Date: Tue, 25 Apr 2023 11:30:03 +0200
From: Baptiste Daroussin
To: Ed Maste
Cc: Konstantin Belousov, freebsd-arch
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

On Mon, Apr 24, 2023 at 01:06:14PM -0400, Ed Maste wrote:
> On Wed, 19 Apr 2023 at 18:08, Konstantin Belousov wrote:
> >
> > On Wed, Apr 19, 2023 at 12:50:59PM -0400, Ed Maste wrote:
> > > A related issue is base system libraries that depend on OpenSSL would
> > > also need to be made private. This includes gssapi, heimdal, and
> > > libfetch.
> > Do ssh and pam in the base depend on the base openssl?
> > If yes, then it still leaks into the applications despite being private.
>
> Yes, I see the following libraries which bring in libssl:
>
> /usr/lib/libprivateldns.so.5
> /usr/lib/libprivatessh.so.5
> /usr/lib/libprivateunbound.so.5
> /usr/lib/pam_ssh.so.6
> /usr/lib/libfetch.so.6
>
> and libcrypto (privatelibs excluded):
>
> /lib/libzfsbootenv.so.1 via inheritance from libzfs.so.4 not directly linked to libcrypto
> /lib/libbe.so.1 via inheritance from libzfs.so.4 not directly linked to libcrypto
> /lib/libzfs.so.4 "only used" for libzfs_crypto
> /usr/lib/pam_zfs_key.so.6
> /usr/lib/libkafs5.so.11
> /usr/lib/libgssapi_ntlm.so.10
> /usr/lib/libarchive.so.7

Ports already use libarchive from ports unconditionally, so not a pb here.
It was due to the fact that libarchive was linked to libmd instead of
libcrypto in the past, and was causing issues when libmd symbols were in
collision with libcrypto (which is fixed since, but the ports tree did not
move). So not a problem here.

> /usr/lib/libkdc.so.11
> /usr/lib/libradius.so.4
> /usr/lib/libgssapi_krb5.so.10
> /usr/lib/libkrb5.so.11
> /usr/lib/libhx509.so.11
> /usr/lib/pam_radius.so.6
> /usr/lib/libssl.so.111
> /usr/lib/libkadm5srv.so.11
> /usr/lib/libkadm5clnt.so.11
> /usr/lib/libhdb.so.11
> /usr/lib/pam_ssh.so.6
> /usr/lib/libheimntlm.so.11
> /usr/lib/libfetch.so.6
> /usr/lib/libmp.so.7
> /usr/lib/pam_krb5.so.6
> /usr/lib/libbsnmp.so.6
> /usr/lib/pam_ksu.so.6
>
> Baptiste reported elsewhere that libfetch's use in ports is very
> limited, so it could easily be made into a private lib.
>
Or even an internallib, considering there will be no consumer left but fetch(1).

best regards,
Bapt
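An added example, not code from the thread or from FreeBSD: a small Python audit that repeats the survey above (which base libraries link libssl/libcrypto, and which only inherit it through another library such as libzfs), driven by a constructed sample of `readelf -d` output so it runs offline; feeding it real `readelf -d` output for every shared object under /lib and /usr/lib repeats the check on a live system.

```python
# Added example (not code from the thread or from FreeBSD): find base
# libraries that pull in OpenSSL, directly or inherited through another
# library, from the DT_NEEDED entries that `readelf -d` prints.
import re
from collections import deque

# Constructed sample of `readelf -d` output per soname; a real run would
# collect these lines from every shared object under /lib and /usr/lib.
NEEDED = " 0x0000000000000001 (NEEDED)             Shared library: [{}]"
SAMPLE_SCAN = {
    "libzfs.so.4": [NEEDED.format("libcrypto.so.111"), NEEDED.format("libc.so.7")],
    "libbe.so.1": [NEEDED.format("libzfs.so.4"), NEEDED.format("libc.so.7")],
    "libfetch.so.6": [NEEDED.format("libssl.so.111"), NEEDED.format("libcrypto.so.111")],
    "libutil.so.9": [NEEDED.format("libc.so.7")],  # constructed: no OpenSSL
}
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")
OPENSSL = ("libssl.so", "libcrypto.so")

def parse_needed(readelf_lines):
    """Return the DT_NEEDED sonames found in `readelf -d` output lines."""
    return [m.group(1) for line in readelf_lines if (m := NEEDED_RE.search(line))]

def openssl_dependency(lib, graph):
    """Shortest chain from lib to libssl/libcrypto, or None if there is none.
    One element means a direct link; more means it is inherited."""
    parent, queue = {lib: None}, deque([lib])
    while queue:
        cur = queue.popleft()
        for dep in graph.get(cur, []):
            if dep in parent:  # already seen; also stops on cycles
                continue
            parent[dep] = cur
            if dep.startswith(OPENSSL):
                chain = [dep]  # walk parents back to (not including) lib
                while parent[chain[-1]] != lib:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            queue.append(dep)
    return None

def audit(scan):
    """Map each library that depends on OpenSSL to its dependency chain."""
    graph = {lib: parse_needed(lines) for lib, lines in scan.items()}
    return {lib: c for lib in sorted(graph) if (c := openssl_dependency(lib, graph))}

if __name__ == "__main__":
    for lib, chain in audit(SAMPLE_SCAN).items():
        how = "directly" if len(chain) == 1 else "via " + " -> ".join(chain[:-1])
        print(f"{lib}: links {chain[-1]} {how}")
```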