Add OpenSSL

[nazar-pc]

This adds OpenSSL 1.1.1k

Important notes:

• abuses Node.js
• doesn't support ASM on Windows (there are TODOs in code if anyone cares to test)
• includes scripting for building release archive with generated files, will generate files with meson setup if those aren't present already
• includes readme that describes design decisions and other important details
• can build both libraries (libcrypto and libssl) and openssl executable
• tested on Linux x86-64 (Ubuntu and Alpine), macOS 11 x86-64 and Windows Server 2019 (MinWG GCC 8.1.0, Clang 12.0.1 and MSVC 19.29.30038.1 with GitHub Actions)

Fixes #109

[jpakkane]

Thanks for working on this, there seems to be a fair bit of demand for it. However there is a policy issues to note:

Wrapdb uses the exact unmodified release file provided by upstream. Thus a package called openssl must contain the "official" OpenSSL release tarball, not any fork of it.

[nazar-pc]

Should I rename it to openssl-quic then, do you think that would be fair? I think it would be nice to get this in under any name.

Making this work with upstream OpenSSL is possible, but it is going to be very, very messy and I'd rather reuse the work done by Node.js.

[nazar-pc]

Hm, sanity_checks.py doesn't like tooling files that I have added. I think they are quite important to have to be able to upgrade to never OpenSSL releases, do you have suggestions on what to do about those, maybe I should place them in a different directory?

I will try to replace OpenSSL with upstream version and see how it goes.

[nazar-pc]

Yeah, I made it work with upstream OpenSSL and it got really messy (all of generated-config folder is auto-generated) and is the reason of huge diff.

If this is acceptable and sanity_checks.py can be tweaked to not complain this should be it.

[nazar-pc]

Split changes into 2 commits to ease review: one without auto-generated files and another with just generated files

[jpakkane]

Nice. Though this now faces its own problem. Because OpenSSL is security critical, shipping prebuilt source files that come from "somewhere" is problematic. If downstream developers want to audit the full product (as they should and many do) then they need to go through all that code.

Ideally those asm files would get regenerated during Meson reconfigure. That is probably a fair bit of work, though. Would it be possible to only support the asmless version for now and not provide any of those asm files? The generation logic can be added later if there is a demand for it.

[nazar-pc]

If downstream developers want to audit the full product (as they should and many do) then they need to go through all that code.

It is not necessarily as bad. update-build-files.sh providcan be used to re-generate those files on demand, so anyone can clone the repo, run the script on their machine and confirm that generated files match those that are present in the repository, were not modified in any way and come directly from OpenSSL source files.

Ideally those asm files would get regenerated during Meson reconfigure. That is probably a fair bit of work, though.

Ideally yes, but on top of being significant amount of work (though certainly doable), it is also a challenge for adoption since it will add Perl 5 as a dependency for build process for instance. Mediasoup wants to migrate away from GYP (which made me start this in the first place) and adding Perl to build dependencies for all users (especially on Windows) would be a challenge.

Would it be possible to only support the asmless version for now and not provide any of those asm files?

Certainly possible, but there are some simple generated header files even for non-asm cases as you can see here for example: https://github.com/nazar-pc/wrapdb/tree/6737e80d4aa76d651132fef4c926916437b354b3/subprojects/packagefiles/openssl/generated-config/archs/linux-x86_64/no-asm

Also there is already an option in meson_options.txt called openssl_asm that one can set to false and disable ASM if so desired.

[tp-m]

I haven't looked at this yet, but I was wondering if it was possible to not require perl5 as build-time dep, but then instead have an optional target that uses perl to regenerate/verify the produced/shipped build files in some way (which could be run on a CI for example).

I agree we need confidence, but if perl is required for the build that'd render it useless for the purpose I wanted an openssl wrap for most (which is for gst-build on Windows).

[xclaesse]

If perl is required then better use external-project module, a lot less work for us... IMHO the whole point here is to not require it.

I'm not sure I'm comfortable with supporting a non trivial fork of the build system for such a core security module, it means we need to be reactive in updating the wrap for each security fixes... I feel we are understaffed for that unless @nazar-pc commits himself in doing that for the years to come.

That said, it is super useful in ci or developer use-cases, but when a product that uses OpenSSL is distributed it probably should not rely on the wrap. Thinking out loud here, but a warning() in the meson.build could be needed?

[jpakkane]

One way of not having a Perl dependency is to rewrite the scripts to Python. Which is some amount of work, yes, but it only needs to be done once.

[nazar-pc]

I have a suspicion you might underestimate a bit the involvement of Perl in OpenSSL. For instance, Perl is used as a templating language to conditionally generate platform-specific versions of assembly files like here: https://github.com/openssl/openssl/blob/ca001524971ccd595bc0e9843611e6784adfc981/crypto/aes/asm/aes-x86_64.pl

I do not think it is feasible to do anything except actually using real Perl during build time in such cases or pre-generating all of such files (that this PR does, really smart workaround by Node.js authors). So it is not just the "external" build system that wraps everything together, it is inherent to OpenSSL implementation in general.

[jpakkane]

I have a suspicion you might underestimate a bit the involvement of Perl in OpenSSL.

I have done my fair share of converting old Perl code to Python. I'm not saying that it would be easy or that it would not take effort. Most definitely it would. But we have the advantage that WrapDB does not need to support all of OpenSSL. Starting with no ASM at all is already functional (if not as performant) as I understand it. Then adding x64_64, arm32, aarch64 and maybe x86 would get most use cases. People who care about the remaining platforms can then submit fixes to their arches if they find it useful.

Trying chomp all of OpenSSL in a single bite would most definitely lead to failure, so let's not even try.

[nazar-pc]

That is fair, but I don't see how ASM support can be added without Perl at the moment, except if maintaining a significantly diverged fork.

And no-ASM version leaves a lot of performance on the table, for mediasoup the difference in CPU usage with -O3 was ~2x, hence it would be a serious downgrade if migration from GYP to Meson would also imply 2x CPU usage increase there.

A healthier solution would be if upstream could include these pre-generated files in official tarballs, but I haven't seen too much enthusiasm in actively supporting other build systems from tickets in their repo.

[xclaesse]

maybe far fetched, but... is it possible to build perl as subproject? Are there stripped down versions of perl that could be enough for openssl build system?

[nirbheek]

Do I understand correctly that Perl is only needed to generate those files? If so, maybe we can make the generated files reproducible, and have a CI step that verifies that the checked-in files are the same as would be generated by the openssl Perl-based build system?

Having looked at the openssl build system in detail (for painful-to-remember reasons), I agree with Nazar that it is not feasible to port it to Python. Even if you could spend the dozens / hundreds of hours needed to do that, keeping it in-sync with upstream changes would be too hard.

I like this approach overall, but the auditability of the generateds file is something we need to fix.

[nirbheek]

In the interest of getting something merged, maybe it makes sense to publish a non-ASM version first and then we can figure out how to fix the generated files issue? Is that possible? That would enable subproject use of openssl for development use at least, which is valuable.

Generated headers are easier to audit than generated assembly.

[xclaesse]

If so, maybe we can make the generated files reproducible, and have a CI step that verifies that the checked-in files are the same as would be generated by the openssl Perl-based build system?

We could special-case OpenSSL in WrapDB CI script and generate those files when generating the patch tarball. That way we don't even have to check them in.

[nazar-pc]

Is there anything I can do here to move things forward somehow?

[nirbheek]

Is there anything I can do here to move things forward somehow?

Yes, like I said above, I think for a first iteration it would be ok to not generate assembly and only generate (and check-in) headers. I can do the review for those.

The next step would be what Xavier said.

[nazar-pc]

I can do that. What about files that do not pass sanity check script, do you want me to move them somewhere else, like creating a directory in the root of the repo?

[nirbheek]

What does sanity_checks.py do, exactly? Is that something you've added or something that node.js has added? I couldn't find it in the review commit that contains non-generated files.

[nirbheek]

Oh that's the wrapdb script. nvm. Let me take a look.

[nirbheek]

@xclaesse should we add a per-project list of extensions that are permitted? In a file that's named something obvious like EXTRA_PERMITTED_FILE_EXTS?

[xclaesse]

@xclaesse should we add a per-project list of extensions that are permitted? In a file that's named something obvious like EXTRA_PERMITTED_FILE_EXTS?

I don't mind having some specific exceptions, yes. Many wraps actually don't pass the sanity check already, the idea is we'll need to fix or whitelist when someone update them.

[nazar-pc]

Updated PR with just non-ASM header files

[eli-schwartz]

What tradeoff? :D The current state of affairs is that it only works on *nix CI and via downloading the generated release archive, this is a pure win if now "some of the time it no longer fails with -Dwraps=openssl"

[nirbheek]

LGTM, I will test it locally too (comparing compiler invocations) and then we can merge it.

[nirbheek]

I've casually compared build lines between OpenSSL's make-based build system and this Meson port and besides what I have commented, the rest looks good. Nice work!

[nirbheek]

Okay, all looks good to me. Let's merge this!

@xclaesse @jpakkane one of you should do it since I am not sure if just hitting the merge button is enough for wrapdb.

[nirbheek]

Oh also we probably want to squash it all (while retaining the commit messages).

[eli-schwartz]

I don't think any of the commit messages are useful for wrapdb history, they all express facts about that commit's difference from the previous unready commit which is only relevant to the PR process itself -- and IMO, force-pushing already shows the range-diff (or something close enough).

Squashing is especially important, because some of those commits include approaches which were ultimately rejected, like checking in tons of generated files... one reason for which was "this bloats the repository quite a bit, all things considered".

So this really needs to be properly squashed and the commit messages cleaned up before merging.

[nazar-pc]

I don't think incremental commit messages are important in this case as this is the initial implementation. You can squash everything during merge, such that PR will still have multiple commits for history, but there will be just one merged commit. Or I can squash and force-push if you prefer it.

[xclaesse]

Yes please squash and force push to the PR.

[nazar-pc]

Are we just waiting for someone to click a button or is there something else left to be done?