From: Kristof Provost
To: Ed Maste
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org, Mark Johnston
Subject: Re: git: b077aed33b7b - main - Merge OpenSSL 3.0.9
Date: Wed, 05 Jul 2023 23:56:42 +0200
Message-ID: <4FF6DBAE-F9FC-4D20-81C9-B0E0130DF06E@FreeBSD.org>
In-Reply-To: <202306232319.35NNJsPv044302@gitrepo.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On 24 Jun 2023, at 1:19, Ed Maste wrote:

> The branch main has been updated by emaste:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
>
> commit b077aed33b7b6aefca7b17ddb250cf521f938613
> Merge: b08ee10c0646 b84c4564effd
> Author: Pierre Pronchery <pierre@freebsdfoundation.org>
> AuthorDate: 2023-06-23 22:53:35 +0000
> Commit: Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2023-06-23 22:53:36 +0000
>
> Merge OpenSSL 3.0.9
>
> Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the
> version we were previously using) will be EOL as of 2023-09-11.
>
> Most of the base system has already been updated for a seamless switch
> to OpenSSL 3.0. For many components we've added
> `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
> which avoids deprecation warnings from OpenSSL 3.0. Changes have also
> been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
> 1.1.1. The process of updating to contemporary APIs can continue after
> this merge.
>
> Additional changes are still required for libarchive and Kerberos-
> related libraries or tools; workarounds will immediately follow this
> commit. Fixes are in progress in the upstream projects and will be
> incorporated when those are next updated.
>
> There are some performance regressions in benchmarks (certain tests in
> `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy).
> Investigation will continue for these.
>
> Netflix's testing showed no functional regression and a rather small,
> albeit statistically significant, increase in CPU consumption with
> OpenSSL 3.0.
>
> Thanks to ngie@ and des@ for updating base system components, to
> antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
> Netflix and everyone who tested prior to commit or contributed to this
> update in other ways.
>
> PR: 271615
> PR: 271656 [exp-run]
> Relnotes: Yes
> Sponsored by: The FreeBSD Foundation


It looks like we missed adding a file.
Security/opensc doesn’t build any more: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270076

It fails to find d2i_KeyParams when linking. The opensc code does this:

#if OPENSSL_VERSION_NUMBER < 0x30000000L
                                if (!d2i_ECParameters(&ec, &a, (long)len))
                                        util_fatal("cannot parse EC_PARAMS");
                                EVP_PKEY_assign_EC_KEY(pkey, ec);
#else
                                if (!d2i_KeyParams(EVP_PKEY_EC, &pkey, &a, len))
                                        util_fatal("cannot parse EC_PARAMS");
#endif

d2i_KeyParams() appears to be new on openssl 3. It’s defined in d2i_param.c, which we don’t build. I’ve tested with this patch, and that appears to fix things:

di=
ff --git a/secure/lib/libcrypto/Makefile b/secure/lib/libcrypto/Makefile
index 28258e796984..ef5652e8c27c 100644
--- a/secure/lib/libcrypto/Makefile
+++ b/secure/lib/libcrypto/Makefile
@@ -74,7 +74,7 @@ SRCS+=3D        n_pkey.c nsseq.c p5_pbe.c p5_pbev2.c p5=
_scrypt.c p8_pkey.c
 SRCS+=3D t_bitst.c t_pkey.c t_spki.c tasn_dec.c tasn_enc.c tasn_fre.c
 SRCS+=3D tasn_new.c tasn_prn.c tasn_scn.c tasn_typ.c tasn_utl.c x_algor.=
c
 SRCS+=3D x_bignum.c x_info.c x_int64.c x_long.c x_pkey.c x_sig.c x_spki.=
c
-SRCS+=3D x_val.c
+SRCS+=3D x_val.c d2i_param.c

 # async
 SRCS+=3D async.c async_err.c async_posix.c async_wait.c
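Review bot: d2i_param.c is appended after x_val.c on the last SRCS line of this group, while the visible entries in the group run alphabetically (n_pkey.c through x_val.c). Put it at its sorted position earlier in the list so a missing file is easy to spot when the list is compared against the upstream sources, and name the opensc link failure on d2i_KeyParams in the commit message so the reason for the addition is recorded.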
diff --git a/secure/lib/libcrypto/Version.map b/secure/lib/libcrypto/Vers=
ion.map
index 421819324961..74d0b8b3cef1 100644
--- a/secure/lib/libcrypto/Version.map
+++ b/secure/lib/libcrypto/Version.map
@@ -3564,6 +3564,8 @@ OPENSSL_1_1_0 {
         d2i_IPAddressOrRange;
         d2i_IPAddressRange;
         d2i_ISSUING_DIST_POINT;
+        d2i_KeyParams;
+        d2i_KeyParams_bio;
         d2i_NETSCAPE_CERT_SEQUENCE;
         d2i_NETSCAPE_SPKAC;
         d2i_NETSCAPE_SPKI;
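Review bot: d2i_KeyParams and d2i_KeyParams_bio are added under the OPENSSL_1_1_0 node, although the message says d2i_KeyParams() appears to be new in OpenSSL 3. If Version.map carries a node for symbols introduced in 3.0, they belong there so the symbol version matches the release that introduced them; if everything is deliberately kept under one node, say so in the commit message.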

Best regards,
Kristof
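
The two halves of the patch above (compile d2i_param.c, then list its symbols in Version.map) can be checked against each other. This is an added example, not part of the original message or of FreeBSD's build: it compares `nm` output for an object file with a linker version script and reports global symbols that a `local: *` catch-all would hide. The map excerpt, the `nm` lines and the presence of a catch-all are constructed assumptions; the page does not show them.

```python
import re

# Constructed excerpt in GNU ld version-script layout (assumed, incl. the catch-all).
MAP_BEFORE = """
OPENSSL_1_1_0 {
    global:
        d2i_ISSUING_DIST_POINT;
        d2i_NETSCAPE_CERT_SEQUENCE;
    local:
        *;
};
"""
# Same excerpt with the two names the Version.map hunk adds.
MAP_AFTER = MAP_BEFORE.replace(
    "d2i_NETSCAPE_CERT_SEQUENCE;",
    "d2i_KeyParams;\n        d2i_KeyParams_bio;\n        d2i_NETSCAPE_CERT_SEQUENCE;")

# Constructed `nm d2i_param.o` output: U = undefined, T = global, t = file-local.
NM_D2I_PARAM = """\
                 U EVP_PKEY_free
0000000000000000 T d2i_KeyParams
00000000000000c0 T d2i_KeyParams_bio
0000000000000000 t local_helper
"""

NODE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*[\w.]*\s*;", re.S)

def exported_names(version_map):
    """Return (names listed as global, True if a local '*' catch-all exists)."""
    text = re.sub(r"/\*.*?\*/", "", version_map, flags=re.S)  # strip comments
    names, catch_all = set(), False
    for _node, body in NODE.findall(text):
        scope = "global"  # ld treats entries before any label as global
        for item in body.split(";"):
            item = item.strip()
            label = re.match(r"(global|local)\s*:\s*", item)
            if label:
                scope, item = label.group(1), item[label.end():].strip()
            if item and scope == "global":
                names.add(item)
            elif item == "*":
                catch_all = True
    return names, catch_all

def defined_globals(nm_output):
    """Global defined symbols: three fields with an upper-case type letter."""
    rows = (line.split() for line in nm_output.splitlines())
    return {r[2] for r in rows if len(r) == 3 and r[1].isupper()}

def hidden_symbols(nm_output, version_map):
    """Sorted globals of the object that the version script would not export."""
    names, catch_all = exported_names(version_map)
    return sorted(defined_globals(nm_output) - names) if catch_all else []
```

With real inputs, feed it the text of the map file and the output of `nm` on the freshly built object.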
