r25430: Add the loadparm context to all parametric options.
[kai/samba-autobuild/.git] / source4 / auth / gensec / gensec_gssapi.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos backend for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7    Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "lib/events/events.h"
26 #include "system/kerberos.h"
27 #include "heimdal/lib/gssapi/gssapi/gssapi.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "librpc/gen_ndr/krb5pac.h"
30 #include "auth/auth.h"
31 #include "lib/ldb/include/ldb.h"
32 #include "auth/auth_sam.h"
33 #include "librpc/rpc/dcerpc.h"
34 #include "auth/credentials/credentials.h"
35 #include "auth/credentials/credentials_krb5.h"
36 #include "auth/gensec/gensec.h"
37 #include "param/param.h"
38
39 enum gensec_gssapi_sasl_state 
40 {
41         STAGE_GSS_NEG,
42         STAGE_SASL_SSF_NEG,
43         STAGE_SASL_SSF_ACCEPT,
44         STAGE_DONE
45 };
46
47 #define NEG_SEAL 0x4
48 #define NEG_SIGN 0x2
49 #define NEG_NONE 0x1
50
51 struct gensec_gssapi_state {
52         gss_ctx_id_t gssapi_context;
53         struct gss_channel_bindings_struct *input_chan_bindings;
54         gss_name_t server_name;
55         gss_name_t client_name;
56         OM_uint32 want_flags, got_flags;
57         const gss_OID_desc *gss_oid;
58
59         DATA_BLOB session_key;
60         DATA_BLOB pac;
61
62         struct smb_krb5_context *smb_krb5_context;
63         struct gssapi_creds_container *client_cred;
64         struct gssapi_creds_container *server_cred;
65
66         gss_cred_id_t delegated_cred_handle;
67
68         BOOL sasl; /* We have two different mechs in this file: One
69                     * for SASL wrapped GSSAPI and another for normal
70                     * GSSAPI */
71         enum gensec_gssapi_sasl_state sasl_state;
72         uint8_t sasl_protection; /* What was negotiated at the SASL
73                                   * layer, independent of the GSSAPI
74                                   * layer... */
75
76         size_t max_wrap_buf_size;
77         int gss_exchange_count;
78 };
79
80 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
81 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
82
83 static char *gssapi_error_string(TALLOC_CTX *mem_ctx, 
84                                  OM_uint32 maj_stat, OM_uint32 min_stat, 
85                                  const gss_OID_desc *mech)
86 {
87         OM_uint32 disp_min_stat, disp_maj_stat;
88         gss_buffer_desc maj_error_message;
89         gss_buffer_desc min_error_message;
90         char *maj_error_string, *min_error_string;
91         OM_uint32 msg_ctx = 0;
92
93         char *ret;
94
95         maj_error_message.value = NULL;
96         min_error_message.value = NULL;
97         maj_error_message.length = 0;
98         min_error_message.length = 0;
99         
100         disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
101                            mech, &msg_ctx, &maj_error_message);
102         disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
103                            mech, &msg_ctx, &min_error_message);
104         
105         maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
106
107         min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
108
109         ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
110
111         talloc_free(maj_error_string);
112         talloc_free(min_error_string);
113
114         gss_release_buffer(&disp_min_stat, &maj_error_message);
115         gss_release_buffer(&disp_min_stat, &min_error_message);
116
117         return ret;
118 }
119
120
121 static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
122 {
123         OM_uint32 maj_stat, min_stat;
124         
125         if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
126                 maj_stat = gss_release_cred(&min_stat, 
127                                             &gensec_gssapi_state->delegated_cred_handle);
128         }
129
130         if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
131                 maj_stat = gss_delete_sec_context (&min_stat,
132                                                    &gensec_gssapi_state->gssapi_context,
133                                                    GSS_C_NO_BUFFER);
134         }
135
136         if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
137                 maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->server_name);
138         }
139         if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
140                 maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
141         }
142         return 0;
143 }
144
145 static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
146 {
147         struct gensec_gssapi_state *gensec_gssapi_state;
148         krb5_error_code ret;
149         struct gsskrb5_send_to_kdc send_to_kdc;
150
151         gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
152         if (!gensec_gssapi_state) {
153                 return NT_STATUS_NO_MEMORY;
154         }
155         
156         gensec_gssapi_state->gss_exchange_count = 0;
157         gensec_gssapi_state->max_wrap_buf_size
158                 = lp_parm_int(global_loadparm, NULL, "gensec_gssapi", "max wrap buf size", 65536);
159                 
160         gensec_gssapi_state->sasl = False;
161         gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
162
163         gensec_security->private_data = gensec_gssapi_state;
164
165         gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
166         gensec_gssapi_state->server_name = GSS_C_NO_NAME;
167         gensec_gssapi_state->client_name = GSS_C_NO_NAME;
168
169         /* TODO: Fill in channel bindings */
170         gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
171         
172         gensec_gssapi_state->want_flags = 0;
173         if (lp_parm_bool(global_loadparm, NULL, "gensec_gssapi", "mutual", true)) {
174                 gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
175         }
176         if (lp_parm_bool(global_loadparm, NULL, "gensec_gssapi", "delegation", true)) {
177                 gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
178         }
179         if (lp_parm_bool(global_loadparm, NULL, "gensec_gssapi", "replay", true)) {
180                 gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG;
181         }
182         if (lp_parm_bool(global_loadparm, NULL, "gensec_gssapi", "sequence", true)) {
183                 gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG;
184         }
185
186         gensec_gssapi_state->got_flags = 0;
187
188         gensec_gssapi_state->session_key = data_blob(NULL, 0);
189         gensec_gssapi_state->pac = data_blob(NULL, 0);
190
191         gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
192
193         talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
194
195         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
196                 gensec_gssapi_state->want_flags |= GSS_C_INTEG_FLAG;
197         }
198         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
199                 gensec_gssapi_state->want_flags |= GSS_C_CONF_FLAG;
200         }
201         if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
202                 gensec_gssapi_state->want_flags |= GSS_C_DCE_STYLE;
203         }
204
205         gensec_gssapi_state->gss_oid = GSS_C_NULL_OID;
206         
207         send_to_kdc.func = smb_krb5_send_and_recv_func;
208         send_to_kdc.ptr = gensec_security->event_ctx;
209
210         ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
211         if (ret) {
212                 DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
213                 talloc_free(gensec_gssapi_state);
