2011-06-10 17:03:55 +04:00
/*
Unix SMB / CIFS implementation .
simple kerberos5 routines for active directory
Copyright ( C ) Andrew Tridgell 2001
Copyright ( C ) Luke Howard 2002 - 2003
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005
Copyright ( C ) Guenther Deschner 2005 - 2009
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
2012-04-22 01:26:18 +04:00
# ifndef _KRB5_SAMBA_H
# define _KRB5_SAMBA_H
2011-06-10 17:03:55 +04:00
2012-04-22 01:26:18 +04:00
# ifdef HAVE_KRB5
# define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
/* this file uses DEPRECATED interfaces! */
2012-04-23 03:05:31 +04:00
# ifdef KRB5_DEPRECATED
# undef KRB5_DEPRECATED
# endif
2012-04-22 01:26:18 +04:00
# if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
# define KRB5_DEPRECATED 1
# else
# define KRB5_DEPRECATED
# endif
# include "system/kerberos.h"
# include "system/network.h"
# ifndef KRB5_ADDR_NETBIOS
# define KRB5_ADDR_NETBIOS 0x14
# endif
# ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
# define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
# endif
/* Heimdal uses a slightly different name */
# if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC)
# define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
# endif
2012-05-08 20:38:20 +04:00
# if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC_EXP)
# define ENCTYPE_ARCFOUR_HMAC_EXP ENCTYPE_ARCFOUR_HMAC_MD5_56
# endif
2012-04-22 01:26:18 +04:00
/* The older versions of heimdal that don't have this
define don ' t seem to use it anyway . I ' m told they
always use a subkey */
# ifndef HAVE_AP_OPTS_USE_SUBKEY
# define AP_OPTS_USE_SUBKEY 0
# endif
2014-05-08 16:31:37 +04:00
# ifndef KRB5_PW_SALT
# define KRB5_PW_SALT 3
# endif
2014-05-08 16:54:06 +04:00
/* CKSUMTYPE_HMAC_MD5 in Heimdal
CKSUMTYPE_HMAC_MD5_ARCFOUR in MIT */
# if defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && !defined(CKSUMTYPE_HMAC_MD5)
# define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR
# endif
2016-07-19 17:31:01 +03:00
/*
* CKSUMTYPE_HMAC_SHA1_96_AES_ * in Heimdal
* CKSUMTYPE_HMAC_SHA1_96_AES * in MIT
*/
# if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
# define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128
# endif
# if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
# define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
# endif
2016-07-21 15:25:56 +03:00
/*
* KRB5_KU_OTHER_ENCRYPTED in Heimdal
* KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT
*/
# if defined(KRB5_KEYUSAGE_APP_DATA_ENCRYPT) && !defined(KRB5_KU_OTHER_ENCRYPTED)
# define KRB5_KU_OTHER_ENCRYPTED KRB5_KEYUSAGE_APP_DATA_ENCRYPT
# endif
2012-04-22 01:26:18 +04:00
typedef struct {
# if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
krb5_address * * addrs ;
# elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
krb5_addresses * addrs ;
# else
# error UNKNOWN_KRB5_ADDRESS_TYPE
# endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
} smb_krb5_addresses ;
# ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
# define KRB5_KT_KEY(k) (&(k)->key)
# elif HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */
# define KRB5_KT_KEY(k) (&(k)->keyblock)
# else
# error krb5_keytab_entry has no key or keyblock member
# endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
2010-08-03 01:12:16 +04:00
2009-11-27 17:52:57 +03:00
/* work around broken krb5.h on sles9 */
# ifdef SIZEOF_LONG
# undef SIZEOF_LONG
# endif
2012-04-22 01:26:18 +04:00
# ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
# define KRB5_KEY_TYPE(k) ((k)->keytype)
# define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
# define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
# define KRB5_KEY_DATA_CAST void
# else /* MIT */
# define KRB5_KEY_TYPE(k) ((k)->enctype)
# define KRB5_KEY_LENGTH(k) ((k)->length)
# define KRB5_KEY_DATA(k) ((k)->contents)
# define KRB5_KEY_DATA_CAST krb5_octet
# endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
2009-11-27 17:52:57 +03:00
2015-07-09 19:00:49 +03:00
# ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */
# define KRB5_ERROR_CODE(k) ((k)->error_code)
# else /* MIT */
# define KRB5_ERROR_CODE(k) ((k)->error)
# endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
2009-11-27 17:52:57 +03:00
krb5_error_code smb_krb5_parse_name ( krb5_context context ,
const char * name , /* in unix charset */
krb5_principal * principal ) ;
krb5_error_code smb_krb5_unparse_name ( TALLOC_CTX * mem_ctx ,
krb5_context context ,
krb5_const_principal principal ,
char * * unix_name ) ;
krb5_error_code krb5_set_default_tgs_ktypes ( krb5_context ctx , const krb5_enctype * enc ) ;
# if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
krb5_error_code krb5_auth_con_setuseruserkey ( krb5_context context , krb5_auth_context auth_context , krb5_keyblock * keyblock ) ;
# endif
# ifndef HAVE_KRB5_FREE_UNPARSED_NAME
void krb5_free_unparsed_name ( krb5_context ctx , char * val ) ;
# endif
/* Stub out initialize_krb5_error_table since it is not present in all
* Kerberos implementations . If it ' s not present , it ' s not necessary to
* call it .
*/
# ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
# define initialize_krb5_error_table()
# endif
2012-04-22 01:26:18 +04:00
/* Samba wrapper functions for krb5 functionality. */
2016-08-25 17:59:18 +03:00
bool smb_krb5_sockaddr_to_kaddr ( struct sockaddr_storage * paddr ,
krb5_address * pkaddr ) ;
2012-04-22 01:26:18 +04:00
2016-06-13 11:52:46 +03:00
krb5_error_code smb_krb5_mk_error ( krb5_context context ,
krb5_error_code error_code ,
const char * e_text ,
krb5_data * e_data ,
krb5_data * enc_err ) ;
2016-08-25 18:02:59 +03:00
krb5_error_code smb_krb5_get_allowed_etypes ( krb5_context context ,
krb5_enctype * * enctypes ) ;
2016-08-26 18:07:18 +03:00
bool smb_krb5_get_smb_session_key ( TALLOC_CTX * mem_ctx ,
krb5_context context ,
krb5_auth_context auth_context ,
DATA_BLOB * session_key ,
bool remote ) ;
2009-11-27 17:52:57 +03:00
krb5_error_code smb_krb5_kt_free_entry ( krb5_context context , krb5_keytab_entry * kt_entry ) ;
void kerberos_set_creds_enctype ( krb5_creds * pcreds , int enctype ) ;
bool kerberos_compatible_enctypes ( krb5_context context , krb5_enctype enctype1 , krb5_enctype enctype2 ) ;
2016-08-26 12:51:52 +03:00
void smb_krb5_free_data_contents ( krb5_context context , krb5_data * pdata ) ;
2009-11-27 17:52:57 +03:00
krb5_error_code smb_krb5_parse_name_norealm ( krb5_context context ,
const char * name ,
krb5_principal * principal ) ;
bool smb_krb5_principal_compare_any_realm ( krb5_context context ,
krb5_const_principal princ1 ,
krb5_const_principal princ2 ) ;
krb5_error_code smb_krb5_renew_ticket ( const char * ccache_string , const char * client_string , const char * service_string , time_t * expire_time ) ;
2012-04-22 01:26:18 +04:00
krb5_error_code smb_krb5_gen_netbios_krb5_address ( smb_krb5_addresses * * kerb_addr ,
const char * netbios_name ) ;
2009-11-27 17:52:57 +03:00
krb5_error_code smb_krb5_free_addresses ( krb5_context context , smb_krb5_addresses * addr ) ;
NTSTATUS krb5_to_nt_status ( krb5_error_code kerberos_error ) ;
krb5_error_code nt_status_to_krb5 ( NTSTATUS nt_status ) ;
2016-08-29 10:09:18 +03:00
2016-08-29 10:17:37 +03:00
krb5_enctype smb_krb5_kt_get_enctype_from_entry ( krb5_keytab_entry * kt_entry ) ;
2009-11-27 17:52:57 +03:00
krb5_error_code smb_krb5_enctype_to_string ( krb5_context context ,
krb5_enctype enctype ,
char * * etype_s ) ;
2016-08-29 11:42:57 +03:00
krb5_error_code smb_krb5_kt_open_relative ( krb5_context context ,
const char * keytab_name_req ,
bool write_access ,
krb5_keytab * keytab ) ;
2016-08-29 12:03:51 +03:00
krb5_error_code smb_krb5_kt_open ( krb5_context context ,
const char * keytab_name ,
bool write_access ,
krb5_keytab * keytab ) ;
2016-08-29 12:07:48 +03:00
krb5_error_code smb_krb5_kt_get_name ( TALLOC_CTX * mem_ctx ,
2009-11-27 17:52:57 +03:00
krb5_context context ,
krb5_keytab keytab ,
const char * * keytab_name ) ;
2016-02-29 19:31:56 +03:00
krb5_error_code smb_krb5_kt_seek_and_delete_old_entries ( krb5_context context ,
krb5_keytab keytab ,
krb5_kvno kvno ,
2016-04-21 21:54:12 +03:00
krb5_enctype enctype ,
2016-02-29 19:31:56 +03:00
const char * princ_s ,
krb5_principal princ ,
bool flush ,
bool keep_old_entries ) ;
krb5_error_code smb_krb5_kt_add_entry ( krb5_context context ,
krb5_keytab keytab ,
krb5_kvno kvno ,
const char * princ_s ,
const char * salt_principal ,
krb5_enctype enctype ,
