mit-krb5-1.12.1 libressl compatability: autodetect cms junk4me46806 at
Sun Aug 10 17:38:28 EDT 2014

I am performing compatibility testing for libressl portable (the 
openssl fork developed by the openbsd team).

mit-krb5-1.12.1 has a minor and easy to fix incompatibility.  libressl 
portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER 
of 0x20000000L.  mit-krb5-1.12.1 file plugins/preauth/pkinit/
pkinit_crypto_openssl.c checks if the version number is > 0x10000000L 
to determine if cms is available.  This check erroniously assumes that 
cms is enabled and compilation fails.

I have developed a patch that updates the configure script to check if 
openssl/cms.h is compilable and defines HAVE_OPENSSL_CMS_H if it is.  I 
then modified pkinit_crypto_openssl.c to use this flag.  The advantage
of this fix verses more complex version number checks is that it will 
continue to work as expected if libressl ever enables cms or openssl 
ever disables it.

The patch is available on github at:

The patch has been tested with libressl 2.0.5 and openssl 1.0.1h.  It 
compiles with "fallback" cms support with libressl and full cms support 
with openssl.

Paul Maurer
junk4me46806 at

More information about the krbdev mailing list