src/secure/lib/libcrypto/engines, branch main FreeBSD source tree packages: Improve handling of -lib packages 2025-08-23T00:57:23+00:00 Lexi Winter ivy@FreeBSD.org 2025-08-22T23:50:20+00:00 929f5966a9fd3d050c7b604513c6fb4ac9b5d335 For some packages (OpenSSL, Kerberos) we want to ship runtime libraries in a separate package, e.g. openssl and openssl-lib. Currently this is done using PACKAGE=openssl-lib, but that creates packages with strange names like openssl-lib-lib32. Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime libraries to be placed in a new -lib subpackage. This significantly improves the set of packages we create; for example, OpenSSL goes from: FreeBSD-openssl FreeBSD-openssl-dbg FreeBSD-openssl-lib FreeBSD-openssl-lib-dbg FreeBSD-openssl-lib-dbg-lib32 FreeBSD-openssl-lib-dev FreeBSD-openssl-lib-dev-lib32 FreeBSD-openssl-lib-lib32 FreeBSD-openssl-lib-man FreeBSD-openssl-man to: FreeBSD-openssl FreeBSD-openssl-dbg FreeBSD-openssl-dbg-lib32 FreeBSD-openssl-dev FreeBSD-openssl-dev-lib32 FreeBSD-openssl-lib FreeBSD-openssl-lib32 FreeBSD-openssl-man While here, move /usr/bin/krb5-config and /usr/bin/compile_et into the kerberos-dev package. Reviewed by: des Differential Revision: https://reviews.freebsd.org/D51925 
For some packages (OpenSSL, Kerberos) we want to ship runtime libraries
in a separate package, e.g. openssl and openssl-lib.  Currently this is
done using PACKAGE=openssl-lib, but that creates packages with strange
names like openssl-lib-lib32.

Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime
libraries to be placed in a new -lib subpackage.  This significantly
improves the set of packages we create; for example, OpenSSL goes from:

	FreeBSD-openssl
	FreeBSD-openssl-dbg
	FreeBSD-openssl-lib
	FreeBSD-openssl-lib-dbg
	FreeBSD-openssl-lib-dbg-lib32
	FreeBSD-openssl-lib-dev
	FreeBSD-openssl-lib-dev-lib32
	FreeBSD-openssl-lib-lib32
	FreeBSD-openssl-lib-man
	FreeBSD-openssl-man

to:

	FreeBSD-openssl
	FreeBSD-openssl-dbg
	FreeBSD-openssl-dbg-lib32
	FreeBSD-openssl-dev
	FreeBSD-openssl-dev-lib32
	FreeBSD-openssl-lib
	FreeBSD-openssl-lib32
	FreeBSD-openssl-man

While here, move /usr/bin/krb5-config and /usr/bin/compile_et into
the kerberos-dev package.

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D51925
libcrypto: move engines and modules to openssl-lib 2025-05-05T21:49:57+00:00 Lexi Winter ivy@FreeBSD.org 2025-05-05T21:49:57+00:00 c853409d69c4186b65b0dd63d0a8faf63c1a5cac currently, some OpenSSL-related files end up in the utilities package: /usr/lib/engines-3/capi.so /usr/lib/engines-3/devcrypto.so /usr/lib/engines-3/loader_attic.so /usr/lib/engines-3/padlock.so /usr/lib/ossl-modules/legacy.so since these are part of OpenSSL and are not useful without it, move them to the openssl-lib package. Reviewed by: manu, des, emaste Approved by: des (mentor) Differential Revision: https://reviews.freebsd.org/D50144 
currently, some OpenSSL-related files end up in the utilities package:

	/usr/lib/engines-3/capi.so
	/usr/lib/engines-3/devcrypto.so
	/usr/lib/engines-3/loader_attic.so
	/usr/lib/engines-3/padlock.so
	/usr/lib/ossl-modules/legacy.so

since these are part of OpenSSL and are not useful without it, move them
to the openssl-lib package.

Reviewed by:	manu, des, emaste
Approved by:	des (mentor)
Differential Revision:	https://reviews.freebsd.org/D50144
Remove residual blank line at start of Makefile 2024-07-15T22:43:39+00:00 Warner Losh imp@FreeBSD.org 2024-07-15T04:46:32+00:00 e9ac41698b2f322d55ccf9da50a3596edb2c1800 This is a residual of the $FreeBSD$ removal. MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix 
This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
libcrypto: link engines and the legacy provider to libcrypto 2023-09-16T15:55:12+00:00 Pierre Pronchery pierre@freebsdfoundation.org 2023-09-15T15:14:16+00:00 1a18383a52bc373e316d224cef1298debf6f7e25 OpenSSL's legacy provider module and engines need to link to libcrypto.so, as it provides some of the actual implementations of legacy routines. This is a little tricky due to build order issues. Introduce a small hack (LIBCRYPTO_WITHOUT_SUBDIRS) that builds libcrypto.so in its usual early phase without any OpenSSL provider modules or engines. This is intended to restore the test suite; a future change should remove the hack and replace it with a better approach. PR: 254853, 273528 Discussed with: Folks at EuroBSDCon in Coimbra Sponsored by: The FreeBSD Foundation 
OpenSSL's legacy provider module and engines need to link to
libcrypto.so, as it provides some of the actual implementations of
legacy routines.

