mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-24 10:34:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS. Implemented by Vern Staats <staatsvr@asc.hpc.mil>, further hacked and distributed by Jeffrey Altman <jaltnab@columbia.edu>

Browse Source
This commit is contained in:
Richard Levitte 2000-11-30 22:53:34 +00:00
parent fc2e05c2d5
commit f9b3bff6f7
21 changed files with 1870 additions and 808 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
Configure
View File

@ -10,7 +10,7 @@ use strict;
# see INSTALL for instructions.
my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [no-threads] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx=vvv] os/compiler[:flags]\n";
# Options:
#
@ -23,6 +23,16 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
# default). This needn't be set in advance, you can
# just as well use "make INSTALL_PREFIX=/whatever install".
#
# --with-krb5-dir Declare where Kerberos 5 lives. The libraries are expected
# to live in the subdirectory lib/ and the header files in
# include/.
# --with-krb5-lib Declare where the Kerberos 5 libraries live.
# (Default: KRB5_DIR/lib)
# --with-krb5-include Declare where the Kerberos 5 header files live.
# (Default: KRB5_DIR/include)
# --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
# supported values are "MIT" and "Heimdal".
#
# no-hw-xxx do not compile support for specific crypto hardware.
# Generic OpenSSL-style methods relating to this support
# are always compiled but return NULL if the hardware
@ -35,6 +45,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
# no-asm do not use assembler
# no-dso do not compile in any native shared-library methods. This
# will ensure that all methods just return NULL.
# no-krb5 do not compile in any KRB5 library or code.
# 386 generate 80386 code
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
@ -423,6 +434,7 @@ my $openssldir="";
my $install_prefix="";
my $no_threads=0;
my $no_shared=1;
my $no_krb5=0;
my $threads=0;
my $no_asm=0;
my $no_dso=0;
@ -465,6 +477,7 @@ my $libs;
my $target;
my $options;
my $symlink;
my %withargs=();
my @argvcopy=@ARGV;
my $argvstring="";
@ -509,6 +522,8 @@ PROCESS_ARGS:
}
elsif (/^no-dso$/)
{ $no_dso=1; }
elsif (/^no-krb5$/)
{ $no_krb5=1; }
elsif (/^no-threads$/)
{ $no_threads=1; }
elsif (/^threads$/)
@ -589,6 +604,10 @@ PROCESS_ARGS:
{
$install_prefix=$1;
}
elsif (/^--with-krb5-(dir|lib|include|flavor)=(.*)$/)
{
$withargs{"krb5-".$1}=$2;
}
else
{
print STDERR $usage;
@ -653,6 +672,38 @@ print "IsWindows=$IsWindows\n";
split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
$cflags="$flags$cflags" if ($flags ne "");
# Kerberos settings. The flavor must be provided from outside, either through
# the script "config" or manually.
if ($no_krb5
|| !defined($withargs{"krb5-flavor"})
|| $withargs{"krb5-flavor"} eq "")
{
$cflags="-DNO_KRB5 $cflags";
}
else
{
if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
{
$withargs{"krb5-dir"} = "/usr/heimdal"
if $withargs{"krb5-dir"} eq "";
$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
"/lib -lgssapi -lkrb5 -lcom_err"
if $withargs{"krb5-lib"} eq "";
$cflags="-DKRB5_HEIMDAL $cflags";
}
if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]$/)
{
$withargs{"krb5-dir"} = "/usr/kerberos"
if $withargs{"krb5-dir"} eq "";
$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
"/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto"
if $withargs{"krb5-lib"} eq "";
$cflags="-DKRB5_MIT $cflags";
}
$withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
if $withargs{"krb5-include"} eq "" && $withargs{"krb5-dir"} ne "";
}
# The DSO code currently always implements all functions so that no
# applications will have to worry about that from a compilation point
# of view. However, the "method"s may return zero unless that platform
@ -845,6 +896,8 @@ while (<IN>)
s/^PROCESSOR=.*/PROCESSOR= $processor/;
s/^RANLIB=.*/RANLIB= $ranlib/;
s/^PERL=.*/PERL= $perl/;
s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
@ -878,6 +931,10 @@ print "RMD160_OBJ_ASM=$rmd160_obj\n";
print "PROCESSOR =$processor\n";
print "RANLIB =$ranlib\n";
print "PERL =$perl\n";
print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n"
if $withargs{"krb5-include"} ne "";
print "LIBKRB5 =",$withargs{"krb5-lib"},"\n"
if $withargs{"krb5-lib"} ne "";
my $des_ptr=0;
my $des_risc1=0;

10
Makefile.org
View File

@ -149,6 +149,10 @@ RMD160_ASM_OBJ= asm/rm86-out.o
#RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD
#RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi
# KRB5 stuff
KRB5_INCLUDES=
LIBKRB5=
# When we're prepared to use shared libraries in the programs we link here
# we might set SHLIB_MARK to '$(SHARED_LIBS)'.
SHLIB_MARK=
@ -204,7 +208,7 @@ sub_all:
do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making all in $$i..." && \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' all ) || exit 1; \
else \
$(MAKE) $$i; \
fi; \
@ -373,7 +377,7 @@ links:
@for i in $(DIRS); do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making links in $$i..." && \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
fi; \
done;
@ -396,7 +400,7 @@ test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' TESTS='${TESTS}' tests );
$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' tests );
@apps/openssl version -a
report:

