FreeBSD maintainer's guide to OpenSSL
=====================================

These instructions assume you have a clone of the FreeBSD git repo
main branch in src/freebsd/main, and will store vendor trees under
src/freebsd/vendor/. In addition, this assumes there is a "freebsd"
origin pointing to git(repo).freebsd.org/src.git.

01) Switch to the vendor branch:

    $ cd src/freebsd/main
    $ git worktree add -b vendor/openssl-X.Y ../vendor/openssl-X.Y freebsd/vendor/openssl-X.Y
    $ cd ../vendor/openssl-X.Y

02) Download the latest OpenSSL tarball and signature from the official
    website (https://www.openssl.org/source/).

    $ (cd .. && fetch https://github.com/openssl/openssl/releases/download/openssl-X.Y.Z/openssl-X.Y.Z.tar.gz)
    $ (cd .. && fetch https://github.com/openssl/openssl/releases/download/openssl-X.Y.Z/openssl-X.Y.Z.tar.gz.asc)

03) Verify the signature:

    $ gpg --verify ../openssl-X.Y.Z.tar.gz.asc ../openssl-X.Y.Z.tar.gz

04) Unpack the OpenSSL tarball to the parent directory:

    $ tar xf ../openssl-X.Y.Z.tar.gz -C ..

05) Copy to the vendor branch:

    $ rsync --exclude .git --delete -av ../openssl-X.Y.Z/ .

06) Take care of added / deleted files:

    $ git add -A

07) Commit:

    $ git commit -m "openssl: Vendor import of OpenSSL X.Y.Z"

08) Tag:

    $ git tag -a -m "Tag OpenSSL X.Y.Z" vendor/openssl/X.Y.Z

    At this point the vendor branch can be pushed to the FreeBSD repo via:

    $ git push freebsd vendor/openssl-X.Y
    $ git push freebsd vendor/openssl/X.Y.Z

    Note that the second "git push" command is used to push the tag, which is
    not pushed by default.

    It is also possible to push the branch and tag together, but use
    --dry-run first to ensure that no undesired tags will be pushed:

    $ git push --dry-run --follow-tags freebsd vendor/openssl-X.Y
    $ git push --follow-tags freebsd vendor/openssl-X.Y

    The update and tag could instead be pushed later, along with the merge
    to main, but pushing now allows others to collaborate.

09) Merge from the vendor branch:

    $ git subtree merge -P crypto/openssl vendor/openssl-X.Y

    A number of files have been deleted from FreeBSD's copy of OpenSSL.
    If git prompts for these deleted files during the merge, choose 'd'
    (leaving them deleted).

10) Resolve conflicts. Remember to bump the version and date in
    secure/lib/libcrypto/Makefile.inc and
    crypto/openssl/include/openssl/opensslv.h.

11) Diff against the vendor branch:

    $ git diff --diff-filter=M vendor/openssl/X.Y.Z HEAD:crypto/openssl

    Review the diff for any unexpected changes.

12) Re-generate the assembly files:

    $ cd secure/lib/libcrypto
    $ make cleanasm buildasm

13) Update the appropriate makefiles to reflect changes in the vendor's
    build.info files. This is especially important if source files have
    been added or removed. Keep in mind that the generated assembly files
    belong to sys/crypto/openssl, and will therefore affect the kernel as
    well.

14) If symbols have been added or removed, update the appropriate
    Version.map to reflect these changes.

15) Compare the compilation flags, the list of files built and included,
    and the list of symbols generated against the corresponding port, if
    one is available.

16) Re-generate the manual files:

    $ tar xzf openssl-X.Y.Z.tar.gz
    $ (cd openssl-X.Y.Z && ./Configure --prefix=/usr --openssldir=/etc/ssl &&
       make build_man_docs)
    [...]
    $ find openssl-X.Y.Z/doc/man/man1 -name '*.1' -exec cp {} secure/usr.bin/openssl/man/ \;
    $ find openssl-X.Y.Z/doc/man/man3 -name '*.3' -exec cp {} secure/lib/libcrypto/man/man3/ \;
    $ find openssl-X.Y.Z/doc/man/man5 -name '*.5' -exec cp {} secure/lib/libcrypto/man/man5/ \;
    $ find openssl-X.Y.Z/doc/man/man7 -name '*.7' -exec cp {} secure/lib/libcrypto/man/man7/ \;
    $ grep -nrF usr/local secure/lib/libcrypto/man secure/usr.bin/openssl/man
    [correct the references to the prefix and OpenSSL directories]
    $ git commit --amend secure/lib/libcrypto/man secure/usr.bin/openssl/man

    Review the diff and tree status for anything requiring attention.

17) Build and install world, reboot, test.

18) Test the legacy provider as well (here with "test" as the password):

    $ echo test | openssl rc4 -provider legacy -e -a -pbkdf2
    enter RC4 encryption password:
    Verifying - enter RC4 encryption password:
    U2FsdGVkX1+JvhqxLMOvlxvTi1/h

19) Commit and hope you did not miss anything.
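Steps 14 and 15 both come down to comparing the symbols the new libcrypto exports with what Version.map declares. The helper below is an added example, not part of the FreeBSD guide; it assumes you have saved "nm -g" output of the freshly built library to a file, and it runs against constructed sample inputs rather than a real symbol table.

```shell
#!/bin/sh
# Hypothetical helper, not part of the FreeBSD guide: check step 14 by
# comparing the global symbols a Version.map lists against the symbols a
# freshly built libcrypto exports (saved "nm -g" output).
set -eu
export LC_ALL=C   # sort(1) and comm(1) must agree on collation
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# map_symbols MAPFILE: names in the "global:" sections of a Version.map.
map_symbols() {
    awk '
        /^[[:space:]]*global:/ { in_global = 1; next }
        /^[[:space:]]*local:/  { in_global = 0; next }
        /^[[:space:]]*}/       { in_global = 0; next }
        in_global && /;/       { gsub(/[[:space:];]/, ""); if ($0 != "") print }
    ' "$1" | sort -u
}

# defined_symbols NMFILE: names of defined global symbols (type letters
# T/D/B/R/W); lowercase types are local and do not need a map entry.
defined_symbols() {
    awk '$2 ~ /^[TDBRW]$/ { print $3 }' "$1" | sort -u
}

# map_vs_exported FLAGS MAPFILE NMFILE: comm(1) over the two sorted lists.
#   -13: exported symbols missing from the map (Version.map needs additions)
#   -23: map entries no longer exported (Version.map needs removals)
map_vs_exported() {
    map_symbols "$2" > "$tmp/map"; defined_symbols "$3" > "$tmp/nm"
    comm "$1" "$tmp/map" "$tmp/nm"
}

# Constructed sample inputs, not real OpenSSL symbol tables.
MAP="$tmp/Version.map"; NM="$tmp/nm.out"
cat > "$MAP" <<'EOF'
OPENSSL_3.0.0 {
    global:
        EVP_CIPHER_fetch;
        EVP_removed_func;
    local:
        *;
};
EOF
cat > "$NM" <<'EOF'
0000000000012340 T EVP_CIPHER_fetch
0000000000012360 T OSSL_PROVIDER_load
0000000000023450 t internal_helper
0000000000034560 D OPENSSL_global_var
EOF
echo "exported but not in Version.map:"; map_vs_exported -13 "$MAP" "$NM"
echo "in Version.map but no longer exported:"; map_vs_exported -23 "$MAP" "$NM"
```

On a real tree, replace the constructed files with the Version.map under secure/lib/libcrypto and the output of "nm -g" on the built libcrypto.so.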