Modernizing the OpenSSL port 02 oct 2016 | Last updated: 02 oct 2016 00:00

Author: Bernard Spil | Category: FreeBSD
Tags: OpenSSL SSL FreeBSD Porting

During the last EuroBSDCon in Belgrade I took maintainership of the OpenSSL port in FreeBSD. At the same time there were OpenSSL releases fixing vulnerabilities and emergency fixes for regressions introduced. The port had not been updated to recent ports framework and I wanted to get it in line with latest porting techniques.

Modernizing the OpenSSL port

Introduction

The FreeBSD Ports framework has changed quite a bit over the past couple of years. Most changes make it easier to create ports as well as make them more readable.

All in all reworking the port reduced the number of lines by about a third. I've blogged about this before when creating the OpenSSL-devel port for 1.1.0.

OPTIONS_NG

The OPTIONS support in ports is pretty slick. It has been named OPTIONS_NG and is documented well in the Porter's Handbook.

Options-helpers

One of the main benefits is that repetitive constructs have been simplified. Where before you'd have

.if ${PORT_OPTIONS:MFOO}
CONFIGURE_ARGS+=    --enable-foo
.endif

you can now do that in a single line

FOO_CONFIGURE_ENABLE=   foo

which is a lot simpler. There's a complication in OpenSSL though, it doesn't use autoconf et. al. to configure the build but uses its own Perl Configure script. Autoconf uses --with-foo/--without-foo and --enable-bar/--no-bar for feature enabling/disabling but this doesn't always work. Luckily there's also the FOO_CONFIGURE_ON= foo/FOO_CONFIGURE_OFF= no-foo that we can use to work around the quirkyness of OpenSSL's Configure.

Basically OpenSSL comes with a default configuration and you need to only provide an extra option if you want the opposite of the default. Almost of the former .if ${PORT_OPTIONS:MFOO} blocks have been reworked into the options helpers. I've made some explicit (i.e. even add default options) to not get hit by changing options in coming releases.

ASM_CONFIGURE_OFF=  no-asm
EC_CONFIGURE_ON=    enable-ec_nistp_64_gcc_128
EC_CONFIGURE_OFF=   no-ec_nistp_64_gcc_128
I386_CONFIGURE_ON=  386
MD2_CONFIGURE_ON=   enable-md2
MD2_CONFIGURE_OFF=  no-md2
PADLOCK_PATCH_SITES=    http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock
PADLOCK_PATCHFILES= 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \
            1002-backport-changes-from-upstream-padlock-module.patch:padlock \
            1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \
            1004-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock
PADLOCK_VARS=       PATCH_DIST_STRIP=-p1
RC5_CONFIGURE_ON=   enable-rc5
RC5_CONFIGURE_OFF=  no-rc5
RFC3779_CONFIGURE_ON=   enable-rfc3779
RFC3779_CONFIGURE_OFF=  no-rfc3779
SCTP_CONFIGURE_ON=  sctp
SCTP_CONFIGURE_OFF= no-sctp
SHARED_CONFIGURE_ON=    shared
SHARED_MAKE_ENV=    SHLIBVER=${OPENSSL_SHLIBVER}
SHARED_PLIST_SUB=   SHLIBVER=${OPENSSL_SHLIBVER}
SHARED_USE=     ldconfig
SSE2_CONFIGURE_OFF= no-sse2
SSL2_CONFIGURE_ON=  enable-ssl2
SSL2_CONFIGURE_OFF= no-ssl2
SSL3_CONFIGURE_ON=  enable-ssl3
SSL3_CONFIGURE_OFF= no-ssl3 no-ssl3-method
THREADS_CONFIGURE_ON=   threads
THREADS_CONFIGURE_OFF=  no-threads
ZLIB_CONFIGURE_ON=  zlib zlib-dynamic
ZLIB_CONFIGURE_OFF= no-zlib no-zlib-dynamic

Order, standards

Most descriptions were defined using
<OPT>_DESC?= some description which is not standard. Replace ?= with a =

All OPTIONS should be kept together in a block as much as possible. Rearrange the descriptions to directly follow the other OPTIONS_* definitions

OPTIONS should be sorted alphabetically.

Grouping options

I see 4 groups in the options; ciphers, hashes, optimizations and protocols so add these as groups.

OPTIONS_GROUP=  CIPHERS HASHES OPTIMIZE PROTOCOLS
OPTIONS_GROUP_CIPHERS=  JPAKE RC2 RC4 RC5 DES
OPTIONS_GROUP_HASHES=   MD2 MD4
OPTIONS_GROUP_OPTIMS=   ASM I386 SSE2 SSL3
OPTIONS_GROUP_PROTOS=   SCTP SSL3
CIPHERS_DESC=   Cipher suites
HASHES_DESC=    Cryptographic Hash Functions
OPTIMIZE_DESC=  Optimizations
PROTOCOLS_DESC= Cryptographic protocols

This makes for a more structured and appealing make config dialog

Other changes

There were some more things in the port's Makefile that I wanted check. A short description follows.

MAKE_JOBS_UNSAFE

Back in 2009 the knob MAKE_JOBS_UNSAFE was defined for the OpenSSL port. I've not experienced issues in any of the builds I've done so it is removed now.

Shared libs conflicting with base

In 2006 a check was added to see if the base system had a higher SHLIBVER than the port which then resulted in a message and stopped building. This was at a time when there were still knobs for the port like WITH_OPENSSL_BETA, WITH_OPENSSL_097 and WITH_OPENSSL_SNAPSHOT that would result in different versions to be built and installed.

I currently can see no scenario in which this check would be valid. If at any point base (-CURRENT) has a newer version of OpenSSL than ports we can still add this check back in.

PORTVERSION

Last week I modified the PORTVERSION to no longer use the PORTREVISION suffix but to use the uptream version character(s). This also removes the need to set the CPE_VERSION as the default is OK.

MAN3 option

When you disabled MAN3 you'd still be generating all the section 3 manpages but they would be deleted shortly after. That was a waste of time and resources so this has now been changed to delete the .pod files after patching so we save ca. 3000 perl invocations.

This blog is proudly powered by Pelican, which takes great advantage of Python.

W3 Personal Blog is a flat bootstrap responsive theme designed by W3layouts ported to a pelican by Samael500.

Creative Commons LicenseThis work is CC-BY-4.0 licensed.