mit-krb5-1.12.1 libressl compatibility: autodetect cms
junk4me46806@yahoo.com
junk4me46806 at yahoo.com
Sun Aug 10 17:38:28 EDT 2014
I am performing compatibility testing for libressl portable (the
openssl fork developed by the openbsd team). http://www.libressl.org

mit-krb5-1.12.1 has a minor and easy to fix incompatibility. libressl
portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
of 0x20000000L. mit-krb5-1.12.1 file plugins/preauth/pkinit/
pkinit_crypto_openssl.c checks if the version number is > 0x10000000L
to determine if cms is available. This check erroneously assumes that
cms is enabled and compilation fails.

I have developed a patch that updates the configure script to check if
openssl/cms.h is compilable and defines HAVE_OPENSSL_CMS_H if it is. I
then modified pkinit_crypto_openssl.c to use this flag. The advantage
of this fix versus more complex version number checks is that it will
continue to work as expected if libressl ever enables cms or openssl
ever disables it.

The patch is available on github at:
http://tinyurl.com/krb5-libressl

The patch has been tested with libressl 2.0.5 and openssl 1.0.1h. It
compiles with "fallback" cms support with libressl and full cms support
with openssl.
--
Paul Maurer
junk4me46806 at yahoo.com
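
The contrast the message draws between a version-number gate and a configure-time header probe, as an added example that is not part of the original message or its patch. The function names and the `PKINIT_CMS_MODE` macro are hypothetical, and the `AC_CHECK_HEADERS` line in the comment is the standard autoconf macro, assumed here as one way to produce `HAVE_OPENSSL_CMS_H`.

```c
/* Added illustration, not code from mit-krb5 or from the patch. */
#include <stdio.h>
#include <string.h>

/*
 * configure.ac side (assumed): AC_CHECK_HEADERS([openssl/cms.h])
 * compiles a small program that includes the header and defines
 * HAVE_OPENSSL_CMS_H in the generated config header only if that
 * compile succeeds.
 */
#ifdef HAVE_OPENSSL_CMS_H
#include <openssl/cms.h>
#define PKINIT_CMS_MODE "full"      /* hypothetical macro name */
#else
#define PKINIT_CMS_MODE "fallback"  /* hypothetical macro name */
#endif

/*
 * Version gate as the message describes it: any library reporting a
 * version number above 0x10000000L is assumed to ship CMS.
 */
int version_gate_assumes_cms(unsigned long version_number)
{
    return version_number > 0x10000000L;
}

/* Feature gate: the answer comes from what configure could compile. */
const char *feature_gate_cms_mode(void)
{
    return PKINIT_CMS_MODE;
}

int main(void)
{
    /* Value the message gives for libressl portable 2.0.5. */
    unsigned long reported = 0x20000000L;

    printf("version gate assumes CMS: %s\n",
           version_gate_assumes_cms(reported) ? "yes" : "no");
    printf("feature gate selects:     %s\n", feature_gate_cms_mode());
    return 0;
}
```

Built without `-DHAVE_OPENSSL_CMS_H`, the version gate still answers "yes" for 0x20000000L while the feature gate selects the fallback path, which is the mismatch the message reports.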