r1457: Add the GSSAPI layer to our gensec_krb5 code.

Andrew Bartlett
(This used to be commit 893a9a3865d7046d8b1cb0418aaf48b88beefa05)

2 files changed, 142 insertions, 33 deletions

diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 2035a5bf9a..dbb2a10659 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -66,6 +66,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
 	initialize_krb5_error_table();
 	gensec_krb5_state->krb5_context = NULL;
 	gensec_krb5_state->krb5_auth_context = NULL;
+	gensec_krb5_state->krb5_ccdef = NULL;
 	gensec_krb5_state->session_key = data_blob(NULL, 0);
 
 	ret = krb5_init_context(&gensec_krb5_state->krb5_context);
@@ -120,6 +121,13 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 	gensec_krb5_state = gensec_security->private_data;
 	gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
 
+	ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->ccdef);
+	if (ret) {
+		DEBUG(1,("krb5_cc_default failed (%s)\n",
+			 error_message(ret)));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	
 	return NT_STATUS_OK;
 }
 
@@ -127,6 +135,16 @@ static void gensec_krb5_end(struct gensec_security *gensec_security)
 {
 	struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
 
+	if (gensec_krb5_state->krb5_ccdef) {
+		/* Removed by jra. They really need to fix their kerberos so we don't leak memory. 
+		   JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
+		   SuSE 9.1 Pro 
+		*/
+#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
+		krb5_cc_close(context, gensec_krb5_state->krb5_ccdef);
+#endif
+	}
+
 	if (gensec_krb5_state->krb5_auth_context) {
 		krb5_auth_con_free(gensec_krb5_state->krb5_context, 
 				   gensec_krb5_state->krb5_auth_context);
@@ -164,7 +182,6 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
 	case GENSEC_KRB5_CLIENT_START:
 	{
 		krb5_data packet;
-		krb5_ccache ccdef = NULL;
 		
 #if 0 /* When we get some way to input the time offset */
 		if (time_offset != 0) {
@@ -172,20 +189,9 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
 		}
 #endif
 
-		ret = krb5_cc_default(gensec_krb5_state->krb5_context, &ccdef);
-		if (ret) {
-			DEBUG(1,("krb5_cc_default failed (%s)\n",
-				 error_message(ret)));
-			return NT_STATUS_INTERNAL_ERROR;
-		}
-
 		ret = ads_krb5_mk_req(gensec_krb5_state->krb5_context, 
 				      &gensec_krb5_state->krb5_auth_context, 
-				      AP_OPTS_USE_SUBKEY
-#ifdef MUTUAL_AUTH
- | AP_OPTS_MUTUAL_REQUIRED
-#endif
-				      , 
+				      AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
 				      gensec_security->target.principal,
 				      ccdef, &packet);
 		if (ret) {
@@ -193,28 +199,19 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
 				 error_message(ret)));
 			nt_status = NT_STATUS_LOGON_FAILURE;
 		} else {
-			*out = data_blob_talloc(out_mem_ctx, packet.data, packet.length);
+			DATA_BLOB unwrapped_out;
+			unwrapped_out = data_blob_talloc(out_mem_ctx, packet.data, packet.length);
 			
+			/* wrap that up in a nice GSS-API wrapping */
+			*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
 			/* Hmm, heimdal dooesn't have this - what's the correct call? */
 #ifdef HAVE_KRB5_FREE_DATA_CONTENTS
 			krb5_free_data_contents(gensec_krb5_state->krb5_context, &packet); 
 #endif
-#ifdef MUTUAL_AUTH
 			gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
 			nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
-#else 
-			gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
-			nt_status = NT_STATUS_OK;
-#endif
 		}
 		
-		/* Removed by jra. They really need to fix their kerberos so we don't leak memory. 
-		   JERRY -- disabled since it causes heimdal 0.6.1rc3 to die
-		   SuSE 9.1 Pro 
-		*/
-#if 0 /* redisabled by gd :) at least until any official heimdal version has it fixed. */
-		krb5_cc_close(context, ccdef);
-#endif
 		return nt_status;
 	}
 		