214                 return NT_STATUS_INTERNAL_ERROR;
215         }
216         if (lp_realm(global_loadparm) && *lp_realm(global_loadparm)) {
217                 char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(global_loadparm));
218                 if (!upper_realm) {
219                         DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(global_loadparm)));
220                         talloc_free(gensec_gssapi_state);
221                         return NT_STATUS_NO_MEMORY;
222                 }
223                 ret = gsskrb5_set_default_realm(upper_realm);
224                 talloc_free(upper_realm);
225                 if (ret) {
226                         DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
227                         talloc_free(gensec_gssapi_state);
228                         return NT_STATUS_INTERNAL_ERROR;
229                 }
230         }
231
232         /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
233         ret = gsskrb5_set_dns_canonicalize(lp_parm_bool(global_loadparm, NULL, "krb5", "set_dns_canonicalize", false));
234         if (ret) {
235                 DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
236                 talloc_free(gensec_gssapi_state);
237                 return NT_STATUS_INTERNAL_ERROR;
238         }
239
240         ret = smb_krb5_init_context(gensec_gssapi_state, 
241                                     gensec_security->event_ctx,
242                                     &gensec_gssapi_state->smb_krb5_context);
243         if (ret) {
244                 DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
245                          error_message(ret)));
246                 talloc_free(gensec_gssapi_state);
247                 return NT_STATUS_INTERNAL_ERROR;
248         }
249         return NT_STATUS_OK;
250 }
251
252 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
253 {
254         NTSTATUS nt_status;
255         int ret;
256         struct gensec_gssapi_state *gensec_gssapi_state;
257         struct cli_credentials *machine_account;
258         struct gssapi_creds_container *gcc;
259
260         nt_status = gensec_gssapi_start(gensec_security);
261         if (!NT_STATUS_IS_OK(nt_status)) {
262                 return nt_status;
263         }
264
265         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
266
267         machine_account = gensec_get_credentials(gensec_security);
268         
269         if (!machine_account) {
270                 DEBUG(3, ("No machine account credentials specified\n"));
271                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
272         } else {
273                 ret = cli_credentials_get_server_gss_creds(machine_account, &gcc);
274                 if (ret) {
275                         DEBUG(1, ("Aquiring acceptor credentials failed: %s\n", 
276                                   error_message(ret)));
277                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
278                 }
279         }
280
281         gensec_gssapi_state->server_cred = gcc;
282         return NT_STATUS_OK;
283
284 }
285
286 static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_security)
287 {
288         NTSTATUS nt_status;
289         struct gensec_gssapi_state *gensec_gssapi_state;
290         nt_status = gensec_gssapi_server_start(gensec_security);
291
292         if (NT_STATUS_IS_OK(nt_status)) {
293                 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
294                 gensec_gssapi_state->sasl = True;
295         }
296         return nt_status;
297 }
298
299 static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
300 {
301         struct gensec_gssapi_state *gensec_gssapi_state;
302         struct cli_credentials *creds = gensec_get_credentials(gensec_security);
303         krb5_error_code ret;
304         NTSTATUS nt_status;
305         gss_buffer_desc name_token;
306         gss_OID name_type;
307         OM_uint32 maj_stat, min_stat;
308         const char *hostname = gensec_get_target_hostname(gensec_security);
309         const char *principal;
310         struct gssapi_creds_container *gcc;
311
312         if (!hostname) {
313                 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
314                 return NT_STATUS_INVALID_PARAMETER;
315         }
316         if (is_ipaddress(hostname)) {
317                 DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
318                 return NT_STATUS_INVALID_PARAMETER;
319         }
320         if (strcmp(hostname, "localhost") == 0) {
321                 DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
322                 return NT_STATUS_INVALID_PARAMETER;
323         }
324
325         nt_status = gensec_gssapi_start(gensec_security);
326         if (!NT_STATUS_IS_OK(nt_status)) {
327                 return nt_status;
328         }
329
330         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
331
332         gensec_gssapi_state->gss_oid = gss_mech_krb5;
333
334         principal = gensec_get_target_principal(gensec_security);
335         if (principal && lp_client_use_spnego_principal(global_loadparm)) {
336                 name_type = GSS_C_NULL_OID;
337         } else {
338                 principal = talloc_asprintf(gensec_gssapi_state, "%s@%s", 
339                                             gensec_get_target_service(gensec_security), 
340                                             hostname);
341
342                 name_type = GSS_C_NT_HOSTBASED_SERVICE;
343         }               
344         name_token.value  = discard_const_p(uint8_t, principal);
345         name_token.length = strlen(principal);
346
347
348         maj_stat = gss_import_name (&min_stat,
349                                     &name_token,
350                                     name_type,
351                                     &gensec_gssapi_state->server_name);
352         if (maj_stat) {
353                 DEBUG(2, ("GSS Import name of %s failed: %s\n",
354                           (char *)name_token.value,
355                           gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
356                 return NT_STATUS_INVALID_PARAMETER;
357         }
358
359         ret = cli_credentials_get_client_gss_creds(creds, &gcc);
360         switch (ret) {
361         case 0:
362                 break;
363         case KRB5KDC_ERR_PREAUTH_FAILED:
364                 return NT_STATUS_LOGON_FAILURE;
365         case KRB5_KDC_UNREACH:
366                 DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
367                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
368         default:
369                 DEBUG(1, ("Aquiring initiator credentails failed\n"));
370                 return NT_STATUS_UNSUCCESSFUL;
371         }
372
373         gensec_gssapi_state->client_cred = gcc;
374         if (!talloc_reference(gensec_gssapi_state, gcc)) {
375                 return NT_STATUS_NO_MEMORY;
376         }
377         
378         return NT_STATUS_OK;
379 }
380
381 static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
382 {
383         NTSTATUS nt_status;
384         struct gensec_gssapi_state *gensec_gssapi_state;
385         nt_status = gensec_gssapi_client_start(gensec_security);
386
387         if (NT_STATUS_IS_OK(nt_status)) {
388                 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
389                 gensec_gssapi_state->sasl = True;
390         }
391         return nt_status;
392 }
393
394
395 /**
396  * Check if the packet is one for this mechansim
397  * 
398  * @param gensec_security GENSEC state
399  * @param in The request, as a DATA_BLOB
400  * @return Error, INVALID_PARAMETER if it's not a packet for us
401  *                or NT_STATUS_OK if the packet is ok. 
