1 /* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */ 2 /* Written by Vern Staats <staatsvr (at) asc.hpc.mil> for the OpenSSL project 2000. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 2000 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). 55 * 56 */ 57 58 59 /* ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl 60 ** 61 ** 19990701 VRS Started. 62 ** 200011?? Jeffrey Altman, Richard Levitte 63 ** Generalized for Heimdal, Newer MIT, & Win32. 64 ** Integrated into main OpenSSL 0.9.7 snapshots. 65 ** 20010413 Simon Wilkinson, VRS 66 ** Real RFC2712 KerberosWrapper replaces AP_REQ. 67 */ 68 69 #include <openssl/opensslconf.h> 70 71 #include <string.h> 72 73 #define KRB5_PRIVATE 1 74 75 #include <openssl/ssl.h> 76 #include <openssl/evp.h> 77 #include <openssl/objects.h> 78 #include <openssl/krb5_asn.h> 79 #include "kssl_lcl.h" 80 81 #ifndef OPENSSL_NO_KRB5 82 83 #ifndef ENOMEM 84 #define ENOMEM KRB5KRB_ERR_GENERIC 85 #endif 86 87 /* 88 * When OpenSSL is built on Windows, we do not want to require that 89 * the Kerberos DLLs be available in order for the OpenSSL DLLs to 90 * work. Therefore, all Kerberos routines are loaded at run time 91 * and we do not link to a .LIB file. 92 */ 93 94 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) 95 /* 96 * The purpose of the following pre-processor statements is to provide 97 * compatibility with different releases of MIT Kerberos for Windows. 98 * All versions up to 1.2 used macros. But macros do not allow for 99 * a binary compatible interface for DLLs. Therefore, all macros are 100 * being replaced by function calls. The following code will allow 101 * an OpenSSL DLL built on Windows to work whether or not the macro 102 * or function form of the routines are utilized. 103 */ 104 #ifdef krb5_cc_get_principal 105 #define NO_DEF_KRB5_CCACHE 106 #undef krb5_cc_get_principal 107 #endif 108 #define krb5_cc_get_principal kssl_krb5_cc_get_principal 109 110 #define krb5_free_data_contents kssl_krb5_free_data_contents 111 #define krb5_free_context kssl_krb5_free_context 112 #define krb5_auth_con_free kssl_krb5_auth_con_free 113 #define krb5_free_principal kssl_krb5_free_principal 114 #define krb5_mk_req_extended kssl_krb5_mk_req_extended 115 #define krb5_get_credentials kssl_krb5_get_credentials 116 #define krb5_cc_default kssl_krb5_cc_default 117 #define krb5_sname_to_principal kssl_krb5_sname_to_principal 118 #define krb5_init_context kssl_krb5_init_context 119 #define krb5_free_ticket kssl_krb5_free_ticket 120 #define krb5_rd_req kssl_krb5_rd_req 121 #define krb5_kt_default kssl_krb5_kt_default 122 #define krb5_kt_resolve kssl_krb5_kt_resolve 123 /* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */ 124 #ifndef krb5_kt_close 125 #define krb5_kt_close kssl_krb5_kt_close 126 #endif /* krb5_kt_close */ 127 #ifndef krb5_kt_get_entry 128 #define krb5_kt_get_entry kssl_krb5_kt_get_entry 129 #endif /* krb5_kt_get_entry */ 130 #define krb5_auth_con_init kssl_krb5_auth_con_init 131 132 #define krb5_principal_compare kssl_krb5_principal_compare 133 #define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part 134 #define krb5_timeofday kssl_krb5_timeofday 135 #define krb5_rc_default kssl_krb5_rc_default 136 137 #ifdef krb5_rc_initialize 138 #undef krb5_rc_initialize 139 #endif 140 #define krb5_rc_initialize kssl_krb5_rc_initialize 141 142 #ifdef krb5_rc_get_lifespan 143 #undef krb5_rc_get_lifespan 144 #endif 145 #define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan 146 147 #ifdef krb5_rc_destroy 148 #undef krb5_rc_destroy 149 #endif 150 #define krb5_rc_destroy kssl_krb5_rc_destroy 151 152 #define valid_cksumtype kssl_valid_cksumtype 153 #define krb5_checksum_size kssl_krb5_checksum_size 154 #define krb5_kt_free_entry kssl_krb5_kt_free_entry 155 #define krb5_auth_con_setrcache kssl_krb5_auth_con_setrcache 156 #define krb5_auth_con_getrcache kssl_krb5_auth_con_getrcache 157 #define krb5_get_server_rcache kssl_krb5_get_server_rcache 158 159 /* Prototypes for built in stubs */ 160 void kssl_krb5_free_data_contents(krb5_context, krb5_data *); 161 void kssl_krb5_free_principal(krb5_context, krb5_principal ); 162 krb5_error_code kssl_krb5_kt_resolve(krb5_context, 163 krb5_const char *, 164 krb5_keytab *); 165 krb5_error_code kssl_krb5_kt_default(krb5_context, 166 krb5_keytab *); 167 krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *); 168 krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, 169 krb5_const krb5_data *, 170 krb5_const_principal, krb5_keytab, 171 krb5_flags *,krb5_ticket **); 172 173 krb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal, 174 krb5_const_principal); 175 krb5_error_code kssl_krb5_mk_req_extended(krb5_context, 176 krb5_auth_context *, 177 krb5_const krb5_flags, 178 krb5_data *, 179 krb5_creds *, 180 krb5_data * ); 181 krb5_error_code kssl_krb5_init_context(krb5_context *); 182 void kssl_krb5_free_context(krb5_context); 183 krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache *); 184 krb5_error_code kssl_krb5_sname_to_principal(krb5_context, 185 krb5_const char *, 186 krb5_const char *, 187 krb5_int32, 188 krb5_principal *); 189 krb5_error_code kssl_krb5_get_credentials(krb5_context, 190 krb5_const krb5_flags, 191 krb5_ccache, 192 krb5_creds *, 193 krb5_creds * *); 194 krb5_error_code kssl_krb5_auth_con_init(krb5_context, 195 krb5_auth_context *); 196 krb5_error_code kssl_krb5_cc_get_principal(krb5_context context, 197 krb5_ccache cache, 198 krb5_principal *principal); 199 krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context); 200 size_t kssl_krb5_checksum_size(krb5_context context,krb5_cksumtype ctype); 201 krb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype); 202 krb5_error_code krb5_kt_free_entry(krb5_context,krb5_keytab_entry FAR * ); 203 krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, 204 krb5_auth_context, 205 krb5_rcache); 206 krb5_error_code kssl_krb5_get_server_rcache(krb5_context, 207 krb5_const krb5_data *, 208 krb5_rcache *); 209 krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, 210 krb5_auth_context, 211 krb5_rcache *); 212 213 /* Function pointers (almost all Kerberos functions are _stdcall) */ 214 static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *) 215 =NULL; 216 static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal ) 217 =NULL; 218 static krb5_error_code(_stdcall *p_krb5_kt_resolve) 219 (krb5_context, krb5_const char *, krb5_keytab *)=NULL; 220 static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context, 221 krb5_keytab *)=NULL; 222 static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context, 223 krb5_ticket *)=NULL; 224 static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context, 225 krb5_auth_context *, 226 krb5_const krb5_data *, 227 krb5_const_principal, 228 krb5_keytab, krb5_flags *, 229 krb5_ticket **)=NULL; 230 static krb5_error_code (_stdcall *p_krb5_mk_req_extended) 231 (krb5_context, krb5_auth_context *, 232 krb5_const krb5_flags, krb5_data *, krb5_creds *, 233 krb5_data * )=NULL; 234 static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL; 235 static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL; 236 static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context, 237 krb5_ccache *)=NULL; 238 static krb5_error_code (_stdcall *p_krb5_sname_to_principal) 239 (krb5_context, krb5_const char *, krb5_const char *, 240 krb5_int32, krb5_principal *)=NULL; 241 static krb5_error_code (_stdcall *p_krb5_get_credentials) 242 (krb5_context, krb5_const krb5_flags, krb5_ccache, 243 krb5_creds *, krb5_creds **)=NULL; 244 static krb5_error_code (_stdcall *p_krb5_auth_con_init) 245 (krb5_context, krb5_auth_context *)=NULL; 246 static krb5_error_code (_stdcall *p_krb5_cc_get_principal) 247 (krb5_context context, krb5_ccache cache, 248 krb5_principal *principal)=NULL; 249 static krb5_error_code (_stdcall *p_krb5_auth_con_free) 250 (krb5_context, krb5_auth_context)=NULL; 251 static krb5_error_code (_stdcall *p_krb5_decrypt_tkt_part) 252 (krb5_context, krb5_const krb5_keyblock *, 253 krb5_ticket *)=NULL; 254 static krb5_error_code (_stdcall *p_krb5_timeofday) 255 (krb5_context context, krb5_int32 *timeret)=NULL; 256 static krb5_error_code (_stdcall *p_krb5_rc_default) 257 (krb5_context context, krb5_rcache *rc)=NULL; 258 static krb5_error_code (_stdcall *p_krb5_rc_initialize) 259 (krb5_context