| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
- One (1) modified
- Eight (8) added
- One (1) expired, now untrusted
Approved by: re (cperciva)
MFC after: 3 days
(cherry picked from commit 0d3b2bdbf719ac6b5719a47387558ca9c34a4b2c)
(cherry picked from commit 9b7611d9c7b48e68f017c43ec67d4182a4bc11c4)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From the release notes,
> This release contains a number of security fixes, some small features
> and bugfixes.
The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol. The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
Full release notes at https://www.openssh.com/txt/release-9.6
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
(cherry picked from commit a25789646d7130f5be166cac63d5c8b2b07c4706)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
- Six (6) new roots
- Four (4) distrusted roots
Note that this was intentionally generated with OpenSSL 1.1.1 to avoid
mixing updates and non-functional changes -- there will be some churn
with OpenSSL 3. The next commit will update the current batch of
trusted certs with the format OpenSSL 3 produces, which I've tested
against OpenSSL 1.1.1 to be sure that that doesn't hurt us in older
branches.
This MFC also regenerates all of the trusted certs with OpenSSL 3 to
reduce the diff of future ENs -- this update has no existing certs
modified, so it's the perfect time.
(cherry picked from commit 65fd80909e196c8be2ce5e948775e9cbda2ef069)
(cherry picked from commit 8ed0ecf8024d10e9cd21f5880723a6cec4fd4ae6)
|
| |
|
|
|
|
|
| |
An update is imminent; drop these now to make it easier to audit the
results.
(cherry picked from commit 3f84d4b0fe1445bca5f3b6a70fc5641b88c31217)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With this change, we'll drop the "with $FreeBSD$" lines from trusted/
certs in the next update. untrusted/ will need to be done manually, but
I'll likely just do them all manually, commit, then run the script and
commit any legitimate updates after confirming the output matches what
I did manually.
Reported by: imp
Reviewed by: imp
(cherry picked from commit bbc8585ef557be36b3fda75e3a41d725aedb1c1e)
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Reviewed by: gallatin, ngie, emaste
Differential Revision: https://reviews.freebsd.org/D41536
(With ppc assembler stuff removed, since that's no in stable/13 yet)
(cherry picked from commit 7a56f5af71851c8b502720ca956629c302821430)
|
| |
|
|
|
|
|
| |
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
Similar commit in main:
(cherry picked from commit d0b2dbfa0ecf)
|
| |
|
|
|
|
|
| |
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
Similar commit in main:
(cherry picked from commit 1d386b48a555)
|
| |
|
|
|
|
|
| |
Remove /^/[*/]\s*\$FreeBSD\$.*\n/
Similar commit in main:
(cherry picked from commit 2a63c3be1582)
|
| |
|
|
|
|
|
| |
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
Similar commit in main:
(cherry picked from commit b3e7694832e8)
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Based on dates, these were likely just missed in the last update... add
them now.
- Twenty (20) new
(cherry picked from commit ee0aa1ce12b3caea34477a31e9d2111a329e33b9)
|
| |
|
|
|
|
|
|
|
| |
Summary:
- Zero (0) newly trusted
- Five (5) modified
- Nine (9) distrusted
(cherry picked from commit f5e5dcdbeb699bda5a43c5600b522108cc612ac8)
|
| |
|
|
| |
(cherry picked from commit 5b1268252c56d96d3858969108a8cd6add9d5776)
|
| |
|
|
| |
(cherry picked from commit 84ffbd7782d2e98e440782b453f4e64cd1026d33)
|
| |
|
|
|
|
|
| |
The assembly source files do not contain GNU-stack annotations, so
ld.bfd defaults to using an executable stack.
(cherry picked from commit 99df55bbb711150e7e3515f5c5a2c4d44654c278)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This release fixes a number of security bugs and has minor new
features and bug fixes. Security fixes, from the release notes
(https://www.openssh.com/txt/release-9.3):
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
problem was found by the Coverity static analyzer.
Accelerated MFC to prepare for inclusion in 13.2-RELEASE.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 4d3fc8b0570b29fb0d6ee9525f104d52176ff0d4)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release notes are available at https://www.openssh.com/txt/release-9.2
OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.
Some other notable items from the release notes:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to session,
X11, agent and TCP forwarding channels.
* sshd(8): add a sshd_config UnusedConnectionTimeout option to
terminate client connections that have no open channels for a
length of time. This complements the ChannelTimeout option above.
* sshd(8): add a -V (version) option to sshd like the ssh client has.
* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
allow control over some SFTP protocol parameters: the copy buffer
length and the number of in-flight requests, both of which are used
during upload/download. Previously these could be controlled in
sftp(1) only. This makes them available in both SFTP protocol
clients using the same option character sequence.
* ssh-keyscan(1): allow scanning of complete CIDR address ranges,
e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
it will be expanded to all possible addresses in the range
including the all-0s and all-1s addresses. bz#976
* ssh(1): support dynamic remote port forwarding in escape
command-line's -R processing. bz#3499
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit f374ba41f55c1a127303d92d830dd58eef2f5243)
|
| |
|
|
| |
(cherry picked from commit eb9b98fb5aea1b20d71b0be948454f472b024da7)
|
| |
|
|
| |
(cherry picked from commit fb3134558138e52322ebcdf66fee8288ee308d78)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This file is full of strict aliasing violations. Previously it was only
optimised in ways that broke the code by CHERI LLVM, but now it appears
that the in-tree LLVM also breaks it for RISC-V, resulting in broken
ECDSA signature validation with error messages like the following:
root@unmatched:/usr/src # ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key is not a key file.
root@unmatched:/usr/src # git fetch
fatal: unable to access 'https://git.FreeBSD.org/src.git/': error:1012606B:elliptic curve routines:EC_POINT_set_affine_coordinates:point is not on curve
Reviewed by: dim, jkim
Obtained from: CheriBSD
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35885
(cherry picked from commit 3b41ae32124ad7b61b2297b2e7f3aa5d76b30c53)
|
| |
|
|
| |
(cherry picked from commit 93381ae06bb043a85d6b26459b511ccacc2045e2)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release notes are available at https://www.openssh.com/txt/release-9.1
9.1 contains fixes for three minor memory safety problems; these have
lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.
Some highlights copied from the release notes:
Potentially-incompatible changes
--------------------------------
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
will no longer generate DSA keys, as these are insecure and have
not been used by default for some years.
New features
------------
* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
RSA key length. Keys below this length will be ignored for user
authentication and for host authentication in sshd(8).
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server
extension (when available) to fill in user/group names for
directory listings.
* sftp-server(8): support the "home-directory" extension request
defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
a bit with the existing "expand-path@openssh.com", but some other
clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals,
sshsig verification times and authorized_keys expiry-time options
to accept dates in the UTC time zone in addition to the default
of interpreting them in the system time zone. YYYYMMDD and
YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
with a 'Z' character.
Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
"/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work
with "-Y sign" operations, where it will be interpreted to require
that the private keys is hosted in an agent; bz3429
MFC after: 2 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
most programs in ports are looking for .pc files in order to get the
necessary information on how to compile and link against openssl.
The ports now also has a way to hide or force a path for pkgconf.
Providing .pc files along with openssl in base will allow (once all
the supported version of FreeBSD has it) so improve the framework to
deal with openssl in base vs openssl in ports (and libressl)
This will also greatly reduce the number of patches necessary to
workaround the build systems which only knows how to detect where
openssl is installed via pkgconf.
PR: 266051
MFC After: 3 weeks
Reviewed by: jkim, delphij
Exp-run by: antoine
Differential Revision: https://reviews.freebsd.org/D36360
(cherry picked from commit b323fa85f15268ac44b8ff90faf90bce5d87b608)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 1323ec571215a77ddd21294f0871979d5ad6b992)
(cherry picked from commit 58def461e256e3a05c3ff15a87ed702fe0c3662c)
|
| |
|
|
| |
(cherry picked from commit 25fb2515923796b329329b5c1c17d200ff416e84)
|
| |
|
|
| |
(cherry picked from commit b4bdc8f9253d9db46f598f17cc546c2fe0f8038d)
|
| |
|
|
| |
(cherry picked from commit 9a3583bfbd1740a158b3916432286190e0f2bf60)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An upcoming OpenSSH update has multiple config.h settings that change
depending on whether builtin security key support is enabled. Prepare
for this by moving ENABLE_SK_INTERNAL to a new sk_config.h header
(similar to the approach used for optional krb5 support) and optionally
including that, instead of defining the macro directly from CFLAGS.
Reviewed by: kevans
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34407
(cherry picked from commit 92ef98b8fa9273049af3cf2fcb4f5e13a6775ff8)
|
| |
|
|
| |
(cherry picked from commit 5ac766ab8ec23e780f108b7903d46e553d5e39d1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):
This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.
ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly
authorise operations by touching or tapping them.
Generating a FIDO key requires the token be attached, and will
usually require the user tap the token to confirm the operation:
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any
other supported key in OpenSSH and may be listed in authorized_keys,
added to ssh-agent(1), etc. The only additional stipulation is that
the FIDO token that the key belongs to must be attached when the key
is used.
To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).
devd integration is not included in this change, and is under
investigation for the base system. In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.
Reviewed by: delphij, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32509
(cherry picked from commit e9a994639b2af232f994ba2ad23ca45a17718d2b)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
(cherry picked from commit 19261079b74319502c6ffa1249920079f0f69a72)
(cherry picked from commit f448c3ed4ae1281861913a56377f9d93d49f8e8e)
(cherry picked from commit 1f290c707a19d1695c303e6c8ead9cc414ccc6dc)
(cherry picked from commit 0f9bafdfc325779e4ecc5154d5bb06c752297138)
(cherry picked from commit adb56e58e8db84d8087ebe3d3e7def0074cb5a90)
(cherry picked from commit 576b58108c1723c85e4dd00355e29bfe301dab11)
(cherry picked from commit 1c99af1ebe61cbaf633792941640dcd254acf921)
(cherry picked from commit 87152f34054921632016bc5eb4ab9f836fbaa522)
(cherry picked from commit 172fa4aa7577915bf5ace5783251821d3774dc05)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
1. https://github.com/openssl/openssl/commit/34ab13b7d8e3e723adb60be8142e38b7c9cd382a
needs to be merged for ELFv2 support on big-endian.
2. crypto/openssl/crypto/ppccap.c needs to be patched.
Same reason as in https://github.com/openssl/openssl/pull/17082.
Approved by: jkim, jhibbits, alfredo (MFC to stable/13)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D33076
(cherry picked from commit 3a60869237b8b315fe66497cf5299ec08b688533)
|
| |
|
|
| |
(cherry picked from commit 754c4757c9cb225c66eb3297f2a8be198786fcc9)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This moves SSHDIR and ssh_namespace.h handling to a common location,
and will simplify future work such as adding U2F support (D32509).
Reviewed by: kevans
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32808
(cherry picked from commit 9d63429fa16352f58037ac2aa6ddc734b25e8331)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a note in all existing certs that they are explicitly trusted
for server auth, and also:
- Seven (7) added
- Nineteen (19) removed
(cherry picked from commit 446169e0b6f04b96960540784539c218f5a14c86)
(cherry picked from commit 3016c5c2bf68d8c6ebf303939f20092478e7a4ca)
(cherry picked from commit fac832b27105d926d9f8728d7147adb547b937d8)
(cherry picked from commit 76461921dac18b300489e326ba3df61d2809f364)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Our current processor was identified as trusting cert not explicitly
marked for SERVER_AUTH, as well as certs that were tagged with
DISTRUST_AFTER.
Update the script to handle both scenarios. This patch was originally
authored by mandree@ for ports, and it was subsequently ported to base
caroot.
(cherry picked from commit c3510c941c0dddd09389915a9395e6f059088bab)
|
| |
|
|
| |
(cherry picked from commit 649ccdd753790069623e192185d133fd26a03bf9)
|
| |
|
|
| |
(cherry picked from commit d594d17b8569fb7bc22263e7da3fd626b99d9203)
|
| |
|
|
|
|
|
|
| |
This is useful for upgrade and also to make tiny jail so they won't
depend on FreeBSD-utilities (where openssl was packaged before).
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D30081
|
| |
|
|
|
|
|
|
|
|
|
| |
While here, trim a spurious local: I missed when added SSL_sendfile.
PR: 255277
Reported by: yuri
Reviewed by: jkim
Differential Revision: https://reviews.freebsd.org/D30483
(cherry picked from commit 7ad70d22c667173586c04fc13dd315995d78fbbf)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 77c2fe20df6a9a7c1a353e1a4ab2ba80fefab881.
The VMware Workstation issue was fixed in 2019[1], and we'd rather not
carry unnecessary local changes in OpenSSH.
[1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470
PR: 234426
Discussed with: yuripv
Approved by: des
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
(cherry picked from commit d55bf492f8f587e4a99f4dcb39a96159b4431782)
|
| |
|
|
| |
(cherry picked from commit 7595394130a163b7ff53d9ef3f28fcb87f629d17)
|
| |
|
|
|
|
|
|
| |
This is regen for 9b2f020c14af71a2606012143432dd717c7cf90e.
MFC after: 1 week
(cherry picked from commit 351d06eeb509a420f3470c96b4a265467c87e2c2)
|
| |
|
|
|
|
|
|
| |
This directory was deprecated since OpenSSL 1.1.1e.
https://github.com/openssl/openssl/pull/9681
(cherry picked from commit b84081606110af6b5df764e3568c0271a5699daa)
|
| |
|
|
| |
(cherry picked from commit e25db73fea9b641a7dcf29303cf104e0d3847d6c)
|
| |
|
|
| |
(cherry picked from commit bb8acd558e66bd4bae31602fcbe569863f47382c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.
Note that TLS 1.3 only supports TX offload.
A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.
Sponsored by: Netflix
(cherry picked from commit aa906e2a4957db700d9e6cc60857e1afe1aecc85)
|
| |
|
|
|
|
|
|
| |
This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.
MFC after: 3 days
|
