Re: borgbackup: switch to openssl/3.1

[Bjorn Ketelaars]

On Tue 24/10/2023 17:59, Theo Buehler wrote:
> I want to remove openssl/3.0 soon: it's very slow, doesn't have landing
> pads in its asm and there's no real reason for us to use it as we don't
> care about FIPS and we don't care about it being LTS. One member from
> the OpenSSL 3 family is enough at this point in time.
> 
> This passes regress, but I don't use borgbackup, so it's not tested
> otherwise.
> 
> I'll update the comment about bumps in openssl/3.*/Makefile as well.

The OpenSSL version is hardcoded in setup.py, and needs to be patched.
With the diff below all tests pass successfully.

With the change below, OK bket@


diff --git Makefile Makefile
index 258ccfa52d8..a542de1e61c 100644
--- Makefile
+++ Makefile
@@ -1,14 +1,14 @@
-# Static linking with OpenSSL 1.1
+# Static linking with OpenSSL 3.1
 .if ${MACHINE_ARCH} != aarch64 && ${MACHINE_ARCH} != amd64 && ${MACHINE_ARCH} 
!= riscv64
 USE_NOEXECONLY=                Yes
 .endif
 
 MODPY_EGG_VERSION =    2.0.0b7
-REVISION =             1
+REVISION =             2
 
 # OpenSSL used for EVP_aes_256_ocb. It is linked statically to avoid 
conflicting
 # with shared libcrypto from the base OS pulled in via dependencies.
-BUILD_DEPENDS =                security/openssl/3.0
+BUILD_DEPENDS =                security/openssl/3.1
 RUN_DEPENDS =          security/py-argon2-cffi${MODPY_FLAVOR} \
                        sysutils/py-platformdirs${MODPY_FLAVOR}>=3.8.1
 
diff --git patches/patch-setup_py patches/patch-setup_py
new file mode 100644
index 00000000000..1fa42d53314
--- /dev/null
+++ patches/patch-setup_py
@@ -0,0 +1,14 @@
+Index: setup.py
+--- setup.py.orig
++++ setup.py
+@@ -161,8 +161,8 @@ if not on_rtd:
+         # Use openssl (not libressl) because we need AES-OCB via EVP api. Link
+         # it statically to avoid conflicting with shared libcrypto from the 
base
+         # OS pulled in via dependencies.
+-        crypto_ext_lib = {"include_dirs": ["/usr/local/include/eopenssl30"]}
+-        crypto_extra_objects += ["/usr/local/lib/eopenssl30/libcrypto.a"]
++        crypto_ext_lib = {"include_dirs": ["/usr/local/include/eopenssl31"]}
++        crypto_extra_objects += ["/usr/local/lib/eopenssl31/libcrypto.a"]
+     else:
+         crypto_ext_lib = lib_ext_kwargs(pc, "BORG_OPENSSL_PREFIX", "crypto", 
"libcrypto", ">=1.1.1")
+