THIS IS AN ABANDONED PROJECT

Based on the revised patch from Allan Jude the problems listed below have been solved.

FreeBSD has a 'private libraries' concept: a library that has been made private is unavailable to ports that want to link against it.

This was done on a clean system (virtual machine) with the amd64 11 snapshot r293801 from 2016-01-13 and the base/head r294205.

The result of the following paragraphs can be found in the updated PrivateSSL patch.

Patching

The patch doesn't completely apply any longer due to

  1. games no longer being part of base

  2. lib/libc/tests/hash contains the patch already

With those 2 files removed from the patch, it applies (albeit with some fuzz).

Actions

Collected at FOSDEM '17 DevSummit

Base deps

Executed on the system prior to installing any packages so we can check

#!/bin/sh
# List every file whose ELF dynamic section names libssl or libcrypto as NEEDED
find / -type f > ~/allfiles.lst
while IFS= read -r file ; do
   deps=$(readelf -d "$file" 2>/dev/null | grep -E 'NEEDED.*(libssl|libcrypto)')
   [ -n "$deps" ] && echo "$file"
done < ~/allfiles.lst

Files in base currently requiring libcrypto or libssl

/bin
   ed red
/lib/geom
   geom_eli.so
/sbin
   hastctl hastd
/usr/bin
    bdes dc drill factor hxtool kadmin kinit kpasswd ksu ntpq openssl slogin ssh ssh-agent ssh-keygen string2key svnlite svnlitebench svnlitemucc svnliterdump svnlitesync telnet 
/usr/lib
   libarchive.so.6 libbsnmp.so.6 libfetch.so.6 libgssapi_krb5.so.10 libgssapi_ntlm.so.10 libheimntlm.so.11 libhx509.so.11 libkdc.so.11 libkrb5.so.11 libmp.so.7 libprivateldns.so.5 libprivatessh.so.5 libprivateunbound.so.5 libradius.so.4  libssl.so.8
/usr/lib32
   libarchive.so.6 libbsnmp.so.6 libfetch.so.6 libgssapi_krb5.so.10 libgssapi_ntlm.so.10 libheimntlm.so.11 libhx509.so.11 libkdc.so.11 libkrb5.so.11 libmp.so.7 libprivateldns.so.5 libprivatessh.so.5 libprivateunbound.so.5 libradius.so.4 libssl.so.8 
/usr/libexec
   digest-service dma kcm kdigest ssh-keysign ssh-pkcs11-helper telnetd
/usr/libexec/sendmail
   sendmail
/usr/sbin
   auditdistd hostapd kstash ktutil ntp-keygen ntpd ntpdate ntpdc pkg ppp sntp sshd tcpdump uefisign unbound unbound-anchor unbound-control wpa_supplicant

Building

Clean build

Issues

These issues are gone

Build fails in `/usr/src/usr.bin/elfcopy`

Solution

This happens in the cross-tools target, as libarchive requires elfcopy, which needs libcrypto to build. The solution is to build libcrypto in the cross-tools stage as well. See the latest patch.

Open issues

None at the moment

Patching 10.2

Here's an (incomplete) patch for 10.2. Skip to issues after applying this patch.

File                               Action
share/mk/bsd.libnames.mk           ${LIBDIR} to ${LIBPRIVATEDIR}
secure/lib/libcrypto/Makefile      Add PRIVATELIB= true
secure/lib/libssl/Makefile         Add PRIVATELIB= true
secure/usr.bin/openssl/Makefile    Add USEPRIVATELIB= crypto ssl

Rebuild libcrypto, libssl, openssl

$ ldd /usr/bin/openssl
/usr/bin/openssl:
        libssl.so.7 => /usr/lib/private/libssl.so.7 (0x800897000)
        libcrypto.so.7 => /usr/lib/private/libcrypto.so.7 (0x800b04000)
        libc.so.7 => /lib/libc.so.7 (0x800ef7000)

So this was relatively easy.
Same for svnlite linking to the private libs

Issues

After applying the work-around, run buildworld again as

make -j4 -DNO_CLEAN buildworld

kerberos/usr.bin/hxtool

Missing hxtool-commands.h

cd /usr/src/kerberos
cp -p ./usr.bin/hxtool/hxtool-commands.h ./include

rescue/rescue

Doesn't find the correct libcrypto.

cd /usr/obj/tmp/usr/lib
cp -p private/libcrypto.{a,so.7} .
ln -s libcrypto.so.7 libcrypto.so

TODO

Permanent fixes for above issues

Result

After make installworld using DESTDIR=~/privssl-world I confirmed that no file is depending on /usr/lib/libcrypto.so nor /usr/lib/libssl.so
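The same confirmation can be scripted over `ldd` output. This is an added example, not part of the original page or the patch: `audit_ldd` is a hypothetical helper name, and the `/usr/local/bin/example-port` entry in the sample is constructed data (the `/usr/bin/openssl` entry is the output shown earlier).

```shell
#!/bin/sh
# Added example: flag libssl/libcrypto dependencies that the runtime linker
# resolves outside the private library directory (or cannot resolve at all).
PRIVDIR="/usr/lib/private"   # private library directory, as in the ldd output above

# Reads ldd output for one or more binaries on stdin and prints one line
# per finding: "<binary> <library> <resolved path>".
audit_ldd() {
    awk -v priv="$PRIVDIR/" '
        # Header line such as "/usr/bin/openssl:" starts a new binary
        NF == 1 && /:$/ { bin = substr($1, 1, length($1) - 1); next }
        # Dependency line such as "libssl.so.7 => /path (0x...)"
        $2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
            path = $3
            if (path == "not") path = "not-found"   # ldd printed "=> not found"
            if (index(path, priv) != 1)             # not under the private dir
                print bin, $1, path
        }
    '
}

# Sample input: first entry copied from the page, second entry constructed.
sample_ldd() {
    cat <<'EOF'
/usr/bin/openssl:
        libssl.so.7 => /usr/lib/private/libssl.so.7 (0x800897000)
        libcrypto.so.7 => /usr/lib/private/libcrypto.so.7 (0x800b04000)
        libc.so.7 => /lib/libc.so.7 (0x800ef7000)
/usr/local/bin/example-port:
        libssl.so.7 => /usr/lib/libssl.so.7 (0x800822000)
        libcrypto.so.7 => not found (0)
        libc.so.7 => /lib/libc.so.7 (0x800c8f000)
EOF
}

# Stand-alone run: report findings for the sample data.
sample_ldd | audit_ldd
```

On a real tree, feed it the `ldd` output of the installed binaries instead of `sample_ldd`; an empty result means nothing resolves the two libraries from outside the private directory.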

Packages

pkgng

ports-mgmt/pkg doesn't build cleanly without base OpenSSL.

Index: ports-mgmt/pkg/Makefile
===================================================================
--- ports-mgmt/pkg/Makefile     (revision 407488)
+++ ports-mgmt/pkg/Makefile     (working copy)
@@ -23,7 +23,9 @@
 # Use a submake as 'deinstall install' needs to reevaluate PKG_CMD
 # so that pkg-static is used from the wrkdir
 USE_SUBMAKE=   yes
-CFLAGS+=       -Wno-error
+USE_OPENSSL=   yes
+CFLAGS+=       -Wno-error -I${OPENSSLINC}
+LDFLAGS+=      -L/usr/lib -L${OPENSSLLIB}

 .if !exists(/usr/include/jail.h)
 EXTRA_PATCHES= ${FILESDIR}/extra-patch-docs_pkg.8
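Review bot: the added LDFLAGS line lists -L/usr/lib ahead of -L${OPENSSLLIB}, so on any host that still has libssl/libcrypto in /usr/lib the linker will pick those up while the headers come from -I${OPENSSLINC}, giving a header/library mismatch that -Wno-error will not surface. Put -L${OPENSSLLIB} first, or drop -L/usr/lib if it is not needed for another library, and add a comment saying why pkg needs the ports OpenSSL here. USE_OPENSSL= yes is also set unconditionally; if the intent is only to cover systems where base OpenSSL is private, guard it the same way the existing .if !exists(/usr/include/jail.h) block guards its patch.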

Built with the patch, pkg behaves fine on my jail with privatessl

PAM libraries

This is one of the concerns as /usr/lib/libpam.so is linked against private crypto libs. Other pam modules that o



OpenSSL/Base/Private (last edited 2018-06-11T22:32:29+0000 by MarkLinimon)