From: Enji Cooper
To: Pierre Pronchery
Cc: freebsd-arch@freebsd.org, andrew@freebsd.org
Subject: Re: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc
Date: Thu, 4 May 2023 09:30:45 -0700
Message-Id: <4D1AF540-5A02-45A2-8DD0-70209F639C66@gmail.com>
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
> On May 3, 2023, at 16:10, Pierre Pronchery wrote:
>
> Hi everyone,
>
>> On 5/2/23 23:24, John Baldwin wrote:
>>> On 5/2/23 2:59 AM, Antoine Brodin wrote:
>>> On Tue, May 2, 2023 at 1:55 AM Enji Cooper wrote:
>>>>
>>>> Hello,
>>>> One of the must-haves for 14.0-RELEASE is the introduction of OpenSSL 3.0 into the base system. This is a must because, in short, OpenSSL 1.1 is no longer supported as of 09/26/2023 [1].
>>>>
>>>> I am proposing OpenSSL be made private along with all dependent libraries, for the following reasons:
>>>> 1. More than a handful of core ports, e.g., security/py-cryptography [2] [3], still do not support OpenSSL 3.0.
>>>> i. If other dependent ports (like lang/python38, etc) move to OpenSSL 3, the distributed modules would break on load due to clashing symbols if the right mix of modules were dlopen’ed in a specific order (importing ssl, then importing hazmat’s crypto would fail).
>>>> ii. Such ports should be deprecated/marked broken as I’ve recommended on the 3.0 exp-run PR [4].
>>>> 2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking in both libraries at runtime impossible without resorting to a number of linker tricks hiding the namespaces using symbol prefixing of public symbols, etc.
>>>>
>>>> The libraries which would need to be made private are as follows:
>>>> - kerberos
>>>> - libarchive
>>>> - libbsnmp
>>>> - libfetch [5]
>>>> - libgeli
>>>> - libldns
>>>> - libmp
>>>> - libradius
>>>> - libunbound
>>>
>>> In my opinion this is a huge amount of work a few weeks before the
>>> release. Focusing on updating OpenSSL and those core ports may be
>>> simpler.
>> This is my view. I think making OpenSSL private is a very huge task, and
>> fraught with peril in ways that haven't been thought about yet (e.g. PAM)
>> and that we can't hold up OpenSSL 3 while we wait for this. Instead, I think
>> we need to be moving forward with OpenSSL 3 in base as-is. We will have to
>> fix ports to work with OpenSSL 3 regardless (though this does make that pain
>> in ports happen sooner). Moving libraries private can happen orthogonally
>> with getting base to work with OpenSSL 3.
>
> I have started to look at updating OpenSSL to version 3.0.8 in base, using the existing vendor/openssl-3.0 branch.
>
> My progress can be found at https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0. I regularly force-push to keep a consistent and nice commit history, before possibly applying for a merge.
>
> So far the status is:
>
> - libssl, libcrypto build on amd64, i386, less sure about aarch64, other architectures not tested
> - libfetch builds, uses libmd in addition to OpenSSL
> - libradius builds, same thing
> - libarchive builds
> - libunbound builds, but not unbound
> - libmp builds
>
> I used libmd to reach a buildable status faster, since the equivalent MD5_*() API is now deprecated in OpenSSL 3. If MD5 is still allowed in OpenSSL 3, we can avoid the dependency on libmd again. (anyone got sample code for this?)
>
> Meanwhile I keep trying to build the rest of the system, hopefully in time for a possible inclusion in -14.
>
> Reviews and tests on the whole thing will be more than welcome in any case!

I’ll take a look at your fork/branch and pitch in some of the areas you mentioned above where you switched to libmd, etc.

One thing that I noticed which was potentially a sticking point was the aarch64 support. I’m not sure if you ran into this as well, but someone with aarch64/arm64 expertise will need to help validate the branch/changes on that platform family.

Thanks!
-Enji