OM_uint32 GSSAPI_CALLCONV _gss_spnego_import_sec_context (
OM_uint32 * minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle
)
{
OM_uint32 ret, minor;
gss_ctx_id_t context;
gssspnego_ctx ctx;
ret = _gss_spnego_alloc_sec_context(minor_status, &context);
if (ret != GSS_S_COMPLETE) {
return ret;
}
ctx = (gssspnego_ctx)context;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = gss_import_sec_context(minor_status,
interprocess_token,
&ctx->negotiated_ctx_id);
if (ret != GSS_S_COMPLETE) {
_gss_spnego_internal_delete_sec_context(&minor, context_handle, GSS_C_NO_BUFFER);
return ret;
}
ctx->open = 1;
/* don't bother filling in the rest of the fields */
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
*context_handle = (gss_ctx_id_t)ctx;
return GSS_S_COMPLETE;
}
uint32_t
sapgss_import_sec_context(
uint32_t *minor_status,
gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
{
return gss_import_sec_context(minor_status, interprocess_token,
context_handle);
}
OM_uint32
ntlm_gss_import_sec_context(
OM_uint32 *minor_status,
const gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
{
OM_uint32 ret;
ret = gss_import_sec_context(minor_status,
interprocess_token,
context_handle);
return (ret);
}
uint32_t gp_import_gssx_to_ctx_id(uint32_t *min, int type,
gssx_ctx *in, gss_ctx_id_t *out)
{
gss_buffer_desc export_buffer = GSS_C_EMPTY_BUFFER;
if (type != EXP_CTX_DEFAULT) {
*min = EINVAL;
return GSS_S_FAILURE;
}
gp_conv_gssx_to_buffer(&in->exported_context_token, &export_buffer);
return gss_import_sec_context(min, &export_buffer, out);
}
/*
* Yes, yes, this isn't the best place for doing this test.
* DO NOT REMOVE THIS UNTIL A BETTER TEST HAS BEEN WRITTEN, THOUGH.
* -TYT
*/
static int
test_import_export_context(gss_ctx_id_t *context)
{
OM_uint32 min_stat, maj_stat;
gss_buffer_desc context_token, copied_token;
struct timeval tm1, tm2;
/*
* Attempt to save and then restore the context.
*/
gettimeofday(&tm1, (struct timezone *) 0);
maj_stat = gss_export_sec_context(&min_stat, context, &context_token);
if (maj_stat != GSS_S_COMPLETE) {
display_status("exporting context", maj_stat, min_stat);
return 1;
}
gettimeofday(&tm2, (struct timezone *) 0);
if (verbose && logfile)
fprintf(logfile, "Exported context: %d bytes, %7.4f seconds\n",
(int) context_token.length, timeval_subtract(&tm2, &tm1));
copied_token.length = context_token.length;
copied_token.value = malloc(context_token.length);
if (copied_token.value == 0) {
if (logfile)
fprintf(logfile,
"Couldn't allocate memory to copy context token.\n");
return 1;
}
memcpy(copied_token.value, context_token.value, copied_token.length);
maj_stat = gss_import_sec_context(&min_stat, &copied_token, context);
if (maj_stat != GSS_S_COMPLETE) {
display_status("importing context", maj_stat, min_stat);
return 1;
}
free(copied_token.value);
gettimeofday(&tm1, (struct timezone *) 0);
if (verbose && logfile)
fprintf(logfile, "Importing context: %7.4f seconds\n",
timeval_subtract(&tm1, &tm2));
(void) gss_release_buffer(&min_stat, &context_token);
return 0;
}
static isc_result_t
gssapi_restore(dst_key_t *key, const char *keystr) {
OM_uint32 major, minor;
unsigned int len;
isc_buffer_t *b = NULL;
isc_region_t r;
gss_buffer_desc gssbuffer;
isc_result_t result;
len = strlen(keystr);
if ((len % 4) != 0U)
return (ISC_R_BADBASE64);
len = (len / 4) * 3;
result = isc_buffer_allocate(key->mctx, &b, len);
if (result != ISC_R_SUCCESS)
return (result);
result = isc_base64_decodestring(keystr, b);
if (result != ISC_R_SUCCESS) {
isc_buffer_free(&b);
return (result);
}
isc_buffer_remainingregion(b, &r);
REGION_TO_GBUFFER(r, gssbuffer);
major = gss_import_sec_context(&minor, &gssbuffer,
&key->keydata.gssctx);
if (major != GSS_S_COMPLETE) {
isc_buffer_free(&b);
return (ISC_R_FAILURE);
}
isc_buffer_free(&b);
return (ISC_R_SUCCESS);
}
OM_uint32 gssi_import_sec_context_by_mech(OM_uint32 *minor_status,
gss_OID mech_type,
gss_buffer_t interprocess_token,
gss_ctx_id_t *context_handle)
{
struct gpp_context_handle *ctx;
gss_buffer_desc wrap_token = {0};
OM_uint32 maj, min = 0;
GSSI_TRACE();
ctx = calloc(1, sizeof(struct gpp_context_handle));
if (!ctx) {
*minor_status = 0;
return GSS_S_FAILURE;
}
/* NOTE: it makes no sense to import a context remotely atm,
* so we only handle the local case for now. */
maj = gpp_wrap_sec_ctx_token(&min, mech_type,
interprocess_token, &wrap_token);
if (maj != GSS_S_COMPLETE) {
goto done;
}
maj = gss_import_sec_context(&min, &wrap_token, &ctx->local);
done:
*minor_status = gpp_map_error(min);
if (maj == GSS_S_COMPLETE) {
*context_handle = (gss_ctx_id_t)ctx;
} else {
free(ctx);
}
(void)gss_release_buffer(&min, &wrap_token);
return maj;
}
static const void *
gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct gss_api_mech *gm)
{
const void *q;
unsigned int seclen;
unsigned int timeout;
unsigned long now = jiffies;
u32 window_size;
int ret;
/* First unsigned int gives the remaining lifetime in seconds of the
* credential - e.g. the remaining TGT lifetime for Kerberos or
* the -t value passed to GSSD.
*/
p = simple_get_bytes(p, end, &timeout, sizeof(timeout));
if (IS_ERR(p))
goto err;
if (timeout == 0)
timeout = GSSD_MIN_TIMEOUT;
ctx->gc_expiry = now + ((unsigned long)timeout * HZ);
/* Sequence number window. Determines the maximum number of
* simultaneous requests
*/
p = simple_get_bytes(p, end, &window_size, sizeof(window_size));
if (IS_ERR(p))
goto err;
ctx->gc_win = window_size;
/* gssd signals an error by passing ctx->gc_win = 0: */
if (ctx->gc_win == 0) {
/*
* in which case, p points to an error code. Anything other
* than -EKEYEXPIRED gets converted to -EACCES.
*/
p = simple_get_bytes(p, end, &ret, sizeof(ret));
if (!IS_ERR(p))
p = (ret == -EKEYEXPIRED) ? ERR_PTR(-EKEYEXPIRED) :
ERR_PTR(-EACCES);
goto err;
}
/* copy the opaque wire context */
p = simple_get_netobj(p, end, &ctx->gc_wire_ctx);
if (IS_ERR(p))
goto err;
/* import the opaque security context */
p = simple_get_bytes(p, end, &seclen, sizeof(seclen));
if (IS_ERR(p))
goto err;
q = (const void *)((const char *)p + seclen);
if (unlikely(q > end || q < p)) {
p = ERR_PTR(-EFAULT);
goto err;
}
ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_NOFS);
if (ret < 0) {
p = ERR_PTR(ret);
goto err;
}
/* is there any trailing data? */
if (q == end) {
p = q;
goto done;
}
/* pull in acceptor name (if there is one) */
p = simple_get_netobj(q, end, &ctx->gc_acceptor);
if (IS_ERR(p))
goto err;
done:
dprintk("RPC: %s Success. gc_expiry %lu now %lu timeout %u acceptor %.*s\n",
__fun
