Replace OpenSSL 1.1.0 with upstream ones

Description

The patches from bug 228902 and added in r481850 are not entirely compatible
with older OpenSSL versions, to the point that the qca-ossl plugin refuses to
load at all on FreeBSD 11.2, for example (see bug 232784 and its duplicates).

Fix it by replacing our patches with backports from upstream the same way
OpenSUSE does it (the OpenSSL 1.1.0 upstream patch was authored by SUSE):

  • Revert an upstream commit made only to the 2.1 branch disabling a few ciphers in the unit tests.
  • Backport a change to the master branch that never made it to the 2.1 branch disabling the ciphers mentioned above as well as a few other ones, so that we can backport the actual change adding support for OpenSSL 1.1.0 more cleanly.
  • Backport the actual OpenSSL 1.1.0 support commit, with a few conflicts resolved due to the lack of a commit adding support for AES GCM and AES CCM in the 2.1 branch. The patch was actually obtained from OpenSUSE's repositories, since they had to resolve the same conflict as well.

The port built fine on 11.2-i386, an old 12-CURRENT snapshot on amd64 as well
as 13-CURRENT on amd64, and all unit tests are passing except for some PGP ones
that are unrelated. With the patches we have in the tree, a lot of unit tests
failed on 11.2 due to the qca-ossl plugin failing to load.

PR: 228902
PR: 232784
Reviewed by: tcberner
Differential Revision: https://reviews.freebsd.org/D19347

Details

Committed
rakuco, Feb 27 2019, 7:22 PM
Reviewer
tcberner
Differential Revision
D19347: devel/qca: Replace OpenSSL 1.1.0 with upstream ones
Parents
rP494078: net/ceph: rename to net/ceph12, update 12.2.7 -> 12.2.11