1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate  * Copyright 2001-2003 Sun Microsystems, Inc.  All rights reserved.
3*7c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
4*7c478bd9Sstevel@tonic-gate  */
5*7c478bd9Sstevel@tonic-gate 
6*7c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
7*7c478bd9Sstevel@tonic-gate 
8*7c478bd9Sstevel@tonic-gate /*
9*7c478bd9Sstevel@tonic-gate  * lib/gssapi/krb5/import_sec_context.c
10*7c478bd9Sstevel@tonic-gate  *
11*7c478bd9Sstevel@tonic-gate  * Copyright 1995 by the Massachusetts Institute of Technology.
12*7c478bd9Sstevel@tonic-gate  * All Rights Reserved.
13*7c478bd9Sstevel@tonic-gate  *
14*7c478bd9Sstevel@tonic-gate  * Export of this software from the United States of America may
15*7c478bd9Sstevel@tonic-gate  *   require a specific license from the United States Government.
16*7c478bd9Sstevel@tonic-gate  *   It is the responsibility of any person or organization contemplating
17*7c478bd9Sstevel@tonic-gate  *   export to obtain such a license before exporting.
18*7c478bd9Sstevel@tonic-gate  *
19*7c478bd9Sstevel@tonic-gate  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
20*7c478bd9Sstevel@tonic-gate  * distribute this software and its documentation for any purpose and
21*7c478bd9Sstevel@tonic-gate  * without fee is hereby granted, provided that the above copyright
22*7c478bd9Sstevel@tonic-gate  * notice appear in all copies and that both that copyright notice and
23*7c478bd9Sstevel@tonic-gate  * this permission notice appear in supporting documentation, and that
24*7c478bd9Sstevel@tonic-gate  * the name of M.I.T. not be used in advertising or publicity pertaining
25*7c478bd9Sstevel@tonic-gate  * to distribution of the software without specific, written prior
26*7c478bd9Sstevel@tonic-gate  * permission.  Furthermore if you modify this software you must label
27*7c478bd9Sstevel@tonic-gate  * your software as modified software and not distribute it in such a
28*7c478bd9Sstevel@tonic-gate  * fashion that it might be confused with the original M.I.T. software.
29*7c478bd9Sstevel@tonic-gate  * M.I.T. makes no representations about the suitability of
30*7c478bd9Sstevel@tonic-gate  * this software for any purpose.  It is provided "as is" without express
31*7c478bd9Sstevel@tonic-gate  * or implied warranty.
32*7c478bd9Sstevel@tonic-gate  *
33*7c478bd9Sstevel@tonic-gate  */
34*7c478bd9Sstevel@tonic-gate 
35*7c478bd9Sstevel@tonic-gate /*
36*7c478bd9Sstevel@tonic-gate  * import_sec_context.c	- Internalize the security context.
37*7c478bd9Sstevel@tonic-gate  */
38*7c478bd9Sstevel@tonic-gate #include <gssapiP_krb5.h>
39*7c478bd9Sstevel@tonic-gate #include <k5-int.h>
40*7c478bd9Sstevel@tonic-gate #include <gssapi/gssapi.h>
41*7c478bd9Sstevel@tonic-gate 
42*7c478bd9Sstevel@tonic-gate #include <sys/debug.h>
43*7c478bd9Sstevel@tonic-gate /*
 * Fix up the OID of the mechanism so that it uses the static version of
45*7c478bd9Sstevel@tonic-gate  * the OID if possible.
46*7c478bd9Sstevel@tonic-gate  *
47*7c478bd9Sstevel@tonic-gate  * Solaris Kerberos: this is not necessary.  Our mech_used is allocated
48*7c478bd9Sstevel@tonic-gate  * as part of the context structure.  This function attempts to point to
49*7c478bd9Sstevel@tonic-gate  * the corresponding gss_OID in the array krb5_gss_oid_array.
50*7c478bd9Sstevel@tonic-gate  */
51*7c478bd9Sstevel@tonic-gate #if 0
/*
 * krb5_gss_convert_static_mech_oid - replace a heap-allocated mechanism
 * OID with the matching entry of the static table krb5_gss_oid_array.
 *
 * DISABLED: this definition sits inside "#if 0" because Solaris Kerberos
 * embeds mech_used in the context structure (see the comment above), so
 * the fixup is never compiled in.  Kept for reference against upstream.
 *
 * oid	The OID to look up.  On a match it is handed to gss_release_oid()
 *	and the static table entry is returned by value.  On no match the
 *	pointed-to descriptor is returned by value and the caller's
 *	allocation is left untouched.
 *
 * NOTE(review): gss_release_oid() receives the address of this function's
 * own parameter copy, so the caller's pointer is NOT cleared and - if
 * gss_release_oid() frees the descriptor, as its name suggests - still
 * points at released memory after a successful match.  A caller must
 * overwrite its pointer/descriptor with the returned value rather than
 * keep using the old one.  The minor status from the release is dropped.
 */
gss_OID_desc krb5_gss_convert_static_mech_oid(oid)
     gss_OID	FAR oid;
{
	const gss_OID_desc 	*p;
	OM_uint32		minor_status;

	/* The table is terminated by an entry whose length is zero. */
	for (p = krb5_gss_oid_array; p->length; p++) {
		if ((oid->length == p->length) &&
		    (memcmp(oid->elements, p->elements, p->length) == 0)) {
			/* Matched a static OID: drop the dynamic copy. */
			gss_release_oid(&minor_status, &oid);
			return *p;
		}
	}
	/* No static equivalent: hand back the dynamic descriptor as-is. */
	return *oid;
}
67*7c478bd9Sstevel@tonic-gate #endif
68*7c478bd9Sstevel@tonic-gate 
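/*
 * krb5_gss_import_sec_context - rebuild a krb5 GSS-API security context
 * from an interprocess token (the serialized form produced by the
 * matching export_sec_context call).
 *
 * ct			krb5_context to use.  Solaris Kerberos passes it in
 *			explicitly instead of calling kg_get_context().
 * minor_status		Receives a mechanism-specific status (0 on success).
 * interprocess_token	The serialized context to internalize.
 * context_handle	Receives the new context on success.  It is set to
 *			GSS_C_NO_CONTEXT before anything can fail, so a
 *			caller never ends up holding an uninitialized handle.
 *
 * Returns:
 *	GSS_S_COMPLETE			context imported.
 *	GSS_S_CALL_INACCESSIBLE_WRITE	minor_status or context_handle is NULL.
 *	GSS_S_CALL_INACCESSIBLE_READ	interprocess_token is GSS_C_NO_BUFFER.
 *	GSS_S_DEFECTIVE_TOKEN		token is empty or does not deserialize.
 *	GSS_S_FAILURE			out of memory, or the context could
 *					not be registered/validated.
 *
 * Security note: the token is deserialized as-is.  Nothing in this function
 * authenticates where the token came from or checks its integrity, so an
 * interprocess token must only ever be accepted over a channel the caller
 * already trusts (which is what GSS-API assumes for such tokens);
 * kg_ctx_internalize() is the only parser standing between a malformed
 * token and a live context containing session keys.
 *
 * Locking: the global krb5_mutex is held from just before
 * kg_ctx_internalize() until the context has been registered (or an error
 * path has given up); every return after the lock is taken releases it.
 */
OM_uint32
krb5_gss_import_sec_context(ct, minor_status, interprocess_token, context_handle)
    void		*ct;
    OM_uint32		*minor_status;
    gss_buffer_t	interprocess_token;
    gss_ctx_id_t	*context_handle;
{
    krb5_context	context;
    krb5_error_code	kret;
    size_t		blen;
    krb5_gss_ctx_id_t	ctx = NULL;	/* assume a tragic failure */
    krb5_octet		*ibp;

    KRB5_LOG0(KRB5_INFO, "krb5_gss_import_sec_context() start\n");

    /*
     * Argument validation is done before the mutex is taken so that none
     * of these early exits has to release it.
     */
    if (minor_status == NULL || context_handle == NULL)
        return (GSS_S_CALL_INACCESSIBLE_WRITE);
    *minor_status = 0;
    *context_handle = GSS_C_NO_CONTEXT;

    if (interprocess_token == GSS_C_NO_BUFFER)
        return (GSS_S_CALL_INACCESSIBLE_READ);
    /* An empty buffer can never hold a context; treat it as a bad token. */
    if (interprocess_token->length == 0 || interprocess_token->value == NULL)
        return (GSS_S_DEFECTIVE_TOKEN);

    /*
     * Solaris Kerberos: the krb5_context arrives via ct (no kg_get_context()
     * call here) and the global krb5_mutex is used for MT safety.
     */
    mutex_lock(&krb5_mutex);
    context = ct;

    /*
     * Internalize the context.  ibp/blen are passed by address, so
     * kg_ctx_internalize() presumably advances them as it consumes the
     * token; they are not used again here.
     */
    ibp = (krb5_octet *) interprocess_token->value;
    blen = (size_t) interprocess_token->length;
    kret = kg_ctx_internalize(context, (krb5_pointer *) &ctx, &ibp, &blen);
    if (kret != 0) {
        /*
         * NOTE(review): nothing is freed here, so kg_ctx_internalize() is
         * assumed to leave ctx NULL / fully cleaned up on error - confirm.
         */
        *minor_status = (OM_uint32) kret;
        mutex_unlock(&krb5_mutex);

        KRB5_LOG(KRB5_ERR, "krb5_gss_import_sec_context() end,"
                "kg_ctx_internalize() error kret = %d\n", kret);

        /*
         * Only memory exhaustion is a local failure; any other
         * internalize error means the token itself is bad.
         */
        return (kret == ENOMEM ? GSS_S_FAILURE : GSS_S_DEFECTIVE_TOKEN);
    }

    /* Register the handle so later calls can validate it. */
    if (!kg_save_ctx_id((gss_ctx_id_t) ctx)) {
        /* Could not register it: tear the freshly built context down. */
        (void) krb5_gss_delete_sec_context_no_lock(context, minor_status,
                                        (gss_ctx_id_t *) &ctx, NULL
#ifdef _KERNEL
                                        , 0  /* gssd_ctx_verifier */
#endif
                                        );
        *minor_status = (OM_uint32) G_VALIDATE_FAILED;
        mutex_unlock(&krb5_mutex);

        KRB5_LOG0(KRB5_ERR, "krb5_gss_import_sec_context() end,"
                "kg_save_ctx_id() error\n");

        return (GSS_S_FAILURE);
    }

    /*
     * Sanity check that the handle we just saved validates.
     * NOTE(review): unlike the save-failure path above, this path does not
     * delete ctx; deleting through krb5_gss_delete_sec_context_no_lock()
     * would likely fail the same validation, so the original behavior
     * (report failure, leave ctx registered) is preserved here.
     */
    if (!kg_validate_ctx_id((gss_ctx_id_t) ctx)) {
        *minor_status = (OM_uint32) G_VALIDATE_FAILED;
        mutex_unlock(&krb5_mutex);

        KRB5_LOG0(KRB5_ERR, "krb5_gss_import_sec_context() end,"
                "kg_validate_ctx_id() error\n");

        return (GSS_S_FAILURE);
    }

    /*
     * Solaris Kerberos: mech_used is part of the ctx structure, so the
     * upstream static-OID fixup (krb5_gss_convert_static_mech_oid) is
     * not needed here.
     */
    *context_handle = (gss_ctx_id_t) ctx;
    *minor_status = 0;
    mutex_unlock(&krb5_mutex);

    KRB5_LOG0(KRB5_INFO, "krb5_gss_import_sec_context() end\n");

    return (GSS_S_COMPLETE);
}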
153