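/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
 */
/* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

/*
** 19990701 VRS Started.
**
** Glue between the SSL library and a Kerberos 5 implementation (MIT or
** Heimdal): a small context that carries the Kerberos session key and
** the application-supplied configuration into the SSL library.
**
** NOTE(review): this Kerberos/SSL glue is absent from newer OpenSSL
** releases; confirm it is still shipped by the release you build against.
*/

#ifndef KSSL_H
#define KSSL_H

#include <openssl/opensslconf.h>

#ifndef OPENSSL_NO_KRB5

#include <stdio.h>
#include <ctype.h>
#include <krb5.h>
#ifdef OPENSSL_SYS_WIN32
/* These can sometimes get redefined indirectly by krb5 header files
 * after they get undefed in ossl_typ.h
 */
#undef X509_NAME
#undef X509_EXTENSIONS
#undef OCSP_REQUEST
#undef OCSP_RESPONSE
#endif

#ifdef __cplusplus
extern "C" {
#endif

/*
** Depending on which KRB5 implementation used, some types from
** the other may be missing.  Resolve that here and now.
**
** FAR is a legacy (Win16) pointer qualifier carried over from the MIT
** headers; it expands to nothing on every platform this file supports.
*/
#ifdef KRB5_HEIMDAL
typedef unsigned char krb5_octet;
#define FAR
#else

#ifndef FAR
#define FAR
#endif

#endif

/* Uncomment this to debug kssl problems or
** to trace usage of the Kerberos session key
**
** #define KSSL_DEBUG
**
** Debug output includes session-key material; never enable in a build
** whose logs leave the host.
*/

/* Kerberos service name used when the application does not set one. */
#ifndef KRB5SVC
#define KRB5SVC "host"
#endif

/* Default server keytab.  The file holds long-term service keys; the
** server process needs read access and nothing else should.
*/
#ifndef KRB5KEYTAB
#define KRB5KEYTAB "/etc/krb5.keytab"
#endif

#ifndef KRB5SENDAUTH
#define KRB5SENDAUTH 1
#endif

#ifndef KRB5CHECKAUTH
#define KRB5CHECKAUTH 1
#endif

/* Clock skew, in seconds, tolerated when comparing ticket/authenticator
** times against local time (presumably consumed by kssl_validate_times;
** confirm in kssl.c).  The value doubles as the replay window for an
** authenticator, so widen it only with that in mind.
**
** The trailing ';' that used to follow the value is gone: an object-like
** macro ending in ';' cannot be used inside an expression.
*/
#ifndef KSSL_CLOCKSKEW
#define KSSL_CLOCKSKEW 300
#endif

/* Error record filled in by the kssl_* routines on failure.
** text is a fixed buffer of KSSL_ERR_MAX characters plus the terminator;
** messages longer than that are expected to be truncated by kssl_err_set.
*/
#define KSSL_ERR_MAX 255
typedef struct kssl_err_st {
    int reason;                 /* SSL_R_* / KSSL_* reason code */
    char text[KSSL_ERR_MAX+1];  /* human-readable detail, NUL-terminated */
    } KSSL_ERR;


/* Context for passing
** (1) Kerberos session key to SSL, and
** (2) Config data between application and SSL lib
**
** key/length/enctype hold the raw Kerberos session key; the context
** therefore contains secret material for as long as it lives and must
** only be released through kssl_ctx_free.
*/
typedef struct kssl_ctx_st
    {
    /*  used by:    disposition:            */
    char *service_name; /*  C,S     default ok (kssl)     */
    char *service_host; /*  C       input, REQUIRED       */
    char *client_princ; /*  S       output from krb5 ticket */
    char *keytab_file;  /*  S       NULL (/etc/krb5.keytab) */
    char *cred_cache;   /*  C       NULL (default)        */
    krb5_enctype enctype;   /* encryption type of the session key */
    int length;             /* byte length of key */
    krb5_octet FAR *key;    /* session key bytes (secret) */
    } KSSL_CTX;

/* 'which' selectors for kssl_ctx_setstring / kssl_ctx_setprinc */
#define KSSL_CLIENT 1
#define KSSL_SERVER 2
#define KSSL_SERVICE 3
#define KSSL_KEYTAB 4

/* Return codes of the kssl_ctx_* routines */
#define KSSL_CTX_OK 0
#define KSSL_CTX_ERR 1
#define KSSL_NOMEM 2

/* Public (for use by applications that use OpenSSL with Kerberos 5 support) */

/* Store a copy of text in the field selected by which (KSSL_SERVICE,
** KSSL_KEYTAB, ...).  text is not modified; the ctx keeps its own copy.
*/
krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
/* Allocate a zeroed context; returns NULL on allocation failure. */
KSSL_CTX *kssl_ctx_new(void);
/* Release the context and everything it owns.  The returned pointer is
** not a usable context; treat kssl_ctx as freed after the call.
** NOTE(review): assumes the implementation wipes key before freeing it --
** confirm in kssl.c.
*/
KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
/* Debug dump of the context (see KSSL_DEBUG); expect key material in the
** output, so keep it out of production logging paths.
*/
void kssl_ctx_show(KSSL_CTX *kssl_ctx);
/* Build the principal for the field selected by which from realm and
** nentities name components held in entity.
*/
krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
        krb5_data *realm, krb5_data *entity, int nentities);
/* Client side: obtain a service ticket and authenticator for
** service_host.  On success *enc_tktp and *authenp point at data the
** caller must release; on failure kssl_err is filled in.
*/
krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp,
        krb5_data *authenp, KSSL_ERR *kssl_err);
/* Server side: decrypt the ticket in indata with the keytab, record the
** client principal in client_princ and the validity period in ttimes.
*/
krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata,
        krb5_ticket_times *ttimes, KSSL_ERR *kssl_err);
/* Copy session into key/length/enctype (a NULL session clears them). */
krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
/* Record reason and a bounded copy of text in kssl_err (no-op if NULL). */
void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
/* Free the buffer owned by data in a way that works for both MIT and
** Heimdal krb5_data layouts.
*/
void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data);
/* Build princ from explicit-length realm, service and host components;
** lengths are passed so the inputs need not be NUL-terminated.
*/
krb5_error_code kssl_build_principal_2(krb5_context context,
        krb5_principal *princ, int rlen, const char *realm,
        int slen, const char *svc, int hlen, const char *host);
/* Check atime and ttimes against local time within KSSL_CLOCKSKEW;
** non-zero return means the ticket or authenticator is not currently valid.
*/
krb5_error_code kssl_validate_times(krb5_timestamp atime,
        krb5_ticket_times *ttimes);
/* Server side: decrypt and verify the authenticator in authentp with the
** session key held in kssl_ctx, returning its timestamp in *atimep.
*/
krb5_error_code kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp,
        krb5_timestamp *atimep, KSSL_ERR *kssl_err);
/* Return a pointer into authn just past the enctype-specific confounder
** (presumably: the prefix length depends on enctype -- confirm in kssl.c).
*/
unsigned char *kssl_skip_confound(krb5_enctype enctype, unsigned char *authn);

/* set0/get0 follow the OpenSSL naming convention: set0 hands ownership
** of kctx to s (s frees it), get0 returns the internal pointer without
** transferring ownership.
*/
void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx);
KSSL_CTX * SSL_get0_kssl_ctx(SSL *s);
/* Internal pointer to client_princ; valid only while kctx lives. */
char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx);

#ifdef __cplusplus
}
#endif
#endif /* OPENSSL_NO_KRB5 */
#endif /* KSSL_H */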