git.samba.org / metze / samba / wip.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
s4 make use of gensec_gssapi_try_kerberos()
[metze/samba/wip.git] / source4 / auth / gensec / gensec_gssapi.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos backend for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7    Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "lib/util/tevent_ntstatus.h"
27 #include "lib/events/events.h"
28 #include "system/kerberos.h"
29 #include "system/gssapi.h"
30 #include "auth/kerberos/kerberos.h"
31 #include "librpc/gen_ndr/krb5pac.h"
32 #include "auth/auth.h"
33 #include <ldb.h>
34 #include "auth/auth_sam.h"
35 #include "librpc/gen_ndr/dcerpc.h"
36 #include "auth/credentials/credentials.h"
37 #include "auth/credentials/credentials_krb5.h"
38 #include "auth/gensec/gensec.h"
39 #include "auth/gensec/gensec_internal.h"
40 #include "auth/gensec/gensec_proto.h"
41 #include "auth/gensec/gensec_toplevel_proto.h"
42 #include "param/param.h"
43 #include "auth/session_proto.h"
44 #include "gensec_gssapi.h"
45 #include "lib/util/util_net.h"
46 #include "auth/kerberos/pac_utils.h"
47 #include "auth/kerberos/gssapi_helper.h"
48
49 #ifndef gss_mech_spnego
50 gss_OID_desc spnego_mech_oid_desc =
51                 { 6, discard_const_p(void, "\x2b\x06\x01\x05\x05\x02") };
52 #define gss_mech_spnego (&spnego_mech_oid_desc)
53 #endif
54
55 _PUBLIC_ NTSTATUS gensec_gssapi_init(TALLOC_CTX *);
56
57 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
58 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
59 static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size);
60
61 static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
62 {
63         OM_uint32 min_stat;
64
65         if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
66                 gss_release_cred(&min_stat,
67                                  &gensec_gssapi_state->delegated_cred_handle);
68         }
69
70         if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
71                 gss_delete_sec_context(&min_stat,
72                                        &gensec_gssapi_state->gssapi_context,
73                                        GSS_C_NO_BUFFER);
74         }
75
76         if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
77                 gss_release_name(&min_stat,
78                                  &gensec_gssapi_state->server_name);
79         }
80         if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
81                 gss_release_name(&min_stat,
82                                  &gensec_gssapi_state->client_name);
83         }
84
85         return 0;
86 }
87
88 static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx,
89                                                      const char *target_principal,
90                                                      const char *service,
91                                                      const char *hostname,
92                                                      const char *realm,
93                                                      const gss_OID mech,
94                                                      char **pserver_principal,
95                                                      gss_name_t *pserver_name)
96 {
97         char *server_principal = NULL;
98         gss_buffer_desc name_token;
99         gss_OID name_type;
100         OM_uint32 maj_stat, min_stat = 0;
101
102         if (target_principal != NULL) {
103                 server_principal = talloc_strdup(mem_ctx, target_principal);
104                 name_type = GSS_C_NULL_OID;
105         } else {
106                 server_principal = talloc_asprintf(mem_ctx,
107                                                    "%s/%s@%s",
108                                                    service, hostname, realm);
109                 name_type = GSS_C_NT_USER_NAME;
110         }
111         if (server_principal == NULL) {
112                 return NT_STATUS_NO_MEMORY;
113         }
114
115         name_token.value = (uint8_t *)server_principal;
116         name_token.length = strlen(server_principal);
117
118         maj_stat = gss_import_name(&min_stat,
119                                    &name_token,
120                                    name_type,
121                                    pserver_name);
122         if (maj_stat) {
123                 DBG_WARNING("GSS Import name of %s failed: %s\n",
124                             server_principal,
125                             gssapi_error_string(mem_ctx,
126                                                 maj_stat,
127                                                 min_stat,
128                                                 mech));
129                 TALLOC_FREE(server_principal);
130                 return NT_STATUS_INVALID_PARAMETER;
131         }
132
133         *pserver_principal = server_principal;
134
135         return NT_STATUS_OK;
136 }
137
138 static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
139 {
140         struct gensec_gssapi_state *gensec_gssapi_state;
141         krb5_error_code ret;
142 #ifdef SAMBA4_USES_HEIMDAL
143         const char *realm;
144 #endif
145
146         gensec_gssapi_state = talloc_zero(gensec_security, struct gensec_gssapi_state);
147         if (!gensec_gssapi_state) {
148                 return NT_STATUS_NO_MEMORY;
149         }
150
151         gensec_security->private_data = gensec_gssapi_state;
152
153         gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
154
155         /* TODO: Fill in channel bindings */
156         gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
157
158         gensec_gssapi_state->server_name = GSS_C_NO_NAME;
159         gensec_gssapi_state->client_name = GSS_C_NO_NAME;
160         
161         gensec_gssapi_state->gss_want_flags = 0;
162         gensec_gssapi_state->expire_time = GENSEC_EXPIRE_TIME_INFINITY;
163
164         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
165                 gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_POLICY_FLAG;
166         }
167         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
168                 gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
169         }
170         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
171                 gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
172         }
173         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
174                 gensec_gssapi_state->gss_want_flags |= GSS_C_REPLAY_FLAG;
175         }
176         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
177                 gensec_gssapi_state->gss_want_flags |= GSS_C_SEQUENCE_FLAG;
178         }
179
180         if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
181                 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
182         }
183         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
184                 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
185         }
186         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
187                 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
188                 gensec_gssapi_state->gss_want_flags |= GSS_C_CONF_FLAG;
189         }
190         if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
191                 gensec_gssapi_state->gss_want_flags |= GSS_C_DCE_STYLE;
192         }
193
194         gensec_gssapi_state->gss_got_flags = 0;
195
196         switch (gensec_security->ops->auth_type) {
197         case DCERPC_AUTH_TYPE_SPNEGO:
198                 gensec_gssapi_state->gss_oid = gss_mech_spnego;
199                 break;
200         case DCERPC_AUTH_TYPE_KRB5:
201         default:
202                 gensec_gssapi_state->gss_oid =
203                         discard_const_p(void, gss_mech_krb5);
204                 break;
205         }
206
207         ret = smb_krb5_init_context(gensec_gssapi_state,
208                                     gensec_security->settings->lp_ctx,
209                                     &gensec_gssapi_state->smb_krb5_context);
210         if (ret) {
211                 DEBUG(1,("gensec_gssapi_start: smb_krb5_init_context failed (%s)\n",
212                          error_message(ret)));
213                 talloc_free(gensec_gssapi_state);
214                 return NT_STATUS_INTERNAL_ERROR;
215         }
216
217         gensec_gssapi_state->client_cred = NULL;
218         gensec_gssapi_state->server_cred = NULL;
219
220         gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
221
222         gensec_gssapi_state->sasl = false;
223         gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
224         gensec_gssapi_state->sasl_protection = 0;
225
226         gensec_gssapi_state->max_wrap_buf_size
227                 = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
228         gensec_gssapi_state->gss_exchange_count = 0;
229         gensec_gssapi_state->sig_size = 0;
230
231         talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
232
233 #ifdef SAMBA4_USES_HEIMDAL
234         realm = lpcfg_realm(gensec_security->settings->lp_ctx);
235         if (realm != NULL) {
236                 ret = gsskrb5_set_default_realm(realm);
237                 if (ret) {
238                         DEBUG(1,("gensec_gssapi_start: gsskrb5_set_default_realm failed\n"));
239                         talloc_free(gensec_gssapi_state);
240                         return NT_STATUS_INTERNAL_ERROR;
241                 }
242         }
243
244         /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
245         ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
246         if (ret) {
247                 DEBUG(1,("gensec_gssapi_start: gsskrb5_set_dns_canonicalize failed\n"));
248                 talloc_free(gensec_gssapi_state);
249                 return NT_STATUS_INTERNAL_ERROR;
250         }
251 #endif
252         return NT_STATUS_OK;
253 }
254
255 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
256 {
257         NTSTATUS nt_status;
258         int ret;
259         struct gensec_gssapi_state *gensec_gssapi_state;
260         struct cli_credentials *machine_account;
261         struct gssapi_creds_container *gcc;
262
263         nt_status = gensec_gssapi_start(gensec_security);
264         if (!NT_STATUS_IS_OK(nt_status)) {
265                 return nt_status;
266         }
267
268         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
269
270         machine_account = gensec_get_credentials(gensec_security);
271         
272         if (!machine_account) {
273                 DEBUG(3, ("No machine account credentials specified\n"));
