Comparing changes

base repository: passepartoutvpn/openssl-apple
base: master
head repository: cossacklabs/openssl-apple
compare: cossacklabs

Commits on May 8, 2020

  1. Don't symlink macOS framework if not building it

    If only iOS frameworks are being built, we should not try to create
    macOS framework by symlinking stuff. Do this only if the framework
    is actually requested by the arch/target selection.
    ilammy committed May 8, 2020
    60551b4
  2. Lower SDK minimums to iOS 8.0 and macOS 10.9

    These are the versions currently supported by Themis. While we can
    definitely bump them up to iOS 10.0 and macOS 10.14 somewhere in 2020,
    let's keep them matching Themis requirements for now.
    ilammy committed May 8, 2020
    444d952
  3. Update Info.plist metadata with CossackLabs branding

    Change the bundle ID to something related to us so that we're not
    infringing on "org.openssl" namespace (used by the original project),
    and have the binary we build clearly associated with us.
    
    Similarly, we are going to offer OpenSSL 1.0.2u, hence update the
    marketing version of the bundle to reflect that. Also update the
    default version in the build script so that we can use it directly.
    ilammy committed May 8, 2020
    c954f18
  4. Use targets CossackLabs cares about by default

    Update the default architecture/target list to include only the
    architectures we care about:
    
      - iOS Simulator i386
      - iOS Simulator x86_64
      - iOS ARM64
      - iOS ARMv7s
      - iOS ARMv7
      - macOS x86_64
    
    Note that we need i386 and ARMv7 iOS Simulator builds due to the minimum
    SDK version requirements we use. macOS has been x86_64-only for a while.
    
    Currently we do not support tvOS and watchOS, so don't build frameworks
    for those targets by default.
    
    The full set of available targets has been updated to include all that
    for future reference.
    ilammy committed May 8, 2020
    27e6a21
  5. Verify OpenSSL tarball checksums

    It's not nice to just download whatever source code from the Internet
    and build a cryptography library from that. At least verify that the
    checksum of the file is the expected one.
    
    The checksums are retrieved via a trusted Web browser from a trusted
    network from the official Web site. We check that the file we download
    is the one we should expect, just in case openssl.org gets MITMed.
    ilammy committed May 8, 2020
    641757d
  6. Binary project specifications for Carthage

    Host the specs so that Carthage projects can depend on this library.
    Note that we still have to respect Carthage versioning policy.
    ilammy committed May 8, 2020
    d5a33a6
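
The check described in commit 641757d ("Verify OpenSSL tarball checksums"), as an added example that is not code from this repository: a pinned SHA-256 table keyed by version that fails closed when a version has no pin. The function names, the `0.0.0-example` version and its three-byte stand-in tarball (the string `abc`) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the repository's build-libssl.sh.
# Function names and the pin table entry are hypothetical.

# Print the lowercase hex SHA-256 of a file (Linux coreutils or macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Pinned digests, one line per supported version. A real table would hold
# the digest of each OpenSSL tarball, obtained out of band as the commit
# message describes. The single entry here is constructed: it is the
# well-known SHA-256 of the 3-byte string "abc".
expected_sha256() {
    case $1 in
        0.0.0-example)
            echo ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad ;;
        *)
            return 1 ;;
    esac
}

# verify_tarball VERSION FILE
#   returns 0 when FILE matches the pin for VERSION
#   returns 1 on mismatch (FILE is deleted so a later step cannot build it)
#   returns 2 when VERSION has no pin (fail closed, never "skip the check")
#   returns 3 when FILE cannot be read
verify_tarball() {
    vt_want=$(expected_sha256 "$1") || {
        echo "no pinned checksum for version $1, refusing to build" >&2
        return 2
    }
    [ -f "$2" ] || { echo "missing file: $2" >&2; return 3; }
    vt_got=$(sha256_of "$2") || return 3
    if [ "$vt_got" != "$vt_want" ]; then
        echo "checksum mismatch for $2" >&2
        echo "  expected: $vt_want" >&2
        echo "  actual:   $vt_got" >&2
        rm -f -- "$2"
        return 1
    fi
    return 0
}
```

Overriding the version on the command line without adding a pin ends in return code 2 rather than an unverified build.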

Commits on May 10, 2020

  1. fde0916

Commits on Jul 21, 2020

  1. Merge branch 'master' into cossacklabs

    Resolved conflicts in favor of master with its more generic approach to
    defining minimum SDK versions.
    ilammy committed Jul 21, 2020
    b7c970e

Commits on Jul 28, 2020

  1. Maintainer Makefile (#2)

    * Maintainer Makefile
    
    Add a Makefile to make releasing new versions easier. It encapsulates
    common tasks for preparing a release. With this Makefile, the release
    flow should be something like this:
    
     1. Update OpenSSL version and checksum in build-libssl.sh
    
        Update minimum and target API versions as necessary too.
    
     2. Run "make". Wait.
    
     3. Commit, tag, push changes.
    
     4. Create GitHub release, attach framework packages from "output".
    
    Currently we support only Carthage publishing. Carthage packages are
    published when the tag and commit are pushed.
    
    Later CocoaPods will be added into the flow. This will require
    additional validation step *after* the tag is published and GitHub
    release is created, followed by manual podspec publishing.
    
    Carthage binary project specs have a new naming, more consistent with
    platform names used by OpenSSL build scripts. However, we still keep the
    old specs around because they may still be needed on the "cossacklabs"
    branch. They can be removed only after the release is made, when we are
    sure that all users of the experimental branches have migrated away.
    
    * Move modifications into Makefile
    
    Newer versions of the build-libssl.sh script allow more configurability
    so we do not have to modify it to achieve what we want. Roll back our
    changes and move them into the Makefile instead, changing relevant
    defaults using the command-line options.
    ilammy authored Jul 28, 2020
    37bcb04

Commits on Jul 30, 2020

  1. Update to OpenSSL 1.1.1g (#4)

    As of now, OpenSSL 1.1.1g is the latest stable version of OpenSSL.
    ilammy authored Jul 30, 2020
    200ffc0

Commits on Aug 3, 2020

  1. CocoaPods spec: CLOpenSSL (#3)

    Support publishing our OpenSSL build on CocoaPods. Now running
    "make specs" will also generate "cocoapods/CLOpenSSL.podspec" which can
    be uploaded to CocoaPods repositories.
    
    The spec does not actually build OpenSSL on the user machine. Instead,
    it downloads prebuilt frameworks (the same as used by Carthage). This
    results in considerable savings of the installation time. The framework
    binaries are currently hosted as GitHub releases. Not checking them into
    the repository also gives some savings (or rather, will give over time).
    
    Since the spec still clones *this* repository, it will be possible to
    build OpenSSL from source on developers' machines, if needed.
    
    Only dynamic frameworks are supported with CocoaPods. There is an option
    to include static frameworks, but that does not work out of the box and
    is very inconvenient for us to support.
    
    Note that at the moment there is no "v1.0.221" tag in this repository so
    the produced Podspec will not pass linting. It can be properly and fully
    linted only after the tag is published. (That's how CocoaPods works.)
    ilammy authored Aug 3, 2020
    045d3d8

Commits on Aug 6, 2020

  1. OpenSSL 1.1.1g

    ilammy committed Aug 6, 2020
    6bbc5dc
  2. Document release process (#5)

    Since we've made the first proper release, let's document the process
    so that it goes quicker next time.
    ilammy authored Aug 6, 2020
    214f628

Commits on Aug 7, 2020

  1. Build OpenSSL for arm64e (#6)

    I have missed this architecture from the default list. It is important
    for more security features of iOS [1], let's add it. The architecture
    has been available for a while, and it looks like latest devices are
    going to require it.
    
    [1]: https://developer.apple.com/documentation/security/preparing_your_app_to_work_with_pointer_authentication
    
    Co-Authored-By: vixentael <vixentael@users.noreply.github.com>
    
    Co-authored-by: vixentael <vixentael@users.noreply.github.com>
    ilammy and vixentael authored Aug 7, 2020
    c05395c

Commits on Aug 10, 2020

  1. Use original OpenSSL version for static frameworks (#7)

    ...but use the semversified version for dynamic frameworks. That is, for
    OpenSSL 1.1.1g static frameworks will have "1.1.1g" in their Info.plist,
    dynamic frameworks will have "1.1.107" in their Info.plist, and the tag
    on the repository will be "v1.1.107".
    
    This is because we need to keep the version in static frameworks
    distributed for Carthage (static ones) so that certain dependency
    checkers are happy. We need to modify the version in dynamic frameworks
    as they are going to be included into the app bundle and we need to make
    the App Store happy. We need to have the tag semver-valid too because
    Carthage needs to be still happy. But what if there is a CocoaPods project
    which also uses a dependency checker which will be thrown off guard with
    a weird OpenSSL version? Well, the thing is, you as a maintainer are not
    entitled to be happy. All package managers apparently want you to suffer
    until you submit to their demands, so does the App Store where all the
    apps are going to be submitted. Ultimately, you do want that shiny money,
    right? If you didn't, you'd be working for a different ecosystem. IDK,
    making desktop Linux great again, or Plan 9, or Raku.
    
    There is a moment when a person breaks. This is it for me. If someone
    demands the version to be a picture, or a dance, or a poem, then the
    version will be just that. If this commit causes you trouble -- whoever
    is reading this in "git blame" -- because you don't understand why the
    versioning is so weird, why there is this change that causes merge
    conflicts, why your customers are not happy because a weird version of
    dependency of a dependency prevents the app from validating. If any of
    this happens, please know that I'm deeply sorry for this, but it's your
    turn. I hope you can make the world a better place, as I hope that no
    one will have to touch this magic and it will continue working long past
    anyone remembers why. Until it breaks, that is.
    
    It's 3:10 AM and I probably should not be submitting this change,
    waiting for a cool down, but... whatever vOv
    ilammy authored Aug 10, 2020
    891134d

Commits on Sep 28, 2020

  1. Drop historical Carthage specs (#8)

    Now all production users are using new, consistently named spec files.
    Drop old files which are not actively used by any of our projects.
    ilammy authored Sep 28, 2020
    aac0a14

Commits on Oct 26, 2020

  1. Apple Silicon support (#9)

    * Apple Silicon support
    
    Add architecture configuration for OpenSSL based on changes suggested
    by Sasmito [1]. Since we're interested only in macOS and iOS, add only
    those simulators, cross-compiled for arm64.
    
    This only lets the compiler compile something as support for arm64
    is not complete in OpenSSL [2]. For example, you can see that we disable
    inline assembly, so the code might actually run slower. It's not much of
    an issue right now though since there is no arm64 hardware yet on the
    public market.
    
    [1]: balthisar#6
    [2]: openssl/openssl#12254
    
    However, don't add the new arm64 architecture to the list of default
    architectures and targets to compile OpenSSL for (DEFAULTARCHS and
    DEFAULTTARGETS in "build-libssl.h"). This is because arm64 is currently
    supported only in Xcode betas, it's not available yet for the stable
    releases. Those wishing to experiment with arm64 architecture will have
    to specify appropriate targets manually on the command line.
    
    Suggested-by: Sasmito Adibowo <adib@basil-salad.com>
    
    * Differentiate iOS Simulator headers
    
    New arm64 architecture for iOS Simulator is conflicting with arm64
    architecture for the real iOS devices. Though the architecture is the
    same, the target is not. A different SDK is used to build arm64 for
    Apple Silicon devices, and it's not compatible in the strict sense.
    
    OpenSSL currently has per-architecture headers with platform-specific
    details. Make sure that iOS ones don't conflict with iOS Simulator by
    making iOS use "openssl_ios_arm64.h" and iOS Simulator will be using
    "openssl_ios_sim_arm64.h"
    
    * Add platform-specific headers for arm64
    
    Introduce conditionals to check for and use arm64 on macOS and for the
    iOS Simulator builds.
    ilammy authored Oct 26, 2020
    4e7bf92
  2. Build arm64 slices if requested (#10)

    * Bump minimum platform versions of iOS and macOS
    
    Bring them in line with the current recommendations of Xcode 12 and
    current requirements of Themis which is the main consumer of CLOpenSSL
    at the moment.
    
    * Enable building arm64 if requested
    
    Add arm64 to the list of architectures to build when requested by the
    user, this can be done by setting APPLE_SILICON_SUPPORT environment or
    Make variable to "yes", for example:
    
       make APPLE_SILICON_SUPPORT=yes
    
    We intend to provide arm64 builds in the default package, but until it
    is available in stable Xcode releases, arm64 capability will be under
    the feature gate to avoid breaking stable Xcode builds. Currently using
    APPLE_SILICON_SUPPORT requires Xcode 12+ beta to be active.
    
    Also note that currently only the macOS build is enabled. It is possible
    to build arm64 for iOS Simulator, but it's currently not possible to
    package the results into the same fat binary along with the arm64 slice
    for the actual iOS devices. This issue will be solved later. It seems
    that using XCFrameworks should allow mixing targets the way we need it.
    ilammy authored Oct 26, 2020
    62ccf2e
  3. Extra package version digits (#11)

    Teenage mutant ninja turtles
    ...sorry.
    
    Occasionally we need to publish the same OpenSSL version several times,
    such as when the version did not really change but Apple platforms did.
    Normally you increment the "patch version" for this, or some dedicated
    "package version", but we don't have that luxury with OpenSSL. We must
    keep the version strictly semver, and all the digits are already taken
    with OpenSSL version, even with some extra on top.
    
    The current latest version of OpenSSL is 1.1.1h. However, semver does
    not allow letters so we transform that into 1.1.108:
    
       1.1.1h => 1.1.(1 * 100) + ('h' - 'a' + 1) => 1.1.108
    
    In the similar vein, add yet another 'package version' part to this
    whole mess:
    
       1.1.1h-1 => 1.1.((1 * 100) + ('h' - 'a' + 1)) * 100 + 1 => 1.1.10801
    
    It's not the prettiest solution but... doin' what I can with what I got.
    This approach is semver-compatible, pleasing our fruit company overlords.
    The resulting version ordering is useful. Since the 1.1.107 has been the
    only release so far, migration to 1.1.10701 is smooth. The transformation
    is reversible and unambiguous (well, let's hope we won't need to release
    more than 100 versions of the same OpenSSL).
    
    The source of truth for CLOpenSSL is the PACKAGE_VERSION variable in the
    Makefile. Bump it to release a new package version. Reset it to "1" when
    updating OpenSSL version.
    
    Note that the tag names are using the same approach because they are
    significant to Carthage and CocoaPods.
    ilammy authored Oct 26, 2020
    0afb091
  4. Temporarily exclude arm64 for iOS Simulator (#12)

    As it was noted before [1], we are currently unable to support arm64 for
    both iOS and iOS simulators. Disable the arm64 slice for iOS Simulator
    to let the podspec be linted properly.
    
    This requires Xcode 12 to compile and use.
    
    [1]: cossacklabs#9
    ilammy authored Oct 26, 2020
    eb48f8a
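
The version mapping from commit 0afb091 ("Extra package version digits") in both directions, as an added example that is not the repository's script. The function names are hypothetical, and two restrictions are assumptions of this example: the patch number must be at least 1 and the package version must be 1 to 99, so that every encoded value is five or more digits and cannot be confused with an earlier three-digit tag such as 1.1.107.

```sh
#!/bin/sh
# Added example, not taken from the repository. Implements the mapping
# from the commit message: 1.1.1h with package version 1 -> 1.1.10801.
# Function and variable names are hypothetical.

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
has_three_fields() {
    case $1 in *.*.*.*) return 1 ;; *.*.*) return 0 ;; *) return 1 ;; esac
}

# semverify OPENSSL_VERSION PACKAGE_VERSION  ->  MAJOR.MINOR.N
semverify() {
    has_three_fields "$1" || { echo "bad OpenSSL version: $1" >&2; return 1; }
    sv_major=${1%%.*}
    sv_rest=${1#*.}
    sv_minor=${sv_rest%%.*}
    sv_patch=${sv_rest#*.}
    sv_letter=${sv_patch##*[0-9]}       # trailing letter, may be empty
    sv_digits=${sv_patch%"$sv_letter"}  # numeric part of the patch field

    is_uint "$sv_major" && is_uint "$sv_minor" && is_uint "$sv_digits" ||
        { echo "bad OpenSSL version: $1" >&2; return 1; }
    # Assumption: patch >= 1 and no leading zeros (see lead-in).
    case $sv_digits in 0*) echo "unsupported patch: $sv_digits" >&2; return 1 ;; esac
    # Only a single letter suffix fits in two decimal digits.
    case $sv_letter in
        ''|[a-z]) ;;
        *) echo "unsupported letter suffix: $sv_letter" >&2; return 1 ;;
    esac
    # Two digits are reserved for the package version; 0 and 100+ would
    # make the encoding ambiguous.
    case $2 in
        [1-9]|[1-9][0-9]) ;;
        *) echo "package version must be 1..99: $2" >&2; return 1 ;;
    esac

    sv_idx=0
    [ -z "$sv_letter" ] || sv_idx=$(( $(printf '%d' "'$sv_letter") - 96 ))
    echo "$sv_major.$sv_minor.$(( ($sv_digits * 100 + $sv_idx) * 100 + $2 ))"
}

# unsemverify MAJOR.MINOR.N  ->  OPENSSL_VERSION-PACKAGE_VERSION
unsemverify() {
    has_three_fields "$1" || { echo "bad package version: $1" >&2; return 1; }
    us_major=${1%%.*}
    us_rest=${1#*.}
    us_minor=${us_rest%%.*}
    us_n=${us_rest#*.}
    is_uint "$us_major" && is_uint "$us_minor" && is_uint "$us_n" ||
        { echo "bad package version: $1" >&2; return 1; }
    case $us_n in 0*) echo "bad package version: $1" >&2; return 1 ;; esac
    # Values below 10000 predate the package digits (e.g. the 1.1.107 tag).
    [ "$us_n" -ge 10000 ] ||
        { echo "no package digits in $1, not decoding" >&2; return 1; }

    us_pkg=$(( $us_n % 100 ))
    us_idx=$(( $us_n / 100 % 100 ))
    us_patch=$(( $us_n / 10000 ))
    [ "$us_pkg" -ge 1 ] && [ "$us_idx" -le 26 ] ||
        { echo "not a valid encoding: $1" >&2; return 1; }

    us_letter=
    [ "$us_idx" -eq 0 ] ||
        us_letter=$(printf "\\$(printf '%03o' $(( $us_idx + 96 )))")
    echo "$us_major.$us_minor.$us_patch$us_letter-$us_pkg"
}

# Demo: tag version for OpenSSL 1.1.1h, first package release.
semverify 1.1.1h 1
```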

Commits on Oct 27, 2020

  1. Use static frameworks for CocoaPods (#13)

    Okay, let's try this again. Previously we have experimented with 'static
    frameworks' -- regular frameworks but with static libraries in them
    instead of dynamic ones. It turns out that a special CocoaPods option
    seems to make them work after all.
    
    Convert CLOpenSSL into a static framework for CocoaPods too, like we
    already do for Carthage.
    ilammy authored Oct 27, 2020
    d21e3b7
  2. Fix minimum OS version setup (#14)

    Make sure to export the MIN_IOS_SDK and MIN_OSX_SDK variables from the
    makefile as they are needed in "scripts/update-specs.sh" to properly
    fill in the minimum version requirements in generated CocoaPods spec.
    Otherwise we only pass them to the OpenSSL build scripts and end up
    with the spec requesting more broad minimum versions than the range
    actually supported by the binaries.
    
    Instead of exporting the variables to specific script invocations, just
    make sure that Make exports them to all tools that it launches. That way
    it's harder to forget to add them for some script.
    ilammy authored Oct 27, 2020
    6d9f6cd
  3. Update to OpenSSL 1.1.1h (#15)

    There is nothing notable about this release, just some bugfix [1].
    
    [1]: https://www.openssl.org/news/changelog.html#openssl-111
    ilammy authored Oct 27, 2020
    9b3000c
  4. Make podspec summary short (#16)

    CocoaPods issues a warning if the summary is long, it expects it to be
    tweet-sized (under 140 characters). Well, split the current summary into
    a short part and move OpenSSL description into "description".
    
    Now it should be possible to lint the spec without "--allow-warnings".
    ilammy authored Oct 27, 2020
    3622f35
  5. OpenSSL 1.1.1h

    ilammy committed Oct 27, 2020
    8ba2cea

Commits on Nov 22, 2020

  1. Merge branch 'master' into cossacklabs

    Sync our branch with upstream updates. The updates add Apple Silicon
    support (with hardware acceleration), XCFrameworks, and other updates.
    
    The following commits on our branch are now obsolete:
    
      - 4e7bf92
    
    Note that due to the changes our Makefile build system is currently
    broken. The following commits will fix this. This one only gets the
    merge correctly.
    ilammy committed Nov 22, 2020
    12b15ba
  2. Revert "Merge branch 'master' into cossacklabs" (#19)

    This reverts commit 12b15ba, reversing
    changes made to 8ba2cea.
    
    We have been a bit early merging these changes so revert them for now.
    We still want to push out a version of CLOpenSSL with proper dynamic
    frameworks (the last one) and are not ready for working on XCF now.
    ilammy authored Nov 22, 2020
    6a8e199
  3. Remove arm64e slice; return dyn linking for CocoaPods (#18)

    * Automatically enable Apple Silicon support
    
    Since Xcode 12.2 (stable) is out, Apple Silicon support can be enabled
    automatically there. Check the version of the command-line tools and
    set APPLE_SILICON_SUPPORT value automatically if possible.
    
    After a while, once Xcode 12.0.1 and earlier are no longer supported
    and widely used, this variable can be removed completely. Right now
    it won't be really necessary to set it explicitly, unless you want
    something strange.
    
    * Revert "Use static frameworks for CocoaPods (#13)"
    
    This reverts commit d21e3b7.
    
    We can't just migrate CLOpenSSL to static frameworks as that requires
    all upstream dependencies to migrate to static frameworks too, and
    that breaks builds left, right, and center.
    
    Instead, we have figured out what has been breaking dynamic linkage
    with CocoaPods, and now we're coming back to using dynamic linkage.
    
    If static versions of CLOpenSSL are published, they will be published
    in a separate podspec.
    
    * Drop arm64e to work around CocoaPods issues
    
    arm64e builds are included to test the pointer authentication feature of
    iOS devices. We have to include it in binary CLOpenSSL builds so that
    upstream users of CLOpenSSL might enable it themselves for testing.
    
    However, inclusion of this architecture slice causes issues with
    CocoaPods handling of vendored binary frameworks. arm64e builds include
    a certain linker command -- LC_DYLD_CHAINED_FIXUPS (0x80000034) -- which
    confuses CocoaPods' detector of dynamic binaries, making it believe that
    the vendored framework is a static one, not dynamic. This in turn causes
    issues when using CLOpenSSL as CocoaPods refuses to link "static" binary
    without "static_framework = true".
    
    This is a known issue in CocoaPods, stemming from the missing features in
    Homebrew's Mach-O parser [1][2].
    
    [1]: Homebrew/brew#7857
    [2]: Homebrew/ruby-macho#261
    
    There is nothing we can do about it right now, other than disable
    "arm64e" builds for the time being. This does not affect deployment to
    App Store, but will break dependencies of CLOpenSSL which expect this
    architecture to be present. The dependencies will have to disable arm64e
    in their projects, if they have it explicitly enabled. (Considering that
    CocoaPods packaging of CLOpenSSL was never in good shape, the actual
    impact of this change should be minimal.)
    
    * Set install name during linkage
    
    Instead of using "install_name_tool" to fix the LC_ID_DYLIB value of the
    dylib, pass the "-install_name" parameter to the linker directly. This
    doesn't change anything in the resulting binary but looks a bit cleaner.
    
    * Use ABI-correct install name on macOS
    
    On macOS -- contrary to iOS, watchOS, and tvOS -- it is customary for
    frameworks to provide additional internal structure which helps with
    binary compatibility. For example, on iOS/watchOS/tvOS a framework
    typically has flat structure:
    
        openssl.framework
        ├── Headers
        ├── Info.plist
        └── openssl
    
    while on macOS it's a bit more involved:
    
        frameworks/MacOSX/openssl.framework
        ├── Headers -> Versions/Current/Headers
        ├── Resources -> Versions/Current/Resources
        ├── Versions
        │   ├── A
        │   └── Current -> A
        └── openssl -> Versions/Current/openssl
    
    Note that the top-level files are actually symlinks to the
    "Versions/Current" which in turn is a symlink to the "A" version,
    which actually contains the framework content:
    
        openssl.framework/Versions/A
        ├── Headers
        ├── Resources
        │   └── Info.plist
        └── openssl
    
    Currently, the 'install name' of all "openssl" binaries is set to
    "@rpath/openssl.framework/openssl", which makes the linked binaries
    remember and use this path when loading OpenSSL. On macOS this will
    involve two additional symlink resolutions. Another thing here is that
    if we will need to introduce a different version of OpenSSL framework
    on macOS, existing applications will still look up the current one,
    instead of using the A version that they should.
    
    Update the install name computation to use
    
        @rpath/openssl.framework/openssl
    
    for iOS, watchOS, tvOS while using more explicit
    
        @rpath/openssl.framework/Versions/A/openssl
    
    for macOS.
    
    This is how Apple's system frameworks do it. Though they have a pressing
    issue of supporting multiple possible ABIs and it's not that important
    in our case, you never know when this turns out to be necessary or
    whether some weird tool might choke on the symlinks.
    vixentael authored Nov 22, 2020
    75b8306

Commits on Nov 23, 2020

  1. OpenSSL 1.1.1h 1.1.10802

    vixentael committed Nov 23, 2020
    d57682e

Commits on Nov 24, 2020

  1. Merge branch 'master' into cossacklabs, again (#20)

    This reverts commit 6a8e199, which
    itself was a revert of the 12b15ba
    merge. Now the merge of upstream into our branch is there again,
    bringing in updates for ARM64 and adding XCFramework support.
    ilammy authored Nov 24, 2020
    cf2c68b
  2. XCFramework support and packaging (#21)

    * Drop support for OpenSSL 1.0.x
    
    Upstream commit 184673f has removed
    support for OpenSSL 1.0.x, now the architectures to build for are
    specified only via "--targets" option, "--archs" is not supported.
    Do not set it up and do not pass it to the build script.
    
    * Restore removed iOS 10.0 targets
    
    Upstream has moved to using iOS 12.0 as the default minimum supported
    version. With this, several architectures have been removed in commit
    2be1214. However, we are still using
    iOS 10.0 as our minimum supported version and still the removed 32-bit
    architectures: armv7 and arm7s for iOS devices and i386 for simulators.
    If they are not included in the binary frameworks, Xcode will complain
    about missing architecture slices.
    
    * Adjust packaging to XCFrameworks
    
    Upstream has moved to packaging a single XCFramework with all targets in
    it. This brings good news as now Apple Silicon will be supported for iOS
    Simulators, removing the need for some hacks. This also brings bad news
    because this is a breaking change for CLOpenSSL users.
    
    In order to avoid breakage, the packages are renamed. CocoaPods' pod is
    now named "CLOpenSSL-XCF" and Carthage binary dependencies should be
    retrieved using the "openssl-{static,dynamic}-xcframework.json" specs.
    
    The reason for this is that Carthage users will have to adjust their
    binary dependencies to download the unified XCFramework instead of two
    separate frameworks for iOS and macOS. They will also need to adjust
    their Xcode projects to use "openssl.xcframework" instead of the usual
    "openssl.framework". While CocoaPods should automatically figure this
    out, we won't take chances and will make this a flag day for CocoaPods
    users as well.
    
    This is also a breaking change for our build system as the upstream
    build system now builds iOS (device) and iOS Simulator frameworks
    separately. This means that there are two "openssl.framework" binaries
    for iOS and neither is usable with both iOS and iOS Simulator, as it was
    before. We can't package them as an "iPhone" target to maintain backward
    compatibility with previous Carthage packaging.
    
    Overall, this means that the next release of CLOpenSSL is a flag day for
    its users. Users of the previous version MUST migrate their builds if
    they wish to future updates. Otherwise they can continue using 1.1.10802.
    
    * Include arm64 slice for iOS Simulators
    
    Now that we are building XCFrameworks, we can also include the arm64
    slice for iOS Simulator (if Xcode supports Apple Silicon), without
    getting any errors from linker.
    
    It is also not necessary now to exclude this slice from projects
    generated by CocoaPods. That is, for CLOpenSSL consumers. Upstream
    library users like Themis might still need the exclusion until they are
    producing XCFramework-compatible artifacts. However, CLOpenSSL does not
    need to enforce this exclusion by itself from now on.
    ilammy authored Nov 24, 2020
    1a8a267

Commits on Dec 15, 2020

  1. Update README.md

    vixentael authored Dec 15, 2020
    0674511

Commits on Mar 11, 2021

  1. 4b0b616

Commits on Apr 26, 2021

  1. updated release instructions

    julepka committed Apr 26, 2021
    721919c
  2. 70cbfcf

Commits on Apr 27, 2021

  1. Merge pull request #22 from julepka/spm-xcf-support

    Swift Package Manager support with xcframework
    julepka authored Apr 27, 2021
    5efca9f
  2. OpenSSL 1.1.1h

    julepka committed Apr 27, 2021
    19b79d4

Commits on Apr 29, 2021

  1. OpenSSL 1.1.1k

    julepka committed Apr 29, 2021
    afd16d4

Commits on May 6, 2021

  1. 5898308

Commits on Aug 3, 2023

  1. OpenSSL 1.1.1u

    radetsky committed Aug 3, 2023
    6c19a16
  2. Merge pull request #25 from cossacklabs/openssl-1.1.1u

    OpenSSL 1.1.1u
    radetsky authored Aug 3, 2023
    60271d8

Commits on Sep 6, 2023

  1. 44edb34
  2. 16e3360

Commits on Sep 7, 2023

  1. a34cfaa
  2. a5ffe8e
  3. fcab6ae
  4. OpenSSL 1.1.1v

    radetsky committed Sep 7, 2023
    e937003

Commits on Sep 11, 2023

  1. Merge pull request #26 from cossacklabs/openssl-1.1.1v

    Openssl 1.1.1v + improvements
    radetsky authored Sep 11, 2023
    f35370a

Commits on May 22, 2024

  1. OpenSSL 1.1.1w

    radetsky committed May 22, 2024
    5357563
  2. assets for VisionOS

    radetsky committed May 22, 2024
    e1604be
6 changes: 6 additions & 0 deletions .gitignore
@@ -14,3 +14,9 @@ include/openssl
*.xcodeproj/project.xcworkspace
*.xcodeproj/xcuserdata
Pods
.swiftpm/

# Cossack Labs packaging
output
cocoapods/CLOpenSSL-XCF.podspec
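
Review bot: the bare `output` pattern under "# Cossack Labs packaging" is unanchored, so it ignores any file or directory named output at any depth of the tree, not only the top-level directory that the Makefile's `OUTPUT ?= output` writes to. Writing it as `/output/` keeps the ignore scoped to that build directory, so that an unrelated path called output elsewhere in the repository cannot silently drop out of version control.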

155 changes: 155 additions & 0 deletions Makefile
@@ -0,0 +1,155 @@
# Set default goal for "make"
.DEFAULT_GOAL := specs

ifeq ($(MAKECMDGOALS),)
GOAL := $(.DEFAULT_GOAL)
else
GOAL := $(MAKECMDGOALS)
endif


#===== Versioning ==============================================================

## OpenSSL version to build
VERSION ?= 1.1.1w

## Extra version of the distributed package
PACKAGE_VERSION ?= 1
export PACKAGE_VERSION

MIN_IOS_SDK = 11.0
MIN_OSX_SDK = 10.13
MIN_XROS_SDK = 1.1
export MIN_IOS_SDK MIN_OSX_SDK MIN_XROS_SDK

BUILD_TARGETS += ios-sim-cross-x86_64
BUILD_TARGETS += ios64-cross-arm64
BUILD_TARGETS += macos64-x86_64
BUILD_TARGETS += visionos-sim-cross-x86_64 visionos-sim-cross-arm64 visionos-cross-arm64

# Automatically enable Apple Silicon support if running with Xcode 12.2+
# unless the user has decided explicitly.
ifeq ($(APPLE_SILICON_SUPPORT),)
xcode_version := $(shell xcodebuild -version | awk '/Xcode/ {print $$2}')
ifeq ($(shell printf '%s\n' "12.2" "$(xcode_version)" | sort -V | head -1),12.2)
APPLE_SILICON_SUPPORT := yes
endif
endif

# Not all currently used Xcode versions support building for Apple Silicon.
# Enable this architecture only when requested.
ifeq ($(APPLE_SILICON_SUPPORT),yes)
BUILD_TARGETS += macos64-arm64
BUILD_TARGETS += ios-sim-cross-arm64
endif

BUILD_FLAGS += --version=$(VERSION)
BUILD_FLAGS += --targets="$(BUILD_TARGETS)"
BUILD_FLAGS += --min-ios-sdk=$(MIN_IOS_SDK)
BUILD_FLAGS += --min-macos-sdk=$(MIN_OSX_SDK)
BUILD_FLAGS += --min-xros-sdk=$(MIN_XROS_SDK)


#===== Building ================================================================

## Output directory
OUTPUT ?= output

## Build OpenSSL binaries
build: $(OUTPUT)/done.build
ifeq ($(GOAL),build)
@echo "Now you can package OpenSSL binaries:"
@echo
@echo " make package"
@echo
endif

.PHONY: build

$(OUTPUT)/done.build:
@echo $(BUILD_FLAGS)
@./build-libssl.sh $(BUILD_FLAGS)
@mkdir -p $(OUTPUT)
@touch $(OUTPUT)/done.build

## Force rebuild of OpenSSL binaries
rebuild:
@./build-libssl.sh $(BUILD_FLAGS)
@mkdir -p $(OUTPUT)
@touch $(OUTPUT)/done.build
ifeq ($(GOAL),rebuild)
@echo "Now you can package OpenSSL binaries:"
@echo
@echo " make package"
@echo
endif

.PHONY: rebuild


#===== Packaging ===============================================================

## Prepare OpenSSL packages for upload
packages: $(OUTPUT)/done.packages
ifeq ($(GOAL),packages)
@echo "Now you can update package specs:"
@echo
@echo " make specs"
@echo
endif

.PHONY: packages

$(OUTPUT)/done.packages: $(OUTPUT)/done.build
@scripts/create-packages.sh
@mkdir -p $(OUTPUT)
@touch $(OUTPUT)/done.packages


#===== Spec updates ============================================================

## Update package spec files
specs: $(OUTPUT)/done.specs
ifeq ($(GOAL),specs)
@echo "Now you can commit the changes:"
@echo
@echo " git add -p"
@echo " git commit -em \"OpenSSL $(VERSION)\""
@echo
@echo "Submit a pull request against the \"cossacklabs\" branch."
@echo "Wait for it to be merged, then prepare a signed release tag:"
@echo
@echo " git checkout cossacklabs"
@echo " git pull"
@echo
@echo " # The tag must contain the 'semversified' version of OpenSSL"
@echo " # (e.g., $$(cat "$(OUTPUT)/version") instead of $(VERSION))"
@echo " git tag -sem \"OpenSSL $(VERSION)\" $$(cat "$(OUTPUT)/version")"
@echo " git push --tags"
@echo
@echo "Finally, create a pre-release on GitHub from this tag:"
@echo
@echo " https://github.com/cossacklabs/openssl-apple/releases/new"
@echo
@echo "and attach the following files to the release:"
@echo
@find $(OUTPUT) -type f -name 'openssl-*.zip' | sort | sed 's/^/ /g'
@echo
endif

.PHONY: specs

$(OUTPUT)/done.specs: $(OUTPUT)/done.packages
@scripts/update-specs.sh
@mkdir -p $(OUTPUT)
@touch $(OUTPUT)/done.specs


#===== Miscellaneous ===========================================================

## Remove build artifacts
clean:
@rm -rf bin lib src frameworks include/openssl
@rm -rf $(OUTPUT)

.PHONY: clean
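
Review bot: the hints printed by the `build` and `rebuild` targets tell the user to run `make package`, but the target defined in the Packaging section is `packages`, so following the hint fails with a missing-rule error. Change both echo lines to `make packages`, or add a `package` alias. Separately, the three `visionos-*` entries (including `visionos-sim-cross-arm64`) are appended to `BUILD_TARGETS` unconditionally, while the other Apple Silicon targets are gated on `APPLE_SILICON_SUPPORT` and the detected Xcode version; gating the visionOS targets the same way would keep the remaining targets buildable on older toolchains. The `rebuild` recipe also repeats the three recipe lines of `$(OUTPUT)/done.build` and could remove the stamp file and depend on it instead.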
22 changes: 22 additions & 0 deletions Package.swift
@@ -0,0 +1,22 @@
// swift-tools-version:5.3
// The swift-tools-version declares the minimum version of Swift required to build this package.

import PackageDescription

let package = Package(
name: "cl-openssl",
products: [
.library(
name: "cl-openssl",
targets: ["openssl"]),
],
dependencies: [],
targets: [
.binaryTarget(name: "openssl",
// update version in URL path
url:"https://github.com/cossacklabs/openssl-apple/releases/download/1.1.12301/openssl-static-xcframework.zip",
// Run from package directory:
// swift package compute-checksum output/openssl-static-xcframework.zip
checksum: "de57be260816d4d651ee479f802af95baf18e25c48ede3ab8869451b560ff3de"),
]
)
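
Review bot: the release version in `url` and the `checksum` value in the `binaryTarget` are hand-maintained literals (the comment says `// update version in URL path`), and nothing in this file ties them to `VERSION`/`PACKAGE_VERSION` in the Makefile or to the archive actually attached to the release. The checksum is computed from the local `output/openssl-static-xcframework.zip`, so if the uploaded zip differs from the one that was hashed (for example after a rebuild), consumers get a checksum mismatch. Have the spec-update step write both values, or add a release check that downloads the `url` and compares its checksum with this one before the tag is announced.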
210 changes: 210 additions & 0 deletions RELEASING.md
@@ -0,0 +1,210 @@
How to update to newer OpenSSL version, build, and publish a release.

1. **Clone this repository.**

```shell
git clone https://github.com/cossacklabs/openssl-apple
```

Make sure you're on the `cossacklabs` branch.

2. **Update OpenSSL version.**

The version number is in the [`Makefile`](Makefile).

Increment `PACKAGE_VERSION` if you are repackaging the same OpenSSL version.
Otherwise, update `VERSION` to OpenSSL version and reset `PACKAGE_VERSION` to `1`.

```
## OpenSSL version to build
VERSION ?= 1.1.1v
## Extra version of the distributed package
PACKAGE_VERSION ?= 1
```

Also update tarball checksums in [`build-libssl.sh`](build-libssl.sh).
```
# Default version in case no version is specified
# Official checksums available at https://www.openssl.org/source/
DEFAULTVERSION="1.1.1u"
OPENSSL_CHECKSUMS="
1.1.1k 892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
1.1.1u e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6
1.1.1v d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0
"
```

3. **Update platform configuration.**

Things like minimum OS SDK versions, architectures, etc.
You can find all this in the [`Makefile`](Makefile).

4. **Build OpenSSL.**

To build from scratch - remove output folder.

```shell
make clean && make
```

This can take a while.
Not only it builds the library, this also packages it,
and updates the project specs.

Check the cocoapods/CLOpenSSL-XCF.podspec. It have to be created from podpec.template file with actual version, hash and filenames.

Note: semversioned number of framework is taken from ```frameworks/MacOSX/openssl.framework```.


5. **Update SPM package settings**

Update [`Package.swift`](Package.swift) file with the new URL of the binary framework and its checksum:

```swift
.binaryTarget(name: "openssl",
// update version in URL path
url:"https://github.com/cossacklabs/openssl-apple/releases/download/1.1.12201/openssl-static-xcframework.zip",
// Run from package directory:
// swift package compute-checksum output/openssl-static-xcframework.zip
checksum: "a3363e4297428d2497c481791f6ac3c17c118b6829ee6246781efe0a3593ae16"),
```
Remember: actual version you can see in output/version file. It is created by authors of the OpenSSL library.

6. **Update the Carthage package settings and prepare the copy of files**
During the 'make' process, the scripts in the 'scripts' folder had to update the json files in the carthage folder. Check it out.

`cat carthage/openssl-dynamic-xcframework.json`
```
{
"1.1.12201": "https://github.com/cossacklabs/openssl-apple/releases/download/1.1.12201/openssl-dynamic-xcframework.zip",
"1.1.12101": "https://github.com/cossacklabs/openssl-apple/releases/download/1.1.12101/openssl-dynamic-xcframework.zip",
"1.1.11101": "https://github.com/cossacklabs/openssl-apple/releases/download/1.1.11101/openssl-dynamic-xcframework.zip",
"1.1.10803": "https://github.com/cossacklabs/openssl-apple/releases/download/1.1.10803/openssl-dynamic-xcframework.zip",
}
```

`cat carthage/openssl-static-framework.json`
```
rad@Oleksiis-M1-2021 ~/g/p/t/openssl-apple (openssl-1.1.1v)> cat carthage/openssl-static-xcframework.json
{
"1.1.12201": "https://github.com/cossacklabs/openssl-apple/releases/download/1.1.12201/openssl-static-xcframework.zip",
"1.1.12101": "https://github.com/cossacklabs/openssl-apple/releases/download/1.1.12101/openssl-static-xcframework.zip",
"1.1.11101": "https://github.com/cossacklabs/openssl-apple/releases/download/1.1.11101/openssl-static-xcframework.zip",
"1.1.10803": "https://github.com/cossacklabs/openssl-apple/releases/download/1.1.10803/openssl-static-xcframework.zip",
}
```

Also carthage will use files with the name that contain ".xcframework". So, you need to copy files in output directory to corresponding names.
`openssl-dynamic-xcframework.zip` to `openssl-dynamic.xcframework.zip`.
And `openssl-static-xcframework.zip` to `openssl-static.xcframework.zip`
You will upload these files later into the release.

7. **Cocoapods podspec**
During the 'make' process scripts had to generate new podspec file from the template located in 'cocoapods' directory.
So, you will see the new file: CLOpenSSL-XCF.podspec
Check it out. You have to see newly created version and hash checksum in the body of the file.
```
openssl_version = "1.1.12201"
XCFramework_archive_hash = "bc9d20b7e4369b3cec2f30115e455f610c9d61aefc569676805b006d83e77944"
```

You can compare the hash with the result of command `swift package compute-checksum output/openssl-dynamic-xcframework.zip`
It should be equal.
openssl_version have to be equal to `cat output/version`

8. **Commit, tag, push the release.**

Commit the changes. Changes must contain new version settings, SPM, Carthage, and Cocoapods updates. Optionally, other files.

Tag should be in a semver format. Do not add cocoapods/CLOpenSSL-XCF.podspec to the git. It is generated every time.

```shell
git add carthage
git add Package.swift
git commit -S -e -m "OpenSSL 1.1.1v"
git tag -s -e -m "OpenSSL 1.1.1v" 1.1.12201
git push origin cossacklabs # Push the branch
git push origin 1.1.12201 # Push the tag
```

Make will remind you how to do this.
(Use the correct versions there.)
Take care to make signed commits and tags, this is important for vanity.

Congratulations!
You have just published broken Carthage and SPM packages :)

9. **Publish GitHub release with binary framework files.**

Go to GitHub release page for the tag:

https://github.com/cossacklabs/openssl-apple/releases/tag/1.1.12201

press **Edit tag** and upload `*.zip` packages from `output` directory. Do not forget to upload also .xcframework.zip files too. It is important for carthage binary prebuilt scheme.

Also, describe the release, press the **Publish release** when done.

Congratulations!
You should have fixed the Carthage and SPM packages with this.

10. **Publish podspec.**

```shell
pod spec lint
pod trunk push cocoapods/CLOpenSSL-XCF.podspec
```

This lints the podspec before publishing it.
If it does not lint then curse at CocoaPods and scrub the release.

Congratulations!
You have published a CocoaPods package.

Actually, you have published all of the OpenSSL.
Now is the time to go check if it *actually* works.

You can use [Themis](https://github.com/cossacklabs/themis) for that.

11. **Test the CLOpenSSL-XCF release**

##### SPM

1. Create a new Xcode project.
2. Add the package from the URL: https://github.com/cossacklabs/openssl-apple
3. Select the exact version (Which you released recently)
4. Compile and run project (Build, Archive)

##### Carthage
1. Create a new Xcode project
2. Create Cartfile near the .xcodeproj or .xcworkspace file
3. Add similar content
```
“github "cossacklabs/openssl-apple" ~> 1.1.12201
```

Run

```
carthage update --use-xcframeworks
```

4. Drag the downloaded `.xcframework` bundles from `Carthage/Build` into the "Frameworks and Libraries" section of your application’s Xcode project.

##### Cocoapods
1. Create new Xcode project
2. run pod init from the root of the project
3. Add

```bash
pod 'CLOpenSSL-XCF'
```

4. Run

```bash
pod install
```

Open .xcworkspace file and run test the project
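
Review bot: several examples in steps 6 and 11 do not work if copied as written. Both Carthage JSON listings end their last entry with a trailing comma, which is not valid JSON; the second listing is introduced as `carthage/openssl-static-framework.json` but shows `openssl-static-xcframework.json` together with a pasted shell prompt; and the Cartfile line in step 11 begins with a typographic quote (`“github`). The version examples are also stale relative to this change: step 2 shows `VERSION ?= 1.1.1v` and `DEFAULTVERSION="1.1.1u"`, and later steps use `1.1.12201`, while the Makefile builds `1.1.1w` and Package.swift points at `1.1.12301`. Step 10 runs `pod spec lint` without naming `cocoapods/CLOpenSSL-XCF.podspec`, so it is worth passing the path explicitly. Finally, step 8 pushes the signed tag before step 9 uploads the archives, which the text itself says publishes broken Carthage and SPM packages; state explicitly that the new version must not be consumed until step 9 is complete, or reorder the steps.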

