Context Navigation

source: branches/samba-3.3.x/source/libsmb/clikrb5.c@ 221

Visit:

Last change on this file since 221 was 221, checked in by Herwig Bauernfeind, 16 years ago
Update Samba 3.3 to 3.3.1
File size: 52.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	simple kerberos5 routines for active directory
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Luke Howard 2002-2003
6	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7	Copyright (C) Guenther Deschner 2005-2007
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program. If not, see <http://www.gnu.org/licenses/>.
21	*/
22
23	#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
24	#define KRB5_DEPRECATED 1 /* this file uses DEPRECATED interfaces! */
25
26	#include "includes.h"
27
28	#ifdef HAVE_KRB5
29
30	#define GSSAPI_CHECKSUM 0x8003 /* Checksum type value for Kerberos */
31	#define GSSAPI_BNDLENGTH 16 /* Bind Length (rfc-1964 pg.3) */
32	#define GSSAPI_CHECKSUM_SIZE (12+GSSAPI_BNDLENGTH)
33
34	#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
35	static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context,
36	krb5_auth_context *auth_context,
37	krb5_creds *credsp,
38	krb5_ccache ccache,
39	krb5_data *authenticator);
40	#endif
41
42	/**************************************************************
43	Wrappers around kerberos string functions that convert from
44	utf8 -> unix charset and vica versa.
45	**************************************************************/
46
47	/**************************************************************
48	krb5_parse_name that takes a UNIX charset.
49	**************************************************************/
50
51	krb5_error_code smb_krb5_parse_name(krb5_context context,
52	const char name, / in unix charset */
53	krb5_principal *principal)
54	{
55	krb5_error_code ret;
56	char *utf8_name;
57	size_t converted_size;
58
59	if (!push_utf8_allocate(&utf8_name, name, &converted_size)) {
60	return ENOMEM;
61	}
62
63	ret = krb5_parse_name(context, utf8_name, principal);
64	SAFE_FREE(utf8_name);
65	return ret;
66	}
67
68	#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
69	/**************************************************************
70	krb5_parse_name_norealm that takes a UNIX charset.
71	**************************************************************/
72
73	static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context,
74	const char name, / in unix charset */
75	krb5_principal *principal)
76	{
77	krb5_error_code ret;
78	char *utf8_name;
79	size_t converted_size;
80
81	*principal = NULL;
82	if (!push_utf8_allocate(&utf8_name, name, &converted_size)) {
83	return ENOMEM;
84	}
85
86	ret = krb5_parse_name_norealm(context, utf8_name, principal);
87	SAFE_FREE(utf8_name);
88	return ret;
89	}
90	#endif
91
92	/**************************************************************
93	krb5_parse_name that returns a UNIX charset name. Must
94	be freed with normal free() call.
95	**************************************************************/
96
97	krb5_error_code smb_krb5_unparse_name(krb5_context context,
98	krb5_const_principal principal,
99	char **unix_name)
100	{
101	krb5_error_code ret;
102	char *utf8_name;
103	size_t converted_size;
104
105	*unix_name = NULL;
106	ret = krb5_unparse_name(context, principal, &utf8_name);
107	if (ret) {
108	return ret;
109	}
110
111	if (!pull_utf8_allocate(unix_name, utf8_name, &converted_size)) {
112	krb5_free_unparsed_name(context, utf8_name);
113	return ENOMEM;
114	}
115	krb5_free_unparsed_name(context, utf8_name);
116	return 0;
117	}
118
119	#ifndef HAVE_KRB5_SET_REAL_TIME
120	/*
121	* This function is not in the Heimdal mainline.
122	*/
123	krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
124	{
125	krb5_error_code ret;
126	int32_t sec, usec;
127
128	ret = krb5_us_timeofday(context, &sec, &usec);
129	if (ret)
130	return ret;
131
132	context->kdc_sec_offset = seconds - sec;
133	context->kdc_usec_offset = microseconds - usec;
134
135	return 0;
136	}
137	#endif
138
139	#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
140
141	#if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
142
143	/* With MIT kerberos, we should use krb5_set_default_tgs_enctypes in preference
144	* to krb5_set_default_tgs_ktypes. See
145	* http://lists.samba.org/archive/samba-technical/2006-July/048271.html
146	*
147	* If the MIT libraries are not exporting internal symbols, we will end up in
148	* this branch, which is correct. Otherwise we will continue to use the
149	* internal symbol
150	*/
151	krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
152	{
153	return krb5_set_default_tgs_enctypes(ctx, enc);
154	}
155
156	#elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES)
157
158	/* Heimdal */
159	krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
160	{
161	return krb5_set_default_in_tkt_etypes(ctx, enc);
162	}
163
164	#endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */
165
166	#endif /* HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */
167
168	#if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
169	/* HEIMDAL */
170	bool setup_kaddr( krb5_address pkaddr, struct sockaddr_storage paddr)
171	{
172	memset(pkaddr, '\0', sizeof(krb5_address));
173	#if defined(HAVE_IPV6) && defined(KRB5_ADDRESS_INET6)
174	if (paddr->ss_family == AF_INET6) {
175	pkaddr->addr_type = KRB5_ADDRESS_INET6;
176	pkaddr->address.length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr);
177	pkaddr->address.data = (char )&(((struct sockaddr_in6 )paddr)->sin6_addr);
178	return true;
179	}
180	#endif
181	if (paddr->ss_family == AF_INET) {
182	pkaddr->addr_type = KRB5_ADDRESS_INET;
183	pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
184	pkaddr->address.data = (char )&(((struct sockaddr_in )paddr)->sin_addr);
185	return true;
186	}
187	return false;
188	}
189	#elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
190	/* MIT */
191	bool setup_kaddr( krb5_address pkaddr, struct sockaddr_storage paddr)
192	{
193	memset(pkaddr, '\0', sizeof(krb5_address));
194	#if defined(HAVE_IPV6) && defined(ADDRTYPE_INET6)
195	if (paddr->ss_family == AF_INET6) {
196	pkaddr->addrtype = ADDRTYPE_INET6;
197	pkaddr->length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr);
198	pkaddr->contents = (krb5_octet )&(((struct sockaddr_in6 )paddr)->sin6_addr);
199	return true;
200	}
201	#endif
202	if (paddr->ss_family == AF_INET) {
203	pkaddr->addrtype = ADDRTYPE_INET;
204	pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
205	pkaddr->contents = (krb5_octet )&(((struct sockaddr_in )paddr)->sin_addr);
206	return true;
207	}
208	return false;
209	}
210	#else
211	#error UNKNOWN_ADDRTYPE
212	#endif
213
214	#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
215	static int create_kerberos_key_from_string_direct(krb5_context context,
216	krb5_principal host_princ,
217	krb5_data *password,
218	krb5_keyblock *key,
219	krb5_enctype enctype)
220	{
221	int ret = 0;
222	krb5_data salt;
223	krb5_encrypt_block eblock;
224
225	ret = krb5_principal2salt(context, host_princ, &salt);
226	if (ret) {
227	DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
228	return ret;
229	}
230	krb5_use_enctype(context, &eblock, enctype);
231	ret = krb5_string_to_key(context, &eblock, key, password, &salt);
232	SAFE_FREE(salt.data);
233
234	return ret;
235	}
236	#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
237	static int create_kerberos_key_from_string_direct(krb5_context context,
238	krb5_principal host_princ,
239	krb5_data *password,
240	krb5_keyblock *key,
241	krb5_enctype enctype)
242	{
243	int ret;
244	krb5_salt salt;
245
246	ret = krb5_get_pw_salt(context, host_princ, &salt);
247	if (ret) {
248	DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
249	return ret;
250	}
251
252	ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
253	krb5_free_salt(context, salt);
254
255	return ret;
256	}
257	#else
258	#error UNKNOWN_CREATE_KEY_FUNCTIONS
259	#endif
260
261	int create_kerberos_key_from_string(krb5_context context,
262	krb5_principal host_princ,
263	krb5_data *password,
264	krb5_keyblock *key,
265	krb5_enctype enctype,
266	bool no_salt)
267	{
268	krb5_principal salt_princ = NULL;
269	int ret;
270	/*
271	* Check if we've determined that the KDC is salting keys for this
272	* principal/enctype in a non-obvious way. If it is, try to match
273	* its behavior.
