Diffstat (limited to 'secure')
-rwxr-xr-x | secure/caroot/MAca-bundle.pl | 305 | ||||
-rw-r--r-- | secure/caroot/Makefile | 3 | ||||
-rwxr-xr-x | secure/caroot/ca-extract.pl | 253 | ||||
-rw-r--r-- | secure/caroot/trusted/Makefile | 6 | ||||
-rw-r--r-- | secure/caroot/untrusted/Makefile | 5 | ||||
-rw-r--r-- | secure/lib/libcrypto/Makefile | 6 | ||||
-rw-r--r-- | secure/lib/libcrypto/Makefile.common | 2 | ||||
-rw-r--r-- | secure/lib/libcrypto/Makefile.inc | 6 | ||||
-rw-r--r-- | secure/lib/libcrypto/Makefile.version | 2 | ||||
-rw-r--r-- | secure/lib/libcrypto/engines/Makefile.inc | 3 | ||||
-rw-r--r-- | secure/lib/libcrypto/modules/Makefile.inc | 3 | ||||
-rw-r--r-- | secure/lib/libssl/Makefile | 3 | ||||
-rw-r--r-- | secure/libexec/sshd-session/Makefile | 2 | ||||
-rw-r--r-- | secure/ssh.mk | 3 | ||||
-rw-r--r-- | secure/usr.bin/ssh/Makefile | 2 | ||||
-rw-r--r-- | secure/usr.sbin/sshd/Makefile | 2 |
16 files changed, 283 insertions, 323 deletions
diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl deleted file mode 100755 index 58cfe1cbf6fa..000000000000 --- a/secure/caroot/MAca-bundle.pl +++ /dev/null 
@@ -1,305 +0,0 @@ -#!/usr/bin/env perl -## -## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt -## -## Rewritten in September 2011 by Matthias Andree to heed untrust -## - -## Copyright (c) 2011, 2013 Matthias Andree <mandree@FreeBSD.org> -## All rights reserved. -## Copyright (c) 2018, Allan Jude <allanjude@FreeBSD.org> -## -## Redistribution and use in source and binary forms, with or without -## modification, are permitted provided that the following conditions are -## met: -## -## * Redistributions of source code must retain the above copyright -## notice, this list of conditions and the following disclaimer. -## -## * Redistributions in binary form must reproduce the above copyright -## notice, this list of conditions and the following disclaimer in the -## documentation and/or other materials provided with the distribution. -## -## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN -## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -## POSSIBILITY OF SUCH DAMAGE. - -use strict; -use Carp; -use MIME::Base64; -use Getopt::Long; -use Time::Local qw( timegm_posix ); -use POSIX qw( strftime ); - -my $generated = '@' . 
'generated'; -my $inputfh = *STDIN; -my $debug = 0; -my $infile; -my $outputdir; -my %labels; -my %certs; -my %trusts; - -$debug++ - if defined $ENV{'WITH_DEBUG'} - and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/; - -GetOptions ( - "debug+" => \$debug, - "infile:s" => \$infile, - "outputdir:s" => \$outputdir) - or die("Error in command line arguments\n$0 [-d] [-i input-file] [-o output-dir]\n"); - -if ($infile) { - open($inputfh, "<", $infile) or die "Failed to open $infile"; -} - -sub print_header($$) -{ - my $dstfile = shift; - my $label = shift; - - if ($outputdir) { - print $dstfile <<EOFH; -## -## $label -## -## This is a single X.509 certificate for a public Certificate -## Authority (CA). It was automatically extracted from Mozilla's -## root CA list (the file `certdata.txt' in security/nss). -## -## It contains a certificate trusted for server authentication. -## -## Extracted from nss -## -## $generated -## -EOFH - } else { - print $dstfile <<EOH; -## -## ca-root-nss.crt -- Bundle of CA Root Certificates -## -## This is a bundle of X.509 certificates of public Certificate -## Authorities (CA). These were automatically extracted from Mozilla's -## root CA list (the file `certdata.txt'). -## -## It contains certificates trusted for server authentication. 
-## -## Extracted from nss -## -## $generated -## -EOH - } -} - -sub printcert($$$) -{ - my ($fh, $label, $certdata) = @_; - return unless $certdata; - open(OUT, "|openssl x509 -text -inform DER -fingerprint") - or die "could not pipe to openssl x509"; - print OUT $certdata; - close(OUT) or die "openssl x509 failed with exit code $?"; -} - -# converts a datastream that is to be \177-style octal constants -# from <> to a (binary) string and returns it -sub graboct($) -{ - my $ifh = shift; - my $data; - - while (<$ifh>) { - last if /^END/; - my (undef,@oct) = split /\\/; - my @bin = map(chr(oct), @oct); - $data .= join('', @bin); - } - - return $data; -} - -sub grabcert($) -{ - my $ifh = shift; - my $certdata; - my $cka_label = ''; - my $serial = 0; - my $distrust = 0; - - while (<$ifh>) { - chomp; - last if ($_ eq ''); - - if (/^CKA_LABEL UTF8 "([^"]+)"/) { - $cka_label = $1; - } - - if (/^CKA_VALUE MULTILINE_OCTAL/) { - $certdata = graboct($ifh); - } - - if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { - $serial = graboct($ifh); - } - - if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) - { - my $distrust_after = graboct($ifh); - my ($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after; - $distrust_after = timegm_posix( $sec, $min, $hour, $mday, $mon - 1, $year + 100); - my $time_now = time; - # When a CA is distrusted before its NotAfter date, issued certificates - # are valid for a maximum of 398 days after that date. 
- if ($time_now >= $distrust_after + 398 * 24 * 60 * 60) { $distrust = 1; } - if ($debug) { - printf STDERR "line $.: $cka_label ser #%d: distrust 398 days after %s, now: %s -> distrust $distrust\n", $serial, - strftime("%FT%TZ", gmtime($distrust_after)), strftime("%FT%TZ", gmtime($time_now)); - } - if ($distrust) { - return undef; - } - } - } - return ($serial, $cka_label, $certdata); -} - -sub grabtrust($) { - my $ifh = shift; - my $cka_label; - my $serial; - my $maytrust = 0; - my $distrust = 0; - - while (<$ifh>) { - chomp; - last if ($_ eq ''); - - if (/^CKA_LABEL UTF8 "([^"]+)"/) { - $cka_label = $1; - } - - if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { - $serial = graboct($ifh); - } - - if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) - { - if ($1 eq 'CKT_NSS_NOT_TRUSTED') { - $distrust = 1; - } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') { - $maytrust = 1; - } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') { - confess "Unknown trust setting on line $.:\n" - . "$_\n" - . "Script must be updated:"; - } - } - } - - if (!$maytrust && !$distrust && $debug) { - print STDERR "line $.: no explicit trust/distrust found for $cka_label\n"; - } - - my $trust = ($maytrust and not $distrust); - return ($serial, $cka_label, $trust); -} - -if (!$outputdir) { - print_header(*STDOUT, ""); -} - -my $untrusted = 0; - -while (<$inputfh>) { - if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { - my ($serial, $label, $certdata) = grabcert($inputfh); - if (defined $certs{$label."\0".$serial}) { - warn "Certificate $label duplicated!\n"; - } - if (defined $certdata) { - $certs{$label."\0".$serial} = $certdata; - # We store the label in a separate hash because truncating the key - # with \0 was causing garbage data after the end of the text. - $labels{$label."\0".$serial} = $label; - } else { # $certdata undefined? 
distrust_after in effect - $untrusted ++; - } - } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { - my ($serial, $label, $trust) = grabtrust($inputfh); - if (defined $trusts{$label."\0".$serial}) { - warn "Trust for $label duplicated!\n"; - } - $trusts{$label."\0".$serial} = $trust; - $labels{$label."\0".$serial} = $label; - } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) { - print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n"; - } -} - -sub label_to_filename(@) { - my @res = @_; - map { s/\0.*//; s/[^[:alnum:]\-]/_/g; $_ = "$_.pem"; } @res; - return wantarray ? @res : $res[0]; -} - -# weed out untrusted certificates -foreach my $it (keys %trusts) { - if (!$trusts{$it}) { - if (!exists($certs{$it})) { - warn "Found trust for nonexistent certificate $labels{$it}\n" if $debug; - } else { - delete $certs{$it}; - warn "Skipping untrusted $labels{$it}\n" if $debug; - $untrusted++; - } - } -} - -if (!$outputdir) { - print "## Untrusted certificates omitted from this bundle: $untrusted\n\n"; -} -print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n"; - -my $certcount = 0; -foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { - my $fh = *STDOUT; - my $filename; - if (!exists($trusts{$it})) { - die "Found certificate without trust block,\naborting"; - } - if ($outputdir) { - $filename = label_to_filename($labels{$it}); - open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $filename"; - print_header($fh, $labels{$it}); - } - printcert($fh, $labels{$it}, $certs{$it}); - if ($outputdir) { - close($fh) or die "Unable to close: $filename"; - } else { - print $fh "\n\n\n"; - } - $certcount++; - print STDERR "Trusting $certcount: $labels{$it}\n" if $debug; -} - -if ($certcount < 25) { - die "Certificate count of $certcount is implausibly low.\nAbort"; -} - -if (!$outputdir) { - print "## Number of certificates: $certcount\n"; - print "## End of file.\n"; -} -print STDERR "## Number of certificates: $certcount\n"; 
diff --git a/secure/caroot/Makefile b/secure/caroot/Makefile
index ace802a906a3..e0ef4623b498 100644
--- a/secure/caroot/Makefile
+++ b/secure/caroot/Makefile
@@ -13,4 +13,5 @@ cleancerts: .PHONY
 @${MAKE} -C ${.CURDIR}/trusted ${.TARGET}
 updatecerts: .PHONY cleancerts fetchcerts
- perl ${.CURDIR}/MAca-bundle.pl -i certdata.txt -o ${.CURDIR}/trusted
+ perl ${.CURDIR}/ca-extract.pl -i certdata.txt \
+ -t ${.CURDIR}/trusted -u ${.CURDIR}/untrusted
diff --git a/secure/caroot/ca-extract.pl b/secure/caroot/ca-extract.pl
new file mode 100755
index 000000000000..75f8352e384e
--- /dev/null
+++ b/secure/caroot/ca-extract.pl
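Review bot: The visible `cleancerts` recipe only recurses into `trusted`, while this same commit adds a `cleancerts` target to `untrusted/Makefile`; if the line just above the hunk does not also run `@${MAKE} -C ${.CURDIR}/untrusted ${.TARGET}`, then `updatecerts` leaves stale `.pem` files behind in `untrusted` whenever a certificate moves back into the trusted set, which matters if that directory is consumed as a blocklist. The enclosing `cleancerts` rule starts above the hunk, so this is inferred from the context shown. The `updatecerts` recipe itself passes `-t` and `-u` consistently with the new script's options.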
@@ -0,0 +1,253 @@ +#!/usr/bin/env perl +#- +# SPDX-License-Identifier: BSD-2-Clause +# +# Copyright (c) 2011, 2013 Matthias Andree <mandree@FreeBSD.org> +# Copyright (c) 2018 Allan Jude <allanjude@FreeBSD.org> +# Copyright (c) 2025 Dag-Erling Smørgrav <des@FreeBSD.org> +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# +# ca-extract.pl -- Extract trusted and untrusted certificates from +# Mozilla's certdata.txt. +# +# Rewritten in September 2011 by Matthias Andree to heed untrust +# + +use strict; +use warnings; +use Carp; +use MIME::Base64; +use Getopt::Long; +use Time::Local qw( timegm_posix ); +use POSIX qw( strftime ); + +my $generated = '@' . 
'generated'; +my $inputfh = *STDIN; +my $debug = 0; +my $infile; +my $trustdir = "trusted"; +my $untrustdir = "untrusted"; +my %labels; +my %certs; +my %trusts; +my %expires; + +$debug++ + if defined $ENV{'WITH_DEBUG'} + and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/; + +GetOptions ( + "debug+" => \$debug, + "infile:s" => \$infile, + "trustdir:s" => \$trustdir, + "untrustdir:s" => \$untrustdir) + or die("Error in command line arguments\n$0 [-d] [-i input-file] [-t trust-dir] [-u untrust-dir]\n"); + +if ($infile) { + open($inputfh, "<", $infile) or die "Failed to open $infile"; +} + +sub print_header($$) +{ + my $dstfile = shift; + my $label = shift; + + print $dstfile <<EOFH; +## +## $label +## +## This is a single X.509 certificate for a public Certificate +## Authority (CA). It was automatically extracted from Mozilla's +## root CA list (the file `certdata.txt' in security/nss). +## +## $generated +## +EOFH +} + +sub printcert($$$) +{ + my ($fh, $label, $certdata) = @_; + return unless $certdata; + open(OUT, "|-", qw(openssl x509 -text -inform DER -fingerprint)) + or die "could not pipe to openssl x509"; + print OUT $certdata; + close(OUT) or die "openssl x509 failed with exit code $?"; +} + +# converts a datastream that is to be \177-style octal constants +# from <> to a (binary) string and returns it +sub graboct($) +{ + my $ifh = shift; + my $data = ""; + + while (<$ifh>) { + last if /^END/; + $data .= join('', map { chr(oct($_)) } m/\\([0-7]{3})/g); + } + + return $data; +} + +sub grabcert($) +{ + my $ifh = shift; + my $certdata; + my $cka_label = ''; + my $serial = 0; + my $distrust = 0; + + while (<$ifh>) { + chomp; + last if ($_ eq ''); + + if (/^CKA_LABEL UTF8 "([^"]+)"/) { + $cka_label = $1; + } + + if (/^CKA_VALUE MULTILINE_OCTAL/) { + $certdata = graboct($ifh); + } + + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } + + if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) + { + my $distrust_after = graboct($ifh); + my 
($year, $mon, $mday, $hour, $min, $sec) = unpack "A2A2A2A2A2A2", $distrust_after; + $distrust_after = timegm_posix($sec, $min, $hour, $mday, $mon - 1, $year + 100); + $expires{$cka_label."\0".$serial} = $distrust_after; + } + } + return ($serial, $cka_label, $certdata); +} + +sub grabtrust($) { + my $ifh = shift; + my $cka_label; + my $serial; + my $maytrust = 0; + my $distrust = 0; + + while (<$ifh>) { + chomp; + last if ($_ eq ''); + + if (/^CKA_LABEL UTF8 "([^"]+)"/) { + $cka_label = $1; + } + + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } + + if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) { + if ($1 eq 'CKT_NSS_NOT_TRUSTED') { + $distrust = 1; + } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') { + $maytrust = 1; + } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') { + confess "Unknown trust setting on line $.:\n" + . "$_\n" + . "Script must be updated:"; + } + } + } + + if (!$maytrust && !$distrust && $debug) { + print STDERR "line $.: no explicit trust/distrust found for $cka_label\n"; + } + + my $trust = ($maytrust and not $distrust); + return ($serial, $cka_label, $trust); +} + +while (<$inputfh>) { + if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { + my ($serial, $label, $certdata) = grabcert($inputfh); + if (defined $certs{$label."\0".$serial}) { + warn "Certificate $label duplicated!\n"; + } + if (defined $certdata) { + $certs{$label."\0".$serial} = $certdata; + # We store the label in a separate hash because truncating the key + # with \0 was causing garbage data after the end of the text. 
+ $labels{$label."\0".$serial} = $label; + } + } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { + my ($serial, $label, $trust) = grabtrust($inputfh); + if (defined $trusts{$label."\0".$serial}) { + warn "Trust for $label duplicated!\n"; + } + $trusts{$label."\0".$serial} = $trust; + $labels{$label."\0".$serial} = $label; + } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) { + print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n"; + } +} + +sub label_to_filename(@) { + my @res = @_; + map { s/\0.*//; s/[^[:alnum:]\-]/_/g; $_ = "$_.pem"; } @res; + return wantarray ? @res : $res[0]; +} + +my $untrusted = 0; +my $trusted = 0; +my $now = time; + +foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { + my $fh = *STDOUT; + my $outputdir; + my $filename; + if (exists($expires{$it}) && + $now >= $expires{$it} + 398 * 24 * 60 * 60) { + print(STDERR "## Expired: $labels{$it}\n"); + $outputdir = $untrustdir; + $untrusted++; + } elsif (!$trusts{$it}) { + print(STDERR "## Untrusted: $labels{$it}\n"); + $outputdir = $untrustdir; + $untrusted++; + } else { + print(STDERR "## Trusted: $labels{$it}\n"); + $outputdir = $trustdir; + $trusted++; + } + $filename = label_to_filename($labels{$it}); + open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $outputdir/$filename"; + print_header($fh, $labels{$it}); + printcert($fh, $labels{$it}, $certs{$it}); + if ($outputdir) { + close($fh) or die "Unable to close: $filename"; + } else { + print $fh "\n\n\n"; + } +} + +printf STDERR "## Trusted certificates: %4d\n", $trusted; +printf STDERR "## Untrusted certificates: %4d\n", $untrusted; diff --git a/secure/caroot/trusted/Makefile b/secure/caroot/trusted/Makefile index b2fe43fcb802..a47e781262b8 100644 --- a/secure/caroot/trusted/Makefile +++ b/secure/caroot/trusted/Makefile 
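Review bot: The `trustdir` and `untrustdir` options are declared with `:s`, which makes the value optional, so a bare `-t` or `-u` leaves the directory empty and `open($fh, ">", "$outputdir/$filename")` in the output loop writes into `/$filename` at the filesystem root; declaring them `"trustdir=s"` and `"untrustdir=s"` makes the value mandatory. The `if ($outputdir) { close(...) } else { print $fh "\n\n\n" }` that follows is then dead code, since every branch of the preceding if/elsif/else assigns `$outputdir`, and it can be reduced to `close($fh) or die "Unable to close: $filename";`. The per-file output also silently depends on `my $fh = *STDOUT` being the STDOUT glob itself, so the `open` reopens the script's standard output and the `openssl` child started in `printcert` inherits it, while `printcert`'s own `$fh` parameter goes unused; a comment such as `# $fh is the STDOUT glob: reopening it redirects the openssl child's output into the .pem file` would stop the next reader from "fixing" it. Finally, the old script's `die` when fewer than 25 certificates were trusted has been dropped, so a truncated or corrupt certdata.txt now yields a near-empty trusted directory with only a count on stderr; `die "Trusted certificate count of $trusted is implausibly low" if $trusted < 25;` before the final printf would restore that guard.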
@@ -1,10 +1,10 @@
 BINDIR= /usr/share/certs/trusted
-TRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true
+TRUSTED_CERTS!= (cd ${.CURDIR} && echo *.pem)
 FILES+= ${TRUSTED_CERTS}
-cleancerts:
- @[ -z "${TRUSTED_CERTS}" ] || rm ${TRUSTED_CERTS}
+cleancerts: .PHONY
+ @(cd ${.CURDIR} && rm -f ${TRUSTED_CERTS})
 .include <bsd.prog.mk>
diff --git a/secure/caroot/untrusted/Makefile b/secure/caroot/untrusted/Makefile
index 19d7359ddcb9..45df0a55ebd9 100644
--- a/secure/caroot/untrusted/Makefile
+++ b/secure/caroot/untrusted/Makefile
@@ -1,7 +1,10 @@
 BINDIR= /usr/share/certs/untrusted
-UNTRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true
+UNTRUSTED_CERTS!= (cd ${.CURDIR} && echo *.pem)
 FILES+= ${UNTRUSTED_CERTS}
+cleancerts: .PHONY
+ @(cd ${.CURDIR} && rm -f ${UNTRUSTED_CERTS})
+
 .include <bsd.prog.mk>
diff --git a/secure/lib/libcrypto/Makefile b/secure/lib/libcrypto/Makefile
index e7e491124241..f8f8d291ee9e 100644
--- a/secure/lib/libcrypto/Makefile
+++ b/secure/lib/libcrypto/Makefile
@@ -1,12 +1,14 @@
 SHLIBDIR?= /lib
-.if !defined(LIBCRYPTO_WITHOUT_SUBDIRS)
+.if !defined(LIBCRYPTO_WITHOUT_SUBDIRS) && !defined(BOOTSTRAPPING)
 SUBDIR= engines modules
 .endif
+.ifdef BOOTSTRAPPING
+CFLAGS+= -DOPENSSL_NO_SCTP
+.endif
 .include <bsd.own.mk>
 .include <src.opts.mk>
-PACKAGE= openssl-lib
 LIB= crypto
 SHLIB_MAJOR= 35
 VERSION_MAP= ${.CURDIR}/Version.map
diff --git a/secure/lib/libcrypto/Makefile.common b/secure/lib/libcrypto/Makefile.common
index afcc2a48660c..ad48e2b434cf 100644
--- a/secure/lib/libcrypto/Makefile.common
+++ b/secure/lib/libcrypto/Makefile.common
@@ -6,7 +6,7 @@ CFLAGS+= -DL_ENDIAN
 CFLAGS+= -DB_ENDIAN
 .endif
-.ifndef WITHOUT_AUTO_ASM
+.if !defined(WITHOUT_AUTO_ASM) && !defined(BOOTSTRAPPING)
 .if ${MACHINE_CPUARCH} == "aarch64" || ${MACHINE_CPUARCH} == "amd64" || \
 ${MACHINE_CPUARCH} == "arm" || ${MACHINE_CPUARCH} == "i386"
 ASM_${MACHINE_CPUARCH}=
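Review bot: `TRUSTED_CERTS!= (cd ${.CURDIR} && echo *.pem)` expands to the literal string `*.pem` when the directory holds no certificates, because the shell passes an unmatched glob through unchanged, and that literal then lands in `FILES+=` and makes `make install` fail on a missing file; the new `rm -f` in `cleancerts` tolerates it, but the install path does not. The previous `echo ... || true` form had the same weakness, so this commit does not introduce it, but since the line is being rewritten anyway `TRUSTED_CERTS!= (cd ${.CURDIR} && ls *.pem 2>/dev/null || true)` would yield an empty list instead. The same applies to `UNTRUSTED_CERTS` in the `secure/caroot/untrusted/Makefile` hunk that follows.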
diff --git a/secure/lib/libcrypto/Makefile.inc b/secure/lib/libcrypto/Makefile.inc
index 55e1687b58cf..4d5e9c68a1fe 100644
--- a/secure/lib/libcrypto/Makefile.inc
+++ b/secure/lib/libcrypto/Makefile.inc
@@ -1,8 +1,10 @@
 .include <bsd.own.mk>
+PACKAGE= openssl
+LIB_PACKAGE=
+
 # OpenSSL version used for manual page generation
-OPENSSL_VER= 3.5.0
-OPENSSL_DATE= 2025-07-01
+.include "Makefile.version"
 LCRYPTO_SRC= ${SRCTOP}/crypto/openssl
 LCRYPTO_DOC= ${LCRYPTO_SRC}/doc
diff --git a/secure/lib/libcrypto/Makefile.version b/secure/lib/libcrypto/Makefile.version
new file mode 100644
index 000000000000..e802a1f11618
--- /dev/null
+++ b/secure/lib/libcrypto/Makefile.version
@@ -0,0 +1,2 @@
+OPENSSL_VER= 3.5.1
+OPENSSL_DATE= 2025-07-01
diff --git a/secure/lib/libcrypto/engines/Makefile.inc b/secure/lib/libcrypto/engines/Makefile.inc
index 777193ba3f9a..146c2f794eb6 100644
--- a/secure/lib/libcrypto/engines/Makefile.inc
+++ b/secure/lib/libcrypto/engines/Makefile.inc
@@ -1,4 +1,5 @@
-PACKAGE?= openssl-lib
+PACKAGE?= openssl
+LIB_PACKAGE=
 SHLIBDIR= ${LIBDIR}/engines-3
diff --git a/secure/lib/libcrypto/modules/Makefile.inc b/secure/lib/libcrypto/modules/Makefile.inc
index 363b7f4bc766..4b3d9fc512ce 100644
--- a/secure/lib/libcrypto/modules/Makefile.inc
+++ b/secure/lib/libcrypto/modules/Makefile.inc
@@ -1,4 +1,5 @@
-PACKAGE?= openssl-lib
+PACKAGE?= openssl
+LIB_PACKAGE=
 SHLIBDIR= ${LIBDIR}/ossl-modules
 LCRYPTO_SRC= ${SRCTOP}/crypto/openssl
diff --git a/secure/lib/libssl/Makefile b/secure/lib/libssl/Makefile
index 45f23c9e9ca2..acb63549c1c8 100644
--- a/secure/lib/libssl/Makefile
+++ b/secure/lib/libssl/Makefile
@@ -3,7 +3,6 @@ LIB= ssl
 SHLIB_MAJOR= 35
 VERSION_MAP= ${.CURDIR}/Version.map
-PACKAGE= openssl-lib
 NO_LINT=
@@ -73,6 +72,8 @@ SRCS+= rio_notifier.c poll_builder.c
 .if ${MK_OPENSSL_KTLS} == "no"
 CFLAGS+=-DOPENSSL_NO_KTLS
+.else
+SRCS+= ktls_meth.c
 .endif
 LIBADD= crypto
diff --git a/secure/libexec/sshd-session/Makefile b/secure/libexec/sshd-session/Makefile
index 37e099794bd5..5ed459fe492a 100644
--- a/secure/libexec/sshd-session/Makefile
+++ b/secure/libexec/sshd-session/Makefile
@@ -38,7 +38,7 @@ LIBADD+= blacklist
 LDFLAGS+=-L${LIBBLACKLISTDIR}
 .endif
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} != "no"
 LIBADD+= gssapi_krb5 krb5
 .include "../../krb5/Makefile.inc"
diff --git a/secure/ssh.mk b/secure/ssh.mk
index bb6dd9b748e4..97dd089d98e8 100644
--- a/secure/ssh.mk
+++ b/secure/ssh.mk
@@ -9,12 +9,11 @@ SKSRCS= ssh-sk-client.c
 CFLAGS+= -I${SSHDIR} -include ssh_namespace.h
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 CFLAGS+= -include krb5_config.h
 .if ${MK_MITKRB5} == "no"
 CFLAGS+= -DHEIMDAL=1
 .endif
-
 .endif
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE:U/usr/local}/bin/xauth\"
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index a4f36d0fe2df..2b11b783c007 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -17,7 +17,7 @@ SRCS+= gss-genr.c
 LIBADD= ssh
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} == "no"
 LIBADD+= gssapi
 .else
diff --git a/secure/usr.sbin/sshd/Makefile b/secure/usr.sbin/sshd/Makefile
index f37dfe1c1b3a..433a87984e42 100644
--- a/secure/usr.sbin/sshd/Makefile
+++ b/secure/usr.sbin/sshd/Makefile
@@ -18,7 +18,7 @@ moduli: .MADE
 LIBADD= ssh util
-.if ${MK_GSSAPI} != "no" && ${MK_KERBEROS_SUPPORT} != "no"
+.if ${MK_KERBEROS_SUPPORT} != "no"
 .if ${MK_MITKRB5} == "no"
 LIBADD+= gssapi_krb5 gssapi krb5
 .else |
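Review bot: Dropping `${MK_GSSAPI} != "no" &&` from the condition means the GSSAPI/Kerberos sources and `LIBADD+= gssapi_krb5 krb5` are pulled into sshd-session whenever `MK_KERBEROS_SUPPORT` is enabled, with `WITHOUT_GSSAPI` no longer having any effect here; if the `MK_GSSAPI` knob still exists in src.opts.mk this silently ignores a user setting, and if the knob is being retired by this series the commit message should say so and the remaining references should go with it. The same edit is made to `secure/ssh.mk`, `secure/usr.bin/ssh/Makefile` and `secure/usr.sbin/sshd/Makefile` in the hunks that follow, so whichever answer applies covers all four. The enclosing `.if` blocks continue past the end of each hunk.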