git.maemo.org Git - samba/blob - source/libsmb/clikrb5.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    simple kerberos5 routines for active directory
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Luke Howard 2002-2003
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7    Copyright (C) Guenther Deschner 2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
  25 #define KRB5_DEPRECATED 1       /* this file uses DEPRECATED interfaces! */
  26
  27 #include "includes.h"
  28
  29 #ifdef HAVE_KRB5
  30
  31 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
  32 #define KRB5_KEY_TYPE(k)        ((k)->keytype)
  33 #define KRB5_KEY_LENGTH(k)      ((k)->keyvalue.length)
  34 #define KRB5_KEY_DATA(k)        ((k)->keyvalue.data)
  35 #else
  36 #define KRB5_KEY_TYPE(k)        ((k)->enctype)
  37 #define KRB5_KEY_LENGTH(k)      ((k)->length)
  38 #define KRB5_KEY_DATA(k)        ((k)->contents)
  39 #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
  40
  41 #ifndef HAVE_KRB5_SET_REAL_TIME
  42 /*
  43  * This function is not in the Heimdal mainline.
  44  */
  45  krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
  46 {
  47         krb5_error_code ret;
  48         int32_t sec, usec;
  49
  50         ret = krb5_us_timeofday(context, &sec, &usec);
  51         if (ret)
  52                 return ret;
  53
  54         context->kdc_sec_offset = seconds - sec;
  55         context->kdc_usec_offset = microseconds - usec;
  56
  57         return 0;
  58 }
  59 #endif
  60
  61 #if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
  62  krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
  63 {
  64         return krb5_set_default_in_tkt_etypes(ctx, enc);
  65 }
  66 #endif
  67
  68 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
  69 /* HEIMDAL */
  70  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  71 {
  72         pkaddr->addr_type = KRB5_ADDRESS_INET;
  73         pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  74         pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
  75 }
  76 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
  77 /* MIT */
  78  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  79 {
  80         pkaddr->addrtype = ADDRTYPE_INET;
  81         pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  82         pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
  83 }
  84 #else
  85 #error UNKNOWN_ADDRTYPE
  86 #endif
  87
  88 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
  89  int create_kerberos_key_from_string_direct(krb5_context context,
  90                                         krb5_principal host_princ,
  91                                         krb5_data *password,
  92                                         krb5_keyblock *key,
  93                                         krb5_enctype enctype)
  94 {
  95         int ret;
  96         krb5_data salt;
  97         krb5_encrypt_block eblock;
  98
  99         ret = krb5_principal2salt(context, host_princ, &salt);
 100         if (ret) {
 101                 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
 102                 return ret;
 103         }
 104         krb5_use_enctype(context, &eblock, enctype);
 105         ret = krb5_string_to_key(context, &eblock, key, password, &salt);
 106         SAFE_FREE(salt.data);
 107         return ret;
 108 }
 109 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
 110  int create_kerberos_key_from_string_direct(krb5_context context,
 111                                         krb5_principal host_princ,
 112                                         krb5_data *password,
 113                                         krb5_keyblock *key,
 114                                         krb5_enctype enctype)
 115 {
 116         int ret;
 117         krb5_salt salt;
 118
 119         ret = krb5_get_pw_salt(context, host_princ, &salt);
 120         if (ret) {
 121                 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
 122                 return ret;
 123         }
 124
 125         ret = krb5_string_to_key_salt(context, enctype, password->data, salt, key);
 126         krb5_free_salt(context, salt);
 127         return ret;
 128 }
 129 #else
 130 #error UNKNOWN_CREATE_KEY_FUNCTIONS
 131 #endif
 132
 133  int create_kerberos_key_from_string(krb5_context context,
 134                                         krb5_principal host_princ,
 135                                         krb5_data *password,
 136                                         krb5_keyblock *key,
 137                                         krb5_enctype enctype)
 138 {
 139         krb5_principal salt_princ = NULL;
 140         int ret;
 141         /*
 142          * Check if we've determined that the KDC is salting keys for this
 143          * principal/enctype in a non-obvious way.  If it is, try to match
 144          * its behavior.
 145          */
 146         salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
 147         ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
 148         if (salt_princ) {
 149                 krb5_free_principal(context, salt_princ);
 150         }
 151         return ret;
 152 }
 153
 154 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
 155  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 156                                             krb5_enctype **enctypes)
 157 {
 158         return krb5_get_permitted_enctypes(context, enctypes);
 159 }
 160 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
 161  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 162                                             krb5_enctype **enctypes)
 163 {
 164         return krb5_get_default_in_tkt_etypes(context, enctypes);
 165 }
 166 #else
 167 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
 168 #endif
 169
 170  void free_kerberos_etypes(krb5_context context,
 171                            krb5_enctype *enctypes)
 172 {
 173 #if defined(HAVE_KRB5_FREE_KTYPES)
 174         krb5_free_ktypes(context, enctypes);
 175         return;
 176 #else
 177         SAFE_FREE(enctypes);
 178         return;
 179 #endif
 180 }
 181
 182 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
 183  krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
 184                                         krb5_auth_context auth_context,
 185                                         krb5_keyblock *keyblock)
 186 {
 187         return krb5_auth_con_setkey(context, auth_context, keyblock);
 188 }
 189 #endif
 190
 191 BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
 192 {
 193         DATA_BLOB pac_contents;
 194         ASN1_DATA data;
 195         int data_type;
 196
 197         if (!auth_data->length) {
 198                 return False;
 199         }
 200
 201         asn1_load(&data, *auth_data);
 202         asn1_start_tag(&data, ASN1_SEQUENCE(0));
 203         asn1_start_tag(&data, ASN1_SEQUENCE(0));
 204         asn1_start_tag(&data, ASN1_CONTEXT(0));
 205         asn1_read_Integer(&data, &data_type);
 206
 207         if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) {
 208                 DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type));
 209                 asn1_free(&data);
 210                 return False;
 211         }
 212
 213         asn1_end_tag(&data);
 214         asn1_start_tag(&data, ASN1_CONTEXT(1));
 215         asn1_read_OctetString(&data, &pac_contents);
 216         asn1_end_tag(&data);
 217         asn1_end_tag(&data);
 218         asn1_end_tag(&data);
 219         asn1_free(&data);
 220
 221         *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length);
 222
 223         data_blob_free(&pac_contents);
 224
 225         return True;
 226 }
 227
 228  BOOL get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt)
 229 {
 230         DATA_BLOB auth_data_wrapped;
 231         BOOL got_auth_data_pac = False;
 232         int i;
 233
 234 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 235         if (tkt->enc_part2 && tkt->enc_part2->authorization_data &&
 236             tkt->enc_part2->authorization_data[0] &&
 237             tkt->enc_part2->authorization_data[0]->length)
 238         {
 239                 for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) {
 240
 241                         if (tkt->enc_part2->authorization_data[i]->ad_type !=
 242                             KRB5_AUTHDATA_IF_RELEVANT) {
 243                                 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
 244                                         tkt->enc_part2->authorization_data[i]->ad_type));
 245                                 continue;
 246                         }
 247
 248                         auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents,
 249                                                       tkt->enc_part2->authorization_data[i]->length);
 250
 251                         /* check if it is a PAC */
 252                         got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
 253                         data_blob_free(&auth_data_wrapped);
 254
 255                         if (!got_auth_data_pac) {
 256                                 continue;
 257                         }
 258                 }
 259
 260                 return got_auth_data_pac;
 261         }
 262
 263 #else
 264         if (tkt->ticket.authorization_data &&
 265             tkt->ticket.authorization_data->len)
 266         {
 267                 for (i = 0; i < tkt->ticket.authorization_data->len; i++) {
 268
 269                         if (tkt->ticket.authorization_data->val[i].ad_type !=
 270                             KRB5_AUTHDATA_IF_RELEVANT) {
 271                                 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
 272                                         tkt->ticket.authorization_data->val[i].ad_type));
 273                                 continue;
