HardenedBSD/src e34690ecrypto/openssl/crypto/ec ecp_nistz256_table.c curve25519.c, crypto/openssl/ssl s3_lib.c

Merge branch 'freebsd/current/main' into hardened/current/master
DeltaFile
+14,894-9,513crypto/openssl/crypto/ec/ecp_nistz256_table.c
+10,184-10,183crypto/openssl/test/ecdsatest.h
+9,620-1,938crypto/openssl/test/quic_record_test.c
+3,601-3,206crypto/openssl/ssl/s3_lib.c
+2,877-2,722crypto/openssl/test/sslapitest.c
+2,625-2,478crypto/openssl/crypto/ec/curve25519.c
+43,801-30,0403,235 files not shown
+215,463-173,1343,241 files

HardenedBSD/ports e73674fdatabases/datafusion-cli distinfo Makefile.crates, databases/py-datafusion distinfo

Merge branch 'freebsd/main' into hardenedbsd/main
DeltaFile
+1,197-0databases/datafusion-cli/distinfo
+1,003-0databases/rainfrog/distinfo
+531-433math/py-pcodec/distinfo
+435-437databases/py-datafusion/distinfo
+597-0databases/datafusion-cli/Makefile.crates
+500-0databases/rainfrog/Makefile.crates
+4,263-8701,583 files not shown
+9,952-5,5851,589 files

HardenedBSD/src 43dc4b3tests/sys/fs/fusefs Makefile

Account for the ctl test needing the ctl(4) module

This testcase does not function unless the /dev/ctl/... node exists,
which is created by the ctl(4) module. Require the ctl(4) module to be
loaded so the test can be executed.

MFC after: 1 week
Differential Revision:  https://reviews.freebsd.org/D54518

(cherry picked from commit da59b3147b01203bb18bcd03cce7a6d5916e87c3)
DeltaFile
+3-0tests/sys/fs/fusefs/Makefile
+3-01 files

HardenedBSD/src 1f5795bshare/man/man4 vt.4, share/syscons/fonts INDEX.fonts

INDEX.fonts: Minor maintenance

+ Mention relevance of this file in the vt manual screen.font entry
+ The vidfont manual is in section one, not eight
+ Remove leftover blank line from freebsd tag removal

MFC after:      3 days
DeltaFile
+3-0share/man/man4/vt.4
+1-2share/vt/fonts/INDEX.fonts
+1-2stand/fonts/INDEX.fonts
+1-2share/syscons/fonts/INDEX.fonts
+6-64 files

HardenedBSD/src f43d0accrypto/openssl BSDmakefile

crypto/openssl: fix importing new versions from pristine trees

Prior to this change, CC was not being passed through to Configure,
which was resulting in failures when Configure was running compiler
checks.

Pass through CC via `WRK_ENV` to Configure so the compiler is defined
properly as part of the initial build.

MFC after:      1 month
Fixes:          d18058b7b850 ("crypto/openssl: apply polish to new vendor import process")
Differential Revision:  https://reviews.freebsd.org/D52595

(cherry picked from commit 52c4b76d1dd385fbe33b78172e39a10749b83d13)
DeltaFile
+6-1crypto/openssl/BSDmakefile
+6-11 files

HardenedBSD/src f5828b8sys/sys param.h

Bump `__FreeBSD_version` for ee6882e6b1287aa9

While the change in ee6882e6b1287aa9 was likely benign, this commit is
playing it safe by updating __FreeBSD_version, per the libcrypto
dependencies change, as libcrypto now explicitly depends on libpthread
and has threading support explicitly enabled.

This is a direct commit to stable/15.
DeltaFile
+1-1sys/sys/param.h
+1-11 files

HardenedBSD/src ee6882esecure/lib/libcrypto Makefile, secure/lib/libcrypto/modules Makefile.inc

OpenSSL: update Makefiles to reflect 3.5.1 release

This is a targeted effort to update the INCS and SRCS entries for
libcrypto, the legacy provider, and libssl to match what upstream
(OpenSSL) builds in their respective libraries.

The number of stylistic changes were kept at a minimum.

Another incoming change will reformat this file to make future
maintenance easier.

MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D52554

(cherry picked from commit d5984d5f29a7c717b88ccd17a85a747792403cdf)
DeltaFile
+30-19secure/lib/libcrypto/Makefile
+36-5secure/lib/libcrypto/modules/legacy/Makefile
+0-7secure/lib/libcrypto/modules/Makefile.inc
+1-1share/mk/src.libnames.mk
+1-1secure/lib/libssl/Makefile
+68-335 files

HardenedBSD/ports 541a42dnet/wireguard-tools Makefile

net/wireguard-tools: Set maintainer

Improve port:
- Replace PORTVERSION with DISTVERSION.
- Remove MAKE_ENV+=MANDIR="${PREFIX}/share/man" - it's default value.
- Fix warnings from portclippy.
- Improve indents.
- Replace ".if ${PORT_OPTIONS:MWGQUICK}" with
  "WGQUICK_VARS= USE_RC_SUBR=wireguard_wgquick".
- Add strip bin/wg.

PR:             292620
Approved by:    Juhani Krekelä <juhani at krekela.fi> (new maintainer)
DeltaFile
+16-18net/wireguard-tools/Makefile
+16-181 files

HardenedBSD/src 48ba16fsys/modules/iwlwifi Makefile

iwlwifi: fix the gcc build

- Only apply the previously added CWARNFLAGS to `drv.c` instead of the
  whole module.
- Only apply `-Wno-initializer-overrides` to CWARNFLAGS in the clang
  scenario as it's not supported with gcc.

This fixes building the module with gcc and avoids accidentally
introducing tech debt with the module, in the event other issues are
accidentally introduced.

MFC after:      3 days
Fixes:          6b627f8858 ("iwlwifi: update Intel's mvm/mld drivers")
Differential Revision:  https://reviews.freebsd.org/D53591

(cherry picked from commit 2ec6a2e5f01120ea8d4e667e7773d8b140e40c75)
DeltaFile
+2-2sys/modules/iwlwifi/Makefile
+2-21 files

HardenedBSD/src 631ff52crypto/openssl FREEBSD-upgrade.md FREEBSD-upgrade

crypto/openssl: update vendor update instructions

This change fills out the requirements for doing vendor updates,
documents the new vendor update process, and guides whoever needs to do
the next version update a bit better than the documentation did prior to
this change so everyone can pitch in with version updates a bit better.

Convert the document to Markdown while here to make it easier to
render/print out the directions in a structured format.

MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D53190

(cherry picked from commit 08cdcff58acb2aec881e42c7f097d6492d864898)
DeltaFile
+202-0crypto/openssl/FREEBSD-upgrade.md
+0-122crypto/openssl/FREEBSD-upgrade
+202-1222 files

HardenedBSD/src 1731fc7crypto/openssl/include/openssl ssl.h bio.h

OpenSSL: update vendor sources to match 3.5.5 content

MFC with:       f25b8c9fb4f58cf61adb47d7570abe7caa6d385d
MFC after:      1 week
DeltaFile
+1,423-1,416crypto/openssl/include/openssl/ssl.h
+538-532crypto/openssl/include/openssl/bio.h
+451-462crypto/openssl/include/openssl/asn1t.h
+403-358crypto/openssl/include/openssl/x509v3.h
+344-346crypto/openssl/include/openssl/x509.h
+331-330crypto/openssl/include/openssl/x509_vfy.h
+3,490-3,444946 files not shown
+15,475-11,782952 files

HardenedBSD/src f25b8c9crypto/openssl/crypto/ec ecp_nistz256_table.c curve25519.c, crypto/openssl/ssl s3_lib.c

openssl: import 3.5.5

This change adds OpenSSL 3.5.5 from upstream [1].

The 3.5.5 artifact was been verified via PGP key [2] and by SHA256 checksum [3].

This is a security release, but also contains several bugfixes. All of
the CVE-worthy issues have already been addressed on the target
branch(es), so the net-result is that this is a bugfix release.

More information about the release (from a high level) can be found in
the release notes [4].

MFC after:      1 week

1. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz
2. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.asc
3. https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz.sha256
4. https://github.com/openssl/openssl/blob/openssl-3.5.5/NEWS.md

    [2 lines not shown]
DeltaFile
+14,894-9,513crypto/openssl/crypto/ec/ecp_nistz256_table.c
+10,184-10,183crypto/openssl/test/ecdsatest.h
+9,620-1,938crypto/openssl/test/quic_record_test.c
+3,601-3,206crypto/openssl/ssl/s3_lib.c
+2,877-2,722crypto/openssl/test/sslapitest.c
+2,625-2,478crypto/openssl/crypto/ec/curve25519.c
+43,801-30,0402,263 files not shown
+199,825-161,2952,269 files

HardenedBSD/ports 200782emath/wxmaxima Makefile, math/wxmaxima/files patch-src_Maxima.cpp patch-src_Maxima.h

math/wxmaxima: Use wx 3.2, fix connection to maxima

- Use wx 3.2
- Fix connection to maxima by reverting upstream patch:
https://github.com/wxMaxima-developers/wxmaxima/issues/2028

