From 08c733d75fd83fd5e32ced9712d41dd595e0f182 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sat, 21 Apr 2012 17:26:18 -0400
Subject: Make krb5 wrapper library common so they can be used all over

---
 libcli/auth/krb5_wrap.c | 243 ----------------------------------------------
 libcli/auth/krb5_wrap.h | 62 ------------
 libcli/auth/wscript_build | 6 +-
 libcli/smb/smb_seal.c | 2 +-
 libcli/smb/wscript_build | 2 +-
 5 files changed, 3 insertions(+), 312 deletions(-)
 delete mode 100644 libcli/auth/krb5_wrap.c
 delete mode 100644 libcli/auth/krb5_wrap.h
 mode change 100644 => 100755 libcli/auth/wscript_build
 mode change 100644 => 100755 libcli/smb/wscript_build

(limited to 'libcli')

diff --git a/libcli/auth/krb5_wrap.c b/libcli/auth/krb5_wrap.c
deleted file mode 100644
index 55a224612d..0000000000
--- a/libcli/auth/krb5_wrap.c
+++ /dev/null
@@ -1,243 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- simple kerberos5 routines for active directory
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Luke Howard 2002-2003
- Copyright (C) Andrew Bartlett 2005-2011
- Copyright (C) Guenther Deschner 2005-2009
- Copyright (C) Simo Sorce 2010.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-
-#include "includes.h"
-#ifdef HAVE_KRB5
-
-#include "libcli/auth/krb5_wrap.h"
-#include "librpc/gen_ndr/krb5pac.h"
-
-#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
-/* MIT */
-int create_kerberos_key_from_string_direct(krb5_context context,
- krb5_principal host_princ,
- krb5_data *password,
- krb5_keyblock *key,
- krb5_enctype enctype)
-{
- int ret = 0;
- krb5_data salt;
-
- ret = krb5_principal2salt(context, host_princ, &salt);
- if (ret) {
- DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret)));
- return ret;
- }
- ret = krb5_c_string_to_key(context, enctype, password, &salt, key);
- SAFE_FREE(salt.data);
-
- return ret;
-}
-#elif defined(HAVE_KRB5_GET_PW_SALT) && defined(HAVE_KRB5_STRING_TO_KEY_SALT)
-/* Heimdal */
-int create_kerberos_key_from_string_direct(krb5_context context,
- krb5_principal host_princ,
- krb5_data *password,
- krb5_keyblock *key,
- krb5_enctype enctype)
-{
- int ret;
- krb5_salt salt;
-
- ret = krb5_get_pw_salt(context, host_princ, &salt);
- if (ret) {
- DEBUG(1,("krb5_get_pw_salt failed (%s)\n", error_message(ret)));
- return ret;
- }
-
- ret = krb5_string_to_key_salt(context, enctype, (const char *)password->data, salt, key);
- krb5_free_salt(context, salt);
-
- return ret;
-}
-#else
-#error UNKNOWN_CREATE_KEY_FUNCTIONS
-#endif
-
- void kerberos_free_data_contents(krb5_context context, krb5_data *pdata)
-{
-#if defined(HAVE_KRB5_FREE_DATA_CONTENTS)
- if (pdata->data) {
- krb5_free_data_contents(context, pdata);
- }
-#elif defined(HAVE_KRB5_DATA_FREE)
- krb5_data_free(context, pdata);
-#else
- SAFE_FREE(pdata->data);
-#endif
-}
-
-
- krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry)
-{
-/* Try krb5_free_keytab_entry_contents first, since
- * MIT Kerberos >= 1.7 has both krb5_free_keytab_entry_contents and
- * krb5_kt_free_entry but only has a prototype for the first, while the
- * second is considered private.
- */
-#if defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS)
- return krb5_free_keytab_entry_contents(context, kt_entry);
-#elif defined(HAVE_KRB5_KT_FREE_ENTRY)
- return krb5_kt_free_entry(context, kt_entry);
-#else
-#error UNKNOWN_KT_FREE_FUNCTION
-#endif
-}
-
-/**************************************************************
- Wrappers around kerberos string functions that convert from
- utf8 -> unix charset and vica versa.
-**************************************************************/
-
-/**************************************************************
- krb5_parse_name that takes a UNIX charset.
-**************************************************************/
-
- krb5_error_code smb_krb5_parse_name(krb5_context context,
- const char *name, /* in unix charset */
- krb5_principal *principal)
-{
- krb5_error_code ret;
- char *utf8_name;
- size_t converted_size;
- TALLOC_CTX *frame = talloc_stackframe();
-
- if (!push_utf8_talloc(frame, &utf8_name, name, &converted_size)) {
- talloc_free(frame);
- return ENOMEM;
- }
-
- ret = krb5_parse_name(context, utf8_name, principal);
- TALLOC_FREE(frame);
- return ret;
-}
-
-#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
-static void krb5_free_unparsed_name(krb5_context context, char *val)
-{
- SAFE_FREE(val);
-}
-#endif
-
-/**************************************************************
- krb5_parse_name that returns a UNIX charset name. Must
- be freed with talloc_free() call.
-**************************************************************/
-
-krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
- krb5_context context,
- krb5_const_principal principal,
- char **unix_name)
-{
- krb5_error_code ret;
- char *utf8_name;
- size_t converted_size;
-
- *unix_name = NULL;
- ret = krb5_unparse_name(context, principal, &utf8_name);
- if (ret) {
- return ret;
- }
-
- if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
- krb5_free_unparsed_name(context, utf8_name);
- return ENOMEM;
- }
- krb5_free_unparsed_name(context, utf8_name);
- return 0;
-}
-
- krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
- const char *name,
- krb5_principal *principal)
-{
- /* we are cheating here because parse_name will in fact set the realm.
- * We don't care as the only caller of smb_krb5_parse_name_norealm
- * ignores the realm anyway when calling
- * smb_krb5_principal_compare_any_realm later - Guenther */
-
- return smb_krb5_parse_name(context, name, principal);
-}
-
- bool smb_krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
-{
- return krb5_principal_compare_any_realm(context, princ1, princ2);
-}
-
-char *gssapi_error_string(TALLOC_CTX *mem_ctx,
- OM_uint32 maj_stat, OM_uint32 min_stat,
- const gss_OID mech)
-{
- OM_uint32 disp_min_stat, disp_maj_stat;
- gss_buffer_desc maj_error_message;
- gss_buffer_desc min_error_message;
- char *maj_error_string, *min_error_string;
- OM_uint32 msg_ctx = 0;
-
- char *ret;
-
- maj_error_message.value = NULL;
- min_error_message.value = NULL;
- maj_error_message.length = 0;
- min_error_message.length = 0;
-
- disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
- mech, &msg_ctx, &maj_error_message);
- disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
- mech, &msg_ctx, &min_error_message);
-
- maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
-
- min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
-
- ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
-
- talloc_free(maj_error_string);
- talloc_free(min_error_string);
-
- gss_release_buffer(&disp_min_stat, &maj_error_message);
- gss_release_buffer(&disp_min_stat, &min_error_message);
-
- return ret;
-}
-
-
- char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx)
-{
- char *ret;
-
-#if defined(HAVE_KRB5_GET_ERROR_MESSAGE) && defined(HAVE_KRB5_FREE_ERROR_MESSAGE)
- const char *context_error = krb5_get_error_message(context, code);
- if (context_error) {
- ret = talloc_asprintf(mem_ctx, "%s: %s", error_message(code), context_error);
- krb5_free_error_message(context, context_error);
- return ret;
- }
-#endif
- ret = talloc_strdup(mem_ctx, error_message(code));
- return ret;
-}
-
-#endif
diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h
deleted file mode 100644
index 4c0ef93e4c..0000000000
--- a/libcli/auth/krb5_wrap.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- simple kerberos5 routines for active directory
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Luke Howard 2002-2003
- Copyright (C) Andrew Bartlett 2005
- Copyright (C) Guenther Deschner 2005-2009
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
-*/
-
-#include "system/kerberos.h"
-
-#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
-#define KRB5_KEY_TYPE(k) ((k)->keytype)
-#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
-#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
-#define KRB5_KEY_DATA_CAST void
-#else /* MIT */
-#define KRB5_KEY_TYPE(k) ((k)->enctype)
-#define KRB5_KEY_LENGTH(k) ((k)->length)
-#define KRB5_KEY_DATA(k) ((k)->contents)
-#define KRB5_KEY_DATA_CAST krb5_octet
-#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
-
-int create_kerberos_key_from_string_direct(krb5_context context,
- krb5_principal host_princ,
- krb5_data *password,
- krb5_keyblock *key,
- krb5_enctype enctype);
-void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
-krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
-
- krb5_error_code smb_krb5_parse_name(krb5_context context,
- const char *name, /* in unix charset */
- krb5_principal *principal);
-krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
- krb5_context context,
- krb5_const_principal principal,
- char **unix_name);
- krb5_error_code smb_krb5_parse_name_norealm(krb5_context context,
- const char *name,
- krb5_principal *principal);
- bool smb_krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2);
-char *gssapi_error_string(TALLOC_CTX *mem_ctx,
- OM_uint32 maj_stat, OM_uint32 min_stat,
- const gss_OID mech);
-char *smb_get_krb5_error_message(krb5_context context, krb5_error_code code, TALLOC_CTX *mem_ctx);
-
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
old mode 100644
new mode 100755
index b4b648efa1..893cfd9d95
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -2,7 +2,7 @@
 bld.SAMBA_LIBRARY('cliauth',
 source='',
- deps='MSRPC_PARSE LIBCLI_AUTH COMMON_SCHANNEL PAM_ERRORS SPNEGO_PARSE KRB5_WRAP errors NTLM_CHECK UTIL_LSARPC',
+ deps='MSRPC_PARSE LIBCLI_AUTH COMMON_SCHANNEL PAM_ERRORS SPNEGO_PARSE krb5samba errors NTLM_CHECK UTIL_LSARPC',
 private_library=True,
 grouping_library=True)
@@ -37,7 +37,3 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
 bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
 source='spnego_parse.c',
 deps='asn1util')
-
-bld.SAMBA_SUBSYSTEM('KRB5_WRAP',
- source='krb5_wrap.c',
- deps='gssapi_krb5 krb5 ndr-krb5pac com_err KRB5_PAC')
diff --git a/libcli/smb/smb_seal.c b/libcli/smb/smb_seal.c
index d5bb2388bb..78af733d00 100644
--- a/libcli/smb/smb_seal.c
+++ b/libcli/smb/smb_seal.c
@@ -20,7 +20,7 @@
 #include "includes.h"
 #include "smb_common.h"
 #if HAVE_KRB5
-#include "libcli/auth/krb5_wrap.h"
+#include "lib/krb5_wrap/krb5_samba.h"
 #endif
 #include "auth/gensec/gensec.h"
 #include "libcli/smb/smb_seal.h"
diff --git a/libcli/smb/wscript_build b/libcli/smb/wscript_build
old mode 100644
new mode 100755
index 7a21d4a4a7..6feed445df
--- a/libcli/smb/wscript_build
+++ b/libcli/smb/wscript_build
@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('cli_smb_common',
 smbXcli_base.c
 smb1cli_trans.c
 ''',
- deps='LIBCRYPTO errors gssapi gensec KRB5_WRAP LIBASYNC_REQ',
+ deps='LIBCRYPTO errors gssapi gensec krb5samba LIBASYNC_REQ',
 public_deps='talloc samba-util',
 private_library=True,
 public_headers='''
--
cgit