NetBSD-Bugs archive
lib/57610: kerberos segfault with legacy crypto on 10.0_BETA post openssl3
>Number: 57610
>Category: lib
>Synopsis: kerberos segfault with legacy crypto on 10.0_BETA post openssl3
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Sep 08 03:20:00 +0000 2023
>Originator: Mark Davies
>Release: NetBSD 10.0_BETA
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
System: NetBSD turakirae.ecs.vuw.ac.nz 10.0_BETA NetBSD 10.0_BETA (GENERIC) #8: Fri Aug 25 12:17:44 NZST 2023 mark%turakirae.ecs.vuw.ac.nz@localhost:/local/SAVE/10_64.obj/src/work/10/src/sys/arch/amd64/compile/XEN3_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:
Since openssl3 was pulled up to 10.0_BETA, kadmin will die with a segfault with a jump
to NULL when performing operations that end up calling ARCFOUR_string_to_key().
And similarly kadmind and kpasswdd if requested to do the operation from a remote client.
See the discussion thread starting at https://mail-index.netbsd.org/current-users/2023/09/04/msg044368.html
where Taylor R Campbell says:
    This looks like a jump to null in the RC4 logic using EVP_md4().
    For EVP_rc4 we have a hack in Heimdal to do

        EVP_CIPHER_fetch(NULL, "rc4", "provider=legacy")

    but I'm not sure it actually works -- I can't get it to do anything in
    a test program without also calling OSSL_PROVIDER_load("legacy"), at
    which point it becomes unnecessary -- and we don't do it for MD4.

    So if we can convince Heimdal to call OSSL_PROVIDER_load("legacy") at
    some point on startup, I bet that will fix it.
>How-To-Repeat:
On a kdc run:

    kadmin -l passwd username

or

    kadmin -l add -r host/xx

kadmin will segfault with a backtrace along the lines of:

    Core was generated by `kadmin'.
    Program terminated with signal SIGSEGV, Segmentation fault.
    #0 0x0000000000000000 in ?? ()
    (gdb) where
    #0 0x0000000000000000 in ?? ()
    #1 0x00007f11ca0423d4 in ARCFOUR_string_to_key (context=0x7f11cafc7000, enctype=KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
        password=..., salt=..., opaque=..., key=0x7f11caf514d8)
        at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/salt-arcfour.c:83
    #2 0x00007f11ca041531 in krb5_string_to_key_data_salt (context=context@entry=0x7f11cafc7000,
        enctype=KRB5_ENCTYPE_ARCFOUR_HMAC_MD5, password=..., salt=..., key=0x7f11caf514d8)
        at /src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/salt.c:173
    [...]
>Fix:
>Unformatted: