Date: Wed, 13 Aug 2025 21:33:37 -0400
From: Ian FREISLICH
To: Pierre Pronchery, "Enji Cooper (yaneurabeya)"
Cc: FreeBSD Current
Subject: Re: OpenSSL legacy provider is broken
Message-ID: <4927c49f-5a92-415e-bc3c-6618e852a5d8@gmail.com>
References: <5FCF8EF0-4473-40E9-94D2-FA5AD96D2418@defora.org>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 2025-08-13 21:26, Ian FREISLICH wrote:
> On 2025-08-10 06:53, Pierre Pronchery wrote:
>> Hey,
>>
>>> On 10 Aug 2025, at 04:32, Enji Cooper (yaneurabeya) wrote:
>>>
>>>
>>>> On Aug 9, 2025, at 7:08 AM, Ian FREISLICH wrote:
>>>>
>>>> Previously this worked
>>>>
>>>> [brane] /usr/ports # openssl list -providers -provider legacy
>>>> Providers:
>>>> legacy
>>>>    name: OpenSSL Legacy Provider
>>>>    version: 3.0.16
>>>>    status: active
>>>>
>>>> Since the build last night,
>>>>
>>>> [router] /usr/ports/net/freeradius3 # openssl list -providers -provider legacy
>>>> list: unable to load provider legacy
>>>> Hint: use -provider-path option or OPENSSL_MODULES
>>>> environment variable.
>>>> 10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
>>>> 10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
>>>> 10B045DBE7340000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
>>>>
>>>> and freeradius doesn't start because of this:
>>>>
>>>> [router] /usr/ports/net/freeradius3 # radiusd -fX
>>>> FreeRADIUS Version 3.2.7
>>>> ...
>>>> (TLS) Failed loading legacy provider
>>>>
>>>> I haven't yet figured out what part of my EAP configuration needs
>>>> the legacy provider. It may be that EAP just needs a working legacy
>>>> provider because it looks like the EAP module unconditionally
>>>> attempts to load the provider and fails.
>>
>> It could well be that it does.
>>
>> Regardless I didn’t mean to break the legacy provider, but it’s
>> certainly because of the OpenSSL 3.5.1 import. Sorry!
>>
>> I have pushed a partial fix here, and will keep pushing to that
>> branch until I get it to work fully again:
>> https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.5.1-legacy
>
> That fixes this missing symbol, but here's the next error:
>
> [router] ~ # openssl list -providers -provider legacy
> list: unable to load provider legacy
> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
> 10B0E52D30440000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_param_find_pidx"
> 10B0E52D30440000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
> 10B0E52D30440000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
>
> Is there a target/directory I can make in that compile will compile just
> this? The no clean default on buildworld doesn't seem to work and
> compiling everything takes forever.

Replying to myself... This seems to fix it

--- a/secure/lib/libcrypto/modules/legacy/Makefile +++ b/secure/lib/libcrypto/modules/legacy/Makefile @@ -1,7 +1,7 @@ SHLIB_NAME?= legacy.so LIBADD= crypto -SRCS+= legacyprov.c prov_running.c +SRCS+= legacyprov.c prov_running.c params_idx.c # ciphers SRCS+= ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \ @@ -22,10 +22,12 @@ SRCS+= md4_prov.c wp_prov.c ripemd_prov.c # kdfs SRCS+= pbkdf1.c +SRCS+= pvkkdf.c .include .PATH: ${LCRYPTO_SRC}/providers/implementations/ciphers \ ${LCRYPTO_SRC}/providers/implementations/digests \ ${LCRYPTO_SRC}/providers/implementations/kdfs \ - ${LCRYPTO_SRC}/ssl + ${LCRYPTO_SRC}/ssl \ + ${LCRYPTO_SRC}/crypto
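
Review bot: in the first hunk (@@ -1,7 +1,7 @@), params_idx.c is appended to the line that lists legacyprov.c and prov_running.c, but nothing says where it comes from or why a module with LIBADD= crypto needs its own copy. It only resolves through the ${LCRYPTO_SRC}/crypto entry that the second hunk adds to .PATH, so the two changes depend on each other silently. Suggest giving it its own SRCS+= line with a short comment naming the directory and the symbol it supplies (ossl_param_find_pidx from the error above), the same way the "# ciphers" and "# kdfs" groups are labelled.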
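
Review bot: in the second hunk (@@ -22,10 +22,12 @@), the new .PATH entry adds the whole ${LCRYPTO_SRC}/crypto directory for the sake of one file, which makes every name in SRCS resolvable from crypto/ as well. It is last in the list, so the existing directories are still searched first, but a comment stating that it is there for params_idx.c would stop it from quietly picking up other sources later. The pvkkdf.c addition sits under the existing kdfs path and matches the first missing symbol in the thread (ossl_kdf_pvk_functions). Since the failures so far surfaced one undefined symbol per load attempt, it is worth listing the remaining undefined symbols of the built legacy.so before calling this complete, rather than waiting for the next dlopen error.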