Date: Mon, 02 Jul 2012 13:39:25 -0400
From: Jung-uk Kim <jkim@FreeBSD.org>
To: freebsd-security@FreeBSD.org
Cc: Ben Laurie <benl@freebsd.org>, Stanislav Sedov <stas@freebsd.org>, "Bjoern A. Zeeb" <bz@freebsd.org>
Subject: [PATCH] Switch to OpenSSL 1.0.1 branch
Message-ID: <4FF1DCCD.6060109@FreeBSD.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have upgraded OpenSSL in the base to 0.9.8x for all supported
branches. Now it is time to move *head* to OpenSSL 1.0.1 branch[1].
Here is the patch to switch OpenSSL from 0.9.8x to 1.0.1c:

http://people.freebsd.org/~jkim/openssl-1.0.1c.diff.bz2

I had to compress it because the patch was too big, unfortunately. :-(

Some notes:

- - Configuration is relatively close to what you'd expect when you run
config script with the following options[2]:

enable-rc5 enable-rfc3779 shared

- - MD2 was removed because a) it was deprecated by OpenSSL team and
disabled by default and b) we did the same for libmd.

- - Optimized i386 asm files are updated and new files are added.
Optimized amd64 asm files are added.

- - opensslconf-amd64.h and opensslconf-i386.h are merged to a new
opensslconf-x86.h[3].

- - A small change to libfetch was necessary to avoid buildworld breakage:

- --- lib/libfetch/common.h
+++ lib/libfetch/common.h
@@ -63,7 +63,7 @@ struct fetchconn {
 SSL *ssl; /* SSL handle */
 SSL_CTX *ssl_ctx; /* SSL context */
 X509 *ssl_cert; /* server certificate */
- - SSL_METHOD *ssl_meth; /* SSL method */
+ const SSL_METHOD *ssl_meth; /* SSL method */
 #endif
 int ref; /* reference count */
 };

- - Another small change to OpenSSL was necessary to avoid buildworld
breakage:

- --- crypto/openssl/ssl/srtp.h
+++ crypto/openssl/ssl/srtp.h
@@ -135,7 +135,6 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
 STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
- -SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);

 #ifdef __cplusplus
 }

It was very briefly tested on amd64 (and on i386 chroot).

Cheers,
Jung-uk Kim

1. We have no plan to switch stable branches to 1.0.X.
2. Add "no-asm" for non-x86 platforms. I believe rc5 and rfc3779 were
forcefully enabled on FreeBSD for POLA.
3. Very minimal changes were done for non-x86 platforms. They need
platform maintainers' attention.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/x3M0ACgkQmlay1b9qnVMClwCdEL1Vq2+r6fm3UAcMXqG0lUeB
+lMAnj9thNnXcgTd8JbzBzdlvfL59i7C
=tJYx
-----END PGP SIGNATURE-----
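Review bot: the `const` added to `ssl_meth` in the `struct fetchconn` hunk of lib/libfetch/common.h is the right fix for 1.0.1, where `SSLv23_client_method()` and friends return `const SSL_METHOD *`, but the qualifier propagates to every consumer of the field, so please confirm that the code assigning and consuming `ssl_meth` (in particular wherever it is handed to `SSL_CTX_new()`, whose parameter is `const SSL_METHOD *` only from 1.0.0 on) still builds cleanly under libfetch's WARNS level and that no call site quietly strips the qualifier with a cast. Since footnote 1 says head is the only branch moving to 1.0.1, keeping a 0.9.8-compatible non-const declaration in the same header is unnecessary, but the libfetch change should land in the same commit as the library switch so the tree is never left unbuildable between the two.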
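Review bot: the line removed in the crypto/openssl/ssl/srtp.h hunk is a second, identical prototype of `SSL_get_selected_srtp_profile()`; the hunk header's own context (`SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);`) shows the first declaration already present just above, so dropping the duplicate is correct. Two things are missing around it: a repeated identical prototype is legal C, so the buildworld breakage must come from a warning promoted to an error in some consumer, and the commit message should name that flag so the next reader understands why a vendor header was touched; and because this is a local divergence from upstream 1.0.1c inside crypto/openssl, record it wherever the tree's other local OpenSSL modifications are listed (and send it upstream), otherwise it will be silently lost on the next import.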
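The MD2 removal noted above has one operational consequence worth checking before the switch: any certificate whose signature algorithm is md2WithRSAEncryption stops verifying against a libcrypto built without MD2. The following is an added example, not code from the post or from FreeBSD, that scans a PEM bundle for such certificates by walking the outer DER structure of each Certificate and decoding the signatureAlgorithm OID, so no full X.509 parser is needed. The helper names and the synthetic certificates it builds as sample input are the example's own assumptions; the sample certificates are constructed with a stand-in tbsCertificate and a dummy signature and are not usable as real certificates.

```python
"""Flag certificates in a PEM bundle whose signature algorithm is MD2."""
import base64
import re

# PKCS #1 signature OIDs (RFC 3279); the MD2 one is what an MD2-less libcrypto cannot verify.
MD2_WITH_RSA = "1.2.840.113549.1.1.2"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]: returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, acc, pending = [content[0] // 40, content[0] % 40], 0, False
    for b in content[1:]:                  # base-128, high bit set on all but the last octet
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, _tbs, pos = read_tlv(cert, 0)     # skip tbsCertificate without parsing it
    tag2, alg, _ = read_tlv(cert, pos)     # AlgorithmIdentifier
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("unexpected structure in Certificate")
    tag, oid, _ = read_tlv(alg, 0)         # algorithm OBJECT IDENTIFIER; parameters ignored
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def md2_signed_certs(pem_bundle):
    """Return [(index, oid)] for every certificate in the bundle signed with MD2."""
    hits = []
    for i, m in enumerate(PEM_CERT.finditer(pem_bundle)):
        der = base64.b64decode(b"".join(m.group(1).split()))
        oid = signature_algorithm_oid(der)
        if oid == MD2_WITH_RSA:
            hits.append((i, oid))
    return hits


# --- constructed sample input: synthetic certificates, not real ones -----------------
def _tlv(tag, content):
    """Minimal DER encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _toy_cert(sig_oid):
    """Outer Certificate layout only; tbsCertificate is a stand-in (>127 bytes, exercising long-form lengths)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x04, b"\x00" * 200))
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")   # parameters = NULL, as RSA PKCS #1 uses
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 128)        # BIT STRING, no unused bits, dummy value
    return _tlv(0x30, tbs + alg + sig)


def _pem(der):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = b"".join(_pem(_toy_cert(o)) for o in (SHA256_WITH_RSA, MD2_WITH_RSA, SHA1_WITH_RSA))
```

Run `md2_signed_certs()` over a real bundle (for example the file a libfetch-based tool is pointed at) to get the indices of the offending certificates; on the constructed sample it reports only the second certificate. The walker deliberately reads only the outer three-element SEQUENCE, so it copes with any tbsCertificate content and with long-form lengths, but it rejects indefinite lengths and truncated buffers rather than guessing.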
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FF1DCCD.6060109>