spnego

GSSAPI/gssapi.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"github.com/jcmturner/asn1"
+	"github.com/jcmturner/gokrb5/asn1tools"
 )
 
 const (
@@ -59,3 +60,26 @@ func (s *SPNEGO) Unmarshal(b []byte) error {
 	}
 	return nil
 }
+
+func (s *SPNEGO) Marshal() ([]byte, error) {
+	var b []byte
+	if !s.Init && !s.Resp {
+		return b, errors.New("SPNEGO cannot be marshalled. It contains neither a NegTokenInit or NegTokenResp")
+	}
+	hb, _ := asn1.Marshal(MechTypeOID_Krb5)
+	if s.Init {
+		tb, err := s.NegTokenInit.Marshal()
+		if err != nil {
+			return b, fmt.Errorf("Could not marshal NegTokenInit: %v", err)
+		}
+		b = append(hb, tb...)
+	}
+	if s.Resp {
+		tb, err := s.NegTokenResp.Marshal()
+		if err != nil {
+			return b, fmt.Errorf("Could not marshal NegTokenResp: %v", err)
+		}
+		b = append(hb, tb...)
+	}
+	return asn1tools.AddASNAppTag(b, 0), nil
+}

client/http.go

@@ -1,13 +1,13 @@
 package client
 
 import (
-	"github.com/jcmturner/gokrb5/GSSAPI"
+	"encoding/base64"
 	"fmt"
+	"github.com/jcmturner/gokrb5/GSSAPI"
 	"net/http"
-	"encoding/base64"
 )
 
-func (cl *Client) SetKRB5NegotiationHeader(HTTPReq *http.Request, spn string) error {
+func (cl *Client) SetSPNEGOHeader(HTTPReq *http.Request, spn string) error {
 	tkt, skey, err := cl.GetServiceTicket(spn)
 	if err != nil {
 		return fmt.Errorf("Could not get service ticket: %v", err)
@@ -16,12 +16,16 @@ func (cl *Client) SetKRB5NegotiationHeader(HTTPReq *http.Request, spn string) er
 	if err != nil {
 		return fmt.Errorf("Could not create NegTokenInit: %v", err)
 	}
-	nb, err := negTokenInit.Marshal()
+	SPNEGOToken := GSSAPI.SPNEGO{
+		Init:         true,
+		NegTokenInit: negTokenInit,
+	}
+	nb, err := SPNEGOToken.Marshal()
 	if err != nil {
-		return fmt.Errorf("Could marshal NegTokenInit: %v", err)
+		return fmt.Errorf("Could marshal SPNEGO: %v", err)
 	}
 
 	hs := "Negotiate " + base64.StdEncoding.EncodeToString(nb)
 	HTTPReq.Header.Set("Authorization", hs)
 	return nil
-}
+}

debug.go

@@ -34,8 +34,8 @@ const krb5conf = `[libdefaults]
  `
 
 func main() {
-	//httpRequest()
-	runClient()
+	httpRequest()
+	//runClient()
 }
 
 func runClient() {
@@ -73,7 +73,7 @@ func httpRequest() {
 		fmt.Fprintf(os.Stderr, "Error on AS_REQ: %v\n", err)
 	}
 	r, _ := http.NewRequest("GET", "http://10.80.88.90/index.html", nil)
-	cl.SetKRB5NegotiationHeader(r, "HTTP/host.test.gokrb5")
+	cl.SetSPNEGOHeader(r, "HTTP/host.test.gokrb5")
 	httpResp, err := http.DefaultClient.Do(r)
 	fmt.Fprintf(os.Stderr, "RESPONSE CODE: %v\n", httpResp.StatusCode)
 }

testdata/test_vectors.go

@@ -98,7 +98,7 @@ var TestVectors = map[string]string{
 }
 
 const (
-	TESTUSER1_KEYTAB = "0502000000470001000b544553542e474f4b52423500097465737475736572310000000158a869020100120020bbdc430aab7e2d4622a0b6951481453b0962e9db8e2f168942ad175cda6d9de9000000370001000b544553542e474f4b52423500097465737475736572310000000158a869020100110010698c4df8e9f60e7eea5a21bf4526ad25"
+	TESTUSER1_KEYTAB = "05020000004b0001000b544553542e474f4b52423500097465737475736572310000000158e14ba20200120020ece15fc2116941977fab023c6fb784933ff1c80d3a71f5d742e169273a3585c5000000020000003b0001000b544553542e474f4b52423500097465737475736572310000000158e14ba202001100106fd4e428fdf2f54f03866c94b6d34d8900000002000000430001000b544553542e474f4b52423500097465737475736572310000000158e14ba202001000189408ef92262634badc25089ef2e0047fcb463425c18f2f20000000020000003b0001000b544553542e474f4b52423500097465737475736572310000000158e14ba202001700109d890eb35d54e48ff29e3386e858e0c0000000020000004b0001000b544553542e474f4b52423500097465737475736572310000000158e14ba202001a0020e4a7346f6e37484ec10ca0bcf14d4e340ab8bcc6b9a42851e1114540325b7e4f000000020000003b0001000b544553542e474f4b52423500097465737475736572310000000158e14ba2020019001076ed573a0bd71371eecd9c5402dace6a00000002000000330001000b544553542e474f4b52423500097465737475736572310000000158e14ba202000800087f68858f6413e54f00000002000000330001000b544553542e474f4b52423500097465737475736572310000000158e14ba202000300080283f2ea20a10efb00000002"
 	TEST_AS_REQ      = "6a81a63081a3a103020105a20302010aa30e300c300aa10402020095a2020400a48186308183a00703050040000010a1163014a003020101a10d300b1b09746573747573657231a20d1b0b544553542e474f4b524235a320301ea003020102a11730151b066b72627467741b0b544553542e474f4b524235a511180f32303137303232303134323530315aa70602040f6755a6a814301202011202011102011002011702011902011a"
 	TEST_AS_REP      = "6b8202f3308202efa003020105a10302010ba22e302c302aa103020113a2230421301f301da003020112a1161b14544553542e474f4b524235746573747573657231a30d1b0b544553542e474f4b524235a4163014a003020101a10d300b1b09746573747573657231a582015a6182015630820152a003020105a10d1b0b544553542e474f4b524235a220301ea003020102a11730151b066b72627467741b0b544553542e474f4b524235a382011830820114a003020112a103020101a28201060482010264d3fa49d89b627ed471298846ff92cd8632f657c58fe25322a61fffa32bb7966dc4c44c86a81353def2a11c36c537191406a609147f424a63266c00d02bcc56a27b0969d86ff4352634be9e2a4ac0ad5a36b0b0a3d689f128c0afa97401796e88037a35ad19efaf31d1ed4f3213769c03a58bc90ffac2051db152c0ed0809ad05ffb03aa3afaf731ed85f7a73020cb72355e0de27842dcf7eae3de9f7c14aa237edb25153b217ef3693373bc3cacbebe406910ff9ae9d00b7b08f726cb29a213cb9ad51ba80a8c24fa4b6692a445686889702cfa6ea749bac03e27e982407aca623fbd48586bcf566cfe87e1d9f17a74b1315669c16480f93e9d8782e71a8f11000a682012c30820128a003020112a282011f0482011b99b86153c0393c0e4130628f3e1e0f0a1f034e7e61a111b7fad15884e231c8fd8727e0bc945c9b35be20c57d057c8b09b0de74c53fb38cc15c9a2d483023fc369f5bde4da7324b4732b5a3d9504d92f67026aaa01df4f0138245d2ccb1c5a4014804cf295c7e7e56a867e6cf0c534f667f32da7aa5e700af1461764f1c276a8ff0fbee0e99322fe2059d2321853be09d0956c3afcfd07e3e702646a4678926a77bea20d9aaf3086b6d384821c81900af9013a3519f0e50eab6e1491d72e4ee17c2a44441b2ebc8a796cc3d876e328347dce65f61104e14d4c31532885776c9c8a70186b8b39f928972945c98bd60381ead5448e7ebe93fea308054287ac34b0583b4b9b5e43c5f8518d693ba9eb48a219c27344466b3c693a70462"
 	TEST_TGS_REQ     = "6c82038f3082038ba103020105a20302010ca382031a3082031630820245a103020101a282023c048202386e82023430820230a003020105a10302010ea20703050000000000a382015a6182015630820152a003020105a10d1b0b544553542e474f4b524235a220301ea003020102a11730151b066b72627467741b0b544553542e474f4b524235a382011830820114a003020112a103020101a28201060482010264d3fa49d89b627ed471298846ff92cd8632f657c58fe25322a61fffa32bb7966dc4c44c86a81353def2a11c36c537191406a609147f424a63266c00d02bcc56a27b0969d86ff4352634be9e2a4ac0ad5a36b0b0a3d689f128c0afa97401796e88037a35ad19efaf31d1ed4f3213769c03a58bc90ffac2051db152c0ed0809ad05ffb03aa3afaf731ed85f7a73020cb72355e0de27842dcf7eae3de9f7c14aa237edb25153b217ef3693373bc3cacbebe406910ff9ae9d00b7b08f726cb29a213cb9ad51ba80a8c24fa4b6692a445686889702cfa6ea749bac03e27e982407aca623fbd48586bcf566cfe87e1d9f17a74b1315669c16480f93e9d8782e71a8f11000a481bc3081b9a003020112a281b10481ae8ae3cb8ac47d77cfc7b0b6bf0d3c5f8fcc6dd569344256a6a40c004fc2d23ebbe6ee0b9e00eccf37e710b7c01a7d2a63bbed6d75f2b230d24d724ef90edad2c5680e7e2436ab1145ff68481673444ebd61e3aef79b9ee05809551672c6c436eb8ac732a7fe78bd8f380e68a541191e3125554e4bab63dcc19ea931c1477366a6039ff7b7e62521ebfeffd6784b6ef0c97f653ac4d8dfb304f3e2e843faab12d838c23f1105f0a281c39325987cb03081caa10402020088a281c10481bea081bb3081b8a1173015a003020110a10e040ce613d8e9d544f0e56c60d3bba2819c308199a003020112a2819104818ec4fabcb1ec2f24e04ef51f9247239b28275653fa5cbc1dc9e747530c597631050fe86a5f3cba2ff54270aa771dcefa87efc8c8604407f84e603f5c01a2d929e18103561c3ffbc3a0cf63340bdd67a0739d4d81989827fc1d3f7f13e9dd5cc2346ca08e26a2aaf6d0102fbef8f7a6ee0a1caae7880e953ea678da619038786122a0b71853e8d0b95f544f8fbd6945a461305fa00703050040810000a20d1b0b544553542e474f4b524235a3233021a003020101a11a30181b04485454501b10686f73742e746573742e676f6b726235a511180f32303137303232303032323634325aa706020458a9ab2aa8053003020112"

testenv/krb5kdc-vagrant/bootstrap.sh

@@ -6,7 +6,7 @@ setenforce 0
 sed -i "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/sysconfig/selinux
 
 yum update -y && yum clean all
-yum install -y tcpdump krb5-server krb5-workstation httpd mod_auth_kerb mod_ssl ntp
+yum install -y tcpdump krb5-server krb5-workstation httpd mod_auth_kerb mod_ssl ntp vim
 
 systemctl stop firewalld
 systemctl disable firewalld