Compare encodings in X509_cmp as well as hash.
[openssl.git] / ssl / kssl.c
1 /* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */
2 /* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
3  */
4 /* ====================================================================
5  * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer. 
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com).
55  *
56  */
57
58
59 /*  ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
60 **
61 **  19990701    VRS     Started.
62 **  200011??    Jeffrey Altman, Richard Levitte
63 **                      Generalized for Heimdal, Newer MIT, & Win32.
64 **                      Integrated into main OpenSSL 0.9.7 snapshots.
65 **  20010413    Simon Wilkinson, VRS
66 **                      Real RFC2712 KerberosWrapper replaces AP_REQ.
67 */
68
69 #include <openssl/opensslconf.h>
70
71 #include <string.h>
72
73 #define KRB5_PRIVATE    1
74
75 #include <openssl/ssl.h>
76 #include <openssl/evp.h>
77 #include <openssl/objects.h>
78 #include <openssl/krb5_asn.h>
79 #include "kssl_lcl.h"
80
81 #ifndef OPENSSL_NO_KRB5
82
83 #ifndef ENOMEM
84 #define ENOMEM KRB5KRB_ERR_GENERIC
85 #endif
86
87 /* 
88  * When OpenSSL is built on Windows, we do not want to require that
89  * the Kerberos DLLs be available in order for the OpenSSL DLLs to
90  * work.  Therefore, all Kerberos routines are loaded at run time
91  * and we do not link to a .LIB file.
92  */
93
94 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
95 /* 
96  * The purpose of the following pre-processor statements is to provide
97  * compatibility with different releases of MIT Kerberos for Windows.
98  * All versions up to 1.2 used macros.  But macros do not allow for
99  * a binary compatible interface for DLLs.  Therefore, all macros are
100  * being replaced by function calls.  The following code will allow
101  * an OpenSSL DLL built on Windows to work whether or not the macro
102  * or function form of the routines are utilized.
103  */
104 #ifdef  krb5_cc_get_principal
105 #define NO_DEF_KRB5_CCACHE
106 #undef  krb5_cc_get_principal
107 #endif
108 #define krb5_cc_get_principal    kssl_krb5_cc_get_principal
109
110 #define krb5_free_data_contents  kssl_krb5_free_data_contents   
111 #define krb5_free_context        kssl_krb5_free_context         
112 #define krb5_auth_con_free       kssl_krb5_auth_con_free        
113 #define krb5_free_principal      kssl_krb5_free_principal       
114 #define krb5_mk_req_extended     kssl_krb5_mk_req_extended      
115 #define krb5_get_credentials     kssl_krb5_get_credentials      
116 #define krb5_cc_default          kssl_krb5_cc_default           
117 #define krb5_sname_to_principal  kssl_krb5_sname_to_principal   
118 #define krb5_init_context        kssl_krb5_init_context         
119 #define krb5_free_ticket         kssl_krb5_free_ticket          
120 #define krb5_rd_req              kssl_krb5_rd_req               
121 #define krb5_kt_default          kssl_krb5_kt_default           
122 #define krb5_kt_resolve          kssl_krb5_kt_resolve           
123 /* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */
124 #ifndef krb5_kt_close
125 #define krb5_kt_close            kssl_krb5_kt_close
126 #endif /* krb5_kt_close */
127 #ifndef krb5_kt_get_entry
128 #define krb5_kt_get_entry        kssl_krb5_kt_get_entry
129 #endif /* krb5_kt_get_entry */
130 #define krb5_auth_con_init       kssl_krb5_auth_con_init        
131
132 #define krb5_principal_compare   kssl_krb5_principal_compare
133 #define krb5_decrypt_tkt_part    kssl_krb5_decrypt_tkt_part
134 #define krb5_timeofday           kssl_krb5_timeofday
135 #define krb5_rc_default          kssl_krb5_rc_default
136
137 #ifdef krb5_rc_initialize
138 #undef krb5_rc_initialize
139 #endif
140 #define krb5_rc_initialize   kssl_krb5_rc_initialize
141
142 #ifdef krb5_rc_get_lifespan
143 #undef krb5_rc_get_lifespan
144 #endif
145 #define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan
146
147 #ifdef krb5_rc_destroy
148 #undef krb5_rc_destroy
149 #endif
150 #define krb5_rc_destroy      kssl_krb5_rc_destroy
151
152 #define valid_cksumtype      kssl_valid_cksumtype
153 #define krb5_checksum_size   kssl_krb5_checksum_size
154 #define krb5_kt_free_entry   kssl_krb5_kt_free_entry
155 #define krb5_auth_con_setrcache  kssl_krb5_auth_con_setrcache
156 #define krb5_auth_con_getrcache  kssl_krb5_auth_con_getrcache
157 #define krb5_get_server_rcache   kssl_krb5_get_server_rcache
158
159 /* Prototypes for built in stubs */
160 void kssl_krb5_free_data_contents(krb5_context, krb5_data *);
161 void kssl_krb5_free_principal(krb5_context, krb5_principal );
162 krb5_error_code kssl_krb5_kt_resolve(krb5_context,
163                                      krb5_const char *,
164                                      krb5_keytab *);
165 krb5_error_code kssl_krb5_kt_default(krb5_context,
166                                      krb5_keytab *);
167 krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *);
168 krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, 
169                                  krb5_const krb5_data *,
170                                  krb5_const_principal, krb5_keytab, 
171                                  krb5_flags *,krb5_ticket **);
172
173 krb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal,
174                                          krb5_const_principal);
175 krb5_error_code kssl_krb5_mk_req_extended(krb5_context,
176                                           krb5_auth_context  *,
177                                           krb5_const krb5_flags,
178                                           krb5_data  *,
179                                           krb5_creds  *,
180                                           krb5_data  * );
181 krb5_error_code kssl_krb5_init_context(krb5_context *);
182 void kssl_krb5_free_context(krb5_context);
183 krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache  *);
184 krb5_error_code kssl_krb5_sname_to_principal(krb5_context,
185                                              krb5_const char  *,
186                                              krb5_const char  *,
187                                              krb5_int32,
188                                              krb5_principal  *);
189 krb5_error_code kssl_krb5_get_credentials(krb5_context,
190                                           krb5_const krb5_flags,
191                                           krb5_ccache,
192                                           krb5_creds  *,
193                                           krb5_creds  *  *);
194 krb5_error_code kssl_krb5_auth_con_init(krb5_context,
195                                         krb5_auth_context  *);
196 krb5_error_code kssl_krb5_cc_get_principal(krb5_context context, 
197                                            krb5_ccache cache,
198                                            krb5_principal *principal);
199 krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context);
200 size_t kssl_krb5_checksum_size(krb5_context context,krb5_cksumtype ctype);
201 krb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype);
202 krb5_error_code krb5_kt_free_entry(krb5_context,krb5_keytab_entry FAR * );
203 krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, 
204                                              krb5_auth_context, 
205                                              krb5_rcache);
206 krb5_error_code kssl_krb5_get_server_rcache(krb5_context, 
207                                             krb5_const krb5_data *,
208                                             krb5_rcache *);
209 krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, 
210                                              krb5_auth_context,
211                                              krb5_rcache *);
212
213 /* Function pointers (almost all Kerberos functions are _stdcall) */
214 static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *)
215         =NULL;
216 static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal )
217         =NULL;
218 static krb5_error_code(_stdcall *p_krb5_kt_resolve)
219                         (krb5_context, krb5_const char *, krb5_keytab *)=NULL;
220 static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context,
221                                                      krb5_keytab *)=NULL;
222 static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context, 
223                                                       krb5_ticket *)=NULL;
224 static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context, 
225                                                  krb5_auth_context *, 
226                                                  krb5_const krb5_data *,
227                                                  krb5_const_principal, 
228                                                  krb5_keytab, krb5_flags *,
229                                                  krb5_ticket **)=NULL;
230 static krb5_error_code (_stdcall *p_krb5_mk_req_extended)
231                         (krb5_context, krb5_auth_context *,
232                          krb5_const krb5_flags, krb5_data *, krb5_creds *,
233                          krb5_data * )=NULL;
234 static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL;
235 static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL;
236 static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context,
237                                                      krb5_ccache  *)=NULL;
238 static krb5_error_code (_stdcall *p_krb5_sname_to_principal)
239                         (krb5_context, krb5_const char *, krb5_const char *,
240                          krb5_int32, krb5_principal *)=NULL;
241 static krb5_error_code (_stdcall *p_krb5_get_credentials)
242                         (krb5_context, krb5_const krb5_flags, krb5_ccache,
243                          krb5_creds *, krb5_creds **)=NULL;
244 static krb5_error_code (_stdcall *p_krb5_auth_con_init)
245                         (krb5_context, krb5_auth_context *)=NULL;
246 static krb5_error_code (_stdcall *p_krb5_cc_get_principal)
247                         (krb5_context context, krb5_ccache cache,
248                          krb5_principal *principal)=NULL;
249 static krb5_error_code (_stdcall *p_krb5_auth_con_free)
250                         (krb5_context, krb5_auth_context)=NULL;
251 static krb5_error_code (_stdcall *p_krb5_decrypt_tkt_part)
252                         (krb5_context, krb5_const krb5_keyblock *,
253                                            krb5_ticket *)=NULL;
