mit-krb5-1.12.1 libressl compatibility: autodetect cms
Benjamin Kaduk
kaduk at MIT.EDU
Sun Aug 10 18:28:20 EDT 2014
Hi Paul,
On Sun, 10 Aug 2014, junk4me46806 at yahoo.com wrote:
> I am performing compatibility testing for libressl portable (the
> openssl fork developed by the openbsd team). http://www.libressl.org
>
> mit-krb5-1.12.1 has a minor and easy to fix incompatibility. libressl
> portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
> of 0x20000000L. mit-krb5-1.12.1 file plugins/preauth/pkinit/
> pkinit_crypto_openssl.c checks if the version number is > 0x10000000L
> to determine if cms is available. This check erroneously assumes that
> cms is enabled and compilation fails.
>
> I have developed a patch that updates the configure script to check if
> openssl/cms.h is compilable and defines HAVE_OPENSSL_CMS_H if it is. I
> then modified pkinit_crypto_openssl.c to use this flag. The advantage
> of this fix versus more complex version number checks is that it will
> continue to work as expected if libressl ever enables cms or openssl
> ever disables it.
>
> The patch is available on github at:
> http://tinyurl.com/krb5-libressl
>
> The patch has been tested with libressl 2.0.5 and openssl 1.0.1h. It
> compiles with "fallback" cms support with libressl and full cms support
> with openssl.
Please feel free to submit a pull request against krb5/krb5 on github.
I will note from a cursory examination that k5-platform.h already includes
autoconf.h at the top, so the addition of that include to
pkinit_crypto_openssl.c is redundant.
-Ben Kaduk
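
Added example (not part of either message, and not the patch linked above): a small shell stand-in for the kind of header probe the quoted message describes, set beside the version-only test it replaces. The function names and the default compiler `cc` are assumptions made for this illustration; a check generated by autoconf does more than this.

```shell
#!/bin/sh
# Added illustration: probe a header by compiling it, as a configure check does,
# instead of inferring the feature from OPENSSL_VERSION_NUMBER.
# All function names here are hypothetical; CC defaults to "cc" (assumption).

# header_macro openssl/cms.h -> HAVE_OPENSSL_CMS_H (autoconf's naming rule)
header_macro() {
    printf 'HAVE_%s\n' \
        "$(printf '%s' "$1" | LC_ALL=C tr 'a-z' 'A-Z' | LC_ALL=C tr -c 'A-Z0-9' '_')"
}

# header_compiles HEADER: succeed only if a file including HEADER compiles.
header_compiles() {
    dir=$(mktemp -d) || return 2
    printf '#include <%s>\nint main(void) { return 0; }\n' "$1" > "$dir/conftest.c"
    ${CC:-cc} -c "$dir/conftest.c" -o "$dir/conftest.o" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# emit_define HEADER: print the line a generated config header would carry.
emit_define() {
    if header_compiles "$1"; then
        printf '#define %s 1\n' "$(header_macro "$1")"
    else
        printf '/* #undef %s */\n' "$(header_macro "$1")"
    fi
}

# version_implies_cms HEXVERSION: the version-only test from the post
# (OPENSSL_VERSION_NUMBER > 0x10000000L). It cannot see a disabled feature.
version_implies_cms() {
    [ $(( $1 )) -gt $(( 0x10000000 )) ]
}

# Demo: 0x20000000 is the number the post says libressl portable 2.0.5 reports.
if version_implies_cms 0x20000000; then
    echo "version check: CMS assumed present"
fi
# The compile probe reports what this machine's headers actually provide.
emit_define openssl/cms.h
```

On a system whose SSL library ships without `openssl/cms.h`, the first line still claims CMS is present while the probe prints the `#undef` form, which is the mismatch the post describes.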