This is a little tricky due to build order issues.  Introduce a small
hack (LIBCRYPTO_WITHOUT_SUBDIRS) that builds libcrypto.so in its usual
early phase without any OpenSSL provider modules or engines.  This is
intended to restore the test suite; a future change should remove the
hack and replace it with a better approach.

PR:		254853, 273528
Discussed with:	Folks at EuroBSDCon in Coimbra
Sponsored by:	The FreeBSD Foundation
libcrypto: Switch back to the generated assembly in sys/crypto/openssl 2023-08-29T21:46:44+00:00 John Baldwin jhb@FreeBSD.org 2023-08-29T21:46:44+00:00 47d997021fbc7b662e9507deec1897d514d1224c Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D41569 
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D41569
Remove $FreeBSD$: one-line sh pattern 2023-08-16T17:55:03+00:00 Warner Losh imp@FreeBSD.org 2023-08-16T17:55:03+00:00 d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ 
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
Merge OpenSSL 3.0.9 2023-06-23T22:53:36+00:00 Pierre Pronchery pierre@freebsdfoundation.org 2023-06-23T22:53:35+00:00 b077aed33b7b6aefca7b17ddb250cf521f938613 Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the version we were previously using) will be EOL as of 2023-09-11. Most of the base system has already been updated for a seamless switch to OpenSSL 3.0. For many components we've added `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version, which avoids deprecation warnings from OpenSSL 3.0. Changes have also been made to avoid OpenSSL APIs that were already deprecated in OpenSSL 1.1.1. The process of updating to contemporary APIs can continue after this merge. Additional changes are still required for libarchive and Kerberos- related libraries or tools; workarounds will immediately follow this commit. Fixes are in progress in the upstream projects and will be incorporated when those are next updated. There are some performance regressions in benchmarks (certain tests in `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy). Investigation will continue for these. Netflix's testing showed no functional regression and a rather small, albeit statistically significant, increase in CPU consumption with OpenSSL 3.0. Thanks to ngie@ and des@ for updating base system components, to antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to Netflix and everyone who tested prior to commit or contributed to this update in other ways. PR: 271615 PR: 271656 [exp-run] Relnotes: Yes Sponsored by: The FreeBSD Foundation 
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0.  OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.

Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0.  For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0.  Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1.  The process of updating to contemporary APIs can continue after
this merge.

Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit.  Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.

There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g.  haproxy).
Investigation will continue for these.

Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.

Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.

PR:		271615
PR:		271656 [exp-run]
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
libcrypto padlock.so: Link with -z noexecstack for ld.bfd. 2022-11-22T16:37:04+00:00 John Baldwin jhb@FreeBSD.org 2022-11-22T16:37:04+00:00 99df55bbb711150e7e3515f5c5a2c4d44654c278 The assembly source files do not contain GNU-stack annotations, so ld.bfd defaults to using an executable stack. 
The assembly source files do not contain GNU-stack annotations, so
ld.bfd defaults to using an executable stack.
Move generated OpenSSL assembly routines into the kernel sources. 2020-10-20T17:00:43+00:00 John Baldwin jhb@FreeBSD.org 2020-10-20T17:00:43+00:00 bc3d5698008e9b3b19495e853cbc2598979ccf8a Sponsored by: Netflix 
Sponsored by:	Netflix
build: provide a default WARNS for all in-tree builds 2020-09-18T17:17:46+00:00 Kyle Evans kevans@FreeBSD.org 2020-09-18T17:17:46+00:00 fe815331bb40604ba31312acf7e4619674631777 The current default is provided in various Makefile.inc in some top-level directories and covers a good portion of the tree, but doesn't cover parts of the build a little deeper (e.g. libcasper). Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that variable is defined. This lets us relatively cleanly provide a default WARNS no matter where you're building in the src tree without breaking things outside of the tree. Crunchgen has been updated as a bootstrap tool to work on this change because it needs r365605 at a minimum to succeed. The cleanup necessary to successfully walk over this change on WITHOUT_CLEAN builds has been added. There is a supplemental project to this to list all of the warnings that are encountered when the environment has WARNS=6 NO_WERROR=yes: https://warns.kevans.dev -- this project will hopefully eventually go away in favor of CI doing a much better job than it. Reviewed by: emaste, brooks, ngie (all earlier version) Reviewed by: emaste, arichardson (depend-cleanup.sh change) Differential Revision: https://reviews.freebsd.org/D26455 
The current default is provided in various Makefile.inc in some top-level
directories and covers a good portion of the tree, but doesn't cover parts
of the build a little deeper (e.g. libcasper).

Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that
variable is defined. This lets us relatively cleanly provide a default WARNS
no matter where you're building in the src tree without breaking things
outside of the tree.

Crunchgen has been updated as a bootstrap tool to work on this change
because it needs r365605 at a minimum to succeed. The cleanup necessary to
successfully walk over this change on WITHOUT_CLEAN builds has been added.

There is a supplemental project to this to list all of the warnings that are
encountered when the environment has WARNS=6 NO_WERROR=yes:
https://warns.kevans.dev -- this project will hopefully eventually go away
in favor of CI doing a much better job than it.

Reviewed by:	emaste, brooks, ngie (all earlier version)
Reviewed by:	emaste, arichardson (depend-cleanup.sh change)
Differential Revision:	https://reviews.freebsd.org/D26455