2014-05-07 16:52:42 +02:00
/*
Unix SMB / CIFS implementation .
Database Glue between Samba and the KDC
Copyright ( C ) Guenther Deschner < gd @ samba . org > 2014
Copyright ( C ) Andreas Schneider < asn @ samba . org > 2014
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "system/kerberos.h"
# include "sdb.h"
2022-03-22 17:04:22 +01:00
# include "samba_kdc.h"
2014-05-07 16:52:42 +02:00
# include "lib/krb5_wrap/krb5_samba.h"
2022-09-09 12:32:57 +02:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_KERBEROS
2022-02-11 21:04:44 +01:00
void sdb_key_free ( struct sdb_key * k )
2014-05-07 16:52:42 +02:00
{
if ( k = = NULL ) {
return ;
}
2022-02-11 20:56:17 +01:00
/*
* Passing NULL as the Kerberos context is intentional here , as
* both Heimdal and MIT libraries don ' t use the context when
* clearing the keyblocks .
*/
krb5_free_keyblock_contents ( NULL , & k - > key ) ;
2014-05-07 16:52:42 +02:00
if ( k - > salt ) {
2016-08-26 11:51:52 +02:00
smb_krb5_free_data_contents ( NULL , & k - > salt - > salt ) ;
2022-02-11 21:13:24 +01:00
SAFE_FREE ( k - > salt ) ;
2014-05-07 16:52:42 +02:00
}
ZERO_STRUCTP ( k ) ;
}
2022-02-11 21:04:44 +01:00
void sdb_keys_free ( struct sdb_keys * keys )
2014-05-07 16:52:42 +02:00
{
unsigned int i ;
2022-02-11 21:04:44 +01:00
if ( keys = = NULL ) {
return ;
}
for ( i = 0 ; i < keys - > len ; i + + ) {
sdb_key_free ( & keys - > val [ i ] ) ;
}
SAFE_FREE ( keys - > val ) ;
ZERO_STRUCTP ( keys ) ;
}
2022-03-22 17:59:19 +01:00
void sdb_entry_free ( struct sdb_entry * s )
2022-02-11 21:04:44 +01:00
{
2022-03-22 17:04:22 +01:00
if ( s - > skdc_entry ! = NULL ) {
s - > skdc_entry - > db_entry = NULL ;
TALLOC_FREE ( s - > skdc_entry ) ;
}
2014-05-07 16:52:42 +02:00
/*
* Passing NULL as the Kerberos context is intentional here , as both
* Heimdal and MIT libraries don ' t use the context when clearing the
* principals .
*/
krb5_free_principal ( NULL , s - > principal ) ;
2022-02-11 21:04:44 +01:00
sdb_keys_free ( & s - > keys ) ;
2023-08-10 16:33:24 +12:00
SAFE_FREE ( s - > etypes ) ;
2022-03-23 00:41:13 +01:00
sdb_keys_free ( & s - > old_keys ) ;
sdb_keys_free ( & s - > older_keys ) ;
2023-08-10 16:33:24 +12:00
if ( s - > session_etypes ! = NULL ) {
SAFE_FREE ( s - > session_etypes - > val ) ;
}
SAFE_FREE ( s - > session_etypes ) ;
2014-05-07 16:52:42 +02:00
krb5_free_principal ( NULL , s - > created_by . principal ) ;
if ( s - > modified_by ) {
krb5_free_principal ( NULL , s - > modified_by - > principal ) ;
}
SAFE_FREE ( s - > valid_start ) ;
SAFE_FREE ( s - > valid_end ) ;
SAFE_FREE ( s - > pw_end ) ;
2023-08-10 16:33:24 +12:00
SAFE_FREE ( s - > max_life ) ;
SAFE_FREE ( s - > max_renew ) ;
2014-05-07 16:52:42 +02:00
ZERO_STRUCTP ( s ) ;
}
2022-11-01 15:20:47 +13:00
/* Set the etypes of an sdb_entry based on its available current keys. */
krb5_error_code sdb_entry_set_etypes ( struct sdb_entry * s )
{
if ( s - > keys . val ! = NULL ) {
unsigned i ;
s - > etypes = malloc ( sizeof ( * s - > etypes ) ) ;
if ( s - > etypes = = NULL ) {
return ENOMEM ;
}
s - > etypes - > len = s - > keys . len ;
s - > etypes - > val = calloc ( s - > etypes - > len , sizeof ( * s - > etypes - > val ) ) ;
if ( s - > etypes - > val = = NULL ) {
2023-08-10 16:33:24 +12:00
SAFE_FREE ( s - > etypes ) ;
2022-11-01 15:20:47 +13:00
return ENOMEM ;
}
for ( i = 0 ; i < s - > etypes - > len ; i + + ) {
const struct sdb_key * k = & s - > keys . val [ i ] ;
s - > etypes - > val [ i ] = KRB5_KEY_TYPE ( & ( k - > key ) ) ;
}
}
return 0 ;
}
/*
* Set the session etypes of a server sdb_entry based on its etypes , forcing in
* strong etypes as desired .
*/
krb5_error_code sdb_entry_set_session_etypes ( struct sdb_entry * s ,
2022-03-24 15:44:40 +01:00
bool add_aes256 ,
bool add_aes128 ,
bool add_rc4 )
2022-11-01 15:20:47 +13:00
{
2022-03-24 15:44:40 +01:00
unsigned len = 0 ;
if ( add_aes256 ) {
/* Reserve space for AES256 */
len + = 1 ;
}
if ( add_aes128 ) {
/* Reserve space for AES128 */
len + = 1 ;
}
if ( add_rc4 ) {
/* Reserve space for RC4. */
len + = 1 ;
}
if ( len ! = 0 ) {
2022-11-01 15:20:47 +13:00
unsigned j = 0 ;
s - > session_etypes = malloc ( sizeof ( * s - > session_etypes ) ) ;
if ( s - > session_etypes = = NULL ) {
return ENOMEM ;
}
/* session_etypes must be sorted in order of strength, with preferred etype first. */
s - > session_etypes - > val = calloc ( len , sizeof ( * s - > session_etypes - > val ) ) ;
if ( s - > session_etypes - > val = = NULL ) {
2022-03-24 15:44:40 +01:00
SAFE_FREE ( s - > session_etypes ) ;
2022-11-01 15:20:47 +13:00
return ENOMEM ;
}
2022-03-24 15:44:40 +01:00
if ( add_aes256 ) {
/* Add AES256 */
2022-11-01 15:20:47 +13:00
s - > session_etypes - > val [ j + + ] = ENCTYPE_AES256_CTS_HMAC_SHA1_96 ;
2022-03-24 15:44:40 +01:00
}
if ( add_aes128 ) {
/* Add AES128. */
2022-11-01 15:20:47 +13:00
s - > session_etypes - > val [ j + + ] = ENCTYPE_AES128_CTS_HMAC_SHA1_96 ;
}
2022-03-24 15:44:40 +01:00
if ( add_rc4 ) {
2022-11-01 15:20:47 +13:00
/* Add RC4. */
s - > session_etypes - > val [ j + + ] = ENCTYPE_ARCFOUR_HMAC ;
}
s - > session_etypes - > len = j ;
}
return 0 ;
}