THIS IS AN ABANDONED PROJECT
Based on the revised patch from Allan Jude the problems listed below have been solved.
FreeBSD has a 'private libaries' concept that makes the libraries unavailable for ports wanting to link to the libraries that have been made private.
This was done on a clean system (virtual machine) with the amd64 11 snapshot r293801 from 2016-01-13 and the base/head r294205.
Result of the following paragraphs can be found in updated PrivateSSL patch
Patching
The patch doesn't completely apply any longer due to
games no longer being part of base
lib/libc/tests/hash contains the patch already
With those 2 files removed from the patch it applies (albeit with some fuzzing)
Actions
Collected at FOSDEM '17 DevSummit
- Ask secteam and maintainer in base if there are current issues
- Make libraries private
- Hide the symbols using linker script or objcopy to separate namespace
- or version the shared library
Base deps
Executed on the system prior to installing any packages so we can check
#!/bin/sh
find / -type f > ~/allfiles.lst
while read file ; do
deps=`readelf -d $file 2>/dev/null | grep -E 'NEEDED.*(libssl|libcrypto)'`
[ "$deps" ] && echo $file
done < ~/allfiles.lst
Files in base currently requiring libcrypto or libssl
/bin
ed red
/lib/geom
geom_eli.so
/sbin
hastctl hastd
/usr/bin
bdes dc drill factor hxtool kadmin kinit kpasswd ksu ntpq openssl slogin ssh ssh-agent ssh-keygen string2key svnlite svnlitebench svnlitemucc svnliterdump svnlitesync telnet
/usr/lib
libarchive.so.6 libbsnmp.so.6 libfetch.so.6 libgssapi_krb5.so.10 libgssapi_ntlm.so.10 libheimntlm.so.11 libhx509.so.11 libkdc.so.11 libkrb5.so.11 libmp.so.7 libprivateldns.so.5 libprivatessh.so.5 libprivateunbound.so.5 libradius.so.4 libssl.so.8
/usr/lib32
libarchive.so.6 libbsnmp.so.6 libfetch.so.6 libgssapi_krb5.so.10 libgssapi_ntlm.so.10 libheimntlm.so.11 libhx509.so.11 libkdc.so.11 libkrb5.so.11 libmp.so.7 libprivateldns.so.5 libprivatessh.so.5 libprivateunbound.so.5 libradius.so.4 libssl.so.8
/usr/libexec
digest-service dma kcm kdigest ssh-keysign ssh-pkcs11-helper telnetd
/usr/libexec/sendmail
sendmail
/usr/sbin
auditdistd hostapd kstash ktutil ntp-keygen ntpd ntpdate ntpdc pkg ppp sntp sshd tcpdump uefisign unbound unbound-anchor unbound-control wpa_supplicant
Building
Clean build
No /etc/make.conf or /etc/src.conf
GENERIC kernel
Issues
These issues are gone
Build fails in `/usr/src/usr.bin/elfcopy`
Solution
This happens in the cross-tools target as libarchive requires elfcopy which needs libcrypto to build. Solution is to build libcrypto in the cross-tools stage as well. See latest patch.
Open issues
None at the moment
Patching 10.2
Here's an (incomplete) patch for 10.2. Skip to issues after applying this patch.
File |
Action |
share/mk/bsd.libnames.mk |
${LIBDIR} to ${LIBPRIVATEDIR} |
secure/lib/libcrypto/Makefile |
Add PRIVATELIB= true |
secure/lib/libssl/Makefile |
Add PRIVATELIB= true |
secure/usr.bin/openssl/Makefile |
ADD USEPRIVATELIB= crypto ssl |
Rebuild libcrypto, libssl, openssl
$ ldd /usr/bin/openssl
/usr/bin/openssl:
libssl.so.7 => /usr/lib/private/libssl.so.7 (0x800897000)
libcrypto.so.7 => /usr/lib/private/libcrypto.so.7 (0x800b04000)
libc.so.7 => /lib/libc.so.7 (0x800ef7000)So this was relatively easy.
Same for svnlite linking to the private libs
Issues
After applying the work-around, run buildworld again as
make -j4 -DNO_CLEAN buildworld
kerberos/usr.bin/hxtool
Missing hxtool-commands.h
cd /usr/src/kerberos cp -p ./usr.bin/hxtool/hxtool-commands.h ./include
rescue/rescue
Doesn't find the correct libcrypto.
cd /usr/obj/tmp/usr/lib
cp -p private/libcrypto.{a,.so.7} .
ln -s libcrypto.so.7 libcrypto.so
TODO
Permanent fixes for above issues
Result
After make installworld using DESTDIR=~/privssl-world I confirmed that no file is depending on /usr/lib/libcrypto.so nor /usr/lib/libssl.so
Packages
pkgng
ports-mgmt/pkg doesn't build cleanly without base OpenSSL.
Index: ports-mgmt/pkg/Makefile
===================================================================
--- ports-mgmt/pkg/Makefile (revision 407488)
+++ ports-mgmt/pkg/Makefile (working copy)
@@ -23,7 +23,9 @@
# Use a submake as 'deinstall install' needs to reevaluate PKG_CMD
# so that pkg-static is used from the wrkdir
USE_SUBMAKE= yes
-CFLAGS+= -Wno-error
+USE_OPENSSL= yes
+CFLAGS+= -Wno-error -I${OPENSSLINC}
+LDFLAGS+= -L/usr/lib -L${OPENSSLLIB}
.if !exists(/usr/include/jail.h)
EXTRA_PATCHES= ${FILESDIR}/extra-patch-docs_pkg.8
Built with the patch, pkg behaves fine on my jail with privatessl
PAM libraries
This is one of the concerns as /usr/lib/libpam.so is linked against private crypto libs. Other pam modules that o