Commit Graph

853 Commits

Author SHA1 Message Date
Graham Percival
c7c3ef8949 manuals: Remove trailing spaces
Some checks are pending
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-14, /usr/lib/llvm-14/bin, ubuntu-22.04, bmake libarchive-dev clang-14 lld-14, amd64, amd64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-14, /usr/lib/llvm-14/bin, ubuntu-22.04, bmake libarchive-dev clang-14 lld-14, arm64, aarch64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-18, /opt/homebrew/opt/llvm@18/bin, macos-latest, bmake libarchive llvm@18, amd64, amd64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-18, /opt/homebrew/opt/llvm@18/bin, macos-latest, bmake libarchive llvm@18, arm64, aarch64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-18, /usr/lib/llvm-18/bin, ubuntu-24.04, bmake libarchive-dev clang-18 lld-18, amd64, amd64) (push) Waiting to run
Cross-build Kernel / ${{ matrix.target_arch }} ${{ matrix.os }} (${{ matrix.compiler }}) (clang-18, /usr/lib/llvm-18/bin, ubuntu-24.04, bmake libarchive-dev clang-18 lld-18, arm64, aarch64) (push) Waiting to run
This does not change the rendered ascii at all.

Signed-off-by:	Graham Percival <gperciva@tarsnap.com>
Reviewed by:	mhorne, Alexander Ziaee <concussious.bugzilla@runbox.com>
MFC after:	3 days
Sponsored by:	Tarsnap Backup Inc.
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1473
2024-11-04 11:26:14 -04:00
Simon J. Gerraty
a64729f507 Update Makefile.depend files
After building packages we have a number of new
and updated Makefile.depend files

Reviewed by:	stevek
2024-10-14 10:26:17 -07:00
Enji Cooper
cc717b574d Update config/build info for OpenSSL 3.0.15
This is a companion commit to the OpenSSL 3.0.15 update.

`opensslv.h` was regenerated via the following process:

```
cd crypto/openssl
./config
git reset --hard
gmake include/openssl/opensslv.h
```

`Makefile.inc` has been updated to match.

MFC after:	1 week
MFC with:	a7148ab39c
Differential Revision:	https://reviews.freebsd.org/D46603
2024-09-07 21:34:18 -07:00
Gordon Tetlow
86dd740dd7
openssl: Remove fips module from base system.
To comply with FIPS 140 guidance, you must be using a specifically
validated and approved version of the fips module. Currently, only
OpenSSL 3.0.8 and 3.0.9 have been approved by NIST for FIPS 140
validation. As such, we need to stop shipping later versions of the
module in the base system.

MFC after:	1 week
Differential Revision: https://reviews.freebsd.org/D46223
2024-08-31 09:24:30 -07:00
Warner Losh
e9ac41698b Remove residual blank line at start of Makefile
This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix
2024-07-15 16:43:39 -06:00
Enji Cooper
303596eac3 Update config/build info for OpenSSL
This is a companion commit to the OpenSSL 3.0.14 update.

MFC after:      3 days
MFC with:       44096ebd22
2024-06-26 16:51:25 -07:00
Brooks Davis
5ffb5c849c openssl: don't export nonexistant symbols
These are all OpenSSL 1.1.0 and 1.1.1 symbols that aren't present in our
OpenSSL 3.0 builds.

Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D44249
2024-04-22 21:28:51 +01:00
Enji Cooper
572948d00d Revert "OpenSSL: use the upstream provided version.map files for the fips/legacy providers"
This change is still under review and should not have been merged
directly to main (yet).

This is a case and point for using `push.default` to nothing instead of
matching or simple.

This reverts commit 42ce242e35.
2024-04-21 09:58:31 -07:00
Enji Cooper
42ce242e35 OpenSSL: use the upstream provided version.map files for the fips/legacy providers
This change introduces a static copy of the fips and legacy linker version maps
generated by the OpenSSL 3.0.13 build process.

This unbreaks the fips and legacy providers by not exposing unnecessary
symbols from the fips/legacy provider shared objects shared with other
providers (base, default) and libcrypto.

