Current-Users archive


Re: kerberos issues with 10.0_BETA post openssl update



> Date: Wed, 6 Sep 2023 09:54:16 +1200
> From: Mark Davies <mark%ecs.vuw.ac.nz@localhost>
> 
> OK, found a simpler reproducible crash.  Run "kadmin -l" on a kdc and 
> try to change a password.
> 
> xen2# kadmin -l
> kadmin> passwd ecsproctor
> ecsproctor%ECS.VUW.AC.NZ@localhost's Password:
> Verifying - ecsproctor%ECS.VUW.AC.NZ@localhost's Password:
> Segmentation fault (core dumped)
> 
> Here is the backtrace
> 
> Core was generated by `kadmin'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x0000000000000000 in ?? ()
> (gdb) where
> #0  0x0000000000000000 in ?? ()
> #1  0x00007f11ca0423d4 in ARCFOUR_string_to_key (context=0x7f11cafc7000, 
> enctype=KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
>      password=..., salt=..., opaque=..., key=0x7f11caf514d8)
>      at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/salt-arcfour.c:83

This looks like a jump to null in the RC4 logic using EVP_md4().

For EVP_rc4 we have a hack in Heimdal to do

	EVP_CIPHER_fetch(NULL, "rc4", "provider=legacy")

but I'm not sure it actually works -- I can't get it to do anything in
a test program without also calling OSSL_PROVIDER_load("legacy"), at
which point it becomes unnecessary -- and we don't do it for MD4.

So if we can convince Heimdal to call OSSL_PROVIDER_load("legacy") at
some point on startup, I bet that will fix it.

It looks like the EVP_CIPHER_fetch hack (or EVP_MD_fetch hack) is also
a memory leak, according to
<https://www.openssl.org/docs/man3.0/man7/crypto.html>:

   These functions usually have the name APINAME_fetch, where APINAME
   is the name of the operation.  For example EVP_MD_fetch(3) can be
   used to explicitly fetch a digest algorithm implementation.  The
   user is responsible for freeing the object returned from the
   APINAME_fetch function using APINAME_free when it is no longer
   needed.

So I'm not sure we should be using it at all.

> As to the su issue, I think that is a separate problem related to 
> revision 1.10 of pam_ksu.c.  If I revert that then su works.

Got a stack trace for that?


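The following shell script is an added example and is not code from this thread, from Heimdal or from NetBSD. It reproduces with the openssl(1) command line the condition the reply describes: on an OpenSSL 3 build, MD4 and RC4 live in the legacy provider, so they are unavailable until that provider is loaded. The "-provider legacy -provider default" flags are the CLI counterpart of OSSL_PROVIDER_load("legacy"). The script also goes one step beyond the thread by showing the configuration-file route, which activates the legacy provider for every libcrypto consumer on the host at library start-up rather than requiring a call in Heimdal. It assumes an OpenSSL 3.x `openssl` binary in PATH (the -provider option does not exist in 1.1.x) and that the legacy.so module is installed in that build's MODULESDIR; the test vectors are MD4("abc") from RFC 1320 and the 40-bit RC4 keystream from RFC 6229.

```shell
#!/bin/sh
# Added example: not code from this thread, Heimdal or NetBSD.  Reproduces
# with the openssl(1) CLI the situation described in the reply: under
# OpenSSL 3, MD4 and RC4 come from the legacy provider, so EVP_md4() and
# EVP_rc4() have no usable implementation until that provider is loaded.
# Assumptions: an OpenSSL 3.x `openssl` binary in PATH (the -provider
# option does not exist in 1.1.x) and a legacy.so module in its MODULESDIR.

# CLI counterpart of OSSL_PROVIDER_load("legacy").  "default" has to be
# named as well: naming any provider on the command line switches off the
# implicit loading of the default one.
LEGACY_FLAGS='-provider legacy -provider default'

# MD4 of $2 as hex, using the provider flags in $1 ("" = implicit default
# provider only).  $1 is deliberately unquoted so it splits into flags.
# Fails (non-zero return, no output) when MD4 is not available.
md4_hex() {
    out=$(printf '%s' "$2" | openssl dgst -md4 -r $1 2>/dev/null) || return 1
    [ -n "$out" ] || return 1
    printf '%s\n' "${out%% *}"      # "-r" prints "<hex> *stdin"; keep the hex
}

# First 16 bytes of RC4-40 keystream for the hex key $2: encrypting zero
# bytes with a stream cipher returns the keystream, so the result can be
# compared with RFC 6229.  RC4-40 is served by the same legacy provider as
# the 128-bit RC4 that arcfour-hmac-md5 uses.  Fails when RC4 is unavailable.
rc4_40_keystream_hex() {
    out=$(dd if=/dev/zero bs=16 count=1 2>/dev/null \
          | openssl enc -rc4-40 -K "$2" -nosalt $1 2>/dev/null \
          | od -An -v -tx1 | tr -d ' \n') || return 1
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Process-wide alternative to patching the program: activate the legacy
# provider from the OpenSSL configuration file, so kadmin, su/pam_ksu and
# every other libcrypto consumer gets it at start-up.  A throw-away config
# is written here and selected with OPENSSL_CONF for a single command.
legacy_cnf=$(mktemp)
trap 'rm -f "$legacy_cnf"' EXIT
cat >"$legacy_cnf" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF

# MD4 of $1 with no -provider flags at all, relying on the config above.
# A subshell keeps the OPENSSL_CONF export from leaking into the caller.
md4_hex_via_config() {
    ( OPENSSL_CONF="$legacy_cnf"; export OPENSSL_CONF; md4_hex "" "$1" )
}

main() {
    # RFC 1320 test vector: MD4("abc") = a448017aaf21d8525fc10ae87aa6729d
    printf 'MD4, default provider only  : %s\n' "$(md4_hex "" abc || echo unavailable)"
    printf 'MD4, legacy via -provider   : %s\n' "$(md4_hex "$LEGACY_FLAGS" abc || echo unavailable)"
    printf 'MD4, legacy via config file : %s\n' "$(md4_hex_via_config abc || echo unavailable)"
    # RFC 6229, 40-bit key 0102030405: b2396305f03dc027ccc3524a0a1118a8
    printf 'RC4-40, default provider    : %s\n' "$(rc4_40_keystream_hex "" 0102030405 || echo unavailable)"
    printf 'RC4-40, legacy via -provider: %s\n' "$(rc4_40_keystream_hex "$LEGACY_FLAGS" 0102030405 || echo unavailable)"
}

main
```

Run on the KDC, the first MD4 and RC4-40 lines print "unavailable" while the -provider and config-file lines print the RFC vectors; that is the same difference between "legacy not loaded" and "legacy loaded" that separates the segfault in ARCFOUR_string_to_key from a working kadmin. The config-file route has the side effect of making MD4 and RC4 available to every program on the host, not just Heimdal, which is worth weighing against a one-line OSSL_PROVIDER_load("legacy") in Heimdal's start-up path. What the CLI cannot show is the other point in the reply: in C, anything obtained from EVP_MD_fetch or EVP_CIPHER_fetch has to be released with EVP_MD_free or EVP_CIPHER_free, while the EVP_md4() and EVP_rc4() constants need no freeing.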