projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
When _XOPEN_SOURCE is defined, make sure it's defined to 500. Required in
[openssl.git] / ssl / kssl.c
diff --git a/ssl/kssl.c b/ssl/kssl.c
index 46f63d7f4f00589e9d14ad3a7c7012a7cdd256b0..b8192cdfc719d937d6baaa3035326be86cb67818 100644 (file)
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -67,16 +67,25 @@
 */
 
 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_KRB5
-#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
+
+#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */
 #include <time.h>
+#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
 #include <string.h>
 
+#define KRB5_PRIVATE   1
+
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/krb5_asn.h>
 
+#ifndef OPENSSL_NO_KRB5
+
+#ifndef ENOMEM
+#define ENOMEM KRB5KRB_ERR_GENERIC
+#endif
+
 /* 
  * When OpenSSL is built on Windows, we do not want to require that
  * the Kerberos DLLs be available in order for the OpenSSL DLLs to
@@ -113,16 +122,35 @@
 #define krb5_rd_req              kssl_krb5_rd_req               
 #define krb5_kt_default          kssl_krb5_kt_default           
 #define krb5_kt_resolve          kssl_krb5_kt_resolve           
+/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */
+#ifndef krb5_kt_close
+#define krb5_kt_close            kssl_krb5_kt_close
+#endif /* krb5_kt_close */
+#ifndef krb5_kt_get_entry
+#define krb5_kt_get_entry        kssl_krb5_kt_get_entry
+#endif /* krb5_kt_get_entry */
 #define krb5_auth_con_init       kssl_krb5_auth_con_init        
 
 #define krb5_principal_compare   kssl_krb5_principal_compare
-/* macro  #define krb5_kt_get_entry        kssl_krb5_kt_get_entry  */
 #define krb5_decrypt_tkt_part    kssl_krb5_decrypt_tkt_part
 #define krb5_timeofday           kssl_krb5_timeofday
 #define krb5_rc_default           kssl_krb5_rc_default
+
+#ifdef krb5_rc_initialize
+#undef krb5_rc_initialize
+#endif
 #define krb5_rc_initialize   kssl_krb5_rc_initialize
+
+#ifdef krb5_rc_get_lifespan
+#undef krb5_rc_get_lifespan
+#endif
 #define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan
+
+#ifdef krb5_rc_destroy
+#undef krb5_rc_destroy
+#endif
 #define krb5_rc_destroy      kssl_krb5_rc_destroy
+
 #define valid_cksumtype      kssl_valid_cksumtype
 #define krb5_checksum_size   kssl_krb5_checksum_size
 #define krb5_kt_free_entry   kssl_krb5_kt_free_entry
@@ -252,6 +280,12 @@ static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context,
 static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, 
                                                       krb5_auth_context,
                                                       krb5_rcache *)=NULL;
+static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, 
+                                                    krb5_keytab keytab)=NULL;
+static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, 
+                                                        krb5_keytab keytab,
+                       krb5_const_principal principal, krb5_kvno vno,
+                       krb5_enctype enctype, krb5_keytab_entry *entry)=NULL;
 static int krb5_loaded = 0;     /* only attempt to initialize func ptrs once */
 
 /* Function to Load the Kerberos 5 DLL and initialize function pointers */
@@ -321,6 +355,10 @@ load_krb5_dll(void)
                 GetProcAddress( hKRB5_32, "krb5_get_server_rcache" );
         (FARPROC) p_krb5_auth_con_getrcache =
                 GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" );
+        (FARPROC) p_krb5_kt_close =
+                GetProcAddress( hKRB5_32, "krb5_kt_close" );
+        (FARPROC) p_krb5_kt_get_entry =
+                GetProcAddress( hKRB5_32, "krb5_kt_get_entry" );
        }
 
