Bug 272281

Summary: net/freerdp: bhyve: CURRENT (OpenSSL 3): OpenSSL LEGACY provider failed to load, no md4 support available!
Product: Ports & Packages Reporter: O. Hartmann <ohartmann>
Component: Individual Port(s)Assignee: Vladimir Druzenko <vvd>
Status: Closed Overcome By Events    
Severity: Affects Many People CC: cuicui, eduardo, gert, mikael
Priority: --- Flags: bugzilla: maintainer-feedback? (vvd)
Version: Latest   
Hardware: Any   
OS: Any   

Description O. Hartmann 2023-06-29 11:45:08 UTC 
Host: FreeBSD 14.0-CURRENT #10 main-n263871-fd774e065c5d: Thu Jun 29 05:26:55 CEST 2023 amd64
Host has OpenSSL 3.
ALL ports recompiled to meet OpenSSL 3 library requirements (portmaster -df ...).

Following https://wiki.freebsd.org/bhyve/Windows.

When booting a Win10 guest via bhyve and trying to to connect via RDP, the connect with net/freerdp fails with the error shown below.

xfreerdp /v:192.168.0.128:5900 /u:ohartmann
[13:21:44:952] [3013:7a612700] [WARN][com.winpr.utils.ssl] - OpenSSL LEGACY provider failed to load, no md4 support available!
[13:21:44:952] [3013:7a612700] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:12800067:DSO support routines::could not load the shared library
[13:21:44:952] [3013:7a612700] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:12800067:DSO support routines::could not load the shared library
[13:21:44:952] [3013:7a612700] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:07880025:common libcrypto routines::reason(524325)
[13:21:44:952] [3013:7a612700] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[13:21:44:961] [3013:7a612700] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 36: Operation now in progress
[13:21:44:961] [3013:7a612700] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[13:21:44:962] [3013:7a612700] [ERROR][com.freerdp.core] - freerdp_post_connect failed


bhyve guest setup:

[...]
bhyve -c 4 -m 4G -w -H \
    -s 0,hostbridge \
    -s 3,ahci-hd,/pool/home/ohartmann/bhyve/win10/disk_win10.img  \
    -s 5,virtio-net,tap0 \
    -s 29,fbuf,tcp=0.0.0.0:5900,tcp=[::]:5900,w=1920,h=1200,wait \
    -s 30,xhci,tablet \
    -s 31,lpc -l com1,stdio \
    -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
    windows10
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2023-06-29 12:22:05 UTC 
Current version doesn't support OpenSSL 3.
Check this: https://github.com/FreeRDP/FreeRDP/pull/8920
Comment 2 Mike Cui 2023-07-05 20:47:10 UTC 
It looks like like /usr/lib/ossl-modules/legacy.so is not built correctly. dlopen("/usr/lib/ossl-modules/legacy.so") fails with: Undefined symbol "ossl_md4_functions"

Looking at secure/lib/libcrypto/modules/legacy/Makefile, legacy.so is only built from legacyprov.c, but in upstream OpenSSL, legacy.a is built from the following:

providers/liblegacy.a: crypto/des/liblegacy-lib-des_enc.o \
                       crypto/des/liblegacy-lib-fcrypt_b.o \
                       crypto/liblegacy-lib-cpuid.o \
                       crypto/liblegacy-lib-ctype.o \
                       crypto/liblegacy-lib-x86_64cpuid.o \
                       crypto/md5/liblegacy-lib-md5-x86_64.o \
                       crypto/md5/liblegacy-lib-md5_dgst.o \
                       crypto/md5/liblegacy-lib-md5_one.o \
                       crypto/md5/liblegacy-lib-md5_sha1.o \
                       providers/common/liblegacy-lib-provider_util.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_blowfish.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_blowfish_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_cast5.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_cast5_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_des.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_des_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_desx.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_desx_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_idea.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_idea_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc2.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc2_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc4.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_seed.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_seed_hw.o \
                       providers/implementations/ciphers/liblegacy-lib-cipher_tdes_common.o \
                       providers/implementations/digests/liblegacy-lib-md4_prov.o \
                       providers/implementations/digests/liblegacy-lib-mdc2_prov.o \
                       providers/implementations/digests/liblegacy-lib-ripemd_prov.o \
                       providers/implementations/digests/liblegacy-lib-wp_prov.o \
                       providers/implementations/kdfs/liblegacy-lib-pbkdf1.o \
                       providers/liblegacy-lib-prov_running.o
Comment 3 Gert Doering 2023-07-07 12:17:37 UTC 
I have the same problem with OpenVPN, trying to load the legacy provider to handle talking to peers that only support blowfish cipher.

So this is not a freerdp issue, but something about how openssl itself is built.

Test with:

gert@fbsd14:~ $ openssl list -provider legacy -providers
list: unable to load provider legacy
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
002041DFDB420000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/ossl-modules/legacy.so): /usr/lib/ossl-modules/legacy.so: Undefined symbol "ossl_md4_functions"
002041DFDB420000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:152:
002041DFDB420000:error:07880025:common libcrypto routines:provider_init:reason(524325):/usr/src/crypto/openssl/crypto/provider_core.c:912:name=legacy
Comment 4 Gert Doering 2023-07-07 12:28:45 UTC 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271656 references a commit as of yesterday that fixes legacy provider building.  Will test.
Comment 5 Vladimir Druzenko freebsd_committer freebsd_triage 2023-07-07 12:45:49 UTC 
So waiting testing on recent current?
Comment 6 Gert Doering 2023-07-08 08:41:52 UTC 
I can confirm that with src updated to commit commit c81495a621c461 (HEAD when I pulled yesterday), after a buildworld/installworld, legacy provider loading works again.  Both "openssl list -provider legacy -providers" and "openvpn --provider legacy default --show-tls" are back to normal.
Comment 7 Vladimir Druzenko freebsd_committer freebsd_triage 2023-07-08 12:03:31 UTC 
(In reply to Gert Doering from comment #6)
Thanks!
Comment 8 Nuno Teixeira freebsd_committer freebsd_triage 2023-08-11 10:30:43 UTC 
I have a similar problem with a R package that needs lagacy algorythms (14 1400093):

https://github.com/jeroen/openssl/issues/119

Could anyone take a quick look to check its relationship?

Thanks.