1*08cdcff5SEnji Cooper# FreeBSD maintainer's guide to OpenSSL 2*08cdcff5SEnji Cooper 3*08cdcff5SEnji Cooper## Assumptions 4*08cdcff5SEnji Cooper 5*08cdcff5SEnji CooperThese instructions assume the following: 6*08cdcff5SEnji Cooper 7*08cdcff5SEnji Cooper- A git clone of FreeBSD will be available at `$GIT_ROOT/src/freebsd/main` with 8*08cdcff5SEnji Cooper an origin named `freebsd`. Example: 9*08cdcff5SEnji Cooper `git clone -o freebsd git@gitrepo.freebsd.org:src.git "$GIT_ROOT/src/freebsd/main"` 10*08cdcff5SEnji Cooper- The vendor trees will be stored under `$GIT_ROOT/src/freebsd/vendor/`. 11*08cdcff5SEnji Cooper 12*08cdcff5SEnji Cooper## Software requirements 13*08cdcff5SEnji Cooper 14*08cdcff5SEnji CooperThe following additional software must be installed from ports: 15*08cdcff5SEnji Cooper 16*08cdcff5SEnji Cooper- lang/perl5 17*08cdcff5SEnji Cooper- lang/python 18*08cdcff5SEnji Cooper- net/rsync 19*08cdcff5SEnji Cooper- security/gnupg 20*08cdcff5SEnji Cooper 21*08cdcff5SEnji Cooper## Warning 22*08cdcff5SEnji Cooper 23*08cdcff5SEnji CooperThis is a long and complicated process, in part because OpenSSL is a large, 24*08cdcff5SEnji Coopercomplex, and foundational software component in the FreeBSD distribution. A 25*08cdcff5SEnji Cooperlot of the overall process has been automated to reduce potential human error, 26*08cdcff5SEnji Cooperbut some rough edges still exist. These rough edges have been highlighted in 27*08cdcff5SEnji Cooperthe directions. 28*08cdcff5SEnji Cooper 29*08cdcff5SEnji Cooper## Process 30*08cdcff5SEnji Cooper 31*08cdcff5SEnji Cooper### Notes 32*08cdcff5SEnji Cooper 33*08cdcff5SEnji CooperThe following directions use X.Y.Z to describe the major, minor, subminor 34*08cdcff5SEnji Cooperversions, respectively for the OpenSSL release. Please substitute the values as 35*08cdcff5SEnji Cooperappropriate in the directions below. 36*08cdcff5SEnji Cooper 37*08cdcff5SEnji CooperAll single commands are prefixed with `%`. 38*08cdcff5SEnji Cooper 39*08cdcff5SEnji Cooper### Variables 40*08cdcff5SEnji Cooper 41*08cdcff5SEnji Cooper``` 42*08cdcff5SEnji Cooper% OPENSSL_VER_MAJOR_MINOR=X.Y 43*08cdcff5SEnji Cooper% OPENSSL_VER_FULL=X.Y.Z 44*08cdcff5SEnji Cooper% RELEASE_TARFILE="openssl-${OPENSSL_VER_FULL}.tar.gz" 45*08cdcff5SEnji Cooper% BASE_URL="https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VER_FULL}/${RELEASE_TARFILE}" 46*08cdcff5SEnji Cooper``` 47*08cdcff5SEnji Cooper 48*08cdcff5SEnji Cooper### Switch to the vendor branch 49*08cdcff5SEnji Cooper 50*08cdcff5SEnji Cooper``` 51*08cdcff5SEnji Cooper% cd "$GIT_ROOT/src/freebsd/main" 52*08cdcff5SEnji Cooper% git worktree add -b vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} \ 53*08cdcff5SEnji Cooper ../vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} \ 54*08cdcff5SEnji Cooper freebsd/vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} 55*08cdcff5SEnji Cooper% cd "$GIT_ROOT/src/freebsd/vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} 56*08cdcff5SEnji Cooper``` 57*08cdcff5SEnji Cooper 58*08cdcff5SEnji Cooper### Download the latest OpenSSL release 59*08cdcff5SEnji Cooper 60*08cdcff5SEnji CooperThe following instructions demonstrate how to fetch a recent OpenSSL release 61*08cdcff5SEnji Cooperand its corresponding artifacts (release SHA256 checksum; release PGP 62*08cdcff5SEnji Coopersignature) from the [official website](https://www.openssl.org/source/). 63*08cdcff5SEnji Cooper 64*08cdcff5SEnji Cooper``` 65*08cdcff5SEnji Cooper% (cd .. && fetch ${BASE_URL} ${BASE_URL}.asc ${BASE_URL}.sha256) 66*08cdcff5SEnji Cooper``` 67*08cdcff5SEnji Cooper 68*08cdcff5SEnji Cooper### Verify the release authenticity and integrity 69*08cdcff5SEnji Cooper 70*08cdcff5SEnji Cooper**NOTE**: this step requires importing the project author's PGP keys beforehand. 