More discussion:

Prior to this change, loading the fips provider indirectly from a
FreeBSD 14.0-CURRENT and 15.0-CURRENT host would result in a
process-wide deadlock when invoking select OpenSSL APIs
(CONF_modules_load* in this particular example).

Speaking with the upstream maintainers [1], it became obvious that
the FreeBSD base system was incorrectly building/linking the fips
provider, resulting in a symbol collision at runtime, and thus a
process-wide deadlock in specific circumstances. The fips provider
would deadlock when trying to acquire a write lock on internal
structures which should have only been available to the base and
default providers, as certain preprocessor ifdefs only allow specific
internal calls to be made with the base and default providers.

1. https://github.com/openssl/openssl/issues/24202

Differential Revision:	https://reviews.freebsd.org/D44892
2024-04-21 09:35:19 -07:00
Kyle Evans
0d3b2bdbf7 caroot: routine update
Changes:
- One (1) modified
- Eight (8) added
- One (1) expired, now untrusted

MFC after:	3 days
2024-02-11 00:35:16 -06:00
Cy Schubert
74fe298c82 OpenSSL: Update version strings
Reported by:	"Herbert J. Skuhra" <herbert@gojira.at>
Fixes:		9eb4e0b42d
MFC after:	3 days
2024-02-02 16:34:36 -08:00
Ed Maste
069ac18495 ssh: Update to OpenSSH 9.6p1
From the release notes,

> This release contains a number of security fixes, some small features
> and bugfixes.

The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol.  The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.

Full release notes at https://www.openssh.com/txt/release-9.6

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2024-01-04 22:16:30 -05:00
Mark Johnston
e655cc70df ossl: Move arm_arch.h to a common subdirectory
OpenSSL itself keeps only a single copy of this header.  Do the same in
sys/crypto/openssl to avoid the extra maintenance burden.  This requires
adjusting the include paths for generated asm files.

No functional change intended.

Reported by:	jrtc27
Reviewed by:	jhb
MFC after:	3 months
Differential Revision:	https://reviews.freebsd.org/D42866
2023-12-04 12:29:11 -05:00
Warner Losh
c8813424c9 secure: Automated cleanup of cdefs and other formatting
Apply the following automated changes to try to eliminate
no-longer-needed sys/cdefs.h includes as well as now-empty
blank lines in a row.

Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/
Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/
Remove /\n+#if.*\n#endif.*\n+/
Remove /^#if.*\n#endif.*\n/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/
Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/

Sponsored by:		Netflix
2023-11-26 22:23:59 -07:00
Warner Losh
174c0ac687 secure: Remove ancient SCCS tags.
Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by:		Netflix
2023-11-26 22:23:29 -07:00
Ed Maste
5f4c09dd85 Track upstream project rename in contrib/blocklistd
Upstream is now https://github.com/zoulasc/blocklist/.  Rename the
contrib directory and update Makefiles to match, in advance of the next
vendor branch update.

Sponsored by:	The FreeBSD Foundation
2023-11-03 16:53:04 -04:00
Ed Maste
ad991e4c14 OpenSSL: update to 3.0.12
OpenSSL 3.0.12 addresses:

 * Fix incorrect key and IV resizing issues when calling
   EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2()
   with OSSL_PARAM parameters that alter the key or IV length
   ([CVE-2023-5363]).

Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2023-10-24 14:55:56 -04:00
Pierre Pronchery
6f1af0d7d2 OpenSSL: update to 3.0.11
OpenSSL 3.0.11 addresses:

    POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)

Relnotes:	Yes
Pull request:	https://github.com/freebsd/freebsd-src/pull/852
Sponsored by:	The FreeBSD Foundation
2023-10-09 15:00:26 -04:00
Andrew Turner
c97a82d4a4 libcrypto: Copy the arm64 header when building asm
It may be needed when it's updated so is best to keep in sync with the
assembly files.

Reviewed by:	emaste
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D41938
2023-09-22 18:15:13 +01:00
Pierre Pronchery
8f37b3a142 libcrypto: fix the FIPS provider on amd64
This corrects the list of source files required for the FIPS provider.