274                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
275         } else {
276                 ret = cli_credentials_get_server_gss_creds(machine_account, 
277                                                            gensec_security->settings->lp_ctx, &gcc);
278                 if (ret) {
279                         DEBUG(1, ("Acquiring acceptor credentials failed: %s\n",
280                                   error_message(ret)));
281                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
282                 }
283         }
284
285         gensec_gssapi_state->server_cred = gcc;
286         return NT_STATUS_OK;
287
288 }
289
290 static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_security)
291 {
292         NTSTATUS nt_status;
293         struct gensec_gssapi_state *gensec_gssapi_state;
294         nt_status = gensec_gssapi_server_start(gensec_security);
295
296         if (NT_STATUS_IS_OK(nt_status)) {
297                 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
298                 gensec_gssapi_state->sasl = true;
299         }
300         return nt_status;
301 }
302
303 static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_security,
304                                            struct tevent_context *ev)
305 {
306         struct gensec_gssapi_state *gensec_gssapi_state;
307         struct gssapi_creds_container *gcc;
308         struct cli_credentials *creds = gensec_get_credentials(gensec_security);
309         const char *error_string;
310         int ret;
311
312         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
313
314         /* Only run this the first time the update() call is made */
315         if (gensec_gssapi_state->client_cred) {
316                 return NT_STATUS_OK;
317         }
318
319         ret = cli_credentials_get_client_gss_creds(creds,
320                                                    ev,
321                                                    gensec_security->settings->lp_ctx, &gcc, &error_string);
322         switch (ret) {
323         case 0:
324                 break;
325         case EINVAL:
326                 DEBUG(3, ("Cannot obtain client GSS credentials we need to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
327                 return NT_STATUS_INVALID_PARAMETER;
328         case KRB5KDC_ERR_PREAUTH_FAILED:
329         case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
330         case KRB5KRB_AP_ERR_BAD_INTEGRITY:
331                 DEBUG(1, ("Wrong username or password: %s\n", error_string));
332                 return NT_STATUS_LOGON_FAILURE;
333         case KRB5KDC_ERR_CLIENT_REVOKED:
334                 DEBUG(1, ("Account locked out: %s\n", error_string));
335                 return NT_STATUS_ACCOUNT_LOCKED_OUT;
336         case KRB5_REALM_UNKNOWN:
337         case KRB5_KDC_UNREACH:
338                 DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
339                 return NT_STATUS_NO_LOGON_SERVERS;
340         case KRB5_CC_NOTFOUND:
341         case KRB5_CC_END:
342                 DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n", gensec_gssapi_state->target_principal, error_string));
343                 return NT_STATUS_TIME_DIFFERENCE_AT_DC;
344         default:
345                 DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
346                 return NT_STATUS_UNSUCCESSFUL;
347         }
348
349         gensec_gssapi_state->client_cred = gcc;
350         if (!talloc_reference(gensec_gssapi_state, gcc)) {
351                 return NT_STATUS_NO_MEMORY;
352         }
353
354         return NT_STATUS_OK;
355 }
356
357 static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
358 {
359         struct gensec_gssapi_state *gensec_gssapi_state;
360         struct cli_credentials *creds = gensec_get_credentials(gensec_security);
361         NTSTATUS nt_status;
362         const char *target_principal = NULL;
363         const char *hostname = gensec_get_target_hostname(gensec_security);
364         const char *service = gensec_get_target_service(gensec_security);
365         const char *realm = cli_credentials_get_realm(creds);
366
367         nt_status = gensec_gssapi_try_kerberos(gensec_security);
368         if (!NT_STATUS_IS_OK(nt_status)) {
369                 return nt_status;
370         }
371
372         target_principal = gensec_get_target_principal(gensec_security);
373         if (target_principal == NULL && realm == NULL) {
374                 char *cred_name = cli_credentials_get_unparsed_name(creds,
375                                                                 gensec_security);
376                 DEBUG(3, ("cli_credentials(%s) without realm, "
377                           "cannot use kerberos for this connection %s/%s\n",
378                           cred_name, service, hostname));
379                 TALLOC_FREE(cred_name);
380                 return NT_STATUS_INVALID_PARAMETER;
381         }
382
383         nt_status = gensec_gssapi_start(gensec_security);
384         if (!NT_STATUS_IS_OK(nt_status)) {
385                 return nt_status;
386         }
387
388         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
389
390         if (cli_credentials_get_impersonate_principal(creds)) {
391                 gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
392         }
393
394         return NT_STATUS_OK;
395 }
396
397 static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
398 {
399         NTSTATUS nt_status;
400         struct gensec_gssapi_state *gensec_gssapi_state;
401         nt_status = gensec_gssapi_client_start(gensec_security);
402
403         if (NT_STATUS_IS_OK(nt_status)) {
404                 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
405                 gensec_gssapi_state->sasl = true;
406         }
407         return nt_status;
408 }
409
410 static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_security,
411                                               TALLOC_CTX *out_mem_ctx,
412                                               struct tevent_context *ev,
413                                               const DATA_BLOB in, DATA_BLOB *out)
414 {
415         struct gensec_gssapi_state *gensec_gssapi_state
416                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
417         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
418         OM_uint32 maj_stat, min_stat;
419         OM_uint32 min_stat2;
420         gss_buffer_desc input_token = { 0, NULL };
421         gss_buffer_desc output_token = { 0, NULL };
422         struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
423         const char *target_principal = gensec_get_target_principal(gensec_security);
424         const char *hostname = gensec_get_target_hostname(gensec_security);
425         const char *service = gensec_get_target_service(gensec_security);
426         const char *client_realm = cli_credentials_get_realm(cli_creds);
427         const char *server_realm = NULL;
428         gss_OID gss_oid_p = NULL;
429         OM_uint32 time_req = 0;
430         OM_uint32 time_rec = 0;
431         struct timeval tv;
432
433         time_req = gensec_setting_int(gensec_security->settings,
434                                       "gensec_gssapi", "requested_life_time",
435                                       time_req);
436
437         input_token.length = in.length;
438         input_token.value = in.data;
439
440         switch (gensec_gssapi_state->sasl_state) {
441         case STAGE_GSS_NEG:
442         {
443                 switch (gensec_security->gensec_role) {
444                 case GENSEC_CLIENT:
445                 {
446 #ifdef SAMBA4_USES_HEIMDAL
447                         struct gsskrb5_send_to_kdc send_to_kdc;
448                         krb5_error_code ret;
449 #else
450                         bool fallback = false;
451 #endif
452
453                         nt_status = gensec_gssapi_client_creds(gensec_security, ev);
454                         if (!NT_STATUS_IS_OK(nt_status)) {
455                                 return nt_status;
456                         }
457
458 #ifdef SAMBA4_USES_HEIMDAL
459                         send_to_kdc.func = smb_krb5_send_and_recv_func;
460                         send_to_kdc.ptr = ev;
461
462                         min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
463                         if (min_stat) {
464                                 DEBUG(1,("gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n"));
465                                 return NT_STATUS_INTERNAL_ERROR;
466                         }
467 #endif
468
469                         /*
470                          * With credentials for
471                          * administrator@FOREST1.EXAMPLE.COM this patch changes
472                          * the target_principal for the ldap service of host
473                          * dc2.forest2.example.com from
474                          *
475                          *   ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
476                          *
477                          * to
478                          *
479                          *   ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
480                          *
481                          * Typically
482                          * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
483                          * should be used in order to allow the KDC of
484                          * FOREST1.EXAMPLE.COM to generate a referral ticket
485                          * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
486                          *
487                          * The problem is that KDCs only return such referral
488                          * tickets if there's a forest trust between
489                          * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If
490                          * there's only an external domain trust between
491                          * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC
492                          * of FOREST1.EXAMPLE.COM will respond with
493                          * S_PRINCIPAL_UNKNOWN when being asked for
494                          * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
495                          *
496                          * In the case of an external trust the client can
497                          * still ask explicitly for
498                          * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and
499                          * the KDC of FOREST1.EXAMPLE.COM will generate it.
