host_princ,
33 krb5_data *password,
34 krb5_keyblock *key,
35 krb5_enctype enctype)
36 {
37 int ret = 0;
38 krb5_data salt;
39 krb5_encrypt_block eblock;
40
41 ret = krb5_principal2salt(context, host_princ, &salt);
42 if (ret) {
43 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
44 return ret;
45 }
46 krb5_use_enctype(context, &eblock, enctype);
47 ret = krb5_string_to_key(context, &eblock, key, password, &salt);
48 SAFE_FREE(salt.data);
49
50 return ret;
51 }
52 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
53 int create_kerberos_key_from_string_direct(krb5_context context,
54 krb5_principal host_princ,
55 krb5_data *password,
56 krb5_keyblock *key,
57 krb5_enctype enctype)
58 {
59 int ret;
60 krb5_salt salt;
61
62 ret = krb5_get_pw_salt(context, host_princ, &salt);
63 if (ret) {
64 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
65 return ret;
66 }
67
68 ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
69 krb5_free_salt(context, salt);
70
71 return ret;
72 }
73 #else
74 #error UNKNOWN_CREATE_KEY_FUNCTIONS
75 #endif
76
77 void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
78 {
79 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
80 if (pdata->data) {
81 krb5_free_data_contents(context, pdata);
82 }
83 #elif defined(HAVE_KRB5_DATA_FREE)
84 krb5_data_free(context, pdata);
85 #else
86 SAFE_FREE(pdata->data);
87 #endif
88 }
89
90
91 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
92 {
93 /* Try krb5_free_keytab_entry_contents first, since
94 * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and
95 * krb5_kt_free_entry but only has a prototype for the first, while the
96 * second is considered private.
97 */
98 #if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
99 return krb5_free_keytab_entry_contents(context, kt_entry);
100 #elif defined(HAVE_KRB5_KT_FREE_ENTRY)
101 return krb5_kt_free_entry(context, kt_entry);
102 #else
103 #error UNKNOWN_KT_FREE_FUNCTION
104 #endif
105 }
106
107 /**************************************************************
108 Wrappers around kerberos string functions that convert from
109 utf8 -> unix charset and vica versa.
110 **************************************************************/
111
112 /**************************************************************
113 krb5_parse_name that takes a UNIX charset.
114 **************************************************************/
115
116 krb5_error_code smb_krb5_parse_name(krb5_context context,
117 const char *name, /* in unix charset */
118 krb5_principal *principal)
119 {
120 krb5_error_code ret;
121 char *utf8_name;
122 size_t converted_size;
123
124 if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
125 return ENOMEM;
126 }
127
128 ret = krb5_parse_name(context, utf8_name, principal);
129 TALLOC_FREE(utf8_name);
130 return ret;
131 }
132
133 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
134 static void krb5_free_unparsed_name(krb5_context context, char *val)
135 {
136 SAFE_FREE(val);
137 }
138 #endif
139
140 /**************************************************************
141 krb5_parse_name that returns a UNIX charset name. Must
142 be freed with talloc_free() call.
143 **************************************************************/
144
145 krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
146 krb5_context context,
147 krb5_const_principal principal,
148 char **unix_name)
149 {
150 krb5_error_code ret;
151 char *utf8_name;
152 size_t converted_size;
153
154 *unix_name = NULL;
155 ret = krb5_unparse_name(context, principal, &utf8_name);
156 if (ret) {
157 return ret;
158 }
159
160 if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
161 krb5_free_unparsed_name(context, utf8_name);
162 return ENOMEM;
163 }
164 krb5_free_unparsed_name(context, utf8_name);
165 return 0;
166 }
167
168 krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
169 const char *name,
170 krb5_principal *principal)
171 {
172 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
173 return smb_krb5_parse_name_norealm_conv(context, name, principal);
174 #endif
175
176 /* we are cheating here because parse_name will in fact set the realm.
