git.samba.org / metze / samba / wip.git / blob
? search:


a61b2b2659cbd4001e2acfd4afdccf4999d15fa3
[metze/samba/wip.git] / source4 / auth / gensec / gensec_gssapi.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos backend for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7    Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "lib/util/tevent_ntstatus.h"
27 #include "lib/events/events.h"
28 #include "system/kerberos.h"
29 #include "system/gssapi.h"
30 #include "auth/kerberos/kerberos.h"
31 #include "librpc/gen_ndr/krb5pac.h"
32 #include "auth/auth.h"
33 #include <ldb.h>
34 #include "auth/auth_sam.h"
35 #include "librpc/gen_ndr/dcerpc.h"
36 #include "auth/credentials/credentials.h"
37 #include "auth/credentials/credentials_krb5.h"
38 #include "auth/gensec/gensec.h"
39 #include "auth/gensec/gensec_internal.h"
40 #include "auth/gensec/gensec_proto.h"
41 #include "auth/gensec/gensec_toplevel_proto.h"
42 #include "param/param.h"
43 #include "auth/session_proto.h"
44 #include "gensec_gssapi.h"
45 #include "lib/util/util_net.h"
46 #include "auth/kerberos/pac_utils.h"
47 #include "auth/kerberos/gssapi_helper.h"
48
49 #ifndef gss_mech_spnego
50 gss_OID_desc spnego_mech_oid_desc =
51                 { 6, discard_const_p(void, "\x2b\x06\x01\x05\x05\x02") };
52 #define gss_mech_spnego (&spnego_mech_oid_desc)
53 #endif
54
55 _PUBLIC_ NTSTATUS gensec_gssapi_init(TALLOC_CTX *);
56
57 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
58 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
59 static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size);
60
61 static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
62 {
63         OM_uint32 min_stat;
64
65         if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
66                 gss_release_cred(&min_stat,
67                                  &gensec_gssapi_state->delegated_cred_handle);
68         }
69
70         if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
71                 gss_delete_sec_context(&min_stat,
72                                        &gensec_gssapi_state->gssapi_context,
73                                        GSS_C_NO_BUFFER);
74         }
75
76         if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
77                 gss_release_name(&min_stat,
78                                  &gensec_gssapi_state->server_name);
79         }
80         if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
81                 gss_release_name(&min_stat,
82                                  &gensec_gssapi_state->client_name);
83         }
84
85         return 0;
86 }
87
88 static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx,
89                                                      const char *target_principal,
90                                                      const char *service,
91                                                      const char *hostname,
92                                                      const char *realm,
93                                                      const gss_OID mech,
94                                                      char **pserver_principal,
95                                                      gss_name_t *pserver_name)
96 {
97         char *server_principal = NULL;
98         gss_buffer_desc name_token;
99         gss_OID name_type;
100         OM_uint32 maj_stat, min_stat = 0;
101
102         if (target_principal != NULL) {
103                 server_principal = talloc_strdup(mem_ctx, target_principal);
104                 name_type = GSS_C_NULL_OID;
105         } else {
106                 server_principal = talloc_asprintf(mem_ctx,
107                                                    "%s/%s@%s",
108                                                    service, hostname, realm);
109                 name_type = GSS_C_NT_USER_NAME;
110         }
111         if (server_principal == NULL) {
112                 return NT_STATUS_NO_MEMORY;
113         }
114
115         name_token.value = (uint8_t *)server_principal;
116         name_token.length = strlen(server_principal);
117
118         maj_stat = gss_import_name(&min_stat,
119                                    &name_token,
120                                    name_type,
121                                    pserver_name);
122         if (maj_stat) {
123                 DBG_WARNING("GSS Import name of %s failed: %s\n",
124                             server_principal,
125                             gssapi_error_string(mem_ctx,
126                                                 maj_stat,
127                                                 min_stat,
128                                                 mech));
129                 TALLOC_FREE(server_principal);
130                 return NT_STATUS_INVALID_PARAMETER;
131         }
132
133         *pserver_principal = server_principal;
134
135         return NT_STATUS_OK;
136 }
137
138 static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
139 {
140         struct gensec_gssapi_state *gensec_gssapi_state;
141         krb5_error_code ret;
142 #ifdef SAMBA4_USES_HEIMDAL
143         const char *realm;
144 #endif
145
146         gensec_gssapi_state = talloc_zero(gensec_security, struct gensec_gssapi_state);
147         if (!gensec_gssapi_state) {
148                 return NT_STATUS_NO_MEMORY;
149         }
150
151         gensec_security->private_data = gensec_gssapi_state;
152
153         gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
154
155         /* TODO: Fill in channel bindings */
156         gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
157
158         gensec_gssapi_state->server_name = GSS_C_NO_NAME;
159         gensec_gssapi_state->client_name = GSS_C_NO_NAME;
160         
161         gensec_gssapi_state->gss_want_flags = 0;
162         gensec_gssapi_state->expire_time = GENSEC_EXPIRE_TIME_INFINITY;
163
164         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
165                 gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_POLICY_FLAG;
166         }
167         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
168                 gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
169         }
170         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
171                 gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
172         }
173         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
174                 gensec_gssapi_state->gss_want_flags |= GSS_C_REPLAY_FLAG;
175         }
176         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
177                 gensec_gssapi_state->gss_want_flags |= GSS_C_SEQUENCE_FLAG;
178         }
179
180         if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
181                 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
182         }
183         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
184                 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
185         }
186         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
187                 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
188                 gensec_gssapi_state->gss_want_flags |= GSS_C_CONF_FLAG;
189         }
190         if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
191                 gensec_gssapi_state->gss_want_flags |= GSS_C_DCE_STYLE;
192         }
193
194         gensec_gssapi_state->gss_got_flags = 0;
195
196         switch (gensec_security->ops->auth_type) {
197         case DCERPC_AUTH_TYPE_SPNEGO:
198                 gensec_gssapi_state->gss_oid = gss_mech_spnego;
199                 break;
200         case DCERPC_AUTH_TYPE_KRB5:
201         default:
202                 gensec_gssapi_state->gss_oid =
203                         discard_const_p(void, gss_mech_krb5);
204                 break;
205         }
206
207         ret = smb_krb5_init_context(gensec_gssapi_state,
208                                     gensec_security->settings->lp_ctx,
209                                     &gensec_gssapi_state->smb_krb5_context);
210         if (ret) {
211                 DEBUG(1,("gensec_gssapi_start: smb_krb5_init_context failed (%s)\n",
212                          error_message(ret)));
213                 talloc_free(gensec_gssapi_state);
214                 return NT_STATUS_INTERNAL_ERROR;
215         }
216
217         gensec_gssapi_state->client_cred = NULL;
218         gensec_gssapi_state->server_cred = NULL;
219
220         gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
221
222         gensec_gssapi_state->sasl = false;
223         gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
224         gensec_gssapi_state->sasl_protection = 0;
225
226         gensec_gssapi_state->max_wrap_buf_size
227                 = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
228         gensec_gssapi_state->gss_exchange_count = 0;
229         gensec_gssapi_state->sig_size = 0;
230
231         talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
232
233 #ifdef SAMBA4_USES_HEIMDAL
234         realm = lpcfg_realm(gensec_security->settings->lp_ctx);
235         if (realm != NULL) {
236                 ret = gsskrb5_set_default_realm(realm);
237                 if (ret) {
238                         DEBUG(1,("gensec_gssapi_start: gsskrb5_set_default_realm failed\n"));
239                         talloc_free(gensec_gssapi_state);
240                         return NT_STATUS_INTERNAL_ERROR;
241                 }
242         }
243
244         /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
245         ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
246         if (ret) {
247                 DEBUG(1,("gensec_gssapi_start: gsskrb5_set_dns_canonicalize failed\n"));
248                 talloc_free(gensec_gssapi_state);
249                 return NT_STATUS_INTERNAL_ERROR;
250         }
251 #endif
252         return NT_STATUS_OK;
253 }
254
255 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
256 {
257         NTSTATUS nt_status;
258         int ret;
259         struct gensec_gssapi_state *gensec_gssapi_state;
260         struct cli_credentials *machine_account;
261         struct gssapi_creds_container *gcc;
262
263         nt_status = gensec_gssapi_start(gensec_security);
264         if (!NT_STATUS_IS_OK(nt_status)) {
265                 return nt_status;
266         }
267
268         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
269
270         machine_account = gensec_get_credentials(gensec_security);
271         
272         if (!machine_account) {
273                 DEBUG(3, ("No machine account credentials specified\n"));
274                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
275         } else {
276                 ret = cli_credentials_get_server_gss_creds(machine_account, 
277                                                            gensec_security->settings->lp_ctx, &gcc);
278                 if (ret) {
279                         DEBUG(1, ("Acquiring acceptor credentials failed: %s\n",
280                                   error_message(ret)));
281                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
282                 }
283         }
284
285         gensec_gssapi_state->server_cred = gcc;
286         return NT_STATUS_OK;
287
288 }
289
290 static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_security)
291 {
292         NTSTATUS nt_status;
293         struct gensec_gssapi_state *gensec_gssapi_state;
294         nt_status = gensec_gssapi_server_start(gensec_security);
295
296         if (NT_STATUS_IS_OK(nt_status)) {
297                 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
298                 gensec_gssapi_state->sasl = true;
299         }
300         return nt_status;
301 }
302
303 static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_security,
304                                            struct tevent_context *ev)
305 {
306         struct gensec_gssapi_state *gensec_gssapi_state;
307         struct gssapi_creds_container *gcc;
308         struct cli_credentials *creds = gensec_get_credentials(gensec_security);
309         const char *error_string;
310         int ret;
311
312         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
313
314         /* Only run this the first time the update() call is made */
315         if (gensec_gssapi_state->client_cred) {
316                 return NT_STATUS_OK;
317         }
318
319         ret = cli_credentials_get_client_gss_creds(creds,
320                                                    ev,
321                                                    gensec_security->settings->lp_ctx, &gcc, &error_string);
322         switch (ret) {
323         case 0:
324                 break;
325         case EINVAL:
326                 DEBUG(3, ("Cannot obtain client GSS credentials we need to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
327                 return NT_STATUS_INVALID_PARAMETER;
328         case KRB5KDC_ERR_PREAUTH_FAILED:
329         case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
330         case KRB5KRB_AP_ERR_BAD_INTEGRITY:
331                 DEBUG(1, ("Wrong username or password: %s\n", error_string));
332                 return NT_STATUS_LOGON_FAILURE;
333         case KRB5KDC_ERR_CLIENT_REVOKED:
334                 DEBUG(1, ("Account locked out: %s\n", error_string));
335                 return NT_STATUS_ACCOUNT_LOCKED_OUT;
336         case KRB5_REALM_UNKNOWN:
337         case KRB5_KDC_UNREACH:
338                 DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
339                 return NT_STATUS_NO_LOGON_SERVERS;
340         case KRB5_CC_NOTFOUND:
341         case KRB5_CC_END:
342                 DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n", gensec_gssapi_state->target_principal, error_string));
343                 return NT_STATUS_TIME_DIFFERENCE_AT_DC;
344         default:
345                 DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
346                 return NT_STATUS_UNSUCCESSFUL;
347         }
348
349         gensec_gssapi_state->client_cred = gcc;
350         if (!talloc_reference(gensec_gssapi_state, gcc)) {
351                 return NT_STATUS_NO_MEMORY;
352         }
353
354         return NT_STATUS_OK;
355 }
356
357 static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
358 {
359         struct gensec_gssapi_state *gensec_gssapi_state;
360         struct cli_credentials *creds = gensec_get_credentials(gensec_security);
361         NTSTATUS nt_status;
362         const char *target_principal = NULL;
363         const char *hostname = gensec_get_target_hostname(gensec_security);
364         const char *service = gensec_get_target_service(gensec_security);
365         const char *realm = cli_credentials_get_realm(creds);
366
367         target_principal = gensec_get_target_principal(gensec_security);
368         if (target_principal != NULL) {
369                 goto do_start;
370         }
371
372         if (!hostname) {
373                 DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n"));
374                 return NT_STATUS_INVALID_PARAMETER;
375         }
376         if (is_ipaddress(hostname)) {
377                 DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
378                 return NT_STATUS_INVALID_PARAMETER;
379         }
380         if (strcmp(hostname, "localhost") == 0) {
381                 DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
382                 return NT_STATUS_INVALID_PARAMETER;
383         }
384
385         if (realm == NULL) {
386                 char *cred_name = cli_credentials_get_unparsed_name(creds,
387                                                                 gensec_security);
388                 DEBUG(3, ("cli_credentials(%s) without realm, "
389                           "cannot use kerberos for this connection %s/%s\n",
390                           cred_name, service, hostname));
391                 TALLOC_FREE(cred_name);
392                 return NT_STATUS_INVALID_PARAMETER;
393         }
394
395 do_start:
396
397         nt_status = gensec_gssapi_start(gensec_security);
398         if (!NT_STATUS_IS_OK(nt_status)) {
399                 return nt_status;
400         }
401
402         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
403
404         if (cli_credentials_get_impersonate_principal(creds)) {
405                 gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
406         }
407
408         return NT_STATUS_OK;
409 }
410
411 static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
412 {
413         NTSTATUS nt_status;
414         struct gensec_gssapi_state *gensec_gssapi_state;
415         nt_status = gensec_gssapi_client_start(gensec_security);
416
417         if (NT_STATUS_IS_OK(nt_status)) {
418                 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
419                 gensec_gssapi_state->sasl = true;
420         }
421         return nt_status;
422 }
423
424 static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_security,
425                                               TALLOC_CTX *out_mem_ctx,
426                                               struct tevent_context *ev,
427                                               const DATA_BLOB in, DATA_BLOB *out)
428 {
429         struct gensec_gssapi_state *gensec_gssapi_state
430                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
431         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
432         OM_uint32 maj_stat, min_stat;
433         OM_uint32 min_stat2;
434         gss_buffer_desc input_token = { 0, NULL };
435         gss_buffer_desc output_token = { 0, NULL };
436         struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
437         const char *target_principal = gensec_get_target_principal(gensec_security);
438         const char *hostname = gensec_get_target_hostname(gensec_security);
439         const char *service = gensec_get_target_service(gensec_security);
440         const char *client_realm = cli_credentials_get_realm(cli_creds);
441         const char *server_realm = NULL;
442         gss_OID gss_oid_p = NULL;
443         OM_uint32 time_req = 0;
444         OM_uint32 time_rec = 0;
445         struct timeval tv;
446
447         time_req = gensec_setting_int(gensec_security->settings,
448                                       "gensec_gssapi", "requested_life_time",
449                                       time_req);
450
451         input_token.length = in.length;
452         input_token.value = in.data;
453
454         switch (gensec_gssapi_state->sasl_state) {
455         case STAGE_GSS_NEG:
456         {
457                 switch (gensec_security->gensec_role) {
458                 case GENSEC_CLIENT:
459                 {
460 #ifdef SAMBA4_USES_HEIMDAL
461                         struct gsskrb5_send_to_kdc send_to_kdc;
462                         krb5_error_code ret;
463 #else
464                         bool fallback = false;
465 #endif
466
467                         nt_status = gensec_gssapi_client_creds(gensec_security, ev);
468                         if (!NT_STATUS_IS_OK(nt_status)) {
469                                 return nt_status;
470                         }
471
472 #ifdef SAMBA4_USES_HEIMDAL
473                         send_to_kdc.func = smb_krb5_send_and_recv_func;
474                         send_to_kdc.ptr = ev;
475
476                         min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
477                         if (min_stat) {
478                                 DEBUG(1,("gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n"));
479                                 return NT_STATUS_INTERNAL_ERROR;
480                         }
481 #endif
482
483                         /*
484                          * With credentials for
485                          * administrator@FOREST1.EXAMPLE.COM this patch changes
486                          * the target_principal for the ldap service of host
487                          * dc2.forest2.example.com from
488                          *
489                          *   ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
490                          *
491                          * to
492                          *
493                          *   ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
494                          *
495                          * Typically
496                          * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
497                          * should be used in order to allow the KDC of
498                          * FOREST1.EXAMPLE.COM to generate a referral ticket
499                          * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
500                          *
501                          * The problem is that KDCs only return such referral
502                          * tickets if there's a forest trust between
503                          * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If
504                          * there's only an external domain trust between
505                          * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC
506                          * of FOREST1.EXAMPLE.COM will respond with
507                          * S_PRINCIPAL_UNKNOWN when being asked for
508                          * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
509                          *
510                          * In the case of an external trust the client can
511                          * still ask explicitly for
512                          * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and
513                          * the KDC of FOREST1.EXAMPLE.COM will generate it.
