[PATCH] Fix build with MIT Kerberos
Günther Deschner
gd at samba.org
Fri Jul 22 15:21:45 UTC 2016
Hi,
master currently does not build with MIT Kerberos; a fix is attached.
Please review and push.
Thanks,
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner at redhat.com
Samba Team gd at samba.org
-------------- next part --------------
From 0f0558b70d38f1decddb6ad0443c0a6fb841f93f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 21 Jul 2016 14:26:45 +0200
Subject: [PATCH 1/2] s4-torture: add new torture_assert_krb5_error_equal
macro.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
---
lib/torture/torture.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lib/torture/torture.h b/lib/torture/torture.h
index 31c02f7..5b957fa 100644
--- a/lib/torture/torture.h
+++ b/lib/torture/torture.h
@@ -301,6 +301,14 @@ void torture_result(struct torture_context *test,
} \
} while (0)
+#define torture_assert_krb5_error_equal(torture_ctx, got, expected, cmt) \
+ do { krb5_error_code __got = got, __expected = expected; \
+ if (__got != __expected) { \
+ torture_result(torture_ctx, TORTURE_FAIL, __location__": "#got" was %d (%s), expected %d (%s): %s", __got, error_message(__got), __expected, error_message(__expected), cmt); \
+ return false; \
+ } \
+ } while (0)
+
#define torture_assert_casestr_equal(torture_ctx,got,expected,cmt) \
do { const char *__got = (got), *__expected = (expected); \
if (!strequal(__got, __expected)) { \
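Review bot: The macro arguments are expanded unparenthesized in `krb5_error_code __got = got, __expected = expected;`, unlike the neighbouring `torture_assert_casestr_equal`, which initialises from `(got)` and `(expected)`; an argument that contains a comma operator would be split across the two declarators. Use `krb5_error_code __got = (got), __expected = (expected);`. The macro also relies on `krb5_error_code` and `error_message()` being declared wherever it is expanded, which the visible lines of torture.h do not guarantee, so a short comment above the macro naming the headers a caller must include would help.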
--
2.7.4
From 7476b414517466e2bb590e07c9e275c59381e057 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 21 Jul 2016 14:25:56 +0200
Subject: [PATCH 2/2] s4-torture: fix compile of new NDR PAC tests with MIT
Kerberos.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
---
lib/krb5_wrap/krb5_samba.h | 8 ++++++++
source4/torture/ndr/krb5pac.c | 32 ++++++++++++++++++++++----------
2 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 2b5e2bb..f988858 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -85,6 +85,14 @@
#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
#endif
+/*
+ * KRB5_KU_OTHER_ENCRYPTED in Heimdal
+ * KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT
+ */
+#if defined(KRB5_KEYUSAGE_APP_DATA_ENCRYPT) && !defined(KRB5_KU_OTHER_ENCRYPTED)
+#define KRB5_KU_OTHER_ENCRYPTED KRB5_KEYUSAGE_APP_DATA_ENCRYPT
+#endif
+
typedef struct {
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
krb5_address **addrs;
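Review bot: The `!defined(KRB5_KU_OTHER_ENCRYPTED)` half of the guard only detects preprocessor macros, so if Heimdal declares its KRB5_KU_* usages as enum constants (I believe it does, please confirm) that test is always true and the mapping is kept off Heimdal builds solely because `KRB5_KEYUSAGE_APP_DATA_ENCRYPT` is undefined there. The comment should say this and state that the two names are expected to denote the same key-usage number, since a different usage would make the decrypt in krb5pac.c fail its integrity check rather than fail to compile. Something like `/* MIT exposes key usages as macros; map the Heimdal name onto the equivalent MIT one. */` would do.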
diff --git a/source4/torture/ndr/krb5pac.c b/source4/torture/ndr/krb5pac.c
index 23a1214..1deac73 100644
--- a/source4/torture/ndr/krb5pac.c
+++ b/source4/torture/ndr/krb5pac.c
@@ -434,7 +434,7 @@ static bool PAC_DATA_pkinit(struct torture_context *tctx,
DATA_BLOB reply_key_blob = data_blob_null;
krb5_context ctx;
krb5_keyblock reply_key;
- krb5_crypto crypto;
+ krb5_enc_data input;
krb5_data plain_data;
DATA_BLOB plain_data_blob = data_blob_null;
@@ -474,21 +474,33 @@ static bool PAC_DATA_pkinit(struct torture_context *tctx,
reply_key_blob.data, reply_key_blob.length,
&reply_key), 0,
"smb_krb5_keyblock_init_contents");
- torture_assert_int_equal(tctx, krb5_crypto_init(ctx,
- &reply_key, ETYPE_NULL,
- &crypto), 0,
- "krb5_crypto_init");
- torture_assert_int_equal(tctx, krb5_decrypt(ctx, crypto,
+
+ ZERO_STRUCT(input);
+
+ input.ciphertext.data = (char *)r->buffers[1].info->credential_info.encrypted_data.data;
+ input.ciphertext.length = r->buffers[1].info->credential_info.encrypted_data.length;
+ input.enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+
+ plain_data.data = malloc(r->buffers[1].info->credential_info.encrypted_data.length);
+ plain_data.length = r->buffers[1].info->credential_info.encrypted_data.length;
+ torture_assert(tctx, plain_data.data, "malloc failed");
+
+ torture_assert_krb5_error_equal(tctx, krb5_c_decrypt(ctx,
+#ifdef SAMBA4_USES_HEIMDAL
+ reply_key,
+#else
+ &reply_key,
+#endif
KRB5_KU_OTHER_ENCRYPTED,
- r->buffers[1].info->credential_info.encrypted_data.data,
- r->buffers[1].info->credential_info.encrypted_data.length,
+ NULL,
+ &input,
&plain_data), 0,
"krb5_decrypt");
+
torture_assert_int_equal(tctx, plain_data.length, 112, "plain_data.length");
plain_data_blob = data_blob_talloc(tctx, plain_data.data, plain_data.length);
torture_assert_int_equal(tctx, plain_data_blob.length, 112, "plain_data_blob.length");
- krb5_data_free(&plain_data);
- krb5_crypto_destroy(ctx, crypto);
+ kerberos_free_data_contents(ctx, &plain_data);
krb5_free_keyblock_contents(ctx, &reply_key);
krb5_free_context(ctx);
torture_assert_data_blob_equal(tctx,
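Review bot: The buffer obtained from `malloc()` for `plain_data.data` is leaked whenever one of the asserts after it fails, because `torture_assert_krb5_error_equal` (added in patch 1/2) does `return false` and `kerberos_free_data_contents()` is only reached after the two length checks; `reply_key` and `ctx` are lost on the same paths. Storing the call result in a local `krb5_error_code ret`, copying into `plain_data_blob` only when `ret == 0`, and releasing the three resources before asserting on `ret` and the blob length would close that. The assert label is also stale: `"krb5_decrypt"` should read `"krb5_c_decrypt"`. Heimdal's `krb5_c_decrypt` glue may allocate the output itself, in which case the pre-allocated buffer would be orphaned on that build; worth confirming. PAC_DATA_pkinit starts and ends outside the hunk.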
--
2.7.4