 274                         }
 275
 276                         auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data,
 277                                                       tkt->ticket.authorization_data->val[i].ad_data.length);
 278
 279                         /* check if it is a PAC */
 280                         got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
 281                         data_blob_free(&auth_data_wrapped);
 282
 283                         if (!got_auth_data_pac) {
 284                                 continue;
 285                         }
 286                 }
 287
 288                 return got_auth_data_pac;
 289         }
 290 #endif
 291         return False;
 292 }
 293
 294  krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
 295 {
 296 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 297         return tkt->enc_part2->client;
 298 #else
 299         return tkt->client;
 300 #endif
 301 }
 302
 303 #if !defined(HAVE_KRB5_LOCATE_KDC)
 304  krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
 305 {
 306         krb5_krbhst_handle hnd;
 307         krb5_krbhst_info *hinfo;
 308         krb5_error_code rc;
 309         int num_kdcs, i;
 310         struct sockaddr *sa;
 311         struct addrinfo *ai;
 312
 313         *addr_pp = NULL;
 314         *naddrs = 0;
 315
 316         rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
 317         if (rc) {
 318                 DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
 319                 return rc;
 320         }
 321
 322         for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
 323                 ;
 324
 325         krb5_krbhst_reset(ctx, hnd);
 326
 327         if (!num_kdcs) {
 328                 DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n"));
 329                 krb5_krbhst_free(ctx, hnd);
 330                 return -1;
 331         }
 332
 333         sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
 334         if (!sa) {
 335                 DEBUG(0, ("krb5_locate_kdc: malloc failed\n"));
 336                 krb5_krbhst_free(ctx, hnd);
 337                 naddrs = 0;
 338                 return -1;
 339         }
 340
 341         memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
 342
 343         for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
 344
 345 #if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
 346                 rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
 347                 if (rc) {
 348                         DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
 349                         continue;
 350                 }
 351 #endif
 352                 if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
 353                         memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
 354         }
 355
 356         krb5_krbhst_free(ctx, hnd);
 357
 358         *naddrs = num_kdcs;
 359         *addr_pp = sa;
 360         return 0;
 361 }
 362 #endif
 363
 364 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
 365  void krb5_free_unparsed_name(krb5_context context, char *val)
 366 {
 367         SAFE_FREE(val);
 368 }
 369 #endif
 370
 371  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
 372 {
 373 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
 374         if (pdata->data) {
 375                 krb5_free_data_contents(context, pdata);
 376         }
 377 #else
 378         SAFE_FREE(pdata->data);
 379 #endif
 380 }
 381
 382  void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 383 {
 384 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
 385         KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
 386 #elif defined(HAVE_KRB5_SESSION_IN_CREDS)
 387         KRB5_KEY_TYPE((&pcreds->session)) = enctype;
 388 #else
 389 #error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
 390 #endif
 391 }
 392
 393  BOOL kerberos_compatible_enctypes(krb5_context context,
 394                                   krb5_enctype enctype1,
 395                                   krb5_enctype enctype2)
 396 {
 397 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
 398         krb5_boolean similar = 0;
 399
 400         krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
 401         return similar ? True : False;
 402 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
 403         return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
 404 #endif
 405 }
 406
 407 static BOOL ads_cleanup_expired_creds(krb5_context context,
 408                                       krb5_ccache  ccache,
 409                                       krb5_creds  *credsp)
 410 {
 411         krb5_error_code retval;
 412
 413         DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
 414                   krb5_cc_default_name(context),
 415                   http_timestring(credsp->times.endtime)));
 416
 417         /* we will probably need new tickets if the current ones
 418            will expire within 10 seconds.
