Page MenuHomeFreeBSD

secure: import OpenSSL version 3.5.1
AbandonedPublic

Authored by khorben on Jul 28 2025, 11:26 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Oct 11, 3:33 PM
Unknown Object (File)
Sat, Oct 11, 3:33 PM
Unknown Object (File)
Sat, Oct 11, 3:33 PM
Unknown Object (File)
Sat, Oct 11, 7:01 AM
Unknown Object (File)
Sat, Oct 11, 7:01 AM
Unknown Object (File)
Sat, Oct 11, 7:01 AM
Unknown Object (File)
Sat, Oct 11, 7:01 AM
Unknown Object (File)
Fri, Oct 10, 11:44 PM
Subscribers

Details

Summary

This differential contains the changes required after the corresponding vendor update, in order to integrate OpenSSL 3.5 into FreeBSD's base system.

This includes:

  • Build support for amd64, arm64, arm, powerpc64, powerpc64le, powerpc, riscv64
  • Re-generation of the assembly files
  • Updated manual pages

The full changes can be found in the following branch on GitHub:
https://github.com/khorben/freebsd-src/tree/khorben/openssl-3.5.1-stabweek-2025-Jul

Test Plan
  • I haven't tested a kernel yet
  • Bootstrapping pkg is expected to fail: missing libcrypto.so.30 and libssl.so.30 due to version bump to 35
  • I could not include the full context here as the resulting diff was too big

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

khorben added a reviewer: ngie.

I don't think PowerPC 32 failing is a blocker for main or stable/15: we're ending support for 32 bit platforms. Do we ever plan to merge this to stable/14 though?

I don't think PowerPC 32 failing is a blocker for main or stable/15: we're ending support for 32 bit platforms. Do we ever plan to merge this to stable/14 though?

From what I heard:

  • 32-bit PowerPC is not a blocker for main nor stable/15, as it is already disabled by default in main.
  • There is no plan to merge OpenSSL 3.5 into stable/14.

I am now trying to build 32-bit PowerPC with this set in secure/lib/libcrypto/Makefile.common:

+.if ${MACHINE_ARCH} == "powerpc"
+PICFLAG=       -fPIC
+.endif

It seems to help, but I have to restart a build from scratch to be sure.

khorben edited the summary of this revision. (Show Details)
khorben edited the test plan for this revision. (Show Details)
khorben added a reviewer: glebius.

Got 32-bit PowerPC to build.

I don't think PowerPC 32 failing is a blocker for main or stable/15: we're ending support for 32 bit platforms. Do we ever plan to merge this to stable/14 though?

No. OpenSSL breaks enough ABIs between minor versions that things like this cannot be backported without a ton of pain to downstream consumers.

I'll look at this sometime in the future. I've been off-grid for quite a while now for a variety of personal reasons.

secure/lib/libcrypto/man/man3/DSA_generate_key.3
2

IMHO we should really nuke these comments to ensure repeatable builds.

In D51613#1179498, @khorben_defora.org wrote:

I don't think PowerPC 32 failing is a blocker for main or stable/15: we're ending support for 32 bit platforms. Do we ever plan to merge this to stable/14 though?

From what I heard:

  • 32-bit PowerPC is not a blocker for main nor stable/15, as it is already disabled by default in main.
  • There is no plan to merge OpenSSL 3.5 into stable/14.

While 32-bit powerpc is disabled as a "full" architecture in main, lib32 is still a thing for powerpc64, and libcrypto/libssl are built as part of lib32, so you still need powerpc 32-bit to work in practice.

Using -fPIC is fine, as noted in e-mail, we already use -fPIC in a a few other places in the tree for 32-bit powerpc.

Committed as e7be843b4a162e68651d3911f0357ed464915629 and 4757b351ea9d59d71d4a38b82506d2d16fcd560d.