Update OpenSSL 3 provider handling to clean up properly
Resolves: #1955873
This commit is contained in:
parent
e7aeea399f
commit
f1e7f38975
|
@ -1,4 +1,4 @@
|
|||
From 2ff2d98511cd86d0dba9500367a6ab0f6ee0d5fb Mon Sep 17 00:00:00 2001
|
||||
From 418e64100d1e3f8c8e3f773909347bad270a2921 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 11 Feb 2021 15:33:10 +0100
|
||||
Subject: [PATCH] Add KCM_OP_GET_CRED_LIST for faster iteration
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From cef07ebf97be9ed7aac4e2cecd96b82e6c030b96 Mon Sep 17 00:00:00 2001
|
||||
From 4c2f596da5ddb8a1687a4f9c969d5a8dcd2cbcc7 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Thu, 3 Jun 2021 16:03:07 -0400
|
||||
Subject: [PATCH] Allow kinit with keytab to defer canonicalization
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From d324514a8bee6d267555917f960560c3091dc137 Mon Sep 17 00:00:00 2001
|
||||
From 92a4b760d741494dacbb4d9db4cf2db9e3b01f2c Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 29 Mar 2021 14:32:56 -0400
|
||||
Subject: [PATCH] Fix KCM flag transmission for remove_cred
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From 63474541158d74bfd9133d4952fcad6d1d8bc7ad Mon Sep 17 00:00:00 2001
|
||||
From b4f3df953015bf6d2d4c973b458f778f31615c11 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Tue, 11 May 2021 14:04:07 -0400
|
||||
Subject: [PATCH] Fix KCM retrieval support for sssd
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From bebfa3616a34b58a4e29501412c7f5b8b2d56716 Mon Sep 17 00:00:00 2001
|
||||
From ddbd548562d951d327a10c9dcb975418427f6fea Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 7 Jun 2021 15:00:41 -0400
|
||||
Subject: [PATCH] Fix kadmin -k with fallback or referral realm
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From c6ec47dfe95c1ccbabe039fb56b730ed6422b422 Mon Sep 17 00:00:00 2001
|
||||
From 8f70ad82a645ccb7fb1677d260baa5e4112890d4 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Mon, 7 Jun 2021 13:27:29 -0400
|
||||
Subject: [PATCH] Fix some principal realm canonicalization cases
|
||||
|
|
|
@ -1,23 +1,28 @@
|
|||
From c4b890e5b033fc7c5ed0faa1c66883368e29ec24 Mon Sep 17 00:00:00 2001
|
||||
From e3f3d31a3db23f6c8437cd0efe45f67a7f4fc6aa Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Sat, 15 May 2021 21:18:06 -0400
|
||||
Subject: [PATCH] Handle OpenSSL 3's providers
|
||||
|
||||
OpenSSL 3 compartmentalizes what algorithms it uses, which for us means
|
||||
another hoop to jump through to use dubious cryptography. Right now, we
|
||||
need to load "legacy" in order to access MD4 and RC4.
|
||||
another hoop to jump through to use dubious cryptography. (Right now,
|
||||
we need to load "legacy" in order to access MD4 and RC4.)
|
||||
|
||||
(cherry picked from commit faac961a0d02c7818aad87c765eb344b87e668fa)
|
||||
[rharwood@redhat.com: des3 removal, rc4 FIPSification]
|
||||
Use our normal initializer logic to set up providers both in the OpenSSL
|
||||
provider an the PKINIT plugin. Since DT_FINI is too late, release them
|
||||
using atexit() as OpenSSL does.
|
||||
|
||||
(cherry picked from commit bea5a703a06da1f1ab56821b77a2d3661cb0dda4)
|
||||
[rharwood@redhat.com: work around des3 removal and rc4 fips changes]
|
||||
---
|
||||
src/configure.ac | 1 +
|
||||
src/lib/crypto/openssl/enc_provider/aes.c | 16 +++++++
|
||||
.../crypto/openssl/enc_provider/camellia.c | 16 +++++++
|
||||
src/lib/crypto/openssl/enc_provider/aes.c | 16 ++++++
|
||||
.../crypto/openssl/enc_provider/camellia.c | 16 ++++++
|
||||
src/lib/crypto/openssl/enc_provider/rc4.c | 4 ++
|
||||
.../crypto/openssl/hash_provider/hash_evp.c | 5 ++
|
||||
src/lib/crypto/openssl/init.c | 47 +++++++++++++++++++
|
||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 25 ++++++++--
|
||||
7 files changed, 111 insertions(+), 3 deletions(-)
|
||||
src/lib/crypto/openssl/init.c | 53 +++++++++++++++++++
|
||||
src/plugins/preauth/pkinit/Makefile.in | 1 +
|
||||
.../preauth/pkinit/pkinit_crypto_openssl.c | 33 ++++++++++--
|
||||
8 files changed, 126 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/configure.ac b/src/configure.ac
|
||||
index 9c2e816fe..20066918b 100644
|
||||
|
@ -128,20 +133,20 @@ index f79679a0b..7cc7fc6fb 100644
|
|||
if (ivec && ivec->data){
|
||||
if (ivec->length != sizeof(iv_cts))
|
||||
diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
index 9bf407899..4e7af3555 100644
|
||||
index 9bf407899..a10cb5192 100644
|
||||
--- a/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
+++ b/src/lib/crypto/openssl/enc_provider/rc4.c
|
||||
@@ -69,6 +69,10 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||
if (FIPS_mode())
|
||||
return KRB5_CRYPTO_INTERNAL;
|
||||
@@ -66,6 +66,10 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
struct arcfour_state *arcstate;
|
||||
|
||||
+ ret = krb5int_crypto_init();
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
arcstate = (state != NULL) ? (void *)state->data : NULL;
|
||||
if (arcstate != NULL) {
|
||||
ctx = arcstate->ctx;
|
||||
if (FIPS_mode())
|
||||
return KRB5_CRYPTO_INTERNAL;
|
||||
|
||||
diff --git a/src/lib/crypto/openssl/hash_provider/hash_evp.c b/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
index 2eb5139c0..09d7b3896 100644
|
||||
--- a/src/lib/crypto/openssl/hash_provider/hash_evp.c
|
||||
|
@ -159,10 +164,10 @@ index 2eb5139c0..09d7b3896 100644
|
|||
if (output->length != (unsigned int)EVP_MD_size(type))
|
||||
return KRB5_CRYPTO_INTERNAL;
|
||||
diff --git a/src/lib/crypto/openssl/init.c b/src/lib/crypto/openssl/init.c
|
||||
index 1139bce53..8342dece1 100644
|
||||
index 1139bce53..f72dbfe81 100644
|
||||
--- a/src/lib/crypto/openssl/init.c
|
||||
+++ b/src/lib/crypto/openssl/init.c
|
||||
@@ -26,6 +26,51 @@
|
||||
@@ -26,12 +26,65 @@
|
||||
|
||||
#include "crypto_int.h"
|
||||
|
||||
|
@ -177,8 +182,19 @@ index 1139bce53..8342dece1 100644
|
|||
+
|
||||
+#include <openssl/provider.h>
|
||||
+
|
||||
+OSSL_PROVIDER *legacy_provider = NULL;
|
||||
+OSSL_PROVIDER *default_provider = NULL;
|
||||
+static OSSL_PROVIDER *legacy_provider = NULL;
|
||||
+static OSSL_PROVIDER *default_provider = NULL;
|
||||
+
|
||||
+static void
|
||||
+unload_providers(void)
|
||||
+{
|
||||
+ if (default_provider != NULL)
|
||||
+ (void)OSSL_PROVIDER_unload(default_provider);
|
||||
+ if (legacy_provider != NULL)
|
||||
+ (void)OSSL_PROVIDER_unload(legacy_provider);
|
||||
+ default_provider = NULL;
|
||||
+ legacy_provider = NULL;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+krb5int_crypto_impl_init(void)
|
||||
|
@ -194,56 +210,76 @@ index 1139bce53..8342dece1 100644
|
|||
+ if (legacy_provider == NULL || default_provider == NULL)
|
||||
+ abort();
|
||||
+
|
||||
+ /*
|
||||
+ * If we attempt to do this with our normal LIBFINIFUNC logic (DT_FINI),
|
||||
+ * OpenSSL will have cleaned itself up by the time we're invoked. OpenSSL
|
||||
+ * registers its cleanup (OPENSSL_cleanup) with atexit() - do the same and
|
||||
+ * we'll be higher on the stack.
|
||||
+ */
|
||||
+ atexit(unload_providers);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+krb5int_crypto_impl_cleanup(void)
|
||||
+{
|
||||
+ if (legacy_provider != NULL)
|
||||
+ OSSL_PROVIDER_unload(legacy_provider);
|
||||
+ if (default_provider != NULL)
|
||||
+ OSSL_PROVIDER_unload(default_provider);
|
||||
+
|
||||
+ legacy_provider = NULL;
|
||||
+ default_provider = NULL;
|
||||
+}
|
||||
+
|
||||
+#else /* !HAVE_OSSL_PROVIDER_LOAD */
|
||||
+
|
||||
int
|
||||
krb5int_crypto_impl_init(void)
|
||||
{
|
||||
@@ -36,3 +81,5 @@ void
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#endif
|
||||
+
|
||||
void
|
||||
krb5int_crypto_impl_cleanup(void)
|
||||
{
|
||||
}
|
||||
+
|
||||
+#endif
|
||||
diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in
|
||||
index 15ca0eb48..d20fb18a8 100644
|
||||
--- a/src/plugins/preauth/pkinit/Makefile.in
|
||||
+++ b/src/plugins/preauth/pkinit/Makefile.in
|
||||
@@ -5,6 +5,7 @@ MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
|
||||
LIBBASE=pkinit
|
||||
LIBMAJOR=0
|
||||
LIBMINOR=0
|
||||
+LIBINITFUNC=pkinit_openssl_init
|
||||
RELDIR=../plugins/preauth/pkinit
|
||||
# Depends on libk5crypto and libkrb5
|
||||
SHLIB_EXPDEPS = \
|
||||
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
index 350c2118a..284702432 100644
|
||||
index 350c2118a..42e5c581d 100644
|
||||
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -44,6 +44,14 @@
|
||||
@@ -44,6 +44,13 @@
|
||||
#include <openssl/params.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_OSSL_PROVIDER_LOAD
|
||||
+#include <openssl/provider.h>
|
||||
+
|
||||
+/* TODO these leak - where to release them? */
|
||||
+OSSL_PROVIDER *legacy_provider = NULL;
|
||||
+OSSL_PROVIDER *default_provider = NULL;
|
||||
+static OSSL_PROVIDER *legacy_provider = NULL;
|
||||
+static OSSL_PROVIDER *default_provider = NULL;
|
||||
+#endif
|
||||
+
|
||||
static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context );
|
||||
static void pkinit_fini_pkinit_oids(pkinit_plg_crypto_context );
|
||||
|
||||
@@ -2937,12 +2945,23 @@ cleanup:
|
||||
@@ -2937,12 +2944,32 @@ cleanup:
|
||||
return retval;
|
||||
}
|
||||
|
||||
+/* Initialize OpenSSL. */
|
||||
+/* pkinit_openssl_init() and unload_providers() are largely duplicated from
|
||||
+ * lib/crypto/openssl/init.c - see explanations there. */
|
||||
+static void
|
||||
+unload_providers(void)
|
||||
+{
|
||||
+ if (default_provider != NULL)
|
||||
+ (void)OSSL_PROVIDER_unload(default_provider);
|
||||
+ if (legacy_provider != NULL)
|
||||
+ (void)OSSL_PROVIDER_unload(legacy_provider);
|
||||
+ default_provider = NULL;
|
||||
+ legacy_provider = NULL;
|
||||
+}
|
||||
+
|
||||
int
|
||||
pkinit_openssl_init()
|
||||
{
|
||||
|
@ -254,13 +290,10 @@ index 350c2118a..284702432 100644
|
|||
+ legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
|
||||
+ default_provider = OSSL_PROVIDER_load(NULL, "default");
|
||||
+
|
||||
+ /*
|
||||
+ * Someone might build openssl without the legacy provider. They will
|
||||
+ * have a bad time, but some things will still work. I don't know think
|
||||
+ * this configuration is worth supporting.
|
||||
+ */
|
||||
+ if (legacy_provider == NULL || default_provider == NULL)
|
||||
+ abort();
|
||||
+
|
||||
+ atexit(unload_providers);
|
||||
+#endif
|
||||
+
|
||||
return 0;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From e36bd9d3d31be5eef0625753dd27fb2182520ba2 Mon Sep 17 00:00:00 2001
|
||||
From 68a557557ab8a3208fab8a70daf4d970b9fc4787 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Tue, 30 Mar 2021 14:35:28 +0200
|
||||
Subject: [PATCH] Make KCM iteration fallback work with sssd-kcm
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From 45dd9fa8f227a7119816eae2f5e40823b74f5a85 Mon Sep 17 00:00:00 2001
|
||||
From d467303bd7c5dba858b0af30349ce796cebd193f Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu, 22 Apr 2021 15:51:36 -0400
|
||||
Subject: [PATCH] Move some dejagnu kadmin tests to Python tests
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From c02c77660cee3f61482bd4ad1274271b4838cf31 Mon Sep 17 00:00:00 2001
|
||||
From 43e3bca2a711de257091454bc5e25a985340d847 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Fri, 26 Mar 2021 23:38:54 -0400
|
||||
Subject: [PATCH] Use KCM_OP_RETRIEVE in KCM client
|
||||
|
|
|
@ -42,7 +42,7 @@
|
|||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.19.1
|
||||
Release: %{?zdpd}9%{?dist}
|
||||
Release: %{?zdpd}10%{?dist}
|
||||
|
||||
# rharwood has trust path to signing key and verifies on check-in
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
||||
|
@ -649,6 +649,10 @@ exit 0
|
|||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Wed Jul 14 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-10
|
||||
- Update OpenSSL 3 provider handling to clean up properly
|
||||
- Resolves: #1955873
|
||||
|
||||
* Mon Jun 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-9
|
||||
- Sync openssl3 patches with upstream
|
||||
- Resolves: #1955873
|
||||
|
|
Loading…
Reference in New Issue