From e2a2673873e4364ea669439cbe58f478bc3a3b64 Mon Sep 17 00:00:00 2001 From: Karen Arutyunov Date: Tue, 21 Jan 2020 15:38:48 +0300 Subject: Release version 1.1.1+9 Enable zlib usage Don't define default directory paths Fix 'sslv3 alert bad record mac' failure for some libcrypto function calls --- README-DEV | 23 ++-- libcrypto/libcrypto/buildfile | 130 ++++++++++----------- .../libcrypto/downstream/openssl/opensslconf.h | 25 ++-- libcrypto/libcrypto/libcrypto.def | 1 + libcrypto/libcrypto/libcrypto.map | 1 + libcrypto/manifest | 3 +- libcrypto/tests/basic/driver.c | 3 +- libcrypto/tests/basic/testscript | 6 +- libssl/libssl/buildfile | 9 ++ libssl/manifest | 2 +- libssl/tests/basic/driver.c | 3 +- openssl/manifest | 2 +- openssl/openssl/buildfile | 9 ++ openssl/tests/encryption.testscript | 9 ++ openssl/tests/version.testscript | 6 +- repositories.manifest | 4 + 16 files changed, 131 insertions(+), 105 deletions(-) create mode 100644 openssl/tests/encryption.testscript diff --git a/README-DEV b/README-DEV index bff01af..3a44f62 100644 --- a/README-DEV +++ b/README-DEV 
@@ -61,17 +61,17 @@ The union of these feature sets translates into the following options, after suppressing the defaults: enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method - enable-weak-ssl-ciphers no-mdc2 enable-zlib + enable-weak-ssl-ciphers enable-zlib no-mdc2 -We drop enable-zlib (compress before encryption) and enable-sctp (both used by -Fedora only) not to create external dependencies. Besides that, we add no-asm -to suppress replacing C code with auto-generated ASM code for some algorithms. -Later, we can potentially pre-generate ASM code for architectures we support -and get rid of this option. Also we add no-devcryptoeng as devcryptoeng is -automatically enabled on BSDs. So the resulting options are: +We, however, drop the external dependencies that are not packaged for build2. +Besides that, we add no-asm to suppress replacing C code with auto-generated +ASM code for some algorithms. Later, we can potentially pre-generate ASM code +for architectures we support and get rid of this option. Also we add +no-devcryptoeng as devcryptoeng is automatically enabled on BSDs. So the +resulting options are: enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers - no-mdc2 no-asm no-devcryptoeng + enable-zlib no-mdc2 no-asm no-devcryptoeng Note that while we can use the upstream/INSTALL file to understand which of the 'enable-' or 'no-' options are the default ones, it is a @@ -90,7 +90,8 @@ On POSIX and for MinGW GCC: $ mkdir build $ cd build $ ../config enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \ - enable-weak-ssl-ciphers no-mdc2 no-asm no-devcryptoeng >build.log 2>&1 + enable-weak-ssl-ciphers enable-zlib no-mdc2 no-asm no-devcryptoeng \ + >build.log 2>&1 $ make VERBOSE=1 >>build.log 2>&1 For MSVC: 
@@ -98,8 +99,8 @@ For MSVC: > mkdir build > cd build > perl ../Configure VC-WIN64A enable-md2 enable-rc5 enable-ssl3 ^ - enable-ssl3-method enable-weak-ssl-ciphers no-mdc2 no-asm no-devcryptoeng ^ - >build.log 2>&1 + enable-ssl3-method enable-weak-ssl-ciphers enable-zlib no-mdc2 no-asm ^ + no-devcryptoeng >build.log 2>&1 > nmake VERBOSE=1 >>build.log 2>&1 Note that when building with MSVC (as of 15.5) you may need to remove the diff --git a/libcrypto/libcrypto/buildfile b/libcrypto/libcrypto/buildfile index 69380a7..0b794ac 100644 --- a/libcrypto/libcrypto/buildfile +++ b/libcrypto/libcrypto/buildfile @@ -2,24 +2,28 @@ # copyright : Copyright (c) 2018-2019 Code Synthesis Ltd # license : OpenSSL and SSLeay Licenses; see accompanying LICENSE file +import imp_libs = libz%lib{z} + # Exclude source code of unused features (engines, disabled algorithms, etc). # # Note: crypto/LPdir_*.c and crypto/des/ncbc_enc.c are actually headers. # -lib{crypto}: {h }{** -buildinf-body} \ - {h }{buildinf-body} \ - crypto/{ c}{** -LPdir_* -*cap \ - -aes/aes_x86core \ - -bn/asm/x86_64-gcc \ - -des/ncbc_enc \ - -ec/ecp_nistz256* \ - -engine/eng_devcrypto \ - -mdc2/** \ - -poly1305/poly1305_ieee754 \ - -poly1305/poly1305_base2_44} \ - { def}{libcrypto} \ - crypto/{file}{LPdir_*.c des/ncbc_enc.c} \ - {file}{libcrypto.map} +lib{crypto}: {h }{** -buildinf-body} \ + {h }{buildinf-body} \ + crypto/{ c}{** -LPdir_* -*cap \ + -aes/aes_x86core \ + -bn/asm/x86_64-gcc \ + -bn/rsaz_exp \ + -des/ncbc_enc \ + -ec/ecp_nistz256* \ + -engine/eng_devcrypto \ + -mdc2/** \ + -poly1305/poly1305_ieee754 \ + -poly1305/poly1305_base2_44} \ + { def}{libcrypto} \ + crypto/{file}{LPdir_*.c des/ncbc_enc.c} \ + {file}{libcrypto.map} \ + $imp_libs # Symlinked where appropriate. # 
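Review bot: The new `-bn/rsaz_exp` entry in the `crypto/{c}{...}` exclusion list of libcrypto/buildfile has no explanation, and the comment above the list only mentions unused features and the two files that are really headers. From the hunk alone it is not possible to tell whether this bignum source is dropped because it is unused under `no-asm` or because of the 'bad record mac' failure named in the commit message. Extend the comment above the list with one line giving the reason, e.g. `# Note: bn/rsaz_exp is excluded because <reason>.`, so that a later upstream upgrade can re-evaluate the exclusion instead of carrying it blindly.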
@@ -39,7 +43,11 @@ windows = ($tclass == 'windows') # Pass -DLIBCRYPTO_BUILD to define the above macros only while building the # libcrypto library. # -c.poptions += -DLIBCRYPTO_BUILD +# Note that upstream also passes -DNDEBUG. Let's omit it for now to enable +# assertions to gain some extra confidence that we didn't break anything while +# packaging. +# +c.poptions += -DLIBCRYPTO_BUILD -DZLIB # Note that the upstream package uses -pthread compiler/linker option on # Linux and FreeBSD. The option is currently unsupported by build2, so we use 
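Review bot: Leaving out `-DNDEBUG` in `c.poptions += -DLIBCRYPTO_BUILD -DZLIB` changes runtime behaviour and is not only a packaging aid, and the new comment should say so. With assertions compiled in, a failed internal check terminates the process instead of returning an error; as far as I recall, upstream's internal assertion helper degrades to an error return only under NDEBUG, which is worth confirming against the upstream headers since they are not part of this diff. For a library that parses peer-supplied data, that can turn a handled error into a crash of the host application. Either add `-DNDEBUG` here to match upstream, or extend the note with something like `# TODO: pass -DNDEBUG once the packaging is validated; assertions abort the process.` The same comment is repeated in the libssl and openssl buildfile hunks.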
@@ -105,61 +113,6 @@ switch $c.class } } -# Define the OPENSSLDIR and ENGINESDIR macros as the upstream package does it -# in the most of cases. -# -# Note that upstream defines them differently for some -# platforms/distributions. For example, it defines ENGINESDIR as -# /usr/local/lib64/engines-1.1 on Fedora and /usr/local/lib/engines-1_1 for -# MinGW GCC (which doesn't make much sense). -# -# Also note that Linux distributions may define them differently. For example: -# -# Debian/Ubuntu: /usr/lib/ssl and /usr/lib/x86_64-linux-gnu/engines-1.1 -# Fedora/RHEL: /etc/pki/tls and /usr/lib64/engines-1.1 -# -# Overall, the thinking is that if any of these directories are actually -# needed, then one should probably be using the system-installed OpenSSL. -# -lib_version = ($version.pre_release ? "$version.project_id" : "$abi_version") - -if! $windows -{ - root = ($install.root != [null] \ - ? $install.resolve($install.root) \ - : [dir_path] /usr/local) - - lib = ($install.root != [null] \ - ? $install.resolve($install.lib) \ - : $root/lib) - - openssldir = "$root/ssl" - enginesdir = "$lib/engines-$lib_version" -} -else -{ - arc = ($i686 ? ' (x86)' : '') - - root = ($install.root != [null] \ - ? $install.resolve($install.root) \ - : [dir_path] "C:/Program Files$arc/Common Files") - - lib = ($install.root != [null] \ - ? $install.resolve($install.lib) \ - : [dir_path] "C:/Program Files$arc/OpenSSL/lib") - - openssldir = "$root/SSL" - enginesdir = "$lib/engines-$regex.replace($lib_version, '-', '_')" -} - -# Escape backslashes and quotes in the directory paths prior to representing -# them as C string literals. -# -od = $regex.replace($openssldir, '(\\|")', '\\\1') -ed = $regex.replace($enginesdir, '(\\|")', '\\\1') - -c.poptions += -DOPENSSLDIR="\"$od\"" -DENGINESDIR="\"$ed\"" - # Escape backslashes and quotes in the compilation flags and substitute them # into internal/buildinf-body.h as string literals, one per line. # 
@@ -185,6 +138,38 @@ crypto/ c.poptions =+ "-I$src_base/include" crypto/evp/ c.poptions =+ "-I$src_root/libcrypto/crypto/modes" crypto/ec/curve448/ c.poptions =+ "-I$src_base" "-I$src_base/arch_32" +# Note that upstream defines OPENSSLDIR and ENGINESDIR differently for +# different platforms/distributions. For example, it defines ENGINESDIR as +# /usr/local/lib64/engines-1.1 on Fedora and /usr/local/lib/engines-1_1 for +# MinGW GCC (which doesn't make much sense). +# +# Also note that Linux distributions may also define them differently. For +# example: +# +# Debian/Ubuntu: /usr/lib/ssl and /usr/lib/x86_64-linux-gnu/engines-1.1 +# Fedora/RHEL: /etc/pki/tls and /usr/lib64/engines-1.1 +# +# We will not define these directories as there is no guarantee that they +# exist and contain data that is safe to use. Overall, the thinking is that if +# any of these directories are actually needed, then one should probably be +# using the system-installed OpenSSL or configure these directories manually +# at runtime (e.g., via environment variables, API, etc). +# +# Note that we cannot just leave the macros undefined as the project will fail +# to compile. Using empty paths may seem like a good idea but will end up in +# potentially existing filesystem entries (/certs, /cert.pem, etc; see +# upstream's cryptlib.h). Thus, we define them as "\0" which results in the +# empty string literal for the macros defined as follows: +# +# # define X509_CERT_DIR OPENSSLDIR "/certs" +# +# Also note that for the crypto/obj{cversion} target we instead need to leave +# OPENSSLDIR and ENGINESDIR undefined not to break strings used by the +# OpenSSL_version() function (see crypto/cversion.c for details). +# +ns = $regex.apply({**.c -crypto/cversion.c}, '.c$', '') +obj{$ns}: c.poptions += -DOPENSSLDIR='"\0"' -DENGINESDIR='"\0"' + crypto/obj{cversion}: c.poptions =+ "-I$src_root/libcrypto/downstream/internal" switch $tclass, $tsys 
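Review bot: Nothing in the commit tests the property this hunk relies on, namely that the `"\0"` definition makes the derived default paths empty strings; the updated testscripts only check the `OPENSSLDIR: N/A` text, which comes from `crypto/cversion.c`, the one file excluded from `-DOPENSSLDIR='"\0"' -DENGINESDIR='"\0"'`. A check in `tests/basic/driver.c` such as `assert (*X509_get_default_cert_dir () == '\0');` would catch a regression where a default lookup falls back to `/certs` or `/cert.pem`. The comment could also state the consequence for users: with no built-in trust store or configuration location, default-path certificate loading finds nothing, so applications must supply CA locations explicitly. The trick holds only where the macro is consumed as a C string after literal concatenation, so any upstream use that depends on the literal's size would need a look on upgrade.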
@@ -229,7 +214,10 @@ lib{crypto}: cc.export.poptions = "-I$src_base/downstream" "-I$src_base" # See bootstrap.build for details. # -lib{crypto}: bin.lib.version = @"-$lib_version" +if $version.pre_release + lib{crypto}: bin.lib.version = @"-$version.project_id" +else + lib{crypto}: bin.lib.version = @"-$abi_version" # Install headers from the upstream and downstream openssl/ subdirectories # only. diff --git a/libcrypto/libcrypto/downstream/openssl/opensslconf.h b/libcrypto/libcrypto/downstream/openssl/opensslconf.h index f6692c8..810306b 100644 --- a/libcrypto/libcrypto/downstream/openssl/opensslconf.h +++ b/libcrypto/libcrypto/downstream/openssl/opensslconf.h @@ -7,13 +7,9 @@ #define LIBCRYPTO_DOWNSTREAM_OPENSSL_OPENSSLCONF_H /* - * Include upstream's auto-generated platform-specific opensslconf.h. - */ -#include - -/* - * Define OPENSSL_PIC and {L|B}_ENDIAN macros if we are building libcrypto - * (see ../../buildfile for details). + * Define OPENSSL_PIC and {L|B}_ENDIAN macros (that upstream defines on the + * command line via -D) if we are building libcrypto (see ../../buildfile for + * details). */ #ifdef LIBCRYPTO_BUILD # define OPENSSL_PIC @@ -26,13 +22,17 @@ # else # if defined(_WIN32) # ifndef BYTE_ORDER -# define BYTE_ORDER LITTLE_ENDIAN +# define BIG_ENDIAN 4321 +# define LITTLE_ENDIAN 1234 +# define BYTE_ORDER LITTLE_ENDIAN # endif # else -# include /* BYTE_ORDER/__BYTE_ORDER */ +# include /* BYTE_ORDER/__BYTE_ORDER */ # ifndef BYTE_ORDER # ifdef __BYTE_ORDER -# define BYTE_ORDER __BYTE_ORDER +# define BYTE_ORDER __BYTE_ORDER +# define BIG_ENDIAN __BIG_ENDIAN +# define LITTLE_ENDIAN __LITTLE_ENDIAN # else # error no BYTE_ORDER/__BYTE_ORDER define # endif @@ -47,4 +47,9 @@ # endif #endif +/* + * Include upstream's auto-generated platform-specific opensslconf.h. + */ +#include + #endif /* LIBCRYPTO_DOWNSTREAM_OPENSSL_OPENSSLCONF_H */ diff --git a/libcrypto/libcrypto/libcrypto.def b/libcrypto/libcrypto/libcrypto.def index 195c0df..860c233 100644 
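Review bot: The byte-order block in the second opensslconf.h hunk still has no check that `BIG_ENDIAN` and `LITTLE_ENDIAN` are both defined before `BYTE_ORDER` is compared with them. In a preprocessor `#if` an undefined name evaluates to 0, so a platform that has `BYTE_ORDER` but lacks the two constants would select an endianness silently; that looks like the failure the added `# define BIG_ENDIAN 4321` and `# define LITTLE_ENDIAN 1234` lines address for `_WIN32`, although the comparison itself is outside the hunk, so this is inferred. Adding `# if !defined(BIG_ENDIAN) || !defined(LITTLE_ENDIAN)`, `# error no BIG_ENDIAN/LITTLE_ENDIAN define`, `# endif` after the detection would turn that into a build error instead of wrong cipher or MAC output at run time. In the `__BYTE_ORDER` branch the two new defines are also unguarded and would redefine constants that a system header may already provide.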
--- a/libcrypto/libcrypto/libcrypto.def +++ b/libcrypto/libcrypto/libcrypto.def @@ -355,6 +355,7 @@ EXPORTS BIO_f_nbio_test BIO_f_null BIO_f_reliable + BIO_f_zlib BIO_fd_non_fatal_error BIO_fd_should_retry BIO_find_type diff --git a/libcrypto/libcrypto/libcrypto.map b/libcrypto/libcrypto/libcrypto.map index 0cb9c89..69e37a2 100644 --- a/libcrypto/libcrypto/libcrypto.map +++ b/libcrypto/libcrypto/libcrypto.map @@ -291,6 +291,7 @@ OPENSSL_1_1_0 { BIO_f_nbio_test; BIO_f_null; BIO_f_reliable; + BIO_f_zlib; BIO_fd_non_fatal_error; BIO_fd_should_retry; BIO_find_type; diff --git a/libcrypto/manifest b/libcrypto/manifest index 7e1b433..29a223d 100644 --- a/libcrypto/manifest +++ b/libcrypto/manifest @@ -3,7 +3,7 @@ name: libcrypto # Note: remember to update doc-url below! # -version: 1.1.1+8 +version: 1.1.1+9 upstream-version: 1.1.1d project: openssl @@ -22,3 +22,4 @@ build-error-email: builds@build2.org builds: all depends: * build2 >= 0.12.0 depends: * bpkg >= 0.12.0 +depends: libz >= 1.2.1100 diff --git a/libcrypto/tests/basic/driver.c b/libcrypto/tests/basic/driver.c index d398269..2206c22 100644 --- a/libcrypto/tests/basic/driver.c +++ b/libcrypto/tests/basic/driver.c @@ -1,5 +1,4 @@ -/* - * file : tests/basic/driver.c +/* file : tests/basic/driver.c * copyright : Copyright (c) 2009-2019 Code Synthesis Tools CC * license : OpenSSL and SSLeay Licenses; see accompanying LICENSE file */ diff --git a/libcrypto/tests/basic/testscript b/libcrypto/tests/basic/testscript index bb6d094..aa7d09d 100644 --- a/libcrypto/tests/basic/testscript +++ b/libcrypto/tests/basic/testscript @@ -6,7 +6,7 @@ $* >>~"%EOO%" version: OpenSSL 1.1.1d 10 Sep 2019 %built on: .+ UTC% %platform: $c.target.class-$c.target.cpu% - %compiler: $c.class .*-DLIBCRYPTO_BUILD .*-DOPENSSLDIR=".+" -DENGINESDIR=".+".*% - %OPENSSLDIR: ".+"% - %ENGINESDIR: ".+"% + %compiler: $c.class .*-DLIBCRYPTO_BUILD -DZLIB .*% + OPENSSLDIR: N/A + ENGINESDIR: N/A EOO 
diff --git a/libssl/libssl/buildfile b/libssl/libssl/buildfile index 6b41c17..7be45fe 100644 --- a/libssl/libssl/buildfile +++ b/libssl/libssl/buildfile @@ -11,6 +11,15 @@ tsys = $c.target.system # Build options. # +# Note that libssl doesn't use zlib directly. However, it may use +# functionality that libcrypto additionally provides when zlib is enabled. +# +# Also note that upstream also passes -DNDEBUG. Let's omit it for now to +# enable assertions to gain some extra confidence that we didn't break +# anything while packaging. +# +c.poptions += -DZLIB + # Drop -DOPENSSL_PIC, -D{L|B}_ENDIAN, -DOPENSSLDIR and -DENGINESDIR as they # are not used in the libssl source code nor in the libcrypto public headers. # diff --git a/libssl/manifest b/libssl/manifest index 412b39b..f685ac7 100644 --- a/libssl/manifest +++ b/libssl/manifest @@ -3,7 +3,7 @@ name: libssl # Note: remember to update doc-url below! # -version: 1.1.1+8 +version: 1.1.1+9 upstream-version: 1.1.1d project: openssl diff --git a/libssl/tests/basic/driver.c b/libssl/tests/basic/driver.c index 56e9c5f..8f526e6 100644 --- a/libssl/tests/basic/driver.c +++ b/libssl/tests/basic/driver.c @@ -1,5 +1,4 @@ -/* - * file : tests/basic/driver.c +/* file : tests/basic/driver.c * copyright : Copyright (c) 2009-2019 Code Synthesis Tools CC * license : OpenSSL and SSLeay Licenses; see accompanying LICENSE file */ diff --git a/openssl/manifest b/openssl/manifest index 6b30ea6..a90ba1e 100644 --- a/openssl/manifest +++ b/openssl/manifest @@ -3,7 +3,7 @@ name: openssl # Note: remember to update doc-url below! # -version: 1.1.1+8 +version: 1.1.1+9 upstream-version: 1.1.1d priority: security diff --git a/openssl/openssl/buildfile b/openssl/openssl/buildfile index f9e317a..8cc2107 100644 --- a/openssl/openssl/buildfile +++ b/openssl/openssl/buildfile 
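Review bot: The new comment before `c.poptions += -DZLIB` in libssl/buildfile says libssl may use what libcrypto provides when zlib is enabled, but it does not say that this includes TLS-level compression, which README-DEV previously gave as the reason to drop `enable-zlib` ("compress before encryption"). Compressing attacker-influenced plaintext together with secrets before encryption leaks information through ciphertext length, so the build should document whether compression stays off unless an application opts in. I believe this upstream version keeps record compression disabled by default through `SSL_OP_NO_COMPRESSION`, but that is not visible in the diff and is worth verifying. A line such as `# Note: this makes TLS compression available to applications; it must remain off by default.` would record the intent.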
@@ -16,6 +16,15 @@ exe{openssl}: apps/c{win32_init}: include = $windows # Build options. # +# Note that openssl doesn't use zlib directly. However, it uses functionality +# that libcrypto additionally provide when zlib is enabled. +# +# Also note that upstream also passes -DNDEBUG. Let's omit it for now to +# enable assertions to gain some extra confidence that we didn't break +# anything while packaging. +# +c.poptions += -DZLIB + # Note that the upstream package uses -pthread compiler/linker option on # Linux and FreeBSD. The option is currently unsupported by build2, so we use # -D_REENTRANT and -lpthread preprocessor/linker options instead. diff --git a/openssl/tests/encryption.testscript b/openssl/tests/encryption.testscript new file mode 100644 index 0000000..6326858 --- /dev/null +++ b/openssl/tests/encryption.testscript @@ -0,0 +1,9 @@ +# file : tests/encryption.testscript +# copyright : Copyright (c) 2016-2019 Code Synthesis Ltd +# license : OpenSSL and SSLeay Licenses; see accompanying LICENSE file + +enc = $* aes-256-cbc -e -salt -base64 -md sha256 -pass pass:123 -pbkdf2 +dec = $* aes-256-cbc -d -salt -base64 -md sha256 -pass pass:123 -pbkdf2 + +$enc <'ABC' | $dec >'ABC' : no-zlib +$enc -z <'ABC' | $dec -z >'ABC' : zlib diff --git a/openssl/tests/version.testscript b/openssl/tests/version.testscript index 1759e5f..325ba9b 100644 --- a/openssl/tests/version.testscript +++ b/openssl/tests/version.testscript @@ -7,8 +7,8 @@ $* version -a >>~"%EOO%" %built on: .+ UTC% %platform: $c.target.class-$c.target.cpu% %options: .+% - %compiler: $c.class .*-DLIBCRYPTO_BUILD.*% - %OPENSSLDIR: ".+"% - %ENGINESDIR: ".+"% + %compiler: $c.class .*-DLIBCRYPTO_BUILD -DZLIB .*% + OPENSSLDIR: N/A + ENGINESDIR: N/A %Seeding source: .+% EOO diff --git a/repositories.manifest b/repositories.manifest index 5207655..074f7e4 100644 --- a/repositories.manifest +++ b/repositories.manifest 
@@ -1,2 +1,6 @@
 : 1
 summary: OpenSSL build2 package repository
+
+:
+role: prerequisite
+location: ../../zlib/zlib.git##HEAD
-- cgit v1.1
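Review bot: The new prerequisite `location: ../../zlib/zlib.git##HEAD`, together with the lower-bound-only `depends: libz >= 1.2.1100` added in libcrypto/manifest, leaves the zlib that gets linked into libcrypto unbounded from above. If I read the location fragment correctly, it can also be resolved from whatever HEAD of that repository is at build time. For a cryptographic library that is a supply-chain consideration: a later zlib change reaches every consumer without a corresponding change in this package. Consider bounding the dependency, for example `depends: libz ^1.2.1100` if the minimum supported toolchain accepts that constraint form, or add a comment stating that HEAD is meant for development checkouts only and that published packages resolve zlib from a release repository.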