> Jeffrey Altman wrote:
> > My guess at the moment is that the easiest place is in the functions
> > that convert stacks of ciphers to/from byte streams of ciphers since
> > those functions must be called in all of the appropriate places.
> 
> OK, but this seems like a nasty hack to me. Unfortunately I haven't got
> time right now to investigate a less nasty hack.
> 
> However, I did have occasion to wander through this area of the code a
> while back, and I don't remember there being many places that would be
> affected, and I also have a vague memory of there being some kind of
> filtering going on already.
> 
> BTW, if there's no callback into the app, are you envisaging a patch to
> OpenSSL? Would it make OpenSSL Kerberos specific?
> 
> Cheers,
> 
> Ben.

Vern, Richard and I are already working on adding support to OpenSSL
for the Kerberos 5 ciphers.  All of the Kerberos library calls are
being placed into two new source files in the ssl directory.  The
other affected files will only make calls to the new support
functions.  OpenSSL can be built with or without Kerberos 5 support.

The changes to ssl_lib.c will look something like

  #ifdef KRB5
    if ((cipher & KRB5_MASK) && !kssl_krb5_client_ready())
        continue;  /* skip cipher when building list */
  #endif

and 

  #ifdef KRB5
    if ((cipher & KRB5_MASK) && !kssl_krb5_server_ready())
        continue;  /* skip cipher when processing client's cipher list */
  #endif

The change is really small.  Is it a hack?  Yes.  But it's a start.  It
can always be re-implemented in a better way later on.



                  Jeffrey Altman * Sr.Software Designer
                 The Kermit Project * Columbia University
               612 West 115th St * New York, NY * 10025 * USA
     http://www.kermit-project.org/ * [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
