/*
   Unix SMB/CIFS implementation.
   simple kerberos5 routines for active directory
   Copyright (C) Andrew Tridgell 2001
   Copyright (C) Luke Howard 2002-2003
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   Copyright (C) Guenther Deschner 2005-2009
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# ifndef _KRB5_SAMBA_H
# define _KRB5_SAMBA_H
# include "lib/util/data_blob.h"
# include "libcli/util/ntstatus.h"
# ifdef HAVE_KRB5
# define KRB5_PRIVATE 1 /* this file uses PRIVATE interfaces! */
/* this file uses DEPRECATED interfaces! */
# ifdef KRB5_DEPRECATED
# undef KRB5_DEPRECATED
# endif
# if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
# define KRB5_DEPRECATED 1
# else
# define KRB5_DEPRECATED
# endif
# include "system/kerberos.h"
# include "system/network.h"
# ifndef KRB5_ADDR_NETBIOS
# define KRB5_ADDR_NETBIOS 0x14
# endif
# ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
# define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
# endif
/* Heimdal uses a slightly different name */
# if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC)
# define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
# endif
# if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC_EXP)
# define ENCTYPE_ARCFOUR_HMAC_EXP ENCTYPE_ARCFOUR_HMAC_MD5_56
# endif
/* The older versions of heimdal that don't have this
   define don't seem to use it anyway. I'm told they
   always use a subkey */
# ifndef HAVE_AP_OPTS_USE_SUBKEY
# define AP_OPTS_USE_SUBKEY 0
# endif
# ifndef KRB5_PW_SALT
# define KRB5_PW_SALT 3
# endif
/* CKSUMTYPE_HMAC_MD5 in Heimdal
CKSUMTYPE_HMAC_MD5_ARCFOUR in MIT */
# if defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && !defined(CKSUMTYPE_HMAC_MD5)
# define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR
# endif
/*
 * CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal
 * CKSUMTYPE_HMAC_SHA1_96_AES* in MIT
 */
# if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
# define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128
# endif
# if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
# define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
# endif
/*
* KRB5_KU_OTHER_ENCRYPTED in Heimdal
* KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT
*/
# if defined(KRB5_KEYUSAGE_APP_DATA_ENCRYPT) && !defined(KRB5_KU_OTHER_ENCRYPTED)
# define KRB5_KU_OTHER_ENCRYPTED KRB5_KEYUSAGE_APP_DATA_ENCRYPT
# endif
/*
 * Address-list wrapper whose member type follows the krb5 library that
 * configure detected: an array of krb5_address pointers when the MIT
 * krb5_address layout is found (magic + addrtype members), a krb5_addresses
 * pointer on Heimdal, and a hard build error for anything else.  See
 * smb_krb5_gen_netbios_krb5_address() and smb_krb5_free_addresses() below,
 * which presumably create and release instances of it — verify in krb5_samba.c.
 */
typedef struct {
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
	krb5_address **addrs;
#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
	krb5_addresses *addrs;
#else
#error UNKNOWN_KRB5_ADDRESS_TYPE
#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
} smb_krb5_addresses;
/*
 * KRB5_KT_KEY(k): address of the key stored in a krb5_keytab_entry.  The
 * member is named "key" in MIT's struct and "keyblock" in Heimdal's
 * (configure sets HAVE_KRB5_KEYTAB_ENTRY_KEY / HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK
 * accordingly); a library exposing neither is a hard build error.  The result
 * is presumably meant to be read through the KRB5_KEY_* accessors below.
 */
#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY /* MIT */
#define KRB5_KT_KEY(k) (&(k)->key)
#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK) /* Heimdal */
#define KRB5_KT_KEY(k) (&(k)->keyblock)
#else
#error krb5_keytab_entry has no key or keyblock member
#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
/* work around broken krb5.h on sles9 */
# ifdef SIZEOF_LONG
# undef SIZEOF_LONG
# endif
/*
 * Field accessors for a keyblock, hiding the layout difference between
 * Heimdal (keytype + keyvalue.length / keyvalue.data) and MIT
 * (enctype + length + contents).  KRB5_KEY_DATA_CAST names the pointee type
 * of the data pointer on each side (void vs. krb5_octet), presumably so call
 * sites can cast the raw key bytes uniformly.  None of these macros bounds
 * anything: KRB5_KEY_LENGTH() is the only source of the buffer size for
 * KRB5_KEY_DATA(), so callers must pair the two.
