Commit Graph

796 Commits

Author SHA1 Message Date
Stefan Eßer
1f474190fc Replace literal uses of /usr/local in C sources with _PATH_LOCALBASE
Literal references to /usr/local exist in a large number of files in
the FreeBSD base system. Many are in contributed software, in configuration
files, or in the documentation, but 19 uses have been identified in C
source files or headers outside the contrib and sys/contrib directories.

This commit makes it possible to set _PATH_LOCALBASE in paths.h to use
a different prefix for locally installed software.

In order to avoid changes to openssh source files, LOCALBASE is passed to
the build via Makefiles under src/secure. While _PATH_LOCALBASE could have
been used here, there is precedent in the construction of the path used to
a xauth program which depends on the LOCALBASE value passed on the compiler
command line to select a non-default directory.

This could be changed in a later commit to make the openssh build
consistently use _PATH_LOCALBASE. It is considered out-of-scope for this
commit.

Reviewed by:	imp
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D26942
2020-10-27 11:29:11 +00:00
John Baldwin
bc3d569800 Move generated OpenSSL assembly routines into the kernel sources.
Sponsored by:	Netflix
2020-10-20 17:00:43 +00:00
Jung-uk Kim
58f351825a Merge OpenSSL 1.1.1h. 2020-09-22 16:18:31 +00:00
Kyle Evans
eef96401a9 caroot: update base store
Count:
- Two (2) removed
- Three (3) added

MFC after:	3 days
2020-09-19 01:59:17 +00:00
Kyle Evans
fe815331bb build: provide a default WARNS for all in-tree builds
The current default is provided in various Makefile.inc in some top-level
directories and covers a good portion of the tree, but doesn't cover parts
of the build a little deeper (e.g. libcasper).

Provide a default in src.sys.mk and set WARNS to it in bsd.sys.mk if that
variable is defined. This lets us relatively cleanly provide a default WARNS
no matter where you're building in the src tree without breaking things
outside of the tree.

Crunchgen has been updated as a bootstrap tool to work on this change
because it needs r365605 at a minimum to succeed. The cleanup necessary to
successfully walk over this change on WITHOUT_CLEAN builds has been added.

There is a supplemental project to this to list all of the warnings that are
encountered when the environment has WARNS=6 NO_WERROR=yes:
https://warns.kevans.dev -- this project will hopefully eventually go away
in favor of CI doing a much better job than it.

Reviewed by:	emaste, brooks, ngie (all earlier version)
Reviewed by:	emaste, arichardson (depend-cleanup.sh change)
Differential Revision:	https://reviews.freebsd.org/D26455
2020-09-18 17:17:46 +00:00
Kyle Evans
8e0dc55e68 caroot: properly remove old distrusted roots
The proper procedure was not followed in r364943; all of these that were
deleted should have instead been moved over to the blacklist so that certctl
can DTRT.

Users must still `certctl rehash` after this, but this should generally be
done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note
that freebsd-update doesn't come into play for this particular update, as
these have not yet made it into a release.

Future work (after svn -> git) will likely change the script that updatecert
invokes to facilitate the process, rather than trusting that kevans or
whomever updates in the future will remember.

Reported by:	Helge Oldach <freebsd oldach net>
MFC after:	3 days
2020-09-02 12:57:34 +00:00
Kyle Evans
681d595125 carrot: update bundle
Stats:
- Seven (7) removed
- Four (4) added

MFC after:	3 days
2020-08-29 02:46:25 +00:00
Jung-uk Kim
3971092e11 Regen X86 assembly files after r364822. 2020-08-26 16:56:44 +00:00
Kyle Evans
cc249d7800 caroot: switch to using echo+shell glob to enumerate certs
This solves an issue on stable/12 that causes certs to not get installed.
ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up
blank and nothing gets installed. We don't really require anything
ls-specific, though, so let's just simplify it.

MFC after:	3 days
2020-08-23 23:56:57 +00:00
John Baldwin
1e04d9ff3e Fix a typo in the cpp macro defined for PIC.
In practice this isn't used in OpenSSL outside of some sparc-specific
code.

Reviewed by:	delphij
Differential Revision:	https://reviews.freebsd.org/D26058
2020-08-13 20:28:35 +00:00
Conrad Meyer
80a315ffb6 Replace OPENSSL_NO_SSL3_METHODs with dummies
SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
should not have shipped in FreeBSD 11 (2016) or 12 (2018).  No one should use
it, and if they must, they can use some implementation outside of base.

There are three symbols removed with OPENSSL_NO_SSL3_METHOD:

SSLv3_client_method
SSLv3_method
SSLv3_server_method

These symbols exist to request an explicit SSLv3 connection to a server.
There is no good reason for an application to link or invoke these symbols
instead of TLS_method(), et al (née SSLv23_method, et al).  Applications
that do so have broken cryptography.

Define these symbols for some pedantic definition of ABI stability, but
remove the functionality again (r361392) after r362620.

Reviewed by:	gordon, jhb (earlier-but-equivalent version both)
Discussed with:	bjk, kib
Differential Revision:	https://reviews.freebsd.org/D25493
2020-07-01 00:59:28 +00:00
Gordon Tetlow
e398139415 Revert OPENSSL_NO_SSL3_METHOD to keep ABI compatibility.
This define caused a couple of symbols to disappear. To keep ABI
compatibility, we are going to keep the symbols exposed, but leave SSLv3 as
not in the default config (this is what OPENSSL_NO_SSL3 achieves). The
ramifications of this is an application can still use SSLv3 if it
specifically calls the SSLv3_method family of APIs.

Reported by:	kib, others
Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D25451
2020-06-25 19:35:37 +00:00
Tijl Coosemans
82c3a6548f Install 32-bit libcrypto engines in /usr/lib32/engines instead of
/usr/lib32 and let 32-bit libcrypto search that location instead of
/usr/lib/engines.

Reviewed by:	jkim
2020-06-01 18:58:09 +00:00
Gordon Tetlow
f7732201a2 Remove support for SSLv3 from the OpenSSL build.
This is the default configuration in OpenSSL 1.1.1 already. This moves
to align with that default.

Reported by:	jmg
Approved by:	jkim, cem, emaste, philip
Differential Revision:	https://reviews.freebsd.org/D24945
2020-05-22 16:53:39 +00:00
Jung-uk Kim
cfac584b60 Merge OpenSSL 1.1.1g. 2020-04-21 19:38:32 +00:00
Jung-uk Kim
11c7efe3a4 Merge OpenSSL 1.1.1f. 2020-03-31 15:47:55 +00:00
Jung-uk Kim
0a70e97c94 Reduce diff with the vendor version. No functional change. 2020-03-18 02:20:03 +00:00
Jung-uk Kim
17f01e9963 Merge OpenSSL 1.1.1e. 2020-03-18 02:13:12 +00:00
Kyle Evans
fbd46fe94a pkgbase: fix caroot packaging and add post-install script
The original intention for caroot was to be packaged separately, perhaps so
that users can have a more/less conservative upgrade policy for this
separated from the rest of base.

secure/caroot/Makefile doesn't have anything interesting to package, but its
subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted
and trusted get packaged consistently into the correct one rather than the
default -utilities. Also tag the directories for package=caroot, as they
could also be empty; blacklisted is empty by default, but trusted is not.

Add a post-install script to do certctl rehash, along with a note should we
eventually come up with a way to detect that files have been added or
removed that requires a rehash.

-caroot gets a dependency on -utilities, as that's where we provide certctl
at the moment. We can perhaps reconsider this and put certctl into this
package in the future, but there are some bits within -utilities that
unconditionally invoke certctl so let's hold off for now.

Reviewed by:	manu (earlier version, before -utilities dep added)
Differential Revision:	https://reviews.freebsd.org/D23352
2020-01-29 18:47:08 +00:00
Kyle Evans
bb302e707a caroot: blacklisted: automatically pick up *.pem in the tree
This kind of automagica got picked up in trusted/ prior to the initial
commit, but never got applied over in blacklisted. Ideally no one will be
using blacklisted/ to store arbitrary certs that they don't intend to
blacklist, so we should just install anything that's in here rather than
force consumer to first copy cert into place and then modify the file
listing in the Makefile.

Wise man once say: "it is better to restrict too much, than not enough.
sometimes."
2020-01-28 03:02:18 +00:00
Kyle Evans
0428b669a6 caroot: use bsd.obj.mk, not bsd.prog.mk
This directory stages certdata into .OBJDIR and processes it, but does not
actually build a prog-shaped object; bsd.obj.mk provides the minimal support
that we actually need, an .OBJDIR and descent into subdirs. This is
admittedly the nittiest of nits.
2020-01-24 16:43:02 +00:00
Jung-uk Kim
a9e3baa562 Install man5 and man7 for OpenSSL.
Note config.5 and crypto.7 are not installed because we have conflicts.

Requested by:	phk
MFC after:	1 month
2020-01-22 01:15:57 +00:00
Simon J. Gerraty
2c9a9dfc18 Update Makefile.depend files
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
2019-12-11 17:37:53 +00:00
Simon J. Gerraty
5ab1c5846f Add Makefile.depend.options
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend

DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options

See share/mk/dirdeps-options.mk

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22469
2019-12-11 17:37:37 +00:00
Kyle Evans
ce32663b93 caroot update to latest tip: one (1) addition, none (0) removed
Added:
- Entrust Root Certification Authority - G4
2019-12-04 02:59:50 +00:00
Kyle Evans
b25bf676f0 caroot: commit initial bundle
Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
    certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
    certctl rehash

Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs

No objection from:	secteam
Relnotes:	Definite maybe
2019-10-04 02:34:20 +00:00
Kyle Evans
a9fe8c68aa caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are
still generated.  If they end up in a review, it would be helpful to also
take the hint and hide them.
2019-10-02 01:27:50 +00:00
Kyle Evans
f27f39db77 [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle
to base.

This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions

A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.

This work was done primarily by allanjude@, with minor contributions by
myself.

No objection from:	secteam
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16856
2019-10-02 01:05:29 +00:00
Jung-uk Kim
da327cd22e Merge OpenSSL 1.1.1d. 2019-09-10 21:08:17 +00:00
Emmanuel Vadot
a7b5a3d486 pkgbase: Put a lot of binaries and lib in FreeBSD-runtime
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.

Reviewed by:    bapt, gjb
Differential Revision:  https://reviews.freebsd.org/D21503
2019-09-05 14:13:08 +00:00
Jung-uk Kim
610a21fd82 Merge OpenSSL 1.1.1c. 2019-05-28 21:54:12 +00:00
Dag-Erling Smørgrav
77c2fe20df Add workaround for a QoS-related bug in VMWare Workstation.
Submitted by:	yuripv
Differential Revision:	https://reviews.freebsd.org/D18636
2019-03-27 15:17:29 +00:00
Jung-uk Kim
6935a639f0 Merge OpenSSL 1.1.1b. 2019-02-26 19:31:33 +00:00
Jung-uk Kim
f622545b79 Enable devcryptoeng for OpenSSL.
Since OpenSSL 1.1.1, the good old BSD-specific cryptodev engine has been
deprecated in favor of this new engine.  However, this engine is not
throughly tested on FreeBSD because it was originally written for Linux.

http://cryptodev-linux.org/

Also, the author actually meant to enable it by default on BSD platforms but
he failed to do so because there was a bug in the Configure script.

https://github.com/openssl/openssl/pull/7882

Now they found that it was more generic issue.

https://github.com/openssl/openssl/pull/7885

Therefore, we need to enable this engine on head to give it more exposure.
2018-12-12 21:56:47 +00:00
Jung-uk Kim
c9cf7b5cb1 Merge OpenSSL 1.1.1a. 2018-11-20 21:10:04 +00:00
Konstantin Belousov
89250cff0c Bump base OpenSSL libraries versions to avoid conflict with port's libraries.
Reported by:	many
Reviewed by:	gjb
Sponsored by:	The FreeBSD Foundation
MFC after:	3 hours
2018-10-25 13:37:57 +00:00
Ed Maste
c4cff94134 libcrypto: have buildinf.h depend on Makefile
So that it will be regenerated after Makefile changes affecting the
file's content - specifically, the OpenSSL 1.1.1 update adds a DATE
macro which did not exist previously.

Sponsored by:	The FreeBSD Foundation
2018-10-05 20:49:54 +00:00
Glen Barber
01d4e2149e MFH r338661 through r339200.
Sponsored by:	The FreeBSD Foundation
2018-10-05 17:53:47 +00:00
Ed Maste
4b6d416b32 openssh: connect libressl-api-compat.c and regen config.h
Differential Revision:	https://reviews.freebsd.org/D17390
2018-10-03 16:38:36 +00:00
Jung-uk Kim
2f0b51ed02 Drop pre-AVX toolchain for amd64 and i386 to simplify the makefile.
Especially, head does not support old toolchains because of ifunc support.
2018-10-01 18:16:36 +00:00
Jung-uk Kim
8fef2de1fc Remove MD dirdeps from Makefile.depend.
It can't be right. :-(
2018-09-25 22:21:36 +00:00
Jung-uk Kim
8f1d871786 Make it more meta mode friendly. 2018-09-25 22:15:47 +00:00
Jung-uk Kim
4552330800 Fix CLEANFILES. 2018-09-25 22:14:52 +00:00
Jung-uk Kim
c66de03c60 Regen Makefile.depend. 2018-09-25 21:12:36 +00:00
Jung-uk Kim
024217024c Connect an assembly file for aarch64 to build. 2018-09-22 23:02:45 +00:00
Jung-uk Kim
8072609dd0 Add missing ACFLAGS for aarch64. 2018-09-22 06:50:56 +00:00
Jung-uk Kim
f294b00a88 Fix typos in the previous commit. 2018-09-22 05:59:43 +00:00
Jung-uk Kim
4f4ab23a54 Add a missing source file for SHA. 2018-09-22 05:30:55 +00:00
Jung-uk Kim
604871c9df Add CFLAGS for aarch64/arm assembly files. 2018-09-22 05:16:06 +00:00
Jung-uk Kim
d55590888d Add another include directory for aarch64 and arm. 2018-09-22 04:32:44 +00:00
Jung-uk Kim
61fab32360 Regen cpuid assembly files for aarch64 and arm. 2018-09-22 03:54:40 +00:00
Jung-uk Kim
ea19bcde21 Connect assembly files for arm to build. 2018-09-22 02:43:24 +00:00
Jung-uk Kim
2c17169a65 Regen assembly files for arm. 2018-09-22 02:42:51 +00:00
Jung-uk Kim
4b7c498f1f Connect assembly files for aarch64 to build. 2018-09-22 02:23:42 +00:00
Jung-uk Kim
bde62812ae Regen assemply files for aarch64. 2018-09-22 02:23:03 +00:00
Jung-uk Kim
0633b14ba1 Unify opensslconf.h templates.
There is no MD macro in this file any more.
2018-09-21 22:26:00 +00:00
Jung-uk Kim
7c1dfe5b38 Remove pthread from LIBADD for openssl(1).
libcrypto is linked with pthread since r338816.
2018-09-20 23:06:59 +00:00
Jung-uk Kim
63ffbd00fc Regen assembly files for i386 after r338846. 2018-09-20 22:48:34 +00:00
Jung-uk Kim
4cd58f1ace Add CFLAGS for i386 assembly files. 2018-09-20 22:47:55 +00:00
Jung-uk Kim
fde4ab539f Sort assembly source files for i386. 2018-09-20 22:45:42 +00:00
Jung-uk Kim
b023ea8a2e Connect engines to the build. 2018-09-20 21:59:47 +00:00
Jung-uk Kim
e5631d6f60 Connect i386 assembly files to build. 2018-09-20 21:36:52 +00:00
Jung-uk Kim
d0f1d030b3 Regen assembly files for i386. 2018-09-20 21:34:05 +00:00
Brad Davis
d465a4b0b3 Move the openssl.cnf install to secure/usr.bin/openssl/
This leverages CONFS to do the install

Approved by:	re (pkgbase, blanket), bapt (mentor)
Differential Revision:	https://reviews.freebsd.org/D17245
2018-09-20 09:34:55 +00:00
Jung-uk Kim
acd3ae1266 Link libcrypto with pthread. 2018-09-20 00:20:04 +00:00
Jung-uk Kim
2aeec0c46f Remove an obsolete compiler option. 2018-09-20 00:17:41 +00:00
Jung-uk Kim
ff73837b94 Build openssl(1). 2018-09-19 06:29:06 +00:00
Jung-uk Kim
85a025545f Build libssl for amd64. 2018-09-19 00:24:00 +00:00
Jung-uk Kim
6cc2d4a4da Build libcrypto for amd64. 2018-09-19 00:07:09 +00:00
Jung-uk Kim
9cd2ada182 Do not build engines for now. 2018-09-19 00:06:48 +00:00
Jung-uk Kim
c28e4d8488 Do not generate unused AVX2 and AVX-512 assembly files for amd64. 2018-09-18 01:51:28 +00:00
Jung-uk Kim
015dcc7906 Remove unused AVX2 and AVX-512 assembly files for amd64. 2018-09-18 01:47:01 +00:00
Jung-uk Kim
cec27dca41 Add OpenSSL symbol version maps.
Note the files are not automatically generated for now.
2018-09-13 23:51:54 +00:00
Jung-uk Kim
0ea17a70ce Catch up with manual page removal from secure/lib/libssl. 2018-09-13 23:46:27 +00:00
Jung-uk Kim
23bb9f3ae1 Update initial opensslconf.h for amd64. 2018-09-13 23:31:56 +00:00
Jung-uk Kim
54967a4e95 Regen manual pages.
Note the manual pages are not automatically generated for now.
2018-09-13 23:14:57 +00:00
Jung-uk Kim
9b21da0ecb Regen amd64 assembly files for OpenSSL 1.1.1. 2018-09-13 21:07:09 +00:00
Jung-uk Kim
6b090f69cd Update shlib version to 9. 2018-09-13 20:53:51 +00:00
Jung-uk Kim
e4c7e8068f Update OpenSSL version number. 2018-09-13 20:51:19 +00:00
Dag-Erling Smørgrav
190cef3d52 Upgrade to OpenSSH 7.8p1.
Approved by:	re (kib@)
2018-09-10 16:20:12 +00:00
Bryan Drewery
b749a1b999 Fix build after r337852: Don't rebuild moduli based on unrelated moduli.c
Reported by:	many, delphij (moduli.c issue)
2018-08-16 19:48:07 +00:00
Brad Davis
f0a51d9df4 Move ssh config file handling into the ssh Makefiles.
This helps with pkgbase by using CONFS and tagging these as config files.

Approved by:	allanjude (mentor), des
Differential Revision:	https://reviews.freebsd.org/D16678
2018-08-15 14:53:42 +00:00
Jung-uk Kim
dea77ea6fc Merge OpenSSL 1.0.2p. 2018-08-14 17:48:02 +00:00
Dag-Erling Smørgrav
47dd1d1b61 Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
Dag-Erling Smørgrav
4f52dfbb8d Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11.  For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
2018-05-08 23:13:11 +00:00
Jung-uk Kim
dee36b4f92 Merge OpenSSL 1.0.2o. 2018-03-27 17:17:58 +00:00
Jung-uk Kim
56b4f63142 Remove c_rehash(1) to not confuse users. We do not install the Perl script.
MFC after:	3 days
2018-02-08 19:55:03 +00:00
Jung-uk Kim
c4ad4dffb3 Merge OpenSSL 1.0.2n. 2017-12-07 18:02:57 +00:00
Eitan Adler
7a9e3b169f secure: chase removal of pkg_install 2017-11-11 07:21:49 +00:00
Jung-uk Kim
47902a71f3 Merge OpenSSL 1.0.2m. 2017-11-02 18:04:29 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Enji Cooper
4b330699f8 Convert traditional ${MK_TESTS} conditional idiom for including test
directories to SUBDIR.${MK_TESTS} idiom

This is being done to pave the way for future work (and homogenity) in
^/projects/make-check-sandbox .

No functional change intended.

MFC after:	1 weeks
2017-08-02 08:35:51 +00:00
Jung-uk Kim
ed7112f094 Merge OpenSSL 1.0.2l. 2017-05-25 20:52:16 +00:00
Bryan Drewery
ad5b34a247 Fix invalid .o SRCS from r314527.
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-05-09 01:48:02 +00:00
Dag-Erling Smørgrav
ca86bcf253 Upgrade to OpenSSH 7.4p1. 2017-03-06 01:37:05 +00:00
Enji Cooper
b71fb1a4aa crypto: normalize paths using SRCTOP-relative paths or :H when possible
This simplifies make logic/output

MFC after:	1 month
Sponsored by:	Dell EMC Isilon
2017-03-04 11:35:30 +00:00
Dag-Erling Smørgrav
076ad2f836 Upgrade to OpenSSH 7.3p1. 2017-03-02 00:11:32 +00:00
Allan Jude
39f8282b48 Remove bdes(1)
The use of DES for anything is discouraged, especially with a static IV of 0

If you still need bdes(1) to decrypt Kirk's video lectures, see
security/bdes in ports.

This commit brought to you by the FOSDEM DevSummit and the
"remove unneeded dependancies on openssl in base" working group

Reviewed by:	bapt, brnrd
Relnotes:	yes
Sponsored by:	FOSDEM DevSummit
Differential Revision:	https://reviews.freebsd.org/D9424
2017-02-06 08:27:19 +00:00
Jung-uk Kim
6cf8931a2f Merge OpenSSL 1.0.2k. 2017-01-26 19:10:29 +00:00
Enji Cooper
233932cc2a Conditionalize building libwrap support into sshd
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after:	2 weeks
PR:		210141
Submitted by:	kpect@protonmail.com
Differential Revision:	D9049
2017-01-07 08:08:35 +00:00