r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.

Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c

Andrew Bartlett
(This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)

5 files changed, 146 insertions, 134 deletions

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 9f796dc9d1..7094692fb2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1123,9 +1123,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
 		return NT_STATUS_OK;
 	}
 
-	maj_stat = gsskrb5_get_initiator_subkey(&min_stat, 
-						gensec_gssapi_state->gssapi_context,
-						&subkey);
+	maj_stat = gsskrb5_get_subkey(&min_stat, 
+				      gensec_gssapi_state->gssapi_context,
+				      &subkey);
 	if (maj_stat != 0) {
 		DEBUG(1, ("NO session key for this mech\n"));
 		return NT_STATUS_NO_USER_SESSION_KEY;
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 66d2801520..044c7df1de 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -427,48 +427,61 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
 	{
 		DATA_BLOB unwrapped_in;
 		DATA_BLOB unwrapped_out = data_blob(NULL, 0);
+		krb5_data inbuf, outbuf;
 		uint8_t tok_id[2];
+		struct keytab_container *keytab;
+		krb5_principal server_in_keytab;
 
 		if (!in.data) {
 			return NT_STATUS_INVALID_PARAMETER;
 		}	
 
+		/* Grab the keytab, however generated */
+		ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), &keytab);
+		if (ret) {
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+		
+		/* This ensures we lookup the correct entry in that keytab */
+		ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), 
+						 gensec_krb5_state->smb_krb5_context, 
+						 &server_in_keytab);
+
+		if (ret) {
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+		}
+
 		/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
 		if (gensec_krb5_state->gssapi
 		    && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
-			nt_status = ads_verify_ticket(out_mem_ctx, 
-						      gensec_krb5_state->smb_krb5_context,
-						      &gensec_krb5_state->auth_context, 
-						      gensec_get_credentials(gensec_security),
-						      gensec_get_target_service(gensec_security), &unwrapped_in, 
-						      &gensec_krb5_state->ticket, &unwrapped_out,
-						      &gensec_krb5_state->keyblock);
+			inbuf.data = unwrapped_in.data;
+			inbuf.length = unwrapped_in.length;
 		} else {
-			/* TODO: check the tok_id */
-			nt_status = ads_verify_ticket(out_mem_ctx, 
-						      gensec_krb5_state->smb_krb5_context,
-						      &gensec_krb5_state->auth_context, 
-						      gensec_get_credentials(gensec_security),
-						      gensec_get_target_service(gensec_security), 
-						      &in, 
-						      &gensec_krb5_state->ticket, &unwrapped_out,
-						      &gensec_krb5_state->keyblock);
+			inbuf.data = in.data;
+			inbuf.length = in.length;
 		}
 
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			return nt_status;
-		}
+		ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
+					      &gensec_krb5_state->auth_context, 
+					      &inbuf, keytab->keytab, server_in_keytab,  
+					      &outbuf, 
+					      &gensec_krb5_state->ticket, 
+					      &gensec_krb5_state->keyblock);
 
-		if (NT_STATUS_IS_OK(nt_status)) {
-			gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
-			/* wrap that up in a nice GSS-API wrapping */
-			if (gensec_krb5_state->gssapi) {
-				*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
-			} else {
-				*out = unwrapped_out;
-			}
+		if (ret) {
+			return NT_STATUS_LOGON_FAILURE;
 		}
-		return nt_status;
+		unwrapped_out.data = outbuf.data;
+		unwrapped_out.length = outbuf.length;
+		gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
+		/* wrap that up in a nice GSS-API wrapping */
+		if (gensec_krb5_state->gssapi) {
+			*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
+		} else {
+			*out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
+		}
+		krb5_data_free(&outbuf);
+		return NT_STATUS_OK;
 	}
 
 	case GENSEC_KRB5_DONE:
diff --git a/source4/auth/kerberos/config.mk b/source4/auth/kerberos/config.mk
index 689130d567..f75fd99323 100644
--- a/source4/auth/kerberos/config.mk
+++ b/source4/auth/kerberos/config.mk
@@ -4,7 +4,7 @@
 PRIVATE_PROTO_HEADER = proto.h
 OBJ_FILES = kerberos.o \
 			clikrb5.o \
-			kerberos_verify.o \
+			kerberos_heimdal.o \
 			kerberos_util.o \
 			kerberos_pac.o \
 			gssapi_parse.o \
diff --git a/source4/auth/kerberos/kerberos_heimdal.c b/source4/auth/kerberos/kerberos_heimdal.c
new file mode 100644
index 0000000000..f669d0f2f4
--- /dev/null
+++ b/source4/auth/kerberos/kerberos_heimdal.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+/* This file for code taken from the Heimdal code, to preserve licence */
+/* Modified by Andrew Bartlett <abartlet@samba.org> */
+
+#include "includes.h"
+#include "system/kerberos.h"
+
+/* Taken from  accept_sec_context.c,v 1.65 */
+krb5_error_code smb_rd_req_return_stuff(krb5_context context, 
+					krb5_auth_context *auth_context,
+					const krb5_data *inbuf,
+					krb5_keytab keytab, 
+					krb5_principal acceptor_principal,
+					krb5_data *outbuf, 
+					krb5_ticket **ticket, 
+					krb5_keyblock **keyblock)
+{
+	krb5_rd_req_in_ctx in = NULL;
+	krb5_rd_req_out_ctx out = NULL;
+	krb5_error_code kret;
+
+	*keyblock = NULL;
+	*ticket = NULL;
+	outbuf->length = 0;
+	outbuf->data = NULL;
+
+	kret = krb5_rd_req_in_ctx_alloc(context, &in);
+	if (kret == 0)
+	    kret = krb5_rd_req_in_set_keytab(context, in, keytab);
+	if (kret) {
+	    if (in)
+		krb5_rd_req_in_ctx_free(context, in);
+	    return kret;
+	}
+
+	kret = krb5_rd_req_ctx(context,
+			       auth_context,
+			       inbuf,
+			       acceptor_principal,
+			       in, &out);
+	krb5_rd_req_in_ctx_free(context, in);
+	if (kret) {
+	    return kret;
+	}
+
+	/*
+	 * We need to remember some data on the context_handle.
+	 */
+	kret = krb5_rd_req_out_get_ticket(context, out, 
+					  ticket);
+	if (kret == 0) {
+	    kret = krb5_rd_req_out_get_keyblock(context, out,
+						keyblock);
+	}
+	krb5_rd_req_out_ctx_free(context, out);
+
+	if (kret == 0) {
+		kret = krb5_mk_rep(context, *auth_context, outbuf);
+	}
+
+	if (kret) {
+		krb5_free_ticket(context, *ticket);
+		krb5_free_keyblock(context, *keyblock);
+		krb5_data_free(outbuf);
+	}
+
+	return kret;
+}
+    
diff --git a/source4/auth/kerberos/kerberos_verify.c b/source4/auth/kerberos/kerberos_verify.c
deleted file mode 100644
index 2111e22aa3..0000000000
--- a/source4/auth/kerberos/kerberos_verify.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-   kerberos utility library
-   Copyright (C) Andrew Tridgell 2001
-   Copyright (C) Remus Koos 2001
-   Copyright (C) Luke Howard 2003   
-   Copyright (C) Guenther Deschner 2003
-   Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "auth/credentials/credentials.h"
-#include "auth/credentials/credentials_krb5.h"
-
-/**********************************************************************************
- Verify an incoming ticket and parse out the principal name and 
- authorization_data if available.
-***********************************************************************************/
-
- NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, 
-			    struct smb_krb5_context *smb_krb5_context,
-			    krb5_auth_context *auth_context,
-			    struct cli_credentials *machine_account,
-			    const char *service, 
-			    const DATA_BLOB *enc_ticket, 
-			    krb5_ticket **tkt,
-			    DATA_BLOB *ap_rep,
-			    krb5_keyblock **keyblock)
-{
-	krb5_keyblock *local_keyblock;
-	krb5_data packet;
-	int ret;
-	krb5_flags ap_req_options = 0;
-	krb5_principal server;
-	krb5_data packet_out;
-
-	struct keytab_container *keytab_container;
-
-	/*
-	 * TODO: Actually hook in the replay cache in Heimdal, then
-	 * re-add calls to setup a replay cache here, in our private
-	 * directory.  This will eventually prevent replay attacks
-	 */
-
-	packet.length = enc_ticket->length;
-	packet.data = (krb5_pointer)enc_ticket->data;
-
-	/* Grab the keytab, however generated */
-	ret = cli_credentials_get_keytab(machine_account, &keytab_container);
-	if (ret) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-	}
-
-	/* This ensures we lookup the correct entry in that keytab */
-	ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, 
-					 &server);
-	if (ret == 0) {
-		ret = krb5_rd_req_return_keyblock(smb_krb5_context->krb5_context, auth_context, &packet,
-						  server,
-						  keytab_container->keytab, &ap_req_options, tkt,
-						  &local_keyblock);
-	}
-
-	if (ret) {
-		DEBUG(3,("ads_secrets_verify_ticket: failed to decrypt with error %s\n",
-			 smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
-		return NT_STATUS_LOGON_FAILURE;
-	}
-	*keyblock = local_keyblock;
-	
-	
-	ret = krb5_mk_rep(smb_krb5_context->krb5_context, *auth_context, &packet_out);
-	if (ret) {
-		krb5_free_ticket(smb_krb5_context->krb5_context, *tkt);
-		
-		DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
-			 smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
-		return NT_STATUS_LOGON_FAILURE;
-	}
-		
-	*ap_rep = data_blob_talloc(mem_ctx, packet_out.data, packet_out.length);
-	krb5_free_data_contents(smb_krb5_context->krb5_context, &packet_out);
-
-	return NT_STATUS_OK;
-}