Attachment 246893 Details for Bug 272835 – Enable legacy provider

[patch] Enable legacy provider

0001-kerberos-Fix-numerous-segfaults-when-using-weak-cryp.patch (text/plain), 8.17 KB, created by Cy Schubert on 2023-12-08 07:17:07 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Cy Schubert

Created: 2023-12-08 07:17:07 UTC

Size: 8.17 KB

patch

obsolete

>From 2c0df625991d5246a8fa809c4710d9d35645bdc9 Mon Sep 17 00:00:00 2001
>From: Cy Schubert <cy@FreeBSD.org>
>Date: Wed, 6 Dec 2023 07:30:05 -0800
>Subject: [PATCH] kerberos: Fix numerous segfaults when using weak crypto
>
>Weak crypto is provided by the openssl legacy provider which is
>not load by default. Load the legacy providers as needed.
>
>When the legacy provider is loaded into the default context the default
>provider will no longer be automatically loaded. Without the default
>provider the various kerberos applicaions and functions will abort().
>
>MFC after:		3 days
>---
> crypto/heimdal/lib/kadm5/create_s.c           |  4 ++
> crypto/heimdal/lib/kadm5/kadm5_locl.h         |  1 +
> crypto/heimdal/lib/krb5/context.c             |  2 +
> crypto/heimdal/lib/krb5/crypto.c              |  1 +
> crypto/heimdal/lib/krb5/salt.c                |  5 +++
> crypto/heimdal/lib/roken/version-script.map   |  1 +
> kerberos5/include/crypto-headers.h            |  4 ++
> kerberos5/include/fbsd_ossl_provider.h        |  4 ++
> kerberos5/lib/libroken/Makefile               | 10 +++--
> .../lib/libroken/fbsd_ossl_provider_load.c    | 40 +++++++++++++++++++
> kerberos5/libexec/kdc/Makefile                |  2 +-
> share/mk/src.libnames.mk                      |  2 +-
> 12 files changed, 71 insertions(+), 5 deletions(-)
> create mode 100644 kerberos5/include/fbsd_ossl_provider.h
> create mode 100644 kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>
>diff --git a/crypto/heimdal/lib/kadm5/create_s.c b/crypto/heimdal/lib/kadm5/create_s.c
>index 1033ca103239..267e9bbda2a0 100644
>--- a/crypto/heimdal/lib/kadm5/create_s.c
>+++ b/crypto/heimdal/lib/kadm5/create_s.c
>@@ -169,6 +169,10 @@ kadm5_s_create_principal(void *server_handle,
>     ent.entry.keys.len = 0;
>     ent.entry.keys.val = NULL;
> 
>+    ret = fbsd_ossl_provider_load();
>+    if (ret)
>+	goto out;
>+
>     ret = _kadm5_set_keys(context, &ent.entry, password);
>     if (ret)
> 	goto out;
>diff --git a/crypto/heimdal/lib/kadm5/kadm5_locl.h b/crypto/heimdal/lib/kadm5/kadm5_locl.h
>index 68b6a5ebf024..63b367ab7e21 100644
>--- a/crypto/heimdal/lib/kadm5/kadm5_locl.h
>+++ b/crypto/heimdal/lib/kadm5/kadm5_locl.h
>@@ -79,5 +79,6 @@
> #include <der.h>
> #include <parse_units.h>
> #include "private.h"
>+#include "fbsd_ossl_provider.h"
> 
> #endif /* __KADM5_LOCL_H__ */
>diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c
>index 86bfe539b974..b002ce651a7f 100644
>--- a/crypto/heimdal/lib/krb5/context.c
>+++ b/crypto/heimdal/lib/krb5/context.c
>@@ -392,6 +392,8 @@ krb5_init_context(krb5_context *context)
>     }
>     HEIMDAL_MUTEX_init(p->mutex);
> 
>+    fbsd_ossl_provider_load();
>+
>     p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS;
> 
>     ret = krb5_get_default_config_files(&files);
>diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c
>index 67ecef62e875..19182b5c6ca3 100644
>--- a/crypto/heimdal/lib/krb5/crypto.c
>+++ b/crypto/heimdal/lib/krb5/crypto.c
>@@ -2054,6 +2054,7 @@ krb5_crypto_init(krb5_context context,
> 	*crypto = NULL;
> 	return ret;
>     }
>+    (void) fbsd_ossl_provider_load();
>     (*crypto)->key.schedule = NULL;
>     (*crypto)->num_key_usage = 0;
>     (*crypto)->key_usage = NULL;
>diff --git a/crypto/heimdal/lib/krb5/salt.c b/crypto/heimdal/lib/krb5/salt.c
>index 5e4c8a1c8572..2b1fbee80ab6 100644
>--- a/crypto/heimdal/lib/krb5/salt.c
>+++ b/crypto/heimdal/lib/krb5/salt.c
>@@ -43,6 +43,8 @@ krb5_salttype_to_string (krb5_context context,
>     struct _krb5_encryption_type *e;
>     struct salt_type *st;
> 
>+    (void) fbsd_ossl_provider_load();
>+
>     e = _krb5_find_enctype (etype);
>     if (e == NULL) {
> 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
>@@ -75,6 +77,8 @@ krb5_string_to_salttype (krb5_context context,
>     struct _krb5_encryption_type *e;
>     struct salt_type *st;
> 
>+    (void) fbsd_ossl_provider_load();
>+
>     e = _krb5_find_enctype (etype);
>     if (e == NULL) {
> 	krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
>@@ -196,6 +200,7 @@ krb5_string_to_key_data_salt_opaque (krb5_context context,
> 			       enctype);
> 	return KRB5_PROG_ETYPE_NOSUPP;
>     }
>+    (void) fbsd_ossl_provider_load();
>     for(st = et->keytype->string_to_key; st && st->type; st++)
> 	if(st->type == salt.salttype)
> 	    return (*st->string_to_key)(context, enctype, password,
>diff --git a/crypto/heimdal/lib/roken/version-script.map b/crypto/heimdal/lib/roken/version-script.map
>index 72d2ea7e4f7c..bb2139ed74cc 100644
>--- a/crypto/heimdal/lib/roken/version-script.map
>+++ b/crypto/heimdal/lib/roken/version-script.map
>@@ -13,6 +13,7 @@ HEIMDAL_ROKEN_1.0 {
> 		ct_memcmp;
> 		err;
> 		errx;
>+		fbsd_ossl_provider_load;
> 		free_getarg_strings;
> 		get_default_username;
> 		get_window_size;
>diff --git a/kerberos5/include/crypto-headers.h b/kerberos5/include/crypto-headers.h
>index 3ae0d9624ffd..2cc870642964 100644
>--- a/kerberos5/include/crypto-headers.h
>+++ b/kerberos5/include/crypto-headers.h
>@@ -17,5 +17,9 @@
> #include <openssl/ec.h>
> #include <openssl/ecdsa.h>
> #include <openssl/ecdh.h>
>+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
>+#include <openssl/provider.h>
>+#include "fbsd_ossl_provider.h"
>+#endif
> 
> #endif /* __crypto_headers_h__ */
>diff --git a/kerberos5/include/fbsd_ossl_provider.h b/kerberos5/include/fbsd_ossl_provider.h
>new file mode 100644
>index 000000000000..013983ca9f83
>--- /dev/null
>+++ b/kerberos5/include/fbsd_ossl_provider.h
>@@ -0,0 +1,4 @@
>+#ifndef __fbsd_ossl_provider_h
>+#define __fbsd_ossl_provider_h
>+int  fbsd_ossl_provider_load(void);
>+#endif
>diff --git a/kerberos5/lib/libroken/Makefile b/kerberos5/lib/libroken/Makefile
>index 0c46ba6c4cb5..150677f4879c 100644
>--- a/kerberos5/lib/libroken/Makefile
>+++ b/kerberos5/lib/libroken/Makefile
>@@ -2,7 +2,7 @@
> PACKAGE=	kerberos-lib
> 
> LIB=	roken
>-LIBADD=	crypt
>+LIBADD=	crypt crypto
> VERSION_MAP=	${KRB5DIR}/lib/roken/version-script.map
> INCS=	roken.h \
> 	roken-common.h \
>@@ -74,15 +74,19 @@ SRCS=	base64.c \
> 	vis.c \
> 	warnerr.c \
> 	write_pid.c \
>-	xfree.c
>+	xfree.c \
>+	fbsd_ossl_provider_load.c
> 
>-CFLAGS+=-I${KRB5DIR}/lib/roken -I.
>+CFLAGS+=-I${KRB5DIR}/lib/roken \
>+	-I${SRCTOP}/kerberos5/include \
>+	-I${KRB5DIR}/lib/krb5 -I.
> 
> CLEANFILES= roken.h
> 
> roken.h:
> 	${MAKE_ROKEN} > ${.TARGET}
> 
>+
> .include <bsd.lib.mk>
> 
> .PATH: ${KRB5DIR}/lib/roken
>diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>new file mode 100644
>index 000000000000..06ad6f01b8b8
>--- /dev/null
>+++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c
>@@ -0,0 +1,40 @@
>+#include <krb5_locl.h>
>+
>+static void fbsd_ossl_provider_unload(void);
>+
>+static OSSL_PROVIDER *legacy;
>+static OSSL_PROVIDER *deflt;
>+static int providers_loaded = 0;
>+
>+int
>+fbsd_ossl_provider_load(void)
>+{
>+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
>+	if (providers_loaded == 0) {
>+		if ((legacy = OSSL_PROVIDER_load(NULL, "legacy")) == NULL)
>+			return (EINVAL);
>+		if ((deflt = OSSL_PROVIDER_load(NULL, "default")) == NULL) {
>+			OSSL_PROVIDER_unload(legacy);
>+			return (EINVAL);
>+		}
>+		providers_loaded = 1;
>+		if (atexit(fbsd_ossl_provider_unload)) {
>+			fbsd_ossl_provider_unload();
>+			return (ENOMEM);
>+		}
>+	}
>+#endif
>+	return (0);
>+}
>+
>+static void
>+fbsd_ossl_provider_unload(void)
>+{
>+#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
>+	if (providers_loaded == 1) {
>+		OSSL_PROVIDER_unload(legacy);
>+		OSSL_PROVIDER_unload(deflt);
>+		providers_loaded = 0;
>+	}
>+#endif
>+}
>diff --git a/kerberos5/libexec/kdc/Makefile b/kerberos5/libexec/kdc/Makefile
>index 41fde9115c00..211f4f379054 100644
>--- a/kerberos5/libexec/kdc/Makefile
>+++ b/kerberos5/libexec/kdc/Makefile
>@@ -11,7 +11,7 @@ SRCS=	config.c \
> 
> CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \
> 	-I${KRB5DIR}/kdc -I${SRCTOP}/contrib/com_err ${LDAPCFLAGS}
>-LIBADD=	kdc hdb krb5 roken crypt vers
>+LIBADD=	kdc hdb krb5 roken crypt vers crypto
> LDFLAGS=${LDAPLDFLAGS}
> 
> .include <bsd.prog.mk>
>diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk
>index 3317350a88a3..f3127562bd8f 100644
>--- a/share/mk/src.libnames.mk
>+++ b/share/mk/src.libnames.mk
>@@ -367,7 +367,7 @@ _DP_pam+=	ssh
> .if ${MK_NIS} != "no"
> _DP_pam+=	ypclnt
> .endif
>-_DP_roken=	crypt
>+_DP_roken=	crypt crypto
> _DP_kadm5clnt=	com_err krb5 roken
> _DP_kadm5srv=	com_err hdb krb5 roken
> _DP_heimntlm=	crypto com_err krb5 roken
>-- 
>2.43.0
>

Actions: View | Diff

Attachments on bug 272835: 246375 | 246458 | 246893 | 246909 | 246930 | 246994 | 246998 | 247680 | 247710 | 247730