 /* Stubs for each function to be dynamicly loaded */
@@ -707,20 +745,40 @@ krb5_error_code
 kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data,
                             krb5_rcache * rcache) 
         {
-                 if ( p_krb5_get_server_rcache )
-                         return(p_krb5_get_server_rcache(con,data,rcache));
-                 else
-                         return KRB5KRB_ERR_GENERIC;
+       if ( p_krb5_get_server_rcache )
+               return(p_krb5_get_server_rcache(con,data,rcache));
+       else
+               return KRB5KRB_ERR_GENERIC;
         }
 
 krb5_error_code
 kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon,
                              krb5_rcache * prcache)
         {
-                 if ( p_krb5_auth_con_getrcache )
-                         return(p_krb5_auth_con_getrcache(con,acon, prcache));
-                 else
-                         return KRB5KRB_ERR_GENERIC;
+       if ( p_krb5_auth_con_getrcache )
+               return(p_krb5_auth_con_getrcache(con,acon, prcache));
+       else
+               return KRB5KRB_ERR_GENERIC;
+       }
+krb5_error_code
+kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab)
+       {
+       if ( p_krb5_kt_close )
+               return(p_krb5_kt_close(context,keytab));
+       else 
+               return KRB5KRB_ERR_GENERIC;
+       }
+
+krb5_error_code
+kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
+                       krb5_const_principal principal, krb5_kvno vno,
+                       krb5_enctype enctype, krb5_keytab_entry *entry)
+       {
+       if ( p_krb5_kt_get_entry )
+               return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry));
+       else
+               return KRB5KRB_ERR_GENERIC;
         }
 #endif  /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */
 
@@ -732,48 +790,29 @@ char
        return ((string == NULL)? null: string);
         }
 
-#define        MAXKNUM 255
-char
-*knumber(int len, krb5_octet *contents)
-        {
-       static char     buf[MAXKNUM+1];
-       int             i;
-
-       BIO_snprintf(buf, MAXKNUM, "[%d] ", len);
-
-       for (i=0; i < len  &&  MAXKNUM > strlen(buf)+3; i++)
-                {
-                BIO_snprintf(&buf[strlen(buf)], 3, "%02x", contents[i]);
-                }
-
-       return (buf);
-       }
-
-
-/*     Given KRB5 enctype (basically DES or 3DES), return
+/*     Given KRB5 enctype (basically DES or 3DES),
+**     return closest match openssl EVP_ encryption algorithm.
+**     Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
+**     Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
 */
-EVP_CIPHER *
+const EVP_CIPHER *
 kssl_map_enc(krb5_enctype enctype)
         {
        switch (enctype)
                {
+       case ENCTYPE_DES_HMAC_SHA1:             /*    EVP_des_cbc();       */
        case ENCTYPE_DES_CBC_CRC:
        case ENCTYPE_DES_CBC_MD4:
        case ENCTYPE_DES_CBC_MD5:
        case ENCTYPE_DES_CBC_RAW:
-#if ! defined(KRB5_MIT_OLD11)
-       case ENCTYPE_DES_HMAC_SHA1:
-#endif
-                               return (EVP_CIPHER *) EVP_des_cbc();
+                               return EVP_des_cbc();
                                break;
+       case ENCTYPE_DES3_CBC_SHA1:             /*    EVP_des_ede3_cbc();  */
        case ENCTYPE_DES3_CBC_SHA:
        case ENCTYPE_DES3_CBC_RAW:
-#if ! defined(KRB5_MIT_OLD11)
-       case ENCTYPE_DES3_CBC_SHA1:
-#endif
-                               return (EVP_CIPHER *) EVP_des_ede3_cbc();
+                               return EVP_des_ede3_cbc();
                                break;
-       default:                return (EVP_CIPHER *) NULL;
+       default:                return NULL;
                                break;
                }
        }
@@ -819,13 +858,19 @@ int       kssl_test_confound(unsigned char *p)
 **      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
 **      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
 */
-int    *populate_cksumlens(void)
+size_t  *populate_cksumlens(void)
        {
-       int             i, j, n = 0x0010+1;
+       int             i, j, n;
        static size_t   *cklens = NULL;
 
