root/source3/libsmb/clikrb5.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. smb_krb5_parse_name
  2. smb_krb5_parse_name_norealm_conv
  3. smb_krb5_unparse_name
  4. krb5_set_real_time
  5. krb5_set_default_tgs_ktypes
  6. krb5_set_default_tgs_ktypes
  7. setup_kaddr
  8. setup_kaddr
  9. create_kerberos_key_from_string_direct
  10. create_kerberos_key_from_string_direct
  11. create_kerberos_key_from_string
  12. get_kerberos_allowed_etypes
  13. get_kerberos_allowed_etypes
  14. krb5_auth_con_setuseruserkey
  15. unwrap_edata_ntstatus
  16. unwrap_pac
  17. get_auth_data_from_tkt
  18. get_principal_from_tkt
  19. smb_krb5_locate_kdc
  20. smb_krb5_locate_kdc
  21. smb_krb5_locate_kdc
  22. krb5_free_unparsed_name
  23. kerberos_free_data_contents
  24. kerberos_set_creds_enctype
  25. kerberos_compatible_enctypes
  26. ads_cleanup_expired_creds
  27. ads_krb5_mk_req
  28. cli_krb5_get_ticket
  29. get_krb5_smb_session_key
  30. krb5_princ_component
  31. smb_krb5_kt_free_entry
  32. smb_krb5_checksum_from_pac_sig
  33. smb_krb5_verify_checksum
  34. get_authtime_from_tkt
  35. get_kvno_from_ap_req
  36. get_enctype_from_ap_req
  37. get_key_from_keytab
  38. smb_krb5_get_keyinfo_from_ap_req
  39. krb5_rd_req_return_keyblock_from_keytab
  40. smb_krb5_parse_name_norealm
  41. smb_krb5_principal_compare_any_realm
  42. smb_krb5_renew_ticket
  43. smb_krb5_free_addresses
  44. smb_krb5_gen_netbios_krb5_address
  45. smb_krb5_free_error
  46. handle_krberror_packet
  47. smb_krb5_get_init_creds_opt_alloc
  48. smb_krb5_get_init_creds_opt_free
  49. smb_get_enctype_from_kt_entry
  50. smb_krb5_enctype_to_string
  51. smb_krb5_mk_error
  52. smb_krb5_open_keytab
  53. smb_krb5_keytab_name
  54. ads_krb5_get_fwd_ticket
  55. cli_krb5_get_ticket

   1 /* 
   2    Unix SMB/CIFS implementation.
   3    simple kerberos5 routines for active directory
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Luke Howard 2002-2003
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7    Copyright (C) Guenther Deschner 2005-2007
   8    
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13    
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18    
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22 
  23 #define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
  24 #define KRB5_DEPRECATED 1       /* this file uses DEPRECATED interfaces! */
  25 
  26 #include "includes.h"
  27 
  28 #ifdef HAVE_KRB5
  29 
  30 #define GSSAPI_CHECKSUM      0x8003             /* Checksum type value for Kerberos */
  31 #define GSSAPI_BNDLENGTH     16                 /* Bind Length (rfc-1964 pg.3) */
  32 #define GSSAPI_CHECKSUM_SIZE (12+GSSAPI_BNDLENGTH)
  33 
  34 #if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
  35 static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context,
  36                                          krb5_auth_context *auth_context,
  37                                          krb5_creds *credsp,
  38                                          krb5_ccache ccache,
  39                                          krb5_data *authenticator);
  40 #endif
  41 
  42 /**************************************************************
  43  Wrappers around kerberos string functions that convert from
  44  utf8 -> unix charset and vica versa.
  45 **************************************************************/
  46 
  47 /**************************************************************
  48  krb5_parse_name that takes a UNIX charset.
  49 **************************************************************/
  50 
  51  krb5_error_code smb_krb5_parse_name(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  52                                 const char *name, /* in unix charset */
  53                                 krb5_principal *principal)
  54 {
  55         krb5_error_code ret;
  56         char *utf8_name;
  57         size_t converted_size;
  58 
  59         if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
  60                 return ENOMEM;
  61         }
  62 
  63         ret = krb5_parse_name(context, utf8_name, principal);
  64         TALLOC_FREE(utf8_name);
  65         return ret;
  66 }
  67 
  68 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
  69 /**************************************************************
  70  krb5_parse_name_norealm that takes a UNIX charset.
  71 **************************************************************/
  72 
  73 static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  74                                 const char *name, /* in unix charset */
  75                                 krb5_principal *principal)
  76 {
  77         krb5_error_code ret;
  78         char *utf8_name;
  79         size_t converted_size;
  80 
  81         *principal = NULL;
  82         if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
  83                 return ENOMEM;
  84         }
  85 
  86         ret = krb5_parse_name_norealm(context, utf8_name, principal);
  87         TALLOC_FREE(utf8_name);
  88         return ret;
  89 }
  90 #endif
  91 
  92 /**************************************************************
  93  krb5_parse_name that returns a UNIX charset name. Must
  94  be freed with talloc_free() call.
  95 **************************************************************/
  96 
  97 krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
  98                                       krb5_context context,
  99                                       krb5_const_principal principal,
 100                                       char **unix_name)
 101 {
 102         krb5_error_code ret;
 103         char *utf8_name;
 104         size_t converted_size;
 105 
 106         *unix_name = NULL;
 107         ret = krb5_unparse_name(context, principal, &utf8_name);
 108         if (ret) {
 109                 return ret;
 110         }
 111 
 112         if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
 113                 krb5_free_unparsed_name(context, utf8_name);
 114                 return ENOMEM;
 115         }
 116         krb5_free_unparsed_name(context, utf8_name);
 117         return 0;
 118 }
 119 
 120 #ifndef HAVE_KRB5_SET_REAL_TIME
 121 /*
 122  * This function is not in the Heimdal mainline.
 123  */
 124  krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
     /* [<][>][^][v][top][bottom][index][help] */
 125 {
 126         krb5_error_code ret;
 127         int32_t sec, usec;
 128 
 129         ret = krb5_us_timeofday(context, &sec, &usec);
 130         if (ret)
 131                 return ret;
 132 
 133         context->kdc_sec_offset = seconds - sec;
 134         context->kdc_usec_offset = microseconds - usec;
 135 
 136         return 0;
 137 }
 138 #endif
 139 
 140 #if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
 141 
 142 #if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
 143 
 144 /* With MIT kerberos, we should use krb5_set_default_tgs_enctypes in preference
 145  * to krb5_set_default_tgs_ktypes. See
 146  *         http://lists.samba.org/archive/samba-technical/2006-July/048271.html
 147  *
 148  * If the MIT libraries are not exporting internal symbols, we will end up in
 149  * this branch, which is correct. Otherwise we will continue to use the
 150  * internal symbol
 151  */
 152  krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
     /* [<][>][^][v][top][bottom][index][help] */
 153 {
 154     return krb5_set_default_tgs_enctypes(ctx, enc);
 155 }
 156 
 157 #elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES)
 158 
 159 /* Heimdal */
 160  krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
     /* [<][>][^][v][top][bottom][index][help] */
 161 {
 162         return krb5_set_default_in_tkt_etypes(ctx, enc);
 163 }
 164 
 165 #endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */
 166 
 167 #endif /* HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */
 168 
 169 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
 170 /* HEIMDAL */
 171  bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr)
     /* [<][>][^][v][top][bottom][index][help] */
 172 {
 173         memset(pkaddr, '\0', sizeof(krb5_address));
 174 #if defined(HAVE_IPV6) && defined(KRB5_ADDRESS_INET6)
 175         if (paddr->ss_family == AF_INET6) {
 176                 pkaddr->addr_type = KRB5_ADDRESS_INET6;
 177                 pkaddr->address.length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr);
 178                 pkaddr->address.data = (char *)&(((struct sockaddr_in6 *)paddr)->sin6_addr);
 179                 return true;
 180         }
 181 #endif
 182         if (paddr->ss_family == AF_INET) {
 183                 pkaddr->addr_type = KRB5_ADDRESS_INET;
 184                 pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
 185                 pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
 186                 return true;
 187         }
 188         return false;
 189 }
 190 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
 191 /* MIT */
 192  bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr)
     /* [<][>][^][v][top][bottom][index][help] */
 193 {
 194         memset(pkaddr, '\0', sizeof(krb5_address));
 195 #if defined(HAVE_IPV6) && defined(ADDRTYPE_INET6)
 196         if (paddr->ss_family == AF_INET6) {
 197                 pkaddr->addrtype = ADDRTYPE_INET6;
 198                 pkaddr->length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr);
 199                 pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in6 *)paddr)->sin6_addr);
 200                 return true;
 201         }
 202 #endif
 203         if (paddr->ss_family == AF_INET) {
 204                 pkaddr->addrtype = ADDRTYPE_INET;
 205                 pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
 206                 pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
 207                 return true;
 208         }
 209         return false;
 210 }
 211 #else
 212 #error UNKNOWN_ADDRTYPE
 213 #endif
 214 
 215 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_USE_ENCTYPE) && defined(HAVE_KRB5_STRING_TO_KEY) && defined(HAVE_KRB5_ENCRYPT_BLOCK)
 216 static int create_kerberos_key_from_string_direct(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 217                                                   krb5_principal host_princ,
 218                                                   krb5_data *password,
 219                                                   krb5_keyblock *key,
 220                                                   krb5_enctype enctype)
 221 {
 222         int ret = 0;
 223         krb5_data salt;
 224         krb5_encrypt_block eblock;
 225 
 226         ret = krb5_principal2salt(context, host_princ, &salt);
 227         if (ret) {
 228                 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
 229                 return ret;
 230         }
 231         krb5_use_enctype(context, &eblock, enctype);
 232         ret = krb5_string_to_key(context, &eblock, key, password, &salt);
 233         SAFE_FREE(salt.data);
 234 
 235         return ret;
 236 }
 237 #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
 238 static int create_kerberos_key_from_string_direct(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 239                                                   krb5_principal host_princ,
 240                                                   krb5_data *password,
 241                                                   krb5_keyblock *key,
 242                                                   krb5_enctype enctype)
 243 {
 244         int ret;
 245         krb5_salt salt;
 246 
 247         ret = krb5_get_pw_salt(context, host_princ, &salt);
 248         if (ret) {
 249                 DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
 250                 return ret;
 251         }
 252 
 253         ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
 254         krb5_free_salt(context, salt);
 255 
 256         return ret;
 257 }
 258 #else
 259 #error UNKNOWN_CREATE_KEY_FUNCTIONS
 260 #endif
 261 
 262  int create_kerberos_key_from_string(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 263                                         krb5_principal host_princ,
 264                                         krb5_data *password,
 265                                         krb5_keyblock *key,
 266                                         krb5_enctype enctype,
 267                                         bool no_salt)
 268 {
 269         krb5_principal salt_princ = NULL;
 270         int ret;
 271         /*
 272          * Check if we've determined that the KDC is salting keys for this
 273          * principal/enctype in a non-obvious way.  If it is, try to match
 274          * its behavior.
 275          */
 276         if (no_salt) {
 277                 KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length);
 278                 if (!KRB5_KEY_DATA(key)) {
 279                         return ENOMEM;
 280                 }
 281                 memcpy(KRB5_KEY_DATA(key), password->data, password->length);
 282                 KRB5_KEY_LENGTH(key) = password->length;
 283                 KRB5_KEY_TYPE(key) = enctype;
 284                 return 0;
 285         }
 286         salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
 287         ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
 288         if (salt_princ) {
 289                 krb5_free_principal(context, salt_princ);
 290         }
 291         return ret;
 292 }
 293 
 294 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
 295  krb5_error_code get_kerberos_allowed_etypes(krb5_context context, 
     /* [<][>][^][v][top][bottom][index][help] */
 296                                             krb5_enctype **enctypes)
 297 {
 298         return krb5_get_permitted_enctypes(context, enctypes);
 299 }
 300 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
 301  krb5_error_code get_kerberos_allowed_etypes(krb5_context context, 
     /* [<][>][^][v][top][bottom][index][help] */
 302                                             krb5_enctype **enctypes)
 303 {
 304         return krb5_get_default_in_tkt_etypes(context, enctypes);
 305 }
 306 #else
 307 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
 308 #endif
 309 
 310 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
 311  krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 312                                         krb5_auth_context auth_context,
 313                                         krb5_keyblock *keyblock)
 314 {
 315         return krb5_auth_con_setkey(context, auth_context, keyblock);
 316 }
 317 #endif
 318 
 319 bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, 
     /* [<][>][^][v][top][bottom][index][help] */
 320                            DATA_BLOB *edata, 
 321                            DATA_BLOB *edata_out)
 322 {
 323         DATA_BLOB edata_contents;
 324         ASN1_DATA *data;
 325         int edata_type;
 326 
 327         if (!edata->length) {
 328                 return False;
 329         }
 330 
 331         data = asn1_init(mem_ctx);
 332         if (data == NULL) {
 333                 return false;
 334         }
 335 
 336         asn1_load(data, *edata);
 337         asn1_start_tag(data, ASN1_SEQUENCE(0));
 338         asn1_start_tag(data, ASN1_CONTEXT(1));
 339         asn1_read_Integer(data, &edata_type);
 340 
 341         if (edata_type != KRB5_PADATA_PW_SALT) {
 342                 DEBUG(0,("edata is not of required type %d but of type %d\n", 
 343                         KRB5_PADATA_PW_SALT, edata_type));
 344                 asn1_free(data);
 345                 return False;
 346         }
 347         
 348         asn1_start_tag(data, ASN1_CONTEXT(2));
 349         asn1_read_OctetString(data, NULL, &edata_contents);
 350         asn1_end_tag(data);
 351         asn1_end_tag(data);
 352         asn1_end_tag(data);
 353         asn1_free(data);
 354 
 355         *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
 356 
 357         data_blob_free(&edata_contents);
 358 
 359         return True;
 360 }
 361 
 362 
 363 bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data)
     /* [<][>][^][v][top][bottom][index][help] */
 364 {
 365         DATA_BLOB pac_contents;
 366         ASN1_DATA *data;
 367         int data_type;
 368 
 369         if (!auth_data->length) {
 370                 return False;
 371         }
 372 
 373         data = asn1_init(mem_ctx);
 374         if (data == NULL) {
 375                 return false;
 376         }
 377 
 378         asn1_load(data, *auth_data);
 379         asn1_start_tag(data, ASN1_SEQUENCE(0));
 380         asn1_start_tag(data, ASN1_SEQUENCE(0));
 381         asn1_start_tag(data, ASN1_CONTEXT(0));
 382         asn1_read_Integer(data, &data_type);
 383         
 384         if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) {
 385                 DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type));
 386                 asn1_free(data);
 387                 return False;
 388         }
 389         
 390         asn1_end_tag(data);
 391         asn1_start_tag(data, ASN1_CONTEXT(1));
 392         asn1_read_OctetString(data, NULL, &pac_contents);
 393         asn1_end_tag(data);
 394         asn1_end_tag(data);
 395         asn1_end_tag(data);
 396         asn1_free(data);
 397 
 398         *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length);
 399 
 400         data_blob_free(&pac_contents);
 401 
 402         return True;
 403 }
 404 
 405  bool get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt)
     /* [<][>][^][v][top][bottom][index][help] */
 406 {
 407         DATA_BLOB auth_data_wrapped;
 408         bool got_auth_data_pac = False;
 409         int i;
 410         
 411 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 412         if (tkt->enc_part2 && tkt->enc_part2->authorization_data && 
 413             tkt->enc_part2->authorization_data[0] && 
 414             tkt->enc_part2->authorization_data[0]->length)
 415         {
 416                 for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) {
 417                 
 418                         if (tkt->enc_part2->authorization_data[i]->ad_type != 
 419                             KRB5_AUTHDATA_IF_RELEVANT) {
 420                                 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n", 
 421                                         tkt->enc_part2->authorization_data[i]->ad_type));
 422                                 continue;
 423                         }
 424 
 425                         auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents,
 426                                                       tkt->enc_part2->authorization_data[i]->length);
 427 
 428                         /* check if it is a PAC */
 429                         got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
 430                         data_blob_free(&auth_data_wrapped);
 431 
 432                         if (got_auth_data_pac) {
 433                                 return true;
 434                         }
 435                 }
 436 
 437                 return got_auth_data_pac;
 438         }
 439                 
 440 #else
 441         if (tkt->ticket.authorization_data && 
 442             tkt->ticket.authorization_data->len)
 443         {
 444                 for (i = 0; i < tkt->ticket.authorization_data->len; i++) {
 445                         
 446                         if (tkt->ticket.authorization_data->val[i].ad_type != 
 447                             KRB5_AUTHDATA_IF_RELEVANT) {
 448                                 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n", 
 449                                         tkt->ticket.authorization_data->val[i].ad_type));
 450                                 continue;
 451                         }
 452 
 453                         auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data,
 454                                                       tkt->ticket.authorization_data->val[i].ad_data.length);
 455 
 456                         /* check if it is a PAC */
 457                         got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data);
 458                         data_blob_free(&auth_data_wrapped);
 459 
 460                         if (got_auth_data_pac) {
 461                                 return true;
 462                         }
 463                 }
 464 
 465                 return got_auth_data_pac;
 466         }
 467 #endif
 468         return False;
 469 }
 470 
 471  krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt)
     /* [<][>][^][v][top][bottom][index][help] */
 472 {
 473 #if defined(HAVE_KRB5_TKT_ENC_PART2)
 474         return tkt->enc_part2->client;
 475 #else
 476         return tkt->client;
 477 #endif
 478 }
 479 
 480 #if !defined(HAVE_KRB5_LOCATE_KDC)
 481 
 482 /* krb5_locate_kdc is an internal MIT symbol. MIT are not yet willing to commit
 483  * to a public interface for this functionality, so we have to be able to live
 484  * without it if the MIT libraries are hiding their internal symbols.
