summaryrefslogtreecommitdiffstats
path: root/lib/libssl/src
diff options
context:
space:
mode:
authorjsing <jsing@openbsd.org>2014-04-14 17:06:44 +0000
committerjsing <jsing@openbsd.org>2014-04-14 17:06:44 +0000
commit352db1b7ba624ddb0f4207737ef5c2cfbf3fb21d (patch)
tree4e0b02439f6fdff34c80b2b5cb2097ce5a94844f /lib/libssl/src
parentremove auto-generated dependencies from the old unused build system, so (diff)
downloadwireguard-openbsd-352db1b7ba624ddb0f4207737ef5c2cfbf3fb21d.tar.xz
wireguard-openbsd-352db1b7ba624ddb0f4207737ef5c2cfbf3fb21d.zip
First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using tr and md5.
Diffstat (limited to 'lib/libssl/src')
-rw-r--r--lib/libssl/src/ssl/kssl.c1417
1 files changed, 738 insertions, 679 deletions
diff --git a/lib/libssl/src/ssl/kssl.c b/lib/libssl/src/ssl/kssl.c
index a90c90fa6e4..2bbe3ab6474 100644
--- a/lib/libssl/src/ssl/kssl.c
+++ b/lib/libssl/src/ssl/kssl.c
@@ -87,11 +87,12 @@
/* memory allocation functions for non-temporary storage
* (e.g. stuff that gets saved into the kssl context) */
-static void* kssl_calloc(size_t nmemb, size_t size)
+static void*
+kssl_calloc(size_t nmemb, size_t size)
{
void* p;
-
- p=OPENSSL_malloc(nmemb*size);
+
+ p = OPENSSL_malloc(nmemb*size);
if (p){
memset(p, 0, nmemb*size);
}
@@ -105,11 +106,11 @@ static void* kssl_calloc(size_t nmemb, size_t size)
char
*kstring(char *string)
- {
- static char *null = "[NULL]";
+{
+ static char *null = "[NULL]";
- return ((string == NULL)? null: string);
- }
+ return ((string == NULL) ? null : string);
+}
/* Given KRB5 enctype (basically DES or 3DES),
** return closest match openssl EVP_ encryption algorithm.
@@ -118,25 +119,25 @@ char
*/
const EVP_CIPHER *
kssl_map_enc(krb5_enctype enctype)
- {
- switch (enctype)
- {
- case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */
+{
+ switch (enctype) {
+ case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */
case ENCTYPE_DES_CBC_CRC:
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_DES_CBC_RAW:
- return EVP_des_cbc();
- break;
- case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
+ return EVP_des_cbc();
+ break;
+ case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
case ENCTYPE_DES3_CBC_SHA:
case ENCTYPE_DES3_CBC_RAW:
- return EVP_des_ede3_cbc();
- break;
- default: return NULL;
- break;
- }
+ return EVP_des_ede3_cbc();
+ break;
+ default:
+ return NULL;
+ break;
}
+}
/* Return true:1 if p "looks like" the start of the real authenticator
@@ -144,31 +145,58 @@ kssl_map_enc(krb5_enctype enctype)
** "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
** xx and yy are possibly multi-byte length fields.
*/
-static int kssl_test_confound(unsigned char *p)
- {
+static int
+kssl_test_confound(unsigned char *p)
+{
int len = 2;
int xx = 0, yy = 0;
- if (*p++ != 0x62) return 0;
- if (*p > 0x82) return 0;
- switch(*p) {
- case 0x82: p++; xx = (*p++ << 8); xx += *p++; break;
- case 0x81: p++; xx = *p++; break;
- case 0x80: return 0;
- default: xx = *p++; break;
- }
- if (*p++ != 0x30) return 0;
- if (*p > 0x82) return 0;
- switch(*p) {
- case 0x82: p++; len+=2; yy = (*p++ << 8); yy += *p++; break;
- case 0x81: p++; len++; yy = *p++; break;
- case 0x80: return 0;
- default: yy = *p++; break;
- }
-
- return (xx - len == yy)? 1: 0;
+ if (*p++ != 0x62)
+ return 0;
+ if (*p > 0x82)
+ return 0;
+ switch (*p) {
+ case 0x82:
+ p++;
+ xx = (*p++ << 8);
+ xx += *p++;
+ break;
+ case 0x81:
+ p++;
+ xx = *p++;
+ break;
+ case 0x80:
+ return 0;
+ default:
+ xx = *p++;
+ break;
+ }
+ if (*p++ != 0x30)
+ return 0;
+ if (*p > 0x82)
+ return 0;
+ switch (*p) {
+ case 0x82:
+ p++;
+ len += 2;
+ yy = (*p++ << 8);
+ yy += *p++;
+ break;
+ case 0x81:
+ p++;
+ len++;
+ yy = *p++;
+ break;
+ case 0x80:
+ return 0;
+ default:
+ yy = *p++;
+ break;
}
+ return (xx - len == yy) ? 1: 0;
+}
+
/* Allocate, fill, and return cksumlens array of checksum lengths.
** This array holds just the unique elements from the krb5_cksumarray[].
** array[n] == 0 signals end of data.
@@ -179,8 +207,9 @@ static int kssl_test_confound(unsigned char *p)
** what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2
** it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010.
*/
-static size_t *populate_cksumlens(void)
- {
+static size_t
+*populate_cksumlens(void)
+{
int i, j, n;
static size_t *cklens = NULL;
@@ -189,26 +218,30 @@ static size_t *populate_cksumlens(void)
#else
n = 0x0010;
#endif /* KRB5_MIT_OLD11 */
-
+
#ifdef KRB5CHECKAUTH
- if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1))) return NULL;
-
- for (i=0; i < n; i++) {
- if (!valid_cksumtype(i)) continue; /* array has holes */
- for (j=0; j < n; j++) {
- if (cklens[j] == 0) {
- cklens[j] = krb5_checksum_size(NULL,i);
- break; /* krb5 elem was new: add */
- }
- if (cklens[j] == krb5_checksum_size(NULL,i)) {
- break; /* ignore duplicate elements */
- }
+ if (!cklens && !(cklens = (size_t *)
+ calloc(sizeof(int), n + 1))) return NULL;
+
+ for (i = 0; i < n; i++) {
+ if (!valid_cksumtype(i))
+ continue; /* array has holes */
+ for (j = 0; j < n; j++) {
+ if (cklens[j] == 0) {
+ cklens[j] = krb5_checksum_size(NULL, i);
+ break;
+ /* krb5 elem was new: add */
+ }
+ if (cklens[j] == krb5_checksum_size(NULL, i)) {
+ break;
+ /* ignore duplicate elements */
}
}
+ }
#endif /* KRB5CHECKAUTH */
return cklens;
- }
+}
/* Return pointer to start of real authenticator within authenticator, or
** return NULL on error.
@@ -217,24 +250,26 @@ static size_t *populate_cksumlens(void)
