From adfb2c714977a5603d5a8375630461d6af9ed072 Mon Sep 17 00:00:00 2001 From: John Marino Date: Sun, 16 Oct 2016 17:34:39 -0500 Subject: [PATCH] Step 1/2 of OpenSSL remove: Suppress building As of now, the NO_OPENSSL directive has been replaced with an undocumented FORCE_OPENSSL directive. Unless FORCE_OPENSSL is defined in make.conf, the OpenSSL libraries, headers, and man pages will no longer be built and installed. Existing OpenSSL files will remain installed unless REMOVE_OPENSSL_FILES is defined for the upgrade command, e.g. > make upgrade REMOVE_OPENSSL_FILES=yes It is recommended that all remaining programs and libraries linked to the base OpenSSL libraries be rebuilt to use one of the DPorts SSL libraries. The DPorts packages have been built with DPorts LibreSSL for a few weeks now, so ensuring all installed packages are reinstalled or rebuilt will be sufficient for most users, but don't forget about software built outside of DPorts. The OpenSSL sources and makefiles will be removed within a month (step 2), but FORCE_OPENSSL will work in the meantime to continue building OpenSSL although it will receive no further updates. --- Makefile.inc1 | 2 +- Makefile_upgrade.inc | 12 ++++++++++++ UPDATING | 20 ++++++++++++++++++++ etc/defaults/make.conf | 1 - secure/lib/Makefile | 2 +- share/man/Makefile | 5 ----- share/man/man5/make.conf.5 | 3 --- 7 files changed, 34 insertions(+), 11 deletions(-) diff --git a/Makefile.inc1 b/Makefile.inc1 index 4600409063..c8e886fd49 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -1044,7 +1044,7 @@ lib/libopie__L lib/libradius__L lib/libtacplus__L: lib/libmd__L _generic_libs+= lib .if !defined(NO_CRYPT) -.if !defined(NO_OPENSSL) +.if defined(FORCE_OPENSSL) _prebuild_libs+= secure/lib/libcrypto secure/lib/libssl .endif .if !defined(NO_LIBRESSL) diff --git a/Makefile_upgrade.inc b/Makefile_upgrade.inc index fa2e5a4613..2acabfab64 100644 --- a/Makefile_upgrade.inc +++ b/Makefile_upgrade.inc 
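Review bot: The new `.if defined(FORCE_OPENSSL)` guard in front of `_prebuild_libs+= secure/lib/libcrypto secure/lib/libssl` carries no comment, although the knob is undocumented and, per the commit message, builds an OpenSSL that receives no further updates. `defined()` only tests that the variable exists, so `FORCE_OPENSSL=no` in make.conf would still build it, and a leftover `NO_OPENSSL` line is now silently ignored. I would add `# FORCE_OPENSSL: temporary opt-in for the no-longer-updated base OpenSSL; any value enables it; goes away in step 2` above the guard. The matching guard in secure/lib/Makefile should get the same wording, since it currently says only `# to be removed during 4.8 development`. The enclosing `.if !defined(NO_CRYPT)` block continues past the end of the hunk.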
@@ -3145,5 +3145,17 @@ TO_REMOVE+=/usr/share/installer/sources.conf TO_REMOVE+=/usr/share/man/man8/installer.8.gz .endif +.if defined(REMOVE_OPENSSL_FILES) +TO_REMOVE+=/lib/libcrypto.so.5 +TO_REMOVE+=/usr/lib/libssl.a +TO_REMOVE+=/usr/lib/libssl.so +TO_REMOVE+=/usr/lib/libssl.so.5 +TO_REMOVE+=/usr/lib/engines +TO_REMOVE+=/usr/lib/libcrypto.so +TO_REMOVE+=/usr/lib/libcrypto.a +TO_REMOVE+=/usr/include/openssl +TO_REMOVE+=/usr/share/openssl +.endif + # XXX Remove when pfsync(4) has been fixed TO_REMOVE+=/usr/share/man/man4/pfsync.4.gz diff --git a/UPDATING b/UPDATING index c0714b4a80..da627fc12a 100644 --- a/UPDATING +++ b/UPDATING @@ -12,6 +12,26 @@ + UPGRADING DRAGONFLY FROM 4.6 TO LATER VERSIONS + +-----------------------------------------------------------------------+ +OPENSSL REMOVED +--------------- + +OpenSSL has been removed from base and replaced with a private version of +LibreSSL. The previously installed OpenSSL libraries, headers, and man +pages will remain on the system unless the "make upgrade" command is +specifically instructed to remove them. To do this, define +REMOVE_OPENSSL_FILES for the upgrade command, e.g. +"make upgrade REMOVE_OPENSSL_FILES=yes" + +It is recommended that the OpenSSL files be removed to avoid configuration +scripts from using the stale and potentially vulnerable version, but all +binaries that are dynamically linked to the OpenSSL libraries should be +rebuilt first to avoid breakage. + +16 Oct 2016: The OpenSSL sources and makefiles haven't been removed yet. +They can still be built by putting "FORCE_OPENSSL=yes" in make.conf. +This feature will likely be removed within a month, and definitely +before the release of DF 4.8. + CS, EX AND VX DRIVERS REMOVED ----------------------------- diff --git a/etc/defaults/make.conf b/etc/defaults/make.conf index cfe7ecc892..139166af46 100644 --- a/etc/defaults/make.conf +++ b/etc/defaults/make.conf 
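Review bot: The `REMOVE_OPENSSL_FILES` block deletes `/lib/libcrypto.so.5` and `/usr/lib/libssl.so.5` without anything in this file saying that binaries still linked against them will stop working. On the default path the old libraries stay installed while the build no longer refreshes them. A comment above the `.if` would carry the UPDATING warning to the place where the list is maintained, for example `# Opt-in: rebuild everything linked to libssl.so.5/libcrypto.so.5 first; without this knob the old, no longer updated OpenSSL stays installed`. `/usr/lib/engines`, `/usr/include/openssl` and `/usr/share/openssl` look like directories, and the code that consumes TO_REMOVE is outside this hunk, so it is worth confirming that it removes directory entries rather than skipping them.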
@@ -121,7 +121,6 @@ THREAD_LIB?= thread_xu #NO_LIBC_R= true # do not build libc_r (re-entrant version of libc) #NO_LPR= true # do not build lpr and related programs #NO_MODULES= true # do not build modules with the kernel -#NO_OPENSSL= true # do not build OpenSSL #NO_LIBRESSL= true # do not build LibreSSL #NO_SHARE= true # do not enter the share subdirectory #NOMAN= true # do not build manual pages diff --git a/secure/lib/Makefile b/secure/lib/Makefile index c5931f5c7b..369852df96 100644 --- a/secure/lib/Makefile +++ b/secure/lib/Makefile @@ -1,7 +1,7 @@ # $FreeBSD: src/secure/lib/Makefile,v 1.19.2.5 2003/04/04 21:33:15 ru Exp $ SUBDIR= libcipher -.if !defined(NO_OPENSSL) +.if defined(FORCE_OPENSSL) # to be removed during 4.8 development SUBDIR+=libcrypto libssl .endif .if !defined(NO_LIBRESSL) diff --git a/share/man/Makefile b/share/man/Makefile index ac89cc5bbd..37a3dd6fa9 100644 --- a/share/man/Makefile +++ b/share/man/Makefile @@ -1,17 +1,12 @@ # @(#)Makefile 8.2 (Berkeley) 4/16/94 # $FreeBSD: src/share/man/Makefile,v 1.11.2.1 2003/04/16 11:28:45 ru Exp $ -# $DragonFly: src/share/man/Makefile,v 1.5 2005/09/06 18:55:38 dillon Exp $ -# XXX MISSING: man3f SUBDIR= man1 man3 man4 man5 man6 man7 man8 man9 MAKEWHATIS= /usr/sbin/makewhatis makedb: ${MAKEWHATIS} ${DESTDIR}${BINDIR}/man -.if !defined(NO_CRYPT) && !defined(NO_OPENSSL) - ${MAKEWHATIS} ${DESTDIR}${BINDIR}/openssl/man -.endif .include "${.CURDIR}/../Makefile.inc" .include diff --git a/share/man/man5/make.conf.5 b/share/man/man5/make.conf.5 index 5ecbd77cca..0c99cbca0d 100644 --- a/share/man/man5/make.conf.5 +++ b/share/man/man5/make.conf.5 @@ -417,9 +417,6 @@ Set to not build Set to not build .Xr lpr 1 and related programs. -.It Va NO_OPENSSL -.Pq Vt bool -Set to not build OpenSSL and everything that depends on that library. .It Va NO_LIBRESSL .Pq Vt bool Set to not build LibreSSL and everything that depends on that library. -- 2.41.0
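Review bot: With `FORCE_OPENSSL` set, `SUBDIR+=libcrypto libssl` in secure/lib/Makefile is still entered, but the share/man/Makefile hunk of this commit drops the `${MAKEWHATIS} ${DESTDIR}${BINDIR}/openssl/man` step unconditionally instead of moving it under the new knob. If the forced build still installs its man pages under that directory (not visible here), they will no longer be indexed for the whatis database. Keeping the step as `.if !defined(NO_CRYPT) && defined(FORCE_OPENSSL)` until step 2 would keep the two makefiles consistent; if dropping it is intentional for the transition, a line in the commit message would settle it.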