274	*/
275	if (no_salt) {
276	KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length);
277	if (!KRB5_KEY_DATA(key)) {
278	return ENOMEM;
279	}
280	memcpy(KRB5_KEY_DATA(key), password->data, password->length);
281	KRB5_KEY_LENGTH(key) = password->length;
282	KRB5_KEY_TYPE(key) = enctype;
283	return 0;
284	}
285	salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
286	ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
287	if (salt_princ) {
288	krb5_free_principal(context, salt_princ);
289	}
290	return ret;
291	}
292
293	#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
294	krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
295	krb5_enctype **enctypes)
296	{
297	return krb5_get_permitted_enctypes(context, enctypes);
298	}
299	#elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
300	krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
301	krb5_enctype **enctypes)
302	{
303	return krb5_get_default_in_tkt_etypes(context, enctypes);
304	}
305	#else
306	#error UNKNOWN_GET_ENCTYPES_FUNCTIONS
307	#endif
308
309	#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
310	krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
311	krb5_auth_context auth_context,
312	krb5_keyblock *keyblock)
313	{
314	return krb5_auth_con_setkey(context, auth_context, keyblock);
315	}
316	#endif
317
318	bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
319	DATA_BLOB *edata,
320	DATA_BLOB *edata_out)
321	{
322	DATA_BLOB edata_contents;
323	ASN1_DATA data;
324	int edata_type;
325
326	if (!edata->length) {
327	return False;
328	}
329
330	asn1_load(&data, *edata);
331	asn1_start_tag(&data, ASN1_SEQUENCE(0));
332	asn1_start_tag(&data, ASN1_CONTEXT(1));
333	asn1_read_Integer(&data, &edata_type);
334
335	if (edata_type != KRB5_PADATA_PW_SALT) {
336	DEBUG(0,("edata is not of required type %d but of type %d\n",
337	KRB5_PADATA_PW_SALT, edata_type));
338	asn1_free(&data);
339	return False;
340	}
341
342	asn1_start_tag(&data, ASN1_CONTEXT(2));
343	asn1_read_OctetString(&data, &edata_contents);
344	asn1_end_tag(&data);
345	asn1_end_tag(&data);
346	asn1_end_tag(&data);
347	asn1_free(&data);
348
349	*edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
350
351	data_blob_free(&edata_contents);
352
353	return True;
354	}
355
356
357	bool unwrap_pac(TALLOC_CTX mem_ctx, DATA_BLOB auth_data, DATA_BLOB *unwrapped_pac_data)
358	{
359	DATA_BLOB pac_contents;
360	ASN1_DATA data;
361	int data_type;
362
363	if (!auth_data->length) {
364	return False;
365	}
366
367	asn1_load(&data, *auth_data);
368	asn1_start_tag(&data, ASN1_SEQUENCE(0));
369	asn1_start_tag(&data, ASN1_SEQUENCE(0));
370	asn1_start_tag(&data, ASN1_CONTEXT(0));
371	asn1_read_Integer(&data, &data_type);
372
373	if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) {
374	DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type));
375	asn1_free(&data);
376	return False;
377	}
378
379	asn1_end_tag(&data);
380	asn1_start_tag(&data, ASN1_CONTEXT(1));
381	asn1_read_OctetString(&data, &pac_contents);
382	asn1_end_tag(&data);
383	asn1_end_tag(&data);
384	asn1_end_tag(&data);
385	asn1_free(&data);
386
387	*unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length);
388
389	data_blob_free(&pac_contents);
390
391	return True;
392	}
393
394	bool get_auth_data_from_tkt(TALLOC_CTX mem_ctx, DATA_BLOB auth_data, krb5_ticket *tkt)
395	{
396	DATA_BLOB auth_data_wrapped;
397	bool got_auth_data_pac = False;
398	int i;
399
400	#if defined(HAVE_KRB5_TKT_ENC_PART2)
401	if (tkt->enc_part2 && tkt->enc_part2->authorization_data &&
402	tkt->enc_part2->authorization_data[0] &&
403	tkt->enc_part2->authorization_data[0]->length)
404	{
405	for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) {
406
407	if (tkt->enc_part2->authorization_data[i]->ad_type !=
408	KRB5_AUTHDATA_IF_RELEVANT) {
409	DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
410	tkt->enc_part2->authorization_data[i]->ad_type));
411	continue;
412	}
413
414	auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents,
415	tkt->enc_part2->authorization_data[i]->length);
416
417	/* check if it is a PAC */
418	got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
419	data_blob_free(&auth_data_wrapped);
420
421	if (got_auth_data_pac) {
422	return true;
423	}
424	}
425
426	return got_auth_data_pac;
427	}
428
429	#else
430	if (tkt->ticket.authorization_data &&
431	tkt->ticket.authorization_data->len)
432	{
433	for (i = 0; i < tkt->ticket.authorization_data->len; i++) {
434
435	if (tkt->ticket.authorization_data->val[i].ad_type !=
436	KRB5_AUTHDATA_IF_RELEVANT) {
437	DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
438	tkt->ticket.authorization_data->val[i].ad_type));
439	continue;
440	}
441
442	auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data,
443	tkt->ticket.authorization_data->val[i].ad_data.length);
444
445	/* check if it is a PAC */
446	got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
447	data_blob_free(&auth_data_wrapped);
448
449	if (got_auth_data_pac) {
450	return true;
451	}
452	}
453
454	return got_auth_data_pac;
455	}
456	#endif
457	return False;
458	}
459
460	krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
461	{
462	#if defined(HAVE_KRB5_TKT_ENC_PART2)
463	return tkt->enc_part2->client;
464	#else
465	return tkt->client;
466	#endif
467	}
468
469	#if !defined(HAVE_KRB5_LOCATE_KDC)
470
471	/* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit
472	* to a public interface for this functionality, so we have to be able to live
473	* without it if the MIT libraries are hiding their internal symbols.
474	*/
475
476	#if defined(KRB5_KRBHST_INIT)
477	/* Heimdal */
478	krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data realm, struct sockaddr addr_pp, int naddrs, int get_masters)
479	{
480	krb5_krbhst_handle hnd;
481	krb5_krbhst_info *hinfo;
482	krb5_error_code rc;
483	int num_kdcs, i;
484	struct sockaddr *sa;
485	struct addrinfo *ai;
486
487	*addr_pp = NULL;
488	*naddrs = 0;
489
490	rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
491	if (rc) {
492	DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
493	return rc;
494	}
495
496	for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
497	;
498
499	krb5_krbhst_reset(ctx, hnd);
500
501	if (!num_kdcs) {
502	DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n"));
503	krb5_krbhst_free(ctx, hnd);
504	return -1;
505	}
506
507	sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
508	if (!sa) {
509	DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n"));
510	krb5_krbhst_free(ctx, hnd);
511	naddrs = 0;
512	return -1;
513	}
514
515	memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
516
517	for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
518
519	#if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
520	rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
521	if (rc) {
522	DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
523	continue;
524	}
525	#endif
526	if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
527	memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
528	}
529
530	krb5_krbhst_free(ctx, hnd);
531
532	*naddrs = num_kdcs;
533	*addr_pp = sa;
534	return 0;
535	}
536
537	#else /* ! defined(KRB5_KRBHST_INIT) */
538
539	krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
540	struct sockaddr *addr_pp, int naddrs, int get_masters)
541	{
542	DEBUG(0, ("unable to explicitly locate the KDC on this platform\n"));
543	return KRB5_KDC_UNREACH;
544	}
545
546	#endif /* KRB5_KRBHST_INIT */
547
548	#else /* ! HAVE_KRB5_LOCATE_KDC */
549
550	krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
551	struct sockaddr *addr_pp, int naddrs, int get_masters)
552	{
553	return krb5_locate_kdc(ctx, realm, addr_pp, naddrs, get_masters);
554	}
555
556	#endif /* HAVE_KRB5_LOCATE_KDC */
557
558	#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
559	void krb5_free_unparsed_name(krb5_context context, char *val)
560	{
561	SAFE_FREE(val);
562	}
563	#endif
564
565	void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
566	{
567	#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
568	if (pdata->data) {
569	krb5_free_data_contents(context, pdata);
570	}
571	#else
572	SAFE_FREE(pdata->data);
573	#endif
574	}
575
576	void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
577	{
578	#if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
579	KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
580	#elif defined(HAVE_KRB5_SESSION_IN_CREDS)
581	KRB5_KEY_TYPE((&pcreds->session)) = enctype;
582	#else
583	#error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
584	#endif
585	}
586
587	bool kerberos_compatible_enctypes(krb5_context context,
588	krb5_enctype enctype1,
589	krb5_enctype enctype2)
590	{
591	#if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
592	krb5_boolean similar = 0;
593
594	krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
595	return similar ? True : False;
596	#elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
597	return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
598	#endif
599	}
600
601	static bool ads_cleanup_expired_creds(krb5_context context,
602	krb5_ccache ccache,
603	krb5_creds *credsp)
604	{
605	krb5_error_code retval;
606	const char *cc_type = krb5_cc_get_type(context, ccache);
607
608	DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n",
609	cc_type, krb5_cc_get_name(context, ccache),
610	http_timestring(credsp->times.endtime)));
611
612	/* we will probably need new tickets if the current ones
613	will expire within 10 seconds.
614	*/
615	if (credsp->times.endtime >= (time(NULL) + 10))
616	return False;
617
618	/* heimdal won't remove creds from a file ccache, and
619	perhaps we shouldn't anyway, since internally we
620	use memory ccaches, and a FILE one probably means that
621	we're using creds obtained outside of our exectuable
622	*/
623	if (strequal(cc_type, "FILE")) {
624	DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type));
625	return False;
626	}
627
628	retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
629	if (retval) {
630	DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
631	error_message(retval)));
632	/* If we have an error in this, we want to display it,
633	but continue as though we deleted it */
634	}
635	return True;
636	}
637
638	/*
639	we can't use krb5_mk_req because w2k wants the service to be in a particular format
640	*/
641	static krb5_error_code ads_krb5_mk_req(krb5_context context,
642	krb5_auth_context *auth_context,
643	const krb5_flags ap_req_options,
644	const char *principal,
645	krb5_ccache ccache,
646	krb5_data *outbuf,
647	time_t *expire_time)
648	{
649	krb5_error_code retval;
650	krb5_principal server;
651	krb5_creds * credsp;
652	krb5_creds creds;
653	krb5_data in_data;
654	bool creds_ready = False;
655	int i = 0, maxtries = 3;
656
657	ZERO_STRUCT(in_data);
658
659	retval = smb_krb5_parse_name(context, principal, &server);
660	if (retval) {
661	DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
662	return retval;
663	}
664
665	/* obtain ticket & session key */
666	ZERO_STRUCT(creds);
667	if ((retval = krb5_copy_principal(context, server, &creds.server))) {
668	DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n",
669	error_message(retval)));
670	goto cleanup_princ;
671	}
672
673	if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
674	/* This can commonly fail on smbd startup with no ticket in the cache.
675	* Report at higher level than 1. */
676	DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
677	error_message(retval)));
678	goto cleanup_creds;
679	}
680
681	while (!creds_ready && (i < maxtries)) {
682
683	if ((retval = krb5_get_credentials(context, 0, ccache,
684	&creds, &credsp))) {
685	DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
686	principal, error_message(retval)));
687	goto cleanup_creds;
688	}
689
690	/* cope with ticket being in the future due to clock skew */
691	if ((unsigned)credsp->times.starttime > time(NULL)) {
692	time_t t = time(NULL);
693	int time_offset =(int)((unsigned)credsp->times.starttime-t);
694	DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
695	krb5_set_real_time(context, t + time_offset + 1, 0);
696	}
697
698	if (!ads_cleanup_expired_creds(context, ccache, credsp)) {
699	creds_ready = True;
700	}
701
702	i++;
703	}
704
705	DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n",
706	principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache),
707	http_timestring((unsigned)credsp->times.endtime),
708	(unsigned)credsp->times.endtime));
709
710	if (expire_time) {
711	*expire_time = (time_t)credsp->times.endtime;
712	}
713
714	#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
715	if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
716	/* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
717	as part of the kerberos exchange. */
718
719	DEBUG( 3, ("ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT\n") );
720
721	if( *auth_context == NULL ) {
722	/* Allocate if it has not yet been allocated. */
723	retval = krb5_auth_con_init( context, auth_context );
724	if (retval) {
725	DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_init failed (%s)\n",
726	error_message(retval)));
727	goto cleanup_creds;
728	}
729	}
730
731	retval = krb5_auth_con_setuseruserkey( context, *auth_context, &credsp->keyblock );
732	if (retval) {
733	DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setuseruserkey failed (%s)\n",
734	error_message(retval)));
735	goto cleanup_creds;
736	}
737
738	/* Must use a subkey for forwarded tickets. */
739	retval = krb5_auth_con_setflags( context, *auth_context, KRB5_AUTH_CONTEXT_USE_SUBKEY);
740	if (retval) {
741	DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setflags failed (%s)\n",
742	error_message(retval)));
743	goto cleanup_creds;
744	}
745
746	retval = ads_krb5_get_fwd_ticket( context,
747	auth_context,
748	credsp,
749	ccache,
750	&in_data );
751	if (retval) {
752	DEBUG( 3, ("ads_krb5_get_fwd_ticket failed (%s)\n",
753	error_message( retval ) ) );
754
755	/*
756	* This is not fatal. Delete the *auth_context and continue
757	* with krb5_mk_req_extended to get a non-forwardable ticket.
