diff options
author | Tim Hudson <tjh@openssl.org> | 2014-12-28 12:48:40 +1000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2014-12-30 22:10:26 +0000 |
commit | 1d97c8435171a7af575f73c526d79e1ef0ee5960 (patch) | |
tree | 99405d276f1713c41130162ac64f6b01c95a0751 /ssl/kssl.c | |
parent | aa8a9266f91ce05068c5bf7eab44263c99d366f3 (diff) | |
download | openssl-1d97c8435171a7af575f73c526d79e1ef0ee5960.tar.gz |
mark all block comments that need format preserving so that
indent will not alter them when reformatting comments
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'ssl/kssl.c')
-rw-r--r-- | ssl/kssl.c | 245 |
1 files changed, 124 insertions, 121 deletions
diff --git a/ssl/kssl.c b/ssl/kssl.c index 10687f03ea..7009a580a4 100644 --- a/ssl/kssl.c +++ b/ssl/kssl.c @@ -56,15 +56,16 @@ */ -/* ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl -** -** 19990701 VRS Started. -** 200011?? Jeffrey Altman, Richard Levitte -** Generalized for Heimdal, Newer MIT, & Win32. -** Integrated into main OpenSSL 0.9.7 snapshots. -** 20010413 Simon Wilkinson, VRS -** Real RFC2712 KerberosWrapper replaces AP_REQ. -*/ +/*- + * ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl + * + * 19990701 VRS Started. + * 200011?? Jeffrey Altman, Richard Levitte + * Generalized for Heimdal, Newer MIT, & Win32. + * Integrated into main OpenSSL 0.9.7 snapshots. + * 20010413 Simon Wilkinson, VRS + * Real RFC2712 KerberosWrapper replaces AP_REQ. + */ #include <openssl/opensslconf.h> @@ -808,10 +809,10 @@ char } /* Given KRB5 enctype (basically DES or 3DES), -** return closest match openssl EVP_ encryption algorithm. -** Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes. -** Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK. -*/ + * return closest match openssl EVP_ encryption algorithm. + * Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes. + * Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK. + */ const EVP_CIPHER * kssl_map_enc(krb5_enctype enctype) { @@ -836,10 +837,10 @@ kssl_map_enc(krb5_enctype enctype) /* Return true:1 if p "looks like" the start of the real authenticator -** described in kssl_skip_confound() below. The ASN.1 pattern is -** "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and -** xx and yy are possibly multi-byte length fields. -*/ + * described in kssl_skip_confound() below. The ASN.1 pattern is + * "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and + * xx and yy are possibly multi-byte length fields. + */ static int kssl_test_confound(unsigned char *p) { int len = 2; @@ -866,15 +867,15 @@ static int kssl_test_confound(unsigned char *p) } /* Allocate, fill, and return cksumlens array of checksum lengths. -** This array holds just the unique elements from the krb5_cksumarray[]. -** array[n] == 0 signals end of data. -** -** The krb5_cksumarray[] was an internal variable that has since been -** replaced by a more general method for storing the data. It should -** not be used. Instead we use real API calls and make a guess for -** what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 -** it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. -*/ + * This array holds just the unique elements from the krb5_cksumarray[]. + * array[n] == 0 signals end of data. + * + * The krb5_cksumarray[] was an internal variable that has since been + * replaced by a more general method for storing the data. It should + * not be used. Instead we use real API calls and make a guess for + * what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 + * it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. + */ static size_t *populate_cksumlens(void) { int i, j, n; @@ -907,12 +908,12 @@ static size_t *populate_cksumlens(void) } /* Return pointer to start of real authenticator within authenticator, or -** return NULL on error. -** Decrypted authenticator looks like this: -** [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] -** This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the -** krb5_auth_con_getcksumtype() function advertised in its krb5.h. -*/ + * return NULL on error. + * Decrypted authenticator looks like this: + * [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] + * This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the + * krb5_auth_con_getcksumtype() function advertised in its krb5.h. + */ unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) { int i, conlen; @@ -934,8 +935,8 @@ unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) /* Set kssl_err error info when reason text is a simple string -** kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; } -*/ + * kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; } + */ void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) { @@ -1024,8 +1025,8 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk) /* Display contents of krb5_principal_data struct, for debugging -** (krb5_principal is typedef'd == krb5_principal_data *) -*/ + * (krb5_principal is typedef'd == krb5_principal_data *) + */ static void print_krb5_princ(char *label, krb5_principal_data *princ) { @@ -1047,16 +1048,16 @@ print_krb5_princ(char *label, krb5_principal_data *princ) } -/* Given krb5 service (typically "kssl") and hostname in kssl_ctx, -** Return encrypted Kerberos ticket for service @ hostname. -** If authenp is non-NULL, also return encrypted authenticator, -** whose data should be freed by caller. -** (Originally was: Create Kerberos AP_REQ message for SSL Client.) -** -** 19990628 VRS Started; Returns Kerberos AP_REQ message. -** 20010409 VRS Modified for RFC2712; Returns enc tkt. -** 20010606 VRS May also return optional authenticator. -*/ +/*- Given krb5 service (typically "kssl") and hostname in kssl_ctx, + * Return encrypted Kerberos ticket for service @ hostname. + * If authenp is non-NULL, also return encrypted authenticator, + * whose data should be freed by caller. + * (Originally was: Create Kerberos AP_REQ message for SSL Client.) + * + * 19990628 VRS Started; Returns Kerberos AP_REQ message. + * 20010409 VRS Modified for RFC2712; Returns enc tkt. + * 20010606 VRS May also return optional authenticator. + */ krb5_error_code kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, /* OUT */ krb5_data **enc_ticketp, @@ -1141,8 +1142,8 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, krb5rc = KRB5KRB_ERR_GENERIC; /* caller should free data of krb5_app_req */ /* 20010406 VRS deleted for real KerberosWrapper - ** 20010605 VRS reinstated to offer Authenticator to KerberosWrapper - */ + * 20010605 VRS reinstated to offer Authenticator to KerberosWrapper + */ krb5_app_req.length = 0; if (authenp) { @@ -1214,17 +1215,18 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, } -/* Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. -** Return Kerberos error code and kssl_err struct on error. -** Allocates krb5_ticket and krb5_principal; caller should free these. -** -** 20010410 VRS Implemented krb5_decode_ticket() as -** old_krb5_decode_ticket(). Missing from MIT1.0.6. -** 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. -** Re-used some of the old krb5_decode_ticket() -** code here. This tkt should alloc/free just -** like the real thing. -*/ +/*- + * Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. + * Return Kerberos error code and kssl_err struct on error. + * Allocates krb5_ticket and krb5_principal; caller should free these. + * + * 20010410 VRS Implemented krb5_decode_ticket() as + * old_krb5_decode_ticket(). Missing from MIT1.0.6. + * 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. + * Re-used some of the old krb5_decode_ticket() + * code here. This tkt should alloc/free just + * like the real thing. + */ static krb5_error_code kssl_TKT2tkt( /* IN */ krb5_context krb5context, /* IN */ KRB5_TKTBODY *asn1ticket, @@ -1299,12 +1301,12 @@ kssl_TKT2tkt( /* IN */ krb5_context krb5context, /* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), -** and krb5 AP_REQ message & message length, -** Return Kerberos session key and client principle -** to SSL Server in KSSL_CTX *kssl_ctx. -** -** 19990702 VRS Started. -*/ + * and krb5 AP_REQ message & message length, + * Return Kerberos session key and client principle + * to SSL Server in KSSL_CTX *kssl_ctx. + * + * 19990702 VRS Started. + */ krb5_error_code kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, /* IN */ krb5_data *indata, @@ -1419,19 +1421,20 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, } } - /* Actual Kerberos5 krb5_recvauth() has initial conversation here - ** o check KRB5_SENDAUTH_BADAUTHVERS - ** unless KRB5_RECVAUTH_SKIP_VERSION - ** o check KRB5_SENDAUTH_BADAPPLVERS - ** o send "0" msg if all OK - */ + /*- Actual Kerberos5 krb5_recvauth() has initial conversation here + * o check KRB5_SENDAUTH_BADAUTHVERS + * unless KRB5_RECVAUTH_SKIP_VERSION + * o check KRB5_SENDAUTH_BADAPPLVERS + * o send "0" msg if all OK + */ - /* 20010411 was using AP_REQ instead of true KerberosWrapper - ** - ** if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, - ** &krb5in_data, krb5server, krb5keytab, - ** &ap_option, &krb5ticket)) != 0) { Error } - */ + /*- + * 20010411 was using AP_REQ instead of true KerberosWrapper + * + * if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, + * &krb5in_data, krb5server, krb5keytab, + * &ap_option, &krb5ticket)) != 0) { Error } + */ p = (unsigned char *)indata->data; if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p, @@ -1568,8 +1571,8 @@ kssl_ctx_new(void) /* Frees a kssl_ctx struct and any allocated memory it holds. -** Returns NULL. -*/ + * Returns NULL. + */ KSSL_CTX * kssl_ctx_free(KSSL_CTX *kssl_ctx) { @@ -1589,9 +1592,9 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx) /* Given an array of (krb5_data *) entity (and optional realm), -** set the plain (char *) client_princ or service_host member -** of the kssl_ctx struct. -*/ + * set the plain (char *) client_princ or service_host member + * of the kssl_ctx struct. + */ krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, krb5_data *realm, krb5_data *entity, int nentities) @@ -1644,11 +1647,11 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, } -/* Set one of the plain (char *) string members of the kssl_ctx struct. -** Default values should be: -** which == KSSL_SERVICE => "khost" (KRB5SVC) -** which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) -*/ +/*- Set one of the plain (char *) string members of the kssl_ctx struct. + * Default values should be: + * which == KSSL_SERVICE => "khost" (KRB5SVC) + * which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) + */ krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) { @@ -1682,8 +1685,8 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) /* Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx -** struct. Clear kssl_ctx->key if Kerberos session key is NULL. -*/ + * struct. Clear kssl_ctx->key if Kerberos session key is NULL. + */ krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) { @@ -1897,12 +1900,12 @@ void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) /* Given pointers to KerberosTime and struct tm structs, convert the -** KerberosTime string to struct tm. Note that KerberosTime is a -** ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional -** seconds as defined in RFC 1510. -** Return pointer to the (partially) filled in struct tm on success, -** return NULL on failure. -*/ + * KerberosTime string to struct tm. Note that KerberosTime is a + * ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional + * seconds as defined in RFC 1510. + * Return pointer to the (partially) filled in struct tm on success, + * return NULL on failure. + */ static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) { char c, *p; @@ -1925,10 +1928,10 @@ static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) /* Helper function for kssl_validate_times(). -** We need context->clockskew, but krb5_context is an opaque struct. -** So we try to sneek the clockskew out through the replay cache. -** If that fails just return a likely default (300 seconds). -*/ + * We need context->clockskew, but krb5_context is an opaque struct. + * So we try to sneek the clockskew out through the replay cache. + * If that fails just return a likely default (300 seconds). + */ static krb5_deltat get_rc_clockskew(krb5_context context) { krb5_rcache rc; @@ -1945,15 +1948,15 @@ static krb5_deltat get_rc_clockskew(krb5_context context) /* kssl_validate_times() combines (and more importantly exposes) -** the MIT KRB5 internal function krb5_validate_times() and the -** in_clock_skew() macro. The authenticator client time is checked -** to be within clockskew secs of the current time and the current -** time is checked to be within the ticket start and expire times. -** Either check may be omitted by supplying a NULL value. -** Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. -** See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c -** 20010420 VRS -*/ + * the MIT KRB5 internal function krb5_validate_times() and the + * in_clock_skew() macro. The authenticator client time is checked + * to be within clockskew secs of the current time and the current + * time is checked to be within the ticket start and expire times. + * Either check may be omitted by supplying a NULL value. + * Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. + * See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c + * 20010420 VRS + */ krb5_error_code kssl_validate_times( krb5_timestamp atime, krb5_ticket_times *ttimes) { @@ -1985,12 +1988,12 @@ krb5_error_code kssl_validate_times( krb5_timestamp atime, /* Decode and decrypt given DER-encoded authenticator, then pass -** authenticator ctime back in *atimep (or 0 if time unavailable). -** Returns krb5_error_code and kssl_err on error. A NULL -** authenticator (authentp->length == 0) is not considered an error. -** Note that kssl_check_authent() makes use of the KRB5 session key; -** you must call kssl_sget_tkt() to get the key before calling this routine. -*/ + * authenticator ctime back in *atimep (or 0 if time unavailable). + * Returns krb5_error_code and kssl_err on error. A NULL + * authenticator (authentp->length == 0) is not considered an error. + * Note that kssl_check_authent() makes use of the KRB5 session key; + * you must call kssl_sget_tkt() to get the key before calling this routine. + */ krb5_error_code kssl_check_authent( /* IN */ KSSL_CTX *kssl_ctx, /* IN */ krb5_data *authentp, @@ -2069,9 +2072,9 @@ krb5_error_code kssl_check_authent( if (enc == NULL) { /* Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1. - ** This enctype indicates the authenticator was encrypted - ** using key-usage derived keys which openssl cannot decrypt. - */ + * This enctype indicates the authenticator was encrypted + * using key-usage derived keys which openssl cannot decrypt. + */ goto err; } @@ -2148,10 +2151,10 @@ krb5_error_code kssl_check_authent( /* Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host), -** because I don't know how to stub varargs. -** Returns krb5_error_code == ENOMEM on alloc error, otherwise -** passes back newly constructed principal, which should be freed by caller. -*/ + * because I don't know how to stub varargs. + * Returns krb5_error_code == ENOMEM on alloc error, otherwise + * passes back newly constructed principal, which should be freed by caller. + */ krb5_error_code kssl_build_principal_2( /* UPDATE */ krb5_context context, /* OUT */ krb5_principal *princ, |