| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
| |
This change adds a simple smoke test for the legacy provider to ensure
that the provider doesn't break in the future when performing updates.
This is not a functional or system test; the OpenSSL test suite does a
much better job at doing this than we can.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53045
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a targeted effort to update the INCS and SRCS entries for
libcrypto, the legacy provider, and libssl to match what upstream
(OpenSSL) builds in their respective libraries.
The number of stylistic changes were kept at a minimum.
Another incoming change will reformat this file to make future
maintenance easier.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52554
|
| |
|
|
|
|
|
|
|
| |
We need to build OpenSSL when bootstrapping certctl. On MacOS
ktls_enable() isn't defined anywhere, so without this the build fails.
We don't need KTLS in the bootstrap library, so just disable it.
Reviewed by: khorben, ngie
Differential Revision: https://reviews.freebsd.org/D52341
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For some packages (OpenSSL, Kerberos) we want to ship runtime libraries
in a separate package, e.g. openssl and openssl-lib. Currently this is
done using PACKAGE=openssl-lib, but that creates packages with strange
names like openssl-lib-lib32.
Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime
libraries to be placed in a new -lib subpackage. This significantly
improves the set of packages we create; for example, OpenSSL goes from:
FreeBSD-openssl
FreeBSD-openssl-dbg
FreeBSD-openssl-lib
FreeBSD-openssl-lib-dbg
FreeBSD-openssl-lib-dbg-lib32
FreeBSD-openssl-lib-dev
FreeBSD-openssl-lib-dev-lib32
FreeBSD-openssl-lib-lib32
FreeBSD-openssl-lib-man
FreeBSD-openssl-man
to:
FreeBSD-openssl
FreeBSD-openssl-dbg
FreeBSD-openssl-dbg-lib32
FreeBSD-openssl-dev
FreeBSD-openssl-dev-lib32
FreeBSD-openssl-lib
FreeBSD-openssl-lib32
FreeBSD-openssl-man
While here, move /usr/bin/krb5-config and /usr/bin/compile_et into
the kerberos-dev package.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51925
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some platforms, like macOS, do not expose headers for the system's
libcrypto for public consumption. libcrypto is relatively heavy and
needs to know, e.g., the host system's endianness, so we scope the build
down to macOS where OpenSSL headers are known to not be present and we
can be reasonably certain that most of the systems today that would be
cross-building are little endian.
We still don't bother if building WITHOUT_OPENSSL since the end result
is expected to be used by OpenSSL, but perhaps we could revisit that
independently in case one, e.g., brings their own implementation.
Reported by: jrtc27
Reviewed by: jrtc27, ngie
Fixes: c340ef28fd38 ("certctl: Reimplement in C")
Differential Revision: https://reviews.freebsd.org/D51935
|
| |
|
|
|
|
|
|
|
|
| |
Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be
EOL after 2026-09-07.
Approved by: philip (mentor)
Sponsored by: Alpha-Omega Beach Cleaning Project
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D51613
|
| |
|
|
|
|
|
|
|
| |
Commit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure.
A bunch of NO_LINT definitions remained (perhaps as a bootstrapping
measture). Remove them.
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D50704
|
| |
|
|
|
|
|
| |
This is a residual of the $FreeBSD$ removal.
MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When importing OpenSSL 3 in base, some but not all source files
implementing the deprecated 0.9.8 API were imported. With this change,
it becomes possible again to compile software targeting this API.
PR: 272220
Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")
Reviewed by: emaste
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Pull Request: https://github.com/freebsd/freebsd-src/pull/851
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL's legacy provider module and engines need to link to
libcrypto.so, as it provides some of the actual implementations of
legacy routines.
This is a little tricky due to build order issues. Introduce a small
hack (LIBCRYPTO_WITHOUT_SUBDIRS) that builds libcrypto.so in its usual
early phase without any OpenSSL provider modules or engines. This is
intended to restore the test suite; a future change should remove the
hack and replace it with a better approach.
PR: 254853, 273528
Discussed with: Folks at EuroBSDCon in Coimbra
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
| |
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D41569
|
| |
|
|
|
|
|
| |
These targets generate all the assembly files in sys/crypto/openssl.
Reviewed by: markj, emaste (earlier version)
Differential Revision: https://reviews.freebsd.org/D41590
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notably, define AES_ASM which is required for any AES acceleration
(OpenSSL 1.0 gated all AES acceleration on OPENSSL_CPUID_OBJ instead).
Enabling this exposed that new assembly files added in OpenSSL 3.0
needed to be included in the build (aes-x86-64.S and aes-586.S). Both
of these files supplant both aes_core.c and aes_cbc.c. The last file
had to be moved out of the MI SRCS line for aes and into each ASM_*
for non-x86.
As part of this I audited the generated configdata.pm for amd64, i386,
and aarch64 and found the following additional discrepecancies that are
fixed here as well:
- Enabled BSAES_ASM on amd64 which requires bsase-x86_64.S
- Enabled WHIRLPOOL_ASM on amd64 (asm sources already built)
- Enabled CMLL_ASM on amd64 and i386 (asm sources already built)
aarch64 had no discreprecancies in configdata.pm, and no *.pl asm
generators were missing for aarch64 in Makefile.asm. I did not check
powerpc or armv7, but for armv7 all of the asm generators seem to be
present in Makefile.asm.
Reported by: gallatin (AES-GCM using plain software on amd64)
Reviewed by: gallatin, ngie, emaste
Differential Revision: https://reviews.freebsd.org/D41539
|
| |
|
|
|
|
|
|
|
| |
It provides the RSA_generate_key function, which is deprecated as of
3.0 but is used by various ports.
Reviewed by: kbowling
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41506
|
| |
|
|
|
|
|
|
|
|
| |
It provides the ERR_load_*_strings routines, which are deprecated as of
3.0 but are used by various ports.
PR: 272580
Reviewed by: kbowling
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41505
|
| |
|
|
| |
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| |
|
|
|
|
|
|
|
| |
This splits out the certctl utility into a new certctl package and the
openssl libs into an openssl-lib package.
PR: 272816
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D41321
|
| |
|
|
|
|
|
|
|
|
|
|
| |
These functions are new, and some ports (e.g.opensc) expect to have them
available. Add the file they're defined in to the build, and add them
to Version.map.
PR: 270076
Reviewed by: markj, emaste, pierre
Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D40914
|
| |
|
|
|
|
|
|
|
|
| |
OpenSSL 3 supports a modular architecture, allowing different providers
to bring specific implementations of cryptographical algorithms. This
change makes sure the FIPS module matches build instructions used for
libcrypto.
Sponsored by: The FreeBSD Foundation
Pull Request: https://github.com/freebsd/freebsd-src/pull/787
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
libcrypto intends to provide these routines on little-endian 64-bit
targets. This was previously done by including them in the ASM_aarch64
and ASM_amd64 blocks in the Makefile, but this excluded powerpc64le and
riscv64.
Reported by: ci.freebsd.org
Reviewed by: jrtc27
Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40749
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.
Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0. For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0. Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1. The process of updating to contemporary APIs can continue after
this merge.
Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit. Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.
There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy).
Investigation will continue for these.
Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.
Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.
PR: 271615
PR: 271656 [exp-run]
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
most programs in ports are looking for .pc files in order to get the
necessary information on how to compile and link against openssl.
The ports now also has a way to hide or force a path for pkgconf.
Providing .pc files along with openssl in base will allow (once all
the supported version of FreeBSD has it) so improve the framework to
deal with openssl in base vs openssl in ports (and libressl)
This will also greatly reduce the number of patches necessary to
workaround the build systems which only knows how to detect where
openssl is installed via pkgconf.
PR: 266051
MFC After: 3 weeks
Reviewed by: jkim, delphij
Exp-run by: antoine
Differential Revision: https://reviews.freebsd.org/D36360
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This file is full of strict aliasing violations. Previously it was only
optimised in ways that broke the code by CHERI LLVM, but now it appears
that the in-tree LLVM also breaks it for RISC-V, resulting in broken
ECDSA signature validation with error messages like the following:
root@unmatched:/usr/src # ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key is not a key file.
root@unmatched:/usr/src # git fetch
fatal: unable to access 'https://git.FreeBSD.org/src.git/': error:1012606B:elliptic curve routines:EC_POINT_set_affine_coordinates:point is not on curve
Reviewed by: dim, jkim
Obtained from: CheriBSD
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35885
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Summary:
1. https://github.com/openssl/openssl/commit/34ab13b7d8e3e723adb60be8142e38b7c9cd382a
needs to be merged for ELFv2 support on big-endian.
2. crypto/openssl/crypto/ppccap.c needs to be patched.
Same reason as in https://github.com/openssl/openssl/pull/17082.
Approved by: jkim, jhibbits
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33076
|
| |
|
|
|
|
|
|
| |
This is useful for upgrade and also to make tiny jail so they won't
depend on FreeBSD-utilities (where openssl was packaged before).
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D30081
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.
Note that TLS 1.3 only supports TX offload.
A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.
Reviewed by: jkim (earlier version)
Approved by: secteam
Obtained from: OpenSSL (patches from master)
MFC after: 1 week
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D28273
|
| |
|
|
|
|
|
| |
Sponsored by: Netflix
Notes:
svn path=/head/; revision=366898
|
| |
|
|
|
|
|
|
|
|
| |
Note config.5 and crypto.7 are not installed because we have conflicts.
Requested by: phk
MFC after: 1 month
Notes:
svn path=/head/; revision=356963
|
| |
|
|
| |
Notes:
svn path=/head/; revision=352191
|
| |
|
|
|
|
|
|
|
|
|
|
| |
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.
Reviewed by: bapt, gjb
Differential Revision: https://reviews.freebsd.org/D21503
Notes:
svn path=/head/; revision=351855
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since OpenSSL 1.1.1, the good old BSD-specific cryptodev engine has been
deprecated in favor of this new engine. However, this engine is not
throughly tested on FreeBSD because it was originally written for Linux.
http://cryptodev-linux.org/
Also, the author actually meant to enable it by default on BSD platforms but
he failed to do so because there was a bug in the Configure script.
https://github.com/openssl/openssl/pull/7882
Now they found that it was more generic issue.
https://github.com/openssl/openssl/pull/7885
Therefore, we need to enable this engine on head to give it more exposure.
Notes:
svn path=/head/; revision=342009
|
| |
|
|
| |
Notes:
svn path=/head/; revision=340703
|
| |
|
|
|
|
|
|
|
|
| |
Reported by: many
Reviewed by: gjb
Sponsored by: The FreeBSD Foundation
MFC after: 3 hours
Notes:
svn path=/head/; revision=339709
|
| |
|
|
|
|
|
|
|
|
|
| |
So that it will be regenerated after Makefile changes affecting the
file's content - specifically, the OpenSSL 1.1.1 update adds a DATE
macro which did not exist previously.
Sponsored by: The FreeBSD Foundation
Notes:
svn path=/projects/openssl111/; revision=339209
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338935
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338934
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338894
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338884
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338882
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338880
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338878
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338876
|
| |
|
|
|
|
|
| |
There is no MD macro in this file any more.
Notes:
svn path=/projects/openssl111/; revision=338870
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338845
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338843
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338816
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338815
|
| |
|
|
| |
Notes:
svn path=/projects/openssl111/; revision=338764
|