Index: head/etc/mtree/BSD.usr.dist =================================================================== --- head/etc/mtree/BSD.usr.dist (revision 352947) +++ head/etc/mtree/BSD.usr.dist (revision 352948) @@ -1,1238 +1,1244 @@ # $FreeBSD$ # # Please see the file src/etc/mtree/README before making changes to this file. # /set type=dir uname=root gname=wheel mode=0755 . bin .. include private bsdstat .. event .. gmock internal custom .. .. .. gtest internal custom .. .. .. sqlite3 .. ucl .. zstd .. .. .. lib aout .. clang 8.0.1 include sanitizer .. .. lib freebsd .. .. .. .. compat aout .. .. dtrace .. engines .. i18n .. libxo encoder .. .. .. libdata gcc .. ldscripts .. pkgconfig .. .. libexec bsdconfig 020.docsinstall include .. .. 030.packages include .. .. 040.password include .. .. 050.diskmgmt include .. .. 070.usermgmt include .. .. 080.console include .. .. 090.timezone include .. .. 110.mouse include .. .. 120.networking include .. .. 130.security include .. .. 140.startup include .. .. 150.ttys include .. .. dot include .. .. include .. includes include .. .. .. bsdinstall .. dwatch .. hyperv .. lpr ru .. .. sendmail .. sm.bin .. .. local .. obj nochange .. sbin .. share atf .. bsdconfig media .. networking .. packages .. password .. startup .. timezone .. usermgmt .. .. calendar de_AT.ISO_8859-15 .. de_DE.ISO8859-1 .. fr_FR.ISO8859-1 .. hr_HR.ISO8859-2 .. hu_HU.ISO8859-2 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. uk_UA.KOI8-U .. .. + certs + blacklisted + .. + trusted + .. + .. dict .. doc IPv6 .. atf .. legal .. llvm clang .. .. ncurses .. ntp drivers icons .. scripts .. .. hints .. icons .. pic .. scripts .. .. pjdfstest .. .. dtrace .. examples BSD_daemon .. FreeBSD_version .. IPv6 .. bhyve .. bootforth .. bsdconfig .. csh .. diskless .. dma .. drivers .. dwatch .. etc defaults .. .. find_interface .. hast .. hostapd .. indent .. ipfilter .. ipfw .. jails .. kld cdev module .. test .. .. dyn_sysctl .. firmware fwconsumer .. fwimage .. .. khelp .. syscall module .. test .. .. .. libusb20 .. libvgl .. mdoc .. netgraph .. perfmon .. pf .. ppi .. ppp .. printing .. scsi_target .. ses getencstat .. sesd .. setencstat .. setobjstat .. srcs .. .. smbfs print .. .. sunrpc dir .. msg .. sort .. .. tcsh .. uefisign .. ypldap .. .. firmware .. games fortune .. .. i18n csmapper APPLE .. AST .. BIG5 .. CNS .. CP .. EBCDIC .. GB .. GEORGIAN .. ISO-8859 .. ISO646 .. JIS .. KAZAKH .. KOI .. KS .. MISC .. TCVN .. .. esdb APPLE .. AST .. BIG5 .. CP .. DEC .. EBCDIC .. EUC .. GB .. GEORGIAN .. ISO-2022 .. ISO-8859 .. ISO646 .. KAZAKH .. KOI .. MISC .. TCVN .. UTF .. .. .. keys pkg revoked tags=package=runtime .. trusted tags=package=runtime .. .. .. locale af_ZA.ISO8859-1 .. af_ZA.ISO8859-15 .. af_ZA.UTF-8 .. ar_AE.UTF-8 .. ar_EG.UTF-8 .. ar_JO.UTF-8 .. ar_MA.UTF-8 .. ar_QA.UTF-8 .. ar_SA.UTF-8 .. am_ET.UTF-8 .. be_BY.CP1131 .. be_BY.CP1251 .. be_BY.ISO8859-5 .. be_BY.UTF-8 .. bg_BG.CP1251 .. bg_BG.UTF-8 .. ca_AD.ISO8859-1 .. ca_AD.ISO8859-15 .. ca_ES.ISO8859-1 .. ca_ES.ISO8859-15 .. ca_FR.ISO8859-1 .. ca_FR.ISO8859-15 .. ca_IT.ISO8859-1 .. ca_IT.ISO8859-15 .. ca_AD.UTF-8 .. ca_ES.UTF-8 .. ca_FR.UTF-8 .. ca_IT.UTF-8 .. cs_CZ.ISO8859-2 .. cs_CZ.UTF-8 .. da_DK.ISO8859-1 .. da_DK.ISO8859-15 .. da_DK.UTF-8 .. de_AT.ISO8859-1 .. de_AT.ISO8859-15 .. de_AT.UTF-8 .. de_CH.ISO8859-1 .. de_CH.ISO8859-15 .. de_CH.UTF-8 .. de_DE.ISO8859-1 .. de_DE.ISO8859-15 .. de_DE.UTF-8 .. el_GR.ISO8859-7 .. el_GR.UTF-8 .. en_AU.ISO8859-1 .. en_AU.ISO8859-15 .. en_AU.US-ASCII .. en_AU.UTF-8 .. en_CA.ISO8859-1 .. en_CA.ISO8859-15 .. en_CA.US-ASCII .. en_CA.UTF-8 .. en_GB.ISO8859-1 .. en_GB.ISO8859-15 .. en_GB.US-ASCII .. en_GB.UTF-8 .. en_HK.ISO8859-1 .. en_HK.UTF-8 .. en_IE.ISO8859-1 .. en_IE.ISO8859-15 .. en_IE.UTF-8 .. en_NZ.ISO8859-1 .. en_NZ.ISO8859-15 .. en_NZ.US-ASCII .. en_NZ.UTF-8 .. en_PH.UTF-8 .. en_SG.ISO8859-1 .. en_SG.UTF-8 .. en_US.ISO8859-1 .. en_US.ISO8859-15 .. en_US.US-ASCII .. en_US.UTF-8 .. en_ZA.ISO8859-1 .. en_ZA.ISO8859-15 .. en_ZA.US-ASCII .. en_ZA.UTF-8 .. es_AR.ISO8859-1 .. es_AR.UTF-8 .. es_CR.UTF-8 .. es_ES.ISO8859-1 .. es_ES.ISO8859-15 .. es_ES.UTF-8 .. es_MX.ISO8859-1 .. es_MX.UTF-8 .. et_EE.ISO8859-1 .. et_EE.ISO8859-15 .. et_EE.UTF-8 .. eu_ES.ISO8859-1 .. eu_ES.ISO8859-15 .. eu_ES.UTF-8 .. fi_FI.ISO8859-1 .. fi_FI.ISO8859-15 .. fi_FI.UTF-8 .. fr_BE.ISO8859-1 .. fr_BE.ISO8859-15 .. fr_BE.UTF-8 .. fr_CA.ISO8859-1 .. fr_CA.ISO8859-15 .. fr_CA.UTF-8 .. fr_CH.ISO8859-1 .. fr_CH.ISO8859-15 .. fr_CH.UTF-8 .. fr_FR.ISO8859-1 .. fr_FR.ISO8859-15 .. fr_FR.UTF-8 .. ga_IE.UTF-8 .. he_IL.UTF-8 .. hi_IN.ISCII-DEV .. hi_IN.UTF-8 .. hr_HR.ISO8859-2 .. hr_HR.UTF-8 .. hu_HU.ISO8859-2 .. hu_HU.UTF-8 .. hy_AM.ARMSCII-8 .. hy_AM.UTF-8 .. is_IS.ISO8859-1 .. is_IS.ISO8859-15 .. is_IS.UTF-8 .. it_CH.ISO8859-1 .. it_CH.ISO8859-15 .. it_CH.UTF-8 .. it_IT.ISO8859-1 .. it_IT.ISO8859-15 .. it_IT.UTF-8 .. ja_JP.SJIS .. ja_JP.UTF-8 .. ja_JP.eucJP .. kk_KZ.UTF-8 .. ko_KR.CP949 .. ko_KR.UTF-8 .. ko_KR.eucKR .. lt_LT.ISO8859-13 .. lt_LT.UTF-8 .. lv_LV.ISO8859-13 .. lv_LV.UTF-8 .. mn_MN.UTF-8 .. nb_NO.ISO8859-1 .. nb_NO.ISO8859-15 .. nb_NO.UTF-8 .. nl_BE.ISO8859-1 .. nl_BE.ISO8859-15 .. nl_BE.UTF-8 .. nl_NL.ISO8859-1 .. nl_NL.ISO8859-15 .. nl_NL.UTF-8 .. nn_NO.ISO8859-1 .. nn_NO.ISO8859-15 .. nn_NO.UTF-8 .. pl_PL.ISO8859-2 .. pl_PL.UTF-8 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. pt_PT.ISO8859-1 .. pt_PT.ISO8859-15 .. pt_PT.UTF-8 .. ro_RO.ISO8859-2 .. ro_RO.UTF-8 .. ru_RU.CP1251 .. ru_RU.CP866 .. ru_RU.ISO8859-5 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. se_FI.UTF-8 .. se_NO.UTF-8 .. sk_SK.ISO8859-2 .. sk_SK.UTF-8 .. sl_SI.ISO8859-2 .. sl_SI.UTF-8 .. sr_RS.ISO8859-5 .. sr_RS.UTF-8 .. sr_RS.ISO8859-2 .. sr_RS.UTF-8@latin .. sv_FI.ISO8859-1 .. sv_FI.ISO8859-15 .. sv_FI.UTF-8 .. sv_SE.ISO8859-1 .. sv_SE.ISO8859-15 .. sv_SE.UTF-8 .. tr_TR.ISO8859-9 .. tr_TR.UTF-8 .. uk_UA.CP1251 .. uk_UA.ISO8859-5 .. uk_UA.KOI8-U .. uk_UA.UTF-8 .. zh_CN.GB18030 .. zh_CN.GB2312 .. zh_CN.GBK .. zh_CN.eucCN .. zh_CN.UTF-8 .. zh_HK.UTF-8 .. zh_TW.Big5 .. zh_TW.UTF-8 .. .. man man1 .. man2 .. man3 .. man4 aarch64 .. amd64 .. arm .. i386 .. powerpc .. sparc64 .. .. man5 .. man6 .. man7 .. man8 amd64 .. i386 .. powerpc .. sparc64 .. .. man9 .. .. misc fonts .. .. mk .. nls C .. af_ZA.ISO8859-1 .. af_ZA.ISO8859-15 .. af_ZA.UTF-8 .. am_ET.UTF-8 .. be_BY.CP1131 .. be_BY.CP1251 .. be_BY.ISO8859-5 .. be_BY.UTF-8 .. bg_BG.CP1251 .. bg_BG.UTF-8 .. ca_ES.ISO8859-1 .. ca_ES.ISO8859-15 .. ca_ES.UTF-8 .. cs_CZ.ISO8859-2 .. cs_CZ.UTF-8 .. da_DK.ISO8859-1 .. da_DK.ISO8859-15 .. da_DK.UTF-8 .. de_AT.ISO8859-1 .. de_AT.ISO8859-15 .. de_AT.UTF-8 .. de_CH.ISO8859-1 .. de_CH.ISO8859-15 .. de_CH.UTF-8 .. de_DE.ISO8859-1 .. de_DE.ISO8859-15 .. de_DE.UTF-8 .. el_GR.ISO8859-7 .. el_GR.UTF-8 .. en_AU.ISO8859-1 .. en_AU.ISO8859-15 .. en_AU.US-ASCII .. en_AU.UTF-8 .. en_CA.ISO8859-1 .. en_CA.ISO8859-15 .. en_CA.US-ASCII .. en_CA.UTF-8 .. en_GB.ISO8859-1 .. en_GB.ISO8859-15 .. en_GB.US-ASCII .. en_GB.UTF-8 .. en_IE.UTF-8 .. en_NZ.ISO8859-1 .. en_NZ.ISO8859-15 .. en_NZ.US-ASCII .. en_NZ.UTF-8 .. en_US.ISO8859-1 .. en_US.ISO8859-15 .. en_US.UTF-8 .. es_ES.ISO8859-1 .. es_ES.ISO8859-15 .. es_ES.UTF-8 .. et_EE.ISO8859-15 .. et_EE.UTF-8 .. fi_FI.ISO8859-1 .. fi_FI.ISO8859-15 .. fi_FI.UTF-8 .. fr_BE.ISO8859-1 .. fr_BE.ISO8859-15 .. fr_BE.UTF-8 .. fr_CA.ISO8859-1 .. fr_CA.ISO8859-15 .. fr_CA.UTF-8 .. fr_CH.ISO8859-1 .. fr_CH.ISO8859-15 .. fr_CH.UTF-8 .. fr_FR.ISO8859-1 .. fr_FR.ISO8859-15 .. fr_FR.UTF-8 .. gl_ES.ISO8859-1 .. he_IL.UTF-8 .. hi_IN.ISCII-DEV .. hr_HR.ISO8859-2 .. hr_HR.UTF-8 .. hu_HU.ISO8859-2 .. hu_HU.UTF-8 .. hy_AM.ARMSCII-8 .. hy_AM.UTF-8 .. is_IS.ISO8859-1 .. is_IS.ISO8859-15 .. is_IS.UTF-8 .. it_CH.ISO8859-1 .. it_CH.ISO8859-15 .. it_CH.UTF-8 .. it_IT.ISO8859-1 .. it_IT.ISO8859-15 .. it_IT.UTF-8 .. ja_JP.SJIS .. ja_JP.UTF-8 .. ja_JP.eucJP .. kk_KZ.PT154 .. kk_KZ.UTF-8 .. ko_KR.CP949 .. ko_KR.UTF-8 .. ko_KR.eucKR .. lt_LT.ISO8859-13 .. lt_LT.UTF-8 .. lv_LV.ISO8859-13 .. lv_LV.UTF-8 .. mn_MN.UTF-8 .. nl_BE.ISO8859-1 .. nl_BE.ISO8859-15 .. nl_BE.UTF-8 .. nl_NL.ISO8859-1 .. nl_NL.ISO8859-15 .. nl_NL.UTF-8 .. no_NO.ISO8859-1 .. no_NO.ISO8859-15 .. no_NO.UTF-8 .. pl_PL.ISO8859-2 .. pl_PL.UTF-8 .. pt_BR.ISO8859-1 .. pt_BR.UTF-8 .. pt_PT.ISO8859-1 .. pt_PT.ISO8859-15 .. pt_PT.UTF-8 .. ro_RO.ISO8859-2 .. ro_RO.UTF-8 .. ru_RU.CP1251 .. ru_RU.CP866 .. ru_RU.ISO8859-5 .. ru_RU.KOI8-R .. ru_RU.UTF-8 .. sk_SK.ISO8859-2 .. sk_SK.UTF-8 .. sl_SI.ISO8859-2 .. sl_SI.UTF-8 .. sr_YU.ISO8859-2 .. sr_YU.ISO8859-5 .. sr_YU.UTF-8 .. sv_SE.ISO8859-1 .. sv_SE.ISO8859-15 .. sv_SE.UTF-8 .. tr_TR.ISO8859-9 .. tr_TR.UTF-8 .. uk_UA.ISO8859-5 .. uk_UA.KOI8-U .. uk_UA.UTF-8 .. zh_CN.GB18030 .. zh_CN.GB2312 .. zh_CN.GBK .. zh_CN.UTF-8 .. zh_CN.eucCN .. zh_HK.UTF-8 .. zh_TW.UTF-8 .. .. openssl man man1 .. man3 .. .. .. security .. sendmail .. skel .. snmp defs .. mibs .. .. syscons fonts .. keymaps .. scrnmaps .. .. tabset .. vi catalog .. .. vt fonts .. keymaps .. .. zoneinfo Africa .. America Argentina .. Indiana .. Kentucky .. North_Dakota .. .. Antarctica .. Arctic .. Asia .. Atlantic .. Australia .. Etc .. Europe .. Indian .. Pacific .. SystemV .. .. .. src nochange .. .. Index: head/secure/Makefile =================================================================== --- head/secure/Makefile (revision 352947) +++ head/secure/Makefile (revision 352948) @@ -1,39 +1,41 @@ # $FreeBSD$ .include SUBDIR= lib .WAIT \ libexec usr.bin usr.sbin SUBDIR_PARALLEL= SUBDIR.${MK_TESTS}+= tests +SUBDIR.${MK_CAROOT}+= caroot + # These are the programs which depend on crypto, but not Kerberos. SPROGS= lib/libfetch lib/libpam lib/libradius lib/libtelnet \ bin/ed libexec/telnetd usr.bin/fetch usr.bin/telnet \ usr.sbin/ppp usr.sbin/tcpdump/tcpdump .if ${MK_SENDMAIL} != "no" SPROGS+=usr.sbin/sendmail .endif # This target is used to rebuild these programs with crypto. secure: .MAKE .PHONY .for entry in ${SPROGS} cd ${.CURDIR:H}/${entry}; \ ${MAKE} cleandir; \ ${MAKE} obj; \ ${MAKE} all; \ ${MAKE} install .endfor # This target is used to rebuild these programs without crypto. insecure: .MAKE .PHONY .for entry in ${SPROGS} cd ${.CURDIR:H}/${entry}; \ ${MAKE} MK_CRYPT=no cleandir; \ ${MAKE} MK_CRYPT=no obj; \ ${MAKE} MK_CRYPT=no all; \ ${MAKE} MK_CRYPT=no install .endfor .include Index: head/secure/caroot/MAca-bundle.pl =================================================================== --- head/secure/caroot/MAca-bundle.pl (nonexistent) +++ head/secure/caroot/MAca-bundle.pl (revision 352948) @@ -0,0 +1,272 @@ +#!/usr/bin/env perl +## +## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt +## +## Rewritten in September 2011 by Matthias Andree to heed untrust +## + +## Copyright (c) 2011, 2013 Matthias Andree +## All rights reserved. +## Copyright (c) 2018, Allan Jude +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted provided that the following conditions are +## met: +## +## * Redistributions of source code must retain the above copyright +## notice, this list of conditions and the following disclaimer. +## +## * Redistributions in binary form must reproduce the above copyright +## notice, this list of conditions and the following disclaimer in the +## documentation and/or other materials provided with the distribution. +## +## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +## POSSIBILITY OF SUCH DAMAGE. + +use strict; +use Carp; +use MIME::Base64; +use Getopt::Long; + +my $VERSION = '$FreeBSD$'; +my $inputfh = *STDIN; +my $debug = 0; +my $infile; +my $outputdir; +my %labels; +my %certs; +my %trusts; + +$debug++ + if defined $ENV{'WITH_DEBUG'} + and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/; + +GetOptions ( + "debug+" => \$debug, + "infile:s" => \$infile, + "outputdir:s" => \$outputdir) + or die("Error in command line arguments\n$0 [-d] [-i input-file] [-o output-dir]\n"); + +if ($infile) { + open($inputfh, "<", $infile) or die "Failed to open $infile"; +} + +sub print_header($$) +{ + my $dstfile = shift; + my $label = shift; + + if ($outputdir) { + print $dstfile <) { + last if /^END/; + my (undef,@oct) = split /\\/; + my @bin = map(chr(oct), @oct); + $data .= join('', @bin); + } + + return $data; +} + + +sub grabcert($) +{ + my $ifh = shift; + my $certdata; + my $cka_label; + my $serial; + + while (<$ifh>) { + chomp; + last if ($_ eq ''); + + if (/^CKA_LABEL UTF8 "([^"]+)"/) { + $cka_label = $1; + } + + if (/^CKA_VALUE MULTILINE_OCTAL/) { + $certdata = graboct($ifh); + } + + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } + } + return ($serial, $cka_label, $certdata); +} + +sub grabtrust($) { + my $ifh = shift; + my $cka_label; + my $serial; + my $maytrust = 0; + my $distrust = 0; + + while (<$ifh>) { + chomp; + last if ($_ eq ''); + + if (/^CKA_LABEL UTF8 "([^"]+)"/) { + $cka_label = $1; + } + + if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { + $serial = graboct($ifh); + } + + if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/) + { + if ($2 eq 'CKT_NSS_NOT_TRUSTED') { + $distrust = 1; + } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') { + $maytrust = 1; + } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') { + confess "Unknown trust setting on line $.:\n" + . "$_\n" + . "Script must be updated:"; + } + } + } + + if (!$maytrust && !$distrust && $debug) { + print STDERR "line $.: no explicit trust/distrust found for $cka_label\n"; + } + + my $trust = ($maytrust and not $distrust); + return ($serial, $cka_label, $trust); +} + +if (!$outputdir) { + print_header(*STDOUT, ""); +} + +while (<$inputfh>) { + if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { + my ($serial, $label, $certdata) = grabcert($inputfh); + if (defined $certs{$label."\0".$serial}) { + warn "Certificate $label duplicated!\n"; + } + $certs{$label."\0".$serial} = $certdata; + # We store the label in a separate hash because truncating the key + # with \0 was causing garbage data after the end of the text. + $labels{$label."\0".$serial} = $label; + } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { + my ($serial, $label, $trust) = grabtrust($inputfh); + if (defined $trusts{$label."\0".$serial}) { + warn "Trust for $label duplicated!\n"; + } + $trusts{$label."\0".$serial} = $trust; + $labels{$label."\0".$serial} = $label; + } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) { + print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n"; + } +} + +sub label_to_filename(@) { + my @res = @_; + map { s/\0.*//; s/[^[:alnum:]\-]/_/g; $_ = "$_.pem"; } @res; + return wantarray ? @res : $res[0]; +} + +# weed out untrusted certificates +my $untrusted = 0; +foreach my $it (keys %trusts) { + if (!$trusts{$it}) { + if (!exists($certs{$it})) { + warn "Found trust for nonexistent certificate $labels{$it}\n" if $debug; + } else { + delete $certs{$it}; + warn "Skipping untrusted $labels{$it}\n" if $debug; + $untrusted++; + } + } +} + +if (!$outputdir) { + print "## Untrusted certificates omitted from this bundle: $untrusted\n\n"; +} +print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n"; + +my $certcount = 0; +foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { + my $fh = *STDOUT; + my $filename; + if (!exists($trusts{$it})) { + die "Found certificate without trust block,\naborting"; + } + if ($outputdir) { + $filename = label_to_filename($labels{$it}); + open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $filename"; + print_header($fh, $labels{$it}); + } + printcert($fh, $labels{$it}, $certs{$it}); + if ($outputdir) { + close($fh) or die "Unable to close: $filename"; + } else { + print $fh "\n\n\n"; + } + $certcount++; + print STDERR "Trusting $certcount: $labels{$it}\n" if $debug; +} + +if ($certcount < 25) { + die "Certificate count of $certcount is implausibly low.\nAbort"; +} + +if (!$outputdir) { + print "## Number of certificates: $certcount\n"; + print "## End of file.\n"; +} +print STDERR "## Number of certificates: $certcount\n"; Property changes on: head/secure/caroot/MAca-bundle.pl ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/secure/caroot/Makefile =================================================================== --- head/secure/caroot/Makefile (nonexistent) +++ head/secure/caroot/Makefile (revision 352948) @@ -0,0 +1,21 @@ +# $FreeBSD$ + +PACKAGE= caroot + +CLEANFILES+= certdata.txt + +SUBDIR+= trusted +SUBDIR+= blacklisted + +.include + +# To be used by secteam@ to update the trusted certificates + +fetchcerts: .PHONY + fetch --no-sslv3 --no-tlsv1 -o certdata.txt 'https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt' + +cleancerts: .PHONY + @${MAKE} -C ${.CURDIR}/trusted ${.TARGET} + +updatecerts: .PHONY cleancerts fetchcerts + perl ${.CURDIR}/MAca-bundle.pl -i certdata.txt -o ${.CURDIR}/trusted Property changes on: head/secure/caroot/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/secure/caroot/README =================================================================== --- head/secure/caroot/README (nonexistent) +++ head/secure/caroot/README (revision 352948) @@ -0,0 +1,34 @@ +# $FreeBSD$ + +This directory contains the scripts to update the TLS CA Root Certificates +that comprise the 'root trust store'. + +The 'updatecerts' make target should be run periodically by secteam@ +specifically when there is an important change to the list of trusted root +certificates included by Mozilla. + +It will: + 1) Remove the old trusted certificates (cleancerts) + 2) Download the latest certdata.txt from Mozilla (fetchcerts) + 3) Split certdata.txt into the individual .pem files (updatecerts) + +Then the results should manually be inspected (svn status) + 1) Any no-longer-trusted certificates should be moved to the + blacklisted directory (svn mv) + 2) any newly added certificates will need to be added (svn add) + + +The following make targets exist: + +cleancerts: + Delete the old certificates, run as a dependency of updatecerts. + +fetchcerts: + Download the latest certdata.txt from the Mozilla NSS hg repo + See the changelog here: + https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt + +updatecerts: + Runs a perl script (MAca-bundle.pl) on the downloaded certdata.txt + to generate the individual certificate files (.pem) and store them + in the trusted/ directory. Property changes on: head/secure/caroot/README ___________________________________________________________________ Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Index: head/secure/caroot/blacklisted/Makefile =================================================================== --- head/secure/caroot/blacklisted/Makefile (nonexistent) +++ head/secure/caroot/blacklisted/Makefile (revision 352948) @@ -0,0 +1,7 @@ +# $FreeBSD$ + +BINDIR= /usr/share/certs/blacklisted + +FILES= + +.include Property changes on: head/secure/caroot/blacklisted/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/secure/caroot/trusted/Makefile =================================================================== --- head/secure/caroot/trusted/Makefile (nonexistent) +++ head/secure/caroot/trusted/Makefile (revision 352948) @@ -0,0 +1,12 @@ +# $FreeBSD$ + +BINDIR= /usr/share/certs/trusted + +TRUSTED_CERTS!= ls ${.CURDIR}/*.pem 2> /dev/null || true + +FILES+= ${TRUSTED_CERTS} + +cleancerts: + @[ -z "${TRUSTED_CERTS}" ] || rm ${TRUSTED_CERTS} + +.include Property changes on: head/secure/caroot/trusted/Makefile ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/share/mk/src.opts.mk =================================================================== --- head/share/mk/src.opts.mk (revision 352947) +++ head/share/mk/src.opts.mk (revision 352948) @@ -1,597 +1,598 @@ # $FreeBSD$ # # Option file for FreeBSD /usr/src builds. # # Users define WITH_FOO and WITHOUT_FOO on the command line or in /etc/src.conf # and /etc/make.conf files. These translate in the build system to MK_FOO={yes,no} # with sensible (usually) defaults. # # Makefiles must include bsd.opts.mk after defining specific MK_FOO options that # are applicable for that Makefile (typically there are none, but sometimes there # are exceptions). Recursive makes usually add MK_FOO=no for options that they wish # to omit from that make. # # Makefiles must include bsd.mkopt.mk before they test the value of any MK_FOO # variable. # # Makefiles may also assume that this file is included by src.opts.mk should it # need variables defined there prior to the end of the Makefile where # bsd.{subdir,lib.bin}.mk is traditionally included. # # The old-style YES_FOO and NO_FOO are being phased out. No new instances of them # should be added. Old instances should be removed since they were just to # bridge the gap between FreeBSD 4 and FreeBSD 5. # # Makefiles should never test WITH_FOO or WITHOUT_FOO directly (although an # exception is made for _WITHOUT_SRCONF which turns off this mechanism # completely inside bsd.*.mk files). # .if !target(____) ____: .include # # Define MK_* variables (which are either "yes" or "no") for users # to set via WITH_*/WITHOUT_* in /etc/src.conf and override in the # make(1) environment. # These should be tested with `== "no"' or `!= "no"' in makefiles. # The NO_* variables should only be set by makefiles for variables # that haven't been converted over. # # These options are used by the src builds. Those listed in # __DEFAULT_YES_OPTIONS default to 'yes' and will build unless turned # off. __DEFAULT_NO_OPTIONS will default to 'no' and won't build # unless turned on. Any options listed in 'BROKEN_OPTIONS' will be # hard-wired to 'no'. "Broken" here means not working or # not-appropriate and/or not supported. It doesn't imply something is # wrong with the code. There's not a single good word for this, so # BROKEN was selected as the least imperfect one considered at the # time. Options are added to BROKEN_OPTIONS list on a per-arch basis. # At this time, there's no provision for mutually incompatible options. __DEFAULT_YES_OPTIONS = \ ACCT \ ACPI \ AMD \ APM \ AT \ ATM \ AUDIT \ AUTHPF \ AUTOFS \ BHYVE \ BINUTILS \ BINUTILS_BOOTSTRAP \ BLACKLIST \ BLUETOOTH \ BOOT \ BOOTPARAMD \ BOOTPD \ BSD_CPIO \ BSD_CRTBEGIN \ BSDINSTALL \ BSNMP \ BZIP2 \ CALENDAR \ CAPSICUM \ + CAROOT \ CASPER \ CCD \ CDDL \ CPP \ CROSS_COMPILER \ CRYPT \ CUSE \ CXX \ CXGBETOOL \ DIALOG \ DICT \ DMAGENT \ DYNAMICROOT \ EE \ EFI \ ELFTOOLCHAIN_BOOTSTRAP \ EXAMPLES \ FDT \ FILE \ FINGER \ FLOPPY \ FMTREE \ FORTH \ FP_LIBC \ FREEBSD_UPDATE \ FTP \ GAMES \ GCOV \ GDB \ GNU_DIFF \ GNU_GREP \ GPIO \ HAST \ HTML \ HYPERV \ ICONV \ INET \ INET6 \ INETD \ IPFILTER \ IPFW \ ISCSI \ JAIL \ KDUMP \ KVM \ LDNS \ LDNS_UTILS \ LEGACY_CONSOLE \ LIB32 \ LIBPTHREAD \ LIBTHR \ LLVM_COV \ LOADER_GELI \ LOADER_LUA \ LOADER_OFW \ LOADER_UBOOT \ LOCALES \ LOCATE \ LPR \ LS_COLORS \ LZMA_SUPPORT \ MAIL \ MAILWRAPPER \ MAKE \ MLX5TOOL \ NDIS \ NETCAT \ NETGRAPH \ NLS_CATALOGS \ NS_CACHING \ NTP \ NVME \ OFED \ OPENSSL \ PAM \ PF \ PKGBOOTSTRAP \ PMC \ PORTSNAP \ PPP \ QUOTAS \ RADIUS_SUPPORT \ RBOOTD \ RESCUE \ ROUTED \ SENDMAIL \ SERVICESDB \ SETUID_LOGIN \ SHAREDOCS \ SOURCELESS \ SOURCELESS_HOST \ SOURCELESS_UCODE \ SVNLITE \ SYSCONS \ SYSTEM_COMPILER \ SYSTEM_LINKER \ TALK \ TCP_WRAPPERS \ TCSH \ TELNET \ TEXTPROC \ TFTP \ UNBOUND \ USB \ UTMPX \ VI \ VT \ WIRELESS \ WPA_SUPPLICANT_EAPOL \ ZFS \ LOADER_ZFS \ ZONEINFO __DEFAULT_NO_OPTIONS = \ BEARSSL \ BSD_GREP \ CLANG_EXTRAS \ DTRACE_TESTS \ EXPERIMENTAL \ GNU_GREP_COMPAT \ HESIOD \ HTTPD \ LIBSOFT \ LOADER_FIREWIRE \ LOADER_FORCE_LE \ LOADER_VERBOSE \ LOADER_VERIEXEC_PASS_MANIFEST \ OFED_EXTRA \ OPENLDAP \ REPRODUCIBLE_BUILD \ RPCBIND_WARMSTART_SUPPORT \ SHARED_TOOLCHAIN \ SORT_THREADS \ SVN \ ZONEINFO_LEAPSECONDS_SUPPORT \ ZONEINFO_OLD_TIMEZONES_SUPPORT \ # LEFT/RIGHT. Left options which default to "yes" unless their corresponding # RIGHT option is disabled. __DEFAULT_DEPENDENT_OPTIONS= \ CLANG_FULL/CLANG \ LLVM_TARGET_ALL/CLANG \ LOADER_VERIEXEC/BEARSSL \ LOADER_EFI_SECUREBOOT/LOADER_VERIEXEC \ VERIEXEC/BEARSSL \ # MK_*_SUPPORT options which default to "yes" unless their corresponding # MK_* variable is set to "no". # .for var in \ BLACKLIST \ BZIP2 \ INET \ INET6 \ KERBEROS \ KVM \ NETGRAPH \ PAM \ TESTS \ WIRELESS __DEFAULT_DEPENDENT_OPTIONS+= ${var}_SUPPORT/${var} .endfor # # Default behaviour of some options depends on the architecture. Unfortunately # this means that we have to test TARGET_ARCH (the buildworld case) as well # as MACHINE_ARCH (the non-buildworld case). Normally TARGET_ARCH is not # used at all in bsd.*.mk, but we have to make an exception here if we want # to allow defaults for some things like clang to vary by target architecture. # Additional, per-target behavior should be rarely added only after much # gnashing of teeth and grinding of gears. # .if defined(TARGET_ARCH) __T=${TARGET_ARCH} .else __T=${MACHINE_ARCH} .endif .if defined(TARGET) __TT=${TARGET} .else __TT=${MACHINE} .endif # Default GOOGLETEST to off for MIPS while LLVM PR 43263 is active. Part # of the fusefs tests trigger excessively long compile times. It does # eventually succeed, but this shouldn't be forced on those building by default. .if ${__TT} == "mips" __DEFAULT_NO_OPTIONS+= GOOGLETEST .else __DEFAULT_YES_OPTIONS+= GOOGLETEST .endif # All supported backends for LLVM_TARGET_XXX __LLVM_TARGETS= \ aarch64 \ arm \ mips \ powerpc \ sparc \ x86 __LLVM_TARGET_FILT= C/(amd64|i386)/x86/:S/sparc64/sparc/:S/arm64/aarch64/:S/powerpc64/powerpc/ .for __llt in ${__LLVM_TARGETS} # Default the given TARGET's LLVM_TARGET support to the value of MK_CLANG. .if ${__TT:${__LLVM_TARGET_FILT}} == ${__llt} __DEFAULT_DEPENDENT_OPTIONS+= LLVM_TARGET_${__llt:${__LLVM_TARGET_FILT}:tu}/CLANG # Disable other targets for arm and armv6, to work around "relocation truncated # to fit" errors with BFD ld, since libllvm.a will get too large to link. .elif ${__T} == "arm" || ${__T} == "armv6" __DEFAULT_NO_OPTIONS+=LLVM_TARGET_${__llt:tu} # aarch64 needs arm for -m32 support. .elif ${__TT} == "arm64" && ${__llt} == "arm" __DEFAULT_DEPENDENT_OPTIONS+= LLVM_TARGET_ARM/LLVM_TARGET_AARCH64 # Default the rest of the LLVM_TARGETs to the value of MK_LLVM_TARGET_ALL # which is based on MK_CLANG. .else __DEFAULT_DEPENDENT_OPTIONS+= LLVM_TARGET_${__llt:${__LLVM_TARGET_FILT}:tu}/LLVM_TARGET_ALL .endif .endfor __DEFAULT_NO_OPTIONS+=LLVM_TARGET_BPF __DEFAULT_NO_OPTIONS+=LLVM_TARGET_RISCV .include # If the compiler is not C++11 capable, disable Clang and use GCC instead. # This means that architectures that have GCC 4.2 as default can not # build Clang without using an external compiler. .if ${COMPILER_FEATURES:Mc++11} && (${__T} == "aarch64" || \ ${__T} == "amd64" || ${__TT} == "arm" || ${__T} == "i386") # Clang is enabled, and will be installed as the default /usr/bin/cc. __DEFAULT_YES_OPTIONS+=CLANG CLANG_BOOTSTRAP CLANG_IS_CC LLD __DEFAULT_NO_OPTIONS+=GCC GCC_BOOTSTRAP GNUCXX GPL_DTC .elif ${COMPILER_FEATURES:Mc++11} && ${__T:Mriscv*} == "" && ${__T} != "sparc64" # If an external compiler that supports C++11 is used as ${CC} and Clang # supports the target, then Clang is enabled but GCC is installed as the # default /usr/bin/cc. __DEFAULT_YES_OPTIONS+=CLANG GCC GCC_BOOTSTRAP GNUCXX GPL_DTC LLD __DEFAULT_NO_OPTIONS+=CLANG_BOOTSTRAP CLANG_IS_CC .else # Everything else disables Clang, and uses GCC instead. __DEFAULT_YES_OPTIONS+=GCC GCC_BOOTSTRAP GNUCXX GPL_DTC __DEFAULT_NO_OPTIONS+=CLANG CLANG_BOOTSTRAP CLANG_IS_CC LLD .endif # In-tree binutils/gcc are older versions without modern architecture support. .if ${__T} == "aarch64" || ${__T:Mriscv*} != "" BROKEN_OPTIONS+=BINUTILS BINUTILS_BOOTSTRAP GCC GCC_BOOTSTRAP GDB .endif .if ${__T:Mriscv*} != "" BROKEN_OPTIONS+=OFED .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" || \ ${__T:Mriscv*} != "" || ${__TT} == "mips" __DEFAULT_YES_OPTIONS+=LLVM_LIBUNWIND .else __DEFAULT_NO_OPTIONS+=LLVM_LIBUNWIND .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "armv7" || \ ${__T} == "i386" __DEFAULT_YES_OPTIONS+=LLD_BOOTSTRAP LLD_IS_LD .else __DEFAULT_NO_OPTIONS+=LLD_BOOTSTRAP LLD_IS_LD .endif .if ${__T} == "aarch64" || ${__T} == "amd64" || ${__T} == "i386" __DEFAULT_YES_OPTIONS+=LLDB .else __DEFAULT_NO_OPTIONS+=LLDB .endif # LLVM lacks support for FreeBSD 64-bit atomic operations for ARMv4/ARMv5 .if ${__T} == "arm" BROKEN_OPTIONS+=LLDB .endif # GDB in base is generally less functional than GDB in ports. Ports GDB # sparc64 kernel support has not been tested. .if ${__T} == "sparc64" __DEFAULT_NO_OPTIONS+=GDB_LIBEXEC .else __DEFAULT_YES_OPTIONS+=GDB_LIBEXEC .endif # Only doing soft float API stuff on armv6 and armv7 .if ${__T} != "armv6" && ${__T} != "armv7" BROKEN_OPTIONS+=LIBSOFT .endif .if ${__T:Mmips*} BROKEN_OPTIONS+=SSP .endif # EFI doesn't exist on mips, powerpc, sparc or riscv. .if ${__T:Mmips*} || ${__T:Mpowerpc*} || ${__T:Msparc64} || ${__T:Mriscv*} BROKEN_OPTIONS+=EFI .endif # OFW is only for powerpc and sparc64, exclude others .if ${__T:Mpowerpc*} == "" && ${__T:Msparc64} == "" BROKEN_OPTIONS+=LOADER_OFW .endif # UBOOT is only for arm, mips and powerpc, exclude others .if ${__T:Marm*} == "" && ${__T:Mmips*} == "" && ${__T:Mpowerpc*} == "" BROKEN_OPTIONS+=LOADER_UBOOT .endif # GELI and Lua in loader currently cause boot failures on sparc64 and powerpc. # Further debugging is required -- probably they are just broken on big # endian systems generically (they jump to null pointers or try to read # crazy high addresses, which is typical of endianness problems). .if ${__T} == "sparc64" || ${__T:Mpowerpc*} BROKEN_OPTIONS+=LOADER_GELI LOADER_LUA .endif .if ${__T:Mmips64*} # profiling won't work on MIPS64 because there is only assembly for o32 BROKEN_OPTIONS+=PROFILE .endif .if ${__T} != "aarch64" && ${__T} != "amd64" && ${__T} != "i386" && \ ${__T} != "powerpc64" && ${__T} != "sparc64" BROKEN_OPTIONS+=CXGBETOOL BROKEN_OPTIONS+=MLX5TOOL .endif # HyperV is currently x86-only .if ${__T} != "amd64" && ${__T} != "i386" BROKEN_OPTIONS+=HYPERV .endif # NVME is only aarch64, x86 and powerpc64 .if ${__T} != "aarch64" && ${__T} != "amd64" && ${__T} != "i386" && ${__T} != "powerpc64" BROKEN_OPTIONS+=NVME .endif # Sparc64 need extra crt*.o files .if ${__T:Msparc64} BROKEN_OPTIONS+=BSD_CRTBEGIN .endif .if ${COMPILER_FEATURES:Mc++11} && (${__T} == "amd64" || ${__T} == "i386") __DEFAULT_YES_OPTIONS+=OPENMP .else __DEFAULT_NO_OPTIONS+=OPENMP .endif .include # # MK_* options that default to "yes" if the compiler is a C++11 compiler. # .for var in \ LIBCPLUSPLUS .if !defined(MK_${var}) .if ${COMPILER_FEATURES:Mc++11} .if defined(WITHOUT_${var}) MK_${var}:= no .else MK_${var}:= yes .endif .else .if defined(WITH_${var}) MK_${var}:= yes .else MK_${var}:= no .endif .endif .endif .endfor # # Force some options off if their dependencies are off. # Order is somewhat important. # .if !${COMPILER_FEATURES:Mc++11} MK_GOOGLETEST:= no MK_LLVM_LIBUNWIND:= no .endif .if ${MK_CAPSICUM} == "no" MK_CASPER:= no .endif .if ${MK_LIBPTHREAD} == "no" MK_LIBTHR:= no .endif .if ${MK_LDNS} == "no" MK_LDNS_UTILS:= no MK_UNBOUND:= no .endif .if ${MK_SOURCELESS} == "no" MK_SOURCELESS_HOST:= no MK_SOURCELESS_UCODE:= no .endif .if ${MK_CDDL} == "no" MK_ZFS:= no MK_LOADER_ZFS:= no MK_CTF:= no .endif .if ${MK_CRYPT} == "no" MK_OPENSSL:= no MK_OPENSSH:= no MK_KERBEROS:= no .endif .if ${MK_CXX} == "no" MK_CLANG:= no MK_GNUCXX:= no MK_TESTS:= no .endif .if ${MK_DIALOG} == "no" MK_BSDINSTALL:= no .endif .if ${MK_MAIL} == "no" MK_MAILWRAPPER:= no MK_SENDMAIL:= no MK_DMAGENT:= no .endif .if ${MK_NETGRAPH} == "no" MK_ATM:= no MK_BLUETOOTH:= no .endif .if ${MK_NLS} == "no" MK_NLS_CATALOGS:= no .endif .if ${MK_OPENSSL} == "no" MK_OPENSSH:= no MK_KERBEROS:= no .endif .if ${MK_PF} == "no" MK_AUTHPF:= no .endif .if ${MK_OFED} == "no" MK_OFED_EXTRA:= no .endif .if ${MK_PORTSNAP} == "no" # freebsd-update depends on phttpget from portsnap MK_FREEBSD_UPDATE:= no .endif .if ${MK_TESTS} == "no" MK_DTRACE_TESTS:= no .endif .if ${MK_TESTS_SUPPORT} == "no" MK_GOOGLETEST:= no .endif .if ${MK_ZONEINFO} == "no" MK_ZONEINFO_LEAPSECONDS_SUPPORT:= no MK_ZONEINFO_OLD_TIMEZONES_SUPPORT:= no .endif .if ${MK_CROSS_COMPILER} == "no" MK_BINUTILS_BOOTSTRAP:= no MK_CLANG_BOOTSTRAP:= no MK_ELFTOOLCHAIN_BOOTSTRAP:= no MK_GCC_BOOTSTRAP:= no MK_LLD_BOOTSTRAP:= no .endif .if ${MK_TOOLCHAIN} == "no" MK_BINUTILS:= no MK_CLANG:= no MK_GCC:= no MK_GDB:= no MK_INCLUDES:= no MK_LLD:= no MK_LLDB:= no .endif .if ${MK_CLANG} == "no" MK_CLANG_EXTRAS:= no MK_CLANG_FULL:= no MK_LLVM_COV:= no .endif .if ${MK_LOADER_VERIEXEC} == "no" MK_LOADER_VERIEXEC_PASS_MANIFEST := no .endif # # MK_* options whose default value depends on another option. # .for vv in \ GSSAPI/KERBEROS \ MAN_UTILS/MAN .if defined(WITH_${vv:H}) MK_${vv:H}:= yes .elif defined(WITHOUT_${vv:H}) MK_${vv:H}:= no .else MK_${vv:H}:= ${MK_${vv:T}} .endif .endfor # # Set defaults for the MK_*_SUPPORT variables. # .if !${COMPILER_FEATURES:Mc++11} MK_LLDB:= no .endif # gcc 4.8 and newer supports libc++, so suppress gnuc++ in that case. # while in theory we could build it with that, we don't want to do # that since it creates too much confusion for too little gain. # XXX: This is incomplete and needs X_COMPILER_TYPE/VERSION checks too # to prevent Makefile.inc1 from bootstrapping unneeded dependencies # and to support 'make delete-old' when supplying an external toolchain. .if ${COMPILER_TYPE} == "gcc" && ${COMPILER_VERSION} >= 40800 MK_GNUCXX:=no MK_GCC:=no .endif .endif # !target(____)