1*7c478bd9Sstevel@tonic-gate /* 2*7c478bd9Sstevel@tonic-gate * Copyright 2001-2003 Sun Microsystems, Inc. All rights reserved. 3*7c478bd9Sstevel@tonic-gate * Use is subject to license terms. 4*7c478bd9Sstevel@tonic-gate */ 5*7c478bd9Sstevel@tonic-gate 6*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 7*7c478bd9Sstevel@tonic-gate 8*7c478bd9Sstevel@tonic-gate /* 9*7c478bd9Sstevel@tonic-gate * lib/gssapi/krb5/import_sec_context.c 10*7c478bd9Sstevel@tonic-gate * 11*7c478bd9Sstevel@tonic-gate * Copyright 1995 by the Massachusetts Institute of Technology. 12*7c478bd9Sstevel@tonic-gate * All Rights Reserved. 13*7c478bd9Sstevel@tonic-gate * 14*7c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may 15*7c478bd9Sstevel@tonic-gate * require a specific license from the United States Government. 16*7c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating 17*7c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting. 18*7c478bd9Sstevel@tonic-gate * 19*7c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 20*7c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and 21*7c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright 22*7c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and 23*7c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that 24*7c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining 25*7c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior 26*7c478bd9Sstevel@tonic-gate * permission. 
Furthermore if you modify this software you must label 27*7c478bd9Sstevel@tonic-gate * your software as modified software and not distribute it in such a 28*7c478bd9Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software. 29*7c478bd9Sstevel@tonic-gate * M.I.T. makes no representations about the suitability of 30*7c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express 31*7c478bd9Sstevel@tonic-gate * or implied warranty. 32*7c478bd9Sstevel@tonic-gate * 33*7c478bd9Sstevel@tonic-gate */ 34*7c478bd9Sstevel@tonic-gate 35*7c478bd9Sstevel@tonic-gate /* 36*7c478bd9Sstevel@tonic-gate * import_sec_context.c - Internalize the security context. 37*7c478bd9Sstevel@tonic-gate */ 38*7c478bd9Sstevel@tonic-gate #include <gssapiP_krb5.h> 39*7c478bd9Sstevel@tonic-gate #include <k5-int.h> 40*7c478bd9Sstevel@tonic-gate #include <gssapi/gssapi.h> 41*7c478bd9Sstevel@tonic-gate 42*7c478bd9Sstevel@tonic-gate #include <sys/debug.h> 43*7c478bd9Sstevel@tonic-gate /* 44*7c478bd9Sstevel@tonic-gate * Fix up the OID of the mechanism so that uses the static version of 45*7c478bd9Sstevel@tonic-gate * the OID if possible. 46*7c478bd9Sstevel@tonic-gate * 47*7c478bd9Sstevel@tonic-gate * Solaris Kerberos: this is not necessary. Our mech_used is allocated 48*7c478bd9Sstevel@tonic-gate * as part of the context structure. This function attempts to point to 49*7c478bd9Sstevel@tonic-gate * the corresponding gss_OID in the array krb5_gss_oid_array. 
*/
#if 0
/*
 * Disabled on Solaris (see the comment above): mech_used lives inside the
 * context structure, so it is never replaced by a pointer into
 * krb5_gss_oid_array. Kept for reference against the MIT original.
 */
gss_OID_desc krb5_gss_convert_static_mech_oid(oid)
    gss_OID FAR oid;
{
    const gss_OID_desc *p;
    OM_uint32 minor_status;

    for (p = krb5_gss_oid_array; p->length; p++) {
        if ((oid->length == p->length) &&
            (memcmp(oid->elements, p->elements, p->length) == 0)) {
            gss_release_oid(&minor_status, &oid);
            return *p;
        }
    }
    return *oid;
}
#endif

/*
 * krb5_gss_import_sec_context - rebuild a security context from the
 * serialized form produced by the matching export routine.
 *
 * ct                  krb5_context passed through from the mechanism
 *                     glue (stored into "context" below).
 * minor_status        out: 0 on success, the krb5 error code when
 *                     kg_ctx_internalize() fails, or G_VALIDATE_FAILED
 *                     when the rebuilt handle cannot be registered or
 *                     validated.
 * interprocess_token  in: the serialized context (value/length are read
 *                     directly; no NULL or zero-length check is done
 *                     here, so the caller is presumably expected to
 *                     validate the buffer first - confirm in mechglue).
 * context_handle      out: the new handle, written only on success.
 *
 * Returns GSS_S_COMPLETE on success, GSS_S_FAILURE when out of memory or
 * when the handle cannot be saved/validated, and GSS_S_DEFECTIVE_TOKEN
 * for any other kg_ctx_internalize() error (i.e. a token that does not
 * parse is reported as malformed rather than as an internal failure).
 *
 * The global krb5_mutex is held from just before the parse until the
 * function returns; every exit path below releases it before logging.
 */
OM_uint32
krb5_gss_import_sec_context(ct, minor_status, interprocess_token, context_handle)
    void *ct;
    OM_uint32 *minor_status;
    gss_buffer_t interprocess_token;
    gss_ctx_id_t *context_handle;
{
    krb5_context context;
    krb5_error_code kret = 0;
    size_t blen;            /* bytes of token still unconsumed */
    krb5_gss_ctx_id_t ctx;  /* context produced by kg_ctx_internalize() */
    krb5_octet *ibp;        /* read cursor into the token */

    /* Solaris Kerberos: we use the global kg_context for MT safe */
#if 0
    if (GSS_ERROR(kg_get_context(minor_status, &context)))
        return(GSS_S_FAILURE);
#endif

    KRB5_LOG0(KRB5_INFO, "krb5_gss_import_sec_context() start\n");

    mutex_lock(&krb5_mutex);
    context = ct;

    /* Assume a tragic failure */
    ctx = (krb5_gss_ctx_id_t) NULL;
    *minor_status = 0;

    /*
     * Internalize the context. kg_ctx_internalize() advances ibp/blen as
     * it consumes the token; the cursor values are not used afterwards.
     */
    ibp = (krb5_octet *) interprocess_token->value;
    blen = (size_t) interprocess_token->length;
    if ((kret = kg_ctx_internalize(context,
                                   (krb5_pointer *) &ctx,
                                   &ibp, &blen))) {
        *minor_status = (OM_uint32) kret;
        mutex_unlock(&krb5_mutex);

        KRB5_LOG(KRB5_ERR, "krb5_gss_import_sec_context() end,"
                 "kg_ctx_internalize() error kret = %d\n", kret);

        /* Only allocation failure is an internal error; anything else
         * means the token itself could not be decoded. */
        if (kret == ENOMEM)
            return(GSS_S_FAILURE);
        else
            return(GSS_S_DEFECTIVE_TOKEN);
    }

    /*
     * intern the context handle. If the handle cannot be registered, tear
     * the freshly built context down before reporting failure. Note that
     * minor_status is overwritten with G_VALIDATE_FAILED after the delete
     * call, so whatever the delete reported into it is discarded.
     */
    if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
        (void)krb5_gss_delete_sec_context_no_lock(context, minor_status,
                                                  (gss_ctx_id_t *) &ctx, NULL
#ifdef _KERNEL
                                                  ,0 /* gssd_ctx_verifier */
#endif
                                                  );
        *minor_status = (OM_uint32) G_VALIDATE_FAILED;
        mutex_unlock(&krb5_mutex);

        KRB5_LOG0(KRB5_ERR, "krb5_gss_import_sec_context() end,"
                  "kg_save_ctx_id() error\n");

        return(GSS_S_FAILURE);
    }
    /*
     * NOTE(review): unlike the kg_save_ctx_id() path above, this branch
     * returns without calling krb5_gss_delete_sec_context_no_lock(), so the
     * context just saved appears to stay registered and allocated. Confirm
     * whether that is intended or whether ctx is leaked here.
     */
    if (! kg_validate_ctx_id((gss_ctx_id_t) ctx)) {
        *minor_status = (OM_uint32) G_VALIDATE_FAILED;
        mutex_unlock(&krb5_mutex);

        KRB5_LOG0(KRB5_ERR, "krb5_gss_import_sec_context() end,"
                  "kg_validate_ctx_id() error\n");

        return(GSS_S_FAILURE);
    }

    /* Solaris Kerberos: our mech_used is part of the ctx structure */
    /* ctx->mech_used = krb5_gss_convert_static_mech_oid(&(ctx->mech_used)); */

    /* Hand the handle to the caller only once it is saved and validated. */
    *context_handle = (gss_ctx_id_t) ctx;

    *minor_status = 0;
    mutex_unlock(&krb5_mutex);

    KRB5_LOG0(KRB5_INFO, "krb5_gss_import_sec_context() end\n");

    return (GSS_S_COMPLETE);
}