Re: OpenSSL legacy provider is broken

From: Ian FREISLICH <ianfreislich_at_gmail.com>
Date: Thu, 14 Aug 2025 01:33:37 UTC

On 2025-08-13 21:26, Ian FREISLICH wrote:
> On 2025-08-10 06:53, Pierre Pronchery wrote:
>> Hey,
>>
>>> On 10 Aug 2025, at 04:32, Enji Cooper (yaneurabeya) 
>>> <yaneurabeya@gmail.com> wrote:
>>>
>>>
>>>> On Aug 9, 2025, at 7:08 AM, Ian FREISLICH <ianfreislich@gmail.com> 
>>>> wrote:
>>>>
>>>> Previously this worked
>>>>
>>>> [brane] /usr/ports # openssl list -providers -provider legacy
>>>> Providers:
>>>> legacy
>>>>    name: OpenSSL Legacy Provider
>>>>    version: 3.0.16
>>>>    status: active
>>>>
>>>> Since the build last night,
>>>>
>>>> [router] /usr/ports/net/freeradius3 # openssl list -providers -provider legacy
>>>> list: unable to load provider legacy
>>>> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
>>>> 10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
>>>> 10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
>>>> 10B045DBE7340000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
>>>>
>>>> and freeradius doesn't start because of this:
>>>>
>>>> [router] /usr/ports/net/freeradius3 # radiusd -fX
>>>> FreeRADIUS Version 3.2.7
>>>> ...
>>>> (TLS) Failed loading legacy provider
>>>>
>>>> I haven't yet figured out what part of my EAP configuration needs 
>>>> the legacy provider. It may be that EAP just needs a working legacy 
>>>> provider because it looks like the EAP module unconditionally 
>>>> attempts to load the provider and fails.
>>
>> It could well be that it does.
>>
>> Regardless I didn’t mean to break the legacy provider, but it’s
>> certainly because of the OpenSSL 3.5.1 import. Sorry!
>>
>> I have pushed a partial fix here, and will keep pushing to that
>> branch until I get it to work fully again:
>> https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.5.1-legacy
> 
> That fixes this missing symbol, but here's the next error:
> 
> [router] ~ # openssl list -providers -provider legacy
> list: unable to load provider legacy
> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
> 10B0E52D30440000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_param_find_pidx"
> 10B0E52D30440000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
> 10B0E52D30440000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
> 
> Is there a target/directory I can make in that will compile just 
> this? The no clean default on buildworld doesn't seem to work and 
> compiling everything takes forever.

Replying to myself... This seems to fix it

--- a/secure/lib/libcrypto/modules/legacy/Makefile
+++ b/secure/lib/libcrypto/modules/legacy/Makefile
@@ -1,7 +1,7 @@
  SHLIB_NAME?=   legacy.so
  LIBADD=                crypto

-SRCS+= legacyprov.c prov_running.c
+SRCS+= legacyprov.c prov_running.c params_idx.c

  # ciphers
  SRCS+= ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \
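
Review bot: the new `params_idx.c` entry on the first `SRCS+=` line has no comment explaining why a file from the libcrypto tree is compiled into the module when `LIBADD= crypto` is already set two lines above. The loader error earlier in the thread (`Undefined symbol "ossl_param_find_pidx"`) suggests that linking against libcrypto does not resolve this symbol for legacy.so, so the module ends up carrying its own copy. Say so in the Makefile, and consider moving the file to its own `SRCS+=` line under a short heading, in the style of the `# ciphers` and `# kdfs` groups, so the reason stays attached to it instead of sitting next to `legacyprov.c` and `prov_running.c` as if it were provider code.
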
@@ -22,10 +22,12 @@ SRCS+=      md4_prov.c wp_prov.c ripemd_prov.c

  # kdfs
  SRCS+= pbkdf1.c
+SRCS+= pvkkdf.c

  .include <bsd.lib.mk>

  .PATH: ${LCRYPTO_SRC}/providers/implementations/ciphers \
         ${LCRYPTO_SRC}/providers/implementations/digests \
         ${LCRYPTO_SRC}/providers/implementations/kdfs \
-       ${LCRYPTO_SRC}/ssl
+       ${LCRYPTO_SRC}/ssl \
+       ${LCRYPTO_SRC}/crypto
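
Review bot: adding `${LCRYPTO_SRC}/crypto` to `.PATH` opens the whole libcrypto source directory to source lookup for every `SRCS` entry, while only `params_idx.c` from the first hunk appears to need it. Keeping it last in the list, as done here, means the provider directories are still searched first, but a comment naming the file it exists for would keep it from being reordered or dropped as unused later. As a style point, `pvkkdf.c` could be appended to the existing `SRCS+= pbkdf1.c` line under `# kdfs` rather than given a separate `SRCS+=` line, matching how the digest and cipher groups list several files per line.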