Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9
- Reply: Mark Johnston : "Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9"
- In reply to: Ed Maste : "git: b077aed33b7b - main - Merge OpenSSL 3.0.9"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 05 Jul 2023 21:56:42 UTC
On 24 Jun 2023, at 1:19, Ed Maste wrote:
> The branch main has been updated by emaste:
>
> URL:
> https://cgit.FreeBSD.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
>
> commit b077aed33b7b6aefca7b17ddb250cf521f938613
> Merge: b08ee10c0646 b84c4564effd
> Author: Pierre Pronchery <pierre@freebsdfoundation.org>
> AuthorDate: 2023-06-23 22:53:35 +0000
> Commit: Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2023-06-23 22:53:36 +0000
>
> Merge OpenSSL 3.0.9
>
> Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1
> (the
> version we were previously using) will be EOL as of 2023-09-11.
>
> Most of the base system has already been updated for a seamless
> switch
> to OpenSSL 3.0. For many components we've added
> `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API
> version,
> which avoids deprecation warnings from OpenSSL 3.0. Changes have
> also
> been made to avoid OpenSSL APIs that were already deprecated in
> OpenSSL
> 1.1.1. The process of updating to contemporary APIs can continue
> after
> this merge.
>
> Additional changes are still required for libarchive and Kerberos-
> related libraries or tools; workarounds will immediately follow
> this
> commit. Fixes are in progress in the upstream projects and will
> be
> incorporated when those are next updated.
>
> There are some performance regressions in benchmarks (certain
> tests in
> `openssl speed`) and in some OpenSSL consumers in ports (e.g.
> haproxy).
> Investigation will continue for these.
>
> Netflix's testing showed no functional regression and a rather
> small,
> albeit statistically significant, increase in CPU consumption with
> OpenSSL 3.0.
>
> Thanks to ngie@ and des@ for updating base system components, to
> antoine@ and bofh@ for ports exp-runs and port fixes/workarounds,
> and to
> Netflix and everyone who tested prior to commit or contributed to
> this
> update in other ways.
>
> PR: 271615
> PR: 271656 [exp-run]
> Relnotes: Yes
> Sponsored by: The FreeBSD Foundation
>
It looks like we missed adding a file.
Security/opensc doesn’t build any more:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270076
It fails to find d2i_KeyParams when linking. The opensc code does this:
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (!d2i_ECParameters(&ec, &a,
(long)len))
util_fatal("cannot parse
EC_PARAMS");
EVP_PKEY_assign_EC_KEY(pkey, ec);
#else
if (!d2i_KeyParams(EVP_PKEY_EC, &pkey,
&a, len))
util_fatal("cannot parse
EC_PARAMS");
#endif
d2i_KeyParams() appears to be new on openssl 3. It’s defined in
d2i_param.c, which we don’t build. I’ve tested with this patch, and
that appears to fix things:
diff --git a/secure/lib/libcrypto/Makefile
b/secure/lib/libcrypto/Makefile
index 28258e796984..ef5652e8c27c 100644
--- a/secure/lib/libcrypto/Makefile
+++ b/secure/lib/libcrypto/Makefile
@@ -74,7 +74,7 @@ SRCS+= n_pkey.c nsseq.c p5_pbe.c p5_pbev2.c
p5_scrypt.c p8_pkey.c
SRCS+= t_bitst.c t_pkey.c t_spki.c tasn_dec.c tasn_enc.c tasn_fre.c
SRCS+= tasn_new.c tasn_prn.c tasn_scn.c tasn_typ.c tasn_utl.c
x_algor.c
SRCS+= x_bignum.c x_info.c x_int64.c x_long.c x_pkey.c x_sig.c
x_spki.c
-SRCS+= x_val.c
+SRCS+= x_val.c d2i_param.c
# async
SRCS+= async.c async_err.c async_posix.c async_wait.c
diff --git a/secure/lib/libcrypto/Version.map
b/secure/lib/libcrypto/Version.map
index 421819324961..74d0b8b3cef1 100644
--- a/secure/lib/libcrypto/Version.map
+++ b/secure/lib/libcrypto/Version.map
@@ -3564,6 +3564,8 @@ OPENSSL_1_1_0 {
d2i_IPAddressOrRange;
d2i_IPAddressRange;
d2i_ISSUING_DIST_POINT;
+ d2i_KeyParams;
+ d2i_KeyParams_bio;
d2i_NETSCAPE_CERT_SEQUENCE;
d2i_NETSCAPE_SPKAC;
d2i_NETSCAPE_SPKI;
Best regards,
Kristof