254 static krb5_error_code (_stdcall *p_krb5_timeofday)
255                         (krb5_context context, krb5_int32 *timeret)=NULL;
256 static krb5_error_code (_stdcall *p_krb5_rc_default)
257                         (krb5_context context, krb5_rcache *rc)=NULL;
258 static krb5_error_code (_stdcall *p_krb5_rc_initialize)
259                         (krb5_context context, krb5_rcache rc,
260                                      krb5_deltat lifespan)=NULL;
261 static krb5_error_code (_stdcall *p_krb5_rc_get_lifespan)
262                         (krb5_context context, krb5_rcache rc,
263                                        krb5_deltat *lifespan)=NULL;
264 static krb5_error_code (_stdcall *p_krb5_rc_destroy)
265                         (krb5_context context, krb5_rcache rc)=NULL;
266 static krb5_boolean (_stdcall *p_krb5_principal_compare)
267                      (krb5_context, krb5_const_principal, krb5_const_principal)=NULL;
268 static size_t (_stdcall *p_krb5_checksum_size)(krb5_context context,krb5_cksumtype ctype)=NULL;
269 static krb5_boolean (_stdcall *p_valid_cksumtype)(krb5_cksumtype ctype)=NULL;
270 static krb5_error_code (_stdcall *p_krb5_kt_free_entry)
271                         (krb5_context,krb5_keytab_entry * )=NULL;
272 static krb5_error_code (_stdcall * p_krb5_auth_con_setrcache)(krb5_context, 
273                                                                krb5_auth_context, 
274                                                                krb5_rcache)=NULL;
275 static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context, 
276                                                               krb5_const krb5_data *, 
277                                                               krb5_rcache *)=NULL;
278 static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, 
279                                                       krb5_auth_context,
280                                                       krb5_rcache *)=NULL;
281 static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, 
282                                                     krb5_keytab keytab)=NULL;
283 static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, 
284                                                         krb5_keytab keytab,
285                        krb5_const_principal principal, krb5_kvno vno,
286                        krb5_enctype enctype, krb5_keytab_entry *entry)=NULL;
287 static int krb5_loaded = 0;     /* only attempt to initialize func ptrs once */
288
289 /* Function to Load the Kerberos 5 DLL and initialize function pointers */
290 void
291 load_krb5_dll(void)
292         {
293         HANDLE hKRB5_32;
294     
295         krb5_loaded++;
296         hKRB5_32 = LoadLibrary(TEXT("KRB5_32"));
297         if (!hKRB5_32)
298                 return;
299
300         (FARPROC) p_krb5_free_data_contents =
301                 GetProcAddress( hKRB5_32, "krb5_free_data_contents" );
302         (FARPROC) p_krb5_free_context =
303                 GetProcAddress( hKRB5_32, "krb5_free_context" );
304         (FARPROC) p_krb5_auth_con_free =
305                 GetProcAddress( hKRB5_32, "krb5_auth_con_free" );
306         (FARPROC) p_krb5_free_principal =
307                 GetProcAddress( hKRB5_32, "krb5_free_principal" );
308         (FARPROC) p_krb5_mk_req_extended =
309                 GetProcAddress( hKRB5_32, "krb5_mk_req_extended" );
310         (FARPROC) p_krb5_get_credentials =
311                 GetProcAddress( hKRB5_32, "krb5_get_credentials" );
312         (FARPROC) p_krb5_cc_get_principal =
313                 GetProcAddress( hKRB5_32, "krb5_cc_get_principal" );
314         (FARPROC) p_krb5_cc_default =
315                 GetProcAddress( hKRB5_32, "krb5_cc_default" );
316         (FARPROC) p_krb5_sname_to_principal =
317                 GetProcAddress( hKRB5_32, "krb5_sname_to_principal" );
318         (FARPROC) p_krb5_init_context =
319                 GetProcAddress( hKRB5_32, "krb5_init_context" );
320         (FARPROC) p_krb5_free_ticket =
321                 GetProcAddress( hKRB5_32, "krb5_free_ticket" );
322         (FARPROC) p_krb5_rd_req =
323                 GetProcAddress( hKRB5_32, "krb5_rd_req" );
324         (FARPROC) p_krb5_principal_compare =
325                 GetProcAddress( hKRB5_32, "krb5_principal_compare" );
326         (FARPROC) p_krb5_decrypt_tkt_part =
327                 GetProcAddress( hKRB5_32, "krb5_decrypt_tkt_part" );
328         (FARPROC) p_krb5_timeofday =
329                 GetProcAddress( hKRB5_32, "krb5_timeofday" );
330         (FARPROC) p_krb5_rc_default =
331                 GetProcAddress( hKRB5_32, "krb5_rc_default" );
332         (FARPROC) p_krb5_rc_initialize =
333                 GetProcAddress( hKRB5_32, "krb5_rc_initialize" );
334         (FARPROC) p_krb5_rc_get_lifespan =
335                 GetProcAddress( hKRB5_32, "krb5_rc_get_lifespan" );
336         (FARPROC) p_krb5_rc_destroy =
337                 GetProcAddress( hKRB5_32, "krb5_rc_destroy" );
338         (FARPROC) p_krb5_kt_default =
339                 GetProcAddress( hKRB5_32, "krb5_kt_default" );
340         (FARPROC) p_krb5_kt_resolve =
341                 GetProcAddress( hKRB5_32, "krb5_kt_resolve" );
342         (FARPROC) p_krb5_auth_con_init =
343                 GetProcAddress( hKRB5_32, "krb5_auth_con_init" );
344         (FARPROC) p_valid_cksumtype =
345                 GetProcAddress( hKRB5_32, "valid_cksumtype" );
346         (FARPROC) p_krb5_checksum_size =
347                 GetProcAddress( hKRB5_32, "krb5_checksum_size" );
348         (FARPROC) p_krb5_kt_free_entry =
349                 GetProcAddress( hKRB5_32, "krb5_kt_free_entry" );
350         (FARPROC) p_krb5_auth_con_setrcache =
351                 GetProcAddress( hKRB5_32, "krb5_auth_con_setrcache" );
352         (FARPROC) p_krb5_get_server_rcache =
353                 GetProcAddress( hKRB5_32, "krb5_get_server_rcache" );
354         (FARPROC) p_krb5_auth_con_getrcache =
355                 GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" );
356         (FARPROC) p_krb5_kt_close =
357                 GetProcAddress( hKRB5_32, "krb5_kt_close" );
358         (FARPROC) p_krb5_kt_get_entry =
359                 GetProcAddress( hKRB5_32, "krb5_kt_get_entry" );
360         }
361
362 /* Stubs for each function to be dynamicly loaded */
363 void
364 kssl_krb5_free_data_contents(krb5_context CO, krb5_data  * data)
365         {
366         if (!krb5_loaded)
367                 load_krb5_dll();
368
369         if ( p_krb5_free_data_contents )
370                 p_krb5_free_data_contents(CO,data);
371         }
372
373 krb5_error_code
374 kssl_krb5_mk_req_extended (krb5_context CO,
375                           krb5_auth_context  * pACO,
376                           krb5_const krb5_flags F,
377                           krb5_data  * pD1,
378                           krb5_creds  * pC,
379                           krb5_data  * pD2)
380         {
381         if (!krb5_loaded)
382                 load_krb5_dll();
383
384         if ( p_krb5_mk_req_extended )
385                 return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2));
386         else
387                 return KRB5KRB_ERR_GENERIC;
388         }
389 krb5_error_code
390 kssl_krb5_auth_con_init(krb5_context CO,
391                        krb5_auth_context  * pACO)
392         {
393         if (!krb5_loaded)
394                 load_krb5_dll();
395
396         if ( p_krb5_auth_con_init )
397                 return(p_krb5_auth_con_init(CO,pACO));
398         else
399                 return KRB5KRB_ERR_GENERIC;
400         }
401 krb5_error_code
402 kssl_krb5_auth_con_free (krb5_context CO,
403                         krb5_auth_context ACO)
404         {
405         if (!krb5_loaded)
406                 load_krb5_dll();
407
408         if ( p_krb5_auth_con_free )
409                 return(p_krb5_auth_con_free(CO,ACO));
410         else
411                 return KRB5KRB_ERR_GENERIC;
412         }
413 krb5_error_code
414 kssl_krb5_get_credentials(krb5_context CO,
415                          krb5_const krb5_flags F,
416                          krb5_ccache CC,
417                          krb5_creds  * pCR,
418                          krb5_creds  ** ppCR)
419         {
420         if (!krb5_loaded)
421                 load_krb5_dll();
422
423         if ( p_krb5_get_credentials )
424                 return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR));
425         else
426                 return KRB5KRB_ERR_GENERIC;
427         }
428 krb5_error_code
429 kssl_krb5_sname_to_principal(krb5_context CO,
430                             krb5_const char  * pC1,
431                             krb5_const char  * pC2,
432                             krb5_int32 I,
433                             krb5_principal  * pPR)
434         {
435         if (!krb5_loaded)
436                 load_krb5_dll();
437
438         if ( p_krb5_sname_to_principal )
439                 return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR));
440         else
441                 return KRB5KRB_ERR_GENERIC;
442         }
443
444 krb5_error_code
445 kssl_krb5_cc_default(krb5_context CO,
446                     krb5_ccache  * pCC)
447         {
448         if (!krb5_loaded)
449                 load_krb5_dll();
450
451         if ( p_krb5_cc_default )
452                 return(p_krb5_cc_default(CO,pCC));
453         else
454                 return KRB5KRB_ERR_GENERIC;
455         }
456
457 krb5_error_code
458 kssl_krb5_init_context(krb5_context * pCO)
459         {
460         if (!krb5_loaded)
461                 load_krb5_dll();
462
463         if ( p_krb5_init_context )
464                 return(p_krb5_init_context(pCO));
465         else
466                 return KRB5KRB_ERR_GENERIC;
467         }
468
469 void
470 kssl_krb5_free_context(krb5_context CO)
471         {
472         if (!krb5_loaded)
473                 load_krb5_dll();
474
475         if ( p_krb5_free_context )
476                 p_krb5_free_context(CO);
477         }
478
479 void
480 kssl_krb5_free_principal(krb5_context c, krb5_principal p)
481         {
482         if (!krb5_loaded)
483                 load_krb5_dll();
484
485         if ( p_krb5_free_principal )
486                 p_krb5_free_principal(c,p);
487         }
488
489 krb5_error_code
490 kssl_krb5_kt_resolve(krb5_context con,
491                     krb5_const char * sz,
492                     krb5_keytab * kt)
493         {
494         if (!krb5_loaded)
495                 load_krb5_dll();
496
497         if ( p_krb5_kt_resolve )
498                 return(p_krb5_kt_resolve(con,sz,kt));
499         else
500                 return KRB5KRB_ERR_GENERIC;
501         }
502
503 krb5_error_code
504 kssl_krb5_kt_default(krb5_context con,
505                     krb5_keytab * kt)
506         {
507         if (!krb5_loaded)
508                 load_krb5_dll();
509
510         if ( p_krb5_kt_default )
511                 return(p_krb5_kt_default(con,kt));
512         else
513                 return KRB5KRB_ERR_GENERIC;
514         }
515
516 krb5_error_code
517 kssl_krb5_free_ticket(krb5_context con,
518                      krb5_ticket * kt)
519         {
520         if (!krb5_loaded)
521                 load_krb5_dll();
522
523         if ( p_krb5_free_ticket )
524                 return(p_krb5_free_ticket(con,kt));
525         else
526                 return KRB5KRB_ERR_GENERIC;
527         }
528
529 krb5_error_code
530 kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon,
531                 krb5_const krb5_data * data,
532                 krb5_const_principal princ, krb5_keytab keytab,
533                 krb5_flags * flags, krb5_ticket ** pptkt)
534         {
535         if (!krb5_loaded)
536                 load_krb5_dll();
537
538         if ( p_krb5_rd_req )
539                 return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt));
540         else
541                 return KRB5KRB_ERR_GENERIC;
542         }
543
544 krb5_boolean
545 krb5_principal_compare(krb5_context con, krb5_const_principal princ1,
546                 krb5_const_principal princ2)
547         {
548         if (!krb5_loaded)
549                 load_krb5_dll();
550
551         if ( p_krb5_principal_compare )
552                 return(p_krb5_principal_compare(con,princ1,princ2));
553         else
554                 return KRB5KRB_ERR_GENERIC;
555         }
556
557 krb5_error_code
558 krb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys,
559                 krb5_ticket *ticket)
560         {
561         if (!krb5_loaded)
562                 load_krb5_dll();
563
564         if ( p_krb5_decrypt_tkt_part )
565                 return(p_krb5_decrypt_tkt_part(con,keys,ticket));
566         else
567                 return KRB5KRB_ERR_GENERIC;
568         }
569
570 krb5_error_code
571 krb5_timeofday(krb5_context con, krb5_int32 *timeret)
572         {
573         if (!krb5_loaded)
574                 load_krb5_dll();
575
576         if ( p_krb5_timeofday )
577                 return(p_krb5_timeofday(con,timeret));
578         else
579                 return KRB5KRB_ERR_GENERIC;
580         }
581
582 krb5_error_code
583 krb5_rc_default(krb5_context con, krb5_rcache *rc)
584         {
585         if (!krb5_loaded)
586                 load_krb5_dll();
587
588         if ( p_krb5_rc_default )
589                 return(p_krb5_rc_default(con,rc));
590         else
591                 return KRB5KRB_ERR_GENERIC;
592         }
593
594 krb5_error_code
595 krb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan)
596         {
597         if (!krb5_loaded)
598                 load_krb5_dll();
599
600         if ( p_krb5_rc_initialize )
601                 return(p_krb5_rc_initialize(con, rc, lifespan));
602         else
603                 return KRB5KRB_ERR_GENERIC;
604         }
605
606 krb5_error_code
607 krb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp)
608         {
609         if (!krb5_loaded)
610                 load_krb5_dll();
611
612         if ( p_krb5_rc_get_lifespan )
613                 return(p_krb5_rc_get_lifespan(con, rc, lifespanp));
614         else
615                 return KRB5KRB_ERR_GENERIC;
616         }
617
618 krb5_error_code
619 krb5_rc_destroy(krb5_context con, krb5_rcache rc)
620         {
621         if (!krb5_loaded)
622                 load_krb5_dll();
623
624         if ( p_krb5_rc_destroy )
625                 return(p_krb5_rc_destroy(con, rc));
626         else
627                 return KRB5KRB_ERR_GENERIC;
628         }
629
630 size_t 
631 krb5_checksum_size(krb5_context context,krb5_cksumtype ctype)
632         {
633         if (!krb5_loaded)
634                 load_krb5_dll();
635
636         if ( p_krb5_checksum_size )
637                 return(p_krb5_checksum_size(context, ctype));
638         else
639                 return KRB5KRB_ERR_GENERIC;
640         }
641
642 krb5_boolean 
643 valid_cksumtype(krb5_cksumtype ctype)
644         {
645         if (!krb5_loaded)
646                 load_krb5_dll();
647
648         if ( p_valid_cksumtype )
649                 return(p_valid_cksumtype(ctype));
650         else
651                 return KRB5KRB_ERR_GENERIC;
652         }
653
654 krb5_error_code 
655 krb5_kt_free_entry(krb5_context con,krb5_keytab_entry * entry)
656         {
657         if (!krb5_loaded)
658                 load_krb5_dll();
659
660         if ( p_krb5_kt_free_entry )
661                 return(p_krb5_kt_free_entry(con,entry));
662         else
663                 return KRB5KRB_ERR_GENERIC;
664         }
665                  
666 /* Structure definitions  */
667 #ifndef NO_DEF_KRB5_CCACHE
668 #ifndef krb5_x
669 #define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1))
670 #define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0))
671 #endif 
672
673 typedef krb5_pointer    krb5_cc_cursor; /* cursor for sequential lookup */
674
675 typedef struct _krb5_ccache
676         {
677         krb5_magic magic;
678         struct _krb5_cc_ops FAR *ops;
679         krb5_pointer data;
680         } *krb5_ccache;
681
682 typedef struct _krb5_cc_ops
683         {
684         krb5_magic magic;
685         char  *prefix;
686         char  * (KRB5_CALLCONV *get_name)
687                 (krb5_context, krb5_ccache);
688         krb5_error_code (KRB5_CALLCONV *resolve)
689                 (krb5_context, krb5_ccache  *, const char  *);
690         krb5_error_code (KRB5_CALLCONV *gen_new)
691                 (krb5_context, krb5_ccache  *);
692         krb5_error_code (KRB5_CALLCONV *init)
693                 (krb5_context, krb5_ccache, krb5_principal);
694         krb5_error_code (KRB5_CALLCONV *destroy)
695                 (krb5_context, krb5_ccache);
696         krb5_error_code (KRB5_CALLCONV *close)
697                 (krb5_context, krb5_ccache);
698         krb5_error_code (KRB5_CALLCONV *store)
699                 (krb5_context, krb5_ccache, krb5_creds  *);
700         krb5_error_code (KRB5_CALLCONV *retrieve)
701                 (krb5_context, krb5_ccache,
702                 krb5_flags, krb5_creds  *, krb5_creds  *);
703         krb5_error_code (KRB5_CALLCONV *get_princ)
704                 (krb5_context, krb5_ccache, krb5_principal  *);
705         krb5_error_code (KRB5_CALLCONV *get_first)
706                 (krb5_context, krb5_ccache, krb5_cc_cursor  *);
707         krb5_error_code (KRB5_CALLCONV *get_next)
708                 (krb5_context, krb5_ccache,
709                 krb5_cc_cursor  *, krb5_creds  *);
710         krb5_error_code (KRB5_CALLCONV *end_get)
711                 (krb5_context, krb5_ccache, krb5_cc_cursor  *);
712         krb5_error_code (KRB5_CALLCONV *remove_cred)
713                 (krb5_context, krb5_ccache,
714                 krb5_flags, krb5_creds  *);
715         krb5_error_code (KRB5_CALLCONV *set_flags)
716                 (krb5_context, krb5_ccache, krb5_flags);
717         } krb5_cc_ops;
718 #endif /* NO_DEF_KRB5_CCACHE */
719
720 krb5_error_code 
721 kssl_krb5_cc_get_principal
722     (krb5_context context, krb5_ccache cache,
723       krb5_principal *principal)
724         {
725         if ( p_krb5_cc_get_principal )
726                 return(p_krb5_cc_get_principal(context,cache,principal));
727         else
728                 return(krb5_x
729                         ((cache)->ops->get_princ,(context, cache, principal)));
730         }
731
732 krb5_error_code
733 kssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon,
734                              krb5_rcache rcache)
735         {
736         if ( p_krb5_auth_con_setrcache )
737                  return(p_krb5_auth_con_setrcache(con,acon,rcache));
738         else
739                  return KRB5KRB_ERR_GENERIC;
740         }
741
742 krb5_error_code
743 kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data,
744                             krb5_rcache * rcache) 
745         {
746         if ( p_krb5_get_server_rcache )
747                 return(p_krb5_get_server_rcache(con,data,rcache));
748         else
749                 return KRB5KRB_ERR_GENERIC;
750         }
751
752 krb5_error_code
753 kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon,
754                              krb5_rcache * prcache)
755         {
756         if ( p_krb5_auth_con_getrcache )
757                 return(p_krb5_auth_con_getrcache(con,acon, prcache));
758         else
759                 return KRB5KRB_ERR_GENERIC;
760         }
761  
762 krb5_error_code
763 kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab)
764         {
765         if ( p_krb5_kt_close )
766                 return(p_krb5_kt_close(context,keytab));
767         else 
768                 return KRB5KRB_ERR_GENERIC;
769         }
770
771 krb5_error_code
772 kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
773                        krb5_const_principal principal, krb5_kvno vno,
774                        krb5_enctype enctype, krb5_keytab_entry *entry)
775         {
776         if ( p_krb5_kt_get_entry )
777                 return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry));
778         else
779                 return KRB5KRB_ERR_GENERIC;
780         }
781 #endif  /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */
782
783
784 /* memory allocation functions for non-temporary storage
785  * (e.g. stuff that gets saved into the kssl context) */
786 static void* kssl_calloc(size_t nmemb, size_t size)
787 {
788         void* p;
789         
790         p=OPENSSL_malloc(nmemb*size);
791         if (p){
792                 memset(p, 0, nmemb*size);
793         }
794         return p;
795 }
796
797 #define kssl_malloc(size) OPENSSL_malloc((size))
798 #define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size)
799 #define kssl_free(ptr) OPENSSL_free((ptr))
800
801
802 char
803 *kstring(char *string)
804         {
805         static char     *null = "[NULL]";
806
807         return ((string == NULL)? null: string);
808         }
809
810 /*      Given KRB5 enctype (basically DES or 3DES),
811 **      return closest match openssl EVP_ encryption algorithm.
