This should include the remaining missing symbols in legacy.so.
Suggested by: Ian Freislich
Sponsored by: Alpha-Omega Beach Cleaning Project
Sponsored by: The FreeBSD Foundation
Differential D51897
secure: fix OpenSSL's legacy provider module
Authored by khorben on Aug 14 2025, 10:55 AM.
Details

This should include the remaining missing symbols in legacy.so.
Suggested by: Ian Freislich

Before the changes:

    $ openssl list -provider legacy
    list: unable to load provider legacy
    Hint: use -provider-path option or OPENSSL_MODULES environment variable.
    1090455349410000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/home/khorben/Projects/FreeBSD/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
    1090455349410000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/home/khorben/Projects/FreeBSD/src/crypto/openssl/crypto/dso/dso_lib.c:147:
    1090455349410000:error:07880025:common libcrypto routines:provider_init:reason(37):/home/khorben/Projects/FreeBSD/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy

After the changes:

    $ openssl list -provider legacy
    $ echo $?
    0
Event Timeline

Comment:
Note that I have reservations about the part adding params_idx.c to the list of files built: from what I can tell, OpenSSL expects this to be available from libcrypto.so, instead of a copy inside the legacy provider module.

Comment:
This symbol isn't exported via either library.

Here're the objects which OpenSSL uses for the legacy provider:

    providers/liblegacy.a: crypto/des/liblegacy-lib-des_enc.o \
            crypto/des/liblegacy-lib-fcrypt_b.o \
            crypto/md5/liblegacy-lib-md5-x86_64.o \
            crypto/md5/liblegacy-lib-md5_dgst.o \
            crypto/md5/liblegacy-lib-md5_one.o \
            crypto/md5/liblegacy-lib-md5_sha1.o \
            crypto/rc4/liblegacy-lib-rc4-md5-x86_64.o \
            crypto/rc4/liblegacy-lib-rc4-x86_64.o \
            providers/common/liblegacy-lib-provider_util.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_blowfish.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_blowfish_hw.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_cast5.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_cast5_hw.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_des.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_des_hw.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_desx.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_desx_hw.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_rc2.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_rc2_hw.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_rc4.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_seed.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_seed_hw.o \
            providers/implementations/ciphers/liblegacy-lib-cipher_tdes_common.o \
            providers/implementations/digests/liblegacy-lib-md4_prov.o \
            providers/implementations/digests/liblegacy-lib-ripemd_prov.o \
            providers/implementations/digests/liblegacy-lib-wp_prov.o \
            providers/implementations/kdfs/liblegacy-lib-pbkdf1.o \
            providers/implementations/kdfs/liblegacy-lib-pvkkdf.o \
            providers/liblegacy-lib-prov_running.o
    ...
    providers/legacy.so: crypto/legacy-dso-cpuid.o crypto/legacy-dso-ctype.o \
            crypto/legacy-dso-x86_64cpuid.o \
            providers/legacy-dso-legacyprov.o providers/legacy.ld \
            providers/liblegacy.a providers/libcommon.a \
            libcrypto.so

The OpenSSL build process uses "tricks" to "uniquify" the objects produced, since libcrypto.so and legacy.so could have symbol collisions due to compile time/link time flags and the like. We should get this with .PATH adjusted to handle the .OBJDIRs appropriately, but this might need adjusting post 3.5.1 import.

Comment:
params_idx.c is missing from secure/lib/libcrypto/Makefile. That's where the source should be plugged in (not the legacy provider).

Comment:
This is an example of why I think we need to have vendor updates like with OpenSSL better automated -- even if it's purely from an auditing perspective, i.e., not necessarily fully generating Makefiles, but at the very least providing helpful tips on where symbols and sources could be missing.

Comment:
This is sort of what the SRCS should be in libcrypto.so: https://gist.github.com/ngie-eign/e3fb2de6dc32bdfddb9be119058c4792 (it's not a complete picture, but it's a start).

Comment:
Yes I'll be happy with the Makefiles changed like this instead.
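The kind of source audit suggested in the thread above, as an added example (not part of this review, nor of FreeBSD's or OpenSSL's build tooling): it reads a `providers/liblegacy.a:` rule of the form quoted in the comments, strips the `liblegacy-lib-` prefix from each object, and reports objects that no SRCS entry in a BSD Makefile would build. Both input texts are constructed samples and all function names are hypothetical.

```python
import re

# Constructed, abbreviated rule in the shape of the upstream excerpt quoted above.
UPSTREAM_RULE = r"""
providers/liblegacy.a: crypto/des/liblegacy-lib-des_enc.o \
        crypto/md5/liblegacy-lib-md5-x86_64.o \
        providers/implementations/kdfs/liblegacy-lib-pbkdf1.o \
        providers/implementations/kdfs/liblegacy-lib-pvkkdf.o \
        providers/liblegacy-lib-prov_running.o
"""

# Constructed SRCS lines for a hypothetical BSD Makefile (not FreeBSD's real file).
BSD_MAKEFILE = r"""
SRCS+=  des_enc.c \
        md5-x86_64.S
SRCS+=  pbkdf1.c prov_running.c
"""

def logical_lines(text):
    """Join backslash-newline continuations, then split into logical lines."""
    return re.sub(r"\\\n", " ", text).splitlines()

def rule_objects(makefile_text, target):
    """Return the prerequisites listed for `target`."""
    for line in logical_lines(makefile_text):
        if line.startswith(target + ":"):
            return line.split(":", 1)[1].split()
    raise ValueError(f"no rule for {target}")

def srcs_stems(makefile_text):
    """Collect extension-less basenames from every SRCS= / SRCS+= assignment."""
    stems = set()
    for line in logical_lines(makefile_text):
        m = re.match(r"\s*SRCS\s*\+?=\s*(.*)", line)
        if m:
            stems.update(f.rsplit(".", 1)[0] for f in m.group(1).split())
    return stems

def missing_sources(upstream, target, prefix, bsd_makefile):
    """List upstream objects (prefix removed) that no SRCS entry would build."""
    have = srcs_stems(bsd_makefile)  # basename match only; directories ignored
    missing = []
    for obj in rule_objects(upstream, target):
        directory, _, base = obj.rpartition("/")
        stem = base[:-2].removeprefix(prefix)
        # Non-object prerequisites (.ld, .a, .so) are skipped.
        if base.endswith(".o") and stem not in have:
            missing.append(f"{directory}/{stem}")
    return missing
```

On the constructed inputs, `missing_sources(UPSTREAM_RULE, "providers/liblegacy.a", "liblegacy-lib-", BSD_MAKEFILE)` reports the one object with no SRCS counterpart, together with the upstream directory to look in.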