[PATCH] Fix build with MIT Kerberos

Günther Deschner gd at samba.org
Fri Jul 22 15:21:45 UTC 2016


Hi,

currently master does not build with MIT Kerberos, attached is a fix.

Please review and push.

Thanks,
Guenther
-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
-------------- next part --------------
From 0f0558b70d38f1decddb6ad0443c0a6fb841f93f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 21 Jul 2016 14:26:45 +0200
Subject: [PATCH 1/2] s4-torture: add new torture_assert_krb5_error_equal
 macro.

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
---
 lib/torture/torture.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/torture/torture.h b/lib/torture/torture.h
index 31c02f7..5b957fa 100644
--- a/lib/torture/torture.h
+++ b/lib/torture/torture.h
@@ -301,6 +301,14 @@ void torture_result(struct torture_context *test,
 	} \
 	} while (0)
 
+#define torture_assert_krb5_error_equal(torture_ctx, got, expected, cmt) \
+	do { krb5_error_code __got = got, __expected = expected; \
+	if (__got != __expected) { \
+		torture_result(torture_ctx, TORTURE_FAIL, __location__": "#got" was %d (%s), expected %d (%s): %s", __got, error_message(__got), __expected, error_message(__expected), cmt); \
+		return false; \
+	} \
+	} while (0)
+
 #define torture_assert_casestr_equal(torture_ctx,got,expected,cmt) \
 	do { const char *__got = (got), *__expected = (expected); \
 	if (!strequal(__got, __expected)) { \
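Review bot: The added `torture_assert_krb5_error_equal` initialises its temporaries from the bare macro arguments, unlike `torture_assert_casestr_equal` just below, which uses `(got)` and `(expected)`; for consistency the first line should read `do { krb5_error_code __got = (got), __expected = (expected); \`. The stringified `#got` is also pasted into the format string itself, so an argument expression containing `%` would be read as a conversion; passing it as data (`"%s was %d (%s), ..."` with `#got` as the first variadic argument) avoids that. A short comment above the macro stating that it returns `false` from the enclosing function on mismatch, and that callers need `krb5_error_code` and `error_message()` declared, would document the contract.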
-- 
2.7.4


From 7476b414517466e2bb590e07c9e275c59381e057 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 21 Jul 2016 14:25:56 +0200
Subject: [PATCH 2/2] s4-torture: fix compile of new NDR PAC tests with MIT
 Kerberos.

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
---
 lib/krb5_wrap/krb5_samba.h    |  8 ++++++++
 source4/torture/ndr/krb5pac.c | 32 ++++++++++++++++++++++----------
 2 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 2b5e2bb..f988858 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -85,6 +85,14 @@
 #define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
 #endif
 
+/*
+ * KRB5_KU_OTHER_ENCRYPTED in Heimdal
+ * KRB5_KEYUSAGE_APP_DATA_ENCRYPT in MIT
+ */
+#if defined(KRB5_KEYUSAGE_APP_DATA_ENCRYPT) && !defined(KRB5_KU_OTHER_ENCRYPTED)
+#define KRB5_KU_OTHER_ENCRYPTED KRB5_KEYUSAGE_APP_DATA_ENCRYPT
+#endif
+
 typedef struct {
 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
 	krb5_address **addrs;
diff --git a/source4/torture/ndr/krb5pac.c b/source4/torture/ndr/krb5pac.c
index 23a1214..1deac73 100644
--- a/source4/torture/ndr/krb5pac.c
+++ b/source4/torture/ndr/krb5pac.c
@@ -434,7 +434,7 @@ static bool PAC_DATA_pkinit(struct torture_context *tctx,
 	DATA_BLOB reply_key_blob = data_blob_null;
 	krb5_context ctx;
 	krb5_keyblock reply_key;
-	krb5_crypto crypto;
+	krb5_enc_data input;
 	krb5_data plain_data;
 	DATA_BLOB plain_data_blob = data_blob_null;
 
@@ -474,21 +474,33 @@ static bool PAC_DATA_pkinit(struct torture_context *tctx,
 					reply_key_blob.data, reply_key_blob.length,
 					&reply_key), 0,
 				"smb_krb5_keyblock_init_contents");
-	torture_assert_int_equal(tctx, krb5_crypto_init(ctx,
-					&reply_key, ETYPE_NULL,
-					&crypto), 0,
-				"krb5_crypto_init");
-	torture_assert_int_equal(tctx, krb5_decrypt(ctx, crypto,
+
+	ZERO_STRUCT(input);
+
+	input.ciphertext.data = (char *)r->buffers[1].info->credential_info.encrypted_data.data;
+	input.ciphertext.length = r->buffers[1].info->credential_info.encrypted_data.length;
+	input.enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+
+	plain_data.data = malloc(r->buffers[1].info->credential_info.encrypted_data.length);
+	plain_data.length = r->buffers[1].info->credential_info.encrypted_data.length;
+	torture_assert(tctx, plain_data.data, "malloc failed");
+
+	torture_assert_krb5_error_equal(tctx, krb5_c_decrypt(ctx,
+#ifdef SAMBA4_USES_HEIMDAL
+					reply_key,
+#else
+					&reply_key,
+#endif
 					KRB5_KU_OTHER_ENCRYPTED,
-					r->buffers[1].info->credential_info.encrypted_data.data,
-					r->buffers[1].info->credential_info.encrypted_data.length,
+					NULL,
+					&input,
 					&plain_data), 0,
 				"krb5_decrypt");
+
 	torture_assert_int_equal(tctx, plain_data.length, 112, "plain_data.length");
 	plain_data_blob = data_blob_talloc(tctx, plain_data.data, plain_data.length);
 	torture_assert_int_equal(tctx, plain_data_blob.length, 112, "plain_data_blob.length");
-	krb5_data_free(&plain_data);
-	krb5_crypto_destroy(ctx, crypto);
+	kerberos_free_data_contents(ctx, &plain_data);
 	krb5_free_keyblock_contents(ctx, &reply_key);
 	krb5_free_context(ctx);
 	torture_assert_data_blob_equal(tctx,
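Review bot: The `#ifdef SAMBA4_USES_HEIMDAL` / `#else` / `#endif` lines sit inside the argument list of the function-like macro `torture_assert_krb5_error_equal`, and the C standard leaves preprocessing directives within macro arguments undefined. Calling `krb5_c_decrypt()` into a `krb5_error_code` local first and passing that local to the macro avoids this, and lets the message string say `krb5_c_decrypt` rather than the stale `krb5_decrypt`. It also gives a place to release the `malloc()`ed `plain_data.data` when the call fails, because the macro from patch 1/2 returns `false` before `kerberos_free_data_contents()` is reached. `PAC_DATA_pkinit` starts and ends outside this hunk, so the local's declaration would go with the other locals above.

```c
	/* … unchanged: ZERO_STRUCT(input), ciphertext/enctype setup, malloc of plain_data … */

	/* code: a krb5_error_code local declared with the function's other locals */
#ifdef SAMBA4_USES_HEIMDAL
	code = krb5_c_decrypt(ctx, reply_key,
#else
	code = krb5_c_decrypt(ctx, &reply_key,
#endif
			      KRB5_KU_OTHER_ENCRYPTED,
			      NULL,
			      &input,
			      &plain_data);
	torture_assert_krb5_error_equal(tctx, code, 0, "krb5_c_decrypt");

	/* … unchanged: length checks, data_blob_talloc, frees … */
```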
-- 
2.7.4