812 **      Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
813 **      Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
814 */
815 const EVP_CIPHER *
816 kssl_map_enc(krb5_enctype enctype)
817         {
818         switch (enctype)
819                 {
820         case ENCTYPE_DES_HMAC_SHA1:             /*    EVP_des_cbc();       */
821         case ENCTYPE_DES_CBC_CRC:
822         case ENCTYPE_DES_CBC_MD4:
823         case ENCTYPE_DES_CBC_MD5:
824         case ENCTYPE_DES_CBC_RAW:
825                                 return EVP_des_cbc();
826                                 break;
827         case ENCTYPE_DES3_CBC_SHA1:             /*    EVP_des_ede3_cbc();  */
828         case ENCTYPE_DES3_CBC_SHA:
829         case ENCTYPE_DES3_CBC_RAW:
830                                 return EVP_des_ede3_cbc();
831                                 break;
832         default:                return NULL;
833                                 break;
834                 }
835         }
836
837
838 /*      Return true:1 if p "looks like" the start of the real authenticator
839 **      described in kssl_skip_confound() below.  The ASN.1 pattern is
840 **      "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
841 **      xx and yy are possibly multi-byte length fields.
842 */
843 static int      kssl_test_confound(unsigned char *p)
844         {
845         int     len = 2;
846         int     xx = 0, yy = 0;
847
848         if (*p++ != 0x62)  return 0;
849         if (*p > 0x82)  return 0;
850         switch(*p)  {
851                 case 0x82:  p++;          xx = (*p++ << 8);  xx += *p++;  break;
852                 case 0x81:  p++;          xx =  *p++;  break;
853                 case 0x80:  return 0;
854                 default:    xx = *p++;  break;
855                 }
856         if (*p++ != 0x30)  return 0;
857         if (*p > 0x82)  return 0;
858         switch(*p)  {
859                 case 0x82:  p++; len+=2;  yy = (*p++ << 8);  yy += *p++;  break;
860                 case 0x81:  p++; len++;   yy =  *p++;  break;
861                 case 0x80:  return 0;
862                 default:    yy = *p++;  break;
863                 }
864
865         return (xx - len == yy)? 1: 0;
866         }
867
868 /*      Allocate, fill, and return cksumlens array of checksum lengths.
869 **      This array holds just the unique elements from the krb5_cksumarray[].
870 **      array[n] == 0 signals end of data.
871 **
872 **      The krb5_cksumarray[] was an internal variable that has since been
873 **      replaced by a more general method for storing the data.  It should
874 **      not be used.  Instead we use real API calls and make a guess for 
875 **      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
876 **      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
877 */
878 static size_t  *populate_cksumlens(void)
879         {
880         int             i, j, n;
881         static size_t   *cklens = NULL;
882
883 #ifdef KRB5_MIT_OLD11
884         n = krb5_max_cksum;
885 #else
886         n = 0x0010;
887 #endif  /* KRB5_MIT_OLD11 */
888  
889 #ifdef KRB5CHECKAUTH
890         if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1)))  return NULL;
891
892         for (i=0; i < n; i++)  {
893                 if (!valid_cksumtype(i))  continue;     /*  array has holes  */
894                 for (j=0; j < n; j++)  {
895                         if (cklens[j] == 0)  {
896                                 cklens[j] = krb5_checksum_size(NULL,i);
897                                 break;          /*  krb5 elem was new: add   */
898                                 }
899                         if (cklens[j] == krb5_checksum_size(NULL,i))  {
900                                 break;          /*  ignore duplicate elements */
901                                 }
902                         }
903                 }
904 #endif  /* KRB5CHECKAUTH */
905
906         return cklens;
907         }
908
909 /*      Return pointer to start of real authenticator within authenticator, or
910 **      return NULL on error.
911 **      Decrypted authenticator looks like this:
912 **              [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
913 **      This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
914 **      krb5_auth_con_getcksumtype() function advertised in its krb5.h.
915 */
916 unsigned char   *kssl_skip_confound(krb5_enctype etype, unsigned char *a)
917         {
918         int             i, conlen;
919         size_t          cklen;
920         static size_t   *cksumlens = NULL;
921         unsigned char   *test_auth;
922
923         conlen = (etype)? 8: 0;
924
925         if (!cksumlens  &&  !(cksumlens = populate_cksumlens()))  return NULL;
926         for (i=0; (cklen = cksumlens[i]) != 0; i++)
927                 {
928                 test_auth = a + conlen + cklen;
929                 if (kssl_test_confound(test_auth))  return test_auth;
930                 }
931
932         return NULL;
933         }
934
935
936 /*      Set kssl_err error info when reason text is a simple string
937 **              kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
938 */
939 void
940 kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
941         {
942         if (kssl_err == NULL)  return;
943
944         kssl_err->reason = reason;
945         BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text);
946         return;
947         }
948
949
950 /*      Display contents of krb5_data struct, for debugging
951 */
952 void
953 print_krb5_data(char *label, krb5_data *kdata)
954         {
955         int i;
956
957         printf("%s[%d] ", label, kdata->length);
958         for (i=0; i < (int)kdata->length; i++)
959                 {
960                 if (0 &&  isprint((int) kdata->data[i]))
961                         printf( "%c ",  kdata->data[i]);
962                 else
963                         printf( "%02x ", (unsigned char) kdata->data[i]);
964                 }
965         printf("\n");
966         }
967
968
969 /*      Display contents of krb5_authdata struct, for debugging
970 */
971 void
972 print_krb5_authdata(char *label, krb5_authdata **adata)
973         {
974         if (adata == NULL)
975                 {
976                 printf("%s, authdata==0\n", label);
977                 return;
978                 }
979         printf("%s [%p]\n", label, (void *)adata);
980 #if 0
981         {
982         int     i;
983         printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
984         for (i=0; i < adata->length; i++)
985                 {
986                 printf((isprint(adata->contents[i]))? "%c ": "%02x",
987                         adata->contents[i]);
988                 }
989         printf("\n");
990         }
991 #endif
992         }
993
994
995 /*      Display contents of krb5_keyblock struct, for debugging
996 */
997 void
998 print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
999         {
1000         int i;
1001
1002         if (keyblk == NULL)
1003                 {
1004                 printf("%s, keyblk==0\n", label);
1005                 return;
1006                 }
1007 #ifdef KRB5_HEIMDAL
1008         printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
1009                                            keyblk->keyvalue->length);
1010         for (i=0; i < (int)keyblk->keyvalue->length; i++)
1011                 {
1012                 printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
1013                 }
1014         printf("\n");
1015 #else
1016         printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
1017         for (i=0; i < (int)keyblk->length; i++)
1018                 {
1019                 printf("%02x",keyblk->contents[i]);
1020                 }
1021         printf("\n");
1022 #endif
1023         }
1024
1025
1026 /*      Display contents of krb5_principal_data struct, for debugging
1027 **      (krb5_principal is typedef'd == krb5_principal_data *)
1028 */
1029 static void
1030 print_krb5_princ(char *label, krb5_principal_data *princ)
1031         {
1032         int i, ui, uj;
1033
1034         printf("%s principal Realm: ", label);
1035         if (princ == NULL)  return;
1036         for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
1037         printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
1038         for (i=0; i < (int)princ->length; i++)
1039                 {
1040                 printf("\t%d [%d]: ", i, princ->data[i].length);
1041                 for (uj=0; uj < (int)princ->data[i].length; uj++)  {
1042                         putchar(princ->data[i].data[uj]);
1043                         }
1044                 printf("\n");
1045                 }
1046         return;
1047         }
1048
1049
1050 /*      Given krb5 service (typically "kssl") and hostname in kssl_ctx,
1051 **      Return encrypted Kerberos ticket for service @ hostname.
1052 **      If authenp is non-NULL, also return encrypted authenticator,
1053 **      whose data should be freed by caller.
1054 **      (Originally was: Create Kerberos AP_REQ message for SSL Client.)
1055 **
1056 **      19990628        VRS     Started; Returns Kerberos AP_REQ message.
1057 **      20010409        VRS     Modified for RFC2712; Returns enc tkt.
1058 **      20010606        VRS     May also return optional authenticator.
1059 */
1060 krb5_error_code
1061 kssl_cget_tkt(  /* UPDATE */    KSSL_CTX *kssl_ctx,
1062                 /* OUT    */    krb5_data **enc_ticketp,
1063                 /* UPDATE */    krb5_data *authenp,
1064                 /* OUT    */    KSSL_ERR *kssl_err)
1065         {
1066         krb5_error_code         krb5rc = KRB5KRB_ERR_GENERIC;
1067         krb5_context            krb5context = NULL;
1068         krb5_auth_context       krb5auth_context = NULL;
1069         krb5_ccache             krb5ccdef = NULL;
1070         krb5_creds              krb5creds, *krb5credsp = NULL;
1071         krb5_data               krb5_app_req;
1072
1073         kssl_err_set(kssl_err, 0, "");
1074         memset((char *)&krb5creds, 0, sizeof(krb5creds));
1075
1076         if (!kssl_ctx)
1077                 {
1078                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1079                         "No kssl_ctx defined.\n");
1080                 goto err;
1081                 }
1082         else if (!kssl_ctx->service_host)
1083                 {
1084                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1085                         "kssl_ctx service_host undefined.\n");
1086                 goto err;
1087                 }
1088
1089         if ((krb5rc = krb5_init_context(&krb5context)) != 0)
1090                 {
1091                 BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
1092                         "krb5_init_context() fails: %d\n", krb5rc);
1093                 kssl_err->reason = SSL_R_KRB5_C_INIT;
1094                 goto err;
1095                 }
1096
1097         if ((krb5rc = krb5_sname_to_principal(krb5context,
1098                 kssl_ctx->service_host,
1099                 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
1100                 KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
1101                 {
1102                 BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
1103                         "krb5_sname_to_principal() fails for %s/%s\n",
1104                         kssl_ctx->service_host,
1105                         (kssl_ctx->service_name)? kssl_ctx->service_name:
1106                                                   KRB5SVC);
1107                 kssl_err->reason = SSL_R_KRB5_C_INIT;
1108                 goto err;
1109                 }
1110
1111         if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
1112                 {
1113                 kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
1114                         "krb5_cc_default fails.\n");
1115                 goto err;
1116                 }
1117
1118         if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
1119                 &krb5creds.client)) != 0)
1120                 {
1121                 kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
1122                         "krb5_cc_get_principal() fails.\n");
1123                 goto err;
1124                 }
1125
1126         if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
1127                 &krb5creds, &krb5credsp)) != 0)
1128                 {
1129                 kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED,
1130                         "krb5_get_credentials() fails.\n");
1131                 goto err;
1132                 }
1133
1134         *enc_ticketp = &krb5credsp->ticket;
1135 #ifdef KRB5_HEIMDAL
1136         kssl_ctx->enctype = krb5credsp->session.keytype;
1137 #else
1138         kssl_ctx->enctype = krb5credsp->keyblock.enctype;
1139 #endif
1140
1141         krb5rc = KRB5KRB_ERR_GENERIC;
1142         /*      caller should free data of krb5_app_req  */
1143         /*  20010406 VRS deleted for real KerberosWrapper
1144         **  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
1145         */
1146         krb5_app_req.length = 0;
1147         if (authenp)
1148                 {
1149                 krb5_data       krb5in_data;
1150                 const unsigned char     *p;
1151                 long            arlen;
1152                 KRB5_APREQBODY  *ap_req;
1153
1154                 authenp->length = 0;
1155                 krb5in_data.data = NULL;
1156                 krb5in_data.length = 0;
1157                 if ((krb5rc = krb5_mk_req_extended(krb5context,
1158                         &krb5auth_context, 0, &krb5in_data, krb5credsp,
1159                         &krb5_app_req)) != 0)
1160                         {
1161                         kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ,
1162                                 "krb5_mk_req_extended() fails.\n");
1163                         goto err;
1164                         }
1165
1166                 arlen = krb5_app_req.length;
1167                 p = (unsigned char *)krb5_app_req.data;
1168                 ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen);
1169                 if (ap_req)
1170                         {
1171                         authenp->length = i2d_KRB5_ENCDATA(
1172                                         ap_req->authenticator, NULL);
1173                         if (authenp->length  && 
1174                                 (authenp->data = malloc(authenp->length)))
1175                                 {
1176                                 unsigned char   *adp = (unsigned char *)authenp->data;
1177                                 authenp->length = i2d_KRB5_ENCDATA(
1178                                                 ap_req->authenticator, &adp);
1179                                 }
1180                         }
1181
1182                 if (ap_req)  KRB5_APREQ_free((KRB5_APREQ *) ap_req);
1183                 if (krb5_app_req.length)  
1184                         kssl_krb5_free_data_contents(krb5context,&krb5_app_req);
1185                 }
1186 #ifdef KRB5_HEIMDAL
1187         if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session))
1188                 {
1189                 kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
1190                         "kssl_ctx_setkey() fails.\n");
1191                 }
1192 #else
1193         if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock))
1194                 {
1195                 kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
1196                         "kssl_ctx_setkey() fails.\n");
1197                 }
1198 #endif
1199         else    krb5rc = 0;
1200
1201  err:
1202 #ifdef KSSL_DEBUG
1203         kssl_ctx_show(kssl_ctx);
1204 #endif  /* KSSL_DEBUG */
1205
1206         if (krb5creds.client)   krb5_free_principal(krb5context,
1207                                                         krb5creds.client);
1208         if (krb5creds.server)   krb5_free_principal(krb5context,
1209                                                         krb5creds.server);
1210         if (krb5auth_context)   krb5_auth_con_free(krb5context,
1211                                                         krb5auth_context);
1212         if (krb5context)        krb5_free_context(krb5context);
1213         return (krb5rc);
1214         }
1215
1216
1217 /*  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
1218 **  Return Kerberos error code and kssl_err struct on error.
1219 **  Allocates krb5_ticket and krb5_principal; caller should free these.
1220 **
1221 **      20010410        VRS     Implemented krb5_decode_ticket() as
1222 **                              old_krb5_decode_ticket(). Missing from MIT1.0.6.
1223 **      20010615        VRS     Re-cast as openssl/asn1 d2i_*() functions.
1224 **                              Re-used some of the old krb5_decode_ticket()
1225 **                              code here.  This tkt should alloc/free just
1226 **                              like the real thing.
1227 */
1228 static krb5_error_code
1229 kssl_TKT2tkt(   /* IN     */    krb5_context    krb5context,
1230                 /* IN     */    KRB5_TKTBODY    *asn1ticket,
1231                 /* OUT    */    krb5_ticket     **krb5ticket,
1232                 /* OUT    */    KSSL_ERR *kssl_err  )
1233         {
1234         krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
1235         krb5_ticket                     *new5ticket = NULL;
1236         ASN1_GENERALSTRING              *gstr_svc, *gstr_host;
1237
1238         *krb5ticket = NULL;
1239
1240         if (asn1ticket == NULL  ||  asn1ticket->realm == NULL  ||
1241                 asn1ticket->sname == NULL  || 
1242                 sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2)
1243                 {
1244                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1245                         "Null field in asn1ticket.\n");
1246                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1247                 return KRB5KRB_ERR_GENERIC;
1248                 }
1249
1250         if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL)
1251                 {
1252                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1253                         "Unable to allocate new krb5_ticket.\n");
1254                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1255                 return ENOMEM;          /*  or  KRB5KRB_ERR_GENERIC;    */
1256                 }
1257
1258         gstr_svc  = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
1259         gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1);
1260
1261         if ((krb5rc = kssl_build_principal_2(krb5context,
1262                         &new5ticket->server,
1263                         asn1ticket->realm->length, (char *)asn1ticket->realm->data,
1264                         gstr_svc->length,  (char *)gstr_svc->data,
1265                         gstr_host->length, (char *)gstr_host->data)) != 0)
1266                 {
1267                 free(new5ticket);
1268                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1269                         "Error building ticket server principal.\n");
1270                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1271                 return krb5rc;          /*  or  KRB5KRB_ERR_GENERIC;    */
1272                 }
1273
1274         krb5_princ_type(krb5context, new5ticket->server) =
1275                         asn1ticket->sname->nametype->data[0];
1276         new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0];
1277         new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0];
1278         new5ticket->enc_part.ciphertext.length =
1279                         asn1ticket->encdata->cipher->length;
1280         if ((new5ticket->enc_part.ciphertext.data =
1281                 calloc(1, asn1ticket->encdata->cipher->length)) == NULL)
1282                 {
1283                 free(new5ticket);
1284                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1285                         "Error allocating cipher in krb5ticket.\n");
1286                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1287                 return KRB5KRB_ERR_GENERIC;
1288                 }
1289         else
1290                 {
1291                 memcpy(new5ticket->enc_part.ciphertext.data,
1292                         asn1ticket->encdata->cipher->data,
1293                         asn1ticket->encdata->cipher->length);
1294                 }
1295
1296         *krb5ticket = new5ticket;
1297         return 0;
1298         }
1299
1300
1301 /*      Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
1302 **              and krb5 AP_REQ message & message length,
1303 **      Return Kerberos session key and client principle
1304 **              to SSL Server in KSSL_CTX *kssl_ctx.
1305 **
1306 **      19990702        VRS     Started.
