
Re: heimdal and OpenSSL



Gabor,

Clearly I'm talking to a brick wall.  This is my last message to you
on this subject.  I'll post again to the list next week so that those
who have tuned out due to this inane discourse will have a chance to
comment.

On Fri, Jan 05, 2001 at 01:26:52AM +0100, GOMBAS Gabor wrote:
> Hello,
> 
> Ok, I've read the thread again. You have written: "Once this is done, then
> Heimdal can be built against OpenSSL 0.9.6 or later".

Yes: without my patch, one cannot use OpenSSL in place of libdes.
With my patch, you can, as long as you have des_new_random_key.  Or,
as I said, you can continue to use the included libdes.

> Now let's see:
> 
> 1. Download & install OpenSSL 0.9.6 - I think no questions here.

No questions?  This is where you got lost.  My changes do not make
OpenSSL part of Heimdal, nor do they make Heimdal require OpenSSL.
THEY MERELY MAKE THE APIs COMPATIBLE.

> 2. gzip -dc ~/heimdal-0.3d.tar.gz | tar xf -
> 3. cd heimdal-0.3d
> 4. [apply the patch sent to the list before to fix the "-rpath -L no" bug]

This has nothing to do with me.  I don't even know what this is about.

> 5. [apply your patch]

This corrects an abstraction error in otp_md.c: the typedef should
have been used instead of the underlying type.

> 6. [run your perl script]

This renames several API functions and one typedef.

> 7. CC=xlc CPPFLAGS='-I/pkg/include/openssl -I/pkg/include/db2 -I/pkg/include' LDFLAGS=-L/pkg/lib ./configure
> 8. gmake

This also has nothing to do with me, this is your futzing.

> Result:
> [...]
> xlc -g -o verify_krb5_conf verify_krb5_conf.o  -L/pkg/lib ./.libs/libkrb5.a /pkg/maint/build/tmp/tmp2/heimdal-0.3d/lib/asn1/.libs/libasn1.a /pkg/maint/build/tmp/tmp2/heimdal-0.3d/lib/roken/.libs/libroken.a -lcrypto ../../lib/asn1/.libs/libasn1.a ../../lib/vers/.libs/libvers.a ../../lib/roken/.libs/libroken.a -ldb
> ld: 0711-317 ERROR: Undefined symbol: .des_new_random_key
> ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
>
> You have written "The changes work on all platforms.". 

My changes do. 

> The above error message is on AIX. Shall I repeat the process on
> Solaris or on Linux to make you believe? (If you really want, I have
> an account on a DG-UX machine so I can also try it there...)

I believe:
   1) That applying the patches I posted to the list will not break
      Heimdal on any platform.
   2) That it will make it possible to build Heimdal with OpenSSL on
      those platforms with appropriate support.

> I understand that *BSD ships a modified libcrypto library so your changes
> might be fine for *BSD. But do not claim that it is for supporting
> OpenSSL in general.

But it is.  It is a prerequisite to supporting OpenSSL.  I think they
are appropriate for all platforms -- certainly it won't harm anything
(with the exception that some applications might require recompiling
... but I don't know of the existence of any).

A complete solution apparently requires pulling rnd_keys.c out of
libdes as well for some platforms.  Maybe this is what you are asking
me to do -- it's hard to tell.  
> I have a _working_ Heimdal linked with OpenSSL's libcrypto on 3 different
> operating systems...

That's fabulous, I'm so happy for you.  Where are your patches?  Did
they not involve renaming the libdes API functions under discussion?

> > > Your proposed changes. If there is no /dev/urandom, the RNG will not be
> > > seeded.
> > 
> > That's not true.  The changes I posted do not change how anything is
> > seeded.   
> 
> Yes, they do. 

Please show me the exact place where they do.  I'm waiting.

> If you are using OpenSSL, you have to use its random number
> generator instead of Heimdal's (the latter is simply not built and is
> broken anyway; have you tried using Pine4.31 with IMAP-GSS?). And
> the RNG must be seeded somehow. If you have /dev/urandom, OpenSSL
> will do this automatically on a call to des_random_key(), otherwise
> you have to do it yourself.

You've brought OpenSSL into this again.  OpenSSL is not on the table.
I did not suggest changing Heimdal to require OpenSSL -- in fact I
think that _you_ did.

Besides, if OpenSSL has a crappy PRNG on some platforms, that has
little to do with Heimdal.  Supply your patches to the OpenSSL folks.
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org
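The thread turns on two things: a linker that cannot find des_new_random_key when libcrypto is substituted for libdes, and whether the RNG behind it is seeded when there is no /dev/urandom. The following is an added, self-contained example (not Heimdal, libdes or OpenSSL code, and not the patch under discussion) of what a stand-in for that call has to do: read key material from an entropy device, force DES odd parity, reject the 16 weak and semi-weak keys, and, unlike a call that silently returns output from an unseeded generator, fail closed when the device is absent. The function names, the entropy path parameter and the self-test helpers are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define DES_KEY_LEN 8

/* Read n bytes from the named entropy device (assumed /dev/urandom or
 * similar). Returns 0 on success, -1 if it cannot be opened or runs short:
 * the caller gets no key rather than an unseeded one. */
static int entropy_read(const char *path, unsigned char *buf, size_t n)
{
    FILE *f = fopen(path, "rb");
    size_t got = 0;
    if (f == NULL)
        return -1;
    while (got < n) {
        size_t r = fread(buf + got, 1, n - got, f);
        if (r == 0)
            break;
        got += r;
    }
    fclose(f);
    return got == n ? 0 : -1;
}

/* DES keeps the low bit of each key byte as an odd-parity bit. */
void des_key_set_odd_parity(unsigned char key[DES_KEY_LEN])
{
    for (int i = 0; i < DES_KEY_LEN; i++) {
        unsigned char b = key[i] & 0xFE;
        int ones = 0;
        for (int bit = 1; bit < 8; bit++)
            ones += (b >> bit) & 1;
        key[i] = b | ((ones & 1) ? 0 : 1);
    }
}

int des_key_has_odd_parity(const unsigned char key[DES_KEY_LEN])
{
    for (int i = 0; i < DES_KEY_LEN; i++) {
        int ones = 0;
        for (int bit = 0; bit < 8; bit++)
            ones += (key[i] >> bit) & 1;
        if ((ones & 1) == 0)
            return 0;
    }
    return 1;
}

/* The 4 weak and 12 semi-weak DES keys, in parity-adjusted form. */
static const unsigned char weak_keys[16][DES_KEY_LEN] = {
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
    {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
    {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
    {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
    {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
    {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1},
};

int des_key_is_weak(const unsigned char key[DES_KEY_LEN])
{
    for (int i = 0; i < 16; i++)
        if (memcmp(key, weak_keys[i], DES_KEY_LEN) == 0)
            return 1;
    return 0;
}

/* Hypothetical fail-closed stand-in for a des_new_random_key()-style call.
 * Returns 0 with a parity-correct, non-weak key in *key, or -1 (key zeroed)
 * if the entropy source is unavailable. */
int new_random_des_key(const char *entropy_path, unsigned char key[DES_KEY_LEN])
{
    do {
        if (entropy_read(entropy_path, key, DES_KEY_LEN) != 0) {
            memset(key, 0, DES_KEY_LEN);
            return -1;
        }
        des_key_set_odd_parity(key);
    } while (des_key_is_weak(key));
    return 0;
}

/* Self-test helpers with fixed, constructed inputs. */
int selftest_parity(void)
{
    unsigned char p[DES_KEY_LEN] = {0x00,0x03,0x01,0xFF,0x02,0x04,0x07,0x08};
    const unsigned char want[DES_KEY_LEN] = {0x01,0x02,0x01,0xFE,0x02,0x04,0x07,0x08};
    des_key_set_odd_parity(p);
    return memcmp(p, want, DES_KEY_LEN) == 0 && des_key_has_odd_parity(p);
}

int selftest_random(const char *entropy_path)
{
    unsigned char k[DES_KEY_LEN];
    if (new_random_des_key(entropy_path, k) != 0)
        return -1;
    return des_key_has_odd_parity(k) && !des_key_is_weak(k);
}

int main(void)
{
    printf("parity self-test: %d\n", selftest_parity());
    printf("/dev/urandom key: %d (1 = ok)\n", selftest_random("/dev/urandom"));
    printf("missing device:   %d (-1 = refused)\n", selftest_random("/nonexistent/urandom"));
    return 0;
}
```

The point of the `-1` path is the caveat raised in the thread: on a host without /dev/urandom, a generator that has never been seeded will still hand back eight bytes, and a Kerberos session key built from them is no better than a constant. A wrapper that refuses is the safer default; whatever seeds it on such platforms then has to be done explicitly by the caller.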