krb5 commit: Use builtin MD4, RC4 for OpenSSL 3.0

Greg Hudson ghudson at mit.edu
Thu Oct 28 15:33:58 EDT 2021 

https://github.com/krb5/krb5/commit/e557f051d1605ee980b136cae020866873ffb223
commit e557f051d1605ee980b136cae020866873ffb223
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Oct 8 17:45:03 2021 -0400

    Use builtin MD4, RC4 for OpenSSL 3.0
    
    In OpenSSL 3.0, to use MD4 or RC4 one must load the "legacy" crypto
    provider.  To do this in libk5crypto, we would need to create and use
    an OpenSSL library context to avoid interfering with other users of
    the library.  Tearing down this context at finalization time would be
    further complicated by OpenSSL's use of atexit() for library
    finalization, which causes its finalizer to be run earlier than
    properly registered finalizers on Linux.
    
    For simplicity, use the builtin implementations of MD4 and RC4 for
    OpenSSL 3.0 and later.  Also use the builtin DES key parity
    implementation since OpenSSL 3.0 deprecates DES_set_odd_parity() with
    no replacement.
    
    ticket: 9034 (new)

 src/lib/crypto/krb/crypto_int.h |   21 ++++++++++++++++++---
 1 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h
index 974bea0..82474aa 100644
--- a/src/lib/crypto/krb/crypto_int.h
+++ b/src/lib/crypto/krb/crypto_int.h
@@ -34,15 +34,30 @@
 
 #if defined(CRYPTO_OPENSSL)
 
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+/*
+ * OpenSSL 3.0 relegates MD4 and RC4 to the legacy provider, which must be
+ * explicitly loaded into a library context.  Performing this loading within a
+ * library carries complications, so use the built-in implementations of these
+ * primitives instead.  OpenSSL 3.0 also deprecates DES_set_odd_parity() with
+ * no replacement.
+ */
+#define K5_BUILTIN_DES_KEY_PARITY
+#define K5_BUILTIN_MD4
+#define K5_BUILTIN_RC4
+#else
+#define K5_OPENSSL_DES_KEY_PARITY
+#define K5_OPENSSL_MD4
+#define K5_OPENSSL_RC4
+#endif
+
 #define K5_OPENSSL_AES
 #define K5_OPENSSL_CAMELLIA
 #define K5_OPENSSL_DES
-#define K5_OPENSSL_DES_KEY_PARITY
 #define K5_OPENSSL_HMAC
-#define K5_OPENSSL_MD4
 #define K5_OPENSSL_MD5
 #define K5_OPENSSL_PBKDF2
-#define K5_OPENSSL_RC4
 #define K5_OPENSSL_SHA1
 #define K5_OPENSSL_SHA2

More information about the cvs-krb5 mailing list