Commit Graph

46 Commits

Author SHA1 Message Date
Rich Salz
df8ef5f31a RT 1229; typo in comment "dont't"->"don't" 2014-07-01 13:02:57 -04:00
Ben Laurie
71fa451343 Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
Dr. Stephen Henson
4f7a2ab8b1 make kerberos work with OPENSSL_NO_SSL_INTERN 2011-05-11 22:50:18 +00:00
Dr. Stephen Henson
cca1cd9a34 Submitted by: Tomas Hoger <thoger@redhat.com>
Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
2010-03-03 15:41:18 +00:00
Dr. Stephen Henson
ef236ec3b2 Merge from 1.0.0-stable branch. 2009-04-23 16:32:42 +00:00
Dr. Stephen Henson
8711efb498 Updates from 1.0.0-stable branch. 2009-04-20 11:33:12 +00:00
Dr. Stephen Henson
477fd4596f PR: 1835
Submitted by: Damien Miller <djm@mindrot.org>
Approved by: steve@openssl.org

Fix various typos.
2009-02-14 21:49:38 +00:00
Nils Larsch
15780a1ea0 use user-supplied malloc functions for persistent kssl objects
PR: 1467
Submitted by: Andrei Pelinescu-Onciul <andrei@iptel.org>
2007-02-10 10:42:48 +00:00
Geoff Thorpe
05fc7018f8 Fix PEDANTIC compilation, using the same trick as elsewhere. 2005-07-26 04:05:03 +00:00
Andy Polyakov
83e68987b3 Eliminate dependency on UNICODE macro. 2005-06-27 21:27:23 +00:00
Richard Levitte
fbd63d0784 Do not undefine _XOPEN_SOURCE. This is currently experimental, and
will be firmed up as soon as it's been verified not to break anything.
2005-06-16 22:20:55 +00:00
Richard Levitte
fe8bf9560d When _XOPEN_SOURCE is defined, make sure it's defined to 500. Required in
http://www.opengroup.org/onlinepubs/007908799/xsh/compilation.html.

Notified by David Wolfe <dwolfe5272@yahoo.com>
2005-05-21 17:39:43 +00:00
Dr. Stephen Henson
384dba6edb Make kerberos ciphersuite code compile again.
Avoid more shadow warnings.
2005-04-20 21:48:48 +00:00
Dr. Stephen Henson
0858b71b41 Make kerberos ciphersuite code work with newer header files 2005-04-09 23:55:55 +00:00
Dr. Stephen Henson
4e8172d6da Avoid warnings. 2004-03-16 13:51:11 +00:00
Richard Levitte
253e893c2b Include the instance in the Kerberos ticket information.
In s_server, print the received Kerberos information.
PR: 693
2003-09-27 17:55:13 +00:00
Richard Levitte
c4d00669a0 Let's limit the extent of the definition of _XOPEN_SOURCE. 2003-03-25 21:17:28 +00:00
Lutz Jänicke
ea8e0cc7c2 Some more adjustments
Submitted by: Jeffrey Altman <jaltman@columbia.edu>, "Kenneth R. Robinette" <support@securenetterm.com>
2002-12-24 21:55:57 +00:00
Lutz Jänicke
1004c99c29 Fix Kerberos5/SSL interaction
Submitted by: "Kenneth R. Robinette" <support@securenetterm.com>
Reviewed by:
PR:
2002-12-20 12:48:00 +00:00
Richard Levitte
4579924b7e Cleanse memory using the new OPENSSL_cleanse() function.
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:04:36 +00:00
Ben Laurie
54a656ef08 Security fixes brought forward from 0.9.7. 2002-11-13 15:43:43 +00:00
Dr. Stephen Henson
611ba3f4a1 Initialize ciph_ctx in kssl.c 2002-03-19 01:28:00 +00:00
Dr. Stephen Henson
497810cae7 Undo previous patch: avoid warnings by #undef'ing
duplicate definitions.

Suggested by "Kenneth R. Robinette" <support@securenetterm.com>
2002-03-13 13:59:38 +00:00
Dr. Stephen Henson
cbc9d9713d Fix Kerberos warnings with VC++. 2002-03-12 19:37:18 +00:00
Dr. Stephen Henson
0b4c91c0fc Fix various warnings when compiling with KRB5 code. 2002-03-12 02:59:37 +00:00
Richard Levitte
26414ee013 Increase internal security when using strncpy, by making sure the resulting string is NUL-terminated 2002-02-28 12:42:19 +00:00
Bodo Möller
47ff5c6279 For future portability reasons MIT is moving all macros to function
calls.  This patch allows compilation either way.

Submitted by: Jeffrey Altman <jaltman@columbia.edu>
2001-11-23 21:50:50 +00:00
Dr. Stephen Henson
581f1c8494 Modify EVP cipher behaviour in a similar way
to digests to retain compatibility.
2001-10-17 00:37:12 +00:00
Richard Levitte
116daf4c2f To avoid commit wars over dependencies, let's make it so things that
depend on the environment, like the presence of the OpenBSD crypto
device or of Kerberos, do not change the dependencies within OpenSSL.
2001-10-10 07:55:02 +00:00
Richard Levitte
fdc2bbcacb Correct most of the unsigned vs. signed warnings (or int vs. size_t),
and rename some local variables to avoid name shadowing.
2001-07-31 08:45:40 +00:00
Richard Levitte
882e891284 More Kerberos SSL changes from Jeffrey Altman <jaltman@columbia.edu>
His comments are:

First, it corrects a problem introduced in the last patch where the
kssl_map_enc() would intentionally return NULL for valid ENCTYPE
values.  This was done to prevent verification of the kerberos 5
authenticator from being performed when Derived Key ciphers were
in use.  Unfortunately, the authenticator verification routine was
not the only place that function was used.  And it caused core dumps.

