A Kerberos principal is composed of the name, instance, and realm.
When using OpenSSL with Kerberos, an OpenSSL server places the client's
principal into ssl->kssl_ctx->client_princ. However, due to a bug in
kssl.c:kssl_ctx_setprinc(), the instance information is never copied.

That is:

Kerberos principal Current behavior Patched behavior
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
foo/[EMAIL PROTECTED] [EMAIL PROTECTED] foo/[EMAIL PROTECTED]

The attached patch updates kssl_ctx_setprinc() in kssl.[ch] to ensure ssl->kssl_ctx->client_princ reflects the full principal.

In addition, the patch update s_server.c:init_ssl_connection() to print the Kerberos principal on connect (just like init_ssl_connection() prints any client certificate information).

Tested on Solaris [78], HP-UX 11.00, RH7.2 and RHAS21 with MIT Kerberos 1.2.x

Thanks-
Dan


diff -ur openssl-0.9.7-stable-SNAP-20030922/apps/s_server.c openssl-0.9.7-stable-SNAP-20030922-work/apps/s_server.c
--- openssl-0.9.7-stable-SNAP-20030922/apps/s_server.c Thu Jan 30 14:16:30 2003
+++ openssl-0.9.7-stable-SNAP-20030922-work/apps/s_server.c Mon Sep 22 14:35:15 2003
@@ -1264,6 +1264,13 @@
TLS1_FLAGS_TLS_PADDING_BUG)
BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");

+#ifndef OPENSSL_NO_KRB5
+ if (con->kssl_ctx->client_princ != NULL)
+ {
+ BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
+ con->kssl_ctx->client_princ);
+ }
+#endif /* OPENSSL_NO_KRB5 */
return(1);
}

diff -ur openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.c openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.c
--- openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.c Wed Mar 26 14:16:38 2003
+++ openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.c Mon Sep 22 14:34:20 2003
@@ -1497,7 +1497,8 @@
}
else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
&krb5ticket->enc_part2->client->realm,
- krb5ticket->enc_part2->client->data))
+ krb5ticket->enc_part2->client->data,
+ krb5ticket->enc_part2->client->length))
{
kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
"kssl_ctx_setprinc() fails.\n");
@@ -1564,16 +1565,17 @@
}


-/* Given a (krb5_data *) entity (and optional realm),
+/* Given an array of (krb5_data) entity (and optional realm),
** set the plain (char *) client_princ or service_host member
** of the kssl_ctx struct.
*/
krb5_error_code
kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
- krb5_data *realm, krb5_data *entity)
+ krb5_data *realm, krb5_data *entity, int nentities)
{
char **princ;
int length;
+ int i;

if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR;

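Review bot: The principal is written to bio_s_out unescaped in the added `BIO_printf(bio_s_out,"Kerberos peer principal is %s\n", con->kssl_ctx->client_princ);`, whereas the certificate printout this mirrors goes through X509_NAME_oneline(), which, as far as I recall, renders non-printable bytes as escapes. The components come from the decrypted ticket, so the exposure is bounded, but a principal containing control characters would reach the terminal verbatim; consider escaping before printing, or at least record the assumption with `/* client_princ is a raw copy of the ticket's principal, not escaped for display */`. The format string itself is a literal with the principal passed as an argument, so that part is fine as written. init_ssl_connection() begins outside the hunk.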
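Review bot: The new `nentities` parameter is never validated; the guard in this hunk should become `if (kssl_ctx == NULL || entity == NULL || nentities < 1) return KSSL_CTX_ERR;`. In the following hunk of kssl.c, `length += nentities-1;` with nentities == 0 undersizes the calloc() buffer by one byte when a realm is given (the '@' plus the realm's terminating NUL need two bytes beyond realm->length, but only realm->length + 1 are allocated), and a negative nentities makes `length` negative before it is converted to size_t at the calloc() call. The accumulator `length` is also an int while krb5_data lengths are, if I recall MIT's definition correctly, unsigned, so a size_t with an overflow check on the summation would be the safer choice. The rest of kssl_ctx_setprinc() continues in the next hunk.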
@@ -1585,18 +1587,32 @@
}
if (*princ) free(*princ);

- length = entity->length + ((realm)? realm->length + 2: 1);
+ /* Add up all the entity->lengths */
+ length = 0;
+ for (i=0; i < nentities; i++)
+ {
+ length += entity[i].length;
+ }
+ /* Add in space for the '/' character(s) (if any) */
+ length += nentities-1;
+ /* Space for the ('@'+realm+NULL | NULL) */
+ length += ((realm)? realm->length + 2: 1);
if ((*princ = calloc(1, length)) == NULL)
return KSSL_CTX_ERR;
else
{
- strncpy(*princ, entity->data, entity->length);
- (*princ)[entity->length]='\0';
+ for (i = 0; i < nentities; i++)
+ {
+ strncat(*princ, entity[i].data, entity[i].length);
+ if (i < nentities-1)
+ {
+ strcat (*princ, "/");
+ }
+ }
if (realm)
{
strcat (*princ, "@");
(void) strncat(*princ, realm->data, realm->length);
- (*princ)[entity->length+1+realm->length]='\0';
}
}

diff -ur openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.h openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.h
--- openssl-0.9.7-stable-SNAP-20030922/ssl/kssl.h Tue Nov 26 06:03:00 2002
+++ openssl-0.9.7-stable-SNAP-20030922-work/ssl/kssl.h Mon Sep 22 14:26:24 2003
@@ -149,7 +149,7 @@
KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
void kssl_ctx_show(KSSL_CTX *kssl_ctx);
krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
- krb5_data *realm, krb5_data *entity);
+ krb5_data *realm, krb5_data *entity, int nentities);
krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp,
krb5_data *authenp, KSSL_ERR *kssl_err);
krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata,
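Review bot: The concatenation loop silently relies on calloc() zero-filling the buffer so that the first `strncat(*princ, entity[i].data, entity[i].length);` appends to an empty string; that dependency deserves a comment next to the calloc() call, e.g. `/* calloc() zero-fills: *princ starts as "" for the strncat()/strcat() chain below */`. Note also that strncat() stops at an embedded NUL inside a component, so the written string can end up shorter than the computed `length` (safe, but the truncation is silent), and every strcat()/strncat() rescans the growing string; a running write pointer with memcpy() and one explicit final NUL would make both the bound and the termination visible at the cost of a few more lines. The dropped `(*princ)[entity->length+1+realm->length]='\0';` is correctly redundant, since strncat() always terminates. kssl_ctx_setprinc() begins in the preceding hunk.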