 419         */
 420         if (credsp->times.endtime >= (time(NULL) + 10))
 421                 return False;
 422
 423         /* heimdal won't remove creds from a file ccache, and
 424            perhaps we shouldn't anyway, since internally we
 425            use memory ccaches, and a FILE one probably means that
 426            we're using creds obtained outside of our exectuable
 427         */
 428         if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) {
 429                 DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n"));
 430                 return False;
 431         }
 432
 433         retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
 434         if (retval) {
 435                 DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
 436                           error_message(retval)));
 437                 /* If we have an error in this, we want to display it,
 438                    but continue as though we deleted it */
 439         }
 440         return True;
 441 }
 442
 443 /*
 444   we can't use krb5_mk_req because w2k wants the service to be in a particular format
 445 */
 446 static krb5_error_code ads_krb5_mk_req(krb5_context context,
 447                                        krb5_auth_context *auth_context,
 448                                        const krb5_flags ap_req_options,
 449                                        const char *principal,
 450                                        krb5_ccache ccache,
 451                                        krb5_data *outbuf)
 452 {
 453         krb5_error_code           retval;
 454         krb5_principal    server;
 455         krb5_creds              * credsp;
 456         krb5_creds                creds;
 457         krb5_data in_data;
 458         BOOL creds_ready = False;
 459         int i = 0, maxtries = 3;
 460
 461         retval = krb5_parse_name(context, principal, &server);
 462         if (retval) {
 463                 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
 464                 return retval;
 465         }
 466
 467         /* obtain ticket & session key */
 468         ZERO_STRUCT(creds);
 469         if ((retval = krb5_copy_principal(context, server, &creds.server))) {
 470                 DEBUG(1,("krb5_copy_principal failed (%s)\n",
 471                          error_message(retval)));
 472                 goto cleanup_princ;
 473         }
 474
 475         if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
 476                 /* This can commonly fail on smbd startup with no ticket in the cache.
 477                  * Report at higher level than 1. */
 478                 DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
 479                          error_message(retval)));
 480                 goto cleanup_creds;
 481         }
 482
 483         while (!creds_ready && (i < maxtries)) {
 484                 if ((retval = krb5_get_credentials(context, 0, ccache,
 485                                                    &creds, &credsp))) {
 486                         DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
 487                                  principal, error_message(retval)));
 488                         goto cleanup_creds;
 489                 }
 490
 491                 /* cope with ticket being in the future due to clock skew */
 492                 if ((unsigned)credsp->times.starttime > time(NULL)) {
 493                         time_t t = time(NULL);
 494                         int time_offset =(int)((unsigned)credsp->times.starttime-t);
 495                         DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 496                         krb5_set_real_time(context, t + time_offset + 1, 0);
 497                 }
 498
 499                 if (!ads_cleanup_expired_creds(context, ccache, credsp))
 500                         creds_ready = True;
 501
 502                 i++;
 503         }
 504
 505         DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n",
 506                   principal, krb5_cc_default_name(context),
 507                   http_timestring((unsigned)credsp->times.endtime),
 508                   (unsigned)credsp->times.endtime));
 509
 510         in_data.length = 0;
 511         retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
 512                                       &in_data, credsp, outbuf);
 513         if (retval) {
 514                 DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
 515                          error_message(retval)));
 516         }
 517
 518         krb5_free_creds(context, credsp);
 519
 520 cleanup_creds:
 521         krb5_free_cred_contents(context, &creds);
 522
 523 cleanup_princ:
 524         krb5_free_principal(context, server);
 525
 526         return retval;
 527 }
 528
 529 /*
 530   get a kerberos5 ticket for the given service
 531 */
 532 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 533                         DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts)
 534 {
 535         krb5_error_code retval;
 536         krb5_data packet;
 537         krb5_context context = NULL;
 538         krb5_ccache ccdef = NULL;
 539         krb5_auth_context auth_context = NULL;
 540         krb5_enctype enc_types[] = {
 541 #ifdef ENCTYPE_ARCFOUR_HMAC
 542                 ENCTYPE_ARCFOUR_HMAC,
 543 #endif
 544                 ENCTYPE_DES_CBC_MD5,
 545                 ENCTYPE_DES_CBC_CRC,
 546                 ENCTYPE_NULL};
 547
 548         initialize_krb5_error_table();
 549         retval = krb5_init_context(&context);
 550         if (retval) {
