      1 /* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
      2 /* Written by Vern Staats <staatsvr (at) asc.hpc.mil> for the OpenSSL
      3  * project 2000.
      4  */
      5 /* ====================================================================
      6  * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
      7  *
      8  * Redistribution and use in source and binary forms, with or without
      9  * modification, are permitted provided that the following conditions
     10  * are met:
     11  *
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  *
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in
     17  *    the documentation and/or other materials provided with the
     18  *    distribution.
     19  *
     20  * 3. All advertising materials mentioning features or use of this
     21  *    software must display the following acknowledgment:
     22  *    "This product includes software developed by the OpenSSL Project
     23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     24  *
     25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     26  *    endorse or promote products derived from this software without
     27  *    prior written permission. For written permission, please contact
     28  *    licensing (at) OpenSSL.org.
     29  *
     30  * 5. Products derived from this software may not be called "OpenSSL"
     31  *    nor may "OpenSSL" appear in their names without prior written
     32  *    permission of the OpenSSL Project.
     33  *
     34  * 6. Redistributions of any form whatsoever must retain the following
     35  *    acknowledgment:
     36  *    "This product includes software developed by the OpenSSL Project
     37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     38  *
     39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     50  * OF THE POSSIBILITY OF SUCH DAMAGE.
     51  * ====================================================================
     52  *
     53  * This product includes cryptographic software written by Eric Young
     54  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     55  * Hudson (tjh (at) cryptsoft.com).
     56  *
     57  */
     58 
     59 /*
     60 **	19990701	VRS 	Started.
     61 */
     62 
     63 #ifndef	KSSL_H
     64 #define	KSSL_H
     65 
     66 #include <openssl/opensslconf.h>
     67 
     68 #ifndef OPENSSL_NO_KRB5
     69 
     70 #include <stdio.h>
     71 #include <ctype.h>
     72 #include <krb5.h>
     73 #ifdef OPENSSL_SYS_WIN32
     74 /* These can sometimes get redefined indirectly by krb5 header files
     75  * after they get undefed in ossl_typ.h
     76  */
     77 #undef X509_NAME
     78 #undef X509_EXTENSIONS
     79 #undef OCSP_REQUEST
     80 #undef OCSP_RESPONSE
     81 #endif
     82 
     83 #ifdef  __cplusplus
     84 extern "C" {
     85 #endif
     86 
     87 /*
     88 **	Depending on which KRB5 implementation is used, some types from
     89 **	the other may be missing.  Resolve that here and now.
     90 */
     91 #ifdef KRB5_HEIMDAL
     92 typedef unsigned char krb5_octet;	/* not provided by Heimdal's headers */
     93 #define FAR				/* historical far-pointer qualifier; empty here */
     94 #else
     95 
     96 #ifndef FAR
     97 #define FAR	/* defined empty so "krb5_octet FAR *" below compiles on either implementation */
     98 #endif
     99 
    100 #endif
    101 
    102 /*	Uncomment this to debug kssl problems or
    103 **	to trace usage of the Kerberos session key
    104 **
    105 **	#define		KSSL_DEBUG
    106 */
    107 
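    108 #ifndef	KRB5SVC
    109 #define KRB5SVC	"host"		/* service component of the server principal (svc/host@REALM) */
    110 #endif
    111 
    112 #ifndef	KRB5KEYTAB
    113 #define KRB5KEYTAB	"/etc/krb5.keytab"	/* server-side keytab used when keytab_file is NULL */
    114 #endif
    115 
    116 /*	Compile-time policy switches; their exact effect lives in kssl.c.
    **	KRB5CHECKAUTH presumably controls whether the server verifies the
    **	client authenticator -- confirm there before building with it set to 0.
    */
    117 #ifndef KRB5SENDAUTH
    118 #define KRB5SENDAUTH	1
    119 #endif
    120 
    121 #ifndef KRB5CHECKAUTH
    122 #define KRB5CHECKAUTH	1
    123 #endif
    124 
    125 /*	Tolerated clock drift between peers, in seconds (krb5_timestamp units).
    **	Must stay a bare integer: the earlier definition carried a trailing ';',
    **	which only worked when the macro was the last token of an initializer
    **	and broke any use inside an expression, e.g. "now + KSSL_CLOCKSKEW".
    */
    126 #ifndef KSSL_CLOCKSKEW
    127 #define	KSSL_CLOCKSKEW	300
    128 #endif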
    127 
    128 #define	KSSL_ERR_MAX	255	/* longest error text, not counting the terminating NUL */
        /* Error record filled in by kssl_err_set(); passed to the kssl_*_tkt()
        ** and kssl_check_authent() calls so the caller can report failures.
        */
    129 typedef struct kssl_err_st  {
    130 	int  reason;			/* kssl reason code (values assigned in kssl.c) */
    131 	char text[KSSL_ERR_MAX+1];	/* message, sized for KSSL_ERR_MAX chars plus NUL */
    132 	} KSSL_ERR;
    133 
    134 
    135 /*	Context for passing
    136 **		(1) Kerberos session key to SSL, and
    137 **		(2)	Config data between application and SSL lib
    138 */
    139 typedef struct kssl_ctx_st
    140         {
    141                                 /*	used by:    disposition:            */
    142 	char *service_name;	/*	C,S	    default ok (kssl)       */
    143 	char *service_host;	/*	C	    input, REQUIRED         */
    144 	char *client_princ;	/*	S	    output from krb5 ticket */
    145 	char *keytab_file;	/*      S	    NULL (/etc/krb5.keytab) */
    146 	char *cred_cache;	/*	C	    NULL (default)          */
    147 	krb5_enctype enctype;	/* encryption type of the session key below */
    148 	int length;		/* length of key in bytes -- presumably set by kssl_ctx_setkey() */
    149 	krb5_octet FAR *key;	/* Kerberos session key: secret material.  It should be
    				 * cleared, not just freed, when the context is released
    				 * (confirm kssl_ctx_free() does so in kssl.c).        */
    150 	} KSSL_CTX;
    151 
        /* 'which' selectors for kssl_ctx_setstring() / kssl_ctx_setprinc();
        ** which of them each function accepts is decided in kssl.c.
        */
    152 #define	KSSL_CLIENT 	1
    153 #define KSSL_SERVER 	2
    154 #define	KSSL_SERVICE	3
    155 #define	KSSL_KEYTAB 	4
    156 
        /* Return codes of the kssl_ctx_* functions -- presumably; note these are
        ** distinct from the krb5_error_code values returned by the ticket calls.
        */
    157 #define KSSL_CTX_OK 	0
    158 #define KSSL_CTX_ERR	1
    159 #define KSSL_NOMEM	2
    160 
    161 /* Public (for use by applications that use OpenSSL with Kerberos 5 support) */
        /* Store text in the string field selected by 'which' (a KSSL_* selector).
        ** text is declared non-const but is presumably only read and copied. */
    162 krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
        /* Allocate a fresh KSSL_CTX; NULL on allocation failure (presumably). */
    163 KSSL_CTX *kssl_ctx_new(void);
        /* Release kssl_ctx and what it owns, including the session key.  The
        ** return value is presumably NULL so callers can write
        ** ctx = kssl_ctx_free(ctx); confirm the key bytes are wiped first. */
    164 KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
        /* Dump the context, presumably a debugging aid; check in kssl.c whether
        ** it prints key material before using it anywhere near production logs. */
    165 void kssl_ctx_show(KSSL_CTX *kssl_ctx);
        /* Build a principal from realm plus nentities components in entity[] and
        ** store it in the field selected by 'which' -- presumably. */
    166 krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
    167         krb5_data *realm, krb5_data *entity, int nentities);
        /* Client side: obtain a service ticket; on success *enc_tktp is the
        ** encrypted ticket and authenp the authenticator to send to the server. */
    168 krb5_error_code	kssl_cget_tkt(KSSL_CTX *kssl_ctx,  krb5_data **enc_tktp,
    169         krb5_data *authenp, KSSL_ERR *kssl_err);
        /* Server side: decrypt and validate the ticket received from the peer
        ** (indata -- untrusted network input; its bounds are checked in kssl.c),
        ** filling ttimes with the ticket's validity times. */
    170 krb5_error_code	kssl_sget_tkt(KSSL_CTX *kssl_ctx,  krb5_data *indata,
    171         krb5_ticket_times *ttimes, KSSL_ERR *kssl_err);
        /* Copy the keyblock's enctype/length/contents into kssl_ctx; a NULL
        ** session presumably clears the stored key -- confirm in kssl.c. */
    172 krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
        /* Record reason and text in kssl_err; text longer than KSSL_ERR_MAX must
        ** be truncated to fit kssl_err->text -- confirm the copy is bounded. */
    173 void	kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
        /* Free data->data via the implementation-appropriate krb5 routine. */
    174 void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data);
        /* Build princ as svc/host@realm from explicitly sized (not necessarily
        ** NUL-terminated) realm, svc and host strings. */
    175 krb5_error_code  kssl_build_principal_2(krb5_context context,
    176 			krb5_principal *princ, int rlen, const char *realm,
    177 			int slen, const char *svc, int hlen, const char *host);
        /* Check atime against the validity window in ttimes, presumably allowing
        ** KSSL_CLOCKSKEW seconds of drift. */
    178 krb5_error_code  kssl_validate_times(krb5_timestamp atime,
    179 					krb5_ticket_times *ttimes);
        /* Server side: decrypt and verify the peer's authenticator (authentp) with
        ** the session key in kssl_ctx; *atimep receives its timestamp so the
        ** caller can run kssl_validate_times() against it. */
    180 krb5_error_code  kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp,
    181			            krb5_timestamp *atimep, KSSL_ERR *kssl_err);
        /* Return a pointer into authn past the enctype-dependent confounder --
        ** presumably; the caller must ensure authn is long enough for that skip. */
    182 unsigned char	*kssl_skip_confound(krb5_enctype enctype, unsigned char *authn);
    183 
        /* set0/get0 follow OpenSSL naming: set0 hands ownership of kctx to s,
        ** get0 returns the internal pointer without transferring ownership. */
    184 void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx);
    185 KSSL_CTX * SSL_get0_kssl_ctx(SSL *s);
        /* Return kctx->client_princ (the principal taken from the client's ticket);
        ** the caller does not own the returned string. */
    186 char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx);
    187 
    188 #ifdef  __cplusplus
    189 }
    190 #endif
    191 #endif	/* OPENSSL_NO_KRB5	*/
    192 #endif	/* KSSL_H 	*/
    193