Commit Graph

764 Commits

Author SHA1 Message Date
Ceri Davies
64e6e1e463 secure/caroot, certctl: Rename secure/caroot/blacklisted
Old certctl commands still work for compatability, but are deprecated.

Approved by:	secteam (gordon)
Differential Revision: https://reviews.freebsd.org/D30807
2021-06-18 13:38:07 +01:00
Edward Tomasz Napierala
7d681ad774 crypt_r(3): fix reentrancy problems with DES
This code was originally written for non-reentrant crypt(3).
In 5f521d7ba7, a thread-safe crypt_r(3) was introduced.  However,
it looks like the DES implementation is still not re-entrant;
routines like setup_salt() or des_setkey() still use global
variables.

Instead of something drastic, eg removing DES support altogether,
just mark those variables as thread-local.  This adds about 30kB
of data per thread.

Given that this only applies to DES, I think the impact is minimal.

Reviewed By:	markj
Sponsored by:	NetApp, Inc.
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D30674
2021-06-15 11:06:40 +01:00
John Baldwin
7ad70d22c6 libcrypto: Add symbol versions for symbols added since 1.1.1d.
While here, trim a spurious local: I missed when added SSL_sendfile.

PR:		255277
Reported by:	yuri
Reviewed by:	jkim
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D30483
2021-05-28 15:18:15 -07:00
Emmanuel Vadot
ca179c4d74 pkgbase: Put openssl in its own package
This is useful for upgrade and also to make tiny jail so they won't
depend on FreeBSD-utilities (where openssl was packaged before).

MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D30081
2021-05-13 17:42:29 +02:00
Ed Maste
d55bf492f8 Revert "Add workaround for a QoS-related bug in VMWare Workstation."
This reverts commit 77c2fe20df.

The VMware Workstation issue was fixed in 2019[1], and we'd rather not
carry unnecessary local changes in OpenSSH.

[1] https://communities.vmware.com/t5/VMware-Workstation-Pro/Regression-ssh-results-in-broken-pipe-upon-connecting-in-Vmware/m-p/486105/highlight/true#M25470

PR:		234426
Discussed with:	yuripv
Approved by:	des
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
2021-04-25 17:17:22 -04:00
Kyle Evans
3016c5c2bf caroot: reroll the remaining certs
This adds a specific note that these are explicitly trusted for
server auth.

MFC after:	3 days
2021-04-13 16:59:34 -05:00
Kyle Evans
fac832b271 caroot: remove certs distrusted for server auth
- Fifteen (15) removed

MFC after:	3 days
2021-04-13 16:59:34 -05:00
Kyle Evans
c3510c941c caroot: update CA bundle processor
Our current processor was identified as trusting cert not explicitly
marked for SERVER_AUTH, as well as certs that were tagged with
DISTRUST_AFTER.

Update the script to handle both scenarios. This patch was originally
authored by mandree@ for ports, and it was subsequently ported to base
caroot.

MFC after:	3 days
2021-04-13 16:59:24 -05:00
Kyle Evans
446169e0b6 caroot: routine cert update
- Three (3) added
- Two (2) removed

MFC after:	3 days
2021-04-13 16:56:03 -05:00
Jung-uk Kim
7595394130 OpenSSL: Regen manual pages for 1.1.1k 2021-03-25 12:17:52 -04:00
Jung-uk Kim
351d06eeb5 OpenSSL: Regen manual page for the previous commit
This is regen for 9b2f020c14.

MFC after:	1 week
2021-02-17 18:19:13 -05:00
Jung-uk Kim
b840816061 OpenSSL: Remove obsolete include directory
This directory was deprecated since OpenSSL 1.1.1e.

https://github.com/openssl/openssl/pull/9681
2021-02-16 22:53:37 -05:00
Jung-uk Kim
e25db73fea OpenSSL: Regen manual pages for OpenSSL 1.1.1j. 2021-02-16 17:05:00 -05:00
Jung-uk Kim
bb8acd558e OpenSSL: Regenerate manual pages.
MFC after:	1 week
2021-01-28 10:24:24 -08:00
John Baldwin
aa906e2a49 OpenSSL: Support for kernel TLS offload (KTLS)
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.

Note that TLS 1.3 only supports TX offload.

A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support.  It defaults to enabled on amd64 and disabled on all
other architectures.

Reviewed by:	jkim (earlier version)
Approved by:	secteam
Obtained from:	OpenSSL (patches from master)
MFC after:	1 week
Relnotes:	yes
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D28273
2021-01-28 10:24:13 -08:00
Kyle Evans
f20c0e3319 caroot: drop $FreeBSD$ expansion from root bundle
This debatably could have waited until the next update would have taken
place, but it's easier to see what changes if we get it out of the way
now.

MFC after:	3 days
2020-12-27 21:47:41 -06:00
Kyle Evans
15d474afee caroot: update bundle
Summary:
- One (1) added
- Ten (10) removed

MFC after:	3 days
2020-12-11 18:14:43 +00:00
Jung-uk Kim
c3c73b4f0a Merge OpenSSL 1.1.1i. 2020-12-09 02:05:14 +00:00
Stefan Eßer
1f474190fc Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.

