From f1e7f38975650da0b0b61c959df38c7a140b52bb Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 14 Jul 2021 16:32:30 -0400
Subject: [PATCH] Update OpenSSL 3 provider handling to clean up properly

Resolves: #1955873
---
 ...P_GET_CRED_LIST-for-faster-iteration.patch |   2 +-
 ...ith-keytab-to-defer-canonicalization.patch |   2 +-
 ...CM-flag-transmission-for-remove_cred.patch |   2 +-
 Fix-KCM-retrieval-support-for-sssd.patch      |   2 +-
 ...in-k-with-fallback-or-referral-realm.patch |   2 +-
 ...incipal-realm-canonicalization-cases.patch |   2 +-
 Handle-OpenSSL-3-s-providers.patch            | 131 +++++++++++-------
 ...teration-fallback-work-with-sssd-kcm.patch |   2 +-
 ...dejagnu-kadmin-tests-to-Python-tests.patch |   2 +-
 Use-KCM_OP_RETRIEVE-in-KCM-client.patch       |   2 +-
 krb5.spec                                     |   6 +-
 11 files changed, 96 insertions(+), 59 deletions(-)

diff --git a/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch b/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch
index e8097ed..5187e5c 100644
--- a/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch
+++ b/Add-KCM_OP_GET_CRED_LIST-for-faster-iteration.patch
@@ -1,4 +1,4 @@
-From 2ff2d98511cd86d0dba9500367a6ab0f6ee0d5fb Mon Sep 17 00:00:00 2001
+From 418e64100d1e3f8c8e3f773909347bad270a2921 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
 Date: Thu, 11 Feb 2021 15:33:10 +0100
 Subject: [PATCH] Add KCM_OP_GET_CRED_LIST for faster iteration
diff --git a/Allow-kinit-with-keytab-to-defer-canonicalization.patch b/Allow-kinit-with-keytab-to-defer-canonicalization.patch
index 37327fa..269eec4 100644
--- a/Allow-kinit-with-keytab-to-defer-canonicalization.patch
+++ b/Allow-kinit-with-keytab-to-defer-canonicalization.patch
@@ -1,4 +1,4 @@
-From cef07ebf97be9ed7aac4e2cecd96b82e6c030b96 Mon Sep 17 00:00:00 2001
+From 4c2f596da5ddb8a1687a4f9c969d5a8dcd2cbcc7 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 3 Jun 2021 16:03:07 -0400
 Subject: [PATCH] Allow kinit with keytab to defer canonicalization
diff --git a/Fix-KCM-flag-transmission-for-remove_cred.patch b/Fix-KCM-flag-transmission-for-remove_cred.patch
index de5679b..e084c39 100644
--- a/Fix-KCM-flag-transmission-for-remove_cred.patch
+++ b/Fix-KCM-flag-transmission-for-remove_cred.patch
@@ -1,4 +1,4 @@
-From d324514a8bee6d267555917f960560c3091dc137 Mon Sep 17 00:00:00 2001
+From 92a4b760d741494dacbb4d9db4cf2db9e3b01f2c Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 29 Mar 2021 14:32:56 -0400
 Subject: [PATCH] Fix KCM flag transmission for remove_cred
diff --git a/Fix-KCM-retrieval-support-for-sssd.patch b/Fix-KCM-retrieval-support-for-sssd.patch
index bf130b6..a0cd5ad 100644
--- a/Fix-KCM-retrieval-support-for-sssd.patch
+++ b/Fix-KCM-retrieval-support-for-sssd.patch
@@ -1,4 +1,4 @@
-From 63474541158d74bfd9133d4952fcad6d1d8bc7ad Mon Sep 17 00:00:00 2001
+From b4f3df953015bf6d2d4c973b458f778f31615c11 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Tue, 11 May 2021 14:04:07 -0400
 Subject: [PATCH] Fix KCM retrieval support for sssd
diff --git a/Fix-kadmin-k-with-fallback-or-referral-realm.patch b/Fix-kadmin-k-with-fallback-or-referral-realm.patch
index 73a119b..07a202d 100644
--- a/Fix-kadmin-k-with-fallback-or-referral-realm.patch
+++ b/Fix-kadmin-k-with-fallback-or-referral-realm.patch
@@ -1,4 +1,4 @@
-From bebfa3616a34b58a4e29501412c7f5b8b2d56716 Mon Sep 17 00:00:00 2001
+From ddbd548562d951d327a10c9dcb975418427f6fea Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 7 Jun 2021 15:00:41 -0400
 Subject: [PATCH] Fix kadmin -k with fallback or referral realm
diff --git a/Fix-some-principal-realm-canonicalization-cases.patch b/Fix-some-principal-realm-canonicalization-cases.patch
index 4a68959..5473b5d 100644
--- a/Fix-some-principal-realm-canonicalization-cases.patch
+++ b/Fix-some-principal-realm-canonicalization-cases.patch
@@ -1,4 +1,4 @@
-From c6ec47dfe95c1ccbabe039fb56b730ed6422b422 Mon Sep 17 00:00:00 2001
+From 8f70ad82a645ccb7fb1677d260baa5e4112890d4 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Mon, 7 Jun 2021 13:27:29 -0400
 Subject: [PATCH] Fix some principal realm canonicalization cases
diff --git a/Handle-OpenSSL-3-s-providers.patch b/Handle-OpenSSL-3-s-providers.patch
index 8591963..d7b0d90 100644
--- a/Handle-OpenSSL-3-s-providers.patch
+++ b/Handle-OpenSSL-3-s-providers.patch
@@ -1,23 +1,28 @@
-From c4b890e5b033fc7c5ed0faa1c66883368e29ec24 Mon Sep 17 00:00:00 2001
+From e3f3d31a3db23f6c8437cd0efe45f67a7f4fc6aa Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Sat, 15 May 2021 21:18:06 -0400
 Subject: [PATCH] Handle OpenSSL 3's providers
 
 OpenSSL 3 compartmentalizes what algorithms it uses, which for us means
-another hoop to jump through to use dubious cryptography.  Right now, we
-need to load "legacy" in order to access MD4 and RC4.
+another hoop to jump through to use dubious cryptography.  (Right now,
+we need to load "legacy" in order to access MD4 and RC4.)
 
-(cherry picked from commit faac961a0d02c7818aad87c765eb344b87e668fa)
-[rharwood@redhat.com: des3 removal, rc4 FIPSification]
+Use our normal initializer logic to set up providers both in the OpenSSL
+provider an the PKINIT plugin.  Since DT_FINI is too late, release them
+using atexit() as OpenSSL does.
+
+(cherry picked from commit bea5a703a06da1f1ab56821b77a2d3661cb0dda4)
+[rharwood@redhat.com: work around des3 removal and rc4 fips changes]
 ---
  src/configure.ac                              |  1 +
- src/lib/crypto/openssl/enc_provider/aes.c     | 16 +++++++
- .../crypto/openssl/enc_provider/camellia.c    | 16 +++++++
+ src/lib/crypto/openssl/enc_provider/aes.c     | 16 ++++++
+ .../crypto/openssl/enc_provider/camellia.c    | 16 ++++++
  src/lib/crypto/openssl/enc_provider/rc4.c     |  4 ++
  .../crypto/openssl/hash_provider/hash_evp.c   |  5 ++
- src/lib/crypto/openssl/init.c                 | 47 +++++++++++++++++++
- .../preauth/pkinit/pkinit_crypto_openssl.c    | 25 ++++++++--
- 7 files changed, 111 insertions(+), 3 deletions(-)
+ src/lib/crypto/openssl/init.c                 | 53 +++++++++++++++++++
+ src/plugins/preauth/pkinit/Makefile.in        |  1 +
+ .../preauth/pkinit/pkinit_crypto_openssl.c    | 33 ++++++++++--
+ 8 files changed, 126 insertions(+), 3 deletions(-)
 
 diff --git a/src/configure.ac b/src/configure.ac
 index 9c2e816fe..20066918b 100644
@@ -128,20 +133,20 @@ index f79679a0b..7cc7fc6fb 100644
      if (ivec && ivec->data){
          if (ivec->length != sizeof(iv_cts))
 diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
-index 9bf407899..4e7af3555 100644
+index 9bf407899..a10cb5192 100644
 --- a/src/lib/crypto/openssl/enc_provider/rc4.c
 +++ b/src/lib/crypto/openssl/enc_provider/rc4.c
-@@ -69,6 +69,10 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
-     if (FIPS_mode())
-         return KRB5_CRYPTO_INTERNAL;
+@@ -66,6 +66,10 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
+     EVP_CIPHER_CTX *ctx = NULL;
+     struct arcfour_state *arcstate;
  
 +    ret = krb5int_crypto_init();
 +    if (ret)
 +        return ret;
 +
-     arcstate = (state != NULL) ? (void *)state->data : NULL;
-     if (arcstate != NULL) {
-         ctx = arcstate->ctx;
+     if (FIPS_mode())
+         return KRB5_CRYPTO_INTERNAL;
+ 
 diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
 index 2eb5139c0..09d7b3896 100644
 --- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
@@ -159,10 +164,10 @@ index 2eb5139c0..09d7b3896 100644
      if (output->length != (unsigned int)EVP_MD_size(type))
          return KRB5_CRYPTO_INTERNAL;
 diff --git a/src/lib/crypto/openssl/init.c b/src/lib/crypto/openssl/init.c
-index 1139bce53..8342dece1 100644
+index 1139bce53..f72dbfe81 100644
 --- a/src/lib/crypto/openssl/init.c
 +++ b/src/lib/crypto/openssl/init.c
-@@ -26,6 +26,51 @@
+@@ -26,12 +26,65 @@
  
  #include "crypto_int.h"
  
@@ -177,8 +182,19 @@ index 1139bce53..8342dece1 100644
 +
 +#include <openssl/provider.h>
 +
-+OSSL_PROVIDER *legacy_provider = NULL;
-+OSSL_PROVIDER *default_provider = NULL;
++static OSSL_PROVIDER *legacy_provider = NULL;
++static OSSL_PROVIDER *default_provider = NULL;
++
++static void
++unload_providers(void)
++{
++    if (default_provider != NULL)
++        (void)OSSL_PROVIDER_unload(default_provider);
++    if (legacy_provider != NULL)
++        (void)OSSL_PROVIDER_unload(legacy_provider);
++    default_provider = NULL;
++    legacy_provider = NULL;
++}
 +
 +int
 +krb5int_crypto_impl_init(void)
@@ -194,56 +210,76 @@ index 1139bce53..8342dece1 100644
 +    if (legacy_provider == NULL || default_provider == NULL)
 +        abort();
 +
++    /*
++     * If we attempt to do this with our normal LIBFINIFUNC logic (DT_FINI),
++     * OpenSSL will have cleaned itself up by the time we're invoked.  OpenSSL
++     * registers its cleanup (OPENSSL_cleanup) with atexit() - do the same and
++     * we'll be higher on the stack.
++     */
++    atexit(unload_providers);
 +    return 0;
 +}
 +
-+void
-+krb5int_crypto_impl_cleanup(void)
-+{
-+    if (legacy_provider != NULL)
-+        OSSL_PROVIDER_unload(legacy_provider);
-+    if (default_provider != NULL)
-+        OSSL_PROVIDER_unload(default_provider);
-+
-+    legacy_provider = NULL;
-+    default_provider = NULL;
-+}
-+
 +#else /* !HAVE_OSSL_PROVIDER_LOAD */
 +
  int
  krb5int_crypto_impl_init(void)
  {
-@@ -36,3 +81,5 @@ void
+     return 0;
+ }
+ 
++#endif
++
+ void
  krb5int_crypto_impl_cleanup(void)
  {
- }
-+
-+#endif
+diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in
+index 15ca0eb48..d20fb18a8 100644
+--- a/src/plugins/preauth/pkinit/Makefile.in
++++ b/src/plugins/preauth/pkinit/Makefile.in
+@@ -5,6 +5,7 @@ MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
+ LIBBASE=pkinit
+ LIBMAJOR=0
+ LIBMINOR=0
++LIBINITFUNC=pkinit_openssl_init
+ RELDIR=../plugins/preauth/pkinit
+ # Depends on libk5crypto and libkrb5
+ SHLIB_EXPDEPS = \
 diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 350c2118a..284702432 100644
+index 350c2118a..42e5c581d 100644
 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
 +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -44,6 +44,14 @@
+@@ -44,6 +44,13 @@
  #include <openssl/params.h>
  #endif
  
 +#ifdef HAVE_OSSL_PROVIDER_LOAD
 +#include <openssl/provider.h>
 +
-+/* TODO these leak - where to release them? */
-+OSSL_PROVIDER *legacy_provider = NULL;
-+OSSL_PROVIDER *default_provider = NULL;
++static OSSL_PROVIDER *legacy_provider = NULL;
++static OSSL_PROVIDER *default_provider = NULL;
 +#endif
 +
  static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
  static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
  
-@@ -2937,12 +2945,23 @@ cleanup:
+@@ -2937,12 +2944,32 @@ cleanup:
      return retval;
  }
  
-+/* Initialize OpenSSL. */
++/* pkinit_openssl_init() and unload_providers() are largely duplicated from
++ * lib/crypto/openssl/init.c - see explanations there. */
++static void
++unload_providers(void)
++{
++    if (default_provider != NULL)
++        (void)OSSL_PROVIDER_unload(default_provider);
++    if (legacy_provider != NULL)
++        (void)OSSL_PROVIDER_unload(legacy_provider);
++    default_provider = NULL;
++    legacy_provider = NULL;
++}
++
  int
  pkinit_openssl_init()
  {
@@ -254,13 +290,10 @@ index 350c2118a..284702432 100644
 +    legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
 +    default_provider = OSSL_PROVIDER_load(NULL, "default");
 +
-+    /*
-+     * Someone might build openssl without the legacy provider.  They will
-+     * have a bad time, but some things will still work.  I don't know think
-+     * this configuration is worth supporting.
-+     */
 +    if (legacy_provider == NULL || default_provider == NULL)
 +        abort();
++
++    atexit(unload_providers);
 +#endif
 +
      return 0;
diff --git a/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch b/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
index c8686f3..b4ef05b 100644
--- a/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
+++ b/Make-KCM-iteration-fallback-work-with-sssd-kcm.patch
@@ -1,4 +1,4 @@
-From e36bd9d3d31be5eef0625753dd27fb2182520ba2 Mon Sep 17 00:00:00 2001
+From 68a557557ab8a3208fab8a70daf4d970b9fc4787 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
 Date: Tue, 30 Mar 2021 14:35:28 +0200
 Subject: [PATCH] Make KCM iteration fallback work with sssd-kcm
diff --git a/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch b/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
index 45c1722..aba67b9 100644
--- a/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
+++ b/Move-some-dejagnu-kadmin-tests-to-Python-tests.patch
@@ -1,4 +1,4 @@
-From 45dd9fa8f227a7119816eae2f5e40823b74f5a85 Mon Sep 17 00:00:00 2001
+From d467303bd7c5dba858b0af30349ce796cebd193f Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Thu, 22 Apr 2021 15:51:36 -0400
 Subject: [PATCH] Move some dejagnu kadmin tests to Python tests
diff --git a/Use-KCM_OP_RETRIEVE-in-KCM-client.patch b/Use-KCM_OP_RETRIEVE-in-KCM-client.patch
index f6f47c3..4884d1f 100644
--- a/Use-KCM_OP_RETRIEVE-in-KCM-client.patch
+++ b/Use-KCM_OP_RETRIEVE-in-KCM-client.patch
@@ -1,4 +1,4 @@
-From c02c77660cee3f61482bd4ad1274271b4838cf31 Mon Sep 17 00:00:00 2001
+From 43e3bca2a711de257091454bc5e25a985340d847 Mon Sep 17 00:00:00 2001
 From: Greg Hudson <ghudson@mit.edu>
 Date: Fri, 26 Mar 2021 23:38:54 -0400
 Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client
diff --git a/krb5.spec b/krb5.spec
index ff3f72e..e9e00c8 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}9%{?dist}
+Release: %{?zdpd}10%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -649,6 +649,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Wed Jul 14 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-10
+- Update OpenSSL 3 provider handling to clean up properly
+- Resolves: #1955873
+
 * Mon Jun 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-9
 - Sync openssl3 patches with upstream
 - Resolves: #1955873