The branch, master has been updated
       via  e8e5afd krb5samba: Add smb_krb5_make_pac_checksum.
       via  7f9e4d7 s4-auth: Use smb_krb5_make_pac_checksum.
       via  3ef95a0 krb5samba: Add krb5_free_checksum_contents wrapper
      from  470cfb3 lib/util: Map 0x7fffffffffffffffLL as 0x7fffffffffffffffLL 
in time conversion

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e8e5afd4d4038043f1125c5e2afc41e9e87ebfde
Author: Andreas Schneider <a...@samba.org>
Date:   Thu May 3 17:10:27 2012 +0200

    krb5samba: Add smb_krb5_make_pac_checksum.
    
    Signed-off-by: Simo Sorce <i...@samba.org>
    
    Autobuild-User: Simo Sorce <i...@samba.org>
    Autobuild-Date: Tue May  8 08:30:52 CEST 2012 on sn-devel-104

commit 7f9e4d70b9a2db7400791fbfef284dd63e79f078
Author: Andreas Schneider <a...@samba.org>
Date:   Thu May 3 17:10:53 2012 +0200

    s4-auth: Use smb_krb5_make_pac_checksum.
    
    Signed-off-by: Simo Sorce <i...@samba.org>

commit 3ef95a0b59fa2a9ec5d01398d702bd107f290422
Author: Simo Sorce <i...@samba.org>
Date:   Fri May 4 11:02:48 2012 -0400

    krb5samba: Add krb5_free_checksum_contents wrapper

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c              |   83 +++++++++++++++++++++++++++++++
 lib/krb5_wrap/krb5_samba.h              |   14 +++++
 source3/configure.in                    |    2 +
 source4/auth/kerberos/kerberos_pac.c    |   78 +++++++++--------------------
 source4/heimdal_build/wscript_configure |    2 +
 wscript_configure_krb5                  |    3 +-
 6 files changed, 127 insertions(+), 55 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index ddebdd8..16c6901 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2175,6 +2175,89 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context 
context,
 }
 #endif /* HAVE_KRB5_CC_GET_LIFETIME */
 
+#if !defined(HAVE_KRB5_FREE_CHECKSUM_CONTENTS) && defined(HAVE_FREE_CHECKSUM)
+void smb_krb5_free_checksum_contents(krb5_context ctx, krb5_checksum *cksum)
+{
+       free_Checksum(cksum);
+}
+#endif
+
+krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
+                                          DATA_BLOB *pac_data,
+                                          krb5_context context,
+                                          const krb5_keyblock *keyblock,
+                                          uint32_t *sig_type,
+                                          DATA_BLOB *sig_blob)
+{
+       krb5_error_code ret;
+       krb5_checksum cksum;
+#if defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CREATE_CHECKSUM)
+       krb5_crypto crypto;
+
+
+       ret = krb5_crypto_init(context,
+                              keyblock,
+                              0,
+                              &crypto);
+       if (ret) {
+               DEBUG(0,("krb5_crypto_init() failed: %s\n",
+                         smb_get_krb5_error_message(context, ret, mem_ctx)));
+               return ret;
+       }
+       ret = krb5_create_checksum(context,
+                                  crypto,
+                                  KRB5_KU_OTHER_CKSUM,
+                                  0,
+                                  pac_data->data,
+                                  pac_data->length,
+                                  &cksum);
+       if (ret) {
+               DEBUG(2, ("PAC Verification failed: %s\n",
+                         smb_get_krb5_error_message(context, ret, mem_ctx)));
+       }
+
+       krb5_crypto_destroy(context, crypto);
+
+       if (ret) {
+               return ret;
+       }
+
+       *sig_type = cksum.cksumtype;
+       *sig_blob = data_blob_talloc(mem_ctx,
+                                       cksum.checksum.data,
+                                       cksum.checksum.length);
+#elif defined(HAVE_KRB5_C_MAKE_CHECKSUM)
+       krb5_data input;
+
+       input.data = (char *)pac_data->data;
+       input.length = pac_data->length;
+
+       ret = krb5_c_make_checksum(context,
+                                  0,
+                                  keyblock,
+                                  KRB5_KEYUSAGE_APP_DATA_CKSUM,
+                                  &input,
+                                  &cksum);
+       if (ret) {
+               DEBUG(2, ("PAC Verification failed: %s\n",
+                         smb_get_krb5_error_message(context, ret, mem_ctx)));
+               return ret;
+       }
+
+       *sig_type = cksum.checksum_type;
+       *sig_blob = data_blob_talloc(mem_ctx,
+                                       cksum.contents,
+                                       cksum.length);
+
+#else
+#error krb5_create_checksum or krb5_c_make_checksum not available
+#endif /* HAVE_KRB5_C_MAKE_CHECKSUM */
+       smb_krb5_free_checksum_contents(context, &cksum);
+
+       return 0;
+}
+
+
 /*
  * smb_krb5_principal_get_realm
  *
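Review bot: Both branches of smb_krb5_make_pac_checksum assign `*sig_blob = data_blob_talloc(...)` and then fall through to `return 0` without checking the allocation, so an out-of-memory condition is reported as success and the caller is left with an empty PAC signature. After the `smb_krb5_free_checksum_contents(context, &cksum);` line, add `if (sig_blob->data == NULL) { return ENOMEM; }`. The `DEBUG(2, ("PAC Verification failed: %s\n", ...` text in both branches is misleading in a function that creates a checksum rather than verifying one; wording such as "PAC checksum creation failed" would make log triage easier. The trailing `#endif /* HAVE_KRB5_C_MAKE_CHECKSUM */` comment also names only one of the conditions the `#if`/`#elif` chain tests.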
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index f036e05..15da39c 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -251,6 +251,20 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context 
context,
 #error krb5_cc_get_lifetime not available
 #endif
 
+#if defined(HAVE_KRB5_FREE_CHECKSUM_CONTENTS)
+#define smb_krb5_free_checksum_contents krb5_free_checksum_contents
+#elif defined (HAVE_FREE_CHECKSUM)
+void smb_krb5_free_checksum_contents(krb5_context ctx, krb5_checksum *cksum);
+#else
+#error krb5_free_checksum_contents/free_Checksum is not vailable
+#endif
+
+krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
+                                          DATA_BLOB *pac_data,
+                                          krb5_context context,
+                                          const krb5_keyblock *keyblock,
+                                          uint32_t *sig_type,
+                                          DATA_BLOB *sig_blob);
 
 char *smb_krb5_principal_get_realm(krb5_context context,
                                   krb5_principal principal);
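Review bot: The new `#error` text misspells "available", and the new prototype carries no comment describing its contract. Suggest `#error krb5_free_checksum_contents/free_Checksum is not available`. Above smb_krb5_make_pac_checksum, add a doc comment stating that sig_blob is allocated on mem_ctx, that sig_type receives the checksum type reported by the Kerberos library, and that both outputs are left unmodified when a non-zero krb5_error_code is returned. The `#define` alias on the first branch assumes the library's krb5_free_checksum_contents takes the same `(krb5_context, krb5_checksum *)` arguments as the wrapper, which deserves a one-line comment.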
diff --git a/source3/configure.in b/source3/configure.in
index edd1d1d..c1564a5 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3618,6 +3618,8 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_build_principal_alloc_va, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_cc_get_lifetime, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_cc_retrieve_cred, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_free_checksum_contents, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(krb5_c_make_checksum, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(gsskrb5_extract_authz_data_from_sec_context, $KRB5_LIBS)
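Review bot: Only krb5_free_checksum_contents and krb5_c_make_checksum are probed here, while the code added to krb5_samba.c also keys on HAVE_KRB5_CREATE_CHECKSUM and HAVE_FREE_CHECKSUM. Those two are set unconditionally in source4/heimdal_build/wscript_configure, but no probe for them is visible in this hunk or in the wscript_configure_krb5 hunk. If they are not detected elsewhere, a build against a system Heimdal would presumably select the `krb5_c_make_checksum` branch or hit the `#error`; adding `AC_CHECK_FUNC_EXT(krb5_create_checksum, $KRB5_LIBS)` and `AC_CHECK_FUNC_EXT(free_Checksum, $KRB5_LIBS)` (and the matching names in the waf CHECK_FUNCS list) would make the selection explicit. Worth confirming against the rest of both files, which are outside the hunks shown.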
diff --git a/source4/auth/kerberos/kerberos_pac.c 
b/source4/auth/kerberos/kerberos_pac.c
index d3f54d9..85b6263 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -70,51 +70,6 @@ _PUBLIC_  NTSTATUS kerberos_pac_logon_info(TALLOC_CTX 
*mem_ctx,
        return NT_STATUS_OK;
 }
 
-static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
-                                        DATA_BLOB *pac_data,
-                                        struct PAC_SIGNATURE_DATA *sig,
-                                        krb5_context context,
-                                        const krb5_keyblock *keyblock)
-{
-       krb5_error_code ret;
-       krb5_crypto crypto;
-       Checksum cksum;
-
-
-       ret = krb5_crypto_init(context,
-                              keyblock,
-                              0,
-                              &crypto);
-       if (ret) {
-               DEBUG(0,("krb5_crypto_init() failed: %s\n",
-                         smb_get_krb5_error_message(context, ret, mem_ctx)));
-               return ret;
-       }
-       ret = krb5_create_checksum(context,
-                                  crypto,
-                                  KRB5_KU_OTHER_CKSUM,
-                                  0,
-                                  pac_data->data,
-                                  pac_data->length,
-                                  &cksum);
-       if (ret) {
-               DEBUG(2, ("PAC Verification failed: %s\n",
-                         smb_get_krb5_error_message(context, ret, mem_ctx)));
-       }
-
-       krb5_crypto_destroy(context, crypto);
-
-       if (ret) {
-               return ret;
-       }
-
-       sig->type = cksum.cksumtype;
-       sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, 
cksum.checksum.length);
-       free_Checksum(&cksum);
-
-       return 0;
-}
-
  krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
                                    struct PAC_DATA *pac_data,
                                    krb5_context context,
@@ -137,9 +92,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX 
*mem_ctx,
                        continue;
                }
                kdc_checksum = &pac_data->buffers[i].info->kdc_cksum,
-               ret = make_pac_checksum(mem_ctx, &zero_blob,
-                                       kdc_checksum,
-                                       context, krbtgt_keyblock);
+               ret = smb_krb5_make_pac_checksum(mem_ctx,
+                                                &zero_blob,
+                                                context,
+                                                krbtgt_keyblock,
+                                                &kdc_checksum->type,
+                                                &kdc_checksum->signature);
                if (ret) {
                        DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
                                  smb_get_krb5_error_message(context, ret, 
mem_ctx)));
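Review bot: The context line `kdc_checksum = &pac_data->buffers[i].info->kdc_cksum,` ends in a comma, so the new `ret = smb_krb5_make_pac_checksum(...)` call is parsed as the right-hand operand of a comma expression rather than as its own statement. Behaviour is the same today, but the statement boundary is easy to misread and a later edit between the two lines would change meaning silently; since the call is being rewritten anyway, change the terminator to `;` as the parallel `srv_checksum = ...;` line in the next hunk already has. The enclosing loop in kerberos_encode_pac starts and ends outside this hunk.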
@@ -153,9 +111,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX 
*mem_ctx,
                        continue;
                }
                srv_checksum = &pac_data->buffers[i].info->srv_cksum;
-               ret = make_pac_checksum(mem_ctx, &zero_blob,
-                                       srv_checksum,
-                                       context, service_keyblock);
+               ret = smb_krb5_make_pac_checksum(mem_ctx,
+                                                &zero_blob,
+                                                context,
+                                                service_keyblock,
+                                                &srv_checksum->type,
+                                                &srv_checksum->signature);
                if (ret) {
                        DEBUG(2, ("making service PAC checksum failed: %s\n",
                                  smb_get_krb5_error_message(context, ret, 
mem_ctx)));
@@ -188,11 +149,20 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX 
*mem_ctx,
        }
 
        /* Then sign the result of the previous push, where the sig was zero'ed 
out */
-       ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum,
-                               context, service_keyblock);
+       ret = smb_krb5_make_pac_checksum(mem_ctx,
+                                        &tmp_blob,
+                                        context,
+                                        service_keyblock,
+                                        &srv_checksum->type,
+                                        &srv_checksum->signature);
 
        /* Then sign Server checksum */
-       ret = make_pac_checksum(mem_ctx, &srv_checksum->signature, 
kdc_checksum, context, krbtgt_keyblock);
+       ret = smb_krb5_make_pac_checksum(mem_ctx,
+                                        &srv_checksum->signature,
+                                        context,
+                                        krbtgt_keyblock,
+                                        &kdc_checksum->type,
+                                        &kdc_checksum->signature);
        if (ret) {
                DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
                          smb_get_krb5_error_message(context, ret, mem_ctx)));
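Review bot: The return value of the first new call (signing `tmp_blob` with `service_keyblock`) is overwritten by the second call before anything tests it, so a failure to compute the server checksum goes unnoticed. The KDC checksum is then computed over whatever `srv_checksum->signature` held from the earlier zero-blob pass. Add an `if (ret)` check between the two calls that logs with the existing "making service PAC checksum failed" message and returns `ret`, mirroring the check that follows the krbtgt call. The cleanup that error path needs is not visible, because kerberos_encode_pac starts and ends outside this hunk. Each call also replaces a signature blob allocated on mem_ctx during the zero-blob pass without freeing it, which is harmless only if callers pass a short-lived context.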
diff --git a/source4/heimdal_build/wscript_configure 
b/source4/heimdal_build/wscript_configure
index 619944d..17b7361 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -99,6 +99,7 @@ conf.define('HAVE_INITIALIZE_KRB5_ERROR_TABLE', 1)
 conf.define('HAVE_KRB5_ADDRESSES', 1)
 conf.define('HAVE_KRB5_AUTH_CON_SETKEY', 1)
 conf.define('HAVE_KRB5_CC_GET_LIFETIME', 1)
+conf.define('HAVE_KRB5_CREATE_CHECKSUM', 1)
 conf.define('HAVE_KRB5_CRYPTO', 1)
 conf.define('HAVE_KRB5_CRYPTO_DESTROY', 1)
 conf.define('HAVE_KRB5_CRYPTO_INIT', 1)
@@ -139,6 +140,7 @@ conf.define('HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES', 1)
 conf.define('HAVE_KRB5_SET_REAL_TIME', 1)
 conf.define('HAVE_KRB5_STRING_TO_KEY', 1)
 conf.define('HAVE_KRB5_STRING_TO_KEY_SALT', 1)
+conf.define('HAVE_FREE_CHECKSUM', 1)
 conf.define('HAVE_LIBKRB5', 1)
 conf.define('KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT', 1)
 conf.define('HAVE_ETYPE_IN_ENCRYPTEDDATA', 1)
diff --git a/wscript_configure_krb5 b/wscript_configure_krb5
index 9a2fe1b..abfd04a 100644
--- a/wscript_configure_krb5
+++ b/wscript_configure_krb5
@@ -64,7 +64,8 @@ conf.CHECK_FUNCS('''
        krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm
        krb5_get_init_creds_keyblock krb5_get_init_creds_keytab
        krb5_make_principal krb5_build_principal_alloc_va
-       krb5_cc_get_lifetime krb5_cc_retrieve_cred''',
+       krb5_cc_get_lifetime krb5_cc_retrieve_cred
+       krb5_free_checksum_contents krb5_c_make_checksum''',
      lib='krb5 k5crypto')
 conf.CHECK_DECLS('''krb5_get_credentials_for_user
                     krb5_auth_con_set_req_cksumtype''',


-- 
Samba Shared Repository
