[openssl.org #693] [PATCH] Ensure OpenSSL stores Kerberos principal's instance
A Kerberos principal is composed of the name, instance, and realm. When using OpenSSL with Kerberos, an OpenSSL server places the client's principal into ssl->kssl_ctx->client_princ. However, due to a bug in kssl.c:kssl_ctx_setprinc(), the instance information is never copied.

That is:

Kerberos principal        Current behavior        Patched behavior
[EMAIL PROTECTED]         [EMAIL PROTECTED]       [EMAIL PROTECTED]
foo/[EMAIL PROTECTED]     [EMAIL PROTECTED]       foo/[EMAIL PROTECTED]

The attached patch updates kssl_ctx_setprinc() in kssl.[ch] to ensure ssl->kssl_ctx->client_princ reflects the full principal.

In addition, the patch updates s_server.c:init_ssl_connection() to print the Kerberos principal on connect (just like init_ssl_connection() prints any client certificate information).

Tested on Solaris [78], HP-UX 11.00, RH7.2 and RHAS21 with MIT Kerberos 1.2.x

Thanks-
Dan

diff -ur openssl-0.9.7-stable-SNAP-20030922/apps/s_server.c openssl-0.9.7-stable-SNAP-20030922-work/apps/s_server.cbr --- openssl-0.9.7-stable-SNAP-20030922/apps/s_server.cnbsp; Thu Jan 30 14:16:30 2003br +++ openssl-0.9.7-stable-SNAP-20030922-work/apps/s_server.cnbsp;nbsp;nbsp;nbsp; Mon Sep 22 14:35:15 2003br 
@@ -1264,6 +1264,13 @@br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; TLS1_FLAGS_TLS_PADDING_BUG)br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; BIO_printf(bio_s_out,Peer has incorrect TLSv1 block padding\n);br br +#ifndef OPENSSL_NO_KRB5br +nbsp;nbsp;nbsp; if (con-gt;kssl_ctx-gt;client_princ != NULL)br +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; {br +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; BIO_printf(bio_s_out,Kerberos peer principal is %s\n,br +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; con-gt;kssl_ctx-gt;client_princ);br +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; }br +#endif /* OPENSSL_NO_KRB5 */br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; return(1);br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; }br br diff -ur openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.c openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.cbr --- openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.cnbsp;nbsp;nbsp;nbsp;nbsp;nbsp; Wed Mar 26 14:16:38 2003br +++ openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.cnbsp; Mon Sep 22 14:34:20 2003br 
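Review bot: The new `if` dereferences `con->kssl_ctx` without checking it first; as far as I recall `SSL_new` assigns the result of `kssl_ctx_new()` unchecked, so `if (con->kssl_ctx != NULL && con->kssl_ctx->client_princ != NULL)` would be the safer test. `client_princ` is assembled from the principal components carried in the peer's ticket and is not constrained to printable characters, so echoing it with `%s` lets a peer place newlines or terminal control sequences into `bio_s_out`; escaping non-printable bytes before printing keeps the server log trustworthy. `init_ssl_connection` begins outside the hunk, so I cannot see whether `con->kssl_ctx` was validated earlier in the function.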
@@ -1497,7 +1497,8 @@br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; }br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; amp;krb5ticket-gt;enc_part2-gt;client-gt;realm,br -nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; krb5ticket-gt;enc_part2-gt;client-gt;data))br +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; krb5ticket-gt;enc_part2-gt;client-gt;data,br +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; krb5ticket-gt;enc_part2-gt;client-gt;length))br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; {br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; kssl_ctx_setprinc() fails.\n);br @@ -1564,16 +1565,17 @@br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; }br br br -/*nbsp;nbsp;nbsp;nbsp; Given a (krb5_data *) entity (and optional realm),br +/*nbsp;nbsp;nbsp;nbsp; Given an array of (krb5_data) entity (and optional realm),br nbsp;**nbsp;nbsp;nbsp;nbsp; set the plain (char *) client_princ or service_host memberbr nbsp;**nbsp;nbsp;nbsp;nbsp; of the kssl_ctx struct.br nbsp;*/br nbsp;krb5_error_codebr nbsp;kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,br -nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; krb5_data *realm, krb5_data *entity)br +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; krb5_data *realm, krb5_data *entity, int nentities)br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; {br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; charnbsp;nbsp;nbsp; **princ;br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; intnbsp;nbsp;nbsp;nbsp; length;br +nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; intnbsp;nbsp;nbsp;nbsp; i;br br nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; if
[PATCH] kssl_ctx_setprinc
[resend, this time cc'd to [EMAIL PROTECTED]] All, The current kssl_ctx_setprinc does not handle instances. I may have a principal of: [EMAIL PROTECTED], [EMAIL PROTECTED] or (technically) [EMAIL PROTECTED]. The current implementation will only place [EMAIL PROTECTED] in kssl_ctx-client_princ. These different parts of the client principal are stored in an array of krb5_data: krb5ticket-enc_part2-client-data[0..krb5ticket-enc_part2-client-length-1] I've changed kssl.c:kssl_ctx_setprinc() to: 1) Take an additional argument (nentities) 2) calloc(3) enough memory for all of the entity[]-data elements, plus the '/' separator characters 3) Build the principal with all of the entity[]-data elements, placing a '/' between elements 4) No longer put '\0' bytes at the end of the string we're assembling. Since we used calloc(3) and strncat (the data has an explicitly-stated length), the buffer already has the terminating '\0' in the right place. Tested with MIT 1.2.x on Solaris and HP-UX 11.00. Thanks- Dan diff -ur openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.c openssl-0.9.7-working/ssl/kssl.c --- openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.c Mon Mar 18 21:07:15 2002 +++ openssl-0.9.7-working/ssl/kssl.cTue Mar 26 16:10:38 2002 @@ -1514,7 +1514,8 @@ } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, krb5ticket-enc_part2-client-realm, -krb5ticket-enc_part2-client-data)) +krb5ticket-enc_part2-client-data, +krb5ticket-enc_part2-client-length)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, kssl_ctx_setprinc() fails.\n); 
@@ -1581,16 +1582,17 @@ } -/* Given a (krb5_data *) entity (and optional realm), +/* Given an array of (krb5_data) entity (and optional realm), ** set the plain (char *) client_princ or service_host member ** of the kssl_ctx struct. */ krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, -krb5_data *realm, krb5_data *entity) +krb5_data *realm, krb5_data *entity, int nentities) { char**princ; int length; + int i; if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR; @@ -1602,18 +1604,32 @@ } if (*princ) free(*princ); - length = entity-length + ((realm)? realm-length + 2: 1); + /* Add up all the entity-lengths */ + length = 0; + for (i=0; i nentities; i++) + { + length += entity[i].length; + } + /* Add in space for the '/' separator(s) (if any) */ + length += nentities-1; + /* Space for the ('@'+realm+NULL | NULL) */ + length += ((realm)? realm-length + 2: 1); if ((*princ = calloc(1, length)) == NULL) return KSSL_CTX_ERR; else { - strncpy(*princ, entity-data, entity-length); - (*princ)[entity-length]='\0'; + for (i = 0; i nentities; i++) + { + strncat(*princ, entity[i].data, entity[i].length); + if (i nentities-1) + { + strcat (*princ, /); + } + } if (realm) { strcat (*princ, @); (void) strncat(*princ, realm-data, realm-length); - (*princ)[entity-length+1+realm-length]='\0'; } } diff -ur openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.h openssl-0.9.7-working/ssl/kssl.h --- openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.h Wed Oct 10 03:55:01 2001 +++ openssl-0.9.7-working/ssl/kssl.hTue Mar 26 16:14:25 2002 
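Review bot: `kssl_ctx_setprinc` puts no lower bound on `nentities`, so the new size computation's `length += nentities-1;` undercounts by one when zero components are passed, and with a realm present the `"@"` + realm + terminator then lands one byte past the `calloc` buffer; the existing guard should become `if (kssl_ctx == NULL || entity == NULL || nentities < 1) return KSSL_CTX_ERR;`. The component count and each `entity[i].length` come straight from the decrypted ticket, so the function, not its callers, is the right place for that check. `length` is a signed `int` summing `krb5_data` lengths; a `size_t` accumulator with an overflow check before `calloc` would be the more defensive choice, although with KDC-issued tickets the practical exposure is small. The same `@@ -1602,18 +1604,32 @@` hunk is repeated in the duplicate copy of this post further down the page, and this note applies there as well.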
@@ -149,7 +149,7 @@ KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx); void kssl_ctx_show(KSSL_CTX *kssl_ctx); krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, -krb5_data *realm, krb5_data *entity); +krb5_data *realm, krb5_data *entity, int nentities); krb5_error_codekssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp, krb5_data *authenp, KSSL_ERR *kssl_err); krb5_error_codekssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata, __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
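Review bot: The new `nentities` parameter is undocumented in the header, and the contract is not obvious from the prototype: `entity` now points at an array, the separator arithmetic in kssl.c assumes at least one component, and `realm` may be NULL. A comment above the declaration such as `/* entity: array of nentities principal components (nentities >= 1); realm may be NULL */` would save callers a trip into kssl.c. The same prototype change appears again in the duplicate copy of this post below.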
[PATCH] kssl_ctx_setprinc
All, The current kssl_ctx_setprinc does not handle instances. I may have a principal of: [EMAIL PROTECTED], [EMAIL PROTECTED] or (technically) [EMAIL PROTECTED]. The current implementation will only place [EMAIL PROTECTED] in kssl_ctx-client_princ. These different parts of the client principal are stored in an array of krb5_data: krb5ticket-enc_part2-client-data[0..krb5ticket-enc_part2-client-length-1] I've changed kssl.c:kssl_ctx_setprinc() to: 1) Take an additional argument (nentities) 2) calloc(3) enough memory for all of the entity[]-data elements, plus the '/' separator characters 3) Build the principal with all of the entity[]-data elements, placing a '/' between elements 4) No longer put '\0' bytes at the end of the string we're assembling. Since we used calloc(3) and strncat (the data has an explicitly-stated length), the buffer already has the terminating '\0' in the right place. Tested with MIT 1.2.x on Solaris and HP-UX 11.00. Thanks- Dan diff -ur openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.c openssl-0.9.7-working/ssl/kssl.c --- openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.c Mon Mar 18 21:07:15 2002 +++ openssl-0.9.7-working/ssl/kssl.cTue Mar 26 16:10:38 2002 @@ -1514,7 +1514,8 @@ } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, krb5ticket-enc_part2-client-realm, -krb5ticket-enc_part2-client-data)) +krb5ticket-enc_part2-client-data, +krb5ticket-enc_part2-client-length)) { kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, kssl_ctx_setprinc() fails.\n); @@ -1581,16 +1582,17 @@ } -/* Given a (krb5_data *) entity (and optional realm), +/* Given an array of (krb5_data) entity (and optional realm), ** set the plain (char *) client_princ or service_host member ** of the kssl_ctx struct. */ krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, -krb5_data *realm, krb5_data *entity) +krb5_data *realm, krb5_data *entity, int nentities) { char**princ; int length; + int i; if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR; 
@@ -1602,18 +1604,32 @@ } if (*princ) free(*princ); - length = entity-length + ((realm)? realm-length + 2: 1); + /* Add up all the entity-lengths */ + length = 0; + for (i=0; i nentities; i++) + { + length += entity[i].length; + } + /* Add in space for the '/' separator(s) (if any) */ + length += nentities-1; + /* Space for the ('@'+realm+NULL | NULL) */ + length += ((realm)? realm-length + 2: 1); if ((*princ = calloc(1, length)) == NULL) return KSSL_CTX_ERR; else { - strncpy(*princ, entity-data, entity-length); - (*princ)[entity-length]='\0'; + for (i = 0; i nentities; i++) + { + strncat(*princ, entity[i].data, entity[i].length); + if (i nentities-1) + { + strcat (*princ, /); + } + } if (realm) { strcat (*princ, @); (void) strncat(*princ, realm-data, realm-length); - (*princ)[entity-length+1+realm-length]='\0'; } } diff -ur openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.h openssl-0.9.7-working/ssl/kssl.h --- openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.h Wed Oct 10 03:55:01 2001 +++ openssl-0.9.7-working/ssl/kssl.hTue Mar 26 16:14:25 2002 @@ -149,7 +149,7 @@ KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx); void kssl_ctx_show(KSSL_CTX *kssl_ctx); krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, -krb5_data *realm, krb5_data *entity); +krb5_data *realm, krb5_data *entity, int nentities); krb5_error_codekssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp, krb5_data *authenp, KSSL_ERR *kssl_err); krb5_error_codekssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata, __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[PATCH] Initialize cipher context in ssl/s3_(clnt|srvr).c
A ciph_ctx is declared auto, but not initialized in the SSL_kKRB5 codepath. diff -ur openssl-0.9.7-stable-SNAP-20020312-orig/ssl/s3_clnt.c openssl-0.9.7-stable-SNAP-20020312-work/ssl/s3_clnt.c --- openssl-0.9.7-stable-SNAP-20020312-orig/ssl/s3_clnt.c Mon Jan 14 18:40:23 2002 +++ openssl-0.9.7-stable-SNAP-20020312-work/ssl/s3_clnt.c Thu Mar 14 00:35:18 2002 @@ -1494,6 +1494,8 @@ + EVP_MAX_IV_LENGTH]; int padl, outl = sizeof(epms); + EVP_CIPHER_CTX_init (ciph_ctx); + #ifdef KSSL_DEBUG printf(ssl3_send_client_key_exchange(%lx %lx)\n, l, SSL_kKRB5); diff -ur openssl-0.9.7-stable-SNAP-20020312-orig/ssl/s3_srvr.c openssl-0.9.7-stable-SNAP-20020312-work/ssl/s3_srvr.c --- openssl-0.9.7-stable-SNAP-20020312-orig/ssl/s3_srvr.c Tue Mar 12 15:07:06 2002 +++ openssl-0.9.7-stable-SNAP-20020312-work/ssl/s3_srvr.c Thu Mar 14 00:35:44 2002 @@ -1559,6 +1559,8 @@ if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); + EVP_CIPHER_CTX_init (ciph_ctx); + n2s(p,i); enc_ticket.length = i; enc_ticket.data = (char *)p; __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
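Review bot: Both new `EVP_CIPHER_CTX_init (ciph_ctx);` calls need a matching `EVP_CIPHER_CTX_cleanup` on every exit from the SSL_kKRB5 branch, including the error returns, because the context holds the session key schedule; the enclosing functions start and end outside these hunks, so I cannot confirm such a cleanup exists. In s3_srvr.c the init is placed right after `if (!kssl_ctx) kssl_ctx = kssl_ctx_new();`, which still leaves a NULL `kssl_ctx` unchecked; that is pre-existing, but since the patch touches this spot, checking the allocation before going on would fit here.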