aboutsummaryrefslogtreecommitdiff
path: root/secure
Commit message (Collapse)AuthorAgeFilesLines
* secure/caroot, certctl: Rename secure/caroot/blacklistedCeri Davies2021-06-1840-12/+12
| | | | | | | Old certctl commands still work for compatability, but are deprecated. Approved by: secteam (gordon) Differential Revision: https://reviews.freebsd.org/D30807
* crypt_r(3): fix reentrancy problems with DESEdward Tomasz Napierala2021-06-151-29/+29
| | | | | | | | | | | | | | | | | | | This code was originally written for non-reentrant crypt(3). In 5f521d7ba72, a thread-safe crypt_r(3) was introduced. However, it looks like the DES implementation is still not re-entrant; routines like setup_salt() or des_setkey() still use global variables. Instead of something drastic, eg removing DES support altogether, just mark those variables as thread-local. This adds about 30kB of data per thread. Given that this only applies to DES, I think the impact is minimal. Reviewed By: markj Sponsored by: NetApp, Inc. Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D30674
* libcrypto: Add symbol versions for symbols added since 1.1.1d.John Baldwin2021-05-282-2/+16
| | | | | | | | | | While here, trim a spurious local: I missed when added SSL_sendfile. PR: 255277 Reported by: yuri Reviewed by: jkim MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D30483
* pkgbase: Put openssl in its own packageEmmanuel Vadot2021-05-133-1/+3
| | | | | | | | This is useful for upgrade and also to make tiny jail so they won't depend on FreeBSD-utilities (where openssl was packaged before). MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D30081
* Revert "Add workaround for a QoS-related bug in VMWare Workstation."Ed Maste2021-04-251-3/+0
| | | | | | | | | | | | | | | This reverts commit 77c2fe20df6a9a7c1a353e1a4ab2ba80fefab881. The VMware Workstation issue was fixed in 2019[1], and we'd rather not carry unnecessary local changes in OpenSSH. [1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470 PR: 234426 Discussed with: yuripv Approved by: des MFC after: 2 weeks Sponsored by: The FreeBSD Foundation
* caroot: reroll the remaining certsKyle Evans2021-04-13125-0/+250
| | | | | | | This adds a specific note that these are explicitly trusted for server auth. MFC after: 3 days
* caroot: remove certs distrusted for server authKyle Evans2021-04-1315-0/+0
| | | | | | - Fifteen (15) removed MFC after: 3 days
* caroot: update CA bundle processorKyle Evans2021-04-131-12/+43
| | | | | | | | | | | | Our current processor was identified as trusting cert not explicitly marked for SERVER_AUTH, as well as certs that were tagged with DISTRUST_AFTER. Update the script to handle both scenarios. This patch was originally authored by mandree@ for ports, and it was subsequently ported to base caroot. MFC after: 3 days
* caroot: routine cert updateKyle Evans2021-04-135-0/+263
| | | | | | | - Three (3) added - Two (2) removed MFC after: 3 days
* OpenSSL: Regen manual pages for 1.1.1kJung-uk Kim2021-03-25535-536/+536
|
* OpenSSL: Regen manual page for the previous commitJung-uk Kim2021-02-171-2/+3
| | | | | | This is regen for 9b2f020c14af71a2606012143432dd717c7cf90e. MFC after: 1 week
* OpenSSL: Remove obsolete include directoryJung-uk Kim2021-02-171-1/+0
| | | | | | This directory was deprecated since OpenSSL 1.1.1e. https://github.com/openssl/openssl/pull/9681
* OpenSSL: Regen manual pages for OpenSSL 1.1.1j.Jung-uk Kim2021-02-16539-1167/+642
|
* OpenSSL: Regenerate manual pages.Jung-uk Kim2021-01-28537-644/+1269
| | | | MFC after: 1 week
* OpenSSL: Support for kernel TLS offload (KTLS)John Baldwin2021-01-284-5/+28
| | | | | | | | | | | | | | | | | | | | This merges upstream patches from OpenSSL's master branch to add KTLS infrastructure for TLS 1.0-1.3 including both RX and TX offload and SSL_sendfile support on both Linux and FreeBSD. Note that TLS 1.3 only supports TX offload. A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with KTLS support. It defaults to enabled on amd64 and disabled on all other architectures. Reviewed by: jkim (earlier version) Approved by: secteam Obtained from: OpenSSL (patches from master) MFC after: 1 week Relnotes: yes Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D28273
* caroot: drop $FreeBSD$ expansion from root bundleKyle Evans2020-12-28139-139/+139
| | | | | | | | This debatably could have waited until the next update would have taken place, but it's easier to see what changes if we get it out of the way now. MFC after: 3 days
* caroot: update bundleKyle Evans2020-12-1111-0/+134
| | | | | | | | | | | Summary: - One (1) added - Ten (10) removed MFC after: 3 days Notes: svn path=/head/; revision=368555
* Merge OpenSSL 1.1.1i.Jung-uk Kim2020-12-09434-875/+877
| | | | Notes: svn path=/head/; revision=368472
* Replace literal uses of /usr/local in C sources with _PATH_LOCALBASEStefan Eßer2020-10-272-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | Literal references to /usr/local exist in a large number of files in the FreeBSD base system. Many are in contributed software, in configuration files, or in the documentation, but 19 uses have been identified in C source files or headers outside the contrib and sys/contrib directories. This commit makes it possible to set _PATH_LOCALBASE in paths.h to use a different prefix for locally installed software. In order to avoid changes to openssh source files, LOCALBASE is passed to the build via Makefiles under src/secure. While _PATH_LOCALBASE could have been used here, there is precedent in the construction of the path used to a xauth program which depends on the LOCALBASE value passed on the compiler command line to select a non-default directory. This could be changed in a later commit to make the openssh build consistently use _PATH_LOCALBASE. It is considered out-of-scope for this commit. Reviewed by: imp MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D26942 Notes: svn path=/head/; revision=367075
* Move generated OpenSSL assembly routines into the kernel sources.John Baldwin2020-10-2083-204615/+2
| | | | | | | Sponsored by: Netflix Notes: svn path=/head/; revision=366898
* Merge OpenSSL 1.1.1h.Jung-uk Kim2020-09-22537-1617/+1745
| | | | Notes: svn path=/head/; revision=366004
* caroot: update base storeKyle Evans2020-09-195-0/+265
| | | | | | | | | | | Count: - Two (2) removed - Three (3) added MFC after: 3 days Notes: svn path=/head/; revision=365896
* build: provide a default WARNS for all in-tree buildsKyle Evans2020-09-181-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | The current default is provided in various Makefile.inc in some top-level directories and covers a good portion of the tree, but doesn't cover parts of the build a little deeper (e.g. libcasper). Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that variable is defined. This lets us relatively cleanly provide a default WARNS no matter where you're building in the src tree without breaking things outside of the tree. Crunchgen has been updated as a bootstrap tool to work on this change because it needs r365605 at a minimum to succeed. The cleanup necessary to successfully walk over this change on WITHOUT_CLEAN builds has been added. There is a supplemental project to this to list all of the warnings that are encountered when the environment has WARNS=6 NO_WERROR=yes: https://warns.kevans.dev -- this project will hopefully eventually go away in favor of CI doing a much better job than it. Reviewed by: emaste, brooks, ngie (all earlier version) Reviewed by: emaste, arichardson (depend-cleanup.sh change) Differential Revision: https://reviews.freebsd.org/D26455 Notes: svn path=/head/; revision=365887
* caroot: properly remove old distrusted rootsKyle Evans2020-09-027-0/+698
| | | | | | | | | | | | | | | | | | | | | The proper procedure was not followed in r364943; all of these that were deleted should have instead been moved over to the blacklist so that certctl can DTRT. Users must still `certctl rehash` after this, but this should generally be done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note that freebsd-update doesn't come into play for this particular update, as these have not yet made it into a release. Future work (after svn -> git) will likely change the script that updatecert invokes to facilitate the process, rather than trusting that kevans or whomever updates in the future will remember. Reported by: Helge Oldach <freebsd oldach net> MFC after: 3 days Notes: svn path=/head/; revision=365248
* carrot: update bundleKyle Evans2020-08-2911-698/+401
| | | | | | | | | | | Stats: - Seven (7) removed - Four (4) added MFC after: 3 days Notes: svn path=/head/; revision=364943
* Regen X86 assembly files after r364822.Jung-uk Kim2020-08-2622-86/+44039
| | | | Notes: svn path=/head/; revision=364823
* caroot: switch to using echo+shell glob to enumerate certsKyle Evans2020-08-232-2/+2
| | | | | | | | | | | | This solves an issue on stable/12 that causes certs to not get installed. ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up blank and nothing gets installed. We don't really require anything ls-specific, though, so let's just simplify it. MFC after: 3 days Notes: svn path=/head/; revision=364600
* Fix a typo in the cpp macro defined for PIC.John Baldwin2020-08-131-1/+1
| | | | | | | | | | | In practice this isn't used in OpenSSL outside of some sparc-specific code. Reviewed by: delphij Differential Revision: https://reviews.freebsd.org/D26058 Notes: svn path=/head/; revision=364218
* Replace OPENSSL_NO_SSL3_METHODs with dummiesConrad Meyer2020-07-013-0/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it should not have shipped in FreeBSD 11 (2016) or 12 (2018). No one should use it, and if they must, they can use some implementation outside of base. There are three symbols removed with OPENSSL_NO_SSL3_METHOD: SSLv3_client_method SSLv3_method SSLv3_server_method These symbols exist to request an explicit SSLv3 connection to a server. There is no good reason for an application to link or invoke these symbols instead of TLS_method(), et al (née SSLv23_method, et al). Applications that do so have broken cryptography. Define these symbols for some pedantic definition of ABI stability, but remove the functionality again (r361392) after r362620. Reviewed by: gordon, jhb (earlier-but-equivalent version both) Discussed with: bjk, kib Differential Revision: https://reviews.freebsd.org/D25493 Notes: svn path=/head/; revision=362818
* Revert OPENSSL_NO_SSL3_METHOD to keep ABI compatibility.Gordon Tetlow2020-06-251-3/+0
| | | | | | | | | | | | | | | This define caused a couple of symbols to disappear. To keep ABI compatibility, we are going to keep the symbols exposed, but leave SSLv3 as not in the default config (this is what OPENSSL_NO_SSL3 achieves). The ramifications of this is an application can still use SSLv3 if it specifically calls the SSLv3_method family of APIs. Reported by: kib, others Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D25451 Notes: svn path=/head/; revision=362620
* Install 32-bit libcrypto engines in /usr/lib32/engines instead ofTijl Coosemans2020-06-012-2/+2
| | | | | | | | | | /usr/lib32 and let 32-bit libcrypto search that location instead of /usr/lib/engines. Reviewed by: jkim Notes: svn path=/head/; revision=361700
* Remove support for SSLv3 from the OpenSSL build.Gordon Tetlow2020-05-221-0/+6
| | | | | | | | | | | | This is the default configuration in OpenSSL 1.1.1 already. This moves to align with that default. Reported by: jmg Approved by: jkim, cem, emaste, philip Differential Revision: https://reviews.freebsd.org/D24945 Notes: svn path=/head/; revision=361392
* Merge OpenSSL 1.1.1g.Jung-uk Kim2020-04-21536-541/+753
| | | | Notes: svn path=/head/; revision=360175
* Merge OpenSSL 1.1.1f.Jung-uk Kim2020-03-31534-540/+565
| | | | Notes: svn path=/head/; revision=359486
* Reduce diff with the vendor version. No functional change.Jung-uk Kim2020-03-181-3/+3
| | | | Notes: svn path=/head/; revision=359061
* Merge OpenSSL 1.1.1e.Jung-uk Kim2020-03-18571-45572/+3173
| | | | Notes: svn path=/head/; revision=359060
* pkgbase: fix caroot packaging and add post-install scriptKyle Evans2020-01-292-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | The original intention for caroot was to be packaged separately, perhaps so that users can have a more/less conservative upgrade policy for this separated from the rest of base. secure/caroot/Makefile doesn't have anything interesting to package, but its subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted and trusted get packaged consistently into the correct one rather than the default -utilities. Also tag the directories for package=caroot, as they could also be empty; blacklisted is empty by default, but trusted is not. Add a post-install script to do certctl rehash, along with a note should we eventually come up with a way to detect that files have been added or removed that requires a rehash. -caroot gets a dependency on -utilities, as that's where we provide certctl at the moment. We can perhaps reconsider this and put certctl into this package in the future, but there are some bits within -utilities that unconditionally invoke certctl so let's hold off for now. Reviewed by: manu (earlier version, before -utilities dep added) Differential Revision: https://reviews.freebsd.org/D23352 Notes: svn path=/head/; revision=357264
* caroot: blacklisted: automatically pick up *.pem in the treeKyle Evans2020-01-281-1/+3
| | | | | | | | | | | | | | | This kind of automagica got picked up in trusted/ prior to the initial commit, but never got applied over in blacklisted. Ideally no one will be using blacklisted/ to store arbitrary certs that they don't intend to blacklist, so we should just install anything that's in here rather than force consumer to first copy cert into place and then modify the file listing in the Makefile. Wise man once say: "it is better to restrict too much, than not enough. sometimes." Notes: svn path=/head/; revision=357193
* caroot: use bsd.obj.mk, not bsd.prog.mkKyle Evans2020-01-241-2/+1
| | | | | | | | | | This directory stages certdata into .OBJDIR and processes it, but does not actually build a prog-shaped object; bsd.obj.mk provides the minimal support that we actually need, an .OBJDIR and descent into subdirs. This is admittedly the nittiest of nits. Notes: svn path=/head/; revision=357084
* Install man5 and man7 for OpenSSL.Jung-uk Kim2020-01-22486-3809/+8973
| | | | | | | | | | Note config.5 and crypto.7 are not installed because we have conflicts. Requested by: phk MFC after: 1 month Notes: svn path=/head/; revision=356963
* Update Makefile.depend filesSimon J. Gerraty2019-12-115-18/+6
| | | | | | | | | | | | | Update a bunch of Makefile.depend files as a result of adding Makefile.depend.options files Reviewed by: bdrewery MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22494 Notes: svn path=/head/; revision=355617
* Add Makefile.depend.optionsSimon J. Gerraty2019-12-112-0/+12
| | | | | | | | | | | | | | | | | | | | Leaf directories that have dependencies impacted by options need a Makefile.depend.options file to avoid churn in Makefile.depend DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc can be set in local.dirdeps-options.mk which can add to those set in Makefile.depend.options See share/mk/dirdeps-options.mk Reviewed by: bdrewery MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D22469 Notes: svn path=/head/; revision=355616
* caroot update to latest tip: one (1) addition, none (0) removedKyle Evans2019-12-041-0/+137
| | | | | | | | Added: - Entrust Root Certification Authority - G4 Notes: svn path=/head/; revision=355376
* caroot: commit initial bundleKyle Evans2019-10-04149-0/+15631
| | | | | | | | | | | | | | | | | | | Interested users can blacklist any/all of these with certctl(8), examples: - mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \ certctl rehash - certctl blacklist /usr/share/certs/trusted/*; \ certctl rehash Certs can be easily examined after installation with `certctl list`, and certctl blacklist will accept the hashed filename as output by list or as seen in /etc/ssl/certs No objection from: secteam Relnotes: Definite maybe Notes: svn path=/head/; revision=353095
* caroot: add @generated tags to extracted .pemKyle Evans2019-10-021-0/+5
| | | | | | | | | As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them. Notes: svn path=/head/; revision=352951
* [1/3] Initial infrastructure for SSL root bundle in baseKyle Evans2019-10-026-0/+348
| | | | | | | | | | | | | | | | | | | | | | | | This setup will add the trusted certificates from the Mozilla NSS bundle to base. This commit includes: - CAROOT option to opt out of installation of certs - mtree amendments for final destinations - infrastructure to fetch/update certs, along with instructions A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts. This work was done primarily by allanjude@, with minor contributions by myself. No objection from: secteam Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16856 Notes: svn path=/head/; revision=352948
* Merge OpenSSL 1.1.1d.Jung-uk Kim2019-09-10523-13180/+1909
| | | | Notes: svn path=/head/; revision=352191
* pkgbase: Put a lot of binaries and lib in FreeBSD-runtimeEmmanuel Vadot2019-09-051-0/+1
| | | | | | | | | | | | All of them are needed to be able to boot to single user and be able to repair a existing FreeBSD installation so put them directly into FreeBSD-runtime. Reviewed by: bapt, gjb Differential Revision: https://reviews.freebsd.org/D21503 Notes: svn path=/head/; revision=351855
* Merge OpenSSL 1.1.1c.Jung-uk Kim2019-05-28514-977/+1083
| | | | Notes: svn path=/head/; revision=348340
* Add workaround for a QoS-related bug in VMWare Workstation.Dag-Erling Smørgrav2019-03-271-0/+3
| | | | | | | | Submitted by: yuripv Differential Revision: https://reviews.freebsd.org/D18636 Notes: svn path=/head/; revision=345579