Date:      Wed, 05 Jul 2023 23:56:42 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Ed Maste <emaste@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org, Mark Johnston <markj@freebsd.org>
Subject:   Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9
Message-ID:  <4FF6DBAE-F9FC-4D20-81C9-B0E0130DF06E@FreeBSD.org>
In-Reply-To: <202306232319.35NNJsPv044302@gitrepo.freebsd.org>
References:  <202306232319.35NNJsPv044302@gitrepo.freebsd.org>


On 24 Jun 2023, at 1:19, Ed Maste wrote:
> The branch main has been updated by emaste:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
>
> commit b077aed33b7b6aefca7b17ddb250cf521f938613
> Merge: b08ee10c0646 b84c4564effd
> Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
> AuthorDate: 2023-06-23 22:53:35 +0000
> Commit:     Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2023-06-23 22:53:36 +0000
>
>     Merge OpenSSL 3.0.9
>
>     Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0.  OpenSSL 1.1.1 (the
>     version we were previously using) will be EOL as of 2023-09-11.
>
>     Most of the base system has already been updated for a seamless switch
>     to OpenSSL 3.0.  For many components we've added
>     `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
>     which avoids deprecation warnings from OpenSSL 3.0.  Changes have also
>     been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
>     1.1.1.  The process of updating to contemporary APIs can continue after
>     this merge.
>
>     Additional changes are still required for libarchive and Kerberos-
>     related libraries or tools; workarounds will immediately follow this
>     commit.  Fixes are in progress in the upstream projects and will be
>     incorporated when those are next updated.
>
>     There are some performance regressions in benchmarks (certain tests in
>     `openssl speed`) and in some OpenSSL consumers in ports (e.g.  haproxy).
>     Investigation will continue for these.
>
>     Netflix's testing showed no functional regression and a rather small,
>     albeit statistically significant, increase in CPU consumption with
>     OpenSSL 3.0.
>
>     Thanks to ngie@ and des@ for updating base system components, to
>     antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
>     Netflix and everyone who tested prior to commit or contributed to this
>     update in other ways.
>
>     PR:             271615
>     PR:             271656 [exp-run]
>     Relnotes:       Yes
>     Sponsored by:   The FreeBSD Foundation
>

It looks like we missed adding a file.
Security/opensc doesn’t build any more: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270076

It fails to find d2i_KeyParams when linking. The opensc code does this:

	#if OPENSSL_VERSION_NUMBER < 0x30000000L
		if (!d2i_ECParameters(&ec, &a, (long)len))
			util_fatal("cannot parse EC_PARAMS");
		EVP_PKEY_assign_EC_KEY(pkey, ec);
	#else
		if (!d2i_KeyParams(EVP_PKEY_EC, &pkey, &a, len))
			util_fatal("cannot parse EC_PARAMS");
	#endif

d2i_KeyParams() appears to be new on openssl 3. It’s defined in d2i_param.c, which we don’t build. I’ve tested with this patch, and that appears to fix things:

	diff --git a/secure/lib/libcrypto/Makefile 
b/secure/lib/libcrypto/Makefile
	index 28258e796984..ef5652e8c27c 100644
	--- a/secure/lib/libcrypto/Makefile
	+++ b/secure/lib/libcrypto/Makefile
	@@ -74,7 +74,7 @@ SRCS+=        n_pkey.c nsseq.c p5_pbe.c p5_pbev2.c 
p5_scrypt.c p8_pkey.c
	 SRCS+= t_bitst.c t_pkey.c t_spki.c tasn_dec.c tasn_enc.c tasn_fre.c
	 SRCS+= tasn_new.c tasn_prn.c tasn_scn.c tasn_typ.c tasn_utl.c 
x_algor.c
	 SRCS+= x_bignum.c x_info.c x_int64.c x_long.c x_pkey.c x_sig.c 
x_spki.c
	-SRCS+= x_val.c
	+SRCS+= x_val.c d2i_param.c

	 # async
	 SRCS+= async.c async_err.c async_posix.c async_wait.c
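Review bot: the commit message for this hunk should say why d2i_param.c is being added (the d2i_KeyParams link failure in Security/opensc, PR 270076) and that the file was simply omitted from the SRCS list when the OpenSSL 3.0.9 sources were merged; a one-word change to `SRCS+= x_val.c d2i_param.c` is easy to misread later as an unrelated cleanup. Placement looks right: it lands at the end of the asn1 group, just before the `# async` block visible in the trailing context. It is also worth stating that this change and the Version.map change must land together, since Version.map decides which of the compiled symbols the shared libcrypto actually exports.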
	diff --git a/secure/lib/libcrypto/Version.map 
b/secure/lib/libcrypto/Version.map
	index 421819324961..74d0b8b3cef1 100644
	--- a/secure/lib/libcrypto/Version.map
	+++ b/secure/lib/libcrypto/Version.map
	@@ -3564,6 +3564,8 @@ OPENSSL_1_1_0 {
	         d2i_IPAddressOrRange;
	         d2i_IPAddressRange;
	         d2i_ISSUING_DIST_POINT;
	+        d2i_KeyParams;
	+        d2i_KeyParams_bio;
	         d2i_NETSCAPE_CERT_SEQUENCE;
	         d2i_NETSCAPE_SPKAC;
	         d2i_NETSCAPE_SPKI;
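Review bot: both entries are being added under the `OPENSSL_1_1_0 {` version block shown in the hunk header, yet the mail itself says d2i_KeyParams is new in OpenSSL 3; check whether this Version.map has a newer block for symbols introduced with the 3.0 merge and, if so, put `d2i_KeyParams;` and `d2i_KeyParams_bio;` there so the symbol version reflects when the interface appeared. If the 3.0 merge deliberately kept every symbol under the 1.1.0 tag, one sentence in the commit message saying so would save the next reviewer the same question. Alphabetical placement between d2i_ISSUING_DIST_POINT and d2i_NETSCAPE_CERT_SEQUENCE is correct.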

Best regards,
Kristof
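A check that would have caught this class of omission, as an added example that is not from the mail or from FreeBSD's tree: it parses a Version.map-style linker script and compares it against the symbols a built library actually defines and against what a consumer such as opensc needs. The map fragment and the `nm` listing are constructed sample data; the file and symbol names come from the thread above.

```python
# Added example, not from the mail or the FreeBSD tree: diff a Version.map-style
# linker script against `nm -D --defined-only` output so a build fails early when
# a listed symbol was never compiled in, or when a consumer (opensc here) needs a
# symbol the map does not export. Both inputs below are constructed sample data.
VERSION_MAP = """\
OPENSSL_1_1_0 {
    global:
        d2i_ISSUING_DIST_POINT;
        d2i_KeyParams;
        d2i_KeyParams_bio;
        d2i_NETSCAPE_CERT_SEQUENCE;
    local: *;
};
"""

# Simulates a libcrypto built without d2i_param.c: no d2i_KeyParams symbols.
NM_OUTPUT = """\
0000000000123470 T d2i_ISSUING_DIST_POINT
0000000000123480 T d2i_NETSCAPE_CERT_SEQUENCE
0000000000123490 T d2i_ECParameters
"""

def parse_version_map(text):
    """Return {symbol: version_tag} for every entry in a `global:` section."""
    symbols, tag, in_global = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):                 # e.g. "OPENSSL_1_1_0 {"
            tag, in_global = line[:-1].strip(), False
        elif line.startswith("global:"):
            in_global = True
        elif line.startswith(("local:", "}")):
            in_global = False
        elif in_global and line.endswith(";"):
            symbols[line[:-1].strip()] = tag
    return symbols

def parse_nm(text):
    """Return the set of defined global symbols from `nm -D` style output."""
    return {p[2] for p in (l.split() for l in text.splitlines())
            if len(p) == 3 and p[1] in ("T", "D", "B", "R", "W")}

def check(version_map, nm_output, required=()):
    """Symbols the map lists but the build lacks, and symbols a consumer
    needs that the map does not export (the opensc link failure above)."""
    mapped, exported = parse_version_map(version_map), parse_nm(nm_output)
    return {
        "listed_but_not_built": sorted(s for s in mapped if s not in exported),
        "required_but_not_exported": sorted(s for s in required if s not in mapped),
    }
```

Run against a real tree by feeding it the contents of Version.map and the output of `nm -D --defined-only libcrypto.so`, with `required` taken from the undefined references the failing consumer reports.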