-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
libcrypto: fix the legacy and FIPS providers #787
Conversation
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "legacy", ships with OpenSSL 3 directly, and groups obsoleted algorithms that can still optionally be used anyway. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. Sponsored by: The FreeBSD Foundation
I have installed FreeBSD head with this patch applied and it works fine. Programs requiring it are now able to load the legacy provider and work flawlessly. Thanks! |
Cc @markjdb |
Cc @ngie-eign |
@@ -82,10 +82,12 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn) | |||
* RFC2312 specifies a generator of 22. | |||
*/ | |||
|
|||
#ifndef FIPS_MODULE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why exactly is the ifdef needed? It's not mentioned in the commit log.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mentioned it in the pull request here:
It is not exactly clear to me why this required the change in
crypto/openssl/crypto/bn/bn_const.c
, however without it the FIPS module fails with:00B0AD22712F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/fips.so): /usr/lib/ossl-modules/fips.so: Undefined symbol "ossl_bignum_modp_1536_p"
For some reason it builds fine in the security/openssl30
port, without this patch. I tried to compare compiler flags, but did not see what could influence that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I missed that.
The same ifdef wraps modp_1536_p
in bn_dh.c, so this makes some sense. Still doesn't explain why upstream openssl doesn't have this problem.
Could you please amend the commit log message to explain this a bit further?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done! (in bb47d4b)
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "fips", ships with OpenSSL 3 directly, and groups algorithms that can be FIPS 140-2 validated. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`. This change is consistent with crypto/bn/bn_dh.c though. Sponsored by: The FreeBSD Foundation
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change adds mandatory source files to every provider. Sponsored by: The FreeBSD Foundation
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change makes sure the FIPS module matches build instructions used for libcrypto. Sponsored by: The FreeBSD Foundation
4c94dd7
to
bc37781
Compare
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "legacy", ships with OpenSSL 3 directly, and groups obsoleted algorithms that can still optionally be used anyway. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. Sponsored by: The FreeBSD Foundation Pull Request: #787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "fips", ships with OpenSSL 3 directly, and groups algorithms that can be FIPS 140-2 validated. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`. This change is consistent with crypto/bn/bn_dh.c though. Sponsored by: The FreeBSD Foundation Pull Request: #787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change adds mandatory source files to every provider. Sponsored by: The FreeBSD Foundation Pull Request: #787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change makes sure the FIPS module matches build instructions used for libcrypto. Sponsored by: The FreeBSD Foundation Pull Request: #787
Merged, thank you. |
I ended up reverting this change due to some build breakage on arm64. I suspect that the solution is to move the include paths from libcrypto/Makefile to Makefile.common. I'll run a tinderbox with that change. |
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "legacy", ships with OpenSSL 3 directly, and groups obsoleted algorithms that can still optionally be used anyway. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "fips", ships with OpenSSL 3 directly, and groups algorithms that can be FIPS 140-2 validated. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`. This change is consistent with crypto/bn/bn_dh.c though. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change adds mandatory source files to every provider. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change makes sure the FIPS module matches build instructions used for libcrypto. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
Re-pushed with build fixes applied. There is still an issue in that the fips module doesn't load on arm64 due to a missing symbol, but the legacy provider loads. |
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "legacy", ships with OpenSSL 3 directly, and groups obsoleted algorithms that can still optionally be used anyway. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. Sponsored by: The FreeBSD Foundation Pull Request: #787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "fips", ships with OpenSSL 3 directly, and groups algorithms that can be FIPS 140-2 validated. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`. This change is consistent with crypto/bn/bn_dh.c though. Sponsored by: The FreeBSD Foundation Pull Request: #787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change adds mandatory source files to every provider. Sponsored by: The FreeBSD Foundation Pull Request: #787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change makes sure the FIPS module matches build instructions used for libcrypto. Sponsored by: The FreeBSD Foundation Pull Request: #787
I just confirmed that the FIPS module can be configured to load correctly, with this pull-up request applied, on my local amd64 machine:
|
This comment was marked as resolved.
This comment was marked as resolved.
I submitted https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272454 I'm not sure exactly what the problem is there, we should fix it before the release. |
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "legacy", ships with OpenSSL 3 directly, and groups obsoleted algorithms that can still optionally be used anyway. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "fips", ships with OpenSSL 3 directly, and groups algorithms that can be FIPS 140-2 validated. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`. This change is consistent with crypto/bn/bn_dh.c though. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change adds mandatory source files to every provider. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change makes sure the FIPS module matches build instructions used for libcrypto. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "legacy", ships with OpenSSL 3 directly, and groups obsoleted algorithms that can still optionally be used anyway. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "fips", ships with OpenSSL 3 directly, and groups algorithms that can be FIPS 140-2 validated. The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation. In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`. This change is consistent with crypto/bn/bn_dh.c though. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change adds mandatory source files to every provider. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change makes sure the FIPS module matches build instructions used for libcrypto. Sponsored by: The FreeBSD Foundation Pull Request: freebsd/freebsd-src#787
These commits should help fix issues with various applications using OpenSSL, especially in relation to cryptography algorithms deemed legacy since OpenSSL 3 (e.g., RC4) or when enforcing FIPS compliance.
It is not exactly clear to me why this required the change in
crypto/openssl/crypto/bn/bn_const.c
, however without it the FIPS module fails with: