search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge from main trunk: lets see if this works ;-)
[OpenSSL.git] / ssl / kssl.c
blobfe7f4ebe5e75494f30bcf47bea801c8654658a9d
1 /* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */
2 /* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
3 */
4 /* ====================================================================
5 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com).
55 *
56 */
57
58
59 /* ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl
60 **
61 ** 19990701 VRS Started.
62 */
63
64 #ifndef NO_KRB5
65 #include <string.h>
66 #include <openssl/ssl.h>
67
68 /*
69 * When OpenSSL is built on Windows, we do not want to require that
70 * the Kerberos DLLs be available in order for the OpenSSL DLLs to
71 * work. Therefore, all Kerberos routines are loaded at run time
72 * and we do not link to a .LIB file.
73 */
74
75 #if defined(WINDOWS) || defined(WIN32)
76 /*
77 * The purpose of the following pre-processor statements is to provide
78 * compatibility with different releases of MIT Kerberos for Windows.
79 * All versions up to 1.2 used macros. But macros do not allow for
80 * a binary compatible interface for DLLs. Therefore, all macros are
81 * being replaced by function calls. The following code will allow
82 * an OpenSSL DLL built on Windows to work whether or not the macro
83 * or function form of the routines are utilized.
84 */
85 #ifdef krb5_cc_get_principal
86 #define NO_DEF_KRB5_CCACHE
87 #undef krb5_cc_get_principal
88 #endif
89 #define krb5_cc_get_principal kssl_krb5_cc_get_principal
90
91 #define krb5_free_data_contents kssl_krb5_free_data_contents
92 #define krb5_free_context kssl_krb5_free_context
93 #define krb5_auth_con_free kssl_krb5_auth_con_free
94 #define krb5_free_principal kssl_krb5_free_principal
95 #define krb5_mk_req_extended kssl_krb5_mk_req_extended
96 #define krb5_get_credentials kssl_krb5_get_credentials
97 #define krb5_cc_default kssl_krb5_cc_default
98 #define krb5_sname_to_principal kssl_krb5_sname_to_principal
99 #define krb5_init_context kssl_krb5_init_context
100 #define krb5_free_ticket kssl_krb5_free_ticket
101 #define krb5_rd_req kssl_krb5_rd_req
102 #define krb5_kt_default kssl_krb5_kt_default
103 #define krb5_kt_resolve kssl_krb5_kt_resolve
104 #define krb5_auth_con_init kssl_krb5_auth_con_init
105
106 /* Prototypes for built in stubs */
107 void kssl_krb5_free_data_contents(krb5_context, krb5_data *);
108 void kssl_krb5_free_principal(krb5_context, krb5_principal );
109 krb5_error_code kssl_krb5_kt_resolve(krb5_context,
110 krb5_const char *,
111 krb5_keytab *);
112 krb5_error_code kssl_krb5_kt_default(krb5_context,
113 krb5_keytab *);
114 krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *);
115 krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *,
116 krb5_const krb5_data *,
117 krb5_const_principal, krb5_keytab,
118 krb5_flags *,krb5_ticket **);
119 krb5_error_code kssl_krb5_mk_req_extended(krb5_context,
120 krb5_auth_context *,
121 krb5_const krb5_flags,
122 krb5_data *,
123 krb5_creds *,
124 krb5_data * );
125 krb5_error_code kssl_krb5_init_context(krb5_context *);
126 void kssl_krb5_free_context(krb5_context);
127 krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache *);
128 krb5_error_code kssl_krb5_sname_to_principal(krb5_context,
