Whamcloud - gitweb
ef07dfffa49e4b7b52c88de381e99d1de9df5cdf
[fs/lustre-release.git] / lustre / utils / gss / context_lucid.c
1 /*
2  * COPYRIGHT (c) 2006 The Regents of the University of Michigan
3  * ALL RIGHTS RESERVED
4  *
5  * Copyright (c) 2014, Intel Corporation.
6  *
7  * Permission is granted to use, copy, create derivative works
8  * and redistribute this software and such derivative works
9  * for any purpose, so long as the name of The University of
10  * Michigan is not used in any advertising or publicity
11  * pertaining to the use of distribution of this software
12  * without specific, written prior authorization.  If the
13  * above copyright notice or any other identification of the
14  * University of Michigan is included in any copy of any
15  * portion of this software, then the disclaimer below must
16  * also be included.
17  *
18  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
19  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
20  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
21  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
22  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
23  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
24  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
25  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
26  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
27  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
28  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGES.
30  */
31
32 #include "config.h"
33
34 #ifdef HAVE_LUCID_CONTEXT_SUPPORT
35
36 /*
37  * Newer versions of MIT and Heimdal have lucid context support.
38  * We can use common code if it is supported.
39  */
40
41 #include <stdio.h>
42 #include <syslog.h>
43 #include <string.h>
44 #include <errno.h>
45 #include <stdint.h>
46 #include <krb5.h>
47 #include <gssapi/gssapi.h>
48 #ifndef OM_uint64
49 typedef uint64_t OM_uint64;
50 #endif
51 #include <gssapi/gssapi_krb5.h>
52
53 #ifdef _NEW_BUILD_
54 # include "lgss_utils.h"
55 #else
56 # include "gss_util.h"
57 # include "gss_oids.h"
58 # include "err_util.h"
59 #endif
60 #include "write_bytes.h"
61 #include "context.h"
62
63 extern OM_uint32 gss_export_lucid_sec_context(OM_uint32 *min_stat,
64                                               gss_ctx_id_t *ctx,
65                                               OM_uint32 version,
66                                               void **kctx);
67 extern OM_uint32 gss_free_lucid_sec_context(OM_uint32 *min_stat,
68                                             gss_ctx_id_t ctx,
69                                             void *kctx);
70
71 static int
72 write_lucid_keyblock(char **p, char *end, gss_krb5_lucid_key_t *key)
73 {
74         gss_buffer_desc tmp;
75
76         if (WRITE_BYTES(p, end, key->type)) return -1;
77         tmp.length = key->length;
78         tmp.value = key->data;
79         if (write_buffer(p, end, &tmp)) return -1;
80         return 0;
81 }
82
83 static int
84 prepare_krb5_rfc1964_buffer(gss_krb5_lucid_context_v1_t *lctx,
85         gss_buffer_desc *buf)
86 {
87         char *p, *end;
88         static int constant_zero = 0;
89         unsigned char fakeseed[16] = { 0 };
90         uint32_t word_send_seq;
91         gss_krb5_lucid_key_t enc_key;
92         int i;
93         char *skd, *dkd;
94
95         /*
96          * The new Kerberos interface to get the gss context
97          * does not include the seed or seed_init fields
98          * because we never really use them.  But for now,
99          * send down a fake buffer so we can use the same
100          * interface to the kernel.
101          */
102         memset(&enc_key, 0, sizeof(enc_key));
103
104         if (!(buf->value = calloc(1, MAX_CTX_LEN)))
105                 goto out_err;
106         p = buf->value;
107         end = buf->value + MAX_CTX_LEN;
108
109         if (WRITE_BYTES(&p, end, lctx->initiate)) goto out_err;
110
111         /* seed_init and seed not used by kernel anyway */
112         if (WRITE_BYTES(&p, end, constant_zero)) goto out_err;
113         if (write_bytes(&p, end, &fakeseed, 16)) goto out_err;
114
115         if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.sign_alg)) goto out_err;
116         if (WRITE_BYTES(&p, end, lctx->rfc1964_kd.seal_alg)) goto out_err;
117         if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
118         word_send_seq = lctx->send_seq; /* XXX send_seq is 64-bit */
119         if (WRITE_BYTES(&p, end, word_send_seq)) goto out_err;
120         if (write_oid(&p, end, &krb5oid)) goto out_err;
121
122 #ifdef HAVE_HEIMDAL
123         /*
124          * The kernel gss code expects des-cbc-raw for all flavors of des.
125          * The keytype from MIT has this type, but Heimdal does not.
126          * Force the Heimdal keytype to 4 (des-cbc-raw).
127          * Note that the rfc1964 version only supports DES enctypes.
128          */
129         if (lctx->rfc1964_kd.ctx_key.type != 4) {
130                 printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
131                          __FUNCTION__, lctx->rfc1964_kd.ctx_key.type, 4);
132                 lctx->rfc1964_kd.ctx_key.type = 4;
133         }
134 #endif
135         printerr(2, "%s: serializing keys with enctype %d and length %d\n",
136                  __FUNCTION__, lctx->rfc1964_kd.ctx_key.type,
137                  lctx->rfc1964_kd.ctx_key.length);
138
139         /* derive the encryption key and copy it into buffer */
140         enc_key.type = lctx->rfc1964_kd.ctx_key.type;
141         enc_key.length = lctx->rfc1964_kd.ctx_key.length;
142         if ((enc_key.data = calloc(1, enc_key.length)) == NULL)
143                 goto out_err;
144         skd = (char *) lctx->rfc1964_kd.ctx_key.data;
145         dkd = (char *) enc_key.data;
146         for (i = 0; i < enc_key.length; i++)
147                 dkd[i] = skd[i] ^ 0xf0;
148         if (write_lucid_keyblock(&p, end, &enc_key))
149                 goto out_err;
150         if (write_lucid_keyblock(&p, end, &lctx->rfc1964_kd.ctx_key))
151                 goto out_err;
152         free(enc_key.data);
153
154         buf->length = p - (char *)buf->value;
155         return 0;
156 out_err:
157         printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
158         if (buf->value) {
159                 free(buf->value);
160                 buf->value = NULL;
161         }
162         buf->length = 0;
163         if (enc_key.data) free(enc_key.data);
164         return -1;
165 }
166
167 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
168 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
169
170 /* for 3DES */
171 #define KG_USAGE_SEAL 22
172 #define KG_USAGE_SIGN 23
173 #define KG_USAGE_SEQ  24
174
175 /* for rfc???? */
176 #define KG_USAGE_ACCEPTOR_SEAL  22
177 #define KG_USAGE_ACCEPTOR_SIGN  23
178 #define KG_USAGE_INITIATOR_SEAL 24
179 #define KG_USAGE_INITIATOR_SIGN 25
180
181 /* Lifted from mit src/lib/gssapi/krb5/gssapiP_krb5.h */
182 enum seal_alg {
183   SEAL_ALG_NONE            = 0xffff,
184   SEAL_ALG_DES             = 0x0000,
185   SEAL_ALG_1               = 0x0001, /* not published */
186   SEAL_ALG_MICROSOFT_RC4   = 0x0010, /* microsoft w2k;  */
187   SEAL_ALG_DES3KD          = 0x0002
188 };
189
190 #define KEY_USAGE_SEED_ENCRYPTION       0xAA
191 #define KEY_USAGE_SEED_INTEGRITY        0x55
192 #define KEY_USAGE_SEED_CHECKSUM         0x99
193 #define K5CLENGTH 5
194
195 /* Flags for version 2 context flags */
196 #define KRB5_CTX_FLAG_INITIATOR         0x00000001
197 #define KRB5_CTX_FLAG_CFX               0x00000002
198 #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
199
200 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
201 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
202 /*
203  * We don't have "legal" access to these MIT-only
204  * structures located in libk5crypto
205  */
206 extern void *krb5int_enc_arcfour;
207 extern void *krb5int_enc_des3;
208 extern void *krb5int_enc_aes128;
209 extern void *krb5int_enc_aes256;
210
211 static void
212 key_lucid_to_krb5(const gss_krb5_lucid_key_t *lin, krb5_keyblock *kout)
213 {
214         memset(kout, 0, sizeof(*kout));
215 #ifdef HAVE_KRB5
216         kout->enctype = lin->type;
217         kout->length = lin->length;
218         kout->contents = lin->data;
219 #else
220         kout->keytype = lin->type;
221         kout->keyvalue.length = lin->length;
222         kout->keyvalue.data = lin->data;
223 #endif
224 }
225
226 static void
227 key_krb5_to_lucid(const krb5_keyblock *kin, gss_krb5_lucid_key_t *lout)
228 {
229         memset(lout, 0, sizeof(*lout));
230 #ifdef HAVE_KRB5
231         lout->type = kin->enctype;
232         lout->length = kin->length;
233         lout->data = kin->contents;
234 #else
235         lout->type = kin->keytype;
236         lout->length = kin->keyvalue.length;
237         memcpy(lout->data, kin->keyvalue.data, kin->keyvalue.length);
238 #endif
239 }
240
241 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
242 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
243 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
244 /* XXX Hack alert! XXX  Do NOT submit upstream! XXX */
245 /*
246  * Function to derive a new key from a given key and given constant data.
247  */
248 static krb5_error_code
249 derive_key_lucid(const gss_krb5_lucid_key_t *in, gss_krb5_lucid_key_t *out,
250                  int usage, char extra)
251 {
252         krb5_error_code code;
253         unsigned char constant_data[K5CLENGTH];
254         krb5_data datain;
255         int keylength;
256         void *enc;
257         krb5_keyblock kin, kout;  /* must send krb5_keyblock, not lucid! */
258 #if defined(HAVE_HEIMDAL) || HAVE_KRB5INT_DERIVE_KEY
259         krb5_context kcontext;
260 #endif
261 #if HAVE_KRB5INT_DERIVE_KEY
262         krb5_key key_in, key_out;
263 #endif
264 #ifdef HAVE_HEIMDAL
265         krb5_keyblock *outkey;
266 #endif
267
268         /*
269          * XXX Hack alert.  We don't have "legal" access to these
270          * values and structures located in libk5crypto
271          */
272         switch (in->type) {
273         case ENCTYPE_DES3_CBC_SHA1:
274 #ifdef HAVE_KRB5
275         case ENCTYPE_DES3_CBC_RAW:
276 #endif
277                 keylength = 24;
278 #ifdef HAVE_KRB5
279                 enc = &krb5int_enc_des3;
280 #endif
281                 break;
282         case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
283                 keylength = 16;
284 #ifdef HAVE_KRB5
285                 enc = &krb5int_enc_aes128;
286 #endif
287                 break;
288         case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
289                 keylength = 32;
290 #ifdef HAVE_KRB5
291                 enc = &krb5int_enc_aes256;
292 #endif
293                 break;
294         default:
295                 code = KRB5_BAD_ENCTYPE;
296                 goto out;
297         }
298
299         /* allocate memory for output key */
300         if ((out->data = malloc(keylength)) == NULL) {
301                 code = ENOMEM;
302                 goto out;
303         }
304         out->length = keylength;
305         out->type = in->type;
306
307         /* Convert to correct format for call to krb5_derive_key */
308         key_lucid_to_krb5(in, &kin);
309         key_lucid_to_krb5(out, &kout);
310
311         datain.data = (char *) constant_data;
312         datain.length = K5CLENGTH;
313
314         ((char *)(datain.data))[0] = (usage>>24)&0xff;
315         ((char *)(datain.data))[1] = (usage>>16)&0xff;
316         ((char *)(datain.data))[2] = (usage>>8)&0xff;
317         ((char *)(datain.data))[3] = usage&0xff;
318
319         ((char *)(datain.data))[4] = (char) extra;
320
321 #ifdef HAVE_KRB5
322 #if HAVE_KRB5INT_DERIVE_KEY
323         code = krb5_init_context(&kcontext);
324         if (code) {
325                 free(out->data);
326                 out->data = NULL;
327                 goto out;
328         }
329         code = krb5_k_create_key(kcontext, &kin, &key_in);
330         if (code) {
331                 free(out->data);
332                 out->data = NULL;
333                 goto out;
334         }
335         code = krb5_k_create_key(kcontext, &kout, &key_out);
336         if (code) {
337                 free(out->data);
338                 out->data = NULL;
339                 goto out;
340         }
341         code = krb5int_derive_key(enc, key_in, &key_out, &datain,
342                                   DERIVE_RFC3961);
343 #else  /* !HAVE_KRB5INT_DERIVE_KEY */
344         code = krb5_derive_key(enc, &kin, &kout, &datain);
345 #endif  /* HAVE_KRB5INT_DERIVE_KEY */
346 #else   /* !defined(HAVE_KRB5) */
347         if ((code = krb5_init_context(&kcontext))) {
348         }
349         code = krb5_derive_key(kcontext, &kin, in->type, constant_data, K5CLENGTH, &outkey);
350 #endif  /* defined(HAVE_KRB5) */
351         if (code) {
352                 free(out->data);
353                 out->data = NULL;
354                 goto out;
355         }
356 #ifdef HAVE_KRB5
357         key_krb5_to_lucid(&kout, out);
358 #if HAVE_KRB5INT_DERIVE_KEY
359         krb5_free_context(kcontext);
360 #endif  /* HAVE_KRB5INT_DERIVE_KEY */
361 #else   /* !defined(HAVE_KRB5) */
362         key_krb5_to_lucid(outkey, out);
363         krb5_free_keyblock(kcontext, outkey);
364         krb5_free_context(kcontext);
365 #endif  /* defined(HAVE_KRB5) */
366
367   out:
368         if (code)
369                 printerr(0, "ERROR: %s: returning error %d (%s)\n",
370                          __FUNCTION__, code, error_message(code));
371         return (code);
372 }
373
374
375 /*
376  * Prepare a new-style buffer, as defined in rfc4121 (a.k.a. cfx),
377  * to send to the kernel for newer encryption types -- or for DES3.
378  *
379  * The new format is:
380  *
381  *      u32 initiate;                   ( whether we are the initiator or not )
382  *      s32 endtime;
383  *      u32 flags;
384  *      #define KRB5_CTX_FLAG_INITIATOR         0x00000001
385  *      #define KRB5_CTX_FLAG_CFX               0x00000002
386  *      #define KRB5_CTX_FLAG_ACCEPTOR_SUBKEY   0x00000004
387  *      u64 seq_send;
388  *      u32  enctype;                   ( encrption type of keys )
389  *      u32  size_of_each_key;          ( size of each key in bytes )
390  *      u32  number_of_keys;            ( N -- should always be 3 for now )
391  *      keydata-1;                      ( Ke )
392  *      keydata-2;                      ( Ki )
393  *      keydata-3;                      ( Kc )
394  *
395  */
396 static int
397 prepare_krb5_rfc4121_buffer(gss_krb5_lucid_context_v1_t *lctx,
398                             gss_buffer_desc *buf)
399 {
400         static int constant_two = 2;
401         char *p, *end;
402         uint32_t v2_flags = 0;
403         gss_krb5_lucid_key_t enc_key;
404         gss_krb5_lucid_key_t derived_key;
405         gss_buffer_desc fakeoid;
406         uint32_t enctype;
407         uint32_t keysize;
408         uint32_t numkeys;
409
410         memset(&enc_key, 0, sizeof(enc_key));
411         memset(&fakeoid, 0, sizeof(fakeoid));
412
413         if (!(buf->value = calloc(1, MAX_CTX_LEN)))
414                 goto out_err;
415         p = buf->value;
416         end = buf->value + MAX_CTX_LEN;
417
418         /* Version 2 */
419         if (WRITE_BYTES(&p, end, constant_two)) goto out_err;
420         if (WRITE_BYTES(&p, end, lctx->endtime)) goto out_err;
421
422         if (lctx->initiate)
423                 v2_flags |= KRB5_CTX_FLAG_INITIATOR;
424         if (lctx->protocol != 0)
425                 v2_flags |= KRB5_CTX_FLAG_CFX;
426         if (lctx->protocol != 0 && lctx->cfx_kd.have_acceptor_subkey == 1)
427                 v2_flags |= KRB5_CTX_FLAG_ACCEPTOR_SUBKEY;
428
429         if (WRITE_BYTES(&p, end, v2_flags)) goto out_err;
430
431         if (WRITE_BYTES(&p, end, lctx->send_seq)) goto out_err;
432
433         /* Protocol 0 here implies DES3 or RC4 */
434         printerr(3, "protocol %d\n", lctx->protocol);
435         if (lctx->protocol == 0) {
436                 enctype = lctx->rfc1964_kd.ctx_key.type;
437 #ifdef HAVE_HEIMDAL
438                 /*
439                  * The kernel gss code expects ENCTYPE_DES3_CBC_RAW (6) for
440                  * 3des keys, but Heimdal key has ENCTYPE_DES3_CBC_SHA1 (16).
441                  * Force the Heimdal enctype to 6.
442                  */
443                 if (enctype == ENCTYPE_DES3_CBC_SHA1) {
444                         printerr(2, "%s: overriding heimdal keytype (%d => %d)\n",
445                                  __FUNCTION__, enctype, 6);
446
447                         enctype = 6;
448                 }
449 #endif
450                 keysize = lctx->rfc1964_kd.ctx_key.length;
451                 numkeys = 3;    /* XXX is always gonna be three? */
452         } else {
453                 if (lctx->cfx_kd.have_acceptor_subkey) {
454                         enctype = lctx->cfx_kd.acceptor_subkey.type;
455                         keysize = lctx->cfx_kd.acceptor_subkey.length;
456                 } else {
457                         enctype = lctx->cfx_kd.ctx_key.type;
458                         keysize = lctx->cfx_kd.ctx_key.length;
459                 }
460                 numkeys = 3;
461         }
462         printerr(3, "serializing %d keys with enctype %d and size %d\n",
463                  numkeys, enctype, keysize);
464         if (WRITE_BYTES(&p, end, enctype)) goto out_err;
465         if (WRITE_BYTES(&p, end, keysize)) goto out_err;
466         if (WRITE_BYTES(&p, end, numkeys)) goto out_err;
467
468         if (lctx->protocol == 0) {
469                 /* derive and send down: Ke, Ki, and Kc */
470                 /* Ke */
471                 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
472                                 lctx->rfc1964_kd.ctx_key.length))
473                         goto out_err;
474
475                 /* Ki */
476                 if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
477                                 lctx->rfc1964_kd.ctx_key.length))
478                         goto out_err;
479
480                 /* Kc */
481                 /*
482                  * RC4 is special, it dosen't need key derivation. Actually
483                  * the Ke is based on plain text. Here we just let all three
484                  * key identical, kernel will handle everything. --ericm
485                  */
486                 if (lctx->rfc1964_kd.ctx_key.type == ENCTYPE_ARCFOUR_HMAC) {
487                         if (write_bytes(&p, end, lctx->rfc1964_kd.ctx_key.data,
488                                         lctx->rfc1964_kd.ctx_key.length))
489                                 goto out_err;
490                 } else {
491                         if (derive_key_lucid(&lctx->rfc1964_kd.ctx_key,
492                                         &derived_key,
493                                         KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM))
494                                 goto out_err;
495                         if (write_bytes(&p, end, derived_key.data,
496                                         derived_key.length))
497                                 goto out_err;
498                         free(derived_key.data);
499                 }
500         } else {
501                 gss_krb5_lucid_key_t *keyptr;
502                 uint32_t sign_usage, seal_usage;
503
504                 if (lctx->cfx_kd.have_acceptor_subkey)
505                         keyptr = &lctx->cfx_kd.acceptor_subkey;
506                 else
507                         keyptr = &lctx->cfx_kd.ctx_key;
508
509 #if 0
510                 if (lctx->initiate == 1) {
511                         sign_usage = KG_USAGE_INITIATOR_SIGN;
512                         seal_usage = KG_USAGE_INITIATOR_SEAL;
513                 } else {
514                         sign_usage = KG_USAGE_ACCEPTOR_SIGN;
515                         seal_usage = KG_USAGE_ACCEPTOR_SEAL;
516                 }
517 #else
518                 /* FIXME
519                  * These are from rfc4142, but I don't understand: if we supply
520                  * different 'usage' value for client & server, then the peers
521                  * will have different derived keys. How could this work?
522                  *
523                  * Here we simply use old SIGN/SEAL values until we find the
524                  * answer.  --ericm
525                  * FIXME
526                  */
527                 sign_usage = KG_USAGE_SIGN;
528                 seal_usage = KG_USAGE_SEAL;
529 #endif
530
531                 /* derive and send down: Ke, Ki, and Kc */
532
533                 /* Ke */
534                 if (derive_key_lucid(keyptr, &derived_key,
535                                seal_usage, KEY_USAGE_SEED_ENCRYPTION))
536                         goto out_err;
537                 if (write_bytes(&p, end, derived_key.data,
538                                 derived_key.length))
539                         goto out_err;
540                 free(derived_key.data);
541
542                 /* Ki */
543                 if (derive_key_lucid(keyptr, &derived_key,
544                                seal_usage, KEY_USAGE_SEED_INTEGRITY))
545                         goto out_err;
546                 if (write_bytes(&p, end, derived_key.data,
547                                 derived_key.length))
548                         goto out_err;
549                 free(derived_key.data);
550
551                 /* Kc */
552                 if (derive_key_lucid(keyptr, &derived_key,
553                                sign_usage, KEY_USAGE_SEED_CHECKSUM))
554                         goto out_err;
555                 if (write_bytes(&p, end, derived_key.data,
556                                 derived_key.length))
557                         goto out_err;
558                 free(derived_key.data);
559         }
560
561         buf->length = p - (char *)buf->value;
562         return 0;
563
564 out_err:
565         printerr(0, "ERROR: %s: failed serializing krb5 context for kernel\n",
566                  __FUNCTION__);
567         if (buf->value) {
568                 free(buf->value);
569                 buf->value = NULL;
570         }
571         buf->length = 0;
572         if (enc_key.data) {
573                 free(enc_key.data);
574                 enc_key.data = NULL;
575         }
576         return -1;
577 }
578 int
579 serialize_krb5_ctx(gss_ctx_id_t ctx, gss_buffer_desc *buf)
580 {
581         OM_uint32 maj_stat, min_stat;
582         void *return_ctx = 0;
583         OM_uint32 vers;
584         gss_krb5_lucid_context_v1_t *lctx = 0;
585         int retcode = 0;
586
587         printerr(3, "lucid version!\n");
588         maj_stat = gss_export_lucid_sec_context(&min_stat, &ctx,
589                                                 1, &return_ctx);
590         if (maj_stat != GSS_S_COMPLETE) {
591                 pgsserr("gss_export_lucid_sec_context",
592                         maj_stat, min_stat, &krb5oid);
593                 goto out_err;
594         }
595
596         /* Check the version returned, we only support v1 right now */
597         vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
598         switch (vers) {
599         case 1:
600                 lctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
601                 break;
602         default:
603                 printerr(0, "ERROR: unsupported lucid sec context version %d\n",
604                         vers);
605                 goto out_err;
606                 break;
607         }
608
609         /*
610          * Now lctx points to a lucid context that we can send down to kernel
611          *
612          * Note: we send down different information to the kernel depending
613          * on the protocol version and the enctyption type.
614          * For protocol version 0 with all enctypes besides DES3, we use
615          * the original format.  For protocol version != 0 or DES3, we
616          * send down the new style information.
617          */
618
619         if (lctx->protocol == 0 && lctx->rfc1964_kd.ctx_key.type <= 4)
620                 retcode = prepare_krb5_rfc1964_buffer(lctx, buf);
621         else
622                 retcode = prepare_krb5_rfc4121_buffer(lctx, buf);
623
624         maj_stat = gss_free_lucid_sec_context(&min_stat, ctx, return_ctx);
625         if (maj_stat != GSS_S_COMPLETE) {
626                 pgsserr("gss_export_lucid_sec_context",
627                         maj_stat, min_stat, &krb5oid);
628                 printerr(0, "WARN: failed to free lucid sec context\n");
629         }
630
631         if (retcode) {
632                 printerr(1, "%s: prepare_krb5_*_buffer failed (retcode = %d)\n",
633                          __FUNCTION__, retcode);
634                 goto out_err;
635         }
636
637         return 0;
638
639 out_err:
640         printerr(0, "ERROR: failed serializing krb5 context for kernel\n");
641         return -1;
642 }
643
644
645
646 #endif /* HAVE_LUCID_CONTEXT_SUPPORT */