1307 */
1308 krb5_error_code
1309 kssl_sget_tkt(  /* UPDATE */    KSSL_CTX                *kssl_ctx,
1310                 /* IN     */    krb5_data               *indata,
1311                 /* OUT    */    krb5_ticket_times       *ttimes,
1312                 /* OUT    */    KSSL_ERR                *kssl_err  )
1313         {
1314         krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
1315         static krb5_context             krb5context = NULL;
1316         static krb5_auth_context        krb5auth_context = NULL;
1317         krb5_ticket                     *krb5ticket = NULL;
1318         KRB5_TKTBODY                    *asn1ticket = NULL;
1319         const unsigned char             *p;
1320         krb5_keytab                     krb5keytab = NULL;
1321         krb5_keytab_entry               kt_entry;
1322         krb5_principal                  krb5server;
1323         krb5_rcache                     rcache = NULL;
1324
1325         kssl_err_set(kssl_err, 0, "");
1326
1327         if (!kssl_ctx)
1328                 {
1329                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1330                         "No kssl_ctx defined.\n");
1331                 goto err;
1332                 }
1333
1334 #ifdef KSSL_DEBUG
1335         printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
1336 #endif  /* KSSL_DEBUG */
1337
1338         if (!krb5context  &&  (krb5rc = krb5_init_context(&krb5context)))
1339                 {
1340                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1341                         "krb5_init_context() fails.\n");
1342                 goto err;
1343                 }
1344         if (krb5auth_context  &&
1345                 (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context)))
1346                 {
1347                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1348                         "krb5_auth_con_free() fails.\n");
1349                 goto err;
1350                 }
1351         else  krb5auth_context = NULL;
1352         if (!krb5auth_context  &&
1353                 (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context)))
1354                 {
1355                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1356                         "krb5_auth_con_init() fails.\n");
1357                 goto err;
1358                 }
1359
1360  
1361         if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context,
1362                 &rcache)))
1363                 {
1364                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1365                         "krb5_auth_con_getrcache() fails.\n");
1366                 goto err;
1367                 }
1368  
1369         if ((krb5rc = krb5_sname_to_principal(krb5context, NULL,
1370                 (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
1371                 KRB5_NT_SRV_HST, &krb5server)) != 0)
1372                 {
1373                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1374                         "krb5_sname_to_principal() fails.\n");
1375                 goto err;
1376                 }
1377
1378         if (rcache == NULL) 
1379                 {
1380                 if ((krb5rc = krb5_get_server_rcache(krb5context,
1381                         krb5_princ_component(krb5context, krb5server, 0),
1382                         &rcache)))
1383                         {
1384                         kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1385                                 "krb5_get_server_rcache() fails.\n");
1386                         goto err;
1387                         }
1388                 }
1389
1390         if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache)))
1391                 {
1392                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1393                         "krb5_auth_con_setrcache() fails.\n");
1394                 goto err;
1395                 }
1396
1397
1398         /*      kssl_ctx->keytab_file == NULL ==> use Kerberos default
1399         */
1400         if (kssl_ctx->keytab_file)
1401                 {
1402                 krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
1403                         &krb5keytab);
1404                 if (krb5rc)
1405                         {
1406                         kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
1407                                 "krb5_kt_resolve() fails.\n");
1408                         goto err;
1409                         }
1410                 }
1411         else
1412                 {
1413                 krb5rc = krb5_kt_default(krb5context,&krb5keytab);
1414                 if (krb5rc)
1415                         {
1416                         kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, 
1417                                 "krb5_kt_default() fails.\n");
1418                         goto err;
1419                         }
1420                 }
1421
1422         /*      Actual Kerberos5 krb5_recvauth() has initial conversation here
1423         **      o       check KRB5_SENDAUTH_BADAUTHVERS
1424         **              unless KRB5_RECVAUTH_SKIP_VERSION
1425         **      o       check KRB5_SENDAUTH_BADAPPLVERS
1426         **      o       send "0" msg if all OK
1427         */
1428
1429         /*  20010411 was using AP_REQ instead of true KerberosWrapper
1430         **
1431         **  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
1432         **                      &krb5in_data, krb5server, krb5keytab,
1433         **                      &ap_option, &krb5ticket)) != 0)  { Error }
1434         */
1435
1436         p = (unsigned char *)indata->data;
1437         if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
1438                                                 (long) indata->length)) == NULL)
1439                 {
1440                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1441                         "d2i_KRB5_TICKET() ASN.1 decode failure.\n");
1442                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1443                 goto err;
1444                 }
1445         
1446         /* Was:  krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */
1447         if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket,
1448                                         kssl_err)) != 0)
1449                 {
1450                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1451                         "Error converting ASN.1 ticket to krb5_ticket.\n");
1452                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1453                 goto err;
1454                 }
1455
1456         if (! krb5_principal_compare(krb5context, krb5server,
1457                                                   krb5ticket->server))  {
1458                 krb5rc = KRB5_PRINC_NOMATCH;
1459                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1460                         "server principal != ticket principal\n");
1461                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1462                 goto err;
1463                 }
1464         if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
1465                         krb5ticket->server, krb5ticket->enc_part.kvno,
1466                         krb5ticket->enc_part.enctype, &kt_entry)) != 0)  {
1467                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1468                         "krb5_kt_get_entry() fails with %x.\n", krb5rc);
1469                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1470                 goto err;
1471                 }
1472         if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key,
1473                         krb5ticket)) != 0)  {
1474                 BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
1475                         "krb5_decrypt_tkt_part() failed.\n");
1476                 kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
1477                 goto err;
1478                 }
1479         else  {
1480                 krb5_kt_free_entry(krb5context, &kt_entry);
1481 #ifdef KSSL_DEBUG
1482                 {
1483                 int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
1484                 printf("Decrypted ticket fields:\n");
1485                 printf("\tflags: %X, transit-type: %X",
1486                         krb5ticket->enc_part2->flags,
1487                         krb5ticket->enc_part2->transited.tr_type);
1488                 print_krb5_data("\ttransit-data: ",
1489                         &(krb5ticket->enc_part2->transited.tr_contents));
1490                 printf("\tcaddrs: %p, authdata: %p\n",
1491                         krb5ticket->enc_part2->caddrs,
1492                         krb5ticket->enc_part2->authorization_data);
1493                 if (paddr)
1494                         {
1495                         printf("\tcaddrs:\n");
1496                         for (i=0; paddr[i] != NULL; i++)
1497                                 {
1498                                 krb5_data d;
1499                                 d.length=paddr[i]->length;
1500                                 d.data=paddr[i]->contents;
1501                                 print_krb5_data("\t\tIP: ", &d);
1502                                 }
1503                         }
1504                 printf("\tstart/auth/end times: %d / %d / %d\n",
1505                         krb5ticket->enc_part2->times.starttime,
1506                         krb5ticket->enc_part2->times.authtime,
1507                         krb5ticket->enc_part2->times.endtime);
1508                 }
1509 #endif  /* KSSL_DEBUG */
1510                 }
1511
1512         krb5rc = KRB5_NO_TKT_SUPPLIED;
1513         if (!krb5ticket  ||     !krb5ticket->enc_part2  ||
1514                 !krb5ticket->enc_part2->client  ||
1515                 !krb5ticket->enc_part2->client->data  ||
1516                 !krb5ticket->enc_part2->session)
1517                 {
1518                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
1519                         "bad ticket from krb5_rd_req.\n");
1520                 }
1521         else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
1522                  &krb5ticket->enc_part2->client->realm,
1523                  krb5ticket->enc_part2->client->data,
1524                  krb5ticket->enc_part2->client->length))
1525                 {
1526                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
1527                         "kssl_ctx_setprinc() fails.\n");
1528                 }
1529         else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session))
1530                 {
1531                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
1532                         "kssl_ctx_setkey() fails.\n");
1533                 }
1534         else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID)
1535                 {
1536                 krb5rc = KRB5KRB_AP_ERR_TKT_INVALID;
1537                 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
1538                         "invalid ticket from krb5_rd_req.\n");
1539                 }
1540         else    krb5rc = 0;
1541
1542         kssl_ctx->enctype       = krb5ticket->enc_part.enctype;
1543         ttimes->authtime        = krb5ticket->enc_part2->times.authtime;
1544         ttimes->starttime       = krb5ticket->enc_part2->times.starttime;
1545         ttimes->endtime         = krb5ticket->enc_part2->times.endtime;
1546         ttimes->renew_till      = krb5ticket->enc_part2->times.renew_till;
1547
1548  err:
1549 #ifdef KSSL_DEBUG
1550         kssl_ctx_show(kssl_ctx);
1551 #endif  /* KSSL_DEBUG */
1552
1553         if (asn1ticket)         KRB5_TICKET_free((KRB5_TICKET *) asn1ticket);
1554         if (krb5keytab)         krb5_kt_close(krb5context, krb5keytab);
1555         if (krb5ticket)         krb5_free_ticket(krb5context, krb5ticket);
1556         if (krb5server)         krb5_free_principal(krb5context, krb5server);
1557         return (krb5rc);
1558         }
1559
1560
1561 /*      Allocate & return a new kssl_ctx struct.
1562 */
1563 KSSL_CTX        *
1564 kssl_ctx_new(void)
1565         {
1566         return ((KSSL_CTX *) kssl_calloc(1, sizeof(KSSL_CTX)));
1567         }
1568
1569
1570 /*      Frees a kssl_ctx struct and any allocated memory it holds.
1571 **      Returns NULL.
1572 */
1573 KSSL_CTX        *
1574 kssl_ctx_free(KSSL_CTX *kssl_ctx)
1575         {
1576         if (kssl_ctx == NULL)  return kssl_ctx;
1577
1578         if (kssl_ctx->key)              OPENSSL_cleanse(kssl_ctx->key,
1579                                                               kssl_ctx->length);
1580         if (kssl_ctx->key)              kssl_free(kssl_ctx->key);
1581         if (kssl_ctx->client_princ)     kssl_free(kssl_ctx->client_princ);
1582         if (kssl_ctx->service_host)     kssl_free(kssl_ctx->service_host);
1583         if (kssl_ctx->service_name)     kssl_free(kssl_ctx->service_name);
1584         if (kssl_ctx->keytab_file)      kssl_free(kssl_ctx->keytab_file);
1585
1586         kssl_free(kssl_ctx);
1587         return (KSSL_CTX *) NULL;
1588         }
1589
1590
1591 /*      Given an array of (krb5_data *) entity (and optional realm),
1592 **      set the plain (char *) client_princ or service_host member
1593 **      of the kssl_ctx struct.
1594 */
1595 krb5_error_code
1596 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
1597         krb5_data *realm, krb5_data *entity, int nentities)
1598         {
1599         char    **princ;
1600         int     length;
1601         int i;
1602
1603         if (kssl_ctx == NULL  ||  entity == NULL)  return KSSL_CTX_ERR;
1604
1605         switch (which)
1606                 {
1607         case KSSL_CLIENT:       princ = &kssl_ctx->client_princ;        break;
1608         case KSSL_SERVER:       princ = &kssl_ctx->service_host;        break;
1609         default:                return KSSL_CTX_ERR;                    break;
1610                 }
1611         if (*princ)  kssl_free(*princ);
1612
1613         /* Add up all the entity->lengths */
1614         length = 0;
1615         for (i=0; i < nentities; i++)
1616                 {
1617                 length += entity[i].length;
1618                 }
1619         /* Add in space for the '/' character(s) (if any) */
1620         length += nentities-1;
1621         /* Space for the ('@'+realm+NULL | NULL) */
1622         length += ((realm)? realm->length + 2: 1);
1623
1624         if ((*princ = kssl_calloc(1, length)) == NULL)
1625                 return KSSL_CTX_ERR;
1626         else
1627                 {
1628                 for (i = 0; i < nentities; i++)
1629                         {
1630                         strncat(*princ, entity[i].data, entity[i].length);
1631                         if (i < nentities-1)
1632                                 {
1633                                 strcat (*princ, "/");
1634                                 }
1635                         }
1636                 if (realm)
1637                         {
1638                         strcat (*princ, "@");
1639                         (void) strncat(*princ, realm->data, realm->length);
1640                         }
1641                 }
1642
1643         return KSSL_CTX_OK;
1644         }
1645
1646
1647 /*      Set one of the plain (char *) string members of the kssl_ctx struct.
