lustre/utils/gss/context_lucid.c

   1 /*
   2  * COPYRIGHT (c) 2006
   3  * The Regents of the University of Michigan
   4  * ALL RIGHTS RESERVED
   5  *
   6  * Permission is granted to use, copy, create derivative works
   7  * and redistribute this software and such derivative works
   8  * for any purpose, so long as the name of The University of
   9  * Michigan is not used in any advertising or publicity
  10  * pertaining to the use of distribution of this software
  11  * without specific, written prior authorization.  If the
  12  * above copyright notice or any other identification of the
  13  * University of Michigan is included in any copy of any
  14  * portion of this software, then the disclaimer below must
  15  * also be included.
  16  *
  17  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
  18  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
  19  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
  20  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
  21  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
  22  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
  23  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
  24  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
  25  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
  26  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
  27  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
  28  * SUCH DAMAGES.
  29  */
  30
  31 #include "config.h"
  32
  33 #ifdef HAVE_LUCID_CONTEXT_SUPPORT
  34
  35 /*
  36  * Newer versions of MIT and Heimdal have lucid context support.
  37  * We can use common code if it is supported.
  38  */
  39
  40 #include <stdio.h>
  41 #include <syslog.h>
  42 #include <string.h>
  43 #include <errno.h>
  44 #include <stdint.h>
  45 #include <krb5.h>
  46 #include <gssapi/gssapi.h>
  47 #ifndef OM_uint64
  48 typedef uint64_t OM_uint64;
  49 #endif
  50 #include <gssapi/gssapi_krb5.h>
  51
  52 #ifdef _NEW_BUILD_
  53 # include "lgss_utils.h"
  54 #else
  55 # include "gss_util.h"
  56 # include "gss_oids.h"
  57 # include "err_util.h"
  58 #endif
  59 #include "write_bytes.h"
  60 #include "context.h"
  61
  62 extern OM_uint32 gss_export_lucid_sec_context(OM_uint32 *min_stat,
  63                                               gss_ctx_id_t *ctx,
  64                                               OM_uint32 version,
  65                                               void **kctx);
  66 extern OM_uint32 gss_free_lucid_sec_context(OM_uint32 *min_stat,
  67                                             gss_ctx_id_t ctx,
  68                                             void *kctx);
  69
  70 static int
  71 write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
  72 {
  73         gss_buffer_desc tmp;
  74
  75         if (WRITE_BYTES(p, end, key->type)) return -1;
  76         tmp.length = key->length;
  77         tmp.value = key->data;
  78         if (write_buffer(p, end, &tmp)) return -1;
  79         return 0;
  80 }
  81
  82 static int
  83 prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
  84         gss_buffer_desc *buf)
  85 {
  86         char *p, *end;
  87         static int constant_zero = 0;
  88         unsigned char fakeseed[16];
  89         uint32_t word_send_seq;
  90         gss_krb5_lucid_key_t enc_key;
  91         int i;
  92         char *skd, *dkd;
  93         gss_buffer_desc fakeoid;
  94
  95         /*
  96          * The new Kerberos interface to get the gss context
  97          * does not include the seed or seed_init fields
  98          * because we never really use them.  But for now,
  99          * send down a fake buffer so we can use the same
 100          * interface to the kernel.
 101          */
 102         memset(&enc_key, 0, sizeof(enc_key));
 103         memset(&fakeoid, 0, sizeof(fakeoid));
 104
 105         if (!(buf->value = calloc(1, MAX_CTX_LEN)))
 106                 goto out_err;
 107         p = buf->value;
 108         end = buf->value + MAX_CTX_LEN;
 109
 110         if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
 111
 112         /* seed_init and seed not used by kernel anyway */
 113         if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
 114         if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
 115
 116         if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
 117         if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
 118         if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
 119         word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */
 120         if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
 121         if (write_oid(&p, end, &krb5oid)) goto out_err;
 122
 123 #ifdef HAVE_HEIMDAL
 124         /*
 125          * The kernel gss code expects des-cbc-raw for all flavors of des.
 126          * The keytype from MIT has this type, but Heimdal does not.
 127          * Force the Heimdal keytype to 4 (des-cbc-raw).
 128          * Note that the rfc1964 version only supports DES enctypes.
 129          */
 130         if (lctx->rfc1964_kd.ctx_key.type != 4) {
 131                 printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
 132                          __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4);
 133                 lctx->rfc1964_kd.ctx_key.type = 4;
 134         }
 135 #endif
 136         printerr(2, "%s: serializing keys with enctype %d and length %d\n",
 137                  __FUNCTION__, lctx->rfc1964_kd.ctx_key.type,
 138                  lctx->rfc1964_kd.ctx_key.length);
 139
 140         /* derive the encryption key and copy it into buffer */
 141         enc_key.type = lctx->rfc1964_kd.ctx_key.type;
 142         enc_key.length = lctx->rfc1964_kd.ctx_key.length;
 143         if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
 144                 goto out_err;
 145         skd = (char *) lctx->rfc1964_kd.ctx_key.data;
 146         dkd = (char *) enc_key.data;
 147         for (i = 0; i < enc_key.length; i++)
 148                 dkd[i] = skd[i] ^ 0xf0;
 149         if (write_lucid_keyblock(&p, end, &enc_key)) {
 150                 free(enc_key.data);
 151                 goto out_err;
 152         }
 153         free(enc_key.data);
 154
 155         if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
 156                 goto out_err;
 157
 158         buf->length = p - (char *)buf->value;
 159         return 0;
 160 out_err:
 161         printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
 162         if (buf->value) free(buf->value);
 163         buf->length = 0;
 164         if (enc_key.data) free(enc_key.data);
 165         return -1;
 166 }
 167
 168 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
 169 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
 170
 171 /* for 3DES */
 172 #define KG_USAGE_SEAL 22
 173 #define KG_USAGE_SIGN 23
 174 #define KG_USAGE_SEQ  24
 175
 176 /* for rfc???? */
 177 #define KG_USAGE_ACCEPTOR_SEAL  22
 178 #define KG_USAGE_ACCEPTOR_SIGN  23
 179 #define KG_USAGE_INITIATOR_SEAL 24
 180 #define KG_USAGE_INITIATOR_SIGN 25
 181
 182 /* Lifted from mit src/lib/gssapi/krb5/gssapiP_krb5.h */
 183 enum seal_alg {
 184   SEAL_ALG_NONE            = 0xffff,
 185   SEAL_ALG_DES             = 0x0000,
 186   SEAL_ALG_1               = 0x0001, /* not published */
 187   SEAL_ALG_MICROSOFT_RC4   = 0x0010, /* microsoft w2k;  */
 188   SEAL_ALG_DES3KD          = 0x0002
 189 };
 190
 191 #define KEY_USAGE_SEED_ENCRYPTION       0xAA
 192 #define KEY_USAGE_SEED_INTEGRITY        0x55
 193 #define KEY_USAGE_SEED_CHECKSUM         0x99
 194 #define K5CLENGTH 5
 195
 196 /* Flags for version 2 context flags */
 197 #define KRB5_CTX_FLAG_INITIATOR         0x00000001
 198 #define KRB5_CTX_FLAG_CFX               0x00000002
 199 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
 200
 201 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
 202 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
 203 /*
 204  * We don't have "legal" access to these MIT-only
 205  * structures located in libk5crypto
 206  */
 207 extern void krb5int_enc_arcfour;
 208 extern void krb5int_enc_des3;
 209 extern void krb5int_enc_aes128;
 210 extern void krb5int_enc_aes256;
 211 extern int krb5_derive_key();
 212
 213 static void
 214 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
 215 {
 216         memset(kout, '\0', sizeof(kout));
 217 #ifdef HAVE_KRB5
 218         kout->enctype = lin->type;
 219         kout->length = lin->length;
 220         kout->contents = lin->data;
 221 #else
 222         kout->keytype = lin->type;
 223         kout->keyvalue.length = lin->length;
 224         kout->keyvalue.data = lin->data;
 225 #endif
 226 }
 227
 228 static void
 229 key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout)
 230 {
 231         memset(lout, '\0', sizeof(lout));
 232 #ifdef HAVE_KRB5
 233         lout->type = kin->enctype;
 234         lout->length = kin->length;
 235         lout->data = kin->contents;
 236 #else
 237         lout->type = kin->keytype;
 238         lout->length = kin->keyvalue.length;
 239         memcpy(lout->data, kin->keyvalue.data, kin->keyvalue.length);
 240 #endif
 241 }
 242
 243 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
 244 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
 245 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
 246 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
 247 /*
 248  * Function to derive a new key from a given key and given constant data.
 249  */
 250 static krb5_error_code
 251 derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
 252                  int usage, char extra)
 253 {
 254         krb5_error_code code;
 255         unsigned char constant_data[K5CLENGTH];
 256         krb5_data datain;
 257         int keylength;
 258         void *enc;
 259         krb5_keyblock kin, kout;  /* must send krb5_keyblock, not lucid! */
 260 #ifdef HAVE_HEIMDAL
 261         krb5_context kcontext;
 262         krb5_keyblock *outkey;
 263 #endif
 264
 265         /*
 266          * XXX Hack alert.  We don't have "legal" access to these
 267          * values and structures located in libk5crypto
 268          */
 269         switch (in->type) {
 270         case ENCTYPE_DES3_CBC_SHA1:
 271 #ifdef HAVE_KRB5
 272         case ENCTYPE_DES3_CBC_RAW:
 273 #endif
 274                 keylength = 24;
 275 #ifdef HAVE_KRB5
 276                 enc = &krb5int_enc_des3;
 277 #endif
 278                 break;
 279         case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
 280                 keylength = 16;
 281 #ifdef HAVE_KRB5
 282                 enc = &krb5int_enc_aes128;
 283 #endif
 284                 break;
 285         case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
 286                 keylength = 32;
 287 #ifdef HAVE_KRB5
 288                 enc = &krb5int_enc_aes256;
 289 #endif
 290                 break;
 291         default:
 292                 code = KRB5_BAD_ENCTYPE;
 293                 goto out;
 294         }
 295
 296         /* allocate memory for output key */
 297         if ((out->data = malloc(keylength)) == NULL) {
 298                 code = ENOMEM;
 299                 goto out;
 300         }
 301         out->length = keylength;
 302         out->type = in->type;
 303
 304         /* Convert to correct format for call to krb5_derive_key */
 305         key_lucid_to_krb5(in, &kin);
 306         key_lucid_to_krb5(out, &kout);
 307
 308         datain.data = (char *) constant_data;
 309         datain.length = K5CLENGTH;
 310
 311         ((char *)(datain.data))[0] = (usage>>24)&0xff;
 312         ((char *)(datain.data))[1] = (usage>>16)&0xff;
 313         ((char *)(datain.data))[2] = (usage>>8)&0xff;
 314         ((char *)(datain.data))[3] = usage&0xff;
 315
 316         ((char *)(datain.data))[4] = (char) extra;
 317
 318 #ifdef HAVE_KRB5
 319         code = krb5_derive_key(enc, &kin, &kout, &datain);
 320 #else
 321         if ((code = krb5_init_context(&kcontext))) {
 322         }
 323         code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
 324 #endif
 325         if (code) {
 326                 free(out->data);
 327                 out->data = NULL;
 328                 goto out;
 329         }
 330 #ifdef HAVE_KRB5
 331         key_krb5_to_lucid(&kout, out);
 332 #else
 333         key_krb5_to_lucid(outkey, out);
 334         krb5_free_keyblock(kcontext, outkey);
 335         krb5_free_context(kcontext);
 336 #endif
 337
 338   out:
 339         if (code)
 340                 printerr(0, "ERROR: %s: returning error %d (%s)\n",
 341                          __FUNCTION__, code, error_message(code));
 342         return (code);
 343 }
 344
 345
 346 /*
 347  * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx),
 348  * to send to the kernel for newer encryption types -- or for DES3.
 349  *
 350  * The new format is:
 351  *
 352  *      u32 initiate;                   ( whether we are the initiator or not )
 353  *      s32 endtime;
 354  *      u32 flags;
 355  *      #define KRB5_CTX_FLAG_INITIATOR         0x00000001
 356  *      #define KRB5_CTX_FLAG_CFX               0x00000002
 357  *      #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
 358  *      u64 seq_send;
 359  *      u32  enctype;                   ( encrption type of keys )
 360  *      u32  size_of_each_key;          ( size of each key in bytes )
 361  *      u32  number_of_keys;            ( N -- should always be 3 for now )
 362  *      keydata-1;                      ( Ke )
 363  *      keydata-2;                      ( Ki )
 364  *      keydata-3;                      ( Kc )
 365  *
 366  */
 367 static int
 368 prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
 369                             gss_buffer_desc *buf)
 370 {
 371         static int constant_two = 2;
 372         char *p, *end;
 373         uint32_t v2_flags = 0;
 374         gss_krb5_lucid_key_t enc_key;
 375         gss_krb5_lucid_key_t derived_key;
 376         gss_buffer_desc fakeoid;
 377         uint32_t enctype;
 378         uint32_t keysize;
 379         uint32_t numkeys;
 380
 381         memset(&enc_key, 0, sizeof(enc_key));
 382         memset(&fakeoid, 0, sizeof(fakeoid));
 383
 384         if (!(buf->value = calloc(1, MAX_CTX_LEN)))
 385                 goto out_err;
 386         p = buf->value;
 387         end = buf->value + MAX_CTX_LEN;
 388
 389         /* Version 2 */
 390         if (WRITE_BYTES(&p, end, constant_two)) goto out_err;
 391         if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
 392
 393         if (lctx->initiate)
 394                 v2_flags |= KRB5_CTX_FLAG_INITIATOR;
 395         if (lctx->protocol != 0)
 396                 v2_flags |= KRB5_CTX_FLAG_CFX;
 397         if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)
 398                 v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
 399
 400         if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
 401
 402         if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
 403
 404         /* Protocol 0 here implies DES3 or RC4 */
 405         printerr(3, "protocol %d\n", lctx->protocol);
 406         if (lctx->protocol == 0) {
 407                 enctype = lctx->rfc1964_kd.ctx_key.type;
 408 #ifdef HAVE_HEIMDAL
 409                 /*
 410                  * The kernel gss code expects ENCTYPE_DES3_CBC_RAW (6) for
 411                  * 3des keys, but Heimdal key has ENCTYPE_DES3_CBC_SHA1 (16).
 412                  * Force the Heimdal enctype to 6.
 413                  */
 414                 if (enctype == ENCTYPE_DES3_CBC_SHA1) {
 415                         printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
 416                                  __FUNCTION__, enctype, 6);
 417
 418                         enctype = 6;
 419                 }
 420 #endif
 421                 keysize = lctx->rfc1964_kd.ctx_key.length;
 422                 numkeys = 3;    /* XXX is always gonna be three? */
 423         } else {
 424                 if (lctx->cfx_kd.have_acceptor_subkey) {
 425                         enctype = lctx->cfx_kd.acceptor_subkey.type;
 426                         keysize = lctx->cfx_kd.acceptor_subkey.length;
 427                 } else {
 428                         enctype = lctx->cfx_kd.ctx_key.type;
 429                         keysize = lctx->cfx_kd.ctx_key.length;
 430                 }
 431                 numkeys = 3;
 432         }
 433         printerr(3, "serializing %d keys with enctype %d and size %d\n",
 434                  numkeys, enctype, keysize);
 435         if (WRITE_BYTES(&p, end, enctype)) goto out_err;
 436         if (WRITE_BYTES(&p, end, keysize)) goto out_err;
 437         if (WRITE_BYTES(&p, end, numkeys)) goto out_err;
 438
 439         if (lctx->protocol == 0) {
 440                 /* derive and send down: Ke, Ki, and Kc */
 441                 /* Ke */
 442                 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
 443                                 lctx->rfc1964_kd.ctx_key.length))
 444                         goto out_err;
 445
 446                 /* Ki */
 447                 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
 448                                 lctx->rfc1964_kd.ctx_key.length))
 449                         goto out_err;
 450
 451                 /* Kc */
 452                 /*
 453                  * RC4 is special, it dosen't need key derivation. Actually
 454                  * the Ke is based on plain text. Here we just let all three
 455                  * key identical, kernel will handle everything. --ericm
 456                  */
 457                 if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) {
 458                         if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
 459                                         lctx->rfc1964_kd.ctx_key.length))
 460                                 goto out_err;
 461                 } else {
 462                         if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
 463                                         &derived_key,
 464                                         KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
 465                                 goto out_err;
 466                         if (write_bytes(&p, end, derived_key.data,
 467                                         derived_key.length))
 468                                 goto out_err;
 469                         free(derived_key.data);
 470                 }
 471         } else {
 472                 gss_krb5_lucid_key_t *keyptr;
 473                 uint32_t sign_usage, seal_usage;
 474
 475                 if (lctx->cfx_kd.have_acceptor_subkey)
 476                         keyptr = &lctx->cfx_kd.acceptor_subkey;
 477                 else
 478                         keyptr = &lctx->cfx_kd.ctx_key;
 479
 480 #if 0
 481                 if (lctx->initiate == 1) {
 482                         sign_usage = KG_USAGE_INITIATOR_SIGN;
 483                         seal_usage = KG_USAGE_INITIATOR_SEAL;
 484                 } else {
 485                         sign_usage = KG_USAGE_ACCEPTOR_SIGN;
 486                         seal_usage = KG_USAGE_ACCEPTOR_SEAL;
 487                 }
 488 #else
 489                 /* FIXME
 490                  * These are from rfc4142, but I don't understand: if we supply
 491                  * different 'usage' value for client & server, then the peers
 492                  * will have different derived keys. How could this work?
 493                  *
 494                  * Here we simply use old SIGN/SEAL values until we find the
 495                  * answer.  --ericm
 496                  * FIXME
 497                  */
 498                 sign_usage = KG_USAGE_SIGN;
 499                 seal_usage = KG_USAGE_SEAL;
 500 #endif
 501
 502                 /* derive and send down: Ke, Ki, and Kc */
 503
 504                 /* Ke */
 505                 if (derive_key_lucid(keyptr, &derived_key,
 506                                seal_usage, KEY_USAGE_SEED_ENCRYPTION))
 507                         goto out_err;
 508                 if (write_bytes(&p, end, derived_key.data,
 509                                 derived_key.length))
 510                         goto out_err;
 511                 free(derived_key.data);
 512
 513                 /* Ki */
 514                 if (derive_key_lucid(keyptr, &derived_key,
 515                                seal_usage, KEY_USAGE_SEED_INTEGRITY))
 516                         goto out_err;
 517                 if (write_bytes(&p, end, derived_key.data,
 518                                 derived_key.length))
 519                         goto out_err;
 520                 free(derived_key.data);
 521
 522                 /* Kc */
 523                 if (derive_key_lucid(keyptr, &derived_key,
 524                                sign_usage, KEY_USAGE_SEED_CHECKSUM))
 525                         goto out_err;
 526                 if (write_bytes(&p, end, derived_key.data,
 527                                 derived_key.length))
 528                         goto out_err;
 529                 free(derived_key.data);
 530         }
 531
 532         buf->length = p - (char *)buf->value;
 533         return 0;
 534
 535 out_err:
 536         printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n",
 537                  __FUNCTION__);
 538         if (buf->value) {
 539                 free(buf->value);
 540                 buf->value = NULL;
 541         }
 542         buf->length = 0;
 543         if (enc_key.data) {
 544                 free(enc_key.data);
 545                 enc_key.data = NULL;
 546         }
 547         return -1;
 548 }
 549 int
 550 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
 551 {
 552         OM_uint32 maj_stat, min_stat;
 553         void *return_ctx = 0;
 554         OM_uint32 vers;
 555         gss_krb5_lucid_context_v1_t *lctx = 0;
 556         int retcode = 0;
 557
 558         printerr(3, "lucid version!\n");
 559         maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
 560                                                 1, &return_ctx);
 561         if (maj_stat != GSS_S_COMPLETE) {
 562                 pgsserr("gss_export_lucid_sec_context",
 563                         maj_stat, min_stat, &krb5oid);
 564                 goto out_err;
 565         }
 566
 567         /* Check the version returned, we only support v1 right now */
 568         vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
 569         switch (vers) {
 570         case 1:
 571                 lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 572                 break;
 573         default:
 574                 printerr(0, "ERROR: unsupported lucid sec context version %d\n",
 575                         vers);
 576                 goto out_err;
 577                 break;
 578         }
 579
 580         /*
 581          * Now lctx points to a lucid context that we can send down to kernel
 582          *
 583          * Note: we send down different information to the kernel depending
 584          * on the protocol version and the enctyption type.
 585          * For protocol version 0 with all enctypes besides DES3, we use
 586          * the original format.  For protocol version != 0 or DES3, we
 587          * send down the new style information.
 588          */
 589
 590         if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4)
 591                 retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
 592         else
 593                 retcode = prepare_krb5_rfc4121_buffer(lctx, buf);
 594
 595         maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
 596         if (maj_stat != GSS_S_COMPLETE) {
 597                 pgsserr("gss_export_lucid_sec_context",
 598                         maj_stat, min_stat, &krb5oid);
 599                 printerr(0, "WARN: failed to free lucid sec context\n");
 600         }
 601
 602         if (retcode) {
 603                 printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n",
 604                          __FUNCTION__, retcode);
 605                 goto out_err;
 606         }
 607
 608         return 0;
 609
 610 out_err:
 611         printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
 612         return -1;
 613 }
 614
 615
 616
 617 #endif /* HAVE_LUCID_CONTEXT_SUPPORT */