関数 | |
krb5_error_code | smb_krb5_parse_name (krb5_context context, const char *name, krb5_principal *principal) |
static krb5_error_code | smb_krb5_parse_name_norealm_conv (krb5_context context, const char *name, krb5_principal *principal) |
krb5_error_code | smb_krb5_unparse_name (krb5_context context, krb5_const_principal principal, char **unix_name) |
krb5_error_code | krb5_set_real_time (krb5_context context, int32_t seconds, int32_t microseconds) |
krb5_error_code | krb5_set_default_tgs_ktypes (krb5_context ctx, const krb5_enctype *enc) |
void | setup_kaddr (krb5_address *pkaddr, struct sockaddr *paddr) |
int | create_kerberos_key_from_string_direct (krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype) |
int | create_kerberos_key_from_string (krb5_context context, krb5_principal host_princ, krb5_data *password, krb5_keyblock *key, krb5_enctype enctype) |
krb5_error_code | get_kerberos_allowed_etypes (krb5_context context, krb5_enctype **enctypes) |
krb5_error_code | krb5_auth_con_setuseruserkey (krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock) |
BOOL | unwrap_pac (TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data) |
BOOL | get_auth_data_from_tkt (TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, krb5_ticket *tkt) |
krb5_const_principal | get_principal_from_tkt (krb5_ticket *tkt) |
krb5_error_code | smb_krb5_locate_kdc (krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters) |
void | krb5_free_unparsed_name (krb5_context context, char *val) |
void | kerberos_free_data_contents (krb5_context context, krb5_data *pdata) |
void | kerberos_set_creds_enctype (krb5_creds *pcreds, int enctype) |
BOOL | kerberos_compatible_enctypes (krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2) |
static BOOL | ads_cleanup_expired_creds (krb5_context context, krb5_ccache ccache, krb5_creds *credsp) |
static krb5_error_code | ads_krb5_mk_req (krb5_context context, krb5_auth_context *auth_context, const krb5_flags ap_req_options, const char *principal, krb5_ccache ccache, krb5_data *outbuf, time_t *expire_time) |
int | cli_krb5_get_ticket (const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname, time_t *tgs_expire) |
BOOL | get_krb5_smb_session_key (krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, BOOL remote) |
const krb5_data * | krb5_princ_component (krb5_context context, krb5_principal principal, int i) |
krb5_error_code | smb_krb5_kt_free_entry (krb5_context context, krb5_keytab_entry *kt_entry) |
void | smb_krb5_checksum_from_pac_sig (krb5_checksum *cksum, PAC_SIGNATURE_DATA *sig) |
krb5_error_code | smb_krb5_verify_checksum (krb5_context context, krb5_keyblock *keyblock, krb5_keyusage usage, krb5_checksum *cksum, uint8 *data, size_t length) |
time_t | get_authtime_from_tkt (krb5_ticket *tkt) |
static int | get_kvno_from_ap_req (krb5_ap_req *ap_req) |
static krb5_enctype | get_enctype_from_ap_req (krb5_ap_req *ap_req) |
static krb5_error_code | get_key_from_keytab (krb5_context context, krb5_const_principal server, krb5_enctype enctype, krb5_kvno kvno, krb5_keyblock **out_key) |
krb5_error_code | smb_krb5_get_keyinfo_from_ap_req (krb5_context context, const krb5_data *inbuf, krb5_kvno *kvno, krb5_enctype *enctype) |
krb5_error_code | krb5_rd_req_return_keyblock_from_keytab (krb5_context context, krb5_auth_context *auth_context, const krb5_data *inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags *ap_req_options, krb5_ticket **ticket, krb5_keyblock **keyblock) |
krb5_error_code | smb_krb5_parse_name_norealm (krb5_context context, const char *name, krb5_principal *principal) |
BOOL | smb_krb5_principal_compare_any_realm (krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) |
krb5_error_code | smb_krb5_renew_ticket (const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time) |
krb5_error_code | smb_krb5_free_addresses (krb5_context context, smb_krb5_addresses *addr) |
krb5_error_code | smb_krb5_gen_netbios_krb5_address (smb_krb5_addresses **kerb_addr) |
void | smb_krb5_free_error (krb5_context context, krb5_error *krberror) |
krb5_error_code | handle_krberror_packet (krb5_context context, krb5_data *packet) |
krb5_error_code | smb_krb5_get_init_creds_opt_alloc (krb5_context context, krb5_get_init_creds_opt **opt) |
void | smb_krb5_get_init_creds_opt_free (krb5_context context, krb5_get_init_creds_opt *opt) |
krb5_error_code | smb_krb5_mk_error (krb5_context context, krb5_error_code error_code, const krb5_principal server, krb5_data *reply) |
krb5_error_code smb_krb5_parse_name | ( | krb5_context | context, | |
const char * | name, | |||
krb5_principal * | principal | |||
) |
参照先 push_utf8_allocate().
参照元 ads_krb5_chg_password()・ads_krb5_mk_req()・ads_krb5_set_password()・ads_sasl_gssapi_bind()・ads_verify_ticket()・kerberos_fetch_salt_princ_for_host_princ()・kerberos_kinit_password_ext()・kerberos_secrets_store_salting_principal()・make_krb5_skew_error()・smb_krb5_kt_add_entry()・smb_krb5_parse_name_norealm()・smb_krb5_renew_ticket().
00053 { 00054 krb5_error_code ret; 00055 char *utf8_name; 00056 00057 if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { 00058 return ENOMEM; 00059 } 00060 00061 ret = krb5_parse_name(context, utf8_name, principal); 00062 SAFE_FREE(utf8_name); 00063 return ret; 00064 }
static krb5_error_code smb_krb5_parse_name_norealm_conv | ( | krb5_context | context, | |
const char * | name, | |||
krb5_principal * | principal | |||
) | [static] |
参照先 push_utf8_allocate().
参照元 smb_krb5_parse_name_norealm().
00074 { 00075 krb5_error_code ret; 00076 char *utf8_name; 00077 00078 *principal = NULL; 00079 if (push_utf8_allocate(&utf8_name, name) == (size_t)-1) { 00080 return ENOMEM; 00081 } 00082 00083 ret = krb5_parse_name_norealm(context, utf8_name, principal); 00084 SAFE_FREE(utf8_name); 00085 return ret; 00086 }
krb5_error_code smb_krb5_unparse_name | ( | krb5_context | context, | |
krb5_const_principal | principal, | |||
char ** | unix_name | |||
) |
参照先 krb5_free_unparsed_name()・pull_utf8_allocate().
参照元 ads_keytab_create_default()・ads_keytab_verify_ticket()・ads_verify_ticket()・get_key_from_keytab()・kerberos_fetch_salt_princ_for_host_princ()・kerberos_secrets_store_salting_principal()・smb_krb5_kt_add_entry().
00097 { 00098 krb5_error_code ret; 00099 char *utf8_name; 00100 00101 *unix_name = NULL; 00102 ret = krb5_unparse_name(context, principal, &utf8_name); 00103 if (ret) { 00104 return ret; 00105 } 00106 00107 if (pull_utf8_allocate(unix_name, utf8_name)==-1) { 00108 krb5_free_unparsed_name(context, utf8_name); 00109 return ENOMEM; 00110 } 00111 krb5_free_unparsed_name(context, utf8_name); 00112 return 0; 00113 }
krb5_error_code krb5_set_real_time | ( | krb5_context | context, | |
int32_t | seconds, | |||
int32_t | microseconds | |||
) |
参照元 ads_krb5_mk_req()・ads_krb5_set_password()・ads_verify_ticket()・cli_krb5_get_ticket()・kerberos_kinit_password_ext().
00120 { 00121 krb5_error_code ret; 00122 int32_t sec, usec; 00123 00124 ret = krb5_us_timeofday(context, &sec, &usec); 00125 if (ret) 00126 return ret; 00127 00128 context->kdc_sec_offset = seconds - sec; 00129 context->kdc_usec_offset = microseconds - usec; 00130 00131 return 0; 00132 }
krb5_error_code krb5_set_default_tgs_ktypes | ( | krb5_context | ctx, | |
const krb5_enctype * | enc | |||
) |
参照元 ads_sasl_gssapi_bind()・cli_krb5_get_ticket().
00148 { 00149 return krb5_set_default_tgs_enctypes(ctx, enc); 00150 }
void setup_kaddr | ( | krb5_address * | pkaddr, | |
struct sockaddr * | paddr | |||
) |
参照元 do_krb5_kpasswd_request().
00167 { 00168 pkaddr->addr_type = KRB5_ADDRESS_INET; 00169 pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr); 00170 pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr); 00171 }
int create_kerberos_key_from_string_direct | ( | krb5_context | context, | |
krb5_principal | host_princ, | |||
krb5_data * | password, | |||
krb5_keyblock * | key, | |||
krb5_enctype | enctype | |||
) |
参照元 create_kerberos_key_from_string().
00190 { 00191 int ret; 00192 krb5_data salt; 00193 krb5_encrypt_block eblock; 00194 00195 ret = krb5_principal2salt(context, host_princ, &salt); 00196 if (ret) { 00197 DEBUG(1,("krb5_principal2salt failed (%s)\n", error_message(ret))); 00198 return ret; 00199 } 00200 krb5_use_enctype(context, &eblock, enctype); 00201 ret = krb5_string_to_key(context, &eblock, key, password, &salt); 00202 SAFE_FREE(salt.data); 00203 return ret; 00204 }
int create_kerberos_key_from_string | ( | krb5_context | context, | |
krb5_principal | host_princ, | |||
krb5_data * | password, | |||
krb5_keyblock * | key, | |||
krb5_enctype | enctype | |||
) |
参照先 create_kerberos_key_from_string_direct()・kerberos_fetch_salt_princ_for_host_princ().
参照元 ads_secrets_verify_ticket()・smb_krb5_kt_add_entry().
00234 { 00235 krb5_principal salt_princ = NULL; 00236 int ret; 00237 /* 00238 * Check if we've determined that the KDC is salting keys for this 00239 * principal/enctype in a non-obvious way. If it is, try to match 00240 * its behavior. 00241 */ 00242 salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype); 00243 ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype); 00244 if (salt_princ) { 00245 krb5_free_principal(context, salt_princ); 00246 } 00247 return ret; 00248 }
krb5_error_code get_kerberos_allowed_etypes | ( | krb5_context | context, | |
krb5_enctype ** | enctypes | |||
) |
krb5_error_code krb5_auth_con_setuseruserkey | ( | krb5_context | context, | |
krb5_auth_context | auth_context, | |||
krb5_keyblock * | keyblock | |||
) |
参照元 ads_secrets_verify_ticket().
00270 { 00271 return krb5_auth_con_setkey(context, auth_context, keyblock); 00272 }
BOOL unwrap_pac | ( | TALLOC_CTX * | mem_ctx, | |
DATA_BLOB * | auth_data, | |||
DATA_BLOB * | unwrapped_pac_data | |||
) |
参照先 asn1_end_tag()・asn1_free()・asn1_load()・asn1_read_Integer()・asn1_read_OctetString()・asn1_start_tag()・data_blob_::data・data_blob_free()・data_blob_talloc()・data_blob_::length.
00276 { 00277 DATA_BLOB pac_contents; 00278 ASN1_DATA data; 00279 int data_type; 00280 00281 if (!auth_data->length) { 00282 return False; 00283 } 00284 00285 asn1_load(&data, *auth_data); 00286 asn1_start_tag(&data, ASN1_SEQUENCE(0)); 00287 asn1_start_tag(&data, ASN1_SEQUENCE(0)); 00288 asn1_start_tag(&data, ASN1_CONTEXT(0)); 00289 asn1_read_Integer(&data, &data_type); 00290 00291 if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) { 00292 DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type)); 00293 asn1_free(&data); 00294 return False; 00295 } 00296 00297 asn1_end_tag(&data); 00298 asn1_start_tag(&data, ASN1_CONTEXT(1)); 00299 asn1_read_OctetString(&data, &pac_contents); 00300 asn1_end_tag(&data); 00301 asn1_end_tag(&data); 00302 asn1_end_tag(&data); 00303 asn1_free(&data); 00304 00305 *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length); 00306 00307 data_blob_free(&pac_contents); 00308 00309 return True; 00310 }
BOOL get_auth_data_from_tkt | ( | TALLOC_CTX * | mem_ctx, | |
DATA_BLOB * | auth_data, | |||
krb5_ticket * | tkt | |||
) |
参照先 data_blob()・data_blob_free()・unwrap_pac().
参照元 ads_verify_ticket().
00313 { 00314 DATA_BLOB auth_data_wrapped; 00315 BOOL got_auth_data_pac = False; 00316 int i; 00317 00318 #if defined(HAVE_KRB5_TKT_ENC_PART2) 00319 if (tkt->enc_part2 && tkt->enc_part2->authorization_data && 00320 tkt->enc_part2->authorization_data[0] && 00321 tkt->enc_part2->authorization_data[0]->length) 00322 { 00323 for (i = 0; tkt->enc_part2->authorization_data[i] != NULL; i++) { 00324 00325 if (tkt->enc_part2->authorization_data[i]->ad_type != 00326 KRB5_AUTHDATA_IF_RELEVANT) { 00327 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n", 00328 tkt->enc_part2->authorization_data[i]->ad_type)); 00329 continue; 00330 } 00331 00332 auth_data_wrapped = data_blob(tkt->enc_part2->authorization_data[i]->contents, 00333 tkt->enc_part2->authorization_data[i]->length); 00334 00335 /* check if it is a PAC */ 00336 got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data); 00337 data_blob_free(&auth_data_wrapped); 00338 00339 if (got_auth_data_pac) { 00340 return true; 00341 } 00342 } 00343 00344 return got_auth_data_pac; 00345 } 00346 00347 #else 00348 if (tkt->ticket.authorization_data && 00349 tkt->ticket.authorization_data->len) 00350 { 00351 for (i = 0; i < tkt->ticket.authorization_data->len; i++) { 00352 00353 if (tkt->ticket.authorization_data->val[i].ad_type != 00354 KRB5_AUTHDATA_IF_RELEVANT) { 00355 DEBUG(10,("get_auth_data_from_tkt: ad_type is %d\n", 00356 tkt->ticket.authorization_data->val[i].ad_type)); 00357 continue; 00358 } 00359 00360 auth_data_wrapped = data_blob(tkt->ticket.authorization_data->val[i].ad_data.data, 00361 tkt->ticket.authorization_data->val[i].ad_data.length); 00362 00363 /* check if it is a PAC */ 00364 got_auth_data_pac = unwrap_pac(mem_ctx, &auth_data_wrapped, auth_data); 00365 data_blob_free(&auth_data_wrapped); 00366 00367 if (got_auth_data_pac) { 00368 return true; 00369 } 00370 } 00371 00372 return got_auth_data_pac; 00373 } 00374 #endif 00375 return False; 00376 }
krb5_const_principal get_principal_from_tkt | ( | krb5_ticket * | tkt | ) |
参照元 ads_verify_ticket().
00379 { 00380 #if defined(HAVE_KRB5_TKT_ENC_PART2) 00381 return tkt->enc_part2->client; 00382 #else 00383 return tkt->client; 00384 #endif 00385 }
krb5_error_code smb_krb5_locate_kdc | ( | krb5_context | ctx, | |
const krb5_data * | realm, | |||
struct sockaddr ** | addr_pp, | |||
int * | naddrs, | |||
int | get_masters | |||
) |
参照元 net_lookup_kdc().
00397 { 00398 krb5_krbhst_handle hnd; 00399 krb5_krbhst_info *hinfo; 00400 krb5_error_code rc; 00401 int num_kdcs, i; 00402 struct sockaddr *sa; 00403 struct addrinfo *ai; 00404 00405 *addr_pp = NULL; 00406 *naddrs = 0; 00407 00408 rc = krb5_krbhst_init(ctx, realm->data, KRB5_KRBHST_KDC, &hnd); 00409 if (rc) { 00410 DEBUG(0, ("smb_krb5_locate_kdc: krb5_krbhst_init failed (%s)\n", error_message(rc))); 00411 return rc; 00412 } 00413 00414 for ( num_kdcs = 0; (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); num_kdcs++) 00415 ; 00416 00417 krb5_krbhst_reset(ctx, hnd); 00418 00419 if (!num_kdcs) { 00420 DEBUG(0, ("smb_krb5_locate_kdc: zero kdcs found !\n")); 00421 krb5_krbhst_free(ctx, hnd); 00422 return -1; 00423 } 00424 00425 sa = SMB_MALLOC_ARRAY( struct sockaddr, num_kdcs ); 00426 if (!sa) { 00427 DEBUG(0, ("smb_krb5_locate_kdc: malloc failed\n")); 00428 krb5_krbhst_free(ctx, hnd); 00429 naddrs = 0; 00430 return -1; 00431 } 00432 00433 memset(sa, '\0', sizeof(struct sockaddr) * num_kdcs ); 00434 00435 for (i = 0; i < num_kdcs && (rc = krb5_krbhst_next(ctx, hnd, &hinfo) == 0); i++) { 00436 00437 #if defined(HAVE_KRB5_KRBHST_GET_ADDRINFO) 00438 rc = krb5_krbhst_get_addrinfo(ctx, hinfo, &ai); 00439 if (rc) { 00440 DEBUG(0,("krb5_krbhst_get_addrinfo failed: %s\n", error_message(rc))); 00441 continue; 00442 } 00443 #endif 00444 if (hinfo->ai && hinfo->ai->ai_family == AF_INET) 00445 memcpy(&sa[i], hinfo->ai->ai_addr, sizeof(struct sockaddr)); 00446 } 00447 00448 krb5_krbhst_free(ctx, hnd); 00449 00450 *naddrs = num_kdcs; 00451 *addr_pp = sa; 00452 return 0; 00453 }
void krb5_free_unparsed_name | ( | krb5_context | context, | |
char * | val | |||
) |
void kerberos_free_data_contents | ( | krb5_context | context, | |
krb5_data * | pdata | |||
) |
参照元 ads_verify_ticket()・cli_krb5_get_ticket()・make_krb5_skew_error().
00484 { 00485 #if defined(HAVE_KRB5_FREE_DATA_CONTENTS) 00486 if (pdata->data) { 00487 krb5_free_data_contents(context, pdata); 00488 } 00489 #else 00490 SAFE_FREE(pdata->data); 00491 #endif 00492 }
void kerberos_set_creds_enctype | ( | krb5_creds * | pcreds, | |
int | enctype | |||
) |
BOOL kerberos_compatible_enctypes | ( | krb5_context | context, | |
krb5_enctype | enctype1, | |||
krb5_enctype | enctype2 | |||
) |
00508 { 00509 #if defined(HAVE_KRB5_C_ENCTYPE_COMPARE) 00510 krb5_boolean similar = 0; 00511 00512 krb5_c_enctype_compare(context, enctype1, enctype2, &similar); 00513 return similar ? True : False; 00514 #elif defined(HAVE_KRB5_ENCTYPES_COMPATIBLE_KEYS) 00515 return krb5_enctypes_compatible_keys(context, enctype1, enctype2) ? True : False; 00516 #endif 00517 }
static BOOL ads_cleanup_expired_creds | ( | krb5_context | context, | |
krb5_ccache | ccache, | |||
krb5_creds * | credsp | |||
) | [static] |
参照先 http_timestring()・strequal().
参照元 ads_krb5_mk_req().
