Print this page
8982 Support building with OpenSSL 1.1
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+++ new/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h
1 1 /*
2 2 * COPYRIGHT (C) 2006,2007
3 3 * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
4 4 * ALL RIGHTS RESERVED
5 5 *
6 6 * Permission is granted to use, copy, create derivative works
7 7 * and redistribute this software and such derivative works
8 8 * for any purpose, so long as the name of The University of
9 9 * Michigan is not used in any advertising or publicity
10 10 * pertaining to the use of distribution of this software
11 11 * without specific, written prior authorization. If the
12 12 * above copyright notice or any other identification of the
13 13 * University of Michigan is included in any copy of any
14 14 * portion of this software, then the disclaimer below must
15 15 * also be included.
16 16 *
17 17 * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18 18 * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19 19 * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20 20 * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21 21 * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22 22 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
|
↓ open down ↓ |
22 lines elided |
↑ open up ↑ |
23 23 * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24 24 * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25 25 * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26 26 * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27 27 * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28 28 * SUCH DAMAGES.
29 29 */
30 30
31 31 /*
32 32 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
33 + * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
33 34 */
34 35
35 36 #ifndef _PKINIT_CRYPTO_OPENSSL_H
36 37 #define _PKINIT_CRYPTO_OPENSSL_H
37 38
38 39 #include <openssl/bn.h>
39 40 #include <openssl/dh.h>
40 41 #include <openssl/x509.h>
41 42 #include <openssl/pkcs7.h>
42 43 #include <openssl/pkcs12.h>
43 44 #include <openssl/obj_mac.h>
44 45 #include <openssl/x509v3.h>
45 46 #include <openssl/err.h>
46 47 #include <openssl/evp.h>
47 -#include <openssl/asn1_mac.h>
48 48 #include <openssl/sha.h>
49 49 #include <openssl/asn1.h>
50 50 #include <openssl/pem.h>
51 +#include <openssl/rsa.h>
51 52
53 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
54 +#include <openssl/asn1_mac.h>
55 +#else
56 +#include <openssl/asn1t.h>
57 +#endif
58 +
52 59 #include "pkinit.h"
53 60
54 61 #define DN_BUF_LEN 256
55 62 #define MAX_CREDS_ALLOWED 20
56 63
57 64 struct _pkinit_cred_info {
58 65 X509 *cert;
59 66 EVP_PKEY *key;
60 67 #ifndef WITHOUT_PKCS11
61 68 CK_BYTE_PTR cert_id;
62 69 int cert_id_len;
63 70 #endif
64 71 };
65 72 typedef struct _pkinit_cred_info * pkinit_cred_info;
66 73
67 74 struct _pkinit_identity_crypto_context {
68 75 pkinit_cred_info creds[MAX_CREDS_ALLOWED+1];
69 76 STACK_OF(X509) *my_certs; /* available user certs */
70 77 int cert_index; /* cert to use out of available certs*/
71 78 EVP_PKEY *my_key; /* available user keys if in filesystem */
72 79 STACK_OF(X509) *trustedCAs; /* available trusted ca certs */
73 80 STACK_OF(X509) *intermediateCAs; /* available intermediate ca certs */
74 81 STACK_OF(X509_CRL) *revoked; /* available crls */
75 82 int pkcs11_method;
76 83 krb5_prompter_fct prompter;
77 84 void *prompter_data;
78 85 #ifndef WITHOUT_PKCS11
79 86 char *p11_module_name;
80 87 CK_SLOT_ID slotid;
81 88 char *token_label;
82 89 char *cert_label;
83 90 char *PIN; /* Solaris Kerberos: */
84 91 /* These are crypto-specific */
85 92 void *p11_module;
86 93 CK_SESSION_HANDLE session;
87 94 CK_FUNCTION_LIST_PTR p11;
88 95 CK_BYTE_PTR cert_id;
89 96 int cert_id_len;
90 97 CK_MECHANISM_TYPE mech;
91 98 /* Solaris Kerberos: need to keep some state */
92 99 uint_t p11flags;
93 100 /*
94 101 * Solaris Kerberos:
95 102 * If PKCS#11 is already being used by the process then C_Finalize should
96 103 * not be called by pkinit as it would invalidate any PKCS#11 sessions the
97 104 * process was using prior to loading the pkinit plugin. "finalize_pkcs11"
98 105 * indicates whether or not C_Finalize should be called by pkinit.
