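/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL
 * project 2000.
 */
/* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

/*
** 19990701 VRS Started.
*/

#ifndef KSSL_H
#define KSSL_H

#include <openssl/opensslconf.h>

#ifndef OPENSSL_NO_KRB5

#include <stdio.h>
#include <ctype.h>
#include <krb5.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
** Depending on which KRB5 implementation used, some types from
** the other may be missing.  Resolve that here and now.
*/
#ifdef KRB5_HEIMDAL
typedef unsigned char krb5_octet;
#define FAR
#else

#ifndef FAR
#define FAR
#endif

#endif

/* Uncomment this to debug kssl problems or
** to trace usage of the Kerberos session key
**
** #define KSSL_DEBUG
**
** NOTE(review): by its own description this tracing follows the
** Kerberos session key, so a KSSL_DEBUG build may write key material
** to its debug output.  Never ship a production build with it defined.
*/

/* Build-time defaults.  Each may be overridden by defining the macro
** before this header is included (e.g. on the compiler command line).
*/
#ifndef KRB5SVC
#define KRB5SVC "host"                  /* default Kerberos service name */
#endif

#ifndef KRB5KEYTAB
#define KRB5KEYTAB "/etc/krb5.keytab"   /* default server keytab path */
#endif

#ifndef KRB5SENDAUTH
#define KRB5SENDAUTH 1      /* presumably: send the authenticator -- confirm in kssl.c */
#endif

#ifndef KRB5CHECKAUTH
#define KRB5CHECKAUTH 1     /* presumably: verify the authenticator -- confirm in kssl.c */
#endif

/* Tolerated clock skew, in seconds (presumably applied by
** kssl_validate_times() -- confirm in kssl.c).
**
** The previous definition expanded to `300;` (trailing semicolon), which
** made the macro a compile error inside any expression such as
** `if (delta > KSSL_CLOCKSKEW)`.  It is now a plain integer constant;
** existing uses of the form `skew = KSSL_CLOCKSKEW;` are unaffected.
*/
#ifndef KSSL_CLOCKSKEW
#define KSSL_CLOCKSKEW 300
#endif

/* Error record filled in by kssl_err_set() and returned through the
** KSSL_ERR * out-parameters of the functions below.
*/
#define KSSL_ERR_MAX 255
typedef struct kssl_err_st {
    int reason;                 /* reason code supplied to kssl_err_set() */
    char text[KSSL_ERR_MAX+1];  /* message; room for KSSL_ERR_MAX chars + NUL.
                                ** kssl_err_set() must bound its copy to this
                                ** size and NUL-terminate -- it is a fixed array. */
} KSSL_ERR;


/* Context for passing
** (1) Kerberos session key to SSL, and
** (2) Config data between application and SSL lib
**
** `key'/`length'/`enctype' hold the Kerberos session key installed by
** kssl_ctx_setkey().  That is secret material: whatever releases the
** context (kssl_ctx_free() is the candidate) should zeroize `key'
** before freeing it -- verify in kssl.c.
*/
typedef struct kssl_ctx_st
    {
                                /*      used by:    disposition:            */
    char *service_name;         /*      C,S         default ok (kssl)       */
    char *service_host;         /*      C           input, REQUIRED         */
    char *client_princ;         /*      S           output from krb5 ticket */
    char *keytab_file;          /*      S           NULL (/etc/krb5.keytab) */
    char *cred_cache;           /*      C           NULL (default)          */
    krb5_enctype enctype;       /* encryption type of the session key      */
    int length;                 /* length of `key' in bytes                */
    krb5_octet FAR *key;        /* session key bytes (secret)              */
    } KSSL_CTX;

/* Selector values.  Presumably the `which' argument of
** kssl_ctx_setstring() / kssl_ctx_setprinc(); which selector maps to
** which KSSL_CTX field is not visible here -- confirm in kssl.c.
*/
#define KSSL_CLIENT     1
#define KSSL_SERVER     2
#define KSSL_SERVICE    3
#define KSSL_KEYTAB     4

/* Status codes returned by the kssl_ctx_* functions. */
#define KSSL_CTX_OK     0
#define KSSL_CTX_ERR    1
#define KSSL_NOMEM      2

/* Public (for use by applications that use OpenSSL with Kerberos 5 support) */

/* Set the string field selected by `which' to `text'.  `text' is a
** non-const char * for historical reasons; the declaration is left
** unchanged so it keeps matching the definition in kssl.c.
*/
krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);

/* Allocate a new, empty context.  The caller owns the result and
** releases it with kssl_ctx_free().
*/
KSSL_CTX *kssl_ctx_new(void);

/* Release a context.  Returns a KSSL_CTX * -- presumably NULL, so callers
** can write `ctx = kssl_ctx_free(ctx);' -- confirm in kssl.c.
*/
KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);

/* Debugging aid that prints the context.  Because the context carries
** the session key, do not call this where its output reaches logs.
*/
void kssl_ctx_show(KSSL_CTX *kssl_ctx);

/* Build the principal selected by `which' from `realm' and the
** `nentities' components in `entity' and store it in the context.
*/
krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
        krb5_data *realm, krb5_data *entity, int nentities);

/* Client side: obtain the encrypted service ticket (*enc_tktp) and the
** authenticator (authenp) to send to the server.  On failure details
** are written to *kssl_err.
*/
krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp,
        krb5_data *authenp, KSSL_ERR *kssl_err);

/* Server side: decode the ticket received in `indata'; the ticket's
** validity times are returned in *ttimes.  On failure details are
** written to *kssl_err.
*/
krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata,
        krb5_ticket_times *ttimes, KSSL_ERR *kssl_err);

/* Install the Kerberos session key `session' into the context
** (enctype/length/key fields).
*/
krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);

/* Record `reason' and `text' in *kssl_err.  `text' is copied into a
** fixed KSSL_ERR_MAX+1 byte array, so the copy must be bounded.
*/
void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);

/* Free the contents of a krb5_data, hiding Heimdal/MIT API differences. */
void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data);

/* Build a service principal from explicit-length realm, service and
** host strings.
*/
krb5_error_code kssl_build_principal_2(krb5_context context,
        krb5_principal *princ, int rlen, const char *realm,
        int slen, const char *svc, int hlen, const char *host);

/* Check the authenticator time `atime' against the ticket times
** `ttimes' (presumably allowing KSSL_CLOCKSKEW seconds of skew --
** confirm in kssl.c).
*/
krb5_error_code kssl_validate_times(krb5_timestamp atime,
        krb5_ticket_times *ttimes);

/* Server side: verify the authenticator `authentp' using the session
** key in the context and return its timestamp in *atimep.  On failure
** details are written to *kssl_err.
*/
krb5_error_code kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp,
        krb5_timestamp *atimep, KSSL_ERR *kssl_err);

/* Return a pointer past the confounder that `enctype' prepends to
** `authn'.  No length is passed, so the caller must already have
** checked that `authn' holds at least the confounder for `enctype'.
*/
unsigned char *kssl_skip_confound(krb5_enctype enctype, unsigned char *authn);

#ifdef __cplusplus
}
#endif
#endif  /* OPENSSL_NO_KRB5 */
#endif  /* KSSL_H */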