Update OpenSSL to version 3.0.8 in the base system #740
Summary: Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html .

Obtained from: https://www.openssl.org/source/openssl-3.0.8.tar.gz

Differential Revision: https://reviews.freebsd.org/D38835

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.8.tar.gz                     14 MB 4507 kBps    04s
openssl-3.0.8.tar.gz.asc                833  B   10 MBps    00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.8
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/ngie/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096 2014-10-04 [SC]
      7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
uid           [ unknown] Richard Levitte <[email protected]>
uid           [ unknown] Richard Levitte <[email protected]>
uid           [ unknown] Richard Levitte <[email protected]>
sub   rsa4096 2014-10-04 [E]

$ gpg --verify openssl-${OSSLVER}.tar.gz.asc openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue Feb 7 05:43:55 2023 PST
gpg:                using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
gpg: Good signature from "Richard Levitte <[email protected]>" [unknown]
gpg:                 aka "Richard Levitte <[email protected]>" [unknown]
gpg:                 aka "Richard Levitte <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C
$ (cd vendor.checkout/; git status; find . -type f -or -type l | cut -c 3- | sort > ../old)
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
$ cat .git
gitdir: /home/ngie/git/freebsd-src/.git/worktrees/vendor.checkout
$ diff -arq ../openssl-3.0.8 .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$
```

Reviewers: emaste, jkim
Subscribers: imp, andrew, dab
Differential Revision: https://reviews.freebsd.org/D38835
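The test plan's `gpg --verify` still reports "Good signature" even though the key is not certified, so a script that only greps for that text would pass for any key that happens to be in the keyring. As an added example (not part of the PR or of FreeBSD's tooling), this POSIX shell check pins the fingerprint printed in the test plan and parses gpg's machine-readable `--status-fd` output instead; the status lines it is exercised against are constructed samples, not real gpg output.

```shell
#!/bin/sh
# Added example (not part of the PR): fail-closed signature check for the
# OpenSSL tarball, driven by gpg's --status-fd lines rather than the
# human-readable "Good signature" text shown in the test plan.

# Fingerprint of the OpenSSL release-signing key as printed by the test plan.
EXPECTED_FPR=7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# from the VALIDSIG line (its last field). VALIDSIG is only emitted for a
# cryptographically valid signature, so a GOODSIG line alone is not enough.
valid_sig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only when the status output proves a valid signature made by the
# pinned key. A valid signature from any other key, or a BADSIG, fails.
check_pinned_signature() {
    fpr=$(valid_sig_fpr)
    [ -n "$fpr" ] && [ "$fpr" = "$EXPECTED_FPR" ]
}

# Real usage (needs gpg and the downloaded files, so not run here):
#   gpg --status-fd 1 --verify openssl-3.0.8.tar.gz.asc openssl-3.0.8.tar.gz \
#       2>/dev/null | check_pinned_signature || exit 1

# Constructed sample status lines shaped like the test plan's verification
# (same key, same signature time); the SIG_ID value is made up.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0
[GNUPG:] SIG_ID 0constructedSigId000000000 2023-02-07 1675777435
[GNUPG:] GOODSIG D5E9E43F7DF9EE8C Richard Levitte <[email protected]>
[GNUPG:] VALIDSIG 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 2023-02-07 1675777435 0 4 0 1 10 00 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a valid signature, but from a different (placeholder) key.
SAMPLE_WRONG_KEY='[GNUPG:] GOODSIG 0000000000000000 Someone Else <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2023-02-07 1675777435 0 4 0 1 10 00 0000000000000000000000000000000000000000'

# Constructed: the signature did not verify at all.
SAMPLE_BAD='[GNUPG:] BADSIG D5E9E43F7DF9EE8C Richard Levitte <[email protected]>'
```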
@khorben : you're awesome! Would you be opposed to me taking bits of your work, cherry-picking/squashing them, then pushing bits and pieces into base?
My brain cells have been under stimulated lately. I'd really like to do some straightforward FreeBSD development.
Hmm.. the build failed with amd64. Let's see if I can track down why and propose a change in the PR.
This is great to hear and absolutely, feel free to sort it out and clear the way :)
Classic, I forgot to
usr.sbin/bhyve/Makefile
@@ -110,6 +110,7 @@ LIBADD+= netgraph | |||
.if ${MK_OPENSSL} == "no" | |||
CFLAGS+=-DNO_OPENSSL | |||
.else | |||
CFLAGS+= -DOPENSSL_API_COMPAT=0x10100000L |
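Review bot: `OPENSSL_API_COMPAT=0x10100000L` only keeps the deprecated 1.1 functions visible when building against OpenSSL 3.0, so this hunk defers bhyve's port to the 3.0 APIs rather than completing it; the commit subject should say "specify OpenSSL 1.1 API" rather than "fix building with OpenSSL 3.0", and a short comment above the new line naming the deprecated calls that still need it would let the define be dropped later. Also, the existing `CFLAGS+=-DNO_OPENSSL` on the `.if` side has no space after `+=` while the new `CFLAGS+= -DOPENSSL_API_COMPAT=0x10100000L` does; keep the two branches consistent.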
lib/libfido2/Makefile
@@ -68,6 +68,7 @@ CFLAGS+= -DTLS=__thread | |||
CFLAGS+= -D_FIDO_MAJOR=1 | |||
CFLAGS+= -D_FIDO_MINOR=10 | |||
CFLAGS+= -D_FIDO_PATCH=0 | |||
CFLAGS+= -DOPENSSL_API_COMPAT=0x10100000L |
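Review bot: the pin to the 1.1.0 API here mirrors what libfido2's own CMake build does when `CRYPTO_VERSION` is 3.0 or newer (`add_definitions(-DOPENSSL_API_COMPAT=0x10100000L)`), so it is reasonable, but it sits among the permanent `-D_FIDO_MAJOR`/`_MINOR`/`_PATCH` definitions with nothing marking it as temporary; add a comment pointing at the upstream rule so the line can be removed once the vendored libfido2 is updated past the need for it.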
This one done in 469c325
Does updating libfido2 fix this issue?
libfido2's upstream build does:

```cmake
if(CRYPTO_VERSION VERSION_GREATER_EQUAL 3.0)
  add_definitions(-DOPENSSL_API_COMPAT=0x10100000L)
endif()
```

with a few special case `#if OPENSSL_VERSION_NUMBER >= 0x30000000` here and there, but I imagine a future update will address this.
@ngie-eign I think all of the I used "specify OpenSSL 1.1 API" instead of "fix building with OpenSSL 3.0" in the commit message subjects, and these commits should have a
Hmm, dma fails with
Indeed,
so IMO we should update dma and add the
Approved internal change for merge with FreeBSD.
I've committed that for now, will replace with upstream dma after your change is in.
Submitted upstream as libarchive/libarchive#1869 .
lib/libarchive/Makefile.inc
@@ -10,7 +10,7 @@ CFLAGS+= -DPLATFORM_CONFIG_H=\"${.CURDIR}/config_freebsd.h\" | |||
|
|||
.if ${MK_OPENSSL} != "no" | |||
CFLAGS+= -DWITH_OPENSSL | |||
LIBADD+= crypto | |||
LIBADD+= ssl crypto |
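Review bot: `LIBADD+= ssl crypto` links libssl into libarchive even though nothing in libarchive calls a libssl API; keep `LIBADD+= crypto` and fix whatever the build was actually missing on the libcrypto side, or state in the commit message which undefined reference motivated adding libssl. Pulling a TLS library into an archive library also widens the dependency surface of everything that links libarchive, for no functional gain.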
This seems wrong. Bringing in libssl as a dependency seems like overlinking to me.
What issues were you running into before?
Following up on my comment... libssl should not be required here. None of the libssl-related APIs are used in libarchive.
My guess is that this change was made based on similar code in the upstream pkg-config. I submitted libarchive/libarchive#1870 to correct the overlinking in the spec.
This isn't right. libmd and libcrypto shouldn't be mixed.
To be clear (because my last statement wasn't potentially): the implementations can mix by design, but there's no reason why there should be 2 crypto implementations linked into a library. This effectively overlinks libmd into libfetch when MK_OPENSSL != no.
The lib/ldns change was submitted as c6750dd.
Merge commit 'e4520c8bd1d300a7a338d0ed4af171a2d0e583ef' into khorben/openssl-3.0
With the update to OpenSSL 3.0, engines are installed into a different folder, and modular providers can be installed into a dedicated folder as well.
Ed has a better commit message for this in commit 3e98230.
This also requires lowering the level of warnings for archive_hmac.c when building with OpenSSL 3.
This disables warning-errors for: archive_hmac.c:241:64: error: passing argument 2 of 'OSSL_PARAM_construct_utf8_string' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
This commit leveraged the updated Makefile.asm in order to re-generate the assembly files provided by OpenSSL.
This casts the second parameter to OSSL_PARAM_construct_utf8_string() as a char * for a string literal, as documented in EVP_MAC(3).
ec_nistp_64_gcc_128 is only supported on 64-bit systems, but also only on little-endian systems. This fixes the build on PowerPC 64 (big-endian).
I have now marked this PR as "ready", with the following to keep in mind:
cc @bsdjhb
Unfortunately this pull-up request has to go back to draft after the update to 1.1.1u in
Closing this pull-up request now that the direct update to OpenSSL 3.0.9 is almost ready in #760.
This branch is the closest I am currently to a functional update to OpenSSL 3.0.8 in FreeBSD's base system. It was started from the existing `vendor/openssl-3.0` branch.

The thorough review expected should include:

- `security/openssl30` port with the legacy provider enabled)
- `secure/lib/libcrypto/Version.map` and `secure/lib/libssl/Version.map`
- `SHLIB_MAJOR` is good (currently `30` since `3` is already obsolete)
- `ossl-modules` providers
- `vendor/ldns-1.8.3` tag by YT)
- `sys/crypto/openssl` to avoid any trouble with the kernel, and re-imports them into `crypto/openssl` instead; security fixes beware of both locations

In most software users of OpenSSL, a compatibility compilation flag was used in order to expose and use the former OpenSSL API.
PR: 271615
Sponsored by: FreeBSD Foundation