Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

clikrb5.c@ 5

Visit:

Last change on this file since 5 was 1, checked in by Paul Smedley, 18 years ago
Initial code import
File size: 37.1 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	simple kerberos5 routines for active directory
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Luke Howard 2002-2003
6	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7	Copyright (C) Guenther Deschner 2005
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 2 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19	You should have received a copy of the GNU General Public License
20	along with this program; if not, write to the Free Software
21	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22	*/
23
24	#define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
25	#define KRB5_DEPRECATED 1 /* this file uses DEPRECATED interfaces! */
26
27	#include "includes.h"
28
29	#ifdef HAVE_KRB5
30
31	#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
32	#define KRB5_KEY_TYPE(k) ((k)->keytype)
33	#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
34	#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
35	#else
36	#define KRB5_KEY_TYPE(k) ((k)->enctype)
37	#define KRB5_KEY_LENGTH(k) ((k)->length)
38	#define KRB5_KEY_DATA(k) ((k)->contents)
39	#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
40
41	/**************************************************************
42	Wrappers around kerberos string functions that convert from
43	utf8 -> unix charset and vica versa.
44	**************************************************************/
45
46	/**************************************************************
47	krb5_parse_name that takes a UNIX charset.
48	**************************************************************/
49
50	krb5_error_code smb_krb5_parse_name(krb5_context context,
51	const char name, / in unix charset */
52	krb5_principal *principal)
53	{
54	krb5_error_code ret;
55	char *utf8_name;
56
57	if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) {
58	return ENOMEM;
59	}
60
61	ret = krb5_parse_name(context, utf8_name, principal);
62	SAFE_FREE(utf8_name);
63	return ret;
64	}
65
66	#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
67	/**************************************************************
68	krb5_parse_name_norealm that takes a UNIX charset.
69	**************************************************************/
70
71	static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context,
72	const char name, / in unix charset */
73	krb5_principal *principal)
74	{
75	krb5_error_code ret;
76	char *utf8_name;
77
78	if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) {
79	return ENOMEM;
80	}
81
82	ret = krb5_parse_name_norealm(context, utf8_name, principal);
83	SAFE_FREE(utf8_name);
84	return ret;
85	}
86	#endif
87
88	/**************************************************************
89	krb5_parse_name that returns a UNIX charset name. Must
90	be freed with normal free() call.
91	**************************************************************/
92
93	krb5_error_code smb_krb5_unparse_name(krb5_context context,
94	krb5_const_principal principal,
95	char **unix_name)
96	{
97	krb5_error_code ret;
98	char *utf8_name;
99
100	ret = krb5_unparse_name(context, principal, &utf8_name);
101	if (ret) {
102	return ret;
103	}
104
105	if (pull_utf8_allocate(unix_name, utf8_name)==-1) {
106	krb5_free_unparsed_name(context, utf8_name);
107	return ENOMEM;
108	}
109	krb5_free_unparsed_name(context, utf8_name);
110	return 0;
111	}
112
113	#ifndef HAVE_KRB5_SET_REAL_TIME
114	/*
115	* This function is not in the Heimdal mainline.
116	*/
117	krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
118	{
119	krb5_error_code ret;
120	int32_t sec, usec;
121
122	ret = krb5_us_timeofday(context, &sec, &usec);
123	if (ret)
124	return ret;
125
126	context->kdc_sec_offset = seconds - sec;
127	context->kdc_usec_offset = microseconds - usec;
128
129	return 0;
130	}
131	#endif
132
133	#if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
134
135	#if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
136
137	/* With MIT kerberos, we should use krb5_set_default_tgs_enctypes in preference
138	* to krb5_set_default_tgs_ktypes. See
139	* http://lists.samba.org/archive/samba-technical/2006-July/048271.html
140	*
141	* If the MIT libraries are not exporting internal symbols, we will end up in
142	* this branch, which is correct. Otherwise we will continue to use the
143	* internal symbol
144	*/
145	krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
146	{
147	return krb5_set_default_tgs_enctypes(ctx, enc);
148	}
149
150	#elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES)
151
152	/* Heimdal */
153	krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
154	{
155	return krb5_set_default_in_tkt_etypes(ctx, enc);
156	}
157
158	#endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */
159
160	#endif /* HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */
161
162	#if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
163	/* HEIMDAL */
164	void setup_kaddr( krb5_address pkaddr, struct sockaddr paddr)
165	{
166	pkaddr->addr_type = KRB5_ADDRESS_INET;
167	pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
168	pkaddr->address.data = (char )&(((struct sockaddr_in )paddr)->sin_addr);
169	}
170	#elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
171	/* MIT */
172	void setup_kaddr( krb5_address pkaddr, struct sockaddr paddr)
173	{
174	pkaddr->addrtype = ADDRTYPE_INET;
175	pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
176	pkaddr->contents = (krb5_octet )&(((struct sockaddr_in )paddr)->sin_addr);
177	}
178	#else
179	#error UNKNOWN_ADDRTYPE
180	#endif
181
182	#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
183	int create_kerberos_key_from_string_direct(krb5_context context,
184	krb5_principal host_princ,
185	krb5_data *password,
186	krb5_keyblock *key,
187	krb5_enctype enctype)
188	{
189	int ret;
190	krb5_data salt;
191	krb5_encrypt_block eblock;
192
193	ret = krb5_principal2salt(context, host_princ, &salt);
194	if (ret) {
195	DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
196	return ret;
197	}
198	krb5_use_enctype(context, &eblock, enctype);
199	ret = krb5_string_to_key(context, &eblock, key, password, &salt);
200	SAFE_FREE(salt.data);
201	return ret;
202	}
203	#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
204	int create_kerberos_key_from_string_direct(krb5_context context,
205	krb5_principal host_princ,
206	krb5_data *password,
207	krb5_keyblock *key,
208	krb5_enctype enctype)
209	{
210	int ret;
211	krb5_salt salt;
212
213	ret = krb5_get_pw_salt(context, host_princ, &salt);
214	if (ret) {
215	DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
216	return ret;
217	}
218
219	ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
220	krb5_free_salt(context, salt);
221	return ret;
222	}
223	#else
224	#error UNKNOWN_CREATE_KEY_FUNCTIONS
225	#endif
226
227	int create_kerberos_key_from_string(krb5_context context,
228	krb5_principal host_princ,
229	krb5_data *password,
230	krb5_keyblock *key,
231	krb5_enctype enctype)
232	{
233	krb5_principal salt_princ = NULL;
234	int ret;
235	/*
236	* Check if we've determined that the KDC is salting keys for this
237	* principal/enctype in a non-obvious way. If it is, try to match
238	* its behavior.
239	*/
240	salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
241	ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
242	if (salt_princ) {
243	krb5_free_principal(context, salt_princ);
244	}
245	return ret;
246	}
247
248	#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
249	krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
250	krb5_enctype **enctypes)
251	{
252	return krb5_get_permitted_enctypes(context, enctypes);
253	}
254	#elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
255	krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
256	krb5_enctype **enctypes)
257	{
258	return krb5_get_default_in_tkt_etypes(context, enctypes);
259	}
260	#else
261	#error UNKNOWN_GET_ENCTYPES_FUNCTIONS
262	#endif
263
264	#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
265	krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
266	krb5_auth_context auth_context,
267	krb5_keyblock *keyblock)
268	{
269	return krb5_auth_con_setkey(context, auth_context, keyblock);
270	}
271	#endif
272
273	BOOL unwrap_pac(TALLOC_CTX mem_ctx, DATA_BLOB auth_data, DATA_BLOB *unwrapped_pac_data)
274	{
275	DATA_BLOB pac_contents;
276	ASN1_DATA data;
277	int data_type;
278
279	if (!auth_data->length) {
280	return False;
281	}
282
283	asn1_load(&data, *auth_data);
284	asn1_start_tag(&data, ASN1_SEQUENCE(0));
285	asn1_start_tag(&data, ASN1_SEQUENCE(0));
286	asn1_start_tag(&data, ASN1_CONTEXT(0));
287	asn1_read_Integer(&data, &data_type);
288
289	if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) {
290	DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type));
291	asn1_free(&data);
292	return False;
293	}
294
295	asn1_end_tag(&data);
296	asn1_start_tag(&data, ASN1_CONTEXT(1));
297	asn1_read_OctetString(&data, &pac_contents);
298	asn1_end_tag(&data);
299	asn1_end_tag(&data);
300	asn1_end_tag(&data);
301	asn1_free(&data);
302
303	*unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length);
304
305	data_blob_free(&pac_contents);
306
307	return True;
308	}
309
310	BOOL get_auth_data_from_tkt(TALLOC_CTX mem_ctx, DATA_BLOB auth_data, krb5_ticket *tkt)
311	{
312	DATA_BLOB auth_data_wrapped;
313	BOOL got_auth_data_pac = False;
314	int i;
315
316	#if defined(HAVE_KRB5_TKT_ENC_PART2)
317	if (tkt->enc_part2 && tkt->enc_part2->authorization_data &&
318	tkt->enc_part2->authorization_data[0] &&
319	tkt->enc_part2->authorization_data[0]->length)
320	{
321	for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) {
322
323	if (tkt->enc_part2->authorization_data[i]->ad_type !=
324	KRB5_AUTHDATA_IF_RELEVANT) {
325	DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
326	tkt->enc_part2->authorization_data[i]->ad_type));
327	continue;
328	}
329
330	auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents,
331	tkt->enc_part2->authorization_data[i]->length);
332
333	/* check if it is a PAC */
334	got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
335	data_blob_free(&auth_data_wrapped);
336
337	if (!got_auth_data_pac) {
338	continue;
339	}
340	}
341
342	return got_auth_data_pac;
343	}
344
345	#else
346	if (tkt->ticket.authorization_data &&
347	tkt->ticket.authorization_data->len)
348	{
349	for (i = 0; i < tkt->ticket.authorization_data->len; i++) {
350
351	if (tkt->ticket.authorization_data->val[i].ad_type !=
352	KRB5_AUTHDATA_IF_RELEVANT) {
353	DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
354	tkt->ticket.authorization_data->val[i].ad_type));
355	continue;
356	}
357
358	auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data,
359	tkt->ticket.authorization_data->val[i].ad_data.length);
360
361	/* check if it is a PAC */
362	got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
363	data_blob_free(&auth_data_wrapped);
364
365	if (!got_auth_data_pac) {
366	continue;
367	}
368	}
369
370	return got_auth_data_pac;
371	}
372	#endif
373	return False;
374	}
375
376	krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
377	{
378	#if defined(HAVE_KRB5_TKT_ENC_PART2)
379	return tkt->enc_part2->client;
380	#else
381	return tkt->client;
382	#endif
383	}
384
385	#if !defined(HAVE_KRB5_LOCATE_KDC)
386
387	/* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit
388	* to a public interface for this functionality, so we have to be able to live
389	* without it if the MIT libraries are hiding their internal symbols.
390	*/
391
392	#if defined(KRB5_KRBHST_INIT)
393	/* Heimdal */
394	krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data realm, struct sockaddr addr_pp, int naddrs, int get_masters)
395	{
396	krb5_krbhst_handle hnd;
397	krb5_krbhst_info *hinfo;
398	krb5_error_code rc;
399	int num_kdcs, i;
400	struct sockaddr *sa;
401	struct addrinfo *ai;
402
403	*addr_pp = NULL;
404	*naddrs = 0;
405
406	rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
407	if (rc) {
408	DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
409	return rc;
410	}
411
412	for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
413	;
414
415	krb5_krbhst_reset(ctx, hnd);
416
417	if (!num_kdcs) {
418	DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n"));
419	krb5_krbhst_free(ctx, hnd);
420	return -1;
421	}
422
423	sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
424	if (!sa) {
425	DEBUG(0, ("krb5_locate_kdc: malloc failed\n"));
426	krb5_krbhst_free(ctx, hnd);
427	naddrs = 0;
428	return -1;
429	}
430
431	memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
432
433	for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
434
435	#if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
436	rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
437	if (rc) {
438	DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
439	continue;
440	}
441	#endif
442	if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
443	memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
444	}
445
446	krb5_krbhst_free(ctx, hnd);
447
448	*naddrs = num_kdcs;
449	*addr_pp = sa;
450	return 0;
451	}
452
453	#else /* ! defined(KRB5_KRBHST_INIT) */
454
455	krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
456	struct sockaddr *addr_pp, int naddrs, int get_masters)
457	{
458	DEBUG(0, ("unable to explicitly locate the KDC on this platform\n"));
459	return KRB5_KDC_UNREACH;
460	}
461
462	#endif /* KRB5_KRBHST_INIT */
463
464	#endif /* HAVE_KRB5_LOCATE_KDC */
465
466	#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
467	void krb5_free_unparsed_name(krb5_context context, char *val)
468	{
469	SAFE_FREE(val);
470	}
471	#endif
472
473	void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
474	{
475	#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
476	if (pdata->data) {
477	krb5_free_data_contents(context, pdata);
478	}
479	#else
480	SAFE_FREE(pdata->data);
481	#endif
482	}
483
484	void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
485	{
486	#if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
487	KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
488	#elif defined(HAVE_KRB5_SESSION_IN_CREDS)
489	KRB5_KEY_TYPE((&pcreds->session)) = enctype;
490	#else
491	#error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
492	#endif
493	}
494
495	BOOL kerberos_compatible_enctypes(krb5_context context,
496	krb5_enctype enctype1,
497	krb5_enctype enctype2)
498	{
499	#if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
500	krb5_boolean similar = 0;
501
502	krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
503	return similar ? True : False;
504	#elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
505	return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
506	#endif
507	}
508
509	static BOOL ads_cleanup_expired_creds(krb5_context context,
510	krb5_ccache ccache,
511	krb5_creds *credsp)
512	{
513	krb5_error_code retval;
514	const char *cc_type = krb5_cc_get_type(context, ccache);
515
516	DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n",
517	cc_type, krb5_cc_get_name(context, ccache),
518	http_timestring(credsp->times.endtime)));
519
520	/* we will probably need new tickets if the current ones
521	will expire within 10 seconds.
522	*/
523	if (credsp->times.endtime >= (time(NULL) + 10))
524	return False;
525
526	/* heimdal won't remove creds from a file ccache, and
527	perhaps we shouldn't anyway, since internally we
528	use memory ccaches, and a FILE one probably means that
529	we're using creds obtained outside of our exectuable
530	*/
531	if (strequal(cc_type, "FILE")) {
532	DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type));
533	return False;
534	}
535
536	retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
537	if (retval) {
538	DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
539	error_message(retval)));
540	/* If we have an error in this, we want to display it,
541	but continue as though we deleted it */
542	}
543	return True;
544	}
545
546	/*
547	we can't use krb5_mk_req because w2k wants the service to be in a particular format
548	*/
549	static krb5_error_code ads_krb5_mk_req(krb5_context context,
550	krb5_auth_context *auth_context,
551	const krb5_flags ap_req_options,
552	const char *principal,
553	krb5_ccache ccache,
554	krb5_data *outbuf,
555	time_t *expire_time)
556	{
557	krb5_error_code retval;
558	krb5_principal server;
559	krb5_creds * credsp;
560	krb5_creds creds;
561	krb5_data in_data;
562	BOOL creds_ready = False;
563	int i = 0, maxtries = 3;
564
565	retval = smb_krb5_parse_name(context, principal, &server);
566	if (retval) {
567	DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
568	return retval;
569	}
570
571	/* obtain ticket & session key */
572	ZERO_STRUCT(creds);
573	if ((retval = krb5_copy_principal(context, server, &creds.server))) {
574	DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n",
575	error_message(retval)));
576	goto cleanup_princ;
577	}
578
579	if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
580	/* This can commonly fail on smbd startup with no ticket in the cache.
581	* Report at higher level than 1. */
582	DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
583	error_message(retval)));
584	goto cleanup_creds;
585	}
586
587	while (!creds_ready && (i < maxtries)) {
588
589	if ((retval = krb5_get_credentials(context, 0, ccache,
590	&creds, &credsp))) {
591	DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
592	principal, error_message(retval)));
593	goto cleanup_creds;
594	}
595
596	/* cope with ticket being in the future due to clock skew */
597	if ((unsigned)credsp->times.starttime > time(NULL)) {
598	time_t t = time(NULL);
599	int time_offset =(int)((unsigned)credsp->times.starttime-t);
600	DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
601	krb5_set_real_time(context, t + time_offset + 1, 0);
602	}
603
604	if (!ads_cleanup_expired_creds(context, ccache, credsp)) {
605	creds_ready = True;
606	}
607
608	i++;
609	}
610
611	DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n",
612	principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache),
613	http_timestring((unsigned)credsp->times.endtime),
614	(unsigned)credsp->times.endtime));
615
616	if (expire_time) {
617	*expire_time = (time_t)credsp->times.endtime;
618	}
619
620	in_data.length = 0;
621	retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
622	&in_data, credsp, outbuf);
623	if (retval) {
624	DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
625	error_message(retval)));
626	}
627
628	krb5_free_creds(context, credsp);
629
630	cleanup_creds:
631	krb5_free_cred_contents(context, &creds);
632
633	cleanup_princ:
634	krb5_free_principal(context, server);
635
636	return retval;
637	}
638
639	/*
640	get a kerberos5 ticket for the given service
641	*/
642	int cli_krb5_get_ticket(const char *principal, time_t time_offset,
643	DATA_BLOB ticket, DATA_BLOB session_key_krb5,
644	uint32 extra_ap_opts, const char *ccname,
645	time_t *tgs_expire)
646
647	{
648	krb5_error_code retval;
649	krb5_data packet;
650	krb5_context context = NULL;
651	krb5_ccache ccdef = NULL;
652	krb5_auth_context auth_context = NULL;
653	krb5_enctype enc_types[] = {
654	#ifdef ENCTYPE_ARCFOUR_HMAC
655	ENCTYPE_ARCFOUR_HMAC,
656	#endif
657	ENCTYPE_DES_CBC_MD5,
658	ENCTYPE_DES_CBC_CRC,
659	ENCTYPE_NULL};
660
661	initialize_krb5_error_table();
662	retval = krb5_init_context(&context);
663	if (retval) {
664	DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n",
665	error_message(retval)));
666	goto failed;
667	}
668
669	if (time_offset != 0) {
670	krb5_set_real_time(context, time(NULL) + time_offset, 0);
671	}
672
673	if ((retval = krb5_cc_resolve(context, ccname ?
674	ccname : krb5_cc_default_name(context), &ccdef))) {
675	DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
676	error_message(retval)));
677	goto failed;
678	}
679
680	if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
681	DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
682	error_message(retval)));
683	goto failed;
684	}
685
686	if ((retval = ads_krb5_mk_req(context,
687	&auth_context,
688	AP_OPTS_USE_SUBKEY \| (krb5_flags)extra_ap_opts,
689	principal,
690	ccdef, &packet,
691	tgs_expire))) {
692	goto failed;
693	}
694
695	get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
696
697	*ticket = data_blob(packet.data, packet.length);
698
699	kerberos_free_data_contents(context, &packet);
700
701	failed:
702
703	if ( context ) {
704	if (ccdef)
705	krb5_cc_close(context, ccdef);
706	if (auth_context)
707	krb5_auth_con_free(context, auth_context);
708	krb5_free_context(context);
709	}
710
711	return retval;
712	}
713
714	BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
715	{
716	krb5_keyblock *skey;
717	krb5_error_code err;
718	BOOL ret = False;
719
720	if (remote)
721	err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
722	else
723	err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
724	if (err == 0 && skey != NULL) {
725	DEBUG(10, ("Got KRB5 session key of length %d\n", (int)KRB5_KEY_LENGTH(skey)));
726	*session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
727	dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
728
729	ret = True;
730
731	krb5_free_keyblock(context, skey);
732	} else {
733	DEBUG(10, ("KRB5 error getting session key %d\n", err));
734	}
735
736	return ret;
737	}
738
739
740	#if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
741	const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
742
743	const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
744	{
745	static krb5_data kdata;
746
747	kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i);
748	kdata.length = strlen((const char *)kdata.data);
749	return &kdata;
750	}
751	#endif
752
753	krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
754	{
755	#if defined(HAVE_KRB5_KT_FREE_ENTRY)
756	return krb5_kt_free_entry(context, kt_entry);
757	#elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
758	return krb5_free_keytab_entry_contents(context, kt_entry);
759	#else
760	#error UNKNOWN_KT_FREE_FUNCTION
761	#endif
762	}
763
764	void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
765	PAC_SIGNATURE_DATA *sig)
766	{
767	#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
768	cksum->cksumtype = (krb5_cksumtype)sig->type;
769	cksum->checksum.length = sig->signature.buf_len;
770	cksum->checksum.data = sig->signature.buffer;
771	#else
772	cksum->checksum_type = (krb5_cksumtype)sig->type;
773	cksum->length = sig->signature.buf_len;
774	cksum->contents = sig->signature.buffer;
775	#endif
776	}
777
778	krb5_error_code smb_krb5_verify_checksum(krb5_context context,
779	krb5_keyblock *keyblock,
780	krb5_keyusage usage,
781	krb5_checksum *cksum,
782	uint8 *data,
783	size_t length)
784	{
785	krb5_error_code ret;
786
787	/* verify the checksum */
788
789	/* welcome to the wonderful world of samba's kerberos abstraction layer:
790	*
791	* function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2
792	* -----------------------------------------------------------------------------
793	* krb5_c_verify_checksum - works works
794	* krb5_verify_checksum works (6 args) works (6 args) broken (7 args)
795	*/
796
797	#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
798	{
799	krb5_boolean checksum_valid = False;
800	krb5_data input;
801
802	input.data = (char *)data;
803	input.length = length;
804
805	ret = krb5_c_verify_checksum(context,
806	keyblock,
807	usage,
808	&input,
809	cksum,
810	&checksum_valid);
811	if (ret) {
812	DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
813	error_message(ret)));
814	return ret;
815	}
816
817	if (!checksum_valid)
818	ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
819	}
820
821	#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
822
823	/* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
824	* without enctype and it ignores any key_usage types - Guenther */
825
826	{
827
828	krb5_crypto crypto;
829	ret = krb5_crypto_init(context,
830	keyblock,
831	0,
832	&crypto);
833	if (ret) {
834	DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
835	error_message(ret)));
836	return ret;
837	}
838
839	ret = krb5_verify_checksum(context,
840	crypto,
841	usage,
842	data,
843	length,
844	cksum);
845
846	krb5_crypto_destroy(context, crypto);
847	}
848
849	#else
850	#error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
851	#endif
852
853	return ret;
854	}
855
856	time_t get_authtime_from_tkt(krb5_ticket *tkt)
857	{
858	#if defined(HAVE_KRB5_TKT_ENC_PART2)
859	return tkt->enc_part2->times.authtime;
860	#else
861	return tkt->ticket.authtime;
862	#endif
863	}
864
865	#ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
866	static int get_kvno_from_ap_req(krb5_ap_req *ap_req)
867	{
868	#ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */
869	if (ap_req->ticket->enc_part.kvno)
870	return ap_req->ticket->enc_part.kvno;
871	#else /* Heimdal */
872	if (ap_req->ticket.enc_part.kvno)
873	return *ap_req->ticket.enc_part.kvno;
874	#endif
875	return 0;
876	}
877
878	static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req)
879	{
880	#ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
881	return ap_req->ticket.enc_part.etype;
882	#else /* MIT */
883	return ap_req->ticket->enc_part.enctype;
884	#endif
885	}
886	#endif /* HAVE_KRB5_DECODE_AP_REQ */
887
888	static krb5_error_code
889	get_key_from_keytab(krb5_context context,
890	krb5_const_principal server,
891	krb5_enctype enctype,
892	krb5_kvno kvno,
893	krb5_keyblock **out_key)
894	{
895	krb5_keytab_entry entry;
896	krb5_error_code ret;
897	krb5_keytab keytab;
898	char *name = NULL;
899
900	/* We have to open a new keytab handle here, as MIT does
901	an implicit open/getnext/close on krb5_kt_get_entry. We
902	may be in the middle of a keytab enumeration when this is
903	called. JRA. */
904
905	ret = krb5_kt_default(context, &keytab);
906	if (ret) {
907	DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret)));
908	return ret;
909	}
910
911	if ( DEBUGLEVEL >= 10 ) {
912	if (smb_krb5_unparse_name(context, server, &name) == 0) {
913	DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n",
914	kvno, enctype, name));
915	SAFE_FREE(name);
916	}
917	}
918
919	ret = krb5_kt_get_entry(context,
920	keytab,
921	server,
922	kvno,
923	enctype,
924	&entry);
925
926	if (ret) {
927	DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret)));
928	goto out;
929	}
930
931	#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
932	ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
933	#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
934	ret = krb5_copy_keyblock(context, &entry.key, out_key);
935	#else
936	#error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
937	#endif
938
939	if (ret) {
940	DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
941	goto out;
942	}
943
944	smb_krb5_kt_free_entry(context, &entry);
945
946	out:
947	krb5_kt_close(context, keytab);
948	return ret;
949	}
950
951	/* Prototypes */
952
953	krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
954	const krb5_data *inbuf,
955	krb5_kvno *kvno,
956	krb5_enctype *enctype)
957	{
958	#ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
959	{
960	krb5_error_code ret;
961	krb5_ap_req ap_req;
962
963	ret = krb5_decode_ap_req(context, inbuf, &ap_req);
964	if (ret)
965	return ret;
966
967	*kvno = get_kvno_from_ap_req(&ap_req);
968	*enctype = get_enctype_from_ap_req(&ap_req);
969
970	free_AP_REQ(&ap_req);
971	return 0;
972	}
973	#endif
974
975	/* Possibly not an appropriate error code. */
976	return KRB5KDC_ERR_BADOPTION;
977	}
978
979	krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
980	krb5_auth_context *auth_context,
981	const krb5_data *inbuf,
982	krb5_const_principal server,
983	krb5_keytab keytab,
984	krb5_flags *ap_req_options,
985	krb5_ticket **ticket,
986	krb5_keyblock **keyblock)
987	{
988	krb5_error_code ret;
989	krb5_kvno kvno;
990	krb5_enctype enctype;
991	krb5_keyblock *local_keyblock;
992
993	ret = krb5_rd_req(context,
994	auth_context,
995	inbuf,
996	server,
997	keytab,
998	ap_req_options,
999	ticket);
1000	if (ret) {
1001	return ret;
1002	}
1003
1004	#ifdef KRB5_TICKET_HAS_KEYINFO
1005	enctype = (*ticket)->enc_part.enctype;
1006	kvno = (*ticket)->enc_part.kvno;
1007	#else
1008	ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype);
1009	if (ret) {
1010	return ret;
1011	}
1012	#endif
1013
1014	ret = get_key_from_keytab(context,
1015	server,
1016	enctype,
1017	kvno,
1018	&local_keyblock);
1019	if (ret) {
1020	DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n"));
1021	goto out;
1022	}
1023
1024	out:
1025	if (ret && local_keyblock != NULL) {
1026	krb5_free_keyblock(context, local_keyblock);
1027	} else {
1028	*keyblock = local_keyblock;
1029	}
1030
1031	return ret;
1032	}
1033
1034	krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
1035	const char *name,
1036	krb5_principal *principal)
1037	{
1038	#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
1039	return smb_krb5_parse_name_norealm_conv(context, name, principal);
1040	#endif
1041
1042	/* we are cheating here because parse_name will in fact set the realm.
1043	* We don't care as the only caller of smb_krb5_parse_name_norealm
1044	* ignores the realm anyway when calling
1045	* smb_krb5_principal_compare_any_realm later - Guenther */
1046
1047	return smb_krb5_parse_name(context, name, principal);
1048	}
1049
1050	BOOL smb_krb5_principal_compare_any_realm(krb5_context context,
1051	krb5_const_principal princ1,
1052	krb5_const_principal princ2)
1053	{
1054	#ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
1055
1056	return krb5_principal_compare_any_realm(context, princ1, princ2);
1057
1058	/* krb5_princ_size is a macro in MIT */
