Remove residual blank line at start of Makefile

This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

pkgbase: reorganise caroot and openssl packages

This splits out the certctl utility into a new certctl package and the
openssl libs into an openssl-lib package.

PR: 272816
Reviewed by: manu
Differ

pkgbase: reorganise caroot and openssl packages

This splits out the certctl utility into a new certctl package and the
openssl libs into an openssl-lib package.

PR: 272816
Reviewed by: manu
Differential Revision: https://reviews.freebsd.org/D41321

show more ...

Merge OpenSSL 3.0.9

Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.

Most of the base system has already been u

Merge OpenSSL 3.0.9

Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the
version we were previously using) will be EOL as of 2023-09-11.

Most of the base system has already been updated for a seamless switch
to OpenSSL 3.0. For many components we've added
`-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version,
which avoids deprecation warnings from OpenSSL 3.0. Changes have also
been made to avoid OpenSSL APIs that were already deprecated in OpenSSL
1.1.1. The process of updating to contemporary APIs can continue after
this merge.

Additional changes are still required for libarchive and Kerberos-
related libraries or tools; workarounds will immediately follow this
commit. Fixes are in progress in the upstream projects and will be
incorporated when those are next updated.

There are some performance regressions in benchmarks (certain tests in
`openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy).
Investigation will continue for these.

Netflix's testing showed no functional regression and a rather small,
albeit statistically significant, increase in CPU consumption with
OpenSSL 3.0.

Thanks to ngie@ and des@ for updating base system components, to
antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to
Netflix and everyone who tested prior to commit or contributed to this
update in other ways.

PR: 271615
PR: 271656 [exp-run]
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

show more ...

openssl: install pc files

most programs in ports are looking for .pc files in order to get the
necessary information on how to compile and link against openssl.

The ports now also has a way to hide

openssl: install pc files

most programs in ports are looking for .pc files in order to get the
necessary information on how to compile and link against openssl.

The ports now also has a way to hide or force a path for pkgconf.

Providing .pc files along with openssl in base will allow (once all
the supported version of FreeBSD has it) so improve the framework to
deal with openssl in base vs openssl in ports (and libressl)

This will also greatly reduce the number of patches necessary to
workaround the build systems which only knows how to detect where
openssl is installed via pkgconf.

PR: 266051
MFC After: 3 weeks
Reviewed by: jkim, delphij
Exp-run by: antoine
Differential Revision: https://reviews.freebsd.org/D36360

show more ...

pkgbase: Put openssl in its own package

This is useful for upgrade and also to make tiny jail so they won't
depend on FreeBSD-utilities (where openssl was packaged before).

MFC after: 1 month
Diffe

pkgbase: Put openssl in its own package

This is useful for upgrade and also to make tiny jail so they won't
depend on FreeBSD-utilities (where openssl was packaged before).

MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D30081

show more ...

OpenSSL: Support for kernel TLS offload (KTLS)

This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile

OpenSSL: Support for kernel TLS offload (KTLS)

This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.

Note that TLS 1.3 only supports TX offload.

A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support. It defaults to enabled on amd64 and disabled on all
other architectures.

Reviewed by: jkim (earlier version)
Approved by: secteam
Obtained from: OpenSSL (patches from master)
MFC after: 1 week
Relnotes: yes
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D28273

show more ...

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)

Merge ^/head r364082 through r364250.

Fix a typo in the cpp macro defined for PIC.

In practice this isn't used in OpenSSL outside of some sparc-specific
code.

Reviewed by: delphij
Differential Revision: https://reviews.freebsd.org/D260

Fix a typo in the cpp macro defined for PIC.

In practice this isn't used in OpenSSL outside of some sparc-specific
code.

Reviewed by: delphij
Differential Revision: https://reviews.freebsd.org/D26058

show more ...

Replace OPENSSL_NO_SSL3_METHODs with dummies

SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
should not have shipped in FreeBSD 11 (2016) or 12 (2018). No one should use

Replace OPENSSL_NO_SSL3_METHODs with dummies

SSLv3 has been deprecated since 2015 (and broken since 2014: "POODLE"); it
should not have shipped in FreeBSD 11 (2016) or 12 (2018). No one should use
it, and if they must, they can use some implementation outside of base.

There are three symbols removed with OPENSSL_NO_SSL3_METHOD:

SSLv3_client_method
SSLv3_method
SSLv3_server_method

These symbols exist to request an explicit SSLv3 connection to a server.
There is no good reason for an application to link or invoke these symbols
instead of TLS_method(), et al (née SSLv23_method, et al). Applications
that do so have broken cryptography.

Define these symbols for some pedantic definition of ABI stability, but
remove the functionality again (r361392) after r362620.

Reviewed by: gordon, jhb (earlier-but-equivalent version both)
Discussed with: bjk, kib
Differential Revision: https://reviews.freebsd.org/D25493

show more ...

Merge ^/head r339670 through r339812.

Bump base OpenSSL libraries versions to avoid conflict with port's libraries.

Reported by: many
Reviewed by: gjb
Sponsored by: The FreeBSD Foundation
MFC after: 3 hours

Merge ^/head r339015 through r339669.

Merge the remainder of the projects/openssl111 branch to head.

- Update OpenSSL to version 1.1.1.
- Update Kerberos/Heimdal API for OpenSSL 1.1.1 compatibility.
- Bump __FreeBSD_version.

Approved b

Merge the remainder of the projects/openssl111 branch to head.

- Update OpenSSL to version 1.1.1.
- Update Kerberos/Heimdal API for OpenSSL 1.1.1 compatibility.
- Bump __FreeBSD_version.

Approved by: re (kib)
Sponsored by: The FreeBSD Foundation

show more ...

Build libssl for amd64.

Add OpenSSL symbol version maps.

Note the files are not automatically generated for now.

Catch up with manual page removal from secure/lib/libssl.

Update shlib version to 9.

MFH r289384-r293170

Sponsored by: The FreeBSD Foundation

Catch up with head (r291075).

Merge from head r290483

Clean up OpenSSL makefiles.

Merge from head

Merge OpenSSL 1.0.2d.