FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.4 2026-02-03T07:54:20Z 2026-02-03T07:54:20Z Enji Cooper ngie@FreeBSD.org 2025-10-11T20:47:20Z urn:sha1:9a64f277bf5b422d1ebb3d960f8f6a5920dc3131 The .pc files generated in the root directory are used as part of the build; they should never be installed. Use the versions from the exporters subdirectory--which should be installed--as the .pc files which are distributed with FreeBSD. This avoids the need for "fixing up" these files after the fact (see `crypto/openssl/BSDmakefile` for more details as part of this change). Garbage collect `secure/lib/libcrypto/Makefile.version`, et al, as they're orphaned files. They were technically unused prior to this change as the vendor process properly embeds the version numbers in various files, but this commit formalizes the removal. This correction/clarification on the .pc files will be made in an upcoming release of OpenSSL [1]. References: 1. https://github.com/openssl/openssl/issues/28803 Suggested by: Richard Levitte (OpenSSL project) MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D53043 (cherry picked from commit 97388e7215e080f2cb9fd446f4be4e46a9aeb114) 2026-02-03T07:35:24Z Enji Cooper ngie@FreeBSD.org 2026-02-03T07:35:24Z urn:sha1:aed5a47b3a8a105f1452554a176a7d6c0a750854 The files committed match the output of the new vendor process. Much of this involves regenerating manpages to catch up to content from the initial 3.0 import. This is a direct commit to stable/14. 2026-02-03T06:23:29Z Enji Cooper ngie@FreeBSD.org 2025-08-01T04:03:33Z urn:sha1:d03be8cf3346dae1e438ded3aae4453045b77486 This change adds a custom BSD makefile containing multiple high-level PHONY targets, similar to targets provided by the ports framework. The Makefile does the following: - Reruns Configure with a deterministic set of arguments to ensure that all appropriate features have been enabled/disabled in OpenSSL. - Preens the pkgconfig files to remove duplicate paths in their `CFLAGS` and `includedir` variables. - Rebuilds all ASM files to ensure that the content contained is fresh. - Rebuilds all manpages to ensure that the content contained in the manpages is fresh. Some additional work needs to be done to make the manpage regeneration "operation" reproducible (the date the manpages were generated is embedded in the files). All dynamic configuration previously captured in `include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been moved to `freebsd/include/dynamic_freebsd_configuration.h` and `freebsd/include/crypto/bn_conf.h`, respectively. This helps ensure that future updates don't wipe out FreeBSD customizations to these files, which tune behavior on a per-target architecture basis, e.g., ARM vs x86, 32-bit vs 64-bit, etc. MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D51663 Conflicts: crypto/openssl/apps/CA.pl crypto/openssl/configdata.pm crypto/openssl/include/openssl/configuration.h crypto/openssl/include/openssl/fipskey.h crypto/openssl/tools/c_rehash crypto/openssl/util/shlib_wrap.sh crypto/openssl/util/wrap.pl secure/lib/libcrypto/Makefile.inc (cherry picked from commit 267f8c1f4b09431b335d5f48d84586047471f978) 2025-03-25T21:07:59Z Enji Cooper ngie@FreeBSD.org 2025-03-06T18:07:54Z urn:sha1:0d61082e3c64a43f52ec5f1bf3d85671d97d9514 MFC after: 1 week MFC with: 0d0c8621fd181e507f0fb50ffcca606faf66a8c2 Differential Revision: https://reviews.freebsd.org/D49297 (cherry picked from commit d2a55e6a9348bb55038dbc6b727ab041085f22db) 2025-03-11T14:39:36Z Ed Maste emaste@FreeBSD.org 2022-04-12T13:18:20Z urn:sha1:74776eba28d86b9384faa7fce5a699a73afced99 Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS handling there. Reviewed by: kevans Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D31896 (cherry picked from commit d71e7e57fc1472e3ea6d31c44e187c2819d2c71e) 2025-03-11T14:39:36Z Ed Maste emaste@FreeBSD.org 2022-03-02T14:45:23Z urn:sha1:be7b176511003be3d47ae463fd6bea5659446c70 Centralize optional krb5_config.h handling in ssh.mk. Do not add headers (that are committed to the src tree) to SRCS as there is no need. Reviewed by: imp, jlduran, kevans (all earlier) MFC after: 1 month Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34409 (cherry picked from commit 7f916236044d9a733de8b3c47b5dcbf71988cb03) 2025-02-20T17:50:31Z Ed Maste emaste@FreeBSD.org 2025-02-19T19:08:59Z urn:sha1:802386cd37f638eec9606cb10d3dd03c8f1d6c17 Highlights from the release notes are reproduced below. Bug fixes and improvements that were previously merged into FreeBSD have been elided. See the upstream release notes for full details of the 9.9p1 release (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * ssh(1): remove support for pre-authentication compression. * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters. New features ------------ * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Enapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default. * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD. * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA. Bugfixes -------- * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733 * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503 * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters. * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725 * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505 --- Reviewed by: jlduran (build infrastructure) Reviewed by: cy (build infrastructure) Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48947 (cherry picked from commit 3d9fd9fcb432750f3716b28f6ccb0104cd9d351a) Approved by: re (accelerated MFC) 2025-02-20T17:50:11Z Ed Maste emaste@FreeBSD.org 2025-02-19T17:20:44Z urn:sha1:ff2fd01609cc10bcdc87ebe4de42efaf7ffe2ee9 Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC) 2025-02-20T02:31:22Z Ed Maste emaste@FreeBSD.org 2025-02-06T19:21:12Z urn:sha1:8a02eb2c1e4f3847fccf3eb1e7ff914871e35be4 It is used only by scp and sftp, and already included directly in their Makefiles. It does not belong in libssh. Fixes: d8b043c8d497 ("Update for 3.6.1p1; also remove Kerberos IV shims.") Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48871 (cherry picked from commit c0af32952564099fe30a34aeb335f95a6dc811ba) 2025-01-11T02:48:24Z Kyle Evans kevans@FreeBSD.org 2025-01-01T21:10:27Z urn:sha1:616156f8e6eaefe5e3e0df6621129f4bf9003344 libecc is not intended to be general use, other applications should really be using openssl. pkg(7) uses libecc to align with the pkg(8) project and its goals. This will be used in the upcoming support for ECC in pkg(7). Reviewed by: emaste (cherry picked from commit 05427f4639bcf2703329a9be9d25ec09bb782742)