context, krb5_rcache rc, 260 krb5_deltat lifespan)=NULL; 261 static krb5_error_code (_stdcall *p_krb5_rc_get_lifespan) 262 (krb5_context context, krb5_rcache rc, 263 krb5_deltat *lifespan)=NULL; 264 static krb5_error_code (_stdcall *p_krb5_rc_destroy) 265 (krb5_context context, krb5_rcache rc)=NULL; 266 static krb5_boolean (_stdcall *p_krb5_principal_compare) 267 (krb5_context, krb5_const_principal, krb5_const_principal)=NULL; 268 static size_t (_stdcall *p_krb5_checksum_size)(krb5_context context,krb5_cksumtype ctype)=NULL; 269 static krb5_boolean (_stdcall *p_valid_cksumtype)(krb5_cksumtype ctype)=NULL; 270 static krb5_error_code (_stdcall *p_krb5_kt_free_entry) 271 (krb5_context,krb5_keytab_entry * )=NULL; 272 static krb5_error_code (_stdcall * p_krb5_auth_con_setrcache)(krb5_context, 273 krb5_auth_context, 274 krb5_rcache)=NULL; 275 static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context, 276 krb5_const krb5_data *, 277 krb5_rcache *)=NULL; 278 static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, 279 krb5_auth_context, 280 krb5_rcache *)=NULL; 281 static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, 282 krb5_keytab keytab)=NULL; 283 static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, 284 krb5_keytab keytab, 285 krb5_const_principal principal, krb5_kvno vno, 286 krb5_enctype enctype, krb5_keytab_entry *entry)=NULL; 287 static int krb5_loaded = 0; /* only attempt to initialize func ptrs once */ 288 289 /* Function to Load the Kerberos 5 DLL and initialize function pointers */ 290 void 291 load_krb5_dll(void) 292 { 293 HANDLE hKRB5_32; 294 295 krb5_loaded++; 296 hKRB5_32 = LoadLibrary(TEXT("KRB5_32")); 297 if (!hKRB5_32) 298 return; 299 300 (FARPROC) p_krb5_free_data_contents = 301 GetProcAddress( hKRB5_32, "krb5_free_data_contents" ); 302 (FARPROC) p_krb5_free_context = 303 GetProcAddress( hKRB5_32, "krb5_free_context" ); 304 (FARPROC) p_krb5_auth_con_free = 305 GetProcAddress( hKRB5_32, "krb5_auth_con_free" ); 306 (FARPROC) p_krb5_free_principal = 307 GetProcAddress( hKRB5_32, "krb5_free_principal" ); 308 (FARPROC) p_krb5_mk_req_extended = 309 GetProcAddress( hKRB5_32, "krb5_mk_req_extended" ); 310 (FARPROC) p_krb5_get_credentials = 311 GetProcAddress( hKRB5_32, "krb5_get_credentials" ); 312 (FARPROC) p_krb5_cc_get_principal = 313 GetProcAddress( hKRB5_32, "krb5_cc_get_principal" ); 314 (FARPROC) p_krb5_cc_default = 315 GetProcAddress( hKRB5_32, "krb5_cc_default" ); 316 (FARPROC) p_krb5_sname_to_principal = 317 GetProcAddress( hKRB5_32, "krb5_sname_to_principal" ); 318 (FARPROC) p_krb5_init_context = 319 GetProcAddress( hKRB5_32, "krb5_init_context" ); 320 (FARPROC) p_krb5_free_ticket = 321 GetProcAddress( hKRB5_32, "krb5_free_ticket" ); 322 (FARPROC) p_krb5_rd_req = 323 GetProcAddress( hKRB5_32, "krb5_rd_req" ); 324 (FARPROC) p_krb5_principal_compare = 325 GetProcAddress( hKRB5_32, "krb5_principal_compare" ); 326 (FARPROC) p_krb5_decrypt_tkt_part = 327 GetProcAddress( hKRB5_32, "krb5_decrypt_tkt_part" ); 328 (FARPROC) p_krb5_timeofday = 329 GetProcAddress( hKRB5_32, "krb5_timeofday" ); 330 (FARPROC) p_krb5_rc_default = 331 GetProcAddress( hKRB5_32, "krb5_rc_default" ); 332 (FARPROC) p_krb5_rc_initialize = 333 GetProcAddress( hKRB5_32, "krb5_rc_initialize" ); 334 (FARPROC) p_krb5_rc_get_lifespan = 335 GetProcAddress( hKRB5_32, "krb5_rc_get_lifespan" ); 336 (FARPROC) p_krb5_rc_destroy = 337 GetProcAddress( hKRB5_32, "krb5_rc_destroy" ); 338 (FARPROC) p_krb5_kt_default = 339 GetProcAddress( hKRB5_32, "krb5_kt_default" ); 340 (FARPROC) p_krb5_kt_resolve = 341 GetProcAddress( hKRB5_32, "krb5_kt_resolve" ); 342 (FARPROC) p_krb5_auth_con_init = 343 GetProcAddress( hKRB5_32, "krb5_auth_con_init" ); 344 (FARPROC) p_valid_cksumtype = 345 GetProcAddress( hKRB5_32, "valid_cksumtype" ); 346 (FARPROC) p_krb5_checksum_size = 347 GetProcAddress( hKRB5_32, "krb5_checksum_size" ); 348 (FARPROC) p_krb5_kt_free_entry = 349 GetProcAddress( hKRB5_32, "krb5_kt_free_entry" ); 350 (FARPROC) p_krb5_auth_con_setrcache = 351 GetProcAddress( hKRB5_32, "krb5_auth_con_setrcache" ); 352 (FARPROC) p_krb5_get_server_rcache = 353 GetProcAddress( hKRB5_32, "krb5_get_server_rcache" ); 354 (FARPROC) p_krb5_auth_con_getrcache = 355 GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" ); 356 (FARPROC) p_krb5_kt_close = 357 GetProcAddress( hKRB5_32, "krb5_kt_close" ); 358 (FARPROC) p_krb5_kt_get_entry = 359 GetProcAddress( hKRB5_32, "krb5_kt_get_entry" ); 360 } 361 362 /* Stubs for each function to be dynamicly loaded */ 363 void 364 kssl_krb5_free_data_contents(krb5_context CO, krb5_data * data) 365 { 366 if (!krb5_loaded) 367 load_krb5_dll(); 368 369 if ( p_krb5_free_data_contents ) 370 p_krb5_free_data_contents(CO,data); 371 } 372 373 krb5_error_code 374 kssl_krb5_mk_req_extended (krb5_context CO, 375 krb5_auth_context * pACO, 376 krb5_const krb5_flags F, 377 krb5_data * pD1, 378 krb5_creds * pC, 379 krb5_data * pD2) 380 { 381 if (!krb5_loaded) 382 load_krb5_dll(); 383 384 if ( p_krb5_mk_req_extended ) 385 return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2)); 386 else 387 return KRB5KRB_ERR_GENERIC; 388 } 389 krb5_error_code 390 kssl_krb5_auth_con_init(krb5_context CO, 391 krb5_auth_context * pACO) 392 { 393 if (!krb5_loaded) 394 load_krb5_dll(); 395 396 if ( p_krb5_auth_con_init ) 397 return(p_krb5_auth_con_init(CO,pACO)); 398 else 399 return KRB5KRB_ERR_GENERIC; 400 } 401 krb5_error_code 402 kssl_krb5_auth_con_free (krb5_context CO, 403 krb5_auth_context ACO) 404 { 405 if (!krb5_loaded) 406 load_krb5_dll(); 407 408 if ( p_krb5_auth_con_free ) 409 return(p_krb5_auth_con_free(CO,ACO)); 410 else 411 return KRB5KRB_ERR_GENERIC; 412 } 413 krb5_error_code 414 kssl_krb5_get_credentials(krb5_context CO, 415 krb5_const krb5_flags F, 416 krb5_ccache CC, 417 krb5_creds * pCR, 418 krb5_creds ** ppCR) 419 { 420 if (!krb5_loaded) 421 load_krb5_dll(); 422 423 if ( p_krb5_get_credentials ) 424 return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR)); 425 else 426 return KRB5KRB_ERR_GENERIC; 427 } 428 krb5_error_code 429 kssl_krb5_sname_to_principal(krb5_context CO, 430 krb5_const char * pC1, 431 krb5_const char * pC2, 432 krb5_int32 I, 433 krb5_principal * pPR) 434 { 435 if (!krb5_loaded) 436 load_krb5_dll(); 437 438 if ( p_krb5_sname_to_principal ) 439 return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR)); 440 else 441 return KRB5KRB_ERR_GENERIC; 442 } 443 444 krb5_error_code 445 kssl_krb5_cc_default(krb5_context CO, 446 krb5_ccache * pCC) 447 { 448 if (!krb5_loaded) 449 load_krb5_dll(); 450 451 if ( p_krb5_cc_default ) 452 return(p_krb5_cc_default(CO,pCC)); 453 else 454 return KRB5KRB_ERR_GENERIC; 455 } 456 457 krb5_error_code 458 kssl_krb5_init_context(krb5_context * pCO) 459 { 460 if (!krb5_loaded) 461 load_krb5_dll(); 462 463 if ( p_krb5_init_context ) 464 return(p_krb5_init_context(pCO)); 465 else 466 return KRB5KRB_ERR_GENERIC; 467 } 468 469 void 470 kssl_krb5_free_context(krb5_context CO) 471 { 472 if (!krb5_loaded) 473 load_krb5_dll(); 474 475 if ( p_krb5_free_context ) 476 p_krb5_free_context(CO); 477 } 478 479 void 480 kssl_krb5_free_principal(krb5_context c, krb5_principal p) 481 { 482 if (!krb5_loaded) 483 load_krb5_dll(); 484 485 if ( p_krb5_free_principal ) 486 p_krb5_free_principal(c,p); 487 } 488 489 krb5_error_code 490 kssl_krb5_kt_resolve(krb5_context con, 491 krb5_const char * sz, 492 krb5_keytab * kt) 493 { 494 if (!krb5_loaded) 495 load_krb5_dll(); 496 497 if ( p_krb5_kt_resolve ) 498 return(p_krb5_kt_resolve(con,sz,kt)); 499 else 500 return KRB5KRB_ERR_GENERIC; 501 } 502 503 krb5_error_code 504 kssl_krb5_kt_default(krb5_context con, 505 krb5_keytab * kt) 506 { 507 if (!krb5_loaded) 508 load_krb5_dll(); 509 510 if ( p_krb5_kt_default ) 511 return(p_krb5_kt_default(con,kt)); 512 else 513 return KRB5KRB_ERR_GENERIC; 514 } 515 516 krb5_error_code 517 kssl_krb5_free_ticket(krb5_context con, 518 krb5_ticket * kt) 519 { 520 if (!krb5_loaded) 521 load_krb5_dll(); 522 523 if ( p_krb5_free_ticket ) 524 return(p_krb5_free_ticket(con,kt)); 525 else 526 return KRB5KRB_ERR_GENERIC; 527 } 528 529 krb5_error_code 530 kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon, 531 krb5_const krb5_data * data, 532 krb5_const_principal princ, krb5_keytab keytab, 533 krb5_flags * flags, krb5_ticket ** pptkt) 534 { 535 if (!krb5_loaded) 536 load_krb5_dll(); 537 