From nobody Sat Jan 13 14:11:22 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TC0gz0bSpz57dTB; Sat, 13 Jan 2024 14:11:27 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4TC0gy1VCwz4Jpc; Sat, 13 Jan 2024 14:11:26 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of cy.schubert@cschubert.com has no SPF policy when checking 3.97.99.32) smtp.mailfrom=cy.schubert@cschubert.com Received: from shw-obgw-4004a.ext.cloudfilter.net ([10.228.9.227]) by cmsmtp with ESMTPS id OdUYrETVZxDxGOejNrVIUI; Sat, 13 Jan 2024 14:11:25 +0000 Received: from spqr.komquats.com ([70.66.152.170]) by cmsmtp with ESMTPSA id OejLr9WPRWIKPOejMr7hb5; Sat, 13 Jan 2024 14:11:25 +0000 X-Authority-Analysis: v=2.4 cv=D+pUl9dj c=1 sm=1 tr=0 ts=65a29a0d a=y8EK/9tc/U6QY+pUhnbtgQ==:117 a=y8EK/9tc/U6QY+pUhnbtgQ==:17 a=kj9zAlcOel0A:10 a=dEuoMetlWLkA:10 a=VxmjJ2MpAAAA:8 a=6I5d2MoRAAAA:8 a=YxBL1-UpAAAA:8 a=EkcXrb_YAAAA:8 a=jnMofEQN8Fceji3S_UUA:9 a=CjuIK1q_8ugA:10 a=ztI4eMwfBtkA:10 a=UuLlkBnjUTgA:10 a=7gXAzLPJhVmCkEl4_tsf:22 a=IjZwj45LgO3ly-622nXo:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 375795D3; Sat, 13 Jan 2024 06:11:23 -0800 (PST) Received: by slippy.cwsent.com (Postfix, from userid 1000) id 01FCD22B; Sat, 13 Jan 2024 06:11:22 -0800 (PST) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Jessica Clarke , Cy Schubert , "src-committers@freebsd.org" , "dev-commits-src-all@freebsd.org" , "dev-commits-src-main@freebsd.org" , so@greebsd.org Subject: Re: git: cb350ba7bf7c - main - kerberos: Fix numerous segfaults when using weak crypto In-reply-to: <20240112074339.A581B23D@slippy.cwsent.com> References: <202401111331.40BDVZfn015429@gitrepo.freebsd.org> <20240112071106.C72D8235@slippy.cwsent.com> <20240112074339.A581B23D@slippy.cwsent.com> Comments: In-reply-to Cy Schubert message dated "Thu, 11 Jan 2024 23:43:39 -0800." List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 13 Jan 2024 06:11:22 -0800 Message-Id: <20240113141123.01FCD22B@slippy.cwsent.com> X-CMAE-Envelope: MS4xfOjtIbgOZPFwgjGYRQ5y1PLnFEUhRUejnm5THc98ah5ZxZtEJcUBv3nU4aTniJnY8uo9BsZGKI/YQoQlGN2B76nni3g4+CNTCSIKCFWPkcSuX1P8z3/v YYBYYz3K8ygD5lRRTiyKEDEcqiWmWxIH+/xn4jgOV1TBZYsDMqFU0qIBors5zo6huiANSZFpLYVes7aHHbP+YeqimkPBQE7D5em59Llts++EPRcMS0Pvu2Xq EqcrRhOwwlbsAmBcjd1jz1HqXCY8A/JiKHBaqwDBkVYY5w9l9AFZQEwTSG3G70oqX/nYxJyr7ye/9zB0d3tB0eX+4Zlb7HxzSPhgoKPnK5mXypyZy+CkLrua QXQj2JPj X-Spamd-Bar: - X-Spamd-Result: default: False [-1.69 / 15.00]; NEURAL_HAM_LONG(-1.00)[-1.000]; AUTH_NA(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.995]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_LOW(-0.10)[3.97.99.32:from]; TO_DN_EQ_ADDR_SOME(0.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]; MIME_TRACE(0.00)[0:+]; TO_DN_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; REPLYTO_EQ_FROM(0.00)[]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[dev-commits-src-all@freebsd.org,dev-commits-src-main@freebsd.org]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; HAS_REPLYTO(0.00)[Cy.Schubert@cschubert.com]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DMARC_NA(0.00)[cschubert.com]; RCVD_TLS_LAST(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; RCPT_COUNT_FIVE(0.00)[6] X-Rspamd-Queue-Id: 4TC0gy1VCwz4Jpc In message <20240112074339.A581B23D@slippy.cwsent.com>, Cy Schubert writes: > In message <20240112071106.C72D8235@slippy.cwsent.com>, Cy Schubert writes: > > In message , Jessica > > Clarke w > > rites: > > > On 11 Jan 2024, at 13:31, Cy Schubert wrote: > > > >=20 > > > > The branch main has been updated by cy: > > > >=20 > > > > URL: = > > > https://cgit.FreeBSD.org/src/commit/?id=3Dcb350ba7bf7ca7c4cb97ed2c20ab45a > f= > > > 60382cfb > > > >=20 > > > > commit cb350ba7bf7ca7c4cb97ed2c20ab45af60382cfb > > > > Author: Cy Schubert > > > > AuthorDate: 2023-12-06 15:30:05 +0000 > > > > Commit: Cy Schubert > > > > CommitDate: 2024-01-11 13:26:42 +0000 > > > >=20 > > > > kerberos: Fix numerous segfaults when using weak crypto > > > >=20 > > > > Weak crypto is provided by the openssl legacy provider which is > > > > not load by default. Load the legacy providers as needed. > > > >=20 > > > > When the legacy provider is loaded into the default context the = > > > default > > > > provider will no longer be automatically loaded. Without the = > > > default > > > > provider the various kerberos applicaions and functions will = > > > abort(). > > > > > > Hi, > > > This has completely broken macOS and Linux cross-building. Please > > > either fix this quickly or, if unable to, revert until such time as you > > > can. Note that patches can be tested by creating a PR against the > > > GitHub mirror. > > > > Thanks for the heads up. I see the problem and am working on a fix. > > I think the correct approach would be to separate the new > fbsd_ossl_provider_load() and unload functions into their own library > (instead of libroken). This avoids the less desirable option of including > bsd.cpu.mk in secure/lib/Makefile.common, which does build but could affect > future work. The alternative approach also requires secure/lib/libcrypto (because of libkrb5) being built during prebuild phase. Either way bsd.cpu.mk will need to be included in the secure/lib/libcrypto/Makefile.common. Both of these similar approaches, attempting to limit the change to local to Heimdal only result in the same Linux MacOS failure. This leaves us with enabling legacy (weak) crypto globally, like this: diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.c nf index 7996120cc67e..659c0b21abbd 100644 --- a/crypto/openssl/apps/openssl.cnf +++ b/crypto/openssl/apps/openssl.cnf @@ -57,6 +57,7 @@ providers = provider_sect # List of providers to load [provider_sect] default = default_sect +legacy = legacy_set # The fips section name should match the section name inside the # included fipsmodule.cnf. # fips = fips_sect @@ -70,8 +71,10 @@ default = default_sect # OpenSSL may not work correctly which could lead to significant system # problems including inability to remotely access the system. [default_sect] -# activate = 1 +activate = 1 +[legacy_sect] +activate = 1 #################################################################### [ ca ] Would this be acceptable or would we prefer to add bsd.cpu.mk to secure/libcrypto/Makefile.inc? -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0