Changeset 745 for trunk/server/source3/libsmb/clikrb5.c

Timestamp:

Nov 27, 2012, 4:43:17 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: updated trunk to 3.6.0

Location:

trunk/server

Files:

• . (modified) (1 prop)
• source3/libsmb/clikrb5.c (modified) (14 diffs)

trunk/server/source3/libsmb/clikrb5.c

@@ -23 +23 @@
 #include "includes.h"
 #include "smb_krb5.h"
-#include "authdata.h"
+#include "../librpc/gen_ndr/krb5pac.h"
+#include "../lib/util/asn1.h"
+#include "libsmb/nmblib.h"
+
+#ifndef KRB5_AUTHDATA_WIN2K_PAC
+#define KRB5_AUTHDATA_WIN2K_PAC 128
+#endif
+
+#ifndef KRB5_AUTHDATA_IF_RELEVANT
+#define KRB5_AUTHDATA_IF_RELEVANT 1
+#endif
 
 #ifdef HAVE_KRB5
@@ -348 +358 @@
         
         asn1_start_tag(data, ASN1_CONTEXT(2));
-        asn1_read_OctetString(data, talloc_autofree_context(), &edata_contents);
+        asn1_read_OctetString(data, talloc_tos(), &edata_contents);
         asn1_end_tag(data);
         asn1_end_tag(data);
@@ -391 +401 @@
         asn1_end_tag(data);
         asn1_start_tag(data, ASN1_CONTEXT(1));
-        asn1_read_OctetString(data, talloc_autofree_context(), &pac_contents);
+        asn1_read_OctetString(data, talloc_tos(), &pac_contents);
         asn1_end_tag(data);
         asn1_end_tag(data);
@@ -929 +939 @@
 
 /*
-  get a kerberos5 ticket for the given service 
+  get a kerberos5 ticket for the given service
 */
-int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
-                        DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, 
-                        uint32 extra_ap_opts, const char *ccname, 
+int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+                        const char *principal, time_t time_offset,
+                        DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+                        uint32_t extra_ap_opts, const char *ccname,
                         time_t *tgs_expire,
                         const char *impersonate_princ_s)
@@ -944 +955 @@
         krb5_auth_context auth_context = NULL;
         krb5_enctype enc_types[] = {
-#ifdef ENCTYPE_ARCFOUR_HMAC
                 ENCTYPE_ARCFOUR_HMAC,
-#endif 
-                ENCTYPE_DES_CBC_MD5, 
-                ENCTYPE_DES_CBC_CRC, 
+                ENCTYPE_DES_CBC_MD5,
+                ENCTYPE_DES_CBC_CRC,
                 ENCTYPE_NULL};
 
@@ -954 +963 @@
         retval = krb5_init_context(&context);
         if (retval) {
-                DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n", 
+                DEBUG(1, ("krb5_init_context failed (%s)\n",
                          error_message(retval)));
                 goto failed;
@@ -965 +974 @@
         if ((retval = krb5_cc_resolve(context, ccname ?
                         ccname : krb5_cc_default_name(context), &ccdef))) {
-                DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
+                DEBUG(1, ("krb5_cc_default failed (%s)\n",
                          error_message(retval)));
                 goto failed;
@@ -971 +980 @@
 
         if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
-                DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
+                DEBUG(1, ("krb5_set_default_tgs_ktypes failed (%s)\n",
                          error_message(retval)));
                 goto failed;
         }
 
-        if ((retval = ads_krb5_mk_req(context, 
-                                        &auth_context, 
-                                        AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
-                                        principal,
-                                        ccdef, &packet,
-                                        tgs_expire,
-                                        impersonate_princ_s))) {
+        retval = ads_krb5_mk_req(context, &auth_context,
+                                AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
+                                principal, ccdef, &packet,
+                                tgs_expire, impersonate_princ_s);
+        if (retval) {
                 goto failed;
         }
 
-        get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
-
-        *ticket = data_blob(packet.data, packet.length);
-
-        kerberos_free_data_contents(context, &packet); 
+        get_krb5_smb_session_key(mem_ctx, context, auth_context,
+                                 session_key_krb5, false);
+
+        *ticket = data_blob_talloc(mem_ctx, packet.data, packet.length);
+
+        kerberos_free_data_contents(context, &packet);
 
 failed:
 
-        if ( context ) {
+        if (context) {
                 if (ccdef)
                         krb5_cc_close(context, ccdef);
@@ -1001 +1009 @@
                 krb5_free_context(context);
         }
-                
+
         return retval;
 }
 
- bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote)
- {
+bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+                              krb5_context context,
+                              krb5_auth_context auth_context,
+                              DATA_BLOB *session_key, bool remote)
+{
         krb5_keyblock *skey = NULL;
         krb5_error_code err = 0;
@@ -1012 +1023 @@
 
         if (remote) {
-                err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
+                err = krb5_auth_con_getremotesubkey(context,
+                                                    auth_context, &skey);
         } else {
-                err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
+                err = krb5_auth_con_getlocalsubkey(context,
+                                                   auth_context, &skey);
         }
 
@@ -1022 +1035 @@
         }
 
-        DEBUG(10, ("Got KRB5 session key of length %d\n",  (int)KRB5_KEY_LENGTH(skey)));
-        *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
-        dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
+        DEBUG(10, ("Got KRB5 session key of length %d\n",
+                   (int)KRB5_KEY_LENGTH(skey)));
+
+        *session_key = data_blob_talloc(mem_ctx,
+                                         KRB5_KEY_DATA(skey),
+                                         KRB5_KEY_LENGTH(skey));
+        dump_data_pw("KRB5 Session Key:\n",
+                     session_key->data,
+                     session_key->length);
 
         ret = true;
 
- done:
+done:
         if (skey) {
                 krb5_free_keyblock(context, skey);
@@ -1034 +1053 @@
 
         return ret;
- }
+}
 
 
@@ -2252 +2271 @@
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
- int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
-                        DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
+ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+                        const char *principal, time_t time_offset,
+                        DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+                        uint32_t extra_ap_opts,
                         const char *ccname, time_t *tgs_expire,
                         const char *impersonate_princ_s)
@@ -2261 +2282 @@
 }
 
-#endif
+bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
+{
+        DEBUG(0,("NO KERBEROS SUPPORT\n"));
+        return false;
+}
+
+#endif /* HAVE_KRB5 */