The branch, master has been updated via e8e5afd krb5samba: Add smb_krb5_make_pac_checksum. via 7f9e4d7 s4-auth: Use smb_krb5_make_pac_checksum. via 3ef95a0 krb5samba: Add krb5_free_checksum_contents wrapper from 470cfb3 lib/util: Map 0x7fffffffffffffffLL as 0x7fffffffffffffffLL in time conversion
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit e8e5afd4d4038043f1125c5e2afc41e9e87ebfde Author: Andreas Schneider <a...@samba.org> Date: Thu May 3 17:10:27 2012 +0200 krb5samba: Add smb_krb5_make_pac_checksum. Signed-off-by: Simo Sorce <i...@samba.org> Autobuild-User: Simo Sorce <i...@samba.org> Autobuild-Date: Tue May 8 08:30:52 CEST 2012 on sn-devel-104 commit 7f9e4d70b9a2db7400791fbfef284dd63e79f078 Author: Andreas Schneider <a...@samba.org> Date: Thu May 3 17:10:53 2012 +0200 s4-auth: Use smb_krb5_make_pac_checksum. Signed-off-by: Simo Sorce <i...@samba.org> commit 3ef95a0b59fa2a9ec5d01398d702bd107f290422 Author: Simo Sorce <i...@samba.org> Date: Fri May 4 11:02:48 2012 -0400 krb5samba: Add krb5_free_checksum_contents wrapper ----------------------------------------------------------------------- Summary of changes: lib/krb5_wrap/krb5_samba.c | 83 +++++++++++++++++++++++++++++++ lib/krb5_wrap/krb5_samba.h | 14 +++++ source3/configure.in | 2 + source4/auth/kerberos/kerberos_pac.c | 78 +++++++++-------------------- source4/heimdal_build/wscript_configure | 2 + wscript_configure_krb5 | 3 +- 6 files changed, 127 insertions(+), 55 deletions(-) Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index ddebdd8..16c6901 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2175,6 +2175,89 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context context,
 }
 #endif /* HAVE_KRB5_CC_GET_LIFETIME */
+#if !defined(HAVE_KRB5_FREE_CHECKSUM_CONTENTS) && defined(HAVE_FREE_CHECKSUM)
+void smb_krb5_free_checksum_contents(krb5_context ctx, krb5_checksum *cksum)
+{
+ free_Checksum(cksum);
+}
+#endif
+
+krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *pac_data,
+ krb5_context context,
+ const krb5_keyblock *keyblock,
+ uint32_t *sig_type,
+ DATA_BLOB *sig_blob)
+{
+ krb5_error_code ret;
+ krb5_checksum cksum;
+#if defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CREATE_CHECKSUM)
+ krb5_crypto crypto;
+
+
+ ret = krb5_crypto_init(context,
+ keyblock,
+ 0,
+ &crypto);
+ if (ret) {
+ DEBUG(0,("krb5_crypto_init() failed: %s\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ return ret;
+ }
+ ret = krb5_create_checksum(context,
+ crypto,
+ KRB5_KU_OTHER_CKSUM,
+ 0,
+ pac_data->data,
+ pac_data->length,
+ &cksum);
+ if (ret) {
+ DEBUG(2, ("PAC Verification failed: %s\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ }
+
+ krb5_crypto_destroy(context, crypto);
+
+ if (ret) {
+ return ret;
+ }
+
+ *sig_type = cksum.cksumtype;
+ *sig_blob = data_blob_talloc(mem_ctx,
+ cksum.checksum.data,
+ cksum.checksum.length);
+#elif defined(HAVE_KRB5_C_MAKE_CHECKSUM)
+ krb5_data input;
+
+ input.data = (char *)pac_data->data;
+ input.length = pac_data->length;
+
+ ret = krb5_c_make_checksum(context,
+ 0,
+ keyblock,
+ KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ &input,
+ &cksum);
+ if (ret) {
+ DEBUG(2, ("PAC Verification failed: %s\n",
+ smb_get_krb5_error_message(context, ret, mem_ctx)));
+ return ret;
+ }
+
+ *sig_type = cksum.checksum_type;
+ *sig_blob = data_blob_talloc(mem_ctx,
+ cksum.contents,
+ cksum.length);
+
+#else
+#error krb5_create_checksum or krb5_c_make_checksum not available
+#endif /* HAVE_KRB5_C_MAKE_CHECKSUM */
+ smb_krb5_free_checksum_contents(context, &cksum);
+
+ return 0;
+}
+
+
 /*
 * smb_krb5_principal_get_realm
 *
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index f036e05..15da39c 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -251,6 +251,20 @@ krb5_error_code smb_krb5_cc_get_lifetime(krb5_context context,
 #error krb5_cc_get_lifetime not available
 #endif
+#if defined(HAVE_KRB5_FREE_CHECKSUM_CONTENTS)
+#define smb_krb5_free_checksum_contents krb5_free_checksum_contents
+#elif defined (HAVE_FREE_CHECKSUM)
+void smb_krb5_free_checksum_contents(krb5_context ctx, krb5_checksum *cksum);
+#else
+#error krb5_free_checksum_contents/free_Checksum is not vailable
+#endif
+
+krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *pac_data,
+ krb5_context context,
+ const krb5_keyblock *keyblock,
+ uint32_t *sig_type,
+ DATA_BLOB *sig_blob);
 char *smb_krb5_principal_get_realm(krb5_context context,
 krb5_principal principal);
diff --git a/source3/configure.in b/source3/configure.in
index edd1d1d..c1564a5 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3618,6 +3618,8 @@ if test x"$with_ads_support" != x"no"; then
 AC_CHECK_FUNC_EXT(krb5_build_principal_alloc_va, $KRB5_LIBS)
 AC_CHECK_FUNC_EXT(krb5_cc_get_lifetime, $KRB5_LIBS)
 AC_CHECK_FUNC_EXT(krb5_cc_retrieve_cred, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_free_checksum_contents, $KRB5_LIBS)
+ AC_CHECK_FUNC_EXT(krb5_c_make_checksum, $KRB5_LIBS)
 AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
 AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
 AC_CHECK_FUNC_EXT(gsskrb5_extract_authz_data_from_sec_context, $KRB5_LIBS)
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index d3f54d9..85b6263 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
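Review bot: In `smb_krb5_make_pac_checksum` (the krb5_samba.c hunk) neither branch checks the result of `data_blob_talloc()`, so as far as the hunk shows an allocation failure still reaches `return 0` and the caller carries on as if the PAC signature had been produced. After the `smb_krb5_free_checksum_contents()` call, add `if (sig_blob->data == NULL) { return ENOMEM; }` so the failure is reported instead of an empty signature being encoded. Both branches also log `PAC Verification failed` when checksum creation fails; this function signs rather than verifies, so a message such as `PAC checksum creation failed` would keep log triage from pointing at the verification path.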
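Review bot: The new prototype for `smb_krb5_make_pac_checksum` in the krb5_samba.h hunk has no comment stating its contract, which matters for a helper that produces PAC signatures. A short doc comment above it should say that `pac_data` is the buffer to be checksummed, that `sig_type` and `sig_blob` are outputs, that `sig_blob` is allocated on `mem_ctx` and owned by the caller, and that 0 means success. The `#error` text in the same hunk also has a typo, `vailable` for `available`.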
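Review bot: The two probes added in the configure.in hunk cover only `krb5_free_checksum_contents` and `krb5_c_make_checksum`, while krb5_samba.c selects its other branch on `HAVE_KRB5_CREATE_CHECKSUM` and the header falls back on `HAVE_FREE_CHECKSUM`. In this changeset those two macros are set only in source4/heimdal_build/wscript_configure, so unless they are probed elsewhere in configure.in an autoconf build against a system Heimdal may never select the `krb5_create_checksum` path. If that configuration is meant to be supported, add `AC_CHECK_FUNC_EXT(krb5_create_checksum, $KRB5_LIBS)` and `AC_CHECK_FUNC_EXT(free_Checksum, $KRB5_LIBS)` next to the new lines.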
@@ -70,51 +70,6 @@ _PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
-static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
- DATA_BLOB *pac_data,
- struct PAC_SIGNATURE_DATA *sig,
- krb5_context context,
- const krb5_keyblock *keyblock)
-{
- krb5_error_code ret;
- krb5_crypto crypto;
- Checksum cksum;
-
-
- ret = krb5_crypto_init(context,
- keyblock,
- 0,
- &crypto);
- if (ret) {
- DEBUG(0,("krb5_crypto_init() failed: %s\n",
- smb_get_krb5_error_message(context, ret, mem_ctx)));
- return ret;
- }
- ret = krb5_create_checksum(context,
- crypto,
- KRB5_KU_OTHER_CKSUM,
- 0,
- pac_data->data,
- pac_data->length,
- &cksum);
- if (ret) {
- DEBUG(2, ("PAC Verification failed: %s\n",
- smb_get_krb5_error_message(context, ret, mem_ctx)));
- }
-
- krb5_crypto_destroy(context, crypto);
-
- if (ret) {
- return ret;
- }
-
- sig->type = cksum.cksumtype;
- sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, cksum.checksum.length);
- free_Checksum(&cksum);
-
- return 0;
-}
-
 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
 struct PAC_DATA *pac_data,
 krb5_context context,
@@ -137,9 +92,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 continue;
 }
 kdc_checksum = &pac_data->buffers[i].info->kdc_cksum,
- ret = make_pac_checksum(mem_ctx, &zero_blob,
- kdc_checksum,
- context, krbtgt_keyblock);
+ ret = smb_krb5_make_pac_checksum(mem_ctx,
+ &zero_blob,
+ context,
+ krbtgt_keyblock,
+ &kdc_checksum->type,
+ &kdc_checksum->signature);
 if (ret) {
 DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
 smb_get_krb5_error_message(context, ret, mem_ctx)));
@@ -153,9 +111,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 continue;
 }
 srv_checksum = &pac_data->buffers[i].info->srv_cksum;
- ret = make_pac_checksum(mem_ctx, &zero_blob,
- srv_checksum,
- context, service_keyblock);
+ ret = smb_krb5_make_pac_checksum(mem_ctx,
+ &zero_blob,
+ context,
+ service_keyblock,
+ &srv_checksum->type,
+ &srv_checksum->signature);
 if (ret) {
 DEBUG(2, ("making service PAC checksum failed: %s\n",
 smb_get_krb5_error_message(context, ret, mem_ctx)));
@@ -188,11 +149,20 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 /* Then sign the result of the previous push, where the sig was zero'ed out */
- ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum,
- context, service_keyblock);
+ ret = smb_krb5_make_pac_checksum(mem_ctx,
+ &tmp_blob,
+ context,
+ service_keyblock,
+ &srv_checksum->type,
+ &srv_checksum->signature);
 /* Then sign Server checksum */
- ret = make_pac_checksum(mem_ctx, &srv_checksum->signature, kdc_checksum, context, krbtgt_keyblock);
+ ret = smb_krb5_make_pac_checksum(mem_ctx,
+ &srv_checksum->signature,
+ context,
+ krbtgt_keyblock,
+ &kdc_checksum->type,
+ &kdc_checksum->signature);
 if (ret) {
 DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
 smb_get_krb5_error_message(context, ret, mem_ctx)));
diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure
index 619944d..17b7361 100755
--- a/source4/heimdal_build/wscript_configure
+++ b/source4/heimdal_build/wscript_configure
@@ -99,6 +99,7 @@ conf.define('HAVE_INITIALIZE_KRB5_ERROR_TABLE', 1)
 conf.define('HAVE_KRB5_ADDRESSES', 1)
 conf.define('HAVE_KRB5_AUTH_CON_SETKEY', 1)
 conf.define('HAVE_KRB5_CC_GET_LIFETIME', 1)
+conf.define('HAVE_KRB5_CREATE_CHECKSUM', 1)
 conf.define('HAVE_KRB5_CRYPTO', 1)
 conf.define('HAVE_KRB5_CRYPTO_DESTROY', 1)
 conf.define('HAVE_KRB5_CRYPTO_INIT', 1)
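Review bot: In the last kerberos_pac.c hunk (`@@ -188,11 +149,20 @@`) the return value of the service-key `smb_krb5_make_pac_checksum()` call is overwritten by the krbtgt call that follows before anything tests it, so a failed server signature goes unreported and the KDC checksum is then computed over whatever `srv_checksum->signature` holds at that point. The removed code had the same gap, but since both call sites are rewritten here it is the natural place to close it: add `if (ret) { return ret; }` between the two calls, with the same `DEBUG` message and any cleanup the neighbouring error paths use. The enclosing `kerberos_encode_pac` starts and ends outside the hunk, so the cleanup that path needs is not visible here.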
@@ -139,6 +140,7 @@ conf.define('HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES', 1)
 conf.define('HAVE_KRB5_SET_REAL_TIME', 1)
 conf.define('HAVE_KRB5_STRING_TO_KEY', 1)
 conf.define('HAVE_KRB5_STRING_TO_KEY_SALT', 1)
+conf.define('HAVE_FREE_CHECKSUM', 1)
 conf.define('HAVE_LIBKRB5', 1)
 conf.define('KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT', 1)
 conf.define('HAVE_ETYPE_IN_ENCRYPTEDDATA', 1)
diff --git a/wscript_configure_krb5 b/wscript_configure_krb5
index 9a2fe1b..abfd04a 100644
--- a/wscript_configure_krb5
+++ b/wscript_configure_krb5
@@ -64,7 +64,8 @@ conf.CHECK_FUNCS(''' krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm krb5_get_init_creds_keyblock krb5_get_init_creds_keytab krb5_make_principal krb5_build_principal_alloc_va - krb5_cc_get_lifetime krb5_cc_retrieve_cred''', + krb5_cc_get_lifetime krb5_cc_retrieve_cred + krb5_free_checksum_contents krb5_c_make_checksum''', lib='krb5 k5crypto') conf.CHECK_DECLS('''krb5_get_credentials_for_user krb5_auth_con_set_req_cksumtype''', -- Samba Shared Repository