CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Enji Cooper <ngie@FreeBSD.org>
	Sat, 20 Apr 2024 19:12:50 +0000 (12:12 -0700)
committer	Enji Cooper <ngie@FreeBSD.org>
	Sun, 21 Apr 2024 16:35:19 +0000 (09:35 -0700)
commit	42ce242e353065dfbaa248955f6657005a395a95
tree	0bbbd30aeffd5ae33f9bf11e0f40c639b9462513	tree \| snapshot
parent	b571bcea5495327fd210378109b0b2aed08bebc3	commit \| diff

OpenSSL: use the upstream provided version.map files for the fips/legacy providers

This change introduces a static copy of the fips and legacy linker version maps
generated by the OpenSSL 3.0.13 build process.

This unbreaks the fips and legacy providers by not exposing unnecessary
symbols from the fips/legacy provider shared objects shared with other
providers (base, default) and libcrypto.

More discussion:

Prior to this change, loading the fips provider indirectly from a
FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a
process-wide deadlock when invoking select OpenSSL APIs
(CONF_modules_load* in this particular example).

Speaking with the upstream maintainers [1], it became obvious that
the FreeBSD base system was incorrectly building/linking the fips
provider, resulting in a symbol collision at runtime, and thus a
process-wide deadlock in specific circumstances. The fips provider
would deadlock when trying to acquire a write lock on internal
structures which should have only been available to the base and
default providers, as certain preprocessor ifdefs only allow specific
internal calls to be made with the base and default providers.

1. https://github.com/openssl/openssl/issues/24202

Differential Revision: https://reviews.freebsd.org/D44892

crypto/openssl/providers/fips.ld	[new file with mode: 0644]	blob
crypto/openssl/providers/legacy.ld	[new file with mode: 0644]	blob
secure/lib/libcrypto/modules/fips/Makefile		diff \| blob \| history
secure/lib/libcrypto/modules/legacy/Makefile		diff \| blob \| history