| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Full release notes are available at
https://www.openssh.com/txt/release-10.3
Selected highlights from the release notes:
* ssh(1), sshd(8): remove bug compatibility for implementations
that don't support rekeying. If such an implementation tries to
interoperate with OpenSSH, it will now eventually fail when the
transport needs rekeying.
* ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent
forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
names is advertised via the EXT_INFO message. If a server offers
support for the new names, then they are used preferentially.
* ssh(1): add a ~I escape option that shows information about the
current SSH connection.
* sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is
applied to login attempts for usernames that do not match real
accounts. Defaults to 5s to match 'authfail' but allows
administrators to block such attempts for longer if desired.
* Support the ed25519 signature scheme via libcrypto.
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56999
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Full release notes are available at
https://www.openssh.com/txt/release-10.1
Selected highlights from the release notes:
Potentially-incompatible changes
* ssh(1): add a warning when the connection negotiates a non-post
quantum key agreement algorithm.
* ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS
* ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
keywords in the IPQoS configuration directive.
* ssh-add(1): when adding certificates to an agent, set the expiry
to the certificate expiry time plus a short (5 min) grace period.
* ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
in sshd(8).
Security
* ssh(1): disallow control characters in usernames passed via the
commandline or expanded using %-sequences from the configuration
file, and disallow \0 characters in ssh:// URIs.
New features
* ssh(1), sshd(8): add SIGINFO handlers to log active channel and
session information.
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
| |
`PIC_FLAG` should be used strictly for `-fPIC`, `-fpic`, etc, options.
`SHARED_CFLAGS` is the more appropriate place to this flag to be set.
Requested by: jrtc27
MFC after: 3 days
MFC with: 3797fe720a
|
| |
|
|
|
|
|
|
| |
Add missing header file (openssl/ml_kem.h) of OpenSSL 3.5
Reviewed by: fluffy, ngie
Approved by: ngie (maintainer)
Differential Revision: https://reviews.freebsd.org/D56291
|
| |
|
|
|
| |
MFC after: 1 day (the security issues warrant a quick backport).
MFC with: 10a428653ee7216475f1ddce3fb4cbf1200319f8
|
| |
|
|
|
|
|
| |
A new manpage and any associated links will be added in the next commit.
MFC after: 1 day (the security issues warrant a quick backport).
MFC with: 10a428653ee7216475f1ddce3fb4cbf1200319f8
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This change modifies the libcrypto PIC objects to always compile with
`-DOPENSSL_PIC -fPIC` to restore parity with the upstream build process.
This ensures that the legacy provider is built with parity to the
upstream legacy provider.
MFC after: 12 days
Tested with: `make check` (legacy provider), `make universe`
Fixes: 14b9955e
Differential Revision: https://reviews.freebsd.org/D44896
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit broke the build with some build options.
Some validation needs to be done to confirm that moving the preprocessor
argument to `secure/lib/libcrypto/Makefile.inc` works without breaking
the build, but revert for now until a `tinderbox` run can be done with
the change.
PR: 293934
Reported by: Jenkins, Trond Endrestøl
This reverts commit 14b9955e57cc28b61e785165b9effcbe620edb46.
|
| |
|
|
|
|
|
|
|
|
|
| |
This change modifies the libcrypto PIC objects to always compile with
`-DOPENSSL_PIC` to restore parity with the upstream build process. This
ensures that `-DOPENSSL_PIC` is used whenever building the auxiliary
shared objects. In this case, just the legacy provider (we no longer
distribute the fips provider).
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D44896
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A separate EVP_CIPHER_CTX_get_app_data.3 was added in the OpenSSL 3.5.5
import, but the link to EVP_EncryptInit.3 was still being installed
which stomped on the file and created inconsistent entries in the METALOG.
Reviewed by: emaste
Found by: package_check script in Cirrus-CI
Fixes: 1731fc70f734 ("OpenSSL: update vendor sources to match 3.5.5 content")
Sponsored by: Innovate UK
Differential Revision: https://reviews.freebsd.org/D55332
|
| |
|
|
|
| |
MFC with: f25b8c9fb4f58cf61adb47d7570abe7caa6d385d
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
|
|
| |
libcrypto's Makefile.inc used PACKAGE=openssl, which overrides the
PACKAGE=tests in libcrypto/tests/Makefile. Use PACKAGE?=openssl
instead to avoid this. This puts the OpenSSL tests in the tests
package where they belong.
MFC after: 1 day
Reviewed by: manu, ngie
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53595
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The .pc files generated in the root directory are used as part of the
build; they should never be installed. Use the versions from the
exporters subdirectory--which should be installed--as the .pc files
which are distributed with FreeBSD. This avoids the need for "fixing up"
these files after the fact (see `crypto/openssl/BSDmakefile` for more
details as part of this change).
Garbage collect `secure/lib/libcrypto/Makefile.version`, et al,
as they're orphaned files. They were technically unused prior to this
change as the vendor process properly embeds the version numbers in
various files, but this commit formalizes the removal.
This correction/clarification on the .pc files will be made in an
upcoming release of OpenSSL [1].
References:
1. https://github.com/openssl/openssl/issues/28803
Suggested by: Richard Levitte (OpenSSL project)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53043
|
| |
|
|
|
|
|
|
|
|
|
| |
This change adds a simple smoke test for the legacy provider to ensure
that the provider doesn't break in the future when performing updates.
This is not a functional or system test; the OpenSSL test suite does a
much better job at doing this than we can.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53045
|
| |
|
|
|
|
|
|
|
|
|
| |
This incorporates pkg(8) commit a31c8c3682a3 for consistency.
https://github.com/freebsd/pkg/commit/a31c8c3682a3
MFC after: 1 day
Reviewed by: kevans
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D52920
|
| |
|
|
|
|
| |
MFC with: 046c625e9382
Fixes: 046c625e9382 ("crypto/openssl: update to 3.5.4")
Reported by: Herbert J. Skuhra <herbert@gojira.at>
|
| |
|
|
|
|
|
|
|
| |
This change updates the build artifacts to match the 3.5.3 release. Much
of the change involves updating version numbers and release dates to
match the release version's metadata.
MFC after: 1 week
MFC with: 88b8b7f0c4e9948667a2279e78e975a784049cba
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a targeted effort to update the INCS and SRCS entries for
libcrypto, the legacy provider, and libssl to match what upstream
(OpenSSL) builds in their respective libraries.
The number of stylistic changes were kept at a minimum.
Another incoming change will reformat this file to make future
maintenance easier.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52554
|
| |
|
|
|
| |
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52008
|
| |
|
|
|
|
|
|
|
| |
We need to build OpenSSL when bootstrapping certctl. On MacOS
ktls_enable() isn't defined anywhere, so without this the build fails.
We don't need KTLS in the bootstrap library, so just disable it.
Reviewed by: khorben, ngie
Differential Revision: https://reviews.freebsd.org/D52341
|
| |
|
|
|
| |
Reviewed by: khorben, ngie
Differential Revision: https://reviews.freebsd.org/D52113
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For some packages (OpenSSL, Kerberos) we want to ship runtime libraries
in a separate package, e.g. openssl and openssl-lib. Currently this is
done using PACKAGE=openssl-lib, but that creates packages with strange
names like openssl-lib-lib32.
Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime
libraries to be placed in a new -lib subpackage. This significantly
improves the set of packages we create; for example, OpenSSL goes from:
FreeBSD-openssl
FreeBSD-openssl-dbg
FreeBSD-openssl-lib
FreeBSD-openssl-lib-dbg
FreeBSD-openssl-lib-dbg-lib32
FreeBSD-openssl-lib-dev
FreeBSD-openssl-lib-dev-lib32
FreeBSD-openssl-lib-lib32
FreeBSD-openssl-lib-man
FreeBSD-openssl-man
to:
FreeBSD-openssl
FreeBSD-openssl-dbg
FreeBSD-openssl-dbg-lib32
FreeBSD-openssl-dev
FreeBSD-openssl-dev-lib32
FreeBSD-openssl-lib
FreeBSD-openssl-lib32
FreeBSD-openssl-man
While here, move /usr/bin/krb5-config and /usr/bin/compile_et into
the kerberos-dev package.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D51925
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change adds a custom BSD makefile containing multiple high-level PHONY
targets, similar to targets provided by the ports framework.
The Makefile does the following:
- Reruns Configure with a deterministic set of arguments to ensure that
all appropriate features have been enabled/disabled in OpenSSL.
- Preens the pkgconfig files to remove duplicate paths in their
`CFLAGS` and `includedir` variables.
- Rebuilds all ASM files to ensure that the content contained is fresh.
- Rebuilds all manpages to ensure that the content contained in the
manpages is fresh.
Some additional work needs to be done to make the manpage regeneration
"operation" reproducible (the date the manpages were generated is
embedded in the files).
All dynamic configuration previously captured in
`include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been
moved to `freebsd/include/dynamic_freebsd_configuration.h` and
`freebsd/include/crypto/bn_conf.h`, respectively. This helps
ensure that future updates don't wipe out FreeBSD customizations to
these files, which tune behavior on a per-target architecture basis, e.g.,
ARM vs x86, 32-bit vs 64-bit, etc.
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D51663
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 3.5.1 update dropped a `SRCS` entry for the MK_OPENSSL_KTLS != no
case (the source was renamed from `ktls.c` to `ktls_meth.c`). Add the
new file to SRCS in order to unbreak linking the library when KTLS is
enabled.
This bug isn't apparent now because KTLS is always disabled in
`include/openssl/configuration.h` (this will be fixed soon).
Found when doing `make universe` with KTLS enabled in
`include/openssl/configuration.h`.
Fixes: 4757b351ea9d59d ("openssl: Import version 3.5.1")
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some platforms, like macOS, do not expose headers for the system's
libcrypto for public consumption. libcrypto is relatively heavy and
needs to know, e.g., the host system's endianness, so we scope the build
down to macOS where OpenSSL headers are known to not be present and we
can be reasonably certain that most of the systems today that would be
cross-building are little endian.
We still don't bother if building WITHOUT_OPENSSL since the end result
is expected to be used by OpenSSL, but perhaps we could revisit that
independently in case one, e.g., brings their own implementation.
Reported by: jrtc27
Reviewed by: jrtc27, ngie
Fixes: c340ef28fd38 ("certctl: Reimplement in C")
Differential Revision: https://reviews.freebsd.org/D51935
|
| |
|
|
|
|
|
|
|
|
| |
Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be
EOL after 2026-09-07.
Approved by: philip (mentor)
Sponsored by: Alpha-Omega Beach Cleaning Project
Sponsored by: The FreeBSD Foundation
Differential revision: https://reviews.freebsd.org/D51613
|
| |
|
|
|
|
|
|
|
| |
Commit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure.
A bunch of NO_LINT definitions remained (perhaps as a bootstrapping
measture). Remove them.
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D50704
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sshkey.c references sshsk_sign(), which is defined in ${SKSRCS}.
Due to how FreeBSD builds libssh, or put differently, due to upstream
not building a shared libssh.so, we need to partially revert
65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere"), and
add ${SKSRCS} back, to avoid linking problems, especially when building
with GCC:
/usr/local/bin/ld:
/usr/obj/usr/src/amd64.amd64/secure/lib/libssh/libprivatessh.so:
undefined reference to `sshsk_sign'
collect2: error: ld returned 1 exit status`
Put the sources in a separate line, to maintain line-by-line
compatibility with upstream Makefile.in
PR: 286580
Reviewed by: emaste
Approved by: emaste (mentor)
Fixes: 65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere")
Differential Revision: https://reviews.freebsd.org/D50020
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
currently, some OpenSSL-related files end up in the utilities package:
/usr/lib/engines-3/capi.so
/usr/lib/engines-3/devcrypto.so
/usr/lib/engines-3/loader_attic.so
/usr/lib/engines-3/padlock.so
/usr/lib/ossl-modules/legacy.so
since these are part of OpenSSL and are not useful without it, move them
to the openssl-lib package.
Reviewed by: manu, des, emaste
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50144
|
| |
|
|
|
|
|
|
|
| |
Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client. Do the same here.
Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49795
|
| |
|
|
|
|
|
|
|
|
|
| |
SRCS entries are kept in the same order and with the same line breaks as
upstream, to make comparison easier.
No functional change intended.
Reviewed by: emaste
Approved by: emaste (mentor)
Differential Revision: https://reviews.freebsd.org/D49793
|
| |
|
|
|
|
| |
MFC after: 1 week
MFC with: 0d0c8621fd181e507f0fb50ffcca606faf66a8c2
Differential Revision: https://reviews.freebsd.org/D49297
|
| |
|
|
|
|
|
|
|
|
|
| |
Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS
handling there.
Reviewed by: kevans
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31896
|
| |
|
|
|
|
|
|
|
|
|
| |
Centralize optional krb5_config.h handling in ssh.mk. Do not add
headers (that are committed to the src tree) to SRCS as there is no
need.
Reviewed by: imp, jlduran, kevans (all earlier)
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34409
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Highlights from the release notes are reproduced below. Bug fixes and
improvements that were previously merged into FreeBSD have been elided.
See the upstream release notes for full details of the 9.9p1 release
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* ssh(1): remove support for pre-authentication compression.
* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for
quoted strings, including allowing nested quotes and \-escaped
characters.
New features
------------
* ssh(1), sshd(8): add support for a new hybrid post-quantum key
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
mechanism (ML-KEM) combined with X25519 ECDH as described by
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This algorithm "mlkem768x25519-sha256" is available by default.
* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.
Bugfixes
--------
* sshd(8): do not apply authorized_keys options when signature
verification fails. Prevents more restrictive key options being
incorrectly applied to subsequent keys in authorized_keys. bz3733
* ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
prompts. Helps the user know what's going on when ssh-keygen is
invoked via other tools. Requested in GHPR503
* ssh(1), ssh-add(1): make parsing user@host consistently look for
the last '@' in the string rather than the first. This makes it
possible to more consistently use usernames that contain '@'
characters.
* ssh(1), sshd(8): be more strict in parsing key type names. Only
allow short names (e.g "rsa") in user-interface code and require
full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725
* ssh-keygen(1): clarify that ed25519 is the default key type
generated and clarify that rsa-sha2-512 is the default signature
scheme when RSA is in use. GHPR505
---
Reviewed by: jlduran (build infrastructure)
Reviewed by: cy (build infrastructure)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48947
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).
---
Future deprecation notice
=========================
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.
Potentially-incompatible changes
--------------------------------
* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.
* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.
* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".
* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.
* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101
New features
------------
* sshd(8): sshd(8) will now penalise client addresses that, for various
reasons, do not successfully complete authentication. This feature is
controlled by a new sshd_config(5) PerSourcePenalties option and is
on by default.
* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.
Portability
-----------
* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.
* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479
---
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914
|
| |
|
|
|
|
|
|
|
| |
It is used only by scp and sftp, and already included directly in their
Makefiles. It does not belong in libssh.
Fixes: d8b043c8d497 ("Update for 3.6.1p1; also remove Kerberos IV shims.")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48871
|
| |
|
|
|
|
|
|
|
|
| |
libecc is not intended to be general use, other applications should
really be using openssl. pkg(7) uses libecc to align with the pkg(8)
project and its goals. This will be used in the upcoming support for
ECC in pkg(7).
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D48117
|
| |
|
|
|
|
|
|
|
|
| |
This does not change the rendered ascii at all.
Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com>
MFC after: 3 days
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1473
|
| |
|
|
|
|
|
| |
After building packages we have a number of new
and updated Makefile.depend files
Reviewed by: stevek
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a companion commit to the OpenSSL 3.0.15 update.
`opensslv.h` was regenerated via the following process:
```
cd crypto/openssl
./config
git reset --hard
gmake include/openssl/opensslv.h
```
`Makefile.inc` has been updated to match.
MFC after: 1 week
MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09
Differential Revision: https://reviews.freebsd.org/D46603
|
| |
|
|
|
|
|
|
|
|
|
| |
To comply with FIPS 140 guidance, you must be using a specifically
validated and approved version of the fips module. Currently, only
OpenSSL 3.0.8 and 3.0.9 have been approved by NIST for FIPS 140
validation. As such, we need to stop shipping later versions of the
module in the base system.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D46223
|
| |
|
|
|
|
|
| |
This is a residual of the $FreeBSD$ removal.
MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
|
| |
|
|
|
|
|
| |
This is a companion commit to the OpenSSL 3.0.14 update.
MFC after: 3 days
MFC with: 44096ebd22ddd0081a357011714eff8963614b65
|
| |
|
|
|
|
|
|
| |
These are all OpenSSL 1.1.0 and 1.1.1 symbols that aren't present in our
OpenSSL 3.0 builds.
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D44249
|
| |
|
|
|
|
|
|
|
|
|
|
| |
fips/legacy providers"
This change is still under review and should not have been merged
directly to main (yet).
This is a case and point for using `push.default` to nothing instead of
matching or simple.
This reverts commit 42ce242e353065dfbaa248955f6657005a395a95.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
providers
This change introduces a static copy of the fips and legacy linker version maps
generated by the OpenSSL 3.0.13 build process.
This unbreaks the fips and legacy providers by not exposing unnecessary
symbols from the fips/legacy provider shared objects shared with other
providers (base, default) and libcrypto.
More discussion:
Prior to this change, loading the fips provider indirectly from a
FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a
process-wide deadlock when invoking select OpenSSL APIs
(CONF_modules_load* in this particular example).
Speaking with the upstream maintainers [1], it became obvious that
the FreeBSD base system was incorrectly building/linking the fips
provider, resulting in a symbol collision at runtime, and thus a
process-wide deadlock in specific circumstances. The fips provider
would deadlock when trying to acquire a write lock on internal
structures which should have only been available to the base and
default providers, as certain preprocessor ifdefs only allow specific
internal calls to be made with the base and default providers.
1. https://github.com/openssl/openssl/issues/24202
Differential Revision: https://reviews.freebsd.org/D44892
|
| |
|
|
|
|
| |
Reported by: "Herbert J. Skuhra" <herbert@gojira.at>
Fixes: 9eb4e0b42d7c
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL itself keeps only a single copy of this header. Do the same in
sys/crypto/openssl to avoid the extra maintenance burden. This requires
adjusting the include paths for generated asm files.
No functional change intended.
Reported by: jrtc27
Reviewed by: jhb
MFC after: 3 months
Differential Revision: https://reviews.freebsd.org/D42866
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.
Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/
Sponsored by: Netflix
|