129 krb5_const char *,
130 krb5_const char *,
131 krb5_int32,
132 krb5_principal *);
133 krb5_error_code kssl_krb5_get_credentials(krb5_context,
134 krb5_const krb5_flags,
135 krb5_ccache,
136 krb5_creds *,
137 krb5_creds * *);
138 krb5_error_code kssl_krb5_auth_con_init(krb5_context,
139 krb5_auth_context *);
140 krb5_error_code kssl_krb5_cc_get_principal(krb5_context context,
141 krb5_ccache cache,
142 krb5_principal *principal);
143 krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context);
144
145 /* Function pointers (almost all Kerberos functions are _stdcall) */
146 static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *)=NULL;
147 static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal )=NULL;
148 static krb5_error_code(_stdcall *p_krb5_kt_resolve)(krb5_context, krb5_const char *,
149 krb5_keytab *)=NULL;
150 static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context,
151 krb5_keytab *)=NULL;
152 static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context,
153 krb5_ticket *)=NULL;
154 static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context,
155 krb5_auth_context *,
156 krb5_const krb5_data *,
157 krb5_const_principal,
158 krb5_keytab, krb5_flags *,
159 krb5_ticket **)=NULL;
160 static krb5_error_code (_stdcall *p_krb5_mk_req_extended) (krb5_context,
161 krb5_auth_context *,
162 krb5_const krb5_flags,
163 krb5_data *,
164 krb5_creds *,
165 krb5_data * )=NULL;
166 static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL;
167 static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL;
168 static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context,
169 krb5_ccache *)=NULL;
170 static krb5_error_code (_stdcall *p_krb5_sname_to_principal)(krb5_context,
171 krb5_const char *,
172 krb5_const char *,
173 krb5_int32,
174 krb5_principal *)=NULL;
175 static krb5_error_code (_stdcall *p_krb5_get_credentials)(krb5_context,
176 krb5_const krb5_flags,
177 krb5_ccache,
178 krb5_creds *,
179 krb5_creds * *)=NULL;
180 static krb5_error_code (_stdcall *p_krb5_auth_con_init)(krb5_context,
181 krb5_auth_context *)=NULL;
182 static krb5_error_code (_stdcall *p_krb5_cc_get_principal)(krb5_context context,
183 krb5_ccache cache,
184 krb5_principal *principal)=NULL;
185 static krb5_error_code (_stdcall *p_krb5_auth_con_free)(krb5_context,
186 krb5_auth_context)=NULL;
187 static int krb5_loaded = 0; /* only attempt to initialize func ptrs once */
188
189 /* Function to Load the Kerberos 5 DLL and initialize function pointers */
190 void
191 load_krb5_dll(void)
192 {
193 HANDLE hKRB5_32;
194
195 krb5_loaded++;
196 hKRB5_32 = LoadLibrary("KRB5_32");
197 if (!hKRB5_32)
198 return;
199
200 (FARPROC) p_krb5_free_data_contents =
201 GetProcAddress( hKRB5_32, "krb5_free_data_contents" );
202 (FARPROC) p_krb5_free_context =
203 GetProcAddress( hKRB5_32, "krb5_free_context" );
204 (FARPROC) p_krb5_auth_con_free =
205 GetProcAddress( hKRB5_32, "krb5_auth_con_free" );
206 (FARPROC) p_krb5_free_principal =
207 GetProcAddress( hKRB5_32, "krb5_free_principal" );
208 (FARPROC) p_krb5_mk_req_extended =
209 GetProcAddress( hKRB5_32, "krb5_mk_req_extended" );
210 (FARPROC) p_krb5_get_credentials =
211 GetProcAddress( hKRB5_32, "krb5_get_credentials" );
212 (FARPROC) p_krb5_cc_get_principal =
213 GetProcAddress( hKRB5_32, "krb5_cc_get_principal" );
