openssl: Import OpenSSL 3.0.15.This release incorporates the following bug fixes and mitigations:- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])- Fixed possible buffer o
openssl: Import OpenSSL 3.0.15.This release incorporates the following bug fixes and mitigations:- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])Release notes can be found at:https://openssl-library.org/news/openssl-3.0-notes/index.htmlCo-authored-by: gordonMFC after: 1 weekDifferential Revision: https://reviews.freebsd.org/D46602Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'
show more ...
Update to OpenSSL 3.0.14This release resolves 3 upstream found CVEs:- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)- Fixed an issue where checking excessively
Update to OpenSSL 3.0.14This release resolves 3 upstream found CVEs:- Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741)- Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603)- Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511)MFC after: 3 daysMerge commit '1070e7dca8223387baf5155524b28f62bfe7da3c'
OpenSSL: Vendor import of OpenSSL 3.0.13 * Fixed PKCS12 Decoding crashes ([CVE-2024-0727]) * Fixed Excessive time spent checking invalid RSA public keys ([CVE-2023-6237]) * Fixed POLY1305 MAC
OpenSSL: Vendor import of OpenSSL 3.0.13 * Fixed PKCS12 Decoding crashes ([CVE-2024-0727]) * Fixed Excessive time spent checking invalid RSA public keys ([CVE-2023-6237]) * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129]) * Fix excessive time spent in DH check / generation with large Q parameter value ([CVE-2023-5678])Release notes can be found at https://www.openssl.org/news/openssl-3.0-notes.html.Approved by: emasteMFC after: 3 daysMerge commit '9dd13e84fa8eca8f3462bd55485aa3da8c37f54a'
OpenSSL: update to 3.0.12OpenSSL 3.0.12 addresses: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PAR
OpenSSL: update to 3.0.12OpenSSL 3.0.12 addresses: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length ([CVE-2023-5363]).Relnotes: YesSponsored by: The FreeBSD Foundation
OpenSSL: update to 3.0.11OpenSSL 3.0.11 addresses: POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)Relnotes: YesPull request: https://github.com/freebsd/freebsd
OpenSSL: update to 3.0.11OpenSSL 3.0.11 addresses: POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807)Relnotes: YesPull request: https://github.com/freebsd/freebsd-src/pull/852Sponsored by: The FreeBSD Foundation
OpenSSL: clean up botched merges in OpenSSL 3.0.9 importNo functional change intended.
OpenSSL: update to 3.0.10OpenSSL 3.0.10 addresses:- CVE-2023-3817- CVE-2023-3446- CVE-2023-2975(Note that the vendor branch commit incorrectly referenced 3.0.9.)Relnotes: YesPull request: h
OpenSSL: update to 3.0.10OpenSSL 3.0.10 addresses:- CVE-2023-3817- CVE-2023-3446- CVE-2023-2975(Note that the vendor branch commit incorrectly referenced 3.0.9.)Relnotes: YesPull request: https://github.com/freebsd/freebsd-src/pull/808Sponsored by: The FreeBSD Foundation
Merge OpenSSL 3.0.9Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (theversion we were previously using) will be EOL as of 2023-09-11.Most of the base system has already been u
Merge OpenSSL 3.0.9Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (theversion we were previously using) will be EOL as of 2023-09-11.Most of the base system has already been updated for a seamless switchto OpenSSL 3.0. For many components we've added`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,which avoids deprecation warnings from OpenSSL 3.0. Changes have alsobeen made to avoid OpenSSL APIs that were already deprecated in OpenSSL1.1.1. The process of updating to contemporary APIs can continue afterthis merge.Additional changes are still required for libarchive and Kerberos-related libraries or tools; workarounds will immediately follow thiscommit. Fixes are in progress in the upstream projects and will beincorporated when those are next updated.There are some performance regressions in benchmarks (certain tests in`openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy).Investigation will continue for these.Netflix's testing showed no functional regression and a rather small,albeit statistically significant, increase in CPU consumption withOpenSSL 3.0.Thanks to ngie@ and des@ for updating base system components, toantoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and toNetflix and everyone who tested prior to commit or contributed to thisupdate in other ways.PR: 271615PR: 271656 [exp-run]Relnotes: YesSponsored by: The FreeBSD Foundation
OpenSSL: Merge OpenSSL 1.1.1u(cherry picked from commit 8ecb489345f08012fdc92a202a40119891cac330)
OpenSSL: Merge OpenSSL 1.1.1sMerge commit 'b6b67f23b82101d4c04c89f81d726b902ab77106'
OpenSSL: Merge OpenSSL 1.1.1qMerge commit 'f874e59ffcd8b5ecd018ad8311d78e866340f3e9'
OpenSSL: Merge OpenSSL 1.1.1pMerge commit '54ae8e38f717f22963c2a87f48af6ecefc6b3e9b'
OpenSSL: Merge OpenSSL 1.1.1oMerge commit 'cf0ffd7607ed8f39829c6951a65a55fa1eb3aafe'
OpenSSL: Merge OpenSSL 1.1.1n
Fix a bug in BN_mod_sqrt() that can cause it to loop forever.Obtained from: OpenSSL ProjectSecurity: CVE-2022-0778
OpenSSL: Merge OpenSSL 1.1.1mMerge commit '56eae1b760adf10835560a9ee595549a1f10410f'
Import OpenSSL 1.1.1l
OpenSSL: Update KTLS documentationKTLS support has been changed to be off by default, and configuration isvia a single "option" rather two "modes". Documentation is updatedaccordingly.Reviewed
OpenSSL: Update KTLS documentationKTLS support has been changed to be off by default, and configuration isvia a single "option" rather two "modes". Documentation is updatedaccordingly.Reviewed by: jkimObtained from: OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)MFC after: 5 daysSponsored by: NetflixDifferential Revision: https://reviews.freebsd.org/D31441
Handle partial data re-sending on ktls/sendfile on FreeBSDAdd a handler for EBUSY sendfile error in addition toEAGAIN. With EBUSY returned the data still can be partiallysent and user code has to
Handle partial data re-sending on ktls/sendfile on FreeBSDAdd a handler for EBUSY sendfile error in addition toEAGAIN. With EBUSY returned the data still can be partiallysent and user code has to be notified about it, otherwise itmay try to send data multiple times.PR: 251969Reviewed by: jkimObtained from: OpenSSL (dfcfd17f2818cf520ce6381aed9ec3d2fc12170d)MFC after: 1 weekSponsored by: Netflix (merging to FreeBSD)Differential Revision: https://reviews.freebsd.org/D28714
OpenSSL: Merge OpenSSL 1.1.1jMerge commit '4f55bd5321b72491d4eff396e4928e9ab0706735'
OpenSSL: Support for kernel TLS offload (KTLS)This merges upstream patches from OpenSSL's master branch to addKTLS infrastructure for TLS 1.0-1.3 including both RX and TXoffload and SSL_sendfile
OpenSSL: Support for kernel TLS offload (KTLS)This merges upstream patches from OpenSSL's master branch to addKTLS infrastructure for TLS 1.0-1.3 including both RX and TXoffload and SSL_sendfile support on both Linux and FreeBSD.Note that TLS 1.3 only supports TX offload.A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built withKTLS support. It defaults to enabled on amd64 and disabled on allother architectures.Reviewed by: jkim (earlier version)Approved by: secteamObtained from: OpenSSL (patches from master)MFC after: 1 weekRelnotes: yesSponsored by: NetflixDifferential Revision: https://reviews.freebsd.org/D28273
Merge OpenSSL 1.1.1i.
Merge OpenSSL 1.1.1h.
Merge OpenSSL 1.1.1g.
Merge OpenSSL 1.1.1f.
1234