Whamcloud - gitweb
LU-6020 kerberos: checksum errors when using kerberos
[fs/lustre-release.git] / lustre / utils / gss / context_lucid.c
1 /*
2  * COPYRIGHT (c) 2006 The Regents of the University of Michigan
3  * ALL RIGHTS RESERVED
4  *
5  * Copyright (c) 2014, Intel Corporation.
6  *
7  * Permission is granted to use, copy, create derivative works
8  * and redistribute this software and such derivative works
9  * for any purpose, so long as the name of The University of
10  * Michigan is not used in any advertising or publicity
11  * pertaining to the use of distribution of this software
12  * without specific, written prior authorization.  If the
13  * above copyright notice or any other identification of the
14  * University of Michigan is included in any copy of any
15  * portion of this software, then the disclaimer below must
16  * also be included.
17  *
18  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
19  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
20  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
21  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
22  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
23  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
24  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
25  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
26  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
27  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
28  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGES.
30  */
31
32 #include "config.h"
33
34 #ifdef HAVE_LUCID_CONTEXT_SUPPORT
35
36 /*
37  * Newer versions of MIT and Heimdal have lucid context support.
38  * We can use common code if it is supported.
39  */
40
41 #include <stdio.h>
42 #include <syslog.h>
43 #include <string.h>
44 #include <errno.h>
45 #include <stdint.h>
46 #include <krb5.h>
47 #include <gssapi/gssapi.h>
48 #ifndef OM_uint64
49 typedef uint64_t OM_uint64;
50 #endif
51 #include <gssapi/gssapi_krb5.h>
52
53 #ifdef _NEW_BUILD_
54 # include "lgss_utils.h"
55 #else
56 # include "gss_util.h"
57 # include "gss_oids.h"
58 # include "err_util.h"
59 #endif
60 #include "write_bytes.h"
61 #include "context.h"
62
63 extern OM_uint32 gss_export_lucid_sec_context(OM_uint32 *min_stat,
64                                               gss_ctx_id_t *ctx,
65                                               OM_uint32 version,
66                                               void **kctx);
67 extern OM_uint32 gss_free_lucid_sec_context(OM_uint32 *min_stat,
68                                             gss_ctx_id_t ctx,
69                                             void *kctx);
70
71 static int
72 write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
73 {
74         gss_buffer_desc tmp;
75
76         if (WRITE_BYTES(p, end, key->type)) return -1;
77         tmp.length = key->length;
78         tmp.value = key->data;
79         if (write_buffer(p, end, &tmp)) return -1;
80         return 0;
81 }
82
83 static int
84 prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
85         gss_buffer_desc *buf)
86 {
87         char *p, *end;
88         static int constant_zero = 0;
89         unsigned char fakeseed[16] = { 0 };
90         uint32_t word_send_seq;
91         gss_krb5_lucid_key_t enc_key;
92         int i;
93         char *skd, *dkd;
94
95         /*
96          * The new Kerberos interface to get the gss context
97          * does not include the seed or seed_init fields
98          * because we never really use them.  But for now,
99          * send down a fake buffer so we can use the same
100          * interface to the kernel.
101          */
102         memset(&enc_key, 0, sizeof(enc_key));
103
104         if (!(buf->value = calloc(1, MAX_CTX_LEN)))
105                 goto out_err;
106         p = buf->value;
107         end = buf->value + MAX_CTX_LEN;
108
109         if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
110
111         /* seed_init and seed not used by kernel anyway */
112         if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
113         if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
114
115         if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
116         if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
117         if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
118         word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */
119         if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
120         if (write_oid(&p, end, &krb5oid)) goto out_err;
121
122 #ifdef HAVE_HEIMDAL
123         /*
124          * The kernel gss code expects des-cbc-raw for all flavors of des.
125          * The keytype from MIT has this type, but Heimdal does not.
126          * Force the Heimdal keytype to 4 (des-cbc-raw).
127          * Note that the rfc1964 version only supports DES enctypes.
