Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9
- Reply: Mark Johnston : "Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9"
- In reply to: Ed Maste : "git: b077aed33b7b - main - Merge OpenSSL 3.0.9"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 05 Jul 2023 21:56:42 UTC
On 24 Jun 2023, at 1:19, Ed Maste wrote: > The branch main has been updated by emaste: > > URL: > https://cgit.FreeBSD.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613 > > commit b077aed33b7b6aefca7b17ddb250cf521f938613 > Merge: b08ee10c0646 b84c4564effd > Author: Pierre Pronchery <pierre@freebsdfoundation.org> > AuthorDate: 2023-06-23 22:53:35 +0000 > Commit: Ed Maste <emaste@FreeBSD.org> > CommitDate: 2023-06-23 22:53:36 +0000 > > Merge OpenSSL 3.0.9 > > Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 > (the > version we were previously using) will be EOL as of 2023-09-11. > > Most of the base system has already been updated for a seamless > switch > to OpenSSL 3.0. For many components we've added > `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API > version, > which avoids deprecation warnings from OpenSSL 3.0. Changes have > also > been made to avoid OpenSSL APIs that were already deprecated in > OpenSSL > 1.1.1. The process of updating to contemporary APIs can continue > after > this merge. > > Additional changes are still required for libarchive and Kerberos- > related libraries or tools; workarounds will immediately follow > this > commit. Fixes are in progress in the upstream projects and will > be > incorporated when those are next updated. > > There are some performance regressions in benchmarks (certain > tests in > `openssl speed`) and in some OpenSSL consumers in ports (e.g. > haproxy). > Investigation will continue for these. > > Netflix's testing showed no functional regression and a rather > small, > albeit statistically significant, increase in CPU consumption with > OpenSSL 3.0. > > Thanks to ngie@ and des@ for updating base system components, to > antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, > and to > Netflix and everyone who tested prior to commit or contributed to > this > update in other ways. > > PR: 271615 > PR: 271656 [exp-run] > Relnotes: Yes > Sponsored by: The FreeBSD Foundation > It looks like we missed adding a file. Security/opensc doesn’t build any more: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270076 It fails to find d2i_KeyParams when linking. The opensc code does this: #if OPENSSL_VERSION_NUMBER < 0x30000000L if (!d2i_ECParameters(&ec, &a, (long)len)) util_fatal("cannot parse EC_PARAMS"); EVP_PKEY_assign_EC_KEY(pkey, ec); #else if (!d2i_KeyParams(EVP_PKEY_EC, &pkey, &a, len)) util_fatal("cannot parse EC_PARAMS"); #endif d2i_KeyParams() appears to be new on openssl 3. It’s defined in d2i_param.c, which we don’t build. I’ve tested with this patch, and that appears to fix things: diff --git a/secure/lib/libcrypto/Makefile b/secure/lib/libcrypto/Makefile index 28258e796984..ef5652e8c27c 100644 --- a/secure/lib/libcrypto/Makefile +++ b/secure/lib/libcrypto/Makefile @@ -74,7 +74,7 @@ SRCS+= n_pkey.c nsseq.c p5_pbe.c p5_pbev2.c p5_scrypt.c p8_pkey.c SRCS+= t_bitst.c t_pkey.c t_spki.c tasn_dec.c tasn_enc.c tasn_fre.c SRCS+= tasn_new.c tasn_prn.c tasn_scn.c tasn_typ.c tasn_utl.c x_algor.c SRCS+= x_bignum.c x_info.c x_int64.c x_long.c x_pkey.c x_sig.c x_spki.c -SRCS+= x_val.c +SRCS+= x_val.c d2i_param.c # async SRCS+= async.c async_err.c async_posix.c async_wait.c diff --git a/secure/lib/libcrypto/Version.map b/secure/lib/libcrypto/Version.map index 421819324961..74d0b8b3cef1 100644 --- a/secure/lib/libcrypto/Version.map +++ b/secure/lib/libcrypto/Version.map @@ -3564,6 +3564,8 @@ OPENSSL_1_1_0 { d2i_IPAddressOrRange; d2i_IPAddressRange; d2i_ISSUING_DIST_POINT; + d2i_KeyParams; + d2i_KeyParams_bio; d2i_NETSCAPE_CERT_SEQUENCE; d2i_NETSCAPE_SPKAC; d2i_NETSCAPE_SPKI; Best regards, Kristof