author Karen Arutyunov <karen@codesynthesis.com> 2020-01-21 15:38:48 +0300
committer Karen Arutyunov <karen@codesynthesis.com> 2020-01-21 15:38:48 +0300
commit e2a2673873e4364ea669439cbe58f478bc3a3b64
tree 767f55381df9c6907a026b9160c31d6a71ca5209
parent 27af3fd089cbd21e546ed4a71fcdb796e121d423

Release version 1.1.1+9 (v1.1.1+9)

Enable zlib usage
Don't define default directory paths
Fix 'sslv3 alert bad record mac' failure for some libcrypto function calls

-rw-r--r-- README-DEV 23
-rw-r--r-- libcrypto/libcrypto/buildfile 130
-rw-r--r-- libcrypto/libcrypto/downstream/openssl/opensslconf.h 25
-rw-r--r-- libcrypto/libcrypto/libcrypto.def 1
-rw-r--r-- libcrypto/libcrypto/libcrypto.map 1
-rw-r--r-- libcrypto/manifest 3
-rw-r--r-- libcrypto/tests/basic/driver.c 3
-rw-r--r-- libcrypto/tests/basic/testscript 6
-rw-r--r-- libssl/libssl/buildfile 9
-rw-r--r-- libssl/manifest 2
-rw-r--r-- libssl/tests/basic/driver.c 3
-rw-r--r-- openssl/manifest 2
-rw-r--r-- openssl/openssl/buildfile 9
-rw-r--r-- openssl/tests/encryption.testscript 9
-rw-r--r-- openssl/tests/version.testscript 6
-rw-r--r-- repositories.manifest 4

16 files changed, 131 insertions, 105 deletions

diff --git a/README-DEV b/README-DEV
index bff01af..3a44f62 100644
--- a/README-DEV
+++ b/README-DEV
@@ -61,17 +61,17 @@ The union of these feature sets translates into the following options, after
suppressing the defaults:
enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method
- enable-weak-ssl-ciphers no-mdc2 enable-zlib
+ enable-weak-ssl-ciphers enable-zlib no-mdc2
-We drop enable-zlib (compress before encryption) and enable-sctp (both used by
-Fedora only) not to create external dependencies. Besides that, we add no-asm
-to suppress replacing C code with auto-generated ASM code for some algorithms.
-Later, we can potentially pre-generate ASM code for architectures we support
-and get rid of this option. Also we add no-devcryptoeng as devcryptoeng is
-automatically enabled on BSDs. So the resulting options are:
+We, however, drop the external dependencies that are not packaged for build2.
+Besides that, we add no-asm to suppress replacing C code with auto-generated
+ASM code for some algorithms. Later, we can potentially pre-generate ASM code
+for architectures we support and get rid of this option. Also we add
+no-devcryptoeng as devcryptoeng is automatically enabled on BSDs. So the
+resulting options are:
enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers
- no-mdc2 no-asm no-devcryptoeng
+ enable-zlib no-mdc2 no-asm no-devcryptoeng
Note that while we can use the upstream/INSTALL file to understand which of
the 'enable-<feature>' or 'no-<feature>' options are the default ones, it is a
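Review bot: The rewritten paragraph ("We, however, drop the external dependencies that are not packaged for build2") no longer names the option that is dropped, so a reader has to compare the two option lists to find out it is enable-sctp. Name it explicitly. The removed text also described enable-zlib as "compress before encryption"; now that the option is turned on, keep that description and state whether the package expects TLS-level compression to stay off by default, since compressing attacker-influenced plaintext before encryption can leak its content through ciphertext length.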
@@ -90,7 +90,8 @@ On POSIX and for MinGW GCC:
$ mkdir build
$ cd build
$ ../config enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
- enable-weak-ssl-ciphers no-mdc2 no-asm no-devcryptoeng >build.log 2>&1
+ enable-weak-ssl-ciphers enable-zlib no-mdc2 no-asm no-devcryptoeng \
+ >build.log 2>&1
$ make VERBOSE=1 >>build.log 2>&1
For MSVC:
@@ -98,8 +99,8 @@ For MSVC:
> mkdir build
> cd build
> perl ../Configure VC-WIN64A enable-md2 enable-rc5 enable-ssl3 ^
- enable-ssl3-method enable-weak-ssl-ciphers no-mdc2 no-asm no-devcryptoeng ^
- >build.log 2>&1
+ enable-ssl3-method enable-weak-ssl-ciphers enable-zlib no-mdc2 no-asm ^
+ no-devcryptoeng >build.log 2>&1
> nmake VERBOSE=1 >>build.log 2>&1
Note that when building with MSVC (as of 15.5) you may need to remove the
diff --git a/libcrypto/libcrypto/buildfile b/libcrypto/libcrypto/buildfile
index 69380a7..0b794ac 100644
--- a/libcrypto/libcrypto/buildfile
+++ b/libcrypto/libcrypto/buildfile
@@ -2,24 +2,28 @@
# copyright : Copyright (c) 2018-2019 Code Synthesis Ltd
# license : OpenSSL and SSLeay Licenses; see accompanying LICENSE file
+import imp_libs = libz%lib{z}
+
# Exclude source code of unused features (engines, disabled algorithms, etc).
#
# Note: crypto/LPdir_*.c and crypto/des/ncbc_enc.c are actually headers.
#
-lib{crypto}: {h }{** -buildinf-body} \
- {h }{buildinf-body} \
- crypto/{ c}{** -LPdir_* -*cap \
- -aes/aes_x86core \
- -bn/asm/x86_64-gcc \
- -des/ncbc_enc \
- -ec/ecp_nistz256* \
- -engine/eng_devcrypto \
- -mdc2/** \
- -poly1305/poly1305_ieee754 \
- -poly1305/poly1305_base2_44} \
- { def}{libcrypto} \
- crypto/{file}{LPdir_*.c des/ncbc_enc.c} \
- {file}{libcrypto.map}
+lib{crypto}: {h }{** -buildinf-body} \
+ {h }{buildinf-body} \
+ crypto/{ c}{** -LPdir_* -*cap \
+ -aes/aes_x86core \
+ -bn/asm/x86_64-gcc \
+ -bn/rsaz_exp \
+ -des/ncbc_enc \
+ -ec/ecp_nistz256* \
+ -engine/eng_devcrypto \
+ -mdc2/** \
+ -poly1305/poly1305_ieee754 \
+ -poly1305/poly1305_base2_44} \
+ { def}{libcrypto} \
+ crypto/{file}{LPdir_*.c des/ncbc_enc.c} \
+ {file}{libcrypto.map} \
+ $imp_libs
# Symlinked where appropriate.
#
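Review bot: The new exclusion -bn/rsaz_exp in the crypto/ source list is not explained, either in the comment above the target or in the commit message. The other changes in this hunk follow from the libz import; this one does not. Add a line to the "Exclude source code of unused features" comment saying why the file is dropped (for example, that it is only needed together with assembly that no-asm disables, if that is the reason).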
@@ -39,7 +43,11 @@ windows = ($tclass == 'windows')
# Pass -DLIBCRYPTO_BUILD to define the above macros only while building the
# libcrypto library.
#
-c.poptions += -DLIBCRYPTO_BUILD
+# Note that upstream also passes -DNDEBUG. Let's omit it for now to enable
+# assertions to gain some extra confidence that we didn't break anything while
+# packaging.
+#
+c.poptions += -DLIBCRYPTO_BUILD -DZLIB
# Note that the upstream package uses -pthread compiler/linker option on
# Linux and FreeBSD. The option is currently unsupported by build2, so we use
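Review bot: The added comment explains the absence of -DNDEBUG but says nothing about -DZLIB, which is the actual change on the c.poptions line. State what -DZLIB enables and that it goes together with the libz import at the top of the file. On the NDEBUG part, "for now" leaves a released crypto library with assert() active and no condition for revisiting it; a failed assertion aborts the calling process, so record when the flag is expected to be restored.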
@@ -105,61 +113,6 @@ switch $c.class
}
}
-# Define the OPENSSLDIR and ENGINESDIR macros as the upstream package does it
-# in the most of cases.
-#
-# Note that upstream defines them differently for some
-# platforms/distributions. For example, it defines ENGINESDIR as
-# /usr/local/lib64/engines-1.1 on Fedora and /usr/local/lib/engines-1_1 for
-# MinGW GCC (which doesn't make much sense).
-#
-# Also note that Linux distributions may define them differently. For example:
-#
-# Debian/Ubuntu: /usr/lib/ssl and /usr/lib/x86_64-linux-gnu/engines-1.1
-# Fedora/RHEL: /etc/pki/tls and /usr/lib64/engines-1.1
-#
-# Overall, the thinking is that if any of these directories are actually
-# needed, then one should probably be using the system-installed OpenSSL.
-#
-lib_version = ($version.pre_release ? "$version.project_id" : "$abi_version")
-
-if! $windows
-{
- root = ($install.root != [null] \
- ? $install.resolve($install.root) \
- : [dir_path] /usr/local)
-
- lib = ($install.root != [null] \
- ? $install.resolve($install.lib) \
- : $root/lib)
-
- openssldir = "$root/ssl"
- enginesdir = "$lib/engines-$lib_version"
-}
-else
-{
- arc = ($i686 ? ' (x86)' : '')
-
- root = ($install.root != [null] \
- ? $install.resolve($install.root) \
- : [dir_path] "C:/Program Files$arc/Common Files")
-
- lib = ($install.root != [null] \
- ? $install.resolve($install.lib) \
- : [dir_path] "C:/Program Files$arc/OpenSSL/lib")
-
- openssldir = "$root/SSL"
- enginesdir = "$lib/engines-$regex.replace($lib_version, '-', '_')"
-}
-
-# Escape backslashes and quotes in the directory paths prior to representing
-# them as C string literals.
-#
-od = $regex.replace($openssldir, '(\\|")', '\\\1')
-ed = $regex.replace($enginesdir, '(\\|")', '\\\1')
-
-c.poptions += -DOPENSSLDIR="\"$od\"" -DENGINESDIR="\"$ed\""
-
# Escape backslashes and quotes in the compilation flags and substitute them
# into internal/buildinf-body.h as string literals, one per line.
#
@@ -185,6 +138,38 @@ crypto/ c.poptions =+ "-I$src_base/include"
crypto/evp/ c.poptions =+ "-I$src_root/libcrypto/crypto/modes"
crypto/ec/curve448/ c.poptions =+ "-I$src_base" "-I$src_base/arch_32"
+# Note that upstream defines OPENSSLDIR and ENGINESDIR differently for
+# different platforms/distributions. For example, it defines ENGINESDIR as
+# /usr/local/lib64/engines-1.1 on Fedora and /usr/local/lib/engines-1_1 for
+# MinGW GCC (which doesn't make much sense).
+#
+# Also note that Linux distributions may also define them differently. For
+# example:
+#
+# Debian/Ubuntu: /usr/lib/ssl and /usr/lib/x86_64-linux-gnu/engines-1.1
+# Fedora/RHEL: /etc/pki/tls and /usr/lib64/engines-1.1
+#
+# We will not define these directories as there is no guarantee that they
+# exist and contain data that is safe to use. Overall, the thinking is that if
+# any of these directories are actually needed, then one should probably be
+# using the system-installed OpenSSL or configure these directories manually
+# at runtime (e.g., via environment variables, API, etc).
+#
+# Note that we cannot just leave the macros undefined as the project will fail
+# to compile. Using empty paths may seem like a good idea but will end up in
+# potentially existing filesystem entries (/certs, /cert.pem, etc; see
+# upstream's cryptlib.h). Thus, we define them as "\0" which results in the
+# empty string literal for the macros defined as follows:
+#
+# # define X509_CERT_DIR OPENSSLDIR "/certs"
+#
+# Also note that for the crypto/obj{cversion} target we instead need to leave
+# OPENSSLDIR and ENGINESDIR undefined not to break strings used by the
+# OpenSSL_version() function (see crypto/cversion.c for details).
+#
+ns = $regex.apply({**.c -crypto/cversion.c}, '.c$', '')
+obj{$ns}: c.poptions += -DOPENSSLDIR='"\0"' -DENGINESDIR='"\0"'
+
crypto/obj{cversion}: c.poptions =+ "-I$src_root/libcrypto/downstream/internal"
switch $tclass, $tsys
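Review bot: The '.c$' pattern passed to $regex.apply() leaves the dot unescaped, so it matches any character followed by c; use '\.c$'. Beyond that, the key claim of the comment (a "\0" prefix turns X509_CERT_DIR and the related macros into empty C strings) is only tested indirectly: the updated testscripts assert "OPENSSLDIR: N/A" in the version output, which comes from crypto/obj{cversion}, the one object that is deliberately built without these defines. Consider a check in tests/basic/driver.c that the default certificate directory and file come back empty, and name the runtime overrides the comment alludes to (e.g. the SSL_CERT_FILE and SSL_CERT_DIR environment variables) so users know how to configure trust roots.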
@@ -229,7 +214,10 @@ lib{crypto}: cc.export.poptions = "-I$src_base/downstream" "-I$src_base"
# See bootstrap.build for details.
#
-lib{crypto}: bin.lib.version = @"-$lib_version"
+if $version.pre_release
+ lib{crypto}: bin.lib.version = @"-$version.project_id"
+else
+ lib{crypto}: bin.lib.version = @"-$abi_version"
# Install headers from the upstream and downstream openssl/ subdirectories
# only.
diff --git a/libcrypto/libcrypto/downstream/openssl/opensslconf.h b/libcrypto/libcrypto/downstream/openssl/opensslconf.h
index f6692c8..810306b 100644
--- a/libcrypto/libcrypto/downstream/openssl/opensslconf.h
+++ b/libcrypto/libcrypto/downstream/openssl/opensslconf.h
@@ -7,13 +7,9 @@
#define LIBCRYPTO_DOWNSTREAM_OPENSSL_OPENSSLCONF_H
/*
- * Include upstream's auto-generated platform-specific opensslconf.h.
- */
-#include <openssl/opensslconf/platform.h>
-
-/*
- * Define OPENSSL_PIC and {L|B}_ENDIAN macros if we are building libcrypto
- * (see ../../buildfile for details).
+ * Define OPENSSL_PIC and {L|B}_ENDIAN macros (that upstream defines on the
+ * command line via -D) if we are building libcrypto (see ../../buildfile for
+ * details).
*/
#ifdef LIBCRYPTO_BUILD
# define OPENSSL_PIC
@@ -26,13 +22,17 @@
# else
# if defined(_WIN32)
# ifndef BYTE_ORDER
-# define BYTE_ORDER LITTLE_ENDIAN
+# define BIG_ENDIAN 4321
+# define LITTLE_ENDIAN 1234
+# define BYTE_ORDER LITTLE_ENDIAN
# endif
# else
-# include <sys/param.h> /* BYTE_ORDER/__BYTE_ORDER */
+# include <sys/param.h> /* BYTE_ORDER/__BYTE_ORDER */
# ifndef BYTE_ORDER
# ifdef __BYTE_ORDER
-# define BYTE_ORDER __BYTE_ORDER
+# define BYTE_ORDER __BYTE_ORDER
+# define BIG_ENDIAN __BIG_ENDIAN
+# define LITTLE_ENDIAN __LITTLE_ENDIAN
# else
# error no BYTE_ORDER/__BYTE_ORDER define
# endif
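Review bot: In the _WIN32 branch BIG_ENDIAN and LITTLE_ENDIAN are defined under the single #ifndef BYTE_ORDER guard, so a translation unit that already has either macro but not BYTE_ORDER gets a redefinition; guard each with its own #ifndef. The same applies to the two defines added in the __BYTE_ORDER branch. The hunk also has no comment on why the constants are needed. If this is the fix for the 'bad record mac' failure named in the commit message, say so here: an undefined identifier silently evaluates to 0 in an #if comparison, and without a note the next cleanup of this block could remove the defines again.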
@@ -47,4 +47,9 @@
# endif
#endif
+/*
+ * Include upstream's auto-generated platform-specific opensslconf.h.
+ */
+#include <openssl/opensslconf/platform.h>
+
#endif /* LIBCRYPTO_DOWNSTREAM_OPENSSL_OPENSSLCONF_H */
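Review bot: The include of <openssl/opensslconf/platform.h> is moved from the top of the header to the bottom, but the comment is carried over unchanged and does not say what ordering it now depends on. Add a sentence explaining why it has to follow the macro block above; otherwise the move looks arbitrary and can be reverted by accident.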
diff --git a/libcrypto/libcrypto/libcrypto.def b/libcrypto/libcrypto/libcrypto.def
index 195c0df..860c233 100644
--- a/libcrypto/libcrypto/libcrypto.def
+++ b/libcrypto/libcrypto/libcrypto.def
@@ -355,6 +355,7 @@ EXPORTS
BIO_f_nbio_test
BIO_f_null
BIO_f_reliable
+ BIO_f_zlib
BIO_fd_non_fatal_error
BIO_fd_should_retry
BIO_find_type
diff --git a/libcrypto/libcrypto/libcrypto.map b/libcrypto/libcrypto/libcrypto.map
index 0cb9c89..69e37a2 100644
--- a/libcrypto/libcrypto/libcrypto.map
+++ b/libcrypto/libcrypto/libcrypto.map
@@ -291,6 +291,7 @@ OPENSSL_1_1_0 {
BIO_f_nbio_test;
BIO_f_null;
BIO_f_reliable;
+ BIO_f_zlib;
BIO_fd_non_fatal_error;
BIO_fd_should_retry;
BIO_find_type;
diff --git a/libcrypto/manifest b/libcrypto/manifest
index 7e1b433..29a223d 100644
--- a/libcrypto/manifest
+++ b/libcrypto/manifest
@@ -3,7 +3,7 @@ name: libcrypto
# Note: remember to update doc-url below!
#
-version: 1.1.1+8
+version: 1.1.1+9
upstream-version: 1.1.1d
project: openssl
@@ -22,3 +22,4 @@ build-error-email: builds@build2.org
builds: all
depends: * build2 >= 0.12.0
depends: * bpkg >= 0.12.0
+depends: libz >= 1.2.1100
diff --git a/libcrypto/tests/basic/driver.c b/libcrypto/tests/basic/driver.c
index d398269..2206c22 100644
--- a/libcrypto/tests/basic/driver.c
+++ b/libcrypto/tests/basic/driver.c
@@ -1,5 +1,4 @@
-/*
- * file : tests/basic/driver.c
+/* file : tests/basic/driver.c
* copyright : Copyright (c) 2009-2019 Code Synthesis Tools CC
* license : OpenSSL and SSLeay Licenses; see accompanying LICENSE file
*/
diff --git a/libcrypto/tests/basic/testscript b/libcrypto/tests/basic/testscript
index bb6d094..aa7d09d 100644
--- a/libcrypto/tests/basic/testscript
+++ b/libcrypto/tests/basic/testscript
@@ -6,7 +6,7 @@ $* >>~"%EOO%"
version: OpenSSL 1.1.1d 10 Sep 2019
%built on: .+ UTC%
%platform: $c.target.class-$c.target.cpu%
- %compiler: $c.class .*-DLIBCRYPTO_BUILD .*-DOPENSSLDIR=".+" -DENGINESDIR=".+".*%
- %OPENSSLDIR: ".+"%
- %ENGINESDIR: ".+"%
+ %compiler: $c.class .*-DLIBCRYPTO_BUILD -DZLIB .*%
+ OPENSSLDIR: N/A
+ ENGINESDIR: N/A
EOO
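Review bot: The %compiler:% pattern now requires "-DLIBCRYPTO_BUILD -DZLIB " to be adjacent and in that order, so a later reordering of c.poptions in the buildfile fails this test for a reason unrelated to what it checks. Match the two flags independently, for example ".*-DLIBCRYPTO_BUILD .*-DZLIB .*". Asserting the literal N/A for OPENSSLDIR and ENGINESDIR matches the directory change and is fine as is.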
diff --git a/libssl/libssl/buildfile b/libssl/libssl/buildfile
index 6b41c17..7be45fe 100644
--- a/libssl/libssl/buildfile
+++ b/libssl/libssl/buildfile
@@ -11,6 +11,15 @@ tsys = $c.target.system
# Build options.
#
+# Note that libssl doesn't use zlib directly. However, it may use
+# functionality that libcrypto additionally provides when zlib is enabled.
+#
+# Also note that upstream also passes -DNDEBUG. Let's omit it for now to
+# enable assertions to gain some extra confidence that we didn't break
+# anything while packaging.
+#
+c.poptions += -DZLIB
+
# Drop -DOPENSSL_PIC, -D{L|B}_ENDIAN, -DOPENSSLDIR and -DENGINESDIR as they
# are not used in the libssl source code nor in the libcrypto public headers.
#
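Review bot: "it may use functionality that libcrypto additionally provides when zlib is enabled" does not say which functionality, nor why libssl needs -DZLIB on its own command line if it never calls zlib. Name the feature and the header or source that tests the macro. The NDEBUG paragraph is also copied verbatim into three buildfiles in this commit; keep it in one place and refer to it from the others so the three copies cannot drift.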
diff --git a/libssl/manifest b/libssl/manifest
index 412b39b..f685ac7 100644
--- a/libssl/manifest
+++ b/libssl/manifest
@@ -3,7 +3,7 @@ name: libssl
# Note: remember to update doc-url below!
#
-version: 1.1.1+8
+version: 1.1.1+9
upstream-version: 1.1.1d
project: openssl
diff --git a/libssl/tests/basic/driver.c b/libssl/tests/basic/driver.c
index 56e9c5f..8f526e6 100644
--- a/libssl/tests/basic/driver.c
+++ b/libssl/tests/basic/driver.c
@@ -1,5 +1,4 @@
-/*
- * file : tests/basic/driver.c
+/* file : tests/basic/driver.c
* copyright : Copyright (c) 2009-2019 Code Synthesis Tools CC
* license : OpenSSL and SSLeay Licenses; see accompanying LICENSE file
*/
diff --git a/openssl/manifest b/openssl/manifest
index 6b30ea6..a90ba1e 100644
--- a/openssl/manifest
+++ b/openssl/manifest
@@ -3,7 +3,7 @@ name: openssl
# Note: remember to update doc-url below!
#
-version: 1.1.1+8
+version: 1.1.1+9
upstream-version: 1.1.1d
priority: security
diff --git a/openssl/openssl/buildfile b/openssl/openssl/buildfile
index f9e317a..8cc2107 100644
--- a/openssl/openssl/buildfile
+++ b/openssl/openssl/buildfile
@@ -16,6 +16,15 @@ exe{openssl}: apps/c{win32_init}: include = $windows
# Build options.
#
+# Note that openssl doesn't use zlib directly. However, it uses functionality
+# that libcrypto additionally provide when zlib is enabled.
+#
+# Also note that upstream also passes -DNDEBUG. Let's omit it for now to
+# enable assertions to gain some extra confidence that we didn't break
+# anything while packaging.
+#
+c.poptions += -DZLIB
+
# Note that the upstream package uses -pthread compiler/linker option on
# Linux and FreeBSD. The option is currently unsupported by build2, so we use
# -D_REENTRANT and -lpthread preprocessor/linker options instead.
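Review bot: Typo in the added comment: "libcrypto additionally provide" should be "provides". The comment here says openssl "uses" the functionality while the libssl buildfile says "may use"; the new encryption.testscript exercises -z, so name that option here as the reason -DZLIB is needed instead of the generic wording.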
diff --git a/openssl/tests/encryption.testscript b/openssl/tests/encryption.testscript
new file mode 100644
index 0000000..6326858
--- /dev/null
+++ b/openssl/tests/encryption.testscript
@@ -0,0 +1,9 @@
+# file : tests/encryption.testscript
+# copyright : Copyright (c) 2016-2019 Code Synthesis Ltd
+# license : OpenSSL and SSLeay Licenses; see accompanying LICENSE file
+
+enc = $* aes-256-cbc -e -salt -base64 -md sha256 -pass pass:123 -pbkdf2
+dec = $* aes-256-cbc -d -salt -base64 -md sha256 -pass pass:123 -pbkdf2
+
+$enc <'ABC' | $dec >'ABC' : no-zlib
+$enc -z <'ABC' | $dec -z >'ABC' : zlib
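Review bot: Both test lines only check a round trip through the same binary, so the zlib case passes as long as -z is accepted on both sides and would not notice if the option were silently ignored. Add a negative case in which the output of $enc -z is fed to $dec without -z and must not produce 'ABC'. The -salt flag on the $dec line has no effect and can be dropped.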
diff --git a/openssl/tests/version.testscript b/openssl/tests/version.testscript
index 1759e5f..325ba9b 100644
--- a/openssl/tests/version.testscript
+++ b/openssl/tests/version.testscript
@@ -7,8 +7,8 @@ $* version -a >>~"%EOO%"
%built on: .+ UTC%
%platform: $c.target.class-$c.target.cpu%
%options: .+%
- %compiler: $c.class .*-DLIBCRYPTO_BUILD.*%
- %OPENSSLDIR: ".+"%
- %ENGINESDIR: ".+"%
+ %compiler: $c.class .*-DLIBCRYPTO_BUILD -DZLIB .*%
+ OPENSSLDIR: N/A
+ ENGINESDIR: N/A
%Seeding source: .+%
EOO
diff --git a/repositories.manifest b/repositories.manifest
index 5207655..074f7e4 100644
--- a/repositories.manifest
+++ b/repositories.manifest
@@ -1,2 +1,6 @@
: 1
summary: OpenSSL build2 package repository
+
+:
+role: prerequisite
+location: ../../zlib/zlib.git##HEAD
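Review bot: The prerequisite location ends in ##HEAD, so the libz that gets linked into libcrypto is whatever the zlib repository's HEAD is at build time, and the ../../ relative path assumes a particular layout on the hosting server. openssl/manifest marks this package "priority: security", so if this file is meant only for development checkouts, say so in a comment; otherwise pin the prerequisite to a tag or commit so the build is reproducible.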