aboutsummaryrefslogtreecommitdiff
path: root/secure
Commit message (Collapse)AuthorAgeFilesLines
* OpenSSL: install .pc files from the exporters subdirEnji Cooper8 days2-11/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | The .pc files generated in the root directory are used as part of the build; they should never be installed. Use the versions from the exporters subdirectory--which should be installed--as the .pc files which are distributed with FreeBSD. This avoids the need for "fixing up" these files after the fact (see `crypto/openssl/BSDmakefile` for more details as part of this change). Garbage collect `secure/lib/libcrypto/Makefile.version`, et al, as they're orphaned files. They were technically unused prior to this change as the vendor process properly embeds the version numbers in various files, but this commit formalizes the removal. This correction/clarification on the .pc files will be made in an upcoming release of OpenSSL [1]. References: 1. https://github.com/openssl/openssl/issues/28803 Suggested by: Richard Levitte (OpenSSL project) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D53043 (cherry picked from commit 97388e7215e080f2cb9fd446f4be4e46a9aeb114)
* OpenSSL: update build artifacts to match 3.0.16 releaseEnji Cooper8 days799-90810/+32277
| | | | | | | | The files committed match the output of the new vendor process. Much of this involves regenerating manpages to catch up to content from the initial 3.0 import. This is a direct commit to stable/14.
* crypto/openssl: make vendor imports easier/less error proneEnji Cooper8 days2-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change adds a custom BSD makefile containing multiple high-level PHONY targets, similar to targets provided by the ports framework. The Makefile does the following: - Reruns Configure with a deterministic set of arguments to ensure that all appropriate features have been enabled/disabled in OpenSSL. - Preens the pkgconfig files to remove duplicate paths in their `CFLAGS` and `includedir` variables. - Rebuilds all ASM files to ensure that the content contained is fresh. - Rebuilds all manpages to ensure that the content contained in the manpages is fresh. Some additional work needs to be done to make the manpage regeneration "operation" reproducible (the date the manpages were generated is embedded in the files). All dynamic configuration previously captured in `include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been moved to `freebsd/include/dynamic_freebsd_configuration.h` and `freebsd/include/crypto/bn_conf.h`, respectively. This helps ensure that future updates don't wipe out FreeBSD customizations to these files, which tune behavior on a per-target architecture basis, e.g., ARM vs x86, 32-bit vs 64-bit, etc. MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D51663 Conflicts: crypto/openssl/apps/CA.pl crypto/openssl/configdata.pm crypto/openssl/include/openssl/configuration.h crypto/openssl/include/openssl/fipskey.h crypto/openssl/tools/c_rehash crypto/openssl/util/shlib_wrap.sh crypto/openssl/util/wrap.pl secure/lib/libcrypto/Makefile.inc (cherry picked from commit 267f8c1f4b09431b335d5f48d84586047471f978)
* OpenSSH: Update to 10.0p2Ed Maste2026-01-203-3/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Full release notes are available at https://www.openssh.com/txt/release-10.0 Selected highlights from the release notes: Potentially-incompatible changes - This release removes support for the weak DSA signature algorithm. [This change was previously merged to FreeBSD main.] - This release has the version number 10.0 and announces itself as "SSH-2.0-OpenSSH_10.0". Software that naively matches versions using patterns like "OpenSSH_1*" may be confused by this. - sshd(8): this release removes the code responsible for the user authentication phase of the protocol from the per-connection sshd-session binary to a new sshd-auth binary. Security - sshd(8): fix the DisableForwarding directive, which was failing to disable X11 forwarding and agent forwarding as documented. [This change was previously merged to FreeBSD main.] New features - ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now used by default for key agreement. Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D51630 (cherry picked from commit 8e28d84935f2f0ee081d44f9803f3052b960e50b) (cherry picked from commit e600fc7295a7082041388113a5d677f6c4cf7ce7)
* caroot: Update certdata URL for GitHub switchMichael Osipov2025-06-041-1/+1
| | | | | | | | | | | | | Mozilla has migrated its projects' source code to GitHub, update certdata URL along with it. Reference: https://github.com/curl/curl/pull/17321 Reviewed by: jrm (mentor), otis (mentor), kevans MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D50575 (cherry picked from commit 87c46facc3cf1744c30ecc9f63c10a778a1af104)
* openssh: Request the OpenSSL 1.1 APIJose Luis Duran2025-04-031-0/+2
| | | | | | | | | | | | | | | Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL 1.1.0), in order to avoid warnings about deprecated functions. Do the same here, to avoid getting those warnings. Reviewed by: emaste Approved by: emaste (mentor) MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49517 (cherry picked from commit d4f438357e90ee1cb12819d092913fdbce813626)
* openssl: update ASM and version info for 3.0.16 importEnji Cooper2025-03-251-2/+2
| | | | | | | | MFC after: 1 week MFC with: 0d0c8621fd181e507f0fb50ffcca606faf66a8c2 Differential Revision: https://reviews.freebsd.org/D49297 (cherry picked from commit d2a55e6a9348bb55038dbc6b727ab041085f22db)
* caroot: update the root bundleMichael Osipov2025-03-2025-1465/+781
| | | | | | | | | | | | | Summary: - Seven (7) new roots - Four (4) distrusted roots - Fifteen (15) removed (expired) roots Reviewed by: kevans MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49294 (cherry picked from commit 0100da4deb96e15acf72d7655127c6faafa4148f)
* caroot: Ignore soft distrust of server CA certificates after 398 daysMichael Osipov2025-03-151-10/+10
| | | | | | | | | | | | | | | | | | | | Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that a CA certificate will be distrusted in the future before its NotAfter time. This means that the CA stops issuing new certificates, but previous ones are still valid, but at most for 398 days after the distrust date. See also: * https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 * https://github.com/Lukasa/mkcert/issues/19 * https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16 * https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c Tested by: michaelo Reviewed by: emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D49075 (cherry picked from commit 457c03b397c80d44da92684d417a58b3ca1fed02)
* ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mkEd Maste2025-03-1114-76/+13
| | | | | | | | | | | | | Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS handling there. Reviewed by: kevans Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31896 (cherry picked from commit d71e7e57fc1472e3ea6d31c44e187c2819d2c71e)
* ssh: tidy include handlingEd Maste2025-03-115-12/+4
| | | | | | | | | | | | | Centralize optional krb5_config.h handling in ssh.mk. Do not add headers (that are committed to the src tree) to SRCS as there is no need. Reviewed by: imp, jlduran, kevans (all earlier) MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34409 (cherry picked from commit 7f916236044d9a733de8b3c47b5dcbf71988cb03)
* pkgbase: fix inclusion of tests in ssh, bsnmp, clibs-devIsaac Freund2025-02-272-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, files that belong in the tests package are included in the ssh, bsnmp, and clibs-dev packages: ssh.plist 24:@dir(root,wheel,0755,) /usr/tests/secure/libexec 25:@(root,wheel,0444,) /usr/tests/secure/libexec/Kyuafile bsnmp.plist 82:@dir(root,wheel,0755,) /usr/tests/lib/libbsnmp 83:@(root,wheel,0444,) /usr/tests/lib/libbsnmp/Kyuafile 84:@(root,wheel,0555,) /usr/tests/lib/libbsnmp/bsnmpd_test clibs-dev.plist 2518:@dir(root,wheel,0755,) /usr/tests/lib/csu 2519:@(root,wheel,0444,) /usr/tests/lib/csu/Kyuafile This is caused by the PACKAGE=foo assignment in foo/Makefile.inc which overrides the default PACKAGE?=tests in bsd.test.mk. To fix this, instead use PACKAGE?=foo in foo/Makefile.inc and set PACKAGE=tests in foo/tests/Makefile. PR: 249144 Reviewed by: bapt, emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D47025 (cherry picked from commit 3a56015a2f5d630910177fa79a522bb95511ccf7)
* openssh: Update to 9.9p1Ed Maste2025-02-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Highlights from the release notes are reproduced below. Bug fixes and improvements that were previously merged into FreeBSD have been elided. See the upstream release notes for full details of the 9.9p1 release (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters. New features ------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA. Bugfixes -------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505 --- Reviewed by: jlduran (build infrastructure) Reviewed by: cy (build infrastructure) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48947 (cherry picked from commit 3d9fd9fcb432750f3716b28f6ccb0104cd9d351a) Approved by: re (accelerated MFC)
* openssh: Update to 9.8p1Ed Maste2025-02-204-40/+68
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC)
* libssh: Remove progressmeterEd Maste2025-02-201-1/+1
| | | | | | | | | | | It is used only by scp and sftp, and already included directly in their Makefiles. It does not belong in libssh. Fixes: d8b043c8d497 ("Update for 3.6.1p1; also remove Kerberos IV shims.") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48871 (cherry picked from commit c0af32952564099fe30a34aeb335f95a6dc811ba)
* ssh: Move XAUTH_PATH setting to ssh.mkEd Maste2025-02-193-7/+2
| | | | | | | | | | | | | | | | XAUTH_PATH is normally set (in the upstream build infrastructure) in config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE is set, and over time have sometimes also defined it in config.h. Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so that it will be set when building all ssh libraries and programs but still be set by LOCALBASE. Reviewed by: jlduran Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48907 (cherry picked from commit a63701848fe5462c4e8bbff0131bb42979e603ec)
* secure: hook up libecc as libpkgeccKyle Evans2025-01-113-1/+160
| | | | | | | | | | | libecc is not intended to be general use, other applications should really be using openssl. pkg(7) uses libecc to align with the pkg(8) project and its goals. This will be used in the upcoming support for ECC in pkg(7). Reviewed by: emaste (cherry picked from commit 05427f4639bcf2703329a9be9d25ec09bb782742)
* openssl: Import OpenSSL 3.0.15.Enji Cooper2024-09-281-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This release incorporates the following bug fixes and mitigations: - Fixed possible denial of service in X.509 name checks ([CVE-2024-6119]) - Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535]) Release notes can be found at: https://openssl-library.org/news/openssl-3.0-notes/index.html Co-authored-by: gordon MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D46602 Merge commit '108164cf95d9594884c2dcccba2691335e6f221b' (cherry picked from commit a7148ab39c03abd4d1a84997c70bf96f15dd2a09) Update config/build info for OpenSSL 3.0.15 This is a companion commit to the OpenSSL 3.0.15 update. `opensslv.h` was regenerated via the following process: ``` cd crypto/openssl ./config git reset --hard gmake include/openssl/opensslv.h ``` `Makefile.inc` has been updated to match. MFC after: 1 week MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09 Differential Revision: https://reviews.freebsd.org/D46603 (cherry picked from commit cc717b574d7faa2e0b2de1a985076286cef74187) sys/crypto/openssl: update powerpc* ASM This change updates the crypto powerpc* ASM via the prescribed process documented in `crypto/openssl/FREEBSD-upgrade`. This change syncs the ASM with 3.0.15's generated ASM. MFC after: 1 week MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09 MFC with: cc717b574d7faa2e0b2de1a985076286cef74187 Differential Revision: https://reviews.freebsd.org/D46604 (cherry picked from commit 77864b545b0aaa91bc78b1156c477825007a6233)
* openssl: Remove fips module from base system.Gordon Tetlow2024-09-072-343/+1
| | | | | | | | | | | | To comply with FIPS 140 guidance, you must be using a specifically validated and approved version of the fips module. Currently, only OpenSSL 3.0.8 and 3.0.9 have been approved by NIST for FIPS 140 validation. As such, we need to stop shipping later versions of the module in the base system. Differential Revision: https://reviews.freebsd.org/D46223 (cherry picked from commit 86dd740dd73aa88477ff450b2359abda1ad68534)
* Update config/build info for OpenSSLEnji Cooper2024-06-291-2/+2
| | | | | | | | | This is a companion commit to the OpenSSL 3.0.14 update. MFC after: 3 days MFC with: 44096ebd22ddd0081a357011714eff8963614b65 (cherry picked from commit 303596eac3f5a7fed63f1084028d811919d37eaf)
* ossl: Move arm_arch.h to a common subdirectoryMark Johnston2024-03-291-1/+2
| | | | | | | | | | | | | | | OpenSSL itself keeps only a single copy of this header. Do the same in sys/crypto/openssl to avoid the extra maintenance burden. This requires adjusting the include paths for generated asm files. No functional change intended. Reported by: jrtc27 Reviewed by: jhb MFC after: 3 months Differential Revision: https://reviews.freebsd.org/D42866 (cherry picked from commit e655cc70dfcda5cfedb5a1d9bef1e87d55519f64)
* caroot: routine updateKyle Evans2024-02-1310-59/+875
| | | | | | | | | | | Changes: - One (1) modified - Eight (8) added - One (1) expired, now untrusted MFC after: 3 days (cherry picked from commit 0d3b2bdbf719ac6b5719a47387558ca9c34a4b2c)
* OpenSSL: Update version stringsCy Schubert2024-02-051-2/+2
| | | | | | | Reported by: "Herbert J. Skuhra" <herbert@gojira.at> Fixes: 9eb4e0b42d7c (cherry picked from commit 74fe298c8299fdb8c8f761728ddd245b0c3fe04a)
* ssh: Update to OpenSSH 9.6p1Ed Maste2024-01-071-1/+1
| | | | | | | | | | | | | | | | | | From the release notes, > This release contains a number of security fixes, some small features > and bugfixes. The most significant change in 9.6p1 is a set of fixes for a newly- discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh. Full release notes at https://www.openssh.com/txt/release-9.6 Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
* Track upstream project rename in contrib/blocklistdEd Maste2024-01-071-1/+1
| | | | | | | | | | Upstream is now https://github.com/zoulasc/blocklist/. Rename the contrib directory and update Makefiles to match, in advance of the next vendor branch update. Sponsored by: The FreeBSD Foundation (cherry picked from commit 5f4c09dd85bff675e0ca63c55ea3c517e0fddfcc)
* OpenSSL: update to 3.0.12Ed Maste2023-10-251-2/+2
| | | | | | | | | | | | | | | OpenSSL 3.0.12 addresses: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length ([CVE-2023-5363]). Relnotes: Yes Sponsored by: The FreeBSD Foundation (cherry picked from commit ad991e4c142ebabad7aef488ad97b189ecabb270) (cherry picked from commit 575878a533823aa3e5bab715928d9cdffbc4dcbc)
* libcrypto: Copy the arm64 header when building asmAndrew Turner2023-10-251-0/+1
| | | | | | | | | | | It may be needed when it's updated so is best to keep in sync with the assembly files. Reviewed by: emaste Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D41938 (cherry picked from commit c97a82d4a4a0288ed2a456f4ce41d57483724f17)
* OpenSSL: update to 3.0.11Pierre Pronchery2023-10-12793-2445/+2513
| | | | | | | | | | | | OpenSSL 3.0.11 addresses: POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) Relnotes: Yes Pull request: https://github.com/freebsd/freebsd-src/pull/852 Sponsored by: The FreeBSD Foundation (cherry picked from commit 6f1af0d7d2af54b339b5212434cd6d4fda628d80)
* libcrypto: complete the support for the 0.9.8 APIPierre Pronchery2023-09-241-4/+4
| | | | | | | | | | | | | | When importing OpenSSL 3 in base, some but not all source files implementing the deprecated 0.9.8 API were imported. With this change, it becomes possible again to compile software targeting this API. PR: 272220 Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9") Reviewed by: emaste Sponsored by: The FreeBSD Foundation Pull Request: https://github.com/freebsd/freebsd-src/pull/851 (cherry picked from commit b15b39521644ebffdcc091bd283ed410b0ae9274)
* libcrypto: fix the FIPS provider on amd64Pierre Pronchery2023-09-221-10/+10
| | | | | | | | | | | | | | | | | | | | | This corrects the list of source files required for the FIPS provider. To test: ``` INSTALL PASSED enter AES-128-CBC encryption password: Verifying - enter AES-128-CBC encryption password: U2FsdGVkX1+MGm7LbZou29UWU+KAyBX/PxF5T1pO9VM= ``` Reviewed by: emaste Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9") Sponsored by: The FreeBSD Foundation Pull Request: https://github.com/freebsd/freebsd-src/pull/837 Differential Revision: https://reviews.freebsd.org/D41720 (cherry picked from commit 8f37b3a142f2f7197896cd283c44c7e4fb64aaf3)
* libcrypto: link engines and the legacy provider to libcryptoPierre Pronchery2023-09-193-0/+5
| | | | | | | | | | | | | | | | | | OpenSSL's legacy provider module and engines need to link to libcrypto.so, as it provides some of the actual implementations of legacy routines. This is a little tricky due to build order issues. Introduce a small hack (LIBCRYPTO_WITHOUT_SUBDIRS) that builds libcrypto.so in its usual early phase without any OpenSSL provider modules or engines. This is intended to restore the test suite; a future change should remove the hack and replace it with a better approach. PR: 254853, 273528 Discussed with: Folks at EuroBSDCon in Coimbra Sponsored by: The FreeBSD Foundation (cherry picked from commit 1a18383a52bc373e316d224cef1298debf6f7e25)
* libcrypto: Switch back to the generated assembly in sys/crypto/opensslJohn Baldwin2023-09-08145-310557/+5
| | | | | | | Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D41569 (cherry picked from commit 47d997021fbc7b662e9507deec1897d514d1224c)
* libcrypto: Add buildasm and cleanasm targetsJohn Baldwin2023-09-082-0/+9
| | | | | | | | | These targets generate all the assembly files in sys/crypto/openssl. Reviewed by: markj, emaste (earlier version) Differential Revision: https://reviews.freebsd.org/D41590 (cherry picked from commit 73653b72af65e294dcfedc43a8ea09b2137d72ed)
* libcrypto: Refactor Makefile.asm so it can be run outside of buildenvJohn Baldwin2023-09-081-13/+14
| | | | | | | | | | | | | | | | | | | | | | | Currently Makefile.asm relies on the current buildenv to set CFLAGS for i386. The current approach also leaves various temporary *.s files around in the current directory. To make this a bit better: - Instead of using CFLAGS from buildenv for i386, define the actual flags the perl scripts need: -DOPENSSL_IA32_SSE2 to enable SSE2. - Change i386 to have the perl scripts write to /dev/stdout to avoid creating temporaries. Previously i386 was generating the temporary files in the OpenSSL contrib src. - Cleanup temporary *.s files in the all target after generating the real *.S files for architectures which need them. - Remove a duplicate rule for aes-armv4.S. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D41589 (cherry picked from commit c0fe6b9d7506d6ce6f9ec3688ee0cc5656a8707e)
* Makefile.asm: Simplify variable expansions in generated headersJohn Baldwin2023-09-081-15/+15
| | | | | | | | | | The :R:S expressions removed the .pl extension only to add it back again, so just trim them to using :T alone. Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>, markj, emaste Differential Revision: https://reviews.freebsd.org/D41588 (cherry picked from commit 7406b6f9761c35eb53f91f54d1a687d96d638907)
* caroot: regenerate the root bundle with OpenSSL 3Kyle Evans2023-09-05191-3791/+3872
| | | | | | | | No functional change intended. Approved by: re (kib) (cherry picked from commit 8ed0ecf8024d10e9cd21f5880723a6cec4fd4ae6)
* caroot: update the root bundleKyle Evans2023-09-0510-0/+605
| | | | | | | | | | | | | | | | | Summary: - Six (6) new roots - Four (4) distrusted roots Note that this was intentionally generated with OpenSSL 1.1.1 to avoid mixing updates and non-functional changes -- there will be some churn with OpenSSL 3. The next commit will update the current batch of trusted certs with the format OpenSSL 3 produces, which I've tested against OpenSSL 1.1.1 to be sure that that doesn't hurt us in older branches. Approved by: re (kib) (cherry picked from commit 65fd80909e196c8be2ce5e948775e9cbda2ef069)
* caroot: drop the VERSION tag from already-processed certsKyle Evans2023-09-05166-166/+0
| | | | | | | | | An update is imminent; drop these now to make it easier to audit the results. Approved by: re (kib) (cherry picked from commit 3f84d4b0fe1445bca5f3b6a70fc5641b88c31217)
* caroot: drop VERSION tags from certsKyle Evans2023-09-051-3/+0
| | | | | | | | | | | | | | With this change, we'll drop the "with $FreeBSD$" lines from trusted/ certs in the next update. untrusted/ will need to be done manually, but I'll likely just do them all manually, commit, then run the script and commit any legitimate updates after confirming the output matches what I did manually. Reported by: imp Reviewed by: imp Approved by: re (kib) (cherry picked from commit bbc8585ef557be36b3fda75e3a41d725aedb1c1e)
* Makefile.asm: Drop mention of $FreeBSD$ from instructions.John Baldwin2023-08-221-1/+1
|
* libcrypto: Update assembly build glue for x86 for OpenSSL 3.0.John Baldwin2023-08-222-10/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Notably, define AES_ASM which is required for any AES acceleration (OpenSSL 1.0 gated all AES acceleration on OPENSSL_CPUID_OBJ instead). Enabling this exposed that new assembly files added in OpenSSL 3.0 needed to be included in the build (aes-x86-64.S and aes-586.S). Both of these files supplant both aes_core.c and aes_cbc.c. The last file had to be moved out of the MI SRCS line for aes and into each ASM_* for non-x86. As part of this I audited the generated configdata.pm for amd64, i386, and aarch64 and found the following additional discrepecancies that are fixed here as well: - Enabled BSAES_ASM on amd64 which requires bsase-x86_64.S - Enabled WHIRLPOOL_ASM on amd64 (asm sources already built) - Enabled CMLL_ASM on amd64 and i386 (asm sources already built) aarch64 had no discreprecancies in configdata.pm, and no *.pl asm generators were missing for aarch64 in Makefile.asm. I did not check powerpc or armv7, but for armv7 all of the asm generators seem to be present in Makefile.asm. Reported by: gallatin (AES-GCM using plain software on amd64) Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41539
* libcrypto: Generate new files added in OpenSSL 3.0.John Baldwin2023-08-223-0/+11943
| | | | | Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41538
* libcrypto: Add new assembly files added in OpenSSL 3.0.John Baldwin2023-08-221-4/+5
| | | | | | | | This only affects amd64 and i386, but in particular includes wrappers for AES encryption/decryption that gate all of the accelerated AES. Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41537
* libcrypto: Don't embed $FreeBSD$ in generated assembly filesJohn Baldwin2023-08-221-38/+19
| | | | | Reviewed by: gallatin, ngie, emaste Differential Revision: https://reviews.freebsd.org/D41536
* libcrypto: add rsa_depr.c to the buildEd Maste2023-08-181-1/+1
| | | | | | | | | It provides the RSA_generate_key function, which is deprecated as of 3.0 but is used by various ports. Reviewed by: kbowling Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41506
* libcrypto: add err_all_legacy.c to the buildEd Maste2023-08-181-1/+1
| | | | | | | | | | It provides the ERR_load_*_strings routines, which are deprecated as of 3.0 but are used by various ports. PR: 272580 Reviewed by: kbowling Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D41505
* Remove $FreeBSD$: one-line sh patternWarner Losh2023-08-1677-77/+0
| | | | Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
* Remove $FreeBSD$: one-line .c patternWarner Losh2023-08-163-6/+0
| | | | Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
* Remove $FreeBSD$: one-line .c comment patternWarner Losh2023-08-16139-139/+0
| | | | Remove /^/[*/]\s*\$FreeBSD\$.*\n/
* Remove $FreeBSD$: two-line .h patternWarner Losh2023-08-161-2/+0
| | | | Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-11 14:26:03 +0000