source/libsmb/clikrb5.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    simple kerberos5 routines for active directory
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Luke Howard 2002-2003
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7    Copyright (C) Guenther Deschner 2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
  25 #define KRB5_DEPRECATED 1       /* this file uses DEPRECATED interfaces! */
  26
  27 #include "includes.h"
  28
  29 #ifdef HAVE_KRB5
  30
  31 #ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE
  32 #define KRB5_KEY_TYPE(k)        ((k)->keytype)
  33 #define KRB5_KEY_LENGTH(k)      ((k)->keyvalue.length)
  34 #define KRB5_KEY_DATA(k)        ((k)->keyvalue.data)
  35 #else
  36 #define KRB5_KEY_TYPE(k)        ((k)->enctype)
  37 #define KRB5_KEY_LENGTH(k)      ((k)->length)
  38 #define KRB5_KEY_DATA(k)        ((k)->contents)
  39 #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
  40
  41 #ifndef HAVE_KRB5_SET_REAL_TIME
  42 /*
  43  * This function is not in the Heimdal mainline.
  44  */
  45  krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
  46 {
  47         krb5_error_code ret;
  48         int32_t sec, usec;
  49
  50         ret = krb5_us_timeofday(context, &sec, &usec);
  51         if (ret)
  52                 return ret;
  53
  54         context->kdc_sec_offset = seconds - sec;
  55         context->kdc_usec_offset = microseconds - usec;
  56
  57         return 0;
  58 }
  59 #endif
  60
  61 #if defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES) && !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
  62  krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
  63 {
  64         return krb5_set_default_in_tkt_etypes(ctx, enc);
  65 }
  66 #endif
  67
  68 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
  69 /* HEIMDAL */
  70  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  71 {
  72         pkaddr->addr_type = KRB5_ADDRESS_INET;
  73         pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  74         pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
  75 }
  76 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
  77 /* MIT */
  78  void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr)
  79 {
  80         pkaddr->addrtype = ADDRTYPE_INET;
  81         pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
  82         pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
  83 }
  84 #else
  85 #error UNKNOWN_ADDRTYPE
  86 #endif
  87
  88 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
  89  int create_kerberos_key_from_string_direct(krb5_context context,
  90                                         krb5_principal host_princ,
  91                                         krb5_data *password,
  92                                         krb5_keyblock *key,
  93                                         krb5_enctype enctype)
  94 {
  95         int ret;
  96         krb5_data salt;
  97         krb5_encrypt_block eblock;
  98
  99         ret = krb5_principal2salt(context, host_princ, &salt);
 100         if (ret) {
 101                 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
 102                 return ret;
 103         }
 104         krb5_use_enctype(context, &eblock, enctype);
 105         ret = krb5_string_to_key(context, &eblock, key, password, &salt);
 106         SAFE_FREE(salt.data);
 107         return ret;
 108 }
 109 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
 110  int create_kerberos_key_from_string_direct(krb5_context context,
 111                                         krb5_principal host_princ,
 112                                         krb5_data *password,
 113                                         krb5_keyblock *key,
 114                                         krb5_enctype enctype)
 115 {
 116         int ret;
 117         krb5_salt salt;
 118
 119         ret = krb5_get_pw_salt(context, host_princ, &salt);
 120         if (ret) {
 121                 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
 122                 return ret;
 123         }
 124
 125         ret = krb5_string_to_key_salt(context, enctype, password->data, salt, key);
 126         krb5_free_salt(context, salt);
 127         return ret;
 128 }
 129 #else
 130 #error UNKNOWN_CREATE_KEY_FUNCTIONS
 131 #endif
 132
 133  int create_kerberos_key_from_string(krb5_context context,
 134                                         krb5_principal host_princ,
 135                                         krb5_data *password,
 136                                         krb5_keyblock *key,
 137                                         krb5_enctype enctype)
 138 {
 139         krb5_principal salt_princ = NULL;
 140         int ret;
 141         /*
 142          * Check if we've determined that the KDC is salting keys for this
 143          * principal/enctype in a non-obvious way.  If it is, try to match
 144          * its behavior.
