mit-krb5-1.12.1 libressl compatibility: autodetect cms

Benjamin Kaduk kaduk at MIT.EDU
Sun Aug 10 18:28:20 EDT 2014

Hi Paul,

On Sun, 10 Aug 2014, junk4me46806 at wrote:

> I am performing compatibility testing for libressl portable (the
> openssl fork developed by the openbsd team).
> mit-krb5-1.12.1 has a minor and easy to fix incompatibility.  libressl
> portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
> of 0x20000000L.  mit-krb5-1.12.1 file plugins/preauth/pkinit/
> pkinit_crypto_openssl.c checks if the version number is > 0x10000000L
> to determine if cms is available.  This check erroneously assumes that
> cms is enabled and compilation fails.
> I have developed a patch that updates the configure script to check if
> openssl/cms.h is compilable and defines HAVE_OPENSSL_CMS_H if it is.  I
> then modified pkinit_crypto_openssl.c to use this flag.  The advantage
> of this fix versus more complex version number checks is that it will
> continue to work as expected if libressl ever enables cms or openssl
> ever disables it.
> The patch is available on github at:
> The patch has been tested with libressl 2.0.5 and openssl 1.0.1h.  It
> compiles with "fallback" cms support with libressl and full cms support
> with openssl.

Please feel free to submit a pull request against krb5/krb5 on github.

I will note from a cursory examination that k5-platform.h already includes
autoconf.h at the top, so the addition of that include to
pkinit_crypto_openssl.c is redundant.

-Ben Kaduk
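
The compile probe described in the quoted message, sketched as an added shell example (not the poster's patch and not the krb5 configure script). The function names are hypothetical, and 0x20000000 is the LibreSSL version value given in the thread:

```shell
#!/bin/sh
# Added illustration: version-number heuristic vs. a header compile probe.

# Heuristic from the thread: "version > 0x10000000 means CMS is available".
# Exit status 0 when the heuristic would assume CMS is present.
version_heuristic_assumes_cms() {
    [ $(($1)) -gt $((0x10000000)) ]
}

# Derive the autoconf-style macro name: openssl/cms.h -> HAVE_OPENSSL_CMS_H
header_macro() {
    printf 'HAVE_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -c 'A-Z0-9' '_')"
}

# Compile probe: succeeds only if "#include <header>" actually compiles.
# CC and CPPFLAGS are honoured the way a configure script would.
header_compiles() {
    dir=$(mktemp -d) || return 2
    printf '#include <%s>\nint main(void) { return 0; }\n' "$1" > "$dir/conftest.c"
    if ${CC:-cc} $CPPFLAGS -c "$dir/conftest.c" -o "$dir/conftest.o" >/dev/null 2>&1
    then rc=0
    else rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Emit the config-header line that the C source then tests with #ifdef.
emit_define() {
    if header_compiles "$1"; then
        printf '#define %s 1\n' "$(header_macro "$1")"
    else
        printf '/* #undef %s */\n' "$(header_macro "$1")"
    fi
}

# The heuristic says "yes" for the LibreSSL value regardless of whether
# cms.h is usable; the probe answers for the headers actually installed.
if version_heuristic_assumes_cms 0x20000000; then
    echo "version heuristic: assumes CMS is available"
fi
emit_define openssl/cms.h
```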
