Update OpenSSL 3 provider handling to clean up properly
Resolves: #1955873
This commit is contained in:
parent
e7aeea399f
commit
f1e7f38975
@ -1,4 +1,4 @@
|
|||||||
From 2ff2d98511cd86d0dba9500367a6ab0f6ee0d5fb Mon Sep 17 00:00:00 2001
|
From 418e64100d1e3f8c8e3f773909347bad270a2921 Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
Date: Thu, 11 Feb 2021 15:33:10 +0100
|
Date: Thu, 11 Feb 2021 15:33:10 +0100
|
||||||
Subject: [PATCH] Add KCM_OP_GET_CRED_LIST for faster iteration
|
Subject: [PATCH] Add KCM_OP_GET_CRED_LIST for faster iteration
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From cef07ebf97be9ed7aac4e2cecd96b82e6c030b96 Mon Sep 17 00:00:00 2001
|
From 4c2f596da5ddb8a1687a4f9c969d5a8dcd2cbcc7 Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Thu, 3 Jun 2021 16:03:07 -0400
|
Date: Thu, 3 Jun 2021 16:03:07 -0400
|
||||||
Subject: [PATCH] Allow kinit with keytab to defer canonicalization
|
Subject: [PATCH] Allow kinit with keytab to defer canonicalization
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From d324514a8bee6d267555917f960560c3091dc137 Mon Sep 17 00:00:00 2001
|
From 92a4b760d741494dacbb4d9db4cf2db9e3b01f2c Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Mon, 29 Mar 2021 14:32:56 -0400
|
Date: Mon, 29 Mar 2021 14:32:56 -0400
|
||||||
Subject: [PATCH] Fix KCM flag transmission for remove_cred
|
Subject: [PATCH] Fix KCM flag transmission for remove_cred
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 63474541158d74bfd9133d4952fcad6d1d8bc7ad Mon Sep 17 00:00:00 2001
|
From b4f3df953015bf6d2d4c973b458f778f31615c11 Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Tue, 11 May 2021 14:04:07 -0400
|
Date: Tue, 11 May 2021 14:04:07 -0400
|
||||||
Subject: [PATCH] Fix KCM retrieval support for sssd
|
Subject: [PATCH] Fix KCM retrieval support for sssd
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From bebfa3616a34b58a4e29501412c7f5b8b2d56716 Mon Sep 17 00:00:00 2001
|
From ddbd548562d951d327a10c9dcb975418427f6fea Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Mon, 7 Jun 2021 15:00:41 -0400
|
Date: Mon, 7 Jun 2021 15:00:41 -0400
|
||||||
Subject: [PATCH] Fix kadmin -k with fallback or referral realm
|
Subject: [PATCH] Fix kadmin -k with fallback or referral realm
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From c6ec47dfe95c1ccbabe039fb56b730ed6422b422 Mon Sep 17 00:00:00 2001
|
From 8f70ad82a645ccb7fb1677d260baa5e4112890d4 Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Mon, 7 Jun 2021 13:27:29 -0400
|
Date: Mon, 7 Jun 2021 13:27:29 -0400
|
||||||
Subject: [PATCH] Fix some principal realm canonicalization cases
|
Subject: [PATCH] Fix some principal realm canonicalization cases
|
||||||
|
@ -1,23 +1,28 @@
|
|||||||
From c4b890e5b033fc7c5ed0faa1c66883368e29ec24 Mon Sep 17 00:00:00 2001
|
From e3f3d31a3db23f6c8437cd0efe45f67a7f4fc6aa Mon Sep 17 00:00:00 2001
|
||||||
From: Robbie Harwood <rharwood@redhat.com>
|
From: Robbie Harwood <rharwood@redhat.com>
|
||||||
Date: Sat, 15 May 2021 21:18:06 -0400
|
Date: Sat, 15 May 2021 21:18:06 -0400
|
||||||
Subject: [PATCH] Handle OpenSSL 3's providers
|
Subject: [PATCH] Handle OpenSSL 3's providers
|
||||||
|
|
||||||
OpenSSL 3 compartmentalizes what algorithms it uses, which for us means
|
OpenSSL 3 compartmentalizes what algorithms it uses, which for us means
|
||||||
another hoop to jump through to use dubious cryptography. Right now, we
|
another hoop to jump through to use dubious cryptography. (Right now,
|
||||||
need to load "legacy" in order to access MD4 and RC4.
|
we need to load "legacy" in order to access MD4 and RC4.)
|
||||||
|
|
||||||
(cherry picked from commit faac961a0d02c7818aad87c765eb344b87e668fa)
|
Use our normal initializer logic to set up providers both in the OpenSSL
|
||||||
[rharwood@redhat.com: des3 removal, rc4 FIPSification]
|
provider an the PKINIT plugin. Since DT_FINI is too late, release them
|
||||||
|
using atexit() as OpenSSL does.
|
||||||
|
|
||||||
|
(cherry picked from commit bea5a703a06da1f1ab56821b77a2d3661cb0dda4)
|
||||||
|
[rharwood@redhat.com: work around des3 removal and rc4 fips changes]
|
||||||
---
|
---
|
||||||
src/configure.ac | 1 +
|
src/configure.ac | 1 +
|
||||||
src/lib/crypto/openssl/enc_provider/aes.c | 16 +++++++
|
src/lib/crypto/openssl/enc_provider/aes.c | 16 ++++++
|
||||||
.../crypto/openssl/enc_provider/camellia.c | 16 +++++++
|
.../crypto/openssl/enc_provider/camellia.c | 16 ++++++
|
||||||
src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++
|
src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++
|
||||||
.../crypto/openssl/hash_provider/hash_evp.c | 5 ++
|
.../crypto/openssl/hash_provider/hash_evp.c | 5 ++
|
||||||
src/lib/crypto/openssl/init.c | 47 +++++++++++++++++++
|
src/lib/crypto/openssl/init.c | 53 +++++++++++++++++++
|
||||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 25 ++++++++--
|
src/plugins/preauth/pkinit/Makefile.in | 1 +
|
||||||
7 files changed, 111 insertions(+), 3 deletions(-)
|
.../preauth/pkinit/pkinit_crypto_openssl.c | 33 ++++++++++--
|
||||||
|
8 files changed, 126 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/configure.ac b/src/configure.ac
|
diff --git a/src/configure.ac b/src/configure.ac
|
||||||
index 9c2e816fe..20066918b 100644
|
index 9c2e816fe..20066918b 100644
|
||||||
@ -128,20 +133,20 @@ index f79679a0b..7cc7fc6fb 100644
|
|||||||
if (ivec && ivec->data){
|
if (ivec && ivec->data){
|
||||||
if (ivec->length != sizeof(iv_cts))
|
if (ivec->length != sizeof(iv_cts))
|
||||||
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
index 9bf407899..4e7af3555 100644
|
index 9bf407899..a10cb5192 100644
|
||||||
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||||
@@ -69,6 +69,10 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
@@ -66,6 +66,10 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||||
if (FIPS_mode())
|
EVP_CIPHER_CTX *ctx = NULL;
|
||||||
return KRB5_CRYPTO_INTERNAL;
|
struct arcfour_state *arcstate;
|
||||||
|
|
||||||
+ ret = krb5int_crypto_init();
|
+ ret = krb5int_crypto_init();
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+
|
+
|
||||||
arcstate = (state != NULL) ? (void *)state->data : NULL;
|
if (FIPS_mode())
|
||||||
if (arcstate != NULL) {
|
return KRB5_CRYPTO_INTERNAL;
|
||||||
ctx = arcstate->ctx;
|
|
||||||
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||||
index 2eb5139c0..09d7b3896 100644
|
index 2eb5139c0..09d7b3896 100644
|
||||||
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||||
@ -159,10 +164,10 @@ index 2eb5139c0..09d7b3896 100644
|
|||||||
if (output->length != (unsigned int)EVP_MD_size(type))
|
if (output->length != (unsigned int)EVP_MD_size(type))
|
||||||
return KRB5_CRYPTO_INTERNAL;
|
return KRB5_CRYPTO_INTERNAL;
|
||||||
diff --git a/src/lib/crypto/openssl/init.c b/src/lib/crypto/openssl/init.c
|
diff --git a/src/lib/crypto/openssl/init.c b/src/lib/crypto/openssl/init.c
|
||||||
index 1139bce53..8342dece1 100644
|
index 1139bce53..f72dbfe81 100644
|
||||||
--- a/src/lib/crypto/openssl/init.c
|
--- a/src/lib/crypto/openssl/init.c
|
||||||
+++ b/src/lib/crypto/openssl/init.c
|
+++ b/src/lib/crypto/openssl/init.c
|
||||||
@@ -26,6 +26,51 @@
|
@@ -26,12 +26,65 @@
|
||||||
|
|
||||||
#include "crypto_int.h"
|
#include "crypto_int.h"
|
||||||
|
|
||||||
@ -177,8 +182,19 @@ index 1139bce53..8342dece1 100644
|
|||||||
+
|
+
|
||||||
+#include <openssl/provider.h>
|
+#include <openssl/provider.h>
|
||||||
+
