net-ssh-kerberos 0.1.3 → 0.2.0

data/Rakefile

@@ -7,14 +7,13 @@ begin
     gem.name = "net-ssh-kerberos"
     gem.summary = %Q{Add Kerberos support to Net::SSH}
     gem.description = <<-EOTEXT
-Adds support for Microsoft Kerberos (SSPI) with the Net:SSH gem.
+Extends Net::SSH by adding Kerberos authentication capability for password-less logins on multiple platforms.
 EOTEXT
     gem.email = "joe@ankhcraft.com"
     gem.homepage = "http://github.com/joekhoobyar/net-ssh-kerberos"
     gem.authors = ["Joe Khoobyar"]
     gem.rubyforge_project = 'net-ssh-krb'
     gem.add_runtime_dependency(%q<net-ssh>, [">= 2.0"])
-    gem.add_runtime_dependency(%q<rubysspi>, [">= 1.3"])
 
     # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
   end
@@ -42,6 +41,33 @@ rescue LoadError
   end
 end
 
+# These are new tasks
+begin
+  require 'rake/contrib/sshpublisher'
+  namespace :rubyforge do
+
+    desc "Release gem and RDoc documentation to RubyForge"
+    task :release => ["rubyforge:release:gem", "rubyforge:release:docs"]
+
+    namespace :release do
+      desc "Publish RDoc to RubyForge."
+      task :docs => [:rdoc] do
+        config = YAML.load(
+            File.read(File.expand_path('~/.rubyforge/user-config.yml'))
+        )
+
+        host = "#{config['username']}@rubyforge.org"
+        remote_dir = "/var/www/gforge-projects/net-ssh-krb/"
+        local_dir = 'doc'
+
+        Rake::SshDirPublisher.new(host, remote_dir, local_dir).upload
+      end
+    end
+  end
+rescue LoadError
+  puts "Rake SshDirPublisher is unavailable or your rubyforge environment is not configured."
+end
+
 
 task :default => :test
 
@@ -53,9 +79,12 @@ Rake::RDocTask.new do |rdoc|
   else
     version = ""
   end
+  rdoc.options << '--line-numbers' << '--inline-source' <<
+    '--main' << 'README.rdoc' <<
+    '--charset' << 'utf-8'
 
-  rdoc.rdoc_dir = 'rdoc'
-  rdoc.title = "Net-ssh-kerberos #{version}"
+  rdoc.rdoc_dir = 'doc'
+  rdoc.title = "Net::SSH::Kerberos #{version}"
   rdoc.rdoc_files.include('README*')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end

data/VERSION.yml

@@ -1,4 +1,4 @@
 --- 
 :major: 0
-:minor: 1
-:patch: 3
+:minor: 2
+:patch: 0

data/lib/net/ssh/authentication/methods/gssapi_with_mic.rb

@@ -10,20 +10,17 @@ module Net
         class GssapiWithMic < Abstract
           include Net::SSH::Kerberos::Constants
           
-	        # OID 1.2.840.113554.1.2.2 - Kerberos 5 (RFC 1964)
-          SUPPORTED_OID = "\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
-
           # Attempts to perform gssapi-with-mic Kerberos authentication
           def authenticate(next_service, username, password=nil)
-            gss_klass = (defined?(Net::SSH::Kerberos::SSPI::Context) ?
-	                           Net::SSH::Kerberos::SSPI::Context : Net::SSH::Kerberos::GSS::Context)
+            gss_klass = (defined?(Net::SSH::Kerberos::Drivers::SSPI::Context) ?
+	                           Net::SSH::Kerberos::Drivers::SSPI::Context : Net::SSH::Kerberos::Drivers::GSS::Context)
             gss = nil
             
             # Try to start gssapi-with-mic authentication.
 	          debug { "trying kerberos authentication" }
 	          req = userauth_request(username, next_service, "gssapi-with-mic")
-	          req.write_long 1
-	          req.write_string SUPPORTED_OID
+	          req.write_long(1)
+	          req.write_string(supported_oid = 6.chr + GSS_KRB5_MECH.length.chr + GSS_KRB5_MECH)
 	          send_message req
 	          message = session.next_message
 	          case message.type
@@ -38,7 +35,7 @@ module Net
 	          
 	          # Try to match the OID.
 	          oid = message.read_string
-	          if oid != SUPPORTED_OID
+	          if oid != supported_oid
               info { "gssapi-with-mic failed (USERAUTH_GSSAPI_RESPONSE)" }
               return false
 	          end

data/lib/net/ssh/kerberos.rb

@@ -1,24 +1,11 @@
 require 'net/ssh'
+require 'net/ssh/errors'
+
+module Net; module SSH; module Kerberos
+end; end; end
+
 require 'net/ssh/kerberos/constants'
+require 'net/ssh/kerberos/context'
+require 'net/ssh/kerberos/drivers'
 #require 'net/ssh/kerberos/kex'
-
-if RUBY_PLATFORM.include?('win') && ! RUBY_PLATFORM.include?('dar'); then
-  begin
-    require 'net/ssh/kerberos/sspi'
-  rescue Exception => e
-    if RuntimeError === e and e.message =~ /^LoadLibrary: ([^\s]+)/
-      $stderr.puts "error: While loading Kerberos SSPI: failed to load library: #{$1}"
-    else
-      raise e
-    end
-  end
-end
-require 'net/ssh/kerberos/gss'
 require 'net/ssh/authentication/methods/gssapi_with_mic'
-
-module Net
-  module SSH
-    module Kerberos
-    end
-  end
-end

data/lib/net/ssh/kerberos/constants.rb

@@ -1,11 +1,7 @@
 module Net; module SSH; module Kerberos
   module Constants
 
-
-    #--
     # GSSAPI Key exchange method specific messages
-    #++
-
     KEXGSS_INIT                       = 30
     KEXGSS_CONTINUE                   = 31
     KEXGSS_COMPLETE                   = 32
@@ -14,10 +10,7 @@ module Net; module SSH; module Kerberos
     KEXGSS_GROUPREQ                   = 40
     KEXGSS_GROUP                      = 41
 
-    #--
     # GSSAPI User authentication method specific messages
-    #++
-
     USERAUTH_GSSAPI_RESPONSE          = 60
     USERAUTH_GSSAPI_TOKEN             = 61
     USERAUTH_GSSAPI_EXCHANGE_COMPLETE = 63
@@ -25,6 +18,9 @@ module Net; module SSH; module Kerberos
     USERAUTH_GSSAPI_ERRTOK            = 65
     USERAUTH_GSSAPI_MIC               = 66
     
+    # GSSAPI constant OID(s)
+	  GSS_KRB5_MECH = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
+	  GSS_KRB5_MECH_USER2USER = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
   end
 end; end; end
 

data/lib/net/ssh/kerberos/context.rb

@@ -0,0 +1,75 @@
+module Net; module SSH; module Kerberos
+  
+  class Context
+
+	  class GeneralError < StandardError; end
+	
+	  class State < Struct.new(:handle, :result, :token, :timestamp)
+	    def complete?; result.complete? end
+	  end
+	
+	  attr_reader :cred_name, :cred_krb_name, :server_name, :server_krb_name
+	
+	  def initialize
+	    raise "Don't create this class directly - use a subclass" if self.class == Context
+	  end
+	
+	  def create(user, host)
+	    dispose if @credentials or @target or @handle
+	
+	    creds, name = acquire_current_credentials
+	    begin
+	      @cred_name = name.to_s.sub(/^[^\\\/]*[\\\/]/, '')
+	      @cred_krb_name = @cred_name.gsub('@', '/');
+	
+	      z = (user.include?('@') ? user.gsub('@','/') : user+'/')
+	      unless z.downcase == @cred_krb_name[0,z.length].downcase
+	        raise GeneralError, "Credentials mismatch: current is #{@cred_name}, requested is #{user}"
+	      end
+	      @credentials = creds
+	    ensure
+	      if @credentials.nil?
+	        release_credentials creds
+	        @cred_name = @cred_krb_name = nil
+	      end
+	    end
+	
+	    @server_name = Socket.gethostbyname(host)[0]
+	    @target, @server_krb_name = import_server_name host
+	
+	    true
+	  end
+	
+	  def credentials?; ! @credentials.nil? end
+	  
+	  def established?; ! @handle.nil? && (@state.nil? || @state.complete?) end
+	  
+	  def init(token=nil); raise NotImplementedError, "subclasses must implement this method" end
+	  
+	  def get_mic(token); raise NotImplementedError, "subclasses must implement this method" end
+	  
+	  def dispose
+	    @handle and delete_context @handle
+	    @credentials and release_credentials @credentials
+	    @target and release_server_name @target
+	  ensure
+	    @credentials = @cred_name = @cred_krb_name = nil
+	    @target = @server_name = @server_krb_name = nil
+	    @handle = @state = nil
+	  end 
+	
+	private
+	
+	  def acquire_current_credentials; raise NotImplementedError, "subclasses must implement this method" end
+	
+	  def release_credentials(creds); raise NotImplementedError, "subclasses must implement this method" end
+	
+	  def import_server_name(host); raise NotImplementedError, "subclasses must implement this method" end
+	
+	  def release_server_name(target); raise NotImplementedError, "subclasses must implement this method" end
+	
+	  def delete_context(handle); raise NotImplementedError, "subclasses must implement this method" end
+	
+	end
+
+end; end; end

data/lib/net/ssh/kerberos/drivers.rb

@@ -0,0 +1,57 @@
+require 'dl/import'
+require 'dl/struct'
+
+module Net; module SSH; module Kerberos;
+  
+  module Drivers
+
+    # Some useful DL extensions.
+	  module DLExtensions
+	    PTR_ENC = proc{|v| v && (DL::PtrData===v ? v : v.to_ptr) }
+	    PTR_REF_ENC = proc{|v| (v.nil? ? DL::PtrData.new(v) : (DL::PtrData===v ? v : v.to_ptr)).ref }
+	      
+	    module ClassMethods
+		    def PTR_DEC(t) proc{|v| v && t.new(v)} end
+		    def PTR_REF_DEC(t) proc{|v| v && v.ptr && t.new(v.ptr)} end
+		  
+		    def struct2(fields, &block)
+		      t = struct fields
+		      return t unless block_given?
+		      t.instance_variable_set :@methods, Module.new(&block)
+		      class << t
+		        alias :new_struct :new
+		        def new(ptr)
+		          mem = new_struct(ptr)
+		          mem.extend @methods
+		          mem
+		        end
+		      end
+		      t
+		    end
+	    end
+	    
+	    def self.included(base)
+	      base.extend ClassMethods
+	    end
+	  end
+	  
+	  @@available = []
+    def self.available; @@available end
+
+		if RUBY_PLATFORM.include?('win') && ! RUBY_PLATFORM.include?('dar'); then
+		  begin require 'net/ssh/kerberos/drivers/sspi'; available << 'SSPI'
+		  rescue => e
+		    raise e unless RuntimeError === e and e.message =~ /^LoadLibrary: ([^\s]+)/
+			  $stderr.puts "error: While loading Kerberos SSPI: failed to load library: #{$1}"
+		  end
+		end
+		begin require 'net/ssh/kerberos/drivers/gss'; available << 'GSS'
+		rescue => e; raise e if available.empty?
+		end
+			
+		if available.empty?
+		  $stderr.puts "error: Failed to a find a supported GSS implementation on this platform (#{RUBY_PLATFORM})"
+		end
+  end
+
+end; end; end

data/lib/net/ssh/kerberos/drivers/gss.rb

@@ -0,0 +1,263 @@
+module Net; module SSH; module Kerberos; module Drivers;
+
+  module GSS
+
+    include Net::SSH::Kerberos::Constants
+	
+	  GSS_C_INITIATE = 1
+	
+	  GSS_C_DELEG_FLAG      = 1
+	  GSS_C_MUTUAL_FLAG     = 2
+	  GSS_C_REPLAY_FLAG     = 4
+	  GSS_C_SEQUENCE_FLAG   = 8
+	  GSS_C_CONF_FLAG       = 16
+	  GSS_C_INTEG_FLAG      = 32
+	  GSS_C_ANON_FLAG       = 64
+	  GSS_C_PROT_READY_FLAG = 128
+	  GSS_C_TRANS_FLAG      = 256
+	
+	  GSS_C_NO_NAME         = nil
+	  GSS_C_NO_BUFFER       = nil
+	  GSS_C_NO_OID          = nil
+	  GSS_C_NO_OID_SET      = nil
+	  GSS_C_NO_CONTEXT      = nil
+	  GSS_C_NO_CREDENTIAL   = nil
+	  GSS_C_NO_CHANNEL_BINDINGS = nil
+	  GSS_C_QOP_DEFAULT     = 0
+	
+	  GSS_S_COMPLETE        = 0
+	  GSS_S_CONTINUE_NEEDED = 1
+	  GSS_S_DUPLICATE_TOKEN = 2
+	  GSS_S_OLD_TOKEN       = 4
+	  GSS_S_UNSEQ_TOKEN     = 8
+	  GSS_S_GAP_TOKEN       = 16
+	
+    GSS_C_GSS_CODE = 1
+    GSS_C_MECH_CODE = 2
+
+	  module API
+	    extend DL::Importable
+	    include DLExtensions
+	    
+	    def self.gss_func(sym, sig)
+	      extern "OM_uint32 #{sym} (OM_uint32_ref, #{sig})"
+	      module_eval <<-"EOCODE"
+  alias :_#{sym} :#{sym}
+  module_function :_#{sym}
+	def #{sym}(*args)
+	  _#{sym}(*(args.unshift(0)))
+	  @retval = GssResult.new(@retval, @args.shift)
+	end 
+  module_function :#{sym}
+EOCODE
+	    end
+	
+	    if RUBY_PLATFORM =~ /cygwin/
+	      dlload('cyggss-1.dll')
+	    else
+	      dlload('libgssapi_krb5.so')
+	    end 
+	
+      typealias "void **", "p", PTR_REF_ENC, proc{|v| v.ptr}
+      typealias "GssResult", "L", proc{|v| v.to_i }, proc{|v| GssResult.new(v) }
+	    typealias 'OM_uint32', 'unsigned int'
+      typealias "OM_uint32_ref", 'unsigned int ref' 
+	    typealias 'size_t', 'unsigned int'
+      typealias "gss_bytes_t", "P" #, nil, nil, "P", PTR_ENC
+	    GssBuffer = struct2 [ "size_t length", "gss_bytes_t value" ] do
+        def to_s; value.to_s(length) if length > 0 end
+      end
+	    typealias 'gss_buffer_desc', 'GssBuffer'
+	    typealias 'gss_buffer_t', 'gss_buffer_desc *'
+	    GssOID = struct2 [ "OM_uint32 length", "gss_bytes_t elements" ] do
+	      def eql?(oid) !oid.nil? && length==oid.length && to_s==oid.to_s end
+	      def ==(oid) !oid.nil? && length==oid.length && to_s==oid.to_s end
+        def to_s; elements.to_s(length) if length > 0 end
+	      def inspect; 'OID: ' + (to_s.unpack("H2" * length).join(' ') rescue 'nil') end
+	    end
+      def GssOID.create(bytes) new [bytes.length, bytes].pack("LP#{bytes.length}").to_ptr end
+	    typealias 'gss_OID', 'P', PTR_ENC, PTR_DEC(GssOID)
+	    typealias 'gss_OID_ref', 'p', PTR_REF_ENC, PTR_REF_DEC(GssOID)
+	    GssOIDSet = struct2 [ "size_t count", "gss_OID elements" ] do
+        def oids
+          if @oids.nil? or elements != (@oids.first.to_ptr rescue nil)
+            @oids = []
+            0.upto(count-1) { |n| @oids[n] = GssOID.new(elements + n*GssOID.size) } unless elements.nil?
+          end
+          @oids
+        end
+	      def inspect; 'OIDSet: [' + oids.map {|o| o.inspect }.join(', ') + ']' end
+      end
+	    typealias 'gss_OID_set', 'P', PTR_ENC, PTR_DEC(GssOIDSet)
+	    typealias 'gss_OID_set_ref', 'p', PTR_REF_ENC, PTR_REF_DEC(GssOIDSet)
+	
+	    typealias 'gss_ctx_id_t', 'void *'
+	    typealias 'gss_ctx_id_ref', 'void **'
+	    typealias 'gss_cred_id_t', 'void *'
+	    typealias 'gss_cred_id_ref', 'void **'
+	    typealias 'gss_name_t', 'void *'
+	    typealias 'gss_name_ref', 'void **'
+	    typealias 'gss_qop_t', 'OM_uint32'
+	    typealias 'gss_qop_ref', 'OM_uint32_ref'
+	    typealias 'gss_cred_usage_t', 'int'
+	    typealias 'gss_cred_usage_ref', 'int ref'
+	
+	    class GssResult
+	      def initialize(code, minor=nil) @value, @minor = code, minor end
+	      def ok?; major.zero? end
+	      def complete?; status.zero? end
+	      def incomplete?; false end
+	      def failure?; major.nonzero? end
+	      def temporary_failure?
+	        routine_error==GSS_S_CREDENTIALS_EXPIRED ||
+	          routine_error==GSS_S_CONTEXT_EXPIRED ||
+	          routine_error==GSS_S_UNAVAILABLE
+	      end
+	      def major; (@value >> 16) & 0x0000ffff end
+	      def status; @value & 0x0000ffff end
+	      def calling_error; (@value >> 24) & 0x000000ff end
+	      def routine_error; (@value >> 16) & 0x000000ff end
+        def to_i; @value end
+	      def to_s
+          orig_retval, orig_args = API._retval_, API._args_
+          begin
+            msgctx, msgbuff, msglist = 0, API::GssBuffer.malloc, []
+            begin
+              result = API.gss_display_status @value, GSS_C_GSS_CODE, GSS_C_NO_OID, msgctx, msgbuff
+              result.ok? or return 'unknown'
+              msgctx = API._args_[3]
+              msglist << msgbuff.to_s
+              API.gss_release_buffer msgbuff
+            end until msgctx.zero?
+            msglist.empty? ? 'ok' : msglist.join(', ')
+          ensure
+            API.instance_eval { @retval = orig_retval; @args = orig_args }
+          end
+        end
+	    end
+	
+	    gss_func "gss_acquire_cred", "gss_name_t, OM_uint32, gss_OID_set, gss_cred_usage_t, gss_cred_id_ref, void *, OM_uint32_ref"
+	    gss_func "gss_inquire_cred", "gss_cred_id_t, gss_name_ref, OM_uint32_ref, gss_cred_usage_ref, gss_OID_set_ref"
+      gss_func "gss_import_name", "gss_buffer_t, gss_OID, gss_name_ref"
+      gss_func "gss_display_name", "gss_name_t, gss_buffer_t, gss_OID_ref"
+	    gss_func "gss_release_cred", "gss_cred_id_ref"
+	    gss_func "gss_release_oid_set", "gss_OID_set_ref"
+	    gss_func "gss_release_name", "gss_name_ref"
+      gss_func "gss_release_buffer", "gss_buffer_t"
+	    gss_func "gss_init_sec_context", "gss_cred_id_t, gss_ctx_id_ref, gss_name_t, gss_OID, OM_uint32, OM_uint32, void *, "+
+                                        "gss_buffer_t, gss_OID_ref, gss_buffer_t, OM_uint32_ref, OM_uint32_ref"
+      gss_func "gss_delete_sec_context", "gss_ctx_id_ref, gss_buffer_t"
+	    gss_func "gss_get_mic", "gss_ctx_id_t, gss_qop_t, gss_buffer_t, gss_buffer_t"
+	    gss_func "gss_display_status", "OM_uint32, int, gss_OID, OM_uint32_ref, gss_buffer_t"
+	    gss_func "gss_indicate_mechs", "gss_OID_set_ref"
+	  end
+
+	  # GSSAPI / Kerberos 5 OID(s)
+	  GSS_C_NT_PRINCIPAL = API::GssOID.create("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01")
+	  GSS_C_NT_MACHINE_UID_NAME = API::GssOID.create("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02")
+	  GSS_C_NT_STRING_UID_NAME = API::GssOID.create("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03")
+	  GSS_C_NT_HOSTBASED_SERVICE = API::GssOID.create("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")
+	  GSS_C_NT_ANONYMOUS = API::GssOID.create("\x2b\x06\x01\x05\x06\x03")
+	  GSS_C_NT_EXPORT_NAME = API::GssOID.create("\x2b\x06\x01\x05\x06\x04")
+	  GSS_C_KRB5 = API::GssOID.create(GSS_KRB5_MECH)
+	
+	  # GSSAPI / Kerberos 5  Deprecated / Proprietary OID(s)
+	  GSS_C_NT_HOSTBASED_SERVICE_X = API::GssOID.create("\x2b\x06\x01\x05\x06\x02")
+
+    # GSSAPI - Kerberos 5 mechanism support.
+    result = API.gss_indicate_mechs nil
+    result.ok? or raise "gss_indicate_mechs failed: #{result}"
+    if API._args_[0].oids.include? GSS_C_KRB5
+      API.gss_release_oid_set API._args_[0]
+    else
+      raise "This GSSAPI library reports no support for Kerberos authentication"
+    end
+
+	  class Context < Net::SSH::Kerberos::Context
+	
+		  GssResult = API::GssResult
+		
+		  def init(token=nil)
+		    unless token.nil?
+		      input = API::GssBuffer.malloc
+		      input.value = token.to_ptr
+		      input.length = token.length
+		    end
+        buffer = API::GssBuffer.malloc
+		    context = @state.handle if @state
+		    result = API.gss_init_sec_context @credentials, context, @target, GSS_C_KRB5,
+	                                        GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG, 60,
+	                                        GSS_C_NO_CHANNEL_BINDINGS, input, nil, buffer, 0, 0
+		    result.failure? and raise GeneralError, "Error initializing security context: #{result}"
+		    begin
+		      @state = State.new(API._args_[1], result, buffer.to_s, nil)
+		      @handle = @state.handle if result.complete?
+		      return @state.token
+		    ensure
+		      API.gss_release_buffer buffer if buffer.value
+		    end
+		  end
+		  
+		  def get_mic(token)
+		    input = API::GssBuffer.malloc
+		    input.value = token.to_ptr
+		    input.length = token.length
+		    @state.result = API.gss_get_mic @handle, GSS_C_QOP_DEFAULT, input, output=API::GssBuffer.malloc
+		    unless @state.result.complete? and output
+		      raise GeneralError, "Error creating the signature: #{@state.result}"
+		    end
+		    begin return output.to_s
+		    ensure API.gss_release_buffer output
+		    end
+		  end
+		
+		protected
+		
+		  def state; @state end
+		  
+		private
+		  
+		  def acquire_current_credentials
+		    result = API.gss_acquire_cred nil, 60, nil, GSS_C_INITIATE, nil, nil, 0
+		    result.ok? or raise GeneralError, "Error acquiring credentials: #{result}"
+	      result = API.gss_inquire_cred creds=API._args_[4], nil, 0, 0, nil
+	      result.ok? or raise GeneralError, "Error inquiring credentials: #{result}"
+	      begin
+	        name, oids = API._args_[1], API._args_[4]
+	        result = API.gss_display_name name, buffer=API::GssBuffer.malloc, nil
+	        result.ok? or raise GeneralError, "Error getting display name: #{result}"
+	        begin return [creds, buffer.to_s]
+	        ensure API.gss_release_buffer buffer
+	        end
+	      ensure
+	        API.gss_release_name name
+          API.gss_release_oid_set oids
+	      end
+		  end
+		
+		  def release_credentials(creds)
+		    creds.nil? or API.gss_release_cred creds
+		  end
+		
+		  def import_server_name(host)
+		    host = 'host@' + host
+		    buffer = API::GssBuffer.malloc
+		    buffer.value = host.to_ptr
+		    buffer.length = host.length
+		    result = API.gss_import_name buffer, GSS_C_NT_HOSTBASED_SERVICE, nil
+		    result.failure? and raise GeneralError, "Error importing name: #{result}"
+		    [API._args_[2], host]
+		  end
+		
+		  def release_server_name(target)
+		    target.nil? or API.gss_release_name target
+		  end
+		
+		  def delete_context(handle)
+		    handle.nil? or API.gss_delete_sec_context handle, nil
+		  end
+		
+		end
+		
+	end
+end; end; end; end