diff options
author | Simo Sorce <idra@samba.org> | 2012-04-21 17:26:18 -0400 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2012-04-23 19:20:38 -0400 |
commit | 08c733d75fd83fd5e32ced9712d41dd595e0f182 (patch) | |
tree | a49d6ebbf1d6c498294862f268d6890a1e6a507f /libcli/auth | |
parent | f7070c90b94954835478a09e89a85c03f0f85500 (diff) | |
download | samba-08c733d75fd83fd5e32ced9712d41dd595e0f182.tar.gz samba-08c733d75fd83fd5e32ced9712d41dd595e0f182.tar.bz2 samba-08c733d75fd83fd5e32ced9712d41dd595e0f182.zip |
Make krb5 wrapper library common so they can be used all over
Diffstat (limited to 'libcli/auth')
-rw-r--r-- | libcli/auth/krb5_wrap.c | 243 | ||||
-rw-r--r-- | libcli/auth/krb5_wrap.h | 62 | ||||
-rwxr-xr-x[-rw-r--r--] | libcli/auth/wscript_build | 6 |
3 files changed, 1 insertions, 310 deletions
diff --git a/libcli/auth/krb5_wrap.c b/libcli/auth/krb5_wrap.c deleted file mode 100644 index 55a224612d..0000000000 --- a/libcli/auth/krb5_wrap.c +++ /dev/null @@ -1,243 +0,0 @@ -/* - Unix SMB/CIFS implementation. - simple kerberos5 routines for active directory - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Luke Howard 2002-2003 - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2011 - Copyright (C) Guenther Deschner 2005-2009 - Copyright (C) Simo Sorce 2010. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#ifdef HAVE_KRB5 - -#include "libcli/auth/krb5_wrap.h" -#include "librpc/gen_ndr/krb5pac.h" - -#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY) -/* MIT */ -int create_kerberos_key_from_string_direct(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key, - krb5_enctype enctype) -{ - int ret = 0; - krb5_data salt; - - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return ret; - } - ret = krb5_c_string_to_key(context, enctype, password, &salt, key); - SAFE_FREE(salt.data); - - return ret; -} -#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) -/* Heimdal */ -int create_kerberos_key_from_string_direct(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key, - krb5_enctype enctype) -{ - int ret; - krb5_salt salt; - - ret = krb5_get_pw_salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); - return ret; - } - - ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key); - krb5_free_salt(context, salt); - - return ret; -} -#else -#error UNKNOWN_CREATE_KEY_FUNCTIONS -#endif - - void kerberos_free_data_contents(krb5_context context, krb5_data *pdata) -{ -#if defined(HAVE_KRB5_FREE_DATA_CONTENTS) - if (pdata->data) { - krb5_free_data_contents(context, pdata); - } -#elif defined(HAVE_KRB5_DATA_FREE) - krb5_data_free(context, pdata); -#else - SAFE_FREE(pdata->data); -#endif -} - - - krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry) -{ -/* Try krb5_free_keytab_entry_contents first, since - * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and - * krb5_kt_free_entry but only has a prototype for the first, while the - * second is considered private. - */ -#if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS) - return krb5_free_keytab_entry_contents(context, kt_entry); -#elif defined(HAVE_KRB5_KT_FREE_ENTRY) - return krb5_kt_free_entry(context, kt_entry); -#else -#error UNKNOWN_KT_FREE_FUNCTION -#endif -} - -/************************************************************** - Wrappers around kerberos string functions that convert from - utf8 -> unix charset and vica versa. -**************************************************************/ - -/************************************************************** - krb5_parse_name that takes a UNIX charset. -**************************************************************/ - - krb5_error_code smb_krb5_parse_name(krb5_context context, - const char *name, /* in unix charset */ - krb5_principal *principal) -{ - krb5_error_code ret; - char *utf8_name; - size_t converted_size; - TALLOC_CTX *frame = talloc_stackframe(); - - if (!push_utf8_talloc(frame, &utf8_name, name, &converted_size)) { - talloc_free(frame); - return ENOMEM; - } - - ret = krb5_parse_name(context, utf8_name, principal); - TALLOC_FREE(frame); - return ret; -} - -#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME) -static void krb5_free_unparsed_name(krb5_context context, char *val) -{ - SAFE_FREE(val); -} -#endif - -/************************************************************** - krb5_parse_name that returns a UNIX charset name. Must - be freed with talloc_free() call. -**************************************************************/ - -krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx, - krb5_context context, - krb5_const_principal principal, - char **unix_name) -{ - krb5_error_code ret; - char *utf8_name; - size_t converted_size; - - *unix_name = NULL; - ret = krb5_unparse_name(context, principal, &utf8_name); - if (ret) { - return ret; - } - - if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) { - krb5_free_unparsed_name(context, utf8_name); - return