devel/qca: Replace OpenSSL 1.1.0 with upstream ones

Authored by rakuco on Feb 25 2019, 2:21 PM.



The patches from bug 228902 and added in r481850 are not entirely compatible with older OpenSSL versions, to the point that the qca-ossl plugin refuses to load at all on FreeBSD 11.2, for example (see bug 232784 and its duplicates).

Fix it by replacing our patches with backports from upstream the same way OpenSUSE does it (the OpenSSL 1.1.0 upstream patch was authored by SUSE):

  • Revert an upstream commit made only to the 2.1 branch disabling a few ciphers in the unit tests.
  • Backport a change to the master branch that never made it to the 2.1 branch disabling the ciphers mentioned above as well as a few other ones, so that we can backport the actual change adding support for OpenSSL 1.1.0 more cleanly.
  • Backport the actual OpenSSL 1.1.0 support commit, with a few conflicts resolved due to the lack of a commit adding support for AES GCM and AES CCM in the 2.1 branch. The patch was actually obtained from OpenSUSE's repositories, since they had to resolve the same conflict as well.

Test Plan

The port built on 11.2-i386, an old 12-CURRENT snapshot on amd64 as well as 13-CURRENT on amd64. In all architectures, I hacked devel/qca's Makefile to enable unit tests again, and all tests are passing except for some PGP ones that are unrelated. With the patches we have in the tree, a lot of unit tests failed on 11.2 due to the qca-ossl plugin failing to load. I have no idea about LibreSSL though.

Diff Detail

rP FreeBSD ports repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.