From nobody Mon Jan 22 15:49:24 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TJZQs0xGwz57fmg; Mon, 22 Jan 2024 15:49:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4TJZQs0Mfhz4NlB; Mon, 22 Jan 2024 15:49:25 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1705938565; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=212154dIxDoYbSClHorq1WRpuYpdQSU2lnPwvPZ6UVE=; b=hqo+W/SO8qs/Q2yHTRN39dKyMfMm8Cf78arjcz/Zi4QdRd2vYMzP9w676MpXeOdXlO04x3 DPWqi9XAhRAcAfwdI9Yp2P6qOIYEQBuzgQEY+4dVSl1R+h8yR7Wu4xlwbI7gqjzUX0fV37 HKzxeNV8YFikAKZ/38hYssahqlCNkRxqUOJzAQmmDHEEdHXfuq9hUhO8ijm9OUT1Hrwu7y 5MkOrANgpXP1XL7yL1dWithkcSdvrsRn3DSKmaPfu8p2mSnv7LpNooIyuMdgXnZQMWpmtQ tNyGbjL3ApvMZlM892Nawe/MXYuOq3wicekPaATPRz9O2/FGZ7CRYSRpoajiBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1705938565; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=212154dIxDoYbSClHorq1WRpuYpdQSU2lnPwvPZ6UVE=; b=FD/oP2cDOWxbCj+UNti93O12PzzL2kolXRTtCtGrWU6D+3SSgo9g2q95jCOWV8PojktlXj azftgOF/T9G0ghyQ3H22+VLyK+pwWomo6jCqhPE1mVRgDLvSqyG1nakQ7KFJXCPnql+KFP AQ/10eFRp1YAWVDMXdwVkynq9oNi1n6ANClPo8F1X3+ulACETdmxXThOYF+C/8f3lUGtQZ aH5w9o6xbENCRjBt5F37GiRLcv9O0OrP3tWE/cGVIK8BoQnMaVFssiVh4RTYkUQgW+0Ejj 3ebFjqz/bOd/j8xegtKqRnV6LM31+Ln3/aAGIG8eurREJIjDaFQ10v0JVqZZzg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1705938565; a=rsa-sha256; cv=none; b=fnDxlwCG0Xa9yVx/A0Fo+CGlZJz0u1fWZ47nydZWvEj85JpK77fdFtRqivxXq9MmJV76lw g93kvG2lDFQzoUcrNTJzX4lliA/pBs+q4RoOkP1bMnWbd2Fn1HiKtjwIdAv1hb4OtVx24l iQUFoFjw+B6+IXT0NVHTGZc5fZUPtff5wHuS24f5WYVdAKRqL3LMu9ixatA+w2dboab5tH 7qFB+aPI5RgRImPJaZ8dgVS7gAjNXJo8HwaIILvn9zrKd4PV0qpSfAx9tF2adH73d6sBCT HLFQi5Uv97GAtpPIpZp3YPrm7VkVSqxgqj0+Pr58frm3CAGyy3dPvjXEHu8Urg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4TJZQr6XG8z17HY; Mon, 22 Jan 2024 15:49:24 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 40MFnOie034985; Mon, 22 Jan 2024 15:49:24 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 40MFnOoH034982; Mon, 22 Jan 2024 15:49:24 GMT (envelope-from git) Date: Mon, 22 Jan 2024 15:49:24 GMT Message-Id: <202401221549.40MFnOoH034982@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Cy Schubert Subject: git: c7db2e15e404 - stable/14 - kerberos: Fix numerous segfaults when using weak crypto List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cy X-Git-Repository: src X-Git-Refname: refs/heads/stable/14 X-Git-Reftype: branch X-Git-Commit: c7db2e15e4045e1daba939bb151fc5878f791c7b Auto-Submitted: auto-generated The branch stable/14 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=c7db2e15e4045e1daba939bb151fc5878f791c7b commit c7db2e15e4045e1daba939bb151fc5878f791c7b Author: Cy Schubert AuthorDate: 2023-12-06 15:30:05 +0000 Commit: Cy Schubert CommitDate: 2024-01-22 15:48:51 +0000 kerberos: Fix numerous segfaults when using weak crypto Weak crypto is provided by the openssl legacy provider which is not load by default. Load the legacy providers as needed. When the legacy provider is loaded into the default context the default provider will no longer be automatically loaded. Without the default provider the various kerberos applicaions and functions will abort(). This is the second attempt at this patch. Instead of linking secure/lib/libcrypto at build time we now link it at runtime, avoiding buildworld failures under Linux and MacOS. This is because TARGET_ENDIANNESS is undefined at pre-build time. PR: 272835 Tested by: netchild Joerg Pulz (previous version) (cherry picked from commit 476d63e091c2e663b51d18acf6acb282e1f22bbc) --- crypto/heimdal/lib/kadm5/create_s.c | 4 ++ crypto/heimdal/lib/kadm5/kadm5_locl.h | 1 + crypto/heimdal/lib/krb5/context.c | 4 ++ crypto/heimdal/lib/krb5/crypto.c | 3 + crypto/heimdal/lib/krb5/salt.c | 5 ++ crypto/heimdal/lib/roken/version-script.map | 1 + kerberos5/include/crypto-headers.h | 4 ++ kerberos5/include/fbsd_ossl_provider.h | 4 ++ kerberos5/lib/libroken/Makefile | 8 ++- kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 77 ++++++++++++++++++++++++ 10 files changed, 109 insertions(+), 2 deletions(-) diff --git a/crypto/heimdal/lib/kadm5/create_s.c b/crypto/heimdal/lib/kadm5/create_s.c index 1033ca103239..267e9bbda2a0 100644 --- a/crypto/heimdal/lib/kadm5/create_s.c +++ b/crypto/heimdal/lib/kadm5/create_s.c @@ -169,6 +169,10 @@ kadm5_s_create_principal(void *server_handle, ent.entry.keys.len = 0; ent.entry.keys.val = NULL; + ret = fbsd_ossl_provider_load(); + if (ret) + goto out; + ret = _kadm5_set_keys(context, &ent.entry, password); if (ret) goto out; diff --git a/crypto/heimdal/lib/kadm5/kadm5_locl.h b/crypto/heimdal/lib/kadm5/kadm5_locl.h index 68b6a5ebf024..63b367ab7e21 100644 --- a/crypto/heimdal/lib/kadm5/kadm5_locl.h +++ b/crypto/heimdal/lib/kadm5/kadm5_locl.h @@ -79,5 +79,6 @@ #include #include #include "private.h" +#include "fbsd_ossl_provider.h" #endif /* __KADM5_LOCL_H__ */ diff --git a/crypto/heimdal/lib/krb5/context.c b/crypto/heimdal/lib/krb5/context.c index 86bfe539b974..681bc9a0982f 100644 --- a/crypto/heimdal/lib/krb5/context.c +++ b/crypto/heimdal/lib/krb5/context.c @@ -392,6 +392,10 @@ krb5_init_context(krb5_context *context) } HEIMDAL_MUTEX_init(p->mutex); + ret = fbsd_ossl_provider_load(); + if(ret) + goto out; + p->flags |= KRB5_CTX_F_HOMEDIR_ACCESS; ret = krb5_get_default_config_files(&files); diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c index 67ecef62e875..6ee22609a4d5 100644 --- a/crypto/heimdal/lib/krb5/crypto.c +++ b/crypto/heimdal/lib/krb5/crypto.c @@ -2054,6 +2054,9 @@ krb5_crypto_init(krb5_context context, *crypto = NULL; return ret; } + ret = fbsd_ossl_provider_load(); + if (ret) + return ret; (*crypto)->key.schedule = NULL; (*crypto)->num_key_usage = 0; (*crypto)->key_usage = NULL; diff --git a/crypto/heimdal/lib/krb5/salt.c b/crypto/heimdal/lib/krb5/salt.c index 5e4c8a1c8572..2b1fbee80ab6 100644 --- a/crypto/heimdal/lib/krb5/salt.c +++ b/crypto/heimdal/lib/krb5/salt.c @@ -43,6 +43,8 @@ krb5_salttype_to_string (krb5_context context, struct _krb5_encryption_type *e; struct salt_type *st; + (void) fbsd_ossl_provider_load(); + e = _krb5_find_enctype (etype); if (e == NULL) { krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, @@ -75,6 +77,8 @@ krb5_string_to_salttype (krb5_context context, struct _krb5_encryption_type *e; struct salt_type *st; + (void) fbsd_ossl_provider_load(); + e = _krb5_find_enctype (etype); if (e == NULL) { krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, @@ -196,6 +200,7 @@ krb5_string_to_key_data_salt_opaque (krb5_context context, enctype); return KRB5_PROG_ETYPE_NOSUPP; } + (void) fbsd_ossl_provider_load(); for(st = et->keytype->string_to_key; st && st->type; st++) if(st->type == salt.salttype) return (*st->string_to_key)(context, enctype, password, diff --git a/crypto/heimdal/lib/roken/version-script.map b/crypto/heimdal/lib/roken/version-script.map index 72d2ea7e4f7c..bb2139ed74cc 100644 --- a/crypto/heimdal/lib/roken/version-script.map +++ b/crypto/heimdal/lib/roken/version-script.map @@ -13,6 +13,7 @@ HEIMDAL_ROKEN_1.0 { ct_memcmp; err; errx; + fbsd_ossl_provider_load; free_getarg_strings; get_default_username; get_window_size; diff --git a/kerberos5/include/crypto-headers.h b/kerberos5/include/crypto-headers.h index 3ae0d9624ffd..2cc870642964 100644 --- a/kerberos5/include/crypto-headers.h +++ b/kerberos5/include/crypto-headers.h @@ -17,5 +17,9 @@ #include #include #include +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) +#include +#include "fbsd_ossl_provider.h" +#endif #endif /* __crypto_headers_h__ */ diff --git a/kerberos5/include/fbsd_ossl_provider.h b/kerberos5/include/fbsd_ossl_provider.h new file mode 100644 index 000000000000..013983ca9f83 --- /dev/null +++ b/kerberos5/include/fbsd_ossl_provider.h @@ -0,0 +1,4 @@ +#ifndef __fbsd_ossl_provider_h +#define __fbsd_ossl_provider_h +int fbsd_ossl_provider_load(void); +#endif diff --git a/kerberos5/lib/libroken/Makefile b/kerberos5/lib/libroken/Makefile index 0c46ba6c4cb5..ca6d090e64f0 100644 --- a/kerberos5/lib/libroken/Makefile +++ b/kerberos5/lib/libroken/Makefile @@ -74,9 +74,13 @@ SRCS= base64.c \ vis.c \ warnerr.c \ write_pid.c \ - xfree.c + xfree.c \ + fbsd_ossl_provider_load.c -CFLAGS+=-I${KRB5DIR}/lib/roken -I. +CFLAGS+=-I${KRB5DIR}/lib/roken \ + -I${SRCTOP}/kerberos5/include \ + -I${KRB5DIR}/lib/krb5 \ + -I${SRCTOP}/crypto/openssl/include -I. CLEANFILES= roken.h diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c new file mode 100644 index 000000000000..497b32124f96 --- /dev/null +++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c @@ -0,0 +1,77 @@ +#include +#include +#include +#include +#include + +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) +static void fbsd_ossl_provider_unload(void); +static void print_dlerror(char *); +static OSSL_PROVIDER *legacy; +static OSSL_PROVIDER *deflt; +static int providers_loaded = 0; +static OSSL_PROVIDER * (*ossl_provider_load)(OSSL_LIB_CTX *, const char*) = NULL; +static int (*ossl_provider_unload)(OSSL_PROVIDER *) = NULL; +static void *crypto_lib_handle = NULL; + +static void +fbsd_ossl_provider_unload(void) +{ + if (ossl_provider_unload == NULL) { + if (!(ossl_provider_unload = (int (*)(OSSL_PROVIDER*)) dlsym(crypto_lib_handle, "OSSL_PROVIDER_unload"))) { + print_dlerror("Unable to link OSSL_PROVIDER_unload"); + return; + } + } + if (providers_loaded == 1) { + (*ossl_provider_unload)(legacy); + (*ossl_provider_unload)(deflt); + providers_loaded = 0; + } +} + +static void +print_dlerror(char *message) +{ + char *errstr; + + if ((errstr = dlerror()) != NULL) + fprintf(stderr, "%s: %s\n", + message, errstr); +} +#endif + +int +fbsd_ossl_provider_load(void) +{ +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) + if (crypto_lib_handle == NULL) { + if (!(crypto_lib_handle = dlopen("/usr/lib/libcrypto.so", + RTLD_LAZY|RTLD_GLOBAL))) { + print_dlerror("Unable to load libcrypto.so"); + return (EINVAL); + } + } + if (ossl_provider_load == NULL) { + if (!(ossl_provider_load = (OSSL_PROVIDER * (*)(OSSL_LIB_CTX*, const char *)) dlsym(crypto_lib_handle, "OSSL_PROVIDER_load"))) { + print_dlerror("Unable to link OSSL_PROVIDER_load"); + return(ENOENT); + } + } + + if (providers_loaded == 0) { + if ((legacy = (*ossl_provider_load)(NULL, "legacy")) == NULL) + return (EINVAL); + if ((deflt = (*ossl_provider_load)(NULL, "default")) == NULL) { + (*ossl_provider_unload)(legacy); + return (EINVAL); + } + if (atexit(fbsd_ossl_provider_unload)) { + fbsd_ossl_provider_unload(); + return (errno); + } + providers_loaded = 1; + } +#endif + return (0); +}