2 Unix SMB/CIFS implementation.
4 RFC2478 Compliant SPNEGO implementation
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2008
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/auth/spnego.h"
27 #include "librpc/gen_ndr/ndr_dcerpc.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/gensec/gensec_internal.h"
31 #include "param/param.h"
32 #include "lib/util/asn1.h"
36 _PUBLIC_ NTSTATUS
gensec_spnego_init(void);
38 enum spnego_state_position
{
48 enum spnego_message_type expected_packet
;
49 enum spnego_state_position state_position
;
50 struct gensec_security
*sub_sec_security
;
51 bool no_response_expected
;
58 * The following is used to implement
59 * the update token fragmentation
63 size_t out_max_length
;
69 static NTSTATUS
gensec_spnego_client_start(struct gensec_security
*gensec_security
)
71 struct spnego_state
*spnego_state
;
73 spnego_state
= talloc_zero(gensec_security
, struct spnego_state
);
75 return NT_STATUS_NO_MEMORY
;
78 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_INIT
;
79 spnego_state
->state_position
= SPNEGO_CLIENT_START
;
80 spnego_state
->sub_sec_security
= NULL
;
81 spnego_state
->no_response_expected
= false;
82 spnego_state
->mech_types
= data_blob(NULL
, 0);
83 spnego_state
->out_max_length
= gensec_max_update_size(gensec_security
);
84 spnego_state
->out_status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
86 gensec_security
->private_data
= spnego_state
;
90 static NTSTATUS
gensec_spnego_server_start(struct gensec_security
*gensec_security
)
92 struct spnego_state
*spnego_state
;
94 spnego_state
= talloc_zero(gensec_security
, struct spnego_state
);
96 return NT_STATUS_NO_MEMORY
;
99 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_INIT
;
100 spnego_state
->state_position
= SPNEGO_SERVER_START
;
101 spnego_state
->sub_sec_security
= NULL
;
102 spnego_state
->no_response_expected
= false;
103 spnego_state
->mech_types
= data_blob(NULL
, 0);
104 spnego_state
->out_max_length
= gensec_max_update_size(gensec_security
);
105 spnego_state
->out_status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
107 gensec_security
->private_data
= spnego_state
;
112 wrappers for the spnego_*() functions
114 static NTSTATUS
gensec_spnego_unseal_packet(struct gensec_security
*gensec_security
,
115 uint8_t *data
, size_t length
,
116 const uint8_t *whole_pdu
, size_t pdu_length
,
117 const DATA_BLOB
*sig
)
119 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
121 if (spnego_state
->state_position
!= SPNEGO_DONE
122 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
123 return NT_STATUS_INVALID_PARAMETER
;
126 return gensec_unseal_packet(spnego_state
->sub_sec_security
,
128 whole_pdu
, pdu_length
,
132 static NTSTATUS
gensec_spnego_check_packet(struct gensec_security
*gensec_security
,
133 const uint8_t *data
, size_t length
,
134 const uint8_t *whole_pdu
, size_t pdu_length
,
135 const DATA_BLOB
*sig
)
137 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
139 if (spnego_state
->state_position
!= SPNEGO_DONE
140 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
141 return NT_STATUS_INVALID_PARAMETER
;
144 return gensec_check_packet(spnego_state
->sub_sec_security
,
146 whole_pdu
, pdu_length
,
150 static NTSTATUS
gensec_spnego_seal_packet(struct gensec_security
*gensec_security
,
152 uint8_t *data
, size_t length
,
153 const uint8_t *whole_pdu
, size_t pdu_length
,
156 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
158 if (spnego_state
->state_position
!= SPNEGO_DONE
159 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
160 return NT_STATUS_INVALID_PARAMETER
;
163 return gensec_seal_packet(spnego_state
->sub_sec_security
,
166 whole_pdu
, pdu_length
,
170 static NTSTATUS
gensec_spnego_sign_packet(struct gensec_security
*gensec_security
,
172 const uint8_t *data
, size_t length
,
173 const uint8_t *whole_pdu
, size_t pdu_length
,
176 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
178 if (spnego_state
->state_position
!= SPNEGO_DONE
179 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
180 return NT_STATUS_INVALID_PARAMETER
;
183 return gensec_sign_packet(spnego_state
->sub_sec_security
,
186 whole_pdu
, pdu_length
,
190 static NTSTATUS
gensec_spnego_wrap(struct gensec_security
*gensec_security
,
195 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
197 if (spnego_state
->state_position
!= SPNEGO_DONE
198 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
199 DEBUG(1, ("gensec_spnego_wrap: wrong state for wrap\n"));
200 return NT_STATUS_INVALID_PARAMETER
;
203 return gensec_wrap(spnego_state
->sub_sec_security
,
207 static NTSTATUS
gensec_spnego_unwrap(struct gensec_security
*gensec_security
,
212 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
214 if (spnego_state
->state_position
!= SPNEGO_DONE
215 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