This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.

In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.

This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.

Reviewed by:	imp
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D26942
2020-10-27 11:29:11 +00:00
John Baldwin
bc3d569800 Move generated OpenSSL assembly routines into the kernel sources.
Sponsored by:	Netflix
2020-10-20 17:00:43 +00:00
Jung-uk Kim
58f351825a Merge OpenSSL 1.1.1h. 2020-09-22 16:18:31 +00:00
Kyle Evans
eef96401a9 caroot: update base store
Count:
- Two (2) removed
- Three (3) added

MFC after:	3 days
2020-09-19 01:59:17 +00:00
Kyle Evans
fe815331bb build: provide a default WARNS for all in-tree builds
The current default is provided in various Makefile.inc in some top-level
directories and covers a good portion of the tree, but doesn't cover parts
of the build a little deeper (e.g. libcasper).

Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that
variable is defined. This lets us relatively cleanly provide a default WARNS
no matter where you're building in the src tree without breaking things
outside of the tree.

Crunchgen has been updated as a bootstrap tool to work on this change
because it needs r365605 at a minimum to succeed. The cleanup necessary to
successfully walk over this change on WITHOUT_CLEAN builds has been added.

There is a supplemental project to this to list all of the warnings that are
encountered when the environment has WARNS=6 NO_WERROR=yes:
https://warns.kevans.dev -- this project will hopefully eventually go away
in favor of CI doing a much better job than it.

Reviewed by:	emaste, brooks, ngie (all earlier version)
Reviewed by:	emaste, arichardson (depend-cleanup.sh change)
Differential Revision:	https://reviews.freebsd.org/D26455
2020-09-18 17:17:46 +00:00
Kyle Evans
8e0dc55e68 caroot: properly remove old distrusted roots
The proper procedure was not followed in r364943; all of these that were
deleted should have instead been moved over to the blacklist so that certctl
can DTRT.

Users must still `certctl rehash` after this, but this should generally be
done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note
that freebsd-update doesn't come into play for this particular update, as
these have not yet made it into a release.

Future work (after svn -> git) will likely change the script that updatecert
invokes to facilitate the process, rather than trusting that kevans or
whomever updates in the future will remember.

Reported by:	Helge Oldach <freebsd oldach net>
MFC after:	3 days
2020-09-02 12:57:34 +00:00
Kyle Evans
681d595125 carrot: update bundle
Stats:
- Seven (7) removed
- Four (4) added

MFC after:	3 days
2020-08-29 02:46:25 +00:00
Jung-uk Kim
3971092e11 Regen X86 assembly files after r364822. 2020-08-26 16:56:44 +00:00
Kyle Evans
cc249d7800 caroot: switch to using echo+shell glob to enumerate certs
This solves an issue on stable/12 that causes certs to not get installed.
ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up
blank and nothing gets installed. We don't really require anything
ls-specific, though, so let's just simplify it.

MFC after:	3 days
2020-08-23 23:56:57 +00:00
John Baldwin
1e04d9ff3e Fix a typo in the cpp macro defined for PIC.
In practice this isn't used in OpenSSL outside of some sparc-specific
code.

Reviewed by:	delphij
Differential Revision:	https://reviews.freebsd.org/D26058
2020-08-13 20:28:35 +00:00
Conrad Meyer
80a315ffb6 Replace OPENSSL_NO_SSL3_METHODs with dummies
SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
should not have shipped in FreeBSD 11 (2016) or 12 (2018).  No one should use
it, and if they must, they can use some implementation outside of base.

There are three symbols removed with OPENSSL_NO_SSL3_METHOD:

SSLv3_client_method
SSLv3_method
SSLv3_server_method

These symbols exist to request an explicit SSLv3 connection to a server.
There is no good reason for an application to link or invoke these symbols
instead of TLS_method(), et al (née SSLv23_method, et al).  Applications
that do so have broken cryptography.

Define these symbols for some pedantic definition of ABI stability, but
remove the functionality again (r361392) after r362620.

Reviewed by:	gordon, jhb (earlier-but-equivalent version both)
Discussed with:	bjk, kib
Differential Revision:	https://reviews.freebsd.org/D25493
2020-07-01 00:59:28 +00:00
Gordon Tetlow
e398139415 Revert OPENSSL_NO_SSL3_METHOD to keep ABI compatibility.
This define caused a couple of symbols to disappear. To keep ABI
compatibility, we are going to keep the symbols exposed, but leave SSLv3 as
not in the default config (this is what OPENSSL_NO_SSL3 achieves). The
ramifications of this is an application can still use SSLv3 if it
specifically calls the SSLv3_method family of APIs.

Reported by:	kib, others
Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D25451
2020-06-25 19:35:37 +00:00
Tijl Coosemans
82c3a6548f Install 32-bit libcrypto engines in /usr/lib32/engines instead of
/usr/lib32 and let 32-bit libcrypto search that location instead of
/usr/lib/engines.

