diff --git a/UPDATING b/UPDATING index 10a57980b74c..382cf5f5bd48 100644 --- a/UPDATING +++ b/UPDATING @@ -1,5479 +1,5496 @@ This file documents some of the problems you may encounter when upgrading your ports. We try our best to minimize these disruptions, but sometimes they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20231014: + AFFECTS: users of security/openssl and security/openssl30 + AUTHOR: brnrd@FreeBSD.org + + The openssl port was renamed to openssl111 and subsequently the + openssl30 port was renamed to openssl. + + The shared library version of OpenSSL has been bumped. + + Users of DEFAULT_VERSIONS= ssl=openssl30 must update this to + ssl=openssl. + Users of DEFAULT_VERSIONS= ssl=openssl should not change this unless + they use ports that require the deprecated OpenSSL 1.1.1 version. + + You must rebuild all ports that depend on OpenSSL if you use OpenSSL + from ports. + 20231011: AFFECTS: users of www/caddy AUTHOR: adamw@FreeBSD.org The default admin endpoint has changed from localhost:2019 to /var/run/caddy/caddy.sock. Using a Unix socket is more secure, allowing it to be secured by filesystem permissions rather than requiring a firewall. If you only control caddy from the rc(8) script (service caddy ...), you don't need to do anything. If you access the API yourself, you will want to update your scripts to use the new socket. To use the old endpoint, add the following to /etc/rc.conf: caddy_admin="localhost:2019" 20231009: AFFECTS: users of net/ntpd-rs AUTHOR: mikael@freebsd.org In 1.0.0 the configuration has been completely reworked, please check the documentation for details. Configuration will not automatically migrate. 20231004: AFFECTS: www/gitlab-ce AUTHOR: mfechner@FreeBSD.org Before you upgrade to version 16.4.x or higher, make sure you did the upgrade to 16.3.x! The database migration for 16.4.1 can fail due to unexpected name of a foreign key. So it is recommended to have a database backup available in case the solution described in the update manual does not work for you. The upgrade manual can be found as usual here: https://gitlab.fechner.net/mfechner/Gitlab-docu/-/blob/master/update/16.3-16.4-freebsd.md 20230930: AFFECTS: users of Transmission (net-p2p/transmission@*) AUTHOR: mondo.debater_0q@icloud.com Fixes Bug 274065 by reorganizing the port as a metaport (net-p2p/transmission) and components port (net-p2p/transmission-components). Each component may be installed through the flavors of transmission-componenents (@cli, @daemon, @docs, @gtk, @qt, @utils). Alternatively, one or more component may be installed by running make config on the metaport net-p2p/transmission. AFFECTS: users of devel/php-composer2 AUTHOR: madpilot@FreeBSD.org The composer2 ports has been moved over the old devel/php-composer port, which was still providing the old EOLed version 1 of the software. Please use `pkg install php81-composer` (substitute 81 with the PHP version you're using) to properly upgrade. 20230924: AFFECTS: users of XFCE desktop (x11-wm/xfce4) AUTHOR: madpilot@FreeBSD.org XFCE 4.18 is incompatible with the latest version of the adwaita icon theme (version 42.0 and newer), which was used as the default one. Due to this the default icon theme has been changed to x11-themes/xfce-icons-elementary. Users that have XFCE already installed and are using the adwaita icon theme will notice missing icons. To fix this you can install any other icon theme (like x11-themes/xfce-icons-elementary) and configure XFCE to use that via the "appearance" settings application, under the "icons" tab. 20230919: AFFECTS: users of net-p2p/transmission AUTHOR: mondo.debater_0q@icloud.com The 4.0 port haphazardly consolidated prior slave ports into flavors of a single port. The flavors have now been revised to better match releases prior to 4.0. The -full flavor included in the 4.0 port has been replaced with -default, which restores the compile-time options of prior release's metaport. Other flavors allow for more piecemeal installs. The prior -web slave port can be installed through the -default flavor or the -daemon flavor. See Bug 273841 for more details. 20230915: AFFECTS: users of print/ghostscript10 AUTHOR: michael.osipov@siemens.com The port flavors have been replaced with a default port option of X11. The flavors approach creates conflicting dependencies with other ports which cannot be solved this time with the ports framework. See PRs 270989 and 272541 for details. 20230910: AFFECTS: users of dns/powerdns AUTHOR: tremere@cainites.net In Authoritative Server 4.8, the LMDB backend gains a new Lightning Stream-compatible schema, which requires a data migration (this is automatic, and there is no migration back to the old schema). LMDB backend users should pay extra attention to the Upgrade Notes (https://doc.powerdns.com/authoritative/upgrading.html). 20230910: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org 1. Please make sure that the PostgreSQL server for the NetBox instance is running version 12 or higher. This is because Django 4.2 requires PostgreSQL 12 as a minimum. 2. Please also check the pkg-message and the changelogs for further info. 20230908: AFFECTS: users of databases/postgresql* and other software using PostgreSQL to run AUTHOR: kbowling@FreeBSD.org The default version of PostgreSQL has been switched from 13 to 15. The upgrade procedure can use up twice the space the databases currently needs. If you have a big amount of stored data take a closer look at the manpage of pg_upgrade for avoidance and/or speedup of the upgrade. The upgrade instructions consider a basic usage and do not match complex scenarios like replication, sharding, or similar. Upgrade instructions: First stop your PostgreSQL, create PostgreSQL-binaries and backup your data. If you have another Version of PostgreSQL installed, for example 13, your files are named according to this. # service postgresql stop # pkg create postgresql13-server postgresql13-contrib # mkdir /tmp/pg-upgrade # tar xf postgresql13-server-13.12.pkg -C /tmp/pg-upgrade # tar xf postgresql13-contrib-13.12.pkg -C /tmp/pg-upgrade # pkg delete -f databases/postgresql13-server databases/postgresql13-contrib databases/postgresql13-client Now update PostgreSQL: pkg user: # pkg install databases/postgresql15-server databases/postgresql15-contrib # pkg upgrade Portmaster users: # portmaster databases/postgresql15-server databases/postgresql15-contrib # portmaster -a Portupgrade users: # portinstall databases/postgresql15-server databases/postgresql15-contrib # portupgrade -a After installing the new PostgreSQL version you need to convert all your databases to new version: # su -l postgres -c "/usr/local/bin/initdb --encoding=utf-8 --lc-collate=C -D /var/db/postgres/data15 -U postgres" # su -l postgres -c "pg_upgrade -b /tmp/pg-upgrade/usr/local/bin/ -d /var/db/postgres/data13/ -B /usr/local/bin/ -D /var/db/postgres/data15/ -U postgres " Now the migration is finished. You can start PostgreSQL again with: # service postgresql start ATTENTION: 1) The default user changed from "pgsql" to "postgres" in 11. The migration steps above now assume the "postgres" database user and FreeBSD user. 2) See the updating entry 20190829 if you are updating from a release prior to 11. 3) If you use non-default initdb options, you have to adjust the initdb-command accordingly 20230906: AUTHOR: jrm@FreeBSD.org AFFECTS: users of sysutils/devcpu-data* The CPU microcode ports have been reorganized. The new ports are: sysutils/cpu-microcode, sysutils/cpu-microcode-amd, sysutils/cpu-microcode-intel, and cpu-microcode-rc. To install all CPU microcode packages: pkg install cpu-microcode To install only packages for a specific CPU vendor: pkg install cpu-microcode-amd or pkg install cpu-microcode-intel To give users time to adjust to these changes, sysutils/devcpu-data will remain in the tree until the end of 2023. The port has been converted to a metaport and now provides the same functionality as sysutils/cpu-microcode. Refer to the commit log in bc7829212d153aeff69b439d08e2e3001ef88ba3 for an explanation as to why these changes were made. 20230904: AUTHOR: netchild@FreeBSD.org AFFECTS: users of misc/openhab The rc.d script of 4.0.2 had an error which didn't take the user to run openhab into account. After installing the update and stopping openhab run (for the default settings) chown -R openhab:openhab /var/db/openhab/userdata /var/log/openhab If you use other directories for the userdata and logs, you need to adapt accordingly. 20230822: AUTHOR: arrowd@FreeBSD.org AFFECTS: users of sysutils/polkit together with sysutils/consolekit2 ConsoleKit2 has grown some logind1 compatibility which resulted in breaking changes in its API. One of its consumers, Polkit, is patched to handle it, so make sure to update both ports simultaneously. 20230822: AUTHOR: leres@FreeBSD.org AFFECTS: users of security/zeek Zeek has been upgraded to 6.0.0 and the NETMAP option was removed; it was too difficult to build it without zeek being installed in %%PREFIX%%. The consensus was that this was a rarely used feature, please reach out to me if need this (I've done some work on a new security/zeek-netmap port that is probably the right way forward). When I upgraded zeek on my systems I found some cruft left over from previous versions. The way I recommend upgrading from 5.0.9 to 6.0.0 is: service zeek stop pkg delete -fy zeek py311-zkg [clean up leftover files in /usr/local/lib/zeek] pkg install -y zeek service zeek deploy 20230817: AFFECTS: users of databases/redis AUTHOR: yasu@FreeBSD.org The databases/redis port has been updated to 7.2. Users wanting to stay on 7.0 can replace databases/redis with databases/redis70 with one of the following commands. If you use pkg with binary packages: # pkg set -o databases/redis:databases/redis70 # pkg upgrade If you use portmaster: # portmaster -o databases/redis70 databases/redis If you use portupgrade: # portupgrade -o databases/redis70 databases/redis 20230814: AFFECTS: usrs of www/kdsoap AUTHOR: kde@FreeBSD.org The port www/kdsoap has been flavorized to support both Qt5 and Qt6. For symmetry, the Qt5 package has been renamed to kdsoap-qt5. 20230811: AFFECTS: users of www/p5-AnyEvent-WebSocket-Client AUTHOR: rodrigo@FreeBSD.org The update to AnyEvent-WebSocket-Client 0.55 introduce a change in behavior: close() default return code is now 1000 instead of 1005 20230730: AFFECTS: users of lang/perl5* AUTHOR: delphij@FreeBSD.org The default Perl version has been switched to Perl 5.34. If you are using binary packages to upgrade your system, you do not have anything to do, pkg upgrade will do the right thing. For the other people, follow the instructions in entry 20181213, it should still be the same. 20230726: AFFECTS: users of misc/openhab AUTHOR: netchild@FreeBSD.org The update to openhab 4.0.0 may require changes to the running 3.x setup. Read the release notes at https://github.com/openhab/openhab-distro/releases/tag/4.0.0 and the blog entry at https://www.openhab.org/blog/2023-07-23-openhab-4-0-release.html for manual changes which are required before updating the port. After the update the pkg-message provides some more info about manual changes which are required to perform before the first start of 4.0.0. Note, this includes a switch from java 11 to java 17. You can deinstall openjdk11 afterwards, if it is not needed for something else. 20230723: AFFECTS: users of security/py-cryptography AUTHOR: tcberner@FreeBSD.org Modern py-cryptography uses rust. In order to still support the Tier-2 architectures without rust support, a new default-version was added: PYCRYPTOGRAPHY it allows for the values 'rust' and 'legacy'. The default is 'rust' on all platforms supporting this. Note: users that are relying on the 'legacy' version will also take care of using a non-base OpenSSL in the future. 20230620: AFFECTS: users of lang/elixir-devel AUTHOR: dch@FreeBSD.org Note that Elixir now *requires* OTP25+ or better at runtime. For the -devel flavour you are still free to choose OTP25 or OTP26, but the default OTP24 from lang/erlang will *not* work. 20230618: AFFECTS: users of devel/soft-serve AUTHOR: ashish@FreeBSD.org soft-serve no longer uses config repository for configuration. To migrate configuration from 0.4.x to 0.5.x, please review the upgrade documentation at: https://github.com/charmbracelet/soft-serve/releases/tag/v0.5.0 The migration process has been incorporated in rc.d script's migrate command, and can be performed using following instructions: 0. Please make sure to backup repository data 1. Stop existing process: # /usr/local/etc/rc.d/soft-serve stop 2. Run the rc.d script to migrate, e.g. # /usr/local/etc/rc.d/soft-serve migrate INFO Setting SSH listen address... INFO Copying SSH host key... INFO Reading config repository... INFO Setting server settings... INFO Copying repos... INFO Copying repo ports INFO Copying readme from "config" to ".soft-serve" INFO Setting repos metadata & collabs... INFO Creating users & collabs... INFO Creating user "ashish" INFO Writing config... INFO Done! Another variable is introduced in rc.d script, soft_serve_data_path, indicating the path to data directory used by soft-serve. 20230618: AFFECTS: textproc/apache-solr* AUTHOR: mfechner@FreeBSD.org Apache solr is upgraded to version 9. Data migration is required, examples for dovecot data can be found here: https://dovecot.org/pipermail/dovecot/2022-May/124701.html https://dovecot.org/pipermail/dovecot/2022-May/124711.html If you like to stay on version8: # pkg delete apache-solr # pkg install apache-solr8 20230609: AFFECTS: users of security/sequoia AUTHOR: vishwin@FreeBSD.org sq has been split to security/sequoia-sq; security/sequoia becomes a meta-port, where security/sequoia-sq is currently the only dependency. As other programs are individually ported over, they will become OPTIONS in the meta-port. Per upstream, FFI is deprecated in favour of point solutions. 20230602: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org 1. If the plugin security/py-netbox-secretstore is used, which is no longer maintained by upstream, the following steps must be done before upgrading to NetBox 3.5: * Migrate from security/py-netbox-secretstore (= 1.4.2_2) to security/py-netbox-secrets (= 1.7.6) with a NetBox 3.4.x instance. It is very important that the versions of py-netbox-secretstore and py-netbox-secrets match as specified otherwise the migration will not be successful. The reason for this is that py-netbox-secrets 1.8.x is not backwards compatible with Netbox 3.4. For further details please see the updating instructions of py-netbox-secretstore or the UPDATING entry of 2023-05-11. 2. Please also check the pkg-message and the changelogs for further info. 20230531: AFFECTS: users of net-mgmt/netdisco AUTHOR: dgeo@centrale-marseille.fr The netdisco user now needs a HOME and a shell. For existing installs you will need to set HOME to /usr/local/etc/netdisco and shell to /bin/sh. For example in one shell line: pw user mod netdisco -d /usr/local/etc/netdisco -s /bin/sh 20230526: AFFECTS: users of mail/exim AUTHOR: pi@FreeBSD.org The port changes from USE_DB to USE_NDBM. Any existing configuration like ${lookup{$needle}dbm{haystack.db}} will need to change to ${lookup{$needle}dbm{haystack}}. Please also rename your old DBM files while the exim daemon is stopped: find /var/spool/exim/db/* -not -name \*.lockfile -exec mv -i {} {}.db \; 20230513: AFFECTS: users of www/tt-rss AUTHOR: dereks@lifeofadishwasher.com www/tt-rss now expects the user to install the database drivers by hand allowing the port to be database independent however it would be best if you mark the php driver packages as a non-automatic package such that pkg-autoremove doesn't uninstall them. Change 80 to your corresponding php version (80, 81, 82) mysql: pkg set -yA 0 php80-mysqli php80-pdo_mysql; pgsql: pkg set -yA 0 php80-pgsql php80-pdo_pgsql; 20230511: AFFECTS: users of net-mgmt/py-netbox-secretstore AUTHOR: kai@FreeBSD.org Upstream no longer maintains py-netbox-secretstore which it is not compatible with NetBox 3.5 or newer. To ensure compatibility with newer releases of NetBox, the py-netbox-secrets plugin should be used instead. To migrate from security/py-netbox-secretstore to security/py-netbox-secrets please do following steps: 1. Make a backup. 2. Install security/py-netbox-secrets 3. Enable both plugins by updating the following line in the netbox configuration (e.g. /usr/local/share/netbox/netbox/configuration.py): PLUGINS = ['netbox_secretstore', 'netbox_secrets'] 4. Run NetBox migrations: # cd /usr/local/share/netbox # python3.9 manage.py migrate 5. Re-adjust the indices for the netbox-secrets plugin: # python3.9 manage.py sqlsequencereset netbox_secrets > output.sql 6. Run the output of the previous command in the database, e.g.: # psql -d NETBOXDB < output.sql 7. You can now remove netbox-secretstore from the application by removing it from the PLUGINS line in the netbox configuration: PLUGINS = ['netbox_secrets'] 8. Collect static files of the netbox-secrets plugin: # python3.9 manage.py collectstatic --no-input 9. Restart WSGI/httpd environment (supervisord/apache/nginx/etc.). 10. You may have clean up your database of the old tables manually, e.g.: DROP TABLE netbox_secretstore_secret; DROP TABLE netbox_secretstore_secretrole; DROP TABLE netbox_secretstore_sessionkey; DROP TABLE netbox_secretstore_userkey; 11. Uninstall security/py-netbox-secretstore. 20230505: AFFECTS: users of mail/mutt AUTHOR: dereks@lifeofadishwasher.com The patches included in the mail/mutt port will be removed in approximately a month making the port more inline with upstream. If you require any of these features most are available in mail/neomutt or it's possible to use EXTRA_PATCH_TREE to patch a port when building locally. 20230504: AFFECTS: users of sysutils/py-mqttwarn AUTHOR: dvl@FreeBSD.org The redis option REISPUB has been renamed to REDISPUB You should update any make.conf setting etc which refer to this. e.g. change sysutils_py-mqttwarn_REISPUB to sysutils_py-mqttwarn_REDISPUB 20230416: AFFECTS: users of databases/mongodb50, databases/mongodb44 and databases/mongodb60 AUTHOR: ronald@FreeBSD.org MongoDB removed the settings 'fork' and 'pidFilePath' from the default etc/mongodb.conf file. This does not affect mongod started by etc/rc.d/mongod as the settings are passed as arguments. Please verify custom uses of mongod. 20230414: AFFECTS: users of www/gitea AUTHOR: fernape@FreeBSD.org Gitea 1.19.1 contains a breaking change. actions unit has ben renamed to to repo.actions. 20230407: AFFECTS: users of devel/sonarqube-community AUTHOR: netchild@FreeBSD.org You need to make sure to update missing and changed values in PREFIX/libexec/sonarqube/conf/sonar.properties from PREFIX/libexec/sonarqube/conf/sonar.properties.sample 20230318: AFFECTS: users of security/libressl AUTHOR: brnrd@FreeBSD.org The port has been updated to the latest stable version 3.6 of LibreSSL. The shared library versions of the libraries have been bumped. After upgrading, manually update all packages that depend on any of the libraries provided by LibreSSL (libssl, libcrypto and libtls) since the versions of these libraries have changed. Normally, you can obtain the list of dependent software by running the following command: # pkg info -r libressl Then you should rebuild all ports depending on libressl to avoid dangling shared library dependencies. 20230315: AFFECTS: users of lang/ruby30 AUTHOR: yasu@FreeBSD.org The default ruby version has been updated from 3.0 to 3.1. If you compile your own ports you may keep 3.0 as the default version by adding the following lines to your /etc/make.conf file: # # Keep ruby 3.0 as default version # DEFAULT_VERSIONS+=ruby=3.0 If you wish to update to the new default version, you need to first stop any software that uses ruby. Then, you will need to follow these steps, depending upon how you manage your system. If you use pkg, simply upgrade: # pkg upgrade If you do not use pkg, please check entry 20190420. The description there should also work for this version. 20230314: AFFECTS: users of security/openssl-devel AUTHOR: brnrd@FreeBSD.org Users using DEFAULT_VERSIONS=ssl=openssl-devel must update their configuration to DEFAULT_VERSIONS=ssl=openssl30 or openssl31. 20230313: AFFECTS: users of databases/sqlite3 AUTHOR: fuz@FreeBSD.org Due to various ports not being prepared for this change (see 20230227 entry), the DQS option of databases/sqlite3 has been reenabled as a stop gap measure. It is scheduled to be disabled again for good no earlier than 20240101, giving downstream software authors more time to fix their queries. See also: https://sqlite.org/quirks.html#dblquote 20230311: AFFECTS: users of net/dshell AUTHOR: nobutaka@FreeBSD.org net/dshell now depends on net/py-pcapy-ng instead of net/py-pcapy. Because net/py-pcapy-ng conflicts with net/py-pcapy, please uninstall py39-pcapy with the following command before upgrading: # pkg delete -f py39-pcapy 20230310: AFFECTS: users of net-mgmt/unifi7 AUTHOR: otis@FreeBSD.org The mongodb dependency has been changed from 36 to 44, as MongoDB 3.6 is long out out support and end of life. The upgrade path should be as following: 1. Take a backup from within the unifi7 application PRIOR to updating! 2. Stop the unifi7 service (if running) 3. Copy the "backup" directory from LOCALBASE/share/java/unifi/data to a safe location. Also copy keystore and system.properties if you have made any modifications to those files 4. Remove files and directories under LOCALBASE/share/java/unifi/data 5. Upgrade the package 6. Copy the "backup" directory from a safe location back to LOCALBASE/share/java/unifi/data 7. Start the service 8. Restore the configuration from backup As an optional step, review system.properties and keystore to merge any manual modifications you have made (this has to be done with the application stopped) 20230310: AFFECTS: user of benchmarks/ddosify AUTHOR: fernape@FreeBSD.org keep-alive is removed from config file. In default mode, the engine will use keep-alive for all requests. If you want to disable keep-alive for a step, you can add Connection: close header to the step. 20230306: AFFECTS: users of www/qt5-webengine AUTHOR: kai@FreeBSD.org Users that upgrade www/qt5-webengine without using pkg/poudriere might experience failures due to conflicts with the installed version of 5.15.2. In that case, pkg delete -f the qt5-webengine package before building the updated version. 20230304: AFFECTS: users of accessibility/atk and accessibilty/at-spi2-atk AUTHOR: tcberner@FreeBSD.org The packages accessibility/atk and accessibility/at-spi2-atk have been integrated upstream into at-spi2-core. Users of these packages can manually remove them prior to updating accessibility/at-spi2-core using pkg delete -f atk at-spi2-atk if the pkg update process fails due to conflicting files. 20230227: AFFECTS: users of databases/sqlite3 AUTHOR: fuz@FreeBSD.org Option DQS is now disabled by default. This option controls the "double quoted string literals are accepted" quirk, permitting the use of double quotes around string literals if enabled. Users who rely on this quirk need to manually build databases/sqlite3 with the DQS option enabled. See also: https://sqlite.org/quirks.html#dblquote 20230227: AFFECTS: users of mail/py-spf-engine AUTHOR: yasu@FreeBSD.org Default configuration file path of pyspf-milter has changed. Since it looks for ${PREFIX}/etc/etc/pyspf-milter/pyspf-milter.conf now, you should edit the file if you run pyspf-milter. Alternatively you can specify other configuration file path by setting pyspf_milter_conffile variable in /etc/rc.conf. 20230222: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org 1. Please make sure that the PostgreSQL server for the NetBox instance is running version 11 or higher. This is because PostgreSQL 10 is End-of-Life since November 2022 and Django 4.1 requires PostgreSQL 11 as a minimum. 2. Please also check the pkg-message and the changelogs for further info. 20230218: AFFECTS: users of databases/mysql57-(server|client) AUTHOR: joneum@FreeBSD.org The default MySQL version has been updated from 5.7 to 8.0. If you compile your own ports you may keep 5.7 as the default version by adding the following lines to your /etc/make.conf file: # # Keep MySQL 5.7 as default version # DEFAULT_VERSIONS+=mysql=5.7 If you wish to update to the new default version, you need to first stop any running server instance. Then, you will need to follow these steps, depending on installed packages. # pkg set -o databases/mysql57-client:databases/mysql80-client # pkg set -o databases/mysql57-server:databases/mysql80-server # pkg upgrade 20230213: Affects: users of sysutils/nut* AUTHOR: cy@FreeBSD.org The nut file ownership fixups due to the UID/GID change from uucp/uucp to nut/nut may not be desireable for all users. Some users with custom file ownership may wish ownership to remain untouched. This revision to the nut family of ports/packages allows users to optionally disable automatic fixup of nut file ownership. 20230213: AFFECTS: users of security/logcheck AUTHOR: yasu@FreeBSD.org Since 1.4.1 ${PREFIX}/etc/logcheck/logcheck.logfiles is empty and files to be checked by logcheck are specified in ${PREFIX}/etc/logcheck/logcheck.logfiles.d/syslog.logfiles. So if you previously edited the former, then you should edit the latter now. 20230210: AFFECTS: users of mail/fetchmail AUTHOR: fernape@FreeBSD.org Fetchmail now warns about OpenSSL before 1.1.1s or 3.0.7, and rejects wolfSSL older than 5.5.1. 20230209: AFFECTS: users of audio/jack AUTHOR: fernape@FreeBSD.org audio/jack 1.9.22 fixes an issue with latency correction on FreeBSD. Latency correction parameters have to be measured again after update. 20230130: AFFECTS: users of USES=nodejs, www/node*, www/npm* and www/yarn* AUTHOR: sunpoet@FreeBSD.org The current USES=nodejs has the following issues: - www/node is not the default version while www/node16 is. - It also means inconsistent naming of node ports. - www/npm duplicates with www/npm-node16. - www/yarn duplicates with www/yarn-node16. The notable changes are introduced to fix the above issues: - Rewrite Mk/Uses/nodejs.mk. - Add new LTS version of nodejs (www/node18). - Add new current version of nodejs (www/node19). - Change default nodejs version from 16 to 18 (latest LTS), - Use consistent naming for all supported node versions. - Convert www/node, www/npm and www/yarn to meta ports. After these changes: - All supported node versions are named as node{14,16,18,19}. - www/node is a meta port which depends on the default version (e.g. www/node18) - www/npm is a meta port which depends on the default version (e.g. www/npm-node18) - www/yarn is a meta port which depends on the default version (e.g. www/yarn-node18) 20230129: AFFECTS: users of benchmarks/ddosify AUTHOR: fernape@freebsd.org In 0.13.0 some configuration keys have been renamed for consistency. Have a look at https://github.com/ddosify/ddosify/releases/tag/v0.13.0 for details. 20230127: AFFECTS: users of security/openvpn AUTHOR: mandree@freebsd.org OpenVPN has been updated to the new upstream release v2.6.0, which is quite compatible with v2.5 versions. A copy of the latest v2.5.8 port is being kept as security/openvpn25 (or openvpn25 package) until end of March 2023. 20230116: AFFECTS: users of sysutils/nut and sysutils/nut-devel AUTHOR: cy@freebsd.org As of PR/268960 Network UPS Tools will now run under its own UID and GID instead of uucp. Users who wish to continue using the uucp user and group may add NUT_USER=uucp and NUT_GROUP=uucp to their make.conf. After upgrading sysutils/nut or sysutils/nut-devel with this patch, restart devd. Then restart nut. This will fix up the permissions of UPS USB devices and allow nut to start normally. 20230111: AFFECTS: users of sysutils/graylog AUTHOR: dch@freebsd.org Graylog 5.x and higher effectively constrains ElasticSearch dependencies, and in most cases will force a migration to OpenSearch 2.x, now available in ports. Plan accordingly. 20230104: AFFECTS: users of mail/spamassassin AUTHOR: cy@freebsd.org As of spamassassin 4.0.0 (3fdfceb36029) the deprecated HashCash plug-in was finally removed. Users using the HashCash plug-in will need to remove references to it. 20221226: AFFECTS: users of sysutils/zrepl AUTHOR: driesm@FreeBSD.org The Prometheus metric zrepl_version_daemon has been converted to the zrepl_start_time metric. The metric still reports the zrepl verison in a label. But the metric value is now the Unix timestamp at the time the daemon was started. The Grafana dashboard in dist/grafana has been updated. The RPC protocol version has also been bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume. 20221220: AFFECTS: users of net-mgmt/unbound_exporter AUTHOR: thomas@beingboiled.info The config defaults for the log file and certificates have been changed. See /usr/local/etc/rc.d/unbound_exporter for possible options and adjust your rc.conf accordingly. 20221215: AFFECTS: users of security/clamav AUTHOR: yasu@FreeBSD.org Many users report that after updating ClamAV to 1.0.0 clamd and freshclam fails to start with integrity check error of databases. According to the result of investigation it happens with following conditions. 1. ClamAV is built on non-cleanroom environment (that is, neither FreeBSD official ClamAV package is used nor the package is built by user with poudriere). 2. math/tomsfastmath is installed in the system that ClamAV is built. So if the errror happens on you system, uninstall TomsFastMath first and then rebuild and reinstall ClamAV. The problem should disappear. 20221128: AFFECTS: devel/py-proxmoxer AUTHOR: einar@isnic.is AuthenticationError Moved proxmoxer.backends.https.AuthenticationError was moved to proxmoxer.AuthenticationError (the class itself is the same). Any imports or references to proxmoxer.backends.https.AuthenticationError should be changed to proxmoxer.AuthenticationError. ProxmoxResourceBase Removed While this should be a fully internal change, the ProxmoxResourceBase class was removed. Use ProxmoxResource instead. Removed ProxmoxHTTPTicketAuth The auth_token and csrf_token arguments are no longer supported. If an existing (still valid) token needs to be used, you can pass the token as password and proxmoxer will attempt to renew the ticket and retrieve a new token and CSRF token. 20221126: AFFECTS: textproc/kibana8 AUTHOR: otis@FreeBSD.org kibana8 now installs kibana-specific utilities into LOCALBASE/bin as symbolic links. Please check whether it will overwrite your local files with names same as these utilities and if so, please rename them or move out of the way in a different manner. 20221126: AFFECTS: textproc/elasticsearch8 AUTHOR: otis@FreeBSD.org elasticsearch8 now installs elasticsearch-specific utilities into LOCALBASE/bin as symbolic links (i.e. elasticsearch-cli and similar). Please check whether it will overwrite your local files with names same as these utilities and if so, please rename them or move out of the way in a different manner. 20221126: AFFECTS: users of lang/php80 AUTHOR: bofh@FreeBSD.org The default version of PHP has been switched from 8.0 to 8.1. If you use binary packages you should make a list of php packages before running 'pkg upgrade': # pkg info \*php80\* > ~/installed-php-ports-list After the upgrade, check with such list if all your php extensions are still installed, and reinstall them if needed. If you use mod_php80 you need to deinstall it and install mod_php81. 20221123: AFFECTS: x11-wm/jwm AUTHOR: fernape@FreeBSD.org jwm 2.4 introduces changes in the configuration. To convert an existing v2.3 configuration file using xsltproc, run: cp ~/.jwmrc ~/.jwmrc.old xsltproc jwm-2.4.xslt ~/.jwmrc.old > ~/.jwmrc If you have multiple configuration files, it may be necessary to apply the XSLT to some or all of them depending on what configuration options are stored in the file. 20221017: AFFECTS: archivers/star AUTHOR: fernape@FreeBSD.org With the update of devel/schilybase to 2022-10-16 a new port archivers/tartest has been splitted off from archivers/star. 20221016: AFFECTS: textproc/apache-solr AUTHOR: mfechner@FreeBSD.org Apache solr version 9 is released and made available as extra port textproc/apache-solr9. Version 9 cannot start directly with data from version 8. Additional steps for data migration is required. If you like to use the new version, deinstall the old version and install the new version: # pkg delete apache-solr # pkg install apache-solr9 After this you need to migrate data and migration, for this check the solr documentation. 20221015: AFFECTS: users of gstreamer1-* when upgrading via port builds on the host AUTHOR: riggs@FreeBSD.org The update of the gstreamer1-* ports to 1.20.3 requires a clean install of gstreamer1-* ports. In particular, when trying to update ports in-place using portupgrade or portmaster, the builds are likely to fail due to dependency mismatches. If this is your preferred update path, you need to deinstall (pkg delete -f) gstreamer1 and the plugins before reinstalling them from the ports tree. Note that pkg upgrade will do the right thing: If you use official FreeBSD packages or build your own set of packages using poudriere, nothing special is needed. 20221012: AFFECTS: devel/websvn AUTHOR: michael.osipov@siemens.com WebSVN 2.8.0 includes full PHP 8.x support which requires a change from PEAR to Composer 2. You must manually install dependencies through it, the ports system will not handle it anymore for you since */horde* (PR 266552) has been marked as incompatible with PHP 8.x for the time being. See pkg-message for detailed instructions. 20221011: AFFECTS: users of security/acme.sh AUTHOR: dvl@FreeBSD.org This update may break your install if you were using a symlink to %%EXAMPLESDIR%%/acme.sh.conf - that file is no longer installed. Instead, a log rotation configuration is now installed to etc/cron.d/acme.sh.sample you should modify etc/cron.d/acme.sh to needs. The port now installs a log rotation file to etc/newsyslog.d/acme.sh.sample and you you should update etc/newsyslog.d/acme.sh to suit your needs. This file has long been part of the port, but was never installed. Neither the log rotation nor the crontab are active until you remove the comments. 20221002: AFFECTS: users of shells/bash AUTHOR: ehaupt@FreeBSD.org Bash has been updated to version 5.2. In previous versions, the default port option-set used to link against libreadline from ports. However, the current version of devel/readline is too old for bash 5.2. For now, the default option has been switched to use the bundled version of libreadline and the other option is marked broken. Once devel/readline is updated this can be reverted. If you're updating bash from source and you've previously explicitly set to use use PORTS_READLINE, you'll have to disable the PORTS_READLINE option before updating: # cd /usr/ports/shells/bash # make config or flush it entirely: # cd /usr/ports/shells/bash # make rmconfig 20220929: AFFECTS: users of graphics/bmeps AUTHOR: takefu@airport.fm The executable name has been changed from this edition from bmpp to bitmap2pp 20220925: AFFECTS: users of security/libressl AUTHOR: brnrd@FreeBSD.org The port has been updated to the latest stable version 3.5 of LibreSSL. The shared library versions of the libraries have been bumped. After upgrading, manually update all packages that depend on any of the libraries provided by LibreSSL (libssl, libcrypto and libtls) since the versions of these libraries have changed. Normally, you can obtain the list of dependent software by running the following command: # pkg info -r libressl Then you should rebuild all ports depending on libressl to avoid dangling shared library dependencies. 20220919: AFFECTS: users of audio/strawberry AUTHOR: mandree@FreeBSD.org strawberry now uses FLAVORs based on the qt version, offering -qt5 and -qt6, with -qt5 the default. You may need to explicitly install either of the new flavors. 20220919: AFFECTS: users of sysutils/schilyutils AUTHOR: fuz@fuz.su Schilyutils has been split up into two ports. If you want the bosh shell, the new port is shells/bosh, which can be installed with: # pkg install bosh or # portmaster -o shells/bosh 20220918: AFFECTS: users of mail/roundcube AUTHOR: brnrd@FreeBSD.org Roundcube has been upgraded to 1.6.0 and introduces breaking changes to configuration options of remote services (imap, smtp, ldap, sieve). Check https://roundcube.net/news/2022/07/28/roundcube-1.6.0-released for details. Version 1.6 no longer includes the Classic and Larry skins, which are now available as separate mail/roundcube-classic and mail/roundcube-larry ports. 20220910: AFFECTS: users of devel/cmake AUTHOR: diizzy@FreeBSD.org CMake has been converted to a meta-port and new CMake packages created causes conflicts with old binary packages prior to this change. If CMake was installed using binary packages via pkg it needs to be uninstalled using pkg delete before installing CMake and related packages after this change. pkg delete cmake pkg install cmake-core If you're using portmaster you also need to delete the old CMake package before upgrading. 20220909: AFFECTS: users of emulators/qemu AUTHOR: bofh@FreeBSD.org emulators/qemu has been updated to 7.1.0. Previous 7.0.X branch has been repocopied to emulators/qemu70. If someone wants to stick with 7.0.X branch please use one of the following command: # pkg install qemu70/qemu70-nox11(based on flavor used) or # portmaster -o emulators/qemu70 emulators/qemu or # portupgrade -o emulators/qemu70 emulators/qemu 20220903: AFFECTS: users of editors/vim AUTHOR: adamw@FreeBSD.org The Vim port no longer installs a system-wide vimrc. It drastically affected config loading order, and led to various settings being clobbered, duplicated, or ignored. Vim's provided defaults.vim (/usr/local/share/vim/vim90/defaults.vim) continues to be read just as before, but its settings are no longer clobbered. Take a look in there for any settings you may want to change, and do ':h initialization' to see where Vim looks for config files. 20220903: AFFECTS: users of archivers/py-borgbackup AUTHOR: mandree@FreeBSD.org Borgbackup has been upgraded to version 1.2. For users who you wish to continue using version 1.1, use either of these commands for upgrading: With binary packages through pkg: pkg set -o archivers/py-borgbackup:archivers/py-borgbackup11 pkg upgrade With portmaster or portupgrade (replace the command accordingly): portmaster -o archivers/py-borgbackup11 archivers/py-borgbackup 20220901: AFFECTS: users of mail/rainloop-community AUTHOR: yasu@FreeBSD.org Since 1.17.0 upstream distributes only one "legacy" edition under MIT license and mail/rainloop-community is removed as a result. So please uninstall mail/rainloop-community (rainloop-community-phpXY) and install mail/rainloop (rainloop-phpXY) instead. 20220831: AFFECTS: users of x11/xscreensaver on 13.1-RELEASE AUTHOR: zirias@FreeBSD.org With the update to 6.04, xscreensaver now uses security/unix-selfauth-helper for PAM authentication. This relies on pam_exec.so, which had a bug causing a segfault on authentication attempts prior to 13.1-RELEASE-p1. For details, please see https://www.freebsd.org/security/advisories/FreeBSD-EN-22:19.pam_exec.asc Make sure your system is fully upgraded, otherwise you might be unable to unlock your screen. 20220825: AFFECTS: users of net/xrdp or net/xrdp-devel AUTHOR: meta@FreeBSD.org After xorg upgrade to 21.1.4, xorgxrdp session doesn't start as before This is because bin/Xorg has been replaced with X server binary wrapper. You must manually edit the Xorg section in etc/xrdp/sesman.ini to get it working again. The following is a short example of where, how to modify sesman.ini. Make sure to replace LOCALBASE with your actual path. [Xorg] ; Specify the path of non-suid Xorg executable. It might differ depending ; on your distribution and version. Find out the appropreate path for your ; environment. The typical path is known as follows: ; ; Fedora 26 or later : param=/usr/libexec/Xorg ; Debian 9 or later : param=/usr/lib/xorg/Xorg ; Ubuntu 16.04 or later : param=/usr/lib/xorg/Xorg ; Arch Linux : param=/usr/lib/Xorg ; CentOS 7 : param=/usr/bin/Xorg or param=Xorg ; CentOS 8 : param=/usr/libexec/Xorg ; -param=Xorg +param=LOCALBASE/libexec/Xorg 20220815: AFFECTS: users of net/keycloak AUTHOR: fernape@FreeBSD.org The flavors -mysql and -postgres were removed, the necessary configuration for those database backends was rolled into the base release by upstream. The configuration files changed completely, so they need to be rebuilt from scratch. 20220807: AFFECTS: users of news/inn AUTHOR: kbowling@FreeBSD.org The inn port has been updated to 2.7 release. Users upgrading from prior versions should read through the announcement for any manual upgrading steps that apply to your environment. https://lists.isc.org/pipermail/inn-announce/2022-July/000015.html 20220711: AFFECTS: users of security/stunnel AUTHOR: zi@FreeBSD.org The stunnel port has been updated to drop privileges to the stunnel user by default. As a result of this change, the pid file location has changed. If you have a running copy of stunnel, you should stop the process before performing the upgrade. Alternatively, you will need to # pkill stunnel;service stunnel start after the upgrade has been completed. 202207XYZ: AFFECTS: users of devel/maven-wrapper and devel/maven AUTHOR: michaelo@apache.org The environment variable M2_HOME has been replaced with more common MAVEN_HOME which can be used to pass a custom Maven home directory. 20220629: AFFECTS: updating x11-servers/xorg-server from a port AUTHOR: se@FreeBSD.org The xorg-server port now has a library dependency on x11/libxcvt, which cannot be installed when the previous version of xorg-server is present. To be able to update xorg-server from a port, the previous version needs to be manually deinstalled to allow libxcvt to be installed. 20220628: AFFECTS: users of Erlang and Elixir AUTHOR: dch@FreeBSD.org For more than a decade, the Elixir Mix tool and the Erlang rebar or erlang.mk build tools have been the de facto way of installing and managing packages for specific applications. All main-stream applications, from Riak, CouchDB, RabbitMQ, Phoenix, and Elixir, expect that packages are fetched and compiled into an OTP Release, with in-built version locking, external package management. There is no point in maintaining a large number of libraries, that are used neither for development, nor operations. Users are directed to https://rebar3.org/ https://erlang.mk/ or https://elixir-lang.org/getting-started/mix-otp/introduction-to-mix.html to fetch custom packages. https://www.freebsd.org/status/report-2021-07-2021-09/#_freebsd_erlang_ecosystem_ports_update 20220626: AFFECTS: users of python AUTHOR: thierry@FreeBSD.org The default version of python3 and python was switched to 3.9. For ports users wanting to keep version 3.8 as default, add DEFAULT_VERSIONS+= python=3.8 python3=3.8 to make.conf Following procedures may ease the upgrade: For users of pre-build packages: # sh # for i in $(pkg query -g %n 'py38-*'); do pkg set -yn ${i}:py39-${i#py38-}; done # pkg upgrade For portmaster users: # sh # portmaster -o lang/python39 python38 # REINSTALL="$(pkg info -o "*py38*" | awk '{printf "%s ", $2}')" # pkg delete -f "*py38*" # portmaster $REINSTALL # REBUILD=$(pkg query -g "%n:%dn" '*' | grep py3 | grep -v py39 | cut -d : -f 1 | sort -u) # portmaster $REBUILD # REBUILD2=$(pkg list | grep python-38 | xargs pkg which | awk '{print $6}' | sort -u) # portmaster $REBUILD2 Final steps (for pre-built packages & portmaster): If no longer required, Python 3.8 can be removed via "pkg remove python38" and the directory /usr/local/lib/python3.8 can then be deleted afterwards, if not empty. 20220625: AFFECTS: users of sysutils/fusefs-bindfs AUTHOR: doralitze@chaotikum.org Bindfs defaults to use direct I/O since version 1.16. While this results in major performance improvements as well as several bug fixes, this also breaks direct legacy calls to mmap. If your application still uses them consider these two options: 1. Mount using `--no-direct-io` 2. Upgrade your application in order to query mapping guards 20220623: AFFECTS: users of science/gramps AUTHOR: fernape@FreeBSD.org databases/py-bsddb3 is deprecated and will be removed in the future. With that gramps will lose the ability to load family trees using Berkeley DB. It is suggested to migrate all family trees using Berkeley DB by exporting them to gramps xml and import that gramps xml into a family tree using sqlite as database. 20220620: AFFECTS: users of www/selenium AUTHOR: fernape@FreeBSD.org The port has changed startup args so if you are using selenium_args= in rc.conf you need to add the parameter "standalone" manually. 20220616: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org /!\ WARNING /!\ The NetBox 3.2 release contains major changes, so at least items 1.), 2.) and 3.) must be checked before proceeding with the upgrade! /!\ WARNING /!\ 1. This release includes a database migration that will remove the "asn", "contact_name", "contact_phone", and "contact_email" fields from the site model. (These fields have been superseded by the ASN and contact models introduced in NetBox v3.1.) To protect against the accidental destruction of data, the upgrade process will fail if any sites still have data in any of these fields. To bypass this safeguard, set the NETBOX_DELETE_LEGACY_DATA environment variable when running the upgrade script, which will permit the destruction of legacy data. A set of migration scripts is available to assist with the migration of legacy site data: https://github.com/netbox-community/migration-scripts 2. NetBox v3.2 requires Python 3.8 or later. 3. If the NetBox Plugin "net-mgmt/py-netbox-plugin-extension" is used, please disable it before the migrations are applied. This can be done by removing the entry "netbox_plugin_extensions" from the "PLUGINS" section in the NetBox configuration. Once the upgrade is done, this port/package can be safely removed as it's no longer required. 4. Please also check the pkg-message and the changelogs for further info. 20220608: AFFECTS: devel/autoconf-wrapper, devel/autoconf213 AUTHOR: tijl@FreeBSD.org These ports have been renamed to devel/autoconf-switch and devel/autoconf2.13 respectively. If your favourite port updating tool cannot handle that then just remove the packages with "pkg delete" and then install the new port. 20220607: AFFECTS: security/openssh-portable AUTHOR: bdrewery@FreeBSD.org OpenSSH has been updated to 9.0p1 with incompatible changes. See https://www.openssh.com/txt/release-9.0 for details. 20220602: AFFECTS: sysutils/graylog AUTHOR: dch@FreeBSD.org Graylog 4.3.0+ fails to start if graylog's internal collector for system statistics is enabled. This will eventually be addressed upstream. Add disable_native_system_stats_collector=true to your graylog.conf. 20220513: AFFECTS: devel/nexus2-oss AUTHOR: michael.osipov@siemens.com Nexus 2.15.x introduces incompatible configuration changes. You must review changes in ETCDIR/wrapper.conf and ETCDIR/jetty*.xml with updated samples as well as NEXUS_WORKDIR/conf/logback-nexus.xml with its origin from DATADIR/nexus/WEB-INF/lib/nexus-core-VERSION.jar!/META-INF/log/logback-nexus.xml, grant write access to files in ETCDIR since Nexus itself might update files in place otherwise your instance will not properly work after the update. 20220510 AFFECTS: sysutils/zrepl AUTHOR: monwarez@gmail.com The zrepl update to 0.5.0.8 includes the following breaking changes: - The Prometheus metric zrepl_version_daemon was converted to zrepl_start_time The metric still reports the zrepl version in a label. But the metric *value* is now the Unix timestamp at the time the daemon was started. The Grafana dashboard in zrepl examples directory has been updated. 20220502: AFFECTS: mail/mutt AUTHOR: dereks@lifeofadishwasher.com Default header cache option has been changed to the new option LMDB using databases/lmdb. The BDB option still exists but now uses databases/db18 due to the EOL of databases/db5. 20220501: AFFECTS: users of drm-current-kmod and drm-devel-kmod AUTHOR: manu@FreeBSD.org Both ports where removed. If you were using either one of them directly (i.e. without using graphics/drm-kmod metaport) use graphics/drm-510-kmod. If you have some problems with this one try drm-54-kmod and report a bug on https://github.com/freebsd/drm-kmod. 20220428: AFFECTS: users of databases/redis AUTHOR: yasu@FreeBSD.org The databases/redis port has been updated to 7.0. Users wanting to stay on 6.2 can replace databases/redis with databases/redis62 with one of the following commands. If you use pkg with binary packages: # pkg set -o databases/redis:databases/redis62 # pkg upgrade If you use portmaster: # portmaster -o databases/redis62 databases/redis If you use portupgrade: # portupgrade -o databases/redis62 databases/redis 20220426: AFFECTS: users of deskutils/grantleetheme AUTHOR: kde@FreeBSD.org The pkg update of deskutils/grantleetheme to 22.04 can fail due to a filesystem location having changed from being a file to being a directory. This leads to pkg's temporary file creation throwing an error. To update to KDE Gear 22.04 please run # pkg delete -f grantleetheme prior to the update. 20220424: AFFECTS: users of emulators/qemu AUTHOR: bofh@FreeBSD.org emulators/qemu has been updated to 7.0.0. Previous 6.2.X branch has been repocopied to emulators/qemu6. If someone wants to stick with 6.2.X branch please use one of the following command: # pkg install qemu6/qemu6-nox11(based on flavor used) or # portmaster -o emulators/qemu6 emulators/qemu or # portupgrade -o emulators/qemu6 emulators/qemu 20220421: AFFECTS: users of lang/ruby27 AUTHOR: yasu@FreeBSD.org The default ruby version has been updated from 2.7 to 3.0. If you compile your own ports you may keep 2.7 as the default version by adding the following lines to your /etc/make.conf file: # # Keep ruby 2.7 as default version # DEFAULT_VERSIONS+=ruby=2.7 If you wish to update to the new default version, you need to first stop any software that uses ruby. Then, you will need to follow these steps, depending upon how you manage your system. If you use pkg, simply upgrade: # pkg upgrade If you do not use pkg, please check entry 20190420. The description there should also work for this version. 20220413: AFFECTS: users of net-im/py-matrix-synapse AUTHOR: ports@skyforge.at Synapse will now refuse to start up if open registration is enabled, in order to help mitigate abuse across the federation. If you would like to provide registration to anyone, consider adding email, recaptcha or token-based verification in order to prevent automated registration from bad actors. This check can be disabled by setting the enable_registration_without_verification option in your homeserver configuration file to true. More details are available in the upgrade notes[0]. Synapse will additionally now refuse to start when using PostgreSQL with a non-C values for COLLATE and CTYPE, unless the config flag allow_unsafe_locale, found in the database section of the configuration file, is set to true. See the upgrade notes[1] for details. [0] https://matrix-org.github.io/synapse/v1.56/upgrade.html#open-registration-without-verification-is-now-disabled-by-default [1] https://matrix-org.github.io/synapse/v1.56/upgrade#change-in-behaviour-for-postgresql-databases-with-unsafe-locale 20220410: AFFECTS: users of sysutils/screen AUTHOR: cy@FreeBSD.org As of sysutils/screen-4.9.0_5, the MULTUSER option is default, reverting to the traditional setuid-root behavior. People who wish to secure their screen install must terminate all screen sessions, then install screen without the MULTIUSER option. The option was reversed because it caused too much astonishment among users of screen. 20220401: AFFECTS: security/sshguard AUTHOR: kevinz5000@gmail.com Blacklisting is now disabled by default to avoid overriding the setting in sshguard.conf. To enable blacklisting, uncomment the BLACKLIST_FILE line in sshguard.conf. 20220329: AFFECTS: users of sysutils/screen AUTHOR: cy@FreeBSD.org As of sysutils/screen-4.9.0_3, the multiuser feature is not supported by default. The multiuser feature requires setuid root to function. This creates a security risk. Some Linux distributions have had non-setuuid root screen for a dozen or more years. FreeBSD is following suit. A new MULTIUSER option has been added to enable users to install setuid root screen. The MULTIUSER option default is OFF. Users who wish to use the multiuser feature may, - Build screen using the MULTIUSER option, or - Poudriere users can use poudriere-options to enable the MULTIUSER option, or - Users can chmod the setuid bit for ${LOCALBASE}/bin/screen-4.9.0, making screen setuid root to enable the multiuser feature. 20220326: AFFECTS: users of misc/freebsd-doc-* AUTHOR: blackend@FreeBSD.org A change to the doc toolchain prevents the build of individual localized HTML versions of the documentation without building the en_US version. HTML option is currently disabled until a good solution is found. PDF version, the default option, is now the only available option. Please re-run "make config" to pick up this new default. 20220313: AFFECTS: users of net/unison AUTHOR: madpilot@FreeBSD.org unison has been updated to version 2.52. The new version introduces a new wire protocol and on disk archive format. This new version is compatible with 2.51 clients for communication, so it's now possible to upgrade one side and then the other. The archive files are automatically converted to the new version, but once they are converted the y are incompatible with the previous version. In case you need version 2.51, the previous version of the port is preserved in net/unison251. 20220311: AFFECTS: users of multimedia/get_iplayer AUTHOR: jamie@catflap.org get_iplayer has a number of changes to quality settings that may break existing configurations. Please see the release notes for further information: https://github.com/get-iplayer/get_iplayer/wiki/release320to329#release329 20220311: AFFECTS: users of emulators/virtualbox-ose AUTHOR: grembo@FreeBSD.org In order to comply to hier(7), VirtualBox's configuration of non-default IP ranges to be used in host-only mode moved from /etc/vbox/networks.conf to ${LOCALBASE}/etc/vbox/networks.conf. 20220311: AFFECTS: users of net/nats-server AUTHOR: olgeni@FreeBSD.org A dedicated 'nats' user was added, replacing 'nobody' in the startup script. You should check your configuration and assign updated ownership to your data files. 20220227: AFFECTS: users of graphics/bmeps AUTHOR: takefu@airport.fm The binary and man page have been renamed from bmpp{.1.gz} to bitmap2pp{.1.gz} 20220225: AFFECTS: users of x11-toolkits/py-wxPython40 AUTHOR: lbartoletti@FreeBSD.org x11-toolkits/py-wxPython40 has been removed to be replaced by the 4.1 version. However the new wxPython ports is now named x11-toolkits/py-wxPython4. Depending on the tools you use, you may have to remove the port before ports upgrade. 20220224: AFFECTS: users of net-im/openfire AUTHOR: nikita@druba.su The port version have been updated from 4.6.x to 4.7.x. It is recommended to do database and configs backup before updating. 20220219: AFFECTS: users of sysutils/intel-pcm-devel AUTHOR: egypcio@FreeBSD.org sysutils/intel-pcm-devel became quite obsolete once sysutils/intel-pcm is now pretty much following a constant and stable update cycle, so users of the -devel version are encouraged to switch to it. If you still have sysutils/intel-pcm-devel installed, please delete it from your system and install sysutils/intel-pcm instead: # pkg delete sysutils/intel-pcm-devel # pkg install sysutils/intel-pcm 20220219: AFFECTS: users of math/qhull* AUTHOR: stephen@FreeBSD.org Because of entries in MOVED, portupgrade can get confused updating qhull. It is recommended that you delete qhull and ports depending upon it, and then reinstalling all the dependent ports. 20220218: AFFECTS: users of TeX* AUTHOR: bofh@FreeBSD.org TeX system has been updated to 2021 from 2015. Normal pkg upgrade or portmaster -a should handle all the upgrade properly. In case not please create a ticket or send a mail to tex@FreeBSD.org print/tex-aleph has been removed as per upstream. This package should be removed manually. Additionally users have reported to delete texlive-texmf prior to starting update, or pkg-static will indicate there is a conflict during the upgrade of texlive-base : # pkg remove tex-aleph texlive-texmf 20220218: AFFECTS: users of net-mgmt/librenms AUTHOR: dvl@FreeBSD.org The storage directory has moved from WWWDIR to /var/db/librenms/storage to comply with man 7 hier. When upgrading, you may need to manually create this symlink. 20220212: AFFECTS: users of lang/php8[01][-extensions]? AUTHOR: bofh@FreeBSD.org Non-Default OPTION MYSQL80 has been removed in lieu of making php8[01]-openssl as part of DEFAULT php8[01] installation. Although for php74 it is not the case. Ports that depends on security/php8[01]-openssl will no longer be installed as these have been removed. There is no side effect of this for ports which have USE_PHP=openssl. In case for php74 as the default php74-openssl will be installed otherwise it will be used from php installation. If you are using pkg, you have to remove php8[01]-openssl manually after the upgrade : # pkg info \*php8\* > ~/installed-php-ports-list # pkg upgrade -y # pkg delete -f php8[01]-openssl # service -R While rebuilding from ports users old php.conf is not overwritten. So have to manually remove the ports. For portmaster users: # sh # REINSTALL="$(pkg info -o "*php80*" | grep -v openssl | awk '{printf "%s ", $2}')" # pkg delete -f "*php80*" # portmaster $REINSTALL # portmaster -a 20220207: AFFECTS: users of security/amavisd-new AUTHOR: flo@FreeBSD.org Amavis does now depend on archivers/7-zip (7zz) you might need to update your amavisd.conf and replace all ocurances of p7zip (7zr) accordingly. 20220129: AFFECTS: users of editors/neovim AUTHOR: adamw@FreeBSD.org Neovim now uses luajit-openresty as the Lua provider. Many neovim plugins compile some of their code (Packer does this, as do many LSP plugins). Neovim will produce errors and fail to load the plugins. Deleting and reinstalling any plugins that produce errors should fix the startup. If you use Packer, you also want to delete the startup cache: # rm -rf ~/.config/nvim/plugin/packer_compiled.lua 20220128: AFFECTS: users of x11-fonts/source-sans-ttf AUTHOR: fernape@FreeBSD.org The font name has changed its prefix from SourceSansPro* to SourceSans*. Users of this font might need to change their configurations to pick up the new names. 20220128: AFFECTS: users of net-im/dendrite AUTHOR: ashish@FreeBSD.org The configuration needs to be updated to version 2 following upgrade to Dendrite v0.6. Please refer to /usr/local/etc/dendrite/dendrite.yaml.sample for a sample configuration. 20220127: AFFECTS: users of PyQt AUTHOR: kde@FreeBSD.org Most of the PyQt ports have been merged into single port devel/py-qt5-pyqt. `pkg upgrade` will handle update automatically . 20220126: AFFECTS: users of mail/bogofilter, mail/bogofilter-lmdb AUTHOR: mandree@FreeBSD.org The default version of mail/bogofilter now uses LMDB instead of Berkeley DB. It is not compatible and cannot read databases. Your options are: 1. use bogoutil on each wordlist for each of your users first, ONLY THEN reinstall bogofilter, THEN reload the databases with bogoutil, OR 2. install the matching bogofilter version and If you had been using bogofilter-lmdb so far, install bogofilter. If you had been using bogofilter so far, install bogofilter-bdb. 20220125: AFFECTS: users of lang/php74 AUTHOR: tz@FreeBSD.org The default version of PHP has been switched from 7.4 to 8.0. If you use binary packages you should make a list of php packages before running 'pkg upgrade': # pkg info \*php7\* > ~/installed-php-ports-list After the upgrade, check with such list if all your php extensions are still installed, and reinstall them if needed. If you use mod_php74 you need to deinstall it and install mod_php80. 20220120: AFFECTS: users of x11-wm/dwm AUTHOR: 0mp@FreeBSD.org dwm has been updated to 6.3. The option RUGAPS is no longer available because it depends on a patch only available for version 6.2. RUGAPS can be reintroduced if desired once it is ported to 6.3 by the interested party. 20220118: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org 1. Please make sure that the PostgreSQL server for the NetBox instance is running version 10 or higher. This is because PostgreSQL 9.6 is End-of-Life since November 2021 and NetBox 3.1 makes use of the "macaddr8" field which was introduced with PostgreSQL 10. 2. Please also check the pkg-message and the changelogs for further info. 20220110: AFFECTS: users of security/bastillion AUTHOR: netchild@FreeBSD.org If you already performed the actions of the next entry, the following action in this entry needs to be performed regardless. If you did not already perform the actions of the next entry, only the action of this entry needs to be performed. The datastore of bastillion needs to be upgraded (if you do not see users / can not login, you forgot to upgrade it): java -jar %%PREFIX%%/jetty_bastillion/upgrade/bastillion-upgrade-4.00.01.jar %%PREFIX%%/jetty_bastillion/bastillion/WEB-INF/classes/BastillionConfig.properties 20220104: AFFECTS: users of security/bastillion AUTHOR: netchild@FreeBSD.org The datastore of bastillion needs to be upgraded (if you do not see users / can not login, you forgot to upgrade it): java -jar %%PREFIX%%/jetty_bastillion/upgrade/bastillion-upgrade-4.00.00.jar %%PREFIX%%/jetty_bastillion/bastillion/WEB-INF/classes/BastillionConfig.properties 20220102: AFFECTS: users of sysutils/py-azure-cli AUTHOR: dbaio@FreeBSD.org When upgrading to Azure CLI v2.31.0, you will need to re-authenticate on Azure services. $ az login --use-device-code Starting in version 2.30.0, Azure CLI uses MSAL as the underlying authentication library. MSAL uses AAD v2.0 authentication flow to provide more functionality and increases security for token cache. More info: https://docs.microsoft.com/en-us/cli/azure/msal-based-azure-cli 20211220: AFFECTS: users of devel/notcurses AUTHOR: nickblack@linux.com Notcurses 3 introduces a new SONAME and significant API/ABI changes. Dependent applications must be recompiled at a minimum. A complete guide to updating for the new API is available under "Porting API2 Applications to API3" at https://github.com/dankamongmen/notcurses/releases/tag/v3.0.0 20211220: AFFECTS: users of net-im/openfire AUTHOR: nikita@druba.su The port options have been renamed to be more readable. When not using the default options, they have to be regenerated. # cd /usr/ports/net-im/openfire # make config 20211213: AFFECTS: users of emulators/qemu-utils AUTHOR: bofh@FreeBSD.org New port emulators/qemu@tools has been introduced which is similar to emulators/qemu-utils. qemu-utils has also been DEPRECATED in favor for this as it's MASTER port has also been marked DEPRECATED and set to expire on 2022-01-09. For updating to qemu-tools please use one of the following command: # pkg install qemu-tools or # portmaster -o emulators/qemu-utils emulators/qemu@tools 20211116: AFFECTS: users of emulators/qemu50 AUTHOR: bofh@FreeBSD.org emulators/qemu50 has been moved to emulators/qemu5 and updated to 5.2.0 which is the last version from 5.X.X branch. This is done in preparation of updating emulators/qemu into latest 6.X branch. If someone wants to stick with 5.X.X branch please use one of the following command: # pkg install qemu5 or # portmaster -o emulators/qemu50 emulators/qemu5 This version also introduces a stripped nox11 version which can be installed with: # pkg install qemu5-nox11 or # portmaster emulators/qemu5@nox11 20211115: AFFECTS: AFFECTS: users of *-emacs2x-* packages AUTHOR: jrm@FreeBSD.org To avoid problems when editors/emacs or editors/emacs-devel are updated, the emacs major version has been removed from these package names. For example, the old and new package names of devel/magit are ----------------------------------------------------------- | Old Package Name | New Package Name | |-------------------------- |-----------------------------| | magit-emacs27 | magit | | magit-emacs27_nox | magit-emacs_nox | | magit-emacs27_canna | magit-emacs_canna | | | | | magit-emacs29_nox | magit-emacs_devel_nox | | magit-emacs29 | magit-emacs_devel | ----------------------------------------------------------- To handle these final package name changes, follow a similar procedure as the one described in the 20200811 entry. That is, simply running `pkg upgrade` will not upgrade, e.g., foo-emacs27_nox to foo-emacs_nox. Binary package users: To update these packages, run these commands under /bin/sh with superuser privileges before upgrading. # default flavor of editors/emacs installed for i in $(pkg query -g %n '*-emacs27'); do if [ "$i" != "notmuch-emacs27" ]; then nn=$(echo "$i" | sed -e 's/-emacs27//') else nn=$(echo "$i" | sed -e 's/-emacs27/-emacs/') fi pkg set -yn "$i":"$nn" done # canna or nox flavor of editors/emacs installed for i in $(pkg query -g %n '*-emacs27*'); do nn=$(echo "$i" | sed -e 's/emacs27/emacs/') pkg set -yn "$i":"$nn" done # editors/emacs-devel installed for i in $(pkg query -g %n '*-emacs29*'); do nn=$(echo "$i" | sed -e 's/emacs29/emacs_devel/') pkg set -yn "$i":"$nn" done portmaster users: portmaster -r emacs 20211110: AFFECTS: users of www/node*, www/npm*, www/yarn* AUTHOR: mfechner@FreeBSD.org The port framework was updated to use a default version for nodejs. The default version is pointing to the latest LTS version which is currently version 16. You can overwrite this by defining in /etc/make.conf, e.g. version 17: DEFAULT_VERSIONS=nodejs=17 Or if you would like to stick always to the current version use: DEFAULT_VERSIONS=nodejs=current If you would like to use yarn or npm together with nodejs version 17, just install the package that is pulling the wanted dependency to nodejs: # pkg install yarn-node17 # pkg install npm-node17 20211109: AFFECTS: users of security/libressl AUTHOR: brnrd@FreeBSD.org The port has been updated to the latest stable version 3.4 of LibreSSL. The shared library versions of the libraries have been bumped. After upgrading, manually update all packages that depend on any of the libraries provided by LibreSSL (libssl, libcrypto and libtls) since the versions of these libraries have changed. Normally, you can obtain the list of dependent software by running the following command: # pkg info -r libressl Then you should rebuild all ports depending on libressl to avoid dangling shared library dependencies. 20211107: AFFECTS: users of sysutils/devcpu-data AUTHOR: jrm@FreeBSD.org The RC variable name microcode_cpus is now deprecated. Users should instead use the variable microcode_update_cpus. Two new ports were branched from sysutils/devcpu-data, sysustils/devcpu-data-amd and sysustils/devcpu-data-intel. The two new ports contain only the CPU microcode updates for each vendor and sysutils/devcpu-data now only contains an RC script. Both new ports are on-by-default, optional dependencies of sysutils/devcpu-data. 20211101: AFFECTS: users of textproc/redisearch AUTHOR: osa@FreeBSD.org The textproc/redisearch port has been updated to the recent stable release - v2.2. Users wanting to stay on v2.0 can replace textproc/redisearch with textproc/redisearch20 with one of the following commands: # pkg install textproc/redisearch20 or # portmaster -o textproc/redisearch20 textproc/redisearch or # portupgrade -o textproc/redisearch20 textproc/redisearch NOTE: The textproc/redisearch20 brings a new name for the module, i.e. redisearch20.so, so be careful. 20211024: AFFECTS: sysutils/beats7 AUTHOR: otis@FreeBSD.org The following breaking changes apply to beats 7.15.0 and newer: - All beats: Loading Kibana assets (dashboards, index templates) rely on Saved Object API. So to provide a reliable service, Beats can only import and export dashboards using at least Kibana 7.15. - Filebeat: - Remove all alias fields pointing to ECS fields from modules. This affects the Suricata and Traefik modules. - Fix Crowdstrike ingest pipeline that was creating flattened process fields. - Rename log.path to log.file.path in filestream to be consistent with log input and ECS. - Heartbeat: - Remove long deprecated watch_poll functionality. - Fix inconsistency in event.dataset values between heartbeat and fleet by always setting this value to the monitor type / fleet dataset. - Metricbeat: - Fix Elasticsearch jvm.gc.collectors.old being exposed as young Full changelog: https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-7.15.0.html https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-7.15.1.html 20211024: AFFECTS: users of databases/postgresql* and other software using PostgreSQL to run AUTHOR: kbowling@FreeBSD.org The default version of PostgreSQL has been switched from 12 to 13. The upgrade procedure can use up twice the space the databases currently needs. If you have a big amount of stored data take a closer look at the manpage of pg_upgrade for avoidance and/or speedup of the upgrade. The upgrade instructions consider a basic usage and do not match complex scenarios like replication, sharding, or similar. Upgrade instructions: First stop your PostgreSQL, create PostgreSQL-binaries and backup your data. If you have another Version of PostgreSQL installed, for example 12.8, your files are named according to this. # service postgresql stop # pkg create postgresql12-server postgresql12-contrib # mkdir /tmp/pg-upgrade # tar xf postgresql12-server-12.8.pkg -C /tmp/pg-upgrade # tar xf postgresql12-contrib-12.8.pkg -C /tmp/pg-upgrade # pkg delete -f databases/postgresql12-server databases/postgresql12-contrib databases/postgresql12-client Now update PostgreSQL: pkg user: # pkg install databases/postgresql13-server databases/postgresql13-contrib # pkg upgrade Portmaster users: # portmaster databases/postgresql13-server databases/postgresql13-contrib # portmaster -a Portupgrade users: # portinstall databases/postgresql13-server databases/postgresql13-contrib # portupgrade -a After installing the new PostgreSQL version you need to convert all your databases to new version: # su -l postgres -c "/usr/local/bin/initdb --encoding=utf-8 --lc-collate=C -D /var/db/postgres/data13 -U postgres" # su -l postgres -c "pg_upgrade -b /tmp/pg-upgrade/usr/local/bin/ -d /var/db/postgres/data12/ -B /usr/local/bin/ -D /var/db/postgres/data13/ -U postgres " Now the migration is finished. You can start PostgreSQL again with: # service postgresql start ATTENTION: 1) The default user changed from "pgsql" to "postgres" in 11. The migration steps above now assume the "postgres" database user and FreeBSD user. 2) See the updating entry 20190829 if you are updating from a release prior to 11. 3) If you use non-default initdb options, you have to adjust the initdb-command accordingly 20211023: AFFECTS: users of www/node AUTHOR: bhughes@FreeBSD.org The www/node port has been updated to Node.js v17.0.0, the latest upstream release. A new port, www/node16, has been created for the upcoming v16.x LTS branch. Users wanting to stay on v16.x can replace www/node with www/node16 with one of the following commands: # pkg install www/node16 or # portmaster -o www/node16 www/node or # portupgrade -o www/node16 www/node 20211012: AFFECTS: users of devel/git AUTHOR: garga@FreeBSD.org devel/git port was split into multiple sub-ports that depend on devel/git and install additional files: - devel/git-cvs - CVS related scripts and man pages - devel/git-gui - GUI related scripts and man pages - devel/git-p4 - Perforce related scripts and man pages - devel/git-svn - Subversion related scripts and man pages Due to these changes, CVS, GUI, PERFORCE, and SUBVERSION options as well as gui and svn flavors were removed from the port. 20211010: AFFECTS: users of gtk2 flavored devel/geany* AUTHOR: madpilot@FreeBSD.org Upstream dropped support for gtk2. Due to this the ports are now unflavored, installing only with gtk3 support. If you are already using the default gtk3 flavor will get the new version with a simple "pkg upgrade". To upgrade when using the gtk2 flavors you need to use "pkg install" to install the new unflavored gtk3 packages, pkg will automatically uninstall the old gtk2 flavors. If using ports, you will need to uninstall all geany packages and its plugins and reinstall from an updated ports tree. The "geany-plugin-multiterm" plugin was only available as a gtk2 flavor when installing the gtk2 flavor of geany and has not been ported to gtk3, so has been removed from the tree, so the geany-plugin-multiterm-gtk2 package should be removed from the system. 20211007: AFFECTS: user of security/clamav AUTHOR: yasu@FreeBSD.org Upstream changed end-of-life policy and introduced long time support (LTS) feature release. * LTS feature release will be identified approximately every two years and supported for at least three years from the initial publication date of that LTS feature version. * Regular (non-LTS) feature releases will be supported for at least four months from the initial publication date of the next feature release or until the feature release after that is published. According to it new port security/clamav-lts is added for users who want to use LTS version of ClamAV. Users wanting to switch to LTS version can replace security/clamav with security/clamav-lts with one of following commands. If you use pkg with binary packages: # pkg set -o security/clamav:security/clamav-lts # pkg upgrade If you use portmaster: # portmaster -o security/clamav-lts security/clamav If you use portupgrade: # portupgrade -o security/clamav-lts security/clamav 20211006: AFFECTS: users of misc/freebsd-doc-* AUTHOR: blackend@FreeBSD.org The misc/freebsd-doc-* ports have been updated to the new doc toolchain, and use a somewhat different arrangement of directories and symlinks, which pkg 1.17 does not handle well. Users are encouraged to delete the misc/freebsd-doc-* ports, then reinstall the new ones without using the pkg upgrade facility. 20211006: AFFECTS: users of net/kafkacat AUTHOR: sergey@akhmatov.ru kafkacat has been renamed to kcat upstream. So switch to net/kcat instead. 20211004: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org /!\ WARNING /!\ The NetBox 3.0 release contains major changes, so at least items 1.), 2.) and 3.) must be checked before proceeding with the upgrade! /!\ WARNING /!\ 1. Please ensure that your local installation of net-mgmt/netbox is at the 2.11 release before attempting to upgrade to NetBox 3.0 or later. 2. Please also note that the previously deprecated secrets functionality has been removed with NetBox 3.0. This means, all of the secrets still remain in the database once upgraded, only the secrets functionality on the part of NetBox is no longer given. In order to continue to be able to access the stored secrets as usual (and then possibly migrate them to another solution, e.g. security/vault), please install the security/py-netbox-secretstore port once NetBox has been upgraded to 3.x and follow its installation instructions how to enable the plugin. 3. If plugins are used, they should be temporarily deactivated to avoid disruptions during the upgrade process. 4. Please also check the pkg-message and the changelogs for further info. 20211004: AFFECTS: users of www/py-pyjwt AUTHOR: rhurlin@FreeBSD.org To make it possible to easily import py-pyjwt v2.x the current port was moved to a versioned directory. If you use portmaster: portmaster -o www/py-pyjwt1 www/py-pyjwt If you use portupgrade: portupgrade -fo www/py-pyjwt1 www/py-pyjwt If you use pkg with binary packages: pkg set -o www/py-pyjwt:www/py-pyjwt1 20210912: AFFECTS: x11-wm/cage, x11-wm/hikari, x11-wm/labwc, x11-wm/sway, x11-wm/wayfire AUTHOR: jbeich@FreeBSD.org SUID option has been removed in favor of seatd-launch(1) which doesn't require special handling in every consumer and doesn't bypass group permissions. If you've already enabled seatd service or use consolekit2 then nothing changes. Otherwise, $ sway 00:00:00.001 [ERROR] [wlr] [libseat] [libseat/libseat.c:83] No backend was able to open a seat 00:00:00.001 [ERROR] [wlr] [backend/session/session.c:84] Unable to create seat: Function not implemented 00:00:00.001 [ERROR] [wlr] [backend/session/session.c:218] Failed to load session backend 00:00:00.001 [ERROR] [wlr] [backend/backend.c:353] Failed to start a DRM session 00:00:00.001 [ERROR] [sway/server.c:53] Unable to create backend can be fixed by $ ck-launch-session sway or $ seatd-launch sway or # sysrc seatd_enable=YES # service seatd start $ sway Replace "sway" with your compositor e.g., "cage", "hikari", "labwc", "wayfire". 20210907: AFFECTS: consumers of math/eigen[23] AUTHOR: adridg@FreeBSD.org math/eigen2 has been marked deprecated. There do not seem to be any consumers in FreeBSD ports. math/eigen3 has had its options re-vamped. The default options previously pulled in multiple useless library dependencies. The options also forced a specific BLAS implementation. The new options depend only on the default BLAS (whatever USES=blaslapack picks), but this can be turned off. The previous multiple useless libraries -- which are not useless when running the tests in Eigen -- are now hidden behind the default-off TEST option. Users of a carefully-tuned Eigen build should re-evaluate the options available. 20210902: AFFECTS: users of editors/vim AUTHOR: adamw@FreeBSD.org The vim ports have been completely reworked to take advantage of flavors. The biggest change is that the `vim' package is now console-only. If you want the GTk3 GUI, you'll need to install the `vim-gtk3' package instead. All the GUI toolkits have their own package now: vim-gtk3, vim-gtk2, -athena, -motif, and -x11. The vim-tiny package still exists. Also: only python3 bindings are included now. There are very few plugins written in Perl or Ruby, so there really wasn't a need to bundle those languages with Vim. They still exist as OPTIONS, so you can still enable them if you'd like. Also, support for py27 has been dropped. 