kssl.c revision 295009
1295009Sjkim/* ssl/kssl.c */ 2280297Sjkim/* 3280297Sjkim * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 4280297Sjkim * 2000. 5109998Smarkm */ 6109998Smarkm/* ==================================================================== 7109998Smarkm * Copyright (c) 2000 The OpenSSL Project. All rights reserved. 8109998Smarkm * 9109998Smarkm * Redistribution and use in source and binary forms, with or without 10109998Smarkm * modification, are permitted provided that the following conditions 11109998Smarkm * are met: 12109998Smarkm * 13109998Smarkm * 1. Redistributions of source code must retain the above copyright 14280297Sjkim * notice, this list of conditions and the following disclaimer. 15109998Smarkm * 16109998Smarkm * 2. Redistributions in binary form must reproduce the above copyright 17109998Smarkm * notice, this list of conditions and the following disclaimer in 18109998Smarkm * the documentation and/or other materials provided with the 19109998Smarkm * distribution. 20109998Smarkm * 21109998Smarkm * 3. All advertising materials mentioning features or use of this 22109998Smarkm * software must display the following acknowledgment: 23109998Smarkm * "This product includes software developed by the OpenSSL Project 24109998Smarkm * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25109998Smarkm * 26109998Smarkm * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27109998Smarkm * endorse or promote products derived from this software without 28109998Smarkm * prior written permission. For written permission, please contact 29109998Smarkm * licensing@OpenSSL.org. 30109998Smarkm * 31109998Smarkm * 5. Products derived from this software may not be called "OpenSSL" 32109998Smarkm * nor may "OpenSSL" appear in their names without prior written 33109998Smarkm * permission of the OpenSSL Project. 34109998Smarkm * 35109998Smarkm * 6. Redistributions of any form whatsoever must retain the following 36109998Smarkm * acknowledgment: 37109998Smarkm * "This product includes software developed by the OpenSSL Project 38109998Smarkm * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39109998Smarkm * 40109998Smarkm * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41109998Smarkm * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42109998Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43109998Smarkm * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44109998Smarkm * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45109998Smarkm * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46109998Smarkm * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47109998Smarkm * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48109998Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49109998Smarkm * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50109998Smarkm * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51109998Smarkm * OF THE POSSIBILITY OF SUCH DAMAGE. 52109998Smarkm * ==================================================================== 53109998Smarkm * 54109998Smarkm * This product includes cryptographic software written by Eric Young 55109998Smarkm * (eay@cryptsoft.com). This product includes software written by Tim 56109998Smarkm * Hudson (tjh@cryptsoft.com). 57109998Smarkm * 58109998Smarkm */ 59109998Smarkm 60280297Sjkim/*- 61280297Sjkim * ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl 62280297Sjkim * 63280297Sjkim * 19990701 VRS Started. 64280297Sjkim * 200011?? Jeffrey Altman, Richard Levitte 65280297Sjkim * Generalized for Heimdal, Newer MIT, & Win32. 66280297Sjkim * Integrated into main OpenSSL 0.9.7 snapshots. 67280297Sjkim * 20010413 Simon Wilkinson, VRS 68280297Sjkim * Real RFC2712 KerberosWrapper replaces AP_REQ. 69280297Sjkim */ 70109998Smarkm 71109998Smarkm#include <openssl/opensslconf.h> 72109998Smarkm 73109998Smarkm#include <string.h> 74109998Smarkm 75280297Sjkim#define KRB5_PRIVATE 1 76160814Ssimon 77109998Smarkm#include <openssl/ssl.h> 78109998Smarkm#include <openssl/evp.h> 79109998Smarkm#include <openssl/objects.h> 80109998Smarkm#include <openssl/krb5_asn.h> 81238405Sjkim#include "kssl_lcl.h" 82109998Smarkm 83109998Smarkm#ifndef OPENSSL_NO_KRB5 84109998Smarkm 85280297Sjkim# ifndef ENOMEM 86280297Sjkim# define ENOMEM KRB5KRB_ERR_GENERIC 87280297Sjkim# endif 88160814Ssimon 89280297Sjkim/* 90109998Smarkm * When OpenSSL is built on Windows, we do not want to require that 91109998Smarkm * the Kerberos DLLs be available in order for the OpenSSL DLLs to 92109998Smarkm * work. Therefore, all Kerberos routines are loaded at run time 93109998Smarkm * and we do not link to a .LIB file. 94109998Smarkm */ 95109998Smarkm 96280297Sjkim# if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) 97280297Sjkim/* 98109998Smarkm * The purpose of the following pre-processor statements is to provide 99109998Smarkm * compatibility with different releases of MIT Kerberos for Windows. 100109998Smarkm * All versions up to 1.2 used macros. But macros do not allow for 101109998Smarkm * a binary compatible interface for DLLs. Therefore, all macros are 102109998Smarkm * being replaced by function calls. The following code will allow 103109998Smarkm * an OpenSSL DLL built on Windows to work whether or not the macro 104109998Smarkm * or function form of the routines are utilized. 105109998Smarkm */ 106280297Sjkim# ifdef krb5_cc_get_principal 107280297Sjkim# define NO_DEF_KRB5_CCACHE 108280297Sjkim# undef krb5_cc_get_principal 109280297Sjkim# endif 110280297Sjkim# define krb5_cc_get_principal kssl_krb5_cc_get_principal 111109998Smarkm 112280297Sjkim# define krb5_free_data_contents kssl_krb5_free_data_contents 113280297Sjkim# define krb5_free_context kssl_krb5_free_context 114280297Sjkim# define krb5_auth_con_free kssl_krb5_auth_con_free 115280297Sjkim# define krb5_free_principal kssl_krb5_free_principal 116280297Sjkim# define krb5_mk_req_extended kssl_krb5_mk_req_extended 117280297Sjkim# define krb5_get_credentials kssl_krb5_get_credentials 118280297Sjkim# define krb5_cc_default kssl_krb5_cc_default 119280297Sjkim# define krb5_sname_to_principal kssl_krb5_sname_to_principal 120280297Sjkim# define krb5_init_context kssl_krb5_init_context 121280297Sjkim# define krb5_free_ticket kssl_krb5_free_ticket 122280297Sjkim# define krb5_rd_req kssl_krb5_rd_req 123280297Sjkim# define krb5_kt_default kssl_krb5_kt_default 124280297Sjkim# define krb5_kt_resolve kssl_krb5_kt_resolve 125109998Smarkm/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */ 126280297Sjkim# ifndef krb5_kt_close 127280297Sjkim# define krb5_kt_close kssl_krb5_kt_close 128280297Sjkim# endif /* krb5_kt_close */ 129280297Sjkim# ifndef krb5_kt_get_entry 130280297Sjkim# define krb5_kt_get_entry kssl_krb5_kt_get_entry 131280297Sjkim# endif /* krb5_kt_get_entry */ 132280297Sjkim# define krb5_auth_con_init kssl_krb5_auth_con_init 133109998Smarkm 134280297Sjkim# define krb5_principal_compare kssl_krb5_principal_compare 135280297Sjkim# define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part 136280297Sjkim# define krb5_timeofday kssl_krb5_timeofday 137280297Sjkim# define krb5_rc_default kssl_krb5_rc_default 138109998Smarkm 139280297Sjkim# ifdef krb5_rc_initialize 140280297Sjkim# undef krb5_rc_initialize 141280297Sjkim# endif 142280297Sjkim# define krb5_rc_initialize kssl_krb5_rc_initialize 143109998Smarkm 144280297Sjkim# ifdef krb5_rc_get_lifespan 145280297Sjkim# undef krb5_rc_get_lifespan 146280297Sjkim# endif 147280297Sjkim# define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan 148109998Smarkm 149280297Sjkim# ifdef krb5_rc_destroy 150280297Sjkim# undef krb5_rc_destroy 151280297Sjkim# endif 152280297Sjkim# define krb5_rc_destroy kssl_krb5_rc_destroy 153109998Smarkm 154280297Sjkim# define valid_cksumtype kssl_valid_cksumtype 155280297Sjkim# define krb5_checksum_size kssl_krb5_checksum_size 156280297Sjkim# define krb5_kt_free_entry kssl_krb5_kt_free_entry 157280297Sjkim# define krb5_auth_con_setrcache kssl_krb5_auth_con_setrcache 158280297Sjkim# define krb5_auth_con_getrcache kssl_krb5_auth_con_getrcache 159280297Sjkim# define krb5_get_server_rcache kssl_krb5_get_server_rcache 160109998Smarkm 161109998Smarkm/* Prototypes for built in stubs */ 162109998Smarkmvoid kssl_krb5_free_data_contents(krb5_context, krb5_data *); 163280297Sjkimvoid kssl_krb5_free_principal(krb5_context, krb5_principal); 164109998Smarkmkrb5_error_code kssl_krb5_kt_resolve(krb5_context, 165280297Sjkim krb5_const char *, krb5_keytab *); 166280297Sjkimkrb5_error_code kssl_krb5_kt_default(krb5_context, krb5_keytab *); 167109998Smarkmkrb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *); 168280297Sjkimkrb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, 169109998Smarkm krb5_const krb5_data *, 170280297Sjkim krb5_const_principal, krb5_keytab, 171280297Sjkim krb5_flags *, krb5_ticket **); 172109998Smarkm 173109998Smarkmkrb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal, 174109998Smarkm krb5_const_principal); 175109998Smarkmkrb5_error_code kssl_krb5_mk_req_extended(krb5_context, 176280297Sjkim krb5_auth_context *, 177109998Smarkm krb5_const krb5_flags, 178280297Sjkim krb5_data *, 179280297Sjkim krb5_creds *, krb5_data *); 180109998Smarkmkrb5_error_code kssl_krb5_init_context(krb5_context *); 181109998Smarkmvoid kssl_krb5_free_context(krb5_context); 182280297Sjkimkrb5_error_code kssl_krb5_cc_default(krb5_context, krb5_ccache *); 183109998Smarkmkrb5_error_code kssl_krb5_sname_to_principal(krb5_context, 184280297Sjkim krb5_const char *, 185280297Sjkim krb5_const char *, 186280297Sjkim krb5_int32, krb5_principal *); 187109998Smarkmkrb5_error_code kssl_krb5_get_credentials(krb5_context, 188109998Smarkm krb5_const krb5_flags, 189109998Smarkm krb5_ccache, 190280297Sjkim krb5_creds *, krb5_creds * *); 191280297Sjkimkrb5_error_code kssl_krb5_auth_con_init(krb5_context, krb5_auth_context *); 192280297Sjkimkrb5_error_code kssl_krb5_cc_get_principal(krb5_context context, 193109998Smarkm krb5_ccache cache, 194109998Smarkm krb5_principal *principal); 195280297Sjkimkrb5_error_code kssl_krb5_auth_con_free(krb5_context, krb5_auth_context); 196280297Sjkimsize_t kssl_krb5_checksum_size(krb5_context context, krb5_cksumtype ctype); 197109998Smarkmkrb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype); 198280297Sjkimkrb5_error_code krb5_kt_free_entry(krb5_context, krb5_keytab_entry FAR *); 199280297Sjkimkrb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, 200280297Sjkim krb5_auth_context, krb5_rcache); 201280297Sjkimkrb5_error_code kssl_krb5_get_server_rcache(krb5_context, 202109998Smarkm krb5_const krb5_data *, 203109998Smarkm krb5_rcache *); 204280297Sjkimkrb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, 205109998Smarkm krb5_auth_context, 206109998Smarkm krb5_rcache *); 207109998Smarkm 208109998Smarkm/* Function pointers (almost all Kerberos functions are _stdcall) */ 209280297Sjkimstatic void (_stdcall *p_krb5_free_data_contents) (krb5_context, krb5_data *) 210280297Sjkim = NULL; 211280297Sjkimstatic void (_stdcall *p_krb5_free_principal) (krb5_context, krb5_principal) 212280297Sjkim = NULL; 213109998Smarkmstatic krb5_error_code(_stdcall *p_krb5_kt_resolve) 214280297Sjkim (krb5_context, krb5_const char *, krb5_keytab *) = NULL; 215280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_kt_default) (krb5_context, 216280297Sjkim krb5_keytab *) = NULL; 217280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_free_ticket) (krb5_context, 218280297Sjkim krb5_ticket *) = NULL; 219280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rd_req) (krb5_context, 220280297Sjkim krb5_auth_context *, 221109998Smarkm krb5_const krb5_data *, 222280297Sjkim krb5_const_principal, 223109998Smarkm krb5_keytab, krb5_flags *, 224280297Sjkim krb5_ticket **) = NULL; 225280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_mk_req_extended) 226280297Sjkim (krb5_context, krb5_auth_context *, 227280297Sjkim krb5_const krb5_flags, krb5_data *, krb5_creds *, krb5_data *) = NULL; 228280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_init_context) (krb5_context *) = NULL; 229280297Sjkimstatic void (_stdcall *p_krb5_free_context) (krb5_context) = NULL; 230280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_cc_default) (krb5_context, 231280297Sjkim krb5_ccache *) = NULL; 232280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_sname_to_principal) 233280297Sjkim (krb5_context, krb5_const char *, krb5_const char *, 234280297Sjkim krb5_int32, krb5_principal *) = NULL; 235280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_get_credentials) 236280297Sjkim (krb5_context, krb5_const krb5_flags, krb5_ccache, 237280297Sjkim krb5_creds *, krb5_creds **) = NULL; 238280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_auth_con_init) 239280297Sjkim (krb5_context, krb5_auth_context *) = NULL; 240280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_cc_get_principal) 241280297Sjkim (krb5_context context, krb5_ccache cache, krb5_principal *principal) = NULL; 242280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_auth_con_free) 243280297Sjkim (krb5_context, krb5_auth_context) = NULL; 244280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_decrypt_tkt_part) 245280297Sjkim (krb5_context, krb5_const krb5_keyblock *, krb5_ticket *) = NULL; 246280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_timeofday) 247280297Sjkim (krb5_context context, krb5_int32 *timeret) = NULL; 248280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rc_default) 249280297Sjkim (krb5_context context, krb5_rcache *rc) = NULL; 250280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rc_initialize) 251280297Sjkim (krb5_context context, krb5_rcache rc, krb5_deltat lifespan) = NULL; 252280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rc_get_lifespan) 253280297Sjkim (krb5_context context, krb5_rcache rc, krb5_deltat *lifespan) = NULL; 254280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_rc_destroy) 255280297Sjkim (krb5_context context, krb5_rcache rc) = NULL; 256280297Sjkimstatic krb5_boolean(_stdcall *p_krb5_principal_compare) 257280297Sjkim (krb5_context, krb5_const_principal, krb5_const_principal) = NULL; 258280297Sjkimstatic size_t (_stdcall *p_krb5_checksum_size) (krb5_context context, 259280297Sjkim krb5_cksumtype ctype) = NULL; 260280297Sjkimstatic krb5_boolean(_stdcall *p_valid_cksumtype) (krb5_cksumtype ctype) = 261280297Sjkim NULL; 262280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_kt_free_entry) 263280297Sjkim (krb5_context, krb5_keytab_entry *) = NULL; 264280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_auth_con_setrcache) (krb5_context, 265280297Sjkim krb5_auth_context, 266280297Sjkim krb5_rcache) = 267280297Sjkim NULL; 268280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_get_server_rcache) (krb5_context, 269280297Sjkim krb5_const 270280297Sjkim krb5_data *, 271280297Sjkim krb5_rcache *) = 272280297Sjkim NULL; 273280297Sjkimstatic krb5_error_code(*p_krb5_auth_con_getrcache) (krb5_context, 274280297Sjkim krb5_auth_context, 275280297Sjkim krb5_rcache *) = NULL; 276280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_kt_close) (krb5_context context, 277280297Sjkim krb5_keytab keytab) = NULL; 278280297Sjkimstatic krb5_error_code(_stdcall *p_krb5_kt_get_entry) (krb5_context context, 279280297Sjkim krb5_keytab keytab, 280280297Sjkim krb5_const_principal 281280297Sjkim principal, 282280297Sjkim krb5_kvno vno, 283280297Sjkim krb5_enctype enctype, 284280297Sjkim krb5_keytab_entry 285280297Sjkim *entry) = NULL; 286109998Smarkmstatic int krb5_loaded = 0; /* only attempt to initialize func ptrs once */ 287109998Smarkm 288109998Smarkm/* Function to Load the Kerberos 5 DLL and initialize function pointers */ 289280297Sjkimvoid load_krb5_dll(void) 290280297Sjkim{ 291280297Sjkim HANDLE hKRB5_32; 292109998Smarkm 293280297Sjkim krb5_loaded++; 294280297Sjkim hKRB5_32 = LoadLibrary(TEXT("KRB5_32")); 295280297Sjkim if (!hKRB5_32) 296280297Sjkim return; 297109998Smarkm 298280297Sjkim (FARPROC) p_krb5_free_data_contents = 299280297Sjkim GetProcAddress(hKRB5_32, "krb5_free_data_contents"); 300280297Sjkim (FARPROC) p_krb5_free_context = 301280297Sjkim GetProcAddress(hKRB5_32, "krb5_free_context"); 302280297Sjkim (FARPROC) p_krb5_auth_con_free = 303280297Sjkim GetProcAddress(hKRB5_32, "krb5_auth_con_free"); 304280297Sjkim (FARPROC) p_krb5_free_principal = 305280297Sjkim GetProcAddress(hKRB5_32, "krb5_free_principal"); 306280297Sjkim (FARPROC) p_krb5_mk_req_extended = 307280297Sjkim GetProcAddress(hKRB5_32, "krb5_mk_req_extended"); 308280297Sjkim (FARPROC) p_krb5_get_credentials = 309280297Sjkim GetProcAddress(hKRB5_32, "krb5_get_credentials"); 310280297Sjkim (FARPROC) p_krb5_cc_get_principal = 311280297Sjkim GetProcAddress(hKRB5_32, "krb5_cc_get_principal"); 312280297Sjkim (FARPROC) p_krb5_cc_default = GetProcAddress(hKRB5_32, "krb5_cc_default"); 313280297Sjkim (FARPROC) p_krb5_sname_to_principal = 314280297Sjkim GetProcAddress(hKRB5_32, "krb5_sname_to_principal"); 315280297Sjkim (FARPROC) p_krb5_init_context = 316280297Sjkim GetProcAddress(hKRB5_32, "krb5_init_context"); 317280297Sjkim (FARPROC) p_krb5_free_ticket = 318280297Sjkim GetProcAddress(hKRB5_32, "krb5_free_ticket"); 319280297Sjkim (FARPROC) p_krb5_rd_req = GetProcAddress(hKRB5_32, "krb5_rd_req"); 320280297Sjkim (FARPROC) p_krb5_principal_compare = 321280297Sjkim GetProcAddress(hKRB5_32, "krb5_principal_compare"); 322280297Sjkim (FARPROC) p_krb5_decrypt_tkt_part = 323280297Sjkim GetProcAddress(hKRB5_32, "krb5_decrypt_tkt_part"); 324280297Sjkim (FARPROC) p_krb5_timeofday = GetProcAddress(hKRB5_32, "krb5_timeofday"); 325280297Sjkim (FARPROC) p_krb5_rc_default = GetProcAddress(hKRB5_32, "krb5_rc_default"); 326280297Sjkim (FARPROC) p_krb5_rc_initialize = 327280297Sjkim GetProcAddress(hKRB5_32, "krb5_rc_initialize"); 328280297Sjkim (FARPROC) p_krb5_rc_get_lifespan = 329280297Sjkim GetProcAddress(hKRB5_32, "krb5_rc_get_lifespan"); 330280297Sjkim (FARPROC) p_krb5_rc_destroy = GetProcAddress(hKRB5_32, "krb5_rc_destroy"); 331280297Sjkim (FARPROC) p_krb5_kt_default = GetProcAddress(hKRB5_32, "krb5_kt_default"); 332280297Sjkim (FARPROC) p_krb5_kt_resolve = GetProcAddress(hKRB5_32, "krb5_kt_resolve"); 333280297Sjkim (FARPROC) p_krb5_auth_con_init = 334280297Sjkim GetProcAddress(hKRB5_32, "krb5_auth_con_init"); 335280297Sjkim (FARPROC) p_valid_cksumtype = GetProcAddress(hKRB5_32, "valid_cksumtype"); 336280297Sjkim (FARPROC) p_krb5_checksum_size = 337280297Sjkim GetProcAddress(hKRB5_32, "krb5_checksum_size"); 338280297Sjkim (FARPROC) p_krb5_kt_free_entry = 339280297Sjkim GetProcAddress(hKRB5_32, "krb5_kt_free_entry"); 340280297Sjkim (FARPROC) p_krb5_auth_con_setrcache = 341280297Sjkim GetProcAddress(hKRB5_32, "krb5_auth_con_setrcache"); 342280297Sjkim (FARPROC) p_krb5_get_server_rcache = 343280297Sjkim GetProcAddress(hKRB5_32, "krb5_get_server_rcache"); 344280297Sjkim (FARPROC) p_krb5_auth_con_getrcache = 345280297Sjkim GetProcAddress(hKRB5_32, "krb5_auth_con_getrcache"); 346280297Sjkim (FARPROC) p_krb5_kt_close = GetProcAddress(hKRB5_32, "krb5_kt_close"); 347280297Sjkim (FARPROC) p_krb5_kt_get_entry = 348280297Sjkim GetProcAddress(hKRB5_32, "krb5_kt_get_entry"); 349280297Sjkim} 350280297Sjkim 351109998Smarkm/* Stubs for each function to be dynamicly loaded */ 352280297Sjkimvoid kssl_krb5_free_data_contents(krb5_context CO, krb5_data *data) 353280297Sjkim{ 354280297Sjkim if (!krb5_loaded) 355280297Sjkim load_krb5_dll(); 356109998Smarkm 357280297Sjkim if (p_krb5_free_data_contents) 358280297Sjkim p_krb5_free_data_contents(CO, data); 359280297Sjkim} 360109998Smarkm 361109998Smarkmkrb5_error_code 362280297Sjkimkssl_krb5_mk_req_extended(krb5_context CO, 363280297Sjkim krb5_auth_context *pACO, 364109998Smarkm krb5_const krb5_flags F, 365280297Sjkim krb5_data *pD1, krb5_creds *pC, krb5_data *pD2) 366280297Sjkim{ 367280297Sjkim if (!krb5_loaded) 368280297Sjkim load_krb5_dll(); 369109998Smarkm 370280297Sjkim if (p_krb5_mk_req_extended) 371280297Sjkim return (p_krb5_mk_req_extended(CO, pACO, F, pD1, pC, pD2)); 372280297Sjkim else 373280297Sjkim return KRB5KRB_ERR_GENERIC; 374280297Sjkim} 375280297Sjkim 376109998Smarkmkrb5_error_code 377280297Sjkimkssl_krb5_auth_con_init(krb5_context CO, krb5_auth_context *pACO) 378280297Sjkim{ 379280297Sjkim if (!krb5_loaded) 380280297Sjkim load_krb5_dll(); 381109998Smarkm 382280297Sjkim if (p_krb5_auth_con_init) 383280297Sjkim return (p_krb5_auth_con_init(CO, pACO)); 384280297Sjkim else 385280297Sjkim return KRB5KRB_ERR_GENERIC; 386280297Sjkim} 387280297Sjkim 388109998Smarkmkrb5_error_code 389280297Sjkimkssl_krb5_auth_con_free(krb5_context CO, krb5_auth_context ACO) 390280297Sjkim{ 391280297Sjkim if (!krb5_loaded) 392280297Sjkim load_krb5_dll(); 393109998Smarkm 394280297Sjkim if (p_krb5_auth_con_free) 395280297Sjkim return (p_krb5_auth_con_free(CO, ACO)); 396280297Sjkim else 397280297Sjkim return KRB5KRB_ERR_GENERIC; 398280297Sjkim} 399280297Sjkim 400109998Smarkmkrb5_error_code 401109998Smarkmkssl_krb5_get_credentials(krb5_context CO, 402280297Sjkim krb5_const krb5_flags F, 403280297Sjkim krb5_ccache CC, krb5_creds *pCR, krb5_creds **ppCR) 404280297Sjkim{ 405280297Sjkim if (!krb5_loaded) 406280297Sjkim load_krb5_dll(); 407109998Smarkm 408280297Sjkim if (p_krb5_get_credentials) 409280297Sjkim return (p_krb5_get_credentials(CO, F, CC, pCR, ppCR)); 410280297Sjkim else 411280297Sjkim return KRB5KRB_ERR_GENERIC; 412280297Sjkim} 413280297Sjkim 414109998Smarkmkrb5_error_code 415109998Smarkmkssl_krb5_sname_to_principal(krb5_context CO, 416280297Sjkim krb5_const char *pC1, 417280297Sjkim krb5_const char *pC2, 418280297Sjkim krb5_int32 I, krb5_principal *pPR) 419280297Sjkim{ 420280297Sjkim if (!krb5_loaded) 421280297Sjkim load_krb5_dll(); 422109998Smarkm 423280297Sjkim if (p_krb5_sname_to_principal) 424280297Sjkim return (p_krb5_sname_to_principal(CO, pC1, pC2, I, pPR)); 425280297Sjkim else 426280297Sjkim return KRB5KRB_ERR_GENERIC; 427280297Sjkim} 428109998Smarkm 429280297Sjkimkrb5_error_code kssl_krb5_cc_default(krb5_context CO, krb5_ccache *pCC) 430280297Sjkim{ 431280297Sjkim if (!krb5_loaded) 432280297Sjkim load_krb5_dll(); 433109998Smarkm 434280297Sjkim if (p_krb5_cc_default) 435280297Sjkim return (p_krb5_cc_default(CO, pCC)); 436280297Sjkim else 437280297Sjkim return KRB5KRB_ERR_GENERIC; 438280297Sjkim} 439109998Smarkm 440280297Sjkimkrb5_error_code kssl_krb5_init_context(krb5_context *pCO) 441280297Sjkim{ 442280297Sjkim if (!krb5_loaded) 443280297Sjkim load_krb5_dll(); 444109998Smarkm 445280297Sjkim if (p_krb5_init_context) 446280297Sjkim return (p_krb5_init_context(pCO)); 447280297Sjkim else 448280297Sjkim return KRB5KRB_ERR_GENERIC; 449280297Sjkim} 450109998Smarkm 451280297Sjkimvoid kssl_krb5_free_context(krb5_context CO) 452280297Sjkim{ 453280297Sjkim if (!krb5_loaded) 454280297Sjkim load_krb5_dll(); 455109998Smarkm 456280297Sjkim if (p_krb5_free_context) 457280297Sjkim p_krb5_free_context(CO); 458280297Sjkim} 459109998Smarkm 460280297Sjkimvoid kssl_krb5_free_principal(krb5_context c, krb5_principal p) 461280297Sjkim{ 462280297Sjkim if (!krb5_loaded) 463280297Sjkim load_krb5_dll(); 464109998Smarkm 465280297Sjkim if (p_krb5_free_principal) 466280297Sjkim p_krb5_free_principal(c, p); 467280297Sjkim} 468109998Smarkm 469109998Smarkmkrb5_error_code 470280297Sjkimkssl_krb5_kt_resolve(krb5_context con, krb5_const char *sz, krb5_keytab *kt) 471280297Sjkim{ 472280297Sjkim if (!krb5_loaded) 473280297Sjkim load_krb5_dll(); 474109998Smarkm 475280297Sjkim if (p_krb5_kt_resolve) 476280297Sjkim return (p_krb5_kt_resolve(con, sz, kt)); 477280297Sjkim else 478280297Sjkim return KRB5KRB_ERR_GENERIC; 479280297Sjkim} 