OpenSSL-0.9.7-BETA3 has a problem in kssl.c, which prevents the
server portion of the Kerberos authentication from functioning correctly.
The problem is related to how internal OpenSSL code handles des/des3
encryption/decryption versus how the Kerberos libraries handle the
logic. Since the code in kssl.c processes data created by the
Kerberos libraries and then passes the result back to the Kerberos
libraries, the Kerberos conventions must be used.
In the current version of kssl.c, lines 2050 to and including 2086
should be replaced with:
    /* Decrypt the Kerberos authenticator through the EVP interface, using the
     * key and IV supplied on the Kerberos side (kssl_ctx->key, iv). */
    if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv))
        {
        kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
                     "EVP_DecryptInit_ex error decrypting authenticator.\n");
        krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
        goto err;
        }
    if (!EVP_DecryptUpdate(&ciph_ctx, unenc_authent, &outl,
                           dec_authent->cipher->data,
                           dec_authent->cipher->length))
        {
        kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
                     "EVP_DecryptUpdate error decrypting authenticator.\n");
        krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
        goto err;
        }
    /* Bail out if the decrypted data did not fit the caller's buffer. */
    if (outl > unencbufsize)
        {
        kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
                     "Buffer overflow decrypting authenticator.\n");
        krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
        goto err;
        }
    /* Final block: strips the padding; a bad pad is reported as a failure. */
    if (!EVP_DecryptFinal_ex(&ciph_ctx, &(unenc_authent[outl]), &padl))
        {
        kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
                     "EVP_DecryptFinal_ex error decrypting authenticator.\n");
        krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
        goto err;
        }
    outl += padl;
    /* Re-check the total length now that the final block has been added. */
    if (outl > unencbufsize)
        {
        kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
                     "Buffer overflow decrypting authenticator.\n");
        krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
        goto err;
        }
------- Forwarded message follows -------
Date sent: Tue, 10 Sep 2002 22:05:42 +0200
From: Lutz Jaenicke <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [openssl.org #277] COMP_zlib Problem
Organization: BTU Cottbus, Allgemeine Elektrotechnik
Send reply to: [EMAIL PROTECTED]
On Tue, Sep 10, 2002 at 01:07:01PM -0500, Kenneth R. Robinette wrote:
> Subject: Re: [openssl.org #277] COMP_zlib Problem
> From: "Lutz Jaenicke via RT" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Copies to: [EMAIL PROTECTED]
> Date sent: Tue, 10 Sep 2002 10:15:19 +0200 (METDST)
> Send reply to: [EMAIL PROTECTED]
>
> There is still a problem in kssl.c which prevents the OpenSSL-
> 0.9.7beta3 server code from working when Kerberos 5 authentication is
> requested. I sent the code necessary to fix this many months ago (I
> worked with Dr. Henson on the problem). The code I sent must have
> been lost, thrown away or discarded. It consisted of a short patch to
> kssl.c in the ssl directory.
>
> What is the correct procedure to follow to get this fixed? I really
> don't care if my patch is used or someone else's; I just would like to
> see this stuff work as distributed.
Please send your bug report and/or fix to [EMAIL PROTECTED]
(or [EMAIL PROTECTED] which is actually the same) and a ticket will
be created. (It may take some hours to show up, because I moderate
new submissions to prevent SPAM.)
I have installed RT2 (request tracker) to make sure, just because things
from time to time got lost.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
------- End of forwarded message -------
__________________________________________________
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
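The kssl.c fragment in the bug report above replaces the authenticator decrypt with the EVP_DecryptInit_ex / EVP_DecryptUpdate / EVP_DecryptFinal_ex sequence and tests outl against unencbufsize after each step. The OpenSSL manual states that the buffer handed to EVP_DecryptUpdate needs room for inl plus the cipher block size (the last block is held back while padding is enabled) and that EVP_DecryptFinal_ex can write up to one further block, so the practical rule is to size the destination for that worst case before decrypting and let the post-hoc length tests act as a second line of defence. The program below is an added example, not code from OpenSSL, from kssl.c or from the reporter: it models the Update/Final output contract behind a placeholder XOR block function so that it runs without libcrypto, and wraps it in a routine that rejects an undersized destination before anything is written. The key, IV, plaintext, ciphertext and every name (toy_ctx, toy_block, toy_decrypt_update, toy_decrypt_final, decrypt_authenticator, demo) are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not OpenSSL's kssl.c. A placeholder block "cipher" (XOR with
 * the key) sits behind Update/Final calls that follow the EVP_DecryptUpdate /
 * EVP_DecryptFinal_ex output contract, so the buffer discipline around the
 * authenticator decrypt can be exercised without linking libcrypto. */
#define BLK 8 /* DES / 3DES block size */

typedef struct {
    uint8_t key[BLK], prev[BLK];  /* key, CBC chaining value */
    uint8_t pending[BLK];         /* held-back block, as EVP keeps one for padding */
    size_t npending;
} toy_ctx;

/* Placeholder for the DES block function: XOR with the key. Not a cipher. */
static void toy_block(const uint8_t *key, const uint8_t *in, uint8_t *out)
{
    for (int i = 0; i < BLK; i++) out[i] = in[i] ^ key[i];
}

/* Like EVP_DecryptUpdate: emits whole blocks, keeps the last full block back
 * for Final. May write up to inl + BLK - 1 bytes into out. */
static int toy_decrypt_update(toy_ctx *c, uint8_t *out, size_t *outl,
                              const uint8_t *in, size_t inl)
{
    *outl = 0;
    while (inl > 0) {
        size_t take = BLK - c->npending;
        if (take > inl) take = inl;
        memcpy(c->pending + c->npending, in, take);
        c->npending += take; in += take; inl -= take;
        if (c->npending == BLK && inl > 0) {  /* more input follows: safe to emit */
            uint8_t pt[BLK];
            toy_block(c->key, c->pending, pt);
            for (int i = 0; i < BLK; i++) out[*outl + i] = pt[i] ^ c->prev[i];
            memcpy(c->prev, c->pending, BLK);
            *outl += BLK; c->npending = 0;
        }
    }
    return 1;
}

/* Like EVP_DecryptFinal_ex: decrypts the held-back block and strips PKCS#7
 * padding. Writes at most BLK - 1 bytes; returns 0 on bad alignment/padding. */
static int toy_decrypt_final(toy_ctx *c, uint8_t *out, size_t *outl)
{
    uint8_t pt[BLK];
    *outl = 0;
    if (c->npending != BLK) return 0;
    toy_block(c->key, c->pending, pt);
    for (int i = 0; i < BLK; i++) pt[i] ^= c->prev[i];
    unsigned pad = pt[BLK - 1];
    if (pad == 0 || pad > BLK) return 0;
    for (unsigned i = 0; i < pad; i++) if (pt[BLK - 1 - i] != pad) return 0;
    memcpy(out, pt, BLK - pad);
    *outl = BLK - pad;
    return 1;
}

/* Defensive wrapper: refuse a destination that cannot hold the worst case BEFORE
 * anything is written, then decrypt. 0 = ok, -1 misaligned input, -2 buffer too
 * small, -3 Update failed, -4 Final failed (bad padding, treated as BAD_INTEGRITY). */
static int decrypt_authenticator(const uint8_t *key, const uint8_t *iv,
                                 const uint8_t *ct, size_t ctlen,
                                 uint8_t *out, size_t outsize, size_t *outlen)
{
    toy_ctx c = {{0}};
    size_t n, padl;
    *outlen = 0;
    if (ctlen == 0 || ctlen % BLK != 0) return -1;  /* Kerberos DES data is block aligned */
    if (ctlen + BLK > outsize) return -2;  /* the room the OpenSSL manual asks for Update */
    memcpy(c.key, key, BLK);
    memcpy(c.prev, iv, BLK);
    if (!toy_decrypt_update(&c, out, &n, ct, ctlen)) return -3;
    if (!toy_decrypt_final(&c, out + n, &padl)) {
        memset(out, 0, outsize);  /* do not hand back partial plaintext */
        return -4;
    }
    *outlen = n + padl;
    return 0;
}

/* Round trip, then the two failure modes: undersized buffer, corrupted block. */
static int demo(void)
{
    static const uint8_t key[BLK] = {1, 2, 3, 4, 5, 6, 7, 8}, iv[BLK] = {9, 8, 7, 6, 5, 4, 3, 2};
    static const uint8_t authent[] = "KRB5 AUTHENTICATOR";  /* 18-byte constructed stand-in */
    /* Constructed vector: authent + 6 bytes of PKCS#7 padding, CBC-encrypted
     * under the placeholder cipher with the key and IV above. */
    uint8_t ct[24] = {0x43, 0x58, 0x46, 0x37, 0x20, 0x43, 0x51, 0x5E,
                      0x0A, 0x1F, 0x0B, 0x67, 0x6C, 0x06, 0x17, 0x02,
                      0x44, 0x4F, 0x0E, 0x65, 0x6F, 0x06, 0x16, 0x0C};
    uint8_t out[64];
    size_t outlen;
    if (decrypt_authenticator(key, iv, ct, 24, out, sizeof out, &outlen)) return 1;
    if (outlen != 18 || memcmp(out, authent, 18) != 0) return 2;
    if (decrypt_authenticator(key, iv, ct, 24, out, 16, &outlen) != -2) return 3;
    ct[23] ^= 0x80;  /* corrupt the padding byte */
    if (decrypt_authenticator(key, iv, ct, 24, out, sizeof out, &outlen) != -4) return 4;
    return 0;
}
int main(void) { return demo(); }  /* exit status 0 when all three checks pass */
```

Any C99 compiler builds this without OpenSSL; demo() returns 0 when the round trip recovers the 18-byte authenticator, the 16-byte destination is refused before a single byte is written, and the corrupted final block comes back as a padding (integrity) failure with the output buffer wiped. With the real EVP calls the equivalent up-front test is dec_authent->cipher->length + EVP_CIPHER_block_size(enc) <= unencbufsize, placed before EVP_DecryptUpdate; the two outl > unencbufsize tests in the fragment then only ever fire on a logic error rather than on a short buffer.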