openssl: start the journey towards v1.1

omniosorg · Aug 23, 2017 · 01f3b09 · 01f3b09
1 parent 76eae03
commit 01f3b09
Show file tree

Hide file tree

Showing 18 changed files with 16,453 additions and 16,284 deletions.
diff --git a/build/curl/build.sh b/build/curl/build.sh
@@ -33,8 +33,7 @@ PKG=web/curl    # Package name (without prefix)
 SUMMARY="$PROG - command line tool for transferring data with URL syntax"
 DESC="$SUMMARY"
 
-DEPENDS_IPS="web/ca-bundle library/security/openssl@1.0.2 library/zlib
-    library/libidn library/nghttp2"
+DEPENDS_IPS="web/ca-bundle library/libidn"
 
 CONFIGURE_OPTS="--enable-thread --with-ca-bundle=/etc/ssl/cacert.pem"
 # curl actually has arch-dependent headers. Boo.

diff --git a/build/git/build.sh b/build/git/build.sh
@@ -36,11 +36,6 @@ DESC="$SUMMARY"
 
 BUILD_DEPENDS_IPS="compatibility/ucb developer/build/autoconf archiver/gnu-tar"
 
-DEPENDS_IPS="runtime/python-27 \
-             web/curl \
-             library/security/openssl@1.0.2 \
-             library/zlib"
-
 TAR=gtar
 
 # For inet_ntop which isn't detected properly in the configure script

diff --git a/build/mercurial/build.sh b/build/mercurial/build.sh
@@ -33,10 +33,7 @@ PKG=developer/versioning/mercurial
 SUMMARY="$PROG - a free and open source, distributed version control system"
 DESC="$SUMMARY"
 
-DEPENDS_IPS="runtime/python-27 \
-             web/curl \
-             library/security/openssl@1.0.2
-             library/zlib"
+DEPENDS_IPS="web/curl library/security/openssl"
 
 # For inet_ntop which isn't detected properly in the configure script
 CONFIGURE_OPTS=""

diff --git a/build/openssl/README b/build/openssl/README
@@ -0,0 +1,23 @@
+
+The openssl package contains both OpenSSL 1.0.x and 1.1.x versions,
+separated by mediators but with the runtime libraries for both always
+present.
+
+OpenSSL 1.0.2 will not reach end-of-life until the end of 2019.
+
+The following packages do not yet build with openssl 1.1
+
+* illumos-omnios
+* developer/versioning/git
+* library/python-2/m2crypto-27
+* library/python-2/pyopenssl-27
+* library/security/trousers
+* network/dns/bind
+* network/openssh
+* network/openssh-server
+* service/network/ntp
+* system/management/ipmitool
+* terminal/tmux
+* web/curl
+* web/wget
+
diff --git a/build/openssl/build.sh b/build/openssl/build.sh
@@ -29,22 +29,18 @@
 . ../../lib/functions.sh
 
 PROG=openssl
-VER=1.0.2l
+VER=1.1.0f
+LVER=1.0.2l
 VERHUMAN=$VER
-PKG=library/security/openssl # Package name (without prefix)
-SUMMARY="$PROG - A toolkit for Secure Sockets Layer (SSL v2/v3) and Transport Layer (TLS v1) protocols and general purpose cryptographic library"
+PKG=library/security/openssl
+SUMMARY="$PROG - A toolkit for Secure Sockets Layer and Transport Layer protocols and general purpose cryptographic library"
 DESC="$SUMMARY"
 
 DEPENDS_IPS="SUNWcs system/library system/library/gcc-5-runtime library/zlib"
 BUILD_DEPENDS_IPS="$DEPENDS_IPS developer/sunstudio12.1"
 
 # Generic configure optons for both 32 and 64bit variants
-OPENSSL_CONFIG_OPTS="
-		--pk11-libname=/usr/lib/libpkcs11.so.1 
-		shared
-		threads
-		zlib
-		enable-ssl2"
+base_OPENSSL_CONFIG_OPTS="shared threads zlib enable-ssl2 enable-ssl3"
 
 # Configure options specific to a 32bit build
 OPENSSL_CONFIG_32_OPTS=""
@@ -73,7 +69,7 @@ configure32() {
 	${OPENSSL_CONFIG_OPTS} \
 	${OPENSSL_CONFIG_32_OPTS} \
         || logerr "Failed to run configure"
-    SHARED_LDFLAGS="-shared -Wl,-z,text"
+    SHARED_LDFLAGS="-shared -Wl,-z,text -Wl,-z,aslr"
 }
 
 configure64() {
@@ -87,13 +83,7 @@ configure64() {
 	${OPENSSL_CONFIG_OPTS} \
 	${OPENSSL_CONFIG_64_OPTS} \
         || logerr "Failed to run configure"
-    SHARED_LDFLAGS="-m64 -shared -Wl,-z,text"
-}
-
-make_install() {
-    logmsg "--- make install"
-    logcmd make INSTALL_PREFIX=$DESTDIR install ||
-        logerr "Failed to make install"
+    SHARED_LDFLAGS="-m64 -shared -Wl,-z,text,-z,aslr"
 }
 
 install_pkcs11()
@@ -114,7 +104,7 @@ ord26() {
 
 save_function make_package make_package_orig
 make_package() {
-    if [[ -n "`echo $VER | grep [a-z]`" ]]; then
+    if echo $VER | egrep -s '[a-z]'; then
         NUMVER=${VER::$((${#VER} -1))}
         ALPHAVER=${VER:$((${#VER} -1))}
         VER=${NUMVER}.$(ord26 ${ALPHAVER})
@@ -134,22 +124,101 @@ move_libs() {
         logerr "Failed to move libs (64-bit)"
 }
 
+version_files() {
+	ver=$2
+	[ -d "$1~" ] || cp -rp "$1" "$1~"
+	pushd $1
+	mv usr/include/openssl usr/include/openssl-$ver
+	for f in usr/bin/*; do
+		mv $f $f-$ver
+	done
+	[ -d usr/share/man ] && mv usr/share/man usr/ssl/man
+
+	mkdir usr/ssl/lib usr/ssl/lib/amd64
+	mv usr/lib/pkgconfig usr/ssl/lib/pkgconfig
+	mv usr/lib/amd64/pkgconfig usr/ssl/lib/amd64/pkgconfig
+	mv lib/llib* lib/lib*.a usr/ssl/lib
+	mv lib/amd64/llib* lib/amd64/lib*.a usr/ssl/lib/amd64
+
+	rm -f lib/lib{crypto,ssl}.so
+	rm -f lib/amd64/lib{crypto,ssl}.so
+
+	[ -d usr/ssl/certs ] && rm -rf usr/ssl/certs
+	(cd usr/ssl; ln -s ../../etc/ssl/certs)
+
+	mv usr/ssl usr/ssl-$ver
+	popd
+}
+
+merge_package() {
+	version_files $DESTDIR `echo $VER | cut -d. -f1-2`
+	version_files $LDESTDIR `echo $LVER | cut -d. -f1-2`
+
+	( cd $LDESTDIR; find . | cpio -pvmud $DESTDIR )
+}
+
 ######################################################################
 
 init
 
-### Openssl 1.0.x build
+######################################################################
+### OpenSSL 1.1.x build
+
+note "Building OpenSSL $VER"
+
+OPENSSL_CONFIG_OPTS="$base_OPENSSL_CONFIG_OPTS --api=1.0.0"
 download_source $PROG $PROG $VER
 patch_source
-install_pkcs11
 prep_build
 build
 run_testsuite
 move_libs
+make_lintlibs crypto /lib /usr/include "openssl/!(asn1_mac|ssl*|*tls*).h"
+make_lintlibs ssl /lib /usr/include "openssl/{ssl,*tls}*.h"
+
+######################################################################
+### OpenSSL 1.0.x build
 
+note "Building OpenSSL $LVER"
+
+oDESTDIR=$DESTDIR
+oPKG=$PKG
+oPKGE=$PKGE
+
+PKG=${PKG}_legacy	# Use different directory for build
+OPENSSL_CONFIG_OPTS="$base_OPENSSL_CONFIG_OPTS"
+OPENSSL_CONFIG_OPTS+=" --pk11-libname=/usr/lib/libpkcs11.so.1"
+BUILDDIR=$PROG-$LVER
+
+# OpenSSL uses INSTALL_PREFIX= instead of DESTDIR=
+make_install() {
+    logmsg "--- make install"
+    logcmd make INSTALL_PREFIX=$DESTDIR install ||
+        logerr "Failed to make install"
+}
+
+PATCHDIR=patches-1.0
+download_source $PROG $PROG $LVER
+patch_source
+install_pkcs11
+prep_build
+build
+run_testsuite test "" testsuite.1.0.log
+move_libs
 make_lintlibs crypto /lib /usr/include "openssl/!(ssl*|*tls*).h"
 make_lintlibs ssl /lib /usr/include "openssl/{ssl,*tls}*.h"
-make_isa_stub
+
+PKG=$oPKG
+PKGE=$oPKGE
+LDESTDIR="$DESTDIR"
+DESTDIR="$oDESTDIR"
+
+######################################################################
+### Packaging
+
+merge_package
+# Use legacy version for the package as long as it's the default mediator
+VER=$LVER
 make_package
 clean_up
 
diff --git a/build/openssl/local.mog b/build/openssl/local.mog
@@ -19,27 +19,92 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2011-2012 OmniTI Computer Consulting, Inc.  All rights reserved.
 # Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
 # Use is subject to license terms.
 
-<transform dir file link path=usr/ssl/man/.* -> \
-    edit path usr/ssl/man usr/share/man>
-
-# Replace usr/ssl/certs with a relative link to etc/ssl/certs
-<transform dir path=usr/ssl/certs -> drop>
-link path=usr/ssl/certs target=../../etc/ssl/certs
+# Drop HTML docs
+<transform dir file path=usr/share/doc -> drop>
 
 # Create symlinks in /usr/lib
-link path=usr/lib/libssl.so target=../../lib/libssl.so.1.0.0
 link path=usr/lib/libssl.so.1.0.0 target=../../lib/libssl.so.1.0.0
-link path=usr/lib/amd64/libssl.so target=../../../lib/amd64/libssl.so.1.0.0
-link path=usr/lib/amd64/libssl.so.1.0.0 target=../../../lib/amd64/libssl.so.1.0.0
-
-link path=usr/lib/libcrypto.so target=../../lib/libcrypto.so.1.0.0
 link path=usr/lib/libcrypto.so.1.0.0 target=../../lib/libcrypto.so.1.0.0
-link path=usr/lib/amd64/libcrypto.so target=../../../lib/amd64/libcrypto.so.1.0.0
+link path=usr/lib/amd64/libssl.so.1.0.0 target=../../../lib/amd64/libssl.so.1.0.0
 link path=usr/lib/amd64/libcrypto.so.1.0.0 target=../../../lib/amd64/libcrypto.so.1.0.0
 
+link path=usr/lib/libssl.so.1.1 target=../../lib/libssl.so.1.1
+link path=usr/lib/libcrypto.so.1.1 target=../../lib/libcrypto.so.1.1
+link path=usr/lib/amd64/libssl.so.1.1 target=../../../lib/amd64/libssl.so.1.1
+link path=usr/lib/amd64/libcrypto.so.1.1 target=../../../lib/amd64/libcrypto.so.1.1
+
+# Mediated libraries
+
+# .. /lib
+<transform file path=lib/(lib[^.]+.so).(\d\.\d)(.*) -> emit \
+    link path=lib/%<1> target=%<1>.%<2>%<3> \
+    mediator=openssl mediator-version=%<2> >
+
+<transform file path=lib/amd64/(lib[^.]+.so).(\d\.\d)(.*) -> emit \
+    link path=lib/amd64/%<1> target=%<1>.%<2>%<3> \
+    mediator=openssl mediator-version=%<2> >
+
+# .. /usr/lib
+<transform file path=lib/(lib[^.]+.so).(\d\.\d)(.*) -> emit \
+    link path=usr/lib/%<1> target=%<1>.%<2>%<3> \
+    mediator=openssl mediator-version=%<2> >
+
+<transform file path=lib/amd64/(lib[^.]+.so).(\d\.\d)(.*) -> emit \
+    link path=usr/lib/amd64/%<1> target=%<1>.%<2>%<3> \
+    mediator=openssl mediator-version=%<2> >
+
+# Mediated binaries
+
+<transform file path=usr/bin/([^-]+)-(.*) -> emit \
+    link path=usr/bin/%<1> target=%<1>-%<2> \
+    mediator=openssl mediator-version=%<2> >
+
+# Static libraries
+
+<transform file path=usr/ssl-([^/]+)/lib/(lib.*\.a) -> emit \
+    link path=lib/%<2> target=../%(path) \
+    mediator=openssl mediator-version=%<1> >
+
+# lint libraries
+
+<transform file path=usr/ssl-([^/]+)/lib/(llib.*) -> emit \
+    link path=lib/%<2> target=../%(path) \
+    mediator=openssl mediator-version=%<1> >
+
+# pkgconfig
+
+<transform file path=usr/ssl-([^/]+)/lib/pkgconfig/(.*) -> emit \
+    link path=usr/libpkgconfig/%<2> target=../../../%(path) \
+    mediator=openssl mediator-version=%<1> >
+
+<transform file path=usr/ssl-([^/]+)/lib/amd64/pkgconfig/(.*) -> emit \
+    link path=usr/lib/amd64/pkgconfig/%<2> target=../../../../%(path) \
+    mediator=openssl mediator-version=%<1> >
+
+# Mediated include files
+
+<transform dir path=usr/include/openssl-(...)$ -> emit \
+    link path=usr/include/openssl target=openssl-%<1> \
+    mediator=openssl mediator-version=%<1> >
+
+# Mediated ssl directory
+
+<transform dir path=usr/ssl-(...)$ -> emit \
+    link path=usr/ssl target=ssl-%<1> \
+    mediator=openssl mediator-version=%<1> >
+
+# Mediated man pages
+
+<transform file path=usr/ssl-([^/]+)/man/(man\d)/(.*) -> emit \
+    link path=usr/share/man/%<2>ssl/%<3> target=/%(path) \
+    mediator=openssl mediator-version=%<1> >
+
+# Make version 1.0 the default
+
+<transform link mediator-version=1.0 -> set mediator-priority vendor>
+
 license LICENSE license=OpenSSL
 
diff --git a/build/openssl/patches/pkcs11.patch → build/openssl/patches-1.0/pkcs11.patch b/build/openssl/patches/pkcs11.patch → build/openssl/patches-1.0/pkcs11.patch
diff --git a/build/openssl/patches/series → build/openssl/patches-1.0/series b/build/openssl/patches/series → build/openssl/patches-1.0/series
@@ -1,3 +1,2 @@
 pkcs11.patch -p1
 unused-dep.patch -p0
-man_sections.patch
diff --git a/build/openssl/patches/unused-dep.patch → build/openssl/patches-1.0/unused-dep.patch b/build/openssl/patches/unused-dep.patch → build/openssl/patches-1.0/unused-dep.patch