make kerberos work with OPENSSL_NO_SSL_INTERN

diff --git a/apps/s_client.c b/apps/s_client.c
index 2b8b1455ebcc13ce49913e48502bf833c17a9b05..683169aa687d70d513b881ddde18f980f1cc4111 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -539,6 +539,9 @@ int MAIN(int argc, char **argv)
        {
        unsigned int off=0, clr=0;
        SSL *con=NULL;
+#ifndef OPENSSL_NO_KRB5
+       KSSL_CTX *kctx;
+#endif
        int s,k,width,state=0;
        char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
        int cbuf_len,cbuf_off;
@@ -1212,9 +1215,10 @@ bad:
                }
 #endif
 #ifndef OPENSSL_NO_KRB5
-       if (con  &&  (con->kssl_ctx = kssl_ctx_new()) != NULL)
+       if (con  &&  (kctx = kssl_ctx_new()) != NULL)
                 {
-                kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
+               SSL_set0_kssl_ctx(con, kctx);
+                kssl_ctx_setstring(kctx, KSSL_SERVER, host);
                }
 #endif /* OPENSSL_NO_KRB5  */
 /*     SSL_set_cipher_list(con,"RC4-MD5"); */

diff --git a/apps/s_server.c b/apps/s_server.c
index 56362aa95cd93fd76b5c19ed708c851970cd534e..17ee441009f352dcc032dfcde49e392ca856acb9 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1943,6 +1943,9 @@ static int sv_body(char *hostname, int s, unsigned char *context)
        unsigned long l;
        SSL *con=NULL;
        BIO *sbio;
+#ifndef OPENSSL_NO_KRB5
+       KSSL_CTX *kctx;
+#endif
        struct timeval timeout;
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
        struct timeval tv;
@@ -1983,12 +1986,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                }
 #endif
 #ifndef OPENSSL_NO_KRB5
-               if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
+               if ((kctx = kssl_ctx_new()) != NULL)
                         {
-                        kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE,
-                                                               KRB5SVC);
-                        kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB,
-                                                               KRB5KEYTAB);
+                       SSL_set0_kssl_ctx(con, kctx);
+                        kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+                        kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
                         }
 #endif /* OPENSSL_NO_KRB5 */
                if(context)
@@ -2341,6 +2343,9 @@ static int init_ssl_connection(SSL *con)
        const unsigned char *next_proto_neg;
        unsigned next_proto_neg_len;
 #endif
+#ifndef OPENSSL_NO_KRB5
+       char *client_princ;
+#endif
 
        if ((i=SSL_accept(con)) <= 0)
                {
@@ -2394,10 +2399,11 @@ static int init_ssl_connection(SSL *con)
                TLS1_FLAGS_TLS_PADDING_BUG)
                BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
 #ifndef OPENSSL_NO_KRB5
-       if (con->kssl_ctx->client_princ != NULL)
+       client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con));
+       if (client_princ != NULL)
                {
                BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
-                       con->kssl_ctx->client_princ);
+                                                               client_princ);
                }
 #endif /* OPENSSL_NO_KRB5 */
        BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
@@ -2449,6 +2455,9 @@ static int www_body(char *hostname, int s, unsigned char *context)
        SSL *con;
        const SSL_CIPHER *c;
        BIO *io,*ssl_bio,*sbio;
+#ifndef OPENSSL_NO_KRB5
+       KSSL_CTX *kctx;
+#endif
 
        buf=OPENSSL_malloc(bufsize);
        if (buf == NULL) return(0);
@@ -2480,10 +2489,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
                        }
 #endif
 #ifndef OPENSSL_NO_KRB5
-       if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
+       if ((kctx = kssl_ctx_new()) != NULL)
                {
-               kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
-               kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
+               kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+               kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
                }
 #endif /* OPENSSL_NO_KRB5 */
        if(context) SSL_set_session_id_context(con, context,

diff --git a/ssl/kssl.c b/ssl/kssl.c
index 0033e9bf62e3857f27ea9dbda7047eb2a50a5f82..ee0e73e8acc82a462d348130137123684f1f7306 100644 (file)
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -2191,6 +2191,22 @@ krb5_error_code  kssl_build_principal_2(
        return ENOMEM;
        }
 
+void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx)
+       {
+       s->kssl_ctx = kctx;
+       } 
+
+KSSL_CTX * SSL_get0_kssl_ctx(SSL *s)
+       {
+       return s->kssl_ctx;
+       }
+
+char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx)
+       {
+       if (kctx)
+               return kctx->client_princ;
+       return NULL;
+       }
 
 #else /* !OPENSSL_NO_KRB5 */
 

diff --git a/ssl/kssl.h b/ssl/kssl.h
index a3d20e1ccbdc303f5a7522f6ef2e2f8d9d2930d8..8242fd5eeb650c0ac775e14a1cf7fe7a0ac32836 100644 (file)
--- a/ssl/kssl.h
+++ b/ssl/kssl.h
@@ -172,6 +172,10 @@ krb5_error_code  kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp,
                                    krb5_timestamp *atimep, KSSL_ERR *kssl_err);
 unsigned char  *kssl_skip_confound(krb5_enctype enctype, unsigned char *authn);
 
+void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx);
+KSSL_CTX * SSL_get0_kssl_ctx(SSL *s);
+char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx);
+
 #ifdef  __cplusplus
 }
 #endif