
OpenSSL: update Makefiles to reflect 3.5.1 release
Closed, Public

Authored by ngie on Mon, Sep 15, 6:08 PM.

Details

Summary

This is a targeted effort to update the INCS and SRCS entries for
libcrypto, the legacy provider, and libssl to match what upstream
(OpenSSL) builds in their respective libraries.

The number of stylistic changes was kept to a minimum.

Another incoming change will reformat this file to make future
maintenance easier.

MFC after: 1 week

Test Plan
  • Confirmed that basic functionality with the library and legacy provider functioned as desired on a recent version of main.
  • Did some basic cryptographic operations.
  • Used libssl in limited client applications.

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Not Applicable
Unit: Tests Not Applicable

Event Timeline

ngie requested review of this revision. (Mon, Sep 15, 6:08 PM)
ngie added a reviewer: khorben.
ngie added a subscriber: philip.
ngie added a subscriber: jhb.
secure/lib/libcrypto/Makefile, lines 623–627

This section rendered oddly in Phabricator. It looks correct on the branch.

ngie added inline comments.
secure/lib/libcrypto/Makefile, line 427

These SRCS (in the file and elsewhere) were removed because they're technically legacy algorithms and should not be in the base/default provider.

Is anyone interested in reviewing this change?

How did you come up with these changes? What was the methodology that got this changeset?

Ah, fair!

The changes originally came from a larger change, D52009, which was based on a Python Makefile generator [1] I wrote which parsed the Makefiles produced and consumed by the upstream OpenSSL project.

As I said in this CR, my goal is to take the larger change from D52009 and remove the unnecessary stylistic changes so the net result is easier to visualize for reviewers.

[1] Unfortunately I lost the version which generated the last batch of Makefiles -.-...

Looking at what should be in the legacy provider, I fell down this rabbit hole by looking at a completely stock build of 3.5.4-dev on my Mac (I should probably check on a FreeBSD system and see if it is any different, but that would require a small amount of effort and I'm about to go to a dinner) and see this list as the primary objects that end up in the legacy provider:

crypto/des/liblegacy-lib-des_enc.o
crypto/des/liblegacy-lib-fcrypt_b.o
crypto/md5/liblegacy-lib-md5-aarch64.o
crypto/md5/liblegacy-lib-md5_dgst.o
crypto/md5/liblegacy-lib-md5_one.o
crypto/md5/liblegacy-lib-md5_sha1.o
crypto/rc4/liblegacy-lib-rc4_enc.o
crypto/rc4/liblegacy-lib-rc4_skey.o
providers/common/liblegacy-lib-provider_util.o
providers/implementations/ciphers/liblegacy-lib-cipher_blowfish.o
providers/implementations/ciphers/liblegacy-lib-cipher_blowfish_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_cast5.o
providers/implementations/ciphers/liblegacy-lib-cipher_cast5_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_des.o
providers/implementations/ciphers/liblegacy-lib-cipher_des_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_desx.o
providers/implementations/ciphers/liblegacy-lib-cipher_desx_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_idea.o
providers/implementations/ciphers/liblegacy-lib-cipher_idea_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_rc2.o
providers/implementations/ciphers/liblegacy-lib-cipher_rc2_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_rc4.o
providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5.o
providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hmac_md5_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_rc4_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_seed.o
providers/implementations/ciphers/liblegacy-lib-cipher_seed_hw.o
providers/implementations/ciphers/liblegacy-lib-cipher_tdes_common.o
providers/implementations/digests/liblegacy-lib-md4_prov.o
providers/implementations/digests/liblegacy-lib-mdc2_prov.o
providers/implementations/digests/liblegacy-lib-ripemd_prov.o
providers/implementations/digests/liblegacy-lib-wp_prov.o
providers/implementations/kdfs/liblegacy-lib-pbkdf1.o
providers/implementations/kdfs/liblegacy-lib-pvkkdf.o
providers/liblegacy-lib-prov_running.o

secure/lib/libcrypto/modules/legacy/Makefile, line 6

Missing:
cipher_idea.c
cipher_idea_hw.c

secure/lib/libcrypto/modules/legacy/Makefile, line 32

Missing:
mdc2_prov.c

Yup! That's the gist of what my template script ingested and mapped out to appropriate INCS, SRCS, etc.

secure/lib/libcrypto/modules/legacy/Makefile, line 6

The IDEA algorithm is explicitly disabled in crypto/openssl/BSDmakefile.

Interestingly enough we used to ship with IDEA on in stable/13, but disabled it in stable/14. Huh...

Not sure if it should be enabled or disabled given documentation about it being broken back in 2011/2012, but I feel like enabling it is outside the scope of this review (but possibly worth addressing as a separate commit).

secure/lib/libcrypto/modules/legacy/Makefile, line 32

mdc2 is also disabled explicitly in crypto/openssl/BSDmakefile, for consistency with the original delivered 3.0/3.5 product.
The last time we shipped mdc2 was in stable/13 as well.
mdc2 appears to have had some patent concerns in the past, but that seems to no longer be an issue: https://en.wikipedia.org/wiki/MDC-2#Patent_issues
Not sure if mdc2 should be enabled, but if so, it should be enabled on 3.0 as well as 3.5 as part of a separate commit, like IDEA (IMHO).
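
The comparison made in this exchange (upstream legacy-provider objects versus the SRCS a Makefile lists, with IDEA and mdc2 set aside as deliberately disabled) can be scripted. This is an added example, not the author's lost generator and not FreeBSD code; the Makefile fragment, `cipher_example.c` and all function names are constructed for illustration, and the `liblegacy-lib-` prefix mapping is taken from the object list quoted above.

```python
import re
from pathlib import PurePosixPath

OBJ_PREFIX = "liblegacy-lib-"  # object-name prefix seen in the list on this page

# Subset of the upstream object list quoted in the review.
UPSTREAM_OBJECTS = [
    "providers/implementations/ciphers/liblegacy-lib-cipher_des.o",
    "providers/implementations/ciphers/liblegacy-lib-cipher_idea.o",
    "providers/implementations/ciphers/liblegacy-lib-cipher_idea_hw.o",
    "providers/implementations/ciphers/liblegacy-lib-cipher_seed.o",
    "providers/implementations/digests/liblegacy-lib-md4_prov.o",
    "providers/implementations/digests/liblegacy-lib-mdc2_prov.o",
]

# Constructed fragment for illustration; NOT the real legacy/Makefile.
SAMPLE_MAKEFILE = r"""
# legacy provider sources (constructed)
SRCS+= cipher_des.c \
       cipher_example.c
SRCS+= md4_prov.c
"""

def object_stems(object_paths):
    """Map upstream object paths to source stems, e.g. 'cipher_idea_hw'."""
    names = (PurePosixPath(p.strip()).name for p in object_paths)
    return {n[len(OBJ_PREFIX):-2] for n in names
            if n.startswith(OBJ_PREFIX) and n.endswith(".o")}

def makefile_srcs(text):
    """Collect stems from SRCS= / SRCS+= lines, joining backslash continuations."""
    stems = set()
    for line in re.sub(r"\\\n", " ", text).splitlines():
        m = re.match(r"\s*SRCS\s*\+?=\s*(.*)", line.split("#", 1)[0])
        if m:
            stems.update(PurePosixPath(tok).stem for tok in m.group(1).split())
    return stems

def audit(object_paths, makefile_text, disabled=()):
    """Split upstream-only sources into real gaps and deliberately disabled ones."""
    upstream, local = object_stems(object_paths), makefile_srcs(makefile_text)
    off = lambda stem: any(alg in stem.split("_") for alg in disabled)
    gap = upstream - local
    return {"missing": sorted(s for s in gap if not off(s)),
            "disabled": sorted(s for s in gap if off(s)),
            "extra": sorted(local - upstream)}

if __name__ == "__main__":
    print(audit(UPSTREAM_OBJECTS, SAMPLE_MAKEFILE, disabled=("idea", "mdc2")))
```

Anything reported under `extra` is a source the local Makefile builds that upstream does not put in the legacy provider, which is the direction worth reviewing first when the goal is keeping legacy algorithms out of the default provider.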

Seems fine to me. I haven't tested at all, just reviewed the change on Phab. Everything here makes as much sense as I can make out of it (take that for what you will :-)

This revision is now accepted and ready to land. (Thu, Sep 18, 12:32 AM)