src/secure/lib/libssl/Makefile, branch main FreeBSD source tree OpenSSL: update Makefiles to reflect 3.5.1 release 2025-09-18T19:17:44+00:00 Enji Cooper ngie@FreeBSD.org 2025-09-08T03:20:42+00:00 d5984d5f29a7c717b88ccd17a85a747792403cdf This is a targeted effort to update the INCS and SRCS entries for libcrypto, the legacy provider, and libssl to match what upstream (OpenSSL) builds in their respective libraries. The number of stylistic changes were kept at a minimum. Another incoming change will reformat this file to make future maintenance easier. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D52554 
This is a targeted effort to update the INCS and SRCS entries for
libcrypto, the legacy provider, and libssl to match what upstream
(OpenSSL) builds in their respective libraries.

The number of stylistic changes were kept at a minimum.

Another incoming change will reformat this file to make future
maintenance easier.

MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D52554
openssl: Disable KTLS in bootstrap libraries 2025-09-04T13:28:39+00:00 Mark Johnston markj@FreeBSD.org 2025-09-04T13:28:39+00:00 407c4d1eeb80caadcf24e60b827ea6686d3adf3a We need to build OpenSSL when bootstrapping certctl. On MacOS ktls_enable() isn't defined anywhere, so without this the build fails. We don't need KTLS in the bootstrap library, so just disable it. Reviewed by: khorben, ngie Differential Revision: https://reviews.freebsd.org/D52341 
We need to build OpenSSL when bootstrapping certctl.  On MacOS
ktls_enable() isn't defined anywhere, so without this the build fails.
We don't need KTLS in the bootstrap library, so just disable it.

Reviewed by:	khorben, ngie
Differential Revision:	https://reviews.freebsd.org/D52341
packages: Improve handling of -lib packages 2025-08-23T00:57:23+00:00 Lexi Winter ivy@FreeBSD.org 2025-08-22T23:50:20+00:00 929f5966a9fd3d050c7b604513c6fb4ac9b5d335 For some packages (OpenSSL, Kerberos) we want to ship runtime libraries in a separate package, e.g. openssl and openssl-lib. Currently this is done using PACKAGE=openssl-lib, but that creates packages with strange names like openssl-lib-lib32. Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime libraries to be placed in a new -lib subpackage. This significantly improves the set of packages we create; for example, OpenSSL goes from: FreeBSD-openssl FreeBSD-openssl-dbg FreeBSD-openssl-lib FreeBSD-openssl-lib-dbg FreeBSD-openssl-lib-dbg-lib32 FreeBSD-openssl-lib-dev FreeBSD-openssl-lib-dev-lib32 FreeBSD-openssl-lib-lib32 FreeBSD-openssl-lib-man FreeBSD-openssl-man to: FreeBSD-openssl FreeBSD-openssl-dbg FreeBSD-openssl-dbg-lib32 FreeBSD-openssl-dev FreeBSD-openssl-dev-lib32 FreeBSD-openssl-lib FreeBSD-openssl-lib32 FreeBSD-openssl-man While here, move /usr/bin/krb5-config and /usr/bin/compile_et into the kerberos-dev package. Reviewed by: des Differential Revision: https://reviews.freebsd.org/D51925 
For some packages (OpenSSL, Kerberos) we want to ship runtime libraries
in a separate package, e.g. openssl and openssl-lib.  Currently this is
done using PACKAGE=openssl-lib, but that creates packages with strange
names like openssl-lib-lib32.

Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime
libraries to be placed in a new -lib subpackage.  This significantly
improves the set of packages we create; for example, OpenSSL goes from:

	FreeBSD-openssl
	FreeBSD-openssl-dbg
	FreeBSD-openssl-lib
	FreeBSD-openssl-lib-dbg
	FreeBSD-openssl-lib-dbg-lib32
	FreeBSD-openssl-lib-dev
	FreeBSD-openssl-lib-dev-lib32
	FreeBSD-openssl-lib-lib32
	FreeBSD-openssl-lib-man
	FreeBSD-openssl-man

to:

	FreeBSD-openssl
	FreeBSD-openssl-dbg
	FreeBSD-openssl-dbg-lib32
	FreeBSD-openssl-dev
	FreeBSD-openssl-dev-lib32
	FreeBSD-openssl-lib
	FreeBSD-openssl-lib32
	FreeBSD-openssl-man

While here, move /usr/bin/krb5-config and /usr/bin/compile_et into
the kerberos-dev package.

