<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/lib/libfetch/common.c, branch release/14.4.0</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=release%2F14.4.0</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=release%2F14.4.0'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-02-26T18:00:38Z</updated>
<entry>
<title>libfetch: Fail hard if interrupted while connecting</title>
<updated>2026-02-26T18:00:38Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-21T01:18:15Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ca76ec7c4e563292a0c75781683b0421a4439a02'/>
<id>urn:sha1:ca76ec7c4e563292a0c75781683b0421a4439a02</id>
<content type='text'>
This fixes an issue where the first address that DNS returns is blocked
by a packet filter, so we hang for a while, then the user hits Ctrl-C,
interrupting connect(2), whereupon we move on to the next address, get
a connection, request the file, and return to fetch(1), which sees that
SIGINT was caught and bails.

Note that we make no attempt to enforce fetchTimeout in the connection
phase, and never have.  It's feasible, but non-trivial, so we'll leave
it as an exercise for future us.

PR:		293312
MFC after:	1 week
Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D55406

(cherry picked from commit afbdcd402bb439bd3d487baaad63b68e95929265)
(cherry picked from commit cca6f5eadb796b03379eb21f38c74ca46a64e45b)
</content>
</entry>
<entry>
<title>libfetch: Restore timeout functionality</title>
<updated>2026-02-19T19:21:21Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-18T15:10:47Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=8755b5f3a590560996fb122abe22644d3be3836a'/>
<id>urn:sha1:8755b5f3a590560996fb122abe22644d3be3836a</id>
<content type='text'>
PR:		293124
MFC after:	1 week
Fixes:		792ef1ae7b94 ("Refactor fetch_connect() and fetch_bind() to improve readability and avoid repeating the same DNS lookups.")
Reverts:	8f8a7f6fffd7 ("libfetch: apply timeout to SSL_read()")
Reviewed by:	eugen, imp
Differential Revision:	https://reviews.freebsd.org/D55293

(cherry picked from commit 73b82d1b0a2f09224e6d0f7a13dd73c66d740207)
(insta-mfc requested by re@)
(cherry picked from commit d97c824f5b4c9e7e3a1400699022cba146e450fa)
</content>
</entry>
<entry>
<title>libfetch: Check for failure to create SSL context</title>
<updated>2026-02-12T21:24:34Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-02-07T14:24:40Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=53e0a1d1ff9b9a8bd27fa65e0f84ca95f0e41298'/>
<id>urn:sha1:53e0a1d1ff9b9a8bd27fa65e0f84ca95f0e41298</id>
<content type='text'>
* Drop the ssl_meth member, there is no reason to hang on to it.

* Replace deprecated SSLv23_client_method() with TLS_client_method().

* Check the return value from SSL_CTX_new().

Approved by:	re (cperciva)
MFC after:	1 week
PR:		292903
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D55098

(cherry picked from commit 4e160c6197f75fda3d5d5997ce893087058cf718)
(cherry picked from commit 4781aeb5b9cb564a53fee8128f6827402deaf9df)
</content>
</entry>
<entry>
<title>MFC: libfetch: allow disabling TLS v1.3 when negotiating the connection</title>
<updated>2026-01-25T04:16:30Z</updated>
<author>
<name>Eugene Grosbein</name>
<email>eugen@FreeBSD.org</email>
</author>
<published>2026-01-22T14:37:54Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c41b12651a80e5c3c227e7428c2804f66ec17f2c'/>
<id>urn:sha1:c41b12651a80e5c3c227e7428c2804f66ec17f2c</id>
<content type='text'>
(cherry picked from commit 129aec72250266e60c07ff4643623188f7c27a9d)
</content>
</entry>
<entry>
<title>MFC: libfetch: apply timeout to SSL_read()</title>
<updated>2026-01-25T04:13:02Z</updated>
<author>
<name>Eugene Grosbein</name>
<email>eugen@FreeBSD.org</email>
</author>
<published>2026-01-22T08:40:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=fae1c84e95f7be4deacdab8a97f140714d8d2ae8'/>
<id>urn:sha1:fae1c84e95f7be4deacdab8a97f140714d8d2ae8</id>
<content type='text'>
Currently, fetchTimeout works for non-SSL connections only, as does fetch -T.
Fix it by applying the specified timeout to SSL_read().

(cherry picked from commit 8f8a7f6fffd7dca09013f7c4bfa075bc3825fb8e)
</content>
</entry>
<entry>
<title>lib: Fix calls that naively set F_SETFD.</title>
<updated>2025-08-25T13:57:56Z</updated>
<author>
<name>Ricardo Branco</name>
<email>rbranco@suse.de</email>
</author>
<published>2025-07-14T20:10:38Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a58eb4d233bfdddff243faec071f8dc18d3e5492'/>
<id>urn:sha1:a58eb4d233bfdddff243faec071f8dc18d3e5492</id>
<content type='text'>
With the recent inclusion of the FD_CLOFORK and FD_RESOLVE_BENEATH flags,
we must avoid clearing them when setting only FD_CLOEXEC.

Signed-off-by: Ricardo Branco &lt;rbranco@suse.de&gt;

Reviewed by:	kib, markj
MFC after:	1 month
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1766

(cherry picked from commit 8768b60de16a3d72a8783ec1241a711a782a36a9)
</content>
</entry>
<entry>
<title>libfetch: don't rely on ca_root_nss for certificate validation</title>
<updated>2023-10-05T00:03:16Z</updated>
<author>
<name>Michael Osipov</name>
<email>michael.osipov@siemens.com</email>
</author>
<published>2023-10-03T05:53:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=fb058a9a40a5adc82721ed822fb4fba213446a7b'/>
<id>urn:sha1:fb058a9a40a5adc82721ed822fb4fba213446a7b</id>
<content type='text'>
Before certctl(8), there was no system trust store, and libfetch
relied on the CA certificate bundle from the ca_root_nss port to
verify peers.

We now have a system trust store and a reliable mechanism for
manipulating it (to explicitly add, remove, or revoke certificates),
but if ca_root_nss is installed, libfetch will still prefer that to
the system trust store.

With this change, unless explicitly overridden, libfetch will rely on
OpenSSL to pick up the default system trust store.

PR:		256902
MFC after:	3 days
Reviewed by:	kevans
Differential Revision:	https://reviews.freebsd.org/D42059

(cherry picked from commit 09f5c1e118bb4eca77b83a0d08f559b20f60aa59)
</content>
</entry>
<entry>
<title>Remove $FreeBSD$: one-line .c pattern</title>
<updated>2023-08-16T17:54:42Z</updated>
<author>
<name>Warner Losh</name>
<email>imp@FreeBSD.org</email>
</author>
<published>2023-08-16T17:54:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=1d386b48a555f61cb7325543adbbb5c3f3407a66'/>
<id>urn:sha1:1d386b48a555f61cb7325543adbbb5c3f3407a66</id>
<content type='text'>
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
</content>
</entry>
<entry>
<title>libfetch: remove all old OpenSSL support</title>
<updated>2023-06-24T08:45:02Z</updated>
<author>
<name>Enji Cooper</name>
<email>ngie@FreeBSD.org</email>
</author>
<published>2023-06-22T03:53:54Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=bc1027a7785166fde9c2a3b48e6e70d198377d4b'/>
<id>urn:sha1:bc1027a7785166fde9c2a3b48e6e70d198377d4b</id>
<content type='text'>
This change removes pre-OpenSSL 1.1 supporting code and removes/adjusts
preprocessor conditionals which were tautologically true as FreeBSD main
has shipped with OpenSSL 1.1+ for some time.

Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D40711
</content>
</entry>
<entry>
<title>libfetch: do not call deprecated OpenSSL functions</title>
<updated>2023-05-25T16:20:15Z</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2023-05-25T15:24:48Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=01aee8c92d936470c44821736e0d9e11ed7ce812'/>
<id>urn:sha1:01aee8c92d936470c44821736e0d9e11ed7ce812</id>
<content type='text'>
As of OpenSSL 1.1 SSL_library_init() and SSL_load_error_strings() are
deprecated.  There are replacement initialization functions but they do
not need to be called: "As of version 1.1.0 OpenSSL will automatically
allocate all resources that it needs so no explicit initialisation is
required."

Wrap both calls in an OPENSSL_VERSION_NUMBER block.

PR:		271615
Reviewed by:	Pierre Pronchery &lt;pierre@freebsdfoundation.org&gt;
Event:		Kitchener-Waterloo Hackathon 202305
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40265
</content>
</entry>
</feed>