 145          */
 146         salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
 147         ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
 148         if (salt_princ) {
 149                 krb5_free_principal(context, salt_princ);
 150         }
 151         return ret;
 152 }
 153
 154 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
 155  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 156                                             krb5_enctype **enctypes)
 157 {
 158         return krb5_get_permitted_enctypes(context, enctypes);
 159 }
 160 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
 161  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 162                                             krb5_enctype **enctypes)
 163 {
 164         return krb5_get_default_in_tkt_etypes(context, enctypes);
 165 }
 166 #else
 167 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
 168 #endif
 169
 170  void free_kerberos_etypes(krb5_context context,
 171                            krb5_enctype *enctypes)
 172 {
 173 #if defined(HAVE_KRB5_FREE_KTYPES)
 174         krb5_free_ktypes(context, enctypes);
 175         return;
 176 #else
 177         SAFE_FREE(enctypes);
 178         return;
 179 #endif
 180 }
 181
 182 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
 183  krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
 184                                         krb5_auth_context auth_context,
 185                                         krb5_keyblock *keyblock)
 186 {
 187         return krb5_auth_con_setkey(context, auth_context, keyblock);
 188 }
 189 #endif
 190
 191 BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
 192 {
 193         DATA_BLOB pac_contents;
 194         ASN1_DATA data;
 195         int data_type;
 196
 197         if (!auth_data->length) {
 198                 return False;
 199         }
 200
 201         asn1_load(&data, *auth_data);
 202         asn1_start_tag(&data, ASN1_SEQUENCE(0));
 203         asn1_start_tag(&data, ASN1_SEQUENCE(0));
 204         asn1_start_tag(&data, ASN1_CONTEXT(0));
 205         asn1_read_Integer(&data, &data_type);
 206
 207         if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) {
 208                 DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type));
 209                 asn1_free(&data);
 210                 return False;
 211         }
 212
 213         asn1_end_tag(&data);
 214         asn1_start_tag(&data, ASN1_CONTEXT(1));
 215         asn1_read_OctetString(&data, &pac_contents);
 216         asn1_end_tag(&data);
 217         asn1_end_tag(&data);
 218         asn1_end_tag(&data);
 219         asn1_free(&data);
 220
 221         *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length);
 222
 223         data_blob_free(&pac_contents);
 224
 225         return True;
 226 }
 227
 228  BOOL get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt)
 229 {
 230         DATA_BLOB auth_data_wrapped;
 231         BOOL got_auth_data_pac = False;
 232         int i;
 233
 234 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 235         if (tkt->enc_part2 && tkt->enc_part2->authorization_data &&
 236             tkt->enc_part2->authorization_data[0] &&
 237             tkt->enc_part2->authorization_data[0]->length)
 238         {
 239                 for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) {
 240
 241                         if (tkt->enc_part2->authorization_data[i]->ad_type !=
 242                             KRB5_AUTHDATA_IF_RELEVANT) {
 243                                 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
 244                                         tkt->enc_part2->authorization_data[i]->ad_type));
 245                                 continue;
 246                         }
 247
 248                         auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents,
 249                                                       tkt->enc_part2->authorization_data[i]->length);
 250
 251                         /* check if it is a PAC */
 252                         got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
 253                         data_blob_free(&auth_data_wrapped);
 254
 255                         if (!got_auth_data_pac) {
 256                                 continue;
 257                         }
 258                 }
 259
 260                 return got_auth_data_pac;
 261         }
 262
 263 #else
 264         if (tkt->ticket.authorization_data &&
 265             tkt->ticket.authorization_data->len)
 266         {
 267                 for (i = 0; i < tkt->ticket.authorization_data->len; i++) {
 268
 269                         if (tkt->ticket.authorization_data->val[i].ad_type !=
 270                             KRB5_AUTHDATA_IF_RELEVANT) {
 271                                 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n",
 272                                         tkt->ticket.authorization_data->val[i].ad_type));
 273                                 continue;