20210901: AFFECTS: users of audio/ampache AUTHOR: crees@FreeBSD.org With the upgrade to Ampache 5.0.0, the root Ampache folder has changed to %%WWWDIR%%/ampache/public. Please update your web server aliases, for example if you use Apache, then in httpd.conf make sure the lines look like this: Alias /ampache /usr/local/www/ampache/public If you have customised your .htaccess files to allow for a different alias, you'll need to move them to the new location after upgrading: # sh -c 'cd /usr/local/www/ampache && for f in */.htaccess; do mv $f public/$f; done' More upgrade notes can be found on Github: https://github.com/ampache/ampache/releases/tag/5.0.0 20210823: AFFECTS: users of mail/mu AUTHOR: hrs@FreeBSD.org mail/mu now uses XDG Base Directory Specification for the default locations for various files. The mu database now lives under ~/.cache/mu rather than ~/.mu by default. After upgrading, move the contents under ~/.mu to ~/.cache/mu. 20210823: AFFECTS: users of mail/postfixadmin AUTHOR: ports.maintainer@evilphi.com The 3.2->3.3 upgrade requires generating a new setup password hash. The normal post-upgrade visit to setup.php will walk you through the steps. For more information, see the "Version 3.3" section of the change log: https://github.com/postfixadmin/postfixadmin/blob/postfixadmin-3.3.9/CHANGELOG.TXT 20210818: AFFECTS: users of databases/redis AUTHOR: osa@FreeBSD.org The databases/redis port has been updated to the recent stable release. Users wanting to stay on v6.0 can replace databases/redis with databases/redis6 with one of the following commands: # pkg install databases/redis6 or # portmaster -o databases/redis6 databases/redis or # portupgrade -o databases/redis6 databases/redis 20210805: AFFECTS: users of sysutils/beats7 AUTHOR: otis@FreeBSD.org Beats may not be sending data to some distributions of Elasticsearch In this release, Elastic is enabling a licensing change that was broadly communicated earlier in 2021. This change would imply that 7.13 instances of Beats would fail to connect to 7.10 or earlier open source distributions of Elasticsearch and Kibana. The most visible effect is that sysutils/beats7 users can expect difficulties to send data to Elastic instances hosted in AWS. For more information, see: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.13.html 20210801: AFFECTS: users of OpenLDAP AUTHOR: delphij@FreeBSD.org SASL is now always enabled for OpenLDAP. If you use portmaster: portmaster -o net/openldap24-client openldap-sasl-client If you use portupgrade: portupgrade -fo net/openldap24-client openldap-sasl-client If you use pkg with binary packages: pkg set -o net/openldap24-sasl-client:net/openldap24-client 20210730: AFFECTS: users of multimedia/mlt, multimedia/mlt-qt and multimedia/py-mlt AUTHOR: kde@FreeBSD.org multimedia/{py-,}mlt{-qt5,} has been moved to multimedia/{py-,}mlt6{-qt5,} to make room for importin the next major version of the mlt framework. 20210721: AFFECTS: users of x11/rxvt-unicode AUTHOR: thierry@FreeBSD.org Since 9.26, there is a regression in resource parsing, which no longer accepts a prefix of the form "URxvt*keysym" ("*." is equivalent to "*"). Changing "*." to "." should make your bindings work again. 20210704: AFFECTS: users of misc/qtchooser AUTHOR: kde@FreeBSD.org QtChooser allows you to select your version of Qt among those installed. However, this tool is no longer supported upstream and will not be available for Qt6. By default, our Qt installations are done in: ${LOCALBASE}/lib/qt${QT_VERSION} as recommended. We have added symbolic linking for the main binaries to ${LOCALBASE}/bin with the suffix -qt5. 20210628: AFFECTS: users of misc/openhab AUTHOR: netchild@FreeBSD.org You need to run sed -i -e 's:^karaf.framework.equinox=.*:karaf.framework.equinox=mvn\:org.eclipse.platform/org.eclipse.osgi/3.16.200: ; s:^karaf.framework.felix=.*:karaf.framework.felix=mvn\:org.apache.felix/org.apache.felix.framework/6.0.4:' /var/db/openhab/userdata/etc/config.properties to update the version numbers of some components in a config file. 20210621: AFFECTS: users of www/gitlab-ce AUTHOR: mfechner@FreeBSD.org The upgrade of Gitlab 14.0.0 is in preparation. You must upgrade first to 13.12. For more information see here: https://about.gitlab.com/blog/2021/06/04/gitlab-moving-to-14-breaking-changes/ To do the upgrade, make sure you follow the upgrade manuals: https://gitlab.fechner.net/mfechner/Gitlab-docu/-/tree/master/update I will merge the 14.0.0 upgrade later to quarterly branch to give you some time for the upgrade to 13.12. 20210620: AFFECTS: users of misc/openhab2 AUTHOR: netchild@FreeBSD.org The openhab v3 port has been committed. Upstream has removed the version from the name, as such the FreeBSD port follows in all places (start script name, directory names, ...). Users are encouraged to migrate from misc/openhab2 to misc/openhab. No automatic config migration is available Both versions can be installed in parallel, but an users has to take care to not run both at the same time on the same port. 20210617: AFFECTS: users of graphics/mesa-libs and x11/nvidia-driver AUTHOR: kbowling@FreeBSD.org Some libraries from mesa-libs are now provided by libglvnd while others were renamed. nvidia-driver already used libglvnd but bundled a copy which is now provided as a separate package. When building outside poudriere make sure to remove mesa-libs and nvidia-driver first in order to avoid conflict with libglvnd. For portmaster users: # pkg delete -f mesa-libs nvidia-driver # portmaster -a For portupgrade users: # pkg delete -f mesa-libs nvidia-driver # portupgrade -a 20210523: AFFECTS: users of www/tt-rss AUTHOR: dereks@lifeofadishwasher.com tt-rss config.php syntax has changed. You can find detailed changes here https://tt-rss.org/wiki/GlobalConfig or look at config.php.sample. Expect your config.php to not work with newer www/tt-rss releases. Due to changes in ttrssd before updating you should stop ttrssd or otherwise kill the php process running update_daemon2.php. 20210516: AFFECTS: users of security/bitwarden_rs AUTHOR: mr@FreeBSD.org bitwarden_rs has been renamed to vaultwarden upstream. So switch to security/vaultwarden instead. 20210515: AFFECTS: users of databases/postgresql??-server AUTHOR: girgen@FreeBSD.org The rc.conf parameter for the login class of the postgresql daemon has changed name from postgresql_class to postgresql_login_class. rc.subr(8) states that the parameter should be named ${name}_login_class. 20210512: AFFECTS: users of sysutils/ansible* AUTHOR: 0mp@FreeBSD.org Ansible has been updated to 3.3.0. Please follow the porting guide to update the rulesets: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_3.html 20210508: AFFECTS: users of devel/pycharm-ce AUTHOR: bsam@FreeBSD.org Pycharm-ce has switched to the supported java version 11. 20210506: AFFECTS: users of mail/postfix AUTHOR: ohauer@FreeBSD.org Postfix 3.6 and higher requires minimum OpenSSL 1.1.1 FreeBSD 11 users using base OpenSSL can switch to mail/postfix35 If you wish to use postfix35 until FreeBSD 11 EoL you might run the following command: # pkg set -o mail/postfix:mail/postfix35 # pkg upgrade 20210505: AFFECTS: users of sysutils/terraform AUTHOR: 0mp@FreeBSD.org Terraform has been updated from 0.13 to 0.15, which introduces several incompatible changes. Please follow upgrading guide when updating the package. https://www.terraform.io/upgrade-guides/0-14.html https://www.terraform.io/upgrade-guides/0-15.html 20210426: AFFECTS: users of x11-fonts/iosevka AUTHOR: 0mp@FreeBSD.org The selection of options for Iosevka has become less granular as the port has switched from TTF-based distfiles to super-TTC-based distfiles. Now all the spacing variants are contained within one file for each Iosevka style. 20210425: AFFECTS: users of python AUTHOR: kai@FreeBSD.org The default version of python3 and python was switched to 3.8. For ports users wanting to keep version 3.7 as default, add DEFAULT_VERSIONS+= python=3.7 python3=3.7 to make.conf Following procedures may ease the upgrade: For users of pre-build packages: # sh # for i in $(pkg query -g %n 'py37-*'); do pkg set -yn ${i}:py38-${i#py37-}; done # pkg upgrade For portmaster users: # sh # portmaster -o lang/python38 python37 # REINSTALL="$(pkg info -o "*py37*" | awk '{printf "%s ", $2}')" # pkg delete -f "*py37*" # portmaster $REINSTALL # REBUILD=$(pkg query -g "%n:%dn" '*' | grep py3 | grep -v py38 | cut -d : -f 1 | sort -u) # portmaster $REBUILD # REBUILD2=$(pkg list | grep python-37 | xargs pkg which | awk '{print $6}' | sort -u) # portmaster $REBUILD2 20210420: AFFECTS: users of www/node AUTHOR: bhughes@FreeBSD.org The www/node port has been updated to Node.js v16.0.0, the latest upstream release. This is a major release, including many significant changes. Users are encouraged to read the release announcements before upgrading: https://nodejs.org/en/blog/release/v16.0.0/ 20210416: AFFECTS: Users of shells/bash, shells/bash-static with PORTS_READLINE=off AUTHOR: olce.freebsd@certner.fr Bundled readline now will use LOCALBASE/etc/inputrc as its ultimate default inputrc file (instead of /etc/inputrc). This puts these ports in line with what devel/readline has been doing recently (since 20210103). 20210414: AFFECTS: users of graphics/OpenEXR or graphics/ilmbase AUTHOR: mandree@FreeBSD.org graphics/ilmbase was removed in favor of math/Imath 3.0.1, and graphics/OpenEXR was updated to 3.0.1. Ports that depend on OpenEXR and/or ilmbase according to INDEX were patched, for ports where OpenEXR is an option that defaults to off, these typical items needs to be changed - file bug reports in that case, preferably with tested patches: - The IlmBase parts Imath and half are now repackaged as Imath - The IlmThread and Iex libraries are now part of OpenEXR - Some header files were rearranged accordingly, into ${LOCALBASE}/include/OpenEXR vs. ${LOCALBASE}/include/Imath - Some code needs a few #include statements added, often #include or #include - Some classes were removed, and the C++11 standard library features need to be used, f. i. std::numeric_limits. - Some code used Int64 or SInt64 should use uint64_t or int64_t. Detailed porting hints are available here: https://github.com/AcademySoftwareFoundation/Imath/blob/v3.0.1/docs/PortingGuide2-3.md 20210411: AFFECTS: users or devel/py-RPyC AUTHOR: skozlov@FreeBSD.org devel/py-RPyC has been updated to version 5.0.1, which have some incompatibilities with 4.x branch. Be sure to check them out before upgrading: https://rpyc.readthedocs.io/en/latest/changelog.html#backwards-incompatible 20210414: AFFECTS: users of x11-fonts/oldschool-pc-fonts AUTHOR: evgeniy@khramtsov.org x11-fonts/oldschool-pc-fonts has been upgraded to 2.2. This version changed names of many fonts. If you have configuration files with specific font names set, you need to update your configurations after upgrade. 20210406: AFFECTS: users of www/phpvirtualbox AUTHOR: dereks@lifeofadishwasher.com www/phpvirtualbox has been updated to version 6.1. This new version only supports version 6.1 of VirtualBox. Version 5.x of phpvirtualbox has been preserved as www/phpvirtualbox-legacy. If you require support for VirtualBox 5.x please install this version. Remember to copy your configuration file in the new legacy installation. 20210328: AFFECTS: users of www/caddy AUTHOR: adamw@FreeBSD.org The default locations for caddy runtime files have changed. - Caddy's runtime log is now /var/log/caddy/caddy.log (was /var/log/caddy.log) - Automatic SSL certs are now stored in /var/db/caddy/data/caddy (was /root/.local/share/caddy) - Configuration autosaves are now stored in /var/db/caddy/config/caddy (was /root/.config/caddy) You can change these defaults. See /usr/local/etc/rc.d/caddy for the list of settings. 20210322: AFFECTS: users of net/wireguard AUTHOR: decke@FreeBSD.org A wireguard kernel implementation supporting FreeBSD 12.1 and newer was added as net/wireguard-kmod recently. The new default for users of net/wireguard is the kernel module. If you experience problems with it you can switch back to wireguard-go by removing net/wireguard-kmod and making sure net/wireguard-go is installed. The userland tools wg-quick(8) and wg(8) try to use kernel support if the kernel module is available and otherwise fall back to wireguard-go automatically. Config files are fully compatible. 20210317: AFFECTS: users of security/strongswan AUTHOR: driesm@FreeBSD.org The stroke starter interface has been deprecated by upstream for some time now. The default interface for controlling the charon daemon has switched from stroke to vici. Users still using the legacy config files such as ipsec.conf and ipsec.secret (stroke, starter) can easily revert to the old behavior by: # sysrc strongswan_interface="stroke" It is recommended to use the vici interface which is configured by swanctl.conf. Check : https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf to ease the transition from ipsec.* to swanctl.conf 20210313: AFFECTS: users of net-mgmt/phpipam AUTHOR: marko.cupac@mimar.rs ipaddresses table in phpipam database is likely to contain incorrect datetime values which prevent successful upgrade. Make sure to create backup of phpipam database. Before starting upgrade wizard in web interface run the following SQL query on phpipam database: UPDATE ipaddresses SET lastSeen='1970-01-01 00:00:01' WHERE lastSeen < '0000-01-01 00:00:00'; 20210310: AFFECTS: users of textproc/redisearch AUTHOR: osa@FreeBSD.org The textproc/redisearch port has been updated to the recent stable release - v2.0. Users wanting to stay on v1.6 can replace textproc/redisearch with textproc/redisearch16 with one of the following commands: # pkg install textproc/redisearch16 or # portmaster -o textproc/redisearch16 textproc/redisearch or # portupgrade -o textproc/redisearch16 textproc/redisearch NOTE: The textproc/redisearch16 brings a new name for the module, i.e. redisearch16.so, so be careful. 20210309: AFFECTS: users of emulators/virtualbox-ose AUTHOR: madpilot@FreeBSD.org emulators/virtualbox-ose has been updated to 6.1.18. This new version only works on amd64 hardware. Previous version 5.x of the virtualbox ports have been preserved as emulators/virtualbox-ose-legacy and similarly named ports for the other parts. If you can't run the latest version or wish to stay with the old version, please install the legacy ports. Also the additions at present build successfully only for amd64. If you need i386 additions you can fallback to the old legacy ones. NOTE: There is no support for moving saved running machine states across major updates of virtualbox. It is recommended to properly shutdown all virtual machines before upgrading. Otherwise the saved state can simply be discarded after the upgrade, if it's not important to preserve it. It should also be possible to downgrade to the legacy ports and shutdown the machine properly from the saved state and then upgrade back again. 20210302: AFFECTS: users of editors/emacs-devel AUTHOR: jrm@FreeBSD.org If you get the error "Symbol's value as variable is void: minor-modes", rebuild the offending Emacs packages. See https://lists.gnu.org/archive/html/emacs-devel/2021-02/msg01164.html for details. 20210220: AFFECTS: users of math/py-mathics AUTHOR: thierry@FreeBSD.org math/py-mathics has been split into several ports, and Mathics Core only provides a rudimentary command-line shell called mathics. To get the same functionality as in 1.x, you need to install either mathicsscript or Mathics-Django. 20210219: AFFECTS: users of games/mangband AUTHOR: adridg@FreeBSD.org The client has updated from 1.1.3 (which has a single public server left) to the current 1.5.3 (which has more public servers). If you update, you can NOT connect to the old server any more. Remember to finish your game before updating. 20210210: AFFECTS: users of audio/spotifyd AUTHOR: rodrigo@FreeBSD.org The configuration format for audio/spotifyd is now TOML, make sure to update your configuration file after upgrading the port. Look at the sample configuration file for a working example. https://github.com/Spotifyd/spotifyd/blob/master/docs/src/config/File.md 20210208: AFFECTS: users of mail/mailscanner AUTHOR: crees@FreeBSD.org The clamavmodule has finally been removed after a long deprecation period. Please remove all references to it in your mailscanner.conf as it will now count as a syntax error and may stop MailScanner starting! 20210204: AFFECTS: users of www/unit AUTHOR: osa@FreeBSD.org The default location for NGINX Unit's state directory has changed. It was moved from /usr/local/libexec/unit to /var/db/unit in order to avoid write operations on /usr/local filesystem. 20210130: AFFECTS: users of graphics/opencv-core AUTHOR: tcberner@FreeBSD.org graphics/opencv-core has been reintegrated into graphics/opencv. So there is no longer a circular dependency opencv-core -> ffmpeg -> opencv If you experience problems updating the packages, try pkg delete -f opencv-core 20210124: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org The Django templating language (DTL) is no longer supported for export templates. Please ensure that all export templates use Jinja2 before upgrading. Also the support for embedded graphs was completely removed and several changes to the REST API were made. Please check the changelogs for further details. 20210114: AFFECTS: users of net-im/matterircd AUTHOR: norrland@nullbyte.se Commandline switches Switched to viper for cmdline parsing, which does not support "short" flags. You'll need to use --flag instead of -flag. Eg ./matterircd --debug Bridge specific configuration is now only in configuration file. This means the following flags have been removed: -restrict,-mmteam,-mmserver, -mminsecure,-mmskiptlsverify. You can set those in matterircd.toml, see the example file. Config changes BlacklistUser feature for slack has been renamed to DenyUsers. JoinMpImOnTalk feature has been renamed to JoinDM and is available for slack/mattermost JoinInclude, JoinExclude now support regexp (see matterircd.toml.example) 20210113: AFFECTS: users of databases/redis[-devel] AUTHOR: osa@FreeBSD.org The databases/redis port has been updated to the recent stable release. Users wanting to stay on v5.x can replace databases/redis with databases/redis5 with one of the following commands: # pkg install databases/redis5 or # portmaster -o databases/redis5 databases/redis or # portupgrade -o databases/redis5 databases/redis 20210106: AFFECTS: mail/dovecot AUTHOR: pi@FreeBSD.org The VPOPMAIL option was removed, because it was dropped upstream, so please check your config before upgrading. 20210106: AFFECTS: sysutils/graylog AUTHOR: dch@FreeBSD.org graylog 4.0 and higher now use a new license, the SSPL. For more details, see https://www.graylog.org/post/graylog-v4-0-licensing-sspl 20210102: AFFECTS: x11/libexo, XFCE4 desktop users AUTHOR: madpilot@FreeBSD.org XFCE4 has been updated to version 4.16. Unluckily due to how the update works out it interacts badly with a defect in pkg which can cause files from the libexo package to be absent after upgrade. To avoid the issue, before upgrading all packages, please update libexo by itself: # pkg upgrade libexo # pkg upgrade If you have already upgraded and you notice XFCE issues due to missing libraries you can recover easily by forcing reinstallation of libexo: # pkg upgrade -f libexo Users upgrading via ports should not be affected. 20201228: AFFECTS: www/py-flexget AUTHOR: jbeich@FreeBSD.org py-flexget (or py37-flexget) has been renamed to flexget. "pkg upgrade" doesn't track MOVED file unlike portmaster, so provide a hint e.g., $ pkg upgrade -x flexget or install again, letting pkg remove the old version $ pkg install flexget 20201218: AFFECTS: users of www/qt5-webengine AUTHOR: kai@FreeBSD.org Users that upgrade www/qt5-webengine without using pkg/poudriere might experience failures due to conflicts with the installed version of 5.15.2. In that case, pkg delete -f the qt5-webengine package before building the updated version. 20201130: AFFECTS: users of graphics/jpeg AUTHOR: rene@FreeBSD.org The graphics/jpeg port has been removed in favor of graphics/jpeg-turbo. The former port was vulnerable and used an outdated ABI and API. Please check your make configuration for JPEG_PORT and remove it or set it to "jpeg-turbo" if it is currently set to "jpeg". 20201128: AFFECTS: users of databases/cego AUTHOR: pi@FreeBSD.org Database updates from 2.45.x to 2.46.x require a xml tableset export and import, since table structure information has been changed. 20201128: AFFECTS: users of lang/ruby26 AUTHOR: mfechner@FreeBSD.org The default ruby version has been updated from 2.6 to 2.7. If you compile your own ports you may keep 2.6 as the default version by adding the following lines to your /etc/make.conf file: # # Keep ruby 2.6 as default version # DEFAULT_VERSIONS+=ruby=2.6 If you wish to update to the new default version, you need to first stop any software that uses ruby. Then, you will need to follow these steps, depending upon how you manage your system. If you use pkg, simply upgrade: # pkg upgrade If you do not use pkg, please check entry 20190420. The description there should also work for this version. 20201112: AFFECTS: users of net-mgmt/pushgateway AUTHOR: rhurlin@FreeBSD.org The v0.10.0 release changes the storage format. v0.10 can read the storage format of v0.5--v0.9. It will then persist the new format so that a downgrade won't be possible anymore [1]. For later releases >= v1.0.0 only persistence files created by v0.10+ are usable. So please, upgrade to v0.10 first to convert existing persistence files. It is intended to replace v0.10.0 in about four weeks from now (not before 2020-12-12) by >= v1.3.0. [1] https://github.com/prometheus/pushgateway/releases/tag/v0.10.0 20201110: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org Changes related to the NetBox configuration: 1. If in use, LDAP authentication must be enabled by setting REMOTE_AUTH_BACKEND to 'netbox.authentication.LDAPBackend'. (The LDAP configuration parameters in ldap_config.py remain unchanged.) 2. REMOTE_AUTH_DEFAULT_PERMISSIONS now takes a dictionary rather than a list. This is a mapping of permission names to a dictionary of constraining attributes, or None. For example, ['dcim.add_site', 'dcim.change_site'] would become {'dcim.add_site': None, 'dcim.change_site': None}. 3. Support for the DEFAULT_TIMEOUT parameter under REDIS database configuration was removed. Set RQ_DEFAULT_TIMEOUT as a global configuration parameter instead. Please also check the pkg-message and the changelogs for further info. 20201106: AFFECTS: users of www/samdruckerserver AUTHOR: dvl@FreeBSD.org If upgrading from < 0.2.4, the database schema has changed. Run these scripts to update your database: * PostgreSQL/updates-2020.08.28.sql * PostgreSQL/procedures.sql These scripts are in /usr/local/share/samdrucker/PostgreSQL 20201030: AFFECTS: users of security/openvpn AUTHOR: mandree@FreeBSD.org The security/openvpn port has been updated to v2.5.0, which brings a change to the default ciphersuite, which no longer contains BF-CBC. Some options have been removed. Also, if you need to support very old (v2.3) and unsupported clients or servers, you will need to adjust the configuration. For details, see: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25 20201029: AFFECTS: users of www/node AUTHOR: bhughes@FreeBSD.org The www/node port has been updated to Node.js v15.0.0, the latest upstream release. A new port, www/node14, has been created for the v14.x LTS branch. Users wanting to stay on v14.x can replace www/node with www/node14 with one of the following commands: # pkg install www/node14 or # portmaster -o www/node14 www/node or # portupgrade -o www/node14 www/node 20201026: AFFECTS: users of emulators/qemu AUTHOR: bofh@FreeBSD.org emulators/qemu has been updated to 5.0.1. Previous 4.2.X branch has been repocopied to emulators/qemu42. If someone wants to stick with 4.2.X branch please use one of the following command: # pkg install emulators/qemu42 or # portmaster -o emulators/qemu42 emulators/qemu or # portupgrade -o emulators/qemu42 emulators/qemu 20201021: AFFECTS: users of www/py-unit AUTHOR: osa@FreeBSD.org The www/py-unit port has been renamed to www/unit-python. 20201012: AFFECTS: Users of mesa-dri with VAAPI or VDPAU options AUTHOR: manu@FreeBSD.org The nondefault options VAAPI and VDPAU were removed from the mesa-dri port and two new ports, mesa-gallium-va and mesa-gallium-vdpau now contain the necessary libraries for using VAAPI or VDPAU on AMD hardware. 20201012: AFFECTS: users of devel/libsoup-gnome AUTHOR: bapt@FreeBSD.org libsoup-gnome has been merged back into libsoup for people building locally: first delete libsoup-gnome before installing the new libsoup $ pkg delete -f libsoup-gnome 20201011: AFFECTS: users of sysutils/rundeck3 who use MySQL as database AUTHOR: daniel.tihanyi@tetragir.com Please note that the MySQL JDBC driver is no longer bundled with Rundeck. Please make sure that you migrate to the MariaDB Connector or copy the driver yourself. More instructions: https://docs.rundeck.com/docs/upgrading/upgrading-to-rundeck-3.3.4.html 20201006: AFFECTS: users of sysutils/tenshi AUTHOR: 0mp@FreeBSD.org The default location for tenshi's configuration file has changed. It was moved to /usr/local/etc/tenshi/tenshi.conf from /usr/local/etc/tenshi.conf in order to follow upstream defaults. 20201002: AFFECTS: users of mail/fetchmail beginning with 6.4.12_1 AUTHOR: mandree@FreeBSD.org Note that if you are using fetchmail in a multi-user setup, i. e. with the fetchmail_users (mind the -s!) variable set, the $fetchmail_home_prefix + user second-guess work has been replaced by a real lookup of the user's home directory. In the majority of configurations, this should not make a difference, in some setups, it may open up some flexibility. The fetchmail_home_prefix variable is ignored from 6.4.12_1 onwards. Also, the rc script redirects its input from /dev/null so that passwords will not be interactively queried from an rcfile. Put passwords into the [.]fetchmailrc or into a .netrc file. 20201002: AFFECTS: users of sysutils/modules AUTHOR: 0mp@FreeBSD.org The upstream developers of the Modules port encourage users to consult the MIGRATING document, which describes the major changes occurring between versions of Modules. It provides an overview of the new features and changed behaviors that will be encountered when upgrading: https://modules.readthedocs.io/en/v4.6.0/MIGRATING.html 20200930: AFFECTS: users of sysutils/syslog-ng32[789] AUTHOR: cy@FreeBSD.org rc.conf variables syslog_ng_config and syslog_ng_pid have been replaced by syslog_ng_flags and syslog_ng_pidfile respectively, making them consistent with the rest of the ports tree. syslog_ng_config and syslog_ng_pid will continue to work until syslog-ng331 has been released and imported into ports. 20200924: AFFECTS: users of net/freeradius3, who need python support AUTHOR: zi@FreeBSD.org FreeRADIUS 3.x currently uses python 2.7 for rlm_python support, which has been deprecated and will be removed from the tree at the end of this year. Starting in 3.0.21_2, the PYTHON option has been converted to use python 3.x. Users should verify their python scripts are 3.x compatible and upgrade to 3.0.21_2 (or higher) to bring in python 3.x support. 20200921: AFFECTS: users of databases/postgresql* and other software using PostgreSQL to run AUTHOR: kbowling@FreeBSD.org The default version of PostgreSQL has been switched from 11 to 12. The upgrade procedure can use up twice the space the databases currently needs. If you have a big amount of stored data take a closer look at the manpage of pg_upgrade for avoidance and/or speedup of the upgrade. The upgrade instructions consider a basic usage and do not match complex scenarios like replication, sharding, or similar. Upgrade instructions: First stop your PostgreSQL, create PostgreSQL-binaries and backup your data. If you have another Version of PostgreSQL installed, for example 11.9, your files are named according to this. # service postgresql stop # pkg create postgresql11-server postgresql11-contrib # mkdir /tmp/pg-upgrade # tar xf postgresql11-server-11.9.txz -C /tmp/pg-upgrade # tar xf postgresql11-contrib-11.9.txz -C /tmp/pg-upgrade # pkg delete -f databases/postgresql11-server databases/postgresql11-contrib databases/postgresql11-client Now update PostgreSQL: pkg user: # pkg install databases/postgresql12-server databases/postgresql12-contrib # pkg upgrade Portmaster users: # portmaster databases/postgresql12-server databases/postgresql12-contrib # portmaster -a Portupgrade users: # portinstall databases/postgresql12-server databases/postgresql12-contrib # portupgrade -a After installing the new PostgreSQL version you need to convert all your databases to new version: # su -l postgres -c "/usr/local/bin/initdb --encoding=utf-8 --lc-collate=C -D /var/db/postgres/data12 -U postgres" # su -l postgres -c "pg_upgrade -b /tmp/pg-upgrade/usr/local/bin/ -d /var/db/postgres/data11/ -B /usr/local/bin/ -D /var/db/postgres/data12/ -U postgres " Now the migration is finished. You can start PostgreSQL again with: # service postgresql start ATTENTION: 1) The default user changed from "pgsql" to "postgres" in 11. The migration steps above now assume the "postgres" database user and FreeBSD user. 2) See the updating entry 20190829 if you are updating from a release prior to 11. 3) If you use non-default initdb options, you have to adjust the initdb-command accordingly 20200918: AFFECTS: users of mail/thunderbird AUTHOR: cmt@FreeBSD.org Thunderbird has been updated to the 78esr series. Thunderbird will try to convert old profiles on first start, but conversion may fail especially on old profiles. Also, older versions of Thunderbird will not be able to use a profile once it has been converted. It is strongly recommended to move any ~/.thunderbird folder away before starting Thunderbird 78 for the first time, thus creating a new and empty profile. Also note that OpenPGP functionality has been integrated into Thunderbird, obsoleting the Enigmail extension. Check https://wiki.mozilla.org/Thunderbird:OpenPGP for details, and especially https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards if your private key lives on a smartcard. 20200914: AFFECTS: users of lang/php72 AUTHOR: tz@FreeBSD.org The default version of PHP has been switched from 7.2 to 7.4. If you use binary packages you should make a list of php packages before running 'pkg upgrade': # pkg info php7\* > ~/installed-php-ports-list After the upgrade, check with such list if all your php extensions are still installed, and reinstall them if needed. If you use mod_php72 you need to deinstall it and install mod_php74. 20200811: AFFECTS: users of *-emacs26-* packages AUTHOR: jrm@FreeBSD.org With the release of Emacs version 27.1, the major version of editors/emacs has changed from 26 to 27. This means the names of some dependent packages have also changed, so simply running `pkg upgrade` will not upgrade foo-emacs26-x to foo-emacs27-x. To update these packages, run these commands with superuser privileges. Binary package users: # sh # for i in $(pkg query -g %n '*-emacs26*'); do \ nn=$(echo "$i" | sed -e 's/emacs26/emacs27/'); \ pkg set -yn "$i":"$nn"; \ done; # pkg upgrade portmaster users: # portmaster -r emacs 20200803: AFFECTS: users of lang/perl5* AUTHOR: mat@FreeBSD.org The default Perl version has been switched to Perl 5.32. If you are using binary packages to upgrade your system, you do not have anything to do, pkg upgrade will do the right thing. For the other people, follow the instructions in entry 20181213, it should still be the same. 20200726: AFFECTS: users of net-mgmt/librenms AUTHOR: dvl@FreeBSD.org The %%WWWDIR%%%/logs directory has been relocated to /var/log/librenms/ via the APP_LOG directive in %%WWWDIR%%%/.env.example - this won't affect existing installs, but you are strongly encouraged to update your .env file settings and relocate your logs. Logs which were going to /var/log/messages and /var/log/librenms/ now only go to /var/log/librenms/ 20200720: AFFECTS: users of net-mgmt/librenms AUTHOR: dvl@FreeBSD.org As mentioned previously in 20200503 polling via cronjob has been removed as of release 1.63 - see https://community.librenms.org/t/dropping-support-for-php-7-1-and-python-2/11851 A database upgrade is required: cd /usr/local/www/librenms sudo ./lnms migrate You must migrate to the Dispatch Service: https://docs.librenms.org/Extensions/Dispatcher-Service/ You may need to add LIBRENMS_USER to .env (see .env.example). These steps should get you running: * comment out the crontab entries listed above under PYPOLLER * populate %%WWWDIR%%/.env with: * APP_KEY - see farther below for how to create * NODE_ID - see just below for how to create * DB_HOST * DB_DATABASE * DB_USERNAME * DB_PASSWORD * you can create a NODE_ID with: php -r 'echo uniqid() . "\n";' * sysrc librenms_enable="YES" * service librenms start 20200719: AFFECTS: users of emulators/qemu AUTHOR: bofh@FreeBSD.org emulators/qemu has been updated to 4.2.1. Previous 4.1.X branch has been repocopied to emulators/qemu41. If someone wants to stick with 4.1.X branch please use one of the following command: # pkg install emulators/qemu41 or # portmaster -o emulators/qemu41 emulators/qemu or # portupgrade -o emulators/qemu41 emulators/qemu 20200716: AFFECTS: users of shells/bash, shells/bash-static AUTHOR: ehaupt@FreeBSD.org In order to cleanly decouple bash from base, bash now reads `profile` from LOCALBASE/etc insead of from /etc. If you are using system wide bash configuration in /etc/profile please migrate to LOCALBASE/etc/profile # cp /etc/profile /usr/local/etc/profile or create a symlink # ln -s /etc/profile /usr/local/etc/ If you encounter the following error, you may have the obsolete /lib/libreadline.so.8 lying around after an incomplete base update: ld-elf.so.1: Undefined symbol "rl_signal_event_hook" referenced from COPY relocation in /usr/local/bin/bash Please refer to to (23.5.6.2) in the FreeBSD Handbook on how to safely check for outdated files and libraries: https://www.freebsd.org/doc/en/books/handbook/makeworld.html 20200713: AFFECTS: users of mail/php7[2-4]-imap AUTHOR: tz@FreeBSD.org The imap module of PHP was compiled against cclient till now. But this lib is unmaintained for over 7 years. When combined with modern OpenSSL there are various crashes reported. Switching to the fork panda-cclient fixes these issues. Therefore we make the usage of Panda cclient the new default. If you want to use the old cclient, you need to enable it now! 20200616: AFFECTS: users of www/baikal AUTHOR: gahr@FreeBSD.org The www/baikal has been updated to 0.7.1. With the 0.7.0 release, our configuration format was updated to use YAML files. You need to go through the installer again but we pre-fill most values with the ones from your old installation. We recommend that you make a full backup of your data, as a safety measure. Starting with 0.7.0, Baikal stores data in both the Specific and the config folders. Keep this in mind when upgrading! Known issue:: Upgrading from versions older than 0.6.1 does not work. 20200613: AFFECTS: users of editors/libreoffice AUTHOR: fluffy@FreeBSD.org LibreOffice was updated to 6.4 branch with some critical changes: - GTK2 option is obsolete by upstream - GTK3 option is not more set by default because of unstable yet and have visual glitches - QT5 option is set by default to provide comfy visual style for every user - KDE option was renamed to KF5 follows upstream Please re-run "make config" to pick up the new defaults 20200610: AFFECTS: users of www/node AUTHOR: bhughes@FreeBSD.org The www/node port has been updated to Node.js v14.0.0, the latest upstream release. This is a major release, including many significant changes. Users are encouraged to read the release announcements before upgrading: https://nodejs.org/en/blog/release/v14.0.0/ 20200602: AFFECTS: users of www/radicale AUTHOR: decke@FreeBSD.org Migration from radicale 1.x to 2.x requires that you export the storage with radicale 1.1.6 before updating. Migration instructions are available at: https://web.archive.org/web/20190314225402/https://radicale.org/1to2/ 20200602: AFFECTS: users of sysutils/py-salt AUTHOR: krion@FreeBSD.org This port is moved to sysutils/py-salt-2019 and sysutils/py-salt was updated to version 3000. If you wish to use pysalt-2019 in the future, you might run the following command: # pkg set -o sysutils/py-salt:sysutils/py-salt-2019 # pkg upgrade 20200531: AFFECTS: users of mail/postfix-policyd-spf-python AUTHOR: yasu@utahime.org This port is now deprecated because upstream project is superseded by its successor. So uninstall this port and install mail/py-spf-engine instead. Keep in mind that the path of configuration file is changed from ${PREFIX}/etc/postfix-policyd-spf-python/policyd-spf.conf to ${PREFIX}/etc/python-policyd-spf/policyd-spf.conf. So you need to move it to new location unless you use the default one without changing. 20200526: AFFECTS: users of databases/mariadb104-client, databases/mariadb104-server AUTHOR: brnrd@FreeBSD.org The ports now add sample configuration files to /usr/local/etc/mysql. You must merge your client configuration with the conf.d/client.cnf and your server configuration with conf.d/server.cnf. 20200518: AFFECTS: users of converters/libiconv AUTHOR: zeising@FreeBSD.org Support for the Japanese specific patches have been discontinued. These were previously added in a nondefault ports options, for people who needed them. If you still need them, it might be possible to create a port of libiconv 1.14 which includes those patches. 20200517: AFFECTS: users of x11/sddm AUTHOR: arrowd@FreeBSD.org The home directory of sddm user has been moved to /var/lib/sddm. It is advised to run following commands as root after updating the package: # pw usermod -n sddm -d /var/lib/sddm # pwd_mkdb /etc/master.passwd # mv /usr/local/etc/sddm/home/state.conf /var/lib/sddm/state.conf # rm -rf /usr/local/etc/sddm/home Otherwise, SDDM will keep using /usr/local/etc/sddm/home/ as its HOME. 20200515: AFFECTS: users of devel/libphutil, devel/arcanist-lib, devel/phabricator AUTHOR: grembo@FreeBSD.org Upstream fully deprecated devel/libphutil and merged its functionality into devel/arcanist-lib and devel/phabricator. As a result, the devel/libphutil port will be removed from the ports tree. After upgrading devel/(arcanist-lib|phabricator) to version 20200514, it is recommended to remove the orphaned libphutil package by running: # pkg delete php\*-libphutil Alternatively, 'pkg autoremove' will also work as expected, but might remove orphaned packages unrelated to this update. 20200505: AFFECTS: users of net-im/pidgin-rocketchat AUTHOR: tobias.rehbein@web.de This port has been turned into a libpurple plugin (net-im/purple-rocketchat) to support other libpurple clients than pidgin. This also changes some dependencies and you should run the following command to prevent pidgin from being autoremoved. # mark pidgin as being not automatically installed pkg set -A 0 pidgin 20200504: AFFECTS: users of x11-wm/hs-xmonad AUTHOR: arrowd@FreeBSD.org From now, it is recommended to use "build script" method to compile XMonad config. See https://github.com/xmonad/xmonad-testing/ for general info and port's pkg-message for concrete steps. 20200503: AFFECTS: users of net-mgmt/librenms AUTHOR: dvl@FreeBSD.org Polling via cronjob is deprecated as of release 1.63 Please see https://community.librenms.org/t/dropping-support-for-php-7-1-and-python-2/11851 Please migrate to the Dispatch Service: https://docs.librenms.org/Extensions/Dispatcher-Service/ These steps should get you running: * comment out the crontab entries listed above under PYPOLLER * populate %%WWWDIR%%/.env with: * APP_KEY - see farther below for how to create * NODE_ID - see just below for how to create * DB_HOST * DB_DATABASE * DB_USERNAME * DB_PASSWORD * you can create a NODE_ID with: php -r 'echo uniqid() . "\n";' * sysrc librenms_enable="YES" * service librenms start 20200501: AFFECTS: users of www/phpmyfaq AUTHOR: flo@FreeBSD.org phpMyFAQ has been updated to 3.0.2, old templates are not compatible with this new version. Please see: https://www.phpmyfaq.de/docs/3.0#3.4 20200428: AFFECTS: users of sysutils/ansible AUTHOR: bofh@FreeBSD.org Ansible has been updated to 2.9.7. Please follow the porting guide to update the rulesets: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.9.html If you wish to stay with 2.8 version, you can switch to new sysutils/ansible28 port, which tracks stable 2.8 branch: # pkg set -n ansible:ansible28 20200428: AFFECTS: x11-servers/xwayland-devel AUTHOR: jbeich@FreeBSD.org DRI3 is enabled by default since mesa-libs-18.3.2_4, so you no longer need to define LIBGL_DRI3_ENABLE in ~/.profile or ~/.login. See 20200308 entry for more details. 20200422: AFFECTS: users of devel/kyua AUTHOR: brooks@FreeBSD.org A tests group has been added and the tests user should be a member of it by default rather than nobody. You should update your password database to match (change the group from 65534 to 977 after updating). Please use the following command to do so: pw usermod -n tests -g tests 20200408: AFFECTS: users of security/openssh-portable AUTHOR: bdrewery@FreeBSD.org OpenSSH was upgraded to 8.2p1 on 2020-03-23. A restart of sshd is required after upgrade due to an incompatibility introduced in 8.2. Please see https://www.openssh.com/txt/release-8.2 for upcoming deprecation notices. 20200408 AFFECTS: users of net/irrd AUTHOR: bofh@FreeBSD.org Legacy version of net/irrd has been moved to net/irrd-legacy. net/irrd has been upgraded to 4.X branch. If someone wants to stick with legacy version then pkg users have to do something like # pkg set -o net/irrd:net/irrd-legacy For portmaster users # portmaster -o net/irrd-legacy net/irrd Both of the version can be installed and used concurrently in case there is a need for migration 20200403: AFFECTS: users of x11-fonts/fontconfig AUTHOR: desktop@FreeBSD.org Fontconfig 2.13.1 generated .uuid files in the fonts directory which where not properly registered to the packages. To clean them up, please execute the following command: find /usr/local/share/fonts -type f -name .uuid -delete 20200326: AFFECTS: users of devel/sonarqube and devel/sonar-ant-task AUTHOR: netchild@FreeBSD.org The outdated port devel/sonarqube has moved to devel/sonarqube-community to make it clear that it is the community edition. The log and DB files are still stored in the same location. The devel/sonar-ant-task port has moved to devel/sonarqube-ant-task to match the upstream-name. The install location is renamed accordingly. At the same time the user/group of the sonarqube port changed from www:www to sonarqube:sonarqube. It is expected that nobody was using the 6.2 version from 2016 anymore and no change needs to be done. No analysis was done to check if the old 6.2 version can be updated in-place to the 8.2 version. As such if there is still someone using the old 6.2 version, you may have to delete /var/log/sonarqube and /var/db/sonarqube before installing the new version. 20200320 AFFECTS: users of devel/qca AUTHOR: kde@FreeBSD.org New versions of devel/qca stopped supporting OpenSSL < 1.1. For this reason devel/qca-legacy has been added, which is held back at an older version until FreeBSD 11 goes EOL. Ports depending on devel/qca should stop adding direct LIB_DEPENDS and switch to depending on it via USES=qca. FreeBSD 11 users might want to run something like pkg set -o devel/qca:devel/qca-legacy 20200320: AFFECTS: users of x11/libxkbcommon AUTHOR: zeising@FreeBSD.org The libxkbcommon library (x11/libxkbcommon), used to handle keyboards in some applications, most notably kde and wayland, have been switched to use evdev rules by default on FreeBSD 12 and later. Some keys, most notably arrow keys, may not work in applications using libxkbcommon if you are using xf86-input-keyboard rather than xf86-input-libinput. If you have trouble with the keyboard keys, and if /var/log/Xorg.*.log shows that the "kbd" or "keyboard" driver is being used, you need to switch to legacy rules by setting the environment variable XKB_DEFAULT_RULES to xorg. This switch is made to match the default configuration on FreeBSD 12.1 and later, the default configuration on FreeBSD 11.3 still uses the legacy rules. 20200316: AFFECTS: users of net-im/slack-term AUTHOR: dmgk@FreeBSD.org The config file location was changed from ~/.slack-term to ~/.config/slack-term/config, please move your existing config file accordingly. 20200308 AFFECTS: users of graphics/mesa-libs and legacy graphics drivers AUTHOR: zeising@FreeBSD.org The mesa OpenGL library (graphics/mesa-libs) has been switched to use DRI3 by default, instead of the older DRI2 interface. This might cause regressions when using the legacy graphics drivers, either through graphics/drm-legacy-kmod or the graphics drivers in base. If you experience issues when running OpenGL applications it is possible to force the use of DRI2 by setting the LIBGL_DRI3_DISABLE environment variable to 1 before starting any OpenGL application. The easiest way to do this is by adding it to either your shell startup files or .xinitrc. 20200306 AFFECTS: users of databases/mysql80-server AUTHOR: joneum@FreeBSD.org As of MySQL 8.0.16, the MySQL server performs the upgrade tasks previously handled by mysql_upgrade. Consequently, mysql_upgrade is unneeded and is deprecated as of that version, and will be removed in a future MySQL version. Because mysql_upgrade no longer performs upgrade tasks, it exits with status 0 unconditionally. 20200303: AFFECTS: users of net-mgmt/librenms AUTHOR: dvl@FreeBSD.org 1. Apache / mod_php options removed The APACHEMOD option has been removed. LibreNMS can be used with other webservers, not just Apache. In order to simplify the port, the option was removed. Now you manually install the webserver of your preference. If upgrading from LibreNMS < 1.61, you can do this to prevent 'pkg autoremove' from uninstalling Apache / mod_php: $ sudo pkg set -A 0 apache24 mod_php74 Mark apache24-2.4.41 as not automatically installed? [y/N]: y Mark mod_php74-7.4.3 as not automatically installed? [y/N]: y Adjust mod_php74 to suit the version of mod_php you have. 2. include/defaults.inc.php is gone The file include/defaults.inc.php is no longer distributed by the upstream project. The FreeBSD port patched this file to correct the paths to common tools such as ping, snmpwalk, etc. These values previously adjusted by the port must now be specified in config.php. New installs will have this automatically, but existing installs must be updated manually. These are the entries you should add if upgrading from LibreNMS < 1.61: $config['snmpwalk'] = '/usr/local/bin/snmpwalk'; $config['snmpget'] = '/usr/local/bin/snmpget'; $config['snmpbulkwalk'] = '/usr/local/bin/snmpbulkwalk'; $config['snmptranslate'] = '/usr/local/bin/snmptranslate'; $config['ping'] = '/sbin/ping'; $config['mtr'] = '/usr/local/bin/mtr'; $config['nmap'] = '/usr/local/bin/nmap'; $config['nagios_plugins'] = '/usr/local/libexec/nagios'; $config['ipmitool'] = '/usr/local/bin/ipmitool'; $config['virsh'] = '/usr/local/bin/virsh'; $config['dot'] = '/usr/local/bin/dot'; $config['sfdp'] = '/usr/local/bin/sfdp'; $config['nfdump'] = '/usr/local/bin/nfdump'; 20200229: AFFECTS: users of textproc/apache-solr AUTHOR: mfechner@FreeBSD.org Apache-solr switched to the supported java LTS version 11. Make sure you update the following files accordingly: /usr/local/etc/solr.in.sh (see /usr/local/etc/solr.in.sh.sample) /usr/local/etc/javavm_opts.conf (JAVA_HOME=/usr/local/openjdk11/) 20200225: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org 1. Removal of the Topology Maps feature The deprecated topology maps feature has been removed. Please replicate any required data to another source before upgrading NetBox to v2.7.7, as any existing topology maps will be deleted. 2. Changed REDIS database configuration settings The REDIS database configuration parameters were splitted up in two discrete subsections named "webhooks" and "caching" with the 2.7 release. This requires modification of the REDIS parameter in configuration.py as follows: Old Redis sample configuration: REDIS = { 'HOST': 'localhost', 'PORT': 6379, 'PASSWORD': '', 'DATABASE': 0, 'CACHE_DATABASE': 1, 'DEFAULT_TIMEOUT': 300, 'SSL': False, } New Redis sample configuration: REDIS = { 'webhooks': { 'HOST': 'redis.example.com', 'PORT': 1234, 'PASSWORD': 'foobar', 'DATABASE': 0, 'DEFAULT_TIMEOUT': 300, 'SSL': False, }, 'caching': { 'HOST': 'localhost', 'PORT': 6379, 'PASSWORD': '', 'DATABASE': 1, 'DEFAULT_TIMEOUT': 300, 'SSL': False, } } Note that the CACHE_DATABASE parameter has been removed and the connection settings have been duplicated for both webhooks and caching. This allows one to make use of separate Redis instances if desired. It is fine to use the same Redis service for both functions, although the database identifiers should be different. Please also check the pkg-message and the changelogs for further info. 20200223: AFFECTS: users of security/gsasl AUTHOR: hrs@FreeBSD.org The library part of security/gsasl has been split into security/libgsasl. The security/gsasl now depends on security/libgsasl. Due to this change, old security/gsasl conflicts with the new security/libgsasl and it can prevent the installed security/gsasl from upgrading. Please remove the installed security/gsasl before upgrading if a conflict error occurs. 20200220: AFFECTS: users of x11-servers/xorg-server AUTHOR: zeising@FreeBSD.org x11-servers/xorg-server has been updated to 1.20.7. With this update, xorg-server has switched from using the devd backend to the udev backend for device configuration on FreeBSD 12 and 13. If you have issues with input devices, please see the install message for details. The HAL backend option has been completely removed, as it was deprecated. If you have problems with input devices, ensure that both x11/libinput and x11-drivers/xf86-input-libinput are installed. They are installed in the default configuration, but if you have a custom configuration, they might not be. 20200210: AFFECTS: users of net-im/prosody AUTHOR: thomas@beingboiled.info Prosody's pid file and data directory have moved to a new location. If you are upgrading from a version with the pid file and data directory in /usr/local/var/lib/prosody please perform these steps: # stop Prosody pkill -F /usr/local/var/lib/prosody/prosody.pid # copy the data directory cp -a /usr/local/var/lib/prosody /var/db/ rm -f /var/db/prosody/prosody.pid Make sure your prosody config has the following option set: pidfile = "/var/run/prosody/prosody.pid" Then start Prosody again. Everything should be working as before and the /usr/local/var/lib/prosody directory can now be removed. 20200207: AFFECTS: users of security/nss AUTHOR: lwhsu@FreeBSD.org NSS header files and libraries have been moved from ${PREFIX}/include/nss/nss and ${PREFIX}/lib/nss to ${PREFIX}/include/nss and ${PREFIX}/lib 20200204: AFFECTS: users of editors/vim AUTHOR: adamw@FreeBSD.org The PYTHON2 and PYTHON3 options have been turned into a single PYTHON option that uses whichever python you've set as default. However, this means that you cannot have both python2 and python3 support at the same time. 20200126: AFFECTS: users of multimedia/gstreamer1-plugins[-bad] AUTHOR: kwm@freebsd.org In GStreamer 1.16 some files moved from the gstreamer1-plugins-bad package to the gstreamer1-plugins package. If your using a tool like portmaster or portupgrade delete the old -bad port and then follow the normal upgrade method. # pkg delete -f gstreamer1-plugins-bad 20200126: AFFECTS: users of sysutils/helm AUTHOR: danilo@FreeBSD.org The Helm project have deprecated the Tiller utility in Helm 3. If you are using Helm 2 you will need to migrate the configuration to be compatible with Helm 3. Please, refer to the following documentation for more information about the migration process: https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ Note that the 2to3 plugin binary is not available for FreeBSD and you will need to compile it yourself. 20200113: AFFECTS: users of python and net/samba410, devel/talloc, devel/tevent, databases/tdb, databases/ldb* AUTHOR: timur@FreeBSD.org In the entry 20191216 for the Python update the filtering constrains are too limiting and omit the Samba supplimentary libraries, which do have Python bindings to the default Python 3.x version. With the update of the default Python3 version you also need to rebuild all the supplementary Samba libraries and samba410 itself. For portmaster users it would be enough to run: # portmaster devel/talloc devel/tevent databases/tdb databases/ldb15 net/samba410 20200109: AFFECTS: www/firefox AUTHOR: gecko@FreeBSD.org Firefox requires Capsicum since r522464 for IPC and in future will require Capsicum for process sandboxing. If you use a custom kernel make sure to copy the following lines from GENERIC kernel: options CAPABILITY_MODE # Capsicum capability mode options CAPABILITIES # Capsicum capabilities 20200107: AFFECTS: Users of *-emacs27-* packages AUTHOR: ashish@FreeBSD.org There is a major version bump in 28.0.50, therefore to upgrade all the packages dependent on editors/emacs-devel, please use the following commands: # sh # for i in $(pkg query -g %n '*-emacs27*'); do \ nn=$(echo "$i" | sed -e 's/emacs27/emacs28/'); \ pkg set -yn "$i":"$nn"; done; # pkg upgrade 20200106: AFFECTS: users of net/gnatsd AUTHOR: olgeni@FreeBSD.org net/gnatsd has been replaced by net/nats-server to reflect the new naming upstream. All options in rc.conf should be renamed by replacing 'gnats' with 'nats' (nats_enable, nats_user, nats_options). 20200101: AFFECTS: users of security/openssl and security/openssl111 AUTHOR: brnrd@FreeBSD.org The openssl port was removed on 2019-12-31, subsequently the openssl111 port was renamed to openssl on 2020-01-01. The shared library version of OpenSSL has been bumped. Users of DEFAULT_VERSIONS= ssl=openssl111 must update this to ssl=openssl. You must rebuild all ports that depend on OpenSSL if you use OpenSSL from ports. 20191226: AFFECTS: users of sysutils/dsbmd AUTHOR: mk@freeshell.de With version 1.10 dsbmd now uses sysutils/fusefs-jmtpfs for mounting MTP devices. Please adjust your dsbmd.conf or recreate it from the new dsbmd.conf.sample. 20191225: AFFECTS: multimedia/libva-intel-media-driver AUTHOR: jbeich@FreeBSD.org As of libva 2.6.0 iHD driver is automatically enabled, so you no longer need to adjust LIBVA_DRIVER_NAME in ~/.profile or ~/.login. 20191221: AFFECTS: users of misc/openhab2 AUTHOR: netchild@FreeBSD.org If you upgrade from a pevious version, make a backup of /var/db/openhab2 read about the breaking changes in the release notes at https://github.com/openhab/openhab-distro/releases/tag/2.5.0 and run %%PREFIX%%/libexec/openhab2/runtime/bin/update.freebsd which takes care about changes for: - Textual Configuration - Next Generation Rule Engine 20191216: AFFECTS: users of python AUTHOR: antoine@FreeBSD.org Default version of python3 and python was switched to 3.7. For ports users wanting to keep version 3.6 as default, add DEFAULT_VERSIONS+= python=3.6 python3=3.6 to make.conf This may ease the upgrade for users of pre-build packages: # sh # for i in $(pkg query -g %n 'py36-*'); do pkg set -yn ${i}:py37-${i#py36-}; done # pkg upgrade For portmaster users: # sh # portmaster -o lang/python37 python36 # REINSTALL="$(pkg info -o py36-\* | awk '{printf "%s ", $2}')" # pkg delete -f py36-\* # portmaster $REINSTALL # REBUILD=$(pkg query -g "%n:%dn" '*' | grep py3 | grep -v py37 | cut -d : -f 1 | sort -u) # portmaster $REBUILD # REBUILD2=$(pkg list | grep python-36 | xargs pkg which | awk '{print $6}' | sort -u) # portmaster $REBUILD2 20191204 AFFECTS: users of mail/nextcloud-mail AUTHOR: brnrd@FreeBSD.org Version 0.20.0 removed the default mail configuration via config.php. All users will be prompted to enter account and SMTP- and IMAP-server details for sending and reading email. 20191126: AFFECTS: consumers of net/py-urllib3 AUTHOR: kai@FreeBSD.org Since version 1.25 HTTPS connections are now verified by default which is done via "cert_reqs = 'CERT_REQUIRED'". While certificate verification can be disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on. Various consumers of net/py-urllib3 already have implemented routines that either explicitly enable or disable HTTPS certificate verification (e.g. via configuration settings, CLI arguments, etc.). Yet it may happen that there are still some consumers which don't explicitly enable/disable certificate verification for HTTPS connections which could then lead to errors (as is often the case with self-signed certificates). In case of an error one should try first to temporarily disable certificate verification of the problematic urllib3 consumer to see if this approach will remedy the issue. 20191125: AFFECTS: users of emulators/qemu AUTHOR: bofh@FreeBSD.org emulators/qemu31 has been updated to 4.1.1. Previous 3.1.X branch has been repocopied to emulators/qemu31. If someone wants to stick with 3.1.X branch please use one of the following command: # pkg install emulators/qemu31 or # portmaster -o emulators/qemu31 emulators/qemu or # portupgrade -o emulators/qemu31 emulators/qemu 20191124: AFFECTS: users of irc/eggdrop AUTHOR: dbaio@FreeBSD.org The irc/eggdrop port has been updated to 1.8.4 and its config is not backward compatible with 1.6.21. A new port was created to keep 1.6.21 version available at irc/eggdrop16 and it will be available for 3 months until users have time to upgrade their configuration. More information at: https://raw.githubusercontent.com/eggheads/eggdrop/v1.8.4/NEWS If you would like to keep using 1.6.21, please run the following command to update pkg database: pkg set -n eggdrop:eggdrop16 pkg set -o irc/eggdrop:irc/eggdrop16 20191108: AFFECTS: users of databases/redis[-devel] AUTHOR: osa@FreeBSD.org The databases/redis port has been updated to the recent stable release. Users wanting to stay on v4.x can replace databases/redis with databases/redis4 with one of the following commands: # pkg install databases/redis4 or # portmaster -o databases/redis4 databases/redis or # portupgrade -o databases/redis4 databases/redis 20191103: AFFECTS: users of www/node AUTHOR: bhughes@FreeBSD.org The www/node port has been updated to Node.js v13.0.0, the latest upstream release. A new port, www/node12, has been created for the v12.x LTS branch. Users wanting to stay on v12.x can replace www/node with www/node12 with one of the following commands: # pkg install www/node12 or # portmaster -o www/node12 www/node or # portupgrade -o www/node12 www/node 20191029: AFFECTS: users of emulators/open-vm-tools[-nox11] AUTHOR: jpaetzel@FreeBSD.org open-vm-tools 11.0.1 has removed the vmxnet driver. This driver has been in tree for quite some time and hopefully everyone is using the in tree version, however if you had removed device vmx from your kernel, or are running an unsupported version of FreeBSD which didn't have the driver included in the base system, updating your open-vm-tools version will leave you without networking. 20191026: AFFECTS: users of www/qt5-webengine AUTHOR: kai@FreeBSD.org Users that upgrade www/qt5-webengine without using pkg/poudriere might experience failures due to conflicts with the installed version of 5.12.2. In that case, pkg delete -f the qt5-webengine package before building the updated version. 20191025: AFFECTS: users of x11/nvidia-driver (and slave ports) AUTHOR: danfe@FreeBSD.org x11/nvidia-driver* ports no longer install Linux programs and libraries, which had been moved to their own ports (x11/linux-nvidia-libs*). When updating the driver package next time, remember to install them manually if you need to run Linux OpenGL programs. 20191016: AFFECTS: users of KDE Plasma Desktop (x11/plasma5*) AUTHOR: kde@FreeBSD.org With Plasma 5.17 the startup script has been renamed. People who use the .xinitrc method to start Plasma have to call the new binary. Previously: exec ck-launch-session startkde Change to: exec ck-launch-session startplasma-x11 20191014: AFFECTS: users of mail/rspamd, mail/rspamd-devel AUTHOR: vsevolod@FreeBSD.org Sample configuration files has been removed as default configuration files are NOT intended for modification by users and SHOULD be overwritten on port upgrade. Make sure the default configuration files are unmodified and migrate all configuration changes to the proper places, before you continue. 20191002: AFFECTS: users of textproc/groff AUTHOR: bapt@FreeBSD.org with groff 1.2.4_3, groff does not depend anymore on ghostscript and netpbm. In order to be able to properly use the html backend the user can install ghostscript and netpbm from ports without the need of reinstalling the package. Also note that the X11 option has been removed. 20190930: AFFECTS: users of net-mgmt/netbox AUTHOR: kai@FreeBSD.org Since the 2.6 release a running Redis server instance is required for caching objects to run. Also the following settings like below need to be added (or modified) in the existing configuration.py: REDIS = { 'HOST': 'localhost', 'PORT': 6397, 'PASSWORD': '' 'DATABASE': 0, 'CACHE_DATABASE': 1, 'DEFAULT_TIMEOUT': 300, 'SSL': False, } Note that if you were using these settings in a prior release with webhooks, the DATABASE setting remains the same but an additional CACHE_DATABASE settings has been added with a default value of 1 to support the caching backend. The DATABASE setting will be renamed in a future release of NetBox to better relay the meaning of the setting. It is highly recommended to keep the webhook and cache databases separate. Using the same database number for both may result in webhook processing data being lost during cache flushing events. Please also check the pkg-message and the changelogs for further info. 20190927: AFFECTS: users of emulators/qemu-devel AUTHOR: bofh@FreeBSD.org qemu-devel has been updated to 4.1.0 and 4.0.0 has been merged into a new port emulators/qemu40. If you want to stick with 4.0.X branch, simply use: # portmaster -o emulators/qemu-devel emulators/qemu40 20190927: AFFECTS: users of XFCE desktop (x11-wm/xfce4) AUTHOR: madpilot@FreeBSD.org Due to changes in the XFCE 4.14 metaport, systems could end up with both xscreensaver and xfce4-screensaver installed and enabled simultaneously. This can cause conflicts and problems unlocking the screen. To avoid problems, please make sure to have only one enabled by going to the Application Autostart tab of the Session and Startup settings applet and enable only one Screensaver there. Some further information can be found in the xfce4-session pkg-message displayed on installation and upgrade. 20190920: AFFECTS: users of net-mgmt/pushgateway AUTHOR: 0mp@FreeBSD.org The persistent storage format used by pushgateway in the latest version is not backwards compatible. See the pushgateway changelogs for details. 20190911: AFFECTS: users of security/bastillion AUTHOR: netchild@FreeBSD.org The datastore of bastillion needs to be updated: java -jar $PREFIX/jetty_bastillion/upgrade/bastillion-upgrade-3.08.00.jar \ $PREFIX/jetty_bastillion/bastillion/WEB-INF/classes/BastillionConfig.properties 20190909: AFFECTS: users of lang/ruby25 AUTHOR: mfechner@FreeBSD.org The default ruby version has been updated from 2.5 to 2.6. If you compile your own ports you may keep 2.5 as the default version by adding the following lines to your /etc/make.conf file: # # Keep ruby 2.5 as default version # DEFAULT_VERSIONS+=ruby=2.5 If you wish to update to the new default version, you need to first stop any software that uses ruby. Then, you will need to follow these steps, depending upon how you manage your system. If you use pkgng, simply upgrade: # pkg upgrade If you do not use pkg, please check entry 20190420. The description there should also work for this version. 20190906: AFFECTS: users of devel/py-fabric AUTHOR: dbaio@FreeBSD.org Fabric (devel/py-fabric) was upgraded to 2.5.0, Fabric (2+) represents a near-total reimplementation and reorganization of the software. Fabric 2 is not at 100% feature parity with 1.x! Some features have been explicitly dropped, but others simply have not been ported over yet, either due to time constraints or because said features need to be re-examined in a modern context. More information at: https://www.fabfile.org/upgrading.html#upgrading https://www.fabfile.org/upgrading.html#upgrade-specifics If you would like to keep using 1.x, please run the following command to update pkg database: pkg set -n py27-fabric:py27-fabric1 pkg set -o devel/py-fabric:devel/py-fabric1 20190830: AFFECTS: users of www/gitlab-ce AUTHOR: mfechner@FreeBSD.org Make sure you upgrade your PostgreSQL to version 11 as described in 20190829, before you upgrade your gitlab-ce version. Gitlab-ce 12.1 needs at least PostgreSQL version 9.6. After this you can follow the usual upgrade guide: https://gitlab.fechner.net/mfechner/Gitlab-docu/blob/master/update/12.0-12.1-freebsd.md 20190829: AFFECTS: users of databases/postgresql* and other software using PostgreSQL to run AUTHOR: tz@FreeBSD.org The default version of PostgreSQL has been switched from 9.5 to 11. The upgrade procedure can use up twice the space the databases currently needs. If you have a big amount of stored data take a closer look at the manpage of pg_upgrade for avoidance and/or speedup of the upgrade. The upgrade instructions consider a basic usage and do not match complex scenarios like replication, sharding, or similar. Upgrade instructions: First stop your PostgreSQL, create PostgreSQL-binaries and backup your data. If you have another Version of PostgreSQL installed, for example 9.5.19, your files are named according to this. # service postgresql stop # pkg create postgresql95-server postgresql95-contrib # mkdir /tmp/pg-upgrade # tar xf postgresql95-server-9.5.19.txz -C /tmp/pg-upgrade # tar xf postgresql95-contrib-9.5.19.txz -C /tmp/pg-upgrade # pkg delete -f databases/postgresql95-server databases/postgresql95-contrib databases/postgresql95-client Now update PostgreSQL: pkg user: # pkg install databases/postgresql11-server databases/postgresql11-contrib # pkg upgrade Portmaster users: # portmaster databases/postgresql11-server databases/postgresql11-contrib # portmaster -a Portupgrade users: # portinstall databases/postgresql11-server databases/postgresql11-contrib # portupgrade -a After installing the new PostgreSQL version you need to convert all your databases to new version: # su -l postgres -c "/usr/local/bin/initdb --encoding=utf-8 --lc-collate=C -D /var/db/postgres/data11 -U pgsql" # chown -R postgres /usr/local/pgsql/data/ # su -l postgres -c "pg_upgrade -b /tmp/pg-upgrade/usr/local/bin/ -d /usr/local/pgsql/data/ -B /usr/local/bin/ -D /var/db/postgres/data11/ -U pgsql " Now the migration is finished. You can start PostgreSQL again with: # service postgresql start ATTENTION: 1) The default user changed from "pgsql" to "postgres". The migration steps above preserve the "pgsql" database user while the database daemon is now executed as the "postgres" FreeBSD user. 2) The default data dir changed from "/usr/local/pgsql/data/" to "/var/db/postgres/data11/" 3) If you use non-default initdb options, you have to adjust the initdb-command accordingly 20190816: AFFECTS: users of net-im/ejabberd AUTHOR: ashish@FreeBSD.org Riak support has been removed by upstream. For update instructions from 19.05, please refer to: https://docs.ejabberd.im/admin/upgrade/from_19.05_to_19.08/ 20190812: AFFECTS: users of lang/perl5* AUTHOR: mat@FreeBSD.org The default Perl version has been switched to Perl 5.30. If you are using binary packages to upgrade your system, you do not have anything to do, pkg upgrade will do the right thing. For the other people, follow the instructions in entry 20181213, it should still be the same. 20190801: AFFECTS: users of www/ot-recorder AUTHOR: dvl@FreeBSD.org The data directory has moved from /var/spool/owntracks to /var/db/owntracks Be sure to stop otrecorder, move the directory, and start otrecorder. service ot-recorder stop cd /var/spool mv owntracks /var/db service ot-recorder start 20190728: AFFECTS: users of net-im/py-matrix-synapse AUTHOR: kai@FreeBSD.org The support for Python 2.7 has been dropped with the 1.1.0 release of net/py-matrix-synapse. Users that still use the Python 2.7 version of net-im/py-matrix-synapse should switch to a newer Python version, e.g. 3.6, which is the default Python version since April 2019. 20190717: AFFECTS: users of net-p2p/zetacoin and net-p2p/zetacoin-nox11 AUTHOR: daniel@morante.net Zetacoin will default to using modern versions of BDB (5.x or 6.x) when the WALLET option is selected. See pkg-help for explanation. The zetacoin-nox11 slave port was renamed to zetacoin-daemon to align with the net-p2p/bitcoin format. The zetacoin-cli and zetacoin-tx utilities have been re-packaged into a separate port. If you require these programs, or use the zetacoin-cli program to access the daemon or the GUI, install net-p2p/zetacoin-utils to reinstall them. 20190717: AFFECTS: users of sysutils/py-borgmatic AUTHOR: egypcio@FreeBSD.org The default location for borgmatic's configurations changed. We moved it from '/etc/borgmatic' to '/usr/local/etc/borgmatic' in order to follow recommended standards used on FreeBSD. 20190710: AFFECTS: users with DEFAULT_VERSIONS+=linux=c6 or c6_64 in /etc/make.conf AUTHOR: tijl@FreeBSD.org On amd64 adding DEFAULT_VERSIONS+=linux=c6 to /etc/make.conf made Linux infrastructure ports (linux_base-c6 and linux-c6*) install i386 CentOS 6 packages. Using c6_64 instead of c6 made them install mixed amd64/i386 CentOS 6 packages and allowed Linux application ports to install amd64 binaries when available. The i386-only configuration was only useful for users of x11/nvidia-driver* which didn't provide Linux amd64 emulation until recently. With x11/nvidia-driver* now supporting Linux amd64 there's no longer a need for i386-only Linux on amd64 so DEFAULT_VERSIONS+=linux=c6 has been changed to make Linux infrastructure ports install mixed amd64/i386 CentOS 6 packages, like c6_64 before, and support for c6_64 has been removed. Users with DEFAULT_VERSIONS+=linux=c6 should reinstall linux_base-c6 and all packages that depend on it. A list of dependent packages can be obtained with the following command: pkg info -r linux_base-c6 Users with DEFAULT_VERSIONS+=linux=c6_64 only need to replace c6_64 with c6 in /etc/make.conf. Users of x11/nvidia-driver* should upgrade to FreeBSD 11.3 or 12.0 if they want to run Linux amd64 OpenGL programs. If you are running an older version you may want to postpone installing or updating Linux application ports until you find the time to upgrade because application ports may install amd64 binaries now. Infrastructure ports are safe to reinstall, and so is x11/nvidia-driver*. On i386 nothing has changed. 20190707: AFFECTS: users of www/gitlab-ce AUTHOR: mfechner@FreeBSD.org You must at first upgrade to version 11.11.5 before you can upgrade to version 12. Support for MySQL will be dropped with next version. Make sure you use at least PostgreSQL version 9.6. Follow the normal upgrade manual that can be found here: https://gitlab.fechner.net/mfechner/Gitlab-docu/blob/master/update/11.11-12.0-freebsd.md 20190705: AFFECTS: users of net/serviio which bought a license for the non-free features AUTHOR: netchild@FreeBSD.org Version 2 of serviio needs a new license file. Updating without a new license file will disable the non-free features. 20190701: AFFECTS: users of databases/mysql56-(server|client) AUTHOR: ale@FreeBSD.org The default MySQL version has been updated from 5.6 to 5.7. If you compile your own ports you may keep 5.6 as the default version by adding the following lines to your /etc/make.conf file: # # Keep MySQL 5.6 as default version # DEFAULT_VERSIONS+=mysql=5.6 If you wish to update to the new default version, you need to first stop any running server instance. Then, you will need to follow these steps, depending on installed packages. # pkg set -o databases/mysql56-client:databases/mysql57-client # pkg set -o databases/mysql56-server:databases/mysql57-server # pkg upgrade 20190630: AFFECTS: users of net/samba410 AUTHOR: timur@FreeBSD.org If you used Samba in AD/DC mode with the previous versions of the port on UFS2 backed storage you have to add usage of vfs_freebsd VFS module for at least SYSVOL share and configure it to use 'legacy' mode(see manpage). The reason behind this is that previous versions Samba port used a hack to workaround broken mapping of Linux security and trusted extended attributes into FreeBSD namespace. In particular, essential security.NTACL attribute was replaced with the user.NTACL and placed in a insecure USER namespace. This port dropped this hack in favor of vfs_freebsd module, which should provide more controlled way of such a mapping. To maintain the compatibility with the previous installations on UFS2 storage (as ZFS uses it's own way of mapping SYSVOL, thanks to the iXsystems patches) the vfs_freebsd module provides 'legacy' mode that implements old functionality. For the fresh installations it is recommended to use 'secure' mode of operations for this module and use it as a global vfs objects. Caution: The given module is still considered EXPERIMENTAL. 20190630: AFFECTS: users of net/samba410, net/samba4[6-8] and devel/talloc?, devel/tevent?, databases/tdb?, databases/ldb* AUTHOR: timur@FreeBSD.org The port of the new version of Samba 4.10 is introduced. Due necessarily to keep backwards compatibility for the legacy samba4[6-8] ports the upgrade procedure is a bit convoluted. You are safe to perform fresh new install of samba410 port. In case you are upgrading from the previous versions of Samba, please use the following procedure: 0. Take backups of all the relevant files, in particular PREFIX/etc/smb4.conf and /var/db/samba4/ subdirectory. Keep in mind that files there (may) have extended attributes, so use appropriate tools to preserve them. 1a. If you haven't updated Samba between 20190619 and 20190630 then next step should be as simple as: portmaster -o net/samba410 net/samba48 1b. If you have been affected by the archiving legacy versions of Samba-related libraries for legacy versions of Samba, which happened in the given time frame, then you need to reverse operation from the 20190619 entry: for users of portmaster: portmaster -o devel/talloc devel/talloc1 portmaster -o devel/tevent devel/tevent1 portmaster -o databases/tdb databases/tdb1 portmaster -o net/samba410 net/samba48 for users of portupgrade: portupgrade -o devel/talloc devel/talloc1 portupgrade -o devel/tevent devel/tevent1 portupgrade -o databases/tdb databases/tdb1 portupgrade -o net/samba410 net/samba48 20190619: AFFECTS: users of samba4[6-8] and devel/talloc, devel/tevent, databases/tdb, databases/ldb* AUTHOR: timur@FreeBSD.org To introduce samba410(we deliberately skip samba49 due the complexity of handling) and to drop dependency on deprecated Python 2.7, Samba supplementary libraries talloc, tevent and tdb were split into current Python 3 compatible versions and legacy ones, with the suffix "1". Old versions of Samba were changed to depend on the legacy supplementary libraries, so if you need to install samba46, samba47 or samba48 over previous Samba installations you need to downgrade supplementary libs with the following commands: for users of portmaster: portmaster -o devel/talloc1 devel/talloc portmaster -o devel/tevent1 devel/tevent portmaster -o databases/tdb1 databases/tdb portmaster -r talloc1 for users of portupgrade: portupgrade -o devel/talloc1 devel/talloc portupgrade -o devel/tevent1 devel/tevent portupgrade -o databases/tdb1 databases/tdb portupgrade -fr devel/talloc1 20190613: AFFECTS: users of www/qt5-webengine AUTHOR: kai@FreeBSD.org Users that upgrade www/qt5-webengine without using pkg/poudriere might experience failures due to conflicts with the installed version of 5.12.2. In that case, pkg delete -f the qt5-webengine package before building the updated version. 20190611: AFFECTS: users of net/routinator AUTHOR: rodrigo@FreeBSD.org Release 0.4.0 fundamentally changes the command line options for running the server and introduces a new way to initialize the local RPKI repository used by Routinator. If you have been using previous releases, you will likely have to adjust your tooling. We apologize for this, but we also feel that the new commands are more intuitive and logical. 20190604: AFFECTS: users of net/samba47 AUTHOR: antoine@FreeBSD.org The default version of samba has been switched from 4.7 to 4.8. Upgrade instructions: For package users having samba47 installed indirectly (as a dependency): # pkg upgrade For package users having samba47 installed directly (leaf port): # pkg upgrade # pkg install samba48 For ports users: If you want to keep samba47, add DEFAULT_VERSIONS+= samba=4.7 to make.conf If you want to upgrade to samba48, remove samba47: # pkg delete -f samba47 Portmaster users: # portmaster net/samba48 # portmaster -a Portupgrade users: # portinstall net/samba48 # portupgrade -a 20180601: AFFECTS: www/tt-rss AUTHOR: dereks@lifeofadishwasher.com tt-rss now uses php intl for extension; a web server reload will be required if intl extension isn't already loaded. 20190522: AFFECTS: users of sysutils/graylog AUTHOR: dch@FreeBSD.org The port has been updated to the latest stable version 3.0.2, which includes more plugins by default, but also requires manual changes to graylog's configuration files, possibly port and URL changes, such as X-Graylog-Server-URL settings, and elasticsearch must be >= 5. The location of configuration files has been amended to align with the official distribution files and locations. After upgrading, manually review and merge changes from your /usr/local/etc/graylog/server/server.conf into /usr/local/etc/graylog/graylog.conf Consult https://www.graylog.org/post/announcing-graylog-v3-0-ga for further details. 20190506: AFFECTS: users of www/gitea AUTHOR: stb@lassitu.de Gitea requires the addition of another secret to the config file in order to start up. Either manually add JWT_SECRET to the ${PREFIX}/etc/gitea/conf/app.ini config file (see app.ini.sample), or allow Gitea to make the change for you by making the config file writable to the git user. 20190424: AFFECTS: users of www/node AUTHOR: bhughes@FreeBSD.org The www/node port has been updated to Node.js v12.0.0, the latest upstream release. This is a major release, including many significant changes. Users are encouraged to read the release announcements before upgrading: https://nodejs.org/en/blog/release/v12.0.0/ 20190423: AFFECTS: users of www/gitlab-ce AUTHOR: mfechner@FreeBSD.org The directory where all repositories and ssh permissions are stored was changed from /usr/home/git back to /usr/local/git, to match again the recommended standards on FreeBSD. This will cause now some other git management packages to collide with gitlab. Make sure you migrate all you git repositories to gitlab first, before you continue. Make sure /usr/local/git/repositories and /usr/local/git/.ssh are not existing! Otherwise the next commands can break your installation for managing git repositories within gitlab and with your other gitlab management software! You must move the old files to the new location with: # service gitlab stop # mv /usr/home/git /usr/local/ # pkg upg Make sure you update your config files, diff shows you what you maybe must change: # cd /usr/local/www/gitlab-ce # git diff config/gitlab.yml.sample config/gitlab.yml # cd /usr/local/share/gitlab-shell/ # git diff config.yml.sample config.yml # cd /usr/local/share/gitaly # git diff config.toml.sample config.toml # Change home directory of user git back to /usr/local/git # vipw The line should now looks like: git:*:211:211::0:0:gitosis user:/usr/local/git:/bin/sh If you do an upgrade of gitlab follow the upgrade guide. If not, just start gitlab again with: # service gitlab start 20190422: AFFECTS: users of security/libressl AUTHOR: brnrd@FreeBSD.org The port has been updated to the latest stable version 2.9 of LibreSSL. The shared library versions of the libraries have been bumped. After upgrading, manually update all packages that depend on any of the libraries provided by LibreSSL (libssl, libcrypto and libtls) since the versions of these libraries have changed. Normally, you can obtain the list of dependent software by running the following command: # pkg info -r libressl Then you should rebuild all ports depending on libressl to avoid dangling shared library dependencies. Poudriere and pkg handle this correctly, portmaster and portupgrade users can use the following to rebuild all dependent ports. Portmaster users: portmaster -r libressl Portupgrade users: portupgrade -fr security/libressl 20190421: AFFECTS: users of databases/cego AUTHOR: pi@FreeBSD.org To upgrade from cego 2.39.16 to 2.44.1, you need to export to xml before the upgrade and import from xml after the upgrade, because the internal storage has changed for some types. Use these steps: - export your database while it runs, see http://www.lemke-it.com/litexec?request=pubcegodoc&user=&lang=en§ion=cgdoc_database_running.html#tsimpexp_mode for details. - stop the database service cego stop - upgrade the port/package - re-create the database cego --mode=create --tableset= --dbxml=.xml - import the database cego --mode=xmlimport --tableset= \ --dbxml=.xml --impfile=export.xml --doLogging - modify /etc/rc.conf by adding cego__cpdump="YES" cego__cleanup="YES" - start the database service cego start 20190420: AFFECTS: users of lang/ruby24 AUTHOR: mfechner@FreeBSD.org The default ruby version has been updated from 2.4 to 2.5. If you compile your own ports you may keep 2.4 as the default version by adding the following lines to your /etc/make.conf file: # # Keep ruby 2.4 as default version # DEFAULT_VERSIONS+=ruby=2.4 If you wish to update to the new default version, you need to first stop any software that uses ruby. Then, you will need to follow these steps, depending upon how you manage your system. If you use pkgng, simply upgrade: # pkg upgrade If you use portmaster, install new ruby, then rebuild all ports that depend on ruby: # portmaster -o lang/ruby25 lang/ruby24 # portmaster -R -r ruby-2.5 If you use portupgrade, install new ruby, then rebuild all ports that depend on ruby: # pkg delete -f ruby portupgrade # make -C /usr/ports/ports-mgmt/portupgrade install clean # pkg set -o lang/ruby24:lang/ruby25 # portupgrade -x ruby-2.5.\* -fr lang/ruby25 20190419: AFFECTS: users of emulators/qemu AUTHOR: bofh@FreeBSD.org qemu 2.X version has been moved to qemu2. If you would like to use 2.X you should use qemu2. Otherwise you can use the new stable upstream branch of 3.0.X. Portmaster users will need to run this command: portmaster -o emulators/qemu2 emulators/qemu 20190410: AFFECTS: users of python AUTHOR: antoine@FreeBSD.org Default version of python was switched to 3.6. For ports users wanting to keep version 2.7 as default, add DEFAULT_VERSIONS+= python=2.7 to make.conf 20190328: AFFECTS: www/firefox-i18n, www/firefox-esr-i18n, mail/thunderbird-i18n, www/seamonkey-i18n AUTHOR: gecko@FreeBSD.org Separate packages for localization packs are no longer supported. Firefox 65+ has in-browser menu while Firefox ESR60, Thunderbird 60 or SeaMonkey 2.49 should download preferred .xpi manually. Refer to the following article (including previous revisions) how to do this. https://support.mozilla.org/kb/use-firefox-another-language 20190328: AFFECTS: users of www/qt5-webengine AUTHOR: kde@FreeBSD.org Users that upgrade www/qt5-webengine without using pkg/poudriere might experience failures due to conflicts with the installed version of 5.9.5. In that case, pkg delete -f the qt5-webengine package before building the updated version. 20190314: AFFECTS: users of mail/rspamd, mail/rspamd-devel AUTHOR: vsevolod@FreeBSD.org User and group that rspamd run as are changed from nobody:nobody to rspamd:rspamd. Unless it is clean install you need to execute following command. # chown -R rspamd:rspamd /var/db/rspamd /var/log/rspamd /var/run/rspamd 20190311: AFFECTS: users of x11/xorg, x11-fonts/mkfontscale, x11-fonts/mkfontdir AUTHOR: zeising@FreeBSD.org The x11-fonts/mkfontdir port has been removed and the functionality has been merged into x11-fonts/mkfontscale. This might cause issues with upgrading. If you get conflicts between mkfontscale and mkfontdir please remove mkfontdir before upgrading. To do this, simply run the following: pkg delete -f mkfontdir 20190311: AFFECTS: users of www/igal2 AUTHOR: rodrigo@freebsd.org www/igal2 2.2-1 is now built with graphics/ImageMagick6-nox11 and don't install the ImageMagick X11 dependencies anymore. A build option allows you to restore the previous behaviour. 20190303: AFFECTS: users of x11-fonts/noto* AUTHOR: sunpoet@FreeBSD.org Google Noto Fonts family has been converted to several ports. x11-fonts/noto is a meta port which includes 1 old port and 5 new ports as follows: - x11-fonts/noto-basic (was noto-lite): basic fonts set with emoji - x11-fonts/noto-extra: extra fonts set - x11-fonts/noto-jp: Japanese fonts set - x11-fonts/noto-kr: Korean fonts set - x11-fonts/noto-sc: Simplified Chinese fonts set - x11-fonts/noto-tc: Traditional Chinese fonts set 20190302: AFFECTS: users of sysutils/paladin AUTHOR: Ryan Westlund The way paladin parses its config file has changed, please check the provided sample config. 20190227: AFFECTS: users of security/softether, security/softether-devel AUTHOR: meta@FreeBSD.org These ports' bridge, client, server daemon unintendedly had spit out chain_certs (certificate chain) directory on libexec directory until r494024. If your ${PREFIX}/libexec/softether/chain_certs directory is empty, you can remove the directory safely. If the directory is not empty, move it to ${SE_DBDIR} when upgrading softether. Following commands should help: service softether_(bridge|client|server) stop (portmaster, portupgrade or pkg upgrade) mv ${PREFIX}/libexec/softether/chain_certs ${SE_DBDIR}/ service softether_(bridge|client|server) start With the default Makefile settings, ${SE_DBDIR} is set to /var/db/softether. 20190224: AFFECTS: users of security/gnutls AUTHOR: tijl@FreeBSD.org GnuTLS now looks for its configuration files in PREFIX/etc (/usr/local/etc) instead of /etc. If the following files exist they have to be moved. On a default installation these files do not exist. /etc/gnutls/default-priorities /etc/gnutls/pkcs11.conf /etc/tpasswd /etc/tpasswd.conf 20190215: AFFECTS: users of net-im/ejabberd AUTHOR: ashish@FreeBSD.org If you've mod_mam enabled with compress_xml set to true, then you're affected by bug where the XML namespace, and tag elements get interchanged in the MAM cache which results in invalid XML, and causing XMPP clients to disconnect. For more details, please refer to: https://github.com/processone/ejabberd/issues/2744 This upgrade contains the patch that fixes the problem going forward. For fixing already affected users, you'll need to wipe off the MAM cache for the affected users: sudo -u ejabberd -H ejabberdctl remove_mam_for_user 20190207: AFFECTS: users of net-mgmt/mk-livestatus AUTHOR: egypcio@FreeBSD.org The default Nagios version supported by net-mgmt/mk-livestatus changed from Nagios 3 to Nagios 4 - the respective Nagios package was added to net-mgmt/mk-livestatus' runtime dependencies. If you still need support for Nagios 3 you just need to change the options for net-mgmt/mk-livestatus and compile the port yourself. 20190202: AFFECTS: users of archivers/urbackup-server AUTHOR: freebsd@coombscloud.com Some of the port's sources previously included absolute references to /etc/urbackup. The upgrade now changes these references to ${PREFIX}/etc/urbackup. If you have placed any configuration files within /etc/urbackup, these should be relocated to ${PREFIX}/etc/urbackup. 20190130: AFFECTS: users of sysutils/password-store AUTHOR: rene@FreeBSD.org password-store now stores plugins in ${PREFIX}/libexec instead of ${PREFIX}/lib. Ensure to move your own extensions there too and update your scripts to avoid breakage. 20190124: AFFECTS: users of sysutils/rubygem-fluentd, sysutils/fluent-bit AUTHOR: girgen@FreeBSD.org The fluentd port has been upgraded from the 0.12 line to 1.3.3. The upgrade is mostly non-disruptive since there is a backward compatibility with 0.12 plugins and configuration files, but care should be taken about the order of server upgrades since fluentd 1.x is unable to send it's data to version 0.12 instances. You should carefully read https://docs.fluentd.org/v1.0/articles/update-from-v0.12 before performing any upgrade activities. 20190120: AFFECTS: users of mail/fetchmail AUTHOR: mandree@FreeBSD.org The fetchmail port no longer offers the X11 option and no longer depends on Python. The corresponding fetchmailconf Python program has now been split out into a separate port or package, so that fetchmail itself will no longer require Python. Users who wish to use fetchmailconf should install the new fetchmailconf port or package. 20190119: AFFECTS: users of german/webalizer2, japanese/webalizer, polish/webalizer2, portuguese/webalizer-pt_BR, portuguese/webalizer-pt_PT, ukrainian/webalizer, www/geolizer, www/webalizer AUTHOR: dinoex@FreeBSD.org The option GEOIP has been changed to used the new database. Either copy GeoLite2-Country.mmdb in the working directory, or set the GeoIPDatabase option to the location of the file. 20190114: AFFECTS: users of graphics/qgis AUTHOR: rhurlin@gwdg.de GIS 3.4 LTR, the first long-term release (LTR) of QGIS 3, has landed in the FreeBSD ports tree. It will also replace the previous 2.18 LTR in the QGIS package repositories in February 2019 [1]. Beside, the latest Qt4 version 4.8.7 has been EOL since December 2015 and its expiration date on FreeBSD is set to March, 15th 2019. Because QGIS 2 is based on Qt4 and Python2, it was decided to not create a legacy port for QGIS 2, after graphics/qgis changed to QGIS 3. For users moving over from the 2.18 LTR there is a huge list of new features and impactful changes in this new 3.4 LTR version. Most notably 3.x plugins are incompatible with 2.x plugins, so please review your plugin usage carefully. Before moving over, if you have not already done so, take a look at the changelogs from versions 3.0, 3.2, and 3.4 [2][3][4] to understand the full scope of changes in the 3.x release. [1] https://qgis.org/en/site/getinvolved/development/roadmap.html#release-schedule [2] http://changelog.qgis.org/en/qgis/version/3.0.0/ [3] http://changelog.qgis.org/en/qgis/version/3.2.0/ [4] http://changelog.qgis.org/en/qgis/version/3.4-LTR/ 20190114: AFFECTS: x11-wm/sway AUTHOR: jbeich@FreeBSD.org swayidle and swaylock split out into x11/swayidle and x11/swaylock. Check your sway config and install those if required. 20190113: AFFECTS: users of net/GeoIP AUTHOR: adamw@FreeBSD.org Maxmind no longer provides geolocation data in the legacy format used by net/GeoIP. All GEOIP-related OPTIONS have been removed, and all GeoIP-dependent ports will be removed soon. Where possible, you must switch to net/libmaxminddb, which uses the newer (and fully supported) GeoIP 2 format. Unfortunately, this is not a drop-in replacement. To fetch the GeoIP 2 geolocation databases, whether the free or paid versions, you must use net/geoipupdate (pkg install geoipupdate). The legacy database is no longer available, and we cannot distribute it by the Maxmind license, so the legacy GeoIP format is essentially dead. 20190108: AFFECTS: users of databases/mysql-connector-java AUTHOR: matthew@FreeBSD.org The databases/mysql-connector-java port has been updated to 8.0.13, which requires a minimum of Java 1.8, so dropping support for Java 1.6 and 1.7. Users of those versions of Java should substitute the databases/mysql-connector-java51 port which remains at version 5.1.47 20190103: AFFECTS: users of multimedia/vlc* AUTHOR: riggs@FreeBSD.org The multimedia/vlc port has been upgraded to 3.0.5, the latest upstream release. Subsequently, multimedia/vlc-qt4 and multimedia/vlc3 have been retired and removed from the ports tree. Users who previously used multimedia/vlc3 might want to switch to multimedia/vlc with the following commands: # pkg install multimedia/vlc or # portmaster -o multimedia/vlc multimedia/vlc3 or # portupgrade -o multimedia/vlc multimedia/vlc3 20190102: AFFECTS: users of net/serviio AUTHOR: netchild@FreeBSD.org If you have customized your etc/serviio/profile.xml you need to review and merge changes from the profile.xml.sample file, else you may not be able to watch mkv files. 20181228: AFFECTS: users of devel/trio AUTHOR: rodrigo@freebsd.org Since trio 1.16-1, the shared lib previously misnamed libtrio.so.2.0.0 is now named libtrio.so.2 and the symlink libtrio.so is created. 20181222: AFFECTS: users of net/ntopng AUTHOR: madpilot@FreeBSD.org Since ntopng 3.7, for security reasons, the default setting for the data directory has been changed to "/var/db/ntopng", and the default user has been changed to "ntopng". This new directory is created automatically by the port/package with correct permissions. In order to maintain backward compatibility, if you are already using "/var/tmp/ntopng" as data directory, ntopng keeps using that folder, owned by "nobody". This said, using the old defaults is not recommended and a manual action is required in order to migrate to the new settings, unless you are already using a custom directory: # service ntopng stop # mv /var/tmp/ntopng/* /var/db/ntopng/ # chown -R ntopng:ntopng /var/db/ntopng # service ntopng start Please check the upstream FAQ for reference: https://www.ntop.org/support/faq/migrate-the-data-directory-in-ntopng/ 20181218: AFFECTS: users of misc/openhab2 AUTHOR: netchild@FreeBSD.org If you upgrade from a previous version, make a backup of /var/db/openhab2 and run %%PREFIX%%/libexec/openhab2/runtime/bin/update.freebsd Config specific info (changes from 2.3.0 to 2.4.0): Astro Binding: The 'kilometer' and 'miles' channels have been replaced by a new 'distance' channel Jeelink Binding: The 'currentWatt' and 'maxWatt' channels have been replaced with 'currentPower' and 'maxPower' channels WeatherUnderground Binding: A bridge has been added on top of the current things, you need to add a bridge containing your api-key. ZWave Binding: Major changes have been merged to support features such as security. All things must be deleted and re-added. Refer to https://community.openhab.org/t/zwave-binding-updates/51080 for further information. Synop Binding is now using UoM. 'wind-speed-ms' and 'wind-speed-knots' channels have been replaced by a single 'wind-speed' channel. Amazonechocontrol Binding: The account thing does not have settings anymore. You have to login at amazon once again through the proxy server http(s):///amazonechocontrol Milight Binding: The various available bulb types do not appear in the Paper UI Inbox anymore. The correct bulb need to be added manually. The bulb "zone" is now a configuration. Bulb Things need to be recreated to apply this change. Hue emulation: The item to hue ID mapping is no longer stored in files, but in the openHAB storage service. You need to rediscover "devices" in all services that use the hue emulation (Amazon Echo, Google Home, etc). 20181215: AFFECTS: users of sysutils/graylog AUTHOR: dch@FreeBSD.org The dependent ports for ElasticSearch and MongoDB have both changed, and upstream changes to the configuration file may require minor changes to work correctly. Refer to the new sample files installed alongside the port for reference: server.conf log4j.xml graylog_logging.xml 20181213: AFFECTS: users of lang/perl5* AUTHOR: mat@FreeBSD.org The default Perl version has been switched to Perl 5.28. If you are using binary packages to upgrade your system, you do not have anything to do, pkg upgrade will do the right thing. For the other people, assuming you are migrating from 5.26 to 5.28, do: First, add to /etc/make.conf: DEFAULT_VERSIONS+= perl5=5.28 Portupgrade users: portupgrade -o lang/perl5.28 -f lang/perl5.26 You can now remove the DEFAULT_VERSIONS line added earlier from /etc/make.conf Then you will need to rebuild everything that uses libperl.so, you can do so with: portupgrade -f `pkg shlib -qR libperl.so.5.26` If, for some reason, this command fails at one point, it is safe to run it again, it will not rebuild what it already rebuilt, as the ports that have been rebuilt no longer depend on libperl.so.5.26 but on libperl.so.5.28. Portmaster users: portmaster -o lang/perl5.28 lang/perl5.26 You can now remove the DEFAULT_VERSIONS line added earlier from /etc/make.conf Then you will need to rebuild everything that uses libperl.so, you can do so with: portmaster -f `pkg shlib -qR libperl.so.5.26` If, for some reason, this command fails at one point, it is safe to run it again, it will not rebuild what it already rebuilt, as the ports that have been rebuilt no longer depend on libperl.so.5.26 but on libperl.so.5.28. 20181212: AFFECTS: users of net-im/ejabberd AUTHOR: ashish@FreeBSD.org There are some new features added in ejabberd 18.12, esp. related to bookmarks, and XML compression in message archive storage. Please refer to: https://blog.process-one.net/ejabberd-18-12/ 20181211: AFFECTS: users of news/inn when upgrading to FreeBSD 12 AUTHOR: naddy@FreeBSD.org When upgrading from FreeBSD 11 to 12, a change in the size of the ino_t type causes a binary incompatibility in the overview database if the default tradindexed format is used. After upgrading the inn package, remove the overview/group.index file and regenerate the history and overview database with makehistory(8) before starting innd. # echo '. /usr/local/news/lib/innshellvars && \ rm -f $OVERVIEWDIR/group.index && \ $NEWSBIN/makehistory -O -s `wc -l <$HISTORY`' | \ su -fm news -c '/bin/sh -s' 20181209: AFFECTS: users of DRM ports other than graphics/drm-kmod AUTHOR: jmd@FreeBSD.org In order to facilitate future porting efforts and help in supporting multiple FreeBSD versions, the DRM ports other than drm-kmod (graphics/drm-stable-kmod, graphics/drm-next-kmod, graphics/drm-devel-kmod) have been renamed to include the FreeBSD version they are designed for. drm-stable-kmod is drm-fbsd11.2-kmod drm-next-kmod is drm-fbsd12.0-kmod drm-devel-kmod is drm-current-kmod 20181209 AFFECTS: users of devel/geany and devel/geany-plugins AUTHOR: madpilot@FreeBSD.org Geany and its plugins port have been moved to gtk3 and a new gtk2 flavor has been added. The gtk2 flavor has a -gtk2 suffix added to the package name. If you want to stay with the gtk2 version you need to use "pkg install" to install the new gtk2 flavor, pkg will automatically deinstall the gtk3 flavors. If using port, to maintain the gtk2 version, you will need to deinstall geany and its plugins and reinstall specifying the gtk2 flavor. Note that the following plugins are not available if using the new gtk3 flavor: * geany-plugin-debugger * geany-plugin-devhelp * geany-plugin-geanypy * geany-plugin-multiterm * geany-plugin-scope 20181208: AFFECTS: users of misc/openhab2 AUTHOR: netchild@FreeBSD.org If you upgrade from a previous version, make a backup of /var/db/openhab2 and run %%PREFIX%%/libexec/openhab2/runtime/bin/update.freebsd Config specific info (changes from 2.2.0 to 2.3.0): Nest Binding: The 'camera' Thing Type now has channel groups. Add 'camera#' before the channel ID in the channel UID of existing camera channels. The 'time_to_target_mins' channel of the 'thermostat' Thing Type is renamed to 'time_to_target' Oceanic Binding: The 'softener' Thing Type no longer exists and is replaced by the 'serial' and 'ethernet' Thing Types Yamaha Receiver Binding: The configuration parameter names now use lower camel case convention. Change 'HOST' to 'host', 'PORT' to 'port' etc 20181124: AFFECTS: users of sysutils/munin-master, sysutils/munin-node, www/owncloud, mail/mailman, net/ntpa AUTHOR: woodsb02@FreeBSD.org The newsyslog.conf(5) filename installed by the port has been changed: OLD: ${PREFIX}/etc/newsyslog.conf.d/${PORTNAME} NEW: ${PREFIX}/etc/newsyslog.conf.d/${PORTNAME}.conf Any file found at the old location will be automatically moved to the new location. This will ensure log rotation will continue to work after change r340318 to FreeBSD base, where the default newsyslog configuration now only includes filenames that end with '.conf' and do not begin with '.'. If you use provisioning/configuration management tools to create or edit this file, you will need to change their configuration to use the new filename. 20181111 AFFECTS: users of graphics/mesa-libs AUTHOR: jbeich@FreeBSD.org Wayland support has been enabled in ports where it doesn't exclude X11 support in order to make the binary packages usable with Wayland compositors. If you get strange build failures re-run "make config" to pick up the new defaults. If the extra dependencies are not desired add the following to make.conf: OPTIONS_UNSET += WAYLAND 20181109 AFFECTS: users of security/ossec-hids-server AUTHOR: dominik.lisiak@bemsoft.pl The "ossechids_enable" rc variable has been renamed to "ossec_hids_enable". If using database output, you need to recreate database using new schema provided in /usr/local/share/doc/ossec-hids. 20181109 AFFECTS: users of security/ossec-hids-local AUTHOR: dominik.lisiak@bemsoft.pl The "ossechids_enable" rc variable has been renamed to "ossec_hids_enable". If using database output, you need to recreate database using new schema provided in /usr/local/share/doc/ossec-hids. 20181109 AFFECTS: users of security/ossec-hids-client AUTHOR: dominik.lisiak@bemsoft.pl The ossec-hids-client port has been renamed to ossec-hids-agent. Portmaster users will need to run this command: portmaster -o security/ossec-hids-agent security/ossec-hids-client If the switch doesn't happen automatically for you, just delete the ossec-hids-client package and install ossec-hids-agent. The "ossechids_enable" rc variable has been renamed to "ossec_hids_enable". 20181104: AFFECTS: users of sysutils/ansible* AUTHOR: lifanov@FreeBSD.org Default Ansible configuration location changed to LOCALBASE/etc/ansible instead of a per-flavor directory. If you use system-wide Ansible configuration, please migrate from a flavored directory to a common one: # mv /usr/local/etc/py27-ansible /usr/local/etc/ansible 20181031: AFFECTS: users of www/node AUTHOR: bhughes@FreeBSD.org The www/node port has been updated to Node.js v11.0.0, the latest upstream release. A new port, www/node10, has been created for the v10.x LTS branch. Users wanting to stay on v10.x can replace www/node with www/node8 with one of the following commands: # pkg install www/node10 or # portmaster -o www/node10 www/node or # portupgrade -o www/node10 www/node 20181022: AFFECTS: users of lang/php71 AUTHOR: joneum@FreeBSD.org The default version of PHP has been switched from 7.1 to 7.2. If you use binary packages you should make a list of php packages before running 'pkg upgrade': # pkg info php7\* > ~/installed-php-ports-list After the upgrade, check with such list if all your php extensions are still installed, and reinstall them if needed. If you use mod_php71 you need to deinstall it and install mod_php72. 20181020: AFFECTS: users of security/libressl AUTHOR: brnrd@FreeBSD.org The port has been updated to the latest stable version 2.8 of LibreSSL. The shared library versions of the libraries have been bumped. After upgrading, manually update all packages that depend on any of the libraries provided by LibreSSL (libssl, libcrypto and libtls) since the versions of these libraries have changed. Normally, you can obtain the list of dependent software by running the following command: # pkg info -r libressl Then you should rebuild all ports depending on libressl to avoid dangling shared library dependencies. Poudriere and pkg handle this correctly, portmaster and portupgrade users can use the following to rebuild all dependent ports. Portmaster users: portmaster -r libressl Portupgrade users: portupgrade -fr security/libressl 20181018: AFFECTS: users of security/hitch AUTHOR: zi@FreeBSD.org Hitch has been updated to run as the hitch user/group, instead of the previous default of nobody/nobody. You should review your hitch configuration to ensure that everything has been updated to reflect this change. 20181014: AFFECTS: users of sysutils/ansible AUTHOR: lifanov@FreeBSD.org Ansible has been updated to 2.7.0. Please follow the porting guide to update the rulesets: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.7.html If you wish to stay with 2.6 version, you can switch to new sysutils/ansible2.6 port, which tracks stable 2.6 branch: # pkg set -n ansible:ansible26 20181010: AFFECTS: users of mail/courier-imap and other courier ports AUTHOR: madpilot@FreeBSD.org Courier-IMAP 5.0.0 added IMAP UTF8 support, and converted maildir folders' names to Unicode. Updating an existing system to Courier-IMAP 5.0, and later, requires a manual one-time conversion of all existing maildirs using the maildirmake command. See the maildirmake(1) manual page for more information. All other courier ports accessing maildirs also need to be updated at the same time. 20181009: AFFECTS: users of devel/pecl-xdebug* AUTHOR: pizzamig@FreeBSD.org xdebug 2.6.1 (devel/pecl-xdebug) is the new default version and it supports PHP from 7.0 to 7.2 included. If you're using PHP 5.6, the previous compatible xdebug version is still available in devel/pecl-xdebug25 If you're using PHP 7.3, the only compatible xdebug version is available in devel/pecl-xdebug-devel diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 77b05e43a321..0d829246a3e9 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,169 +1,193 @@ PORTNAME= openssl -PORTVERSION= 1.1.1w +PORTVERSION= 3.0.11 PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= https://www.openssl.org/source/ \ ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/ MAINTAINER= brnrd@FreeBSD.org COMMENT= TLSv1.3 capable SSL and crypto library WWW= https://www.openssl.org/ -LICENSE= OpenSSL -LICENSE_FILE= ${WRKSRC}/LICENSE +LICENSE= APACHE20 +LICENSE_FILE= ${WRKSRC}/LICENSE.txt -CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl3[012] openssl-quictls +#EXPIRES= 2025-03-25 + +CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl111 openssl3[12] openssl-quictls + +USES= cpe perl5 +USE_PERL5= build +TEST_TARGET= test HAS_CONFIGURE= yes CONFIGURE_SCRIPT= config CONFIGURE_ENV= PERL="${PERL}" CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ --prefix=${PREFIX} -USES= cpe perl5 -USE_PERL5= build -TEST_TARGET= test - LDFLAGS_i386= -Wl,-znotext MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}" MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= -OPTIONS_GROUP= CIPHERS HASHES OPTIMIZE PROTOCOLS +OPTIONS_GROUP= CIPHERS HASHES MODULES OPTIMIZE PROTOCOLS OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3 OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS +OPTIONS_GROUP_MODULES= FIPS LEGACY OPTIONS_DEFINE_i386= I386 OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2 OPTIONS_DEFINE= ASYNC CRYPTODEV CT KTLS MAN3 RFC3779 SHARED ZLIB -OPTIONS_DEFAULT=ASM ASYNC CT GOST DES EC KTLS MAN3 MD4 NEXTPROTONEG RC2 \ - RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2 +OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST KTLS MAN3 MD4 NEXTPROTONEG \ + RFC3779 RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2 OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:} \ ${${OSVERSION} > 1300000:?CRYPTODEV:} -OPTIONS_GROUP_OPTIMIZE_amd64= EC - .if ${MACHINE_ARCH} == "amd64" OPTIONS_GROUP_OPTIMIZE+= EC .elif ${MACHINE_ARCH} == "mips64el" OPTIONS_GROUP_OPTIMIZE+= EC .endif OPTIONS_SUB= yes ARIA_DESC= ARIA (South Korean standard) ASM_DESC= Assembler code ASYNC_DESC= Asynchronous mode CIPHERS_DESC= Block Cipher Support CRYPTODEV_DESC= /dev/crypto support CT_DESC= Certificate Transparency Support DES_DESC= (Triple) Data Encryption Standard EC_DESC= Optimize NIST elliptic curves +FIPS_DESC= Build FIPS provider GOST_DESC= GOST (Russian standard) HASHES_DESC= Hash Function Support I386_DESC= i386 (instead of i486+) IDEA_DESC= International Data Encryption Algorithm -KTLS_DESC= Kernel TLS offload +KTLS_DESC= Use in-kernel TLS (FreeBSD >13) +LEGACY_DESC= Older algorithms MAN3_DESC= Install API manpages (section 3, 7) -MD2_DESC= MD2 (obsolete) +MD2_DESC= MD2 (obsolete) (requires LEGACY) MD4_DESC= MD4 (unsafe) MDC2_DESC= MDC-2 (patented, requires DES) +MODULES_DESC= Provider modules NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) OPTIMIZE_DESC= Optimizations PROTOCOLS_DESC= Protocol Support RC2_DESC= RC2 (unsafe) RC4_DESC= RC4 (unsafe) RC5_DESC= RC5 (patented) RMD160_DESC= RIPEMD-160 RFC3779_DESC= RFC3779 support (BGP) SCTP_DESC= SCTP (Stream Control Transmission) SHARED_DESC= Build shared libraries SM2_DESC= SM2 Elliptic Curve DH (Chinese standard) SM3_DESC= SM3 256bit (Chinese standard) SM4_DESC= SM4 128bit (Chinese standard) SSE2_DESC= Runtime SSE2 detection SSL3_DESC= SSLv3 (unsafe) TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2) TLS1_1_DESC= TLSv1.1 (requires TLS1_2) TLS1_2_DESC= TLSv1.2 WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe) # Upstream default disabled options -.for _option in ktls md2 rc5 sctp ssl3 zlib weak-ssl-ciphers +.for _option in fips md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib ${_option:tu}_CONFIGURE_ON= enable-${_option} .endfor # Upstream default enabled options -.for _option in aria asm async ct des gost idea md4 mdc2 nextprotoneg rc2 rc4 \ - rfc3779 rmd160 shared sm2 sm3 sm4 sse2 threads tls1 tls1_1 tls1_2 +.for _option in aria asm async ct des gost idea md4 mdc2 legacy \ + nextprotoneg rc2 rc4 rfc3779 rmd160 shared sm2 sm3 sm4 sse2 \ + threads tls1 tls1_1 tls1_2 ${_option:tu}_CONFIGURE_OFF= no-${_option} .endfor +MD2_IMPLIES= LEGACY MDC2_IMPLIES= DES TLS1_IMPLIES= TLS1_1 TLS1_1_IMPLIES= TLS1_2 EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 +FIPS_VARS= shlibs+=lib/ossl-modules/fips.so I386_CONFIGURE_ON= 386 KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls -MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_process__docs.pl +LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so +MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} SHARED_USE= ldconfig=yes +SHARED_VARS= shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \ + lib/libssl.so.${OPENSSL_SHLIBVER} \ + lib/engines-${OPENSSL_SHLIBVER}/capi.so \ + lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \ + lib/engines-${OPENSSL_SHLIBVER}/padlock.so" SSL3_CONFIGURE_ON+= enable-ssl3-method ZLIB_CONFIGURE_ON= zlib-dynamic +SHLIBS= lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so + +.include + +.if ${ARCH} == powerpc64 +CONFIGURE_ARGS+= BSD-ppc64 +.elif ${ARCH} == powerpc64le +CONFIGURE_ARGS+= BSD-ppc64le +.elif ${ARCH} == riscv64 +CONFIGURE_ARGS+= BSD-riscv64 +.endif + .include .if ${PREFIX} == /usr IGNORE= the OpenSSL port can not be installed over the base version .endif .if ${OPSYS} == FreeBSD && ${OSVERSION} < 1300000 && !${PORT_OPTIONS:MCRYPTODEV} CONFIGURE_ARGS+= no-devcryptoeng .endif OPENSSLDIR?= ${PREFIX}/openssl PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} .include "version.mk" .if ${PORT_OPTIONS:MASM} BROKEN_sparc64= option ASM generates illegal instructions .endif post-patch: - ${REINPLACE_CMD} \ - -e 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \ - -e 's| install_html_docs$$||' \ - -e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \ + ${REINPLACE_CMD} -Ee 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \ + -e 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \ ${WRKSRC}/Configurations/unix-Makefile.tmpl - ${REINPLACE_CMD} -e 's|\^GNU ld|GNU|' ${WRKSRC}/Configurations/shared-info.pl + ${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \ + ${WRKSRC}/VERSION.dat post-configure: + ( cd ${WRKSRC} ; ${PERL} configdata.pm --dump ) + +post-configure-MAN3-off: ${REINPLACE_CMD} \ - -e 's|SHLIB_VERSION_NUMBER=1.1|SHLIB_VERSION_NUMBER=${OPENSSL_SHLIBVER}|' \ + -e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \ + -e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \ ${WRKSRC}/Makefile - ${REINPLACE_CMD} \ - -e 's|SHLIB_VERSION_NUMBER "1.1"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \ - ${WRKSRC}/include/openssl/opensslv.h post-install-SHARED-on: -.for i in libcrypto libssl - ${INSTALL_LIB} ${WRKSRC}/$i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib - ${LN} -sf $i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib/$i.so -.endfor -.for i in capi padlock - ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/engines-1.1/${i}.so +.for i in ${SHLIBS} + -@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i .endfor +post-install-SHARED-off: + ${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-12 + post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl post-install-MAN3-on: - ( cd ${STAGEDIR}/${PREFIX} ; ${FIND} man/man3 man/man7 -not -type d ) | \ - ${SED} 's/$$/.gz/' >>${TMPPLIST} + ( cd ${STAGEDIR}/${PREFIX} ; ${FIND} man/man3 -not -type d ; \ + ${FIND} man/man7 -not -type d ) | ${SED} 's/$$/.gz/' >> ${TMPPLIST} .include diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 11a9beb18815..a62e9e8bb1d6 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1694449777 -SHA256 (openssl-1.1.1w.tar.gz) = cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8 -SIZE (openssl-1.1.1w.tar.gz) = 9893384 +TIMESTAMP = 1695134169 +SHA256 (openssl-3.0.11.tar.gz) = b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55 +SIZE (openssl-3.0.11.tar.gz) = 15198318 diff --git a/security/openssl/files/extra-patch-ktls b/security/openssl/files/extra-patch-ktls index d38a70e779e3..8a46c272d95c 100644 --- a/security/openssl/files/extra-patch-ktls +++ b/security/openssl/files/extra-patch-ktls @@ -1,3435 +1,540 @@ -diff --git CHANGES CHANGES -index a5522e5fa5..98961effc0 100644 ---- CHANGES -+++ CHANGES -@@ -606,6 +606,11 @@ - necessary to configure just to create a source distribution. - [Richard Levitte] - -+ *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path -+ improves application performance by removing data copies and providing -+ applications with zero-copy system calls such as sendfile and splice. -+ [Boris Pismenny] -+ - Changes between 1.1.1 and 1.1.1a [20 Nov 2018] - - *) Timing vulnerability in DSA signature generation -diff --git Configure Configure -index 4bea49d7da..e656814a7f 100755 ---- Configure -+++ Configure -@@ -341,6 +341,7 @@ my @dtls = qw(dtls1 dtls1_2); - # For developers: keep it sorted alphabetically +diff --git include/internal/ktls.h include/internal/ktls.h +index 95492fd065..3c82cae26b 100644 +--- include/internal/ktls.h ++++ include/internal/ktls.h +@@ -40,6 +40,11 @@ + # define OPENSSL_KTLS_AES_GCM_128 + # define OPENSSL_KTLS_AES_GCM_256 + # define OPENSSL_KTLS_TLS13 ++# ifdef TLS_CHACHA20_IV_LEN ++# ifndef OPENSSL_NO_CHACHA ++# define OPENSSL_KTLS_CHACHA20_POLY1305 ++# endif ++# endif - my @disablables = ( -+ "ktls", - "afalgeng", - "aria", - "asan", -@@ -474,6 +475,7 @@ our %disabled = ( # "what" => "comment" - "weak-ssl-ciphers" => "default", - "zlib" => "default", - "zlib-dynamic" => "default", -+ "ktls" => "default", - ); + typedef struct tls_enable ktls_crypto_info_t; - # Note: => pair form used for aesthetics, not to truly make a hash table -@@ -1583,6 +1585,33 @@ unless ($disabled{devcryptoeng}) { - } - } +diff --git ssl/ktls.c ssl/ktls.c +index 79d980959e..e343d382cc 100644 +--- ssl/ktls.c ++++ ssl/ktls.c +@@ -10,6 +10,67 @@ + #include "ssl_local.h" + #include "internal/ktls.h" -+unless ($disabled{ktls}) { -+ $config{ktls}=""; -+ if ($target =~ m/^linux/) { -+ my $usr = "/usr/$config{cross_compile_prefix}"; -+ chop($usr); -+ if ($config{cross_compile_prefix} eq "") { -+ $usr = "/usr"; -+ } -+ my $minver = (4 << 16) + (13 << 8) + 0; -+ my @verstr = split(" ",`cat $usr/include/linux/version.h | grep LINUX_VERSION_CODE`); ++#ifndef OPENSSL_NO_KTLS_RX ++ /* ++ * Count the number of records that were not processed yet from record boundary. ++ * ++ * This function assumes that there are only fully formed records read in the ++ * record layer. If read_ahead is enabled, then this might be false and this ++ * function will fail. ++ */ ++static int count_unprocessed_records(SSL *s) ++{ ++ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); ++ PACKET pkt, subpkt; ++ int count = 0; + -+ if ($verstr[2] < $minver) { -+ disable('too-old-kernel', 'ktls'); -+ } -+ } elsif ($target =~ m/^BSD/) { -+ my $cc = $config{CROSS_COMPILE}.$config{CC}; -+ system("printf '#include \n#include ' | $cc -E - >/dev/null 2>&1"); -+ if ($? != 0) { -+ disable('too-old-freebsd', 'ktls'); -+ } -+ } else { -+ disable('not-linux-or-freebsd', 'ktls'); ++ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) ++ return -1; ++ ++ while (PACKET_remaining(&pkt) > 0) { ++ /* Skip record type and version */ ++ if (!PACKET_forward(&pkt, 3)) ++ return -1; ++ ++ /* Read until next record */ ++ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) ++ return -1; ++ ++ count += 1; + } ++ ++ return count; +} + -+push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); ++/* ++ * The kernel cannot offload receive if a partial TLS record has been read. ++ * Check the read buffer for unprocessed records. If the buffer contains a ++ * partial record, fail and return 0. Otherwise, update the sequence ++ * number at *rec_seq for the count of unprocessed records and return 1. ++ */ ++static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq) ++{ ++ int bit, count_unprocessed; + - # Get the extra flags used when building shared libraries and modules. We - # do this late because some of them depend on %disabled. - -diff --git INSTALL INSTALL -index f3ac727183..f6f754fd5e 100644 ---- INSTALL -+++ INSTALL -@@ -263,6 +263,15 @@ - Don't build the AFALG engine. This option will be forced if - on a platform that does not support AFALG. - -+ enable-ktls -+ Build with Kernel TLS support. This option will enable the -+ use of the Kernel TLS data-path, which can improve -+ performance and allow for the use of sendfile and splice -+ system calls on TLS sockets. The Kernel may use TLS -+ accelerators if any are available on the system. -+ This option will be forced off on systems that do not support -+ the Kernel TLS data-path. ++ count_unprocessed = count_unprocessed_records(s); ++ if (count_unprocessed < 0) ++ return 0; + - enable-asan - Build with the Address sanitiser. This is a developer option - only. It may not work on all platforms and should never be -diff --git apps/s_client.c apps/s_client.c -index 00effc8037..5664e7e04e 100644 ---- apps/s_client.c -+++ apps/s_client.c -@@ -3295,6 +3295,12 @@ static void print_stuff(BIO *bio, SSL *s, int full) - BIO_printf(bio, "Expansion: %s\n", - expansion ? SSL_COMP_get_name(expansion) : "NONE"); - #endif -+#ifndef OPENSSL_NO_KTLS -+ if (BIO_get_ktls_send(SSL_get_wbio(s))) -+ BIO_printf(bio_err, "Using Kernel TLS for sending\n"); -+ if (BIO_get_ktls_recv(SSL_get_rbio(s))) -+ BIO_printf(bio_err, "Using Kernel TLS for receiving\n"); -+#endif - - #ifdef SSL_DEBUG - { -diff --git apps/s_server.c apps/s_server.c -index 64d53e68d0..9fcb8d7a7b 100644 ---- apps/s_server.c -+++ apps/s_server.c -@@ -2934,6 +2934,12 @@ static void print_connection_info(SSL *con) - } - OPENSSL_free(exportedkeymat); - } -+#ifndef OPENSSL_NO_KTLS -+ if (BIO_get_ktls_send(SSL_get_wbio(con))) -+ BIO_printf(bio_err, "Using Kernel TLS for sending\n"); -+ if (BIO_get_ktls_recv(SSL_get_rbio(con))) -+ BIO_printf(bio_err, "Using Kernel TLS for receiving\n"); ++ /* increment the crypto_info record sequence */ ++ while (count_unprocessed) { ++ for (bit = 7; bit >= 0; bit--) { /* increment */ ++ ++rec_seq[bit]; ++ if (rec_seq[bit] != 0) ++ break; ++ } ++ count_unprocessed--; ++ ++ } ++ ++ return 1; ++} +#endif ++ + #if defined(__FreeBSD__) + # include "crypto/cryptodev.h" - (void)BIO_flush(bio_s_out); - } -diff --git crypto/bio/b_sock2.c crypto/bio/b_sock2.c -index 104ff31b0d..771729880e 100644 ---- crypto/bio/b_sock2.c -+++ crypto/bio/b_sock2.c -@@ -12,6 +12,7 @@ - #include - - #include "bio_local.h" -+#include "internal/ktls.h" - - #include - -@@ -50,6 +51,17 @@ int BIO_socket(int domain, int socktype, int protocol, int options) - BIOerr(BIO_F_BIO_SOCKET, BIO_R_UNABLE_TO_CREATE_SOCKET); - return INVALID_SOCKET; - } -+# ifndef OPENSSL_NO_KTLS -+ { -+ /* -+ * The new socket is created successfully regardless of ktls_enable. -+ * ktls_enable doesn't change any functionality of the socket, except -+ * changing the setsockopt to enable the processing of ktls_start. -+ * Thus, it is not a problem to call it for non-TLS sockets. -+ */ -+ ktls_enable(sock); -+ } +@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + case SSL_AES128GCM: + case SSL_AES256GCM: + return 1; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ return 1; +# endif - - return sock; + case SSL_AES128: + case SSL_AES256: + if (s->ext.use_etm) +@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, } -diff --git crypto/bio/bss_conn.c crypto/bio/bss_conn.c -index 807a82b23b..10cf20871c 100644 ---- crypto/bio/bss_conn.c -+++ crypto/bio/bss_conn.c -@@ -11,6 +11,7 @@ - #include - - #include "bio_local.h" -+#include "internal/ktls.h" - - #ifndef OPENSSL_NO_SOCK - -@@ -20,6 +21,9 @@ typedef struct bio_connect_st { - char *param_hostname; - char *param_service; - int connect_mode; -+# ifndef OPENSSL_NO_KTLS -+ unsigned char record_type; -+# endif - - BIO_ADDRINFO *addr_first; - const BIO_ADDRINFO *addr_iter; -@@ -320,7 +324,12 @@ static int conn_read(BIO *b, char *out, int outl) - - if (out != NULL) { - clear_socket_error(); -- ret = readsocket(b->num, out, outl); -+# ifndef OPENSSL_NO_KTLS -+ if (BIO_get_ktls_recv(b)) -+ ret = ktls_read_record(b->num, out, outl); -+ else -+# endif -+ ret = readsocket(b->num, out, outl); - BIO_clear_retry_flags(b); - if (ret <= 0) { - if (BIO_sock_should_retry(ret)) -@@ -345,7 +354,16 @@ static int conn_write(BIO *b, const char *in, int inl) - } - - clear_socket_error(); -- ret = writesocket(b->num, in, inl); -+# ifndef OPENSSL_NO_KTLS -+ if (BIO_should_ktls_ctrl_msg_flag(b)) { -+ ret = ktls_send_ctrl_message(b->num, data->record_type, in, inl); -+ if (ret >= 0) { -+ ret = inl; -+ BIO_clear_ktls_ctrl_msg_flag(b); -+ } -+ } else -+# endif -+ ret = writesocket(b->num, in, inl); - BIO_clear_retry_flags(b); - if (ret <= 0) { - if (BIO_sock_should_retry(ret)) -@@ -361,6 +379,9 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) - const char **pptr = NULL; - long ret = 1; - BIO_CONNECT *data; -+# ifndef OPENSSL_NO_KTLS -+ ktls_crypto_info_t *crypto_info; -+# endif - data = (BIO_CONNECT *)b->ptr; - -@@ -518,8 +539,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) - } - break; - case BIO_CTRL_EOF: -- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; -+ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; + /* Function to configure kernel TLS structure */ +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size) + { +@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + else + crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN; break; -+# ifndef OPENSSL_NO_KTLS -+ case BIO_CTRL_SET_KTLS: -+ crypto_info = (ktls_crypto_info_t *)ptr; -+ ret = ktls_start(b->num, crypto_info, num); -+ if (ret) -+ BIO_set_ktls_flag(b, num); -+ break; -+ case BIO_CTRL_GET_KTLS_SEND: -+ return BIO_should_ktls_flag(b, 1) != 0; -+ case BIO_CTRL_GET_KTLS_RECV: -+ return BIO_should_ktls_flag(b, 0) != 0; -+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG: -+ BIO_set_ktls_ctrl_msg_flag(b); -+ data->record_type = num; -+ ret = 0; -+ break; -+ case BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG: -+ BIO_clear_ktls_ctrl_msg_flag(b); -+ ret = 0; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; ++ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd); + break; +# endif - default: - ret = 0; - break; -diff --git crypto/bio/bss_fd.c crypto/bio/bss_fd.c -index ccbe1626ba..8d03e48ce9 100644 ---- crypto/bio/bss_fd.c -+++ crypto/bio/bss_fd.c -@@ -189,7 +189,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) - ret = 1; - break; - case BIO_CTRL_EOF: -- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; -+ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; - break; - default: - ret = 0; -diff --git crypto/bio/bss_sock.c crypto/bio/bss_sock.c -index 6251f3d46a..8de1f58292 100644 ---- crypto/bio/bss_sock.c -+++ crypto/bio/bss_sock.c -@@ -11,6 +11,7 @@ - #include - #include "bio_local.h" - #include "internal/cryptlib.h" -+#include "internal/ktls.h" - - #ifndef OPENSSL_NO_SOCK - -@@ -64,6 +65,17 @@ BIO *BIO_new_socket(int fd, int close_flag) - if (ret == NULL) - return NULL; - BIO_set_fd(ret, fd, close_flag); -+# ifndef OPENSSL_NO_KTLS -+ { -+ /* -+ * The new socket is created successfully regardless of ktls_enable. -+ * ktls_enable doesn't change any functionality of the socket, except -+ * changing the setsockopt to enable the processing of ktls_start. -+ * Thus, it is not a problem to call it for non-TLS sockets. -+ */ -+ ktls_enable(fd); -+ } -+# endif - return ret; + case SSL_AES128: + case SSL_AES256: + switch (s->s3.tmp.new_cipher->algorithm_mac) { +@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + crypto_info->tls_vminor = (s->version & 0x000000ff); + # ifdef TCP_RXTLS_ENABLE + memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) ++ return 0; + # else +- if (rec_seq != NULL) +- *rec_seq = NULL; ++ if (!is_tx) ++ return 0; + # endif + return 1; + }; +@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, } -@@ -96,7 +108,12 @@ static int sock_read(BIO *b, char *out, int outl) - - if (out != NULL) { - clear_socket_error(); -- ret = readsocket(b->num, out, outl); -+# ifndef OPENSSL_NO_KTLS -+ if (BIO_get_ktls_recv(b)) -+ ret = ktls_read_record(b->num, out, outl); -+ else -+# endif -+ ret = readsocket(b->num, out, outl); - BIO_clear_retry_flags(b); - if (ret <= 0) { - if (BIO_sock_should_retry(ret)) -@@ -110,10 +127,20 @@ static int sock_read(BIO *b, char *out, int outl) - - static int sock_write(BIO *b, const char *in, int inl) - { -- int ret; -+ int ret = 0; - - clear_socket_error(); -- ret = writesocket(b->num, in, inl); -+# ifndef OPENSSL_NO_KTLS -+ if (BIO_should_ktls_ctrl_msg_flag(b)) { -+ unsigned char record_type = (intptr_t)b->ptr; -+ ret = ktls_send_ctrl_message(b->num, record_type, in, inl); -+ if (ret >= 0) { -+ ret = inl; -+ BIO_clear_ktls_ctrl_msg_flag(b); -+ } -+ } else -+# endif -+ ret = writesocket(b->num, in, inl); - BIO_clear_retry_flags(b); - if (ret <= 0) { - if (BIO_sock_should_retry(ret)) -@@ -126,6 +153,9 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) + /* Function to configure kernel TLS structure */ +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size) { - long ret = 1; - int *ip; -+# ifndef OPENSSL_NO_KTLS -+ ktls_crypto_info_t *crypto_info; -+# endif + unsigned char geniv[12]; + unsigned char *iiv = iv; - switch (cmd) { - case BIO_C_SET_FD: -@@ -153,8 +183,29 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) - case BIO_CTRL_FLUSH: - ret = 1; - break; -+# ifndef OPENSSL_NO_KTLS -+ case BIO_CTRL_SET_KTLS: -+ crypto_info = (ktls_crypto_info_t *)ptr; -+ ret = ktls_start(b->num, crypto_info, num); -+ if (ret) -+ BIO_set_ktls_flag(b, num); -+ break; -+ case BIO_CTRL_GET_KTLS_SEND: -+ return BIO_should_ktls_flag(b, 1) != 0; -+ case BIO_CTRL_GET_KTLS_RECV: -+ return BIO_should_ktls_flag(b, 0) != 0; -+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG: -+ BIO_set_ktls_ctrl_msg_flag(b); -+ b->ptr = (void *)num; -+ ret = 0; -+ break; -+ case BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG: -+ BIO_clear_ktls_ctrl_msg_flag(b); -+ ret = 0; -+ break; ++# ifdef OPENSSL_NO_KTLS_RX ++ if (!is_tx) ++ return 0; +# endif - case BIO_CTRL_EOF: -- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; -+ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; - break; - default: - ret = 0; -diff --git crypto/err/openssl.txt crypto/err/openssl.txt -index 902e97b843..846c896359 100644 ---- crypto/err/openssl.txt -+++ crypto/err/openssl.txt -@@ -1319,6 +1319,7 @@ SSL_F_SSL_RENEGOTIATE:516:SSL_renegotiate - SSL_F_SSL_RENEGOTIATE_ABBREVIATED:546:SSL_renegotiate_abbreviated - SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT:320:* - SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT:321:* -+SSL_F_SSL_SENDFILE:639:SSL_sendfile - SSL_F_SSL_SESSION_DUP:348:ssl_session_dup - SSL_F_SSL_SESSION_NEW:189:SSL_SESSION_new - SSL_F_SSL_SESSION_PRINT_FP:190:SSL_SESSION_print_fp -diff --git crypto/evp/e_aes.c crypto/evp/e_aes.c -index a1d3ab90fa..715fac9f88 100644 ---- crypto/evp/e_aes.c -+++ crypto/evp/e_aes.c -@@ -2889,6 +2889,14 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) - memcpy(ptr, c->buf, arg); ++ + if (s->version == TLS1_2_VERSION && + EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { + if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv, +@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->gcm128.rec_seq, rl_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->gcm128.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) ++ return 0; return 1; - -+ case EVP_CTRL_GET_IV: -+ if (gctx->iv_gen != 1) + # endif + # ifdef OPENSSL_KTLS_AES_GCM_256 +@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->gcm256.rec_seq, rl_sequence, + TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->gcm256.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) + return 0; -+ if (gctx->ivlen != arg) + return 1; + # endif + # ifdef OPENSSL_KTLS_AES_CCM_128 +@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->ccm128.rec_seq, rl_sequence, + TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->ccm128.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) + return 0; -+ memcpy(ptr, gctx->iv, arg); -+ return 1; -+ - case EVP_CTRL_GCM_SET_IV_FIXED: - /* Special case: -1 length restores whole IV */ - if (arg == -1) { -diff --git doc/man3/BIO_ctrl.pod doc/man3/BIO_ctrl.pod -index cf6ba135df..fc51173c8d 100644 ---- doc/man3/BIO_ctrl.pod -+++ doc/man3/BIO_ctrl.pod -@@ -5,7 +5,8 @@ - BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset, - BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close, - BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending, --BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb -+BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb, BIO_get_ktls_send, -+BIO_get_ktls_recv - - BIO control operations - - =head1 SYNOPSIS -@@ -34,6 +35,9 @@ BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb - int BIO_get_info_callback(BIO *b, BIO_info_cb **cbp); - int BIO_set_info_callback(BIO *b, BIO_info_cb *cb); - -+ int BIO_get_ktls_send(BIO *b); -+ int BIO_get_ktls_recv(BIO *b); -+ - =head1 DESCRIPTION - - BIO_ctrl(), BIO_callback_ctrl(), BIO_ptr_ctrl() and BIO_int_ctrl() -@@ -72,6 +76,11 @@ Not all BIOs support these calls. BIO_ctrl_pending() and BIO_ctrl_wpending() - return a size_t type and are functions, BIO_pending() and BIO_wpending() are - macros which call BIO_ctrl(). - -+BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for -+sending. Otherwise, it returns zero. -+BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for -+receiving. Otherwise, it returns zero. -+ - =head1 RETURN VALUES - - BIO_reset() normally returns 1 for success and 0 or -1 for failure. File -@@ -92,6 +101,11 @@ BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. - BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending() - return the amount of pending data. - -+BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for -+sending. Otherwise, it returns zero. -+BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for -+receiving. Otherwise, it returns zero. -+ - =head1 NOTES + return 1; + # endif + # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 +@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, + TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->chacha20poly1305.rec_seq; ++ if (!is_tx ++ && !check_rx_read_ahead(s, ++ crypto_info->chacha20poly1305.rec_seq)) ++ return 0; + return 1; + # endif + default: +diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c +index d8ef018741..63caac080f 100644 +--- ssl/record/ssl3_record.c ++++ ssl/record/ssl3_record.c +@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s) + int imac_size; + size_t num_recs = 0, max_recs, j; + PACKET pkt, sslv2pkt; +- int is_ktls_left; ++ int using_ktls; + SSL_MAC_BUF *macbufs = NULL; + int ret = -1; - BIO_flush(), because it can write data may return 0 or -1 indicating -@@ -124,6 +138,11 @@ particular a return value of 0 can be returned if an operation is not - supported, if an error occurred, if EOF has not been reached and in - the case of BIO_seek() on a file BIO for a successful operation. + rr = RECORD_LAYER_get_rrec(&s->rlayer); + rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); +- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0); + max_recs = s->max_pipelines; + if (max_recs == 0) + max_recs = 1; + sess = s->session; -+=head1 HISTORY -+ -+The BIO_get_ktls_send() and BIO_get_ktls_recv() functions were added in -+OpenSSL 3.0.0. ++ /* ++ * KTLS reads full records. If there is any data left, ++ * then it is from before enabling ktls. ++ */ ++ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0; + - =head1 COPYRIGHT - - Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. -diff --git doc/man3/SSL_CONF_cmd.pod doc/man3/SSL_CONF_cmd.pod -index 7f0e088687..c7cce5486b 100644 ---- doc/man3/SSL_CONF_cmd.pod -+++ doc/man3/SSL_CONF_cmd.pod -@@ -495,6 +495,10 @@ specification. Some applications may be able to mitigate the replay risks in - other ways and in such cases the built-in OpenSSL functionality is not required. - Disabling anti-replay is equivalent to setting B. + do { + thisrr = &rr[num_recs]; -+B: Enables kernel TLS if support has been compiled in, and it is supported -+by the negotiated ciphersuites and extensions. Equivalent to -+B. -+ - =item B +@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s) + } + } - The B argument is a comma separated list of flags to set. -diff --git doc/man3/SSL_CTX_set_options.pod doc/man3/SSL_CTX_set_options.pod -index 969e0366c4..231fe92d8e 100644 ---- doc/man3/SSL_CTX_set_options.pod -+++ doc/man3/SSL_CTX_set_options.pod -@@ -237,6 +237,29 @@ functionality is not required. Those applications can turn this feature off by - setting this option. This is a server-side opton only. It is ignored by - clients. +- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { ++ if (SSL_IS_TLS13(s) ++ && s->enc_read_ctx != NULL ++ && !using_ktls) { + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC + || !SSL_IS_FIRST_HANDSHAKE(s)) +@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s) + } -+=item SSL_OP_ENABLE_KTLS -+ -+Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must -+have been compiled with support for it, and it must be supported by the -+negotiated ciphersuites and extensions. The specific ciphersuites and extensions -+that are supported may vary by platform and kernel version. -+ -+The kernel TLS data-path implements the record layer, and the encryption -+algorithm. The kernel will utilize the best hardware -+available for encryption. Using the kernel data-path should reduce the memory -+footprint of OpenSSL because no buffering is required. Also, the throughput -+should improve because data copy is avoided when user data is encrypted into -+kernel memory instead of the usual encrypt then copy to kernel. -+ -+Kernel TLS might not support all the features of OpenSSL. For instance, -+renegotiation, and setting the maximum fragment size is not possible as of -+Linux 4.20. + if (SSL_IS_TLS13(s)) { +- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { ++ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH; + -+Note that with kernel TLS enabled some cryptographic operations are performed -+by the kernel directly and not via any available OpenSSL Providers. This might -+be undesirable if, for example, the application requires all cryptographic -+operations to be performed by the FIPS provider. ++ /* KTLS strips the inner record type. */ ++ if (using_ktls) ++ len = SSL3_RT_MAX_ENCRYPTED_LENGTH; + - =back ++ if (thisrr->length > len) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; +@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s) + #endif - The following options no longer have any effect but their identifiers are -diff --git doc/man3/SSL_CTX_set_record_padding_callback.pod doc/man3/SSL_CTX_set_record_padding_callback.pod -index 13e56f0c57..247a39fc03 100644 ---- doc/man3/SSL_CTX_set_record_padding_callback.pod -+++ doc/man3/SSL_CTX_set_record_padding_callback.pod -@@ -16,7 +16,7 @@ SSL_set_block_padding - install callback to specify TLS 1.3 record padding - #include + /* KTLS may use all of the buffer */ +- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) ++ if (using_ktls) + len = SSL3_BUFFER_get_left(rbuf); - void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); -- void SSL_set_record_padding_callback(SSL *ssl, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); -+ int SSL_set_record_padding_callback(SSL *ssl, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); + if (thisrr->length > len) { +@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s) + return 1; + } - void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg); - void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx); -@@ -32,6 +32,8 @@ SSL_set_block_padding - install callback to specify TLS 1.3 record padding - SSL_CTX_set_record_padding_callback() or SSL_set_record_padding_callback() - can be used to assign a callback function I to specify the padding - for TLS 1.3 records. The value set in B is copied to a new SSL by SSL_new(). -+Kernel TLS is not possible if the record padding callback is set, and the callback -+function cannot be set if Kernel TLS is already configured for the current SSL object. +- /* +- * KTLS reads full records. If there is any data left, +- * then it is from before enabling ktls +- */ +- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) ++ if (using_ktls) + goto skip_decryption; - SSL_CTX_set_record_padding_callback_arg() and SSL_set_record_padding_callback_arg() - assign a value B that is passed to the callback when it is invoked. The value -@@ -64,6 +66,9 @@ indicates no padding will be added. A return value that causes the record to - exceed the maximum record size (SSL3_RT_MAX_PLAIN_LENGTH) will pad out to the - maximum record size. + if (s->read_hash != NULL) { +@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s) + if (SSL_IS_TLS13(s) + && s->enc_read_ctx != NULL + && thisrr->type != SSL3_RT_ALERT) { +- size_t end; ++ /* ++ * The following logic are irrelevant in KTLS: the kernel provides ++ * unprotected record and thus record type represent the actual ++ * content type, and padding is already removed and thisrr->type and ++ * thisrr->length should have the correct values. ++ */ ++ if (!using_ktls) { ++ size_t end; -+The SSL_CTX_get_record_padding_callback_arg() function returns 1 on success or 0 if -+the callback function is not set because Kernel TLS is configured for the SSL object. +- if (thisrr->length == 0 +- || thisrr->type != SSL3_RT_APPLICATION_DATA) { +- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); +- goto end; ++ if (thisrr->length == 0 ++ || thisrr->type != SSL3_RT_APPLICATION_DATA) { ++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); ++ goto end; ++ } + - =head1 NOTES - - The default behavior is to add no padding to the record. -@@ -84,6 +89,9 @@ L, L - - The record padding API was added for TLS 1.3 support in OpenSSL 1.1.1. - -+The return type of SSL_CTX_set_record_padding_callback() function was -+changed to int in OpenSSL 3.0. -+ - =head1 COPYRIGHT - - Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. -diff --git doc/man3/SSL_write.pod doc/man3/SSL_write.pod -index 5e3ce1e7e4..9b271d8e65 100644 ---- doc/man3/SSL_write.pod -+++ doc/man3/SSL_write.pod -@@ -2,12 +2,13 @@ - - =head1 NAME - --SSL_write_ex, SSL_write - write bytes to a TLS/SSL connection -+SSL_write_ex, SSL_write, SSL_sendfile - write bytes to a TLS/SSL connection - - =head1 SYNOPSIS - - #include - -+ ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags); - int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written); - int SSL_write(SSL *ssl, const void *buf, int num); - -@@ -17,6 +18,14 @@ SSL_write_ex() and SSL_write() write B bytes from the buffer B into - the specified B connection. On success SSL_write_ex() will store the number - of bytes written in B<*written>. - -+SSL_sendfile() writes B bytes from offset B in the file -+descriptor B to the specified SSL connection B. This function provides -+efficient zero-copy semantics. SSL_sendfile() is available only when -+Kernel TLS is enabled, which can be checked by calling BIO_get_ktls_send(). -+It is provided here to allow users to maintain the same interface. -+The meaning of B is platform dependent. -+Currently, under Linux it is ignored. -+ - =head1 NOTES - - In the paragraphs below a "write function" is defined as one of either -@@ -104,17 +113,36 @@ You should instead call SSL_get_error() to find out if it's retryable. - - =back - -+For SSL_sendfile(), the following return values can occur: -+ -+=over 4 -+ -+=item Z<>>= 0 -+ -+The write operation was successful, the return value is the number -+of bytes of the file written to the TLS/SSL connection. The return -+value can be less than B for a partial write. -+ -+=item E 0 -+ -+The write operation was not successful, because either the connection was -+closed, an error occured or action must be taken by the calling process. -+Call SSL_get_error() with the return value to find out the reason. -+ -+=back -+ - =head1 SEE ALSO - - L, L, L - L, L, - L, L --L, -+L, L, - L, L - - =head1 HISTORY - - The SSL_write_ex() function was added in OpenSSL 1.1.1. -+The SSL_sendfile() function was added in OpenSSL 3.0.0. - - =head1 COPYRIGHT - -diff --git engines/e_afalg.c engines/e_afalg.c -index 2d16c13834..748969204e 100644 ---- engines/e_afalg.c -+++ engines/e_afalg.c -@@ -407,7 +407,7 @@ static int afalg_start_cipher_sk(afalg_ctx *actx, const unsigned char *in, - size_t inl, const unsigned char *iv, - unsigned int enc) - { -- struct msghdr msg = { 0 }; -+ struct msghdr msg; - struct cmsghdr *cmsg; - struct iovec iov; - ssize_t sbytes; -@@ -416,6 +416,7 @@ static int afalg_start_cipher_sk(afalg_ctx *actx, const unsigned char *in, - # endif - char cbuf[CMSG_SPACE(ALG_IV_LEN(ALG_AES_IV_LEN)) + CMSG_SPACE(ALG_OP_LEN)]; - -+ memset(&msg, 0, sizeof(msg)); - memset(cbuf, 0, sizeof(cbuf)); - msg.msg_control = cbuf; - msg.msg_controllen = sizeof(cbuf); -diff --git include/internal/bio.h include/internal/bio.h -index c343b27629..365d41dabb 100644 ---- include/internal/bio.h -+++ include/internal/bio.h -@@ -7,6 +7,9 @@ - * https://www.openssl.org/source/license.html - */ - -+#ifndef HEADER_INTERNAL_BIO_H -+# define HEADER_INTERNAL_BIO_H -+ - #include - - struct bio_method_st { -@@ -31,3 +34,39 @@ void bio_cleanup(void); - /* Old style to new style BIO_METHOD conversion functions */ - int bwrite_conv(BIO *bio, const char *data, size_t datal, size_t *written); - int bread_conv(BIO *bio, char *data, size_t datal, size_t *read); -+ -+/* Changes to these internal BIOs must also update include/openssl/bio.h */ -+# define BIO_CTRL_SET_KTLS 72 -+# define BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG 74 -+# define BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG 75 -+ -+/* -+ * This is used with socket BIOs: -+ * BIO_FLAGS_KTLS_TX means we are using ktls with this BIO for sending. -+ * BIO_FLAGS_KTLS_TX_CTRL_MSG means we are about to send a ctrl message next. -+ * BIO_FLAGS_KTLS_RX means we are using ktls with this BIO for receiving. -+ */ -+# define BIO_FLAGS_KTLS_TX_CTRL_MSG 0x1000 -+# define BIO_FLAGS_KTLS_RX 0x2000 -+# define BIO_FLAGS_KTLS_TX 0x4000 -+ -+/* KTLS related controls and flags */ -+# define BIO_set_ktls_flag(b, is_tx) \ -+ BIO_set_flags(b, (is_tx) ? BIO_FLAGS_KTLS_TX : BIO_FLAGS_KTLS_RX) -+# define BIO_should_ktls_flag(b, is_tx) \ -+ BIO_test_flags(b, (is_tx) ? BIO_FLAGS_KTLS_TX : BIO_FLAGS_KTLS_RX) -+# define BIO_set_ktls_ctrl_msg_flag(b) \ -+ BIO_set_flags(b, BIO_FLAGS_KTLS_TX_CTRL_MSG) -+# define BIO_should_ktls_ctrl_msg_flag(b) \ -+ BIO_test_flags(b, BIO_FLAGS_KTLS_TX_CTRL_MSG) -+# define BIO_clear_ktls_ctrl_msg_flag(b) \ -+ BIO_clear_flags(b, BIO_FLAGS_KTLS_TX_CTRL_MSG) -+ -+# define BIO_set_ktls(b, keyblob, is_tx) \ -+ BIO_ctrl(b, BIO_CTRL_SET_KTLS, is_tx, keyblob) -+# define BIO_set_ktls_ctrl_msg(b, record_type) \ -+ BIO_ctrl(b, BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG, record_type, NULL) -+# define BIO_clear_ktls_ctrl_msg(b) \ -+ BIO_ctrl(b, BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG, 0, NULL) -+ -+#endif -diff --git include/internal/ktls.h include/internal/ktls.h -new file mode 100644 -index 0000000000..5f9e3f91ed ---- /dev/null -+++ include/internal/ktls.h -@@ -0,0 +1,407 @@ -+/* -+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#if defined(OPENSSL_SYS_LINUX) -+# ifndef OPENSSL_NO_KTLS -+# include -+# if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) -+# define OPENSSL_NO_KTLS -+# ifndef PEDANTIC -+# warning "KTLS requires Kernel Headers >= 4.13.0" -+# warning "Skipping Compilation of KTLS" -+# endif -+# endif -+# endif -+#endif -+ -+#ifndef HEADER_INTERNAL_KTLS -+# define HEADER_INTERNAL_KTLS -+# ifndef OPENSSL_NO_KTLS -+ -+# if defined(__FreeBSD__) -+# include -+# include -+# include -+# include -+# include -+# include "openssl/ssl3.h" -+ -+# ifndef TCP_RXTLS_ENABLE -+# define OPENSSL_NO_KTLS_RX -+# endif -+# define OPENSSL_KTLS_AES_GCM_128 -+# define OPENSSL_KTLS_AES_GCM_256 -+# define OPENSSL_KTLS_TLS13 -+# ifdef TLS_CHACHA20_IV_LEN -+# ifndef OPENSSL_NO_CHACHA -+# define OPENSSL_KTLS_CHACHA20_POLY1305 -+# endif -+# endif -+ -+typedef struct tls_enable ktls_crypto_info_t; -+ -+/* -+ * FreeBSD does not require any additional steps to enable KTLS before -+ * setting keys. -+ */ -+static ossl_inline int ktls_enable(int fd) -+{ -+ return 1; -+} -+ -+/* -+ * The TCP_TXTLS_ENABLE socket option marks the outgoing socket buffer -+ * as using TLS. If successful, then data sent using this socket will -+ * be encrypted and encapsulated in TLS records using the tls_en -+ * provided here. -+ * -+ * The TCP_RXTLS_ENABLE socket option marks the incoming socket buffer -+ * as using TLS. If successful, then data received for this socket will -+ * be authenticated and decrypted using the tls_en provided here. -+ */ -+static ossl_inline int ktls_start(int fd, ktls_crypto_info_t *tls_en, int is_tx) -+{ -+ if (is_tx) -+ return setsockopt(fd, IPPROTO_TCP, TCP_TXTLS_ENABLE, -+ tls_en, sizeof(*tls_en)) ? 0 : 1; -+# ifndef OPENSSL_NO_KTLS_RX -+ return setsockopt(fd, IPPROTO_TCP, TCP_RXTLS_ENABLE, tls_en, -+ sizeof(*tls_en)) ? 0 : 1; -+# else -+ return 0; -+# endif -+} -+ -+/* -+ * Send a TLS record using the tls_en provided in ktls_start and use -+ * record_type instead of the default SSL3_RT_APPLICATION_DATA. -+ * When the socket is non-blocking, then this call either returns EAGAIN or -+ * the entire record is pushed to TCP. It is impossible to send a partial -+ * record using this control message. -+ */ -+static ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type, -+ const void *data, size_t length) -+{ -+ struct msghdr msg = { 0 }; -+ int cmsg_len = sizeof(record_type); -+ struct cmsghdr *cmsg; -+ char buf[CMSG_SPACE(cmsg_len)]; -+ struct iovec msg_iov; /* Vector of data to send/receive into */ -+ -+ msg.msg_control = buf; -+ msg.msg_controllen = sizeof(buf); -+ cmsg = CMSG_FIRSTHDR(&msg); -+ cmsg->cmsg_level = IPPROTO_TCP; -+ cmsg->cmsg_type = TLS_SET_RECORD_TYPE; -+ cmsg->cmsg_len = CMSG_LEN(cmsg_len); -+ *((unsigned char *)CMSG_DATA(cmsg)) = record_type; -+ msg.msg_controllen = cmsg->cmsg_len; -+ -+ msg_iov.iov_base = (void *)data; -+ msg_iov.iov_len = length; -+ msg.msg_iov = &msg_iov; -+ msg.msg_iovlen = 1; -+ -+ return sendmsg(fd, &msg, 0); -+} -+ -+# ifdef OPENSSL_NO_KTLS_RX -+ -+static ossl_inline int ktls_read_record(int fd, void *data, size_t length) -+{ -+ return -1; -+} -+ -+# else /* !defined(OPENSSL_NO_KTLS_RX) */ -+ -+/* -+ * Receive a TLS record using the tls_en provided in ktls_start. The -+ * kernel strips any explicit IV and authentication tag, but provides -+ * the TLS record header via a control message. If there is an error -+ * with the TLS record such as an invalid header, invalid padding, or -+ * authentication failure recvmsg() will fail with an error. -+ */ -+static ossl_inline int ktls_read_record(int fd, void *data, size_t length) -+{ -+ struct msghdr msg = { 0 }; -+ int cmsg_len = sizeof(struct tls_get_record); -+ struct tls_get_record *tgr; -+ struct cmsghdr *cmsg; -+ char buf[CMSG_SPACE(cmsg_len)]; -+ struct iovec msg_iov; /* Vector of data to send/receive into */ -+ int ret; -+ unsigned char *p = data; -+ const size_t prepend_length = SSL3_RT_HEADER_LENGTH; -+ -+ if (length <= prepend_length) { -+ errno = EINVAL; -+ return -1; -+ } -+ -+ msg.msg_control = buf; -+ msg.msg_controllen = sizeof(buf); -+ -+ msg_iov.iov_base = p + prepend_length; -+ msg_iov.iov_len = length - prepend_length; -+ msg.msg_iov = &msg_iov; -+ msg.msg_iovlen = 1; -+ -+ ret = recvmsg(fd, &msg, 0); -+ if (ret <= 0) -+ return ret; -+ -+ if ((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) != MSG_EOR) { -+ errno = EMSGSIZE; -+ return -1; -+ } -+ -+ if (msg.msg_controllen == 0) { -+ errno = EBADMSG; -+ return -1; -+ } -+ -+ cmsg = CMSG_FIRSTHDR(&msg); -+ if (cmsg->cmsg_level != IPPROTO_TCP || cmsg->cmsg_type != TLS_GET_RECORD -+ || cmsg->cmsg_len != CMSG_LEN(cmsg_len)) { -+ errno = EBADMSG; -+ return -1; -+ } -+ -+ tgr = (struct tls_get_record *)CMSG_DATA(cmsg); -+ p[0] = tgr->tls_type; -+ p[1] = tgr->tls_vmajor; -+ p[2] = tgr->tls_vminor; -+ *(uint16_t *)(p + 3) = htons(ret); -+ -+ return ret + prepend_length; -+} -+ -+# endif /* OPENSSL_NO_KTLS_RX */ -+ -+/* -+ * KTLS enables the sendfile system call to send data from a file over -+ * TLS. -+ */ -+static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, -+ size_t size, int flags) -+{ -+ off_t sbytes = 0; -+ int ret; -+ -+ ret = sendfile(fd, s, off, size, NULL, &sbytes, flags); -+ if (ret == -1 && sbytes == 0) -+ return -1; -+ return sbytes; -+} -+ -+# endif /* __FreeBSD__ */ -+ -+# if defined(OPENSSL_SYS_LINUX) -+ -+# include -+# if LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0) -+# define OPENSSL_NO_KTLS_RX -+# ifndef PEDANTIC -+# warning "KTLS requires Kernel Headers >= 4.17.0 for receiving" -+# warning "Skipping Compilation of KTLS receive data path" -+# endif -+# endif -+# define OPENSSL_KTLS_AES_GCM_128 -+# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0) -+# define OPENSSL_KTLS_AES_GCM_256 -+# define OPENSSL_KTLS_TLS13 -+# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) -+# define OPENSSL_KTLS_AES_CCM_128 -+# if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0) -+# ifndef OPENSSL_NO_CHACHA -+# define OPENSSL_KTLS_CHACHA20_POLY1305 -+# endif -+# endif -+# endif -+# endif -+ -+# include -+# include -+# include -+# include "openssl/ssl3.h" -+# include "openssl/tls1.h" -+# include "openssl/evp.h" -+ -+# ifndef SOL_TLS -+# define SOL_TLS 282 -+# endif -+ -+# ifndef TCP_ULP -+# define TCP_ULP 31 -+# endif -+ -+# ifndef TLS_RX -+# define TLS_RX 2 -+# endif -+ -+struct tls_crypto_info_all { -+ union { -+# ifdef OPENSSL_KTLS_AES_GCM_128 -+ struct tls12_crypto_info_aes_gcm_128 gcm128; -+# endif -+# ifdef OPENSSL_KTLS_AES_GCM_256 -+ struct tls12_crypto_info_aes_gcm_256 gcm256; -+# endif -+# ifdef OPENSSL_KTLS_AES_CCM_128 -+ struct tls12_crypto_info_aes_ccm_128 ccm128; -+# endif -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ struct tls12_crypto_info_chacha20_poly1305 chacha20poly1305; -+# endif -+ }; -+ size_t tls_crypto_info_len; -+}; -+ -+typedef struct tls_crypto_info_all ktls_crypto_info_t; -+ -+/* -+ * When successful, this socket option doesn't change the behaviour of the -+ * TCP socket, except changing the TCP setsockopt handler to enable the -+ * processing of SOL_TLS socket options. All other functionality remains the -+ * same. -+ */ -+static ossl_inline int ktls_enable(int fd) -+{ -+ return setsockopt(fd, SOL_TCP, TCP_ULP, "tls", sizeof("tls")) ? 0 : 1; -+} -+ -+/* -+ * The TLS_TX socket option changes the send/sendmsg handlers of the TCP socket. -+ * If successful, then data sent using this socket will be encrypted and -+ * encapsulated in TLS records using the crypto_info provided here. -+ * The TLS_RX socket option changes the recv/recvmsg handlers of the TCP socket. -+ * If successful, then data received using this socket will be decrypted, -+ * authenticated and decapsulated using the crypto_info provided here. -+ */ -+static ossl_inline int ktls_start(int fd, ktls_crypto_info_t *crypto_info, -+ int is_tx) -+{ -+ return setsockopt(fd, SOL_TLS, is_tx ? TLS_TX : TLS_RX, -+ crypto_info, crypto_info->tls_crypto_info_len) ? 0 : 1; -+} -+ -+/* -+ * Send a TLS record using the crypto_info provided in ktls_start and use -+ * record_type instead of the default SSL3_RT_APPLICATION_DATA. -+ * When the socket is non-blocking, then this call either returns EAGAIN or -+ * the entire record is pushed to TCP. It is impossible to send a partial -+ * record using this control message. -+ */ -+static ossl_inline int ktls_send_ctrl_message(int fd, unsigned char record_type, -+ const void *data, size_t length) -+{ -+ struct msghdr msg; -+ int cmsg_len = sizeof(record_type); -+ struct cmsghdr *cmsg; -+ union { -+ struct cmsghdr hdr; -+ char buf[CMSG_SPACE(sizeof(unsigned char))]; -+ } cmsgbuf; -+ struct iovec msg_iov; /* Vector of data to send/receive into */ -+ -+ memset(&msg, 0, sizeof(msg)); -+ msg.msg_control = cmsgbuf.buf; -+ msg.msg_controllen = sizeof(cmsgbuf.buf); -+ cmsg = CMSG_FIRSTHDR(&msg); -+ cmsg->cmsg_level = SOL_TLS; -+ cmsg->cmsg_type = TLS_SET_RECORD_TYPE; -+ cmsg->cmsg_len = CMSG_LEN(cmsg_len); -+ *((unsigned char *)CMSG_DATA(cmsg)) = record_type; -+ msg.msg_controllen = cmsg->cmsg_len; -+ -+ msg_iov.iov_base = (void *)data; -+ msg_iov.iov_len = length; -+ msg.msg_iov = &msg_iov; -+ msg.msg_iovlen = 1; -+ -+ return sendmsg(fd, &msg, 0); -+} -+ -+/* -+ * KTLS enables the sendfile system call to send data from a file over TLS. -+ * @flags are ignored on Linux. (placeholder for FreeBSD sendfile) -+ * */ -+static ossl_inline ossl_ssize_t ktls_sendfile(int s, int fd, off_t off, size_t size, int flags) -+{ -+ return sendfile(s, fd, &off, size); -+} -+ -+# ifdef OPENSSL_NO_KTLS_RX -+ -+ -+static ossl_inline int ktls_read_record(int fd, void *data, size_t length) -+{ -+ return -1; -+} -+ -+# else /* !defined(OPENSSL_NO_KTLS_RX) */ -+ -+/* -+ * Receive a TLS record using the crypto_info provided in ktls_start. -+ * The kernel strips the TLS record header, IV and authentication tag, -+ * returning only the plaintext data or an error on failure. -+ * We add the TLS record header here to satisfy routines in rec_layer_s3.c -+ */ -+static ossl_inline int ktls_read_record(int fd, void *data, size_t length) -+{ -+ struct msghdr msg; -+ struct cmsghdr *cmsg; -+ union { -+ struct cmsghdr hdr; -+ char buf[CMSG_SPACE(sizeof(unsigned char))]; -+ } cmsgbuf; -+ struct iovec msg_iov; -+ int ret; -+ unsigned char *p = data; -+ const size_t prepend_length = SSL3_RT_HEADER_LENGTH; -+ -+ if (length < prepend_length + EVP_GCM_TLS_TAG_LEN) { -+ errno = EINVAL; -+ return -1; -+ } -+ -+ memset(&msg, 0, sizeof(msg)); -+ msg.msg_control = cmsgbuf.buf; -+ msg.msg_controllen = sizeof(cmsgbuf.buf); -+ -+ msg_iov.iov_base = p + prepend_length; -+ msg_iov.iov_len = length - prepend_length - EVP_GCM_TLS_TAG_LEN; -+ msg.msg_iov = &msg_iov; -+ msg.msg_iovlen = 1; -+ -+ ret = recvmsg(fd, &msg, 0); -+ if (ret < 0) -+ return ret; -+ -+ if (msg.msg_controllen > 0) { -+ cmsg = CMSG_FIRSTHDR(&msg); -+ if (cmsg->cmsg_type == TLS_GET_RECORD_TYPE) { -+ p[0] = *((unsigned char *)CMSG_DATA(cmsg)); -+ p[1] = TLS1_2_VERSION_MAJOR; -+ p[2] = TLS1_2_VERSION_MINOR; -+ /* returned length is limited to msg_iov.iov_len above */ -+ p[3] = (ret >> 8) & 0xff; -+ p[4] = ret & 0xff; -+ ret += prepend_length; -+ } -+ } -+ -+ return ret; -+} -+ -+# endif /* OPENSSL_NO_KTLS_RX */ -+ -+# endif /* OPENSSL_SYS_LINUX */ -+# endif /* OPENSSL_NO_KTLS */ -+#endif /* HEADER_INTERNAL_KTLS */ -diff --git include/openssl/bio.h include/openssl/bio.h -index ae559a5105..66fc0d7c4a 100644 ---- include/openssl/bio.h -+++ include/openssl/bio.h -@@ -141,6 +141,26 @@ extern "C" { - - # define BIO_CTRL_DGRAM_SET_PEEK_MODE 71 - -+/* -+ * internal BIO see include/internal/bio.h: -+ * # define BIO_CTRL_SET_KTLS_SEND 72 -+ * # define BIO_CTRL_SET_KTLS_SEND_CTRL_MSG 74 -+ * # define BIO_CTRL_CLEAR_KTLS_CTRL_MSG 75 -+ */ -+ -+# define BIO_CTRL_GET_KTLS_SEND 73 -+# define BIO_CTRL_GET_KTLS_RECV 76 -+ -+# ifndef OPENSSL_NO_KTLS -+# define BIO_get_ktls_send(b) \ -+ BIO_ctrl(b, BIO_CTRL_GET_KTLS_SEND, 0, NULL) -+# define BIO_get_ktls_recv(b) \ -+ BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, 0, NULL) -+# else -+# define BIO_get_ktls_send(b) (0) -+# define BIO_get_ktls_recv(b) (0) -+# endif -+ - /* modifiers */ - # define BIO_FP_READ 0x02 - # define BIO_FP_WRITE 0x04 -@@ -171,6 +191,8 @@ extern "C" { - # define BIO_FLAGS_NONCLEAR_RST 0x400 - # define BIO_FLAGS_IN_EOF 0x800 - -+/* the BIO FLAGS values 0x1000 to 0x4000 are reserved for internal KTLS flags */ -+ - typedef union bio_addr_st BIO_ADDR; - typedef struct bio_addrinfo_st BIO_ADDRINFO; - -diff --git include/openssl/err.h include/openssl/err.h -index b49f88129e..dce9885d3f 100644 ---- include/openssl/err.h -+++ include/openssl/err.h -@@ -169,6 +169,7 @@ typedef struct err_state_st { - # define SYS_F_STAT 22 - # define SYS_F_FCNTL 23 - # define SYS_F_FSTAT 24 -+# define SYS_F_SENDFILE 25 - - /* reasons */ - # define ERR_R_SYS_LIB ERR_LIB_SYS/* 2 */ -diff --git include/openssl/evp.h include/openssl/evp.h -index a411f3f2f9..60103707d2 100644 ---- include/openssl/evp.h -+++ include/openssl/evp.h -@@ -352,6 +352,8 @@ int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, - # define EVP_CTRL_SET_PIPELINE_INPUT_LENS 0x24 - - # define EVP_CTRL_GET_IVLEN 0x25 -+/* Get the IV used by the cipher */ -+# define EVP_CTRL_GET_IV 0x26 - - /* Padding modes */ - #define EVP_PADDING_PKCS7 1 -diff --git include/openssl/ssl.h include/openssl/ssl.h -index fd0c5a9996..cfb87e6322 100644 ---- include/openssl/ssl.h -+++ include/openssl/ssl.h -@@ -303,7 +303,9 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); - /* Allow initial connection to servers that don't support RI */ - # define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004U - --/* Reserved value (until OpenSSL 1.2.0) 0x00000008U */ -+/* Enable support for Kernel TLS */ -+# define SSL_OP_ENABLE_KTLS 0x00000008U -+ - # define SSL_OP_TLSEXT_PADDING 0x00000010U - /* Reserved value (until OpenSSL 1.2.0) 0x00000020U */ - # define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040U -@@ -1837,6 +1839,8 @@ __owur int SSL_read_early_data(SSL *s, void *buf, size_t num, - size_t *readbytes); - __owur int SSL_peek(SSL *ssl, void *buf, int num); - __owur int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); -+__owur ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, -+ int flags); - __owur int SSL_write(SSL *ssl, const void *buf, int num); - __owur int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written); - __owur int SSL_write_early_data(SSL *s, const void *buf, size_t num, -@@ -2123,7 +2127,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg); - void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx); - int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size); - --void SSL_set_record_padding_callback(SSL *ssl, -+int SSL_set_record_padding_callback(SSL *ssl, - size_t (*cb) (SSL *ssl, int type, - size_t len, void *arg)); - void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg); -diff --git include/openssl/sslerr.h include/openssl/sslerr.h -index 701d61c6e9..c0310941c4 100644 ---- include/openssl/sslerr.h -+++ include/openssl/sslerr.h -@@ -220,6 +220,7 @@ int ERR_load_SSL_strings(void); - # define SSL_F_SSL_RENEGOTIATE_ABBREVIATED 546 - # define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 320 - # define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT 321 -+# define SSL_F_SSL_SENDFILE 639 - # define SSL_F_SSL_SESSION_DUP 348 - # define SSL_F_SSL_SESSION_NEW 189 - # define SSL_F_SSL_SESSION_PRINT_FP 190 -diff --git ssl/build.info ssl/build.info -index bb2f1deb53..1c49ac9aee 100644 ---- ssl/build.info -+++ ssl/build.info -@@ -1,4 +1,5 @@ - LIBS=../libssl -+ - SOURCE[../libssl]=\ - pqueue.c packet.c \ - statem/statem_srvr.c statem/statem_clnt.c s3_lib.c s3_enc.c record/rec_layer_s3.c \ -@@ -13,3 +14,7 @@ SOURCE[../libssl]=\ - bio_ssl.c ssl_err.c tls_srp.c t1_trce.c ssl_utst.c \ - record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c \ - statem/statem.c record/ssl3_record_tls13.c -+ -+IF[{- !$disabled{ktls} -}] -+ SOURCE[../libssl]=ktls.c -+ENDIF -diff --git ssl/ktls.c ssl/ktls.c -new file mode 100644 -index 0000000000..68482ac480 ---- /dev/null -+++ ssl/ktls.c -@@ -0,0 +1,321 @@ -+/* -+ * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include "ssl_local.h" -+#include "internal/ktls.h" -+ -+#ifndef OPENSSL_NO_KTLS_RX -+ /* -+ * Count the number of records that were not processed yet from record boundary. -+ * -+ * This function assumes that there are only fully formed records read in the -+ * record layer. If read_ahead is enabled, then this might be false and this -+ * function will fail. -+ */ -+static int count_unprocessed_records(SSL *s) -+{ -+ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); -+ PACKET pkt, subpkt; -+ int count = 0; -+ -+ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) -+ return -1; -+ -+ while (PACKET_remaining(&pkt) > 0) { -+ /* Skip record type and version */ -+ if (!PACKET_forward(&pkt, 3)) -+ return -1; -+ -+ /* Read until next record */ -+ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) -+ return -1; -+ -+ count += 1; -+ } -+ -+ return count; -+} -+ -+/* -+ * The kernel cannot offload receive if a partial TLS record has been read. -+ * Check the read buffer for unprocessed records. If the buffer contains a -+ * partial record, fail and return 0. Otherwise, update the sequence -+ * number at *rec_seq for the count of unprocessed records and return 1. -+ */ -+static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq) -+{ -+ int bit, count_unprocessed; -+ -+ count_unprocessed = count_unprocessed_records(s); -+ if (count_unprocessed < 0) -+ return 0; -+ -+ /* increment the crypto_info record sequence */ -+ while (count_unprocessed) { -+ for (bit = 7; bit >= 0; bit--) { /* increment */ -+ ++rec_seq[bit]; -+ if (rec_seq[bit] != 0) -+ break; -+ } -+ count_unprocessed--; -+ -+ } -+ -+ return 1; -+} -+#endif -+ -+#if defined(__FreeBSD__) -+# include -+ -+/*- -+ * Check if a given cipher is supported by the KTLS interface. -+ * The kernel might still fail the setsockopt() if no suitable -+ * provider is found, but this checks if the socket option -+ * supports the cipher suite used at all. -+ */ -+int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, -+ const EVP_CIPHER_CTX *dd) -+{ -+ -+ switch (s->version) { -+ case TLS1_VERSION: -+ case TLS1_1_VERSION: -+ case TLS1_2_VERSION: -+ case TLS1_3_VERSION: -+ break; -+ default: -+ return 0; -+ } -+ -+ switch (s->s3->tmp.new_cipher->algorithm_enc) { -+ case SSL_AES128GCM: -+ case SSL_AES256GCM: -+ return 1; -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ case SSL_CHACHA20POLY1305: -+ return 1; -+# endif -+ case SSL_AES128: -+ case SSL_AES256: -+ if (s->ext.use_etm) -+ return 0; -+ switch (s->s3->tmp.new_cipher->algorithm_mac) { -+ case SSL_SHA1: -+ case SSL_SHA256: -+ case SSL_SHA384: -+ return 1; -+ default: -+ return 0; -+ } -+ default: -+ return 0; -+ } -+} -+ -+/* Function to configure kernel TLS structure */ -+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, -+ void *rl_sequence, ktls_crypto_info_t *crypto_info, -+ int is_tx, unsigned char *iv, -+ unsigned char *key, unsigned char *mac_key, -+ size_t mac_secret_size) -+{ -+ memset(crypto_info, 0, sizeof(*crypto_info)); -+ switch (s->s3->tmp.new_cipher->algorithm_enc) { -+ case SSL_AES128GCM: -+ case SSL_AES256GCM: -+ crypto_info->cipher_algorithm = CRYPTO_AES_NIST_GCM_16; -+ if (s->version == TLS1_3_VERSION) -+ crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd); -+ else -+ crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN; -+ break; -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ case SSL_CHACHA20POLY1305: -+ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; -+ crypto_info->iv_len = EVP_CIPHER_CTX_iv_length(dd); -+ break; -+# endif -+ case SSL_AES128: -+ case SSL_AES256: -+ switch (s->s3->tmp.new_cipher->algorithm_mac) { -+ case SSL_SHA1: -+ crypto_info->auth_algorithm = CRYPTO_SHA1_HMAC; -+ break; -+ case SSL_SHA256: -+ crypto_info->auth_algorithm = CRYPTO_SHA2_256_HMAC; -+ break; -+ case SSL_SHA384: -+ crypto_info->auth_algorithm = CRYPTO_SHA2_384_HMAC; -+ break; -+ default: -+ return 0; -+ } -+ crypto_info->cipher_algorithm = CRYPTO_AES_CBC; -+ crypto_info->iv_len = EVP_CIPHER_iv_length(c); -+ crypto_info->auth_key = mac_key; -+ crypto_info->auth_key_len = mac_secret_size; -+ break; -+ default: -+ return 0; -+ } -+ crypto_info->cipher_key = key; -+ crypto_info->cipher_key_len = EVP_CIPHER_key_length(c); -+ crypto_info->iv = iv; -+ crypto_info->tls_vmajor = (s->version >> 8) & 0x000000ff; -+ crypto_info->tls_vminor = (s->version & 0x000000ff); -+# ifdef TCP_RXTLS_ENABLE -+ memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); -+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) -+ return 0; -+# else -+ if (!is_tx) -+ return 0; -+# endif -+ return 1; -+}; -+ -+#endif /* __FreeBSD__ */ -+ -+#if defined(OPENSSL_SYS_LINUX) -+ -+/* Function to check supported ciphers in Linux */ -+int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, -+ const EVP_CIPHER_CTX *dd) -+{ -+ switch (s->version) { -+ case TLS1_2_VERSION: -+ case TLS1_3_VERSION: -+ break; -+ default: -+ return 0; -+ } -+ -+ /* check that cipher is AES_GCM_128, AES_GCM_256, AES_CCM_128 -+ * or Chacha20-Poly1305 -+ */ -+# ifdef OPENSSL_KTLS_AES_CCM_128 -+ if (EVP_CIPHER_is_a(c, "AES-128-CCM")) { -+ if (s->version == TLS_1_3_VERSION /* broken on 5.x kernels */ -+ || EVP_CIPHER_CTX_get_tag_length(dd) != EVP_CCM_TLS_TAG_LEN) -+ return 0; -+ return 1; -+ } else -+# endif -+ if (0 -+# ifdef OPENSSL_KTLS_AES_GCM_128 -+ || EVP_CIPHER_is_a(c, "AES-128-GCM") -+# endif -+# ifdef OPENSSL_KTLS_AES_GCM_256 -+ || EVP_CIPHER_is_a(c, "AES-256-GCM") -+# endif -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ || EVP_CIPHER_is_a(c, "ChaCha20-Poly1305") -+# endif -+ ) { -+ return 1; -+ } -+ return 0; -+} -+ -+/* Function to configure kernel TLS structure */ -+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, -+ void *rl_sequence, ktls_crypto_info_t *crypto_info, -+ int is_tx, unsigned char *iv, -+ unsigned char *key, unsigned char *mac_key, -+ size_t mac_secret_size) -+{ -+ unsigned char geniv[12]; -+ unsigned char *iiv = iv; -+ -+# ifdef OPENSSL_NO_KTLS_RX -+ if (!is_tx) -+ return 0; -+# endif -+ -+ if (s->version == TLS1_2_VERSION && -+ EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { -+ EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GET_IV, -+ EVP_GCM_TLS_FIXED_IV_LEN + EVP_GCM_TLS_EXPLICIT_IV_LEN, -+ geniv); -+ iiv = geniv; -+ } -+ -+ memset(crypto_info, 0, sizeof(*crypto_info)); -+ switch (EVP_CIPHER_nid(c)) -+ { -+# ifdef OPENSSL_KTLS_AES_GCM_128 -+ case NID_aes_128_gcm: -+ crypto_info->gcm128.info.cipher_type = TLS_CIPHER_AES_GCM_128; -+ crypto_info->gcm128.info.version = s->version; -+ crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm128); -+ memcpy(crypto_info->gcm128.iv, iiv + EVP_GCM_TLS_FIXED_IV_LEN, -+ TLS_CIPHER_AES_GCM_128_IV_SIZE); -+ memcpy(crypto_info->gcm128.salt, iiv, TLS_CIPHER_AES_GCM_128_SALT_SIZE); -+ memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_key_length(c)); -+ memcpy(crypto_info->gcm128.rec_seq, rl_sequence, -+ TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); -+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) -+ return 0; -+ return 1; -+# endif -+# ifdef OPENSSL_KTLS_AES_GCM_256 -+ case NID_aes_256_gcm: -+ crypto_info->gcm256.info.cipher_type = TLS_CIPHER_AES_GCM_256; -+ crypto_info->gcm256.info.version = s->version; -+ crypto_info->tls_crypto_info_len = sizeof(crypto_info->gcm256); -+ memcpy(crypto_info->gcm256.iv, iiv + EVP_GCM_TLS_FIXED_IV_LEN, -+ TLS_CIPHER_AES_GCM_256_IV_SIZE); -+ memcpy(crypto_info->gcm256.salt, iiv, TLS_CIPHER_AES_GCM_256_SALT_SIZE); -+ memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_key_length(c)); -+ memcpy(crypto_info->gcm256.rec_seq, rl_sequence, -+ TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); -+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) -+ return 0; -+ return 1; -+# endif -+# ifdef OPENSSL_KTLS_AES_CCM_128 -+ case NID_aes_128_ccm: -+ crypto_info->ccm128.info.cipher_type = TLS_CIPHER_AES_CCM_128; -+ crypto_info->ccm128.info.version = s->version; -+ crypto_info->tls_crypto_info_len = sizeof(crypto_info->ccm128); -+ memcpy(crypto_info->ccm128.iv, iiv + EVP_CCM_TLS_FIXED_IV_LEN, -+ TLS_CIPHER_AES_CCM_128_IV_SIZE); -+ memcpy(crypto_info->ccm128.salt, iiv, TLS_CIPHER_AES_CCM_128_SALT_SIZE); -+ memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_key_length(c)); -+ memcpy(crypto_info->ccm128.rec_seq, rl_sequence, -+ TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); -+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) -+ return 0; -+ return 1; -+# endif -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ case NID_chacha20_poly1305: -+ crypto_info->chacha20poly1305.info.cipher_type = TLS_CIPHER_CHACHA20_POLY1305; -+ crypto_info->chacha20poly1305.info.version = s->version; -+ crypto_info->tls_crypto_info_len = sizeof(crypto_info->chacha20poly1305); -+ memcpy(crypto_info->chacha20poly1305.iv, iiv, -+ TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE); -+ memcpy(crypto_info->chacha20poly1305.key, key, -+ EVP_CIPHER_get_key_length(c)); -+ memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, -+ TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); -+ if (!is_tx -+ && !check_rx_read_ahead(s, -+ crypto_info->chacha20poly1305.rec_seq)) -+ return 0; -+ return 1; -+# endif -+ default: -+ return 0; -+ } -+ -+} -+ -+#endif /* OPENSSL_SYS_LINUX */ -diff --git ssl/record/rec_layer_s3.c ssl/record/rec_layer_s3.c -index 8249b4ace9..1356bd7b7b 100644 ---- ssl/record/rec_layer_s3.c -+++ ssl/record/rec_layer_s3.c -@@ -281,11 +281,15 @@ - return -1; - } - -- /* We always act like read_ahead is set for DTLS */ -- if (!s->rlayer.read_ahead && !SSL_IS_DTLS(s)) -+ /* -+ * Ktls always reads full records. -+ * Also, we always act like read_ahead is set for DTLS. -+ */ -+ if (!BIO_get_ktls_recv(s->rbio) && !s->rlayer.read_ahead -+ && !SSL_IS_DTLS(s)) { - /* ignore max parameter */ - max = n; -- else { -+ } else { - if (max < n) - max = n; - if (max > rb->len - rb->offset) -@@ -435,6 +439,7 @@ - len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) && - s->compress == NULL && s->msg_callback == NULL && - !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && -+ (BIO_get_ktls_send(s->wbio) == 0) && - EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & - EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { - unsigned char aad[13]; -@@ -764,6 +769,19 @@ - s->s3->empty_fragment_done = 1; - } - -+ if (BIO_get_ktls_send(s->wbio)) { -+ /* -+ * ktls doesn't modify the buffer, but to avoid a warning we need to -+ * discard the const qualifier. -+ * This doesn't leak memory because the buffers have been released when -+ * switching to ktls. -+ */ -+ SSL3_BUFFER_set_buf(&s->rlayer.wbuf[0], (unsigned char *)buf); -+ SSL3_BUFFER_set_offset(&s->rlayer.wbuf[0], 0); -+ SSL3_BUFFER_set_app_buffer(&s->rlayer.wbuf[0], 1); -+ goto wpacket_init_complete; -+ } -+ - if (create_empty_fragment) { - wb = &s->rlayer.wbuf[0]; - #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 -@@ -833,6 +851,8 @@ - } - } - -+ wpacket_init_complete: -+ - totlen = 0; - /* Clear our SSL3_RECORD structures */ - memset(wr, 0, sizeof(wr)); -@@ -874,15 +894,19 @@ - if (s->compress != NULL) - maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; - -- /* write the header */ -- if (!WPACKET_put_bytes_u8(thispkt, rectype) -+ /* -+ * When using offload kernel will write the header. -+ * Otherwise write the header now -+ */ -+ if (!BIO_get_ktls_send(s->wbio) -+ && (!WPACKET_put_bytes_u8(thispkt, rectype) - || !WPACKET_put_bytes_u16(thispkt, version) - || !WPACKET_start_sub_packet_u16(thispkt) - || (eivlen > 0 - && !WPACKET_allocate_bytes(thispkt, eivlen, NULL)) - || (maxcomplen > 0 - && !WPACKET_reserve_bytes(thispkt, maxcomplen, -- &compressdata))) { -+ &compressdata)))) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, - ERR_R_INTERNAL_ERROR); - goto err; -@@ -908,15 +932,20 @@ - goto err; - } - } else { -- if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) { -- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, -- ERR_R_INTERNAL_ERROR); -- goto err; -+ if (BIO_get_ktls_send(s->wbio)) { -+ SSL3_RECORD_reset_data(&wr[j]); -+ } else { -+ if (!WPACKET_memcpy(thispkt, thiswr->input, thiswr->length)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, -+ ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ SSL3_RECORD_reset_input(&wr[j]); - } -- SSL3_RECORD_reset_input(&wr[j]); - } - - if (SSL_TREAT_AS_TLS13(s) -+ && !BIO_get_ktls_send(s->wbio) - && s->enc_write_ctx != NULL - && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS - || type != SSL3_RT_ALERT)) { -@@ -972,7 +1001,7 @@ - * in the wb->buf - */ - -- if (!SSL_WRITE_ETM(s) && mac_size != 0) { -+ if (!BIO_get_ktls_send(s->wbio) && !SSL_WRITE_ETM(s) && mac_size != 0) { - unsigned char *mac; - - if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) -@@ -989,26 +1018,27 @@ - * max encrypted overhead does not need to include an allocation for that - * MAC - */ -- if (!WPACKET_reserve_bytes(thispkt, -- SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD -- - mac_size, -- NULL) -- /* -- * We also need next the amount of bytes written to this -- * sub-packet -- */ -+ if (!BIO_get_ktls_send(s->wbio)) { -+ if (!WPACKET_reserve_bytes(thispkt, -+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD -+ - mac_size, -+ NULL) -+ /* -+ * We also need next the amount of bytes written to this -+ * sub-packet -+ */ - || !WPACKET_get_length(thispkt, &len)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, - ERR_R_INTERNAL_ERROR); - goto err; -- } -+ } - -- /* Get a pointer to the start of this record excluding header */ -- recordstart = WPACKET_get_curr(thispkt) - len; -- -- SSL3_RECORD_set_data(thiswr, recordstart); -- SSL3_RECORD_reset_input(thiswr); -- SSL3_RECORD_set_length(thiswr, len); -+ /* Get a pointer to the start of this record excluding header */ -+ recordstart = WPACKET_get_curr(thispkt) - len; -+ SSL3_RECORD_set_data(thiswr, recordstart); -+ SSL3_RECORD_reset_input(thiswr); -+ SSL3_RECORD_set_length(thiswr, len); -+ } - } - - if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) { -@@ -1024,12 +1054,14 @@ - goto err; - } - } else { -- if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) { -- if (!ossl_statem_in_error(s)) { -- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, -- ERR_R_INTERNAL_ERROR); -+ if (!BIO_get_ktls_send(s->wbio)) { -+ if (s->method->ssl3_enc->enc(s, wr, numpipes, 1) < 1) { -+ if (!ossl_statem_in_error(s)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, -+ ERR_R_INTERNAL_ERROR); -+ } -+ goto err; - } -- goto err; - } - } - -@@ -1039,6 +1071,9 @@ - thispkt = &pkt[j]; - thiswr = &wr[j]; - -+ if (BIO_get_ktls_send(s->wbio)) -+ goto mac_done; -+ - /* Allocate bytes for the encryption overhead */ - if (!WPACKET_get_length(thispkt, &origlen) - /* Check we allowed enough room for the encryption growth */ -@@ -1048,7 +1083,8 @@ - || origlen > thiswr->length - || (thiswr->length > origlen - && !WPACKET_allocate_bytes(thispkt, -- thiswr->length - origlen, NULL))) { -+ thiswr->length - origlen, -+ NULL))) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, - ERR_R_INTERNAL_ERROR); - goto err; -@@ -1093,13 +1129,8 @@ - goto err; - } - -- /* -- * we should now have thiswr->data pointing to the encrypted data, which -- * is thiswr->length long -- */ -- SSL3_RECORD_set_type(thiswr, type); /* not needed but helps for -- * debugging */ -- SSL3_RECORD_add_length(thiswr, SSL3_RT_HEADER_LENGTH); -+ /* header is added by the kernel when using offload */ -+ SSL3_RECORD_add_length(&wr[j], SSL3_RT_HEADER_LENGTH); - - if (create_empty_fragment) { - /* -@@ -1116,6 +1147,14 @@ - return 1; - } - -+ mac_done: -+ /* -+ * we should now have thiswr->data pointing to the encrypted data, which -+ * is thiswr->length long -+ */ -+ SSL3_RECORD_set_type(thiswr, type); /* not needed but helps for -+ * debugging */ -+ - /* now let's set up wb */ - SSL3_BUFFER_set_left(&s->rlayer.wbuf[j], - prefix_len + SSL3_RECORD_get_length(thiswr)); -@@ -1169,6 +1208,17 @@ - clear_sys_error(); - if (s->wbio != NULL) { - s->rwstate = SSL_WRITING; -+ -+ /* -+ * To prevent coalescing of control and data messages, -+ * such as in buffer_write, we flush the BIO -+ */ -+ if (BIO_get_ktls_send(s->wbio) && type != SSL3_RT_APPLICATION_DATA) { -+ i = BIO_flush(s->wbio); -+ if (i <= 0) -+ return i; -+ BIO_set_ktls_ctrl_msg(s->wbio, type); -+ } - /* TODO(size_t): Convert this call */ - i = BIO_write(s->wbio, (char *) - &(SSL3_BUFFER_get_buf(&wb[currbuf]) -@@ -1181,7 +1231,15 @@ - SSL_R_BIO_NOT_SET); - i = -1; - } -- if (i > 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { -+ -+ /* -+ * When an empty fragment is sent on a connection using KTLS, -+ * it is sent as a write of zero bytes. If this zero byte -+ * write succeeds, i will be 0 rather than a non-zero value. -+ * Treat i == 0 as success rather than an error for zero byte -+ * writes to permit this case. -+ */ -+ if (i >= 0 && tmpwrit == SSL3_BUFFER_get_left(&wb[currbuf])) { - SSL3_BUFFER_set_left(&wb[currbuf], 0); - SSL3_BUFFER_add_offset(&wb[currbuf], tmpwrit); - if (currbuf + 1 < s->rlayer.numwpipes) -diff --git ssl/record/record.h ssl/record/record.h -index af56206e07..10fdde71a8 100644 ---- ssl/record/record.h -+++ ssl/record/record.h -@@ -25,6 +25,8 @@ typedef struct ssl3_buffer_st { - size_t offset; - /* how many bytes left */ - size_t left; -+ /* 'buf' is from application for KTLS */ -+ int app_buffer; - } SSL3_BUFFER; - - #define SEQ_NUM_SIZE 8 -diff --git ssl/record/record_local.h ssl/record/record_local.h -index 5e8dd7f704..4760eeb7d8 100644 ---- ssl/record/record_local.h -+++ ssl/record/record_local.h -@@ -65,6 +65,8 @@ void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); - #define SSL3_BUFFER_add_offset(b, o) ((b)->offset += (o)) - #define SSL3_BUFFER_is_initialised(b) ((b)->buf != NULL) - #define SSL3_BUFFER_set_default_len(b, l) ((b)->default_len = (l)) -+#define SSL3_BUFFER_set_app_buffer(b, l) ((b)->app_buffer = (l)) -+#define SSL3_BUFFER_is_app_buffer(b) ((b)->app_buffer) - - void SSL3_BUFFER_clear(SSL3_BUFFER *b); - void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, size_t n); -@@ -88,6 +90,7 @@ int ssl3_release_write_buffer(SSL *s); - #define SSL3_RECORD_get_input(r) ((r)->input) - #define SSL3_RECORD_set_input(r, i) ((r)->input = (i)) - #define SSL3_RECORD_reset_input(r) ((r)->input = (r)->data) -+#define SSL3_RECORD_reset_data(r) ((r)->data = (r)->input) - #define SSL3_RECORD_get_seq_num(r) ((r)->seq_num) - #define SSL3_RECORD_get_off(r) ((r)->off) - #define SSL3_RECORD_set_off(r, o) ((r)->off = (o)) -diff --git ssl/record/ssl3_buffer.c ssl/record/ssl3_buffer.c -index b9ba25e0c3..10d11ab76c 100644 ---- ssl/record/ssl3_buffer.c -+++ ssl/record/ssl3_buffer.c -@@ -110,23 +110,27 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len) - for (currpipe = 0; currpipe < numwpipes; currpipe++) { - SSL3_BUFFER *thiswb = &wb[currpipe]; - -- if (thiswb->buf != NULL && thiswb->len != len) { -+ if (thiswb->len != len) { - OPENSSL_free(thiswb->buf); - thiswb->buf = NULL; /* force reallocation */ - } - - if (thiswb->buf == NULL) { -- p = OPENSSL_malloc(len); -- if (p == NULL) { -- s->rlayer.numwpipes = currpipe; -- /* -- * We've got a malloc failure, and we're still initialising -- * buffers. We assume we're so doomed that we won't even be able -- * to send an alert. -- */ -- SSLfatal(s, SSL_AD_NO_ALERT, -- SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); -- return 0; -+ if (s->wbio == NULL || !BIO_get_ktls_send(s->wbio)) { -+ p = OPENSSL_malloc(len); -+ if (p == NULL) { -+ s->rlayer.numwpipes = currpipe; -+ /* -+ * We've got a malloc failure, and we're still initialising -+ * buffers. We assume we're so doomed that we won't even be able -+ * to send an alert. -+ */ -+ SSLfatal(s, SSL_AD_NO_ALERT, -+ SSL_F_SSL3_SETUP_WRITE_BUFFER, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ } else { -+ p = NULL; - } - memset(thiswb, 0, sizeof(SSL3_BUFFER)); - thiswb->buf = p; -@@ -159,7 +163,10 @@ int ssl3_release_write_buffer(SSL *s) - while (pipes > 0) { - wb = &RECORD_LAYER_get_wbuf(&s->rlayer)[pipes - 1]; - -- OPENSSL_free(wb->buf); -+ if (SSL3_BUFFER_is_app_buffer(wb)) -+ SSL3_BUFFER_set_app_buffer(wb, 0); -+ else -+ OPENSSL_free(wb->buf); - wb->buf = NULL; - pipes--; - } -diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c -index f158544789..da549995e0 100644 ---- ssl/record/ssl3_record.c -+++ ssl/record/ssl3_record.c -@@ -186,6 +186,7 @@ int ssl3_get_record(SSL *s) - size_t num_recs = 0, max_recs, j; - PACKET pkt, sslv2pkt; - size_t first_rec_len; -+ int using_ktls; - - rr = RECORD_LAYER_get_rrec(&s->rlayer); - rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); -@@ -194,6 +195,12 @@ int ssl3_get_record(SSL *s) - max_recs = 1; - sess = s->session; - -+ /* -+ * KTLS reads full records. If there is any data left, -+ * then it is from before enabling ktls. -+ */ -+ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0; -+ - do { - thisrr = &rr[num_recs]; - -@@ -207,8 +214,32 @@ int ssl3_get_record(SSL *s) - rret = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, - SSL3_BUFFER_get_len(rbuf), 0, - num_recs == 0 ? 1 : 0, &n); -- if (rret <= 0) -- return rret; /* error or non-blocking */ -+ if (rret <= 0) { -+#ifndef OPENSSL_NO_KTLS -+ if (!BIO_get_ktls_recv(s->rbio) || rret == 0) -+ return rret; /* error or non-blocking */ -+ switch (errno) { -+ case EBADMSG: -+ SSLfatal(s, SSL_AD_BAD_RECORD_MAC, -+ SSL_F_SSL3_GET_RECORD, -+ SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); -+ break; -+ case EMSGSIZE: -+ SSLfatal(s, SSL_AD_RECORD_OVERFLOW, -+ SSL_F_SSL3_GET_RECORD, -+ SSL_R_PACKET_LENGTH_TOO_LONG); -+ break; -+ case EINVAL: -+ SSLfatal(s, SSL_AD_PROTOCOL_VERSION, -+ SSL_F_SSL3_GET_RECORD, -+ SSL_R_WRONG_VERSION_NUMBER); -+ break; -+ default: -+ break; -+ } -+#endif -+ return rret; -+ } - RECORD_LAYER_set_rstate(&s->rlayer, SSL_ST_READ_BODY); - - p = RECORD_LAYER_get_packet(&s->rlayer); -@@ -339,7 +370,9 @@ int ssl3_get_record(SSL *s) - } - } - -- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { -+ if (SSL_IS_TLS13(s) -+ && s->enc_read_ctx != NULL -+ && !using_ktls) { - if (thisrr->type != SSL3_RT_APPLICATION_DATA - && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC - || !SSL_IS_FIRST_HANDSHAKE(s)) -@@ -369,7 +402,13 @@ int ssl3_get_record(SSL *s) - } - - if (SSL_IS_TLS13(s)) { -- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { -+ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH; -+ -+ /* KTLS strips the inner record type. */ -+ if (using_ktls) -+ len = SSL3_RT_MAX_ENCRYPTED_LENGTH; -+ -+ if (thisrr->length > len) { - SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, - SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - return -1; -@@ -386,6 +425,10 @@ int ssl3_get_record(SSL *s) - len -= SSL3_RT_MAX_COMPRESSED_OVERHEAD; - #endif - -+ /* KTLS may use all of the buffer */ -+ if (using_ktls) -+ len = SSL3_BUFFER_get_left(rbuf); -+ - if (thisrr->length > len) { - SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, - SSL_R_ENCRYPTED_LENGTH_TOO_LONG); -@@ -404,6 +447,7 @@ int ssl3_get_record(SSL *s) - } else { - more = thisrr->length; - } -+ - if (more > 0) { - /* now s->rlayer.packet_length == SSL3_RT_HEADER_LENGTH */ - -@@ -491,6 +535,9 @@ int ssl3_get_record(SSL *s) - return 1; - } - -+ if (using_ktls) -+ goto skip_decryption; -+ - /* - * If in encrypt-then-mac mode calculate mac from encrypted record. All - * the details below are public so no timing details can leak. -@@ -678,6 +725,8 @@ int ssl3_get_record(SSL *s) - return -1; - } - -+ skip_decryption: -+ - for (j = 0; j < num_recs; j++) { - thisrr = &rr[j]; - -@@ -698,22 +747,30 @@ int ssl3_get_record(SSL *s) - if (SSL_IS_TLS13(s) - && s->enc_read_ctx != NULL - && thisrr->type != SSL3_RT_ALERT) { -- size_t end; -+ /* -+ * The following logic are irrelevant in KTLS: the kernel provides -+ * unprotected record and thus record type represent the actual -+ * content type, and padding is already removed and thisrr->type and -+ * thisrr->length should have the correct values. -+ */ -+ if (!using_ktls) { -+ size_t end; - -- if (thisrr->length == 0 -- || thisrr->type != SSL3_RT_APPLICATION_DATA) { -- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_GET_RECORD, -- SSL_R_BAD_RECORD_TYPE); -- return -1; -+ if (thisrr->length == 0 -+ || thisrr->type != SSL3_RT_APPLICATION_DATA) { -+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, -+ SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE); -+ return -1; -+ } -+ -+ /* Strip trailing padding */ -+ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; -+ end--) -+ continue; ++ /* Strip trailing padding */ ++ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; ++ end--) ++ continue; + + thisrr->length = end; + thisrr->type = thisrr->data[end]; } - - /* Strip trailing padding */ - for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; - end--) - continue; - - thisrr->length = end; - thisrr->type = thisrr->data[end]; if (thisrr->type != SSL3_RT_APPLICATION_DATA && thisrr->type != SSL3_RT_ALERT && thisrr->type != SSL3_RT_HANDSHAKE) { -@@ -723,7 +780,7 @@ int ssl3_get_record(SSL *s) +@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s) } if (s->msg_callback) s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, - &thisrr->data[end], 1, s, s->msg_callback_arg); + &thisrr->type, 1, s, s->msg_callback_arg); } /* -@@ -739,13 +796,25 @@ int ssl3_get_record(SSL *s) - return -1; - } - -- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) { -+ /* -+ * Usually thisrr->length is the length of a single record, but when -+ * KTLS handles the decryption, thisrr->length may be larger than -+ * SSL3_RT_MAX_PLAIN_LENGTH because the kernel may have coalesced -+ * multiple records. -+ * Therefore we have to rely on KTLS to check the plaintext length -+ * limit in the kernel. -+ */ +@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s) + * Therefore we have to rely on KTLS to check the plaintext length + * limit in the kernel. + */ +- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH +- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) { + if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) { - SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, - SSL_R_DATA_LENGTH_TOO_LONG); - return -1; - } - -- /* If received packet overflows current Max Fragment Length setting */ -+ /* -+ * Check if the received packet overflows the current -+ * Max Fragment Length setting. -+ * Note: USE_MAX_FRAGMENT_LENGTH_EXT and KTLS are mutually exclusive. -+ */ - if (s->session != NULL && USE_MAX_FRAGMENT_LENGTH_EXT(s->session) - && thisrr->length > GET_MAX_FRAGMENT_LENGTH(s->session)) { - SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_F_SSL3_GET_RECORD, -diff --git ssl/ssl_conf.c ssl/ssl_conf.c -index 0a3fef7c8c..8013c62f07 100644 ---- ssl/ssl_conf.c -+++ ssl/ssl_conf.c -@@ -391,7 +391,8 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) - SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), - SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), - SSL_FLAG_TBL("MiddleboxCompat", SSL_OP_ENABLE_MIDDLEBOX_COMPAT), -- SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY) -+ SSL_FLAG_TBL_INV("AntiReplay", SSL_OP_NO_ANTI_REPLAY), -+ SSL_FLAG_TBL("KTLS", SSL_OP_ENABLE_KTLS) - }; - if (value == NULL) - return -3; -diff --git ssl/ssl_err.c ssl/ssl_err.c -index 324f2ccbb0..03273204ee 100644 ---- ssl/ssl_err.c -+++ ssl/ssl_err.c -@@ -313,6 +313,7 @@ static const ERR_STRING_DATA SSL_str_functs[] = { - "SSL_renegotiate_abbreviated"}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT, 0), ""}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 0), ""}, -+ {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SENDFILE, 0), "SSL_sendfile"}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_DUP, 0), "ssl_session_dup"}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_NEW, 0), "SSL_SESSION_new"}, - {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_PRINT_FP, 0), -diff --git ssl/ssl_lib.c ssl/ssl_lib.c -index 25a1a44785..1fbad29b23 100644 ---- ssl/ssl_lib.c -+++ ssl/ssl_lib.c -@@ -11,6 +11,7 @@ - - #include - #include "ssl_local.h" -+#include "e_os.h" - #include - #include - #include -@@ -22,6 +23,7 @@ - #include - #include "internal/cryptlib.h" - #include "internal/refcount.h" -+#include "internal/ktls.h" - - const char SSL_version_str[] = OPENSSL_VERSION_TEXT; - -@@ -1159,11 +1161,15 @@ void SSL_free(SSL *s) - dane_final(&s->dane); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); - -+ RECORD_LAYER_release(&s->rlayer); -+ - /* Ignore return value */ - ssl_free_wbio_buffer(s); - - BIO_free_all(s->wbio); -+ s->wbio = NULL; - BIO_free_all(s->rbio); -+ s->rbio = NULL; - - BUF_MEM_free(s->init_buf); - -@@ -1220,8 +1226,6 @@ void SSL_free(SSL *s) - if (s->method != NULL) - s->method->ssl_free(s); - -- RECORD_LAYER_release(&s->rlayer); -- - SSL_CTX_free(s->ctx); - - ASYNC_WAIT_CTX_free(s->waitctx); -@@ -1361,6 +1365,15 @@ int SSL_set_fd(SSL *s, int fd) - } - BIO_set_fd(bio, fd, BIO_NOCLOSE); - SSL_set_bio(s, bio, bio); -+#ifndef OPENSSL_NO_KTLS -+ /* -+ * The new socket is created successfully regardless of ktls_enable. -+ * ktls_enable doesn't change any functionality of the socket, except -+ * changing the setsockopt to enable the processing of ktls_start. -+ * Thus, it is not a problem to call it for non-TLS sockets. -+ */ -+ ktls_enable(fd); -+#endif /* OPENSSL_NO_KTLS */ - ret = 1; - err: - return ret; -@@ -1380,6 +1393,15 @@ int SSL_set_wfd(SSL *s, int fd) + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); + goto end; } - BIO_set_fd(bio, fd, BIO_NOCLOSE); - SSL_set0_wbio(s, bio); -+#ifndef OPENSSL_NO_KTLS -+ /* -+ * The new socket is created successfully regardless of ktls_enable. -+ * ktls_enable doesn't change any functionality of the socket, except -+ * changing the setsockopt to enable the processing of ktls_start. -+ * Thus, it is not a problem to call it for non-TLS sockets. -+ */ -+ ktls_enable(fd); -+#endif /* OPENSSL_NO_KTLS */ - } else { - BIO_up_ref(rbio); - SSL_set0_wbio(s, rbio); -@@ -1963,6 +1985,70 @@ int ssl_write_internal(SSL *s, const void *buf, size_t num, size_t *written) - } - } - -+ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags) -+{ -+ ossl_ssize_t ret; -+ -+ if (s->handshake_func == NULL) { -+ SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); -+ return -1; -+ } -+ -+ if (s->shutdown & SSL_SENT_SHUTDOWN) { -+ s->rwstate = SSL_NOTHING; -+ SSLerr(SSL_F_SSL_SENDFILE, SSL_R_PROTOCOL_IS_SHUTDOWN); -+ return -1; -+ } -+ -+ if (!BIO_get_ktls_send(s->wbio)) { -+ SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); -+ return -1; -+ } -+ -+ /* If we have an alert to send, lets send it */ -+ if (s->s3->alert_dispatch) { -+ ret = (ossl_ssize_t)s->method->ssl_dispatch_alert(s); -+ if (ret <= 0) { -+ /* SSLfatal() already called if appropriate */ -+ return ret; -+ } -+ /* if it went, fall through and send more stuff */ -+ } -+ -+ s->rwstate = SSL_WRITING; -+ if (BIO_flush(s->wbio) <= 0) { -+ if (!BIO_should_retry(s->wbio)) { -+ s->rwstate = SSL_NOTHING; -+ } else { -+#ifdef EAGAIN -+ set_sys_error(EAGAIN); -+#endif -+ } -+ return -1; -+ } -+ -+#ifdef OPENSSL_NO_KTLS -+ SYSerr(SSL_F_SSL_SENDFILE, ERR_R_INTERNAL_ERROR); -+ ERR_add_error_data(1, "calling sendfile()"); -+ return -1; -+#else -+ ret = ktls_sendfile(SSL_get_wfd(s), fd, offset, size, flags); -+ if (ret < 0) { -+#if defined(EAGAIN) && defined(EINTR) && defined(EBUSY) -+ if ((get_last_sys_error() == EAGAIN) || -+ (get_last_sys_error() == EINTR) || -+ (get_last_sys_error() == EBUSY)) -+ BIO_set_retry_write(s->wbio); -+ else -+#endif -+ SSLerr(SSL_F_SSL_SENDFILE, SSL_R_UNINITIALIZED); -+ return ret; -+ } -+ s->rwstate = SSL_NOTHING; -+ return ret; -+#endif -+} -+ - int SSL_write(SSL *s, const void *buf, int num) - { - int ret; -@@ -2213,6 +2299,10 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) - case SSL_CTRL_SET_MAX_SEND_FRAGMENT: - if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) - return 0; -+#ifndef OPENSSL_NO_KTLS -+ if (s->wbio != NULL && BIO_get_ktls_send(s->wbio)) -+ return 0; -+#endif /* OPENSSL_NO_KTLS */ - s->max_send_fragment = larg; - if (s->max_send_fragment < s->split_send_fragment) - s->split_send_fragment = s->max_send_fragment; -@@ -4471,11 +4561,18 @@ int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size) - return 1; - } - --void SSL_set_record_padding_callback(SSL *ssl, -+int SSL_set_record_padding_callback(SSL *ssl, - size_t (*cb) (SSL *ssl, int type, - size_t len, void *arg)) - { -- ssl->record_padding_cb = cb; -+ BIO *b; -+ -+ b = SSL_get_wbio(ssl); -+ if (b == NULL || !BIO_get_ktls_send(b)) { -+ ssl->record_padding_cb = cb; -+ return 1; -+ } -+ return 0; - } - - void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg) diff --git ssl/ssl_local.h ssl/ssl_local.h -index 9f346e30e8..587064cc18 100644 +index 5471e900b8..79ced2f468 100644 --- ssl/ssl_local.h +++ ssl/ssl_local.h -@@ -34,6 +34,8 @@ - # include "internal/dane.h" - # include "internal/refcount.h" - # include "internal/tsan_assist.h" -+# include "internal/bio.h" -+# include "internal/ktls.h" - - # ifdef OPENSSL_BUILD_SHLIBSSL - # undef OPENSSL_EXTERN -@@ -2617,6 +2619,17 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, - #define EARLY_EXPORTER_SECRET_LABEL "EARLY_EXPORTER_SECRET" - #define EXPORTER_SECRET_LABEL "EXPORTER_SECRET" - -+# ifndef OPENSSL_NO_KTLS -+/* ktls.c */ -+int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, -+ const EVP_CIPHER_CTX *dd); +@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, + /* ktls.c */ + int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + const EVP_CIPHER_CTX *dd); +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, +int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, -+ void *rl_sequence, ktls_crypto_info_t *crypto_info, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, + int is_tx, unsigned char *iv, -+ unsigned char *key, unsigned char *mac_key, -+ size_t mac_secret_size); -+# endif -+ - /* s3_cbc.c */ - __owur char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); - __owur int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size); + # endif diff --git ssl/t1_enc.c ssl/t1_enc.c -index f8e53d4efc..46191908ab 100644 +index 237a19cd93..900ba14fbd 100644 --- ssl/t1_enc.c +++ ssl/t1_enc.c -@@ -10,10 +10,14 @@ - - #include - #include "ssl_local.h" -+#include "record/record_local.h" -+#include "internal/ktls.h" -+#include "internal/cryptlib.h" - #include - #include - #include - #include -+#include +@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) + return ret; + } - /* seed1 through seed5 are concatenated */ - static int tls1_PRF(SSL *s, -@@ -94,6 +98,11 @@ int tls1_change_cipher_state(SSL *s, int which) - EVP_PKEY *mac_key; - size_t n, i, j, k, cl; +-#ifndef OPENSSL_NO_KTLS +- /* +- * Count the number of records that were not processed yet from record boundary. +- * +- * This function assumes that there are only fully formed records read in the +- * record layer. If read_ahead is enabled, then this might be false and this +- * function will fail. +- */ +-# ifndef OPENSSL_NO_KTLS_RX +-static int count_unprocessed_records(SSL *s) +-{ +- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); +- PACKET pkt, subpkt; +- int count = 0; +- +- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) +- return -1; +- +- while (PACKET_remaining(&pkt) > 0) { +- /* Skip record type and version */ +- if (!PACKET_forward(&pkt, 3)) +- return -1; +- +- /* Read until next record */ +- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) +- return -1; +- +- count += 1; +- } +- +- return count; +-} +-# endif +-#endif +- +- + int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, + const EVP_CIPHER *ciph, + const EVP_MD *md) +@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which) int reuse_dd = 0; -+#ifndef OPENSSL_NO_KTLS -+ ktls_crypto_info_t crypto_info; -+ void *rl_sequence; -+ BIO *bio; -+#endif + #ifndef OPENSSL_NO_KTLS + ktls_crypto_info_t crypto_info; +- unsigned char *rec_seq; + void *rl_sequence; +-# ifndef OPENSSL_NO_KTLS_RX +- int count_unprocessed; +- int bit; +-# endif + BIO *bio; + #endif + +@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which) + else + rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); - c = s->s3->tmp.new_sym_enc; - m = s->s3->tmp.new_hash; -@@ -312,6 +321,62 @@ int tls1_change_cipher_state(SSL *s, int which) - ERR_R_INTERNAL_ERROR); - goto err; - } -+#ifndef OPENSSL_NO_KTLS -+ if (s->compress || (s->options & SSL_OP_ENABLE_KTLS) == 0) -+ goto skip_ktls; -+ -+ /* ktls supports only the maximum fragment size */ -+ if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) -+ goto skip_ktls; -+ -+ /* check that cipher is supported */ -+ if (!ktls_check_supported_cipher(s, c, dd)) -+ goto skip_ktls; -+ -+ if (which & SSL3_CC_WRITE) -+ bio = s->wbio; -+ else -+ bio = s->rbio; -+ -+ if (!ossl_assert(bio != NULL)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, -+ ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ -+ if (which & SSL3_CC_WRITE) { -+ if (BIO_flush(bio) <= 0) -+ goto skip_ktls; -+ } -+ -+ /* ktls doesn't support renegotiation */ -+ if ((BIO_get_ktls_send(s->wbio) && (which & SSL3_CC_WRITE)) || -+ (BIO_get_ktls_recv(s->rbio) && (which & SSL3_CC_READ))) { -+ SSLfatal(s, SSL_AD_NO_RENEGOTIATION, SSL_F_TLS1_CHANGE_CIPHER_STATE, -+ ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (which & SSL3_CC_WRITE) -+ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); -+ else -+ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); -+ +- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq, +- iv, key, ms, *mac_secret_size)) + if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, + which & SSL3_CC_WRITE, iv, key, ms, + *mac_secret_size)) -+ goto skip_ktls; -+ -+ /* ktls works with user provided buffers directly */ -+ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { -+ if (which & SSL3_CC_WRITE) -+ ssl3_release_write_buffer(s); -+ SSL_set_options(s, SSL_OP_NO_RENEGOTIATION); -+ } -+ -+ skip_ktls: -+#endif /* OPENSSL_NO_KTLS */ - s->statem.enc_write_state = ENC_WRITE_STATE_VALID; + goto skip_ktls; - #ifdef SSL_DEBUG +- if (which & SSL3_CC_READ) { +-# ifndef OPENSSL_NO_KTLS_RX +- count_unprocessed = count_unprocessed_records(s); +- if (count_unprocessed < 0) +- goto skip_ktls; +- +- /* increment the crypto_info record sequence */ +- while (count_unprocessed) { +- for (bit = 7; bit >= 0; bit--) { /* increment */ +- ++rec_seq[bit]; +- if (rec_seq[bit] != 0) +- break; +- } +- count_unprocessed--; +- } +-# else +- goto skip_ktls; +-# endif +- } +- + /* ktls works with user provided buffers directly */ + if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { + if (which & SSL3_CC_WRITE) diff --git ssl/tls13_enc.c ssl/tls13_enc.c -index b8fb07f210..109227e556 100644 +index 12388922e3..eaab0e2a74 100644 --- ssl/tls13_enc.c +++ ssl/tls13_enc.c -@@ -9,6 +9,8 @@ - - #include - #include "ssl_local.h" -+#include "internal/ktls.h" -+#include "record/record_local.h" - #include "internal/cryptlib.h" - #include - #include -@@ -363,9 +365,9 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, - const unsigned char *hash, - const unsigned char *label, - size_t labellen, unsigned char *secret, -- unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx) -+ unsigned char *key, unsigned char *iv, -+ EVP_CIPHER_CTX *ciph_ctx) - { -- unsigned char key[EVP_MAX_KEY_LENGTH]; - size_t ivlen, keylen, taglen; - int hashleni = EVP_MD_size(md); - size_t hashlen; -@@ -374,14 +376,14 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, - if (!ossl_assert(hashleni >= 0)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, - ERR_R_EVP_LIB); -- goto err; -+ return 0; - } - hashlen = (size_t)hashleni; - - if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, - secret, hashlen, 1)) { - /* SSLfatal() already called */ -- goto err; -+ return 0; - } - - /* TODO(size_t): convert me */ -@@ -401,7 +403,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, - } else { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, - ERR_R_EVP_LIB); -- goto err; -+ return 0; - } - if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) - taglen = EVP_CCM8_TLS_TAG_LEN; -@@ -415,7 +417,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, - if (!tls13_derive_key(s, md, secret, key, keylen) - || !tls13_derive_iv(s, md, secret, iv, ivlen)) { - /* SSLfatal() already called */ -- goto err; -+ return 0; - } - - if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 -@@ -425,13 +427,10 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, - || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, - ERR_R_EVP_LIB); -- goto err; -+ return 0; - } - - return 1; -- err: -- OPENSSL_cleanse(key, sizeof(key)); -- return 0; - } - - int tls13_change_cipher_state(SSL *s, int which) -@@ -456,6 +455,7 @@ int tls13_change_cipher_state(SSL *s, int which) - static const unsigned char early_exporter_master_secret[] = "e exp master"; - #endif - unsigned char *iv; -+ unsigned char key[EVP_MAX_KEY_LENGTH]; - unsigned char secret[EVP_MAX_MD_SIZE]; - unsigned char hashval[EVP_MAX_MD_SIZE]; - unsigned char *hash = hashval; -@@ -469,6 +469,11 @@ int tls13_change_cipher_state(SSL *s, int which) - int ret = 0; - const EVP_MD *md = NULL; +@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which) const EVP_CIPHER *cipher = NULL; -+#if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) -+ ktls_crypto_info_t crypto_info; + #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) + ktls_crypto_info_t crypto_info; + void *rl_sequence; -+ BIO *bio; -+#endif - - if (which & SSL3_CC_READ) { - if (s->enc_read_ctx != NULL) { -@@ -671,9 +676,13 @@ int tls13_change_cipher_state(SSL *s, int which) - } - } + BIO *bio; + #endif -+ /* check whether cipher is known */ -+ if(!ossl_assert(cipher != NULL)) -+ goto err; -+ - if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, -- insecret, hash, label, labellen, secret, iv, -- ciph_ctx)) { -+ insecret, hash, label, labellen, secret, key, -+ iv, ciph_ctx)) { - /* SSLfatal() already called */ - goto err; - } -@@ -714,8 +723,62 @@ int tls13_change_cipher_state(SSL *s, int which) - s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; - else +@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which) s->statem.enc_write_state = ENC_WRITE_STATE_VALID; -+#ifndef OPENSSL_NO_KTLS -+# if defined(OPENSSL_KTLS_TLS13) + #ifndef OPENSSL_NO_KTLS + # if defined(OPENSSL_KTLS_TLS13) +- if (!(which & SSL3_CC_WRITE) +- || !(which & SSL3_CC_APPLICATION) + if (!(which & SSL3_CC_APPLICATION) -+ || (s->options & SSL_OP_ENABLE_KTLS) == 0) -+ goto skip_ktls; -+ -+ /* ktls supports only the maximum fragment size */ -+ if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) -+ goto skip_ktls; -+ -+ /* ktls does not support record padding */ -+ if (s->record_padding_cb != NULL) -+ goto skip_ktls; -+ -+ /* check that cipher is supported */ -+ if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) -+ goto skip_ktls; -+ + || (s->options & SSL_OP_ENABLE_KTLS) == 0) + goto skip_ktls; + +@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which) + if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) + goto skip_ktls; + +- bio = s->wbio; + if (which & SSL3_CC_WRITE) + bio = s->wbio; + else + bio = s->rbio; -+ -+ if (!ossl_assert(bio != NULL)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE, -+ ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ + + if (!ossl_assert(bio != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); +@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which) + } + + /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ +- if (BIO_flush(bio) <= 0) +- goto skip_ktls; + if (which & SSL3_CC_WRITE) { + if (BIO_flush(bio) <= 0) + goto skip_ktls; + } -+ -+ /* configure kernel crypto structure */ + + /* configure kernel crypto structure */ +- if (!ktls_configure_crypto(s, cipher, ciph_ctx, +- RECORD_LAYER_get_write_sequence(&s->rlayer), +- &crypto_info, NULL, iv, key, NULL, 0)) + if (which & SSL3_CC_WRITE) + rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); + else + rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); + + if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info, + which & SSL3_CC_WRITE, iv, key, NULL, 0)) -+ goto skip_ktls; -+ -+ /* ktls works with user provided buffers directly */ + goto skip_ktls; + + /* ktls works with user provided buffers directly */ +- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) +- ssl3_release_write_buffer(s); + if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { + if (which & SSL3_CC_WRITE) + ssl3_release_write_buffer(s); + } -+skip_ktls: -+# endif -+#endif - ret = 1; - err: -+ OPENSSL_cleanse(key, sizeof(key)); - OPENSSL_cleanse(secret, sizeof(secret)); - return ret; - } -@@ -729,6 +792,7 @@ int tls13_update_key(SSL *s, int sending) + skip_ktls: + # endif #endif - const EVP_MD *md = ssl_handshake_md(s); - size_t hashlen = EVP_MD_size(md); -+ unsigned char key[EVP_MAX_KEY_LENGTH]; - unsigned char *insecret, *iv; - unsigned char secret[EVP_MAX_MD_SIZE]; - EVP_CIPHER_CTX *ciph_ctx; -@@ -753,8 +817,8 @@ int tls13_update_key(SSL *s, int sending) - if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s), - s->s3->tmp.new_sym_enc, insecret, NULL, - application_traffic, -- sizeof(application_traffic) - 1, secret, iv, -- ciph_ctx)) { -+ sizeof(application_traffic) - 1, secret, key, -+ iv, ciph_ctx)) { - /* SSLfatal() already called */ - goto err; - } -@@ -764,6 +828,7 @@ int tls13_update_key(SSL *s, int sending) - s->statem.enc_write_state = ENC_WRITE_STATE_VALID; - ret = 1; - err: -+ OPENSSL_cleanse(key, sizeof(key)); - OPENSSL_cleanse(secret, sizeof(secret)); - return ret; - } -diff --git test/build.info test/build.info -index 6357a7f2fe..3b8d5ee765 100644 ---- test/build.info -+++ test/build.info -@@ -546,7 +546,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN - # We disable this test completely in a shared build because it deliberately - # redefines some internal libssl symbols. This doesn't work in a non-shared - # build -- IF[{- !$disabled{shared} -}] -+ IF[{- !$disabled{shared} && $disabled{ktls} -}] - PROGRAMS_NO_INST=tls13secretstest - SOURCE[tls13secretstest]=tls13secretstest.c - SOURCE[tls13secretstest]= ../ssl/tls13_enc.c ../ssl/packet.c -diff --git test/recipes/80-test_ssl_old.t test/recipes/80-test_ssl_old.t -index 19772f61ef..f3cfda0507 100644 ---- test/recipes/80-test_ssl_old.t -+++ test/recipes/80-test_ssl_old.t -@@ -327,11 +327,9 @@ sub testssl { - } - - -- # plan tests => 11; -- - subtest 'standard SSL tests' => sub { -- ###################################################################### -- plan tests => 13; -+ ###################################################################### -+ plan tests => 19; - - SKIP: { - skip "SSLv3 is not supported by this OpenSSL build", 4 -@@ -356,8 +354,8 @@ sub testssl { - } - - SKIP: { -- skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 8 -- if $no_anytls; -+ skip "Neither SSLv3 nor any TLS version are supported by this OpenSSL build", 14 -+ if $no_anytls; - - SKIP: { - skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; -@@ -378,17 +376,29 @@ sub testssl { - 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); - - SKIP: { -- skip "No IPv4 available on this machine", 1 -+ skip "No IPv4 available on this machine", 4 - unless !disabled("sock") && have_IPv4(); - ok(run(test([@ssltest, "-ipv4"])), - 'test TLS via IPv4'); -+ ok(run(test([@ssltest, "-ipv4", "-client_ktls"])), -+ 'test TLS via IPv4 + ktls(client)'); -+ ok(run(test([@ssltest, "-ipv4", "-server_ktls"])), -+ 'test TLS via IPv4 + ktls(server)'); -+ ok(run(test([@ssltest, "-ipv4", "-client_ktls", "-server_ktls"])), -+ 'test TLS via IPv4 + ktls'); - } - - SKIP: { -- skip "No IPv6 available on this machine", 1 -+ skip "No IPv6 available on this machine", 4 - unless !disabled("sock") && have_IPv6(); - ok(run(test([@ssltest, "-ipv6"])), - 'test TLS via IPv6'); -+ ok(run(test([@ssltest, "-ipv6", "-client_ktls"])), -+ 'test TLS via IPv6 + ktls(client)'); -+ ok(run(test([@ssltest, "-ipv6", "-server_ktls"])), -+ 'test TLS via IPv6 + ktls(client)'); -+ ok(run(test([@ssltest, "-ipv6", "-client_ktls", "-server_ktls"])), -+ 'test TLS via IPv6 + ktls'); - } - } - }; -diff --git test/recipes/90-test_tls13secrets.t test/recipes/90-test_tls13secrets.t -index 5490885309..3478e540ed 100644 ---- test/recipes/90-test_tls13secrets.t -+++ test/recipes/90-test_tls13secrets.t -@@ -13,7 +13,7 @@ my $test_name = "tls13secrets"; - setup($test_name); - - plan skip_all => "$test_name is not supported in this build" -- if disabled("tls1_3") || disabled("shared"); -+ if disabled("tls1_3") || disabled("shared") || !disabled("ktls"); - - plan tests => 1; - diff --git test/sslapitest.c test/sslapitest.c -index 6b5d9449a0..47ba76f0a5 100644 +index 2911d6e94b..faf2eec2bc 100644 --- test/sslapitest.c +++ test/sslapitest.c -@@ -7,6 +7,7 @@ - * https://www.openssl.org/source/license.html - */ - -+#include - #include - - #include -@@ -17,12 +18,14 @@ - #include - #include - #include -+#include - #include - - #include "ssltestlib.h" - #include "testutil.h" - #include "testutil/output.h" - #include "internal/nelem.h" -+#include "internal/ktls.h" - #include "../ssl/ssl_local.h" - - #ifndef OPENSSL_NO_TLS1_3 -@@ -780,6 +783,433 @@ static int execute_test_large_message(const SSL_METHOD *smeth, - return testresult; - } - -+#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \ -+ !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2)) -+/* sock must be connected */ -+static int ktls_chk_platform(int sock) -+{ -+ if (!ktls_enable(sock)) -+ return 0; -+ return 1; -+} -+ -+static int ping_pong_query(SSL *clientssl, SSL *serverssl) -+{ -+ static char count = 1; -+ unsigned char cbuf[16000] = {0}; -+ unsigned char sbuf[16000]; -+ size_t err = 0; -+ char crec_wseq_before[SEQ_NUM_SIZE]; -+ char crec_wseq_after[SEQ_NUM_SIZE]; -+ char crec_rseq_before[SEQ_NUM_SIZE]; -+ char crec_rseq_after[SEQ_NUM_SIZE]; -+ char srec_wseq_before[SEQ_NUM_SIZE]; -+ char srec_wseq_after[SEQ_NUM_SIZE]; -+ char srec_rseq_before[SEQ_NUM_SIZE]; -+ char srec_rseq_after[SEQ_NUM_SIZE]; -+ -+ cbuf[0] = count++; -+ memcpy(crec_wseq_before, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE); -+ memcpy(crec_rseq_before, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE); -+ memcpy(srec_wseq_before, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE); -+ memcpy(srec_rseq_before, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE); -+ -+ if (!TEST_true(SSL_write(clientssl, cbuf, sizeof(cbuf)) == sizeof(cbuf))) -+ goto end; -+ -+ while ((err = SSL_read(serverssl, &sbuf, sizeof(sbuf))) != sizeof(sbuf)) { -+ if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_READ) { -+ goto end; -+ } -+ } -+ -+ if (!TEST_true(SSL_write(serverssl, sbuf, sizeof(sbuf)) == sizeof(sbuf))) -+ goto end; -+ -+ while ((err = SSL_read(clientssl, &cbuf, sizeof(cbuf))) != sizeof(cbuf)) { -+ if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) { -+ goto end; -+ } -+ } -+ -+ memcpy(crec_wseq_after, &clientssl->rlayer.write_sequence, SEQ_NUM_SIZE); -+ memcpy(crec_rseq_after, &clientssl->rlayer.read_sequence, SEQ_NUM_SIZE); -+ memcpy(srec_wseq_after, &serverssl->rlayer.write_sequence, SEQ_NUM_SIZE); -+ memcpy(srec_rseq_after, &serverssl->rlayer.read_sequence, SEQ_NUM_SIZE); -+ -+ /* verify the payload */ -+ if (!TEST_mem_eq(cbuf, sizeof(cbuf), sbuf, sizeof(sbuf))) -+ goto end; -+ -+ /* -+ * If ktls is used then kernel sequences are used instead of -+ * OpenSSL sequences -+ */ -+ if (!BIO_get_ktls_send(clientssl->wbio)) { -+ if (!TEST_mem_ne(crec_wseq_before, SEQ_NUM_SIZE, -+ crec_wseq_after, SEQ_NUM_SIZE)) -+ goto end; -+ } else { -+ if (!TEST_mem_eq(crec_wseq_before, SEQ_NUM_SIZE, -+ crec_wseq_after, SEQ_NUM_SIZE)) -+ goto end; -+ } -+ -+ if (!BIO_get_ktls_send(serverssl->wbio)) { -+ if (!TEST_mem_ne(srec_wseq_before, SEQ_NUM_SIZE, -+ srec_wseq_after, SEQ_NUM_SIZE)) -+ goto end; -+ } else { -+ if (!TEST_mem_eq(srec_wseq_before, SEQ_NUM_SIZE, -+ srec_wseq_after, SEQ_NUM_SIZE)) -+ goto end; -+ } -+ -+ if (!BIO_get_ktls_recv(clientssl->wbio)) { -+ if (!TEST_mem_ne(crec_rseq_before, SEQ_NUM_SIZE, -+ crec_rseq_after, SEQ_NUM_SIZE)) -+ goto end; -+ } else { -+ if (!TEST_mem_eq(crec_rseq_before, SEQ_NUM_SIZE, -+ crec_rseq_after, SEQ_NUM_SIZE)) -+ goto end; -+ } -+ -+ if (!BIO_get_ktls_recv(serverssl->wbio)) { -+ if (!TEST_mem_ne(srec_rseq_before, SEQ_NUM_SIZE, -+ srec_rseq_after, SEQ_NUM_SIZE)) -+ goto end; -+ } else { -+ if (!TEST_mem_eq(srec_rseq_before, SEQ_NUM_SIZE, -+ srec_rseq_after, SEQ_NUM_SIZE)) -+ goto end; -+ } -+ -+ return 1; -+end: -+ return 0; -+} -+ -+static int execute_test_ktls(int cis_ktls, int sis_ktls, -+ int tls_version, const char *cipher) -+{ -+ SSL_CTX *cctx = NULL, *sctx = NULL; -+ SSL *clientssl = NULL, *serverssl = NULL; -+ int ktls_used = 0, testresult = 0; -+ int cfd = -1, sfd = -1; -+ int rx_supported; -+ -+ if (!TEST_true(create_test_sockets(&cfd, &sfd))) -+ goto end; -+ -+ /* Skip this test if the platform does not support ktls */ -+ if (!ktls_chk_platform(cfd)) { -+ TEST_info("Kernel does not support KTLS"); -+ testresult = 1; -+ goto end; -+ } -+ -+ /* Create a session based on SHA-256 */ -+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), -+ TLS_client_method(), -+ tls_version, tls_version, -+ &sctx, &cctx, cert, privkey))) -+ goto end; -+ -+ if (tls_version == TLS1_3_VERSION) { -+ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher)) -+ || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher))) -+ goto end; -+ } else { -+ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) -+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))) -+ goto end; -+ } -+ -+ if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, -+ &clientssl, sfd, cfd))) -+ goto end; -+ -+ if (cis_ktls) { -+ if (!TEST_true(SSL_set_options(clientssl, SSL_OP_ENABLE_KTLS))) -+ goto end; -+ } -+ -+ if (sis_ktls) { -+ if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS))) -+ goto end; -+ } -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ /* -+ * The running kernel may not support a given cipher suite -+ * or direction, so just check that KTLS isn't used when it -+ * isn't enabled. -+ */ -+ if (!cis_ktls) { -+ if (!TEST_false(BIO_get_ktls_send(clientssl->wbio))) -+ goto end; -+ } else { -+ if (BIO_get_ktls_send(clientssl->wbio)) -+ ktls_used = 1; -+ } -+ -+ if (!sis_ktls) { -+ if (!TEST_false(BIO_get_ktls_send(serverssl->wbio))) -+ goto end; -+ } else { -+ if (BIO_get_ktls_send(serverssl->wbio)) -+ ktls_used = 1; -+ } -+ -+#if defined(OPENSSL_NO_KTLS_RX) -+ rx_supported = 0; -+#else +@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, + #if defined(OPENSSL_NO_KTLS_RX) + rx_supported = 0; + #else +- rx_supported = (tls_version != TLS1_3_VERSION); + rx_supported = 1; -+#endif -+ if (!cis_ktls || !rx_supported) { -+ if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) -+ goto end; -+ } else { -+ if (BIO_get_ktls_send(clientssl->rbio)) -+ ktls_used = 1; -+ } -+ -+ if (!sis_ktls || !rx_supported) { -+ if (!TEST_false(BIO_get_ktls_recv(serverssl->rbio))) -+ goto end; -+ } else { -+ if (BIO_get_ktls_send(serverssl->rbio)) -+ ktls_used = 1; -+ } -+ -+ if ((cis_ktls || sis_ktls) && !ktls_used) { -+ TEST_info("KTLS not supported for %s cipher %s", -+ tls_version == TLS1_3_VERSION ? "TLS 1.3" : -+ "TLS 1.2", cipher); -+ testresult = 1; -+ goto end; -+ } -+ -+ if (!TEST_true(ping_pong_query(clientssl, serverssl))) -+ goto end; -+ -+ testresult = 1; -+end: -+ if (clientssl) { -+ SSL_shutdown(clientssl); -+ SSL_free(clientssl); -+ } -+ if (serverssl) { -+ SSL_shutdown(serverssl); -+ SSL_free(serverssl); -+ } -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ serverssl = clientssl = NULL; -+ if (cfd != -1) -+ close(cfd); -+ if (sfd != -1) -+ close(sfd); -+ return testresult; -+} -+ -+#define SENDFILE_SZ (16 * 4096) -+#define SENDFILE_CHUNK (4 * 4096) -+#define min(a,b) ((a) > (b) ? (b) : (a)) -+ -+static int execute_test_ktls_sendfile(int tls_version, const char *cipher) -+{ -+ SSL_CTX *cctx = NULL, *sctx = NULL; -+ SSL *clientssl = NULL, *serverssl = NULL; -+ unsigned char *buf, *buf_dst; -+ BIO *out = NULL, *in = NULL; -+ int cfd = -1, sfd = -1, ffd, err; -+ ssize_t chunk_size = 0; -+ off_t chunk_off = 0; -+ int testresult = 0; -+ FILE *ffdp; -+ -+ buf = OPENSSL_zalloc(SENDFILE_SZ); -+ buf_dst = OPENSSL_zalloc(SENDFILE_SZ); -+ if (!TEST_ptr(buf) || !TEST_ptr(buf_dst) -+ || !TEST_true(create_test_sockets(&cfd, &sfd))) -+ goto end; -+ -+ /* Skip this test if the platform does not support ktls */ -+ if (!ktls_chk_platform(sfd)) { -+ TEST_info("Kernel does not support KTLS"); -+ testresult = 1; -+ goto end; -+ } -+ -+ /* Create a session based on SHA-256 */ -+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), -+ TLS_client_method(), -+ tls_version, tls_version, -+ &sctx, &cctx, cert, privkey))) -+ goto end; -+ -+ if (tls_version == TLS1_3_VERSION) { -+ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, cipher)) -+ || !TEST_true(SSL_CTX_set_ciphersuites(sctx, cipher))) -+ goto end; -+ } else { -+ if (!TEST_true(SSL_CTX_set_cipher_list(cctx, cipher)) -+ || !TEST_true(SSL_CTX_set_cipher_list(sctx, cipher))) -+ goto end; -+ } -+ -+ if (!TEST_true(create_ssl_objects2(sctx, cctx, &serverssl, -+ &clientssl, sfd, cfd))) -+ goto end; -+ -+ if (!TEST_true(SSL_set_options(serverssl, SSL_OP_ENABLE_KTLS))) -+ goto end; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ if (!BIO_get_ktls_send(serverssl->wbio)) { -+ TEST_info("Failed to enable KTLS for %s cipher %s", -+ tls_version == TLS1_3_VERSION ? "TLS 1.3" : -+ "TLS 1.2", cipher); -+ testresult = 1; -+ goto end; -+ } -+ -+ RAND_bytes(buf, SENDFILE_SZ); -+ -+ out = BIO_new_file(tmpfilename, "wb"); -+ if (!TEST_ptr(out)) -+ goto end; -+ -+ if (BIO_write(out, buf, SENDFILE_SZ) != SENDFILE_SZ) -+ goto end; -+ -+ BIO_free(out); -+ out = NULL; -+ in = BIO_new_file(tmpfilename, "rb"); -+ BIO_get_fp(in, &ffdp); -+ ffd = fileno(ffdp); -+ -+ while (chunk_off < SENDFILE_SZ) { -+ chunk_size = min(SENDFILE_CHUNK, SENDFILE_SZ - chunk_off); -+ while ((err = SSL_sendfile(serverssl, -+ ffd, -+ chunk_off, -+ chunk_size, -+ 0)) != chunk_size) { -+ if (SSL_get_error(serverssl, err) != SSL_ERROR_WANT_WRITE) -+ goto end; -+ } -+ while ((err = SSL_read(clientssl, -+ buf_dst + chunk_off, -+ chunk_size)) != chunk_size) { -+ if (SSL_get_error(clientssl, err) != SSL_ERROR_WANT_READ) -+ goto end; -+ } -+ -+ /* verify the payload */ -+ if (!TEST_mem_eq(buf_dst + chunk_off, -+ chunk_size, -+ buf + chunk_off, -+ chunk_size)) -+ goto end; -+ -+ chunk_off += chunk_size; -+ } -+ -+ testresult = 1; -+end: -+ if (clientssl) { -+ SSL_shutdown(clientssl); -+ SSL_free(clientssl); -+ } -+ if (serverssl) { -+ SSL_shutdown(serverssl); -+ SSL_free(serverssl); -+ } -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ serverssl = clientssl = NULL; -+ BIO_free(out); -+ BIO_free(in); -+ if (cfd != -1) -+ close(cfd); -+ if (sfd != -1) -+ close(sfd); -+ OPENSSL_free(buf); -+ OPENSSL_free(buf_dst); -+ return testresult; -+} -+ -+static struct ktls_test_cipher { -+ int tls_version; -+ const char *cipher; -+} ktls_test_ciphers[] = { -+# if !defined(OPENSSL_NO_TLS1_2) -+# ifdef OPENSSL_KTLS_AES_GCM_128 -+ { TLS1_2_VERSION, "AES128-GCM-SHA256" }, -+# endif -+# ifdef OPENSSL_KTLS_AES_CCM_128 -+ { TLS1_2_VERSION, "AES128-CCM"}, -+# endif -+# ifdef OPENSSL_KTLS_AES_GCM_256 -+ { TLS1_2_VERSION, "AES256-GCM-SHA384"}, -+# endif -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ { TLS1_2_VERSION, "ECDHE-RSA-CHACHA20-POLY1305"}, -+# endif -+# endif -+# if !defined(OPENSSL_NO_TLS1_3) -+# ifdef OPENSSL_KTLS_AES_GCM_128 -+ { TLS1_3_VERSION, "TLS_AES_128_GCM_SHA256" }, -+# endif -+# ifdef OPENSSL_KTLS_AES_CCM_128 -+ { TLS1_3_VERSION, "TLS_AES_128_CCM_SHA256" }, -+# endif -+# ifdef OPENSSL_KTLS_AES_GCM_256 -+ { TLS1_3_VERSION, "TLS_AES_256_GCM_SHA384" }, -+# endif -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ { TLS1_3_VERSION, "TLS_CHACHA20_POLY1305_SHA256" }, -+# endif -+# endif -+}; -+ -+#define NUM_KTLS_TEST_CIPHERS \ -+ (sizeof(ktls_test_ciphers) / sizeof(ktls_test_ciphers[0])) -+ -+static int test_ktls(int test) -+{ -+ struct ktls_test_cipher *cipher; -+ int cis_ktls, sis_ktls; -+ -+ OPENSSL_assert(test / 4 < NUM_KTLS_TEST_CIPHERS); -+ cipher = &ktls_test_ciphers[test / 4]; -+ -+ cis_ktls = (test & 1) != 0; -+ sis_ktls = (test & 2) != 0; -+ -+ return execute_test_ktls(cis_ktls, sis_ktls, cipher->tls_version, -+ cipher->cipher); -+} -+ -+static int test_ktls_sendfile(int tst) -+{ -+ struct ktls_test_cipher *cipher; -+ -+ OPENSSL_assert(tst < NUM_KTLS_TEST_CIPHERS); -+ cipher = &ktls_test_ciphers[tst]; -+ -+ return execute_test_ktls_sendfile(cipher->tls_version, cipher->cipher); -+} -+#endif -+ - static int test_large_message_tls(void) - { - return execute_test_large_message(TLS_server_method(), TLS_client_method(), -@@ -6944,6 +7374,12 @@ int setup_tests(void) - return 0; - } - -+#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) -+# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) -+ ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); -+ ADD_ALL_TESTS(test_ktls_sendfile, NUM_KTLS_TEST_CIPHERS); -+# endif -+#endif - ADD_TEST(test_large_message_tls); - ADD_TEST(test_large_message_tls_read_ahead); - #ifndef OPENSSL_NO_DTLS -diff --git test/ssltest_old.c test/ssltest_old.c -index 3601066b50..96b38a4636 100644 ---- test/ssltest_old.c -+++ test/ssltest_old.c -@@ -731,6 +731,8 @@ static void sv_usage(void) - fprintf(stderr, " -client_sess_in - Read the client session from a file\n"); - fprintf(stderr, " -should_reuse - The expected state of reusing the session\n"); - fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n"); -+ fprintf(stderr, " -client_ktls - try to enable client KTLS\n"); -+ fprintf(stderr, " -server_ktls - try to enable server KTLS\n"); - } - - static void print_key_details(BIO *out, EVP_PKEY *key) -@@ -905,6 +907,7 @@ int main(int argc, char *argv[]) - int number = 1, reuse = 0; - int should_reuse = -1; - int no_ticket = 0; -+ int client_ktls = 0, server_ktls = 0; - long bytes = 256L; - #ifndef OPENSSL_NO_DH - DH *dh; -@@ -1215,6 +1218,10 @@ int main(int argc, char *argv[]) - should_reuse = !!atoi(*(++argv)); - } else if (strcmp(*argv, "-no_ticket") == 0) { - no_ticket = 1; -+ } else if (strcmp(*argv, "-client_ktls") == 0) { -+ client_ktls = 1; -+ } else if (strcmp(*argv, "-server_ktls") == 0) { -+ server_ktls = 1; - } else { - int rv; - arg = argv[0]; -@@ -1760,6 +1767,10 @@ int main(int argc, char *argv[]) - - if (sn_client) - SSL_set_tlsext_host_name(c_ssl, sn_client); -+ if (client_ktls) -+ SSL_set_options(c_ssl, SSL_OP_ENABLE_KTLS); -+ if (server_ktls) -+ SSL_set_options(s_ssl, SSL_OP_ENABLE_KTLS); - - if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION)) - goto end; -diff --git test/ssltestlib.c test/ssltestlib.c -index 456afdf471..a13fdbc4cc 100644 ---- test/ssltestlib.c -+++ test/ssltestlib.c -@@ -16,6 +16,14 @@ - - #ifdef OPENSSL_SYS_UNIX - # include -+#ifndef OPENSSL_NO_KTLS -+# include -+# include -+# include -+# include -+# include -+# include -+#endif - - static ossl_inline void ossl_sleep(unsigned int millis) - { -@@ -763,6 +771,113 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, - - #define MAXLOOPS 1000000 - -+#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) -+static int set_nb(int fd) -+{ -+ int flags; -+ -+ flags = fcntl(fd,F_GETFL,0); -+ if (flags == -1) -+ return flags; -+ flags = fcntl(fd, F_SETFL, flags | O_NONBLOCK); -+ return flags; -+} -+ -+int create_test_sockets(int *cfdp, int *sfdp) -+{ -+ struct sockaddr_in sin; -+ const char *host = "127.0.0.1"; -+ int cfd_connected = 0, ret = 0; -+ socklen_t slen = sizeof(sin); -+ int afd = -1, cfd = -1, sfd = -1; -+ -+ memset ((char *) &sin, 0, sizeof(sin)); -+ sin.sin_family = AF_INET; -+ sin.sin_addr.s_addr = inet_addr(host); -+ -+ afd = socket(AF_INET, SOCK_STREAM, 0); -+ if (afd < 0) -+ return 0; -+ -+ if (bind(afd, (struct sockaddr*)&sin, sizeof(sin)) < 0) -+ goto out; -+ -+ if (getsockname(afd, (struct sockaddr*)&sin, &slen) < 0) -+ goto out; -+ -+ if (listen(afd, 1) < 0) -+ goto out; -+ -+ cfd = socket(AF_INET, SOCK_STREAM, 0); -+ if (cfd < 0) -+ goto out; -+ -+ if (set_nb(afd) == -1) -+ goto out; -+ -+ while (sfd == -1 || !cfd_connected ) { -+ sfd = accept(afd, NULL, 0); -+ if (sfd == -1 && errno != EAGAIN) -+ goto out; -+ -+ if (!cfd_connected && connect(cfd, (struct sockaddr*)&sin, sizeof(sin)) < 0) -+ goto out; -+ else -+ cfd_connected = 1; -+ } -+ -+ if (set_nb(cfd) == -1 || set_nb(sfd) == -1) -+ goto out; -+ ret = 1; -+ *cfdp = cfd; -+ *sfdp = sfd; -+ goto success; -+ -+out: -+ if (cfd != -1) -+ close(cfd); -+ if (sfd != -1) -+ close(sfd); -+success: -+ if (afd != -1) -+ close(afd); -+ return ret; -+} -+ -+int create_ssl_objects2(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, -+ SSL **cssl, int sfd, int cfd) -+{ -+ SSL *serverssl = NULL, *clientssl = NULL; -+ BIO *s_to_c_bio = NULL, *c_to_s_bio = NULL; -+ -+ if (*sssl != NULL) -+ serverssl = *sssl; -+ else if (!TEST_ptr(serverssl = SSL_new(serverctx))) -+ goto error; -+ if (*cssl != NULL) -+ clientssl = *cssl; -+ else if (!TEST_ptr(clientssl = SSL_new(clientctx))) -+ goto error; -+ -+ if (!TEST_ptr(s_to_c_bio = BIO_new_socket(sfd, BIO_NOCLOSE)) -+ || !TEST_ptr(c_to_s_bio = BIO_new_socket(cfd, BIO_NOCLOSE))) -+ goto error; -+ -+ SSL_set_bio(clientssl, c_to_s_bio, c_to_s_bio); -+ SSL_set_bio(serverssl, s_to_c_bio, s_to_c_bio); -+ *sssl = serverssl; -+ *cssl = clientssl; -+ return 1; -+ -+ error: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ BIO_free(s_to_c_bio); -+ BIO_free(c_to_s_bio); -+ return 0; -+} -+#endif -+ - /* - * NOTE: Transfers control of the BIOs - this function will free them on error - */ -diff --git test/ssltestlib.h test/ssltestlib.h -index 17b278219a..756975435d 100644 ---- test/ssltestlib.h -+++ test/ssltestlib.h -@@ -20,6 +20,9 @@ int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, - SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio); - int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want, - int read); -+int create_ssl_objects2(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, -+ SSL **cssl, int sfd, int cfd); -+int create_test_sockets(int *cfd, int *sfd); - int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want); - void shutdown_ssl_connection(SSL *serverssl, SSL *clientssl); - -diff --git util/libssl.num util/libssl.num -index 297522c363..5b3c048871 100644 ---- util/libssl.num -+++ util/libssl.num -@@ -498,3 +498,4 @@ SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION: - SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION: - SSL_CTX_set_post_handshake_auth 500 1_1_1 EXIST::FUNCTION: - SSL_get_signature_type_nid 501 1_1_1a EXIST::FUNCTION: -+SSL_sendfile 502 1_1_1e EXIST::FUNCTION: -diff --git util/private.num util/private.num -index bc7d967b5d..5bfbfc9fa4 100644 ---- util/private.num -+++ util/private.num -@@ -109,6 +109,8 @@ BIO_get_buffer_num_lines define - BIO_get_cipher_ctx define - BIO_get_cipher_status define - BIO_get_close define -+BIO_get_ktls_send define -+BIO_get_ktls_recv define - BIO_get_conn_address define - BIO_get_conn_hostname define - BIO_get_conn_port define + #endif + if (!cis_ktls || !rx_supported) { + if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) diff --git a/security/openssl/files/extra-patch-util_find-doc-nits b/security/openssl/files/extra-patch-util_find-doc-nits new file mode 100644 index 000000000000..e4fc20a06252 --- /dev/null +++ b/security/openssl/files/extra-patch-util_find-doc-nits @@ -0,0 +1,20 @@ +--- util/find-doc-nits.orig 2023-08-01 13:47:24 UTC ++++ util/find-doc-nits +@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt'; + my $OUT; + my $status = 0; + +-$opt_m = "man1,man3,man5,man7" unless $opt_m; ++$opt_m = "man1,man5" unless $opt_m; + die "Argument of -m option may contain only man1, man3, man5, and/or man7" + unless $opt_m =~ /^(man[1357][, ]?)*$/; + my @sections = ( split /[, ]/, $opt_m ); +@@ -725,7 +725,7 @@ sub check { + next if $target eq ''; # Skip if links within page, or + next if $target =~ /::/; # links to a Perl module, or + next if $target =~ /^https?:/; # is a URL link, or +- next if $target =~ /\([1357]\)$/; # it has a section ++ next if $target =~ /\([15]\)$/; # it has a section + err($id, "Missing man section number (likely, $mansect) in L<$target>") + } + # Check for proper links to commands. diff --git a/security/openssl/files/extra-patch-util_process__docs.pl b/security/openssl/files/extra-patch-util_process__docs.pl deleted file mode 100644 index d81c00d4656f..000000000000 --- a/security/openssl/files/extra-patch-util_process__docs.pl +++ /dev/null @@ -1,20 +0,0 @@ ---- util/process_docs.pl.orig 2018-09-11 12:48:25 UTC -+++ util/process_docs.pl -@@ -43,7 +43,7 @@ GetOptions(\%options, - ); - - unless ($options{section}) { -- $options{section} = [ 1, 3, 5, 7 ]; -+ $options{section} = [ 1, 5 ]; - } - unless ($options{sourcedir}) { - $options{sourcedir} = catdir($config{sourcedir}, "doc"); -@@ -98,7 +98,7 @@ foreach my $section (sort @{$options{sec - my $suffix = { man => ".$podinfo{section}".($options{suffix} // ""), - html => ".html" } -> {$options{type}}; - my $generate = { man => "pod2man --name=$name --section=$podinfo{section} --center=OpenSSL --release=$config{version} \"$podpath\"", -- html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=man1:man3:man5:man7 \"--infile=$podpath\" \"--title=$podname\" --quiet" -+ html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=man1:man5 \"--infile=$podpath\" \"--title=$podname\" --quiet" - } -> {$options{type}}; - my $output_dir = catdir($options{destdir}, "man$podinfo{section}"); - my $output_file = $podname . $suffix; diff --git a/security/openssl/files/patch-Configurations_10-main.conf b/security/openssl/files/patch-Configurations_10-main.conf new file mode 100644 index 000000000000..82503c0ff90c --- /dev/null +++ b/security/openssl/files/patch-Configurations_10-main.conf @@ -0,0 +1,35 @@ +--- Configurations/10-main.conf.orig 2022-04-12 16:29:42 UTC ++++ Configurations/10-main.conf +@@ -1069,6 +1069,32 @@ my %targets = ( + perlasm_scheme => "linux64", + }, + ++ "BSD-ppc" => { ++ inherit_from => [ "BSD-generic32" ], ++ asm_arch => 'ppc32', ++ perlasm_scheme => "linux32", ++ lib_cppflags => add("-DB_ENDIAN"), ++ }, ++ ++ "BSD-ppc64" => { ++ inherit_from => [ "BSD-generic64" ], ++ cflags => add("-m64"), ++ cxxflags => add("-m64"), ++ lib_cppflags => add("-DB_ENDIAN"), ++ asm_arch => 'ppc64', ++ perlasm_scheme => "linux64", ++ }, ++ ++ "BSD-ppc64le" => { ++ inherit_from => [ "BSD-generic64" ], ++ cflags => add("-m64"), ++ cxxflags => add("-m64"), ++ lib_cppflags => add("-DL_ENDIAN"), ++ asm_arch => 'ppc64', ++ perlasm_scheme => "linux64le", ++ }, ++ ++ + "bsdi-elf-gcc" => { + inherit_from => [ "BASE_unix" ], + CC => "gcc", diff --git a/security/openssl/files/patch-Configure b/security/openssl/files/patch-Configure new file mode 100644 index 000000000000..c26823c674f3 --- /dev/null +++ b/security/openssl/files/patch-Configure @@ -0,0 +1,11 @@ +--- Configure.orig 2022-04-12 16:30:34 UTC ++++ Configure +@@ -1549,7 +1549,7 @@ my %predefined_CXX = $config{CXX} + + unless ($disabled{asm}) { + # big endian systems can use ELFv2 ABI +- if ($target eq "linux-ppc64") { ++ if ($target eq "linux-ppc64" || $target eq "BSD-ppc64") { + $target{perlasm_scheme} = "linux64v2" if ($predefined_C{_CALL_ELF} == 2); + } + } diff --git a/security/openssl/files/patch-crypto_ppccap.c b/security/openssl/files/patch-crypto_ppccap.c new file mode 100644 index 000000000000..14da11dedd4b --- /dev/null +++ b/security/openssl/files/patch-crypto_ppccap.c @@ -0,0 +1,34 @@ +--- crypto/ppccap.c.orig 2022-04-12 16:31:27 UTC ++++ crypto/ppccap.c +@@ -117,14 +117,18 @@ static unsigned long getauxval(unsigned long key) + #endif + + /* I wish was universally available */ +-#define HWCAP 16 /* AT_HWCAP */ ++#ifndef AT_HWCAP ++# define AT_HWCAP 16 /* AT_HWCAP */ ++#endif + #define HWCAP_PPC64 (1U << 30) + #define HWCAP_ALTIVEC (1U << 28) + #define HWCAP_FPU (1U << 27) + #define HWCAP_POWER6_EXT (1U << 9) + #define HWCAP_VSX (1U << 7) + +-#define HWCAP2 26 /* AT_HWCAP2 */ ++#ifndef AT_HWCAP2 ++# define AT_HWCAP2 26 /* AT_HWCAP2 */ ++#endif + #define HWCAP_VEC_CRYPTO (1U << 25) + #define HWCAP_ARCH_3_00 (1U << 23) + +@@ -215,8 +219,8 @@ void OPENSSL_cpuid_setup(void) + + #ifdef OSSL_IMPLEMENT_GETAUXVAL + { +- unsigned long hwcap = getauxval(HWCAP); +- unsigned long hwcap2 = getauxval(HWCAP2); ++ unsigned long hwcap = getauxval(AT_HWCAP); ++ unsigned long hwcap2 = getauxval(AT_HWCAP2); + + if (hwcap & HWCAP_FPU) { + OPENSSL_ppccap_P |= PPC_FPU; diff --git a/security/openssl/files/patch-crypto_threads__pthread.c b/security/openssl/files/patch-crypto_threads__pthread.c new file mode 100644 index 000000000000..3347170e0bd0 --- /dev/null +++ b/security/openssl/files/patch-crypto_threads__pthread.c @@ -0,0 +1,13 @@ +--- crypto/threads_pthread.c.orig 2022-11-01 14:14:36 UTC ++++ crypto/threads_pthread.c +@@ -29,6 +29,10 @@ + #define BROKEN_CLANG_ATOMICS + #endif + ++#if defined(__FreeBSD__) && defined(__i386__) ++#define BROKEN_CLANG_ATOMICS ++#endif ++ + #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS) + + # if defined(OPENSSL_SYS_UNIX) diff --git a/security/openssl/files/patch-util_perl_OpenSSL_config.pm b/security/openssl/files/patch-util_perl_OpenSSL_config.pm new file mode 100644 index 000000000000..9c669372a4f1 --- /dev/null +++ b/security/openssl/files/patch-util_perl_OpenSSL_config.pm @@ -0,0 +1,14 @@ +--- util/perl/OpenSSL/config.pm.orig 2022-04-12 16:34:06 UTC ++++ util/perl/OpenSSL/config.pm +@@ -747,8 +747,9 @@ EOF + disable => [ 'sse2' ] } ], + [ 'alpha.*-.*-.*bsd.*', { target => "BSD-generic64", + defines => [ 'L_ENDIAN' ] } ], +- [ 'powerpc64-.*-.*bsd.*', { target => "BSD-generic64", +- defines => [ 'B_ENDIAN' ] } ], ++ [ 'powerpc-.*-.*bsd.*', { target => "BSD-ppc" } ], ++ [ 'powerpc64-.*-.*bsd.*', { target => "BSD-ppc64" } ], ++ [ 'powerpc64le-.*-.*bsd.*', { target => "BSD-ppc64le" } ], + [ 'riscv64-.*-.*bsd.*', { target => "BSD-riscv64" } ], + [ 'sparc64-.*-.*bsd.*', { target => "BSD-sparc64" } ], + [ 'ia64-.*-.*bsd.*', { target => "BSD-ia64" } ], diff --git a/security/openssl/files/pkg-message.in b/security/openssl/files/pkg-message.in deleted file mode 100644 index 0cae95bfd9f1..000000000000 --- a/security/openssl/files/pkg-message.in +++ /dev/null @@ -1,8 +0,0 @@ -[ -{ type: install - message: <