
secure: fix OpenSSL's legacy provider module
Abandoned, Public

Authored by khorben on Aug 14 2025, 10:55 AM.

Details

Reviewers
philip
ngie
Summary

This should include the remaining missing symbols in legacy.so.

Suggested by: Ian Freislich
Sponsored by: Alpha-Omega Beach Cleaning Project
Sponsored by: The FreeBSD Foundation

Test Plan

Before the changes:

$ openssl list -provider legacy
list: unable to load provider legacy
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
1090455349410000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/home/khorben/Projects/FreeBSD/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_kdf_pvk_functions"
1090455349410000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/home/khorben/Projects/FreeBSD/src/crypto/openssl/crypto/dso/dso_lib.c:147:
1090455349410000:error:07880025:common libcrypto routines:provider_init:reason(37):/home/khorben/Projects/FreeBSD/src/crypto/openssl/crypto/provider_core.c:1019:name=legacy

After the changes:

$ openssl list -provider legacy
$ echo $?
0

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

Note that I have reservations about the part adding params_idx.c to the list of files built: from what I can tell, OpenSSL expects this to be available from libcrypto.so, instead of a copy inside the legacy provider module.
I suspect the more correct fix is to add the ossl_param_find_pidx to secure/lib/libcrypto/Version.map instead - which also kinda feels wrong.

This revision is now accepted and ready to land. Aug 15 2025, 12:54 AM

Approved by: philip (mentor)

> Note that I have reservations about the part adding params_idx.c to the list of files built: from what I can tell, OpenSSL expects this to be available from libcrypto.so, instead of a copy inside the legacy provider module.
> I suspect the more correct fix is to add the ossl_param_find_pidx to secure/lib/libcrypto/Version.map instead - which also kinda feels wrong.

This symbol isn't exported via either library.

Here're the objects which OpenSSL uses for the legacy provider:

providers/liblegacy.a: crypto/des/liblegacy-lib-des_enc.o \
                       crypto/des/liblegacy-lib-fcrypt_b.o \
                       crypto/md5/liblegacy-lib-md5-x86_64.o \
                       crypto/md5/liblegacy-lib-md5_dgst.o \
                       crypto/md5/liblegacy-lib-md5_one.o \
                       crypto/md5/liblegacy-lib-md5_sha1.o \
                       crypto/rc4/liblegacy-lib-rc4-md5-x86_64.o \
                       crypto/rc4/liblegacy-lib-rc4-x86_64.o \
                       providers/common/liblegacy-lib-provider_util.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_blowfish.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_blowfish_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_cast5.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_cast5_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_des.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_des_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_desx.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_desx_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc2.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc2_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc4.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_seed.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_seed_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_tdes_common.o \
                       providers/implementations/digests/liblegacy-lib-md4_prov.o \
                       providers/implementations/digests/liblegacy-lib-ripemd_prov.o \
                       providers/implementations/digests/liblegacy-lib-wp_prov.o \
                       providers/implementations/kdfs/liblegacy-lib-pbkdf1.o \
                       providers/implementations/kdfs/liblegacy-lib-pvkkdf.o \
                       providers/liblegacy-lib-prov_running.o
...
providers/legacy.so: crypto/legacy-dso-cpuid.o crypto/legacy-dso-ctype.o \
                     crypto/legacy-dso-x86_64cpuid.o \
                     providers/legacy-dso-legacyprov.o providers/legacy.ld \
                     providers/liblegacy.a providers/libcommon.a \
                     libcrypto.so

The OpenSSL build process uses "tricks" to "uniquify" the objects produced, since libcrypto.so and legacy.so could have symbols collisions due to compile time/link time flags and the like. We should get this with .PATH adjusted to handle the .OBJDIRs appropriately, but this might need adjusting post 3.5.1 import.

params_idx.o is used in libcrypto.{a,so} according to the upstream Makefile.

params_idx.c is missing from secure/lib/libcrypto/Makefile. That's where the source should be plugged in (not the legacy provider).

ngie requested changes to this revision. Aug 15 2025, 1:49 AM
This revision now requires changes to proceed. Aug 15 2025, 1:49 AM

This is an example of why I think we need to have vendor updates like with OpenSSL better automated -- even if it's purely from an auditing perspective, i.e., not necessarily fully generating Makefiles, but at the very least providing helpful tips on where symbols and sources could be missing.

This is sort of what the SRCS should be in libcrypto.so: https://gist.github.com/ngie-eign/e3fb2de6dc32bdfddb9be119058c4792 (it's not a complete picture, but it's a start).
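The check ngie did by hand above (is a symbol the module needs actually exported by libcrypto.so?) is easy to mechanise, and is the kind of audit helper the comment asks for. The following POSIX sh is an added example, not code from this review or from the FreeBSD or OpenSSL build: it takes nm -D listings of a provider module and of one or more libraries it is linked against, and prints the undefined (U) symbols of the module that none of the libraries define. It assumes the usual three-column nm -D output and strips the @VERSION suffixes that GNU nm appends to versioned symbols; weak undefined (w) references are ignored because they do not make dlopen fail. The file names and symbol lists used in the usage hint are illustrative.

```shell
#!/bin/sh
# missing_syms MODULE_LISTING LIB_LISTING...
#   Each argument is a saved "nm -D" listing. Prints, one per line, the
#   symbols MODULE_LISTING leaves undefined ("U") that no LIB_LISTING
#   defines. Exit status is that of sort, so check the output, not $?.
missing_syms() {
    mod=$1
    shift
    # awk sees the library listings first and the module listing last.
    awk '
        # Every file but the last is a library: record what it defines.
        FILENAME != ARGV[ARGC-1] {
            if (NF >= 3 && $2 ~ /^[TDBRWViuGS]$/) {
                s = $3
                sub(/@.*/, "", s)   # drop @@OPENSSL_3.0.0-style versions
                def[s] = 1
            }
            next
        }
        # The last file is the module: report undefined symbols nobody defines.
        $1 == "U" {
            s = $2
            sub(/@.*/, "", s)       # GNU nm prints "U name@VERSION" too
            if (!(s in def)) print s
        }
    ' "$@" "$mod" | sort -u
}

# check_provider MODULE.so LIB.so...
#   Convenience wrapper that runs nm -D itself. Pass libc (and anything
#   else the module links against) as extra libraries, or their symbols
#   will be reported as missing as well.
check_provider() {
    tmpdir=$(mktemp -d) || return 1
    i=0
    for f in "$@"; do
        i=$((i + 1))
        nm -D "$f" > "$tmpdir/$i" || { rm -rf "$tmpdir"; return 1; }
    done
    set --
    j=1
    while [ "$j" -le "$i" ]; do
        set -- "$@" "$tmpdir/$j"
        j=$((j + 1))
    done
    missing_syms "$@"
    rm -rf "$tmpdir"
}

# Usage hint (paths are illustrative and are not checked here):
#   check_provider /usr/lib/ossl-modules/legacy.so /usr/lib/libcrypto.so /lib/libc.so.7
# An empty result means the dynamic linker will find every symbol the
# module imports; any line printed is a symbol dlopen will reject, as in
# the "Undefined symbol" error in the test plan above.
```

Run it against the freshly built module in the object directory rather than the installed one, so a stale /usr/lib/ossl-modules/legacy.so does not mask a build that still misses a symbol. The same listing-based core also works on the static pieces (nm on providers/liblegacy.a and providers/libcommon.a) when the question is which archive is meant to supply a symbol.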

> params_idx.c is missing from secure/lib/libcrypto/Makefile. That's where the source should be plugged in (not the legacy provider).

It's already there in line 25:

SRCS+=  time.c params_idx.c

> This is sort of what the SRCS should be in libcrypto.so: https://gist.github.com/ngie-eign/e3fb2de6dc32bdfddb9be119058c4792 (it's not a complete picture, but it's a start).

Yes I'll be happy with the Makefiles changed like this instead.
Do you want to look into it? Otherwise I can do it in a couple weeks.