** This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
** krb5_auth_con_getcksumtype() function advertised in its krb5.h.
*/
-unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a)
- {
+unsigned char
+*kssl_skip_confound(krb5_enctype etype, unsigned char *a)
+{
int i, conlen;
size_t cklen;
static size_t *cksumlens = NULL;
unsigned char *test_auth;
- conlen = (etype)? 8: 0;
+ conlen = (etype) ? 8: 0;
- if (!cksumlens && !(cksumlens = populate_cksumlens())) return NULL;
- for (i=0; (cklen = cksumlens[i]) != 0; i++)
- {
+ if (!cksumlens && !(cksumlens = populate_cksumlens()))
+ return NULL;
+ for (i = 0; (cklen = cksumlens[i]) != 0; i++) {
test_auth = a + conlen + cklen;
- if (kssl_test_confound(test_auth)) return test_auth;
- }
+ if (kssl_test_confound(test_auth))
+ return test_auth;
+ }
return NULL;
- }
+}
/* Set kssl_err error info when reason text is a simple string
@@ -242,89 +277,84 @@ unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a)
*/
void
kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
- {
- if (kssl_err == NULL) return;
+{
+ if (kssl_err == NULL)
+ return;
kssl_err->reason = reason;
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text);
return;
- }
+}
/* Display contents of krb5_data struct, for debugging
*/
void
print_krb5_data(char *label, krb5_data *kdata)
- {
+{
int i;
printf("%s[%d] ", label, kdata->length);
- for (i=0; i < (int)kdata->length; i++)
- {
- if (0 && isprint((int) kdata->data[i]))
- printf( "%c ", kdata->data[i]);
+ for (i = 0; i < (int)kdata->length; i++) {
+ if (0 && isprint((int) kdata->data[i]))
+ printf( "%c ", kdata->data[i]);
else
- printf( "%02x ", (unsigned char) kdata->data[i]);
- }
+ printf( "%02x ", (unsigned char) kdata->data[i]);
+ }
printf("\n");
- }
+}
/* Display contents of krb5_authdata struct, for debugging
*/
void
print_krb5_authdata(char *label, krb5_authdata **adata)
- {
- if (adata == NULL)
- {
+{
+ if (adata == NULL) {
printf("%s, authdata==0\n", label);
return;
- }
+ }
printf("%s [%p]\n", label, (void *)adata);
#if 0
{
- int i;
- printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
- for (i=0; i < adata->length; i++)
- {
- printf((isprint(adata->contents[i]))? "%c ": "%02x",
- adata->contents[i]);
+ int i;
+ printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
+ for (i = 0; i < adata->length; i++) {
+ printf((isprint(adata->contents[i]))? "%c ": "%02x",
+ adata->contents[i]);
}
- printf("\n");
+ printf("\n");
}
#endif
- }
+}
/* Display contents of krb5_keyblock struct, for debugging
*/
void
print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
- {
+{
int i;
- if (keyblk == NULL)
- {
+ if (keyblk == NULL) {
printf("%s, keyblk==0\n", label);
return;
- }
+ }
#ifdef KRB5_HEIMDAL
printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
- keyblk->keyvalue->length);
- for (i=0; i < (int)keyblk->keyvalue->length; i++)
- {
+ keyblk->keyvalue->length);
+ for (i = 0; i < (int)keyblk->keyvalue->length; i++) {
printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
- }
+ }
printf("\n");
#else
printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
- for (i=0; i < (int)keyblk->length; i++)
- {
- printf("%02x",keyblk->contents[i]);
- }
+ for (i = 0; i < (int)keyblk->length; i++) {
+ printf("%02x", keyblk->contents[i]);
+ }
printf("\n");
#endif
- }
+}
/* Display contents of krb5_principal_data struct, for debugging
@@ -332,23 +362,24 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
*/
static void
print_krb5_princ(char *label, krb5_principal_data *princ)
- {
+{
int i, ui, uj;
printf("%s principal Realm: ", label);
- if (princ == NULL) return;
- for (ui=0; ui < (int)princ->realm.length; ui++) putchar(princ->realm.data[ui]);
- printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
- for (i=0; i < (int)princ->length; i++)
- {
+ if (princ == NULL)
+ return;
+ for (ui = 0; ui < (int)princ->realm.length; ui++)
+ putchar(princ->realm.data[ui]);
+ printf(" (nametype %d) has %d strings:\n", princ->type, princ->length);
+ for (i = 0; i < (int)princ->length; i++) {
printf("\t%d [%d]: ", i, princ->data[i].length);
- for (uj=0; uj < (int)princ->data[i].length; uj++) {
+ for (uj = 0; uj < (int)princ->data[i].length; uj++) {
putchar(princ->data[i].data[uj]);
- }
- printf("\n");
}
+ printf("\n");
+ }
return;
- }
+}
/* Given krb5 service (typically "kssl") and hostname in kssl_ctx,
@@ -362,11 +393,12 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
** 20010606 VRS May also return optional authenticator.
*/
krb5_error_code
-kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
- /* OUT */ krb5_data **enc_ticketp,
- /* UPDATE */ krb5_data *authenp,
- /* OUT */ KSSL_ERR *kssl_err)
- {
+kssl_cget_tkt(
+ /* UPDATE */ KSSL_CTX *kssl_ctx,
+ /* OUT */ krb5_data **enc_ticketp,
+ /* UPDATE */ krb5_data *authenp,
+ /* OUT */ KSSL_ERR *kssl_err)
+{
krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
krb5_context krb5context = NULL;
krb5_auth_context krb5auth_context = NULL;
@@ -377,47 +409,40 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
kssl_err_set(kssl_err, 0, "");
memset((char *)&krb5creds, 0, sizeof(krb5creds));
- if (!kssl_ctx)
- {
+ if (!kssl_ctx) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "No kssl_ctx defined.\n");
+ "No kssl_ctx defined.\n");
goto err;
- }
- else if (!kssl_ctx->service_host)
- {
+ } else if (!kssl_ctx->service_host) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "kssl_ctx service_host undefined.\n");
+ "kssl_ctx service_host undefined.\n");
goto err;
- }
+ }
- if ((krb5rc = krb5_init_context(&krb5context)) != 0)
- {
+ if ((krb5rc = krb5_init_context(&krb5context)) != 0) {
BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
- "krb5_init_context() fails: %d\n", krb5rc);
+ "krb5_init_context() fails: %d\n", krb5rc);
kssl_err->reason = SSL_R_KRB5_C_INIT;
goto err;
- }
+ }
- if ((krb5rc = krb5_sname_to_principal(krb5context,
- kssl_ctx->service_host,
- (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
- KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
- {
+ if ((krb5rc = krb5_sname_to_principal(
+ krb5context, kssl_ctx->service_host,
+ (kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC,
+ KRB5_NT_SRV_HST, &krb5creds.server)) != 0) {
BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
- "krb5_sname_to_principal() fails for %s/%s\n",
- kssl_ctx->service_host,
- (kssl_ctx->service_name)? kssl_ctx->service_name:
- KRB5SVC);
+ "krb5_sname_to_principal() fails for %s/%s\n",
+ kssl_ctx->service_host,
+ (kssl_ctx->service_name) ? kssl_ctx->service_name: KRB5SVC);
kssl_err->reason = SSL_R_KRB5_C_INIT;
goto err;
- }
+ }
- if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
- {
+ if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) {
kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
- "krb5_cc_default fails.\n");
+ "krb5_cc_default fails.\n");
goto err;
- }
+ }
if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
&krb5creds.client)) != 0)
@@ -428,12 +453,11 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
}
if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
- &krb5creds, &krb5credsp)) != 0)
- {
+ &krb5creds, &krb5credsp)) != 0) {
kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED,
- "krb5_get_credentials() fails.\n");
+ "krb5_get_credentials() fails.\n");
goto err;
- }
+ }
*enc_ticketp = &krb5credsp->ticket;
#ifdef KRB5_HEIMDAL
@@ -448,8 +472,7 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
** 20010605 VRS reinstated to offer Authenticator to KerberosWrapper
*/
krb5_app_req.length = 0;
- if (authenp)
- {
+ if (authenp) {
krb5_data krb5in_data;
const unsigned char *p;
long arlen;
@@ -459,63 +482,61 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
krb5in_data.data = NULL;
krb5in_data.length = 0;
if ((krb5rc = krb5_mk_req_extended(krb5context,
- &krb5auth_context, 0, &krb5in_data, krb5credsp,
- &krb5_app_req)) != 0)
- {
+ &krb5auth_context, 0, &krb5in_data, krb5credsp,
+ &krb5_app_req)) != 0) {
kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ,
- "krb5_mk_req_extended() fails.\n");
+ "krb5_mk_req_extended() fails.\n");
goto err;
- }
+ }
arlen = krb5_app_req.length;
p = (unsigned char *)krb5_app_req.data;
ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen);
- if (ap_req)
- {
+ if (ap_req) {
authenp->length = i2d_KRB5_ENCDATA(
- ap_req->authenticator, NULL);
- if (authenp->length &&
- (authenp->data = malloc(authenp->length)))
- {
+ ap_req->authenticator, NULL);
+ if (authenp->length &&
+ (authenp->data = malloc(authenp->length))) {
unsigned char *adp = (unsigned char *)authenp->data;
authenp->length = i2d_KRB5_ENCDATA(
- ap_req->authenticator, &adp);
- }
+ ap_req->authenticator, &adp);
}
-
- if (ap_req) KRB5_APREQ_free((KRB5_APREQ *) ap_req);
- if (krb5_app_req.length)
- kssl_krb5_free_data_contents(krb5context,&krb5_app_req);
}
+
+ if (ap_req)
+ KRB5_APREQ_free((KRB5_APREQ *) ap_req);
+ if (krb5_app_req.length)
+ kssl_krb5_free_data_contents(krb5context, &krb5_app_req);
+ }
#ifdef KRB5_HEIMDAL
- if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session))
- {
+ if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) {
kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
- "kssl_ctx_setkey() fails.\n");
- }
+ "kssl_ctx_setkey() fails.\n");
+ }
#else
- if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock))
- {
+ if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) {
kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
- "kssl_ctx_setkey() fails.\n");
- }
+ "kssl_ctx_setkey() fails.\n");
+ }
#endif
- else krb5rc = 0;
+ else
+ krb5rc = 0;
- err:
+ err:
#ifdef KSSL_DEBUG
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
- if (krb5creds.client) krb5_free_principal(krb5context,
- krb5creds.client);
- if (krb5creds.server) krb5_free_principal(krb5context,
- krb5creds.server);
- if (krb5auth_context) krb5_auth_con_free(krb5context,
- krb5auth_context);
- if (krb5context) krb5_free_context(krb5context);
+ if (krb5creds.client)
+ krb5_free_principal(krb5context, krb5creds.client);
+ if (krb5creds.server)
+ krb5_free_principal(krb5context, krb5creds.server);
+ if (krb5auth_context)
+ krb5_auth_con_free(krb5context, krb5auth_context);
+ if (krb5context)
+ krb5_free_context(krb5context);
return (krb5rc);
- }
+}
/* Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
@@ -530,76 +551,71 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
** like the real thing.
*/
static krb5_error_code
-kssl_TKT2tkt( /* IN */ krb5_context krb5context,
- /* IN */ KRB5_TKTBODY *asn1ticket,
- /* OUT */ krb5_ticket **krb5ticket,
- /* OUT */ KSSL_ERR *kssl_err )
- {
+kssl_TKT2tkt(
+ /* IN */ krb5_context krb5context,
+ /* IN */ KRB5_TKTBODY *asn1ticket,
+ /* OUT */ krb5_ticket **krb5ticket,
+ /* OUT */ KSSL_ERR *kssl_err )
+{
krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
krb5_ticket *new5ticket = NULL;
ASN1_GENERALSTRING *gstr_svc, *gstr_host;
*krb5ticket = NULL;
- if (asn1ticket == NULL || asn1ticket->realm == NULL ||
- asn1ticket->sname == NULL ||
- sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2)
- {
+ if (asn1ticket == NULL || asn1ticket->realm == NULL ||
+ asn1ticket->sname == NULL ||
+ sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) {
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "Null field in asn1ticket.\n");
+ "Null field in asn1ticket.\n");
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
return KRB5KRB_ERR_GENERIC;
- }
+ }
- if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL)
- {
+ if ((new5ticket =
+ (krb5_ticket *)calloc(1, sizeof(krb5_ticket))) == NULL) {
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "Unable to allocate new krb5_ticket.\n");
+ "Unable to allocate new krb5_ticket.\n");
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
- return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */
- }
+ return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */
+ }
- gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
+ gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1);
- if ((krb5rc = kssl_build_principal_2(krb5context,
- &new5ticket->server,
- asn1ticket->realm->length, (char *)asn1ticket->realm->data,
- gstr_svc->length, (char *)gstr_svc->data,
- gstr_host->length, (char *)gstr_host->data)) != 0)
- {
+ if ((krb5rc = kssl_build_principal_2(krb5context, &new5ticket->server,
+ asn1ticket->realm->length, (char *)asn1ticket->realm->data,
+ gstr_svc->length, (char *)gstr_svc->data, gstr_host->length,
+ (char *)gstr_host->data)) != 0) {
free(new5ticket);
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "Error building ticket server principal.\n");
+ "Error building ticket server principal.\n");
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
- return krb5rc; /* or KRB5KRB_ERR_GENERIC; */
- }
+ return krb5rc; /* or KRB5KRB_ERR_GENERIC; */
+ }
krb5_princ_type(krb5context, new5ticket->server) =
- asn1ticket->sname->nametype->data[0];
+ asn1ticket->sname->nametype->data[0];
new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0];
new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0];
new5ticket->enc_part.ciphertext.length =
- asn1ticket->encdata->cipher->length;
+ asn1ticket->encdata->cipher->length;
if ((new5ticket->enc_part.ciphertext.data =
- calloc(1, asn1ticket->encdata->cipher->length)) == NULL)
- {
+ calloc(1, asn1ticket->encdata->cipher->length)) == NULL) {
free(new5ticket);
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "Error allocating cipher in krb5ticket.\n");
+ "Error allocating cipher in krb5ticket.\n");
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
return KRB5KRB_ERR_GENERIC;
- }
- else
- {
+ } else {
memcpy(new5ticket->enc_part.ciphertext.data,
- asn1ticket->encdata->cipher->data,
- asn1ticket->encdata->cipher->length);
- }
+ asn1ticket->encdata->cipher->data,
+ asn1ticket->encdata->cipher->length);
+ }
*krb5ticket = new5ticket;
return 0;
- }
+}
/* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
@@ -610,11 +626,12 @@ kssl_TKT2tkt( /* IN */ krb5_context krb5context,
** 19990702 VRS Started.
*/
krb5_error_code
-kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
- /* IN */ krb5_data *indata,
- /* OUT */ krb5_ticket_times *ttimes,
- /* OUT */ KSSL_ERR *kssl_err )
- {
+kssl_sget_tkt(
+ /* UPDATE */ KSSL_CTX *kssl_ctx,
+ /* IN */ krb5_data *indata,
+ /* OUT */ krb5_ticket_times *ttimes,
+ /* OUT */ KSSL_ERR *kssl_err )
+{
krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
static krb5_context krb5context = NULL;
static krb5_auth_context krb5auth_context = NULL;
@@ -628,100 +645,86 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
kssl_err_set(kssl_err, 0, "");
- if (!kssl_ctx)
- {
+ if (!kssl_ctx) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "No kssl_ctx defined.\n");
+ "No kssl_ctx defined.\n");
goto err;
- }
+ }
#ifdef KSSL_DEBUG
printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
#endif /* KSSL_DEBUG */
- if (!krb5context && (krb5rc = krb5_init_context(&krb5context)))
- {
+ if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_init_context() fails.\n");
+ "krb5_init_context() fails.\n");
goto err;
- }
- if (krb5auth_context &&
- (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context)))
- {
+ }
+ if (krb5auth_context &&
+ (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_auth_con_free() fails.\n");
+ "krb5_auth_con_free() fails.\n");
goto err;
- }
- else krb5auth_context = NULL;
- if (!krb5auth_context &&
- (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context)))
- {
+ } else
+ krb5auth_context = NULL;
+ if (!krb5auth_context &&
+ (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_auth_con_init() fails.\n");
+ "krb5_auth_con_init() fails.\n");
goto err;
- }
+ }
-
if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context,
- &rcache)))
- {
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_auth_con_getrcache() fails.\n");
- goto err;
- }
-
+ &rcache))) {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_auth_con_getrcache() fails.\n");
+ goto err;
+ }
+
if ((krb5rc = krb5_sname_to_principal(krb5context, NULL,
- (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
- KRB5_NT_SRV_HST, &krb5server)) != 0)
- {
+ (kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC,
+ KRB5_NT_SRV_HST, &krb5server)) != 0) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_sname_to_principal() fails.\n");
+ "krb5_sname_to_principal() fails.\n");
goto err;
+ }
+
+ if (rcache == NULL) {
+ if ((krb5rc = krb5_get_server_rcache(krb5context,
+ krb5_princ_component(krb5context, krb5server, 0),
+ &rcache))) {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_get_server_rcache() fails.\n");
+ goto err;
}
+ }
- if (rcache == NULL)
- {
- if ((krb5rc = krb5_get_server_rcache(krb5context,
- krb5_princ_component(krb5context, krb5server, 0),
- &rcache)))
- {
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_get_server_rcache() fails.\n");
- goto err;
- }
- }
-
- if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache)))
- {
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_auth_con_setrcache() fails.\n");
- goto err;
- }
+ if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context,
+ rcache))) {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_auth_con_setrcache() fails.\n");
+ goto err;
+ }
/* kssl_ctx->keytab_file == NULL ==> use Kerberos default
*/
- if (kssl_ctx->keytab_file)
- {
+ if (kssl_ctx->keytab_file) {
krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
- &krb5keytab);
- if (krb5rc)
- {
+ &krb5keytab);
+ if (krb5rc) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_kt_resolve() fails.\n");
+ "krb5_kt_resolve() fails.\n");
goto err;
- }
}
- else
- {
- krb5rc = krb5_kt_default(krb5context,&krb5keytab);
- if (krb5rc)
- {
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "krb5_kt_default() fails.\n");
+ } else {
+ krb5rc = krb5_kt_default(krb5context, &krb5keytab);
+ if (krb5rc) {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_kt_default() fails.\n");
goto err;
- }
}
+ }
/* Actual Kerberos5 krb5_recvauth() has initial conversation here
** o check KRB5_SENDAUTH_BADAUTHVERS
@@ -739,157 +742,156 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
p = (unsigned char *)indata->data;
if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
- (long) indata->length)) == NULL)
- {
+ (long)indata->length)) == NULL) {
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "d2i_KRB5_TICKET() ASN.1 decode failure.\n");
+ "d2i_KRB5_TICKET() ASN.1 decode failure.\n");
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
goto err;
- }
-
+ }
+
/* Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */
if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket,
- kssl_err)) != 0)
- {
+ kssl_err)) != 0) {
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "Error converting ASN.1 ticket to krb5_ticket.\n");
+ "Error converting ASN.1 ticket to krb5_ticket.\n");
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
goto err;
- }
+ }
- if (! krb5_principal_compare(krb5context, krb5server,
- krb5ticket->server)) {
+ if (!krb5_principal_compare(krb5context, krb5server,
+ krb5ticket->server)) {
krb5rc = KRB5_PRINC_NOMATCH;
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "server principal != ticket principal\n");
+ "server principal != ticket principal\n");
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
goto err;
- }
+ }
if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
- krb5ticket->server, krb5ticket->enc_part.kvno,
- krb5ticket->enc_part.enctype, &kt_entry)) != 0) {
+ krb5ticket->server, krb5ticket->enc_part.kvno,
+ krb5ticket->enc_part.enctype, &kt_entry)) != 0) {
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "krb5_kt_get_entry() fails with %x.\n", krb5rc);
+ "krb5_kt_get_entry() fails with %x.\n", krb5rc);
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
goto err;
- }
+ }
if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key,
- krb5ticket)) != 0) {
+ krb5ticket)) != 0) {
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
- "krb5_decrypt_tkt_part() failed.\n");
+ "krb5_decrypt_tkt_part() failed.\n");
kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
goto err;
- }
- else {
+ } else {
krb5_kt_free_entry(krb5context, &kt_entry);
#ifdef KSSL_DEBUG
{
- int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
- printf("Decrypted ticket fields:\n");
- printf("\tflags: %X, transit-type: %X",
+ int i;
+ krb5_address **paddr = krb5ticket->enc_part2->caddrs;
+ printf("Decrypted ticket fields:\n");
+ printf("\tflags: %X, transit-type: %X",
krb5ticket->enc_part2->flags,
krb5ticket->enc_part2->transited.tr_type);
- print_krb5_data("\ttransit-data: ",
+ print_krb5_data("\ttransit-data: ",
&(krb5ticket->enc_part2->transited.tr_contents));
- printf("\tcaddrs: %p, authdata: %p\n",
+ printf("\tcaddrs: %p, authdata: %p\n",
krb5ticket->enc_part2->caddrs,
krb5ticket->enc_part2->authorization_data);
- if (paddr)
- {
- printf("\tcaddrs:\n");
- for (i=0; paddr[i] != NULL; i++)
- {
- krb5_data d;
- d.length=paddr[i]->length;
- d.data=paddr[i]->contents;
- print_krb5_data("\t\tIP: ", &d);
+ if (paddr) {
+ printf("\tcaddrs:\n");
+ for (i = 0; paddr[i] != NULL; i++) {
+ krb5_data d;
+ d.length = paddr[i]->length;
+ d.data = paddr[i]->contents;
+ print_krb5_data("\t\tIP: ", &d);
}
}
- printf("\tstart/auth/end times: %d / %d / %d\n",
+ printf("\tstart/auth/end times: %d / %d / %d\n",
krb5ticket->enc_part2->times.starttime,
krb5ticket->enc_part2->times.authtime,
krb5ticket->enc_part2->times.endtime);
}
#endif /* KSSL_DEBUG */
- }
+ }
krb5rc = KRB5_NO_TKT_SUPPLIED;
- if (!krb5ticket || !krb5ticket->enc_part2 ||
- !krb5ticket->enc_part2->client ||
- !krb5ticket->enc_part2->client->data ||
- !krb5ticket->enc_part2->session)
- {
- kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
- "bad ticket from krb5_rd_req.\n");
- }
- else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
- &krb5ticket->enc_part2->client->realm,
- krb5ticket->enc_part2->client->data,
- krb5ticket->enc_part2->client->length))
- {
+ if (!krb5ticket || !krb5ticket->enc_part2 ||
+ !krb5ticket->enc_part2->client ||
+ !krb5ticket->enc_part2->client->data ||
+ !krb5ticket->enc_part2->session) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
- "kssl_ctx_setprinc() fails.\n");
- }
- else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session))
- {
+ "bad ticket from krb5_rd_req.\n");
+ } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
+ &krb5ticket->enc_part2->client->realm,
+ krb5ticket->enc_part2->client->data,
+ krb5ticket->enc_part2->client->length)) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
- "kssl_ctx_setkey() fails.\n");
- }
- else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID)
- {
+ "kssl_ctx_setprinc() fails.\n");
+ } else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+ "kssl_ctx_setkey() fails.\n");
+ } else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) {
krb5rc = KRB5KRB_AP_ERR_TKT_INVALID;
- kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
- "invalid ticket from krb5_rd_req.\n");
- }
- else krb5rc = 0;
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+ "invalid ticket from krb5_rd_req.\n");
+ } else
+ krb5rc = 0;
- kssl_ctx->enctype = krb5ticket->enc_part.enctype;
- ttimes->authtime = krb5ticket->enc_part2->times.authtime;
- ttimes->starttime = krb5ticket->enc_part2->times.starttime;
- ttimes->endtime = krb5ticket->enc_part2->times.endtime;
- ttimes->renew_till = krb5ticket->enc_part2->times.renew_till;
+ kssl_ctx->enctype = krb5ticket->enc_part.enctype;
+ ttimes->authtime = krb5ticket->enc_part2->times.authtime;
+ ttimes->starttime = krb5ticket->enc_part2->times.starttime;
+ ttimes->endtime = krb5ticket->enc_part2->times.endtime;
+ ttimes->renew_till = krb5ticket->enc_part2->times.renew_till;
- err:
+ err:
#ifdef KSSL_DEBUG
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
- if (asn1ticket) KRB5_TICKET_free((KRB5_TICKET *) asn1ticket);
- if (krb5keytab) krb5_kt_close(krb5context, krb5keytab);
- if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket);
- if (krb5server) krb5_free_principal(krb5context, krb5server);
+ if (asn1ticket)
+ KRB5_TICKET_free((KRB5_TICKET *) asn1ticket);
+ if (krb5keytab)
+ krb5_kt_close(krb5context, krb5keytab);
+ if (krb5ticket)
+ krb5_free_ticket(krb5context, krb5ticket);
+ if (krb5server)
+ krb5_free_principal(krb5context, krb5server);
return (krb5rc);
- }
+}
/* Allocate & return a new kssl_ctx struct.
*/
-KSSL_CTX *
+KSSL_CTX *
kssl_ctx_new(void)
- {
+{
return ((KSSL_CTX *) kssl_calloc(1, sizeof(KSSL_CTX)));
- }
+}
/* Frees a kssl_ctx struct and any allocated memory it holds.
** Returns NULL.
*/
-KSSL_CTX *
+KSSL_CTX *
kssl_ctx_free(KSSL_CTX *kssl_ctx)
- {
- if (kssl_ctx == NULL) return kssl_ctx;
+{
+ if (kssl_ctx == NULL)
+ return kssl_ctx;
- if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key,
- kssl_ctx->length);
- if (kssl_ctx->key) kssl_free(kssl_ctx->key);
- if (kssl_ctx->client_princ) kssl_free(kssl_ctx->client_princ);
- if (kssl_ctx->service_host) kssl_free(kssl_ctx->service_host);
- if (kssl_ctx->service_name) kssl_free(kssl_ctx->service_name);
- if (kssl_ctx->keytab_file) kssl_free(kssl_ctx->keytab_file);
+ if (kssl_ctx->key)
+ OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
+ if (kssl_ctx->key)
+ kssl_free(kssl_ctx->key);
+ if (kssl_ctx->client_princ)
+ kssl_free(kssl_ctx->client_princ);
+ if (kssl_ctx->service_host)
+ kssl_free(kssl_ctx->service_host);
+ if (kssl_ctx->service_name)
+ kssl_free(kssl_ctx->service_name);
+ if (kssl_ctx->keytab_file)
+ kssl_free(kssl_ctx->keytab_file);
kssl_free(kssl_ctx);
return (KSSL_CTX *) NULL;
- }
+}
/* Given an array of (krb5_data *) entity (and optional realm),
@@ -897,55 +899,57 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
** of the kssl_ctx struct.
*/
krb5_error_code
-kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
- krb5_data *realm, krb5_data *entity, int nentities)
- {
+kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, krb5_data *realm,
+ krb5_data *entity, int nentities)
+{
char **princ;
int length;
int i;
- if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR;
+ if (kssl_ctx == NULL || entity == NULL)
+ return KSSL_CTX_ERR;
- switch (which)
- {
- case KSSL_CLIENT: princ = &kssl_ctx->client_princ; break;
- case KSSL_SERVER: princ = &kssl_ctx->service_host; break;
- default: return KSSL_CTX_ERR; break;
- }
- if (*princ) kssl_free(*princ);
+ switch (which) {
+ case KSSL_CLIENT:
+ princ = &kssl_ctx->client_princ;
+ break;
+ case KSSL_SERVER:
+ princ = &kssl_ctx->service_host;
+ break;
+ default:
+ return KSSL_CTX_ERR;
+ break;
+ }
+ if (*princ)
+ kssl_free(*princ);
/* Add up all the entity->lengths */
length = 0;
- for (i=0; i < nentities; i++)
- {
+ for (i = 0; i < nentities; i++) {
length += entity[i].length;
- }
+ }
/* Add in space for the '/' character(s) (if any) */
- length += nentities-1;
+ length += nentities - 1;
/* Space for the ('@'+realm+NULL | NULL) */
- length += ((realm)? realm->length + 2: 1);
+ length += ((realm) ? realm->length + 2 : 1);
if ((*princ = kssl_calloc(1, length)) == NULL)
return KSSL_CTX_ERR;
- else
- {
- for (i = 0; i < nentities; i++)
- {
+ else {
+ for (i = 0; i < nentities; i++) {
strncat(*princ, entity[i].data, entity[i].length);
- if (i < nentities-1)
- {
+ if (i < nentities - 1) {
strcat (*princ, "/");
- }
}
- if (realm)
- {
+ }
+ if (realm) {
strcat (*princ, "@");
(void) strncat(*princ, realm->data, realm->length);
- }
}
+ }
return KSSL_CTX_OK;
- }
+}
/* Set one of the plain (char *) string members of the kssl_ctx struct.
@@ -955,26 +959,36 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
*/
krb5_error_code
kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
- {
+{
char **string;
- if (!kssl_ctx) return KSSL_CTX_ERR;
+ if (!kssl_ctx)
+ return KSSL_CTX_ERR;
- switch (which)
- {
- case KSSL_SERVICE: string = &kssl_ctx->service_name; break;
- case KSSL_SERVER: string = &kssl_ctx->service_host; break;
- case KSSL_CLIENT: string = &kssl_ctx->client_princ; break;
- case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break;
- default: return KSSL_CTX_ERR; break;
- }
- if (*string) kssl_free(*string);
+ switch (which) {
+ case KSSL_SERVICE:
+ string = &kssl_ctx->service_name;
+ break;
+ case KSSL_SERVER:
+ string = &kssl_ctx->service_host;
+ break;
+ case KSSL_CLIENT:
+ string = &kssl_ctx->client_princ;
+ break;
+ case KSSL_KEYTAB:
+ string = &kssl_ctx->keytab_file;
+ break;
+ default:
+ return KSSL_CTX_ERR;
+ break;
+ }
+ if (*string)
+ kssl_free(*string);
- if (!text)
- {
+ if (!text) {
*string = '\0';
return KSSL_CTX_OK;
- }
+ }
if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL)
return KSSL_CTX_ERR;
@@ -982,7 +996,7 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
memcpy(*string, text, strlen(text) + 1);
return KSSL_CTX_OK;
- }
+}
/* Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
@@ -990,21 +1004,20 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
*/
krb5_error_code
kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
- {
+{
int length;
krb5_enctype enctype;
krb5_octet FAR *contents = NULL;
- if (!kssl_ctx) return KSSL_CTX_ERR;
+ if (!kssl_ctx)
+ return KSSL_CTX_ERR;
- if (kssl_ctx->key)
- {
+ if (kssl_ctx->key) {
OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
kssl_free(kssl_ctx->key);
- }
+ }
- if (session)
- {
+ if (session) {
#ifdef KRB5_HEIMDAL
length = session->keyvalue->length;
@@ -1016,186 +1029,182 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
contents = session->contents;
#endif
kssl_ctx->enctype = enctype;
- kssl_ctx->length = length;
- }
- else
- {
+ kssl_ctx->length = length;
+ } else {
kssl_ctx->enctype = ENCTYPE_UNKNOWN;
- kssl_ctx->length = 0;
+ kssl_ctx->length = 0;
return KSSL_CTX_OK;
- }
+ }
if ((kssl_ctx->key =
- (krb5_octet FAR *) kssl_calloc(1, kssl_ctx->length)) == NULL)
- {
- kssl_ctx->length = 0;
+ (krb5_octet FAR *)kssl_calloc(1, kssl_ctx->length)) == NULL) {
+ kssl_ctx->length = 0;
return KSSL_CTX_ERR;
- }
- else
+ } else
memcpy(kssl_ctx->key, contents, length);
return KSSL_CTX_OK;
- }
+}
/* Display contents of kssl_ctx struct
*/
void
kssl_ctx_show(KSSL_CTX *kssl_ctx)
- {
+{
int i;
printf("kssl_ctx: ");
- if (kssl_ctx == NULL)
- {
+ if (kssl_ctx == NULL) {
printf("NULL\n");
return;
- }
- else
+ } else
printf("%p\n", (void *)kssl_ctx);
printf("\tservice:\t%s\n",
- (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
+ (kssl_ctx->service_name) ? kssl_ctx->service_name : "NULL");
printf("\tclient:\t%s\n",
- (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL");
+ (kssl_ctx->client_princ) ? kssl_ctx->client_princ : "NULL");
printf("\tserver:\t%s\n",
- (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL");
+ (kssl_ctx->service_host) ? kssl_ctx->service_host : "NULL");
printf("\tkeytab:\t%s\n",
- (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL");
+ (kssl_ctx->keytab_file) ? kssl_ctx->keytab_file : "NULL");
printf("\tkey [%d:%d]:\t",
- kssl_ctx->enctype, kssl_ctx->length);
+ kssl_ctx->enctype, kssl_ctx->length);
- for (i=0; i < kssl_ctx->length && kssl_ctx->key; i++)
- {
+ for (i = 0; i < kssl_ctx->length && kssl_ctx->key; i++) {
printf("%02x", kssl_ctx->key[i]);
- }
+ }
printf("\n");
return;
- }
+}
- int
- kssl_keytab_is_available(KSSL_CTX *kssl_ctx)
+int
+kssl_keytab_is_available(KSSL_CTX *kssl_ctx)
{
- krb5_context krb5context = NULL;
- krb5_keytab krb5keytab = NULL;
- krb5_keytab_entry entry;
- krb5_principal princ = NULL;
- krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
- int rc = 0;
+ krb5_context krb5context = NULL;
+ krb5_keytab krb5keytab = NULL;
+ krb5_keytab_entry entry;
+ krb5_principal princ = NULL;
+ krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
+ int rc = 0;
- if ((krb5rc = krb5_init_context(&krb5context)))
- return(0);
+ if ((krb5rc = krb5_init_context(&krb5context)))
+ return (0);
/* kssl_ctx->keytab_file == NULL ==> use Kerberos default
*/
- if (kssl_ctx->keytab_file)
- {
- krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
- &krb5keytab);
- if (krb5rc)
- goto exit;
- }
- else
- {
- krb5rc = krb5_kt_default(krb5context,&krb5keytab);
- if (krb5rc)
- goto exit;
- }
-
- /* the host key we are looking for */
- krb5rc = krb5_sname_to_principal(krb5context, NULL,
- kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
- KRB5_NT_SRV_HST, &princ);
-
- if (krb5rc)
- goto exit;
-
- krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
- princ,
- 0 /* IGNORE_VNO */,
- 0 /* IGNORE_ENCTYPE */,
- &entry);
- if ( krb5rc == KRB5_KT_NOTFOUND ) {
- rc = 1;
- goto exit;
- } else if ( krb5rc )
- goto exit;
-
- krb5_kt_free_entry(krb5context, &entry);
- rc = 1;
-
- exit:
- if (krb5keytab) krb5_kt_close(krb5context, krb5keytab);
- if (princ) krb5_free_principal(krb5context, princ);
- if (krb5context) krb5_free_context(krb5context);
- return(rc);
+ if (kssl_ctx->keytab_file) {
+ krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
+ &krb5keytab);
+ if (krb5rc)
+ goto exit;
+ } else {
+ krb5rc = krb5_kt_default(krb5context, &krb5keytab);
+ if (krb5rc)
+ goto exit;
+ }
+
+ /* the host key we are looking for */
+ krb5rc = krb5_sname_to_principal(krb5context, NULL,
+ kssl_ctx->service_name ? kssl_ctx->service_name : KRB5SVC,
+ KRB5_NT_SRV_HST, &princ);
+
+ if (krb5rc)
+ goto exit;
+
+ krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, princ,
+ 0 /* IGNORE_VNO */,
+ 0 /* IGNORE_ENCTYPE */,
+ &entry);
+ if (krb5rc == KRB5_KT_NOTFOUND) {
+ rc = 1;
+ goto exit;
+ } else if (krb5rc)
+ goto exit;
+
+ krb5_kt_free_entry(krb5context, &entry);
+ rc = 1;
+
+ exit:
+ if (krb5keytab)
+ krb5_kt_close(krb5context, krb5keytab);
+ if (princ)
+ krb5_free_principal(krb5context, princ);
+ if (krb5context)
+ krb5_free_context(krb5context);
+ return (rc);
}
-int
+int
kssl_tgt_is_available(KSSL_CTX *kssl_ctx)
- {
- krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
- krb5_context krb5context = NULL;
- krb5_ccache krb5ccdef = NULL;
- krb5_creds krb5creds, *krb5credsp = NULL;
- int rc = 0;
+{
+ krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
+ krb5_context krb5context = NULL;
+ krb5_ccache krb5ccdef = NULL;
+ krb5_creds krb5creds, *krb5credsp = NULL;
+ int rc = 0;
- memset((char *)&krb5creds, 0, sizeof(krb5creds));
+ memset((char *)&krb5creds, 0, sizeof(krb5creds));
- if (!kssl_ctx)
- return(0);
+ if (!kssl_ctx)
+ return (0);
- if (!kssl_ctx->service_host)
- return(0);
+ if (!kssl_ctx->service_host)
+ return (0);
- if ((krb5rc = krb5_init_context(&krb5context)) != 0)
- goto err;
+ if ((krb5rc = krb5_init_context(&krb5context)) != 0)
+ goto err;
- if ((krb5rc = krb5_sname_to_principal(krb5context,
- kssl_ctx->service_host,
- (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
- KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
- goto err;
+ if ((krb5rc = krb5_sname_to_principal(
+ krb5context, kssl_ctx->service_host,
+ (kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC,
+ KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
+ goto err;
- if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
- goto err;
+ if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
+ goto err;
- if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
- &krb5creds.client)) != 0)
- goto err;
+ if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
+ &krb5creds.client)) != 0)
+ goto err;
- if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
- &krb5creds, &krb5credsp)) != 0)
- goto err;
+ if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
+ &krb5creds, &krb5credsp)) != 0)
+ goto err;
- rc = 1;
+ rc = 1;
- err:
+ err:
#ifdef KSSL_DEBUG
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
- if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client);
- if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server);
- if (krb5context) krb5_free_context(krb5context);
- return(rc);
- }
+ if (krb5creds.client)
+ krb5_free_principal(krb5context, krb5creds.client);
+ if (krb5creds.server)
+ krb5_free_principal(krb5context, krb5creds.server);
+ if (krb5context)
+ krb5_free_context(krb5context);
+ return (rc);
+}
-void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
- {
+void
+kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
+{
#ifdef KRB5_HEIMDAL
data->length = 0;
- if (data->data)
- free(data->data);
+ if (data->data)
+ free(data->data);
#elif defined(KRB5_MIT_OLD11)
if (data->data) {
krb5_xfree(data->data);
data->data = 0;
- }
+ }
#else
krb5_free_data_contents(NULL, data);
#endif
- }
+}
/* Given pointers to KerberosTime and struct tm structs, convert the
** KerberosTime string to struct tm. Note that KerberosTime is a
@@ -1204,25 +1213,52 @@ void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
** Return pointer to the (partially) filled in struct tm on success,
** return NULL on failure.
*/
-static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
- {
+static struct tm
+*k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) {
char c, *p;
- if (!k_tm) return NULL;
- if (gtime == NULL || gtime->length < 14) return NULL;
- if (gtime->data == NULL) return NULL;
+ if (!k_tm)
+ return NULL;
+ if (gtime == NULL || gtime->length < 14)
+ return NULL;
+ if (gtime->data == NULL)
+ return NULL;
p = (char *)&gtime->data[14];
- c = *p; *p = '\0'; p -= 2; k_tm->tm_sec = atoi(p); *(p+2) = c;
- c = *p; *p = '\0'; p -= 2; k_tm->tm_min = atoi(p); *(p+2) = c;
- c = *p; *p = '\0'; p -= 2; k_tm->tm_hour = atoi(p); *(p+2) = c;
- c = *p; *p = '\0'; p -= 2; k_tm->tm_mday = atoi(p); *(p+2) = c;
- c = *p; *p = '\0'; p -= 2; k_tm->tm_mon = atoi(p)-1; *(p+2) = c;
- c = *p; *p = '\0'; p -= 4; k_tm->tm_year = atoi(p)-1900; *(p+4) = c;
+ c = *p;
+ *p = '\0';
+ p -= 2;
+ k_tm->tm_sec = atoi(p);
+ *(p + 2) = c;
+ c = *p;
+ *p = '\0';
+ p -= 2;
+ k_tm->tm_min = atoi(p);
+ *(p + 2) = c;
+ c = *p;
+ *p = '\0';
+ p -= 2;
+ k_tm->tm_hour = atoi(p);
+ *(p + 2) = c;
+ c = *p;
+ *p = '\0';
+ p -= 2;
+ k_tm->tm_mday = atoi(p);
+ *(p + 2) = c;
+ c = *p;
+ *p = '\0';
+ p -= 2;
+ k_tm->tm_mon = atoi(p) - 1;
+ *(p + 2) = c;
+ c = *p;
+ *p = '\0';
+ p -= 4;
+ k_tm->tm_year = atoi(p) - 1900;
+ *(p + 4) = c;
return k_tm;
- }
+}
/* Helper function for kssl_validate_times().
@@ -1230,19 +1266,22 @@ static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
** So we try to sneek the clockskew out through the replay cache.
** If that fails just return a likely default (300 seconds).
*/
-static krb5_deltat get_rc_clockskew(krb5_context context)
- {
+static krb5_deltat
+get_rc_clockskew(krb5_context context)
+{
krb5_rcache rc;
krb5_deltat clockskew;
- if (krb5_rc_default(context, &rc)) return KSSL_CLOCKSKEW;
- if (krb5_rc_initialize(context, rc, 0)) return KSSL_CLOCKSKEW;
+ if (krb5_rc_default(context, &rc))
+ return KSSL_CLOCKSKEW;
+ if (krb5_rc_initialize(context, rc, 0))
+ return KSSL_CLOCKSKEW;
if (krb5_rc_get_lifespan(context, rc, &clockskew)) {
clockskew = KSSL_CLOCKSKEW;
- }
- (void) krb5_rc_destroy(context, rc);
- return clockskew;
}
+ (void)krb5_rc_destroy(context, rc);
+ return clockskew;
+}
/* kssl_validate_times() combines (and more importantly exposes)
@@ -1255,34 +1294,41 @@ static krb5_deltat get_rc_clockskew(krb5_context context)
** See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
** 20010420 VRS
*/
-krb5_error_code kssl_validate_times( krb5_timestamp atime,
- krb5_ticket_times *ttimes)
- {
+krb5_error_code
+kssl_validate_times(krb5_timestamp atime, krb5_ticket_times *ttimes)
+{
krb5_deltat skew;
krb5_timestamp start, now;
krb5_error_code rc;
krb5_context context;
- if ((rc = krb5_init_context(&context))) return SSL_R_KRB5_S_BAD_TICKET;
- skew = get_rc_clockskew(context);
- if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET;
+ if ((rc = krb5_init_context(&context)))
+ return SSL_R_KRB5_S_BAD_TICKET;
+ skew = get_rc_clockskew(context);
+
+ if ((rc = krb5_timeofday(context, &now)))
+ return SSL_R_KRB5_S_BAD_TICKET;
krb5_free_context(context);
- if (atime && labs(atime - now) >= skew) return SSL_R_KRB5_S_TKT_SKEW;
+ if (atime && labs(atime - now) >= skew)
+ return SSL_R_KRB5_S_TKT_SKEW;
- if (! ttimes) return 0;
+ if (!ttimes)
+ return 0;
- start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime;
- if (start - now > skew) return SSL_R_KRB5_S_TKT_NYV;
- if ((now - ttimes->endtime) > skew) return SSL_R_KRB5_S_TKT_EXPIRED;
+ start = (ttimes->starttime != 0) ? ttimes->starttime : ttimes->authtime;
+ if (start - now > skew)
+ return SSL_R_KRB5_S_TKT_NYV;
+ if ((now - ttimes->endtime) > skew)
+ return SSL_R_KRB5_S_TKT_EXPIRED;
#ifdef KSSL_DEBUG
printf("kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n",
- start, atime, now, skew, ttimes->endtime);
+ start, atime, now, skew, ttimes->endtime);
#endif /* KSSL_DEBUG */
return 0;
- }
+}
/* Decode and decrypt given DER-encoded authenticator, then pass
@@ -1292,12 +1338,13 @@ krb5_error_code kssl_validate_times( krb5_timestamp atime,
** Note that kssl_check_authent() makes use of the KRB5 session key;
** you must call kssl_sget_tkt() to get the key before calling this routine.
*/
-krb5_error_code kssl_check_authent(
- /* IN */ KSSL_CTX *kssl_ctx,
- /* IN */ krb5_data *authentp,
- /* OUT */ krb5_timestamp *atimep,
- /* OUT */ KSSL_ERR *kssl_err )
- {
+krb5_error_code
+kssl_check_authent(
+ /* IN */ KSSL_CTX *kssl_ctx,
+ /* IN */ krb5_data *authentp,
+ /* OUT */ krb5_timestamp *atimep,
+ /* OUT */ KSSL_ERR *kssl_err )
+{
krb5_error_code krb5rc = 0;
KRB5_ENCDATA *dec_authent = NULL;
KRB5_AUTHENTBODY *auth = NULL;
@@ -1323,114 +1370,112 @@ krb5_error_code kssl_check_authent(
#endif
#endif /* KRB5CHECKAUTH */
- if (authentp == NULL || authentp->length == 0) return 0;
+ if (authentp == NULL || authentp->length == 0)
+ return 0;
#ifdef KSSL_DEBUG
- {
- unsigned int ui;
- printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
- p = authentp->data;
- for (ui=0; ui < authentp->length; ui++) printf("%02x ",p[ui]);
- printf("\n");
- }
+ {
+ unsigned int ui;
+ printf("kssl_check_authent: authenticator[%d]:\n", authentp->length);
+ p = authentp->data;
+
+ for (ui = 0; ui < authentp->length; ui++) printf("%02x ", p[ui]);
+ printf("\n");
+ }
#endif /* KSSL_DEBUG */
unencbufsize = 2 * authentp->length;
- if ((unenc_authent = calloc(1, unencbufsize)) == NULL)
- {
+ if ((unenc_authent = calloc(1, unencbufsize)) == NULL) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "Unable to allocate authenticator buffer.\n");
+ "Unable to allocate authenticator buffer.\n");
krb5rc = KRB5KRB_ERR_GENERIC;
goto err;
- }
+ }
p = (unsigned char *)authentp->data;
if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p,
- (long) authentp->length)) == NULL)
- {
+ (long)authentp->length)) == NULL) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "Error decoding authenticator.\n");
+ "Error decoding authenticator.\n");
krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto err;
- }
+ }
enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */
#if !defined(KRB5_MIT_OLD11)
- switch ( enctype ) {
- case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
- case ENCTYPE_DES3_CBC_SHA:
- case ENCTYPE_DES3_CBC_RAW:
- krb5rc = 0; /* Skip, can't handle derived keys */
- goto err;
- }
+ switch (enctype ) {
+ case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
+ case ENCTYPE_DES3_CBC_SHA:
+ case ENCTYPE_DES3_CBC_RAW:
+ krb5rc = 0;
+ /* Skip, can't handle derived keys */
+ goto err;
+ }
#endif
enc = kssl_map_enc(enctype);
- memset(iv, 0, sizeof iv); /* per RFC 1510 */
+ memset(iv, 0, sizeof iv);
+ /* per RFC 1510 */
- if (enc == NULL)
