diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2023-12-06 15:30:05 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2024-01-18 07:46:57 +0000 |
| commit | 476d63e091c2e663b51d18acf6acb282e1f22bbc (patch) | |
| tree | 9152a75101033aad29c2d7a62621bc75686a6ea1 /kerberos5 | |
| parent | 7a4d1d1df0b2e369adcb32aea9ef8c180f885751 (diff) | |
| download | src-476d63e091c2e663b51d18acf6acb282e1f22bbc.tar.gz src-476d63e091c2e663b51d18acf6acb282e1f22bbc.zip | |
kerberos: Fix numerous segfaults when using weak crypto
Weak crypto is provided by the openssl legacy provider which is
not load by default. Load the legacy providers as needed.
When the legacy provider is loaded into the default context the default
provider will no longer be automatically loaded. Without the default
provider the various kerberos applicaions and functions will abort().
This is the second attempt at this patch. Instead of linking
secure/lib/libcrypto at build time we now link it at runtime, avoiding
buildworld failures under Linux and MacOS. This is because
TARGET_ENDIANNESS is undefined at pre-build time.
PR: 272835
MFC after: 3 days
X-MFC: only to stable/14
Tested by: netchild
Joerg Pulz <Joerg.Pulz@frm2.tum.de> (previous version)
Diffstat (limited to 'kerberos5')
| -rw-r--r-- | kerberos5/include/crypto-headers.h | 4 | ||||
| -rw-r--r-- | kerberos5/include/fbsd_ossl_provider.h | 4 | ||||
| -rw-r--r-- | kerberos5/lib/libroken/Makefile | 8 | ||||
| -rw-r--r-- | kerberos5/lib/libroken/fbsd_ossl_provider_load.c | 77 |
4 files changed, 91 insertions, 2 deletions
diff --git a/kerberos5/include/crypto-headers.h b/kerberos5/include/crypto-headers.h index 3ae0d9624ffd..2cc870642964 100644 --- a/kerberos5/include/crypto-headers.h +++ b/kerberos5/include/crypto-headers.h @@ -17,5 +17,9 @@ #include <openssl/ec.h> #include <openssl/ecdsa.h> #include <openssl/ecdh.h> +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) +#include <openssl/provider.h> +#include "fbsd_ossl_provider.h" +#endif #endif /* __crypto_headers_h__ */ diff --git a/kerberos5/include/fbsd_ossl_provider.h b/kerberos5/include/fbsd_ossl_provider.h new file mode 100644 index 000000000000..013983ca9f83 --- /dev/null +++ b/kerberos5/include/fbsd_ossl_provider.h @@ -0,0 +1,4 @@ +#ifndef __fbsd_ossl_provider_h +#define __fbsd_ossl_provider_h +int fbsd_ossl_provider_load(void); +#endif diff --git a/kerberos5/lib/libroken/Makefile b/kerberos5/lib/libroken/Makefile index 0c46ba6c4cb5..ca6d090e64f0 100644 --- a/kerberos5/lib/libroken/Makefile +++ b/kerberos5/lib/libroken/Makefile @@ -74,9 +74,13 @@ SRCS= base64.c \ vis.c \ warnerr.c \ write_pid.c \ - xfree.c + xfree.c \ + fbsd_ossl_provider_load.c -CFLAGS+=-I${KRB5DIR}/lib/roken -I. +CFLAGS+=-I${KRB5DIR}/lib/roken \ + -I${SRCTOP}/kerberos5/include \ + -I${KRB5DIR}/lib/krb5 \ + -I${SRCTOP}/crypto/openssl/include -I. CLEANFILES= roken.h diff --git a/kerberos5/lib/libroken/fbsd_ossl_provider_load.c b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c new file mode 100644 index 000000000000..497b32124f96 --- /dev/null +++ b/kerberos5/lib/libroken/fbsd_ossl_provider_load.c @@ -0,0 +1,77 @@ +#include <dlfcn.h> +#include <errno.h> +#include <stdio.h> +#include <stdlib.h> +#include <openssl/provider.h> + +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) +static void fbsd_ossl_provider_unload(void); +static void print_dlerror(char *); +static OSSL_PROVIDER *legacy; +static OSSL_PROVIDER *deflt; +static int providers_loaded = 0; +static OSSL_PROVIDER * (*ossl_provider_load)(OSSL_LIB_CTX *, const char*) = NULL; +static int (*ossl_provider_unload)(OSSL_PROVIDER *) = NULL; +static void *crypto_lib_handle = NULL; + +static void +fbsd_ossl_provider_unload(void) +{ + if (ossl_provider_unload == NULL) { + if (!(ossl_provider_unload = (int (*)(OSSL_PROVIDER*)) dlsym(crypto_lib_handle, "OSSL_PROVIDER_unload"))) { + print_dlerror("Unable to link OSSL_PROVIDER_unload"); + return; + } + } + if (providers_loaded == 1) { + (*ossl_provider_unload)(legacy); + (*ossl_provider_unload)(deflt); + providers_loaded = 0; + } +} + +static void +print_dlerror(char *message) +{ + char *errstr; + + if ((errstr = dlerror()) != NULL) + fprintf(stderr, "%s: %s\n", + message, errstr); +} +#endif + +int +fbsd_ossl_provider_load(void) +{ +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) + if (crypto_lib_handle == NULL) { + if (!(crypto_lib_handle = dlopen("/usr/lib/libcrypto.so", + RTLD_LAZY|RTLD_GLOBAL))) { + print_dlerror("Unable to load libcrypto.so"); + return (EINVAL); + } + } + if (ossl_provider_load == NULL) { + if (!(ossl_provider_load = (OSSL_PROVIDER * (*)(OSSL_LIB_CTX*, const char *)) dlsym(crypto_lib_handle, "OSSL_PROVIDER_load"))) { + print_dlerror("Unable to link OSSL_PROVIDER_load"); + return(ENOENT); + } + } + + if (providers_loaded == 0) { + if ((legacy = (*ossl_provider_load)(NULL, "legacy")) == NULL) + return (EINVAL); + if ((deflt = (*ossl_provider_load)(NULL, "default")) == NULL) { + (*ossl_provider_unload)(legacy); + return (EINVAL); + } + if (atexit(fbsd_ossl_provider_unload)) { + fbsd_ossl_provider_unload(); + return (errno); + } + providers_loaded = 1; + } +#endif + return (0); +} |