summaryrefslogtreecommitdiff
path: root/README-DEV
blob: bff01afa4a6d021bde6e33b69d4dd7f71f53243a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
This document describes an approach applied to packaging OpenSSL for build2.
In particular, this understanding will be useful when upgrading to a new
upstream version.

The upstream package contains the libcrypto and libssl libraries and the
openssl program that we all package separately (see respective README-DEV
files for details). It also contains dynamically loaded engines and tests that
we currently don't package.

We add the upstream package as a git submodule and symlink the required files
and subdirectories into the build2 package subdirectories. Then, when required,
we "overlay" the upstream with our own headers, placing them into the
library/program directories and their downstream/ subdirectories.

Note that symlinking upstream submodule subdirectories into a build2 package
subdirectory results in creating intermediate build files (.d, .o, etc) inside
upstream directory while building the package in source tree. That's why we
need to make sure that packages do not share upstream source files via
subdirectory symlinks, not to also share the related intermediate files. If
several packages need to compile the same upstream source file, then only one
of them can symlink it via the parent directory while others must symlink it
directly. We also add the `ignore = untracked` configuration option into
.gitmodules to make sure that git ignores the intermediate build files under
upstream/ subdirectory.

Normally, when packaging a project, we need to replace some auto-generated
headers with our own implementations and deduce compilation/linking options.
For autoconf/cmake-based projects we rely on the Makefile.am, CMakeList.txt
and .in/.cmake files for that. For OpenSSL, using its own Perl scripts-based
build infrastructure, that's not an option. Instead, we analyze the
auto-generated files (headers, makefiles, configdata.pm, etc.) and build logs,
produced for multiple platforms/architectures, and use some of them build-time.
For convenience, we have also stashed some of them in upstream-build/.

The upstream package can be configured to expose a specific feature set. We
reproduce the union of features configured for the upstream source package in
Debian and Fedora distributions. The configuration options defining these sets
are specified in the Debian's rules and Fedora's RPM .spec files. These files
can be obtained as follows:

$ wget https://kojipkgs.fedoraproject.org/packages/openssl/1.1.1d/5.fc32/src/openssl-1.1.1d-5.fc32.src.rpm
$ rpm2cpio openssl-1.1.1d-5.fc32.src.rpm | cpio -civ '*.spec'

$ wget http://deb.debian.org/debian/pool/main/o/openssl/openssl_1.1.1d-2.debian.tar.xz
$ tar xf openssl_1.1.1d-2.debian.tar.xz debian/rules

Here are the discovered configuration options.

Debian:

  no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method
  enable-rfc3779 enable-cms

Fedora:

  zlib enable-camellia enable-seed enable-rfc3779 enable-sctp
  enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method
  enable-weak-ssl-ciphers no-mdc2 no-ec2m no-sm2 no-sm4

The union of these feature sets translates into the following options, after
suppressing the defaults:

  enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method
  enable-weak-ssl-ciphers no-mdc2 enable-zlib

We drop enable-zlib (compress before encryption) and enable-sctp (both used by
Fedora only) not to create external dependencies. Besides that, we add no-asm
to suppress replacing C code with auto-generated ASM code for some algorithms.
Later, we can potentially pre-generate ASM code for architectures we support
and get rid of this option. Also we add no-devcryptoeng as devcryptoeng is
automatically enabled on BSDs. So the resulting options are:

  enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers
  no-mdc2 no-asm no-devcryptoeng

Note that while we can use the upstream/INSTALL file to understand which of
the 'enable-<feature>' or 'no-<feature>' options are the default ones, it is a
good idea to verify the effective option set printed by the
`./configdata.pm --options` command run in the configuration directory.

Also note that on Windows you would need to additionally pass VC-WIN32 (i386)
or VC-WIN64A (x86_64) as a first argument to the Configure script when
configuring for building with VC (see upstream/INSTALL for details).

To build the upstream package and obtain the build log, run the following
commands in its root directory.

On POSIX and for MinGW GCC:

$ mkdir build
$ cd build
$ ../config enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
  enable-weak-ssl-ciphers no-mdc2 no-asm no-devcryptoeng >build.log 2>&1
$ make VERBOSE=1 >>build.log 2>&1

For MSVC:

> mkdir build
> cd build
> perl ../Configure VC-WIN64A enable-md2 enable-rc5 enable-ssl3 ^
  enable-ssl3-method enable-weak-ssl-ciphers no-mdc2 no-asm no-devcryptoeng ^
  >build.log 2>&1
> nmake VERBOSE=1 >>build.log 2>&1

Note that when building with MSVC (as of 15.5) you may need to remove the
/O2 option from the makefile prior to running nmake, to prevent the compiler
from hanging.

When the packaging is complete, build all the project packages in source tree
and make sure that no OpenSSL headers are included from the system, running
the following command from the project root:

$ fgrep -a -e /usr/include/openssl `find . -type f -name '*.d'`

As a side note, on Debian and Fedora the libraries, headers and utility are
packaged as follows:

                libcrypto+libssl  headers        openssl
Debian/Ubuntu:  libssl1.1         libssl-dev     openssl
Fedora/RHEL:    openssl-libs      openssl-devel  openssl

Search for the Debian and Fedora packages at https://packages.debian.org/search
and https://apps.fedoraproject.org/packages/.