Commit 2a1ef754 authored by Richard Levitte

Patches from Vern Staats <staatsvr@asc.hpc.mil> to get Kerberos 5 in

SSL according to RFC 2712.  His comment is:

This is a patch to openssl-SNAP-20010702 to support Kerberized SSL
authentication.  I'm expecting to have the full kssl-0.5 kit up on
sourceforge by the end of the week.  The full kit includes patches
for mod-ssl, apache, and a few text clients.  The sourceforge URL
is http://sourceforge.net/projects/kssl/ .

Thanks to a note from Simon Wilkinson I've replaced my KRB5 AP_REQ
message with a real KerberosWrapper struct.  I think this is fully
RFC 2712 compliant now, including support for the optional
authenticator field.  I also added openssl-style ASN.1 macros for
a few Kerberos structs; see crypto/krb5/ if you're interested.
parent c148d709
+21 −2
@@ -723,6 +723,7 @@ if ($no_krb5
	}
else
	{
	my ($lresolv, $lpath, $lext);
	if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
		{
		$withargs{"krb5-dir"} = "/usr/heimdal"
@@ -732,7 +733,7 @@ else
			if $withargs{"krb5-lib"} eq "";
		$cflags="-DKRB5_HEIMDAL $cflags";
		}
	if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]$/)
	if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]/)
		{
		$withargs{"krb5-dir"} = "/usr/kerberos"
			if $withargs{"krb5-dir"} eq "";
@@ -740,9 +741,27 @@ else
			"/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto"
			if $withargs{"krb5-lib"} eq "";
		$cflags="-DKRB5_MIT $cflags";
		$withargs{"krb5-flavor"} =~ s/^[Mm][Ii][Tt][._-]*//;
		if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/)
			{
			$cflags="-DKRB5_MIT_OLD11 $cflags";
			}
		}
	LRESOLV:
	foreach $lpath ("/lib", "/usr/lib")
		{
		foreach $lext ("a", "so")
			{
			$lresolv = "$lpath/libresolv.$lext";
			last LRESOLV	if (-r "$lresolv");
			$lresolv = "";
			}
		}
	$withargs{"krb5-lib"} .= " -lresolv"
		if ("$lresolv");
	$withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
		if $withargs{"krb5-include"} eq "" && $withargs{"krb5-dir"} ne "";
		if $withargs{"krb5-include"} eq "" &&
		   $withargs{"krb5-dir"} ne "";
	}

# The DSO code currently always implements all functions so that no
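Review bot: The MIT version test added at `if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/)` is not anchored on the right, so a flavor string such as `MIT-1.10` would also get -DKRB5_MIT_OLD11 if such version strings are ever passed in; `/^1[._-]*[01](?![0-9])/` (or splitting on the separator) would pin it to 1.0 and 1.1. The libresolv probe looks only in /lib and /usr/lib, so on a system that keeps libresolv elsewhere `-lresolv` is silently left out of krb5-lib; a short diagnostic when `$lresolv` stays empty after the loop would make that visible at configure time. Minor style: `if ("$lresolv")` can simply be `if ($lresolv)`. The enclosing else block closes in this hunk but opens in the first hunk above.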
+2 −2
@@ -168,7 +168,7 @@ SDIRS= \
	des rc2 rc4 rc5 idea bf cast \
	bn ec rsa dsa dh dso engine rijndael \
	buffer bio stack lhash rand err objects \
	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui
	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5

# tests to perform.  "alltests" is a special word indicating that all tests
# should be performed.
@@ -458,7 +458,7 @@ depend:
	do \
	if [ -d "$$i" ]; then \
		(cd $$i && echo "making dependencies $$i..." && \
		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' depend ) || exit 1; \
		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' depend ) || exit 1; \
	fi; \
	done;

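Review bot: KRB5_INCLUDES is forwarded only in the `depend` recursion at `$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' depend`; the other recursive `$(MAKE)` invocations that descend into SDIRS (build, install, clean) are outside this hunk, so it is not visible whether they receive it as well. If they do not, dependency generation would find the Kerberos headers while the actual compile of the new crypto/krb5 directory presumably would not, failing only at build time. Worth checking that the same variable is passed on every `$(MAKE)` line that loops over SDIRS.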
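--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -863,8 +863,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 #ifndef OPENSSL_NO_KRB5
 		if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
                         {
-                        kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
-                        kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
+                        kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE,
+								KRB5SVC);
+                        kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB,
+								KRB5KEYTAB);
                         }
 #endif	/* OPENSSL_NO_KRB5 */
 		if(context)
@@ -1249,6 +1251,13 @@ static int www_body(char *hostname, int s, unsigned char *context)
 	if (!BIO_set_write_buffer_size(io,bufsize)) goto err;
 
 	if ((con=SSL_new(ctx)) == NULL) goto err;
+#ifndef OPENSSL_NO_KRB5
+	if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
+		{
+		kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
+		kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
+		}
+#endif	/* OPENSSL_NO_KRB5 */
 	if(context) SSL_set_session_id_context(con, context,
 					       strlen((char *)context));
 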
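Review bot: In both sv_body (the `if ((con->kssl_ctx = kssl_ctx_new()) != NULL)` block) and the new copy in www_body, a NULL return from kssl_ctx_new() is silently ignored and the return values of the two kssl_ctx_setstring() calls are discarded, so the server appears to continue with no Kerberos context or with the service/keytab names unset and no diagnostic. Adding `else BIO_printf(bio_err, "kssl_ctx_new failed\n");` after each block, and checking the setstring results the same way, would at least report the condition; whether a missing context makes the Kerberos handshake fail closed is not visible in these hunks. The www_body block repeats the sv_body one verbatim, so a small static helper taking the SSL * would keep the two in step. Both enclosing functions extend beyond the hunks.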
+1 −0
@@ -822,6 +822,7 @@ DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT)
DECLARE_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING)
DECLARE_ASN1_FUNCTIONS(ASN1_T61STRING)
DECLARE_ASN1_FUNCTIONS(ASN1_IA5STRING)
DECLARE_ASN1_FUNCTIONS(ASN1_GENERALSTRING)
DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME)
DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
DECLARE_ASN1_FUNCTIONS(ASN1_TIME)
+3 −0
@@ -91,6 +91,9 @@ IMPLEMENT_ASN1_FUNCTIONS(ASN1_T61STRING)
IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING)
IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING)

IMPLEMENT_ASN1_TYPE(ASN1_GENERALSTRING)
IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALSTRING)

IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME)
IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME)
