On 24 Jun 2023, at 1:19, Ed Maste wrote:
The branch main has been updated by emaste:
URL:
https://cgit.FreeBSD.org/src/commit/?id=b077aed33b7b6aefca7b17ddb250cf521f938613
commit b077aed33b7b6aefca7b17ddb250cf521f938613
Merge: b08ee10c0646 b84c4564effd
Author: Pierre Pronchery <pie...@freebsdfoundation.org>
AuthorDate: 2023-06-23 22:53:35 +0000
Commit: Ed Maste <ema...@freebsd.org>
CommitDate: 2023-06-23 22:53:36 +0000
Merge OpenSSL 3.0.9
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1
(the
version we were previously using) will be EOL as of 2023-09-11.
Most of the base system has already been updated for a seamless
switch
to OpenSSL 3.0. For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API
version,
which avoids deprecation warnings from OpenSSL 3.0. Changes have
also
been made to avoid OpenSSL APIs that were already deprecated in
OpenSSL
1.1.1. The process of updating to contemporary APIs can continue
after
this merge.
Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow
this
commit. Fixes are in progress in the upstream projects and will
be
incorporated when those are next updated.
There are some performance regressions in benchmarks (certain
tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g.
haproxy).
Investigation will continue for these.
Netflix's testing showed no functional regression and a rather
small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.
Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds,
and to
Netflix and everyone who tested prior to commit or contributed to
this
update in other ways.
PR: 271615
PR: 271656 [exp-run]
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
It looks like we missed adding a file.
Security/opensc doesn’t build any more:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270076
It fails to find d2i_KeyParams when linking. The opensc code does this:
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (!d2i_ECParameters(&ec, &a,
(long)len))
util_fatal("cannot parse
EC_PARAMS");
EVP_PKEY_assign_EC_KEY(pkey, ec);
#else
if (!d2i_KeyParams(EVP_PKEY_EC, &pkey,
&a, len))
util_fatal("cannot parse
EC_PARAMS");
#endif
d2i_KeyParams() appears to be new on openssl 3. It’s defined in
d2i_param.c, which we don’t build. I’ve tested with this patch, and
that appears to fix things:
diff --git a/secure/lib/libcrypto/Makefile
b/secure/lib/libcrypto/Makefile
index 28258e796984..ef5652e8c27c 100644
--- a/secure/lib/libcrypto/Makefile
+++ b/secure/lib/libcrypto/Makefile
@@ -74,7 +74,7 @@ SRCS+= n_pkey.c nsseq.c p5_pbe.c p5_pbev2.c
p5_scrypt.c p8_pkey.c
SRCS+= t_bitst.c t_pkey.c t_spki.c tasn_dec.c tasn_enc.c tasn_fre.c
SRCS+= tasn_new.c tasn_prn.c tasn_scn.c tasn_typ.c tasn_utl.c
x_algor.c
SRCS+= x_bignum.c x_info.c x_int64.c x_long.c x_pkey.c x_sig.c
x_spki.c
-SRCS+= x_val.c
+SRCS+= x_val.c d2i_param.c
# async
SRCS+= async.c async_err.c async_posix.c async_wait.c
diff --git a/secure/lib/libcrypto/Version.map
b/secure/lib/libcrypto/Version.map
index 421819324961..74d0b8b3cef1 100644
--- a/secure/lib/libcrypto/Version.map
+++ b/secure/lib/libcrypto/Version.map
@@ -3564,6 +3564,8 @@ OPENSSL_1_1_0 {
d2i_IPAddressOrRange;
d2i_IPAddressRange;
d2i_ISSUING_DIST_POINT;
+ d2i_KeyParams;
+ d2i_KeyParams_bio;
d2i_NETSCAPE_CERT_SEQUENCE;
d2i_NETSCAPE_SPKAC;
d2i_NETSCAPE_SPKI;
Best regards,
Kristof
