Re: git: e5dd5bfa55dc - main - pkg(7): now that we do use libmd, use it completely

From: Enji Cooper <yaneurabeya_at_gmail.com>
Date: Fri, 10 Mar 2023 18:45:02 UTC

> On Mar 9, 2023, at 12:31 PM, Baptiste Daroussin <bapt@FreeBSD.org> wrote:
> 
> The branch main has been updated by bapt:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=e5dd5bfa55dc82686870330f547932486ba48db2
> 
> commit e5dd5bfa55dc82686870330f547932486ba48db2
> Author:     Baptiste Daroussin <bapt@FreeBSD.org>
> AuthorDate: 2023-03-09 20:29:15 +0000
> Commit:     Baptiste Daroussin <bapt@FreeBSD.org>
> CommitDate: 2023-03-09 20:31:30 +0000
> 
>    pkg(7): now that we do use libmd, use it completely
> 
>    Use SHA256_Fd and SHA256_Data instead of homemade equivalent.
>    Wrap those functions into hash.c to avoid header collision between
>    openssl and libmd
> 
>    Suggested by:   kevans


Hi bapt@,

Thank you for the quick build fix!

- The Makefile wasn’t updated to use just libmd or libcrypto — it’s linking both today (there are other areas in base where this is present, though, so it’s less of an issue).
- I don’t remember the details 100%, but I vaguely remember there being an effort in the past to avoid overlinking binaries with libmd and libcrypto. Some components like ntp for instance go out of their way to link one implementation or the other, not both.
- The libmd library exports interfaces named like the OpenSSL 3 deprecated interfaces. Not sure if that’s going to cause issues in the future.
- When going to OpenSSL 3, FreeBSD and third parties will have access to a FIPS 140-3 certified crypto provider library — libmd doesn’t have that same guarantee. It would be good if the entire system was linked with either libcrypto or libmd so the crypto interface would be consistent across the board.

I’m going to post an email to arch@ soon about the need for the OpenSSL 1.1 -> OpenSSL 3 import. I think some of these topics should be brought up as requirements/prerequisites for doing the work or considerations to make when doing it. What do you think?

Cheers,
-Enji