authorRobbie Harwood (frozencemetery) <rharwood@club.cc.cmu.edu>2013-08-16 12:45:03 -0400
committerGreg Hudson <ghudson@mit.edu>2014-06-02 17:58:26 -0400
commitd0be57ac45ea639baa3cff0dd2108c34e834bfa7 (patch)
treea5b957d19f889e2790bb9449a34c36d08d2e5b85
parent9c6be00daca0b80aed94ec9680724f95e6be92e1 (diff)
Build support for TLS used by HTTPS proxy support
Add a --with-proxy-tls-impl option to configure, taking 'openssl' or 'auto' (or invoked as --without-proxy-tls-impl). Use the related CFLAGS when building lib/krb5/os, and the related LIBS when linking libkrb5. Call the OpenSSL library startup functions during library initialization. ticket: 7929
-rw-r--r--src/Makefile.in1
-rw-r--r--src/config/pre.in5
-rw-r--r--src/configure.in40
-rw-r--r--src/lib/krb5/Makefile.in3
-rw-r--r--src/lib/krb5/krb5_libinit.c2
-rw-r--r--src/lib/krb5/os/Makefile.in2
-rw-r--r--src/lib/krb5/os/os-proto.h1
-rw-r--r--src/lib/krb5/os/sendto_kdc.c14
8 files changed, 66 insertions, 2 deletions
diff --git a/src/Makefile.in b/src/Makefile.in
index 172509307..5e2cf4ed1 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -553,6 +553,7 @@ pyrunenv.vals: Makefile
for i in $(RUN_VARS); do \
eval echo 'env['\\\'$$i\\\''] = '\\\'\$$$$i\\\'; \
done > $@
+ echo "proxy_tls_impl = '$(PROXY_TLS_IMPL)'" >> $@
runenv.py: pyrunenv.vals
echo 'env = {}' > $@
diff --git a/src/config/pre.in b/src/config/pre.in
index fbc5c11e4..e1d7e4b64 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -428,6 +428,11 @@ PKINIT_CRYPTO_IMPL = @PKINIT_CRYPTO_IMPL@
PKINIT_CRYPTO_IMPL_CFLAGS = @PKINIT_CRYPTO_IMPL_CFLAGS@
PKINIT_CRYPTO_IMPL_LIBS = @PKINIT_CRYPTO_IMPL_LIBS@
+# TLS implementation selection for HTTPS proxy support
+PROXY_TLS_IMPL = @PROXY_TLS_IMPL@
+PROXY_TLS_IMPL_CFLAGS = @PROXY_TLS_IMPL_CFLAGS@
+PROXY_TLS_IMPL_LIBS = @PROXY_TLS_IMPL_LIBS@
+
# error table rules
#
### /* these are invoked as $(...) foo.et, which works, but could be better */
diff --git a/src/configure.in b/src/configure.in
index 9bc4663d1..39e37381a 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -272,6 +272,46 @@ AC_SUBST(PKINIT_CRYPTO_IMPL)
AC_SUBST(PKINIT_CRYPTO_IMPL_CFLAGS)
AC_SUBST(PKINIT_CRYPTO_IMPL_LIBS)
+# WITH_PROXY_TLS_IMPL
+
+AC_ARG_WITH([proxy-tls-impl],
+AC_HELP_STRING([--with-proxy-tls-impl=IMPL],
+ [use specified TLS implementation for HTTPS @<:@auto@:>@]),
+[PROXY_TLS_IMPL=$withval],[PROXY_TLS_IMPL=auto])
+case "$PROXY_TLS_IMPL" in
+openssl|auto)
+ AC_CHECK_LIB(ssl,SSL_CTX_new,[have_lib_ssl=true],[have_lib_ssl=false],
+ -lcrypto)
+ AC_MSG_CHECKING([for OpenSSL])
+ if test x$have_lib_ssl = xtrue ; then
+ AC_DEFINE(PROXY_TLS_IMPL_OPENSSL,1,
+ [Define if HTTPS TLS implementation is OpenSSL])
+ AC_MSG_RESULT([yes])
+ PROXY_TLS_IMPL_LIBS="-lssl -lcrypto"
+ PROXY_TLS_IMPL=openssl
+ AC_MSG_NOTICE(HTTPS support will use TLS from '$PROXY_TLS_IMPL')
+ else
+ if test "$PROXY_TLS_IMPL" = openssl ; then
+ AC_MSG_ERROR([OpenSSL not found!])
+ else
+ AC_MSG_WARN([OpenSSL not found!])
+ fi
+ PROXY_TLS_IMPL=no
+ AC_MSG_NOTICE(building without HTTPS support)
+ fi
+ ;;
+no)
+ AC_MSG_NOTICE(building without HTTPS support)
+ ;;
+*)
+ AC_MSG_ERROR([Unsupported HTTPS proxy TLS implementation $withval])
+ ;;
+esac
+
+AC_SUBST(PROXY_TLS_IMPL)
+AC_SUBST(PROXY_TLS_IMPL_CFLAGS)
+AC_SUBST(PROXY_TLS_IMPL_LIBS)
+
AC_ARG_ENABLE([aesni],
AC_HELP_STRING([--disable-aesni],[Do not build with AES-NI support]), ,
enable_aesni=check)
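Review bot: The OpenSSL probe checks only that libssl links (`AC_CHECK_LIB(ssl,SSL_CTX_new,...)`), but sendto_kdc.c includes `<openssl/ssl.h>` when PROXY_TLS_IMPL_OPENSSL is defined, so a host with the runtime library and no development headers passes configure and then fails in the compile of lib/krb5/os. Adding a header check right after the library check, `AC_CHECK_HEADER([openssl/ssl.h], [], [have_lib_ssl=false])`, lets the existing "OpenSSL not found" branch handle that case. Separately, `PROXY_TLS_IMPL_CFLAGS` is substituted at the end of the block but never assigned in any branch, so it is always empty; either drop it or set it where `PROXY_TLS_IMPL_LIBS` is set.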
diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in
index d9cddc1c6..472c0081d 100644
--- a/src/lib/krb5/Makefile.in
+++ b/src/lib/krb5/Makefile.in
@@ -56,7 +56,8 @@ RELDIR=krb5
SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)
-SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LIBS)
+SHLIB_EXPLIBS=-lk5crypto -lcom_err $(PROXY_TLS_IMPL_LIBS) $(SUPPORT_LIB) \
+ @GEN_LIB@ $(LIBS)
all-unix:: all-liblinks
diff --git a/src/lib/krb5/krb5_libinit.c b/src/lib/krb5/krb5_libinit.c
index f83d25b1c..f2382d1d8 100644
--- a/src/lib/krb5/krb5_libinit.c
+++ b/src/lib/krb5/krb5_libinit.c
@@ -58,6 +58,8 @@ int krb5int_lib_init(void)
if (err)
return err;
+ k5_sendto_kdc_initialize();
+
return 0;
}
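Review bot: The call site gives no hint that `k5_sendto_kdc_initialize()` performs process-global OpenSSL initialization rather than per-module setup; a one-line comment above the call, `/* One-time global initialization of the TLS library used for HTTPS proxy transport. */`, would make that visible to anyone reading krb5int_lib_init. Because the OpenSSL 1.0.x global tables this sets up are not reference counted, an application that also initializes and later tears down OpenSSL affects libkrb5 too; whether krb5's library finalizer has a matching teardown is not visible in this diff, so that interaction is worth documenting here as well. The body of krb5int_lib_init starts outside the hunk.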
diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in
index 5add9f98e..fb4001a29 100644
--- a/src/lib/krb5/os/Makefile.in
+++ b/src/lib/krb5/os/Makefile.in
@@ -2,7 +2,7 @@ mydir=lib$(S)krb5$(S)os
BUILDTOP=$(REL)..$(S)..$(S)..
DEFINES=-DLIBDIR=\"$(KRB5_LIBDIR)\" -DBINDIR=\"$(CLIENT_BINDIR)\" \
-DSBINDIR=\"$(ADMIN_BINDIR)\"
-LOCALINCLUDES=-I$(top_srcdir)/util/profile
+LOCALINCLUDES= $(PROXY_TLS_IMPL_CFLAGS) -I$(top_srcdir)/util/profile
##DOS##BUILDTOP = ..\..\..
##DOS##PREFIXDIR=os
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index 3196bca3f..f23dda579 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -184,5 +184,6 @@ krb5_error_code localauth_k5login_initvt(krb5_context context, int maj_ver,
krb5_plugin_vtable vtable);
krb5_error_code localauth_an2ln_initvt(krb5_context context, int maj_ver,
int min_ver, krb5_plugin_vtable vtable);
+void k5_sendto_kdc_initialize(void);
#endif /* KRB5_LIBOS_INT_PROTO__ */
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 3f99ce80c..c6aae8ef3 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -48,6 +48,10 @@
#endif
#endif
+#ifdef PROXY_TLS_IMPL_OPENSSL
+#include <openssl/ssl.h>
+#endif
+
#define MAX_PASS 3
#define DEFAULT_UDP_PREF_LIMIT 1465
#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
@@ -107,6 +111,16 @@ struct conn_state {
krb5_boolean defer;
};
+void
+k5_sendto_kdc_initialize(void)
+{
+#ifdef PROXY_TLS_IMPL_OPENSSL
+ SSL_library_init();
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
+#endif
+}
+
/* Get current time in milliseconds. */
static krb5_error_code
get_curtime_ms(time_ms *time_out)
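Review bot: The new `k5_sendto_kdc_initialize()` has no comment and no counterpart for teardown: `SSL_load_error_strings()` and `OpenSSL_add_all_algorithms()` allocate process-global tables that are only released by `ERR_free_strings()`/`EVP_cleanup()`, so without a finalizer (none is visible in this diff) leak checkers will attribute those tables to libkrb5. I would add `/* One-time, process-global initialization of the TLS implementation used for HTTPS proxy transport; called from krb5int_lib_init(). */` above the definition and consider a matching `k5_sendto_kdc_finalize()` called from the library finalizer. Note also that with OpenSSL 1.0.x, concurrent use of libssl from several threads requires locking callbacks (`CRYPTO_set_locking_callback`); nothing here installs them, so unless another part of the tree does, HTTPS transactions issued from multiple threads would depend on the hosting application having set them up, which is worth stating in the comment.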