00522 { 00523 krb5_error_code retval; 00524 const char *cc_type = krb5_cc_get_type(context, ccache); 00525 00526 DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n", 00527 cc_type, krb5_cc_get_name(context, ccache), 00528 http_timestring(credsp->times.endtime))); 00529 00530 /* we will probably need new tickets if the current ones 00531 will expire within 10 seconds. 00532 */ 00533 if (credsp->times.endtime >= (time(NULL) + 10)) 00534 return False; 00535 00536 /* heimdal won't remove creds from a file ccache, and 00537 perhaps we shouldn't anyway, since internally we 00538 use memory ccaches, and a FILE one probably means that 00539 we're using creds obtained outside of our exectuable 00540 */ 00541 if (strequal(cc_type, "FILE")) { 00542 DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type)); 00543 return False; 00544 } 00545 00546 retval = krb5_cc_remove_cred(context, ccache, 0, credsp); 00547 if (retval) { 00548 DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n", 00549 error_message(retval))); 00550 /* If we have an error in this, we want to display it, 00551 but continue as though we deleted it */ 00552 } 00553 return True; 00554 }
static krb5_error_code ads_krb5_mk_req | ( | krb5_context | context, | |
krb5_auth_context * | auth_context, | |||
const krb5_flags | ap_req_options, | |||
const char * | principal, | |||
krb5_ccache | ccache, | |||
krb5_data * | outbuf, | |||
time_t * | expire_time | |||
) | [static] |
参照先 ads_cleanup_expired_creds()・http_timestring()・krb5_set_real_time()・server・smb_krb5_parse_name()・t.
00566 { 00567 krb5_error_code retval; 00568 krb5_principal server; 00569 krb5_creds * credsp; 00570 krb5_creds creds; 00571 krb5_data in_data; 00572 BOOL creds_ready = False; 00573 int i = 0, maxtries = 3; 00574 00575 retval = smb_krb5_parse_name(context, principal, &server); 00576 if (retval) { 00577 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal)); 00578 return retval; 00579 } 00580 00581 /* obtain ticket & session key */ 00582 ZERO_STRUCT(creds); 00583 if ((retval = krb5_copy_principal(context, server, &creds.server))) { 00584 DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n", 00585 error_message(retval))); 00586 goto cleanup_princ; 00587 } 00588 00589 if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) { 00590 /* This can commonly fail on smbd startup with no ticket in the cache. 00591 * Report at higher level than 1. */ 00592 DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n", 00593 error_message(retval))); 00594 goto cleanup_creds; 00595 } 00596 00597 while (!creds_ready && (i < maxtries)) { 00598 00599 if ((retval = krb5_get_credentials(context, 0, ccache, 00600 &creds, &credsp))) { 00601 DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n", 00602 principal, error_message(retval))); 00603 goto cleanup_creds; 00604 } 00605 00606 /* cope with ticket being in the future due to clock skew */ 00607 if ((unsigned)credsp->times.starttime > time(NULL)) { 00608 time_t t = time(NULL); 00609 int time_offset =(int)((unsigned)credsp->times.starttime-t); 00610 DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset)); 00611 krb5_set_real_time(context, t + time_offset + 1, 0); 00612 } 00613 00614 if (!ads_cleanup_expired_creds(context, ccache, credsp)) { 00615 creds_ready = True; 00616 } 00617 00618 i++; 00619 } 00620 00621 DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n", 00622 principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache), 00623 http_timestring((unsigned)credsp->times.endtime), 00624 (unsigned)credsp->times.endtime)); 00625 00626 if (expire_time) { 00627 *expire_time = (time_t)credsp->times.endtime; 00628 } 00629 00630 in_data.length = 0; 00631 retval = krb5_mk_req_extended(context, auth_context, ap_req_options, 00632 &in_data, credsp, outbuf); 00633 if (retval) { 00634 DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n", 00635 error_message(retval))); 00636 } 00637 00638 krb5_free_creds(context, credsp); 00639 00640 cleanup_creds: 00641 krb5_free_cred_contents(context, &creds); 00642 00643 cleanup_princ: 00644 krb5_free_principal(context, server); 00645 00646 return retval; 00647 }
int cli_krb5_get_ticket | ( | const char * | principal, | |
time_t | time_offset, | |||
DATA_BLOB * | ticket, | |||
DATA_BLOB * | session_key_krb5, | |||
uint32 | extra_ap_opts, | |||
const char * | ccname, | |||
time_t * | tgs_expire | |||
) |
参照先 ads_krb5_mk_req()・data_blob()・failed・get_krb5_smb_session_key()・kerberos_free_data_contents()・krb5_set_default_tgs_ktypes()・krb5_set_real_time()・packet.
参照元 create_krb5_auth_bind_req()・handle_krb5_mech()・manage_client_krb5_init()・spnego_gen_negTokenTarg()・winbindd_raw_kerberos_login().
00657 { 00658 krb5_error_code retval; 00659 krb5_data packet; 00660 krb5_context context = NULL; 00661 krb5_ccache ccdef = NULL; 00662 krb5_auth_context auth_context = NULL; 00663 krb5_enctype enc_types[] = { 00664 #ifdef ENCTYPE_ARCFOUR_HMAC 00665 ENCTYPE_ARCFOUR_HMAC, 00666 #endif 00667 ENCTYPE_DES_CBC_MD5, 00668 ENCTYPE_DES_CBC_CRC, 00669 ENCTYPE_NULL}; 00670 00671 initialize_krb5_error_table(); 00672 retval = krb5_init_context(&context); 00673 if (retval) { 00674 DEBUG(1,("cli_krb5_get_ticket: krb5_init_context failed (%s)\n", 00675 error_message(retval))); 00676 goto failed; 00677 } 00678 00679 if (time_offset != 0) { 00680 krb5_set_real_time(context, time(NULL) + time_offset, 0); 00681 } 00682 00683 if ((retval = krb5_cc_resolve(context, ccname ? 00684 ccname : krb5_cc_default_name(context), &ccdef))) { 00685 DEBUG(1,("cli_krb5_get_ticket: krb5_cc_default failed (%s)\n", 00686 error_message(retval))); 00687 goto failed; 00688 } 00689 00690 if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) { 00691 DEBUG(1,("cli_krb5_get_ticket: krb5_set_default_tgs_ktypes failed (%s)\n", 00692 error_message(retval))); 00693 goto failed; 00694 } 00695 00696 if ((retval = ads_krb5_mk_req(context, 00697 &auth_context, 00698 AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts, 00699 principal, 00700 ccdef, &packet, 00701 tgs_expire))) { 00702 goto failed; 00703 } 00704 00705 get_krb5_smb_session_key(context, auth_context, session_key_krb5, False); 00706 00707 *ticket = data_blob(packet.data, packet.length); 00708 00709 kerberos_free_data_contents(context, &packet); 00710 00711 failed: 00712 00713 if ( context ) { 00714 if (ccdef) 00715 krb5_cc_close(context, ccdef); 00716 if (auth_context) 00717 krb5_auth_con_free(context, auth_context); 00718 krb5_free_context(context); 00719 } 00720 00721 return retval; 00722 }
BOOL get_krb5_smb_session_key | ( | krb5_context | context, | |
krb5_auth_context | auth_context, | |||
DATA_BLOB * | session_key, | |||
BOOL | remote | |||
) |
参照先 data_blob_::data・data_blob()・dump_data_pw()・err・data_blob_::length.
参照元 ads_verify_ticket()・cli_krb5_get_ticket().
00725 { 00726 krb5_keyblock *skey; 00727 krb5_error_code err; 00728 BOOL ret = False; 00729 00730 if (remote) 00731 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey); 00732 else 00733 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey); 00734 if (err == 0 && skey != NULL) { 00735 DEBUG(10, ("Got KRB5 session key of length %d\n", (int)KRB5_KEY_LENGTH(skey))); 00736 *session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); 00737 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); 00738 00739 ret = True; 00740 00741 krb5_free_keyblock(context, skey); 00742 } else { 00743 DEBUG(10, ("KRB5 error getting session key %d\n", err)); 00744 } 00745 00746 return ret; 00747 }
const krb5_data* krb5_princ_component | ( | krb5_context | context, | |
krb5_principal | principal, | |||
int | i | |||
) |
krb5_error_code smb_krb5_kt_free_entry | ( | krb5_context | context, | |
krb5_keytab_entry * | kt_entry | |||
) |
参照元 ads_keytab_create_default()・ads_keytab_flush()・ads_keytab_verify_ticket()・get_key_from_keytab()・smb_krb5_kt_add_entry().
00764 { 00765 #if defined(HAVE_KRB5_KT_FREE_ENTRY) 00766 return krb5_kt_free_entry(context, kt_entry); 00767 #elif defined(HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS) 00768 return krb5_free_keytab_entry_contents(context, kt_entry); 00769 #else 00770 #error UNKNOWN_KT_FREE_FUNCTION 00771 #endif 00772 }
void smb_krb5_checksum_from_pac_sig | ( | krb5_checksum * | cksum, | |
PAC_SIGNATURE_DATA * | sig | |||
) |
参照先 RPC_DATA_BLOB::buf_len・RPC_DATA_BLOB::buffer・pac_signature_data::signature・pac_signature_data::type.
参照元 check_pac_checksum().
00776 { 00777 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM 00778 cksum->cksumtype = (krb5_cksumtype)sig->type; 00779 cksum->checksum.length = sig->signature.buf_len; 00780 cksum->checksum.data = sig->signature.buffer; 00781 #else 00782 cksum->checksum_type = (krb5_cksumtype)sig->type; 00783 cksum->length = sig->signature.buf_len; 00784 cksum->contents = sig->signature.buffer; 00785 #endif 00786 }
krb5_error_code smb_krb5_verify_checksum | ( | krb5_context | context, | |
krb5_keyblock * | keyblock, | |||
krb5_keyusage | usage, | |||
krb5_checksum * | cksum, | |||
uint8 * | data, | |||
size_t | length | |||
) |
参照元 check_pac_checksum().
00794 { 00795 krb5_error_code ret; 00796 00797 /* verify the checksum */ 00798 00799 /* welcome to the wonderful world of samba's kerberos abstraction layer: 00800 * 00801 * function heimdal 0.6.1rc3 heimdal 0.7 MIT krb 1.4.2 00802 * ----------------------------------------------------------------------------- 00803 * krb5_c_verify_checksum - works works 00804 * krb5_verify_checksum works (6 args) works (6 args) broken (7 args) 00805 */ 00806 00807 #if defined(HAVE_KRB5_C_VERIFY_CHECKSUM) 00808 { 00809 krb5_boolean checksum_valid = False; 00810 krb5_data input; 00811 00812 input.data = (char *)data; 00813 input.length = length; 00814 00815 ret = krb5_c_verify_checksum(context, 00816 keyblock, 00817 usage, 00818 &input, 00819 cksum, 00820 &checksum_valid); 00821 if (ret) { 00822 DEBUG(3,("smb_krb5_verify_checksum: krb5_c_verify_checksum() failed: %s\n", 00823 error_message(ret))); 00824 return ret; 00825 } 00826 00827 if (!checksum_valid) 00828 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; 00829 } 00830 00831 #elif KRB5_VERIFY_CHECKSUM_ARGS == 6 && defined(HAVE_KRB5_CRYPTO_INIT) && defined(HAVE_KRB5_CRYPTO) && defined(HAVE_KRB5_CRYPTO_DESTROY) 00832 00833 /* Warning: MIT's krb5_verify_checksum cannot be used as it will use a key 00834 * without enctype and it ignores any key_usage types - Guenther */ 00835 00836 { 00837 00838 krb5_crypto crypto; 00839 ret = krb5_crypto_init(context, 00840 keyblock, 00841 0, 00842 &crypto); 00843 if (ret) { 00844 DEBUG(0,("smb_krb5_verify_checksum: krb5_crypto_init() failed: %s\n", 00845 error_message(ret))); 00846 return ret; 00847 } 00848 00849 ret = krb5_verify_checksum(context, 00850 crypto, 00851 usage, 00852 data, 00853 length, 00854 cksum); 00855 00856 krb5_crypto_destroy(context, crypto); 00857 } 00858 00859 #else 00860 #error UNKNOWN_KRB5_VERIFY_CHECKSUM_FUNCTION 00861 #endif 00862 00863 return ret; 00864 }
time_t get_authtime_from_tkt | ( | krb5_ticket * | tkt | ) |
参照元 ads_verify_ticket().
00867 { 00868 #if defined(HAVE_KRB5_TKT_ENC_PART2) 00869 return tkt->enc_part2->times.authtime; 00870 #else 00871 return tkt->ticket.authtime; 00872 #endif 00873 }
static int get_kvno_from_ap_req | ( | krb5_ap_req * | ap_req | ) | [static] |
参照元 smb_krb5_get_keyinfo_from_ap_req().
00877 { 00878 #ifdef HAVE_TICKET_POINTER_IN_KRB5_AP_REQ /* MIT */ 00879 if (ap_req->ticket->enc_part.kvno) 00880 return ap_req->ticket->enc_part.kvno; 00881 #else /* Heimdal */ 00882 if (ap_req->ticket.enc_part.kvno) 00883 return *ap_req->ticket.enc_part.kvno; 00884 #endif 00885 return 0; 00886 }
static krb5_enctype get_enctype_from_ap_req | ( | krb5_ap_req * | ap_req | ) | [static] |
参照元 smb_krb5_get_keyinfo_from_ap_req().
00889 { 00890 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */ 00891 return ap_req->ticket.enc_part.etype; 00892 #else /* MIT */ 00893 return ap_req->ticket->enc_part.enctype; 00894 #endif 00895 }
static krb5_error_code get_key_from_keytab | ( | krb5_context | context, | |
krb5_const_principal | server, | |||
krb5_enctype | enctype, | |||
krb5_kvno | kvno, | |||
krb5_keyblock ** | out_key | |||
) | [static] |
参照先 DEBUGLEVEL・name・smb_krb5_kt_free_entry()・smb_krb5_unparse_name().
参照元 krb5_rd_req_return_keyblock_from_keytab().
00904 { 00905 krb5_keytab_entry entry; 00906 krb5_error_code ret; 00907 krb5_keytab keytab; 00908 char *name = NULL; 00909 00910 /* We have to open a new keytab handle here, as MIT does 00911 an implicit open/getnext/close on krb5_kt_get_entry. We 00912 may be in the middle of a keytab enumeration when this is 00913 called. JRA. */ 00914 00915 ret = krb5_kt_default(context, &keytab); 00916 if (ret) { 00917 DEBUG(0,("get_key_from_keytab: failed to open keytab: %s\n", error_message(ret))); 00918 return ret; 00919 } 00920 00921 if ( DEBUGLEVEL >= 10 ) { 00922 if (smb_krb5_unparse_name(context, server, &name) == 0) { 00923 DEBUG(10,("get_key_from_keytab: will look for kvno %d, enctype %d and name: %s\n", 00924 kvno, enctype, name)); 00925 SAFE_FREE(name); 00926 } 00927 } 00928 00929 ret = krb5_kt_get_entry(context, 00930 keytab, 00931 server, 00932 kvno, 00933 enctype, 00934 &entry); 00935 00936 if (ret) { 00937 DEBUG(0,("get_key_from_keytab: failed to retrieve key: %s\n", error_message(ret))); 00938 goto out; 00939 } 00940 00941 #ifdef HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK /* Heimdal */ 00942 ret = krb5_copy_keyblock(context, &entry.keyblock, out_key); 00943 #elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEY) /* MIT */ 00944 ret = krb5_copy_keyblock(context, &entry.key, out_key); 00945 #else 00946 #error UNKNOWN_KRB5_KEYTAB_ENTRY_FORMAT 00947 #endif 00948 00949 if (ret) { 00950 DEBUG(0,("get_key_from_keytab: failed to copy key: %s\n", error_message(ret))); 00951 goto out; 00952 } 00953 00954 smb_krb5_kt_free_entry(context, &entry); 00955 00956 out: 00957 krb5_kt_close(context, keytab); 00958 return ret; 00959 }
krb5_error_code smb_krb5_get_keyinfo_from_ap_req | ( | krb5_context | context, | |
const krb5_data * | inbuf, | |||
krb5_kvno * | kvno, | |||
krb5_enctype * | enctype | |||
) |
参照先 get_enctype_from_ap_req()・get_kvno_from_ap_req().
参照元 krb5_rd_req_return_keyblock_from_keytab().
00967 { 00968 #ifdef HAVE_KRB5_DECODE_AP_REQ /* Heimdal */ 00969 { 00970 krb5_error_code ret; 00971 krb5_ap_req ap_req; 00972 00973 ret = krb5_decode_ap_req(context, inbuf, &ap_req); 00974 if (ret) 00975 return ret; 00976 00977 *kvno = get_kvno_from_ap_req(&ap_req); 00978 *enctype = get_enctype_from_ap_req(&ap_req); 00979 00980 free_AP_REQ(&ap_req); 00981 return 0; 00982 } 00983 #endif 00984 00985 /* Possibly not an appropriate error code. */ 00986 return KRB5KDC_ERR_BADOPTION; 00987 }
krb5_error_code krb5_rd_req_return_keyblock_from_keytab | ( | krb5_context | context, | |
krb5_auth_context * | auth_context, | |||
const krb5_data * | inbuf, | |||
krb5_const_principal | server, | |||
krb5_keytab | keytab, | |||
krb5_flags * | ap_req_options, | |||
krb5_ticket ** | ticket, | |||
krb5_keyblock ** | keyblock | |||
) |
参照先 get_key_from_keytab()・smb_krb5_get_keyinfo_from_ap_req().
参照元 ads_keytab_verify_ticket().
00997 { 00998 krb5_error_code ret; 00999 krb5_kvno kvno; 01000 krb5_enctype enctype; 01001 krb5_keyblock *local_keyblock; 01002 01003 ret = krb5_rd_req(context, 01004 auth_context, 01005 inbuf, 01006 server, 01007 keytab, 01008 ap_req_options, 01009 ticket); 01010 if (ret) { 01011 return ret; 01012 } 01013 01014 #ifdef KRB5_TICKET_HAS_KEYINFO 01015 enctype = (*ticket)->enc_part.enctype; 01016 kvno = (*ticket)->enc_part.kvno; 01017 #else 01018 ret = smb_krb5_get_keyinfo_from_ap_req(context, inbuf, &kvno, &enctype); 01019 if (ret) { 01020 return ret; 01021 } 01022 #endif 01023 01024 ret = get_key_from_keytab(context, 01025 server, 01026 enctype, 01027 kvno, 01028 &local_keyblock); 01029 if (ret) { 01030 DEBUG(0,("krb5_rd_req_return_keyblock_from_keytab: failed to call get_key_from_keytab\n")); 01031 goto out; 01032 } 01033 01034 out: 01035 if (ret && local_keyblock != NULL) { 01036 krb5_free_keyblock(context, local_keyblock); 01037 } else { 01038 *keyblock = local_keyblock; 01039 } 01040 01041 return ret; 01042 }
krb5_error_code smb_krb5_parse_name_norealm | ( | krb5_context | context, | |
const char * | name, | |||
krb5_principal * | principal | |||
) |
参照先 smb_krb5_parse_name()・smb_krb5_parse_name_norealm_conv().
01047 { 01048 #ifdef HAVE_KRB5_PARSE_NAME_NOREALM 01049 return smb_krb5_parse_name_norealm_conv(context, name, principal); 01050 #endif 01051 01052 /* we are cheating here because parse_name will in fact set the realm. 01053 * We don't care as the only caller of smb_krb5_parse_name_norealm 01054 * ignores the realm anyway when calling 01055 * smb_krb5_principal_compare_any_realm later - Guenther */ 01056 01057 return smb_krb5_parse_name(context, name, principal); 01058 }
BOOL smb_krb5_principal_compare_any_realm | ( | krb5_context | context, | |
krb5_const_principal | princ1, | |||
krb5_const_principal | princ2 | |||
) |
01063 { 01064 #ifdef HAVE_KRB5_PRINCIPAL_COMPARE_ANY_REALM 01065 01066 return krb5_principal_compare_any_realm(context, princ1, princ2); 01067 01068 /* krb5_princ_size is a macro in MIT */ 01069 #elif defined(HAVE_KRB5_PRINC_SIZE) || defined(krb5_princ_size) 01070 01071 int i, len1, len2; 01072 const krb5_data *p1, *p2; 01073 01074 len1 = krb5_princ_size(context, princ1); 01075 len2 = krb5_princ_size(context, princ2); 01076 01077 if (len1 != len2) 01078 return False; 01079 01080 for (i = 0; i < len1; i++) { 01081 01082 p1 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ1), i); 01083 p2 = krb5_princ_component(context, CONST_DISCARD(krb5_principal, princ2), i); 01084 01085 if (p1->length != p2->length || memcmp(p1->data, p2->data, p1->length)) 01086 return False; 01087 } 01088 01089 return True; 01090 #else 01091 #error NO_SUITABLE_PRINCIPAL_COMPARE_FUNCTION 01092 #endif 01093 }
krb5_error_code smb_krb5_renew_ticket | ( | const char * | ccache_string, | |
const char * | client_string, | |||
const char * | service_string, | |||
time_t * | expire_time | |||
) |
参照先 flags・smb_krb5_parse_name().
参照元 krb5_ticket_refresh_handler().
01095 :/tmp/krb5cc_0 */ 01096 const char *client_string, /* gd@BER.SUSE.DE */ 01097 const char *service_string, /* krbtgt/BER.SUSE.DE@BER.SUSE.DE */ 01098 time_t *expire_time) 01099 { 01100 krb5_error_code ret; 01101 krb5_context context = NULL; 01102 krb5_ccache ccache = NULL; 01103 krb5_principal client = NULL; 01104 01105 initialize_krb5_error_table(); 01106 ret = krb5_init_context(&context); 01107 if (ret) { 01108 goto done; 01109 } 01110 01111 if (!ccache_string) { 01112 ccache_string = krb5_cc_default_name(context); 01113 } 01114 01115 DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); 01116 01117 /* FIXME: we should not fall back to defaults */ 01118 ret = krb5_cc_resolve(context, CONST_DISCARD(char *, ccache_string), &ccache); 01119 if (ret) { 01120 goto done; 01121 } 01122 01123 #ifdef HAVE_KRB5_GET_RENEWED_CREDS /* MIT */ 01124 { 01125 krb5_creds creds; 01126 01127 if (client_string) { 01128 ret = smb_krb5_parse_name(context, client_string, &client); 01129 if (ret) { 01130 goto done; 01131 } 01132 } else { 01133 ret = krb5_cc_get_principal(context, ccache, &client); 01134 if (ret) { 01135 goto done; 01136 } 01137 } 01138 01139 ret = krb5_get_renewed_creds(context, &creds, client, ccache, CONST_DISCARD(char *, service_string)); 01140 if (ret) { 01141 DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); 01142 goto done; 01143 } 01144 01145 /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */ 01146 ret = krb5_cc_initialize(context, ccache, client); 01147 if (ret) { 01148 goto done; 01149 } 01150 01151 ret = krb5_cc_store_cred(context, ccache, &creds); 01152 01153 if (expire_time) { 01154 *expire_time = (time_t) creds.times.endtime; 01155 } 01156 01157 krb5_free_cred_contents(context, &creds); 01158 } 01159 #elif defined(HAVE_KRB5_GET_KDC_CRED) /* Heimdal */ 01160 { 01161 krb5_kdc_flags flags; 01162 krb5_creds creds_in; 01163 krb5_realm *client_realm; 01164 krb5_creds *creds; 01165 01166 memset(&creds_in, 0, sizeof(creds_in)); 01167 01168 if (client_string) { 01169 ret = smb_krb5_parse_name(context, client_string, &creds_in.client); 01170 if (ret) { 01171 goto done; 01172 } 01173 } else { 01174 ret = krb5_cc_get_principal(context, ccache, &creds_in.client); 01175 if (ret) { 01176 goto done; 01177 } 01178 } 01179 01180 if (service_string) { 01181 ret = smb_krb5_parse_name(context, service_string, &creds_in.server); 01182 if (ret) { 01183 goto done; 01184 } 01185 } else { 01186 /* build tgt service by default */ 01187 client_realm = krb5_princ_realm(context, creds_in.client); 01188 if (!client_realm) { 01189 ret = ENOMEM; 01190 goto done; 01191 } 01192 ret = krb5_make_principal(context, &creds_in.server, *client_realm, KRB5_TGS_NAME, *client_realm, NULL); 01193 if (ret) { 01194 goto done; 01195 } 01196 } 01197 01198 flags.i = 0; 01199 flags.b.renewable = flags.b.renew = True; 01200 01201 ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &creds_in, &creds); 01202 if (ret) { 01203 DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); 01204 goto done; 01205 } 01206 01207 /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */ 01208 ret = krb5_cc_initialize(context, ccache, creds_in.client); 01209 if (ret) { 01210 goto done; 01211 } 01212 01213 ret = krb5_cc_store_cred(context, ccache, creds); 01214 01215 if (expire_time) { 01216 *expire_time = (time_t) creds->times.endtime; 01217 } 01218 01219 krb5_free_cred_contents(context, &creds_in); 01220 krb5_free_creds(context, creds); 01221 } 01222 #else 01223 #error No suitable krb5 ticket renew function available 01224 #endif 01225 01226 01227 done: 01228 if (client) { 01229 krb5_free_principal(context, client); 01230 } 01231 if (context) { 01232 krb5_free_context(context); 01233 } 01234 if (ccache) { 01235 krb5_cc_close(context, ccache); 01236 } 01237 01238 return ret; 01239 01240 }
krb5_error_code smb_krb5_free_addresses | ( | krb5_context | context, | |
smb_krb5_addresses * | addr | |||
) |
参照先 smb_krb5_addresses::addrs.
参照元 kerberos_kinit_password_ext().
01243 { 01244 krb5_error_code ret = 0; 01245 if (addr == NULL) { 01246 return ret; 01247 } 01248 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ 01249 krb5_free_addresses(context, addr->addrs); 01250 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */ 01251 ret = krb5_free_addresses(context, addr->addrs); 01252 SAFE_FREE(addr->addrs); 01253 #endif 01254 SAFE_FREE(addr); 01255 addr = NULL; 01256 return ret; 01257 }
krb5_error_code smb_krb5_gen_netbios_krb5_address | ( | smb_krb5_addresses ** | kerb_addr | ) |
参照先 buf・global_myname・put_name().
参照元 kerberos_kinit_password_ext().
01260 { 01261 krb5_error_code ret = 0; 01262 nstring buf; 01263 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ 01264 krb5_address **addrs = NULL; 01265 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */ 01266 krb5_addresses *addrs = NULL; 01267 #endif 01268 01269 *kerb_addr = (smb_krb5_addresses *)SMB_MALLOC(sizeof(smb_krb5_addresses)); 01270 if (*kerb_addr == NULL) { 01271 return ENOMEM; 01272 } 01273 01274 put_name(buf, global_myname(), ' ', 0x20); 01275 01276 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ 01277 { 01278 int num_addr = 2; 01279 01280 addrs = (krb5_address **)SMB_MALLOC(sizeof(krb5_address *) * num_addr); 01281 if (addrs == NULL) { 01282 SAFE_FREE(kerb_addr); 01283 return ENOMEM; 01284 } 01285 01286 memset(addrs, 0, sizeof(krb5_address *) * num_addr); 01287 01288 addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address)); 01289 if (addrs[0] == NULL) { 01290 SAFE_FREE(addrs); 01291 SAFE_FREE(kerb_addr); 01292 return ENOMEM; 01293 } 01294 01295 addrs[0]->magic = KV5M_ADDRESS; 01296 addrs[0]->addrtype = KRB5_ADDR_NETBIOS; 01297 addrs[0]->length = MAX_NETBIOSNAME_LEN; 01298 addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length); 01299 if (addrs[0]->contents == NULL) { 01300 SAFE_FREE(addrs[0]); 01301 SAFE_FREE(addrs); 01302 SAFE_FREE(kerb_addr); 01303 return ENOMEM; 01304 } 01305 01306 memcpy(addrs[0]->contents, buf, addrs[0]->length); 01307 01308 addrs[1] = NULL; 01309 } 01310 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */ 01311 { 01312 addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses)); 01313 if (addrs == NULL) { 01314 SAFE_FREE(kerb_addr); 01315 return ENOMEM; 01316 } 01317 01318 memset(addrs, 0, sizeof(krb5_addresses)); 01319 01320 addrs->len = 1; 01321 addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address)); 01322 if (addrs->val == NULL) { 01323 SAFE_FREE(addrs); 01324 SAFE_FREE(kerb_addr); 01325 return ENOMEM; 01326 } 01327 01328 addrs->val[0].addr_type = KRB5_ADDR_NETBIOS; 01329 addrs->val[0].address.length = MAX_NETBIOSNAME_LEN; 01330 addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length); 01331 if (addrs->val[0].address.data == NULL) { 01332 SAFE_FREE(addrs->val); 01333 SAFE_FREE(addrs); 01334 SAFE_FREE(kerb_addr); 01335 return ENOMEM; 01336 } 01337 01338 memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length); 01339 } 01340 #else 01341 #error UNKNOWN_KRB5_ADDRESS_FORMAT 01342 #endif 01343 (*kerb_addr)->addrs = addrs; 01344 01345 return ret; 01346 }
void smb_krb5_free_error | ( | krb5_context | context, | |
krb5_error * | krberror | |||
) |
krb5_error_code handle_krberror_packet | ( | krb5_context | context, | |
krb5_data * | packet | |||
) |
参照元 parse_setpw_reply().
01359 { 01360 krb5_error_code ret; 01361 BOOL got_error_code = False; 01362 01363 DEBUG(10,("handle_krberror_packet: got error packet\n")); 01364 01365 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */ 01366 { 01367 krb5_error krberror; 01368 01369 if ((ret = krb5_rd_error(context, packet, &krberror))) { 01370 DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n", 01371 error_message(ret))); 01372 return ret; 01373 } 01374 01375 if (krberror.e_data == NULL || krberror.e_data->data == NULL) { 01376 ret = (krb5_error_code) krberror.error_code; 01377 got_error_code = True; 01378 } 01379 01380 smb_krb5_free_error(context, &krberror); 01381 } 01382 #else /* MIT */ 01383 { 01384 krb5_error *krberror; 01385 01386 if ((ret = krb5_rd_error(context, packet, &krberror))) { 01387 DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n", 01388 error_message(ret))); 01389 return ret; 01390 } 01391 01392 if (krberror->e_data.data == NULL) { 01393 ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; 01394 got_error_code = True; 01395 } 01396 smb_krb5_free_error(context, krberror); 01397 } 01398 #endif 01399 if (got_error_code) { 01400 DEBUG(5,("handle_krberror_packet: got KERBERR from kpasswd: %s (%d)\n", 01401 error_message(ret), ret)); 01402 } 01403 return ret; 01404 }
krb5_error_code smb_krb5_get_init_creds_opt_alloc | ( | krb5_context | context, | |
krb5_get_init_creds_opt ** | opt | |||
) |
参照元 kerberos_kinit_password_ext().
01408 { 01409 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC 01410 /* Heimdal or modern MIT version */ 01411 return krb5_get_init_creds_opt_alloc(context, opt); 01412 #else 01413 /* Historical MIT version */ 01414 krb5_get_init_creds_opt *my_opt; 01415 01416 *opt = NULL; 01417 01418 if ((my_opt = SMB_MALLOC(sizeof(krb5_get_init_creds_opt))) == NULL) { 01419 return ENOMEM; 01420 } 01421 01422 krb5_get_init_creds_opt_init(my_opt); 01423 01424 *opt = my_opt; 01425 return 0; 01426 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC */ 01427 }
void smb_krb5_get_init_creds_opt_free | ( | krb5_context | context, | |
krb5_get_init_creds_opt * | opt | |||
) |
参照元 kerberos_kinit_password_ext().
01431 { 01432 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE 01433 01434 #ifdef KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT 01435 /* Modern MIT version */ 01436 krb5_get_init_creds_opt_free(context, opt); 01437 #else 01438 /* Heimdal version */ 01439 krb5_get_init_creds_opt_free(opt); 01440 #endif 01441 01442 #else /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */ 01443 /* Historical MIT version */ 01444 SAFE_FREE(opt); 01445 opt = NULL; 01446 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_FREE */ 01447 }
krb5_error_code smb_krb5_mk_error | ( | krb5_context | context, | |
krb5_error_code | error_code, | |||
const krb5_principal | server, | |||
krb5_data * | reply | |||
) |
01453 { 01454 #ifdef HAVE_SHORT_KRB5_MK_ERROR_INTERFACE /* MIT */ 01455 /* 01456 * The MIT interface is *terrible*. 01457 * We have to construct this ourselves... 01458 */ 01459 krb5_error e; 01460 01461 memset(&e, 0, sizeof(e)); 01462 krb5_us_timeofday(context, &e.stime, &e.susec); 01463 e.server = server; 01464 #if defined(krb5_err_base) 01465 e.error = error_code - krb5_err_base; 01466 #elif defined(ERROR_TABLE_BASE_krb5) 01467 e.error = error_code - ERROR_TABLE_BASE_krb5; 01468 #else 01469 e.error = error_code; /* Almost certainly wrong, but what can we do... ? */ 01470 #endif 01471 01472 return krb5_mk_error(context, &e, reply); 01473 #else /* Heimdal. */ 01474 return krb5_mk_error(context, 01475 error_code, 01476 NULL, 01477 NULL, /* e_data */ 01478 NULL, 01479 server, 01480 NULL, 01481 NULL, 01482 reply); 01483 #endif 01484 }