Move more comments that confuse indent
[openssl.git] / ssl / kssl.c
1 /* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */
2 /* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
3  */
4 /* ====================================================================
5  * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer. 
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com).
55  *
56  */
57
58
59 /*-
60  * ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
61  *
62  *  19990701    VRS     Started.
63  *  200011??    Jeffrey Altman, Richard Levitte
64  *                      Generalized for Heimdal, Newer MIT, & Win32.
65  *                      Integrated into main OpenSSL 0.9.7 snapshots.
66  *  20010413    Simon Wilkinson, VRS
67  *                      Real RFC2712 KerberosWrapper replaces AP_REQ.
68  */
69
70 #include <openssl/opensslconf.h>
71
72 #include <string.h>
73
74 #define KRB5_PRIVATE    1
75
76 #include <openssl/ssl.h>
77 #include <openssl/evp.h>
78 #include <openssl/objects.h>
79 #include <openssl/krb5_asn.h>
80 #include "kssl_lcl.h"
81
82 #ifndef OPENSSL_NO_KRB5
83
84 #ifndef ENOMEM
85 #define ENOMEM KRB5KRB_ERR_GENERIC
86 #endif
87
88 /* 
89  * When OpenSSL is built on Windows, we do not want to require that
90  * the Kerberos DLLs be available in order for the OpenSSL DLLs to
91  * work.  Therefore, all Kerberos routines are loaded at run time
92  * and we do not link to a .LIB file.
93  */
94
95 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
96 /* 
97  * The purpose of the following pre-processor statements is to provide
98  * compatibility with different releases of MIT Kerberos for Windows.
99  * All versions up to 1.2 used macros.  But macros do not allow for
100  * a binary compatible interface for DLLs.  Therefore, all macros are
101  * being replaced by function calls.  The following code will allow
102  * an OpenSSL DLL built on Windows to work whether or not the macro
103  * or function form of the routines are utilized.
104  */
105 #ifdef  krb5_cc_get_principal
106 #define NO_DEF_KRB5_CCACHE
107 #undef  krb5_cc_get_principal
108 #endif
109 #define krb5_cc_get_principal    kssl_krb5_cc_get_principal
110
111 #define krb5_free_data_contents  kssl_krb5_free_data_contents   
112 #define krb5_free_context        kssl_krb5_free_context         
113 #define krb5_auth_con_free       kssl_krb5_auth_con_free        
114 #define krb5_free_principal      kssl_krb5_free_principal       
115 #define krb5_mk_req_extended     kssl_krb5_mk_req_extended      
116 #define krb5_get_credentials     kssl_krb5_get_credentials      
117 #define krb5_cc_default          kssl_krb5_cc_default           
118 #define krb5_sname_to_principal  kssl_krb5_sname_to_principal   
119 #define krb5_init_context        kssl_krb5_init_context         
120 #define krb5_free_ticket         kssl_krb5_free_ticket          
121 #define krb5_rd_req              kssl_krb5_rd_req               
122 #define krb5_kt_default          kssl_krb5_kt_default           
123 #define krb5_kt_resolve          kssl_krb5_kt_resolve           
124 /* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */
125 #ifndef krb5_kt_close
126 #define krb5_kt_close            kssl_krb5_kt_close
127 #endif /* krb5_kt_close */
128 #ifndef krb5_kt_get_entry
129 #define krb5_kt_get_entry        kssl_krb5_kt_get_entry
130 #endif /* krb5_kt_get_entry */
131 #define krb5_auth_con_init       kssl_krb5_auth_con_init        
132
133 #define krb5_principal_compare   kssl_krb5_principal_compare
134 #define krb5_decrypt_tkt_part    kssl_krb5_decrypt_tkt_part
135 #define krb5_timeofday           kssl_krb5_timeofday
136 #define krb5_rc_default          kssl_krb5_rc_default
137
138 #ifdef krb5_rc_initialize
139 #undef krb5_rc_initialize
140 #endif
141 #define krb5_rc_initialize   kssl_krb5_rc_initialize
142
143 #ifdef krb5_rc_get_lifespan
144 #undef krb5_rc_get_lifespan
145 #endif
146 #define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan
147
148 #ifdef krb5_rc_destroy
149 #undef krb5_rc_destroy
150 #endif
151 #define krb5_rc_destroy      kssl_krb5_rc_destroy
152
153 #define valid_cksumtype      kssl_valid_cksumtype
154 #define krb5_checksum_size   kssl_krb5_checksum_size
155 #define krb5_kt_free_entry   kssl_krb5_kt_free_entry
156 #define krb5_auth_con_setrcache  kssl_krb5_auth_con_setrcache
157 #define krb5_auth_con_getrcache  kssl_krb5_auth_con_getrcache
158 #define krb5_get_server_rcache   kssl_krb5_get_server_rcache
159
160 /* Prototypes for built in stubs */
161 void kssl_krb5_free_data_contents(krb5_context, krb5_data *);
162 void kssl_krb5_free_principal(krb5_context, krb5_principal );
163 krb5_error_code kssl_krb5_kt_resolve(krb5_context,
164                                      krb5_const char *,
165                                      krb5_keytab *);
166 krb5_error_code kssl_krb5_kt_default(krb5_context,
167                                      krb5_keytab *);
168 krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *);
169 krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, 
170                                  krb5_const krb5_data *,
171                                  krb5_const_principal, krb5_keytab, 
172                                  krb5_flags *,krb5_ticket **);
173
174 krb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal,
175                                          krb5_const_principal);
176 krb5_error_code kssl_krb5_mk_req_extended(krb5_context,
177                                           krb5_auth_context  *,
178                                           krb5_const krb5_flags,
179                                           krb5_data  *,
180                                           krb5_creds  *,
181                                           krb5_data  * );
182 krb5_error_code kssl_krb5_init_context(krb5_context *);
183 void kssl_krb5_free_context(krb5_context);
184 krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache  *);
185 krb5_error_code kssl_krb5_sname_to_principal(krb5_context,
186                                              krb5_const char  *,
187                                              krb5_const char  *,
188                                              krb5_int32,
189                                              krb5_principal  *);
190 krb5_error_code kssl_krb5_get_credentials(krb5_context,
191                                           krb5_const krb5_flags,
192                                           krb5_ccache,
193                                           krb5_creds  *,
194                                           krb5_creds  *  *);
195 krb5_error_code kssl_krb5_auth_con_init(krb5_context,
196                                         krb5_auth_context  *);
197 krb5_error_code kssl_krb5_cc_get_principal(krb5_context context, 
198                                            krb5_ccache cache,
199                                            krb5_principal *principal);
200 krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context);
201 size_t kssl_krb5_checksum_size(krb5_context context,krb5_cksumtype ctype);
202 krb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype);
203 krb5_error_code krb5_kt_free_entry(krb5_context,krb5_keytab_entry FAR * );
204 krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, 
205                                              krb5_auth_context, 
206                                              krb5_rcache);
207 krb5_error_code kssl_krb5_get_server_rcache(krb5_context, 
208                                             krb5_const krb5_data *,
209                                             krb5_rcache *);
210 krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, 
211                                              krb5_auth_context,
212                                              krb5_rcache *);
213
214 /* Function pointers (almost all Kerberos functions are _stdcall) */
215 static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *)
216         =NULL;
217 static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal )
218         =NULL;
219 static krb5_error_code(_stdcall *p_krb5_kt_resolve)
220                         (krb5_context, krb5_const char *, krb5_keytab *)=NULL;
221 static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context,
222                                                      krb5_keytab *)=NULL;
223 static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context, 
224                                                       krb5_ticket *)=NULL;
225 static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context, 
226                                                  krb5_auth_context *, 
227                                                  krb5_const krb5_data *,
228                                                  krb5_const_principal, 
229                                                  krb5_keytab, krb5_flags *,
230                                                  krb5_ticket **)=NULL;
231 static krb5_error_code (_stdcall *p_krb5_mk_req_extended)
232                         (krb5_context, krb5_auth_context *,
233                          krb5_const krb5_flags, krb5_data *, krb5_creds *,
234                          krb5_data * )=NULL;
235 static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL;
236 static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL;
237 static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context,
238                                                      krb5_ccache  *)=NULL;
239 static krb5_error_code (_stdcall *p_krb5_sname_to_principal)
240                         (krb5_context, krb5_const char *, krb5_const char *,
241                          krb5_int32, krb5_principal *)=NULL;
242 static krb5_error_code (_stdcall *p_krb5_get_credentials)
243                         (krb5_context, krb5_const krb5_flags, krb5_ccache,
244                          krb5_creds *, krb5_creds **)=NULL;
245 static krb5_error_code (_stdcall *p_krb5_auth_con_init)
246                         (krb5_context, krb5_auth_context *)=NULL;
247 static krb5_error_code (_stdcall *p_krb5_cc_get_principal)
248                         (krb5_context context, krb5_ccache cache,
249                          krb5_principal *principal)=NULL;
250 static krb5_error_code (_stdcall *p_krb5_auth_con_free)
251                         (krb5_context, krb5_auth_context)=NULL;
252 static krb5_error_code (_stdcall *p_krb5_decrypt_tkt_part)
253                         (krb5_context, krb5_const krb5_keyblock *,
254                                            krb5_ticket *)=NULL;
255 static krb5_error_code (_stdcall *p_krb5_timeofday)
256                         (krb5_context context, krb5_int32 *timeret)=NULL;
257 static krb5_error_code (_stdcall *p_krb5_rc_default)
258                         (krb5_context context, krb5_rcache *rc)=NULL;
259 static krb5_error_code (_stdcall *p_krb5_rc_initialize)
260                         (krb5_context context, krb5_rcache rc,
261                                      krb5_deltat lifespan)=NULL;
262 static krb5_error_code (_stdcall *p_krb5_rc_get_lifespan)
263                         (krb5_context context, krb5_rcache rc,
264                                        krb5_deltat *lifespan)=NULL;
265 static krb5_error_code (_stdcall *p_krb5_rc_destroy)
266                         (krb5_context context, krb5_rcache rc)=NULL;
267 static krb5_boolean (_stdcall *p_krb5_principal_compare)
268                      (krb5_context, krb5_const_principal, krb5_const_principal)=NULL;
269 static size_t (_stdcall *p_krb5_checksum_size)(krb5_context context,krb5_cksumtype ctype)=NULL;
270 static krb5_boolean (_stdcall *p_valid_cksumtype)(krb5_cksumtype ctype)=NULL;
271 static krb5_error_code (_stdcall *p_krb5_kt_free_entry)
272                         (krb5_context,krb5_keytab_entry * )=NULL;
273 static krb5_error_code (_stdcall * p_krb5_auth_con_setrcache)(krb5_context, 
274                                                                krb5_auth_context, 
275                                                                krb5_rcache)=NULL;
276 static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context, 
277                                                               krb5_const krb5_data *, 
278                                                               krb5_rcache *)=NULL;
279 static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, 
280                                                       krb5_auth_context,
281                                                       krb5_rcache *)=NULL;
282 static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, 
283                                                     krb5_keytab keytab)=NULL;
284 static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, 
285                                                         krb5_keytab keytab,
286                        krb5_const_principal principal, krb5_kvno vno,
287                        krb5_enctype enctype, krb5_keytab_entry *entry)=NULL;
288 static int krb5_loaded = 0;     /* only attempt to initialize func ptrs once */
289
290 /* Function to Load the Kerberos 5 DLL and initialize function pointers */
291 void
292 load_krb5_dll(void)
293         {
294         HANDLE hKRB5_32;
295     
296         krb5_loaded++;
297         hKRB5_32 = LoadLibrary(TEXT("KRB5_32"));
298         if (!hKRB5_32)
299                 return;
300
301         (FARPROC) p_krb5_free_data_contents =
302                 GetProcAddress( hKRB5_32, "krb5_free_data_contents" );
303         (FARPROC) p_krb5_free_context =
304                 GetProcAddress( hKRB5_32, "krb5_free_context" );
305         (FARPROC) p_krb5_auth_con_free =
306                 GetProcAddress( hKRB5_32, "krb5_auth_con_free" );
307         (FARPROC) p_krb5_free_principal =
308                 GetProcAddress( hKRB5_32, "krb5_free_principal" );
309         (FARPROC) p_krb5_mk_req_extended =
310                 GetProcAddress( hKRB5_32, "krb5_mk_req_extended" );
311         (FARPROC) p_krb5_get_credentials =
312                 GetProcAddress( hKRB5_32, "krb5_get_credentials" );
313         (FARPROC) p_krb5_cc_get_principal =
314                 GetProcAddress( hKRB5_32, "krb5_cc_get_principal" );
315         (FARPROC) p_krb5_cc_default =
316                 GetProcAddress( hKRB5_32, "krb5_cc_default" );
317         (FARPROC) p_krb5_sname_to_principal =
318                 GetProcAddress( hKRB5_32, "krb5_sname_to_principal" );
319         (FARPROC) p_krb5_init_context =
320                 GetProcAddress( hKRB5_32, "krb5_init_context" );
321         (FARPROC) p_krb5_free_ticket =
322                 GetProcAddress( hKRB5_32, "krb5_free_ticket" );
323         (FARPROC) p_krb5_rd_req =
324                 GetProcAddress( hKRB5_32, "krb5_rd_req" );
325         (FARPROC) p_krb5_principal_compare =
326                 GetProcAddress( hKRB5_32, "krb5_principal_compare" );
327         (FARPROC) p_krb5_decrypt_tkt_part =
328                 GetProcAddress( hKRB5_32, "krb5_decrypt_tkt_part" );
329         (FARPROC) p_krb5_timeofday =
330                 GetProcAddress( hKRB5_32, "krb5_timeofday" );
331         (FARPROC) p_krb5_rc_default =
332                 GetProcAddress( hKRB5_32, "krb5_rc_default" );
333         (FARPROC) p_krb5_rc_initialize =
334                 GetProcAddress( hKRB5_32, "krb5_rc_initialize" );
335         (FARPROC) p_krb5_rc_get_lifespan =
336                 GetProcAddress( hKRB5_32, "krb5_rc_get_lifespan" );
337         (FARPROC) p_krb5_rc_destroy =
338                 GetProcAddress( hKRB5_32, "krb5_rc_destroy" );
339         (FARPROC) p_krb5_kt_default =
340                 GetProcAddress( hKRB5_32, "krb5_kt_default" );
341         (FARPROC) p_krb5_kt_resolve =
342                 GetProcAddress( hKRB5_32, "krb5_kt_resolve" );
343         (FARPROC) p_krb5_auth_con_init =
344                 GetProcAddress( hKRB5_32, "krb5_auth_con_init" );
345         (FARPROC) p_valid_cksumtype =
346                 GetProcAddress( hKRB5_32, "valid_cksumtype" );
347         (FARPROC) p_krb5_checksum_size =
348                 GetProcAddress( hKRB5_32, "krb5_checksum_size" );
349         (FARPROC) p_krb5_kt_free_entry =
350                 GetProcAddress( hKRB5_32, "krb5_kt_free_entry" );
351         (FARPROC) p_krb5_auth_con_setrcache =
352                 GetProcAddress( hKRB5_32, "krb5_auth_con_setrcache" );
353         (FARPROC) p_krb5_get_server_rcache =
354                 GetProcAddress( hKRB5_32, "krb5_get_server_rcache" );
355         (FARPROC) p_krb5_auth_con_getrcache =
356                 GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" );
357         (FARPROC) p_krb5_kt_close =
358                 GetProcAddress( hKRB5_32, "krb5_kt_close" );
359         (FARPROC) p_krb5_kt_get_entry =
360                 GetProcAddress( hKRB5_32, "krb5_kt_get_entry" );
361         }
362
363 /* Stubs for each function to be dynamicly loaded */
364 void
365 kssl_krb5_free_data_contents(krb5_context CO, krb5_data  * data)
366         {
367         if (!krb5_loaded)
368                 load_krb5_dll();
369
370         if ( p_krb5_free_data_contents )
371                 p_krb5_free_data_contents(CO,data);
372         }
373
374 krb5_error_code
375 kssl_krb5_mk_req_extended (krb5_context CO,
376                           krb5_auth_context  * pACO,
377                           krb5_const krb5_flags F,
378                           krb5_data  * pD1,
379                           krb5_creds  * pC,
380                           krb5_data  * pD2)
381         {
382         if (!krb5_loaded)
383                 load_krb5_dll();
384
385         if ( p_krb5_mk_req_extended )
386                 return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2));
387         else
388                 return KRB5KRB_ERR_GENERIC;
389         }
390 krb5_error_code
391 kssl_krb5_auth_con_init(krb5_context CO,
392                        krb5_auth_context  * pACO)
393         {
394         if (!krb5_loaded)
395                 load_krb5_dll();
396
397         if ( p_krb5_auth_con_init )
398                 return(p_krb5_auth_con_init(CO,pACO));
399         else
400                 return KRB5KRB_ERR_GENERIC;
401         }
402 krb5_error_code
403 kssl_krb5_auth_con_free (krb5_context CO,
404                         krb5_auth_context ACO)
405         {
406         if (!krb5_loaded)
407                 load_krb5_dll();
408
409         if ( p_krb5_auth_con_free )
410                 return(p_krb5_auth_con_free(CO,ACO));
411         else
412                 return KRB5KRB_ERR_GENERIC;
413         }
414 krb5_error_code
415 kssl_krb5_get_credentials(krb5_context CO,
416                          krb5_const krb5_flags F,
417                          krb5_ccache CC,
418                          krb5_creds  * pCR,
419                          krb5_creds  ** ppCR)
420         {
421         if (!krb5_loaded)
422                 load_krb5_dll();
423
424         if ( p_krb5_get_credentials )
425                 return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR));
426         else
427                 return KRB5KRB_ERR_GENERIC;
428         }
429 krb5_error_code
430 kssl_krb5_sname_to_principal(krb5_context CO,
431                             krb5_const char  * pC1,
432                             krb5_const char  * pC2,
433                             krb5_int32 I,
434                             krb5_principal  * pPR)
435         {
436         if (!krb5_loaded)
437                 load_krb5_dll();
438
439         if ( p_krb5_sname_to_principal )
440                 return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR));
441         else
442                 return KRB5KRB_ERR_GENERIC;
443         }
444
445 krb5_error_code
446 kssl_krb5_cc_default(krb5_context CO,
447                     krb5_ccache  * pCC)
448         {
449         if (!krb5_loaded)
450                 load_krb5_dll();
451
452         if ( p_krb5_cc_default )
453                 return(p_krb5_cc_default(CO,pCC));
454         else
455                 return KRB5KRB_ERR_GENERIC;
456         }
457
458 krb5_error_code
459 kssl_krb5_init_context(krb5_context * pCO)
460         {
461         if (!krb5_loaded)
462                 load_krb5_dll();
463
464         if ( p_krb5_init_context )
465                 return(p_krb5_init_context(pCO));
466         else
467                 return KRB5KRB_ERR_GENERIC;
468         }
469
470 void
471 kssl_krb5_free_context(krb5_context CO)
472         {
473         if (!krb5_loaded)
474                 load_krb5_dll();
475
476         if ( p_krb5_free_context )
477                 p_krb5_free_context(CO);
478         }
479
480 void
481 kssl_krb5_free_principal(krb5_context c, krb5_principal p)
482         {
483         if (!krb5_loaded)
484                 load_krb5_dll();
485
486         if ( p_krb5_free_principal )
487                 p_krb5_free_principal(c,p);
488         }
489
490 krb5_error_code
491 kssl_krb5_kt_resolve(krb5_context con,
492                     krb5_const char * sz,
493                     krb5_keytab * kt)
494         {
495         if (!krb5_loaded)
496                 load_krb5_dll();
497
498         if ( p_krb5_kt_resolve )
499                 return(p_krb5_kt_resolve(con,sz,kt));
500         else
501                 return KRB5KRB_ERR_GENERIC;
502         }
503
504 krb5_error_code
505 kssl_krb5_kt_default(krb5_context con,
506                     krb5_keytab * kt)
507         {
508         if (!krb5_loaded)
509                 load_krb5_dll();
510
511         if ( p_krb5_kt_default )
512                 return(p_krb5_kt_default(con,kt));
513         else
514                 return KRB5KRB_ERR_GENERIC;
515         }
516
517 krb5_error_code
518 kssl_krb5_free_ticket(krb5_context con,
519                      krb5_ticket * kt)
520         {
521         if (!krb5_loaded)
522                 load_krb5_dll();
523
524         if ( p_krb5_free_ticket )
525                 return(p_krb5_free_ticket(con,kt));
526         else
527                 return KRB5KRB_ERR_GENERIC;
528         }
529
530 krb5_error_code
531 kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon,
532                 krb5_const krb5_data * data,
533                 krb5_const_principal princ, krb5_keytab keytab,
534                 krb5_flags * flags, krb5_ticket ** pptkt)
535         {
536         if (!krb5_loaded)
537                 load_krb5_dll();
538
539         if ( p_krb5_rd_req )
540                 return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt));
541         else
542                 return KRB5KRB_ERR_GENERIC;
543         }
544
545 krb5_boolean
546 krb5_principal_compare(krb5_context con, krb5_const_principal princ1,
547                 krb5_const_principal princ2)
548         {
549         if (!krb5_loaded)
550                 load_krb5_dll();
551
552         if ( p_krb5_principal_compare )
553                 return(p_krb5_principal_compare(con,princ1,princ2));
554         else
555                 return KRB5KRB_ERR_GENERIC;
556         }
557
558 krb5_error_code
559 krb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys,
560                 krb5_ticket *ticket)
561         {
562         if (!krb5_loaded)
563                 load_krb5_dll();
564
565         if ( p_krb5_decrypt_tkt_part )
566                 return(p_krb5_decrypt_tkt_part(con,keys,ticket));
567         else
568                 return KRB5KRB_ERR_GENERIC;
569         }
570
571 krb5_error_code
572 krb5_timeofday(krb5_context con, krb5_int32 *timeret)
573         {
574         if (!krb5_loaded)
575                 load_krb5_dll();
576
577         if ( p_krb5_timeofday )
578                 return(p_krb5_timeofday(con,timeret));
579         else
580                 return KRB5KRB_ERR_GENERIC;
581         }
582
583 krb5_error_code
584 krb5_rc_default(krb5_context con, krb5_rcache *rc)
585         {
586         if (!krb5_loaded)
587                 load_krb5_dll();
588
589         if ( p_krb5_rc_default )
590                 return(p_krb5_rc_default(con,rc));
591         else
592                 return KRB5KRB_ERR_GENERIC;
593         }
594
595 krb5_error_code
596 krb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan)
597         {
598         if (!krb5_loaded)
599                 load_krb5_dll();
600
601         if ( p_krb5_rc_initialize )
602                 return(p_krb5_rc_initialize(con, rc, lifespan));
603         else
604                 return KRB5KRB_ERR_GENERIC;
605         }
606
607 krb5_error_code
608 krb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp)
609         {
610         if (!krb5_loaded)
611                 load_krb5_dll();
612
613         if ( p_krb5_rc_get_lifespan )
614                 return(p_krb5_rc_get_lifespan(con, rc, lifespanp));
615         else
616                 return KRB5KRB_ERR_GENERIC;
617         }
618
619 krb5_error_code
620 krb5_rc_destroy(krb5_context con, krb5_rcache rc)
621         {
622         if (!krb5_loaded)
623                 load_krb5_dll();
624
625         if ( p_krb5_rc_destroy )
626                 return(p_krb5_rc_destroy(con, rc));
627         else
628                 return KRB5KRB_ERR_GENERIC;
629         }
630
631 size_t 
632 krb5_checksum_size(krb5_context context,krb5_cksumtype ctype)
633         {
634         if (!krb5_loaded)
635                 load_krb5_dll();
636
637         if ( p_krb5_checksum_size )
638                 return(p_krb5_checksum_size(context, ctype));
639         else
640                 return KRB5KRB_ERR_GENERIC;
641         }
642
643 krb5_boolean 
644 valid_cksumtype(krb5_cksumtype ctype)
645         {
646         if (!krb5_loaded)
647                 load_krb5_dll();
648
649         if ( p_valid_cksumtype )
650                 return(p_valid_cksumtype(ctype));
651         else
652                 return KRB5KRB_ERR_GENERIC;
653         }
654
655 krb5_error_code 
656 krb5_kt_free_entry(krb5_context con,krb5_keytab_entry * entry)
657         {
658         if (!krb5_loaded)
659                 load_krb5_dll();
660
661         if ( p_krb5_kt_free_entry )
662                 return(p_krb5_kt_free_entry(con,entry));
663         else
664                 return KRB5KRB_ERR_GENERIC;
665         }
666                  
667 /* Structure definitions  */
668 #ifndef NO_DEF_KRB5_CCACHE
669 #ifndef krb5_x
670 #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1))
671 #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0))
672 #endif 
673
674 typedef krb5_pointer    krb5_cc_cursor; /* cursor for sequential lookup */
675
676 typedef struct _krb5_ccache
677         {
678         krb5_magic magic;
679         struct _krb5_cc_ops FAR *ops;
680         krb5_pointer data;
681         } *krb5_ccache;
682
683 typedef struct _krb5_cc_ops
684         {
685         krb5_magic magic;
686         char  *prefix;
687         char  * (KRB5_CALLCONV *get_name)
688                 (krb5_context, krb5_ccache);
689         krb5_error_code (KRB5_CALLCONV *resolve)
690                 (krb5_context, krb5_ccache  *, const char  *);
691         krb5_error_code (KRB5_CALLCONV *gen_new)
692                 (krb5_context, krb5_ccache  *);
693         krb5_error_code (KRB5_CALLCONV *init)
694                 (krb5_context, krb5_ccache, krb5_principal);
695         krb5_error_code (KRB5_CALLCONV *destroy)
696                 (krb5_context, krb5_ccache);
697         krb5_error_code (KRB5_CALLCONV *close)
698                 (krb5_context, krb5_ccache);
699         krb5_error_code (KRB5_CALLCONV *store)
700                 (krb5_context, krb5_ccache, krb5_creds  *);
701         krb5_error_code (KRB5_CALLCONV *retrieve)
702                 (krb5_context, krb5_ccache,
703                 krb5_flags, krb5_creds  *, krb5_creds  *);
704         krb5_error_code (KRB5_CALLCONV *get_princ)
705                 (krb5_context, krb5_ccache, krb5_principal  *);
706         krb5_error_code (KRB5_CALLCONV *get_first)
707                 (krb5_context, krb5_ccache, krb5_cc_cursor  *);
708         krb5_error_code (KRB5_CALLCONV *get_next)
709                 (krb5_context, krb5_ccache,
710                 krb5_cc_cursor  *, krb5_creds  *);
711         krb5_error_code (KRB5_CALLCONV *end_get)
712                 (krb5_context, krb5_ccache, krb5_cc_cursor  *);
713         krb5_error_code (KRB5_CALLCONV *remove_cred)
714                 (krb5_context, krb5_ccache,
715                 krb5_flags, krb5_creds  *);
716         krb5_error_code (KRB5_CALLCONV *set_flags)
717                 (krb5_context, krb5_ccache, krb5_flags);
718         } krb5_cc_ops;
719 #endif /* NO_DEF_KRB5_CCACHE */
720
721 krb5_error_code 
722 kssl_krb5_cc_get_principal
723     (krb5_context context, krb5_ccache cache,
724       krb5_principal *principal)
725         {
726         if ( p_krb5_cc_get_principal )
727                 return(p_krb5_cc_get_principal(context,cache,principal));
728         else
729                 return(krb5_x
730                         ((cache)->ops->get_princ,(context, cache, principal)));
731         }
732
733 krb5_error_code
734 kssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon,
735                              krb5_rcache rcache)
736         {
737         if ( p_krb5_auth_con_setrcache )
738                  return(p_krb5_auth_con_setrcache(con,acon,rcache));
739         else
740                  return KRB5KRB_ERR_GENERIC;
741         }
742
743 krb5_error_code
744 kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data,
745                             krb5_rcache * rcache) 
746         {
747         if ( p_krb5_get_server_rcache )
748                 return(p_krb5_get_server_rcache(con,data,rcache));
749         else
750                 return KRB5KRB_ERR_GENERIC;
751         }
752
753 krb5_error_code
754 kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon,
755                              krb5_rcache * prcache)
756         {
757         if ( p_krb5_auth_con_getrcache )
758                 return(p_krb5_auth_con_getrcache(con,acon, prcache));
759         else
760                 return KRB5KRB_ERR_GENERIC;
761         }
762  
763 krb5_error_code
764 kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab)
765         {
766         if ( p_krb5_kt_close )
767                 return(p_krb5_kt_close(context,keytab));
768         else 
769                 return KRB5KRB_ERR_GENERIC;
770         }
771
772 krb5_error_code
773 kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
774                        krb5_const_principal principal, krb5_kvno vno,
775                        krb5_enctype enctype, krb5_keytab_entry *entry)
776         {
777         if ( p_krb5_kt_get_entry )
778                 return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry));
779         else
780                 return KRB5KRB_ERR_GENERIC;
781         }
782 #endif  /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */
783
784
785 /* memory allocation functions for non-temporary storage
786  * (e.g. stuff that gets saved into the kssl context) */
787 static void* kssl_calloc(size_t nmemb, size_t size)
788 {
789         void* p;
790         
791         p=OPENSSL_malloc(nmemb*size);
792         if (p){
793                 memset(p, 0, nmemb*size);
794         }
795         return p;
796 }
797
798 #define kssl_malloc(size) OPENSSL_malloc((size))
799 #define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size)
800 #define kssl_free(ptr) OPENSSL_free((ptr))
801
802
803 char
804 *kstring(char *string)
805         {
806         static char     *null = "[NULL]";
807
808         return ((string == NULL)? null: string);
809         }
810
811 /*      Given KRB5 enctype (basically DES or 3DES),
812  *      return closest match openssl EVP_ encryption algorithm.
