path: root/secure
Commit message | Author | Age | Files | Lines
* openssh: Support building with MIT KRB5 | Cy Schubert | 2025-06-16 | 2 | -0/+13
  Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition to the Makefile in order to control whether we're building under Heimdal or MIT. Add MIT KRB5 LIBS and INCLUDES to the openssh build.
  Sponsored by: The FreeBSD Foundation
  Reviewed by: markj
  Differential revision: https://reviews.freebsd.org/D50782
* build: remove the last vestiges of lint support | Brooks Davis | 2025-06-05 | 3 | -5/+0
  Commit 1cbb58886a47 (shipped in 12.0.0) removed all lint infrastructure. A bunch of NO_LINT definitions remained (perhaps as a bootstrapping measure). Remove them.
  Reviewed by: emaste
  Differential Revision: https://reviews.freebsd.org/D50704
* caroot: Update certdata URL for GitHub switch | Michael Osipov | 2025-05-28 | 1 | -1/+1
  Mozilla has migrated its projects' source code to GitHub, update certdata URL along with it.
  Reference: https://github.com/curl/curl/pull/17321
  Reviewed by: jrm (mentor), otis (mentor), kevans
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D50575
* openssh: Add ${SKSRCS} to libssh | Jose Luis Duran | 2025-05-20 | 1 | -0/+3
  sshkey.c references sshsk_sign(), which is defined in ${SKSRCS}. Due to how FreeBSD builds libssh, or put differently, due to upstream not building a shared libssh.so, we need to partially revert 65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere"), and add ${SKSRCS} back, to avoid linking problems, especially when building with GCC:
    /usr/local/bin/ld: /usr/obj/usr/src/amd64.amd64/secure/lib/libssh/libprivatessh.so: undefined reference to `sshsk_sign'
    collect2: error: ld returned 1 exit status`
  Put the sources in a separate line, to maintain line-by-line compatibility with upstream Makefile.in
  PR: 286580
  Reviewed by: emaste
  Approved by: emaste (mentor)
  Fixes: 65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere")
  Differential Revision: https://reviews.freebsd.org/D50020
* libcrypto: move engines and modules to openssl-lib | Lexi Winter | 2025-05-05 | 2 | -0/+3
  currently, some OpenSSL-related files end up in the utilities package:
    /usr/lib/engines-3/capi.so
    /usr/lib/engines-3/devcrypto.so
    /usr/lib/engines-3/loader_attic.so
    /usr/lib/engines-3/padlock.so
    /usr/lib/ossl-modules/legacy.so
  since these are part of OpenSSL and are not useful without it, move them to the openssl-lib package.
  Reviewed by: manu, des, emaste
  Approved by: des (mentor)
  Differential Revision: https://reviews.freebsd.org/D50144
* secure: Add ssh-sk-client to all consumers of libssh | John Baldwin | 2025-04-22 | 3 | -3/+3
  These all failed to link with ld.bfd used by GCC due to Fssh_sshsk_sign being an unresolved symbol.
  Fixes: 65d8491719bb ("secure: Adapt Makefile to ssh-sk-client everywhere")
* secure: Adapt Makefile to ssh-sk-client everywhere | Jose Luis Duran | 2025-04-17 | 11 | -11/+11
  Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere") adapted the Makefiles to ssh-sk-client. Do the same here.
  Reviewed by: emaste
  Approved by: emaste (mentor)
  Differential Revision: https://reviews.freebsd.org/D49795
* secure: Match SRCS with upstream Makefile.in | Jose Luis Duran | 2025-04-17 | 1 | -1/+2
  Reviewed by: emaste
  Approved by: emaste (mentor)
  Differential Revision: https://reviews.freebsd.org/D49794
* secure: Rearrange Makefile SRCS to match upstream Makefile.in | Jose Luis Duran | 2025-04-17 | 7 | -14/+24
  SRCS entries are kept in the same order and with the same line breaks as upstream, to make comparison easier.
  No functional change intended.
  Reviewed by: emaste
  Approved by: emaste (mentor)
  Differential Revision: https://reviews.freebsd.org/D49793
* openssh: Request the OpenSSL 1.1 API | Jose Luis Duran | 2025-03-27 | 1 | -0/+2
  Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL 1.1.0), in order to avoid warnings about deprecated functions. Do the same here, to avoid getting those warnings.
  Reviewed by: emaste
  Approved by: emaste (mentor)
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D49517
* openssl: update ASM and version info for 3.0.16 import | Enji Cooper | 2025-03-14 | 1 | -2/+2
  MFC after: 1 week
  MFC with: 0d0c8621fd181e507f0fb50ffcca606faf66a8c2
  Differential Revision: https://reviews.freebsd.org/D49297
* caroot: update the root bundle | Michael Osipov | 2025-03-13 | 25 | -1465/+781
  Summary:
  - Seven (7) new roots
  - Four (4) distrusted roots
  - Fifteen (15) removed (expired) roots
  Reviewed by: kevans
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D49294
* caroot: Ignore soft distrust of server CA certificates after 398 days | Michael Osipov | 2025-03-08 | 1 | -10/+10
  Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that a CA certificate will be distrusted in the future before its NotAfter time. This means that the CA stops issuing new certificates, but previous ones are still valid, but at most for 398 days after the distrust date.
  See also:
  * https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
  * https://github.com/Lukasa/mkcert/issues/19
  * https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
  * https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c
  Tested by: michaelo
  Reviewed by: emaste
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D49075
* ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk | Ed Maste | 2025-02-20 | 14 | -76/+13
  Commit 9d63429fa163 ("ssh: move common Makefile boilerplate to a new ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part of enabling FIDO/U2F. Move duplicated MK_LDNS and MK_TCP_WRAPPERS handling there.
  Reviewed by: kevans
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D31896
* ssh: tidy include handling | Ed Maste | 2025-02-20 | 5 | -12/+4
  Centralize optional krb5_config.h handling in ssh.mk. Do not add headers (that are committed to the src tree) to SRCS as there is no need.
  Reviewed by: imp, jlduran, kevans (all earlier)
  MFC after: 1 month
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D34409
* openssh: Add GSSAPI and Kerberos support to sshd Makefile | Jose Luis Duran | 2025-02-20 | 1 | -0/+6
  Reported by: cy
  Reviewed by: emaste
  Approved by: emaste (mentor)
  Fixes: 0fdf8fae8b56 ("openssh: Update to 9.8p1")
* openssh: Update to 9.9p1 | Ed Maste | 2025-02-19 | 1 | -1/+1
  Highlights from the release notes are reproduced below. Bug fixes and improvements that were previously merged into FreeBSD have been elided. See the upstream release notes for full details of the 9.9p1 release (https://www.openssh.com/releasenotes.html).

  ---

  Future deprecation notice
  =========================

  OpenSSH plans to remove support for the DSA signature algorithm in early 2025.

  Potentially-incompatible changes
  --------------------------------

  * ssh(1): remove support for pre-authentication compression.
  * ssh(1), sshd(8): processing of the arguments to the "Match" configuration directive now follows more shell-like rules for quoted strings, including allowing nested quotes and \-escaped characters.

  New features
  ------------

  * ssh(1), sshd(8): add support for a new hybrid post-quantum key exchange based on the FIPS 203 Module-Lattice Key Encapsulation mechanism (ML-KEM) combined with X25519 ECDH as described by https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03 This algorithm "mlkem768x25519-sha256" is available by default.
  * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being included in core dump files for most of their lifespans. This is in addition to pre-existing controls in ssh-agent(1) and sshd(8) that prevented coredumps. This feature is supported on OpenBSD, Linux and FreeBSD.
  * All: convert key handling to use the libcrypto EVP_PKEY API, with the exception of DSA.

  Bugfixes
  --------

  * sshd(8): do not apply authorized_keys options when signature verification fails. Prevents more restrictive key options being incorrectly applied to subsequent keys in authorized_keys. bz3733
  * ssh-keygen(1): include pathname in some of ssh-keygen's passphrase prompts. Helps the user know what's going on when ssh-keygen is invoked via other tools. Requested in GHPR503
  * ssh(1), ssh-add(1): make parsing user@host consistently look for the last '@' in the string rather than the first. This makes it possible to more consistently use usernames that contain '@' characters.
  * ssh(1), sshd(8): be more strict in parsing key type names. Only allow short names (e.g. "rsa") in user-interface code and require full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725
  * ssh-keygen(1): clarify that ed25519 is the default key type generated and clarify that rsa-sha2-512 is the default signature scheme when RSA is in use. GHPR505

  ---

  Reviewed by: jlduran (build infrastructure)
  Reviewed by: cy (build infrastructure)
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D48947
* ssh: Remove unintended XAUTH_PATH setting | Ed Maste | 2025-02-19 | 1 | -4/+0
  This crept in while rebasing the OpenSSH 9.8p1 update across a63701848fe5 ("ssh: Move XAUTH_PATH setting to ssh.mk").
  Fixes: 0fdf8fae8b56 ("openssh: Update to 9.8p1")
  Sponsored by: The FreeBSD Foundation
* openssh: Update to 9.8p1 | Ed Maste | 2025-02-19 | 4 | -46/+72
  Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html).

  ---

  Future deprecation notice
  =========================

  OpenSSH plans to remove support for the DSA signature algorithm in early 2025.

  Potentially-incompatible changes
  --------------------------------

  * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings.
  * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future.
  * sshd(8): several log messages have changed. In particular, some log messages will be tagged as originating from a process named "sshd-session" rather than "sshd".
  * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether.
  * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101

  New features
  ------------

  * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default.
  * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys.

  Portability
  -----------

  * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use.
  * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479

  ---

  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D48914
* ssh: Move XAUTH_PATH setting to ssh.mk | Ed Maste | 2025-02-10 | 3 | -7/+2
  XAUTH_PATH is normally set (in the upstream build infrastructure) in config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE is set, and over time have sometimes also defined it in config.h.
  Leave it unset in config.h and move the CFLAGS logic to ssh.mk so that it will be set when building all ssh libraries and programs but still be set by LOCALBASE.
  Reviewed by: jlduran
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D48907
* libssh: Remove progressmeter | Ed Maste | 2025-02-08 | 1 | -1/+1
  It is used only by scp and sftp, and already included directly in their Makefiles. It does not belong in libssh.
  Fixes: d8b043c8d497 ("Update for 3.6.1p1; also remove Kerberos IV shims.")
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D48871
* secure: hook up libecc as libpkgecc | Kyle Evans | 2025-01-01 | 3 | -1/+160
  libecc is not intended to be general use, other applications should really be using openssl. pkg(7) uses libecc to align with the pkg(8) project and its goals. This will be used in the upcoming support for ECC in pkg(7).
  Reviewed by: emaste
  Differential Revision: https://reviews.freebsd.org/D48117
* pkgbase: fix inclusion of tests in ssh, bsnmp, clibs-dev | Isaac Freund | 2024-12-23 | 2 | -1/+2
  Currently, files that belong in the tests package are included in the ssh, bsnmp, and clibs-dev packages:
    ssh.plist
    24:@dir(root,wheel,0755,) /usr/tests/secure/libexec
    25:@(root,wheel,0444,) /usr/tests/secure/libexec/Kyuafile
    bsnmp.plist
    82:@dir(root,wheel,0755,) /usr/tests/lib/libbsnmp
    83:@(root,wheel,0444,) /usr/tests/lib/libbsnmp/Kyuafile
    84:@(root,wheel,0555,) /usr/tests/lib/libbsnmp/bsnmpd_test
    clibs-dev.plist
    2518:@dir(root,wheel,0755,) /usr/tests/lib/csu
    2519:@(root,wheel,0444,) /usr/tests/lib/csu/Kyuafile
  This is caused by the PACKAGE=foo assignment in foo/Makefile.inc which overrides the default PACKAGE?=tests in bsd.test.mk.
  To fix this, instead use PACKAGE?=foo in foo/Makefile.inc and set PACKAGE=tests in foo/tests/Makefile.
  PR: 249144
  Reviewed by: bapt, emaste
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D47025
* manuals: Remove trailing spaces | Graham Percival | 2024-11-04 | 4 | -5/+5
  This does not change the rendered ascii at all.
  Signed-off-by: Graham Percival <gperciva@tarsnap.com>
  Reviewed by: mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com>
  MFC after: 3 days
  Sponsored by: Tarsnap Backup Inc.
  Pull Request: https://github.com/freebsd/freebsd-src/pull/1473
* Update Makefile.depend files | Simon J. Gerraty | 2024-10-14 | 1 | -1/+0
  After building packages we have a number of new and updated Makefile.depend files
  Reviewed by: stevek
* Update config/build info for OpenSSL 3.0.15 | Enji Cooper | 2024-09-08 | 1 | -2/+2
  This is a companion commit to the OpenSSL 3.0.15 update.
  `opensslv.h` was regenerated via the following process:
  ```
  cd crypto/openssl
  ./config
  git reset --hard
  gmake include/openssl/opensslv.h
  ```
  `Makefile.inc` has been updated to match.
  MFC after: 1 week
  MFC with: a7148ab39c03abd4d1a84997c70bf96f15dd2a09
  Differential Revision: https://reviews.freebsd.org/D46603
* openssl: Remove fips module from base system. | Gordon Tetlow | 2024-08-31 | 2 | -341/+1
  To comply with FIPS 140 guidance, you must be using a specifically validated and approved version of the fips module. Currently, only OpenSSL 3.0.8 and 3.0.9 have been approved by NIST for FIPS 140 validation. As such, we need to stop shipping later versions of the module in the base system.
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D46223
* Remove residual blank line at start of Makefile | Warner Losh | 2024-07-15 | 46 | -46/+0
  This is a residual of the $FreeBSD$ removal.
  MFC After: 3 days (though I'll just run the command on the branches)
  Sponsored by: Netflix
* Update config/build info for OpenSSL | Enji Cooper | 2024-06-26 | 1 | -2/+2
  This is a companion commit to the OpenSSL 3.0.14 update.
  MFC after: 3 days
  MFC with: 44096ebd22ddd0081a357011714eff8963614b65
* openssl: don't export nonexistant symbols | Brooks Davis | 2024-04-22 | 2 | -137/+0
  These are all OpenSSL 1.1.0 and 1.1.1 symbols that aren't present in our OpenSSL 3.0 builds.
  Reviewed by: emaste
  Differential Revision: https://reviews.freebsd.org/D44249
* Revert "OpenSSL: use the upstream provided version.map files for the fips/legacy providers" | Enji Cooper | 2024-04-21 | 2 | -4/+0
  This change is still under review and should not have been merged directly to main (yet).
  This is a case in point for using `push.default` to nothing instead of matching or simple.
  This reverts commit 42ce242e353065dfbaa248955f6657005a395a95.
* OpenSSL: use the upstream provided version.map files for the fips/legacy providers | Enji Cooper | 2024-04-21 | 2 | -0/+4
  This change introduces a static copy of the fips and legacy linker version maps generated by the OpenSSL 3.0.13 build process.
  This unbreaks the fips and legacy providers by not exposing unnecessary symbols from the fips/legacy provider shared objects shared with other providers (base, default) and libcrypto.
  More discussion:
  Prior to this change, loading the fips provider indirectly from a FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a process-wide deadlock when invoking select OpenSSL APIs (CONF_modules_load* in this particular example).
  Speaking with the upstream maintainers [1], it became obvious that the FreeBSD base system was incorrectly building/linking the fips provider, resulting in a symbol collision at runtime, and thus a process-wide deadlock in specific circumstances. The fips provider would deadlock when trying to acquire a write lock on internal structures which should have only been available to the base and default providers, as certain preprocessor ifdefs only allow specific internal calls to be made with the base and default providers.
  1. https://github.com/openssl/openssl/issues/24202
  Differential Revision: https://reviews.freebsd.org/D44892
* caroot: routine update | Kyle Evans | 2024-02-11 | 10 | -59/+875
  Changes:
  - One (1) modified
  - Eight (8) added
  - One (1) expired, now untrusted
  MFC after: 3 days
* OpenSSL: Update version strings | Cy Schubert | 2024-02-03 | 1 | -2/+2
  Reported by: "Herbert J. Skuhra" <herbert@gojira.at>
  Fixes: 9eb4e0b42d7c
  MFC after: 3 days
* ssh: Update to OpenSSH 9.6p1 | Ed Maste | 2024-01-05 | 1 | -1/+1
  From the release notes,
  > This release contains a number of security fixes, some small features
  > and bugfixes.
  The most significant change in 9.6p1 is a set of fixes for a newly-discovered weakness in the SSH transport protocol. The fix was already merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
  Full release notes at https://www.openssh.com/txt/release-9.6
  Relnotes: Yes
  Sponsored by: The FreeBSD Foundation
* ossl: Move arm_arch.h to a common subdirectory | Mark Johnston | 2023-12-04 | 1 | -1/+2
  OpenSSL itself keeps only a single copy of this header. Do the same in sys/crypto/openssl to avoid the extra maintenance burden. This requires adjusting the include paths for generated asm files.
  No functional change intended.
  Reported by: jrtc27
  Reviewed by: jhb
  MFC after: 3 months
  Differential Revision: https://reviews.freebsd.org/D42866
* secure: Automated cleanup of cdefs and other formatting | Warner Losh | 2023-11-27 | 1 | -1/+0
  Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row.
    Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
    Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
    Remove /\n+#if.*\n#endif.*\n+/
    Remove /^#if.*\n#endif.*\n/
    Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
    Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
    Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/
  Sponsored by: Netflix
* secure: Remove ancient SCCS tags. | Warner Losh | 2023-11-27 | 792 | -1584/+0
  Remove ancient SCCS tags from the tree, automated scripting, with two minor fixups to keep things compiling. All the common forms in the tree were removed with a perl script.
  Sponsored by: Netflix
* Track upstream project rename in contrib/blocklistd | Ed Maste | 2023-11-03 | 1 | -1/+1
  Upstream is now https://github.com/zoulasc/blocklist/. Rename the contrib directory and update Makefiles to match, in advance of the next vendor branch update.
  Sponsored by: The FreeBSD Foundation
* OpenSSL: update to 3.0.12 | Ed Maste | 2023-10-24 | 1 | -2/+2
  OpenSSL 3.0.12 addresses:
  * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length ([CVE-2023-5363]).
  Relnotes: Yes
  Sponsored by: The FreeBSD Foundation
* OpenSSL: update to 3.0.11 | Pierre Pronchery | 2023-10-09 | 793 | -2445/+2513
  OpenSSL 3.0.11 addresses:
  POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)
  Relnotes: Yes
  Pull request: https://github.com/freebsd/freebsd-src/pull/852
  Sponsored by: The FreeBSD Foundation
* libcrypto: Copy the arm64 header when building asm | Andrew Turner | 2023-09-22 | 1 | -0/+1
  It may be needed when it's updated so is best to keep in sync with the assembly files.
  Reviewed by: emaste
  Sponsored by: Arm Ltd
  Differential Revision: https://reviews.freebsd.org/D41938
* libcrypto: fix the FIPS provider on amd64 | Pierre Pronchery | 2023-09-21 | 1 | -10/+10
  This corrects the list of source files required for the FIPS provider.
  To test:
  ```
  INSTALL PASSED
  enter AES-128-CBC encryption password:
  Verifying - enter AES-128-CBC encryption password:
  U2FsdGVkX1+MGm7LbZou29UWU+KAyBX/PxF5T1pO9VM=
  ```
  Reviewed by: emaste
  Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/837
  Differential Revision: https://reviews.freebsd.org/D41720
* libcrypto: complete the support for the 0.9.8 API | Pierre Pronchery | 2023-09-21 | 1 | -4/+4
  When importing OpenSSL 3 in base, some but not all source files implementing the deprecated 0.9.8 API were imported. With this change, it becomes possible again to compile software targeting this API.
  PR: 272220
  Fixes: b077aed33b7b ("Merge OpenSSL 3.0.9")
  Reviewed by: emaste
  MFC after: 3 days
  Sponsored by: The FreeBSD Foundation
  Pull Request: https://github.com/freebsd/freebsd-src/pull/851
* libcrypto: link engines and the legacy provider to libcrypto | Pierre Pronchery | 2023-09-16 | 3 | -0/+5
  OpenSSL's legacy provider module and engines need to link to libcrypto.so, as it provides some of the actual implementations of legacy routines.
  This is a little tricky due to build order issues. Introduce a small hack (LIBCRYPTO_WITHOUT_SUBDIRS) that builds libcrypto.so in its usual early phase without any OpenSSL provider modules or engines.
  This is intended to restore the test suite; a future change should remove the hack and replace it with a better approach.
  PR: 254853, 273528
  Discussed with: Folks at EuroBSDCon in Coimbra
  Sponsored by: The FreeBSD Foundation
* libcrypto: Switch back to the generated assembly in sys/crypto/openssl | John Baldwin | 2023-08-29 | 145 | -310557/+5
  Reviewed by: markj
  Differential Revision: https://reviews.freebsd.org/D41569
* libcrypto: Add buildasm and cleanasm targets | John Baldwin | 2023-08-29 | 2 | -0/+9
  These targets generate all the assembly files in sys/crypto/openssl.
  Reviewed by: markj, emaste (earlier version)
  Differential Revision: https://reviews.freebsd.org/D41590
* libcrypto: Refactor Makefile.asm so it can be run outside of buildenv | John Baldwin | 2023-08-29 | 1 | -13/+14
  Currently Makefile.asm relies on the current buildenv to set CFLAGS for i386. The current approach also leaves various temporary *.s files around in the current directory. To make this a bit better:
  - Instead of using CFLAGS from buildenv for i386, define the actual flags the perl scripts need: -DOPENSSL_IA32_SSE2 to enable SSE2.
  - Change i386 to have the perl scripts write to /dev/stdout to avoid creating temporaries. Previously i386 was generating the temporary files in the OpenSSL contrib src.
  - Cleanup temporary *.s files in the all target after generating the real *.S files for architectures which need them.
  - Remove a duplicate rule for aes-armv4.S.
  Reviewed by: markj
  Differential Revision: https://reviews.freebsd.org/D41589
* Makefile.asm: Simplify variable expansions in generated headers | John Baldwin | 2023-08-29 | 1 | -15/+15
  The :R:S expressions removed the .pl extension only to add it back again, so just trim them to using :T alone.
  Reviewed by: Pierre Pronchery <pierre@freebsdfoundation.org>, markj, emaste
  Differential Revision: https://reviews.freebsd.org/D41588
* caroot: regenerate the root bundle with OpenSSL 3 | Kyle Evans | 2023-08-26 | 191 | -3791/+3872
  No functional change intended.