diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-07-11 10:47:41 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:56:56 -0500 |
commit | bd38d43214ebe71715776f1c0c1b9edf6e1b28ef (patch) | |
tree | 37a226d61dcef6feb8b64f8d3e6a9d308c275582 | |
parent | 0f3f9090faa0f35b5ead4a4ac6801a5caa43766c (diff) | |
download | samba-bd38d43214ebe71715776f1c0c1b9edf6e1b28ef.tar.gz samba-bd38d43214ebe71715776f1c0c1b9edf6e1b28ef.tar.bz2 samba-bd38d43214ebe71715776f1c0c1b9edf6e1b28ef.zip |
r1443: More changes towards Kerberos in Samba4's GENSEC.
The kerberos context is now tied in life to the GENSEC context.
Andrew Bartlett
(This used to be commit 64e99170c3b53a14d7f8d29cf78283f2bc22c1f7)
-rw-r--r-- | source4/libcli/auth/clikrb5.c | 139 | ||||
-rw-r--r-- | source4/libcli/auth/kerberos.h | 17 |
2 files changed, 24 insertions, 132 deletions
diff --git a/source4/libcli/auth/clikrb5.c b/source4/libcli/auth/clikrb5.c index cf0c4b6424..17824ceefe 100644 --- a/source4/libcli/auth/clikrb5.c +++ b/source4/libcli/auth/clikrb5.c @@ -23,16 +23,6 @@ #ifdef HAVE_KRB5 -#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE -#define KRB5_KEY_TYPE(k) ((k)->keytype) -#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) -#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) -#else -#define KRB5_KEY_TYPE(k) ((k)->enctype) -#define KRB5_KEY_LENGTH(k) ((k)->length) -#define KRB5_KEY_DATA(k) ((k)->contents) -#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ - #ifndef HAVE_KRB5_SET_REAL_TIME /* * This function is not in the Heimdal mainline. @@ -160,7 +150,8 @@ } #endif - void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) +void get_auth_data_from_tkt(TALLOC_CTX *mem_ctx, + DATA_BLOB *auth_data, krb5_ticket *tkt) { #if defined(HAVE_KRB5_TKT_ENC_PART2) if (tkt->enc_part2) @@ -286,12 +277,12 @@ static BOOL ads_cleanup_expired_creds(krb5_context context, /* we can't use krb5_mk_req because w2k wants the service to be in a particular format */ -static krb5_error_code ads_krb5_mk_req(krb5_context context, - krb5_auth_context *auth_context, - const krb5_flags ap_req_options, - const char *principal, - krb5_ccache ccache, - krb5_data *outbuf) + krb5_error_code ads_krb5_mk_req(krb5_context context, + krb5_auth_context *auth_context, + const krb5_flags ap_req_options, + const char *principal, + krb5_ccache ccache, + krb5_data *outbuf) { krb5_error_code retval; krb5_principal server; @@ -374,111 +365,6 @@ cleanup_princ: return retval; } -/* - get a kerberos5 ticket for the given service -*/ -int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5) -{ - krb5_error_code retval; - krb5_data packet; - krb5_context context = NULL; - krb5_ccache ccdef = NULL; - krb5_auth_context auth_context = NULL; - krb5_enctype enc_types[] = { -#ifdef ENCTYPE_ARCFOUR_HMAC - ENCTYPE_ARCFOUR_HMAC, -#endif - ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES_CBC_CRC, - ENCTYPE_NULL}; - - retval = krb5_init_context(&context); - if (retval) { - DEBUG(1,("krb5_init_context failed (%s)\n", - error_message(retval))); - goto failed; - } - - if (time_offset != 0) { - krb5_set_real_time(context, time(NULL) + time_offset, 0); - } - - if ((retval = krb5_cc_default(context, &ccdef))) { - DEBUG(1,("krb5_cc_default failed (%s)\n", - error_message(retval))); - goto failed; - } - - if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) { - DEBUG(1,("krb5_set_default_tgs_ktypes failed (%s)\n", - error_message(retval))); - goto failed; - } - - if ((retval = ads_krb5_mk_req(context, - &auth_context, - AP_OPTS_USE_SUBKEY, - principal, - ccdef, &packet))) { - goto failed; - } - - get_krb5_smb_session_key(context, auth_context, session_key_krb5, False); - - *ticket = data_blob(packet.data, packet.length); - -/* Hmm, heimdal dooesn't have this - what's the correct call? */ -#ifdef HAVE_KRB5_FREE_DATA_CONTENTS - krb5_free_data_contents(context, &packet); -#endif - -failed: - - if ( context ) { -/* Removed by jra. They really need to fix their kerberos so we don't leak memory. - JERRY -- disabled since it causes heimdal 0.6.1rc3 to die - SuSE 9.1 Pro -*/ - if (ccdef) -#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */ - krb5_cc_close(context, ccdef); -#endif - if (auth_context) - krb5_auth_con_free(context, auth_context); - krb5_free_context(context); - } - - return retval; -} - - BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote) - { - krb5_keyblock *skey; - krb5_error_code err; - BOOL ret = False; - - memset(session_key, 0, 16); - - if (remote) - err = krb5_auth_con_getremotesubkey(context, auth_context, &skey); - else - err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey); - if (err == 0 && skey != NULL) { - DEBUG(10, ("Got KRB5 session key of length %d\n", KRB5_KEY_LENGTH(skey))); - *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); - dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); - - ret = True; - - krb5_free_keyblock(context, skey); - } else { - DEBUG(10, ("KRB5 error getting session key %d\n", err)); - } - - return ret; - } - #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT) const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i ) @@ -502,13 +388,4 @@ failed: #endif } -#else /* HAVE_KRB5 */ - /* this saves a few linking headaches */ -int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5) -{ - DEBUG(0,("NO KERBEROS SUPPORT\n")); - return 1; -} - #endif diff --git a/source4/libcli/auth/kerberos.h b/source4/libcli/auth/kerberos.h index 6f63f6eef2..193a1a9438 100644 --- a/source4/libcli/auth/kerberos.h +++ b/source4/libcli/auth/kerberos.h @@ -21,6 +21,16 @@ #if defined(HAVE_KRB5) +#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE +#define KRB5_KEY_TYPE(k) ((k)->keytype) +#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) +#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) +#else +#define KRB5_KEY_TYPE(k) ((k)->enctype) +#define KRB5_KEY_LENGTH(k) ((k)->length) +#define KRB5_KEY_DATA(k) ((k)->contents) +#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ + #ifndef HAVE_KRB5_SET_REAL_TIME krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds); #endif @@ -40,11 +50,16 @@ void krb5_free_unparsed_name(krb5_context ctx, char *val); /* Samba wrapper function for krb5 functionality. */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr); int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype); -void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt); krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes); BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote); +krb5_error_code ads_krb5_mk_req(krb5_context context, + krb5_auth_context *auth_context, + const krb5_flags ap_req_options, + const char *principal, + krb5_ccache ccache, + krb5_data *outbuf); #endif /* HAVE_KRB5 */ |