aboutsummaryrefslogtreecommitdiff
path: root/secure/lib/libcrypto
Commit message (Collapse)AuthorAgeFilesLines
* libcrypto: Install tests in the tests packageLexi Winter2025-11-051-1/+1
| | | | | | | | | | | | libcrypto's Makefile.inc used PACKAGE=openssl, which overrides the PACKAGE=tests in libcrypto/tests/Makefile. Use PACKAGE?=openssl instead to avoid this. This puts the OpenSSL tests in the tests package where they belong. MFC after: 1 day Reviewed by: manu, ngie Sponsored by: https://www.patreon.com/bsdivy Differential Revision: https://reviews.freebsd.org/D53595
* OpenSSL: install .pc files from the exporters subdirEnji Cooper2025-10-172-11/+3
| | | | | | | | | | | | | | | | | | | | | | | | The .pc files generated in the root directory are used as part of the build; they should never be installed. Use the versions from the exporters subdirectory--which should be installed--as the .pc files which are distributed with FreeBSD. This avoids the need for "fixing up" these files after the fact (see `crypto/openssl/BSDmakefile` for more details as part of this change). Garbage collect `secure/lib/libcrypto/Makefile.version`, et al, as they're orphaned files. They were technically unused prior to this change as the vendor process properly embeds the version numbers in various files, but this commit formalizes the removal. This correction/clarification on the .pc files will be made in an upcoming release of OpenSSL [1]. References: 1. https://github.com/openssl/openssl/issues/28803 Suggested by: Richard Levitte (OpenSSL project) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D53043
* openssl: add a simple smoke test for the legacy providerEnji Cooper2025-10-173-0/+48
| | | | | | | | | | | This change adds a simple smoke test for the legacy provider to ensure that the provider doesn't break in the future when performing updates. This is not a functional or system test; the OpenSSL test suite does a much better job at doing this than we can. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D53045
* crypto/openssl: update generated files to match 3.5.4 artifactsEnji Cooper2025-10-07833-852/+857
| | | | | | MFC with: 046c625e9382 Fixes: 046c625e9382 ("crypto/openssl: update to 3.5.4") Reported by: Herbert J. Skuhra <herbert@gojira.at>
* crypto/openssl: update build artifacts for the 3.5.3 releaseEnji Cooper2025-09-22833-936/+983
| | | | | | | | | This change updates the build artifacts to match the 3.5.3 release. Much of the change involves updating version numbers and release dates to match the release version's metadata. MFC after: 1 week MFC with: 88b8b7f0c4e9948667a2279e78e975a784049cba
* OpenSSL: update Makefiles to reflect 3.5.1 releaseEnji Cooper2025-09-183-31/+66
| | | | | | | | | | | | | | This is a targeted effort to update the INCS and SRCS entries for libcrypto, the legacy provider, and libssl to match what upstream (OpenSSL) builds in their respective libraries. The number of stylistic changes were kept at a minimum. Another incoming change will reformat this file to make future maintenance easier. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D52554
* Update the installed manpages to match OpenSSL 3.5.1Enji Cooper2025-09-082-1983/+2768
| | | | | MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D52008
* openssl: Disable KTLS in bootstrap librariesMark Johnston2025-09-041-1/+2
| | | | | | | | | We need to build OpenSSL when bootstrapping certctl. On MacOS ktls_enable() isn't defined anywhere, so without this the build fails. We don't need KTLS in the bootstrap library, so just disable it. Reviewed by: khorben, ngie Differential Revision: https://reviews.freebsd.org/D52341
* openssl: link enough files for the legacy provider to actually loadGleb Smirnoff2025-09-011-3/+4
| | | | | Reviewed by: khorben, ngie Differential Revision: https://reviews.freebsd.org/D52113
