Date: Sun, 21 Apr 2024 16:58:53 GMT
Message-Id: <202404211658.43LGwr5o006862@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Enji Cooper
Subject: git: 42ce242e3530 - main - OpenSSL: use the upstream provided version.map files for the fips/legacy providers
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: ngie
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 42ce242e353065dfbaa248955f6657005a395a95

The branch main has been updated by ngie:

URL: https://cgit.FreeBSD.org/src/commit/?id=42ce242e353065dfbaa248955f6657005a395a95

commit 42ce242e353065dfbaa248955f6657005a395a95
Author: Enji Cooper
AuthorDate: 2024-04-20 19:12:50 +0000
Commit: Enji Cooper
CommitDate: 2024-04-21 16:35:19 +0000

OpenSSL: use the upstream provided version.map files for the fips/legacy providers

This change introduces a static copy of the fips and legacy linker version maps generated by the OpenSSL 3.0.13 build process.

This unbreaks the fips and legacy providers by not exposing unnecessary symbols from the fips/legacy provider shared objects shared with other providers (base, default) and libcrypto.

More discussion:

Prior to this change, loading the fips provider indirectly from a FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a process-wide deadlock when invoking select OpenSSL APIs (CONF_modules_load* in this particular example).

Speaking with the upstream maintainers [1], it became obvious that the FreeBSD base system was incorrectly building/linking the fips provider, resulting in a symbol collision at runtime, and thus a process-wide deadlock in specific circumstances.
The fips provider would deadlock when trying to acquire a write lock on internal structures which should have only been available to the base and default providers, as certain preprocessor ifdefs only allow specific internal calls to be made with the base and default providers. 1. https://github.com/openssl/openssl/issues/24202 Differential Revision: https://reviews.freebsd.org/D44892 --- crypto/openssl/providers/fips.ld | 5 +++++ crypto/openssl/providers/legacy.ld | 5 +++++ secure/lib/libcrypto/modules/fips/Makefile | 2 ++ secure/lib/libcrypto/modules/legacy/Makefile | 2 ++ 4 files changed, 14 insertions(+) diff --git a/crypto/openssl/providers/fips.ld b/crypto/openssl/providers/fips.ld new file mode 100644 index 000000000000..1debaaa7ff65 --- /dev/null +++ b/crypto/openssl/providers/fips.ld @@ -0,0 +1,5 @@ +{ + global: + OSSL_provider_init; + local: *; +}; diff --git a/crypto/openssl/providers/legacy.ld b/crypto/openssl/providers/legacy.ld new file mode 100644 index 000000000000..1debaaa7ff65 --- /dev/null +++ b/crypto/openssl/providers/legacy.ld @@ -0,0 +1,5 @@ +{ + global: + OSSL_provider_init; + local: *; +}; diff --git a/secure/lib/libcrypto/modules/fips/Makefile b/secure/lib/libcrypto/modules/fips/Makefile index 8843cb9717c9..ceaa57ab066e 100644 --- a/secure/lib/libcrypto/modules/fips/Makefile +++ b/secure/lib/libcrypto/modules/fips/Makefile @@ -1,6 +1,8 @@ SHLIB_NAME?= fips.so +VERSION_MAP= ${SRCTOP}/crypto/openssl/providers/fips.ld + CFLAGS+= -DFIPS_MODULE SRCS+= fips_entry.c fipsprov.c self_test.c self_test_kats.c diff --git a/secure/lib/libcrypto/modules/legacy/Makefile b/secure/lib/libcrypto/modules/legacy/Makefile index a285d0b1148b..e435c5aa2c41 100644 --- a/secure/lib/libcrypto/modules/legacy/Makefile +++ b/secure/lib/libcrypto/modules/legacy/Makefile @@ -2,6 +2,8 @@ SHLIB_NAME?= legacy.so LIBADD= crypto +VERSION_MAP= ${SRCTOP}/crypto/openssl/providers/legacy.ld + SRCS+= legacyprov.c prov_running.c # ciphers
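
Review bot: crypto/openssl/providers/fips.ld has no header comment recording where it came from. The commit message calls it a static copy of the map generated by the OpenSSL 3.0.13 build, but the file itself names neither the upstream version nor the need to re-check it on each vendor import, so a later OpenSSL release that changes the provider export list would leave this copy silently out of date. Suggest a short /* ... */ comment at the top of the file stating the upstream source and version.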
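
Review bot: crypto/openssl/providers/legacy.ld is byte-for-byte the same file as fips.ld (both are created with blob index 1debaaa7ff65), so the tree now carries two copies of one five-line map that have to be kept in sync by hand. If they are kept separate to mirror the upstream per-provider layout, say so in a comment in the file; otherwise consider a single shared map referenced by both module Makefiles.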
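
Review bot: nothing in this change verifies that the VERSION_MAP= line added in secure/lib/libcrypto/modules/fips/Makefile actually takes effect in the built object. The diffstat shows only the two maps and the two Makefiles, so a later edit that drops or overrides VERSION_MAP would reintroduce the symbol collision and deadlock described in the commit message without any build or test failure. Suggest a regression test or post-build check that the dynamic symbol table of fips.so (and legacy.so) defines only OSSL_provider_init.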