path: root/secure
Commit message (Author, Age, Files, Lines)
* MFS: r366176 (Jung-uk Kim, 2020-09-25, 537 files, -1617/+1745)
|   Merge OpenSSL 1.1.1h.
|   Approved by: re (gjb)
|   Notes: svn path=/releng/12.2/; revision=366177
* MFS r365986: caroot: update base store (Kyle Evans, 2020-09-23, 5 files, -0/+265)
|   Count:
|   - Two (2) removed
|   - Three (3) added
|   Approved by: re (gjb)
|   Notes: svn path=/releng/12.2/; revision=366084
* MFC r365248: caroot: properly remove old distrusted roots (Kyle Evans, 2020-09-05, 7 files, -0/+698)
|   The proper procedure was not followed in r364943; all of these that were deleted should have instead been moved over to the blacklist so that certctl can DTRT.
|
|   Users must still `certctl rehash` after this, but this should generally be done by one of mergemaster/etcupdate/freebsd-update/pkgbase already; note that freebsd-update doesn't come into play for this particular update, as these have not yet made it into a release.
|
|   Future work (after svn -> git) will likely change the script that updatecert invokes to facilitate the process, rather than trusting that kevans or whomever updates in the future will remember.
|
|   Notes: svn path=/stable/12/; revision=365357
* MFC r364943: caroot: update bundle (Kyle Evans, 2020-09-02, 11 files, -698/+401)
|   Stats:
|   - Seven (7) removed
|   - Four (4) added
|   Notes: svn path=/stable/12/; revision=365233
* MFC: r364822, r364823 (Jung-uk Kim, 2020-08-29, 22 files, -86/+44039)
|   Fix Clang version detection and regen X86 assembly files.
|   Notes: svn path=/stable/12/; revision=364963
* MFC r364600: caroot: switch to using echo+shell glob to enumerate certs (Kyle Evans, 2020-08-26, 2 files, -2/+2)
|   This solves an issue on stable/12 that causes certs to not get installed. ls is apparently not in PATH during installworld, so TRUSTED_CERTS ends up blank and nothing gets installed. We don't really require anything ls-specific, though, so let's just simplify it.
|   Notes: svn path=/stable/12/; revision=364792
* MFC r353095, r355376: add root bundle (Kyle Evans, 2020-04-27, 150 files, -0/+15768)
|   r353095: caroot: commit initial bundle
|
|   Interested users can blacklist any/all of these with certctl(8), examples:
|   - mv /usr/share/certs/trusted/... /usr/share/certs/blacklisted/...; \
|     certctl rehash
|   - certctl blacklist /usr/share/certs/trusted/*; \
|     certctl rehash
|
|   Certs can be easily examined after installation with `certctl list`, and certctl blacklist will accept the hashed filename as output by list or as seen in /etc/ssl/certs
|
|   r355376: caroot update to latest tip: one (1) addition, none (0) removed
|
|   Added:
|   - Entrust Root Certification Authority - G4
|
|   Relnotes: yes, please
|   Notes: svn path=/stable/12/; revision=360395
* MFC: r360175 (Jung-uk Kim, 2020-04-24, 536 files, -541/+753)
|   Merge OpenSSL 1.1.1g.
|   Notes: svn path=/stable/12/; revision=360278
* MFC: r359486 (Jung-uk Kim, 2020-04-03, 534 files, -540/+565)
|   Merge OpenSSL 1.1.1f.
|   PR: 245073
|   Notes: svn path=/stable/12/; revision=359607
* MFC: r359060, r359061, r359066 (Jung-uk Kim, 2020-03-20, 572 files, -45575/+3176)
|   Merge OpenSSL 1.1.1e.
|   Notes: svn path=/stable/12/; revision=359186
* MFC r345579 by des: Add workaround for a QoS-related bug in VMWare Workstation (Ed Maste, 2020-03-08, 1 file, -0/+3)
|   Submitted by: yuripv
|   Notes: svn path=/stable/12/; revision=358773
* MFC: r356963 (Jung-uk Kim, 2020-02-21, 486 files, -3809/+8973)
|   Install man5 and man7 for OpenSSL.