758	*/
759
760	if (in_data.data) {
761	free( in_data.data );
762	in_data.data = NULL;
763	in_data.length = 0;
764	}
765	krb5_auth_con_free(context, *auth_context);
766	*auth_context = NULL;
767	}
768	}
769	#endif
770
771	retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
772	&in_data, credsp, outbuf);
773	if (retval) {
774	DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
775	error_message(retval)));
776	}
777
778	if (in_data.data) {
779	free( in_data.data );
780	in_data.length = 0;
781	}
782
783	krb5_free_creds(context, credsp);
784
785	cleanup_creds:
786	krb5_free_cred_contents(context, &creds);
787
788	cleanup_princ:
789	krb5_free_principal(context, server);
790
791	return retval;
792	}
793
794	/*
795	get a kerberos5 ticket for the given service
796	*/
797	int cli_krb5_get_ticket(const char *principal, time_t time_offset,
798	DATA_BLOB ticket, DATA_BLOB session_key_krb5,
799	uint32 extra_ap_opts, const char *ccname,
800	time_t *tgs_expire)
801
802	{
803	krb5_error_code retval;
804	krb5_data packet;
805	krb5_context context = NULL;
806	krb5_ccache ccdef = NULL;
807	krb5_auth_context auth_context = NULL;
808	krb5_enctype enc_types[] = {
809	#ifdef ENCTYPE_ARCFOUR_HMAC
810	ENCTYPE_ARCFOUR_HMAC,
811	#endif
812	ENCTYPE_DES_CBC_MD5,
813	ENCTYPE_DES_CBC_CRC,
814	ENCTYPE_NULL};
815
816	initialize_krb5_error_table();
817	retval = krb5_init_context(&context);
818	if (retval) {
819	DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n",
820	error_message(retval)));
821	goto failed;
822	}
823
824	if (time_offset != 0) {
825	krb5_set_real_time(context, time(NULL) + time_offset, 0);
826	}
827
828	if ((retval = krb5_cc_resolve(context, ccname ?
829	ccname : krb5_cc_default_name(context), &ccdef))) {
830	DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
831	error_message(retval)));
832	goto failed;
833	}
834
835	if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
836	DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
837	error_message(retval)));
838	goto failed;
839	}
840
841	if ((retval = ads_krb5_mk_req(context,
842	&auth_context,
843	AP_OPTS_USE_SUBKEY \| (krb5_flags)extra_ap_opts,
844	principal,
845	ccdef, &packet,
846	tgs_expire))) {
847	goto failed;
848	}
849
850	get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
851
852	*ticket = data_blob(packet.data, packet.length);
853
854	kerberos_free_data_contents(context, &packet);
855
856	failed:
857
858	if ( context ) {
859	if (ccdef)
860	krb5_cc_close(context, ccdef);
861	if (auth_context)
862	krb5_auth_con_free(context, auth_context);
863	krb5_free_context(context);
864	}
865
866	return retval;
867	}
868
869	bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote)
870	{
871	krb5_keyblock *skey;
872	krb5_error_code err;
873	bool ret = False;
874
875	if (remote)
876	err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
877	else
878	err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
879	if (err == 0 && skey != NULL) {
880	DEBUG(10, ("Got KRB5 session key of length %d\n", (int)KRB5_KEY_LENGTH(skey)));
881	*session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
882	dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
883
884	ret = True;
885
886	krb5_free_keyblock(context, skey);
887	} else {
888	DEBUG(10, ("KRB5 error getting session key %d\n", err));
889	}
890
891	return ret;
892	}
893
894
895	#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
896	const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
897
898	const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
899	{
900	static krb5_data kdata;
901
902	kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i);
903	kdata.length = strlen((const char *)kdata.data);
904	return &kdata;
905	}
906	#endif
907
908	krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
909	{
910	#if defined(HAVE_KRB5_KT_FREE_ENTRY)
911	return krb5_kt_free_entry(context, kt_entry);
912	#elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
913	return krb5_free_keytab_entry_contents(context, kt_entry);
914	#else
915	#error UNKNOWN_KT_FREE_FUNCTION
916	#endif
917	}
918
919	void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
920	struct PAC_SIGNATURE_DATA *sig)
921	{
922	#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
923	cksum->cksumtype = (krb5_cksumtype)sig->type;
924	cksum->checksum.length = sig->signature.length;
925	cksum->checksum.data = sig->signature.data;
926	#else
927	cksum->checksum_type = (krb5_cksumtype)sig->type;
928	cksum->length = sig->signature.length;
929	cksum->contents = sig->signature.data;
930	#endif
931	}
932
933	krb5_error_code smb_krb5_verify_checksum(krb5_context context,
934	const krb5_keyblock *keyblock,
935	krb5_keyusage usage,
936	krb5_checksum *cksum,
937	uint8 *data,
938	size_t length)
939	{
940	krb5_error_code ret;
941
942	/* verify the checksum */
943
944	/* welcome to the wonderful world of samba's kerberos abstraction layer:
945	*
946	* function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2
947	* -----------------------------------------------------------------------------
948	* krb5_c_verify_checksum - works works
949	* krb5_verify_checksum works (6 args) works (6 args) broken (7 args)
950	*/
951
952	#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
953	{
954	krb5_boolean checksum_valid = False;
955	krb5_data input;
956
957	input.data = (char *)data;
958	input.length = length;
959
960	ret = krb5_c_verify_checksum(context,
961	keyblock,
962	usage,
963	&input,
964	cksum,
965	&checksum_valid);
966	if (ret) {
967	DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
968	error_message(ret)));
969	return ret;
970	}
971
972	if (!checksum_valid)
973	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
974	}
975
976	#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
977
978	/* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
979	* without enctype and it ignores any key_usage types - Guenther */
980
981	{
982
983	krb5_crypto crypto;
984	ret = krb5_crypto_init(context,
985	keyblock,
986	0,
987	&crypto);
988	if (ret) {
989	DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
990	error_message(ret)));
991	return ret;
992	}
993
994	ret = krb5_verify_checksum(context,
995	crypto,
996	usage,
997	data,
998	length,
999	cksum);
1000
1001	krb5_crypto_destroy(context, crypto);
1002	}
1003
1004	#else
1005	#error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
1006	#endif
1007
1008	return ret;
1009	}
1010
1011	time_t get_authtime_from_tkt(krb5_ticket *tkt)
1012	{
1013	#if defined(HAVE_KRB5_TKT_ENC_PART2)
1014	return tkt->enc_part2->times.authtime;
1015	#else
1016	return tkt->ticket.authtime;
1017	#endif
1018	}
1019
1020	#ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
1021	static int get_kvno_from_ap_req(krb5_ap_req *ap_req)
1022	{
1023	#ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */
1024	if (ap_req->ticket->enc_part.kvno)
1025	return ap_req->ticket->enc_part.kvno;
1026	#else /* Heimdal */
1027	if (ap_req->ticket.enc_part.kvno)
1028	return *ap_req->ticket.enc_part.kvno;
1029	#endif
1030	return 0;
1031	}
1032
1033	static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req)
1034	{
1035	#ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
1036	return ap_req->ticket.enc_part.etype;
1037	#else /* MIT */
1038	return ap_req->ticket->enc_part.enctype;
1039	#endif
1040	}
1041	#endif /* HAVE_KRB5_DECODE_AP_REQ */
1042
1043	static krb5_error_code
1044	get_key_from_keytab(krb5_context context,
1045	krb5_const_principal server,
1046	krb5_enctype enctype,
1047	krb5_kvno kvno,
1048	krb5_keyblock **out_key)
1049	{
1050	krb5_keytab_entry entry;
1051	krb5_error_code ret;
1052	krb5_keytab keytab;
1053	char *name = NULL;
1054	krb5_keyblock *keyp;
1055
1056	/* We have to open a new keytab handle here, as MIT does
1057	an implicit open/getnext/close on krb5_kt_get_entry. We
1058	may be in the middle of a keytab enumeration when this is
1059	called. JRA. */
1060
1061	ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
1062	if (ret) {
1063	DEBUG(1,("get_key_from_keytab: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
1064	return ret;
1065	}
1066
1067	if ( DEBUGLEVEL >= 10 ) {
1068	if (smb_krb5_unparse_name(context, server, &name) == 0) {
1069	DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n",
1070	kvno, enctype, name));
1071	SAFE_FREE(name);
1072	}
1073	}
1074
1075	ret = krb5_kt_get_entry(context,
1076	keytab,
1077	server,
1078	kvno,
1079	enctype,
1080	&entry);
1081
1082	if (ret) {
1083	DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret)));
1084	goto out;
1085	}
1086
1087	keyp = KRB5_KT_KEY(&entry);
1088
1089	ret = krb5_copy_keyblock(context, keyp, out_key);
1090	if (ret) {
1091	DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
1092	goto out;
1093	}
1094
1095	smb_krb5_kt_free_entry(context, &entry);
1096
1097	out:
1098	krb5_kt_close(context, keytab);
1099	return ret;
1100	}
1101
1102	/* Prototypes */
1103
1104	krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
1105	const krb5_data *inbuf,
1106	krb5_kvno *kvno,
1107	krb5_enctype *enctype)
1108	{
1109	#ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
1110	{
1111	krb5_error_code ret;
1112	krb5_ap_req ap_req;
1113
1114	ret = krb5_decode_ap_req(context, inbuf, &ap_req);
1115	if (ret)
1116	return ret;
1117
1118	*kvno = get_kvno_from_ap_req(&ap_req);
1119	*enctype = get_enctype_from_ap_req(&ap_req);
1120
1121	free_AP_REQ(&ap_req);
1122	return 0;
1123	}
1124	#endif
1125
1126	/* Possibly not an appropriate error code. */
1127	return KRB5KDC_ERR_BADOPTION;
1128	}
1129
1130	krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
1131	krb5_auth_context *auth_context,
1132	const krb5_data *inbuf,
1133	krb5_const_principal server,
1134	krb5_keytab keytab,
1135	krb5_flags *ap_req_options,
1136	krb5_ticket **ticket,
1137	krb5_keyblock **keyblock)
1138	{
1139	krb5_error_code ret;
1140	krb5_kvno kvno;
1141	krb5_enctype enctype;
1142	krb5_keyblock *local_keyblock;
1143
1144	ret = krb5_rd_req(context,
1145	auth_context,
1146	inbuf,
1147	server,
1148	keytab,
1149	ap_req_options,
1150	ticket);
1151	if (ret) {
1152	return ret;
1153	}
1154
1155	#ifdef KRB5_TICKET_HAS_KEYINFO
1156	enctype = (*ticket)->enc_part.enctype;
1157	kvno = (*ticket)->enc_part.kvno;
1158	#else
1159	ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype);
1160	if (ret) {
1161	return ret;
1162	}
1163	#endif
1164
1165	ret = get_key_from_keytab(context,
1166	server,
1167	enctype,
1168	kvno,
1169	&local_keyblock);
1170	if (ret) {
1171	DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n"));
1172	goto out;
1173	}
1174
1175	out:
1176	if (ret && local_keyblock != NULL) {
1177	krb5_free_keyblock(context, local_keyblock);
1178	} else {
1179	*keyblock = local_keyblock;
1180	}
1181
1182	return ret;
1183	}
1184
1185	krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
1186	const char *name,
1187	krb5_principal *principal)
1188	{
1189	#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
1190	return smb_krb5_parse_name_norealm_conv(context, name, principal);
1191	#endif
1192
1193	/* we are cheating here because parse_name will in fact set the realm.
1194	* We don't care as the only caller of smb_krb5_parse_name_norealm
1195	* ignores the realm anyway when calling
1196	* smb_krb5_principal_compare_any_realm later - Guenther */
1197
1198	return smb_krb5_parse_name(context, name, principal);
1199	}
1200
1201	bool smb_krb5_principal_compare_any_realm(krb5_context context,
1202	krb5_const_principal princ1,
1203	krb5_const_principal princ2)
1204	{
1205	#ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
1206
1207	return krb5_principal_compare_any_realm(context, princ1, princ2);
1208
1209	/* krb5_princ_size is a macro in MIT */
1210	#elif defined(HAVE_KRB5_PRINC_SIZE) \|\| defined(krb5_princ_size)
1211
1212	int i, len1, len2;
1213	const krb5_data p1, p2;
1214
1215	len1 = krb5_princ_size(context, princ1);
1216	len2 = krb5_princ_size(context, princ2);
1217
1218	if (len1 != len2)
1219	return False;
1220
1221	for (i = 0; i < len1; i++) {
1222
1223	p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
1224	p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
1225
1226	if (p1->length != p2->length \|\| memcmp(p1->data, p2->data, p1->length))
1227	return False;
1228	}
1229
1230	return True;
1231	#else
1232	#error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
1233	#endif
1234	}
1235
1236	krb5_error_code smb_krb5_renew_ticket(const char ccache_string, / FILE:/tmp/krb5cc_0 */
1237	const char client_string, / gd@BER.SUSE.DE */
1238	const char service_string, / krbtgt/BER.SUSE.DE@BER.SUSE.DE */
1239	time_t *expire_time)
1240	{
1241	krb5_error_code ret;
1242	krb5_context context = NULL;
1243	krb5_ccache ccache = NULL;
1244	krb5_principal client = NULL;
1245	krb5_creds creds, creds_in, *creds_out = NULL;
1246
1247	ZERO_STRUCT(creds);
1248	ZERO_STRUCT(creds_in);
1249
1250	initialize_krb5_error_table();
1251	ret = krb5_init_context(&context);
1252	if (ret) {
1253	goto done;
1254	}
1255
1256	if (!ccache_string) {
1257	ccache_string = krb5_cc_default_name(context);
1258	}
1259
1260	if (!ccache_string) {
1261	ret = EINVAL;
1262	goto done;
1263	}
1264
1265	DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
1266
1267	/* FIXME: we should not fall back to defaults */
1268	ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache);
1269	if (ret) {
1270	goto done;
1271	}
1272
1273	if (client_string) {
1274	ret = smb_krb5_parse_name(context, client_string, &client);
1275	if (ret) {
1276	goto done;
1277	}
1278	} else {
1279	ret = krb5_cc_get_principal(context, ccache, &client);
1280	if (ret) {
1281	goto done;
1282	}
1283	}
1284
1285	#ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */
1286	{
1287	ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string));
1288	if (ret) {
1289	DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
1290	goto done;
1291	}
1292	}
1293	#elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */
1294	{
1295	krb5_kdc_flags flags;
1296	krb5_realm *client_realm = NULL;
1297
1298	ret = krb5_copy_principal(context, client, &creds_in.client);
1299	if (ret) {
1300	goto done;
1301	}
1302
1303	if (service_string) {
1304	ret = smb_krb5_parse_name(context, service_string, &creds_in.server);
1305	if (ret) {
1306	goto done;
1307	}
1308	} else {
1309	/* build tgt service by default */
1310	client_realm = krb5_princ_realm(context, creds_in.client);
1311	if (!client_realm) {
1312	ret = ENOMEM;
1313	goto done;
1314	}
1315	ret = krb5_make_principal(context, &creds_in.server, client_realm, KRB5_TGS_NAME, client_realm, NULL);
1316	if (ret) {
1317	goto done;
1318	}
1319	}
1320
1321	flags.i = 0;
1322	flags.b.renewable = flags.b.renew = True;
1323
1324	ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds_out);
1325	if (ret) {
1326	DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
1327	goto done;
1328	}
1329
1330	creds = *creds_out;
1331	}
1332	#else
1333	#error NO_SUITABLE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE
1334	#endif
1335
1336	/* hm, doesn't that create a new one if the old one wasn't there? - Guenther */
1337	ret = krb5_cc_initialize(context, ccache, client);
1338	if (ret) {
1339	goto done;
1340	}
1341
1342	ret = krb5_cc_store_cred(context, ccache, &creds);
1343
1344	if (expire_time) {
1345	*expire_time = (time_t) creds.times.endtime;
1346	}
1347
1348	done:
1349	krb5_free_cred_contents(context, &creds_in);
1350
1351	if (creds_out) {
1352	krb5_free_creds(context, creds_out);
1353	} else {
1354	krb5_free_cred_contents(context, &creds);
1355	}
1356
1357	if (client) {
1358	krb5_free_principal(context, client);
1359	}
1360	if (ccache) {
1361	krb5_cc_close(context, ccache);
1362	}
1363	if (context) {
1364	krb5_free_context(context);
1365	}
1366
1367	return ret;
1368	}
1369
1370	krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr)
1371	{
1372	krb5_error_code ret = 0;
1373	if (addr == NULL) {
1374	return ret;
1375	}
1376	#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1377	krb5_free_addresses(context, addr->addrs);
1378	#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1379	ret = krb5_free_addresses(context, addr->addrs);
1380	SAFE_FREE(addr->addrs);
1381	#endif
1382	SAFE_FREE(addr);
1383	addr = NULL;
1384	return ret;
1385	}
1386
1387	krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr)
1388	{
1389	krb5_error_code ret = 0;
1390	nstring buf;
1391	#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1392	krb5_address **addrs = NULL;
1393	#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1394	krb5_addresses *addrs = NULL;
1395	#endif
1396
1397	kerb_addr = (smb_krb5_addresses )SMB_MALLOC(sizeof(smb_krb5_addresses));
1398	if (*kerb_addr == NULL) {
1399	return ENOMEM;
1400	}
1401
1402	put_name(buf, global_myname(), ' ', 0x20);
1403
1404	#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1405	{
1406	int num_addr = 2;
1407
1408	addrs = (krb5_address *)SMB_MALLOC(sizeof(krb5_address ) * num_addr);
1409	if (addrs == NULL) {
1410	SAFE_FREE(*kerb_addr);
1411	return ENOMEM;
1412	}
1413
1414	memset(addrs, 0, sizeof(krb5_address ) num_addr);
1415
1416	addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
1417	if (addrs[0] == NULL) {
1418	SAFE_FREE(addrs);
1419	SAFE_FREE(*kerb_addr);
1420	return ENOMEM;
1421	}
1422
1423	addrs[0]->magic = KV5M_ADDRESS;
1424	addrs[0]->addrtype = KRB5_ADDR_NETBIOS;
1425	addrs[0]->length = MAX_NETBIOSNAME_LEN;
1426	addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length);
1427	if (addrs[0]->contents == NULL) {
1428	SAFE_FREE(addrs[0]);
1429	SAFE_FREE(addrs);
1430	SAFE_FREE(*kerb_addr);
1431	return ENOMEM;
1432	}
1433
1434	memcpy(addrs[0]->contents, buf, addrs[0]->length);
1435
1436	addrs[1] = NULL;
1437	}
1438	#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1439	{
1440	addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses));
1441	if (addrs == NULL) {
1442	SAFE_FREE(*kerb_addr);
1443	return ENOMEM;
1444	}
1445
1446	memset(addrs, 0, sizeof(krb5_addresses));
1447
1448	addrs->len = 1;
1449	addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
1450	if (addrs->val == NULL) {
1451	SAFE_FREE(addrs);
1452	SAFE_FREE(kerb_addr);
1453	return ENOMEM;
1454	}
1455
1456	addrs->val[0].addr_type = KRB5_ADDR_NETBIOS;
1457	addrs->val[0].address.length = MAX_NETBIOSNAME_LEN;
1458	addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length);
1459	if (addrs->val[0].address.data == NULL) {
1460	SAFE_FREE(addrs->val);
1461	SAFE_FREE(addrs);
1462	SAFE_FREE(*kerb_addr);
1463	return ENOMEM;
1464	}
1465
1466	memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length);
1467	}
1468	#else
1469	#error UNKNOWN_KRB5_ADDRESS_FORMAT
1470	#endif
1471	(*kerb_addr)->addrs = addrs;
1472
1473	return ret;
1474	}
1475
1476	void smb_krb5_free_error(krb5_context context, krb5_error *krberror)
1477	{
1478	#ifdef HAVE_KRB5_FREE_ERROR_CONTENTS /* Heimdal */
1479	krb5_free_error_contents(context, krberror);
1480	#else /* MIT */
1481	krb5_free_error(context, krberror);
1482	#endif
1483	}
1484
1485	krb5_error_code handle_krberror_packet(krb5_context context,
1486	krb5_data *packet)