216 DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
217 return NT_STATUS_INVALID_PARAMETER
;
220 return gensec_unwrap(spnego_state
->sub_sec_security
,
224 static NTSTATUS
gensec_spnego_wrap_packets(struct gensec_security
*gensec_security
,
228 size_t *len_processed
)
230 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
232 if (spnego_state
->state_position
!= SPNEGO_DONE
233 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
234 DEBUG(1, ("gensec_spnego_wrap: wrong state for wrap\n"));
235 return NT_STATUS_INVALID_PARAMETER
;
238 return gensec_wrap_packets(spnego_state
->sub_sec_security
,
243 static NTSTATUS
gensec_spnego_packet_full_request(struct gensec_security
*gensec_security
,
244 DATA_BLOB blob
, size_t *size
)
246 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
248 if (spnego_state
->state_position
!= SPNEGO_DONE
249 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
250 DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
251 return NT_STATUS_INVALID_PARAMETER
;
254 return gensec_packet_full_request(spnego_state
->sub_sec_security
,
258 static NTSTATUS
gensec_spnego_unwrap_packets(struct gensec_security
*gensec_security
,
262 size_t *len_processed
)
264 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
266 if (spnego_state
->state_position
!= SPNEGO_DONE
267 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
268 DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
269 return NT_STATUS_INVALID_PARAMETER
;
272 return gensec_unwrap_packets(spnego_state
->sub_sec_security
,
277 static size_t gensec_spnego_sig_size(struct gensec_security
*gensec_security
, size_t data_size
)
279 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
281 if (spnego_state
->state_position
!= SPNEGO_DONE
282 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
286 return gensec_sig_size(spnego_state
->sub_sec_security
, data_size
);
289 static size_t gensec_spnego_max_input_size(struct gensec_security
*gensec_security
)
291 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
293 if (spnego_state
->state_position
!= SPNEGO_DONE
294 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
298 return gensec_max_input_size(spnego_state
->sub_sec_security
);
301 static size_t gensec_spnego_max_wrapped_size(struct gensec_security
*gensec_security
)
303 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
305 if (spnego_state
->state_position
!= SPNEGO_DONE
306 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
310 return gensec_max_wrapped_size(spnego_state
->sub_sec_security
);
313 static NTSTATUS
gensec_spnego_session_key(struct gensec_security
*gensec_security
,
315 DATA_BLOB
*session_key
)
317 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
318 if (!spnego_state
->sub_sec_security
) {
319 return NT_STATUS_INVALID_PARAMETER
;
322 return gensec_session_key(spnego_state
->sub_sec_security
,
327 static NTSTATUS
gensec_spnego_session_info(struct gensec_security
*gensec_security
,
329 struct auth_session_info
**session_info
)
331 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
332 if (!spnego_state
->sub_sec_security
) {
333 return NT_STATUS_INVALID_PARAMETER
;
336 return gensec_session_info(spnego_state
->sub_sec_security
,
341 /** Fallback to another GENSEC mechanism, based on magic strings
343 * This is the 'fallback' case, where we don't get SPNEGO, and have to
344 * try all the other options (and hope they all have a magic string
348 static NTSTATUS
gensec_spnego_server_try_fallback(struct gensec_security
*gensec_security
,
349 struct spnego_state
*spnego_state
,
350 struct tevent_context
*ev
,
351 TALLOC_CTX
*out_mem_ctx
,
352 const DATA_BLOB in
, DATA_BLOB
*out
)
355 struct gensec_security_ops
**all_ops
356 = gensec_security_mechs(gensec_security
, out_mem_ctx
);
357 for (i
=0; all_ops
[i
]; i
++) {
361 if (gensec_security
!= NULL
&&
362 !gensec_security_ops_enabled(all_ops
[i
], gensec_security
))
365 if (!all_ops
[i
]->oid
) {
370 for (j
=0; all_ops
[i
]->oid
[j
]; j
++) {
371 if (strcasecmp(GENSEC_OID_SPNEGO
,all_ops
[i
]->oid
[j
]) == 0) {
379 if (!all_ops
[i
]->magic
) {
383 nt_status
= all_ops
[i
]->magic(gensec_security
, &in
);
384 if (!NT_STATUS_IS_OK(nt_status
)) {
388 spnego_state
->state_position
= SPNEGO_FALLBACK
;
390 nt_status
= gensec_subcontext_start(spnego_state
,
392 &spnego_state
->sub_sec_security
);
394 if (!NT_STATUS_IS_OK(nt_status
)) {
397 /* select the sub context */
398 nt_status
= gensec_start_mech_by_ops(spnego_state
->sub_sec_security
,
400 if (!NT_STATUS_IS_OK(nt_status
)) {
403 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
404 ev
, out_mem_ctx
, in
, out
);
407 DEBUG(1, ("Failed to parse SPNEGO request\n"));
408 return NT_STATUS_INVALID_PARAMETER
;
412 Parse the netTokenInit, either from the client, to the server, or
413 from the server to the client.
416 static NTSTATUS
gensec_spnego_parse_negTokenInit(struct gensec_security
*gensec_security
,
417 struct spnego_state
*spnego_state
,
418 TALLOC_CTX
*out_mem_ctx
,
419 struct tevent_context
*ev
,
420 const char * const *mechType
,
421 const DATA_BLOB unwrapped_in
, DATA_BLOB
*unwrapped_out
)
424 NTSTATUS nt_status
= NT_STATUS_INVALID_PARAMETER
;
425 DATA_BLOB null_data_blob
= data_blob(NULL
,0);
428 const struct gensec_security_ops_wrapper
*all_sec
429 = gensec_security_by_oid_list(gensec_security
,
434 ok
= spnego_write_mech_types(spnego_state
,
436 &spnego_state
->mech_types
);
438 DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
439 return NT_STATUS_NO_MEMORY
;
442 if (spnego_state
->state_position
== SPNEGO_SERVER_START
) {
444 for (j
=0; mechType
&& mechType
[j
]; j
++) {
445 for (i
=0; all_sec
&& all_sec
[i
].op
; i
++) {
446 if (strcmp(mechType
[j
], all_sec
[i
].oid
) != 0) {
450 nt_status
= gensec_subcontext_start(spnego_state
,
452 &spnego_state
->sub_sec_security
);
453 if (!NT_STATUS_IS_OK(nt_status
)) {
456 /* select the sub context */
457 nt_status
= gensec_start_mech_by_ops(spnego_state
->sub_sec_security
,
459 if (!NT_STATUS_IS_OK(nt_status
)) {
460 talloc_free(spnego_state
->sub_sec_security
);
461 spnego_state
->sub_sec_security
= NULL
;
466 /* no optimistic token */
467 spnego_state
->neg_oid
= all_sec
[i
].oid
;
468 *unwrapped_out
= data_blob_null
;
469 nt_status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
473 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
478 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_PARAMETER
) ||
479 NT_STATUS_EQUAL(nt_status
, NT_STATUS_CANT_ACCESS_DOMAIN_INFO
)) {
480 /* Pretend we never started it (lets the first run find some incompatible demand) */
482 DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
483 spnego_state
->sub_sec_security
->ops
->name
, nt_errstr(nt_status
)));
484 talloc_free(spnego_state
->sub_sec_security
);
485 spnego_state
->sub_sec_security
= NULL
;
489 spnego_state
->neg_oid
= all_sec
[i
].oid
;
492 if (spnego_state
->sub_sec_security
) {
497 if (!spnego_state
->sub_sec_security
) {
498 DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
499 return NT_STATUS_INVALID_PARAMETER
;
503 /* Having tried any optimistic token from the client (if we
504 * were the server), if we didn't get anywhere, walk our list
505 * in our preference order */
507 if (!spnego_state
->sub_sec_security
) {
508 for (i
=0; all_sec
&& all_sec
[i
].op
; i
++) {
509 nt_status
= gensec_subcontext_start(spnego_state
,
511 &spnego_state
->sub_sec_security
);
512 if (!NT_STATUS_IS_OK(nt_status
)) {
515 /* select the sub context */
516 nt_status
= gensec_start_mech_by_ops(spnego_state
->sub_sec_security
,
518 if (!NT_STATUS_IS_OK(nt_status
)) {
519 talloc_free(spnego_state
->sub_sec_security
);
520 spnego_state
->sub_sec_security
= NULL
;
524 spnego_state
->neg_oid
= all_sec
[i
].oid
;
526 /* only get the helping start blob for the first OID */
527 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
533 /* it is likely that a NULL input token will
534 * not be liked by most server mechs, but if
535 * we are in the client, we want the first
536 * update packet to be able to abort the use
538 if (spnego_state
->state_position
!= SPNEGO_SERVER_START
) {
539 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_PARAMETER
) ||
540 NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_LOGON_SERVERS
) ||
541 NT_STATUS_EQUAL(nt_status
, NT_STATUS_TIME_DIFFERENCE_AT_DC
) ||
542 NT_STATUS_EQUAL(nt_status
, NT_STATUS_CANT_ACCESS_DOMAIN_INFO
)) {
543 /* Pretend we never started it (lets the first run find some incompatible demand) */
545 DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
546 spnego_state
->sub_sec_security
->ops
->name
, nt_errstr(nt_status
)));
547 talloc_free(spnego_state
->sub_sec_security
);
548 spnego_state
->sub_sec_security
= NULL
;
557 if (spnego_state
->sub_sec_security
) {
558 /* it is likely that a NULL input token will
559 * not be liked by most server mechs, but this
560 * does the right thing in the CIFS client.
561 * just push us along the merry-go-round
562 * again, and hope for better luck next
565 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_PARAMETER
)) {
566 *unwrapped_out
= data_blob(NULL
, 0);
567 nt_status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
570 if (!NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_PARAMETER
)
571 && !NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)
572 && !NT_STATUS_IS_OK(nt_status
)) {
573 DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
574 spnego_state
->sub_sec_security
->ops
->name
, nt_errstr(nt_status
)));
575 talloc_free(spnego_state
->sub_sec_security
);
576 spnego_state
->sub_sec_security
= NULL
;
578 /* We started the mech correctly, and the
579 * input from the other side was valid.
580 * Return the error (say bad password, invalid
585 return nt_status
; /* OK, INVALID_PARAMETER ore MORE PROCESSING */
588 DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
589 /* we could re-negotiate here, but it would only work
590 * if the client or server lied about what it could
591 * support the first time. Lets keep this code to
597 /** create a negTokenInit
599 * This is the same packet, no matter if the client or server sends it first, but it is always the first packet
601 static NTSTATUS
gensec_spnego_create_negTokenInit(struct gensec_security
*gensec_security
,
602 struct spnego_state
*spnego_state
,
603 TALLOC_CTX
*out_mem_ctx
,
604 struct tevent_context
*ev
,
605 const DATA_BLOB in
, DATA_BLOB
*out
)
608 NTSTATUS nt_status
= NT_STATUS_INVALID_PARAMETER
;
609 DATA_BLOB null_data_blob
= data_blob(NULL
,0);
610 const char **mechTypes
= NULL
;
611 DATA_BLOB unwrapped_out
= data_blob(NULL
, 0);
612 const struct gensec_security_ops_wrapper
*all_sec
;
614 mechTypes
= gensec_security_oids(gensec_security
,
615 out_mem_ctx
, GENSEC_OID_SPNEGO
);
617 all_sec
= gensec_security_by_oid_list(gensec_security
,
621 for (i
=0; all_sec
&& all_sec
[i
].op
; i
++) {
622 struct spnego_data spnego_out
;
623 const char **send_mech_types
;
626 nt_status
= gensec_subcontext_start(spnego_state
,
628 &spnego_state
->sub_sec_security
);
629 if (!NT_STATUS_IS_OK(nt_status
)) {
632 /* select the sub context */
633 nt_status
= gensec_start_mech_by_ops(spnego_state
->sub_sec_security
,
635 if (!NT_STATUS_IS_OK(nt_status
)) {
636 talloc_free(spnego_state
->sub_sec_security
);
637 spnego_state
->sub_sec_security
= NULL
;
641 /* In the client, try and produce the first (optimistic) packet */
642 if (spnego_state
->state_position
== SPNEGO_CLIENT_START
) {
643 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
649 if (!NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)
650 && !NT_STATUS_IS_OK(nt_status
)) {
651 DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
652 spnego_state
->sub_sec_security
->ops
->name
, nt_errstr(nt_status
)));
653 talloc_free(spnego_state
->sub_sec_security
);
654 spnego_state
->sub_sec_security
= NULL
;
655 /* Pretend we never started it (lets the first run find some incompatible demand) */
661 spnego_out
.type
= SPNEGO_NEG_TOKEN_INIT
;
663 send_mech_types
= gensec_security_oids_from_ops_wrapped(out_mem_ctx
,
666 ok
= spnego_write_mech_types(spnego_state
,
668 &spnego_state
->mech_types
);
670 DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
671 return NT_STATUS_NO_MEMORY
;
674 /* List the remaining mechs as options */
675 spnego_out
.negTokenInit
.mechTypes
= send_mech_types
;
676 spnego_out
.negTokenInit
.reqFlags
= null_data_blob
;
677 spnego_out
.negTokenInit
.reqFlagsPadding
= 0;
679 if (spnego_state
->state_position
== SPNEGO_SERVER_START
) {
680 spnego_out
.negTokenInit
.mechListMIC
681 = data_blob_string_const(ADS_IGNORE_PRINCIPAL
);
683 spnego_out
.negTokenInit
.mechListMIC
= null_data_blob
;
686 spnego_out
.negTokenInit
.mechToken
= unwrapped_out
;
688 if (spnego_write_data(out_mem_ctx
, out
, &spnego_out
) == -1) {
689 DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
690 return NT_STATUS_INVALID_PARAMETER
;
694 spnego_state
->neg_oid
= all_sec
[i
].oid
;
696 if (NT_STATUS_IS_OK(nt_status
)) {
697 spnego_state
->no_response_expected
= true;
700 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
702 talloc_free(spnego_state
->sub_sec_security
);
703 spnego_state
->sub_sec_security
= NULL
;
705 DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status
)));
706 return NT_STATUS_INVALID_PARAMETER
;
710 /** create a server negTokenTarg
712 * This is the case, where the client is the first one who sends data
715 static NTSTATUS
gensec_spnego_server_negTokenTarg(struct spnego_state
*spnego_state
,
716 TALLOC_CTX
*out_mem_ctx
,
718 const DATA_BLOB unwrapped_out
,
719 DATA_BLOB mech_list_mic
,
722 struct spnego_data spnego_out
;
723 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
726 spnego_out
.type
= SPNEGO_NEG_TOKEN_TARG
;
727 spnego_out
.negTokenTarg
.responseToken
= unwrapped_out
;
728 spnego_out
.negTokenTarg
.mechListMIC
= null_data_blob
;
729 spnego_out
.negTokenTarg
.supportedMech
= NULL
;
731 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
732 spnego_out
.negTokenTarg
.supportedMech
= spnego_state
->neg_oid
;
733 spnego_out
.negTokenTarg
.negResult
= SPNEGO_ACCEPT_INCOMPLETE
;
734 spnego_state
->state_position
= SPNEGO_SERVER_TARG
;
735 } else if (NT_STATUS_IS_OK(nt_status
)) {
736 if (unwrapped_out
.data
) {
737 spnego_out
.negTokenTarg
.supportedMech
= spnego_state
->neg_oid
;
739 spnego_out
.negTokenTarg
.negResult
= SPNEGO_ACCEPT_COMPLETED
;
740 spnego_out
.negTokenTarg
.mechListMIC
= mech_list_mic
;
741 spnego_state
->state_position
= SPNEGO_DONE
;
743 spnego_out
.negTokenTarg
.negResult
= SPNEGO_REJECT
;
744 DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status
)));
745 spnego_state
->state_position
= SPNEGO_DONE
;
748 if (spnego_write_data(out_mem_ctx
, out
, &spnego_out
) == -1) {
749 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
750 return NT_STATUS_INVALID_PARAMETER
;
753 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_TARG
;
759 static NTSTATUS
gensec_spnego_update(struct gensec_security
*gensec_security
, TALLOC_CTX
*out_mem_ctx
,
760 struct tevent_context
*ev
,
761 const DATA_BLOB in
, DATA_BLOB
*out
)
763 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
764 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
765 DATA_BLOB mech_list_mic
= data_blob(NULL
, 0);
766 DATA_BLOB unwrapped_out
= data_blob(NULL
, 0);
767 struct spnego_data spnego_out
;
768 struct spnego_data spnego
;
772 *out
= data_blob(NULL
, 0);
775 out_mem_ctx
= spnego_state
;
778 /* and switch into the state machine */
780 switch (spnego_state
->state_position
) {
781 case SPNEGO_FALLBACK
:
782 return gensec_update(spnego_state
->sub_sec_security
, ev
,
783 out_mem_ctx
, in
, out
);
784 case SPNEGO_SERVER_START
:
789 len
= spnego_read_data(gensec_security
, in
, &spnego
);
791 return gensec_spnego_server_try_fallback(gensec_security
, spnego_state
,
792 out_mem_ctx
, ev
, in
, out
);
794 /* client sent NegTargetInit, we send NegTokenTarg */
796 /* OK, so it's real SPNEGO, check the packet's the one we expect */
797 if (spnego
.type
!= spnego_state
->expected_packet
) {
798 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego
.type
,
799 spnego_state
->expected_packet
));
800 dump_data(1, in
.data
, in
.length
);
801 spnego_free_data(&spnego
);
802 return NT_STATUS_INVALID_PARAMETER
;
805 nt_status
= gensec_spnego_parse_negTokenInit(gensec_security
,
809 spnego
.negTokenInit
.mechTypes
,
810 spnego
.negTokenInit
.mechToken
,
813 nt_status
= gensec_spnego_server_negTokenTarg(spnego_state
,
820 spnego_free_data(&spnego
);
824 nt_status
= gensec_spnego_create_negTokenInit(gensec_security
, spnego_state
,
825 out_mem_ctx
, ev
, in
, out
);
826 spnego_state
->state_position
= SPNEGO_SERVER_START
;
827 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_INIT
;
832 case SPNEGO_CLIENT_START
:
834 /* The server offers a list of mechanisms */
836 const char *my_mechs
[] = {NULL
, NULL
};
837 NTSTATUS nt_status
= NT_STATUS_INVALID_PARAMETER
;
840 /* client to produce negTokenInit */
841 nt_status
= gensec_spnego_create_negTokenInit(gensec_security
, spnego_state
,
842 out_mem_ctx
, ev
, in
, out
);
843 spnego_state
->state_position
= SPNEGO_CLIENT_TARG
;
844 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_TARG
;
848 len
= spnego_read_data(gensec_security
, in
, &spnego
);
851 DEBUG(1, ("Invalid SPNEGO request:\n"));
852 dump_data(1, in
.data
, in
.length
);
853 return NT_STATUS_INVALID_PARAMETER
;
856 /* OK, so it's real SPNEGO, check the packet's the one we expect */
857 if (spnego
.type
!= spnego_state
->expected_packet
) {
858 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego
.type
,
859 spnego_state
->expected_packet
));
860 dump_data(1, in
.data
, in
.length
);
861 spnego_free_data(&spnego
);
862 return NT_STATUS_INVALID_PARAMETER
;
865 if (spnego
.negTokenInit
.targetPrincipal
866 && strcmp(spnego
.negTokenInit
.targetPrincipal
, ADS_IGNORE_PRINCIPAL
) != 0) {
867 DEBUG(5, ("Server claims it's principal name is %s\n", spnego
.negTokenInit
.targetPrincipal
));
868 if (lpcfg_client_use_spnego_principal(gensec_security
->settings
->lp_ctx
)) {
869 gensec_set_target_principal(gensec_security
, spnego
.negTokenInit
.targetPrincipal
);
873 nt_status
= gensec_spnego_parse_negTokenInit(gensec_security
,
877 spnego
.negTokenInit
.mechTypes
,
878 spnego
.negTokenInit
.mechToken
,
881 if (!NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) && !NT_STATUS_IS_OK(nt_status
)) {
882 spnego_free_data(&spnego
);
886 my_mechs
[0] = spnego_state
->neg_oid
;
888 spnego_out
.type
= SPNEGO_NEG_TOKEN_INIT
;
889 spnego_out
.negTokenInit
.mechTypes
= my_mechs
;
890 spnego_out
.negTokenInit
.reqFlags
= null_data_blob
;
891 spnego_out
.negTokenInit
.reqFlagsPadding
= 0;
892 spnego_out
.negTokenInit
.mechListMIC
= null_data_blob
;
893 spnego_out
.negTokenInit
.mechToken
= unwrapped_out
;
895 if (spnego_write_data(out_mem_ctx
, out
, &spnego_out
) == -1) {
896 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
897 return NT_STATUS_INVALID_PARAMETER
;
901 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_TARG
;
902 spnego_state
->state_position
= SPNEGO_CLIENT_TARG
;
904 if (NT_STATUS_IS_OK(nt_status
)) {
905 spnego_state
->no_response_expected
= true;
908 spnego_free_data(&spnego
);
909 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
911 case SPNEGO_SERVER_TARG
:
914 bool new_spnego
= false;
917 return NT_STATUS_INVALID_PARAMETER
;
920 len
= spnego_read_data(gensec_security
, in
, &spnego
);
923 DEBUG(1, ("Invalid SPNEGO request:\n"));
924 dump_data(1, in
.data
, in
.length
);
925 return NT_STATUS_INVALID_PARAMETER
;
928 /* OK, so it's real SPNEGO, check the packet's the one we expect */
929 if (spnego
.type
!= spnego_state
->expected_packet
) {
930 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego
.type
,
931 spnego_state
->expected_packet
));
932 dump_data(1, in
.data
, in
.length
);
933 spnego_free_data(&spnego
);
934 return NT_STATUS_INVALID_PARAMETER
;
937 if (!spnego_state
->sub_sec_security
) {
938 DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
939 spnego_free_data(&spnego
);
940 return NT_STATUS_INVALID_PARAMETER
;
943 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
945 spnego
.negTokenTarg
.responseToken
,
947 if (NT_STATUS_IS_OK(nt_status
) && spnego
.negTokenTarg
.mechListMIC
.length
> 0) {
949 nt_status
= gensec_check_packet(spnego_state
->sub_sec_security
,
950 spnego_state
->mech_types
.data
,
951 spnego_state
->mech_types
.length
,
952 spnego_state
->mech_types
.data
,
953 spnego_state
->mech_types
.length
,
954 &spnego
.negTokenTarg
.mechListMIC
);
955 if (!NT_STATUS_IS_OK(nt_status
)) {
956 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
957 nt_errstr(nt_status
)));
960 if (NT_STATUS_IS_OK(nt_status
) && new_spnego
) {
961 nt_status
= gensec_sign_packet(spnego_state
->sub_sec_security
,
963 spnego_state
->mech_types
.data
,
964 spnego_state
->mech_types
.length
,
965 spnego_state
->mech_types
.data
,
966 spnego_state
->mech_types
.length
,
968 if (!NT_STATUS_IS_OK(nt_status
)) {
969 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
970 nt_errstr(nt_status
)));
974 nt_status
= gensec_spnego_server_negTokenTarg(spnego_state
,
981 spnego_free_data(&spnego
);
985 case SPNEGO_CLIENT_TARG
:
989 return NT_STATUS_INVALID_PARAMETER
;
992 len
= spnego_read_data(gensec_security
, in
, &spnego
);
995 DEBUG(1, ("Invalid SPNEGO request:\n"));
996 dump_data(1, in
.data
, in
.length
);
997 return NT_STATUS_INVALID_PARAMETER
;
1000 /* OK, so it's real SPNEGO, check the packet's the one we expect */
1001 if (spnego
.type
!= spnego_state
->expected_packet
) {
1002 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego
.type
,
1003 spnego_state
->expected_packet
));
1004 dump_data(1, in
.data
, in
.length
);
1005 spnego_free_data(&spnego
);
1006 return NT_STATUS_INVALID_PARAMETER
;
1009 if (spnego
.negTokenTarg
.negResult
== SPNEGO_REJECT
) {
1010 spnego_free_data(&spnego
);
1011 return NT_STATUS_ACCESS_DENIED
;
1014 /* Server didn't like our choice of mech, and chose something else */
1015 if ((spnego
.negTokenTarg
.negResult
== SPNEGO_ACCEPT_INCOMPLETE
) &&
1016 spnego
.negTokenTarg
.supportedMech
&&
1017 strcmp(spnego
.negTokenTarg
.supportedMech
, spnego_state
->neg_oid
) != 0) {
1018 DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
1019 gensec_get_name_by_oid(gensec_security
, spnego
.negTokenTarg
.supportedMech
),
1020 gensec_get_name_by_oid(gensec_security
, spnego_state
->neg_oid
)));
1022 talloc_free(spnego_state
->sub_sec_security
);
1023 nt_status
= gensec_subcontext_start(spnego_state
,
1025 &spnego_state
->sub_sec_security
);
1026 if (!NT_STATUS_IS_OK(nt_status
)) {
1027 spnego_free_data(&spnego
);
1030 /* select the sub context */
1031 nt_status
= gensec_start_mech_by_oid(spnego_state
->sub_sec_security
,
1032 spnego
.negTokenTarg
.supportedMech
);
1033 if (!NT_STATUS_IS_OK(nt_status
)) {
1034 spnego_free_data(&spnego
);
1038 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
1040 spnego
.negTokenTarg
.responseToken
,
1042 spnego_state
->neg_oid
= talloc_strdup(spnego_state
, spnego
.negTokenTarg
.supportedMech
);
1043 } else if (spnego_state
->no_response_expected
) {
1044 if (spnego
.negTokenTarg
.negResult
!= SPNEGO_ACCEPT_COMPLETED
) {
1045 DEBUG(3,("GENSEC SPNEGO: client GENSEC accepted, but server rejected (bad password?)\n"));
1046 nt_status
= NT_STATUS_INVALID_PARAMETER
;
1047 } else if (spnego
.negTokenTarg
.responseToken
.length
) {
1048 DEBUG(2,("GENSEC SPNEGO: client GENSEC accepted, but server continued negotiation!\n"));
1049 nt_status
= NT_STATUS_INVALID_PARAMETER
;
1051 nt_status
= NT_STATUS_OK
;
1053 if (NT_STATUS_IS_OK(nt_status
) && spnego
.negTokenTarg
.mechListMIC
.length
> 0) {
1054 nt_status
= gensec_check_packet(spnego_state
->sub_sec_security
,
1055 spnego_state
->mech_types
.data
,
1056 spnego_state
->mech_types
.length
,
1057 spnego_state
->mech_types
.data
,
1058 spnego_state
->mech_types
.length
,
1059 &spnego
.negTokenTarg
.mechListMIC
);
1060 if (!NT_STATUS_IS_OK(nt_status
)) {
1061 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1062 nt_errstr(nt_status
)));
1066 bool new_spnego
= false;
1068 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
1070 spnego
.negTokenTarg
.responseToken
,
1073 if (NT_STATUS_IS_OK(nt_status
)
1074 && spnego
.negTokenTarg
.negResult
!= SPNEGO_ACCEPT_COMPLETED
) {
1075 new_spnego
= gensec_have_feature(spnego_state
->sub_sec_security
,
1076 GENSEC_FEATURE_NEW_SPNEGO
);
1078 if (NT_STATUS_IS_OK(nt_status
) && new_spnego
) {
1079 nt_status
= gensec_sign_packet(spnego_state
->sub_sec_security
,
1081 spnego_state
->mech_types
.data
,
1082 spnego_state
->mech_types
.length
,
1083 spnego_state
->mech_types
.data
,
1084 spnego_state
->mech_types
.length
,
1086 if (!NT_STATUS_IS_OK(nt_status
)) {
1087 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
1088 nt_errstr(nt_status
)));
1091 if (NT_STATUS_IS_OK(nt_status
)) {
1092 spnego_state
->no_response_expected
= true;
1096 spnego_free_data(&spnego
);
1098 if (!NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)
1099 && !NT_STATUS_IS_OK(nt_status
)) {
1100 DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
1101 spnego_state
->sub_sec_security
->ops
->name
,
1102 nt_errstr(nt_status
)));
1106 if (unwrapped_out
.length
|| mech_list_mic
.length
) {
1108 spnego_out
.type
= SPNEGO_NEG_TOKEN_TARG
;
1109 spnego_out
.negTokenTarg
.negResult
= SPNEGO_NONE_RESULT
;
1110 spnego_out
.negTokenTarg
.supportedMech
= NULL
;
1111 spnego_out
.negTokenTarg
.responseToken
= unwrapped_out
;
1112 spnego_out
.negTokenTarg
.mechListMIC
= mech_list_mic
;
1114 if (spnego_write_data(out_mem_ctx
, out
, &spnego_out
) == -1) {
1115 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
1116 return NT_STATUS_INVALID_PARAMETER
;
1119 spnego_state
->state_position
= SPNEGO_CLIENT_TARG
;
1120 nt_status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
1123 /* all done - server has accepted, and we agree */
1124 *out
= null_data_blob
;
1126 if (spnego
.negTokenTarg
.negResult
!= SPNEGO_ACCEPT_COMPLETED
) {
1127 /* unless of course it did not accept */
1128 DEBUG(1,("gensec_update ok but not accepted\n"));
1129 nt_status
= NT_STATUS_INVALID_PARAMETER
;
1132 spnego_state
->state_position
= SPNEGO_DONE
;
1138 /* We should not be called after we are 'done' */
1139 return NT_STATUS_INVALID_PARAMETER
;
1141 return NT_STATUS_INVALID_PARAMETER
;
1144 static NTSTATUS
gensec_spnego_update_in(struct gensec_security
*gensec_security
,
1145 const DATA_BLOB in
, DATA_BLOB
*full_in
)
1147 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
1152 *full_in
= data_blob_null
;
1154 if (spnego_state
->in_needed
== 0) {
1158 * try to work out the size of the full
1159 * input token, it might be fragmented
1161 status
= asn1_peek_full_tag(in
, ASN1_APPLICATION(0), &size
);
1162 if (!NT_STATUS_IS_OK(status
) &&
1163 !NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
)) {
1164 status
= asn1_peek_full_tag(in
, ASN1_CONTEXT(1), &size
);
1167 if (NT_STATUS_IS_OK(status
) ||
1168 NT_STATUS_EQUAL(status
, STATUS_MORE_ENTRIES
)) {
1169 spnego_state
->in_needed
= size
;
1172 * If it is not an asn1 message
1173 * just call the next layer.
1175 spnego_state
->in_needed
= in
.length
;
1179 if (spnego_state
->in_needed
> UINT16_MAX
) {
1181 * limit the incoming message to 0xFFFF
1182 * to avoid DoS attacks.
1184 return NT_STATUS_INVALID_BUFFER_SIZE
;
1187 if ((spnego_state
->in_needed
> 0) && (in
.length
== 0)) {
1189 * If we reach this, we know we got at least
1190 * part of an asn1 message, getting 0 means
1191 * the remote peer wants us to spin.
1193 return NT_STATUS_INVALID_PARAMETER
;
1196 expected
= spnego_state
->in_needed
- spnego_state
->in_frag
.length
;
1197 if (in
.length
> expected
) {
1199 * we got more than expected
1201 return NT_STATUS_INVALID_PARAMETER
;
1204 if (in
.length
== spnego_state
->in_needed
) {
1206 * if the in.length contains the full blob
1209 * Note: this implies spnego_state->in_frag.length == 0,
1210 * but we do not need to check this explicitly
1211 * because we already know that we did not get
1212 * more than expected.
1215 return NT_STATUS_OK
;
1218 ok
= data_blob_append(spnego_state
, &spnego_state
->in_frag
,
1219 in
.data
, in
.length
);
1221 return NT_STATUS_NO_MEMORY
;
1224 if (spnego_state
->in_needed
> spnego_state
->in_frag
.length
) {
1225 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
1228 *full_in
= spnego_state
->in_frag
;
1229 return NT_STATUS_OK
;
1232 static NTSTATUS
gensec_spnego_update_out(struct gensec_security
*gensec_security
,
1233 TALLOC_CTX
*out_mem_ctx
,
1236 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
1237 DATA_BLOB out
= data_blob_null
;
1239 *_out
= data_blob_null
;
1241 if (spnego_state
->out_frag
.length
== 0) {
1242 return spnego_state
->out_status
;
1246 * There is still more data to be delivered
1247 * to the remote peer.
1250 if (spnego_state
->out_frag
.length
<= spnego_state
->out_max_length
) {
1252 * Fast path, we can deliver everything
1255 *_out
= spnego_state
->out_frag
;
1256 talloc_steal(out_mem_ctx
, _out
->data
);
1257 spnego_state
->out_frag
= data_blob_null
;
1258 return spnego_state
->out_status
;
1261 out
= spnego_state
->out_frag
;
1264 * copy the remaining bytes
1266 spnego_state
->out_frag
= data_blob_talloc(spnego_state
,
1267 out
.data
+ spnego_state
->out_max_length
,
1268 out
.length
- spnego_state
->out_max_length
);
1269 if (spnego_state
->out_frag
.data
== NULL
) {
1270 return NT_STATUS_NO_MEMORY
;
1274 * truncate the buffer
1276 data_blob_realloc(spnego_state
, &out
, spnego_state
->out_max_length
);
1278 talloc_steal(out_mem_ctx
, out
.data
);
1280 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
1283 static NTSTATUS
gensec_spnego_update_wrapper(struct gensec_security
*gensec_security
,
1284 TALLOC_CTX
*out_mem_ctx
,
1285 struct tevent_context
*ev
,
1286 const DATA_BLOB in
, DATA_BLOB
*out
)
1288 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
1289 DATA_BLOB full_in
= data_blob_null
;
1292 *out
= data_blob_null
;
1294 if (spnego_state
->out_frag
.length
> 0) {
1295 if (in
.length
> 0) {
1296 return NT_STATUS_INVALID_PARAMETER
;
1299 return gensec_spnego_update_out(gensec_security
,
1304 status
= gensec_spnego_update_in(gensec_security
,
1306 if (!NT_STATUS_IS_OK(status
)) {
1310 status
= gensec_spnego_update(gensec_security
,
1313 &spnego_state
->out_frag
);
1314 data_blob_free(&spnego_state
->in_frag
);
1315 spnego_state
->in_needed
= 0;
1316 if (!NT_STATUS_IS_OK(status
) &&
1317 !NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
1321 spnego_state
->out_status
= status
;
1323 return gensec_spnego_update_out(gensec_security
,
1328 static void gensec_spnego_want_feature(struct gensec_security
*gensec_security
,
1331 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
1333 if (!spnego_state
|| !spnego_state
->sub_sec_security
) {
1334 gensec_security
->want_features
|= feature
;
1338 gensec_want_feature(spnego_state
->sub_sec_security
,
1342 static bool gensec_spnego_have_feature(struct gensec_security
*gensec_security
,
1345 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
1346 if (!spnego_state
->sub_sec_security
) {
1350 return gensec_have_feature(spnego_state
->sub_sec_security
,
1354 static NTTIME
gensec_spnego_expire_time(struct gensec_security
*gensec_security
)
1356 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
1358 if (!spnego_state
->sub_sec_security
) {
1359 return GENSEC_EXPIRE_TIME_INFINITY
;
1362 return gensec_expire_time(spnego_state
->sub_sec_security
);
1365 static const char *gensec_spnego_oids
[] = {
1370 static const struct gensec_security_ops gensec_spnego_security_ops
= {
1372 .sasl_name
= "GSS-SPNEGO",
1373 .auth_type
= DCERPC_AUTH_TYPE_SPNEGO
,
1374 .oid
= gensec_spnego_oids
,
1375 .client_start
= gensec_spnego_client_start
,
1376 .server_start
= gensec_spnego_server_start
,
1377 .update
= gensec_spnego_update_wrapper
,
1378 .seal_packet
= gensec_spnego_seal_packet
,
1379 .sign_packet
= gensec_spnego_sign_packet
,
1380 .sig_size
= gensec_spnego_sig_size
,
1381 .max_wrapped_size
= gensec_spnego_max_wrapped_size
,
1382 .max_input_size
= gensec_spnego_max_input_size
,
1383 .check_packet
= gensec_spnego_check_packet
,
1384 .unseal_packet
= gensec_spnego_unseal_packet
,
1385 .packet_full_request
= gensec_spnego_packet_full_request
,
1386 .wrap
= gensec_spnego_wrap
,
1387 .unwrap
= gensec_spnego_unwrap
,
1388 .wrap_packets
= gensec_spnego_wrap_packets
,
1389 .unwrap_packets
= gensec_spnego_unwrap_packets
,
1390 .session_key
= gensec_spnego_session_key
,
1391 .session_info
= gensec_spnego_session_info
,
1392 .want_feature
= gensec_spnego_want_feature
,
1393 .have_feature
= gensec_spnego_have_feature
,
1394 .expire_time
= gensec_spnego_expire_time
,
1396 .priority
= GENSEC_SPNEGO
1399 _PUBLIC_ NTSTATUS
gensec_spnego_init(void)
1402 ret
= gensec_register(&gensec_spnego_security_ops
);
1403 if (!NT_STATUS_IS_OK(ret
)) {
1404 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1405 gensec_spnego_security_ops
.name
));