+#ifdef KRB5_MIT_OLD11
+       n = krb5_max_cksum;
+#else
+       n = 0x0010;
+#endif /* KRB5_MIT_OLD11 */
 #ifdef KRB5CHECKAUTH
-       if (!cklens && !(cklens = (size_t *) calloc(sizeof(int), n)))  return NULL;
+       if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1)))  return NULL;
 
        for (i=0; i < n; i++)  {
                if (!valid_cksumtype(i))  continue;     /*  array has holes  */
@@ -853,8 +898,9 @@ int         *populate_cksumlens(void)
 */
 unsigned char  *kssl_skip_confound(krb5_enctype etype, unsigned char *a)
        {
-       int             i, cklen, conlen;
-       static int      *cksumlens = NULL;
+       int             i, conlen;
+       size_t          cklen;
+       static size_t   *cksumlens = NULL;
        unsigned char   *test_auth;
 
        conlen = (etype)? 8: 0;
@@ -889,10 +935,10 @@ kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
 void
 print_krb5_data(char *label, krb5_data *kdata)
         {
-       unsigned int    i;
+       int i;
 
        printf("%s[%d] ", label, kdata->length);
-       for (i=0; i < kdata->length; i++)
+       for (i=0; i < (int)kdata->length; i++)
                 {
                if (0 &&  isprint((int) kdata->data[i]))
                         printf(        "%c ",  kdata->data[i]);
@@ -913,7 +959,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
                printf("%s, authdata==0\n", label);
                return;
                }
-       printf("%s [%p]\n", label, adata);
+       printf("%s [%p]\n", label, (void *)adata);
 #if 0
        {
         int    i;
@@ -934,7 +980,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
 void
 print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
         {
-       unsigned int    i;
+       int i;
 
        if (keyblk == NULL)
                 {
@@ -944,14 +990,14 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 #ifdef KRB5_HEIMDAL
        printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
                                           keyblk->keyvalue->length);
-       for (i=0; i < keyblk->keyvalue->length; i++)
+       for (i=0; i < (int)keyblk->keyvalue->length; i++)
                 {
                printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
                }
        printf("\n");
 #else
        printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
-       for (i=0; i < keyblk->length; i++)
+       for (i=0; i < (int)keyblk->length; i++)
                 {
                printf("%02x",keyblk->contents[i]);
                }
@@ -966,17 +1012,16 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 void
 print_krb5_princ(char *label, krb5_principal_data *princ)
         {
-       unsigned int    ui, uj;
-        int i;
+       int i, ui, uj;
 
        printf("%s principal Realm: ", label);
        if (princ == NULL)  return;
-       for (ui=0; ui < princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
+       for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
        printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
-       for (i=0; i < princ->length; i++)
+       for (i=0; i < (int)princ->length; i++)
                 {
                printf("\t%d [%d]: ", i, princ->data[i].length);
-               for (uj=0; uj < princ->data[i].length; uj++)  {
+               for (uj=0; uj < (int)princ->data[i].length; uj++)  {
                        putchar(princ->data[i].data[uj]);
                        }
                printf("\n");
@@ -1085,7 +1130,7 @@ kssl_cget_tkt(    /* UPDATE */    KSSL_CTX *kssl_ctx,
        if (authenp)
                 {
                krb5_data       krb5in_data;
-               unsigned char   *p;
+               const unsigned char     *p;
                long            arlen;
                KRB5_APREQBODY  *ap_req;
 
@@ -1102,7 +1147,7 @@ kssl_cget_tkt(    /* UPDATE */    KSSL_CTX *kssl_ctx,
                        }
 
                arlen = krb5_app_req.length;
-               p = krb5_app_req.data;
+               p = (unsigned char *)krb5_app_req.data;
                ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen);
                if (ap_req)
                        {
@@ -1111,9 +1156,9 @@ kssl_cget_tkt(    /* UPDATE */    KSSL_CTX *kssl_ctx,
                        if (authenp->length  && 
                                (authenp->data = malloc(authenp->length)))
                                {
-                               unsigned char   *p = authenp->data;
+                               unsigned char   *adp = (unsigned char *)authenp->data;
                                authenp->length = i2d_KRB5_ENCDATA(
-                                               ap_req->authenticator, &p);
+                                               ap_req->authenticator, &adp);
                                }
                        }
 
@@ -1177,8 +1222,7 @@ kssl_TKT2tkt(     /* IN     */    krb5_context    krb5context,
 
        if (asn1ticket == NULL  ||  asn1ticket->realm == NULL  ||
                asn1ticket->sname == NULL  || 
-               asn1ticket->sname->namestring == NULL  ||
-               asn1ticket->sname->namestring->num < 2)
+               sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2)
                {
                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
                        "Null field in asn1ticket.\n");
@@ -1194,14 +1238,14 @@ kssl_TKT2tkt(   /* IN     */    krb5_context    krb5context,
                return ENOMEM;          /*  or  KRB5KRB_ERR_GENERIC;    */
                }
 
-       gstr_svc  = (ASN1_GENERALSTRING*)asn1ticket->sname->namestring->data[0];
-       gstr_host = (ASN1_GENERALSTRING*)asn1ticket->sname->namestring->data[1];
+       gstr_svc  = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
+       gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1);
 
        if ((krb5rc = kssl_build_principal_2(krb5context,
                        &new5ticket->server,
-                       asn1ticket->realm->length, asn1ticket->realm->data,
-                       gstr_svc->length,  gstr_svc->data,
-                       gstr_host->length, gstr_host->data)) != 0)
+                       asn1ticket->realm->length, (char *)asn1ticket->realm->data,
+                       gstr_svc->length,  (char *)gstr_svc->data,
+                       gstr_host->length, (char *)gstr_host->data)) != 0)
                {
                free(new5ticket);
                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
@@ -1255,7 +1299,7 @@ kssl_sget_tkt(    /* UPDATE */    KSSL_CTX                *kssl_ctx,
        static krb5_auth_context        krb5auth_context = NULL;
        krb5_ticket                     *krb5ticket = NULL;
        KRB5_TKTBODY                    *asn1ticket = NULL;
-       unsigned char                   *p;
+       const unsigned char             *p;
        krb5_keytab                     krb5keytab = NULL;
        krb5_keytab_entry               kt_entry;
        krb5_principal                  krb5server;
@@ -1372,7 +1416,7 @@ kssl_sget_tkt(    /* UPDATE */    KSSL_CTX                *kssl_ctx,
        **                      &ap_option, &krb5ticket)) != 0)  { Error }
        */
 
-       p = indata->data;
+       p = (unsigned char *)indata->data;
        if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
                                                (long) indata->length)) == NULL)
                {
@@ -1429,11 +1473,16 @@ kssl_sget_tkt(  /* UPDATE */    KSSL_CTX                *kssl_ctx,
                printf("\tcaddrs: %p, authdata: %p\n",
                        krb5ticket->enc_part2->caddrs,
                        krb5ticket->enc_part2->authorization_data);
-               printf("\tcaddrs:\n");
-               for (i=0; paddr[i] != NULL; i++)
-                       {  krb5_data d;
-                       d.length=paddr[i]->length; d.data=paddr[i]->contents;
-                       print_krb5_data("\t\tIP: ", &d);
+               if (paddr)
+                       {
+                       printf("\tcaddrs:\n");
+                       for (i=0; paddr[i] != NULL; i++)
+                               {
+                               krb5_data d;
+                               d.length=paddr[i]->length;
+                               d.data=paddr[i]->contents;
+                               print_krb5_data("\t\tIP: ", &d);
+                               }
                        }
                printf("\tstart/auth/end times: %d / %d / %d\n",
                        krb5ticket->enc_part2->times.starttime,
@@ -1453,8 +1502,9 @@ kssl_sget_tkt(    /* UPDATE */    KSSL_CTX                *kssl_ctx,
                         "bad ticket from krb5_rd_req.\n");
                }
        else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
-                &krb5ticket->enc_part2->client->realm,
-                krb5ticket->enc_part2->client->data))
+                &krb5ticket->enc_part2->client->realm,
+                krb5ticket->enc_part2->client->data,
+                krb5ticket->enc_part2->client->length))
                 {
                kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
                         "kssl_ctx_setprinc() fails.\n");
@@ -1508,7 +1558,7 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
         {
        if (kssl_ctx == NULL)  return kssl_ctx;
 
-       if (kssl_ctx->key)              memset(kssl_ctx->key, 0,
+       if (kssl_ctx->key)              OPENSSL_cleanse(kssl_ctx->key,
                                                              kssl_ctx->length);
        if (kssl_ctx->key)              free(kssl_ctx->key);
        if (kssl_ctx->client_princ)     free(kssl_ctx->client_princ);
@@ -1521,16 +1571,17 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
         }
 
 
-/*     Given a (krb5_data *) entity (and optional realm),
+/*     Given an array of (krb5_data *) entity (and optional realm),
 **     set the plain (char *) client_princ or service_host member
 **     of the kssl_ctx struct.
 */
 krb5_error_code
 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-        krb5_data *realm, krb5_data *entity)
+        krb5_data *realm, krb5_data *entity, int nentities)
         {
        char    **princ;
        int     length;
+       int i;
 
        if (kssl_ctx == NULL  ||  entity == NULL)  return KSSL_CTX_ERR;
 
@@ -1542,12 +1593,29 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
                }
        if (*princ)  free(*princ);
 
-       length = entity->length + ((realm)? realm->length + 2: 1);
+       /* Add up all the entity->lengths */
+       length = 0;
+       for (i=0; i < nentities; i++)
+               {
+               length += entity[i].length;
+               }
+       /* Add in space for the '/' character(s) (if any) */
+       length += nentities-1;
+       /* Space for the ('@'+realm+NULL | NULL) */
+       length += ((realm)? realm->length + 2: 1);
+
        if ((*princ = calloc(1, length)) == NULL)
                return KSSL_CTX_ERR;
        else
-                {
-               strncpy(*princ, entity->data, entity->length);
+               {
+               for (i = 0; i < nentities; i++)
+                       {
+                       strncat(*princ, entity[i].data, entity[i].length);
+                       if (i < nentities-1)
+                               {
+                               strcat (*princ, "/");
+                               }
+                       }
                if (realm)
                         {
                        strcat (*princ, "@");
@@ -1610,7 +1678,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
 
        if (kssl_ctx->key)
                 {
-               memset(kssl_ctx->key, 0, kssl_ctx->length);
+               OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
                free(kssl_ctx->key);
                }
 
@@ -1663,7 +1731,7 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
                return;
                }
        else
-               printf("%p\n", kssl_ctx);
+               printf("%p\n", (void *)kssl_ctx);
 
        printf("\tservice:\t%s\n",
                 (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
@@ -1807,6 +1875,35 @@ void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
        }
 #endif /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */
 
+
+/*  Given pointers to KerberosTime and struct tm structs, convert the
+**  KerberosTime string to struct tm.  Note that KerberosTime is a
+**  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
+**  seconds as defined in RFC 1510.
+**  Return pointer to the (partially) filled in struct tm on success,
+**  return NULL on failure.
+*/
+struct tm      *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
+       {
+       char            c, *p;
+
+       if (!k_tm)  return NULL;
+       if (gtime == NULL  ||  gtime->length < 14)  return NULL;
+       if (gtime->data == NULL)  return NULL;
+
+       p = (char *)&gtime->data[14];
+
+       c = *p;  *p = '\0';  p -= 2;  k_tm->tm_sec  = atoi(p);      *(p+2) = c;
+       c = *p;  *p = '\0';  p -= 2;  k_tm->tm_min  = atoi(p);      *(p+2) = c;
+       c = *p;  *p = '\0';  p -= 2;  k_tm->tm_hour = atoi(p);      *(p+2) = c;
+       c = *p;  *p = '\0';  p -= 2;  k_tm->tm_mday = atoi(p);      *(p+2) = c;
+       c = *p;  *p = '\0';  p -= 2;  k_tm->tm_mon  = atoi(p)-1;    *(p+2) = c;
+       c = *p;  *p = '\0';  p -= 4;  k_tm->tm_year = atoi(p)-1900; *(p+4) = c;
+
+       return k_tm;
+       }
+
+
 /*  Helper function for kssl_validate_times().
 **  We need context->clockskew, but krb5_context is an opaque struct.
 **  So we try to sneek the clockskew out through the replay cache.
@@ -1885,11 +1982,15 @@ krb5_error_code  kssl_check_authent(
        KRB5_AUTHENTBODY        *auth = NULL;
        krb5_enctype            enctype;
        EVP_CIPHER_CTX          ciph_ctx;
-       EVP_CIPHER              *enc = NULL;
+       const EVP_CIPHER        *enc = NULL;
        unsigned char           iv[EVP_MAX_IV_LENGTH];
-       unsigned char           *p, *unenc_authent, *tbuf = NULL;
-       int                     padl, outl, unencbufsize;
+       const unsigned char     *p;
+       unsigned char           *unenc_authent;
+       int                     outl, unencbufsize;
+       struct tm               tm_time, *tm_l, *tm_g;
+       time_t                  now, tl, tg, tr, tz_offset;
 
+       EVP_CIPHER_CTX_init(&ciph_ctx);
        *atimep = 0;
        kssl_err_set(kssl_err, 0, "");
 
@@ -1904,10 +2005,13 @@ krb5_error_code  kssl_check_authent(
        if (authentp == NULL  ||  authentp->length == 0)  return 0;
 
 #ifdef KSSL_DEBUG
+        {
+        unsigned int ui;
        printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
        p = authentp->data; 
-       for (padl=0; padl < authentp->length; padl++)  printf("%02x ",p[padl]);
+       for (ui=0; ui < authentp->length; ui++)  printf("%02x ",p[ui]);
        printf("\n");
+        }
 #endif /* KSSL_DEBUG */
 
        unencbufsize = 2 * authentp->length;
@@ -1919,7 +2023,7 @@ krb5_error_code  kssl_check_authent(
                goto err;
                }
 
-       p = authentp->data;
+       p = (unsigned char *)authentp->data;
        if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p,
                                        (long) authentp->length)) == NULL) 
                {
@@ -1930,29 +2034,43 @@ krb5_error_code  kssl_check_authent(
                }
 
        enctype = dec_authent->etype->data[0];  /* should = kssl_ctx->enctype */
+#if !defined(KRB5_MIT_OLD11)
+            switch ( enctype ) {
+            case ENCTYPE_DES3_CBC_SHA1:                /*    EVP_des_ede3_cbc();  */
+            case ENCTYPE_DES3_CBC_SHA:
+            case ENCTYPE_DES3_CBC_RAW:
+                krb5rc = 0;                     /* Skip, can't handle derived keys */
+                goto err;
+            }
+#endif
        enc = kssl_map_enc(enctype);
-       memset(iv, 0, EVP_MAX_IV_LENGTH);       /* per RFC 1510 */
+       memset(iv, 0, sizeof iv);       /* per RFC 1510 */
 
-       EVP_DecryptInit(&ciph_ctx, enc, kssl_ctx->key, iv);
-       EVP_DecryptUpdate(&ciph_ctx, unenc_authent, &outl,
-                       dec_authent->cipher->data, dec_authent->cipher->length);
-       if (outl > unencbufsize)
+       if (enc == NULL)
                {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "Buffer overflow decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+               /*  Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
+               **  This enctype indicates the authenticator was encrypted
+               **  using key-usage derived keys which openssl cannot decrypt.
+               */
                goto err;
                }
-       EVP_DecryptFinal(&ciph_ctx, &(unenc_authent[outl]), &padl);
-       outl += padl;
-       if (outl > unencbufsize)
-               {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "Buffer overflow decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-               }
-       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+        if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_CipherInit error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        outl = dec_authent->cipher->length;
+        if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_Cipher error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
 #ifdef KSSL_DEBUG
        printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
@@ -1977,67 +2095,31 @@ krb5_error_code  kssl_check_authent(
                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
                goto err;
                }
-       if ((tbuf = calloc(1, auth->ctime->length + 1)) == NULL)
-               {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                       "Unable to allocate atime buffer.\n");
-               krb5rc = KRB5KRB_ERR_GENERIC;
-               goto err;
-               }
-       else    strncpy(tbuf, auth->ctime->data, auth->ctime->length);
-       
-       if ( auth->ctime->length >= 9 && auth->ctime->length <= 14  )  
-               /* tbuf == "%Y%m%d%H%M%S" */
-               {
-               struct tm               tm_time, *tm_l, *tm_g;
-               time_t                  now, tl, tg, tr, tz_offset;
-               int                     i;
-               char                    *p = tbuf;
-               memset(&tm_time,0,sizeof(struct tm));
-               for ( i=0; 
-                     i<4 && isdigit(*p);
-                     i++, p++ )
-                       tm_time.tm_year = tm_time.tm_year*10 + (*p-'0');
-               for ( i=0; 
-                     i<2 && isdigit(*p) && tm_time.tm_mon <= 1; 
-                     i++, p++ )
-                       tm_time.tm_mon = tm_time.tm_mon*10 + (*p-'0');
-               for ( i=0; 
-                     i<2 && isdigit(*p) && tm_time.tm_mday <= 3;
-                     i++, p++ )
-                       tm_time.tm_mday = tm_time.tm_mday*10 + (*p-'0');
-               for ( i=0; 
-                     i<2 && isdigit(*p) && tm_time.tm_hour <= 2;
-                     i++, p++ )
-                       tm_time.tm_hour = tm_time.tm_hour*10 + (*p-'0');
-               for ( i=0;
-                     i<2 && isdigit(*p) && tm_time.tm_min <= 6;
-                     i++, p++ )
-                       tm_time.tm_min = tm_time.tm_min*10 + (*p-'0');
-               for ( i=0; 
-                     i<2 && isdigit(*p) && tm_time.tm_sec <= 6;
-                     i++, p++ )
-                       tm_time.tm_sec = tm_time.tm_sec*10 + (*p-'0');
-
-               now  = time(&now);
-               tm_l = localtime(&now);         tl = mktime(tm_l);
-               tm_g = gmtime(&now);            tg = mktime(tm_g);
-               tz_offset = tg - tl;
-               tr = mktime(&tm_time);
-
-               if (tr != (time_t)(-1))
-                       *atimep = mktime(&tm_time) - tz_offset;
-               }
+
+       memset(&tm_time,0,sizeof(struct tm));
+       if (k_gmtime(auth->ctime, &tm_time)  &&
+               ((tr = mktime(&tm_time)) != (time_t)(-1)))
+               {
+               now  = time(&now);
+               tm_l = localtime(&now);         tl = mktime(tm_l);
+               tm_g = gmtime(&now);            tg = mktime(tm_g);
+               tz_offset = tg - tl;
+
+               *atimep = tr - tz_offset;
+               }
+
 #ifdef KSSL_DEBUG
-       printf("kssl_check_authent: client time %s = %d\n", tbuf, *atimep);
+       printf("kssl_check_authent: returns %d for client time ", *atimep);
+       if (auth && auth->ctime && auth->ctime->length && auth->ctime->data)
+               printf("%.*s\n", auth->ctime->length, auth->ctime->data);
+       else    printf("NULL\n");
 #endif /* KSSL_DEBUG */
 
  err:
-       if (tbuf)               free(tbuf);
        if (auth)               KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
        if (dec_authent)        KRB5_ENCDATA_free(dec_authent);
        if (unenc_authent)      free(unenc_authent);
+       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
        return krb5rc;
        }
 
Unnamed repository; edit this file 'description' to name the repository.