From nobody Thu May 4 03:38:00 2023 X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QBffQ64yPz49ZjC for ; Thu, 4 May 2023 03:38:06 +0000 (UTC) (envelope-from yaneurabeya@gmail.com) Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QBffQ3rL7z3HZg; Thu, 4 May 2023 03:38:06 +0000 (UTC) (envelope-from yaneurabeya@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-pf1-x430.google.com with SMTP id d2e1a72fcca58-63b5465fc13so40889b3a.3; Wed, 03 May 2023 20:38:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683171484; x=1685763484; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=BoYi5FGfvsn+XZxGo6C9YRH1AoZuFRTV704HlUB2BU8=; b=ErhDtim6K0CgcYSWJ2YnkHdj1lYoLa8P7mqul4NGr16sA1y84/zzWvHDRUzhY/Nwaq WL+ukN7XaaBOT8tOdFaGHnuc7DGTN/jYx1+zAm44LxGk2UDoxz8k5WfFd1BIA1ufog/Y 96Rajs6uyNCGC9t2wqefRCa3+bD9wmU93iiWSOaUcNQkHMosv8pBuCFWkVnnLgITRj4I XF5CB5UczmpHLslcby+2+TXaXiqJ5d+YotPVELCIwpkX1JdmRVSMFGWsJ5lbHlWEsEl8 9b92805gZsFtHBhcnRT9fYobEcvT9ZG1wJ2Z3LCiu06V1EtfQLgrOTK1mGL+YeYU+Wro NI2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683171484; x=1685763484; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BoYi5FGfvsn+XZxGo6C9YRH1AoZuFRTV704HlUB2BU8=; b=XgFfyLKmbhn3vUCSBFWH1BY67tHC69lmMThlGKxv0MMD/CH8sr3QqGhhLh3nBOn6U5 D74e6gwH6BfdTDHo9yLxlgDkTci5M/uqvvRFmBNWLMkatjKmn/FYKmOBoHIg+SzcwENJ ss3bAwZ1AYaBH+U0cjBUHk0NLzAt8YL0R+2Xl/g22q4mTd57LIru0G3/4AK0YiOdGgWQ CFzlHNKmhNIeCfJxSco0d4XqVD10boyo1xCduQNIa0yPua4qzaonbAd4dD/tCNgkoHpA 4iSadbBSGrhSImV6rXm4J3yxn2V7VxoWmSafkN5A7wztKx3l9Y1n5WTStNIYSjZV6GP6 cb+w== X-Gm-Message-State: AC+VfDxa8WUZu80BU5hMQAbgN7MNUu7+imrFM9mcEarDnLBT94KY0LZ9 g8U+XXgf6/jOkzv0G2k/g08w6vfD5rK8uA== X-Google-Smtp-Source: ACHHUZ4PfxdTu7XHKpBptp/R+M3H5ndZmJ5/bd5Q9Vaw556RlEuzeOTKFpyeXkOjjEegfUXt8AjjlA== X-Received: by 2002:a05:6a20:8f1e:b0:ee:5625:662f with SMTP id b30-20020a056a208f1e00b000ee5625662fmr1061993pzk.22.1683171483588; Wed, 03 May 2023 20:38:03 -0700 (PDT) Received: from smtpclient.apple (c-73-19-52-228.hsd1.wa.comcast.net. [73.19.52.228]) by smtp.gmail.com with ESMTPSA id 69-20020a621948000000b00634dde2992bsm24295830pfz.132.2023.05.03.20.38.02 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 03 May 2023 20:38:02 -0700 (PDT) From: Enji Cooper Message-Id: <0CA43F8D-E320-4537-AD89-5D10D21D31D8@gmail.com> Content-Type: multipart/signed; boundary="Apple-Mail=_137487B1-2513-48EF-B3CA-C852D95A0D13"; protocol="application/pgp-signature"; micalg=pgp-sha256 List-Id: Discussion related to FreeBSD architecture List-Archive: https://lists.freebsd.org/archives/freebsd-arch List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-arch@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.3\)) Subject: Re: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc Date: Wed, 3 May 2023 20:38:00 -0700 In-Reply-To: Cc: Pierre Pronchery , freebsd-arch@freebsd.org To: John Baldwin References: <12f8559c-d696-5344-98d5-1751d04088af@FreeBSD.org> X-Mailer: Apple Mail (2.3696.120.41.1.3) X-Rspamd-Queue-Id: 4QBffQ3rL7z3HZg X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_137487B1-2513-48EF-B3CA-C852D95A0D13 Content-Type: multipart/alternative; boundary="Apple-Mail=_C598F332-56AE-4CA6-A5BD-E944CA65F837" --Apple-Mail=_C598F332-56AE-4CA6-A5BD-E944CA65F837 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 > On May 3, 2023, at 4:54 PM, John Baldwin wrote: >=20 > On 5/3/23 4:02 PM, Pierre Pronchery wrote: >> Hi everyone, >> On 5/2/23 23:24, John Baldwin wrote: >>> On 5/2/23 2:59 AM, Antoine Brodin wrote: >>>> On Tue, May 2, 2023 at 1:55=E2=80=AFAM Enji Cooper = wrote: >>>>>=20 >>>>> Hello, >>>>> One of the must-haves for 14.0-RELEASE is the introduction of = OpenSSL >>>>> 3.0 into the base system. This is a must because, in short, = OpenSSL >>>>> 1.1 is no longer supported as of 09/26/2023 [1]. >>>>>=20 >>>>> I am proposing OpenSSL be made private along with all dependent >>>>> libraries, for the following reasons: >>>>> 1. More than a handful of core ports, e.g., = security/py-cryptography >>>>> [2] [3], still do not support OpenSSL 3.0. >>>>> i. If other dependent ports (like lang/python38, etc) move to = OpenSSL >>>>> 3, the distributed modules would break on load due to clashing >>>>> symbols if the right mix of modules were dlopen=E2=80=99ed in a = specific >>>>> order (importing ssl, then importing hazmat=E2=80=99s crypto would = fail). >>>>> ii. Such ports should be deprecated/marked broken as I=E2=80=99ve = recommended >>>>> on the 3.0 exp-run PR [4]. >>>>> 2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking = in >>>>> both libraries at runtime impossible without resorting to a number = of >>>>> linker tricks hiding the namespaces using symbol prefixing of = public >>>>> symbols, etc. >>>>>=20 >>>>> The libraries which would need to be made private are as follows: >>>>> - kerberos >>>>> - libarchive >>>>> - libbsnmp >>>>> - libfetch [5] >>>>> - libgeli >>>>> - libldns >>>>> - libmp >>>>> - libradius >>>>> - libunbound >>>>=20 >>>> In my opinion this is a huge amount of work a few weeks before the >>>> release. Focusing on updating OpenSSL and those core ports may be >>>> simpler. >>>=20 >>> This is my view. I think making OpenSSL private is a very huge = task, and >>> fraught with peril in ways that haven't been thought about yet (e.g. = PAM) >>> and that we can't hold up OpenSSL 3 while we wait for this. = Instead, I >>> think >>> we need to be moving forward with OpenSSL 3 in base as-is. We will = have to >>> fix ports to work with OpenSSL 3 regardless (though this does make = that >>> pain >>> in ports happen sooner). Moving libraries private can happen = orthogonally >>> with getting base to work with OpensSL 3. >> I have started to look at updating OpenSSL to version 3.0.8 in base, >> using the existing vendor/openssl-3.0 branch. >> My progress can be found at >> https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0. I >> regularly force-push to keep a consistent and nice commit history, >> before possibly applying for a merge. >> So far the status is: >> - libssl, libcrypto build on amd64, i386, less sure about aarch64, = other >> architectures not tested >> - libfetch builds, uses libmd in addition to OpenSSL >> - libradius builds, same thing >> - libarchive builds >> - libunbound builds, but not unbound >> - libmp builds >> I used libmd to reach a buildable status faster, since the equivalent >> MD5_*() API is now deprecated in OpenSSL 3. If MD5 is still allowed = in >> OpenSSL 3, we can avoid the dependency on libmd again. (anyone got >> sample code for this?) >=20 > You can use the EVP_* API if desired. tools/cryto/cryptocheck.c has = examples > of using the EVP_* APIs for both "plain" hashes and HMAC constructions I'll echo this as well. This is what the library maintainers recommend = for crypto primitive algorithm =E2=80=9Cagility=E2=80=9D. Cheers, -Enji --Apple-Mail=_C598F332-56AE-4CA6-A5BD-E944CA65F837 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8
On = May 3, 2023, at 4:54 PM, John Baldwin <jhb@FreeBSD.org> = wrote:

On 5/3/23 4:02 PM, Pierre Pronchery wrote:
Hi = everyone,
On 5/2/23 23:24, John Baldwin wrote:
On 5/2/23 2:59 AM, = Antoine Brodin wrote:
On Tue, May 2, 2023 at 1:55=E2=80=AFAM Enji Cooper <yaneurabeya@gmail.com> wrote:

Hello,
One of the = must-haves for 14.0-RELEASE is the introduction of OpenSSL
3.0 into the base system. This is a must because, in short, = OpenSSL
1.1 is no longer supported as of 09/26/2023 = [1].

I am proposing OpenSSL be made private = along with all dependent
libraries, for the following = reasons:
1. More than a handful of core ports, e.g., = security/py-cryptography
[2] [3], still do not support = OpenSSL 3.0.
i. If other dependent ports (like = lang/python38, etc) move to OpenSSL
3, the distributed = modules would break on load due to clashing
symbols if the = right mix of modules were dlopen=E2=80=99ed in a specific
order (importing ssl, then importing hazmat=E2=80=99s crypto = would fail).
ii. Such ports should be deprecated/marked = broken as I=E2=80=99ve recommended
on the 3.0 exp-run PR = [4].
2. OpenSSL 1.1 and 3.0 have clashing symbols, which = makes linking in
both libraries at runtime impossible = without resorting to a number of
linker tricks hiding the = namespaces using symbol prefixing of public
symbols, = etc.

The libraries which would need to be = made private are as follows:
- kerberos
- = libarchive
- libbsnmp
- libfetch [5]
- libgeli
- libldns
- libmp
- libradius
- libunbound

In my opinion this is a huge = amount of work a few weeks before the
release.  = Focusing on updating OpenSSL and those core ports may be
simpler.

This is my = view.  I think making OpenSSL private is a very huge task, and
fraught with peril in ways that haven't been thought about = yet (e.g. PAM)
and that we can't hold up OpenSSL 3 while = we wait for this.  Instead, I
think
we = need to be moving forward with OpenSSL 3 in base as-is.  We will = have to
fix ports to work with OpenSSL 3 regardless = (though this does make that
pain
in ports = happen sooner).  Moving libraries private can happen = orthogonally
with getting base to work with OpensSL 3.
I have started to look at updating OpenSSL to = version 3.0.8 in base,
using the existing = vendor/openssl-3.0 branch.
My progress can be found at
https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0= . I
regularly force-push to keep a consistent and nice = commit history,
before possibly applying for a merge.
So far the status is:
- libssl, libcrypto build = on amd64, i386, less sure about aarch64, other
architectures= not tested
- libfetch builds, uses libmd in addition to = OpenSSL
- libradius builds, same thing
- = libarchive builds
- libunbound builds, but not unbound
- libmp builds
I used libmd to reach a = buildable status faster, since the equivalent
MD5_*() API = is now deprecated in OpenSSL 3. If MD5 is still allowed in
OpenSSL 3, we can avoid the dependency on libmd again. = (anyone got
sample code for this?)

You can use the EVP_* API if desired. =  tools/cryto/cryptocheck.c has examples
of using the EVP_* APIs for both = "plain" hashes and HMAC constructions

I'll echo this as well. This is what the = library maintainers recommend for crypto primitive algorithm = =E2=80=9Cagility=E2=80=9D.
Cheers,
-Enji
= --Apple-Mail=_C598F332-56AE-4CA6-A5BD-E944CA65F837-- --Apple-Mail=_137487B1-2513-48EF-B3CA-C852D95A0D13 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEtvtxN6kOllEF3nmX5JFNMZeDGN4FAmRTKJkACgkQ5JFNMZeD GN71jQ/+NE9kOX+9cWIZVEAiKxdVZ819KQh1xX7f0+05aTzZD+JvyNBnytDJPOkF ORn1x04nQvVcrAS1RQSMfIfsUJuh5p4uPV7UvyLYTR8UWuz9wrLywEPrcQTq8LVb FrYNz8F2Sk887WTB1e+uaxUDcLzWNhAf0Yp3YesHV30TiX2gkQnIrmKP/ANMReTO Lt2LTtpQTNmMfug6eB418goTEIKBDuaJlynTGgeFObO/fuvfXZD4R+/JCYzVEOm7 RjnbRoMTKd9UCElWMHTaVr2BQpa3pWixk/VNJJs2xGDGnawn1RLLOvSehwF+8R2R gWYlpvLliQnG24ew5y2ctnIcb8Z6fqv2OUIhcW1VngpGDmwiPMtbuDr3jVo0r+Eh x8NyUQkONjOnsPpJEc8OEPZM4KnaN3FZ6QMMCeHv7q7WZ64KSNWPPhIRysIyeTfV i/fwZgDvgcMJOpBgTKXJQ5d61WxxHkNpj92RXTz9OmXk57adpy5kYuytoT46XOSe BJHVJrAXiogByeFaMo8OmaLlSFgUd4cBz8oZIsOjcmbMS1CvSNLVTgVxIudZNE7e wLDD4PqxmDbggGn+p4ft28fTFPbzAw6JZ6+UGsu/7YVUawX2GoTZaiwO5TdXBn8T csW8QkYB5fgUB/C82L2Aze2i18WcP6XmkzXSZ5pOFEz3Ume5yUU= =5yrL -----END PGP SIGNATURE----- --Apple-Mail=_137487B1-2513-48EF-B3CA-C852D95A0D13--