500                          *
501                          * From there the client can use the
502                          * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
503                          * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
504                          * service ticket for
505                          * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
506                          *
507                          * With Heimdal we'll get the fallback on
508                          * S_PRINCIPAL_UNKNOWN behavior when we pass
509                          * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
510                          * target principal. As _krb5_get_cred_kdc_any() first
511                          * calls get_cred_kdc_referral() (which always starts
512                          * with the client realm) and falls back to
513                          * get_cred_kdc_capath() (which starts with the given
514                          * realm).
515                          *
516                          * MIT krb5 only tries the given realm of the target
517                          * principal, if we want to autodetect support for
518                          * transitive forest trusts, would have to do the
519                          * fallback ourself.
520                          */
521 #ifndef SAMBA4_USES_HEIMDAL
522                         if (gensec_gssapi_state->server_name == NULL) {
523                                 nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
524                                                                                  target_principal,
525                                                                                  service,
526                                                                                  hostname,
527                                                                                  client_realm,
528                                                                                  gensec_gssapi_state->gss_oid,
529                                                                                  &gensec_gssapi_state->target_principal,
530                                                                                  &gensec_gssapi_state->server_name);
531                                 if (!NT_STATUS_IS_OK(nt_status)) {
532                                         return nt_status;
533                                 }
534
535                                 maj_stat = gss_init_sec_context(&min_stat,
536                                                                 gensec_gssapi_state->client_cred->creds,
537                                                                 &gensec_gssapi_state->gssapi_context,
538                                                                 gensec_gssapi_state->server_name,
539                                                                 gensec_gssapi_state->gss_oid,
540                                                                 gensec_gssapi_state->gss_want_flags,
541                                                                 time_req,
542                                                                 gensec_gssapi_state->input_chan_bindings,
543                                                                 &input_token,
544                                                                 &gss_oid_p,
545                                                                 &output_token,
546                                                                 &gensec_gssapi_state->gss_got_flags, /* ret flags */
547                                                                 &time_rec);
548                                 if (maj_stat != GSS_S_FAILURE) {
549                                         goto init_sec_context_done;
550                                 }
551                                 if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
552                                         goto init_sec_context_done;
553                                 }
554                                 if (target_principal != NULL) {
555                                         goto init_sec_context_done;
556                                 }
557
558                                 fallback = true;
559                                 TALLOC_FREE(gensec_gssapi_state->target_principal);
560                                 gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
561                         }
562 #endif /* !SAMBA4_USES_HEIMDAL */
563                         if (gensec_gssapi_state->server_name == NULL) {
564                                 server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
565                                                                                 hostname,
566                                                                                 client_realm);
567                                 if (server_realm == NULL) {
568                                         return NT_STATUS_NO_MEMORY;
569                                 }
570
571 #ifndef SAMBA4_USES_HEIMDAL
572                                 if (fallback &&
573                                     strequal(client_realm, server_realm)) {
574                                         goto init_sec_context_done;
575                                 }
576 #endif /* !SAMBA4_USES_HEIMDAL */
577
578                                 nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
579                                                                                  target_principal,
580                                                                                  service,
581                                                                                  hostname,
582                                                                                  server_realm,
583                                                                                  gensec_gssapi_state->gss_oid,
584                                                                                  &gensec_gssapi_state->target_principal,
585                                                                                  &gensec_gssapi_state->server_name);
586                                 if (!NT_STATUS_IS_OK(nt_status)) {
587                                         return nt_status;
588                                 }
589                         }
590
591                         maj_stat = gss_init_sec_context(&min_stat, 
592                                                         gensec_gssapi_state->client_cred->creds,
593                                                         &gensec_gssapi_state->gssapi_context, 
594                                                         gensec_gssapi_state->server_name, 
595                                                         gensec_gssapi_state->gss_oid,
596                                                         gensec_gssapi_state->gss_want_flags, 
597                                                         time_req,
598                                                         gensec_gssapi_state->input_chan_bindings,
599                                                         &input_token, 
600                                                         &gss_oid_p,
601                                                         &output_token, 
602                                                         &gensec_gssapi_state->gss_got_flags, /* ret flags */
603                                                         &time_rec);
604                         goto init_sec_context_done;
605                         /* JUMP! */
606 init_sec_context_done:
607                         if (gss_oid_p) {
608                                 gensec_gssapi_state->gss_oid = gss_oid_p;
609                         }
610
611 #ifdef SAMBA4_USES_HEIMDAL
612                         send_to_kdc.func = smb_krb5_send_and_recv_func;
613                         send_to_kdc.ptr = NULL;
614
615                         ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
616                         if (ret) {
617                                 DEBUG(1,("gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n"));
618                                 return NT_STATUS_INTERNAL_ERROR;
619                         }
620 #endif
621                         break;
622                 }
623                 case GENSEC_SERVER:
624                 {
625                         maj_stat = gss_accept_sec_context(&min_stat, 
626                                                           &gensec_gssapi_state->gssapi_context, 
627                                                           gensec_gssapi_state->server_cred->creds,
628                                                           &input_token, 
629                                                           gensec_gssapi_state->input_chan_bindings,
630                                                           &gensec_gssapi_state->client_name, 
631                                                           &gss_oid_p,
632                                                           &output_token, 
633                                                           &gensec_gssapi_state->gss_got_flags, 
634                                                           &time_rec,
635                                                           &gensec_gssapi_state->delegated_cred_handle);
636                         if (gss_oid_p) {
637                                 gensec_gssapi_state->gss_oid = gss_oid_p;
638                         }
639                         break;
640                 }
641                 default:
642                         return NT_STATUS_INVALID_PARAMETER;
643                         
644                 }
645
646                 gensec_gssapi_state->gss_exchange_count++;
647
648                 if (maj_stat == GSS_S_COMPLETE) {
649                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
650                         gss_release_buffer(&min_stat2, &output_token);
651                         
652                         if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
653                             gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
654                                 DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
655                         } else {
656                                 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
657                         }
658
659                         tv = timeval_current_ofs(time_rec, 0);
660                         gensec_gssapi_state->expire_time = timeval_to_nttime(&tv);
661
662                         /* We may have been invoked as SASL, so there
663                          * is more work to do */
664                         if (gensec_gssapi_state->sasl) {
665                                 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
