r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.

Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c

Andrew Bartlett
(This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)

3 files changed, 102 insertions, 103 deletions

diff --git a/source4/auth/kerberos/config.mk b/source4/auth/kerberos/config.mk
index 689130d567..f75fd99323 100644
--- a/source4/auth/kerberos/config.mk
+++ b/source4/auth/kerberos/config.mk
@@ -4,7 +4,7 @@
 PRIVATE_PROTO_HEADER = proto.h
 OBJ_FILES = kerberos.o \
 			clikrb5.o \
-			kerberos_verify.o \
+			kerberos_heimdal.o \
 			kerberos_util.o \
 			kerberos_pac.o \
 			gssapi_parse.o \
diff --git a/source4/auth/kerberos/kerberos_heimdal.c b/source4/auth/kerberos/kerberos_heimdal.c
new file mode 100644
index 0000000000..f669d0f2f4
--- /dev/null
+++ b/source4/auth/kerberos/kerberos_heimdal.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* This file for code taken from the Heimdal code, to preserve licence */
+/* Modified by Andrew Bartlett <abartlet@samba.org> */
+
+#include "includes.h"
+#include "system/kerberos.h"
+
+/* Taken from  accept_sec_context.c,v 1.65 */
+krb5_error_code smb_rd_req_return_stuff(krb5_context context, 
+					krb5_auth_context *auth_context,
+					const krb5_data *inbuf,
+					krb5_keytab keytab, 
+					krb5_principal acceptor_principal,
+					krb5_data *outbuf, 
+					krb5_ticket **ticket, 
+					krb5_keyblock **keyblock)
+{
+	krb5_rd_req_in_ctx in = NULL;
+	krb5_rd_req_out_ctx out = NULL;
+	krb5_error_code kret;
+
+	*keyblock = NULL;
+	*ticket = NULL;
+	outbuf->length = 0;
+	outbuf->data = NULL;
+
+	kret = krb5_rd_req_in_ctx_alloc(context, &in);
+	if (kret == 0)
+	    kret = krb5_rd_req_in_set_keytab(context, in, keytab);
+	if (kret) {
+	    if (in)
+		krb5_rd_req_in_ctx_free(context, in);
+	    return kret;
+	}
+
+	kret = krb5_rd_req_ctx(context,
+			       auth_context,
+			       inbuf,
+			       acceptor_principal,
+			       in, &out);
+	krb5_rd_req_in_ctx_free(context, in);
+	if (kret) {
+	    return kret;
+	}
+
+	/*
+	 * We need to remember some data on the context_handle.
+	 */
+	kret = krb5_rd_req_out_get_ticket(context, out, 
+					  ticket);
+	if (kret == 0) {
+	    kret = krb5_rd_req_out_get_keyblock(context, out,
+						keyblock);
+	}
+	krb5_rd_req_out_ctx_free(context, out);
+
+	if (kret == 0) {
+		kret = krb5_mk_rep(context, *auth_context, outbuf);
+	}
+
+	if (kret) {
+		krb5_free_ticket(context, *ticket);
+		krb5_free_keyblock(context, *keyblock);
+		krb5_data_free(outbuf);
+	}
+
+	return kret;
+}
+    
diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c
deleted file mode 100644
index 2111e22aa3..0000000000
--- a/source4/auth/kerberos/kerberos_verify.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-   kerberos utility library
-   Copyright (C) Andrew Tridgell 2001
-   Copyright (C) Remus Koos 2001
-   Copyright (C) Luke Howard 2003   
-   Copyright (C) Guenther Deschner 2003
-   Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "auth/credentials/credentials.h"
-#include "auth/credentials/credentials_krb5.h"
-
-/**********************************************************************************
- Verify an incoming ticket and parse out the principal name and 
- authorization_data if available.
-***********************************************************************************/
-
- NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, 
-			    struct smb_krb5_context *smb_krb5_context,
-			    krb5_auth_context *auth_context,
-			    struct cli_credentials *machine_account,
-			    const char *service, 
-			    const DATA_BLOB *enc_ticket, 
-			    krb5_ticket **tkt,
-			    DATA_BLOB *ap_rep,
-			    krb5_keyblock **keyblock)
-{
-	krb5_keyblock *local_keyblock;
-	krb5_data packet;
-	int ret;
-	krb5_flags ap_req_options = 0;
-	krb5_principal server;
-	krb5_data packet_out;
-
-	struct keytab_container *keytab_container;
-
-	/*
-	 * TODO: Actually hook in the replay cache in Heimdal, then
-	 * re-add calls to setup a replay cache here, in our private
-	 * directory.  This will eventually prevent replay attacks
-	 */
-
-	packet.length = enc_ticket->length;
-	packet.data = (krb5_pointer)enc_ticket->data;
-
-	/* Grab the keytab, however generated */
-	ret = cli_credentials_get_keytab(machine_account, &keytab_container);
-	if (ret) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-	}
-
-	/* This ensures we lookup the correct entry in that keytab */
-	ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, 
-					 &server);
-	if (ret == 0) {
-		ret = krb5_rd_req_return_keyblock(smb_krb5_context->krb5_context, auth_context, &packet,
-						  server,
-						  keytab_container->keytab, &ap_req_options, tkt,
-						  &local_keyblock);
-	}
-
-	if (ret) {
-		DEBUG(3,("ads_secrets_verify_ticket: failed to decrypt with error %s\n",
-			 smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
-		return NT_STATUS_LOGON_FAILURE;
-	}
-	*keyblock = local_keyblock;
-	
-	
-	ret = krb5_mk_rep(smb_krb5_context->krb5_context, *auth_context, &packet_out);
-	if (ret) {
-		krb5_free_ticket(smb_krb5_context->krb5_context, *tkt);
-		
-		DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
-			 smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
-		return NT_STATUS_LOGON_FAILURE;
-	}
-		
-	*ap_rep = data_blob_talloc(mem_ctx, packet_out.data, packet_out.length);
-	krb5_free_data_contents(smb_krb5_context->krb5_context, &packet_out);
-
-	return NT_STATUS_OK;
-}