From 6b2e742d6c719258c8ff1c2309847e88bdae97e7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 5 Jan 2012 10:51:29 +1100 Subject: krb5: Require krb5_c_verify_checksum is available to build with krb5 --- libcli/auth/krb5_wrap.c | 83 ++++++++++++------------------------------------- source3/configure.in | 6 ++-- source3/wscript | 15 ++------- 3 files changed, 25 insertions(+), 79 deletions(-) diff --git a/libcli/auth/krb5_wrap.c b/libcli/auth/krb5_wrap.c index e7e071d484..8bd17670bb 100644 --- a/libcli/auth/krb5_wrap.c +++ b/libcli/auth/krb5_wrap.c 
@@ -241,71 +241,28 @@ krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx, { krb5_error_code ret; - /* verify the checksum */ - - /* welcome to the wonderful world of samba's kerberos abstraction layer: - * - * function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2 - * ----------------------------------------------------------------------------- - * krb5_c_verify_checksum - works works - * krb5_verify_checksum works (6 args) works (6 args) broken (7 args) - */ - -#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM) - { - krb5_boolean checksum_valid = false; - krb5_data input; - - input.data = (char *)data; - input.length = length; - - ret = krb5_c_verify_checksum(context, - keyblock, - usage, - &input, - cksum, - &checksum_valid); - if (ret) { - DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", - error_message(ret))); - return ret; - } - - if (!checksum_valid) - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; - } - -#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY) - - /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key - * without enctype and it ignores any key_usage types - Guenther */ - - { + /* verify the checksum, heimdal 0.7 and MIT krb 1.4.2 and above */ - krb5_crypto crypto; - ret = krb5_crypto_init(context, - keyblock, - 0, - &crypto); - if (ret) { - DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n", - error_message(ret))); - return ret; - } - - ret = krb5_verify_checksum(context, - crypto, - usage, - data, - length, - cksum); - - krb5_crypto_destroy(context, crypto); + krb5_boolean checksum_valid = false; + krb5_data input; + + input.data = (char *)data; + input.length = length; + + ret = krb5_c_verify_checksum(context, + keyblock, + usage, + &input, + cksum, + &checksum_valid); + if (ret) { + DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", + error_message(ret))); + return ret; } - -#else -#error 
UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION -#endif + + if (!checksum_valid) + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; return ret; } diff --git a/source3/configure.in b/source3/configure.in index 1847ad2181..fd28a4bb1a 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3873,7 +3873,6 @@ if test x"$with_ads_support" != x"no"; then AC_CHECK_FUNC_EXT(krb5_crypto_destroy, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_decode_ap_req, $KRB5_LIBS) AC_CHECK_FUNC_EXT(free_AP_REQ, $KRB5_LIBS) - AC_CHECK_FUNC_EXT(krb5_verify_checksum, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_c_verify_checksum, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_principal_compare_any_realm, $KRB5_LIBS) AC_CHECK_FUNC_EXT(krb5_parse_name_norealm, $KRB5_LIBS) @@ -4444,10 +4443,9 @@ if test x"$with_ads_support" != x"no"; then use_ads=no fi - if test x"$ac_cv_func_ext_krb5_c_verify_checksum" != x"yes" -a \ - x"$ac_cv_func_ext_krb5_verify_checksum" != x"yes" + if test x"$ac_cv_func_ext_krb5_c_verify_checksum" != x"yes" then - AC_MSG_WARN(no KRB5_VERIFY_CHECKSUM_FUNCTION detected) + AC_MSG_WARN(krb5_c_verify_checksum not found in -lkrb5) use_ads=no fi diff --git a/source3/wscript b/source3/wscript index 903061db9d..690ae957e3 100644 --- a/source3/wscript +++ b/source3/wscript @@ -582,7 +582,7 @@ krb5_principal_get_comp_string krb5_free_unparsed_name krb5_free_keytab_entry_contents krb5_kt_free_entry krb5_krbhst_init krb5_krbhst_get_addrinfo krb5_c_enctype_compare krb5_crypto_init krb5_crypto_destroy krb5_decode_ap_req free_AP_REQ -krb5_verify_checksum krb5_c_verify_checksum krb5_principal_compare_any_realm +krb5_c_verify_checksum krb5_principal_compare_any_realm krb5_parse_name_norealm krb5_princ_size krb5_get_init_creds_opt_set_pac_request krb5_get_renewed_creds krb5_get_kdc_cred krb5_free_error_contents initialize_krb5_error_table krb5_get_init_creds_opt_alloc 
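Review bot: The `if (!checksum_valid)` branch at the end of the new body in libcli/auth/krb5_wrap.c sets `KRB5KRB_AP_ERR_BAD_INTEGRITY` without logging anything, while an error return from `krb5_c_verify_checksum()` just above it gets a `DEBUG(3, ...)` line. A checksum that fails to verify is the security-relevant outcome of this function, so it should leave its own trace: brace the branch and add `DEBUG(3,("smb_krb5_verify_checksum: checksum did not verify\n"));` before the assignment. Separately, `input.length = length;` could narrow silently if `length` is wider than the `krb5_data` length field. The parameter types are outside the hunk (the `@@` context appears to name the preceding function), so confirm this against the signature.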
@@ -696,14 +696,6 @@ int main(void) { headers='krb5.h', lib='krb5', addmain=False, msg="Checking whether krb5_principal_get_realm is defined") - if conf.CHECK_CODE('''krb5_verify_checksum(0, 0, 0, 0, 0, 0, 0);''', - 'KRB5_VERIFY_CHECKSUM_ARGS', - headers='krb5.h', lib='krb5', - msg="Checking whether krb5_verify_checksum takes 7 arguments"): - conf.DEFINE('KRB5_VERIFY_CHECKSUM_ARGS', '7') - else: - conf.DEFINE('KRB5_VERIFY_CHECKSUM_ARGS', '6') - conf.CHECK_CODE(''' krb5_enctype enctype; enctype = ENCTYPE_ARCFOUR_HMAC_MD5; @@ -770,9 +762,8 @@ return krb5_kt_resolve(context, "WRFILE:api", &keytab); not conf.CONFIG_SET('HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS'): Logs.warn("no KT_FREE_FUNCTION detected") use_ads=False - if not conf.CONFIG_SET('HAVE_KRB5_C_VERIFY_CHECKSUM') and \ - not conf.CONFIG_SET('HAVE_KRB5_VERIFY_CHECKSUM'): - Logs.warn("no KRB5_VERIFY_CHECKSUM_FUNCTION detected") + if not conf.CONFIG_SET('HAVE_KRB5_C_VERIFY_CHECKSUM'): + Logs.warn("krb5_c_verify_checksum_compare not found in -lkrb5") use_ads=False if not conf.CONFIG_SET('KRB5_TICKET_HAS_KEYINFO'): # We only need the following functions if we can't get the enctype -- cgit
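Review bot: The new warning in the last source3/wscript hunk names `krb5_c_verify_checksum_compare`, which is not the symbol being tested. The condition checks `HAVE_KRB5_C_VERIFY_CHECKSUM`, and the matching message in source3/configure.in says `krb5_c_verify_checksum`. Anyone diagnosing why ADS support was switched off would search for a function this check never looks at. The line should read `Logs.warn("krb5_c_verify_checksum not found in -lkrb5")` so both build systems report the same thing.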