* packages: Improve handling of -lib packagesLexi Winter2025-08-234-3/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For some packages (OpenSSL, Kerberos) we want to ship runtime libraries in a separate package, e.g. openssl and openssl-lib. Currently this is done using PACKAGE=openssl-lib, but that creates packages with strange names like openssl-lib-lib32. Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime libraries to be placed in a new -lib subpackage. This significantly improves the set of packages we create; for example, OpenSSL goes from: FreeBSD-openssl FreeBSD-openssl-dbg FreeBSD-openssl-lib FreeBSD-openssl-lib-dbg FreeBSD-openssl-lib-dbg-lib32 FreeBSD-openssl-lib-dev FreeBSD-openssl-lib-dev-lib32 FreeBSD-openssl-lib-lib32 FreeBSD-openssl-lib-man FreeBSD-openssl-man to: FreeBSD-openssl FreeBSD-openssl-dbg FreeBSD-openssl-dbg-lib32 FreeBSD-openssl-dev FreeBSD-openssl-dev-lib32 FreeBSD-openssl-lib FreeBSD-openssl-lib32 FreeBSD-openssl-man While here, move /usr/bin/krb5-config and /usr/bin/compile_et into the kerberos-dev package. Reviewed by: des Differential Revision: https://reviews.freebsd.org/D51925
* crypto/openssl: make vendor imports easier/less error proneEnji Cooper2025-08-212-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds a custom BSD makefile containing multiple high-level PHONY targets, similar to targets provided by the ports framework. The Makefile does the following: - Reruns Configure with a deterministic set of arguments to ensure that all appropriate features have been enabled/disabled in OpenSSL. - Preens the pkgconfig files to remove duplicate paths in their `CFLAGS` and `includedir` variables. - Rebuilds all ASM files to ensure that the content contained is fresh. - Rebuilds all manpages to ensure that the content contained in the manpages is fresh. Some additional work needs to be done to make the manpage regeneration "operation" reproducible (the date the manpages were generated is embedded in the files). All dynamic configuration previously captured in `include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been moved to `freebsd/include/dynamic_freebsd_configuration.h` and `freebsd/include/crypto/bn_conf.h`, respectively. This helps ensure that future updates don't wipe out FreeBSD customizations to these files, which tune behavior on a per-target architecture basis, e.g., ARM vs x86, 32-bit vs 64-bit, etc. MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D51663
* build: remove certctl requirement for host OpenSSL libs on macOSKyle Evans2025-08-192-2/+5
| | | | | | | | | | | | | | | | | | Some platforms, like macOS, do not expose headers for the system's libcrypto for public consumption. libcrypto is relatively heavy and needs to know, e.g., the host system's endianness, so we scope the build down to macOS where OpenSSL headers are known to not be present and we can be reasonably certain that most of the systems today that would be cross-building are little endian. We still don't bother if building WITHOUT_OPENSSL since the end result is expected to be used by OpenSSL, but perhaps we could revisit that independently in case one, e.g., brings their own implementation. Reported by: jrtc27 Reviewed by: jrtc27, ngie Fixes: c340ef28fd38 ("certctl: Reimplement in C") Differential Revision: https://reviews.freebsd.org/D51935
* openssl: Import version 3.5.1Pierre Pronchery2025-08-07843-81863/+53885
| | | | | | | | | | Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be EOL after 2026-09-07. Approved by: philip (mentor) Sponsored by: Alpha-Omega Beach Cleaning Project Sponsored by: The FreeBSD Foundation Differential revision: https://reviews.freebsd.org/D51613
* build: remove the last vestiges of lint supportBrooks Davis2025-06-051-1/+0
| | | | | | | | | Commit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure. A bunch of NO_LINT definitions remained (perhaps as a bootstrapping measture). Remove them. Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D50704
* libcrypto: move engines and modules to openssl-libLexi Winter2025-05-052-0/+3
| | | | | | | | | | | | | | | | | currently, some OpenSSL-related files end up in the utilities package: /usr/lib/engines-3/capi.so /usr/lib/engines-3/devcrypto.so /usr/lib/engines-3/loader_attic.so /usr/lib/engines-3/padlock.so /usr/lib/ossl-modules/legacy.so since these are part of OpenSSL and are not useful without it, move them to the openssl-lib package. Reviewed by: manu, des, emaste Approved by: des (mentor) Differential Revision: https://reviews.freebsd.org/D50144
* openssl: update ASM and version info for 3.0.16 importEnji Cooper2025-03-141-2/+2
| | | | | | MFC after: 1 week MFC with: 0d0c8621fd181e507f0fb50ffcca606faf66a8c2 Differential Revision: https://reviews.freebsd.org/D49297
* manuals: Remove trailing spacesGraham Percival2024-11-043-4/+4
| | | | | | | | | | This does not change the rendered ascii at all. Signed-off-by: Graham Percival <gperciva@tarsnap.com> Reviewed by: mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com> MFC after: 3 days Sponsored by: Tarsnap Backup Inc. Pull Request: https://github.com/freebsd/freebsd-src/pull/1473
* Update config/build info for OpenSSL 3.0.15Enji Cooper2024-09-081-2/+2
| | | | | | | | | | | | | | | | | | | This is a companion commit to the OpenSSL 3.0.15 update. `opensslv.h` was regenerated via the following process: ``` cd crypto/openssl ./config git reset --hard gmake include/openssl/opensslv.h ``` `Makefile.inc` has been updated to match. MFC after: 1 week MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09 Differential Revision: https://reviews.freebsd.org/D46603
* openssl: Remove fips module from base system.Gordon Tetlow2024-08-312-341/+1
| | | | | | | | | | | To comply with FIPS 140 guidance, you must be using a specifically validated and approved version of the fips module. Currently, only OpenSSL 3.0.8 and 3.0.9 have been approved by NIST for FIPS 140 validation. As such, we need to stop shipping later versions of the module in the base system. MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D46223
* Remove residual blank line at start of MakefileWarner Losh2024-07-1513-13/+0
| | | | | | | This is a residual of the $FreeBSD$ removal. MFC After: 3 days (though I'll just run the command on the branches) Sponsored by: Netflix
* Update config/build info for OpenSSLEnji Cooper2024-06-261-2/+2
| | | | | | | This is a companion commit to the OpenSSL 3.0.14 update. MFC after: 3 days MFC with: 44096ebd22ddd0081a357011714eff8963614b65
* openssl: don't export nonexistant symbolsBrooks Davis2024-04-221-133/+0
| | | | | | | | These are all OpenSSL 1.1.0 and 1.1.1 symbols that aren't present in our OpenSSL 3.0 builds. Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D44249
* Revert "OpenSSL: use the upstream provided version.map files for the ↵Enji Cooper2024-04-212-4/+0
| | | | | | | | | | | | fips/legacy providers" This change is still under review and should not have been merged directly to main (yet). This is a case and point for using `push.default` to nothing instead of matching or simple. This reverts commit 42ce242e353065dfbaa248955f6657005a395a95.
* OpenSSL: use the upstream provided version.map files for the fips/legacy ↵Enji Cooper2024-04-212-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | providers This change introduces a static copy of the fips and legacy linker version maps generated by the OpenSSL 3.0.13 build process. This unbreaks the fips and legacy providers by not exposing unnecessary symbols from the fips/legacy provider shared objects shared with other providers (base, default) and libcrypto. More discussion: Prior to this change, loading the fips provider indirectly from a FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a process-wide deadlock when invoking select OpenSSL APIs (CONF_modules_load* in this particular example). Speaking with the upstream maintainers [1], it became obvious that the FreeBSD base system was incorrectly building/linking the fips provider, resulting in a symbol collision at runtime, and thus a process-wide deadlock in specific circumstances. The fips provider would deadlock when trying to acquire a write lock on internal structures which should have only been available to the base and default providers, as certain preprocessor ifdefs only allow specific internal calls to be made with the base and default providers. 1. https://github.com/openssl/openssl/issues/24202 Differential Revision: https://reviews.freebsd.org/D44892
* OpenSSL: Update version stringsCy Schubert2024-02-031-2/+2
| | | | | | Reported by: "Herbert J. Skuhra" <herbert@gojira.at> Fixes: 9eb4e0b42d7c MFC after: 3 days
* ossl: Move arm_arch.h to a common subdirectoryMark Johnston2023-12-041-1/+2
| | | | | | | | | | | | | OpenSSL itself keeps only a single copy of this header. Do the same in sys/crypto/openssl to avoid the extra maintenance burden. This requires adjusting the include paths for generated asm files. No functional change intended. Reported by: jrtc27 Reviewed by: jhb MFC after: 3 months Differential Revision: https://reviews.freebsd.org/D42866
* secure: Remove ancient SCCS tags.Warner Losh2023-11-27732-1464/+0
| | | | | | | | Remove ancient SCCS tags from the tree, automated scripting, with two minor fixup to keep things compiling. All the common forms in the tree were removed with a perl script. Sponsored by: Netflix
* OpenSSL: update to 3.0.12Ed Maste2023-10-241-2/+2
| | | | | | | | | | | | OpenSSL 3.0.12 addresses: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length ([CVE-2023-5363]). Relnotes: Yes Sponsored by: The FreeBSD Foundation
* OpenSSL: update to 3.0.11Pierre Pronchery2023-10-09733-2248/+2307
| | | | | | | | | | OpenSSL 3.0.11 addresses: POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) Relnotes: Yes Pull request: https://github.com/freebsd/freebsd-src/pull/852 Sponsored by: The FreeBSD Foundation
* libcrypto: Copy the arm64 header when building asmAndrew Turner2023-09-221-0/+1
| | | | | | | | | It may be needed when it's updated so is best to keep in sync with the assembly files. Reviewed by: emaste Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D41938
* libcrypto: fix the FIPS provider on amd64Pierre Pronchery2023-09-211-10/+10
| | | | | | | | | | | | | | | | | | | This corrects the list of source files required for the FIPS provider. To test: ``` INSTALL PASSED enter AES-128-CBC encryption password: Verifying - enter AES-128-CBC encryption password: U2FsdGVkX1+MGm7LbZou29UWU+KAyBX/PxF5T1pO9VM= ``` Reviewed by: emaste Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9") Sponsored by: The FreeBSD Foundation Pull Request: https://github.com/freebsd/freebsd-src/pull/837 Differential Revision: https://reviews.freebsd.org/D41720
* libcrypto: complete the support for the 0.9.8 APIPierre Pronchery2023-09-211-4/+4
| | | | | | | | | | | | | When importing OpenSSL 3 in base, some but not all source files implementing the deprecated 0.9.8 API were imported. With this change, it becomes possible again to compile software targeting this API. PR: 272220 Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9") Reviewed by: emaste MFC after: 3 days Sponsored by: The FreeBSD Foundation Pull Request: https://github.com/freebsd/freebsd-src/pull/851
* libcrypto: link engines and the legacy provider to libcryptoPierre Pronchery2023-09-163-0/+5
| | | | | | | | | | | | | | | | OpenSSL's legacy provider module and engines need to link to libcrypto.so, as it provides some of the actual implementations of legacy routines. This is a little tricky due to build order issues. Introduce a small hack (LIBCRYPTO_WITHOUT_SUBDIRS) that builds libcrypto.so in its usual early phase without any OpenSSL provider modules or engines. This is intended to restore the test suite; a future change should remove the hack and replace it with a better approach. PR: 254853, 273528 Discussed with: Folks at EuroBSDCon in Coimbra Sponsored by: The FreeBSD Foundation
* libcrypto: Switch back to the generated assembly in sys/crypto/opensslJohn Baldwin2023-08-29145-310557/+5
| | | | | Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D41569
* libcrypto: Add buildasm and cleanasm targetsJohn Baldwin2023-08-292-0/+9
| | | | | | | These targets generate all the assembly files in sys/crypto/openssl. Reviewed by: markj, emaste (earlier version) Differential Revision: https://reviews.freebsd.org/D41590
* libcrypto: Refactor Makefile.asm so it can be run outside of buildenvJohn Baldwin2023-08-291-13/+14
| | | | | | | | | | | | | | | | | | | | | Currently Makefile.asm relies on the current buildenv to set CFLAGS for i386. The current approach also leaves various temporary *.s files around in the current directory. To make this a bit better: - Instead of using CFLAGS from buildenv for i386, define the actual flags the perl scripts need: -DOPENSSL_IA32_SSE2 to enable SSE2. - Change i386 to have the perl scripts write to /dev/stdout to avoid creating temporaries. Previously i386 was generating the temporary files in the OpenSSL contrib src. - Cleanup temporary *.s files in the all target after generating the real *.S files for architectures which need them. - Remove a duplicate rule for aes-armv4.S. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D41589
* Makefile.asm: Simplify variable expansions in generated headersJohn Baldwin2023-08-291-15/+15
| | | | | | | | The :R:S expressions removed the .pl extension only to add it back again, so just trim them to using :T alone. Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>, markj, emaste Differential Revision: https://reviews.freebsd.org/D41588
* Makefile.asm: Drop mention of $FreeBSD$ from instructions.John Baldwin2023-08-221-1/+1
|
* libcrypto: Update assembly build glue for x86 for OpenSSL 3.0.John Baldwin2023-08-222-10/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Notably, define AES_ASM which is required for any AES acceleration (OpenSSL 1.0 gated all AES acceleration on OPENSSL_CPUID_OBJ instead). Enabling this exposed that new assembly files added in OpenSSL 3.0 needed to be included in the build (aes-x86-64.S and aes-586.S). Both of these files supplant both aes_core.c and aes_cbc.c. The last file had to be moved out of the MI SRCS line for aes and into each ASM_* for non-x86. As part of this I audited the generated configdata.pm for amd64, i386, and aarch64 and found the following additional discrepecancies that are fixed here as well: - Enabled BSAES_ASM on amd64 which requires bsase-x86_64.S - Enabled WHIRLPOOL_ASM on amd64 (asm sources already built) - Enabled CMLL_ASM on amd64 and i386 (asm sources already built) aarch64 had no discreprecancies in configdata.pm, and no *.pl asm generators were missing for aarch64 in Makefile.asm. I did not check powerpc or armv7, but for armv7 all of the asm generators seem to be present in Makefile.asm. Reported by: gallatin (AES-GCM using plain software on amd64) Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41539
* libcrypto: Generate new files added in OpenSSL 3.0.John Baldwin2023-08-223-0/+11943
| | | | | Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41538
* libcrypto: Add new assembly files added in OpenSSL 3.0.John Baldwin2023-08-221-4/+5
| | | | | | | | This only affects amd64 and i386, but in particular includes wrappers for AES encryption/decryption that gate all of the accelerated AES. Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41537
* libcrypto: Don't embed $FreeBSD$ in generated assembly filesJohn Baldwin2023-08-221-38/+19
| | | | | Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41536
* libcrypto: add rsa_depr.c to the buildEd Maste2023-08-181-1/+1
| | | | | | | | | It provides the RSA_generate_key function, which is deprecated as of 3.0 but is used by various ports. Reviewed by: kbowling Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41506
* libcrypto: add err_all_legacy.c to the buildEd Maste2023-08-181-1/+1
| | | | | | | | | | It provides the ERR_load_*_strings routines, which are deprecated as of 3.0 but are used by various ports. PR: 272580 Reviewed by: kbowling Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41505
* Remove $FreeBSD$: one-line sh patternWarner Losh2023-08-1620-20/+0
| | | | Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
* Remove $FreeBSD$: one-line .c comment patternWarner Losh2023-08-16139-139/+0
| | | | Remove /^/[*/]\s*\$FreeBSD\$.*\n/
* OpenSSL: update to 3.0.10Pierre Pronchery2023-08-10734-879/+939
| | | | | | | | | | | | | OpenSSL 3.0.10 addresses: - CVE-2023-3817 - CVE-2023-3446 - CVE-2023-2975 (Note that the vendor branch commit incorrectly referenced 3.0.9.) Relnotes: Yes Pull request: https://github.com/freebsd/freebsd-src/pull/808 Sponsored by: The FreeBSD Foundation
* pkgbase: reorganise caroot and openssl packagesDoug Rabson2023-08-051-1/+1
| | | | | | | | | This splits out the certctl utility into a new certctl package and the openssl libs into an openssl-lib package. PR: 272816 Reviewed by: manu Differential Revision: https://reviews.freebsd.org/D41321
* libcrypto: add missing symbols to the FIPS providerPierre Pronchery2023-07-201-0/+73
| | | | | | | | | | The fips.so provider module exposing FIPS-validated algorithms was still missing a number of symbols. PR: 272454 Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41018
* openssl: include d2i_KeyParams() and d2i_KeyParams_bio()Kristof Provost2023-07-092-2/+4
| | | | | | | | | | | | These functions are new, and some ports (e.g.opensc) expect to have them available. Add the file they're defined in to the build, and add them to Version.map. PR: 270076 Reviewed by: markj, emaste, pierre Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9") Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D40914
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-23 13:39:35 +0000