666                                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
667                         } else {
668                                 gensec_gssapi_state->sasl_state = STAGE_DONE;
669
670                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
671                                         DEBUG(5, ("GSSAPI Connection will be cryptographically sealed\n"));
672                                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
673                                         DEBUG(5, ("GSSAPI Connection will be cryptographically signed\n"));
674                                 } else {
675                                         DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
676                                 }
677
678                                 return NT_STATUS_OK;
679                         }
680                 } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
681                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
682                         gss_release_buffer(&min_stat2, &output_token);
683                         
684                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
685                 } else if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
686                         gss_cred_id_t creds = NULL;
687                         gss_name_t name;
688                         gss_buffer_desc buffer;
689                         OM_uint32 lifetime = 0;
690                         gss_cred_usage_t usage;
691                         const char *role = NULL;
692                         DEBUG(0, ("GSS %s Update(krb5)(%d) Update failed, credentials expired during GSSAPI handshake!\n",
693                                   role,
694                                   gensec_gssapi_state->gss_exchange_count));
695
696                         
697                         switch (gensec_security->gensec_role) {
698                         case GENSEC_CLIENT:
699                                 creds = gensec_gssapi_state->client_cred->creds;
700                                 role = "client";
701                                 break;
702                         case GENSEC_SERVER:
703                                 creds = gensec_gssapi_state->server_cred->creds;
704                                 role = "server";
705                                 break;
706                         }
707
708                         maj_stat = gss_inquire_cred(&min_stat, 
709                                                     creds,
710                                                     &name, &lifetime, &usage, NULL);
711
712                         if (maj_stat == GSS_S_COMPLETE) {
713                                 const char *usage_string = NULL;
714                                 switch (usage) {
715                                 case GSS_C_BOTH:
716                                         usage_string = "GSS_C_BOTH";
717                                         break;
718                                 case GSS_C_ACCEPT:
719                                         usage_string = "GSS_C_ACCEPT";
720                                         break;
721                                 case GSS_C_INITIATE:
722                                         usage_string = "GSS_C_INITIATE";
723                                         break;
724                                 }
725                                 maj_stat = gss_display_name(&min_stat, name, &buffer, NULL);
726                                 if (maj_stat) {
727                                         buffer.value = NULL;
728                                         buffer.length = 0;
729                                 }
730                                 if (lifetime > 0) {
731                                         DEBUG(0, ("GSSAPI gss_inquire_cred indicates expiry of %*.*s in %u sec for %s\n", 
732                                                   (int)buffer.length, (int)buffer.length, (char *)buffer.value, 
733                                                   lifetime, usage_string));
734                                 } else {
735                                         DEBUG(0, ("GSSAPI gss_inquire_cred indicates %*.*s has already expired for %s\n", 
736                                                   (int)buffer.length, (int)buffer.length, (char *)buffer.value, 
737                                                   usage_string));
738                                 }
739                                 gss_release_buffer(&min_stat, &buffer);
740                                 gss_release_name(&min_stat, &name);
741                         } else if (maj_stat != GSS_S_COMPLETE) {
742                                 DEBUG(0, ("inquiry of credential lifefime via GSSAPI gss_inquire_cred failed: %s\n",
743                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
744                         }
745                         return NT_STATUS_INVALID_PARAMETER;
746                 } else if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
747                                              gss_mech_krb5)) {
748                         switch (min_stat) {
749                         case KRB5KRB_AP_ERR_TKT_NYV:
750                                 DEBUG(1, ("Error with ticket to contact %s: possible clock skew between us and the KDC or target server: %s\n",
751                                           gensec_gssapi_state->target_principal,
752                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
753                                 return NT_STATUS_TIME_DIFFERENCE_AT_DC; /* Make SPNEGO ignore us, we can't go any further here */
754                         case KRB5KRB_AP_ERR_TKT_EXPIRED:
755                                 DEBUG(1, ("Error with ticket to contact %s: ticket is expired, possible clock skew between us and the KDC or target server: %s\n",
756                                           gensec_gssapi_state->target_principal,
757                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
758                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
759                         case KRB5_KDC_UNREACH:
760                                 DEBUG(3, ("Cannot reach a KDC we require in order to obtain a ticket to %s: %s\n",
761                                           gensec_gssapi_state->target_principal,
762                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
763                                 return NT_STATUS_NO_LOGON_SERVERS; /* Make SPNEGO ignore us, we can't go any further here */
764                         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
765                                 DEBUG(3, ("Server %s is not registered with our KDC: %s\n",
766                                           gensec_gssapi_state->target_principal,
767                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
768                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
769                         case KRB5KRB_AP_ERR_MSG_TYPE:
770                                 /* garbage input, possibly from the auto-mech detection */
771                                 return NT_STATUS_INVALID_PARAMETER;
772                         default:
773                                 DEBUG(1, ("GSS %s Update(krb5)(%d) Update failed: %s\n",
774                                           gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
775                                           gensec_gssapi_state->gss_exchange_count,
776                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
777                                 return NT_STATUS_LOGON_FAILURE;
778                         }
779                 } else {
780                         DEBUG(1, ("GSS %s Update(%d) failed: %s\n",
781                                   gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
782                                   gensec_gssapi_state->gss_exchange_count,
783                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
784                         return NT_STATUS_LOGON_FAILURE;
785                 }
786                 break;
787         }
788
789         /* These last two stages are only done if we were invoked as SASL */
790         case STAGE_SASL_SSF_NEG:
791         {
792                 switch (gensec_security->gensec_role) {
793                 case GENSEC_CLIENT:
794                 {
795                         uint8_t maxlength_proposed[4]; 
796                         uint8_t maxlength_accepted[4]; 
797                         uint8_t security_supported;
798                         int conf_state;
799                         gss_qop_t qop_state;
800                         input_token.length = in.length;
801                         input_token.value = in.data;
802
803                         /* As a client, we have just send a
804                          * zero-length blob to the server (after the
805                          * normal GSSAPI exchange), and it has replied
806                          * with it's SASL negotiation */
807                         
808                         maj_stat = gss_unwrap(&min_stat, 
809                                               gensec_gssapi_state->gssapi_context, 
810                                               &input_token,
811                                               &output_token, 
812                                               &conf_state,
813                                               &qop_state);
814                         if (GSS_ERROR(maj_stat)) {
815                                 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n", 
816                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
817                                 return NT_STATUS_ACCESS_DENIED;
818                         }
819                         
820                         if (output_token.length < 4) {
821                                 return NT_STATUS_INVALID_PARAMETER;
822                         }
823
824                         memcpy(maxlength_proposed, output_token.value, 4);
825                         gss_release_buffer(&min_stat, &output_token);
826
827                         /* first byte is the proposed security */
828                         security_supported = maxlength_proposed[0];
829                         maxlength_proposed[0] = '\0';
830                         
831                         /* Rest is the proposed max wrap length */
832                         gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0), 
833                                                                      gensec_gssapi_state->max_wrap_buf_size);
834                         gensec_gssapi_state->sasl_protection = 0;
835                         if (security_supported & NEG_SEAL) {
836                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
837                                         gensec_gssapi_state->sasl_protection |= NEG_SEAL;