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D51925
libssl: unbreak building the library with KTLS 2025-08-21T16:28:02+00:00 Enji Cooper ngie@FreeBSD.org 2025-08-21T16:18:30+00:00 439685ee69e4fc066df5c54f802248d8e3805605 The 3.5.1 update dropped a `SRCS` entry for the MK_OPENSSL_KTLS != no case (the source was renamed from `ktls.c` to `ktls_meth.c`). Add the new file to SRCS in order to unbreak linking the library when KTLS is enabled. This bug isn't apparent now because KTLS is always disabled in `include/openssl/configuration.h` (this will be fixed soon). Found when doing `make universe` with KTLS enabled in `include/openssl/configuration.h`. Fixes: 4757b351ea9d59d ("openssl: Import version 3.5.1") 
The 3.5.1 update dropped a `SRCS` entry for the MK_OPENSSL_KTLS != no
case (the source was renamed from `ktls.c` to `ktls_meth.c`). Add the
new file to SRCS in order to unbreak linking the library when KTLS is
enabled.

This bug isn't apparent now because KTLS is always disabled in
`include/openssl/configuration.h` (this will be fixed soon).

Found when doing `make universe` with KTLS enabled in
`include/openssl/configuration.h`.

Fixes:	4757b351ea9d59d ("openssl: Import version 3.5.1")
openssl: Import version 3.5.1 2025-08-07T13:54:34+00:00 Pierre Pronchery khorben@FreeBSD.org 2025-07-11T21:57:10+00:00 4757b351ea9d59d71d4a38b82506d2d16fcd560d Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be EOL after 2026-09-07. Approved by: philip (mentor) Sponsored by: Alpha-Omega Beach Cleaning Project Sponsored by: The FreeBSD Foundation Differential revision: https://reviews.freebsd.org/D51613 
Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be
EOL after 2026-09-07.

Approved by:	philip (mentor)
Sponsored by:	Alpha-Omega Beach Cleaning Project
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D51613
build: remove the last vestiges of lint support 2025-06-05T23:55:34+00:00 Brooks Davis brooks@FreeBSD.org 2025-06-05T23:55:34+00:00 8e35800732573de6c4bc1dd3ac420447fca96231 Commit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure. A bunch of NO_LINT definitions remained (perhaps as a bootstrapping measture). Remove them. Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D50704 
Commit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure.
A bunch of NO_LINT definitions remained (perhaps as a bootstrapping
measture).  Remove them.

Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D50704
Remove residual blank line at start of Makefile 2024-07-15T22:43:39+00:00 Warner Losh imp@FreeBSD.org 2024-07-15T04:46:32+00:00 e9ac41698b2f322d55ccf9da50a3596edb2c1800 This is a residual of the $FreeBSD$ removal. MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix 
This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
Remove $FreeBSD$: one-line sh pattern 2023-08-16T17:55:03+00:00 Warner Losh imp@FreeBSD.org 2023-08-16T17:55:03+00:00 d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ 
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
pkgbase: reorganise caroot and openssl packages 2023-08-05T08:30:35+00:00 Doug Rabson dfr@FreeBSD.org 2023-07-31T14:38:45+00:00 1d7ffb373c9d639c9645a6b09ae46b2b92adb2e3 This splits out the certctl utility into a new certctl package and the openssl libs into an openssl-lib package. PR: 272816 Reviewed by: manu Differential Revision: https://reviews.freebsd.org/D41321 
This splits out the certctl utility into a new certctl package and the
openssl libs into an openssl-lib package.

PR:		272816
Reviewed by:	manu
Differential Revision: https://reviews.freebsd.org/D41321
Merge OpenSSL 3.0.9 2023-06-23T22:53:36+00:00 Pierre Pronchery pierre@freebsdfoundation.org 2023-06-23T22:53:35+00:00 b077aed33b7b6aefca7b17ddb250cf521f938613 Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the version we were previously using) will be EOL as of 2023-09-11. Most of the base system has already been updated for a seamless switch to OpenSSL 3.0. For many components we've added `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version, which avoids deprecation warnings from OpenSSL 3.0. Changes have also been made to avoid OpenSSL APIs that were already deprecated in OpenSSL 1.1.1. The process of updating to contemporary APIs can continue after this merge. Additional changes are still required for libarchive and Kerberos- related libraries or tools; workarounds will immediately follow this commit. Fixes are in progress in the upstream projects and will be incorporated when those are next updated. There are some performance regressions in benchmarks (certain tests in `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy). Investigation will continue for these. Netflix's testing showed no functional regression and a rather small, albeit statistically significant, increase in CPU consumption with OpenSSL 3.0. Thanks to ngie@ and des@ for updating base system components, to antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to Netflix and everyone who tested prior to commit or contributed to this update in other ways. PR: 271615 PR: 271656 [exp-run] Relnotes: Yes Sponsored by: The FreeBSD Foundation 
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0.  OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.

Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0.  For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0.  Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1.  The process of updating to contemporary APIs can continue after
this merge.

Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit.  Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.

There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g.  haproxy).
Investigation will continue for these.

Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.

Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.

PR:		271615
PR:		271656 [exp-run]
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation