From 0e5482c791b9d99a44ca62323aa4dedbbf8d188e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 20 Apr 2011 12:03:48 +1000
Subject: libcli/auth: Move more kerberos wrapping in common

These functions are required to get the krb5 PAC parsing and
verfication in common.

Andrew Bartlett
---
 source3/libsmb/clikrb5.c | 228 -----------------------------------------------
 1 file changed, 228 deletions(-)

(limited to 'source3/libsmb/clikrb5.c')

diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index b341ff4be6..a872d2df61 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -50,84 +50,6 @@ krb5_error_code krb5_auth_con_set_req_cksumtype(
 	krb5_cksumtype     cksumtype);
 #endif
 
-/**************************************************************
- Wrappers around kerberos string functions that convert from
- utf8 -> unix charset and vica versa.
-**************************************************************/
-
-/**************************************************************
- krb5_parse_name that takes a UNIX charset.
-**************************************************************/
-
- krb5_error_code smb_krb5_parse_name(krb5_context context,
-				const char *name, /* in unix charset */
-				krb5_principal *principal)
-{
-	krb5_error_code ret;
-	char *utf8_name;
-	size_t converted_size;
-
-	if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
-		return ENOMEM;
-	}
-
-	ret = krb5_parse_name(context, utf8_name, principal);
-	TALLOC_FREE(utf8_name);
-	return ret;
-}
-
-#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
-/**************************************************************
- krb5_parse_name_norealm that takes a UNIX charset.
-**************************************************************/
-
-static krb5_error_code smb_krb5_parse_name_norealm_conv(krb5_context context,
-				const char *name, /* in unix charset */
-				krb5_principal *principal)
-{
-	krb5_error_code ret;
-	char *utf8_name;
-	size_t converted_size;
-
-	*principal = NULL;
-	if (!push_utf8_talloc(talloc_tos(), &utf8_name, name, &converted_size)) {
-		return ENOMEM;
-	}
-
-	ret = krb5_parse_name_norealm(context, utf8_name, principal);
-	TALLOC_FREE(utf8_name);
-	return ret;
-}
-#endif
-
-/**************************************************************
- krb5_parse_name that returns a UNIX charset name. Must
- be freed with talloc_free() call.
-**************************************************************/
-
-krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
-				      krb5_context context,
-				      krb5_const_principal principal,
-				      char **unix_name)
-{
-	krb5_error_code ret;
-	char *utf8_name;
-	size_t converted_size;
-
-	*unix_name = NULL;
-	ret = krb5_unparse_name(context, principal, &utf8_name);
-	if (ret) {
-		return ret;
-	}
-
-	if (!pull_utf8_talloc(mem_ctx, unix_name, utf8_name, &converted_size)) {
-		krb5_free_unparsed_name(context, utf8_name);
-		return ENOMEM;
-	}
-	krb5_free_unparsed_name(context, utf8_name);
-	return 0;
-}
-
 #ifndef HAVE_KRB5_SET_REAL_TIME
 /*
  * This function is not in the Heimdal mainline.
@@ -530,13 +452,6 @@ bool unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_
 
 #endif /* HAVE_KRB5_LOCATE_KDC */
 
-#if !defined(HAVE_KRB5_FREE_UNPARSED_NAME)
- void krb5_free_unparsed_name(krb5_context context, char *val)
-{
-	SAFE_FREE(val);
-}
-#endif
-
  void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype)
 {
 #if defined(HAVE_KRB5_KEYBLOCK_IN_CREDS)
@@ -1010,98 +925,6 @@ done:
 }
 #endif
 
- void smb_krb5_checksum_from_pac_sig(krb5_checksum *cksum,
-				     struct PAC_SIGNATURE_DATA *sig)
-{
-#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM
-	cksum->cksumtype	= (krb5_cksumtype)sig->type;
-	cksum->checksum.length	= sig->signature.length;
-	cksum->checksum.data	= sig->signature.data;
-#else
-	cksum->checksum_type	= (krb5_cksumtype)sig->type;
-	cksum->length		= sig->signature.length;
-	cksum->contents		= sig->signature.data;
-#endif
-}
-
- krb5_error_code smb_krb5_verify_checksum(krb5_context context,
-					  const krb5_keyblock *keyblock,
-					 krb5_keyusage usage,
-					 krb5_checksum *cksum,
-					 uint8 *data,
-					 size_t length)
-{
-	krb5_error_code ret;
-
-	/* verify the checksum */
-
-	/* welcome to the wonderful world of samba's kerberos abstraction layer:
-	 * 
-	 * function			heimdal 0.6.1rc3	heimdal 0.7	MIT krb 1.4.2
-	 * -----------------------------------------------------------------------------
-	 * krb5_c_verify_checksum	-			works		works
-	 * krb5_verify_checksum		works (6 args)		works (6 args)	broken (7 args) 
-	 */
-
-#if defined(HAVE_KRB5_C_VERIFY_CHECKSUM)
-	{
-		krb5_boolean checksum_valid = False;
-		krb5_data input;
-
-		input.data = (char *)data;
-		input.length = length;
-
-		ret = krb5_c_verify_checksum(context, 
-					     keyblock, 
-					     usage,
-					     &input, 
-					     cksum,
-					     &checksum_valid);
-		if (ret) {
-			DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 
-				error_message(ret)));
-			return ret;
-		}
-
-		if (!checksum_valid)
-			ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-	}
-
-#elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY)
-
-	/* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key
-	 * without enctype and it ignores any key_usage types - Guenther */
-
-	{
-
-		krb5_crypto crypto;
-		ret = krb5_crypto_init(context,
-				       keyblock,
-				       0,
-				       &crypto);
-		if (ret) {
-			DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n", 
-				error_message(ret)));
-			return ret;
-		}
-
-		ret = krb5_verify_checksum(context,
-					   crypto,
-					   usage,
-					   data,
-					   length,
-					   cksum);
-
-		krb5_crypto_destroy(context, crypto);
-	}
-
-#else
-#error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION
-#endif
-
-	return ret;
-}
-
  time_t get_authtime_from_tkt(krb5_ticket *tkt)
 {
 #if defined(HAVE_KRB5_TKT_ENC_PART2)
@@ -1276,57 +1099,6 @@ out:
 	return ret;
 }
 
- krb5_error_code smb_krb5_parse_name_norealm(krb5_context context, 
-					    const char *name, 
-					    krb5_principal *principal)
-{
-#ifdef HAVE_KRB5_PARSE_NAME_NOREALM
-	return smb_krb5_parse_name_norealm_conv(context, name, principal);
-#endif
-
-	/* we are cheating here because parse_name will in fact set the realm.
-	 * We don't care as the only caller of smb_krb5_parse_name_norealm
-	 * ignores the realm anyway when calling
-	 * smb_krb5_principal_compare_any_realm later - Guenther */
-
-	return smb_krb5_parse_name(context, name, principal);
-}
-
- bool smb_krb5_principal_compare_any_realm(krb5_context context, 
-					  krb5_const_principal princ1, 
-					  krb5_const_principal princ2)
-{
-#ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM
-
-	return krb5_principal_compare_any_realm(context, princ1, princ2);
-
-/* krb5_princ_size is a macro in MIT */
-#elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size)
-
-	int i, len1, len2;
-	const krb5_data *p1, *p2;
-
-	len1 = krb5_princ_size(context, princ1);
-	len2 = krb5_princ_size(context, princ2);
-
-	if (len1 != len2)
-		return False;
-
-	for (i = 0; i < len1; i++) {
-
-		p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i);
-		p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i);
-
-		if (p1->length != p2->length ||	memcmp(p1->data, p2->data, p1->length))
-			return False;
-	}
-
-	return True;
-#else
-#error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION
-#endif
-}
-
  krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,	/* FILE:/tmp/krb5cc_0 */
 				       const char *client_string,	/* gd@BER.SUSE.DE */
 				       const char *service_string,	/* krbtgt/BER.SUSE.DE@BER.SUSE.DE */
-- 
cgit