 274                         }
 275
 276                         auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data,
 277                                                       tkt->ticket.authorization_data->val[i].ad_data.length);
 278
 279                         /* check if it is a PAC */
 280                         got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
 281                         data_blob_free(&auth_data_wrapped);
 282
 283                         if (!got_auth_data_pac) {
 284                                 continue;
 285                         }
 286                 }
 287
 288                 return got_auth_data_pac;
 289         }
 290 #endif
 291         return False;
 292 }
 293
 294  krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
 295 {
 296 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 297         return tkt->enc_part2->client;
 298 #else
 299         return tkt->client;
 300 #endif
 301 }
 302
 303 #if !defined(HAVE_KRB5_LOCATE_KDC)
 304  krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
 305 {
 306         krb5_krbhst_handle hnd;
 307         krb5_krbhst_info *hinfo;
 308         krb5_error_code rc;
 309         int num_kdcs, i;
 310         struct sockaddr *sa;
 311         struct addrinfo *ai;
 312
 313         *addr_pp = NULL;
 314         *naddrs = 0;
 315
 316         rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
 317         if (rc) {
 318                 DEBUG(0, ("krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
 319                 return rc;
 320         }
 321
 322         for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
 323                 ;
 324
 325         krb5_krbhst_reset(ctx, hnd);
 326
 327         if (!num_kdcs) {
 328                 DEBUG(0, ("krb5_locate_kdc: zero kdcs found !\n"));
 329                 krb5_krbhst_free(ctx, hnd);
 330                 return -1;
 331         }
 332
 333         sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
 334         if (!sa) {
 335                 DEBUG(0, ("krb5_locate_kdc: malloc failed\n"));
 336                 krb5_krbhst_free(ctx, hnd);
 337                 naddrs = 0;
 338                 return -1;
 339         }
 340
 341         memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
 342
 343         for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
 344
 345 #if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
 346                 rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
 347                 if (rc) {
 348                         DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
 349                         continue;
 350                 }
 351 #endif
 352                 if (hinfo->ai && hinfo->ai->ai_family == AF_INET)
 353                         memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
 354         }
 355
 356         krb5_krbhst_free(ctx, hnd);
 357
 358         *naddrs = num_kdcs;
 359         *addr_pp = sa;
 360         return 0;
 361 }
 362 #endif
 363
 364 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
 365  void krb5_free_unparsed_name(krb5_context context, char *val)
 366 {
 367         SAFE_FREE(val);
 368 }
 369 #endif
 370
 371  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
 372 {
 373 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
 374         if (pdata->data) {
 375                 krb5_free_data_contents(context, pdata);
 376         }
 377 #else
 378         SAFE_FREE(pdata->data);
 379 #endif
 380 }
 381
 382  void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 383 {
 384 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
 385         KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
 386 #elif defined(HAVE_KRB5_SESSION_IN_CREDS)
 387         KRB5_KEY_TYPE((&pcreds->session)) = enctype;
 388 #else
 389 #error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
 390 #endif
 391 }
 392
 393  BOOL kerberos_compatible_enctypes(krb5_context context,
 394                                   krb5_enctype enctype1,
 395                                   krb5_enctype enctype2)
 396 {
 397 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
 398         krb5_boolean similar = 0;
 399
 400         krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
 401         return similar ? True : False;
 402 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
 403         return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
 404 #endif
 405 }
 406
 407 static BOOL ads_cleanup_expired_creds(krb5_context context,
 408                                       krb5_ccache  ccache,
 409                                       krb5_creds  *credsp)
 410 {
 411         krb5_error_code retval;
 412
 413         DEBUG(3, ("Ticket in ccache[%s] expiration %s\n",
 414                   krb5_cc_default_name(context),
 415                   http_timestring(credsp->times.endtime)));
 416
 417         /* we will probably need new tickets if the current ones
 418            will expire within 10 seconds.
