[openssl.org #693] [PATCH] Ensure OpenSSL stores Kerberos principal's instance

2003-09-22 Thread D Russell via RT

A Kerberos principal is composed of the name, instance, and realm.
When using OpenSSL with Kerberos, an OpenSSL server places the client's
principal into ssl->kssl_ctx->client_princ. However, due to a
bug in kssl.c:kssl_ctx_setprinc(), the instance information is never copied.
br
That is:br
br
Kerberos principalnbsp;nbsp;nbsp; Current behaviornbsp;nbsp; Patched behaviorbr
a class=moz-txt-link-abbreviated href=mailto:[EMAIL PROTECTED][EMAIL 
PROTECTED]/anbsp;nbsp;nbsp; nbsp;nbsp;nbsp; a 
class=moz-txt-link-abbreviated href=mailto:[EMAIL PROTECTED][EMAIL 
PROTECTED]/anbsp;nbsp; nbsp;nbsp; a class=moz-txt-link-abbreviated 
href=mailto:[EMAIL PROTECTED][EMAIL PROTECTED]/abr
a class=moz-txt-link-abbreviated href=mailto:foo/[EMAIL PROTECTED]foo/[EMAIL 
PROTECTED]/anbsp;nbsp;nbsp; a class=moz-txt-link-abbreviated 
href=mailto:[EMAIL PROTECTED][EMAIL PROTECTED]/anbsp;nbsp; a 
class=moz-txt-link-abbreviated href=mailto:foo/[EMAIL PROTECTED]foo/[EMAIL 
PROTECTED]/abr
br
nbsp;nbsp;nbsp; The attached patch updates kssl_ctx_setprinc() in kssl.[ch] to
ensure ssl-gt;kssl_ctx-gt;client_princ reflects the full principal.br
br
nbsp;nbsp;nbsp; In addition, the patch update s_server.c:init_ssl_connection() to
print the Kerberos principal on connect (just like
init_ssl_connection() prints any client certificate information).br
br
nbsp;nbsp;nbsp; Tested on Solaris [78], HP-UX 11.00, RH7.2 and RHAS21 with MIT
Kerberos 1.2.xbr
br
Thanks-br
nbsp;Danbr
br
br
diff -ur openssl-0.9.7-stable-SNAP-20030922/apps/s_server.c
openssl-0.9.7-stable-SNAP-20030922-work/apps/s_server.cbr
--- openssl-0.9.7-stable-SNAP-20030922/apps/s_server.cnbsp; Thu Jan 30
14:16:30 2003br
+++ openssl-0.9.7-stable-SNAP-20030922-work/apps/s_server.cnbsp;nbsp;nbsp;nbsp; 
Mon Sep
22 14:35:15 2003br
@@ -1264,6 +1264,13 @@br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 TLS1_FLAGS_TLS_PADDING_BUG)br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 BIO_printf(bio_s_out,Peer has incorrect TLSv1 block
padding\n);br
br
+#ifndef OPENSSL_NO_KRB5br
+nbsp;nbsp;nbsp; if (con-gt;kssl_ctx-gt;client_princ != NULL)br
+nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; {br
+nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; BIO_printf(bio_s_out,Kerberos peer 
principal is %s\n,br
+nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 
con-gt;kssl_ctx-gt;client_princ);br
+nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; }br
+#endif /* OPENSSL_NO_KRB5 */br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; return(1);br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; }br
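Review bot: The added block dereferences `con->kssl_ctx` before testing `client_princ`, and nothing in the hunk shows that kssl_ctx itself is non-NULL; the server key-exchange code elsewhere in this series allocates it lazily (`if (!kssl_ctx) kssl_ctx = kssl_ctx_new();`), so unless SSL_new is known to always allocate it the test should read `if (con->kssl_ctx != NULL && con->kssl_ctx->client_princ != NULL)`. The archive rendering has also mangled the hunk's `->` and `&` characters (they appear as `-gt;` and `amp;`), so the lines should be taken from the original patch rather than from this page. init_ssl_connection starts outside the hunk.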
br
diff -ur openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.c
openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.cbr
--- openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.cnbsp;nbsp;nbsp;nbsp;nbsp;nbsp; 
Wed Mar 26
14:16:38 2003br
+++ openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.cnbsp; Mon Sep 22
14:34:20 2003br
@@ -1497,7 +1497,8 @@br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 }br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; else if (kssl_ctx_setprinc(kssl_ctx, 
KSSL_CLIENT,br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 amp;krb5ticket-gt;enc_part2-gt;client-gt;realm,br
-nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 krb5ticket-gt;enc_part2-gt;client-gt;data))br
+nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 krb5ticket-gt;enc_part2-gt;client-gt;data,br
+nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 krb5ticket-gt;enc_part2-gt;client-gt;length))br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 {br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;
 kssl_ctx_setprinc() fails.\n);br
@@ -1564,16 +1565,17 @@br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; }br
br
br
-/*nbsp;nbsp;nbsp;nbsp; Given a (krb5_data *) entity (and optional realm),br
+/*nbsp;nbsp;nbsp;nbsp; Given an array of (krb5_data) entity (and optional 
realm),br
nbsp;**nbsp;nbsp;nbsp;nbsp; set the plain (char *) client_princ or service_host 
memberbr
nbsp;**nbsp;nbsp;nbsp;nbsp; of the kssl_ctx struct.br
nbsp;*/br
nbsp;krb5_error_codebr
nbsp;kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,br
-nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; krb5_data *realm, krb5_data *entity)br
+nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; krb5_data *realm, krb5_data *entity, int 
nentities)br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; {br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; charnbsp;nbsp;nbsp; **princ;br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; intnbsp;nbsp;nbsp;nbsp; length;br
+nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; intnbsp;nbsp;nbsp;nbsp; i;br
br
nbsp;nbsp;nbsp;nbsp;nbsp;nbsp;nbsp; if 

[PATCH] kssl_ctx_setprinc

2002-04-02 Thread D. Russell

[resend, this time cc'd to [EMAIL PROTECTED]]
All,

The current kssl_ctx_setprinc does not handle instances.  I may have
a principal of: [EMAIL PROTECTED], [EMAIL PROTECTED] or
(technically) [EMAIL PROTECTED].  The current
implementation will only place [EMAIL PROTECTED] in
kssl_ctx-client_princ.

These different parts of the client principal are stored in an array
of krb5_data:


krb5ticket->enc_part2->client->data[0..krb5ticket->enc_part2->client->length-1]

I've changed kssl.c:kssl_ctx_setprinc() to:

1) Take an additional argument (nentities)
2) calloc(3) enough memory for all of the entity[]-data elements, plus
the '/' separator characters
3) Build the principal with all of the entity[]-data elements, placing
a '/' between elements
4) No longer put '\0' bytes at the end of the string we're assembling.
Since we used calloc(3) and strncat (the data has an explicitly-stated
length), the buffer already has the terminating '\0' in the right place.

Tested with MIT 1.2.x on Solaris and HP-UX 11.00.

Thanks-
 Dan

diff -ur openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.c
openssl-0.9.7-working/ssl/kssl.c
--- openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.c   Mon Mar 18
21:07:15 2002
+++ openssl-0.9.7-working/ssl/kssl.cTue Mar 26 16:10:38 2002
@@ -1514,7 +1514,8 @@
}
else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
 krb5ticket-enc_part2-client-realm,
-krb5ticket-enc_part2-client-data))
+krb5ticket-enc_part2-client-data,
+krb5ticket-enc_part2-client-length))
 {
kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
 kssl_ctx_setprinc() fails.\n);
@@ -1581,16 +1582,17 @@
 }


-/* Given a (krb5_data *) entity (and optional realm),
+/* Given an array of (krb5_data) entity (and optional realm),
 ** set the plain (char *) client_princ or service_host member
 ** of the kssl_ctx struct.
 */
 krb5_error_code
 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-krb5_data *realm, krb5_data *entity)
+krb5_data *realm, krb5_data *entity, int nentities)
 {
char**princ;
int length;
+   int i;

if (kssl_ctx == NULL  ||  entity == NULL)  return KSSL_CTX_ERR;
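Review bot: The NULL guard at the end of this hunk is not extended to the new `nentities` parameter, while the size arithmetic in the next hunk (`length += nentities-1`) goes negative for a zero count and then under-sizes the calloc that `strcat(*princ, "@")` and the realm copy are written into. Extend the existing check to `if (kssl_ctx == NULL || entity == NULL || nentities < 1) return KSSL_CTX_ERR;`. The header comment rewritten in this hunk should also say what the new argument counts, e.g. `** entity[0..nentities-1] are the principal components, joined with '/'`. The same applies to the identical hunk in the resent copy of this message further down and to the HTML-rendered 2003 version above; kssl_ctx_setprinc continues past the end of the hunk.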

@@ -1602,18 +1604,32 @@
}
if (*princ)  free(*princ);

-   length = entity-length + ((realm)? realm-length + 2: 1);
+   /* Add up all the entity-lengths */
+   length = 0;
+   for (i=0; i  nentities; i++)
+   {
+   length += entity[i].length;
+   }
+   /* Add in space for the '/' separator(s) (if any) */
+   length += nentities-1;
+   /* Space for the ('@'+realm+NULL | NULL) */
+   length += ((realm)? realm-length + 2: 1);
if ((*princ = calloc(1, length)) == NULL)
return KSSL_CTX_ERR;
else
 {
-   strncpy(*princ, entity-data, entity-length);
-   (*princ)[entity-length]='\0';
+   for (i = 0; i  nentities; i++)
+   {
+   strncat(*princ, entity[i].data,
entity[i].length);
+   if (i  nentities-1)
+   {
+   strcat (*princ, /);
+   }
+   }
if (realm)
 {
strcat (*princ, @);
(void) strncat(*princ, realm-data,
realm-length);
-   (*princ)[entity-length+1+realm-length]='\0';
}
}
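Review bot: Each component is appended with `strncat(*princ, entity[i].data, entity[i].length)`, which stops at the first NUL byte inside the data even though krb5_data carries an explicit length, so a component containing a NUL would be silently truncated and the stored `client_princ` would no longer name the principal the KDC actually issued. Whether such a name can reach this code is not visible here, but since the string is later used to identify the peer it is safer to reject than to truncate: in the length-summing loop add `if (memchr(entity[i].data, '\0', entity[i].length) != NULL) return KSSL_CTX_ERR;` and apply the same test to `realm->data`. Note that the `free(*princ)` just above the loop does not clear the pointer until calloc reassigns it, so any early return added there must also set `*princ = NULL` to avoid a later double free. This hunk is repeated verbatim in the resent copy of the message below; the function starts and ends outside the hunk.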

diff -ur openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.h
openssl-0.9.7-working/ssl/kssl.h
--- openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.h   Wed Oct 10
03:55:01 2001
+++ openssl-0.9.7-working/ssl/kssl.hTue Mar 26 16:14:25 2002
@@ -149,7 +149,7 @@
 KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
 void kssl_ctx_show(KSSL_CTX *kssl_ctx);
 krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-krb5_data *realm, krb5_data *entity);
+krb5_data *realm, krb5_data *entity, int nentities);
 krb5_error_codekssl_cget_tkt(KSSL_CTX *kssl_ctx,  krb5_data
**enc_tktp,
 krb5_data *authenp, KSSL_ERR *kssl_err);
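Review bot: The prototype now takes `nentities` but the header says nothing about what it counts or whether `realm` may be NULL, which is where callers of a public kssl.h function will look. A one-line comment above the declaration, e.g. `/* entity[0..nentities-1] are the principal components, joined with '/'; realm may be NULL */`, would avoid every caller having to read kssl.c. The same header hunk appears again in the resent copy of this message below.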
 krb5_error_codekssl_sget_tkt(KSSL_CTX *kssl_ctx,  krb5_data
*indata,



[PATCH] kssl_ctx_setprinc

2002-03-26 Thread D. Russell

All,

The current kssl_ctx_setprinc does not handle instances.  I may have
a principal of: [EMAIL PROTECTED], [EMAIL PROTECTED] or
(technically) [EMAIL PROTECTED].  The current
implementation will only place [EMAIL PROTECTED] in
kssl_ctx-client_princ.

These different parts of the client principal are stored in an array
of krb5_data:


krb5ticket->enc_part2->client->data[0..krb5ticket->enc_part2->client->length-1]

I've changed kssl.c:kssl_ctx_setprinc() to:

1) Take an additional argument (nentities)
2) calloc(3) enough memory for all of the entity[]-data elements, plus
the '/' separator characters
3) Build the principal with all of the entity[]-data elements, placing
a '/' between elements
4) No longer put '\0' bytes at the end of the string we're assembling.
Since we used calloc(3) and strncat (the data has an explicitly-stated
length), the buffer already has the terminating '\0' in the right place.

Tested with MIT 1.2.x on Solaris and HP-UX 11.00.

Thanks-
 Dan

diff -ur openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.c
openssl-0.9.7-working/ssl/kssl.c
--- openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.c   Mon Mar 18
21:07:15 2002
+++ openssl-0.9.7-working/ssl/kssl.cTue Mar 26 16:10:38 2002
@@ -1514,7 +1514,8 @@
}
else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
 krb5ticket-enc_part2-client-realm,
-krb5ticket-enc_part2-client-data))
+krb5ticket-enc_part2-client-data,
+krb5ticket-enc_part2-client-length))
 {
kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
 kssl_ctx_setprinc() fails.\n);
@@ -1581,16 +1582,17 @@
 }


-/* Given a (krb5_data *) entity (and optional realm),
+/* Given an array of (krb5_data) entity (and optional realm),
 ** set the plain (char *) client_princ or service_host member
 ** of the kssl_ctx struct.
 */
 krb5_error_code
 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-krb5_data *realm, krb5_data *entity)
+krb5_data *realm, krb5_data *entity, int nentities)
 {
char**princ;
int length;
+   int i;

if (kssl_ctx == NULL  ||  entity == NULL)  return KSSL_CTX_ERR;

@@ -1602,18 +1604,32 @@
}
if (*princ)  free(*princ);

-   length = entity-length + ((realm)? realm-length + 2: 1);
+   /* Add up all the entity-lengths */
+   length = 0;
+   for (i=0; i  nentities; i++)
+   {
+   length += entity[i].length;
+   }
+   /* Add in space for the '/' separator(s) (if any) */
+   length += nentities-1;
+   /* Space for the ('@'+realm+NULL | NULL) */
+   length += ((realm)? realm-length + 2: 1);
if ((*princ = calloc(1, length)) == NULL)
return KSSL_CTX_ERR;
else
 {
-   strncpy(*princ, entity-data, entity-length);
-   (*princ)[entity-length]='\0';
+   for (i = 0; i  nentities; i++)
+   {
+   strncat(*princ, entity[i].data,
entity[i].length);
+   if (i  nentities-1)
+   {
+   strcat (*princ, /);
+   }
+   }
if (realm)
 {
strcat (*princ, @);
(void) strncat(*princ, realm-data,
realm-length);
-   (*princ)[entity-length+1+realm-length]='\0';
}
}

diff -ur openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.h
openssl-0.9.7-working/ssl/kssl.h
--- openssl-0.9.7-stable-SNAP-20020325/ssl/kssl.h   Wed Oct 10
03:55:01 2001
+++ openssl-0.9.7-working/ssl/kssl.hTue Mar 26 16:14:25 2002
@@ -149,7 +149,7 @@
 KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
 void kssl_ctx_show(KSSL_CTX *kssl_ctx);
 krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-krb5_data *realm, krb5_data *entity);
+krb5_data *realm, krb5_data *entity, int nentities);
 krb5_error_codekssl_cget_tkt(KSSL_CTX *kssl_ctx,  krb5_data
**enc_tktp,
 krb5_data *authenp, KSSL_ERR *kssl_err);
 krb5_error_codekssl_sget_tkt(KSSL_CTX *kssl_ctx,  krb5_data
*indata,





[PATCH] Initialize cipher context in ssl/s3_(clnt|srvr).c

2002-03-13 Thread D. Russell

ciph_ctx is declared as an automatic (stack) variable but is never initialized
on the SSL_kKRB5 code path.

diff -ur openssl-0.9.7-stable-SNAP-20020312-orig/ssl/s3_clnt.c
openssl-0.9.7-stable-SNAP-20020312-work/ssl/s3_clnt.c
--- openssl-0.9.7-stable-SNAP-20020312-orig/ssl/s3_clnt.c   Mon Jan
14 18:40:23 2002
+++ openssl-0.9.7-stable-SNAP-20020312-work/ssl/s3_clnt.c   Thu Mar
14 00:35:18 2002
@@ -1494,6 +1494,8 @@
+ EVP_MAX_IV_LENGTH];
int padl, outl = sizeof(epms);

+   EVP_CIPHER_CTX_init (ciph_ctx);
+
 #ifdef KSSL_DEBUG
 printf(ssl3_send_client_key_exchange(%lx 
%lx)\n,
 l, SSL_kKRB5);
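Review bot: The added `EVP_CIPHER_CTX_init` has no visible counterpart: once the context is initialised, every exit from the SSL_kKRB5 branch, including its error path, needs `EVP_CIPHER_CTX_cleanup` so that cipher state allocated by the later EncryptInit is released, and the hunk does not show one. As displayed, the call passes `ciph_ctx` rather than `&ciph_ctx`; if ciph_ctx is a stack EVP_CIPHER_CTX as the description ("declared auto") suggests, the `&` was probably stripped by the archive, so verify against the original patch. Both points apply equally to the s3_srvr.c hunk below. The enclosing function starts and ends outside the hunk.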
diff -ur openssl-0.9.7-stable-SNAP-20020312-orig/ssl/s3_srvr.c
openssl-0.9.7-stable-SNAP-20020312-work/ssl/s3_srvr.c
--- openssl-0.9.7-stable-SNAP-20020312-orig/ssl/s3_srvr.c   Tue Mar
12 15:07:06 2002
+++ openssl-0.9.7-stable-SNAP-20020312-work/ssl/s3_srvr.c   Thu Mar
14 00:35:44 2002
@@ -1559,6 +1559,8 @@

 if (!kssl_ctx)  kssl_ctx = kssl_ctx_new();

+   EVP_CIPHER_CTX_init (ciph_ctx);
+
n2s(p,i);
enc_ticket.length = i;
enc_ticket.data = (char *)p;

