Date:      Wed, 05 Jul 2023 23:56:42 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Ed Maste <emaste@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org, Mark Johnston <markj@freebsd.org>
Subject:   Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9
Message-ID:  <4FF6DBAE-F9FC-4D20-81C9-B0E0130DF06E@FreeBSD.org>
In-Reply-To: <202306232319.35NNJsPv044302@gitrepo.freebsd.org>
References:  <202306232319.35NNJsPv044302@gitrepo.freebsd.org>


On 24 Jun 2023, at 1:19, Ed Maste wrote:
> The branch main has been updated by emaste:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
>
> commit b077aed33b7b6aefca7b17ddb250cf521f938613
> Merge: b08ee10c0646 b84c4564effd
> Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
> AuthorDate: 2023-06-23 22:53:35 +0000
> Commit:     Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2023-06-23 22:53:36 +0000
>
>     Merge OpenSSL 3.0.9
>
>     Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0.  OpenSSL 1.1.1 (the
>     version we were previously using) will be EOL as of 2023-09-11.
>
>     Most of the base system has already been updated for a seamless switch
>     to OpenSSL 3.0.  For many components we've added
>     `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
>     which avoids deprecation warnings from OpenSSL 3.0.  Changes have also
>     been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
>     1.1.1.  The process of updating to contemporary APIs can continue after
>     this merge.
>
>     Additional changes are still required for libarchive and Kerberos-related
>     libraries or tools; workarounds will immediately follow this commit.
>     Fixes are in progress in the upstream projects and will be incorporated
>     when those are next updated.
>
>     There are some performance regressions in benchmarks (certain tests in
>     `openssl speed`) and in some OpenSSL consumers in ports (e.g.  haproxy).
>     Investigation will continue for these.
>
>     Netflix's testing showed no functional regression and a rather small,
>     albeit statistically significant, increase in CPU consumption with
>     OpenSSL 3.0.
>
>     Thanks to ngie@ and des@ for updating base system components, to
>     antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
>     Netflix and everyone who tested prior to commit or contributed to this
>     update in other ways.
>
>     PR:             271615
>     PR:             271656 [exp-run]
>     Relnotes:       Yes
>     Sponsored by:   The FreeBSD Foundation
>

It looks like we missed adding a file.
Security/opensc doesn’t build any more: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270076

It fails to find d2i_KeyParams when linking. The opensc code does this:

	#if OPENSSL_VERSION_NUMBER < 0x30000000L
		if (!d2i_ECParameters(&ec, &a, (long)len))
			util_fatal("cannot parse EC_PARAMS");
		EVP_PKEY_assign_EC_KEY(pkey, ec);
	#else
		if (!d2i_KeyParams(EVP_PKEY_EC, &pkey, &a, len))
			util_fatal("cannot parse EC_PARAMS");
	#endif

d2i_KeyParams() appears to be new in OpenSSL 3. It’s defined in d2i_param.c, which we don’t build. I’ve tested with this patch, and that appears to fix things:

	diff --git a/secure/lib/libcrypto/Makefile =

b/secure/lib/libcrypto/Makefile
	index 28258e796984..ef5652e8c27c 100644
	--- a/secure/lib/libcrypto/Makefile
	+++ b/secure/lib/libcrypto/Makefile
	@@ -74,7 +74,7 @@ SRCS+=3D        n_pkey.c nsseq.c p5_pbe.c p5_pbev2.c =

p5_scrypt.c p8_pkey.c
	 SRCS+=3D t_bitst.c t_pkey.c t_spki.c tasn_dec.c tasn_enc.c tasn_fre.c
	 SRCS+=3D tasn_new.c tasn_prn.c tasn_scn.c tasn_typ.c tasn_utl.c =

x_algor.c
	 SRCS+=3D x_bignum.c x_info.c x_int64.c x_long.c x_pkey.c x_sig.c =

x_spki.c
	-SRCS+=3D x_val.c
	+SRCS+=3D x_val.c d2i_param.c

	 # async
	 SRCS+=3D async.c async_err.c async_posix.c async_wait.c
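Review bot: d2i_param.c only covers the decode direction, so before landing the `+SRCS+= x_val.c d2i_param.c` line, check that its encoder counterpart i2d_param.c (the file that defines i2d_KeyParams and i2d_KeyParams_bio in OpenSSL 3.0) is already in SRCS and in Version.map; otherwise a consumer that writes key parameters back out will fail to link in exactly the way opensc did on the decode side. A style point on the same line: the neighbouring SRCS entries are alphabetical (n_pkey.c, p5_*.c, p8_pkey.c, t_*.c, tasn_*.c, x_*.c), so d2i_param.c belongs with the other d2i_*.c sources earlier in the asn1 list rather than appended out of order after x_val.c.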
	diff --git a/secure/lib/libcrypto/Version.map =

b/secure/lib/libcrypto/Version.map
	index 421819324961..74d0b8b3cef1 100644
	--- a/secure/lib/libcrypto/Version.map
	+++ b/secure/lib/libcrypto/Version.map
	@@ -3564,6 +3564,8 @@ OPENSSL_1_1_0 {
	         d2i_IPAddressOrRange;
	         d2i_IPAddressRange;
	         d2i_ISSUING_DIST_POINT;
	+        d2i_KeyParams;
	+        d2i_KeyParams_bio;
	         d2i_NETSCAPE_CERT_SEQUENCE;
	         d2i_NETSCAPE_SPKAC;
	         d2i_NETSCAPE_SPKI;
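Review bot: the two symbols are being added under the OPENSSL_1_1_0 node, but by the reply's own observation d2i_KeyParams is new in OpenSSL 3.0, so this version assignment misstates the ABI: it claims the function existed in 1.1.0-era libcrypto. If Version.map has an OPENSSL_3_0_0 node (upstream's util/libcrypto.num records which release introduced each export), put `d2i_KeyParams;` and `d2i_KeyParams_bio;` there instead. The alphabetical placement between d2i_ISSUING_DIST_POINT and d2i_NETSCAPE_CERT_SEQUENCE is right wherever the lines end up.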

Best regards,
Kristof
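A quick way to catch this class of omission before a port build does, written here as an added example rather than code from the thread or from the FreeBSD tree: the first function parses a GNU-style version script in the layout secure/lib/libcrypto/Version.map uses (a `NAME {` header, one `symbol;` per line, `};` or `} PARENT;` to close, exactly as visible in the patch above) and reports the node each requested symbol is exported under, or MISSING; the second asks the built shared object the same question via nm(1). The version map fed to the demo at the bottom is a constructed fragment, not the real file, and it deliberately lacks d2i_KeyParams.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD source tree.
# Checks which symbols a libcrypto exports: first by parsing a GNU-style
# version script (the layout secure/lib/libcrypto/Version.map uses), then
# by asking the linked shared object through nm(1).

# symbol_node MAP SYMBOL
# Print the version node (e.g. OPENSSL_1_1_0) that exports SYMBOL, or
# nothing if SYMBOL does not appear anywhere in the map.
symbol_node() {
    awk -v sym="$2" '
        # "OPENSSL_1_1_0 {" opens a node; "};" or "} OPENSSL_1_1_0;" closes it
        /^[A-Za-z_][A-Za-z0-9_.]*[ \t]*[{]/ { node = $1; next }
        /^[ \t]*[}]/                        { node = ""; next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # strip indentation
            sub(/[ \t]*;.*$/, "", line)     # strip the ";" and anything after it
            if (node != "" && line == sym) { print node; exit }
        }' "$1"
}

# version_map_check MAP SYMBOL...
# One line per symbol: "<symbol> <node>" or "<symbol> MISSING".
# Returns 1 if any symbol is missing, which is what a consumer would hit
# as an unresolved reference at link time.
version_map_check() {
    map=$1; shift
    rc=0
    for sym in "$@"; do
        node=$(symbol_node "$map" "$sym")
        if [ -n "$node" ]; then
            printf '%s %s\n' "$sym" "$node"
        else
            printf '%s MISSING\n' "$sym"
            rc=1
        fi
    done
    return $rc
}

# so_exports SHARED_OBJECT SYMBOL
# Same question asked of the built library: is SYMBOL defined in its
# dynamic symbol table?  GNU nm may print "sym@@VERSION", hence the sub().
so_exports() {
    nm -D --defined-only "$1" 2>/dev/null |
        awk -v sym="$2" '{ s = $NF; sub(/@.*$/, "", s); if (s == sym) found = 1 }
                          END { exit !found }'
}

# sample_version_map
# A constructed fragment in the Version.map layout (not the real file);
# it lacks d2i_KeyParams on purpose, as the real map did before the patch.
sample_version_map() {
    cat <<'EOF'
OPENSSL_1_1_0 {
        d2i_IPAddressRange;
        d2i_ISSUING_DIST_POINT;
        d2i_NETSCAPE_CERT_SEQUENCE;
};
OPENSSL_3_0_0 {
        EVP_PKEY_fromdata;
} OPENSSL_1_1_0;
EOF
}

# Stand-alone demo: reproduces the report a porter would want to see.
demo() {
    map=${TMPDIR:-/tmp}/Version.map.$$
    sample_version_map > "$map"
    version_map_check "$map" d2i_IPAddressRange EVP_PKEY_fromdata d2i_KeyParams || :
    rm -f "$map"
}
demo
```

Run `version_map_check secure/lib/libcrypto/Version.map d2i_KeyParams d2i_KeyParams_bio` against the real tree to see the miss (and, after the patch, which node the symbols landed in), and `so_exports /usr/lib/libcrypto.so d2i_KeyParams` on an installed system to confirm the shared object agrees with the map.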



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FF6DBAE-F9FC-4D20-81C9-B0E0130DF06E>