diff options
author | Jim McDonough <jmcd@samba.org> | 2003-02-19 01:16:40 +0000 |
---|---|---|
committer | Jim McDonough <jmcd@samba.org> | 2003-02-19 01:16:40 +0000 |
commit | adfefcdcb6e9d8ea0458a11b6f684a5cf231c3ba (patch) | |
tree | d9afd403aac46465eac080932df856dfa675099d /source3 | |
parent | e354fd27cb05f9d6259ca480831e325d17cfefea (diff) | |
download | samba-adfefcdcb6e9d8ea0458a11b6f684a5cf231c3ba.tar.gz samba-adfefcdcb6e9d8ea0458a11b6f684a5cf231c3ba.tar.bz2 samba-adfefcdcb6e9d8ea0458a11b6f684a5cf231c3ba.zip |
Try to get heimdal working with HEAD.
- Provide generic functions for
- get valid encryption types
- free encryption types
- Add encryption type parm to generic function create_kerberos_key_from_string()
- Try to merge the two versions (between HEAD and SAMBA_3_0) of kerberos_verify.c
I think this should work for both MIT and heimdal, in HEAD. If all goes smooth,
I'll move it over to 3.0 soon...
(This used to be commit 45e409fc8da9f26cf888e13d004392660d7c55d4)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/includes.h | 5 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 27 | ||||
-rw-r--r-- | source3/libsmb/clikrb5.c | 38 |
3 files changed, 44 insertions, 26 deletions
diff --git a/source3/include/includes.h b/source3/include/includes.h index 988913d16c..c5738f0a61 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1224,11 +1224,12 @@ krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_con /* Samba wrapper function for krb5 functionality. */ void setup_kaddr( krb5_address *pkaddr, struct sockaddr *paddr); -int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key); +int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype); void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt); krb5_const_principal get_principal_from_tkt(krb5_ticket *tkt); krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters); - +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes); +void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes); #endif /* HAVE_KRB5 */ #endif /* _INCLUDES_H */ diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index c1402b1370..17fecf60c8 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -36,8 +36,6 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, krb5_keytab keytab = NULL; krb5_data packet; krb5_ticket *tkt = NULL; - krb5_data salt; - krb5_encrypt_block eblock; int ret, i; krb5_keyblock * key; krb5_principal host_princ; @@ -92,17 +90,11 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, return NT_STATUS_LOGON_FAILURE; } - ret = krb5_principal2salt(context, host_princ, &salt); - if (ret) { - DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); - return NT_STATUS_LOGON_FAILURE; - } - if (!(key = (krb5_keyblock *)malloc(sizeof(*key)))) { return NT_STATUS_NO_MEMORY; } - if ((ret = krb5_get_permitted_enctypes(context, &enctypes))) { + if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) { DEBUG(1,("krb5_get_permitted_enctypes failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; @@ -110,10 +102,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, /* we need to setup a auth context with each possible encoding type in turn */ for (i=0;enctypes[i];i++) { - krb5_use_enctype(context, &eblock, enctypes[i]); - - ret = krb5_string_to_key(context, &eblock, key, &password, &salt); - if (ret) { + if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) { continue; } @@ -124,7 +113,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, if (!(ret = krb5_rd_req(context, &auth_context, &packet, NULL, keytab, NULL, &tkt))) { - krb5_free_ktypes(context, enctypes); + free_kerberos_etypes(context, enctypes); auth_ok = True; break; } @@ -133,6 +122,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, if (!auth_ok) { DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret))); + SAFE_FREE(key); return NT_STATUS_LOGON_FAILURE; } @@ -140,11 +130,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, file_save("/tmp/ticket.dat", ticket->data, ticket->length); #endif - - if (tkt->enc_part2) { - *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, - tkt->enc_part2->authorization_data[0]->length); - } + get_auth_data_from_tkt(auth_data, tkt); #if 0 if (tkt->enc_part2) { @@ -154,7 +140,8 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket, } #endif - if ((ret = krb5_unparse_name(context, tkt->enc_part2->client, principal))) { + if ((ret = krb5_unparse_name(context, get_principal_from_tkt(tkt), + principal))) { DEBUG(3,("krb5_unparse_name failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE; diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index e380d80bcc..c13f663381 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -74,7 +74,8 @@ int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, - krb5_keyblock *key) + krb5_keyblock *key, + krb5_enctype enctype) { int ret; krb5_data salt; @@ -85,14 +86,15 @@ DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); return ret; } - krb5_use_enctype(context, &eblock, ENCTYPE_DES_CBC_MD5); + krb5_use_enctype(context, &eblock, enctype); return krb5_string_to_key(context, &eblock, key, password, &salt); } #elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT) int create_kerberos_key_from_string(krb5_context context, krb5_principal host_princ, krb5_data *password, - krb5_keyblock *key) + krb5_keyblock *key, + krb5_enctype enctype) { int ret; krb5_salt salt; @@ -102,13 +104,41 @@ DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret))); return ret; } - return krb5_string_to_key_salt(context, ENCTYPE_DES_CBC_MD5, password->data, + return krb5_string_to_key_salt(context, enctype, password->data, salt, key); } #else __ERROR_XX_UNKNOWN_CREATE_KEY_FUNCTIONS #endif +#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES) +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, + krb5_enctype **enctypes) +{ + return krb5_get_permitted_enctypes(context, enctypes); +} +#elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES) +krb5_error_code get_kerberos_allowed_etypes(krb5_context context, + krb5_enctype **enctypes) +{ + return krb5_get_default_in_tkt_etypes(context, enctypes); +} +#else + __ERROR_XX_UNKNOWN_GET_ENCTYPES_FUNCTIONS +#endif + +#if defined(HAVE_KRB5_FREE_KTYPES) +void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes) +{ + return krb5_free_ktypes(context, enctypes); +} +#else +void free_kerberos_etypes(krb5_context context, krb5_enctype *enctypes) +{ + return free(enctypes); +} +#endif + #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, |