Update OpenSSL to version 3.0.8 in the base system #740

khorben wants to merge 33 commits into freebsd:main from
Summary: Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html .

Obtained from: https://www.openssl.org/source/openssl-3.0.8.tar.gz

Differential Revision: https://reviews.freebsd.org/D38835

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.8.tar.gz                                   14 MB 4507 kBps    04s
openssl-3.0.8.tar.gz.asc                               833  B   10 MBps    00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.8
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/ngie/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096 2014-10-04 [SC]
      7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
uid           [ unknown] Richard Levitte <richard@levitte.org>
uid           [ unknown] Richard Levitte <levitte@lp.se>
uid           [ unknown] Richard Levitte <levitte@openssl.org>
sub   rsa4096 2014-10-04 [E]

$ gpg --verify openssl-${OSSLVER}.tar.gz.asc openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue Feb  7 05:43:55 2023 PST
gpg:                using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
gpg: Good signature from "Richard Levitte <richard@levitte.org>" [unknown]
gpg:                 aka "Richard Levitte <levitte@lp.se>" [unknown]
gpg:                 aka "Richard Levitte <levitte@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
$ (cd vendor.checkout/; git status; find . -type f -or -type l | cut -c 3- | sort > ../old)
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
$ cat .git
gitdir: /home/ngie/git/freebsd-src/.git/worktrees/vendor.checkout
$ diff -arq ../openssl-3.0.8 .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$
```

Reviewers: emaste, jkim

Subscribers: imp, andrew, dab

Differential Revision: https://reviews.freebsd.org/D38835
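The test plan above verifies the vendor tarball by hand and gets gpg's "key is not certified with a trusted signature" warning, because the signing key is not vouched for by the local web of trust. For a scripted vendor import the usual answer is to pin the expected signing-key fingerprint and read gpg's machine-readable `--status-fd` output rather than its human text. The following is an added example, not code from this PR or from OpenSSL: the pinned fingerprint is the one printed in the test plan, the `SAMPLE_STATUS` lines are a constructed imitation of gpg status output, and `verify_tarball` (which shells out to a real `gpg`) is only illustrative.

```python
"""Pin a release signature to a known signing-key fingerprint (added example)."""
import subprocess

# Fingerprint of the key that signed openssl-3.0.8.tar.gz, as printed by
# `gpg --verify` in the test plan. It is pinned here on purpose: the local
# keyring's trust state is irrelevant when the fingerprint is known in advance.
PINNED_FINGERPRINT = "7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good
# signature by that key. TRUST_UNDEFINED is what produces the WARNING in the
# human-readable output; the pinned-fingerprint check does not depend on it.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0
[GNUPG:] SIG_ID q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h 2023-02-07 1675777435
[GNUPG:] GOODSIG D5E9E43F7DF9EE8C Richard Levitte <richard@levitte.org>
[GNUPG:] VALIDSIG 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 2023-02-07 1675777435 0 4 0 1 8 00 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Any of these status keywords means the signature must not be accepted,
# whatever else gpg reports.
FAILURE_KEYWORDS = frozenset(
    {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"})


def status_records(status_output):
    """Yield (keyword, args) for each '[GNUPG:] KEYWORD ...' status line."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]":
            yield fields[1], fields[2:]


def validsig_fingerprints(status_output):
    """Full key fingerprints from VALIDSIG lines.

    GOODSIG only carries a 64-bit key id, which is not collision resistant,
    so only VALIDSIG is consulted. When gpg appends the primary key
    fingerprint (signature made by a subkey) that one is used, so the pin
    can name the primary key.
    """
    fprs = []
    for keyword, args in status_records(status_output):
        if keyword != "VALIDSIG" or not args:
            continue
        # args: fpr date timestamp expire version reserved pkalgo hashalgo
        #       sigclass [primary_fpr]
        primary = args[9] if len(args) >= 10 else args[0]
        fprs.append(primary.upper())
    return fprs


def normalize_fingerprint(fpr):
    """Accept the spaced form gpg prints ('7953 AC1F ...') as well as bare hex."""
    return fpr.replace(" ", "").upper()


def signature_matches_pin(status_output, pinned_fpr):
    """True only if a VALIDSIG by the pinned key was reported and no failure keyword appeared."""
    if any(kw in FAILURE_KEYWORDS for kw, _ in status_records(status_output)):
        return False
    return normalize_fingerprint(pinned_fpr) in validsig_fingerprints(status_output)


def verify_tarball(tarball, signature, pinned_fpr=PINNED_FINGERPRINT):
    """Run a real gpg on a detached signature; not exercised by the sample data."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False)
    return signature_matches_pin(proc.stdout, pinned_fpr)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        ok = verify_tarball(sys.argv[1], sys.argv[2])
        print("signature OK" if ok else "signature REJECTED")
        sys.exit(0 if ok else 1)
    print("pinned-key check on sample status:", signature_matches_pin(SAMPLE_STATUS, PINNED_FINGERPRINT))
```

The point of checking VALIDSIG rather than the exit status alone is that gpg exits 0 for a good signature by any key in the keyring; the pin is what ties the tarball to the release-signing key the importer actually meant.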
@khorben : you're awesome! Would you be opposed to me taking bits of your work, cherry-picking/squashing them, then pushing bits and pieces into base?

My brain cells have been under stimulated lately. I'd really like to do some straightforward FreeBSD development.

Hmm.. the build failed with amd64. Let's see if I can track down why and propose a change in the PR.
This is great to hear and absolutely, feel free to sort it out and clear the way :) |
Force-pushed from d5b355b to 1508a74.

Classic, I forgot to
| .if ${MK_OPENSSL} == "no" | ||
| CFLAGS+=-DNO_OPENSSL | ||
| .else | ||
| CFLAGS+= -DOPENSSL_API_COMPAT=0x10100000L |
| CFLAGS+= -D_FIDO_MAJOR=1 | ||
| CFLAGS+= -D_FIDO_MINOR=10 | ||
| CFLAGS+= -D_FIDO_PATCH=0 | ||
| CFLAGS+= -DOPENSSL_API_COMPAT=0x10100000L |
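Review bot: `CFLAGS+= -DOPENSSL_API_COMPAT=0x10100000L` appears twice in this hunk, once inside the `.else` branch of the `MK_OPENSSL` test and again after the `_FIDO_*` defines; one copy is enough, and the one inside the `.else` branch is the better placement because it is then only set when libfido2 is actually built against OpenSSL. Since this mirrors what libfido2's own CMake build does for OpenSSL 3.0, a one-line comment above the define saying so (and that it can go away once libfido2 is updated) would save the next reader the same question.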
Does updating libfido2 fix this issue?

libfido2's upstream build does:

```cmake
if(CRYPTO_VERSION VERSION_GREATER_EQUAL 3.0)
	add_definitions(-DOPENSSL_API_COMPAT=0x10100000L)
endif()
```

with a few special case `#if OPENSSL_VERSION_NUMBER >= 0x30000000` here and there, but I imagine a future update will address this.
@ngie-eign I think all of the I used "specify OpenSSL 1.1 API" instead of "fix building with OpenSSL 3.0" in the commit message subjects, and these commits should have a
Hmm, dma fails with Indeed,
so IMO we should update dma and add the
Approved internal change for merge with FreeBSD. |
I've committed that for now, will replace with upstream dma after your change is in. |
ngie-eign left a comment:

Submitted upstream as libarchive/libarchive#1869.
| .if ${MK_OPENSSL} != "no" | ||
| CFLAGS+= -DWITH_OPENSSL | ||
| LIBADD+= crypto | ||
| LIBADD+= ssl crypto |
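Review bot: `LIBADD+= ssl crypto` adds libssl as a link-time dependency of libarchive, but nothing in this hunk references a libssl API; `-DWITH_OPENSSL` is the only other change and it selects the libcrypto-backed code paths. Keep `LIBADD+= crypto` unless the link actually fails on an `SSL_*` symbol, in which case name that symbol in the commit message; `nm -D -u` on the built library shows whether any libssl symbol is really undefined.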
This seems wrong. Bringing in libssl as a dependency seems like overlinking to me.
What issues were you running into before?
Following up on my comment... libssl should not be required here. None of the libssl-related APIs are used in libarchive.
My guess is that this change was made based on similar code in the upstream pkg-config. I submitted libarchive/libarchive#1870 to correct the overlinking in the spec.
ngie-eign left a comment:
This isn't right. libmd and libcrypto shouldn't be mixed.
To be clear (because my last statement wasn't potentially): the implementations can mix by design, but there's no reason why there should be 2 crypto implementations linked into a library. This effectively overlinks libmd into libfetch when MK_OPENSSL != no.
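Both review threads above are the same class of defect: a library listed in LIBADD that none of the object's undefined symbols actually need (libssl for libarchive), or two libraries listed that both export the same symbol so that which implementation wins depends on link order (libmd next to libcrypto for libfetch). The check below is an added example, not code from this PR, libarchive or libfetch: it intersects a library's undefined symbols with each candidate dependency's exports, both in the format `nm` prints them. The `UNDEFINED_*` listings and the `EXPORTS` table are constructed for the example and deliberately small; `nm_symbols` runs the real tool when given a path.

```python
"""Find unused and conflicting LIBADD entries from nm listings (added example)."""
import subprocess

# Constructed `nm -D -u` style listing for a hypothetical libarchive build:
# the OpenSSL symbols it needs are all libcrypto exports, none come from libssl.
UNDEFINED_LIBARCHIVE = """\
                 U EVP_MAC_fetch
                 U EVP_MAC_CTX_new
                 U OSSL_PARAM_construct_utf8_string
                 U HMAC
                 U malloc
                 U memcpy
"""

# Constructed listing for a hypothetical libfetch build that uses TLS and SHA-256.
UNDEFINED_LIBFETCH = """\
                 U SSL_CTX_new
                 U SSL_connect
                 U SHA256_Init
                 U SHA256_Update
                 U SHA256_Final
                 U malloc
"""

# Constructed `nm -D --defined-only` style export lists of the candidate
# dependencies (a handful of symbols each, not the real export tables).
EXPORTS = {
    "libssl": """\
0000000000041230 T SSL_CTX_new
0000000000041a10 T SSL_connect
0000000000043f00 T OPENSSL_init_ssl
""",
    "libcrypto": """\
00000000000c1000 T EVP_MAC_fetch
00000000000c1080 T EVP_MAC_CTX_new
00000000000d2300 T OSSL_PARAM_construct_utf8_string
00000000000b4400 T HMAC
00000000000a1000 T SHA256_Init
00000000000a1040 T SHA256_Update
00000000000a1080 T SHA256_Final
""",
    "libmd": """\
0000000000003000 T MD5Init
0000000000004000 T SHA256_Init
0000000000004040 T SHA256_Update
0000000000004080 T SHA256_Final
""",
}


def parse_nm(output):
    """Symbol names from nm output; the name is the last column of every line."""
    return {line.split()[-1] for line in output.splitlines() if line.strip()}


def resolve(undefined, exports):
    """For each candidate library, the undefined symbols it would satisfy."""
    return {lib: undefined & parse_nm(listing) for lib, listing in exports.items()}


def overlinked(undefined, exports):
    """Candidates that satisfy nothing: listing them only adds a DT_NEEDED entry."""
    return sorted(lib for lib, used in resolve(undefined, exports).items() if not used)


def duplicate_providers(undefined, exports):
    """Symbols satisfied by more than one candidate; the winner then depends on link order."""
    providers = {}
    for lib, used in resolve(undefined, exports).items():
        for sym in used:
            providers.setdefault(sym, []).append(lib)
    return {sym: sorted(libs) for sym, libs in providers.items() if len(libs) > 1}


def audit(undefined_listing, libadd, exports):
    """Report unused LIBADD entries and symbols provided by two of them at once."""
    undefined = parse_nm(undefined_listing)
    candidates = {lib: exports[lib] for lib in libadd}
    return {
        "unused": overlinked(undefined, candidates),
        "duplicated": duplicate_providers(undefined, candidates),
    }


def nm_symbols(path, undefined_only):
    """Run the real nm on a built object; not exercised by the constructed samples."""
    flags = ["-D", "-u"] if undefined_only else ["-D", "--defined-only"]
    out = subprocess.run(["nm", *flags, path], capture_output=True, text=True, check=True).stdout
    return parse_nm(out)


if __name__ == "__main__":
    print("libarchive, LIBADD ssl crypto:", audit(UNDEFINED_LIBARCHIVE, ["libssl", "libcrypto"], EXPORTS))
    print("libfetch, LIBADD ssl crypto md:", audit(UNDEFINED_LIBFETCH, ["libssl", "libcrypto", "libmd"], EXPORTS))
```

On a real build the same two functions are fed `nm_symbols("libarchive.so", True)` and the export tables of the libraries named in LIBADD; an entry in `unused` is the overlinking the first thread objects to, and an entry in `duplicated` is the two-implementations situation the second thread describes.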
Merge commit 'e4520c8bd1d300a7a338d0ed4af171a2d0e583ef' into khorben/openssl-3.0
With the update to OpenSSL 3.0, engines are installed into a different folder, and modular providers can be installed into a dedicated folder as well.
Ed has a better commit message for this in commit 3e98230.
This also requires lowering the level of warnings for archive_hmac.c when building with OpenSSL 3.
This disables warning-errors for:

```
archive_hmac.c:241:64: error: passing argument 2 of
'OSSL_PARAM_construct_utf8_string' discards 'const' qualifier from
pointer target type [-Werror=discarded-qualifiers]
```
This commit leveraged the updated Makefile.asm in order to re-generate the assembly files provided by OpenSSL.
This casts the second parameter to OSSL_PARAM_construct_utf8_string() as a char * for a string literal, as documented in EVP_MAC(3).
ec_nistp_64_gcc_128 is only supported on 64-bit systems, but also only on little-endian systems. This fixes the build on PowerPC 64 (big-endian).
Force-pushed from c4f45c1 to ac32131.

Force-pushed from ac32131 to c9f9966.
I have now marked this PR as "ready", with the following to keep in mind:

cc @bsdjhb
Force-pushed from cd93b73 to 069e79e.

Unfortunately this pull-up request has to go back to draft after the update to 1.1.1u in
Closing this pull-up request now that the direct update to OpenSSL 3.0.9 is almost ready in #760. |
This branch is the closest I am currently to a functional update to OpenSSL 3.0.8 in FreeBSD's base system. It was started from the existing `vendor/openssl-3.0` branch.

The thorough review expected should include:

- `security/openssl30` port with the legacy provider enabled)
- `secure/lib/libcrypto/Version.map` and `secure/lib/libssl/Version.map`
- `SHLIB_MAJOR` is good (currently `30` since `3` is already obsolete)
- `ossl-modules` providers
- `vendor/ldns-1.8.3` tag by YT)
- `sys/crypto/openssl` to avoid any trouble with the kernel, and re-imports them into `crypto/openssl` instead; security fixes beware of both locations

In most software users of OpenSSL, a compatibility compilation flag was used in order to expose and use the former OpenSSL API.
PR: 271615
Sponsored by: FreeBSD Foundation