Commit Graph

749 Commits

Author SHA1 Message Date
kevans
03fb2b6f1e carrot: update bundle
Stats:
- Seven (7) removed
- Four (4) added

MFC after:	3 days
2020-08-29 02:46:25 +00:00
jkim
10c9cacb42 Regen X86 assembly files after r364822. 2020-08-26 16:56:44 +00:00
kevans
fa9e237d3d caroot: switch to using echo+shell glob to enumerate certs
This solves an issue on stable/12 that causes certs to not get installed.
ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up
blank and nothing gets installed. We don't really require anything
ls-specific, though, so let's just simplify it.

MFC after:	3 days
2020-08-23 23:56:57 +00:00
jhb
6370d3a20f Fix a typo in the cpp macro defined for PIC.
In practice this isn't used in OpenSSL outside of some sparc-specific
code.

Reviewed by:	delphij
Differential Revision:	https://reviews.freebsd.org/D26058
2020-08-13 20:28:35 +00:00
cem
aca1b4e63b Replace OPENSSL_NO_SSL3_METHODs with dummies
SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
should not have shipped in FreeBSD 11 (2016) or 12 (2018).  No one should use
it, and if they must, they can use some implementation outside of base.

There are three symbols removed with OPENSSL_NO_SSL3_METHOD:

SSLv3_client_method
SSLv3_method
SSLv3_server_method

These symbols exist to request an explicit SSLv3 connection to a server.
There is no good reason for an application to link or invoke these symbols
instead of TLS_method(), et al (née SSLv23_method, et al).  Applications
that do so have broken cryptography.

Define these symbols for some pedantic definition of ABI stability, but
remove the functionality again (r361392) after r362620.

Reviewed by:	gordon, jhb (earlier-but-equivalent version both)
Discussed with:	bjk, kib
Differential Revision:	https://reviews.freebsd.org/D25493
2020-07-01 00:59:28 +00:00
gordon
d4b59ea833 Revert OPENSSL_NO_SSL3_METHOD to keep ABI compatibility.
This define caused a couple of symbols to disappear. To keep ABI
compatibility, we are going to keep the symbols exposed, but leave SSLv3 as
not in the default config (this is what OPENSSL_NO_SSL3 achieves). The
ramifications of this is an application can still use SSLv3 if it
specifically calls the SSLv3_method family of APIs.

Reported by:	kib, others
Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D25451
2020-06-25 19:35:37 +00:00
tijl
4f66341ce7 Install 32-bit libcrypto engines in /usr/lib32/engines instead of
/usr/lib32 and let 32-bit libcrypto search that location instead of
/usr/lib/engines.

Reviewed by:	jkim
2020-06-01 18:58:09 +00:00
gordon
a79d65915c Remove support for SSLv3 from the OpenSSL build.
This is the default configuration in OpenSSL 1.1.1 already. This moves
to align with that default.

Reported by:	jmg
Approved by:	jkim, cem, emaste, philip
Differential Revision:	https://reviews.freebsd.org/D24945
2020-05-22 16:53:39 +00:00
jkim
2cab490663 Merge OpenSSL 1.1.1g. 2020-04-21 19:38:32 +00:00
jkim
ad8f31575b Merge OpenSSL 1.1.1f. 2020-03-31 15:47:55 +00:00
jkim
4770df60f3 Reduce diff with the vendor version. No functional change. 2020-03-18 02:20:03 +00:00
jkim
75ab9779fe Merge OpenSSL 1.1.1e. 2020-03-18 02:13:12 +00:00
kevans
5dd1654222 pkgbase: fix caroot packaging and add post-install script
The original intention for caroot was to be packaged separately, perhaps so
that users can have a more/less conservative upgrade policy for this
separated from the rest of base.

secure/caroot/Makefile doesn't have anything interesting to package, but its
subdirectories might. Move the PACKAGE= to Makefile.inc so both blacklisted
and trusted get packaged consistently into the correct one rather than the
default -utilities. Also tag the directories for package=caroot, as they
could also be empty; blacklisted is empty by default, but trusted is not.

Add a post-install script to do certctl rehash, along with a note should we
eventually come up with a way to detect that files have been added or
removed that requires a rehash.

-caroot gets a dependency on -utilities, as that's where we provide certctl
at the moment. We can perhaps reconsider this and put certctl into this
package in the future, but there are some bits within -utilities that
unconditionally invoke certctl so let's hold off for now.

Reviewed by:	manu (earlier version, before -utilities dep added)
Differential Revision:	https://reviews.freebsd.org/D23352
2020-01-29 18:47:08 +00:00
kevans
1d512ca4f7 caroot: blacklisted: automatically pick up *.pem in the tree
This kind of automagica got picked up in trusted/ prior to the initial
commit, but never got applied over in blacklisted. Ideally no one will be
using blacklisted/ to store arbitrary certs that they don't intend to
blacklist, so we should just install anything that's in here rather than
force consumer to first copy cert into place and then modify the file
listing in the Makefile.

Wise man once say: "it is better to restrict too much, than not enough.
sometimes."
2020-01-28 03:02:18 +00:00
kevans
d0d87a9fe7 caroot: use bsd.obj.mk, not bsd.prog.mk
This directory stages certdata into .OBJDIR and processes it, but does not
actually build a prog-shaped object; bsd.obj.mk provides the minimal support
that we actually need, an .OBJDIR and descent into subdirs. This is
admittedly the nittiest of nits.
2020-01-24 16:43:02 +00:00
jkim
772217fb1b Install man5 and man7 for OpenSSL.
Note config.5 and crypto.7 are not installed because we have conflicts.

Requested by:	phk
MFC after:	1 month
2020-01-22 01:15:57 +00:00
sjg
16923f2426 Update Makefile.depend files
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
2019-12-11 17:37:53 +00:00
sjg
7ee5f04e26 Add Makefile.depend.options
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend

DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options

See share/mk/dirdeps-options.mk

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22469
2019-12-11 17:37:37 +00:00
kevans
2c86a3dbde caroot update to latest tip: one (1) addition, none (0) removed
Added:
- Entrust Root Certification Authority - G4
2019-12-04 02:59:50 +00:00
kevans
3f9110bf50 caroot: commit initial bundle
Interested users can blacklist any/all of these with certctl(8), examples:

- mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
    certctl rehash
- certctl blacklist /usr/share/certs/trusted/*; \
    certctl rehash

Certs can be easily examined after installation with `certctl list`, and
certctl blacklist will accept the hashed filename as output by list or as
seen in /etc/ssl/certs

No objection from:	secteam
Relnotes:	Definite maybe
2019-10-04 02:34:20 +00:00
kevans
c13136b1b6 caroot: add @generated tags to extracted .pem
As is the current trend; while these files are manually curated, they are
still generated.  If they end up in a review, it would be helpful to also
take the hint and hide them.
2019-10-02 01:27:50 +00:00
kevans
4ed49b4dcb [1/3] Initial infrastructure for SSL root bundle in base
This setup will add the trusted certificates from the Mozilla NSS bundle
to base.

This commit includes:
- CAROOT option to opt out of installation of certs
- mtree amendments for final destinations
- infrastructure to fetch/update certs, along with instructions

A follow-up commit will add a certctl(8) utility to give the user control
over trust specifics. Another follow-up commit will actually commit the
initial result of updatecerts.

This work was done primarily by allanjude@, with minor contributions by
myself.

No objection from:	secteam
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D16856
2019-10-02 01:05:29 +00:00
jkim
556ce8d8d3 Merge OpenSSL 1.1.1d. 2019-09-10 21:08:17 +00:00
manu
5fc62085dd pkgbase: Put a lot of binaries and lib in FreeBSD-runtime
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.

Reviewed by:    bapt, gjb
Differential Revision:  https://reviews.freebsd.org/D21503
2019-09-05 14:13:08 +00:00
jkim
5b4ef83c65 Merge OpenSSL 1.1.1c. 2019-05-28 21:54:12 +00:00
des
cf475d661f Add workaround for a QoS-related bug in VMWare Workstation.
Submitted by:	yuripv
Differential Revision:	https://reviews.freebsd.org/D18636
2019-03-27 15:17:29 +00:00
jkim
d6ebbcc6a2 Merge OpenSSL 1.1.1b. 2019-02-26 19:31:33 +00:00
jkim
53c4fca8e5 Enable devcryptoeng for OpenSSL.
Since OpenSSL 1.1.1, the good old BSD-specific cryptodev engine has been
deprecated in favor of this new engine.  However, this engine is not
throughly tested on FreeBSD because it was originally written for Linux.

http://cryptodev-linux.org/

Also, the author actually meant to enable it by default on BSD platforms but
he failed to do so because there was a bug in the Configure script.

https://github.com/openssl/openssl/pull/7882

Now they found that it was more generic issue.

https://github.com/openssl/openssl/pull/7885

Therefore, we need to enable this engine on head to give it more exposure.
2018-12-12 21:56:47 +00:00
jkim
af5a2716ea Merge OpenSSL 1.1.1a. 2018-11-20 21:10:04 +00:00
kib
f37256a01f Bump base OpenSSL libraries versions to avoid conflict with port's libraries.
Reported by:	many
Reviewed by:	gjb
Sponsored by:	The FreeBSD Foundation
MFC after:	3 hours
2018-10-25 13:37:57 +00:00
emaste
5f7be1f9c7 libcrypto: have buildinf.h depend on Makefile
So that it will be regenerated after Makefile changes affecting the
file's content - specifically, the OpenSSL 1.1.1 update adds a DATE
macro which did not exist previously.

Sponsored by:	The FreeBSD Foundation
2018-10-05 20:49:54 +00:00
gjb
fcf5119e83 MFH r338661 through r339200.
Sponsored by:	The FreeBSD Foundation
2018-10-05 17:53:47 +00:00
emaste
e0d48e3a14 openssh: connect libressl-api-compat.c and regen config.h
Differential Revision:	https://reviews.freebsd.org/D17390
2018-10-03 16:38:36 +00:00
jkim
683d164a60 Drop pre-AVX toolchain for amd64 and i386 to simplify the makefile.
Especially, head does not support old toolchains because of ifunc support.
2018-10-01 18:16:36 +00:00
jkim
a178e72a82 Remove MD dirdeps from Makefile.depend.
It can't be right. :-(
2018-09-25 22:21:36 +00:00
jkim
e4b73ece31 Make it more meta mode friendly. 2018-09-25 22:15:47 +00:00
jkim
6ac49d7d55 Fix CLEANFILES. 2018-09-25 22:14:52 +00:00
jkim
2ef0b644bd Regen Makefile.depend. 2018-09-25 21:12:36 +00:00
jkim
ace1a9b008 Connect an assembly file for aarch64 to build. 2018-09-22 23:02:45 +00:00
jkim
6ffe902342 Add missing ACFLAGS for aarch64. 2018-09-22 06:50:56 +00:00
jkim
f77ce519bc Fix typos in the previous commit. 2018-09-22 05:59:43 +00:00
jkim
501d69edde Add a missing source file for SHA. 2018-09-22 05:30:55 +00:00
jkim
4764c18aca Add CFLAGS for aarch64/arm assembly files. 2018-09-22 05:16:06 +00:00
jkim
bbc4f61dae Add another include directory for aarch64 and arm. 2018-09-22 04:32:44 +00:00
jkim
9568d517c9 Regen cpuid assembly files for aarch64 and arm. 2018-09-22 03:54:40 +00:00
jkim
0d413d4bb4 Connect assembly files for arm to build. 2018-09-22 02:43:24 +00:00
jkim
18c5ff13a8 Regen assembly files for arm. 2018-09-22 02:42:51 +00:00
jkim
3d40891a01 Connect assembly files for aarch64 to build. 2018-09-22 02:23:42 +00:00
jkim
2a49205fa1 Regen assemply files for aarch64. 2018-09-22 02:23:03 +00:00
jkim
3fe75bf103 Unify opensslconf.h templates.
There is no MD macro in this file any more.
2018-09-21 22:26:00 +00:00