813  *      Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
814  *      Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
815  */
816 const EVP_CIPHER *
817 kssl_map_enc(krb5_enctype enctype)
818         {
819         switch (enctype)
820                 {
821         case ENCTYPE_DES_HMAC_SHA1:             /*    EVP_des_cbc();       */
822         case ENCTYPE_DES_CBC_CRC:
823         case ENCTYPE_DES_CBC_MD4:
824         case ENCTYPE_DES_CBC_MD5:
825         case ENCTYPE_DES_CBC_RAW:
826                                 return EVP_des_cbc();
827                                 break;
828         case ENCTYPE_DES3_CBC_SHA1:             /*    EVP_des_ede3_cbc();  */
829         case ENCTYPE_DES3_CBC_SHA:
830         case ENCTYPE_DES3_CBC_RAW:
831                                 return EVP_des_ede3_cbc();
832                                 break;
833         default:                return NULL;
834                                 break;
835                 }
836         }
837
838
839 /*      Return true:1 if p "looks like" the start of the real authenticator
840  *      described in kssl_skip_confound() below.  The ASN.1 pattern is
841  *      "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
842  *      xx and yy are possibly multi-byte length fields.
843  */
844 static int      kssl_test_confound(unsigned char *p)
845         {
846         int     len = 2;
847         int     xx = 0, yy = 0;
848
849         if (*p++ != 0x62)  return 0;
850         if (*p > 0x82)  return 0;
851         switch(*p)  {
852                 case 0x82:  p++;          xx = (*p++ << 8);  xx += *p++;  break;
853                 case 0x81:  p++;          xx =  *p++;  break;
854                 case 0x80:  return 0;
855                 default:    xx = *p++;  break;
856                 }
857         if (*p++ != 0x30)  return 0;
858         if (*p > 0x82)  return 0;
859         switch(*p)  {
860                 case 0x82:  p++; len+=2;  yy = (*p++ << 8);  yy += *p++;  break;
861                 case 0x81:  p++; len++;   yy =  *p++;  break;
862                 case 0x80:  return 0;
863                 default:    yy = *p++;  break;
864                 }
865
866         return (xx - len == yy)? 1: 0;
867         }
868
869 /*      Allocate, fill, and return cksumlens array of checksum lengths.
870  *      This array holds just the unique elements from the krb5_cksumarray[].
871  *      array[n] == 0 signals end of data.
872  *
873  *      The krb5_cksumarray[] was an internal variable that has since been
874  *      replaced by a more general method for storing the data.  It should
875  *      not be used.  Instead we use real API calls and make a guess for 
876  *      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
877  *      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
878  */
879 static size_t  *populate_cksumlens(void)
880         {
881         int             i, j, n;
882         static size_t   *cklens = NULL;
883
884 #ifdef KRB5_MIT_OLD11
885         n = krb5_max_cksum;
886 #else
887         n = 0x0010;
888 #endif  /* KRB5_MIT_OLD11 */
889  
890 #ifdef KRB5CHECKAUTH
891         if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1)))  return NULL;
892
893         for (i=0; i < n; i++)  {
894                 if (!valid_cksumtype(i))  continue;     /*  array has holes  */
895                 for (j=0; j < n; j++)  {
896                         if (cklens[j] == 0)  {
897                                 cklens[j] = krb5_checksum_size(NULL,i);
898                                 break;          /*  krb5 elem was new: add   */
899                                 }
900                         if (cklens[j] == krb5_checksum_size(NULL,i))  {
901                                 break;          /*  ignore duplicate elements */
902                                 }
903                         }
904                 }
905 #endif  /* KRB5CHECKAUTH */
906
907         return cklens;
908         }
909
910 /*-
911  *      Return pointer to start of real authenticator within authenticator, or
912  *      return NULL on error.
913  *      Decrypted authenticator looks like this:
914  *              [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
915  *      This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
916  *      krb5_auth_con_getcksumtype() function advertised in its krb5.h.
917  */
918 unsigned char   *kssl_skip_confound(krb5_enctype etype, unsigned char *a)
919         {
920         int             i, conlen;
921         size_t          cklen;
922         static size_t   *cksumlens = NULL;
923         unsigned char   *test_auth;
924
925         conlen = (etype)? 8: 0;
926
927         if (!cksumlens  &&  !(cksumlens = populate_cksumlens()))  return NULL;
928         for (i=0; (cklen = cksumlens[i]) != 0; i++)
929                 {
930                 test_auth = a + conlen + cklen;
931                 if (kssl_test_confound(test_auth))  return test_auth;
932                 }
933
934         return NULL;
935         }
936
937
938 /*      Set kssl_err error info when reason text is a simple string
939  *              kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
940  */
941 void
942 kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
943         {
944         if (kssl_err == NULL)  return;
945
946         kssl_err->reason = reason;
947         BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text);
948         return;
949         }
950
951
952 /*      Display contents of krb5_data struct, for debugging
953 */
954 void
955 print_krb5_data(char *label, krb5_data *kdata)
956         {
957         int i;
958
959         fprintf(stderr,"%s[%d] ", label, kdata->length);
960         for (i=0; i < (int)kdata->length; i++)
961                 {
962                 if (0 &&  isprint((int) kdata->data[i]))
963                         fprintf(stderr, "%c ",  kdata->data[i]);
964                 else
965                         fprintf(stderr, "%02x ", (unsigned char) kdata->data[i]);
966                 }
967         fprintf(stderr,"\n");
968         }
969
970
971 /*      Display contents of krb5_authdata struct, for debugging
972 */
973 void
974 print_krb5_authdata(char *label, krb5_authdata **adata)
975         {
976         if (adata == NULL)
977                 {
978                 fprintf(stderr,"%s, authdata==0\n", label);
979                 return;
980                 }
981         fprintf(stderr,"%s [%p]\n", label, (void *)adata);
982 #if 0
983         {
984         int     i;
985         fprintf(stderr,"%s[at%d:%d] ", label, adata->ad_type, adata->length);
986         for (i=0; i < adata->length; i++)
987                 {
988                 fprintf(stderr,(isprint(adata->contents[i]))? "%c ": "%02x",
989                         adata->contents[i]);
990                 }
991         fprintf(stderr,"\n");
992         }
993 #endif
994         }
995
996
997 /*      Display contents of krb5_keyblock struct, for debugging
998 */
999 void
1000 print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
1001         {
1002         int i;
1003
1004         if (keyblk == NULL)
1005                 {
1006                 fprintf(stderr,"%s, keyblk==0\n", label);
1007                 return;
1008                 }
1009 #ifdef KRB5_HEIMDAL
1010         fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->keytype,
1011                                            keyblk->keyvalue->length);
1012         for (i=0; i < (int)keyblk->keyvalue->length; i++)
1013                 {
1014                 fprintf(stderr,"%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
1015                 }
1016         fprintf(stderr,"\n");
1017 #else
1018         fprintf(stderr,"%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
1019         for (i=0; i < (int)keyblk->length; i++)
1020                 {
1021                 fprintf(stderr,"%02x",keyblk->contents[i]);
1022                 }
1023         fprintf(stderr,"\n");
1024 #endif
1025         }
1026
1027
1028 /*      Display contents of krb5_principal_data struct, for debugging
1029  *      (krb5_principal is typedef'd == krb5_principal_data *)
1030  */
1031 static void
1032 print_krb5_princ(char *label, krb5_principal_data *princ)
1033         {
1034         int i, ui, uj;
1035
1036         fprintf(stderr,"%s principal Realm: ", label);
1037         if (princ == NULL)  return;
1038         for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
1039         fprintf(stderr," (nametype %d) has %d strings:\n", princ->type,princ->length);
1040         for (i=0; i < (int)princ->length; i++)
1041                 {
1042                 fprintf(stderr,"\t%d [%d]: ", i, princ->data[i].length);
1043                 for (uj=0; uj < (int)princ->data[i].length; uj++)  {
1044                         putchar(princ->data[i].data[uj]);
1045                         }
1046                 fprintf(stderr,"\n");
1047                 }
1048         return;
1049         }
1050
1051
1052 /*-     Given krb5 service (typically "kssl") and hostname in kssl_ctx,
1053  *      Return encrypted Kerberos ticket for service @ hostname.
1054  *      If authenp is non-NULL, also return encrypted authenticator,
1055  *      whose data should be freed by caller.
1056  *      (Originally was: Create Kerberos AP_REQ message for SSL Client.)
1057  *
1058  *      19990628        VRS     Started; Returns Kerberos AP_REQ message.
1059  *      20010409        VRS     Modified for RFC2712; Returns enc tkt.
1060  *      20010606        VRS     May also return optional authenticator.
