9323580e92ff091cf655181dc4f9dba109cc48a2
[samba.git] / source4 / libcli / auth / gensec_krb5.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos backend for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7    Copyright (C) Andrew Tridgell 2001
8    Copyright (C) Luke Howard 2002-2003
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 2 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    
21    You should have received a copy of the GNU General Public License
22    along with this program; if not, write to the Free Software
23    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 #include "includes.h"
27 #include "system/kerberos.h"
28 #include "system/time.h"
29 #include "libcli/auth/kerberos.h"
30 #include "librpc/gen_ndr/ndr_krb5pac.h"
31 #include "auth/auth.h"
32
33 #undef DBGC_CLASS
34 #define DBGC_CLASS DBGC_AUTH
35
36 enum GENSEC_KRB5_STATE {
37         GENSEC_KRB5_SERVER_START,
38         GENSEC_KRB5_CLIENT_START,
39         GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
40         GENSEC_KRB5_DONE
41 };
42
43 struct gensec_krb5_state {
44         DATA_BLOB session_key;
45         DATA_BLOB pac;
46         enum GENSEC_KRB5_STATE state_position;
47         krb5_context krb5_context;
48         krb5_auth_context krb5_auth_context;
49         krb5_ccache krb5_ccache;
50         krb5_data ticket;
51         krb5_keyblock krb5_keyblock;
52         char *peer_principal;
53 };
54
55 #ifdef KRB5_DO_VERIFY_PAC
56 static NTSTATUS gensec_krb5_pac_checksum(DATA_BLOB pac_data,
57                                             struct PAC_SIGNATURE_DATA *sig,
58                                             struct gensec_krb5_state *gensec_krb5_state,
59                                             uint32 keyusage)
60 {
61         krb5_error_code ret;
62         krb5_crypto crypto;
63         Checksum cksum;
64         int i;
65
66         cksum.cksumtype         = (CKSUMTYPE)sig->type;
67         cksum.checksum.length   = sizeof(sig->signature);
68         cksum.checksum.data     = sig->signature;
69
70
71         ret = krb5_crypto_init(gensec_krb5_state->krb5_context,
72                                 &gensec_krb5_state->krb5_keyblock,
73                                 0,
74                                 &crypto);
75         if (ret) {
76                 DEBUG(0,("krb5_crypto_init() failed\n"));
77                 return NT_STATUS_FOOBAR;
78         }
79         for (i=0; i < 40; i++) {
80                 keyusage = i;
81                 ret = krb5_verify_checksum(gensec_krb5_state->krb5_context,
82                                            crypto,
83                                            keyusage,
84                                            pac_data.data,
85                                            pac_data.length,
86                                            &cksum);
87                 if (!ret) {
88                         DEBUG(0,("PAC Verified: keyusage: %d\n", keyusage));
89                         break;
90                 }
91         }
92         krb5_crypto_destroy(gensec_krb5_state->krb5_context, crypto);
93
94         if (ret) {
95                 DEBUG(0,("NOT verifying PAC checksums yet!\n"));
96                 //return NT_STATUS_LOGON_FAILURE;
97         } else {
98                 DEBUG(0,("PAC checksums verified!\n"));
99         }
100
101         return NT_STATUS_OK;
102 }
103 #endif
104
105 static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx,
106                                 struct PAC_LOGON_INFO **logon_info_out,
107                                 DATA_BLOB blob,
108                                 struct gensec_krb5_state *gensec_krb5_state)
109 {
110         NTSTATUS status;
111         struct PAC_SIGNATURE_DATA srv_sig;
112         struct PAC_SIGNATURE_DATA *srv_sig_ptr;
113         struct PAC_SIGNATURE_DATA kdc_sig;
114         struct PAC_SIGNATURE_DATA *kdc_sig_ptr;
115         struct PAC_LOGON_INFO *logon_info = NULL;
116         struct PAC_DATA pac_data;
117 #ifdef KRB5_DO_VERIFY_PAC
118         DATA_BLOB tmp_blob = data_blob(NULL, 0);
119 #endif
120         int i;
121
122         status = ndr_pull_struct_blob(&blob, mem_ctx, &pac_data,
123                                         (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
124         if (!NT_STATUS_IS_OK(status)) {
125                 DEBUG(0,("can't parse the PAC\n"));
126                 return status;
127         }
128         NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
129
130         if (pac_data.num_buffers < 3) {
131                 /* we need logon_ingo, service_key and kdc_key */
132                 DEBUG(0,("less than 3 PAC buffers\n"));
133                 return NT_STATUS_FOOBAR;
134         }
135
136         for (i=0; i < pac_data.num_buffers; i++) {
137                 switch (pac_data.buffers[i].type) {
138                         case PAC_TYPE_LOGON_INFO:
139                                 if (!pac_data.buffers[i].info) {
140                                         break;
141                                 }
142                                 logon_info = &pac_data.buffers[i].info->logon_info;
143                                 break;
144                         case PAC_TYPE_SRV_CHECKSUM:
145                                 if (!pac_data.buffers[i].info) {
146                                         break;
147                                 }
148                                 srv_sig_ptr = &pac_data.buffers[i].info->srv_cksum;
149                                 srv_sig = pac_data.buffers[i].info->srv_cksum;
150                                 break;
151                         case PAC_TYPE_KDC_CHECKSUM:
152                                 if (!pac_data.buffers[i].info) {
153                                         break;
154                                 }
155                                 kdc_sig_ptr = &pac_data.buffers[i].info->kdc_cksum;
156                                 kdc_sig = pac_data.buffers[i].info->kdc_cksum;
157                                 break;
158                         case PAC_TYPE_UNKNOWN_10:
159                                 break;
160                         default:
161                                 break;
162                 }
163         }
164
165         if (!logon_info) {
166                 DEBUG(0,("PAC no logon_info\n"));
167                 return NT_STATUS_FOOBAR;
168         }
169
170         if (!srv_sig_ptr) {
171                 DEBUG(0,("PAC no srv_key\n"));
172                 return NT_STATUS_FOOBAR;
173         }
174
175         if (!kdc_sig_ptr) {
176                 DEBUG(0,("PAC no kdc_key\n"));
177                 return NT_STATUS_FOOBAR;
178         }
179 #ifdef KRB5_DO_VERIFY_PAC
180         /* clear the kdc_key */
181 /*      memset((void *)kdc_sig_ptr , '\0', sizeof(*kdc_sig_ptr));*/
182
183         status = ndr_push_struct_blob(&tmp_blob, mem_ctx, &pac_data,
184                                               (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
185         if (!NT_STATUS_IS_OK(status)) {
186                 return status;
187         }
188         status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data,
189                                         (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
190         if (!NT_STATUS_IS_OK(status)) {
191                 DEBUG(0,("can't parse the PAC\n"));
192                 return status;
193         }
194         /*NDR_PRINT_DEBUG(PAC_DATA, &pac_data);*/
195
196         /* verify by kdc_key */
197         status = gensec_krb5_pac_checksum(tmp_blob, &kdc_sig, gensec_krb5_state, 0);
198
199         if (!NT_STATUS_IS_OK(status)) {
200                 return status;
201         }
202
203         /* clear the service_key */
204 /*      memset((void *)srv_sig_ptr , '\0', sizeof(*srv_sig_ptr));*/
205
206         status = ndr_push_struct_blob(&tmp_blob, mem_ctx, &pac_data,
207                                               (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
208         if (!NT_STATUS_IS_OK(status)) {
209                 return status;
210         }
211         status = ndr_pull_struct_blob(&tmp_blob, mem_ctx, &pac_data,
212                                         (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
213         if (!NT_STATUS_IS_OK(status)) {
214                 DEBUG(0,("can't parse the PAC\n"));
215                 return status;
216         }
217         NDR_PRINT_DEBUG(PAC_DATA, &pac_data);
218
219         /* verify by servie_key */
220         status = gensec_krb5_pac_checksum(tmp_blob, &srv_sig, gensec_krb5_state, 0);
221
222         if (!NT_STATUS_IS_OK(status)) {
223                 return status;
224         }
225 #endif
226         DEBUG(0,("account_name: %s [%s]\n",logon_info->info3.base.account_name.string, logon_info->info3.base.full_name.string));
227         *logon_info_out = logon_info;
228
229         return status;
230 }
231
232 static void gensec_krb5_end(struct gensec_security *gensec_security)
233 {
234         struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
235
236         if (gensec_krb5_state->ticket.length) { 
237         /* Hmm, early heimdal dooesn't have this - correct call would be krb5_data_free */
238 #ifdef HAVE_KRB5_FREE_DATA_CONTENTS
239                 krb5_free_data_contents(gensec_krb5_state->krb5_context, &gensec_krb5_state->ticket); 
