/*
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 */

/*
 * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * glue routine gss_import_name
 */

/* local function to import GSS_C_EXPORT_NAME names */

/* Initialize outputs. */

/* Validate arguments. */

/*
 * First create the union name struct that will hold the external
 * name and the name type.
 *
 * All we do here is record the external name and name_type.
 * When the name is actually used, the underlying gss_import_name()
 * is called for the appropriate mechanism. The exception to this
 * rule is when the name is of GSS_C_NT_EXPORT_NAME type. If that is
 * the case, then we make it an MN in this call.
 *
 * In the MIT distribution the mechanism is determined from the name type;
 * this is not a good idea: the first mechanism that supports a given
 * name type is picked up, and later on the caller can request a
 * different mechanism. So we don't determine the mechanism here. Now
 * the user-level and kernel-level import_name routines look similar,
 * except that the kernel routine makes a copy of the name-type structure.
 * We do, however, make this an MN for names of GSS_C_NT_EXPORT_NAME type.
 */

/*
 * GSS export name constants
 */

/* extract the mechanism oid length */

/*
 * The mechOid itself is encoded in DER format: OID tag (0x06),
 * length and the value of mech_OID.
 *
 * The mechOid length is encoded twice; once in 2 bytes as
 * explained in RFC 2743 (under mechanism independent exported
 * name object format) and once using DER encoding.
 * We verify both lengths.
 *
 * 'bytes' is the length of the DER length, '1' is for the DER
 */

/*
 * We must now determine if we should unwrap the name ourselves
 * or make the mechanism do it. We should only unwrap it
 * if we created it; so if mech->gss_export_name == NULL, we must
 */

/*
 * We must have exported the name, so we now need to reconstruct it
 * and call the mechanism to create it.
 *
 * WARNING: Older versions of __gss_export_internal_name() did
 *          not export names correctly, but now it does. In
 *          order to stay compatible with existing exported
 *          names we must support names exported the broken
 *
 * Specifically, __gss_export_internal_name() used to include
 * the name type OID in the encoding of the exported MN.
 * Additionally, the Kerberos V mech used to make display names
 * that included a null terminator which was counted in the
 * display name gss_buffer_desc.
 */

/* next 4 bytes in the name are the name length */

/*
 * We use < here because bad code in rpcsec_gss rounds up exported
 * name token lengths and pads with nulls; otherwise != would be
 */

/*
 * We detect broken exported names here: they always start with
 * a two-octet network-byte-order OID length, which is always
 * less than 256 bytes, so the first octet of the length is
 * always '\0', which is not allowed in GSS-API display names
 * (or never occurs in them anyway). Of course, the OID
 * shouldn't be there, but it is. After the OID (sans DER tag
 * and length) there's the name itself, though null-terminated;
 * this null terminator should also not be there, but it is.
 */

/* next two bytes are the name type OID length */

/*
 * Adjust for the expected null terminator that should
 * really not be there.
 */

/*
 * Can a name be null? Let the mech decide.
 *
 * NOTE: We use GSS_C_NULL_OID as the name type when importing
 *       the unwrapped name. Presumably the exported name had,
 *       prior to being exported, been obtained in such a way
 *       that it has been properly prepared ("canonicalized," in
 *       GSS-API terms) according to some name type; we cannot
 *       tell what that name type was now, but the name should
 *       need no further preparation other than the lowest
 *       common denominator afforded by the mech to names
 *       imported with GSS_C_NULL_OID. For the Kerberos V mech
 *       this means doing less busywork too (particularly once
 *       IDN is thrown in with Kerberos V extensions).
 */
} /* importExportName */
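The unwrapping that the comments above describe, as an added stand-alone example rather than code from this file or from libgss: it parses an RFC 2743 section 3.2 GSS_C_NT_EXPORT_NAME token (0x04 0x01, 2-byte mechanism OID length, DER-encoded OID, 4-byte name length, name), checks the RFC 2743 length and the DER length against each other, accepts trailing NUL padding of the kind the rpcsec_gss comment mentions by using a "runs past the end" check rather than an exact-length check, and recognizes the legacy encoding in which a 2-byte name type OID length, the bare OID octets and a NUL terminator precede and follow the real name. The struct, enum and function names are my own, not libgss API; the sample tokens are constructed here and use the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 and, in the legacy sample, the krb5 principal name type OID 1.2.840.113554.1.2.2.1 as the stray name type.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of unwrapping a GSS_C_NT_EXPORT_NAME token; pointers alias the token. */
struct exported_name {
    const uint8_t *mech_oid;     /* OID value octets, DER tag and length stripped */
    size_t         mech_oid_len;
    const uint8_t *name;         /* mechanism-specific name octets */
    size_t         name_len;
    int            legacy;       /* 1 if the broken pre-fix encoding was found */
};

enum {
    EXP_OK = 0,
    EXP_ERR_SHORT = -1,          /* token truncated */
    EXP_ERR_TOKEN_ID = -2,       /* header is not 0x04 0x01 */
    EXP_ERR_DER = -3,            /* mech OID lacks tag 0x06 or uses an unsupported length form */
    EXP_ERR_LEN_MISMATCH = -4,   /* RFC 2743 2-byte length and DER length disagree */
    EXP_ERR_NAME_LEN = -5        /* 4-byte NAME_LEN runs past the end of the token */
};

int parse_exported_name(const uint8_t *tok, size_t tok_len, struct exported_name *out)
{
    size_t pos, mech_len, der_len, der_len_bytes, name_len;

    memset(out, 0, sizeof(*out));
    /* header (2) + mech len (2) + smallest DER OID (2) + NAME_LEN (4) */
    if (tok_len < 10) return EXP_ERR_SHORT;
    if (tok[0] != 0x04 || tok[1] != 0x01) return EXP_ERR_TOKEN_ID;
    pos = 2;

    /* RFC 2743 length: covers the whole DER OID including tag and length octets */
    mech_len = ((size_t)tok[pos] << 8) | tok[pos + 1];
    pos += 2;
    if (tok_len - pos < mech_len) return EXP_ERR_SHORT;
    if (mech_len < 2 || tok[pos] != 0x06) return EXP_ERR_DER;

    /* DER length: short form, or long form with a single length octet (0x81) */
    if (tok[pos + 1] < 0x80) { der_len = tok[pos + 1]; der_len_bytes = 1; }
    else if (tok[pos + 1] == 0x81 && mech_len >= 3) { der_len = tok[pos + 2]; der_len_bytes = 2; }
    else return EXP_ERR_DER;

    /* Both encodings of the length must agree: 1 for the tag + length octets + value */
    if (mech_len != 1 + der_len_bytes + der_len) return EXP_ERR_LEN_MISMATCH;
    out->mech_oid = tok + pos + 1 + der_len_bytes;
    out->mech_oid_len = der_len;
    pos += mech_len;

    /* next 4 bytes are the name length, network byte order */
    if (tok_len - pos < 4) return EXP_ERR_SHORT;
    name_len = ((size_t)tok[pos] << 24) | ((size_t)tok[pos + 1] << 16) |
               ((size_t)tok[pos + 2] << 8) | tok[pos + 3];
    pos += 4;
    /* "<" rather than "!=": tolerate NUL padding appended after the name */
    if (tok_len - pos < name_len) return EXP_ERR_NAME_LEN;
    out->name = tok + pos;
    out->name_len = name_len;

    /* Legacy encoding: a leading '\0' can only be the high octet of a 2-byte OID length */
    if (name_len > 0 && out->name[0] == '\0') {
        size_t nt_len;
        if (name_len < 2) return EXP_ERR_SHORT;
        nt_len = ((size_t)out->name[0] << 8) | out->name[1];
        if (name_len - 2 < nt_len) return EXP_ERR_SHORT;
        out->name += 2 + nt_len;            /* skip length and bare name type OID */
        out->name_len = name_len - 2 - nt_len;
        if (out->name_len > 0 && out->name[out->name_len - 1] == '\0')
            out->name_len--;                /* drop the counted NUL terminator */
        out->legacy = 1;
    }
    return EXP_OK;
}

/* Helper for checks: does the unwrapped name equal the C string s? */
int name_equals(const struct exported_name *n, const char *s)
{
    return n->name_len == strlen(s) && memcmp(n->name, s, n->name_len) == 0;
}

#define KRB5_MECH_DER 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
#define PRINC 'u', 's', 'e', 'r', '@', 'E', 'X', 'A', 'M', 'P', 'L', 'E', '.', 'C', 'O', 'M'

/* Constructed samples. TOK_GOOD carries one byte of NUL padding (35 -> 36 bytes). */
static const uint8_t TOK_GOOD[] = { 0x04, 0x01, 0x00, 0x0b, KRB5_MECH_DER,
    0x00, 0x00, 0x00, 0x10, PRINC, 0x00 };
/* Legacy: NAME_LEN 29 = 2 (nt len) + 10 (bare 1.2.840.113554.1.2.2.1) + 17 (name + NUL) */
static const uint8_t TOK_LEGACY[] = { 0x04, 0x01, 0x00, 0x0b, KRB5_MECH_DER,
    0x00, 0x00, 0x00, 0x1d, 0x00, 0x0a,
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, PRINC, 0x00 };
/* RFC 2743 length claims 12 octets while the DER OID occupies 11 */
static const uint8_t TOK_BAD_LEN[] = { 0x04, 0x01, 0x00, 0x0c, KRB5_MECH_DER,
    0x00, 0x00, 0x00, 0x10, PRINC, 0x00 };

int main(void)
{
    struct exported_name n;
    int rc = parse_exported_name(TOK_LEGACY, sizeof TOK_LEGACY, &n);
    printf("legacy token: rc=%d legacy=%d name=%.*s\n", rc, n.legacy, (int)n.name_len, n.name);
    rc = parse_exported_name(TOK_BAD_LEN, sizeof TOK_BAD_LEN, &n);
    printf("bad length token: rc=%d\n", rc);
    return 0;
}
```

The two-length check is the part worth keeping: an attacker who controls the token can make the RFC 2743 length and the DER length disagree, and a parser that trusts only one of them walks off the end of the OID into the name field or beyond.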