1061  */
1062 krb5_error_code
1063 kssl_cget_tkt(  /* UPDATE */    KSSL_CTX *kssl_ctx,
1064                 /* OUT    */    krb5_data **enc_ticketp,
1065                 /* UPDATE */    krb5_data *authenp,
1066                 /* OUT    */    KSSL_ERR *kssl_err)
1067         {
1068         krb5_error_code         krb5rc = KRB5KRB_ERR_GENERIC;
1069         krb5_context            krb5context = NULL;
1070         krb5_auth_context       krb5auth_context = NULL;
1071         krb5_ccache             krb5ccdef = NULL;
1072         krb5_creds              krb5creds, *krb5credsp = NULL;
1073         krb5_data               krb5_app_req;
1074
1075         kssl_err_set(kssl_err, 0, "");
1076         memset((char *)&krb5creds, 0, sizeof(krb5creds));
1077
1078         if (!kssl_ctx)
1079                 {
1080                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1081                         "No kssl_ctx defined.\n");
1082                 goto err;
1083                 }
1084         else if (!kssl_ctx->service_host)
1085                 {
1086                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1087                         "kssl_ctx service_host undefined.\n");
1088                 goto err;
1089                 }
1090
1091         if ((krb5rc = krb5_init_context(&krb5context)) != 0)
1092                 {
1093                 BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
1094                         "krb5_init_context() fails: %d\n", krb5rc);
1095                 kssl_err->reason = SSL_R_KRB5_C_INIT;
1096                 goto err;
1097                 }
1098
1099         if ((krb5rc = krb5_sname_to_principal(krb5context,
1100                 kssl_ctx->service_host,
1101                 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
1102                 KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
1103                 {
1104                 BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
1105                         "krb5_sname_to_principal() fails for %s/%s\n",
1106                         kssl_ctx->service_host,
1107                         (kssl_ctx->service_name)? kssl_ctx->service_name:
1108                                                   KRB5SVC);
1109                 kssl_err->reason = SSL_R_KRB5_C_INIT;
1110                 goto err;
1111                 }
1112
1113         if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
1114                 {
1115                 kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
1116                         "krb5_cc_default fails.\n");
1117                 goto err;
1118                 }
1119
1120         if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
1121                 &krb5creds.client)) != 0)
1122                 {
1123                 kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
1124                         "krb5_cc_get_principal() fails.\n");
1125                 goto err;
1126                 }
1127
1128         if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
1129                 &krb5creds, &krb5credsp)) != 0)
1130                 {
1131                 kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED,
1132                         "krb5_get_credentials() fails.\n");
1133                 goto err;
1134                 }
1135
1136         *enc_ticketp = &krb5credsp->ticket;
1137 #ifdef KRB5_HEIMDAL
1138         kssl_ctx->enctype = krb5credsp->session.keytype;
1139 #else
1140         kssl_ctx->enctype = krb5credsp->keyblock.enctype;
1141 #endif
1142
1143         krb5rc = KRB5KRB_ERR_GENERIC;
1144         /*      caller should free data of krb5_app_req  */
1145         /*  20010406 VRS deleted for real KerberosWrapper
1146          *  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
1147          */
1148         krb5_app_req.length = 0;
1149         if (authenp)
1150                 {
1151                 krb5_data       krb5in_data;
1152                 const unsigned char     *p;
1153                 long            arlen;
1154                 KRB5_APREQBODY  *ap_req;
1155
1156                 authenp->length = 0;
1157                 krb5in_data.data = NULL;
1158                 krb5in_data.length = 0;
1159                 if ((krb5rc = krb5_mk_req_extended(krb5context,
1160                         &krb5auth_context, 0, &krb5in_data, krb5credsp,
1161                         &krb5_app_req)) != 0)
1162                         {
1163                         kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ,
1164                                 "krb5_mk_req_extended() fails.\n");
1165                         goto err;
1166                         }
1167
1168                 arlen = krb5_app_req.length;
1169                 p = (unsigned char *)krb5_app_req.data;
1170                 ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen);
1171                 if (ap_req)
1172                         {
1173                         authenp->length = i2d_KRB5_ENCDATA(
1174                                         ap_req->authenticator, NULL);
1175                         if (authenp->length  && 
1176                                 (authenp->data = malloc(authenp->length)))
1177                                 {
1178                                 unsigned char   *adp = (unsigned char *)authenp->data;
1179                                 authenp->length = i2d_KRB5_ENCDATA(
1180                                                 ap_req->authenticator, &adp);
1181                                 }
1182                         }
1183
1184                 if (ap_req)  KRB5_APREQ_free((KRB5_APREQ *) ap_req);
1185                 if (krb5_app_req.length)  
1186                         kssl_krb5_free_data_contents(krb5context,&krb5_app_req);
1187                 }
1188 #ifdef KRB5_HEIMDAL
1189         if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session))
1190                 {
1191                 kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
1192                         "kssl_ctx_setkey() fails.\n");
1193                 }
1194 #else
1195         if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock))
1196                 {
1197                 kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
1198                         "kssl_ctx_setkey() fails.\n");
1199                 }
1200 #endif
1201         else    krb5rc = 0;
1202
1203  err:
1204 #ifdef KSSL_DEBUG
1205         kssl_ctx_show(kssl_ctx);
1206 #endif  /* KSSL_DEBUG */
1207
1208         if (krb5creds.client)   krb5_free_principal(krb5context,
1209                                                         krb5creds.client);
1210         if (krb5creds.server)   krb5_free_principal(krb5context,
1211                                                         krb5creds.server);
1212         if (krb5auth_context)   krb5_auth_con_free(krb5context,
1213                                                         krb5auth_context);
1214         if (krb5context)        krb5_free_context(krb5context);
1215         return (krb5rc);
1216         }
1217
1218
1219 /*-
1220  *  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
1221  *  Return Kerberos error code and kssl_err struct on error.
1222  *  Allocates krb5_ticket and krb5_principal; caller should free these.
1223  *
1224  *      20010410        VRS     Implemented krb5_decode_ticket() as
1225  *                              old_krb5_decode_ticket(). Missing from MIT1.0.6.
1226  *      20010615        VRS     Re-cast as openssl/asn1 d2i_*() functions.
1227  *                              Re-used some of the old krb5_decode_ticket()
1228  *                              code here.  This tkt should alloc/free just
1229  *                              like the real thing.
1230  */
1231 static krb5_error_code
1232 kssl_TKT2tkt(   /* IN     */    krb5_context    krb5context,
1233                 /* IN     */    KRB5_TKTBODY    *asn1ticket,
1234                 /* OUT    */    krb5_ticket     **krb5ticket,
1235                 /* OUT    */    KSSL_ERR *kssl_err  )
1236         {
1237         krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
1238         krb5_ticket                     *new5ticket = NULL;
1239         ASN1_GENERALSTRING              *gstr_svc, *gstr_host;
1240
1241         *krb5ticket = NULL;
1242
1243         if (asn1ticket == NULL  ||  asn1ticket->realm == NULL  ||
1244                 asn1ticket->sname == NULL  || 
1245                 sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2)
1246                 {
1247                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1248                         "Null field in asn1ticket.\n");
1249                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1250                 return KRB5KRB_ERR_GENERIC;
1251                 }
1252
1253         if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL)
1254                 {
1255                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1256                         "Unable to allocate new krb5_ticket.\n");
1257                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1258                 return ENOMEM;          /*  or  KRB5KRB_ERR_GENERIC;    */
1259                 }
1260
1261         gstr_svc  = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
1262         gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1);
1263
1264         if ((krb5rc = kssl_build_principal_2(krb5context,
1265                         &new5ticket->server,
1266                         asn1ticket->realm->length, (char *)asn1ticket->realm->data,
1267                         gstr_svc->length,  (char *)gstr_svc->data,
1268                         gstr_host->length, (char *)gstr_host->data)) != 0)
1269                 {
1270                 free(new5ticket);
1271                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1272                         "Error building ticket server principal.\n");
1273                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1274                 return krb5rc;          /*  or  KRB5KRB_ERR_GENERIC;    */
1275                 }
1276
1277         krb5_princ_type(krb5context, new5ticket->server) =
1278                         asn1ticket->sname->nametype->data[0];
1279         new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0];
1280         new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0];
1281         new5ticket->enc_part.ciphertext.length =
1282                         asn1ticket->encdata->cipher->length;
1283         if ((new5ticket->enc_part.ciphertext.data =
1284                 calloc(1, asn1ticket->encdata->cipher->length)) == NULL)
1285                 {
1286                 free(new5ticket);
1287                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1288                         "Error allocating cipher in krb5ticket.\n");
1289                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1290                 return KRB5KRB_ERR_GENERIC;
1291                 }
1292         else
1293                 {
1294                 memcpy(new5ticket->enc_part.ciphertext.data,
1295                         asn1ticket->encdata->cipher->data,
1296                         asn1ticket->encdata->cipher->length);
1297                 }
1298
1299         *krb5ticket = new5ticket;
1300         return 0;
1301         }
1302
1303
1304 /*-
1305  *      Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
1306  *              and krb5 AP_REQ message & message length,
1307  *      Return Kerberos session key and client principle
1308  *              to SSL Server in KSSL_CTX *kssl_ctx.
1309  *
1310  *      19990702        VRS     Started.
1311  */
1312 krb5_error_code
1313 kssl_sget_tkt(  /* UPDATE */    KSSL_CTX                *kssl_ctx,
1314                 /* IN     */    krb5_data               *indata,
1315                 /* OUT    */    krb5_ticket_times       *ttimes,
1316                 /* OUT    */    KSSL_ERR                *kssl_err  )
1317         {
1318         krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
1319         static krb5_context             krb5context = NULL;
1320         static krb5_auth_context        krb5auth_context = NULL;
1321         krb5_ticket                     *krb5ticket = NULL;
1322         KRB5_TKTBODY                    *asn1ticket = NULL;
1323         const unsigned char             *p;
1324         krb5_keytab                     krb5keytab = NULL;
1325         krb5_keytab_entry               kt_entry;
1326         krb5_principal                  krb5server;
1327         krb5_rcache                     rcache = NULL;
1328
1329         kssl_err_set(kssl_err, 0, "");
1330
1331         if (!kssl_ctx)
1332                 {
1333                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1334                         "No kssl_ctx defined.\n");
1335                 goto err;
1336                 }
1337
1338 #ifdef KSSL_DEBUG
1339         fprintf(stderr,"in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
1340 #endif  /* KSSL_DEBUG */
1341
1342         if (!krb5context  &&  (krb5rc = krb5_init_context(&krb5context)))
1343                 {
1344                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1345                         "krb5_init_context() fails.\n");
1346                 goto err;
1347                 }
1348         if (krb5auth_context  &&
1349                 (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context)))
1350                 {
1351                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1352                         "krb5_auth_con_free() fails.\n");
1353                 goto err;
1354                 }
1355         else  krb5auth_context = NULL;
1356         if (!krb5auth_context  &&
1357                 (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context)))
1358                 {
1359                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1360                         "krb5_auth_con_init() fails.\n");
1361                 goto err;
1362                 }
1363
1364  
1365         if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context,
1366                 &rcache)))
1367                 {
1368                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1369                         "krb5_auth_con_getrcache() fails.\n");
1370                 goto err;
1371                 }
1372  
1373         if ((krb5rc = krb5_sname_to_principal(krb5context, NULL,
1374                 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
1375                 KRB5_NT_SRV_HST, &krb5server)) != 0)
1376                 {
1377                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1378                         "krb5_sname_to_principal() fails.\n");
1379                 goto err;
1380                 }
1381
1382         if (rcache == NULL) 
1383                 {
1384                 if ((krb5rc = krb5_get_server_rcache(krb5context,
1385                         krb5_princ_component(krb5context, krb5server, 0),
1386                         &rcache)))
1387                         {
1388                         kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1389                                 "krb5_get_server_rcache() fails.\n");
1390                         goto err;
1391                         }
1392                 }
1393
1394         if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache)))
1395                 {
1396                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1397                         "krb5_auth_con_setrcache() fails.\n");
1398                 goto err;
1399                 }
1400
1401
1402         /*      kssl_ctx->keytab_file == NULL ==> use Kerberos default
1403         */
1404         if (kssl_ctx->keytab_file)
1405                 {
1406                 krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
1407                         &krb5keytab);
1408                 if (krb5rc)
1409                         {
1410                         kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1411                                 "krb5_kt_resolve() fails.\n");
1412                         goto err;
1413                         }
1414                 }
1415         else
1416                 {
1417                 krb5rc = krb5_kt_default(krb5context,&krb5keytab);
1418                 if (krb5rc)
1419                         {
1420                         kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 
1421                                 "krb5_kt_default() fails.\n");
1422                         goto err;
1423                         }
1424                 }
1425
1426         /*-     Actual Kerberos5 krb5_recvauth() has initial conversation here
1427          *      o       check KRB5_SENDAUTH_BADAUTHVERS
1428          *              unless KRB5_RECVAUTH_SKIP_VERSION
1429          *      o       check KRB5_SENDAUTH_BADAPPLVERS
1430          *      o       send "0" msg if all OK
1431          */
1432
1433         /*- 
1434          * 20010411 was using AP_REQ instead of true KerberosWrapper
1435          *
1436          *  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
1437          *                      &krb5in_data, krb5server, krb5keytab,
1438          *                      &ap_option, &krb5ticket)) != 0)  { Error }
1439          */
1440
1441         p = (unsigned char *)indata->data;
1442         if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
1443                                                 (long) indata->length)) == NULL)
1444                 {
1445                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1446                         "d2i_KRB5_TICKET() ASN.1 decode failure.\n");
1447                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1448                 goto err;
1449                 }
1450         
1451         /* Was:  krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */
1452         if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket,
1453                                         kssl_err)) != 0)
1454                 {
1455                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1456                         "Error converting ASN.1 ticket to krb5_ticket.\n");
1457                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1458                 goto err;
1459                 }
1460
1461         if (! krb5_principal_compare(krb5context, krb5server,
1462                                                   krb5ticket->server))  {
1463                 krb5rc = KRB5_PRINC_NOMATCH;
1464                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1465                         "server principal != ticket principal\n");
1466                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1467                 goto err;
1468                 }
1469         if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
1470                         krb5ticket->server, krb5ticket->enc_part.kvno,
1471                         krb5ticket->enc_part.enctype, &kt_entry)) != 0)  {
1472                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1473                         "krb5_kt_get_entry() fails with %x.\n", krb5rc);
1474                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1475                 goto err;
1476                 }
1477         if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key,
1478                         krb5ticket)) != 0)  {
1479                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1480                         "krb5_decrypt_tkt_part() failed.\n");
1481                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1482                 goto err;
1483                 }
1484         else  {
1485                 krb5_kt_free_entry(krb5context, &kt_entry);
1486 #ifdef KSSL_DEBUG
1487                 {
1488                 int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
1489                 fprintf(stderr,"Decrypted ticket fields:\n");
1490                 fprintf(stderr,"\tflags: %X, transit-type: %X",
1491                         krb5ticket->enc_part2->flags,
1492                         krb5ticket->enc_part2->transited.tr_type);
1493                 print_krb5_data("\ttransit-data: ",
1494                         &(krb5ticket->enc_part2->transited.tr_contents));
1495                 fprintf(stderr,"\tcaddrs: %p, authdata: %p\n",
1496                         krb5ticket->enc_part2->caddrs,
1497                         krb5ticket->enc_part2->authorization_data);
1498                 if (paddr)
1499                         {
1500                         fprintf(stderr,"\tcaddrs:\n");
1501                         for (i=0; paddr[i] != NULL; i++)
1502                                 {
1503                                 krb5_data d;
1504                                 d.length=paddr[i]->length;
1505                                 d.data=paddr[i]->contents;
1506                                 print_krb5_data("\t\tIP: ", &d);
1507                                 }
1508                         }
1509                 fprintf(stderr,"\tstart/auth/end times: %d / %d / %d\n",
1510                         krb5ticket->enc_part2->times.starttime,
1511                         krb5ticket->enc_part2->times.authtime,
1512                         krb5ticket->enc_part2->times.endtime);
1513                 }
1514 #endif  /* KSSL_DEBUG */
1515                 }
1516
1517         krb5rc = KRB5_NO_TKT_SUPPLIED;
1518         if (!krb5ticket  ||     !krb5ticket->enc_part2  ||
1519                 !krb5ticket->enc_part2->client  ||
1520                 !krb5ticket->enc_part2->client->data  ||
1521                 !krb5ticket->enc_part2->session)
1522                 {
1523                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
1524                         "bad ticket from krb5_rd_req.\n");
1525                 }
1526         else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
1527                  &krb5ticket->enc_part2->client->realm,
1528                  krb5ticket->enc_part2->client->data,
1529                  krb5ticket->enc_part2->client->length))
1530                 {
1531                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
1532                         "kssl_ctx_setprinc() fails.\n");
1533                 }
1534         else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session))
1535                 {
1536                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
1537                         "kssl_ctx_setkey() fails.\n");
1538                 }
1539         else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID)
1540                 {
1541                 krb5rc = KRB5KRB_AP_ERR_TKT_INVALID;
1542                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
1543                         "invalid ticket from krb5_rd_req.\n");
1544                 }
1545         else    krb5rc = 0;
1546
1547         kssl_ctx->enctype       = krb5ticket->enc_part.enctype;
1548         ttimes->authtime        = krb5ticket->enc_part2->times.authtime;
1549         ttimes->starttime       = krb5ticket->enc_part2->times.starttime;
1550         ttimes->endtime         = krb5ticket->enc_part2->times.endtime;
1551         ttimes->renew_till      = krb5ticket->enc_part2->times.renew_till;
1552
1553  err:
1554 #ifdef KSSL_DEBUG
1555         kssl_ctx_show(kssl_ctx);
1556 #endif  /* KSSL_DEBUG */
1557
1558         if (asn1ticket)         KRB5_TICKET_free((KRB5_TICKET *) asn1ticket);
1559         if (krb5keytab)         krb5_kt_close(krb5context, krb5keytab);
1560         if (krb5ticket)         krb5_free_ticket(krb5context, krb5ticket);
1561         if (krb5server)         krb5_free_principal(krb5context, krb5server);
1562         return (krb5rc);
1563         }
1564
1565
1566 /*      Allocate & return a new kssl_ctx struct.
1567 */
1568 KSSL_CTX        *
1569 kssl_ctx_new(void)
1570         {
1571         return ((KSSL_CTX *) kssl_calloc(1, sizeof(KSSL_CTX)));
1572         }
1573
1574
1575 /*      Frees a kssl_ctx struct and any allocated memory it holds.
1576  *      Returns NULL.
1577  */
1578 KSSL_CTX        *
1579 kssl_ctx_free(KSSL_CTX *kssl_ctx)
1580         {
1581         if (kssl_ctx == NULL)  return kssl_ctx;
1582
1583         if (kssl_ctx->key)              OPENSSL_cleanse(kssl_ctx->key,
1584                                                               kssl_ctx->length);
1585         if (kssl_ctx->key)              kssl_free(kssl_ctx->key);
1586         if (kssl_ctx->client_princ)     kssl_free(kssl_ctx->client_princ);
1587         if (kssl_ctx->service_host)     kssl_free(kssl_ctx->service_host);
1588         if (kssl_ctx->service_name)     kssl_free(kssl_ctx->service_name);
1589         if (kssl_ctx->keytab_file)      kssl_free(kssl_ctx->keytab_file);
1590
1591         kssl_free(kssl_ctx);
1592         return (KSSL_CTX *) NULL;
1593         }
1594
1595
1596 /*      Given an array of (krb5_data *) entity (and optional realm),
1597  *      set the plain (char *) client_princ or service_host member
1598  *      of the kssl_ctx struct.
1599  */
1600 krb5_error_code
1601 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
1602         krb5_data *realm, krb5_data *entity, int nentities)
1603         {
1604         char    **princ;
1605         int     length;
1606         int i;
1607
1608         if (kssl_ctx == NULL  ||  entity == NULL)  return KSSL_CTX_ERR;
1609
1610         switch (which)
1611                 {
1612         case KSSL_CLIENT:       princ = &kssl_ctx->client_princ;        break;
1613         case KSSL_SERVER:       princ = &kssl_ctx->service_host;        break;
1614         default:                return KSSL_CTX_ERR;                    break;
1615                 }
1616         if (*princ)  kssl_free(*princ);
1617
1618         /* Add up all the entity->lengths */
1619         length = 0;
1620         for (i=0; i < nentities; i++)
1621                 {
1622                 length += entity[i].length;
1623                 }
1624         /* Add in space for the '/' character(s) (if any) */
1625         length += nentities-1;
1626         /* Space for the ('@'+realm+NULL | NULL) */
1627         length += ((realm)? realm->length + 2: 1);
1628
1629         if ((*princ = kssl_calloc(1, length)) == NULL)
1630                 return KSSL_CTX_ERR;
1631         else
1632                 {
1633                 for (i = 0; i < nentities; i++)
1634                         {
1635                         strncat(*princ, entity[i].data, entity[i].length);
1636                         if (i < nentities-1)
1637                                 {
1638                                 strcat (*princ, "/");
1639                                 }
1640                         }
1641                 if (realm)
1642                         {
1643                         strcat (*princ, "@");
1644                         (void) strncat(*princ, realm->data, realm->length);
1645                         }
1646                 }
1647
1648         return KSSL_CTX_OK;
1649         }
1650
1651
1652 /*-     Set one of the plain (char *) string members of the kssl_ctx struct.
1653  *      Default values should be:
1654  *              which == KSSL_SERVICE   =>      "khost" (KRB5SVC)
1655  *              which == KSSL_KEYTAB    =>      "/etc/krb5.keytab" (KRB5KEYTAB)
1656  */
1657 krb5_error_code
1658 kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
1659         {
1660         char    **string;
1661
1662         if (!kssl_ctx)  return KSSL_CTX_ERR;
1663
1664         switch (which)
1665                 {
1666         case KSSL_SERVICE:      string = &kssl_ctx->service_name;       break;
1667         case KSSL_SERVER:       string = &kssl_ctx->service_host;       break;
1668         case KSSL_CLIENT:       string = &kssl_ctx->client_princ;       break;
1669         case KSSL_KEYTAB:       string = &kssl_ctx->keytab_file;        break;
1670         default:                return KSSL_CTX_ERR;                    break;
1671                 }
1672         if (*string)  kssl_free(*string);
1673
1674         if (!text)
1675                 {
1676                 *string = '\0';
1677                 return KSSL_CTX_OK;
1678                 }
1679
1680         if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL)
1681                 return KSSL_CTX_ERR;
1682         else
1683                 strcpy(*string, text);
1684
1685         return KSSL_CTX_OK;
1686         }
1687
1688
1689 /*      Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
1690  *      struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
1691  */
1692 krb5_error_code
1693 kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
1694         {
1695         int             length;
1696         krb5_enctype    enctype;
1697         krb5_octet FAR  *contents = NULL;
1698
1699         if (!kssl_ctx)  return KSSL_CTX_ERR;
1700
1701         if (kssl_ctx->key)
1702                 {
1703                 OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
1704                 kssl_free(kssl_ctx->key);
1705                 }
1706
1707         if (session)
1708                 {
1709
1710 #ifdef KRB5_HEIMDAL
1711                 length = session->keyvalue->length;
1712                 enctype = session->keytype;
1713                 contents = session->keyvalue->contents;
1714 #else
1715                 length = session->length;
1716                 enctype = session->enctype;
1717                 contents = session->contents;
1718 #endif
1719                 kssl_ctx->enctype = enctype;
1720                 kssl_ctx->length  = length;
1721                 }
1722         else
1723                 {
1724                 kssl_ctx->enctype = ENCTYPE_UNKNOWN;
1725                 kssl_ctx->length  = 0;
1726                 return KSSL_CTX_OK;
1727                 }
1728
1729         if ((kssl_ctx->key =
1730                 (krb5_octet FAR *) kssl_calloc(1, kssl_ctx->length)) == NULL)
1731                 {
1732                 kssl_ctx->length  = 0;
1733                 return KSSL_CTX_ERR;
1734                 }
1735         else
1736                 memcpy(kssl_ctx->key, contents, length);
1737
1738         return KSSL_CTX_OK;
1739         }
1740
1741
1742 /*      Display contents of kssl_ctx struct
1743 */
1744 void
1745 kssl_ctx_show(KSSL_CTX *kssl_ctx)
1746         {
1747         int     i;
1748
1749         printf("kssl_ctx: ");
1750         if (kssl_ctx == NULL)
1751                 {
1752                 printf("NULL\n");
1753                 return;
1754                 }
1755         else
1756                 printf("%p\n", (void *)kssl_ctx);
1757
1758         printf("\tservice:\t%s\n",
1759                 (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
1760         printf("\tclient:\t%s\n",
1761                 (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL");
1762         printf("\tserver:\t%s\n",
1763                 (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL");
1764         printf("\tkeytab:\t%s\n",
1765                 (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL");
1766         printf("\tkey [%d:%d]:\t",
1767                 kssl_ctx->enctype, kssl_ctx->length);
1768
1769         for (i=0; i < kssl_ctx->length  &&  kssl_ctx->key; i++)
1770                 {
1771                 printf("%02x", kssl_ctx->key[i]);
1772                 }
1773         printf("\n");
1774         return;
1775         }
1776
1777     int 
1778     kssl_keytab_is_available(KSSL_CTX *kssl_ctx)
1779 {
1780     krb5_context                krb5context = NULL;
1781     krb5_keytab                 krb5keytab = NULL;
1782     krb5_keytab_entry           entry;
1783     krb5_principal              princ = NULL;
1784     krb5_error_code             krb5rc = KRB5KRB_ERR_GENERIC;
1785     int rc = 0;
1786
1787     if ((krb5rc = krb5_init_context(&krb5context)))
1788         return(0);
1789
1790     /*  kssl_ctx->keytab_file == NULL ==> use Kerberos default
1791     */
1792     if (kssl_ctx->keytab_file)
1793     {
1794         krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
1795                                   &krb5keytab);
1796         if (krb5rc)
1797             goto exit;
1798     }
1799     else
1800     {
1801         krb5rc = krb5_kt_default(krb5context,&krb5keytab);
1802         if (krb5rc)
1803             goto exit;
1804     }
1805
1806     /* the host key we are looking for */
1807     krb5rc = krb5_sname_to_principal(krb5context, NULL, 
1808                                      kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
1809                                      KRB5_NT_SRV_HST, &princ);
1810
1811     if (krb5rc)
1812         goto exit;
1813
1814     krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 
1815                                 princ,
1816                                 /* IGNORE_VNO */
1817                                 0,
1818                                 /* IGNORE_ENCTYPE */
1819                                 0,
1820                                 &entry);
1821     if ( krb5rc == KRB5_KT_NOTFOUND ) {
1822         rc = 1;
1823         goto exit;
1824     } else if ( krb5rc )
1825         goto exit;
1826     
1827     krb5_kt_free_entry(krb5context, &entry);
1828     rc = 1;
1829
1830   exit:
1831     if (krb5keytab)     krb5_kt_close(krb5context, krb5keytab);
1832     if (princ)          krb5_free_principal(krb5context, princ);
1833     if (krb5context)    krb5_free_context(krb5context);
1834     return(rc);
1835 }
1836
1837 int 
1838 kssl_tgt_is_available(KSSL_CTX *kssl_ctx)
1839         {
1840         krb5_error_code         krb5rc = KRB5KRB_ERR_GENERIC;
1841         krb5_context            krb5context = NULL;
1842         krb5_ccache             krb5ccdef = NULL;
1843         krb5_creds              krb5creds, *krb5credsp = NULL;
1844         int                     rc = 0;
1845
1846         memset((char *)&krb5creds, 0, sizeof(krb5creds));
1847
1848         if (!kssl_ctx)
1849             return(0);
1850
1851         if (!kssl_ctx->service_host)
1852             return(0);
1853
1854         if ((krb5rc = krb5_init_context(&krb5context)) != 0)
1855             goto err;
1856
1857         if ((krb5rc = krb5_sname_to_principal(krb5context,
1858                                               kssl_ctx->service_host,
1859                                               (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
1860                                               KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
1861             goto err;
1862
1863         if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
1864             goto err;
1865
1866         if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
1867                                              &krb5creds.client)) != 0)
1868             goto err;
1869
1870         if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
1871                                             &krb5creds, &krb5credsp)) != 0)
1872             goto err;
1873
1874         rc = 1;
1875
1876       err:
1877 #ifdef KSSL_DEBUG
1878         kssl_ctx_show(kssl_ctx);
1879 #endif  /* KSSL_DEBUG */
1880
1881         if (krb5creds.client)   krb5_free_principal(krb5context, krb5creds.client);
1882         if (krb5creds.server)   krb5_free_principal(krb5context, krb5creds.server);
1883         if (krb5context)        krb5_free_context(krb5context);
1884         return(rc);
1885         }
1886
1887 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32)
1888 void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
1889         {
1890 #ifdef KRB5_HEIMDAL
1891         data->length = 0;
1892         if (data->data)
1893             free(data->data);
1894 #elif defined(KRB5_MIT_OLD11)
1895         if (data->data)  {
1896                 krb5_xfree(data->data);
1897                 data->data = 0;
1898                 }
1899 #else
1900         krb5_free_data_contents(NULL, data);
1901 #endif
1902         }
1903 #endif
1904 /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */
1905
1906
1907 /*  Given pointers to KerberosTime and struct tm structs, convert the
1908  *  KerberosTime string to struct tm.  Note that KerberosTime is a
1909  *  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
1910  *  seconds as defined in RFC 1510.
1911  *  Return pointer to the (partially) filled in struct tm on success,
1912  *  return NULL on failure.
1913  */
1914 static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
1915         {
1916         char            c, *p;
1917
1918         if (!k_tm)  return NULL;
1919         if (gtime == NULL  ||  gtime->length < 14)  return NULL;
1920         if (gtime->data == NULL)  return NULL;
1921
1922         p = (char *)&gtime->data[14];
1923
1924         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_sec  = atoi(p);      *(p+2) = c;
1925         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_min  = atoi(p);      *(p+2) = c;
1926         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_hour = atoi(p);      *(p+2) = c;
1927         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_mday = atoi(p);      *(p+2) = c;
1928         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_mon  = atoi(p)-1;    *(p+2) = c;
1929         c = *p;  *p = '\0';  p -= 4;  k_tm->tm_year = atoi(p)-1900; *(p+4) = c;
1930
1931         return k_tm;
1932         }
1933
1934
1935 /*  Helper function for kssl_validate_times().
1936  *  We need context->clockskew, but krb5_context is an opaque struct.
1937  *  So we try to sneek the clockskew out through the replay cache.
1938  *      If that fails just return a likely default (300 seconds).
1939  */
1940 static krb5_deltat get_rc_clockskew(krb5_context context)
1941         {
1942         krb5_rcache     rc;
1943         krb5_deltat     clockskew;
1944
1945         if (krb5_rc_default(context, &rc))  return KSSL_CLOCKSKEW;
1946         if (krb5_rc_initialize(context, rc, 0))  return KSSL_CLOCKSKEW;
1947         if (krb5_rc_get_lifespan(context, rc, &clockskew))  {
1948                 clockskew = KSSL_CLOCKSKEW;
1949                 }
1950         (void) krb5_rc_destroy(context, rc);
1951         return clockskew;
1952         }
1953
1954
1955 /*  kssl_validate_times() combines (and more importantly exposes)
1956  *  the MIT KRB5 internal function krb5_validate_times() and the
1957  *  in_clock_skew() macro.  The authenticator client time is checked
1958  *  to be within clockskew secs of the current time and the current
1959  *  time is checked to be within the ticket start and expire times.