240 #endif
241         }
242         if (gensec_krb5_state->krb5_ccache) {
243                 /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
244                 krb5_cc_close(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache);
245         }
246
247         krb5_free_keyblock_contents(gensec_krb5_state->krb5_context, 
248                                     &gensec_krb5_state->krb5_keyblock);
249                 
250         if (gensec_krb5_state->krb5_auth_context) {
251                 krb5_auth_con_free(gensec_krb5_state->krb5_context, 
252                                    gensec_krb5_state->krb5_auth_context);
253         }
254
255         if (gensec_krb5_state->krb5_context) {
256                 krb5_free_context(gensec_krb5_state->krb5_context);
257         }
258
259         talloc_free(gensec_krb5_state);
260         gensec_security->private_data = NULL;
261 }
262
263
264 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
265 {
266         struct gensec_krb5_state *gensec_krb5_state;
267         krb5_error_code ret = 0;
268
269         gensec_krb5_state = talloc_p(gensec_security, struct gensec_krb5_state);
270         if (!gensec_krb5_state) {
271                 return NT_STATUS_NO_MEMORY;
272         }
273
274         gensec_security->private_data = gensec_krb5_state;
275
276         initialize_krb5_error_table();
277         gensec_krb5_state->krb5_context = NULL;
278         gensec_krb5_state->krb5_auth_context = NULL;
279         gensec_krb5_state->krb5_ccache = NULL;
280         ZERO_STRUCT(gensec_krb5_state->ticket);
281         ZERO_STRUCT(gensec_krb5_state->krb5_keyblock);
282         gensec_krb5_state->session_key = data_blob(NULL, 0);
283         gensec_krb5_state->pac = data_blob(NULL, 0);
284
285         ret = krb5_init_context(&gensec_krb5_state->krb5_context);
286         if (ret) {
287                 DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", error_message(ret)));
288                 return NT_STATUS_INTERNAL_ERROR;
289         }
290
291         if (lp_realm() && *lp_realm()) {
292                 ret = krb5_set_default_realm(gensec_krb5_state->krb5_context, lp_realm());
293                 if (ret) {
294                         DEBUG(1,("gensec_krb5_start: krb5_set_default_realm failed (%s)\n", error_message(ret)));
295                         return NT_STATUS_INTERNAL_ERROR;
296                 }
297         }
298
299         ret = krb5_auth_con_init(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_auth_context);
300         if (ret) {
301                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", error_message(ret)));
302                 return NT_STATUS_INTERNAL_ERROR;
303         }
304
305         return NT_STATUS_OK;
306 }
307
308 static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
309 {
310         NTSTATUS nt_status;
311         struct gensec_krb5_state *gensec_krb5_state;
312
313         nt_status = gensec_krb5_start(gensec_security);
314         if (!NT_STATUS_IS_OK(nt_status)) {
315                 return nt_status;
316         }
317
318         gensec_krb5_state = gensec_security->private_data;
319         gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
320
321         return NT_STATUS_OK;
322 }
323
324 static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
325 {
326         struct gensec_krb5_state *gensec_krb5_state;
327         krb5_error_code ret;
328         NTSTATUS nt_status;
329
330         nt_status = gensec_krb5_start(gensec_security);
331         if (!NT_STATUS_IS_OK(nt_status)) {
332                 return nt_status;
333         }
334
335         gensec_krb5_state = gensec_security->private_data;
336         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
337
338         /* TODO: This is effecivly a static/global variable... */ 
339         ret = krb5_cc_default(gensec_krb5_state->krb5_context, &gensec_krb5_state->krb5_ccache);
340         if (ret) {
341                 DEBUG(1,("krb5_cc_default failed (%s)\n",
342                          error_message(ret)));
343                 return NT_STATUS_INTERNAL_ERROR;
344         }
345         
346         while (1) {
347                 if (gensec_security->target.principal) {
348                         DEBUG(5, ("Finding ticket for target [%s]\n", gensec_security->target.principal));
349                         ret = ads_krb5_mk_req(gensec_krb5_state->krb5_context, 
350                                               &gensec_krb5_state->krb5_auth_context,
351                                               AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