128          */
129         if (lctx->rfc1964_kd.ctx_key.type != 4) {
130                 printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
131                          __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4);
132                 lctx->rfc1964_kd.ctx_key.type = 4;
133         }
134 #endif
135         printerr(2, "%s: serializing keys with enctype %d and length %d\n",
136                  __FUNCTION__, lctx->rfc1964_kd.ctx_key.type,
137                  lctx->rfc1964_kd.ctx_key.length);
138
139         /* derive the encryption key and copy it into buffer */
140         enc_key.type = lctx->rfc1964_kd.ctx_key.type;
141         enc_key.length = lctx->rfc1964_kd.ctx_key.length;
142         if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
143                 goto out_err;
144         skd = (char *) lctx->rfc1964_kd.ctx_key.data;
145         dkd = (char *) enc_key.data;
146         for (i = 0; i < enc_key.length; i++)
147                 dkd[i] = skd[i] ^ 0xf0;
148         if (write_lucid_keyblock(&p, end, &enc_key))
149                 goto out_err;
150         if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
151                 goto out_err;
152         free(enc_key.data);
153
154         buf->length = p - (char *)buf->value;
155         return 0;
156 out_err:
157         printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
158         if (buf->value) {
159                 free(buf->value);
160                 buf->value = NULL;
161         }
162         buf->length = 0;
163         if (enc_key.data) free(enc_key.data);
164         return -1;
165 }
166
167 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
168 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
169
170 /* for 3DES */
171 #define KG_USAGE_SEAL 22
172 #define KG_USAGE_SIGN 23
173 #define KG_USAGE_SEQ  24
174
175 /* for rfc???? */
176 #define KG_USAGE_ACCEPTOR_SEAL  22
177 #define KG_USAGE_ACCEPTOR_SIGN  23
178 #define KG_USAGE_INITIATOR_SEAL 24
179 #define KG_USAGE_INITIATOR_SIGN 25
180
181 /* Lifted from mit src/lib/gssapi/krb5/gssapiP_krb5.h */
182 enum seal_alg {
183   SEAL_ALG_NONE            = 0xffff,
184   SEAL_ALG_DES             = 0x0000,
185   SEAL_ALG_1               = 0x0001, /* not published */
186   SEAL_ALG_MICROSOFT_RC4   = 0x0010, /* microsoft w2k;  */
187   SEAL_ALG_DES3KD          = 0x0002
188 };
189
190 #define KEY_USAGE_SEED_ENCRYPTION       0xAA
191 #define KEY_USAGE_SEED_INTEGRITY        0x55
192 #define KEY_USAGE_SEED_CHECKSUM         0x99
193 #define K5CLENGTH 5
194
195 /* Flags for version 2 context flags */
196 #define KRB5_CTX_FLAG_INITIATOR         0x00000001
197 #define KRB5_CTX_FLAG_CFX               0x00000002
198 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
199
200 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
201 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
202 /*
203  * We don't have "legal" access to these MIT-only
204  * structures located in libk5crypto
205  */
206 extern void *krb5int_enc_arcfour;
207 extern void *krb5int_enc_des3;
208 extern void *krb5int_enc_aes128;
209 extern void *krb5int_enc_aes256;
210
211 static void
212 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
213 {
214         memset(kout, 0, sizeof(*kout));
215 #ifdef HAVE_KRB5
216         kout->enctype = lin->type;
217         kout->length = lin->length;
218         kout->contents = lin->data;
219 #else
220         kout->keytype = lin->type;
221         kout->keyvalue.length = lin->length;
222         kout->keyvalue.data = lin->data;
223 #endif
224 }
225
226 static int
227 key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout)
228 {
229         memset(lout, 0, sizeof(*lout));
230
231 #ifdef HAVE_KRB5
232         lout->data = malloc(kin->length);
233         if (lout->data == NULL)
234                 return KRB5_CC_NOMEM;
235
236         lout->type = kin->enctype;
237         lout->length = kin->length;
238         memcpy(lout->data, kin->contents, kin->length);
239 #else
240         lout->data = malloc(kin->keyvalue.length);
241         if (lout->data == NULL)
242                 return KRB5_CC_NOMEM;
243
244         lout->type = kin->keytype;
245         lout->length = kin->keyvalue.length;
246         memcpy(lout->data, kin->keyvalue.data, kin->keyvalue.length);
247 #endif
248
249         return 0;
250 }
251
252 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
253 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
254 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
255 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
256 /*
257  * Function to derive a new key from a given key and given constant data.