402  */
403
404 static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security, 
405                                     const DATA_BLOB *in) 
406 {
407         if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
408                 return NT_STATUS_OK;
409         } else {
410                 return NT_STATUS_INVALID_PARAMETER;
411         }
412 }
413
414
415 /**
416  * Next state function for the GSSAPI GENSEC mechanism
417  * 
418  * @param gensec_gssapi_state GSSAPI State
419  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
420  * @param in The request, as a DATA_BLOB
421  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
422  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
423  *                or NT_STATUS_OK if the user is authenticated. 
424  */
425
426 static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, 
427                                    TALLOC_CTX *out_mem_ctx, 
428                                    const DATA_BLOB in, DATA_BLOB *out) 
429 {
430         struct gensec_gssapi_state *gensec_gssapi_state
431                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
432         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
433         OM_uint32 maj_stat, min_stat;
434         OM_uint32 min_stat2;
435         gss_buffer_desc input_token, output_token;
436         gss_OID gss_oid_p = NULL;
437         input_token.length = in.length;
438         input_token.value = in.data;
439
440         switch (gensec_gssapi_state->sasl_state) {
441         case STAGE_GSS_NEG:
442         {
443                 switch (gensec_security->gensec_role) {
444                 case GENSEC_CLIENT:
445                 {
446                         maj_stat = gss_init_sec_context(&min_stat, 
447                                                         gensec_gssapi_state->client_cred->creds,
448                                                         &gensec_gssapi_state->gssapi_context, 
449                                                         gensec_gssapi_state->server_name, 
450                                                         discard_const_p(gss_OID_desc, gensec_gssapi_state->gss_oid),
451                                                         gensec_gssapi_state->want_flags, 
452                                                         0, 
453                                                         gensec_gssapi_state->input_chan_bindings,
454                                                         &input_token, 
455                                                         &gss_oid_p,
456                                                         &output_token, 
457                                                         &gensec_gssapi_state->got_flags, /* ret flags */
458                                                         NULL);
459                         if (gss_oid_p) {
460                                 gensec_gssapi_state->gss_oid = gss_oid_p;
461                         }
462                         break;
463                 }
464                 case GENSEC_SERVER:
465                 {
466                         maj_stat = gss_accept_sec_context(&min_stat, 
467                                                           &gensec_gssapi_state->gssapi_context, 
468                                                           gensec_gssapi_state->server_cred->creds,
469                                                           &input_token, 
470                                                           gensec_gssapi_state->input_chan_bindings,
471                                                           &gensec_gssapi_state->client_name, 
472                                                           &gss_oid_p,
473                                                           &output_token, 
474                                                           &gensec_gssapi_state->got_flags, 
475                                                           NULL, 
476                                                           &gensec_gssapi_state->delegated_cred_handle);
477                         if (gss_oid_p) {
478                                 gensec_gssapi_state->gss_oid = gss_oid_p;
479                         }
480                         break;
481                 }
482                 default:
483                         return NT_STATUS_INVALID_PARAMETER;
484                         
485                 }
486
487                 gensec_gssapi_state->gss_exchange_count++;
488
489                 if (maj_stat == GSS_S_COMPLETE) {
490                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
491                         gss_release_buffer(&min_stat2, &output_token);
492                         
493                         if (gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG) {
494                                 DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
495                         } else {
496                                 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
497                         }
498
499                         /* We may have been invoked as SASL, so there
500                          * is more work to do */
501                         if (gensec_gssapi_state->sasl) {
502                                 /* Due to a very subtle interaction
503                                  * with SASL and the LDAP libs, we
504                                  * must ensure the data pointer is 
505                                  * != NULL, but the length is 0.  
506                                  *
507                                  * This ensures we send a 'zero
508                                  * length' (rather than NULL) response 
509                                  */
510                                 
511                                 if (!out->data) {
512                                         out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
513                                 }
514
515                                 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
516                                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
517                         } else {
518                                 gensec_gssapi_state->sasl_state = STAGE_DONE;
519
520                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
521                                         DEBUG(5, ("GSSAPI Connection will be cryptographicly sealed\n"));
522                                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
523                                         DEBUG(5, ("GSSAPI Connection will be cryptographicly signed\n"));
524                                 } else {
525                                         DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
526                                 }
527
528                                 return NT_STATUS_OK;
529                         }
530                 } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
531                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
532                         gss_release_buffer(&min_stat2, &output_token);
533                         
534                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
535                 } else if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
536                         switch (min_stat) {
537                         case KRB5_KDC_UNREACH:
538                                 DEBUG(3, ("Cannot reach a KDC we require: %s\n",
539                                           gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
540                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
541                         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
542                                 DEBUG(3, ("Server is not registered with our KDC: %s\n", 
543                                           gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
544                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
545                         case KRB5KRB_AP_ERR_MSG_TYPE:
546                                 /* garbage input, possibly from the auto-mech detection */
547                                 return NT_STATUS_INVALID_PARAMETER;
548                         default:
549                                 DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n", 
550                                           gensec_gssapi_state->gss_exchange_count,
551                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
552                                 return nt_status;
553                         }
554                 } else {
555                         DEBUG(1, ("GSS Update(%d) failed: %s\n", 
556                                   gensec_gssapi_state->gss_exchange_count,
557                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
558                         return nt_status;
559                 }
560                 break;
561         }
562
563         /* These last two stages are only done if we were invoked as SASL */
564         case STAGE_SASL_SSF_NEG:
565         {
566                 switch (gensec_security->gensec_role) {
567                 case GENSEC_CLIENT:
568                 {
569                         uint8_t maxlength_proposed[4]; 
570                         uint8_t maxlength_accepted[4]; 
571                         uint8_t security_supported;
572                         int conf_state;
573                         gss_qop_t qop_state;
574                         input_token.length = in.length;
575                         input_token.value = in.data;
576
577                         /* As a client, we have just send a
578                          * zero-length blob to the server (after the
579                          * normal GSSAPI exchange), and it has replied
580                          * with it's SASL negotiation */
581                         
582                         maj_stat = gss_unwrap(&min_stat, 
583                                               gensec_gssapi_state->gssapi_context, 
584                                               &input_token,
585                                               &output_token, 
586                                               &conf_state,
587                                               &qop_state);
588                         if (GSS_ERROR(maj_stat)) {
589                                 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n", 
590                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
591                                 return NT_STATUS_ACCESS_DENIED;
592                         }
593                         
594                         if (output_token.length < 4) {
595                                 return NT_STATUS_INVALID_PARAMETER;
596                         }
597
598                         memcpy(maxlength_proposed, output_token.value, 4);
599                         gss_release_buffer(&min_stat, &output_token);
600
601                         /* first byte is the proposed security */
602                         security_supported = maxlength_proposed[0];
603                         maxlength_proposed[0] = '\0';
604                         
605                         /* Rest is the proposed max wrap length */
606                         gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0), 
607                                                                      gensec_gssapi_state->max_wrap_buf_size);
608                         gensec_gssapi_state->sasl_protection = 0;
609                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
610                                 if (security_supported & NEG_SEAL) {
611                                         gensec_gssapi_state->sasl_protection |= NEG_SEAL;
612                                 }
613                         } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
614                                 if (security_supported & NEG_SIGN) {
615                                         gensec_gssapi_state->sasl_protection |= NEG_SIGN;
616                                 }
617                         } else if (security_supported & NEG_NONE) {
618                                 gensec_gssapi_state->sasl_protection |= NEG_NONE;
619                         } else {
620                                 DEBUG(1, ("Remote server does not support unprotected connections"));
621                                 return NT_STATUS_ACCESS_DENIED;
622                         }
623
624                         /* Send back the negotiated max length */
625
626                         RSIVAL(maxlength_accepted, 0, gensec_gssapi_state->max_wrap_buf_size);
627
628                         maxlength_accepted[0] = gensec_gssapi_state->sasl_protection;
629                         
630                         input_token.value = maxlength_accepted;
631                         input_token.length = sizeof(maxlength_accepted);
632
633                         maj_stat = gss_wrap(&min_stat, 
634                                             gensec_gssapi_state->gssapi_context, 
635                                             False,
636                                             GSS_C_QOP_DEFAULT,
637                                             &input_token,
638                                             &conf_state,
639                                             &output_token);
640                         if (GSS_ERROR(maj_stat)) {
641                                 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", 
642                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
643                                 return NT_STATUS_ACCESS_DENIED;
644                         }
645                         
646                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
647                         gss_release_buffer(&min_stat, &output_token);
648
649                         /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
650                         gensec_gssapi_state->sasl_state = STAGE_DONE;
651
652                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
653                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
654                         } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
655                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
656                         } else {
657                                 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
658                         }
659
660                         return NT_STATUS_OK;
661                 }
662                 case GENSEC_SERVER:
663                 {
664                         uint8_t maxlength_proposed[4]; 
665                         uint8_t security_supported = 0x0;
666                         int conf_state;
667
668                         /* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
669                         if (in.length != 0) {
670                                 DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
671                         }
672                         
673                         /* Give the client some idea what we will support */
674                           
675                         RSIVAL(maxlength_proposed, 0, gensec_gssapi_state->max_wrap_buf_size);
676                         /* first byte is the proposed security */
677                         maxlength_proposed[0] = '\0';
678                         
679                         gensec_gssapi_state->sasl_protection = 0;
680                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
681                                 security_supported |= NEG_SEAL;
682                         } 
683                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
684                                 security_supported |= NEG_SIGN;
685                         }
686                         if (security_supported == 0) {
687                                 /* If we don't support anything, this must be 0 */
688                                 RSIVAL(maxlength_proposed, 0, 0x0);
689                         }
690
691                         /* TODO:  We may not wish to support this */
692                         security_supported |= NEG_NONE;
693                         maxlength_proposed[0] = security_supported;
694                         
695                         input_token.value = maxlength_proposed;
696                         input_token.length = sizeof(maxlength_proposed);
697
698                         maj_stat = gss_wrap(&min_stat, 
699                                             gensec_gssapi_state->gssapi_context, 
700                                             False,
701                                             GSS_C_QOP_DEFAULT,
702                                             &input_token,
703                                             &conf_state,
704                                             &output_token);
705                         if (GSS_ERROR(maj_stat)) {
706                                 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", 
707                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
708                                 return NT_STATUS_ACCESS_DENIED;
709                         }
710                         
711                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
712                         gss_release_buffer(&min_stat, &output_token);
713
714                         gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_ACCEPT;
715                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
716                 }
717                 default:
718                         return NT_STATUS_INVALID_PARAMETER;
719                         
720                 }
721         }
722         /* This is s server-only stage */
723         case STAGE_SASL_SSF_ACCEPT:
724         {
725                 uint8_t maxlength_accepted[4]; 
726                 uint8_t security_accepted;
727                 int conf_state;
728                 gss_qop_t qop_state;
729                 input_token.length = in.length;
730                 input_token.value = in.data;
731                         
732                 maj_stat = gss_unwrap(&min_stat, 
733                                       gensec_gssapi_state->gssapi_context, 
734                                       &input_token,
735                                       &output_token, 
736                                       &conf_state,
737                                       &qop_state);
738                 if (GSS_ERROR(maj_stat)) {
739                         DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n", 
740                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
741                         return NT_STATUS_ACCESS_DENIED;
742                 }
743                         
744                 if (output_token.length < 4) {
745                         return NT_STATUS_INVALID_PARAMETER;
746                 }
747
748                 memcpy(maxlength_accepted, output_token.value, 4);
749                 gss_release_buffer(&min_stat, &output_token);
750                 
751                 /* first byte is the proposed security */
752                 security_accepted = maxlength_accepted[0];
753                 maxlength_accepted[0] = '\0';
754                 
755                 /* Rest is the proposed max wrap length */
756                 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0), 
757                                                              gensec_gssapi_state->max_wrap_buf_size);
758
759                 gensec_gssapi_state->sasl_protection = 0;
760                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
761                         if (security_accepted & NEG_SEAL) {
762                                 gensec_gssapi_state->sasl_protection |= NEG_SEAL;
763                         }
764                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
765                         if (security_accepted & NEG_SIGN) {
766                                 gensec_gssapi_state->sasl_protection |= NEG_SIGN;
767                         }
768                 } else if (security_accepted & NEG_NONE) {
769                         gensec_gssapi_state->sasl_protection |= NEG_NONE;
770                 } else {
771                         DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better"));
772                         return NT_STATUS_ACCESS_DENIED;
773                 }
774
775                 /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
776                 gensec_gssapi_state->sasl_state = STAGE_DONE;
777                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
778                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
779                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
780                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
781                 } else {
782                         DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
783                 }
784
785                 *out = data_blob(NULL, 0);
786                 return NT_STATUS_OK;    
787         }
788         default:
789                 return NT_STATUS_INVALID_PARAMETER;
790         }
791 }
792
793 static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security, 
794                                    TALLOC_CTX *mem_ctx, 
795                                    const DATA_BLOB *in, 
796                                    DATA_BLOB *out)
797 {
798         struct gensec_gssapi_state *gensec_gssapi_state
799                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
800         OM_uint32 maj_stat, min_stat;
801         gss_buffer_desc input_token, output_token;
802         int conf_state;
803         input_token.length = in->length;
804         input_token.value = in->data;
805
806         maj_stat = gss_wrap(&min_stat, 
807                             gensec_gssapi_state->gssapi_context, 
808                             gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
809                             GSS_C_QOP_DEFAULT,
810                             &input_token,
811                             &conf_state,
812                             &output_token);
813         if (GSS_ERROR(maj_stat)) {
814                 DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n", 
815                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
816                 return NT_STATUS_ACCESS_DENIED;
817         }
818
819         *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
820         gss_release_buffer(&min_stat, &output_token);
821
822         if (gensec_gssapi_state->sasl) {
823                 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
824                 if (max_wrapped_size < out->length) {
825                         DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
826                                   (unsigned)in->length, 
827                                   (unsigned)out->length, 
828                                   (unsigned int)max_wrapped_size));
829                         return NT_STATUS_INVALID_PARAMETER;
830                 }
831         }
832         
833         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
834             && !conf_state) {
835                 return NT_STATUS_ACCESS_DENIED;
836         }
837         return NT_STATUS_OK;
838 }
839
840 static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security, 
841                                      TALLOC_CTX *mem_ctx, 
842                                      const DATA_BLOB *in, 
843                                      DATA_BLOB *out)
844 {
845         struct gensec_gssapi_state *gensec_gssapi_state
846                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
847         OM_uint32 maj_stat, min_stat;
848         gss_buffer_desc input_token, output_token;
849         int conf_state;
850         gss_qop_t qop_state;
851         input_token.length = in->length;
852         input_token.value = in->data;
853         
854         if (gensec_gssapi_state->sasl) {
855                 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
856                 if (max_wrapped_size < in->length) {
857                         DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
858                         return NT_STATUS_INVALID_PARAMETER;
859                 }
860         }
861         
862         maj_stat = gss_unwrap(&min_stat, 
863                               gensec_gssapi_state->gssapi_context, 
864                               &input_token,
865                               &output_token, 
866                               &conf_state,
867                               &qop_state);
868         if (GSS_ERROR(maj_stat)) {
869                 DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n", 
870                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
871                 return NT_STATUS_ACCESS_DENIED;
872         }
873
874         *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
875         gss_release_buffer(&min_stat, &output_token);
876         
877         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
878             && !conf_state) {
879                 return NT_STATUS_ACCESS_DENIED;
880         }
881         return NT_STATUS_OK;
882 }
883
884 /* Find out the maximum input size negotiated on this connection */
885
886 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security) 
887 {
888         struct gensec_gssapi_state *gensec_gssapi_state
889                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
890         OM_uint32 maj_stat, min_stat;
891         OM_uint32 max_input_size;
892
893         maj_stat = gss_wrap_size_limit(&min_stat, 
894                                        gensec_gssapi_state->gssapi_context,
895                                        gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
896                                        GSS_C_QOP_DEFAULT,
897                                        gensec_gssapi_state->max_wrap_buf_size,
898                                        &max_input_size);
899         if (GSS_ERROR(maj_stat)) {
900                 TALLOC_CTX *mem_ctx = talloc_new(NULL); 
901                 DEBUG(1, ("gensec_gssapi_max_input_size: determinaing signature size with gss_wrap_size_limit failed: %s\n", 
902                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
903                 talloc_free(mem_ctx);
904                 return 0;
905         }
906
907         return max_input_size;
908 }
909
910 /* Find out the maximum output size negotiated on this connection */
911 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security) 
912 {
913         struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);;
914         return gensec_gssapi_state->max_wrap_buf_size;
915 }
916
917 static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security, 
918                                           TALLOC_CTX *mem_ctx, 
919                                           uint8_t *data, size_t length, 
920                                           const uint8_t *whole_pdu, size_t pdu_length, 
921                                           DATA_BLOB *sig)
922 {
923         struct gensec_gssapi_state *gensec_gssapi_state
924                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
925         OM_uint32 maj_stat, min_stat;
926         gss_buffer_desc input_token, output_token;
927         int conf_state;
928         ssize_t sig_length;
929
930         input_token.length = length;
931         input_token.value = data;
932         
933         maj_stat = gss_wrap(&min_stat, 
934                             gensec_gssapi_state->gssapi_context,
935                             gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
936                             GSS_C_QOP_DEFAULT,
937                             &input_token,
938                             &conf_state,
939                             &output_token);
940         if (GSS_ERROR(maj_stat)) {
941                 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap failed: %s\n", 
942                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
943                 return NT_STATUS_ACCESS_DENIED;