 551                 DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n",
 552                          error_message(retval)));
 553                 goto failed;
 554         }
 555
 556         if (time_offset != 0) {
 557                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
 558         }
 559
 560         if ((retval = krb5_cc_default(context, &ccdef))) {
 561                 DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
 562                          error_message(retval)));
 563                 goto failed;
 564         }
 565
 566         if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
 567                 DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
 568                          error_message(retval)));
 569                 goto failed;
 570         }
 571
 572         if ((retval = ads_krb5_mk_req(context,
 573                                         &auth_context,
 574                                         AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
 575                                         principal,
 576                                         ccdef, &packet))) {
 577                 goto failed;
 578         }
 579
 580         get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
 581
 582         *ticket = data_blob(packet.data, packet.length);
 583
 584         kerberos_free_data_contents(context, &packet);
 585
 586 failed:
 587
 588         if ( context ) {
 589                 if (ccdef)
 590                         krb5_cc_close(context, ccdef);
 591                 if (auth_context)
 592                         krb5_auth_con_free(context, auth_context);
 593                 krb5_free_context(context);
 594         }
 595
 596         return retval;
 597 }
 598
 599  BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
 600  {
 601         krb5_keyblock *skey;
 602         krb5_error_code err;
 603         BOOL ret = False;
 604
 605         if (remote)
 606                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
 607         else
 608                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
 609         if (err == 0 && skey != NULL) {
 610                 DEBUG(10, ("Got KRB5 session key of length %d\n",  KRB5_KEY_LENGTH(skey)));
 611                 *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
 612                 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
 613
 614                 ret = True;
 615
 616                 krb5_free_keyblock(context, skey);
 617         } else {
 618                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
 619         }
 620
 621         return ret;
 622  }
 623
 624
 625 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
 626  const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
 627
 628  const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
 629 {
 630         static krb5_data kdata;
 631
 632         kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i);
 633         kdata.length = strlen(kdata.data);
 634         return &kdata;
 635 }
 636 #endif
 637
 638  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
 639 {
 640 #if defined(HAVE_KRB5_KT_FREE_ENTRY)
 641         return krb5_kt_free_entry(context, kt_entry);
 642 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
 643         return krb5_free_keytab_entry_contents(context, kt_entry);
 644 #else
 645 #error UNKNOWN_KT_FREE_FUNCTION
 646 #endif
 647 }
 648
 649  void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
 650                                     PAC_SIGNATURE_DATA *sig)
 651 {
 652 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
 653         cksum->cksumtype        = (krb5_cksumtype)sig->type;
 654         cksum->checksum.length  = sig->signature.buf_len;
 655         cksum->checksum.data    = sig->signature.buffer;
 656 #else
 657         cksum->checksum_type    = (krb5_cksumtype)sig->type;
 658         cksum->length           = sig->signature.buf_len;
 659         cksum->contents         = sig->signature.buffer;
 660 #endif
 661 }
 662
 663  krb5_error_code smb_krb5_verify_checksum(krb5_context context,
 664                                          krb5_keyblock *keyblock,
 665                                          krb5_keyusage usage,
 666                                          krb5_checksum *cksum,
 667                                          uint8 *data,
 668                                          size_t length)
 669 {
 670         krb5_error_code ret;
 671
 672         /* verify the checksum */
 673
 674         /* welcome to the wonderful world of samba's kerberos abstraction layer:
 675          *
 676          * function                     heimdal 0.6.1rc3        heimdal 0.7     MIT krb 1.4.2
 677          * -----------------------------------------------------------------------------
 678          * krb5_c_verify_checksum       -                       works           works
 679          * krb5_verify_checksum         works (6 args)          works (6 args)  broken (7 args)
 680          */
 681
 682 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
 683         {
 684                 krb5_boolean checksum_valid = False;
 685                 krb5_data input;
 686
 687                 input.data = (char *)data;
 688                 input.length = length;
 689
 690                 ret = krb5_c_verify_checksum(context,
 691                                              keyblock,
 692                                              usage,
 693                                              &input,
 694                                              cksum,
