To: freebsd-current@freebsd.org
From: Pierre Pronchery
Subject: Re: OpenSSL legacy provider is broken
Date: Thu, 14 Aug 2025 11:08:13 -0000 (UTC)
Message-ID: <107kg2t$15kf$1@ciao.gmane.io>
References: <5FCF8EF0-4473-40E9-94D2-FA5AD96D2418@defora.org> <4927c49f-5a92-415e-bc3c-6618e852a5d8@gmail.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Hey Ian, (ngie@, current@)

On Wed, 13 Aug 2025 21:33:37 -0400, Ian FREISLICH wrote:

> On 2025-08-13 21:26, Ian FREISLICH wrote:
>> On 2025-08-10 06:53, Pierre Pronchery wrote:
>>> Hey,
>>>
>>>> On 10 Aug 2025, at 04:32, Enji Cooper (yaneurabeya) wrote:
>>>>
>>>>
>>>>> On Aug 9, 2025, at 7:08 AM, Ian FREISLICH wrote:
>>>>>
>>>>> Previously this worked
>>>>>
>>>>> [brane] /usr/ports # openssl list -providers -provider legacy
>>>>> Providers:
>>>>> legacy
>>>>>    name: OpenSSL Legacy Provider
>>>>>    version: 3.0.16
>>>>>    status: active
>>>>>
>>>>> Since the build last night,
>>>>>
>>>>> [router] /usr/ports/net/freeradius3 # openssl list -providers -provider legacy
>>>>> list: unable to load provider legacy
>>>>> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
>>>>> 10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
>>>>> 10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
>>>>> 10B045DBE7340000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
>>>>>
>>>>> and freeradius doesn't start because of this:
>>>>>
>>>>> [router] /usr/ports/net/freeradius3 # radiusd -fX
>>>>> FreeRADIUS Version 3.2.7 ...
>>>>> (TLS) Failed loading legacy provider
>>>>>
>>>>> I haven't yet figured out what part of my EAP configuration needs
>>>>> the legacy provider. It may be that EAP just needs a working legacy
>>>>> provider because it looks like the EAP module unconditionally
>>>>> attempts to load the provider and fails.
>>>
>>> It could well be that it does.
>>>
>>> Regardless I didn’t mean to break the legacy provider, but it’s
>>> certainly because of the OpenSSL 3.5.1 import. Sorry!
>>>
>>> I have pushed a partial fix here, and will keep pushing to that branch
>>> until I get it to work fully again:
>>> https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.5.1-legacy
>>
>> That fixes this missing symbol, but here's the next error:
>>
>> [router] ~ # openssl list -providers -provider legacy
>> list: unable to load provider legacy
>> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
>> 10B0E52D30440000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_param_find_pidx"
>> 10B0E52D30440000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
>> 10B0E52D30440000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
>>
>> Is there a target/directory I can make in that will compile just
>> this? The no clean default on buildworld doesn't seem to work and
>> compiling everything takes forever.
>
> Replying to myself... This seems to fix it
>
> --- a/secure/lib/libcrypto/modules/legacy/Makefile +++ > b/secure/lib/libcrypto/modules/legacy/Makefile @@ -1,7 +1,7 @@ > SHLIB_NAME?= legacy.so LIBADD= crypto > > -SRCS+= legacyprov.c prov_running.c +SRCS+= legacyprov.c prov_running.c > params_idx.c > > # ciphers SRCS+= ciphercommon.c ciphercommon_hw.c ciphercommon_block.c > \ > @@ -22,10 +22,12 @@ SRCS+= md4_prov.c wp_prov.c ripemd_prov.c > > # kdfs SRCS+= pbkdf1.c > +SRCS+= pvkkdf.c > > .include > > .PATH: ${LCRYPTO_SRC}/providers/implementations/ciphers \ > ${LCRYPTO_SRC}/providers/implementations/digests \ > ${LCRYPTO_SRC}/providers/implementations/kdfs \ > - ${LCRYPTO_SRC}/ssl + ${LCRYPTO_SRC}/ssl \ > + ${LCRYPTO_SRC}/crypto

Thank you for looking into this; I have created a new review in
Phabricator to track this issue:
https://reviews.freebsd.org/D51897

You will see there that while it cures the remaining symptoms, adding
params_idx.c to the list of files built into legacy.so may not be the
most correct fix. We can use this review for gathering expertise on the
matter, and prepare the corresponding commit.

Cheers & HTH,
--
khorben
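
Review bot: In the first hunk (@@ -1,7 +1,7 @@), the changed SRCS line compiles params_idx.c into legacy.so although the context line above it already has "LIBADD= crypto", so the module ends up with its own copy of the code behind ossl_param_find_pidx instead of resolving it from libcrypto. If the duplication is deliberate because the symbol is not reachable from the shared library, a Makefile comment next to the SRCS line saying so would help; otherwise it is worth establishing why the symbol does not resolve through libcrypto before building a second copy into the module.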
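
Review bot: In the second hunk (@@ -22,10 +22,12 @@), appending "${LCRYPTO_SRC}/crypto" to .PATH makes that whole directory searchable for every name in SRCS, while the only new file that appears to need it is params_idx.c (pvkkdf.c is added under "# kdfs", whose directory is already listed). A comment naming the file that requires the extra directory, and keeping it last in .PATH so the provider directories take precedence on any name clash, would make the intent clear. As a style point, pvkkdf.c could join the existing "SRCS+= pbkdf1.c" line rather than getting a separate SRCS+= line.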
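
The "Undefined symbol" failures quoted in this thread can be caught before the module is ever loaded by comparing what legacy.so imports with what its libraries export. The script below is an added example, not part of the original message or of the FreeBSD tree; the function names, the .nm file names and the sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example: report symbols a provider module imports that none of the
# given libraries export. On a real system the listings would come from e.g.
#   nm -D --undefined-only /usr/lib/ossl-modules/legacy.so > legacy.nm
#   nm -D --defined-only   <path to libcrypto.so>           > crypto.nm

# missing_symbols MODULE_LISTING LIB_LISTING...
missing_symbols() {
    mod=$1; shift
    awk -v mod="$mod" '
        NF < 2 { next }                           # blank lines, file banners
        { sym = $NF; sub(/@.*$/, "", sym) }       # drop @VERSION / @@VERSION
        FILENAME == mod {                         # module: hard imports only,
            if ($(NF-1) == "U") need[sym] = 1     # weak (w) refs may stay unbound
            next
        }
        $(NF-1) ~ /^[TDBRWVi]$/ { have[sym] = 1 } # library: exported definitions
        END { for (s in need) if (!(s in have)) print s }
    ' "$mod" "$@" | sort
}

# Constructed sample listings, modelled on the second error in the thread.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/legacy.nm" <<'EOF'
                 U EVP_MD_fetch
                 U memcpy
                 U ossl_param_find_pidx
                 w _ITM_deregisterTMCloneTable
EOF
    cat > "$d/crypto.nm" <<'EOF'
00000000001a2b30 T EVP_MD_fetch@@OPENSSL_3.0.0
00000000002c4d10 T OSSL_PROVIDER_load@@OPENSSL_3.0.0
EOF
    cat > "$d/libc.nm" <<'EOF'
0000000000091f40 T memcpy@@FBSD_1.0
EOF
    missing_symbols "$d/legacy.nm" "$d/crypto.nm" "$d/libc.nm"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

An empty result means every hard import of the module is exported by one of the listed libraries; any name printed is one the runtime linker would reject when the provider is loaded.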