1960  *  Either check may be omitted by supplying a NULL value.
1961  *  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
1962  *  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
1963  *  20010420 VRS
1964  */
1965 krb5_error_code  kssl_validate_times(   krb5_timestamp atime,
1966                                         krb5_ticket_times *ttimes)
1967         {
1968         krb5_deltat     skew;
1969         krb5_timestamp  start, now;
1970         krb5_error_code rc;
1971         krb5_context    context;
1972
1973         if ((rc = krb5_init_context(&context)))  return SSL_R_KRB5_S_BAD_TICKET;
1974         skew = get_rc_clockskew(context); 
1975         if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET;
1976         krb5_free_context(context);
1977
1978         if (atime  &&  labs(atime - now) >= skew)  return SSL_R_KRB5_S_TKT_SKEW;
1979
1980         if (! ttimes)  return 0;
1981
1982         start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime;
1983         if (start - now > skew)  return SSL_R_KRB5_S_TKT_NYV;
1984         if ((now - ttimes->endtime) > skew)  return SSL_R_KRB5_S_TKT_EXPIRED;
1985
1986 #ifdef KSSL_DEBUG
1987         fprintf(stderr,"kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
1988                 start, atime, now, skew, ttimes->endtime);
1989 #endif  /* KSSL_DEBUG */
1990
1991         return 0;
1992         }
1993
1994
1995 /*  Decode and decrypt given DER-encoded authenticator, then pass
1996  *  authenticator ctime back in *atimep (or 0 if time unavailable).
1997  *  Returns krb5_error_code and kssl_err on error.  A NULL 
1998  *  authenticator (authentp->length == 0) is not considered an error.
1999  *  Note that kssl_check_authent() makes use of the KRB5 session key;
2000  *  you must call kssl_sget_tkt() to get the key before calling this routine.
2001  */
2002 krb5_error_code  kssl_check_authent(
2003                         /* IN     */    KSSL_CTX        *kssl_ctx,
2004                         /* IN     */    krb5_data       *authentp,
2005                         /* OUT    */    krb5_timestamp  *atimep,
2006                         /* OUT    */    KSSL_ERR        *kssl_err  )
2007         {
2008         krb5_error_code         krb5rc = 0;
2009         KRB5_ENCDATA            *dec_authent = NULL;
2010         KRB5_AUTHENTBODY        *auth = NULL;
2011         krb5_enctype            enctype;
2012         EVP_CIPHER_CTX          ciph_ctx;
2013         const EVP_CIPHER        *enc = NULL;
2014         unsigned char           iv[EVP_MAX_IV_LENGTH];
2015         const unsigned char     *p;
2016         unsigned char           *unenc_authent;
2017         int                     outl, unencbufsize;
2018         struct tm               tm_time, *tm_l, *tm_g;
2019         time_t                  now, tl, tg, tr, tz_offset;
2020
2021         EVP_CIPHER_CTX_init(&ciph_ctx);
2022         *atimep = 0;
2023         kssl_err_set(kssl_err, 0, "");
2024
2025 #ifndef KRB5CHECKAUTH
2026         authentp = NULL;
2027 #else
2028 #if     KRB5CHECKAUTH == 0
2029         authentp = NULL;
2030 #endif
2031 #endif  /* KRB5CHECKAUTH */
2032
2033         if (authentp == NULL  ||  authentp->length == 0)  return 0;
2034
2035 #ifdef KSSL_DEBUG
2036         {
2037         unsigned int ui;
2038         fprintf(stderr,"kssl_check_authent: authenticator[%d]:\n",authentp->length);
2039         p = authentp->data; 
2040         for (ui=0; ui < authentp->length; ui++)  fprintf(stderr,"%02x ",p[ui]);
2041         fprintf(stderr,"\n");
2042         }
2043 #endif  /* KSSL_DEBUG */
2044
2045         unencbufsize = 2 * authentp->length;
2046         if ((unenc_authent = calloc(1, unencbufsize)) == NULL)
2047                 {
2048                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2049                         "Unable to allocate authenticator buffer.\n");
2050                 krb5rc = KRB5KRB_ERR_GENERIC;
2051                 goto err;
2052                 }
2053
2054         p = (unsigned char *)authentp->data;
2055         if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p,
2056                                         (long) authentp->length)) == NULL) 
2057                 {
2058                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2059                         "Error decoding authenticator.\n");
2060                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2061                 goto err;
2062                 }
2063
2064         enctype = dec_authent->etype->data[0];  /* should = kssl_ctx->enctype */
2065 #if !defined(KRB5_MIT_OLD11)
2066             switch ( enctype ) {
2067             case ENCTYPE_DES3_CBC_SHA1:         /*    EVP_des_ede3_cbc();  */
2068             case ENCTYPE_DES3_CBC_SHA:
2069             case ENCTYPE_DES3_CBC_RAW:
2070                 krb5rc = 0;                     /* Skip, can't handle derived keys */
2071                 goto err;
2072             }
2073 #endif
2074         enc = kssl_map_enc(enctype);
2075         memset(iv, 0, sizeof iv);       /* per RFC 1510 */
2076
2077         if (enc == NULL)
2078                 {
2079                 /*  Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
2080                  *  This enctype indicates the authenticator was encrypted
2081                  *  using key-usage derived keys which openssl cannot decrypt.
2082                  */
2083                 goto err;
2084                 }
2085
2086         if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0))
2087                 {
2088                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2089                         "EVP_CipherInit error decrypting authenticator.\n");
2090                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2091                 goto err;
2092                 }
2093         outl = dec_authent->cipher->length;
2094         if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl))
2095                 {
2096                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2097                         "EVP_Cipher error decrypting authenticator.\n");
2098                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2099                 goto err;
2100                 }
2101         EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2102
2103 #ifdef KSSL_DEBUG
2104         {
2105         int padl;
2106         fprintf(stderr,"kssl_check_authent: decrypted authenticator[%d] =\n", outl);
2107         for (padl=0; padl < outl; padl++) fprintf(stderr,"%02x ",unenc_authent[padl]);
2108         fprintf(stderr,"\n");
2109         }
2110 #endif  /* KSSL_DEBUG */
2111
2112         if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL)
2113                 {
2114                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2115                         "confounded by authenticator.\n");
2116                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2117                 goto err;
2118                 }
2119         outl -= p - unenc_authent;
2120
2121         if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p,
2122                                                           (long) outl))==NULL)
2123                 {
2124                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2125                         "Error decoding authenticator body.\n");
2126                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2127                 goto err;
2128                 }
2129
2130         memset(&tm_time,0,sizeof(struct tm));
2131         if (k_gmtime(auth->ctime, &tm_time)  &&
2132                 ((tr = mktime(&tm_time)) != (time_t)(-1)))
2133                 {
2134                 now  = time(&now);
2135                 tm_l = localtime(&now);         tl = mktime(tm_l);
2136                 tm_g = gmtime(&now);            tg = mktime(tm_g);
2137                 tz_offset = tg - tl;
2138
2139                 *atimep = (krb5_timestamp)(tr - tz_offset);
2140                 }
2141
2142 #ifdef KSSL_DEBUG
2143         fprintf(stderr,"kssl_check_authent: returns %d for client time ", *atimep);
2144         if (auth->ctime && auth->ctime->length && auth->ctime->data)
2145                 fprintf(stderr,"%.*s\n", auth->ctime->length, auth->ctime->data);
2146         else    fprintf(stderr,"NULL\n");
2147 #endif  /* KSSL_DEBUG */
2148
2149  err:
2150         if (auth)               KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
2151         if (dec_authent)        KRB5_ENCDATA_free(dec_authent);
2152         if (unenc_authent)      free(unenc_authent);
2153         EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2154         return krb5rc;
2155         }
2156
2157
2158 /*  Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
2159  *  because I don't know how to stub varargs.
2160  *  Returns krb5_error_code == ENOMEM on alloc error, otherwise
2161  *  passes back newly constructed principal, which should be freed by caller.
2162  */
2163 krb5_error_code  kssl_build_principal_2(
2164                         /* UPDATE */    krb5_context    context,
2165                         /* OUT    */    krb5_principal  *princ,
2166                         /* IN     */    int rlen,  const char *realm,
2167                         /* IN     */    int slen,  const char *svc,
2168                         /* IN     */    int hlen,  const char *host)
2169         {
2170         krb5_data               *p_data = NULL;
2171         krb5_principal          new_p = NULL;
2172         char                    *new_r = NULL;
2173
2174         if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL  ||
2175             (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data)))
2176                         == NULL)  goto err;
2177         new_p->length = 2;
2178         new_p->data = p_data;
2179
2180         if ((new_r = calloc(1, rlen + 1)) == NULL)  goto err;
2181         memcpy(new_r, realm, rlen);
2182         krb5_princ_set_realm_length(context, new_p, rlen);
2183         krb5_princ_set_realm_data(context, new_p, new_r);
2184
2185         if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL)  goto err;
2186         memcpy(new_p->data[0].data, svc, slen);
2187         new_p->data[0].length = slen;
2188
2189         if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL)  goto err;
2190         memcpy(new_p->data[1].data, host, hlen);
2191         new_p->data[1].length = hlen;
2192         
2193         krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN;
2194         *princ = new_p;
2195         return 0;
2196
2197  err:
2198         if (new_p  &&  new_p[0].data)   free(new_p[0].data);
2199         if (new_p  &&  new_p[1].data)   free(new_p[1].data);
2200         if (new_p)      free(new_p);
2201         if (new_r)      free(new_r);
2202         return ENOMEM;
2203         }
2204
2205 void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx)
2206         {
2207         s->kssl_ctx = kctx;
2208         } 
2209
2210 KSSL_CTX * SSL_get0_kssl_ctx(SSL *s)
2211         {
2212         return s->kssl_ctx;
2213         }
2214
2215 char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx)
2216         {
2217         if (kctx)
2218                 return kctx->client_princ;
2219         return NULL;
2220         }
2221
2222 #else /* !OPENSSL_NO_KRB5 */
2223
2224 #if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS)
2225 static void *dummy=&dummy;
2226 #endif
2227
2228 #endif  /* !OPENSSL_NO_KRB5     */
2229