 */
#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
#define KRB5_KEY_TYPE(k) ((k)->keytype)
#define KRB5_KEY_LENGTH(k) ((k)->keyvalue.length)
#define KRB5_KEY_DATA(k) ((k)->keyvalue.data)
#define KRB5_KEY_DATA_CAST void
#else /* MIT */
#define KRB5_KEY_TYPE(k) ((k)->enctype)
#define KRB5_KEY_LENGTH(k) ((k)->length)
#define KRB5_KEY_DATA(k) ((k)->contents)
#define KRB5_KEY_DATA_CAST krb5_octet
#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
/*
 * KRB5_ERROR_CODE(k): the error-code member of a krb5_error, which is called
 * error_code on Heimdal (detected via HAVE_E_DATA_POINTER_IN_KRB5_ERROR) and
 * error on MIT.
 */
#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */
#define KRB5_ERROR_CODE(k) ((k)->error_code)
#else /* MIT */
#define KRB5_ERROR_CODE(k) ((k)->error)
#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
#ifndef HAVE_KRB5_CONST_PAC
#ifdef KRB5_CONST_PAC_GET_BUFFER
/*
 * The library lacks krb5_const_pac but (judging by the macro name — confirm
 * against the configure check) its krb5_pac_get_buffer() accepts a const PAC,
 * so a genuinely const typedef is usable here.
 */
typedef const struct krb5_pac_data *krb5_const_pac;
#else
/*
 * Certain Heimdal versions include a version of krb5_pac_get_buffer() that is
 * unusable in certain cases, taking a krb5_pac when a krb5_const_pac may be all
 * that we can supply. Furthermore, MIT Kerberos doesn't declare krb5_const_pac
 * at all. In such cases, we must declare krb5_const_pac as a non-const typedef
 * so that the build can succeed.
 *
 * NOTE(review): on builds taking this branch the compiler cannot catch a write
 * through a krb5_const_pac, so const-correctness of PAC handling is only
 * verified by builds that take the branch above or whose library defines
 * krb5_const_pac itself.
 */
typedef struct krb5_pac_data *krb5_const_pac;
#endif
#endif
krb5_error_code smb_krb5_parse_name ( krb5_context context ,
const char * name , /* in unix charset */
krb5_principal * principal ) ;
krb5_error_code smb_krb5_unparse_name ( TALLOC_CTX * mem_ctx ,
krb5_context context ,
krb5_const_principal principal ,
char * * unix_name ) ;
krb5_error_code smb_krb5_init_context_common ( krb5_context * _krb5_context ) ;
krb5_error_code krb5_set_default_tgs_ktypes ( krb5_context ctx , const krb5_enctype * enc ) ;
# if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
krb5_error_code krb5_auth_con_setuseruserkey ( krb5_context context , krb5_auth_context auth_context , krb5_keyblock * keyblock ) ;
# endif
# ifndef HAVE_KRB5_FREE_UNPARSED_NAME
void krb5_free_unparsed_name ( krb5_context ctx , char * val ) ;
# endif
# if !defined(HAVE_KRB5_FREE_ENCTYPES)
void krb5_free_enctypes ( krb5_context context , krb5_enctype * val ) ;
# endif
# if !defined(HAVE_KRB5_FREE_STRING)
void krb5_free_string ( krb5_context context , char * val ) ;
# endif
/* Stub out initialize_krb5_error_table since it is not present in all
 * Kerberos implementations. If it's not present, it's not necessary to
 * call it.
 */
# ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
# define initialize_krb5_error_table()
# endif
/* Samba wrapper functions for krb5 functionality. */
bool smb_krb5_sockaddr_to_kaddr ( struct sockaddr_storage * paddr ,
krb5_address * pkaddr ) ;
krb5_error_code smb_krb5_mk_error ( krb5_context context ,
krb5_error_code error_code ,
const char * e_text ,
krb5_data * e_data ,
const krb5_principal client ,
const krb5_principal server ,
krb5_data * enc_err ) ;
krb5_error_code smb_krb5_get_allowed_etypes ( krb5_context context ,
krb5_enctype * * enctypes ) ;
bool smb_krb5_get_smb_session_key ( TALLOC_CTX * mem_ctx ,
krb5_context context ,
krb5_auth_context auth_context ,
DATA_BLOB * session_key ,
bool remote ) ;
krb5_error_code smb_krb5_kt_free_entry ( krb5_context context , krb5_keytab_entry * kt_entry ) ;
void smb_krb5_free_data_contents ( krb5_context context , krb5_data * pdata ) ;
krb5_error_code smb_krb5_renew_ticket ( const char * ccache_string , const char * client_string , const char * service_string , time_t * expire_time ) ;
krb5_error_code smb_krb5_gen_netbios_krb5_address ( smb_krb5_addresses * * kerb_addr ,
const char * netbios_name ) ;
krb5_error_code smb_krb5_free_addresses ( krb5_context context , smb_krb5_addresses * addr ) ;
krb5_enctype smb_krb5_kt_get_enctype_from_entry ( krb5_keytab_entry * kt_entry ) ;
krb5_error_code smb_krb5_enctype_to_string ( krb5_context context ,
krb5_enctype enctype ,
char * * etype_s ) ;
krb5_error_code smb_krb5_kt_open_relative ( krb5_context context ,
const char * keytab_name_req ,
bool write_access ,
krb5_keytab * keytab ) ;
krb5_error_code smb_krb5_kt_open ( krb5_context context ,
const char * keytab_name ,
bool write_access ,
krb5_keytab * keytab ) ;
krb5_error_code smb_krb5_kt_get_name ( TALLOC_CTX * mem_ctx ,
krb5_context context ,
krb5_keytab keytab ,
const char * * keytab_name ) ;
krb5_error_code smb_krb5_kt_seek_and_delete_old_entries ( krb5_context context ,
krb5_keytab keytab ,
bool keep_old_kvno ,
krb5_kvno kvno ,
bool enctype_only ,
krb5_enctype enctype ,
const char * princ_s ,
krb5_principal princ ,
bool flush ) ;
krb5_error_code smb_krb5_kt_add_entry ( krb5_context context ,
krb5_keytab keytab ,
krb5_kvno kvno ,
const char * princ_s ,
const char * salt_principal ,
krb5_enctype enctype ,
krb5_data * password ,
bool no_salt ) ;
krb5_error_code smb_krb5_get_credentials ( krb5_context context ,
krb5_ccache ccache ,
krb5_principal me ,
krb5_principal server ,
krb5_principal impersonate_princ ,
krb5_creds * * out_creds ) ;
krb5_error_code smb_krb5_keyblock_init_contents ( krb5_context context ,
krb5_enctype enctype ,
const void * data ,
size_t length ,
krb5_keyblock * key ) ;
krb5_error_code smb_krb5_kinit_keyblock_ccache ( krb5_context ctx ,
krb5_ccache cc ,
krb5_principal principal ,
krb5_keyblock * keyblock ,
const char * target_service ,
krb5_get_init_creds_opt * krb_options ,
time_t * expire_time ,
time_t * kdc_time ) ;
krb5_error_code smb_krb5_kinit_password_ccache ( krb5_context ctx ,
krb5_ccache cc ,
krb5_principal principal ,
const char * password ,
const char * target_service ,
krb5_get_init_creds_opt * krb_options ,
time_t * expire_time ,
time_t * kdc_time ) ;
krb5_error_code smb_krb5_kinit_s4u2_ccache ( krb5_context ctx ,
krb5_ccache store_cc ,
krb5_principal init_principal ,
const char * init_password ,
krb5_principal impersonate_principal ,
const char * self_service ,
const char * target_service ,
krb5_get_init_creds_opt * krb_options ,
time_t * expire_time ,
time_t * kdc_time ) ;
/*
 * smb_krb5_make_principal(): build a principal from a realm followed by its
 * component strings, mirroring krb5_make_principal().  Libraries that ship
 * krb5_make_principal() get it as a plain alias; otherwise Samba supplies an
 * implementation on top of krb5_build_principal_alloc_va() (the
 * HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA case), and any other library fails the
 * build.
 */
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
#define smb_krb5_make_principal krb5_make_principal
#elif defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
krb5_error_code smb_krb5_make_principal(krb5_context context,
					krb5_principal *principal,
					const char *realm, ...);
#else
#error krb5_make_principal not available
#endif
# if defined(HAVE_KRB5_CC_GET_LIFETIME)
# define smb_krb5_cc_get_lifetime krb5_cc_get_lifetime
# elif defined(HAVE_KRB5_CC_RETRIEVE_CRED)
krb5_error_code smb_krb5_cc_get_lifetime ( krb5_context context ,
krb5_ccache id ,
time_t * t ) ;
# else
# error krb5_cc_get_lifetime not available
# endif
# if defined(HAVE_KRB5_FREE_CHECKSUM_CONTENTS)
# define smb_krb5_free_checksum_contents krb5_free_checksum_contents
# elif defined (HAVE_FREE_CHECKSUM)
void smb_krb5_free_checksum_contents ( krb5_context ctx , krb5_checksum * cksum ) ;
# else
# error krb5_free_checksum_contents / free_Checksum is not available
# endif
krb5_error_code smb_krb5_make_pac_checksum ( TALLOC_CTX * mem_ctx ,
DATA_BLOB * pac_data ,
krb5_context context ,
const krb5_keyblock * keyblock ,
uint32_t * sig_type ,
DATA_BLOB * sig_blob ) ;
char * smb_krb5_principal_get_realm ( TALLOC_CTX * mem_ctx ,
krb5_context context ,
krb5_const_principal principal ) ;
void smb_krb5_principal_set_type ( krb5_context context ,
krb5_principal principal ,
int type ) ;
int smb_krb5_principal_is_tgs ( krb5_context context ,
krb5_const_principal principal ) ;
krb5_error_code smb_krb5_principal_set_realm ( krb5_context context ,
krb5_principal principal ,
const char * realm ) ;
char * smb_krb5_get_realm_from_hostname ( TALLOC_CTX * mem_ctx ,
const char * hostname ,
const char * client_realm ) ;
char * smb_get_krb5_error_message ( krb5_context context ,
krb5_error_code code ,
TALLOC_CTX * mem_ctx ) ;
# if defined(HAVE_KRB5_KT_COMPARE)
# define smb_krb5_kt_compare krb5_kt_compare
# else
krb5_boolean smb_krb5_kt_compare ( krb5_context context ,
krb5_keytab_entry * entry ,
krb5_const_principal principal ,
krb5_kvno vno ,
krb5_enctype enctype ) ;
# endif
const krb5_enctype * samba_all_enctypes ( void ) ;
uint32_t kerberos_enctype_to_bitmap ( krb5_enctype enc_type_enum ) ;
krb5_enctype ms_suptype_to_ietf_enctype ( uint32_t enctype_bitmap ) ;
krb5_error_code ms_suptypes_to_ietf_enctypes ( TALLOC_CTX * mem_ctx ,
uint32_t enctype_bitmap ,
krb5_enctype * * enctypes ) ;
int smb_krb5_get_pw_salt ( krb5_context context ,
krb5_const_principal host_princ ,
krb5_data * psalt ) ;
int smb_krb5_salt_principal ( krb5_context krb5_ctx ,
const char * realm ,
const char * sAMAccountName ,
const char * userPrincipalName ,
uint32_t uac_flags ,
krb5_principal * salt_princ ) ;
int smb_krb5_salt_principal_str ( const char * realm ,
const char * sAMAccountName ,
const char * userPrincipalName ,
uint32_t uac_flags ,
TALLOC_CTX * mem_ctx ,
char * * _salt_principal ) ;
int smb_krb5_salt_principal2data ( krb5_context context ,
const char * salt_principal ,
TALLOC_CTX * mem_ctx ,
char * * _salt_data ) ;
int smb_krb5_create_key_from_string ( krb5_context context ,
krb5_const_principal host_princ ,
const krb5_data * salt ,
const krb5_data * password ,
krb5_enctype enctype ,
krb5_keyblock * key ) ;
/*
 * krb5_princ_size(): number of components in a principal.  Some libraries
 * provide it as a macro already; otherwise map it to
 * krb5_principal_get_num_comp() when configure found that function, and fail
 * the build if neither is available.
 */
#ifndef krb5_princ_size
#if defined(HAVE_KRB5_PRINCIPAL_GET_NUM_COMP)
#define krb5_princ_size krb5_principal_get_num_comp
#else
#error krb5_princ_size unavailable
#endif
#endif
krb5_error_code smb_krb5_principal_get_comp_string ( TALLOC_CTX * mem_ctx ,
krb5_context context ,
krb5_const_principal principal ,
unsigned int component ,
char * * out ) ;
krb5_error_code smb_krb5_copy_data_contents ( krb5_data * p ,
const void * data ,
size_t len ) ;
krb5_data smb_krb5_make_data ( void * data ,
size_t len ) ;
krb5_data smb_krb5_data_from_blob ( DATA_BLOB blob ) ;
int smb_krb5_principal_get_type ( krb5_context context ,
krb5_const_principal principal ) ;
#if !defined(HAVE_KRB5_WARNX)
/*
 * Samba-provided krb5_warnx() for libraries that do not ship one.
 *
 * NOTE(review): PRINTF_ATTRIBUTE(2, 0) marks fmt as a printf-style format
 * string, but a "first argument to check" index of 0 switches off checking of
 * the arguments against that format (the form normally used for v*printf-style
 * wrappers that take a va_list).  Since this prototype is variadic, confirm
 * that (2, 3) was not intended; as written, mismatched format arguments at
 * call sites are not reported by the compiler.
 */
krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...)
	PRINTF_ATTRIBUTE(2, 0);
#endif
krb5_error_code smb_krb5_cc_copy_creds ( krb5_context context ,
krb5_ccache incc , krb5_ccache outcc ) ;
# endif /* HAVE_KRB5 */
int ads_krb5_cli_get_ticket ( TALLOC_CTX * mem_ctx ,
const char * principal ,
time_t time_offset ,
DATA_BLOB * ticket ,
DATA_BLOB * session_key_krb5 ,
uint32_t extra_ap_opts , const char * ccname ,
time_t * tgs_expire ,
const char * impersonate_princ_s ) ;
NTSTATUS krb5_to_nt_status ( krb5_error_code kerberos_error ) ;
krb5_error_code nt_status_to_krb5 ( NTSTATUS nt_status ) ;
# endif /* _KRB5_SAMBA_H */