838                                 }
839                         }
840                         if (security_supported & NEG_SIGN) {
841                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
842                                         gensec_gssapi_state->sasl_protection |= NEG_SIGN;
843                                 }
844                         }
845                         if (security_supported & NEG_NONE) {
846                                 gensec_gssapi_state->sasl_protection |= NEG_NONE;
847                         }
848                         if (gensec_gssapi_state->sasl_protection == 0) {
849                                 DEBUG(1, ("Remote server does not support unprotected connections\n"));
850                                 return NT_STATUS_ACCESS_DENIED;
851                         }
852
853                         /* Send back the negotiated max length */
854
855                         RSIVAL(maxlength_accepted, 0, gensec_gssapi_state->max_wrap_buf_size);
856
857                         maxlength_accepted[0] = gensec_gssapi_state->sasl_protection;
858                         
859                         input_token.value = maxlength_accepted;
860                         input_token.length = sizeof(maxlength_accepted);
861
862                         maj_stat = gss_wrap(&min_stat, 
863                                             gensec_gssapi_state->gssapi_context, 
864                                             false,
865                                             GSS_C_QOP_DEFAULT,
866                                             &input_token,
867                                             &conf_state,
868                                             &output_token);
869                         if (GSS_ERROR(maj_stat)) {
870                                 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", 
871                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
872                                 return NT_STATUS_ACCESS_DENIED;
873                         }
874                         
875                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
876                         gss_release_buffer(&min_stat, &output_token);
877
878                         /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
879                         gensec_gssapi_state->sasl_state = STAGE_DONE;
880
881                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
882                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically sealed\n"));
883                         } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
884                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically signed\n"));
885                         } else {
886                                 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographically protection\n"));
887                         }
888
889                         return NT_STATUS_OK;
890                 }
891                 case GENSEC_SERVER:
892                 {
893                         uint8_t maxlength_proposed[4]; 
894                         uint8_t security_supported = 0x0;
895                         int conf_state;
896
897                         /* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
898                         if (in.length != 0) {
899                                 DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
900                         }
901                         
902                         /* Give the client some idea what we will support */
903                           
904                         RSIVAL(maxlength_proposed, 0, gensec_gssapi_state->max_wrap_buf_size);
905                         /* first byte is the proposed security */
906                         maxlength_proposed[0] = '\0';
907                         
908                         gensec_gssapi_state->sasl_protection = 0;
909                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
910                                 security_supported |= NEG_SEAL;
911                         } 
912                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
913                                 security_supported |= NEG_SIGN;
914                         }
915                         if (security_supported == 0) {
916                                 /* If we don't support anything, this must be 0 */
917                                 RSIVAL(maxlength_proposed, 0, 0x0);
918                         }
919
920                         /* TODO:  We may not wish to support this */
921                         security_supported |= NEG_NONE;
922                         maxlength_proposed[0] = security_supported;
923                         
924                         input_token.value = maxlength_proposed;
925                         input_token.length = sizeof(maxlength_proposed);
926
927                         maj_stat = gss_wrap(&min_stat, 
928                                             gensec_gssapi_state->gssapi_context, 
929                                             false,
930                                             GSS_C_QOP_DEFAULT,
931                                             &input_token,
932                                             &conf_state,
933                                             &output_token);
934                         if (GSS_ERROR(maj_stat)) {
935                                 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", 
936                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
937                                 return NT_STATUS_ACCESS_DENIED;
938                         }
939                         
940                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
941                         gss_release_buffer(&min_stat, &output_token);
942
943                         gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_ACCEPT;
944                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
945                 }
946                 default:
947                         return NT_STATUS_INVALID_PARAMETER;
948                         
949                 }
950         }
951         /* This is s server-only stage */
952         case STAGE_SASL_SSF_ACCEPT:
953         {
954                 uint8_t maxlength_accepted[4]; 
955                 uint8_t security_accepted;
956                 int conf_state;
957                 gss_qop_t qop_state;
958                 input_token.length = in.length;
959                 input_token.value = in.data;
960                         
961                 maj_stat = gss_unwrap(&min_stat, 
962                                       gensec_gssapi_state->gssapi_context, 
963                                       &input_token,
964                                       &output_token, 
965                                       &conf_state,
966                                       &qop_state);
967                 if (GSS_ERROR(maj_stat)) {
968                         DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n", 
969                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
970                         return NT_STATUS_ACCESS_DENIED;
971                 }
972                         
973                 if (output_token.length < 4) {
974                         return NT_STATUS_INVALID_PARAMETER;
975                 }
976
977                 memcpy(maxlength_accepted, output_token.value, 4);
978                 gss_release_buffer(&min_stat, &output_token);
979                 
980                 /* first byte is the proposed security */
981                 security_accepted = maxlength_accepted[0];
982                 maxlength_accepted[0] = '\0';
983
984                 /* Rest is the proposed max wrap length */
985                 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0), 
986                                                              gensec_gssapi_state->max_wrap_buf_size);
987
988                 gensec_gssapi_state->sasl_protection = 0;
989                 if (security_accepted & NEG_SEAL) {
990                         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
991                                 DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
992                                 return NT_STATUS_ACCESS_DENIED;
993                         }
994                         gensec_gssapi_state->sasl_protection |= NEG_SEAL;
995                 }
996                 if (security_accepted & NEG_SIGN) {
997                         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
998                                 DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
999                                 return NT_STATUS_ACCESS_DENIED;
1000                         }
1001                         gensec_gssapi_state->sasl_protection |= NEG_SIGN;
1002                 }
1003                 if (security_accepted & NEG_NONE) {
1004                         gensec_gssapi_state->sasl_protection |= NEG_NONE;
1005                 }
1006
1007                 /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
1008                 gensec_gssapi_state->sasl_state = STAGE_DONE;
1009                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
1010                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically sealed\n"));
1011                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
1012                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically signed\n"));
1013                 } else {
1014                         DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
1015                 }
1016
1017                 *out = data_blob(NULL, 0);
1018                 return NT_STATUS_OK;    
1019         }
1020         default:
1021                 return NT_STATUS_INVALID_PARAMETER;
1022         }
1023 }
1024
1025 struct gensec_gssapi_update_state {
1026         NTSTATUS status;
1027         DATA_BLOB out;
1028 };
1029
1030 static struct tevent_req *gensec_gssapi_update_send(TALLOC_CTX *mem_ctx,
1031                                                     struct tevent_context *ev,
1032                                                     struct gensec_security *gensec_security,
1033                                                     const DATA_BLOB in)
1034 {
1035         struct tevent_req *req = NULL;
1036         struct gensec_gssapi_update_state *state = NULL;
1037         NTSTATUS status;
1038
1039         req = tevent_req_create(mem_ctx, &state,
1040                                 struct gensec_gssapi_update_state);
1041         if (req == NULL) {
1042                 return NULL;
1043         }
1044
1045         status = gensec_gssapi_update_internal(gensec_security,
1046                                                state, ev, in,
1047                                                &state->out);
1048         state->status = status;
1049         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1050                 tevent_req_done(req);
1051                 return tevent_req_post(req, ev);
1052         }
1053         if (tevent_req_nterror(req, status)) {
1054                 return tevent_req_post(req, ev);
1055         }
1056
1057         tevent_req_done(req);
1058         return tevent_req_post(req, ev);
1059 }
1060
1061 static NTSTATUS gensec_gssapi_update_recv(struct tevent_req *req,
1062                                           TALLOC_CTX *out_mem_ctx,
1063                                           DATA_BLOB *out)
1064 {
1065         struct gensec_gssapi_update_state *state =
1066                 tevent_req_data(req,
1067                 struct gensec_gssapi_update_state);
1068         NTSTATUS status;
1069
1070         *out = data_blob_null;
1071
1072         if (tevent_req_is_nterror(req, &status)) {
1073                 tevent_req_received(req);
1074                 return status;
1075         }
1076
1077         *out = state->out;
1078         talloc_steal(out_mem_ctx, state->out.data);
1079         status = state->status;
1080         tevent_req_received(req);
1081         return status;
1082 }
1083
1084 static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security, 
1085                                    TALLOC_CTX *mem_ctx, 
1086                                    const DATA_BLOB *in, 
1087                                    DATA_BLOB *out)
1088 {
1089         struct gensec_gssapi_state *gensec_gssapi_state
1090                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1091         OM_uint32 maj_stat, min_stat;
1092         gss_buffer_desc input_token, output_token;
1093         int conf_state;
1094         input_token.length = in->length;
1095         input_token.value = in->data;
1096
1097         maj_stat = gss_wrap(&min_stat, 
1098                             gensec_gssapi_state->gssapi_context, 
1099                             gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
1100                             GSS_C_QOP_DEFAULT,
1101                             &input_token,
1102                             &conf_state,
1103                             &output_token);
1104         if (GSS_ERROR(maj_stat)) {
1105                 DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n", 
1106                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1107                 return NT_STATUS_ACCESS_DENIED;
1108         }
1109
1110         *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
1111         gss_release_buffer(&min_stat, &output_token);
1112
1113         if (gensec_gssapi_state->sasl) {
1114                 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
1115                 if (max_wrapped_size < out->length) {
1116                         DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
1117                                   (unsigned)in->length, 
1118                                   (unsigned)out->length, 
1119                                   (unsigned int)max_wrapped_size));
1120                         return NT_STATUS_INVALID_PARAMETER;
1121                 }
1122         }
1123         
1124         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1125             && !conf_state) {
1126                 return NT_STATUS_ACCESS_DENIED;
1127         }
1128         return NT_STATUS_OK;
1129 }
1130
1131 static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security, 
1132                                      TALLOC_CTX *mem_ctx, 
1133                                      const DATA_BLOB *in, 
1134                                      DATA_BLOB *out)
1135 {
1136         struct gensec_gssapi_state *gensec_gssapi_state
1137                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1138         OM_uint32 maj_stat, min_stat;
1139         gss_buffer_desc input_token, output_token;
1140         int conf_state;
1141         gss_qop_t qop_state;
1142         input_token.length = in->length;
1143         input_token.value = in->data;
1144         
1145         if (gensec_gssapi_state->sasl) {
1146                 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
1147                 if (max_wrapped_size < in->length) {
1148                         DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
1149                         return NT_STATUS_INVALID_PARAMETER;
1150                 }
1151         }
1152         
1153         maj_stat = gss_unwrap(&min_stat, 
1154                               gensec_gssapi_state->gssapi_context, 
1155                               &input_token,
1156                               &output_token, 
1157                               &conf_state,
1158                               &qop_state);
1159         if (GSS_ERROR(maj_stat)) {
1160                 DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n", 
1161                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1162                 return NT_STATUS_ACCESS_DENIED;
1163         }
1164
1165         *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
1166         gss_release_buffer(&min_stat, &output_token);
1167         
1168         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1169             && !conf_state) {
1170                 return NT_STATUS_ACCESS_DENIED;
1171         }
1172         return NT_STATUS_OK;
1173 }
1174
1175 /* Find out the maximum input size negotiated on this connection */
1176
1177 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security) 
1178 {
1179         struct gensec_gssapi_state *gensec_gssapi_state
1180                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1181         OM_uint32 maj_stat, min_stat;
1182         OM_uint32 max_input_size;
1183
1184         maj_stat = gss_wrap_size_limit(&min_stat, 
1185                                        gensec_gssapi_state->gssapi_context,
1186                                        gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
1187                                        GSS_C_QOP_DEFAULT,
1188                                        gensec_gssapi_state->max_wrap_buf_size,
1189                                        &max_input_size);
1190         if (GSS_ERROR(maj_stat)) {
1191                 TALLOC_CTX *mem_ctx = talloc_new(NULL); 
1192                 DEBUG(1, ("gensec_gssapi_max_input_size: determining signature size with gss_wrap_size_limit failed: %s\n",
1193                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1194                 talloc_free(mem_ctx);
1195                 return 0;
1196         }
1197
1198         return max_input_size;
1199 }
1200
1201 /* Find out the maximum output size negotiated on this connection */
1202 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security) 
1203 {
1204         struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);;
1205         return gensec_gssapi_state->max_wrap_buf_size;
1206 }
1207
1208 static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security, 
1209                                           TALLOC_CTX *mem_ctx, 
1210                                           uint8_t *data, size_t length, 
1211                                           const uint8_t *whole_pdu, size_t pdu_length, 
1212                                           DATA_BLOB *sig)
1213 {
1214         struct gensec_gssapi_state *gensec_gssapi_state
1215                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1216         bool hdr_signing = false;
1217         size_t sig_size = 0;
1218         NTSTATUS status;
1219
1220         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1221                 hdr_signing = true;
1222         }
1223
1224         sig_size = gensec_gssapi_sig_size(gensec_security, length);
1225
1226         status = gssapi_seal_packet(gensec_gssapi_state->gssapi_context,
1227                                     gensec_gssapi_state->gss_oid,
1228                                     hdr_signing, sig_size,
1229                                     data, length,
1230                                     whole_pdu, pdu_length,
1231                                     mem_ctx, sig);
1232         if (!NT_STATUS_IS_OK(status)) {
1233                 DEBUG(0, ("gssapi_seal_packet(hdr_signing=%u,sig_size=%zu,"
1234                           "data=%zu,pdu=%zu) failed: %s\n",
1235                           hdr_signing, sig_size, length, pdu_length,
1236                           nt_errstr(status)));
1237                 return status;
1238         }
1239
1240         return NT_STATUS_OK;
1241 }
1242
1243 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security, 
1244                                             uint8_t *data, size_t length, 
1245                                             const uint8_t *whole_pdu, size_t pdu_length,
1246                                             const DATA_BLOB *sig)
1247 {
1248         struct gensec_gssapi_state *gensec_gssapi_state
1249                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1250         bool hdr_signing = false;
1251         NTSTATUS status;
1252
1253         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1254                 hdr_signing = true;
1255         }
1256
1257         status = gssapi_unseal_packet(gensec_gssapi_state->gssapi_context,
1258                                       gensec_gssapi_state->gss_oid,
1259                                       hdr_signing,
1260                                       data, length,
1261                                       whole_pdu, pdu_length,
1262                                       sig);
1263         if (!NT_STATUS_IS_OK(status)) {
1264                 DEBUG(0, ("gssapi_unseal_packet(hdr_signing=%u,sig_size=%zu,"
1265                           "data=%zu,pdu=%zu) failed: %s\n",
1266                           hdr_signing, sig->length, length, pdu_length,
1267                           nt_errstr(status)));
1268                 return status;
1269         }
1270
1271         return NT_STATUS_OK;
1272 }
1273
1274 static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_security, 
1275                                           TALLOC_CTX *mem_ctx, 
1276                                           const uint8_t *data, size_t length, 
1277                                           const uint8_t *whole_pdu, size_t pdu_length, 
1278                                           DATA_BLOB *sig)
1279 {
1280         struct gensec_gssapi_state *gensec_gssapi_state
1281                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1282         bool hdr_signing = false;
1283         NTSTATUS status;
1284
1285         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1286                 hdr_signing = true;
1287         }
1288
1289         status = gssapi_sign_packet(gensec_gssapi_state->gssapi_context,
1290                                     gensec_gssapi_state->gss_oid,
1291                                     hdr_signing,
1292                                     data, length,
1293                                     whole_pdu, pdu_length,
1294                                     mem_ctx, sig);
1295         if (!NT_STATUS_IS_OK(status)) {
1296                 DEBUG(0, ("gssapi_sign_packet(hdr_signing=%u,"
1297                           "data=%zu,pdu=%zu) failed: %s\n",
1298                           hdr_signing, length, pdu_length,
1299                           nt_errstr(status)));
1300                 return status;
1301         }
1302
1303         return NT_STATUS_OK;
1304 }
1305
1306 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security, 
1307                                            const uint8_t *data, size_t length, 
1308                                            const uint8_t *whole_pdu, size_t pdu_length, 
1309                                            const DATA_BLOB *sig)
1310 {
1311         struct gensec_gssapi_state *gensec_gssapi_state
1312                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1313         bool hdr_signing = false;
1314         NTSTATUS status;
1315
1316         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1317                 hdr_signing = true;
1318         }
1319
1320         status = gssapi_check_packet(gensec_gssapi_state->gssapi_context,
1321                                      gensec_gssapi_state->gss_oid,
1322                                      hdr_signing,
1323                                      data, length,
1324                                      whole_pdu, pdu_length,
1325                                      sig);
1326         if (!NT_STATUS_IS_OK(status)) {
1327                 DEBUG(0, ("gssapi_check_packet(hdr_signing=%u,sig_size=%zu,"
1328                           "data=%zu,pdu=%zu) failed: %s\n",
1329                           hdr_signing, sig->length, length, pdu_length,
1330                           nt_errstr(status)));
1331                 return status;
1332         }
1333
1334         return NT_STATUS_OK;
1335 }
1336
1337 /* Try to figure out what features we actually got on the connection */
1338 static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security, 
1339                                        uint32_t feature) 
1340 {
1341         struct gensec_gssapi_state *gensec_gssapi_state
1342                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1343         if (feature & GENSEC_FEATURE_SIGN) {
1344                 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1345                 if (gensec_gssapi_state->sasl 
1346                     && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1347                         return ((gensec_gssapi_state->sasl_protection & NEG_SIGN) 
1348                                 && (gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG));
1349                 }
1350                 return gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG;
1351         }
1352         if (feature & GENSEC_FEATURE_SEAL) {
1353                 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1354                 if (gensec_gssapi_state->sasl 
1355                     && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1356                         return ((gensec_gssapi_state->sasl_protection & NEG_SEAL) 
1357                                  && (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG));
1358                 }
1359                 return gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG;
1360         }
1361         if (feature & GENSEC_FEATURE_SESSION_KEY) {
1362                 /* Only for GSSAPI/Krb5 */
1363                 if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
1364                                       gss_mech_krb5)) {
1365                         return true;
1366                 }
1367         }
1368         if (feature & GENSEC_FEATURE_DCE_STYLE) {
1369                 return gensec_gssapi_state->gss_got_flags & GSS_C_DCE_STYLE;
1370         }
1371         if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
1372                 NTSTATUS status;
1373                 uint32_t keytype;
1374
1375                 if (!(gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG)) {
1376                         return false;
1377                 }
1378
1379                 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) {
1380                         return true;
1381                 }
1382                 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) {
1383                         return false;
1384                 }
1385
1386                 status = gssapi_get_session_key(gensec_gssapi_state,
1387                                                 gensec_gssapi_state->gssapi_context, NULL, &keytype);
1388                 /* 
1389                  * We should do a proper sig on the mechListMic unless
1390                  * we know we have to be backwards compatible with
1391                  * earlier windows versions.  
1392                  * 
1393                  * Negotiating a non-krb5
1394                  * mech for example should be regarded as having
1395                  * NEW_SPNEGO
1396                  */
1397                 if (NT_STATUS_IS_OK(status)) {
1398                         switch (keytype) {
1399                         case ENCTYPE_DES_CBC_CRC:
1400                         case ENCTYPE_DES_CBC_MD5:
1401                         case ENCTYPE_ARCFOUR_HMAC:
1402                         case ENCTYPE_DES3_CBC_SHA1:
1403                                 return false;
1404                         }
1405                 }
1406                 return true;
1407         }
1408         /* We can always do async (rather than strict request/reply) packets.  */
1409         if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1410                 return true;
1411         }
1412         if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1413                 return true;
1414         }
1415         return false;
1416 }
1417
1418 static NTTIME gensec_gssapi_expire_time(struct gensec_security *gensec_security)
1419 {
1420         struct gensec_gssapi_state *gensec_gssapi_state =
1421                 talloc_get_type_abort(gensec_security->private_data,
1422                 struct gensec_gssapi_state);
1423
1424         return gensec_gssapi_state->expire_time;
1425 }
1426
1427 /*
1428  * Extract the 'sesssion key' needed by SMB signing and ncacn_np 
1429  * (for encrypting some passwords).
1430  * 
1431  * This breaks all the abstractions, but what do you expect...
1432  */
1433 static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security, 
1434                                           TALLOC_CTX *mem_ctx,
1435                                           DATA_BLOB *session_key) 
1436 {
1437         struct gensec_gssapi_state *gensec_gssapi_state
1438                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1439         return gssapi_get_session_key(mem_ctx, gensec_gssapi_state->gssapi_context, session_key, NULL);
1440 }
1441
1442 /* Get some basic (and authorization) information about the user on
1443  * this session.  This uses either the PAC (if present) or a local
1444  * database lookup */
1445 static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
1446                                            TALLOC_CTX *mem_ctx,
1447                                            struct auth_session_info **_session_info) 
1448 {
1449         NTSTATUS nt_status;
1450         TALLOC_CTX *tmp_ctx;
1451         struct gensec_gssapi_state *gensec_gssapi_state
1452                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1453         struct auth_session_info *session_info = NULL;
1454         OM_uint32 maj_stat, min_stat;
1455         DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
1456
1457         gss_buffer_desc name_token;
1458         char *principal_string;
1459         
1460         tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
1461         NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1462
1463         maj_stat = gss_display_name (&min_stat,
1464                                      gensec_gssapi_state->client_name,
1465                                      &name_token,
1466                                      NULL);
1467         if (GSS_ERROR(maj_stat)) {
1468                 DEBUG(1, ("GSS display_name failed: %s\n",
1469                           gssapi_error_string(tmp_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1470                 talloc_free(tmp_ctx);
1471                 return NT_STATUS_FOOBAR;
1472         }
1473
1474         principal_string = talloc_strndup(tmp_ctx,
1475                                           (const char *)name_token.value,
1476                                           name_token.length);
1477
1478         gss_release_buffer(&min_stat, &name_token);
1479
1480         if (!principal_string) {
1481                 talloc_free(tmp_ctx);
1482                 return NT_STATUS_NO_MEMORY;
1483         }
1484
1485         nt_status = gssapi_obtain_pac_blob(tmp_ctx,  gensec_gssapi_state->gssapi_context,
1486                                            gensec_gssapi_state->client_name,
1487                                            &pac_blob);
1488         
1489         /* IF we have the PAC - otherwise we need to get this
1490          * data from elsewere - local ldb, or (TODO) lookup of some
1491          * kind... 
1492          */
1493         if (NT_STATUS_IS_OK(nt_status)) {
1494                 pac_blob_ptr = &pac_blob;
1495         }
1496         nt_status = gensec_generate_session_info_pac(tmp_ctx,
1497                                                      gensec_security,
1498                                                      gensec_gssapi_state->smb_krb5_context,
1499                                                      pac_blob_ptr, principal_string,
1500                                                      gensec_get_remote_address(gensec_security),
1501                                                      &session_info);
1502         if (!NT_STATUS_IS_OK(nt_status)) {
1503                 talloc_free(tmp_ctx);
1504                 return nt_status;
1505         }
1506
1507         nt_status = gensec_gssapi_session_key(gensec_security, session_info, &session_info->session_key);
1508         if (!NT_STATUS_IS_OK(nt_status)) {
1509                 talloc_free(tmp_ctx);
1510                 return nt_status;
1511         }
1512
1513         if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
1514             gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
1515                 krb5_error_code ret;
1516                 const char *error_string;
1517
1518                 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1519
1520                 /*
1521                  * Create anonymous credentials for now.
1522                  *
1523                  * We will update them with the provided client gss creds.
1524                  */
1525                 session_info->credentials = cli_credentials_init_anon(session_info);
1526                 if (session_info->credentials == NULL) {
1527                         talloc_free(tmp_ctx);
1528                         return NT_STATUS_NO_MEMORY;
1529                 }
1530
1531                 ret = cli_credentials_set_client_gss_creds(session_info->credentials, 
1532                                                            gensec_security->settings->lp_ctx,
1533                                                            gensec_gssapi_state->delegated_cred_handle,
1534                                                            CRED_SPECIFIED, &error_string);
1535                 if (ret) {
1536                         talloc_free(tmp_ctx);
1537                         DEBUG(2,("Failed to get gss creds: %s\n", error_string));
1538                         return NT_STATUS_NO_MEMORY;
1539                 }
1540                 
1541                 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1542                 cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
1543
1544                 /* It has been taken from this place... */
1545                 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1546         } else {
1547                 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1548         }
1549
1550         *_session_info = talloc_steal(mem_ctx, session_info);
1551         talloc_free(tmp_ctx);
1552
1553         return NT_STATUS_OK;
1554 }
1555
1556 static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
1557 {
1558         struct gensec_gssapi_state *gensec_gssapi_state
1559                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1560         size_t sig_size;
1561
1562         if (gensec_gssapi_state->sig_size > 0) {
1563                 return gensec_gssapi_state->sig_size;
1564         }
1565
1566         sig_size = gssapi_get_sig_size(gensec_gssapi_state->gssapi_context,
1567                                        gensec_gssapi_state->gss_oid,
1568                                        gensec_gssapi_state->gss_got_flags,
1569                                        data_size);
1570
1571         gensec_gssapi_state->sig_size = sig_size;
1572         return gensec_gssapi_state->sig_size;
1573 }
1574
1575 static const char *gensec_gssapi_final_auth_type(struct gensec_security *gensec_security)
1576 {
1577         struct gensec_gssapi_state *gensec_gssapi_state
1578                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1579         /* Only return the string for GSSAPI/Krb5 */
1580         if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
1581                               gss_mech_krb5)) {
1582                 return GENSEC_FINAL_AUTH_TYPE_KRB5;
1583         } else {
1584                 return "gensec_gssapi: UNKNOWN MECH";
1585         }
1586 }
1587
1588 static const char *gensec_gssapi_krb5_oids[] = { 
1589         GENSEC_OID_KERBEROS5_OLD,
1590         GENSEC_OID_KERBEROS5,
1591         NULL 
1592 };
1593
1594 static const char *gensec_gssapi_spnego_oids[] = { 
1595         GENSEC_OID_SPNEGO,
1596         NULL 
1597 };
1598
1599 /* As a server, this could in theory accept any GSSAPI mech */
1600 static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
1601         .name           = "gssapi_spnego",
1602         .sasl_name      = "GSS-SPNEGO",
1603         .auth_type      = DCERPC_AUTH_TYPE_SPNEGO,
1604         .oid            = gensec_gssapi_spnego_oids,
1605         .client_start   = gensec_gssapi_client_start,
1606         .server_start   = gensec_gssapi_server_start,
1607         .magic          = gensec_magic_check_krb5_oid,
1608         .update_send    = gensec_gssapi_update_send,
1609         .update_recv    = gensec_gssapi_update_recv,
1610         .session_key    = gensec_gssapi_session_key,
1611         .session_info   = gensec_gssapi_session_info,
1612         .sign_packet    = gensec_gssapi_sign_packet,
1613         .check_packet   = gensec_gssapi_check_packet,
1614         .seal_packet    = gensec_gssapi_seal_packet,
1615         .unseal_packet  = gensec_gssapi_unseal_packet,
1616         .max_input_size   = gensec_gssapi_max_input_size,
1617         .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1618         .wrap           = gensec_gssapi_wrap,
1619         .unwrap         = gensec_gssapi_unwrap,
1620         .have_feature   = gensec_gssapi_have_feature,
1621         .expire_time    = gensec_gssapi_expire_time,
1622         .final_auth_type = gensec_gssapi_final_auth_type,
1623         .enabled        = false,
1624         .kerberos       = true,
1625         .priority       = GENSEC_GSSAPI
1626 };
1627
1628 /* As a server, this could in theory accept any GSSAPI mech */
1629 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
1630         .name           = "gssapi_krb5",
1631         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
1632         .oid            = gensec_gssapi_krb5_oids,
1633         .client_start   = gensec_gssapi_client_start,
1634         .server_start   = gensec_gssapi_server_start,
1635         .magic          = gensec_magic_check_krb5_oid,
1636         .update_send    = gensec_gssapi_update_send,
1637         .update_recv    = gensec_gssapi_update_recv,
1638         .session_key    = gensec_gssapi_session_key,
1639         .session_info   = gensec_gssapi_session_info,
1640         .sig_size       = gensec_gssapi_sig_size,
1641         .sign_packet    = gensec_gssapi_sign_packet,
1642         .check_packet   = gensec_gssapi_check_packet,
1643         .seal_packet    = gensec_gssapi_seal_packet,
1644         .unseal_packet  = gensec_gssapi_unseal_packet,
1645         .max_input_size   = gensec_gssapi_max_input_size,
1646         .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1647         .wrap           = gensec_gssapi_wrap,
1648         .unwrap         = gensec_gssapi_unwrap,
1649         .have_feature   = gensec_gssapi_have_feature,
1650         .expire_time    = gensec_gssapi_expire_time,
1651         .final_auth_type = gensec_gssapi_final_auth_type,
1652         .enabled        = true,
1653         .kerberos       = true,
1654         .priority       = GENSEC_GSSAPI
1655 };
1656
1657 /* As a server, this could in theory accept any GSSAPI mech */
1658 static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
1659         .name             = "gssapi_krb5_sasl",
1660         .sasl_name        = "GSSAPI",
1661         .client_start     = gensec_gssapi_sasl_client_start,
1662         .server_start     = gensec_gssapi_sasl_server_start,
1663         .update_send      = gensec_gssapi_update_send,
1664         .update_recv      = gensec_gssapi_update_recv,
1665         .session_key      = gensec_gssapi_session_key,
1666         .session_info     = gensec_gssapi_session_info,
1667         .max_input_size   = gensec_gssapi_max_input_size,
1668         .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1669         .wrap             = gensec_gssapi_wrap,
1670         .unwrap           = gensec_gssapi_unwrap,
1671         .have_feature     = gensec_gssapi_have_feature,
1672         .expire_time      = gensec_gssapi_expire_time,
1673         .final_auth_type = gensec_gssapi_final_auth_type,
1674         .enabled          = true,
1675         .kerberos         = true,
1676         .priority         = GENSEC_GSSAPI
1677 };
1678
1679 _PUBLIC_ NTSTATUS gensec_gssapi_init(TALLOC_CTX *ctx)
1680 {
1681         NTSTATUS ret;
1682
1683         ret = gensec_register(ctx, &gensec_gssapi_spnego_security_ops);
1684         if (!NT_STATUS_IS_OK(ret)) {
1685                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1686                         gensec_gssapi_spnego_security_ops.name));
1687                 return ret;
1688         }
1689
1690         ret = gensec_register(ctx, &gensec_gssapi_krb5_security_ops);
1691         if (!NT_STATUS_IS_OK(ret)) {
1692                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1693                         gensec_gssapi_krb5_security_ops.name));
1694                 return ret;
1695         }
1696
1697         ret = gensec_register(ctx, &gensec_gssapi_sasl_krb5_security_ops);
1698         if (!NT_STATUS_IS_OK(ret)) {
1699                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1700                         gensec_gssapi_sasl_krb5_security_ops.name));
1701                 return ret;
1702         }
1703
1704         return ret;
1705 }
Work in progress branches