Skip to content

Commit

Permalink
Merge pull request #14900 from pshipton/openssl3
Browse files Browse the repository at this point in the history
Update to openssl 3.0.10
  • Loading branch information
keithc-ca authored Aug 24, 2023
2 parents 791e1ba + b6a3bb3 commit ac49658
Show file tree
Hide file tree
Showing 6 changed files with 103 additions and 60 deletions.
6 changes: 6 additions & 0 deletions NOTICES.md
Original file line number Diff line number Diff line change
Expand Up @@ -113,3 +113,9 @@ OpenSSL 1.1.1
* License: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/LICENSE
* Project: https://www.openssl.org/
* Source: https://github.com/openssl/openssl or https://github.com/ibmruntimes/openssl

OpenSSL 3.x

* License: https://www.openssl.org/source/apache-license-2.0.txt
* Project: https://www.openssl.org/
* Source: https://github.com/openssl/openssl or https://github.com/ibmruntimes/openssl
2 changes: 1 addition & 1 deletion buildenv/jenkins/variables/defaults.yml
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ jitserver:
# OpenSSL
#========================================#
openssl:
extra_getsource_options: '--openssl-version=1.1.1v'
extra_getsource_options: '--openssl-version=3.0.10'
extra_configure_options: '--with-openssl=fetched'
#========================================#
# OpenSSL Bundling
Expand Down
42 changes: 26 additions & 16 deletions doc/build-instructions/Build_Instructions_V11.md
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,7 @@ Now fetch additional sources from the Eclipse OpenJ9 project and its clone of Ec
bash get_source.sh
```

:pencil: **OpenSSL support:** If you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v1.1.x available locally, you must specify `--openssl-version=<version>` where `<version>` is an OpenSSL level like 1.1.0 or 1.1.1. If the specified version of OpenSSL is already available in the standard location (SRC_DIR/openssl), `get_source.sh` uses it. Otherwise, the script deletes the content and downloads the specified version of OpenSSL source to the standard location and builds it. If you already have the version of OpenSSL in the standard location but you want a fresh copy, you must delete your current copy.
:pencil: **OpenSSL support:** If you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v3.x available locally, you must specify `--openssl-version=<version>` where `<version>` is an OpenSSL level like `3.0.10`. If the specified version of OpenSSL is already available in the standard location (SRC_DIR/openssl), `get_source.sh` uses it. Otherwise, the script deletes the content and downloads the specified version of OpenSSL source to the standard location and builds it. If you already have the version of OpenSSL in the standard location but you want a fresh copy, you must delete your current copy.

### 3. Configure
:penguin:
Expand Down Expand Up @@ -225,7 +225,7 @@ OMR - f29d158
JCL - 98f2038 based on jdk-11+28)
```

:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.1.x support, the following acknowledgements apply in accordance with the license terms:
:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.x support, the following acknowledgments apply in accordance with the license terms:

- *This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (https://www.openssl.org/).*
- *This product includes cryptographic software written by Eric Young ([email protected]).*
Expand Down Expand Up @@ -283,7 +283,7 @@ Now fetch additional sources from the Eclipse OpenJ9 project and its clone of Ec
bash get_source.sh
```

:pencil: **OpenSSL support:** If you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v1.1.x available locally, you must specify `--openssl-version=<version>` where `<version>` is an OpenSSL level like 1.1.0 or 1.1.1. If the specified version of OpenSSL is already available in the standard location (SRC_DIR/openssl), `get_source.sh` uses it. Otherwise, the script deletes the content and downloads the specified version of OpenSSL source to the standard location and builds it. If you already have the version of OpenSSL in the standard location but you want a fresh copy, you must delete your current copy.
:pencil: **OpenSSL support:** If you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v3.x available locally, you must specify `--openssl-version=<version>` where `<version>` is an OpenSSL level like `3.0.10`. If the specified version of OpenSSL is already available in the standard location (SRC_DIR/openssl), `get_source.sh` uses it. Otherwise, the script deletes the content and downloads the specified version of OpenSSL source to the standard location and builds it. If you already have the version of OpenSSL in the standard location but you want a fresh copy, you must delete your current copy.

### 3. Configure
:blue_book:
Expand Down Expand Up @@ -365,7 +365,7 @@ OMR - 28139f2
JCL - e5c64f5 based on jdk-11+21)
```

:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.1.x support, the following acknowledgements apply in accordance with the license terms:
:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.x support, the following acknowledgments apply in accordance with the license terms:

- *This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (https://www.openssl.org/).*
- *This product includes cryptographic software written by Eric Young ([email protected]).*
Expand Down Expand Up @@ -448,7 +448,7 @@ bash get_source.sh

:pencil: Create the directory that is going to contain the OpenJDK clone by using the `mkdir` command in the Cygwin bash shell and not using Windows Explorer. This ensures that it will have proper Cygwin attributes, and that its children will inherit those attributes.

:pencil: **OpenSSL support:** If you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v1.1.x available locally, you must specify `--openssl-version=<version>` where `<version>` is an OpenSSL level like 1.1.0 or 1.1.1. If the specified version of OpenSSL is already available in the standard location (SRC_DIR/openssl), `get_source.sh` uses it. Otherwise, the script deletes the content and downloads the specified version of OpenSSL source to the standard location and builds it. If you already have the version of OpenSSL in the standard location but you want a fresh copy, you must delete your current copy.
:pencil: **OpenSSL support:** If you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v3.x available locally, you must specify `--openssl-version=<version>` where `<version>` is an OpenSSL level like `3.0.10`. If the specified version of OpenSSL is already available in the standard location (SRC_DIR/openssl), `get_source.sh` uses it. Otherwise, the script deletes the content and downloads the specified version of OpenSSL source to the standard location and builds it. If you already have the version of OpenSSL in the standard location but you want a fresh copy, you must delete your current copy.

### 3. Configure
:ledger:
Expand All @@ -475,12 +475,11 @@ Mixed references is the default to build when no options are specified. _Note th
- `--with-mixedrefs=static` (this is the default) create a mixed references build which avoids runtime checks by compiling source twice
- `--with-noncompressedrefs` create a build supporting non-compressed references only

:pencil: **OpenSSL support:** If you want to build an OpenJDK that includes OpenSSL, you must specify `--with-openssl={fetched|system|path_to_library}`
:pencil: **OpenSSL support:** If you want to build an OpenJDK that includes OpenSSL, you must specify `--with-openssl={fetched|path_to_library}`

where:

- `fetched` uses the OpenSSL source downloaded by `get-source.sh` in step **2. Get the source**.
- `system` uses the package installed OpenSSL library in the system.
- `path_to_library` uses a custom OpenSSL library that's already built.

If you want to include the OpenSSL cryptographic library in the OpenJDK binary, you must include `--enable-openssl-bundling`.
Expand Down Expand Up @@ -530,7 +529,7 @@ OMR - e2e4b67c
JCL - a786f96b13 based on jdk-11+21)
```

:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.1.x support, the following acknowledgements apply in accordance with the license terms:
:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.x support, the following acknowledgments apply in accordance with the license terms:

- *This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (https://www.openssl.org/).*
- *This product includes cryptographic software written by Eric Young ([email protected]).*
Expand Down Expand Up @@ -602,7 +601,7 @@ Now fetch additional sources from the Eclipse OpenJ9 project and its clone of Ec
bash get_source.sh
```

:pencil: **OpenSSL support:** If you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v1.1.x available locally, you must obtain a prebuilt OpenSSL v1.1.x binary.
:pencil: **OpenSSL support:** If you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v3.x available locally, you must specify `--openssl-version=<version>` where `<version>` is an OpenSSL level like `3.0.10`. If the specified version of OpenSSL is already available in the standard location (SRC_DIR/openssl), `get_source.sh` uses it. Otherwise, the script deletes the content and downloads the specified version of OpenSSL source to the standard location and builds it. If you already have the version of OpenSSL in the standard location but you want a fresh copy, you must delete your current copy.

### 3. Configure
:apple:
Expand All @@ -628,7 +627,14 @@ Mixed references is the default to build when no options are specified. _Note th
- `--with-mixedrefs=static` (this is the default) create a mixed references build which avoids runtime checks by compiling source twice
- `--with-noncompressedrefs` create a build supporting non-compressed references only

:pencil: **OpenSSL support:** If you want to build an OpenJDK that includes OpenSSL, you must specify `--with-openssl=path_to_library`, where `path_to_library` specifies the path to the prebuilt OpenSSL library that you obtained in **2. Get the source**. If you want to include the OpenSSL cryptographic library in the OpenJDK binary, you must also include `--enable-openssl-bundling`.
:pencil: **OpenSSL support:** If you want to build an OpenJDK that includes OpenSSL, you must specify `--with-openssl={fetched|path_to_library}`

where:

- `fetched` uses the OpenSSL source downloaded by `get-source.sh` in step **2. Get the source**.
- `path_to_library` uses a custom OpenSSL library that's already built.

If you want to include the OpenSSL cryptographic library in the OpenJDK binary, you must include `--enable-openssl-bundling`.

:pencil: When building using `--with-cmake=no`, you must specify `freemarker.jar` with an absolute path, such as `--with-freemarker-jar=<path_to>/freemarker.jar`, where `<path_to>` is the location where you stored `freemarker.jar`.

Expand Down Expand Up @@ -679,7 +685,7 @@ OMR - d4cd7c31
JCL - 9da99f8b97 based on jdk-11+28)
```

:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.1.x support, the following acknowledgements apply in accordance with the license terms:
:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.x support, the following acknowledgments apply in accordance with the license terms:

- *This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (https://www.openssl.org/).*
- *This product includes cryptographic software written by Eric Young ([email protected]).*
Expand Down Expand Up @@ -713,6 +719,8 @@ Now fetch additional sources from the Eclipse OpenJ9 project and its clone of Ec
bash get_source.sh
```

:pencil: **OpenSSL support:** On an AArch64 Linux system if you want to build an OpenJDK with OpenJ9 binary with OpenSSL support and you do not have a built version of OpenSSL v3.x available locally, you must specify `--openssl-version=<version>` where `<version>` is an OpenSSL level like `3.0.10`. If the specified version of OpenSSL is already available in the standard location (SRC_DIR/openssl), `get_source.sh` uses it. Otherwise, the script deletes the content and downloads the specified version of OpenSSL source to the standard location and builds it. If you already have the version of OpenSSL in the standard location but you want a fresh copy, you must delete your current copy.

### 3. Prepare for build on AArch64 Linux

You must install a number of software dependencies to create a suitable build environment on your AArch64 Linux system:
Expand Down Expand Up @@ -779,13 +787,15 @@ Mixed references is the default to build when no options are specified. _Note th
- `--with-mixedrefs=static` (this is the default) create a mixed references build which avoids runtime checks by compiling source twice
- `--with-noncompressedrefs` create a build supporting non-compressed references only

:pencil: **OpenSSL support:** If you want to build an OpenJDK that uses OpenSSL, you must specify `--with-openssl={system|path_to_library}`
::pencil: **OpenSSL support:** If you want to build an OpenJDK that uses OpenSSL, you must specify `--with-openssl={fetched|system|path_to_library}`

where:

- `fetched` uses the OpenSSL source downloaded by `get-source.sh` in step **2. Get the source**. Using `--with-openssl=fetched` will fail during the build in the Docker environment.
- `system` uses the package installed OpenSSL library in the system. Use this option when you build on your AArch64 Linux system.
- `path_to_library` uses an OpenSSL v1.1.x library that's already built. You can use `${OPENJ9_CC_DIR}/${OPENJ9_CC_PREFIX}/libc/usr` as `path_to_library` when you are configuring in the Docker container.
- Using `--with-openssl=fetched` will fail during the build in the Docker environment.
- `path_to_library` uses an OpenSSL v3.x library that's already built. You can use `${OPENJ9_CC_DIR}/${OPENJ9_CC_PREFIX}/libc/usr` as `path_to_library` when you are configuring in the Docker container.

If you want to include the OpenSSL cryptographic library in the OpenJDK binary, you must include `--enable-openssl-bundling`.

:pencil: **DDR support:** You can build DDR support only on AArch64 Linux. If you are building in a cross-compilation environment, you need the `--disable-ddr` option.

Expand Down Expand Up @@ -842,7 +852,7 @@ JCL - d247952 based on jdk-11.0.6+6)

:construction: AArch64 JIT compiler is not fully optimized at the time of writing this, compared with other platforms.

:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.1.x support, the following acknowledgements apply in accordance with the license terms:
:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.x support, the following acknowledgments apply in accordance with the license terms:

- *This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (https://www.openssl.org/).*
- *This product includes cryptographic software written by Eric Young ([email protected]).*
Expand Down Expand Up @@ -1394,7 +1404,7 @@ Given that there is no JIT support for now, you might need to accelerate the com
:rocket:
(this section is based on verification result from HiFive U540 dev board / to be updated)

:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.1.x support, the following acknowledgements apply in accordance with the license terms:
:pencil: **OpenSSL support:** If you built an OpenJDK with OpenJ9 that includes OpenSSL v1.x support, the following acknowledgments apply in accordance with the license terms:

- *This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (https://www.openssl.org/).*
- *This product includes cryptographic software written by Eric Young ([email protected]).*
Expand Down
Loading

0 comments on commit ac49658

Please sign in to comment.