17c478bd9Sstevel@tonic-gate /* 2*ab9b2e15Sgtb * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 37c478bd9Sstevel@tonic-gate * Use is subject to license terms. 47c478bd9Sstevel@tonic-gate */ 57c478bd9Sstevel@tonic-gate 67c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 77c478bd9Sstevel@tonic-gate 87c478bd9Sstevel@tonic-gate /* 97c478bd9Sstevel@tonic-gate * lib/gssapi/krb5/import_sec_context.c 107c478bd9Sstevel@tonic-gate * 11*ab9b2e15Sgtb * Copyright 1995,2004 by the Massachusetts Institute of Technology. 127c478bd9Sstevel@tonic-gate * All Rights Reserved. 137c478bd9Sstevel@tonic-gate * 147c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may 157c478bd9Sstevel@tonic-gate * require a specific license from the United States Government. 167c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating 177c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting. 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 207c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and 217c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright 227c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and 237c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that 247c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining 257c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior 267c478bd9Sstevel@tonic-gate * permission. Furthermore if you modify this software you must label 277c478bd9Sstevel@tonic-gate * your software as modified software and not distribute it in such a 287c478bd9Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software. 
297c478bd9Sstevel@tonic-gate * M.I.T. makes no representations about the suitability of 307c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express 317c478bd9Sstevel@tonic-gate * or implied warranty. 327c478bd9Sstevel@tonic-gate * 337c478bd9Sstevel@tonic-gate */ 347c478bd9Sstevel@tonic-gate 357c478bd9Sstevel@tonic-gate /* 367c478bd9Sstevel@tonic-gate * import_sec_context.c - Internalize the security context. 377c478bd9Sstevel@tonic-gate */ 38*ab9b2e15Sgtb #include "gssapiP_krb5.h" 39*ab9b2e15Sgtb /* for serialization initialization functions */ 40*ab9b2e15Sgtb #include "k5-int.h" 41*ab9b2e15Sgtb #include "mglueP.h" /* SUNW15resync - for KGSS_ macros */ 42*ab9b2e15Sgtb 43*ab9b2e15Sgtb #ifdef _KERNEL 44*ab9b2e15Sgtb extern OM_uint32 kgss_release_oid(OM_uint32 *, gss_OID *); 45*ab9b2e15Sgtb #endif 46*ab9b2e15Sgtb 477c478bd9Sstevel@tonic-gate 487c478bd9Sstevel@tonic-gate /* 497c478bd9Sstevel@tonic-gate * Fix up the OID of the mechanism so that uses the static version of 507c478bd9Sstevel@tonic-gate * the OID if possible. 
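*/
/*
 * krb5_gss_convert_static_mech_oid: if 'oid' matches an entry of
 * krb5_gss_oid_array, release 'oid' (it is handed to KGSS_RELEASE_OID, so it
 * is presumed to be a heap copy) and return the static entry instead;
 * otherwise 'oid' is returned unchanged.  A NULL oid is returned as-is.
 */
gss_OID
krb5_gss_convert_static_mech_oid(gss_OID oid)
{
    const gss_OID_desc *p;
    OM_uint32 minor_status;

    /* Nothing to canonicalize; don't dereference a missing OID. */
    if (oid == NULL)
        return (oid);

    /* krb5_gss_oid_array is terminated by an entry whose length is 0. */
    for (p = krb5_gss_oid_array; p->length != 0; p++) {
        if (oid->length != p->length)
            continue;
        if (memcmp(oid->elements, p->elements, p->length) != 0)
            continue;
        /*
         * Swap the caller's copy for the static one.  The release status
         * is of no interest here: the static OID is returned either way.
         */
        (void) KGSS_RELEASE_OID(&minor_status, &oid);
        return ((gss_OID)p);
    }
    return (oid);
}

/*
 * krb5_gss_ser_init: register the krb5 serialization handlers this module
 * relies on with 'context'.  The kernel build registers only the
 * auth_context handler; userspace additionally registers the context,
 * ccache, rcache and keytab handlers.
 *
 * Returns 0 on success, otherwise the krb5 error code of the first handler
 * that failed (later handlers are not attempted).
 */
krb5_error_code
krb5_gss_ser_init(krb5_context context)
{
    static krb5_error_code (KRB5_CALLCONV *const handlers[])(krb5_context) = {
        krb5_ser_auth_context_init,
#ifndef _KERNEL
        krb5_ser_context_init,
        krb5_ser_ccache_init,
        krb5_ser_rcache_init,
        krb5_ser_keytab_init,
#endif
    };
    krb5_error_code code;
    size_t i;

    for (i = 0; i < sizeof (handlers) / sizeof (handlers[0]); i++) {
        code = (handlers[i])(context);
        if (code != 0)
            return (code);
    }
    return (0);
}

/*
 * krb5_gss_import_sec_context: rebuild a krb5 GSS security context from the
 * interprocess token produced by the matching export call.
 *
 *   minor_status        krb5 error code on failure, 0 otherwise
 *   interprocess_token  the serialized context; GSS_C_NO_BUFFER, a NULL
 *                       value or a zero length yields GSS_S_DEFECTIVE_TOKEN
 *   context_handle      receives the internalized context on success
 *
 * Returns GSS_S_COMPLETE, GSS_S_DEFECTIVE_TOKEN or GSS_S_FAILURE.
 *
 * Security note: the token is a plain serialization of the context (which
 * includes its session keys) and carries no integrity protection of its own.
 * kg_ctx_internalize is bounded by interprocess_token->length, but nothing
 * here verifies the token's origin, so callers must only feed it tokens from
 * a trusted exporting process on this host.  Bytes left over after
 * internalization are currently ignored rather than rejected.
 */
OM_uint32
krb5_gss_import_sec_context(OM_uint32 *minor_status,
    gss_buffer_t interprocess_token, gss_ctx_id_t *context_handle)
{
    krb5_context context;
    krb5_error_code kret;
    krb5_gss_ctx_id_t ctx = NULL;
    krb5_octet *ibp;
    size_t blen;

    *minor_status = 0;

    /*
     * Refuse a missing or empty token before touching its contents;
     * GSS_S_DEFECTIVE_TOKEN is the status reserved for exactly this case.
     */
    if (interprocess_token == NULL ||
        interprocess_token->value == NULL ||
        interprocess_token->length == 0)
        return (GSS_S_DEFECTIVE_TOKEN);

    /*
     * A krb5 context is needed to drive the serialization code.  Upstream
     * MIT 1.5 frees it right after kg_ctx_internalize because the stream
     * carries its own k5_context; this port (SUNW15resync) deliberately does
     * not serialize the k5_context, so the one created here is attached to
     * the new ctx by kg_ctx_internalize and is released later by
     * krb5_gss_delete_sec_context.  Only the failure paths free it here.
     */
    kret = KGSS_INIT_CONTEXT(&context);
    if (kret != 0) {
        *minor_status = kret;
        return (GSS_S_FAILURE);
    }

    kret = krb5_gss_ser_init(context);
    if (kret != 0)
        goto fail;

    /*
     * ibp/blen are passed by reference so kg_ctx_internalize can advance
     * through the token; blen keeps it from reading past the buffer.
     * NOTE(review): the original did not free ctx on failure, relying on
     * kg_ctx_internalize to clean up a partially built ctx -- confirm.
     */
    ibp = (krb5_octet *)interprocess_token->value;
    blen = (size_t)interprocess_token->length;
    kret = kg_ctx_internalize(context, (krb5_pointer *)&ctx, &ibp, &blen);
    if (kret != 0)
        goto fail;

    /*
     * Register the handle so later calls can validate it.  ctx now owns
     * 'context', so on failure tearing down ctx frees both.
     */
    if (!kg_save_ctx_id((gss_ctx_id_t)ctx)) {
        (void) krb5_gss_delete_sec_context(minor_status,
            (gss_ctx_id_t *)&ctx, NULL
#ifdef _KERNEL
            , 0 /* gssd_ctx_verifier */
#endif
            );
        *minor_status = (OM_uint32)G_VALIDATE_FAILED;
        return (GSS_S_FAILURE);
    }

    /* Use the static mech OID where possible so the heap copy is released. */
    ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);

    *context_handle = (gss_ctx_id_t)ctx;
    *minor_status = 0;
    return (GSS_S_COMPLETE);

fail:
    krb5_free_context(context);
    *minor_status = (OM_uint32)kret;
    return (GSS_S_FAILURE);
}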