Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).

Submitted by: Damien Miller <djm@mindrot.org>
Approved by: steve@openssl.org

Fix various typos.

PR: 1467
Submitted by: Andrei Pelinescu-Onciul <andrei@iptel.org>

will be firmed up as soon as it's been verified not to break anything.

http://www.opengroup.org/onlinepubs/007908799/xsh/compilation.html.

Notified by David Wolfe <dwolfe5272@yahoo.com>

Avoid more shadow warnings.

In s_server, print the received Kerberos information.
PR: 693

Submitted by: Jeffrey Altman <jaltman@columbia.edu>, "Kenneth R. Robinette" <support@securenetterm.com>

Submitted by: "Kenneth R. Robinette" <support@securenetterm.com>
Reviewed by:
PR:

I've covered all the memset()s I felt safe modifying, but may have missed some.

Undo previous patch: avoid warnings by #undef'ing
duplicate definitions.

Suggested by "Kenneth R. Robinette" <support@securenetterm.com>

Fix Kerberos warnings with VC++.

Fix various warnings when compiling with KRB5 code.

Increase internal security when using strncpy, by making sure the resulting string is NUL-terminated

calls.  This patch allows compilation either way.

Submitted by: Jeffrey Altman <jaltman@columbia.edu>

to digests to retain compatibility.

depend on the environment, like the presence of the OpenBSD crypto
device or of Kerberos, do not change the dependencies within OpenSSL.

and rename some local variables to avoid name shadowing.

His comments are:

First, it corrects a problem introduced in the last patch where the
kssl_map_enc() would intentionally return NULL for valid ENCTYPE
values.  This was done to prevent verification of the kerberos 5
authenticator from being performed when Derived Key ciphers were
in use.  Unfortunately, the authenticator verification routine was
not the only place that function was used.  And it caused core dumps.

Second, it attempt to add to SSL_SESSION the Kerberos 5 Client
Principal Name.

His comments are:

This patch fixes the problem of modern Kerberos using "derived keys"
to encrypt the authenticator by disabling the authenticator check
for all derived keys enctypes.

I think I've got all the bugfixes that Jeffrey and I discussed rolled
into this.  There were some problems with Jeffrey's code to convert
the authenticator's Kerberos timestring into struct tm (e.g. Z, -1900;
it helps to have an actual decryptable authenticator to play with).
So I've shamelessly pushed in my code, while stealing some bits from
Jeffrey.

Submitted by Jeffrey Altman <jaltman@columbia.edu>

His comments are:

 . adds use of replay cache to protect against replay attacks

 . adds functions kssl_tgt_is_available() and
   kssl_keytab_is_available() which are used within s3_lib.c
   and ssl_lib.c to determine at runtime whether or not
   KRB5 ciphers can be supported during the current session.

Jeffrey Altman <jaltman@columbia.edu>

(Really, the time that's being parsed is a GeneralizedTime, so if
ASN1_GENERALIZEDTIME_get() ever gets implemented, it should be used
instead)

His comments are:

 . Fixed all of the Windows dynamic loading functions, prototypes, etc.

 . Corrected all of the unsigned/signed comparison warnings

 . Replaced the references to krb5_cksumarray[] for two reasons.
   First, it was an internal variable that should not have been
   referenced outside the library; nor could it have been with
   a shared library with restricted exports.  Second, the
   variable is no longer used in current Kerberos implementations.
   I replaced the code with equivalent functionality using functions
   that are exported from the library.

things will work much more smoothly.

SSL according to RFC 2712.  His comment is:

This is a patch to openssl-SNAP-20010702 to support Kerberized SSL
authentication.  I'm expecting to have the full kssl-0.5 kit up on
sourceforge by the end of the week.  The full kit includes patches
for mod-ssl, apache, and a few text clients.  The sourceforge URL
is http://sourceforge.net/projects/kssl/ .

Thanks to a note from Simon Wilkinson I've replaced my KRB5 AP_REQ
message with a real KerberosWrapper struct.  I think this is fully
RFC 2712 compliant now, including support for the optional
authenticator field.  I also added openssl-style ASN.1 macros for
a few Kerberos structs; see crypto/krb5/ if you're interested.

missed any.

This compiles and runs on Linux, and external applications have no
problems with it.  The definite test will be to build this on VMS.

It's still inconsistent - probably better to undo the whole OPENSSL_NO_* thing.