514                          *
515                          * From there the client can use the
516                          * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
517                          * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
518                          * service ticket for
519                          * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
520                          *
521                          * With Heimdal we'll get the fallback on
522                          * S_PRINCIPAL_UNKNOWN behavior when we pass
523                          * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
524                          * target principal. As _krb5_get_cred_kdc_any() first
525                          * calls get_cred_kdc_referral() (which always starts
526                          * with the client realm) and falls back to
527                          * get_cred_kdc_capath() (which starts with the given
528                          * realm).
529                          *
530                          * MIT krb5 only tries the given realm of the target
531                          * principal, if we want to autodetect support for
532                          * transitive forest trusts, would have to do the
533                          * fallback ourself.
534                          */
535 #ifndef SAMBA4_USES_HEIMDAL
536                         if (gensec_gssapi_state->server_name == NULL) {
537                                 nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
538                                                                                  target_principal,
539                                                                                  service,
540                                                                                  hostname,
541                                                                                  client_realm,
542                                                                                  gensec_gssapi_state->gss_oid,
543                                                                                  &gensec_gssapi_state->target_principal,
544                                                                                  &gensec_gssapi_state->server_name);
545                                 if (!NT_STATUS_IS_OK(nt_status)) {
546                                         return nt_status;
547                                 }
548
549                                 maj_stat = gss_init_sec_context(&min_stat,
550                                                                 gensec_gssapi_state->client_cred->creds,
551                                                                 &gensec_gssapi_state->gssapi_context,
552                                                                 gensec_gssapi_state->server_name,
553                                                                 gensec_gssapi_state->gss_oid,
554                                                                 gensec_gssapi_state->gss_want_flags,
555                                                                 time_req,
556                                                                 gensec_gssapi_state->input_chan_bindings,
557                                                                 &input_token,
558                                                                 &gss_oid_p,
559                                                                 &output_token,
560                                                                 &gensec_gssapi_state->gss_got_flags, /* ret flags */
561                                                                 &time_rec);
562                                 if (maj_stat != GSS_S_FAILURE) {
563                                         goto init_sec_context_done;
564                                 }
565                                 if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
566                                         goto init_sec_context_done;
567                                 }
568                                 if (target_principal != NULL) {
569                                         goto init_sec_context_done;
570                                 }
571
572                                 fallback = true;
573                                 TALLOC_FREE(gensec_gssapi_state->target_principal);
574                                 gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
575                         }
576 #endif /* !SAMBA4_USES_HEIMDAL */
577                         if (gensec_gssapi_state->server_name == NULL) {
578                                 server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
579                                                                                 hostname,
580                                                                                 client_realm);
581                                 if (server_realm == NULL) {
582                                         return NT_STATUS_NO_MEMORY;
583                                 }
584
585 #ifndef SAMBA4_USES_HEIMDAL
586                                 if (fallback &&
587                                     strequal(client_realm, server_realm)) {
588                                         goto init_sec_context_done;
589                                 }
590 #endif /* !SAMBA4_USES_HEIMDAL */
591
592                                 nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
593                                                                                  target_principal,
594                                                                                  service,
595                                                                                  hostname,
596                                                                                  server_realm,
597                                                                                  gensec_gssapi_state->gss_oid,
598                                                                                  &gensec_gssapi_state->target_principal,
599                                                                                  &gensec_gssapi_state->server_name);
600                                 if (!NT_STATUS_IS_OK(nt_status)) {
601                                         return nt_status;
602                                 }
603                         }
604
605                         maj_stat = gss_init_sec_context(&min_stat, 
606                                                         gensec_gssapi_state->client_cred->creds,
607                                                         &gensec_gssapi_state->gssapi_context, 
608                                                         gensec_gssapi_state->server_name, 
609                                                         gensec_gssapi_state->gss_oid,
610                                                         gensec_gssapi_state->gss_want_flags, 
611                                                         time_req,
612                                                         gensec_gssapi_state->input_chan_bindings,
613                                                         &input_token, 
614                                                         &gss_oid_p,
615                                                         &output_token, 
616                                                         &gensec_gssapi_state->gss_got_flags, /* ret flags */
617                                                         &time_rec);
618                         goto init_sec_context_done;
619                         /* JUMP! */
620 init_sec_context_done:
621                         if (gss_oid_p) {
622                                 gensec_gssapi_state->gss_oid = gss_oid_p;
623                         }
624
625 #ifdef SAMBA4_USES_HEIMDAL
626                         send_to_kdc.func = smb_krb5_send_and_recv_func;
627                         send_to_kdc.ptr = NULL;
628
629                         ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
630                         if (ret) {
631                                 DEBUG(1,("gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n"));
632                                 return NT_STATUS_INTERNAL_ERROR;
633                         }
634 #endif
635                         break;
636                 }
637                 case GENSEC_SERVER:
638                 {
639                         maj_stat = gss_accept_sec_context(&min_stat, 
640                                                           &gensec_gssapi_state->gssapi_context, 
641                                                           gensec_gssapi_state->server_cred->creds,
642                                                           &input_token, 
643                                                           gensec_gssapi_state->input_chan_bindings,
644                                                           &gensec_gssapi_state->client_name, 
645                                                           &gss_oid_p,
646                                                           &output_token, 
647                                                           &gensec_gssapi_state->gss_got_flags, 
648                                                           &time_rec,
649                                                           &gensec_gssapi_state->delegated_cred_handle);
650                         if (gss_oid_p) {
651                                 gensec_gssapi_state->gss_oid = gss_oid_p;
652                         }
653                         break;
654                 }
655                 default:
656                         return NT_STATUS_INVALID_PARAMETER;
657                         
658                 }
659
660                 gensec_gssapi_state->gss_exchange_count++;
661
662                 if (maj_stat == GSS_S_COMPLETE) {
663                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
664                         gss_release_buffer(&min_stat2, &output_token);
665                         
666                         if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
667                             gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
668                                 DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
669                         } else {
670                                 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
671                         }
672
673                         tv = timeval_current_ofs(time_rec, 0);
674                         gensec_gssapi_state->expire_time = timeval_to_nttime(&tv);
675
676                         /* We may have been invoked as SASL, so there
677                          * is more work to do */
678                         if (gensec_gssapi_state->sasl) {
679                                 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
680                                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
681                         } else {
682                                 gensec_gssapi_state->sasl_state = STAGE_DONE;
683
684                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
685                                         DEBUG(5, ("GSSAPI Connection will be cryptographically sealed\n"));
686                                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
687                                         DEBUG(5, ("GSSAPI Connection will be cryptographically signed\n"));
688                                 } else {
689                                         DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
690                                 }
691
692                                 return NT_STATUS_OK;
693                         }
694                 } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
695                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
696                         gss_release_buffer(&min_stat2, &output_token);
697                         
698                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
699                 } else if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
700                         gss_cred_id_t creds = NULL;
701                         gss_name_t name;
702                         gss_buffer_desc buffer;
703                         OM_uint32 lifetime = 0;
704                         gss_cred_usage_t usage;
705                         const char *role = NULL;
706                         DEBUG(0, ("GSS %s Update(krb5)(%d) Update failed, credentials expired during GSSAPI handshake!\n",
707                                   role,
708                                   gensec_gssapi_state->gss_exchange_count));
709
710                         
711                         switch (gensec_security->gensec_role) {
712                         case GENSEC_CLIENT:
713                                 creds = gensec_gssapi_state->client_cred->creds;
714                                 role = "client";
715                                 break;
716                         case GENSEC_SERVER:
717                                 creds = gensec_gssapi_state->server_cred->creds;
718                                 role = "server";
719                                 break;
720                         }
721
722                         maj_stat = gss_inquire_cred(&min_stat, 
723                                                     creds,
724                                                     &name, &lifetime, &usage, NULL);
725
726                         if (maj_stat == GSS_S_COMPLETE) {
727                                 const char *usage_string = NULL;
728                                 switch (usage) {
729                                 case GSS_C_BOTH:
730                                         usage_string = "GSS_C_BOTH";
731                                         break;
732                                 case GSS_C_ACCEPT:
733                                         usage_string = "GSS_C_ACCEPT";
734                                         break;
735                                 case GSS_C_INITIATE:
736                                         usage_string = "GSS_C_INITIATE";
737                                         break;
738                                 }
739                                 maj_stat = gss_display_name(&min_stat, name, &buffer, NULL);
740                                 if (maj_stat) {
741                                         buffer.value = NULL;
742                                         buffer.length = 0;
743                                 }
744                                 if (lifetime > 0) {
745                                         DEBUG(0, ("GSSAPI gss_inquire_cred indicates expiry of %*.*s in %u sec for %s\n", 
746                                                   (int)buffer.length, (int)buffer.length, (char *)buffer.value, 
747                                                   lifetime, usage_string));
748                                 } else {
749                                         DEBUG(0, ("GSSAPI gss_inquire_cred indicates %*.*s has already expired for %s\n", 
750                                                   (int)buffer.length, (int)buffer.length, (char *)buffer.value, 
751                                                   usage_string));
752                                 }
753                                 gss_release_buffer(&min_stat, &buffer);
754                                 gss_release_name(&min_stat, &name);
755                         } else if (maj_stat != GSS_S_COMPLETE) {
756                                 DEBUG(0, ("inquiry of credential lifefime via GSSAPI gss_inquire_cred failed: %s\n",
757                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
758                         }
759                         return NT_STATUS_INVALID_PARAMETER;
760                 } else if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
761                                              gss_mech_krb5)) {
762                         switch (min_stat) {
763                         case KRB5KRB_AP_ERR_TKT_NYV:
764                                 DEBUG(1, ("Error with ticket to contact %s: possible clock skew between us and the KDC or target server: %s\n",
765                                           gensec_gssapi_state->target_principal,
766                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
767                                 return NT_STATUS_TIME_DIFFERENCE_AT_DC; /* Make SPNEGO ignore us, we can't go any further here */
768                         case KRB5KRB_AP_ERR_TKT_EXPIRED:
769                                 DEBUG(1, ("Error with ticket to contact %s: ticket is expired, possible clock skew between us and the KDC or target server: %s\n",
770                                           gensec_gssapi_state->target_principal,
771                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
772                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
773                         case KRB5_KDC_UNREACH:
774                                 DEBUG(3, ("Cannot reach a KDC we require in order to obtain a ticket to %s: %s\n",
775                                           gensec_gssapi_state->target_principal,
776                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
777                                 return NT_STATUS_NO_LOGON_SERVERS; /* Make SPNEGO ignore us, we can't go any further here */
778                         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
779                                 DEBUG(3, ("Server %s is not registered with our KDC: %s\n",
780                                           gensec_gssapi_state->target_principal,
781                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
782                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
783                         case KRB5KRB_AP_ERR_MSG_TYPE:
784                                 /* garbage input, possibly from the auto-mech detection */
785                                 return NT_STATUS_INVALID_PARAMETER;
786                         default:
787                                 DEBUG(1, ("GSS %s Update(krb5)(%d) Update failed: %s\n",
788                                           gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
789                                           gensec_gssapi_state->gss_exchange_count,
790                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
791                                 return NT_STATUS_LOGON_FAILURE;
792                         }
793                 } else {
794                         DEBUG(1, ("GSS %s Update(%d) failed: %s\n",
795                                   gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
796                                   gensec_gssapi_state->gss_exchange_count,
797                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
798                         return NT_STATUS_LOGON_FAILURE;
799                 }
800                 break;
801         }
802
803         /* These last two stages are only done if we were invoked as SASL */
804         case STAGE_SASL_SSF_NEG:
805         {
806                 switch (gensec_security->gensec_role) {
807                 case GENSEC_CLIENT:
808                 {
809                         uint8_t maxlength_proposed[4]; 
810                         uint8_t maxlength_accepted[4]; 
811                         uint8_t security_supported;
812                         int conf_state;
813                         gss_qop_t qop_state;
814                         input_token.length = in.length;
815                         input_token.value = in.data;
816
817                         /* As a client, we have just send a
818                          * zero-length blob to the server (after the
819                          * normal GSSAPI exchange), and it has replied
820                          * with it's SASL negotiation */
821                         
822                         maj_stat = gss_unwrap(&min_stat, 
823                                               gensec_gssapi_state->gssapi_context, 
824                                               &input_token,
825                                               &output_token, 
826                                               &conf_state,
827                                               &qop_state);
828                         if (GSS_ERROR(maj_stat)) {
829                                 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n", 
830                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
831                                 return NT_STATUS_ACCESS_DENIED;
832                         }
833                         
834                         if (output_token.length < 4) {
835                                 return NT_STATUS_INVALID_PARAMETER;
836                         }
837
838                         memcpy(maxlength_proposed, output_token.value, 4);
839                         gss_release_buffer(&min_stat, &output_token);
840
841                         /* first byte is the proposed security */
842                         security_supported = maxlength_proposed[0];
843                         maxlength_proposed[0] = '\0';
844                         
845                         /* Rest is the proposed max wrap length */
846                         gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0), 
847                                                                      gensec_gssapi_state->max_wrap_buf_size);
848                         gensec_gssapi_state->sasl_protection = 0;
849                         if (security_supported & NEG_SEAL) {
850                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
851                                         gensec_gssapi_state->sasl_protection |= NEG_SEAL;
852                                 }
853                         }
854                         if (security_supported & NEG_SIGN) {
855                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
856                                         gensec_gssapi_state->sasl_protection |= NEG_SIGN;
857                                 }
858                         }
859                         if (security_supported & NEG_NONE) {
860                                 gensec_gssapi_state->sasl_protection |= NEG_NONE;
861                         }
862                         if (gensec_gssapi_state->sasl_protection == 0) {
863                                 DEBUG(1, ("Remote server does not support unprotected connections\n"));
864                                 return NT_STATUS_ACCESS_DENIED;
865                         }
866
867                         /* Send back the negotiated max length */
868
869                         RSIVAL(maxlength_accepted, 0, gensec_gssapi_state->max_wrap_buf_size);
870
871                         maxlength_accepted[0] = gensec_gssapi_state->sasl_protection;
872                         
873                         input_token.value = maxlength_accepted;
874                         input_token.length = sizeof(maxlength_accepted);
875
876                         maj_stat = gss_wrap(&min_stat, 
877                                             gensec_gssapi_state->gssapi_context, 
878                                             false,
879                                             GSS_C_QOP_DEFAULT,
880                                             &input_token,
881                                             &conf_state,
882                                             &output_token);
883                         if (GSS_ERROR(maj_stat)) {
884                                 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", 
885                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
886                                 return NT_STATUS_ACCESS_DENIED;
887                         }
888                         
889                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
890                         gss_release_buffer(&min_stat, &output_token);
891
892                         /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
893                         gensec_gssapi_state->sasl_state = STAGE_DONE;
894
895                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
896                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically sealed\n"));
897                         } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
898                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically signed\n"));
899                         } else {
900                                 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographically protection\n"));
901                         }
902
903                         return NT_STATUS_OK;
904                 }
905                 case GENSEC_SERVER:
906                 {
907                         uint8_t maxlength_proposed[4]; 
908                         uint8_t security_supported = 0x0;
909                         int conf_state;
910
911                         /* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
912                         if (in.length != 0) {
913                                 DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
914                         }
915                         
916                         /* Give the client some idea what we will support */
917                           
918                         RSIVAL(maxlength_proposed, 0, gensec_gssapi_state->max_wrap_buf_size);
919                         /* first byte is the proposed security */
920                         maxlength_proposed[0] = '\0';
921                         
922                         gensec_gssapi_state->sasl_protection = 0;
923                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
924                                 security_supported |= NEG_SEAL;
925                         } 
926                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
927                                 security_supported |= NEG_SIGN;
928                         }
929                         if (security_supported == 0) {
930                                 /* If we don't support anything, this must be 0 */
931                                 RSIVAL(maxlength_proposed, 0, 0x0);
932                         }
933
934                         /* TODO:  We may not wish to support this */
935                         security_supported |= NEG_NONE;
936                         maxlength_proposed[0] = security_supported;
937                         
938                         input_token.value = maxlength_proposed;
939                         input_token.length = sizeof(maxlength_proposed);
940
941                         maj_stat = gss_wrap(&min_stat, 
942                                             gensec_gssapi_state->gssapi_context, 
943                                             false,
944                                             GSS_C_QOP_DEFAULT,
945                                             &input_token,
946                                             &conf_state,
947                                             &output_token);
948                         if (GSS_ERROR(maj_stat)) {
949                                 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", 
950                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
951                                 return NT_STATUS_ACCESS_DENIED;
952                         }
953                         
954                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
955                         gss_release_buffer(&min_stat, &output_token);
956
957                         gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_ACCEPT;
958                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
959                 }
960                 default:
961                         return NT_STATUS_INVALID_PARAMETER;
962                         
963                 }
964         }
965         /* This is s server-only stage */
966         case STAGE_SASL_SSF_ACCEPT:
967         {
968                 uint8_t maxlength_accepted[4]; 
969                 uint8_t security_accepted;
970                 int conf_state;
971                 gss_qop_t qop_state;
972                 input_token.length = in.length;
973                 input_token.value = in.data;
974                         
975                 maj_stat = gss_unwrap(&min_stat, 
976                                       gensec_gssapi_state->gssapi_context, 
977                                       &input_token,
978                                       &output_token, 
979                                       &conf_state,
980                                       &qop_state);
981                 if (GSS_ERROR(maj_stat)) {
982                         DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n", 
983                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
984                         return NT_STATUS_ACCESS_DENIED;
985                 }
986                         
987                 if (output_token.length < 4) {
988                         return NT_STATUS_INVALID_PARAMETER;
989                 }
990
991                 memcpy(maxlength_accepted, output_token.value, 4);
992                 gss_release_buffer(&min_stat, &output_token);
993                 
994                 /* first byte is the proposed security */
995                 security_accepted = maxlength_accepted[0];
996                 maxlength_accepted[0] = '\0';
997
998                 /* Rest is the proposed max wrap length */
999                 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0), 
1000                                                              gensec_gssapi_state->max_wrap_buf_size);
1001
1002                 gensec_gssapi_state->sasl_protection = 0;
1003                 if (security_accepted & NEG_SEAL) {
1004                         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
1005                                 DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
1006                                 return NT_STATUS_ACCESS_DENIED;
1007                         }
1008                         gensec_gssapi_state->sasl_protection |= NEG_SEAL;
1009                 }
1010                 if (security_accepted & NEG_SIGN) {
1011                         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
1012                                 DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
1013                                 return NT_STATUS_ACCESS_DENIED;
1014                         }
1015                         gensec_gssapi_state->sasl_protection |= NEG_SIGN;
1016                 }
1017                 if (security_accepted & NEG_NONE) {
1018                         gensec_gssapi_state->sasl_protection |= NEG_NONE;
1019                 }
1020
1021                 /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
1022                 gensec_gssapi_state->sasl_state = STAGE_DONE;
1023                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
1024                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically sealed\n"));
1025                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
1026                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically signed\n"));
1027                 } else {
1028                         DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
1029                 }
1030
1031                 *out = data_blob(NULL, 0);
1032                 return NT_STATUS_OK;    
1033         }
1034         default:
1035                 return NT_STATUS_INVALID_PARAMETER;
1036         }
1037 }
1038
1039 struct gensec_gssapi_update_state {
1040         NTSTATUS status;
1041         DATA_BLOB out;
1042 };
1043
1044 static struct tevent_req *gensec_gssapi_update_send(TALLOC_CTX *mem_ctx,
1045                                                     struct tevent_context *ev,
1046                                                     struct gensec_security *gensec_security,
1047                                                     const DATA_BLOB in)
1048 {
1049         struct tevent_req *req = NULL;
1050         struct gensec_gssapi_update_state *state = NULL;
1051         NTSTATUS status;
1052
1053         req = tevent_req_create(mem_ctx, &state,
1054                                 struct gensec_gssapi_update_state);
1055         if (req == NULL) {
1056                 return NULL;
1057         }
1058
1059         status = gensec_gssapi_update_internal(gensec_security,
1060                                                state, ev, in,
1061                                                &state->out);