Second, it attempt to add to SSL_SESSION the Kerberos 5 Client
Principal Name.
2001-07-31 07:21:06 +00:00
Richard Levitte
acdf4afb91 More Kerberos SSL patches from Vern Staats <staatsvr@asc.hpc.mil>.
His comments are:

This patch fixes the problem of modern Kerberos using "derived keys"
to encrypt the authenticator by disabling the authenticator check
for all derived keys enctypes.

I think I've got all the bugfixes that Jeffrey and I discussed rolled
into this.  There were some problems with Jeffrey's code to convert
the authenticator's Kerberos timestring into struct tm (e.g. Z, -1900;
it helps to have an actual decryptable authenticator to play with).
So I've shamelessly pushed in my code, while stealing some bits from
Jeffrey.
2001-07-21 09:43:43 +00:00
Richard Levitte
45442167b0 Prevent KSSL server from requesting a client certificate.
Submitted by Jeffrey Altman <jaltman@columbia.edu>
2001-07-12 16:17:33 +00:00
Richard Levitte
131645ecce paddr may be NULL. Do not crash if it is. 2001-07-12 15:54:10 +00:00
Richard Levitte
a5224c3420 Changes to the Kerberos SSL code by Jeffrey Altman <jaltman@columbia.edu>
His comments are:

 . adds use of replay cache to protect against replay attacks

 . adds functions kssl_tgt_is_available() and
   kssl_keytab_is_available() which are used within s3_lib.c
   and ssl_lib.c to determine at runtime whether or not
   KRB5 ciphers can be supported during the current session.
2001-07-11 19:03:58 +00:00
Richard Levitte
ab603c6987 Code to avoid the use of non-standard strptime(). By
Jeffrey Altman <jaltman@columbia.edu>

(Really, the time that's being parsed is a GeneralizedTime, so if
ASN1_GENERALIZEDTIME_get() ever gets implemented, it should be used
instead)
2001-07-11 16:13:36 +00:00
Richard Levitte
8de83bf876 Changes to the Kerberos SSL code by Jeffrey Altman <jaltman@columbia.edu>
His comments are:

 . Fixed all of the Windows dynamic loading functions, prototypes, etc.

 . Corrected all of the unsigned/signed comparison warnings

 . Replaced the references to krb5_cksumarray[] for two reasons.
   First, it was an internal variable that should not have been
   referenced outside the library; nor could it have been with
   a shared library with restricted exports.  Second, the
   variable is no longer used in current Kerberos implementations.
   I replaced the code with equivalent functionality using functions
   that are exported from the library.
2001-07-11 15:31:45 +00:00
Richard Levitte
7e99812432 If I define _XOPEN_SOURCE before including *any* system header file,
things will work much more smoothly.
2001-07-09 21:51:03 +00:00
Richard Levitte
2a1ef75435 Patches from Vern Staats <staatsvr@asc.hpc.mil> to get Kerberos 5 in
SSL according to RFC 2712.  His comment is:

This is a patch to openssl-SNAP-20010702 to support Kerberized SSL
authentication.  I'm expecting to have the full kssl-0.5 kit up on
sourceforge by the end of the week.  The full kit includes patches
for mod-ssl, apache, and a few text clients.  The sourceforge URL
is http://sourceforge.net/projects/kssl/ .

Thanks to a note from Simon Wilkinson I've replaced my KRB5 AP_REQ
message with a real KerberosWrapper struct.  I think this is fully
RFC 2712 compliant now, including support for the optional
authenticator field.  I also added openssl-style ASN.1 macros for
a few Kerberos structs; see crypto/krb5/ if you're interested.
2001-07-09 21:46:58 +00:00
Richard Levitte
32d0ad41a4 DEC C on VMS is pedantic by definition. 2001-02-20 13:06:55 +00:00
Richard Levitte
bc36ee6227 Use new-style system-id macros everywhere possible. I hope I haven't
missed any.

This compiles and runs on Linux, and external applications have no
problems with it.  The definite test will be to build this on VMS.
2001-02-20 08:13:47 +00:00
Ulf Möller
7bd51947e5 Temporary fix for build break.
It's still inconsistent - probably better to undo the whole OPENSSL_NO_* thing.
2001-02-19 23:42:09 +00:00
Ben Laurie
b0dc680f71 Fix warnings. 2000-12-03 10:04:22 +00:00
Richard Levitte
3e7a6396ed Typo corrected. 2000-12-01 14:33:19 +00:00
Richard Levitte
f9b3bff6f7 First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS. Implemented by Vern Staats <staatsvr@asc.hpc.mil>, further hacked and distributed by Jeffrey Altman <jaltnab@columbia.edu> 2000-11-30 22:53:34 +00:00
Richard Levitte
43fcc1b096 I've checked again and again. There really is no need to expand a to
4 times it's size when bn_sqr_recursive() won't look farther than the
original length.  Thereby, constification is no longer a problem.
2000-11-16 21:35:41 +00:00