341
apps/Makefile.ssl
View File

@ -5,7 +5,7 @@
DIR= apps
TOP= ..
CC= cc
INCLUDES= -I../include
INCLUDES= -I../include $(KRB5_INCLUDES)
CFLAG= -g -static
INSTALL_PREFIX=
INSTALLTOP= /usr/local/ssl
@ -15,6 +15,9 @@ MAKEDEPEND= $(TOP)/util/domd $(TOP)
MAKEFILE= Makefile.ssl
PERL=/usr/local/bin/perl
RM= rm -f
# KRB5 stuff
KRB5_INCLUDES=
LIBKRB5=
PEX_LIBS=
EX_LIBS=
@ -134,7 +137,7 @@ $(DLIBCRYPTO):
$(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
$(RM) $(PROGRAM)
$(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
$(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS)
-(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; $(PERL) tools/c_rehash certs)
progs.h: progs.pl
@ -241,22 +244,23 @@ ciphers.o: ../include/openssl/dh.h ../include/openssl/dsa.h
ciphers.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
ciphers.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h
ciphers.o: ../include/openssl/idea.h ../include/openssl/lhash.h
ciphers.o: ../include/openssl/md2.h ../include/openssl/md4.h
ciphers.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
ciphers.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
ciphers.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
ciphers.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
ciphers.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
ciphers.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h
ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
ciphers.o: ../include/openssl/idea.h ../include/openssl/kssl.h
ciphers.o: ../include/openssl/lhash.h ../include/openssl/md2.h
ciphers.o: ../include/openssl/md4.h ../include/openssl/md5.h
ciphers.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
ciphers.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
ciphers.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
ciphers.o: ../include/openssl/rand.h ../include/openssl/rc2.h
ciphers.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
ciphers.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
ciphers.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
ciphers.o: ../include/openssl/tls1.h ../include/openssl/x509.h
ciphers.o: ../include/openssl/x509_vfy.h apps.h
crl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
crl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
crl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -421,22 +425,23 @@ engine.o: ../include/openssl/dh.h ../include/openssl/dsa.h
engine.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
engine.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
engine.o: ../include/openssl/err.h ../include/openssl/evp.h
engine.o: ../include/openssl/idea.h ../include/openssl/lhash.h
engine.o: ../include/openssl/md2.h ../include/openssl/md4.h
engine.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
engine.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h
engine.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
engine.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
engine.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
engine.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
engine.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h
engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
engine.o: ../include/openssl/idea.h ../include/openssl/kssl.h
engine.o: ../include/openssl/lhash.h ../include/openssl/md2.h
engine.o: ../include/openssl/md4.h ../include/openssl/md5.h
engine.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
engine.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
engine.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
engine.o: ../include/openssl/rand.h ../include/openssl/rc2.h
engine.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
engine.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
engine.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
engine.o: ../include/openssl/safestack.h ../include/openssl/sha.h
engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
engine.o: ../include/openssl/tls1.h ../include/openssl/x509.h
engine.o: ../include/openssl/x509_vfy.h apps.h
errstr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
errstr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
errstr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -446,22 +451,23 @@ errstr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
errstr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
errstr.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
errstr.o: ../include/openssl/err.h ../include/openssl/evp.h
errstr.o: ../include/openssl/idea.h ../include/openssl/lhash.h
errstr.o: ../include/openssl/md2.h ../include/openssl/md4.h
errstr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
errstr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
errstr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
errstr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
errstr.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
errstr.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
errstr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
errstr.o: ../include/openssl/idea.h ../include/openssl/kssl.h
errstr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
errstr.o: ../include/openssl/md4.h ../include/openssl/md5.h
errstr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
errstr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
errstr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
errstr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
errstr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
errstr.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
errstr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
errstr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
errstr.o: ../include/openssl/x509_vfy.h apps.h
gendh.o: ../include/openssl/asn1.h ../include/openssl/bio.h
gendh.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
gendh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -559,23 +565,23 @@ openssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h
openssl.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
openssl.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
openssl.o: ../include/openssl/err.h ../include/openssl/evp.h
openssl.o: ../include/openssl/idea.h ../include/openssl/lhash.h
openssl.o: ../include/openssl/md2.h ../include/openssl/md4.h
openssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
openssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
openssl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
openssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
openssl.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
openssl.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
openssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
openssl.o: progs.h s_apps.h
openssl.o: ../include/openssl/idea.h ../include/openssl/kssl.h
openssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
openssl.o: ../include/openssl/md4.h ../include/openssl/md5.h
openssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
openssl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
openssl.o: ../include/openssl/rand.h ../include/openssl/rc2.h
openssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
openssl.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
openssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
openssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
openssl.o: ../include/openssl/x509_vfy.h apps.h progs.h s_apps.h
passwd.o: ../include/openssl/asn1.h ../include/openssl/bio.h
passwd.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
passwd.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -762,22 +768,23 @@ s_cb.o: ../include/openssl/dh.h ../include/openssl/dsa.h
s_cb.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s_cb.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h
s_cb.o: ../include/openssl/idea.h ../include/openssl/lhash.h
s_cb.o: ../include/openssl/md2.h ../include/openssl/md4.h
s_cb.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
s_cb.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
s_cb.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
s_cb.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
s_cb.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
s_cb.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h
s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h s_apps.h
s_cb.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s_cb.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s_cb.o: ../include/openssl/md4.h ../include/openssl/md5.h
s_cb.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s_cb.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
s_cb.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s_cb.o: ../include/openssl/rand.h ../include/openssl/rc2.h
s_cb.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
s_cb.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
s_cb.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
s_cb.o: ../include/openssl/tls1.h ../include/openssl/x509.h
s_cb.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
s_client.o: ../include/openssl/asn1.h ../include/openssl/bio.h
s_client.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
s_client.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -787,23 +794,23 @@ s_client.o: ../include/openssl/dh.h ../include/openssl/dsa.h
s_client.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s_client.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
s_client.o: ../include/openssl/err.h ../include/openssl/evp.h
s_client.o: ../include/openssl/idea.h ../include/openssl/lhash.h
s_client.o: ../include/openssl/md2.h ../include/openssl/md4.h
s_client.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
s_client.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
s_client.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
s_client.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
s_client.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h
s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
s_client.o: s_apps.h
s_client.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s_client.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s_client.o: ../include/openssl/md4.h ../include/openssl/md5.h
s_client.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s_client.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
s_client.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s_client.o: ../include/openssl/rand.h ../include/openssl/rc2.h
s_client.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
s_client.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
s_client.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
s_client.o: ../include/openssl/tls1.h ../include/openssl/x509.h
s_client.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
s_server.o: ../include/openssl/asn1.h ../include/openssl/bio.h
s_server.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
s_server.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -813,23 +820,23 @@ s_server.o: ../include/openssl/dh.h ../include/openssl/dsa.h
s_server.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s_server.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
s_server.o: ../include/openssl/err.h ../include/openssl/evp.h
s_server.o: ../include/openssl/idea.h ../include/openssl/lhash.h
s_server.o: ../include/openssl/md2.h ../include/openssl/md4.h
s_server.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
s_server.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
s_server.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
s_server.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
s_server.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h
s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
s_server.o: s_apps.h
s_server.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s_server.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s_server.o: ../include/openssl/md4.h ../include/openssl/md5.h
s_server.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s_server.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
s_server.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s_server.o: ../include/openssl/rand.h ../include/openssl/rc2.h
s_server.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
s_server.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
s_server.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
s_server.o: ../include/openssl/tls1.h ../include/openssl/x509.h
s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
s_socket.o: ../include/openssl/asn1.h ../include/openssl/bio.h
s_socket.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
s_socket.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -839,22 +846,23 @@ s_socket.o: ../include/openssl/dh.h ../include/openssl/dsa.h
s_socket.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s_socket.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
s_socket.o: ../include/openssl/evp.h ../include/openssl/idea.h
s_socket.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s_socket.o: ../include/openssl/md4.h ../include/openssl/md5.h
s_socket.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s_socket.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
s_socket.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s_socket.o: ../include/openssl/rand.h ../include/openssl/rc2.h
s_socket.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
s_socket.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
s_socket.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
s_socket.o: ../include/openssl/tls1.h ../include/openssl/x509.h
s_socket.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
s_socket.o: ../include/openssl/md2.h ../include/openssl/md4.h
s_socket.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h
s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
s_socket.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
s_socket.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
s_socket.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
s_socket.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h
s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
s_socket.o: s_apps.h
s_time.o: ../include/openssl/asn1.h ../include/openssl/bio.h
s_time.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
s_time.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -864,23 +872,23 @@ s_time.o: ../include/openssl/dh.h ../include/openssl/dsa.h
s_time.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s_time.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
s_time.o: ../include/openssl/err.h ../include/openssl/evp.h
s_time.o: ../include/openssl/idea.h ../include/openssl/lhash.h
s_time.o: ../include/openssl/md2.h ../include/openssl/md4.h
s_time.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
s_time.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
s_time.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
s_time.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
s_time.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
s_time.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
s_time.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h
s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
s_time.o: s_apps.h
s_time.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s_time.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s_time.o: ../include/openssl/md4.h ../include/openssl/md5.h
s_time.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s_time.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
s_time.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s_time.o: ../include/openssl/rand.h ../include/openssl/rc2.h
s_time.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
s_time.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
s_time.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
s_time.o: ../include/openssl/tls1.h ../include/openssl/x509.h
s_time.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
sess_id.o: ../include/openssl/asn1.h ../include/openssl/bio.h
sess_id.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
sess_id.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@ -890,22 +898,23 @@ sess_id.o: ../include/openssl/dh.h ../include/openssl/dsa.h
sess_id.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
sess_id.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h
sess_id.o: ../include/openssl/idea.h ../include/openssl/lhash.h
sess_id.o: ../include/openssl/md2.h ../include/openssl/md4.h
sess_id.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
sess_id.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
sess_id.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
sess_id.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
sess_id.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
sess_id.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h
sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
sess_id.o: ../include/openssl/idea.h ../include/openssl/kssl.h
sess_id.o: ../include/openssl/lhash.h ../include/openssl/md2.h
sess_id.o: ../include/openssl/md4.h ../include/openssl/md5.h
sess_id.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
sess_id.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
sess_id.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
sess_id.o: ../include/openssl/rand.h ../include/openssl/rc2.h
sess_id.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
sess_id.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
sess_id.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h
sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
sess_id.o: ../include/openssl/tls1.h ../include/openssl/x509.h
sess_id.o: ../include/openssl/x509_vfy.h apps.h
smime.o: ../include/openssl/asn1.h ../include/openssl/bio.h
smime.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
smime.o: ../include/openssl/buffer.h ../include/openssl/cast.h

6
apps/s_client.c
View File

@ -420,6 +420,12 @@ bad:
con=SSL_new(ctx);
#ifndef NO_KRB5
if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)
{
kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
}
#endif /* NO_KRB5 */
/* SSL_set_cipher_list(con,"RC4-MD5"); */
re_start:

7
apps/s_server.c
View File

@ -821,6 +821,13 @@ static int sv_body(char *hostname, int s, unsigned char *context)
if (con == NULL) {
con=SSL_new(ctx);
#ifndef NO_KRB5
if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
{
kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
}
#endif /* NO_KRB5 */
if(context)
SSL_set_session_id_context(con, context,
strlen((char *)context));

21
config
View File

@ -536,6 +536,27 @@ do
fi
done
# Discover Kerberos 5 (since it's still a prototype, we don't
# do any guesses yet, that's why this section is commented away.
#if [ -d /usr/kerberos ]; then
# krb5_dir=/usr/kerberos
# if [ \( -f $krb5_dir/lib/libgssapi_krb5.a -o -f $krb5_dir/lib/libgssapi_krb5.so* \)\
# -a \( -f $krb5_dir/lib/libkrb5.a -o -f $krb5_dir/lib/libkrb5.so* \)\
# -a \( -f $krb5_dir/lib/libcom_err.a -o -f $krb5_dir/lib/libcom_err.so* \)\
# -a \( -f $krb5_dir/lib/libk5crypto.a -o -f $krb5_dir/lib/libk5crypto.so* \)\
# -a \( -f $krb5_dir/include/krb5.h \) ]; then
# options="$options --with-krb5-flavor=MIT"
# fi
#elif [ -d /usr/heimdal ]; then
# krb5_dir=/usr/heimdal
# if [ \( -f $krb5_dir/lib/libgssapi.a -o -f $krb5_dir/lib/libgssapi.so* \)\
# -a \( -f $krb5_dir/lib/libkrb5.a -o -f $krb5_dir/lib/libkrb5.so* \)\
# -a \( -f $krb5_dir/lib/libcom_err.a -o -f $krb5_dir/lib/libcom_err.so* \)\
# -a \( -f $krb5_dir/include/krb5.h \) ]; then
# options="$options --with-krb5-flavor=Heimdal"
# fi
#fi
if [ -z "$OUT" ]; then
OUT="$CC"
fi

21
crypto/evp/e_des3.c
View File

@ -93,6 +93,17 @@ static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
#ifdef KSSL_DEBUG
{
int i;
char *cp;
printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", ctx, ctx->buf_len);
printf("\t iv= ");
for(i=0;i<8;i++)
printf("%02X",ctx->iv[i]);
printf("\n");
}
#endif /* KSSL_DEBUG */
des_ede3_cbc_encrypt(in, out, (long)inl,
ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
(des_cblock *)ctx->iv, ctx->encrypt);
@ -145,6 +156,16 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
des_cblock *deskey = (des_cblock *)key;
#ifdef KSSL_DEBUG
{
int i;
printf("des_ede3_init_key(ctx=%lx)\n", ctx);
printf("\tKEY= ");
for(i=0;i<24;i++) printf("%02X",key[i]); printf("\n");
printf("\t IV= ");
for(i=0;i<8;i++) printf("%02X",iv[i]); printf("\n");
}
#endif /* KSSL_DEBUG */
des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);