 485  */
 486 
 487 #if defined(KRB5_KRBHST_INIT)
 488 /* Heimdal */
 489  krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters)
     /* [<][>][^][v][top][bottom][index][help] */
 490 {
 491         krb5_krbhst_handle hnd;
 492         krb5_krbhst_info *hinfo;
 493         krb5_error_code rc;
 494         int num_kdcs, i;
 495         struct sockaddr *sa;
 496         struct addrinfo *ai;
 497 
 498         *addr_pp = NULL;
 499         *naddrs = 0;
 500 
 501         rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd);
 502         if (rc) {
 503                 DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc)));
 504                 return rc;
 505         }
 506 
 507         for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++)
 508                 ;
 509 
 510         krb5_krbhst_reset(ctx, hnd);
 511 
 512         if (!num_kdcs) {
 513                 DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n"));
 514                 krb5_krbhst_free(ctx, hnd);
 515                 return -1;
 516         }
 517 
 518         sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs );
 519         if (!sa) {
 520                 DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n"));
 521                 krb5_krbhst_free(ctx, hnd);
 522                 naddrs = 0;
 523                 return -1;
 524         }
 525 
 526         memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs );
 527 
 528         for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) {
 529 
 530 #if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO)
 531                 rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai);
 532                 if (rc) {
 533                         DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc)));
 534                         continue;
 535                 }
 536 #endif
 537                 if (hinfo->ai && hinfo->ai->ai_family == AF_INET) 
 538                         memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr));
 539         }
 540 
 541         krb5_krbhst_free(ctx, hnd);
 542 
 543         *naddrs = num_kdcs;
 544         *addr_pp = sa;
 545         return 0;
 546 }
 547 
 548 #else /* ! defined(KRB5_KRBHST_INIT) */
 549 
 550  krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
     /* [<][>][^][v][top][bottom][index][help] */
 551                 struct sockaddr **addr_pp, int *naddrs, int get_masters)
 552 {
 553         DEBUG(0, ("unable to explicitly locate the KDC on this platform\n"));
 554         return KRB5_KDC_UNREACH;
 555 }
 556 
 557 #endif /* KRB5_KRBHST_INIT */
 558 
 559 #else /* ! HAVE_KRB5_LOCATE_KDC */
 560 
 561  krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm,
     /* [<][>][^][v][top][bottom][index][help] */
 562                 struct sockaddr **addr_pp, int *naddrs, int get_masters)
 563 {
 564         return krb5_locate_kdc(ctx, realm, addr_pp, naddrs, get_masters);
 565 }
 566 
 567 #endif /* HAVE_KRB5_LOCATE_KDC */
 568 
 569 #if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
 570  void krb5_free_unparsed_name(krb5_context context, char *val)
     /* [<][>][^][v][top][bottom][index][help] */
 571 {
 572         SAFE_FREE(val);
 573 }
 574 #endif
 575 
 576  void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
     /* [<][>][^][v][top][bottom][index][help] */
 577 {
 578 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
 579         if (pdata->data) {
 580                 krb5_free_data_contents(context, pdata);
 581         }
 582 #else
 583         SAFE_FREE(pdata->data);
 584 #endif
 585 }
 586 
 587  void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
     /* [<][>][^][v][top][bottom][index][help] */
 588 {
 589 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
 590         KRB5_KEY_TYPE((&pcreds->keyblock)) = enctype;
 591 #elif defined(HAVE_KRB5_SESSION_IN_CREDS)
 592         KRB5_KEY_TYPE((&pcreds->session)) = enctype;
 593 #else
 594 #error UNKNOWN_KEYBLOCK_MEMBER_IN_KRB5_CREDS_STRUCT
 595 #endif
 596 }
 597 
 598  bool kerberos_compatible_enctypes(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 599                                   krb5_enctype enctype1,
 600                                   krb5_enctype enctype2)
 601 {
 602 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE)
 603         krb5_boolean similar = 0;
 604 
 605         krb5_c_enctype_compare(context, enctype1, enctype2, &similar);
 606         return similar ? True : False;
 607 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS)
 608         return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False;
 609 #endif
 610 }
 611 
 612 static bool ads_cleanup_expired_creds(krb5_context context, 
     /* [<][>][^][v][top][bottom][index][help] */
 613                                       krb5_ccache  ccache,
 614                                       krb5_creds  *credsp)
 615 {
 616         krb5_error_code retval;
 617         const char *cc_type = krb5_cc_get_type(context, ccache);
 618 
 619         DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n",
 620                   cc_type, krb5_cc_get_name(context, ccache),
 621                   http_timestring(talloc_tos(), credsp->times.endtime)));
 622 
 623         /* we will probably need new tickets if the current ones
 624            will expire within 10 seconds.
 625         */
 626         if (credsp->times.endtime >= (time(NULL) + 10))
 627                 return False;
 628 
 629         /* heimdal won't remove creds from a file ccache, and 
 630            perhaps we shouldn't anyway, since internally we 
 631            use memory ccaches, and a FILE one probably means that
 632            we're using creds obtained outside of our exectuable
 633         */
 634         if (strequal(cc_type, "FILE")) {
 635                 DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type));
 636                 return False;
 637         }
 638 
 639         retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
 640         if (retval) {
 641                 DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
 642                           error_message(retval)));
 643                 /* If we have an error in this, we want to display it,
 644                    but continue as though we deleted it */
 645         }
 646         return True;
 647 }
 648 
 649 /*
 650   we can't use krb5_mk_req because w2k wants the service to be in a particular format
 651 */
 652 static krb5_error_code ads_krb5_mk_req(krb5_context context, 
     /* [<][>][^][v][top][bottom][index][help] */
 653                                        krb5_auth_context *auth_context, 
 654                                        const krb5_flags ap_req_options,
 655                                        const char *principal,
 656                                        krb5_ccache ccache, 
 657                                        krb5_data *outbuf, 
 658                                        time_t *expire_time)
 659 {
 660         krb5_error_code           retval;
 661         krb5_principal    server;
 662         krb5_creds              * credsp;
 663         krb5_creds                creds;
 664         krb5_data in_data;
 665         bool creds_ready = False;
 666         int i = 0, maxtries = 3;
 667         
 668         ZERO_STRUCT(in_data);
 669 
 670         retval = smb_krb5_parse_name(context, principal, &server);
 671         if (retval) {
 672                 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
 673                 return retval;
 674         }
 675         
 676         /* obtain ticket & session key */
 677         ZERO_STRUCT(creds);
 678         if ((retval = krb5_copy_principal(context, server, &creds.server))) {
 679                 DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n", 
 680                          error_message(retval)));
 681                 goto cleanup_princ;
 682         }
 683         
 684         if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
 685                 /* This can commonly fail on smbd startup with no ticket in the cache.
 686                  * Report at higher level than 1. */
 687                 DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n", 
 688                          error_message(retval)));
 689                 goto cleanup_creds;
 690         }
 691 
 692         while (!creds_ready && (i < maxtries)) {
 693 
 694                 if ((retval = krb5_get_credentials(context, 0, ccache, 
 695                                                    &creds, &credsp))) {
 696                         DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n",
 697                                  principal, error_message(retval)));
 698                         goto cleanup_creds;
 699                 }
 700 
 701                 /* cope with ticket being in the future due to clock skew */
 702                 if ((unsigned)credsp->times.starttime > time(NULL)) {
 703                         time_t t = time(NULL);
 704                         int time_offset =(int)((unsigned)credsp->times.starttime-t);
 705                         DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 706                         krb5_set_real_time(context, t + time_offset + 1, 0);
 707                 }
 708 
 709                 if (!ads_cleanup_expired_creds(context, ccache, credsp)) {
 710                         creds_ready = True;
 711                 }
 712 
 713                 i++;
 714         }
 715 
 716         DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n",
 717                   principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache),
 718                   http_timestring(talloc_tos(), (unsigned)credsp->times.endtime), 
 719                   (unsigned)credsp->times.endtime));
 720 
 721         if (expire_time) {
 722                 *expire_time = (time_t)credsp->times.endtime;
 723         }
 724 
 725 #if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
 726         if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
 727                 /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
 728                  as part of the kerberos exchange. */
 729 
 730                 DEBUG( 3, ("ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT\n")  );
 731 
 732                 if( *auth_context == NULL ) {
 733                         /* Allocate if it has not yet been allocated. */
 734                         retval = krb5_auth_con_init( context, auth_context );
 735                         if (retval) {
 736                                 DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_init failed (%s)\n",
 737                                         error_message(retval)));
 738                                 goto cleanup_creds;
 739                         }
 740                 }
 741 
 742                 retval = krb5_auth_con_setuseruserkey( context, *auth_context, &credsp->keyblock );
 743                 if (retval) {
 744                         DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setuseruserkey failed (%s)\n",
 745                                 error_message(retval)));
 746                         goto cleanup_creds;
 747                 }
 748 
 749                 /* Must use a subkey for forwarded tickets. */
 750                 retval = krb5_auth_con_setflags( context, *auth_context, KRB5_AUTH_CONTEXT_USE_SUBKEY);
 751                 if (retval) {
 752                         DEBUG(1,("ads_krb5_mk_req: krb5_auth_con_setflags failed (%s)\n",
 753                                 error_message(retval)));
 754                         goto cleanup_creds;
 755                 }
 756 
 757                 retval = ads_krb5_get_fwd_ticket( context,
 758                                                 auth_context,
 759                                                 credsp,
 760                                                 ccache,
 761                                                 &in_data );
 762                 if (retval) {
 763                         DEBUG( 3, ("ads_krb5_get_fwd_ticket failed (%s)\n",
 764                                    error_message( retval ) ) );
 765 
 766                         /*
 767                          * This is not fatal. Delete the *auth_context and continue
 768                          * with krb5_mk_req_extended to get a non-forwardable ticket.
 769                          */
 770 
 771                         if (in_data.data) {
 772                                 free( in_data.data );
 773                                 in_data.data = NULL;
 774                                 in_data.length = 0;
 775                         }
 776                         krb5_auth_con_free(context, *auth_context);
 777                         *auth_context = NULL;
 778                 }
 779         }
 780 #endif
 781 
 782         retval = krb5_mk_req_extended(context, auth_context, ap_req_options, 
 783                                       &in_data, credsp, outbuf);
 784         if (retval) {
 785                 DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n", 
 786                          error_message(retval)));
 787         }
 788 
 789         if (in_data.data) {
 790                 free( in_data.data );
 791                 in_data.length = 0;
 792         }
 793 
 794         krb5_free_creds(context, credsp);
 795 
 796 cleanup_creds:
 797         krb5_free_cred_contents(context, &creds);
 798 
 799 cleanup_princ:
 800         krb5_free_principal(context, server);
 801 
 802         return retval;
 803 }
 804 
 805 /*
 806   get a kerberos5 ticket for the given service 
 807 */
 808 int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
     /* [<][>][^][v][top][bottom][index][help] */
 809                         DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, 
 810                         uint32 extra_ap_opts, const char *ccname, 
 811                         time_t *tgs_expire)
 812 
 813 {
 814         krb5_error_code retval;
 815         krb5_data packet;
 816         krb5_context context = NULL;
 817         krb5_ccache ccdef = NULL;
 818         krb5_auth_context auth_context = NULL;
 819         krb5_enctype enc_types[] = {
 820 #ifdef ENCTYPE_ARCFOUR_HMAC
 821                 ENCTYPE_ARCFOUR_HMAC,
 822 #endif 
 823                 ENCTYPE_DES_CBC_MD5, 
 824                 ENCTYPE_DES_CBC_CRC, 
 825                 ENCTYPE_NULL};
 826 
 827         initialize_krb5_error_table();
 828         retval = krb5_init_context(&context);
 829         if (retval) {
 830                 DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n", 
 831                          error_message(retval)));
 832                 goto failed;
 833         }
 834 
 835         if (time_offset != 0) {
 836                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
 837         }
 838 
 839         if ((retval = krb5_cc_resolve(context, ccname ?
 840                         ccname : krb5_cc_default_name(context), &ccdef))) {
 841                 DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n",
 842                          error_message(retval)));
 843                 goto failed;
 844         }
 845 
 846         if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
 847                 DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n",
 848                          error_message(retval)));
 849                 goto failed;
 850         }
 851 
 852         if ((retval = ads_krb5_mk_req(context, 
 853                                         &auth_context, 
 854                                         AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
 855                                         principal,
 856                                         ccdef, &packet,
 857                                         tgs_expire))) {
 858                 goto failed;
 859         }
 860 
 861         get_krb5_smb_session_key(context, auth_context, session_key_krb5, False);
 862 
 863         *ticket = data_blob(packet.data, packet.length);
 864 
 865         kerberos_free_data_contents(context, &packet); 
 866 
 867 failed:
 868 
 869         if ( context ) {
 870                 if (ccdef)
 871                         krb5_cc_close(context, ccdef);
 872                 if (auth_context)
 873                         krb5_auth_con_free(context, auth_context);
 874                 krb5_free_context(context);
 875         }
 876                 
 877         return retval;
 878 }
 879 
 880  bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote)
     /* [<][>][^][v][top][bottom][index][help] */
 881  {
 882         krb5_keyblock *skey = NULL;
 883         krb5_error_code err = 0;
 884         bool ret = false;
 885 
 886         if (remote) {
 887                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
 888         } else {
 889                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
 890         }
 891 
 892         if (err || skey == NULL) {
 893                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
 894                 goto done;
 895         }
 896 
 897         DEBUG(10, ("Got KRB5 session key of length %d\n",  (int)KRB5_KEY_LENGTH(skey)));
 898         *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
 899         dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
 900 
 901         ret = true;
 902 
 903  done:
 904         if (skey) {
 905                 krb5_free_keyblock(context, skey);
 906         }
 907 
 908         return ret;
 909  }
 910 
 911 
 912 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
 913  const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
 914 
 915  const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
     /* [<][>][^][v][top][bottom][index][help] */
 916 {
 917         static krb5_data kdata;
 918 
 919         kdata.data = (char *)krb5_principal_get_comp_string(context, principal, i);
 920         kdata.length = strlen((const char *)kdata.data);
 921         return &kdata;
 922 }
 923 #endif
 924 
 925  krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
     /* [<][>][^][v][top][bottom][index][help] */
 926 {
 927 #if defined(HAVE_KRB5_KT_FREE_ENTRY)
 928         return krb5_kt_free_entry(context, kt_entry);
 929 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
 930         return krb5_free_keytab_entry_contents(context, kt_entry);
 931 #else
 932 #error UNKNOWN_KT_FREE_FUNCTION
 933 #endif
 934 }
 935 
 936  void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
     /* [<][>][^][v][top][bottom][index][help] */
 937                                      struct PAC_SIGNATURE_DATA *sig)
 938 {
 939 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
 940         cksum->cksumtype        = (krb5_cksumtype)sig->type;
 941         cksum->checksum.length  = sig->signature.length;
 942         cksum->checksum.data    = sig->signature.data;
 943 #else
 944         cksum->checksum_type    = (krb5_cksumtype)sig->type;
 945         cksum->length           = sig->signature.length;
 946         cksum->contents         = sig->signature.data;
 947 #endif
 948 }
 949 
 950  krb5_error_code smb_krb5_verify_checksum(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 951                                           const krb5_keyblock *keyblock,
 952                                          krb5_keyusage usage,
 953                                          krb5_checksum *cksum,
 954                                          uint8 *data,
 955                                          size_t length)
 956 {
 957         krb5_error_code ret;
 958 
 959         /* verify the checksum */
 960 
 961         /* welcome to the wonderful world of samba's kerberos abstraction layer:
 962          * 
 963          * function                     heimdal 0.6.1rc3        heimdal 0.7     MIT krb 1.4.2
 964          * -----------------------------------------------------------------------------
 965          * krb5_c_verify_checksum       -                       works           works
 966          * krb5_verify_checksum         works (6 args)          works (6 args)  broken (7 args) 
 967          */
 968 
 969 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
 970         {
 971                 krb5_boolean checksum_valid = False;
 972                 krb5_data input;
 973 
 974                 input.data = (char *)data;
 975                 input.length = length;
 976 
 977                 ret = krb5_c_verify_checksum(context, 
 978                                              keyblock, 
 979                                              usage,
 980                                              &input, 
 981                                              cksum,
 982                                              &checksum_valid);
 983                 if (ret) {
 984                         DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
 985                                 error_message(ret)));
 986                         return ret;
 987                 }
 988 
 989                 if (!checksum_valid)
 990                         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
 991         }
 992 
 993 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
 994 
 995         /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
 996          * without enctype and it ignores any key_usage types - Guenther */
 997 
 998         {
 999 
1000                 krb5_crypto crypto;
1001                 ret = krb5_crypto_init(context,
1002                                        keyblock,
1003                                        0,
1004                                        &crypto);
1005                 if (ret) {
1006                         DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n", 
1007                                 error_message(ret)));
1008                         return ret;
1009                 }
1010 
1011                 ret = krb5_verify_checksum(context,
1012                                            crypto,
1013                                            usage,
1014                                            data,
1015                                            length,
1016                                            cksum);
1017 
1018                 krb5_crypto_destroy(context, crypto);
1019         }
1020 
1021 #else
1022 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
1023 #endif
1024 
1025         return ret;
1026 }
1027 
1028  time_t get_authtime_from_tkt(krb5_ticket *tkt)
     /* [<][>][^][v][top][bottom][index][help] */
1029 {
1030 #if defined(HAVE_KRB5_TKT_ENC_PART2)
1031         return tkt->enc_part2->times.authtime;
1032 #else
1033         return tkt->ticket.authtime;
1034 #endif
1035 }
1036 
1037 #ifdef HAVE_KRB5_DECODE_AP_REQ  /* Heimdal */
1038 static int get_kvno_from_ap_req(krb5_ap_req *ap_req)
     /* [<][>][^][v][top][bottom][index][help] */
1039 {
1040 #ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */
1041         if (ap_req->ticket->enc_part.kvno)
1042                 return ap_req->ticket->enc_part.kvno;
1043 #else /* Heimdal */
1044         if (ap_req->ticket.enc_part.kvno) 
1045                 return *ap_req->ticket.enc_part.kvno;
1046 #endif
1047         return 0;
1048 }
1049 
1050 static krb5_enctype get_enctype_from_ap_req(krb5_ap_req *ap_req)
     /* [<][>][^][v][top][bottom][index][help] */
1051 {
1052 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
1053         return ap_req->ticket.enc_part.etype;
1054 #else /* MIT */
1055         return ap_req->ticket->enc_part.enctype;
1056 #endif
1057 }
1058 #endif  /* HAVE_KRB5_DECODE_AP_REQ */
1059 
1060 static krb5_error_code
1061 get_key_from_keytab(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1062                     krb5_const_principal server,
1063                     krb5_enctype enctype,
1064                     krb5_kvno kvno,
1065                     krb5_keyblock **out_key)
1066 {
1067         krb5_keytab_entry entry;
1068         krb5_error_code ret;
1069         krb5_keytab keytab;
1070         char *name = NULL;
1071         krb5_keyblock *keyp;
1072 
1073         /* We have to open a new keytab handle here, as MIT does
1074            an implicit open/getnext/close on krb5_kt_get_entry. We
1075            may be in the middle of a keytab enumeration when this is
1076            called. JRA. */
1077 
1078         ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
1079         if (ret) {
1080                 DEBUG(1,("get_key_from_keytab: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
1081                 return ret;
1082         }
1083 
1084         if ( DEBUGLEVEL >= 10 ) {
1085                 if (smb_krb5_unparse_name(talloc_tos(), context, server, &name) == 0) {
1086                         DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n", 
1087                                 kvno, enctype, name));
1088                         TALLOC_FREE(name);
1089                 }
1090         }
1091 
1092         ret = krb5_kt_get_entry(context,
1093                                 keytab,
1094                                 server,
1095                                 kvno,
1096                                 enctype,
1097                                 &entry);
1098 
1099         if (ret) {
1100                 DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret)));
1101                 goto out;
1102         }
1103 
1104         keyp = KRB5_KT_KEY(&entry);
1105 
1106         ret = krb5_copy_keyblock(context, keyp, out_key);
1107         if (ret) {
1108                 DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret)));
1109                 goto out;
1110         }
1111                 
1112         smb_krb5_kt_free_entry(context, &entry);
1113         
1114 out:    
1115         krb5_kt_close(context, keytab);
1116         return ret;
1117 }
1118 
1119 /* Prototypes */
1120 
1121  krb5_error_code smb_krb5_get_keyinfo_from_ap_req(krb5_context context, 
     /* [<][>][^][v][top][bottom][index][help] */
1122                                                  const krb5_data *inbuf, 
1123                                                  krb5_kvno *kvno, 
1124                                                  krb5_enctype *enctype)
1125 {
1126 #ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */
1127         {
1128                 krb5_error_code ret;
1129                 krb5_ap_req ap_req;
1130                 
1131                 ret = krb5_decode_ap_req(context, inbuf, &ap_req);
1132                 if (ret)
1133                         return ret;
1134 
1135                 *kvno = get_kvno_from_ap_req(&ap_req);
1136                 *enctype = get_enctype_from_ap_req(&ap_req);
1137 
1138                 free_AP_REQ(&ap_req);
1139                 return 0;
1140         }
1141 #endif
1142 
1143         /* Possibly not an appropriate error code. */
1144         return KRB5KDC_ERR_BADOPTION;
1145 }
1146 
1147  krb5_error_code krb5_rd_req_return_keyblock_from_keytab(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1148                                                         krb5_auth_context *auth_context,
1149                                                         const krb5_data *inbuf,
1150                                                         krb5_const_principal server,
1151                                                         krb5_keytab keytab,
1152                                                         krb5_flags *ap_req_options,
1153                                                         krb5_ticket **ticket, 
1154                                                         krb5_keyblock **keyblock)
1155 {
1156         krb5_error_code ret;
1157         krb5_kvno kvno;
1158         krb5_enctype enctype;
1159         krb5_keyblock *local_keyblock;
1160 
1161         ret = krb5_rd_req(context, 
1162                           auth_context, 
1163                           inbuf, 
1164                           server, 
1165                           keytab, 
1166                           ap_req_options, 
1167                           ticket);
1168         if (ret) {
1169                 return ret;
1170         }
1171         
1172 #ifdef KRB5_TICKET_HAS_KEYINFO
1173         enctype = (*ticket)->enc_part.enctype;
1174         kvno = (*ticket)->enc_part.kvno;
1175 #else
1176         ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype);
1177         if (ret) {
1178                 return ret;
1179         }
1180 #endif
1181 
1182         ret = get_key_from_keytab(context, 
1183                                   server,
1184                                   enctype,
1185                                   kvno,
1186                                   &local_keyblock);
1187         if (ret) {
1188                 DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n"));
1189                 goto out;
1190         }
1191 
1192 out:
1193         if (ret && local_keyblock != NULL) {
1194                 krb5_free_keyblock(context, local_keyblock);
1195         } else {
1196                 *keyblock = local_keyblock;
1197         }
1198 
1199         return ret;
1200 }
1201 
1202  krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, 
     /* [<][>][^][v][top][bottom][index][help] */
1203                                             const char *name, 
1204                                             krb5_principal *principal)
1205 {
1206 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM
1207         return smb_krb5_parse_name_norealm_conv(context, name, principal);
1208 #endif
1209 
1210         /* we are cheating here because parse_name will in fact set the realm.
