mit-krb5-1.12.1 libressl compatibility: autodetect cms

junk4me46806@yahoo.com junk4me46806 at yahoo.com
Tue Aug 12 21:41:46 EDT 2014


On 08/10/2014 06:28:20 PM, Benjamin Kaduk wrote:
> Hi Paul,
> 
> On Sun, 10 Aug 2014, junk4me46806 at yahoo.com wrote:
> 
> > I am performing compatibility testing for libressl portable (the
> > openssl fork developed by the openbsd team). http://www.libressl.org
> >
> > mit-krb5-1.12.1 has a minor and easy to fix incompatibility. libressl
> > portable 2.0.5 has cms disabled and reports an OPENSSL_VERSION_NUMBER
> > of 0x20000000L.  mit-krb5-1.12.1 file
> > plugins/preauth/pkinit/pkinit_crypto_openssl.c checks if the version
> > number is > 0x10000000L to determine if cms is available.  This check
> > erroneously assumes that cms is enabled and compilation fails.
> >
> > I have developed a patch that updates the configure script to check if
> > openssl/cms.h is compilable and defines HAVE_OPENSSL_CMS_H if it is.  I
> > then modified pkinit_crypto_openssl.c to use this flag.  The advantage
> > of this fix versus more complex version number checks is that it will
> > continue to work as expected if libressl ever enables cms or openssl
> > ever disables it.
> >
> > The patch is available on github at:
> > http://tinyurl.com/krb5-libressl
> >
> > The patch has been tested with libressl 2.0.5 and openssl 1.0.1h.  It
> > compiles with "fallback" cms support with libressl and full cms support
> > with openssl.
> 
> Please feel free to submit a pull request against krb5/krb5 on github.
> 
> I will note from a cursory examination that k5-platform.h already includes
> autoconf.h at the top, so the addition of that include to
> pkinit_crypto_openssl.c is redundant.
> 
> -Ben Kaduk
> 

I have created the pull request, removed the #include <autoconf.h> as 
suggested by Ben Kaduk and changed the test to a link test based on 
Greg Hudson's recommendation.  This should be ready to merge, unless 
someone has further comments.

https://github.com/krb5/krb5/pull/189

-- 
Paul Maurer
junk4me46806 at yahoo.com
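
The link test mentioned in the message above, written as a shell probe in the shape a configure script uses. This is an added example, not the patch from the pull request; `probe_link`, `feature_define`, the `CC` fallback and the choice of `CMS_get0_content` as the probed symbol are assumptions.

```shell
#!/bin/sh
# Added example: feature detection by link test instead of by
# OPENSSL_VERSION_NUMBER. Helper names and the probed CMS symbol are
# assumptions for illustration, not taken from the krb5 patch.

# probe_link LIB SYMBOL
# Succeeds only if SYMBOL resolves when linking against -lLIB.
probe_link() {
    lib=$1
    sym=$2
    dir=$(mktemp -d) || return 2
    # Declare the symbol with a dummy prototype so no header is needed,
    # then reference it from main() so the linker has to resolve it.
    cat > "$dir/conftest.c" <<EOF
char $sym ();
int main (void) { return $sym (); }
EOF
    "${CC:-cc}" -o "$dir/conftest" "$dir/conftest.c" "-l$lib" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# feature_define MACRO LIB SYMBOL
# Prints the config-header line for MACRO based on the link result.
feature_define() {
    if probe_link "$2" "$3"; then
        echo "#define $1 1"
    else
        echo "/* #undef $1 */"
    fi
}

# A library built without CMS exports no CMS symbols, so the macro stays
# undefined whatever version number the headers report.
feature_define HAVE_OPENSSL_CMS_H crypto CMS_get0_content
```

The C source then guards its CMS code paths with `#ifdef HAVE_OPENSSL_CMS_H` rather than comparing `OPENSSL_VERSION_NUMBER`.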
