OS-8334 Bring OpenSSL 3 to the platform

Reviewed by: Brian Bennett <brian.bennett@joyent.com>
Reviewed by: Mike Zeller <mike.zeller@joyent.com>
Approved by: Brian Bennett <brian.bennett@joyent.com>

Makefile

@@ -45,6 +45,7 @@ SUBDIRS = \
 	node.js \
 	nss-nspr \
 	openssl1x \
+	openssl3 \
 	perl \
 	$(EXTRA_COMPILERS) \
 	$(STRAP_ONLY)
@@ -82,6 +83,7 @@ SUBDIRS = \
 	openldap \
 	openlldp \
 	openssl1x \
+	openssl3 \
 	openssh \
 	pbzip2 \
 	perl \
@@ -124,15 +126,15 @@ all: $(SUBDIRS)
 
 strap: $(SUBDIRS)
 
-curl: libz openssl1x libidn2
+curl: libz openssl3 libidn2
 gzip: libz
 node.js: libz openssl1x
 dialog: ncurses
-socat: openssl1x
-wget: openssl1x libidn
-openldap: openssl1x
-ntp: perl openssl1x
-openssh: openssl1x
+socat: openssl3
+wget: openssl3 libidn
+openldap: openssl3
+ntp: perl openssl3
+openssh: openssl3
 
 #
 # pkg-config may be installed. This will actually only hurt us rather than help

ipmitool/Patches/openssl-11-api.diff

@@ -0,0 +1,99 @@
+
+Can be removed next time ipmitool is upgraded.
+
+From b57487e360916ab3eaa50aa6d021c73b6337a4a0 Mon Sep 17 00:00:00 2001
+From: Dennis Schridde <dennis.schridde@uni-heidelberg.de>
+Date: Wed, 30 Nov 2016 17:33:00 +0100
+Subject: [PATCH] ID:461 - OpenSSL 1.1 compatibility - "error: storage size of
+ 'ctx' isn't known"
+
+In OpenSSL 1.1 EVP_CIPHER_CTX became opaque, cf. `man 3ssl EVP_EncryptInit`
+
+Fixes: ID:461
+diff -wpruN '--exclude=*.orig' a~/src/plugins/lanplus/lanplus_crypt_impl.c a/src/plugins/lanplus/lanplus_crypt_impl.c
+--- a~/src/plugins/lanplus/lanplus_crypt_impl.c	1970-01-01 00:00:00
++++ a/src/plugins/lanplus/lanplus_crypt_impl.c	1970-01-01 00:00:00
+@@ -164,10 +164,10 @@ lanplus_encrypt_aes_cbc_128(const uint8_
+ 							uint8_t       * output,
+ 							uint32_t        * bytes_written)
+ {
+-	EVP_CIPHER_CTX ctx;
+-	EVP_CIPHER_CTX_init(&ctx);
+-	EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv);
+-	EVP_CIPHER_CTX_set_padding(&ctx, 0);
++	EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
++	EVP_CIPHER_CTX_reset(ctx);
++	EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
++	EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+
+ 	*bytes_written = 0;
+@@ -191,7 +191,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_
+ 	assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0);
+
+
+-	if(!EVP_EncryptUpdate(&ctx, output, (int *)bytes_written, input, input_length))
++	if(!EVP_EncryptUpdate(ctx, output, (int *)bytes_written, input, input_length))
+ 	{
+ 		/* Error */
+ 		*bytes_written = 0;
+@@ -201,7 +201,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_
+ 	{
+ 		uint32_t tmplen;
+
+-		if(!EVP_EncryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen))
++		if(!EVP_EncryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen))
+ 		{
+ 			*bytes_written = 0;
+ 			return; /* Error */
+@@ -210,7 +210,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_
+ 		{
+ 			/* Success */
+ 			*bytes_written += tmplen;
+-			EVP_CIPHER_CTX_cleanup(&ctx);
++			EVP_CIPHER_CTX_free(ctx);
+ 		}
+ 	}
+ }
+@@ -239,10 +239,10 @@ lanplus_decrypt_aes_cbc_128(const uint8_
+ 							uint8_t       * output,
+ 							uint32_t        * bytes_written)
+ {
+-	EVP_CIPHER_CTX ctx;
+-	EVP_CIPHER_CTX_init(&ctx);
+-	EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv);
+-	EVP_CIPHER_CTX_set_padding(&ctx, 0);
++	EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
++	EVP_CIPHER_CTX_reset(ctx);
++	EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
++	EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+
+ 	if (verbose >= 5)
+@@ -266,7 +266,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_
+ 	assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0);
+
+
+-	if (!EVP_DecryptUpdate(&ctx, output, (int *)bytes_written, input, input_length))
++	if (!EVP_DecryptUpdate(ctx, output, (int *)bytes_written, input, input_length))
+ 	{
+ 		/* Error */
+ 		lprintf(LOG_DEBUG, "ERROR: decrypt update failed");
+@@ -277,7 +277,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_
+ 	{
+ 		uint32_t tmplen;
+
+-		if (!EVP_DecryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen))
++		if (!EVP_DecryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen))
+ 		{
+ 			char buffer[1000];
+ 			ERR_error_string(ERR_get_error(), buffer);
+@@ -290,7 +290,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_
+ 		{
+ 			/* Success */
+ 			*bytes_written += tmplen;
+-			EVP_CIPHER_CTX_cleanup(&ctx);
++			EVP_CIPHER_CTX_free(ctx);
+ 		}
+ 	}
+

manifest

@@ -397,14 +397,13 @@ f usr/openldap/bin/ldapmodrdn 0555 root bin
 f usr/openldap/bin/ldappasswd 0555 root bin
 f usr/openldap/bin/ldapsearch 0555 root bin
 f usr/openldap/bin/ldapurl 0555 root bin
+f usr/openldap/bin/ldapvc 0555 root bin
 f usr/openldap/bin/ldapwhoami 0555 root bin
 d usr/openldap/lib 0755 root bin
-s usr/openldap/lib/liblber-2.4.so.2=liblber-2.4.so.2.7.1
-f usr/openldap/lib/liblber-2.4.so.2.7.1 0555 root bin
-s usr/openldap/lib/libldap-2.4.so.2=libldap-2.4.so.2.7.1
-f usr/openldap/lib/libldap-2.4.so.2.7.1 0555 root bin
-s usr/openldap/lib/libldap_r-2.4.so.2=libldap_r-2.4.so.2.7.1
-f usr/openldap/lib/libldap_r-2.4.so.2.7.1 0555 root bin
+s usr/openldap/lib/liblber-2.5.so.0=liblber-2.5.so.0.1.3
+f usr/openldap/lib/liblber-2.5.so.0.1.3 0555 root bin
+s usr/openldap/lib/libldap-2.5.so.0=libldap-2.5.so.0.1.3
+f usr/openldap/lib/libldap-2.5.so.0.1.3 0555 root bin
 d usr/openldap/share 0755 root bin
 d usr/openldap/share/man 0755 root bin
 d usr/openldap/share/man/man1 0755 root bin
@@ -417,6 +416,7 @@ f usr/openldap/share/man/man1/ldapmodrdn.1 0444 root bin
 f usr/openldap/share/man/man1/ldappasswd.1 0444 root bin
 f usr/openldap/share/man/man1/ldapsearch.1 0444 root bin
 f usr/openldap/share/man/man1/ldapurl.1 0444 root bin
+f usr/openldap/share/man/man1/ldapvc.1 0444 root bin
 f usr/openldap/share/man/man1/ldapwhoami.1 0444 root bin
 d usr/openldap/share/man/man5 0755 root bin
 f usr/openldap/share/man/man5/ldap.conf.5 0444 root bin
@@ -428,13 +428,21 @@ f usr/sbin/lldpneighbors 0555 root bin
 # openssl
 f usr/bin/amd64/openssl 0555 root bin
 s usr/sfw/bin/amd64/openssl=../../../bin/amd64/openssl
+f lib/amd64/libcrypto-smartos.so.3 0755 root bin
 f lib/amd64/libsunw_crypto.so.1.0.0 0755 root bin
+s usr/lib/amd64/libcrypto-smartos.so.3=../../../lib/amd64/libcrypto-smartos.so.3
 s usr/lib/amd64/libsunw_crypto.so.1.0.0=../../../lib/amd64/libsunw_crypto.so.1.0.0
+f lib/amd64/libssl-smartos.so.3 0755 root bin
 f lib/amd64/libsunw_ssl.so.1.0.0 0755 root bin
+s usr/lib/amd64/libssl-smartos.so.3=../../../lib/amd64/libssl-smartos.so.3
 s usr/lib/amd64/libsunw_ssl.so.1.0.0=../../../lib/amd64/libsunw_ssl.so.1.0.0
+f lib/libcrypto-smartos.so.3 0755 root bin
 f lib/libsunw_crypto.so.1.0.0 0755 root bin
+s usr/lib/libcrypto-smartos.so.3=../../lib/libcrypto-smartos.so.3
 s usr/lib/libsunw_crypto.so.1.0.0=../../lib/libsunw_crypto.so.1.0.0
+f lib/libssl-smartos.so.3 0755 root bin
 f lib/libsunw_ssl.so.1.0.0 0755 root bin
+s usr/lib/libssl-smartos.so.3=../../lib/libssl-smartos.so.3
 s usr/lib/libsunw_ssl.so.1.0.0=../../lib/libsunw_ssl.so.1.0.0
 f usr/bin/openssl 0555 root bin
 s usr/sfw/bin/openssl=../../bin/openssl

node.js/Makefile

@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright 2020 Joyent, Inc.
+# Copyright 2021 Joyent, Inc.
 #
 
 MAJOR_VER =	0.10
@@ -29,6 +29,13 @@ include ../Makefile.defs
 NODE_ROOT =	$(DESTDIR)/usr/node/$(MAJOR_VER)
 VERSIONJS =	$(NODE_ROOT)/node_modules/platform_node_version.js
 
+#
+# Because we're stuck with OpenSSL 1.0.x, and the shared-openssl-includes below
+# appear to be blown-off by Node's autoconf, be a little more forceful, and
+# a little more immediate.
+#
+CPPFLAGS += -I$(DESTDIR)/opt/1x
+
 #
 # ../deps/v8/src/objects.h:5188:44: error: left operand of shift expression
 # '(-1 << 3)' is negative
@@ -74,10 +81,10 @@ endif
 AUTOCONF_OPTS += \
 	--with-dtrace \
 	--without-snapshot \
-	--openssl-use-sys \
-	--openssl-libpath=$(DESTDIR)/lib \
-	--openssl-includes=$(DESTDIR)/usr/include \
-	--shared-openssl-libname=sunw_crypto,sunw_ssl \
+	--shared-openssl \
+	--shared-openssl-includes=$(DESTDIR)/opt/1x \
+	--shared-openssl-libpath=$(DESTDIR)/lib \
+	--shared-openssl-libname=sunw1x_crypto,sunw1x_ssl \
 	--shared-zlib \
 	--shared-zlib-libpath=$(DESTDIR)/lib \
 	--shared-zlib-includes=$(DESTDIR)/usr/include \

openldap/Makefile

@@ -18,10 +18,10 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2012, Joyent, Inc.  All rights reserved.
+# Copyright 2021 Joyent, Inc.
 #
 
-VER =	openldap-2.4.26
+VER =	openldap-2.5.8
 
 include ../Makefile.defs