Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-19 17:20:00 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-19 17:20:00 +0000
commit: 8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch)
tree: 4099e8021376c7d8c05bdf8503093d80e9c7bad0 /lib/krb5_wrap/krb5_samba.h
parent: Initial commit. (diff)
download: samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz
samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip
1 files changed, 443 insertions, 0 deletions
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
new file mode 100644
index 0000000..e158a40
--- /dev/null
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -0,0 +1,443 @@
+/*
+   Unix SMB/CIFS implementation.
+   simple kerberos5 routines for active directory
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Luke Howard 2002-2003
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
+   Copyright (C) Guenther Deschner 2005-2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _KRB5_SAMBA_H
+#define _KRB5_SAMBA_H
+
+#include "lib/util/data_blob.h"
+#include "libcli/util/ntstatus.h"
+
+#ifdef HAVE_KRB5
+
+#define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
+/* this file uses DEPRECATED interfaces! */
+
+#ifdef KRB5_DEPRECATED
+#undef KRB5_DEPRECATED
+#endif
+
+#if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
+#define KRB5_DEPRECATED 1
+#else
+#define KRB5_DEPRECATED
+#endif
+
+#include "system/kerberos.h"
+#include "system/network.h"
+
+#ifndef KRB5_ADDR_NETBIOS
+#define KRB5_ADDR_NETBIOS 0x14
+#endif
+
+#ifndef KRB5KRB_ERR_RESPONSE_TOO_BIG
+#define KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332L)
+#endif
+
+/* Heimdal uses a slightly different name */
+#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC)
+#define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
+#endif
+#if defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56) && !defined(HAVE_ENCTYPE_ARCFOUR_HMAC_EXP)
+#define ENCTYPE_ARCFOUR_HMAC_EXP ENCTYPE_ARCFOUR_HMAC_MD5_56
+#endif
+
+/* The older versions of heimdal that don't have this
+   define don't seem to use it anyway.  I'm told they
+   always use a subkey */
+#ifndef HAVE_AP_OPTS_USE_SUBKEY
+#define AP_OPTS_USE_SUBKEY 0
+#endif
+
+#ifndef KRB5_PW_SALT
+#define KRB5_PW_SALT 3
+#endif
+
+/* CKSUMTYPE_HMAC_MD5 in Heimdal
+   CKSUMTYPE_HMAC_MD5_ARCFOUR in MIT */
+#if defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && !defined(CKSUMTYPE_HMAC_MD5)
+#define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR
+#endif
+
+/*
+ * CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal
+ * CKSUMTYPE_HMAC_SHA1_96_AES* in MIT
+ */
+#if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
+#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128
+#endif
+#if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
+#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
+#endif
+
+/*
+ * KRB5_KU_OTHER_ENCRYPTED in Heimdal
+ * KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT
+ */
+#if defined(KRB5_KEYUSAGE_APP_DATA_ENCRYPT) && !defined(KRB5_KU_OTHER_ENCRYPTED)
+#define KRB5_KU_OTHER_ENCRYPTED KRB5_KEYUSAGE_APP_DATA_ENCRYPT
+#endif
+
+typedef struct {
+#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+	krb5_address **addrs;
+#elif defined(HAVE_KRB5_ADDRESSES) /* Heimdal */
+	krb5_addresses *addrs;
+#else
+#error UNKNOWN_KRB5_ADDRESS_TYPE
+#endif /* defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) */
+} smb_krb5_addresses;
+
+#ifdef HAVE_KRB5_KEYTAB_ENTRY_KEY               /* MIT */
+#define KRB5_KT_KEY(k)		(&(k)->key)
+#elif defined(HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK)  /* Heimdal */
+#define KRB5_KT_KEY(k)		(&(k)->keyblock)
+#else
+#error krb5_keytab_entry has no key or keyblock member
+#endif /* HAVE_KRB5_KEYTAB_ENTRY_KEY */
+
+/* work around broken krb5.h on sles9 */
+#ifdef SIZEOF_LONG
+#undef SIZEOF_LONG
+#endif
+
+#ifdef HAVE_KRB5_KEYBLOCK_KEYVALUE /* Heimdal */
+#define KRB5_KEY_TYPE(k)	((k)->keytype)
+#define KRB5_KEY_LENGTH(k)	((k)->keyvalue.length)
+#define KRB5_KEY_DATA(k)	((k)->keyvalue.data)
+#define KRB5_KEY_DATA_CAST	void
+#else /* MIT */
+#define KRB5_KEY_TYPE(k)	((k)->enctype)
+#define KRB5_KEY_LENGTH(k)	((k)->length)
+#define KRB5_KEY_DATA(k)	((k)->contents)
+#define KRB5_KEY_DATA_CAST	krb5_octet
+#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+
+#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */
+#define KRB5_ERROR_CODE(k)	((k)->error_code)
+#else /* MIT */
+#define KRB5_ERROR_CODE(k)	((k)->error)
+#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+
+#ifndef HAVE_KRB5_CONST_PAC
+#ifdef KRB5_CONST_PAC_GET_BUFFER
+typedef const struct krb5_pac_data *krb5_const_pac;
+#else
+/*
+ * Certain Heimdal versions include a version of krb5_pac_get_buffer() that is
+ * unusable in certain cases, taking a krb5_pac when a krb5_const_pac may be all
+ * that we can supply. Furthermore, MIT Kerberos doesn't declare krb5_const_pac
+ * at all. In such cases, we must declare krb5_const_pac as a non-const typedef
+ * so that the build can succeed.
+ */
+typedef struct krb5_pac_data *krb5_const_pac;
+#endif
+#endif
+
+krb5_error_code smb_krb5_parse_name(krb5_context context,
+				const char *name, /* in unix charset */
+                                krb5_principal *principal);
+
+krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
+				      krb5_context context,
+				      krb5_const_principal principal,
+				      char **unix_name);
+
+krb5_error_code smb_krb5_init_context_common(krb5_context *_krb5_context);
+
+krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc);
+
+#if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
+krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock);
+#endif
+
+#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
+void krb5_free_unparsed_name(krb5_context ctx, char *val);
+#endif
+
+#if !defined(HAVE_KRB5_FREE_ENCTYPES)
+void krb5_free_enctypes(krb5_context context, krb5_enctype *val);
+#endif
+
+#if !defined(HAVE_KRB5_FREE_STRING)
+void krb5_free_string(krb5_context context, char *val);
+#endif
+
+/* Stub out initialize_krb5_error_table since it is not present in all
+ * Kerberos implementations. If it's not present, it's not necessary to
+ * call it.
+ */
+#ifndef HAVE_INITIALIZE_KRB5_ERROR_TABLE
+#define initialize_krb5_error_table()
+#endif
+
+/* Samba wrapper functions for krb5 functionality. */
+bool smb_krb5_sockaddr_to_kaddr(struct sockaddr_storage *paddr,
+				krb5_address *pkaddr);
+
+krb5_error_code smb_krb5_mk_error(krb5_context context,
+				  krb5_error_code error_code,
+				  const char *e_text,
+				  krb5_data *e_data,
+				  const krb5_principal client,
+				  const krb5_principal server,
+				  krb5_data *enc_err);
+
+krb5_error_code smb_krb5_get_allowed_etypes(krb5_context context,
+					    krb5_enctype **enctypes);
+
+bool smb_krb5_get_smb_session_key(TALLOC_CTX *mem_ctx,
+				  krb5_context context,
+				  krb5_auth_context auth_context,
+				  DATA_BLOB *session_key,
+				  bool remote);
+
+krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
+void smb_krb5_free_data_contents(krb5_context context, krb5_data *pdata);
+krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *expire_time);
+krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr,
+						  const char *netbios_name);
+krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr);
+krb5_enctype smb_krb5_kt_get_enctype_from_entry(krb5_keytab_entry *kt_entry);
+
+krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
+					    krb5_enctype enctype,
+					    char **etype_s);
+krb5_error_code smb_krb5_kt_open_relative(krb5_context context,
+					  const char *keytab_name_req,
+					  bool write_access,
+					  krb5_keytab *keytab);
+krb5_error_code smb_krb5_kt_open(krb5_context context,
+				 const char *keytab_name,
+				 bool write_access,
+				 krb5_keytab *keytab);
+krb5_error_code smb_krb5_kt_get_name(TALLOC_CTX *mem_ctx,
+				     krb5_context context,
+				     krb5_keytab keytab,
+				     const char **keytab_name);
+krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
+							krb5_keytab keytab,
+							bool keep_old_kvno,
+							krb5_kvno kvno,
+							bool enctype_only,
+							krb5_enctype enctype,
+							const char *princ_s,
+							krb5_principal princ,
+							bool flush);
+krb5_error_code smb_krb5_kt_add_entry(krb5_context context,
+				      krb5_keytab keytab,
+				      krb5_kvno kvno,
+				      const char *princ_s,
+				      const char *salt_principal,
+				      krb5_enctype enctype,
+				      krb5_data *password,
+				      bool no_salt);
+
+krb5_error_code smb_krb5_get_credentials(krb5_context context,
+					 krb5_ccache ccache,
+					 krb5_principal me,
+					 krb5_principal server,
+					 krb5_principal impersonate_princ,
+					 krb5_creds **out_creds);
+krb5_error_code smb_krb5_keyblock_init_contents(krb5_context context,
+						krb5_enctype enctype,
+						const void *data,
+						size_t length,
+						krb5_keyblock *key);
+krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx,
+					       krb5_ccache cc,
+					       krb5_principal principal,
+					       krb5_keyblock *keyblock,
+					       const char *target_service,
+					       krb5_get_init_creds_opt *krb_options,
+					       time_t *expire_time,
+					       time_t *kdc_time);
+krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
+					       krb5_ccache cc,
+					       krb5_principal principal,
+					       const char *password,
+					       const char *target_service,
+					       krb5_get_init_creds_opt *krb_options,
+					       time_t *expire_time,
+					       time_t *kdc_time);
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+					   krb5_ccache store_cc,
+					   krb5_principal init_principal,
+					   const char *init_password,
+					   krb5_principal impersonate_principal,
+					   const char *self_service,
+					   const char *target_service,
+					   krb5_get_init_creds_opt *krb_options,
+					   time_t *expire_time,
+					   time_t *kdc_time);
+
+#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
+#define smb_krb5_make_principal krb5_make_principal
+#elif defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
+krb5_error_code smb_krb5_make_principal(krb5_context context,
+					krb5_principal *principal,
+					const char *realm, ...);
+#else
+#error krb5_make_principal not available
+#endif
+
+#if defined(HAVE_KRB5_CC_GET_LIFETIME)
+#define smb_krb5_cc_get_lifetime krb5_cc_get_lifetime
+#elif defined(HAVE_KRB5_CC_RETRIEVE_CRED)
+krb5_error_code smb_krb5_cc_get_lifetime(krb5_context context,
+					 krb5_ccache id,
+					 time_t *t);
+#else
+#error krb5_cc_get_lifetime not available
+#endif
+
+#if defined(HAVE_KRB5_FREE_CHECKSUM_CONTENTS)
+#define smb_krb5_free_checksum_contents krb5_free_checksum_contents
+#elif defined (HAVE_FREE_CHECKSUM)
+void smb_krb5_free_checksum_contents(krb5_context ctx, krb5_checksum *cksum);
+#else
+#error krb5_free_checksum_contents/free_Checksum is not available
+#endif
+
+krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
+					   DATA_BLOB *pac_data,
+					   krb5_context context,
+					   const krb5_keyblock *keyblock,
+					   uint32_t *sig_type,
+					   DATA_BLOB *sig_blob);
+
+char *smb_krb5_principal_get_realm(TALLOC_CTX *mem_ctx,
+				   krb5_context context,
+				   krb5_const_principal principal);
+
+void smb_krb5_principal_set_type(krb5_context context,
+				 krb5_principal principal,
+				 int type);
+
+int smb_krb5_principal_is_tgs(krb5_context context,
+			      krb5_const_principal principal);
+
+krb5_error_code smb_krb5_principal_set_realm(krb5_context context,
+					     krb5_principal principal,
+					     const char *realm);
+
+char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+				       const char *hostname,
+				       const char *client_realm);
+
+char *smb_get_krb5_error_message(krb5_context context,
+				 krb5_error_code code,
+				 TALLOC_CTX *mem_ctx);
+
+#if defined(HAVE_KRB5_KT_COMPARE)
+#define smb_krb5_kt_compare krb5_kt_compare
+#else
+krb5_boolean smb_krb5_kt_compare(krb5_context context,
+				 krb5_keytab_entry *entry,
+				 krb5_const_principal principal,
+				 krb5_kvno vno,
+				 krb5_enctype enctype);
+#endif
+
+const krb5_enctype *samba_all_enctypes(void);
+
+uint32_t kerberos_enctype_to_bitmap(krb5_enctype enc_type_enum);
+krb5_enctype ms_suptype_to_ietf_enctype(uint32_t enctype_bitmap);
+krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
+					     uint32_t enctype_bitmap,
+					     krb5_enctype **enctypes);
+int smb_krb5_get_pw_salt(krb5_context context,
+			 krb5_const_principal host_princ,
+			 krb5_data *psalt);
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+			    const char *realm,
+			    const char *sAMAccountName,
+			    const char *userPrincipalName,
+			    uint32_t uac_flags,
+			    krb5_principal *salt_princ);
+
+int smb_krb5_salt_principal_str(const char *realm,
+				const char *sAMAccountName,
+				const char *userPrincipalName,
+				uint32_t uac_flags,
+				TALLOC_CTX *mem_ctx,
+				char **_salt_principal);
+int smb_krb5_salt_principal2data(krb5_context context,
+				 const char *salt_principal,
+				 TALLOC_CTX *mem_ctx,
+				 char **_salt_data);
+
+int smb_krb5_create_key_from_string(krb5_context context,
+				    krb5_const_principal host_princ,
+				    const krb5_data *salt,
+				    const krb5_data *password,
+				    krb5_enctype enctype,
+				    krb5_keyblock *key);
+
+#ifndef krb5_princ_size
+#if defined(HAVE_KRB5_PRINCIPAL_GET_NUM_COMP)
+#define krb5_princ_size krb5_principal_get_num_comp
+#else
+#error krb5_princ_size unavailable
+#endif
+#endif
+
+krb5_error_code smb_krb5_principal_get_comp_string(TALLOC_CTX *mem_ctx,
+						   krb5_context context,
+						   krb5_const_principal principal,
+						   unsigned int component,
+						   char **out);
+
+krb5_error_code smb_krb5_copy_data_contents(krb5_data *p,
+					    const void *data,
+					    size_t len);
+
+krb5_data smb_krb5_make_data(void *data,
+			     size_t len);
+
+krb5_data smb_krb5_data_from_blob(DATA_BLOB blob);
+
+int smb_krb5_principal_get_type(krb5_context context,
+				krb5_const_principal principal);
+
+#if !defined(HAVE_KRB5_WARNX)
+krb5_error_code krb5_warnx(krb5_context context, const char *fmt, ...)
+	PRINTF_ATTRIBUTE(2, 0);
+#endif
+
+krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
+				       krb5_ccache incc, krb5_ccache outcc);
+
+#endif /* HAVE_KRB5 */
+
+int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
+			    const char *principal,
+			    time_t time_offset,
+			    DATA_BLOB *ticket,
+			    DATA_BLOB *session_key_krb5,
+			    uint32_t extra_ap_opts, const char *ccname,
+			    time_t *tgs_expire,
+			    const char *impersonate_princ_s);
+
+NTSTATUS krb5_to_nt_status(krb5_error_code kerberos_error);
+krb5_error_code nt_status_to_krb5(NTSTATUS nt_status);
+
+#endif /* _KRB5_SAMBA_H */
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-19 17:20:00 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-19 17:20:00 +0000
commit	8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch)
tree	4099e8021376c7d8c05bdf8503093d80e9c7bad0 /lib/krb5_wrap/krb5_samba.h
parent	Initial commit. (diff)
download	samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip