2 Unix SMB/CIFS implementation.
4 Database Glue between Samba and the KDC
6 Copyright (C) Guenther Deschner <gd@samba.org> 2014
7 Copyright (C) Andreas Schneider <asn@samba.org> 2014
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/kerberos.h"
27 #include "lib/krb5_wrap/krb5_samba.h"
29 void sdb_free_entry(struct sdb_entry_ex *ent)
34 if (ent->free_entry) {
35 (*ent->free_entry)(ent);
38 for (i = 0; i < ent->entry.keys.len; i++) {
39 k = &ent->entry.keys.val[i];
42 * Passing NULL as the Kerberos context is intentional here, as
43 * both Heimdal and MIT libraries don't use the context when
44 * clearing the keyblocks.
46 krb5_free_keyblock_contents(NULL, &k->key);
49 free_sdb_entry(&ent->entry);
52 static void free_sdb_key(struct sdb_key *k)
62 /* keyblock not alloced */
65 smb_krb5_free_data_contents(NULL, &k->salt->salt);
71 void free_sdb_entry(struct sdb_entry *s)
76 * Passing NULL as the Kerberos context is intentional here, as both
77 * Heimdal and MIT libraries don't use the context when clearing the
80 krb5_free_principal(NULL, s->principal);
83 for (i=0; i < s->keys.len; i++) {
84 free_sdb_key(&s->keys.val[i]);
88 krb5_free_principal(NULL, s->created_by.principal);
90 krb5_free_principal(NULL, s->modified_by->principal);
92 SAFE_FREE(s->valid_start);
93 SAFE_FREE(s->valid_end);
99 struct SDBFlags int2SDBFlags(unsigned n)
101 struct SDBFlags flags;
103 memset(&flags, 0, sizeof(flags));
105 flags.initial = (n >> 0) & 1;
106 flags.forwardable = (n >> 1) & 1;
107 flags.proxiable = (n >> 2) & 1;
108 flags.renewable = (n >> 3) & 1;
109 flags.postdate = (n >> 4) & 1;
110 flags.server = (n >> 5) & 1;
111 flags.client = (n >> 6) & 1;
112 flags.invalid = (n >> 7) & 1;
113 flags.require_preauth = (n >> 8) & 1;
114 flags.change_pw = (n >> 9) & 1;
115 flags.require_hwauth = (n >> 10) & 1;
116 flags.ok_as_delegate = (n >> 11) & 1;
117 flags.user_to_user = (n >> 12) & 1;
118 flags.immutable = (n >> 13) & 1;
119 flags.trusted_for_delegation = (n >> 14) & 1;
120 flags.allow_kerberos4 = (n >> 15) & 1;
121 flags.allow_digest = (n >> 16) & 1;
122 flags.locked_out = (n >> 17) & 1;
123 flags.do_not_store = (n >> 31) & 1;
127 /* Set the etypes of an sdb_entry based on its available current keys. */
128 krb5_error_code sdb_entry_set_etypes(struct sdb_entry *s)
130 if (s->keys.val != NULL) {
133 s->etypes = malloc(sizeof(*s->etypes));
134 if (s->etypes == NULL) {
138 s->etypes->len = s->keys.len;
140 s->etypes->val = calloc(s->etypes->len, sizeof(*s->etypes->val));
141 if (s->etypes->val == NULL) {
145 for (i = 0; i < s->etypes->len; i++) {
146 const struct sdb_key *k = &s->keys.val[i];
148 s->etypes->val[i] = KRB5_KEY_TYPE(&(k->key));
156 * Set the session etypes of a server sdb_entry based on its etypes, forcing in
157 * strong etypes as desired.
159 krb5_error_code sdb_entry_set_session_etypes(struct sdb_entry *s,
160 bool add_strong_aes_etypes,
163 if (s->etypes != NULL) {
166 unsigned len = s->etypes->len;
168 s->session_etypes = malloc(sizeof(*s->session_etypes));
169 if (s->session_etypes == NULL) {
173 if (add_strong_aes_etypes) {
174 /* Reserve space for AES256 and AES128. */
179 /* Reserve space for RC4. */
183 /* session_etypes must be sorted in order of strength, with preferred etype first. */
185 s->session_etypes->val = calloc(len, sizeof(*s->session_etypes->val));
186 if (s->session_etypes->val == NULL) {
190 if (add_strong_aes_etypes) {
191 /* Add AES256 and AES128. */
192 s->session_etypes->val[j++] = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
193 s->session_etypes->val[j++] = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
198 s->session_etypes->val[j++] = ENCTYPE_ARCFOUR_HMAC;
201 for (i = 0; i < s->etypes->len; ++i) {
202 const krb5_enctype etype = s->etypes->val[i];
204 if (add_strong_aes_etypes &&
205 (etype == (krb5_enctype)ENCTYPE_AES256_CTS_HMAC_SHA1_96 ||
206 etype == (krb5_enctype)ENCTYPE_AES128_CTS_HMAC_SHA1_96))
209 * Skip AES256 and AES128, for we've
210 * already added them.
215 if (force_rc4 && etype == (krb5_enctype)ENCTYPE_ARCFOUR_HMAC) {
216 /* Skip RC4, for we've already added it. */
220 s->session_etypes->val[j++] = etype;
223 s->session_etypes->len = j;