Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 07 Jul 2023 19:43:55 UTC
On 7 Jul 2023, at 19:52, Kristof Provost wrote:
>> On 7 Jul 2023, at 18:35, Mark Johnston <markj@freebsd.org> wrote:
>>
>> On Wed, Jul 05, 2023 at 11:56:42PM +0200, Kristof Provost wrote:
>>>> On 24 Jun 2023, at 1:19, Ed Maste wrote:
>>>> The branch main has been updated by emaste:
>>>>
>>>> URL: https://cgit.FreeBSD.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
>>>>
>>>> commit b077aed33b7b6aefca7b17ddb250cf521f938613
>>>> Merge: b08ee10c0646 b84c4564effd
>>>> Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
>>>> AuthorDate: 2023-06-23 22:53:35 +0000
>>>> Commit:     Ed Maste <emaste@FreeBSD.org>
>>>> CommitDate: 2023-06-23 22:53:36 +0000
>>>>
>>>>    Merge OpenSSL 3.0.9
>>>>
>>>
>>> It looks like we missed adding a file.
>>> security/opensc doesn’t build any more:
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270076
>>>
>>> It fails to find d2i_KeyParams when linking. The opensc code does this:
>>>
>>>    #if OPENSSL_VERSION_NUMBER < 0x30000000L
>>>                                    if (!d2i_ECParameters(&ec, &a, (long)len))
>>>                                            util_fatal("cannot parse EC_PARAMS");
>>>                                    EVP_PKEY_assign_EC_KEY(pkey, ec);
>>>    #else
>>>                                    if (!d2i_KeyParams(EVP_PKEY_EC, &pkey, &a, len))
>>>                                            util_fatal("cannot parse EC_PARAMS");
>>>    #endif
>>>
>>> d2i_KeyParams() appears to be new on openssl 3. It’s defined in d2i_param.c,
>>> which we don’t build. I’ve tested with this patch, and that appears to fix
>>> things:
>>
>> Hi Kristof,
>>
>> Would you mind posting the patch on phabricator?  I can take a closer
>> look in the next day, and Pierre might be available to look as well.
>
> Sure, but I might not be able to do that until Sunday afternoon.
>
https://reviews.freebsd.org/D40914

>> Based on your analysis I think this should go into the OPENSSL_3_0_9 namespace?
>>
> I have no idea. I’ll try to dig a bit, but we’re pretty far outside my comfort zone here.
>
Ah, I see what you meant. That should be fixed in the version in the review.

Best regards,
Kristof