Index: openssl/ssl/kssl.c |
diff --git a/openssl/ssl/kssl.c b/openssl/ssl/kssl.c |
deleted file mode 100644 |
index fd7c67bb1fcb6406b99ec87190c5beefda44eb53..0000000000000000000000000000000000000000 |
--- a/openssl/ssl/kssl.c |
+++ /dev/null |
@@ -1,2221 +0,0 @@ |
-/* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */ |
-/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000. |
- */ |
-/* ==================================================================== |
- * Copyright (c) 2000 The OpenSSL Project. All rights reserved. |
- * |
- * Redistribution and use in source and binary forms, with or without |
- * modification, are permitted provided that the following conditions |
- * are met: |
- * |
- * 1. Redistributions of source code must retain the above copyright |
- * notice, this list of conditions and the following disclaimer. |
- * |
- * 2. Redistributions in binary form must reproduce the above copyright |
- * notice, this list of conditions and the following disclaimer in |
- * the documentation and/or other materials provided with the |
- * distribution. |
- * |
- * 3. All advertising materials mentioning features or use of this |
- * software must display the following acknowledgment: |
- * "This product includes software developed by the OpenSSL Project |
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" |
- * |
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
- * endorse or promote products derived from this software without |
- * prior written permission. For written permission, please contact |
- * licensing@OpenSSL.org. |
- * |
- * 5. Products derived from this software may not be called "OpenSSL" |
- * nor may "OpenSSL" appear in their names without prior written |
- * permission of the OpenSSL Project. |
- * |
- * 6. Redistributions of any form whatsoever must retain the following |
- * acknowledgment: |
- * "This product includes software developed by the OpenSSL Project |
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" |
- * |
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
- * OF THE POSSIBILITY OF SUCH DAMAGE. |
- * ==================================================================== |
- * |
- * This product includes cryptographic software written by Eric Young |
- * (eay@cryptsoft.com). This product includes software written by Tim |
- * Hudson (tjh@cryptsoft.com). |
- * |
- */ |
- |
- |
-/* ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl |
-** |
-** 19990701 VRS Started. |
-** 200011?? Jeffrey Altman, Richard Levitte |
-** Generalized for Heimdal, Newer MIT, & Win32. |
-** Integrated into main OpenSSL 0.9.7 snapshots. |
-** 20010413 Simon Wilkinson, VRS |
-** Real RFC2712 KerberosWrapper replaces AP_REQ. |
-*/ |
- |
-#include <openssl/opensslconf.h> |
- |
-#include <string.h> |
- |
-#define KRB5_PRIVATE 1 |
- |
-#include <openssl/ssl.h> |
-#include <openssl/evp.h> |
-#include <openssl/objects.h> |
-#include <openssl/krb5_asn.h> |
-#include "kssl_lcl.h" |
- |
-#ifndef OPENSSL_NO_KRB5 |
- |
-#ifndef ENOMEM |
-#define ENOMEM KRB5KRB_ERR_GENERIC |
-#endif |
- |
-/* |
- * When OpenSSL is built on Windows, we do not want to require that |
- * the Kerberos DLLs be available in order for the OpenSSL DLLs to |
- * work. Therefore, all Kerberos routines are loaded at run time |
- * and we do not link to a .LIB file. |
- */ |
- |
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) |
-/* |
- * The purpose of the following pre-processor statements is to provide |
- * compatibility with different releases of MIT Kerberos for Windows. |
- * All versions up to 1.2 used macros. But macros do not allow for |
- * a binary compatible interface for DLLs. Therefore, all macros are |
- * being replaced by function calls. The following code will allow |
- * an OpenSSL DLL built on Windows to work whether or not the macro |
- * or function form of the routines are utilized. |
- */ |
-#ifdef krb5_cc_get_principal |
-#define NO_DEF_KRB5_CCACHE |
-#undef krb5_cc_get_principal |
-#endif |
-#define krb5_cc_get_principal kssl_krb5_cc_get_principal |
- |
-#define krb5_free_data_contents kssl_krb5_free_data_contents |
-#define krb5_free_context kssl_krb5_free_context |
-#define krb5_auth_con_free kssl_krb5_auth_con_free |
-#define krb5_free_principal kssl_krb5_free_principal |
-#define krb5_mk_req_extended kssl_krb5_mk_req_extended |
-#define krb5_get_credentials kssl_krb5_get_credentials |
-#define krb5_cc_default kssl_krb5_cc_default |
-#define krb5_sname_to_principal kssl_krb5_sname_to_principal |
-#define krb5_init_context kssl_krb5_init_context |
-#define krb5_free_ticket kssl_krb5_free_ticket |
-#define krb5_rd_req kssl_krb5_rd_req |
-#define krb5_kt_default kssl_krb5_kt_default |
-#define krb5_kt_resolve kssl_krb5_kt_resolve |
-/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */ |
-#ifndef krb5_kt_close |
-#define krb5_kt_close kssl_krb5_kt_close |
-#endif /* krb5_kt_close */ |
-#ifndef krb5_kt_get_entry |
-#define krb5_kt_get_entry kssl_krb5_kt_get_entry |
-#endif /* krb5_kt_get_entry */ |
-#define krb5_auth_con_init kssl_krb5_auth_con_init |
- |
-#define krb5_principal_compare kssl_krb5_principal_compare |
-#define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part |
-#define krb5_timeofday kssl_krb5_timeofday |
-#define krb5_rc_default kssl_krb5_rc_default |
- |
-#ifdef krb5_rc_initialize |
-#undef krb5_rc_initialize |
-#endif |
-#define krb5_rc_initialize kssl_krb5_rc_initialize |
- |
-#ifdef krb5_rc_get_lifespan |
-#undef krb5_rc_get_lifespan |
-#endif |
-#define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan |
- |
-#ifdef krb5_rc_destroy |
-#undef krb5_rc_destroy |
-#endif |
-#define krb5_rc_destroy kssl_krb5_rc_destroy |
- |
-#define valid_cksumtype kssl_valid_cksumtype |
-#define krb5_checksum_size kssl_krb5_checksum_size |
-#define krb5_kt_free_entry kssl_krb5_kt_free_entry |
-#define krb5_auth_con_setrcache kssl_krb5_auth_con_setrcache |
-#define krb5_auth_con_getrcache kssl_krb5_auth_con_getrcache |
-#define krb5_get_server_rcache kssl_krb5_get_server_rcache |
- |
-/* Prototypes for built in stubs */ |
-void kssl_krb5_free_data_contents(krb5_context, krb5_data *); |
-void kssl_krb5_free_principal(krb5_context, krb5_principal ); |
-krb5_error_code kssl_krb5_kt_resolve(krb5_context, |
- krb5_const char *, |
- krb5_keytab *); |
-krb5_error_code kssl_krb5_kt_default(krb5_context, |
- krb5_keytab *); |
-krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *); |
-krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, |
- krb5_const krb5_data *, |
- krb5_const_principal, krb5_keytab, |
- krb5_flags *,krb5_ticket **); |
- |
-krb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal, |
- krb5_const_principal); |
-krb5_error_code kssl_krb5_mk_req_extended(krb5_context, |
- krb5_auth_context *, |
- krb5_const krb5_flags, |
- krb5_data *, |
- krb5_creds *, |
- krb5_data * ); |
-krb5_error_code kssl_krb5_init_context(krb5_context *); |
-void kssl_krb5_free_context(krb5_context); |
-krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache *); |
-krb5_error_code kssl_krb5_sname_to_principal(krb5_context, |
- krb5_const char *, |
- krb5_const char *, |
- krb5_int32, |
- krb5_principal *); |
-krb5_error_code kssl_krb5_get_credentials(krb5_context, |
- krb5_const krb5_flags, |
- krb5_ccache, |
- krb5_creds *, |
- krb5_creds * *); |
-krb5_error_code kssl_krb5_auth_con_init(krb5_context, |
- krb5_auth_context *); |
-krb5_error_code kssl_krb5_cc_get_principal(krb5_context context, |
- krb5_ccache cache, |
- krb5_principal *principal); |
-krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context); |
-size_t kssl_krb5_checksum_size(krb5_context context,krb5_cksumtype ctype); |
-krb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype); |
-krb5_error_code krb5_kt_free_entry(krb5_context,krb5_keytab_entry FAR * ); |
-krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, |
- krb5_auth_context, |
- krb5_rcache); |
-krb5_error_code kssl_krb5_get_server_rcache(krb5_context, |
- krb5_const krb5_data *, |
- krb5_rcache *); |
-krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, |
- krb5_auth_context, |
- krb5_rcache *); |
- |
-/* Function pointers (almost all Kerberos functions are _stdcall) */ |
-static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *) |
- =NULL; |
-static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal ) |
- =NULL; |
-static krb5_error_code(_stdcall *p_krb5_kt_resolve) |
- (krb5_context, krb5_const char *, krb5_keytab *)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context, |
- krb5_keytab *)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context, |
- krb5_ticket *)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context, |
- krb5_auth_context *, |
- krb5_const krb5_data *, |
- krb5_const_principal, |
- krb5_keytab, krb5_flags *, |
- krb5_ticket **)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_mk_req_extended) |
- (krb5_context, krb5_auth_context *, |
- krb5_const krb5_flags, krb5_data *, krb5_creds *, |
- krb5_data * )=NULL; |
-static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL; |
-static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context, |
- krb5_ccache *)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_sname_to_principal) |
- (krb5_context, krb5_const char *, krb5_const char *, |
- krb5_int32, krb5_principal *)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_get_credentials) |
- (krb5_context, krb5_const krb5_flags, krb5_ccache, |
- krb5_creds *, krb5_creds **)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_auth_con_init) |
- (krb5_context, krb5_auth_context *)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_cc_get_principal) |
- (krb5_context context, krb5_ccache cache, |
- krb5_principal *principal)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_auth_con_free) |
- (krb5_context, krb5_auth_context)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_decrypt_tkt_part) |
- (krb5_context, krb5_const krb5_keyblock *, |
- krb5_ticket *)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_timeofday) |
- (krb5_context context, krb5_int32 *timeret)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_rc_default) |
- (krb5_context context, krb5_rcache *rc)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_rc_initialize) |
- (krb5_context context, krb5_rcache rc, |
- krb5_deltat lifespan)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_rc_get_lifespan) |
- (krb5_context context, krb5_rcache rc, |
- krb5_deltat *lifespan)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_rc_destroy) |
- (krb5_context context, krb5_rcache rc)=NULL; |
-static krb5_boolean (_stdcall *p_krb5_principal_compare) |
- (krb5_context, krb5_const_principal, krb5_const_principal)=NULL; |
-static size_t (_stdcall *p_krb5_checksum_size)(krb5_context context,krb5_cksumtype ctype)=NULL; |
-static krb5_boolean (_stdcall *p_valid_cksumtype)(krb5_cksumtype ctype)=NULL; |
-static krb5_error_code (_stdcall *p_krb5_kt_free_entry) |
- (krb5_context,krb5_keytab_entry * )=NULL; |
-static krb5_error_code (_stdcall * p_krb5_auth_con_setrcache)(krb5_context, |
- krb5_auth_context, |
- krb5_rcache)=NULL; |
-static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context, |
- krb5_const krb5_data *, |
- krb5_rcache *)=NULL; |
-static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, |
- krb5_auth_context, |
- krb5_rcache *)=NULL; |
-static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, |
- krb5_keytab keytab)=NULL; |
-static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, |
- krb5_keytab keytab, |
- krb5_const_principal principal, krb5_kvno vno, |
- krb5_enctype enctype, krb5_keytab_entry *entry)=NULL; |
-static int krb5_loaded = 0; /* only attempt to initialize func ptrs once */ |
- |
-/* Function to Load the Kerberos 5 DLL and initialize function pointers */ |
-void |
-load_krb5_dll(void) |
- { |
- HANDLE hKRB5_32; |
- |
- krb5_loaded++; |
- hKRB5_32 = LoadLibrary(TEXT("KRB5_32")); |
- if (!hKRB5_32) |
- return; |
- |
- (FARPROC) p_krb5_free_data_contents = |
- GetProcAddress( hKRB5_32, "krb5_free_data_contents" ); |
- (FARPROC) p_krb5_free_context = |
- GetProcAddress( hKRB5_32, "krb5_free_context" ); |
- (FARPROC) p_krb5_auth_con_free = |
- GetProcAddress( hKRB5_32, "krb5_auth_con_free" ); |
- (FARPROC) p_krb5_free_principal = |
- GetProcAddress( hKRB5_32, "krb5_free_principal" ); |
- (FARPROC) p_krb5_mk_req_extended = |
- GetProcAddress( hKRB5_32, "krb5_mk_req_extended" ); |
- (FARPROC) p_krb5_get_credentials = |
- GetProcAddress( hKRB5_32, "krb5_get_credentials" ); |
- (FARPROC) p_krb5_cc_get_principal = |
- GetProcAddress( hKRB5_32, "krb5_cc_get_principal" ); |
- (FARPROC) p_krb5_cc_default = |
- GetProcAddress( hKRB5_32, "krb5_cc_default" ); |
- (FARPROC) p_krb5_sname_to_principal = |
- GetProcAddress( hKRB5_32, "krb5_sname_to_principal" ); |
- (FARPROC) p_krb5_init_context = |
- GetProcAddress( hKRB5_32, "krb5_init_context" ); |
- (FARPROC) p_krb5_free_ticket = |
- GetProcAddress( hKRB5_32, "krb5_free_ticket" ); |
- (FARPROC) p_krb5_rd_req = |
- GetProcAddress( hKRB5_32, "krb5_rd_req" ); |
- (FARPROC) p_krb5_principal_compare = |
- GetProcAddress( hKRB5_32, "krb5_principal_compare" ); |
- (FARPROC) p_krb5_decrypt_tkt_part = |
- GetProcAddress( hKRB5_32, "krb5_decrypt_tkt_part" ); |
- (FARPROC) p_krb5_timeofday = |
- GetProcAddress( hKRB5_32, "krb5_timeofday" ); |
- (FARPROC) p_krb5_rc_default = |
- GetProcAddress( hKRB5_32, "krb5_rc_default" ); |
- (FARPROC) p_krb5_rc_initialize = |
- GetProcAddress( hKRB5_32, "krb5_rc_initialize" ); |
- (FARPROC) p_krb5_rc_get_lifespan = |
- GetProcAddress( hKRB5_32, "krb5_rc_get_lifespan" ); |
- (FARPROC) p_krb5_rc_destroy = |
- GetProcAddress( hKRB5_32, "krb5_rc_destroy" ); |
- (FARPROC) p_krb5_kt_default = |
- GetProcAddress( hKRB5_32, "krb5_kt_default" ); |
- (FARPROC) p_krb5_kt_resolve = |
- GetProcAddress( hKRB5_32, "krb5_kt_resolve" ); |
- (FARPROC) p_krb5_auth_con_init = |
- GetProcAddress( hKRB5_32, "krb5_auth_con_init" ); |
- (FARPROC) p_valid_cksumtype = |
- GetProcAddress( hKRB5_32, "valid_cksumtype" ); |
- (FARPROC) p_krb5_checksum_size = |
- GetProcAddress( hKRB5_32, "krb5_checksum_size" ); |
- (FARPROC) p_krb5_kt_free_entry = |
- GetProcAddress( hKRB5_32, "krb5_kt_free_entry" ); |
- (FARPROC) p_krb5_auth_con_setrcache = |
- GetProcAddress( hKRB5_32, "krb5_auth_con_setrcache" ); |
- (FARPROC) p_krb5_get_server_rcache = |
- GetProcAddress( hKRB5_32, "krb5_get_server_rcache" ); |
- (FARPROC) p_krb5_auth_con_getrcache = |
- GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" ); |
- (FARPROC) p_krb5_kt_close = |
- GetProcAddress( hKRB5_32, "krb5_kt_close" ); |
- (FARPROC) p_krb5_kt_get_entry = |
- GetProcAddress( hKRB5_32, "krb5_kt_get_entry" ); |
- } |
- |
-/* Stubs for each function to be dynamicly loaded */ |
-void |
-kssl_krb5_free_data_contents(krb5_context CO, krb5_data * data) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_free_data_contents ) |
- p_krb5_free_data_contents(CO,data); |
- } |
- |
-krb5_error_code |
-kssl_krb5_mk_req_extended (krb5_context CO, |
- krb5_auth_context * pACO, |
- krb5_const krb5_flags F, |
- krb5_data * pD1, |
- krb5_creds * pC, |
- krb5_data * pD2) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_mk_req_extended ) |
- return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
-krb5_error_code |
-kssl_krb5_auth_con_init(krb5_context CO, |
- krb5_auth_context * pACO) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_auth_con_init ) |
- return(p_krb5_auth_con_init(CO,pACO)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
-krb5_error_code |
-kssl_krb5_auth_con_free (krb5_context CO, |
- krb5_auth_context ACO) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_auth_con_free ) |
- return(p_krb5_auth_con_free(CO,ACO)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
-krb5_error_code |
-kssl_krb5_get_credentials(krb5_context CO, |
- krb5_const krb5_flags F, |
- krb5_ccache CC, |
- krb5_creds * pCR, |
- krb5_creds ** ppCR) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_get_credentials ) |
- return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
-krb5_error_code |
-kssl_krb5_sname_to_principal(krb5_context CO, |
- krb5_const char * pC1, |
- krb5_const char * pC2, |
- krb5_int32 I, |
- krb5_principal * pPR) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_sname_to_principal ) |
- return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_cc_default(krb5_context CO, |
- krb5_ccache * pCC) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_cc_default ) |
- return(p_krb5_cc_default(CO,pCC)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_init_context(krb5_context * pCO) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_init_context ) |
- return(p_krb5_init_context(pCO)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-void |
-kssl_krb5_free_context(krb5_context CO) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_free_context ) |
- p_krb5_free_context(CO); |
- } |
- |
-void |
-kssl_krb5_free_principal(krb5_context c, krb5_principal p) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_free_principal ) |
- p_krb5_free_principal(c,p); |
- } |
- |
-krb5_error_code |
-kssl_krb5_kt_resolve(krb5_context con, |
- krb5_const char * sz, |
- krb5_keytab * kt) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_kt_resolve ) |
- return(p_krb5_kt_resolve(con,sz,kt)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_kt_default(krb5_context con, |
- krb5_keytab * kt) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_kt_default ) |
- return(p_krb5_kt_default(con,kt)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_free_ticket(krb5_context con, |
- krb5_ticket * kt) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_free_ticket ) |
- return(p_krb5_free_ticket(con,kt)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon, |
- krb5_const krb5_data * data, |
- krb5_const_principal princ, krb5_keytab keytab, |
- krb5_flags * flags, krb5_ticket ** pptkt) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_rd_req ) |
- return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_boolean |
-krb5_principal_compare(krb5_context con, krb5_const_principal princ1, |
- krb5_const_principal princ2) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_principal_compare ) |
- return(p_krb5_principal_compare(con,princ1,princ2)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-krb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys, |
- krb5_ticket *ticket) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_decrypt_tkt_part ) |
- return(p_krb5_decrypt_tkt_part(con,keys,ticket)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-krb5_timeofday(krb5_context con, krb5_int32 *timeret) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_timeofday ) |
- return(p_krb5_timeofday(con,timeret)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-krb5_rc_default(krb5_context con, krb5_rcache *rc) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_rc_default ) |
- return(p_krb5_rc_default(con,rc)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-krb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_rc_initialize ) |
- return(p_krb5_rc_initialize(con, rc, lifespan)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-krb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_rc_get_lifespan ) |
- return(p_krb5_rc_get_lifespan(con, rc, lifespanp)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-krb5_rc_destroy(krb5_context con, krb5_rcache rc) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_rc_destroy ) |
- return(p_krb5_rc_destroy(con, rc)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-size_t |
-krb5_checksum_size(krb5_context context,krb5_cksumtype ctype) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_checksum_size ) |
- return(p_krb5_checksum_size(context, ctype)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_boolean |
-valid_cksumtype(krb5_cksumtype ctype) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_valid_cksumtype ) |
- return(p_valid_cksumtype(ctype)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-krb5_kt_free_entry(krb5_context con,krb5_keytab_entry * entry) |
- { |
- if (!krb5_loaded) |
- load_krb5_dll(); |
- |
- if ( p_krb5_kt_free_entry ) |
- return(p_krb5_kt_free_entry(con,entry)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-/* Structure definitions */ |
-#ifndef NO_DEF_KRB5_CCACHE |
-#ifndef krb5_x |
-#define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) |
-#define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) |
-#endif |
- |
-typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */ |
- |
-typedef struct _krb5_ccache |
- { |
- krb5_magic magic; |
- struct _krb5_cc_ops FAR *ops; |
- krb5_pointer data; |
- } *krb5_ccache; |
- |
-typedef struct _krb5_cc_ops |
- { |
- krb5_magic magic; |
- char *prefix; |
- char * (KRB5_CALLCONV *get_name) |
- (krb5_context, krb5_ccache); |
- krb5_error_code (KRB5_CALLCONV *resolve) |
- (krb5_context, krb5_ccache *, const char *); |
- krb5_error_code (KRB5_CALLCONV *gen_new) |
- (krb5_context, krb5_ccache *); |
- krb5_error_code (KRB5_CALLCONV *init) |
- (krb5_context, krb5_ccache, krb5_principal); |
- krb5_error_code (KRB5_CALLCONV *destroy) |
- (krb5_context, krb5_ccache); |
- krb5_error_code (KRB5_CALLCONV *close) |
- (krb5_context, krb5_ccache); |
- krb5_error_code (KRB5_CALLCONV *store) |
- (krb5_context, krb5_ccache, krb5_creds *); |
- krb5_error_code (KRB5_CALLCONV *retrieve) |
- (krb5_context, krb5_ccache, |
- krb5_flags, krb5_creds *, krb5_creds *); |
- krb5_error_code (KRB5_CALLCONV *get_princ) |
- (krb5_context, krb5_ccache, krb5_principal *); |
- krb5_error_code (KRB5_CALLCONV *get_first) |
- (krb5_context, krb5_ccache, krb5_cc_cursor *); |
- krb5_error_code (KRB5_CALLCONV *get_next) |
- (krb5_context, krb5_ccache, |
- krb5_cc_cursor *, krb5_creds *); |
- krb5_error_code (KRB5_CALLCONV *end_get) |
- (krb5_context, krb5_ccache, krb5_cc_cursor *); |
- krb5_error_code (KRB5_CALLCONV *remove_cred) |
- (krb5_context, krb5_ccache, |
- krb5_flags, krb5_creds *); |
- krb5_error_code (KRB5_CALLCONV *set_flags) |
- (krb5_context, krb5_ccache, krb5_flags); |
- } krb5_cc_ops; |
-#endif /* NO_DEF_KRB5_CCACHE */ |
- |
-krb5_error_code |
-kssl_krb5_cc_get_principal |
- (krb5_context context, krb5_ccache cache, |
- krb5_principal *principal) |
- { |
- if ( p_krb5_cc_get_principal ) |
- return(p_krb5_cc_get_principal(context,cache,principal)); |
- else |
- return(krb5_x |
- ((cache)->ops->get_princ,(context, cache, principal))); |
- } |
- |
-krb5_error_code |
-kssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon, |
- krb5_rcache rcache) |
- { |
- if ( p_krb5_auth_con_setrcache ) |
- return(p_krb5_auth_con_setrcache(con,acon,rcache)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data, |
- krb5_rcache * rcache) |
- { |
- if ( p_krb5_get_server_rcache ) |
- return(p_krb5_get_server_rcache(con,data,rcache)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon, |
- krb5_rcache * prcache) |
- { |
- if ( p_krb5_auth_con_getrcache ) |
- return(p_krb5_auth_con_getrcache(con,acon, prcache)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab) |
- { |
- if ( p_krb5_kt_close ) |
- return(p_krb5_kt_close(context,keytab)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
-krb5_error_code |
-kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, |
- krb5_const_principal principal, krb5_kvno vno, |
- krb5_enctype enctype, krb5_keytab_entry *entry) |
- { |
- if ( p_krb5_kt_get_entry ) |
- return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry)); |
- else |
- return KRB5KRB_ERR_GENERIC; |
- } |
-#endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ |
- |
- |
-/* memory allocation functions for non-temporary storage |
- * (e.g. stuff that gets saved into the kssl context) */ |
-static void* kssl_calloc(size_t nmemb, size_t size) |
-{ |
- void* p; |
- |
- p=OPENSSL_malloc(nmemb*size); |
- if (p){ |
- memset(p, 0, nmemb*size); |
- } |
- return p; |
-} |
- |
-#define kssl_malloc(size) OPENSSL_malloc((size)) |
-#define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size) |
-#define kssl_free(ptr) OPENSSL_free((ptr)) |
- |
- |
-char |
-*kstring(char *string) |
- { |
- static char *null = "[NULL]"; |
- |
- return ((string == NULL)? null: string); |
- } |
- |
-/* Given KRB5 enctype (basically DES or 3DES), |
-** return closest match openssl EVP_ encryption algorithm. |
-** Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes. |
-** Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK. |
-*/ |
-const EVP_CIPHER * |
-kssl_map_enc(krb5_enctype enctype) |
- { |
- switch (enctype) |
- { |
- case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */ |
- case ENCTYPE_DES_CBC_CRC: |
- case ENCTYPE_DES_CBC_MD4: |
- case ENCTYPE_DES_CBC_MD5: |
- case ENCTYPE_DES_CBC_RAW: |
- return EVP_des_cbc(); |
- break; |
- case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ |
- case ENCTYPE_DES3_CBC_SHA: |
- case ENCTYPE_DES3_CBC_RAW: |
- return EVP_des_ede3_cbc(); |
- break; |
- default: return NULL; |
- break; |
- } |
- } |
- |
- |
-/* Return true:1 if p "looks like" the start of the real authenticator |
-** described in kssl_skip_confound() below. The ASN.1 pattern is |
-** "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and |
-** xx and yy are possibly multi-byte length fields. |
-*/ |
-static int kssl_test_confound(unsigned char *p) |
- { |
- int len = 2; |
- int xx = 0, yy = 0; |
- |
- if (*p++ != 0x62) return 0; |
- if (*p > 0x82) return 0; |
- switch(*p) { |
- case 0x82: p++; xx = (*p++ << 8); xx += *p++; break; |
- case 0x81: p++; xx = *p++; break; |
- case 0x80: return 0; |
- default: xx = *p++; break; |
- } |
- if (*p++ != 0x30) return 0; |
- if (*p > 0x82) return 0; |
- switch(*p) { |
- case 0x82: p++; len+=2; yy = (*p++ << 8); yy += *p++; break; |
- case 0x81: p++; len++; yy = *p++; break; |
- case 0x80: return 0; |
- default: yy = *p++; break; |
- } |
- |
- return (xx - len == yy)? 1: 0; |
- } |
- |
-/* Allocate, fill, and return cksumlens array of checksum lengths. |
-** This array holds just the unique elements from the krb5_cksumarray[]. |
-** array[n] == 0 signals end of data. |
-** |
-** The krb5_cksumarray[] was an internal variable that has since been |
-** replaced by a more general method for storing the data. It should |
-** not be used. Instead we use real API calls and make a guess for |
-** what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 |
-** it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. |
-*/ |
-static size_t *populate_cksumlens(void) |
- { |
- int i, j, n; |
- static size_t *cklens = NULL; |
- |
-#ifdef KRB5_MIT_OLD11 |
- n = krb5_max_cksum; |
-#else |
- n = 0x0010; |
-#endif /* KRB5_MIT_OLD11 */ |
- |
-#ifdef KRB5CHECKAUTH |
- if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1))) return NULL; |
- |
- for (i=0; i < n; i++) { |
- if (!valid_cksumtype(i)) continue; /* array has holes */ |
- for (j=0; j < n; j++) { |
- if (cklens[j] == 0) { |
- cklens[j] = krb5_checksum_size(NULL,i); |
- break; /* krb5 elem was new: add */ |
- } |
- if (cklens[j] == krb5_checksum_size(NULL,i)) { |
- break; /* ignore duplicate elements */ |
- } |
- } |
- } |
-#endif /* KRB5CHECKAUTH */ |
- |
- return cklens; |
- } |
- |
-/* Return pointer to start of real authenticator within authenticator, or |
-** return NULL on error. |
-** Decrypted authenticator looks like this: |
-** [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] |
-** This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the |
-** krb5_auth_con_getcksumtype() function advertised in its krb5.h. |
-*/ |
-unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) |
- { |
- int i, conlen; |
- size_t cklen; |
- static size_t *cksumlens = NULL; |
- unsigned char *test_auth; |
- |
- conlen = (etype)? 8: 0; |
- |
- if (!cksumlens && !(cksumlens = populate_cksumlens())) return NULL; |
- for (i=0; (cklen = cksumlens[i]) != 0; i++) |
- { |
- test_auth = a + conlen + cklen; |
- if (kssl_test_confound(test_auth)) return test_auth; |
- } |
- |
- return NULL; |
- } |
- |
- |
-/* Set kssl_err error info when reason text is a simple string |
-** kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; } |
-*/ |
-void |
-kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) |
- { |
- if (kssl_err == NULL) return; |
- |
- kssl_err->reason = reason; |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text); |
- return; |
- } |
- |
- |
-/* Display contents of krb5_data struct, for debugging |
-*/ |
-void |
-print_krb5_data(char *label, krb5_data *kdata) |
- { |
- int i; |
- |
- printf("%s[%d] ", label, kdata->length); |
- for (i=0; i < (int)kdata->length; i++) |
- { |
- if (0 && isprint((int) kdata->data[i])) |
- printf( "%c ", kdata->data[i]); |
- else |
- printf( "%02x ", (unsigned char) kdata->data[i]); |
- } |
- printf("\n"); |
- } |
- |
- |
-/* Display contents of krb5_authdata struct, for debugging |
-*/ |
-void |
-print_krb5_authdata(char *label, krb5_authdata **adata) |
- { |
- if (adata == NULL) |
- { |
- printf("%s, authdata==0\n", label); |
- return; |
- } |
- printf("%s [%p]\n", label, (void *)adata); |
-#if 0 |
- { |
- int i; |
- printf("%s[at%d:%d] ", label, adata->ad_type, adata->length); |
- for (i=0; i < adata->length; i++) |
- { |
- printf((isprint(adata->contents[i]))? "%c ": "%02x", |
- adata->contents[i]); |
- } |
- printf("\n"); |
- } |
-#endif |
- } |
- |
- |
-/* Display contents of krb5_keyblock struct, for debugging |
-*/ |
-void |
-print_krb5_keyblock(char *label, krb5_keyblock *keyblk) |
- { |
- int i; |
- |
- if (keyblk == NULL) |
- { |
- printf("%s, keyblk==0\n", label); |
- return; |
- } |
-#ifdef KRB5_HEIMDAL |
- printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype, |
- keyblk->keyvalue->length); |
- for (i=0; i < (int)keyblk->keyvalue->length; i++) |
- { |
- printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]); |
- } |
- printf("\n"); |
-#else |
- printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length); |
- for (i=0; i < (int)keyblk->length; i++) |
- { |
- printf("%02x",keyblk->contents[i]); |
- } |
- printf("\n"); |
-#endif |
- } |
- |
- |
-/* Display contents of krb5_principal_data struct, for debugging |
-** (krb5_principal is typedef'd == krb5_principal_data *) |
-*/ |
-static void |
-print_krb5_princ(char *label, krb5_principal_data *princ) |
- { |
- int i, ui, uj; |
- |
- printf("%s principal Realm: ", label); |
- if (princ == NULL) return; |
- for (ui=0; ui < (int)princ->realm.length; ui++) putchar(princ->realm.data[ui]); |
- printf(" (nametype %d) has %d strings:\n", princ->type,princ->length); |
- for (i=0; i < (int)princ->length; i++) |
- { |
- printf("\t%d [%d]: ", i, princ->data[i].length); |
- for (uj=0; uj < (int)princ->data[i].length; uj++) { |
- putchar(princ->data[i].data[uj]); |
- } |
- printf("\n"); |
- } |
- return; |
- } |
- |
- |
-/* Given krb5 service (typically "kssl") and hostname in kssl_ctx, |
-** Return encrypted Kerberos ticket for service @ hostname. |
-** If authenp is non-NULL, also return encrypted authenticator, |
-** whose data should be freed by caller. |
-** (Originally was: Create Kerberos AP_REQ message for SSL Client.) |
-** |
-** 19990628 VRS Started; Returns Kerberos AP_REQ message. |
-** 20010409 VRS Modified for RFC2712; Returns enc tkt. |
-** 20010606 VRS May also return optional authenticator. |
-*/ |
-krb5_error_code |
-kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, |
- /* OUT */ krb5_data **enc_ticketp, |
- /* UPDATE */ krb5_data *authenp, |
- /* OUT */ KSSL_ERR *kssl_err) |
- { |
- krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; |
- krb5_context krb5context = NULL; |
- krb5_auth_context krb5auth_context = NULL; |
- krb5_ccache krb5ccdef = NULL; |
- krb5_creds krb5creds, *krb5credsp = NULL; |
- krb5_data krb5_app_req; |
- |
- kssl_err_set(kssl_err, 0, ""); |
- memset((char *)&krb5creds, 0, sizeof(krb5creds)); |
- |
- if (!kssl_ctx) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "No kssl_ctx defined.\n"); |
- goto err; |
- } |
- else if (!kssl_ctx->service_host) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "kssl_ctx service_host undefined.\n"); |
- goto err; |
- } |
- |
- if ((krb5rc = krb5_init_context(&krb5context)) != 0) |
- { |
- BIO_snprintf(kssl_err->text,KSSL_ERR_MAX, |
- "krb5_init_context() fails: %d\n", krb5rc); |
- kssl_err->reason = SSL_R_KRB5_C_INIT; |
- goto err; |
- } |
- |
- if ((krb5rc = krb5_sname_to_principal(krb5context, |
- kssl_ctx->service_host, |
- (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, |
- KRB5_NT_SRV_HST, &krb5creds.server)) != 0) |
- { |
- BIO_snprintf(kssl_err->text,KSSL_ERR_MAX, |
- "krb5_sname_to_principal() fails for %s/%s\n", |
- kssl_ctx->service_host, |
- (kssl_ctx->service_name)? kssl_ctx->service_name: |
- KRB5SVC); |
- kssl_err->reason = SSL_R_KRB5_C_INIT; |
- goto err; |
- } |
- |
- if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, |
- "krb5_cc_default fails.\n"); |
- goto err; |
- } |
- |
- if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, |
- &krb5creds.client)) != 0) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, |
- "krb5_cc_get_principal() fails.\n"); |
- goto err; |
- } |
- |
- if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, |
- &krb5creds, &krb5credsp)) != 0) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED, |
- "krb5_get_credentials() fails.\n"); |
- goto err; |
- } |
- |
- *enc_ticketp = &krb5credsp->ticket; |
-#ifdef KRB5_HEIMDAL |
- kssl_ctx->enctype = krb5credsp->session.keytype; |
-#else |
- kssl_ctx->enctype = krb5credsp->keyblock.enctype; |
-#endif |
- |
- krb5rc = KRB5KRB_ERR_GENERIC; |
- /* caller should free data of krb5_app_req */ |
- /* 20010406 VRS deleted for real KerberosWrapper |
- ** 20010605 VRS reinstated to offer Authenticator to KerberosWrapper |
- */ |
- krb5_app_req.length = 0; |
- if (authenp) |
- { |
- krb5_data krb5in_data; |
- const unsigned char *p; |
- long arlen; |
- KRB5_APREQBODY *ap_req; |
- |
- authenp->length = 0; |
- krb5in_data.data = NULL; |
- krb5in_data.length = 0; |
- if ((krb5rc = krb5_mk_req_extended(krb5context, |
- &krb5auth_context, 0, &krb5in_data, krb5credsp, |
- &krb5_app_req)) != 0) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ, |
- "krb5_mk_req_extended() fails.\n"); |
- goto err; |
- } |
- |
- arlen = krb5_app_req.length; |
- p = (unsigned char *)krb5_app_req.data; |
- ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen); |
- if (ap_req) |
- { |
- authenp->length = i2d_KRB5_ENCDATA( |
- ap_req->authenticator, NULL); |
- if (authenp->length && |
- (authenp->data = malloc(authenp->length))) |
- { |
- unsigned char *adp = (unsigned char *)authenp->data; |
- authenp->length = i2d_KRB5_ENCDATA( |
- ap_req->authenticator, &adp); |
- } |
- } |
- |
- if (ap_req) KRB5_APREQ_free((KRB5_APREQ *) ap_req); |
- if (krb5_app_req.length) |
- kssl_krb5_free_data_contents(krb5context,&krb5_app_req); |
- } |
-#ifdef KRB5_HEIMDAL |
- if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, |
- "kssl_ctx_setkey() fails.\n"); |
- } |
-#else |
- if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, |
- "kssl_ctx_setkey() fails.\n"); |
- } |
-#endif |
- else krb5rc = 0; |
- |
- err: |
-#ifdef KSSL_DEBUG |
- kssl_ctx_show(kssl_ctx); |
-#endif /* KSSL_DEBUG */ |
- |
- if (krb5creds.client) krb5_free_principal(krb5context, |
- krb5creds.client); |
- if (krb5creds.server) krb5_free_principal(krb5context, |
- krb5creds.server); |
- if (krb5auth_context) krb5_auth_con_free(krb5context, |
- krb5auth_context); |
- if (krb5context) krb5_free_context(krb5context); |
- return (krb5rc); |
- } |
- |
- |
-/* Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. |
-** Return Kerberos error code and kssl_err struct on error. |
-** Allocates krb5_ticket and krb5_principal; caller should free these. |
-** |
-** 20010410 VRS Implemented krb5_decode_ticket() as |
-** old_krb5_decode_ticket(). Missing from MIT1.0.6. |
-** 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. |
-** Re-used some of the old krb5_decode_ticket() |
-** code here. This tkt should alloc/free just |
-** like the real thing. |
-*/ |
-static krb5_error_code |
-kssl_TKT2tkt( /* IN */ krb5_context krb5context, |
- /* IN */ KRB5_TKTBODY *asn1ticket, |
- /* OUT */ krb5_ticket **krb5ticket, |
- /* OUT */ KSSL_ERR *kssl_err ) |
- { |
- krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; |
- krb5_ticket *new5ticket = NULL; |
- ASN1_GENERALSTRING *gstr_svc, *gstr_host; |
- |
- *krb5ticket = NULL; |
- |
- if (asn1ticket == NULL || asn1ticket->realm == NULL || |
- asn1ticket->sname == NULL || |
- sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) |
- { |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "Null field in asn1ticket.\n"); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- return KRB5KRB_ERR_GENERIC; |
- } |
- |
- if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL) |
- { |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "Unable to allocate new krb5_ticket.\n"); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */ |
- } |
- |
- gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0); |
- gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1); |
- |
- if ((krb5rc = kssl_build_principal_2(krb5context, |
- &new5ticket->server, |
- asn1ticket->realm->length, (char *)asn1ticket->realm->data, |
- gstr_svc->length, (char *)gstr_svc->data, |
- gstr_host->length, (char *)gstr_host->data)) != 0) |
- { |
- free(new5ticket); |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "Error building ticket server principal.\n"); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- return krb5rc; /* or KRB5KRB_ERR_GENERIC; */ |
- } |
- |
- krb5_princ_type(krb5context, new5ticket->server) = |
- asn1ticket->sname->nametype->data[0]; |
- new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0]; |
- new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0]; |
- new5ticket->enc_part.ciphertext.length = |
- asn1ticket->encdata->cipher->length; |
- if ((new5ticket->enc_part.ciphertext.data = |
- calloc(1, asn1ticket->encdata->cipher->length)) == NULL) |
- { |
- free(new5ticket); |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "Error allocating cipher in krb5ticket.\n"); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- return KRB5KRB_ERR_GENERIC; |
- } |
- else |
- { |
- memcpy(new5ticket->enc_part.ciphertext.data, |
- asn1ticket->encdata->cipher->data, |
- asn1ticket->encdata->cipher->length); |
- } |
- |
- *krb5ticket = new5ticket; |
- return 0; |
- } |
- |
- |
-/* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), |
-** and krb5 AP_REQ message & message length, |
-** Return Kerberos session key and client principle |
-** to SSL Server in KSSL_CTX *kssl_ctx. |
-** |
-** 19990702 VRS Started. |
-*/ |
-krb5_error_code |
-kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, |
- /* IN */ krb5_data *indata, |
- /* OUT */ krb5_ticket_times *ttimes, |
- /* OUT */ KSSL_ERR *kssl_err ) |
- { |
- krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; |
- static krb5_context krb5context = NULL; |
- static krb5_auth_context krb5auth_context = NULL; |
- krb5_ticket *krb5ticket = NULL; |
- KRB5_TKTBODY *asn1ticket = NULL; |
- const unsigned char *p; |
- krb5_keytab krb5keytab = NULL; |
- krb5_keytab_entry kt_entry; |
- krb5_principal krb5server; |
- krb5_rcache rcache = NULL; |
- |
- kssl_err_set(kssl_err, 0, ""); |
- |
- if (!kssl_ctx) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "No kssl_ctx defined.\n"); |
- goto err; |
- } |
- |
-#ifdef KSSL_DEBUG |
- printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name)); |
-#endif /* KSSL_DEBUG */ |
- |
- if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_init_context() fails.\n"); |
- goto err; |
- } |
- if (krb5auth_context && |
- (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_auth_con_free() fails.\n"); |
- goto err; |
- } |
- else krb5auth_context = NULL; |
- if (!krb5auth_context && |
- (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_auth_con_init() fails.\n"); |
- goto err; |
- } |
- |
- |
- if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context, |
- &rcache))) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_auth_con_getrcache() fails.\n"); |
- goto err; |
- } |
- |
- if ((krb5rc = krb5_sname_to_principal(krb5context, NULL, |
- (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, |
- KRB5_NT_SRV_HST, &krb5server)) != 0) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_sname_to_principal() fails.\n"); |
- goto err; |
- } |
- |
- if (rcache == NULL) |
- { |
- if ((krb5rc = krb5_get_server_rcache(krb5context, |
- krb5_princ_component(krb5context, krb5server, 0), |
- &rcache))) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_get_server_rcache() fails.\n"); |
- goto err; |
- } |
- } |
- |
- if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache))) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_auth_con_setrcache() fails.\n"); |
- goto err; |
- } |
- |
- |
- /* kssl_ctx->keytab_file == NULL ==> use Kerberos default |
- */ |
- if (kssl_ctx->keytab_file) |
- { |
- krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, |
- &krb5keytab); |
- if (krb5rc) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_kt_resolve() fails.\n"); |
- goto err; |
- } |
- } |
- else |
- { |
- krb5rc = krb5_kt_default(krb5context,&krb5keytab); |
- if (krb5rc) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "krb5_kt_default() fails.\n"); |
- goto err; |
- } |
- } |
- |
- /* Actual Kerberos5 krb5_recvauth() has initial conversation here |
- ** o check KRB5_SENDAUTH_BADAUTHVERS |
- ** unless KRB5_RECVAUTH_SKIP_VERSION |
- ** o check KRB5_SENDAUTH_BADAPPLVERS |
- ** o send "0" msg if all OK |
- */ |
- |
- /* 20010411 was using AP_REQ instead of true KerberosWrapper |
- ** |
- ** if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, |
- ** &krb5in_data, krb5server, krb5keytab, |
- ** &ap_option, &krb5ticket)) != 0) { Error } |
- */ |
- |
- p = (unsigned char *)indata->data; |
- if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p, |
- (long) indata->length)) == NULL) |
- { |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "d2i_KRB5_TICKET() ASN.1 decode failure.\n"); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- goto err; |
- } |
- |
- /* Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */ |
- if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket, |
- kssl_err)) != 0) |
- { |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "Error converting ASN.1 ticket to krb5_ticket.\n"); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- goto err; |
- } |
- |
- if (! krb5_principal_compare(krb5context, krb5server, |
- krb5ticket->server)) { |
- krb5rc = KRB5_PRINC_NOMATCH; |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "server principal != ticket principal\n"); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- goto err; |
- } |
- if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, |
- krb5ticket->server, krb5ticket->enc_part.kvno, |
- krb5ticket->enc_part.enctype, &kt_entry)) != 0) { |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "krb5_kt_get_entry() fails with %x.\n", krb5rc); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- goto err; |
- } |
- if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key, |
- krb5ticket)) != 0) { |
- BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, |
- "krb5_decrypt_tkt_part() failed.\n"); |
- kssl_err->reason = SSL_R_KRB5_S_RD_REQ; |
- goto err; |
- } |
- else { |
- krb5_kt_free_entry(krb5context, &kt_entry); |
-#ifdef KSSL_DEBUG |
- { |
- int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs; |
- printf("Decrypted ticket fields:\n"); |
- printf("\tflags: %X, transit-type: %X", |
- krb5ticket->enc_part2->flags, |
- krb5ticket->enc_part2->transited.tr_type); |
- print_krb5_data("\ttransit-data: ", |
- &(krb5ticket->enc_part2->transited.tr_contents)); |
- printf("\tcaddrs: %p, authdata: %p\n", |
- krb5ticket->enc_part2->caddrs, |
- krb5ticket->enc_part2->authorization_data); |
- if (paddr) |
- { |
- printf("\tcaddrs:\n"); |
- for (i=0; paddr[i] != NULL; i++) |
- { |
- krb5_data d; |
- d.length=paddr[i]->length; |
- d.data=paddr[i]->contents; |
- print_krb5_data("\t\tIP: ", &d); |
- } |
- } |
- printf("\tstart/auth/end times: %d / %d / %d\n", |
- krb5ticket->enc_part2->times.starttime, |
- krb5ticket->enc_part2->times.authtime, |
- krb5ticket->enc_part2->times.endtime); |
- } |
-#endif /* KSSL_DEBUG */ |
- } |
- |
- krb5rc = KRB5_NO_TKT_SUPPLIED; |
- if (!krb5ticket || !krb5ticket->enc_part2 || |
- !krb5ticket->enc_part2->client || |
- !krb5ticket->enc_part2->client->data || |
- !krb5ticket->enc_part2->session) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, |
- "bad ticket from krb5_rd_req.\n"); |
- } |
- else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, |
- &krb5ticket->enc_part2->client->realm, |
- krb5ticket->enc_part2->client->data, |
- krb5ticket->enc_part2->client->length)) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, |
- "kssl_ctx_setprinc() fails.\n"); |
- } |
- else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, |
- "kssl_ctx_setkey() fails.\n"); |
- } |
- else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) |
- { |
- krb5rc = KRB5KRB_AP_ERR_TKT_INVALID; |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, |
- "invalid ticket from krb5_rd_req.\n"); |
- } |
- else krb5rc = 0; |
- |
- kssl_ctx->enctype = krb5ticket->enc_part.enctype; |
- ttimes->authtime = krb5ticket->enc_part2->times.authtime; |
- ttimes->starttime = krb5ticket->enc_part2->times.starttime; |
- ttimes->endtime = krb5ticket->enc_part2->times.endtime; |
- ttimes->renew_till = krb5ticket->enc_part2->times.renew_till; |
- |
- err: |
-#ifdef KSSL_DEBUG |
- kssl_ctx_show(kssl_ctx); |
-#endif /* KSSL_DEBUG */ |
- |
- if (asn1ticket) KRB5_TICKET_free((KRB5_TICKET *) asn1ticket); |
- if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); |
- if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket); |
- if (krb5server) krb5_free_principal(krb5context, krb5server); |
- return (krb5rc); |
- } |
- |
- |
-/* Allocate & return a new kssl_ctx struct. |
-*/ |
-KSSL_CTX * |
-kssl_ctx_new(void) |
- { |
- return ((KSSL_CTX *) kssl_calloc(1, sizeof(KSSL_CTX))); |
- } |
- |
- |
-/* Frees a kssl_ctx struct and any allocated memory it holds. |
-** Returns NULL. |
-*/ |
-KSSL_CTX * |
-kssl_ctx_free(KSSL_CTX *kssl_ctx) |
- { |
- if (kssl_ctx == NULL) return kssl_ctx; |
- |
- if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key, |
- kssl_ctx->length); |
- if (kssl_ctx->key) kssl_free(kssl_ctx->key); |
- if (kssl_ctx->client_princ) kssl_free(kssl_ctx->client_princ); |
- if (kssl_ctx->service_host) kssl_free(kssl_ctx->service_host); |
- if (kssl_ctx->service_name) kssl_free(kssl_ctx->service_name); |
- if (kssl_ctx->keytab_file) kssl_free(kssl_ctx->keytab_file); |
- |
- kssl_free(kssl_ctx); |
- return (KSSL_CTX *) NULL; |
- } |
- |
- |
-/* Given an array of (krb5_data *) entity (and optional realm), |
-** set the plain (char *) client_princ or service_host member |
-** of the kssl_ctx struct. |
-*/ |
-krb5_error_code |
-kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, |
- krb5_data *realm, krb5_data *entity, int nentities) |
- { |
- char **princ; |
- int length; |
- int i; |
- |
- if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR; |
- |
- switch (which) |
- { |
- case KSSL_CLIENT: princ = &kssl_ctx->client_princ; break; |
- case KSSL_SERVER: princ = &kssl_ctx->service_host; break; |
- default: return KSSL_CTX_ERR; break; |
- } |
- if (*princ) kssl_free(*princ); |
- |
- /* Add up all the entity->lengths */ |
- length = 0; |
- for (i=0; i < nentities; i++) |
- { |
- length += entity[i].length; |
- } |
- /* Add in space for the '/' character(s) (if any) */ |
- length += nentities-1; |
- /* Space for the ('@'+realm+NULL | NULL) */ |
- length += ((realm)? realm->length + 2: 1); |
- |
- if ((*princ = kssl_calloc(1, length)) == NULL) |
- return KSSL_CTX_ERR; |
- else |
- { |
- for (i = 0; i < nentities; i++) |
- { |
- strncat(*princ, entity[i].data, entity[i].length); |
- if (i < nentities-1) |
- { |
- strcat (*princ, "/"); |
- } |
- } |
- if (realm) |
- { |
- strcat (*princ, "@"); |
- (void) strncat(*princ, realm->data, realm->length); |
- } |
- } |
- |
- return KSSL_CTX_OK; |
- } |
- |
- |
-/* Set one of the plain (char *) string members of the kssl_ctx struct. |
-** Default values should be: |
-** which == KSSL_SERVICE => "khost" (KRB5SVC) |
-** which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) |
-*/ |
-krb5_error_code |
-kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) |
- { |
- char **string; |
- |
- if (!kssl_ctx) return KSSL_CTX_ERR; |
- |
- switch (which) |
- { |
- case KSSL_SERVICE: string = &kssl_ctx->service_name; break; |
- case KSSL_SERVER: string = &kssl_ctx->service_host; break; |
- case KSSL_CLIENT: string = &kssl_ctx->client_princ; break; |
- case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break; |
- default: return KSSL_CTX_ERR; break; |
- } |
- if (*string) kssl_free(*string); |
- |
- if (!text) |
- { |
- *string = '\0'; |
- return KSSL_CTX_OK; |
- } |
- |
- if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL) |
- return KSSL_CTX_ERR; |
- else |
- strcpy(*string, text); |
- |
- return KSSL_CTX_OK; |
- } |
- |
- |
-/* Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx |
-** struct. Clear kssl_ctx->key if Kerberos session key is NULL. |
-*/ |
-krb5_error_code |
-kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) |
- { |
- int length; |
- krb5_enctype enctype; |
- krb5_octet FAR *contents = NULL; |
- |
- if (!kssl_ctx) return KSSL_CTX_ERR; |
- |
- if (kssl_ctx->key) |
- { |
- OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); |
- kssl_free(kssl_ctx->key); |
- } |
- |
- if (session) |
- { |
- |
-#ifdef KRB5_HEIMDAL |
- length = session->keyvalue->length; |
- enctype = session->keytype; |
- contents = session->keyvalue->contents; |
-#else |
- length = session->length; |
- enctype = session->enctype; |
- contents = session->contents; |
-#endif |
- kssl_ctx->enctype = enctype; |
- kssl_ctx->length = length; |
- } |
- else |
- { |
- kssl_ctx->enctype = ENCTYPE_UNKNOWN; |
- kssl_ctx->length = 0; |
- return KSSL_CTX_OK; |
- } |
- |
- if ((kssl_ctx->key = |
- (krb5_octet FAR *) kssl_calloc(1, kssl_ctx->length)) == NULL) |
- { |
- kssl_ctx->length = 0; |
- return KSSL_CTX_ERR; |
- } |
- else |
- memcpy(kssl_ctx->key, contents, length); |
- |
- return KSSL_CTX_OK; |
- } |
- |
- |
-/* Display contents of kssl_ctx struct |
-*/ |
-void |
-kssl_ctx_show(KSSL_CTX *kssl_ctx) |
- { |
- int i; |
- |
- printf("kssl_ctx: "); |
- if (kssl_ctx == NULL) |
- { |
- printf("NULL\n"); |
- return; |
- } |
- else |
- printf("%p\n", (void *)kssl_ctx); |
- |
- printf("\tservice:\t%s\n", |
- (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL"); |
- printf("\tclient:\t%s\n", |
- (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL"); |
- printf("\tserver:\t%s\n", |
- (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL"); |
- printf("\tkeytab:\t%s\n", |
- (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL"); |
- printf("\tkey [%d:%d]:\t", |
- kssl_ctx->enctype, kssl_ctx->length); |
- |
- for (i=0; i < kssl_ctx->length && kssl_ctx->key; i++) |
- { |
- printf("%02x", kssl_ctx->key[i]); |
- } |
- printf("\n"); |
- return; |
- } |
- |
- int |
- kssl_keytab_is_available(KSSL_CTX *kssl_ctx) |
-{ |
- krb5_context krb5context = NULL; |
- krb5_keytab krb5keytab = NULL; |
- krb5_keytab_entry entry; |
- krb5_principal princ = NULL; |
- krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; |
- int rc = 0; |
- |
- if ((krb5rc = krb5_init_context(&krb5context))) |
- return(0); |
- |
- /* kssl_ctx->keytab_file == NULL ==> use Kerberos default |
- */ |
- if (kssl_ctx->keytab_file) |
- { |
- krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, |
- &krb5keytab); |
- if (krb5rc) |
- goto exit; |
- } |
- else |
- { |
- krb5rc = krb5_kt_default(krb5context,&krb5keytab); |
- if (krb5rc) |
- goto exit; |
- } |
- |
- /* the host key we are looking for */ |
- krb5rc = krb5_sname_to_principal(krb5context, NULL, |
- kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC, |
- KRB5_NT_SRV_HST, &princ); |
- |
- if (krb5rc) |
- goto exit; |
- |
- krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, |
- princ, |
- 0 /* IGNORE_VNO */, |
- 0 /* IGNORE_ENCTYPE */, |
- &entry); |
- if ( krb5rc == KRB5_KT_NOTFOUND ) { |
- rc = 1; |
- goto exit; |
- } else if ( krb5rc ) |
- goto exit; |
- |
- krb5_kt_free_entry(krb5context, &entry); |
- rc = 1; |
- |
- exit: |
- if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); |
- if (princ) krb5_free_principal(krb5context, princ); |
- if (krb5context) krb5_free_context(krb5context); |
- return(rc); |
-} |
- |
-int |
-kssl_tgt_is_available(KSSL_CTX *kssl_ctx) |
- { |
- krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; |
- krb5_context krb5context = NULL; |
- krb5_ccache krb5ccdef = NULL; |
- krb5_creds krb5creds, *krb5credsp = NULL; |
- int rc = 0; |
- |
- memset((char *)&krb5creds, 0, sizeof(krb5creds)); |
- |
- if (!kssl_ctx) |
- return(0); |
- |
- if (!kssl_ctx->service_host) |
- return(0); |
- |
- if ((krb5rc = krb5_init_context(&krb5context)) != 0) |
- goto err; |
- |
- if ((krb5rc = krb5_sname_to_principal(krb5context, |
- kssl_ctx->service_host, |
- (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, |
- KRB5_NT_SRV_HST, &krb5creds.server)) != 0) |
- goto err; |
- |
- if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) |
- goto err; |
- |
- if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, |
- &krb5creds.client)) != 0) |
- goto err; |
- |
- if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, |
- &krb5creds, &krb5credsp)) != 0) |
- goto err; |
- |
- rc = 1; |
- |
- err: |
-#ifdef KSSL_DEBUG |
- kssl_ctx_show(kssl_ctx); |
-#endif /* KSSL_DEBUG */ |
- |
- if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client); |
- if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server); |
- if (krb5context) krb5_free_context(krb5context); |
- return(rc); |
- } |
- |
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32) |
-void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) |
- { |
-#ifdef KRB5_HEIMDAL |
- data->length = 0; |
- if (data->data) |
- free(data->data); |
-#elif defined(KRB5_MIT_OLD11) |
- if (data->data) { |
- krb5_xfree(data->data); |
- data->data = 0; |
- } |
-#else |
- krb5_free_data_contents(NULL, data); |
-#endif |
- } |
-#endif /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */ |
- |
- |
-/* Given pointers to KerberosTime and struct tm structs, convert the |
-** KerberosTime string to struct tm. Note that KerberosTime is a |
-** ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional |
-** seconds as defined in RFC 1510. |
-** Return pointer to the (partially) filled in struct tm on success, |
-** return NULL on failure. |
-*/ |
-static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) |
- { |
- char c, *p; |
- |
- if (!k_tm) return NULL; |
- if (gtime == NULL || gtime->length < 14) return NULL; |
- if (gtime->data == NULL) return NULL; |
- |
- p = (char *)>ime->data[14]; |
- |
- c = *p; *p = '\0'; p -= 2; k_tm->tm_sec = atoi(p); *(p+2) = c; |
- c = *p; *p = '\0'; p -= 2; k_tm->tm_min = atoi(p); *(p+2) = c; |
- c = *p; *p = '\0'; p -= 2; k_tm->tm_hour = atoi(p); *(p+2) = c; |
- c = *p; *p = '\0'; p -= 2; k_tm->tm_mday = atoi(p); *(p+2) = c; |
- c = *p; *p = '\0'; p -= 2; k_tm->tm_mon = atoi(p)-1; *(p+2) = c; |
- c = *p; *p = '\0'; p -= 4; k_tm->tm_year = atoi(p)-1900; *(p+4) = c; |
- |
- return k_tm; |
- } |
- |
- |
-/* Helper function for kssl_validate_times(). |
-** We need context->clockskew, but krb5_context is an opaque struct. |
-** So we try to sneek the clockskew out through the replay cache. |
-** If that fails just return a likely default (300 seconds). |
-*/ |
-static krb5_deltat get_rc_clockskew(krb5_context context) |
- { |
- krb5_rcache rc; |
- krb5_deltat clockskew; |
- |
- if (krb5_rc_default(context, &rc)) return KSSL_CLOCKSKEW; |
- if (krb5_rc_initialize(context, rc, 0)) return KSSL_CLOCKSKEW; |
- if (krb5_rc_get_lifespan(context, rc, &clockskew)) { |
- clockskew = KSSL_CLOCKSKEW; |
- } |
- (void) krb5_rc_destroy(context, rc); |
- return clockskew; |
- } |
- |
- |
-/* kssl_validate_times() combines (and more importantly exposes) |
-** the MIT KRB5 internal function krb5_validate_times() and the |
-** in_clock_skew() macro. The authenticator client time is checked |
-** to be within clockskew secs of the current time and the current |
-** time is checked to be within the ticket start and expire times. |
-** Either check may be omitted by supplying a NULL value. |
-** Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. |
-** See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c |
-** 20010420 VRS |
-*/ |
-krb5_error_code kssl_validate_times( krb5_timestamp atime, |
- krb5_ticket_times *ttimes) |
- { |
- krb5_deltat skew; |
- krb5_timestamp start, now; |
- krb5_error_code rc; |
- krb5_context context; |
- |
- if ((rc = krb5_init_context(&context))) return SSL_R_KRB5_S_BAD_TICKET; |
- skew = get_rc_clockskew(context); |
- if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET; |
- krb5_free_context(context); |
- |
- if (atime && labs(atime - now) >= skew) return SSL_R_KRB5_S_TKT_SKEW; |
- |
- if (! ttimes) return 0; |
- |
- start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime; |
- if (start - now > skew) return SSL_R_KRB5_S_TKT_NYV; |
- if ((now - ttimes->endtime) > skew) return SSL_R_KRB5_S_TKT_EXPIRED; |
- |
-#ifdef KSSL_DEBUG |
- printf("kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", |
- start, atime, now, skew, ttimes->endtime); |
-#endif /* KSSL_DEBUG */ |
- |
- return 0; |
- } |
- |
- |
-/* Decode and decrypt given DER-encoded authenticator, then pass |
-** authenticator ctime back in *atimep (or 0 if time unavailable). |
-** Returns krb5_error_code and kssl_err on error. A NULL |
-** authenticator (authentp->length == 0) is not considered an error. |
-** Note that kssl_check_authent() makes use of the KRB5 session key; |
-** you must call kssl_sget_tkt() to get the key before calling this routine. |
-*/ |
-krb5_error_code kssl_check_authent( |
- /* IN */ KSSL_CTX *kssl_ctx, |
- /* IN */ krb5_data *authentp, |
- /* OUT */ krb5_timestamp *atimep, |
- /* OUT */ KSSL_ERR *kssl_err ) |
- { |
- krb5_error_code krb5rc = 0; |
- KRB5_ENCDATA *dec_authent = NULL; |
- KRB5_AUTHENTBODY *auth = NULL; |
- krb5_enctype enctype; |
- EVP_CIPHER_CTX ciph_ctx; |
- const EVP_CIPHER *enc = NULL; |
- unsigned char iv[EVP_MAX_IV_LENGTH]; |
- const unsigned char *p; |
- unsigned char *unenc_authent; |
- int outl, unencbufsize; |
- struct tm tm_time, *tm_l, *tm_g; |
- time_t now, tl, tg, tr, tz_offset; |
- |
- EVP_CIPHER_CTX_init(&ciph_ctx); |
- *atimep = 0; |
- kssl_err_set(kssl_err, 0, ""); |
- |
-#ifndef KRB5CHECKAUTH |
- authentp = NULL; |
-#else |
-#if KRB5CHECKAUTH == 0 |
- authentp = NULL; |
-#endif |
-#endif /* KRB5CHECKAUTH */ |
- |
- if (authentp == NULL || authentp->length == 0) return 0; |
- |
-#ifdef KSSL_DEBUG |
- { |
- unsigned int ui; |
- printf("kssl_check_authent: authenticator[%d]:\n",authentp->length); |
- p = authentp->data; |
- for (ui=0; ui < authentp->length; ui++) printf("%02x ",p[ui]); |
- printf("\n"); |
- } |
-#endif /* KSSL_DEBUG */ |
- |
- unencbufsize = 2 * authentp->length; |
- if ((unenc_authent = calloc(1, unencbufsize)) == NULL) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "Unable to allocate authenticator buffer.\n"); |
- krb5rc = KRB5KRB_ERR_GENERIC; |
- goto err; |
- } |
- |
- p = (unsigned char *)authentp->data; |
- if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p, |
- (long) authentp->length)) == NULL) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "Error decoding authenticator.\n"); |
- krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; |
- goto err; |
- } |
- |
- enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */ |
-#if !defined(KRB5_MIT_OLD11) |
- switch ( enctype ) { |
- case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ |
- case ENCTYPE_DES3_CBC_SHA: |
- case ENCTYPE_DES3_CBC_RAW: |
- krb5rc = 0; /* Skip, can't handle derived keys */ |
- goto err; |
- } |
-#endif |
- enc = kssl_map_enc(enctype); |
- memset(iv, 0, sizeof iv); /* per RFC 1510 */ |
- |
- if (enc == NULL) |
- { |
- /* Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1. |
- ** This enctype indicates the authenticator was encrypted |
- ** using key-usage derived keys which openssl cannot decrypt. |
- */ |
- goto err; |
- } |
- |
- if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0)) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "EVP_CipherInit error decrypting authenticator.\n"); |
- krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; |
- goto err; |
- } |
- outl = dec_authent->cipher->length; |
- if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl)) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "EVP_Cipher error decrypting authenticator.\n"); |
- krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; |
- goto err; |
- } |
- EVP_CIPHER_CTX_cleanup(&ciph_ctx); |
- |
-#ifdef KSSL_DEBUG |
- { |
- int padl; |
- printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl); |
- for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]); |
- printf("\n"); |
- } |
-#endif /* KSSL_DEBUG */ |
- |
- if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "confounded by authenticator.\n"); |
- krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; |
- goto err; |
- } |
- outl -= p - unenc_authent; |
- |
- if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p, |
- (long) outl))==NULL) |
- { |
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, |
- "Error decoding authenticator body.\n"); |
- krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; |
- goto err; |
- } |
- |
- memset(&tm_time,0,sizeof(struct tm)); |
- if (k_gmtime(auth->ctime, &tm_time) && |
- ((tr = mktime(&tm_time)) != (time_t)(-1))) |
- { |
- now = time(&now); |
- tm_l = localtime(&now); tl = mktime(tm_l); |
- tm_g = gmtime(&now); tg = mktime(tm_g); |
- tz_offset = tg - tl; |
- |
- *atimep = (krb5_timestamp)(tr - tz_offset); |
- } |
- |
-#ifdef KSSL_DEBUG |
- printf("kssl_check_authent: returns %d for client time ", *atimep); |
- if (auth && auth->ctime && auth->ctime->length && auth->ctime->data) |
- printf("%.*s\n", auth->ctime->length, auth->ctime->data); |
- else printf("NULL\n"); |
-#endif /* KSSL_DEBUG */ |
- |
- err: |
- if (auth) KRB5_AUTHENT_free((KRB5_AUTHENT *) auth); |
- if (dec_authent) KRB5_ENCDATA_free(dec_authent); |
- if (unenc_authent) free(unenc_authent); |
- EVP_CIPHER_CTX_cleanup(&ciph_ctx); |
- return krb5rc; |
- } |
- |
- |
-/* Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host), |
-** because I dont't know how to stub varargs. |
-** Returns krb5_error_code == ENOMEM on alloc error, otherwise |
-** passes back newly constructed principal, which should be freed by caller. |
-*/ |
-krb5_error_code kssl_build_principal_2( |
- /* UPDATE */ krb5_context context, |
- /* OUT */ krb5_principal *princ, |
- /* IN */ int rlen, const char *realm, |
- /* IN */ int slen, const char *svc, |
- /* IN */ int hlen, const char *host) |
- { |
- krb5_data *p_data = NULL; |
- krb5_principal new_p = NULL; |
- char *new_r = NULL; |
- |
- if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL || |
- (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data))) |
- == NULL) goto err; |
- new_p->length = 2; |
- new_p->data = p_data; |
- |
- if ((new_r = calloc(1, rlen + 1)) == NULL) goto err; |
- memcpy(new_r, realm, rlen); |
- krb5_princ_set_realm_length(context, new_p, rlen); |
- krb5_princ_set_realm_data(context, new_p, new_r); |
- |
- if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) goto err; |
- memcpy(new_p->data[0].data, svc, slen); |
- new_p->data[0].length = slen; |
- |
- if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) goto err; |
- memcpy(new_p->data[1].data, host, hlen); |
- new_p->data[1].length = hlen; |
- |
- krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN; |
- *princ = new_p; |
- return 0; |
- |
- err: |
- if (new_p && new_p[0].data) free(new_p[0].data); |
- if (new_p && new_p[1].data) free(new_p[1].data); |
- if (new_p) free(new_p); |
- if (new_r) free(new_r); |
- return ENOMEM; |
- } |
- |
-void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx) |
- { |
- s->kssl_ctx = kctx; |
- } |
- |
-KSSL_CTX * SSL_get0_kssl_ctx(SSL *s) |
- { |
- return s->kssl_ctx; |
- } |
- |
-char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx) |
- { |
- if (kctx) |
- return kctx->client_princ; |
- return NULL; |
- } |
- |
-#else /* !OPENSSL_NO_KRB5 */ |
- |
-#if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS) |
-static void *dummy=&dummy; |
-#endif |
- |
-#endif /* !OPENSSL_NO_KRB5 */ |
- |