 695                                              &checksum_valid);
 696                 if (ret) {
 697                         DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n",
 698                                 error_message(ret)));
 699                         return ret;
 700                 }
 701
 702                 if (!checksum_valid)
 703                         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 704         }
 705
 706 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
 707
 708         /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
 709          * without enctype and it ignores any key_usage types - Guenther */
 710
 711         {
 712
 713                 krb5_crypto crypto;
 714                 ret = krb5_crypto_init(context,
 715                                        keyblock,
 716                                        0,
 717                                        &crypto);
 718                 if (ret) {
 719                         DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
 720                                 error_message(ret)));
 721                         return ret;
 722                 }
 723
 724                 ret = krb5_verify_checksum(context,
 725                                            crypto,
 726                                            usage,
 727                                            data,
 728                                            length,
 729                                            cksum);
 730
 731                 krb5_crypto_destroy(context, crypto);
 732         }
 733
 734 #else
 735 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
 736 #endif
 737
 738         return ret;
 739 }
 740
 741  time_t get_authtime_from_tkt(krb5_ticket *tkt)
 742 {
 743 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 744         return tkt->enc_part2->times.authtime;
 745 #else
 746         return tkt->ticket.authtime;
 747 #endif
 748 }
 749
 750 static int get_kvno_from_ap_req(krb5_ap_req *ap_req)
 751 {
 752 #ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */
 753         if (ap_req->ticket->enc_part.kvno)
 754                 return ap_req->ticket->enc_part.kvno;
 755 #else /* Heimdal */
 756         if (ap_req->ticket.enc_part.kvno)
 757                 return *ap_req->ticket.enc_part.kvno;
 758 #endif
 759         return 0;
 760 }
 761
 762 static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req)
 763 {
 764 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
 765         return ap_req->ticket.enc_part.etype;
 766 #else /* MIT */
 767         return ap_req->ticket->enc_part.enctype;
 768 #endif
 769 }
 770
 771 static krb5_error_code
 772 get_key_from_keytab(krb5_context context,
 773                     krb5_const_principal server,
 774                     krb5_enctype enctype,
 775                     krb5_kvno kvno,
 776                     krb5_keyblock **out_key)
 777 {
 778         krb5_keytab_entry entry;
 779         krb5_error_code ret;
 780         krb5_keytab keytab;
 781         char *name = NULL;
 782
 783         /* We have to open a new keytab handle here, as MIT does
 784            an implicit open/getnext/close on krb5_kt_get_entry. We
 785            may be in the middle of a keytab enumeration when this is
 786            called. JRA. */
 787
 788         ret = krb5_kt_default(context, &keytab);
 789         if (ret) {
 790                 DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret)));
 791                 return ret;
 792         }
 793
 794         if ( DEBUGLEVEL >= 10 ) {
 795                 krb5_unparse_name(context, server, &name);
 796                 DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n",
 797                         kvno, enctype, name));
 798                 krb5_free_unparsed_name(context, name);
 799         }
 800
 801         ret = krb5_kt_get_entry(context,
 802                                 keytab,
 803                                 server,
 804                                 kvno,
 805                                 enctype,
 806                                 &entry);
 807
 808         if (ret) {
 809                 DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret)));
 810                 goto out;
 811         }
 812
 813 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
 814         ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
 815 #elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
 816         ret = krb5_copy_keyblock(context, &entry.key, out_key);
 817 #else
 818 #error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
 819 #endif
 820
 821         if (ret) {
 822                 DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
 823                 goto out;
 824         }
 825
 826         smb_krb5_kt_free_entry(context, &entry);
 827
 828 out:
 829         krb5_kt_close(context, keytab);
 830         return ret;
 831 }
 832
 833  void smb_krb5_free_ap_req(krb5_context context,
 834                           krb5_ap_req *ap_req)
 835 {
 836 #ifdef HAVE_KRB5_FREE_AP_REQ /* MIT */
 837         krb5_free_ap_req(context, ap_req);
 838 #elif defined(HAVE_FREE_AP_REQ) /* Heimdal */
 839         free_AP_REQ(ap_req);
 840 #else
 841 #error UNKNOWN_KRB5_AP_REQ_FREE_FUNCTION
 842 #endif
 843 }
 844
 845 /* Prototypes */
 846 #if defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */
 847 krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep);
 848 #endif
 849
 850  krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
 851                                                  const krb5_data *inbuf,
 852                                                  krb5_kvno *kvno,
 853                                                  krb5_enctype *enctype)
 854 {
 855         krb5_error_code ret;
 856 #ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
 857         {
 858                 krb5_ap_req ap_req;
 859
 860                 ret = krb5_decode_ap_req(context, inbuf, &ap_req);
 861                 if (ret)
 862                         return ret;
 863
 864                 *kvno = get_kvno_from_ap_req(&ap_req);
 865                 *enctype = get_enctype_from_ap_req(&ap_req);
 866
 867                 smb_krb5_free_ap_req(context, &ap_req);
 868         }
 869 #elif defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */
 870         {
 871                 krb5_ap_req *ap_req = NULL;
 872
 873                 ret = decode_krb5_ap_req(inbuf, &ap_req);
 874                 if (ret)
 875                         return ret;
 876
 877                 *kvno = get_kvno_from_ap_req(ap_req);
 878                 *enctype = get_enctype_from_ap_req(ap_req);
 879
 880                 smb_krb5_free_ap_req(context, ap_req);
 881         }
 882 #else
 883 #error UNKOWN_KRB5_AP_REQ_DECODING_FUNCTION
 884 #endif
 885         return ret;
 886 }
 887
 888  krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
 889                                                         krb5_auth_context *auth_context,
 890                                                         const krb5_data *inbuf,
 891                                                         krb5_const_principal server,
 892                                                         krb5_keytab keytab,
 893                                                         krb5_flags *ap_req_options,
 894                                                         krb5_ticket **ticket,
 895                                                         krb5_keyblock **keyblock)
 896 {
 897         krb5_error_code ret;
 898         krb5_ap_req *ap_req = NULL;
 899         krb5_kvno kvno;
 900         krb5_enctype enctype;
 901         krb5_keyblock *local_keyblock;
 902
 903         ret = krb5_rd_req(context,
 904                           auth_context,
 905                           inbuf,
 906                           server,
 907                           keytab,
 908                           ap_req_options,
 909                           ticket);
 910         if (ret) {
 911                 return ret;
 912         }
 913
 914         ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype);
 915         if (ret) {
 916                 return ret;
 917         }
 918
 919         ret = get_key_from_keytab(context,
 920                                   server,
 921                                   enctype,
 922                                   kvno,
 923                                   &local_keyblock);
 924         if (ret) {
 925                 DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n"));
 926                 goto out;
 927         }
 928
 929 out:
 930         if (ap_req) {
 931                 smb_krb5_free_ap_req(context, ap_req);
 932         }
 933
 934         if (ret && local_keyblock != NULL) {
 935                 krb5_free_keyblock(context, local_keyblock);
 936         } else {
 937                 *keyblock = local_keyblock;
 938         }
 939
 940         return ret;
 941 }
 942
 943  krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
 944                                             const char *name,
 945                                             krb5_principal *principal)
 946 {
 947 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
 948         return krb5_parse_name_norealm(context, name, principal);
 949 #endif
 950
 951         /* we are cheating here because parse_name will in fact set the realm.
 952          * We don't care as the only caller of smb_krb5_parse_name_norealm
 953          * ignores the realm anyway when calling
 954          * smb_krb5_principal_compare_any_realm later - Guenther */
 955
 956         return krb5_parse_name(context, name, principal);
 957 }
 958
 959  BOOL smb_krb5_principal_compare_any_realm(krb5_context context,
 960                                           krb5_const_principal princ1,
 961                                           krb5_const_principal princ2)
 962 {
 963 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
 964
 965         return krb5_principal_compare_any_realm(context, princ1, princ2);
 966
 967 /* krb5_princ_size is a macro in MIT */
 968 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
 969
 970         int i, len1, len2;
 971         const krb5_data *p1, *p2;
 972
 973         len1 = krb5_princ_size(context, princ1);
 974         len2 = krb5_princ_size(context, princ2);
 975
 976         if (len1 != len2)
 977                 return False;
 978
 979         for (i = 0; i < len1; i++) {
 980
 981                 p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
 982                 p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
 983
 984                 if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
 985                         return False;
 986         }
 987
 988         return True;
 989 #else
 990 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
 991 #endif
 992 }
 993
 994 #else /* HAVE_KRB5 */
 995  /* this saves a few linking headaches */
 996  int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 997                         DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts)
 998 {
 999          DEBUG(0,("NO KERBEROS SUPPORT\n"));
1000          return 1;
1001 }
1002
1003 #endif