aboutsummaryrefslogtreecommitdiff
path: root/secure
Commit message (Collapse)AuthorAgeFilesLines
* OpenSSL: Regenerate manual pages.Jung-uk Kim2021-01-28537-644/+1269
| | | | MFC after: 1 week
* OpenSSL: Support for kernel TLS offload (KTLS)John Baldwin2021-01-284-5/+28
| | | | | | | | | | | | | | | | | | | | This merges upstream patches from OpenSSL's master branch to add KTLS infrastructure for TLS 1.0-1.3 including both RX and TX offload and SSL_sendfile support on both Linux and FreeBSD. Note that TLS 1.3 only supports TX offload. A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with KTLS support. It defaults to enabled on amd64 and disabled on all other architectures. Reviewed by: jkim (earlier version) Approved by: secteam Obtained from: OpenSSL (patches from master) MFC after: 1 week Relnotes: yes Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D28273
* caroot: drop $FreeBSD$ expansion from root bundleKyle Evans2020-12-28139-139/+139
| | | | | | | | This debatably could have waited until the next update would have taken place, but it's easier to see what changes if we get it out of the way now. MFC after: 3 days
* caroot: update bundleKyle Evans2020-12-1111-0/+134
| | | | | | | | | | | Summary: - One (1) added - Ten (10) removed MFC after: 3 days Notes: svn path=/head/; revision=368555
* Merge OpenSSL 1.1.1i.Jung-uk Kim2020-12-09434-875/+877
| | | | Notes: svn path=/head/; revision=368472
* Replace literal uses of /usr/local in C sources with _PATH_LOCALBASEStefan Eßer2020-10-272-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | Literal references to /usr/local exist in a large number of files in the FreeBSD base system. Many are in contributed software, in configuration files, or in the documentation, but 19 uses have been identified in C source files or headers outside the contrib and sys/contrib directories. This commit makes it possible to set _PATH_LOCALBASE in paths.h to use a different prefix for locally installed software. In order to avoid changes to openssh source files, LOCALBASE is passed to the build via Makefiles under src/secure. While _PATH_LOCALBASE could have been used here, there is precedent in the construction of the path used to a xauth program which depends on the LOCALBASE value passed on the compiler command line to select a non-default directory. This could be changed in a later commit to make the openssh build consistently use _PATH_LOCALBASE. It is considered out-of-scope for this commit. Reviewed by: imp MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D26942 Notes: svn path=/head/; revision=367075
* Move generated OpenSSL assembly routines into the kernel sources.John Baldwin2020-10-2083-204615/+2
| | | | | | | Sponsored by: Netflix Notes: svn path=/head/; revision=366898
* Merge OpenSSL 1.1.1h.Jung-uk Kim2020-09-22537-1617/+1745
| | | | Notes: svn path=/head/; revision=366004
* caroot: update base storeKyle Evans2020-09-195-0/+265
| | | | | | | | | | | Count: - Two (2) removed - Three (3) added MFC after: 3 days Notes: svn path=/head/; revision=365896
* build: provide a default WARNS for all in-tree buildsKyle Evans2020-09-181-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | The current default is provided in various Makefile.inc in some top-level directories and covers a good portion of the tree, but doesn't cover parts of the build a little deeper (e.g. libcasper). Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that variable is defined. This lets us relatively cleanly provide a default WARNS no matter where you're building in the src tree without breaking things outside of the tree. Crunchgen has been updated as a bootstrap tool to work on this change because it needs r365605 at a minimum to succeed. The cleanup necessary to successfully walk over this change on WITHOUT_CLEAN builds has been added. There is a supplemental project to this to list all of the warnings that are encountered when the environment has WARNS=6 NO_WERROR=yes: https://warns.kevans.dev -- this project will hopefully eventually go away in favor of CI doing a much better job than it. Reviewed by: emaste, brooks, ngie (all earlier version) Reviewed by: emaste, arichardson (depend-cleanup.sh change) Differential Revision: https://reviews.freebsd.org/D26455 Notes: svn path=/head/; revision=365887
* caroot: properly remove old distrusted rootsKyle Evans2020-09-027-0/+698
| | | | | | | | | | | | | | | | | | | | | The proper procedure was not followed in r364943; all of these that were deleted should have instead been moved over to the blacklist so that certctl can DTRT. Users must still `certctl rehash` after this, but this should generally be done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note that freebsd-update doesn't come into play for this particular update, as these have not yet made it into a release. Future work (after svn -> git) will likely change the script that updatecert invokes to facilitate the process, rather than trusting that kevans or whomever updates in the future will remember. Reported by: Helge Oldach <freebsd oldach net> MFC after: 3 days Notes: svn path=/head/; revision=365248
* carrot: update bundleKyle Evans2020-08-2911-698/+401
| | | | | | | | | | | Stats: - Seven (7) removed - Four (4) added MFC after: 3 days Notes: svn path=/head/; revision=364943
* Regen X86 assembly files after r364822.Jung-uk Kim2020-08-2622-86/+44039
| | | | Notes: svn path=/head/; revision=364823
* caroot: switch to using echo+shell glob to enumerate certsKyle Evans2020-08-232-2/+2
| | | | | | | | | | | | This solves an issue on stable/12 that causes certs to not get installed. ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up blank and nothing gets installed. We don't really require anything ls-specific, though, so let's just simplify it. MFC after: 3 days Notes: svn path=/head/; revision=364600
* Fix a typo in the cpp macro defined for PIC.John Baldwin2020-08-131-1/+1
| | | | | | | | | | | In practice this isn't used in OpenSSL outside of some sparc-specific code. Reviewed by: delphij Differential Revision: https://reviews.freebsd.org/D26058 Notes: svn path=/head/; revision=364218
* Replace OPENSSL_NO_SSL3_METHODs with dummiesConrad Meyer2020-07-013-0/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it should not have shipped in FreeBSD 11 (2016) or 12 (2018). No one should use it, and if they must, they can use some implementation outside of base. There are three symbols removed with OPENSSL_NO_SSL3_METHOD: SSLv3_client_method SSLv3_method SSLv3_server_method These symbols exist to request an explicit SSLv3 connection to a server. There is no good reason for an application to link or invoke these symbols instead of TLS_method(), et al (née SSLv23_method, et al). Applications that do so have broken cryptography. Define these symbols for some pedantic definition of ABI stability, but remove the functionality again (r361392) after r362620. Reviewed by: gordon, jhb (earlier-but-equivalent version both) Discussed with: bjk, kib Differential Revision: https://reviews.freebsd.org/D25493 Notes: svn path=/head/; revision=362818
* Revert OPENSSL_NO_SSL3_METHOD to keep ABI compatibility.Gordon Tetlow2020-06-251-3/+0
| | | | | | | | | | | | | | | This define caused a couple of symbols to disappear. To keep ABI compatibility, we are going to keep the symbols exposed, but leave SSLv3 as not in the default config (this is what OPENSSL_NO_SSL3 achieves). The ramifications of this is an application can still use SSLv3 if it specifically calls the SSLv3_method family of APIs. Reported by: kib, others Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D25451 Notes: svn path=/head/; revision=362620
* Install 32-bit libcrypto engines in /usr/lib32/engines instead ofTijl Coosemans2020-06-012-2/+2
| | | | | | | | | | /usr/lib32 and let 32-bit libcrypto search that location instead of /usr/lib/engines. Reviewed by: jkim Notes: svn path=/head/; revision=361700
* Remove support for SSLv3 from the OpenSSL build.Gordon Tetlow2020-05-221-0/+6
| | | | | | | | | | | | This is the default configuration in OpenSSL 1.1.1 already. This moves to align with that default. Reported by: jmg Approved by: jkim, cem, emaste, philip Differential Revision: https://reviews.freebsd.org/D24945 Notes: svn path=/head/; revision=361392
* Merge OpenSSL 1.1.1g.Jung-uk Kim2020-04-21536-541/+753
| | | | Notes: svn path=/head/; revision=360175
* Merge OpenSSL 1.1.1f.Jung-uk Kim2020-03-31534-540/+565
| | | | Notes: svn path=/head/; revision=359486
* Reduce diff with the vendor version. No functional change.Jung-uk Kim2020-03-181-3/+3
| | | | Notes: svn path=/head/; revision=359061
* Merge OpenSSL 1.1.1e.Jung-uk Kim2020-03-18571-45572/+3173
| | | | Notes: svn path=/head/; revision=359060
* pkgbase: fix caroot packaging and add post-install scriptKyle Evans2020-01-292-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | The original intention for caroot was to be packaged separately, perhaps so that users can have a more/less conservative upgrade policy for this separated from the rest of base. secure/caroot/Makefile doesn't have anything interesting to package, but its subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted and trusted get packaged consistently into the correct one rather than the default -utilities. Also tag the directories for package=caroot, as they could also be empty; blacklisted is empty by default, but trusted is not. Add a post-install script to do certctl rehash, along with a note should we eventually come up with a way to detect that files have been added or removed that requires a rehash. -caroot gets a dependency on -utilities, as that's where we provide certctl at the moment. We can perhaps reconsider this and put certctl into this package in the future, but there are some bits within -utilities that unconditionally invoke certctl so let's hold off for now. Reviewed by: manu (earlier version, before -utilities dep added) Differential Revision: https://reviews.freebsd.org/D23352 Notes: svn path=/head/; revision=357264
* caroot: blacklisted: automatically pick up *.pem in the treeKyle Evans2020-01-281-1/+3
| | | | | | | | | | | | | | | This kind of automagica got picked up in trusted/ prior to the initial commit, but never got applied over in blacklisted. Ideally no one will be using blacklisted/ to store arbitrary certs that they don't intend to blacklist, so we should just install anything that's in here rather than force consumer to first copy cert into place and then modify the file listing in the Makefile. Wise man once say: "it is better to restrict too much, than not enough. sometimes." Notes: svn path=/head/; revision=357193
* caroot: use bsd.obj.mk, not bsd.prog.mkKyle Evans2020-01-241-2/+1
| | | | | | | | | | This directory stages certdata into .OBJDIR and processes it, but does not actually build a prog-shaped object; bsd.obj.mk provides the minimal support that we actually need, an .OBJDIR and descent into subdirs. This is admittedly the nittiest of nits. Notes: svn path=/head/; revision=357084
* Install man5 and man7 for OpenSSL.Jung-uk Kim2020-01-22486-3809/+8973
| | | | | | | | | | Note config.5 and crypto.7 are not installed because we have conflicts. Requested by: phk MFC after: 1 month Notes: svn path=/head/; revision=356963
* Update Makefile.depend filesSimon J. Gerraty2019-12-115-18/+6
| | | | | | | | | | | | | Update a bunch of Makefile.depend files as a result of adding Makefile.depend.options files Reviewed by: bdrewery MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22494 Notes: svn path=/head/; revision=355617
* Add Makefile.depend.optionsSimon J. Gerraty2019-12-112-0/+12
| | | | | | | | | | | | | | | | | | | | Leaf directories that have dependencies impacted by options need a Makefile.depend.options file to avoid churn in Makefile.depend DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc can be set in local.dirdeps-options.mk which can add to those set in Makefile.depend.options See share/mk/dirdeps-options.mk Reviewed by: bdrewery MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22469 Notes: svn path=/head/; revision=355616
* caroot update to latest tip: one (1) addition, none (0) removedKyle Evans2019-12-041-0/+137
| | | | | | | | Added: - Entrust Root Certification Authority - G4 Notes: svn path=/head/; revision=355376
* caroot: commit initial bundleKyle Evans2019-10-04149-0/+15631
| | | | | | | | | | | | | | | | | | | Interested users can blacklist any/all of these with certctl(8), examples: - mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \ certctl rehash - certctl blacklist /usr/share/certs/trusted/*; \ certctl rehash Certs can be easily examined after installation with `certctl list`, and certctl blacklist will accept the hashed filename as output by list or as seen in /etc/ssl/certs No objection from: secteam Relnotes: Definite maybe Notes: svn path=/head/; revision=353095
* caroot: add @generated tags to extracted .pemKyle Evans2019-10-021-0/+5
| | | | | | | | | As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them. Notes: svn path=/head/; revision=352951
* [1/3] Initial infrastructure for SSL root bundle in baseKyle Evans2019-10-026-0/+348
| | | | | | | | | | | | | | | | | | | | | | | | This setup will add the trusted certificates from the Mozilla NSS bundle to base. This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts. This work was done primarily by allanjude@, with minor contributions by myself. No objection from: secteam Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16856 Notes: svn path=/head/; revision=352948
* Merge OpenSSL 1.1.1d.Jung-uk Kim2019-09-10523-13180/+1909
| | | | Notes: svn path=/head/; revision=352191
* pkgbase: Put a lot of binaries and lib in FreeBSD-runtimeEmmanuel Vadot2019-09-051-0/+1
| | | | | | | | | | | | All of them are needed to be able to boot to single user and be able to repair a existing FreeBSD installation so put them directly into FreeBSD-runtime. Reviewed by: bapt, gjb Differential Revision: https://reviews.freebsd.org/D21503 Notes: svn path=/head/; revision=351855
* Merge OpenSSL 1.1.1c.Jung-uk Kim2019-05-28514-977/+1083
| | | | Notes: svn path=/head/; revision=348340
* Add workaround for a QoS-related bug in VMWare Workstation.Dag-Erling Smørgrav2019-03-271-0/+3
| | | | | | | | Submitted by: yuripv Differential Revision: https://reviews.freebsd.org/D18636 Notes: svn path=/head/; revision=345579
* Merge OpenSSL 1.1.1b.Jung-uk Kim2019-02-26530-12017/+14344
| | | | Notes: svn path=/head/; revision=344602
* Enable devcryptoeng for OpenSSL.Jung-uk Kim2018-12-122-5/+2
| | | | | | | | | | | | | | | | | | | | | | Since OpenSSL 1.1.1, the good old BSD-specific cryptodev engine has been deprecated in favor of this new engine. However, this engine is not throughly tested on FreeBSD because it was originally written for Linux. http://cryptodev-linux.org/ Also, the author actually meant to enable it by default on BSD platforms but he failed to do so because there was a bug in the Configure script. https://github.com/openssl/openssl/pull/7882 Now they found that it was more generic issue. https://github.com/openssl/openssl/pull/7885 Therefore, we need to enable this engine on head to give it more exposure. Notes: svn path=/head/; revision=342009
* Merge OpenSSL 1.1.1a.Jung-uk Kim2018-11-20517-1178/+1241
| | | | Notes: svn path=/head/; revision=340703
* Bump base OpenSSL libraries versions to avoid conflict with port's libraries.Konstantin Belousov2018-10-252-2/+2
| | | | | | | | | | Reported by: many Reviewed by: gjb Sponsored by: The FreeBSD Foundation MFC after: 3 hours Notes: svn path=/head/; revision=339709
* libcrypto: have buildinf.h depend on MakefileEd Maste2018-10-051-1/+1
| | | | | | | | | | | So that it will be regenerated after Makefile changes affecting the file's content - specifically, the OpenSSL 1.1.1 update adds a DATE macro which did not exist previously. Sponsored by: The FreeBSD Foundation Notes: svn path=/projects/openssl111/; revision=339209
* MFH r338661 through r339200.Glen Barber2018-10-051-0/+2
|\ | | | | | | | | | | | | Sponsored by: The FreeBSD Foundation Notes: svn path=/projects/openssl111/; revision=339201
| * Move the openssl.cnf install to secure/usr.bin/openssl/Brad Davis2018-09-201-0/+2
| | | | | | | | | | | | | | | | | | | | This leverages CONFS to do the install Approved by: re (pkgbase, blanket), bapt (mentor) Differential Revision: https://reviews.freebsd.org/D17245 Notes: svn path=/head/; revision=338825
* | openssh: connect libressl-api-compat.c and regen config.hEd Maste2018-10-031-1/+3
| | | | | | | | | | | | | | Differential Revision: https://reviews.freebsd.org/D17390 Notes: svn path=/projects/openssl111/; revision=339157
* | Drop pre-AVX toolchain for amd64 and i386 to simplify the makefile.Jung-uk Kim2018-10-011-9/+2
| | | | | | | | | | | | | | Especially, head does not support old toolchains because of ifunc support. Notes: svn path=/projects/openssl111/; revision=339070
* | Remove MD dirdeps from Makefile.depend.Jung-uk Kim2018-09-252-2/+0
| | | | | | | | | | | | | | It can't be right. :-( Notes: svn path=/projects/openssl111/; revision=338936
* | Make it more meta mode friendly.Jung-uk Kim2018-09-251-3/+6
| | | | | | | | Notes: svn path=/projects/openssl111/; revision=338935
* | Fix CLEANFILES.Jung-uk Kim2018-09-251-1/+1
| | | | | | | | Notes: svn path=/projects/openssl111/; revision=338934
* | Regen Makefile.depend.Jung-uk Kim2018-09-253-2/+3
| | | | | | | | Notes: svn path=/projects/openssl111/; revision=338933
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-26 17:40:45 +0000