944         }
945
946         if (output_token.length < input_token.length) {
947                 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n", 
948                           (long)output_token.length, (long)length));
949                 return NT_STATUS_INTERNAL_ERROR;
950         }
951         sig_length = output_token.length - input_token.length;
952
953         memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
954         *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
955
956         dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
957         dump_data_pw("gensec_gssapi_seal_packet: clear\n", data, length);
958         dump_data_pw("gensec_gssapi_seal_packet: sealed\n", ((uint8_t *)output_token.value) + sig_length, output_token.length - sig_length);
959
960         gss_release_buffer(&min_stat, &output_token);
961
962         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
963             && !conf_state) {
964                 return NT_STATUS_ACCESS_DENIED;
965         }
966         return NT_STATUS_OK;
967 }
968
969 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security, 
970                                             TALLOC_CTX *mem_ctx, 
971                                             uint8_t *data, size_t length, 
972                                             const uint8_t *whole_pdu, size_t pdu_length,
973                                             const DATA_BLOB *sig)
974 {
975         struct gensec_gssapi_state *gensec_gssapi_state
976                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
977         OM_uint32 maj_stat, min_stat;
978         gss_buffer_desc input_token, output_token;
979         int conf_state;
980         gss_qop_t qop_state;
981         DATA_BLOB in;
982
983         dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
984
985         in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
986
987         memcpy(in.data, sig->data, sig->length);
988         memcpy(in.data + sig->length, data, length);
989
990         input_token.length = in.length;
991         input_token.value = in.data;
992         
993         maj_stat = gss_unwrap(&min_stat, 
994                               gensec_gssapi_state->gssapi_context, 
995                               &input_token,
996                               &output_token, 
997                               &conf_state,
998                               &qop_state);
999         if (GSS_ERROR(maj_stat)) {
1000                 DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n", 
1001                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1002                 return NT_STATUS_ACCESS_DENIED;
1003         }
1004
1005         if (output_token.length != length) {
1006                 return NT_STATUS_INTERNAL_ERROR;
1007         }
1008
1009         memcpy(data, output_token.value, length);
1010
1011         gss_release_buffer(&min_stat, &output_token);
1012         
1013         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1014             && !conf_state) {
1015                 return NT_STATUS_ACCESS_DENIED;
1016         }
1017         return NT_STATUS_OK;
1018 }
1019
1020 static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_security, 
1021                                           TALLOC_CTX *mem_ctx, 
1022                                           const uint8_t *data, size_t length, 
1023                                           const uint8_t *whole_pdu, size_t pdu_length, 
1024                                           DATA_BLOB *sig)
1025 {
1026         struct gensec_gssapi_state *gensec_gssapi_state
1027                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1028         OM_uint32 maj_stat, min_stat;
1029         gss_buffer_desc input_token, output_token;
1030         int conf_state;
1031         ssize_t sig_length = 0;
1032
1033         input_token.length = length;
1034         input_token.value = discard_const_p(uint8_t *, data);
1035
1036         maj_stat = gss_wrap(&min_stat, 
1037                             gensec_gssapi_state->gssapi_context,
1038                             0,
1039                             GSS_C_QOP_DEFAULT,
1040                             &input_token,
1041                             &conf_state,
1042                             &output_token);
1043         if (GSS_ERROR(maj_stat)) {
1044                 DEBUG(1, ("GSS Wrap failed: %s\n", 
1045                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1046                 return NT_STATUS_ACCESS_DENIED;
1047         }
1048
1049         if (output_token.length < input_token.length) {
1050                 DEBUG(1, ("gensec_gssapi_sign_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n", 
1051                           (long)output_token.length, (long)length));
1052                 return NT_STATUS_INTERNAL_ERROR;
1053         }
1054
1055         /* Caller must pad to right boundary */
1056         sig_length = output_token.length - input_token.length;
1057
1058         *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
1059
1060         dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1061
1062         gss_release_buffer(&min_stat, &output_token);
1063
1064         return NT_STATUS_OK;
1065 }
1066
1067 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security, 
1068                                            TALLOC_CTX *mem_ctx, 
1069                                            const uint8_t *data, size_t length, 
1070                                            const uint8_t *whole_pdu, size_t pdu_length, 
1071                                            const DATA_BLOB *sig)
1072 {
1073         struct gensec_gssapi_state *gensec_gssapi_state
1074                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1075         OM_uint32 maj_stat, min_stat;
1076         gss_buffer_desc input_token, output_token;
1077         int conf_state;
1078         gss_qop_t qop_state;
1079         DATA_BLOB in;
1080
1081         dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1082
1083         in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
1084
1085         memcpy(in.data, sig->data, sig->length);
1086         memcpy(in.data + sig->length, data, length);
1087
1088         input_token.length = in.length;
1089         input_token.value = in.data;
1090         
1091         maj_stat = gss_unwrap(&min_stat, 
1092                               gensec_gssapi_state->gssapi_context, 
1093                               &input_token,
1094                               &output_token, 
1095                               &conf_state,
1096                               &qop_state);
1097         if (GSS_ERROR(maj_stat)) {
1098                 DEBUG(1, ("GSS UnWrap failed: %s\n", 
1099                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1100                 return NT_STATUS_ACCESS_DENIED;
1101         }
1102
1103         if (output_token.length != length) {
1104                 return NT_STATUS_INTERNAL_ERROR;
1105         }
1106
1107         gss_release_buffer(&min_stat, &output_token);
1108
1109         return NT_STATUS_OK;
1110 }
1111
1112 /* Try to figure out what features we actually got on the connection */
1113 static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security, 
1114                                        uint32_t feature) 
1115 {
1116         struct gensec_gssapi_state *gensec_gssapi_state
1117                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1118         if (feature & GENSEC_FEATURE_SIGN) {
1119                 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1120                 if (gensec_gssapi_state->sasl 
1121                     && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1122                         return ((gensec_gssapi_state->sasl_protection & NEG_SIGN) 
1123                                 && (gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG));
1124                 }
1125                 return gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG;
1126         }
1127         if (feature & GENSEC_FEATURE_SEAL) {
1128                 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1129                 if (gensec_gssapi_state->sasl 
1130                     && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1131                         return ((gensec_gssapi_state->sasl_protection & NEG_SEAL) 
1132                                  && (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG));
1133                 }
1134                 return gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG;
1135         }
1136         if (feature & GENSEC_FEATURE_SESSION_KEY) {
1137                 /* Only for GSSAPI/Krb5 */
1138                 if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
1139                         return True;
1140                 }
1141         }
1142         if (feature & GENSEC_FEATURE_DCE_STYLE) {
1143                 return gensec_gssapi_state->got_flags & GSS_C_DCE_STYLE;
1144         }
1145         /* We can always do async (rather than strict request/reply) packets.  */
1146         if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1147                 return True;
1148         }
1149         return False;
1150 }
1151
1152 /*
1153  * Extract the 'sesssion key' needed by SMB signing and ncacn_np 
1154  * (for encrypting some passwords).
1155  * 
1156  * This breaks all the abstractions, but what do you expect...
