Re: git: cb350ba7bf7c - main - kerberos: Fix numerous segfaults when using weak crypto

From: Cy Schubert <Cy.Schubert_at_cschubert.com>
Date: Fri, 12 Jan 2024 07:43:39 UTC
In message <20240112071106.C72D8235@slippy.cwsent.com>, Cy Schubert writes:
> In message <CF222483-972B-4F25-93F6-EA3161AE2FCA@freebsd.org>, Jessica 
> Clarke w
> rites:
> > On 11 Jan 2024, at 13:31, Cy Schubert <cy@FreeBSD.org> wrote:
> > >=20
> > > The branch main has been updated by cy:
> > >=20
> > > URL: =
> > https://cgit.FreeBSD.org/src/commit/?id=3Dcb350ba7bf7ca7c4cb97ed2c20ab45af=
> > 60382cfb
> > >=20
> > > commit cb350ba7bf7ca7c4cb97ed2c20ab45af60382cfb
> > > Author:     Cy Schubert <cy@FreeBSD.org>
> > > AuthorDate: 2023-12-06 15:30:05 +0000
> > > Commit:     Cy Schubert <cy@FreeBSD.org>
> > > CommitDate: 2024-01-11 13:26:42 +0000
> > >=20
> > >    kerberos: Fix numerous segfaults when using weak crypto
> > >=20
> > >    Weak crypto is provided by the openssl legacy provider which is
> > >    not load by default. Load the legacy providers as needed.
> > >=20
> > >    When the legacy provider is loaded into the default context the =
> > default
> > >    provider will no longer be automatically loaded. Without the =
> > default
> > >    provider the various kerberos applicaions and functions will =
> > abort().
> >
> > Hi,
> > This has completely broken macOS and Linux cross-building. Please
> > either fix this quickly or, if unable to, revert until such time as you
> > can. Note that patches can be tested by creating a PR against the
> > GitHub mirror.
>
> Thanks for the heads up. I see the problem and am working on a fix.

I think the correct approach would be to separate the new 
fbsd_ossl_provider_load() and unload functions into their own library 
(instead of libroken). This avoids the less desirable option of including 
bsd.cpu.mk in secure/lib/Makefile.common, which does build but could affect 
future work.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  https://FreeBSD.org
NTP:           <cy@nwtime.org>    Web:  https://nwtime.org

			e^(i*pi)+1=0