214 (FARPROC) p_krb5_cc_default =
215 GetProcAddress( hKRB5_32, "krb5_cc_default" );
216 (FARPROC) p_krb5_sname_to_principal =
217 GetProcAddress( hKRB5_32, "krb5_sname_to_principal" );
218 (FARPROC) p_krb5_init_context =
219 GetProcAddress( hKRB5_32, "krb5_init_context" );
220 (FARPROC) p_krb5_free_ticket =
221 GetProcAddress( hKRB5_32, "krb5_free_ticket" );
222 (FARPROC) p_krb5_rd_req =
223 GetProcAddress( hKRB5_32, "krb5_rd_req" );
224 (FARPROC) p_krb5_kt_default =
225 GetProcAddress( hKRB5_32, "krb5_kt_default" );
226 (FARPROC) p_krb5_kt_resolve =
227 GetProcAddress( hKRB5_32, "krb5_kt_resolve" );
228 (FARPROC) p_krb5_auth_con_init =
229 GetProcAddress( hKRB5_32, "krb5_auth_con_init" );
230 }
231
232 /* Stubs for each function to be dynamicly loaded */
233 void
234 kssl_krb5_free_data_contents(krb5_context CO, krb5_data * data)
235 {
236 if (!krb5_loaded)
237 load_krb5_dll();
238
239 if ( p_krb5_free_data_contents )
240 p_krb5_free_data_contents(CO,data);
241 }
242
243 krb5_error_code
244 kssl_krb5_mk_req_extended (krb5_context CO,
245 krb5_auth_context * pACO,
246 krb5_const krb5_flags F,
247 krb5_data * pD1,
248 krb5_creds * pC,
249 krb5_data * pD2)
250 {
251 if (!krb5_loaded)
252 load_krb5_dll();
253
254 if ( p_krb5_mk_req_extended )
255 return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2));
256 else
257 return KRB5KRB_ERR_GENERIC;
258 }
259 krb5_error_code
260 kssl_krb5_auth_con_init(krb5_context CO,
261 krb5_auth_context * pACO)
262 {
263 if (!krb5_loaded)
264 load_krb5_dll();
265
266 if ( p_krb5_auth_con_init )
267 return(p_krb5_auth_con_init(CO,pACO));
268 else
269 return KRB5KRB_ERR_GENERIC;
270 }
271 krb5_error_code
272 kssl_krb5_auth_con_free (krb5_context CO,
273 krb5_auth_context ACO)
274 {
275 if (!krb5_loaded)
276 load_krb5_dll();
277
278 if ( p_krb5_auth_con_free )
279 return(p_krb5_auth_con_free(CO,ACO));
280 else
281 return KRB5KRB_ERR_GENERIC;
282 }
283 krb5_error_code
284 kssl_krb5_get_credentials(krb5_context CO,
285 krb5_const krb5_flags F,
286 krb5_ccache CC,
287 krb5_creds * pCR,
288 krb5_creds ** ppCR)
289 {
290 if (!krb5_loaded)
291 load_krb5_dll();
292
293 if ( p_krb5_get_credentials )
294 return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR));
295 else
296 return KRB5KRB_ERR_GENERIC;
297 }
298 krb5_error_code
299 kssl_krb5_sname_to_principal(krb5_context CO,
300 krb5_const char * pC1,
301 krb5_const char * pC2,
302 krb5_int32 I,
303 krb5_principal * pPR)
304 {
305 if (!krb5_loaded)
306 load_krb5_dll();
307
308 if ( p_krb5_sname_to_principal )
309 return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR));
310 else
311 return KRB5KRB_ERR_GENERIC;
312 }
313
314 krb5_error_code
315 kssl_krb5_cc_default(krb5_context CO,
316 krb5_ccache * pCC)
317 {
318 if (!krb5_loaded)
319 load_krb5_dll();
320
321 if ( p_krb5_cc_default )
322 return(p_krb5_cc_default(CO,pCC));
323 else
324 return KRB5KRB_ERR_GENERIC;
325 }
326
327 krb5_error_code
328 kssl_krb5_init_context(krb5_context * pCO)
329 {
330 if (!krb5_loaded)
331 load_krb5_dll();
332
333 if ( p_krb5_init_context )
334 return(p_krb5_init_context(pCO));
335 else
336 return KRB5KRB_ERR_GENERIC;
337 }
338
339 void
340 kssl_krb5_free_context(krb5_context CO)
341 {
342 if (!krb5_loaded)
343 load_krb5_dll();
344
345 if ( p_krb5_free_context )
346 p_krb5_free_context(CO);
347 }
348
349 void
350 kssl_krb5_free_principal(krb5_context c, krb5_principal p)
351 {
352 if (!krb5_loaded)
353 load_krb5_dll();
354
355 if ( p_krb5_free_principal )
356 p_krb5_free_principal(c,p);
357 }
358
359 krb5_error_code
360 kssl_krb5_kt_resolve(krb5_context con,
361 krb5_const char * sz,
362 krb5_keytab * kt)
363 {
364 if (!krb5_loaded)
365 load_krb5_dll();
366
367 if ( p_krb5_kt_resolve )
368 return(p_krb5_kt_resolve(con,sz,kt));
369 else
370 return KRB5KRB_ERR_GENERIC;
371 }
372
373 krb5_error_code
374 kssl_krb5_kt_default(krb5_context con,
375 krb5_keytab * kt)
376 {
377 if (!krb5_loaded)
378 load_krb5_dll();
379
380 if ( p_krb5_kt_default )
381 return(p_krb5_kt_default(con,kt));
382 else
383 return KRB5KRB_ERR_GENERIC;
384 }
385
386 krb5_error_code
387 kssl_krb5_free_ticket(krb5_context con,
388 krb5_ticket * kt)
389 {
390 if (!krb5_loaded)
391 load_krb5_dll();
392
393 if ( p_krb5_free_ticket )
394 return(p_krb5_free_ticket(con,kt));
395 else
396 return KRB5KRB_ERR_GENERIC;
397 }
398
399 krb5_error_code
400 kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon,
401 krb5_const krb5_data * data,
402 krb5_const_principal princ, krb5_keytab keytab,
403 krb5_flags * flags, krb5_ticket ** pptkt)
404 {
405 if (!krb5_loaded)
406 load_krb5_dll();
407
408 if ( p_krb5_rd_req )
409 return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt));
410 else
411 return KRB5KRB_ERR_GENERIC;
412 }
413
414 /* Structure definitions */
415 #ifndef NO_DEF_KRB5_CCACHE
416 #ifndef krb5_x
417 #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1))
418 #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0))
419 #endif
420
421 typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */
422
423 typedef struct _krb5_ccache
424 {
425 krb5_magic magic;
426 struct _krb5_cc_ops FAR *ops;
427 krb5_pointer data;
428 } *krb5_ccache;
429
430 typedef struct _krb5_cc_ops
431 {
432 krb5_magic magic;
433 char *prefix;
434 char * (KRB5_CALLCONV *get_name) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
435 krb5_error_code (KRB5_CALLCONV *resolve) KRB5_NPROTOTYPE((krb5_context, krb5_ccache *,
436 const char *));
437 krb5_error_code (KRB5_CALLCONV *gen_new) KRB5_NPROTOTYPE((krb5_context, krb5_ccache *));
438 krb5_error_code (KRB5_CALLCONV *init) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
439 krb5_principal));
440 krb5_error_code (KRB5_CALLCONV *destroy) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
441 krb5_error_code (KRB5_CALLCONV *close) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
442 krb5_error_code (KRB5_CALLCONV *store) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
443 krb5_creds *));
444 krb5_error_code (KRB5_CALLCONV *retrieve) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
445 krb5_flags, krb5_creds *,
446 krb5_creds *));
447 krb5_error_code (KRB5_CALLCONV *get_princ) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
448 krb5_principal *));
449 krb5_error_code (KRB5_CALLCONV *get_first) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
450 krb5_cc_cursor *));
451 krb5_error_code (KRB5_CALLCONV *get_next) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
452 krb5_cc_cursor *, krb5_creds *));
453 krb5_error_code (KRB5_CALLCONV *end_get) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
454 krb5_cc_cursor *));
