git: 3091cdb11fb0 - main - Revert "kerberos: Fix numerous segfaults when using weak crypto"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 12 Jan 2024 07:43:34 UTC
The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=3091cdb11fb05e554a54710116be87ee1f55c287 commit 3091cdb11fb05e554a54710116be87ee1f55c287 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2024-01-12 07:39:02 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2024-01-12 07:42:33 +0000 Revert "kerberos: Fix numerous segfaults when using weak crypto" This revision breaks Linux and MacOS cross builds because TARGET_ENDIANNESS is not define during bootstrapping on these platforms. I think the correct approach would be to separate the new fbsd_ossl_provider_load() and unload functions into their own library (instead of libroken). This avoids the less desirable option of including bsd.cpu.mk in secure/lib/Makefile.common, which does build but could complicate future work. Reported by: jrtc27 This reverts commit cb350ba7bf7ca7c4cb97ed2c20ab45af60382cfb. --- Makefile.inc1 | 7 ++-- crypto/heimdal/lib/kadm5/create_s.c | 4 --- crypto/heimdal/lib/kadm5/kadm5_locl.h | 1 - crypto/heimdal/lib/krb5/context.c | 4 --- crypto/heimdal/lib/krb5/crypto.c | 3 -- crypto/heimdal/lib/krb5/salt.c | 5 --- crypto/heimdal/lib/roken/version-script.map | 1 - kerberos5/include/crypto-headers.h | 4 --- kerberos5/include/fbsd_ossl_provider.h | 4 --- kerberos5/lib/libroken/Makefile | 11 ++----- kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 41 ------------------------ kerberos5/libexec/kdc/Makefile | 2 +- share/mk/src.libnames.mk | 2 +- 13 files changed, 8 insertions(+), 81 deletions(-) diff --git a/Makefile.inc1 b/Makefile.inc1 index 864b5151692f..34b49ee319ec 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -2635,10 +2635,9 @@ ${_bt}-usr.bin/grep: ${_bt}-lib/libbz2 _other_bootstrap_tools+=lib/libz ${_bt}-lib/libdwarf: ${_bt}-lib/libz -# libroken depends on libcrypt and libcrypto +# libroken depends on libcrypt _other_bootstrap_tools+=lib/libcrypt -_other_bootstrap_tools+=secure/lib/libcrypto -${_bt}-lib/libroken: ${_bt}-lib/libcrypt ${_bt}-lib/libcrypto +${_bt}-lib/libroken: ${_bt}-lib/libcrypt .else # All tools in _basic_bootstrap_tools have the same name as the subdirectory # so we can use :T to get the name of the symlinks that we need to create. @@ -3284,7 +3283,7 @@ kerberos5/lib/libkrb5__L: kerberos5/lib/libasn1__L lib/libcom_err__L \ lib/libcrypt__L secure/lib/libcrypto__L kerberos5/lib/libhx509__L \ kerberos5/lib/libroken__L kerberos5/lib/libwind__L \ kerberos5/lib/libheimbase__L kerberos5/lib/libheimipcc__L -kerberos5/lib/libroken__L: lib/libcrypt__L secure/lib/libcrypto__L +kerberos5/lib/libroken__L: lib/libcrypt__L kerberos5/lib/libwind__L: kerberos5/lib/libroken__L lib/libcom_err__L kerberos5/lib/libheimbase__L: lib/libthr__L kerberos5/lib/libheimipcc__L: kerberos5/lib/libroken__L kerberos5/lib/libheimbase__L lib/libthr__L diff --git a/crypto/heimdal/lib/kadm5/create_s.c b/crypto/heimdal/lib/kadm5/create_s.c index 267e9bbda2a0..1033ca103239 100644 --- a/crypto/heimdal/lib/kadm5/create_s.c +++ b/crypto/heimdal/lib/kadm5/create_s.c @@ -169,10 +169,6 @@ kadm5_s_create_principal(void *server_handle, ent.entry.keys.len = 0; ent.entry.keys.val = NULL; - ret = fbsd_ossl_provider_load(); - if (ret) - goto out; - ret = _kadm5_set_keys(context, &ent.entry, password); if (ret) goto out; diff --git a/crypto/heimdal/lib/kadm5/kadm5_locl.h b/crypto/heimdal/lib/kadm5/kadm5_locl.h index 63b367ab7e21..68b6a5ebf024 100644 --- a/crypto/heimdal/lib/kadm5/kadm5_locl.h +++ b/crypto/heimdal/lib/kadm5/kadm5_locl.h @@ -79,6 +79,5 @@ #include <der.h> #include <parse_units.h> #include "private.h" -#include "fbsd_ossl_provider.h" #endif /* __KADM5_LOCL_H__ */ diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c index 681bc9a0982f..86bfe539b974 100644 --- a/crypto/heimdal/lib/krb5/context.c +++ b/crypto/heimdal/lib/krb5/context.c @@ -392,10 +392,6 @@ krb5_init_context(krb5_context *context) } HEIMDAL_MUTEX_init(p->mutex); - ret = fbsd_ossl_provider_load(); - if(ret) - goto out; - p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS; ret = krb5_get_default_config_files(&files); diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c index 6ee22609a4d5..67ecef62e875 100644 --- a/crypto/heimdal/lib/krb5/crypto.c +++ b/crypto/heimdal/lib/krb5/crypto.c @@ -2054,9 +2054,6 @@ krb5_crypto_init(krb5_context context, *crypto = NULL; return ret; } - ret = fbsd_ossl_provider_load(); - if (ret) - return ret; (*crypto)->key.schedule = NULL; (*crypto)->num_key_usage = 0; (*crypto)->key_usage = NULL; diff --git a/crypto/heimdal/lib/krb5/salt.c b/crypto/heimdal/lib/krb5/salt.c index 2b1fbee80ab6..5e4c8a1c8572 100644 --- a/crypto/heimdal/lib/krb5/salt.c +++ b/crypto/heimdal/lib/krb5/salt.c @@ -43,8 +43,6 @@ krb5_salttype_to_string (krb5_context context, struct _krb5_encryption_type *e; struct salt_type *st; - (void) fbsd_ossl_provider_load(); - e = _krb5_find_enctype (etype); if (e == NULL) { krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, @@ -77,8 +75,6 @@ krb5_string_to_salttype (krb5_context context, struct _krb5_encryption_type *e; struct salt_type *st; - (void) fbsd_ossl_provider_load(); - e = _krb5_find_enctype (etype); if (e == NULL) { krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, @@ -200,7 +196,6 @@ krb5_string_to_key_data_salt_opaque (krb5_context context, enctype); return KRB5_PROG_ETYPE_NOSUPP; } - (void) fbsd_ossl_provider_load(); for(st = et->keytype->string_to_key; st && st->type; st++) if(st->type == salt.salttype) return (*st->string_to_key)(context, enctype, password, diff --git a/crypto/heimdal/lib/roken/version-script.map b/crypto/heimdal/lib/roken/version-script.map index bb2139ed74cc..72d2ea7e4f7c 100644 --- a/crypto/heimdal/lib/roken/version-script.map +++ b/crypto/heimdal/lib/roken/version-script.map @@ -13,7 +13,6 @@ HEIMDAL_ROKEN_1.0 { ct_memcmp; err; errx; - fbsd_ossl_provider_load; free_getarg_strings; get_default_username; get_window_size; diff --git a/kerberos5/include/crypto-headers.h b/kerberos5/include/crypto-headers.h index 2cc870642964..3ae0d9624ffd 100644 --- a/kerberos5/include/crypto-headers.h +++ b/kerberos5/include/crypto-headers.h @@ -17,9 +17,5 @@ #include <openssl/ec.h> #include <openssl/ecdsa.h> #include <openssl/ecdh.h> -#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) -#include <openssl/provider.h> -#include "fbsd_ossl_provider.h" -#endif #endif /* __crypto_headers_h__ */ diff --git a/kerberos5/include/fbsd_ossl_provider.h b/kerberos5/include/fbsd_ossl_provider.h deleted file mode 100644 index 013983ca9f83..000000000000 --- a/kerberos5/include/fbsd_ossl_provider.h +++ /dev/null @@ -1,4 +0,0 @@ -#ifndef __fbsd_ossl_provider_h -#define __fbsd_ossl_provider_h -int fbsd_ossl_provider_load(void); -#endif diff --git a/kerberos5/lib/libroken/Makefile b/kerberos5/lib/libroken/Makefile index 24dc3a5b2c45..0c46ba6c4cb5 100644 --- a/kerberos5/lib/libroken/Makefile +++ b/kerberos5/lib/libroken/Makefile @@ -2,7 +2,7 @@ PACKAGE= kerberos-lib LIB= roken -LIBADD= crypt crypto +LIBADD= crypt VERSION_MAP= ${KRB5DIR}/lib/roken/version-script.map INCS= roken.h \ roken-common.h \ @@ -74,20 +74,15 @@ SRCS= base64.c \ vis.c \ warnerr.c \ write_pid.c \ - xfree.c \ - fbsd_ossl_provider_load.c + xfree.c -CFLAGS+=-I${KRB5DIR}/lib/roken \ - -I${SRCTOP}/kerberos5/include \ - -I${KRB5DIR}/lib/krb5 \ - -I${SRCTOP}/crypto/openssl/include -I. +CFLAGS+=-I${KRB5DIR}/lib/roken -I. CLEANFILES= roken.h roken.h: ${MAKE_ROKEN} > ${.TARGET} - .include <bsd.lib.mk> .PATH: ${KRB5DIR}/lib/roken diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c deleted file mode 100644 index f49c8746c9e4..000000000000 --- a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c +++ /dev/null @@ -1,41 +0,0 @@ -#include <errno.h> -#include <krb5_locl.h> - -static void fbsd_ossl_provider_unload(void); - -static OSSL_PROVIDER *legacy; -static OSSL_PROVIDER *deflt; -static int providers_loaded = 0; - -int -fbsd_ossl_provider_load(void) -{ -#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) - if (providers_loaded == 0) { - if ((legacy = OSSL_PROVIDER_load(NULL, "legacy")) == NULL) - return (EINVAL); - if ((deflt = OSSL_PROVIDER_load(NULL, "default")) == NULL) { - OSSL_PROVIDER_unload(legacy); - return (EINVAL); - } - if (atexit(fbsd_ossl_provider_unload)) { - fbsd_ossl_provider_unload(); - return (errno); - } - providers_loaded = 1; - } -#endif - return (0); -} - -static void -fbsd_ossl_provider_unload(void) -{ -#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) - if (providers_loaded == 1) { - OSSL_PROVIDER_unload(legacy); - OSSL_PROVIDER_unload(deflt); - providers_loaded = 0; - } -#endif -} diff --git a/kerberos5/libexec/kdc/Makefile b/kerberos5/libexec/kdc/Makefile index 211f4f379054..41fde9115c00 100644 --- a/kerberos5/libexec/kdc/Makefile +++ b/kerberos5/libexec/kdc/Makefile @@ -11,7 +11,7 @@ SRCS= config.c \ CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \ -I${KRB5DIR}/kdc -I${SRCTOP}/contrib/com_err ${LDAPCFLAGS} -LIBADD= kdc hdb krb5 roken crypt vers crypto +LIBADD= kdc hdb krb5 roken crypt vers LDFLAGS=${LDAPLDFLAGS} .include <bsd.prog.mk> diff --git a/share/mk/src.libnames.mk b/share/mk/src.libnames.mk index e4fd3270a3d3..33b8507a9eb9 100644 --- a/share/mk/src.libnames.mk +++ b/share/mk/src.libnames.mk @@ -367,7 +367,7 @@ _DP_pam+= ssh .if ${MK_NIS} != "no" _DP_pam+= ypclnt .endif -_DP_roken= crypt crypto +_DP_roken= crypt _DP_kadm5clnt= com_err krb5 roken _DP_kadm5srv= com_err hdb krb5 roken _DP_heimntlm= crypto com_err krb5 roken