Re: OpenSSL legacy provider is broken

From: Pierre Pronchery <khorben_at_defora.org>
Date: Thu, 14 Aug 2025 11:08:13 UTC
Hey Ian, (ngie@, current@)

On Wed, 13 Aug 2025 21:33:37 -0400, Ian FREISLICH wrote:

> On 2025-08-13 21:26, Ian FREISLICH wrote:
>> On 2025-08-10 06:53, Pierre Pronchery wrote:
>>> Hey,
>>>
>>>> On 10 Aug 2025, at 04:32, Enji Cooper (yaneurabeya)
>>>> <yaneurabeya@gmail.com> wrote:
>>>>
>>>>
>>>>> On Aug 9, 2025, at 7:08 AM, Ian FREISLICH <ianfreislich@gmail.com>
>>>>> wrote:
>>>>>
>>>>> Previously this worked
>>>>>
>>>>> [brane] /usr/ports # openssl list -providers -provider legacy
>>>>> Providers:
>>>>> legacy
>>>>>    name: OpenSSL Legacy Provider version: 3.0.16 status: active
>>>>>
>>>>> Since the build last night,
>>>>>
>>>>> [router] /usr/ports/net/freeradius3 # openssl list -providers -provider legacy
>>>>> list: unable to load provider legacy
>>>>> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
>>>>> 10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
>>>>> 10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
>>>>> 10B045DBE7340000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
>>>>>
>>>>> and freeradius doesn't start because of this:
>>>>>
>>>>> [router] /usr/ports/net/freeradius3 # radiusd -fX
>>>>> FreeRADIUS Version 3.2.7
>>>>> ...
>>>>> (TLS) Failed loading legacy provider
>>>>>
>>>>> I haven't yet figured out what part of my EAP configuration needs
>>>>> the legacy provider. It may be that EAP just needs a working legacy
>>>>> provider because it looks like the EAP module unconditionally
>>>>> attempts to load the provider and fails.
>>>
>>> It could well be that it does.
>>>
>>> Regardless I didn’t mean to break the legacy provider, but it’s
>>> certainly because of the OpenSSL 3.5.1 import. Sorry!
>>>
>>> I have pushed a partial fix here, and will keep pushing to that branch
>>> until I get it to work fully again:
>>> https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.5.1-legacy
>> 
>> That fixes this missing symbol, but here's the next error:
>> 
>> [router] ~ # openssl list -providers -provider legacy
>> list: unable to load provider legacy
>> Hint: use -provider-path option or OPENSSL_MODULES environment variable.
>> 10B0E52D30440000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_param_find_pidx"
>> 10B0E52D30440000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
>> 10B0E52D30440000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
>> 
>> Is there a target/directory I can run make in that will compile just
>> this? The no-clean default on buildworld doesn't seem to work and
>> compiling everything takes forever.
> 
> Replying to myself... This seems to fix it
> 
> --- a/secure/lib/libcrypto/modules/legacy/Makefile +++
> b/secure/lib/libcrypto/modules/legacy/Makefile @@ -1,7 +1,7 @@
>   SHLIB_NAME?=   legacy.so LIBADD=                crypto
> 
> -SRCS+= legacyprov.c prov_running.c +SRCS+= legacyprov.c prov_running.c
> params_idx.c
> 
>   # ciphers SRCS+= ciphercommon.c ciphercommon_hw.c ciphercommon_block.c
>   \
> @@ -22,10 +22,12 @@ SRCS+=      md4_prov.c wp_prov.c ripemd_prov.c
> 
>   # kdfs SRCS+= pbkdf1.c
> +SRCS+= pvkkdf.c
> 
>   .include <bsd.lib.mk>
> 
>   .PATH: ${LCRYPTO_SRC}/providers/implementations/ciphers \
>          ${LCRYPTO_SRC}/providers/implementations/digests \
>          ${LCRYPTO_SRC}/providers/implementations/kdfs \
> -       ${LCRYPTO_SRC}/ssl +       ${LCRYPTO_SRC}/ssl \
> +       ${LCRYPTO_SRC}/crypto
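Review bot: the `.PATH: ... ${LCRYPTO_SRC}/crypto` addition at the end of this hunk widens make's source search to the whole of libcrypto's crypto/ directory, not just the one file needed, so any future SRCS entry whose basename also exists there will silently resolve to the libcrypto copy instead of the provider implementation; if the params_idx.c approach is kept, consider narrowing this (a dedicated .PATH entry or a more specific path) so the ambiguity is visible in the Makefile. The `+SRCS+= pvkkdf.c` line under "# kdfs" is the straightforward part: it matches the first reported missing symbol, ossl_kdf_pvk_functions, and the kdfs directory is already on .PATH, so no further path change is needed for it.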

Thank you for looking into this; I have created a new review in Phabricator 
to track this issue:
https://reviews.freebsd.org/D51897

You will see there that while it cures the remaining symptoms, adding 
params_idx.c to the list of files built into legacy.so may not be the most 
correct fix.

We can use this review for gathering expertise on the matter, and prepare 
the corresponding commit.

Cheers & HTH,
-- 
khorben
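The error lines quoted in this thread follow the fixed OpenSSL `ERR_print_errors()` layout (`thread:error:code:lib:func:reason:file:line:extra`), and the missing symbol that decides which source file the module lacks is buried in the trailing `extra` field. The following parser is an added example written for this page, not code from the thread, FreeBSD or OpenSSL; it splits such lines into their fields, unpacks the packed error code (library id in bits 23..30, reason in the low 18 bits, flag bits in between, as OpenSSL 3 packs them) and pulls out any `Undefined symbol "..."` name so the triage step of "which object is missing from legacy.so" can be scripted. The sample input is reconstructed from the output Ian posted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three lines from the first failing `openssl list` run in the thread.
SAMPLE = """\
10B045DBE7340000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
10B045DBE7340000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:147:
10B045DBE7340000:error:07880025:common libcrypto routines:provider_init:reason(37):/usr/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy
"""

# One ERR_print_errors() line. The file field carries a POSIX path without
# colons; the trailing "extra" field may itself contain colons, so it is .*.
LINE_RE = re.compile(
    r"^(?P<thread>[0-9A-Fa-f]+):error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)
# The dynamic loader's message, as echoed by the DSO routines.
SYMBOL_RE = re.compile(r'Undefined symbol "([^"]+)"')


@dataclass
class OpenSSLError:
    thread: str
    code: int
    lib_id: int          # ERR_GET_LIB(code)
    reason_id: int       # numeric reason, flag bits stripped
    common_reason: bool  # ERR_RFLAG_COMMON set (reason shared across libraries)
    lib: str
    func: str
    reason: str
    file: str
    line: int
    extra: str
    undefined_symbol: Optional[str]


def decode_code(code: int) -> Tuple[int, int, bool]:
    """Unpack an OpenSSL 3 error code into (lib id, reason id, common flag)."""
    lib_id = (code >> 23) & 0xFF        # ERR_LIB_OFFSET / ERR_LIB_MASK
    flags = (code >> 18) & 0x1F         # ERR_RFLAGS_OFFSET / ERR_RFLAGS_MASK
    reason_id = code & 0x3FFFF          # everything below the flag bits
    return lib_id, reason_id, bool(flags & 0x2)  # 0x2 == ERR_RFLAG_COMMON >> 18


def parse_line(line: str) -> Optional[OpenSSLError]:
    """Parse one error line; returns None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = int(m["code"], 16)
    lib_id, reason_id, common = decode_code(code)
    sym = SYMBOL_RE.search(m["extra"])
    return OpenSSLError(
        thread=m["thread"], code=code, lib_id=lib_id, reason_id=reason_id,
        common_reason=common, lib=m["lib"], func=m["func"], reason=m["reason"],
        file=m["file"], line=int(m["line"]), extra=m["extra"],
        undefined_symbol=sym.group(1) if sym else None,
    )


def parse_errors(text: str) -> List[OpenSSLError]:
    """Parse every recognisable error line in a block of openssl(1) output."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def undefined_symbols(text: str) -> List[str]:
    """Distinct undefined-symbol names reported while loading a provider module."""
    return sorted({e.undefined_symbol for e in parse_errors(text) if e.undefined_symbol})


if __name__ == "__main__":
    for err in parse_errors(SAMPLE):
        print(f"lib={err.lib_id:3d} reason={err.reason_id:4d} {err.func:14s} {err.file}:{err.line}")
    print("missing symbols:", undefined_symbols(SAMPLE))
```

Run against the second error set from the thread, the same code reports `ossl_param_find_pidx`, which is exactly the symbol Ian then chased into the Makefile; on a clean module the list comes back empty, which makes it usable as a post-build check before installing a new legacy.so.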