git: d03be8cf3346 - stable/14 - crypto/openssl: make vendor imports easier/less error prone
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 03 Feb 2026 07:37:52 UTC
The branch stable/14 has been updated by ngie:
URL: https://cgit.FreeBSD.org/src/commit/?id=d03be8cf3346dae1e438ded3aae4453045b77486
commit d03be8cf3346dae1e438ded3aae4453045b77486
Author: Enji Cooper <ngie@FreeBSD.org>
AuthorDate: 2025-08-01 04:03:33 +0000
Commit: Enji Cooper <ngie@FreeBSD.org>
CommitDate: 2026-02-03 06:23:29 +0000
crypto/openssl: make vendor imports easier/less error prone
This change adds a custom BSD makefile containing multiple high-level PHONY
targets, similar to targets provided by the ports framework.
The Makefile does the following:
- Reruns Configure with a deterministic set of arguments to ensure that
all appropriate features have been enabled/disabled in OpenSSL.
- Preens the pkgconfig files to remove duplicate paths in their
`CFLAGS` and `includedir` variables.
- Rebuilds all ASM files to ensure that the content contained is fresh.
- Rebuilds all manpages to ensure that the content contained in the
manpages is fresh.
Some additional work needs to be done to make the manpage regeneration
"operation" reproducible (the date the manpages were generated is
embedded in the files).
All dynamic configuration previously captured in
`include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been
moved to `freebsd/include/dynamic_freebsd_configuration.h` and
`freebsd/include/crypto/bn_conf.h`, respectively. This helps
ensure that future updates don't wipe out FreeBSD customizations to
these files, which tune behavior on a per-target architecture basis, e.g.,
ARM vs x86, 32-bit vs 64-bit, etc.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D51663
Conflicts:
crypto/openssl/apps/CA.pl
crypto/openssl/configdata.pm
crypto/openssl/include/openssl/configuration.h
crypto/openssl/include/openssl/fipskey.h
crypto/openssl/tools/c_rehash
crypto/openssl/util/shlib_wrap.sh
crypto/openssl/util/wrap.pl
secure/lib/libcrypto/Makefile.inc
(cherry picked from commit 267f8c1f4b09431b335d5f48d84586047471f978)
---
crypto/openssl/BSDmakefile | 99 ++++++++++++++++++++++
crypto/openssl/apps/progs.c | 11 ++-
crypto/openssl/apps/progs.h | 4 +-
crypto/openssl/exporters/libcrypto.pc | 13 +++
crypto/openssl/exporters/libssl.pc | 11 +++
crypto/openssl/exporters/openssl.pc | 9 ++
.../freebsd/dump_version_from_configdata.pl | 21 +++++
crypto/openssl/freebsd/include/crypto/bn_conf.h | 27 ++++++
.../freebsd/include/openssl/configuration.h | 38 +++++++++
crypto/openssl/include/crypto/bn_conf.h | 27 ++++++
crypto/openssl/libcrypto.pc | 13 +++
crypto/openssl/libssl.pc | 11 +++
crypto/openssl/openssl.pc | 9 ++
secure/lib/libcrypto/Makefile.inc | 3 +-
secure/lib/libcrypto/Makefile.version | 2 +
15 files changed, 293 insertions(+), 5 deletions(-)
diff --git a/crypto/openssl/BSDmakefile b/crypto/openssl/BSDmakefile
new file mode 100644
index 000000000000..bd2bfe0ea033
--- /dev/null
+++ b/crypto/openssl/BSDmakefile
@@ -0,0 +1,99 @@
+# This BSD makefile helps provide a deterministic means of doing a "clean"
+# vendor import of OpenSSL.
+#
+# Recommended use:
+#
+# % make clean
+# % make all
+
+NO_OBJ=
+
+LCRYPTO_SRC= ${SRCTOP}/crypto/openssl
+LCRYPTO_DOC= ${LCRYPTO_SRC}/doc
+
+CAT?= /bin/cat
+MV?= /bin/mv
+PERL?= perl
+
+BN_CONF_H= include/crypto/bn_conf.h
+BN_CONF_H_ORIG= ${BN_CONF_H}.orig
+CONFIGURATION_H= include/openssl/configuration.h
+CONFIGURATION_H_ORIG= ${CONFIGURATION_H}.orig
+
+.PHONY: configure patch all
+.ORDER: configure patch all
+
+configure:
+ @cd ${.CURDIR} && \
+ ${PERL} ./Configure \
+ disable-aria \
+ disable-egd \
+ disable-idea \
+ disable-mdc2 \
+ disable-sm2 \
+ disable-sm3 \
+ disable-sm4 \
+ enable-ec_nistp_64_gcc_128 \
+ enable-ktls \
+ enable-sctp \
+ --openssldir=etc \
+ --prefix=/usr
+ @cd ${.CURDIR} && gmake configdata.pm
+ @cd ${LCRYPTO_SRC} && ${PERL} \
+ ${LCRYPTO_SRC}/freebsd/dump_version_from_configdata.pl > \
+ ${SRCTOP}/secure/lib/libcrypto/Makefile.version
+
+all: patch
+ # Passing `-j ${.MAKE.JOBS}` doesn't work here for some reason.
+ @cd ${.CURDIR} && gmake build_all_generated
+
+ # Clean the pkgconfig files:
+ # 1. Fix --prefix (not sure why configure --prefix isn't honored properly).
+ # 2. Remove duplicate path in CFLAGS.
+ # 3. Remove duplicate path in includedir(s).
+ @find . -name \*.pc -print -exec sed -i '' -E \
+ -e 's,^prefix=.+,prefix=/usr,' \
+ -e 's,[[:space:]]+(\-I)?\$\{prefix\}/\./include[[:space:]]*,,g' \
+ {} +
+
+ @cd ${SRCTOP}/secure/lib/libcrypto && \
+ ${MAKE} cleanasm && \
+ ${MAKE} buildasm
+
+ @rsync -a --delete \
+ --exclude 'Makefile*' --exclude '*.1' \
+ ${LCRYPTO_DOC}/man/ \
+ ${SRCTOP}/secure/lib/libcrypto/man
+
+ @rsync -a --delete \
+ --exclude 'Makefile*' --exclude '*.[357]' \
+ ${LCRYPTO_DOC}/man/man1/ \
+ ${SRCTOP}/secure/usr.bin/openssl/man
+
+
+# This doesn't use standard patching since the generated files can vary
+# depending on the host architecture.
+patch: configure
+ # Spam arch-specific overrides to config files.
+
+ @cd ${.CURDIR} && gmake ${BN_CONF_H} && \
+ ${MV} ${BN_CONF_H} ${BN_CONF_H_ORIG} && \
+ ${CAT} ${BN_CONF_H}.orig \
+ ${LCRYPTO_SRC}/freebsd/${BN_CONF_H} >> \
+ ${BN_CONF_H}
+
+ @cd ${.CURDIR} && \
+ ${MV} ${CONFIGURATION_H} ${CONFIGURATION_H_ORIG} && \
+ ${CAT} ${CONFIGURATION_H_ORIG} \
+ ${LCRYPTO_SRC}/freebsd/${CONFIGURATION_H} >> \
+ ${CONFIGURATION_H}
+
+
+clean: .PHONY
+ @cd ${.CURDIR} && rm -f ${BN_CONF_H_ORIG} ${CONFIGURATION_H_ORIG}
+
+ @cd ${SRCTOP}/secure/lib/libcrypto && ${MAKE} cleanasm
+
+ -@cd ${.CURDIR} && gmake ${.TARGET}
+
+.include <sys.mk>
diff --git a/crypto/openssl/apps/progs.c b/crypto/openssl/apps/progs.c
index 2646a1a35bf3..acc204a3e6e7 100644
--- a/crypto/openssl/apps/progs.c
+++ b/crypto/openssl/apps/progs.c
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by apps/progs.pl
*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -89,6 +89,7 @@ FUNCTION functions[] = {
{FT_general, "s_time", s_time_main, s_time_options, NULL, NULL},
#endif
{FT_general, "sess_id", sess_id_main, sess_id_options, NULL, NULL},
+ {FT_general, "skeyutl", skeyutl_main, skeyutl_options, NULL, NULL},
{FT_general, "smime", smime_main, smime_options, NULL, NULL},
{FT_general, "speed", speed_main, speed_options, NULL, NULL},
{FT_general, "spkac", spkac_main, spkac_options, NULL, NULL},
@@ -225,9 +226,15 @@ FUNCTION functions[] = {
{FT_cipher, "camellia-256-ecb", enc_main, enc_options, NULL},
#endif
{FT_cipher, "base64", enc_main, enc_options, NULL},
-#ifdef ZLIB
+#ifndef OPENSSL_NO_ZLIB
{FT_cipher, "zlib", enc_main, enc_options, NULL},
#endif
+#ifndef OPENSSL_NO_BROTLI
+ {FT_cipher, "brotli", enc_main, enc_options, NULL},
+#endif
+#ifndef OPENSSL_NO_ZSTD
+ {FT_cipher, "zstd", enc_main, enc_options, NULL},
+#endif
#ifndef OPENSSL_NO_DES
{FT_cipher, "des", enc_main, enc_options, NULL},
#endif
diff --git a/crypto/openssl/apps/progs.h b/crypto/openssl/apps/progs.h
index 83c829a721bf..1b62ec37dec1 100644
--- a/crypto/openssl/apps/progs.h
+++ b/crypto/openssl/apps/progs.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by apps/progs.pl
*
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -56,6 +56,7 @@ extern int s_client_main(int argc, char *argv[]);
extern int s_server_main(int argc, char *argv[]);
extern int s_time_main(int argc, char *argv[]);
extern int sess_id_main(int argc, char *argv[]);
+extern int skeyutl_main(int argc, char *argv[]);
extern int smime_main(int argc, char *argv[]);
extern int speed_main(int argc, char *argv[]);
extern int spkac_main(int argc, char *argv[]);
@@ -110,6 +111,7 @@ extern const OPTIONS s_client_options[];
extern const OPTIONS s_server_options[];
extern const OPTIONS s_time_options[];
extern const OPTIONS sess_id_options[];
+extern const OPTIONS skeyutl_options[];
extern const OPTIONS smime_options[];
extern const OPTIONS speed_options[];
extern const OPTIONS spkac_options[];
diff --git a/crypto/openssl/exporters/libcrypto.pc b/crypto/openssl/exporters/libcrypto.pc
new file mode 100644
index 000000000000..e7f3953b7eae
--- /dev/null
+++ b/crypto/openssl/exporters/libcrypto.pc
@@ -0,0 +1,13 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${exec_prefix}/lib
+includedir=${prefix}/include
+enginesdir=${libdir}/engines-3
+modulesdir=${libdir}/ossl-modules
+
+Name: OpenSSL-libcrypto
+Description: OpenSSL cryptography library
+Version: 3.5.1
+Libs: -L${libdir} -lcrypto
+Libs.private: -pthread
+Cflags: -I${includedir}
diff --git a/crypto/openssl/exporters/libssl.pc b/crypto/openssl/exporters/libssl.pc
new file mode 100644
index 000000000000..ed6fd275ca26
--- /dev/null
+++ b/crypto/openssl/exporters/libssl.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${exec_prefix}/lib
+includedir=${prefix}/include
+
+Name: OpenSSL-libssl
+Description: Secure Sockets Layer and cryptography libraries
+Version: 3.5.1
+Requires.private: libcrypto
+Libs: -L${libdir} -lssl
+Cflags: -I${includedir}
diff --git a/crypto/openssl/exporters/openssl.pc b/crypto/openssl/exporters/openssl.pc
new file mode 100644
index 000000000000..892ef113ca0f
--- /dev/null
+++ b/crypto/openssl/exporters/openssl.pc
@@ -0,0 +1,9 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${exec_prefix}/lib
+includedir=${prefix}/include
+
+Name: OpenSSL
+Description: Secure Sockets Layer and cryptography libraries and tools
+Version: 3.5.1
+Requires: libssl libcrypto
diff --git a/crypto/openssl/freebsd/dump_version_from_configdata.pl b/crypto/openssl/freebsd/dump_version_from_configdata.pl
new file mode 100644
index 000000000000..b6137718ba54
--- /dev/null
+++ b/crypto/openssl/freebsd/dump_version_from_configdata.pl
@@ -0,0 +1,21 @@
+#!/usr/bin/env perl
+#
+# This dumps out the values needed to generate manpages and other artifacts
+# which include the release version/date.
+#
+# See also: `secure/lib/libcrypto/Makefile.version`.
+
+use Cwd qw(realpath);
+use File::Basename qw(dirname);
+use Time::Piece;
+
+use lib dirname(dirname(realpath($0)));
+
+use configdata qw(%config);
+
+$OPENSSL_DATE = Time::Piece->strptime($config{"release_date"}, "%d %b %Y")->strftime("%Y-%m-%d");
+
+$OPENSSL_VER = "$config{'major'}.$config{'minor'}.$config{'patch'}";
+
+print("OPENSSL_VER=\t${OPENSSL_VER}\n");
+print("OPENSSL_DATE=\t${OPENSSL_DATE}\n");
diff --git a/crypto/openssl/freebsd/include/crypto/bn_conf.h b/crypto/openssl/freebsd/include/crypto/bn_conf.h
new file mode 100644
index 000000000000..442931b63339
--- /dev/null
+++ b/crypto/openssl/freebsd/include/crypto/bn_conf.h
@@ -0,0 +1,27 @@
+
+/**
+ * OpenSSL's Configure script generates these values automatically for the host
+ * architecture, but FreeBSD provides values which are universal for all
+ * supported target architectures.
+ */
+
+#ifndef __FREEBSD_BN_CONF_H__
+#define __FREEBSD_BN_CONF_H__
+
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+
+# if __SIZEOF_LONG__ == 8
+# define SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+# elif __SIZEOF_LONG__ == 4
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# define THIRTY_TWO_BIT
+# else
+# error Unsupported size of long
+# endif
+
+#endif /* __FREEBSD_BN_CONF_H__ */
diff --git a/crypto/openssl/freebsd/include/openssl/configuration.h b/crypto/openssl/freebsd/include/openssl/configuration.h
new file mode 100644
index 000000000000..faea78cb32c8
--- /dev/null
+++ b/crypto/openssl/freebsd/include/openssl/configuration.h
@@ -0,0 +1,38 @@
+
+/**
+ * OpenSSL's Configure script generates these values automatically for the host
+ * architecture, but FreeBSD provides values which are universal for all
+ * supported target architectures.
+ */
+
+#ifndef __FREEBSD_CONFIGURATION_H__
+#define __FREEBSD_CONFIGURATION_H__
+
+# undef OPENSSL_NO_EC_NISTP_64_GCC_128
+# if __SIZEOF_LONG__ == 4 || __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+# define OPENSSL_NO_EC_NISTP_64_GCC_128
+# endif
+# endif
+
+# undef BN_LLONG
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+# if !defined(OPENSSL_SYS_UEFI)
+# if __SIZEOF_LONG__ == 8
+# undef BN_LLONG
+# define SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+# elif __SIZEOF_LONG__ == 4
+# define BN_LLONG
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# define THIRTY_TWO_BIT
+# else
+# error Unsupported size of long
+# endif
+# endif
+
+#endif /* __FREEBSD_CONFIGURATION_H__ */
diff --git a/crypto/openssl/include/crypto/bn_conf.h b/crypto/openssl/include/crypto/bn_conf.h
index 1252fd60e816..95eb5b22e5b3 100644
--- a/crypto/openssl/include/crypto/bn_conf.h
+++ b/crypto/openssl/include/crypto/bn_conf.h
@@ -35,3 +35,30 @@
# endif
#endif
+
+/**
+ * OpenSSL's Configure script generates these values automatically for the host
+ * architecture, but FreeBSD provides values which are universal for all
+ * supported target architectures.
+ */
+
+#ifndef __FREEBSD_BN_CONF_H__
+#define __FREEBSD_BN_CONF_H__
+
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+
+# if __SIZEOF_LONG__ == 8
+# define SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+# elif __SIZEOF_LONG__ == 4
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# define THIRTY_TWO_BIT
+# else
+# error Unsupported size of long
+# endif
+
+#endif /* __FREEBSD_BN_CONF_H__ */
diff --git a/crypto/openssl/libcrypto.pc b/crypto/openssl/libcrypto.pc
new file mode 100644
index 000000000000..97725059adfb
--- /dev/null
+++ b/crypto/openssl/libcrypto.pc
@@ -0,0 +1,13 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${exec_prefix}
+includedir=${prefix}/include ${prefix}/./include
+enginesdir=${libdir}/engines
+modulesdir=${libdir}/providers
+
+Name: OpenSSL-libcrypto
+Description: OpenSSL cryptography library
+Version: 3.5.1
+Libs: -L${libdir} -lcrypto
+Libs.private: -pthread
+Cflags: -I${prefix}/include -I${prefix}/./include
diff --git a/crypto/openssl/libssl.pc b/crypto/openssl/libssl.pc
new file mode 100644
index 000000000000..e2662ee9e5fa
--- /dev/null
+++ b/crypto/openssl/libssl.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${exec_prefix}
+includedir=${prefix}/include ${prefix}/./include
+
+Name: OpenSSL-libssl
+Description: Secure Sockets Layer and cryptography libraries
+Version: 3.5.1
+Requires.private: libcrypto
+Libs: -L${libdir} -lssl
+Cflags: -I${prefix}/include -I${prefix}/./include
diff --git a/crypto/openssl/openssl.pc b/crypto/openssl/openssl.pc
new file mode 100644
index 000000000000..ff0a0c2f4e09
--- /dev/null
+++ b/crypto/openssl/openssl.pc
@@ -0,0 +1,9 @@
+prefix=/usr
+exec_prefix=${prefix}
+libdir=${exec_prefix}
+includedir=${prefix}/include ${prefix}/./include
+
+Name: OpenSSL
+Description: Secure Sockets Layer and cryptography libraries and tools
+Version: 3.5.1
+Requires: libssl libcrypto
diff --git a/secure/lib/libcrypto/Makefile.inc b/secure/lib/libcrypto/Makefile.inc
index 8a20f1478bd5..5969b82d9ee0 100644
--- a/secure/lib/libcrypto/Makefile.inc
+++ b/secure/lib/libcrypto/Makefile.inc
@@ -2,8 +2,7 @@
.include <bsd.own.mk>
# OpenSSL version used for manual page generation
-OPENSSL_VER= 3.0.16
-OPENSSL_DATE= 2025-02-11
+.include "Makefile.version"
LCRYPTO_SRC= ${SRCTOP}/crypto/openssl
LCRYPTO_DOC= ${LCRYPTO_SRC}/doc
diff --git a/secure/lib/libcrypto/Makefile.version b/secure/lib/libcrypto/Makefile.version
new file mode 100644
index 000000000000..e802a1f11618
--- /dev/null
+++ b/secure/lib/libcrypto/Makefile.version
@@ -0,0 +1,2 @@
+OPENSSL_VER= 3.5.1
+OPENSSL_DATE= 2025-07-01