libcrypto: add err_all_legacy.c to the build
Closed, Public

Authored by emaste on Aug 18 2023, 6:37 PM.

Details

Summary

It provides the now-deprecated ERR_load_*_strings routines.

PR: 272580

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

emaste created this revision.
$ nm secure/lib/libcrypto/obj/libcrypto.so.30 | grep ERR_load
00000000002cdcc0 T ERR_load_ASN1_strings
00000000002cdcd0 T ERR_load_ASYNC_strings
00000000002cdce0 T ERR_load_BIO_strings
00000000002cdcf0 T ERR_load_BN_strings
00000000002cdd00 T ERR_load_BUF_strings
00000000002cdd10 T ERR_load_CMS_strings
00000000002cdd20 T ERR_load_COMP_strings
00000000002cdd30 T ERR_load_CONF_strings
00000000002cdd40 T ERR_load_CRYPTO_strings
00000000002cdd50 T ERR_load_CT_strings
00000000002cdd60 T ERR_load_DH_strings
00000000002cdd70 T ERR_load_DSA_strings
00000000002cdd80 T ERR_load_EC_strings
00000000002cdd90 T ERR_load_ENGINE_strings
00000000002cdda0 T ERR_load_ERR_strings
00000000002cddb0 T ERR_load_EVP_strings
0000000000307630 T ERR_load_KDF_strings
00000000002cddc0 T ERR_load_OBJ_strings
00000000002cddd0 T ERR_load_OCSP_strings
00000000002cde30 T ERR_load_OSSL_STORE_strings
00000000002cdde0 T ERR_load_PEM_strings
00000000002cddf0 T ERR_load_PKCS12_strings
00000000002cde00 T ERR_load_PKCS7_strings
00000000002cde10 T ERR_load_RAND_strings
00000000002cde20 T ERR_load_RSA_strings
00000000002cde40 T ERR_load_TS_strings
00000000002cde50 T ERR_load_UI_strings
00000000002cde70 T ERR_load_X509V3_strings
00000000002cde60 T ERR_load_X509_strings
00000000002cc460 T ERR_load_strings
00000000002cc500 T ERR_load_strings_const
kbowling added a subscriber: bofh.

@bofh do you know if this was something you had to mark BROKEN or work around?

This revision is now accepted and ready to land. (Aug 18 2023, 6:40 PM)

At least mine net-p2p/cardano-node, but I will take care of it.

This revision was automatically updated to reflect the committed changes.

Wait, this is probably not enough. cardano-node was failing due to missing RSA_generate_key, which is also deprecated.

Yes this change is necessary but not sufficient. I think it's enough for vbox though?

@kbowling identified rsa_depr.c for RSA_generate_key; I'm looking at what else might be needed now.

This is the right thing to do, given that this gets compiled/linked in unconditionally upstream.

I think we (I'm signing myself up for this) should audit the build.info files -- it looks like there are some items that should be audited for sanity. While perusing the files I found this:

IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}]
  SOURCE[../../providers/liblegacy.a]=$ALL
ENDIF

It would be a good idea to check and make sure the legacy provider we build is 100% compatible with what upstream provides, given that we don't disable the legacy provider in world.

@arrowd :
Virtualbox should be updated to use RSA_generate_key_ex (available in 1.x) or the EVP-equivalent API (which is generally available in 1.1+).

crypto/openssl/include/openssl/rsa.h:OSSL_DEPRECATEDIN_0_9_8 RSA *RSA_generate_key(int bits, unsigned long e, void
crypto/openssl/include/openssl/rsa.h:OSSL_DEPRECATEDIN_3_0 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,

This might make keeping boringSSL and libreSSL support more difficult, but they're based on 1.x -- which has a monolithic architecture.

I bring up supporting boringSSL and libreSSL, because more third-parties seem to be moving towards supporting the OpenSSL 3.x model (which is modular), as it makes adding module-based crypto providers, e.g., FIPS 140-2/140-3, easier to do -- making downstream consumers more "crypto agile" (I've been told).

net-p2p/cardano-node still fails to build, now with undefined reference to DSA_generate_parameters.

can you check again after 8f37b3a142f2f7197896cd283c44c7e4fb64aaf3 (which includes additional openssl fixes in parent commits), and open a PR if there is still an issue?

How to build this change quicker than make buildworld?

You can just do make -C secure/lib/libcrypto. (You can also run make buildenv first and do the libcrypto build in there, if you have a recent buildworld already and your host does not match the version you're building.)

It seems that didn't help. This is what I did:

fetch -o /dev/stdout 'https://reviews.freebsd.org/file/data/nrhuojeq3ijpd2qw6szl/PHID-FILE-pfpfqsfp5jhnoi2kcy5k/file' | patch -p1
make -C secure/lib/libcrypto
make -C secure/lib/libcrypto install
cp /usr/lib/ossl-modules/fips.so /usr/local/poudriere/jails/default/usr/lib/ossl-modules/fips.so
poudriere testport -j default net-p2p/cardano-node

This resulted in the same linker error.
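
An added example, not part of the review thread or the FreeBSD tree: the nm check from the start of this timeline, generalized into a function that reports which symbols a consumer links against are not defined by a given libcrypto. The function names, the sample listing and its addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the review). Reads `nm` output on stdin and prints
# every symbol named in the arguments that the library does not define.
# Real use (library path is whichever libcrypto the port will link against):
#   nm -D /path/to/libcrypto.so.30 | missing_exports RSA_generate_key

missing_exports() {
    # "$@": symbol names the consumer needs, e.g. taken from the linker errors
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        # Defined global symbols print as "<address> <type> <name>".
        # Undefined ones ("U name") have two fields; locals use lowercase types.
        NF == 3 && $2 ~ /^[TWDBRV]$/ {
            sub(/@.*/, "", $3)      # drop a symbol-version suffix if present
            defined[$3] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(names[i] in defined))
                    print names[i]
        }'
}

# Constructed sample listing: addresses are made up, and the symbol set mimics
# a library that has the ERR_load_* routines but lacks the older deprecated
# key-generation entry points.
sample_nm_output() {
    cat <<'EOF'
0000000000001000 T ERR_load_RSA_strings
0000000000001010 T ERR_load_strings
0000000000001020 T RSA_generate_key_ex
0000000000001030 T DSA_generate_parameters_ex
                 U malloc
0000000000001040 t local_helper
EOF
}

# Symbols taken from the failures reported in this thread.
check_sample() {
    sample_nm_output |
        missing_exports ERR_load_RSA_strings RSA_generate_key DSA_generate_parameters
}
```

Running the check against the libcrypto inside the build jail, rather than the host copy, shows what the port's link step will actually see.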

Do we care if this bug will end up in the release? If we don't I'll stop pinging this issue.

Is there a PR for it?