Merge pull request #242 from adfoster-r7/update-openssl-version

adfoster-r7 · web-flow · commit 8273bd66edb6 · 2026-03-29T20:14:16.000+01:00
Update openssl version
diff --git a/config/patches/openssl/openssl-3.2.4-enable-legacy-provider.patch b/config/patches/openssl/openssl-3.2.4-enable-legacy-provider.patch
@@ -0,0 +1,48 @@
+diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
+index ac858d6..d1cb967 100644
+--- a/apps/openssl-vms.cnf
++++ b/apps/openssl-vms.cnf
+@@ -56,6 +56,7 @@ providers = provider_sect
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
++legacy  = legacy_sect
+ # The fips section name should match the section name inside the
+ # included fipsmodule.cnf.
+ # fips = fips_sect
+@@ -69,8 +70,10 @@ default = default_sect
+ # OpenSSL may not work correctly which could lead to significant system
+ # problems including inability to remotely access the system.
+ [default_sect]
+-# activate = 1
++activate = 1
+
++[legacy_sect]
++activate = 1
+
+ ####################################################################
+ [ ca ]
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 12bc408..35a4282 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -56,6 +56,7 @@ providers = provider_sect
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
++legacy  = legacy_sect
+ # The fips section name should match the section name inside the
+ # included fipsmodule.cnf.
+ # fips = fips_sect
+@@ -69,8 +70,10 @@ default = default_sect
+ # OpenSSL may not work correctly which could lead to significant system
+ # problems including inability to remotely access the system.
+ [default_sect]
+-# activate = 1
++activate = 1
+
++[legacy_sect]
++activate = 1
+
+ ####################################################################
+ [ ca ]
diff --git a/config/patches/openssl/openssl-3.6.0-do-not-install-docs.patch b/config/patches/openssl/openssl-3.6.0-do-not-install-docs.patch
@@ -0,0 +1,21 @@
+--- openssl-3.6.0/Configurations/unix-Makefile.tmpl.org	2025-11-14 23:06:09.211938787 -0500
++++ openssl-3.6.0/Configurations/unix-Makefile.tmpl	2025-11-14 23:07:32.383914676 -0500
+@@ -670,7 +670,6 @@
+ install: Makefile ## Install software and documentation, create OpenSSL directories
+ 	$(MAKE) install_sw
+ 	$(MAKE) install_ssldirs
+-	{- "\$(MAKE) install_docs" if !$disabled{docs} -}
+ 	{- "\$(MAKE) install_fips" if !$disabled{fips} -}
+
+ uninstall: {- "uninstall_docs" if !$disabled{docs}; -} uninstall_sw {- $disabled{fips} ? "" : "uninstall_fips" -} ## Uninstall software and documentation
+
+--- openssl-3.6.0/Configurations/windows-makefile.tmpl.org	2025-11-14 23:06:09.211938787 -0500
++++ openssl-3.6.0/Configurations/windows-makefile.tmpl	2025-11-14 23:07:40.543912555 -0500
+@@ -466,7 +466,7 @@
+ 	@$(ECHO) "Tests are not supported with your chosen Configure options"
+ 	@{- output_on() if !$disabled{tests}; "\@rem" -}
+
+-install: install_sw install_ssldirs {- "install_docs" if !$disabled{docs}; -} {- $disabled{fips} ? "" : "install_fips" -}
++install: install_sw install_ssldirs {- $disabled{fips} ? "" : "install_fips" -}
+
+ uninstall: {- "uninstall_docs" if !$disabled{docs}; -} uninstall_sw {- $disabled{fips} ? "" : "uninstall_fips" -}
diff --git a/config/software/libatomic.rb b/config/software/libatomic.rb
@@ -0,0 +1,21 @@
+#
+# On 32-bit platforms (especially ARM), GCC's libatomic is required for
+# 64-bit atomic operations used by OpenSSL 3.x and other libraries.
+# This definition copies the system's libatomic into the embedded dir
+# so it ships with the package and satisfies the omnibus health check.
+#
+
+name "libatomic"
+description "GCC runtime library for atomic operations"
+license "GPL-3.0 (with GCC Runtime Library Exception)"
+skip_transitive_dependency_licensing true
+
+build do
+  block "Copy libatomic if needed" do
+    libatomic_path = shellout("gcc -print-file-name=libatomic.so.1 2>/dev/null").stdout.strip
+    if !libatomic_path.empty? && libatomic_path != "libatomic.so.1" && File.exist?(libatomic_path)
+      copy libatomic_path, "#{install_dir}/embedded/lib/libatomic.so.1"
+      link "#{install_dir}/embedded/lib/libatomic.so.1", "#{install_dir}/embedded/lib/libatomic.so"
+    end
+  end
+end
diff --git a/config/software/metasploit-framework.rb b/config/software/metasploit-framework.rb
@@ -39,7 +39,7 @@ def has_windows_metasploit_framework_repo?
 whitelist_file "#{install_dir}/embedded/framework/data/exploits/.*"
 whitelist_file "#{install_dir}//embedded/framework/data/exploits/.*"
 
-# This depends on Openssl 1.x
+# This depends on Openssl 3.x
 whitelist_file "#{install_dir}/embedded/lib/ruby/gems/#{ruby_abi_version}/gems/metasploit-payloads.*"
 
 # Also whitelist mettle
@@ -62,7 +62,7 @@ def has_windows_metasploit_framework_repo?
       replacements = {
         'stringio (= 3.1.1)' => 'stringio (= 3.1.2)',
         'stringio (3.1.1)' => 'stringio (3.1.2)',
-        "spec.add_runtime_dependency 'stringio', '3.1.1'" => "spec.add_runtime_dependency 'stringio', '3.1.2'" 
+        "spec.add_runtime_dependency 'stringio', '3.1.1'" => "spec.add_runtime_dependency 'stringio', '3.1.2'"
       }
       # Remove problematic dependencies for Windows; Fiddle will need to be re-added in a future build for Ruby 3.3 support
       if windows?
diff --git a/config/software/openssl.rb b/config/software/openssl.rb
@@ -20,10 +20,14 @@
 license_file "LICENSE"
 skip_transitive_dependency_licensing true
 
-dependency "cacerts"
-dependency "openssl-fips" if fips_mode?
+# https://github.com/chef/omnibus-software/pull/2032
+default_version "3.6.0" # # do not remove - Rapid7 custom - do not remove
 
-default_version "1.1.1t" # # do not remove - Rapid7 custom - do not remove
+dependency "cacerts"
+dependency "openssl-fips" if fips_mode? && !(version.satisfies?(">= 3.0.0"))
+# On 32-bit ARM, GCC emits calls to libatomic for 64-bit atomic operations.
+# 64-bit ARM (aarch64) has native 64-bit atomics and doesn't need this.
+dependency "libatomic" if linux? && RUBY_PLATFORM =~ /armv7l/
 
 # Openssl builds engines as libraries into a special directory. We need to include
 # that directory in lib_dirs so omnibus can sign them during macOS deep signing.
@@ -47,7 +51,19 @@
   internal_source url: "#{ENV["ARTIFACTORY_REPO_URL"]}/#{name}/#{name}-#{version}.tar.gz", extract: :lax_tar,
                   authorization: "X-JFrog-Art-Api:#{ENV["ARTIFACTORY_TOKEN"]}"
 end
+version("3.2.6") { source sha256: "89681a9ddaa9ed7cf25ea8ef61338db805200bae47d00510490623547380c148" }
+version("3.2.4") { source sha256: "b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716" }
+version("3.3.3") { source sha256: "712590fd20aaa60ec75d778fe5b810d6b829ca7fb1e530577917a131f9105539" }
+version("3.4.1") { source sha256: "002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3" }
+version("3.4.4") { source sha256: "7bdf55ac20f2779e99e5eca306f824fad2b37dee5a06cc35ed5a8b85a6060010" }
+version("3.6.0") { source sha256: "b6a5f44b7eb69e3fa35dbf15524405b44837a481d43d81daddde3ff21fcbb8e9" }
 
+version("3.1.2") { source sha256: "a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539" } # FIPS validated
+
+version("3.0.15") { source sha256: "23c666d0edf20f14249b3d8f0368acaee9ab585b09e1de82107c66e1f3ec9533" }
+version("3.0.12") { source sha256: "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61" }
+version("3.0.11")  { source sha256: "b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55" }
+version("3.0.9")   { source sha256: "eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90" } # FIPS validated
 version("3.0.5")   { source sha256: "aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a" }
 version("3.0.4")   { source sha256: "2831843e9a668a0ab478e7020ad63d2d65e51f72977472dc73efcefbafc0c00f" }
 version("3.0.3")   { source sha256: "ee0078adcef1de5f003c62c80cc96527721609c6f3bb42b7795df31f8b558c0b" }
@@ -72,6 +88,7 @@
 
 build do
   env = with_standard_compiler_flags(with_embedded_path)
+
   if aix?
     env["M4"] = "/opt/freeware/bin/m4"
   elsif mac_os_x? && arm?
@@ -94,21 +111,30 @@
     "no-idea",
     "no-mdc2",
     "no-rc5",
-    "no-ssl2",
     "no-ssl3",
     "no-zlib",
     "shared",
   ]
 