1059	#elif defined(HAVE_KRB5_PRINC_SIZE) \|\| defined(krb5_princ_size)
1060
1061	int i, len1, len2;
1062	const krb5_data p1, p2;
1063
1064	len1 = krb5_princ_size(context, princ1);
1065	len2 = krb5_princ_size(context, princ2);
1066
1067	if (len1 != len2)
1068	return False;
1069
1070	for (i = 0; i < len1; i++) {
1071
1072	p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
1073	p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
1074
1075	if (p1->length != p2->length \|\| memcmp(p1->data, p2->data, p1->length))
1076	return False;
1077	}
1078
1079	return True;
1080	#else
1081	#error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
1082	#endif
1083	}
1084
1085	krb5_error_code smb_krb5_renew_ticket(const char ccache_string, / FILE:/tmp/krb5cc_0 */
1086	const char client_string, / gd@BER.SUSE.DE */
1087	const char service_string, / krbtgt/BER.SUSE.DE@BER.SUSE.DE */
1088	time_t *new_start_time)
1089	{
1090	krb5_error_code ret;
1091	krb5_context context = NULL;
1092	krb5_ccache ccache = NULL;
1093	krb5_principal client = NULL;
1094
1095	initialize_krb5_error_table();
1096	ret = krb5_init_context(&context);
1097	if (ret) {
1098	goto done;
1099	}
1100
1101	if (!ccache_string) {
1102	ccache_string = krb5_cc_default_name(context);
1103	}
1104
1105	DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
1106
1107	/* FIXME: we should not fall back to defaults */
1108	ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache);
1109	if (ret) {
1110	goto done;
1111	}
1112
1113	#ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */
1114	{
1115	krb5_creds creds;
1116
1117	if (client_string) {
1118	ret = smb_krb5_parse_name(context, client_string, &client);
1119	if (ret) {
1120	goto done;
1121	}
1122	} else {
1123	ret = krb5_cc_get_principal(context, ccache, &client);
1124	if (ret) {
1125	goto done;
1126	}
1127	}
1128
1129	ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string));
1130	if (ret) {
1131	DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
1132	goto done;
1133	}
1134
1135	/* hm, doesn't that create a new one if the old one wasn't there? - Guenther */
1136	ret = krb5_cc_initialize(context, ccache, client);
1137	if (ret) {
1138	goto done;
1139	}
1140
1141	ret = krb5_cc_store_cred(context, ccache, &creds);
1142
1143	if (new_start_time) {
1144	*new_start_time = (time_t) creds.times.renew_till;
1145	}
1146
1147	krb5_free_cred_contents(context, &creds);
1148	}
1149	#elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */
1150	{
1151	krb5_kdc_flags flags;
1152	krb5_creds creds_in;
1153	krb5_realm *client_realm;
1154	krb5_creds *creds;
1155
1156	memset(&creds_in, 0, sizeof(creds_in));
1157
1158	if (client_string) {
1159	ret = smb_krb5_parse_name(context, client_string, &creds_in.client);
1160	if (ret) {
1161	goto done;
1162	}
1163	} else {
1164	ret = krb5_cc_get_principal(context, ccache, &creds_in.client);
1165	if (ret) {
1166	goto done;
1167	}
1168	}
1169
1170	if (service_string) {
1171	ret = smb_krb5_parse_name(context, service_string, &creds_in.server);
1172	if (ret) {
1173	goto done;
1174	}
1175	} else {
1176	/* build tgt service by default */
1177	client_realm = krb5_princ_realm(context, client);
1178	ret = krb5_make_principal(context, &creds_in.server, client_realm, KRB5_TGS_NAME, client_realm, NULL);
1179	if (ret) {
1180	goto done;
1181	}
1182	}
1183
1184	flags.i = 0;
1185	flags.b.renewable = flags.b.renew = True;
1186
1187	ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds);
1188	if (ret) {
1189	DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
1190	goto done;
1191	}
1192
1193	/* hm, doesn't that create a new one if the old one wasn't there? - Guenther */
1194	ret = krb5_cc_initialize(context, ccache, creds_in.client);
1195	if (ret) {
1196	goto done;
1197	}
1198
1199	ret = krb5_cc_store_cred(context, ccache, creds);
1200
1201	if (new_start_time) {
1202	*new_start_time = (time_t) creds->times.renew_till;
1203	}
1204
1205	krb5_free_cred_contents(context, &creds_in);
1206	krb5_free_creds(context, creds);
1207	}
1208	#else
1209	#error No suitable krb5 ticket renew function available
1210	#endif
1211
1212
1213	done:
1214	if (client) {
1215	krb5_free_principal(context, client);
1216	}
1217	if (context) {
1218	krb5_free_context(context);
1219	}
1220	if (ccache) {
1221	krb5_cc_close(context, ccache);
1222	}
1223
1224	return ret;
1225
1226	}
1227
1228	krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr)
1229	{
1230	krb5_error_code ret = 0;
1231	if (addr == NULL) {
1232	return ret;
1233	}
1234	#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1235	krb5_free_addresses(context, addr->addrs);
1236	#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1237	ret = krb5_free_addresses(context, addr->addrs);
1238	SAFE_FREE(addr->addrs);
1239	#endif
1240	SAFE_FREE(addr);
1241	addr = NULL;
1242	return ret;
1243	}
1244
1245	krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr)
1246	{
1247	krb5_error_code ret = 0;
1248	nstring buf;
1249	#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1250	krb5_address **addrs = NULL;
1251	#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1252	krb5_addresses *addrs = NULL;
1253	#endif
1254
1255	kerb_addr = (smb_krb5_addresses )SMB_MALLOC(sizeof(smb_krb5_addresses));
1256	if (*kerb_addr == NULL) {
1257	return ENOMEM;
1258	}
1259
1260	put_name(buf, global_myname(), ' ', 0x20);
1261
1262	#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1263	{
1264	int num_addr = 2;
1265
1266	addrs = (krb5_address *)SMB_MALLOC(sizeof(krb5_address ) * num_addr);
1267	if (addrs == NULL) {
1268	SAFE_FREE(kerb_addr);
1269	return ENOMEM;
1270	}
1271
1272	memset(addrs, 0, sizeof(krb5_address ) num_addr);
1273
1274	addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
1275	if (addrs[0] == NULL) {
1276	SAFE_FREE(addrs);
1277	SAFE_FREE(kerb_addr);
1278	return ENOMEM;
1279	}
1280
1281	addrs[0]->magic = KV5M_ADDRESS;
1282	addrs[0]->addrtype = KRB5_ADDR_NETBIOS;
1283	addrs[0]->length = MAX_NETBIOSNAME_LEN;
1284	addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length);
1285	if (addrs[0]->contents == NULL) {
1286	SAFE_FREE(addrs[0]);
1287	SAFE_FREE(addrs);
1288	SAFE_FREE(kerb_addr);
1289	return ENOMEM;
1290	}
1291
1292	memcpy(addrs[0]->contents, buf, addrs[0]->length);
1293
1294	addrs[1] = NULL;
1295	}
1296	#elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1297	{
1298	addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses));
1299	if (addrs == NULL) {
1300	SAFE_FREE(kerb_addr);
1301	return ENOMEM;
1302	}
1303
1304	memset(addrs, 0, sizeof(krb5_addresses));
1305
1306	addrs->len = 1;
1307	addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
1308	if (addrs->val == NULL) {
1309	SAFE_FREE(addrs);
1310	SAFE_FREE(kerb_addr);
1311	return ENOMEM;
1312	}
1313
1314	addrs->val[0].addr_type = KRB5_ADDR_NETBIOS;
1315	addrs->val[0].address.length = MAX_NETBIOSNAME_LEN;
1316	addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length);
1317	if (addrs->val[0].address.data == NULL) {
1318	SAFE_FREE(addrs->val);
1319	SAFE_FREE(addrs);
1320	SAFE_FREE(kerb_addr);
1321	return ENOMEM;
1322	}
1323
1324	memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length);
1325	}
1326	#else
1327	#error UNKNOWN_KRB5_ADDRESS_FORMAT
1328	#endif
1329	(*kerb_addr)->addrs = addrs;
1330
1331	return ret;
1332	}
1333
1334	void smb_krb5_free_error(krb5_context context, krb5_error *krberror)
1335	{
1336	#ifdef HAVE_KRB5_FREE_ERROR_CONTENTS /* Heimdal */
1337	krb5_free_error_contents(context, krberror);
1338	#else /* MIT */
1339	krb5_free_error(context, krberror);
1340	#endif
1341	}
1342
1343	krb5_error_code handle_krberror_packet(krb5_context context,
1344	krb5_data *packet)
1345	{
1346	krb5_error_code ret;
1347	BOOL got_error_code = False;
1348
1349	DEBUG(10,("handle_krberror_packet: got error packet\n"));
1350
1351	#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */
1352	{
1353	krb5_error krberror;
1354
1355	if ((ret = krb5_rd_error(context, packet, &krberror))) {
1356	DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n",
1357	error_message(ret)));
1358	return ret;
1359	}
1360
1361	if (krberror.e_data == NULL \|\| krberror.e_data->data == NULL) {
1362	ret = (krb5_error_code) krberror.error_code;
1363	got_error_code = True;
1364	}
1365
1366	smb_krb5_free_error(context, &krberror);
1367	}
1368	#else /* MIT */
1369	{
1370	krb5_error *krberror;
1371
1372	if ((ret = krb5_rd_error(context, packet, &krberror))) {
1373	DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n",
1374	error_message(ret)));
1375	return ret;
1376	}
1377
1378	if (krberror->e_data.data == NULL) {
1379	ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
1380	got_error_code = True;
1381	}
1382	smb_krb5_free_error(context, krberror);
1383	}
1384	#endif
1385	if (got_error_code) {
1386	DEBUG(5,("handle_krberror_packet: got KERBERR from kpasswd: %s (%d)\n",
1387	error_message(ret), ret));
1388	}
1389	return ret;
1390	}
1391
1392	#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
1393	krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt **opt)
1394	{
1395	krb5_get_init_creds_opt *my_opt;
1396
1397	*opt = NULL;
1398
1399	if ((my_opt = SMB_MALLOC(sizeof(krb5_get_init_creds_opt))) == NULL) {
1400	return ENOMEM;
1401	}
1402
1403	krb5_get_init_creds_opt_init(my_opt);
1404
1405	*opt = my_opt;
1406	return 0;
1407	}
1408	#endif
1409
1410	#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE
1411	void krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opt)
1412	{
1413	SAFE_FREE(opt);
1414	opt = NULL;
1415	}
1416	#endif
1417
1418	#else /* HAVE_KRB5 */
1419	/* this saves a few linking headaches */
1420	int cli_krb5_get_ticket(const char *principal, time_t time_offset,
1421	DATA_BLOB ticket, DATA_BLOB session_key_krb5, uint32 extra_ap_opts,
1422	const char ccname, time_t tgs_expire)
1423	{
1424	DEBUG(0,("NO KERBEROS SUPPORT\n"));
1425	return 1;
1426	}
1427
1428	#endif

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/samba-3.0.25pre1/source/libsmb/clikrb5.c@ 5

Download in other formats: