author | Richard Levitte <levitte@openssl.org> | 2001-07-31 07:21:06 +0000 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2001-07-31 07:21:06 +0000 |
commit | 882e891284c81c7a49b2bce28f44df3e8d6f7ffc (patch) | |
tree | fe1e72c9ff5edce490f7da03e639ad7e54cfe0f9 /ssl/kssl.c | |
parent | 05bbf78afd4cc10c776ad141749c13c25a2daa5e (diff) |
More Kerberos SSL changes from Jeffrey Altman <jaltman@columbia.edu>
His comments are:
First, it corrects a problem introduced in the last patch where the
kssl_map_enc() would intentionally return NULL for valid ENCTYPE
values. This was done to prevent verification of the kerberos 5
authenticator from being performed when Derived Key ciphers were
in use. Unfortunately, the authenticator verification routine was
not the only place that function was used. And it caused core dumps.
Second, it attempts to add the Kerberos 5 client principal name to
SSL_SESSION.
Diffstat (limited to 'ssl/kssl.c')
-rw-r--r-- | ssl/kssl.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/ssl/kssl.c b/ssl/kssl.c
index d9e1160550..cd9144f2be 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -760,19 +760,14 @@ kssl_map_enc(krb5_enctype enctype)
 {
 switch (enctype) {
-#if ! defined(KRB5_MIT_OLD11)
- /* cannot handle derived keys */
- case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
 case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */
- return (EVP_CIPHER *) NULL;
- break;
-#endif
 case ENCTYPE_DES_CBC_CRC:
 case ENCTYPE_DES_CBC_MD4:
 case ENCTYPE_DES_CBC_MD5:
 case ENCTYPE_DES_CBC_RAW:
 return (EVP_CIPHER *) EVP_des_cbc();
 break;
+ case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
 case ENCTYPE_DES3_CBC_SHA:
 case ENCTYPE_DES3_CBC_RAW:
 return (EVP_CIPHER *) EVP_des_ede3_cbc();
@@ -1979,6 +1974,15 @@ krb5_error_code kssl_check_authent(
 }
 enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */
+#if !defined(KRB5_MIT_OLD11)
+ switch ( enctype ) {
+ case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
+ case ENCTYPE_DES3_CBC_SHA:
+ case ENCTYPE_DES3_CBC_RAW:
+ krb5rc = 0; /* Skip, can't handle derived keys */
+ goto err;
+ }
+#endif
 enc = kssl_map_enc(enctype);
 memset(iv, 0, EVP_MAX_IV_LENGTH); /* per RFC 1510 */ |
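Review bot: In the kssl_map_enc hunk, `case ENCTYPE_DES_HMAC_SHA1:` is kept while the `#if`/`return NULL` block around it is removed, so that enctype now falls through to `EVP_des_cbc()`, yet the deleted comment grouped it with the derived-key types this code cannot handle and the compensating skip added in kssl_check_authent (second hunk) lists only the three DES3 enctypes. An authenticator carrying etype ENCTYPE_DES_HMAC_SHA1 would therefore be run through plain DES-CBC with the undifferentiated session key and, if it really is a derived-key enctype as the old comment says, fail or produce an incorrect comparison rather than being skipped like the DES3 types. Either add `case ENCTYPE_DES_HMAC_SHA1:` to the new skip switch in kssl_check_authent, or keep kssl_map_enc returning NULL for it and document that callers must check for NULL. The new DES3 cases in kssl_map_enc also deserve a comment such as `/* derived-key enctypes: the raw session key must not be used directly with this cipher */`, since the commit message says other callers now depend on a non-NULL result. kssl_map_enc's signature sits just above this hunk and its body continues past it.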