1140
ssl/Makefile.ssl
View File

File diff suppressed because it is too large Load Diff

494
ssl/kssl.c
View File

@ -65,6 +65,412 @@
#include <string.h>
#include <openssl/ssl.h>
/*
* When OpenSSL is built on Windows, we do not want to require that
* the Kerberos DLLs be available in order for the OpenSSL DLLs to
* work. Therefore, all Kerberos routines are loaded at run time
* and we do not link to a .LIB file.
*/
#if defined(WINDOWS) || defined(WIN32)
/*
* The purpose of the following pre-processor statements is to provide
* compatibility with different releases of MIT Kerberos for Windows.
* All versions up to 1.2 used macros. But macros do not allow for
* a binary compatible interface for DLLs. Therefore, all macros are
* being replaced by function calls. The following code will allow
* an OpenSSL DLL built on Windows to work whether or not the macro
* or function form of the routines are utilized.
*/
#ifdef krb5_cc_get_principal
#define NO_DEF_KRB5_CCACHE
#undef krb5_cc_get_principal
#endif
#define krb5_cc_get_principal kssl_krb5_cc_get_principal
#define krb5_free_data_contents kssl_krb5_free_data_contents
#define krb5_free_context kssl_krb5_free_context
#define krb5_auth_con_free kssl_krb5_auth_con_free
#define krb5_free_principal kssl_krb5_free_principal
#define krb5_mk_req_extended kssl_krb5_mk_req_extended
#define krb5_get_credentials kssl_krb5_get_credentials
#define krb5_cc_default kssl_krb5_cc_default
#define krb5_sname_to_principal kssl_krb5_sname_to_principal
#define krb5_init_context kssl_krb5_init_context
#define krb5_free_ticket kssl_krb5_free_ticket
#define krb5_rd_req kssl_krb5_rd_req
#define krb5_kt_default kssl_krb5_kt_default
#define krb5_kt_resolve kssl_krb5_kt_resolve
#define krb5_auth_con_init kssl_krb5_auth_con_init
/* Prototypes for built in stubs */
void kssl_krb5_free_data_contents(krb5_context, krb5_data *);
void kssl_krb5_free_principal(krb5_context, krb5_principal );
krb5_error_code kssl_krb5_kt_resolve(krb5_context,
krb5_const char *,
krb5_keytab *);
krb5_error_code kssl_krb5_kt_default(krb5_context,
krb5_keytab *);
krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *);
krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *,
krb5_const krb5_data *,
krb5_const_principal, krb5_keytab,
krb5_flags *,krb5_ticket **);
krb5_error_code kssl_krb5_mk_req_extended(krb5_context,
krb5_auth_context *,
krb5_const krb5_flags,
krb5_data *,
krb5_creds *,
krb5_data * );
krb5_error_code kssl_krb5_init_context(krb5_context *);
void kssl_krb5_free_context(krb5_context);
krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache *);
krb5_error_code kssl_krb5_sname_to_principal(krb5_context,
krb5_const char *,
krb5_const char *,
krb5_int32,
krb5_principal *);
krb5_error_code kssl_krb5_get_credentials(krb5_context,
krb5_const krb5_flags,
krb5_ccache,
krb5_creds *,
krb5_creds * *);
krb5_error_code kssl_krb5_auth_con_init(krb5_context,
krb5_auth_context *);
krb5_error_code kssl_krb5_cc_get_principal(krb5_context context,
krb5_ccache cache,
krb5_principal *principal);
krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context);
/* Function pointers (almost all Kerberos functions are _stdcall) */
static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *)=NULL;
static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal )=NULL;
static krb5_error_code(_stdcall *p_krb5_kt_resolve)(krb5_context, krb5_const char *,
krb5_keytab *)=NULL;
static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context,
krb5_keytab *)=NULL;
static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context,
krb5_ticket *)=NULL;
static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context,
krb5_auth_context *,
krb5_const krb5_data *,
krb5_const_principal,
krb5_keytab, krb5_flags *,
krb5_ticket **)=NULL;
static krb5_error_code (_stdcall *p_krb5_mk_req_extended) (krb5_context,
krb5_auth_context *,
krb5_const krb5_flags,
krb5_data *,
krb5_creds *,
krb5_data * )=NULL;
static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL;
static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL;
static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context,
krb5_ccache *)=NULL;
static krb5_error_code (_stdcall *p_krb5_sname_to_principal)(krb5_context,
krb5_const char *,
krb5_const char *,
krb5_int32,
krb5_principal *)=NULL;
static krb5_error_code (_stdcall *p_krb5_get_credentials)(krb5_context,
krb5_const krb5_flags,
krb5_ccache,
krb5_creds *,
krb5_creds * *)=NULL;
static krb5_error_code (_stdcall *p_krb5_auth_con_init)(krb5_context,
krb5_auth_context *)=NULL;
static krb5_error_code (_stdcall *p_krb5_cc_get_principal)(krb5_context context,
krb5_ccache cache,
krb5_principal *principal)=NULL;
static krb5_error_code (_stdcall *p_krb5_auth_con_free)(krb5_context,
krb5_auth_context)=NULL;
static int krb5_loaded = 0; /* only attempt to initialize func ptrs once */
/* Function to Load the Kerberos 5 DLL and initialize function pointers */
void
load_krb5_dll(void)
{
HANDLE hKRB5_32;
krb5_loaded++;
hKRB5_32 = LoadLibrary("KRB5_32");
if (!hKRB5_32)
return;
(FARPROC) p_krb5_free_data_contents =
GetProcAddress( hKRB5_32, "krb5_free_data_contents" );
(FARPROC) p_krb5_free_context =
GetProcAddress( hKRB5_32, "krb5_free_context" );
(FARPROC) p_krb5_auth_con_free =
GetProcAddress( hKRB5_32, "krb5_auth_con_free" );
(FARPROC) p_krb5_free_principal =
GetProcAddress( hKRB5_32, "krb5_free_principal" );
(FARPROC) p_krb5_mk_req_extended =
GetProcAddress( hKRB5_32, "krb5_mk_req_extended" );
(FARPROC) p_krb5_get_credentials =
GetProcAddress( hKRB5_32, "krb5_get_credentials" );
(FARPROC) p_krb5_cc_get_principal =
GetProcAddress( hKRB5_32, "krb5_cc_get_principal" );
(FARPROC) p_krb5_cc_default =
GetProcAddress( hKRB5_32, "krb5_cc_default" );
(FARPROC) p_krb5_sname_to_principal =
GetProcAddress( hKRB5_32, "krb5_sname_to_principal" );
(FARPROC) p_krb5_init_context =
GetProcAddress( hKRB5_32, "krb5_init_context" );
(FARPROC) p_krb5_free_ticket =
GetProcAddress( hKRB5_32, "krb5_free_ticket" );
(FARPROC) p_krb5_rd_req =
GetProcAddress( hKRB5_32, "krb5_rd_req" );
(FARPROC) p_krb5_kt_default =
GetProcAddress( hKRB5_32, "krb5_kt_default" );
(FARPROC) p_krb5_kt_resolve =
GetProcAddress( hKRB5_32, "krb5_kt_resolve" );
(FARPROC) p_krb5_auth_con_init =
GetProcAddress( hKRB5_32, "krb5_auth_con_init" );
}
/* Stubs for each function to be dynamicly loaded */
void
kssl_krb5_free_data_contents(krb5_context CO, krb5_data * data)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_free_data_contents )
p_krb5_free_data_contents(CO,data);
}
krb5_error_code
kssl_krb5_mk_req_extended (krb5_context CO,
krb5_auth_context * pACO,
krb5_const krb5_flags F,
krb5_data * pD1,
krb5_creds * pC,
krb5_data * pD2)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_mk_req_extended )
return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_auth_con_init(krb5_context CO,
krb5_auth_context * pACO)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_auth_con_init )
return(p_krb5_auth_con_init(CO,pACO));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_auth_con_free (krb5_context CO,
krb5_auth_context ACO)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_auth_con_free )
return(p_krb5_auth_con_free(CO,ACO));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_get_credentials(krb5_context CO,
krb5_const krb5_flags F,
krb5_ccache CC,
krb5_creds * pCR,
krb5_creds ** ppCR)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_get_credentials )
return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_sname_to_principal(krb5_context CO,
krb5_const char * pC1,
krb5_const char * pC2,
krb5_int32 I,
krb5_principal * pPR)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_sname_to_principal )
return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_cc_default(krb5_context CO,
krb5_ccache * pCC)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_cc_default )
return(p_krb5_cc_default(CO,pCC));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_init_context(krb5_context * pCO)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_init_context )
return(p_krb5_init_context(pCO));
else
return KRB5KRB_ERR_GENERIC;
}
void
kssl_krb5_free_context(krb5_context CO)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_free_context )
p_krb5_free_context(CO);
}
void
kssl_krb5_free_principal(krb5_context c, krb5_principal p)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_free_principal )
p_krb5_free_principal(c,p);
}
krb5_error_code
kssl_krb5_kt_resolve(krb5_context con,
krb5_const char * sz,
krb5_keytab * kt)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_kt_resolve )
return(p_krb5_kt_resolve(con,sz,kt));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_kt_default(krb5_context con,
krb5_keytab * kt)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_kt_default )
return(p_krb5_kt_default(con,kt));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_free_ticket(krb5_context con,
krb5_ticket * kt)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_free_ticket )
return(p_krb5_free_ticket(con,kt));
else
return KRB5KRB_ERR_GENERIC;
}
krb5_error_code
kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon,
krb5_const krb5_data * data,
krb5_const_principal princ, krb5_keytab keytab,
krb5_flags * flags, krb5_ticket ** pptkt)
{
if (!krb5_loaded)
load_krb5_dll();
if ( p_krb5_rd_req )
return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt));
else
return KRB5KRB_ERR_GENERIC;
}
/* Structure definitions */
#ifndef NO_DEF_KRB5_CCACHE
#ifndef krb5_x
#define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1))
#define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0))
#endif
typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */
typedef struct _krb5_ccache
{
krb5_magic magic;
struct _krb5_cc_ops FAR *ops;
krb5_pointer data;
} *krb5_ccache;
typedef struct _krb5_cc_ops
{
krb5_magic magic;
char *prefix;
char * (KRB5_CALLCONV *get_name) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
krb5_error_code (KRB5_CALLCONV *resolve) KRB5_NPROTOTYPE((krb5_context, krb5_ccache *,
const char *));
krb5_error_code (KRB5_CALLCONV *gen_new) KRB5_NPROTOTYPE((krb5_context, krb5_ccache *));
krb5_error_code (KRB5_CALLCONV *init) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_principal));
krb5_error_code (KRB5_CALLCONV *destroy) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
krb5_error_code (KRB5_CALLCONV *close) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
krb5_error_code (KRB5_CALLCONV *store) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_creds *));
krb5_error_code (KRB5_CALLCONV *retrieve) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_flags, krb5_creds *,
krb5_creds *));
krb5_error_code (KRB5_CALLCONV *get_princ) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_principal *));
krb5_error_code (KRB5_CALLCONV *get_first) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_cc_cursor *));
krb5_error_code (KRB5_CALLCONV *get_next) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_cc_cursor *, krb5_creds *));
krb5_error_code (KRB5_CALLCONV *end_get) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_cc_cursor *));
krb5_error_code (KRB5_CALLCONV *remove_cred) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_flags, krb5_creds *));
krb5_error_code (KRB5_CALLCONV *set_flags) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_flags));
} krb5_cc_ops;
#endif /* NO_DEF_KRB5_CCACHE */
krb5_error_code
kssl_krb5_cc_get_principal
(krb5_context context, krb5_ccache cache,
krb5_principal *principal)
{
if ( p_krb5_cc_get_principal )
return(p_krb5_cc_get_principal(context,cache,principal));
else
return(krb5_x ((cache)->ops->get_princ,(context, cache, principal)));
}
#endif /* WINDOWS || WIN32 */
char
*kstring(char *string)
{
@ -88,7 +494,7 @@ char
}
return (buf);
}
}
/* Set kssl_err error info when reason text is a simple string
@ -147,7 +553,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata)
printf("\n");
}
#endif
}
}
/* Display contents of krb5_keyblock struct, for debugging
@ -162,12 +568,21 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
printf("%s, keyblk==0\n", label);
return;
}
#ifdef KRB5_HEIMDAL
printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype, keyblk->keyvalue->length);
for (i=0; i < keyblk->keyvalue->length; i++)
{
printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
}
printf("\n");
#else
printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
for (i=0; i < keyblk->length; i++)
{
printf("%02x",keyblk->contents[i]);
}
printf("\n");
#endif
}
@ -179,7 +594,7 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
krb5_error_code
kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
/* OUT */ krb5_data *krb5_app_req, KSSL_ERR *kssl_err)
{
{
krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
krb5_context krb5context = NULL;
krb5_auth_context krb5auth_context = NULL;
@ -259,11 +674,19 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
"krb5_mk_req_extended() fails.\n");
goto err;
}
#ifdef KRB5_HEIMDAL
else if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session))
{
kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
"kssl_ctx_setkey() fails.\n");
}
#else
else if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock))
{
kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
"kssl_ctx_setkey() fails.\n");
}
#endif
else krb5rc = 0;
err:
@ -276,7 +699,7 @@ kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
if (krb5auth_context) krb5_auth_con_free(krb5context, krb5auth_context);
if (krb5context) krb5_free_context(krb5context);
return (krb5rc);
}
}
/* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
@ -343,15 +766,29 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
goto err;
}
if (kssl_ctx->keytab_file &&
((krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
&krb5keytab))))
{
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, "krb5_kt_resolve() fails.\n");
goto err;
}
/* kssl_ctx->keytab_file == NULL ==> use Kerberos default /etc/krb5.keytab
/* kssl_ctx->keytab_file == NULL ==> use Kerberos default
*/
if (kssl_ctx->keytab_file)
{
krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
&krb5keytab);
if (krb5c)
{
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
"krb5_kt_resolve() fails.\n");
goto err;
}
}
else
{
krb5rc = krb5_kt_default(krb5context,&krb5keytab);
if (krb5rc)
{
kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
"krb5_kt_default() fails.\n");
goto err;
}
}
/* Actual Kerberos5 krb5_recvauth() has initial conversation here
** o check KRB5_SENDAUTH_BADAUTHVERS unless KRB5_RECVAUTH_SKIP_VERSION
@ -362,8 +799,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
krb5in_data.data = msg;
krb5in_data.length = msglen;
if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, &krb5in_data,
krb5server, krb5keytab, &ap_option, &krb5ticket))
!= 0)
krb5server, krb5keytab, &ap_option, &krb5ticket)) != 0)
{
BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
"krb5_rd_req() fails with %x.\n", krb5rc);
@ -399,6 +835,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
if (krb5keytab) krb5_kt_close(krb5context, krb5keytab);
if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket);
if (krb5server) krb5_free_principal(krb5context, krb5server);
return (krb5rc);
@ -456,7 +893,8 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
if (*princ) free(*princ);
length = entity->length + ((realm)? realm->length + 2: 1);
if ((*princ = calloc(1, length)) == NULL) return KSSL_CTX_ERR;
if ((*princ = calloc(1, length)) == NULL)
return KSSL_CTX_ERR;
else
{
strncpy(*princ, entity->data, entity->length);
@ -473,8 +911,8 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
/* Set one of the plain (char *) string members of the kssl_ctx struct.
** Default values should be:
** which == KSSL_SERVICE => "kssl" (KRB5SVC)
** which == KSSL_KEYTAB => "/etc/krb5.keytab.kssl" (KRB5KEYTAB)
** which == KSSL_SERVICE => "khost" (KRB5SVC)
** which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB)
*/
krb5_error_code
kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
@ -499,8 +937,10 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
return KSSL_CTX_OK;
}
if ((*string = calloc(1, strlen(text) + 1)) == NULL) return KSSL_CTX_ERR;
else strcpy(*string, text);
if ((*string = calloc(1, strlen(text) + 1)) == NULL)
return KSSL_CTX_ERR;
else
strcpy(*string, text);
return KSSL_CTX_OK;
}
@ -538,7 +978,8 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
kssl_ctx->length = 0;
return KSSL_CTX_ERR;
}
else memcpy(kssl_ctx->key, session->contents, session->length);
else
memcpy(kssl_ctx->key, session->contents, session->length);
return KSSL_CTX_OK;
}
@ -557,7 +998,8 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
printf("NULL\n");
return;
}
else printf("%p\n", kssl_ctx);
else
printf("%p\n", kssl_ctx);
printf("\tservice:\t%s\n",
(kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
@ -578,5 +1020,15 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
return;
}
void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
{
#ifdef KRB5_HEIMDAL
data->length = 0;
free(data->if (data->data) data);
#else
krb5_free_data_contents(NULL, data);
#endif
}
#endif /* NO_KRB5 */

