Build support for TLS used by HTTPS proxy support
authorRobbie Harwood (frozencemetery) <rharwood@club.cc.cmu.edu>
Fri, 16 Aug 2013 16:45:03 +0000 (12:45 -0400)
committerGreg Hudson <ghudson@mit.edu>
Mon, 2 Jun 2014 21:58:26 +0000 (17:58 -0400)
Add a --with-proxy-tls-impl option to configure, taking 'openssl',
'auto', or invocation as --without-proxy-tls-impl.  Use related CFLAGS
when building lib/krb5/os, and LIBS when linking libkrb5.  Call the
OpenSSL library startup functions during library initialization.

ticket: 7929

src/Makefile.in
src/config/pre.in
src/configure.in
src/lib/krb5/Makefile.in
src/lib/krb5/krb5_libinit.c
src/lib/krb5/os/Makefile.in
src/lib/krb5/os/os-proto.h
src/lib/krb5/os/sendto_kdc.c

index 1725093071f30ec326899f637fc3eefa7c1bea61..5e2cf4ed1e71fec0ef3a729133c6906fa7fdee01 100644 (file)
@@ -553,6 +553,7 @@ pyrunenv.vals: Makefile
        for i in $(RUN_VARS); do \
                eval echo 'env['\\\'$$i\\\''] = '\\\'\$$$$i\\\'; \
        done > $@
+       echo "proxy_tls_impl = '$(PROXY_TLS_IMPL)'" >> $@
 
 runenv.py: pyrunenv.vals
        echo 'env = {}' > $@
index fbc5c11e411fe4298702fbd5a09750f8184e5cb6..e1d7e4b64dd9493f24f291e4b648f562e0a08d16 100644 (file)
@@ -428,6 +428,11 @@ PKINIT_CRYPTO_IMPL         = @PKINIT_CRYPTO_IMPL@
 PKINIT_CRYPTO_IMPL_CFLAGS      = @PKINIT_CRYPTO_IMPL_CFLAGS@
 PKINIT_CRYPTO_IMPL_LIBS                = @PKINIT_CRYPTO_IMPL_LIBS@
 
+# TLS implementation selection for HTTPS proxy support
+PROXY_TLS_IMPL                  = @PROXY_TLS_IMPL@
+PROXY_TLS_IMPL_CFLAGS           = @PROXY_TLS_IMPL_CFLAGS@
+PROXY_TLS_IMPL_LIBS             = @PROXY_TLS_IMPL_LIBS@
+
 # error table rules
 #
 ### /* these are invoked as $(...) foo.et, which works, but could be better */
index 9bc4663d1a6f0fa5f9c83c2c8c2430b483193276..39e37381afe7c7dd615333e6388b34596f465d74 100644 (file)
@@ -272,6 +272,46 @@ AC_SUBST(PKINIT_CRYPTO_IMPL)
 AC_SUBST(PKINIT_CRYPTO_IMPL_CFLAGS)
 AC_SUBST(PKINIT_CRYPTO_IMPL_LIBS)
 
+# WITH_PROXY_TLS_IMPL
+
+AC_ARG_WITH([proxy-tls-impl],
+AC_HELP_STRING([--with-proxy-tls-impl=IMPL],
+               [use specified TLS implementation for HTTPS @<:@auto@:>@]),
+[PROXY_TLS_IMPL=$withval],[PROXY_TLS_IMPL=auto])
+case "$PROXY_TLS_IMPL" in
+openssl|auto)
+  AC_CHECK_LIB(ssl,SSL_CTX_new,[have_lib_ssl=true],[have_lib_ssl=false],
+               -lcrypto)
+  AC_MSG_CHECKING([for OpenSSL])
+  if test x$have_lib_ssl = xtrue ; then
+    AC_DEFINE(PROXY_TLS_IMPL_OPENSSL,1,
+              [Define if HTTPS TLS implementation is OpenSSL])
+    AC_MSG_RESULT([yes])
+    PROXY_TLS_IMPL_LIBS="-lssl -lcrypto"
+    PROXY_TLS_IMPL=openssl
+    AC_MSG_NOTICE(HTTPS support will use TLS from '$PROXY_TLS_IMPL')
+  else
+    if test "$PROXY_TLS_IMPL" = openssl ; then
+      AC_MSG_ERROR([OpenSSL not found!])
+    else
+      AC_MSG_WARN([OpenSSL not found!])
+    fi
+    PROXY_TLS_IMPL=no
+    AC_MSG_NOTICE(building without HTTPS support)
+  fi
+  ;;
+no)
+  AC_MSG_NOTICE(building without HTTPS support)
+  ;;
+*)
+  AC_MSG_ERROR([Unsupported HTTPS proxy TLS implementation $withval])
+  ;;
+esac
+
+AC_SUBST(PROXY_TLS_IMPL)
+AC_SUBST(PROXY_TLS_IMPL_CFLAGS)
+AC_SUBST(PROXY_TLS_IMPL_LIBS)
+
 AC_ARG_ENABLE([aesni],
 AC_HELP_STRING([--disable-aesni],[Do not build with AES-NI support]), ,
 enable_aesni=check)
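Review bot: The OpenSSL probe at `AC_CHECK_LIB(ssl,SSL_CTX_new,...)` only proves that libssl links; the sendto_kdc.c hunk in this same commit includes `<openssl/ssl.h>` whenever `PROXY_TLS_IMPL_OPENSSL` is defined, so a host with the shared library but no development headers passes configure and then fails at compile time. Adding `AC_CHECK_HEADERS([openssl/ssl.h], [], [have_lib_ssl=false])` before the `if test x$have_lib_ssl = xtrue` test closes that gap while keeping the existing error and warning paths for the `openssl` and `auto` cases. `PROXY_TLS_IMPL_CFLAGS` is `AC_SUBST`ed but, as far as this hunk shows, never assigned, so it is always empty unless inherited from the environment; either set it alongside `PROXY_TLS_IMPL_LIBS` or add a comment saying it is a hook for non-default include paths.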
index d9cddc1c6155e697b82ab07ac272bcf13a597049..472c0081d8bee28f37e44d0dca6b3873be44c3f7 100644 (file)
@@ -56,7 +56,8 @@ RELDIR=krb5
 SHLIB_EXPDEPS = \
        $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
        $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)
-SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LIBS)
+SHLIB_EXPLIBS=-lk5crypto -lcom_err $(PROXY_TLS_IMPL_LIBS) $(SUPPORT_LIB) \
+       @GEN_LIB@ $(LIBS)
 
 all-unix:: all-liblinks
 
index f83d25b1cf5b0326835ba640a8a47b36bcdca928..f2382d1d8c084888bf7b7442bf835d088b8a1a78 100644 (file)
@@ -58,6 +58,8 @@ int krb5int_lib_init(void)
     if (err)
         return err;
 
+    k5_sendto_kdc_initialize();
+
     return 0;
 }
 
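Review bot: `krb5int_lib_init` now mutates process-global OpenSSL state on every library initialization, and the hunk adds no counterpart in a finalizer, so a reader cannot tell whether the asymmetry is deliberate. Because OpenSSL's global tables are shared with every other OpenSSL user in the same process, tearing them down from libkrb5 would be unsafe, which is presumably why no teardown is added; that reasoning deserves to be written down at the call site, e.g. `/* Set up process-global TLS state; intentionally never torn down, since other OpenSSL users in the process share it. */`. The body of `krb5int_lib_init` starts outside this hunk, so whether an earlier failure path can skip this call is not visible here.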
index 5add9f98e51df3c83d19cd689a5284c6bf91dc0e..fb4001a299ef1f548ee20013320d7f27751997ba 100644 (file)
@@ -2,7 +2,7 @@ mydir=lib$(S)krb5$(S)os
 BUILDTOP=$(REL)..$(S)..$(S)..
 DEFINES=-DLIBDIR=\"$(KRB5_LIBDIR)\" -DBINDIR=\"$(CLIENT_BINDIR)\" \
        -DSBINDIR=\"$(ADMIN_BINDIR)\"
-LOCALINCLUDES=-I$(top_srcdir)/util/profile
+LOCALINCLUDES= $(PROXY_TLS_IMPL_CFLAGS) -I$(top_srcdir)/util/profile
 
 ##DOS##BUILDTOP = ..\..\..
 ##DOS##PREFIXDIR=os
index 3196bca3f7bbfe953bf5ad513b62184dc89700da..f23dda5798405ddb3aa1d40a3a34a07c6b0baeea 100644 (file)
@@ -184,5 +184,6 @@ krb5_error_code localauth_k5login_initvt(krb5_context context, int maj_ver,
                                          krb5_plugin_vtable vtable);
 krb5_error_code localauth_an2ln_initvt(krb5_context context, int maj_ver,
                                        int min_ver, krb5_plugin_vtable vtable);
+void k5_sendto_kdc_initialize(void);
 
 #endif /* KRB5_LIBOS_INT_PROTO__ */
index 3f99ce80c114a7e2c2c06c141809f20eaddcc2bb..c6aae8ef3acb413a15b83c0588a3d563b7228b7b 100644 (file)
 #endif
 #endif
 
+#ifdef PROXY_TLS_IMPL_OPENSSL
+#include <openssl/ssl.h>
+#endif
+
 #define MAX_PASS                    3
 #define DEFAULT_UDP_PREF_LIMIT   1465
 #define HARD_UDP_LIMIT          32700 /* could probably do 64K-epsilon ? */
@@ -107,6 +111,16 @@ struct conn_state {
     krb5_boolean defer;
 };
 
+void
+k5_sendto_kdc_initialize(void)
+{
+#ifdef PROXY_TLS_IMPL_OPENSSL
+    SSL_library_init();
+    SSL_load_error_strings();
+    OpenSSL_add_all_algorithms();
+#endif
+}
+
 /* Get current time in milliseconds. */
 static krb5_error_code
 get_curtime_ms(time_ms *time_out)
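Review bot: `k5_sendto_kdc_initialize` carries no comment, and since the three calls in it touch OpenSSL's process-global tables rather than anything in this file's `struct conn_state`, the contract a caller needs — called once from library init, no teardown counterpart, harmless when the backend is compiled out — is not visible from the code. Suggest a header comment above the definition: `/* One-time setup for the HTTPS proxy TLS backend.  Initializes process-global OpenSSL state that is shared with any other OpenSSL user in this process and is deliberately never torn down; a no-op without PROXY_TLS_IMPL_OPENSSL. */`. Nothing in the hunk registers OpenSSL locking callbacks; whether the TLS code that will use this backend runs from several threads cannot be determined from this hunk, so that should be confirmed and the outcome recorded in the same comment.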