The branch, master has been updated via faa3bef gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key() via 7f9a075 gensec_krb5: Use implementation idependent krb5_mk_req_extended() via 739a7ad gensec_krb5: Use kerberos_free_data_contents() to free krb5 data via 8268501 gensec_krb5: Only set the event context with Heimdal via 7ea7b60 gensec_krb5: Use krb5_wrap setup_kaddr() to convert address via ab8628a gensec_krb5: Rename smb_rd_req_return_stuff() via de224d7 gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal via 1fe94a6 s4-kdc: pac-glue: Add support for MIT pkinit via 4f51484 mit_samba: Add missing copyright via 5ac9de3 mit_samba: Add missing argument passed to authsam_make_user_info_dc() from dd5439e tests/samba-tool/user.py: replace deprecated 'add' subcommand with 'create'
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit faa3bef690a72a7b3f546e04494a8a3baebafc52 Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 11 15:18:14 2016 +0200 gensec_krb5: Use get_krb5_smb_session_key() in gensec_krb5_session_key() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Aug 30 15:24:02 CEST 2016 on sn-devel-144 commit 7f9a075d9c8d777fd04c1dcec6693e1e27efc3ae Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 11 15:04:42 2016 +0200 gensec_krb5: Use implementation idependent krb5_mk_req_extended() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 739a7adaef29d24611ee2d709e01e1cb7ffb31be Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 11 15:10:33 2016 +0200 gensec_krb5: Use kerberos_free_data_contents() to free krb5 data Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 8268501972994ce8240a27b68e85f9208b617094 Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 11 11:22:41 2016 +0200 gensec_krb5: Only set the event context with Heimdal Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7ea7b60649dbc8312963a18119184b51ec2345fc Author: Andreas Schneider <a...@samba.org> Date: Thu Aug 11 11:20:42 2016 +0200 gensec_krb5: Use krb5_wrap setup_kaddr() to convert address Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ab8628ac7a206d5b35022b6161f1ed9963ad0f97 Author: Andreas Schneider <a...@samba.org> Date: Fri Aug 12 14:41:05 2016 +0200 gensec_krb5: Rename smb_rd_req_return_stuff() 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit de224d70062695d50668d1b3084a80ac81d6d79b Author: Andreas Schneider <a...@samba.org> Date: Fri Aug 12 14:37:51 2016 +0200 gensec_krb5: Rename gensec_krb5_util to gensec_krb5_heimdal Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1fe94a659e8fdeb9ddb07c9f5a3126f1cdaa459c Author: Andreas Schneider <a...@samba.org> Date: Wed Aug 10 15:57:05 2016 +0200 s4-kdc: pac-glue: Add support for MIT pkinit This only makes sure the code compiles again. I'm not able to test this yet. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4f51484b4071d54183fbca0db4cfb21960016214 Author: Andreas Schneider <a...@samba.org> Date: Thu Jun 9 16:02:23 2016 +0200 mit_samba: Add missing copyright Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5ac9de30f0bc184fae14daca80a476de8161ea6d Author: Andreas Schneider <a...@samba.org> Date: Thu Jun 30 16:25:41 2016 +0200 mit_samba: Add missing argument passed to authsam_make_user_info_dc() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: source4/auth/gensec/gensec_krb5.c | 116 ++++++++++++++------- .../gensec/{gensec_krb5_util.h => gensec_krb5.h} | 8 +- .../{gensec_krb5_util.c => gensec_krb5_heimdal.c} | 61 ++++++----- source4/auth/gensec/wscript_build | 2 +- source4/kdc/mit_samba.c | 3 + source4/kdc/pac-glue.c | 101 ++++++++++++++++++ 6 files changed, 216 insertions(+), 75 deletions(-) rename source4/auth/gensec/{gensec_krb5_util.h => gensec_krb5.h} (56%) rename source4/auth/gensec/{gensec_krb5_util.c => gensec_krb5_heimdal.c} (81%) Changeset truncated at 500 lines: 
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 2af6b14..8dbec15 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -41,7 +41,7 @@ #include "lib/util/util_net.h" #include "../lib/util/asn1.h" #include "auth/kerberos/pac_utils.h" -#include "gensec_krb5_util.h" +#include "gensec_krb5.h" _PUBLIC_ NTSTATUS gensec_krb5_init(void); @@ -150,6 +150,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool if (tlocal_addr) { ssize_t socklen; struct sockaddr_storage ss; + bool ok; socklen = tsocket_address_bsd_sockaddr(tlocal_addr, (struct sockaddr *) &ss, @@ -158,12 +159,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; } - ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context, - (const struct sockaddr *) &ss, &my_krb5_addr); - if (ret) { - DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, - ret, gensec_krb5_state))); + ok = setup_kaddr(&my_krb5_addr, &ss); + if (!ok) { + DBG_WARNING("setup_kaddr (local) failed\n"); talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; } @@ -173,6 +171,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool if (tremote_addr) { ssize_t socklen; struct sockaddr_storage ss; + bool ok; socklen = tsocket_address_bsd_sockaddr(tremote_addr, (struct sockaddr *) &ss, 
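Review bot: `ok = setup_kaddr(&my_krb5_addr, &ss);` fills my_krb5_addr from a `ss` that the preceding hunk declares inside the `if (tlocal_addr) {` block, while my_krb5_addr itself lives outside that block and is presumably consumed later (the replaced krb5_sockaddr2address() call allocated its own copy, which is why the old shape was lifetime-safe). setup_kaddr() is not in this diff; if, like the lib/krb5_wrap helper of that name as I recall it, it stores a pointer to the address bytes inside the sockaddr rather than copying them, my_krb5_addr is left pointing at a dead stack slot by the time the auth context is populated, and the remote block in the next hunk has the same shape with `peer_krb5_addr`/`ss`. Hoisting both storages to function scope, e.g. `struct sockaddr_storage local_ss, remote_ss;` beside my_krb5_addr/peer_krb5_addr, and passing `&local_ss` / `&remote_ss` here removes the dependency; if setup_kaddr() does copy, a one-line comment saying so saves the next reader this check. gensec_krb5_start() begins and ends outside this hunk.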
@@ -181,12 +180,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; } - ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context, - (const struct sockaddr *) &ss, &peer_krb5_addr); - if (ret) { - DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", - smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, - ret, gensec_krb5_state))); + ok = setup_kaddr(&peer_krb5_addr, &ss); + if (!ok) { + DBG_WARNING("setup_kaddr (remote) failed\n"); talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; } @@ -287,7 +283,9 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s const char *hostname; krb5_data in_data = { .length = 0 }; krb5_data *in_data_p = NULL; +#ifdef SAMBA4_USES_HEIMDAL struct tevent_context *previous_ev; +#endif if (lpcfg_parm_bool(gensec_security->settings->lp_ctx, NULL, "gensec_krb5", "send_authenticator_checksum", true)) { 
@@ -320,23 +318,58 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s return NT_STATUS_UNSUCCESSFUL; } +#ifdef SAMBA4_USES_HEIMDAL /* Do this every time, in case we have weird recursive issues here */ ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev); if (ret != 0) { DEBUG(1, ("gensec_krb5_start: Setting event context failed\n")); return NT_STATUS_NO_MEMORY; } +#endif if (principal) { krb5_principal target_principal; ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal, &target_principal); if (ret == 0) { - ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, - &gensec_krb5_state->auth_context, - gensec_krb5_state->ap_req_options, - target_principal, - in_data_p, ccache_container->ccache, - &gensec_krb5_state->enc_ticket); + krb5_creds this_cred; + krb5_creds *cred; + + ZERO_STRUCT(this_cred); + ret = krb5_cc_get_principal(gensec_krb5_state->smb_krb5_context->krb5_context, + ccache_container->ccache, + &this_cred.client); + if (ret != 0) { + return NT_STATUS_UNSUCCESSFUL; + } + + ret = krb5_copy_principal(gensec_krb5_state->smb_krb5_context->krb5_context, + target_principal, + &this_cred.server); + if (ret != 0) { + krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context, + &this_cred); + return NT_STATUS_UNSUCCESSFUL; + } + this_cred.times.endtime = 0; + + ret = krb5_get_credentials(gensec_krb5_state->smb_krb5_context->krb5_context, + 0, + ccache_container->ccache, + &this_cred, + &cred); + krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context, + &this_cred); + if (ret != 0) { + return NT_STATUS_UNSUCCESSFUL; + } + + ret = krb5_mk_req_extended(gensec_krb5_state->smb_krb5_context->krb5_context, + &gensec_krb5_state->auth_context, + gensec_krb5_state->ap_req_options, + in_data_p, + cred, + &gensec_krb5_state->enc_ticket); + krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
target_principal); } @@ -350,7 +383,9 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s &gensec_krb5_state->enc_ticket); } +#ifdef SAMBA4_USES_HEIMDAL smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, ev); +#endif switch (ret) { case 0: @@ -618,11 +653,13 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, inbuf.length = in.length; } - ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context, - &gensec_krb5_state->auth_context, - &inbuf, keytab->keytab, server_in_keytab, - &outbuf, - &gensec_krb5_state->ticket, + ret = smb_krb5_rd_req_decoded(gensec_krb5_state->smb_krb5_context->krb5_context, + &gensec_krb5_state->auth_context, + &inbuf, + keytab->keytab, + server_in_keytab, + &outbuf, + &gensec_krb5_state->ticket, &gensec_krb5_state->keyblock); if (ret) { @@ -637,7 +674,8 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, } else { *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length); } - krb5_data_free(&outbuf); + kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context, + &outbuf); return NT_STATUS_OK; } @@ -655,8 +693,9 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context; krb5_auth_context auth_context = gensec_krb5_state->auth_context; - krb5_keyblock *skey; krb5_error_code err = -1; + bool remote = false; + bool ok; if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) { return NT_STATUS_NO_USER_SESSION_KEY; 
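Review bot: The three new `return NT_STATUS_UNSUCCESSFUL;` paths after krb5_parse_name() succeeds leak `target_principal`, and on Heimdal builds they also skip the smb_krb5_context_remove_event_ctx() call that this change wraps in `#ifdef SAMBA4_USES_HEIMDAL` further down, leaving the caller's event context installed on the shared krb5 context. The `cred` returned by krb5_get_credentials() is likewise never released: after krb5_mk_req_extended() only target_principal is freed, so every AP-REQ built on this path leaks a copy of the service ticket and its session key. I would run each step only while `ret == 0`, free this_cred, cred and target_principal unconditionally, and let the existing `switch (ret)` below handle the failure (that switch is outside the hunk; I assume its non-zero cases map to an error status). gensec_krb5_common_client_creds() starts and ends outside this hunk.

```c
		/* … unchanged: krb5_parse_name(principal, &target_principal) … */
		if (ret == 0) {
			krb5_creds this_cred;
			krb5_creds *cred = NULL;

			ZERO_STRUCT(this_cred);
			ret = krb5_cc_get_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
						    ccache_container->ccache,
						    &this_cred.client);
			if (ret == 0) {
				ret = krb5_copy_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
							  target_principal,
							  &this_cred.server);
			}
			if (ret == 0) {
				this_cred.times.endtime = 0;
				ret = krb5_get_credentials(gensec_krb5_state->smb_krb5_context->krb5_context,
							   0,
							   ccache_container->ccache,
							   &this_cred,
							   &cred);
			}
			/* Members not yet filled in are still zero from ZERO_STRUCT. */
			krb5_free_cred_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
						&this_cred);
			if (ret == 0) {
				ret = krb5_mk_req_extended(gensec_krb5_state->smb_krb5_context->krb5_context,
							   &gensec_krb5_state->auth_context,
							   gensec_krb5_state->ap_req_options,
							   in_data_p,
							   cred,
							   &gensec_krb5_state->enc_ticket);
				krb5_free_creds(gensec_krb5_state->smb_krb5_context->krb5_context,
						cred);
			}
			krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
					    target_principal);
		}
```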
@@ -664,25 +703,24 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, switch (gensec_security->gensec_role) { case GENSEC_CLIENT: - err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey); + remote = false; break; case GENSEC_SERVER: - err = krb5_auth_con_getremotesubkey(context, auth_context, &skey); + remote = true; break; } - if (err == 0 && skey != NULL) { - DEBUG(10, ("Got KRB5 session key of length %d\n", - (int)KRB5_KEY_LENGTH(skey))); - *session_key = data_blob_talloc(mem_ctx, - KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); - dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); - krb5_free_keyblock(context, skey); - return NT_STATUS_OK; - } else { + ok = get_krb5_smb_session_key(mem_ctx, + context, + auth_context, + session_key, + remote); + if (!ok) { DEBUG(10, ("KRB5 error getting session key %d\n", err)); return NT_STATUS_NO_USER_SESSION_KEY; } + + return NT_STATUS_OK; } static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security, @@ -816,7 +854,7 @@ static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security, } *out = data_blob_talloc(mem_ctx, output.data, output.length); - krb5_data_free(&output); + kerberos_free_data_contents(context, &output); } else { return NT_STATUS_ACCESS_DENIED; } @@ -847,7 +885,7 @@ static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security, } *out = data_blob_talloc(mem_ctx, output.data, output.length); - krb5_data_free(&output); + kerberos_free_data_contents(context, &output); } else { return NT_STATUS_ACCESS_DENIED; } diff --git a/source4/auth/gensec/gensec_krb5_util.h b/source4/auth/gensec/gensec_krb5.h similarity index 56% rename from source4/auth/gensec/gensec_krb5_util.h rename to source4/auth/gensec/gensec_krb5.h index 09be3ff..ee684be 100644 --- a/source4/auth/gensec/gensec_krb5_util.h +++ b/source4/auth/gensec/gensec_krb5.h 
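Review bot: `err` is no longer assigned anywhere in this hunk — it keeps its initializer of -1 — yet the failure path still logs `DEBUG(10, ("KRB5 error getting session key %d\n", err));`, so every failure prints a meaningless -1 that reads like a captured krb5 error code. Since get_krb5_smb_session_key() only reports a bool, drop `err` (it will also draw unused-variable warnings) and log what is actually known, e.g. `DEBUG(10, ("KRB5 error getting %s session key\n", remote ? "remote" : "local"));`. The `switch` on gensec_role still has no `default:`, so any other role value silently behaves as a client; that matches the old code, but a `default: return NT_STATUS_NO_USER_SESSION_KEY;` would make the intent explicit. The signature of gensec_krb5_session_key() is outside this hunk.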
@@ -1,10 +1,10 @@
 /* See gensec_krb5_util.c for the license */
 
-krb5_error_code smb_rd_req_return_stuff(krb5_context context,
+krb5_error_code smb_krb5_rd_req_decoded(krb5_context context,
 krb5_auth_context *auth_context,
 const krb5_data *inbuf,
- krb5_keytab keytab,
+ krb5_keytab keytab,
 krb5_principal acceptor_principal,
- krb5_data *outbuf,
- krb5_ticket **ticket,
+ krb5_data *outbuf,
+ krb5_ticket **ticket,
 krb5_keyblock **keyblock);
diff --git a/source4/auth/gensec/gensec_krb5_util.c b/source4/auth/gensec/gensec_krb5_heimdal.c
similarity index 81%
rename from source4/auth/gensec/gensec_krb5_util.c
rename to source4/auth/gensec/gensec_krb5_heimdal.c
index 1e72293..7e9cb5a 100644
--- a/source4/auth/gensec/gensec_krb5_util.c
+++ b/source4/auth/gensec/gensec_krb5_heimdal.c
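Review bot: The header keeps `/* See gensec_krb5_util.c for the license */`, but this same commit renames that file to gensec_krb5_heimdal.c, so the pointer to the Heimdal-derived licence text is now dangling; it should read `/* See gensec_krb5_heimdal.c for the license */`. The renamed declaration smb_krb5_rd_req_decoded() is also the only thing this header exports, and its implementation (next file section) is built on Heimdal-specific krb5_rd_req_in_ctx/krb5_rd_req_out_* calls while the declaration itself carries no `#ifdef SAMBA4_USES_HEIMDAL` guard; unless the gensec_krb5 module is excluded from MIT builds elsewhere, a short comment stating that the function is Heimdal-only would prevent the MIT path added by the rest of this series from picking it up by accident.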
@@ -1,34 +1,34 @@ /* * Copyright (c) 1997 - 2006 Kungliga Tekniska H�gskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. */ /* This file for code taken from the Heimdal code, to preserve licence */ 
@@ -37,16 +37,16 @@ #include "includes.h" #include "system/kerberos.h" #include "auth/kerberos/kerberos.h" -#include "gensec_krb5_util.h" +#include "gensec_krb5.h" /* Taken from accept_sec_context.c,v 1.65 */ -krb5_error_code smb_rd_req_return_stuff(krb5_context context, +krb5_error_code smb_krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context, const krb5_data *inbuf, - krb5_keytab keytab, + krb5_keytab keytab, krb5_principal acceptor_principal, - krb5_data *outbuf, - krb5_ticket **ticket, + krb5_data *outbuf, + krb5_ticket **ticket, krb5_keyblock **keyblock) { krb5_rd_req_in_ctx in = NULL; @@ -80,7 +80,7 @@ krb5_error_code smb_rd_req_return_stuff(krb5_context context, /* * We need to remember some data on the context_handle. */ - kret = krb5_rd_req_out_get_ticket(context, out, + kret = krb5_rd_req_out_get_ticket(context, out, ticket); if (kret == 0) { kret = krb5_rd_req_out_get_keyblock(context, out, @@ -100,4 +100,3 @@ krb5_error_code smb_rd_req_return_stuff(krb5_context context, return kret; } - diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build index 3c7cc2e..c4e6918 100755 --- a/source4/auth/gensec/wscript_build +++ b/source4/auth/gensec/wscript_build @@ -6,7 +6,7 @@ bld.SAMBA_SUBSYSTEM('gensec_util', autoproto='gensec_proto.h') bld.SAMBA_MODULE('gensec_krb5', - source='gensec_krb5.c gensec_krb5_util.c', + source='gensec_krb5.c gensec_krb5_heimdal.c', subsystem='gensec', init_function='gensec_krb5_init', deps='samba-credentials authkrb5 com_err gensec_util', diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 69cddac..f501584 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c 
@@ -2,6 +2,8 @@
 MIT-Samba4 library
 
 Copyright (c) 2010, Simo Sorce <i...@samba.org>
+ Copyright (c) 2014-2015 Guenther Deschner <g...@samba.org>
+ Copyright (c) 2014-2016 Andreas Schneider <a...@samba.org>
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -644,6 +646,7 @@ int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
 ctx->db_ctx->samdb,
 lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
 lpcfg_sam_name(ctx->db_ctx->lp_ctx),
+ lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
 p->realm_dn,
 p->msg,
 data_blob(NULL, 0),
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index ff3f62a..ad72e2e 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -234,6 +234,7 @@ NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
 
+#ifdef SAMBA4_USES_HEIMDAL
 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
 const krb5_keyblock *pkreplykey,
 const DATA_BLOB *cred_ndr_blob,
@@ -309,6 +310,106 @@ krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context, return 0; } +#else /* SAMBA4_USES_HEIMDAL */ +krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context, + const krb5_keyblock *pkreplykey, + const DATA_BLOB *cred_ndr_blob, + TALLOC_CTX *mem_ctx, + DATA_BLOB *cred_info_blob) +{ + krb5_key cred_key; + krb5_enctype cred_enctype; + struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, }; + krb5_error_code code; + const char *krb5err; + enum ndr_err_code ndr_err; + NTSTATUS nt_status; + krb5_data cred_ndr_data; + krb5_enc_data cred_ndr_crypt; + size_t enc_len = 0; + + *cred_info_blob = data_blob_null; + + code = krb5_k_create_key(context, + pkreplykey, + &cred_key); + if (code != 0) { + krb5err = krb5_get_error_message(context, code); + DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err)); + krb5_free_error_message(context, krb5err); + return code; + } + + cred_enctype = krb5_k_key_enctype(context, cred_key); + + DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n", + cred_ndr_blob->length)); + dump_data_pw("PAC_CREDENTIAL_DATA_NDR", + cred_ndr_blob->data, cred_ndr_blob->length); + + pac_cred_info.encryption_type = cred_enctype; + + cred_ndr_data.magic = 0; + cred_ndr_data.data = (char *)cred_ndr_blob->data; + cred_ndr_data.length = cred_ndr_blob->length; + + code = krb5_c_encrypt_length(context, + cred_enctype, + cred_ndr_data.length, + &enc_len); + if (code != 0) { + krb5err = krb5_get_error_message(context, code); + DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err)); + krb5_free_error_message(context, krb5err); + return code; + } + + pac_cred_info.encrypted_data = data_blob_talloc_zero(mem_ctx, enc_len); + if (pac_cred_info.encrypted_data.data == NULL) { + DBG_ERR("Out of memory\n"); + return ENOMEM; + } + + cred_ndr_crypt.ciphertext.length = enc_len; + cred_ndr_crypt.ciphertext.data = (char *)pac_cred_info.encrypted_data.data; + + code = krb5_k_encrypt(context, + cred_key, + 
KRB5_KU_OTHER_ENCRYPTED, + NULL, + &cred_ndr_data, + &cred_ndr_crypt); + krb5_k_free_key(context, cred_key); + if (code != 0) { + krb5err = krb5_get_error_message(context, code); + DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err)); + krb5_free_error_message(context, krb5err); + return code; + } + + if (DEBUGLVL(10)) { + NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info); + } + + ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info, + (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO); + TALLOC_FREE(pac_cred_info.encrypted_data.data); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + nt_status = ndr_map_error2ntstatus(ndr_err); -- Samba Shared Repository