177 * We don't care as the only caller of smb_krb5_parse_name_norealm
178 * ignores the realm anyway when calling
179 * smb_krb5_principal_compare_any_realm later - Guenther */
180
181 return smb_krb5_parse_name(context, name, principal);
182 }
183
184 bool smb_krb5_principal_compare_any_realm(krb5_context context,
185 krb5_const_principal princ1,
186 krb5_const_principal princ2)
187 {
188 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
189
190 return krb5_principal_compare_any_realm(context, princ1, princ2);
191
192 /* krb5_princ_size is a macro in MIT */
193 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
194
195 int i, len1, len2;
196 const krb5_data *p1, *p2;
197
198 len1 = krb5_princ_size(context, princ1);
199 len2 = krb5_princ_size(context, princ2);
200
201 if (len1 != len2)
202 return False;
203
204 for (i = 0; i < len1; i++) {
205
206 p1 = krb5_princ_component(context, discard_const(krb5_principal, princ1), i);
207 p2 = krb5_princ_component(context, discard_const(krb5_principal, princ2), i);
208
209 if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
210 return False;
211 }
212
213 return True;
214 #else
215 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
216 #endif
217 }
218
219 void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
220 struct PAC_SIGNATURE_DATA *sig)
221 {
222 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
223 cksum->cksumtype = (krb5_cksumtype)sig->type;
224 cksum->checksum.length = sig->signature.length;
225 cksum->checksum.data = sig->signature.data;
226 #else
227 cksum->checksum_type = (krb5_cksumtype)sig->type;
228 cksum->length = sig->signature.length;
229 cksum->contents = sig->signature.data;
230 #endif
231 }
232
233 krb5_error_code smb_krb5_verify_checksum(krb5_context context,
234 const krb5_keyblock *keyblock,
235 krb5_keyusage usage,
236 krb5_checksum *cksum,
237 uint8_t *data,
238 size_t length)
239 {
240 krb5_error_code ret;
241
242 /* verify the checksum */
243
244 /* welcome to the wonderful world of samba's kerberos abstraction layer:
245 *
246 * function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2
247 * -----------------------------------------------------------------------------
248 * krb5_c_verify_checksum - works works
249 * krb5_verify_checksum works (6 args) works (6 args) broken (7 args)
250 */
251
252 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
253 {
254 krb5_boolean checksum_valid = false;
255 krb5_data input;
256
257 input.data = (char *)data;
258 input.length = length;
259
260 ret = krb5_c_verify_checksum(context,
261 keyblock,
262 usage,
263 &input,
264 cksum,
265 &checksum_valid);
266 if (ret) {
267 DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
268 error_message(ret)));
269 return ret;
270 }
271
272 if (!checksum_valid)
273 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
274 }
275
276 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
277
278 /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
279 * without enctype and it ignores any key_usage types - Guenther */
280
281 {
282
283 krb5_crypto crypto;
284 ret = krb5_crypto_init(context,
285 keyblock,
286 0,
287 &crypto);
288 if (ret) {
289 DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
290 error_message(ret)));
291 return ret;
292 }
293
294 ret = krb5_verify_checksum(context,
295 crypto,
296 usage,
297 data,
298 length,
299 cksum);
300
301 krb5_crypto_destroy(context, crypto);
302 }
303
304 #else
305 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
306 #endif
307
308 return ret;
309 }
310
311 char *gssapi_error_string(TALLOC_CTX *mem_ctx,
312 OM_uint32 maj_stat, OM_uint32 min_stat,
313 const gss_OID mech)
314 {
315 OM_uint32 disp_min_stat, disp_maj_stat;
316 gss_buffer_desc maj_error_message;
317 gss_buffer_desc min_error_message;
318 char *maj_error_string, *min_error_string;
319 OM_uint32 msg_ctx = 0;
320
321 char *ret;
322
323 maj_error_message.value = NULL;
324 min_error_message.value = NULL;
325 maj_error_message.length = 0;
326 min_error_message.length = 0;
327
328 disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
329 mech, &msg_ctx, &maj_error_message);
330 disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
331 mech, &msg_ctx, &min_error_message);
332
333 maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
334
335 min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
336
337 ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
338
339 talloc_free(maj_error_string);
340 talloc_free(min_error_string);
341
342 gss_release_buffer(&disp_min_stat, &maj_error_message);
343 gss_release_buffer(&disp_min_stat, &min_error_message);
344
345 return ret;
346 }
347
348
349 char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
350 {
351 char *ret;
352
353 #if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE)
354 const char *context_error = krb5_get_error_message(context, code);
355 if (context_error) {
356 ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
357 krb5_free_error_message(context, context_error);
358 return ret;
359 }
360 #endif
361 ret = talloc_strdup(mem_ctx, error_message(code));
362 return ret;
363 }
364
365 #endif
Samba GIT mirror