path: root/secure/lib/libcrypto
Commit message | Author | Age | Files | Lines
...
* openssl: include d2i_KeyParams() and d2i_KeyParams_bio() | Kristof Provost | 2023-07-09 | 2 | -2/+4
  These functions are new, and some ports (e.g. opensc) expect to have them available. Add the file they're defined in to the build, and add them to Version.map.
  PR: 270076
  Reviewed by: markj, emaste, pierre
  Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D40914
* libcrypto: group definitions for libcrypto and fips | Pierre Pronchery | 2023-07-05 | 4 | -224/+131
  OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change makes sure the FIPS module matches build instructions used for libcrypto.
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/787
* libcrypto: expand the common Makefile for providers | Pierre Pronchery | 2023-07-05 | 3 | -8/+5
  OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change adds mandatory source files to every provider.
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/787
* libcrypto: add missing symbols to the fips provider | Pierre Pronchery | 2023-07-05 | 1 | -1/+355
  OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "fips", ships with OpenSSL 3 directly, and groups algorithms that can be FIPS 140-2 validated.
  The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation.
  In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`. This change is consistent with crypto/bn/bn_dh.c though.
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/787
* libcrypto: add missing symbols to the legacy provider | Pierre Pronchery | 2023-07-05 | 2 | -2/+35
  OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "legacy", ships with OpenSSL 3 directly, and groups obsoleted algorithms that can still optionally be used anyway.
  The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation.
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/787
* libcrypto: Revert recent changes to fix legacy and fips providers | Mark Johnston | 2023-07-04 | 5 | -398/+107
  They break the !amd64 builds due to an underspecified include path and will be re-applied once that's fixed.
  Reported by: Ronald Klop <ronald-lists@klop.ws>
* libcrypto: group definitions for libcrypto and fips | Pierre Pronchery | 2023-07-04 | 3 | -214/+121
  OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change makes sure the FIPS module matches build instructions used for libcrypto.
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/787
* libcrypto: expand the common Makefile for providers | Pierre Pronchery | 2023-07-04 | 3 | -8/+5
  OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. This change adds mandatory source files to every provider.
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/787
* libcrypto: add missing symbols to the fips provider | Pierre Pronchery | 2023-07-04 | 1 | -1/+355
  OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "fips", ships with OpenSSL 3 directly, and groups algorithms that can be FIPS 140-2 validated.
  The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation.
  In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`. This change is consistent with crypto/bn/bn_dh.c though.
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/787
* libcrypto: add missing symbols to the legacy provider | Pierre Pronchery | 2023-07-04 | 2 | -2/+35
  OpenSSL 3 supports a modular architecture, allowing different providers to bring specific implementations of cryptographical algorithms. One such provider, "legacy", ships with OpenSSL 3 directly, and groups obsoleted algorithms that can still optionally be used anyway.
  The import of OpenSSL 3.0.9 was building this provider incorrectly, missing symbols required for proper operation.
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/787
* libcrypto: build nistp* on all little-endian 64-bit targets | Ed Maste | 2023-06-25 | 1 | -2/+4
  libcrypto intends to provide these routines on little-endian 64-bit targets. This was previously done by including them in the ASM_aarch64 and ASM_amd64 blocks in the Makefile, but this excluded powerpc64le and riscv64.
  Reported by: ci.freebsd.org
  Reviewed by: jrtc27
  Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D40749
* Do not expose architecture specific symbols | Enji Cooper | 2023-06-24 | 1 | -3/+0
  The following methods have existed since 1.0.2, however, they are deprecated and are not available on all architectures.
  - EC_GFp_nistp224_method
  - EC_GFp_nistp256_method
  - EC_GFp_nistp521_method
  Do not expose them via libcrypto.
  Discussed with: emaste
* Merge OpenSSL 3.0.9 | Pierre Pronchery | 2023-06-23 | 890 | -9851/+384345
  Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the version we were previously using) will be EOL as of 2023-09-11.
  Most of the base system has already been updated for a seamless switch to OpenSSL 3.0. For many components we've added `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version, which avoids deprecation warnings from OpenSSL 3.0. Changes have also been made to avoid OpenSSL APIs that were already deprecated in OpenSSL 1.1.1. The process of updating to contemporary APIs can continue after this merge.
  Additional changes are still required for libarchive and Kerberos-related libraries or tools; workarounds will immediately follow this commit. Fixes are in progress in the upstream projects and will be incorporated when those are next updated.
  There are some performance regressions in benchmarks (certain tests in `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy). Investigation will continue for these.
  Netflix's testing showed no functional regression and a rather small, albeit statistically significant, increase in CPU consumption with OpenSSL 3.0.
  Thanks to ngie@ and des@ for updating base system components, to antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to Netflix and everyone who tested prior to commit or contributed to this update in other ways.
  PR: 271615
  PR: 271656 [exp-run]
  Relnotes: Yes
  Sponsored by: The FreeBSD Foundation
* OpenSSL: Merge OpenSSL 1.1.1u | Jung-uk Kim | 2023-05-30 | 1 | -1/+0
* OpenSSL: Regen manual pages for OpenSSL 1.1.1u | Jung-uk Kim | 2023-05-30 | 486 | -490/+495
* OpenSSL: Regen manual pages for OpenSSL 1.1.1t | Jung-uk Kim | 2023-02-07 | 485 | -485/+485
* OpenSSL: Merge OpenSSL 1.1.1t | Jung-uk Kim | 2023-02-07 | 2 | -2/+3
* libcrypto padlock.so: Link with -z noexecstack for ld.bfd. | John Baldwin | 2022-11-22 | 1 | -0/+2
  The assembly source files do not contain GNU-stack annotations, so ld.bfd defaults to using an executable stack.
* OpenSSL: Regen manual pages for OpenSSL 1.1.1s | Jung-uk Kim | 2022-11-01 | 487 | -640/+693
* openssl: install pc files | Baptiste Daroussin | 2022-09-06 | 3 | -0/+19
  most programs in ports are looking for .pc files in order to get the necessary information on how to compile and link against openssl.
  The ports now also has a way to hide or force a path for pkgconf.
  Providing .pc files along with openssl in base will allow (once all the supported version of FreeBSD has it) to improve the framework to deal with openssl in base vs openssl in ports (and libressl)
  This will also greatly reduce the number of patches necessary to workaround the build systems which only knows how to detect where openssl is installed via pkgconf.
  PR: 266051
  MFC After: 3 weeks
  Reviewed by: jkim, delphij
  Exp-run by: antoine
  Differential Revision: https://reviews.freebsd.org/D36360
* libcrypto: Work around strict aliasing violations in bn_nist.c | Jessica Clarke | 2022-07-25 | 1 | -0/+5
  This file is full of strict aliasing violations. Previously it was only optimised in ways that broke the code by CHERI LLVM, but now it appears that the in-tree LLVM also breaks it for RISC-V, resulting in broken ECDSA signature validation with error messages like the following:
    root@unmatched:/usr/src # ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
    /etc/ssh/ssh_host_ecdsa_key is not a key file.
    root@unmatched:/usr/src # git fetch
    fatal: unable to access 'https://git.FreeBSD.org/src.git/': error:1012606B:elliptic curve routines:EC_POINT_set_affine_coordinates:point is not on curve
  Reviewed by: dim, jkim
  Obtained from: CheriBSD
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D35885
* OpenSSL: Regen manual pages for OpenSSL 1.1.1q | Jung-uk Kim | 2022-07-05 | 486 | -490/+490
* OpenSSL: Regen manual pages for OpenSSL 1.1.1p | Jung-uk Kim | 2022-06-21 | 487 | -977/+989
* OpenSSL: Merge OpenSSL 1.1.1o | Jung-uk Kim | 2022-05-03 | 486 | -488/+498
* OpenSSL: Merge OpenSSL 1.1.1n | Jung-uk Kim | 2022-03-15 | 487 | -517/+611
* OpenSSL: Merge OpenSSL 1.1.1m | Jung-uk Kim | 2021-12-14 | 487 | -564/+589
* Add assembly optimized code for OpenSSL on powerpc, powerpc64 and powerpc64le | Piotr Kubaj | 2021-11-23 | 3 | -2/+272
  Summary:
  1. https://github.com/openssl/openssl/commit/34ab13b7d8e3e723adb60be8142e38b7c9cd382a needs to be merged for ELFv2 support on big-endian.
  2. crypto/openssl/crypto/ppccap.c needs to be patched. Same reason as in https://github.com/openssl/openssl/pull/17082.
  Approved by: jkim, jhibbits
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D33076
* OpenSSL: Reduce diff with the upstream | Jung-uk Kim | 2021-09-01 | 1 | -0/+5
  No functional change expected.
* OpenSSL: Regen manual pages for 1.1.1l | Jung-uk Kim | 2021-09-01 | 487 | -1019/+1033
* libcrypto: Add symbol versions for symbols added since 1.1.1d. | John Baldwin | 2021-05-28 | 1 | -1/+16
  While here, trim a spurious local: I missed when added SSL_sendfile.
  PR: 255277
  Reported by: yuri
  Reviewed by: jkim
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D30483
* pkgbase: Put openssl in its own package | Emmanuel Vadot | 2021-05-13 | 1 | -1/+1
  This is useful for upgrade and also to make tiny jail so they won't depend on FreeBSD-utilities (where openssl was packaged before).
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D30081
* OpenSSL: Regen manual pages for 1.1.1k | Jung-uk Kim | 2021-03-25 | 486 | -487/+487
* OpenSSL: Regen manual page for the previous commit | Jung-uk Kim | 2021-02-17 | 1 | -2/+3
  This is regen for 9b2f020c14af71a2606012143432dd717c7cf90e.
  MFC after: 1 week
* OpenSSL: Remove obsolete include directory | Jung-uk Kim | 2021-02-17 | 1 | -1/+0
  This directory was deprecated since OpenSSL 1.1.1e.
  https://github.com/openssl/openssl/pull/9681
* OpenSSL: Regen manual pages for OpenSSL 1.1.1j. | Jung-uk Kim | 2021-02-16 | 489 | -1061/+536
* OpenSSL: Regenerate manual pages. | Jung-uk Kim | 2021-01-28 | 488 | -593/+1218
  MFC after: 1 week
* OpenSSL: Support for kernel TLS offload (KTLS) | John Baldwin | 2021-01-28 | 2 | -5/+16
  This merges upstream patches from OpenSSL's master branch to add KTLS infrastructure for TLS 1.0-1.3 including both RX and TX offload and SSL_sendfile support on both Linux and FreeBSD.
  Note that TLS 1.3 only supports TX offload.
  A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with KTLS support. It defaults to enabled on amd64 and disabled on all other architectures.
  Reviewed by: jkim (earlier version)
  Approved by: secteam
  Obtained from: OpenSSL (patches from master)
  MFC after: 1 week
  Relnotes: yes
  Sponsored by: Netflix
  Differential Revision: https://reviews.freebsd.org/D28273
* Merge OpenSSL 1.1.1i. | Jung-uk Kim | 2020-12-09 | 387 | -777/+775
  Notes: svn path=/head/; revision=368472
* Move generated OpenSSL assembly routines into the kernel sources. | John Baldwin | 2020-10-20 | 83 | -204615/+2
  Sponsored by: Netflix
  Notes: svn path=/head/; revision=366898
* Merge OpenSSL 1.1.1h. | Jung-uk Kim | 2020-09-22 | 488 | -1422/+1548
  Notes: svn path=/head/; revision=366004
* build: provide a default WARNS for all in-tree builds | Kyle Evans | 2020-09-18 | 1 | -0/+2
  The current default is provided in various Makefile.inc in some top-level directories and covers a good portion of the tree, but doesn't cover parts of the build a little deeper (e.g. libcasper).
  Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that variable is defined. This lets us relatively cleanly provide a default WARNS no matter where you're building in the src tree without breaking things outside of the tree.
  Crunchgen has been updated as a bootstrap tool to work on this change because it needs r365605 at a minimum to succeed. The cleanup necessary to successfully walk over this change on WITHOUT_CLEAN builds has been added.
  There is a supplemental project to this to list all of the warnings that are encountered when the environment has WARNS=6 NO_WERROR=yes: https://warns.kevans.dev -- this project will hopefully eventually go away in favor of CI doing a much better job than it.
  Reviewed by: emaste, brooks, ngie (all earlier version)
  Reviewed by: emaste, arichardson (depend-cleanup.sh change)
  Differential Revision: https://reviews.freebsd.org/D26455
  Notes: svn path=/head/; revision=365887
* Regen X86 assembly files after r364822. | Jung-uk Kim | 2020-08-26 | 22 | -86/+44039
  Notes: svn path=/head/; revision=364823
* Replace OPENSSL_NO_SSL3_METHODs with dummies | Conrad Meyer | 2020-07-01 | 1 | -0/+3
  SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it should not have shipped in FreeBSD 11 (2016) or 12 (2018). No one should use it, and if they must, they can use some implementation outside of base.
  There are three symbols removed with OPENSSL_NO_SSL3_METHOD:
    SSLv3_client_method
    SSLv3_method
    SSLv3_server_method
  These symbols exist to request an explicit SSLv3 connection to a server. There is no good reason for an application to link or invoke these symbols instead of TLS_method(), et al (née SSLv23_method, et al). Applications that do so have broken cryptography.
  Define these symbols for some pedantic definition of ABI stability, but remove the functionality again (r361392) after r362620.
  Reviewed by: gordon, jhb (earlier-but-equivalent version both)
  Discussed with: bjk, kib
  Differential Revision: https://reviews.freebsd.org/D25493
  Notes: svn path=/head/; revision=362818
* Revert OPENSSL_NO_SSL3_METHOD to keep ABI compatibility. | Gordon Tetlow | 2020-06-25 | 1 | -3/+0
  This define caused a couple of symbols to disappear. To keep ABI compatibility, we are going to keep the symbols exposed, but leave SSLv3 as not in the default config (this is what OPENSSL_NO_SSL3 achieves).
  The ramifications of this is an application can still use SSLv3 if it specifically calls the SSLv3_method family of APIs.
  Reported by: kib, others
  Reviewed by: kib
  Differential Revision: https://reviews.freebsd.org/D25451
  Notes: svn path=/head/; revision=362620
* Install 32-bit libcrypto engines in /usr/lib32/engines instead of | Tijl Coosemans | 2020-06-01 | 2 | -2/+2
  /usr/lib32 and let 32-bit libcrypto search that location instead of /usr/lib/engines.
  Reviewed by: jkim
  Notes: svn path=/head/; revision=361700
* Remove support for SSLv3 from the OpenSSL build. | Gordon Tetlow | 2020-05-22 | 1 | -0/+6
  This is the default configuration in OpenSSL 1.1.1 already. This moves to align with that default.
  Reported by: jmg
  Approved by: jkim, cem, emaste, philip
  Differential Revision: https://reviews.freebsd.org/D24945
  Notes: svn path=/head/; revision=361392
* Merge OpenSSL 1.1.1g. | Jung-uk Kim | 2020-04-21 | 487 | -490/+702
  Notes: svn path=/head/; revision=360175
* Merge OpenSSL 1.1.1f. | Jung-uk Kim | 2020-03-31 | 485 | -491/+516
  Notes: svn path=/head/; revision=359486
* Reduce diff with the vendor version. No functional change. | Jung-uk Kim | 2020-03-18 | 1 | -3/+3
  Notes: svn path=/head/; revision=359061
* Merge OpenSSL 1.1.1e. | Jung-uk Kim | 2020-03-18 | 522 | -45451/+3006
  Notes: svn path=/head/; revision=359060