|
+
|
||||||
+OSSL_PROVIDER *legacy_provider = NULL;
|
+static OSSL_PROVIDER *legacy_provider = NULL;
|
||||||
+OSSL_PROVIDER *default_provider = NULL;
|
+static OSSL_PROVIDER *default_provider = NULL;
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+unload_providers(void)
|
||||||
|
+{
|
||||||
|
+ if (default_provider != NULL)
|
||||||
|
+ (void)OSSL_PROVIDER_unload(default_provider);
|
||||||
|
+ if (legacy_provider != NULL)
|
||||||
|
+ (void)OSSL_PROVIDER_unload(legacy_provider);
|
||||||
|
+ default_provider = NULL;
|
||||||
|
+ legacy_provider = NULL;
|
||||||
|
+}
|
||||||
+
|
+
|
||||||
+int
|
+int
|
||||||
+krb5int_crypto_impl_init(void)
|
+krb5int_crypto_impl_init(void)
|
||||||
@ -194,56 +210,76 @@ index 1139bce53..8342dece1 100644
|
|||||||
+ if (legacy_provider == NULL || default_provider == NULL)
|
+ if (legacy_provider == NULL || default_provider == NULL)
|
||||||
+ abort();
|
+ abort();
|
||||||
+
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If we attempt to do this with our normal LIBFINIFUNC logic (DT_FINI),
|
||||||
|
+ * OpenSSL will have cleaned itself up by the time we're invoked. OpenSSL
|
||||||
|
+ * registers its cleanup (OPENSSL_cleanup) with atexit() - do the same and
|
||||||
|
+ * we'll be higher on the stack.
|
||||||
|
+ */
|
||||||
|
+ atexit(unload_providers);
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
|
||||||
+krb5int_crypto_impl_cleanup(void)
|
|
||||||
+{
|
|
||||||
+ if (legacy_provider != NULL)
|
|
||||||
+ OSSL_PROVIDER_unload(legacy_provider);
|
|
||||||
+ if (default_provider != NULL)
|
|
||||||
+ OSSL_PROVIDER_unload(default_provider);
|
|
||||||
+
|
|
||||||
+ legacy_provider = NULL;
|
|
||||||
+ default_provider = NULL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#else /* !HAVE_OSSL_PROVIDER_LOAD */
|
+#else /* !HAVE_OSSL_PROVIDER_LOAD */
|
||||||
+
|
+
|
||||||
int
|
int
|
||||||
krb5int_crypto_impl_init(void)
|
krb5int_crypto_impl_init(void)
|
||||||
{
|
{
|
||||||
@@ -36,3 +81,5 @@ void
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
void
|
||||||
krb5int_crypto_impl_cleanup(void)
|
krb5int_crypto_impl_cleanup(void)
|
||||||
{
|
{
|
||||||
}
|
diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in
|
||||||
+
|
index 15ca0eb48..d20fb18a8 100644
|
||||||
+#endif
|
--- a/src/plugins/preauth/pkinit/Makefile.in
|
||||||
|
+++ b/src/plugins/preauth/pkinit/Makefile.in
|
||||||
|
@@ -5,6 +5,7 @@ MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
|
||||||
|
LIBBASE=pkinit
|
||||||
|
LIBMAJOR=0
|
||||||
|
LIBMINOR=0
|
||||||
|
+LIBINITFUNC=pkinit_openssl_init
|
||||||
|
RELDIR=../plugins/preauth/pkinit
|
||||||
|
# Depends on libk5crypto and libkrb5
|
||||||
|
SHLIB_EXPDEPS = \
|
||||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
index 350c2118a..284702432 100644
|
index 350c2118a..42e5c581d 100644
|
||||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||||
@@ -44,6 +44,14 @@
|
@@ -44,6 +44,13 @@
|
||||||
#include <openssl/params.h>
|
#include <openssl/params.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
+#ifdef HAVE_OSSL_PROVIDER_LOAD
|
+#ifdef HAVE_OSSL_PROVIDER_LOAD
|
||||||
+#include <openssl/provider.h>
|
+#include <openssl/provider.h>
|
||||||
+
|
+
|
||||||
+/* TODO these leak - where to release them? */
|
+static OSSL_PROVIDER *legacy_provider = NULL;
|
||||||
+OSSL_PROVIDER *legacy_provider = NULL;
|
+static OSSL_PROVIDER *default_provider = NULL;
|
||||||
+OSSL_PROVIDER *default_provider = NULL;
|
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
|
static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
|
||||||
static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
|
static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
|
||||||
|
|
||||||
@@ -2937,12 +2945,23 @@ cleanup:
|
@@ -2937,12 +2944,32 @@ cleanup:
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
+/* Initialize OpenSSL. */
|
+/* pkinit_openssl_init() and unload_providers() are largely duplicated from
|
||||||
|
+ * lib/crypto/openssl/init.c - see explanations there. */
|
||||||
|
+static void
|
||||||
|
+unload_providers(void)
|
||||||
|
+{
|
||||||
|
+ if (default_provider != NULL)
|
||||||
|
+ (void)OSSL_PROVIDER_unload(default_provider);
|
||||||
|
+ if (legacy_provider != NULL)
|
||||||
|
+ (void)OSSL_PROVIDER_unload(legacy_provider);
|
||||||
|
+ default_provider = NULL;
|
||||||
|
+ legacy_provider = NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
int
|
int
|
||||||
pkinit_openssl_init()
|
pkinit_openssl_init()
|
||||||
{
|
{
|
||||||
@ -254,13 +290,10 @@ index 350c2118a..284702432 100644
|
|||||||
+ legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
|
+ legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
|
||||||
+ default_provider = OSSL_PROVIDER_load(NULL, "default");
|
+ default_provider = OSSL_PROVIDER_load(NULL, "default");
|
||||||
+
|
+
|
||||||
+ /*
|
|
||||||
+ * Someone might build openssl without the legacy provider. They will
|
|
||||||
+ * have a bad time, but some things will still work. I don't know think
|
|
||||||
+ * this configuration is worth supporting.
|
|
||||||
+ */
|
|
||||||
+ if (legacy_provider == NULL || default_provider == NULL)
|
+ if (legacy_provider == NULL || default_provider == NULL)
|
||||||
+ abort();
|
+ abort();
|
||||||
|
+
|
||||||
|
+ atexit(unload_providers);
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From e36bd9d3d31be5eef0625753dd27fb2182520ba2 Mon Sep 17 00:00:00 2001
|
From 68a557557ab8a3208fab8a70daf4d970b9fc4787 Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
Date: Tue, 30 Mar 2021 14:35:28 +0200
|
Date: Tue, 30 Mar 2021 14:35:28 +0200
|
||||||
Subject: [PATCH] Make KCM iteration fallback work with sssd-kcm
|
Subject: [PATCH] Make KCM iteration fallback work with sssd-kcm
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 45dd9fa8f227a7119816eae2f5e40823b74f5a85 Mon Sep 17 00:00:00 2001
|
From d467303bd7c5dba858b0af30349ce796cebd193f Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Thu, 22 Apr 2021 15:51:36 -0400
|
Date: Thu, 22 Apr 2021 15:51:36 -0400
|
||||||
Subject: [PATCH] Move some dejagnu kadmin tests to Python tests
|
Subject: [PATCH] Move some dejagnu kadmin tests to Python tests
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From c02c77660cee3f61482bd4ad1274271b4838cf31 Mon Sep 17 00:00:00 2001
|
From 43e3bca2a711de257091454bc5e25a985340d847 Mon Sep 17 00:00:00 2001
|
||||||
From: Greg Hudson <ghudson@mit.edu>
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
Date: Fri, 26 Mar 2021 23:38:54 -0400
|
Date: Fri, 26 Mar 2021 23:38:54 -0400
|
||||||
Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client
|
Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client
|
||||||
|
@ -42,7 +42,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.19.1
|
Version: 1.19.1
|
||||||
Release: %{?zdpd}9%{?dist}
|
Release: %{?zdpd}10%{?dist}
|
||||||
|
|
||||||
# rharwood has trust path to signing key and verifies on check-in
|
# rharwood has trust path to signing key and verifies on check-in
|
||||||
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
||||||
@ -649,6 +649,10 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 14 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-10
|
||||||
|
- Update OpenSSL 3 provider handling to clean up properly
|
||||||
|
- Resolves: #1955873
|
||||||
|
|
||||||
* Mon Jun 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-9
|
* Mon Jun 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-9
|
||||||
- Sync openssl3 patches with upstream
|
- Sync openssl3 patches with upstream
|
||||||
- Resolves: #1955873
|
- Resolves: #1955873
|
||||||
|
Loading…
Reference in New Issue
Block a user