99 106 */
100 107 krb5_boolean finalize_pkcs11;
101 108 #endif
102 109 };
103 110
104 111 /* Solaris Kerberos: need to know if login was done */
105 112 #define C_LOGIN_DONE 0x1 /* The session is logged in. */
106 113 #define C_PROMPTED_USER 0x2 /* The user was prompted for token. */
107 114 #define C_SKIP_PKCS11_AUTH 0x4 /* User does not want to do PKCS11 auth */
108 115
109 116 struct _pkinit_plg_crypto_context {
110 117 DH *dh_1024;
111 118 DH *dh_2048;
112 119 DH *dh_4096;
113 120 ASN1_OBJECT *id_pkinit_authData;
114 121 ASN1_OBJECT *id_pkinit_authData9;
115 122 ASN1_OBJECT *id_pkinit_DHKeyData;
116 123 ASN1_OBJECT *id_pkinit_rkeyData;
117 124 ASN1_OBJECT *id_pkinit_san;
118 125 ASN1_OBJECT *id_ms_san_upn;
119 126 ASN1_OBJECT *id_pkinit_KPClientAuth;
120 127 ASN1_OBJECT *id_pkinit_KPKdc;
121 128 ASN1_OBJECT *id_ms_kp_sc_logon;
122 129 ASN1_OBJECT *id_kp_serverAuth;
123 130 };
124 131
125 132 struct _pkinit_req_crypto_context {
126 133 X509 *received_cert;
127 134 DH *dh;
128 135 };
129 136
130 137 #define CERT_MAGIC 0x53534c43
131 138 struct _pkinit_cert_data {
132 139 unsigned int magic;
133 140 pkinit_plg_crypto_context plgctx;
134 141 pkinit_req_crypto_context reqctx;
135 142 pkinit_identity_crypto_context idctx;
136 143 pkinit_cred_info cred;
137 144 unsigned int index; /* Index of this cred in the creds[] array */
138 145 };
139 146
140 147 #define ITER_MAGIC 0x53534c49
141 148 struct _pkinit_cert_iter_data {
142 149 unsigned int magic;
143 150 pkinit_plg_crypto_context plgctx;
144 151 pkinit_req_crypto_context reqctx;
145 152 pkinit_identity_crypto_context idctx;
146 153 unsigned int index;
147 154 };
148 155
149 156 /* Solaris Kerberos */
150 157 static krb5_error_code openssl_init(void);
151 158
152 159 static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
153 160 static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
154 161
|
↓ open down ↓ |
93 lines elided |
↑ open up ↑ |
155 162 static krb5_error_code pkinit_init_dh_params(pkinit_plg_crypto_context );
156 163 static void pkinit_fini_dh_params(pkinit_plg_crypto_context );
157 164
158 165 static krb5_error_code pkinit_init_certs(pkinit_identity_crypto_context ctx);
159 166 static void pkinit_fini_certs(pkinit_identity_crypto_context ctx);
160 167
161 168 static krb5_error_code pkinit_init_pkcs11(pkinit_identity_crypto_context ctx);
162 169 static void pkinit_fini_pkcs11(pkinit_identity_crypto_context ctx);
163 170
164 171 static krb5_error_code pkinit_encode_dh_params
165 - (BIGNUM *, BIGNUM *, BIGNUM *, unsigned char **, unsigned int *);
172 + (const BIGNUM *, const BIGNUM *, const BIGNUM *,
173 + unsigned char **, unsigned int *);
166 174 static DH *pkinit_decode_dh_params
167 175 (DH **, unsigned char **, unsigned int );
168 176 static int pkinit_check_dh_params
169 - (BIGNUM * p1, BIGNUM * p2, BIGNUM * g1, BIGNUM * q1);
177 + (const BIGNUM *p1, const BIGNUM *p2, const BIGNUM *g1,
178 + const BIGNUM *q1);
170 179
171 180 static krb5_error_code pkinit_sign_data
172 181 (krb5_context context, pkinit_identity_crypto_context cryptoctx,
173 182 unsigned char *data, unsigned int data_len,
174 183 unsigned char **sig, unsigned int *sig_len);
175 184
176 185 static krb5_error_code create_signature
177 186 (unsigned char **, unsigned int *, unsigned char *, unsigned int,
178 187 EVP_PKEY *pkey);
179 188
180 189 static krb5_error_code pkinit_decode_data
181 190 (krb5_context context, pkinit_identity_crypto_context cryptoctx,
182 191 unsigned char *data, unsigned int data_len,
183 192 unsigned char **decoded, unsigned int *decoded_len);
184 193
185 194 static krb5_error_code decode_data
186 195 (unsigned char **, unsigned int *, unsigned char *, unsigned int,
187 196 EVP_PKEY *pkey, X509 *cert);
188 197
189 198 #ifdef DEBUG_DH
190 199 static void print_dh(DH *, char *);
191 200 static void print_pubkey(BIGNUM *, char *);
192 201 #endif
193 202
194 203 static int prepare_enc_data
195 204 (unsigned char *indata, int indata_len, unsigned char **outdata,
196 205 int *outdata_len);
197 206
198 207 static int openssl_callback (int, X509_STORE_CTX *);
199 208 static int openssl_callback_ignore_crls (int, X509_STORE_CTX *);
200 209
201 210 static int pkcs7_decrypt
202 211 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
203 212 PKCS7 *p7, BIO *bio);
204 213
205 214 static BIO * pkcs7_dataDecode
206 215 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
207 216 PKCS7 *p7);
208 217
209 218 static ASN1_OBJECT * pkinit_pkcs7type2oid
210 219 (pkinit_plg_crypto_context plg_cryptoctx, int pkcs7_type);
211 220
212 221 static krb5_error_code pkinit_create_sequence_of_principal_identifiers
213 222 (krb5_context context, pkinit_plg_crypto_context plg_cryptoctx,
214 223 pkinit_req_crypto_context req_cryptoctx,
215 224 pkinit_identity_crypto_context id_cryptoctx,
216 225 int type, krb5_data **out_data);
217 226
218 227 #ifndef WITHOUT_PKCS11
219 228 static krb5_error_code pkinit_find_private_key
220 229 (pkinit_identity_crypto_context, CK_ATTRIBUTE_TYPE usage,
221 230 CK_OBJECT_HANDLE *objp);
222 231 static krb5_error_code pkinit_login
223 232 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
224 233 CK_TOKEN_INFO *tip);
225 234 static void * pkinit_C_LoadModule(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p);
226 235 static CK_RV pkinit_C_UnloadModule(void *handle);
227 236 #ifdef SILLYDECRYPT
228 237 CK_RV pkinit_C_Decrypt
229 238 (pkinit_identity_crypto_context id_cryptoctx,
230 239 CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
231 240 CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen);
232 241 #endif
233 242
234 243 static krb5_error_code pkinit_sign_data_pkcs11
235 244 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
236 245 unsigned char *data, unsigned int data_len,
237 246 unsigned char **sig, unsigned int *sig_len);
238 247 static krb5_error_code pkinit_decode_data_pkcs11
239 248 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
240 249 unsigned char *data, unsigned int data_len,
241 250 unsigned char **decoded_data, unsigned int *decoded_data_len);
242 251 #endif /* WITHOUT_PKCS11 */
243 252
244 253 static krb5_error_code pkinit_sign_data_fs
245 254 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
246 255 unsigned char *data, unsigned int data_len,
247 256 unsigned char **sig, unsigned int *sig_len);
248 257 static krb5_error_code pkinit_decode_data_fs
249 258 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx,
250 259 unsigned char *data, unsigned int data_len,
251 260 unsigned char **decoded_data, unsigned int *decoded_data_len);
252 261
253 262 static krb5_error_code der_decode_data
254 263 (unsigned char *, long, unsigned char **, long *);
255 264
256 265 static krb5_error_code
257 266 create_krb5_invalidCertificates(krb5_context context,
258 267 pkinit_plg_crypto_context plg_cryptoctx,
259 268 pkinit_req_crypto_context req_cryptoctx,
260 269 pkinit_identity_crypto_context id_cryptoctx,
261 270 krb5_external_principal_identifier *** ids);
262 271
263 272 static krb5_error_code
264 273 create_identifiers_from_stack(STACK_OF(X509) *sk,
265 274 krb5_external_principal_identifier *** ids);
266 275 #ifdef LONGHORN_BETA_COMPAT
267 276 static int
|
↓ open down ↓ |
88 lines elided |
↑ open up ↑ |
268 277 wrap_signeddata(unsigned char *data, unsigned int data_len,
269 278 unsigned char **out, unsigned int *out_len,
270 279 int is_longhorn_server);
271 280 #else
272 281 static int
273 282 wrap_signeddata(unsigned char *data, unsigned int data_len,
274 283 unsigned char **out, unsigned int *out_len);
275 284 #endif
276 285
277 286 /* This handy macro borrowed from crypto/x509v3/v3_purp.c */
287 +
288 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
278 289 #define ku_reject(x, usage) \
279 290 (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
291 +#else
292 +#define ku_reject(x, usage) \
293 + ((X509_get_extension_flags(x) & EXFLAG_KUSAGE) && \
294 + !(X509_get_key_usage(x) & (usage)))
295 +#endif
280 296
281 297 static char *
282 298 pkinit_pkcs11_code_to_text(int err);
283 299
284 300 #endif /* _PKINIT_CRYPTO_OPENSSL_H */
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX