[Bug 276415] security/heimdal: kinit FreeBSD 14.0 fails with kinit: rc4 8: EVP_CipherInit_ex einit

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 18 Jan 2024 05:33:57 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276415

            Bug ID: 276415
           Summary: security/heimdal: kinit FreeBSD 14.0 fails with kinit:
                    rc4 8: EVP_CipherInit_ex einit
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: hrs@FreeBSD.org
          Reporter: jborean93@gmail.com
             Flags: maintainer-feedback?(hrs@FreeBSD.org)

Created attachment 247736
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=247736&action=edit
Rudimentary diff to get this working again

Using the security/heimdal port fails on FreeBSD 14.0 when trying to use kinit
to get a Kerberos ticket for a user. The error message is

> kinit: rc4 8: EVP_CipherInit_ex einit

I've spent some time trying to track this down and, like the issue
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275915, it's due to OpenSSL
policies disabling the RC4 cipher. Unlike issue 275915, you cannot work around
this: even though the etype used in the Kerberos exchange is based on AES, the
code itself does a basic validation test to see if RC4 is available
(https://github.com/heimdal/heimdal/blob/366016b1f6ceb760c99231b15033e4dacf5060c9/lib/hcrypto/validate.c#L104-L212).
The only way to get this working is to remove the tests and recompile the code.

Potentially there's a way to re-enable RC4 in OpenSSL but I need to look
further into this.

I've also submitted an issue report on the upstream Heimdal repo
https://github.com/heimdal/heimdal/issues/1224 which contains more details on
the bug.