480109998Smarkm 481280297Sjkimkrb5_error_code kssl_krb5_kt_default(krb5_context con, krb5_keytab *kt) 482280297Sjkim{ 483280297Sjkim if (!krb5_loaded) 484280297Sjkim load_krb5_dll(); 485109998Smarkm 486280297Sjkim if (p_krb5_kt_default) 487280297Sjkim return (p_krb5_kt_default(con, kt)); 488280297Sjkim else 489280297Sjkim return KRB5KRB_ERR_GENERIC; 490280297Sjkim} 491109998Smarkm 492280297Sjkimkrb5_error_code kssl_krb5_free_ticket(krb5_context con, krb5_ticket *kt) 493280297Sjkim{ 494280297Sjkim if (!krb5_loaded) 495280297Sjkim load_krb5_dll(); 496109998Smarkm 497280297Sjkim if (p_krb5_free_ticket) 498280297Sjkim return (p_krb5_free_ticket(con, kt)); 499280297Sjkim else 500280297Sjkim return KRB5KRB_ERR_GENERIC; 501280297Sjkim} 502109998Smarkm 503109998Smarkmkrb5_error_code 504280297Sjkimkssl_krb5_rd_req(krb5_context con, krb5_auth_context *pacon, 505280297Sjkim krb5_const krb5_data *data, 506280297Sjkim krb5_const_principal princ, krb5_keytab keytab, 507280297Sjkim krb5_flags *flags, krb5_ticket **pptkt) 508280297Sjkim{ 509280297Sjkim if (!krb5_loaded) 510280297Sjkim load_krb5_dll(); 511109998Smarkm 512280297Sjkim if (p_krb5_rd_req) 513280297Sjkim return (p_krb5_rd_req(con, pacon, data, princ, keytab, flags, pptkt)); 514280297Sjkim else 515280297Sjkim return KRB5KRB_ERR_GENERIC; 516280297Sjkim} 517109998Smarkm 518109998Smarkmkrb5_boolean 519109998Smarkmkrb5_principal_compare(krb5_context con, krb5_const_principal princ1, 520280297Sjkim krb5_const_principal princ2) 521280297Sjkim{ 522280297Sjkim if (!krb5_loaded) 523280297Sjkim load_krb5_dll(); 524109998Smarkm 525280297Sjkim if (p_krb5_principal_compare) 526280297Sjkim return (p_krb5_principal_compare(con, princ1, princ2)); 527280297Sjkim else 528280297Sjkim return KRB5KRB_ERR_GENERIC; 529280297Sjkim} 530109998Smarkm 531109998Smarkmkrb5_error_code 532109998Smarkmkrb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys, 533280297Sjkim krb5_ticket *ticket) 534280297Sjkim{ 535280297Sjkim if (!krb5_loaded) 536280297Sjkim load_krb5_dll(); 537109998Smarkm 538280297Sjkim if (p_krb5_decrypt_tkt_part) 539280297Sjkim return (p_krb5_decrypt_tkt_part(con, keys, ticket)); 540280297Sjkim else 541280297Sjkim return KRB5KRB_ERR_GENERIC; 542280297Sjkim} 543109998Smarkm 544280297Sjkimkrb5_error_code krb5_timeofday(krb5_context con, krb5_int32 *timeret) 545280297Sjkim{ 546280297Sjkim if (!krb5_loaded) 547280297Sjkim load_krb5_dll(); 548109998Smarkm 549280297Sjkim if (p_krb5_timeofday) 550280297Sjkim return (p_krb5_timeofday(con, timeret)); 551280297Sjkim else 552280297Sjkim return KRB5KRB_ERR_GENERIC; 553280297Sjkim} 554109998Smarkm 555280297Sjkimkrb5_error_code krb5_rc_default(krb5_context con, krb5_rcache *rc) 556280297Sjkim{ 557280297Sjkim if (!krb5_loaded) 558280297Sjkim load_krb5_dll(); 559109998Smarkm 560280297Sjkim if (p_krb5_rc_default) 561280297Sjkim return (p_krb5_rc_default(con, rc)); 562280297Sjkim else 563280297Sjkim return KRB5KRB_ERR_GENERIC; 564280297Sjkim} 565109998Smarkm 566109998Smarkmkrb5_error_code 567109998Smarkmkrb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan) 568280297Sjkim{ 569280297Sjkim if (!krb5_loaded) 570280297Sjkim load_krb5_dll(); 571109998Smarkm 572280297Sjkim if (p_krb5_rc_initialize) 573280297Sjkim return (p_krb5_rc_initialize(con, rc, lifespan)); 574280297Sjkim else 575280297Sjkim return KRB5KRB_ERR_GENERIC; 576280297Sjkim} 577109998Smarkm 578109998Smarkmkrb5_error_code 579109998Smarkmkrb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp) 580280297Sjkim{ 581280297Sjkim if (!krb5_loaded) 582280297Sjkim load_krb5_dll(); 583109998Smarkm 584280297Sjkim if (p_krb5_rc_get_lifespan) 585280297Sjkim return (p_krb5_rc_get_lifespan(con, rc, lifespanp)); 586280297Sjkim else 587280297Sjkim return KRB5KRB_ERR_GENERIC; 588280297Sjkim} 589109998Smarkm 590280297Sjkimkrb5_error_code krb5_rc_destroy(krb5_context con, krb5_rcache rc) 591280297Sjkim{ 592280297Sjkim if (!krb5_loaded) 593280297Sjkim load_krb5_dll(); 594109998Smarkm 595280297Sjkim if (p_krb5_rc_destroy) 596280297Sjkim return (p_krb5_rc_destroy(con, rc)); 597280297Sjkim else 598280297Sjkim return KRB5KRB_ERR_GENERIC; 599280297Sjkim} 600109998Smarkm 601280297Sjkimsize_t krb5_checksum_size(krb5_context context, krb5_cksumtype ctype) 602280297Sjkim{ 603280297Sjkim if (!krb5_loaded) 604280297Sjkim load_krb5_dll(); 605109998Smarkm 606280297Sjkim if (p_krb5_checksum_size) 607280297Sjkim return (p_krb5_checksum_size(context, ctype)); 608280297Sjkim else 609280297Sjkim return KRB5KRB_ERR_GENERIC; 610280297Sjkim} 611109998Smarkm 612280297Sjkimkrb5_boolean valid_cksumtype(krb5_cksumtype ctype) 613280297Sjkim{ 614280297Sjkim if (!krb5_loaded) 615280297Sjkim load_krb5_dll(); 616109998Smarkm 617280297Sjkim if (p_valid_cksumtype) 618280297Sjkim return (p_valid_cksumtype(ctype)); 619280297Sjkim else 620280297Sjkim return KRB5KRB_ERR_GENERIC; 621280297Sjkim} 622109998Smarkm 623280297Sjkimkrb5_error_code krb5_kt_free_entry(krb5_context con, krb5_keytab_entry *entry) 624280297Sjkim{ 625280297Sjkim if (!krb5_loaded) 626280297Sjkim load_krb5_dll(); 627109998Smarkm 628280297Sjkim if (p_krb5_kt_free_entry) 629280297Sjkim return (p_krb5_kt_free_entry(con, entry)); 630280297Sjkim else 631280297Sjkim return KRB5KRB_ERR_GENERIC; 632280297Sjkim} 633280297Sjkim 634109998Smarkm/* Structure definitions */ 635280297Sjkim# ifndef NO_DEF_KRB5_CCACHE 636280297Sjkim# ifndef krb5_x 637280297Sjkim# define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) 638280297Sjkim# define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) 639280297Sjkim# endif 640109998Smarkm 641280297Sjkimtypedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */ 642109998Smarkm 643280297Sjkimtypedef struct _krb5_ccache { 644280297Sjkim krb5_magic magic; 645280297Sjkim struct _krb5_cc_ops FAR *ops; 646280297Sjkim krb5_pointer data; 647280297Sjkim} *krb5_ccache; 648109998Smarkm 649280297Sjkimtypedef struct _krb5_cc_ops { 650280297Sjkim krb5_magic magic; 651280297Sjkim char *prefix; 652280297Sjkim char *(KRB5_CALLCONV *get_name) 653280297Sjkim (krb5_context, krb5_ccache); 654280297Sjkim krb5_error_code(KRB5_CALLCONV *resolve) 655280297Sjkim (krb5_context, krb5_ccache *, const char *); 656280297Sjkim krb5_error_code(KRB5_CALLCONV *gen_new) 657280297Sjkim (krb5_context, krb5_ccache *); 658280297Sjkim krb5_error_code(KRB5_CALLCONV *init) 659280297Sjkim (krb5_context, krb5_ccache, krb5_principal); 660280297Sjkim krb5_error_code(KRB5_CALLCONV *destroy) 661280297Sjkim (krb5_context, krb5_ccache); 662280297Sjkim krb5_error_code(KRB5_CALLCONV *close) 663280297Sjkim (krb5_context, krb5_ccache); 664280297Sjkim krb5_error_code(KRB5_CALLCONV *store) 665280297Sjkim (krb5_context, krb5_ccache, krb5_creds *); 666280297Sjkim krb5_error_code(KRB5_CALLCONV *retrieve) 667280297Sjkim (krb5_context, krb5_ccache, krb5_flags, krb5_creds *, krb5_creds *); 668280297Sjkim krb5_error_code(KRB5_CALLCONV *get_princ) 669280297Sjkim (krb5_context, krb5_ccache, krb5_principal *); 670280297Sjkim krb5_error_code(KRB5_CALLCONV *get_first) 671280297Sjkim (krb5_context, krb5_ccache, krb5_cc_cursor *); 672280297Sjkim krb5_error_code(KRB5_CALLCONV *get_next) 673280297Sjkim (krb5_context, krb5_ccache, krb5_cc_cursor *, krb5_creds *); 674280297Sjkim krb5_error_code(KRB5_CALLCONV *end_get) 675280297Sjkim (krb5_context, krb5_ccache, krb5_cc_cursor *); 676280297Sjkim krb5_error_code(KRB5_CALLCONV *remove_cred) 677280297Sjkim (krb5_context, krb5_ccache, krb5_flags, krb5_creds *); 678280297Sjkim krb5_error_code(KRB5_CALLCONV *set_flags) 679280297Sjkim (krb5_context, krb5_ccache, krb5_flags); 680280297Sjkim} krb5_cc_ops; 681280297Sjkim# endif /* NO_DEF_KRB5_CCACHE */ 682109998Smarkm 683280297Sjkimkrb5_error_code 684280297Sjkim kssl_krb5_cc_get_principal 685280297Sjkim (krb5_context context, krb5_ccache cache, krb5_principal *principal) { 686280297Sjkim if (p_krb5_cc_get_principal) 687280297Sjkim return (p_krb5_cc_get_principal(context, cache, principal)); 688280297Sjkim else 689280297Sjkim return (krb5_x((cache)->ops->get_princ, (context, cache, principal))); 690280297Sjkim} 691109998Smarkm 692109998Smarkmkrb5_error_code 693109998Smarkmkssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon, 694109998Smarkm krb5_rcache rcache) 695280297Sjkim{ 696280297Sjkim if (p_krb5_auth_con_setrcache) 697280297Sjkim return (p_krb5_auth_con_setrcache(con, acon, rcache)); 698280297Sjkim else 699280297Sjkim return KRB5KRB_ERR_GENERIC; 700280297Sjkim} 701109998Smarkm 702109998Smarkmkrb5_error_code 703280297Sjkimkssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data *data, 704280297Sjkim krb5_rcache *rcache) 705280297Sjkim{ 706280297Sjkim if (p_krb5_get_server_rcache) 707280297Sjkim return (p_krb5_get_server_rcache(con, data, rcache)); 708280297Sjkim else 709280297Sjkim return KRB5KRB_ERR_GENERIC; 710280297Sjkim} 711109998Smarkm 712109998Smarkmkrb5_error_code 713109998Smarkmkssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon, 714280297Sjkim krb5_rcache *prcache) 715280297Sjkim{ 716280297Sjkim if (p_krb5_auth_con_getrcache) 717280297Sjkim return (p_krb5_auth_con_getrcache(con, acon, prcache)); 718280297Sjkim else 719280297Sjkim return KRB5KRB_ERR_GENERIC; 720280297Sjkim} 721109998Smarkm 722280297Sjkimkrb5_error_code kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab) 723280297Sjkim{ 724280297Sjkim if (p_krb5_kt_close) 725280297Sjkim return (p_krb5_kt_close(context, keytab)); 726280297Sjkim else 727280297Sjkim return KRB5KRB_ERR_GENERIC; 728280297Sjkim} 729280297Sjkim 730109998Smarkmkrb5_error_code 731109998Smarkmkssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, 732109998Smarkm krb5_const_principal principal, krb5_kvno vno, 733109998Smarkm krb5_enctype enctype, krb5_keytab_entry *entry) 734280297Sjkim{ 735280297Sjkim if (p_krb5_kt_get_entry) 736280297Sjkim return (p_krb5_kt_get_entry 737280297Sjkim (context, keytab, principal, vno, enctype, entry)); 738280297Sjkim else 739280297Sjkim return KRB5KRB_ERR_GENERIC; 740280297Sjkim} 741280297Sjkim# endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ 742109998Smarkm 743280297Sjkim/* 744280297Sjkim * memory allocation functions for non-temporary storage (e.g. stuff that 745280297Sjkim * gets saved into the kssl context) 746280297Sjkim */ 747280297Sjkimstatic void *kssl_calloc(size_t nmemb, size_t size) 748280297Sjkim{ 749280297Sjkim void *p; 750167612Ssimon 751280297Sjkim p = OPENSSL_malloc(nmemb * size); 752280297Sjkim if (p) { 753280297Sjkim memset(p, 0, nmemb * size); 754280297Sjkim } 755280297Sjkim return p; 756167612Ssimon} 757167612Ssimon 758280297Sjkim# define kssl_malloc(size) OPENSSL_malloc((size)) 759280297Sjkim# define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size) 760280297Sjkim# define kssl_free(ptr) OPENSSL_free((ptr)) 761167612Ssimon 762109998Smarkmchar 763109998Smarkm*kstring(char *string) 764280297Sjkim{ 765280297Sjkim static char *null = "[NULL]"; 766109998Smarkm 767280297Sjkim return ((string == NULL) ? null : string); 768280297Sjkim} 769109998Smarkm 770280297Sjkim/* 771280297Sjkim * Given KRB5 enctype (basically DES or 3DES), return closest match openssl 772280297Sjkim * EVP_ encryption algorithm. Return NULL for unknown or problematic 773280297Sjkim * (krb5_dk_encrypt) enctypes. Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are 774280297Sjkim * OK. 775280297Sjkim */ 776280297Sjkimconst EVP_CIPHER *kssl_map_enc(krb5_enctype enctype) 777280297Sjkim{ 778280297Sjkim switch (enctype) { 779280297Sjkim case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */ 780280297Sjkim case ENCTYPE_DES_CBC_CRC: 781280297Sjkim case ENCTYPE_DES_CBC_MD4: 782280297Sjkim case ENCTYPE_DES_CBC_MD5: 783280297Sjkim case ENCTYPE_DES_CBC_RAW: 784280297Sjkim return EVP_des_cbc(); 785280297Sjkim break; 786280297Sjkim case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ 787280297Sjkim case ENCTYPE_DES3_CBC_SHA: 788280297Sjkim case ENCTYPE_DES3_CBC_RAW: 789280297Sjkim return EVP_des_ede3_cbc(); 790280297Sjkim break; 791280297Sjkim default: 792280297Sjkim return NULL; 793280297Sjkim break; 794280297Sjkim } 795280297Sjkim} 796109998Smarkm 797280297Sjkim/* 798280297Sjkim * Return true:1 if p "looks like" the start of the real authenticator 799280297Sjkim * described in kssl_skip_confound() below. The ASN.1 pattern is "62 xx 30 800280297Sjkim * yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and xx and yy are 801280297Sjkim * possibly multi-byte length fields. 802280297Sjkim */ 803280297Sjkimstatic int kssl_test_confound(unsigned char *p) 804280297Sjkim{ 805280297Sjkim int len = 2; 806280297Sjkim int xx = 0, yy = 0; 807109998Smarkm 808280297Sjkim if (*p++ != 0x62) 809280297Sjkim return 0; 810280297Sjkim if (*p > 0x82) 811280297Sjkim return 0; 812280297Sjkim switch (*p) { 813280297Sjkim case 0x82: 814280297Sjkim p++; 815280297Sjkim xx = (*p++ << 8); 816280297Sjkim xx += *p++; 817280297Sjkim break; 818280297Sjkim case 0x81: 819280297Sjkim p++; 820280297Sjkim xx = *p++; 821280297Sjkim break; 822280297Sjkim case 0x80: 823280297Sjkim return 0; 824280297Sjkim default: 825280297Sjkim xx = *p++; 826280297Sjkim break; 827280297Sjkim } 828280297Sjkim if (*p++ != 0x30) 829280297Sjkim return 0; 830280297Sjkim if (*p > 0x82) 831280297Sjkim return 0; 832280297Sjkim switch (*p) { 833280297Sjkim case 0x82: 834280297Sjkim p++; 835280297Sjkim len += 2; 836280297Sjkim yy = (*p++ << 8); 837280297Sjkim yy += *p++; 838280297Sjkim break; 839280297Sjkim case 0x81: 840280297Sjkim p++; 841280297Sjkim len++; 842280297Sjkim yy = *p++; 843280297Sjkim break; 844280297Sjkim case 0x80: 845280297Sjkim return 0; 846280297Sjkim default: 847280297Sjkim yy = *p++; 848280297Sjkim break; 849280297Sjkim } 850109998Smarkm 851280297Sjkim return (xx - len == yy) ? 1 : 0; 852280297Sjkim} 853109998Smarkm 854280297Sjkim/* 855280297Sjkim * Allocate, fill, and return cksumlens array of checksum lengths. This 856280297Sjkim * array holds just the unique elements from the krb5_cksumarray[]. array[n] 857280297Sjkim * == 0 signals end of data. The krb5_cksumarray[] was an internal variable 858280297Sjkim * that has since been replaced by a more general method for storing the 859280297Sjkim * data. It should not be used. Instead we use real API calls and make a 860280297Sjkim * guess for what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 861280297Sjkim * it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. 862280297Sjkim */ 863280297Sjkimstatic size_t *populate_cksumlens(void) 864280297Sjkim{ 865280297Sjkim int i, j, n; 866280297Sjkim static size_t *cklens = NULL; 867109998Smarkm 868280297Sjkim# ifdef KRB5_MIT_OLD11 869280297Sjkim n = krb5_max_cksum; 870280297Sjkim# else 871280297Sjkim n = 0x0010; 872280297Sjkim# endif /* KRB5_MIT_OLD11 */ 873109998Smarkm 874280297Sjkim# ifdef KRB5CHECKAUTH 875280297Sjkim if (!cklens && !(cklens = (size_t *)calloc(sizeof(int), n + 1))) 876280297Sjkim return NULL; 877109998Smarkm 878280297Sjkim for (i = 0; i < n; i++) { 879280297Sjkim if (!valid_cksumtype(i)) 880280297Sjkim continue; /* array has holes */ 881280297Sjkim for (j = 0; j < n; j++) { 882280297Sjkim if (cklens[j] == 0) { 883280297Sjkim cklens[j] = krb5_checksum_size(NULL, i); 884280297Sjkim break; /* krb5 elem was new: add */ 885280297Sjkim } 886280297Sjkim if (cklens[j] == krb5_checksum_size(NULL, i)) { 887280297Sjkim break; /* ignore duplicate elements */ 888280297Sjkim } 889280297Sjkim } 890280297Sjkim } 891280297Sjkim# endif /* KRB5CHECKAUTH */ 892109998Smarkm 893280297Sjkim return cklens; 894280297Sjkim} 895109998Smarkm 896280297Sjkim/*- 897280297Sjkim * Return pointer to start of real authenticator within authenticator, or 898280297Sjkim * return NULL on error. 899280297Sjkim * Decrypted authenticator looks like this: 900280297Sjkim * [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] 901280297Sjkim * This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the 902280297Sjkim * krb5_auth_con_getcksumtype() function advertised in its krb5.h. 903280297Sjkim */ 904280297Sjkimunsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) 905280297Sjkim{ 906280297Sjkim int i, conlen; 907280297Sjkim size_t cklen; 908280297Sjkim static size_t *cksumlens = NULL; 909280297Sjkim unsigned char *test_auth; 910109998Smarkm 911280297Sjkim conlen = (etype) ? 8 : 0; 912109998Smarkm 913280297Sjkim if (!cksumlens && !(cksumlens = populate_cksumlens())) 914280297Sjkim return NULL; 915280297Sjkim for (i = 0; (cklen = cksumlens[i]) != 0; i++) { 916280297Sjkim test_auth = a + conlen + cklen; 917280297Sjkim if (kssl_test_confound(test_auth)) 918280297Sjkim return test_auth; 919280297Sjkim } 920109998Smarkm 921280297Sjkim return NULL; 922280297Sjkim} 923109998Smarkm 924280297Sjkim/* 925280297Sjkim * Set kssl_err error info when reason text is a simple string kssl_err = 926280297Sjkim * struct { int reason; char text[KSSL_ERR_MAX+1]; } 927280297Sjkim */ 928280297Sjkimvoid kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) 929280297Sjkim{ 930280297Sjkim if (kssl_err == NULL) 931280297Sjkim return; 932109998Smarkm 933280297Sjkim kssl_err->reason = reason; 934280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text); 935280297Sjkim return; 936280297Sjkim} 937109998Smarkm 938280297Sjkim/* 939280297Sjkim * Display contents of krb5_data struct, for debugging 940280297Sjkim */ 941280297Sjkimvoid print_krb5_data(char *label, krb5_data *kdata) 942280297Sjkim{ 943280297Sjkim int i; 944109998Smarkm 945280297Sjkim fprintf(stderr, "%s[%d] ", label, kdata->length); 946280297Sjkim for (i = 0; i < (int)kdata->length; i++) { 947280297Sjkim if (0 && isprint((int)kdata->data[i])) 948280297Sjkim fprintf(stderr, "%c ", kdata->data[i]); 949280297Sjkim else 950280297Sjkim fprintf(stderr, "%02x ", (unsigned char)kdata->data[i]); 951280297Sjkim } 952280297Sjkim fprintf(stderr, "\n"); 953280297Sjkim} 954109998Smarkm 955280297Sjkim/* 956280297Sjkim * Display contents of krb5_authdata struct, for debugging 957280297Sjkim */ 958280297Sjkimvoid print_krb5_authdata(char *label, krb5_authdata **adata) 959280297Sjkim{ 960280297Sjkim if (adata == NULL) { 961280297Sjkim fprintf(stderr, "%s, authdata==0\n", label); 962280297Sjkim return; 963280297Sjkim } 964280297Sjkim fprintf(stderr, "%s [%p]\n", label, (void *)adata); 965280297Sjkim# if 0 966280297Sjkim { 967280297Sjkim int i; 968280297Sjkim fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length); 969280297Sjkim for (i = 0; i < adata->length; i++) { 970280297Sjkim fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x", 971280297Sjkim adata->contents[i]); 972109998Smarkm } 973280297Sjkim fprintf(stderr, "\n"); 974280297Sjkim } 975280297Sjkim# endif 976280297Sjkim} 977109998Smarkm 978280297Sjkim/* 979280297Sjkim * Display contents of krb5_keyblock struct, for debugging 980280297Sjkim */ 981280297Sjkimvoid print_krb5_keyblock(char *label, krb5_keyblock *keyblk) 982280297Sjkim{ 983280297Sjkim int i; 984109998Smarkm 985280297Sjkim if (keyblk == NULL) { 986280297Sjkim fprintf(stderr, "%s, keyblk==0\n", label); 987280297Sjkim return; 988280297Sjkim } 989280297Sjkim# ifdef KRB5_HEIMDAL 990280297Sjkim fprintf(stderr, "%s\n\t[et%d:%d]: ", label, keyblk->keytype, 991280297Sjkim keyblk->keyvalue->length); 992280297Sjkim for (i = 0; i < (int)keyblk->keyvalue->length; i++) { 993280297Sjkim fprintf(stderr, "%02x", 994280297Sjkim (unsigned char *)(keyblk->keyvalue->contents)[i]); 995280297Sjkim } 996280297Sjkim fprintf(stderr, "\n"); 997280297Sjkim# else 998280297Sjkim fprintf(stderr, "%s\n\t[et%d:%d]: ", label, keyblk->enctype, 999280297Sjkim keyblk->length); 1000280297Sjkim for (i = 0; i < (int)keyblk->length; i++) { 1001280297Sjkim fprintf(stderr, "%02x", keyblk->contents[i]); 1002280297Sjkim } 1003280297Sjkim fprintf(stderr, "\n"); 1004280297Sjkim# endif 1005280297Sjkim} 1006109998Smarkm 1007280297Sjkim/* 1008280297Sjkim * Display contents of krb5_principal_data struct, for debugging 1009280297Sjkim * (krb5_principal is typedef'd == krb5_principal_data *) 1010280297Sjkim */ 1011280297Sjkimstatic void print_krb5_princ(char *label, krb5_principal_data *princ) 1012280297Sjkim{ 1013280297Sjkim int i, ui, uj; 1014109998Smarkm 1015280297Sjkim fprintf(stderr, "%s principal Realm: ", label); 1016280297Sjkim if (princ == NULL) 1017280297Sjkim return; 1018280297Sjkim for (ui = 0; ui < (int)princ->realm.length; ui++) 1019280297Sjkim putchar(princ->realm.data[ui]); 1020280297Sjkim fprintf(stderr, " (nametype %d) has %d strings:\n", princ->type, 1021280297Sjkim princ->length); 1022280297Sjkim for (i = 0; i < (int)princ->length; i++) { 1023280297Sjkim fprintf(stderr, "\t%d [%d]: ", i, princ->data[i].length); 1024280297Sjkim for (uj = 0; uj < (int)princ->data[i].length; uj++) { 1025280297Sjkim putchar(princ->data[i].data[uj]); 1026109998Smarkm } 1027280297Sjkim fprintf(stderr, "\n"); 1028280297Sjkim } 1029280297Sjkim return; 1030280297Sjkim} 1031109998Smarkm 1032280297Sjkim/*- Given krb5 service (typically "kssl") and hostname in kssl_ctx, 1033280297Sjkim * Return encrypted Kerberos ticket for service @ hostname. 1034280297Sjkim * If authenp is non-NULL, also return encrypted authenticator, 1035280297Sjkim * whose data should be freed by caller. 1036280297Sjkim * (Originally was: Create Kerberos AP_REQ message for SSL Client.) 1037280297Sjkim * 1038280297Sjkim * 19990628 VRS Started; Returns Kerberos AP_REQ message. 1039280297Sjkim * 20010409 VRS Modified for RFC2712; Returns enc tkt. 1040280297Sjkim * 20010606 VRS May also return optional authenticator. 1041280297Sjkim */ 1042280297Sjkimkrb5_error_code kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, 1043280297Sjkim /* 1044280297Sjkim * OUT 1045280297Sjkim */ krb5_data **enc_ticketp, 1046280297Sjkim /* 1047280297Sjkim * UPDATE 1048280297Sjkim */ krb5_data *authenp, 1049280297Sjkim /* 1050280297Sjkim * OUT 1051280297Sjkim */ KSSL_ERR *kssl_err) 1052280297Sjkim{ 1053280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1054280297Sjkim krb5_context krb5context = NULL; 1055280297Sjkim krb5_auth_context krb5auth_context = NULL; 1056280297Sjkim krb5_ccache krb5ccdef = NULL; 1057280297Sjkim krb5_creds krb5creds, *krb5credsp = NULL; 1058280297Sjkim krb5_data krb5_app_req; 1059109998Smarkm 1060280297Sjkim kssl_err_set(kssl_err, 0, ""); 1061280297Sjkim memset((char *)&krb5creds, 0, sizeof(krb5creds)); 1062109998Smarkm 1063280297Sjkim if (!kssl_ctx) { 1064280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); 1065280297Sjkim goto err; 1066280297Sjkim } else if (!kssl_ctx->service_host) { 1067280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1068280297Sjkim "kssl_ctx service_host undefined.\n"); 1069280297Sjkim goto err; 1070280297Sjkim } 1071109998Smarkm 1072280297Sjkim if ((krb5rc = krb5_init_context(&krb5context)) != 0) { 1073280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1074280297Sjkim "krb5_init_context() fails: %d\n", krb5rc); 1075280297Sjkim kssl_err->reason = SSL_R_KRB5_C_INIT; 1076280297Sjkim goto err; 1077280297Sjkim } 1078109998Smarkm 1079280297Sjkim if ((krb5rc = krb5_sname_to_principal(krb5context, 1080280297Sjkim kssl_ctx->service_host, 1081280297Sjkim (kssl_ctx->service_name) ? 1082280297Sjkim kssl_ctx->service_name : KRB5SVC, 1083280297Sjkim KRB5_NT_SRV_HST, 1084280297Sjkim &krb5creds.server)) != 0) { 1085280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1086280297Sjkim "krb5_sname_to_principal() fails for %s/%s\n", 1087280297Sjkim kssl_ctx->service_host, 1088280297Sjkim (kssl_ctx-> 1089280297Sjkim service_name) ? kssl_ctx->service_name : KRB5SVC); 1090280297Sjkim kssl_err->reason = SSL_R_KRB5_C_INIT; 1091280297Sjkim goto err; 1092280297Sjkim } 1093109998Smarkm 1094280297Sjkim if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) { 1095280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, 1096280297Sjkim "krb5_cc_default fails.\n"); 1097280297Sjkim goto err; 1098280297Sjkim } 1099109998Smarkm 1100280297Sjkim if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, 1101280297Sjkim &krb5creds.client)) != 0) { 1102280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, 1103280297Sjkim "krb5_cc_get_principal() fails.\n"); 1104280297Sjkim goto err; 1105280297Sjkim } 1106109998Smarkm 1107280297Sjkim if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, 1108280297Sjkim &krb5creds, &krb5credsp)) != 0) { 1109280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED, 1110280297Sjkim "krb5_get_credentials() fails.\n"); 1111280297Sjkim goto err; 1112280297Sjkim } 1113109998Smarkm 1114280297Sjkim *enc_ticketp = &krb5credsp->ticket; 1115280297Sjkim# ifdef KRB5_HEIMDAL 1116280297Sjkim kssl_ctx->enctype = krb5credsp->session.keytype; 1117280297Sjkim# else 1118280297Sjkim kssl_ctx->enctype = krb5credsp->keyblock.enctype; 1119280297Sjkim# endif 1120109998Smarkm 1121280297Sjkim krb5rc = KRB5KRB_ERR_GENERIC; 1122280297Sjkim /* caller should free data of krb5_app_req */ 1123280297Sjkim /* 1124280297Sjkim * 20010406 VRS deleted for real KerberosWrapper 20010605 VRS reinstated 1125280297Sjkim * to offer Authenticator to KerberosWrapper 1126280297Sjkim */ 1127280297Sjkim krb5_app_req.length = 0; 1128280297Sjkim if (authenp) { 1129280297Sjkim krb5_data krb5in_data; 1130280297Sjkim const unsigned char *p; 1131280297Sjkim long arlen; 1132280297Sjkim KRB5_APREQBODY *ap_req; 1133109998Smarkm 1134280297Sjkim authenp->length = 0; 1135280297Sjkim krb5in_data.data = NULL; 1136280297Sjkim krb5in_data.length = 0; 1137280297Sjkim if ((krb5rc = krb5_mk_req_extended(krb5context, 1138280297Sjkim &krb5auth_context, 0, &krb5in_data, 1139280297Sjkim krb5credsp, &krb5_app_req)) != 0) { 1140280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ, 1141280297Sjkim "krb5_mk_req_extended() fails.\n"); 1142280297Sjkim goto err; 1143280297Sjkim } 1144109998Smarkm 1145280297Sjkim arlen = krb5_app_req.length; 1146280297Sjkim p = (unsigned char *)krb5_app_req.data; 1147280297Sjkim ap_req = (KRB5_APREQBODY *)d2i_KRB5_APREQ(NULL, &p, arlen); 1148280297Sjkim if (ap_req) { 1149280297Sjkim authenp->length = i2d_KRB5_ENCDATA(ap_req->authenticator, NULL); 1150280297Sjkim if (authenp->length && (authenp->data = malloc(authenp->length))) { 1151280297Sjkim unsigned char *adp = (unsigned char *)authenp->data; 1152280297Sjkim authenp->length = 1153280297Sjkim i2d_KRB5_ENCDATA(ap_req->authenticator, &adp); 1154280297Sjkim } 1155280297Sjkim } 1156109998Smarkm 1157280297Sjkim if (ap_req) 1158280297Sjkim KRB5_APREQ_free((KRB5_APREQ *) ap_req); 1159280297Sjkim if (krb5_app_req.length) 1160280297Sjkim kssl_krb5_free_data_contents(krb5context, &krb5_app_req); 1161280297Sjkim } 1162280297Sjkim# ifdef KRB5_HEIMDAL 1163280297Sjkim if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) { 1164280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, 1165280297Sjkim "kssl_ctx_setkey() fails.\n"); 1166280297Sjkim } 1167280297Sjkim# else 1168280297Sjkim if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) { 1169280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, 1170280297Sjkim "kssl_ctx_setkey() fails.\n"); 1171280297Sjkim } 1172280297Sjkim# endif 1173280297Sjkim else 1174280297Sjkim krb5rc = 0; 1175109998Smarkm 1176280297Sjkim err: 1177280297Sjkim# ifdef KSSL_DEBUG 1178280297Sjkim kssl_ctx_show(kssl_ctx); 1179280297Sjkim# endif /* KSSL_DEBUG */ 1180109998Smarkm 1181280297Sjkim if (krb5creds.client) 1182280297Sjkim krb5_free_principal(krb5context, krb5creds.client); 1183280297Sjkim if (krb5creds.server) 1184280297Sjkim krb5_free_principal(krb5context, krb5creds.server); 1185280297Sjkim if (krb5auth_context) 1186280297Sjkim krb5_auth_con_free(krb5context, krb5auth_context); 1187280297Sjkim if (krb5context) 1188280297Sjkim krb5_free_context(krb5context); 1189280297Sjkim return (krb5rc); 1190280297Sjkim} 1191109998Smarkm 1192280297Sjkim/*- 1193280297Sjkim * Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. 1194280297Sjkim * Return Kerberos error code and kssl_err struct on error. 1195280297Sjkim * Allocates krb5_ticket and krb5_principal; caller should free these. 1196280297Sjkim * 1197280297Sjkim * 20010410 VRS Implemented krb5_decode_ticket() as 1198280297Sjkim * old_krb5_decode_ticket(). Missing from MIT1.0.6. 1199280297Sjkim * 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. 1200280297Sjkim * Re-used some of the old krb5_decode_ticket() 1201280297Sjkim * code here. This tkt should alloc/free just 1202280297Sjkim * like the real thing. 1203280297Sjkim */ 1204280297Sjkimstatic krb5_error_code kssl_TKT2tkt( /* IN */ krb5_context krb5context, 1205280297Sjkim /* 1206280297Sjkim * IN 1207280297Sjkim */ KRB5_TKTBODY *asn1ticket, 1208280297Sjkim /* 1209280297Sjkim * OUT 1210280297Sjkim */ krb5_ticket **krb5ticket, 1211280297Sjkim /* 1212280297Sjkim * OUT 1213280297Sjkim */ KSSL_ERR *kssl_err) 1214280297Sjkim{ 1215280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1216280297Sjkim krb5_ticket *new5ticket = NULL; 1217280297Sjkim ASN1_GENERALSTRING *gstr_svc, *gstr_host; 1218109998Smarkm 1219280297Sjkim *krb5ticket = NULL; 1220109998Smarkm 1221280297Sjkim if (asn1ticket == NULL || asn1ticket->realm == NULL || 1222280297Sjkim asn1ticket->sname == NULL || 1223280297Sjkim sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) { 1224280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1225280297Sjkim "Null field in asn1ticket.\n"); 1226280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1227280297Sjkim return KRB5KRB_ERR_GENERIC; 1228280297Sjkim } 1229109998Smarkm 1230280297Sjkim if ((new5ticket = (krb5_ticket *)calloc(1, sizeof(krb5_ticket))) == NULL) { 1231280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1232280297Sjkim "Unable to allocate new krb5_ticket.\n"); 1233280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1234280297Sjkim return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */ 1235280297Sjkim } 1236109998Smarkm 1237280297Sjkim gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0); 1238280297Sjkim gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1); 1239109998Smarkm 1240280297Sjkim if ((krb5rc = kssl_build_principal_2(krb5context, 1241280297Sjkim &new5ticket->server, 1242280297Sjkim asn1ticket->realm->length, 1243280297Sjkim (char *)asn1ticket->realm->data, 1244280297Sjkim gstr_svc->length, 1245280297Sjkim (char *)gstr_svc->data, 1246280297Sjkim gstr_host->length, 1247280297Sjkim (char *)gstr_host->data)) != 0) { 1248280297Sjkim free(new5ticket); 1249280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1250280297Sjkim "Error building ticket server principal.\n"); 1251280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1252280297Sjkim return krb5rc; /* or KRB5KRB_ERR_GENERIC; */ 1253280297Sjkim } 1254109998Smarkm 1255280297Sjkim krb5_princ_type(krb5context, new5ticket->server) = 1256280297Sjkim asn1ticket->sname->nametype->data[0]; 1257280297Sjkim new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0]; 1258280297Sjkim new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0]; 1259280297Sjkim new5ticket->enc_part.ciphertext.length = 1260280297Sjkim asn1ticket->encdata->cipher->length; 1261280297Sjkim if ((new5ticket->enc_part.ciphertext.data = 1262280297Sjkim calloc(1, asn1ticket->encdata->cipher->length)) == NULL) { 1263280297Sjkim free(new5ticket); 1264280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1265280297Sjkim "Error allocating cipher in krb5ticket.\n"); 1266280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1267280297Sjkim return KRB5KRB_ERR_GENERIC; 1268280297Sjkim } else { 1269280297Sjkim memcpy(new5ticket->enc_part.ciphertext.data, 1270280297Sjkim asn1ticket->encdata->cipher->data, 1271280297Sjkim asn1ticket->encdata->cipher->length); 1272280297Sjkim } 1273109998Smarkm 1274280297Sjkim *krb5ticket = new5ticket; 1275280297Sjkim return 0; 1276280297Sjkim} 1277109998Smarkm 1278280297Sjkim/*- 1279280297Sjkim * Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), 1280280297Sjkim * and krb5 AP_REQ message & message length, 1281280297Sjkim * Return Kerberos session key and client principle 1282280297Sjkim * to SSL Server in KSSL_CTX *kssl_ctx. 1283280297Sjkim * 1284280297Sjkim * 19990702 VRS Started. 1285280297Sjkim */ 1286280297Sjkimkrb5_error_code kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, 1287280297Sjkim /* 1288280297Sjkim * IN 1289280297Sjkim */ krb5_data *indata, 1290280297Sjkim /* 1291280297Sjkim * OUT 1292280297Sjkim */ krb5_ticket_times *ttimes, 1293280297Sjkim /* 1294280297Sjkim * OUT 1295280297Sjkim */ KSSL_ERR *kssl_err) 1296280297Sjkim{ 1297280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1298280297Sjkim static krb5_context krb5context = NULL; 1299280297Sjkim static krb5_auth_context krb5auth_context = NULL; 1300280297Sjkim krb5_ticket *krb5ticket = NULL; 1301280297Sjkim KRB5_TKTBODY *asn1ticket = NULL; 1302280297Sjkim const unsigned char *p; 1303280297Sjkim krb5_keytab krb5keytab = NULL; 1304280297Sjkim krb5_keytab_entry kt_entry; 1305280297Sjkim krb5_principal krb5server; 1306280297Sjkim krb5_rcache rcache = NULL; 1307109998Smarkm 1308280297Sjkim kssl_err_set(kssl_err, 0, ""); 1309109998Smarkm 1310280297Sjkim if (!kssl_ctx) { 1311280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); 1312280297Sjkim goto err; 1313280297Sjkim } 1314280297Sjkim# ifdef KSSL_DEBUG 1315280297Sjkim fprintf(stderr, "in kssl_sget_tkt(%s)\n", 1316280297Sjkim kstring(kssl_ctx->service_name)); 1317280297Sjkim# endif /* KSSL_DEBUG */ 1318109998Smarkm 1319280297Sjkim if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) { 1320280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1321280297Sjkim "krb5_init_context() fails.\n"); 1322280297Sjkim goto err; 1323280297Sjkim } 1324280297Sjkim if (krb5auth_context && 1325280297Sjkim (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) { 1326280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1327280297Sjkim "krb5_auth_con_free() fails.\n"); 1328280297Sjkim goto err; 1329280297Sjkim } else 1330280297Sjkim krb5auth_context = NULL; 1331280297Sjkim if (!krb5auth_context && 1332280297Sjkim (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) { 1333280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1334280297Sjkim "krb5_auth_con_init() fails.\n"); 1335280297Sjkim goto err; 1336280297Sjkim } 1337109998Smarkm 1338280297Sjkim if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context, 1339280297Sjkim &rcache))) { 1340280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1341280297Sjkim "krb5_auth_con_getrcache() fails.\n"); 1342280297Sjkim goto err; 1343280297Sjkim } 1344109998Smarkm 1345280297Sjkim if ((krb5rc = krb5_sname_to_principal(krb5context, NULL, 1346280297Sjkim (kssl_ctx->service_name) ? 1347280297Sjkim kssl_ctx->service_name : KRB5SVC, 1348280297Sjkim KRB5_NT_SRV_HST, 1349280297Sjkim &krb5server)) != 0) { 1350280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1351280297Sjkim "krb5_sname_to_principal() fails.\n"); 1352280297Sjkim goto err; 1353280297Sjkim } 1354109998Smarkm 1355280297Sjkim if (rcache == NULL) { 1356280297Sjkim if ((krb5rc = krb5_get_server_rcache(krb5context, 1357280297Sjkim krb5_princ_component(krb5context, 1358280297Sjkim krb5server, 1359280297Sjkim 0), 1360280297Sjkim &rcache))) { 1361280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1362280297Sjkim "krb5_get_server_rcache() fails.\n"); 1363280297Sjkim goto err; 1364280297Sjkim } 1365280297Sjkim } 1366109998Smarkm 1367280297Sjkim if ((krb5rc = 1368280297Sjkim krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache))) { 1369280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1370280297Sjkim "krb5_auth_con_setrcache() fails.