kerberos: Fix numerous segfaults when using weak crypto

Weak crypto is provided by the openssl legacy provider which is
not loaded by default. Load the legacy providers as needed.

When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applications and functions will abort().

PR:			272835
MFC after:		3 days
Differential Revision:	https://reviews.freebsd.org/D43009
Tested by:		netchild, Joerg Pulz <Joerg.Pulz@frm2.tum.de>
Cy Schubert
2023-12-06 07:30:05 -08:00
parent ed1a88a311
commit cb350ba7bf
13 changed files with 81 additions and 8 deletions
+4
@@ -17,5 +17,9 @@
#include <openssl/ec.h>
#include <openssl/ecdsa.h>
#include <openssl/ecdh.h>
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
#include <openssl/provider.h>
#include "fbsd_ossl_provider.h"
#endif
#endif /* __crypto_headers_h__ */
+4
@@ -0,0 +1,4 @@
#ifndef __fbsd_ossl_provider_h
#define __fbsd_ossl_provider_h
int fbsd_ossl_provider_load(void);
#endif
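Review bot: The prototype in this new header has no comment stating its contract, so callers cannot tell from here that a non-zero return means the providers are unavailable. A comment such as `/* Returns 0 on success, otherwise an errno value; callers must not use legacy ciphers on failure. */` above `fbsd_ossl_provider_load` would make that explicit. The guard macro `__fbsd_ossl_provider_h` starts with a double underscore, which is reserved for the implementation; `FBSD_OSSL_PROVIDER_H` avoids that.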
+8 -3
@@ -2,7 +2,7 @@
PACKAGE= kerberos-lib
LIB= roken
LIBADD= crypt
LIBADD= crypt crypto
VERSION_MAP= ${KRB5DIR}/lib/roken/version-script.map
INCS= roken.h \
roken-common.h \
@@ -74,15 +74,20 @@ SRCS= base64.c \
vis.c \
warnerr.c \
write_pid.c \
xfree.c
xfree.c \
fbsd_ossl_provider_load.c
CFLAGS+=-I${KRB5DIR}/lib/roken -I.
CFLAGS+=-I${KRB5DIR}/lib/roken \
-I${SRCTOP}/kerberos5/include \
-I${KRB5DIR}/lib/krb5 \
-I${SRCTOP}/crypto/openssl/include -I.
CLEANFILES= roken.h
roken.h:
${MAKE_ROKEN} > ${.TARGET}
.include <bsd.lib.mk>
.PATH: ${KRB5DIR}/lib/roken
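Review bot: The added `-I${KRB5DIR}/lib/krb5` and `-I${SRCTOP}/kerberos5/include` make libroken build against libkrb5's private headers, which inverts the usual layering of roken below krb5. This appears to be needed only because the new `fbsd_ossl_provider_load.c` includes `<krb5_locl.h>`. If that file only needs the OpenSSL provider API, including `<openssl/provider.h>` and `<stdlib.h>` directly would let these include paths be dropped, keeping `-I${SRCTOP}/crypto/openssl/include`.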
@@ -0,0 +1,41 @@
#include <errno.h>
#include <krb5_locl.h>
static void fbsd_ossl_provider_unload(void);
static OSSL_PROVIDER *legacy;
static OSSL_PROVIDER *deflt;
static int providers_loaded = 0;
int
fbsd_ossl_provider_load(void)
{
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
if (providers_loaded == 0) {
if ((legacy = OSSL_PROVIDER_load(NULL, "legacy")) == NULL)
return (EINVAL);
if ((deflt = OSSL_PROVIDER_load(NULL, "default")) == NULL) {
OSSL_PROVIDER_unload(legacy);
return (EINVAL);
}
if (atexit(fbsd_ossl_provider_unload)) {
fbsd_ossl_provider_unload();
return (errno);
}
providers_loaded = 1;
}
#endif
return (0);
}
static void
fbsd_ossl_provider_unload(void)
{
#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
if (providers_loaded == 1) {
OSSL_PROVIDER_unload(legacy);
OSSL_PROVIDER_unload(deflt);
providers_loaded = 0;
}
#endif
}
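Review bot: In the `atexit()` failure branch of `fbsd_ossl_provider_load`, the call to `fbsd_ossl_provider_unload()` does nothing because `providers_loaded` is still 0 there, so both providers stay loaded while the function reports an error. Moving `providers_loaded = 1;` above the `atexit()` call lets the unload path release them and reset the flag. The file-scope `static OSSL_PROVIDER *legacy;` and `*deflt;` sit outside the `OPENSSL_VERSION_MAJOR >= 3` guards used in the function bodies, so the file would presumably not compile against an older OpenSSL where that type is not declared. Passing `NULL` to `OSSL_PROVIDER_load` puts the legacy provider in the default library context, which makes the weak algorithms fetchable by every OpenSSL consumer in the process rather than only by Kerberos code; a comment saying so would help. `providers_loaded` is also read and written without synchronization, so concurrent first calls could load the providers twice if this can be reached from several threads.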
+1 -1
@@ -11,7 +11,7 @@ SRCS= config.c \
CFLAGS+=-I${KRB5DIR}/lib/krb5 -I${KRB5DIR}/lib/asn1 -I${KRB5DIR}/lib/roken \
-I${KRB5DIR}/kdc -I${SRCTOP}/contrib/com_err ${LDAPCFLAGS}
LIBADD= kdc hdb krb5 roken crypt vers
LIBADD= kdc hdb krb5 roken crypt vers crypto
LDFLAGS=${LDAPLDFLAGS}
.include <bsd.prog.mk>