1487	{
1488	krb5_error_code ret;
1489	bool got_error_code = False;
1490
1491	DEBUG(10,("handle_krberror_packet: got error packet\n"));
1492
1493	#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */
1494	{
1495	krb5_error krberror;
1496
1497	if ((ret = krb5_rd_error(context, packet, &krberror))) {
1498	DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n",
1499	error_message(ret)));
1500	return ret;
1501	}
1502
1503	if (krberror.e_data == NULL \|\| krberror.e_data->data == NULL) {
1504	ret = (krb5_error_code) krberror.error_code;
1505	got_error_code = True;
1506	}
1507
1508	smb_krb5_free_error(context, &krberror);
1509	}
1510	#else /* MIT */
1511	{
1512	krb5_error *krberror;
1513
1514	if ((ret = krb5_rd_error(context, packet, &krberror))) {
1515	DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n",
1516	error_message(ret)));
1517	return ret;
1518	}
1519
1520	if (krberror->e_data.data == NULL) {
1521	ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
1522	got_error_code = True;
1523	}
1524	smb_krb5_free_error(context, krberror);
1525	}
1526	#endif
1527	if (got_error_code) {
1528	DEBUG(5,("handle_krberror_packet: got KERBERR from kpasswd: %s (%d)\n",
1529	error_message(ret), ret));
1530	}
1531	return ret;
1532	}
1533
1534	krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
1535	krb5_get_init_creds_opt **opt)
1536	{
1537	#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
1538	/* Heimdal or modern MIT version */
1539	return krb5_get_init_creds_opt_alloc(context, opt);
1540	#else
1541	/* Historical MIT version */
1542	krb5_get_init_creds_opt *my_opt;
1543
1544	*opt = NULL;
1545
1546	if ((my_opt = SMB_MALLOC_P(krb5_get_init_creds_opt)) == NULL) {
1547	return ENOMEM;
1548	}
1549
1550	krb5_get_init_creds_opt_init(my_opt);
1551
1552	*opt = my_opt;
1553	return 0;
1554	#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC */
1555	}
1556
1557	void smb_krb5_get_init_creds_opt_free(krb5_context context,
1558	krb5_get_init_creds_opt *opt)
1559	{
1560	#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE
1561
1562	#ifdef KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT
1563	/* Modern MIT or Heimdal version */
1564	krb5_get_init_creds_opt_free(context, opt);
1565	#else
1566	/* Heimdal version */
1567	krb5_get_init_creds_opt_free(opt);
1568	#endif /* KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT */
1569
1570	#else /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */
1571	/* Historical MIT version */
1572	SAFE_FREE(opt);
1573	opt = NULL;
1574	#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */
1575	}
1576
1577	krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry)
1578	{
1579	return KRB5_KEY_TYPE(KRB5_KT_KEY(kt_entry));
1580	}
1581
1582
1583	/* caller needs to free etype_s */
1584	krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
1585	krb5_enctype enctype,
1586	char **etype_s)
1587	{
1588	#ifdef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG
1589	return krb5_enctype_to_string(context, enctype, etype_s); /* Heimdal */
1590	#elif defined(HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG)
1591	char buf[256];
1592	krb5_error_code ret = krb5_enctype_to_string(enctype, buf, 256); /* MIT */
1593	if (ret) {
1594	return ret;
1595	}
1596	*etype_s = SMB_STRDUP(buf);
1597	if (!*etype_s) {
1598	return ENOMEM;
1599	}
1600	return ret;
1601	#else
1602	#error UNKNOWN_KRB5_ENCTYPE_TO_STRING_FUNCTION
1603	#endif
1604	}
1605
1606	krb5_error_code smb_krb5_mk_error(krb5_context context,
1607	krb5_error_code error_code,
1608	const krb5_principal server,
1609	krb5_data *reply)
1610	{
1611	#ifdef HAVE_SHORT_KRB5_MK_ERROR_INTERFACE /* MIT */
1612	/*
1613	* The MIT interface is terrible.
1614	* We have to construct this ourselves...
1615	*/
1616	krb5_error e;
1617
1618	memset(&e, 0, sizeof(e));
1619	krb5_us_timeofday(context, &e.stime, &e.susec);
1620	e.server = server;
1621	#if defined(krb5_err_base)
1622	e.error = error_code - krb5_err_base;
1623	#elif defined(ERROR_TABLE_BASE_krb5)
1624	e.error = error_code - ERROR_TABLE_BASE_krb5;
1625	#else
1626	e.error = error_code; /* Almost certainly wrong, but what can we do... ? */
1627	#endif
1628
1629	return krb5_mk_error(context, &e, reply);
1630	#else /* Heimdal. */
1631	return krb5_mk_error(context,
1632	error_code,
1633	NULL,
1634	NULL, /* e_data */
1635	NULL,
1636	server,
1637	NULL,
1638	NULL,
1639	reply);
1640	#endif
1641	}
1642
1643	/**********************************************************************
1644	* Open a krb5 keytab with flags, handles readonly or readwrite access and
1645	* allows to process non-default keytab names.
1646	* @param context krb5_context
1647	* @param keytab_name_req string
1648	* @param write_access bool if writable keytab is required
1649	* @param krb5_keytab pointer to krb5_keytab (close with krb5_kt_close())
1650	* @return krb5_error_code
1651	**********************************************************************/
1652
1653	/* This MAX_NAME_LEN is a constant defined in krb5.h */
1654	#ifndef MAX_KEYTAB_NAME_LEN
1655	#define MAX_KEYTAB_NAME_LEN 1100
1656	#endif
1657
1658	krb5_error_code smb_krb5_open_keytab(krb5_context context,
1659	const char *keytab_name_req,
1660	bool write_access,
1661	krb5_keytab *keytab)
1662	{
1663	krb5_error_code ret = 0;
1664	TALLOC_CTX *mem_ctx;
1665	char keytab_string[MAX_KEYTAB_NAME_LEN];
1666	char *kt_str = NULL;
1667	bool found_valid_name = False;
1668	const char *pragma = "FILE";
1669	const char *tmp = NULL;
1670
1671	if (!write_access && !keytab_name_req) {
1672	/* caller just wants to read the default keytab readonly, so be it */
1673	return krb5_kt_default(context, keytab);
1674	}
1675
1676	mem_ctx = talloc_init("smb_krb5_open_keytab");
1677	if (!mem_ctx) {
1678	return ENOMEM;
1679	}
1680
1681	#ifdef HAVE_WRFILE_KEYTAB
1682	if (write_access) {
1683	pragma = "WRFILE";
1684	}
1685	#endif
1686
1687	if (keytab_name_req) {
1688
1689	if (strlen(keytab_name_req) > MAX_KEYTAB_NAME_LEN) {
1690	ret = KRB5_CONFIG_NOTENUFSPACE;
1691	goto out;
1692	}
1693
1694	if ((strncmp(keytab_name_req, "WRFILE:/", 8) == 0) \|\|
1695	(strncmp(keytab_name_req, "FILE:/", 6) == 0)) {
1696	tmp = keytab_name_req;
1697	goto resolve;
1698	}
1699
1700	if (keytab_name_req[0] != '/') {
1701	ret = KRB5_KT_BADNAME;
1702	goto out;
1703	}
1704
1705	tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, keytab_name_req);
