Commit Graph

775 Commits

Author SHA1 Message Date
Jung-uk Kim
a9e3baa562 Install man5 and man7 for OpenSSL.
Note config.5 and crypto.7 are not installed because we have conflicts.

Requested by:	phk
MFC after:	1 month
2020-01-22 01:15:57 +00:00
Simon J. Gerraty
2c9a9dfc18 Update Makefile.depend files
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
2019-12-11 17:37:53 +00:00
Simon J. Gerraty
5ab1c5846f Add Makefile.depend.options
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend

DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options

See share/mk/dirdeps-options.mk

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22469
2019-12-11 17:37:37 +00:00
Kyle Evans
ce32663b93 caroot update to latest tip: one (1) addition, none (0) removed
Added:
- Entrust Root Certification Authority - G4
2019-12-04 02:59:50 +00:00
Kyle Evans
b25bf676f0 caroot: commit initial bundle
Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
    certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
    certctl rehash

Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs

No objection from:	secteam
Relnotes:	Definite maybe
2019-10-04 02:34:20 +00:00
Kyle Evans
a9fe8c68aa caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are
still generated.  If they end up in a review, it would be helpful to also
take the hint and hide them.
2019-10-02 01:27:50 +00:00
Kyle Evans
f27f39db77 [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle
to base.

This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions

A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.

This work was done primarily by allanjude@, with minor contributions by
myself.

No objection from:	secteam
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16856
2019-10-02 01:05:29 +00:00
Jung-uk Kim
da327cd22e Merge OpenSSL 1.1.1d. 2019-09-10 21:08:17 +00:00
Emmanuel Vadot
a7b5a3d486 pkgbase: Put a lot of binaries and lib in FreeBSD-runtime
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.

Reviewed by:    bapt, gjb
Differential Revision:  https://reviews.freebsd.org/D21503
2019-09-05 14:13:08 +00:00
Jung-uk Kim
610a21fd82 Merge OpenSSL 1.1.1c. 2019-05-28 21:54:12 +00:00
Dag-Erling Smørgrav
77c2fe20df Add workaround for a QoS-related bug in VMWare Workstation.
Submitted by:	yuripv
Differential Revision:	https://reviews.freebsd.org/D18636
2019-03-27 15:17:29 +00:00
Jung-uk Kim
6935a639f0 Merge OpenSSL 1.1.1b. 2019-02-26 19:31:33 +00:00
Jung-uk Kim
f622545b79 Enable devcryptoeng for OpenSSL.
Since OpenSSL 1.1.1, the good old BSD-specific cryptodev engine has been
deprecated in favor of this new engine.  However, this engine is not
throughly tested on FreeBSD because it was originally written for Linux.

http://cryptodev-linux.org/

Also, the author actually meant to enable it by default on BSD platforms but
he failed to do so because there was a bug in the Configure script.

https://github.com/openssl/openssl/pull/7882

Now they found that it was more generic issue.

https://github.com/openssl/openssl/pull/7885

Therefore, we need to enable this engine on head to give it more exposure.
2018-12-12 21:56:47 +00:00
Jung-uk Kim
c9cf7b5cb1 Merge OpenSSL 1.1.1a. 2018-11-20 21:10:04 +00:00
Konstantin Belousov
89250cff0c Bump base OpenSSL libraries versions to avoid conflict with port's libraries.
Reported by:	many
Reviewed by:	gjb
Sponsored by:	The FreeBSD Foundation
MFC after:	3 hours
2018-10-25 13:37:57 +00:00
Ed Maste
c4cff94134 libcrypto: have buildinf.h depend on Makefile
So that it will be regenerated after Makefile changes affecting the
file's content - specifically, the OpenSSL 1.1.1 update adds a DATE
macro which did not exist previously.

Sponsored by:	The FreeBSD Foundation
2018-10-05 20:49:54 +00:00
Glen Barber
01d4e2149e MFH r338661 through r339200.
Sponsored by:	The FreeBSD Foundation
2018-10-05 17:53:47 +00:00
Ed Maste
4b6d416b32 openssh: connect libressl-api-compat.c and regen config.h
Differential Revision:	https://reviews.freebsd.org/D17390
2018-10-03 16:38:36 +00:00
Jung-uk Kim
2f0b51ed02 Drop pre-AVX toolchain for amd64 and i386 to simplify the makefile.
Especially, head does not support old toolchains because of ifunc support.
2018-10-01 18:16:36 +00:00
Jung-uk Kim
8fef2de1fc Remove MD dirdeps from Makefile.depend.
It can't be right. :-(
2018-09-25 22:21:36 +00:00
Jung-uk Kim
8f1d871786 Make it more meta mode friendly. 2018-09-25 22:15:47 +00:00
Jung-uk Kim
4552330800 Fix CLEANFILES. 2018-09-25 22:14:52 +00:00
Jung-uk Kim
c66de03c60 Regen Makefile.depend. 2018-09-25 21:12:36 +00:00
Jung-uk Kim
024217024c Connect an assembly file for aarch64 to build. 2018-09-22 23:02:45 +00:00
Jung-uk Kim
8072609dd0 Add missing ACFLAGS for aarch64. 2018-09-22 06:50:56 +00:00
Jung-uk Kim
f294b00a88 Fix typos in the previous commit. 2018-09-22 05:59:43 +00:00
Jung-uk Kim
4f4ab23a54 Add a missing source file for SHA. 2018-09-22 05:30:55 +00:00
Jung-uk Kim
604871c9df Add CFLAGS for aarch64/arm assembly files. 2018-09-22 05:16:06 +00:00
Jung-uk Kim
d55590888d Add another include directory for aarch64 and arm. 2018-09-22 04:32:44 +00:00
Jung-uk Kim
61fab32360 Regen cpuid assembly files for aarch64 and arm. 2018-09-22 03:54:40 +00:00
Jung-uk Kim
ea19bcde21 Connect assembly files for arm to build. 2018-09-22 02:43:24 +00:00
Jung-uk Kim
2c17169a65 Regen assembly files for arm. 2018-09-22 02:42:51 +00:00
Jung-uk Kim
4b7c498f1f Connect assembly files for aarch64 to build. 2018-09-22 02:23:42 +00:00
Jung-uk Kim
bde62812ae Regen assemply files for aarch64. 2018-09-22 02:23:03 +00:00
Jung-uk Kim
0633b14ba1 Unify opensslconf.h templates.
There is no MD macro in this file any more.
2018-09-21 22:26:00 +00:00
Jung-uk Kim
7c1dfe5b38 Remove pthread from LIBADD for openssl(1).
libcrypto is linked with pthread since r338816.
2018-09-20 23:06:59 +00:00
Jung-uk Kim
63ffbd00fc Regen assembly files for i386 after r338846. 2018-09-20 22:48:34 +00:00
Jung-uk Kim
4cd58f1ace Add CFLAGS for i386 assembly files. 2018-09-20 22:47:55 +00:00
Jung-uk Kim
fde4ab539f Sort assembly source files for i386. 2018-09-20 22:45:42 +00:00
Jung-uk Kim
b023ea8a2e Connect engines to the build. 2018-09-20 21:59:47 +00:00
Jung-uk Kim
e5631d6f60 Connect i386 assembly files to build. 2018-09-20 21:36:52 +00:00
Jung-uk Kim
d0f1d030b3 Regen assembly files for i386. 2018-09-20 21:34:05 +00:00
Brad Davis
d465a4b0b3 Move the openssl.cnf install to secure/usr.bin/openssl/
This leverages CONFS to do the install

Approved by:	re (pkgbase, blanket), bapt (mentor)
Differential Revision:	https://reviews.freebsd.org/D17245
2018-09-20 09:34:55 +00:00
Jung-uk Kim
acd3ae1266 Link libcrypto with pthread. 2018-09-20 00:20:04 +00:00
Jung-uk Kim
2aeec0c46f Remove an obsolete compiler option. 2018-09-20 00:17:41 +00:00
Jung-uk Kim
ff73837b94 Build openssl(1). 2018-09-19 06:29:06 +00:00
Jung-uk Kim
85a025545f Build libssl for amd64. 2018-09-19 00:24:00 +00:00
Jung-uk Kim
6cc2d4a4da Build libcrypto for amd64. 2018-09-19 00:07:09 +00:00
Jung-uk Kim
9cd2ada182 Do not build engines for now. 2018-09-19 00:06:48 +00:00
Jung-uk Kim
c28e4d8488 Do not generate unused AVX2 and AVX-512 assembly files for amd64. 2018-09-18 01:51:28 +00:00
Jung-uk Kim
015dcc7906 Remove unused AVX2 and AVX-512 assembly files for amd64. 2018-09-18 01:47:01 +00:00
Jung-uk Kim
cec27dca41 Add OpenSSL symbol version maps.
Note the files are not automatically generated for now.
2018-09-13 23:51:54 +00:00
Jung-uk Kim
0ea17a70ce Catch up with manual page removal from secure/lib/libssl. 2018-09-13 23:46:27 +00:00
Jung-uk Kim
23bb9f3ae1 Update initial opensslconf.h for amd64. 2018-09-13 23:31:56 +00:00
Jung-uk Kim
54967a4e95 Regen manual pages.
Note the manual pages are not automatically generated for now.
2018-09-13 23:14:57 +00:00
Jung-uk Kim
9b21da0ecb Regen amd64 assembly files for OpenSSL 1.1.1. 2018-09-13 21:07:09 +00:00
Jung-uk Kim
6b090f69cd Update shlib version to 9. 2018-09-13 20:53:51 +00:00
Jung-uk Kim
e4c7e8068f Update OpenSSL version number. 2018-09-13 20:51:19 +00:00
Dag-Erling Smørgrav
190cef3d52 Upgrade to OpenSSH 7.8p1.
Approved by:	re (kib@)
2018-09-10 16:20:12 +00:00
Bryan Drewery
b749a1b999 Fix build after r337852: Don't rebuild moduli based on unrelated moduli.c
Reported by:	many, delphij (moduli.c issue)
2018-08-16 19:48:07 +00:00
Brad Davis
f0a51d9df4 Move ssh config file handling into the ssh Makefiles.
This helps with pkgbase by using CONFS and tagging these as config files.

Approved by:	allanjude (mentor), des
Differential Revision:	https://reviews.freebsd.org/D16678
2018-08-15 14:53:42 +00:00
Jung-uk Kim
dea77ea6fc Merge OpenSSL 1.0.2p. 2018-08-14 17:48:02 +00:00
Dag-Erling Smørgrav
47dd1d1b61 Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
Dag-Erling Smørgrav
4f52dfbb8d Upgrade to OpenSSH 7.6p1. This will be followed shortly by 7.7p1.
This completely removes client-side support for the SSH 1 protocol,
which was already disabled in 12 but is still enabled in 11.  For that
reason, we will not be able to merge 7.6p1 or newer back to 11.
2018-05-08 23:13:11 +00:00
Jung-uk Kim
dee36b4f92 Merge OpenSSL 1.0.2o. 2018-03-27 17:17:58 +00:00
Jung-uk Kim
56b4f63142 Remove c_rehash(1) to not confuse users. We do not install the Perl script.
MFC after:	3 days
2018-02-08 19:55:03 +00:00
Jung-uk Kim
c4ad4dffb3 Merge OpenSSL 1.0.2n. 2017-12-07 18:02:57 +00:00
Eitan Adler
7a9e3b169f secure: chase removal of pkg_install 2017-11-11 07:21:49 +00:00
Jung-uk Kim
47902a71f3 Merge OpenSSL 1.0.2m. 2017-11-02 18:04:29 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Enji Cooper
4b330699f8 Convert traditional ${MK_TESTS} conditional idiom for including test
directories to SUBDIR.${MK_TESTS} idiom

This is being done to pave the way for future work (and homogenity) in
^/projects/make-check-sandbox .

No functional change intended.

MFC after:	1 weeks
2017-08-02 08:35:51 +00:00
Jung-uk Kim
ed7112f094 Merge OpenSSL 1.0.2l. 2017-05-25 20:52:16 +00:00
Bryan Drewery
ad5b34a247 Fix invalid .o SRCS from r314527.
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-05-09 01:48:02 +00:00
Dag-Erling Smørgrav
ca86bcf253 Upgrade to OpenSSH 7.4p1. 2017-03-06 01:37:05 +00:00
Enji Cooper
b71fb1a4aa crypto: normalize paths using SRCTOP-relative paths or :H when possible
This simplifies make logic/output

MFC after:	1 month
Sponsored by:	Dell EMC Isilon
2017-03-04 11:35:30 +00:00
Dag-Erling Smørgrav
076ad2f836 Upgrade to OpenSSH 7.3p1. 2017-03-02 00:11:32 +00:00
Allan Jude
39f8282b48 Remove bdes(1)
The use of DES for anything is discouraged, especially with a static IV of 0

If you still need bdes(1) to decrypt Kirk's video lectures, see
security/bdes in ports.

This commit brought to you by the FOSDEM DevSummit and the
"remove unneeded dependancies on openssl in base" working group

Reviewed by:	bapt, brnrd
Relnotes:	yes
Sponsored by:	FOSDEM DevSummit
Differential Revision:	https://reviews.freebsd.org/D9424
2017-02-06 08:27:19 +00:00
Jung-uk Kim
6cf8931a2f Merge OpenSSL 1.0.2k. 2017-01-26 19:10:29 +00:00
Enji Cooper
233932cc2a Conditionalize building libwrap support into sshd
Only build libwrap support into sshd if MK_TCP_WRAPPERS != no

This will unbreak the build if libwrap has been removed from the system

MFC after:	2 weeks
PR:		210141
Submitted by:	kpect@protonmail.com
Differential Revision:	D9049
2017-01-07 08:08:35 +00:00
Enji Cooper
94ef145e6b Only bake krb5_config.h support in to ssh(3), etc if both MK_GSSAPI and
MK_KERBEROS_SUPPORT != no

This fixes the odd case where someone specified MK_GSSAPI=no and
MK_KERBEROS_SUPPORT=yes (which admittedly, probably doesn't make sense,
but the build system doesn't prevent this case today, and it didn't when
I filed the bug back in 2011 either).

MFC after:	2 weeks
PR:		159745
2017-01-02 20:29:50 +00:00
Jung-uk Kim
46f6fa3cba Prefer ACFLAGS over CFLAGS for compiling aarch64 assembly files. 2016-10-26 20:12:30 +00:00
Jung-uk Kim
7518a9bd2b Build OpenSSL assembly sources for aarch64. Tested with ThunderX by andrew. 2016-10-26 20:02:22 +00:00
Jung-uk Kim
f1fe58d376 Merge OpenSSL 1.0.2j. 2016-09-26 14:22:17 +00:00
Jung-uk Kim
aeb5019c48 Merge OpenSSL 1.0.2i. 2016-09-22 13:27:44 +00:00
Bryan Drewery
776d5e11e9 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	EMC / Isilon Storage Division
2016-08-31 19:30:46 +00:00
Kurt Lidl
b2af61ec69 Add refactored blacklist support to sshd
Change the calls to of blacklist_init() and blacklist_notify to be
macros defined in the blacklist_client.h file.  This avoids
the need for #ifdef USE_BLACKLIST / #endif except in the
blacklist.c file.

Remove redundent initialization attempts from within
blacklist_notify - everything always goes through
blacklistd_init().

Added UseBlacklist option to sshd, which defaults to off.
To enable the functionality, use '-o UseBlacklist=yes' on
the command line, or uncomment in the sshd_config file.

Reviewed by:	des
Approved by:	des
MFC after:		1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D7051
2016-08-30 14:09:24 +00:00
Jung-uk Kim
69afce5e64 Prefer C-style comments in assembly sources. 2016-08-22 21:49:17 +00:00
Jung-uk Kim
0f7bb790d3 Fix white spaces in assembly sources. 2016-08-22 21:30:59 +00:00
Jung-uk Kim
43e4bca77d Build OpenSSL assembly sources for arm. Tested with Raspberry Pi 2 Model B.
MFC after:	1 week
2016-08-22 20:59:34 +00:00
Jung-uk Kim
d8a16c14cb Disable assembly sources when compiler/assembler cannot compile certain
instructions.  For example, GCC 4.2.1 + binutils 2.17.50 does not support
AVX instructions.

Reported by:	bde
MFC after:	2 weeks
2016-08-17 22:13:39 +00:00
Ed Schouten
5f521d7ba7 Make libcrypt thread-safe. Add crypt_r(3).
glibc has a pretty nice function called crypt_r(3), which is nothing
more than crypt(3), but thread-safe. It accomplishes this by introducing
a 'struct crypt_data' structure that contains a buffer that is large
enough to hold the resulting string.

Let's go ahead and also add this function. It would be a shame if a
useful function like this wouldn't be usable in multithreaded apps.
Refactor crypt.c and all of the backends to no longer declare static
arrays, but write their output in a provided buffer.

There is no need to do any buffer length computation here, as we'll just
need to ensure that 'struct crypt_data' is large enough, which it is.
_PASSWORD_LEN is defined to 128 bytes, but in this case I'm picking 256,
as this is going to be part of the actual ABI.

Differential Revision:	https://reviews.freebsd.org/D7306
2016-08-10 15:16:28 +00:00
Glen Barber
faebc97a1c Revert r301551, which added blacklistd(8) to sshd(8).
This change has functional impact, and other concerns raised
by the OpenSSH maintainer.

Requested by:	des
PR:		210479 (related)
Approved by:	re (marius)
Sponsored by:	The FreeBSD Foundation
2016-06-24 23:22:42 +00:00
Bryan Drewery
8779595527 DIRDEPS_BUILD: Update dependencies
Approved by:	re (gjb)
Sponsored by:	EMC / Isilon Storage Division
2016-06-14 16:55:05 +00:00
Kurt Lidl
c0cc364181 Add blacklist support to sshd
Reviewed by:	rpaulo
Approved by:	rpaulo (earlier version of changes)
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5915
2016-06-07 16:18:09 +00:00
Jung-uk Kim
bbe0cb3df6 Regen x86 assembly files for r299480. 2016-05-11 20:11:21 +00:00
Jung-uk Kim
207be92102 Set CC environment variable for Perl scripts. This is for detecting
assembler/compiler capabilities, e.g., AVX instructions.
2016-05-11 20:06:23 +00:00
Jung-uk Kim
82d668d29c Refine comments to add its origin. 2016-05-11 19:59:05 +00:00
Ed Maste
94e989e75f libcrypto: add "Do not modify" comment to generated source files
Reviewed by:	jkim
Differential Revision:	https://reviews.freebsd.org/D6237
2016-05-11 16:53:56 +00:00
Jung-uk Kim
169235ef8a Enable linker error if libcrypto.so contains a relocation against text. It
is position independent on all platforms since r299389.

Submitted by:	kib
2016-05-11 16:45:58 +00:00
Jung-uk Kim
cdeae6df97 Make libcrypto.so position independent on i386. 2016-05-10 20:31:09 +00:00