This document describes an approach applied to packaging OpenSSL for build2.
In particular, this understanding will be useful when upgrading to a new
upstream version.

The upstream package contains the libcrypto and libssl libraries and the
openssl program, all of which we package separately (see the respective
README-DEV files for details). It also contains dynamically loaded engines,
providers, and tests that we currently don't package.

We add the upstream package as a git submodule and symlink the required files
and subdirectories into the build2 package subdirectories. Then, when required,
we "overlay" the upstream with our own headers, placing them into the
library/program directories and their downstream/ subdirectories.

Note that symlinking upstream submodule subdirectories into a build2 package
subdirectory results in intermediate build files (.d, .o, etc) being created
inside the upstream directory when the package is built in the source tree.
That's why we need to make sure that packages do not share upstream source
files via subdirectory symlinks: otherwise they would also share the related
intermediate files. If several packages need to compile the same upstream
source file, then only one of them can symlink it via the parent directory
while the others must symlink it directly. We also add the
`ignore = untracked` configuration option to .gitmodules to make sure that git
ignores the intermediate build files under the upstream/ subdirectory.

Normally, when packaging a project, we need to replace some auto-generated
headers with our own implementations and deduce compilation/linking options.
For autoconf/cmake-based projects we rely on the Makefile.am, CMakeLists.txt
and .in/.cmake files for that. For OpenSSL, which uses its own Perl
script-based build infrastructure, that's not an option. Instead, we analyze
the auto-generated files (headers, makefiles, configdata.pm, etc.) and build
logs, produced for multiple platforms/architectures, and use some of them at
build time. For convenience, we have also stashed some of them in
upstream-build/.

The upstream package can be configured to expose a specific feature set. We
reproduce the union of features configured for the upstream source package in
the Debian and Fedora distributions. The configuration options defining these
sets are specified in Debian's rules file and Fedora's RPM .spec file. These
files can be obtained as follows:

$ wget https://kojipkgs.fedoraproject.org/packages/openssl/3.2.2/1.fc40/src/openssl-3.2.2-1.fc40.src.rpm
$ rpm2cpio openssl-3.2.2-1.fc40.src.rpm | cpio -civ '*.spec'

$ wget http://deb.debian.org/debian/pool/main/o/openssl/openssl_3.3.1-1.debian.tar.xz
$ tar xf openssl_3.3.1-1.debian.tar.xz debian/rules

As a side note, on Debian and Fedora the libraries, headers and utility are
packaged as follows:

                libcrypto+libssl  headers        openssl
Debian/Ubuntu:  libssl3           libssl-dev     openssl
Fedora/RHEL:    openssl-libs      openssl-devel  openssl

Search for the Debian and Fedora packages at https://packages.debian.org/search
and https://src.fedoraproject.org/.

Here are the discovered configuration options.

Debian:

  no-idea no-mdc2 no-rc5 no-zlib no-ssl3 enable-unit-test no-ssl3-method
  enable-rfc3779 enable-cms no-capieng no-rdrand enable-tfo enable-zstd
  enable-zlib

Fedora:

  enable-zlib enable-camellia enable-seed enable-rfc3779 enable-sctp
  enable-cms enable-md2 enable-rc5 enable-ktls enable-fips no-mdc2 no-ec2m
  no-sm2 no-sm4 enable-buildtest-c++

The union of these feature sets translates into the following options, after
suppressing the defaults:

  no-mdc2 enable-rc5 enable-zlib enable-rfc3779 enable-cms enable-zstd
  enable-sctp enable-md2 enable-ktls enable-fips

We, however, drop the external dependencies that are not packaged for build2,
dynamically loaded engines and providers (fips, etc). Besides that, we add
no-asm to suppress replacing C code with auto-generated ASM code for some
algorithms. Later, we can potentially pre-generate ASM code for architectures
we support and get rid of this option. Also we add no-devcryptoeng as
devcryptoeng is automatically enabled on BSDs. So the resulting options are:

  no-mdc2 enable-rc5 enable-zlib enable-rfc3779 enable-cms enable-zstd
  enable-md2 enable-ktls no-dynamic-engine no-legacy no-asm no-devcryptoeng

Note that while we can use the upstream/{INSTALL,Configure} files to
understand which of the 'enable-<feature>' or 'no-<feature>' options are the
default ones, it is a good idea to verify the effective option set printed by
the `./configdata.pm --options` command run in the configuration directory.

Also note that on Windows you would need to additionally pass VC-WIN32 (i386)
or VC-WIN64A (x86_64) as the first argument to the Configure script when
configuring for building with VC (see upstream/INSTALL.md for details).

To build the upstream package and obtain the build log, run the following
commands in its root directory.

On POSIX and for MinGW GCC:

$ mkdir build
$ cd build
$ ../Configure no-mdc2 enable-rc5 enable-zlib enable-rfc3779 enable-cms \
  enable-zstd enable-md2 enable-ktls no-dynamic-engine no-legacy no-asm \
  no-devcryptoeng >build.log 2>&1
$ make VERBOSE=1 >>build.log 2>&1

For MSVC:

> mkdir build
> cd build
> perl ../Configure VC-WIN64A no-mdc2 enable-rc5 enable-zlib enable-rfc3779 ^
  enable-cms enable-zstd enable-md2 enable-ktls no-dynamic-engine no-legacy ^
  no-asm no-devcryptoeng >build.log 2>&1
> nmake VERBOSE=1 >>build.log 2>&1

When the packaging is complete, build all the project packages in the source
tree and make sure that no OpenSSL headers are included from the system by
running the following command from the project root:

$ fgrep -a -e /usr/include/openssl `find . -type f -name '*.d'`
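
A fail-closed variant of the check above, suitable for a CI step. This is an
added example, not part of the original README or of the build2 project; the
function name check_no_system_openssl, its arguments and its exit codes are
assumptions of this example.

```shell
# Added example: fail-closed variant of the README's fgrep check.
# Usage: check_no_system_openssl [project-root] [system-include-prefix]
# Returns 0 if clean, 1 if some .d file references the system headers,
# 2 if there are no .d files at all (nothing was built in the source tree,
# so a "no match" result would prove nothing).
check_no_system_openssl() {
  root=${1:-.}
  prefix=${2:-/usr/include/openssl}

  # With an empty file list the backtick form leaves fgrep reading stdin;
  # treat "no dependency files" as an error instead.
  if [ -z "$(find "$root" -type f -name '*.d' -print | head -n 1)" ]; then
    echo "no .d files under $root: build the packages first" >&2
    return 2
  fi

  # -exec ... {} + hands file names to grep safely (spaces, long lists);
  # -l prints only the names of the offending dependency files.
  # find exits non-zero when grep finds nothing, hence the '|| :'.
  hits=$(find "$root" -type f -name '*.d' \
           -exec grep -F -a -l -e "$prefix" {} +) || :

  if [ -n "$hits" ]; then
    echo "system OpenSSL headers referenced by:" >&2
    printf '%s\n' "$hits" >&2
    return 1
  fi
  return 0
}
```

Call it as `check_no_system_openssl .` from the project root; pass a second
argument when the system headers live under a different prefix.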