diff --git a/crypto/openssl/BSDmakefile b/crypto/openssl/BSDmakefile
new file mode 100644
--- /dev/null
+++ b/crypto/openssl/BSDmakefile
@@ -0,0 +1,91 @@
+# This BSD makefile helps provide a deterministic means of doing a "clean"
+# vendor import of OpenSSL.
+#
+# Recommended use:
+#
+# % make clean
+# % make all
+
+NO_OBJ=
+
+LCRYPTO_SRC= ${SRCTOP}/crypto/openssl
+LCRYPTO_DOC= ${LCRYPTO_SRC}/doc
+
+CAT?= /bin/cat
+MV?= /bin/mv
+PERL?= perl
+
+BN_CONF_H= include/crypto/bn_conf.h
+BN_CONF_H_ORIG= ${BN_CONF_H}.orig
+CONFIGURATION_H= include/openssl/configuration.h
+CONFIGURATION_H_ORIG= ${CONFIGURATION_H}.orig
+
+.PHONY: configure patch all
+.ORDER: configure patch all
+
+# XXX: 3.0.16 fails to configure properly when `enable-tests` is specified due to
+# missing sources under test/ ; this was fixed in 3.0.17.
+configure:
+ @cd ${.CURDIR} && \
+ ${PERL} ./Configure \
+ disable-aria \
+ disable-idea \
+ disable-mdc2 \
+ disable-sm2 \
+ disable-sm3 \
+ disable-sm4 \
+ disable-tests \
+ enable-ktls \
+ enable-sctp \
+ --openssldir=etc \
+ --prefix=/usr
+ @cd ${.CURDIR} && gmake configdata.pm
+ @cd ${LCRYPTO_SRC} && ${PERL} \
+ ${LCRYPTO_SRC}/freebsd/dump_version_from_configdata.pl > \
+ ${SRCTOP}/secure/lib/libcrypto/Makefile.version
+
+all: patch
+ # Passing `-j ${.MAKE.JOBS}` doesn't work here for some reason.
+ @cd ${.CURDIR} && gmake build_all_generated
+
+ @cd ${SRCTOP}/secure/lib/libcrypto && \
+ ${MAKE} cleanasm && \
+ ${MAKE} buildasm
+
+ @rsync -a --delete \
+ --exclude 'Makefile*' --exclude '*.1' \
+ ${LCRYPTO_DOC}/man/ \
+ ${SRCTOP}/secure/lib/libcrypto/man
+
+ @rsync -a --delete \
+ --exclude 'Makefile*' --exclude '*.[357]' \
+ ${LCRYPTO_DOC}/man/man1/ \
+ ${SRCTOP}/secure/usr.bin/openssl/man
+
+
+# This doesn't use standard patching since the generated files can vary
+# depending on the host architecture.
+patch: configure
+ # Spam arch-specific overrides to config files.
+
+ @cd ${.CURDIR} && gmake ${BN_CONF_H} && \
+ ${MV} ${BN_CONF_H} ${BN_CONF_H_ORIG} && \
+ ${CAT} ${BN_CONF_H}.orig \
+ ${LCRYPTO_SRC}/freebsd/${BN_CONF_H} >> \
+ ${BN_CONF_H}
+
+ @cd ${.CURDIR} && \
+ ${MV} ${CONFIGURATION_H} ${CONFIGURATION_H_ORIG} && \
+ ${CAT} ${CONFIGURATION_H_ORIG} \
+ ${LCRYPTO_SRC}/freebsd/${CONFIGURATION_H} >> \
+ ${CONFIGURATION_H}
+
+
+clean: .PHONY
+ @cd ${.CURDIR} && rm -f ${BN_CONF_H_ORIG} ${CONFIGURATION_H_ORIG}
+
+ @cd ${SRCTOP}/secure/lib/libcrypto && ${MAKE} cleanasm
+
+ -@cd ${.CURDIR} && gmake ${.TARGET}
+
+.include
diff --git a/crypto/openssl/freebsd/dump_version_from_configdata.pl b/crypto/openssl/freebsd/dump_version_from_configdata.pl
new file mode 100644
--- /dev/null
+++ b/crypto/openssl/freebsd/dump_version_from_configdata.pl
@@ -0,0 +1,21 @@
+#!/usr/bin/env perl
+#
+# This dumps out the values needed to generate manpages and other artifacts
+# which include the release version/date.
+#
+# See also: `secure/lib/libcrypto/Makefile.version`.
+
+use Cwd qw(realpath);
+use File::Basename qw(dirname);
+use Time::Piece;
+
+use lib dirname(dirname(realpath($0)));
+
+use configdata qw(%config);
+
+$OPENSSL_DATE = Time::Piece->strptime($config{"release_date"}, "%d %b %Y")->strftime("%Y-%m-%d");
+
+$OPENSSL_VER = "$config{'major'}.$config{'minor'}.$config{'patch'}";
+
+print("OPENSSL_VER=\t${OPENSSL_VER}\n");
+print("OPENSSL_DATE=\t${OPENSSL_DATE}\n");
diff --git a/crypto/openssl/freebsd/include/crypto/bn_conf.h b/crypto/openssl/freebsd/include/crypto/bn_conf.h
new file mode 100644
--- /dev/null
+++ b/crypto/openssl/freebsd/include/crypto/bn_conf.h
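Review bot: In the `patch` recipe the configuration.h step moves and appends without first running `gmake ${CONFIGURATION_H}`, unlike the bn_conf.h step directly above it, so as far as this hunk shows it works on whatever copy is already in the tree. If that copy is the committed one, which already ends with the FreeBSD fragment, the fragment is appended a second time and the upstream half stays stale; starting the step with `@cd ${.CURDIR} && gmake ${CONFIGURATION_H} && \` would make both steps behave the same. The bn_conf.h step also spells the backup once as `${BN_CONF_H}.orig` where `${BN_CONF_H_ORIG}` is meant. Separately, `configure` redirects straight into `Makefile.version`, so a failing perl run leaves an empty file that Makefile.inc then includes; writing to a temporary name and moving it into place on success avoids that.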
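Review bot: The script runs without `use strict; use warnings;` and assigns the package globals `$OPENSSL_DATE` and `$OPENSSL_VER`, so a misspelled `%config` key would silently produce an empty field in the generated makefile fragment. Adding `use strict; use warnings;` after the shebang comment and declaring both variables with `my` turns that into a diagnostic. A short comment on the `strptime` line saying that `release_date` is expected in the `%d %b %Y` form would also help, since a value in any other form makes the script die and, given that the caller redirects stdout into Makefile.version, leaves that file empty.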
@@ -0,0 +1,28 @@
+
+/**
+ * OpenSSL's Configure script generates these values automatically for the host
+ * architecture, but FreeBSD provides values which are universal for all
+ * supported target architectures.
+ */
+
+#ifndef __FREEBSD_BN_CONF_H__
+#define __FREEBSD_BN_CONF_H__
+
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+
+# if __SIZEOF_LONG__ == 8
+# define SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+# elif __SIZEOF_LONG__ == 4
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# define THIRTY_TWO_BIT
+# else
+# error Unsupported size of long
+# endif
+# endif
+
+#endif /* __FREEBSD_BN_CONF_H__ */
diff --git a/crypto/openssl/freebsd/include/openssl/configuration.h b/crypto/openssl/freebsd/include/openssl/configuration.h
new file mode 100644
--- /dev/null
+++ b/crypto/openssl/freebsd/include/openssl/configuration.h
@@ -0,0 +1,38 @@
+
+/**
+ * OpenSSL's Configure script generates these values automatically for the host
+ * architecture, but FreeBSD provides values which are universal for all
+ * supported target architectures.
+ */
+
+#ifndef __FREEBSD_CONFIGURATION_H__
+#define __FREEBSD_CONFIGURATION_H__
+
+# undef OPENSSL_NO_EC_NISTP_64_GCC_128
+# if __SIZEOF_LONG__ == 4 || __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
+# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+# define OPENSSL_NO_EC_NISTP_64_GCC_128
+# endif
+# endif
+
+# undef BN_LLONG
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+# if !defined(OPENSSL_SYS_UEFI)
+# if __SIZEOF_LONG__ == 8
+# undef BN_LLONG
+# define SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# undef THIRTY_TWO_BIT
+# elif __SIZEOF_LONG__ == 4
+# define BN_LLONG
+# undef SIXTY_FOUR_BIT_LONG
+# undef SIXTY_FOUR_BIT
+# define THIRTY_TWO_BIT
+# else
+# error Unsupported size of long
+# endif
+# endif
+
+#endif /* __FREEBSD_CONFIGURATION_H__ */
diff --git a/crypto/openssl/include/crypto/bn_conf.h b/crypto/openssl/include/crypto/bn_conf.h
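Review bot: The fragment in freebsd/include/crypto/bn_conf.h closes more conditionals than it opens: it opens `#ifndef __FREEBSD_BN_CONF_H__` and `# if __SIZEOF_LONG__ == 8`, but is followed by `# endif`, `# endif` and `#endif /* __FREEBSD_BN_CONF_H__ */`. The second `# endif` after `# error Unsupported size of long` has nothing to close and should be removed, otherwise the preprocessor rejects the header with an unmatched `#endif`. The same extra line is carried into include/crypto/bn_conf.h by the `@@ -22,16 +22,38 @@` hunk, so that file needs regenerating once the fragment is fixed.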
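Review bot: The test `# if __SIZEOF_LONG__ == 4 || __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__` in freebsd/include/openssl/configuration.h fails open when `__SIZEOF_LONG__` is not predefined, because an undefined macro evaluates to 0 in `#if` and the 64-bit NISTP code then stays enabled. The condition it replaces later in this diff, `!defined(__LP64__)`, disabled the code in that case, and the `# error Unsupported size of long` further down only catches it when `OPENSSL_SYS_UEFI` is not defined. Writing the test as `# if __SIZEOF_LONG__ != 8 || __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__` keeps the fail-closed behaviour. The inner `# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128` directly after the `# undef` is always true and can be dropped; the same fragment is appended to include/openssl/configuration.h in the `@@ -123,6 +127,42 @@` hunk.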
--- a/crypto/openssl/include/crypto/bn_conf.h +++ b/crypto/openssl/include/crypto/bn_conf.h @@ -1,10 +1,9 @@ -/* $FreeBSD$ */ /* WARNING: do not edit! */ /* Generated by Makefile from include/crypto/bn_conf.h.in */ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html @@ -12,6 +11,7 @@ #ifndef OSSL_CRYPTO_BN_CONF_H # define OSSL_CRYPTO_BN_CONF_H +# pragma once /* * The contents of this file are not used in the UEFI build, as 
@@ -22,16 +22,38 @@ /* Should we define BN_DIV2W here? */ /* Only one for the following should be defined */ -# if __SIZEOF_LONG__ == 8 -# define SIXTY_FOUR_BIT_LONG -# undef SIXTY_FOUR_BIT -# undef THIRTY_TWO_BIT -# elif __SIZEOF_LONG__ == 4 -# undef SIXTY_FOUR_BIT_LONG -# undef SIXTY_FOUR_BIT -# define THIRTY_TWO_BIT -# else -# error Unsupported size of long -# endif +#define SIXTY_FOUR_BIT_LONG +#undef SIXTY_FOUR_BIT +#undef THIRTY_TWO_BIT #endif + +/** + * OpenSSL's Configure script generates these values automatically for the host + * architecture, but FreeBSD provides values which are universal for all + * supported target architectures. + */ + +#ifndef __FREEBSD_BN_CONF_H__ +#define __FREEBSD_BN_CONF_H__ + +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT + +# if __SIZEOF_LONG__ == 8 +/* Only one for the following should be defined */ +# define SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# elif __SIZEOF_LONG__ == 4 +/* Only one for the following should be defined */ +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# define THIRTY_TWO_BIT +# else +# error Unsupported size of long +# endif +# endif + +#endif /* __FREEBSD_BN_CONF_H__ */ diff --git a/crypto/openssl/include/crypto/dso_conf.h b/crypto/openssl/include/crypto/dso_conf.h --- a/crypto/openssl/include/crypto/dso_conf.h +++ b/crypto/openssl/include/crypto/dso_conf.h @@ -1,4 +1,3 @@ -/* $FreeBSD$ */ /* WARNING: do not edit! */ /* Generated by Makefile from include/crypto/dso_conf.h.in */ /* diff --git a/crypto/openssl/include/openssl/bio.h b/crypto/openssl/include/openssl/bio.h --- a/crypto/openssl/include/openssl/bio.h +++ b/crypto/openssl/include/openssl/bio.h 
@@ -867,7 +867,7 @@ int (*puts) (BIO *, const char *)); int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, - int (*gets) (BIO *, char *, int)); + int (*ossl_gets) (BIO *, char *, int)); long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); diff --git a/crypto/openssl/include/openssl/configuration.h b/crypto/openssl/include/openssl/configuration.h --- a/crypto/openssl/include/openssl/configuration.h +++ b/crypto/openssl/include/openssl/configuration.h @@ -34,6 +34,9 @@ # ifndef OPENSSL_THREADS # define OPENSSL_THREADS # endif +# ifndef OPENSSL_NO_ACVP_TESTS +# define OPENSSL_NO_ACVP_TESTS +# endif # ifndef OPENSSL_NO_AFALGENG # define OPENSSL_NO_AFALGENG # endif @@ -49,10 +52,8 @@ # ifndef OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE # define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE # endif -# if !defined(__LP64__) || __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__ -# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 -# define OPENSSL_NO_EC_NISTP_64_GCC_128 -# endif +# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +# define OPENSSL_NO_EC_NISTP_64_GCC_128 # endif # ifndef OPENSSL_NO_EGD # define OPENSSL_NO_EGD @@ -60,6 +61,9 @@ # ifndef OPENSSL_NO_EXTERNAL_TESTS # define OPENSSL_NO_EXTERNAL_TESTS # endif +# ifndef OPENSSL_NO_FIPS_SECURITYCHECKS +# define OPENSSL_NO_FIPS_SECURITYCHECKS +# endif # ifndef OPENSSL_NO_FUZZ_AFL # define OPENSSL_NO_FUZZ_AFL # endif 
@@ -123,6 +127,42 @@ * The following are cipher-specific, but are part of the public API. */ # if !defined(OPENSSL_SYS_UEFI) +# undef BN_LLONG +/* Only one for the following should be defined */ +# define SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# endif + +# define RC4_INT unsigned int + +# ifdef __cplusplus +} +# endif + +#endif /* OPENSSL_CONFIGURATION_H */ + +/** + * OpenSSL's Configure script generates these values automatically for the host + * architecture, but FreeBSD provides values which are universal for all + * supported target architectures. + */ + +#ifndef __FREEBSD_CONFIGURATION_H__ +#define __FREEBSD_CONFIGURATION_H__ + +# undef OPENSSL_NO_EC_NISTP_64_GCC_128 +# if __SIZEOF_LONG__ == 4 || __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__ +# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +# define OPENSSL_NO_EC_NISTP_64_GCC_128 +# endif +# endif + +# undef BN_LLONG +# undef SIXTY_FOUR_BIT_LONG +# undef SIXTY_FOUR_BIT +# undef THIRTY_TWO_BIT +# if !defined(OPENSSL_SYS_UEFI) # if __SIZEOF_LONG__ == 8 # undef BN_LLONG /* Only one for the following should be defined */ @@ -140,10 +180,4 @@ # endif # endif -# define RC4_INT unsigned int - -# ifdef __cplusplus -} -# endif - -#endif /* OPENSSL_CONFIGURATION_H */ +#endif /* __FREEBSD_CONFIGURATION_H__ */ diff --git a/crypto/openssl/include/openssl/opensslv.h b/crypto/openssl/include/openssl/opensslv.h --- a/crypto/openssl/include/openssl/opensslv.h +++ b/crypto/openssl/include/openssl/opensslv.h @@ -29,7 +29,7 @@ */ # define OPENSSL_VERSION_MAJOR 3 # define OPENSSL_VERSION_MINOR 0 -# define OPENSSL_VERSION_PATCH 16 +# define OPENSSL_VERSION_PATCH 17 /* * Additional version information 
@@ -74,21 +74,21 @@ * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and * OPENSSL_VERSION_BUILD_METADATA_STR appended. */ -# define OPENSSL_VERSION_STR "3.0.16" -# define OPENSSL_FULL_VERSION_STR "3.0.16" +# define OPENSSL_VERSION_STR "3.0.17" +# define OPENSSL_FULL_VERSION_STR "3.0.17" /* * SECTION 3: ADDITIONAL METADATA * * These strings are defined separately to allow them to be parsable. */ -# define OPENSSL_RELEASE_DATE "11 Feb 2025" +# define OPENSSL_RELEASE_DATE "1 Jul 2025" /* * SECTION 4: BACKWARD COMPATIBILITY */ -# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.16 11 Feb 2025" +# define OPENSSL_VERSION_TEXT "OpenSSL 3.0.17 1 Jul 2025" /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */ # ifdef OPENSSL_VERSION_PRE_RELEASE diff --git a/secure/lib/libcrypto/Makefile.inc b/secure/lib/libcrypto/Makefile.inc --- a/secure/lib/libcrypto/Makefile.inc +++ b/secure/lib/libcrypto/Makefile.inc @@ -1,8 +1,7 @@ .include # OpenSSL version used for manual page generation -OPENSSL_VER= 3.0.16 -OPENSSL_DATE= 2025-02-11 +.include "Makefile.version" LCRYPTO_SRC= ${SRCTOP}/crypto/openssl LCRYPTO_DOC= ${LCRYPTO_SRC}/doc diff --git a/secure/lib/libcrypto/Makefile.version b/secure/lib/libcrypto/Makefile.version new file mode 100644 --- /dev/null +++ b/secure/lib/libcrypto/Makefile.version @@ -0,0 +1,2 @@ +OPENSSL_VER= 3.0.16 +OPENSSL_DATE= 2025-02-11
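Review bot: The new secure/lib/libcrypto/Makefile.version still carries `OPENSSL_VER= 3.0.16` and `OPENSSL_DATE= 2025-02-11`, while opensslv.h in the same change moves to 3.0.17 with release date "1 Jul 2025". Makefile.inc now takes both values from this file for manual page generation, so the pages would be stamped with the previous release. Re-running the `configure` target of crypto/openssl/BSDmakefile should produce `OPENSSL_VER=` 3.0.17 and `OPENSSL_DATE=` 2025-07-01, and that output is what belongs in the commit. A first line such as `# Generated by crypto/openssl/freebsd/dump_version_from_configdata.pl; do not edit.` would also make clear the file is not maintained by hand.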