538 if ( p_krb5_rd_req ) 539 return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt)); 540 else 541 return KRB5KRB_ERR_GENERIC; 542 } 543 544 krb5_boolean 545 krb5_principal_compare(krb5_context con, krb5_const_principal princ1, 546 krb5_const_principal princ2) 547 { 548 if (!krb5_loaded) 549 load_krb5_dll(); 550 551 if ( p_krb5_principal_compare ) 552 return(p_krb5_principal_compare(con,princ1,princ2)); 553 else 554 return KRB5KRB_ERR_GENERIC; 555 } 556 557 krb5_error_code 558 krb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys, 559 krb5_ticket *ticket) 560 { 561 if (!krb5_loaded) 562 load_krb5_dll(); 563 564 if ( p_krb5_decrypt_tkt_part ) 565 return(p_krb5_decrypt_tkt_part(con,keys,ticket)); 566 else 567 return KRB5KRB_ERR_GENERIC; 568 } 569 570 krb5_error_code 571 krb5_timeofday(krb5_context con, krb5_int32 *timeret) 572 { 573 if (!krb5_loaded) 574 load_krb5_dll(); 575 576 if ( p_krb5_timeofday ) 577 return(p_krb5_timeofday(con,timeret)); 578 else 579 return KRB5KRB_ERR_GENERIC; 580 } 581 582 krb5_error_code 583 krb5_rc_default(krb5_context con, krb5_rcache *rc) 584 { 585 if (!krb5_loaded) 586 load_krb5_dll(); 587 588 if ( p_krb5_rc_default ) 589 return(p_krb5_rc_default(con,rc)); 590 else 591 return KRB5KRB_ERR_GENERIC; 592 } 593 594 krb5_error_code 595 krb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan) 596 { 597 if (!krb5_loaded) 598 load_krb5_dll(); 599 600 if ( p_krb5_rc_initialize ) 601 return(p_krb5_rc_initialize(con, rc, lifespan)); 602 else 603 return KRB5KRB_ERR_GENERIC; 604 } 605 606 krb5_error_code 607 krb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp) 608 { 609 if (!krb5_loaded) 610 load_krb5_dll(); 611 612 if ( p_krb5_rc_get_lifespan ) 613 return(p_krb5_rc_get_lifespan(con, rc, lifespanp)); 614 else 615 return KRB5KRB_ERR_GENERIC; 616 } 617 618 krb5_error_code 619 krb5_rc_destroy(krb5_context con, krb5_rcache rc) 620 { 621 if (!krb5_loaded) 622 load_krb5_dll(); 623 624 if ( p_krb5_rc_destroy ) 625 return(p_krb5_rc_destroy(con, rc)); 626 else 627 return KRB5KRB_ERR_GENERIC; 628 } 629 630 size_t 631 krb5_checksum_size(krb5_context context,krb5_cksumtype ctype) 632 { 633 if (!krb5_loaded) 634 load_krb5_dll(); 635 636 if ( p_krb5_checksum_size ) 637 return(p_krb5_checksum_size(context, ctype)); 638 else 639 return KRB5KRB_ERR_GENERIC; 640 } 641 642 krb5_boolean 643 valid_cksumtype(krb5_cksumtype ctype) 644 { 645 if (!krb5_loaded) 646 load_krb5_dll(); 647 648 if ( p_valid_cksumtype ) 649 return(p_valid_cksumtype(ctype)); 650 else 651 return KRB5KRB_ERR_GENERIC; 652 } 653 654 krb5_error_code 655 krb5_kt_free_entry(krb5_context con,krb5_keytab_entry * entry) 656 { 657 if (!krb5_loaded) 658 load_krb5_dll(); 659 660 if ( p_krb5_kt_free_entry ) 661 return(p_krb5_kt_free_entry(con,entry)); 662 else 663 return KRB5KRB_ERR_GENERIC; 664 } 665 666 /* Structure definitions */ 667 #ifndef NO_DEF_KRB5_CCACHE 668 #ifndef krb5_x 669 #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) 670 #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) 671 #endif 672 673 typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */ 674 675 typedef struct _krb5_ccache 676 { 677 krb5_magic magic; 678 struct _krb5_cc_ops FAR *ops; 679 krb5_pointer data; 680 } *krb5_ccache; 681 682 typedef struct _krb5_cc_ops 683 { 684 krb5_magic magic; 685 char *prefix; 686 char * (KRB5_CALLCONV *get_name) 687 (krb5_context, krb5_ccache); 688 krb5_error_code (KRB5_CALLCONV *resolve) 689 (krb5_context, krb5_ccache *, const char *); 690 krb5_error_code (KRB5_CALLCONV *gen_new) 691 (krb5_context, krb5_ccache *); 692 krb5_error_code (KRB5_CALLCONV *init) 693 (krb5_context, krb5_ccache, krb5_principal); 694 krb5_error_code (KRB5_CALLCONV *destroy) 695 (krb5_context, krb5_ccache); 696 krb5_error_code (KRB5_CALLCONV *close) 697 (krb5_context, krb5_ccache); 698 krb5_error_code (KRB5_CALLCONV *store) 699 (krb5_context, krb5_ccache, krb5_creds *); 700 krb5_error_code (KRB5_CALLCONV *retrieve) 701 (krb5_context, krb5_ccache, 702 krb5_flags, krb5_creds *, krb5_creds *); 703 krb5_error_code (KRB5_CALLCONV *get_princ) 704 (krb5_context, krb5_ccache, krb5_principal *); 705 krb5_error_code (KRB5_CALLCONV *get_first) 706 (krb5_context, krb5_ccache, krb5_cc_cursor *); 707 krb5_error_code (KRB5_CALLCONV *get_next) 708 (krb5_context, krb5_ccache, 709 krb5_cc_cursor *, krb5_creds *); 710 krb5_error_code (KRB5_CALLCONV *end_get) 711 (krb5_context, krb5_ccache, krb5_cc_cursor *); 712 krb5_error_code (KRB5_CALLCONV *remove_cred) 713 (krb5_context, krb5_ccache, 714 krb5_flags, krb5_creds *); 715 krb5_error_code (KRB5_CALLCONV *set_flags) 716 (krb5_context, krb5_ccache, krb5_flags); 717 } krb5_cc_ops; 718 #endif /* NO_DEF_KRB5_CCACHE */ 719 720 krb5_error_code 721 kssl_krb5_cc_get_principal 722 (krb5_context context, krb5_ccache cache, 723 krb5_principal *principal) 724 { 725 if ( p_krb5_cc_get_principal ) 726 return(p_krb5_cc_get_principal(context,cache,principal)); 727 else 728 return(krb5_x 729 ((cache)->ops->get_princ,(context, cache, principal))); 730 } 731 732 krb5_error_code 733 kssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon, 734 krb5_rcache rcache) 735 { 736 if ( p_krb5_auth_con_setrcache ) 737 return(p_krb5_auth_con_setrcache(con,acon,rcache)); 738 else 739 return KRB5KRB_ERR_GENERIC; 740 } 741 742 krb5_error_code 743 kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data, 744 krb5_rcache * rcache) 745 { 746 if ( p_krb5_get_server_rcache ) 747 return(p_krb5_get_server_rcache(con,data,rcache)); 748 else 749 return KRB5KRB_ERR_GENERIC; 750 } 751 752 krb5_error_code 753 kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon, 754 krb5_rcache * prcache) 755 { 756 if ( p_krb5_auth_con_getrcache ) 757 return(p_krb5_auth_con_getrcache(con,acon, prcache)); 758 else 759 return KRB5KRB_ERR_GENERIC; 760 } 761 762 krb5_error_code 763 kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab) 764 { 765 if ( p_krb5_kt_close ) 766 return(p_krb5_kt_close(context,keytab)); 767 else 768 return KRB5KRB_ERR_GENERIC; 769 } 770 771 krb5_error_code 772 kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, 773 krb5_const_principal principal, krb5_kvno vno, 774 krb5_enctype enctype, krb5_keytab_entry *entry) 775 { 776 if ( p_krb5_kt_get_entry ) 777 return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry)); 778 else 779 return KRB5KRB_ERR_GENERIC; 780 } 781 #endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ 782 783 784 /* memory allocation functions for non-temporary storage 785 * (e.g. stuff that gets saved into the kssl context) */ 786 static void* kssl_calloc(size_t nmemb, size_t size) 787 { 788 void* p; 789 790 p=OPENSSL_malloc(nmemb*size); 791 if (p){ 792 memset(p, 0, nmemb*size); 793 } 794 return p; 795 } 796 797 #define kssl_malloc(size) OPENSSL_malloc((size)) 798 #define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size) 799 #define kssl_free(ptr) OPENSSL_free((ptr)) 800 801 802 char 803 *kstring(char *string) 804 { 805 static char *null = "[NULL]"; 806 807 return ((string == NULL)? null: string); 808 } 809 810 /* Given KRB5 enctype (basically DES or 3DES), 811 ** return closest match openssl EVP_ encryption algorithm. 812 ** Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes. 813 ** Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK. 814 */ 815 const EVP_CIPHER * 816 kssl_map_enc(krb5_enctype enctype) 817 { 818 switch (enctype) 819 { 820 case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */ 821 case ENCTYPE_DES_CBC_CRC: 822 case ENCTYPE_DES_CBC_MD4: 823 case ENCTYPE_DES_CBC_MD5: 824 case ENCTYPE_DES_CBC_RAW: 825 return EVP_des_cbc(); 826 break; 827 case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ 828 case ENCTYPE_DES3_CBC_SHA: 829 case ENCTYPE_DES3_CBC_RAW: 830 return EVP_des_ede3_cbc(); 831 break; 832 default: return NULL; 833 break; 834 } 835 } 836 837 838 /* Return true:1 if p "looks like" the start of the real authenticator 839 ** described in kssl_skip_confound() below. The ASN.1 pattern is 840 ** "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and 841 ** xx and yy are possibly multi-byte length fields. 