71*08cdcff5SEnji CooperSee the [sources webpage](https://openssl-library.org/source/) for more 72*08cdcff5SEnji Cooperdetails. 73*08cdcff5SEnji Cooper 74*08cdcff5SEnji CooperThis step uses the PGP signature and SHA256 checksum files to verify the release 75*08cdcff5SEnji Cooperauthenticity and integrity, respectively. 76*08cdcff5SEnji Cooper 77*08cdcff5SEnji Cooper``` 78*08cdcff5SEnji Cooper% (cd .. && sha256sum -c ${RELEASE_TARFILE}.sha256) 79*08cdcff5SEnji Cooper% (cd .. && gpg --verify ${RELEASE_TARFILE}.asc) 80*08cdcff5SEnji Cooper``` 81*08cdcff5SEnji Cooper 82*08cdcff5SEnji Cooper### Unpack the OpenSSL tarball to the parent directory 83*08cdcff5SEnji Cooper 84*08cdcff5SEnji Cooper``` 85*08cdcff5SEnji Cooper% (cd .. && tar xf ../${RELEASE_TARFILE}) 86*08cdcff5SEnji Cooper``` 87*08cdcff5SEnji Cooper 88*08cdcff5SEnji Cooper### Update the sources in the vendor branch 89*08cdcff5SEnji Cooper 90*08cdcff5SEnji Cooper**IMPORTANT**: the trailing slash in the source directory is required! 91*08cdcff5SEnji Cooper 92*08cdcff5SEnji Cooper``` 93*08cdcff5SEnji Cooper% rsync --exclude .git --delete -av ../openssl-${OPENSSL_VER_FULL}/ . 94*08cdcff5SEnji Cooper``` 95*08cdcff5SEnji Cooper 96*08cdcff5SEnji Cooper### Take care of added / deleted files 97*08cdcff5SEnji Cooper 98*08cdcff5SEnji Cooper``` 99*08cdcff5SEnji Cooper% git add -A 100*08cdcff5SEnji Cooper``` 101*08cdcff5SEnji Cooper 102*08cdcff5SEnji Cooper### Commit, tag, and push 103*08cdcff5SEnji Cooper 104*08cdcff5SEnji Cooper``` 105*08cdcff5SEnji Cooper% git commit -m "openssl: Vendor import of OpenSSL ${OPENSSL_VER_FULL}" 106*08cdcff5SEnji Cooper% git tag -a -m "Tag OpenSSL ${OPENSSL_VER_FULL}" vendor/openssl/${OPENSSL_VER_FULL} 107*08cdcff5SEnji Cooper``` 108*08cdcff5SEnji Cooper 109*08cdcff5SEnji CooperThe update and tag could instead be pushed later, along with the merge 110*08cdcff5SEnji Cooperto main, but pushing now allows others to collaborate. 111*08cdcff5SEnji Cooper 112*08cdcff5SEnji Cooper#### Push branch update and tag separately 113*08cdcff5SEnji Cooper 114*08cdcff5SEnji CooperAt this point the vendor branch can be pushed to the FreeBSD repo via: 115*08cdcff5SEnji Cooper``` 116*08cdcff5SEnji Cooper% git push freebsd vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} 117*08cdcff5SEnji Cooper% git push freebsd vendor/openssl/${OPENSSL_VER_FULL} 118*08cdcff5SEnji Cooper``` 119*08cdcff5SEnji Cooper 120*08cdcff5SEnji Cooper**NOTE**: the second "git push" command is used to push the tag, which is not 121*08cdcff5SEnji Cooperpushed by default. 122*08cdcff5SEnji Cooper 123*08cdcff5SEnji Cooper#### Push branch update and tag simultaneously 124*08cdcff5SEnji Cooper 125*08cdcff5SEnji CooperIt is also possible to push the branch and tag together, but use 126*08cdcff5SEnji Cooper`--dry-run` first to ensure that no undesired tags will be pushed: 127*08cdcff5SEnji Cooper 128*08cdcff5SEnji Cooper``` 129*08cdcff5SEnji Cooper% git push --dry-run --follow-tags freebsd vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} 130*08cdcff5SEnji Cooper% git push --follow-tags freebsd vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} 131*08cdcff5SEnji Cooper``` 132*08cdcff5SEnji Cooper 133*08cdcff5SEnji Cooper### Remove any existing patches and generated files. 134*08cdcff5SEnji Cooper 135*08cdcff5SEnji Cooper``` 136*08cdcff5SEnji Cooper% make clean 137*08cdcff5SEnji Cooper``` 138*08cdcff5SEnji Cooper 139*08cdcff5SEnji CooperPlease note that this step does not remove any generated manpages: this happens 140*08cdcff5SEnji Cooperin a later step. 141*08cdcff5SEnji Cooper 142*08cdcff5SEnji Cooper### Merge from the vendor branch and resolve conflicts 143*08cdcff5SEnji Cooper 144*08cdcff5SEnji Cooper``` 145*08cdcff5SEnji Cooper% git subtree merge -P crypto/openssl vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} 146*08cdcff5SEnji Cooper``` 147*08cdcff5SEnji Cooper 148*08cdcff5SEnji Cooper**NOTE**: Some files may have been deleted from FreeBSD's copy of OpenSSL. 149*08cdcff5SEnji CooperIf git prompts for these deleted files during the merge, choose 'd' 150*08cdcff5SEnji Cooper(leaving them deleted). 151*08cdcff5SEnji Cooper 152*08cdcff5SEnji Cooper### Patch, configure, and regenerate all files 153*08cdcff5SEnji Cooper 154*08cdcff5SEnji CooperThe following commands turn the crank associated with the vendor release 155*08cdcff5SEnji Cooperupdate: 156*08cdcff5SEnji Cooper 157*08cdcff5SEnji Cooper``` 158*08cdcff5SEnji Cooper% make patch 159*08cdcff5SEnji Cooper% make configure 160*08cdcff5SEnji Cooper% make all 161*08cdcff5SEnji Cooper``` 162*08cdcff5SEnji Cooper 163*08cdcff5SEnji CooperThis process updates all generated files, syncs the manpages with the new release, 164*08cdcff5SEnji Cooperregenerates assembly files, etc. 165*08cdcff5SEnji Cooper 166*08cdcff5SEnji CooperFor now, any build-related changes, e.g., a assembly source was removed, a manpage 167*08cdcff5SEnji Cooperwas added, etc, will require makefile updates. 168*08cdcff5SEnji Cooper 169*08cdcff5SEnji Cooper### Diff against the vendor branch 170*08cdcff5SEnji Cooper 171*08cdcff5SEnji CooperReview the diff for any unexpected changes: 172*08cdcff5SEnji Cooper 173*08cdcff5SEnji Cooper``` 174*08cdcff5SEnji Cooper% git diff --diff-filter=M vendor/openssl/${OPENSSL_VER_FULL} HEAD:crypto/openssl 175*08cdcff5SEnji Cooper``` 176*08cdcff5SEnji Cooper 177*08cdcff5SEnji CooperThe net-result should be just the applied patches from the freebsd/ directory. 178*08cdcff5SEnji Cooper 179*08cdcff5SEnji Cooper### Make build-related changes 180*08cdcff5SEnji Cooper 181*08cdcff5SEnji Cooper**IMPORTANT**: manual adjustments/care needed here. 182*08cdcff5SEnji Cooper 183*08cdcff5SEnji CooperUpdate the appropriate makefiles to reflect changes in the vendor's 184*08cdcff5SEnji Cooper`build.info` metadata file. This is especially important if source files have 185*08cdcff5SEnji Cooperbeen added or removed. Keep in mind that the assembly files generated belong in 186*08cdcff5SEnji Cooper`sys/crypto/openssl`, and will therefore affect the kernel as well. 187*08cdcff5SEnji Cooper 188*08cdcff5SEnji CooperIf symbols have been added or removed, update the appropriate `Version.map` to 189*08cdcff5SEnji Cooperreflect these changes. Please try to stick to the new versioning scheme in the 190*08cdcff5SEnji Coopertarget OpenSSL release to improve interoperability with binaries compiled 191*08cdcff5SEnji Cooperdynamically against the ports version of OpenSSL, for instance. 192*08cdcff5SEnji Cooper 193*08cdcff5SEnji CooperCompare compilation flags, the list of files built and included, the list of 194*08cdcff5SEnji Coopersymbols generated with the corresponding port if available. 195*08cdcff5SEnji Cooper 196*08cdcff5SEnji Cooper### Build, install, and test 197*08cdcff5SEnji Cooper 198*08cdcff5SEnji CooperBuild and install a new version of world and the kernel with the newer release 199*08cdcff5SEnji Cooperof OpenSSL. Reboot the test host and run any appropriate tests using kyua, 200*08cdcff5SEnji Cooper`make checkworld`, etc. 201*08cdcff5SEnji Cooper 202*08cdcff5SEnji Cooper### Commit and push 203