\n"); 1371280297Sjkim goto err; 1372280297Sjkim } 1373109998Smarkm 1374280297Sjkim /* 1375280297Sjkim * kssl_ctx->keytab_file == NULL ==> use Kerberos default 1376280297Sjkim */ 1377280297Sjkim if (kssl_ctx->keytab_file) { 1378280297Sjkim krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, 1379280297Sjkim &krb5keytab); 1380280297Sjkim if (krb5rc) { 1381280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1382280297Sjkim "krb5_kt_resolve() fails.\n"); 1383280297Sjkim goto err; 1384280297Sjkim } 1385280297Sjkim } else { 1386280297Sjkim krb5rc = krb5_kt_default(krb5context, &krb5keytab); 1387280297Sjkim if (krb5rc) { 1388280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1389280297Sjkim "krb5_kt_default() fails.\n"); 1390280297Sjkim goto err; 1391280297Sjkim } 1392280297Sjkim } 1393109998Smarkm 1394280297Sjkim /*- Actual Kerberos5 krb5_recvauth() has initial conversation here 1395280297Sjkim * o check KRB5_SENDAUTH_BADAUTHVERS 1396280297Sjkim * unless KRB5_RECVAUTH_SKIP_VERSION 1397280297Sjkim * o check KRB5_SENDAUTH_BADAPPLVERS 1398280297Sjkim * o send "0" msg if all OK 1399280297Sjkim */ 1400109998Smarkm 1401280297Sjkim /*- 1402280297Sjkim * 20010411 was using AP_REQ instead of true KerberosWrapper 1403280297Sjkim * 1404280297Sjkim * if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, 1405280297Sjkim * &krb5in_data, krb5server, krb5keytab, 1406280297Sjkim * &ap_option, &krb5ticket)) != 0) { Error } 1407280297Sjkim */ 1408109998Smarkm 1409280297Sjkim p = (unsigned char *)indata->data; 1410280297Sjkim if ((asn1ticket = (KRB5_TKTBODY *)d2i_KRB5_TICKET(NULL, &p, 1411280297Sjkim (long)indata->length)) 1412280297Sjkim == NULL) { 1413280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1414280297Sjkim "d2i_KRB5_TICKET() ASN.1 decode failure.\n"); 1415280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1416280297Sjkim goto err; 1417280297Sjkim } 1418109998Smarkm 1419280297Sjkim /* 1420280297Sjkim * Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) 1421280297Sjkim */ 1422280297Sjkim if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket, 1423280297Sjkim kssl_err)) != 0) { 1424280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1425280297Sjkim "Error converting ASN.1 ticket to krb5_ticket.\n"); 1426280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1427280297Sjkim goto err; 1428280297Sjkim } 1429109998Smarkm 1430280297Sjkim if (!krb5_principal_compare(krb5context, krb5server, krb5ticket->server)) { 1431280297Sjkim krb5rc = KRB5_PRINC_NOMATCH; 1432280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1433280297Sjkim "server principal != ticket principal\n"); 1434280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1435280297Sjkim goto err; 1436280297Sjkim } 1437280297Sjkim if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 1438280297Sjkim krb5ticket->server, 1439280297Sjkim krb5ticket->enc_part.kvno, 1440280297Sjkim krb5ticket->enc_part.enctype, 1441280297Sjkim &kt_entry)) != 0) { 1442280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1443280297Sjkim "krb5_kt_get_entry() fails with %x.\n", krb5rc); 1444280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1445280297Sjkim goto err; 1446280297Sjkim } 1447280297Sjkim if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key, 1448280297Sjkim krb5ticket)) != 0) { 1449280297Sjkim BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1450280297Sjkim "krb5_decrypt_tkt_part() failed.\n"); 1451280297Sjkim kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1452280297Sjkim goto err; 1453280297Sjkim } else { 1454280297Sjkim krb5_kt_free_entry(krb5context, &kt_entry); 1455280297Sjkim# ifdef KSSL_DEBUG 1456280297Sjkim { 1457280297Sjkim int i; 1458280297Sjkim krb5_address **paddr = krb5ticket->enc_part2->caddrs; 1459280297Sjkim fprintf(stderr, "Decrypted ticket fields:\n"); 1460280297Sjkim fprintf(stderr, "\tflags: %X, transit-type: %X", 1461280297Sjkim krb5ticket->enc_part2->flags, 1462280297Sjkim krb5ticket->enc_part2->transited.tr_type); 1463280297Sjkim print_krb5_data("\ttransit-data: ", 1464280297Sjkim &(krb5ticket->enc_part2->transited.tr_contents)); 1465280297Sjkim fprintf(stderr, "\tcaddrs: %p, authdata: %p\n", 1466280297Sjkim krb5ticket->enc_part2->caddrs, 1467280297Sjkim krb5ticket->enc_part2->authorization_data); 1468280297Sjkim if (paddr) { 1469280297Sjkim fprintf(stderr, "\tcaddrs:\n"); 1470280297Sjkim for (i = 0; paddr[i] != NULL; i++) { 1471280297Sjkim krb5_data d; 1472280297Sjkim d.length = paddr[i]->length; 1473280297Sjkim d.data = paddr[i]->contents; 1474280297Sjkim print_krb5_data("\t\tIP: ", &d); 1475109998Smarkm } 1476280297Sjkim } 1477280297Sjkim fprintf(stderr, "\tstart/auth/end times: %d / %d / %d\n", 1478280297Sjkim krb5ticket->enc_part2->times.starttime, 1479280297Sjkim krb5ticket->enc_part2->times.authtime, 1480280297Sjkim krb5ticket->enc_part2->times.endtime); 1481280297Sjkim } 1482280297Sjkim# endif /* KSSL_DEBUG */ 1483280297Sjkim } 1484109998Smarkm 1485280297Sjkim krb5rc = KRB5_NO_TKT_SUPPLIED; 1486280297Sjkim if (!krb5ticket || !krb5ticket->enc_part2 || 1487280297Sjkim !krb5ticket->enc_part2->client || 1488280297Sjkim !krb5ticket->enc_part2->client->data || 1489280297Sjkim !krb5ticket->enc_part2->session) { 1490280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1491280297Sjkim "bad ticket from krb5_rd_req.\n"); 1492280297Sjkim } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, 1493280297Sjkim &krb5ticket->enc_part2->client->realm, 1494280297Sjkim krb5ticket->enc_part2->client->data, 1495280297Sjkim krb5ticket->enc_part2->client->length)) { 1496280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1497280297Sjkim "kssl_ctx_setprinc() fails.\n"); 1498280297Sjkim } else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) { 1499280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1500280297Sjkim "kssl_ctx_setkey() fails.\n"); 1501280297Sjkim } else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) { 1502280297Sjkim krb5rc = KRB5KRB_AP_ERR_TKT_INVALID; 1503280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1504280297Sjkim "invalid ticket from krb5_rd_req.\n"); 1505280297Sjkim } else 1506280297Sjkim krb5rc = 0; 1507109998Smarkm 1508280297Sjkim kssl_ctx->enctype = krb5ticket->enc_part.enctype; 1509280297Sjkim ttimes->authtime = krb5ticket->enc_part2->times.authtime; 1510280297Sjkim ttimes->starttime = krb5ticket->enc_part2->times.starttime; 1511280297Sjkim ttimes->endtime = krb5ticket->enc_part2->times.endtime; 1512280297Sjkim ttimes->renew_till = krb5ticket->enc_part2->times.renew_till; 1513109998Smarkm 1514109998Smarkm err: 1515280297Sjkim# ifdef KSSL_DEBUG 1516280297Sjkim kssl_ctx_show(kssl_ctx); 1517280297Sjkim# endif /* KSSL_DEBUG */ 1518109998Smarkm 1519280297Sjkim if (asn1ticket) 1520280297Sjkim KRB5_TICKET_free((KRB5_TICKET *) asn1ticket); 1521280297Sjkim if (krb5keytab) 1522280297Sjkim krb5_kt_close(krb5context, krb5keytab); 1523280297Sjkim if (krb5ticket) 1524280297Sjkim krb5_free_ticket(krb5context, krb5ticket); 1525280297Sjkim if (krb5server) 1526280297Sjkim krb5_free_principal(krb5context, krb5server); 1527280297Sjkim return (krb5rc); 1528280297Sjkim} 1529109998Smarkm 1530280297Sjkim/* 1531280297Sjkim * Allocate & return a new kssl_ctx struct. 1532280297Sjkim */ 1533280297SjkimKSSL_CTX *kssl_ctx_new(void) 1534280297Sjkim{ 1535280297Sjkim return ((KSSL_CTX *)kssl_calloc(1, sizeof(KSSL_CTX))); 1536280297Sjkim} 1537109998Smarkm 1538280297Sjkim/* 1539280297Sjkim * Frees a kssl_ctx struct and any allocated memory it holds. Returns NULL. 1540280297Sjkim */ 1541280297SjkimKSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx) 1542280297Sjkim{ 1543280297Sjkim if (kssl_ctx == NULL) 1544280297Sjkim return kssl_ctx; 1545109998Smarkm 1546280297Sjkim if (kssl_ctx->key) 1547280297Sjkim OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); 1548280297Sjkim if (kssl_ctx->key) 1549280297Sjkim kssl_free(kssl_ctx->key); 1550280297Sjkim if (kssl_ctx->client_princ) 1551280297Sjkim kssl_free(kssl_ctx->client_princ); 1552280297Sjkim if (kssl_ctx->service_host) 1553280297Sjkim kssl_free(kssl_ctx->service_host); 1554280297Sjkim if (kssl_ctx->service_name) 1555280297Sjkim kssl_free(kssl_ctx->service_name); 1556280297Sjkim if (kssl_ctx->keytab_file) 1557280297Sjkim kssl_free(kssl_ctx->keytab_file); 1558109998Smarkm 1559280297Sjkim kssl_free(kssl_ctx); 1560280297Sjkim return (KSSL_CTX *)NULL; 1561280297Sjkim} 1562109998Smarkm 1563280297Sjkim/* 1564280297Sjkim * Given an array of (krb5_data *) entity (and optional realm), set the plain 1565280297Sjkim * (char *) client_princ or service_host member of the kssl_ctx struct. 1566280297Sjkim */ 1567109998Smarkmkrb5_error_code 1568109998Smarkmkssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, 1569280297Sjkim krb5_data *realm, krb5_data *entity, int nentities) 1570280297Sjkim{ 1571280297Sjkim char **princ; 1572280297Sjkim int length; 1573280297Sjkim int i; 1574109998Smarkm 1575280297Sjkim if (kssl_ctx == NULL || entity == NULL) 1576280297Sjkim return KSSL_CTX_ERR; 1577109998Smarkm 1578280297Sjkim switch (which) { 1579280297Sjkim case KSSL_CLIENT: 1580280297Sjkim princ = &kssl_ctx->client_princ; 1581280297Sjkim break; 1582280297Sjkim case KSSL_SERVER: 1583280297Sjkim princ = &kssl_ctx->service_host; 1584280297Sjkim break; 1585280297Sjkim default: 1586280297Sjkim return KSSL_CTX_ERR; 1587280297Sjkim break; 1588280297Sjkim } 1589280297Sjkim if (*princ) 1590280297Sjkim kssl_free(*princ); 1591109998Smarkm 1592280297Sjkim /* Add up all the entity->lengths */ 1593280297Sjkim length = 0; 1594280297Sjkim for (i = 0; i < nentities; i++) { 1595280297Sjkim length += entity[i].length; 1596280297Sjkim } 1597280297Sjkim /* Add in space for the '/' character(s) (if any) */ 1598280297Sjkim length += nentities - 1; 1599280297Sjkim /* Space for the ('@'+realm+NULL | NULL) */ 1600280297Sjkim length += ((realm) ? realm->length + 2 : 1); 1601120631Snectar 1602280297Sjkim if ((*princ = kssl_calloc(1, length)) == NULL) 1603280297Sjkim return KSSL_CTX_ERR; 1604280297Sjkim else { 1605280297Sjkim for (i = 0; i < nentities; i++) { 1606280297Sjkim strncat(*princ, entity[i].data, entity[i].length); 1607280297Sjkim if (i < nentities - 1) { 1608280297Sjkim strcat(*princ, "/"); 1609280297Sjkim } 1610109998Smarkm } 1611280297Sjkim if (realm) { 1612280297Sjkim strcat(*princ, "@"); 1613280297Sjkim (void)strncat(*princ, realm->data, realm->length); 1614280297Sjkim } 1615280297Sjkim } 1616109998Smarkm 1617280297Sjkim return KSSL_CTX_OK; 1618280297Sjkim} 1619109998Smarkm 1620280297Sjkim/*- Set one of the plain (char *) string members of the kssl_ctx struct. 1621280297Sjkim * Default values should be: 1622280297Sjkim * which == KSSL_SERVICE => "khost" (KRB5SVC) 1623280297Sjkim * which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) 1624280297Sjkim */ 1625280297Sjkimkrb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) 1626280297Sjkim{ 1627280297Sjkim char **string; 1628109998Smarkm 1629280297Sjkim if (!kssl_ctx) 1630280297Sjkim return KSSL_CTX_ERR; 1631109998Smarkm 1632280297Sjkim switch (which) { 1633280297Sjkim case KSSL_SERVICE: 1634280297Sjkim string = &kssl_ctx->service_name; 1635280297Sjkim break; 1636280297Sjkim case KSSL_SERVER: 1637280297Sjkim string = &kssl_ctx->service_host; 1638280297Sjkim break; 1639280297Sjkim case KSSL_CLIENT: 1640280297Sjkim string = &kssl_ctx->client_princ; 1641280297Sjkim break; 1642280297Sjkim case KSSL_KEYTAB: 1643280297Sjkim string = &kssl_ctx->keytab_file; 1644280297Sjkim break; 1645280297Sjkim default: 1646280297Sjkim return KSSL_CTX_ERR; 1647280297Sjkim break; 1648280297Sjkim } 1649280297Sjkim if (*string) 1650280297Sjkim kssl_free(*string); 1651109998Smarkm 1652280297Sjkim if (!text) { 1653280297Sjkim *string = '\0'; 1654280297Sjkim return KSSL_CTX_OK; 1655280297Sjkim } 1656109998Smarkm 1657280297Sjkim if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL) 1658280297Sjkim return KSSL_CTX_ERR; 1659280297Sjkim else 1660280297Sjkim strcpy(*string, text); 1661109998Smarkm 1662280297Sjkim return KSSL_CTX_OK; 1663280297Sjkim} 1664109998Smarkm 1665280297Sjkim/* 1666280297Sjkim * Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx 1667280297Sjkim * struct. Clear kssl_ctx->key if Kerberos session key is NULL. 1668280297Sjkim */ 1669280297Sjkimkrb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) 1670280297Sjkim{ 1671280297Sjkim int length; 1672280297Sjkim krb5_enctype enctype; 1673280297Sjkim krb5_octet FAR *contents = NULL; 1674109998Smarkm 1675280297Sjkim if (!kssl_ctx) 1676280297Sjkim return KSSL_CTX_ERR; 1677109998Smarkm 1678280297Sjkim if (kssl_ctx->key) { 1679280297Sjkim OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); 1680280297Sjkim kssl_free(kssl_ctx->key); 1681280297Sjkim } 1682109998Smarkm 1683280297Sjkim if (session) { 1684109998Smarkm 1685280297Sjkim# ifdef KRB5_HEIMDAL 1686280297Sjkim length = session->keyvalue->length; 1687280297Sjkim enctype = session->keytype; 1688280297Sjkim contents = session->keyvalue->contents; 1689280297Sjkim# else 1690280297Sjkim length = session->length; 1691280297Sjkim enctype = session->enctype; 1692280297Sjkim contents = session->contents; 1693280297Sjkim# endif 1694280297Sjkim kssl_ctx->enctype = enctype; 1695280297Sjkim kssl_ctx->length = length; 1696280297Sjkim } else { 1697280297Sjkim kssl_ctx->enctype = ENCTYPE_UNKNOWN; 1698280297Sjkim kssl_ctx->length = 0; 1699280297Sjkim return KSSL_CTX_OK; 1700280297Sjkim } 1701109998Smarkm 1702280297Sjkim if ((kssl_ctx->key = 1703280297Sjkim (krb5_octet FAR *)kssl_calloc(1, kssl_ctx->length)) == NULL) { 1704280297Sjkim kssl_ctx->length = 0; 1705280297Sjkim return KSSL_CTX_ERR; 1706280297Sjkim } else 1707280297Sjkim memcpy(kssl_ctx->key, contents, length); 1708109998Smarkm 1709280297Sjkim return KSSL_CTX_OK; 1710280297Sjkim} 1711109998Smarkm 1712280297Sjkim/* 1713280297Sjkim * Display contents of kssl_ctx struct 1714280297Sjkim */ 1715280297Sjkimvoid kssl_ctx_show(KSSL_CTX *kssl_ctx) 1716280297Sjkim{ 1717280297Sjkim int i; 1718109998Smarkm 1719280297Sjkim printf("kssl_ctx: "); 1720280297Sjkim if (kssl_ctx == NULL) { 1721280297Sjkim printf("NULL\n"); 1722280297Sjkim return; 1723280297Sjkim } else 1724280297Sjkim printf("%p\n", (void *)kssl_ctx); 1725109998Smarkm 1726280297Sjkim printf("\tservice:\t%s\n", 1727280297Sjkim (kssl_ctx->service_name) ? kssl_ctx->service_name : "NULL"); 1728280297Sjkim printf("\tclient:\t%s\n", 1729280297Sjkim (kssl_ctx->client_princ) ? kssl_ctx->client_princ : "NULL"); 1730280297Sjkim printf("\tserver:\t%s\n", 1731280297Sjkim (kssl_ctx->service_host) ? kssl_ctx->service_host : "NULL"); 1732280297Sjkim printf("\tkeytab:\t%s\n", 1733280297Sjkim (kssl_ctx->keytab_file) ? kssl_ctx->keytab_file : "NULL"); 1734280297Sjkim printf("\tkey [%d:%d]:\t", kssl_ctx->enctype, kssl_ctx->length); 1735109998Smarkm 1736280297Sjkim for (i = 0; i < kssl_ctx->length && kssl_ctx->key; i++) { 1737280297Sjkim printf("%02x", kssl_ctx->key[i]); 1738280297Sjkim } 1739280297Sjkim printf("\n"); 1740280297Sjkim return; 1741280297Sjkim} 1742109998Smarkm 1743280297Sjkimint kssl_keytab_is_available(KSSL_CTX *kssl_ctx) 1744109998Smarkm{ 1745280297Sjkim krb5_context krb5context = NULL; 1746280297Sjkim krb5_keytab krb5keytab = NULL; 1747280297Sjkim krb5_keytab_entry entry; 1748280297Sjkim krb5_principal princ = NULL; 1749280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1750109998Smarkm int rc = 0; 1751109998Smarkm 1752109998Smarkm if ((krb5rc = krb5_init_context(&krb5context))) 1753280297Sjkim return (0); 1754109998Smarkm 1755280297Sjkim /* 1756280297Sjkim * kssl_ctx->keytab_file == NULL ==> use Kerberos default 1757280297Sjkim */ 1758280297Sjkim if (kssl_ctx->keytab_file) { 1759109998Smarkm krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, 1760280297Sjkim &krb5keytab); 1761109998Smarkm if (krb5rc) 1762109998Smarkm goto exit; 1763280297Sjkim } else { 1764280297Sjkim krb5rc = krb5_kt_default(krb5context, &krb5keytab); 1765109998Smarkm if (krb5rc) 1766109998Smarkm goto exit; 1767109998Smarkm } 1768109998Smarkm 1769109998Smarkm /* the host key we are looking for */ 1770280297Sjkim krb5rc = krb5_sname_to_principal(krb5context, NULL, 1771280297Sjkim kssl_ctx-> 1772280297Sjkim service_name ? kssl_ctx->service_name : 1773280297Sjkim KRB5SVC, KRB5_NT_SRV_HST, &princ); 1774109998Smarkm 1775206046Ssimon if (krb5rc) 1776280297Sjkim goto exit; 1777206046Ssimon 1778280297Sjkim krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, princ, 1779280297Sjkim /* IGNORE_VNO */ 1780280297Sjkim 0, 1781280297Sjkim /* IGNORE_ENCTYPE */ 1782280297Sjkim 0, &entry); 1783280297Sjkim if (krb5rc == KRB5_KT_NOTFOUND) { 1784109998Smarkm rc = 1; 1785109998Smarkm goto exit; 1786280297Sjkim } else if (krb5rc) 1787109998Smarkm goto exit; 1788280297Sjkim 1789109998Smarkm krb5_kt_free_entry(krb5context, &entry); 1790109998Smarkm rc = 1; 1791109998Smarkm 1792280297Sjkim exit: 1793280297Sjkim if (krb5keytab) 1794280297Sjkim krb5_kt_close(krb5context, krb5keytab); 1795280297Sjkim if (princ) 1796280297Sjkim krb5_free_principal(krb5context, princ); 1797280297Sjkim if (krb5context) 1798280297Sjkim krb5_free_context(krb5context); 1799280297Sjkim return (rc); 1800109998Smarkm} 1801109998Smarkm 1802280297Sjkimint kssl_tgt_is_available(KSSL_CTX *kssl_ctx) 1803280297Sjkim{ 1804280297Sjkim krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1805280297Sjkim krb5_context krb5context = NULL; 1806280297Sjkim krb5_ccache krb5ccdef = NULL; 1807280297Sjkim krb5_creds krb5creds, *krb5credsp = NULL; 1808280297Sjkim int rc = 0; 1809109998Smarkm 1810280297Sjkim memset((char *)&krb5creds, 0, sizeof(krb5creds)); 1811109998Smarkm 1812280297Sjkim if (!kssl_ctx) 1813280297Sjkim return (0); 1814109998Smarkm 1815280297Sjkim if (!kssl_ctx->service_host) 1816280297Sjkim return (0); 1817109998Smarkm 1818280297Sjkim if ((krb5rc = krb5_init_context(&krb5context)) != 0) 1819280297Sjkim goto err; 1820109998Smarkm 1821280297Sjkim if ((krb5rc = krb5_sname_to_principal(krb5context, 1822280297Sjkim kssl_ctx->service_host, 1823280297Sjkim (kssl_ctx->service_name) ? 1824280297Sjkim kssl_ctx->service_name : KRB5SVC, 1825280297Sjkim KRB5_NT_SRV_HST, 1826280297Sjkim &krb5creds.server)) != 0) 1827280297Sjkim goto err; 1828109998Smarkm 1829280297Sjkim if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) 1830280297Sjkim goto err; 1831109998Smarkm 1832280297Sjkim if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, 1833280297Sjkim &krb5creds.client)) != 0) 1834280297Sjkim goto err; 1835109998Smarkm 1836280297Sjkim if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, 1837280297Sjkim &krb5creds, &krb5credsp)) != 0) 1838280297Sjkim goto err; 1839109998Smarkm 1840280297Sjkim rc = 1; 1841109998Smarkm 1842280297Sjkim err: 1843280297Sjkim# ifdef KSSL_DEBUG 1844280297Sjkim kssl_ctx_show(kssl_ctx); 1845280297Sjkim# endif /* KSSL_DEBUG */ 1846109998Smarkm 1847280297Sjkim if (krb5creds.client) 1848280297Sjkim krb5_free_principal(krb5context, krb5creds.client); 1849280297Sjkim if (krb5creds.server) 1850280297Sjkim krb5_free_principal(krb5context, krb5creds.server); 1851280297Sjkim if (krb5context) 1852280297Sjkim krb5_free_context(krb5context); 1853280297Sjkim return (rc); 1854280297Sjkim} 1855109998Smarkm 1856280297Sjkim# if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32) 1857109998Smarkmvoid kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) 1858280297Sjkim{ 1859280297Sjkim# ifdef KRB5_HEIMDAL 1860280297Sjkim data->length = 0; 1861280297Sjkim if (data->data) 1862280297Sjkim free(data->data); 1863280297Sjkim# elif defined(KRB5_MIT_OLD11) 1864280297Sjkim if (data->data) { 1865280297Sjkim krb5_xfree(data->data); 1866280297Sjkim data->data = 0; 1867280297Sjkim } 1868280297Sjkim# else 1869280297Sjkim krb5_free_data_contents(NULL, data); 1870280297Sjkim# endif 1871280297Sjkim} 1872280297Sjkim# endif 1873280297Sjkim/* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */ 1874109998Smarkm 1875280297Sjkim/* 1876280297Sjkim * Given pointers to KerberosTime and struct tm structs, convert the 1877280297Sjkim * KerberosTime string to struct tm. Note that KerberosTime is a 1878280297Sjkim * ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional seconds 1879280297Sjkim * as defined in RFC 1510. Return pointer to the (partially) filled in 1880280297Sjkim * struct tm on success, return NULL on failure. 1881280297Sjkim */ 1882238405Sjkimstatic struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) 1883280297Sjkim{ 1884280297Sjkim char c, *p; 1885109998Smarkm 1886280297Sjkim if (!k_tm) 1887280297Sjkim return NULL; 1888280297Sjkim if (gtime == NULL || gtime->length < 14) 1889280297Sjkim return NULL; 1890280297Sjkim if (gtime->data == NULL) 1891280297Sjkim return NULL; 1892109998Smarkm 1893280297Sjkim p = (char *)>ime->data[14]; 1894109998Smarkm 1895280297Sjkim c = *p; 1896280297Sjkim *p = '\0'; 1897280297Sjkim p -= 2; 1898280297Sjkim k_tm->tm_sec = atoi(p); 1899280297Sjkim *(p + 2) = c; 1900280297Sjkim c = *p; 1901280297Sjkim *p = '\0'; 1902280297Sjkim p -= 2; 1903280297Sjkim k_tm->tm_min = atoi(p); 1904280297Sjkim *(p + 2) = c; 1905280297Sjkim c = *p; 1906280297Sjkim *p = '\0'; 1907280297Sjkim p -= 2; 1908280297Sjkim k_tm->tm_hour = atoi(p); 1909280297Sjkim *(p + 2) = c; 1910280297Sjkim c = *p; 1911280297Sjkim *p = '\0'; 1912280297Sjkim p -= 2; 1913280297Sjkim k_tm->tm_mday = atoi(p); 1914280297Sjkim *(p + 2) = c; 1915280297Sjkim c = *p; 1916280297Sjkim *p = '\0'; 1917280297Sjkim p -= 2; 1918280297Sjkim k_tm->tm_mon = atoi(p) - 1; 1919280297Sjkim *(p + 2) = c; 1920280297Sjkim c = *p; 1921280297Sjkim *p = '\0'; 1922280297Sjkim p -= 4; 1923280297Sjkim k_tm->tm_year = atoi(p) - 1900; 1924280297Sjkim *(p + 4) = c; 1925109998Smarkm 1926280297Sjkim return k_tm; 1927280297Sjkim} 1928109998Smarkm 1929280297Sjkim/* 1930280297Sjkim * Helper function for kssl_validate_times(). We need context->clockskew, 1931280297Sjkim * but krb5_context is an opaque struct. So we try to sneek the clockskew 1932280297Sjkim * out through the replay cache. If that fails just return a likely default 1933280297Sjkim * (300 seconds). 1934280297Sjkim */ 1935238405Sjkimstatic krb5_deltat get_rc_clockskew(krb5_context context) 1936280297Sjkim{ 1937280297Sjkim krb5_rcache rc; 1938280297Sjkim krb5_deltat clockskew; 1939109998Smarkm 1940280297Sjkim if (krb5_rc_default(context, &rc)) 1941280297Sjkim return KSSL_CLOCKSKEW; 1942280297Sjkim if (krb5_rc_initialize(context, rc, 0)) 1943280297Sjkim return KSSL_CLOCKSKEW; 1944280297Sjkim if (krb5_rc_get_lifespan(context, rc, &clockskew)) { 1945280297Sjkim clockskew = KSSL_CLOCKSKEW; 1946280297Sjkim } 1947280297Sjkim (void)krb5_rc_destroy(context, rc); 1948280297Sjkim return clockskew; 1949280297Sjkim} 1950109998Smarkm 1951280297Sjkim/* 1952280297Sjkim * kssl_validate_times() combines (and more importantly exposes) the MIT KRB5 1953280297Sjkim * internal function krb5_validate_times() and the in_clock_skew() macro. 1954280297Sjkim * The authenticator client time is checked to be within clockskew secs of 1955280297Sjkim * the current time and the current time is checked to be within the ticket 1956280297Sjkim * start and expire times. Either check may be omitted by supplying a NULL 1957280297Sjkim * value. Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. See 1958280297Sjkim * Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c 20010420 VRS 1959280297Sjkim */ 1960280297Sjkimkrb5_error_code kssl_validate_times(krb5_timestamp atime, 1961280297Sjkim krb5_ticket_times *ttimes) 1962280297Sjkim{ 1963280297Sjkim krb5_deltat skew; 1964280297Sjkim krb5_timestamp start, now; 1965280297Sjkim krb5_error_code rc; 1966280297Sjkim krb5_context context; 1967109998Smarkm 1968280297Sjkim if ((rc = krb5_init_context(&context))) 1969280297Sjkim return SSL_R_KRB5_S_BAD_TICKET; 1970280297Sjkim skew = get_rc_clockskew(context); 1971280297Sjkim if ((rc = krb5_timeofday(context, &now))) 1972280297Sjkim return SSL_R_KRB5_S_BAD_TICKET; 1973280297Sjkim krb5_free_context(context); 1974109998Smarkm 1975280297Sjkim if (atime && labs(atime - now) >= skew) 1976280297Sjkim return SSL_R_KRB5_S_TKT_SKEW; 1977109998Smarkm 1978280297Sjkim if (!ttimes) 1979280297Sjkim return 0; 1980109998Smarkm 1981280297Sjkim start = (ttimes->starttime != 0) ? ttimes->starttime : ttimes->authtime; 1982280297Sjkim if (start - now > skew) 1983280297Sjkim return SSL_R_KRB5_S_TKT_NYV; 1984280297Sjkim if ((now - ttimes->endtime) > skew) 1985280297Sjkim return SSL_R_KRB5_S_TKT_EXPIRED; 1986109998Smarkm 1987280297Sjkim# ifdef KSSL_DEBUG 1988280297Sjkim fprintf(stderr, "kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", 1989280297Sjkim start, atime, now, skew, ttimes->endtime); 1990280297Sjkim# endif /* KSSL_DEBUG */ 1991109998Smarkm 1992280297Sjkim return 0; 1993280297Sjkim} 1994109998Smarkm 1995280297Sjkim/* 1996280297Sjkim * Decode and decrypt given DER-encoded authenticator, then pass 1997280297Sjkim * authenticator ctime back in *atimep (or 0 if time unavailable). Returns 1998280297Sjkim * krb5_error_code and kssl_err on error. A NULL authenticator 1999280297Sjkim * (authentp->length == 0) is not considered an error. Note that 2000280297Sjkim * kssl_check_authent() makes use of the KRB5 session key; you must call 2001280297Sjkim * kssl_sget_tkt() to get the key before calling this routine. 2002280297Sjkim */ 2003280297Sjkimkrb5_error_code kssl_check_authent( 2004280297Sjkim /* 2005280297Sjkim * IN 2006280297Sjkim */ KSSL_CTX *kssl_ctx, 2007280297Sjkim /* 2008280297Sjkim * IN 2009280297Sjkim */ krb5_data *authentp, 2010280297Sjkim /* 2011280297Sjkim * OUT 2012280297Sjkim */ krb5_timestamp *atimep, 2013280297Sjkim /* 2014280297Sjkim * OUT 2015280297Sjkim */ KSSL_ERR *kssl_err) 2016280297Sjkim{ 2017280297Sjkim krb5_error_code krb5rc = 0; 2018280297Sjkim KRB5_ENCDATA *dec_authent = NULL; 2019280297Sjkim KRB5_AUTHENTBODY *auth = NULL; 2020280297Sjkim krb5_enctype enctype; 2021280297Sjkim EVP_CIPHER_CTX ciph_ctx; 2022280297Sjkim const EVP_CIPHER *enc = NULL; 2023280297Sjkim unsigned char iv[EVP_MAX_IV_LENGTH]; 2024280297Sjkim const unsigned char *p; 2025280297Sjkim unsigned char *unenc_authent; 2026280297Sjkim int outl, unencbufsize; 2027280297Sjkim struct tm tm_time, *tm_l, *tm_g; 2028280297Sjkim time_t now, tl, tg, tr, tz_offset; 2029109998Smarkm 2030280297Sjkim EVP_CIPHER_CTX_init(&ciph_ctx); 2031280297Sjkim *atimep = 0; 2032280297Sjkim kssl_err_set(kssl_err, 0, ""); 2033109998Smarkm 2034280297Sjkim# ifndef KRB5CHECKAUTH 2035280297Sjkim authentp = NULL; 2036280297Sjkim# else 2037280297Sjkim# if KRB5CHECKAUTH == 0 2038280297Sjkim authentp = NULL; 2039280297Sjkim# endif 2040280297Sjkim# endif /* KRB5CHECKAUTH */ 2041109998Smarkm 2042280297Sjkim if (authentp == NULL || authentp->length == 0) 2043280297Sjkim return 0; 2044109998Smarkm 2045280297Sjkim# ifdef KSSL_DEBUG 2046280297Sjkim { 2047109998Smarkm unsigned int ui; 2048280297Sjkim fprintf(stderr, "kssl_check_authent: authenticator[%d]:\n", 2049280297Sjkim authentp->length); 2050280297Sjkim p = authentp->data; 2051280297Sjkim for (ui = 0; ui < authentp->length; ui++) 2052280297Sjkim fprintf(stderr, "%02x ", p[ui]); 2053280297Sjkim fprintf(stderr, "\n"); 2054280297Sjkim } 2055280297Sjkim# endif /* KSSL_DEBUG */ 2056109998Smarkm 2057280297Sjkim unencbufsize = 2 * authentp->length; 2058280297Sjkim if ((unenc_authent = calloc(1, unencbufsize)) == NULL) { 2059280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2060280297Sjkim "Unable to allocate authenticator buffer.\n"); 2061280297Sjkim krb5rc = KRB5KRB_ERR_GENERIC; 2062280297Sjkim goto err; 2063280297Sjkim } 2064109998Smarkm 2065280297Sjkim p = (unsigned char *)authentp->data; 2066280297Sjkim if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p, 2067280297Sjkim (long)authentp->length)) == NULL) { 2068280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2069280297Sjkim "Error decoding authenticator.\n"); 2070280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2071280297Sjkim goto err; 2072280297Sjkim } 2073109998Smarkm 2074280297Sjkim enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */ 2075280297Sjkim# if !defined(KRB5_MIT_OLD11) 2076280297Sjkim switch (enctype) { 2077280297Sjkim case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ 2078280297Sjkim case ENCTYPE_DES3_CBC_SHA: 2079280297Sjkim case ENCTYPE_DES3_CBC_RAW: 2080280297Sjkim krb5rc = 0; /* Skip, can't handle derived keys */ 2081280297Sjkim goto err; 2082280297Sjkim } 2083280297Sjkim# endif 2084280297Sjkim enc = kssl_map_enc(enctype); 2085280297Sjkim memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2086109998Smarkm 2087280297Sjkim if (enc == NULL) { 2088280297Sjkim /* 2089280297Sjkim * Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1. This 2090280297Sjkim * enctype indicates the authenticator was encrypted using key-usage 2091280297Sjkim * derived keys which openssl cannot decrypt. 2092280297Sjkim */ 2093280297Sjkim goto err; 2094280297Sjkim } 2095109998Smarkm 2096280297Sjkim if (!EVP_CipherInit(&ciph_ctx, enc, kssl_ctx->key, iv, 0)) { 2097280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2098280297Sjkim "EVP_CipherInit error decrypting authenticator.\n"); 2099280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2100280297Sjkim goto err; 2101280297Sjkim } 2102280297Sjkim outl = dec_authent->cipher->length; 2103280297Sjkim if (!EVP_Cipher 2104280297Sjkim (&ciph_ctx, unenc_authent, dec_authent->cipher->data, outl)) { 2105280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2106280297Sjkim "EVP_Cipher error decrypting authenticator.\n"); 2107280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2108280297Sjkim goto err; 2109280297Sjkim } 2110280297Sjkim EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2111109998Smarkm 2112280297Sjkim# ifdef KSSL_DEBUG 2113280297Sjkim { 2114280297Sjkim int padl; 2115280297Sjkim fprintf(stderr, "kssl_check_authent: decrypted authenticator[%d] =\n", 2116280297Sjkim outl); 2117280297Sjkim for (padl = 0; padl < outl; padl++) 2118280297Sjkim fprintf(stderr, "%02x ", unenc_authent[padl]); 2119280297Sjkim fprintf(stderr, "\n"); 2120280297Sjkim } 2121280297Sjkim# endif /* KSSL_DEBUG */ 2122109998Smarkm 2123280297Sjkim if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) { 2124280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2125280297Sjkim "confounded by authenticator.\n"); 2126280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2127280297Sjkim goto err; 2128280297Sjkim } 2129280297Sjkim outl -= p - unenc_authent; 2130109998Smarkm 2131280297Sjkim if ((auth = (KRB5_AUTHENTBODY *)d2i_KRB5_AUTHENT(NULL, &p, 2132280297Sjkim (long)outl)) == NULL) { 2133280297Sjkim kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2134280297Sjkim "Error decoding authenticator body.\n"); 2135280297Sjkim krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2136280297Sjkim goto err; 2137280297Sjkim } 2138109998Smarkm 2139280297Sjkim memset(&tm_time, 0, sizeof(struct tm)); 2140280297Sjkim if (k_gmtime(auth->ctime, &tm_time) && 2141280297Sjkim ((tr = mktime(&tm_time)) != (time_t)(-1))) { 2142280297Sjkim now = time(&now); 2143280297Sjkim tm_l = localtime(&now); 2144280297Sjkim tl = mktime(tm_l); 2145280297Sjkim tm_g = gmtime(&now); 2146280297Sjkim tg = mktime(tm_g); 2147280297Sjkim tz_offset = tg - tl; 2148109998Smarkm 2149280297Sjkim *atimep = (krb5_timestamp)(tr - tz_offset); 2150280297Sjkim } 2151280297Sjkim# ifdef KSSL_DEBUG 2152280297Sjkim fprintf(stderr, "kssl_check_authent: returns %d for client time ", 2153280297Sjkim *atimep); 2154280297Sjkim if (auth && auth->ctime && auth->ctime->length && auth->ctime->data) 2155280297Sjkim fprintf(stderr, "%.*s\n", auth->ctime->length, auth->ctime->data); 2156280297Sjkim else 2157280297Sjkim fprintf(stderr, "NULL\n"); 2158280297Sjkim# endif /* KSSL_DEBUG */ 2159109998Smarkm 2160109998Smarkm err: 2161280297Sjkim if (auth) 2162280297Sjkim KRB5_AUTHENT_free((KRB5_AUTHENT *) auth); 2163280297Sjkim if (dec_authent) 2164280297Sjkim KRB5_ENCDATA_free(dec_authent); 2165280297Sjkim if (unenc_authent) 2166280297Sjkim free(unenc_authent); 2167280297Sjkim EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2168280297Sjkim return krb5rc; 2169280297Sjkim} 2170109998Smarkm 2171280297Sjkim/* 2172280297Sjkim * Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host), 2173280297Sjkim * because I don't know how to stub varargs. Returns krb5_error_code == 2174280297Sjkim * ENOMEM on alloc error, otherwise passes back newly constructed principal, 2175280297Sjkim * which should be freed by caller. 2176280297Sjkim */ 2177280297Sjkimkrb5_error_code kssl_build_principal_2( 2178280297Sjkim /* 2179280297Sjkim * UPDATE 2180280297Sjkim */ krb5_context context, 2181280297Sjkim /* 2182280297Sjkim * OUT 2183280297Sjkim */ krb5_principal *princ, 2184280297Sjkim /* 2185280297Sjkim * IN 2186280297Sjkim */ int rlen, const char *realm, 2187280297Sjkim /* 2188280297Sjkim * IN 2189280297Sjkim */ int slen, const char *svc, 2190280297Sjkim /* 2191280297Sjkim * IN 2192280297Sjkim */ int hlen, const char *host) 2193280297Sjkim{ 2194280297Sjkim krb5_data *p_data = NULL; 2195280297Sjkim krb5_principal new_p = NULL; 2196280297Sjkim char *new_r = NULL; 2197109998Smarkm 2198280297Sjkim if ((p_data = (krb5_data *)calloc(2, sizeof(krb5_data))) == NULL || 2199280297Sjkim (new_p = (krb5_principal)calloc(1, sizeof(krb5_principal_data))) 2200280297Sjkim == NULL) 2201280297Sjkim goto err; 2202280297Sjkim new_p->length = 2; 2203280297Sjkim new_p->data = p_data; 2204109998Smarkm 2205280297Sjkim if ((new_r = calloc(1, rlen + 1)) == NULL) 2206280297Sjkim goto err; 2207280297Sjkim memcpy(new_r, realm, rlen); 2208280297Sjkim krb5_princ_set_realm_length(context, new_p, rlen); 2209280297Sjkim krb5_princ_set_realm_data(context, new_p, new_r); 2210109998Smarkm 2211280297Sjkim if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) 2212280297Sjkim goto err; 2213280297Sjkim memcpy(new_p->data[0].data, svc, slen); 2214280297Sjkim new_p->data[0].length = slen; 2215109998Smarkm 2216280297Sjkim if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) 2217280297Sjkim goto err; 2218280297Sjkim memcpy(new_p->data[1].data, host, hlen); 2219280297Sjkim new_p->data[1].length = hlen; 2220109998Smarkm 2221280297Sjkim krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN; 2222280297Sjkim *princ = new_p; 2223280297Sjkim return 0; 2224109998Smarkm 2225109998Smarkm err: 2226280297Sjkim if (new_p && new_p[0].data) 2227280297Sjkim free(new_p[0].data); 2228280297Sjkim if (new_p && new_p[1].data) 2229280297Sjkim free(new_p[1].data); 2230280297Sjkim if (new_p) 2231280297Sjkim free(new_p); 2232280297Sjkim if (new_r) 2233280297Sjkim free(new_r); 2234280297Sjkim return ENOMEM; 2235280297Sjkim} 2236109998Smarkm 2237238405Sjkimvoid SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx) 2238280297Sjkim{ 2239280297Sjkim s->kssl_ctx = kctx; 2240280297Sjkim} 2241109998Smarkm 2242280297SjkimKSSL_CTX *SSL_get0_kssl_ctx(SSL *s) 2243280297Sjkim{ 2244280297Sjkim return s->kssl_ctx; 2245280297Sjkim} 2246238405Sjkim 2247238405Sjkimchar *kssl_ctx_get0_client_princ(KSSL_CTX *kctx) 2248280297Sjkim{ 2249280297Sjkim if (kctx) 2250280297Sjkim return kctx->client_princ; 2251280297Sjkim return NULL; 2252280297Sjkim} 2253238405Sjkim 2254280297Sjkim#else /* !OPENSSL_NO_KRB5 */ 2255109998Smarkm 2256280297Sjkim# if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS) 2257280297Sjkimstatic void *dummy = &dummy; 2258280297Sjkim# endif 2259109998Smarkm 2260280297Sjkim#endif /* !OPENSSL_NO_KRB5 */ 2261