Commit f9b3bff6 authored by Richard Levitte's avatar Richard Levitte

First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS. ...

First tentative implementation of Kerberos 5 cryptos and keys for SSL/TLS.  Implemented by Vern Staats <staatsvr@asc.hpc.mil>, further hacked and distributed by Jeffrey Altman <jaltnab@columbia.edu>
parent fc2e05c2
+58 −1
@@ -10,7 +10,7 @@ use strict;

# see INSTALL for instructions.

my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [no-threads] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx=vvv] os/compiler[:flags]\n";

# Options:
#
@@ -23,6 +23,16 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
#               default).  This needn't be set in advance, you can
#               just as well use "make INSTALL_PREFIX=/whatever install".
#
# --with-krb5-dir  Declare where Kerberos 5 lives.  The libraries are expected
#		to live in the subdirectory lib/ and the header files in
#		include/.
# --with-krb5-lib  Declare where the Kerberos 5 libraries live.
#		(Default: KRB5_DIR/lib)
# --with-krb5-include  Declare where the Kerberos 5 header files live.
#		(Default: KRB5_DIR/include)
# --with-krb5-flavor  Declare what flavor of Kerberos 5 is used.  Currently
#		supported values are "MIT" and "Heimdal".
#
# no-hw-xxx     do not compile support for specific crypto hardware.
#               Generic OpenSSL-style methods relating to this support
#               are always compiled but return NULL if the hardware
@@ -35,6 +45,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
# no-asm        do not use assembler
# no-dso        do not compile in any native shared-library methods. This
#               will ensure that all methods just return NULL.
# no-krb5       do not compile in any KRB5 library or code.
# 386           generate 80386 code
# no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through 
@@ -423,6 +434,7 @@ my $openssldir="";
my $install_prefix="";
my $no_threads=0;
my $no_shared=1;
my $no_krb5=0;
my $threads=0;
my $no_asm=0;
my $no_dso=0;
@@ -465,6 +477,7 @@ my $libs;
my $target;
my $options;
my $symlink;
my %withargs=();

my @argvcopy=@ARGV;
my $argvstring="";
@@ -509,6 +522,8 @@ PROCESS_ARGS:
			}
		elsif (/^no-dso$/)
			{ $no_dso=1; }
		elsif (/^no-krb5$/)
			{ $no_krb5=1; }
		elsif (/^no-threads$/)
			{ $no_threads=1; }
		elsif (/^threads$/)
@@ -589,6 +604,10 @@ PROCESS_ARGS:
				{
				$install_prefix=$1;
				}
			elsif (/^--with-krb5-(dir|lib|include|flavor)=(.*)$/)
				{
				$withargs{"krb5-".$1}=$2;
				}
			else
				{
				print STDERR $usage;
@@ -653,6 +672,38 @@ print "IsWindows=$IsWindows\n";
	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
$cflags="$flags$cflags" if ($flags ne "");

# Kerberos settings.  The flavor must be provided from outside, either through
# the script "config" or manually.
if ($no_krb5
	|| !defined($withargs{"krb5-flavor"})
	|| $withargs{"krb5-flavor"} eq "")
	{
	$cflags="-DNO_KRB5 $cflags";
	}
else
	{
	if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
		{
		$withargs{"krb5-dir"} = "/usr/heimdal"
			if $withargs{"krb5-dir"} eq "";
		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
			"/lib -lgssapi -lkrb5 -lcom_err"
			if $withargs{"krb5-lib"} eq "";
		$cflags="-DKRB5_HEIMDAL $cflags";
		}
	if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]$/)
		{
		$withargs{"krb5-dir"} = "/usr/kerberos"
			if $withargs{"krb5-dir"} eq "";
		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
			"/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto"
			if $withargs{"krb5-lib"} eq "";
		$cflags="-DKRB5_MIT $cflags";
		}
	$withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
		if $withargs{"krb5-include"} eq "" && $withargs{"krb5-dir"} ne "";
	}

# The DSO code currently always implements all functions so that no
# applications will have to worry about that from a compilation point
# of view. However, the "method"s may return zero unless that platform
@@ -845,6 +896,8 @@ while (<IN>)
	s/^PROCESSOR=.*/PROCESSOR= $processor/;
	s/^RANLIB=.*/RANLIB= $ranlib/;
	s/^PERL=.*/PERL= $perl/;
	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
@@ -878,6 +931,10 @@ print "RMD160_OBJ_ASM=$rmd160_obj\n";
print "PROCESSOR     =$processor\n";
print "RANLIB        =$ranlib\n";
print "PERL          =$perl\n";
print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n"
	if $withargs{"krb5-include"} ne "";
print "LIBKRB5       =",$withargs{"krb5-lib"},"\n"
	if $withargs{"krb5-lib"} ne "";

my $des_ptr=0;
my $des_risc1=0;
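Review bot: In the Kerberos settings block, a `--with-krb5-flavor` value other than Heimdal or MIT falls through both `if` tests without any diagnostic: `-DNO_KRB5` is not added, neither `-DKRB5_HEIMDAL` nor `-DKRB5_MIT` is added, and `krb5-lib` and `krb5-include` stay empty. Turning the second test into an `elsif` and adding `else { die "Unsupported --with-krb5-flavor: $withargs{'krb5-flavor'}\n"; }` would stop the configuration there instead of at compile or link time. The option comments also describe `--with-krb5-lib` and `--with-krb5-include` as locations, but a user-supplied value is substituted into `LIBKRB5=` and `KRB5_INCLUDES=` verbatim, without the `-L`/`-I` prefix and `-l` list that the defaults receive; the comment should state that complete flags are expected, or the code should add the prefix.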
+7 −3
@@ -149,6 +149,10 @@ RMD160_ASM_OBJ= asm/rm86-out.o
#RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
#RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi

# KRB5 stuff
KRB5_INCLUDES=
LIBKRB5=

# When we're prepared to use shared libraries in the programs we link here
# we might set SHLIB_MARK to '$(SHARED_LIBS)'.
SHLIB_MARK=
@@ -204,7 +208,7 @@ sub_all:
	do \
	if [ -d "$$i" ]; then \
		(cd $$i && echo "making all in $$i..." && \
		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' all ) || exit 1; \
	else \
		$(MAKE) $$i; \
	fi; \
@@ -373,7 +377,7 @@ links:
	@for i in $(DIRS); do \
	if [ -d "$$i" ]; then \
		(cd $$i && echo "making links in $$i..." && \
		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
	fi; \
	done;

@@ -396,7 +400,7 @@ test: tests

tests: rehash
	@(cd test && echo "testing..." && \
	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' TESTS='${TESTS}' tests );
	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' tests );
	@apps/openssl version -a

report:
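Review bot: `KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}'` is appended by hand to three separate `$(MAKE)` command lines (`sub_all`, `links`, `tests`), and those lines already differ from one another (`links` passes no `PROCESSOR` or `RANLIB`, `tests` no `PLATFORM` or `PERL`), so any recursive target not shown in these hunks may be left without the Kerberos settings. Collecting the pass-through assignments in one variable that each recipe expands would keep them in step. Both values originate from Configure's `--with-krb5-*` arguments and land inside single-quoted shell words, so a value containing `'` would end the word early; a comment under `# KRB5 stuff` such as `# values must not contain single quotes; they are passed to sub-makes as '...'` would record that constraint.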
+175 −166

File changed.

Preview size limit exceeded, changes collapsed.

+6 −0
@@ -420,6 +420,12 @@ bad:


	con=SSL_new(ctx);
#ifndef NO_KRB5
	if (con  &&  (con->kssl_ctx = kssl_ctx_new()) != NULL)
                {
                kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
		}
#endif	/* NO_KRB5  */
/*	SSL_set_cipher_list(con,"RC4-MD5"); */

re_start:
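Review bot: The new `#ifndef NO_KRB5` block discards the result of `kssl_ctx_setstring()` and skips silently when `kssl_ctx_new()` returns NULL, so a client that could not set up its Kerberos context gives no indication of it; the s_server hunk does the same for its two `kssl_ctx_setstring()` calls. If the function reports failure through its return value (its declaration is not on this page), the call could become `if (kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host)) BIO_printf(bio_err,"kssl_ctx_setstring failed\n");`. The block also mixes space and tab indentation, unlike the tab-indented lines around it. The enclosing function starts and ends outside the hunk.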
+7 −0
@@ -821,6 +821,13 @@ static int sv_body(char *hostname, int s, unsigned char *context)

	if (con == NULL) {
		con=SSL_new(ctx);
#ifndef NO_KRB5
		if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
                        {
                        kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
                        kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
                        }
#endif	/* NO_KRB5 */
		if(context)
		      SSL_set_session_id_context(con, context,
						 strlen((char *)context));
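Review bot: `con->kssl_ctx` is assigned right after `con=SSL_new(ctx);` without checking that `con` is non-NULL, so a failed `SSL_new()` is dereferenced here when Kerberos is compiled in; the matching s_client block guards with `con &&`. The condition should read `if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)`. `KRB5SVC` and `KRB5KEYTAB` are not defined in the visible lines, so a short comment naming where the service name and keytab path come from would help whoever deploys the server. `sv_body` continues outside the hunk.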