21
ssl/kssl.h
View File

@ -73,6 +73,15 @@
extern "C" {
#endif
/*
** Depending on which KRB5 implementation used, some types from
** the other may be missing. Resolve that here and now
*/
#ifdef KRB5_HEIMDAL
typedef unsigned char krb5_octet;
#define FAR
#endif
/* Uncomment this to debug kssl problems or
** to trace usage of the Kerberos session key
**
@ -106,6 +115,7 @@ typedef struct kssl_ctx_st
char *service_host; /* C input, REQUIRED */
char *client_princ; /* S output from krb5 ticket */
char *keytab_file; /* S NULL (/etc/krb5.keytab) */
char *cred_cache; /* C NULL (default) */
krb5_enctype enctype;
int length;
krb5_octet FAR *key;
@ -121,6 +131,7 @@ typedef struct kssl_ctx_st
#define KSSL_NOMEM 2
/* Private (internal to OpenSSL) */
void print_krb5_data(char *label, krb5_data *kdata);
void print_krb5_authdata(char *label, krb5_authdata **adata);
void print_krb5_keyblock(char *label, krb5_keyblock *keyblk);
@ -129,20 +140,20 @@ char *kstring(char *string);
char *knumber(int len, krb5_octet *contents);
void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
/* Public (for use by applications that use OpenSSL with Kerberos 5 support */
krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
KSSL_CTX *kssl_ctx_new(void);
KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
void kssl_ctx_show(KSSL_CTX *kssl_ctx);
krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
krb5_data *realm, krb5_data *entity);
krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data *ap_req,
KSSL_ERR *kssl_err);
krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, char *msg, int msglen,
KSSL_ERR *kssl_err);
krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data);
#ifdef __cplusplus
}

138
ssl/s3_clnt.c
View File

@ -65,6 +65,10 @@
#include <openssl/evp.h>
#include "ssl_locl.h"
#ifndef NO_KRB5
#include "kssl.h"
#endif
static SSL_METHOD *ssl3_get_client_method(int ver);
static int ssl3_client_hello(SSL *s);
static int ssl3_get_server_hello(SSL *s);
@ -687,6 +691,7 @@ static int ssl3_get_server_certificate(SSL *s)
STACK_OF(X509) *sk=NULL;
SESS_CERT *sc;
EVP_PKEY *pkey=NULL;
int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
n=ssl3_get_message(s,
SSL3_ST_CR_CERT_A,
@ -782,10 +787,23 @@ static int ssl3_get_server_certificate(SSL *s)
* certificate, which we don't include in s3_srvr.c */
x=sk_X509_value(sk,0);
sk=NULL;
/* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end */
pkey=X509_get_pubkey(x);
if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
/* VRS: allow null cert if auth == KRB5 */
need_cert =
((s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
== (SSL_aKRB5|SSL_kKRB5))? 0: 1;
#ifdef KSSL_DEBUG
printf("pkey,x = %p, %p\n", pkey,x);
printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
s->s3->tmp.new_cipher->algorithms, need_cert);
#endif /* KSSL_DEBUG */
if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
{
x=NULL;
al=SSL3_AL_FATAL;
@ -794,7 +812,7 @@ static int ssl3_get_server_certificate(SSL *s)
}
i=ssl_cert_type(x,pkey);
if (i < 0)
if (need_cert && i < 0)
{
x=NULL;
al=SSL3_AL_FATAL;
@ -802,19 +820,31 @@ static int ssl3_get_server_certificate(SSL *s)
goto f_err;
}
sc->peer_cert_type=i;
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen?
* We just created sc a couple of
* lines ago. */
X509_free(sc->peer_pkeys[i].x509);
sc->peer_pkeys[i].x509=x;
sc->peer_key= &(sc->peer_pkeys[i]);
if (need_cert)
{
sc->peer_cert_type=i;
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
/* Why would the following ever happen?
* We just created sc a couple of lines ago. */
if (sc->peer_pkeys[i].x509 != NULL)
X509_free(sc->peer_pkeys[i].x509);
sc->peer_pkeys[i].x509=x;
sc->peer_key= &(sc->peer_pkeys[i]);
if (s->session->peer != NULL)
X509_free(s->session->peer);
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
s->session->peer=x;
if (s->session->peer != NULL)
X509_free(s->session->peer);
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
s->session->peer=x;
}
else
{
sc->peer_cert_type=i;
sc->peer_key= NULL;
if (s->session->peer != NULL)
X509_free(s->session->peer);
s->session->peer=NULL;
}
s->session->verify_result = s->verify_result;
x=NULL;
@ -1322,6 +1352,9 @@ static int ssl3_send_client_key_exchange(SSL *s)
unsigned char *q;
EVP_PKEY *pkey=NULL;
#endif
#ifndef NO_KRB5
KSSL_ERR kssl_err;
#endif /* NO_KRB5 */
if (s->state == SSL3_ST_CW_KEY_EXCH_A)
{
@ -1330,8 +1363,10 @@ static int ssl3_send_client_key_exchange(SSL *s)
l=s->s3->tmp.new_cipher->algorithms;
/* Fool emacs indentation */
if (0) {}
#ifndef NO_RSA
if (l & SSL_kRSA)
else if (l & SSL_kRSA)
{
RSA *rsa;
unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@ -1388,10 +1423,75 @@ static int ssl3_send_client_key_exchange(SSL *s)
tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
}
else
#endif
#ifndef NO_KRB5
else if (l & SSL_kKRB5)
{
krb5_error_code krb5rc;
KSSL_CTX *kssl_ctx = s->kssl_ctx;
krb5_data krb5_ap_req;
#ifdef KSSL_DEBUG
printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
l, SSL_kKRB5);
#endif /* KSSL_DEBUG */
/*
** Tried to send random tmp_buf[] as PMS in Kerberos ticket
** by passing krb5_mk_req_extended(ctx,authctx,opts, tmp_buf, ...)
** but: I can't retrieve the PMS on the other side! There is
** some indication in the krb5 source that this is only used
** to generate a checksum. OTOH, the Tung book shows data
** ("GET widget01.txt") being passed in krb5_mk_req_extended()
** by way of krb5_sendauth(). I don't get it.
** Until Kerberos goes 3DES, the big PMS secret would only be
** encrypted in 1-DES anyway. So losing the PMS shouldn't be
** a big deal.
*/
krb5rc = kssl_cget_tkt(kssl_ctx, &krb5_ap_req,
&kssl_err);
#ifdef KSSL_DEBUG
{
printf("kssl_cget_tkt rtn %d\n", krb5rc);
kssl_ctx_show(kssl_ctx);
if (krb5rc && kssl_err.text)
printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
}
#endif /* KSSL_DEBUG */
if (krb5rc)
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason);
goto err;
}
/* Send ticket (copy to *p, set n = length)
*/
n = krb5_ap_req.length;
memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
if (krb5_ap_req.data)
kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
/* 19991013 VRS - 3DES is kind of bogus here,
** at least until Kerberos supports 3DES. The only
** real secret is the 8-byte Kerberos session key;
** the other key material ((s->) client_random, server_random)
** could be sniffed. Mixing in these nonces should help
** protect against replay attacks, however.
**
** Alternate code for Kerberos Purists:
**
** memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length);
** s->session->master_key_length = kssl_ctx->length;
*/
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, kssl_ctx->key,kssl_ctx->length);
}
#endif
#ifndef NO_DH
if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
DH *dh_srvr,*dh_clnt;
@ -1445,8 +1545,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
/* perhaps clean things up a bit EAY EAY EAY EAY*/
}
else
#endif
else
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
@ -1641,7 +1741,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
algs=s->s3->tmp.new_cipher->algorithms;
/* we don't have a certificate */
if (algs & (SSL_aDH|SSL_aNULL))
if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
return(1);
#ifndef NO_RSA

99
ssl/s3_lib.c
View File

@ -473,6 +473,95 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
#ifndef NO_KRB5
/* The Kerberos ciphers
** 20000107 VRS: And the first shall be last,
** in hopes of avoiding the lynx ssl renegotiation problem.
*/
/* Cipher 21 VRS */
{
1,
SSL3_TXT_KRB5_DES_40_CBC_SHA,
SSL3_CK_KRB5_DES_40_CBC_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 22 VRS */
{
1,
SSL3_TXT_KRB5_DES_40_CBC_MD5,
SSL3_CK_KRB5_DES_40_CBC_MD5,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 23 VRS */
{
1,
SSL3_TXT_KRB5_DES_64_CBC_SHA,
SSL3_CK_KRB5_DES_64_CBC_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 24 VRS */
{
1,
SSL3_TXT_KRB5_DES_64_CBC_MD5,
SSL3_CK_KRB5_DES_64_CBC_MD5,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 25 VRS */
{
1,
SSL3_TXT_KRB5_DES_192_CBC3_SHA,
SSL3_CK_KRB5_DES_192_CBC3_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
112,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 26 VRS */
{
1,
SSL3_TXT_KRB5_DES_192_CBC3_MD5,
SSL3_CK_KRB5_DES_192_CBC3_MD5,
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
112,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif /* NO_KRB5 */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
/* New TLS Export CipherSuites */
/* Cipher 60 */
@ -1076,10 +1165,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
#ifdef CIPHER_DEBUG
printf("Have:\n");
for(i=0 ; i < sk_num(pref) ; ++i)
printf("Have %d from %p:\n", sk_SSL_CIPHER_num(pref), pref);
for(i=0 ; i < sk_SSL_CIPHER_num(pref) ; ++i)
{
c=(SSL_CIPHER *)sk_value(pref,i);
c=sk_SSL_CIPHER_value(pref,i);
printf("%p:%s\n",c,c->name);
}
#endif
@ -1092,6 +1181,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
mask=cert->mask;
emask=cert->export_mask;
#ifdef KSSL_DEBUG
printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
#endif /* KSSL_DEBUG */
alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
if (SSL_C_IS_EXPORT(c))
{

66
ssl/s3_srvr.c
View File

@ -70,6 +70,10 @@
#include <openssl/x509.h>
#include "ssl_locl.h"
#ifndef NO_KRB5
#include "kssl.h"
#endif /* NO_KRB5 */
static SSL_METHOD *ssl3_get_server_method(int ver);
static int ssl3_get_client_hello(SSL *s);
static int ssl3_check_client_hello(SSL *s);
@ -262,7 +266,11 @@ int ssl3_accept(SSL *s)
/* clear this, it may get reset by
* send_server_key_exchange */
if (s->options & SSL_OP_EPHEMERAL_RSA)
if ((s->options & SSL_OP_EPHEMERAL_RSA)
#ifndef NO_KRB5
&& !(l & SSL_KRB5)
#endif /* NO_KRB5 */
)
s->s3->tmp.use_rsa_tmp=1;
else
s->s3->tmp.use_rsa_tmp=0;
@ -1257,6 +1265,9 @@ static int ssl3_get_client_key_exchange(SSL *s)
BIGNUM *pub=NULL;
DH *dh_srvr;
#endif
#ifndef NO_KRB5
KSSL_ERR kssl_err;
#endif /* NO_KRB5 */
n=ssl3_get_message(s,
SSL3_ST_SR_KEY_EXCH_A,
@ -1417,6 +1428,53 @@ static int ssl3_get_client_key_exchange(SSL *s)
}
else
#endif
#ifndef NO_KRB5
if (l & SSL_kKRB5)
{
krb5_error_code krb5rc;
KSSL_CTX *kssl_ctx = s->kssl_ctx;
if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
if ((krb5rc = kssl_sget_tkt(kssl_ctx,
s->init_buf->data, s->init_buf->length,
&kssl_err)) != 0)
{
#ifdef KSSL_DEBUG
printf("kssl_sget_tkt rtn %d [%d]\n",
krb5rc, kssl_err.reason);
if (kssl_err.text)
printf("kssl_err text= %s\n", kssl_err.text);
#endif /* KSSL_DEBUG */
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
kssl_err.reason);
goto err;
}
#ifdef KSSL_DEBUG
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
/* 19991013 VRS - 3DES is kind of bogus here,
** at least until Kerberos supports 3DES. The only
** real secret is the 8-byte Kerberos session key;
** the other key material (client_random, server_random)
** could be sniffed. Nonces may help against replays though.
**
** Alternate code for Kerberos Purists:
**
** memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length);
** s->session->master_key_length = kssl_ctx->length;
*/
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, kssl_ctx->key, kssl_ctx->length);
/* Was doing kssl_ctx_free() here, but it caused problems for apache.
** kssl_ctx = kssl_ctx_free(kssl_ctx);
** if (s->kssl_ctx) s->kssl_ctx = NULL;
*/
}
else
#endif /* NO_KRB5 */
{
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
@ -1737,7 +1795,11 @@ int ssl3_send_server_certificate(SSL *s)
if (s->state == SSL3_ST_SW_CERT_A)
{
x=ssl_get_server_send_cert(s);
if (x == NULL)
if (x == NULL &&
/* VRS: allow null cert if auth == KRB5 */
(s->s3->tmp.new_cipher->algorithms
& (SSL_MKEY_MASK|SSL_AUTH_MASK))
!= (SSL_aKRB5|SSL_kKRB5))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
return(0);

20
ssl/ssl.h
View File

@ -68,6 +68,9 @@
#ifndef NO_X509
#include <openssl/x509.h>
#endif
#ifndef NO_KRB5
#include <openssl/kssl.h>
#endif
#include <openssl/safestack.h>
#ifdef __cplusplus
@ -92,6 +95,15 @@ extern "C" {
#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
/* VRS Additional Kerberos5 entries
*/
#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
#define SSL_MAX_SID_CTX_LENGTH 32
@ -112,6 +124,10 @@ extern "C" {
#define SSL_TXT_eNULL "eNULL"
#define SSL_TXT_NULL "NULL"
#define SSL_TXT_kKRB5 "kKRB5"
#define SSL_TXT_aKRB5 "aKRB5"
#define SSL_TXT_KRB5 "KRB5"
#define SSL_TXT_kRSA "kRSA"
#define SSL_TXT_kDHr "kDHr"
#define SSL_TXT_kDHd "kDHd"
@ -655,6 +671,10 @@ struct ssl_st
int error; /* error bytes to be written */
int error_code; /* actual code */
#ifndef NO_KRB5
KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
#endif /* NO_KRB5 */
SSL_CTX *ctx;
/* set this flag to 1 and a sleep(1) is put into all SSL_read()
* and SSL_write() calls, good for nbio debuging :-) */

16
ssl/ssl3.h
View File

@ -105,6 +105,22 @@ extern "C" {
#define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
#define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
/* VRS Additional Kerberos5 entries
*/
#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000021
#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000022
#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x03000023
#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000024
#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x03000025
#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000026
#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"

30
ssl/ssl_ciph.c
View File

@ -100,6 +100,7 @@ typedef struct cipher_order_st
static const SSL_CIPHER cipher_aliases[]={
/* Don't include eNULL unless specifically enabled */
{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
{0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
@ -108,6 +109,7 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
{0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */
{0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
@ -128,6 +130,7 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
@ -291,6 +294,9 @@ static unsigned long ssl_cipher_get_disabled(void)
#ifdef NO_DH
mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
#endif
#ifdef NO_KRB5
mask |= SSL_kKRB5|SSL_aKRB5;
#endif
#ifdef SSL_FORBID_ENULL
mask |= SSL_eNULL;
@ -336,6 +342,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
list[list_num].prev = NULL;
list[list_num].active = 0;
list_num++;
#ifdef KSSL_DEBUG
printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
#endif /* KSSL_DEBUG */
/*
if (!sk_push(ca_list,(char *)c)) goto err;
*/
@ -738,6 +747,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* it is used for allocation.
*/
num_of_ciphers = ssl_method->num_ciphers();
#ifdef KSSL_DEBUG
printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
#endif /* KSSL_DEBUG */
list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
if (list == NULL)
{
@ -872,8 +884,12 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
char *ver,*exp;
char *kx,*au,*enc,*mac;
unsigned long alg,alg2,alg_s;
#ifdef KSSL_DEBUG
static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
#else
static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
#endif /* KSSL_DEBUG */
alg=cipher->algorithms;
alg_s=cipher->algo_strength;
alg2=cipher->algorithm2;
@ -901,6 +917,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
case SSL_kDHd:
kx="DH/DSS";
break;
case SSL_kKRB5: /* VRS */
case SSL_KRB5: /* VRS */
kx="KRB5";
break;
case SSL_kFZA:
kx="Fortezza";
break;
@ -922,6 +942,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
case SSL_aDH:
au="DH";
break;
case SSL_aKRB5: /* VRS */
case SSL_KRB5: /* VRS */
au="KRB5";
break;
case SSL_aFZA:
case SSL_aNULL:
au="None";
@ -982,7 +1006,11 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
else if (len < 128)
return("Buffer too small");
#ifdef KSSL_DEBUG
BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg);
#else
BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp);
#endif /* KSSL_DEBUG */
return(buf);
}

14
ssl/ssl_lib.c
View File

@ -191,6 +191,10 @@ SSL *SSL_new(SSL_CTX *ctx)
if (s == NULL) goto err;
memset(s,0,sizeof(SSL));
#ifndef NO_KRB5
s->kssl_ctx = kssl_ctx_new();
#endif /* NO_KRB5 */
if (ctx->cert != NULL)
{
/* Earlier library versions used to copy the pointer to
@ -1383,6 +1387,11 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
mask|=SSL_aNULL;
emask|=SSL_aNULL;
#ifndef NO_KRB5
mask|=SSL_kKRB5|SSL_aKRB5;
emask|=SSL_kKRB5|SSL_aKRB5;
#endif
c->mask=mask;
c->export_mask=emask;
c->valid=1;
@ -1415,6 +1424,11 @@ X509 *ssl_get_server_send_cert(SSL *s)
else
i=SSL_PKEY_RSA_ENC;
}
else if (kalg & SSL_aKRB5)
{
/* VRS something else here? */
return(NULL);
}
else /* if (kalg & SSL_aNULL) */
{
SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,SSL_R_INTERNAL_ERROR);

47
ssl/ssl_locl.h
View File

@ -168,48 +168,51 @@
* that the different entities within are mutually exclusive:
* ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
*/
#define SSL_MKEY_MASK 0x0000001FL
#define SSL_MKEY_MASK 0x0000003FL
#define SSL_kRSA 0x00000001L /* RSA key exchange */
#define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */
#define SSL_kDHd 0x00000004L /* DH cert DSA CA cert */
#define SSL_kFZA 0x00000008L
#define SSL_kEDH 0x00000010L /* tmp DH key no DH cert */
#define SSL_kKRB5 0x00000020L /* Kerberos5 key exchange */
#define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
#define SSL_AUTH_MASK 0x000003e0L
#define SSL_aRSA 0x00000020L /* Authenticate with RSA */
#define SSL_aDSS 0x00000040L /* Authenticate with DSS */
#define SSL_AUTH_MASK 0x00000FC0L
#define SSL_aRSA 0x00000040L /* Authenticate with RSA */
#define SSL_aDSS 0x00000080L /* Authenticate with DSS */
#define SSL_DSS SSL_aDSS
#define SSL_aFZA 0x00000080L
#define SSL_aNULL 0x00000100L /* no Authenticate, ADH */
#define SSL_aDH 0x00000200L /* no Authenticate, ADH */
#define SSL_aFZA 0x00000100L
#define SSL_aNULL 0x00000200L /* no Authenticate, ADH */
#define SSL_aDH 0x00000400L /* no Authenticate, ADH */
#define SSL_aKRB5 0x00000800L /* Authenticate with KRB5 */
#define SSL_NULL (SSL_eNULL)
#define SSL_ADH (SSL_kEDH|SSL_aNULL)
#define SSL_RSA (SSL_kRSA|SSL_aRSA)
#define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH)
#define SSL_FZA (SSL_aFZA|SSL_kFZA|SSL_eFZA)
#define SSL_KRB5 (SSL_kKRB5|SSL_aKRB5)
#define SSL_ENC_MASK 0x0001Fc00L
#define SSL_DES 0x00000400L
#define SSL_3DES 0x00000800L
#define SSL_RC4 0x00001000L
#define SSL_RC2 0x00002000L
#define SSL_IDEA 0x00004000L
#define SSL_eFZA 0x00008000L
#define SSL_eNULL 0x00010000L
#define SSL_ENC_MASK 0x0007F000L
#define SSL_DES 0x00001000L
#define SSL_3DES 0x00002000L
#define SSL_RC4 0x00004000L
#define SSL_RC2 0x00008000L
#define SSL_IDEA 0x00010000L
#define SSL_eFZA 0x00020000L
#define SSL_eNULL 0x00040000L
#define SSL_MAC_MASK 0x00060000L
#define SSL_MD5 0x00020000L
#define SSL_SHA1 0x00040000L
#define SSL_MAC_MASK 0x00180000L
#define SSL_MD5 0x00080000L
#define SSL_SHA1 0x00100000L
#define SSL_SHA (SSL_SHA1)
#define SSL_SSL_MASK 0x00180000L
#define SSL_SSLV2 0x00080000L
#define SSL_SSLV3 0x00100000L
#define SSL_SSL_MASK 0x00600000L
#define SSL_SSLV2 0x00200000L
#define SSL_SSLV3 0x00400000L
#define SSL_TLSV1 SSL_SSLV3 /* for now */
/* we have used 001fffff - 11 bits left to go */
/* we have used 007fffff - 9 bits left to go */
/*
* Export and cipher strength information. For each cipher we have to decide

14
ssl/ssltest.c
View File

@ -74,6 +74,7 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#ifdef WINDOWS
#include <winsock.h>
#include "../crypto/bio/bss_file.c"
#endif
@ -517,6 +518,19 @@ bad:
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
#ifndef NO_KRB5
if (c_ssl && c_ssl->kssl_ctx)
{
char localhost[257];
if (gethostname(localhost, 256) == 0)
{
kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
localhost);
}
}
#endif /* NO_KRB5 */
for (i=0; i<number; i++)
{
if (!reuse) SSL_set_session(c_ssl,NULL);

78
ssl/t1_enc.c
View File

@ -148,6 +148,17 @@ static void tls1_generate_key_block(SSL *s, unsigned char *km,
tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
s->session->master_key,s->session->master_key_length,
km,tmp,num);
#ifdef KSSL_DEBUG
printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
s->session->master_key_length);
{
int i;
for (i=0; i < s->session->master_key_length; i++)
{
printf("%02X", s->session->master_key[i]);
}
printf("\n"); }
#endif /* KSSL_DEBUG */
}
int tls1_change_cipher_state(SSL *s, int which)
@ -174,6 +185,21 @@ int tls1_change_cipher_state(SSL *s, int which)
comp=s->s3->tmp.new_compression;
key_block=s->s3->tmp.key_block;
#ifdef KSSL_DEBUG
printf("tls1_change_cipher_state(which= %d) w/\n", which);
printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
comp);
printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
c->nid,c->block_size,c->key_len,c->iv_len);
printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
{
int i;
for (i=0; i<s->s3->tmp.key_block_length; i++)
printf("%02x", key_block[i]); printf("\n");
}
#endif /* KSSL_DEBUG */
if (which & SSL3_CC_READ)
{
if ((s->enc_read_ctx == NULL) &&
@ -309,6 +335,16 @@ printf("which = %04X\nmac key=",which);
}
s->session->key_arg_length=0;
#ifdef KSSL_DEBUG
{
int i;
printf("EVP_CipherInit(dd,c,key=,iv=,which)\n");
printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
printf("\n");
printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
printf("\n");
}
#endif /* KSSL_DEBUG */
EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
#ifdef TLS_DEBUG
@ -338,6 +374,10 @@ int tls1_setup_key_block(SSL *s)
int num;
SSL_COMP *comp;
#ifdef KSSL_DEBUG
printf ("tls1_setup_key_block()\n");
#endif /* KSSL_DEBUG */
if (s->s3->tmp.key_block_length != 0)
return(1);
@ -417,6 +457,10 @@ int tls1_enc(SSL *s, int send)
enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
}
#ifdef KSSL_DEBUG
printf("tls1_enc(%d)\n", send);
#endif /* KSSL_DEBUG */
if ((s->session == NULL) || (ds == NULL) ||
(enc == NULL))
{
@ -447,8 +491,35 @@ int tls1_enc(SSL *s, int send)
rec->length+=i;
}
#ifdef KSSL_DEBUG
{
unsigned long i;
printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
ds,rec->data,rec->input,l);
printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
ds->buf_len, ds->cipher->key_len,
DES_KEY_SZ, DES_SCHEDULE_SZ,
ds->cipher->iv_len);
printf("\t\tIV: ");
for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
printf("\n");
printf("\trec->input=");
for (i=0; i<l; i++) printf(" %02x", rec->input[i]);
printf("\n");
}
#endif /* KSSL_DEBUG */
EVP_Cipher(ds,rec->data,rec->input,l);
#ifdef KSSL_DEBUG
{
unsigned long i;
printf("\trec->data=");
for (i=0; i<l; i++)
printf(" %02x", rec->data[i]); printf("\n");
}
#endif /* KSSL_DEBUG */
if ((bs != 1) && !send)
{
ii=i=rec->data[l-1];
@ -586,6 +657,10 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
#ifdef KSSL_DEBUG
printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
#endif /* KSSL_DEBUG */
/* Setup the stuff to munge */
memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
TLS_MD_MASTER_SECRET_CONST_SIZE);
@ -596,6 +671,9 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
tls1_PRF(s->ctx->md5,s->ctx->sha1,
buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
#ifdef KSSL_DEBUG
printf ("tls1_generate_master_secret() complete\n");
#endif /* KSSL_DEBUG */
return(SSL3_MASTER_SECRET_SIZE);
}

36
test/Makefile.ssl
View File

@ -5,7 +5,7 @@
DIR= test
TOP= ..
CC= cc
INCLUDES= -I../include
INCLUDES= -I../include $(KRB5_INCLUDES)
CFLAG= -g
INSTALL_PREFIX=
OPENSSLDIR= /usr/local/ssl
@ -328,7 +328,7 @@ $(METHTEST): $(METHTEST).o $(DLIBCRYPTO)
$(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
$(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS)
$(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO)
$(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
@ -445,19 +445,19 @@ ssltest.o: ../include/openssl/des.h ../include/openssl/dh.h
ssltest.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
ssltest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
ssltest.o: ../include/openssl/evp.h ../include/openssl/idea.h
ssltest.o: ../include/openssl/lhash.h ../include/openssl/md2.h
ssltest.o: ../include/openssl/md4.h ../include/openssl/md5.h
ssltest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
ssltest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
ssltest.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
ssltest.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
ssltest.o: ../include/openssl/rand.h ../include/openssl/rc2.h
ssltest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
ssltest.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
ssltest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
ssltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h
ssltest.o: ../include/openssl/x509_vfy.h
ssltest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
ssltest.o: ../include/openssl/md2.h ../include/openssl/md4.h
ssltest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
ssltest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
ssltest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
ssltest.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
ssltest.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h
ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h