Commit Graph

912 Commits

Author SHA1 Message Date
Enji Cooper 0881f6cf3f crypto/openssl: update artifacts to match 3.5.7 release
MFC after:	3 days
MFC with:	1523ccfd9
2026-06-10 08:32:35 -07:00
Ed Maste 2574974648 OpenSSH: Update to 10.3p1
Full release notes are available at
https://www.openssh.com/txt/release-10.3

Selected highlights from the release notes:

 * ssh(1), sshd(8): remove bug compatibility for implementations
   that don't support rekeying. If such an implementation tries to
   interoperate with OpenSSH, it will now eventually fail when the
   transport needs rekeying.

 * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent
   forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
   names is advertised via the EXT_INFO message. If a server offers
   support for the new names, then they are used preferentially.

 * ssh(1): add a ~I escape option that shows information about the
   current SSH connection.

 * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is
   applied to login attempts for usernames that do not match real
   accounts. Defaults to 5s to match 'authfail' but allows
   administrators to block such attempts for longer if desired.

 * Support the ed25519 signature scheme via libcrypto.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56999
2026-05-14 18:59:30 +00:00
Ed Maste 644b4646c7 OpenSSH: Update to 10.1p1
Full release notes are available at
https://www.openssh.com/txt/release-10.1

Selected highlights from the release notes:

Potentially-incompatible changes

 * ssh(1): add a warning when the connection negotiates a non-post
   quantum key agreement algorithm.

 * ssh(1), sshd(8): major changes to handling of DSCP marking/IPQoS

 * ssh(1), sshd(8): deprecate support for IPv4 type-of-service (ToS)
   keywords in the IPQoS configuration directive.

 * ssh-add(1): when adding certificates to an agent, set the expiry
   to the certificate expiry time plus a short (5 min) grace period.

 * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
   under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
   in sshd(8).

Security

 * ssh(1): disallow control characters in usernames passed via the
   commandline or expanded using %-sequences from the configuration
   file, and disallow \0 characters in ssh:// URIs.

New features

 * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
   session information.

Sponsored by:	The FreeBSD Foundation
2026-05-12 20:24:10 +00:00
Dag-Erling Smørgrav 07b52233e8 caroot: Regenerate
Regenerate using certificate data from NSS 3.123.1.

MFC after:	1 week
Reviewed by:	kevans
2026-04-27 11:33:09 +02:00
Dag-Erling Smørgrav ce33d6396a caroot: Clean up
* Get certdata.txt directly from the NSS Mercurial repository, rather
  than from the Mozilla Firefox repository which imports it from NSS at
  irregular intervals.

* Instead of always fetching the latest certdata.txt, fetch a specific
  version.  For this commit, we set this to the version that was last
  imported in May 2025.

* Add a reference to the MPL to the generated files.

* Regenerate with latest OpenSSL.  This is purely cosmetic; mostly, the
  certificate names now contain less unnecessary whitespace and some
  elements are quoted.

MFC after:	1 week
Reviewed by:	michaelo, kevans
Differential Revision:	https://reviews.freebsd.org/D56620
2026-04-27 11:33:09 +02:00
Enji Cooper 48d6db4932 OpenSSL: move -DOPENSSL_PIC from PIC_FLAG to SHARED_CFLAGS
`PIC_FLAG` should be used strictly for `-fPIC`, `-fpic`, etc. options.
`SHARED_CFLAGS` is the more appropriate place for this flag to be set.

Requested by:	jrtc27
MFC after:	3 days
MFC with:	3797fe720a
2026-04-22 13:34:25 -07:00
Po-Chuan Hsieh 98118af4f0 [OpenSSL] Add missing header file (openssl/ml_kem.h)
Add missing header file (openssl/ml_kem.h) of OpenSSL 3.5

Reviewed by:	fluffy, ngie
Approved by:	ngie (maintainer)
Differential Revision:	https://reviews.freebsd.org/D56291
2026-04-12 11:07:24 -07:00
Enji Cooper 9f7080ba6b crypto/openssl: add new manpage from release 3.5.6
MFC after:      1 day (the security issues warrant a quick backport).
MFC with:       10a428653e
2026-04-08 19:00:10 -07:00
Enji Cooper 5254e16213 crypto/openssl: update artifacts to match 3.5.6 release artifacts
A new manpage and any associated links will be added in the next commit.

MFC after:      1 day (the security issues warrant a quick backport).
MFC with:	10a428653e
2026-04-08 18:55:43 -07:00
Enji Cooper 3797fe720a libcrypto: compile all PIC objects with -DOPENSSL_PIC -fPIC
This change modifies the libcrypto PIC objects to always compile with
`-DOPENSSL_PIC -fPIC` to restore parity with the upstream build process.
This ensures that the legacy provider is built with parity to the
upstream legacy provider.

MFC after:              12 days
Tested with:		`make check` (legacy provider), `make universe`
Fixes:			14b9955e
Differential Revision:  https://reviews.freebsd.org/D44896
2026-03-21 18:38:49 -07:00
Enji Cooper 67b918e034 Revert "libcrypto: compile all PIC objects with -DOPENSSL_PIC"
This commit broke the build with some build options.

Some validation needs to be done to confirm that moving the preprocessor
argument to `secure/lib/libcrypto/Makefile.inc` works without breaking
the build, but revert for now until a `tinderbox` run can be done with
the change.

PR:		293934
Reported by:	Jenkins, Trond Endrestøl

This reverts commit 14b9955e57.
2026-03-20 13:12:26 -07:00
Enji Cooper 14b9955e57 libcrypto: compile all PIC objects with -DOPENSSL_PIC
This change modifies the libcrypto PIC objects to always compile with
`-DOPENSSL_PIC` to restore parity with the upstream build process. This
ensures that `-DOPENSSL_PIC` is used whenever building the auxiliary
shared objects. In this case, just the legacy provider (we no longer
distribute the fips provider).

MFC after:		2 weeks
Differential Revision:	https://reviews.freebsd.org/D44896
2026-03-19 17:51:51 -07:00
Brooks Davis c4130a8a84 OpenSSL: install EVP_CIPHER_CTX_get_app_data.3 once
A separate EVP_CIPHER_CTX_get_app_data.3 was added in the OpenSSL 3.5.5
import, but the link to EVP_EncryptInit.3 was still being installed
which stomped on the file and created inconsistent entries in the METALOG.

Reviewed by:	emaste
Found by:	package_check script in Cirrus-CI
Fixes:		1731fc70f7 ("OpenSSL: update vendor sources to match 3.5.5 content")
Sponsored by:	Innovate UK
Differential Revision:	https://reviews.freebsd.org/D55332
2026-02-17 18:24:29 +00:00
Enji Cooper 1731fc70f7 OpenSSL: update vendor sources to match 3.5.5 content
MFC with:	f25b8c9fb4
MFC after:	1 week
2026-01-31 14:07:17 -08:00
Lexi Winter c3b853fe52 libcrypto: Install tests in the tests package
libcrypto's Makefile.inc used PACKAGE=openssl, which overrides the
PACKAGE=tests in libcrypto/tests/Makefile.  Use PACKAGE?=openssl
instead to avoid this.  This puts the OpenSSL tests in the tests
package where they belong.

MFC after:	1 day
Reviewed by:	manu, ngie
Sponsored by:	https://www.patreon.com/bsdivy
Differential Revision:	https://reviews.freebsd.org/D53595
2025-11-05 21:17:31 +00:00
Enji Cooper 97388e7215 OpenSSL: install .pc files from the exporters subdir
The .pc files generated in the root directory are used as part of the
build; they should never be installed. Use the versions from the
exporters subdirectory--which should be installed--as the .pc files
which are distributed with FreeBSD. This avoids the need for "fixing up"
these files after the fact (see `crypto/openssl/BSDmakefile` for more
details as part of this change).

Garbage collect `secure/lib/libcrypto/Makefile.version`, et al,
as they're orphaned files. They were technically unused prior to this
change as the vendor process properly embeds the version numbers in
various files, but this commit formalizes the removal.

This correction/clarification on the .pc files will be made in an
upcoming release of OpenSSL [1].

References:
1. https://github.com/openssl/openssl/issues/28803

Suggested by:	Richard Levitte (OpenSSL project)
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D53043
2025-10-16 23:42:13 -07:00
Enji Cooper 3b6442370a openssl: add a simple smoke test for the legacy provider
This change adds a simple smoke test for the legacy provider to ensure
that the provider doesn't break in the future when performing updates.

This is not a functional or system test; the OpenSSL test suite does a
much better job at doing this than we can.

MFC after:		1 week
Differential Revision:	https://reviews.freebsd.org/D53045
2025-10-16 23:36:15 -07:00
Jose Luis Duran 7238317403 blocklist: Rename blacklist to blocklist
Follow up upstream rename from blacklist to blocklist.

- Old names and rc scripts are still valid, but emit an ugly warning
- Old firewall rules and anchor names should work, but emit an ugly
  warning
- Old MK_BLACKLIST* knobs are wired to the new ones

Although care has been taken not to break current configurations, this
is a large patch containing mostly duplicated code.  If issues arise, it
will be swiftly reverted.

Reviewed by:	ivy (pkgbase)
Approved by:	emaste (mentor)
MFC after:	2 days
Relnotes:	yes
2025-10-12 17:14:27 +00:00
Lexi Winter 349f4fd382 libpkgecc: Remove -ffreestanding
This incorporates pkg(8) commit a31c8c3682a3 for consistency.

https://github.com/freebsd/pkg/commit/a31c8c3682a3

MFC after:	1 day
Reviewed by:	kevans
Sponsored by:	https://www.patreon.com/bsdivy
Differential Revision:	https://reviews.freebsd.org/D52920
2025-10-08 04:23:32 +01:00
Enji Cooper d4033e6d37 crypto/openssl: update generated files to match 3.5.4 artifacts
MFC with:	046c625e93
Fixes:		046c625e93 ("crypto/openssl: update to 3.5.4")
Reported by:	Herbert J. Skuhra <herbert@gojira.at>
2025-10-07 16:14:13 -07:00
Enji Cooper d9cc3d558d crypto/openssl: update build artifacts for the 3.5.3 release
This change updates the build artifacts to match the 3.5.3 release. Much
of the change involves updating version numbers and release dates to
match the release version's metadata.

MFC after:	1 week
MFC with:	88b8b7f0c4
2025-09-22 15:38:36 -07:00
Enji Cooper d5984d5f29 OpenSSL: update Makefiles to reflect 3.5.1 release
This is a targeted effort to update the INCS and SRCS entries for
libcrypto, the legacy provider, and libssl to match what upstream
(OpenSSL) builds in their respective libraries.

The number of stylistic changes was kept at a minimum.

Another incoming change will reformat this file to make future
maintenance easier.

MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D52554
2025-09-18 12:17:44 -07:00
Enji Cooper fdb3b695a4 Update the installed manpages to match OpenSSL 3.5.1
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D52008
2025-09-07 18:28:29 -07:00
Mark Johnston 407c4d1eeb openssl: Disable KTLS in bootstrap libraries
We need to build OpenSSL when bootstrapping certctl.  On MacOS
ktls_enable() isn't defined anywhere, so without this the build fails.
We don't need KTLS in the bootstrap library, so just disable it.

Reviewed by:	khorben, ngie
Differential Revision:	https://reviews.freebsd.org/D52341
2025-09-04 13:28:39 +00:00
Gleb Smirnoff b370fb00c8 openssl: link enough files for the legacy provider to actually load
Reviewed by:		khorben, ngie
Differential Revision:	https://reviews.freebsd.org/D52113
2025-09-01 09:39:14 -07:00
Ed Maste 665bf6ffb5 sshd-auth: Chase MK_GSSAPI changes
Fixes: 8e28d84935 ("OpenSSH: Update to 10.0p2")
Sponsored by: The FreeBSD Foundation
2025-08-26 15:13:07 -04:00
Ed Maste 8e28d84935 OpenSSH: Update to 10.0p2
Full release notes are available at
https://www.openssh.com/txt/release-10.0

Selected highlights from the release notes:

Potentially-incompatible changes

- This release removes support for the weak DSA signature algorithm.
  [This change was previously merged to FreeBSD main.]

- This release has the version number 10.0 and announces itself as
  "SSH-2.0-OpenSSH_10.0".  Software that naively matches versions using
  patterns like "OpenSSH_1*" may be confused by this.

- sshd(8): this release removes the code responsible for the user
  authentication phase of the protocol from the per-connection
  sshd-session binary to a new sshd-auth binary.

Security

- sshd(8): fix the DisableForwarding directive, which was failing to
  disable X11 forwarding and agent forwarding as documented.
  [This change was previously merged to FreeBSD main.]

New features

- ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256 is now
  used by default for key agreement.

Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51630
2025-08-26 15:04:16 -04:00
Dag-Erling Smørgrav 0886019bf8 caroot: Rename script and normalize license
MFC after:	1 week
Reviewed by:	mandree, markj
Differential Revision:	https://reviews.freebsd.org/D51775
2025-08-25 23:41:52 +02:00
Dag-Erling Smørgrav b88b0bb784 caroot: Generate both trusted and untrusted
Until now, the untrusted directory has been maintained manually.  Modify
the script used to maintain the trusted directory so it can handle both.
While here, clean it up a bit.

MFC after:	1 week
Reviewed by:	mandree, markj
Differential Revision:	https://reviews.freebsd.org/D51774
2025-08-25 23:41:36 +02:00
Lexi Winter 929f5966a9 packages: Improve handling of -lib packages
For some packages (OpenSSL, Kerberos) we want to ship runtime libraries
in a separate package, e.g. openssl and openssl-lib.  Currently this is
done using PACKAGE=openssl-lib, but that creates packages with strange
names like openssl-lib-lib32.

Instead, add a new LIB_PACKAGE option to bsd.lib.mk that causes runtime
libraries to be placed in a new -lib subpackage.  This significantly
improves the set of packages we create; for example, OpenSSL goes from:

	FreeBSD-openssl
	FreeBSD-openssl-dbg
	FreeBSD-openssl-lib
	FreeBSD-openssl-lib-dbg
	FreeBSD-openssl-lib-dbg-lib32
	FreeBSD-openssl-lib-dev
	FreeBSD-openssl-lib-dev-lib32
	FreeBSD-openssl-lib-lib32
	FreeBSD-openssl-lib-man
	FreeBSD-openssl-man

to:

	FreeBSD-openssl
	FreeBSD-openssl-dbg
	FreeBSD-openssl-dbg-lib32
	FreeBSD-openssl-dev
	FreeBSD-openssl-dev-lib32
	FreeBSD-openssl-lib
	FreeBSD-openssl-lib32
	FreeBSD-openssl-man

While here, move /usr/bin/krb5-config and /usr/bin/compile_et into
the kerberos-dev package.

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D51925
2025-08-23 01:57:23 +01:00
Enji Cooper 267f8c1f4b crypto/openssl: make vendor imports easier/less error prone
This change adds a custom BSD makefile containing multiple high-level PHONY
targets, similar to targets provided by the ports framework.

The Makefile does the following:
- Reruns Configure with a deterministic set of arguments to ensure that
  all appropriate features have been enabled/disabled in OpenSSL.
- Preens the pkgconfig files to remove duplicate paths in their
  `CFLAGS` and `includedir` variables.
- Rebuilds all ASM files to ensure that the content contained is fresh.
- Rebuilds all manpages to ensure that the content contained in the
  manpages is fresh.

Some additional work needs to be done to make the manpage regeneration
"operation" reproducible (the date the manpages were generated is
embedded in the files).

All dynamic configuration previously captured in
`include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been
moved to `freebsd/include/dynamic_freebsd_configuration.h` and
`freebsd/include/crypto/bn_conf.h`, respectively. This helps
ensure that future updates don't wipe out FreeBSD customizations to
these files, which tune behavior on a per-target architecture basis, e.g.,
ARM vs x86, 32-bit vs 64-bit, etc.

MFC after: 1 month
Differential Revision:	https://reviews.freebsd.org/D51663
2025-08-21 10:02:46 -07:00
Enji Cooper 439685ee69 libssl: unbreak building the library with KTLS
The 3.5.1 update dropped a `SRCS` entry for the MK_OPENSSL_KTLS != no
case (the source was renamed from `ktls.c` to `ktls_meth.c`). Add the
new file to SRCS in order to unbreak linking the library when KTLS is
enabled.

This bug isn't apparent now because KTLS is always disabled in
`include/openssl/configuration.h` (this will be fixed soon).

Found when doing `make universe` with KTLS enabled in
`include/openssl/configuration.h`.

Fixes:	4757b351ea ("openssl: Import version 3.5.1")
2025-08-21 09:28:02 -07:00
Lexi Winter dc5ba6b8b4 Remove MK_GSSAPI
For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled.  Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err and compile_et to be selected by
MK_KERBEROS, not MK_KERBEROS_SUPPORT, since these are part of Kerberos
and third-party users might need it even if Kerberos support is disabled
in the base system.  This means MK_KERBEROS_SUPPORT installs the same
files with both MIT and Heimdal.

Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D51859
2025-08-20 19:42:20 +01:00
Kyle Evans aef16fc30b build: remove certctl requirement for host OpenSSL libs on macOS
Some platforms, like macOS, do not expose headers for the system's
libcrypto for public consumption.  libcrypto is relatively heavy and
needs to know, e.g., the host system's endianness, so we scope the build
down to macOS where OpenSSL headers are known to not be present and we
can be reasonably certain that most of the systems today that would be
cross-building are little endian.

We still don't bother if building WITHOUT_OPENSSL since the end result
is expected to be used by OpenSSL, but perhaps we could revisit that
independently in case one, e.g., brings their own implementation.

Reported by:	jrtc27
Reviewed by:	jrtc27, ngie
Fixes:	c340ef28fd ("certctl: Reimplement in C")
Differential Revision:	https://reviews.freebsd.org/D51935
2025-08-18 23:27:59 -05:00
Pierre Pronchery 4757b351ea openssl: Import version 3.5.1
Migrate to OpenSSL 3.5 in advance of FreeBSD 15.0. OpenSSL 3.0 will be
EOL after 2026-09-07.

Approved by:	philip (mentor)
Sponsored by:	Alpha-Omega Beach Cleaning Project
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D51613
2025-08-07 15:54:34 +02:00
Cy Schubert e26259f48a gssapi,krb5: Replace libgssapi with the MIT version
lib/libgssapi is based on Heimdal. As on Linux systems, the MIT
libgssapi_krb5 replaces it. Having both gssapi libraries and header files
installed results in a broken buildworld (gssd) and ports that will not
build without modifications to support the MIT gssapi in an alternate
location.

73ed0c7992 removed the MIT GSSAPI headers from /usr/include. Apps using
MIT KRB5 gssapi functions and structures will fail to build without this
patch.

This patch includes a temporary patch to usr.sbin/gssd to allow it
to build with this patch. rmacklem@ has a patch for this and for
kgssapi that uses this patch to resolve kgssapi issues for NFS with
Kerberos.

This patch is an updated version of D51661 to allow it to build following
additional patches to the tree.

This should have been implemented with 7e35117eb0.

Fixes:			7e35117eb0, 73ed0c7992
Differential Revision:	https://reviews.freebsd.org/D51661
2025-08-07 10:17:00 -07:00
Cy Schubert 70371c7959 openssh: Support building with MIT KRB5
Remove HEIMDAL=1 from openssh/krb5_config.h and move the definition
to the Makefile in order to control whether we're building under
Heimdal or MIT.

Add MIT KRB5 LIBS and INCLUDES to the openssh build.

Sponsored by:		The FreeBSD Foundation
Reviewed by:		markj
Differential revision:	https://reviews.freebsd.org/D50782
2025-06-15 19:49:36 -07:00
Brooks Davis 8e35800732 build: remove the last vestiges of lint support
Commit 1cbb58886a (shipped in 12.0.0) removed all lint infrastructure.
A bunch of NO_LINT definitions remained (perhaps as a bootstrapping
measure).  Remove them.

Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D50704
2025-06-06 00:55:34 +01:00
Michael Osipov 87c46facc3 caroot: Update certdata URL for GitHub switch
Mozilla has migrated its projects' source code to GitHub, update certdata URL
along with it.

Reference: https://github.com/curl/curl/pull/17321

Reviewed by:	jrm (mentor), otis (mentor), kevans
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D50575
2025-05-28 20:55:11 +02:00
Jose Luis Duran ac62b97951 openssh: Add ${SKSRCS} to libssh
sshkey.c references sshsk_sign(), which is defined in ${SKSRCS}.

Due to how FreeBSD builds libssh, or put differently, due to upstream
not building a shared libssh.so, we need to partially revert
65d8491719 ("secure: Adapt Makefile to ssh-sk-client everywhere"), and
add ${SKSRCS} back, to avoid linking problems, especially when building
with GCC:

    /usr/local/bin/ld:
    /usr/obj/usr/src/amd64.amd64/secure/lib/libssh/libprivatessh.so:
    undefined reference to `sshsk_sign'
    collect2: error: ld returned 1 exit status

Put the sources in a separate line, to maintain line-by-line
compatibility with upstream Makefile.in.

PR:		286580
Reviewed by:	emaste
Approved by:	emaste (mentor)
Fixes:	65d8491719 ("secure: Adapt Makefile to ssh-sk-client everywhere")
Differential Revision:	https://reviews.freebsd.org/D50020
2025-05-20 22:58:23 +00:00
Lexi Winter c853409d69 libcrypto: move engines and modules to openssl-lib
Currently, some OpenSSL-related files end up in the utilities package:

	/usr/lib/engines-3/capi.so
	/usr/lib/engines-3/devcrypto.so
	/usr/lib/engines-3/loader_attic.so
	/usr/lib/engines-3/padlock.so
	/usr/lib/ossl-modules/legacy.so

Since these are part of OpenSSL and are not useful without it, move them
to the openssl-lib package.

Reviewed by:	manu, des, emaste
Approved by:	des (mentor)
Differential Revision:	https://reviews.freebsd.org/D50144
2025-05-05 22:49:57 +01:00
John Baldwin a098111a28 secure: Add ssh-sk-client to all consumers of libssh
These all failed to link with ld.bfd used by GCC due to
Fssh_sshsk_sign being an unresolved symbol.

Fixes:		65d8491719 ("secure: Adapt Makefile to ssh-sk-client everywhere")
2025-04-21 22:05:28 -04:00
Jose Luis Duran 65d8491719 secure: Adapt Makefile to ssh-sk-client everywhere
Upstream commit 7b47b40b1 ("adapt Makefile to ssh-sk-client everywhere")
adapted the Makefiles to ssh-sk-client.  Do the same here.

Reviewed by:	emaste
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D49795
2025-04-17 19:12:39 +00:00
Jose Luis Duran 8c6bf983a9 secure: Match SRCS with upstream Makefile.in
Reviewed by:	emaste
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D49794
2025-04-17 19:12:22 +00:00
Jose Luis Duran 9440aad19d secure: Rearrange Makefile SRCS to match upstream Makefile.in
SRCS entries are kept in the same order and with the same line breaks as
upstream, to make comparison easier.

No functional change intended.

Reviewed by:	emaste
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D49793
2025-04-17 19:12:05 +00:00
Jose Luis Duran d4f438357e openssh: Request the OpenSSL 1.1 API
Upstream OpenSSH commit f51423bda ("request 1.1x API compatibility for
OpenSSL >=3.x") requests OPENSSL_API_COMPAT version 0x10100000L (OpenSSL
1.1.0), in order to avoid warnings about deprecated functions.

Do the same here, to avoid getting those warnings.

Reviewed by:	emaste
Approved by:	emaste (mentor)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D49517
2025-03-27 00:19:14 +00:00
Enji Cooper d2a55e6a93 openssl: update ASM and version info for 3.0.16 import
MFC after:	1 week
MFC with:	0d0c8621fd
Differential Revision:	https://reviews.freebsd.org/D49297
2025-03-13 23:42:02 -07:00
Michael Osipov 0100da4deb caroot: update the root bundle
Summary:
- Seven (7) new roots
- Four (4) distrusted roots
- Fifteen (15) removed (expired) roots

Reviewed by:	kevans
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D49294
2025-03-13 08:46:01 +01:00
Michael Osipov 457c03b397 caroot: Ignore soft distrust of server CA certificates after 398 days
Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that
a CA certificate will be distrusted in the future before its NotAfter time.
This means that the CA stops issuing new certificates, but previous ones are
still valid, but at most for 398 days after the distrust date.

See also:
* https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
* https://github.com/Lukasa/mkcert/issues/19
* https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
* https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c

Tested by:	michaelo
Reviewed by:	emaste
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D49075
2025-03-08 16:33:44 +01:00
Ed Maste d71e7e57fc ssh: Consolidate HAVE_LDNS / LIBWRAP in ssh.mk
Commit 9d63429fa1 ("ssh: move common Makefile boilerplate to a new
ssh.mk") introduced ssh.mk for common OpenSSH paths and flags, as part
of enabling FIDO/U2F.  Move duplicated MK_LDNS and MK_TCP_WRAPPERS
handling there.

Reviewed by:	kevans
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D31896
2025-02-20 18:33:46 -05:00