 419         */
 420         if (credsp->times.endtime >= (time(NULL) + 10))
 421                 return False;
 422
 423         /* heimdal won't remove creds from a file ccache, and
 424            perhaps we shouldn't anyway, since internally we
 425            use memory ccaches, and a FILE one probably means that
 426            we're using creds obtained outside of our exectuable
 427         */
 428         if (StrCaseCmp(krb5_cc_get_type(context, ccache), "FILE") == 0) {
 429                 DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a FILE ccache\n"));
 430                 return False;
 431         }
 432
 433         retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
 434         if (retval) {
 435                 DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
 436                           error_message(retval)));
 437                 /* If we have an error in this, we want to display it,
 438                    but continue as though we deleted it */
 439         }
 440         return True;
 441 }
 442
 443 /*
 444   we can't use krb5_mk_req because w2k wants the service to be in a particular format
 445 */
 446 static krb5_error_code ads_krb5_mk_req(krb5_context context,
 447                                        krb5_auth_context *auth_context,
 448                                        const krb5_flags ap_req_options,
 449                                        const char *principal,
 450                                        krb5_ccache ccache,
 451                                        krb5_data *outbuf)
 452 {
 453         krb5_error_code           retval;
 454         krb5_principal    server;
 455         krb5_creds              * credsp;
 456         krb5_creds                creds;
 457         krb5_data in_data;
 458         BOOL creds_ready = False;
 459
 460         retval = krb5_parse_name(context, principal, &server);
 461         if (retval) {
 462                 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
 463                 return retval;
 464         }
 465
 466         /* obtain ticket & session key */
 467         ZERO_STRUCT(creds);
 468         if ((retval = krb5_copy_principal(context, server, &creds.server))) {
 469                 DEBUG(1,("krb5_copy_principal failed (%s)\n",
 470                          error_message(retval)));
 471                 goto cleanup_princ;
 472         }
 473
 474         if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
 475                 /* This can commonly fail on smbd startup with no ticket in the cache.
 476                  * Report at higher level than 1. */
 477                 DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
 478                          error_message(retval)));
 479                 goto cleanup_creds;
 480         }
 481
 482         while(!creds_ready) {
 483                 if ((retval = krb5_get_credentials(context, 0, ccache,
 484                                                    &creds, &credsp))) {
 485                         DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
 486                                  principal, error_message(retval)));
 487                         goto cleanup_creds;
 488                 }
 489
 490                 /* cope with ticket being in the future due to clock skew */
 491                 if ((unsigned)credsp->times.starttime > time(NULL)) {
 492                         time_t t = time(NULL);
 493                         int time_offset =(int)((unsigned)credsp->times.starttime-t);
 494                         DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 495                         krb5_set_real_time(context, t + time_offset + 1, 0);
 496                 }
 497
 498                 if (!ads_cleanup_expired_creds(context, ccache, credsp))
 499                         creds_ready = True;
 500         }
 501
 502         DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s) is valid until: (%s - %u)\n",
 503                   principal, krb5_cc_default_name(context),
 504                   http_timestring((unsigned)credsp->times.endtime),
 505                   (unsigned)credsp->times.endtime));
 506
 507         in_data.length = 0;
 508         retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
 509                                       &in_data, credsp, outbuf);
 510         if (retval) {
 511                 DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
 512                          error_message(retval)));
 513         }
 514
 515         krb5_free_creds(context, credsp);
 516
 517 cleanup_creds:
 518         krb5_free_cred_contents(context, &creds);
 519
 520 cleanup_princ:
 521         krb5_free_principal(context, server);
 522
 523         return retval;
 524 }
 525
 526 /*
 527   get a kerberos5 ticket for the given service
 528 */
 529 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 530                         DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts)
 531 {
 532         krb5_error_code retval;
 533         krb5_data packet;
 534         krb5_context context = NULL;
 535         krb5_ccache ccdef = NULL;
 536         krb5_auth_context auth_context = NULL;
 537         krb5_enctype enc_types[] = {
 538 #ifdef ENCTYPE_ARCFOUR_HMAC
 539                 ENCTYPE_ARCFOUR_HMAC,
 540 #endif
 541                 ENCTYPE_DES_CBC_MD5,
 542                 ENCTYPE_DES_CBC_CRC,
 543                 ENCTYPE_NULL};
 544
 545         retval = krb5_init_context(&context);
 546         if (retval) {
