krb5 commit: Build support for TLS used by HTTPS proxy support
Greg Hudson
ghudson at MIT.EDU
Mon Jun 2 18:53:28 EDT 2014
https://github.com/krb5/krb5/commit/d0be57ac45ea639baa3cff0dd2108c34e834bfa7
commit d0be57ac45ea639baa3cff0dd2108c34e834bfa7
Author: Robbie Harwood (frozencemetery) <rharwood at club.cc.cmu.edu>
Date: Fri Aug 16 12:45:03 2013 -0400
Build support for TLS used by HTTPS proxy support
Add a --with-proxy-tls-impl option to configure, taking 'openssl',
'auto', or invocation as --without-proxy-tls-impl. Use related CFLAGS
when building lib/krb5/os, and LIBS when linking libkrb5. Call the
OpenSSL library startup functions during library initialization.
ticket: 7929
src/Makefile.in | 1 +
src/config/pre.in | 5 +++++
src/configure.in | 40 ++++++++++++++++++++++++++++++++++++++++
src/lib/krb5/Makefile.in | 3 ++-
src/lib/krb5/krb5_libinit.c | 2 ++
src/lib/krb5/os/Makefile.in | 2 +-
src/lib/krb5/os/os-proto.h | 1 +
src/lib/krb5/os/sendto_kdc.c | 14 ++++++++++++++
8 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/src/Makefile.in b/src/Makefile.in
index 1725093..5e2cf4e 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -553,6 +553,7 @@ pyrunenv.vals: Makefile
for i in $(RUN_VARS); do \
eval echo 'env['\\\'$$i\\\''] = '\\\'\$$$$i\\\'; \
done > $@
+ echo "proxy_tls_impl = '$(PROXY_TLS_IMPL)'" >> $@
runenv.py: pyrunenv.vals
echo 'env = {}' > $@
diff --git a/src/config/pre.in b/src/config/pre.in
index fbc5c11..e1d7e4b 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -428,6 +428,11 @@ PKINIT_CRYPTO_IMPL = @PKINIT_CRYPTO_IMPL@
PKINIT_CRYPTO_IMPL_CFLAGS = @PKINIT_CRYPTO_IMPL_CFLAGS@
PKINIT_CRYPTO_IMPL_LIBS = @PKINIT_CRYPTO_IMPL_LIBS@
+# TLS implementation selection for HTTPS proxy support
+PROXY_TLS_IMPL = @PROXY_TLS_IMPL@
+PROXY_TLS_IMPL_CFLAGS = @PROXY_TLS_IMPL_CFLAGS@
+PROXY_TLS_IMPL_LIBS = @PROXY_TLS_IMPL_LIBS@
+
# error table rules
#
### /* these are invoked as $(...) foo.et, which works, but could be better */
diff --git a/src/configure.in b/src/configure.in
index 9bc4663..39e3738 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -272,6 +272,46 @@ AC_SUBST(PKINIT_CRYPTO_IMPL)
AC_SUBST(PKINIT_CRYPTO_IMPL_CFLAGS)
AC_SUBST(PKINIT_CRYPTO_IMPL_LIBS)
+# WITH_PROXY_TLS_IMPL
+
+AC_ARG_WITH([proxy-tls-impl],
+AC_HELP_STRING([--with-proxy-tls-impl=IMPL],
+ [use specified TLS implementation for HTTPS @<:@auto@:>@]),
+[PROXY_TLS_IMPL=$withval],[PROXY_TLS_IMPL=auto])
+case "$PROXY_TLS_IMPL" in
+openssl|auto)
+ AC_CHECK_LIB(ssl,SSL_CTX_new,[have_lib_ssl=true],[have_lib_ssl=false],
+ -lcrypto)
+ AC_MSG_CHECKING([for OpenSSL])
+ if test x$have_lib_ssl = xtrue ; then
+ AC_DEFINE(PROXY_TLS_IMPL_OPENSSL,1,
+ [Define if HTTPS TLS implementation is OpenSSL])
+ AC_MSG_RESULT([yes])
+ PROXY_TLS_IMPL_LIBS="-lssl -lcrypto"
+ PROXY_TLS_IMPL=openssl
+ AC_MSG_NOTICE(HTTPS support will use TLS from '$PROXY_TLS_IMPL')
+ else
+ if test "$PROXY_TLS_IMPL" = openssl ; then
+ AC_MSG_ERROR([OpenSSL not found!])
+ else
+ AC_MSG_WARN([OpenSSL not found!])
+ fi
+ PROXY_TLS_IMPL=no
+ AC_MSG_NOTICE(building without HTTPS support)
+ fi
+ ;;
+no)
+ AC_MSG_NOTICE(building without HTTPS support)
+ ;;
+*)
+ AC_MSG_ERROR([Unsupported HTTPS proxy TLS implementation $withval])
+ ;;
+esac
+
+AC_SUBST(PROXY_TLS_IMPL)
+AC_SUBST(PROXY_TLS_IMPL_CFLAGS)
+AC_SUBST(PROXY_TLS_IMPL_LIBS)
+
AC_ARG_ENABLE([aesni],
AC_HELP_STRING([--disable-aesni],[Do not build with AES-NI support]), ,
enable_aesni=check)
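Review bot: The not-found branch of the `openssl|auto` arm (the `else` after `if test x$have_lib_ssl = xtrue`) never calls AC_MSG_RESULT, so the `checking for OpenSSL...` line opened by `AC_MSG_CHECKING([for OpenSSL])` is left unterminated and the warning or error text runs onto the same line; add `AC_MSG_RESULT([no])` as the first statement of that `else` branch. Separately, PROXY_TLS_IMPL_CFLAGS is AC_SUBSTed here and consumed by lib/krb5/os/Makefile.in but is never assigned in this hunk, which is fine for a system OpenSSL but deserves a one-line comment such as `# PROXY_TLS_IMPL_CFLAGS is left empty; set it when a non-system TLS location is supported` so the empty substitution reads as intentional. The `*)` arm reporting `$withval` is correct as written, since the default `auto` is caught by the first arm and that arm is only reachable with a user-supplied value.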
diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in
index d9cddc1..472c008 100644
--- a/src/lib/krb5/Makefile.in
+++ b/src/lib/krb5/Makefile.in
@@ -56,7 +56,8 @@ RELDIR=krb5
SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)
-SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LIBS)
+SHLIB_EXPLIBS=-lk5crypto -lcom_err $(PROXY_TLS_IMPL_LIBS) $(SUPPORT_LIB) \
+ @GEN_LIB@ $(LIBS)
all-unix:: all-liblinks
diff --git a/src/lib/krb5/krb5_libinit.c b/src/lib/krb5/krb5_libinit.c
index f83d25b..f2382d1 100644
--- a/src/lib/krb5/krb5_libinit.c
+++ b/src/lib/krb5/krb5_libinit.c
@@ -58,6 +58,8 @@ int krb5int_lib_init(void)
if (err)
return err;
+ k5_sendto_kdc_initialize();
+
return 0;
}
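Review bot: k5_sendto_kdc_initialize() is added to krb5int_lib_init with no counterpart in the library's teardown path, and the routines it runs (see the sendto_kdc.c hunk) register process-global OpenSSL algorithm and error-string tables that persist after libkrb5 is finalized or unloaded. If a krb5int_lib_fini exists in this file (it is not in the hunk), consider whether a matching release of that state is wanted, or state the choice at the call site: `/* TLS state set up here is process-global and deliberately not torn down. */`. Because this call is unconditional, an application that itself initializes OpenSSL will see the tables registered twice; that is harmless for these particular calls but worth noting in the comment for anyone extending the initializer. krb5int_lib_init's body begins outside the hunk.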
diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in
index 5add9f9..fb4001a 100644
--- a/src/lib/krb5/os/Makefile.in
+++ b/src/lib/krb5/os/Makefile.in
@@ -2,7 +2,7 @@ mydir=lib$(S)krb5$(S)os
BUILDTOP=$(REL)..$(S)..$(S)..
DEFINES=-DLIBDIR=\"$(KRB5_LIBDIR)\" -DBINDIR=\"$(CLIENT_BINDIR)\" \
-DSBINDIR=\"$(ADMIN_BINDIR)\"
-LOCALINCLUDES=-I$(top_srcdir)/util/profile
+LOCALINCLUDES= $(PROXY_TLS_IMPL_CFLAGS) -I$(top_srcdir)/util/profile
##DOS##BUILDTOP = ..\..\..
##DOS##PREFIXDIR=os
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index 3196bca..f23dda5 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -184,5 +184,6 @@ krb5_error_code localauth_k5login_initvt(krb5_context context, int maj_ver,
krb5_plugin_vtable vtable);
krb5_error_code localauth_an2ln_initvt(krb5_context context, int maj_ver,
int min_ver, krb5_plugin_vtable vtable);
+void k5_sendto_kdc_initialize(void);
#endif /* KRB5_LIBOS_INT_PROTO__ */
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 3f99ce8..c6aae8e 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -48,6 +48,10 @@
#endif
#endif
+#ifdef PROXY_TLS_IMPL_OPENSSL
+#include <openssl/ssl.h>
+#endif
+
#define MAX_PASS 3
#define DEFAULT_UDP_PREF_LIMIT 1465
#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
@@ -107,6 +111,16 @@ struct conn_state {
krb5_boolean defer;
};
+void
+k5_sendto_kdc_initialize(void)
+{
+#ifdef PROXY_TLS_IMPL_OPENSSL
+ SSL_library_init();
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+#endif
+}
+
/* Get current time in milliseconds. */
static krb5_error_code
get_curtime_ms(time_ms *time_out)
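Review bot: k5_sendto_kdc_initialize has no header comment, while neighbouring functions in this file carry one (`/* Get current time in milliseconds. */`); add `/* One-time setup of the TLS library used for HTTPS proxying; called from krb5int_lib_init. */` above the definition. The comment should also record that SSL_library_init(), SSL_load_error_strings() and OpenSSL_add_all_algorithms() mutate process-wide state and, in the OpenSSL releases current for this change, are not safe to run concurrently with other threads using the library, so the function relies on its caller running exactly once during library initialization; I cannot confirm from this hunk that krb5int_lib_init guarantees that. When PROXY_TLS_IMPL_OPENSSL is undefined the body is intentionally empty, which is fine but is worth a word in the same comment so the empty `#ifdef` block is not mistaken for an incomplete implementation.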