krb5_data * password ,
bool no_salt ,
bool keep_old_entries ) ;
2009-11-27 17:52:57 +03:00
krb5_error_code smb_krb5_get_credentials ( krb5_context context ,
krb5_ccache ccache ,
krb5_principal me ,
krb5_principal server ,
krb5_principal impersonate_princ ,
krb5_creds * * out_creds ) ;
2012-04-27 00:52:37 +04:00
krb5_error_code smb_krb5_keyblock_init_contents ( krb5_context context ,
krb5_enctype enctype ,
const void * data ,
size_t length ,
krb5_keyblock * key ) ;
2016-08-29 12:33:24 +03:00
krb5_error_code smb_krb5_kinit_keyblock_ccache ( krb5_context ctx ,
krb5_ccache cc ,
krb5_principal principal ,
krb5_keyblock * keyblock ,
const char * target_service ,
krb5_get_init_creds_opt * krb_options ,
time_t * expire_time ,
time_t * kdc_time ) ;
2012-04-26 19:05:51 +04:00
krb5_error_code kerberos_kinit_password_cc ( krb5_context ctx ,
2012-04-26 20:06:24 +04:00
krb5_ccache cc ,
krb5_principal principal ,
const char * password ,
2012-04-26 19:05:51 +04:00
const char * target_service ,
krb5_get_init_creds_opt * krb_options ,
time_t * expire_time ,
time_t * kdc_time ) ;
2012-04-26 20:06:24 +04:00
# ifdef SAMBA4_USES_HEIMDAL
krb5_error_code kerberos_kinit_s4u2_cc ( krb5_context ctx ,
krb5_ccache store_cc ,
krb5_principal init_principal ,
const char * init_password ,
krb5_principal impersonate_principal ,
const char * self_service ,
const char * target_service ,
krb5_get_init_creds_opt * krb_options ,
time_t * expire_time ,
time_t * kdc_time ) ;
# endif
2012-04-27 01:21:22 +04:00
# if defined(HAVE_KRB5_MAKE_PRINCIPAL)
# define smb_krb5_make_principal krb5_make_principal
# elif defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
krb5_error_code smb_krb5_make_principal ( krb5_context context ,
krb5_principal * principal ,
const char * realm , . . . ) ;
# else
# error krb5_make_principal not available
# endif
2012-04-27 18:52:26 +04:00
# if defined(HAVE_KRB5_CC_GET_LIFETIME)
# define smb_krb5_cc_get_lifetime krb5_cc_get_lifetime
# elif defined(HAVE_KRB5_CC_RETRIEVE_CRED)
krb5_error_code smb_krb5_cc_get_lifetime ( krb5_context context ,
krb5_ccache id ,
time_t * t ) ;
# else
# error krb5_cc_get_lifetime not available
# endif
2012-05-04 19:02:48 +04:00
# if defined(HAVE_KRB5_FREE_CHECKSUM_CONTENTS)
# define smb_krb5_free_checksum_contents krb5_free_checksum_contents
# elif defined (HAVE_FREE_CHECKSUM)
void smb_krb5_free_checksum_contents ( krb5_context ctx , krb5_checksum * cksum ) ;
# else
# error krb5_free_checksum_contents / free_Checksum is not vailable
# endif
2012-04-27 18:52:26 +04:00
2012-05-03 19:10:27 +04:00
krb5_error_code smb_krb5_make_pac_checksum ( TALLOC_CTX * mem_ctx ,
DATA_BLOB * pac_data ,
krb5_context context ,
const krb5_keyblock * keyblock ,
uint32_t * sig_type ,
DATA_BLOB * sig_blob ) ;
2009-11-27 17:52:57 +03:00
char * smb_krb5_principal_get_realm ( krb5_context context ,
2014-05-08 12:06:13 +04:00
krb5_const_principal principal ) ;
2010-08-19 15:35:01 +04:00
2015-02-10 15:13:01 +03:00
void smb_krb5_principal_set_type ( krb5_context context ,
krb5_principal principal ,
int type ) ;
2014-05-08 11:57:21 +04:00
krb5_error_code smb_krb5_principal_set_realm ( krb5_context context ,
krb5_principal principal ,
const char * realm ) ;
2012-04-03 07:41:32 +04:00
char * kerberos_get_principal_from_service_hostname ( TALLOC_CTX * mem_ctx ,
const char * service ,
2012-04-22 01:26:18 +04:00
const char * remote_name ,
const char * default_realm ) ;
2010-08-19 15:35:01 +04:00
2012-04-22 01:26:18 +04:00
char * smb_get_krb5_error_message ( krb5_context context ,
krb5_error_code code ,
TALLOC_CTX * mem_ctx ) ;
2009-11-27 17:52:57 +03:00
2011-05-03 14:05:47 +04:00
bool unwrap_edata_ntstatus ( TALLOC_CTX * mem_ctx ,
DATA_BLOB * edata ,
DATA_BLOB * edata_out ) ;
2011-06-10 17:03:55 +04:00
2012-04-26 23:05:11 +04:00
krb5_error_code kt_copy ( krb5_context context ,
const char * from ,
const char * to ) ;
krb5_error_code kt_copy_one_principal ( krb5_context context ,
const char * from ,
const char * to ,
const char * principal ,
krb5_kvno kvno ,
2012-08-29 11:58:45 +04:00
const krb5_enctype * enctypes ) ;
2012-04-26 23:05:11 +04:00
2012-04-27 02:22:43 +04:00
# if defined(HAVE_KRB5_KT_COMPARE)
# define smb_krb5_kt_compare krb5_kt_compare
# else
krb5_boolean smb_krb5_kt_compare ( krb5_context context ,
krb5_keytab_entry * entry ,
krb5_const_principal principal ,
krb5_kvno vno ,
krb5_enctype enctype ) ;
# endif
2012-08-27 09:51:52 +04:00
const krb5_enctype * samba_all_enctypes ( void ) ;
2012-08-27 09:52:47 +04:00
uint32_t kerberos_enctype_to_bitmap ( krb5_enctype enc_type_enum ) ;
2012-08-27 12:34:02 +04:00
krb5_enctype ms_suptype_to_ietf_enctype ( uint32_t enctype_bitmap ) ;
krb5_error_code ms_suptypes_to_ietf_enctypes ( TALLOC_CTX * mem_ctx ,
uint32_t enctype_bitmap ,
krb5_enctype * * enctypes ) ;
2014-04-25 16:03:35 +04:00
int smb_krb5_get_pw_salt ( krb5_context context ,
2015-03-26 13:31:34 +03:00
krb5_const_principal host_princ ,
2014-04-25 16:03:35 +04:00
krb5_data * psalt ) ;
2012-08-27 09:52:47 +04:00
2014-04-25 16:12:05 +04:00
int smb_krb5_create_key_from_string ( krb5_context context ,
2015-03-26 13:21:06 +03:00
krb5_const_principal host_princ ,
2014-04-25 16:12:05 +04:00
krb5_data * salt ,
krb5_data * password ,
krb5_enctype enctype ,
krb5_keyblock * key ) ;
2014-04-29 20:14:05 +04:00
krb5_boolean smb_krb5_get_allowed_weak_crypto ( krb5_context context ) ;
2014-04-30 12:46:20 +04:00
# ifndef krb5_princ_size
# if defined(HAVE_KRB5_PRINCIPAL_GET_NUM_COMP)
# define krb5_princ_size krb5_principal_get_num_comp
# else
# error krb5_princ_size unavailable
# endif
# endif
2014-04-30 12:49:14 +04:00
char * smb_krb5_principal_get_comp_string ( TALLOC_CTX * mem_ctx ,
krb5_context context ,
krb5_const_principal principal ,
unsigned int component ) ;
2016-08-26 12:57:30 +03:00
krb5_error_code smb_krb5_copy_data_contents ( krb5_data * p ,
const void * data ,
size_t len ) ;
2014-05-08 16:59:00 +04:00
2014-05-08 14:13:00 +04:00
int smb_krb5_principal_get_type ( krb5_context context ,
krb5_const_principal principal ) ;
2014-05-08 17:06:51 +04:00
# if !defined(HAVE_KRB5_WARNX)
krb5_error_code krb5_warnx ( krb5_context context , const char * fmt , . . . ) ;
# endif
2016-07-24 15:47:33 +03:00
krb5_error_code smb_krb5_cc_copy_creds ( krb5_context context ,
krb5_ccache incc , krb5_ccache outcc ) ;
2012-04-22 01:26:18 +04:00
# endif /* HAVE_KRB5 */
2016-08-26 17:38:53 +03:00
int ads_krb5_cli_get_ticket ( TALLOC_CTX * mem_ctx ,
const char * principal ,
time_t time_offset ,
DATA_BLOB * ticket ,
DATA_BLOB * session_key_krb5 ,
uint32_t extra_ap_opts , const char * ccname ,
time_t * tgs_expire ,
const char * impersonate_princ_s ) ;
2012-04-22 01:26:18 +04:00
# endif /* _KRB5_SAMBA_H */