HardenedBSD/NOTES-VMS.md
Pierre Pronchery b84c4564ef openssl: Vendor import of OpenSSL-3.0.9
Summary:

Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html .

Obtained from:  https://www.openssl.org/source/openssl-3.0.9.tar.gz

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
$ (cd ..; fetch http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz http://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.9.tar.gz                                    14 MB   74 MBps    01s
openssl-3.0.9.tar.gz.asc                               833  B   10 MBps    00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.9
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub   rsa4096 2021-07-16 [SC] [expires: 2031-07-14]
      A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C
uid           [ unknown] Tomáš Mráz <tm@t8m.info>
uid           [ unknown] Tomáš Mráz <tomas@arleto.cz>
uid           [ unknown] Tomáš Mráz <tomas@openssl.org>
sub   rsa4096 2021-07-16 [S] [expires: 2027-07-15]
sub   rsa4096 2021-07-16 [E] [expires: 2031-07-14]

$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue May 30 14:32:24 2023 CEST
gpg:                using RSA key DC7032662AF885E2F47F243F527466A21CA79E6D
gpg: Good signature from "Tomáš Mráz <tm@t8m.info>" [unknown]
gpg:                 aka "Tomáš Mráz <tomas@arleto.cz>" [unknown]
gpg:                 aka "Tomáš Mráz <tomas@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A21F AB74 B008 8AA3 6115  2586 B8EF 1A6B A9DA 2D5C
     Subkey fingerprint: DC70 3266 2AF8 85E2 F47F  243F 5274 66A2 1CA7 9E6D

$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER}  .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.

nothing to commit, working tree clean
```
2023-06-23 09:13:27 -04:00

4.7 KiB

Notes for the OpenVMS platform

Requirement details

In addition to the requirements and instructions listed in INSTALL.md, this are required as well:

  • At least ODS-5 disk organization for source and build. Installation can be done on any existing disk organization.

About ANSI C compiler

An ANSI C compiled is needed among other things. This means that VAX C is not and will not be supported.

We have only tested with DEC C (aka HP VMS C / VSI C) and require version 7.1 or later. Compiling with a different ANSI C compiler may require some work.

Please avoid using C RTL feature logical names DECC$* when building and testing OpenSSL. Most of all, they can be disruptive when running the tests, as they affect the Perl interpreter.

About ODS-5 directory names and Perl

It seems that the perl function canonpath() in the File::Spec module doesn't treat file specifications where the last directory name contains periods very well. Unfortunately, some versions of VMS tar will keep the periods in the OpenSSL source directory instead of converting them to underscore, thereby leaving your source in something like [.openssl-1^.1^.0]. This will lead to issues when configuring and building OpenSSL.

We have no replacement for Perl's canonpath(), so the best workaround for now is to rename the OpenSSL source directory, as follows (please adjust for the actual source directory name you have):

$ rename openssl-1^.1^.0.DIR openssl-1_1_0.DIR

About MMS and DCL

MMS has certain limitations when it comes to line length, and DCL has certain limitations when it comes to total command length. We do what we can to mitigate, but there is the possibility that it's not enough. Should you run into issues, a very simple solution is to set yourself up a few logical names for the directory trees you're going to use.

About debugging

If you build for debugging, the default on VMS is that image activation starts the debugger automatically, giving you a debug prompt. Unfortunately, this disrupts all other uses, such as running test programs in the test framework.

Generally speaking, if you build for debugging, only use the programs directly for debugging. Do not try to use them from a script, such as running the test suite.

The following is not available on Alpha

As a compromise, we're turning off the flag that makes the debugger start automatically. If there is a program that you need to debug, you need to turn that flag back on first, for example:

$ set image /flag=call_debug [.test]evp_test.exe

Then just run it and you will find yourself in a debugging session. When done, we recommend that you turn that flag back off:

$ set image /flag=nocall_debug [.test]evp_test.exe

About assembler acceleration

OpenSSL has assembler acceleration for a number of BIGNUM and crypto routines. The VMS config targets tries to look for a selection of assemblers and will use what they find. If none of the assemblers are found, OpenSSL will be built as if no-asm was configured.

For Itanium / IA64 / I64

  • There is only one assembler, a port of Intel's ias, found in the HP Open Source Tools CD, available through DECUSlib. It's assumed to be set up as per the instructions, where disk and dir are expected to be adapted to local conditions:

    $ ias :== $disk:[dir]iasi64.exe
    

Checking the distribution

There have been reports of places where the distribution didn't quite get through, for example if you've copied the tree from a NFS-mounted Unix mount point.

The easiest way to check if everything got through as it should is to check that this file exists:

[.include.openssl]configuration^.h.in

The best way to get a correct distribution is to download the gzipped tar file from ftp://ftp.openssl.org/source/, use GZIP -d to uncompress it and VMSTAR to unpack the resulting tar file.

Gzip and VMSTAR are available here:

http://antinode.info/dec/index.html#Software

Should you need it, you can find UnZip for VMS here:

http://www.info-zip.org/UnZip.html

How the value of 'arch' is determined

'arch' is mentioned in INSTALL. It's value is determined like this:

arch = f$edit( f$getsyi( "arch_name"), "upcase")