842 */ 843 static int kssl_test_confound(unsigned char *p) 844 { 845 int len = 2; 846 int xx = 0, yy = 0; 847 848 if (*p++ != 0x62) return 0; 849 if (*p > 0x82) return 0; 850 switch(*p) { 851 case 0x82: p++; xx = (*p++ << 8); xx += *p++; break; 852 case 0x81: p++; xx = *p++; break; 853 case 0x80: return 0; 854 default: xx = *p++; break; 855 } 856 if (*p++ != 0x30) return 0; 857 if (*p > 0x82) return 0; 858 switch(*p) { 859 case 0x82: p++; len+=2; yy = (*p++ << 8); yy += *p++; break; 860 case 0x81: p++; len++; yy = *p++; break; 861 case 0x80: return 0; 862 default: yy = *p++; break; 863 } 864 865 return (xx - len == yy)? 1: 0; 866 } 867 868 /* Allocate, fill, and return cksumlens array of checksum lengths. 869 ** This array holds just the unique elements from the krb5_cksumarray[]. 870 ** array[n] == 0 signals end of data. 871 ** 872 ** The krb5_cksumarray[] was an internal variable that has since been 873 ** replaced by a more general method for storing the data. It should 874 ** not be used. Instead we use real API calls and make a guess for 875 ** what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 876 ** it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. 877 */ 878 static size_t *populate_cksumlens(void) 879 { 880 int i, j, n; 881 static size_t *cklens = NULL; 882 883 #ifdef KRB5_MIT_OLD11 884 n = krb5_max_cksum; 885 #else 886 n = 0x0010; 887 #endif /* KRB5_MIT_OLD11 */ 888 889 #ifdef KRB5CHECKAUTH 890 if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1))) return NULL; 891 892 for (i=0; i < n; i++) { 893 if (!valid_cksumtype(i)) continue; /* array has holes */ 894 for (j=0; j < n; j++) { 895 if (cklens[j] == 0) { 896 cklens[j] = krb5_checksum_size(NULL,i); 897 break; /* krb5 elem was new: add */ 898 } 899 if (cklens[j] == krb5_checksum_size(NULL,i)) { 900 break; /* ignore duplicate elements */ 901 } 902 } 903 } 904 #endif /* KRB5CHECKAUTH */ 905 906 return cklens; 907 } 908 909 /* Return pointer to start of real authenticator within authenticator, or 910 ** return NULL on error. 911 ** Decrypted authenticator looks like this: 912 ** [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] 913 ** This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the 914 ** krb5_auth_con_getcksumtype() function advertised in its krb5.h. 915 */ 916 unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) 917 { 918 int i, conlen; 919 size_t cklen; 920 static size_t *cksumlens = NULL; 921 unsigned char *test_auth; 922 923 conlen = (etype)? 8: 0; 924 925 if (!cksumlens && !(cksumlens = populate_cksumlens())) return NULL; 926 for (i=0; (cklen = cksumlens[i]) != 0; i++) 927 { 928 test_auth = a + conlen + cklen; 929 if (kssl_test_confound(test_auth)) return test_auth; 930 } 931 932 return NULL; 933 } 934 935 936 /* Set kssl_err error info when reason text is a simple string 937 ** kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; } 938 */ 939 void 940 kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) 941 { 942 if (kssl_err == NULL) return; 943 944 kssl_err->reason = reason; 945 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text); 946 return; 947 } 948 949 950 /* Display contents of krb5_data struct, for debugging 951 */ 952 void 953 print_krb5_data(char *label, krb5_data *kdata) 954 { 955 int i; 956 957 printf("%s[%d] ", label, kdata->length); 958 for (i=0; i < (int)kdata->length; i++) 959 { 960 if (0 && isprint((int) kdata->data[i])) 961 printf( "%c ", kdata->data[i]); 962 else 963 printf( "%02x ", (unsigned char) kdata->data[i]); 964 } 965 printf("\n"); 966 } 967 968 969 /* Display contents of krb5_authdata struct, for debugging 970 */ 971 void 972 print_krb5_authdata(char *label, krb5_authdata **adata) 973 { 974 if (adata == NULL) 975 { 976 printf("%s, authdata==0\n", label); 977 return; 978 } 979 printf("%s [%p]\n", label, (void *)adata); 980 #if 0 981 { 982 int i; 983 printf("%s[at%d:%d] ", label, adata->ad_type, adata->length); 984 for (i=0; i < adata->length; i++) 985 { 986 printf((isprint(adata->contents[i]))? "%c ": "%02x", 987 adata->contents[i]); 988 } 989 printf("\n"); 990 } 991 #endif 992 } 993 994 995 /* Display contents of krb5_keyblock struct, for debugging 996 */ 997 void 998 print_krb5_keyblock(char *label, krb5_keyblock *keyblk) 999 { 1000 int i; 1001 1002 if (keyblk == NULL) 1003 { 1004 printf("%s, keyblk==0\n", label); 1005 return; 1006 } 1007 #ifdef KRB5_HEIMDAL 1008 printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype, 1009 keyblk->keyvalue->length); 1010 for (i=0; i < (int)keyblk->keyvalue->length; i++) 1011 { 1012 printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]); 1013 } 1014 printf("\n"); 1015 #else 1016 printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length); 1017 for (i=0; i < (int)keyblk->length; i++) 1018 { 1019 printf("%02x",keyblk->contents[i]); 1020 } 1021 printf("\n"); 1022 #endif 1023 } 1024 1025 1026 /* Display contents of krb5_principal_data struct, for debugging 1027 ** (krb5_principal is typedef'd == krb5_principal_data *) 1028 */ 1029 static void 1030 print_krb5_princ(char *label, krb5_principal_data *princ) 1031 { 1032 int i, ui, uj; 1033 1034 printf("%s principal Realm: ", label); 1035 if (princ == NULL) return; 1036 for (ui=0; ui < (int)princ->realm.length; ui++) putchar(princ->realm.data[ui]); 1037 printf(" (nametype %d) has %d strings:\n", princ->type,princ->length); 1038 for (i=0; i < (int)princ->length; i++) 1039 { 1040 printf("\t%d [%d]: ", i, princ->data[i].length); 1041 for (uj=0; uj < (int)princ->data[i].length; uj++) { 1042 putchar(princ->data[i].data[uj]); 1043 } 1044 printf("\n"); 1045 } 1046 return; 1047 } 1048 1049 1050 /* Given krb5 service (typically "kssl") and hostname in kssl_ctx, 1051 ** Return encrypted Kerberos ticket for service @ hostname. 1052 ** If authenp is non-NULL, also return encrypted authenticator, 1053 ** whose data should be freed by caller. 1054 ** (Originally was: Create Kerberos AP_REQ message for SSL Client.) 1055 ** 1056 ** 19990628 VRS Started; Returns Kerberos AP_REQ message. 1057 ** 20010409 VRS Modified for RFC2712; Returns enc tkt. 1058 ** 20010606 VRS May also return optional authenticator. 1059 */ 1060 krb5_error_code 1061 kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, 1062 /* OUT */ krb5_data **enc_ticketp, 1063 /* UPDATE */ krb5_data *authenp, 1064 /* OUT */ KSSL_ERR *kssl_err) 1065 { 1066 krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1067 krb5_context krb5context = NULL; 1068 krb5_auth_context krb5auth_context = NULL; 1069 krb5_ccache krb5ccdef = NULL; 1070 krb5_creds krb5creds, *krb5credsp = NULL; 1071 krb5_data krb5_app_req; 1072 1073 kssl_err_set(kssl_err, 0, ""); 1074 memset((char *)&krb5creds, 0, sizeof(krb5creds)); 1075 1076 if (!kssl_ctx) 1077 { 1078 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1079 "No kssl_ctx defined.\n"); 1080 goto err; 1081 } 1082 else if (!kssl_ctx->service_host) 1083 { 1084 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1085 "kssl_ctx service_host undefined.\n"); 1086 goto err; 1087 } 1088 1089 if ((krb5rc = krb5_init_context(&krb5context)) != 0) 1090 { 1091 BIO_snprintf(kssl_err->text,KSSL_ERR_MAX, 1092 "krb5_init_context() fails: %d\n", krb5rc); 1093 kssl_err->reason = SSL_R_KRB5_C_INIT; 1094 goto err; 1095 } 1096 1097 if ((krb5rc = krb5_sname_to_principal(krb5context, 1098 kssl_ctx->service_host, 1099 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, 1100 KRB5_NT_SRV_HST, &krb5creds.server)) != 0) 1101 { 1102 BIO_snprintf(kssl_err->text,KSSL_ERR_MAX, 1103 "krb5_sname_to_principal() fails for %s/%s\n", 1104 kssl_ctx->service_host, 1105 (kssl_ctx->service_name)? kssl_ctx->service_name: 1106 KRB5SVC); 1107 kssl_err->reason = SSL_R_KRB5_C_INIT; 1108 goto err; 1109 } 1110 1111 if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) 1112 { 1113 kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, 1114 "krb5_cc_default fails.\n"); 1115 goto err; 1116 } 1117 1118 if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, 1119 &krb5creds.client)) != 0) 1120 { 1121 kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, 1122 "krb5_cc_get_principal() fails.\n"); 1123 goto err; 1124 } 1125 1126 if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, 1127 &krb5creds, &krb5credsp)) != 0) 1128 { 1129 kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED, 1130 "krb5_get_credentials() fails.\n"); 1131 goto err; 1132 } 1133 1134 *enc_ticketp = &krb5credsp->ticket; 1135 #ifdef KRB5_HEIMDAL 1136 kssl_ctx->enctype = krb5credsp->session.keytype; 1137 #else 1138 kssl_ctx->enctype = krb5credsp->keyblock.enctype; 1139 #endif 1140 1141 krb5rc = KRB5KRB_ERR_GENERIC; 1142 /* caller should free data of krb5_app_req */ 1143 /* 20010406 VRS deleted for real KerberosWrapper 1144 ** 20010605 VRS reinstated to offer Authenticator to KerberosWrapper 1145 */ 1146 krb5_app_req.length = 0; 1147 if (authenp) 1148 { 1149 krb5_data krb5in_data; 1150 const unsigned char *p; 1151 long arlen; 1152 KRB5_APREQBODY *ap_req; 1153 1154 authenp->length = 0; 1155 krb5in_data.data = NULL; 1156 krb5in_data.length = 0; 1157 if ((krb5rc = krb5_mk_req_extended(krb5context, 1158 &krb5auth_context, 0, &krb5in_data, krb5credsp, 1159 &krb5_app_req)) != 0) 1160 { 1161 kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ, 1162 "krb5_mk_req_extended() fails.\n"); 1163 goto err; 1164 } 1165 1166 arlen = krb5_app_req.length; 1167 p = (unsigned char *)krb5_app_req.data; 1168 ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen); 1169 if (ap_req) 1170 { 1171 authenp->length = i2d_KRB5_ENCDATA( 1172 ap_req->authenticator, NULL); 1173 if (authenp->length && 1174 (authenp->data = malloc(authenp->length))) 1175 { 1176 unsigned char *adp = (unsigned char *)authenp->data; 1177 authenp->length = i2d_KRB5_ENCDATA( 1178 ap_req->authenticator, &adp); 1179 } 1180 } 1181 1182 if (ap_req) KRB5_APREQ_free((KRB5_APREQ *) ap_req); 1183 if (krb5_app_req.length) 1184 kssl_krb5_free_data_contents(krb5context,&krb5_app_req); 1185 } 1186 #ifdef KRB5_HEIMDAL 1187 if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) 1188 { 1189 kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, 1190 "kssl_ctx_setkey() fails.\n"); 1191 } 1192 #else 1193 if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) 1194 { 1195 kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, 1196 "kssl_ctx_setkey() fails.\n"); 1197 } 1198 #endif 1199 else krb5rc = 0; 1200 1201 err: 1202 #ifdef KSSL_DEBUG 1203 kssl_ctx_show(kssl_ctx); 1204 #endif /* KSSL_DEBUG */ 1205 1206 if (krb5creds.client) krb5_free_principal(krb5context, 1207 krb5creds.client); 1208 if (krb5creds.server) krb5_free_principal(krb5context, 1209 krb5creds.server); 1210 if (krb5auth_context) krb5_auth_con_free(krb5context, 1211 krb5auth_context); 1212 if (krb5context) krb5_free_context(krb5context); 1213 return (krb5rc); 1214 } 1215 1216 1217 /* Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. 1218 ** Return Kerberos error code and kssl_err struct on error. 1219 ** Allocates krb5_ticket and krb5_principal; caller should free these. 1220 ** 1221 ** 20010410 VRS Implemented krb5_decode_ticket() as 1222 ** old_krb5_decode_ticket(). Missing from MIT1.0.6. 1223 ** 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. 1224 ** Re-used some of the old krb5_decode_ticket() 1225 ** code here. This tkt should alloc/free just 1226 ** like the real thing. 1227 */ 1228 static krb5_error_code 1229 kssl_TKT2tkt( /* IN */ krb5_context krb5context, 1230 /* IN */ KRB5_TKTBODY *asn1ticket, 1231 /* OUT */ krb5_ticket **krb5ticket, 1232 /* OUT */ KSSL_ERR *kssl_err ) 1233 { 1234 krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1235 krb5_ticket *new5ticket = NULL; 1236 ASN1_GENERALSTRING *gstr_svc, *gstr_host; 1237 1238 *krb5ticket = NULL; 1239 1240 if (asn1ticket == NULL || asn1ticket->realm == NULL || 1241 asn1ticket->sname == NULL || 1242 sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) 1243 { 1244 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1245 "Null field in asn1ticket.\n"); 1246 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1247 return KRB5KRB_ERR_GENERIC; 1248 } 1249 1250 if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL) 1251 { 1252 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1253 "Unable to allocate new krb5_ticket.\n"); 1254 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1255 return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */ 1256 } 1257 1258 gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0); 1259 gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1); 1260 1261 if ((krb5rc = kssl_build_principal_2(krb5context, 1262 &new5ticket->server, 1263 asn1ticket->realm->length, (char *)asn1ticket->realm->data, 1264 gstr_svc->length, (char *)gstr_svc->data, 1265 gstr_host->length, (char *)gstr_host->data)) != 0) 1266 { 1267 free(new5ticket); 1268 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1269 "Error building ticket server principal.\n"); 1270 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1271 return krb5rc; /* or KRB5KRB_ERR_GENERIC; */ 1272 } 1273 1274 krb5_princ_type(krb5context, new5ticket->server) = 1275 asn1ticket->sname->nametype->data[0]; 1276 new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0]; 1277 new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0]; 1278 new5ticket->enc_part.ciphertext.length = 1279 asn1ticket->encdata->cipher->length; 1280 if ((new5ticket->enc_part.ciphertext.data = 1281 calloc(1, asn1ticket->encdata->cipher->length)) == NULL) 1282 { 1283 free(new5ticket); 1284 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1285 "Error allocating cipher in krb5ticket.\n"); 1286 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1287 return KRB5KRB_ERR_GENERIC; 1288 } 1289 else 1290 { 1291 memcpy(new5ticket->enc_part.ciphertext.data, 1292 asn1ticket->encdata->cipher->data, 1293 asn1ticket->encdata->cipher->length); 1294 } 1295 1296 *krb5ticket = new5ticket; 1297 return 0; 1298 } 1299 1300 1301 /* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), 1302 ** and krb5 AP_REQ message & message length, 1303 ** Return Kerberos session key and client principle 1304 ** to SSL Server in KSSL_CTX *kssl_ctx. 1305 ** 1306 ** 19990702 VRS Started. 1307 */ 1308 krb5_error_code 1309 kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, 1310 /* IN */ krb5_data *indata, 1311 /* OUT */ krb5_ticket_times *ttimes, 1312 /* OUT */ KSSL_ERR *kssl_err ) 1313 { 1314 krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1315 static krb5_context krb5context = NULL; 1316 static krb5_auth_context krb5auth_context = NULL; 1317 krb5_ticket *krb5ticket = NULL; 1318 KRB5_TKTBODY *asn1ticket = NULL; 1319 const unsigned char *p; 1320 krb5_keytab krb5keytab = NULL; 1321 krb5_keytab_entry kt_entry; 1322 krb5_principal krb5server; 1323 krb5_rcache rcache = NULL; 1324 1325 kssl_err_set(kssl_err, 0, ""); 1326 1327 if (!kssl_ctx) 1328 { 1329 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1330 "No kssl_ctx defined.\n"); 1331 goto err; 1332 } 1333 1334 #ifdef KSSL_DEBUG 1335 printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name)); 1336 #endif /* KSSL_DEBUG */ 1337 1338 if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) 1339 { 1340 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1341 "krb5_init_context() fails.\n"); 1342 goto err; 1343 } 1344 if (krb5auth_context && 1345 (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) 1346 { 1347 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1348 "krb5_auth_con_free() fails.\n"); 1349 goto err; 1350 } 1351 else krb5auth_context = NULL; 1352 if (!krb5auth_context && 1353 (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) 1354 { 1355 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1356 "krb5_auth_con_init() fails.\n"); 1357 goto err; 1358 } 1359 1360 1361 if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context, 1362 &rcache))) 1363 { 1364 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1365 "krb5_auth_con_getrcache() fails.\n"); 1366 goto err; 1367 } 1368 1369 if ((krb5rc = krb5_sname_to_principal(krb5context, NULL, 1370 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, 1371 KRB5_NT_SRV_HST, &krb5server)) != 0) 1372 { 1373 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1374 "krb5_sname_to_principal() fails.\n"); 1375 goto err; 1376 } 1377 1378 if (rcache == NULL) 1379 { 1380 if ((krb5rc = krb5_get_server_rcache(krb5context, 1381 krb5_princ_component(krb5context, krb5server, 0), 1382 &rcache))) 1383 { 1384 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1385 "krb5_get_server_rcache() fails.\n"); 1386 goto err; 1387 } 1388 } 1389 1390 if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache))) 1391 { 1392 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1393 "krb5_auth_con_setrcache() fails.\n"); 1394 goto err; 1395 } 1396 1397 1398 /* kssl_ctx->keytab_file == NULL ==> use Kerberos default 1399 */ 1400 if (kssl_ctx->keytab_file) 1401 { 1402 krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, 1403 &krb5keytab); 1404 if (krb5rc) 1405 { 1406 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1407 "krb5_kt_resolve() fails.