258  */
259 static krb5_error_code
260 derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
261                  int usage, char extra)
262 {
263         krb5_error_code code;
264         unsigned char constant_data[K5CLENGTH];
265         krb5_data datain;
266         int keylength;
267 #ifdef HAVE_KRB5
268         void *enc;
269 #endif
270         krb5_keyblock kin;  /* must send krb5_keyblock, not lucid! */
271 #if defined(HAVE_HEIMDAL) || HAVE_KRB5INT_DERIVE_KEY
272         krb5_context kcontext;
273         krb5_keyblock *outkey;
274 #else
275         krb5_keyblock kout;
276 #endif
277 #if HAVE_KRB5INT_DERIVE_KEY
278         krb5_key key_in, key_out;
279 #endif
280
281         /*
282          * XXX Hack alert.  We don't have "legal" access to these
283          * values and structures located in libk5crypto
284          */
285         switch (in->type) {
286         case ENCTYPE_DES3_CBC_SHA1:
287 #ifdef HAVE_KRB5
288         case ENCTYPE_DES3_CBC_RAW:
289 #endif
290                 keylength = 24;
291 #ifdef HAVE_KRB5
292                 enc = &krb5int_enc_des3;
293 #endif
294                 break;
295         case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
296                 keylength = 16;
297 #ifdef HAVE_KRB5
298                 enc = &krb5int_enc_aes128;
299 #endif
300                 break;
301         case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
302                 keylength = 32;
303 #ifdef HAVE_KRB5
304                 enc = &krb5int_enc_aes256;
305 #endif
306                 break;
307         default:
308                 code = KRB5_BAD_ENCTYPE;
309                 goto out;
310         }
311
312         /* Convert to correct format for call to krb5_derive_key */
313         key_lucid_to_krb5(in, &kin);
314
315         datain.data = (char *) constant_data;
316         datain.length = K5CLENGTH;
317
318         ((char *)(datain.data))[0] = (usage>>24)&0xff;
319         ((char *)(datain.data))[1] = (usage>>16)&0xff;
320         ((char *)(datain.data))[2] = (usage>>8)&0xff;
321         ((char *)(datain.data))[3] = usage&0xff;
322
323         ((char *)(datain.data))[4] = (char) extra;
324
325         /* Step 1: Init context */
326         /* Heimdal and newer MIT Kerberos require kcontext */
327 #if defined(HAVE_KRB5INT_DERIVE_KEY) || defined(HAVE_HEIMDAL)
328         code = krb5_init_context(&kcontext);
329         if (code)
330                 goto out;
331 #endif
332
333         /* Step 2: Get the derived key */
334 #ifdef HAVE_KRB5
335 #if HAVE_KRB5INT_DERIVE_KEY
336         code = krb5_k_create_key(kcontext, &kin, &key_in);
337         if (code)
338                 goto out;
339
340         code = krb5int_derive_key(enc, key_in, &key_out, &datain,
341                                   DERIVE_RFC3961);
342
343         krb5_k_free_key(kcontext, key_in);
344         if (code == 0) {
345                 krb5_k_key_keyblock(kcontext, key_out, &outkey);
346                 krb5_k_free_key(kcontext, key_out);
347         }
348 #else  /* !HAVE_KRB5INT_DERIVE_KEY */
349         out->length = keylength;
350         out->type = in->type;
351
352         key_lucid_to_krb5(out, &kout);
353
354         code = krb5_derive_key(enc, &kin, &kout, &datain);
355 #endif  /* HAVE_KRB5INT_DERIVE_KEY */
356 #else   /* !defined(HAVE_KRB5) */
357         code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
358 #endif  /* defined(HAVE_KRB5) */
359
360         if (code)
361                 goto out;
362
363         /* Step 3: Copy the key to out */
364 #if defined(HAVE_KRB5INT_DERIVE_KEY) || defined(HAVE_HEIMDAL)
365         code = key_krb5_to_lucid(outkey, out);
366         krb5_free_keyblock(kcontext, outkey);
367 #else   /* !defined(HAVE_KRB5) */
368         code = key_krb5_to_lucid(&kout, out);
369 #endif  /* defined(HAVE_KRB5) */
370
371         /* Step 4: Free the context */
372 #if defined(HAVE_KRB5INT_DERIVE_KEY) || defined(HAVE_HEIMDAL)
373         krb5_free_context(kcontext);
374 #endif
375
376   out:
377         if (code)
378                 printerr(0, "ERROR: %s: returning error %d (%s)\n",
379                          __FUNCTION__, code, error_message(code));
380         return (code);
381 }
382
383
384 /*
385  * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx),
386  * to send to the kernel for newer encryption types -- or for DES3.
387  *
388  * The new format is:
389  *
390  *      u32 initiate;                   ( whether we are the initiator or not )
391  *      s32 endtime;
392  *      u32 flags;
393  *      #define KRB5_CTX_FLAG_INITIATOR         0x00000001
394  *      #define KRB5_CTX_FLAG_CFX               0x00000002
395  *      #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
396  *      u64 seq_send;
397  *      u32  enctype;                   ( encrption type of keys )
398  *      u32  size_of_each_key;          ( size of each key in bytes )
399  *      u32  number_of_keys;            ( N -- should always be 3 for now )
400  *      keydata-1;                      ( Ke )
401  *      keydata-2;                      ( Ki )
402  *      keydata-3;                      ( Kc )
403  *
404  */
405 static int
406 prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
407                             gss_buffer_desc *buf)
408 {
409         static int constant_two = 2;
410         char *p, *end;
411         uint32_t v2_flags = 0;
412         gss_krb5_lucid_key_t enc_key;
413         gss_krb5_lucid_key_t derived_key;
414         gss_buffer_desc fakeoid;
415         uint32_t enctype;
416         uint32_t keysize;
417         uint32_t numkeys;
418
419         memset(&enc_key, 0, sizeof(enc_key));
420         memset(&fakeoid, 0, sizeof(fakeoid));
421
422         if (!(buf->value = calloc(1, MAX_CTX_LEN)))
423                 goto out_err;
424         p = buf->value;
425         end = buf->value + MAX_CTX_LEN;
426
427         /* Version 2 */
428         if (WRITE_BYTES(&p, end, constant_two)) goto out_err;
429         if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
430
431         if (lctx->initiate)
432                 v2_flags |= KRB5_CTX_FLAG_INITIATOR;
433         if (lctx->protocol != 0)
434                 v2_flags |= KRB5_CTX_FLAG_CFX;
435         if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)
436                 v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
437
438         if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
439
440         if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
441
442         /* Protocol 0 here implies DES3 or RC4 */
443         printerr(3, "protocol %d\n", lctx->protocol);
444         if (lctx->protocol == 0) {
445                 enctype = lctx->rfc1964_kd.ctx_key.type;
446 #ifdef HAVE_HEIMDAL
447                 /*
448                  * The kernel gss code expects ENCTYPE_DES3_CBC_RAW (6) for
449                  * 3des keys, but Heimdal key has ENCTYPE_DES3_CBC_SHA1 (16).
450                  * Force the Heimdal enctype to 6.
451                  */
452                 if (enctype == ENCTYPE_DES3_CBC_SHA1) {
453                         printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
454                                  __FUNCTION__, enctype, 6);
455
456                         enctype = 6;
457                 }
458 #endif
459                 keysize = lctx->rfc1964_kd.ctx_key.length;
460                 numkeys = 3;    /* XXX is always gonna be three? */
461         } else {
462                 if (lctx->cfx_kd.have_acceptor_subkey) {
463                         enctype = lctx->cfx_kd.acceptor_subkey.type;
464                         keysize = lctx->cfx_kd.acceptor_subkey.length;
465                 } else {
466                         enctype = lctx->cfx_kd.ctx_key.type;
467                         keysize = lctx->cfx_kd.ctx_key.length;
468                 }
469                 numkeys = 3;
470         }
471         printerr(3, "serializing %d keys with enctype %d and size %d\n",
472                  numkeys, enctype, keysize);
473         if (WRITE_BYTES(&p, end, enctype)) goto out_err;
474         if (WRITE_BYTES(&p, end, keysize)) goto out_err;
475         if (WRITE_BYTES(&p, end, numkeys)) goto out_err;
476
477         if (lctx->protocol == 0) {
478                 /* derive and send down: Ke, Ki, and Kc */
479                 /* Ke */
480                 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
481                                 lctx->rfc1964_kd.ctx_key.length))
482                         goto out_err;
483
484                 /* Ki */
485                 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
486                                 lctx->rfc1964_kd.ctx_key.length))
487                         goto out_err;
488
489                 /* Kc */
490                 /*
491                  * RC4 is special, it dosen't need key derivation. Actually
492                  * the Ke is based on plain text. Here we just let all three
493                  * key identical, kernel will handle everything. --ericm
494                  */
495                 if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) {
496                         if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
497                                         lctx->rfc1964_kd.ctx_key.length))
498                                 goto out_err;
499                 } else {
500                         if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
501                                         &derived_key,
502                                         KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
503                                 goto out_err;
504                         if (write_bytes(&p, end, derived_key.data,
505                                         derived_key.length))
506                                 goto out_err;
507                         free(derived_key.data);
508                 }
509         } else {
510                 gss_krb5_lucid_key_t *keyptr;
511                 uint32_t sign_usage, seal_usage;
512
513                 if (lctx->cfx_kd.have_acceptor_subkey)
514                         keyptr = &lctx->cfx_kd.acceptor_subkey;
515                 else
516                         keyptr = &lctx->cfx_kd.ctx_key;
517
518 #if 0
519                 if (lctx->initiate == 1) {
520                         sign_usage = KG_USAGE_INITIATOR_SIGN;
521                         seal_usage = KG_USAGE_INITIATOR_SEAL;
522                 } else {
523                         sign_usage = KG_USAGE_ACCEPTOR_SIGN;
524                         seal_usage = KG_USAGE_ACCEPTOR_SEAL;
525                 }
526 #else
527                 /* FIXME
528                  * These are from rfc4142, but I don't understand: if we supply
529                  * different 'usage' value for client & server, then the peers
530                  * will have different derived keys. How could this work?
531                  *
532                  * Here we simply use old SIGN/SEAL values until we find the
533                  * answer.  --ericm
534                  * FIXME
535                  */
536                 sign_usage = KG_USAGE_SIGN;
537                 seal_usage = KG_USAGE_SEAL;
538 #endif
539
540                 /* derive and send down: Ke, Ki, and Kc */
541
542                 /* Ke */
543                 if (derive_key_lucid(keyptr, &derived_key,
544                                seal_usage, KEY_USAGE_SEED_ENCRYPTION))
545                         goto out_err;
546                 if (write_bytes(&p, end, derived_key.data,
547                                 derived_key.length))
548                         goto out_err;
549                 free(derived_key.data);
550
551                 /* Ki */
552                 if (derive_key_lucid(keyptr, &derived_key,
553                                seal_usage, KEY_USAGE_SEED_INTEGRITY))
554                         goto out_err;
555                 if (write_bytes(&p, end, derived_key.data,
556                                 derived_key.length))
557                         goto out_err;
558                 free(derived_key.data);
559
560                 /* Kc */
561                 if (derive_key_lucid(keyptr, &derived_key,
562                                sign_usage, KEY_USAGE_SEED_CHECKSUM))
563                         goto out_err;
564                 if (write_bytes(&p, end, derived_key.data,
565                                 derived_key.length))
566                         goto out_err;
567                 free(derived_key.data);
568         }
569
570         buf->length = p - (char *)buf->value;
571         return 0;
572
573 out_err:
574         printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n",
575                  __FUNCTION__);
576         if (buf->value) {
577                 free(buf->value);
578                 buf->value = NULL;
579         }
580         buf->length = 0;
581         if (enc_key.data) {
582                 free(enc_key.data);
583                 enc_key.data = NULL;
584         }
585         return -1;
586 }
587 int
588 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
589 {
590         OM_uint32 maj_stat, min_stat;
591         void *return_ctx = 0;
592         OM_uint32 vers;
593         gss_krb5_lucid_context_v1_t *lctx = 0;
594         int retcode = 0;
595
596         printerr(3, "lucid version!\n");
597         maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
598                                                 1, &return_ctx);
599         if (maj_stat != GSS_S_COMPLETE) {
600                 pgsserr("gss_export_lucid_sec_context",
601                         maj_stat, min_stat, &krb5oid);
602                 goto out_err;
603         }
604
605         /* Check the version returned, we only support v1 right now */
606         vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
607         switch (vers) {
608         case 1:
609                 lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
610                 break;
611         default:
612                 printerr(0, "ERROR: unsupported lucid sec context version %d\n",
613                         vers);
614                 goto out_err;
615                 break;
616         }
617
618         /*
619          * Now lctx points to a lucid context that we can send down to kernel
620          *
621          * Note: we send down different information to the kernel depending
622          * on the protocol version and the enctyption type.
623          * For protocol version 0 with all enctypes besides DES3, we use
624          * the original format.  For protocol version != 0 or DES3, we
625          * send down the new style information.
626          */
627
628         if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4)
629                 retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
630         else
631                 retcode = prepare_krb5_rfc4121_buffer(lctx, buf);
632
633         maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
634         if (maj_stat != GSS_S_COMPLETE) {
635                 pgsserr("gss_export_lucid_sec_context",
636                         maj_stat, min_stat, &krb5oid);
637                 printerr(0, "WARN: failed to free lucid sec context\n");
638         }
639
640         if (retcode) {
641                 printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n",
642                          __FUNCTION__, retcode);
643                 goto out_err;
644         }
645
646         return 0;
647
648 out_err:
649         printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
650         return -1;
651 }
652
653
654
655 #endif /* HAVE_LUCID_CONTEXT_SUPPORT */