X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fkssl.c;h=394ef61769618c44e908937033155b0f80c277bf;hp=cd9144f2be041aeecdde61edb68dfe60894ec553;hb=09e20e0bd89b65d0d083df63bda4699780cf0028;hpb=882e891284c81c7a49b2bce28f44df3e8d6f7ffc diff --git a/ssl/kssl.c b/ssl/kssl.c index cd9144f2be..394ef61769 100644 --- a/ssl/kssl.c +++ b/ssl/kssl.c @@ -67,16 +67,27 @@ */ #include -#ifndef OPENSSL_NO_KRB5 -#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */ + +#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */ #include +#if 0 /* Experimental */ +#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */ +#endif #include +#define KRB5_PRIVATE 1 + #include #include #include #include +#ifndef OPENSSL_NO_KRB5 + +#ifndef ENOMEM +#define ENOMEM KRB5KRB_ERR_GENERIC +#endif + /* * When OpenSSL is built on Windows, we do not want to require that * the Kerberos DLLs be available in order for the OpenSSL DLLs to @@ -113,16 +124,35 @@ #define krb5_rd_req kssl_krb5_rd_req #define krb5_kt_default kssl_krb5_kt_default #define krb5_kt_resolve kssl_krb5_kt_resolve +/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */ +#ifndef krb5_kt_close +#define krb5_kt_close kssl_krb5_kt_close +#endif /* krb5_kt_close */ +#ifndef krb5_kt_get_entry +#define krb5_kt_get_entry kssl_krb5_kt_get_entry +#endif /* krb5_kt_get_entry */ #define krb5_auth_con_init kssl_krb5_auth_con_init #define krb5_principal_compare kssl_krb5_principal_compare -/* macro #define krb5_kt_get_entry kssl_krb5_kt_get_entry */ #define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part #define krb5_timeofday kssl_krb5_timeofday #define krb5_rc_default kssl_krb5_rc_default + +#ifdef krb5_rc_initialize +#undef krb5_rc_initialize +#endif #define krb5_rc_initialize kssl_krb5_rc_initialize + +#ifdef krb5_rc_get_lifespan +#undef krb5_rc_get_lifespan +#endif #define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan + +#ifdef krb5_rc_destroy +#undef krb5_rc_destroy +#endif #define krb5_rc_destroy kssl_krb5_rc_destroy + #define valid_cksumtype kssl_valid_cksumtype #define krb5_checksum_size kssl_krb5_checksum_size #define krb5_kt_free_entry kssl_krb5_kt_free_entry @@ -252,6 +282,12 @@ static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context, static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, krb5_auth_context, krb5_rcache *)=NULL; +static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, + krb5_keytab keytab)=NULL; +static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, + krb5_keytab keytab, + krb5_const_principal principal, krb5_kvno vno, + krb5_enctype enctype, krb5_keytab_entry *entry)=NULL; static int krb5_loaded = 0; /* only attempt to initialize func ptrs once */ /* Function to Load the Kerberos 5 DLL and initialize function pointers */ @@ -261,7 +297,7 @@ load_krb5_dll(void) HANDLE hKRB5_32; krb5_loaded++; - hKRB5_32 = LoadLibrary("KRB5_32"); + hKRB5_32 = LoadLibrary(TEXT("KRB5_32")); if (!hKRB5_32) return; @@ -321,6 +357,10 @@ load_krb5_dll(void) GetProcAddress( hKRB5_32, "krb5_get_server_rcache" ); (FARPROC) p_krb5_auth_con_getrcache = GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" ); + (FARPROC) p_krb5_kt_close = + GetProcAddress( hKRB5_32, "krb5_kt_close" ); + (FARPROC) p_krb5_kt_get_entry = + GetProcAddress( hKRB5_32, "krb5_kt_get_entry" ); } /* Stubs for each function to be dynamicly loaded */ @@ -707,20 +747,40 @@ krb5_error_code kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data, krb5_rcache * rcache) { - if ( p_krb5_get_server_rcache ) - return(p_krb5_get_server_rcache(con,data,rcache)); - else - return KRB5KRB_ERR_GENERIC; + if ( p_krb5_get_server_rcache ) + return(p_krb5_get_server_rcache(con,data,rcache)); + else + return KRB5KRB_ERR_GENERIC; } krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon, krb5_rcache * prcache) { - if ( p_krb5_auth_con_getrcache ) - return(p_krb5_auth_con_getrcache(con,acon, prcache)); - else - return KRB5KRB_ERR_GENERIC; + if ( p_krb5_auth_con_getrcache ) + return(p_krb5_auth_con_getrcache(con,acon, prcache)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab) + { + if ( p_krb5_kt_close ) + return(p_krb5_kt_close(context,keytab)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, + krb5_const_principal principal, krb5_kvno vno, + krb5_enctype enctype, krb5_keytab_entry *entry) + { + if ( p_krb5_kt_get_entry ) + return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry)); + else + return KRB5KRB_ERR_GENERIC; } #endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ @@ -732,30 +792,12 @@ char return ((string == NULL)? null: string); } -#define MAXKNUM 255 -char -*knumber(int len, krb5_octet *contents) - { - static char buf[MAXKNUM+1]; - int i; - - BIO_snprintf(buf, MAXKNUM, "[%d] ", len); - - for (i=0; i < len && MAXKNUM > strlen(buf)+3; i++) - { - BIO_snprintf(&buf[strlen(buf)], 3, "%02x", contents[i]); - } - - return (buf); - } - - /* Given KRB5 enctype (basically DES or 3DES), ** return closest match openssl EVP_ encryption algorithm. ** Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes. ** Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK. */ -EVP_CIPHER * +const EVP_CIPHER * kssl_map_enc(krb5_enctype enctype) { switch (enctype) @@ -765,14 +807,14 @@ kssl_map_enc(krb5_enctype enctype) case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES_CBC_RAW: - return (EVP_CIPHER *) EVP_des_cbc(); + return EVP_des_cbc(); break; case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ case ENCTYPE_DES3_CBC_SHA: case ENCTYPE_DES3_CBC_RAW: - return (EVP_CIPHER *) EVP_des_ede3_cbc(); + return EVP_des_ede3_cbc(); break; - default: return (EVP_CIPHER *) NULL; + default: return NULL; break; } } @@ -818,7 +860,7 @@ int kssl_test_confound(unsigned char *p) ** what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 ** it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. */ -int *populate_cksumlens(void) +size_t *populate_cksumlens(void) { int i, j, n; static size_t *cklens = NULL; @@ -858,8 +900,9 @@ int *populate_cksumlens(void) */ unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) { - int i, cklen, conlen; - static int *cksumlens = NULL; + int i, conlen; + size_t cklen; + static size_t *cksumlens = NULL; unsigned char *test_auth; conlen = (etype)? 8: 0; @@ -894,10 +937,10 @@ kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) void print_krb5_data(char *label, krb5_data *kdata) { - unsigned int i; + int i; printf("%s[%d] ", label, kdata->length); - for (i=0; i < kdata->length; i++) + for (i=0; i < (int)kdata->length; i++) { if (0 && isprint((int) kdata->data[i])) printf( "%c ", kdata->data[i]); @@ -918,7 +961,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata) printf("%s, authdata==0\n", label); return; } - printf("%s [%p]\n", label, adata); + printf("%s [%p]\n", label, (void *)adata); #if 0 { int i; @@ -939,7 +982,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata) void print_krb5_keyblock(char *label, krb5_keyblock *keyblk) { - unsigned int i; + int i; if (keyblk == NULL) { @@ -949,14 +992,14 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk) #ifdef KRB5_HEIMDAL printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype, keyblk->keyvalue->length); - for (i=0; i < keyblk->keyvalue->length; i++) + for (i=0; i < (int)keyblk->keyvalue->length; i++) { printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]); } printf("\n"); #else printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length); - for (i=0; i < keyblk->length; i++) + for (i=0; i < (int)keyblk->length; i++) { printf("%02x",keyblk->contents[i]); } @@ -971,17 +1014,16 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk) void print_krb5_princ(char *label, krb5_principal_data *princ) { - unsigned int ui, uj; - int i; + int i, ui, uj; printf("%s principal Realm: ", label); if (princ == NULL) return; - for (ui=0; ui < princ->realm.length; ui++) putchar(princ->realm.data[ui]); + for (ui=0; ui < (int)princ->realm.length; ui++) putchar(princ->realm.data[ui]); printf(" (nametype %d) has %d strings:\n", princ->type,princ->length); - for (i=0; i < princ->length; i++) + for (i=0; i < (int)princ->length; i++) { printf("\t%d [%d]: ", i, princ->data[i].length); - for (uj=0; uj < princ->data[i].length; uj++) { + for (uj=0; uj < (int)princ->data[i].length; uj++) { putchar(princ->data[i].data[uj]); } printf("\n"); @@ -1090,7 +1132,7 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, if (authenp) { krb5_data krb5in_data; - unsigned char *p; + const unsigned char *p; long arlen; KRB5_APREQBODY *ap_req; @@ -1107,7 +1149,7 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, } arlen = krb5_app_req.length; - p = krb5_app_req.data; + p = (unsigned char *)krb5_app_req.data; ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen); if (ap_req) { @@ -1116,9 +1158,9 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, if (authenp->length && (authenp->data = malloc(authenp->length))) { - unsigned char *p = authenp->data; + unsigned char *adp = (unsigned char *)authenp->data; authenp->length = i2d_KRB5_ENCDATA( - ap_req->authenticator, &p); + ap_req->authenticator, &adp); } } @@ -1182,8 +1224,7 @@ kssl_TKT2tkt( /* IN */ krb5_context krb5context, if (asn1ticket == NULL || asn1ticket->realm == NULL || asn1ticket->sname == NULL || - asn1ticket->sname->namestring == NULL || - asn1ticket->sname->namestring->num < 2) + sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) { BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "Null field in asn1ticket.\n"); @@ -1199,14 +1240,14 @@ kssl_TKT2tkt( /* IN */ krb5_context krb5context, return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */ } - gstr_svc = (ASN1_GENERALSTRING*)asn1ticket->sname->namestring->data[0]; - gstr_host = (ASN1_GENERALSTRING*)asn1ticket->sname->namestring->data[1]; + gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0); + gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1); if ((krb5rc = kssl_build_principal_2(krb5context, &new5ticket->server, - asn1ticket->realm->length, asn1ticket->realm->data, - gstr_svc->length, gstr_svc->data, - gstr_host->length, gstr_host->data)) != 0) + asn1ticket->realm->length, (char *)asn1ticket->realm->data, + gstr_svc->length, (char *)gstr_svc->data, + gstr_host->length, (char *)gstr_host->data)) != 0) { free(new5ticket); BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, @@ -1260,7 +1301,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, static krb5_auth_context krb5auth_context = NULL; krb5_ticket *krb5ticket = NULL; KRB5_TKTBODY *asn1ticket = NULL; - unsigned char *p; + const unsigned char *p; krb5_keytab krb5keytab = NULL; krb5_keytab_entry kt_entry; krb5_principal krb5server; @@ -1377,7 +1418,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, ** &ap_option, &krb5ticket)) != 0) { Error } */ - p = indata->data; + p = (unsigned char *)indata->data; if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p, (long) indata->length)) == NULL) { @@ -1463,8 +1504,9 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, "bad ticket from krb5_rd_req.\n"); } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, - &krb5ticket->enc_part2->client->realm, - krb5ticket->enc_part2->client->data)) + &krb5ticket->enc_part2->client->realm, + krb5ticket->enc_part2->client->data, + krb5ticket->enc_part2->client->length)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, "kssl_ctx_setprinc() fails.\n"); @@ -1518,7 +1560,7 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx) { if (kssl_ctx == NULL) return kssl_ctx; - if (kssl_ctx->key) memset(kssl_ctx->key, 0, + if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); if (kssl_ctx->key) free(kssl_ctx->key); if (kssl_ctx->client_princ) free(kssl_ctx->client_princ); @@ -1531,16 +1573,17 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx) } -/* Given a (krb5_data *) entity (and optional realm), +/* Given an array of (krb5_data *) entity (and optional realm), ** set the plain (char *) client_princ or service_host member ** of the kssl_ctx struct. */ krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, - krb5_data *realm, krb5_data *entity) + krb5_data *realm, krb5_data *entity, int nentities) { char **princ; int length; + int i; if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR; @@ -1552,12 +1595,29 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, } if (*princ) free(*princ); - length = entity->length + ((realm)? realm->length + 2: 1); + /* Add up all the entity->lengths */ + length = 0; + for (i=0; i < nentities; i++) + { + length += entity[i].length; + } + /* Add in space for the '/' character(s) (if any) */ + length += nentities-1; + /* Space for the ('@'+realm+NULL | NULL) */ + length += ((realm)? realm->length + 2: 1); + if ((*princ = calloc(1, length)) == NULL) return KSSL_CTX_ERR; else - { - strncpy(*princ, entity->data, entity->length); + { + for (i = 0; i < nentities; i++) + { + strncat(*princ, entity[i].data, entity[i].length); + if (i < nentities-1) + { + strcat (*princ, "/"); + } + } if (realm) { strcat (*princ, "@"); @@ -1620,7 +1680,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) if (kssl_ctx->key) { - memset(kssl_ctx->key, 0, kssl_ctx->length); + OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); free(kssl_ctx->key); } @@ -1673,7 +1733,7 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx) return; } else - printf("%p\n", kssl_ctx); + printf("%p\n", (void *)kssl_ctx); printf("\tservice:\t%s\n", (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL"); @@ -1825,15 +1885,15 @@ void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) ** Return pointer to the (partially) filled in struct tm on success, ** return NULL on failure. */ -struct tm *k_gmtime(ASN1_GENERALIZEDTIME *ctime, struct tm *k_tm) +struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) { char c, *p; if (!k_tm) return NULL; - if (ctime == NULL || ctime->length < 14) return NULL; - if (ctime->data == NULL) return NULL; + if (gtime == NULL || gtime->length < 14) return NULL; + if (gtime->data == NULL) return NULL; - p = &ctime->data[14]; + p = (char *)>ime->data[14]; c = *p; *p = '\0'; p -= 2; k_tm->tm_sec = atoi(p); *(p+2) = c; c = *p; *p = '\0'; p -= 2; k_tm->tm_min = atoi(p); *(p+2) = c; @@ -1924,13 +1984,15 @@ krb5_error_code kssl_check_authent( KRB5_AUTHENTBODY *auth = NULL; krb5_enctype enctype; EVP_CIPHER_CTX ciph_ctx; - EVP_CIPHER *enc = NULL; + const EVP_CIPHER *enc = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; - unsigned char *p, *unenc_authent; - int padl, outl, unencbufsize; + const unsigned char *p; + unsigned char *unenc_authent; + int outl, unencbufsize; struct tm tm_time, *tm_l, *tm_g; time_t now, tl, tg, tr, tz_offset; + EVP_CIPHER_CTX_init(&ciph_ctx); *atimep = 0; kssl_err_set(kssl_err, 0, ""); @@ -1963,7 +2025,7 @@ krb5_error_code kssl_check_authent( goto err; } - p = authentp->data; + p = (unsigned char *)authentp->data; if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p, (long) authentp->length)) == NULL) { @@ -1984,7 +2046,7 @@ krb5_error_code kssl_check_authent( } #endif enc = kssl_map_enc(enctype); - memset(iv, 0, EVP_MAX_IV_LENGTH); /* per RFC 1510 */ + memset(iv, 0, sizeof iv); /* per RFC 1510 */ if (enc == NULL) { @@ -1994,44 +2056,23 @@ krb5_error_code kssl_check_authent( */ goto err; } - if (!EVP_DecryptInit(&ciph_ctx, enc, kssl_ctx->key, iv)) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "EVP_DecryptInit error decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - if (!EVP_DecryptUpdate(&ciph_ctx, unenc_authent, &outl, - dec_authent->cipher->data, dec_authent->cipher->length)) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "EVP_DecryptUpdate error decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - if (outl > unencbufsize) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "Buffer overflow decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - if (!EVP_DecryptFinal(&ciph_ctx, &(unenc_authent[outl]), &padl)) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "EVP_DecryptFinal error decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - outl += padl; - if (outl > unencbufsize) - { - kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, - "Buffer overflow decrypting authenticator.\n"); - krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto err; - } - EVP_CIPHER_CTX_cleanup(&ciph_ctx); + + if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "EVP_CipherInit error decrypting authenticator.\n"); + krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto err; + } + outl = dec_authent->cipher->length; + if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "EVP_Cipher error decrypting authenticator.\n"); + krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto err; + } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); #ifdef KSSL_DEBUG printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl); @@ -2080,6 +2121,7 @@ krb5_error_code kssl_check_authent( if (auth) KRB5_AUTHENT_free((KRB5_AUTHENT *) auth); if (dec_authent) KRB5_ENCDATA_free(dec_authent); if (unenc_authent) free(unenc_authent); + EVP_CIPHER_CTX_cleanup(&ciph_ctx); return krb5rc; } @@ -2135,7 +2177,7 @@ krb5_error_code kssl_build_principal_2( #else /* !OPENSSL_NO_KRB5 */ #if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS) -static int dummy=(int)&dummy; +static void *dummy=&dummy; #endif #endif /* !OPENSSL_NO_KRB5 */