\n"); 1408 goto err; 1409 } 1410 } 1411 else 1412 { 1413 krb5rc = krb5_kt_default(krb5context,&krb5keytab); 1414 if (krb5rc) 1415 { 1416 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 1417 "krb5_kt_default() fails.\n"); 1418 goto err; 1419 } 1420 } 1421 1422 /* Actual Kerberos5 krb5_recvauth() has initial conversation here 1423 ** o check KRB5_SENDAUTH_BADAUTHVERS 1424 ** unless KRB5_RECVAUTH_SKIP_VERSION 1425 ** o check KRB5_SENDAUTH_BADAPPLVERS 1426 ** o send "0" msg if all OK 1427 */ 1428 1429 /* 20010411 was using AP_REQ instead of true KerberosWrapper 1430 ** 1431 ** if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, 1432 ** &krb5in_data, krb5server, krb5keytab, 1433 ** &ap_option, &krb5ticket)) != 0) { Error } 1434 */ 1435 1436 p = (unsigned char *)indata->data; 1437 if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p, 1438 (long) indata->length)) == NULL) 1439 { 1440 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1441 "d2i_KRB5_TICKET() ASN.1 decode failure.\n"); 1442 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1443 goto err; 1444 } 1445 1446 /* Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */ 1447 if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket, 1448 kssl_err)) != 0) 1449 { 1450 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1451 "Error converting ASN.1 ticket to krb5_ticket.\n"); 1452 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1453 goto err; 1454 } 1455 1456 if (! krb5_principal_compare(krb5context, krb5server, 1457 krb5ticket->server)) { 1458 krb5rc = KRB5_PRINC_NOMATCH; 1459 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1460 "server principal != ticket principal\n"); 1461 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1462 goto err; 1463 } 1464 if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 1465 krb5ticket->server, krb5ticket->enc_part.kvno, 1466 krb5ticket->enc_part.enctype, &kt_entry)) != 0) { 1467 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1468 "krb5_kt_get_entry() fails with %x.\n", krb5rc); 1469 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1470 goto err; 1471 } 1472 if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key, 1473 krb5ticket)) != 0) { 1474 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, 1475 "krb5_decrypt_tkt_part() failed.\n"); 1476 kssl_err->reason = SSL_R_KRB5_S_RD_REQ; 1477 goto err; 1478 } 1479 else { 1480 krb5_kt_free_entry(krb5context, &kt_entry); 1481 #ifdef KSSL_DEBUG 1482 { 1483 int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs; 1484 printf("Decrypted ticket fields:\n"); 1485 printf("\tflags: %X, transit-type: %X", 1486 krb5ticket->enc_part2->flags, 1487 krb5ticket->enc_part2->transited.tr_type); 1488 print_krb5_data("\ttransit-data: ", 1489 &(krb5ticket->enc_part2->transited.tr_contents)); 1490 printf("\tcaddrs: %p, authdata: %p\n", 1491 krb5ticket->enc_part2->caddrs, 1492 krb5ticket->enc_part2->authorization_data); 1493 if (paddr) 1494 { 1495 printf("\tcaddrs:\n"); 1496 for (i=0; paddr[i] != NULL; i++) 1497 { 1498 krb5_data d; 1499 d.length=paddr[i]->length; 1500 d.data=paddr[i]->contents; 1501 print_krb5_data("\t\tIP: ", &d); 1502 } 1503 } 1504 printf("\tstart/auth/end times: %d / %d / %d\n", 1505 krb5ticket->enc_part2->times.starttime, 1506 krb5ticket->enc_part2->times.authtime, 1507 krb5ticket->enc_part2->times.endtime); 1508 } 1509 #endif /* KSSL_DEBUG */ 1510 } 1511 1512 krb5rc = KRB5_NO_TKT_SUPPLIED; 1513 if (!krb5ticket || !krb5ticket->enc_part2 || 1514 !krb5ticket->enc_part2->client || 1515 !krb5ticket->enc_part2->client->data || 1516 !krb5ticket->enc_part2->session) 1517 { 1518 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1519 "bad ticket from krb5_rd_req.\n"); 1520 } 1521 else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, 1522 &krb5ticket->enc_part2->client->realm, 1523 krb5ticket->enc_part2->client->data, 1524 krb5ticket->enc_part2->client->length)) 1525 { 1526 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1527 "kssl_ctx_setprinc() fails.\n"); 1528 } 1529 else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) 1530 { 1531 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1532 "kssl_ctx_setkey() fails.\n"); 1533 } 1534 else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) 1535 { 1536 krb5rc = KRB5KRB_AP_ERR_TKT_INVALID; 1537 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, 1538 "invalid ticket from krb5_rd_req.\n"); 1539 } 1540 else krb5rc = 0; 1541 1542 kssl_ctx->enctype = krb5ticket->enc_part.enctype; 1543 ttimes->authtime = krb5ticket->enc_part2->times.authtime; 1544 ttimes->starttime = krb5ticket->enc_part2->times.starttime; 1545 ttimes->endtime = krb5ticket->enc_part2->times.endtime; 1546 ttimes->renew_till = krb5ticket->enc_part2->times.renew_till; 1547 1548 err: 1549 #ifdef KSSL_DEBUG 1550 kssl_ctx_show(kssl_ctx); 1551 #endif /* KSSL_DEBUG */ 1552 1553 if (asn1ticket) KRB5_TICKET_free((KRB5_TICKET *) asn1ticket); 1554 if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); 1555 if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket); 1556 if (krb5server) krb5_free_principal(krb5context, krb5server); 1557 return (krb5rc); 1558 } 1559 1560 1561 /* Allocate & return a new kssl_ctx struct. 1562 */ 1563 KSSL_CTX * 1564 kssl_ctx_new(void) 1565 { 1566 return ((KSSL_CTX *) kssl_calloc(1, sizeof(KSSL_CTX))); 1567 } 1568 1569 1570 /* Frees a kssl_ctx struct and any allocated memory it holds. 1571 ** Returns NULL. 1572 */ 1573 KSSL_CTX * 1574 kssl_ctx_free(KSSL_CTX *kssl_ctx) 1575 { 1576 if (kssl_ctx == NULL) return kssl_ctx; 1577 1578 if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key, 1579 kssl_ctx->length); 1580 if (kssl_ctx->key) kssl_free(kssl_ctx->key); 1581 if (kssl_ctx->client_princ) kssl_free(kssl_ctx->client_princ); 1582 if (kssl_ctx->service_host) kssl_free(kssl_ctx->service_host); 1583 if (kssl_ctx->service_name) kssl_free(kssl_ctx->service_name); 1584 if (kssl_ctx->keytab_file) kssl_free(kssl_ctx->keytab_file); 1585 1586 kssl_free(kssl_ctx); 1587 return (KSSL_CTX *) NULL; 1588 } 1589 1590 1591 /* Given an array of (krb5_data *) entity (and optional realm), 1592 ** set the plain (char *) client_princ or service_host member 1593 ** of the kssl_ctx struct. 1594 */ 1595 krb5_error_code 1596 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, 1597 krb5_data *realm, krb5_data *entity, int nentities) 1598 { 1599 char **princ; 1600 int length; 1601 int i; 1602 1603 if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR; 1604 1605 switch (which) 1606 { 1607 case KSSL_CLIENT: princ = &kssl_ctx->client_princ; break; 1608 case KSSL_SERVER: princ = &kssl_ctx->service_host; break; 1609 default: return KSSL_CTX_ERR; break; 1610 } 1611 if (*princ) kssl_free(*princ); 1612 1613 /* Add up all the entity->lengths */ 1614 length = 0; 1615 for (i=0; i < nentities; i++) 1616 { 1617 length += entity[i].length; 1618 } 1619 /* Add in space for the '/' character(s) (if any) */ 1620 length += nentities-1; 1621 /* Space for the ('@'+realm+NULL | NULL) */ 1622 length += ((realm)? realm->length + 2: 1); 1623 1624 if ((*princ = kssl_calloc(1, length)) == NULL) 1625 return KSSL_CTX_ERR; 1626 else 1627 { 1628 for (i = 0; i < nentities; i++) 1629 { 1630 strncat(*princ, entity[i].data, entity[i].length); 1631 if (i < nentities-1) 1632 { 1633 strcat (*princ, "/"); 1634 } 1635 } 1636 if (realm) 1637 { 1638 strcat (*princ, "@"); 1639 (void) strncat(*princ, realm->data, realm->length); 1640 } 1641 } 1642 1643 return KSSL_CTX_OK; 1644 } 1645 1646 1647 /* Set one of the plain (char *) string members of the kssl_ctx struct. 1648 ** Default values should be: 1649 ** which == KSSL_SERVICE => "khost" (KRB5SVC) 1650 ** which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) 1651 */ 1652 krb5_error_code 1653 kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) 1654 { 1655 char **string; 1656 1657 if (!kssl_ctx) return KSSL_CTX_ERR; 1658 1659 switch (which) 1660 { 1661 case KSSL_SERVICE: string = &kssl_ctx->service_name; break; 1662 case KSSL_SERVER: string = &kssl_ctx->service_host; break; 1663 case KSSL_CLIENT: string = &kssl_ctx->client_princ; break; 1664 case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break; 1665 default: return KSSL_CTX_ERR; break; 1666 } 1667 if (*string) kssl_free(*string); 1668 1669 if (!text) 1670 { 1671 *string = '\0'; 1672 return KSSL_CTX_OK; 1673 } 1674 1675 if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL) 1676 return KSSL_CTX_ERR; 1677 else 1678 strcpy(*string, text); 1679 1680 return KSSL_CTX_OK; 1681 } 1682 1683 1684 /* Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx 1685 ** struct. Clear kssl_ctx->key if Kerberos session key is NULL. 1686 */ 1687 krb5_error_code 1688 kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) 1689 { 1690 int length; 1691 krb5_enctype enctype; 1692 krb5_octet FAR *contents = NULL; 1693 1694 if (!kssl_ctx) return KSSL_CTX_ERR; 1695 1696 if (kssl_ctx->key) 1697 { 1698 OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); 1699 kssl_free(kssl_ctx->key); 1700 } 1701 1702 if (session) 1703 { 1704 1705 #ifdef KRB5_HEIMDAL 1706 length = session->keyvalue->length; 1707 enctype = session->keytype; 1708 contents = session->keyvalue->contents; 1709 #else 1710 length = session->length; 1711 enctype = session->enctype; 1712 contents = session->contents; 1713 #endif 1714 kssl_ctx->enctype = enctype; 1715 kssl_ctx->length = length; 1716 } 1717 else 1718 { 1719 kssl_ctx->enctype = ENCTYPE_UNKNOWN; 1720 kssl_ctx->length = 0; 1721 return KSSL_CTX_OK; 1722 } 1723 1724 if ((kssl_ctx->key = 1725 (krb5_octet FAR *) kssl_calloc(1, kssl_ctx->length)) == NULL) 1726 { 1727 kssl_ctx->length = 0; 1728 return KSSL_CTX_ERR; 1729 } 1730 else 1731 memcpy(kssl_ctx->key, contents, length); 1732 1733 return KSSL_CTX_OK; 1734 } 1735 1736 1737 /* Display contents of kssl_ctx struct 1738 */ 1739 void 1740 kssl_ctx_show(KSSL_CTX *kssl_ctx) 1741 { 1742 int i; 1743 1744 printf("kssl_ctx: "); 1745 if (kssl_ctx == NULL) 1746 { 1747 printf("NULL\n"); 1748 return; 1749 } 1750 else 1751 printf("%p\n", (void *)kssl_ctx); 1752 1753 printf("\tservice:\t%s\n", 1754 (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL"); 1755 printf("\tclient:\t%s\n", 1756 (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL"); 1757 printf("\tserver:\t%s\n", 1758 (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL"); 1759 printf("\tkeytab:\t%s\n", 1760 (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL"); 1761 printf("\tkey [%d:%d]:\t", 1762 kssl_ctx->enctype, kssl_ctx->length); 1763 1764 for (i=0; i < kssl_ctx->length && kssl_ctx->key; i++) 1765 { 1766 printf("%02x", kssl_ctx->key[i]); 1767 } 1768 printf("\n"); 1769 return; 1770 } 1771 1772 int 1773 kssl_keytab_is_available(KSSL_CTX *kssl_ctx) 1774 { 1775 krb5_context krb5context = NULL; 1776 krb5_keytab krb5keytab = NULL; 1777 krb5_keytab_entry entry; 1778 krb5_principal princ = NULL; 1779 krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1780 int rc = 0; 1781 1782 if ((krb5rc = krb5_init_context(&krb5context))) 1783 return(0); 1784 1785 /* kssl_ctx->keytab_file == NULL ==> use Kerberos default 1786 */ 1787 if (kssl_ctx->keytab_file) 1788 { 1789 krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, 1790 &krb5keytab); 1791 if (krb5rc) 1792 goto exit; 1793 } 1794 else 1795 { 1796 krb5rc = krb5_kt_default(krb5context,&krb5keytab); 1797 if (krb5rc) 1798 goto exit; 1799 } 1800 1801 /* the host key we are looking for */ 1802 krb5rc = krb5_sname_to_principal(krb5context, NULL, 1803 kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC, 1804 KRB5_NT_SRV_HST, &princ); 1805 1806 if (krb5rc) 1807 goto exit; 1808 1809 krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 1810 princ, 1811 0 /* IGNORE_VNO */, 1812 0 /* IGNORE_ENCTYPE */, 1813 &entry); 1814 if ( krb5rc == KRB5_KT_NOTFOUND ) { 1815 rc = 1; 1816 goto exit; 1817 } else if ( krb5rc ) 1818 goto exit; 1819 1820 krb5_kt_free_entry(krb5context, &entry); 1821 rc = 1; 1822 1823 exit: 1824 if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); 1825 if (princ) krb5_free_principal(krb5context, princ); 1826 if (krb5context) krb5_free_context(krb5context); 1827 return(rc); 1828 } 1829 1830 int 1831 kssl_tgt_is_available(KSSL_CTX *kssl_ctx) 1832 { 1833 krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; 1834 krb5_context krb5context = NULL; 1835 krb5_ccache krb5ccdef = NULL; 1836 krb5_creds krb5creds, *krb5credsp = NULL; 1837 int rc = 0; 1838 1839 memset((char *)&krb5creds, 0, sizeof(krb5creds)); 1840 1841 if (!kssl_ctx) 1842 return(0); 1843 1844 if (!kssl_ctx->service_host) 1845 return(0); 1846 1847 if ((krb5rc = krb5_init_context(&krb5context)) != 0) 1848 goto err; 1849 1850 if ((krb5rc = krb5_sname_to_principal(krb5context, 1851 kssl_ctx->service_host, 1852 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, 1853 KRB5_NT_SRV_HST, &krb5creds.server)) != 0) 1854 goto err; 1855 1856 if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) 1857 goto err; 1858 1859 if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, 1860 &krb5creds.client)) != 0) 1861 goto err; 1862 1863 if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, 1864 &krb5creds, &krb5credsp)) != 0) 1865 goto err; 1866 1867 rc = 1; 1868 1869 err: 1870 #ifdef KSSL_DEBUG 1871 kssl_ctx_show(kssl_ctx); 1872 #endif /* KSSL_DEBUG */ 1873 1874 if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client); 1875 if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server); 1876 if (krb5context) krb5_free_context(krb5context); 1877 return(rc); 1878 } 1879 1880 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32) 1881 void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) 1882 { 1883 #ifdef KRB5_HEIMDAL 1884 data->length = 0; 1885 if (data->data) 1886 free(data->data); 1887 #elif defined(KRB5_MIT_OLD11) 1888 if (data->data) { 1889 krb5_xfree(data->data); 1890 data->data = 0; 1891 } 1892 #else 1893 krb5_free_data_contents(NULL, data); 1894 #endif 1895 } 1896 #endif /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */ 1897 1898 1899 /* Given pointers to KerberosTime and struct tm structs, convert the 1900 ** KerberosTime string to struct tm. Note that KerberosTime is a 1901 ** ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional 1902 ** seconds as defined in RFC 1510. 1903 ** Return pointer to the (partially) filled in struct tm on success, 1904 ** return NULL on failure. 1905 */ 1906 static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) 1907 { 1908 char c, *p; 1909 1910 if (!k_tm) return NULL; 1911 if (gtime == NULL || gtime->length < 14) return NULL; 1912 if (gtime->data == NULL) return NULL; 1913 1914 p = (char *)>ime->data[14]; 1915 1916 c = *p; *p = '\0'; p -= 2; k_tm->tm_sec = atoi(p); *(p+2) = c; 1917 c = *p; *p = '\0'; p -= 2; k_tm->tm_min = atoi(p); *(p+2) = c; 1918 c = *p; *p = '\0'; p -= 2; k_tm->tm_hour = atoi(p); *(p+2) = c; 1919 c = *p; *p = '\0'; p -= 2; k_tm->tm_mday = atoi(p); *(p+2) = c; 1920 c = *p; *p = '\0'; p -= 2; k_tm->tm_mon = atoi(p)-1; *(p+2) = c; 1921 c = *p; *p = '\0'; p -= 4; k_tm->tm_year = atoi(p)-1900; *(p+4) = c; 1922 1923 return k_tm; 1924 } 1925 1926 1927 /* Helper function for kssl_validate_times(). 1928 ** We need context->clockskew, but krb5_context is an opaque struct. 1929 ** So we try to sneek the clockskew out through the replay cache. 1930 ** If that fails just return a likely default (300 seconds). 1931 */ 1932 static krb5_deltat get_rc_clockskew(krb5_context context) 1933 { 1934 krb5_rcache rc; 1935 krb5_deltat clockskew; 1936 1937 if (krb5_rc_default(context, &rc)) return KSSL_CLOCKSKEW; 1938 if (krb5_rc_initialize(context, rc, 0)) return KSSL_CLOCKSKEW; 1939 if (krb5_rc_get_lifespan(context, rc, &clockskew)) { 1940 clockskew = KSSL_CLOCKSKEW; 1941 } 1942 (void) krb5_rc_destroy(context, rc); 1943 return clockskew; 1944 } 1945 1946 1947 /* kssl_validate_times() combines (and more importantly exposes) 1948 ** the MIT KRB5 internal function krb5_validate_times() and the 1949 ** in_clock_skew() macro. The authenticator client time is checked 1950 ** to be within clockskew secs of the current time and the current 1951 ** time is checked to be within the ticket start and expire times. 1952 ** Either check may be omitted by supplying a NULL value. 1953 ** Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. 