Bug 276415

Summary: security/heimdal: kinit FreeBSD 14.0 fails with kinit: rc4 8: EVP_CipherInit_ex einit
Product: Ports & Packages
Reporter: jborean93
Component: Individual Port(s)
Assignee: Hiroki Sato <hrs>
Status: New
Severity: Affects Some People
CC: mmpestorich
Priority: ---
Flags: bugzilla: maintainer-feedback? (hrs)
Version: Latest
Hardware: Any
OS: Any
Attachments:
- Rudimentary diff to get this working again (flags: none)

Description jborean93 2024-01-18 05:33:57 UTC
Created attachment 247736 [details]
Rudimentary diff to get this working again

Using the security/heimdal port fails on FreeBSD 14.0 when trying to use kinit to get a Kerberos ticket for a user. The error message is

> kinit: rc4 8: EVP_CipherInit_ex einit

I've spent some time trying to track this down and, like the issue https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275915, it's due to OpenSSL policies disabling the RC4 cipher. Unlike issue 275915, you cannot work around this, as even though the etype used in the Kerberos exchange is based on AES, the code itself does a basic validation test to see if RC4 is available: https://github.com/heimdal/heimdal/blob/366016b1f6ceb760c99231b15033e4dacf5060c9/lib/hcrypto/validate.c#L104-L212. The only way to get this working is to remove the tests and recompile the code.

Potentially there's a way to re-enable RC4 in OpenSSL but I need to look further into this.

I've also submitted an issue report on the upstream Heimdal repo https://github.com/heimdal/heimdal/issues/1224 which contains more details on the bug.
Comment 1 jborean93 2024-01-18 06:12:52 UTC
A workaround to enable the legacy provider in OpenSSL is to create a file:

```
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Then use `OPENSSL_CONF=/path/to/openssl.cnf kinit user@DOMAIN.COM`. This can also be set in the system-wide configuration `/etc/ssl/openssl.cnf`, but the env var way allows you to get `kinit` working for now.
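As an added example (not part of the bug report or the Heimdal project), this POSIX shell script writes the provider configuration from the comment above to a file and probes whether RC4 can be initialised with and without it, mirroring via the `openssl` CLI the check that Heimdal's validate.c performs at startup. It assumes an OpenSSL 3.x `openssl` binary on PATH; the temp file path and the all-zero key are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the legacy-provider workaround and verify it
# before pointing kinit at the config. Not Heimdal's or the port's code.

write_legacy_conf() {
  # $1 = destination path; contents match the config from Comment 1
  cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

conf_activates_legacy() {
  # $1 = config path; succeeds only if [legacy_sect] contains "activate = 1"
  awk '/^\[/ { s = $0 }
       s == "[legacy_sect]" && /^activate *= *1/ { f = 1 }
       END { exit !f }' "$1"
}

rc4_probe() {
  # Exit 0 if OpenSSL can initialise RC4 under the current OPENSSL_CONF,
  # non-zero otherwise (same condition Heimdal's validate test trips on).
  # The all-zero 16-byte key is a constructed throwaway value.
  printf 'probe' | openssl enc -rc4 -K 00000000000000000000000000000000 \
    >/dev/null 2>&1
}

main() {
  conf="${TMPDIR:-/tmp}/heimdal-legacy.cnf"   # constructed path
  write_legacy_conf "$conf"
  if rc4_probe; then echo "RC4 usable without the config (no workaround needed)"
  else echo "RC4 rejected by default provider (the kinit failure)"; fi
  if OPENSSL_CONF="$conf" rc4_probe; then echo "RC4 usable with legacy provider"
  else echo "legacy provider could not be loaded from $conf"; fi
  # Once the second probe passes, run kinit the same way:
  #   OPENSSL_CONF="$conf" kinit user@DOMAIN.COM
}

main
```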