Patches from Vern Staats <staatsvr@asc.hpc.mil> to get Kerberos 5 in
SSL according to RFC 2712. His comment is:
This is a patch to openssl-SNAP-20010702 to support Kerberized SSL
authentication. I'm expecting to have the full kssl-0.5 kit up on
sourceforge by the end of the week. The full kit includes patches
for mod-ssl, apache, and a few text clients. The sourceforge URL
is http://sourceforge.net/projects/kssl/ .
Thanks to a note from Simon Wilkinson I've replaced my KRB5 AP_REQ
message with a real KerberosWrapper struct. I think this is fully
RFC 2712 compliant now, including support for the optional
authenticator field. I also added openssl-style ASN.1 macros for
a few Kerberos structs; see crypto/krb5/ if you're interested.
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 09fcc59..9fcf8c0 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -66,6 +66,7 @@
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include <openssl/krb5_asn.h>
#include "ssl_locl.h"
#ifndef OPENSSL_NO_KRB5
@@ -1452,13 +1453,46 @@
#ifndef OPENSSL_NO_KRB5
if (l & SSL_kKRB5)
{
- krb5_error_code krb5rc;
- KSSL_CTX *kssl_ctx = s->kssl_ctx;
+ krb5_error_code krb5rc;
+ krb5_data enc_ticket;
+ krb5_data authenticator;
+ krb5_data enc_pms;
+ KSSL_CTX *kssl_ctx = s->kssl_ctx;
+ EVP_CIPHER_CTX ciph_ctx;
+ EVP_CIPHER *enc = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+ unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH];
+ int padl, outl = sizeof(pms);
+ krb5_timestamp authtime = 0;
+ krb5_ticket_times ttimes;
if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
- if ((krb5rc = kssl_sget_tkt(kssl_ctx,
- s->init_buf->data, s->init_buf->length,
- &kssl_err)) != 0)
+
+ n2s(p,i);
+ enc_ticket.length = i;
+ enc_ticket.data = p;
+ p+=enc_ticket.length;
+
+ n2s(p,i);
+ authenticator.length = i;
+ authenticator.data = p;
+ p+=authenticator.length;
+
+ n2s(p,i);
+ enc_pms.length = i;
+ enc_pms.data = p;
+ p+=enc_pms.length;
+
+ if (n != enc_ticket.length + authenticator.length +
+ enc_pms.length + 6)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+
+ if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
+ &kssl_err)) != 0)
{
#ifdef KSSL_DEBUG
printf("kssl_sget_tkt rtn %d [%d]\n",
@@ -1471,34 +1505,71 @@
goto err;
}
+ /* Note: no authenticator is not considered an error,
+ ** but will return authtime == 0.
+ */
+ if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
+ &authtime, &kssl_err)) != 0)
+ {
+#ifdef KSSL_DEBUG
+ printf("kssl_check_authent rtn %d [%d]\n",
+ krb5rc, kssl_err.reason);
+ if (kssl_err.text)
+ printf("kssl_err text= %s\n", kssl_err.text);
+#endif /* KSSL_DEBUG */
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ kssl_err.reason);
+ goto err;
+ }
+
+ if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
+ {
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc);
+ goto err;
+ }
+
#ifdef KSSL_DEBUG
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
- /* 19991013 VRS - 3DES is kind of bogus here,
- ** at least until Kerberos supports 3DES. The only
- ** real secret is the 8-byte Kerberos session key;
- ** the other key material (client_random, server_random)
- ** could be sniffed. Nonces may help against replays though.
- **
- ** Alternate code for Kerberos Purists:
- **
- ** memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length);
- ** s->session->master_key_length = kssl_ctx->length;
- */
+ enc = kssl_map_enc(kssl_ctx->enctype);
+ memset(iv, 0, EVP_MAX_IV_LENGTH); /* per RFC 1510 */
+
+ EVP_DecryptInit(&ciph_ctx,enc,kssl_ctx->key,iv);
+ EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
+ enc_pms.data, enc_pms.length);
+ if (outl > SSL_MAX_MASTER_KEY_LENGTH)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+ EVP_DecryptFinal(&ciph_ctx,&(pms[outl]),&padl);
+ outl += padl;
+ if (outl > SSL_MAX_MASTER_KEY_LENGTH)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
- s->session->master_key, kssl_ctx->key, kssl_ctx->length);
- /* Was doing kssl_ctx_free() here, but it caused problems for apache.
- ** kssl_ctx = kssl_ctx_free(kssl_ctx);
- ** if (s->kssl_ctx) s->kssl_ctx = NULL;
+ s->session->master_key, pms, outl);
+
+ /* Was doing kssl_ctx_free() here,
+ ** but it caused problems for apache.
+ ** kssl_ctx = kssl_ctx_free(kssl_ctx);
+ ** if (s->kssl_ctx) s->kssl_ctx = NULL;
*/
}
else
#endif /* OPENSSL_NO_KRB5 */
{
al=SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_UNKNOWN_CIPHER_TYPE);
goto f_err;
}
