OpenSSL 3 supports a modular architecture, allowing different providers
to bring specific implementations of cryptographical algorithms. This
change makes sure the FIPS module matches build instructions used for
libcrypto.
Sponsored by: The FreeBSD Foundation
Pull Request: https://github.com/freebsd/freebsd-src/pull/787
libcrypto intends to provide these routines on little-endian 64-bit
targets. This was previously done by including them in the ASM_aarch64
and ASM_amd64 blocks in the Makefile, but this excluded powerpc64le and
riscv64.
Reported by: ci.freebsd.org
Reviewed by: jrtc27
Fixes: b077aed33b ("Merge OpenSSL 3.0.9")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40749
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.
Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0. For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0. Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1. The process of updating to contemporary APIs can continue after
this merge.
Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit. Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.
There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy).
Investigation will continue for these.
Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.
Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.
PR: 271615
PR: 271656 [exp-run]
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
most programs in ports are looking for .pc files in order to get the
necessary information on how to compile and link against openssl.
The ports now also has a way to hide or force a path for pkgconf.
Providing .pc files along with openssl in base will allow (once all
the supported version of FreeBSD has it) so improve the framework to
deal with openssl in base vs openssl in ports (and libressl)
This will also greatly reduce the number of patches necessary to
workaround the build systems which only knows how to detect where
openssl is installed via pkgconf.
PR: 266051
MFC After: 3 weeks
Reviewed by: jkim, delphij
Exp-run by: antoine
Differential Revision: https://reviews.freebsd.org/D36360
This file is full of strict aliasing violations. Previously it was only
optimised in ways that broke the code by CHERI LLVM, but now it appears
that the in-tree LLVM also breaks it for RISC-V, resulting in broken
ECDSA signature validation with error messages like the following:
root@unmatched:/usr/src # ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key is not a key file.
root@unmatched:/usr/src # git fetch
fatal: unable to access 'https://git.FreeBSD.org/src.git/': error:1012606B:elliptic curve routines:EC_POINT_set_affine_coordinates:point is not on curve
Reviewed by: dim, jkim
Obtained from: CheriBSD
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35885
This is useful for upgrade and also to make tiny jail so they won't
depend on FreeBSD-utilities (where openssl was packaged before).
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D30081
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.
Note that TLS 1.3 only supports TX offload.
A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.
Reviewed by: jkim (earlier version)
Approved by: secteam
Obtained from: OpenSSL (patches from master)
MFC after: 1 week
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D28273
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.
Reviewed by: bapt, gjb
Differential Revision: https://reviews.freebsd.org/D21503
Since OpenSSL 1.1.1, the good old BSD-specific cryptodev engine has been
deprecated in favor of this new engine. However, this engine is not
throughly tested on FreeBSD because it was originally written for Linux.
http://cryptodev-linux.org/
Also, the author actually meant to enable it by default on BSD platforms but
he failed to do so because there was a bug in the Configure script.
https://github.com/openssl/openssl/pull/7882
Now they found that it was more generic issue.
https://github.com/openssl/openssl/pull/7885
Therefore, we need to enable this engine on head to give it more exposure.
So that it will be regenerated after Makefile changes affecting the
file's content - specifically, the OpenSSL 1.1.1 update adds a DATE
macro which did not exist previously.
Sponsored by: The FreeBSD Foundation
Prior to this change libcrypto ended up with a .text relocation.
Submitted by: Rafael Espíndola (earlier version)
Reviewed by: kib
Approved by: so (glebius)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6164
Since METAMODE has been added, sys.mk loads bsd.mkopt.mk which ends load loading
bsd.own.mk which then defines SHLIBDIR before all the Makefile.inc everywhere.
This makes /lib being populated again.
Reported by: many
Some users build FreeBSD as non-root in Perforce workspaces. By default,
Perforce sets files read-only unless they're explicitly being edited.
As a result, the -f argument must be used to cp in order to override the
read-only flag when copying source files to object directories. Bare use of
'cp' should be avoided in the future.
Update all current users of 'cp' in the src tree.
Reviewed by: emaste
MFC after: 1 week
Sponsored by: Spectra Logic