- {
+ if (enc == NULL) {
/* Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
** This enctype indicates the authenticator was encrypted
** using key-usage derived keys which openssl cannot decrypt.
*/
goto err;
- }
+ }
- if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0))
- {
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "EVP_CipherInit error decrypting authenticator.\n");
- krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto err;
- }
- outl = dec_authent->cipher->length;
- if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl))
- {
- kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "EVP_Cipher error decrypting authenticator.\n");
- krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
- goto err;
- }
- EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ if (!EVP_CipherInit(&ciph_ctx, enc, kssl_ctx->key, iv, 0)) {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "EVP_CipherInit error decrypting authenticator.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+ outl = dec_authent->cipher->length;
+ if (!EVP_Cipher(&ciph_ctx, unenc_authent, dec_authent->cipher->data, outl)) {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "EVP_Cipher error decrypting authenticator.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
#ifdef KSSL_DEBUG
{
- int padl;
- printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
- for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]);
- printf("\n");
+ int padl;
+ printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
+ for (padl = 0; padl < outl; padl++) printf("%02x ", unenc_authent[padl]);
+ printf("\n");
}
#endif /* KSSL_DEBUG */
- if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL)
- {
+ if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "confounded by authenticator.\n");
+ "confounded by authenticator.\n");
krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto err;
- }
+ }
outl -= p - unenc_authent;
- if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p,
- (long) outl))==NULL)
- {
+ if ((auth = (KRB5_AUTHENTBODY *)d2i_KRB5_AUTHENT(NULL, &p,
+ (long)outl)) == NULL) {
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
- "Error decoding authenticator body.\n");
+ "Error decoding authenticator body.\n");
krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto err;
- }
+ }
- memset(&tm_time,0,sizeof(struct tm));
- if (k_gmtime(auth->ctime, &tm_time) &&
- ((tr = mktime(&tm_time)) != (time_t)(-1)))
- {
- now = time(&now);
- tm_l = localtime(&now); tl = mktime(tm_l);
- tm_g = gmtime(&now); tg = mktime(tm_g);
- tz_offset = tg - tl;
+ memset(&tm_time, 0, sizeof(struct tm));
+ if (k_gmtime(auth->ctime, &tm_time) &&
+ ((tr = mktime(&tm_time)) != (time_t)(-1))) {
+ now = time(&now);
+ tm_l = localtime(&now);
+ tl = mktime(tm_l);
+ tm_g = gmtime(&now);
+ tg = mktime(tm_g);
+ tz_offset = tg - tl;
*atimep = (krb5_timestamp)(tr - tz_offset);
- }
+ }
#ifdef KSSL_DEBUG
printf("kssl_check_authent: returns %d for client time ", *atimep);
@@ -1439,13 +1484,16 @@ krb5_error_code kssl_check_authent(
else printf("NULL\n");
#endif /* KSSL_DEBUG */
- err:
- if (auth) KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
- if (dec_authent) KRB5_ENCDATA_free(dec_authent);
- if (unenc_authent) free(unenc_authent);
+err:
+ if (auth)
+ KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
+ if (dec_authent)
+ KRB5_ENCDATA_free(dec_authent);
+ if (unenc_authent)
+ free(unenc_authent);
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
return krb5rc;
- }
+}
/* Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
@@ -1453,33 +1501,38 @@ krb5_error_code kssl_check_authent(
** Returns krb5_error_code == ENOMEM on alloc error, otherwise
** passes back newly constructed principal, which should be freed by caller.
*/
-krb5_error_code kssl_build_principal_2(
- /* UPDATE */ krb5_context context,
- /* OUT */ krb5_principal *princ,
- /* IN */ int rlen, const char *realm,
- /* IN */ int slen, const char *svc,
- /* IN */ int hlen, const char *host)
- {
+krb5_error_code
+kssl_build_principal_2(
+ /* UPDATE */ krb5_context context,
+ /* OUT */ krb5_principal *princ,
+ /* IN */ int rlen, const char *realm,
+ /* IN */ int slen, const char *svc,
+ /* IN */ int hlen, const char *host)
+{
krb5_data *p_data = NULL;
krb5_principal new_p = NULL;
char *new_r = NULL;
- if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL ||
- (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data)))
- == NULL) goto err;
+ if ((p_data = (krb5_data *)calloc(2, sizeof(krb5_data))) == NULL ||
+ (new_p = (krb5_principal)calloc(1, sizeof(krb5_principal_data)))
+ == NULL)
+ goto err;
new_p->length = 2;
new_p->data = p_data;
- if ((new_r = calloc(1, rlen + 1)) == NULL) goto err;
+ if ((new_r = calloc(1, rlen + 1)) == NULL)
+ goto err;
memcpy(new_r, realm, rlen);
krb5_princ_set_realm_length(context, new_p, rlen);
krb5_princ_set_realm_data(context, new_p, new_r);
- if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) goto err;
+ if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL)
+ goto err;
memcpy(new_p->data[0].data, svc, slen);
new_p->data[0].length = slen;
- if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) goto err;
+ if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL)
+ goto err;
memcpy(new_p->data[1].data, host, hlen);
new_p->data[1].length = hlen;
@@ -1487,32 +1540,38 @@ krb5_error_code kssl_build_principal_2(
*princ = new_p;
return 0;
- err:
- if (new_p && new_p[0].data) free(new_p[0].data);
- if (new_p && new_p[1].data) free(new_p[1].data);
- if (new_p) free(new_p);
- if (new_r) free(new_r);
+err:
+ if (new_p && new_p[0].data)
+ free(new_p[0].data);
+ if (new_p && new_p[1].data)
+ free(new_p[1].data);
+ if (new_p)
+ free(new_p);
+ if (new_r)
+ free(new_r);
return ENOMEM;
- }
+}
-void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx)
- {
+void
+SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx)
+{
s->kssl_ctx = kctx;
- }
+}
-KSSL_CTX * SSL_get0_kssl_ctx(SSL *s)
- {
+KSSL_CTX *
+SSL_get0_kssl_ctx(SSL *s)
+{
return s->kssl_ctx;
- }
+}
-char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx)
- {
+char *
+kssl_ctx_get0_client_princ(KSSL_CTX *kctx)
+{
if (kctx)
return kctx->client_princ;
return NULL;
- }
+}
#else /* !OPENSSL_NO_KRB5 */
#endif /* !OPENSSL_NO_KRB5 */
-
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.