Date:      Sun, 13 Aug 2023 21:04:29 -0700
From:      Mark Millard <marklmi@yahoo.com>
To:        Gleb Popov <arrowd@freebsd.org>, Current FreeBSD <freebsd-current@freebsd.org>
Subject:   Re: OpenSSL 3 ports fallout
Message-ID:  <A8620D5E-4A89-46EC-88FB-716852DC6D82@yahoo.com>
References:  <A8620D5E-4A89-46EC-88FB-716852DC6D82.ref@yahoo.com>

Gleb Popov <arrowd_at_freebsd.org> wrote on
Date: Sun, 13 Aug 2023 20:30:48 UTC :

> Some of the ports I'm using are failing to build after OpenSSL 3
> import due to the following problem. OpenSSL headers that are shipped
> in base contain declarations of various deprecated functions for which
> libcrypto.so doesn't contain definitions. Some of them are
> RSA_generate_key and ERR_* family. These declarations aren't guarded
> by any #ifdef and are visible for ports software. VirtualBox and
> net-p2p/cardano-node detect these functions, try to use them and then
> fail to link due to undefined references. I believe this should be
> fixed in the base rather than patching each port?


FreeBSD ports is using a 2021-08-24 version of cryptography/hazmat/ for
which there have long been more recent versions that no longer have
the kind of issue below:

  File "/usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /usr/local/lib/python3.9/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: Undefined symbol "ERR_GET_FUNC"

From what I wrote on the lists back on 2023-Jul-10:

QUOTE
In use: security/py-cryptography is at 3.4.8 (2021-08-24)
Vintage fixed: 35.0.0 of cryptography dates back to 2021-09-29.
Current for cryptography is 41.0.1 (2023-06-01).
END QUOTE

The full fix is inside cryptography, not in the environments that
use it (such as FreeBSD).

To me it looks like the tradeoffs now in place suggest adjusting
the constraints that are stopping progressing past 3.4.8 in ports,
even if there are some other consequences for some people.

Note: The above message is from a broken kyua test's backtrace. A
bunch of kyua testing involves use of python and ends up with
cryptography/hazmat/ involved (and, so, the python is broken in
some way).

===
Mark Millard
marklmi at yahoo.com
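
Added example, not part of the message above and not code from FreeBSD or the cryptography project: a small check that lists which libcrypto-style symbols a module imports but a given libcrypto.so does not export, which is the condition behind both the link failures and the ImportError discussed in this thread. The `nm -D` listings embedded below are constructed samples (not output from a real system), and the function names and the prefix list are assumptions made for the illustration.

```python
# Added example. Both listings are CONSTRUCTED samples in `nm -D` layout;
# they do not describe the contents of any real libcrypto.so.

# Dynamic symbols of an extension module: undefined entries carry no address.
MODULE_NM = """\
                 U ERR_GET_FUNC
                 U ERR_get_error
                 U RSA_generate_key
                 U malloc
0000000000012340 T PyInit__openssl
"""

# Dynamic symbols exported by the libcrypto.so the module would load against.
LIBCRYPTO_NM = """\
00000000000a1000 T ERR_get_error@@OPENSSL_3.0.0
00000000000b2000 T RSA_generate_key_ex@@OPENSSL_3.0.0
00000000000c3000 T EVP_DigestInit_ex@@OPENSSL_3.0.0
"""


def parse_nm(text):
    """Return (defined, undefined) sets of symbol names from `nm -D` output."""
    defined, undefined = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:            # address, type, name -> defined here
            target, name = defined, parts[2]
        elif len(parts) == 2:          # type, name (no address) -> imported
            target, name = undefined, parts[1]
        else:
            continue                   # blank or unrecognised line
        target.add(name.split("@", 1)[0])   # drop any symbol-version suffix
    return defined, undefined


def unresolved_crypto_symbols(module_nm, lib_nm,
                              prefixes=("ERR_", "RSA_", "EVP_")):
    """Imports with a libcrypto-style prefix that the library does not export.

    The prefix filter (an assumption of this example) skips imports such as
    malloc that other libraries are expected to satisfy.
    """
    lib_defined, _ = parse_nm(lib_nm)
    _, wanted = parse_nm(module_nm)
    return sorted(s for s in wanted
                  if s.startswith(prefixes) and s not in lib_defined)


if __name__ == "__main__":
    for sym in unresolved_crypto_symbols(MODULE_NM, LIBCRYPTO_NM):
        print("not exported by libcrypto:", sym)
```

On a real system the two strings would be replaced by the `nm -D` output of the module and of the library in question.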



