Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Make OpenSSL an hcrypto backend proper
This adds a new backend for libhcrypto: the OpenSSL backend. Now libhcrypto has these backends: - hcrypto itself (i.e., the algorithms coded in lib/hcrypto) - Common Crypto (OS X) - PKCS#11 (specifically for Solaris, but not Solaris-specific) - Windows CNG (Windows) - OpenSSL (generic) The ./configure --with-openssl=... option no longer disables the use of hcrypto. Instead it enables the use of OpenSSL as a (and the default) backend in libhcrypto. The libhcrypto framework is now always used. OpenSSL should no longer be used directly within Heimdal, except in the OpenSSL hcrypto backend itself, and files where elliptic curve (EC) crypto is needed. Because libhcrypto's EC support is incomplete, we can only use OpenSSL for EC. Currently that means separating all EC-using code so that it does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has been moved out of the files it used to be in.
- Loading branch information
1 parent
9df8820
commit 490337f
Showing
60 changed files
with
2,206 additions
and
976 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,6 +25,7 @@ CLEANFILES = \ | |
rc4.h \ | ||
rsa.h \ | ||
sha.h \ | ||
ui.h | ||
ui.h \ | ||
undef.h | ||
|
||
EXTRA_DIST = NTMakefile |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
490337f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nicowilliams
hi Nico!
I have been looking into this change and trying to guess whether this change or something else is leading to PKI problems.
PKI certificate based TGT request started to fail.
Usecase:
so instead of username/password, certificate is used.
this was working in old Heimdal 1.4. but stopped working in 7.7.
After debugging, i found that issues seems to be around BIGNUM.
The issue seems to occur due to a random number being returned for the private key size in the hx509 library crypto.c implementation of rsa_create_signature().
The rsa key size is returned via:
Heimdal has its own implementations of BIGNUM functions in bn.c which are different to OpenSSL. It seems that this library is attempting to cast a BIGNUM
struct bignum_st {
BN_ULONG d; / Pointer to an array of 'BN_BITS2' bit
* chunks. /
int top; / Index of last used d +1. /
/ The next are internal book keeping for bn_expand. /
int dmax; / Size of the d array. /
int neg; / one if the number is negative */
int flags;
};
to a heim_integer
typedef struct heim_integer {
size_t length;
void *data;
int negative;
} heim_integer;
and then using fields of the latter structure which give nonsense results, eg
int
BN_num_bytes(const BIGNUM *bn)
{
return ((const heim_integer *)bn)->length;
}
and hx509_cms_create_signed() where apparently normal credential data leads to a very large output from ASN1_MALLOC_ENCODE, (this macro is identical to 1.4 so it's more likely that the input data structure is flawed somehow).
The message data length is very large > 4 MB compared to 1.4 at 2914 bytes.
And the server was immediately disconnecting due to the large message size.
could you look at this please? any ideas?
also, I wonder, can we locally revert this commit?
regards,
Alibek
490337f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can try locally reverting but other things have changed in hcrypto since so, fixing it properly is always better :)
490337f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Heimdal and OpenSSL's BIGNUM implementations shouldn't be getting mixed up, all the Heimdal symbols should be renamed by
bn.h
to have ahc_
prefix. Not saying there's not a bug, but it may be elsewhere...490337f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, so basically:
so it could be that 2nd condition was not always hold and in this case, it was mixed up (and different structure was casted)
490337f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this is entirely possible. I'm not super-familiar with the code so @nicowilliams might be the right person to answer, but I could dig in if necessary.
490337f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok. thanks for offering your help. let me first dig some more before I ask you to help. I would like to exclude any configuration issues, etc. and will read code in more detail. may be I can spot or at least narrow down the problem.
490337f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
f.y.i. reproduction of this issue is relatively simple (as I mentioned earlier) - just try to use certs instead of username and password. but one needs to write plug-in, so that Heimdal can call back and pick up certs application wants to use, using krb5_hx509_ks_register
490337f
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will keep digging and will post more. but if any insights, please let me know. cheers!