OpenSSL: install .pc files from the exporters subdir
The .pc files generated in the root directory are used as part of the
build; they should never be installed. Use the versions from the
exporters subdirectory--which should be installed--as the .pc files
which are distributed with FreeBSD. This avoids the need for "fixing up"
these files after the fact (see `crypto/openssl/BSDmakefile` for more
details as part of this change).
Garbage collect `secure/lib/libcrypto/Makefile.version`, et al,
as they're orphaned files. They were technically unused prior to this
change as the vendor process properly embeds the version numbers in
various files, but this commit formalizes the removal.
This correction/clarification on the .pc files will be made in an
upcoming release of OpenSSL [1].
References:
1. https://github.com/openssl/openssl/issues/28803
[8 lines not shown]
crypto/openssl: remove autogenerated files
These files contain build host paths and other configuration details
that can be regenerated via the standard vendor import process. Don't
clutter up the FreeBSD tree with these files.
Add the paths to .gitignore to prevent them from accidentally being
added in a future update.
Approved by: re (cperciva)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53044
(cherry picked from commit d271d2ce152435b14e309bd8b25f47a0f4a2040f)
(cherry picked from commit 0d5ef734e91e6b03312b54ab3463ed5608ed27fa)
openssl: add a simple smoke test for the legacy provider
This change adds a simple smoke test for the legacy provider to ensure
that the provider doesn't break in the future when performing updates.
This is not a functional or system test; the OpenSSL test suite does a
much better job at doing this than we can.
Approved by: re (cperciva)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53045
(cherry picked from commit 3b6442370a17c57c4c290b9a8e1e8328da820705)
(cherry picked from commit 9b3c89ce8b2b6455d50e364708988c832672a042)
crypto/openssl: update component to 3.5.3
This change updates the sources for crypto/openssl. The subsequent
commit will update the build artifacts to match the 3.5.3 release.
More details about the update can be found in the related vendor branch
commits.
Approved by: re (cperciva)
MFC after: 1 week
Merge commit 'aed904c48f330dc76da942a8ee2d6eef9d11f572'
(cherry picked from commit 779e075df98da07468ec5dd13b44241110a2abf2)
crypto/openssl: apply polish to new vendor import process
This change does the following 2 things:
- Makes the build more repeatable by isolating the environment. This
prevents bmake from leaking variables into gmake and makes the overall
process a bit more robust.
- Adds debug printouts to make the process more straightforward for the
reader and for whoever is executing the current vendor import.
Approved by: re (cperciva)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D52420
(cherry picked from commit d18058b7b850c78f2ca1be746ab411c0bed5acc9)
(cherry picked from commit 22382d9e706baddac193f66c3a48b086fc53e98c)
ipfw: pmod: avoid further rule processing after tcp-mod failures
m_pullup() here will have freed the mbuf chain, but we pass back an
IP_FW_DENY without any signal that the outer loop should finish. Thus,
rule processing continues without an mbuf and there's a chance that we
conclude that the packet may pass (but there's no mbuf remaining)
depending on the rules that follow it.
Approved by: re (cperciva)
PR: 284606
Reviewed by: ae
(cherry picked from commit c0382512bfce872102d213b9bc2550de0bc30b67)
(cherry picked from commit 21d55ae111aada3c5426632253ad8df9103d3423)
dtrace/arm64: properly traverse the symbol table
LINKER_EACH_FUNCTION_NAMEVAL() stops processing the symbol table if a
callback function returns a non-zero value.
The fbt_provide_module_function() callback should not return 1 when
ignoring symbols. Instead, always return 0, as in dtrace/x86.
Approved by: re (cperciva)
Fixes: 30b68ecda84e ("Changes that improve DTrace FBT reliability on freebsd/arm64:")
Reviewed by: markj, oshogbo
Approved by: oshogbo (mentor)
Obtained from: CheriBSD
Differential Revision: https://reviews.freebsd.org/D53399
(cherry picked from commit 2acdec9e4d915ec61d0ca45b408f9beb7aa4b772)
(cherry picked from commit 76a0a5f91d2c8f30760cb223d732863761e268a9)
static_libpam: Don't install pam.d.5 twice
static_libpam's Makefile includes libpam's Makefile after setting some
variables (like MAN) to empty to avoid installing the manpages twice.
After commit 031e711647c3, it neglected to do this for MANNODEVLINKS,
causing pam.d.5.gz to be installed twice. This is harmless for
installworld, but breaks some things that rely on METALOG (NO_ROOT
installs) since it causes two METALOG entries to be generated for
the same file.
Approved by: re (cperciva)
Fixes: 031e711647c3 ("packages: Install development manpages in the -dev package")
MFC after: 3 days
PR: 290708
Reported by: emaste
Reviewed by: emaste
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53512
[2 lines not shown]
ifconfig: Fix invalid free() in ifbridge
parse_vlans() does 's = strdup(str)', then calls strsep(&s, ...), then
attempts to free(s) at the end of the function. For the success case,
this is fine (s is NULL, so it's a trivial memory leak), but in the
error case, we will attempt to free an invalid pointer.
Fix this by storing the original return value from strdup() and freeing
that instead.
Approved by: re (cperciva)
MFC after: 3 seconds
Reported by: David Gwynne <dlg at openbsd.org>
Reviewed by: zlei, kevans
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D53545
(cherry picked from commit 0899f7a3b791ed4878e7cb3859636ec980c76832)
(cherry picked from commit fe2e534433778c038138510ff6a8f07066e72703)
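The strdup()/strsep()/free() pattern this commit describes, shown as an added example in C. This is constructed illustration code, not the ifconfig source: the function names parse_vlans_buggy, parse_vlans_fixed and parse_vlans_count, the comma-separated input format and the 1..4094 VLAN id range are assumptions. The buggy variant is kept only for contrast; it must never be called with malformed input, because its error path is exactly the invalid free the commit fixes.

```c
#define _DEFAULT_SOURCE 1	/* strdup()/strsep() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VLANS 8

/*
 * Buggy pattern (constructed, not the ifconfig source).  strsep() advances
 * 's' past each token and sets it to NULL after the last one, so by the
 * time free(s) runs, 's' is either NULL (the strdup() buffer leaks) or
 * points into the middle of the buffer (invalid free).
 */
static int
parse_vlans_buggy(const char *str, int *out, size_t max)
{
	char *s, *tok, *end;
	size_t n = 0;
	long v;

	s = strdup(str);
	if (s == NULL)
		return (-1);
	while ((tok = strsep(&s, ",")) != NULL) {
		v = strtol(tok, &end, 10);
		if (*tok == '\0' || *end != '\0' || v < 1 || v > 4094 ||
		    n >= max) {
			free(s);	/* BUG: 's' is not what strdup() returned */
			return (-1);
		}
		out[n++] = (int)v;
	}
	free(s);			/* 's' is NULL here: the buffer leaks */
	return ((int)n);
}

/*
 * Fixed pattern: remember the pointer strdup() returned and free only that,
 * on both the error path and the success path.
 */
static int
parse_vlans_fixed(const char *str, int *out, size_t max)
{
	char *orig, *s, *tok, *end;
	size_t n = 0;
	long v;

	orig = s = strdup(str);
	if (orig == NULL)
		return (-1);
	while ((tok = strsep(&s, ",")) != NULL) {
		v = strtol(tok, &end, 10);
		if (*tok == '\0' || *end != '\0' || v < 1 || v > 4094 ||
		    n >= max) {
			free(orig);	/* the allocation, not the cursor */
			return (-1);
		}
		out[n++] = (int)v;
	}
	free(orig);			/* also closes the success-path leak */
	return ((int)n);
}

/* Parse into a scratch buffer and return the count (or -1), for checks. */
static int
parse_vlans_count(const char *str)
{
	int ids[MAX_VLANS];

	return (parse_vlans_fixed(str, ids, MAX_VLANS));
}

int
main(void)
{
	const char *inputs[] = { "10,20,30", "10,abc", "10,5000", "" };
	int ids[MAX_VLANS];
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
		printf("\"%s\" -> %d\n", inputs[i], parse_vlans_count(inputs[i]));
	/* The buggy variant only leaks on well-formed input. */
	printf("buggy, valid input -> %d\n",
	    parse_vlans_buggy("10,20,30", ids, MAX_VLANS));
	return (0);
}
```

Running the fixed parser under a malloc debugger or ASan on the malformed inputs is the quickest way to confirm the difference: the buggy variant aborts with a bad-free report on "10,abc", the fixed one simply returns -1.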
truss: Properly display first argument to nmount
The first argument to nmount(2) is an nvlist in the form of an iovec,
which truss already knows how to decode. Set the correct flag so
this happens automatically.
MFC after: 1 week
PR: 290667
(cherry picked from commit b9f848ecbafce4e56ba9c8b7993b85347e83484a)
ipfilter: Don't trust userland supplied iph_size
ipf_htable_create() trusts a user-supplied iph_size from iphtable_t
and computes the allocation size as iph->iph_size * sizeof(*iph->iph_table)
without checking for integer overflow. A sufficiently large iph_size
causes the multiplication to wrap, resulting in an under-sized allocation
for the table pointer array. Subsequent code (e.g., in ipf_htent_insert())
can then write past the end of the allocated buffer, corrupting kernel
memory and causing DoS or potential privilege escalation.
This is not typically a problem when using the ipfilter-provided
userland tools, as they calculate the correct lengths. This mitigates a
rogue actor calling ipfilter ioctls directly.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53286
ipfilter: Add an htable max size tuneable.
Add an ipfilter runtime option (ipf -T) to adjust the default
maximum hash table size. Default it to 1024 entries. It will be
used by a subsequent commit to limit any damage due to excessively
large hash table input by the user.
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53284
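The two checks the preceding ipfilter commits describe, the overflow check on the table allocation size and the maximum-size tunable that bounds it, shown together as an added example in C. This is constructed illustration code, not ipfilter's source: the names htent_t, htable_table_bytes, htable_create, htable_roundtrip and HTABLE_MAX_DEFAULT are assumptions, and the 1024 default is the value the log quotes. The wrapping variant uses explicit 32-bit arithmetic so the failure mode reproduces on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/* Constructed stand-in for the hash table entry type. */
typedef struct htent {
	uint32_t	key;
	struct htent	*next;
} htent_t;

/* Stand-in for the runtime tunable; 1024 is the default the log quotes. */
#define HTABLE_MAX_DEFAULT	1024

/*
 * The failure mode: a large entry count times the element size wraps to a
 * tiny byte count, so the allocation that follows is far smaller than the
 * number of buckets the code later indexes.  32-bit arithmetic is used
 * here so the wrap is visible on any host; 8-byte pointers are assumed.
 */
static uint32_t
table_bytes_wrapping32(uint32_t iph_size)
{
	const uint32_t elem = 8;

	return (iph_size * elem);	/* wraps modulo 2^32 */
}

/*
 * Hardened sizing: reject zero, anything above the tunable maximum, and
 * anything whose product would exceed SIZE_MAX.  Returns 0 on rejection,
 * otherwise the byte count for the bucket pointer array.
 */
static size_t
htable_table_bytes(size_t iph_size, size_t max_entries)
{
	if (iph_size == 0 || iph_size > max_entries)
		return (0);
	if (iph_size > SIZE_MAX / sizeof(htent_t *))
		return (0);		/* multiplication would overflow */
	return (iph_size * sizeof(htent_t *));
}

/* Allocate the bucket array only when the size passes the checks above. */
static htent_t **
htable_create(size_t iph_size, size_t max_entries)
{
	size_t bytes = htable_table_bytes(iph_size, max_entries);

	if (bytes == 0)
		return (NULL);
	return (calloc(1, bytes));
}

/* Create-and-free round trip; true when the request was accepted. */
static bool
htable_roundtrip(size_t iph_size, size_t max_entries)
{
	htent_t **tbl = htable_create(iph_size, max_entries);

	if (tbl == NULL)
		return (false);
	free(tbl);
	return (true);
}

int
main(void)
{
	uint32_t huge = (1u << 29) + 1;

	printf("wrapping 32-bit size for %u entries: %u bytes\n",
	    huge, table_bytes_wrapping32(huge));
	printf("checked size for %u entries: %zu (0 = rejected)\n",
	    huge, htable_table_bytes(huge, HTABLE_MAX_DEFAULT));
	printf("512 entries accepted: %s\n",
	    htable_roundtrip(512, HTABLE_MAX_DEFAULT) ? "yes" : "no");
	return (0);
}
```

The limit check and the overflow check are independent: the tunable bounds memory consumption from a legitimate but oversized request, while the SIZE_MAX division catches the wrap even when an administrator raises the tunable to a very large value.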
ipfilter: Add htable (hash table) tunable
This is in preparation for addition of a hash table max size.
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53283
ipfilter: Calculate the number of elements in ipf_errors
It serves no purpose to manually manage the IPF_NUM_ERRORS count.
Calculate it instead.
Reviewed by: emaste, markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53308
truss: Properly display first argument to nmount
The first argument to nmount(2) is an nvlist in the form of an iovec,
which truss already knows how to decode. Set the correct flag so
this happens automatically.
MFC after: 1 week
PR: 290667
(cherry picked from commit b9f848ecbafce4e56ba9c8b7993b85347e83484a)
blocklist: Update the blacklistd-helper script
Update the blacklistd-helper script, it provides a better mechanism for
detecting the active packet filter.
This is a direct commit to stable/14, as blacklist has been renamed to
blocklist.
PR: 290645
blacklist: Update the blacklistd-helper script
Update the blacklistd-helper script, it provides a better mechanism for
detecting the active packet filter.
This is a direct commit to stable/13, as blacklist has been renamed to
blocklist.
PR: 290645
mmc_fdt: handle broken-cd property
The documented properties [1] for card-detection are one of:
- cd-gpios
- non-removable
- broken-cd
In cd_setup() we handle the first two, but not the latter, resulting in
a silently undetected card on an affected system.
To work around this, force cd_disabled when broken-cd is specified, so
that the card detect helper function gets to run. A more complete
solution would implement some kind of polling mechanism to detect the
card's presence or removal.
Some variants of the Allwinner D1, such as the Lichee Rv, specify this
property in the mmc0 device node.
[1] sys/contrib/device-tree/Bindings/mmc/mmc-controller.yaml
[7 lines not shown]
libpfctl: fix error handling
In two cases we returned E2BIG where it should have been a boolean ('false').
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")