Update OpenSSL to version 3.0.9 in the base system #760
Summary: Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html .

Obtained from: https://www.openssl.org/source/openssl-3.0.8.tar.gz
Differential Revision: https://reviews.freebsd.org/D38835

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.8.tar.gz                                    14 MB 4507 kBps    04s
openssl-3.0.8.tar.gz.asc                               833  B   10 MBps    00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.8
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/ngie/.gnupg/pubring.kbx
-----------------------------
pub   rsa4096 2014-10-04 [SC]
      7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
uid           [ unknown] Richard Levitte <richard@levitte.org>
uid           [ unknown] Richard Levitte <levitte@lp.se>
uid           [ unknown] Richard Levitte <levitte@openssl.org>
sub   rsa4096 2014-10-04 [E]

$ gpg --verify openssl-${OSSLVER}.tar.gz.asc openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue Feb  7 05:43:55 2023 PST
gpg:                using RSA key 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
gpg: Good signature from "Richard Levitte <richard@levitte.org>" [unknown]
gpg:                 aka "Richard Levitte <levitte@lp.se>" [unknown]
gpg:                 aka "Richard Levitte <levitte@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7953 AC1F BC3D C8B3 B292  393E D5E9 E43F 7DF9 EE8C
$ (cd vendor.checkout/; git status; find . -type f -or -type l | cut -c 3- | sort > ../old)
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
$ cat .git
gitdir: /home/ngie/git/freebsd-src/.git/worktrees/vendor.checkout
$ diff -arq ../openssl-3.0.8 .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
nothing to commit, working tree clean
$
```

Reviewers: emaste, jkim
Subscribers: imp, andrew, dab
Differential Revision: https://reviews.freebsd.org/D38835
Summary: Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html .

Obtained from: https://www.openssl.org/source/openssl-3.0.9.tar.gz

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.9.tar.gz                                    14 MB   74 MBps    01s
openssl-3.0.9.tar.gz.asc                               833  B   10 MBps    00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.9
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2021-07-16 [SC] [expires: 2031-07-14]
      A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C
uid           [ unknown] Tomáš Mráz <tm@t8m.info>
uid           [ unknown] Tomáš Mráz <tomas@arleto.cz>
uid           [ unknown] Tomáš Mráz <tomas@openssl.org>
sub   rsa4096 2021-07-16 [S] [expires: 2027-07-15]
sub   rsa4096 2021-07-16 [E] [expires: 2031-07-14]

$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue May 30 14:32:24 2023 CEST
gpg:                using RSA key DC7032662AF885E2F47F243F527466A21CA79E6D
gpg: Good signature from "Tomáš Mráz <tm@t8m.info>" [unknown]
gpg:                 aka "Tomáš Mráz <tomas@arleto.cz>" [unknown]
gpg:                 aka "Tomáš Mráz <tomas@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A21F AB74 B008 8AA3 6115  2586 B8EF 1A6B A9DA 2D5C
     Subkey fingerprint: DC70 3266 2AF8 85E2 F47F  243F 5274 66A2 1CA7 9E6D
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER} .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
```
I realized moments ago that I haven't taken care of the manual pages yet; this will also require some work here.
The new manual pages are now generated, and the obsolete files listed.
9669855 is the HEAD of my candidate for inclusion.
Note that 8ec9669 reverts the pertinent part of
@khorben please, could you rebase on top of today's HEAD?
Hi @jurajlutter, sorry, I got sick yesterday; I have just managed to push a first attempt at rebasing at https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.0.9-rebased.
It's not clear that we're talking about the same thing. In the current version of this branch, There's no commit after 8ec9669 in this branch that puts
Yes, I'm sorry, I remembered an issue with
Yup, thanks! I had opened PR khorben#2 in case that was easier, but I've closed that now as it's been addressed and install looks happier now.
OPENSSL_API_COMPAT can be used to specify the OpenSSL API version in use for the purpose of hiding deprecated interfaces and enabling the appropriate deprecation notices. This change is a NFC while we're still using OpenSSL 1.1.1 but will avoid deprecation warnings upon the switch to OpenSSL 3.0. A future update may migrate to use the OpenSSL 3.0 APIs.

PR: 271615
Pull request: freebsd#757
Sponsored by: The FreeBSD Foundation
This API is not supported on 32-bit platforms, or on big endian platforms.
Even though the .so file is at 30 in FreeBSD base (and perhaps wrongly at 12 in security/openssl30), calculations for API compatibility should match upstream here at 3.
Reported by @otis@bsd.network from Mastodon; thanks!
Use __SIZEOF_LONG__ to define either SIXTY_FOUR_BIT_LONG or THIRTY_TWO_BIT consistently in crypto's bn_conf.h and openssl's configuration.h. Otherwise, for example on i386, the openssl bignum routines will attempt to use 32-bit shifts on 32-bit unsigned longs, which is undefined behavior.
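As an added example (my own code, not FreeBSD's or OpenSSL's), the invariant the commit above restores: the bignum word type and its bit-width macros are both derived from __SIZEOF_LONG__, so the half-word shifts that generic bignum code relies on stay strictly below the word width. The names BN_ULONG, BN_BITS2, BN_BITS4 and BN_MASK2l follow OpenSSL's naming, but the multiply routine is a simplified stand-in written for this example, not upstream's implementation.

```c
#include <limits.h>

/*
 * Added example, not FreeBSD's or OpenSSL's code. It applies the idea of the
 * fix described in the commit message: derive the bignum word width from
 * __SIZEOF_LONG__ so that the word type and BN_BITS2/BN_BITS4 cannot disagree.
 * SIXTY_FOUR_BIT_LONG / THIRTY_TWO_BIT are the macro names the commit refers to.
 */
#if __SIZEOF_LONG__ == 8
# define SIXTY_FOUR_BIT_LONG
# define BN_BITS2 64
#elif __SIZEOF_LONG__ == 4
# define THIRTY_TWO_BIT
# define BN_BITS2 32
#else
# error "unsupported sizeof(long)"
#endif
typedef unsigned long BN_ULONG;
#define BN_BITS4  (BN_BITS2 / 2)
#define BN_MASK2l ((BN_ULONG)-1 >> BN_BITS4)   /* mask for the low half-word */

/* 1 if the word type and the bit-width macro agree: the invariant the fix restores. */
int bn_conf_consistent(void)
{
    return sizeof(BN_ULONG) * CHAR_BIT == BN_BITS2;
}

/*
 * Word-by-word multiply with half-word splitting, the pattern generic bignum
 * code falls back to when no double-width integer type is available. Every
 * shift is by BN_BITS4, which is well defined only while BN_BITS4 is smaller
 * than the real word width. With the mismatched configuration from the commit
 * message (BN_BITS2 == 64 on a 32-bit long) BN_BITS4 becomes 32 and each of
 * these shifts on a 32-bit BN_ULONG is undefined behaviour.
 */
void bn_mul_word(BN_ULONG a, BN_ULONG b, BN_ULONG *hi, BN_ULONG *lo)
{
    BN_ULONG al = a & BN_MASK2l, ah = a >> BN_BITS4;
    BN_ULONG bl = b & BN_MASK2l, bh = b >> BN_BITS4;
    BN_ULONG ll = al * bl, lh = al * bh, hl = ah * bl, hh = ah * bh;
    /* column at bit BN_BITS4: high half of ll plus the low halves of the cross terms */
    BN_ULONG mid = (ll >> BN_BITS4) + (lh & BN_MASK2l) + (hl & BN_MASK2l);

    *lo = (ll & BN_MASK2l) | (mid << BN_BITS4);
    *hi = hh + (lh >> BN_BITS4) + (hl >> BN_BITS4) + (mid >> BN_BITS4);
}

/* Accessors so the result can be checked without out-parameters. */
BN_ULONG bn_mul_word_hi(BN_ULONG a, BN_ULONG b) { BN_ULONG h, l; bn_mul_word(a, b, &h, &l); return h; }
BN_ULONG bn_mul_word_lo(BN_ULONG a, BN_ULONG b) { BN_ULONG h, l; bn_mul_word(a, b, &h, &l); return l; }
```

Building this with -fsanitize=undefined and forcing BN_BITS2 to 64 on a 32-bit target reproduces the shift-exponent error the commit describes; with the width derived from __SIZEOF_LONG__ the sanitizer stays quiet.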
It seems you have forgotten to add file
Reported by: Vsevolod Stakhov (@vstakhov on GitHub)
@@ -210,8 +210,8 @@ SRCS+= dso_dlfcn.c dso_err.c dso_lib.c | |||
# ec | |||
SRCS+= curve25519.c curve448.c curve448_tables.c ec2_oct.c ec2_smpl.c | |||
SRCS+= ec_ameth.c ec_asn1.c ec_backend.c ec_check.c ec_curve.c ec_cvt.c | |||
SRCS+= ec_err.c ec_key.c ec_kmeth.c ec_lib.c ec_mult.c ec_oct.c ec_pmeth.c | |||
SRCS+= ec_print.c ecdh_kdf.c ecdh_ossl.c ecdsa_ossl.c ecdsa_sign.c | |||
SRCS+= ec_deprecated.c ec_err.c ec_key.c ec_kmeth.c ec_lib.c ec_mult.c ec_oct.c |
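Review bot: the replaced SRCS+= line now leads with ec_deprecated.c, which keeps the ec group alphabetical, but the line is longer than its neighbours; moving ec_oct.c down to the following SRCS+= line would keep the wrapping even. Also confirm that ec_deprecated.c actually exists in the imported vendor sources before merging, since a comment earlier in this thread reports a forgotten file in this series.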
👍
For me:
Hi Juraj,
Would you have more information about your build environment? Ideally the contents of your
This branch is the closest I am currently to a functional update to OpenSSL 3.0.9 in FreeBSD's base system. It was started from an update to the `vendor/openssl-3.0` branch (see https://reviews.freebsd.org/D40365).

The thorough review expected should include:

- `security/openssl30` port with the legacy provider enabled)
- `secure/lib/libcrypto/Version.map` and `secure/lib/libssl/Version.map`
- `30` as `SHLIB_MAJOR` is good for the `.so` files (upstream's `3` has already been obsoleted in FreeBSD's base system)
- `ossl-modules` providers
- `sys/crypto/openssl` to avoid any trouble with the kernel, and re-imports them into `secure/lib/libcrypto/arch` instead as per `Makefile.asm`; security fixes beware of both locations.

In most software users of OpenSSL, a compatibility compilation flag was used in order to expose and use the former OpenSSL 1.1 API, which is still provided by OpenSSL 3.0 on request.

PR: 271615
Sponsored by: The FreeBSD Foundation