+  # no-ssl2 is only valid for OpenSSL < 3.0; SSLv2 was fully removed in 3.x
+  configure_args << "no-ssl2" if version.satisfies?("< 3.0.0")
+
   configure_args += ["--libdir=#{install_dir}/embedded/lib"] if version.satisfies?(">=3.0.1")
 
+  # OpenSSL >= 3.2 uses C99 syntax and may generate assembly that requires
+  # binutils >= 2.22. Detect the assembler version at build time and disable
+  # asm if it's too old. Also ensure C99 mode for old GCC.
+  if version.satisfies?(">= 3.2.0") && linux?
+    env["CFLAGS"] << " -std=gnu99"
+  end
+
   # https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
   configure_args += [ "-DOPENSSL_TRUSTED_FIRST_DEFAULT" ] if version.satisfies?(">= 1.0.2zb") && version.satisfies?("< 1.1.0")
 
   if version.satisfies?("< 3.0.0")
     configure_args += ["--with-fipsdir=#{install_dir}/embedded", "fips"] if fips_mode?
   else
-    configure_args += ["-enable-fips"] if fips_mode?
+    configure_args += ["enable-fips"] if fips_mode?
   end
 
   configure_cmd =
@@ -128,7 +154,7 @@
         "./Configure #{platform} -static-libgcc"
       end
     elsif windows?
-      platform = windows_arch_i386? ? "mingw" : "mingw64"
+      platform = "mingw64"
       "perl.exe ./Configure #{platform}"
     else
       prefix =
@@ -159,8 +185,21 @@
     patch source: "openssl-1.0.1f-do-not-build-docs.patch", env: patch_env
   elsif version.start_with? "1.1"
     patch source: "openssl-1.1.0f-do-not-install-docs.patch", env: patch_env
-  elsif version.start_with? "3.0"
+  elsif version.start_with?("3.0") || version.start_with?("3.1")
     patch source: "openssl-3.0.1-do-not-install-docs.patch", env: patch_env
+    # Some of the algorithms which are being used are deprecated in OpenSSL3 and moved to legacy provider.
+    # We need those algorithms for the working of chef-workstation and other packages.
+    # This patch will enable the legacy providers!
+    configure_args << "enable-legacy"
+    patch source: "openssl-3.0.0-enable-legacy-provider.patch", env: patch_env
+  elsif version.satisfies?(">= 3.2.4", "< 3.6")
+    patch source: "openssl-3.2.4-do-not-install-docs.patch", env: patch_env
+    configure_args << "enable-legacy"
+    patch source: "openssl-3.2.4-enable-legacy-provider.patch", env: patch_env
+  elsif version.satisfies?(">= 3.6.0")
+    patch source: "openssl-3.6.0-do-not-install-docs.patch", env: patch_env
+    configure_args << "enable-legacy"
+    patch source: "openssl-3.2.4-enable-legacy-provider.patch", env: patch_env
   end
 
   if version.start_with?("1.0.2") && mac_os_x? && arm?
@@ -172,19 +211,56 @@
     patch source: "openssl-1.0.1q-fix-compiler-flags-table-for-msys.patch", env: env
   end
 
+  # OpenSSL >= 3.2 requires additional Perl modules (IPC::Cmd, Time::Piece, etc.)
+  # that may not be present on older systems like CentOS 6.
+  if version.satisfies?(">= 3.2.0")
+    if windows?
+      command "perl.exe -MIPC::Cmd -e 1 2>nul || cpan IPC::Cmd", env: env
+      command "perl.exe -MTime::Piece -e 1 2>nul || cpan Time::Piece", env: env
+    else
+      command "perl -MIPC::Cmd -e 1 2>/dev/null || " \
+              "sudo yum install -y perl-IPC-Cmd 2>/dev/null || " \
+              "sudo apt-get install -y libipc-cmd-perl 2>/dev/null || " \
+              "cpan -T IPC::Cmd", env: env
+      command "perl -MTime::Piece -e 1 2>/dev/null || " \
+              "sudo yum install -y perl-Time-Piece 2>/dev/null || " \
+              "sudo apt-get install -y libtime-piece-perl 2>/dev/null || " \
+              "cpan -T Time::Piece", env: env
+    end
+  end
+
   # Out of abundance of caution, we put the feature flags first and then
   # the crazy platform specific compiler flags at the end.
   configure_args << env["CFLAGS"]
 
-  configure_command = configure_args.unshift(configure_cmd).join(" ")
+  # Detect old assembler at build time and add no-asm if needed.
+  # Also disable asm on 32-bit hosts where OpenSSL's generated assembly
+  # may use instructions unsupported by the target architecture.
+  # block runs at build time (not parse time), so shellout hits the actual build host.
+  block "Check assembler and libatomic" do
+    if version.satisfies?(">= 3.2.0") && linux?
+      is_32bit = shellout("getconf LONG_BIT 2>/dev/null").stdout.strip == "32"
+      as_output = shellout("as --version 2>/dev/null").stdout
+      as_ver = as_output.match(/(\d+\.\d+)/)
+      if is_32bit || as_ver.nil? || Gem::Version.new(as_ver[1]) < Gem::Version.new("2.22")
+        configure_args << "no-asm"
+      end
+    end
+  end
 
-  command configure_command, env: env, in_msys_bash: true
+  # block above mutates configure_args before this runs.
+  # In omnibus, block and command are both queued build steps executed in order.
+  block "Run Configure" do
+    configure_command = configure_args.unshift(configure_cmd).join(" ")
+    shellout!(configure_command, env: env, cwd: project_dir)
+  end
 
   if version.start_with?("1.0.2") && windows?
     patch source: "openssl-1.0.1j-windows-relocate-dll.patch", env: env
   end
 
-  make "depend", env: env
+  # make depend is only needed for OpenSSL < 3.0; removed in 3.x
+  make "depend", env: env if version.satisfies?("< 3.0.0")
   # make -j N on openssl is not reliable
   make env: env
   if aix?
@@ -197,5 +273,41 @@
     # Bug Ref: http://rt.openssl.org/Ticket/Display.html?id=2986&user=guest&pass=guest
     command "sudo /usr/sbin/slibclean", env: env
   end
+
   make "install", env: env
+
+  if fips_mode? && version.satisfies?(">= 3.0.0")
+    openssl_fips_version = project.overrides.dig(:openssl, :fips_version) || "3.0.9"
+
+    # Downloading the openssl-3.0.9.tar.gz file and extracting it
+    command "wget https://www.openssl.org/source/openssl-#{openssl_fips_version}.tar.gz"
+    command "tar -xf openssl-#{openssl_fips_version}.tar.gz"
+
+    # Configuring the fips provider
+    if windows?
+      platform = windows_arch_i386? ? "mingw" : "mingw64"
+      command "cd openssl-#{openssl_fips_version} && perl.exe Configure #{platform} enable-fips"
+    else
+      command "cd openssl-#{openssl_fips_version} && ./Configure enable-fips"
+    end
+
+    # Building the fips provider
+    command "cd openssl-#{openssl_fips_version} && make"
+
+    fips_provider_path = "#{install_dir}/embedded/lib/ossl-modules/fips.#{windows? ? "dll" : "so"}"
+    fips_cnf_file = "#{install_dir}/embedded/ssl/fipsmodule.cnf"
+
+    # Running the `openssl fipsinstall -out fipsmodule.cnf -module fips.so` command
+    command "#{install_dir}/embedded/bin/openssl fipsinstall -out #{fips_cnf_file} -module #{fips_provider_path}"
+
+    # Copying the fips provider and fipsmodule.cnf file to the embedded directory
+    command "cp openssl-#{openssl_fips_version}/providers/fips.#{windows? ? "dll" : "so"} #{install_dir}/embedded/lib/ossl-modules/"
+    command "cp openssl-#{openssl_fips_version}/providers/fipsmodule.cnf #{install_dir}/embedded/ssl/"
+
+    # Updating the openssl.cnf file to enable the fips provider
+    command "sed -i -e 's|# .include fipsmodule.cnf|.include #{fips_cnf_file}|g' #{install_dir}/embedded/ssl/openssl.cnf"
+    command "sed -i -e 's|# fips = fips_sect|fips = fips_sect|g' #{install_dir}/embedded/ssl/openssl.cnf"
+
+    command "#{install_dir}/embedded/bin/openssl list -providers"
+  end
 end