ENOMEM; - } - krb5_free_unparsed_name(context, utf8_name); - return 0; -} - - krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, - const char *name, - krb5_principal *principal) -{ - /* we are cheating here because parse_name will in fact set the realm. - * We don't care as the only caller of smb_krb5_parse_name_norealm - * ignores the realm anyway when calling - * smb_krb5_principal_compare_any_realm later - Guenther */ - - return smb_krb5_parse_name(context, name, principal); -} - - bool smb_krb5_principal_compare_any_realm(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2) -{ - return krb5_principal_compare_any_realm(context, princ1, princ2); -} - -char *gssapi_error_string(TALLOC_CTX *mem_ctx, - OM_uint32 maj_stat, OM_uint32 min_stat, - const gss_OID mech) -{ - OM_uint32 disp_min_stat, disp_maj_stat; - gss_buffer_desc maj_error_message; - gss_buffer_desc min_error_message; - char *maj_error_string, *min_error_string; - OM_uint32 msg_ctx = 0; - - char *ret; - - maj_error_message.value = NULL; - min_error_message.value = NULL; - maj_error_message.length = 0; - min_error_message.length = 0; - - disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE, - mech, &msg_ctx, &maj_error_message); - disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE, - mech, &msg_ctx, &min_error_message); - - maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length); - - min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length); - - ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string); - - talloc_free(maj_error_string); - talloc_free(min_error_string); - - gss_release_buffer(&disp_min_stat, &maj_error_message); - gss_release_buffer(&disp_min_stat, &min_error_message); - - return ret; -} - - - char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx) -{ - char *ret; - -#if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE) - const char *context_error = krb5_get_error_message(context, code); - if (context_error) { - ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error); - krb5_free_error_message(context, context_error); - return ret; - } -#endif - ret = talloc_strdup(mem_ctx, error_message(code)); - return ret; -} - -#endif diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h deleted file mode 100644 index 4c0ef93e4c..0000000000 --- a/libcli/auth/krb5_wrap.h +++ /dev/null @@ -1,62 +0,0 @@ -/* - Unix SMB/CIFS implementation. - simple kerberos5 routines for active directory - Copyright (C) Andrew Tridgell 2001 - Copyright (C) Luke Howard 2002-2003 - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 - Copyright (C) Guenther Deschner 2005-2009 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "system/kerberos.h" - -#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */ -#define KRB5_KEY_TYPE(k) ((k)->keytype) -#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length) -#define KRB5_KEY_DATA(k) ((k)->keyvalue.data) -#define KRB5_KEY_DATA_CAST void -#else /* MIT */ -#define KRB5_KEY_TYPE(k) ((k)->enctype) -#define KRB5_KEY_LENGTH(k) ((k)->length) -#define KRB5_KEY_DATA(k) ((k)->contents) -#define KRB5_KEY_DATA_CAST krb5_octet -#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */ - -int create_kerberos_key_from_string_direct(krb5_context context, - krb5_principal host_princ, - krb5_data *password, - krb5_keyblock *key, - krb5_enctype enctype); -void kerberos_free_data_contents(krb5_context context, krb5_data *pdata); -krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry); - - krb5_error_code smb_krb5_parse_name(krb5_context context, - const char *name, /* in unix charset */ - krb5_principal *principal); -krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx, - krb5_context context, - krb5_const_principal principal, - char **unix_name); - krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, - const char *name, - krb5_principal *principal); - bool smb_krb5_principal_compare_any_realm(krb5_context context, - krb5_const_principal princ1, - krb5_const_principal princ2); -char *gssapi_error_string(TALLOC_CTX *mem_ctx, - OM_uint32 maj_stat, OM_uint32 min_stat, - const gss_OID mech); -char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx); - diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build index b4b648efa1..893cfd9d95 100644..100755 --- a/libcli/auth/wscript_build +++ b/libcli/auth/wscript_build @@ -2,7 +2,7 @@ bld.SAMBA_LIBRARY('cliauth', source='', - deps='MSRPC_PARSE LIBCLI_AUTH COMMON_SCHANNEL PAM_ERRORS SPNEGO_PARSE KRB5_WRAP errors NTLM_CHECK UTIL_LSARPC', + deps='MSRPC_PARSE LIBCLI_AUTH COMMON_SCHANNEL PAM_ERRORS SPNEGO_PARSE krb5samba errors NTLM_CHECK UTIL_LSARPC', private_library=True, grouping_library=True) @@ -37,7 +37,3 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS', bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE', source='spnego_parse.c', deps='asn1util') - -bld.SAMBA_SUBSYSTEM('KRB5_WRAP', - source='krb5_wrap.c', - deps='gssapi_krb5 krb5 ndr-krb5pac com_err KRB5_PAC') |