I just applied your patch in the 0.9.7 and the 0.9.8-dev branches. Please test tomorrow's snapshot.
Thanks for your contribution. Ticket resolved.

[EMAIL PROTECTED] - Mon Sep 22 21:37:29 2003]:

> A Kerberos principal is composed of the name, instance, and realm.
> When using OpenSSL with Kerberos, an OpenSSL server places the client's
> principal into ssl->kssl_ctx->client_princ. However, due to a bug in
> kssl.c:kssl_ctx_setprinc(), the instance information is never copied.
>
> That is:
>
>     Kerberos principal       Current behavior       Patched behavior
>     [EMAIL PROTECTED]        [EMAIL PROTECTED]      [EMAIL PROTECTED]
>     foo/[EMAIL PROTECTED]    [EMAIL PROTECTED]      foo/[EMAIL PROTECTED]
>
> The attached patch updates kssl_ctx_setprinc() in kssl.[ch] to ensure
> ssl->kssl_ctx->client_princ reflects the full principal.
>
> In addition, the patch updates s_server.c:init_ssl_connection() to print
> the Kerberos principal on connect (just like init_ssl_connection() prints
> any client certificate information).
>
> Tested on Solaris [78], HP-UX 11.00, RH7.2 and RHAS21 with MIT Kerberos 1.2.x
>
> Thanks-
> Dan
>
>
> diff -ur openssl-0.9.7-stable-SNAP-20030922/apps/s_server.c openssl-0.9.7-stable-SNAP-20030922-work/apps/s_server.c
> --- openssl-0.9.7-stable-SNAP-20030922/apps/s_server.c	Thu Jan 30 14:16:30 2003
> +++ openssl-0.9.7-stable-SNAP-20030922-work/apps/s_server.c	Mon Sep 22 14:35:15 2003
> @@ -1264,6 +1264,13 @@
>  			TLS1_FLAGS_TLS_PADDING_BUG)
>  		BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
>  
> +#ifndef OPENSSL_NO_KRB5
> +	if (con->kssl_ctx->client_princ != NULL)
> +		{
> +		BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
> +			con->kssl_ctx->client_princ);
> +		}
> +#endif /* OPENSSL_NO_KRB5 */
>  	return(1);
>  	}
>  
> diff -ur openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.c openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.c
> --- openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.c	Wed Mar 26 14:16:38 2003
> +++ openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.c	Mon Sep 22 14:34:20 2003
> @@ -1497,7 +1497,8 @@
>  		}
>  	else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
>  		&krb5ticket->enc_part2->client->realm,
> -		krb5ticket->enc_part2->client->data))
> +		krb5ticket->enc_part2->client->data,
> +		krb5ticket->enc_part2->client->length))
>  		{
>  		kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
>  			"kssl_ctx_setprinc() fails.\n");
> @@ -1564,16 +1565,17 @@
>  	}
>  
>  
> -/*	Given a (krb5_data *) entity (and optional realm),
> +/*	Given an array of (krb5_data) entity (and optional realm),
>  **	set the plain (char *) client_princ or service_host member
>  **	of the kssl_ctx struct.
>  */
>  krb5_error_code
>  kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
> -	krb5_data *realm, krb5_data *entity)
> +	krb5_data *realm, krb5_data *entity, int nentities)
>  	{
>  	char	**princ;
>  	int	length;
> +	int	i;
>  
>  	if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR;
>  
> @@ -1585,18 +1587,32 @@
>  		}
>  	if (*princ) free(*princ);
>  
> -	length = entity->length + ((realm)? realm->length + 2: 1);
> +	/* Add up all the entity->lengths */
> +	length = 0;
> +	for (i=0; i < nentities; i++)
> +		{
> +		length += entity[i].length;
> +		}
> +	/* Add in space for the '/' character(s) (if any) */
> +	length += nentities-1;
> +	/* Space for the ('@'+realm+NULL | NULL) */
> +	length += ((realm)? realm->length + 2: 1);
>  	if ((*princ = calloc(1, length)) == NULL)
>  		return KSSL_CTX_ERR;
>  	else
>  		{
> -		strncpy(*princ, entity->data, entity->length);
> -		(*princ)[entity->length]='\0';
> +		for (i = 0; i < nentities; i++)
> +			{
> +			strncat(*princ, entity[i].data, entity[i].length);
> +			if (i < nentities-1)
> +				{
> +				strcat (*princ, "/");
> +				}
> +			}
>  		if (realm)
>  			{
>  			strcat (*princ, "@");
>  			(void) strncat(*princ, realm->data, realm->length);
> -			(*princ)[entity->length+1+realm->length]='\0';
>  			}
>  		}
>  
> diff -ur openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.h openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.h
> --- openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.h	Tue Nov 26 06:03:00 2002
> +++ openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.h	Mon Sep 22 14:26:24 2003
> @@ -149,7 +149,7 @@
>  KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
>  void kssl_ctx_show(KSSL_CTX *kssl_ctx);
>  krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
> -	krb5_data *realm, krb5_data *entity);
> +	krb5_data *realm, krb5_data *entity, int nentities);
>  krb5_error_code	kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp,
>  	krb5_data *authenp, KSSL_ERR *kssl_err);
>  krb5_error_code	kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata,
>

-- 
Richard Levitte [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
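Review bot: in the apps/s_server.c hunk (@@ -1264), `con->kssl_ctx` is dereferenced without being checked; the guard only tests `con->kssl_ctx->client_princ != NULL`. Test the context pointer first, e.g. `if (con->kssl_ctx != NULL && con->kssl_ctx->client_princ != NULL)`, so that a connection with no KSSL_CTX attached cannot take init_ssl_connection() down on a NULL dereference. The principal string comes from the decrypted ticket rather than from the peer's cleartext, but it is still written to the log with `%s` unfiltered, so control characters in a component reach the terminal as-is.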
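Review bot: in the ssl/kssl.c @@ -1497 hunk the new argument `krb5ticket->enc_part2->client->length` is a component count (MIT's krb5_principal_data.length is the number of elements in `data`), not a byte length, and that is what the new `nentities` parameter expects. Every other `.length` in this file is a byte count, so a one-line comment at the call site (`/* number of principal components */`) would spare the next reader the same double take.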
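Review bot: in the ssl/kssl.c @@ -1564 hunk the early return still checks only `kssl_ctx == NULL || entity == NULL`; `nentities` is never validated. With nentities == 0 the sizing code that follows adds `nentities-1`, i.e. -1, to the budget, so with a realm present calloc() is asked for realm->length+1 bytes while '@', the realm and the terminator need realm->length+2: a one-byte heap overflow on a ticket whose client principal has an empty component list. Add `|| nentities < 1` to that condition. The new header comment should also read "Given an array of (krb5_data) entities" and say that nentities counts them.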
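Review bot: in the ssl/kssl.c @@ -1585 hunk the copy loop joins components with '/' and appends '@'+realm verbatim, so a component that itself contains '/', '@' or a NUL yields a string that reads as a different principal (strncat also stops at an embedded NUL, silently truncating). krb5_unparse_name() produces the canonical backslash-quoted form and would remove the hand-rolled sizing altogether; if the hand-built version stays, either reject such components or quote them. The loop also depends on `calloc(1, length)` having zero-filled the buffer so the first strncat finds a terminator; a comment saying that malloc would not do, and `length` as size_t rather than int, keeps a later edit from breaking it.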
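Review bot: in the ssl/kssl.h hunk the prototype of kssl_ctx_setprinc() changes in a public header, so this is an API/ABI break for anything outside the tree that calls it, and the reply at the top says it went into the 0.9.7 stable branch as well. Either record this in CHANGES or keep a two-argument wrapper under the old name; in both cases the header should document nentities as the component count.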
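The component-joining logic the patch adds, written out as a stand-alone example (added here; it is not Dan's patch and not OpenSSL code). It keeps the same byte budget as the patched kssl_ctx_setprinc() (component bytes, nentities-1 separators, then '@'+realm+NUL or just NUL) but computes it in size_t, rejects nentities < 1, rejects a component containing '/', '@' or NUL instead of emitting an ambiguous string, and checks that the bytes written equal the budget. `princ_data` is a constructed stand-in for MIT's krb5_data, and `join_principal`, `component_is_ambiguous` and `self_check` are hypothetical names; the sample principals are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for MIT krb5's krb5_data (length-counted bytes,
 * not necessarily NUL-terminated); hypothetical name for this example. */
typedef struct {
    int         length;
    const char *data;
} princ_data;

/* A component that contains a separator or a NUL would produce a string
 * that parses as a different principal; this example rejects such input
 * instead of emitting it unquoted. */
static int component_is_ambiguous(const princ_data *c)
{
    size_t n = (size_t)c->length;
    return memchr(c->data, '/', n) != NULL ||
           memchr(c->data, '@', n) != NULL ||
           memchr(c->data, '\0', n) != NULL;
}

/* Build "comp0/comp1/...@REALM" ("comp0/comp1/..." when realm is NULL).
 * Same byte budget as the patched kssl_ctx_setprinc(): component bytes,
 * nentities-1 separators, then '@'+realm+NUL or just NUL. Returns a
 * malloc'd string the caller frees, or NULL on bad input / allocation. */
char *join_principal(const princ_data *realm, const princ_data *entity, int nentities)
{
    size_t length = 0, pos = 0;
    char  *out;
    int    i;

    /* Guard the count up front: nentities == 0 would leave the budget one
     * byte short of what '@' + realm + NUL needs. */
    if (entity == NULL || nentities < 1) return NULL;
    if (realm != NULL && (realm->data == NULL || realm->length < 0)) return NULL;

    for (i = 0; i < nentities; i++) {
        if (entity[i].data == NULL || entity[i].length < 0) return NULL;
        if (component_is_ambiguous(&entity[i])) return NULL;
        length += (size_t)entity[i].length;
    }
    length += (size_t)(nentities - 1);                /* '/' separators */
    length += realm ? (size_t)realm->length + 2 : 1;  /* "@REALM" + NUL, or NUL */

    out = malloc(length);
    if (out == NULL) return NULL;

    for (i = 0; i < nentities; i++) {
        memcpy(out + pos, entity[i].data, (size_t)entity[i].length);
        pos += (size_t)entity[i].length;
        if (i < nentities - 1) out[pos++] = '/';
    }
    if (realm != NULL) {
        out[pos++] = '@';
        memcpy(out + pos, realm->data, (size_t)realm->length);
        pos += (size_t)realm->length;
    }
    out[pos++] = '\0';

    /* Bytes written must match the budget exactly; anything else is a
     * sizing bug, so fail closed rather than hand back the buffer. */
    if (pos != length) { free(out); return NULL; }
    return out;
}

/* Constructed sample principals; returns 1 when every case behaves as expected. */
int self_check(void)
{
    princ_data realm  = {5, "REALM"};
    princ_data one[1] = {{5, "alice"}};
    princ_data two[2] = {{3, "foo"}, {3, "bar"}};   /* name + instance */
    princ_data bad[1] = {{7, "foo/bar"}};           /* separator inside a component */
    char *p;
    int ok = 1;

    p = join_principal(&realm, one, 1);
    ok = ok && p != NULL && strcmp(p, "alice@REALM") == 0;
    free(p);

    p = join_principal(&realm, two, 2);   /* the instance survives */
    ok = ok && p != NULL && strcmp(p, "foo/bar@REALM") == 0;
    free(p);

    p = join_principal(NULL, two, 2);     /* no realm: terminator only */
    ok = ok && p != NULL && strcmp(p, "foo/bar") == 0;
    free(p);

    ok = ok && join_principal(&realm, two, 0) == NULL;   /* empty component list */
    ok = ok && join_principal(&realm, bad, 1) == NULL;   /* ambiguous component */
    return ok;
}

int main(void)
{
    princ_data realm  = {5, "REALM"};
    princ_data two[2] = {{3, "foo"}, {3, "bar"}};
    char *p = join_principal(&realm, two, 2);
    printf("%s\n", p ? p : "(rejected)");
    free(p);
    return self_check() ? 0 : 1;
}
```

The explicit `pos != length` check is the part worth copying: it turns any future mismatch between the size arithmetic and the copy loop into a clean failure instead of a silent one-byte overrun of the kind the missing nentities guard in the patch would cause.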
