1109998Smarkm/* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */ 2296341Sdelphij/* 3296341Sdelphij * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 4296341Sdelphij * 2000. 5109998Smarkm */ 6109998Smarkm/* ==================================================================== 7109998Smarkm * Copyright (c) 2000 The OpenSSL Project. All rights reserved. 8109998Smarkm * 9109998Smarkm * Redistribution and use in source and binary forms, with or without 10109998Smarkm * modification, are permitted provided that the following conditions 11109998Smarkm * are met: 12109998Smarkm * 13109998Smarkm * 1. Redistributions of source code must retain the above copyright 14296341Sdelphij * notice, this list of conditions and the following disclaimer. 15109998Smarkm * 16109998Smarkm * 2. Redistributions in binary form must reproduce the above copyright 17109998Smarkm * notice, this list of conditions and the following disclaimer in 18109998Smarkm * the documentation and/or other materials provided with the 19109998Smarkm * distribution. 20109998Smarkm * 21109998Smarkm * 3. All advertising materials mentioning features or use of this 22109998Smarkm * software must display the following acknowledgment: 23109998Smarkm * "This product includes software developed by the OpenSSL Project 24109998Smarkm * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25109998Smarkm * 26109998Smarkm * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27109998Smarkm * endorse or promote products derived from this software without 28109998Smarkm * prior written permission. For written permission, please contact 29109998Smarkm * licensing@OpenSSL.org. 30109998Smarkm * 31109998Smarkm * 5. Products derived from this software may not be called "OpenSSL" 32109998Smarkm * nor may "OpenSSL" appear in their names without prior written 33109998Smarkm * permission of the OpenSSL Project. 34109998Smarkm * 35109998Smarkm * 6. Redistributions of any form whatsoever must retain the following 36109998Smarkm * acknowledgment: 37109998Smarkm * "This product includes software developed by the OpenSSL Project 38109998Smarkm * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39109998Smarkm * 40109998Smarkm * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41109998Smarkm * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42109998Smarkm * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43109998Smarkm * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44109998Smarkm * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45109998Smarkm * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46109998Smarkm * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47109998Smarkm * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48109998Smarkm * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49109998Smarkm * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50109998Smarkm * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51109998Smarkm * OF THE POSSIBILITY OF SUCH DAMAGE. 52109998Smarkm * ==================================================================== 53109998Smarkm * 54109998Smarkm * This product includes cryptographic software written by Eric Young 55109998Smarkm * (eay@cryptsoft.com). This product includes software written by Tim 56109998Smarkm * Hudson (tjh@cryptsoft.com). 57109998Smarkm * 58109998Smarkm */ 59109998Smarkm 60296341Sdelphij/*- 61296341Sdelphij * ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl 62296341Sdelphij * 63296341Sdelphij * 19990701 VRS Started. 64296341Sdelphij * 200011?? Jeffrey Altman, Richard Levitte 65296341Sdelphij * Generalized for Heimdal, Newer MIT, & Win32. 66296341Sdelphij * Integrated into main OpenSSL 0.9.7 snapshots. 67296341Sdelphij * 20010413 Simon Wilkinson, VRS 68296341Sdelphij * Real RFC2712 KerberosWrapper replaces AP_REQ. 69296341Sdelphij */ 70109998Smarkm 71109998Smarkm#include <openssl/opensslconf.h> 72109998Smarkm 73109998Smarkm#include <string.h> 74109998Smarkm 75296341Sdelphij#define KRB5_PRIVATE 1 76160814Ssimon 77109998Smarkm#include <openssl/ssl.h> 78109998Smarkm#include <openssl/evp.h> 79109998Smarkm#include <openssl/objects.h> 80109998Smarkm#include <openssl/krb5_asn.h> 81238405Sjkim#include "kssl_lcl.h" 82109998Smarkm 83109998Smarkm#ifndef OPENSSL_NO_KRB5 84109998Smarkm 85296341Sdelphij# ifndef ENOMEM 86296341Sdelphij# define ENOMEM KRB5KRB_ERR_GENERIC 87296341Sdelphij# endif 88160814Ssimon 89296341Sdelphij/* 90109998Smarkm * When OpenSSL is built on Windows, we do not want to require that 91109998Smarkm * the Kerberos DLLs be available in order for the OpenSSL DLLs to 92109998Smarkm * work. Therefore, all Kerberos routines are loaded at run time 93109998Smarkm * and we do not link to a .LIB file. 94109998Smarkm */ 95109998Smarkm 96296341Sdelphij# if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) 97296341Sdelphij/* 98109998Smarkm * The purpose of the following pre-processor statements is to provide 99109998Smarkm * compatibility with different releases of MIT Kerberos for Windows. 100109998Smarkm * All versions up to 1.2 used macros. But macros do not allow for 101109998Smarkm * a binary compatible interface for DLLs. Therefore, all macros are 102109998Smarkm * being replaced by function calls. The following code will allow 103109998Smarkm * an OpenSSL DLL built on Windows to work whether or not the macro 104109998Smarkm * or function form of the routines are utilized. 105109998Smarkm */ 106296341Sdelphij# ifdef krb5_cc_get_principal 107296341Sdelphij# define NO_DEF_KRB5_CCACHE 108296341Sdelphij# undef krb5_cc_get_principal 109296341Sdelphij# endif 110296341Sdelphij# define krb5_cc_get_principal kssl_krb5_cc_get_principal 111109998Smarkm 112296341Sdelphij# define krb5_free_data_contents kssl_krb5_free_data_contents 113296341Sdelphij# define krb5_free_context kssl_krb5_free_context 114296341Sdelphij# define krb5_auth_con_free kssl_krb5_auth_con_free 115296341Sdelphij# define krb5_free_principal kssl_krb5_free_principal 116296341Sdelphij# define krb5_mk_req_extended kssl_krb5_mk_req_extended 117296341Sdelphij# define krb5_get_credentials kssl_krb5_get_credentials 118296341Sdelphij# define krb5_cc_default kssl_krb5_cc_default 119296341Sdelphij# define krb5_sname_to_principal kssl_krb5_sname_to_principal 120296341Sdelphij# define krb5_init_context kssl_krb5_init_context 121296341Sdelphij# define krb5_free_ticket kssl_krb5_free_ticket 122296341Sdelphij# define krb5_rd_req kssl_krb5_rd_req 123296341Sdelphij# define krb5_kt_default kssl_krb5_kt_default 124296341Sdelphij# define krb5_kt_resolve kssl_krb5_kt_resolve 125109998Smarkm/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */ 126296341Sdelphij# ifndef krb5_kt_close 127296341Sdelphij# define krb5_kt_close kssl_krb5_kt_close 128296341Sdelphij# endif /* krb5_kt_close */ 129296341Sdelphij# ifndef krb5_kt_get_entry 130296341Sdelphij# define krb5_kt_get_entry kssl_krb5_kt_get_entry 131296341Sdelphij# endif /* krb5_kt_get_entry */ 132296341Sdelphij# define krb5_auth_con_init kssl_krb5_auth_con_init 133109998Smarkm 134296341Sdelphij# define krb5_principal_compare kssl_krb5_principal_compare 135296341Sdelphij# define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part 136296341Sdelphij# define krb5_timeofday kssl_krb5_timeofday 137296341Sdelphij# define krb5_rc_default kssl_krb5_rc_default 138109998Smarkm 139296341Sdelphij# ifdef krb5_rc_initialize 140296341Sdelphij# undef krb5_rc_initialize 141296341Sdelphij# endif 142296341Sdelphij# define krb5_rc_initialize kssl_krb5_rc_initialize 143109998Smarkm 144296341Sdelphij# ifdef krb5_rc_get_lifespan 145296341Sdelphij# undef krb5_rc_get_lifespan 146296341Sdelphij# endif 147296341Sdelphij# define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan 148109998Smarkm 149296341Sdelphij# ifdef krb5_rc_destroy 150296341Sdelphij# undef krb5_rc_destroy 151296341Sdelphij# endif 152296341Sdelphij# define krb5_rc_destroy kssl_krb5_rc_destroy 153109998Smarkm 154296341Sdelphij# define valid_cksumtype kssl_valid_cksumtype 155296341Sdelphij# define krb5_checksum_size kssl_krb5_checksum_size 156296341Sdelphij# define krb5_kt_free_entry kssl_krb5_kt_free_entry 157296341Sdelphij# define krb5_auth_con_setrcache kssl_krb5_auth_con_setrcache 158296341Sdelphij# define krb5_auth_con_getrcache kssl_krb5_auth_con_getrcache 159296341Sdelphij# define krb5_get_server_rcache kssl_krb5_get_server_rcache 160109998Smarkm 161109998Smarkm/* Prototypes for built in stubs */ 162109998Smarkmvoid kssl_krb5_free_data_contents(krb5_context, krb5_data *); 163296341Sdelphijvoid kssl_krb5_free_principal(krb5_context, krb5_principal); 164109998Smarkmkrb5_error_code kssl_krb5_kt_resolve(krb5_context, 165296341Sdelphij krb5_const char *, krb5_keytab *); 166296341Sdelphijkrb5_error_code kssl_krb5_kt_default(krb5_context, krb5_keytab *); 167109998Smarkmkrb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *); 168296341Sdelphijkrb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, 169109998Smarkm krb5_const krb5_data *, 170296341Sdelphij krb5_const_principal, krb5_keytab, 171296341Sdelphij krb5_flags *, krb5_ticket **); 172109998Smarkm 173109998Smarkmkrb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal, 174109998Smarkm krb5_const_principal); 175109998Smarkmkrb5_error_code kssl_krb5_mk_req_extended(krb5_context, 176296341Sdelphij krb5_auth_context *, 177109998Smarkm krb5_const krb5_flags, 178296341Sdelphij krb5_data *, 179296341Sdelphij krb5_creds *, krb5_data *); 180109998Smarkmkrb5_error_code kssl_krb5_init_context(krb5_context *); 181109998Smarkmvoid kssl_krb5_free_context(krb5_context); 182296341Sdelphijkrb5_error_code kssl_krb5_cc_default(krb5_context, krb5_ccache *); 183109998Smarkmkrb5_error_code kssl_krb5_sname_to_principal(krb5_context, 184296341Sdelphij krb5_const char *, 185296341Sdelphij krb5_const char *, 186296341Sdelphij krb5_int32, krb5_principal *); 187109998Smarkmkrb5_error_code kssl_krb5_get_credentials(krb5_context, 188109998Smarkm krb5_const krb5_flags, 189109998Smarkm krb5_ccache, 190296341Sdelphij krb5_creds *, krb5_creds * *); 191296341Sdelphijkrb5_error_code kssl_krb5_auth_con_init(krb5_context, krb5_auth_context *); 192296341Sdelphijkrb5_error_code kssl_krb5_cc_get_principal(krb5_context context, 193109998Smarkm krb5_ccache cache, 194109998Smarkm krb5_principal *principal); 195296341Sdelphijkrb5_error_code kssl_krb5_auth_con_free(krb5_context, krb5_auth_context); 196296341Sdelphijsize_t kssl_krb5_checksum_size(krb5_context context, krb5_cksumtype ctype); 197109998Smarkmkrb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype); 198296341Sdelphijkrb5_error_code krb5_kt_free_entry(krb5_context, krb5_keytab_entry FAR *); 199296341Sdelphijkrb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, 200296341Sdelphij krb5_auth_context, krb5_rcache); 201296341Sdelphijkrb5_error_code kssl_krb5_get_server_rcache(krb5_context, 202109998Smarkm krb5_const krb5_data *, 203109998Smarkm krb5_rcache *); 204296341Sdelphijkrb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, 205109998Smarkm krb5_auth_context, 206109998Smarkm krb5_rcache *); 207109998Smarkm 208109998Smarkm/* Function pointers (almost all Kerberos functions are _stdcall) */ 209296341Sdelphijstatic void (_stdcall *p_krb5_free_data_contents) (krb5_context, krb5_data *) 210296341Sdelphij = NULL; 211296341Sdelphijstatic void (_stdcall *p_krb5_free_principal) (krb5_context, krb5_principal) 212296341Sdelphij = NULL; 213109998Smarkmstatic krb5_error_code(_stdcall *p_krb5_kt_resolve) 214296341Sdelphij (krb5_context, krb5_const char *, krb5_keytab *) = NULL; 215296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_kt_default) (krb5_context, 216296341Sdelphij krb5_keytab *) = NULL; 217296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_free_ticket) (krb5_context, 218296341Sdelphij krb5_ticket *) = NULL; 219296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_rd_req) (krb5_context, 220296341Sdelphij krb5_auth_context *, 221109998Smarkm krb5_const krb5_data *, 222296341Sdelphij krb5_const_principal, 223109998Smarkm krb5_keytab, krb5_flags *, 224296341Sdelphij krb5_ticket **) = NULL; 225296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_mk_req_extended) 226296341Sdelphij (krb5_context, krb5_auth_context *, 227296341Sdelphij krb5_const krb5_flags, krb5_data *, krb5_creds *, krb5_data *) = NULL; 228296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_init_context) (krb5_context *) = NULL; 229296341Sdelphijstatic void (_stdcall *p_krb5_free_context) (krb5_context) = NULL; 230296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_cc_default) (krb5_context, 231296341Sdelphij krb5_ccache *) = NULL; 232296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_sname_to_principal) 233296341Sdelphij (krb5_context, krb5_const char *, krb5_const char *, 234296341Sdelphij krb5_int32, krb5_principal *) = NULL; 235296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_get_credentials) 236296341Sdelphij (krb5_context, krb5_const krb5_flags, krb5_ccache, 237296341Sdelphij krb5_creds *, krb5_creds **) = NULL; 238296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_auth_con_init) 239296341Sdelphij (krb5_context, krb5_auth_context *) = NULL; 240296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_cc_get_principal) 241296341Sdelphij (krb5_context context, krb5_ccache cache, krb5_principal *principal) = NULL; 242296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_auth_con_free) 243296341Sdelphij (krb5_context, krb5_auth_context) = NULL; 244296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_decrypt_tkt_part) 245296341Sdelphij (krb5_context, krb5_const krb5_keyblock *, krb5_ticket *) = NULL; 246296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_timeofday) 247296341Sdelphij (krb5_context context, krb5_int32 *timeret) = NULL; 248296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_rc_default) 249296341Sdelphij (krb5_context context, krb5_rcache *rc) = NULL; 250296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_rc_initialize) 251296341Sdelphij (krb5_context context, krb5_rcache rc, krb5_deltat lifespan) = NULL; 252296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_rc_get_lifespan) 253296341Sdelphij (krb5_context context, krb5_rcache rc, krb5_deltat *lifespan) = NULL; 254296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_rc_destroy) 255296341Sdelphij (krb5_context context, krb5_rcache rc) = NULL; 256296341Sdelphijstatic krb5_boolean(_stdcall *p_krb5_principal_compare) 257296341Sdelphij (krb5_context, krb5_const_principal, krb5_const_principal) = NULL; 258296341Sdelphijstatic size_t (_stdcall *p_krb5_checksum_size) (krb5_context context, 259296341Sdelphij krb5_cksumtype ctype) = NULL; 260296341Sdelphijstatic krb5_boolean(_stdcall *p_valid_cksumtype) (krb5_cksumtype ctype) = 261296341Sdelphij NULL; 262296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_kt_free_entry) 263296341Sdelphij (krb5_context, krb5_keytab_entry *) = NULL; 264296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_auth_con_setrcache) (krb5_context, 265296341Sdelphij krb5_auth_context, 266296341Sdelphij krb5_rcache) = 267296341Sdelphij NULL; 268296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_get_server_rcache) (krb5_context, 269296341Sdelphij krb5_const 270296341Sdelphij krb5_data *, 271296341Sdelphij krb5_rcache *) = 272296341Sdelphij NULL; 273296341Sdelphijstatic krb5_error_code(*p_krb5_auth_con_getrcache) (krb5_context, 274296341Sdelphij krb5_auth_context, 275296341Sdelphij krb5_rcache *) = NULL; 276296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_kt_close) (krb5_context context, 277296341Sdelphij krb5_keytab keytab) = NULL; 278296341Sdelphijstatic krb5_error_code(_stdcall *p_krb5_kt_get_entry) (krb5_context context, 279296341Sdelphij krb5_keytab keytab, 280296341Sdelphij krb5_const_principal 281296341Sdelphij principal, 282296341Sdelphij krb5_kvno vno, 283296341Sdelphij krb5_enctype enctype, 284296341Sdelphij krb5_keytab_entry 285296341Sdelphij *entry) = NULL; 286109998Smarkmstatic int krb5_loaded = 0; /* only attempt to initialize func ptrs once */ 287109998Smarkm 288109998Smarkm/* Function to Load the Kerberos 5 DLL and initialize function pointers */ 289296341Sdelphijvoid load_krb5_dll(void) 290296341Sdelphij{ 291296341Sdelphij HANDLE hKRB5_32; 292109998Smarkm 293296341Sdelphij krb5_loaded++; 294296341Sdelphij hKRB5_32 = LoadLibrary(TEXT("KRB5_32")); 295296341Sdelphij if (!hKRB5_32) 296296341Sdelphij return; 297109998Smarkm 298296341Sdelphij (FARPROC) p_krb5_free_data_contents = 299296341Sdelphij GetProcAddress(hKRB5_32, "krb5_free_data_contents"); 300296341Sdelphij (FARPROC) p_krb5_free_context = 301296341Sdelphij GetProcAddress(hKRB5_32, "krb5_free_context"); 302296341Sdelphij (FARPROC) p_krb5_auth_con_free = 303296341Sdelphij GetProcAddress(hKRB5_32, "krb5_auth_con_free"); 304296341Sdelphij (FARPROC) p_krb5_free_principal = 305296341Sdelphij GetProcAddress(hKRB5_32, "krb5_free_principal"); 306296341Sdelphij (FARPROC) p_krb5_mk_req_extended = 307296341Sdelphij GetProcAddress(hKRB5_32, "krb5_mk_req_extended"); 308296341Sdelphij (FARPROC) p_krb5_get_credentials = 309296341Sdelphij GetProcAddress(hKRB5_32, "krb5_get_credentials"); 310296341Sdelphij (FARPROC) p_krb5_cc_get_principal = 311296341Sdelphij GetProcAddress(hKRB5_32, "krb5_cc_get_principal"); 312296341Sdelphij (FARPROC) p_krb5_cc_default = GetProcAddress(hKRB5_32, "krb5_cc_default"); 313296341Sdelphij (FARPROC) p_krb5_sname_to_principal = 314296341Sdelphij GetProcAddress(hKRB5_32, "krb5_sname_to_principal"); 315296341Sdelphij (FARPROC) p_krb5_init_context = 316296341Sdelphij GetProcAddress(hKRB5_32, "krb5_init_context"); 317296341Sdelphij (FARPROC) p_krb5_free_ticket = 318296341Sdelphij GetProcAddress(hKRB5_32, "krb5_free_ticket"); 319296341Sdelphij (FARPROC) p_krb5_rd_req = GetProcAddress(hKRB5_32, "krb5_rd_req"); 320296341Sdelphij (FARPROC) p_krb5_principal_compare = 321296341Sdelphij GetProcAddress(hKRB5_32, "krb5_principal_compare"); 322296341Sdelphij (FARPROC) p_krb5_decrypt_tkt_part = 323296341Sdelphij GetProcAddress(hKRB5_32, "krb5_decrypt_tkt_part"); 324296341Sdelphij (FARPROC) p_krb5_timeofday = GetProcAddress(hKRB5_32, "krb5_timeofday"); 325296341Sdelphij (FARPROC) p_krb5_rc_default = GetProcAddress(hKRB5_32, "krb5_rc_default"); 326296341Sdelphij (FARPROC) p_krb5_rc_initialize = 327296341Sdelphij GetProcAddress(hKRB5_32, "krb5_rc_initialize"); 328296341Sdelphij (FARPROC) p_krb5_rc_get_lifespan = 329296341Sdelphij GetProcAddress(hKRB5_32, "krb5_rc_get_lifespan"); 330296341Sdelphij (FARPROC) p_krb5_rc_destroy = GetProcAddress(hKRB5_32, "krb5_rc_destroy"); 331296341Sdelphij (FARPROC) p_krb5_kt_default = GetProcAddress(hKRB5_32, "krb5_kt_default"); 332296341Sdelphij (FARPROC) p_krb5_kt_resolve = GetProcAddress(hKRB5_32, "krb5_kt_resolve"); 333296341Sdelphij (FARPROC) p_krb5_auth_con_init = 334296341Sdelphij GetProcAddress(hKRB5_32, "krb5_auth_con_init"); 335296341Sdelphij (FARPROC) p_valid_cksumtype = GetProcAddress(hKRB5_32, "valid_cksumtype"); 336296341Sdelphij (FARPROC) p_krb5_checksum_size = 337296341Sdelphij GetProcAddress(hKRB5_32, "krb5_checksum_size"); 338296341Sdelphij (FARPROC) p_krb5_kt_free_entry = 339296341Sdelphij GetProcAddress(hKRB5_32, "krb5_kt_free_entry"); 340296341Sdelphij (FARPROC) p_krb5_auth_con_setrcache = 341296341Sdelphij GetProcAddress(hKRB5_32, "krb5_auth_con_setrcache"); 342296341Sdelphij (FARPROC) p_krb5_get_server_rcache = 343296341Sdelphij GetProcAddress(hKRB5_32, "krb5_get_server_rcache"); 344296341Sdelphij (FARPROC) p_krb5_auth_con_getrcache = 345296341Sdelphij GetProcAddress(hKRB5_32, "krb5_auth_con_getrcache"); 346296341Sdelphij (FARPROC) p_krb5_kt_close = GetProcAddress(hKRB5_32, "krb5_kt_close"); 347296341Sdelphij (FARPROC) p_krb5_kt_get_entry = 348296341Sdelphij GetProcAddress(hKRB5_32, "krb5_kt_get_entry"); 349296341Sdelphij} 350296341Sdelphij 351109998Smarkm/* Stubs for each function to be dynamicly loaded */ 352296341Sdelphijvoid kssl_krb5_free_data_contents(krb5_context CO, krb5_data *data) 353296341Sdelphij{ 354296341Sdelphij if (!krb5_loaded) 355296341Sdelphij load_krb5_dll(); 356109998Smarkm 357296341Sdelphij if (p_krb5_free_data_contents) 358296341Sdelphij p_krb5_free_data_contents(CO, data); 359296341Sdelphij} 360109998Smarkm 361109998Smarkmkrb5_error_code 362296341Sdelphijkssl_krb5_mk_req_extended(krb5_context CO, 363296341Sdelphij krb5_auth_context *pACO, 364109998Smarkm krb5_const krb5_flags F, 365296341Sdelphij krb5_data *pD1, krb5_creds *pC, krb5_data *pD2) 366296341Sdelphij{ 367296341Sdelphij if (!krb5_loaded) 368296341Sdelphij load_krb5_dll(); 369109998Smarkm 370296341Sdelphij if (p_krb5_mk_req_extended) 371296341Sdelphij return (p_krb5_mk_req_extended(CO, pACO, F, pD1, pC, pD2)); 372296341Sdelphij else 373296341Sdelphij return KRB5KRB_ERR_GENERIC; 374296341Sdelphij} 375296341Sdelphij 376109998Smarkmkrb5_error_code 377296341Sdelphijkssl_krb5_auth_con_init(krb5_context CO, krb5_auth_context *pACO) 378296341Sdelphij{ 379296341Sdelphij if (!krb5_loaded) 380296341Sdelphij load_krb5_dll(); 381109998Smarkm 382296341Sdelphij if (p_krb5_auth_con_init) 383296341Sdelphij return (p_krb5_auth_con_init(CO, pACO)); 384296341Sdelphij else 385296341Sdelphij return KRB5KRB_ERR_GENERIC; 386296341Sdelphij} 387296341Sdelphij 388109998Smarkmkrb5_error_code 389296341Sdelphijkssl_krb5_auth_con_free(krb5_context CO, krb5_auth_context ACO) 390296341Sdelphij{ 391296341Sdelphij if (!krb5_loaded) 392296341Sdelphij load_krb5_dll(); 393109998Smarkm 394296341Sdelphij if (p_krb5_auth_con_free) 395296341Sdelphij return (p_krb5_auth_con_free(CO, ACO)); 396296341Sdelphij else 397296341Sdelphij return KRB5KRB_ERR_GENERIC; 398296341Sdelphij} 399296341Sdelphij 400109998Smarkmkrb5_error_code 401109998Smarkmkssl_krb5_get_credentials(krb5_context CO, 402296341Sdelphij krb5_const krb5_flags F, 403296341Sdelphij krb5_ccache CC, krb5_creds *pCR, krb5_creds **ppCR) 404296341Sdelphij{ 405296341Sdelphij if (!krb5_loaded) 406296341Sdelphij load_krb5_dll(); 407109998Smarkm 408296341Sdelphij if (p_krb5_get_credentials) 409296341Sdelphij return (p_krb5_get_credentials(CO, F, CC, pCR, ppCR)); 410296341Sdelphij else 411296341Sdelphij return KRB5KRB_ERR_GENERIC; 412296341Sdelphij} 413296341Sdelphij 414109998Smarkmkrb5_error_code 415109998Smarkmkssl_krb5_sname_to_principal(krb5_context CO, 416296341Sdelphij krb5_const char *pC1, 417296341Sdelphij krb5_const char *pC2, 418296341Sdelphij krb5_int32 I, krb5_principal *pPR) 419296341Sdelphij{ 420296341Sdelphij if (!krb5_loaded) 421296341Sdelphij load_krb5_dll(); 422109998Smarkm 423296341Sdelphij if (p_krb5_sname_to_principal) 424296341Sdelphij return (p_krb5_sname_to_principal(CO, pC1, pC2, I, pPR)); 425296341Sdelphij else 426296341Sdelphij return KRB5KRB_ERR_GENERIC; 427296341Sdelphij} 428109998Smarkm 429296341Sdelphijkrb5_error_code kssl_krb5_cc_default(krb5_context CO, krb5_ccache *pCC) 430296341Sdelphij{ 431296341Sdelphij if (!krb5_loaded) 432296341Sdelphij load_krb5_dll(); 433109998Smarkm 434296341Sdelphij if (p_krb5_cc_default) 435296341Sdelphij return (p_krb5_cc_default(CO, pCC)); 436296341Sdelphij else 437296341Sdelphij return KRB5KRB_ERR_GENERIC; 438296341Sdelphij} 439109998Smarkm 440296341Sdelphijkrb5_error_code kssl_krb5_init_context(krb5_context *pCO) 441296341Sdelphij{ 442296341Sdelphij if (!krb5_loaded) 443296341Sdelphij load_krb5_dll(); 444109998Smarkm 445296341Sdelphij if (p_krb5_init_context) 446296341Sdelphij return (p_krb5_init_context(pCO)); 447296341Sdelphij else 448296341Sdelphij return KRB5KRB_ERR_GENERIC; 449296341Sdelphij} 450109998Smarkm 451296341Sdelphijvoid kssl_krb5_free_context(krb5_context CO) 452296341Sdelphij{ 453296341Sdelphij if (!krb5_loaded) 454296341Sdelphij load_krb5_dll(); 455109998Smarkm 456296341Sdelphij if (p_krb5_free_context) 457296341Sdelphij p_krb5_free_context(CO); 458296341Sdelphij} 459109998Smarkm 460296341Sdelphijvoid kssl_krb5_free_principal(krb5_context c, krb5_principal p) 461296341Sdelphij{ 462296341Sdelphij if (!krb5_loaded) 463296341Sdelphij load_krb5_dll(); 464109998Smarkm 465296341Sdelphij if (p_krb5_free_principal) 466296341Sdelphij p_krb5_free_principal(c, p); 467296341Sdelphij} 468109998Smarkm 469109998Smarkmkrb5_error_code 470296341Sdelphijkssl_krb5_kt_resolve(krb5_context con, krb5_const char *sz, krb5_keytab *kt) 471296341Sdelphij{ 472296341Sdelphij if (!krb5_loaded) 473296341Sdelphij load_krb5_dll(); 474109998Smarkm 475296341Sdelphij if (p_krb5_kt_resolve) 476296341Sdelphij return (p_krb5_kt_resolve(con, sz, kt)); 477296341Sdelphij else 478296341Sdelphij return KRB5KRB_ERR_GENERIC; 479296341Sdelphij} 480109998Smarkm 481296341Sdelphijkrb5_error_code kssl_krb5_kt_default(krb5_context con, krb5_keytab *kt) 482296341Sdelphij{ 483296341Sdelphij if (!krb5_loaded) 484296341Sdelphij load_krb5_dll(); 485109998Smarkm 486296341Sdelphij if (p_krb5_kt_default) 487296341Sdelphij return (p_krb5_kt_default(con, kt)); 488296341Sdelphij else 489296341Sdelphij return KRB5KRB_ERR_GENERIC; 490296341Sdelphij} 491109998Smarkm 492296341Sdelphijkrb5_error_code kssl_krb5_free_ticket(krb5_context con, krb5_ticket *kt) 493296341Sdelphij{ 494296341Sdelphij if (!krb5_loaded) 495296341Sdelphij load_krb5_dll(); 496109998Smarkm 497296341Sdelphij if (p_krb5_free_ticket) 498296341Sdelphij return (p_krb5_free_ticket(con, kt)); 499296341Sdelphij else 500296341Sdelphij return KRB5KRB_ERR_GENERIC; 501296341Sdelphij} 502109998Smarkm 503109998Smarkmkrb5_error_code 504296341Sdelphijkssl_krb5_rd_req(krb5_context con, krb5_auth_context *pacon, 505296341Sdelphij krb5_const krb5_data *data, 506296341Sdelphij krb5_const_principal princ, krb5_keytab keytab, 507296341Sdelphij krb5_flags *flags, krb5_ticket **pptkt) 508296341Sdelphij{ 509296341Sdelphij if (!krb5_loaded) 510296341Sdelphij load_krb5_dll(); 511109998Smarkm 512296341Sdelphij if (p_krb5_rd_req) 513296341Sdelphij return (p_krb5_rd_req(con, pacon, data, princ, keytab, flags, pptkt)); 514296341Sdelphij else 515296341Sdelphij return KRB5KRB_ERR_GENERIC; 516296341Sdelphij} 517109998Smarkm 518109998Smarkmkrb5_boolean 519109998Smarkmkrb5_principal_compare(krb5_context con, krb5_const_principal princ1, 520296341Sdelphij krb5_const_principal princ2) 521296341Sdelphij{ 522296341Sdelphij if (!krb5_loaded) 523296341Sdelphij load_krb5_dll(); 524109998Smarkm 525296341Sdelphij if (p_krb5_principal_compare) 526296341Sdelphij return (p_krb5_principal_compare(con, princ1, princ2)); 527296341Sdelphij else 528296341Sdelphij return KRB5KRB_ERR_GENERIC; 529296341Sdelphij} 530109998Smarkm 531109998Smarkmkrb5_error_code 532109998Smarkmkrb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys, 533296341Sdelphij krb5_ticket *ticket) 534296341Sdelphij{ 535296341Sdelphij if (!krb5_loaded) 536296341Sdelphij load_krb5_dll(); 537109998Smarkm 538296341Sdelphij if (p_krb5_decrypt_tkt_part) 539296341Sdelphij return (p_krb5_decrypt_tkt_part(con, keys, ticket)); 540296341Sdelphij else 541296341Sdelphij return KRB5KRB_ERR_GENERIC; 542296341Sdelphij} 543109998Smarkm 544296341Sdelphijkrb5_error_code krb5_timeofday(krb5_context con, krb5_int32 *timeret) 545296341Sdelphij{ 546296341Sdelphij if (!krb5_loaded) 547296341Sdelphij load_krb5_dll(); 548109998Smarkm 549296341Sdelphij if (p_krb5_timeofday) 550296341Sdelphij return (p_krb5_timeofday(con, timeret)); 551296341Sdelphij else 552296341Sdelphij return KRB5KRB_ERR_GENERIC; 553296341Sdelphij} 554109998Smarkm 555296341Sdelphijkrb5_error_code krb5_rc_default(krb5_context con, krb5_rcache *rc) 556296341Sdelphij{ 557296341Sdelphij if (!krb5_loaded) 558296341Sdelphij load_krb5_dll(); 559109998Smarkm 560296341Sdelphij if (p_krb5_rc_default) 561296341Sdelphij return (p_krb5_rc_default(con, rc)); 562296341Sdelphij else 563296341Sdelphij return KRB5KRB_ERR_GENERIC; 564296341Sdelphij} 565109998Smarkm 566109998Smarkmkrb5_error_code 567109998Smarkmkrb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan) 568296341Sdelphij{ 569296341Sdelphij if (!krb5_loaded) 570296341Sdelphij load_krb5_dll(); 571109998Smarkm 572296341Sdelphij if (p_krb5_rc_initialize) 573296341Sdelphij return (p_krb5_rc_initialize(con, rc, lifespan)); 574296341Sdelphij else 575296341Sdelphij return KRB5KRB_ERR_GENERIC; 576296341Sdelphij} 577109998Smarkm 578109998Smarkmkrb5_error_code 579109998Smarkmkrb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp) 580296341Sdelphij{ 581296341Sdelphij if (!krb5_loaded) 582296341Sdelphij load_krb5_dll(); 583109998Smarkm 584296341Sdelphij if (p_krb5_rc_get_lifespan) 585296341Sdelphij return (p_krb5_rc_get_lifespan(con, rc, lifespanp)); 586296341Sdelphij else 587296341Sdelphij return KRB5KRB_ERR_GENERIC; 588296341Sdelphij} 589109998Smarkm 590296341Sdelphijkrb5_error_code krb5_rc_destroy(krb5_context con, krb5_rcache rc) 591296341Sdelphij{ 592296341Sdelphij if (!krb5_loaded) 593296341Sdelphij load_krb5_dll(); 594109998Smarkm 595296341Sdelphij if (p_krb5_rc_destroy) 596296341Sdelphij return (p_krb5_rc_destroy(con, rc)); 597296341Sdelphij else 598296341Sdelphij return KRB5KRB_ERR_GENERIC; 599296341Sdelphij} 600109998Smarkm 601296341Sdelphijsize_t krb5_checksum_size(krb5_context context, krb5_cksumtype ctype) 602296341Sdelphij{ 603296341Sdelphij if (!krb5_loaded) 604296341Sdelphij load_krb5_dll(); 605109998Smarkm 606296341Sdelphij if (p_krb5_checksum_size) 607296341Sdelphij return (p_krb5_checksum_size(context, ctype)); 608296341Sdelphij else 609296341Sdelphij return KRB5KRB_ERR_GENERIC; 610296341Sdelphij} 611109998Smarkm 612296341Sdelphijkrb5_boolean valid_cksumtype(krb5_cksumtype ctype) 613296341Sdelphij{ 614296341Sdelphij if (!krb5_loaded) 615296341Sdelphij load_krb5_dll(); 616109998Smarkm 617296341Sdelphij if (p_valid_cksumtype) 618296341Sdelphij return (p_valid_cksumtype(ctype)); 619296341Sdelphij else 620296341Sdelphij return KRB5KRB_ERR_GENERIC; 621296341Sdelphij} 622109998Smarkm 623296341Sdelphijkrb5_error_code krb5_kt_free_entry(krb5_context con, krb5_keytab_entry *entry) 624296341Sdelphij{ 625296341Sdelphij if (!krb5_loaded) 626296341Sdelphij load_krb5_dll(); 627109998Smarkm 628296341Sdelphij if (p_krb5_kt_free_entry) 629296341Sdelphij return (p_krb5_kt_free_entry(con, entry)); 630296341Sdelphij else 631296341Sdelphij return KRB5KRB_ERR_GENERIC; 632296341Sdelphij} 633296341Sdelphij 634109998Smarkm/* Structure definitions */ 635296341Sdelphij# ifndef NO_DEF_KRB5_CCACHE 636296341Sdelphij# ifndef krb5_x 637296341Sdelphij# define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) 638296341Sdelphij# define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) 639296341Sdelphij# endif 640109998Smarkm 641296341Sdelphijtypedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */ 642109998Smarkm 643296341Sdelphijtypedef struct _krb5_ccache { 644296341Sdelphij krb5_magic magic; 645296341Sdelphij struct _krb5_cc_ops FAR *ops; 646296341Sdelphij krb5_pointer data; 647296341Sdelphij} *krb5_ccache; 648109998Smarkm 649296341Sdelphijtypedef struct _krb5_cc_ops { 650296341Sdelphij krb5_magic magic; 651296341Sdelphij char *prefix; 652296341Sdelphij char *(KRB5_CALLCONV *get_name) 653296341Sdelphij (krb5_context, krb5_ccache); 654296341Sdelphij krb5_error_code(KRB5_CALLCONV *resolve) 655296341Sdelphij (krb5_context, krb5_ccache *, const char *); 656296341Sdelphij krb5_error_code(KRB5_CALLCONV *gen_new) 657296341Sdelphij (krb5_context, krb5_ccache *); 658296341Sdelphij krb5_error_code(KRB5_CALLCONV *init) 659296341Sdelphij (krb5_context, krb5_ccache, krb5_principal); 660296341Sdelphij krb5_error_code(KRB5_CALLCONV *destroy) 661296341Sdelphij (krb5_context, krb5_ccache); 662296341Sdelphij krb5_error_code(KRB5_CALLCONV *close) 663296341Sdelphij (krb5_context, krb5_ccache); 664296341Sdelphij krb5_error_code(KRB5_CALLCONV *store) 665296341Sdelphij (krb5_context, krb5_ccache, krb5_creds *); 666296341Sdelphij krb5_error_code(KRB5_CALLCONV *retrieve) 667296341Sdelphij (krb5_context, krb5_ccache, krb5_flags, krb5_creds *, krb5_creds *); 668296341Sdelphij krb5_error_code(KRB5_CALLCONV *get_princ) 669296341Sdelphij (krb5_context, krb5_ccache, krb5_principal *); 670296341Sdelphij krb5_error_code(KRB5_CALLCONV *get_first) 671296341Sdelphij (krb5_context, krb5_ccache, krb5_cc_cursor *); 672296341Sdelphij krb5_error_code(KRB5_CALLCONV *get_next) 673296341Sdelphij (krb5_context, krb5_ccache, krb5_cc_cursor *, krb5_creds *); 674296341Sdelphij krb5_error_code(KRB5_CALLCONV *end_get) 675296341Sdelphij (krb5_context, krb5_ccache, krb5_cc_cursor *); 676296341Sdelphij krb5_error_code(KRB5_CALLCONV *remove_cred) 677296341Sdelphij (krb5_context, krb5_ccache, krb5_flags, krb5_creds *); 678296341Sdelphij krb5_error_code(KRB5_CALLCONV *set_flags) 679296341Sdelphij (krb5_context, krb5_ccache, krb5_flags); 680296341Sdelphij} krb5_cc_ops; 681296341Sdelphij# endif /* NO_DEF_KRB5_CCACHE */ 682109998Smarkm 683296341Sdelphijkrb5_error_code 684296341Sdelphij kssl_krb5_cc_get_principal 685296341Sdelphij (krb5_context context, krb5_ccache cache, krb5_principal *principal) { 686296341Sdelphij if (p_krb5_cc_get_principal) 687296341Sdelphij return (p_krb5_cc_get_principal(context, cache, principal)); 688296341Sdelphij else 689296341Sdelphij return (krb5_x((cache)->ops->get_princ, (context, cache, principal))); 690296341Sdelphij} 691109998Smarkm 692109998Smarkmkrb5_error_code 693109998Smarkmkssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon, 694109998Smarkm krb5_rcache rcache) 695296341Sdelphij{ 696296341Sdelphij if (p_krb5_auth_con_setrcache) 697296341Sdelphij return (p_krb5_auth_con_setrcache(con, acon, rcache)); 698296341Sdelphij else 699296341Sdelphij return KRB5KRB_ERR_GENERIC; 700296341Sdelphij} 701109998Smarkm 702109998Smarkmkrb5_error_code 703296341Sdelphijkssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data *data, 704296341Sdelphij krb5_rcache *rcache) 705296341Sdelphij{ 706296341Sdelphij if (p_krb5_get_server_rcache) 707296341Sdelphij return (p_krb5_get_server_rcache(con, data, rcache)); 708296341Sdelphij else 709296341Sdelphij return KRB5KRB_ERR_GENERIC; 710296341Sdelphij} 711109998Smarkm 712109998Smarkmkrb5_error_code 713109998Smarkmkssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon, 714296341Sdelphij krb5_rcache *prcache) 715296341Sdelphij{ 716296341Sdelphij if (p_krb5_auth_con_getrcache) 717296341Sdelphij return (p_krb5_auth_con_getrcache(con, acon, prcache)); 718296341Sdelphij else 719296341Sdelphij return KRB5KRB_ERR_GENERIC; 720296341Sdelphij} 721109998Smarkm 722296341Sdelphijkrb5_error_code kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab) 723296341Sdelphij{ 724296341Sdelphij if (p_krb5_kt_close) 725296341Sdelphij return (p_krb5_kt_close(context, keytab)); 726296341Sdelphij else 727296341Sdelphij return KRB5KRB_ERR_GENERIC; 728296341Sdelphij} 729296341Sdelphij 730109998Smarkmkrb5_error_code 731109998Smarkmkssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, 732109998Smarkm krb5_const_principal principal, krb5_kvno vno, 733109998Smarkm krb5_enctype enctype, krb5_keytab_entry *entry) 734296341Sdelphij{ 735296341Sdelphij if (p_krb5_kt_get_entry) 736296341Sdelphij return (p_krb5_kt_get_entry 737296341Sdelphij (context, keytab, principal, vno, enctype, entry)); 738296341Sdelphij else 739296341Sdelphij return KRB5KRB_ERR_GENERIC; 740296341Sdelphij} 741296341Sdelphij# endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ 742109998Smarkm 743296341Sdelphij/* 744296341Sdelphij * memory allocation functions for non-temporary storage (e.g. stuff that 745296341Sdelphij * gets saved into the kssl context) 746296341Sdelphij */ 747296341Sdelphijstatic void *kssl_calloc(size_t nmemb, size_t size) 748296341Sdelphij{ 749296341Sdelphij void *p; 750167612Ssimon 751296341Sdelphij p = OPENSSL_malloc(nmemb * size); 752296341Sdelphij if (p) { 753296341Sdelphij memset(p, 0, nmemb * size); 754296341Sdelphij } 755296341Sdelphij return p; 756167612Ssimon} 757167612Ssimon 758296341Sdelphij# define kssl_malloc(size) OPENSSL_malloc((size)) 759296341Sdelphij# define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size) 760296341Sdelphij# define kssl_free(ptr) OPENSSL_free((ptr)) 761167612Ssimon 762109998Smarkmchar 763109998Smarkm*kstring(char *string) 764296341Sdelphij{ 765296341Sdelphij static char *null = "[NULL]"; 766109998Smarkm 767296341Sdelphij return ((string == NULL) ? null : string); 768296341Sdelphij} 769109998Smarkm 770296341Sdelphij/* 771296341Sdelphij * Given KRB5 enctype (basically DES or 3DES), return closest match openssl 772296341Sdelphij * EVP_ encryption algorithm. Return NULL for unknown or problematic 773296341Sdelphij * (krb5_dk_encrypt) enctypes. Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are 774296341Sdelphij * OK. 775296341Sdelphij */ 776296341Sdelphijconst EVP_CIPHER *kssl_map_enc(krb5_enctype enctype) 777296341Sdelphij{ 778296341Sdelphij switch (enctype) { 779296341Sdelphij case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */ 780296341Sdelphij case ENCTYPE_DES_CBC_CRC: 781296341Sdelphij case ENCTYPE_DES_CBC_MD4: 782296341Sdelphij case ENCTYPE_DES_CBC_MD5: 783296341Sdelphij case ENCTYPE_DES_CBC_RAW: 784296341Sdelphij return EVP_des_cbc(); 785296341Sdelphij break; 786296341Sdelphij case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ 787296341Sdelphij case ENCTYPE_DES3_CBC_SHA: 788296341Sdelphij case ENCTYPE_DES3_CBC_RAW: 789296341Sdelphij return EVP_des_ede3_cbc(); 790296341Sdelphij break; 791296341Sdelphij default: 792296341Sdelphij return NULL; 793296341Sdelphij break; 794296341Sdelphij } 795296341Sdelphij} 796109998Smarkm 797296341Sdelphij/* 798296341Sdelphij * Return true:1 if p "looks like" the start of the real authenticator 799296341Sdelphij * described in kssl_skip_confound() below. The ASN.1 pattern is "62 xx 30 800296341Sdelphij * yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and xx and yy are 801296341Sdelphij * possibly multi-byte length fields. 802296341Sdelphij */ 803296341Sdelphijstatic int kssl_test_confound(unsigned char *p) 804296341Sdelphij{ 805296341Sdelphij int len = 2; 806296341Sdelphij int xx = 0, yy = 0; 807109998Smarkm 808296341Sdelphij if (*p++ != 0x62) 809296341Sdelphij return 0; 810296341Sdelphij if (*p > 0x82) 811296341Sdelphij return 0; 812296341Sdelphij switch (*p) { 813296341Sdelphij case 0x82: 814296341Sdelphij p++; 815296341Sdelphij xx = (*p++ << 8); 816296341Sdelphij xx += *p++; 817296341Sdelphij break; 818296341Sdelphij case 0x81: 819296341Sdelphij p++; 820296341Sdelphij xx = *p++; 821296341Sdelphij break; 822296341Sdelphij case 0x80: 823296341Sdelphij return 0; 824296341Sdelphij default: 825296341Sdelphij xx = *p++; 826296341Sdelphij break; 827296341Sdelphij } 828296341Sdelphij if (*p++ != 0x30) 829296341Sdelphij return 0; 830296341Sdelphij if (*p > 0x82) 831296341Sdelphij return 0; 832296341Sdelphij switch (*p) { 833296341Sdelphij case 0x82: 834296341Sdelphij p++; 835296341Sdelphij len += 2; 836296341Sdelphij yy = (*p++ << 8); 837296341Sdelphij yy += *p++; 838296341Sdelphij break; 839296341Sdelphij case 0x81: 840296341Sdelphij p++; 841296341Sdelphij len++; 842296341Sdelphij yy = *p++; 843296341Sdelphij break; 844296341Sdelphij case 0x80: 845296341Sdelphij return 0; 846296341Sdelphij default: 847296341Sdelphij yy = *p++; 848296341Sdelphij break; 849296341Sdelphij } 850109998Smarkm 851296341Sdelphij return (xx - len == yy) ? 1 : 0; 852296341Sdelphij} 853109998Smarkm 854296341Sdelphij/* 855296341Sdelphij * Allocate, fill, and return cksumlens array of checksum lengths. This 856296341Sdelphij * array holds just the unique elements from the krb5_cksumarray[]. array[n] 857296341Sdelphij * == 0 signals end of data. The krb5_cksumarray[] was an internal variable 858296341Sdelphij * that has since been replaced by a more general method for storing the 859296341Sdelphij * data. It should not be used. Instead we use real API calls and make a 860296341Sdelphij * guess for what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 861296341Sdelphij * it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. 862296341Sdelphij */ 863296341Sdelphijstatic size_t *populate_cksumlens(void) 864296341Sdelphij{ 865296341Sdelphij int i, j, n; 866296341Sdelphij static size_t *cklens = NULL; 867109998Smarkm 868296341Sdelphij# ifdef KRB5_MIT_OLD11 869296341Sdelphij n = krb5_max_cksum; 870296341Sdelphij# else 871296341Sdelphij n = 0x0010; 872296341Sdelphij# endif /* KRB5_MIT_OLD11 */ 873109998Smarkm 874296341Sdelphij# ifdef KRB5CHECKAUTH 875296341Sdelphij if (!cklens && !(cklens = (size_t *)calloc(sizeof(int), n + 1))) 876296341Sdelphij return NULL; 877109998Smarkm 878296341Sdelphij for (i = 0; i < n; i++) { 879296341Sdelphij if (!valid_cksumtype(i)) 880296341Sdelphij continue; /* array has holes */ 881296341Sdelphij for (j = 0; j < n; j++) { 882296341Sdelphij if (cklens[j] == 0) { 883296341Sdelphij cklens[j] = krb5_checksum_size(NULL, i); 884296341Sdelphij break; /* krb5 elem was new: add */ 885296341Sdelphij } 886296341Sdelphij if (cklens[j] == krb5_checksum_size(NULL, i)) { 887296341Sdelphij break; /* ignore duplicate elements */ 888296341Sdelphij } 889296341Sdelphij } 890296341Sdelphij } 891296341Sdelphij# endif /* KRB5CHECKAUTH */ 892109998Smarkm 893296341Sdelphij return cklens; 894296341Sdelphij} 895109998Smarkm 896296341Sdelphij/*- 897296341Sdelphij * Return pointer to start of real authenticator within authenticator, or 898296341Sdelphij * return NULL on error. 899296341Sdelphij * Decrypted authenticator looks like this: 900296341Sdelphij * [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] 901296341Sdelphij * This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the 902296341Sdelphij * krb5_auth_con_getcksumtype() function advertised in its krb5.h. 903296341Sdelphij */ 904296341Sdelphijunsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) 905296341Sdelphij{ 906296341Sdelphij int i, conlen; 907296341Sdelphij size_t cklen; 908296341Sdelphij static size_t *cksumlens = NULL; 909296341Sdelphij unsigned char *test_auth; 910109998Smarkm 911296341Sdelphij conlen = (etype) ? 8 : 0; 912109998Smarkm 913296341Sdelphij if (!cksumlens && !(cksumlens = populate_cksumlens())) 914296341Sdelphij return NULL; 915296341Sdelphij for (i = 0; (cklen = cksumlens[i]) != 0; i++) { 916296341Sdelphij test_auth = a + conlen + cklen; 917296341Sdelphij if (kssl_test_confound(test_auth)) 918296341Sdelphij return test_auth; 919296341Sdelphij } 920109998Smarkm 921296341Sdelphij return NULL; 922296341Sdelphij} 923109998Smarkm 924296341Sdelphij/* 925296341Sdelphij * Set kssl_err error info when reason text is a simple string kssl_err = 926296341Sdelphij * struct { int reason; char text[KSSL_ERR_MAX+1]; } 927296341Sdelphij */ 928296341Sdelphijvoid kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) 929296341Sdelphij{ 930296341Sdelphij if (kssl_err == NULL) 931296341Sdelphij return; 932109998Smarkm 933296341Sdelphij kssl_err->reason = reason; 934296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text); 935296341Sdelphij return; 936296341Sdelphij} 937109998Smarkm 938296341Sdelphij/* 939296341Sdelphij * Display contents of krb5_data struct, for debugging 940296341Sdelphij */ 941296341Sdelphijvoid print_krb5_data(char *label, krb5_data *kdata) 942296341Sdelphij{ 943296341Sdelphij int i; 944109998Smarkm 945296341Sdelphij fprintf(stderr, "%s[%d] ", label, kdata->length); 946296341Sdelphij for (i = 0; i < (int)kdata->length; i++) { 947296341Sdelphij if (0 && isprint((int)kdata->data[i])) 948296341Sdelphij fprintf(stderr, "%c ", kdata->data[i]); 949296341Sdelphij else 950296341Sdelphij fprintf(stderr, "%02x ", (unsigned char)kdata->data[i]); 951296341Sdelphij } 952296341Sdelphij fprintf(stderr, "\n"); 953296341Sdelphij} 954109998Smarkm 955296341Sdelphij/* 956296341Sdelphij * Display contents of krb5_authdata struct, for debugging 957296341Sdelphij */ 958296341Sdelphijvoid print_krb5_authdata(char *label, krb5_authdata **adata) 959296341Sdelphij{ 960296341Sdelphij if (adata == NULL) { 961296341Sdelphij fprintf(stderr, "%s, authdata==0\n", label); 962296341Sdelphij return; 963296341Sdelphij } 964296341Sdelphij fprintf(stderr, "%s [%p]\n", label, (void *)adata); 965296341Sdelphij# if 0 966296341Sdelphij { 967296341Sdelphij int i; 968296341Sdelphij fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length); 969296341Sdelphij for (i = 0; i < adata->length; i++) { 970296341Sdelphij fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x", 971296341Sdelphij adata->contents[i]); 972109998Smarkm } 973296341Sdelphij fprintf(stderr, "\n"); 974296341Sdelphij } 975296341Sdelphij# endif 976296341Sdelphij} 977109998Smarkm 978296341Sdelphij/* 979296341Sdelphij * Display contents of krb5_keyblock struct, for debugging 980296341Sdelphij */ 981296341Sdelphijvoid print_krb5_keyblock(char *label, krb5_keyblock *keyblk) 982296341Sdelphij{ 983296341Sdelphij int i; 984109998Smarkm 985296341Sdelphij if (keyblk == NULL) { 986296341Sdelphij fprintf(stderr, "%s, keyblk==0\n", label); 987296341Sdelphij return; 988296341Sdelphij } 989296341Sdelphij# ifdef KRB5_HEIMDAL 990296341Sdelphij fprintf(stderr, "%s\n\t[et%d:%d]: ", label, keyblk->keytype, 991296341Sdelphij keyblk->keyvalue->length); 992296341Sdelphij for (i = 0; i < (int)keyblk->keyvalue->length; i++) { 993296341Sdelphij fprintf(stderr, "%02x", 994296341Sdelphij (unsigned char *)(keyblk->keyvalue->contents)[i]); 995296341Sdelphij } 996296341Sdelphij fprintf(stderr, "\n"); 997296341Sdelphij# else 998296341Sdelphij fprintf(stderr, "%s\n\t[et%d:%d]: ", label, keyblk->enctype, 999296341Sdelphij keyblk->length); 1000296341Sdelphij for (i = 0; i < (int)keyblk->length; i++) { 1001296341Sdelphij fprintf(stderr, "%02x", keyblk->contents[i]); 1002296341Sdelphij } 1003296341Sdelphij fprintf(stderr, "\n"); 1004296341Sdelphij# endif 1005296341Sdelphij} 1006109998Smarkm 1007296341Sdelphij/* 1008296341Sdelphij * Display contents of krb5_principal_data struct, for debugging 1009296341Sdelphij * (krb5_principal is typedef'd == krb5_principal_data *) 1010296341Sdelphij */ 1011296341Sdelphijstatic void print_krb5_princ(char *label, krb5_principal_data *princ) 1012296341Sdelphij{ 1013296341Sdelphij int i, ui, uj; 1014109998Smarkm 1015296341Sdelphij fprintf(stderr, "%s principal Realm: ", label); 1016296341Sdelphij if (princ == NULL) 1017296341Sdelphij return; 1018296341Sdelphij for (ui = 0; ui < (int)princ->realm.length; ui++) 1019296341Sdelphij putchar(princ->realm.data[ui]); 1020296341Sdelphij fprintf(stderr, " (nametype %d) has %d strings:\n", princ->type, 1021296341Sdelphij princ->length); 1022296341Sdelphij for (i = 0; i < (int)princ->length; i++) { 1023296341Sdelphij fprintf(stderr, "\t%d [%d]: ", i, princ->data[i].length); 1024296341Sdelphij for (uj = 0; uj < (int)princ->data[i].length; uj++) { 1025296341Sdelphij putchar(princ->data[i].data[uj]); 1026109998Smarkm } 1027296341Sdelphij fprintf(stderr, "\n"); 1028296341Sdelphij } 1029296341Sdelphij return; 1030296341Sdelphij} 1031109998Smarkm 1032296341Sdelphij/*- Given krb5 service (typically "kssl") and hostname in kssl_ctx, 1033296341Sdelphij * Return encrypted Kerberos ticket for service @ hostname. 1034296341Sdelphij * If authenp is non-NULL, also return encrypted authenticator, 1035296341Sdelphij * whose data should be freed by caller. 1036296341Sdelphij * (Originally was: Create Kerberos AP_REQ message for SSL Client.) 1037296341Sdelphij * 1038296341Sdelphij * 19990628 VRS Started; Returns Kerberos AP_REQ message. 1039296341Sdelphij * 20010409 VRS Modified for RFC2712; Returns enc tkt. 1040296341Sdelphij * 20010606 VRS May also return optional authenticator. 1041296341Sdelphij */ 1042296341Sdelphijkrb5_error_code kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, 1043296341Sdelphij /* 1044296341Sdelphij * OUT 1045296341Sdelphij */ krb5_data **enc_ticketp, 1046296341Sdelphij /* 1047296341Sdelphij * UPDATE 1048296341Sdelphij */ krb5_data *authenp, 1049296341Sdelphij /* 1050296341Sdelphij * OUT 1051296341Sdelphij */ KSSL_ERR *kssl_err) 1052296341Sdelphij{ 1053296341Sdelphij krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1054296341Sdelphij krb5_context krb5context = NULL; 1055296341Sdelphij krb5_auth_context krb5auth_context = NULL; 1056296341Sdelphij krb5_ccache krb5ccdef = NULL; 1057296341Sdelphij krb5_creds krb5creds, *krb5credsp = NULL; 1058296341Sdelphij krb5_data krb5_app_req; 1059109998Smarkm 1060296341Sdelphij kssl_err_set(kssl_err, 0, ""); 1061296341Sdelphij memset((char *)&krb5creds, 0, sizeof(krb5creds)); 1062109998Smarkm 1063296341Sdelphij if (!kssl_ctx) { 1064296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); 1065296341Sdelphij goto err; 1066296341Sdelphij } else if (!kssl_ctx->service_host) { 1067296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1068296341Sdelphij "kssl_ctx service_host undefined.\n"); 1069296341Sdelphij goto err; 1070296341Sdelphij } 1071109998Smarkm 1072296341Sdelphij if ((krb5rc = krb5_init_context(&krb5context)) != 0) { 1073296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1074296341Sdelphij "krb5_init_context() fails: %d\n", krb5rc); 1075296341Sdelphij kssl_err->reason = SSL_R_KRB5_C_INIT; 1076296341Sdelphij goto err; 1077296341Sdelphij } 1078109998Smarkm 1079296341Sdelphij if ((krb5rc = krb5_sname_to_principal(krb5context, 1080296341Sdelphij kssl_ctx->service_host, 1081296341Sdelphij (kssl_ctx->service_name) ? 1082296341Sdelphij kssl_ctx->service_name : KRB5SVC, 1083296341Sdelphij KRB5_NT_SRV_HST, 1084296341Sdelphij &krb5creds.server)) != 0) { 1085296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1086296341Sdelphij "krb5_sname_to_principal() fails for %s/%s\n", 1087296341Sdelphij kssl_ctx->service_host, 1088296341Sdelphij (kssl_ctx-> 1089296341Sdelphij service_name) ? kssl_ctx->service_name : KRB5SVC); 1090296341Sdelphij kssl_err->reason = SSL_R_KRB5_C_INIT; 1091296341Sdelphij goto err; 1092296341Sdelphij } 1093109998Smarkm 1094296341Sdelphij if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) { 1095296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, 1096296341Sdelphij "krb5_cc_default fails.\n"); 1097296341Sdelphij goto err; 1098296341Sdelphij } 1099109998Smarkm 1100296341Sdelphij if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, 1101296341Sdelphij &krb5creds.client)) != 0) { 1102296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, 1103296341Sdelphij "krb5_cc_get_principal() fails.\n"); 1104296341Sdelphij goto err; 1105296341Sdelphij } 1106109998Smarkm 1107296341Sdelphij if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, 1108296341Sdelphij &krb5creds, &krb5credsp)) != 0) { 1109296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED, 1110296341Sdelphij "krb5_get_credentials() fails.\n"); 1111296341Sdelphij goto err; 1112296341Sdelphij } 1113109998Smarkm 1114296341Sdelphij *enc_ticketp = &krb5credsp->ticket; 1115296341Sdelphij# ifdef KRB5_HEIMDAL 1116296341Sdelphij kssl_ctx->enctype = krb5credsp->session.keytype; 1117296341Sdelphij# else 1118296341Sdelphij kssl_ctx->enctype = krb5credsp->keyblock.enctype; 1119296341Sdelphij# endif 1120109998Smarkm 1121296341Sdelphij krb5rc = KRB5KRB_ERR_GENERIC; 1122296341Sdelphij /* caller should free data of krb5_app_req */ 1123296341Sdelphij /* 1124296341Sdelphij * 20010406 VRS deleted for real KerberosWrapper 20010605 VRS reinstated 1125296341Sdelphij * to offer Authenticator to KerberosWrapper 1126296341Sdelphij */ 1127296341Sdelphij krb5_app_req.length = 0; 1128296341Sdelphij if (authenp) { 1129296341Sdelphij krb5_data krb5in_data; 1130296341Sdelphij const unsigned char *p; 1131296341Sdelphij long arlen; 1132296341Sdelphij KRB5_APREQBODY *ap_req; 1133109998Smarkm 1134296341Sdelphij authenp->length = 0; 1135296341Sdelphij krb5in_data.data = NULL; 1136296341Sdelphij krb5in_data.length = 0; 1137296341Sdelphij if ((krb5rc = krb5_mk_req_extended(krb5context, 1138296341Sdelphij &krb5auth_context, 0, &krb5in_data, 1139296341Sdelphij krb5credsp, &krb5_app_req)) != 0) { 1140296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ, 1141296341Sdelphij "krb5_mk_req_extended() fails.\n"); 1142296341Sdelphij goto err; 1143296341Sdelphij } 1144109998Smarkm 1145296341Sdelphij arlen = krb5_app_req.length; 1146296341Sdelphij p = (unsigned char *)krb5_app_req.data; 1147296341Sdelphij ap_req = (KRB5_APREQBODY *)d2i_KRB5_APREQ(NULL, &p, arlen); 1148296341Sdelphij if (ap_req) { 1149296341Sdelphij authenp->length = i2d_KRB5_ENCDATA(ap_req->authenticator, NULL); 1150296341Sdelphij if (authenp->length && (authenp->data = malloc(authenp->length))) { 1151296341Sdelphij unsigned char *adp = (unsigned char *)authenp->data; 1152296341Sdelphij authenp->length = 1153296341Sdelphij i2d_KRB5_ENCDATA(ap_req->authenticator, &adp); 1154296341Sdelphij } 1155296341Sdelphij } 1156109998Smarkm 1157296341Sdelphij if (ap_req) 1158296341Sdelphij KRB5_APREQ_free((KRB5_APREQ *) ap_req); 1159296341Sdelphij if (krb5_app_req.length) 1160296341Sdelphij kssl_krb5_free_data_contents(krb5context, &krb5_app_req); 1161296341Sdelphij } 1162296341Sdelphij# ifdef KRB5_HEIMDAL 1163296341Sdelphij if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) { 1164296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, 1165296341Sdelphij "kssl_ctx_setkey() fails.\n"); 1166296341Sdelphij } 1167296341Sdelphij# else 1168296341Sdelphij if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) { 1169296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, 1170296341Sdelphij "kssl_ctx_setkey() fails.\n"); 1171296341Sdelphij } 1172296341Sdelphij# endif 1173296341Sdelphij else 1174296341Sdelphij krb5rc = 0; 1175109998Smarkm 1176296341Sdelphij err: 1177296341Sdelphij# ifdef KSSL_DEBUG 1178296341Sdelphij kssl_ctx_show(kssl_ctx); 1179296341Sdelphij# endif /* KSSL_DEBUG */ 1180109998Smarkm 1181296341Sdelphij if (krb5creds.client) 1182296341Sdelphij krb5_free_principal(krb5context, krb5creds.client); 1183296341Sdelphij if (krb5creds.server) 1184296341Sdelphij krb5_free_principal(krb5context, krb5creds.server); 1185296341Sdelphij if (krb5auth_context) 1186296341Sdelphij krb5_auth_con_free(krb5context, krb5auth_context); 1187296341Sdelphij if (krb5context) 1188296341Sdelphij krb5_free_context(krb5context); 1189296341Sdelphij return (krb5rc); 1190296341Sdelphij} 1191109998Smarkm 1192296341Sdelphij/*- 1193296341Sdelphij * Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. 1194296341Sdelphij * Return Kerberos error code and kssl_err struct on error. 1195296341Sdelphij * Allocates krb5_ticket and krb5_principal; caller should free these. 1196296341Sdelphij * 1197296341Sdelphij * 20010410 VRS Implemented krb5_decode_ticket() as 1198296341Sdelphij * old_krb5_decode_ticket(). Missing from MIT1.0.6. 1199296341Sdelphij * 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. 1200296341Sdelphij * Re-used some of the old krb5_decode_ticket() 1201296341Sdelphij * code here. This tkt should alloc/free just 1202296341Sdelphij * like the real thing. 1203296341Sdelphij */ 1204296341Sdelphijstatic krb5_error_code kssl_TKT2tkt( /* IN */ krb5_context krb5context, 1205296341Sdelphij /* 1206296341Sdelphij * IN 1207296341Sdelphij */ KRB5_TKTBODY *asn1ticket, 1208296341Sdelphij /* 1209296341Sdelphij * OUT 1210296341Sdelphij */ krb5_ticket **krb5ticket, 1211296341Sdelphij /* 1212296341Sdelphij * OUT 1213296341Sdelphij */ KSSL_ERR *kssl_err) 1214296341Sdelphij{ 1215296341Sdelphij krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1216296341Sdelphij krb5_ticket *new5ticket = NULL; 1217296341Sdelphij ASN1_GENERALSTRING *gstr_svc, *gstr_host; 1218109998Smarkm 1219296341Sdelphij *krb5ticket = NULL; 1220109998Smarkm 1221296341Sdelphij if (asn1ticket == NULL || asn1ticket->realm == NULL || 1222296341Sdelphij asn1ticket->sname == NULL || 1223296341Sdelphij sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) { 1224296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1225296341Sdelphij "Null field in asn1ticket.\n"); 1226296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1227296341Sdelphij return KRB5KRB_ERR_GENERIC; 1228296341Sdelphij } 1229109998Smarkm 1230296341Sdelphij if ((new5ticket = (krb5_ticket *)calloc(1, sizeof(krb5_ticket))) == NULL) { 1231296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1232296341Sdelphij "Unable to allocate new krb5_ticket.\n"); 1233296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1234296341Sdelphij return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */ 1235296341Sdelphij } 1236109998Smarkm 1237296341Sdelphij gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0); 1238296341Sdelphij gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1); 1239109998Smarkm 1240296341Sdelphij if ((krb5rc = kssl_build_principal_2(krb5context, 1241296341Sdelphij &new5ticket->server, 1242296341Sdelphij asn1ticket->realm->length, 1243296341Sdelphij (char *)asn1ticket->realm->data, 1244296341Sdelphij gstr_svc->length, 1245296341Sdelphij (char *)gstr_svc->data, 1246296341Sdelphij gstr_host->length, 1247296341Sdelphij (char *)gstr_host->data)) != 0) { 1248296341Sdelphij free(new5ticket); 1249296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1250296341Sdelphij "Error building ticket server principal.\n"); 1251296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1252296341Sdelphij return krb5rc; /* or KRB5KRB_ERR_GENERIC; */ 1253296341Sdelphij } 1254109998Smarkm 1255296341Sdelphij krb5_princ_type(krb5context, new5ticket->server) = 1256296341Sdelphij asn1ticket->sname->nametype->data[0]; 1257296341Sdelphij new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0]; 1258296341Sdelphij new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0]; 1259296341Sdelphij new5ticket->enc_part.ciphertext.length = 1260296341Sdelphij asn1ticket->encdata->cipher->length; 1261296341Sdelphij if ((new5ticket->enc_part.ciphertext.data = 1262296341Sdelphij calloc(1, asn1ticket->encdata->cipher->length)) == NULL) { 1263296341Sdelphij free(new5ticket); 1264296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1265296341Sdelphij "Error allocating cipher in krb5ticket.\n"); 1266296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1267296341Sdelphij return KRB5KRB_ERR_GENERIC; 1268296341Sdelphij } else { 1269296341Sdelphij memcpy(new5ticket->enc_part.ciphertext.data, 1270296341Sdelphij asn1ticket->encdata->cipher->data, 1271296341Sdelphij asn1ticket->encdata->cipher->length); 1272296341Sdelphij } 1273109998Smarkm 1274296341Sdelphij *krb5ticket = new5ticket; 1275296341Sdelphij return 0; 1276296341Sdelphij} 1277109998Smarkm 1278296341Sdelphij/*- 1279296341Sdelphij * Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), 1280296341Sdelphij * and krb5 AP_REQ message & message length, 1281296341Sdelphij * Return Kerberos session key and client principle 1282296341Sdelphij * to SSL Server in KSSL_CTX *kssl_ctx. 1283296341Sdelphij * 1284296341Sdelphij * 19990702 VRS Started. 1285296341Sdelphij */ 1286296341Sdelphijkrb5_error_code kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, 1287296341Sdelphij /* 1288296341Sdelphij * IN 1289296341Sdelphij */ krb5_data *indata, 1290296341Sdelphij /* 1291296341Sdelphij * OUT 1292296341Sdelphij */ krb5_ticket_times *ttimes, 1293296341Sdelphij /* 1294296341Sdelphij * OUT 1295296341Sdelphij */ KSSL_ERR *kssl_err) 1296296341Sdelphij{ 1297296341Sdelphij krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1298296341Sdelphij static krb5_context krb5context = NULL; 1299296341Sdelphij static krb5_auth_context krb5auth_context = NULL; 1300296341Sdelphij krb5_ticket *krb5ticket = NULL; 1301296341Sdelphij KRB5_TKTBODY *asn1ticket = NULL; 1302296341Sdelphij const unsigned char *p; 1303296341Sdelphij krb5_keytab krb5keytab = NULL; 1304296341Sdelphij krb5_keytab_entry kt_entry; 1305296341Sdelphij krb5_principal krb5server; 1306296341Sdelphij krb5_rcache rcache = NULL; 1307109998Smarkm 1308296341Sdelphij kssl_err_set(kssl_err, 0, ""); 1309109998Smarkm 1310296341Sdelphij if (!kssl_ctx) { 1311296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n"); 1312296341Sdelphij goto err; 1313296341Sdelphij } 1314296341Sdelphij# ifdef KSSL_DEBUG 1315296341Sdelphij fprintf(stderr, "in kssl_sget_tkt(%s)\n", 1316296341Sdelphij kstring(kssl_ctx->service_name)); 1317296341Sdelphij# endif /* KSSL_DEBUG */ 1318109998Smarkm 1319296341Sdelphij if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) { 1320296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1321296341Sdelphij "krb5_init_context() fails.\n"); 1322296341Sdelphij goto err; 1323296341Sdelphij } 1324296341Sdelphij if (krb5auth_context && 1325296341Sdelphij (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) { 1326296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1327296341Sdelphij "krb5_auth_con_free() fails.\n"); 1328296341Sdelphij goto err; 1329296341Sdelphij } else 1330296341Sdelphij krb5auth_context = NULL; 1331296341Sdelphij if (!krb5auth_context && 1332296341Sdelphij (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) { 1333296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1334296341Sdelphij "krb5_auth_con_init() fails.\n"); 1335296341Sdelphij goto err; 1336296341Sdelphij } 1337109998Smarkm 1338296341Sdelphij if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context, 1339296341Sdelphij &rcache))) { 1340296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1341296341Sdelphij "krb5_auth_con_getrcache() fails.\n"); 1342296341Sdelphij goto err; 1343296341Sdelphij } 1344109998Smarkm 1345296341Sdelphij if ((krb5rc = krb5_sname_to_principal(krb5context, NULL, 1346296341Sdelphij (kssl_ctx->service_name) ? 1347296341Sdelphij kssl_ctx->service_name : KRB5SVC, 1348296341Sdelphij KRB5_NT_SRV_HST, 1349296341Sdelphij &krb5server)) != 0) { 1350296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1351296341Sdelphij "krb5_sname_to_principal() fails.\n"); 1352296341Sdelphij goto err; 1353296341Sdelphij } 1354109998Smarkm 1355296341Sdelphij if (rcache == NULL) { 1356296341Sdelphij if ((krb5rc = krb5_get_server_rcache(krb5context, 1357296341Sdelphij krb5_princ_component(krb5context, 1358296341Sdelphij krb5server, 1359296341Sdelphij 0), 1360296341Sdelphij &rcache))) { 1361296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1362296341Sdelphij "krb5_get_server_rcache() fails.\n"); 1363296341Sdelphij goto err; 1364296341Sdelphij } 1365296341Sdelphij } 1366109998Smarkm 1367296341Sdelphij if ((krb5rc = 1368296341Sdelphij krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache))) { 1369296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1370296341Sdelphij "krb5_auth_con_setrcache() fails.\n"); 1371296341Sdelphij goto err; 1372296341Sdelphij } 1373109998Smarkm 1374296341Sdelphij /* 1375296341Sdelphij * kssl_ctx->keytab_file == NULL ==> use Kerberos default 1376296341Sdelphij */ 1377296341Sdelphij if (kssl_ctx->keytab_file) { 1378296341Sdelphij krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, 1379296341Sdelphij &krb5keytab); 1380296341Sdelphij if (krb5rc) { 1381296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1382296341Sdelphij "krb5_kt_resolve() fails.\n"); 1383296341Sdelphij goto err; 1384296341Sdelphij } 1385296341Sdelphij } else { 1386296341Sdelphij krb5rc = krb5_kt_default(krb5context, &krb5keytab); 1387296341Sdelphij if (krb5rc) { 1388296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1389296341Sdelphij "krb5_kt_default() fails.\n"); 1390296341Sdelphij goto err; 1391296341Sdelphij } 1392296341Sdelphij } 1393109998Smarkm 1394296341Sdelphij /*- Actual Kerberos5 krb5_recvauth() has initial conversation here 1395296341Sdelphij * o check KRB5_SENDAUTH_BADAUTHVERS 1396296341Sdelphij * unless KRB5_RECVAUTH_SKIP_VERSION 1397296341Sdelphij * o check KRB5_SENDAUTH_BADAPPLVERS 1398296341Sdelphij * o send "0" msg if all OK 1399296341Sdelphij */ 1400109998Smarkm 1401296341Sdelphij /*- 1402296341Sdelphij * 20010411 was using AP_REQ instead of true KerberosWrapper 1403296341Sdelphij * 1404296341Sdelphij * if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, 1405296341Sdelphij * &krb5in_data, krb5server, krb5keytab, 1406296341Sdelphij * &ap_option, &krb5ticket)) != 0) { Error } 1407296341Sdelphij */ 1408109998Smarkm 1409296341Sdelphij p = (unsigned char *)indata->data; 1410296341Sdelphij if ((asn1ticket = (KRB5_TKTBODY *)d2i_KRB5_TICKET(NULL, &p, 1411296341Sdelphij (long)indata->length)) 1412296341Sdelphij == NULL) { 1413296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1414296341Sdelphij "d2i_KRB5_TICKET() ASN.1 decode failure.\n"); 1415296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1416296341Sdelphij goto err; 1417296341Sdelphij } 1418109998Smarkm 1419296341Sdelphij /* 1420296341Sdelphij * Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) 1421296341Sdelphij */ 1422296341Sdelphij if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket, 1423296341Sdelphij kssl_err)) != 0) { 1424296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1425296341Sdelphij "Error converting ASN.1 ticket to krb5_ticket.\n"); 1426296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1427296341Sdelphij goto err; 1428296341Sdelphij } 1429109998Smarkm 1430296341Sdelphij if (!krb5_principal_compare(krb5context, krb5server, krb5ticket->server)) { 1431296341Sdelphij krb5rc = KRB5_PRINC_NOMATCH; 1432296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1433296341Sdelphij "server principal != ticket principal\n"); 1434296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1435296341Sdelphij goto err; 1436296341Sdelphij } 1437296341Sdelphij if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 1438296341Sdelphij krb5ticket->server, 1439296341Sdelphij krb5ticket->enc_part.kvno, 1440296341Sdelphij krb5ticket->enc_part.enctype, 1441296341Sdelphij &kt_entry)) != 0) { 1442296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1443296341Sdelphij "krb5_kt_get_entry() fails with %x.\n", krb5rc); 1444296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1445296341Sdelphij goto err; 1446296341Sdelphij } 1447296341Sdelphij if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key, 1448296341Sdelphij krb5ticket)) != 0) { 1449296341Sdelphij BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1450296341Sdelphij "krb5_decrypt_tkt_part() failed.\n"); 1451296341Sdelphij kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1452296341Sdelphij goto err; 1453296341Sdelphij } else { 1454296341Sdelphij krb5_kt_free_entry(krb5context, &kt_entry); 1455296341Sdelphij# ifdef KSSL_DEBUG 1456296341Sdelphij { 1457296341Sdelphij int i; 1458296341Sdelphij krb5_address **paddr = krb5ticket->enc_part2->caddrs; 1459296341Sdelphij fprintf(stderr, "Decrypted ticket fields:\n"); 1460296341Sdelphij fprintf(stderr, "\tflags: %X, transit-type: %X", 1461296341Sdelphij krb5ticket->enc_part2->flags, 1462296341Sdelphij krb5ticket->enc_part2->transited.tr_type); 1463296341Sdelphij print_krb5_data("\ttransit-data: ", 1464296341Sdelphij &(krb5ticket->enc_part2->transited.tr_contents)); 1465296341Sdelphij fprintf(stderr, "\tcaddrs: %p, authdata: %p\n", 1466296341Sdelphij krb5ticket->enc_part2->caddrs, 1467296341Sdelphij krb5ticket->enc_part2->authorization_data); 1468296341Sdelphij if (paddr) { 1469296341Sdelphij fprintf(stderr, "\tcaddrs:\n"); 1470296341Sdelphij for (i = 0; paddr[i] != NULL; i++) { 1471296341Sdelphij krb5_data d; 1472296341Sdelphij d.length = paddr[i]->length; 1473296341Sdelphij d.data = paddr[i]->contents; 1474296341Sdelphij print_krb5_data("\t\tIP: ", &d); 1475109998Smarkm } 1476296341Sdelphij } 1477296341Sdelphij fprintf(stderr, "\tstart/auth/end times: %d / %d / %d\n", 1478296341Sdelphij krb5ticket->enc_part2->times.starttime, 1479296341Sdelphij krb5ticket->enc_part2->times.authtime, 1480296341Sdelphij krb5ticket->enc_part2->times.endtime); 1481296341Sdelphij } 1482296341Sdelphij# endif /* KSSL_DEBUG */ 1483296341Sdelphij } 1484109998Smarkm 1485296341Sdelphij krb5rc = KRB5_NO_TKT_SUPPLIED; 1486296341Sdelphij if (!krb5ticket || !krb5ticket->enc_part2 || 1487296341Sdelphij !krb5ticket->enc_part2->client || 1488296341Sdelphij !krb5ticket->enc_part2->client->data || 1489296341Sdelphij !krb5ticket->enc_part2->session) { 1490296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1491296341Sdelphij "bad ticket from krb5_rd_req.\n"); 1492296341Sdelphij } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, 1493296341Sdelphij &krb5ticket->enc_part2->client->realm, 1494296341Sdelphij krb5ticket->enc_part2->client->data, 1495296341Sdelphij krb5ticket->enc_part2->client->length)) { 1496296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1497296341Sdelphij "kssl_ctx_setprinc() fails.\n"); 1498296341Sdelphij } else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) { 1499296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1500296341Sdelphij "kssl_ctx_setkey() fails.\n"); 1501296341Sdelphij } else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) { 1502296341Sdelphij krb5rc = KRB5KRB_AP_ERR_TKT_INVALID; 1503296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1504296341Sdelphij "invalid ticket from krb5_rd_req.\n"); 1505296341Sdelphij } else 1506296341Sdelphij krb5rc = 0; 1507109998Smarkm 1508296341Sdelphij kssl_ctx->enctype = krb5ticket->enc_part.enctype; 1509296341Sdelphij ttimes->authtime = krb5ticket->enc_part2->times.authtime; 1510296341Sdelphij ttimes->starttime = krb5ticket->enc_part2->times.starttime; 1511296341Sdelphij ttimes->endtime = krb5ticket->enc_part2->times.endtime; 1512296341Sdelphij ttimes->renew_till = krb5ticket->enc_part2->times.renew_till; 1513109998Smarkm 1514109998Smarkm err: 1515296341Sdelphij# ifdef KSSL_DEBUG 1516296341Sdelphij kssl_ctx_show(kssl_ctx); 1517296341Sdelphij# endif /* KSSL_DEBUG */ 1518109998Smarkm 1519296341Sdelphij if (asn1ticket) 1520296341Sdelphij KRB5_TICKET_free((KRB5_TICKET *) asn1ticket); 1521296341Sdelphij if (krb5keytab) 1522296341Sdelphij krb5_kt_close(krb5context, krb5keytab); 1523296341Sdelphij if (krb5ticket) 1524296341Sdelphij krb5_free_ticket(krb5context, krb5ticket); 1525296341Sdelphij if (krb5server) 1526296341Sdelphij krb5_free_principal(krb5context, krb5server); 1527296341Sdelphij return (krb5rc); 1528296341Sdelphij} 1529109998Smarkm 1530296341Sdelphij/* 1531296341Sdelphij * Allocate & return a new kssl_ctx struct. 1532296341Sdelphij */ 1533296341SdelphijKSSL_CTX *kssl_ctx_new(void) 1534296341Sdelphij{ 1535296341Sdelphij return ((KSSL_CTX *)kssl_calloc(1, sizeof(KSSL_CTX))); 1536296341Sdelphij} 1537109998Smarkm 1538296341Sdelphij/* 1539296341Sdelphij * Frees a kssl_ctx struct and any allocated memory it holds. Returns NULL. 1540296341Sdelphij */ 1541296341SdelphijKSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx) 1542296341Sdelphij{ 1543296341Sdelphij if (kssl_ctx == NULL) 1544296341Sdelphij return kssl_ctx; 1545109998Smarkm 1546296341Sdelphij if (kssl_ctx->key) 1547296341Sdelphij OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); 1548296341Sdelphij if (kssl_ctx->key) 1549296341Sdelphij kssl_free(kssl_ctx->key); 1550296341Sdelphij if (kssl_ctx->client_princ) 1551296341Sdelphij kssl_free(kssl_ctx->client_princ); 1552296341Sdelphij if (kssl_ctx->service_host) 1553296341Sdelphij kssl_free(kssl_ctx->service_host); 1554296341Sdelphij if (kssl_ctx->service_name) 1555296341Sdelphij kssl_free(kssl_ctx->service_name); 1556296341Sdelphij if (kssl_ctx->keytab_file) 1557296341Sdelphij kssl_free(kssl_ctx->keytab_file); 1558109998Smarkm 1559296341Sdelphij kssl_free(kssl_ctx); 1560296341Sdelphij return (KSSL_CTX *)NULL; 1561296341Sdelphij} 1562109998Smarkm 1563296341Sdelphij/* 1564296341Sdelphij * Given an array of (krb5_data *) entity (and optional realm), set the plain 1565296341Sdelphij * (char *) client_princ or service_host member of the kssl_ctx struct. 1566296341Sdelphij */ 1567109998Smarkmkrb5_error_code 1568109998Smarkmkssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, 1569296341Sdelphij krb5_data *realm, krb5_data *entity, int nentities) 1570296341Sdelphij{ 1571296341Sdelphij char **princ; 1572296341Sdelphij int length; 1573296341Sdelphij int i; 1574109998Smarkm 1575296341Sdelphij if (kssl_ctx == NULL || entity == NULL) 1576296341Sdelphij return KSSL_CTX_ERR; 1577109998Smarkm 1578296341Sdelphij switch (which) { 1579296341Sdelphij case KSSL_CLIENT: 1580296341Sdelphij princ = &kssl_ctx->client_princ; 1581296341Sdelphij break; 1582296341Sdelphij case KSSL_SERVER: 1583296341Sdelphij princ = &kssl_ctx->service_host; 1584296341Sdelphij break; 1585296341Sdelphij default: 1586296341Sdelphij return KSSL_CTX_ERR; 1587296341Sdelphij break; 1588296341Sdelphij } 1589296341Sdelphij if (*princ) 1590296341Sdelphij kssl_free(*princ); 1591109998Smarkm 1592296341Sdelphij /* Add up all the entity->lengths */ 1593296341Sdelphij length = 0; 1594296341Sdelphij for (i = 0; i < nentities; i++) { 1595296341Sdelphij length += entity[i].length; 1596296341Sdelphij } 1597296341Sdelphij /* Add in space for the '/' character(s) (if any) */ 1598296341Sdelphij length += nentities - 1; 1599296341Sdelphij /* Space for the ('@'+realm+NULL | NULL) */ 1600296341Sdelphij length += ((realm) ? realm->length + 2 : 1); 1601120631Snectar 1602296341Sdelphij if ((*princ = kssl_calloc(1, length)) == NULL) 1603296341Sdelphij return KSSL_CTX_ERR; 1604296341Sdelphij else { 1605296341Sdelphij for (i = 0; i < nentities; i++) { 1606296341Sdelphij strncat(*princ, entity[i].data, entity[i].length); 1607296341Sdelphij if (i < nentities - 1) { 1608296341Sdelphij strcat(*princ, "/"); 1609296341Sdelphij } 1610109998Smarkm } 1611296341Sdelphij if (realm) { 1612296341Sdelphij strcat(*princ, "@"); 1613296341Sdelphij (void)strncat(*princ, realm->data, realm->length); 1614296341Sdelphij } 1615296341Sdelphij } 1616109998Smarkm 1617296341Sdelphij return KSSL_CTX_OK; 1618296341Sdelphij} 1619109998Smarkm 1620296341Sdelphij/*- Set one of the plain (char *) string members of the kssl_ctx struct. 1621296341Sdelphij * Default values should be: 1622296341Sdelphij * which == KSSL_SERVICE => "khost" (KRB5SVC) 1623296341Sdelphij * which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) 1624296341Sdelphij */ 1625296341Sdelphijkrb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) 1626296341Sdelphij{ 1627296341Sdelphij char **string; 1628109998Smarkm 1629296341Sdelphij if (!kssl_ctx) 1630296341Sdelphij return KSSL_CTX_ERR; 1631109998Smarkm 1632296341Sdelphij switch (which) { 1633296341Sdelphij case KSSL_SERVICE: 1634296341Sdelphij string = &kssl_ctx->service_name; 1635296341Sdelphij break; 1636296341Sdelphij case KSSL_SERVER: 1637296341Sdelphij string = &kssl_ctx->service_host; 1638296341Sdelphij break; 1639296341Sdelphij case KSSL_CLIENT: 1640296341Sdelphij string = &kssl_ctx->client_princ; 1641296341Sdelphij break; 1642296341Sdelphij case KSSL_KEYTAB: 1643296341Sdelphij string = &kssl_ctx->keytab_file; 1644296341Sdelphij break; 1645296341Sdelphij default: 1646296341Sdelphij return KSSL_CTX_ERR; 1647296341Sdelphij break; 1648296341Sdelphij } 1649296341Sdelphij if (*string) 1650296341Sdelphij kssl_free(*string); 1651109998Smarkm 1652296341Sdelphij if (!text) { 1653296341Sdelphij *string = '\0'; 1654296341Sdelphij return KSSL_CTX_OK; 1655296341Sdelphij } 1656109998Smarkm 1657296341Sdelphij if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL) 1658296341Sdelphij return KSSL_CTX_ERR; 1659296341Sdelphij else 1660296341Sdelphij strcpy(*string, text); 1661109998Smarkm 1662296341Sdelphij return KSSL_CTX_OK; 1663296341Sdelphij} 1664109998Smarkm 1665296341Sdelphij/* 1666296341Sdelphij * Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx 1667296341Sdelphij * struct. Clear kssl_ctx->key if Kerberos session key is NULL. 1668296341Sdelphij */ 1669296341Sdelphijkrb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) 1670296341Sdelphij{ 1671296341Sdelphij int length; 1672296341Sdelphij krb5_enctype enctype; 1673296341Sdelphij krb5_octet FAR *contents = NULL; 1674109998Smarkm 1675296341Sdelphij if (!kssl_ctx) 1676296341Sdelphij return KSSL_CTX_ERR; 1677109998Smarkm 1678296341Sdelphij if (kssl_ctx->key) { 1679296341Sdelphij OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); 1680296341Sdelphij kssl_free(kssl_ctx->key); 1681296341Sdelphij } 1682109998Smarkm 1683296341Sdelphij if (session) { 1684109998Smarkm 1685296341Sdelphij# ifdef KRB5_HEIMDAL 1686296341Sdelphij length = session->keyvalue->length; 1687296341Sdelphij enctype = session->keytype; 1688296341Sdelphij contents = session->keyvalue->contents; 1689296341Sdelphij# else 1690296341Sdelphij length = session->length; 1691296341Sdelphij enctype = session->enctype; 1692296341Sdelphij contents = session->contents; 1693296341Sdelphij# endif 1694296341Sdelphij kssl_ctx->enctype = enctype; 1695296341Sdelphij kssl_ctx->length = length; 1696296341Sdelphij } else { 1697296341Sdelphij kssl_ctx->enctype = ENCTYPE_UNKNOWN; 1698296341Sdelphij kssl_ctx->length = 0; 1699296341Sdelphij return KSSL_CTX_OK; 1700296341Sdelphij } 1701109998Smarkm 1702296341Sdelphij if ((kssl_ctx->key = 1703296341Sdelphij (krb5_octet FAR *)kssl_calloc(1, kssl_ctx->length)) == NULL) { 1704296341Sdelphij kssl_ctx->length = 0; 1705296341Sdelphij return KSSL_CTX_ERR; 1706296341Sdelphij } else 1707296341Sdelphij memcpy(kssl_ctx->key, contents, length); 1708109998Smarkm 1709296341Sdelphij return KSSL_CTX_OK; 1710296341Sdelphij} 1711109998Smarkm 1712296341Sdelphij/* 1713296341Sdelphij * Display contents of kssl_ctx struct 1714296341Sdelphij */ 1715296341Sdelphijvoid kssl_ctx_show(KSSL_CTX *kssl_ctx) 1716296341Sdelphij{ 1717296341Sdelphij int i; 1718109998Smarkm 1719296341Sdelphij printf("kssl_ctx: "); 1720296341Sdelphij if (kssl_ctx == NULL) { 1721296341Sdelphij printf("NULL\n"); 1722296341Sdelphij return; 1723296341Sdelphij } else 1724296341Sdelphij printf("%p\n", (void *)kssl_ctx); 1725109998Smarkm 1726296341Sdelphij printf("\tservice:\t%s\n", 1727296341Sdelphij (kssl_ctx->service_name) ? kssl_ctx->service_name : "NULL"); 1728296341Sdelphij printf("\tclient:\t%s\n", 1729296341Sdelphij (kssl_ctx->client_princ) ? kssl_ctx->client_princ : "NULL"); 1730296341Sdelphij printf("\tserver:\t%s\n", 1731296341Sdelphij (kssl_ctx->service_host) ? kssl_ctx->service_host : "NULL"); 1732296341Sdelphij printf("\tkeytab:\t%s\n", 1733296341Sdelphij (kssl_ctx->keytab_file) ? kssl_ctx->keytab_file : "NULL"); 1734296341Sdelphij printf("\tkey [%d:%d]:\t", kssl_ctx->enctype, kssl_ctx->length); 1735109998Smarkm 1736296341Sdelphij for (i = 0; i < kssl_ctx->length && kssl_ctx->key; i++) { 1737296341Sdelphij printf("%02x", kssl_ctx->key[i]); 1738296341Sdelphij } 1739296341Sdelphij printf("\n"); 1740296341Sdelphij return; 1741296341Sdelphij} 1742109998Smarkm 1743296341Sdelphijint kssl_keytab_is_available(KSSL_CTX *kssl_ctx) 1744109998Smarkm{ 1745296341Sdelphij krb5_context krb5context = NULL; 1746296341Sdelphij krb5_keytab krb5keytab = NULL; 1747296341Sdelphij krb5_keytab_entry entry; 1748296341Sdelphij krb5_principal princ = NULL; 1749296341Sdelphij krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1750109998Smarkm int rc = 0; 1751109998Smarkm 1752109998Smarkm if ((krb5rc = krb5_init_context(&krb5context))) 1753296341Sdelphij return (0); 1754109998Smarkm 1755296341Sdelphij /* 1756296341Sdelphij * kssl_ctx->keytab_file == NULL ==> use Kerberos default 1757296341Sdelphij */ 1758296341Sdelphij if (kssl_ctx->keytab_file) { 1759109998Smarkm krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, 1760296341Sdelphij &krb5keytab); 1761109998Smarkm if (krb5rc) 1762109998Smarkm goto exit; 1763296341Sdelphij } else { 1764296341Sdelphij krb5rc = krb5_kt_default(krb5context, &krb5keytab); 1765109998Smarkm if (krb5rc) 1766109998Smarkm goto exit; 1767109998Smarkm } 1768109998Smarkm 1769109998Smarkm /* the host key we are looking for */ 1770296341Sdelphij krb5rc = krb5_sname_to_principal(krb5context, NULL, 1771296341Sdelphij kssl_ctx-> 1772296341Sdelphij service_name ? kssl_ctx->service_name : 1773296341Sdelphij KRB5SVC, KRB5_NT_SRV_HST, &princ); 1774109998Smarkm 1775206046Ssimon if (krb5rc) 1776296341Sdelphij goto exit; 1777206046Ssimon 1778296341Sdelphij krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, princ, 1779296341Sdelphij /* IGNORE_VNO */ 1780296341Sdelphij 0, 1781296341Sdelphij /* IGNORE_ENCTYPE */ 1782296341Sdelphij 0, &entry); 1783296341Sdelphij if (krb5rc == KRB5_KT_NOTFOUND) { 1784109998Smarkm rc = 1; 1785109998Smarkm goto exit; 1786296341Sdelphij } else if (krb5rc) 1787109998Smarkm goto exit; 1788296341Sdelphij 1789109998Smarkm krb5_kt_free_entry(krb5context, &entry); 1790109998Smarkm rc = 1; 1791109998Smarkm 1792296341Sdelphij exit: 1793296341Sdelphij if (krb5keytab) 1794296341Sdelphij krb5_kt_close(krb5context, krb5keytab); 1795296341Sdelphij if (princ) 1796296341Sdelphij krb5_free_principal(krb5context, princ); 1797296341Sdelphij if (krb5context) 1798296341Sdelphij krb5_free_context(krb5context); 1799296341Sdelphij return (rc); 1800109998Smarkm} 1801109998Smarkm 1802296341Sdelphijint kssl_tgt_is_available(KSSL_CTX *kssl_ctx) 1803296341Sdelphij{ 1804296341Sdelphij krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1805296341Sdelphij krb5_context krb5context = NULL; 1806296341Sdelphij krb5_ccache krb5ccdef = NULL; 1807296341Sdelphij krb5_creds krb5creds, *krb5credsp = NULL; 1808296341Sdelphij int rc = 0; 1809109998Smarkm 1810296341Sdelphij memset((char *)&krb5creds, 0, sizeof(krb5creds)); 1811109998Smarkm 1812296341Sdelphij if (!kssl_ctx) 1813296341Sdelphij return (0); 1814109998Smarkm 1815296341Sdelphij if (!kssl_ctx->service_host) 1816296341Sdelphij return (0); 1817109998Smarkm 1818296341Sdelphij if ((krb5rc = krb5_init_context(&krb5context)) != 0) 1819296341Sdelphij goto err; 1820109998Smarkm 1821296341Sdelphij if ((krb5rc = krb5_sname_to_principal(krb5context, 1822296341Sdelphij kssl_ctx->service_host, 1823296341Sdelphij (kssl_ctx->service_name) ? 1824296341Sdelphij kssl_ctx->service_name : KRB5SVC, 1825296341Sdelphij KRB5_NT_SRV_HST, 1826296341Sdelphij &krb5creds.server)) != 0) 1827296341Sdelphij goto err; 1828109998Smarkm 1829296341Sdelphij if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) 1830296341Sdelphij goto err; 1831109998Smarkm 1832296341Sdelphij if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, 1833296341Sdelphij &krb5creds.client)) != 0) 1834296341Sdelphij goto err; 1835109998Smarkm 1836296341Sdelphij if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, 1837296341Sdelphij &krb5creds, &krb5credsp)) != 0) 1838296341Sdelphij goto err; 1839109998Smarkm 1840296341Sdelphij rc = 1; 1841109998Smarkm 1842296341Sdelphij err: 1843296341Sdelphij# ifdef KSSL_DEBUG 1844296341Sdelphij kssl_ctx_show(kssl_ctx); 1845296341Sdelphij# endif /* KSSL_DEBUG */ 1846109998Smarkm 1847296341Sdelphij if (krb5creds.client) 1848296341Sdelphij krb5_free_principal(krb5context, krb5creds.client); 1849296341Sdelphij if (krb5creds.server) 1850296341Sdelphij krb5_free_principal(krb5context, krb5creds.server); 1851296341Sdelphij if (krb5context) 1852296341Sdelphij krb5_free_context(krb5context); 1853296341Sdelphij return (rc); 1854296341Sdelphij} 1855109998Smarkm 1856296341Sdelphij# if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32) 1857109998Smarkmvoid kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) 1858296341Sdelphij{ 1859296341Sdelphij# ifdef KRB5_HEIMDAL 1860296341Sdelphij data->length = 0; 1861296341Sdelphij if (data->data) 1862296341Sdelphij free(data->data); 1863296341Sdelphij# elif defined(KRB5_MIT_OLD11) 1864296341Sdelphij if (data->data) { 1865296341Sdelphij krb5_xfree(data->data); 1866296341Sdelphij data->data = 0; 1867296341Sdelphij } 1868296341Sdelphij# else 1869296341Sdelphij krb5_free_data_contents(NULL, data); 1870296341Sdelphij# endif 1871296341Sdelphij} 1872296341Sdelphij# endif 1873296341Sdelphij/* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */ 1874109998Smarkm 1875296341Sdelphij/* 1876296341Sdelphij * Given pointers to KerberosTime and struct tm structs, convert the 1877296341Sdelphij * KerberosTime string to struct tm. Note that KerberosTime is a 1878296341Sdelphij * ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional seconds 1879296341Sdelphij * as defined in RFC 1510. Return pointer to the (partially) filled in 1880296341Sdelphij * struct tm on success, return NULL on failure. 1881296341Sdelphij */ 1882238405Sjkimstatic struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) 1883296341Sdelphij{ 1884296341Sdelphij char c, *p; 1885109998Smarkm 1886296341Sdelphij if (!k_tm) 1887296341Sdelphij return NULL; 1888296341Sdelphij if (gtime == NULL || gtime->length < 14) 1889296341Sdelphij return NULL; 1890296341Sdelphij if (gtime->data == NULL) 1891296341Sdelphij return NULL; 1892109998Smarkm 1893296341Sdelphij p = (char *)>ime->data[14]; 1894109998Smarkm 1895296341Sdelphij c = *p; 1896296341Sdelphij *p = '\0'; 1897296341Sdelphij p -= 2; 1898296341Sdelphij k_tm->tm_sec = atoi(p); 1899296341Sdelphij *(p + 2) = c; 1900296341Sdelphij c = *p; 1901296341Sdelphij *p = '\0'; 1902296341Sdelphij p -= 2; 1903296341Sdelphij k_tm->tm_min = atoi(p); 1904296341Sdelphij *(p + 2) = c; 1905296341Sdelphij c = *p; 1906296341Sdelphij *p = '\0'; 1907296341Sdelphij p -= 2; 1908296341Sdelphij k_tm->tm_hour = atoi(p); 1909296341Sdelphij *(p + 2) = c; 1910296341Sdelphij c = *p; 1911296341Sdelphij *p = '\0'; 1912296341Sdelphij p -= 2; 1913296341Sdelphij k_tm->tm_mday = atoi(p); 1914296341Sdelphij *(p + 2) = c; 1915296341Sdelphij c = *p; 1916296341Sdelphij *p = '\0'; 1917296341Sdelphij p -= 2; 1918296341Sdelphij k_tm->tm_mon = atoi(p) - 1; 1919296341Sdelphij *(p + 2) = c; 1920296341Sdelphij c = *p; 1921296341Sdelphij *p = '\0'; 1922296341Sdelphij p -= 4; 1923296341Sdelphij k_tm->tm_year = atoi(p) - 1900; 1924296341Sdelphij *(p + 4) = c; 1925109998Smarkm 1926296341Sdelphij return k_tm; 1927296341Sdelphij} 1928109998Smarkm 1929296341Sdelphij/* 1930296341Sdelphij * Helper function for kssl_validate_times(). We need context->clockskew, 1931296341Sdelphij * but krb5_context is an opaque struct. So we try to sneek the clockskew 1932296341Sdelphij * out through the replay cache. If that fails just return a likely default 1933296341Sdelphij * (300 seconds). 1934296341Sdelphij */ 1935238405Sjkimstatic krb5_deltat get_rc_clockskew(krb5_context context) 1936296341Sdelphij{ 1937296341Sdelphij krb5_rcache rc; 1938296341Sdelphij krb5_deltat clockskew; 1939109998Smarkm 1940296341Sdelphij if (krb5_rc_default(context, &rc)) 1941296341Sdelphij return KSSL_CLOCKSKEW; 1942296341Sdelphij if (krb5_rc_initialize(context, rc, 0)) 1943296341Sdelphij return KSSL_CLOCKSKEW; 1944296341Sdelphij if (krb5_rc_get_lifespan(context, rc, &clockskew)) { 1945296341Sdelphij clockskew = KSSL_CLOCKSKEW; 1946296341Sdelphij } 1947296341Sdelphij (void)krb5_rc_destroy(context, rc); 1948296341Sdelphij return clockskew; 1949296341Sdelphij} 1950109998Smarkm 1951296341Sdelphij/* 1952296341Sdelphij * kssl_validate_times() combines (and more importantly exposes) the MIT KRB5 1953296341Sdelphij * internal function krb5_validate_times() and the in_clock_skew() macro. 1954296341Sdelphij * The authenticator client time is checked to be within clockskew secs of 1955296341Sdelphij * the current time and the current time is checked to be within the ticket 1956296341Sdelphij * start and expire times. Either check may be omitted by supplying a NULL 1957296341Sdelphij * value. Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. See 1958296341Sdelphij * Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c 20010420 VRS 1959296341Sdelphij */ 1960296341Sdelphijkrb5_error_code kssl_validate_times(krb5_timestamp atime, 1961296341Sdelphij krb5_ticket_times *ttimes) 1962296341Sdelphij{ 1963296341Sdelphij krb5_deltat skew; 1964296341Sdelphij krb5_timestamp start, now; 1965296341Sdelphij krb5_error_code rc; 1966296341Sdelphij krb5_context context; 1967109998Smarkm 1968296341Sdelphij if ((rc = krb5_init_context(&context))) 1969296341Sdelphij return SSL_R_KRB5_S_BAD_TICKET; 1970296341Sdelphij skew = get_rc_clockskew(context); 1971296341Sdelphij if ((rc = krb5_timeofday(context, &now))) 1972296341Sdelphij return SSL_R_KRB5_S_BAD_TICKET; 1973296341Sdelphij krb5_free_context(context); 1974109998Smarkm 1975296341Sdelphij if (atime && labs(atime - now) >= skew) 1976296341Sdelphij return SSL_R_KRB5_S_TKT_SKEW; 1977109998Smarkm 1978296341Sdelphij if (!ttimes) 1979296341Sdelphij return 0; 1980109998Smarkm 1981296341Sdelphij start = (ttimes->starttime != 0) ? ttimes->starttime : ttimes->authtime; 1982296341Sdelphij if (start - now > skew) 1983296341Sdelphij return SSL_R_KRB5_S_TKT_NYV; 1984296341Sdelphij if ((now - ttimes->endtime) > skew) 1985296341Sdelphij return SSL_R_KRB5_S_TKT_EXPIRED; 1986109998Smarkm 1987296341Sdelphij# ifdef KSSL_DEBUG 1988296341Sdelphij fprintf(stderr, "kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", 1989296341Sdelphij start, atime, now, skew, ttimes->endtime); 1990296341Sdelphij# endif /* KSSL_DEBUG */ 1991109998Smarkm 1992296341Sdelphij return 0; 1993296341Sdelphij} 1994109998Smarkm 1995296341Sdelphij/* 1996296341Sdelphij * Decode and decrypt given DER-encoded authenticator, then pass 1997296341Sdelphij * authenticator ctime back in *atimep (or 0 if time unavailable). Returns 1998296341Sdelphij * krb5_error_code and kssl_err on error. A NULL authenticator 1999296341Sdelphij * (authentp->length == 0) is not considered an error. Note that 2000296341Sdelphij * kssl_check_authent() makes use of the KRB5 session key; you must call 2001296341Sdelphij * kssl_sget_tkt() to get the key before calling this routine. 2002296341Sdelphij */ 2003296341Sdelphijkrb5_error_code kssl_check_authent( 2004296341Sdelphij /* 2005296341Sdelphij * IN 2006296341Sdelphij */ KSSL_CTX *kssl_ctx, 2007296341Sdelphij /* 2008296341Sdelphij * IN 2009296341Sdelphij */ krb5_data *authentp, 2010296341Sdelphij /* 2011296341Sdelphij * OUT 2012296341Sdelphij */ krb5_timestamp *atimep, 2013296341Sdelphij /* 2014296341Sdelphij * OUT 2015296341Sdelphij */ KSSL_ERR *kssl_err) 2016296341Sdelphij{ 2017296341Sdelphij krb5_error_code krb5rc = 0; 2018296341Sdelphij KRB5_ENCDATA *dec_authent = NULL; 2019296341Sdelphij KRB5_AUTHENTBODY *auth = NULL; 2020296341Sdelphij krb5_enctype enctype; 2021296341Sdelphij EVP_CIPHER_CTX ciph_ctx; 2022296341Sdelphij const EVP_CIPHER *enc = NULL; 2023296341Sdelphij unsigned char iv[EVP_MAX_IV_LENGTH]; 2024296341Sdelphij const unsigned char *p; 2025296341Sdelphij unsigned char *unenc_authent; 2026296341Sdelphij int outl, unencbufsize; 2027296341Sdelphij struct tm tm_time, *tm_l, *tm_g; 2028296341Sdelphij time_t now, tl, tg, tr, tz_offset; 2029109998Smarkm 2030296341Sdelphij EVP_CIPHER_CTX_init(&ciph_ctx); 2031296341Sdelphij *atimep = 0; 2032296341Sdelphij kssl_err_set(kssl_err, 0, ""); 2033109998Smarkm 2034296341Sdelphij# ifndef KRB5CHECKAUTH 2035296341Sdelphij authentp = NULL; 2036296341Sdelphij# else 2037296341Sdelphij# if KRB5CHECKAUTH == 0 2038296341Sdelphij authentp = NULL; 2039296341Sdelphij# endif 2040296341Sdelphij# endif /* KRB5CHECKAUTH */ 2041109998Smarkm 2042296341Sdelphij if (authentp == NULL || authentp->length == 0) 2043296341Sdelphij return 0; 2044109998Smarkm 2045296341Sdelphij# ifdef KSSL_DEBUG 2046296341Sdelphij { 2047109998Smarkm unsigned int ui; 2048296341Sdelphij fprintf(stderr, "kssl_check_authent: authenticator[%d]:\n", 2049296341Sdelphij authentp->length); 2050296341Sdelphij p = authentp->data; 2051296341Sdelphij for (ui = 0; ui < authentp->length; ui++) 2052296341Sdelphij fprintf(stderr, "%02x ", p[ui]); 2053296341Sdelphij fprintf(stderr, "\n"); 2054296341Sdelphij } 2055296341Sdelphij# endif /* KSSL_DEBUG */ 2056109998Smarkm 2057296341Sdelphij unencbufsize = 2 * authentp->length; 2058296341Sdelphij if ((unenc_authent = calloc(1, unencbufsize)) == NULL) { 2059296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2060296341Sdelphij "Unable to allocate authenticator buffer.\n"); 2061296341Sdelphij krb5rc = KRB5KRB_ERR_GENERIC; 2062296341Sdelphij goto err; 2063296341Sdelphij } 2064109998Smarkm 2065296341Sdelphij p = (unsigned char *)authentp->data; 2066296341Sdelphij if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p, 2067296341Sdelphij (long)authentp->length)) == NULL) { 2068296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2069296341Sdelphij "Error decoding authenticator.\n"); 2070296341Sdelphij krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2071296341Sdelphij goto err; 2072296341Sdelphij } 2073109998Smarkm 2074296341Sdelphij enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */ 2075296341Sdelphij# if !defined(KRB5_MIT_OLD11) 2076296341Sdelphij switch (enctype) { 2077296341Sdelphij case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ 2078296341Sdelphij case ENCTYPE_DES3_CBC_SHA: 2079296341Sdelphij case ENCTYPE_DES3_CBC_RAW: 2080296341Sdelphij krb5rc = 0; /* Skip, can't handle derived keys */ 2081296341Sdelphij goto err; 2082296341Sdelphij } 2083296341Sdelphij# endif 2084296341Sdelphij enc = kssl_map_enc(enctype); 2085296341Sdelphij memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2086109998Smarkm 2087296341Sdelphij if (enc == NULL) { 2088296341Sdelphij /* 2089296341Sdelphij * Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1. This 2090296341Sdelphij * enctype indicates the authenticator was encrypted using key-usage 2091296341Sdelphij * derived keys which openssl cannot decrypt. 2092296341Sdelphij */ 2093296341Sdelphij goto err; 2094296341Sdelphij } 2095109998Smarkm 2096296341Sdelphij if (!EVP_CipherInit(&ciph_ctx, enc, kssl_ctx->key, iv, 0)) { 2097296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2098296341Sdelphij "EVP_CipherInit error decrypting authenticator.\n"); 2099296341Sdelphij krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2100296341Sdelphij goto err; 2101296341Sdelphij } 2102296341Sdelphij outl = dec_authent->cipher->length; 2103296341Sdelphij if (!EVP_Cipher 2104296341Sdelphij (&ciph_ctx, unenc_authent, dec_authent->cipher->data, outl)) { 2105296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2106296341Sdelphij "EVP_Cipher error decrypting authenticator.\n"); 2107296341Sdelphij krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2108296341Sdelphij goto err; 2109296341Sdelphij } 2110296341Sdelphij EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2111109998Smarkm 2112296341Sdelphij# ifdef KSSL_DEBUG 2113296341Sdelphij { 2114296341Sdelphij int padl; 2115296341Sdelphij fprintf(stderr, "kssl_check_authent: decrypted authenticator[%d] =\n", 2116296341Sdelphij outl); 2117296341Sdelphij for (padl = 0; padl < outl; padl++) 2118296341Sdelphij fprintf(stderr, "%02x ", unenc_authent[padl]); 2119296341Sdelphij fprintf(stderr, "\n"); 2120296341Sdelphij } 2121296341Sdelphij# endif /* KSSL_DEBUG */ 2122109998Smarkm 2123296341Sdelphij if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) { 2124296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2125296341Sdelphij "confounded by authenticator.\n"); 2126296341Sdelphij krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2127296341Sdelphij goto err; 2128296341Sdelphij } 2129296341Sdelphij outl -= p - unenc_authent; 2130109998Smarkm 2131296341Sdelphij if ((auth = (KRB5_AUTHENTBODY *)d2i_KRB5_AUTHENT(NULL, &p, 2132296341Sdelphij (long)outl)) == NULL) { 2133296341Sdelphij kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2134296341Sdelphij "Error decoding authenticator body.\n"); 2135296341Sdelphij krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2136296341Sdelphij goto err; 2137296341Sdelphij } 2138109998Smarkm 2139296341Sdelphij memset(&tm_time, 0, sizeof(struct tm)); 2140296341Sdelphij if (k_gmtime(auth->ctime, &tm_time) && 2141296341Sdelphij ((tr = mktime(&tm_time)) != (time_t)(-1))) { 2142296341Sdelphij now = time(&now); 2143296341Sdelphij tm_l = localtime(&now); 2144296341Sdelphij tl = mktime(tm_l); 2145296341Sdelphij tm_g = gmtime(&now); 2146296341Sdelphij tg = mktime(tm_g); 2147296341Sdelphij tz_offset = tg - tl; 2148109998Smarkm 2149296341Sdelphij *atimep = (krb5_timestamp)(tr - tz_offset); 2150296341Sdelphij } 2151296341Sdelphij# ifdef KSSL_DEBUG 2152296341Sdelphij fprintf(stderr, "kssl_check_authent: returns %d for client time ", 2153296341Sdelphij *atimep); 2154296341Sdelphij if (auth && auth->ctime && auth->ctime->length && auth->ctime->data) 2155296341Sdelphij fprintf(stderr, "%.*s\n", auth->ctime->length, auth->ctime->data); 2156296341Sdelphij else 2157296341Sdelphij fprintf(stderr, "NULL\n"); 2158296341Sdelphij# endif /* KSSL_DEBUG */ 2159109998Smarkm 2160109998Smarkm err: 2161296341Sdelphij if (auth) 2162296341Sdelphij KRB5_AUTHENT_free((KRB5_AUTHENT *) auth); 2163296341Sdelphij if (dec_authent) 2164296341Sdelphij KRB5_ENCDATA_free(dec_authent); 2165296341Sdelphij if (unenc_authent) 2166296341Sdelphij free(unenc_authent); 2167296341Sdelphij EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2168296341Sdelphij return krb5rc; 2169296341Sdelphij} 2170109998Smarkm 2171296341Sdelphij/* 2172296341Sdelphij * Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host), 2173296341Sdelphij * because I don't know how to stub varargs. Returns krb5_error_code == 2174296341Sdelphij * ENOMEM on alloc error, otherwise passes back newly constructed principal, 2175296341Sdelphij * which should be freed by caller. 2176296341Sdelphij */ 2177296341Sdelphijkrb5_error_code kssl_build_principal_2( 2178296341Sdelphij /* 2179296341Sdelphij * UPDATE 2180296341Sdelphij */ krb5_context context, 2181296341Sdelphij /* 2182296341Sdelphij * OUT 2183296341Sdelphij */ krb5_principal *princ, 2184296341Sdelphij /* 2185296341Sdelphij * IN 2186296341Sdelphij */ int rlen, const char *realm, 2187296341Sdelphij /* 2188296341Sdelphij * IN 2189296341Sdelphij */ int slen, const char *svc, 2190296341Sdelphij /* 2191296341Sdelphij * IN 2192296341Sdelphij */ int hlen, const char *host) 2193296341Sdelphij{ 2194296341Sdelphij krb5_data *p_data = NULL; 2195296341Sdelphij krb5_principal new_p = NULL; 2196296341Sdelphij char *new_r = NULL; 2197109998Smarkm 2198296341Sdelphij if ((p_data = (krb5_data *)calloc(2, sizeof(krb5_data))) == NULL || 2199296341Sdelphij (new_p = (krb5_principal)calloc(1, sizeof(krb5_principal_data))) 2200296341Sdelphij == NULL) 2201296341Sdelphij goto err; 2202296341Sdelphij new_p->length = 2; 2203296341Sdelphij new_p->data = p_data; 2204109998Smarkm 2205296341Sdelphij if ((new_r = calloc(1, rlen + 1)) == NULL) 2206296341Sdelphij goto err; 2207296341Sdelphij memcpy(new_r, realm, rlen); 2208296341Sdelphij krb5_princ_set_realm_length(context, new_p, rlen); 2209296341Sdelphij krb5_princ_set_realm_data(context, new_p, new_r); 2210109998Smarkm 2211296341Sdelphij if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) 2212296341Sdelphij goto err; 2213296341Sdelphij memcpy(new_p->data[0].data, svc, slen); 2214296341Sdelphij new_p->data[0].length = slen; 2215109998Smarkm 2216296341Sdelphij if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) 2217296341Sdelphij goto err; 2218296341Sdelphij memcpy(new_p->data[1].data, host, hlen); 2219296341Sdelphij new_p->data[1].length = hlen; 2220109998Smarkm 2221296341Sdelphij krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN; 2222296341Sdelphij *princ = new_p; 2223296341Sdelphij return 0; 2224109998Smarkm 2225109998Smarkm err: 2226296341Sdelphij if (new_p && new_p[0].data) 2227296341Sdelphij free(new_p[0].data); 2228296341Sdelphij if (new_p && new_p[1].data) 2229296341Sdelphij free(new_p[1].data); 2230296341Sdelphij if (new_p) 2231296341Sdelphij free(new_p); 2232296341Sdelphij if (new_r) 2233296341Sdelphij free(new_r); 2234296341Sdelphij return ENOMEM; 2235296341Sdelphij} 2236109998Smarkm 2237238405Sjkimvoid SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx) 2238296341Sdelphij{ 2239296341Sdelphij s->kssl_ctx = kctx; 2240296341Sdelphij} 2241109998Smarkm 2242296341SdelphijKSSL_CTX *SSL_get0_kssl_ctx(SSL *s) 2243296341Sdelphij{ 2244296341Sdelphij return s->kssl_ctx; 2245296341Sdelphij} 2246238405Sjkim 2247238405Sjkimchar *kssl_ctx_get0_client_princ(KSSL_CTX *kctx) 2248296341Sdelphij{ 2249296341Sdelphij if (kctx) 2250296341Sdelphij return kctx->client_princ; 2251296341Sdelphij return NULL; 2252296341Sdelphij} 2253238405Sjkim 2254296341Sdelphij#else /* !OPENSSL_NO_KRB5 */ 2255109998Smarkm 2256296341Sdelphij# if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS) 2257296341Sdelphijstatic void *dummy = &dummy; 2258296341Sdelphij# endif 2259109998Smarkm 2260296341Sdelphij#endif /* !OPENSSL_NO_KRB5 */ 2261