From 888bc144da94c9bf8d2c35ab38868e748c059de3 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Fri, 5 Sep 2014 17:51:35 -0400 Subject: Add HTTPS patches from master Pull in a stack of patches to add support for accessing servers via HTTPS proxies, such as python-kdcproxy or the KDC Proxy Service on a properly-outfitted Windows box. Pull in the patch to move the logic out of libkrb5 proper and into a loadable plugin to avoid linking our local applications against our libkrb5 against libssl against the installed copy of libgssapi_krb5 and our local libkrb5support. Adjust a couple of other patches to apply correctly after them. --- ...pport-for-TLS-used-by-HTTPS-proxy-support.patch | 187 +++++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 0004-Build-support-for-TLS-used-by-HTTPS-proxy-support.patch (limited to '0004-Build-support-for-TLS-used-by-HTTPS-proxy-support.patch') diff --git a/0004-Build-support-for-TLS-used-by-HTTPS-proxy-support.patch b/0004-Build-support-for-TLS-used-by-HTTPS-proxy-support.patch new file mode 100644 index 0000000..df4707d --- /dev/null +++ b/0004-Build-support-for-TLS-used-by-HTTPS-proxy-support.patch 
@@ -0,0 +1,187 @@ +From d0be57ac45ea639baa3cff0dd2108c34e834bfa7 Mon Sep 17 00:00:00 2001 +From: "Robbie Harwood (frozencemetery)" +Date: Fri, 16 Aug 2013 12:45:03 -0400 +Subject: [PATCH 04/13] Build support for TLS used by HTTPS proxy support + +Add a --with-proxy-tls-impl option to configure, taking 'openssl', +'auto', or invocation as --without-proxy-tls-impl. Use related CFLAGS +when building lib/krb5/os, and LIBS when linking libkrb5. Call the +OpenSSL library startup functions during library initialization. + +ticket: 7929 +--- + src/Makefile.in | 1 + + src/config/pre.in | 5 +++++ + src/configure.in | 40 ++++++++++++++++++++++++++++++++++++++++ + src/lib/krb5/Makefile.in | 3 ++- + src/lib/krb5/krb5_libinit.c | 2 ++ + src/lib/krb5/os/Makefile.in | 2 +- + src/lib/krb5/os/os-proto.h | 1 + + src/lib/krb5/os/sendto_kdc.c | 14 ++++++++++++++ + 8 files changed, 66 insertions(+), 2 deletions(-) + +diff --git a/src/Makefile.in b/src/Makefile.in +index 1725093..5e2cf4e 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -553,6 +553,7 @@ pyrunenv.vals: Makefile + for i in $(RUN_VARS); do \ + eval echo 'env['\\\'$$i\\\''] = '\\\'\$$$$i\\\'; \ + done > $@ ++ echo "proxy_tls_impl = '$(PROXY_TLS_IMPL)'" >> $@ + + runenv.py: pyrunenv.vals + echo 'env = {}' > $@ +diff --git a/src/config/pre.in b/src/config/pre.in +index fbc5c11..e1d7e4b 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -428,6 +428,11 @@ PKINIT_CRYPTO_IMPL = @PKINIT_CRYPTO_IMPL@ + PKINIT_CRYPTO_IMPL_CFLAGS = @PKINIT_CRYPTO_IMPL_CFLAGS@ + PKINIT_CRYPTO_IMPL_LIBS = @PKINIT_CRYPTO_IMPL_LIBS@ + ++# TLS implementation selection for HTTPS proxy support ++PROXY_TLS_IMPL = @PROXY_TLS_IMPL@ ++PROXY_TLS_IMPL_CFLAGS = @PROXY_TLS_IMPL_CFLAGS@ ++PROXY_TLS_IMPL_LIBS = @PROXY_TLS_IMPL_LIBS@ ++ + # error table rules + # + ### /* these are invoked as $(...) 
foo.et, which works, but could be better */ +diff --git a/src/configure.in b/src/configure.in +index 9bc4663..39e3738 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -272,6 +272,46 @@ AC_SUBST(PKINIT_CRYPTO_IMPL) + AC_SUBST(PKINIT_CRYPTO_IMPL_CFLAGS) + AC_SUBST(PKINIT_CRYPTO_IMPL_LIBS) + ++# WITH_PROXY_TLS_IMPL ++ ++AC_ARG_WITH([proxy-tls-impl], ++AC_HELP_STRING([--with-proxy-tls-impl=IMPL], ++ [use specified TLS implementation for HTTPS @<:@auto@:>@]), ++[PROXY_TLS_IMPL=$withval],[PROXY_TLS_IMPL=auto]) ++case "$PROXY_TLS_IMPL" in ++openssl|auto) ++ AC_CHECK_LIB(ssl,SSL_CTX_new,[have_lib_ssl=true],[have_lib_ssl=false], ++ -lcrypto) ++ AC_MSG_CHECKING([for OpenSSL]) ++ if test x$have_lib_ssl = xtrue ; then ++ AC_DEFINE(PROXY_TLS_IMPL_OPENSSL,1, ++ [Define if HTTPS TLS implementation is OpenSSL]) ++ AC_MSG_RESULT([yes]) ++ PROXY_TLS_IMPL_LIBS="-lssl -lcrypto" ++ PROXY_TLS_IMPL=openssl ++ AC_MSG_NOTICE(HTTPS support will use TLS from '$PROXY_TLS_IMPL') ++ else ++ if test "$PROXY_TLS_IMPL" = openssl ; then ++ AC_MSG_ERROR([OpenSSL not found!]) ++ else ++ AC_MSG_WARN([OpenSSL not found!]) ++ fi ++ PROXY_TLS_IMPL=no ++ AC_MSG_NOTICE(building without HTTPS support) ++ fi ++ ;; ++no) ++ AC_MSG_NOTICE(building without HTTPS support) ++ ;; ++*) ++ AC_MSG_ERROR([Unsupported HTTPS proxy TLS implementation $withval]) ++ ;; ++esac ++ ++AC_SUBST(PROXY_TLS_IMPL) ++AC_SUBST(PROXY_TLS_IMPL_CFLAGS) ++AC_SUBST(PROXY_TLS_IMPL_LIBS) ++ + AC_ARG_ENABLE([aesni], + AC_HELP_STRING([--disable-aesni],[Do not build with AES-NI support]), , + enable_aesni=check) +diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in +index d9cddc1..472c008 100644 +--- a/src/lib/krb5/Makefile.in ++++ b/src/lib/krb5/Makefile.in +@@ -56,7 +56,8 @@ RELDIR=krb5 + SHLIB_EXPDEPS = \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB) +-SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LIBS) ++SHLIB_EXPLIBS=-lk5crypto -lcom_err $(PROXY_TLS_IMPL_LIBS) 
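Review bot: In the configure.in hunk the OpenSSL probe is link-only: `AC_CHECK_LIB(ssl,SSL_CTX_new,...)` proves that `-lssl -lcrypto` link, but nothing verifies that `openssl/ssl.h` is usable, and `PROXY_TLS_IMPL_CFLAGS` is `AC_SUBST`ed without ever being assigned, so a host with a linkable libssl but missing or relocated headers passes configure and only fails later when sendto_kdc.c includes the OpenSSL header. Adding `AC_CHECK_HEADER([openssl/ssl.h], [], [have_lib_ssl=false])` right after the `AC_CHECK_LIB` call, before `AC_MSG_CHECKING([for OpenSSL])`, turns that into a configure-time result. Separately, with the default `auto` a host without OpenSSL gets only an `AC_MSG_WARN` and a build that silently lacks HTTPS proxy support; a build that is expected to reach KDCs through an HTTPS proxy should be configured with `--with-proxy-tls-impl=openssl` so the absence is a hard error rather than a warning buried in configure output, and that expectation is worth a comment next to `PROXY_TLS_IMPL=auto`.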
$(SUPPORT_LIB) \ ++ @GEN_LIB@ $(LIBS) + + all-unix:: all-liblinks + +diff --git a/src/lib/krb5/krb5_libinit.c b/src/lib/krb5/krb5_libinit.c +index f83d25b..f2382d1 100644 +--- a/src/lib/krb5/krb5_libinit.c ++++ b/src/lib/krb5/krb5_libinit.c +@@ -58,6 +58,8 @@ int krb5int_lib_init(void) + if (err) + return err; + ++ k5_sendto_kdc_initialize(); ++ + return 0; + } + +diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in +index 5add9f9..fb4001a 100644 +--- a/src/lib/krb5/os/Makefile.in ++++ b/src/lib/krb5/os/Makefile.in +@@ -2,7 +2,7 @@ mydir=lib$(S)krb5$(S)os + BUILDTOP=$(REL)..$(S)..$(S).. + DEFINES=-DLIBDIR=\"$(KRB5_LIBDIR)\" -DBINDIR=\"$(CLIENT_BINDIR)\" \ + -DSBINDIR=\"$(ADMIN_BINDIR)\" +-LOCALINCLUDES=-I$(top_srcdir)/util/profile ++LOCALINCLUDES= $(PROXY_TLS_IMPL_CFLAGS) -I$(top_srcdir)/util/profile + + ##DOS##BUILDTOP = ..\..\.. + ##DOS##PREFIXDIR=os +diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h +index 3196bca..f23dda5 100644 +--- a/src/lib/krb5/os/os-proto.h ++++ b/src/lib/krb5/os/os-proto.h +@@ -184,5 +184,6 @@ krb5_error_code localauth_k5login_initvt(krb5_context context, int maj_ver, + krb5_plugin_vtable vtable); + krb5_error_code localauth_an2ln_initvt(krb5_context context, int maj_ver, + int min_ver, krb5_plugin_vtable vtable); ++void k5_sendto_kdc_initialize(void); + + #endif /* KRB5_LIBOS_INT_PROTO__ */ +diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c +index 3f99ce8..c6aae8e 100644 +--- a/src/lib/krb5/os/sendto_kdc.c ++++ b/src/lib/krb5/os/sendto_kdc.c +@@ -48,6 +48,10 @@ + #endif + #endif + ++#ifdef PROXY_TLS_IMPL_OPENSSL ++#include ++#endif ++ + #define MAX_PASS 3 + #define DEFAULT_UDP_PREF_LIMIT 1465 + #define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? 
*/
+@@ -107,6 +111,16 @@ struct conn_state {
+ krb5_boolean defer;
+ };
+
++void
++k5_sendto_kdc_initialize(void)
++{
++#ifdef PROXY_TLS_IMPL_OPENSSL
++ SSL_library_init();
++ SSL_load_error_strings();
++ OpenSSL_add_all_algorithms();
++#endif
++}
++
+ /* Get current time in milliseconds. */
+ static krb5_error_code
+ get_curtime_ms(time_ms *time_out)
+--
+2.1.0
+
-- cgit
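Review bot: `k5_sendto_kdc_initialize()` in the sendto_kdc.c hunk has libkrb5 rewrite process-global OpenSSL state (`SSL_library_init`, `SSL_load_error_strings`, `OpenSSL_add_all_algorithms`) at library-init time, so every process that loads libkrb5 has its OpenSSL tables touched whether or not it ever talks to an HTTPS proxy. On OpenSSL releases of this era those routines are generally regarded as not thread-safe, so a host application or another plugin that initializes OpenSSL concurrently from a different thread can race with this call; `krb5int_lib_init` starts outside its hunk, so I cannot see whether it already runs under a once-only guard. Nothing in the patch releases what is loaded (no `ERR_free_strings()`/`EVP_cleanup()` in a matching fini), and a library should not call those either because they would tear down state the application may still be using, so the intent belongs in a comment: `/* Process-global OpenSSL setup; deliberately never undone, since the host application may share this OpenSSL instance. */`. A less intrusive shape is to perform this lazily from the HTTPS connect path under a once-only guard, so only processes that actually use an HTTPS proxy initialize OpenSSL.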