Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 05 Jul 2023 21:56:42 UTC
On 24 Jun 2023, at 1:19, Ed Maste wrote:
> The branch main has been updated by emaste:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
>
> commit b077aed33b7b6aefca7b17ddb250cf521f938613
> Merge: b08ee10c0646 b84c4564effd
> Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
> AuthorDate: 2023-06-23 22:53:35 +0000
> Commit:     Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2023-06-23 22:53:36 +0000
>
>     Merge OpenSSL 3.0.9
>
>     Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0.  OpenSSL 1.1.1 (the
>     version we were previously using) will be EOL as of 2023-09-11.
>
>     Most of the base system has already been updated for a seamless switch
>     to OpenSSL 3.0.  For many components we've added
>     `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
>     which avoids deprecation warnings from OpenSSL 3.0.  Changes have also
>     been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
>     1.1.1.  The process of updating to contemporary APIs can continue after
>     this merge.
>
>     Additional changes are still required for libarchive and Kerberos-
>     related libraries or tools; workarounds will immediately follow this
>     commit.  Fixes are in progress in the upstream projects and will be
>     incorporated when those are next updated.
>
>     There are some performance regressions in benchmarks (certain tests in
>     `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy).
>     Investigation will continue for these.
>
>     Netflix's testing showed no functional regression and a rather small,
>     albeit statistically significant, increase in CPU consumption with
>     OpenSSL 3.0.
>
>     Thanks to ngie@ and des@ for updating base system components, to
>     antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
>     Netflix and everyone who tested prior to commit or contributed to this
>     update in other ways.
>
>     PR:             271615
>     PR:             271656 [exp-run]
>     Relnotes:       Yes
>     Sponsored by:   The FreeBSD Foundation
>

It looks like we missed adding a file.
Security/opensc doesn’t build any more: 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270076

It fails to find d2i_KeyParams when linking. The opensc code does this:

	#if OPENSSL_VERSION_NUMBER < 0x30000000L
	        if (!d2i_ECParameters(&ec, &a, (long)len))
	                util_fatal("cannot parse EC_PARAMS");
	        EVP_PKEY_assign_EC_KEY(pkey, ec);
	#else
	        if (!d2i_KeyParams(EVP_PKEY_EC, &pkey, &a, len))
	                util_fatal("cannot parse EC_PARAMS");
	#endif

d2i_KeyParams() appears to be new on openssl 3. It’s defined in 
d2i_param.c, which we don’t build. I’ve tested with this patch, and 
that appears to fix things:

	diff --git a/secure/lib/libcrypto/Makefile 
b/secure/lib/libcrypto/Makefile
	index 28258e796984..ef5652e8c27c 100644
	--- a/secure/lib/libcrypto/Makefile
	+++ b/secure/lib/libcrypto/Makefile
	@@ -74,7 +74,7 @@ SRCS+=        n_pkey.c nsseq.c p5_pbe.c p5_pbev2.c 
p5_scrypt.c p8_pkey.c
	 SRCS+= t_bitst.c t_pkey.c t_spki.c tasn_dec.c tasn_enc.c tasn_fre.c
	 SRCS+= tasn_new.c tasn_prn.c tasn_scn.c tasn_typ.c tasn_utl.c 
x_algor.c
	 SRCS+= x_bignum.c x_info.c x_int64.c x_long.c x_pkey.c x_sig.c 
x_spki.c
	-SRCS+= x_val.c
	+SRCS+= x_val.c d2i_param.c

	 # async
	 SRCS+= async.c async_err.c async_posix.c async_wait.c
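Review bot: `d2i_param.c` is appended after `x_val.c`, but the surrounding SRCS lines in this section are kept in alphabetical order (n_pkey.c … p8_pkey.c, then t_*, tasn_*, x_*), so the new entry lands out of sequence and will be easy to lose on the next merge; give it its own `SRCS+= d2i_param.c` line in alphabetical position instead of `+SRCS+= x_val.c d2i_param.c`. Also, the Version.map hunk exports `d2i_KeyParams_bio` as well as `d2i_KeyParams`, while the cover text only says `d2i_KeyParams` lives in d2i_param.c; confirm the file defines both, otherwise the map will list a symbol the library does not provide.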
	diff --git a/secure/lib/libcrypto/Version.map 
b/secure/lib/libcrypto/Version.map
	index 421819324961..74d0b8b3cef1 100644
	--- a/secure/lib/libcrypto/Version.map
	+++ b/secure/lib/libcrypto/Version.map
	@@ -3564,6 +3564,8 @@ OPENSSL_1_1_0 {
	         d2i_IPAddressOrRange;
	         d2i_IPAddressRange;
	         d2i_ISSUING_DIST_POINT;
	+        d2i_KeyParams;
	+        d2i_KeyParams_bio;
	         d2i_NETSCAPE_CERT_SEQUENCE;
	         d2i_NETSCAPE_SPKAC;
	         d2i_NETSCAPE_SPKI;
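Review bot: the two symbols are added to the `OPENSSL_1_1_0` version node, yet the cover text says `d2i_KeyParams` is new in OpenSSL 3. Exporting it from a 1.1.0 node lets consumers record a symbol-version dependency that 1.1.x builds of libcrypto never satisfied, so a binary linked against this library would load against an older one and fail at run time rather than at link time; consider placing `d2i_KeyParams;` and `d2i_KeyParams_bio;` in a version node corresponding to the OpenSSL 3.0 release instead. The alphabetical placement between `d2i_ISSUING_DIST_POINT;` and `d2i_NETSCAPE_CERT_SEQUENCE;` is correct.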

Best regards,
Kristof
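As an added example, not part of Kristof's message or the FreeBSD patch: a small Python check that parses a linker version script in the style of Version.map and reports which symbols a consumer references but the library will not export, which is exactly the class of link failure described above. The map excerpt and the symbol list (`SAMPLE_VERSION_MAP`, `OPENSC_NEEDS`) are constructed for the example and are not the real files.

```python
"""Added example: check a Version.map-style linker version script for missing exports."""
import re

# Constructed excerpt in the shape of secure/lib/libcrypto/Version.map (not the real file).
SAMPLE_VERSION_MAP = """\
OPENSSL_1_1_0 {
    global:
        d2i_ECParameters;
        d2i_IPAddressOrRange;
        d2i_ISSUING_DIST_POINT;
        d2i_NETSCAPE_SPKI;
    local:
        *;
};
OPENSSL_1_1_1 {
    global:
        EVP_PKEY_get0_RSA;
} OPENSSL_1_1_0;
"""
# Symbols the quoted opensc snippet pulls from libcrypto in its two branches (constructed).
OPENSC_NEEDS = ["d2i_ECParameters", "d2i_KeyParams", "d2i_KeyParams_bio"]
NODE_OPEN = re.compile(r"^(\w+)\s*\{$")  # e.g. "OPENSSL_1_1_0 {"


def parse_version_map(text):
    """Map each exported symbol to its version node.

    'NAME {' opens a node, 'global:'/'local:' switch sections, ';'-terminated
    names in a global section are exports, and '}' closes the node.
    """
    exported, node, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_OPEN.match(line)
        if m:
            node, section = m.group(1), None
        elif line.startswith("}"):  # '};' or '} PARENT;'
            node = section = None
        elif line in ("global:", "local:"):
            section = line[:-1]
        elif node and section == "global":
            for sym in line.split(";"):
                sym = sym.strip()
                if sym and sym != "*":  # '*' is the wildcard, never a symbol
                    exported[sym] = node
    return exported


def missing_symbols(version_map_text, needed):
    """Needed symbols the script does not export, sorted; empty means the link resolves."""
    exported = parse_version_map(version_map_text)
    return sorted(s for s in needed if s not in exported)
```

Run `missing_symbols(SAMPLE_VERSION_MAP, OPENSC_NEEDS)` against the unpatched excerpt and it names d2i_KeyParams and d2i_KeyParams_bio; with the two lines from the Version.map hunk added it returns an empty list.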