455 krb5_error_code (KRB5_CALLCONV *remove_cred) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
456 krb5_flags, krb5_creds *));
457 krb5_error_code (KRB5_CALLCONV *set_flags) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
458 krb5_flags));
459 } krb5_cc_ops;
460 #endif /* NO_DEF_KRB5_CCACHE */
461
462 krb5_error_code
463 kssl_krb5_cc_get_principal
464 (krb5_context context, krb5_ccache cache,
465 krb5_principal *principal)
466 {
467 if ( p_krb5_cc_get_principal )
468 return(p_krb5_cc_get_principal(context,cache,principal));
469 else
470 return(krb5_x ((cache)->ops->get_princ,(context, cache, principal)));
471 }
472 #endif /* WINDOWS || WIN32 */
473
474 char
475 *kstring(char *string)
476 {
477 static char *null = "[NULL]";
478
479 return ((string == NULL)? null: string);
480 }
481
482 #define MAXKNUM 255
483 char
484 *knumber(int len, krb5_octet *contents)
485 {
486 static char buf[MAXKNUM+1];
487 int i;
488
489 BIO_snprintf(buf, MAXKNUM, "[%d] ", len);
490
491 for (i=0; i < len && MAXKNUM > strlen(buf)+3; i++)
492 {
493 BIO_snprintf(&buf[strlen(buf)], 3, "%02x", contents[i]);
494 }
495
496 return (buf);
497 }
498
499
500 /* Set kssl_err error info when reason text is a simple string
501 ** kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
502 */
503 void
504 kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
505 {
506 if (kssl_err == NULL) return;
507
508 kssl_err->reason = reason;
509 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text);
510 return;
511 }
512
513
514 /* Display contents of krb5_data struct, for debugging
515 */
516 void
517 print_krb5_data(char *label, krb5_data *kdata)
518 {
519 int i;
520
521 printf("%s[%d] ", label, kdata->length);
522 for (i=0; i < kdata->length; i++)
523 {
524 if (isprint((int) kdata->data[i]))
525 printf( "%c ", kdata->data[i]);
526 else
527 printf( "%02x", kdata->data[i]);
528 }
529 printf("\n");
530 }
531
532
533 /* Display contents of krb5_authdata struct, for debugging
534 */
535 void
536 print_krb5_authdata(char *label, krb5_authdata **adata)
537 {
538 if (adata == NULL)
539 {
540 printf("%s, authdata==0\n", label);
541 return;
542 }
543 printf("%s [%p]\n", label, adata);
544 #if 0
545 {
546 int i;
547 printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
548 for (i=0; i < adata->length; i++)
549 {
550 printf((isprint(adata->contents[i]))? "%c ": "%02x",
551 adata->contents[i]);
552 }
553 printf("\n");
554 }
555 #endif
556 }
557
558
559 /* Display contents of krb5_keyblock struct, for debugging
560 */
561 void
562 print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
563 {
564 int i;
565
566 if (keyblk == NULL)
567 {
568 printf("%s, keyblk==0\n", label);
569 return;
570 }
571 #ifdef KRB5_HEIMDAL
572 printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype, keyblk->keyvalue->length);
573 for (i=0; i < keyblk->keyvalue->length; i++)
574 {
575 printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
576 }
577 printf("\n");
578 #else
579 printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
580 for (i=0; i < keyblk->length; i++)
581 {
582 printf("%02x",keyblk->contents[i]);
583 }
584 printf("\n");
585 #endif
586 }
587
588
589 /* Given krb5 service (typically "kssl") and hostname in kssl_ctx,
590 ** Create Kerberos AP_REQ message for SSL Client.
591 **
592 ** 19990628 VRS Started.
593 */
594 krb5_error_code
595 kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
596 /* OUT */ krb5_data *krb5_app_req, KSSL_ERR *kssl_err)
597 {
598 krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
599 krb5_context krb5context = NULL;
600 krb5_auth_context krb5auth_context = NULL;
601 krb5_ccache krb5ccdef = NULL;
602 krb5_creds krb5creds, *krb5credsp = NULL;
603 krb5_data krb5in_data;
604
605 kssl_err_set(kssl_err, 0, "");
606 memset((char *)&krb5creds, 0, sizeof(krb5creds));
607
608 if (!kssl_ctx)
609 {
610 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
611 "No kssl_ctx defined.\n");
612 goto err;
613 }
614 else if (!kssl_ctx->service_host)
615 {
616 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
617 "kssl_ctx service_host undefined.\n");
618 goto err;
619 }
620
621 if ((krb5rc = krb5_init_context(&krb5context)) != 0)
622 {
623 BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
624 "krb5_init_context() fails: %d\n", krb5rc);
625 kssl_err->reason = SSL_R_KRB5_C_INIT;
626 goto err;
627 }
628
629 if ((krb5rc = krb5_sname_to_principal(krb5context,
630 kssl_ctx->service_host,
631 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
632 KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
633 {
634 BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
635 "krb5_sname_to_principal() fails for %s/%s\n",
636 kssl_ctx->service_host,
637 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC);
638 kssl_err->reason = SSL_R_KRB5_C_INIT;
639 goto err;
640 }
641
642 if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
643 {
644 kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
645 "krb5_cc_default fails.\n");
646 goto err;
647 }
648
649 if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
650 &krb5creds.client)) != 0)
651 {
652 kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
653 "krb5_cc_get_principal() fails.\n");
654 goto err;
655 }
656
657 if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
658 &krb5creds, &krb5credsp)) != 0)
659 {
660 kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED,
661 "krb5_get_credentials() fails.\n");
662 goto err;
663 }
664
665 krb5in_data.data = NULL;
666 krb5in_data.length = 0;
667
668 krb5rc = KRB5KRB_ERR_GENERIC;
669 /* caller should free data of krb5_app_req */
670 if ((krb5rc = krb5_mk_req_extended(krb5context, &krb5auth_context,
671 0, &krb5in_data, krb5credsp, krb5_app_req)) != 0)
672 {
673 kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ,
674 "krb5_mk_req_extended() fails.\n");
675 goto err;
676 }
677 #ifdef KRB5_HEIMDAL
678 else if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session))
679 {
680 kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
681 "kssl_ctx_setkey() fails.\n");
682 }
683 #else
684 else if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock))
685 {
686 kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
687 "kssl_ctx_setkey() fails.\n");
688 }
689 #endif
690 else krb5rc = 0;
691
692 err:
693 #ifdef KSSL_DEBUG
694 kssl_ctx_show(kssl_ctx);
695 #endif /* KSSL_DEBUG */
696
697 if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client);
698 if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server);
699 if (krb5auth_context) krb5_auth_con_free(krb5context, krb5auth_context);
700 if (krb5context) krb5_free_context(krb5context);
701 return (krb5rc);
702 }
703
704
705 /* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
706 ** and krb5 AP_REQ message & message length,
707 ** Return Kerberos session key and client principle
708 ** to SSL Server in KSSL_CTX *kssl_ctx.
709 **
710 ** 19990702 VRS Started.
711 */
712 krb5_error_code
713 kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
714 /* IN */ char *msg, int msglen,
715 /* OUT */ KSSL_ERR *kssl_err )
716 {
717 krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
718 static krb5_context krb5context = NULL;
719 static krb5_auth_context krb5auth_context = NULL;
720 krb5_ticket *krb5ticket = NULL;
721 krb5_keytab krb5keytab = NULL;
722 krb5_principal krb5server;
723 krb5_data krb5in_data;
724 krb5_flags ap_option;
725
726 kssl_err_set(kssl_err, 0, "");
727
728 if (!kssl_ctx)
729 {
730 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "No kssl_ctx defined.\n");
731 goto err;
732 }
733
734 #ifdef KSSL_DEBUG
735 printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
736 #endif /* KSSL_DEBUG */
737
738 if (!krb5context && (krb5rc = krb5_init_context(&krb5context)))
739 {
740 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
741 "krb5_init_context() fails.\n");
742 goto err;
743 }
744 if (krb5auth_context &&
745 (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context)))
746 {
747 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
748 "krb5_auth_con_free() fails.\n");
749 goto err;
750 }
751 else krb5auth_context = NULL;
752 if (!krb5auth_context &&
753 (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context)))
754 {
755 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
756 "krb5_auth_con_init() fails.\n");
757 goto err;
758 }
759
760 if ((krb5rc = krb5_sname_to_principal(krb5context, NULL,
761 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
762 KRB5_NT_SRV_HST, &krb5server)) != 0)
763 {
764 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
765 "krb5_sname_to_principal() fails.\n");
766 goto err;
767 }
768
769 /* kssl_ctx->keytab_file == NULL ==> use Kerberos default
770 */
771 if (kssl_ctx->keytab_file)
772 {
773 krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
774 &krb5keytab);
775 if (krb5rc)
776 {
777 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
778 "krb5_kt_resolve() fails.\n");
779 goto err;
780 }
781 }
782 else
783 {
784 krb5rc = krb5_kt_default(krb5context,&krb5keytab);
785 if (krb5rc)
786 {
787 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
788 "krb5_kt_default() fails.\n");
789 goto err;
790 }
791 }
792
793 /* Actual Kerberos5 krb5_recvauth() has initial conversation here
794 ** o check KRB5_SENDAUTH_BADAUTHVERS unless KRB5_RECVAUTH_SKIP_VERSION
795 ** o check KRB5_SENDAUTH_BADAPPLVERS
796 ** o send "0" msg if all OK
797 */
798
799 krb5in_data.data = msg;
800 krb5in_data.length = msglen;
801 if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, &krb5in_data,
802 krb5server, krb5keytab, &ap_option, &krb5ticket)) != 0)
803 {
804 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
805 "krb5_rd_req() fails with %x.\n", krb5rc);
806 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
807 goto err;
808 }
809
810 krb5rc = KRB5_NO_TKT_SUPPLIED;
811 if (!krb5ticket || !krb5ticket->enc_part2 ||
812 !krb5ticket->enc_part2->client ||
813 !krb5ticket->enc_part2->client->data ||
814 !krb5ticket->enc_part2->session)
815 {
816 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
817 "bad ticket from krb5_rd_req.\n");
818 }
819 else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
820 &krb5ticket->enc_part2->client->realm,
821 krb5ticket->enc_part2->client->data))
822 {
823 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
824 "kssl_ctx_setprinc() fails.\n");
825 }
826 else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session))
827 {
828 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
829 "kssl_ctx_setkey() fails.\n");
830 }
831 else krb5rc = 0;
832
833 err:
834 #ifdef KSSL_DEBUG
835 kssl_ctx_show(kssl_ctx);
836 #endif /* KSSL_DEBUG */
837
838 if (krb5keytab) krb5_kt_close(krb5context, krb5keytab);
839 if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket);
840 if (krb5server) krb5_free_principal(krb5context, krb5server);
841 return (krb5rc);
842 }
843
844
845 /* Allocate & return a new kssl_ctx struct.
846 */
847 KSSL_CTX *
848 kssl_ctx_new(void)
849 {
850 return ((KSSL_CTX *) calloc(1, sizeof(KSSL_CTX)));
851 }
852
853
854 /* Frees a kssl_ctx struct and any allocated memory it holds.
855 ** Returns NULL.
856 */
857 KSSL_CTX *
858 kssl_ctx_free(KSSL_CTX *kssl_ctx)
859 {
860 if (kssl_ctx == NULL) return kssl_ctx;
861
862 if (kssl_ctx->key) memset(kssl_ctx->key, 0, kssl_ctx->length);
863 if (kssl_ctx->key) free(kssl_ctx->key);
864 if (kssl_ctx->client_princ) free(kssl_ctx->client_princ);
865 if (kssl_ctx->service_host) free(kssl_ctx->service_host);
866 if (kssl_ctx->service_name) free(kssl_ctx->service_name);
867 if (kssl_ctx->keytab_file) free(kssl_ctx->keytab_file);
868
869 free(kssl_ctx);
870 return (KSSL_CTX *) NULL;
871 }
872
873
874 /* Given a (krb5_data *) entity (and optional realm),
875 ** set the plain (char *) client_princ or service_host member
876 ** of the kssl_ctx struct.
877 */
878 krb5_error_code
879 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
880 krb5_data *realm, krb5_data *entity)
881 {
882 char **princ;
883 int length;
884
885 if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR;
886
887 switch (which)
888 {
889 case KSSL_CLIENT: princ = &kssl_ctx->client_princ; break;
890 case KSSL_SERVER: princ = &kssl_ctx->service_host; break;
891 default: return KSSL_CTX_ERR; break;
892 }
893 if (*princ) free(*princ);
894
895 length = entity->length + ((realm)? realm->length + 2: 1);
896 if ((*princ = calloc(1, length)) == NULL)
897 return KSSL_CTX_ERR;
898 else
899 {
900 strncpy(*princ, entity->data, entity->length);
901 if (realm)
902 {
903 strcat (*princ, "@");
904 (void) strncat(*princ, realm->data, realm->length);
905 }
906 }
907
908 return KSSL_CTX_OK;
909 }
910
911
912 /* Set one of the plain (char *) string members of the kssl_ctx struct.
913 ** Default values should be:
914 ** which == KSSL_SERVICE => "khost" (KRB5SVC)
915 ** which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB)
916 */
917 krb5_error_code
918 kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
919 {
920 char **string;
921
922 if (!kssl_ctx) return KSSL_CTX_ERR;
923
924 switch (which)
925 {
926 case KSSL_SERVICE: string = &kssl_ctx->service_name; break;
927 case KSSL_SERVER: string = &kssl_ctx->service_host; break;
928 case KSSL_CLIENT: string = &kssl_ctx->client_princ; break;
929 case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break;
930 default: return KSSL_CTX_ERR; break;
931 }
932 if (*string) free(*string);
933
934 if (!text)
935 {
936 *string = '\0';
937 return KSSL_CTX_OK;
938 }
939
940 if ((*string = calloc(1, strlen(text) + 1)) == NULL)
941 return KSSL_CTX_ERR;
942 else
943 strcpy(*string, text);
944
945 return KSSL_CTX_OK;
946 }
947
948
949 /* Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
950 ** struct. Clear kssl_ctx->key if Kerberos session key is NULL.
951 */
952 krb5_error_code
953 kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
954 {
955 if (!kssl_ctx) return KSSL_CTX_ERR;
956
957 if (kssl_ctx->key)
958 {
959 memset(kssl_ctx->key, 0, kssl_ctx->length);
960 free(kssl_ctx->key);
961 }
962
963 if (session)
964 {
965 kssl_ctx->enctype = session->enctype;
966 kssl_ctx->length = session->length;
967 }
968 else
969 {
970 kssl_ctx->enctype = ENCTYPE_UNKNOWN;
971 kssl_ctx->length = 0;
972 return KSSL_CTX_OK;
973 }
974
975 if ((kssl_ctx->key =
976 (krb5_octet FAR *) calloc(1, kssl_ctx->length)) == NULL)
977 {
978 kssl_ctx->length = 0;
979 return KSSL_CTX_ERR;
980 }
981 else
982 memcpy(kssl_ctx->key, session->contents, session->length);
983
984 return KSSL_CTX_OK;
985 }
986
987
988 /* Display contents of kssl_ctx struct
989 */
990 void
991 kssl_ctx_show(KSSL_CTX *kssl_ctx)
992 {
993 int i;
994
995 printf("kssl_ctx: ");
996 if (kssl_ctx == NULL)
997 {
998 printf("NULL\n");
999 return;
1000 }
1001 else
1002 printf("%p\n", kssl_ctx);
1003
1004 printf("\tservice:\t%s\n",
1005 (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
1006 printf("\tclient:\t%s\n",
1007 (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL");
1008 printf("\tserver:\t%s\n",
1009 (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL");
1010 printf("\tkeytab:\t%s\n",
1011 (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL");
1012 printf("\tkey [%d:%d]:\t",
1013 kssl_ctx->enctype, kssl_ctx->length);
1014
1015 for (i=0; i < kssl_ctx->length && kssl_ctx->key; i++)
1016 {
1017 printf("%02x", kssl_ctx->key[i]);
1018 }
1019 printf("\n");
1020 return;
1021 }
1022
1023 void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
1024 {
1025 #ifdef KRB5_HEIMDAL
1026 data->length = 0;
1027 free(data->if (data->data) data);
1028 #else
1029 krb5_free_data_contents(NULL, data);
1030 #endif
1031 }
1032
1033 #else /* !NO_KRB5 */
1034
1035 #ifdef PEDANTIC
1036 static int dummy=(int)&dummy;
1037 #endif
1038
1039 #endif /* !NO_KRB5 */
1040
open ssl git mirror