diff --git a/crypto/openssl/FREEBSD-upgrade b/crypto/openssl/FREEBSD-upgrade deleted file mode 100644 --- a/crypto/openssl/FREEBSD-upgrade +++ /dev/null @@ -1,122 +0,0 @@ - FreeBSD maintainer's guide to OpenSSL - ===================================== - - These instructions assume you have a clone of the FreeBSD git repo - main branch in src/freebsd/main, and will store vendor trees under - src/freebsd/vendor/. In addition, this assumes there is a "freebsd" - origin pointing to git(repo).freebsd.org/src.git. - -01) Switch to the vendor branch: - - $ cd src/freebsd/main - $ git worktree add -b vendor/openssl-X.Y ../vendor/openssl-X.Y freebsd/vendor/openssl-X.Y - $ cd ../vendor/openssl-X.Y - -02) Download the latest OpenSSL tarball and signature from the official - website (https://www.openssl.org/source/). - - $ (cd .. && fetch https://github.com/openssl/openssl/releases/download/openssl-X.Y.Z/openssl-X.Y.Z.tar.gz) - $ (cd .. && fetch https://github.com/openssl/openssl/releases/download/openssl-X.Y.Z/openssl-X.Y.Z.tar.gz.asc) - -03) Verify the signature: - - $ gpg --verify ../openssl-X.Y.Z.tar.gz.asc ../openssl-X.Y.Z.tar.gz - -04) Unpack the OpenSSL tarball to the parent directory: - - $ tar xf ../openssl-X.Y.Z.tar.gz -C .. - -05) Copy to the vendor branch: - - $ rsync --exclude .git --delete -av ../openssl-X.Y.Z/ . - -06) Take care of added / deleted files: - - $ git add -A - -07) Commit: - - $ git commit -m "openssl: Vendor import of OpenSSL X.Y.Z" - -08) Tag: - - $ git tag -a -m "Tag OpenSSL X.Y.Z" vendor/openssl/X.Y.Z - - At this point the vendor branch can be pushed to the FreeBSD repo via: - - $ git push freebsd vendor/openssl-X.Y - $ git push freebsd vendor/openssl/X.Y.Z - - Note the second "git push" command is used to push the tag, which is - not pushed by default. - - It is also possible to push the branch and tag together, but use - --dry-run first to ensure that no undesired tags will be pushed: - - $ git push --dry-run --follow-tags freebsd vendor/openssl-X.Y - $ git push --follow-tags freebsd vendor/openssl-X.Y - - The update and tag could instead be pushed later, along with the merge - to main, but pushing now allows others to collaborate. - -09) Merge from the vendor branch: - - $ git subtree merge -P crypto/openssl vendor/openssl-X.Y - - A number of files have been deleted from FreeBSD's copy of OpenSSL. - If git prompts for these deleted files during the merge, choose 'd' - (leaving them deleted). - -10) Resolve conflicts. Remember to bump the version and date in - secure/lib/libcrypto/Makefile.inc and - crypto/openssl/include/openssl/opensslv.h. - -11) Diff against the vendor branch: - - $ git diff --diff-filter=M vendor/openssl/X.Y.Z HEAD:crypto/openssl - - Review the diff for any unexpected changes. - -12) Re-generate the assembly files: - - $ cd secure/lib/libcrypto - $ make cleanasm buildasm - -13) Update the appropriate makefiles to reflect changes in the vendor's - build.info files. This is especially important if source files have - been added or removed. Keep in mind that the assembly files generated - belong to sys/crypto/openssl, and will therefore affect the kernel as - well. - -14) If symbols have been added or removed, update the appropriate - Version.map to reflect these changes. - -15) Compare compilation flags, the list of files built and included, the - list of symbols generated with the corresponding port if available. - -16) Re-generate the manual files: - - $ tar xzf openssl-X.Y.Z.tar.gz - $ (cd openssl-X.Y.Z && ./Configure --prefix=/usr --openssldir=/etc/ssl && - make build_man_docs) - [...] - $ find openssl-X.Y.Z/doc/man/man1 -name '*.1' -exec cp {} secure/usr.bin/openssl/man/ \; - $ find openssl-X.Y.Z/doc/man/man3 -name '*.3' -exec cp {} secure/lib/libcrypto/man/man3/ \; - $ find openssl-X.Y.Z/doc/man/man5 -name '*.5' -exec cp {} secure/lib/libcrypto/man/man5/ \; - $ find openssl-X.Y.Z/doc/man/man7 -name '*.7' -exec cp {} secure/lib/libcrypto/man/man7/ \; - $ grep -nrF usr/local secure/lib/libcrypto/man secure/usr.bin/openssl/man - [correct the references to the prefix and OpenSSL directories] - $ git commit --amend secure/lib/libcrypto/man secure/usr.bin/openssl/man - - Review the diff and tree status for anything requiring attention. - -16) Build and install world, reboot, test. - -17) Test the legacy provider as well: (here with "test" as the password) - - $ echo test | openssl rc4 -provider legacy -e -a -pbkdf2 - enter RC4 encryption password: - Verifying - enter RC4 encryption password: - U2FsdGVkX1+JvhqxLMOvlxvTi1/h - -18) Commit and hope you did not miss anything. diff --git a/crypto/openssl/FREEBSD-upgrade.md b/crypto/openssl/FREEBSD-upgrade.md new file mode 100644 --- /dev/null +++ b/crypto/openssl/FREEBSD-upgrade.md @@ -0,0 +1,204 @@ +# FreeBSD maintainer's guide to OpenSSL + +## Assumptions + +These instructions assume the following: + +- A git clone of FreeBSD will be available at `$GIT_ROOT/src/freebsd/main` with + an origin named `freebsd`. Example: + ``` +git clone -o freebsd git@gitrepo.freebsd.org:src.git "$GIT_ROOT/src/freebsd/main" + ``` +- The vendor trees will be stored under `$GIT_ROOT/src/freebsd/vendor/`. + +## Software requirements + +The following additional software must be installed from ports: + +- lang/perl5 +- lang/python +- net/rsync +- security/gnupg + +## Warning + +This is a long and complicated process, in part because OpenSSL is a large, +complex, and foundational software component in the FreeBSD distribution. A +lot of the overall process has been automated to reduce potential human error, +but some rough edges still exist. These rough edges have been highlighted in +the directions. + +## Process + +### Notes + +The following directions use X.Y.Z to describe the major, minor, subminor +versions, respectively for the OpenSSL release. Please substitute the values as +appropriate in the directions below. + +All single commands are prefixed with `%`. + +### Variables + +``` +% OPENSSL_VER_MAJOR_MINOR=X.Y +% OPENSSL_VER_FULL=X.Y.Z +% RELEASE_TARFILE="openssl-${OPENSSL_VER_FULL}.tar.gz" +% BASE_URL="https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VER_FULL}/${RELEASE_TARFILE}" +``` + +### Switch to the vendor branch + +``` +% cd "$GIT_ROOT/src/freebsd/main" +% git worktree add -b vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} \ + ../vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} \ + freebsd/vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} +% cd "$GIT_ROOT/src/freebsd/vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} +``` + +### Download the latest OpenSSL release + +The following instructions demonstrate how to fetch a recent OpenSSL release +and its corresponding artifacts (release SHA256 checksum; release PGP +signature) from the [official website](https://www.openssl.org/source/). + +``` +% (cd .. && fetch ${BASE_URL} ${BASE_URL}.asc ${BASE_URL}.sha256) +``` + +### Verify the release authenticity and integrity + +**NOTE**: this step requires importing the project author's PGP keys beforehand. +See the [sources webpage](https://openssl-library.org/source/) for more +details. + +This step uses the PGP signature and SHA256 checksum files to verify the release +authenticity and integrity, respectively. + +``` +% (cd .. && sha256sum -c ${RELEASE_TARFILE}.sha256) +% (cd .. && gpg --verify ${RELEASE_TARFILE}.asc) +``` + +### Unpack the OpenSSL tarball to the parent directory + +``` +% (cd .. && tar xf ../${RELEASE_TARFILE}) +``` + +### Update the sources in the vendor branch + +**IMPORTANT**: the trailing slash in the source directory is required! + +``` +% rsync --exclude .git --delete -av ../openssl-${OPENSSL_VER_FULL}/ . +``` + +### Take care of added / deleted files + +``` +% git add -A +``` + +### Commit, tag, and push + +``` +% git commit -m "openssl: Vendor import of OpenSSL ${OPENSSL_VER_FULL}" +% git tag -a -m "Tag OpenSSL ${OPENSSL_VER_FULL}" vendor/openssl/${OPENSSL_VER_FULL} +``` + +The update and tag could instead be pushed later, along with the merge +to main, but pushing now allows others to collaborate. + +#### Push branch update and tag separately + +At this point the vendor branch can be pushed to the FreeBSD repo via: +``` +% git push freebsd vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} +% git push freebsd vendor/openssl/${OPENSSL_VER_FULL} +``` + +**NOTE**: the second "git push" command is used to push the tag, which is not +pushed by default. + +#### Push branch update and tag simultaneously + +It is also possible to push the branch and tag together, but use +`--dry-run` first to ensure that no undesired tags will be pushed: + +``` +% git push --dry-run --follow-tags freebsd vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} +% git push --follow-tags freebsd vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} +``` + +### Remove any existing patches and generated files. + +``` +% make clean +``` + +Please note that this step does not remove any generated manpages: this happens +in a later step. + +### Merge from the vendor branch and resolve conflicts + +``` +% git subtree merge -P crypto/openssl vendor/openssl-${OPENSSL_VER_MAJOR_MINOR} +``` + +**NOTE**: Some files may have been deleted from FreeBSD's copy of OpenSSL. +If git prompts for these deleted files during the merge, choose 'd' +(leaving them deleted). + +### Patch, configure, and regenerate all files + +The following commands turn the crank associated with the vendor release +update: + +``` +% make patch +% make configure +% make all +``` + +This process updates all generated files, syncs the manpages with the new release, +regenerates assembly files, etc. + +For now, any build-related changes, e.g., a assembly source was removed, a manpage +was added, etc, will require makefile updates. + +### Diff against the vendor branch + +Review the diff for any unexpected changes: + +``` +% git diff --diff-filter=M vendor/openssl/${OPENSSL_VER_FULL} HEAD:crypto/openssl +``` + +The net-result should be just the applied patches from the freebsd/ directory. + +### Make build-related changes + +**IMPORTANT**: manual adjustments/care needed here. + +Update the appropriate makefiles to reflect changes in the vendor's +`build.info` metadata file. This is especially important if source files have +been added or removed. Keep in mind that the assembly files generated belong in +`sys/crypto/openssl`, and will therefore affect the kernel as well. + +If symbols have been added or removed, update the appropriate `Version.map` to +reflect these changes. Please try to stick to the new versioning scheme in the +target OpenSSL release to improve interoperability with binaries compiled +dynamically against the ports version of OpenSSL, for instance. + +Compare compilation flags, the list of files built and included, the list of +symbols generated with the corresponding port if available. + +### Build, install, and test + +Build and install a new version of world and the kernel with the newer release +of OpenSSL. Reboot the test host and run any appropriate tests using kyua, +`make checkworld`, etc. + +### Commit and push