LibreBSD

Location for the patch-sets to replace OpenSSL with LibreSSL in FreeBSD

| Branch       | For          | Status               |
|--------------|--------------|----------------------|
| FreeBSD-10.3 | FreeBSD 10.3 | No longer maintained |
| FreeBSD-11.0 | FreeBSD 11.0 | Currently maintained |
| master       | FreeBSD HEAD | Needs updating       |

Note: There's no patch-set for the master branch; check out the repo and use it as an overlay for HEAD.

@attilagyorffy created a complete repo for 10.3 with the patches included.

LibreBSD

Before you ask: This will not be a fork! I intend to maintain this as a patch-set for the most recent release of FreeBSD and will maintain it for HardenedBSD as well.

Over the past weekend I managed to get LibreSSL to build, and all binaries to link to it, on HardenedBSD. The patches were created on a derivative of FreeBSD 11 (to be released later this year). See my earlier blog posts for more details (Part I and Part II).

I had tried to replace OpenSSL in FreeBSD 10 when I was at OpenBSD's LibreSSL hackathon in Varaždin (Croatia) last year, but hadn't managed to complete the project. The release of LibreSSL 2.4 also removed SSLv3, so my attention was on fixing fallout from that removal. 'Evidence' of that work and the patches can be found in the No-SSLv3 wiki article. As it turned out this time, it wasn't extremely difficult to do, so I thought it wouldn't take too much time to do this for FreeBSD 10 as well. FreeBSD 10.3 is nearing its completion, so where better to start than with the current first Release Candidate!

Feedback appreciated: I haven't replayed all the steps here, so do let me know where I've hidden my typos and mistakes! (email, Twitter, GitHub, Facebook, avionary)

The 'recipe'

You'll need to select the correct branch for your FreeBSD version.

  1. Download the LibreSSL 2.4 tarball.
  2. Extract this tarball into /usr/src/crypto and rename the directory from libressl-2.4.2 to libressl.
  3. Apply the patch-set from my GitHub repo.
  4. (Add WITH_LIBRESSL=yes to /etc/src.conf) No longer required, as it is now enabled by default.
  5. Rebuild and install your kernel and world (see the FreeBSD handbook chapter for details).
  6. Reboot.

Commands

As commands (assuming you already have checked out FreeBSD 11.0 into /usr/src):

```sh
cd ~
mkdir download && cd download
fetch http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.2.tar.gz
fetch https://raw.githubusercontent.com/Sp1l/LibreBSD/FreeBSD-11.0/patchset/11.0-RC1.svndiff
cd /usr/src/crypto
tar xf ~/download/libressl-2.4.2.tar.gz
# Rename the extracted directory, as the recipe describes (a fresh checkout
# has no crypto/libressl directory yet to move the files into).
mv libressl-2.4.2 libressl
cd /usr/src
patch -p0 < ~/download/11.0-RC1.svndiff
make buildworld && make buildkernel && make installkernel && make installworld
reboot
```

The fetch of the LibreSSL tarball: you should verify the downloaded tarball using signify or gpg. The make buildworld line: this will take quite a lot of time (probably hours) and is NOT the canonical way to do this. See the handbook chapter on rebuilding your system for a complete description!

Now that was easy wasn't it?
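To make the "verify the tarball" advice above concrete, here is an added example (not code from the LibreBSD repo) that checks the fetched tarball against the release's SHA256 list before it is extracted. It assumes OpenBSD's `SHA256 (file) = hex` list format (the plain SHA256 file or the signed SHA256.sig), and an optional third argument naming a signify public key; signify is only run when it is installed.

```sh
#!/bin/sh
# Added example: verify a downloaded LibreSSL tarball against the release's
# SHA256 list (OpenBSD format, assumed) before extracting it into /usr/src.

# Hex SHA-256 of a file, using sha256(1) on FreeBSD or sha256sum on Linux.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Absolute path of a file, so signify can be run from the tarball's directory.
abspath() { echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"; }

# Expected digest for a file name, matched exactly against the list entries
# ("SHA256 (name) = hex"); signature header lines in SHA256.sig do not match.
expected_sha256() {   # $1 = SHA256 list, $2 = file name
    awk -v f="$2" '$1 == "SHA256" && $2 == "(" f ")" && $3 == "=" { print $4; exit }' "$1"
}

# Returns 0 when the tarball matches its list entry (and, when a key is given
# and signify exists, the signature on the list verifies too); 1 otherwise.
verify_tarball() {   # $1 = tarball, $2 = SHA256 list, $3 = signify pubkey (optional)
    name=$(basename "$1")
    want=$(expected_sha256 "$2" "$name")
    [ -n "$want" ] || { echo "no SHA256 entry for $name" >&2; return 1; }
    have=$(file_sha256 "$1")
    [ "$have" = "$want" ] || { echo "checksum mismatch for $name" >&2; return 1; }
    if [ -n "$3" ] && command -v signify >/dev/null 2>&1; then
        # signify -C checks the signature on the list, then the named file.
        (cd "$(dirname "$1")" && signify -C -q -p "$(abspath "$3")" -x "$(abspath "$2")" "$name") || return 1
    fi
    return 0
}
```

Run it as `verify_tarball ~/download/libressl-2.4.2.tar.gz ~/download/SHA256.sig /path/to/libressl.pub` before the `tar xf` step; a non-zero exit means the archive should not be extracted.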

Update your ports

After upgrading the kernel and world you'll need to rebuild all ports. If before you had defined

```make
DEFAULT_VERSIONS+=	ssl:libressl-devel
# The old way of doing this
# WITH_OPENSSL_PORT=	yes
# OPENSSL_PORT=		security/libressl-devel
```

you can now remove these lines, but then you should rebuild world and kernel after every update of LibreSSL, unless the shared library version (and thus the ABI) stays the same.

Updating LibreSSL

LibreSSL frequently changes the shared library version, as proper software does. Yet at times a new version is released that retains the same shared library version as the previous release.

The files here will also be updated shortly after every LibreSSL release.

Shared library versions unchanged

If LibreSSL receives an update that has the same shared library version, you can use my guidance from the FreeBSD wiki after downloading and extracting the latest LibreSSL tarball as described in the recipe above.

```sh
cd /usr/src/secure/lib/libcrypto
make obj && make depend && make includes && make
make install
cd /usr/src/secure/lib/libssl
make clean && make depend && make includes && make
make install
cd /usr/src/secure/usr.bin/openssl
make clean && make
make install
```

Shared library version changed

The process is largely the same as the complete process, apart from applying the complete patches. The library version needs to be updated in the Makefile corresponding to the library. The version numbers you need are in files named VERSION in the corresponding directories of the LibreSSL sources. Copy that version into the Makefile for the library:

```make
SHLIB_MAJOR=    38
```

Additionally you should update the following info in secure/lib/libcrypto/Makefile.inc.libressl:

```make
OPENSSL_VER=    2.4.2
OPENSSL_DATE=   2016-08-01
```

The detail

Next to the patchset, I've also added all the files that were changed to my GitHub repo. The files are in their original location, so you can use these as an overlay for your /usr/src.

LibreSSL patches

FreeBSD 11 changed quite a lot in the build framework, so I had to adapt the patches for libcrypto, libssl and openssl accordingly. This made the build for the openssl binary fail, so I had to change

```make
LIBADD+= crypto ssl
```

into

```make
DPADD=  ${LIBSSL} ${LIBCRYPTO}
LDADD=  -lssl -lcrypto
```

The bulk of the patches I created for HardenedBSD just worked fine on 10.3.

base software patches

Most of the patches that I created for HardenedBSD applied cleanly.

  • The wpa patches are not required for 10.3; it ships a much older version that doesn't have all the OpenSSL version checks.


Issues

patch command in recipe needs `-p0` option

Hi,
About the 'recipe', I have a question.
The patch command needs the -p0 option, doesn't it?

The command `patch < ~/download/patchset` changes /usr/src/Makefile too, and it broke the build process.
The command `patch -p0 < ~/download/patchset` worked fine for me.

I'm using FreeBSD 10.3 (amd64).
I downloaded OS source code from ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/10.3-RELEASE/src.txz
LibreSSL is http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.2.tar.gz
patch is https://github.com/Sp1l/LibreBSD/raw/FreeBSD-10.3/patchset/patchset

Best Regards,

Buildworld fails at libdns and s3_both.c

Hi Bernard,

Unfortunately I do not have the logs. This said, however, I hope the following helps:

  1. I used: https://github.com/freebsd/freebsd/tree/releng/11.0 (directly from the readme) as source
  2. I followed all the instructions for patching the source
  3. Issued 'make buildworld' in /usr/src
  4. The first build failed in buffers.c (libdns), which included dane.h, which included ssl.h, with the following missing files (all of which were included with #include <openssl/xx>):
    e_os2.h
    pqueue.h
    symhack.h
  5. I checked /usr/obj/usr/src/tmp/usr/include/openssl/ and those files were indeed missing so I copied those files from /usr/src/crypto/openssl/ and /usr/src/crypto/openssl/include to /usr/obj/usr/src/tmp/usr/include/openssl/
  6. The build went farther this time but now it fails at:
    cc -target x86_64-unknown-freebsd11.0 --sysroot=/usr/obj/usr/src/tmp -B/usr/obj/usr/src/tmp/usr/bin -O2 -pipe -fPIC -DPIC -I/usr/src/secure/lib/libssl/../../../crypto/openssl -DTERMIOS -DANSI_SOURCE -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DAES_ASM -DBSAES_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DMD5_ASM -DGHASH_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DWHIRLPOOL_ASM -I/usr/src/secure/lib/libssl/../../../crypto/openssl/crypto -MD -MF.depend.s3_both.o -MTs3_both.o -std=gnu99 -fstack-protector-strong -Wno-pointer-sign -Wno-empty-body -Wno-string-plus-int -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value -Wno-parentheses-equality -Wno-unused-function -Wno-enum-conversion -Wno-unused-local-typedef -Wno-switch -Wno-switch-enum -Wno-knr-promoted-parameter -Wno-parentheses -Qunused-arguments -c /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_both.c -o s3_both.o
    /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_both.c:499:47: error:
    use of undeclared identifier 'EVP_PKEY_DHX'
    } else if (x && (i == EVP_PKEY_DH || i == EVP_PKEY_DHX)) {
    ^
    1 error generated.

Thank you.

Buildworld fails on libldns

Hi Bernard,

I do apologize but since the other issue was closed, I am opening a new issue. Please do let me know if there's any other method you would like me to use.

The build still failed even though I added WITH_LIBRESSL= "yes" to /etc/src.conf :
```text
===> lib/libldns (obj,all,install)
echo libprivateldns.so.5.full: /usr/obj/usr/src/tmp/usr/lib/libcrypto.a >> .depend
cc -O2 -pipe -I/usr/src/lib/libldns/../../contrib/ldns -MD -MF.depend.buffer.o -MTbuffer.o -std=gnu99 -fstack-protector-strong -Wsystem-headers -Werror -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wno-uninitialized -Wno-pointer-sign -Wno-empty-body -Wno-string-plus-int -Wno-unused-const-variable -Wno-tautological-compare -Wno-unused-value -Wno-parentheses-equality -Wno-unused-function -Wno-enum-conversion -Wno-unused-local-typedef -Qunused-arguments -c /usr/src/lib/libldns/../../contrib/ldns/buffer.c -o buffer.o
In file included from /usr/src/lib/libldns/../../contrib/ldns/buffer.c:12:
In file included from /usr/src/lib/libldns/../../contrib/ldns/ldns/ldns.h:98:
In file included from /usr/src/lib/libldns/../../contrib/ldns/ldns/dane.h:31:
/usr/obj/usr/src/tmp/usr/include/openssl/ssl.h:146:11: fatal error:
'openssl/e_os2.h' file not found
#include <openssl/e_os2.h>
          ^
1 error generated.
*** Error code 1

Stop.
make[4]: stopped in /usr/src/lib/libldns
*** Error code 1

Stop.
make[3]: stopped in /usr/src
*** Error code 1

Stop.
make[2]: stopped in /usr/src
*** Error code 1

Stop.
make[1]: stopped in /usr/src
*** Error code 1

Stop.
make: stopped in /usr/src
```

With kind regards,
Michel