@@ -222,8 +219,16 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
 	{
 		krb5_data inbuf;
 		krb5_ap_rep_enc_part *repl = NULL;
-		inbuf.data = in.data;
-		inbuf.length = in.length;
+		uint8 tok_id[2];
+		DATA_BLOB unwrapped_in;
+
+		if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+		/* TODO: check the tok_id */
+
+		inbuf.data = unwrapped_in.data;
+		inbuf.length = unwrapped_in.length;
 		ret = krb5_rd_rep(gensec_krb5_state->krb5_context, 
 				  gensec_krb5_state->krb5_auth_context,
 				  &inbuf, &repl);
@@ -246,18 +251,34 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
 	case GENSEC_KRB5_SERVER_START:
 	{
 		char *principal;
+		DATA_BLOB unwrapped_in;
+		DATA_BLOB unwrapped_out;
+		uint8 tok_id[2];
+
+		/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
+		if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
+			nt_status = ads_verify_ticket(out_mem_ctx, 
+						      gensec_krb5_state->krb5_context, 
+						      gensec_krb5_state->krb5_auth_context, 
+						      lp_realm(), &in, 
+						      &principal, &pac, &unwrapped_out);
+		} else {
+			/* TODO: check the tok_id */
+			nt_status = ads_verify_ticket(out_mem_ctx, 
+						      gensec_krb5_state->krb5_context, 
+						      gensec_krb5_state->krb5_auth_context, 
+						      lp_realm(), &unwrapped_in, 
+						      &principal, &pac, &unwrapped_out);
+		}
 
-		nt_status = ads_verify_ticket(out_mem_ctx, 
-					      gensec_krb5_state->krb5_context, 
-					      gensec_krb5_state->krb5_auth_context, 
-					      lp_realm(), &in, 
-					      &principal, &pac, out);
 		gensec_krb5_state->pac = data_blob_talloc_steal(out_mem_ctx, gensec_krb5_state->mem_ctx, 
 								&pac);
 		/* TODO: parse the pac */
 
 		if (NT_STATUS_IS_OK(nt_status)) {
 			gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
+			/* wrap that up in a nice GSS-API wrapping */
+			*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
 		}
 		SAFE_FREE(principal);
 		return nt_status;
diff --git a/source4/libcli/auth/gssapi_parse.c b/source4/libcli/auth/gssapi_parse.c
new file mode 100644
index 0000000000..4a80e1d799
--- /dev/null
+++ b/source4/libcli/auth/gssapi_parse.c
@@ -0,0 +1,88 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   simple GSSAPI wrappers
+
+   Copyright (C) Andrew Tridgell 2001
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+   Copyright (C) Luke Howard     2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+/*
+  generate a krb5 GSS-API wrapper packet given a ticket
+*/
+DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8 tok_id[2])
+{
+	ASN1_DATA data;
+	DATA_BLOB ret;
+
+	ZERO_STRUCT(data);
+
+	asn1_push_tag(&data, ASN1_APPLICATION(0));
+	asn1_write_OID(&data, OID_KERBEROS5);
+
+	asn1_write(&data, tok_id, 2);
+	asn1_write(&data, ticket->data, ticket->length);
+	asn1_pop_tag(&data);
+
+	if (data.has_error) {
+		DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data.ofs));
+		asn1_free(&data);
+	}
+
+	ret = data_blob_talloc(mem_ctx, data.data, data.length);
+	asn1_free(&data);
+
+	return ret;
+}
+
+/*
+  parse a krb5 GSS-API wrapper packet giving a ticket
+*/
+BOOL gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8 tok_id[2])
+{
+	BOOL ret;
+	ASN1_DATA data;
+	int data_remaining;
+
+	asn1_load(&data, *blob);
+	asn1_start_tag(&data, ASN1_APPLICATION(0));
+	asn1_check_OID(&data, OID_KERBEROS5);
+
+	data_remaining = asn1_tag_remaining(&data);
+
+	if (data_remaining < 3) {
+		data.has_error = True;
+	} else {
+		asn1_read(&data, tok_id, 2);
+		data_remaining -= 2;
+		*ticket = data_blob_talloc(mem_ctx, NULL, data_remaining);
+		asn1_read(&data, ticket->data, ticket->length);
+	}
+
+	asn1_end_tag(&data);
+
+	ret = !data.has_error;
+
+	asn1_free(&data);
+
+	return ret;
+}
+
+