Date: Wed, 13 Aug 2025 21:33:37 -0400
From: Ian FREISLICH <ianfreislich@gmail.com>
To: Pierre Pronchery <khorben@defora.org>, "Enji Cooper (yaneurabeya)" <yaneurabeya@gmail.com>
Cc: FreeBSD Current <current@freebsd.org>
Subject: Re: OpenSSL legacy provider is broken
Message-ID: <4927c49f-5a92-415e-bc3c-6618e852a5d8@gmail.com>
In-Reply-To: <a20e5fda-10c6-4df3-96ca-cf12b41da70b@gmail.com>
References: <b3f09f1b-e946-4bf1-822d-243dcd0dcd02@gmail.com> <B43DA54A-0017-42CA-A1FE-15F28048FEF0@gmail.com> <5FCF8EF0-4473-40E9-94D2-FA5AD96D2418@defora.org> <a20e5fda-10c6-4df3-96ca-cf12b41da70b@gmail.com>
On 2025-08-13 21:26, Ian FREISLICH wrote:
> On 2025-08-10 06:53, Pierre Pronchery wrote:
>> Hey,
>>
>>> On 10 Aug 2025, at 04:32, Enji Cooper (yaneurabeya)
>>> <yaneurabeya@gmail.com> wrote:
>>>
>>>
>>>> On Aug 9, 2025, at 7:08 AM, Ian FREISLICH <ianfreislich@gmail.com>
>>>> wrote:
>>>>
>>>> Previously this worked
>>>>
>>>> [brane] /usr/ports # openssl list -providers -provider legacy
>>>> Providers:
>>>> legacy
>>>> name: OpenSSL Legacy Provider
>>>> version: 3.0.16
>>>> status: active
>>>>
>>>> Since the build last night,
>>>>
>>>> [router] /usr/ports/net/freeradius3 # openssl list -providers -
>>>> provider legacy
>>>> list: unable to load provider legacy
>>>> Hint: use -provider-path option or OPENSSL_MODULES environment
>>>> variable.
>>>> 10B045DBE7340000:error:12800067:DSO support
>>>> routines:dlfcn_load:could not load the shared library:/usr/src/
>>>> crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-
>>>> modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined
>>>> symbol "ossl_kdf_pvk_functions"
>>>> 10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could
>>>> not load the shared library:/usr/src/crypto/openssl/crypto/dso/
>>>> dso_lib.c:147:
>>>> 10B045DBE7340000:error:07880025:common libcrypto
>>>> routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/
>>>> provider_core.c:1019:name=legacy
>>>>
>>>> and freeradius doesn't start because of this:
>>>>
>>>> [router] /usr/ports/net/freeradius3 # radiusd -fX
>>>> FreeRADIUS Version 3.2.7
>>>> ...
>>>> (TLS) Failed loading legacy provider
>>>>
>>>> I haven't yet figured out what part of my EAP configuration needs
>>>> the legacy provider. It may be that EAP just needs a working legacy
>>>> provider because it looks like the EAP module unconditionally
>>>> attempts to load the provider and fails.
>>
>> It could well be that it does.
>>
>> Regardless I didn’t mean to break the legacy provider, but it’s
>> certainly because of the OpenSSL 3.5.1 import. Sorry!
>>
>> I have pushed a partial fix here, and will keep pushing to that
>> branch until I get it to work fully again:
>> https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.5.1-legacy
>
> That fixes this missing symbol, but here's the next error:
>
> [router] ~ # openssl list -providers -provider legacy
> list: unable to load provider legacy
> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
> 10B0E52D30440000:error:12800067:DSO support routines:dlfcn_load:could
> not load the shared library:/usr/src/crypto/openssl/crypto/dso/
> dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/
> ossl-modules/legacy.so: Undefined symbol "ossl_param_find_pidx"
> 10B0E52D30440000:error:12800067:DSO support routines:DSO_load:could not
> load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
> 10B0E52D30440000:error:07880025:common libcrypto
> routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/
> provider_core.c:1019:name=legacy
>
> Is there a target/directory I can make in that compile will compile just
> this? The no clean default on buildworld doesn't seem to work and
> compiling everything takes forever.

Replying to myself... This seems to fix it

--- a/secure/lib/libcrypto/modules/legacy/Makefile +++ b/secure/lib/libcrypto/modules/legacy/Makefile @@ -1,7 +1,7 @@ SHLIB_NAME?= legacy.so LIBADD= crypto -SRCS+= legacyprov.c prov_running.c +SRCS+= legacyprov.c prov_running.c params_idx.c # ciphers SRCS+= ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \ @@ -22,10 +22,12 @@ SRCS+= md4_prov.c wp_prov.c ripemd_prov.c # kdfs SRCS+= pbkdf1.c +SRCS+= pvkkdf.c .include <bsd.lib.mk> .PATH: ${LCRYPTO_SRC}/providers/implementations/ciphers \ ${LCRYPTO_SRC}/providers/implementations/digests \ ${LCRYPTO_SRC}/providers/implementations/kdfs \ - ${LCRYPTO_SRC}/ssl + ${LCRYPTO_SRC}/ssl \ + ${LCRYPTO_SRC}/crypto
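
Review bot: In the first hunk (@@ -1,7 +1,7 @@), params_idx.c is appended to the provider-core line next to legacyprov.c and prov_running.c with nothing saying why it is built into the module when LIBADD= crypto is already set. Consider giving it its own SRCS+= line with a one-line comment naming the load failure it addresses (Undefined symbol "ossl_param_find_pidx"), in the same way the file already labels its "# ciphers" and "# kdfs" groups, so the reason survives the next OpenSSL import.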
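
Review bot: At the end of the second hunk (@@ -22,10 +22,12 @@), the .PATH change adds the whole of ${LCRYPTO_SRC}/crypto to the search path, apparently only so that params_idx.c from the first hunk can be found. Every name in SRCS is now also looked up there as a fallback, so a source that later goes missing from the providers directories could be picked up silently from crypto/ instead of failing the build; a comment on that .PATH entry stating which file it is for would help. As a style point in the same hunk, pvkkdf.c could join the existing "# kdfs" line (SRCS+= pbkdf1.c pvkkdf.c) rather than getting a separate SRCS+= line.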