PR:             289270
Approved by:    eduardo (mentor)
DeltaFile
+45-0math/wxmaxima/files/patch-src_Maxima.cpp
+28-0math/wxmaxima/files/patch-src_Maxima.h
+2-2math/wxmaxima/files/patch-src_Dirstructure.cpp
+2-1math/wxmaxima/Makefile
+77-34 files

HardenedBSD/ports 8586e16devel/pthreadpool Makefile distinfo

devel/pthreadpool: update 0.1-126 → 0.1.147

PR:             291106
Reported by:    Mikhail Teterin <mi at FreeBSD.org>
DeltaFile
+4-2devel/pthreadpool/Makefile
+3-3devel/pthreadpool/distinfo
+7-52 files

HardenedBSD/ports 7abdcdfgames/chessx Makefile distinfo, games/chessx/files patch-chessx.pro

games/chessx: update 1.6.2 -> 1.6.8

- submitter is maintainer

Changes:        https://github.com/Isarhamster/chessx/blob/master/ChangeLog.md
PR:             292841
DeltaFile
+19-6games/chessx/files/patch-chessx.pro
+1-7games/chessx/Makefile
+3-3games/chessx/distinfo
+23-163 files

HardenedBSD/src fe81e39usr.bin/sockstat main.c

sockstat: Surround explicit IPv6 addresses with brackets

PR:             254611
Approved by:    otis, tuexen, des
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D54375
DeltaFile
+9-1usr.bin/sockstat/main.c
+9-11 files

HardenedBSD/ports 381b947graphics/drm-latest-kmod Makefile

graphics/drm-latest-kmod: apply 2b49118158d0aa7cb to port

This unbreaks the package build with clang 21+.

MFH:            2026Q1
Approved by:    emaste (maintainer)
Reviewed by:    emaste, dim
Differential Revision:  https://reviews.freebsd.org/D54993
DeltaFile
+7-1graphics/drm-latest-kmod/Makefile
+7-11 files

HardenedBSD/ports 00bbdd2graphics/lightzone Makefile

graphics/lightzone: force jdk8 because it does not build with jdk11+

PR:             292671
DeltaFile
+3-2graphics/lightzone/Makefile
+3-21 files

HardenedBSD/ports d2ac78cgames/lizzie Makefile

games/lizzie: force jdk8 because it does not build with jdk11+

PR:             292662
DeltaFile
+2-1games/lizzie/Makefile
+2-11 files

HardenedBSD/ports 090d584devel/gitleaks Makefile

devel/gitleaks: Update WWW
DeltaFile
+2-1devel/gitleaks/Makefile
+2-11 files

HardenedBSD/ports 98250c2devel/got distinfo Makefile, devel/got/files patch-Makefile.in

devel/got: update to 0.121

No user-visible changes.
DeltaFile
+6-4devel/got/files/patch-Makefile.in
+3-3devel/got/distinfo
+1-1devel/got/Makefile
+10-83 files

HardenedBSD/ports 12e5207databases/mysql80-server/files patch-router_src_harness_include_mysql_harness_stdx_expected.h

databases/mysql80-server: fix build with libc++ 20 and higher

With libc++ 20 and higher, databases/mysql80-server fails to compile,
resulting in errors similar to:

    In file included from /wrkdirs/usr/ports/databases/mysql80-server/work/mysql-8.0.44/router/src/harness/src/stdx/filesystem.cc:40:
    /wrkdirs/usr/ports/databases/mysql80-server/work/mysql-8.0.44/router/src/harness/src/../include/mysql/harness/stdx/expected.h:74:8: error: 'is_default_constructible' cannot be specialized: Users are not allowed to specialize this standard library entity [-Winvalid-specialization]
       74 | struct is_default_constructible<std::unique_ptr<T, void (*)(T *)>>
          |        ^
    /usr/include/c++/v1/__type_traits/is_constructible.h:49:8: note: marked '_Clang::no_specializations' here
       49 | struct _LIBCPP_NO_SPECIALIZATIONS is_default_constructible : integral_constant<bool, __is_constructible(_Tp)> {};
          |        ^
    /usr/include/c++/v1/__config:1167:9: note: expanded from macro '_LIBCPP_NO_SPECIALIZATIONS'
     1167 |       [[_Clang::__no_specializations__("Users are not allowed to specialize this standard library entity")]]
          |         ^

This is due to a workaround for a std::unique_ptr problem which is only
applicable to gcc before 7.1, so the whole workaround can be deleted,
which fixes the problem.

    [6 lines not shown]
DeltaFile
+29-0databases/mysql80-server/files/patch-router_src_harness_include_mysql_harness_stdx_expected.h
+29-01 files

HardenedBSD/ports b03d74dsysutils/auto-admin distinfo Makefile

sysutils/auto-admin: Update to 0.8.4.14

auto-cups-setup: Tolerate missing drivers (prep for deprecation)
auto-install-base-components: Check for pkgbase
auto-ly-enable: New script to enable ly login manager
auto-pkg-latest:
    Fix missing _${VERSION_MINOR} in kmods repo config
    Offer to overwrite config file when already using latest
auto-update-system: Include /etc/pkg in repo checks
auto-dreckly-setup: Fix pkgsrc wip URL
DeltaFile
+3-3sysutils/auto-admin/distinfo
+2-2sysutils/auto-admin/Makefile
+1-0sysutils/auto-admin/pkg-plist
+6-53 files

HardenedBSD/ports 40a0dd4devel/gitleaks Makefile

devel/gitleaks: Fix version option

PR:             292559
DeltaFile
+2-2devel/gitleaks/Makefile
+2-21 files

HardenedBSD/ports 5ced306devel/taskflow pkg-plist distinfo

devel/taskflow: Fix fetch because 4.0.0 was re-rolled

PR:             292433
Reported by:    Sebastian Oswald <sko at rostwald.de>
DeltaFile
+0-8devel/taskflow/pkg-plist
+3-3devel/taskflow/distinfo
+2-1devel/taskflow/Makefile
+5-123 files

HardenedBSD/ports 1256587emulators/virtualbox-ose-additions-70 Makefile, emulators/virtualbox-ose-additions-71 Makefile

emulators/virtualbox-ose-additions-7{0,1,2}: Fix build on i386

Runtime not tested.

MFH:    2026Q1
DeltaFile
+2-1emulators/virtualbox-ose-additions-70/Makefile
+2-1emulators/virtualbox-ose-additions-71/Makefile
+2-1emulators/virtualbox-ose-additions-72/Makefile
+6-33 files

HardenedBSD/ports 1fe6f24math/vtk9/files patch-ThirdParty_fmt_vtkfmt_vtkfmt_format.h

math/vtk9: fix build with libc++ 21

With libc++ 21, math/vtk9 fails to compile, resulting in errors similar
to:

    In file included from /wrkdirs/usr/ports/math/vtk9/work/VTK-9.5.2/ThirdParty/fmt/vtkfmt/src/os.cc:14:
    In file included from /wrkdirs/usr/ports/math/vtk9/work/VTK-9.5.2/ThirdParty/fmt/vtkfmt/vtkfmt/os.h:11:
    /wrkdirs/usr/ports/math/vtk9/work/VTK-9.5.2/ThirdParty/fmt/vtkfmt/vtkfmt/format.h:747:28: error: use of undeclared identifier 'malloc'
      747 |     T* p = static_cast<T*>(malloc(n * sizeof(T)));
          |                            ^~~~~~
    /wrkdirs/usr/ports/math/vtk9/work/VTK-9.5.2/ThirdParty/fmt/vtkfmt/vtkfmt/format.h:752:35: error: use of undeclared identifier 'free'
      752 |   void deallocate(T* p, size_t) { free(p); }
          |                                   ^~~~

This is because malloc and free are defined in <cstdlib>, which is not
included in vtk's format.h. Add the include to fix the build.

PR:             292590
Approved by:    yuri (maintainer)
MFH:            2026Q1
DeltaFile
+10-0math/vtk9/files/patch-ThirdParty_fmt_vtkfmt_vtkfmt_format.h
+10-01 files

HardenedBSD/ports 3bd3c19misc/py-pytorch Makefile, misc/py-pytorch/files patch-third__party_fmt_include_fmt_format.h

misc/py-pytorch: fix build with clang >= 19 and libc++ 21

In ports f07b5ade5369 misc/py-pytorch was forced onto llvm:max=15, with
the reason "fix build on 14". Remove this, and add a patch to make it
build with clang >= 19 and libc++ 21.

PR:             292664
Approved by:    yuri (maintainer)
MFH:            2026Q1
DeltaFile
+10-0misc/py-pytorch/files/patch-third__party_fmt_include_fmt_format.h
+0-4misc/py-pytorch/Makefile
+10-42 files

HardenedBSD/ports a7c0dcesysutils/mise Makefile

sysutils/mise: No longer requires rust-nightly

PR:             291744
Reported by:    James TD Smith <ahktenzero+freebsd at mohorovi.cc>
DeltaFile
+0-2sysutils/mise/Makefile
+0-21 files

HardenedBSD/src d195b37sys/kern uipc_socket.c

sctp: fix socket type created by sctp_peeloff()

When calling sctp_peeloff() on a SOCK_SEQPACKET socket, the created
and returned socket has the type SOCK_STREAM.
This is specified in section 9.2 of RFC 6458.

Reported by:    Xin Long
MFC after:      3 days
DeltaFile
+4-2sys/kern/uipc_socket.c
+4-21 files