To test:

```
INSTALL PASSED
enter AES-128-CBC encryption password:
Verifying - enter AES-128-CBC encryption password:
U2FsdGVkX1+MGm7LbZou29UWU+KAyBX/PxF5T1pO9VM=
```

Reviewed by:	emaste
Fixes:		b077aed33b ("Merge OpenSSL 3.0.9")
Sponsored by:	The FreeBSD Foundation
Pull Request:	https://github.com/freebsd/freebsd-src/pull/837
Differential Revision: https://reviews.freebsd.org/D41720
2023-09-21 11:38:02 -04:00
Pierre Pronchery
b15b395216 libcrypto: complete the support for the 0.9.8 API
When importing OpenSSL 3 in base, some but not all source files
implementing the deprecated 0.9.8 API were imported. With this change,
it becomes possible again to compile software targeting this API.

PR:		272220
Fixes:		b077aed33b ("Merge OpenSSL 3.0.9")
Reviewed by:	emaste
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Pull Request:	https://github.com/freebsd/freebsd-src/pull/851
2023-09-21 11:07:24 -04:00
Pierre Pronchery
1a18383a52 libcrypto: link engines and the legacy provider to libcrypto
OpenSSL's legacy provider module and engines need to link to
libcrypto.so, as it provides some of the actual implementations of
legacy routines.

This is a little tricky due to build order issues.  Introduce a small
hack (LIBCRYPTO_WITHOUT_SUBDIRS) that builds libcrypto.so in its usual
early phase without any OpenSSL provider modules or engines.  This is
intended to restore the test suite; a future change should remove the
hack and replace it with a better approach.

PR:		254853, 273528
Discussed with:	Folks at EuroBSDCon in Coimbra
Sponsored by:	The FreeBSD Foundation
2023-09-16 16:55:12 +01:00
John Baldwin
47d997021f libcrypto: Switch back to the generated assembly in sys/crypto/openssl
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D41569
2023-08-29 14:46:44 -07:00
John Baldwin
73653b72af libcrypto: Add buildasm and cleanasm targets
These targets generate all the assembly files in sys/crypto/openssl.

Reviewed by:	markj, emaste (earlier version)
Differential Revision:	https://reviews.freebsd.org/D41590
2023-08-29 14:43:51 -07:00
John Baldwin
c0fe6b9d75 libcrypto: Refactor Makefile.asm so it can be run outside of buildenv
Currently Makefile.asm relies on the current buildenv to set CFLAGS
for i386.  The current approach also leaves various temporary *.s
files around in the current directory.  To make this a bit better:

- Instead of using CFLAGS from buildenv for i386, define the actual
  flags the perl scripts need: -DOPENSSL_IA32_SSE2 to enable SSE2.

- Change i386 to have the perl scripts write to /dev/stdout to avoid
  creating temporaries.  Previously i386 was generating the temporary
  files in the OpenSSL contrib src.

- Cleanup temporary *.s files in the all target after generating the
  real *.S files for architectures which need them.

- Remove a duplicate rule for aes-armv4.S.

Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D41589
2023-08-29 14:39:36 -07:00
John Baldwin
7406b6f976 Makefile.asm: Simplify variable expansions in generated headers
The :R:S expressions removed the .pl extension only to add it back
again, so just trim them to using :T alone.

Reviewed by:	Pierre Pronchery <pierre@freebsdfoundation.org>, markj, emaste
Differential Revision:	https://reviews.freebsd.org/D41588
2023-08-29 14:38:27 -07:00
Kyle Evans
8ed0ecf802 caroot: regenerate the root bundle with OpenSSL 3
No functional change intended.
2023-08-25 20:16:36 -05:00
Kyle Evans
65fd80909e caroot: update the root bundle
Summary:
- Six (6) new roots
- Four (4) distrusted roots

Note that this was intentionally generated with OpenSSL 1.1.1 to avoid
mixing updates and non-functional changes -- there will be some churn
with OpenSSL 3.  The next commit will update the current batch of
trusted certs with the format OpenSSL 3 produces, which I've tested
against OpenSSL 1.1.1 to be sure that that doesn't hurt us in older
branches.
2023-08-25 20:16:36 -05:00
Kyle Evans
3f84d4b0fe caroot: drop the VERSION tag from already-processed certs
An update is imminent; drop these now to make it easier to audit the
results.
2023-08-25 20:16:36 -05:00
Kyle Evans
bbc8585ef5 caroot: drop VERSION tags from certs
With this change, we'll drop the "with $FreeBSD$" lines from trusted/
certs in the next update. untrusted/ will need to be done manually, but
I'll likely just do them all manually, commit, then run the script and
commit any legitimate updates after confirming the output matches what
I did manually.

Reported by:	imp
Reviewed by:	imp
Differential Revision:	https://reviews.freebsd.org/D41597
2023-08-25 20:16:35 -05:00
John Baldwin
80e9ea426c Makefile.asm: Drop mention of $FreeBSD$ from instructions. 2023-08-22 14:48:40 -07:00
John Baldwin
3250c9d527 libcrypto: Update assembly build glue for x86 for OpenSSL 3.0.
Notably, define AES_ASM which is required for any AES acceleration
(OpenSSL 1.0 gated all AES acceleration on OPENSSL_CPUID_OBJ instead).
Enabling this exposed that new assembly files added in OpenSSL 3.0
needed to be included in the build (aes-x86-64.S and aes-586.S).  Both
of these files supplant both aes_core.c and aes_cbc.c.  The last file
had to be moved out of the MI SRCS line for aes and into each ASM_*
for non-x86.

As part of this I audited the generated configdata.pm for amd64, i386,
and aarch64 and found the following additional discrepecancies that are
fixed here as well:

- Enabled BSAES_ASM on amd64 which requires bsase-x86_64.S

- Enabled WHIRLPOOL_ASM on amd64 (asm sources already built)

- Enabled CMLL_ASM on amd64 and i386 (asm sources already built)

aarch64 had no discreprecancies in configdata.pm, and no *.pl asm
generators were missing for aarch64 in Makefile.asm.  I did not check
powerpc or armv7, but for armv7 all of the asm generators seem to be
present in Makefile.asm.

Reported by:	gallatin (AES-GCM using plain software on amd64)
Reviewed by:	gallatin, ngie, emaste
Differential Revision:	https://reviews.freebsd.org/D41539
2023-08-21 21:02:42 -07:00
John Baldwin
74d73bb743 libcrypto: Generate new files added in OpenSSL 3.0.
Reviewed by:	gallatin, ngie, emaste
Differential Revision:	https://reviews.freebsd.org/D41538
2023-08-21 21:02:29 -07:00
John Baldwin
f3cac6c020 libcrypto: Add new assembly files added in OpenSSL 3.0.
This only affects amd64 and i386, but in particular includes wrappers
for AES encryption/decryption that gate all of the accelerated AES.

Reviewed by:	gallatin, ngie, emaste
Differential Revision:	https://reviews.freebsd.org/D41537
2023-08-21 21:02:12 -07:00
John Baldwin
7a56f5af71 libcrypto: Don't embed $FreeBSD$ in generated assembly files
Reviewed by:	gallatin, ngie, emaste
Differential Revision:	https://reviews.freebsd.org/D41536
2023-08-21 21:01:48 -07:00
Ed Maste
57a3b81785 libcrypto: add rsa_depr.c to the build
It provides the RSA_generate_key function, which is deprecated as of
3.0 but is used by various ports.

Reviewed by:	kbowling
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41506
2023-08-18 16:15:48 -04:00
Ed Maste
e5e6a86535 libcrypto: add err_all_legacy.c to the build
It provides the ERR_load_*_strings routines, which are deprecated as of
3.0 but are used by various ports.

PR:		272580
Reviewed by:	kbowling
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D41505
2023-08-18 14:56:22 -04:00
Warner Losh
d0b2dbfa0e Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
2023-08-16 11:55:03 -06:00
Warner Losh
1d386b48a5 Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
2023-08-16 11:54:42 -06:00
Warner Losh
2a63c3be15 Remove $FreeBSD$: one-line .c comment pattern
Remove /^/[*/]\s*\$FreeBSD\$.*\n/
2023-08-16 11:54:29 -06:00
Warner Losh
b3e7694832 Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
2023-08-16 11:54:16 -06:00
Pierre Pronchery
aa79573457 OpenSSL: update to 3.0.10
OpenSSL 3.0.10 addresses:
- CVE-2023-3817
- CVE-2023-3446
- CVE-2023-2975

(Note that the vendor branch commit incorrectly referenced 3.0.9.)

Relnotes:	Yes
Pull request:	https://github.com/freebsd/freebsd-src/pull/808
Sponsored by:	The FreeBSD Foundation
2023-08-10 12:07:32 -04:00
Doug Rabson
1d7ffb373c pkgbase: reorganise caroot and openssl packages
This splits out the certctl utility into a new certctl package and the
openssl libs into an openssl-lib package.

PR:		272816
Reviewed by:	manu
Differential Revision: https://reviews.freebsd.org/D41321
2023-08-05 09:30:35 +01:00
Pierre Pronchery
1c42ed54bf libcrypto: add missing symbols to the FIPS provider
The fips.so provider module exposing FIPS-validated algorithms was still
missing a number of symbols.

PR:		272454
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D41018
2023-07-20 15:05:12 -04:00
Kristof Provost
ebd508a0b2 openssl: include d2i_KeyParams() and d2i_KeyParams_bio()
These functions are new, and some ports (e.g.opensc) expect to have them
available. Add the file they're defined in to the build, and add them
to Version.map.

PR:		270076
Reviewed by:	markj, emaste, pierre
Fixes:	b077aed33b ("Merge OpenSSL 3.0.9")
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D40914
2023-07-09 15:18:21 +02:00
Pierre Pronchery
544deacc90 libcrypto: group definitions for libcrypto and fips
OpenSSL 3 supports a modular architecture, allowing different providers
to bring specific implementations of cryptographical algorithms. This
change makes sure the FIPS module matches build instructions used for
libcrypto.

Sponsored by:	The FreeBSD Foundation
Pull Request:	https://github.com/freebsd/freebsd-src/pull/787
2023-07-05 16:00:54 -04:00
Pierre Pronchery
4a3cc17e31 libcrypto: expand the common Makefile for providers
OpenSSL 3 supports a modular architecture, allowing different providers
to bring specific implementations of cryptographical algorithms. This
change adds mandatory source files to every provider.

Sponsored by:	The FreeBSD Foundation
Pull Request:	https://github.com/freebsd/freebsd-src/pull/787
2023-07-05 16:00:54 -04:00
Pierre Pronchery
7a991ecd1a libcrypto: add missing symbols to the fips provider
OpenSSL 3 supports a modular architecture, allowing different providers
to bring specific implementations of cryptographical algorithms. One
such provider, "fips", ships with OpenSSL 3 directly, and groups
algorithms that can be FIPS 140-2 validated.

The import of OpenSSL 3.0.9 was building this provider incorrectly,
missing symbols required for proper operation.

In addition, without the change in OpenSSL's crypto/bn/bn_const.c, the
FIPS module fails loading: `Undefined symbol "ossl_bignum_modp_1536_p"`.
This change is consistent with crypto/bn/bn_dh.c though.

Sponsored by:	The FreeBSD Foundation
Pull Request:	https://github.com/freebsd/freebsd-src/pull/787
2023-07-05 16:00:54 -04:00
Pierre Pronchery
87e08018b1 libcrypto: add missing symbols to the legacy provider
OpenSSL 3 supports a modular architecture, allowing different providers
to bring specific implementations of cryptographical algorithms. One
such provider, "legacy", ships with OpenSSL 3 directly, and groups
obsoleted algorithms that can still optionally be used anyway.

The import of OpenSSL 3.0.9 was building this provider incorrectly,
missing symbols required for proper operation.

Sponsored by:	The FreeBSD Foundation
Pull Request:	https://github.com/freebsd/freebsd-src/pull/787
2023-07-05 16:00:53 -04:00
Mark Johnston
8e7046ff29 libcrypto: Revert recent changes to fix legacy and fips providers
They break the !amd64 builds due to an underspecified include path and
will be re-applied once that's fixed.

Reported by:	Ronald Klop <ronald-lists@klop.ws>
2023-07-04 16:38:26 -04:00