1954 ** See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c 1955 ** 20010420 VRS 1956 */ 1957 krb5_error_code kssl_validate_times( krb5_timestamp atime, 1958 krb5_ticket_times *ttimes) 1959 { 1960 krb5_deltat skew; 1961 krb5_timestamp start, now; 1962 krb5_error_code rc; 1963 krb5_context context; 1964 1965 if ((rc = krb5_init_context(&context))) return SSL_R_KRB5_S_BAD_TICKET; 1966 skew = get_rc_clockskew(context); 1967 if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET; 1968 krb5_free_context(context); 1969 1970 if (atime && labs(atime - now) >= skew) return SSL_R_KRB5_S_TKT_SKEW; 1971 1972 if (! ttimes) return 0; 1973 1974 start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime; 1975 if (start - now > skew) return SSL_R_KRB5_S_TKT_NYV; 1976 if ((now - ttimes->endtime) > skew) return SSL_R_KRB5_S_TKT_EXPIRED; 1977 1978 #ifdef KSSL_DEBUG 1979 printf("kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", 1980 start, atime, now, skew, ttimes->endtime); 1981 #endif /* KSSL_DEBUG */ 1982 1983 return 0; 1984 } 1985 1986 1987 /* Decode and decrypt given DER-encoded authenticator, then pass 1988 ** authenticator ctime back in *atimep (or 0 if time unavailable). 1989 ** Returns krb5_error_code and kssl_err on error. A NULL 1990 ** authenticator (authentp->length == 0) is not considered an error. 1991 ** Note that kssl_check_authent() makes use of the KRB5 session key; 1992 ** you must call kssl_sget_tkt() to get the key before calling this routine. 1993 */ 1994 krb5_error_code kssl_check_authent( 1995 /* IN */ KSSL_CTX *kssl_ctx, 1996 /* IN */ krb5_data *authentp, 1997 /* OUT */ krb5_timestamp *atimep, 1998 /* OUT */ KSSL_ERR *kssl_err ) 1999 { 2000 krb5_error_code krb5rc = 0; 2001 KRB5_ENCDATA *dec_authent = NULL; 2002 KRB5_AUTHENTBODY *auth = NULL; 2003 krb5_enctype enctype; 2004 EVP_CIPHER_CTX ciph_ctx; 2005 const EVP_CIPHER *enc = NULL; 2006 unsigned char iv[EVP_MAX_IV_LENGTH]; 2007 const unsigned char *p; 2008 unsigned char *unenc_authent; 2009 int outl, unencbufsize; 2010 struct tm tm_time, *tm_l, *tm_g; 2011 time_t now, tl, tg, tr, tz_offset; 2012 2013 EVP_CIPHER_CTX_init(&ciph_ctx); 2014 *atimep = 0; 2015 kssl_err_set(kssl_err, 0, ""); 2016 2017 #ifndef KRB5CHECKAUTH 2018 authentp = NULL; 2019 #else 2020 #if KRB5CHECKAUTH == 0 2021 authentp = NULL; 2022 #endif 2023 #endif /* KRB5CHECKAUTH */ 2024 2025 if (authentp == NULL || authentp->length == 0) return 0; 2026 2027 #ifdef KSSL_DEBUG 2028 { 2029 unsigned int ui; 2030 printf("kssl_check_authent: authenticator[%d]:\n",authentp->length); 2031 p = authentp->data; 2032 for (ui=0; ui < authentp->length; ui++) printf("%02x ",p[ui]); 2033 printf("\n"); 2034 } 2035 #endif /* KSSL_DEBUG */ 2036 2037 unencbufsize = 2 * authentp->length; 2038 if ((unenc_authent = calloc(1, unencbufsize)) == NULL) 2039 { 2040 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2041 "Unable to allocate authenticator buffer.\n"); 2042 krb5rc = KRB5KRB_ERR_GENERIC; 2043 goto err; 2044 } 2045 2046 p = (unsigned char *)authentp->data; 2047 if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p, 2048 (long) authentp->length)) == NULL) 2049 { 2050 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2051 "Error decoding authenticator.\n"); 2052 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2053 goto err; 2054 } 2055 2056 enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */ 2057 #if !defined(KRB5_MIT_OLD11) 2058 switch ( enctype ) { 2059 case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ 2060 case ENCTYPE_DES3_CBC_SHA: 2061 case ENCTYPE_DES3_CBC_RAW: 2062 krb5rc = 0; /* Skip, can't handle derived keys */ 2063 goto err; 2064 } 2065 #endif 2066 enc = kssl_map_enc(enctype); 2067 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 2068 2069 if (enc == NULL) 2070 { 2071 /* Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1. 2072 ** This enctype indicates the authenticator was encrypted 2073 ** using key-usage derived keys which openssl cannot decrypt. 2074 */ 2075 goto err; 2076 } 2077 2078 if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0)) 2079 { 2080 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2081 "EVP_CipherInit error decrypting authenticator.\n"); 2082 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2083 goto err; 2084 } 2085 outl = dec_authent->cipher->length; 2086 if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl)) 2087 { 2088 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2089 "EVP_Cipher error decrypting authenticator.\n"); 2090 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2091 goto err; 2092 } 2093 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2094 2095 #ifdef KSSL_DEBUG 2096 { 2097 int padl; 2098 printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl); 2099 for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]); 2100 printf("\n"); 2101 } 2102 #endif /* KSSL_DEBUG */ 2103 2104 if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) 2105 { 2106 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2107 "confounded by authenticator.\n"); 2108 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2109 goto err; 2110 } 2111 outl -= p - unenc_authent; 2112 2113 if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p, 2114 (long) outl))==NULL) 2115 { 2116 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 2117 "Error decoding authenticator body.\n"); 2118 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; 2119 goto err; 2120 } 2121 2122 memset(&tm_time,0,sizeof(struct tm)); 2123 if (k_gmtime(auth->ctime, &tm_time) && 2124 ((tr = mktime(&tm_time)) != (time_t)(-1))) 2125 { 2126 now = time(&now); 2127 tm_l = localtime(&now); tl = mktime(tm_l); 2128 tm_g = gmtime(&now); tg = mktime(tm_g); 2129 tz_offset = tg - tl; 2130 2131 *atimep = (krb5_timestamp)(tr - tz_offset); 2132 } 2133 2134 #ifdef KSSL_DEBUG 2135 printf("kssl_check_authent: returns %d for client time ", *atimep); 2136 if (auth && auth->ctime && auth->ctime->length && auth->ctime->data) 2137 printf("%.*s\n", auth->ctime->length, auth->ctime->data); 2138 else printf("NULL\n"); 2139 #endif /* KSSL_DEBUG */ 2140 2141 err: 2142 if (auth) KRB5_AUTHENT_free((KRB5_AUTHENT *) auth); 2143 if (dec_authent) KRB5_ENCDATA_free(dec_authent); 2144 if (unenc_authent) free(unenc_authent); 2145 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 2146 return krb5rc; 2147 } 2148 2149 2150 /* Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host), 2151 ** because I dont't know how to stub varargs. 2152 ** Returns krb5_error_code == ENOMEM on alloc error, otherwise 2153 ** passes back newly constructed principal, which should be freed by caller. 2154 */ 2155 krb5_error_code kssl_build_principal_2( 2156 /* UPDATE */ krb5_context context, 2157 /* OUT */ krb5_principal *princ, 2158 /* IN */ int rlen, const char *realm, 2159 /* IN */ int slen, const char *svc, 2160 /* IN */ int hlen, const char *host) 2161 { 2162 krb5_data *p_data = NULL; 2163 krb5_principal new_p = NULL; 2164 char *new_r = NULL; 2165 2166 if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL || 2167 (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data))) 2168 == NULL) goto err; 2169 new_p->length = 2; 2170 new_p->data = p_data; 2171 2172 if ((new_r = calloc(1, rlen + 1)) == NULL) goto err; 2173 memcpy(new_r, realm, rlen); 2174 krb5_princ_set_realm_length(context, new_p, rlen); 2175 krb5_princ_set_realm_data(context, new_p, new_r); 2176 2177 if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) goto err; 2178 memcpy(new_p->data[0].data, svc, slen); 2179 new_p->data[0].length = slen; 2180 2181 if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) goto err; 2182 memcpy(new_p->data[1].data, host, hlen); 2183 new_p->data[1].length = hlen; 2184 2185 krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN; 2186 *princ = new_p; 2187 return 0; 2188 2189 err: 2190 if (new_p && new_p[0].data) free(new_p[0].data); 2191 if (new_p && new_p[1].data) free(new_p[1].data); 2192 if (new_p) free(new_p); 2193 if (new_r) free(new_r); 2194 return ENOMEM; 2195 } 2196 2197 void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx) 2198 { 2199 s->kssl_ctx = kctx; 2200 } 2201 2202 KSSL_CTX * SSL_get0_kssl_ctx(SSL *s) 2203 { 2204 return s->kssl_ctx; 2205 } 2206 2207 char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx) 2208 { 2209 if (kctx) 2210 return kctx->client_princ; 2211 return NULL; 2212 } 2213 2214 #else /* !OPENSSL_NO_KRB5 */ 2215 2216 #if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS) 2217 static void *dummy=&dummy; 2218 #endif 2219 2220 #endif /* !OPENSSL_NO_KRB5 */ 2221 2222