mit-krb5-1.12.1 libressl compatibility: autodetect cms

mit-krb5-1.12.1 libressl compatibility: autodetect cms

junk4me46806
I am performing compatibility testing for libressl portable (the
openssl fork developed by the openbsd team).  http://www.libressl.org

mit-krb5-1.12.1 has a minor and easy to fix incompatibility.  libressl
portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
of 0x20000000L.  mit-krb5-1.12.1 file plugins/preauth/pkinit/
pkinit_crypto_openssl.c checks if the version number is > 0x10000000L
to determine if cms is available.  This check erroneously assumes that
cms is enabled and compilation fails.

I have developed a patch that updates the configure script to check if
openssl/cms.h is compilable and defines HAVE_OPENSSL_CMS_H if it is.  I
then modified pkinit_crypto_openssl.c to use this flag.  The advantage
of this fix versus more complex version number checks is that it will
continue to work as expected if libressl ever enables cms or openssl
ever disables it.

The patch is available on github at:
http://tinyurl.com/krb5-libressl

The patch has been tested with libressl 2.0.5 and openssl 1.0.1h.  It
compiles with "fallback" cms support with libressl and full cms support
with openssl.

--
Paul Maurer
[hidden email]

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: mit-krb5-1.12.1 libressl compatibility: autodetect cms

Benjamin Kaduk-2
Hi Paul,

On Sun, 10 Aug 2014, [hidden email] wrote:

> I am performing compatibility testing for libressl portable (the
> openssl fork developed by the openbsd team).  http://www.libressl.org
>
> mit-krb5-1.12.1 has a minor and easy to fix incompatibility.  libressl
> portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
> of 0x20000000L.  mit-krb5-1.12.1 file plugins/preauth/pkinit/
> pkinit_crypto_openssl.c checks if the version number is > 0x10000000L
> to determine if cms is available.  This check erroneously assumes that
> cms is enabled and compilation fails.
>
> I have developed a patch that updates the configure script to check if
> openssl/cms.h is compilable and defines HAVE_OPENSSL_CMS_H if it is.  I
> then modified pkinit_crypto_openssl.c to use this flag.  The advantage
> of this fix versus more complex version number checks is that it will
> continue to work as expected if libressl ever enables cms or openssl
> ever disables it.
>
> The patch is available on github at:
> http://tinyurl.com/krb5-libressl
>
> The patch has been tested with libressl 2.0.5 and openssl 1.0.1h.  It
> compiles with "fallback" cms support with libressl and full cms support
> with openssl.

Please feel free to submit a pull request against krb5/krb5 on github.

I will note from a cursory examination that k5-platform.h already includes
autoconf.h at the top, so the addition of that include to
pkinit_crypto_openssl.c is redundant.

-Ben Kaduk

Re: mit-krb5-1.12.1 libressl compatibility: autodetect cms

Greg Hudson
In reply to this post by junk4me46806
On 08/10/2014 05:38 PM, [hidden email] wrote:
> mit-krb5-1.12.1 has a minor and easy to fix incompatibility.  libressl
> portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
> of 0x20000000L.

Do you know why libressl has CMS disabled?  The fallback code is known
not to interoperate with some peer implementations, although they aren't
commonly used.

Re: mit-krb5-1.12.1 libressl compatibility: autodetect cms

junk4me46806
On 08/10/2014 08:34:42 PM, Greg Hudson wrote:

> On 08/10/2014 05:38 PM, [hidden email] wrote:
> > mit-krb5-1.12.1 has a minor and easy to fix incompatibility.  libressl
> > portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
> > of 0x20000000L.
>
> Do you know why libressl has CMS disabled?  The fallback code is known
> not to interoperate with some peer implementations, although they aren't
> commonly used.

I do not know for sure.  It appears that they only have so much
manpower and haven't had a chance to clean up the cms code yet.

Here is some discussion on the openbsd tech mailing list:
http://marc.info/?l=openbsd-tech&m=140711002103809&w=2

One advantage of the proposed autoconf fix is that if libressl turns on
cms in the future, it will be automatically picked up.

Would it make sense to have autoconf generate a warning if openssl cms
isn't found:
AC_MSG_WARN([System openssl does not support cms, using fallback code that is known to have issues with some peers])

--
Paul Maurer
[hidden email]

Re: mit-krb5-1.12.1 libressl compatibility: autodetect cms

junk4me46806
In reply to this post by Benjamin Kaduk-2
On 08/10/2014 06:28:20 PM, Benjamin Kaduk wrote:

> Hi Paul,
>
> On Sun, 10 Aug 2014, [hidden email] wrote:
>
> > I am performing compatibility testing for libressl portable (the
> > openssl fork developed by the openbsd team).  http://www.libressl.org
> >
> > mit-krb5-1.12.1 has a minor and easy to fix incompatibility.  libressl
> > portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
> > of 0x20000000L.  mit-krb5-1.12.1 file plugins/preauth/pkinit/
> > pkinit_crypto_openssl.c checks if the version number is > 0x10000000L
> > to determine if cms is available.  This check erroneously assumes that
> > cms is enabled and compilation fails.
> >
> > I have developed a patch that updates the configure script to check if
> > openssl/cms.h is compilable and defines HAVE_OPENSSL_CMS_H if it is.  I
> > then modified pkinit_crypto_openssl.c to use this flag.  The advantage
> > of this fix versus more complex version number checks is that it will
> > continue to work as expected if libressl ever enables cms or openssl
> > ever disables it.
> >
> > The patch is available on github at:
> > http://tinyurl.com/krb5-libressl
> >
> > The patch has been tested with libressl 2.0.5 and openssl 1.0.1h.  It
> > compiles with "fallback" cms support with libressl and full cms support
> > with openssl.
>
> Please feel free to submit a pull request against krb5/krb5 on github.
>
> I will note from a cursory examination that k5-platform.h already includes
> autoconf.h at the top, so the addition of that include to
> pkinit_crypto_openssl.c is redundant.
>
> -Ben Kaduk

I have created the pull request, removed the #include <autoconf.h> as
suggested by Ben Kaduk and changed the test to a link test based on
Greg Hudson's recommendation.  This should be ready to merge, unless
someone has further comments.

https://github.com/krb5/krb5/pull/189

--
Paul Maurer
[hidden email]
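The link test discussed in this thread, written out as plain sh to show what such a configure probe does in place of a version-number comparison. This is an added example, not the patch from the pull request; the macro name HAVE_OPENSSL_CMS, the function names try_link and cms_config_line, and the CC/CFLAGS/CRYPTO_LIBS variables are assumptions.

```shell
#!/bin/sh
# Added example: decide whether CMS is usable by compiling AND linking a
# small program, instead of trusting OPENSSL_VERSION_NUMBER (which a fork
# such as libressl can report as 0x20000000L while shipping without CMS).
# Assumptions: HAVE_OPENSSL_CMS is an illustrative macro name; CC, CFLAGS
# and CRYPTO_LIBS are read from the environment as a configure run would.

# try_link HEADER STATEMENT
# Succeeds only if a program that includes HEADER and contains STATEMENT
# compiles and links against libcrypto. The program is never executed.
try_link() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/conftest.c" <<EOF
#include <$1>
int main(void) { $2 return 0; }
EOF
    # Unquoted on purpose so CC="gcc -m32" or CRYPTO_LIBS="-L/x -lcrypto" split.
    ${CC:-cc} ${CFLAGS:-} -o "$dir/conftest" "$dir/conftest.c" \
        ${CRYPTO_LIBS:--lcrypto} >/dev/null 2>&1
    status=$?
    rm -rf "$dir"
    return "$status"
}

# cms_config_line
# Prints the config-header line for the probe result on stdout and, when the
# build would use the fallback code, a warning on stderr.
cms_config_line() {
    if try_link openssl/cms.h 'CMS_ContentInfo *c = 0; (void)CMS_get0_type(c);'
    then
        echo '#define HAVE_OPENSSL_CMS 1'
    else
        echo 'warning: libcrypto has no usable CMS, using fallback code' >&2
        echo '/* #undef HAVE_OPENSSL_CMS */'
    fi
}

cms_config_line
```

A header-only check passes whenever openssl/cms.h is installed, even if the library was built without the CMS symbols; linking a call to a CMS function catches that case as well.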