1648 **      Default values should be:
1649 **              which == KSSL_SERVICE   =>      "khost" (KRB5SVC)
1650 **              which == KSSL_KEYTAB    =>      "/etc/krb5.keytab" (KRB5KEYTAB)
1651 */
1652 krb5_error_code
1653 kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
1654         {
1655         char    **string;
1656
1657         if (!kssl_ctx)  return KSSL_CTX_ERR;
1658
1659         switch (which)
1660                 {
1661         case KSSL_SERVICE:      string = &kssl_ctx->service_name;       break;
1662         case KSSL_SERVER:       string = &kssl_ctx->service_host;       break;
1663         case KSSL_CLIENT:       string = &kssl_ctx->client_princ;       break;
1664         case KSSL_KEYTAB:       string = &kssl_ctx->keytab_file;        break;
1665         default:                return KSSL_CTX_ERR;                    break;
1666                 }
1667         if (*string)  kssl_free(*string);
1668
1669         if (!text)
1670                 {
1671                 *string = '\0';
1672                 return KSSL_CTX_OK;
1673                 }
1674
1675         if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL)
1676                 return KSSL_CTX_ERR;
1677         else
1678                 strcpy(*string, text);
1679
1680         return KSSL_CTX_OK;
1681         }
1682
1683
1684 /*      Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
1685 **      struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
1686 */
1687 krb5_error_code
1688 kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
1689         {
1690         int             length;
1691         krb5_enctype    enctype;
1692         krb5_octet FAR  *contents = NULL;
1693
1694         if (!kssl_ctx)  return KSSL_CTX_ERR;
1695
1696         if (kssl_ctx->key)
1697                 {
1698                 OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
1699                 kssl_free(kssl_ctx->key);
1700                 }
1701
1702         if (session)
1703                 {
1704
1705 #ifdef KRB5_HEIMDAL
1706                 length = session->keyvalue->length;
1707                 enctype = session->keytype;
1708                 contents = session->keyvalue->contents;
1709 #else
1710                 length = session->length;
1711                 enctype = session->enctype;
1712                 contents = session->contents;
1713 #endif
1714                 kssl_ctx->enctype = enctype;
1715                 kssl_ctx->length  = length;
1716                 }
1717         else
1718                 {
1719                 kssl_ctx->enctype = ENCTYPE_UNKNOWN;
1720                 kssl_ctx->length  = 0;
1721                 return KSSL_CTX_OK;
1722                 }
1723
1724         if ((kssl_ctx->key =
1725                 (krb5_octet FAR *) kssl_calloc(1, kssl_ctx->length)) == NULL)
1726                 {
1727                 kssl_ctx->length  = 0;
1728                 return KSSL_CTX_ERR;
1729                 }
1730         else
1731                 memcpy(kssl_ctx->key, contents, length);
1732
1733         return KSSL_CTX_OK;
1734         }
1735
1736
1737 /*      Display contents of kssl_ctx struct
1738 */
1739 void
1740 kssl_ctx_show(KSSL_CTX *kssl_ctx)
1741         {
1742         int     i;
1743
1744         printf("kssl_ctx: ");
1745         if (kssl_ctx == NULL)
1746                 {
1747                 printf("NULL\n");
1748                 return;
1749                 }
1750         else
1751                 printf("%p\n", (void *)kssl_ctx);
1752
1753         printf("\tservice:\t%s\n",
1754                 (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
1755         printf("\tclient:\t%s\n",
1756                 (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL");
1757         printf("\tserver:\t%s\n",
1758                 (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL");
1759         printf("\tkeytab:\t%s\n",
1760                 (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL");
1761         printf("\tkey [%d:%d]:\t",
1762                 kssl_ctx->enctype, kssl_ctx->length);
1763
1764         for (i=0; i < kssl_ctx->length  &&  kssl_ctx->key; i++)
1765                 {
1766                 printf("%02x", kssl_ctx->key[i]);
1767                 }
1768         printf("\n");
1769         return;
1770         }
1771
1772     int 
1773     kssl_keytab_is_available(KSSL_CTX *kssl_ctx)
1774 {
1775     krb5_context                krb5context = NULL;
1776     krb5_keytab                 krb5keytab = NULL;
1777     krb5_keytab_entry           entry;
1778     krb5_principal              princ = NULL;
1779     krb5_error_code             krb5rc = KRB5KRB_ERR_GENERIC;
1780     int rc = 0;
1781
1782     if ((krb5rc = krb5_init_context(&krb5context)))
1783         return(0);
1784
1785     /*  kssl_ctx->keytab_file == NULL ==> use Kerberos default
1786     */
1787     if (kssl_ctx->keytab_file)
1788     {
1789         krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
1790                                   &krb5keytab);
1791         if (krb5rc)
1792             goto exit;
1793     }
1794     else
1795     {
1796         krb5rc = krb5_kt_default(krb5context,&krb5keytab);
1797         if (krb5rc)
1798             goto exit;
1799     }
1800
1801     /* the host key we are looking for */
1802     krb5rc = krb5_sname_to_principal(krb5context, NULL, 
1803                                      kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
1804                                      KRB5_NT_SRV_HST, &princ);
1805
1806     if (krb5rc)
1807         goto exit;
1808
1809     krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 
1810                                 princ,
1811                                 0 /* IGNORE_VNO */,
1812                                 0 /* IGNORE_ENCTYPE */,
1813                                 &entry);
1814     if ( krb5rc == KRB5_KT_NOTFOUND ) {
1815         rc = 1;
1816         goto exit;
1817     } else if ( krb5rc )
1818         goto exit;
1819     
1820     krb5_kt_free_entry(krb5context, &entry);
1821     rc = 1;
1822
1823   exit:
1824     if (krb5keytab)     krb5_kt_close(krb5context, krb5keytab);
1825     if (princ)          krb5_free_principal(krb5context, princ);
1826     if (krb5context)    krb5_free_context(krb5context);
1827     return(rc);
1828 }
1829
1830 int 
1831 kssl_tgt_is_available(KSSL_CTX *kssl_ctx)
1832         {
1833         krb5_error_code         krb5rc = KRB5KRB_ERR_GENERIC;
1834         krb5_context            krb5context = NULL;
1835         krb5_ccache             krb5ccdef = NULL;
1836         krb5_creds              krb5creds, *krb5credsp = NULL;
1837         int                     rc = 0;
1838
1839         memset((char *)&krb5creds, 0, sizeof(krb5creds));
1840
1841         if (!kssl_ctx)
1842             return(0);
1843
1844         if (!kssl_ctx->service_host)
1845             return(0);
1846
1847         if ((krb5rc = krb5_init_context(&krb5context)) != 0)
1848             goto err;
1849
1850         if ((krb5rc = krb5_sname_to_principal(krb5context,
1851                                               kssl_ctx->service_host,
1852                                               (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
1853                                               KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
1854             goto err;
1855
1856         if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
1857             goto err;
1858
1859         if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
1860                                              &krb5creds.client)) != 0)
1861             goto err;
1862
1863         if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
1864                                             &krb5creds, &krb5credsp)) != 0)
1865             goto err;
1866
1867         rc = 1;
1868
1869       err:
1870 #ifdef KSSL_DEBUG
1871         kssl_ctx_show(kssl_ctx);
1872 #endif  /* KSSL_DEBUG */
1873
1874         if (krb5creds.client)   krb5_free_principal(krb5context, krb5creds.client);
1875         if (krb5creds.server)   krb5_free_principal(krb5context, krb5creds.server);
1876         if (krb5context)        krb5_free_context(krb5context);
1877         return(rc);
1878         }
1879
1880 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32)
1881 void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
1882         {
1883 #ifdef KRB5_HEIMDAL
1884         data->length = 0;
1885         if (data->data)
1886             free(data->data);
1887 #elif defined(KRB5_MIT_OLD11)
1888         if (data->data)  {
1889                 krb5_xfree(data->data);
1890                 data->data = 0;
1891                 }
1892 #else
1893         krb5_free_data_contents(NULL, data);
1894 #endif
1895         }
1896 #endif /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */
1897
1898
1899 /*  Given pointers to KerberosTime and struct tm structs, convert the
1900 **  KerberosTime string to struct tm.  Note that KerberosTime is a
1901 **  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
1902 **  seconds as defined in RFC 1510.
1903 **  Return pointer to the (partially) filled in struct tm on success,
1904 **  return NULL on failure.
1905 */
1906 static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
1907         {
1908         char            c, *p;
1909
1910         if (!k_tm)  return NULL;
1911         if (gtime == NULL  ||  gtime->length < 14)  return NULL;
1912         if (gtime->data == NULL)  return NULL;
1913
1914         p = (char *)&gtime->data[14];
1915
1916         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_sec  = atoi(p);      *(p+2) = c;
1917         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_min  = atoi(p);      *(p+2) = c;
1918         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_hour = atoi(p);      *(p+2) = c;
1919         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_mday = atoi(p);      *(p+2) = c;
1920         c = *p;  *p = '\0';  p -= 2;  k_tm->tm_mon  = atoi(p)-1;    *(p+2) = c;
1921         c = *p;  *p = '\0';  p -= 4;  k_tm->tm_year = atoi(p)-1900; *(p+4) = c;
1922
1923         return k_tm;
1924         }
1925
1926
1927 /*  Helper function for kssl_validate_times().
1928 **  We need context->clockskew, but krb5_context is an opaque struct.
1929 **  So we try to sneek the clockskew out through the replay cache.
1930 **      If that fails just return a likely default (300 seconds).
1931 */
1932 static krb5_deltat get_rc_clockskew(krb5_context context)
1933         {
1934         krb5_rcache     rc;
1935         krb5_deltat     clockskew;
1936
1937         if (krb5_rc_default(context, &rc))  return KSSL_CLOCKSKEW;
1938         if (krb5_rc_initialize(context, rc, 0))  return KSSL_CLOCKSKEW;
1939         if (krb5_rc_get_lifespan(context, rc, &clockskew))  {
1940                 clockskew = KSSL_CLOCKSKEW;
1941                 }
1942         (void) krb5_rc_destroy(context, rc);
1943         return clockskew;
1944         }
1945
1946
1947 /*  kssl_validate_times() combines (and more importantly exposes)
1948 **  the MIT KRB5 internal function krb5_validate_times() and the
1949 **  in_clock_skew() macro.  The authenticator client time is checked
1950 **  to be within clockskew secs of the current time and the current
1951 **  time is checked to be within the ticket start and expire times.
1952 **  Either check may be omitted by supplying a NULL value.
1953 **  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
1954 **  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
1955 **  20010420 VRS
1956 */
1957 krb5_error_code  kssl_validate_times(   krb5_timestamp atime,
1958                                         krb5_ticket_times *ttimes)
1959         {
1960         krb5_deltat     skew;
1961         krb5_timestamp  start, now;
1962         krb5_error_code rc;
1963         krb5_context    context;
1964
1965         if ((rc = krb5_init_context(&context)))  return SSL_R_KRB5_S_BAD_TICKET;
1966         skew = get_rc_clockskew(context); 
1967         if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET;
1968         krb5_free_context(context);
1969
1970         if (atime  &&  labs(atime - now) >= skew)  return SSL_R_KRB5_S_TKT_SKEW;
1971
1972         if (! ttimes)  return 0;
1973
1974         start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime;
1975         if (start - now > skew)  return SSL_R_KRB5_S_TKT_NYV;
1976         if ((now - ttimes->endtime) > skew)  return SSL_R_KRB5_S_TKT_EXPIRED;
1977
1978 #ifdef KSSL_DEBUG
1979         printf("kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
1980                 start, atime, now, skew, ttimes->endtime);
1981 #endif  /* KSSL_DEBUG */
1982
1983         return 0;
1984         }
1985
1986
1987 /*  Decode and decrypt given DER-encoded authenticator, then pass
1988 **  authenticator ctime back in *atimep (or 0 if time unavailable).
1989 **  Returns krb5_error_code and kssl_err on error.  A NULL 
1990 **  authenticator (authentp->length == 0) is not considered an error.
1991 **  Note that kssl_check_authent() makes use of the KRB5 session key;
1992 **  you must call kssl_sget_tkt() to get the key before calling this routine.
1993 */
1994 krb5_error_code  kssl_check_authent(
1995                         /* IN     */    KSSL_CTX        *kssl_ctx,
1996                         /* IN     */    krb5_data       *authentp,
1997                         /* OUT    */    krb5_timestamp  *atimep,
1998                         /* OUT    */    KSSL_ERR        *kssl_err  )
1999         {
2000         krb5_error_code         krb5rc = 0;
2001         KRB5_ENCDATA            *dec_authent = NULL;
2002         KRB5_AUTHENTBODY        *auth = NULL;
2003         krb5_enctype            enctype;
2004         EVP_CIPHER_CTX          ciph_ctx;
2005         const EVP_CIPHER        *enc = NULL;
2006         unsigned char           iv[EVP_MAX_IV_LENGTH];
2007         const unsigned char     *p;
2008         unsigned char           *unenc_authent;
2009         int                     outl, unencbufsize;
2010         struct tm               tm_time, *tm_l, *tm_g;
2011         time_t                  now, tl, tg, tr, tz_offset;
2012
2013         EVP_CIPHER_CTX_init(&ciph_ctx);
2014         *atimep = 0;
2015         kssl_err_set(kssl_err, 0, "");
2016
2017 #ifndef KRB5CHECKAUTH
2018         authentp = NULL;
2019 #else
2020 #if     KRB5CHECKAUTH == 0
2021         authentp = NULL;
2022 #endif
2023 #endif  /* KRB5CHECKAUTH */
2024
2025         if (authentp == NULL  ||  authentp->length == 0)  return 0;
2026
2027 #ifdef KSSL_DEBUG
2028         {
2029         unsigned int ui;
2030         printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
2031         p = authentp->data; 
2032         for (ui=0; ui < authentp->length; ui++)  printf("%02x ",p[ui]);
2033         printf("\n");
2034         }
2035 #endif  /* KSSL_DEBUG */
2036
2037         unencbufsize = 2 * authentp->length;
2038         if ((unenc_authent = calloc(1, unencbufsize)) == NULL)
2039                 {
2040                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2041                         "Unable to allocate authenticator buffer.\n");
2042                 krb5rc = KRB5KRB_ERR_GENERIC;
2043                 goto err;
2044                 }
2045
2046         p = (unsigned char *)authentp->data;
2047         if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p,
2048                                         (long) authentp->length)) == NULL) 
2049                 {
2050                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2051                         "Error decoding authenticator.\n");
2052                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2053                 goto err;
2054                 }
2055
2056         enctype = dec_authent->etype->data[0];  /* should = kssl_ctx->enctype */
2057 #if !defined(KRB5_MIT_OLD11)
2058             switch ( enctype ) {
2059             case ENCTYPE_DES3_CBC_SHA1:         /*    EVP_des_ede3_cbc();  */
2060             case ENCTYPE_DES3_CBC_SHA:
2061             case ENCTYPE_DES3_CBC_RAW:
2062                 krb5rc = 0;                     /* Skip, can't handle derived keys */
2063                 goto err;
2064             }
2065 #endif
2066         enc = kssl_map_enc(enctype);
2067         memset(iv, 0, sizeof iv);       /* per RFC 1510 */
2068
2069         if (enc == NULL)
2070                 {
2071                 /*  Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
2072                 **  This enctype indicates the authenticator was encrypted
2073                 **  using key-usage derived keys which openssl cannot decrypt.
2074                 */
2075                 goto err;
2076                 }
2077
2078         if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0))
2079                 {
2080                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2081                         "EVP_CipherInit error decrypting authenticator.\n");
2082                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2083                 goto err;
2084                 }
2085         outl = dec_authent->cipher->length;
2086         if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl))
2087                 {
2088                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2089                         "EVP_Cipher error decrypting authenticator.\n");
2090                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2091                 goto err;
2092                 }
2093         EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2094
2095 #ifdef KSSL_DEBUG
2096         {
2097         int padl;
2098         printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
2099         for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]);
2100         printf("\n");
2101         }
2102 #endif  /* KSSL_DEBUG */
2103
2104         if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL)
2105                 {
2106                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2107                         "confounded by authenticator.\n");
2108                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2109                 goto err;
2110                 }
2111         outl -= p - unenc_authent;
2112
2113         if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p,
2114                                                           (long) outl))==NULL)
2115                 {
2116                 kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
2117                         "Error decoding authenticator body.\n");
2118                 krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
2119                 goto err;
2120                 }
2121
2122         memset(&tm_time,0,sizeof(struct tm));
2123         if (k_gmtime(auth->ctime, &tm_time)  &&
2124                 ((tr = mktime(&tm_time)) != (time_t)(-1)))
2125                 {
2126                 now  = time(&now);
2127                 tm_l = localtime(&now);         tl = mktime(tm_l);
2128                 tm_g = gmtime(&now);            tg = mktime(tm_g);
2129                 tz_offset = tg - tl;
2130
2131                 *atimep = (krb5_timestamp)(tr - tz_offset);
2132                 }
2133
2134 #ifdef KSSL_DEBUG
2135         printf("kssl_check_authent: returns %d for client time ", *atimep);
2136         if (auth && auth->ctime && auth->ctime->length && auth->ctime->data)
2137                 printf("%.*s\n", auth->ctime->length, auth->ctime->data);
2138         else    printf("NULL\n");
2139 #endif  /* KSSL_DEBUG */
2140
2141  err:
2142         if (auth)               KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
2143         if (dec_authent)        KRB5_ENCDATA_free(dec_authent);
2144         if (unenc_authent)      free(unenc_authent);
2145         EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2146         return krb5rc;
2147         }
2148
2149
2150 /*  Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
2151 **  because I dont't know how to stub varargs.
2152 **  Returns krb5_error_code == ENOMEM on alloc error, otherwise
2153 **  passes back newly constructed principal, which should be freed by caller.
2154 */
2155 krb5_error_code  kssl_build_principal_2(
2156                         /* UPDATE */    krb5_context    context,
2157                         /* OUT    */    krb5_principal  *princ,
2158                         /* IN     */    int rlen,  const char *realm,
2159                         /* IN     */    int slen,  const char *svc,
2160                         /* IN     */    int hlen,  const char *host)
2161         {
2162         krb5_data               *p_data = NULL;
2163         krb5_principal          new_p = NULL;
2164         char                    *new_r = NULL;
2165
2166         if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL  ||
2167             (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data)))
2168                         == NULL)  goto err;
2169         new_p->length = 2;
2170         new_p->data = p_data;
2171
2172         if ((new_r = calloc(1, rlen + 1)) == NULL)  goto err;
2173         memcpy(new_r, realm, rlen);
2174         krb5_princ_set_realm_length(context, new_p, rlen);
2175         krb5_princ_set_realm_data(context, new_p, new_r);
2176
2177         if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL)  goto err;
2178         memcpy(new_p->data[0].data, svc, slen);
2179         new_p->data[0].length = slen;
2180
2181         if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL)  goto err;
2182         memcpy(new_p->data[1].data, host, hlen);
2183         new_p->data[1].length = hlen;
2184         
2185         krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN;
2186         *princ = new_p;
2187         return 0;
2188
2189  err:
2190         if (new_p  &&  new_p[0].data)   free(new_p[0].data);
2191         if (new_p  &&  new_p[1].data)   free(new_p[1].data);
2192         if (new_p)      free(new_p);
2193         if (new_r)      free(new_r);
2194         return ENOMEM;
2195         }
2196
2197 void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx)
2198         {
2199         s->kssl_ctx = kctx;
2200         } 
2201
2202 KSSL_CTX * SSL_get0_kssl_ctx(SSL *s)
2203         {
2204         return s->kssl_ctx;
2205         }
2206
2207 char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx)
2208         {
2209         if (kctx)
2210                 return kctx->client_princ;
2211         return NULL;
2212         }
2213
2214 #else /* !OPENSSL_NO_KRB5 */
2215
2216 #if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS)
2217 static void *dummy=&dummy;
2218 #endif
2219
2220 #endif  /* !OPENSSL_NO_KRB5     */
2221