1157  */
1158 static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security, 
1159                                           DATA_BLOB *session_key) 
1160 {
1161         struct gensec_gssapi_state *gensec_gssapi_state
1162                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1163         OM_uint32 maj_stat, min_stat;
1164         krb5_keyblock *subkey;
1165
1166         if (gensec_gssapi_state->session_key.data) {
1167                 *session_key = gensec_gssapi_state->session_key;
1168                 return NT_STATUS_OK;
1169         }
1170
1171         maj_stat = gsskrb5_get_initiator_subkey(&min_stat, 
1172                                                 gensec_gssapi_state->gssapi_context,
1173                                                 &subkey);
1174         if (maj_stat != 0) {
1175                 DEBUG(1, ("NO session key for this mech\n"));
1176                 return NT_STATUS_NO_USER_SESSION_KEY;
1177         }
1178         
1179         DEBUG(10, ("Got KRB5 session key of length %d\n",  
1180                    (int)KRB5_KEY_LENGTH(subkey)));
1181         gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state, 
1182                                                             KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
1183         krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
1184         *session_key = gensec_gssapi_state->session_key;
1185         dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
1186
1187         return NT_STATUS_OK;
1188 }
1189
1190 /* Get some basic (and authorization) information about the user on
1191  * this session.  This uses either the PAC (if present) or a local
1192  * database lookup */
1193 static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
1194                                            struct auth_session_info **_session_info) 
1195 {
1196         NTSTATUS nt_status;
1197         TALLOC_CTX *mem_ctx;
1198         struct gensec_gssapi_state *gensec_gssapi_state
1199                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1200         struct auth_serversupplied_info *server_info = NULL;
1201         struct auth_session_info *session_info = NULL;
1202         struct PAC_LOGON_INFO *logon_info;
1203         OM_uint32 maj_stat, min_stat;
1204         gss_buffer_desc name_token;
1205         gss_buffer_desc pac;
1206         krb5_keyblock *keyblock;
1207         time_t authtime;
1208         krb5_principal principal;
1209         char *principal_string;
1210         DATA_BLOB pac_blob;
1211         
1212         if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
1213             || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
1214                        gensec_gssapi_state->gss_oid->length) != 0)) {
1215                 DEBUG(1, ("NO session info available for this mech\n"));
1216                 return NT_STATUS_INVALID_PARAMETER;
1217         }
1218                 
1219         mem_ctx = talloc_named(gensec_gssapi_state, 0, "gensec_gssapi_session_info context"); 
1220         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
1221
1222         maj_stat = gss_display_name (&min_stat,
1223                                      gensec_gssapi_state->client_name,
1224                                      &name_token,
1225                                      NULL);
1226         if (GSS_ERROR(maj_stat)) {
1227                 DEBUG(1, ("GSS display_name failed: %s\n", 
1228                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1229                 talloc_free(mem_ctx);
1230                 return NT_STATUS_FOOBAR;
1231         }
1232
1233         principal_string = talloc_strndup(mem_ctx, 
1234                                           (const char *)name_token.value, 
1235                                           name_token.length);
1236
1237         gss_release_buffer(&min_stat, &name_token);
1238
1239         if (!principal_string) {
1240                 talloc_free(mem_ctx);
1241                 return NT_STATUS_NO_MEMORY;
1242         }
1243
1244         maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, 
1245                                                                gensec_gssapi_state->gssapi_context, 
1246                                                                KRB5_AUTHDATA_WIN2K_PAC,
1247                                                                &pac);
1248         
1249         
1250         if (maj_stat == 0) {
1251                 pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
1252                 gss_release_buffer(&min_stat, &pac);
1253
1254         } else {
1255                 pac_blob = data_blob(NULL, 0);
1256         }
1257         
1258         /* IF we have the PAC - otherwise we need to get this
1259          * data from elsewere - local ldb, or (TODO) lookup of some
1260          * kind... 
1261          */
1262         if (pac_blob.length) {
1263                 krb5_error_code ret;
1264                 union netr_Validation validation;
1265
1266                 maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
1267                                                                      gensec_gssapi_state->gssapi_context, 
1268                                                                      &authtime);
1269                 
1270                 if (GSS_ERROR(maj_stat)) {
1271                         DEBUG(1, ("gsskrb5_extract_authtime_from_sec_context: %s\n", 
1272                                   gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1273                         talloc_free(mem_ctx);
1274                         return NT_STATUS_FOOBAR;
1275                 }
1276
1277                 maj_stat = gsskrb5_extract_service_keyblock(&min_stat, 
1278                                                             gensec_gssapi_state->gssapi_context, 
1279                                                             &keyblock);
1280                 
1281                 if (GSS_ERROR(maj_stat)) {
1282                         DEBUG(1, ("gsskrb5_copy_service_keyblock failed: %s\n", 
1283                                   gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1284                         talloc_free(mem_ctx);
1285                         return NT_STATUS_FOOBAR;
1286                 } 
1287
1288                 ret = krb5_parse_name_flags(gensec_gssapi_state->smb_krb5_context->krb5_context,
1289                                             principal_string, 
1290                                             KRB5_PRINCIPAL_PARSE_MUST_REALM,
1291                                             &principal);
1292                 if (ret) {
1293                         krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
1294                                            keyblock);
1295                         talloc_free(mem_ctx);
1296                         return NT_STATUS_INVALID_PARAMETER;
1297                 }
1298                 
1299                 /* decode and verify the pac */
1300                 nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, pac_blob,
1301                                                     gensec_gssapi_state->smb_krb5_context->krb5_context,
1302                                                     NULL, keyblock, principal, authtime, NULL);
1303                 krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
1304                 krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
1305                                    keyblock);
1306
1307                 if (!NT_STATUS_IS_OK(nt_status)) {
1308                         talloc_free(mem_ctx);
1309                         return nt_status;
1310                 }
1311                 validation.sam3 = &logon_info->info3;
1312                 nt_status = make_server_info_netlogon_validation(gensec_gssapi_state, 
1313                                                                  NULL,
1314                                                                  3, &validation,
1315                                                                  &server_info); 
1316                 if (!NT_STATUS_IS_OK(nt_status)) {
1317                         talloc_free(mem_ctx);
1318                         return nt_status;
1319                 }
1320         } else if (!lp_parm_bool(global_loadparm, NULL, "gensec", "require_pac", false)) {
1321                 DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
1322                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1323                 nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
1324                                                           &server_info);
1325
1326                 if (!NT_STATUS_IS_OK(nt_status)) {
1327                         talloc_free(mem_ctx);
1328                         return nt_status;
1329                 }
1330         } else {
1331                 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
1332                           principal_string,
1333                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1334                 return NT_STATUS_ACCESS_DENIED;
1335         }
1336
1337         /* references the server_info into the session_info */
1338         nt_status = auth_generate_session_info(mem_ctx, server_info, &session_info);
1339         if (!NT_STATUS_IS_OK(nt_status)) {
1340                 talloc_free(mem_ctx);
1341                 return nt_status;
1342         }
1343
1344         nt_status = gensec_gssapi_session_key(gensec_security, &session_info->session_key);
1345         if (!NT_STATUS_IS_OK(nt_status)) {
1346                 talloc_free(mem_ctx);
1347                 return nt_status;
1348         }
1349
1350         if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
1351                 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1352         } else {
1353                 krb5_error_code ret;
1354                 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1355                 session_info->credentials = cli_credentials_init(session_info);
1356                 if (!session_info->credentials) {
1357                         talloc_free(mem_ctx);
1358                         return NT_STATUS_NO_MEMORY;
1359                 }
1360
1361                 cli_credentials_set_event_context(session_info->credentials, gensec_security->event_ctx);
1362                 cli_credentials_set_conf(session_info->credentials, global_loadparm);
1363                 /* Just so we don't segfault trying to get at a username */
1364                 cli_credentials_set_anonymous(session_info->credentials);
1365                 
1366                 ret = cli_credentials_set_client_gss_creds(session_info->credentials, 
1367                                                            gensec_gssapi_state->delegated_cred_handle,
1368                                                            CRED_SPECIFIED);
1369                 if (ret) {
1370                         talloc_free(mem_ctx);
1371                         return NT_STATUS_NO_MEMORY;
1372                 }
1373                 
1374                 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1375                 cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
1376
1377                 /* It has been taken from this place... */
1378                 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1379         }
1380         talloc_steal(gensec_gssapi_state, session_info);
1381         talloc_free(mem_ctx);
1382         *_session_info = session_info;
1383
1384         return NT_STATUS_OK;
1385 }
1386
1387 static const char *gensec_gssapi_krb5_oids[] = { 
1388         GENSEC_OID_KERBEROS5_OLD,
1389         GENSEC_OID_KERBEROS5,
1390         NULL 
1391 };
1392
1393 static const char *gensec_gssapi_spnego_oids[] = { 
1394         GENSEC_OID_SPNEGO,
1395         NULL 
1396 };
1397
1398 /* As a server, this could in theory accept any GSSAPI mech */
1399 static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
1400         .name           = "gssapi_spnego",
1401         .sasl_name      = "GSS-SPNEGO",
1402         .auth_type      = DCERPC_AUTH_TYPE_SPNEGO,
1403         .oid            = gensec_gssapi_spnego_oids,
1404         .client_start   = gensec_gssapi_client_start,
1405         .server_start   = gensec_gssapi_server_start,
1406         .magic          = gensec_gssapi_magic,
1407         .update         = gensec_gssapi_update,
1408         .session_key    = gensec_gssapi_session_key,
1409         .session_info   = gensec_gssapi_session_info,
1410         .sign_packet    = gensec_gssapi_sign_packet,
1411         .check_packet   = gensec_gssapi_check_packet,
1412         .seal_packet    = gensec_gssapi_seal_packet,
1413         .unseal_packet  = gensec_gssapi_unseal_packet,
1414         .wrap           = gensec_gssapi_wrap,
1415         .unwrap         = gensec_gssapi_unwrap,
1416         .have_feature   = gensec_gssapi_have_feature,
1417         .enabled        = False,
1418         .kerberos       = True,
1419         .priority       = GENSEC_GSSAPI
1420 };
1421
1422 /* As a server, this could in theory accept any GSSAPI mech */
1423 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
1424         .name           = "gssapi_krb5",
1425         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
1426         .oid            = gensec_gssapi_krb5_oids,
1427         .client_start   = gensec_gssapi_client_start,
1428         .server_start   = gensec_gssapi_server_start,
1429         .magic          = gensec_gssapi_magic,
1430         .update         = gensec_gssapi_update,
1431         .session_key    = gensec_gssapi_session_key,
1432         .session_info   = gensec_gssapi_session_info,
1433         .sign_packet    = gensec_gssapi_sign_packet,
1434         .check_packet   = gensec_gssapi_check_packet,
1435         .seal_packet    = gensec_gssapi_seal_packet,
1436         .unseal_packet  = gensec_gssapi_unseal_packet,
1437         .wrap           = gensec_gssapi_wrap,
1438         .unwrap         = gensec_gssapi_unwrap,
1439         .have_feature   = gensec_gssapi_have_feature,
1440         .enabled        = True,
1441         .kerberos       = True,
1442         .priority       = GENSEC_GSSAPI
1443 };
1444
1445 /* As a server, this could in theory accept any GSSAPI mech */
1446 static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
1447         .name             = "gssapi_krb5_sasl",
1448         .sasl_name        = "GSSAPI",
1449         .client_start     = gensec_gssapi_sasl_client_start,
1450         .server_start     = gensec_gssapi_sasl_server_start,
1451         .update           = gensec_gssapi_update,
1452         .session_key      = gensec_gssapi_session_key,
1453         .session_info     = gensec_gssapi_session_info,
1454         .max_input_size   = gensec_gssapi_max_input_size,
1455         .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1456         .wrap             = gensec_gssapi_wrap,
1457         .unwrap           = gensec_gssapi_unwrap,
1458         .have_feature     = gensec_gssapi_have_feature,
1459         .enabled          = True,
1460         .kerberos         = True,
1461         .priority         = GENSEC_GSSAPI
1462 };
1463
1464 NTSTATUS gensec_gssapi_init(void)
1465 {
1466         NTSTATUS ret;
1467
1468         ret = gensec_register(&gensec_gssapi_spnego_security_ops);
1469         if (!NT_STATUS_IS_OK(ret)) {
1470                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1471                         gensec_gssapi_spnego_security_ops.name));
1472                 return ret;
1473         }
1474
1475         ret = gensec_register(&gensec_gssapi_krb5_security_ops);
1476         if (!NT_STATUS_IS_OK(ret)) {
1477                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1478                         gensec_gssapi_krb5_security_ops.name));
1479                 return ret;
1480         }
1481
1482         ret = gensec_register(&gensec_gssapi_sasl_krb5_security_ops);
1483         if (!NT_STATUS_IS_OK(ret)) {
1484                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1485                         gensec_gssapi_sasl_krb5_security_ops.name));
1486                 return ret;
1487         }
1488
1489         return ret;
1490 }