Reviewed by:	jkim
2020-06-01 18:58:09 +00:00
Gordon Tetlow
f7732201a2 Remove support for SSLv3 from the OpenSSL build.
This is the default configuration in OpenSSL 1.1.1 already. This moves
to align with that default.

Reported by:	jmg
Approved by:	jkim, cem, emaste, philip
Differential Revision:	https://reviews.freebsd.org/D24945
2020-05-22 16:53:39 +00:00
Jung-uk Kim
cfac584b60 Merge OpenSSL 1.1.1g. 2020-04-21 19:38:32 +00:00
Jung-uk Kim
11c7efe3a4 Merge OpenSSL 1.1.1f. 2020-03-31 15:47:55 +00:00
Jung-uk Kim
0a70e97c94 Reduce diff with the vendor version. No functional change. 2020-03-18 02:20:03 +00:00
Jung-uk Kim
17f01e9963 Merge OpenSSL 1.1.1e. 2020-03-18 02:13:12 +00:00
Kyle Evans
fbd46fe94a pkgbase: fix caroot packaging and add post-install script
The original intention for caroot was to be packaged separately, perhaps so
that users can have a more/less conservative upgrade policy for this
separated from the rest of base.

secure/caroot/Makefile doesn't have anything interesting to package, but its
subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted
and trusted get packaged consistently into the correct one rather than the
default -utilities. Also tag the directories for package=caroot, as they
could also be empty; blacklisted is empty by default, but trusted is not.

Add a post-install script to do certctl rehash, along with a note should we
eventually come up with a way to detect that files have been added or
removed that requires a rehash.

-caroot gets a dependency on -utilities, as that's where we provide certctl
at the moment. We can perhaps reconsider this and put certctl into this
package in the future, but there are some bits within -utilities that
unconditionally invoke certctl so let's hold off for now.

Reviewed by:	manu (earlier version, before -utilities dep added)
Differential Revision:	https://reviews.freebsd.org/D23352
2020-01-29 18:47:08 +00:00
Kyle Evans
bb302e707a caroot: blacklisted: automatically pick up *.pem in the tree
This kind of automagica got picked up in trusted/ prior to the initial
commit, but never got applied over in blacklisted. Ideally no one will be
using blacklisted/ to store arbitrary certs that they don't intend to
blacklist, so we should just install anything that's in here rather than
force consumer to first copy cert into place and then modify the file
listing in the Makefile.

Wise man once say: "it is better to restrict too much, than not enough.
sometimes."
2020-01-28 03:02:18 +00:00
Kyle Evans
0428b669a6 caroot: use bsd.obj.mk, not bsd.prog.mk
This directory stages certdata into .OBJDIR and processes it, but does not
actually build a prog-shaped object; bsd.obj.mk provides the minimal support
that we actually need, an .OBJDIR and descent into subdirs. This is
admittedly the nittiest of nits.
2020-01-24 16:43:02 +00:00
Jung-uk Kim
a9e3baa562 Install man5 and man7 for OpenSSL.
Note config.5 and crypto.7 are not installed because we have conflicts.

Requested by:	phk
MFC after:	1 month
2020-01-22 01:15:57 +00:00
Simon J. Gerraty
2c9a9dfc18 Update Makefile.depend files
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
2019-12-11 17:37:53 +00:00
Simon J. Gerraty
5ab1c5846f Add Makefile.depend.options
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend

DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options

See share/mk/dirdeps-options.mk

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22469
2019-12-11 17:37:37 +00:00
Kyle Evans
ce32663b93 caroot update to latest tip: one (1) addition, none (0) removed
Added:
- Entrust Root Certification Authority - G4
2019-12-04 02:59:50 +00:00
Kyle Evans
b25bf676f0 caroot: commit initial bundle
Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
    certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
    certctl rehash

Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs

No objection from:	secteam
Relnotes:	Definite maybe
2019-10-04 02:34:20 +00:00
Kyle Evans
a9fe8c68aa caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are
still generated.  If they end up in a review, it would be helpful to also
take the hint and hide them.
2019-10-02 01:27:50 +00:00
Kyle Evans
f27f39db77 [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle
to base.

This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions

A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.

This work was done primarily by allanjude@, with minor contributions by
myself.

No objection from:	secteam
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16856
2019-10-02 01:05:29 +00:00
Jung-uk Kim
da327cd22e Merge OpenSSL 1.1.1d. 2019-09-10 21:08:17 +00:00
Emmanuel Vadot
a7b5a3d486 pkgbase: Put a lot of binaries and lib in FreeBSD-runtime
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.

Reviewed by:    bapt, gjb
Differential Revision:  https://reviews.freebsd.org/D21503
2019-09-05 14:13:08 +00:00
Jung-uk Kim
610a21fd82 Merge OpenSSL 1.1.1c. 2019-05-28 21:54:12 +00:00
Dag-Erling Smørgrav
77c2fe20df Add workaround for a QoS-related bug in VMWare Workstation.
Submitted by:	yuripv
Differential Revision:	https://reviews.freebsd.org/D18636
2019-03-27 15:17:29 +00:00