352                                               gensec_security->target.principal,
353                                               gensec_krb5_state->krb5_ccache, 
354                                               &gensec_krb5_state->ticket);
355                 } else {
356                         krb5_data in_data;
357                         const char *hostname = gensec_get_target_hostname(gensec_security);
358                         if (!hostname) {
359                                 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
360                                 return NT_STATUS_ACCESS_DENIED;
361                         }
362                         
363                         in_data.length = 0;
364
365                         ret = krb5_mk_req(gensec_krb5_state->krb5_context, 
366                                           &gensec_krb5_state->krb5_auth_context,
367                                           AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
368                                           gensec_get_target_service(gensec_security),
369                                           hostname,
370                                           &in_data, gensec_krb5_state->krb5_ccache, 
371                                           &gensec_krb5_state->ticket);
372                         
373                 }
374                 switch (ret) {
375                 case 0:
376                         return NT_STATUS_OK;
377                 case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
378                         DEBUG(3, ("Server is not registered with our KDC: %s\n", 
379                                   error_message(ret)));
380                         return NT_STATUS_ACCESS_DENIED;
381                 case KRB5KDC_ERR_PREAUTH_FAILED:
382                 case KRB5KRB_AP_ERR_TKT_EXPIRED:
383                 case KRB5_CC_END:
384                 {
385                         DEBUG(3, ("kerberos (mk_req) failed: %s\n", 
386                                   error_message(ret)));
387                         /* fall down to remaining code */
388                 }
389                 /* just don't print a message for these really ordinary messages */
390                 case KRB5_FCC_NOFILE:
391                 case KRB5_CC_NOTFOUND:
392                 case ENOENT:
393                 {
394                         char *password;
395                         time_t kdc_time = 0;
396                         nt_status = gensec_get_password(gensec_security, 
397                                                         gensec_security, 
398                                                         &password);
399                         if (!NT_STATUS_IS_OK(nt_status)) {
400                                 return nt_status;
401                         }
402
403                         ret = kerberos_kinit_password_cc(gensec_krb5_state->krb5_context, gensec_krb5_state->krb5_ccache, 
404                                                          gensec_get_client_principal(gensec_security, gensec_security), 
405                                                          password, NULL, &kdc_time);
406
407                         /* cope with ticket being in the future due to clock skew */
408                         if ((unsigned)kdc_time > time(NULL)) {
409                                 time_t t = time(NULL);
410                                 int time_offset =(unsigned)kdc_time-t;
411                                 DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
412                                 krb5_set_real_time(gensec_krb5_state->krb5_context, t + time_offset + 1, 0);
413                         }
414         
415                         if (ret) {
416                                 DEBUG(1,("kinit failed (%s)\n", 
417                                          error_message(ret)));
418                                 return NT_STATUS_WRONG_PASSWORD;
419                         }
420                         break;
421                 }
422                 default:
423                         DEBUG(0, ("kerberos: %s\n", 
424                                   error_message(ret)));
425                         return NT_STATUS_UNSUCCESSFUL;
426                 }
427         }
428 }
429
430
431 /**
432  * Next state function for the Krb5 GENSEC mechanism
433  * 
434  * @param gensec_krb5_state KRB5 State
435  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
436  * @param in The request, as a DATA_BLOB
437  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
438  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
439  *                or NT_STATUS_OK if the user is authenticated. 
440  */
441
442 static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, 
443                                       const DATA_BLOB in, DATA_BLOB *out) 
444 {
445         struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
446         krb5_error_code ret = 0;
447         DATA_BLOB pac;
448         NTSTATUS nt_status;
449
450         switch (gensec_krb5_state->state_position) {
451         case GENSEC_KRB5_CLIENT_START:
452         {
453                 if (ret) {
454                         DEBUG(1,("ads_krb5_mk_req (request ticket) failed (%s)\n",
455                                  error_message(ret)));
456                         nt_status = NT_STATUS_LOGON_FAILURE;
457                 } else {
458                         DATA_BLOB unwrapped_out;
459
460 #ifndef GENSEC_SEND_UNWRAPPED_KRB5 /* This should be a switch for the torture code to set */
461                         unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length);
462                         
463                         /* wrap that up in a nice GSS-API wrapping */
464                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
465 #else
466                         *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length);
467 #endif
468                         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
469                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
470                 }
471                 
472                 return nt_status;
473         }
474                 
475         case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
476         {
477                 krb5_data inbuf;
478                 krb5_ap_rep_enc_part *repl = NULL;
479                 uint8 tok_id[2];
480                 DATA_BLOB unwrapped_in;
481
482                 if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
483                         DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
484                         dump_data_pw("Mutual authentication message:\n", in.data, in.length);
485                         return NT_STATUS_INVALID_PARAMETER;
486                 }
487                 /* TODO: check the tok_id */
488
489                 inbuf.data = unwrapped_in.data;
490                 inbuf.length = unwrapped_in.length;
491                 ret = krb5_rd_rep(gensec_krb5_state->krb5_context, 
492                                   gensec_krb5_state->krb5_auth_context,
493                                   &inbuf, &repl);
494                 if (ret) {
495                         DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
496                                  error_message(ret)));
497                         dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length);
498                         nt_status = NT_STATUS_ACCESS_DENIED;
499                 } else {
500                         *out = data_blob(NULL, 0);
501                         nt_status = NT_STATUS_OK;
502                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
503                 }
504                 if (repl) {
505                         krb5_free_ap_rep_enc_part(gensec_krb5_state->krb5_context, repl);
506                 }
507                 return nt_status;
508         }
509
510         case GENSEC_KRB5_SERVER_START:
511         {
512                 char *principal;
513                 DATA_BLOB unwrapped_in;
514                 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
515                 uint8 tok_id[2];
516
517                 if (!in.data) {
518                         *out = unwrapped_out;
519                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
520                 }       
521
522                 /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
523                 if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
524                         nt_status = ads_verify_ticket(out_mem_ctx, 
525                                                       gensec_krb5_state->krb5_context, 
526                                                       gensec_krb5_state->krb5_auth_context, 
527                                                       lp_realm(), &in, 
528                                                       &principal, &pac, &unwrapped_out,
529                                                       &gensec_krb5_state->krb5_keyblock);
530                 } else {
531                         /* TODO: check the tok_id */
532                         nt_status = ads_verify_ticket(out_mem_ctx, 
533                                                       gensec_krb5_state->krb5_context, 
534                                                       gensec_krb5_state->krb5_auth_context, 
535                                                       lp_realm(), &unwrapped_in, 
536                                                       &principal, &pac, &unwrapped_out,
537                                                       &gensec_krb5_state->krb5_keyblock);
538                 }
539
540                 if (!NT_STATUS_IS_OK(nt_status)) {
541                         return nt_status;
542                 }
543
544                 if (pac.data) {
545                         gensec_krb5_state->pac = data_blob_talloc_reference(gensec_krb5_state, &pac);
546                 }
547
548                 if (NT_STATUS_IS_OK(nt_status)) {
549                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
550                         /* wrap that up in a nice GSS-API wrapping */
551 #ifndef GENSEC_SEND_UNWRAPPED_KRB5
552                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
553 #else
554                         *out = unwrapped_out;
555 #endif
556                         gensec_krb5_state->peer_principal = talloc_steal(gensec_krb5_state, principal);
557                 }
558                 return nt_status;
559         }
560         case GENSEC_KRB5_DONE:
561                 return NT_STATUS_OK;
562         }
563         
564         return NT_STATUS_INVALID_PARAMETER;
565 }
566
567 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, 
568                                            DATA_BLOB *session_key) 
569 {
570         struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
571         krb5_context context = gensec_krb5_state->krb5_context;
572         krb5_auth_context auth_context = gensec_krb5_state->krb5_auth_context;
573         krb5_keyblock *skey;
574         krb5_error_code err;
575
576         if (gensec_krb5_state->session_key.data) {
577                 *session_key = gensec_krb5_state->session_key;
578                 return NT_STATUS_OK;
579         }
580
581         switch (gensec_security->gensec_role) {
582         case GENSEC_CLIENT:
583                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
584                 break;
585         case GENSEC_SERVER:
586                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
587                 break;
588         }
589         if (err == 0 && skey != NULL) {
590                 DEBUG(10, ("Got KRB5 session key of length %d\n",  KRB5_KEY_LENGTH(skey)));
591                 gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state, 
592                                                 KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
593                 *session_key = gensec_krb5_state->session_key;
594                 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
595
596                 krb5_free_keyblock(context, skey);
597                 return NT_STATUS_OK;
598         } else {
599                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
600                 return NT_STATUS_NO_USER_SESSION_KEY;
601         }
602 }
603
604 static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
605                                      struct auth_session_info **session_info_out) 
606 {
607         NTSTATUS nt_status;
608         struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
609         struct auth_serversupplied_info *server_info = NULL;
610         struct auth_session_info *session_info = NULL;
611         struct PAC_LOGON_INFO *logon_info;
612         char *p;
613         char *principal;
614         const char *username;
615         const char *realm;
616
617         *session_info_out = NULL;
618
619         principal = talloc_strdup(gensec_krb5_state, gensec_krb5_state->peer_principal);
620         p = strchr(principal, '@');
621         if (p) {
622                 *p = '\0';
623         }
624         p++;
625         username = principal;
626         realm = p;
627         
628         /* decode and verify the pac */
629         nt_status = gensec_krb5_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac,
630                                            gensec_krb5_state);
631
632         /* IF we have the PAC - otherwise we need to get this
633          * data from elsewere - local ldb, or (TODO) lookup of some
634          * kind... 
635          *
636          * when heimdal can generate the PAC, we should fail if there's
637          * no PAC present
638          */
639
640         if (NT_STATUS_IS_OK(nt_status)) {
641                 union netr_Validation validation;
642                 validation.sam3 = &logon_info->info3;
643                 nt_status = make_server_info_netlogon_validation(gensec_krb5_state, 
644                                                                  username, 
645                                                                  &server_info,
646                                                                  3,
647                                                                  &validation); 
648                 if (!NT_STATUS_IS_OK(nt_status)) {
649                         return nt_status;
650                 }
651         } else {
652                 nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info);
653                 if (!NT_STATUS_IS_OK(nt_status)) {
654                         return nt_status;
655                 }
656         }
657
658         /* references the server_info into the session_info */
659         nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
660         talloc_free(server_info);
661         if (!NT_STATUS_IS_OK(nt_status)) {
662                 return nt_status;
663         }
664
665         talloc_free(principal);
666
667         nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
668
669         session_info->workstation = NULL;
670
671         *session_info_out = session_info;
672
673         return nt_status;
674 }
675
676
677 static const struct gensec_security_ops gensec_krb5_security_ops = {
678         .name           = "krb5",
679         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
680         .oid            = GENSEC_OID_KERBEROS5,
681         .client_start   = gensec_krb5_client_start,
682         .server_start   = gensec_krb5_server_start,
683         .update         = gensec_krb5_update,
684         .session_key    = gensec_krb5_session_key,
685         .session_info   = gensec_krb5_session_info,
686         .end            = gensec_krb5_end
687 };
688
689 static const struct gensec_security_ops gensec_ms_krb5_security_ops = {
690         .name           = "ms_krb5",
691         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
692         .oid            = GENSEC_OID_KERBEROS5_OLD,
693         .client_start   = gensec_krb5_client_start,
694         .server_start   = gensec_krb5_server_start,
695         .update         = gensec_krb5_update,
696         .session_key    = gensec_krb5_session_key,
697         .session_info   = gensec_krb5_session_info,
698         .end            = gensec_krb5_end
699 };
700
701
702 NTSTATUS gensec_krb5_init(void)
703 {
704         NTSTATUS ret;
705
706         ret = gensec_register(&gensec_krb5_security_ops);
707         if (!NT_STATUS_IS_OK(ret)) {
708                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
709                         gensec_krb5_security_ops.name));
710                 return ret;
711         }
712
713         ret = gensec_register(&gensec_ms_krb5_security_ops);
714         if (!NT_STATUS_IS_OK(ret)) {
715                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
716                         gensec_krb5_security_ops.name));
717                 return ret;
718         }
719
720         return ret;
721 }