kerberos: Fix numerous segfaults when using weak crypto
Weak crypto is provided by the OpenSSL legacy provider, which is not loaded by default. Load the legacy provider as needed. When the legacy provider is explicitly loaded into the default library context, the default provider is no longer loaded automatically; without the default provider the various Kerberos applications and functions abort(). PR: 272835 MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D43009 Tested by: netchild, Joerg Pulz <Joerg.Pulz@frm2.tum.de>
@@ -17,5 +17,9 @@
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/ecdsa.h>
|
||||
#include <openssl/ecdh.h>
|
||||
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
|
||||
#include <openssl/provider.h>
|
||||
#include "fbsd_ossl_provider.h"
|
||||
#endif
|
||||
|
||||
#endif /* __crypto_headers_h__ */
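Review bot: The `#include "fbsd_ossl_provider.h"` is placed inside the `OPENSSL_VERSION_MAJOR >= 3` guard, so the prototype of fbsd_ossl_provider_load() is only visible to OpenSSL 3 builds, while the function itself (in the new roken source file) is compiled for every OpenSSL version and merely returns 0 when the version is older. Any caller that invokes it unconditionally will hit an implicit declaration on a pre-3 build; this is inferred from the guard shape, as no caller is visible in this change. Moving the `#include "fbsd_ossl_provider.h"` line below the `#endif` that closes the version guard would make the declaration's availability match the definition's. The `<openssl/provider.h>` include can stay guarded as it is.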
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
#ifndef __fbsd_ossl_provider_h
|
||||
#define __fbsd_ossl_provider_h
|
||||
int fbsd_ossl_provider_load(void);
|
||||
#endif
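Review bot: The new prototype carries no description of its contract, and the return convention (an errno value, not -1) is not obvious from the name. I would add above the declaration: `/* Load the OpenSSL "legacy" and "default" providers into the default library context so weak Kerberos enctypes work. No-op for OpenSSL < 3. Loaded once per process and unloaded via atexit(). Returns 0 on success or an errno value. */`. The guard macro `__fbsd_ossl_provider_h` uses a reserved double-underscore identifier; it does match the existing `__crypto_headers_h__` style in this tree, so this is only worth changing if the surrounding headers are changed too.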
|
||||
@@ -2,7 +2,7 @@
|
||||
PACKAGE= kerberos-lib
|
||||
|
||||
LIB= roken
|
||||
LIBADD= crypt
|
||||
LIBADD= crypt crypto
|
||||
VERSION_MAP= ${KRB5DIR}/lib/roken/version-script.map
|
||||
INCS= roken.h \
|
||||
roken-common.h \
|
||||
@@ -74,15 +74,20 @@ SRCS= base64.c \
|
||||
vis.c \
|
||||
warnerr.c \
|
||||
write_pid.c \
|
||||
xfree.c
|
||||
xfree.c \
|
||||
fbsd_ossl_provider_load.c
|
||||
|
||||
CFLAGS+=-I${KRB5DIR}/lib/roken -I.
|
||||
CFLAGS+=-I${KRB5DIR}/lib/roken \
|
||||
-I${SRCTOP}/kerberos5/include \
|
||||
-I${KRB5DIR}/lib/krb5 \
|
||||
-I${SRCTOP}/crypto/openssl/include -I.
|
||||
|
||||
CLEANFILES= roken.h
|
||||
|
||||
roken.h:
|
||||
${MAKE_ROKEN} > ${.TARGET}
|
||||
|
||||
|
||||
.include <bsd.lib.mk>
|
||||
|
||||
.PATH: ${KRB5DIR}/lib/roken
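Review bot: The added `-I${KRB5DIR}/lib/krb5` and `-I${SRCTOP}/kerberos5/include` on the CFLAGS line exist only so that fbsd_ossl_provider_load.c can include the private libkrb5 header `krb5_locl.h`, which inverts the normal layering in which libkrb5 builds on top of libroken. The new source file needs nothing from krb5_locl.h beyond the OpenSSL provider declarations, so including `<openssl/provider.h>` there directly would let these two include paths be dropped and keep libroken free of libkrb5's private headers. Adding `crypto` to LIBADD also makes libroken depend on libcrypto for every consumer of roken; that appears to be intended here, but it is worth a one-line comment in the Makefile noting that the dependency exists solely for the provider-loading helper.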
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
#include <errno.h>
|
||||
#include <krb5_locl.h>
|
||||
|
||||
static void fbsd_ossl_provider_unload(void);
|
||||
|
||||
static OSSL_PROVIDER *legacy;
|
||||
static OSSL_PROVIDER *deflt;
|
||||
static int providers_loaded = 0;
|
||||
|
||||
int
|
||||
fbsd_ossl_provider_load(void)
|
||||
{
|
||||
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
|
||||
if (providers_loaded == 0) {
|
||||
if ((legacy = OSSL_PROVIDER_load(NULL, "legacy")) == NULL)
|
||||
return (EINVAL);
|
||||
if ((deflt = OSSL_PROVIDER_load(NULL, "default")) == NULL) {
|
||||
OSSL_PROVIDER_unload(legacy);
|
||||
return (EINVAL);
|
||||
}
|
||||
if (atexit(fbsd_ossl_provider_unload)) {
|
||||
fbsd_ossl_provider_unload();
|
||||
return (errno);
|
||||
}
|
||||
providers_loaded = 1;
|
||||
}
|
||||
#endif
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
fbsd_ossl_provider_unload(void)
|
||||
{
|
||||
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
|
||||
if (providers_loaded == 1) {
|
||||
OSSL_PROVIDER_unload(legacy);
|
||||
OSSL_PROVIDER_unload(deflt);
|
||||
providers_loaded = 0;
|
||||
}
|
||||
#endif
|
||||
}
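Review bot: The atexit() failure branch in fbsd_ossl_provider_load() does `return (errno);`, but atexit() is not specified to set errno on failure, so after fbsd_ossl_provider_unload() has already dropped both providers the function can return a stale 0 and report success to the caller. Returning a fixed code, e.g. `return (ENOMEM);` or the `EINVAL` already used by the two OSSL_PROVIDER_load() failure branches, keeps the error visible. `providers_loaded`, `legacy` and `deflt` are plain statics checked and written without any synchronization; if this helper is reachable from several threads of a threaded libkrb5 consumer, concurrent first calls could load the providers twice and leak one pair of references, so it is worth either documenting a single-threaded-first-call requirement or guarding the load with a once-primitive. Since loading into the NULL library context affects the whole process, including any other OpenSSL user in the same program, a comment above the first OSSL_PROVIDER_load() such as `/* Loads into the default libctx: makes legacy algorithms available process-wide, and requires loading "default" explicitly since auto-loading stops once any provider is loaded. */` would help the next maintainer.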
|
||||
@@ -11,7 +11,7 @@ SRCS= config.c \
|
||||
|
||||
CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \
|
||||
-I${KRB5DIR}/kdc -I${SRCTOP}/contrib/com_err ${LDAPCFLAGS}
|
||||
LIBADD= kdc hdb krb5 roken crypt vers
|
||||
LIBADD= kdc hdb krb5 roken crypt vers crypto
|
||||
LDFLAGS=${LDAPLDFLAGS}
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
||||