 547                 DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n",
 548                          error_message(retval)));
 549                 goto failed;
 550         }
 551
 552         if (time_offset != 0) {
 553                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
 554         }
 555
 556         if ((retval = krb5_cc_default(context, &ccdef))) {
 557                 DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
 558                          error_message(retval)));
 559                 goto failed;
 560         }
 561
 562         if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
 563                 DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
 564                          error_message(retval)));
 565                 goto failed;
 566         }
 567
 568         if ((retval = ads_krb5_mk_req(context,
 569                                         &auth_context,
 570                                         AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
 571                                         principal,
 572                                         ccdef, &packet))) {
 573                 goto failed;
 574         }
 575
 576         get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
 577
 578         *ticket = data_blob(packet.data, packet.length);
 579
 580         kerberos_free_data_contents(context, &packet);
 581
 582 failed:
 583
 584         if ( context ) {
 585                 if (ccdef)
 586                         krb5_cc_close(context, ccdef);
 587                 if (auth_context)
 588                         krb5_auth_con_free(context, auth_context);
 589                 krb5_free_context(context);
 590         }
 591
 592         return retval;
 593 }
 594
 595  BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote)
 596  {
 597         krb5_keyblock *skey;
 598         krb5_error_code err;
 599         BOOL ret = False;
 600
 601         if (remote)
 602                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
 603         else
 604                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
 605         if (err == 0 && skey != NULL) {
 606                 DEBUG(10, ("Got KRB5 session key of length %d\n",  KRB5_KEY_LENGTH(skey)));
 607                 *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
 608                 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
 609
 610                 ret = True;
 611
 612                 krb5_free_keyblock(context, skey);
 613         } else {
 614                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
 615         }
 616
 617         return ret;
 618  }
 619
 620
 621 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
 622  const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
 623
 624  const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
 625 {
 626         static krb5_data kdata;
 627
 628         kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i);
 629         kdata.length = strlen(kdata.data);
 630         return &kdata;
 631 }
 632 #endif
 633
 634  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
 635 {
 636 #if defined(HAVE_KRB5_KT_FREE_ENTRY)
 637         return krb5_kt_free_entry(context, kt_entry);
 638 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
 639         return krb5_free_keytab_entry_contents(context, kt_entry);
 640 #else
 641 #error UNKNOWN_KT_FREE_FUNCTION
 642 #endif
 643 }
 644
 645 void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
 646                                     PAC_SIGNATURE_DATA *sig)
 647 {
 648 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
 649         cksum->cksumtype        = (krb5_cksumtype)sig->type;
 650         cksum->checksum.length  = sig->signature.buf_len;
 651         cksum->checksum.data    = sig->signature.buffer;
 652 #else
 653         cksum->checksum_type    = (krb5_cksumtype)sig->type;
 654         cksum->length           = sig->signature.buf_len;
 655         cksum->contents         = sig->signature.buffer;
 656 #endif
 657 }
 658
 659 krb5_error_code smb_krb5_verify_checksum(krb5_context context,
 660                                          krb5_keyblock *keyblock,
 661                                          krb5_keyusage usage,
 662                                          krb5_checksum *cksum,
 663                                          uint8 *data,
 664                                          size_t length)
 665 {
 666         krb5_error_code ret;
 667
 668         /* verify the checksum */
 669
 670         /* welcome to the wonderful world of samba's kerberos abstraction layer:
 671          *
 672          * function                     heimdal 0.6.1rc3        heimdal 0.7     MIT krb 1.4.2
 673          * -----------------------------------------------------------------------------
 674          * krb5_c_verify_checksum       -                       works           works
 675          * krb5_verify_checksum         works (6 args)          works (6 args)  broken (7 args)
 676          */
 677
 678 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
 679         {
 680                 krb5_boolean checksum_valid = False;
 681                 krb5_data input;
 682
 683                 input.data = (char *)data;
 684                 input.length = length;
 685
 686                 ret = krb5_c_verify_checksum(context,
 687                                              keyblock,
 688                                              usage,
 689                                              &input,
 690                                              cksum,
 691                                              &checksum_valid);
 692                 if (!checksum_valid)
 693                         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 694         }
 695
 696 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
 697
 698         /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
 699          * without enctype and it ignores any key_usage types - Guenther */
 700
 701         {
 702
 703                 krb5_crypto crypto;
 704                 ret = krb5_crypto_init(context,
 705                                        keyblock,
 706                                        0,
 707                                        &crypto);
 708                 if (ret) {
 709                         DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n",
 710                                 error_message(ret)));
 711                         return ret;
 712                 }
 713
 714                 ret = krb5_verify_checksum(context,
 715                                            crypto,
 716                                            usage,
 717                                            data,
 718                                            length,
 719                                            cksum);
 720
 721                 krb5_crypto_destroy(context, crypto);
 722         }
 723
 724 #else
 725 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
 726 #endif
 727
 728         return ret;
 729 }
 730
 731 time_t get_authtime_from_tkt(krb5_ticket *tkt)
 732 {
 733 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 734         return tkt->enc_part2->times.authtime;
 735 #else
 736         return tkt->ticket.authtime;
 737 #endif
 738 }
 739
 740 static int get_kvno_from_ap_req(krb5_ap_req *ap_req)
 741 {
 742 #ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */
 743         if (ap_req->ticket->enc_part.kvno)
 744                 return ap_req->ticket->enc_part.kvno;
 745 #else /* Heimdal */
 746         if (ap_req->ticket.enc_part.kvno)
 747                 return *ap_req->ticket.enc_part.kvno;
 748 #endif
 749         return 0;
 750 }
 751
 752 static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req)
 753 {
 754 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
 755         return ap_req->ticket.enc_part.etype;
 756 #else /* MIT */
 757         return ap_req->ticket->enc_part.enctype;
 758 #endif
 759 }
 760
 761 static krb5_error_code
 762 get_key_from_keytab(krb5_context context,
 763                     krb5_keytab keytab,
 764                     krb5_const_principal server,
 765                     krb5_enctype enctype,
 766                     krb5_kvno kvno,
 767                     krb5_keyblock **out_key)
 768 {
 769         krb5_keytab_entry entry;
 770         krb5_error_code ret;
 771         krb5_keytab real_keytab;
 772         char *name = NULL;
 773
 774         if (keytab == NULL) {
 775                 krb5_kt_default(context, &real_keytab);
 776         } else {
 777                 real_keytab = keytab;
 778         }
 779
 780         if ( DEBUGLEVEL >= 10 ) {
 781                 krb5_unparse_name(context, server, &name);
 782                 DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n",
 783                         kvno, enctype, name));
 784                 krb5_free_unparsed_name(context, name);
 785         }
 786
 787         ret = krb5_kt_get_entry(context,
 788                                 real_keytab,
 789                                 server,
 790                                 kvno,
 791                                 enctype,
 792                                 &entry);
 793
 794         if (ret) {
 795                 DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret)));
 796                 goto out;
 797         }
 798
 799 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
 800         ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
 801 #elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */
 802         ret = krb5_copy_keyblock(context, &entry.key, out_key);
 803 #else
 804 #error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT
 805 #endif
 806
 807         if (ret) {
 808                 DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
 809                 goto out;
 810         }
 811
 812         smb_krb5_kt_free_entry(context, &entry);
 813
 814 out:
 815         if (keytab == NULL) {
 816                 krb5_kt_close(context, real_keytab);
 817         }
 818
 819         return ret;
 820 }
 821
 822 void smb_krb5_free_ap_req(krb5_context context,
 823                           krb5_ap_req *ap_req)
 824 {
 825 #ifdef HAVE_KRB5_FREE_AP_REQ /* MIT */
 826         krb5_free_ap_req(context, ap_req);
 827 #elif defined(HAVE_FREE_AP_REQ) /* Heimdal */
 828         free_AP_REQ(ap_req);
 829 #else
 830 #error UNKNOWN_KRB5_AP_REQ_FREE_FUNCTION
 831 #endif
 832 }
 833
 834 /* Prototypes */
 835 #if defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */
 836 krb5_error_code decode_krb5_ap_req(const krb5_data *code, krb5_ap_req **rep);
 837 #endif
 838
 839 krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context,
 840                                                  const krb5_data *inbuf,
 841                                                  krb5_kvno *kvno,
 842                                                  krb5_enctype *enctype)
 843 {
 844         krb5_error_code ret;
 845 #ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
 846         {
 847                 krb5_ap_req ap_req;
 848
 849                 ret = krb5_decode_ap_req(context, inbuf, &ap_req);
 850                 if (ret)
 851                         return ret;
 852
 853                 *kvno = get_kvno_from_ap_req(&ap_req);
 854                 *enctype = get_enctype_from_ap_req(&ap_req);
 855
 856                 smb_krb5_free_ap_req(context, &ap_req);
 857         }
 858 #elif defined(HAVE_DECODE_KRB5_AP_REQ) /* MIT */
 859         {
 860                 krb5_ap_req *ap_req = NULL;
 861
 862                 ret = decode_krb5_ap_req(inbuf, &ap_req);
 863                 if (ret)
 864                         return ret;
 865
 866                 *kvno = get_kvno_from_ap_req(ap_req);
 867                 *enctype = get_enctype_from_ap_req(ap_req);
 868
 869                 smb_krb5_free_ap_req(context, ap_req);
 870         }
 871 #else
 872 #error UNKOWN_KRB5_AP_REQ_DECODING_FUNCTION
 873 #endif
 874         return ret;
 875 }
 876
 877 krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
 878                                                         krb5_auth_context *auth_context,
 879                                                         const krb5_data *inbuf,
 880                                                         krb5_const_principal server,
 881                                                         krb5_keytab keytab,
 882                                                         krb5_flags *ap_req_options,
 883                                                         krb5_ticket **ticket,
 884                                                         krb5_keyblock **keyblock)
 885 {
 886         krb5_error_code ret;
 887         krb5_ap_req *ap_req = NULL;
 888         krb5_kvno kvno;
 889         krb5_enctype enctype;
 890         krb5_keyblock *local_keyblock;
 891
 892         ret = krb5_rd_req(context,
 893                           auth_context,
 894                           inbuf,
 895                           server,
 896                           keytab,
 897                           ap_req_options,
 898                           ticket);
 899         if (ret) {
 900                 return ret;
 901         }
 902
 903         ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype);
 904         if (ret) {
 905                 return ret;
 906         }
 907
 908         ret = get_key_from_keytab(context,
 909                                   keytab,
 910                                   server,
 911                                   enctype,
 912                                   kvno,
 913                                   &local_keyblock);
 914         if (ret) {
 915                 DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n"));
 916                 goto out;
 917         }
 918
 919 out:
 920         if (ap_req) {
 921                 smb_krb5_free_ap_req(context, ap_req);
 922         }
 923
 924         if (ret && local_keyblock != NULL) {
 925                 krb5_free_keyblock(context, local_keyblock);
 926         } else {
 927                 *keyblock = local_keyblock;
 928         }
 929
 930         return ret;
 931 }
 932
 933 krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
 934                                             const char *name,
 935                                             krb5_principal *principal)
 936 {
 937 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
 938         return krb5_parse_name_norealm(context, name, principal);
 939 #endif
 940
 941         /* we are cheating here because parse_name will in fact set the realm.
 942          * We don't care as the only caller of smb_krb5_parse_name_norealm
 943          * ignores the realm anyway when calling
 944          * smb_krb5_principal_compare_any_realm later - Guenther */
 945
 946         return krb5_parse_name(context, name, principal);
 947 }
 948
 949 BOOL smb_krb5_principal_compare_any_realm(krb5_context context,
 950                                           krb5_const_principal princ1,
 951                                           krb5_const_principal princ2)
 952 {
 953 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
 954
 955         return krb5_principal_compare_any_realm(context, princ1, princ2);
 956
 957 /* krb5_princ_size is a macro in MIT */
 958 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
 959
 960         int i, len1, len2;
 961         const krb5_data *p1, *p2;
 962
 963         len1 = krb5_princ_size(context, princ1);
 964         len2 = krb5_princ_size(context, princ2);
 965
 966         if (len1 != len2)
 967                 return False;
 968
 969         for (i = 0; i < len1; i++) {
 970
 971                 p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
 972                 p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
 973
 974                 if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
 975                         return False;
 976         }
 977
 978         return True;
 979 #else
 980 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
 981 #endif
 982 }
 983
 984 #else /* HAVE_KRB5 */
 985  /* this saves a few linking headaches */
 986 int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 987                         DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts)
 988 {
 989          DEBUG(0,("NO KERBEROS SUPPORT\n"));
 990          return 1;
 991 }
 992
 993 #endif