When _XOPEN_SOURCE is defined, make sure it's defined to 500. Required in

[openssl.git] / ssl / kssl.c

diff --git a/ssl/kssl.c b/ssl/kssl.c
index d9e1160550c7919dd778b7060465106a6b689841..b8192cdfc719d937d6baaa3035326be86cb67818 100644 (file)
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -67,16 +67,25 @@
 */
 
 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_KRB5
-#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
+
+#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */
 #include <time.h>
+#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
 #include <string.h>
 
+#define KRB5_PRIVATE   1
+
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/krb5_asn.h>
 
+#ifndef OPENSSL_NO_KRB5
+
+#ifndef ENOMEM
+#define ENOMEM KRB5KRB_ERR_GENERIC
+#endif
+
 /* 
  * When OpenSSL is built on Windows, we do not want to require that
  * the Kerberos DLLs be available in order for the OpenSSL DLLs to
@@ -113,16 +122,35 @@
 #define krb5_rd_req              kssl_krb5_rd_req               
 #define krb5_kt_default          kssl_krb5_kt_default           
 #define krb5_kt_resolve          kssl_krb5_kt_resolve           
+/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */
+#ifndef krb5_kt_close
+#define krb5_kt_close            kssl_krb5_kt_close
+#endif /* krb5_kt_close */
+#ifndef krb5_kt_get_entry
+#define krb5_kt_get_entry        kssl_krb5_kt_get_entry
+#endif /* krb5_kt_get_entry */
 #define krb5_auth_con_init       kssl_krb5_auth_con_init        
 
 #define krb5_principal_compare   kssl_krb5_principal_compare
-/* macro  #define krb5_kt_get_entry        kssl_krb5_kt_get_entry  */
 #define krb5_decrypt_tkt_part    kssl_krb5_decrypt_tkt_part
 #define krb5_timeofday           kssl_krb5_timeofday
 #define krb5_rc_default           kssl_krb5_rc_default
+
+#ifdef krb5_rc_initialize
+#undef krb5_rc_initialize
+#endif
 #define krb5_rc_initialize   kssl_krb5_rc_initialize
+
+#ifdef krb5_rc_get_lifespan
+#undef krb5_rc_get_lifespan
+#endif
 #define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan
+
+#ifdef krb5_rc_destroy
+#undef krb5_rc_destroy
+#endif
 #define krb5_rc_destroy      kssl_krb5_rc_destroy
+
 #define valid_cksumtype      kssl_valid_cksumtype
 #define krb5_checksum_size   kssl_krb5_checksum_size
 #define krb5_kt_free_entry   kssl_krb5_kt_free_entry
@@ -252,6 +280,12 @@ static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context,
 static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, 
                                                       krb5_auth_context,
                                                       krb5_rcache *)=NULL;
+static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, 
+                                                    krb5_keytab keytab)=NULL;
+static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, 
+                                                        krb5_keytab keytab,
+                       krb5_const_principal principal, krb5_kvno vno,
+                       krb5_enctype enctype, krb5_keytab_entry *entry)=NULL;
 static int krb5_loaded = 0;     /* only attempt to initialize func ptrs once */
 
 /* Function to Load the Kerberos 5 DLL and initialize function pointers */
@@ -321,6 +355,10 @@ load_krb5_dll(void)
                 GetProcAddress( hKRB5_32, "krb5_get_server_rcache" );
         (FARPROC) p_krb5_auth_con_getrcache =
                 GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" );
+        (FARPROC) p_krb5_kt_close =
+                GetProcAddress( hKRB5_32, "krb5_kt_close" );
+        (FARPROC) p_krb5_kt_get_entry =
+                GetProcAddress( hKRB5_32, "krb5_kt_get_entry" );
        }
 
 /* Stubs for each function to be dynamicly loaded */
@@ -707,20 +745,40 @@ krb5_error_code
 kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data,
                             krb5_rcache * rcache) 
         {
-                 if ( p_krb5_get_server_rcache )
-                         return(p_krb5_get_server_rcache(con,data,rcache));
-                 else
-                         return KRB5KRB_ERR_GENERIC;
+       if ( p_krb5_get_server_rcache )
+               return(p_krb5_get_server_rcache(con,data,rcache));
+       else
+               return KRB5KRB_ERR_GENERIC;
         }
 
 krb5_error_code
 kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon,
                              krb5_rcache * prcache)
         {
-                 if ( p_krb5_auth_con_getrcache )
-                         return(p_krb5_auth_con_getrcache(con,acon, prcache));
-                 else
-                         return KRB5KRB_ERR_GENERIC;
+       if ( p_krb5_auth_con_getrcache )
+               return(p_krb5_auth_con_getrcache(con,acon, prcache));
+       else
+               return KRB5KRB_ERR_GENERIC;
+       }
+ 
+krb5_error_code
+kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab)
+       {
+       if ( p_krb5_kt_close )
+               return(p_krb5_kt_close(context,keytab));
+       else 
+               return KRB5KRB_ERR_GENERIC;
+       }
+
+krb5_error_code
+kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
+                       krb5_const_principal principal, krb5_kvno vno,
+                       krb5_enctype enctype, krb5_keytab_entry *entry)
+       {
+       if ( p_krb5_kt_get_entry )
+               return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry));
+       else
+               return KRB5KRB_ERR_GENERIC;
         }
 #endif  /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */
 
@@ -732,52 +790,29 @@ char
        return ((string == NULL)? null: string);
         }
 
-#define        MAXKNUM 255
-char
-*knumber(int len, krb5_octet *contents)
-        {
-       static char     buf[MAXKNUM+1];
-       int             i;
-
-       BIO_snprintf(buf, MAXKNUM, "[%d] ", len);
-
-       for (i=0; i < len  &&  MAXKNUM > strlen(buf)+3; i++)
-                {
-                BIO_snprintf(&buf[strlen(buf)], 3, "%02x", contents[i]);
-                }
-
-       return (buf);
-       }
-
-
 /*     Given KRB5 enctype (basically DES or 3DES),
 **     return closest match openssl EVP_ encryption algorithm.
 **     Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
 **     Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
 */
-EVP_CIPHER *
+const EVP_CIPHER *
 kssl_map_enc(krb5_enctype enctype)
         {
        switch (enctype)
                {
-#if ! defined(KRB5_MIT_OLD11)
-                                       /*     cannot handle derived keys  */
-       case ENCTYPE_DES3_CBC_SHA1:             /*    EVP_des_ede3_cbc();  */
        case ENCTYPE_DES_HMAC_SHA1:             /*    EVP_des_cbc();       */
-                               return (EVP_CIPHER *) NULL;
-                               break;
-#endif
        case ENCTYPE_DES_CBC_CRC:
        case ENCTYPE_DES_CBC_MD4:
        case ENCTYPE_DES_CBC_MD5:
        case ENCTYPE_DES_CBC_RAW:
-                               return (EVP_CIPHER *) EVP_des_cbc();
+                               return EVP_des_cbc();
                                break;
+       case ENCTYPE_DES3_CBC_SHA1:             /*    EVP_des_ede3_cbc();  */
        case ENCTYPE_DES3_CBC_SHA:
        case ENCTYPE_DES3_CBC_RAW:
-                               return (EVP_CIPHER *) EVP_des_ede3_cbc();
+                               return EVP_des_ede3_cbc();
                                break;
-       default:                return (EVP_CIPHER *) NULL;
+       default:                return NULL;
                                break;
                }
        }
@@ -823,7 +858,7 @@ int         kssl_test_confound(unsigned char *p)
 **      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
 **      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
 */
-int    *populate_cksumlens(void)
+size_t  *populate_cksumlens(void)
        {
        int             i, j, n;
        static size_t   *cklens = NULL;
@@ -863,8 +898,9 @@ int         *populate_cksumlens(void)
 */
 unsigned char  *kssl_skip_confound(krb5_enctype etype, unsigned char *a)
        {
-       int             i, cklen, conlen;
-       static int      *cksumlens = NULL;
+       int             i, conlen;
+       size_t          cklen;
+       static size_t   *cksumlens = NULL;
        unsigned char   *test_auth;
 
        conlen = (etype)? 8: 0;
@@ -899,10 +935,10 @@ kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
 void
 print_krb5_data(char *label, krb5_data *kdata)
         {
-       unsigned int    i;
+       int i;
 
        printf("%s[%d] ", label, kdata->length);
-       for (i=0; i < kdata->length; i++)
+       for (i=0; i < (int)kdata->length; i++)
                 {
                if (0 &&  isprint((int) kdata->data[i]))
                         printf(        "%c ",  kdata->data[i]);
@@ -923,7 +959,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
                printf("%s, authdata==0\n", label);
                return;
                }
-       printf("%s [%p]\n", label, adata);
+       printf("%s [%p]\n", label, (void *)adata);
 #if 0
        {
         int    i;
@@ -944,7 +980,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
 void
 print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
         {
-       unsigned int    i;
+       int i;
 
        if (keyblk == NULL)
                 {
@@ -954,14 +990,14 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 #ifdef KRB5_HEIMDAL
        printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
                                           keyblk->keyvalue->length);
-       for (i=0; i < keyblk->keyvalue->length; i++)
+       for (i=0; i < (int)keyblk->keyvalue->length; i++)
                 {
                printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
                }
        printf("\n");
 #else
        printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
-       for (i=0; i < keyblk->length; i++)
+       for (i=0; i < (int)keyblk->length; i++)
                 {
                printf("%02x",keyblk->contents[i]);
                }
@@ -976,17 +1012,16 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 void
 print_krb5_princ(char *label, krb5_principal_data *princ)
         {
-       unsigned int    ui, uj;
-        int i;
+       int i, ui, uj;
 
        printf("%s principal Realm: ", label);
        if (princ == NULL)  return;
-       for (ui=0; ui < princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
+       for (ui=0; ui < (int)princ->realm.length; ui++)  putchar(princ->realm.data[ui]);
        printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
-       for (i=0; i < princ->length; i++)
+       for (i=0; i < (int)princ->length; i++)
                 {
                printf("\t%d [%d]: ", i, princ->data[i].length);
-               for (uj=0; uj < princ->data[i].length; uj++)  {
+               for (uj=0; uj < (int)princ->data[i].length; uj++)  {
                        putchar(princ->data[i].data[uj]);
                        }
                printf("\n");
@@ -1095,7 +1130,7 @@ kssl_cget_tkt(    /* UPDATE */    KSSL_CTX *kssl_ctx,
        if (authenp)
                 {
                krb5_data       krb5in_data;
-               unsigned char   *p;
+               const unsigned char     *p;
                long            arlen;
                KRB5_APREQBODY  *ap_req;
 
@@ -1112,7 +1147,7 @@ kssl_cget_tkt(    /* UPDATE */    KSSL_CTX *kssl_ctx,
                        }
 
                arlen = krb5_app_req.length;
-               p = krb5_app_req.data;
+               p = (unsigned char *)krb5_app_req.data;
                ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen);
                if (ap_req)
                        {
@@ -1121,9 +1156,9 @@ kssl_cget_tkt(    /* UPDATE */    KSSL_CTX *kssl_ctx,
                        if (authenp->length  && 
                                (authenp->data = malloc(authenp->length)))
                                {
-                               unsigned char   *p = authenp->data;
+                               unsigned char   *adp = (unsigned char *)authenp->data;
                                authenp->length = i2d_KRB5_ENCDATA(
-                                               ap_req->authenticator, &p);
+                                               ap_req->authenticator, &adp);
                                }
                        }
 
@@ -1187,8 +1222,7 @@ kssl_TKT2tkt(     /* IN     */    krb5_context    krb5context,
 
        if (asn1ticket == NULL  ||  asn1ticket->realm == NULL  ||
                asn1ticket->sname == NULL  || 
-               asn1ticket->sname->namestring == NULL  ||
-               asn1ticket->sname->namestring->num < 2)
+               sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2)
                {
                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
                        "Null field in asn1ticket.\n");
@@ -1204,14 +1238,14 @@ kssl_TKT2tkt(   /* IN     */    krb5_context    krb5context,
                return ENOMEM;          /*  or  KRB5KRB_ERR_GENERIC;    */
                }
 
-       gstr_svc  = (ASN1_GENERALSTRING*)asn1ticket->sname->namestring->data[0];
-       gstr_host = (ASN1_GENERALSTRING*)asn1ticket->sname->namestring->data[1];
+       gstr_svc  = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
+       gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1);
 
        if ((krb5rc = kssl_build_principal_2(krb5context,
                        &new5ticket->server,
-                       asn1ticket->realm->length, asn1ticket->realm->data,
-                       gstr_svc->length,  gstr_svc->data,
-                       gstr_host->length, gstr_host->data)) != 0)
+                       asn1ticket->realm->length, (char *)asn1ticket->realm->data,
+                       gstr_svc->length,  (char *)gstr_svc->data,
+                       gstr_host->length, (char *)gstr_host->data)) != 0)
                {
                free(new5ticket);
                BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
@@ -1265,7 +1299,7 @@ kssl_sget_tkt(    /* UPDATE */    KSSL_CTX                *kssl_ctx,
        static krb5_auth_context        krb5auth_context = NULL;
        krb5_ticket                     *krb5ticket = NULL;
        KRB5_TKTBODY                    *asn1ticket = NULL;
-       unsigned char                   *p;
+       const unsigned char             *p;
        krb5_keytab                     krb5keytab = NULL;
        krb5_keytab_entry               kt_entry;
        krb5_principal                  krb5server;
@@ -1382,7 +1416,7 @@ kssl_sget_tkt(    /* UPDATE */    KSSL_CTX                *kssl_ctx,
        **                      &ap_option, &krb5ticket)) != 0)  { Error }
        */
 
-       p = indata->data;
+       p = (unsigned char *)indata->data;
        if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
                                                (long) indata->length)) == NULL)
                {
@@ -1468,8 +1502,9 @@ kssl_sget_tkt(    /* UPDATE */    KSSL_CTX                *kssl_ctx,
                         "bad ticket from krb5_rd_req.\n");
                }
        else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
-                &krb5ticket->enc_part2->client->realm,
-                krb5ticket->enc_part2->client->data))
+                &krb5ticket->enc_part2->client->realm,
+                krb5ticket->enc_part2->client->data,
+                krb5ticket->enc_part2->client->length))
                 {
                kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
                         "kssl_ctx_setprinc() fails.\n");
@@ -1523,7 +1558,7 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
         {
        if (kssl_ctx == NULL)  return kssl_ctx;
 
-       if (kssl_ctx->key)              memset(kssl_ctx->key, 0,
+       if (kssl_ctx->key)              OPENSSL_cleanse(kssl_ctx->key,
                                                              kssl_ctx->length);
        if (kssl_ctx->key)              free(kssl_ctx->key);
        if (kssl_ctx->client_princ)     free(kssl_ctx->client_princ);
@@ -1536,16 +1571,17 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
         }
 
 
-/*     Given a (krb5_data *) entity (and optional realm),
+/*     Given an array of (krb5_data *) entity (and optional realm),
 **     set the plain (char *) client_princ or service_host member
 **     of the kssl_ctx struct.
 */
 krb5_error_code
 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-        krb5_data *realm, krb5_data *entity)
+        krb5_data *realm, krb5_data *entity, int nentities)
         {
        char    **princ;
        int     length;
+       int i;
 
        if (kssl_ctx == NULL  ||  entity == NULL)  return KSSL_CTX_ERR;
 
@@ -1557,12 +1593,29 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
                }
        if (*princ)  free(*princ);
 
-       length = entity->length + ((realm)? realm->length + 2: 1);
+       /* Add up all the entity->lengths */
+       length = 0;
+       for (i=0; i < nentities; i++)
+               {
+               length += entity[i].length;
+               }
+       /* Add in space for the '/' character(s) (if any) */
+       length += nentities-1;
+       /* Space for the ('@'+realm+NULL | NULL) */
+       length += ((realm)? realm->length + 2: 1);
+
        if ((*princ = calloc(1, length)) == NULL)
                return KSSL_CTX_ERR;
        else
-                {
-               strncpy(*princ, entity->data, entity->length);
+               {
+               for (i = 0; i < nentities; i++)
+                       {
+                       strncat(*princ, entity[i].data, entity[i].length);
+                       if (i < nentities-1)
+                               {
+                               strcat (*princ, "/");
+                               }
+                       }
                if (realm)
                         {
                        strcat (*princ, "@");
@@ -1625,7 +1678,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
 
        if (kssl_ctx->key)
                 {
-               memset(kssl_ctx->key, 0, kssl_ctx->length);
+               OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
                free(kssl_ctx->key);
                }
 
@@ -1678,7 +1731,7 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
                return;
                }
        else
-               printf("%p\n", kssl_ctx);
+               printf("%p\n", (void *)kssl_ctx);
 
        printf("\tservice:\t%s\n",
                 (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
@@ -1830,15 +1883,15 @@ void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
 **  Return pointer to the (partially) filled in struct tm on success,
 **  return NULL on failure.
 */
-struct tm      *k_gmtime(ASN1_GENERALIZEDTIME *ctime, struct tm *k_tm)
+struct tm      *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
        {
        char            c, *p;
 
        if (!k_tm)  return NULL;
-       if (ctime == NULL  ||  ctime->length < 14)  return NULL;
-       if (ctime->data == NULL)  return NULL;
+       if (gtime == NULL  ||  gtime->length < 14)  return NULL;
+       if (gtime->data == NULL)  return NULL;
 
-       p = &ctime->data[14];
+       p = (char *)&gtime->data[14];
 
        c = *p;  *p = '\0';  p -= 2;  k_tm->tm_sec  = atoi(p);      *(p+2) = c;
        c = *p;  *p = '\0';  p -= 2;  k_tm->tm_min  = atoi(p);      *(p+2) = c;
@@ -1929,13 +1982,15 @@ krb5_error_code  kssl_check_authent(
        KRB5_AUTHENTBODY        *auth = NULL;
        krb5_enctype            enctype;
        EVP_CIPHER_CTX          ciph_ctx;
-       EVP_CIPHER              *enc = NULL;
+       const EVP_CIPHER        *enc = NULL;
        unsigned char           iv[EVP_MAX_IV_LENGTH];
-       unsigned char           *p, *unenc_authent;
-       int                     padl, outl, unencbufsize;
+       const unsigned char     *p;
+       unsigned char           *unenc_authent;
+       int                     outl, unencbufsize;
        struct tm               tm_time, *tm_l, *tm_g;
        time_t                  now, tl, tg, tr, tz_offset;
 
+       EVP_CIPHER_CTX_init(&ciph_ctx);
        *atimep = 0;
        kssl_err_set(kssl_err, 0, "");
 
@@ -1968,7 +2023,7 @@ krb5_error_code  kssl_check_authent(
                goto err;
                }
 
-       p = authentp->data;
+       p = (unsigned char *)authentp->data;
        if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p,
                                        (long) authentp->length)) == NULL) 
                {
@@ -1979,8 +2034,17 @@ krb5_error_code  kssl_check_authent(
                }
 
        enctype = dec_authent->etype->data[0];  /* should = kssl_ctx->enctype */
+#if !defined(KRB5_MIT_OLD11)
+            switch ( enctype ) {
+            case ENCTYPE_DES3_CBC_SHA1:                /*    EVP_des_ede3_cbc();  */
+            case ENCTYPE_DES3_CBC_SHA:
+            case ENCTYPE_DES3_CBC_RAW:
+                krb5rc = 0;                     /* Skip, can't handle derived keys */
+                goto err;
+            }
+#endif
        enc = kssl_map_enc(enctype);
-       memset(iv, 0, EVP_MAX_IV_LENGTH);       /* per RFC 1510 */
+       memset(iv, 0, sizeof iv);       /* per RFC 1510 */
 
        if (enc == NULL)
                {
@@ -1990,44 +2054,23 @@ krb5_error_code  kssl_check_authent(
                */
                goto err;
                }
-       if (!EVP_DecryptInit(&ciph_ctx, enc, kssl_ctx->key, iv))
-               {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                       "EVP_DecryptInit error decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-               }
-       if (!EVP_DecryptUpdate(&ciph_ctx, unenc_authent, &outl,
-                       dec_authent->cipher->data, dec_authent->cipher->length))
-               {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                       "EVP_DecryptUpdate error decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-               }
-       if (outl > unencbufsize)
-               {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "Buffer overflow decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-               }
-       if (!EVP_DecryptFinal(&ciph_ctx, &(unenc_authent[outl]), &padl))
-               {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                       "EVP_DecryptFinal error decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-               }
-       outl += padl;
-       if (outl > unencbufsize)
-               {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                        "Buffer overflow decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-               }
-       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+        if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_CipherInit error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        outl = dec_authent->cipher->length;
+        if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl))
+                {
+                kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+                        "EVP_Cipher error decrypting authenticator.\n");
+                krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+                goto err;
+                }
+        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
 #ifdef KSSL_DEBUG
        printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
@@ -2076,6 +2119,7 @@ krb5_error_code  kssl_check_authent(
        if (auth)               KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
        if (dec_authent)        KRB5_ENCDATA_free(dec_authent);
        if (unenc_authent)      free(unenc_authent);
+       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
        return krb5rc;
        }