NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

lib/57610: kerberos segfault with legacy crypto on 10.0_BETA post openssl3

>Number:         57610
>Category:       lib
>Synopsis:       kerberos segfault with legacy crypto on 10.0_BETA post openssl3
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 08 03:20:00 +0000 2023
>Originator:     Mark Davies
>Release:        NetBSD 10.0_BETA
ECS, Victoria Uni. of Wellington, New Zealand.
System: NetBSD 10.0_BETA NetBSD 10.0_BETA (GENERIC) #8: Fri Aug 25 12:17:44 NZST 2023 amd64
Architecture: x86_64
Machine: amd64
	Since openssl3 was pulled up to 10.0_BETA kadmin will die with segfault with a jump
	to NULL when performing operations that end up calling ARCFOUR_string_to_key().
	And similarly kadmind and kpasswdd if requested to do the operation from a remote client.

	see discussion thread starting at
	where Taylor R Campbell says:

	      This looks like a jump to null in the RC4 logic using EVP_md4().

	      For EVP_rc4 we have a hack in Heimdal to do

		   EVP_CIPHER_fetch(NULL, "rc4", "provider=legacy")

	      but I'm not sure it actually works -- I can't get it to do anything in
	      a test program without also calling OSSL_PROVIDER_load("legacy"), at
	      which point it becomes unnecessary -- and we don't do it for MD4.

	      So if we can convince Heimdal to call OSSL_PROVIDER_load("legacy") at
	      some point on startup, I bet that will fix it.

	On a kdc run:
	   kadmin -l passwd username
           kadmin -l add -r host/xx

        kadmin will segfault with a backtrace along the lines of:

	Core was generated by `kadmin'.
	Program terminated with signal SIGSEGV, Segmentation fault.
	#0  0x0000000000000000 in ?? ()
	(gdb) where
	#0  0x0000000000000000 in ?? ()
	#1  0x00007f11ca0423d4 in ARCFOUR_string_to_key (context=0x7f11cafc7000, enctype=KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
    	    password=..., salt=..., opaque=..., key=0x7f11caf514d8)
    	    at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/salt-arcfour.c:83
	#2  0x00007f11ca041531 in krb5_string_to_key_data_salt (context=context@entry=0x7f11cafc7000,
    	    enctype=KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, password=..., salt=..., key=0x7f11caf514d8)
            at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/salt.c:173


Home | Main Index | Thread Index | Old Index