1211          * We don't care as the only caller of smb_krb5_parse_name_norealm
1212          * ignores the realm anyway when calling
1213          * smb_krb5_principal_compare_any_realm later - Guenther */
1214 
1215         return smb_krb5_parse_name(context, name, principal);
1216 }
1217 
1218  bool smb_krb5_principal_compare_any_realm(krb5_context context, 
     /* [<][>][^][v][top][bottom][index][help] */
1219                                           krb5_const_principal princ1, 
1220                                           krb5_const_principal princ2)
1221 {
1222 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
1223 
1224         return krb5_principal_compare_any_realm(context, princ1, princ2);
1225 
1226 /* krb5_princ_size is a macro in MIT */
1227 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
1228 
1229         int i, len1, len2;
1230         const krb5_data *p1, *p2;
1231 
1232         len1 = krb5_princ_size(context, princ1);
1233         len2 = krb5_princ_size(context, princ2);
1234 
1235         if (len1 != len2)
1236                 return False;
1237 
1238         for (i = 0; i < len1; i++) {
1239 
1240                 p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
1241                 p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
1242 
1243                 if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length))
1244                         return False;
1245         }
1246 
1247         return True;
1248 #else
1249 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
1250 #endif
1251 }
1252 
1253  krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,       /* FILE:/tmp/krb5cc_0 */
     /* [<][>][^][v][top][bottom][index][help] */
1254                                        const char *client_string,       /* gd@BER.SUSE.DE */
1255                                        const char *service_string,      /* krbtgt/BER.SUSE.DE@BER.SUSE.DE */
1256                                        time_t *expire_time)
1257 {
1258         krb5_error_code ret;
1259         krb5_context context = NULL;
1260         krb5_ccache ccache = NULL;
1261         krb5_principal client = NULL;
1262         krb5_creds creds, creds_in, *creds_out = NULL;
1263 
1264         ZERO_STRUCT(creds);
1265         ZERO_STRUCT(creds_in);
1266 
1267         initialize_krb5_error_table();
1268         ret = krb5_init_context(&context);
1269         if (ret) {
1270                 goto done;
1271         }
1272 
1273         if (!ccache_string) {
1274                 ccache_string = krb5_cc_default_name(context);
1275         }
1276 
1277         if (!ccache_string) {
1278                 ret = EINVAL;
1279                 goto done;
1280         }
1281 
1282         DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
1283 
1284         /* FIXME: we should not fall back to defaults */
1285         ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache);
1286         if (ret) {
1287                 goto done;
1288         }
1289 
1290         if (client_string) {
1291                 ret = smb_krb5_parse_name(context, client_string, &client);
1292                 if (ret) {
1293                         goto done;
1294                 }
1295         } else {
1296                 ret = krb5_cc_get_principal(context, ccache, &client);
1297                 if (ret) {
1298                         goto done;
1299                 }
1300         }
1301 
1302 #ifdef HAVE_KRB5_GET_RENEWED_CREDS      /* MIT */
1303         {
1304                 ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string));
1305                 if (ret) {
1306                         DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
1307                         goto done;
1308                 }
1309         }
1310 #elif defined(HAVE_KRB5_GET_KDC_CRED)   /* Heimdal */
1311         {
1312                 krb5_kdc_flags flags;
1313                 krb5_realm *client_realm = NULL;
1314 
1315                 ret = krb5_copy_principal(context, client, &creds_in.client);
1316                 if (ret) {
1317                         goto done;
1318                 }
1319 
1320                 if (service_string) {
1321                         ret = smb_krb5_parse_name(context, service_string, &creds_in.server);
1322                         if (ret) { 
1323                                 goto done;
1324                         }
1325                 } else {
1326                         /* build tgt service by default */
1327                         client_realm = krb5_princ_realm(context, creds_in.client);
1328                         if (!client_realm) {
1329                                 ret = ENOMEM;
1330                                 goto done;
1331                         }
1332                         ret = krb5_make_principal(context, &creds_in.server, *client_realm, KRB5_TGS_NAME, *client_realm, NULL);
1333                         if (ret) {
1334                                 goto done;
1335                         }
1336                 }
1337 
1338                 flags.i = 0;
1339                 flags.b.renewable = flags.b.renew = True;
1340 
1341                 ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds_out);
1342                 if (ret) {
1343                         DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
1344                         goto done;
1345                 }
1346 
1347                 creds = *creds_out;
1348         }
1349 #else
1350 #error NO_SUITABLE_KRB5_TICKET_RENEW_FUNCTION_AVAILABLE
1351 #endif
1352 
1353         /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */
1354         ret = krb5_cc_initialize(context, ccache, client);
1355         if (ret) {
1356                 goto done;
1357         }
1358         
1359         ret = krb5_cc_store_cred(context, ccache, &creds);
1360 
1361         if (expire_time) {
1362                 *expire_time = (time_t) creds.times.endtime;
1363         }
1364 
1365 done:
1366         krb5_free_cred_contents(context, &creds_in);
1367 
1368         if (creds_out) {
1369                 krb5_free_creds(context, creds_out);
1370         } else {
1371                 krb5_free_cred_contents(context, &creds);
1372         }
1373 
1374         if (client) {
1375                 krb5_free_principal(context, client);
1376         }
1377         if (ccache) {
1378                 krb5_cc_close(context, ccache);
1379         }
1380         if (context) {
1381                 krb5_free_context(context);
1382         }
1383 
1384         return ret;
1385 }
1386 
1387  krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr)
     /* [<][>][^][v][top][bottom][index][help] */
1388 {
1389         krb5_error_code ret = 0;
1390         if (addr == NULL) {
1391                 return ret;
1392         }
1393 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1394         krb5_free_addresses(context, addr->addrs);
1395 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1396         ret = krb5_free_addresses(context, addr->addrs);
1397         SAFE_FREE(addr->addrs);
1398 #endif
1399         SAFE_FREE(addr);
1400         addr = NULL;
1401         return ret;
1402 }
1403 
1404  krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr)
     /* [<][>][^][v][top][bottom][index][help] */
1405 {
1406         krb5_error_code ret = 0;
1407         nstring buf;
1408 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1409         krb5_address **addrs = NULL;
1410 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1411         krb5_addresses *addrs = NULL;
1412 #endif
1413 
1414         *kerb_addr = (smb_krb5_addresses *)SMB_MALLOC(sizeof(smb_krb5_addresses));
1415         if (*kerb_addr == NULL) {
1416                 return ENOMEM;
1417         }
1418 
1419         put_name(buf, global_myname(), ' ', 0x20);
1420 
1421 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
1422         {
1423                 int num_addr = 2;
1424 
1425                 addrs = (krb5_address **)SMB_MALLOC(sizeof(krb5_address *) * num_addr);
1426                 if (addrs == NULL) {
1427                         SAFE_FREE(*kerb_addr);
1428                         return ENOMEM;
1429                 }
1430 
1431                 memset(addrs, 0, sizeof(krb5_address *) * num_addr);
1432 
1433                 addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
1434                 if (addrs[0] == NULL) {
1435                         SAFE_FREE(addrs);
1436                         SAFE_FREE(*kerb_addr);
1437                         return ENOMEM;
1438                 }
1439 
1440                 addrs[0]->magic = KV5M_ADDRESS;
1441                 addrs[0]->addrtype = KRB5_ADDR_NETBIOS;
1442                 addrs[0]->length = MAX_NETBIOSNAME_LEN;
