Patches from Vern Staats <staatsvr@asc.hpc.mil> to get Kerberos 5 in
SSL according to RFC 2712. His comment is: This is a patch to openssl-SNAP-20010702 to support Kerberized SSL authentication. I'm expecting to have the full kssl-0.5 kit up on sourceforge by the end of the week. The full kit includes patches for mod-ssl, apache, and a few text clients. The sourceforge URL is http://sourceforge.net/projects/kssl/ . Thanks to a note from Simon Wilkinson I've replaced my KRB5 AP_REQ message with a real KerberosWrapper struct. I think this is fully RFC 2712 compliant now, including support for the optional authenticator field. I also added openssl-style ASN.1 macros for a few Kerberos structs; see crypto/krb5/ if you're interested.
										23
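--- a/Configure
+++ b/Configure
@@ -723,6 +723,7 @@ if ($no_krb5
 	}
 else
 	{
+	my ($lresolv, $lpath, $lext);
 	if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
 		{
 		$withargs{"krb5-dir"} = "/usr/heimdal"
@@ -732,7 +733,7 @@ else
 			if $withargs{"krb5-lib"} eq "";
 		$cflags="-DKRB5_HEIMDAL $cflags";
 		}
-	if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]$/)
+	if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]/)
 		{
 		$withargs{"krb5-dir"} = "/usr/kerberos"
 			if $withargs{"krb5-dir"} eq "";
@@ -740,9 +741,27 @@ else
 			"/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto"
 			if $withargs{"krb5-lib"} eq "";
 		$cflags="-DKRB5_MIT $cflags";
+		$withargs{"krb5-flavor"} =~ s/^[Mm][Ii][Tt][._-]*//;
+		if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/)
+			{
+			$cflags="-DKRB5_MIT_OLD11 $cflags";
+			}
 		}
+	LRESOLV:
+	foreach $lpath ("/lib", "/usr/lib")
+		{
+		foreach $lext ("a", "so")
+			{
+			$lresolv = "$lpath/libresolv.$lext";
+			last LRESOLV	if (-r "$lresolv");
+			$lresolv = "";
+			}
+		}
+	$withargs{"krb5-lib"} .= " -lresolv"
+		if ("$lresolv");
 	$withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
-		if $withargs{"krb5-include"} eq "" && $withargs{"krb5-dir"} ne "";
+		if $withargs{"krb5-include"} eq "" &&
+		   $withargs{"krb5-dir"} ne "";
 	}
 
 # The DSO code currently always implements all functions so that no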
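Review bot: The version test added as `if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/)` is an unanchored prefix match, so any later MIT release whose minor number merely begins with 0 or 1 (a hypothetical `MIT-1.10`) would also be compiled with `-DKRB5_MIT_OLD11`; anchoring the minor digit, `if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]\b/)`, restricts it to the 1.0.x and 1.1.x series the flag is meant for. The `LRESOLV` probe only inspects `/lib` and `/usr/lib` for `libresolv.{a,so}`, so on a multilib or non-standard layout `-lresolv` is silently omitted and the problem presumably surfaces only at link time; a configure-time `print "libresolv not found, not adding -lresolv\n"` in the miss case would make that visible. Both the `krb5-dir` and `krb5-lib` values are still taken on trust from the `--with-krb5-*` arguments, which this hunk does not change.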
| @@ -168,7 +168,7 @@ SDIRS=  \ | |||||||
| 	des rc2 rc4 rc5 idea bf cast \ | 	des rc2 rc4 rc5 idea bf cast \ | ||||||
| 	bn ec rsa dsa dh dso engine rijndael \ | 	bn ec rsa dsa dh dso engine rijndael \ | ||||||
| 	buffer bio stack lhash rand err objects \ | 	buffer bio stack lhash rand err objects \ | ||||||
| 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui | 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 | ||||||
|  |  | ||||||
| # tests to perform.  "alltests" is a special word indicating that all tests | # tests to perform.  "alltests" is a special word indicating that all tests | ||||||
| # should be performed. | # should be performed. | ||||||
| @@ -458,7 +458,7 @@ depend: | |||||||
| 	do \ | 	do \ | ||||||
| 	if [ -d "$$i" ]; then \ | 	if [ -d "$$i" ]; then \ | ||||||
| 		(cd $$i && echo "making dependencies $$i..." && \ | 		(cd $$i && echo "making dependencies $$i..." && \ | ||||||
| 		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' depend ) || exit 1; \ | 		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' depend ) || exit 1; \ | ||||||
| 	fi; \ | 	fi; \ | ||||||
| 	done; | 	done; | ||||||
|  |  | ||||||
|   | |||||||
| @@ -863,8 +863,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) | |||||||
| #ifndef OPENSSL_NO_KRB5 | #ifndef OPENSSL_NO_KRB5 | ||||||
| 		if ((con->kssl_ctx = kssl_ctx_new()) != NULL) | 		if ((con->kssl_ctx = kssl_ctx_new()) != NULL) | ||||||
|                         { |                         { | ||||||
|                         kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC); |                         kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, | ||||||
|                         kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB); | 								KRB5SVC); | ||||||
|  |                         kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, | ||||||
|  | 								KRB5KEYTAB); | ||||||
|                         } |                         } | ||||||
| #endif	/* OPENSSL_NO_KRB5 */ | #endif	/* OPENSSL_NO_KRB5 */ | ||||||
| 		if(context) | 		if(context) | ||||||
| @@ -1249,6 +1251,13 @@ static int www_body(char *hostname, int s, unsigned char *context) | |||||||
| 	if (!BIO_set_write_buffer_size(io,bufsize)) goto err; | 	if (!BIO_set_write_buffer_size(io,bufsize)) goto err; | ||||||
|  |  | ||||||
| 	if ((con=SSL_new(ctx)) == NULL) goto err; | 	if ((con=SSL_new(ctx)) == NULL) goto err; | ||||||
|  | #ifndef OPENSSL_NO_KRB5 | ||||||
|  | 	if ((con->kssl_ctx = kssl_ctx_new()) != NULL) | ||||||
|  | 		{ | ||||||
|  | 		kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC); | ||||||
|  | 		kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB); | ||||||
|  | 		} | ||||||
|  | #endif	/* OPENSSL_NO_KRB5 */ | ||||||
| 	if(context) SSL_set_session_id_context(con, context, | 	if(context) SSL_set_session_id_context(con, context, | ||||||
| 					       strlen((char *)context)); | 					       strlen((char *)context)); | ||||||
|  |  | ||||||
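Review bot: The six-line Kerberos set-up is now duplicated verbatim in sv_body() and www_body(), and at both sites the results of kssl_ctx_setstring() are discarded, so a failure to record the service name or keytab path (its return type is declared in ssl/kssl.h, outside this diff) would leave a half-initialised context attached to `con`. A small static helper keeps the two call sites in step and gives one place to check those results once the failure convention is confirmed. The defaults come from kssl.h, where `KRB5KEYTAB` is `/etc/krb5.keytab`, i.e. the host keytab, which s_server can only read when run with the privileges of the Kerberos service; a `-krb5keytab`/`-krb5svc` option would let a test server use a service-specific keytab instead. Both enclosing functions start and end outside the hunks.
```c
#ifndef OPENSSL_NO_KRB5
/* Attach a KRB5 context to con, naming the service principal and keytab
 * the server authenticates with.  Shared by sv_body() and www_body().
 * Returns 1 on success, 0 if no context could be created; callers treat
 * 0 as "no Kerberos on this connection", as the inline code did when
 * kssl_ctx_new() returned NULL. */
static int s_server_kssl_init(SSL *con)
	{
	if ((con->kssl_ctx = kssl_ctx_new()) == NULL)
		return 0;
	/* TODO(review): check these results once kssl_ctx_setstring()'s
	 * failure convention is confirmed against ssl/kssl.c. */
	kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
	kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
	return 1;
	}
#endif	/* OPENSSL_NO_KRB5 */

/* … in sv_body() and www_body(), replacing the inline block … */
#ifndef OPENSSL_NO_KRB5
	s_server_kssl_init(con);
#endif	/* OPENSSL_NO_KRB5 */
```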
|   | |||||||
| @@ -822,6 +822,7 @@ DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT) | |||||||
| DECLARE_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING) | DECLARE_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING) | ||||||
| DECLARE_ASN1_FUNCTIONS(ASN1_T61STRING) | DECLARE_ASN1_FUNCTIONS(ASN1_T61STRING) | ||||||
| DECLARE_ASN1_FUNCTIONS(ASN1_IA5STRING) | DECLARE_ASN1_FUNCTIONS(ASN1_IA5STRING) | ||||||
|  | DECLARE_ASN1_FUNCTIONS(ASN1_GENERALSTRING) | ||||||
| DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME) | DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME) | ||||||
| DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME) | DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME) | ||||||
| DECLARE_ASN1_FUNCTIONS(ASN1_TIME) | DECLARE_ASN1_FUNCTIONS(ASN1_TIME) | ||||||
|   | |||||||
| @@ -91,6 +91,9 @@ IMPLEMENT_ASN1_FUNCTIONS(ASN1_T61STRING) | |||||||
| IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING) | IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING) | ||||||
| IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING) | IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING) | ||||||
|  |  | ||||||
|  | IMPLEMENT_ASN1_TYPE(ASN1_GENERALSTRING) | ||||||
|  | IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALSTRING) | ||||||
|  |  | ||||||
| IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME) | IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME) | ||||||
| IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME) | IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME) | ||||||
|  |  | ||||||
|   | |||||||
										90
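--- /dev/null
+++ b/crypto/krb5/Makefile.ssl
@@ -0,0 +1,90 @@
+#
+# OpenSSL/krb5/Makefile.ssl
+#
+
+DIR=	krb5
+TOP=	../..
+CC=	cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=		make -f Makefile.ssl
+MAKEDEPPROG=	makedepend
+MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=	Makefile.ssl
+AR=		ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= krb5_asn.c
+
+LIBOBJ= krb5_asn.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= krb5_asn.h
+HEADER=	$(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+	(cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:	lib
+
+lib:	$(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	$(RANLIB) $(LIB)
+	@touch lib
+
+files:
+	perl $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+	$(TOP)/util/point.sh Makefile.ssl Makefile ;
+	$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+	$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+	$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+	@for i in $(EXHEADER) ; \
+	do  \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	done;
+
+tags:
+	ctags $(SRC)
+
+tests:
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+krb5_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+krb5_asn.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+krb5_asn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+krb5_asn.o: ../../include/openssl/krb5_asn.h
+krb5_asn.o: ../../include/openssl/opensslconf.h
+krb5_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+krb5_asn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+krb5_asn.o: krb5_asn.c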
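Review bot: `GENERAL=Makefile README` names a README that this commit does not add (the new files listed are Makefile.ssl, krb5_asn.c and krb5_asn.h), so whatever consumes `$(ALL)` through the `files:` target and util/files.pl will reference a file that does not exist; either drop README from GENERAL or add a short crypto/krb5/README saying which RFC 1510 structures the templates cover. The `tests:` target is empty, so nothing in the tree round-trips the new decoders; an `i2d`/`d2i` self-test of KRB5_APREQ, even one driven from the existing test directory, would be worth adding.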
										164
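--- /dev/null
+++ b/crypto/krb5/krb5_asn.c
@@ -0,0 +1,164 @@
+/* krb5_asn.c */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
+** using ocsp/{*.h,*asn*.c} as a starting point
+*/
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/krb5_asn.h>
+
+
+ASN1_SEQUENCE(KRB5_ENCDATA) = {
+	ASN1_EXP(KRB5_ENCDATA, etype,		ASN1_INTEGER,	  0),
+	ASN1_EXP_OPT(KRB5_ENCDATA, kvno,	ASN1_INTEGER,	  1),
+	ASN1_EXP(KRB5_ENCDATA, cipher,		ASN1_OCTET_STRING,2)
+} ASN1_SEQUENCE_END(KRB5_ENCDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_ENCDATA)
+
+
+ASN1_SEQUENCE(KRB5_PRINCNAME) = {
+	ASN1_EXP(KRB5_PRINCNAME, nametype,	ASN1_INTEGER,	  0),
+	ASN1_EXP_SEQUENCE_OF(KRB5_PRINCNAME, namestring, ASN1_GENERALSTRING, 1)
+} ASN1_SEQUENCE_END(KRB5_PRINCNAME)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_PRINCNAME)
+
+
+/* [APPLICATION 1] = 0x61 */
+ASN1_SEQUENCE(KRB5_TKTBODY) = {
+	ASN1_EXP(KRB5_TKTBODY, tktvno,		ASN1_INTEGER,	  0),
+	ASN1_EXP(KRB5_TKTBODY, realm, 		ASN1_GENERALSTRING, 1),
+	ASN1_EXP(KRB5_TKTBODY, sname,		KRB5_PRINCNAME,	  2),
+	ASN1_EXP(KRB5_TKTBODY, encdata,		KRB5_ENCDATA,	  3)
+} ASN1_SEQUENCE_END(KRB5_TKTBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_TICKET) = 
+	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 1,
+			KRB5_TICKET, KRB5_TKTBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_TICKET)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_TICKET)
+
+
+/* [APPLICATION 14] = 0x6e */
+ASN1_SEQUENCE(KRB5_APREQBODY) = {
+	ASN1_EXP(KRB5_APREQBODY, pvno,		ASN1_INTEGER,	  0),
+	ASN1_EXP(KRB5_APREQBODY, msgtype,	ASN1_INTEGER,	  1),
+	ASN1_EXP(KRB5_APREQBODY, apoptions,	ASN1_BIT_STRING,  2),
+	ASN1_EXP(KRB5_APREQBODY, ticket, 	KRB5_TICKET,	  3),
+	ASN1_EXP(KRB5_APREQBODY, authenticator,	KRB5_ENCDATA,	  4),
+} ASN1_SEQUENCE_END(KRB5_APREQBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_APREQBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_APREQ) = 
+	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 14,
+			KRB5_APREQ, KRB5_APREQBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_APREQ)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_APREQ)
+
+
+/*  Authenticator stuff 	*/
+
+ASN1_SEQUENCE(KRB5_CHECKSUM) = {
+	ASN1_EXP(KRB5_CHECKSUM, ctype,		ASN1_INTEGER,	  0),
+	ASN1_EXP(KRB5_CHECKSUM, checksum,	ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_CHECKSUM)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_CHECKSUM)
+
+
+ASN1_SEQUENCE(KRB5_ENCKEY) = {
+	ASN1_EXP(KRB5_ENCKEY,	ktype,		ASN1_INTEGER,	  0),
+	ASN1_EXP(KRB5_ENCKEY,	keyvalue,	ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_ENCKEY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_ENCKEY)
+
+
+/* SEQ OF SEQ; see ASN1_EXP_SEQUENCE_OF_OPT() below */
+ASN1_SEQUENCE(KRB5_AUTHDATA) = {
+	ASN1_EXP(KRB5_AUTHDATA,	adtype,		ASN1_INTEGER,	  0),
+	ASN1_EXP(KRB5_AUTHDATA,	addata, 	ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_AUTHDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHDATA)
+
+
+/* [APPLICATION 2] = 0x62 */
+ASN1_SEQUENCE(KRB5_AUTHENTBODY) = {
+	ASN1_EXP(KRB5_AUTHENTBODY,	avno,	ASN1_INTEGER,	  0),
+	ASN1_EXP(KRB5_AUTHENTBODY,	crealm,	ASN1_GENERALSTRING, 1),
+	ASN1_EXP(KRB5_AUTHENTBODY,	cname,	KRB5_PRINCNAME,	  2),
+	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	cksum,	KRB5_CHECKSUM,	  3),
+	ASN1_EXP(KRB5_AUTHENTBODY,	cusec,	ASN1_INTEGER,	  4),
+	ASN1_EXP(KRB5_AUTHENTBODY,	ctime,	ASN1_GENERALIZEDTIME, 5),
+	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	subkey,	KRB5_ENCKEY,	  6),
+	ASN1_EXP_OPT(KRB5_AUTHENTBODY,	seqnum,	ASN1_INTEGER,	  7),
+	ASN1_EXP_SEQUENCE_OF_OPT
+		    (KRB5_AUTHENTBODY,	authorization,	KRB5_AUTHDATA, 8),
+} ASN1_SEQUENCE_END(KRB5_AUTHENTBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHENTBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_AUTHENT) = 
+	ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 2,
+			KRB5_AUTHENT, KRB5_AUTHENTBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_AUTHENT)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHENT)
+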
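Review bot: Nothing in this file says that these templates decode bytes arriving from an unauthenticated peer (the client's AP-REQ carried in the RFC 2712 KerberosWrapper), and they check structure only: `realm`, `crealm` and every `namestring` element are ASN1_GENERALSTRINGs that are neither NUL-terminated nor character-set checked, `apoptions` is accepted as a BIT STRING of any length although RFC 1510 defines APOptions as a 32-bit string, and `ctime` is a plain ASN1_GENERALIZEDTIME although, as I read RFC 1510, KerberosTime permits only the `Z` form without fractional seconds. A file-level comment stating that — e.g. `/* These templates validate ASN.1 structure only.  Callers must treat every decoded field as untrusted: use ->length rather than assuming NUL termination, bound-check apoptions->length before reading bits, and validate ctime before comparing it against the clock. */` — keeps consumers in ssl/kssl.c from assuming more than the decoder guarantees. The comment `/* SEQ OF SEQ; see ASN1_EXP_SEQUENCE_OF_OPT() below */` above KRB5_AUTHDATA would be clearer as `/* One element of AuthorizationData (SEQUENCE OF this SEQUENCE); the SEQUENCE OF is applied by ASN1_EXP_SEQUENCE_OF_OPT in KRB5_AUTHENTBODY below. */`.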
										256
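--- /dev/null
+++ b/crypto/krb5/krb5_asn.h
@@ -0,0 +1,256 @@
+/* krb5_asn.h */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
+** using ocsp/{*.h,*asn*.c} as a starting point
+*/
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_KRB5_ASN_H
+#define HEADER_KRB5_ASN_H
+
+/*
+#include <krb5.h>
+*/
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+/*	ASN.1 from Kerberos RFC 1510
+*/
+
+/*	EncryptedData ::=   SEQUENCE {
+**		etype[0]                      INTEGER, -- EncryptionType
+**		kvno[1]                       INTEGER OPTIONAL,
+**		cipher[2]                     OCTET STRING -- ciphertext
+**	}
+*/
+typedef	struct	krb5_encdata_st
+	{
+	ASN1_INTEGER			*etype;
+	ASN1_INTEGER			*kvno;
+	ASN1_OCTET_STRING		*cipher;
+	}	KRB5_ENCDATA;
+
+DECLARE_STACK_OF(KRB5_ENCDATA)
+
+/*	PrincipalName ::=   SEQUENCE {
+**		name-type[0]                  INTEGER,
+**		name-string[1]                SEQUENCE OF GeneralString
+**	}
+*/
+typedef	struct	krb5_princname_st
+	{
+	ASN1_INTEGER			*nametype;
+	STACK_OF(ASN1_GENERALSTRING)	*namestring;
+	}	KRB5_PRINCNAME;
+
+DECLARE_STACK_OF(KRB5_PRINCNAME)
+
+
+/*	Ticket ::=	[APPLICATION 1] SEQUENCE {
+**		tkt-vno[0]                    INTEGER,
+**		realm[1]                      Realm,
+**		sname[2]                      PrincipalName,
+**		enc-part[3]                   EncryptedData
+**	}
+*/
+typedef	struct	krb5_tktbody_st
+	{
+	ASN1_INTEGER			*tktvno;
+	ASN1_GENERALSTRING		*realm;
+	KRB5_PRINCNAME			*sname;
+	KRB5_ENCDATA			*encdata;
+	}	KRB5_TKTBODY;
+
+typedef STACK_OF(KRB5_TKTBODY) KRB5_TICKET;
+DECLARE_STACK_OF(KRB5_TKTBODY)
+
+
+/*	AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+**		pvno[0]                       INTEGER,
+**		msg-type[1]                   INTEGER,
+**		ap-options[2]                 APOptions,
+**		ticket[3]                     Ticket,
+**		authenticator[4]              EncryptedData
+**	}
+**
+**	APOptions ::=   BIT STRING {
+**		reserved(0), use-session-key(1), mutual-required(2) }
+*/
+typedef	struct	krb5_ap_req_st
+	{
+	ASN1_INTEGER			*pvno;
+	ASN1_INTEGER			*msgtype;
+	ASN1_BIT_STRING			*apoptions;
+	KRB5_TICKET			*ticket;
+	KRB5_ENCDATA			*authenticator;
+	}	KRB5_APREQBODY;
+
+typedef STACK_OF(KRB5_APREQBODY) KRB5_APREQ;
+DECLARE_STACK_OF(KRB5_APREQBODY)
+
+
+/*	Authenticator Stuff	*/
+
+
+/*	Checksum ::=   SEQUENCE {
+**		cksumtype[0]                  INTEGER,
+**		checksum[1]                   OCTET STRING
+**	}
+*/
+typedef	struct	krb5_checksum_st
+	{
+	ASN1_INTEGER			*ctype;
+	ASN1_OCTET_STRING		*checksum;
+	}	KRB5_CHECKSUM;
+
+DECLARE_STACK_OF(KRB5_CHECKSUM)
+
+
+/*	EncryptionKey ::=   SEQUENCE {
+**		keytype[0]                    INTEGER,
+**		keyvalue[1]                   OCTET STRING
+**	}
+*/
+typedef struct  krb5_encryptionkey_st
+	{
+	ASN1_INTEGER			*ktype;
+	ASN1_OCTET_STRING		*keyvalue;
+	}	KRB5_ENCKEY;
+
+DECLARE_STACK_OF(KRB5_ENCKEY)
+
+
+/*	AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+**		ad-type[0]                    INTEGER,
+**              ad-data[1]                    OCTET STRING
+**	}
+*/
+typedef struct	krb5_authorization_st
+	{
+	ASN1_INTEGER			*adtype;
+	ASN1_OCTET_STRING		*addata;
+	}	KRB5_AUTHDATA;
+
+DECLARE_STACK_OF(KRB5_AUTHDATA);
+
+			
+/*	-- Unencrypted authenticator
+**	Authenticator ::=    [APPLICATION 2] SEQUENCE    {
+**		authenticator-vno[0]          INTEGER,
+**		crealm[1]                     Realm,
+**		cname[2]                      PrincipalName,
+**		cksum[3]                      Checksum OPTIONAL,
+**		cusec[4]                      INTEGER,
+**		ctime[5]                      KerberosTime,
+**		subkey[6]                     EncryptionKey OPTIONAL,
+**		seq-number[7]                 INTEGER OPTIONAL,
+**		authorization-data[8]         AuthorizationData OPTIONAL
+**	}
+*/
+typedef struct	krb5_authenticator_st
+	{
+	ASN1_INTEGER			*avno;
+	ASN1_GENERALSTRING		*crealm;
+	KRB5_PRINCNAME			*cname;
+	KRB5_CHECKSUM			*cksum;
+	ASN1_INTEGER			*cusec;
+	ASN1_GENERALIZEDTIME		*ctime;
+	KRB5_ENCKEY			*subkey;
+	ASN1_INTEGER			*seqnum;
+	KRB5_AUTHDATA			*authorization;
+	}	KRB5_AUTHENTBODY;
+
+typedef STACK_OF(KRB5_AUTHENTBODY) KRB5_AUTHENT;
+DECLARE_STACK_OF(KRB5_AUTHENTBODY)
+
+
+/*  DECLARE_ASN1_FUNCTIONS(type) = DECLARE_ASN1_FUNCTIONS_name(type, type) =
+**	type *name##_new(void);
+**	void name##_free(type *a);
+**	DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
+**	 DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
+**	  type *d2i_##name(type **a, unsigned char **in, long len);
+**	  int i2d_##name(type *a, unsigned char **out);
+**	  DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
+*/
+
+DECLARE_ASN1_FUNCTIONS(KRB5_ENCDATA)
+DECLARE_ASN1_FUNCTIONS(KRB5_PRINCNAME)
+DECLARE_ASN1_FUNCTIONS(KRB5_TKTBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_APREQBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_TICKET)
+DECLARE_ASN1_FUNCTIONS(KRB5_APREQ)
+
+DECLARE_ASN1_FUNCTIONS(KRB5_CHECKSUM)
+DECLARE_ASN1_FUNCTIONS(KRB5_ENCKEY)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHDATA)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHENTBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHENT)
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+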
							
								
								
									
										948
									
								
								ssl/kssl.c
									
									
									
									
									
								
							
										
											
												File diff suppressed because it is too large
										29
									
								
								ssl/kssl.h
									
									
									
									
									
								
							| @@ -96,6 +96,17 @@ typedef unsigned char krb5_octet; | |||||||
| #define KRB5KEYTAB	"/etc/krb5.keytab" | #define KRB5KEYTAB	"/etc/krb5.keytab" | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
|  | #ifndef KRB5SENDAUTH | ||||||
|  | #define KRB5SENDAUTH	1 | ||||||
|  | #endif | ||||||
|  |  | ||||||
|  | #ifndef KRB5CHECKAUTH | ||||||
|  | #define KRB5CHECKAUTH	1 | ||||||
|  | #endif | ||||||
|  |  | ||||||
|  | #ifndef KSSL_CLOCKSKEW | ||||||
|  | #define	KSSL_CLOCKSKEW	300; | ||||||
|  | #endif | ||||||
|  |  | ||||||
| #define	KSSL_ERR_MAX	255 | #define	KSSL_ERR_MAX	255 | ||||||
| typedef struct kssl_err_st  { | typedef struct kssl_err_st  { | ||||||
| @@ -139,6 +150,8 @@ void print_krb5_keyblock(char *label, krb5_keyblock *keyblk); | |||||||
| char *kstring(char *string); | char *kstring(char *string); | ||||||
| char *knumber(int len, krb5_octet *contents); | char *knumber(int len, krb5_octet *contents); | ||||||
|  |  | ||||||
|  | EVP_CIPHER *kssl_map_enc(krb5_enctype enctype); | ||||||
|  |  | ||||||
|  |  | ||||||
| /* Public (for use by applications that use OpenSSL with Kerberos 5 support */ | /* Public (for use by applications that use OpenSSL with Kerberos 5 support */ | ||||||
| krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text); | krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text); | ||||||
| @@ -147,13 +160,21 @@ KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx); | |||||||
| void kssl_ctx_show(KSSL_CTX *kssl_ctx); | void kssl_ctx_show(KSSL_CTX *kssl_ctx); | ||||||
| krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, | krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, | ||||||
|         krb5_data *realm, krb5_data *entity); |         krb5_data *realm, krb5_data *entity); | ||||||
| krb5_error_code	kssl_cget_tkt(KSSL_CTX *kssl_ctx,  krb5_data *ap_req, | krb5_error_code	kssl_cget_tkt(KSSL_CTX *kssl_ctx,  krb5_data **enc_tktp, | ||||||
|         KSSL_ERR *kssl_err); |         krb5_data *authenp, KSSL_ERR *kssl_err); | ||||||
| krb5_error_code	kssl_sget_tkt(KSSL_CTX *kssl_ctx,  char *msg, int msglen, | krb5_error_code	kssl_sget_tkt(KSSL_CTX *kssl_ctx,  krb5_data *indata, | ||||||
|         KSSL_ERR *kssl_err); |         krb5_ticket_times *ttimes, KSSL_ERR *kssl_err); | ||||||
| krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session); | krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session); | ||||||
| void	kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text); | void	kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text); | ||||||
| void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data); | void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data); | ||||||
|  | krb5_error_code  kssl_build_principal_2(krb5_context context, | ||||||
|  | 			krb5_principal *princ, int rlen, const char *realm, | ||||||
|  | 			int slen, const char *svc, int hlen, const char *host); | ||||||
|  | krb5_error_code  kssl_validate_times(krb5_timestamp atime, | ||||||
|  | 					krb5_ticket_times *ttimes); | ||||||
|  | krb5_error_code  kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp, | ||||||
|  | 			            krb5_timestamp *atimep, KSSL_ERR *kssl_err); | ||||||
|  | unsigned char	*kssl_skip_confound(krb5_enctype enctype, unsigned char *authn); | ||||||
|  |  | ||||||
| #ifdef  __cplusplus | #ifdef  __cplusplus | ||||||
| } | } | ||||||
|   | |||||||
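Review bot: `#define KSSL_CLOCKSKEW 300;` in the new block at @@ -96 carries a trailing semicolon, so the macro expands to `300;` and fails to compile the moment it is used inside an expression such as `if (delta > KSSL_CLOCKSKEW)`; it only works by accident in statement context, where `skew = KSSL_CLOCKSKEW;` becomes `300;;`. Change it to `#define KSSL_CLOCKSKEW 300`, in line with the KRB5SENDAUTH/KRB5CHECKAUTH `#ifndef` override pattern directly above it. The three new prototypes at the end of the second hunk carry no contract; from the s3_srvr.c caller one can only infer that `kssl_validate_times` returns an SSL reason code (presumably the new SSL_R_KRB5_S_TKT_EXPIRED/NYV/SKEW values) and that `authtime == 0` is the "no authenticator" case, so a one-line comment on each stating exactly that, plus what `kssl_skip_confound` returns and who owns the pointed-to memory, would spare readers a trip into ssl/kssl.c, which this page suppresses. The KSSL_CLOCKSKEW window also deserves a comment saying it is in seconds and is the tolerance applied to the authenticator timestamp, if that is indeed how kssl.c uses it.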
							
								
								
									
										146
									
								
								ssl/s3_clnt.c
									
									
									
									
									
								
							| @@ -785,13 +785,13 @@ static int ssl3_get_server_certificate(SSL *s) | |||||||
| 	 * certificate, which we don't include in s3_srvr.c */ | 	 * certificate, which we don't include in s3_srvr.c */ | ||||||
| 	x=sk_X509_value(sk,0); | 	x=sk_X509_value(sk,0); | ||||||
| 	sk=NULL; | 	sk=NULL; | ||||||
|  	/* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end */ |  	/* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ | ||||||
|  |  | ||||||
| 	pkey=X509_get_pubkey(x); | 	pkey=X509_get_pubkey(x); | ||||||
|  |  | ||||||
|         /* VRS: allow null cert if auth == KRB5 */ |         /* VRS: allow null cert if auth == KRB5 */ | ||||||
|         need_cert = |         need_cert =	((s->s3->tmp.new_cipher->algorithms | ||||||
|                 ((s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) | 			& (SSL_MKEY_MASK|SSL_AUTH_MASK)) | ||||||
|                         == (SSL_aKRB5|SSL_kKRB5))? 0: 1; |                         == (SSL_aKRB5|SSL_kKRB5))? 0: 1; | ||||||
|  |  | ||||||
| #ifdef KSSL_DEBUG | #ifdef KSSL_DEBUG | ||||||
| @@ -801,11 +801,12 @@ static int ssl3_get_server_certificate(SSL *s) | |||||||
|                 s->s3->tmp.new_cipher->algorithms, need_cert); |                 s->s3->tmp.new_cipher->algorithms, need_cert); | ||||||
| #endif    /* KSSL_DEBUG */ | #endif    /* KSSL_DEBUG */ | ||||||
|  |  | ||||||
| 	if (need_cert  &&  ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) | 	if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) | ||||||
| 		{ | 		{ | ||||||
| 		x=NULL; | 		x=NULL; | ||||||
| 		al=SSL3_AL_FATAL; | 		al=SSL3_AL_FATAL; | ||||||
| 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); | 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, | ||||||
|  | 			SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); | ||||||
| 		goto f_err; | 		goto f_err; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| @@ -814,7 +815,8 @@ static int ssl3_get_server_certificate(SSL *s) | |||||||
| 		{ | 		{ | ||||||
| 		x=NULL; | 		x=NULL; | ||||||
| 		al=SSL3_AL_FATAL; | 		al=SSL3_AL_FATAL; | ||||||
| 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE); | 		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, | ||||||
|  | 			SSL_R_UNKNOWN_CERTIFICATE_TYPE); | ||||||
| 		goto f_err; | 		goto f_err; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| @@ -1427,65 +1429,121 @@ static int ssl3_send_client_key_exchange(SSL *s) | |||||||
|                         { |                         { | ||||||
|                         krb5_error_code	krb5rc; |                         krb5_error_code	krb5rc; | ||||||
|                         KSSL_CTX	*kssl_ctx = s->kssl_ctx; |                         KSSL_CTX	*kssl_ctx = s->kssl_ctx; | ||||||
|                         krb5_data	krb5_ap_req; |                         /*  krb5_data	krb5_ap_req;  */ | ||||||
|  |                         krb5_data	*enc_ticket; | ||||||
|  |                         krb5_data	authenticator, *authp = NULL; | ||||||
|  | 			EVP_CIPHER_CTX	ciph_ctx; | ||||||
|  | 			EVP_CIPHER	*enc = NULL; | ||||||
|  | 			unsigned char	iv[EVP_MAX_IV_LENGTH]; | ||||||
|  | 			unsigned char	tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; | ||||||
|  | 			unsigned char	epms[SSL_MAX_MASTER_KEY_LENGTH  | ||||||
|  | 						+ EVP_MAX_IV_LENGTH]; | ||||||
|  | 			int 		padl, outl = sizeof(epms); | ||||||
|  |  | ||||||
| #ifdef KSSL_DEBUG | #ifdef KSSL_DEBUG | ||||||
|                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n", |                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n", | ||||||
|                                 l, SSL_kKRB5); |                                 l, SSL_kKRB5); | ||||||
| #endif	/* KSSL_DEBUG */ | #endif	/* KSSL_DEBUG */ | ||||||
|  |  | ||||||
|                         /* | 			authp = NULL; | ||||||
|                         **	Tried to send random tmp_buf[] as PMS in Kerberos ticket | #ifdef KRB5SENDAUTH | ||||||
|                         **	by passing  krb5_mk_req_extended(ctx,authctx,opts, tmp_buf, ...) | 			if (KRB5SENDAUTH)  authp = &authenticator; | ||||||
|                         **	but: I can't retrieve the PMS on the other side!  There is | #endif	/* KRB5SENDAUTH */ | ||||||
|                         **	some indication in the krb5 source that this is only used |  | ||||||
|                         **	to generate a checksum.  OTOH, the Tung book shows data |                         krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, | ||||||
|                         **	("GET widget01.txt") being passed in krb5_mk_req_extended() | 				&kssl_err); | ||||||
|                         **	by way of krb5_sendauth().  I don't get it. | 			enc = kssl_map_enc(kssl_ctx->enctype); | ||||||
|                         **	Until Kerberos goes 3DES, the big PMS secret would only be |  | ||||||
|                         **	encrypted in 1-DES anyway.  So losing the PMS shouldn't be |  | ||||||
|                         **	a big deal. |  | ||||||
|                         */ |  | ||||||
|                         krb5rc = kssl_cget_tkt(kssl_ctx, &krb5_ap_req, |  | ||||||
|                                 &kssl_err); |  | ||||||
| #ifdef KSSL_DEBUG | #ifdef KSSL_DEBUG | ||||||
|                         { |                         { | ||||||
|                         printf("kssl_cget_tkt rtn %d\n", krb5rc); |                         printf("kssl_cget_tkt rtn %d\n", krb5rc); | ||||||
|                         kssl_ctx_show(kssl_ctx); |  | ||||||
|                         if (krb5rc && kssl_err.text) |                         if (krb5rc && kssl_err.text) | ||||||
|                                 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); | 			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); | ||||||
|                         } |                         } | ||||||
| #endif	/* KSSL_DEBUG */ | #endif	/* KSSL_DEBUG */ | ||||||
|  |  | ||||||
|                         if (krb5rc) |                         if (krb5rc) | ||||||
|                                 { |                                 { | ||||||
|                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); |                                 ssl3_send_alert(s,SSL3_AL_FATAL, | ||||||
|                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason); | 						SSL_AD_HANDSHAKE_FAILURE); | ||||||
|  |                                 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||||||
|  | 						kssl_err.reason); | ||||||
|                                 goto err; |                                 goto err; | ||||||
|                                 } |                                 } | ||||||
|  |  | ||||||
|                         /*	Send ticket (copy to *p, set n = length) | 			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ | ||||||
|                          */ | 			**  in place of RFC 2712 KerberosWrapper, as in: | ||||||
|                         n = krb5_ap_req.length; | 			** | ||||||
|                         memcpy(p, krb5_ap_req.data, krb5_ap_req.length); |                         **  Send ticket (copy to *p, set n = length) | ||||||
|                         if (krb5_ap_req.data)   |                         **  n = krb5_ap_req.length; | ||||||
|                                 kssl_krb5_free_data_contents(NULL,&krb5_ap_req); |                         **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length); | ||||||
|  |                         **  if (krb5_ap_req.data)   | ||||||
|  |                         **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req); | ||||||
|  |                         ** | ||||||
|  | 			**  Now using real RFC 2712 KerberosWrapper | ||||||
|  | 			**  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) | ||||||
|  | 			**  Note: 2712 "opaque" types are here replaced | ||||||
|  | 			**  with a 2-byte length followed by the value. | ||||||
|  | 			**  Example: | ||||||
|  | 			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms | ||||||
|  | 			**  Where "xx xx" = length bytes.  Shown here with | ||||||
|  | 			**  optional authenticator omitted. | ||||||
|  | 			*/ | ||||||
|  |  | ||||||
|  | 			/*  KerberosWrapper.Ticket		*/ | ||||||
|  | 			s2n(enc_ticket->length,p); | ||||||
|  | 			memcpy(p, enc_ticket->data, enc_ticket->length); | ||||||
|  | 			p+= enc_ticket->length; | ||||||
|  | 			n = enc_ticket->length + 2; | ||||||
|  |  | ||||||
|  | 			/*  KerberosWrapper.Authenticator	*/ | ||||||
|  | 			if (authp  &&  authp->length)   | ||||||
|  | 				{ | ||||||
|  | 				s2n(authp->length,p); | ||||||
|  | 				memcpy(p, authp->data, authp->length); | ||||||
|  | 				p+= authp->length; | ||||||
|  | 				n+= authp->length + 2; | ||||||
|  | 				 | ||||||
|  | 				free(authp->data); | ||||||
|  | 				authp->data = NULL; | ||||||
|  | 				authp->length = 0; | ||||||
|  | 				} | ||||||
|  | 			else | ||||||
|  | 				{ | ||||||
|  | 				s2n(0,p);/*  null authenticator length	*/ | ||||||
|  | 				n+=2; | ||||||
|  | 				} | ||||||
|  |   | ||||||
|  | 			if (RAND_bytes(tmp_buf,SSL_MAX_MASTER_KEY_LENGTH) <= 0) | ||||||
|  | 			    goto err; | ||||||
|  |  | ||||||
|  | 			/*  20010420 VRS.  Tried it this way; failed. | ||||||
|  | 			**	EVP_EncryptInit(&ciph_ctx,enc, NULL,NULL); | ||||||
|  | 			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx, | ||||||
|  | 			**				kssl_ctx->length); | ||||||
|  | 			**	EVP_EncryptInit(&ciph_ctx,NULL, key,iv); | ||||||
|  | 			*/ | ||||||
|  |  | ||||||
|  | 			memset(iv, 0, EVP_MAX_IV_LENGTH);  /* per RFC 1510 */ | ||||||
|  | 			EVP_EncryptInit(&ciph_ctx,enc, kssl_ctx->key,iv); | ||||||
|  | 			EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, | ||||||
|  | 						SSL_MAX_MASTER_KEY_LENGTH); | ||||||
|  | 			EVP_EncryptFinal(&ciph_ctx,&(epms[outl]),&padl); | ||||||
|  | 			outl += padl; | ||||||
|  | 			EVP_CIPHER_CTX_cleanup(&ciph_ctx); | ||||||
|  |  | ||||||
|  | 			/*  KerberosWrapper.EncryptedPreMasterSecret	*/ | ||||||
|  | 			s2n(outl,p); | ||||||
|  | 			memcpy(p, epms, outl); | ||||||
|  | 			p+=outl; | ||||||
|  | 			n+=outl + 2; | ||||||
|  |  | ||||||
|                         /*	19991013 VRS -	3DES is kind of bogus here, |  | ||||||
|                         **	at least until Kerberos supports 3DES.  The only |  | ||||||
|                         **	real secret is the 8-byte Kerberos session key; |  | ||||||
|                         **	the other key material ((s->) client_random, server_random) |  | ||||||
|                         **	could be sniffed.  Mixing in these nonces should help |  | ||||||
|                         **	protect against replay attacks, however. |  | ||||||
|                         ** |  | ||||||
|                         **	Alternate code for Kerberos Purists: |  | ||||||
|                         ** |  | ||||||
|                         **	memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length); |  | ||||||
|                         **	s->session->master_key_length = kssl_ctx->length; |  | ||||||
|                         */ |  | ||||||
|                         s->session->master_key_length= |                         s->session->master_key_length= | ||||||
|                                 s->method->ssl3_enc->generate_master_secret(s, |                                 s->method->ssl3_enc->generate_master_secret(s, | ||||||
|                                         s->session->master_key,	kssl_ctx->key,kssl_ctx->length); | 					s->session->master_key, | ||||||
|  | 					tmp_buf, SSL_MAX_MASTER_KEY_LENGTH); | ||||||
|  |  | ||||||
|  | 			memset(tmp_buf, 0, SSL_MAX_MASTER_KEY_LENGTH); | ||||||
|  | 			memset(epms, 0, outl); | ||||||
|                         } |                         } | ||||||
| #endif | #endif | ||||||
| #ifndef OPENSSL_NO_DH | #ifndef OPENSSL_NO_DH | ||||||
|   | |||||||
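Review bot: In the @@ -1427 hunk the result of `enc = kssl_map_enc(kssl_ctx->enctype)` is never checked, so an enctype the mapper does not recognise leaves `enc == NULL` and the code proceeds to `EVP_EncryptInit(&ciph_ctx, NULL, ...)` with the ticket already serialised into `p`; after the `krb5rc` test add `if (enc == NULL) { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSL_R_KRB5); goto err; }` (SSL_R_KRB5 is introduced by this commit, and the server side has the same gap). The authenticator buffer is released with bare `free(authp->data)` while the code this replaces, and kssl.h, use `kssl_krb5_free_data_contents()` for krb5_data obtained from the Kerberos library; unless kssl_cget_tkt is known to allocate it with malloc() this pairs the wrong deallocator, so use the kssl helper. The return values of `EVP_EncryptUpdate`/`EVP_EncryptFinal` are ignored, and `enc_ticket` is not released on either path in this hunk — if kssl_cget_tkt allocates it (not visible here, kssl.c is suppressed) it leaks once per handshake. ssl3_send_client_key_exchange starts and ends outside the hunk.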
							
								
								
									
										113
									
								
								ssl/s3_srvr.c
									
									
									
									
									
								
							| @@ -66,6 +66,7 @@ | |||||||
| #include <openssl/objects.h> | #include <openssl/objects.h> | ||||||
| #include <openssl/evp.h> | #include <openssl/evp.h> | ||||||
| #include <openssl/x509.h> | #include <openssl/x509.h> | ||||||
|  | #include <openssl/krb5_asn.h> | ||||||
| #include "ssl_locl.h" | #include "ssl_locl.h" | ||||||
|  |  | ||||||
| #ifndef OPENSSL_NO_KRB5 | #ifndef OPENSSL_NO_KRB5 | ||||||
| @@ -1452,13 +1453,46 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||||||
| #ifndef OPENSSL_NO_KRB5 | #ifndef OPENSSL_NO_KRB5 | ||||||
|         if (l & SSL_kKRB5) |         if (l & SSL_kKRB5) | ||||||
|                 { |                 { | ||||||
|                 krb5_error_code	krb5rc; |                 krb5_error_code		krb5rc; | ||||||
|                 KSSL_CTX	*kssl_ctx = s->kssl_ctx; | 		krb5_data		enc_ticket; | ||||||
|  | 		krb5_data		authenticator; | ||||||
|  | 		krb5_data		enc_pms; | ||||||
|  |                 KSSL_CTX		*kssl_ctx = s->kssl_ctx; | ||||||
|  | 		EVP_CIPHER_CTX		ciph_ctx; | ||||||
|  | 		EVP_CIPHER		*enc = NULL; | ||||||
|  | 		unsigned char		iv[EVP_MAX_IV_LENGTH]; | ||||||
|  | 		unsigned char		pms[SSL_MAX_MASTER_KEY_LENGTH]; | ||||||
|  | 		int 			padl, outl = sizeof(pms); | ||||||
|  | 		krb5_timestamp		authtime = 0; | ||||||
|  | 		krb5_ticket_times	ttimes; | ||||||
|  |  | ||||||
|                 if (!kssl_ctx)  kssl_ctx = kssl_ctx_new(); |                 if (!kssl_ctx)  kssl_ctx = kssl_ctx_new(); | ||||||
|                 if ((krb5rc = kssl_sget_tkt(kssl_ctx, |  | ||||||
|                         s->init_buf->data, s->init_buf->length, | 		n2s(p,i); | ||||||
|                         &kssl_err)) != 0) | 		enc_ticket.length = i; | ||||||
|  | 		enc_ticket.data = p; | ||||||
|  | 		p+=enc_ticket.length; | ||||||
|  |  | ||||||
|  | 		n2s(p,i); | ||||||
|  | 		authenticator.length = i; | ||||||
|  | 		authenticator.data = p; | ||||||
|  | 		p+=authenticator.length; | ||||||
|  |  | ||||||
|  | 		n2s(p,i); | ||||||
|  | 		enc_pms.length = i; | ||||||
|  | 		enc_pms.data = p; | ||||||
|  | 		p+=enc_pms.length; | ||||||
|  |  | ||||||
|  | 		if (n != enc_ticket.length + authenticator.length + | ||||||
|  | 						enc_pms.length + 6) | ||||||
|  | 			{ | ||||||
|  | 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||||||
|  | 				SSL_R_DATA_LENGTH_TOO_LONG); | ||||||
|  | 			goto err; | ||||||
|  | 			} | ||||||
|  |  | ||||||
|  |                 if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, | ||||||
|  | 					&kssl_err)) != 0) | ||||||
|                         { |                         { | ||||||
| #ifdef KSSL_DEBUG | #ifdef KSSL_DEBUG | ||||||
|                         printf("kssl_sget_tkt rtn %d [%d]\n", |                         printf("kssl_sget_tkt rtn %d [%d]\n", | ||||||
| @@ -1471,34 +1505,71 @@ static int ssl3_get_client_key_exchange(SSL *s) | |||||||
|                         goto err; |                         goto err; | ||||||
|                         } |                         } | ||||||
|  |  | ||||||
|  | 		/*  Note: no authenticator is not considered an error, | ||||||
|  | 		**  but will return authtime == 0. | ||||||
|  | 		*/ | ||||||
|  | 		if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, | ||||||
|  | 					&authtime, &kssl_err)) != 0) | ||||||
|  | 			{ | ||||||
|  | #ifdef KSSL_DEBUG | ||||||
|  |                         printf("kssl_check_authent rtn %d [%d]\n", | ||||||
|  |                                 krb5rc, kssl_err.reason); | ||||||
|  |                         if (kssl_err.text) | ||||||
|  |                                 printf("kssl_err text= %s\n", kssl_err.text); | ||||||
|  | #endif	/* KSSL_DEBUG */ | ||||||
|  |                         SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, | ||||||
|  |                                 kssl_err.reason); | ||||||
|  |                         goto err; | ||||||
|  | 			} | ||||||
|  |  | ||||||
|  | 		if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) | ||||||
|  | 			{ | ||||||
|  | 			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc); | ||||||
|  |                         goto err; | ||||||
|  | 			} | ||||||
|  |  | ||||||
| #ifdef KSSL_DEBUG | #ifdef KSSL_DEBUG | ||||||
|                 kssl_ctx_show(kssl_ctx); |                 kssl_ctx_show(kssl_ctx); | ||||||
| #endif	/* KSSL_DEBUG */ | #endif	/* KSSL_DEBUG */ | ||||||
|  |  | ||||||
|                 /*	19991013 VRS -	3DES is kind of bogus here, | 		enc = kssl_map_enc(kssl_ctx->enctype); | ||||||
|                 **	at least until Kerberos supports 3DES.  The only | 		memset(iv, 0, EVP_MAX_IV_LENGTH);	/* per RFC 1510 */ | ||||||
|                 **	real secret is the 8-byte Kerberos session key; |  | ||||||
|                 **	the other key material (client_random, server_random) | 		EVP_DecryptInit(&ciph_ctx,enc,kssl_ctx->key,iv); | ||||||
|                 **	could be sniffed.  Nonces may help against replays though. | 		EVP_DecryptUpdate(&ciph_ctx, pms,&outl, | ||||||
|                 ** | 					enc_pms.data, enc_pms.length); | ||||||
|                 **	Alternate code for Kerberos Purists: | 		if (outl > SSL_MAX_MASTER_KEY_LENGTH) | ||||||
|                 ** | 			{ | ||||||
|                 **	memcpy(s->session->master_key,	kssl_ctx->key, kssl_ctx->length); | 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||||||
|                 **	s->session->master_key_length = kssl_ctx->length; | 				SSL_R_DATA_LENGTH_TOO_LONG); | ||||||
|                 */ | 			goto err; | ||||||
|  | 			} | ||||||
|  | 		EVP_DecryptFinal(&ciph_ctx,&(pms[outl]),&padl); | ||||||
|  | 		outl += padl; | ||||||
|  | 		if (outl > SSL_MAX_MASTER_KEY_LENGTH) | ||||||
|  | 			{ | ||||||
|  | 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||||||
|  | 				SSL_R_DATA_LENGTH_TOO_LONG); | ||||||
|  | 			goto err; | ||||||
|  | 			} | ||||||
|  | 		EVP_CIPHER_CTX_cleanup(&ciph_ctx); | ||||||
|  |  | ||||||
|                 s->session->master_key_length= |                 s->session->master_key_length= | ||||||
|                         s->method->ssl3_enc->generate_master_secret(s, |                         s->method->ssl3_enc->generate_master_secret(s, | ||||||
|                                 s->session->master_key, kssl_ctx->key, kssl_ctx->length); |                                 s->session->master_key, pms, outl); | ||||||
|                 /*	Was doing kssl_ctx_free() here, but it caused problems for apache. |  | ||||||
|                 **	kssl_ctx = kssl_ctx_free(kssl_ctx); |                 /*  Was doing kssl_ctx_free() here, | ||||||
|                 **	if (s->kssl_ctx)  s->kssl_ctx = NULL; | 		**  but it caused problems for apache. | ||||||
|  |                 **  kssl_ctx = kssl_ctx_free(kssl_ctx); | ||||||
|  |                 **  if (s->kssl_ctx)  s->kssl_ctx = NULL; | ||||||
|                 */ |                 */ | ||||||
|                 } |                 } | ||||||
| 	else | 	else | ||||||
| #endif	/* OPENSSL_NO_KRB5 */ | #endif	/* OPENSSL_NO_KRB5 */ | ||||||
| 		{ | 		{ | ||||||
| 		al=SSL_AD_HANDSHAKE_FAILURE; | 		al=SSL_AD_HANDSHAKE_FAILURE; | ||||||
| 		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE); | 		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, | ||||||
|  | 				SSL_R_UNKNOWN_CIPHER_TYPE); | ||||||
| 		goto f_err; | 		goto f_err; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
|   | |||||||
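Review bot: In the @@ -1471 hunk, `EVP_DecryptUpdate(&ciph_ctx, pms,&outl, enc_pms.data, enc_pms.length)` writes into the 48-byte stack array `pms[SSL_MAX_MASTER_KEY_LENGTH]` using a client-chosen `enc_pms.length` (up to 65535 from the preceding `n2s`), and the `outl > SSL_MAX_MASTER_KEY_LENGTH` test only runs after that write — a ClientKeyExchange with an oversized EncryptedPreMasterSecret overruns the server's stack before anything rejects it, while the legitimate 56-byte DES-CBC ciphertext the client hunk produces appears to fit only because DecryptUpdate withholds the final block. Cap `enc_pms.length` against the buffer before decrypting, size `pms` the way the client sizes `epms` so a padded ciphertext fits, and reject a NULL `enc` from `kssl_map_enc`, which is likewise unchecked here. The wrapper parsing in the @@ -1452 hunk has the same ordering problem: the three `n2s`/`p+=` steps read length bytes at offsets up to 64K past the message and only then compare the sum with `n`, so each length needs checking against the bytes still unread before `p` advances. The error paths after `kssl_check_authent` and `kssl_validate_times` also report under `SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE`, the client-side function code, inside this server routine; they should use `SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE`. ssl3_get_client_key_exchange starts and ends outside these hunks.
```c
		unsigned char		pms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_IV_LENGTH];
		/* … unchanged: remaining locals, kssl_ctx_new() … */

		/*  KerberosWrapper: verify each length against the bytes
		**  still unread before stepping over it (n = body length)
		*/
		if (n < 2) goto bad_len;
		n2s(p,i);
		if (i > n - 2) goto bad_len;
		enc_ticket.length = i;
		enc_ticket.data = p;
		p += i;  n -= i + 2;
		/* … same guard for authenticator and enc_pms, then require n == 0 … */

		/* … unchanged: kssl_sget_tkt, kssl_check_authent, kssl_validate_times … */

		enc = kssl_map_enc(kssl_ctx->enctype);
		if (enc == NULL)
			{
			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_KRB5);
			goto err;
			}
		if (enc_pms.length > sizeof(pms)) goto bad_len;
		/* … unchanged: memset(iv), EVP_DecryptInit/Update/Final, master secret … */

	bad_len:	/* at function scope, ahead of the existing err: label */
		SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG);
		goto err;
```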
| @@ -1459,13 +1459,17 @@ void ERR_load_SSL_strings(void); | |||||||
| #define SSL_R_INVALID_COMMAND				 280 | #define SSL_R_INVALID_COMMAND				 280 | ||||||
| #define SSL_R_INVALID_PURPOSE				 278 | #define SSL_R_INVALID_PURPOSE				 278 | ||||||
| #define SSL_R_INVALID_TRUST				 279 | #define SSL_R_INVALID_TRUST				 279 | ||||||
|  | #define SSL_R_KRB5					 1104 | ||||||
| #define SSL_R_KRB5_C_CC_PRINC				 1094 | #define SSL_R_KRB5_C_CC_PRINC				 1094 | ||||||
| #define SSL_R_KRB5_C_GET_CRED				 1095 | #define SSL_R_KRB5_C_GET_CRED				 1095 | ||||||
| #define SSL_R_KRB5_C_INIT				 1096 | #define SSL_R_KRB5_C_INIT				 1096 | ||||||
| #define SSL_R_KRB5_C_MK_REQ				 1097 | #define SSL_R_KRB5_C_MK_REQ				 1097 | ||||||
| #define SSL_R_KRB5_S_BAD_TICKET				 1098 | #define SSL_R_KRB5_S_BAD_TICKET				 1098 | ||||||
| #define SSL_R_KRB5_S_INIT				 1099 | #define SSL_R_KRB5_S_INIT				 1099 | ||||||
| #define SSL_R_KRB5_S_RD_REQ				 1100 | #define SSL_R_KRB5_S_RD_REQ				 1108 | ||||||
|  | #define SSL_R_KRB5_S_TKT_EXPIRED			 1105 | ||||||
|  | #define SSL_R_KRB5_S_TKT_NYV				 1106 | ||||||
|  | #define SSL_R_KRB5_S_TKT_SKEW				 1107 | ||||||
| #define SSL_R_LENGTH_MISMATCH				 159 | #define SSL_R_LENGTH_MISMATCH				 159 | ||||||
| #define SSL_R_LENGTH_TOO_SHORT				 160 | #define SSL_R_LENGTH_TOO_SHORT				 160 | ||||||
| #define SSL_R_LIBRARY_BUG				 274 | #define SSL_R_LIBRARY_BUG				 274 | ||||||
|   | |||||||
| @@ -273,13 +273,17 @@ static ERR_STRING_DATA SSL_str_reasons[]= | |||||||
| {SSL_R_INVALID_COMMAND                   ,"invalid command"}, | {SSL_R_INVALID_COMMAND                   ,"invalid command"}, | ||||||
| {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"}, | {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"}, | ||||||
| {SSL_R_INVALID_TRUST                     ,"invalid trust"}, | {SSL_R_INVALID_TRUST                     ,"invalid trust"}, | ||||||
| {SSL_R_KRB5_C_CC_PRINC                   ,"krb5 c cc princ"}, | {SSL_R_KRB5                              ,"krb5"}, | ||||||
| {SSL_R_KRB5_C_GET_CRED                   ,"krb5 c get cred"}, | {SSL_R_KRB5_C_CC_PRINC                   ,"krb5 client cc principal (no tkt?)"}, | ||||||
| {SSL_R_KRB5_C_INIT                       ,"krb5 c init"}, | {SSL_R_KRB5_C_GET_CRED                   ,"krb5 client get cred"}, | ||||||
| {SSL_R_KRB5_C_MK_REQ                     ,"krb5 c mk req"}, | {SSL_R_KRB5_C_INIT                       ,"krb5 client init"}, | ||||||
| {SSL_R_KRB5_S_BAD_TICKET                 ,"krb5 s bad ticket"}, | {SSL_R_KRB5_C_MK_REQ                     ,"krb5 client mk_req (expired tkt?)"}, | ||||||
| {SSL_R_KRB5_S_INIT                       ,"krb5 s init"}, | {SSL_R_KRB5_S_BAD_TICKET                 ,"krb5 server bad ticket"}, | ||||||
| {SSL_R_KRB5_S_RD_REQ                     ,"krb5 s rd req"}, | {SSL_R_KRB5_S_INIT                       ,"krb5 server init"}, | ||||||
|  | {SSL_R_KRB5_S_RD_REQ                     ,"krb5 server rd_req (keytab perms?)"}, | ||||||
|  | {SSL_R_KRB5_S_TKT_EXPIRED                ,"krb5 server tkt expired"}, | ||||||
|  | {SSL_R_KRB5_S_TKT_NYV                    ,"krb5 server tkt not yet valid"}, | ||||||
|  | {SSL_R_KRB5_S_TKT_SKEW                   ,"krb5 server tkt skew"}, | ||||||
| {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"}, | {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"}, | ||||||
| {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"}, | {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"}, | ||||||
| {SSL_R_LIBRARY_BUG                       ,"library bug"}, | {SSL_R_LIBRARY_BUG                       ,"library bug"}, | ||||||
|   | |||||||
	 Richard Levitte