From nobody Sat Jan 13 14:19:53 2024 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TC0sn0X9fz57f9X; Sat, 13 Jan 2024 14:19:57 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4TC0sm31d0z4Kfy; Sat, 13 Jan 2024 14:19:56 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of cy.schubert@cschubert.com has no SPF policy when checking 3.97.99.32) smtp.mailfrom=cy.schubert@cschubert.com Received: from shw-obgw-4004a.ext.cloudfilter.net ([10.228.9.227]) by cmsmtp with ESMTPS id Oe6nrEUtZxDxGOerbrVJXu; Sat, 13 Jan 2024 14:19:55 +0000 Received: from spqr.komquats.com ([70.66.152.170]) by cmsmtp with ESMTPSA id Oerar9YaWWIKPOerbr7iGL; Sat, 13 Jan 2024 14:19:55 +0000 X-Authority-Analysis: v=2.4 cv=D+pUl9dj c=1 sm=1 tr=0 ts=65a29c0b a=y8EK/9tc/U6QY+pUhnbtgQ==:117 a=y8EK/9tc/U6QY+pUhnbtgQ==:17 a=kj9zAlcOel0A:10 a=dEuoMetlWLkA:10 a=VxmjJ2MpAAAA:8 a=6I5d2MoRAAAA:8 a=YxBL1-UpAAAA:8 a=EkcXrb_YAAAA:8 a=F2mt8MKA_61uHnqjoOgA:9 a=CjuIK1q_8ugA:10 a=pK3_ou3pLUoA:10 a=ztI4eMwfBtkA:10 a=UuLlkBnjUTgA:10 a=7gXAzLPJhVmCkEl4_tsf:22 a=IjZwj45LgO3ly-622nXo:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 267ED5E0; Sat, 13 Jan 2024 06:19:54 -0800 (PST) Received: by slippy.cwsent.com (Postfix, from userid 1000) id E79B716E; Sat, 13 Jan 2024 06:19:53 -0800 (PST) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: Jessica Clarke , Cy Schubert , "src-committers@freebsd.org" , "dev-commits-src-all@freebsd.org" , "dev-commits-src-main@freebsd.org" , so@freebsd.org Subject: Re: git: cb350ba7bf7c - main - kerberos: Fix numerous segfaults when using weak crypto In-reply-to: <20240113141123.01FCD22B@slippy.cwsent.com> References: <202401111331.40BDVZfn015429@gitrepo.freebsd.org> <20240112071106.C72D8235@slippy.cwsent.com> <20240112074339.A581B23D@slippy.cwsent.com> <20240113141123.01FCD22B@slippy.cwsent.com> Comments: In-reply-to Cy Schubert message dated "Sat, 13 Jan 2024 06:11:22 -0800." List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 13 Jan 2024 06:19:53 -0800 Message-Id: <20240113141953.E79B716E@slippy.cwsent.com> X-CMAE-Envelope: MS4xfKLU4JPDAM/BW+QJXD7aEE0v57bNR9IbXxEw0IkTWjOMqgb7s2DPe1C6rkNYW+oc5Xn0qe3JDgozyGZT64GjFZoN+bHVPaUubqpY932W2L5ZDNS2VzAz 9METqoM1jWGPzGr0PkT4p7/La5MrHYsOeberqoJJe19w8FxRjM+pUjucItTUjkNJsqFel5Y07W/3T8SSy5cmJ98uzSLFUQ8iMdgIclORtTkm2ZiI26HqbbeD vwZunSya/BXpY12DKCErHvQUULfuDKDRYpczF1qFMUNCf5brACstBhus8qejR/ZrA2+MP1O1q15xgfZkpB8Pb55kAep+iFn8lgIxXgBI7iSSAr1Gl8EyS7bf bvqRrERIwNN/07XmndUFSmR88PdThg== X-Spamd-Bar: - X-Spamd-Result: default: False [-1.69 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; AUTH_NA(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.995]; MV_CASE(0.50)[]; MIME_GOOD(-0.10)[text/plain]; RCVD_IN_DNSWL_LOW(-0.10)[3.97.99.32:from]; TO_DN_EQ_ADDR_SOME(0.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US]; MIME_TRACE(0.00)[0:+]; TO_DN_SOME(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; REPLYTO_EQ_FROM(0.00)[]; R_DKIM_NA(0.00)[]; MLMMJ_DEST(0.00)[dev-commits-src-all@freebsd.org,dev-commits-src-main@freebsd.org]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; HAS_REPLYTO(0.00)[Cy.Schubert@cschubert.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DMARC_NA(0.00)[cschubert.com]; RCVD_TLS_LAST(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; RCPT_COUNT_FIVE(0.00)[6] X-Rspamd-Queue-Id: 4TC0sm31d0z4Kfy In message <20240113141123.01FCD22B@slippy.cwsent.com>, Cy Schubert writes: > In message <20240112074339.A581B23D@slippy.cwsent.com>, Cy Schubert writes: > > In message <20240112071106.C72D8235@slippy.cwsent.com>, Cy Schubert writes: > > > In message , Jessica > > > Clarke w > > > rites: > > > > On 11 Jan 2024, at 13:31, Cy Schubert wrote: > > > > >=20 > > > > > The branch main has been updated by cy: > > > > >=20 > > > > > URL: = > > > > https://cgit.FreeBSD.org/src/commit/?id=3Dcb350ba7bf7ca7c4cb97ed2c20ab4 > 5a > > f= > > > > 60382cfb > > > > >=20 > > > > > commit cb350ba7bf7ca7c4cb97ed2c20ab45af60382cfb > > > > > Author: Cy Schubert > > > > > AuthorDate: 2023-12-06 15:30:05 +0000 > > > > > Commit: Cy Schubert > > > > > CommitDate: 2024-01-11 13:26:42 +0000 > > > > >=20 > > > > > kerberos: Fix numerous segfaults when using weak crypto > > > > >=20 > > > > > Weak crypto is provided by the openssl legacy provider which is > > > > > not load by default. Load the legacy providers as needed. > > > > >=20 > > > > > When the legacy provider is loaded into the default context the = > > > > default > > > > > provider will no longer be automatically loaded. Without the = > > > > default > > > > > provider the various kerberos applicaions and functions will = > > > > abort(). > > > > > > > > Hi, > > > > This has completely broken macOS and Linux cross-building. Please > > > > either fix this quickly or, if unable to, revert until such time as you > > > > can. Note that patches can be tested by creating a PR against the > > > > GitHub mirror. > > > > > > Thanks for the heads up. I see the problem and am working on a fix. > > > > I think the correct approach would be to separate the new > > fbsd_ossl_provider_load() and unload functions into their own library > > (instead of libroken). This avoids the less desirable option of including > > bsd.cpu.mk in secure/lib/Makefile.common, which does build but could affect > > > future work. > > The alternative approach also requires secure/lib/libcrypto (because of > libkrb5) being built during prebuild phase. Either way bsd.cpu.mk will need > to be included in the secure/lib/libcrypto/Makefile.common. Both of these > similar approaches, attempting to limit the change to local to Heimdal only > result in the same Linux MacOS failure. This leaves us with enabling legacy > (weak) crypto globally, like this: > > diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.c > nf > index 7996120cc67e..659c0b21abbd 100644 > --- a/crypto/openssl/apps/openssl.cnf > +++ b/crypto/openssl/apps/openssl.cnf > @@ -57,6 +57,7 @@ providers = provider_sect > # List of providers to load > [provider_sect] > default = default_sect > +legacy = legacy_set > # The fips section name should match the section name inside the > # included fipsmodule.cnf. > # fips = fips_sect > @@ -70,8 +71,10 @@ default = default_sect > # OpenSSL may not work correctly which could lead to significant system > # problems including inability to remotely access the system. > [default_sect] > -# activate = 1 > +activate = 1 > > +[legacy_sect] > +activate = 1 > > #################################################################### > [ ca ] > > Would this be acceptable or would we prefer to add bsd.cpu.mk to > secure/libcrypto/Makefile.inc? Adding so@freebsd.org. -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0