1062         state->status = status;
1063         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1064                 tevent_req_done(req);
1065                 return tevent_req_post(req, ev);
1066         }
1067         if (tevent_req_nterror(req, status)) {
1068                 return tevent_req_post(req, ev);
1069         }
1070
1071         tevent_req_done(req);
1072         return tevent_req_post(req, ev);
1073 }
1074
1075 static NTSTATUS gensec_gssapi_update_recv(struct tevent_req *req,
1076                                           TALLOC_CTX *out_mem_ctx,
1077                                           DATA_BLOB *out)
1078 {
1079         struct gensec_gssapi_update_state *state =
1080                 tevent_req_data(req,
1081                 struct gensec_gssapi_update_state);
1082         NTSTATUS status;
1083
1084         *out = data_blob_null;
1085
1086         if (tevent_req_is_nterror(req, &status)) {
1087                 tevent_req_received(req);
1088                 return status;
1089         }
1090
1091         *out = state->out;
1092         talloc_steal(out_mem_ctx, state->out.data);
1093         status = state->status;
1094         tevent_req_received(req);
1095         return status;
1096 }
1097
1098 static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security, 
1099                                    TALLOC_CTX *mem_ctx, 
1100                                    const DATA_BLOB *in, 
1101                                    DATA_BLOB *out)
1102 {
1103         struct gensec_gssapi_state *gensec_gssapi_state
1104                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1105         OM_uint32 maj_stat, min_stat;
1106         gss_buffer_desc input_token, output_token;
1107         int conf_state;
1108         input_token.length = in->length;
1109         input_token.value = in->data;
1110
1111         maj_stat = gss_wrap(&min_stat, 
1112                             gensec_gssapi_state->gssapi_context, 
1113                             gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
1114                             GSS_C_QOP_DEFAULT,
1115                             &input_token,
1116                             &conf_state,
1117                             &output_token);
1118         if (GSS_ERROR(maj_stat)) {
1119                 DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n", 
1120                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1121                 return NT_STATUS_ACCESS_DENIED;
1122         }
1123
1124         *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
1125         gss_release_buffer(&min_stat, &output_token);
1126
1127         if (gensec_gssapi_state->sasl) {
1128                 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
1129                 if (max_wrapped_size < out->length) {
1130                         DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
1131                                   (unsigned)in->length, 
1132                                   (unsigned)out->length, 
1133                                   (unsigned int)max_wrapped_size));
1134                         return NT_STATUS_INVALID_PARAMETER;
1135                 }
1136         }
1137         
1138         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1139             && !conf_state) {
1140                 return NT_STATUS_ACCESS_DENIED;
1141         }
1142         return NT_STATUS_OK;
1143 }
1144
1145 static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security, 
1146                                      TALLOC_CTX *mem_ctx, 
1147                                      const DATA_BLOB *in, 
1148                                      DATA_BLOB *out)
1149 {
1150         struct gensec_gssapi_state *gensec_gssapi_state
1151                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1152         OM_uint32 maj_stat, min_stat;
1153         gss_buffer_desc input_token, output_token;
1154         int conf_state;
1155         gss_qop_t qop_state;
1156         input_token.length = in->length;
1157         input_token.value = in->data;
1158         
1159         if (gensec_gssapi_state->sasl) {
1160                 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
1161                 if (max_wrapped_size < in->length) {
1162                         DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
1163                         return NT_STATUS_INVALID_PARAMETER;
1164                 }
1165         }
1166         
1167         maj_stat = gss_unwrap(&min_stat, 
1168                               gensec_gssapi_state->gssapi_context, 
1169                               &input_token,
1170                               &output_token, 
1171                               &conf_state,
1172                               &qop_state);
1173         if (GSS_ERROR(maj_stat)) {
1174                 DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n", 
1175                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1176                 return NT_STATUS_ACCESS_DENIED;
1177         }
1178
1179         *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
1180         gss_release_buffer(&min_stat, &output_token);
1181         
1182         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1183             && !conf_state) {
1184                 return NT_STATUS_ACCESS_DENIED;
1185         }
1186         return NT_STATUS_OK;
1187 }
1188
1189 /* Find out the maximum input size negotiated on this connection */
1190
1191 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security) 
1192 {
1193         struct gensec_gssapi_state *gensec_gssapi_state
1194                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1195         OM_uint32 maj_stat, min_stat;
1196         OM_uint32 max_input_size;
1197
1198         maj_stat = gss_wrap_size_limit(&min_stat, 
1199                                        gensec_gssapi_state->gssapi_context,
1200                                        gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
1201                                        GSS_C_QOP_DEFAULT,
1202                                        gensec_gssapi_state->max_wrap_buf_size,
1203                                        &max_input_size);
1204         if (GSS_ERROR(maj_stat)) {
1205                 TALLOC_CTX *mem_ctx = talloc_new(NULL); 
1206                 DEBUG(1, ("gensec_gssapi_max_input_size: determining signature size with gss_wrap_size_limit failed: %s\n",
1207                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1208                 talloc_free(mem_ctx);
1209                 return 0;
1210         }
1211
1212         return max_input_size;
1213 }
1214
1215 /* Find out the maximum output size negotiated on this connection */
1216 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security) 
1217 {
1218         struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);;
1219         return gensec_gssapi_state->max_wrap_buf_size;
1220 }
1221
1222 static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security, 
1223                                           TALLOC_CTX *mem_ctx, 
1224                                           uint8_t *data, size_t length, 
1225                                           const uint8_t *whole_pdu, size_t pdu_length, 
1226                                           DATA_BLOB *sig)
1227 {
1228         struct gensec_gssapi_state *gensec_gssapi_state
1229                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1230         bool hdr_signing = false;
1231         size_t sig_size = 0;
1232         NTSTATUS status;
1233
1234         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1235                 hdr_signing = true;
1236         }
1237
1238         sig_size = gensec_gssapi_sig_size(gensec_security, length);
1239
1240         status = gssapi_seal_packet(gensec_gssapi_state->gssapi_context,
1241                                     gensec_gssapi_state->gss_oid,
1242                                     hdr_signing, sig_size,
1243                                     data, length,
1244                                     whole_pdu, pdu_length,
1245                                     mem_ctx, sig);
1246         if (!NT_STATUS_IS_OK(status)) {
1247                 DEBUG(0, ("gssapi_seal_packet(hdr_signing=%u,sig_size=%zu,"
1248                           "data=%zu,pdu=%zu) failed: %s\n",
1249                           hdr_signing, sig_size, length, pdu_length,
1250                           nt_errstr(status)));
1251                 return status;
1252         }
1253
1254         return NT_STATUS_OK;
1255 }
1256
1257 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security, 
1258                                             uint8_t *data, size_t length, 
1259                                             const uint8_t *whole_pdu, size_t pdu_length,
1260                                             const DATA_BLOB *sig)
1261 {
1262         struct gensec_gssapi_state *gensec_gssapi_state
1263                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1264         bool hdr_signing = false;
1265         NTSTATUS status;
1266
1267         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1268                 hdr_signing = true;
1269         }
1270
1271         status = gssapi_unseal_packet(gensec_gssapi_state->gssapi_context,
1272                                       gensec_gssapi_state->gss_oid,
1273                                       hdr_signing,
1274                                       data, length,
1275                                       whole_pdu, pdu_length,
1276                                       sig);
1277         if (!NT_STATUS_IS_OK(status)) {
1278                 DEBUG(0, ("gssapi_unseal_packet(hdr_signing=%u,sig_size=%zu,"
1279                           "data=%zu,pdu=%zu) failed: %s\n",
1280                           hdr_signing, sig->length, length, pdu_length,
1281                           nt_errstr(status)));
1282                 return status;
1283         }
1284
1285         return NT_STATUS_OK;
1286 }
1287
1288 static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_security, 
1289                                           TALLOC_CTX *mem_ctx, 
1290                                           const uint8_t *data, size_t length, 
1291                                           const uint8_t *whole_pdu, size_t pdu_length, 
1292                                           DATA_BLOB *sig)
1293 {
1294         struct gensec_gssapi_state *gensec_gssapi_state
1295                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1296         bool hdr_signing = false;
1297         NTSTATUS status;
1298
1299         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1300                 hdr_signing = true;
1301         }
1302
1303         status = gssapi_sign_packet(gensec_gssapi_state->gssapi_context,
1304                                     gensec_gssapi_state->gss_oid,
1305                                     hdr_signing,
1306                                     data, length,
1307                                     whole_pdu, pdu_length,
1308                                     mem_ctx, sig);
1309         if (!NT_STATUS_IS_OK(status)) {
1310                 DEBUG(0, ("gssapi_sign_packet(hdr_signing=%u,"
1311                           "data=%zu,pdu=%zu) failed: %s\n",
1312                           hdr_signing, length, pdu_length,
1313                           nt_errstr(status)));
1314                 return status;
1315         }
1316
1317         return NT_STATUS_OK;
1318 }
1319
1320 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security, 
1321                                            const uint8_t *data, size_t length, 
1322                                            const uint8_t *whole_pdu, size_t pdu_length, 
1323                                            const DATA_BLOB *sig)
1324 {
1325         struct gensec_gssapi_state *gensec_gssapi_state
1326                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1327         bool hdr_signing = false;
1328         NTSTATUS status;
1329
1330         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1331                 hdr_signing = true;
1332         }
1333
1334         status = gssapi_check_packet(gensec_gssapi_state->gssapi_context,
1335                                      gensec_gssapi_state->gss_oid,
1336                                      hdr_signing,
1337                                      data, length,
1338                                      whole_pdu, pdu_length,
1339                                      sig);
1340         if (!NT_STATUS_IS_OK(status)) {
1341                 DEBUG(0, ("gssapi_check_packet(hdr_signing=%u,sig_size=%zu,"
1342                           "data=%zu,pdu=%zu) failed: %s\n",
1343                           hdr_signing, sig->length, length, pdu_length,
1344                           nt_errstr(status)));
1345                 return status;
1346         }
1347
1348         return NT_STATUS_OK;
1349 }
1350
1351 /* Try to figure out what features we actually got on the connection */
1352 static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security, 
1353                                        uint32_t feature) 
1354 {
1355         struct gensec_gssapi_state *gensec_gssapi_state
1356                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1357         if (feature & GENSEC_FEATURE_SIGN) {
1358                 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1359                 if (gensec_gssapi_state->sasl 
1360                     && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1361                         return ((gensec_gssapi_state->sasl_protection & NEG_SIGN) 
1362                                 && (gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG));
1363                 }
1364                 return gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG;
1365         }
1366         if (feature & GENSEC_FEATURE_SEAL) {
1367                 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1368                 if (gensec_gssapi_state->sasl 
1369                     && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1370                         return ((gensec_gssapi_state->sasl_protection & NEG_SEAL) 
1371                                  && (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG));
1372                 }
1373                 return gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG;
1374         }
1375         if (feature & GENSEC_FEATURE_SESSION_KEY) {
1376                 /* Only for GSSAPI/Krb5 */
1377                 if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
1378                                       gss_mech_krb5)) {
1379                         return true;
1380                 }
1381         }
1382         if (feature & GENSEC_FEATURE_DCE_STYLE) {
1383                 return gensec_gssapi_state->gss_got_flags & GSS_C_DCE_STYLE;
1384         }
1385         if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
1386                 NTSTATUS status;
1387                 uint32_t keytype;
1388
1389                 if (!(gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG)) {
1390                         return false;
1391                 }
1392
1393                 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) {
1394                         return true;
1395                 }
1396                 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) {
1397                         return false;
1398                 }
1399
1400                 status = gssapi_get_session_key(gensec_gssapi_state,
1401                                                 gensec_gssapi_state->gssapi_context, NULL, &keytype);
1402                 /* 
1403                  * We should do a proper sig on the mechListMic unless
1404                  * we know we have to be backwards compatible with
1405                  * earlier windows versions.  
1406                  * 
1407                  * Negotiating a non-krb5
1408                  * mech for example should be regarded as having
1409                  * NEW_SPNEGO
1410                  */
1411                 if (NT_STATUS_IS_OK(status)) {
1412                         switch (keytype) {
1413                         case ENCTYPE_DES_CBC_CRC:
1414                         case ENCTYPE_DES_CBC_MD5:
1415                         case ENCTYPE_ARCFOUR_HMAC:
1416                         case ENCTYPE_DES3_CBC_SHA1:
1417                                 return false;
1418                         }
1419                 }
1420                 return true;
1421         }
1422         /* We can always do async (rather than strict request/reply) packets.  */
1423         if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1424                 return true;
1425         }
1426         if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1427                 return true;
1428         }
1429         return false;
1430 }
1431
1432 static NTTIME gensec_gssapi_expire_time(struct gensec_security *gensec_security)
1433 {
1434         struct gensec_gssapi_state *gensec_gssapi_state =
1435                 talloc_get_type_abort(gensec_security->private_data,
1436                 struct gensec_gssapi_state);
1437
1438         return gensec_gssapi_state->expire_time;
1439 }
1440
1441 /*
1442  * Extract the 'sesssion key' needed by SMB signing and ncacn_np 
1443  * (for encrypting some passwords).
1444  * 
1445  * This breaks all the abstractions, but what do you expect...
1446  */
1447 static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security, 
1448                                           TALLOC_CTX *mem_ctx,
1449                                           DATA_BLOB *session_key) 
1450 {
1451         struct gensec_gssapi_state *gensec_gssapi_state
1452                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1453         return gssapi_get_session_key(mem_ctx, gensec_gssapi_state->gssapi_context, session_key, NULL);
1454 }
1455
1456 /* Get some basic (and authorization) information about the user on
1457  * this session.  This uses either the PAC (if present) or a local
1458  * database lookup */
1459 static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
1460                                            TALLOC_CTX *mem_ctx,
1461                                            struct auth_session_info **_session_info) 
1462 {
1463         NTSTATUS nt_status;
1464         TALLOC_CTX *tmp_ctx;
1465         struct gensec_gssapi_state *gensec_gssapi_state
1466                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1467         struct auth_session_info *session_info = NULL;
1468         OM_uint32 maj_stat, min_stat;
1469         DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
1470
1471         gss_buffer_desc name_token;
1472         char *principal_string;
1473         
1474         tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
1475         NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1476
1477         maj_stat = gss_display_name (&min_stat,
1478                                      gensec_gssapi_state->client_name,
1479                                      &name_token,
1480                                      NULL);
1481         if (GSS_ERROR(maj_stat)) {
1482                 DEBUG(1, ("GSS display_name failed: %s\n",
1483                           gssapi_error_string(tmp_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1484                 talloc_free(tmp_ctx);
1485                 return NT_STATUS_FOOBAR;
1486         }
1487
1488         principal_string = talloc_strndup(tmp_ctx,
1489                                           (const char *)name_token.value,
1490                                           name_token.length);
1491
1492         gss_release_buffer(&min_stat, &name_token);
1493
1494         if (!principal_string) {
1495                 talloc_free(tmp_ctx);
1496                 return NT_STATUS_NO_MEMORY;
1497         }
1498
1499         nt_status = gssapi_obtain_pac_blob(tmp_ctx,  gensec_gssapi_state->gssapi_context,
1500                                            gensec_gssapi_state->client_name,
1501                                            &pac_blob);
1502         
1503         /* IF we have the PAC - otherwise we need to get this
1504          * data from elsewere - local ldb, or (TODO) lookup of some
1505          * kind... 
1506          */
1507         if (NT_STATUS_IS_OK(nt_status)) {
1508                 pac_blob_ptr = &pac_blob;
1509         }
1510         nt_status = gensec_generate_session_info_pac(tmp_ctx,
1511                                                      gensec_security,
1512                                                      gensec_gssapi_state->smb_krb5_context,
1513                                                      pac_blob_ptr, principal_string,
1514                                                      gensec_get_remote_address(gensec_security),
1515                                                      &session_info);
1516         if (!NT_STATUS_IS_OK(nt_status)) {
1517                 talloc_free(tmp_ctx);
1518                 return nt_status;
1519         }
1520
1521         nt_status = gensec_gssapi_session_key(gensec_security, session_info, &session_info->session_key);
1522         if (!NT_STATUS_IS_OK(nt_status)) {
1523                 talloc_free(tmp_ctx);
1524                 return nt_status;
1525         }
1526
1527         if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
1528             gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
1529                 krb5_error_code ret;
1530                 const char *error_string;
1531
1532                 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1533
1534                 /*
1535                  * Create anonymous credentials for now.
1536                  *
1537                  * We will update them with the provided client gss creds.
1538                  */
1539                 session_info->credentials = cli_credentials_init_anon(session_info);
1540                 if (session_info->credentials == NULL) {
1541                         talloc_free(tmp_ctx);
1542                         return NT_STATUS_NO_MEMORY;
1543                 }
1544
1545                 ret = cli_credentials_set_client_gss_creds(session_info->credentials, 
1546                                                            gensec_security->settings->lp_ctx,
1547                                                            gensec_gssapi_state->delegated_cred_handle,
1548                                                            CRED_SPECIFIED, &error_string);
1549                 if (ret) {
1550                         talloc_free(tmp_ctx);
1551                         DEBUG(2,("Failed to get gss creds: %s\n", error_string));
1552                         return NT_STATUS_NO_MEMORY;
1553                 }
1554                 
1555                 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1556                 cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
1557
1558                 /* It has been taken from this place... */
1559                 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1560         } else {
1561                 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1562         }
1563
1564         *_session_info = talloc_steal(mem_ctx, session_info);
1565         talloc_free(tmp_ctx);
1566
1567         return NT_STATUS_OK;
1568 }
1569
1570 static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
1571 {
1572         struct gensec_gssapi_state *gensec_gssapi_state
1573                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1574         size_t sig_size;
1575
1576         if (gensec_gssapi_state->sig_size > 0) {
1577                 return gensec_gssapi_state->sig_size;
1578         }
1579
1580         sig_size = gssapi_get_sig_size(gensec_gssapi_state->gssapi_context,
1581                                        gensec_gssapi_state->gss_oid,
1582                                        gensec_gssapi_state->gss_got_flags,
1583                                        data_size);
1584
1585         gensec_gssapi_state->sig_size = sig_size;
1586         return gensec_gssapi_state->sig_size;
1587 }
1588
1589 static const char *gensec_gssapi_final_auth_type(struct gensec_security *gensec_security)
1590 {
1591         struct gensec_gssapi_state *gensec_gssapi_state
1592                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1593         /* Only return the string for GSSAPI/Krb5 */
1594         if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
1595                               gss_mech_krb5)) {
1596                 return GENSEC_FINAL_AUTH_TYPE_KRB5;
1597         } else {
1598                 return "gensec_gssapi: UNKNOWN MECH";
1599         }
1600 }
1601
1602 static const char *gensec_gssapi_krb5_oids[] = { 
1603         GENSEC_OID_KERBEROS5_OLD,
1604         GENSEC_OID_KERBEROS5,
1605         NULL 
1606 };
1607
1608 static const char *gensec_gssapi_spnego_oids[] = { 
1609         GENSEC_OID_SPNEGO,
1610         NULL 
1611 };
1612
1613 /* As a server, this could in theory accept any GSSAPI mech */
1614 static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
1615         .name           = "gssapi_spnego",
1616         .sasl_name      = "GSS-SPNEGO",
1617         .auth_type      = DCERPC_AUTH_TYPE_SPNEGO,
1618         .oid            = gensec_gssapi_spnego_oids,
1619         .client_start   = gensec_gssapi_client_start,
1620         .server_start   = gensec_gssapi_server_start,
1621         .magic          = gensec_magic_check_krb5_oid,
1622         .update_send    = gensec_gssapi_update_send,
1623         .update_recv    = gensec_gssapi_update_recv,
1624         .session_key    = gensec_gssapi_session_key,
1625         .session_info   = gensec_gssapi_session_info,
1626         .sign_packet    = gensec_gssapi_sign_packet,
1627         .check_packet   = gensec_gssapi_check_packet,
1628         .seal_packet    = gensec_gssapi_seal_packet,
1629         .unseal_packet  = gensec_gssapi_unseal_packet,
1630         .max_input_size   = gensec_gssapi_max_input_size,
1631         .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1632         .wrap           = gensec_gssapi_wrap,
1633         .unwrap         = gensec_gssapi_unwrap,
1634         .have_feature   = gensec_gssapi_have_feature,
1635         .expire_time    = gensec_gssapi_expire_time,
1636         .final_auth_type = gensec_gssapi_final_auth_type,
1637         .enabled        = false,
1638         .kerberos       = true,
1639         .priority       = GENSEC_GSSAPI
1640 };
1641
1642 /* As a server, this could in theory accept any GSSAPI mech */
1643 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
1644         .name           = "gssapi_krb5",
1645         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
1646         .oid            = gensec_gssapi_krb5_oids,
1647         .client_start   = gensec_gssapi_client_start,
1648         .server_start   = gensec_gssapi_server_start,
1649         .magic          = gensec_magic_check_krb5_oid,
1650         .update_send    = gensec_gssapi_update_send,
1651         .update_recv    = gensec_gssapi_update_recv,
1652         .session_key    = gensec_gssapi_session_key,
1653         .session_info   = gensec_gssapi_session_info,
1654         .sig_size       = gensec_gssapi_sig_size,
1655         .sign_packet    = gensec_gssapi_sign_packet,
1656         .check_packet   = gensec_gssapi_check_packet,
1657         .seal_packet    = gensec_gssapi_seal_packet,
1658         .unseal_packet  = gensec_gssapi_unseal_packet,
1659         .max_input_size   = gensec_gssapi_max_input_size,
1660         .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1661         .wrap           = gensec_gssapi_wrap,
1662         .unwrap         = gensec_gssapi_unwrap,
1663         .have_feature   = gensec_gssapi_have_feature,
1664         .expire_time    = gensec_gssapi_expire_time,
1665         .final_auth_type = gensec_gssapi_final_auth_type,
1666         .enabled        = true,
1667         .kerberos       = true,
1668         .priority       = GENSEC_GSSAPI
1669 };
1670
1671 /* As a server, this could in theory accept any GSSAPI mech */
1672 static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
1673         .name             = "gssapi_krb5_sasl",
1674         .sasl_name        = "GSSAPI",
1675         .client_start     = gensec_gssapi_sasl_client_start,
1676         .server_start     = gensec_gssapi_sasl_server_start,
1677         .update_send      = gensec_gssapi_update_send,
1678         .update_recv      = gensec_gssapi_update_recv,
1679         .session_key      = gensec_gssapi_session_key,
1680         .session_info     = gensec_gssapi_session_info,
1681         .max_input_size   = gensec_gssapi_max_input_size,
1682         .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1683         .wrap             = gensec_gssapi_wrap,
1684         .unwrap           = gensec_gssapi_unwrap,
1685         .have_feature     = gensec_gssapi_have_feature,
1686         .expire_time      = gensec_gssapi_expire_time,
1687         .final_auth_type = gensec_gssapi_final_auth_type,
1688         .enabled          = true,
1689         .kerberos         = true,
1690         .priority         = GENSEC_GSSAPI
1691 };
1692
1693 _PUBLIC_ NTSTATUS gensec_gssapi_init(TALLOC_CTX *ctx)
1694 {
1695         NTSTATUS ret;
1696
1697         ret = gensec_register(ctx, &gensec_gssapi_spnego_security_ops);
1698         if (!NT_STATUS_IS_OK(ret)) {
1699                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1700                         gensec_gssapi_spnego_security_ops.name));
1701                 return ret;
1702         }
1703
1704         ret = gensec_register(ctx, &gensec_gssapi_krb5_security_ops);
1705         if (!NT_STATUS_IS_OK(ret)) {
1706                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1707                         gensec_gssapi_krb5_security_ops.name));
1708                 return ret;
1709         }
1710
1711         ret = gensec_register(ctx, &gensec_gssapi_sasl_krb5_security_ops);
1712         if (!NT_STATUS_IS_OK(ret)) {
1713                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1714                         gensec_gssapi_sasl_krb5_security_ops.name));
1715                 return ret;
1716         }
1717
1718         return ret;
1719 }
Work in progress branches