|   Notes: svn path=/stable/12/; revision=358188
* MFC r357193: caroot: blacklisted: automatically pick up *.pem in the tree (Kyle Evans, 2020-02-06, 1 file, -1/+3)
|   This kind of automagica got picked up in trusted/ prior to the initial commit, but never got applied over in blacklisted. Ideally no one will be using blacklisted/ to store arbitrary certs that they don't intend to blacklist, so we should just install anything that's in here rather than force consumer to first copy cert into place and then modify the file listing in the Makefile.
|
|   Wise man once say: "it is better to restrict too much, than not enough. sometimes."
|
|   Notes: svn path=/stable/12/; revision=357633
* MFC r357084: caroot: use bsd.obj.mk, not bsd.prog.mk (Kyle Evans, 2020-01-28, 1 file, -2/+1)
|   This directory stages certdata into .OBJDIR and processes it, but does not actually build a prog-shaped object; bsd.obj.mk provides the minimal support that we actually need, an .OBJDIR and descent into subdirs. This is admittedly the nittiest of nits.
|   Notes: svn path=/stable/12/; revision=357192
* MFC r352948-r352951, r353002, r353066, r353070: caroot infrastructure (Kyle Evans, 2020-01-24, 6 files, -0/+353)
|   Infrastructure only -- no plans in place currently to commit any certs to these branches.
|
|   r352948: [1/3] Initial infrastructure for SSL root bundle in base
|
|   This setup will add the trusted certificates from the Mozilla NSS bundle to base.
|
|   This commit includes:
|   - CAROOT option to opt out of installation of certs
|   - mtree amendments for final destinations
|   - infrastructure to fetch/update certs, along with instructions
|
|   A follow-up commit will add a certctl(8) utility to give the user control over trust specifics. Another follow-up commit will actually commit the initial result of updatecerts.
|
|   This work was done primarily by allanjude@, with minor contributions by myself.
|
|   r352949: [2/3] Add certctl(8)
|
|   This is a simple utility to hash all trusted on the system into /etc/ssl/certs. It also allows the user to blacklist certificates they do not trust.
|
|   This work was done primarily by allanjude@, with minor contributions by myself.
|
|   r352950: [3/3] etcupdate and mergemaster support for certctl
|
|   This commit adds support for certctl in mergemaster and etcupdate. Both will either rehash or prompt for rehash as new certificates are trusted/blacklisted.
|
|   This work was done primarily by allanjude@, with minor contributions by myself.
|
|   r352951: caroot: add @generated tags to extracted .pem
|
|   As is the current trend; while these files are manually curated, they are still generated. If they end up in a review, it would be helpful to also take the hint and hide them.
|
|   r353002: Unbreak etcupdate(8) and mergemaster(8) after r352950
|
|   r352950 introduced improper case fall-through for shell scripts. Fix it with a pipe.
|
|   r353066: certctl(8): realpath the file before creating the symlink
|
|   Otherwise we end up creating broken relative symlinks in /etc/ssl/blacklisted.
|
|   r353070: certctl(8): let one blacklist based on hashed filenames
|
|   It seems reasonable to allow, for instance:
|
|   $ certctl list
|   # reviews output -- ah, yeah, I don't trust that one
|   $ certctl blacklist ce5e74ef.0
|   $ certctl rehash
|
|   We can unambiguously determine what cert "ce5e74ef.0" refers to, and we've described it to them in `certctl list` output -- I see little sense in forcing another level of filesystem inspection to determine what cert file this physically corresponds to.
|
|   Relnotes: yes
|   Notes: svn path=/stable/12/; revision=357082
* Add Makefile.depend.options (Simon J. Gerraty, 2019-12-19, 7 files, -18/+18)
|   Leaf directories that have dependencies impacted by options need a Makefile.depend.options file to avoid churn in Makefile.depend
|
|   DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc can be set in local.dirdeps-options.mk which can add to those set in Makefile.depend.options
|
|   See share/mk/dirdeps-options.mk
|
|   Also update affected Makefile.depend files.
|
|   MFC of r355616 and r355617
|
|   Reviewed by: bdrewery
|   Sponsored by: Juniper Networks
|   Differential Revision: https://reviews.freebsd.org/D22469
|   Notes: svn path=/stable/12/; revision=355906
* MFC: r352191 (Jung-uk Kim, 2019-09-10, 523 files, -13180/+1909)
|   Merge OpenSSL 1.1.1d.
|   Notes: svn path=/stable/12/; revision=352192
* MFC: r348340 (Jung-uk Kim, 2019-05-28, 514 files, -977/+1083)
|   Merge OpenSSL 1.1.1c.
|   Notes: svn path=/stable/12/; revision=348341
* MFC: r344602 (Jung-uk Kim, 2019-02-26, 530 files, -12017/+14344)
|   Merge OpenSSL 1.1.1b.
|   Notes: svn path=/stable/12/; revision=344603
* MFC: r340703 (Jung-uk Kim, 2018-11-20, 517 files, -1178/+1241)
|   Merge OpenSSL 1.1.1a.
|   Notes: svn path=/stable/12/; revision=340705
* MFC r339709: (Konstantin Belousov, 2018-10-25, 2 files, -2/+2)
|   Bump base OpenSSL libraries versions to avoid conflict with port's libraries.
|   Approved by: re (gjb)
|   Notes: svn path=/stable/12/; revision=339732
* libcrypto: have buildinf.h depend on Makefile (Ed Maste, 2018-10-05, 1 file, -1/+1)
|   So that it will be regenerated after Makefile changes affecting the file's content - specifically, the OpenSSL 1.1.1 update adds a DATE macro which did not exist previously.
|   Sponsored by: The FreeBSD Foundation
|   Notes: svn path=/projects/openssl111/; revision=339209
* MFH r338661 through r339200. (Glen Barber, 2018-10-05, 1 file, -0/+2)
|\
| |   Sponsored by: The FreeBSD Foundation
| |   Notes: svn path=/projects/openssl111/; revision=339201
| * Move the openssl.cnf install to secure/usr.bin/openssl/ (Brad Davis, 2018-09-20, 1 file, -0/+2)
| |   This leverages CONFS to do the install
| |   Approved by: re (pkgbase, blanket), bapt (mentor)
| |   Differential Revision: https://reviews.freebsd.org/D17245
| |   Notes: svn path=/head/; revision=338825
* | openssh: connect libressl-api-compat.c and regen config.h (Ed Maste, 2018-10-03, 1 file, -1/+3)
| |   Differential Revision: https://reviews.freebsd.org/D17390
| |   Notes: svn path=/projects/openssl111/; revision=339157
* | Drop pre-AVX toolchain for amd64 and i386 to simplify the makefile. (Jung-uk Kim, 2018-10-01, 1 file, -9/+2)
| |   Especially, head does not support old toolchains because of ifunc support.
| |   Notes: svn path=/projects/openssl111/; revision=339070
* | Remove MD dirdeps from Makefile.depend. (Jung-uk Kim, 2018-09-25, 2 files, -2/+0)
| |   It can't be right. :-(
| |   Notes: svn path=/projects/openssl111/; revision=338936
* | Make it more meta mode friendly. (Jung-uk Kim, 2018-09-25, 1 file, -3/+6)
| |   Notes: svn path=/projects/openssl111/; revision=338935
* | Fix CLEANFILES. (Jung-uk Kim, 2018-09-25, 1 file, -1/+1)
| |   Notes: svn path=/projects/openssl111/; revision=338934
* | Regen Makefile.depend. (Jung-uk Kim, 2018-09-25, 3 files, -2/+3)
| |   Notes: svn path=/projects/openssl111/; revision=338933
* | Connect an assembly file for aarch64 to build. (Jung-uk Kim, 2018-09-22, 1 file, -1/+3)
| |   Notes: svn path=/projects/openssl111/; revision=338894
* | Add missing ACFLAGS for aarch64. (Jung-uk Kim, 2018-09-22, 1 file, -0/+3)
| |   Notes: svn path=/projects/openssl111/; revision=338884
* | Fix typos in the previous commit. (Jung-uk Kim, 2018-09-22, 1 file, -2/+2)
| |   Notes: svn path=/projects/openssl111/; revision=338883
* | Add a missing source file for SHA. (Jung-uk Kim, 2018-09-22, 1 file, -0/+2)
| |   Notes: svn path=/projects/openssl111/; revision=338882
* | Add CFLAGS for aarch64/arm assembly files. (Jung-uk Kim, 2018-09-22, 1 file, -2/+15)
| |   Notes: svn path=/projects/openssl111/; revision=338881
* | Add another include directory for aarch64 and arm. (Jung-uk Kim, 2018-09-22, 1 file, -0/+1)
| |   Notes: svn path=/projects/openssl111/; revision=338880
* | Regen cpuid assembly files for aarch64 and arm. (Jung-uk Kim, 2018-09-22, 3 files, -2/+405)
| |   Notes: svn path=/projects/openssl111/; revision=338879
* | Connect assembly files for arm to build. (Jung-uk Kim, 2018-09-22, 1 file, -1/+17)
| |   Notes: svn path=/projects/openssl111/; revision=338878
* | Regen assembly files for arm. (Jung-uk Kim, 2018-09-22, 15 files, -3082/+13495)
| |   Notes: svn path=/projects/openssl111/; revision=338877
* | Connect assembly files for aarch64 to build. (Jung-uk Kim, 2018-09-22, 1 file, -7/+21)
| |   Notes: svn path=/projects/openssl111/; revision=338876
* | Regen assembly files for aarch64. (Jung-uk Kim, 2018-09-22, 12 files, -882/+13484)
| |   Notes: svn path=/projects/openssl111/; revision=338875
* | Unify opensslconf.h templates. (Jung-uk Kim, 2018-09-21, 8 files, -1592/+1)
| |   There is no MD macro in this file any more.
| |   Notes: svn path=/projects/openssl111/; revision=338870
* | Remove pthread from LIBADD for openssl(1). (Jung-uk Kim, 2018-09-20, 1 file, -1/+1)
| |   libcrypto is linked with pthread since r338816.
| |   Notes: svn path=/projects/openssl111/; revision=338848
* | Regen assembly files for i386 after r338846. (Jung-uk Kim, 2018-09-20, 11 files, -1687/+25243)
| |   Notes: svn path=/projects/openssl111/; revision=338847
* | Add CFLAGS for i386 assembly files. (Jung-uk Kim, 2018-09-20, 1 file, -1/+14)
| |   Notes: svn path=/projects/openssl111/; revision=338846
* | Sort assembly source files for i386. (Jung-uk Kim, 2018-09-20, 1 file, -1/+1)
| |   Notes: svn path=/projects/openssl111/; revision=338845
* | Connect engines to the build. (Jung-uk Kim, 2018-09-20, 23 files, -243/+37)
| |   Notes: svn path=/projects/openssl111/; revision=338844
* | Connect i386 assembly files to build. (Jung-uk Kim, 2018-09-20, 1 file, -11/+50)
| |   Notes: svn path=/projects/openssl111/; revision=338843
* | Regen assembly files for i386. (Jung-uk Kim, 2018-09-20, 28 files, -22184/+18919)
| |   Notes: svn path=/projects/openssl111/; revision=338842
* | Link libcrypto with pthread. (Jung-uk Kim, 2018-09-20, 1 file, -0/+2)
| |   Notes: svn path=/projects/openssl111/; revision=338816