1443                 addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length);
1444                 if (addrs[0]->contents == NULL) {
1445                         SAFE_FREE(addrs[0]);
1446                         SAFE_FREE(addrs);
1447                         SAFE_FREE(*kerb_addr);
1448                         return ENOMEM;
1449                 }
1450 
1451                 memcpy(addrs[0]->contents, buf, addrs[0]->length);
1452 
1453                 addrs[1] = NULL;
1454         }
1455 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
1456         {
1457                 addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses));
1458                 if (addrs == NULL) {
1459                         SAFE_FREE(*kerb_addr);
1460                         return ENOMEM;
1461                 }
1462 
1463                 memset(addrs, 0, sizeof(krb5_addresses));
1464 
1465                 addrs->len = 1;
1466                 addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
1467                 if (addrs->val == NULL) {
1468                         SAFE_FREE(addrs);
1469                         SAFE_FREE(kerb_addr);
1470                         return ENOMEM;
1471                 }
1472 
1473                 addrs->val[0].addr_type = KRB5_ADDR_NETBIOS;
1474                 addrs->val[0].address.length = MAX_NETBIOSNAME_LEN;
1475                 addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length);
1476                 if (addrs->val[0].address.data == NULL) {
1477                         SAFE_FREE(addrs->val);
1478                         SAFE_FREE(addrs);
1479                         SAFE_FREE(*kerb_addr);
1480                         return ENOMEM;
1481                 }
1482 
1483                 memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length);
1484         }
1485 #else
1486 #error UNKNOWN_KRB5_ADDRESS_FORMAT
1487 #endif
1488         (*kerb_addr)->addrs = addrs;
1489 
1490         return ret;
1491 }
1492 
1493  void smb_krb5_free_error(krb5_context context, krb5_error *krberror)
     /* [<][>][^][v][top][bottom][index][help] */
1494 {
1495 #ifdef HAVE_KRB5_FREE_ERROR_CONTENTS /* Heimdal */
1496         krb5_free_error_contents(context, krberror);
1497 #else /* MIT */
1498         krb5_free_error(context, krberror);
1499 #endif
1500 }
1501 
1502  krb5_error_code handle_krberror_packet(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1503                                         krb5_data *packet)
1504 {
1505         krb5_error_code ret;
1506         bool got_error_code = False;
1507 
1508         DEBUG(10,("handle_krberror_packet: got error packet\n"));
1509         
1510 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */
1511         {
1512                 krb5_error krberror;
1513 
1514                 if ((ret = krb5_rd_error(context, packet, &krberror))) {
1515                         DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n", 
1516                                 error_message(ret)));
1517                         return ret;
1518                 }
1519 
1520                 if (krberror.e_data == NULL || krberror.e_data->data == NULL) {
1521                         ret = (krb5_error_code) krberror.error_code;
1522                         got_error_code = True;
1523                 }
1524 
1525                 smb_krb5_free_error(context, &krberror);
1526         }
1527 #else /* MIT */
1528         {
1529                 krb5_error *krberror;
1530 
1531                 if ((ret = krb5_rd_error(context, packet, &krberror))) {
1532                         DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n", 
1533                                 error_message(ret)));
1534                         return ret;
1535                 }
1536 
1537                 if (krberror->e_data.data == NULL) {
1538                         ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
1539                         got_error_code = True;
1540                 }
1541                 smb_krb5_free_error(context, krberror);
1542         }
1543 #endif
1544         if (got_error_code) {
1545                 DEBUG(5,("handle_krberror_packet: got KERBERR from kpasswd: %s (%d)\n", 
1546                         error_message(ret), ret));
1547         }
1548         return ret;
1549 }
1550 
1551  krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1552                                             krb5_get_init_creds_opt **opt)
1553 {
1554 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
1555         /* Heimdal or modern MIT version */
1556         return krb5_get_init_creds_opt_alloc(context, opt);
1557 #else
1558         /* Historical MIT version */
1559         krb5_get_init_creds_opt *my_opt;
1560 
1561         *opt = NULL;
1562 
1563         if ((my_opt = SMB_MALLOC_P(krb5_get_init_creds_opt)) == NULL) {
1564                 return ENOMEM;
1565         }
1566 
1567         krb5_get_init_creds_opt_init(my_opt);
1568 
1569         *opt =  my_opt;
1570         return 0;
1571 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC  */
1572 }
1573 
1574  void smb_krb5_get_init_creds_opt_free(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1575                                 krb5_get_init_creds_opt *opt)
1576 {
1577 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE
1578 
1579 #ifdef KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT
1580         /* Modern MIT or Heimdal version */
1581         krb5_get_init_creds_opt_free(context, opt);
1582 #else
1583         /* Heimdal version */
1584         krb5_get_init_creds_opt_free(opt);
1585 #endif /* KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT */
1586 
1587 #else /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */
1588         /* Historical MIT version */
1589         SAFE_FREE(opt);
1590         opt = NULL;
1591 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */
1592 }
1593 
1594  krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry)
     /* [<][>][^][v][top][bottom][index][help] */
1595 {
1596         return KRB5_KEY_TYPE(KRB5_KT_KEY(kt_entry));
1597 }
1598 
1599 
1600 /* caller needs to free etype_s */
1601  krb5_error_code smb_krb5_enctype_to_string(krb5_context context, 
     /* [<][>][^][v][top][bottom][index][help] */
1602                                             krb5_enctype enctype, 
1603                                             char **etype_s)
1604 {
1605 #ifdef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG
1606         return krb5_enctype_to_string(context, enctype, etype_s); /* Heimdal */
1607 #elif defined(HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG)
1608         char buf[256];
1609         krb5_error_code ret = krb5_enctype_to_string(enctype, buf, 256); /* MIT */
1610         if (ret) {
1611                 return ret;
1612         }
1613         *etype_s = SMB_STRDUP(buf);
1614         if (!*etype_s) {
1615                 return ENOMEM;
1616         }
1617         return ret;
1618 #else
1619 #error UNKNOWN_KRB5_ENCTYPE_TO_STRING_FUNCTION
1620 #endif
1621 }
1622 
1623  krb5_error_code smb_krb5_mk_error(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1624                                 krb5_error_code error_code,
1625                                 const krb5_principal server,
1626                                 krb5_data *reply)
1627 {
1628 #ifdef HAVE_SHORT_KRB5_MK_ERROR_INTERFACE /* MIT */
1629         /*
1630          * The MIT interface is *terrible*.
1631          * We have to construct this ourselves...
1632          */
1633         krb5_error e;
1634 
1635         memset(&e, 0, sizeof(e));
1636         krb5_us_timeofday(context, &e.stime, &e.susec);
1637         e.server = server;
1638 #if defined(krb5_err_base)
1639         e.error = error_code - krb5_err_base;
1640 #elif defined(ERROR_TABLE_BASE_krb5)
1641         e.error = error_code - ERROR_TABLE_BASE_krb5;
1642 #else
1643         e.error = error_code; /* Almost certainly wrong, but what can we do... ? */
1644 #endif
1645 
1646         return krb5_mk_error(context, &e, reply);
1647 #else /* Heimdal. */
1648         return krb5_mk_error(context,
1649                                 error_code,
1650                                 NULL,
1651                                 NULL, /* e_data */
1652                                 NULL,
1653                                 server,
1654                                 NULL,
1655                                 NULL,
1656                                 reply);
1657 #endif
1658 }
1659 
1660 /**********************************************************************
1661  * Open a krb5 keytab with flags, handles readonly or readwrite access and
1662  * allows to process non-default keytab names.
1663  * @param context krb5_context 
1664  * @param keytab_name_req string
1665  * @param write_access bool if writable keytab is required
1666  * @param krb5_keytab pointer to krb5_keytab (close with krb5_kt_close())
1667  * @return krb5_error_code
1668 **********************************************************************/
1669 
1670 /* This MAX_NAME_LEN is a constant defined in krb5.h */
1671 #ifndef MAX_KEYTAB_NAME_LEN
1672 #define MAX_KEYTAB_NAME_LEN 1100
1673 #endif
1674 
1675  krb5_error_code smb_krb5_open_keytab(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1676                                       const char *keytab_name_req,
1677                                       bool write_access,
1678                                       krb5_keytab *keytab)
1679 {
1680         krb5_error_code ret = 0;
1681         TALLOC_CTX *mem_ctx;
1682         char keytab_string[MAX_KEYTAB_NAME_LEN];
1683         char *kt_str = NULL;
1684         bool found_valid_name = False;
1685         const char *pragma = "FILE";
1686         const char *tmp = NULL;
1687 
1688         if (!write_access && !keytab_name_req) {
1689                 /* caller just wants to read the default keytab readonly, so be it */
1690                 return krb5_kt_default(context, keytab);
1691         }
1692 
1693         mem_ctx = talloc_init("smb_krb5_open_keytab");
1694         if (!mem_ctx) {
1695                 return ENOMEM;
1696         }
1697 
1698 #ifdef HAVE_WRFILE_KEYTAB 
1699         if (write_access) {
1700                 pragma = "WRFILE";
1701         }
1702 #endif
1703 
1704         if (keytab_name_req) {
1705 
1706                 if (strlen(keytab_name_req) > MAX_KEYTAB_NAME_LEN) {
1707                         ret = KRB5_CONFIG_NOTENUFSPACE;
1708                         goto out;
1709                 }
1710 
1711                 if ((strncmp(keytab_name_req, "WRFILE:/", 8) == 0) || 
1712                     (strncmp(keytab_name_req, "FILE:/", 6) == 0)) {
1713                         tmp = keytab_name_req;
1714                         goto resolve;
1715                 }
1716 
1717                 if (keytab_name_req[0] != '/') {
1718                         ret = KRB5_KT_BADNAME;
1719                         goto out;
1720                 }
1721 
1722                 tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, keytab_name_req);
1723                 if (!tmp) {
1724                         ret = ENOMEM;
1725                         goto out;
1726                 }
1727 
1728                 goto resolve;
1729         }
1730 
1731         /* we need to handle more complex keytab_strings, like:
1732          * "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab" */
1733 
1734         ret = krb5_kt_default_name(context, &keytab_string[0], MAX_KEYTAB_NAME_LEN - 2);
1735         if (ret) {
1736                 goto out;
1737         }
1738 
1739         DEBUG(10,("smb_krb5_open_keytab: krb5_kt_default_name returned %s\n", keytab_string));
1740 
1741         tmp = talloc_strdup(mem_ctx, keytab_string);
1742         if (!tmp) {
1743                 ret = ENOMEM;
1744                 goto out;
1745         }
1746 
1747         if (strncmp(tmp, "ANY:", 4) == 0) {
1748                 tmp += 4;
1749         }
1750 
1751         memset(&keytab_string, '\0', sizeof(keytab_string));
1752 
1753         while (next_token_talloc(mem_ctx, &tmp, &kt_str, ",")) {
1754                 if (strncmp(kt_str, "WRFILE:", 7) == 0) {
1755                         found_valid_name = True;
1756                         tmp = kt_str;
1757                         tmp += 7;
1758                 }
1759 
1760                 if (strncmp(kt_str, "FILE:", 5) == 0) {
1761                         found_valid_name = True;
1762                         tmp = kt_str;
1763                         tmp += 5;
1764                 }
1765 
1766                 if (tmp[0] == '/') {
1767                         /* Treat as a FILE: keytab definition. */
1768                         found_valid_name = true;
1769                 }
1770 
1771                 if (found_valid_name) {
1772                         if (tmp[0] != '/') {
1773                                 ret = KRB5_KT_BADNAME;
1774                                 goto out;
1775                         }
1776 
1777                         tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, tmp);
1778                         if (!tmp) {
1779                                 ret = ENOMEM;
1780                                 goto out;
1781                         }
1782                         break;
1783                 }
1784         }
1785 
1786         if (!found_valid_name) {
1787                 ret = KRB5_KT_UNKNOWN_TYPE;
1788                 goto out;
1789         }
1790 
1791  resolve:
1792         DEBUG(10,("smb_krb5_open_keytab: resolving: %s\n", tmp));
1793         ret = krb5_kt_resolve(context, tmp, keytab);
1794 
1795  out:
1796         TALLOC_FREE(mem_ctx);
1797         return ret;
1798 }
1799 
1800 krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1801                                      krb5_context context,
1802                                      krb5_keytab keytab,
1803                                      const char **keytab_name)
1804 {
1805         char keytab_string[MAX_KEYTAB_NAME_LEN];
1806         krb5_error_code ret = 0;
1807 
1808         ret = krb5_kt_get_name(context, keytab,
1809                                keytab_string, MAX_KEYTAB_NAME_LEN - 2);
1810         if (ret) {
1811                 return ret;
1812         }
1813 
1814         *keytab_name = talloc_strdup(mem_ctx, keytab_string);
1815         if (!*keytab_name) {
1816                 return ENOMEM;
1817         }
1818 
1819         return ret;
1820 }
1821 
1822 #if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
1823 /**************************************************************
1824 Routine: ads_krb5_get_fwd_ticket
1825  Description:
1826     When a service ticket is flagged as trusted
1827     for delegation we should provide a forwardable
1828     ticket so that the remote host can act on our
1829     behalf.  This is done by taking the 2nd forwardable
1830     TGT and storing it in the GSS-API authenticator
1831     "checksum".  This routine will populate
1832     the krb5_data authenticator with this TGT.
1833  Parameters:
1834     krb5_context context: The kerberos context for this authentication.
1835     krb5_auth_context:    The authentication context.
1836     krb5_creds *credsp:   The ticket credentials (AS-REP).
1837     krb5_ccache ccache:   The credentials cache.
1838     krb5_data &authenticator: The checksum field that will store the TGT, and
1839      authenticator.data must be freed by the caller.
1840 
1841  Returns:
1842     krb5_error_code: 0 if no errors, otherwise set.
1843 **************************************************************/
1844 
1845 static krb5_error_code ads_krb5_get_fwd_ticket( krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
1846                                          krb5_auth_context *auth_context,
1847                                          krb5_creds *credsp,
1848                                          krb5_ccache ccache,
1849                                          krb5_data *authenticator)
1850 {
1851         krb5_data fwdData;
1852         krb5_error_code retval = 0;
1853         char *pChksum = NULL;
1854         char *p = NULL;
1855 
1856         ZERO_STRUCT(fwdData);
1857         ZERO_STRUCTP(authenticator);
1858 
1859         retval = krb5_fwd_tgt_creds(context,/* Krb5 context [in] */
1860                                 *auth_context,  /* Authentication context [in] */
1861                                 CONST_DISCARD(char *, KRB5_TGS_NAME),  /* Ticket service name ("krbtgt") [in] */
1862                                 credsp->client, /* Client principal for the tgt [in] */
1863                                 credsp->server, /* Server principal for the tgt [in] */
1864                                 ccache,         /* Credential cache to use for storage [in] */
1865                                 1,              /* Turn on for "Forwardable ticket" [in] */
1866                                 &fwdData );     /* Resulting response [out] */
1867 
1868 
1869         if (retval) {
1870                 DEBUG(1,("ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (%s)\n", 
1871                         error_message(retval)));
1872                 goto out;
1873         }
1874 
1875         if ((unsigned int)GSSAPI_CHECKSUM_SIZE + (unsigned int)fwdData.length <
1876                 (unsigned int)GSSAPI_CHECKSUM_SIZE) {
1877                 retval = EINVAL;
1878                 goto out;
1879         }
1880 
1881         /* We're going to allocate a gssChecksum structure with a little
1882            extra data the length of the kerberos credentials length
1883            (APPLICATION 22) so that we can pack it on the end of the structure.
1884         */
1885 
1886         pChksum = (char *)SMB_MALLOC(GSSAPI_CHECKSUM_SIZE + fwdData.length );
1887         if (!pChksum) {
1888                 retval = ENOMEM;
1889                 goto out;
1890         }
1891 
1892         p = pChksum;
1893 
1894         SIVAL(p, 0, GSSAPI_BNDLENGTH);
1895         p += 4;
1896 
1897         /* Zero out the bindings fields */
1898         memset(p, '\0', GSSAPI_BNDLENGTH );
1899         p += GSSAPI_BNDLENGTH;
1900 
1901         SIVAL(p, 0, GSS_C_DELEG_FLAG );
1902         p += 4;
1903         SSVAL(p, 0, 1 );
1904         p += 2;
1905         SSVAL(p, 0, fwdData.length );
1906         p += 2;
1907 
1908         /* Migrate the kerberos KRB_CRED data to the checksum delegation */
1909         memcpy(p, fwdData.data, fwdData.length );
1910         p += fwdData.length;
1911 
1912         /* We need to do this in order to allow our GSS-API  */
1913         retval = krb5_auth_con_set_req_cksumtype( context, *auth_context, GSSAPI_CHECKSUM );
1914         if (retval) {
1915                 goto out;
1916         }
1917 
1918         /* We now have a service ticket, now turn it into an AP-REQ. */
1919         authenticator->length = fwdData.length + GSSAPI_CHECKSUM_SIZE;
1920 
1921         /* Caller should call free() when they're done with this. */
1922         authenticator->data = (char *)pChksum;
1923 
1924   out:
1925 
1926         /* Remove that input data, we never needed it anyway. */
1927         if (fwdData.length > 0) {
1928                 krb5_free_data_contents( context, &fwdData );
1929         }
1930 
1931         return retval;
1932 }
1933 #endif
1934 
1935 #else /* HAVE_KRB5 */
1936  /* this saves a few linking headaches */
1937  int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
     /* [<][>][^][v][top][bottom][index][help] */
1938                         DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
1939                         const char *ccname, time_t *tgs_expire) 
1940 {
1941          DEBUG(0,("NO KERBEROS SUPPORT\n"));
1942          return 1;
1943 }
1944 
1945 #endif

/* [<][>][^][v][top][bottom][index][help] */