1706	if (!tmp) {
1707	ret = ENOMEM;
1708	goto out;
1709	}
1710
1711	goto resolve;
1712	}
1713
1714	/* we need to handle more complex keytab_strings, like:
1715	* "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab" */
1716
1717	ret = krb5_kt_default_name(context, &keytab_string[0], MAX_KEYTAB_NAME_LEN - 2);
1718	if (ret) {
1719	goto out;
1720	}
1721
1722	DEBUG(10,("smb_krb5_open_keytab: krb5_kt_default_name returned %s\n", keytab_string));
1723
1724	tmp = talloc_strdup(mem_ctx, keytab_string);
1725	if (!tmp) {
1726	ret = ENOMEM;
1727	goto out;
1728	}
1729
1730	if (strncmp(tmp, "ANY:", 4) == 0) {
1731	tmp += 4;
1732	}
1733
1734	memset(&keytab_string, '\0', sizeof(keytab_string));
1735
1736	while (next_token_talloc(mem_ctx, &tmp, &kt_str, ",")) {
1737	if (strncmp(kt_str, "WRFILE:", 7) == 0) {
1738	found_valid_name = True;
1739	tmp = kt_str;
1740	tmp += 7;
1741	}
1742
1743	if (strncmp(kt_str, "FILE:", 5) == 0) {
1744	found_valid_name = True;
1745	tmp = kt_str;
1746	tmp += 5;
1747	}
1748
1749	if (tmp[0] == '/') {
1750	/* Treat as a FILE: keytab definition. */
1751	found_valid_name = true;
1752	}
1753
1754	if (found_valid_name) {
1755	if (tmp[0] != '/') {
1756	ret = KRB5_KT_BADNAME;
1757	goto out;
1758	}
1759
1760	tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, tmp);
1761	if (!tmp) {
1762	ret = ENOMEM;
1763	goto out;
1764	}
1765	break;
1766	}
1767	}
1768
1769	if (!found_valid_name) {
1770	ret = KRB5_KT_UNKNOWN_TYPE;
1771	goto out;
1772	}
1773
1774	resolve:
1775	DEBUG(10,("smb_krb5_open_keytab: resolving: %s\n", tmp));
1776	ret = krb5_kt_resolve(context, tmp, keytab);
1777
1778	out:
1779	TALLOC_FREE(mem_ctx);
1780	return ret;
1781	}
1782
1783	krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
1784	krb5_context context,
1785	krb5_keytab keytab,
1786	const char **keytab_name)
1787	{
1788	char keytab_string[MAX_KEYTAB_NAME_LEN];
1789	krb5_error_code ret = 0;
1790
1791	ret = krb5_kt_get_name(context, keytab,
1792	keytab_string, MAX_KEYTAB_NAME_LEN - 2);
1793	if (ret) {
1794	return ret;
1795	}
1796
1797	*keytab_name = talloc_strdup(mem_ctx, keytab_string);
1798	if (!*keytab_name) {
1799	return ENOMEM;
1800	}
1801
1802	return ret;
1803	}
1804
1805	#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
1806	/**************************************************************
1807	Routine: ads_krb5_get_fwd_ticket
1808	Description:
1809	When a service ticket is flagged as trusted
1810	for delegation we should provide a forwardable
1811	ticket so that the remote host can act on our
1812	behalf. This is done by taking the 2nd forwardable
1813	TGT and storing it in the GSS-API authenticator
1814	"checksum". This routine will populate
1815	the krb5_data authenticator with this TGT.
1816	Parameters:
1817	krb5_context context: The kerberos context for this authentication.
1818	krb5_auth_context: The authentication context.
1819	krb5_creds *credsp: The ticket credentials (AS-REP).
1820	krb5_ccache ccache: The credentials cache.
1821	krb5_data &authenticator: The checksum field that will store the TGT, and
1822	authenticator.data must be freed by the caller.
1823
1824	Returns:
1825	krb5_error_code: 0 if no errors, otherwise set.
1826	**************************************************************/
1827
1828	static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context,
1829	krb5_auth_context *auth_context,
1830	krb5_creds *credsp,
1831	krb5_ccache ccache,
1832	krb5_data *authenticator)
1833	{
1834	krb5_data fwdData;
1835	krb5_error_code retval = 0;
1836	char *pChksum = NULL;
1837	char *p = NULL;
1838
1839	ZERO_STRUCT(fwdData);
1840	ZERO_STRUCTP(authenticator);
1841
1842	retval = krb5_fwd_tgt_creds(context,/* Krb5 context [in] */
1843	auth_context, / Authentication context [in] */
1844	CONST_DISCARD(char , KRB5_TGS_NAME), / Ticket service name ("krbtgt") [in] */
1845	credsp->client, /* Client principal for the tgt [in] */
1846	credsp->server, /* Server principal for the tgt [in] */
1847	ccache, /* Credential cache to use for storage [in] */
1848	1, /* Turn on for "Forwardable ticket" [in] */
1849	&fwdData ); /* Resulting response [out] */
1850
1851
1852	if (retval) {
1853	DEBUG(1,("ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (%s)\n",
1854	error_message(retval)));
1855	goto out;
1856	}
1857
1858	if ((unsigned int)GSSAPI_CHECKSUM_SIZE + (unsigned int)fwdData.length <
1859	(unsigned int)GSSAPI_CHECKSUM_SIZE) {
1860	retval = EINVAL;
1861	goto out;
1862	}
1863
1864	/* We're going to allocate a gssChecksum structure with a little
1865	extra data the length of the kerberos credentials length
1866	(APPLICATION 22) so that we can pack it on the end of the structure.
1867	*/
1868
1869	pChksum = (char *)SMB_MALLOC(GSSAPI_CHECKSUM_SIZE + fwdData.length );
1870	if (!pChksum) {
1871	retval = ENOMEM;
1872	goto out;
1873	}
1874
1875	p = pChksum;
1876
1877	SIVAL(p, 0, GSSAPI_BNDLENGTH);
1878	p += 4;
1879
1880	/* Zero out the bindings fields */
1881	memset(p, '\0', GSSAPI_BNDLENGTH );
1882	p += GSSAPI_BNDLENGTH;
1883
1884	SIVAL(p, 0, GSS_C_DELEG_FLAG );
1885	p += 4;
1886	SSVAL(p, 0, 1 );
1887	p += 2;
1888	SSVAL(p, 0, fwdData.length );
1889	p += 2;
1890
1891	/* Migrate the kerberos KRB_CRED data to the checksum delegation */
1892	memcpy(p, fwdData.data, fwdData.length );
1893	p += fwdData.length;
1894
1895	/* We need to do this in order to allow our GSS-API */
1896	retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
1897	if (retval) {
1898	goto out;
1899	}
1900
1901	/* We now have a service ticket, now turn it into an AP-REQ. */
1902	authenticator->length = fwdData.length + GSSAPI_CHECKSUM_SIZE;
1903
1904	/* Caller should call free() when they're done with this. */
1905	authenticator->data = (char *)pChksum;
1906
1907	out:
1908
1909	/* Remove that input data, we never needed it anyway. */
1910	if (fwdData.length > 0) {
1911	krb5_free_data_contents( context, &fwdData );
1912	}
1913
1914	return retval;
1915	}
1916	#endif
1917
1918	#else /* HAVE_KRB5 */
1919	/* this saves a few linking headaches */
1920	int cli_krb5_get_ticket(const char *principal, time_t time_offset,
1921	DATA_BLOB ticket, DATA_BLOB session_key_krb5, uint32 extra_ap_opts,
1922	const char ccname, time_t tgs_expire)
1923	{
1924	DEBUG(0,("NO KERBEROS SUPPORT\n"));
1925	return 1;
1926	}
1927
1928	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: