1295009Sjkim/* ssl/kssl.c */ 2280297Sjkim/* 3280297Sjkim * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 4280297Sjkim * 2000. 5109998Smarkm */ 6109998Smarkm/* ==================================================================== 7331638Sjkim * Copyright (c) 2000-2018 The OpenSSL Project. All rights reserved. 8109998Smarkm * 9109998Smarkm * Redistribution and use in source and binary forms, with or without 10109998Smarkm * modification, are permitted provided that the following conditions 11109998Smarkm * are met: 12109998Smarkm * 13109998Smarkm * 1. Redistributions of source code must retain the above copyright 14280297Sjkim * notice, this list of conditions and the following disclaimer. 15109998Smarkm * 16109998Smarkm * 2. Redistributions in binary form must reproduce the above copyright 17109998Smarkm * notice, this list of conditions and the following disclaimer in 18109998Smarkm * the documentation and/or other materials provided with the 19109998Smarkm * distribution. 20109998Smarkm * 21109998Smarkm * 3. All advertising materials mentioning features or use of this 22109998Smarkm * software must display the following acknowledgment: 23109998Smarkm * "This product includes software developed by the OpenSSL Project 24109998Smarkm * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25109998Smarkm * 26109998Smarkm * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27109998Smarkm * endorse or promote products derived from this software without 28109998Smarkm * prior written permission. For written permission, please contact 29109998Smarkm * licensing@OpenSSL.org. 30109998Smarkm * 31109998Smarkm * 5. Products derived from this software may not be called "OpenSSL" 32109998Smarkm * nor may "OpenSSL" appear in their names without prior written 33109998Smarkm * permission of the OpenSSL Project. 34109998Smarkm * 35109998Smarkm * 6. Redistributions of any form whatsoever must retain the following 36109998Smarkm * acknowledgment: 37109998Smarkm * "This product includes software developed by the OpenSSL Project 38109998Smarkm * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39109998Smarkm * 40109998Smarkm * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41109998Smarkm * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42109998Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43109998Smarkm * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44109998Smarkm * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45109998Smarkm * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46109998Smarkm * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47109998Smarkm * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48109998Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49109998Smarkm * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50109998Smarkm * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51109998Smarkm * OF THE POSSIBILITY OF SUCH DAMAGE. 52109998Smarkm * ==================================================================== 53109998Smarkm * 54109998Smarkm * This product includes cryptographic software written by Eric Young 55109998Smarkm * (eay@cryptsoft.com). This product includes software written by Tim 56109998Smarkm * Hudson (tjh@cryptsoft.com). 57109998Smarkm * 58109998Smarkm */ 59109998Smarkm 60280297Sjkim/*- 61280297Sjkim * ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl 62280297Sjkim * 63280297Sjkim * 19990701 VRS Started. 64280297Sjkim * 200011?? Jeffrey Altman, Richard Levitte 65280297Sjkim * Generalized for Heimdal, Newer MIT, & Win32. 66280297Sjkim * Integrated into main OpenSSL 0.9.7 snapshots. 67280297Sjkim * 20010413 Simon Wilkinson, VRS 68280297Sjkim * Real RFC2712 KerberosWrapper replaces AP_REQ. 69280297Sjkim */ 70109998Smarkm 71109998Smarkm#include <openssl/opensslconf.h> 72109998Smarkm 73109998Smarkm#include <string.h> 74109998Smarkm 75280297Sjkim#define KRB5_PRIVATE 1 76160814Ssimon 77109998Smarkm#include <openssl/ssl.h> 78109998Smarkm#include <openssl/evp.h> 79109998Smarkm#include <openssl/objects.h> 80109998Smarkm#include <openssl/krb5_asn.h> 81331638Sjkim#include "o_time.h" 82238405Sjkim#include "kssl_lcl.h" 83109998Smarkm 84109998Smarkm#ifndef OPENSSL_NO_KRB5 85109998Smarkm 86280297Sjkim# ifndef ENOMEM 87280297Sjkim# define ENOMEM KRB5KRB_ERR_GENERIC 88280297Sjkim# endif 89160814Ssimon 90280297Sjkim/* 91109998Smarkm * When OpenSSL is built on Windows, we do not want to require that 92109998Smarkm * the Kerberos DLLs be available in order for the OpenSSL DLLs to 93109998Smarkm * work. Therefore, all Kerberos routines are loaded at run time 94109998Smarkm * and we do not link to a .LIB file. 95109998Smarkm */ 96109998Smarkm 97280297Sjkim# if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) 98280297Sjkim/* 99109998Smarkm * The purpose of the following pre-processor statements is to provide 100109998Smarkm * compatibility with different releases of MIT Kerberos for Windows. 101109998Smarkm * All versions up to 1.2 used macros. But macros do not allow for 102109998Smarkm * a binary compatible interface for DLLs. Therefore, all macros are 103109998Smarkm * being replaced by function calls. The following code will allow 104109998Smarkm * an OpenSSL DLL built on Windows to work whether or not the macro 105109998Smarkm * or function form of the routines are utilized. 106109998Smarkm */ 107280297Sjkim# ifdef krb5_cc_get_principal 108280297Sjkim# define NO_DEF_KRB5_CCACHE 109280297Sjkim# undef krb5_cc_get_principal 110280297Sjkim# endif 111280297Sjkim# define krb5_cc_get_principal kssl_krb5_cc_get_principal 112109998Smarkm 113280297Sjkim# define krb5_free_data_contents kssl_krb5_free_data_contents 114280297Sjkim# define krb5_free_context kssl_krb5_free_context 115280297Sjkim# define krb5_auth_con_free kssl_krb5_auth_con_free 116280297Sjkim# define krb5_free_principal kssl_krb5_free_principal 117280297Sjkim# define krb5_mk_req_extended kssl_krb5_mk_req_extended 118280297Sjkim# define krb5_get_credentials kssl_krb5_get_credentials 119280297Sjkim# define krb5_cc_default kssl_krb5_cc_default 120280297Sjkim# define krb5_sname_to_principal kssl_krb5_sname_to_principal 121280297Sjkim# define krb5_init_context kssl_krb5_init_context 122280297Sjkim# define krb5_free_ticket kssl_krb5_free_ticket 123280297Sjkim# define krb5_rd_req kssl_krb5_rd_req 124280297Sjkim# define krb5_kt_default kssl_krb5_kt_default 125280297Sjkim# define krb5_kt_resolve kssl_krb5_kt_resolve 126109998Smarkm/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */ 127280297Sjkim# ifndef krb5_kt_close 128280297Sjkim# define krb5_kt_close kssl_krb5_kt_close 129280297Sjkim# endif /* krb5_kt_close */ 130280297Sjkim# ifndef krb5_kt_get_entry 131280297Sjkim# define krb5_kt_get_entry kssl_krb5_kt_get_entry 132280297Sjkim# endif /* krb5_kt_get_entry */ 133280297Sjkim# define krb5_auth_con_init kssl_krb5_auth_con_init 134109998Smarkm 135280297Sjkim# define krb5_principal_compare kssl_krb5_principal_compare 136280297Sjkim# define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part 137280297Sjkim# define krb5_timeofday kssl_krb5_timeofday 138280297Sjkim# define krb5_rc_default kssl_krb5_rc_default 139109998Smarkm 140280297Sjkim# ifdef krb5_rc_initialize 141280297Sjkim# undef krb5_rc_initialize 142280297Sjkim# endif 143280297Sjkim# define krb5_rc_initialize kssl_krb5_rc_initialize 144109998Smarkm 145280297Sjkim# ifdef krb5_rc_get_lifespan 146280297Sjkim# undef krb5_rc_get_lifespan 147280297Sjkim# endif 148280297Sjkim# define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan 149109998Smarkm 150280297Sjkim# ifdef krb5_rc_destroy 151280297Sjkim# undef krb5_rc_destroy 152280297Sjkim# endif 153280297Sjkim# define krb5_rc_destroy kssl_krb5_rc_destroy 154109998Smarkm 155280297Sjkim# define valid_cksumtype kssl_valid_cksumtype 156280297Sjkim# define krb5_checksum_size kssl_krb5_checksum_size 157280297Sjkim# define krb5_kt_free_entry kssl_krb5_kt_free_entry 158280297Sjkim# define krb5_auth_con_setrcache kssl_krb5_auth_con_setrcache 159280297Sjkim# define krb5_auth_con_getrcache kssl_krb5_auth_con_getrcache 160280297Sjkim# define krb5_get_server_rcache kssl_krb5_get_server_rcache 161109998Smarkm 162109998Smarkm/* Prototypes for built in stubs */ 163109998Smarkmvoid kssl_krb5_free_data_contents(krb5_context, krb5_data *); 164280297Sjkimvoid kssl_krb5_free_principal(krb5_context, krb5_principal); 165109998Smarkmkrb5_error_code kssl_krb5_kt_resolve(krb5_context, 166280297Sjkim krb5_const char *, krb5_keytab *); 167280297Sjkimkrb5_error_code kssl_krb5_kt_default(krb5_context, krb5_keytab *); 168109998Smarkmkrb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *); 169280297Sjkimkrb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, 170109998Smarkm krb5_const krb5_data *, 171280297Sjkim krb5_const_principal, krb5_keytab, 172280297Sjkim krb5_flags *, krb5_ticket **); 173109998Smarkm 174109998Smarkmkrb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal, 175109998Smarkm krb5_const_principal); 176109998Smarkmkrb5_error_code kssl_krb5_mk_req_extended(krb5_context, 177280297Sjkim krb5_auth_context *, 178109998Smarkm krb5_const krb5_flags, 179280297Sjkim krb5_data *, 180280297Sjkim krb5_creds *, krb5_data *); 181109998Smarkmkrb5_error_code kssl_krb5_init_context(krb5_context *); 182109998Smarkmvoid kssl_krb5_free_context(krb5_context); 183280297Sjkimkrb5_error_code kssl_krb5_cc_default(krb5_context, krb5_ccache *); 184109998Smarkmkrb5_error_code kssl_krb5_sname_to_principal(krb5_context, 185280297Sjkim krb5_const char *, 186280297Sjkim krb5_const char *, 187280297Sjkim krb5_int32, krb5_principal *); 188109998Smarkmkrb5_error_code kssl_krb5_get_credentials(krb5_context, 189109998Smarkm krb5_const krb5_flags, 190109998Smarkm krb5_ccache, 191280297Sjkim krb5_creds *, krb5_creds * *); 192280297Sjkimkrb5_error_code kssl_krb5_auth_con_init(krb5_context, krb5_auth_context *); 193280297Sjkimkrb5_error_code kssl_krb5_cc_get_principal(krb5_context context, 194109998Smarkm krb5_ccache cache, 195109998Smarkm krb5_principal *principal); 196280297Sjkimkrb5_error_code kssl_krb5_auth_con_free(krb5_context, krb5_auth_context); 197280297Sjkimsize_t kssl_krb5_checksum_size(krb5_context context, krb5_cksumtype ctype); 198109998Smarkmkrb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype); 199280297Sjkimkrb5_error_code krb5_kt_free_entry(krb5_context, krb5_keytab_entry FAR *); 200280297Sjkimkrb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, 201280297Sjkim krb5_auth_context, krb5_rcache); 202280297Sjkimkrb5_error_code kssl_krb5_get_server_rcache(krb5_context, 203109998Smarkm krb5_const krb5_data *, 204109998Smarkm krb5_rcache *); 205280297Sjkimkrb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, 206109998Smarkm krb5_auth_context, 207109998Smarkm krb5_rcache *); 208109998Smarkm 209109998Smarkm/* Function pointers (almost all Kerberos functions are _stdcall) */ 210280297Sjkimstatic void (_stdcall *p_krb5_free_data_contents) (krb5_context, krb5_data *) 211280297Sjkim = NULL; 212280297Sjkimstatic void (_stdcall *p_krb5_free_principal) (krb5_context, krb5_principal) 213280297Sjkim = NULL; 214109998Smarkmstatic krb5_error_code(_stdcall *p_krb5_kt_resolve) 215280297Sjkim (krb5_context, krb5_const char *, krb5_keytab *) = NULL; 216280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_kt_default) (krb5_context, 217280297Sjkim krb5_keytab *) = NULL; 218280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_free_ticket) (krb5_context, 219280297Sjkim krb5_ticket *) = NULL; 220280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rd_req) (krb5_context, 221280297Sjkim krb5_auth_context *, 222109998Smarkm krb5_const krb5_data *, 223280297Sjkim krb5_const_principal, 224109998Smarkm krb5_keytab, krb5_flags *, 225280297Sjkim krb5_ticket **) = NULL; 226280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_mk_req_extended) 227280297Sjkim (krb5_context, krb5_auth_context *, 228280297Sjkim krb5_const krb5_flags, krb5_data *, krb5_creds *, krb5_data *) = NULL; 229280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_init_context) (krb5_context *) = NULL; 230280297Sjkimstatic void (_stdcall *p_krb5_free_context) (krb5_context) = NULL; 231280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_cc_default) (krb5_context, 232280297Sjkim krb5_ccache *) = NULL; 233280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_sname_to_principal) 234280297Sjkim (krb5_context, krb5_const char *, krb5_const char *, 235280297Sjkim krb5_int32, krb5_principal *) = NULL; 236280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_get_credentials) 237280297Sjkim (krb5_context, krb5_const krb5_flags, krb5_ccache, 238280297Sjkim krb5_creds *, krb5_creds **) = NULL; 239280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_auth_con_init) 240280297Sjkim (krb5_context, krb5_auth_context *) = NULL; 241280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_cc_get_principal) 242280297Sjkim (krb5_context context, krb5_ccache cache, krb5_principal *principal) = NULL; 243280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_auth_con_free) 244280297Sjkim (krb5_context, krb5_auth_context) = NULL; 245280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_decrypt_tkt_part) 246280297Sjkim (krb5_context, krb5_const krb5_keyblock *, krb5_ticket *) = NULL; 247280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_timeofday) 248280297Sjkim (krb5_context context, krb5_int32 *timeret) = NULL; 249280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rc_default) 250280297Sjkim (krb5_context context, krb5_rcache *rc) = NULL; 251280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rc_initialize) 252280297Sjkim (krb5_context context, krb5_rcache rc, krb5_deltat lifespan) = NULL; 253280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rc_get_lifespan) 254280297Sjkim (krb5_context context, krb5_rcache rc, krb5_deltat *lifespan) = NULL; 255280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rc_destroy) 256280297Sjkim (krb5_context context, krb5_rcache rc) = NULL; 257280297Sjkimstatic krb5_boolean(_stdcall *p_krb5_principal_compare) 258280297Sjkim (krb5_context, krb5_const_principal, krb5_const_principal) = NULL; 259280297Sjkimstatic size_t (_stdcall *p_krb5_checksum_size) (krb5_context context, 260280297Sjkim krb5_cksumtype ctype) = NULL; 261280297Sjkimstatic krb5_boolean(_stdcall *p_valid_cksumtype) (krb5_cksumtype ctype) = 262280297Sjkim NULL; 263280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_kt_free_entry) 264280297Sjkim (krb5_context, krb5_keytab_entry *) = NULL; 265280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_auth_con_setrcache) (krb5_context, 266280297Sjkim krb5_auth_context, 267280297Sjkim krb5_rcache) = 268280297Sjkim NULL; 269280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_get_server_rcache) (krb5_context, 270280297Sjkim krb5_const 271280297Sjkim krb5_data *, 272280297Sjkim krb5_rcache *) = 273280297Sjkim NULL; 274280297Sjkimstatic krb5_error_code(*p_krb5_auth_con_getrcache) (krb5_context, 275280297Sjkim krb5_auth_context, 276280297Sjkim krb5_rcache *) = NULL; 277280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_kt_close) (krb5_context context, 278280297Sjkim krb5_keytab keytab) = NULL; 279280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_kt_get_entry) (krb5_context context, 280280297Sjkim krb5_keytab keytab, 281280297Sjkim krb5_const_principal 282280297Sjkim principal, 283280297Sjkim krb5_kvno vno, 284280297Sjkim krb5_enctype enctype, 285280297Sjkim krb5_keytab_entry 286280297Sjkim *entry) = NULL; 287109998Smarkmstatic int krb5_loaded = 0; /* only attempt to initialize func ptrs once */ 288109998Smarkm 289109998Smarkm/* Function to Load the Kerberos 5 DLL and initialize function pointers */ 290280297Sjkimvoid load_krb5_dll(void) 291280297Sjkim{ 292280297Sjkim HANDLE hKRB5_32; 293109998Smarkm 294280297Sjkim krb5_loaded++; 295280297Sjkim hKRB5_32 = LoadLibrary(TEXT("KRB5_32")); 296280297Sjkim if (!hKRB5_32) 297280297Sjkim return; 298109998Smarkm 299280297Sjkim (FARPROC) p_krb5_free_data_contents = 300280297Sjkim GetProcAddress(hKRB5_32, "krb5_free_data_contents"); 301280297Sjkim (FARPROC) p_krb5_free_context = 302280297Sjkim GetProcAddress(hKRB5_32, "krb5_free_context"); 303280297Sjkim (FARPROC) p_krb5_auth_con_free = 304280297Sjkim GetProcAddress(hKRB5_32, "krb5_auth_con_free"); 305280297Sjkim (FARPROC) p_krb5_free_principal = 306280297Sjkim GetProcAddress(hKRB5_32, "krb5_free_principal"); 307280297Sjkim (FARPROC) p_krb5_mk_req_extended = 308280297Sjkim GetProcAddress(hKRB5_32, "krb5_mk_req_extended"); 309280297Sjkim (FARPROC) p_krb5_get_credentials = 310280297Sjkim GetProcAddress(hKRB5_32, "krb5_get_credentials"); 311280297Sjkim (FARPROC) p_krb5_cc_get_principal = 312280297Sjkim GetProcAddress(hKRB5_32, "krb5_cc_get_principal"); 313280297Sjkim (FARPROC) p_krb5_cc_default = GetProcAddress(hKRB5_32, "krb5_cc_default"); 314280297Sjkim (FARPROC) p_krb5_sname_to_principal = 315280297Sjkim GetProcAddress(hKRB5_32, "krb5_sname_to_principal"); 316280297Sjkim (FARPROC) p_krb5_init_context = 317280297Sjkim GetProcAddress(hKRB5_32, "krb5_init_context"); 318280297Sjkim (FARPROC) p_krb5_free_ticket = 319280297Sjkim GetProcAddress(hKRB5_32, "krb5_free_ticket"); 320280297Sjkim (FARPROC) p_krb5_rd_req = GetProcAddress(hKRB5_32, "krb5_rd_req"); 321280297Sjkim (FARPROC) p_krb5_principal_compare = 322280297Sjkim GetProcAddress(hKRB5_32, "krb5_principal_compare"); 323280297Sjkim (FARPROC) p_krb5_decrypt_tkt_part = 324280297Sjkim GetProcAddress(hKRB5_32, "krb5_decrypt_tkt_part"); 325280297Sjkim (FARPROC) p_krb5_timeofday = GetProcAddress(hKRB5_32, "krb5_timeofday"); 326280297Sjkim (FARPROC) p_krb5_rc_default = GetProcAddress(hKRB5_32, "krb5_rc_default"); 327280297Sjkim (FARPROC) p_krb5_rc_initialize = 328280297Sjkim GetProcAddress(hKRB5_32, "krb5_rc_initialize"); 329280297Sjkim (FARPROC) p_krb5_rc_get_lifespan = 330280297Sjkim GetProcAddress(hKRB5_32, "krb5_rc_get_lifespan"); 331280297Sjkim (FARPROC) p_krb5_rc_destroy = GetProcAddress(hKRB5_32, "krb5_rc_destroy"); 332280297Sjkim (FARPROC) p_krb5_kt_default = GetProcAddress(hKRB5_32, "krb5_kt_default"); 333280297Sjkim (FARPROC) p_krb5_kt_resolve = GetProcAddress(hKRB5_32, "krb5_kt_resolve"); 334280297Sjkim (FARPROC) p_krb5_auth_con_init = 335280297Sjkim GetProcAddress(hKRB5_32, "krb5_auth_con_init"); 336280297Sjkim (FARPROC) p_valid_cksumtype = GetProcAddress(hKRB5_32, "valid_cksumtype"); 337280297Sjkim (FARPROC) p_krb5_checksum_size = 338280297Sjkim GetProcAddress(hKRB5_32, "krb5_checksum_size"); 339280297Sjkim (FARPROC) p_krb5_kt_free_entry = 340280297Sjkim GetProcAddress(hKRB5_32, "krb5_kt_free_entry"); 341280297Sjkim (FARPROC) p_krb5_auth_con_setrcache = 342280297Sjkim GetProcAddress(hKRB5_32, "krb5_auth_con_setrcache"); 343280297Sjkim (FARPROC) p_krb5_get_server_rcache = 344280297Sjkim GetProcAddress(hKRB5_32, "krb5_get_server_rcache"); 345280297Sjkim (FARPROC) p_krb5_auth_con_getrcache = 346280297Sjkim GetProcAddress(hKRB5_32, "krb5_auth_con_getrcache"); 347280297Sjkim (FARPROC) p_krb5_kt_close = GetProcAddress(hKRB5_32, "krb5_kt_close"); 348280297Sjkim (FARPROC) p_krb5_kt_get_entry = 349280297Sjkim GetProcAddress(hKRB5_32, "krb5_kt_get_entry"); 350280297Sjkim} 351280297Sjkim 352109998Smarkm/* Stubs for each function to be dynamicly loaded */ 353280297Sjkimvoid kssl_krb5_free_data_contents(krb5_context CO, krb5_data *data) 354280297Sjkim{ 355280297Sjkim if (!krb5_loaded) 356280297Sjkim load_krb5_dll(); 357109998Smarkm 358280297Sjkim if (p_krb5_free_data_contents) 359280297Sjkim p_krb5_free_data_contents(CO, data); 360280297Sjkim} 361109998Smarkm 362109998Smarkmkrb5_error_code 363280297Sjkimkssl_krb5_mk_req_extended(krb5_context CO, 364280297Sjkim krb5_auth_context *pACO, 365109998Smarkm krb5_const krb5_flags F, 366280297Sjkim krb5_data *pD1, krb5_creds *pC, krb5_data *pD2) 367280297Sjkim{ 368280297Sjkim if (!krb5_loaded) 369280297Sjkim load_krb5_dll(); 370109998Smarkm 371280297Sjkim if (p_krb5_mk_req_extended) 372280297Sjkim return (p_krb5_mk_req_extended(CO, pACO, F, pD1, pC, pD2)); 373280297Sjkim else 374280297Sjkim return KRB5KRB_ERR_GENERIC; 375280297Sjkim} 376280297Sjkim 377109998Smarkmkrb5_error_code 378280297Sjkimkssl_krb5_auth_con_init(krb5_context CO, krb5_auth_context *pACO) 379280297Sjkim{ 380280297Sjkim if (!krb5_loaded) 381280297Sjkim load_krb5_dll(); 382109998Smarkm 383280297Sjkim if (p_krb5_auth_con_init) 384280297Sjkim return (p_krb5_auth_con_init(CO, pACO)); 385280297Sjkim else 386280297Sjkim return KRB5KRB_ERR_GENERIC; 387280297Sjkim} 388280297Sjkim 389109998Smarkmkrb5_error_code 390280297Sjkimkssl_krb5_auth_con_free(krb5_context CO, krb5_auth_context ACO) 391280297Sjkim{ 392280297Sjkim if (!krb5_loaded) 393280297Sjkim load_krb5_dll(); 394109998Smarkm 395280297Sjkim if (p_krb5_auth_con_free) 396280297Sjkim return (p_krb5_auth_con_free(CO, ACO)); 397280297Sjkim else 398280297Sjkim return KRB5KRB_ERR_GENERIC; 399280297Sjkim} 400280297Sjkim 401109998Smarkmkrb5_error_code 402109998Smarkmkssl_krb5_get_credentials(krb5_context CO, 403280297Sjkim krb5_const krb5_flags F, 404280297Sjkim krb5_ccache CC, krb5_creds *pCR, krb5_creds **ppCR) 405280297Sjkim{ 406280297Sjkim if (!krb5_loaded) 407280297Sjkim load_krb5_dll(); 408109998Smarkm 409280297Sjkim if (p_krb5_get_credentials) 410280297Sjkim return (p_krb5_get_credentials(CO, F, CC, pCR, ppCR)); 411280297Sjkim else 412280297Sjkim return KRB5KRB_ERR_GENERIC; 413280297Sjkim} 414280297Sjkim 415109998Smarkmkrb5_error_code 416109998Smarkmkssl_krb5_sname_to_principal(krb5_context CO, 417280297Sjkim krb5_const char *pC1, 418280297Sjkim krb5_const char *pC2, 419280297Sjkim krb5_int32 I, krb5_principal *pPR) 420280297Sjkim{ 421280297Sjkim if (!krb5_loaded) 422280297Sjkim load_krb5_dll(); 423109998Smarkm 424280297Sjkim if (p_krb5_sname_to_principal) 425280297Sjkim return (p_krb5_sname_to_principal(CO, pC1, pC2, I, pPR)); 426280297Sjkim else 427280297Sjkim return KRB5KRB_ERR_GENERIC; 428280297Sjkim} 429109998Smarkm 430280297Sjkimkrb5_error_code kssl_krb5_cc_default(krb5_context CO, krb5_ccache *pCC) 431280297Sjkim{ 432280297Sjkim if (!krb5_loaded) 433280297Sjkim load_krb5_dll(); 434109998Smarkm 435280297Sjkim if (p_krb5_cc_default) 436280297Sjkim return (p_krb5_cc_default(CO, pCC)); 437280297Sjkim else 438280297Sjkim return KRB5KRB_ERR_GENERIC; 439280297Sjkim} 440109998Smarkm 441280297Sjkimkrb5_error_code kssl_krb5_init_context(krb5_context *pCO) 442280297Sjkim{ 443280297Sjkim if (!krb5_loaded) 444280297Sjkim load_krb5_dll(); 445109998Smarkm 446280297Sjkim if (p_krb5_init_context) 447280297Sjkim return (p_krb5_init_context(pCO)); 448280297Sjkim else 449280297Sjkim return KRB5KRB_ERR_GENERIC; 450280297Sjkim} 451109998Smarkm 452280297Sjkimvoid kssl_krb5_free_context(krb5_context CO) 453280297Sjkim{ 454280297Sjkim if (!krb5_loaded) 455280297Sjkim load_krb5_dll(); 456109998Smarkm 457280297Sjkim if (p_krb5_free_context) 458280297Sjkim p_krb5_free_context(CO); 459280297Sjkim} 460109998Smarkm 461280297Sjkimvoid kssl_krb5_free_principal(krb5_context c, krb5_principal p) 462280297Sjkim{ 463280297Sjkim if (!krb5_loaded) 464280297Sjkim load_krb5_dll(); 465109998Smarkm 466280297Sjkim if (p_krb5_free_principal) 467280297Sjkim p_krb5_free_principal(c, p); 468280297Sjkim} 469109998Smarkm 470109998Smarkmkrb5_error_code 471280297Sjkimkssl_krb5_kt_resolve(krb5_context con, krb5_const char *sz, krb5_keytab *kt) 472280297Sjkim{ 473280297Sjkim if (!krb5_loaded) 474280297Sjkim load_krb5_dll(); 475109998Smarkm 476280297Sjkim if (p_krb5_kt_resolve) 477280297Sjkim return (p_krb5_kt_resolve(con, sz, kt)); 478280297Sjkim else 479280297Sjkim return KRB5KRB_ERR_GENERIC; 480280297Sjkim} 481109998Smarkm 482280297Sjkimkrb5_error_code kssl_krb5_kt_default(krb5_context con, krb5_keytab *kt) 483280297Sjkim{ 484280297Sjkim if (!krb5_loaded) 485280297Sjkim load_krb5_dll(); 486109998Smarkm 487280297Sjkim if (p_krb5_kt_default) 488280297Sjkim return (p_krb5_kt_default(con, kt)); 489280297Sjkim else 490280297Sjkim return KRB5KRB_ERR_GENERIC; 491280297Sjkim} 492109998Smarkm 493280297Sjkimkrb5_error_code kssl_krb5_free_ticket(krb5_context con, krb5_ticket *kt) 494280297Sjkim{ 495280297Sjkim if (!krb5_loaded) 496280297Sjkim load_krb5_dll(); 497109998Smarkm 498280297Sjkim if (p_krb5_free_ticket) 499280297Sjkim return (p_krb5_free_ticket(con, kt)); 500280297Sjkim else 501280297Sjkim return KRB5KRB_ERR_GENERIC; 502280297Sjkim} 503109998Smarkm 504109998Smarkmkrb5_error_code 505280297Sjkimkssl_krb5_rd_req(krb5_context con, krb5_auth_context *pacon, 506280297Sjkim krb5_const krb5_data *data, 507280297Sjkim krb5_const_principal princ, krb5_keytab keytab, 508280297Sjkim krb5_flags *flags, krb5_ticket **pptkt) 509280297Sjkim{ 510280297Sjkim if (!krb5_loaded) 511280297Sjkim load_krb5_dll(); 512109998Smarkm 513280297Sjkim if (p_krb5_rd_req) 514280297Sjkim return (p_krb5_rd_req(con, pacon, data, princ, keytab, flags, pptkt)); 515280297Sjkim else 516280297Sjkim return KRB5KRB_ERR_GENERIC; 517280297Sjkim} 518109998Smarkm 519109998Smarkmkrb5_boolean 520109998Smarkmkrb5_principal_compare(krb5_context con, krb5_const_principal princ1, 521280297Sjkim krb5_const_principal princ2) 522280297Sjkim{ 523280297Sjkim if (!krb5_loaded) 524280297Sjkim load_krb5_dll(); 525109998Smarkm 526280297Sjkim if (p_krb5_principal_compare) 527280297Sjkim return (p_krb5_principal_compare(con, princ1, princ2)); 528280297Sjkim else 529280297Sjkim return KRB5KRB_ERR_GENERIC; 530280297Sjkim} 531109998Smarkm 532109998Smarkmkrb5_error_code 533109998Smarkmkrb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys, 534280297Sjkim krb5_ticket *ticket) 535280297Sjkim{ 536280297Sjkim if (!krb5_loaded) 537280297Sjkim load_krb5_dll(); 538109998Smarkm 539280297Sjkim if (p_krb5_decrypt_tkt_part) 540280297Sjkim return (p_krb5_decrypt_tkt_part(con, keys, ticket)); 541280297Sjkim else 542280297Sjkim return KRB5KRB_ERR_GENERIC; 543280297Sjkim} 544109998Smarkm 545280297Sjkimkrb5_error_code krb5_timeofday(krb5_context con, krb5_int32 *timeret) 546280297Sjkim{ 547280297Sjkim if (!krb5_loaded) 548280297Sjkim load_krb5_dll(); 549109998Smarkm 550280297Sjkim if (p_krb5_timeofday) 551280297Sjkim return (p_krb5_timeofday(con, timeret)); 552280297Sjkim else 553280297Sjkim return KRB5KRB_ERR_GENERIC; 554280297Sjkim} 555109998Smarkm 556280297Sjkimkrb5_error_code krb5_rc_default(krb5_context con, krb5_rcache *rc) 557280297Sjkim{ 558280297Sjkim if (!krb5_loaded) 559280297Sjkim load_krb5_dll(); 560109998Smarkm 561280297Sjkim if (p_krb5_rc_default) 562280297Sjkim return (p_krb5_rc_default(con, rc)); 563280297Sjkim else 564280297Sjkim return KRB5KRB_ERR_GENERIC; 565280297Sjkim} 566109998Smarkm 567109998Smarkmkrb5_error_code 568109998Smarkmkrb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan) 569280297Sjkim{ 570280297Sjkim if (!krb5_loaded) 571280297Sjkim load_krb5_dll(); 572109998Smarkm 573280297Sjkim if (p_krb5_rc_initialize) 574280297Sjkim return (p_krb5_rc_initialize(con, rc, lifespan)); 575280297Sjkim else 576280297Sjkim return KRB5KRB_ERR_GENERIC; 577280297Sjkim} 578109998Smarkm 579109998Smarkmkrb5_error_code 580109998Smarkmkrb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp) 581280297Sjkim{ 582280297Sjkim if (!krb5_loaded) 583280297Sjkim load_krb5_dll(); 584109998Smarkm 585280297Sjkim if (p_krb5_rc_get_lifespan) 586280297Sjkim return (p_krb5_rc_get_lifespan(con, rc, lifespanp)); 587280297Sjkim else 588280297Sjkim return KRB5KRB_ERR_GENERIC; 589280297Sjkim} 590109998Smarkm 591280297Sjkimkrb5_error_code krb5_rc_destroy(krb5_context con, krb5_rcache rc) 592280297Sjkim{ 593280297Sjkim if (!krb5_loaded) 594280297Sjkim load_krb5_dll(); 595109998Smarkm 596280297Sjkim if (p_krb5_rc_destroy) 597280297Sjkim return (p_krb5_rc_destroy(con, rc)); 598280297Sjkim else 599280297Sjkim return KRB5KRB_ERR_GENERIC; 600280297Sjkim} 601109998Smarkm 602280297Sjkimsize_t krb5_checksum_size(krb5_context context, krb5_cksumtype ctype) 603280297Sjkim{ 604280297Sjkim if (!krb5_loaded) 605280297Sjkim load_krb5_dll(); 606109998Smarkm 607280297Sjkim if (p_krb5_checksum_size) 608280297Sjkim return (p_krb5_checksum_size(context, ctype)); 609280297Sjkim else 610280297Sjkim return KRB5KRB_ERR_GENERIC; 611280297Sjkim} 612109998Smarkm 613280297Sjkimkrb5_boolean valid_cksumtype(krb5_cksumtype ctype) 614280297Sjkim{ 615280297Sjkim if (!krb5_loaded) 616280297Sjkim load_krb5_dll(); 617109998Smarkm 618280297Sjkim if (p_valid_cksumtype) 619280297Sjkim return (p_valid_cksumtype(ctype)); 620280297Sjkim else 621280297Sjkim return KRB5KRB_ERR_GENERIC; 622280297Sjkim} 623109998Smarkm 624280297Sjkimkrb5_error_code krb5_kt_free_entry(krb5_context con, krb5_keytab_entry *entry) 625280297Sjkim{ 626280297Sjkim if (!krb5_loaded) 627280297Sjkim load_krb5_dll(); 628109998Smarkm 629280297Sjkim if (p_krb5_kt_free_entry) 630280297Sjkim return (p_krb5_kt_free_entry(con, entry)); 631280297Sjkim else 632280297Sjkim return KRB5KRB_ERR_GENERIC; 633280297Sjkim} 634280297Sjkim 635109998Smarkm/* Structure definitions */ 636280297Sjkim# ifndef NO_DEF_KRB5_CCACHE 637280297Sjkim# ifndef krb5_x 638280297Sjkim# define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) 639280297Sjkim# define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) 640280297Sjkim# endif 641109998Smarkm 642280297Sjkimtypedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */ 643109998Smarkm 644280297Sjkimtypedef struct _krb5_ccache { 645280297Sjkim krb5_magic magic; 646280297Sjkim struct _krb5_cc_ops FAR *ops; 647280297Sjkim krb5_pointer data; 648280297Sjkim} *krb5_ccache; 649109998Smarkm 650280297Sjkimtypedef struct _krb5_cc_ops { 651280297Sjkim krb5_magic magic; 652280297Sjkim char *prefix; 653280297Sjkim char *(KRB5_CALLCONV *get_name) 654280297Sjkim (krb5_context, krb5_ccache); 655280297Sjkim krb5_error_code(KRB5_CALLCONV *resolve) 656280297Sjkim (krb5_context, krb5_ccache *, const char *); 657280297Sjkim krb5_error_code(KRB5_CALLCONV *gen_new) 658280297Sjkim (krb5_context, krb5_ccache *); 659280297Sjkim krb5_error_code(KRB5_CALLCONV *init) 660280297Sjkim (krb5_context, krb5_ccache, krb5_principal); 661280297Sjkim krb5_error_code(KRB5_CALLCONV *destroy) 662280297Sjkim (krb5_context, krb5_ccache); 663280297Sjkim krb5_error_code(KRB5_CALLCONV *close) 664280297Sjkim (krb5_context, krb5_ccache); 665280297Sjkim krb5_error_code(KRB5_CALLCONV *store) 666280297Sjkim (krb5_context, krb5_ccache, krb5_creds *); 667280297Sjkim krb5_error_code(KRB5_CALLCONV *retrieve) 668280297Sjkim (krb5_context, krb5_ccache, krb5_flags, krb5_creds *, krb5_creds *); 669280297Sjkim krb5_error_code(KRB5_CALLCONV *get_princ) 670280297Sjkim (krb5_context, krb5_ccache, krb5_principal *); 671280297Sjkim krb5_error_code(KRB5_CALLCONV *get_first) 672280297Sjkim (krb5_context, krb5_ccache, krb5_cc_cursor *); 673280297Sjkim krb5_error_code(KRB5_CALLCONV *get_next) 674280297Sjkim (krb5_context, krb5_ccache, krb5_cc_cursor *, krb5_creds *); 675280297Sjkim krb5_error_code(KRB5_CALLCONV *end_get) 676280297Sjkim (krb5_context, krb5_ccache, krb5_cc_cursor *); 677280297Sjkim krb5_error_code(KRB5_CALLCONV *remove_cred) 678280297Sjkim (krb5_context, krb5_ccache, krb5_flags, krb5_creds *); 679280297Sjkim krb5_error_code(KRB5_CALLCONV *set_flags) 680280297Sjkim (krb5_context, krb5_ccache, krb5_flags); 681280297Sjkim} krb5_cc_ops; 682280297Sjkim# endif /* NO_DEF_KRB5_CCACHE */ 683109998Smarkm 684280297Sjkimkrb5_error_code 685280297Sjkim kssl_krb5_cc_get_principal 686280297Sjkim (krb5_context context, krb5_ccache cache, krb5_principal *principal) { 687280297Sjkim if (p_krb5_cc_get_principal) 688280297Sjkim return (p_krb5_cc_get_principal(context, cache, principal)); 689280297Sjkim else 690280297Sjkim return (krb5_x((cache)->ops->get_princ, (context, cache, principal))); 691280297Sjkim} 692109998Smarkm 693109998Smarkmkrb5_error_code 694109998Smarkmkssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon, 695109998Smarkm krb5_rcache rcache) 696280297Sjkim{ 697280297Sjkim if (p_krb5_auth_con_setrcache) 698280297Sjkim return (p_krb5_auth_con_setrcache(con, acon, rcache)); 699280297Sjkim else 700280297Sjkim return KRB5KRB_ERR_GENERIC; 701280297Sjkim} 702109998Smarkm 703109998Smarkmkrb5_error_code 704280297Sjkimkssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data *data, 705280297Sjkim krb5_rcache *rcache) 706280297Sjkim{ 707280297Sjkim if (p_krb5_get_server_rcache) 708280297Sjkim return (p_krb5_get_server_rcache(con, data, rcache)); 709280297Sjkim else 710280297Sjkim return KRB5KRB_ERR_GENERIC; 711280297Sjkim} 712109998Smarkm 713109998Smarkmkrb5_error_code 714109998Smarkmkssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon, 715280297Sjkim krb5_rcache *prcache) 716280297Sjkim{ 717280297Sjkim if (p_krb5_auth_con_getrcache) 718280297Sjkim return (p_krb5_auth_con_getrcache(con, acon, prcache)); 719280297Sjkim else 720280297Sjkim return KRB5KRB_ERR_GENERIC; 721280297Sjkim} 722109998Smarkm 723280297Sjkimkrb5_error_code kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab) 724280297Sjkim{ 725280297Sjkim if (p_krb5_kt_close) 726280297Sjkim return (p_krb5_kt_close(context, keytab)); 727280297Sjkim else 728280297Sjkim return KRB5KRB_ERR_GENERIC; 729280297Sjkim} 730280297Sjkim 731109998Smarkmkrb5_error_code 732109998Smarkmkssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, 733109998Smarkm krb5_const_principal principal, krb5_kvno vno, 734109998Smarkm krb5_enctype enctype, krb5_keytab_entry *entry) 735280297Sjkim{ 736280297Sjkim if (p_krb5_kt_get_entry) 737280297Sjkim return (p_krb5_kt_get_entry 738280297Sjkim (context, keytab, principal, vno, enctype, entry)); 739280297Sjkim else 740280297Sjkim return KRB5KRB_ERR_GENERIC; 741280297Sjkim} 742280297Sjkim# endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ 743109998Smarkm 744280297Sjkim/* 745280297Sjkim * memory allocation functions for non-temporary storage (e.g. stuff that 746280297Sjkim * gets saved into the kssl context) 747280297Sjkim */ 748280297Sjkimstatic void *kssl_calloc(size_t nmemb, size_t size) 749280297Sjkim{ 750280297Sjkim void *p; 751167612Ssimon 752280297Sjkim p = OPENSSL_malloc(nmemb * size); 753280297Sjkim if (p) { 754280297Sjkim memset(p, 0, nmemb * size); 755280297Sjkim } 756280297Sjkim return p; 757167612Ssimon} 758167612Ssimon 759280297Sjkim# define kssl_malloc(size) OPENSSL_malloc((size)) 760280297Sjkim# define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size) 761280297Sjkim# define kssl_free(ptr) OPENSSL_free((ptr)) 762167612Ssimon 763109998Smarkmchar 764109998Smarkm*kstring(char *string) 765280297Sjkim{ 766280297Sjkim static char *null = "[NULL]"; 767109998Smarkm 768280297Sjkim return ((string == NULL) ? null : string); 769280297Sjkim} 770109998Smarkm 771280297Sjkim/* 772280297Sjkim * Given KRB5 enctype (basically DES or 3DES), return closest match openssl 773280297Sjkim * EVP_ encryption algorithm. Return NULL for unknown or problematic 774280297Sjkim * (krb5_dk_encrypt) enctypes. Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are 775280297Sjkim * OK. 776280297Sjkim */ 777280297Sjkimconst EVP_CIPHER *kssl_map_enc(krb5_enctype enctype) 778280297Sjkim{ 779280297Sjkim switch (enctype) { 780280297Sjkim case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */ 781280297Sjkim case ENCTYPE_DES_CBC_CRC: 782280297Sjkim case ENCTYPE_DES_CBC_MD4: 783280297Sjkim case ENCTYPE_DES_CBC_MD5: 784280297Sjkim case ENCTYPE_DES_CBC_RAW: 785280297Sjkim return EVP_des_cbc(); 786280297Sjkim break; 787280297Sjkim case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ 788280297Sjkim case ENCTYPE_DES3_CBC_SHA: 789280297Sjkim case ENCTYPE_DES3_CBC_RAW: 790280297Sjkim return EVP_des_ede3_cbc(); 791280297Sjkim break; 792280297Sjkim default: 793280297Sjkim return NULL; 794280297Sjkim break; 795280297Sjkim } 796280297Sjkim} 797109998Smarkm 798280297Sjkim/* 799280297Sjkim * Return true:1 if p "looks like" the start of the real authenticator 800280297Sjkim * described in kssl_skip_confound() below. The ASN.1 pattern is "62 xx 30 801280297Sjkim * yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and xx and yy are 802280297Sjkim * possibly multi-byte length fields. 803280297Sjkim */ 804280297Sjkimstatic int kssl_test_confound(unsigned char *p) 805280297Sjkim{ 806280297Sjkim int len = 2; 807280297Sjkim int xx = 0, yy = 0; 808109998Smarkm 809280297Sjkim if (*p++ != 0x62) 810280297Sjkim return 0; 811280297Sjkim if (*p > 0x82) 812280297Sjkim return 0; 813280297Sjkim switch (*p) { 814280297Sjkim case 0x82: 815280297Sjkim p++; 816280297Sjkim xx = (*p++ << 8); 817280297Sjkim xx += *p++; 818280297Sjkim break; 819280297Sjkim case 0x81: 820280297Sjkim p++; 821280297Sjkim xx = *p++; 822280297Sjkim break; 823280297Sjkim case 0x80: 824280297Sjkim return 0; 825280297Sjkim default: 826280297Sjkim xx = *p++; 827280297Sjkim break; 828280297Sjkim } 829280297Sjkim if (*p++ != 0x30) 830280297Sjkim return 0; 831280297Sjkim if (*p > 0x82) 832280297Sjkim return 0; 833280297Sjkim switch (*p) { 834280297Sjkim case 0x82: 835280297Sjkim p++; 836280297Sjkim len += 2; 837280297Sjkim yy = (*p++ << 8); 838280297Sjkim yy += *p++; 839280297Sjkim break; 840280297Sjkim case 0x81: 841280297Sjkim p++; 842280297Sjkim len++; 843280297Sjkim yy = *p++; 844280297Sjkim break; 845280297Sjkim case 0x80: 846280297Sjkim return 0; 847280297Sjkim default: 848280297Sjkim yy = *p++; 849280297Sjkim break; 850280297Sjkim } 851109998Smarkm 852280297Sjkim return (xx - len == yy) ? 1 : 0; 853280297Sjkim} 854109998Smarkm 855280297Sjkim/* 856280297Sjkim * Allocate, fill, and return cksumlens array of checksum lengths. This 857280297Sjkim * array holds just the unique elements from the krb5_cksumarray[]. array[n] 858280297Sjkim * == 0 signals end of data. The krb5_cksumarray[] was an internal variable 859280297Sjkim * that has since been replaced by a more general method for storing the 860280297Sjkim * data. It should not be used. Instead we use real API calls and make a 861280297Sjkim * guess for what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 862280297Sjkim * it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. 863280297Sjkim */ 864280297Sjkimstatic size_t *populate_cksumlens(void) 865280297Sjkim{ 866280297Sjkim int i, j, n; 867280297Sjkim static size_t *cklens = NULL; 868109998Smarkm 869280297Sjkim# ifdef KRB5_MIT_OLD11 870280297Sjkim n = krb5_max_cksum; 871280297Sjkim# else 872280297Sjkim n = 0x0010; 873280297Sjkim# endif /* KRB5_MIT_OLD11 */ 874109998Smarkm 875280297Sjkim# ifdef KRB5CHECKAUTH 876280297Sjkim if (!cklens && !(cklens = (size_t *)calloc(sizeof(int), n + 1))) 877280297Sjkim return NULL; 878109998Smarkm 879280297Sjkim for (i = 0; i < n; i++) { 880280297Sjkim if (!valid_cksumtype(i)) 881280297Sjkim continue; /* array has holes */ 882280297Sjkim for (j = 0; j < n; j++) { 883280297Sjkim if (cklens[j] == 0) { 884280297Sjkim cklens[j] = krb5_checksum_size(NULL, i); 885280297Sjkim break; /* krb5 elem was new: add */ 886280297Sjkim } 887280297Sjkim if (cklens[j] == krb5_checksum_size(NULL, i)) { 888280297Sjkim break; /* ignore duplicate elements */ 889280297Sjkim } 890280297Sjkim } 891280297Sjkim } 892280297Sjkim# endif /* KRB5CHECKAUTH */ 893109998Smarkm 894280297Sjkim return cklens; 895280297Sjkim} 896109998Smarkm 897280297Sjkim/*- 898280297Sjkim * Return pointer to start of real authenticator within authenticator, or 899280297Sjkim * return NULL on error. 900280297Sjkim * Decrypted authenticator looks like this: 901280297Sjkim * [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] 902280297Sjkim * This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the 903280297Sjkim * krb5_auth_con_getcksumtype() function advertised in its krb5.h. 904280297Sjkim */ 905280297Sjkimunsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) 906280297Sjkim{ 907280297Sjkim int i, conlen; 908280297Sjkim size_t cklen; 909280297Sjkim static size_t *cksumlens = NULL; 910280297Sjkim unsigned char *test_auth; 911109998Smarkm 912280297Sjkim conlen = (etype) ? 8 : 0; 913109998Smarkm 914280297Sjkim if (!cksumlens && !(cksumlens = populate_cksumlens())) 915280297Sjkim return NULL; 916280297Sjkim for (i = 0; (cklen = cksumlens[i]) != 0; i++) { 917280297Sjkim test_auth = a + conlen + cklen; 918280297Sjkim if (kssl_test_confound(test_auth)) 919280297Sjkim return test_auth; 920280297Sjkim } 921109998Smarkm 922280297Sjkim return NULL; 923280297Sjkim} 924109998Smarkm 925280297Sjkim/* 926280297Sjkim * Set kssl_err error info when reason text is a simple string kssl_err = 927280297Sjkim * struct { int reason; char text[KSSL_ERR_MAX+1]; } 928280297Sjkim */ 929280297Sjkimvoid kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) 930280297Sjkim{ 931280297Sjkim if (kssl_err == NULL) 932280297Sjkim return; 933109998Smarkm 934280297Sjkim kssl_err->reason = reason; 935280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text); 936280297Sjkim return; 937280297Sjkim} 938109998Smarkm 939280297Sjkim/* 940280297Sjkim * Display contents of krb5_data struct, for debugging 941280297Sjkim */ 942280297Sjkimvoid print_krb5_data(char *label, krb5_data *kdata) 943280297Sjkim{ 944280297Sjkim int i; 945109998Smarkm 946280297Sjkim fprintf(stderr, "%s[%d] ", label, kdata->length); 947280297Sjkim for (i = 0; i < (int)kdata->length; i++) { 948280297Sjkim if (0 && isprint((int)kdata->data[i])) 949280297Sjkim fprintf(stderr, "%c ", kdata->data[i]); 950280297Sjkim else 951280297Sjkim fprintf(stderr, "%02x ", (unsigned char)kdata->data[i]); 952280297Sjkim } 953280297Sjkim fprintf(stderr, "\n"); 954280297Sjkim} 955109998Smarkm 956280297Sjkim/* 957280297Sjkim * Display contents of krb5_authdata struct, for debugging 958280297Sjkim */ 959280297Sjkimvoid print_krb5_authdata(char *label, krb5_authdata **adata) 960280297Sjkim{ 961280297Sjkim if (adata == NULL) { 962280297Sjkim fprintf(stderr, "%s, authdata==0\n", label); 963280297Sjkim return; 964280297Sjkim } 965280297Sjkim fprintf(stderr, "%s [%p]\n", label, (void *)adata); 966280297Sjkim# if 0 967280297Sjkim { 968280297Sjkim int i; 969280297Sjkim fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length); 970280297Sjkim for (i = 0; i < adata->length; i++) { 971280297Sjkim fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x", 972280297Sjkim adata->contents[i]); 973109998Smarkm } 974280297Sjkim fprintf(stderr, "\n"); 975280297Sjkim } 976280297Sjkim# endif 977280297Sjkim} 978109998Smarkm 979280297Sjkim/* 980280297Sjkim * Display contents of krb5_keyblock struct, for debugging 981280297Sjkim */ 982280297Sjkimvoid print_krb5_keyblock(char *label, krb5_keyblock *keyblk) 983280297Sjkim{ 984280297Sjkim int i; 985109998Smarkm 986280297Sjkim if (keyblk == NULL) { 987280297Sjkim fprintf(stderr, "%s, keyblk==0\n", label); 988280297Sjkim return; 989280297Sjkim } 990280297Sjkim# ifdef KRB5_HEIMDAL 991280297Sjkim fprintf(stderr, "%s\n\t[et%d:%d]: ", label, keyblk->keytype, 992280297Sjkim keyblk->keyvalue->length); 993280297Sjkim for (i = 0; i < (int)keyblk->keyvalue->length; i++) { 994280297Sjkim fprintf(stderr, "%02x", 995280297Sjkim (unsigned char *)(keyblk->keyvalue->contents)[i]); 996280297Sjkim } 997280297Sjkim fprintf(stderr, "\n"); 998280297Sjkim# else 999280297Sjkim fprintf(stderr, "%s\n\t[et%d:%d]: ", label, keyblk->enctype, 1000280297Sjkim keyblk->length); 1001280297Sjkim for (i = 0; i < (int)keyblk->length; i++) { 1002280297Sjkim fprintf(stderr, "%02x", keyblk->contents[i]); 1003280297Sjkim } 1004280297Sjkim fprintf(stderr, "\n"); 1005280297Sjkim# endif 1006280297Sjkim} 1007109998Smarkm 1008280297Sjkim/* 1009280297Sjkim * Display contents of krb5_principal_data struct, for debugging 1010280297Sjkim * (krb5_principal is typedef'd == krb5_principal_data *) 1011280297Sjkim */ 1012280297Sjkimstatic void print_krb5_princ(char *label, krb5_principal_data *princ) 1013280297Sjkim{ 1014280297Sjkim int i, ui, uj; 1015109998Smarkm 1016280297Sjkim fprintf(stderr, "%s principal Realm: ", label); 1017280297Sjkim if (princ == NULL) 1018280297Sjkim return; 1019280297Sjkim for (ui = 0; ui < (int)princ->realm.length; ui++) 1020280297Sjkim putchar(princ->realm.data[ui]); 1021280297Sjkim fprintf(stderr, " (nametype %d) has %d strings:\n", princ->type, 1022280297Sjkim princ->length); 1023280297Sjkim for (i = 0; i < (int)princ->length; i++) { 1024280297Sjkim fprintf(stderr, "\t%d [%d]: ", i, princ->data[i].length); 1025280297Sjkim for (uj = 0; uj < (int)princ->data[i].length; uj++) { 1026280297Sjkim putchar(princ->data[i].data[uj]); 1027109998Smarkm } 1028280297Sjkim fprintf(stderr, "\n"); 1029280297Sjkim } 1030280297Sjkim return; 1031280297Sjkim} 1032109998Smarkm 1033280297Sjkim/*- Given krb5 service (typically "kssl") and hostname in kssl_ctx, 1034280297Sjkim * Return encrypted Kerberos ticket for service @ hostname. 1035280297Sjkim * If authenp is non-NULL, also return encrypted authenticator, 1036280297Sjkim * whose data should be freed by caller. 1037280297Sjkim * (Originally was: Create Kerberos AP_REQ message for SSL Client.) 1038280297Sjkim * 1039280297Sjkim * 19990628 VRS Started; Returns Kerberos AP_REQ message. 1040280297Sjkim * 20010409 VRS Modified for RFC2712; Returns enc tkt. 1041280297Sjkim * 20010606 VRS May also return optional authenticator. 1042280297Sjkim */ 1043280297Sjkimkrb5_error_code kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, 1044280297Sjkim /* 1045280297Sjkim * OUT 1046280297Sjkim */ krb5_data **enc_ticketp, 1047280297Sjkim /* 1048280297Sjkim * UPDATE 1049280297Sjkim */ krb5_data *authenp, 1050280297Sjkim /* 1051280297Sjkim * OUT 1052280297Sjkim */ KSSL_ERR *kssl_err) 1053280297Sjkim{ 1054280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1055280297Sjkim krb5_context krb5context = NULL; 1056280297Sjkim krb5_auth_context krb5auth_context = NULL; 1057280297Sjkim krb5_ccache krb5ccdef = NULL; 1058280297Sjkim krb5_creds krb5creds, *krb5credsp = NULL; 1059280297Sjkim krb5_data krb5_app_req; 1060109998Smarkm 1061280297Sjkim kssl_err_set(kssl_err, 0, ""); 1062280297Sjkim memset((char *)&krb5creds, 0, sizeof(krb5creds)); 1063109998Smarkm 1064280297Sjkim if (!kssl_ctx) { 1065280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); 1066280297Sjkim goto err; 1067280297Sjkim } else if (!kssl_ctx->service_host) { 1068280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1069280297Sjkim "kssl_ctx service_host undefined.\n"); 1070280297Sjkim goto err; 1071280297Sjkim } 1072109998Smarkm 1073280297Sjkim if ((krb5rc = krb5_init_context(&krb5context)) != 0) { 1074280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1075280297Sjkim "krb5_init_context() fails: %d\n", krb5rc); 1076280297Sjkim kssl_err->reason = SSL_R_KRB5_C_INIT; 1077280297Sjkim goto err; 1078280297Sjkim } 1079109998Smarkm 1080280297Sjkim if ((krb5rc = krb5_sname_to_principal(krb5context, 1081280297Sjkim kssl_ctx->service_host, 1082280297Sjkim (kssl_ctx->service_name) ? 1083280297Sjkim kssl_ctx->service_name : KRB5SVC, 1084280297Sjkim KRB5_NT_SRV_HST, 1085280297Sjkim &krb5creds.server)) != 0) { 1086280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1087280297Sjkim "krb5_sname_to_principal() fails for %s/%s\n", 1088280297Sjkim kssl_ctx->service_host, 1089280297Sjkim (kssl_ctx-> 1090280297Sjkim service_name) ? kssl_ctx->service_name : KRB5SVC); 1091280297Sjkim kssl_err->reason = SSL_R_KRB5_C_INIT; 1092280297Sjkim goto err; 1093280297Sjkim } 1094109998Smarkm 1095280297Sjkim if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) { 1096280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, 1097280297Sjkim "krb5_cc_default fails.\n"); 1098280297Sjkim goto err; 1099280297Sjkim } 1100109998Smarkm 1101280297Sjkim if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, 1102280297Sjkim &krb5creds.client)) != 0) { 1103280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, 1104280297Sjkim "krb5_cc_get_principal() fails.\n"); 1105280297Sjkim goto err; 1106280297Sjkim } 1107109998Smarkm 1108280297Sjkim if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, 1109280297Sjkim &krb5creds, &krb5credsp)) != 0) { 1110280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED, 1111280297Sjkim "krb5_get_credentials() fails.\n"); 1112280297Sjkim goto err; 1113280297Sjkim } 1114109998Smarkm 1115280297Sjkim *enc_ticketp = &krb5credsp->ticket; 1116280297Sjkim# ifdef KRB5_HEIMDAL 1117280297Sjkim kssl_ctx->enctype = krb5credsp->session.keytype; 1118280297Sjkim# else 1119280297Sjkim kssl_ctx->enctype = krb5credsp->keyblock.enctype; 1120280297Sjkim# endif 1121109998Smarkm 1122280297Sjkim krb5rc = KRB5KRB_ERR_GENERIC; 1123280297Sjkim /* caller should free data of krb5_app_req */ 1124280297Sjkim /* 1125280297Sjkim * 20010406 VRS deleted for real KerberosWrapper 20010605 VRS reinstated 1126280297Sjkim * to offer Authenticator to KerberosWrapper 1127280297Sjkim */ 1128280297Sjkim krb5_app_req.length = 0; 1129280297Sjkim if (authenp) { 1130280297Sjkim krb5_data krb5in_data; 1131280297Sjkim const unsigned char *p; 1132280297Sjkim long arlen; 1133280297Sjkim KRB5_APREQBODY *ap_req; 1134109998Smarkm 1135280297Sjkim authenp->length = 0; 1136280297Sjkim krb5in_data.data = NULL; 1137280297Sjkim krb5in_data.length = 0; 1138280297Sjkim if ((krb5rc = krb5_mk_req_extended(krb5context, 1139280297Sjkim &krb5auth_context, 0, &krb5in_data, 1140280297Sjkim krb5credsp, &krb5_app_req)) != 0) { 1141280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ, 1142280297Sjkim "krb5_mk_req_extended() fails.\n"); 1143280297Sjkim goto err; 1144280297Sjkim } 1145109998Smarkm 1146280297Sjkim arlen = krb5_app_req.length; 1147280297Sjkim p = (unsigned char *)krb5_app_req.data; 1148280297Sjkim ap_req = (KRB5_APREQBODY *)d2i_KRB5_APREQ(NULL, &p, arlen); 1149280297Sjkim if (ap_req) { 1150280297Sjkim authenp->length = i2d_KRB5_ENCDATA(ap_req->authenticator, NULL); 1151280297Sjkim if (authenp->length && (authenp->data = malloc(authenp->length))) { 1152280297Sjkim unsigned char *adp = (unsigned char *)authenp->data; 1153280297Sjkim authenp->length = 1154280297Sjkim i2d_KRB5_ENCDATA(ap_req->authenticator, &adp); 1155280297Sjkim } 1156280297Sjkim } 1157109998Smarkm 1158280297Sjkim if (ap_req) 1159280297Sjkim KRB5_APREQ_free((KRB5_APREQ *) ap_req); 1160280297Sjkim if (krb5_app_req.length) 1161280297Sjkim kssl_krb5_free_data_contents(krb5context, &krb5_app_req); 1162280297Sjkim } 1163280297Sjkim# ifdef KRB5_HEIMDAL 1164280297Sjkim if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) { 1165280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, 1166280297Sjkim "kssl_ctx_setkey() fails.\n"); 1167280297Sjkim } 1168280297Sjkim# else 1169280297Sjkim if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) { 1170280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, 1171280297Sjkim "kssl_ctx_setkey() fails.\n"); 1172280297Sjkim } 1173280297Sjkim# endif 1174280297Sjkim else 1175280297Sjkim krb5rc = 0; 1176109998Smarkm 1177280297Sjkim err: 1178280297Sjkim# ifdef KSSL_DEBUG 1179280297Sjkim kssl_ctx_show(kssl_ctx); 1180280297Sjkim# endif /* KSSL_DEBUG */ 1181109998Smarkm 1182280297Sjkim if (krb5creds.client) 1183280297Sjkim krb5_free_principal(krb5context, krb5creds.client); 1184280297Sjkim if (krb5creds.server) 1185280297Sjkim krb5_free_principal(krb5context, krb5creds.server); 1186280297Sjkim if (krb5auth_context) 1187280297Sjkim krb5_auth_con_free(krb5context, krb5auth_context); 1188280297Sjkim if (krb5context) 1189280297Sjkim krb5_free_context(krb5context); 1190280297Sjkim return (krb5rc); 1191280297Sjkim} 1192109998Smarkm 1193280297Sjkim/*- 1194280297Sjkim * Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. 1195280297Sjkim * Return Kerberos error code and kssl_err struct on error. 1196280297Sjkim * Allocates krb5_ticket and krb5_principal; caller should free these. 1197280297Sjkim * 1198280297Sjkim * 20010410 VRS Implemented krb5_decode_ticket() as 1199280297Sjkim * old_krb5_decode_ticket(). Missing from MIT1.0.6. 1200280297Sjkim * 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. 1201280297Sjkim * Re-used some of the old krb5_decode_ticket() 1202280297Sjkim * code here. This tkt should alloc/free just 1203280297Sjkim * like the real thing. 1204280297Sjkim */ 1205280297Sjkimstatic krb5_error_code kssl_TKT2tkt( /* IN */ krb5_context krb5context, 1206280297Sjkim /* 1207280297Sjkim * IN 1208280297Sjkim */ KRB5_TKTBODY *asn1ticket, 1209280297Sjkim /* 1210280297Sjkim * OUT 1211280297Sjkim */ krb5_ticket **krb5ticket, 1212280297Sjkim /* 1213280297Sjkim * OUT 1214280297Sjkim */ KSSL_ERR *kssl_err) 1215280297Sjkim{ 1216280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1217280297Sjkim krb5_ticket *new5ticket = NULL; 1218280297Sjkim ASN1_GENERALSTRING *gstr_svc, *gstr_host; 1219109998Smarkm 1220280297Sjkim *krb5ticket = NULL; 1221109998Smarkm 1222280297Sjkim if (asn1ticket == NULL || asn1ticket->realm == NULL || 1223280297Sjkim asn1ticket->sname == NULL || 1224280297Sjkim sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) { 1225280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1226280297Sjkim "Null field in asn1ticket.\n"); 1227280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1228280297Sjkim return KRB5KRB_ERR_GENERIC; 1229280297Sjkim } 1230109998Smarkm 1231280297Sjkim if ((new5ticket = (krb5_ticket *)calloc(1, sizeof(krb5_ticket))) == NULL) { 1232280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1233280297Sjkim "Unable to allocate new krb5_ticket.\n"); 1234280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1235280297Sjkim return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */ 1236280297Sjkim } 1237109998Smarkm 1238280297Sjkim gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0); 1239280297Sjkim gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1); 1240109998Smarkm 1241280297Sjkim if ((krb5rc = kssl_build_principal_2(krb5context, 1242280297Sjkim &new5ticket->server, 1243280297Sjkim asn1ticket->realm->length, 1244280297Sjkim (char *)asn1ticket->realm->data, 1245280297Sjkim gstr_svc->length, 1246280297Sjkim (char *)gstr_svc->data, 1247280297Sjkim gstr_host->length, 1248280297Sjkim (char *)gstr_host->data)) != 0) { 1249280297Sjkim free(new5ticket); 1250280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1251280297Sjkim "Error building ticket server principal.\n"); 1252280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1253280297Sjkim return krb5rc; /* or KRB5KRB_ERR_GENERIC; */ 1254280297Sjkim } 1255109998Smarkm 1256280297Sjkim krb5_princ_type(krb5context, new5ticket->server) = 1257280297Sjkim asn1ticket->sname->nametype->data[0]; 1258280297Sjkim new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0]; 1259280297Sjkim new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0]; 1260280297Sjkim new5ticket->enc_part.ciphertext.length = 1261280297Sjkim asn1ticket->encdata->cipher->length; 1262280297Sjkim if ((new5ticket->enc_part.ciphertext.data = 1263280297Sjkim calloc(1, asn1ticket->encdata->cipher->length)) == NULL) { 1264280297Sjkim free(new5ticket); 1265280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1266280297Sjkim "Error allocating cipher in krb5ticket.\n"); 1267280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1268280297Sjkim return KRB5KRB_ERR_GENERIC; 1269280297Sjkim } else { 1270280297Sjkim memcpy(new5ticket->enc_part.ciphertext.data, 1271280297Sjkim asn1ticket->encdata->cipher->data, 1272280297Sjkim asn1ticket->encdata->cipher->length); 1273280297Sjkim } 1274109998Smarkm 1275280297Sjkim *krb5ticket = new5ticket; 1276280297Sjkim return 0; 1277280297Sjkim} 1278109998Smarkm 1279280297Sjkim/*- 1280280297Sjkim * Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), 1281280297Sjkim * and krb5 AP_REQ message & message length, 1282280297Sjkim * Return Kerberos session key and client principle 1283280297Sjkim * to SSL Server in KSSL_CTX *kssl_ctx. 1284280297Sjkim * 1285280297Sjkim * 19990702 VRS Started. 1286280297Sjkim */ 1287280297Sjkimkrb5_error_code kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, 1288280297Sjkim /* 1289280297Sjkim * IN 1290280297Sjkim */ krb5_data *indata, 1291280297Sjkim /* 1292280297Sjkim * OUT 1293280297Sjkim */ krb5_ticket_times *ttimes, 1294280297Sjkim /* 1295280297Sjkim * OUT 1296280297Sjkim */ KSSL_ERR *kssl_err) 1297280297Sjkim{ 1298280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1299280297Sjkim static krb5_context krb5context = NULL; 1300280297Sjkim static krb5_auth_context krb5auth_context = NULL; 1301280297Sjkim krb5_ticket *krb5ticket = NULL; 1302280297Sjkim KRB5_TKTBODY *asn1ticket = NULL; 1303280297Sjkim const unsigned char *p; 1304280297Sjkim krb5_keytab krb5keytab = NULL; 1305280297Sjkim krb5_keytab_entry kt_entry; 1306280297Sjkim krb5_principal krb5server; 1307280297Sjkim krb5_rcache rcache = NULL; 1308109998Smarkm 1309280297Sjkim kssl_err_set(kssl_err, 0, ""); 1310109998Smarkm 1311280297Sjkim if (!kssl_ctx) { 1312280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); 1313280297Sjkim goto err; 1314280297Sjkim } 1315280297Sjkim# ifdef KSSL_DEBUG 1316280297Sjkim fprintf(stderr, "in kssl_sget_tkt(%s)\n", 1317280297Sjkim kstring(kssl_ctx->service_name)); 1318280297Sjkim# endif /* KSSL_DEBUG */ 1319109998Smarkm 1320280297Sjkim if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) { 1321280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1322280297Sjkim "krb5_init_context() fails.\n"); 1323280297Sjkim goto err; 1324280297Sjkim } 1325280297Sjkim if (krb5auth_context && 1326280297Sjkim (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) { 1327280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1328280297Sjkim "krb5_auth_con_free() fails.\n"); 1329280297Sjkim goto err; 1330280297Sjkim } else 1331280297Sjkim krb5auth_context = NULL; 1332280297Sjkim if (!krb5auth_context && 1333280297Sjkim (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) { 1334280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1335280297Sjkim "krb5_auth_con_init() fails.\n"); 1336280297Sjkim goto err; 1337280297Sjkim } 1338109998Smarkm 1339280297Sjkim if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context, 1340280297Sjkim &rcache))) { 1341280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1342280297Sjkim "krb5_auth_con_getrcache() fails.\n"); 1343280297Sjkim goto err; 1344280297Sjkim } 1345109998Smarkm 1346280297Sjkim if ((krb5rc = krb5_sname_to_principal(krb5context, NULL, 1347280297Sjkim (kssl_ctx->service_name) ? 1348280297Sjkim kssl_ctx->service_name : KRB5SVC, 1349280297Sjkim KRB5_NT_SRV_HST, 1350280297Sjkim &krb5server)) != 0) { 1351280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1352280297Sjkim "krb5_sname_to_principal() fails.\n"); 1353280297Sjkim goto err; 1354280297Sjkim } 1355109998Smarkm 1356280297Sjkim if (rcache == NULL) { 1357280297Sjkim if ((krb5rc = krb5_get_server_rcache(krb5context, 1358280297Sjkim krb5_princ_component(krb5context, 1359280297Sjkim krb5server, 1360280297Sjkim 0), 1361280297Sjkim &rcache))) { 1362280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1363280297Sjkim "krb5_get_server_rcache() fails.\n"); 1364280297Sjkim goto err; 1365280297Sjkim } 1366280297Sjkim } 1367109998Smarkm 1368280297Sjkim if ((krb5rc = 1369280297Sjkim krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache))) { 1370280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1371280297Sjkim "krb5_auth_con_setrcache() fails.\n"); 1372280297Sjkim goto err; 1373280297Sjkim } 1374109998Smarkm 1375280297Sjkim /* 1376280297Sjkim * kssl_ctx->keytab_file == NULL ==> use Kerberos default 1377280297Sjkim */ 1378280297Sjkim if (kssl_ctx->keytab_file) { 1379280297Sjkim krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, 1380280297Sjkim &krb5keytab); 1381280297Sjkim if (krb5rc) { 1382280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1383280297Sjkim "krb5_kt_resolve() fails.\n"); 1384280297Sjkim goto err; 1385280297Sjkim } 1386280297Sjkim } else { 1387280297Sjkim krb5rc = krb5_kt_default(krb5context, &krb5keytab); 1388280297Sjkim if (krb5rc) { 1389280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1390280297Sjkim "krb5_kt_default() fails.\n"); 1391280297Sjkim goto err; 1392280297Sjkim } 1393280297Sjkim } 1394109998Smarkm 1395280297Sjkim /*- Actual Kerberos5 krb5_recvauth() has initial conversation here 1396280297Sjkim * o check KRB5_SENDAUTH_BADAUTHVERS 1397280297Sjkim * unless KRB5_RECVAUTH_SKIP_VERSION 1398280297Sjkim * o check KRB5_SENDAUTH_BADAPPLVERS 1399280297Sjkim * o send "0" msg if all OK 1400280297Sjkim */ 1401109998Smarkm 1402280297Sjkim /*- 1403280297Sjkim * 20010411 was using AP_REQ instead of true KerberosWrapper 1404280297Sjkim * 1405280297Sjkim * if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, 1406280297Sjkim * &krb5in_data, krb5server, krb5keytab, 1407280297Sjkim * &ap_option, &krb5ticket)) != 0) { Error } 1408280297Sjkim */ 1409109998Smarkm 1410280297Sjkim p = (unsigned char *)indata->data; 1411280297Sjkim if ((asn1ticket = (KRB5_TKTBODY *)d2i_KRB5_TICKET(NULL, &p, 1412280297Sjkim (long)indata->length)) 1413280297Sjkim == NULL) { 1414280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1415280297Sjkim "d2i_KRB5_TICKET() ASN.1 decode failure.\n"); 1416280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1417280297Sjkim goto err; 1418280297Sjkim } 1419109998Smarkm 1420280297Sjkim /* 1421280297Sjkim * Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) 1422280297Sjkim */ 1423280297Sjkim if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket, 1424280297Sjkim kssl_err)) != 0) { 1425280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1426280297Sjkim "Error converting ASN.1 ticket to krb5_ticket.\n"); 1427280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1428280297Sjkim goto err; 1429280297Sjkim } 1430109998Smarkm 1431280297Sjkim if (!krb5_principal_compare(krb5context, krb5server, krb5ticket->server)) { 1432280297Sjkim krb5rc = KRB5_PRINC_NOMATCH; 1433280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1434280297Sjkim "server principal != ticket principal\n"); 1435280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1436280297Sjkim goto err; 1437280297Sjkim } 1438280297Sjkim if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 1439280297Sjkim krb5ticket->server, 1440280297Sjkim krb5ticket->enc_part.kvno, 1441280297Sjkim krb5ticket->enc_part.enctype, 1442280297Sjkim &kt_entry)) != 0) { 1443280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1444280297Sjkim "krb5_kt_get_entry() fails with %x.\n", krb5rc); 1445280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1446280297Sjkim goto err; 1447280297Sjkim } 1448280297Sjkim if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key, 1449280297Sjkim krb5ticket)) != 0) { 1450280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1451280297Sjkim "krb5_decrypt_tkt_part() failed.\n"); 1452280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1453280297Sjkim goto err; 1454280297Sjkim } else { 1455280297Sjkim krb5_kt_free_entry(krb5context, &kt_entry); 1456280297Sjkim# ifdef KSSL_DEBUG 1457280297Sjkim { 1458280297Sjkim int i; 1459280297Sjkim krb5_address **paddr = krb5ticket->enc_part2->caddrs; 1460280297Sjkim fprintf(stderr, "Decrypted ticket fields:\n"); 1461280297Sjkim fprintf(stderr, "\tflags: %X, transit-type: %X", 1462280297Sjkim krb5ticket->enc_part2->flags, 1463280297Sjkim krb5ticket->enc_part2->transited.tr_type); 1464280297Sjkim print_krb5_data("\ttransit-data: ", 1465280297Sjkim &(krb5ticket->enc_part2->transited.tr_contents)); 1466280297Sjkim fprintf(stderr, "\tcaddrs: %p, authdata: %p\n", 1467280297Sjkim krb5ticket->enc_part2->caddrs, 1468280297Sjkim krb5ticket->enc_part2->authorization_data); 1469280297Sjkim if (paddr) { 1470280297Sjkim fprintf(stderr, "\tcaddrs:\n"); 1471280297Sjkim for (i = 0; paddr[i] != NULL; i++) { 1472280297Sjkim krb5_data d; 1473280297Sjkim d.length = paddr[i]->length; 1474280297Sjkim d.data = paddr[i]->contents; 1475280297Sjkim print_krb5_data("\t\tIP: ", &d); 1476109998Smarkm } 1477280297Sjkim } 1478280297Sjkim fprintf(stderr, "\tstart/auth/end times: %d / %d / %d\n", 1479280297Sjkim krb5ticket->enc_part2->times.starttime, 1480280297Sjkim krb5ticket->enc_part2->times.authtime, 1481280297Sjkim krb5ticket->enc_part2->times.endtime); 1482280297Sjkim } 1483280297Sjkim# endif /* KSSL_DEBUG */ 1484280297Sjkim } 1485109998Smarkm 1486280297Sjkim krb5rc = KRB5_NO_TKT_SUPPLIED; 1487280297Sjkim if (!krb5ticket || !krb5ticket->enc_part2 || 1488280297Sjkim !krb5ticket->enc_part2->client || 1489280297Sjkim !krb5ticket->enc_part2->client->data || 1490280297Sjkim !krb5ticket->enc_part2->session) { 1491280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1492280297Sjkim "bad ticket from krb5_rd_req.\n"); 1493280297Sjkim } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, 1494280297Sjkim &krb5ticket->enc_part2->client->realm, 1495280297Sjkim krb5ticket->enc_part2->client->data, 1496280297Sjkim krb5ticket->enc_part2->client->length)) { 1497280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1498280297Sjkim "kssl_ctx_setprinc() fails.\n"); 1499280297Sjkim } else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) { 1500280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1501280297Sjkim "kssl_ctx_setkey() fails.\n"); 1502280297Sjkim } else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) { 1503280297Sjkim krb5rc = KRB5KRB_AP_ERR_TKT_INVALID; 1504280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1505280297Sjkim "invalid ticket from krb5_rd_req.\n"); 1506280297Sjkim } else 1507280297Sjkim krb5rc = 0; 1508109998Smarkm 1509280297Sjkim kssl_ctx->enctype = krb5ticket->enc_part.enctype; 1510280297Sjkim ttimes->authtime = krb5ticket->enc_part2->times.authtime; 1511280297Sjkim ttimes->starttime = krb5ticket->enc_part2->times.starttime; 1512280297Sjkim ttimes->endtime = krb5ticket->enc_part2->times.endtime; 1513280297Sjkim ttimes->renew_till = krb5ticket->enc_part2->times.renew_till; 1514109998Smarkm 1515109998Smarkm err: 1516280297Sjkim# ifdef KSSL_DEBUG 1517280297Sjkim kssl_ctx_show(kssl_ctx); 1518280297Sjkim# endif /* KSSL_DEBUG */ 1519109998Smarkm 1520280297Sjkim if (asn1ticket) 1521280297Sjkim KRB5_TICKET_free((KRB5_TICKET *) asn1ticket); 1522280297Sjkim if (krb5keytab) 1523280297Sjkim krb5_kt_close(krb5context, krb5keytab); 1524280297Sjkim if (krb5ticket) 1525280297Sjkim krb5_free_ticket(krb5context, krb5ticket); 1526280297Sjkim if (krb5server) 1527280297Sjkim krb5_free_principal(krb5context, krb5server); 1528280297Sjkim return (krb5rc); 1529280297Sjkim} 1530109998Smarkm 1531280297Sjkim/* 1532280297Sjkim * Allocate & return a new kssl_ctx struct. 1533280297Sjkim */ 1534280297SjkimKSSL_CTX *kssl_ctx_new(void) 1535280297Sjkim{ 1536280297Sjkim return ((KSSL_CTX *)kssl_calloc(1, sizeof(KSSL_CTX))); 1537280297Sjkim} 1538109998Smarkm 1539280297Sjkim/* 1540280297Sjkim * Frees a kssl_ctx struct and any allocated memory it holds. Returns NULL. 1541280297Sjkim */ 1542280297SjkimKSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx) 1543280297Sjkim{ 1544280297Sjkim if (kssl_ctx == NULL) 1545280297Sjkim return kssl_ctx; 1546109998Smarkm 1547280297Sjkim if (kssl_ctx->key) 1548280297Sjkim OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); 1549280297Sjkim if (kssl_ctx->key) 1550280297Sjkim kssl_free(kssl_ctx->key); 1551280297Sjkim if (kssl_ctx->client_princ) 1552280297Sjkim kssl_free(kssl_ctx->client_princ); 1553280297Sjkim if (kssl_ctx->service_host) 1554280297Sjkim kssl_free(kssl_ctx->service_host); 1555280297Sjkim if (kssl_ctx->service_name) 1556280297Sjkim kssl_free(kssl_ctx->service_name); 1557280297Sjkim if (kssl_ctx->keytab_file) 1558280297Sjkim kssl_free(kssl_ctx->keytab_file); 1559109998Smarkm 1560280297Sjkim kssl_free(kssl_ctx); 1561280297Sjkim return (KSSL_CTX *)NULL; 1562280297Sjkim} 1563109998Smarkm 1564280297Sjkim/* 1565280297Sjkim * Given an array of (krb5_data *) entity (and optional realm), set the plain 1566280297Sjkim * (char *) client_princ or service_host member of the kssl_ctx struct. 1567280297Sjkim */ 1568109998Smarkmkrb5_error_code 1569109998Smarkmkssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, 1570280297Sjkim krb5_data *realm, krb5_data *entity, int nentities) 1571280297Sjkim{ 1572280297Sjkim char **princ; 1573280297Sjkim int length; 1574280297Sjkim int i; 1575109998Smarkm 1576280297Sjkim if (kssl_ctx == NULL || entity == NULL) 1577280297Sjkim return KSSL_CTX_ERR; 1578109998Smarkm 1579280297Sjkim switch (which) { 1580280297Sjkim case KSSL_CLIENT: 1581280297Sjkim princ = &kssl_ctx->client_princ; 1582280297Sjkim break; 1583280297Sjkim case KSSL_SERVER: 1584280297Sjkim princ = &kssl_ctx->service_host; 1585280297Sjkim break; 1586280297Sjkim default: 1587280297Sjkim return KSSL_CTX_ERR; 1588280297Sjkim break; 1589280297Sjkim } 1590280297Sjkim if (*princ) 1591280297Sjkim kssl_free(*princ); 1592109998Smarkm 1593280297Sjkim /* Add up all the entity->lengths */ 1594280297Sjkim length = 0; 1595280297Sjkim for (i = 0; i < nentities; i++) { 1596280297Sjkim length += entity[i].length; 1597280297Sjkim } 1598280297Sjkim /* Add in space for the '/' character(s) (if any) */ 1599280297Sjkim length += nentities - 1; 1600280297Sjkim /* Space for the ('@'+realm+NULL | NULL) */ 1601280297Sjkim length += ((realm) ? realm->length + 2 : 1); 1602120631Snectar 1603280297Sjkim if ((*princ = kssl_calloc(1, length)) == NULL) 1604280297Sjkim return KSSL_CTX_ERR; 1605280297Sjkim else { 1606280297Sjkim for (i = 0; i < nentities; i++) { 1607280297Sjkim strncat(*princ, entity[i].data, entity[i].length); 1608280297Sjkim if (i < nentities - 1) { 1609280297Sjkim strcat(*princ, "/"); 1610280297Sjkim } 1611109998Smarkm } 1612280297Sjkim if (realm) { 1613280297Sjkim strcat(*princ, "@"); 1614280297Sjkim (void)strncat(*princ, realm->data, realm->length); 1615280297Sjkim } 1616280297Sjkim } 1617109998Smarkm 1618280297Sjkim return KSSL_CTX_OK; 1619280297Sjkim} 1620109998Smarkm 1621280297Sjkim/*- Set one of the plain (char *) string members of the kssl_ctx struct. 1622280297Sjkim * Default values should be: 1623280297Sjkim * which == KSSL_SERVICE => "khost" (KRB5SVC) 1624280297Sjkim * which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) 1625280297Sjkim */ 1626280297Sjkimkrb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) 1627280297Sjkim{ 1628280297Sjkim char **string; 1629109998Smarkm 1630280297Sjkim if (!kssl_ctx) 1631280297Sjkim return KSSL_CTX_ERR; 1632109998Smarkm 1633280297Sjkim switch (which) { 1634280297Sjkim case KSSL_SERVICE: 1635280297Sjkim string = &kssl_ctx->service_name; 1636280297Sjkim break; 1637280297Sjkim case KSSL_SERVER: 1638280297Sjkim string = &kssl_ctx->service_host; 1639280297Sjkim break; 1640280297Sjkim case KSSL_CLIENT: 1641280297Sjkim string = &kssl_ctx->client_princ; 1642280297Sjkim break; 1643280297Sjkim case KSSL_KEYTAB: 1644280297Sjkim string = &kssl_ctx->keytab_file; 1645280297Sjkim break; 1646280297Sjkim default: 1647280297Sjkim return KSSL_CTX_ERR; 1648280297Sjkim break; 1649280297Sjkim } 1650280297Sjkim if (*string) 1651280297Sjkim kssl_free(*string); 1652109998Smarkm 1653280297Sjkim if (!text) { 1654280297Sjkim *string = '\0'; 1655280297Sjkim return KSSL_CTX_OK; 1656280297Sjkim } 1657109998Smarkm 1658280297Sjkim if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL) 1659280297Sjkim return KSSL_CTX_ERR; 1660280297Sjkim else 1661280297Sjkim strcpy(*string, text); 1662109998Smarkm 1663280297Sjkim return KSSL_CTX_OK; 1664280297Sjkim} 1665109998Smarkm 1666280297Sjkim/* 1667280297Sjkim * Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx 1668280297Sjkim * struct. Clear kssl_ctx->key if Kerberos session key is NULL. 1669280297Sjkim */ 1670280297Sjkimkrb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) 1671280297Sjkim{ 1672280297Sjkim int length; 1673280297Sjkim krb5_enctype enctype; 1674280297Sjkim krb5_octet FAR *contents = NULL; 1675109998Smarkm 1676280297Sjkim if (!kssl_ctx) 1677280297Sjkim return KSSL_CTX_ERR; 1678109998Smarkm 1679280297Sjkim if (kssl_ctx->key) { 1680280297Sjkim OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); 1681280297Sjkim kssl_free(kssl_ctx->key); 1682280297Sjkim } 1683109998Smarkm 1684280297Sjkim if (session) { 1685109998Smarkm 1686280297Sjkim# ifdef KRB5_HEIMDAL 1687280297Sjkim length = session->keyvalue->length; 1688280297Sjkim enctype = session->keytype; 1689280297Sjkim contents = session->keyvalue->contents; 1690280297Sjkim# else 1691280297Sjkim length = session->length; 1692280297Sjkim enctype = session->enctype; 1693280297Sjkim contents = session->contents; 1694280297Sjkim# endif 1695280297Sjkim kssl_ctx->enctype = enctype; 1696280297Sjkim kssl_ctx->length = length; 1697280297Sjkim } else { 1698280297Sjkim kssl_ctx->enctype = ENCTYPE_UNKNOWN; 1699280297Sjkim kssl_ctx->length = 0; 1700280297Sjkim return KSSL_CTX_OK; 1701280297Sjkim } 1702109998Smarkm 1703280297Sjkim if ((kssl_ctx->key = 1704280297Sjkim (krb5_octet FAR *)kssl_calloc(1, kssl_ctx->length)) == NULL) { 1705280297Sjkim kssl_ctx->length = 0; 1706280297Sjkim return KSSL_CTX_ERR; 1707280297Sjkim } else 1708280297Sjkim memcpy(kssl_ctx->key, contents, length); 1709109998Smarkm 1710280297Sjkim return KSSL_CTX_OK; 1711280297Sjkim} 1712109998Smarkm 1713280297Sjkim/* 1714280297Sjkim * Display contents of kssl_ctx struct 1715280297Sjkim */ 1716280297Sjkimvoid kssl_ctx_show(KSSL_CTX *kssl_ctx) 1717280297Sjkim{ 1718280297Sjkim int i; 1719109998Smarkm 1720280297Sjkim printf("kssl_ctx: "); 1721280297Sjkim if (kssl_ctx == NULL) { 1722280297Sjkim printf("NULL\n"); 1723280297Sjkim return; 1724280297Sjkim } else 1725280297Sjkim printf("%p\n", (void *)kssl_ctx); 1726109998Smarkm 1727280297Sjkim printf("\tservice:\t%s\n", 1728280297Sjkim (kssl_ctx->service_name) ? kssl_ctx->service_name : "NULL"); 1729280297Sjkim printf("\tclient:\t%s\n", 1730280297Sjkim (kssl_ctx->client_princ) ? kssl_ctx->client_princ : "NULL"); 1731280297Sjkim printf("\tserver:\t%s\n", 1732280297Sjkim (kssl_ctx->service_host) ? kssl_ctx->service_host : "NULL"); 1733280297Sjkim printf("\tkeytab:\t%s\n", 1734280297Sjkim (kssl_ctx->keytab_file) ? kssl_ctx->keytab_file : "NULL"); 1735280297Sjkim printf("\tkey [%d:%d]:\t", kssl_ctx->enctype, kssl_ctx->length); 1736109998Smarkm 1737280297Sjkim for (i = 0; i < kssl_ctx->length && kssl_ctx->key; i++) { 1738280297Sjkim printf("%02x", kssl_ctx->key[i]); 1739280297Sjkim } 1740280297Sjkim printf("\n"); 1741280297Sjkim return; 1742280297Sjkim} 1743109998Smarkm 1744280297Sjkimint kssl_keytab_is_available(KSSL_CTX *kssl_ctx) 1745109998Smarkm{ 1746280297Sjkim krb5_context krb5context = NULL; 1747280297Sjkim krb5_keytab krb5keytab = NULL; 1748280297Sjkim krb5_keytab_entry entry; 1749280297Sjkim krb5_principal princ = NULL; 1750280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1751109998Smarkm int rc = 0; 1752109998Smarkm 1753109998Smarkm if ((krb5rc = krb5_init_context(&krb5context))) 1754280297Sjkim return (0); 1755109998Smarkm 1756280297Sjkim /* 1757280297Sjkim * kssl_ctx->keytab_file == NULL ==> use Kerberos default 1758280297Sjkim */ 1759280297Sjkim if (kssl_ctx->keytab_file) { 1760109998Smarkm krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, 1761280297Sjkim &krb5keytab); 1762109998Smarkm if (krb5rc) 1763109998Smarkm goto exit; 1764280297Sjkim } else { 1765280297Sjkim krb5rc = krb5_kt_default(krb5context, &krb5keytab); 1766109998Smarkm if (krb5rc) 1767109998Smarkm goto exit; 1768109998Smarkm } 1769109998Smarkm 1770109998Smarkm /* the host key we are looking for */ 1771280297Sjkim krb5rc = krb5_sname_to_principal(krb5context, NULL, 1772280297Sjkim kssl_ctx-> 1773280297Sjkim service_name ? kssl_ctx->service_name : 1774280297Sjkim KRB5SVC, KRB5_NT_SRV_HST, &princ); 1775109998Smarkm 1776206046Ssimon if (krb5rc) 1777280297Sjkim goto exit; 1778206046Ssimon 1779280297Sjkim krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, princ, 1780280297Sjkim /* IGNORE_VNO */ 1781280297Sjkim 0, 1782280297Sjkim /* IGNORE_ENCTYPE */ 1783280297Sjkim 0, &entry); 1784280297Sjkim if (krb5rc == KRB5_KT_NOTFOUND) { 1785109998Smarkm rc = 1; 1786109998Smarkm goto exit; 1787280297Sjkim } else if (krb5rc) 1788109998Smarkm goto exit; 1789280297Sjkim 1790109998Smarkm krb5_kt_free_entry(krb5context, &entry); 1791109998Smarkm rc = 1; 1792109998Smarkm 1793280297Sjkim exit: 1794280297Sjkim if (krb5keytab) 1795280297Sjkim krb5_kt_close(krb5context, krb5keytab); 1796280297Sjkim if (princ) 1797280297Sjkim krb5_free_principal(krb5context, princ); 1798280297Sjkim if (krb5context) 1799280297Sjkim krb5_free_context(krb5context); 1800280297Sjkim return (rc); 1801109998Smarkm} 1802109998Smarkm 1803280297Sjkimint kssl_tgt_is_available(KSSL_CTX *kssl_ctx) 1804280297Sjkim{ 1805280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1806280297Sjkim krb5_context krb5context = NULL; 1807280297Sjkim krb5_ccache krb5ccdef = NULL; 1808280297Sjkim krb5_creds krb5creds, *krb5credsp = NULL; 1809280297Sjkim int rc = 0; 1810109998Smarkm 1811280297Sjkim memset((char *)&krb5creds, 0, sizeof(krb5creds)); 1812109998Smarkm 1813280297Sjkim if (!kssl_ctx) 1814280297Sjkim return (0); 1815109998Smarkm 1816280297Sjkim if (!kssl_ctx->service_host) 1817280297Sjkim return (0); 1818109998Smarkm 1819280297Sjkim if ((krb5rc = krb5_init_context(&krb5context)) != 0) 1820280297Sjkim goto err; 1821109998Smarkm 1822280297Sjkim if ((krb5rc = krb5_sname_to_principal(krb5context, 1823280297Sjkim kssl_ctx->service_host, 1824280297Sjkim (kssl_ctx->service_name) ? 1825280297Sjkim kssl_ctx->service_name : KRB5SVC, 1826280297Sjkim KRB5_NT_SRV_HST, 1827280297Sjkim &krb5creds.server)) != 0) 1828280297Sjkim goto err; 1829109998Smarkm 1830280297Sjkim if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) 1831280297Sjkim goto err; 1832109998Smarkm 1833280297Sjkim if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, 1834280297Sjkim &krb5creds.client)) != 0) 1835280297Sjkim goto err; 1836109998Smarkm 1837280297Sjkim if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, 1838280297Sjkim &krb5creds, &krb5credsp)) != 0) 1839280297Sjkim goto err; 1840109998Smarkm 1841280297Sjkim rc = 1; 1842109998Smarkm 1843280297Sjkim err: 1844280297Sjkim# ifdef KSSL_DEBUG 1845280297Sjkim kssl_ctx_show(kssl_ctx); 1846280297Sjkim# endif /* KSSL_DEBUG */ 1847109998Smarkm 1848280297Sjkim if (krb5creds.client) 1849280297Sjkim krb5_free_principal(krb5context, krb5creds.client); 1850280297Sjkim if (krb5creds.server) 1851280297Sjkim krb5_free_principal(krb5context, krb5creds.server); 1852280297Sjkim if (krb5context) 1853280297Sjkim krb5_free_context(krb5context); 1854280297Sjkim return (rc); 1855280297Sjkim} 1856109998Smarkm 1857280297Sjkim# if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32) 1858109998Smarkmvoid kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) 1859280297Sjkim{ 1860280297Sjkim# ifdef KRB5_HEIMDAL 1861280297Sjkim data->length = 0; 1862280297Sjkim if (data->data) 1863280297Sjkim free(data->data); 1864280297Sjkim# elif defined(KRB5_MIT_OLD11) 1865280297Sjkim if (data->data) { 1866280297Sjkim krb5_xfree(data->data); 1867280297Sjkim data->data = 0; 1868280297Sjkim } 1869280297Sjkim# else 1870280297Sjkim krb5_free_data_contents(NULL, data); 1871280297Sjkim# endif 1872280297Sjkim} 1873280297Sjkim# endif 1874280297Sjkim/* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */ 1875109998Smarkm 1876280297Sjkim/* 1877280297Sjkim * Given pointers to KerberosTime and struct tm structs, convert the 1878280297Sjkim * KerberosTime string to struct tm. Note that KerberosTime is a 1879280297Sjkim * ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional seconds 1880280297Sjkim * as defined in RFC 1510. Return pointer to the (partially) filled in 1881280297Sjkim * struct tm on success, return NULL on failure. 1882280297Sjkim */ 1883238405Sjkimstatic struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) 1884280297Sjkim{ 1885280297Sjkim char c, *p; 1886109998Smarkm 1887280297Sjkim if (!k_tm) 1888280297Sjkim return NULL; 1889280297Sjkim if (gtime == NULL || gtime->length < 14) 1890280297Sjkim return NULL; 1891280297Sjkim if (gtime->data == NULL) 1892280297Sjkim return NULL; 1893109998Smarkm 1894280297Sjkim p = (char *)>ime->data[14]; 1895109998Smarkm 1896280297Sjkim c = *p; 1897280297Sjkim *p = '\0'; 1898280297Sjkim p -= 2; 1899280297Sjkim k_tm->tm_sec = atoi(p); 1900280297Sjkim *(p + 2) = c; 1901280297Sjkim c = *p; 1902280297Sjkim *p = '\0'; 1903280297Sjkim p -= 2; 1904280297Sjkim k_tm->tm_min = atoi(p); 1905280297Sjkim *(p + 2) = c; 1906280297Sjkim c = *p; 1907280297Sjkim *p = '\0'; 1908280297Sjkim p -= 2; 1909280297Sjkim k_tm->tm_hour = atoi(p); 1910280297Sjkim *(p + 2) = c; 1911280297Sjkim c = *p; 1912280297Sjkim *p = '\0'; 1913280297Sjkim p -= 2; 1914280297Sjkim k_tm->tm_mday = atoi(p); 1915280297Sjkim *(p + 2) = c; 1916280297Sjkim c = *p; 1917280297Sjkim *p = '\0'; 1918280297Sjkim p -= 2; 1919280297Sjkim k_tm->tm_mon = atoi(p) - 1; 1920280297Sjkim *(p + 2) = c; 1921280297Sjkim c = *p; 1922280297Sjkim *p = '\0'; 1923280297Sjkim p -= 4; 1924280297Sjkim k_tm->tm_year = atoi(p) - 1900; 1925280297Sjkim *(p + 4) = c; 1926109998Smarkm 1927280297Sjkim return k_tm; 1928280297Sjkim} 1929109998Smarkm 1930280297Sjkim/* 1931280297Sjkim * Helper function for kssl_validate_times(). We need context->clockskew, 1932280297Sjkim * but krb5_context is an opaque struct. So we try to sneek the clockskew 1933280297Sjkim * out through the replay cache. If that fails just return a likely default 1934280297Sjkim * (300 seconds). 1935280297Sjkim */ 1936238405Sjkimstatic krb5_deltat get_rc_clockskew(krb5_context context) 1937280297Sjkim{ 1938280297Sjkim krb5_rcache rc; 1939280297Sjkim krb5_deltat clockskew; 1940109998Smarkm 1941280297Sjkim if (krb5_rc_default(context, &rc)) 1942280297Sjkim return KSSL_CLOCKSKEW; 1943280297Sjkim if (krb5_rc_initialize(context, rc, 0)) 1944280297Sjkim return KSSL_CLOCKSKEW; 1945280297Sjkim if (krb5_rc_get_lifespan(context, rc, &clockskew)) { 1946280297Sjkim clockskew = KSSL_CLOCKSKEW; 1947280297Sjkim } 1948280297Sjkim (void)krb5_rc_destroy(context, rc); 1949280297Sjkim return clockskew; 1950280297Sjkim} 1951109998Smarkm 1952280297Sjkim/* 1953280297Sjkim * kssl_validate_times() combines (and more importantly exposes) the MIT KRB5 1954280297Sjkim * internal function krb5_validate_times() and the in_clock_skew() macro. 1955280297Sjkim * The authenticator client time is checked to be within clockskew secs of 1956280297Sjkim * the current time and the current time is checked to be within the ticket 1957280297Sjkim * start and expire times. Either check may be omitted by supplying a NULL 1958280297Sjkim * value. Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. See 1959280297Sjkim * Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c 20010420 VRS 1960280297Sjkim */ 1961280297Sjkimkrb5_error_code kssl_validate_times(krb5_timestamp atime, 1962280297Sjkim krb5_ticket_times *ttimes) 1963280297Sjkim{ 1964280297Sjkim krb5_deltat skew; 1965280297Sjkim krb5_timestamp start, now; 1966280297Sjkim krb5_error_code rc; 1967280297Sjkim krb5_context context; 1968109998Smarkm 1969280297Sjkim if ((rc = krb5_init_context(&context))) 1970280297Sjkim return SSL_R_KRB5_S_BAD_TICKET; 1971280297Sjkim skew = get_rc_clockskew(context); 1972280297Sjkim if ((rc = krb5_timeofday(context, &now))) 1973280297Sjkim return SSL_R_KRB5_S_BAD_TICKET; 1974280297Sjkim krb5_free_context(context); 1975109998Smarkm 1976280297Sjkim if (atime && labs(atime - now) >= skew) 1977280297Sjkim return SSL_R_KRB5_S_TKT_SKEW; 1978109998Smarkm 1979280297Sjkim if (!ttimes) 1980280297Sjkim return 0; 1981109998Smarkm 1982280297Sjkim start = (ttimes->starttime != 0) ? ttimes->starttime : ttimes->authtime; 1983280297Sjkim if (start - now > skew) 1984280297Sjkim return SSL_R_KRB5_S_TKT_NYV; 1985280297Sjkim if ((now - ttimes->endtime) > skew) 1986280297Sjkim return SSL_R_KRB5_S_TKT_EXPIRED; 1987109998Smarkm 1988280297Sjkim# ifdef KSSL_DEBUG 1989280297Sjkim fprintf(stderr, "kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", 1990280297Sjkim start, atime, now, skew, ttimes->endtime); 1991280297Sjkim# endif /* KSSL_DEBUG */ 1992109998Smarkm 1993280297Sjkim return 0; 1994280297Sjkim} 1995109998Smarkm 1996280297Sjkim/* 1997280297Sjkim * Decode and decrypt given DER-encoded authenticator, then pass 1998280297Sjkim * authenticator ctime back in *atimep (or 0 if time unavailable). Returns 1999280297Sjkim * krb5_error_code and kssl_err on error. A NULL authenticator 2000280297Sjkim * (authentp->length == 0) is not considered an error. Note that 2001280297Sjkim * kssl_check_authent() makes use of the KRB5 session key; you must call 2002280297Sjkim * kssl_sget_tkt() to get the key before calling this routine. 2003280297Sjkim */ 2004280297Sjkimkrb5_error_code kssl_check_authent( 2005280297Sjkim /* 2006280297Sjkim * IN 2007280297Sjkim */ KSSL_CTX *kssl_ctx, 2008280297Sjkim /* 2009280297Sjkim * IN 2010280297Sjkim */ krb5_data *authentp, 2011280297Sjkim /* 2012280297Sjkim * OUT 2013280297Sjkim */ krb5_timestamp *atimep, 2014280297Sjkim /* 2015280297Sjkim * OUT 2016280297Sjkim */ KSSL_ERR *kssl_err) 2017280297Sjkim{ 2018280297Sjkim krb5_error_code krb5rc = 0; 2019280297Sjkim KRB5_ENCDATA *dec_authent = NULL; 2020280297Sjkim KRB5_AUTHENTBODY *auth = NULL; 2021280297Sjkim krb5_enctype enctype; 2022280297Sjkim EVP_CIPHER_CTX ciph_ctx; 2023280297Sjkim const EVP_CIPHER *enc = NULL; 2024280297Sjkim unsigned char iv[EVP_MAX_IV_LENGTH]; 2025280297Sjkim const unsigned char *p; 2026280297Sjkim unsigned char *unenc_authent; 2027280297Sjkim int outl, unencbufsize; 2028280297Sjkim struct tm tm_time, *tm_l, *tm_g; 2029280297Sjkim time_t now, tl, tg, tr, tz_offset; 2030331638Sjkim struct tm gmt_result = {0}; 2031331638Sjkim struct tm lt_result = {0}; 2032109998Smarkm 2033280297Sjkim EVP_CIPHER_CTX_init(&ciph_ctx); 2034280297Sjkim *atimep = 0; 2035280297Sjkim kssl_err_set(kssl_err, 0, ""); 2036109998Smarkm 2037280297Sjkim# ifndef KRB5CHECKAUTH 2038280297Sjkim authentp = NULL; 2039280297Sjkim# else 2040280297Sjkim# if KRB5CHECKAUTH == 0 2041280297Sjkim authentp = NULL; 2042280297Sjkim# endif 2043280297Sjkim# endif /* KRB5CHECKAUTH */ 2044109998Smarkm 2045280297Sjkim if (authentp == NULL || authentp->length == 0) 2046280297Sjkim return 0; 2047109998Smarkm 2048280297Sjkim# ifdef KSSL_DEBUG 2049280297Sjkim { 2050109998Smarkm unsigned int ui; 2051280297Sjkim fprintf(stderr, "kssl_check_authent: authenticator[%d]:\n", 2052280297Sjkim authentp->length); 2053280297Sjkim p = authentp->data; 2054280297Sjkim for (ui = 0; ui < authentp->length; ui++) 2055280297Sjkim fprintf(stderr, "%02x ", p[ui]); 2056280297Sjkim fprintf(stderr, "\n"); 2057280297Sjkim } 2058280297Sjkim# endif /* KSSL_DEBUG */ 2059109998Smarkm 2060280297Sjkim unencbufsize = 2 * authentp->length; 2061280297Sjkim if ((unenc_authent = calloc(1, unencbufsize)) == NULL) { 2062280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2063280297Sjkim "Unable to allocate authenticator buffer.\n"); 2064280297Sjkim krb5rc = KRB5KRB_ERR_GENERIC; 2065280297Sjkim goto err; 2066280297Sjkim } 2067109998Smarkm 2068280297Sjkim p = (unsigned char *)authentp->data; 2069280297Sjkim if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p, 2070280297Sjkim (long)authentp->length)) == NULL) { 2071280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2072280297Sjkim "Error decoding authenticator.\n"); 2073280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2074280297Sjkim goto err; 2075280297Sjkim } 2076109998Smarkm 2077280297Sjkim enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */ 2078280297Sjkim# if !defined(KRB5_MIT_OLD11) 2079280297Sjkim switch (enctype) { 2080280297Sjkim case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ 2081280297Sjkim case ENCTYPE_DES3_CBC_SHA: 2082280297Sjkim case ENCTYPE_DES3_CBC_RAW: 2083280297Sjkim krb5rc = 0; /* Skip, can't handle derived keys */ 2084280297Sjkim goto err; 2085280297Sjkim } 2086280297Sjkim# endif 2087280297Sjkim enc = kssl_map_enc(enctype); 2088331638Sjkim memset(iv, 0, sizeof(iv)); /* per RFC 1510 */ 2089109998Smarkm 2090280297Sjkim if (enc == NULL) { 2091280297Sjkim /* 2092280297Sjkim * Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1. This 2093280297Sjkim * enctype indicates the authenticator was encrypted using key-usage 2094280297Sjkim * derived keys which openssl cannot decrypt. 2095280297Sjkim */ 2096280297Sjkim goto err; 2097280297Sjkim } 2098109998Smarkm 2099280297Sjkim if (!EVP_CipherInit(&ciph_ctx, enc, kssl_ctx->key, iv, 0)) { 2100280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2101280297Sjkim "EVP_CipherInit error decrypting authenticator.\n"); 2102280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2103280297Sjkim goto err; 2104280297Sjkim } 2105280297Sjkim outl = dec_authent->cipher->length; 2106280297Sjkim if (!EVP_Cipher 2107280297Sjkim (&ciph_ctx, unenc_authent, dec_authent->cipher->data, outl)) { 2108280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2109280297Sjkim "EVP_Cipher error decrypting authenticator.\n"); 2110280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2111280297Sjkim goto err; 2112280297Sjkim } 2113280297Sjkim EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2114109998Smarkm 2115280297Sjkim# ifdef KSSL_DEBUG 2116280297Sjkim { 2117280297Sjkim int padl; 2118280297Sjkim fprintf(stderr, "kssl_check_authent: decrypted authenticator[%d] =\n", 2119280297Sjkim outl); 2120280297Sjkim for (padl = 0; padl < outl; padl++) 2121280297Sjkim fprintf(stderr, "%02x ", unenc_authent[padl]); 2122280297Sjkim fprintf(stderr, "\n"); 2123280297Sjkim } 2124280297Sjkim# endif /* KSSL_DEBUG */ 2125109998Smarkm 2126280297Sjkim if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) { 2127280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2128280297Sjkim "confounded by authenticator.\n"); 2129280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2130280297Sjkim goto err; 2131280297Sjkim } 2132280297Sjkim outl -= p - unenc_authent; 2133109998Smarkm 2134280297Sjkim if ((auth = (KRB5_AUTHENTBODY *)d2i_KRB5_AUTHENT(NULL, &p, 2135280297Sjkim (long)outl)) == NULL) { 2136280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2137280297Sjkim "Error decoding authenticator body.\n"); 2138280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2139280297Sjkim goto err; 2140280297Sjkim } 2141109998Smarkm 2142280297Sjkim memset(&tm_time, 0, sizeof(struct tm)); 2143280297Sjkim if (k_gmtime(auth->ctime, &tm_time) && 2144280297Sjkim ((tr = mktime(&tm_time)) != (time_t)(-1))) { 2145280297Sjkim now = time(&now); 2146331638Sjkim tm_g = OPENSSL_gmtime(&now, &gmt_result); 2147331638Sjkim 2148331638Sjkim# if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && \ 2149331638Sjkim !defined(OPENSSL_SYS_OS2) && !defined(OPENSSL_SYS_SUNOS) && \ 2150331638Sjkim (!defined(OPENSSL_SYS_VMS) || defined(localtime_r)) 2151331638Sjkim tm_l = localtime_r(&now, <_result); 2152331638Sjkim# else 2153280297Sjkim tm_l = localtime(&now); 2154331638Sjkim# endif 2155331638Sjkim 2156280297Sjkim tl = mktime(tm_l); 2157280297Sjkim tg = mktime(tm_g); 2158280297Sjkim tz_offset = tg - tl; 2159109998Smarkm 2160280297Sjkim *atimep = (krb5_timestamp)(tr - tz_offset); 2161280297Sjkim } 2162280297Sjkim# ifdef KSSL_DEBUG 2163280297Sjkim fprintf(stderr, "kssl_check_authent: returns %d for client time ", 2164280297Sjkim *atimep); 2165280297Sjkim if (auth && auth->ctime && auth->ctime->length && auth->ctime->data) 2166280297Sjkim fprintf(stderr, "%.*s\n", auth->ctime->length, auth->ctime->data); 2167280297Sjkim else 2168280297Sjkim fprintf(stderr, "NULL\n"); 2169280297Sjkim# endif /* KSSL_DEBUG */ 2170109998Smarkm 2171109998Smarkm err: 2172280297Sjkim if (auth) 2173280297Sjkim KRB5_AUTHENT_free((KRB5_AUTHENT *) auth); 2174280297Sjkim if (dec_authent) 2175280297Sjkim KRB5_ENCDATA_free(dec_authent); 2176280297Sjkim if (unenc_authent) 2177280297Sjkim free(unenc_authent); 2178280297Sjkim EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2179280297Sjkim return krb5rc; 2180280297Sjkim} 2181109998Smarkm 2182280297Sjkim/* 2183280297Sjkim * Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host), 2184280297Sjkim * because I don't know how to stub varargs. Returns krb5_error_code == 2185280297Sjkim * ENOMEM on alloc error, otherwise passes back newly constructed principal, 2186280297Sjkim * which should be freed by caller. 2187280297Sjkim */ 2188280297Sjkimkrb5_error_code kssl_build_principal_2( 2189280297Sjkim /* 2190280297Sjkim * UPDATE 2191280297Sjkim */ krb5_context context, 2192280297Sjkim /* 2193280297Sjkim * OUT 2194280297Sjkim */ krb5_principal *princ, 2195280297Sjkim /* 2196280297Sjkim * IN 2197280297Sjkim */ int rlen, const char *realm, 2198280297Sjkim /* 2199280297Sjkim * IN 2200280297Sjkim */ int slen, const char *svc, 2201280297Sjkim /* 2202280297Sjkim * IN 2203280297Sjkim */ int hlen, const char *host) 2204280297Sjkim{ 2205280297Sjkim krb5_data *p_data = NULL; 2206280297Sjkim krb5_principal new_p = NULL; 2207280297Sjkim char *new_r = NULL; 2208109998Smarkm 2209280297Sjkim if ((p_data = (krb5_data *)calloc(2, sizeof(krb5_data))) == NULL || 2210280297Sjkim (new_p = (krb5_principal)calloc(1, sizeof(krb5_principal_data))) 2211280297Sjkim == NULL) 2212280297Sjkim goto err; 2213280297Sjkim new_p->length = 2; 2214280297Sjkim new_p->data = p_data; 2215109998Smarkm 2216280297Sjkim if ((new_r = calloc(1, rlen + 1)) == NULL) 2217280297Sjkim goto err; 2218280297Sjkim memcpy(new_r, realm, rlen); 2219280297Sjkim krb5_princ_set_realm_length(context, new_p, rlen); 2220280297Sjkim krb5_princ_set_realm_data(context, new_p, new_r); 2221109998Smarkm 2222280297Sjkim if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) 2223280297Sjkim goto err; 2224280297Sjkim memcpy(new_p->data[0].data, svc, slen); 2225280297Sjkim new_p->data[0].length = slen; 2226109998Smarkm 2227280297Sjkim if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) 2228280297Sjkim goto err; 2229280297Sjkim memcpy(new_p->data[1].data, host, hlen); 2230280297Sjkim new_p->data[1].length = hlen; 2231109998Smarkm 2232280297Sjkim krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN; 2233280297Sjkim *princ = new_p; 2234280297Sjkim return 0; 2235109998Smarkm 2236109998Smarkm err: 2237280297Sjkim if (new_p && new_p[0].data) 2238280297Sjkim free(new_p[0].data); 2239280297Sjkim if (new_p && new_p[1].data) 2240280297Sjkim free(new_p[1].data); 2241280297Sjkim if (new_p) 2242280297Sjkim free(new_p); 2243280297Sjkim if (new_r) 2244280297Sjkim free(new_r); 2245280297Sjkim return ENOMEM; 2246280297Sjkim} 2247109998Smarkm 2248238405Sjkimvoid SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx) 2249280297Sjkim{ 2250280297Sjkim s->kssl_ctx = kctx; 2251280297Sjkim} 2252109998Smarkm 2253280297SjkimKSSL_CTX *SSL_get0_kssl_ctx(SSL *s) 2254280297Sjkim{ 2255280297Sjkim return s->kssl_ctx; 2256280297Sjkim} 2257238405Sjkim 2258238405Sjkimchar *kssl_ctx_get0_client_princ(KSSL_CTX *kctx) 2259280297Sjkim{ 2260280297Sjkim if (kctx) 2261280297Sjkim return kctx->client_princ; 2262280297Sjkim return NULL; 2263280297Sjkim} 2264238405Sjkim 2265280297Sjkim#else /* !OPENSSL_NO_KRB5 */ 2266109998Smarkm 2267280297Sjkim# if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS) 2268280297Sjkimstatic void *dummy = &dummy; 2269280297Sjkim# endif 2270109998Smarkm 2271280297Sjkim#endif /* !OPENSSL_NO_KRB5 */ 2272