2 Unix SMB/CIFS implementation.
3 simple kerberos5 routines for active directory
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Luke Howard 2002-2003
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2011
7 Copyright (C) Guenther Deschner 2005-2009
8 Copyright (C) Simo Sorce 2010.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "libcli/auth/krb5_wrap.h"
28 #include "librpc/gen_ndr/krb5pac.h"
30 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
31 int create_kerberos_key_from_string_direct(krb5_context context
,
32 krb5_principal host_princ
,
39 krb5_encrypt_block eblock
;
41 ret
= krb5_principal2salt(context
, host_princ
, &salt
);
43 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret
)));
46 krb5_use_enctype(context
, &eblock
, enctype
);
47 ret
= krb5_string_to_key(context
, &eblock
, key
, password
, &salt
);
52 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
53 int create_kerberos_key_from_string_direct(krb5_context context
,
54 krb5_principal host_princ
,
62 ret
= krb5_get_pw_salt(context
, host_princ
, &salt
);
64 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret
)));
68 ret
= krb5_string_to_key_salt(context
, enctype
, (const char *)password
->data
, salt
, key
);
69 krb5_free_salt(context
, salt
);
74 #error UNKNOWN_CREATE_KEY_FUNCTIONS
77 void kerberos_free_data_contents(krb5_context context
, krb5_data
*pdata
)
79 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
81 krb5_free_data_contents(context
, pdata
);
83 #elif defined(HAVE_KRB5_DATA_FREE)
84 krb5_data_free(context
, pdata
);
86 SAFE_FREE(pdata
->data
);
91 krb5_error_code
smb_krb5_kt_free_entry(krb5_context context
, krb5_keytab_entry
*kt_entry
)
93 /* Try krb5_free_keytab_entry_contents first, since
94 * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and
95 * krb5_kt_free_entry but only has a prototype for the first, while the
96 * second is considered private.
98 #if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
99 return krb5_free_keytab_entry_contents(context
, kt_entry
);
100 #elif defined(HAVE_KRB5_KT_FREE_ENTRY)
101 return krb5_kt_free_entry(context
, kt_entry
);
103 #error UNKNOWN_KT_FREE_FUNCTION
107 /**************************************************************
108 Wrappers around kerberos string functions that convert from
109 utf8 -> unix charset and vica versa.
110 **************************************************************/
112 /**************************************************************
113 krb5_parse_name that takes a UNIX charset.
114 **************************************************************/
116 krb5_error_code
smb_krb5_parse_name(krb5_context context
,
117 const char *name
, /* in unix charset */
118 krb5_principal
*principal
)
122 size_t converted_size
;
123 TALLOC_CTX
*frame
= talloc_stackframe();
125 if (!push_utf8_talloc(frame
, &utf8_name
, name
, &converted_size
)) {
130 ret
= krb5_parse_name(context
, utf8_name
, principal
);
135 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
136 static void krb5_free_unparsed_name(krb5_context context
, char *val
)
142 /**************************************************************
143 krb5_parse_name that returns a UNIX charset name. Must
144 be freed with talloc_free() call.
145 **************************************************************/
147 krb5_error_code
smb_krb5_unparse_name(TALLOC_CTX
*mem_ctx
,
148 krb5_context context
,
149 krb5_const_principal principal
,
154 size_t converted_size
;
157 ret
= krb5_unparse_name(context
, principal
, &utf8_name
);
162 if (!pull_utf8_talloc(mem_ctx
, unix_name
, utf8_name
, &converted_size
)) {
163 krb5_free_unparsed_name(context
, utf8_name
);
166 krb5_free_unparsed_name(context
, utf8_name
);
170 krb5_error_code
smb_krb5_parse_name_norealm(krb5_context context
,
172 krb5_principal
*principal
)
174 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
175 return smb_krb5_parse_name_norealm_conv(context
, name
, principal
);
178 /* we are cheating here because parse_name will in fact set the realm.
179 * We don't care as the only caller of smb_krb5_parse_name_norealm
180 * ignores the realm anyway when calling
181 * smb_krb5_principal_compare_any_realm later - Guenther */
183 return smb_krb5_parse_name(context
, name
, principal
);
186 bool smb_krb5_principal_compare_any_realm(krb5_context context
,
187 krb5_const_principal princ1
,
188 krb5_const_principal princ2
)
190 return krb5_principal_compare_any_realm(context
, princ1
, princ2
);
193 void smb_krb5_checksum_from_pac_sig(krb5_checksum
*cksum
,
194 struct PAC_SIGNATURE_DATA
*sig
)
196 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
197 cksum
->cksumtype
= (krb5_cksumtype
)sig
->type
;
198 cksum
->checksum
.length
= sig
->signature
.length
;
199 cksum
->checksum
.data
= sig
->signature
.data
;
201 cksum
->checksum_type
= (krb5_cksumtype
)sig
->type
;
202 cksum
->length
= sig
->signature
.length
;
203 cksum
->contents
= sig
->signature
.data
;
207 krb5_error_code
smb_krb5_verify_checksum(krb5_context context
,
208 const krb5_keyblock
*keyblock
,
210 krb5_checksum
*cksum
,
216 /* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */
218 krb5_boolean checksum_valid
= false;
221 input
.data
= (char *)data
;
222 input
.length
= length
;
224 ret
= krb5_c_verify_checksum(context
,
231 DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
232 error_message(ret
)));
237 ret
= KRB5KRB_AP_ERR_BAD_INTEGRITY
;
242 char *gssapi_error_string(TALLOC_CTX
*mem_ctx
,
243 OM_uint32 maj_stat
, OM_uint32 min_stat
,
246 OM_uint32 disp_min_stat
, disp_maj_stat
;
247 gss_buffer_desc maj_error_message
;
248 gss_buffer_desc min_error_message
;
249 char *maj_error_string
, *min_error_string
;
250 OM_uint32 msg_ctx
= 0;
254 maj_error_message
.value
= NULL
;
255 min_error_message
.value
= NULL
;
256 maj_error_message
.length
= 0;
257 min_error_message
.length
= 0;
259 disp_maj_stat
= gss_display_status(&disp_min_stat
, maj_stat
, GSS_C_GSS_CODE
,
260 mech
, &msg_ctx
, &maj_error_message
);
261 disp_maj_stat
= gss_display_status(&disp_min_stat
, min_stat
, GSS_C_MECH_CODE
,
262 mech
, &msg_ctx
, &min_error_message
);
264 maj_error_string
= talloc_strndup(mem_ctx
, (char *)maj_error_message
.value
, maj_error_message
.length
);
266 min_error_string
= talloc_strndup(mem_ctx
, (char *)min_error_message
.value
, min_error_message
.length
);
268 ret
= talloc_asprintf(mem_ctx
, "%s: %s", maj_error_string
, min_error_string
);
270 talloc_free(maj_error_string
);
271 talloc_free(min_error_string
);
273 gss_release_buffer(&disp_min_stat
, &maj_error_message
);
274 gss_release_buffer(&disp_min_stat
, &min_error_message
);
280 char *smb_get_krb5_error_message(krb5_context context
, krb5_error_code code
, TALLOC_CTX
*mem_ctx
)
284 #if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE)
285 const char *context_error
= krb5_get_error_message(context
, code
);
287 ret
= talloc_asprintf(mem_ctx
, "%s: %s", error_message(code
), context_error
);
288 krb5_free_error_message(context
, context_error
);
292 ret
= talloc_strdup(mem_ctx
, error_message(code
));