security/openssl31: Remove port

Upstream no longer maintains the OpenSSL 3.1 branch (end of life 2025-03-14), so it receives no further security fixes; remove the port.
This commit is contained in:
Bastard Operator from Hell 2025-04-28 14:55:21 +02:00
parent 02d15a10d5
commit 1314c8ce9c
No known key found for this signature in database
GPG Key ID: BDB9B5A617C0BC91
23 changed files with 25 additions and 1113 deletions


@ -5537,6 +5537,7 @@ security/nitrokey-app
security/openconnect-gui
security/opencryptoki
security/openssl111
security/openssl31
security/openssl31-quictls
security/openvpn-admin
security/p5-Authen-Simple-SMB
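Review bot: The entry added for security/openssl31 is shown here as a bare port name with no successor, date or reason, so users of the removed port get no redirection to a maintained branch. If this file is MOVED, the line should follow the `old|new|date|reason` format, e.g. `security/openssl31|security/openssl|2025-04-28|Has expired: Unmaintained upstream version`, so that pkg and the update tools steer installs to a supported OpenSSL. The missing fields may be an artifact of how this page was rendered; verify against the actual file before changing anything.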


@ -621,7 +621,7 @@ proxydeps_suggest_uses() {
# When updating this, please also update the versions list in
# bsd.default-versions.mk and ssl.mk!
elif [ ${pkg} = "security/openssl" \
-o ${pkg} = "security/openssl31" -o ${pkg} = "security/openssl32" \
-o ${pkg} = "security/openssl32" \
-o ${pkg} = "security/openssl33" \
-o ${pkg} = "security/libressl" -o ${pkg} = "security/libressl-devel" \
]; then


@ -10,7 +10,7 @@
#
# When updating this, please also update the same list in bsd.default-versions.mk
# and the checks for USES=ssl in qa.sh!
# Variants being base, openssl, openssl31, openssl32,
# Variants being base, openssl, openssl32,
# openssl33, libressl, and libressl-devel.
#
# The Makefile sets these variables:


@ -148,7 +148,7 @@ RUST_DEFAULT?= rust
SAMBA_DEFAULT?= 4.16
# When updating this, please also update the same list in ssl.mk and the checks
# for USES=ssl in qa.sh!
# Possible values: base, openssl, openssl31, openssl32, openssl33, libressl, libressl-devel
# Possible values: base, openssl, openssl32, openssl33, libressl, libressl-devel
. if !defined(SSL_DEFAULT)
# If no preference was set, check for an installed base version
# but give an installed port preference over it.


@ -14,7 +14,7 @@ LIB_DEPENDS= libexpat.so:textproc/expat2
USES= autoreconf:build bison:wrapper compiler:c11 gmake localbase:ldflags \
pathfix pkgconfig ssl tar:xz
BROKEN_SSL= openssl openssl31
BROKEN_SSL= openssl
BROKEN_SSL_REASON= Uses OpenSSL 3.0.0 deprecated BIO_s_file_internal
USE_LDCONFIG= yes


@ -17,7 +17,7 @@ CONFIGURE_ARGS= --with-ssl-incdir=${OPENSSLINC} \
--with-ssl-libdir=${OPENSSLLIB}
USES= gmake libtool perl5 ssl
BROKEN_SSL= openssl openssl31
BROKEN_SSL= openssl
BROKEN_SSL_REASON= Fails to build with error undefined reference due to --no-allow-shlib-undefined: EVP
USE_RC_SUBR= milter-enma
USE_LDCONFIG= yes


@ -285,8 +285,6 @@ SEDLIST+= -e 's,^\# (EXIM_MONITOR=),\1,'
USES+= ssl
SEDLIST+= -e 's,^\# (USE_OPENSSL=),\1,'
SEDLIST+= -e 's,^\# (TLS_LIBS=.*-lssl[[:space:]]),\1,'
BROKEN_SSL= openssl31
BROKEN_SSL_REASON= error: token is not a valid binary operator in a preprocessor subexpression
.else
SEDLIST+= -e 's,^\# (USE_GNUTLS=),\1,'
SEDLIST+= -e 's,^\# (TLS_LIBS=.*-lgnutls[[:space:]]),\1,'


@ -42,7 +42,7 @@ LIBSPF_CFLAGS= -I${LOCALBASE}/include
LIBSPF_LDFLAGS= -L${LOCALBASE}/lib
IPFWMTAD_PLIST_FILES= bin/ipfwmtad
IPFWMTAD_USES= ssl
BROKEN_SSL= base openssl openssl31 openssl32 openssl33
BROKEN_SSL= base openssl openssl32 openssl33
BROKEN_SSL_REASON= Option IPFWMTAD requires OpenSSL 1.1.1
.include <bsd.port.options.mk>


@ -388,7 +388,6 @@
SUBDIR += openssl-oqsprovider
SUBDIR += openssl-quictls
SUBDIR += openssl-unsafe
SUBDIR += openssl31
SUBDIR += openssl32
SUBDIR += openssl33
SUBDIR += openssl34


@ -1,185 +0,0 @@
PORTNAME= openssl
PORTVERSION= 3.1.8
CATEGORIES= security devel
PKGNAMESUFFIX= 31
MASTER_SITES= https://github.com/openssl/openssl/releases/download/${DISTNAME}/
MAINTAINER= brnrd@FreeBSD.org
COMMENT= TLSv1.3 capable SSL and crypto library
WWW= https://www.openssl.org/
LICENSE= APACHE20
LICENSE_FILE= ${WRKSRC}/LICENSE.txt
#EXPIRATION_DATE= 2025-03-14
CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl3[2345] openssl*-quictls
HAS_CONFIGURE= yes
CONFIGURE_SCRIPT= config
CONFIGURE_ENV= PERL="${PERL}"
CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \
--prefix=${PREFIX}
USES= cpe perl5
USE_PERL5= build
TEST_TARGET= test
LDFLAGS_i386= -Wl,-znotext
MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}"
MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
EXTRA_PATCHES+= ${.CURDIR}/../openssl/files/patch-crypto_async_arch_async__posix.h
OPTIONS_GROUP= CIPHERS HASHES MODULES OPTIMIZE PROTOCOLS
OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS
OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3
OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS
OPTIONS_GROUP_MODULES= FIPS LEGACY
OPTIONS_DEFINE_i386= I386
OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2
OPTIONS_DEFINE= ASYNC CT KTLS MAN3 RFC3779 SHARED ZLIB
OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST KTLS MAN3 MD4 NEXTPROTONEG \
RFC3779 RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2
OPTIONS_GROUP_OPTIMIZE_amd64= EC
.if ${MACHINE_ARCH} == "amd64"
OPTIONS_GROUP_OPTIMIZE+= EC
.elif ${MACHINE_ARCH} == "mips64el"
OPTIONS_GROUP_OPTIMIZE+= EC
.endif
OPTIONS_SUB= yes
ARIA_DESC= ARIA (South Korean standard)
ASM_DESC= Assembler code
ASYNC_DESC= Asynchronous mode
CIPHERS_DESC= Block Cipher Support
CT_DESC= Certificate Transparency Support
DES_DESC= (Triple) Data Encryption Standard
EC_DESC= Optimize NIST elliptic curves
FIPS_DESC= Build FIPS provider
GOST_DESC= GOST (Russian standard)
HASHES_DESC= Hash Function Support
I386_DESC= i386 (instead of i486+)
IDEA_DESC= International Data Encryption Algorithm
KTLS_DESC= Use in-kernel TLS (FreeBSD >13)
LEGACY_DESC= Older algorithms
MAN3_DESC= Install API manpages (section 3, 7)
MD2_DESC= MD2 (obsolete) (requires LEGACY)
MD4_DESC= MD4 (unsafe)
MDC2_DESC= MDC-2 (patented, requires DES)
MODULES_DESC= Provider modules
NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY)
OPTIMIZE_DESC= Optimizations
PROTOCOLS_DESC= Protocol Support
RC2_DESC= RC2 (unsafe)
RC4_DESC= RC4 (unsafe)
RC5_DESC= RC5 (patented)
RMD160_DESC= RIPEMD-160
RFC3779_DESC= RFC3779 support (BGP)
SCTP_DESC= SCTP (Stream Control Transmission)
SHARED_DESC= Build shared libraries
SM2_DESC= SM2 Elliptic Curve DH (Chinese standard)
SM3_DESC= SM3 256bit (Chinese standard)
SM4_DESC= SM4 128bit (Chinese standard)
SSE2_DESC= Runtime SSE2 detection
SSL3_DESC= SSLv3 (unsafe)
TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2)
TLS1_1_DESC= TLSv1.1 (requires TLS1_2)
TLS1_2_DESC= TLSv1.2
WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe)
# Upstream default disabled options
.for _option in fips md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib
${_option:tu}_CONFIGURE_ON= enable-${_option}
.endfor
# Upstream default enabled options
.for _option in aria asm async ct des gost idea md4 mdc2 legacy \
nextprotoneg rc2 rc4 rfc3779 rmd160 shared sm2 sm3 sm4 sse2 \
threads tls1 tls1_1 tls1_2
${_option:tu}_CONFIGURE_OFF= no-${_option}
.endfor
MD2_IMPLIES= LEGACY
MDC2_IMPLIES= DES
TLS1_IMPLIES= TLS1_1
TLS1_1_IMPLIES= TLS1_2
EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128
FIPS_VARS= shlibs+=lib/ossl-modules/fips.so
I386_CONFIGURE_ON= 386
KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls
LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so
MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits
SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER}
SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER}
SHARED_USE= ldconfig=yes
SHARED_VARS= shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \
lib/libssl.so.${OPENSSL_SHLIBVER} \
lib/engines-${OPENSSL_SHLIBVER}/capi.so \
lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \
lib/engines-${OPENSSL_SHLIBVER}/padlock.so"
SSL3_CONFIGURE_ON+= enable-ssl3-method
ZLIB_CONFIGURE_ON= zlib-dynamic
SHLIBS= lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so
PORTSCOUT= limit:^${DISTVERSION:R:S/./\./g}\.
.include <bsd.port.options.mk>
.if ${ARCH} == powerpc64
CONFIGURE_ARGS+= BSD-ppc64
.elif ${ARCH} == powerpc64le
CONFIGURE_ARGS+= BSD-ppc64le
.elif ${ARCH} == riscv64
CONFIGURE_ARGS+= BSD-riscv64
.endif
.include <bsd.port.pre.mk>
.if ${PREFIX} == /usr
IGNORE= the OpenSSL port can not be installed over the base version
.endif
OPENSSLDIR?= ${PREFIX}/openssl
PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
.include "version.mk"
post-patch:
${REINPLACE_CMD} -Ee 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \
${WRKSRC}/Configurations/unix-Makefile.tmpl
${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \
${WRKSRC}/VERSION.dat
post-configure:
( cd ${WRKSRC} ; ${PERL} configdata.pm --dump )
post-configure-MAN3-off:
${REINPLACE_CMD} \
-e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \
-e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \
${WRKSRC}/Makefile
post-install-SHARED-on:
.for i in ${SHLIBS}
-@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i
.endfor
post-install-SHARED-off:
${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-12
post-install:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl
post-install-MAN3-on:
( cd ${STAGEDIR}/${PREFIX} ; find share/man/man3 -not -type d ; \
find share/man/man7 -not -type d ) | sed 's/$$/.gz/' >> ${TMPPLIST}
.include <bsd.port.post.mk>


@ -1,3 +0,0 @@
TIMESTAMP = 1739293895
SHA256 (openssl-3.1.8.tar.gz) = d319da6aecde3aa6f426b44bbf997406d95275c5c59ab6f6ef53caaa079f456f
SIZE (openssl-3.1.8.tar.gz) = 15706439


@ -1,540 +0,0 @@
diff --git include/internal/ktls.h include/internal/ktls.h
index 95492fd065..3c82cae26b 100644
--- include/internal/ktls.h
+++ include/internal/ktls.h
@@ -40,6 +40,11 @@
# define OPENSSL_KTLS_AES_GCM_128
# define OPENSSL_KTLS_AES_GCM_256
# define OPENSSL_KTLS_TLS13
+# ifdef TLS_CHACHA20_IV_LEN
+# ifndef OPENSSL_NO_CHACHA
+# define OPENSSL_KTLS_CHACHA20_POLY1305
+# endif
+# endif
typedef struct tls_enable ktls_crypto_info_t;
diff --git ssl/ktls.c ssl/ktls.c
index 79d980959e..e343d382cc 100644
--- ssl/ktls.c
+++ ssl/ktls.c
@@ -10,6 +10,67 @@
#include "ssl_local.h"
#include "internal/ktls.h"
+#ifndef OPENSSL_NO_KTLS_RX
+ /*
+ * Count the number of records that were not processed yet from record boundary.
+ *
+ * This function assumes that there are only fully formed records read in the
+ * record layer. If read_ahead is enabled, then this might be false and this
+ * function will fail.
+ */
+static int count_unprocessed_records(SSL *s)
+{
+ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
+ PACKET pkt, subpkt;
+ int count = 0;
+
+ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
+ return -1;
+
+ while (PACKET_remaining(&pkt) > 0) {
+ /* Skip record type and version */
+ if (!PACKET_forward(&pkt, 3))
+ return -1;
+
+ /* Read until next record */
+ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
+ return -1;
+
+ count += 1;
+ }
+
+ return count;
+}
+
+/*
+ * The kernel cannot offload receive if a partial TLS record has been read.
+ * Check the read buffer for unprocessed records. If the buffer contains a
+ * partial record, fail and return 0. Otherwise, update the sequence
+ * number at *rec_seq for the count of unprocessed records and return 1.
+ */
+static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq)
+{
+ int bit, count_unprocessed;
+
+ count_unprocessed = count_unprocessed_records(s);
+ if (count_unprocessed < 0)
+ return 0;
+
+ /* increment the crypto_info record sequence */
+ while (count_unprocessed) {
+ for (bit = 7; bit >= 0; bit--) { /* increment */
+ ++rec_seq[bit];
+ if (rec_seq[bit] != 0)
+ break;
+ }
+ count_unprocessed--;
+
+ }
+
+ return 1;
+}
+#endif
+
#if defined(__FreeBSD__)
# include "crypto/cryptodev.h"
@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
case SSL_AES128GCM:
case SSL_AES256GCM:
return 1;
+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+ case SSL_CHACHA20POLY1305:
+ return 1;
+# endif
case SSL_AES128:
case SSL_AES256:
if (s->ext.use_etm)
@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
}
/* Function to configure kernel TLS structure */
-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
void *rl_sequence, ktls_crypto_info_t *crypto_info,
- unsigned char **rec_seq, unsigned char *iv,
+ int is_tx, unsigned char *iv,
unsigned char *key, unsigned char *mac_key,
size_t mac_secret_size)
{
@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
else
crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
break;
+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+ case SSL_CHACHA20POLY1305:
+ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
+ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd);
+ break;
+# endif
case SSL_AES128:
case SSL_AES256:
switch (s->s3.tmp.new_cipher->algorithm_mac) {
@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
crypto_info->tls_vminor = (s->version & 0x000000ff);
# ifdef TCP_RXTLS_ENABLE
memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq));
- if (rec_seq != NULL)
- *rec_seq = crypto_info->rec_seq;
+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq))
+ return 0;
# else
- if (rec_seq != NULL)
- *rec_seq = NULL;
+ if (!is_tx)
+ return 0;
# endif
return 1;
};
@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
}
/* Function to configure kernel TLS structure */
-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
void *rl_sequence, ktls_crypto_info_t *crypto_info,
- unsigned char **rec_seq, unsigned char *iv,
+ int is_tx, unsigned char *iv,
unsigned char *key, unsigned char *mac_key,
size_t mac_secret_size)
{
unsigned char geniv[12];
unsigned char *iiv = iv;
+# ifdef OPENSSL_NO_KTLS_RX
+ if (!is_tx)
+ return 0;
+# endif
+
if (s->version == TLS1_2_VERSION &&
EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) {
if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv,
@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->gcm128.rec_seq, rl_sequence,
TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- if (rec_seq != NULL)
- *rec_seq = crypto_info->gcm128.rec_seq;
+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq))
+ return 0;
return 1;
# endif
# ifdef OPENSSL_KTLS_AES_GCM_256
@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->gcm256.rec_seq, rl_sequence,
TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
- if (rec_seq != NULL)
- *rec_seq = crypto_info->gcm256.rec_seq;
+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq))
+ return 0;
return 1;
# endif
# ifdef OPENSSL_KTLS_AES_CCM_128
@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->ccm128.rec_seq, rl_sequence,
TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
- if (rec_seq != NULL)
- *rec_seq = crypto_info->ccm128.rec_seq;
+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq))
+ return 0;
return 1;
# endif
# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
- if (rec_seq != NULL)
- *rec_seq = crypto_info->chacha20poly1305.rec_seq;
+ if (!is_tx
+ && !check_rx_read_ahead(s,
+ crypto_info->chacha20poly1305.rec_seq))
+ return 0;
return 1;
# endif
default:
diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c
index d8ef018741..63caac080f 100644
--- ssl/record/ssl3_record.c
+++ ssl/record/ssl3_record.c
@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s)
int imac_size;
size_t num_recs = 0, max_recs, j;
PACKET pkt, sslv2pkt;
- int is_ktls_left;
+ int using_ktls;
SSL_MAC_BUF *macbufs = NULL;
int ret = -1;
rr = RECORD_LAYER_get_rrec(&s->rlayer);
rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0);
max_recs = s->max_pipelines;
if (max_recs == 0)
max_recs = 1;
sess = s->session;
+ /*
+ * KTLS reads full records. If there is any data left,
+ * then it is from before enabling ktls.
+ */
+ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0;
+
do {
thisrr = &rr[num_recs];
@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s)
}
}
- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
+ if (SSL_IS_TLS13(s)
+ && s->enc_read_ctx != NULL
+ && !using_ktls) {
if (thisrr->type != SSL3_RT_APPLICATION_DATA
&& (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
|| !SSL_IS_FIRST_HANDSHAKE(s))
@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s)
}
if (SSL_IS_TLS13(s)) {
- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
+ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH;
+
+ /* KTLS strips the inner record type. */
+ if (using_ktls)
+ len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
+
+ if (thisrr->length > len) {
SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
return -1;
@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s)
#endif
/* KTLS may use all of the buffer */
- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+ if (using_ktls)
len = SSL3_BUFFER_get_left(rbuf);
if (thisrr->length > len) {
@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s)
return 1;
}
- /*
- * KTLS reads full records. If there is any data left,
- * then it is from before enabling ktls
- */
- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+ if (using_ktls)
goto skip_decryption;
if (s->read_hash != NULL) {
@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s)
if (SSL_IS_TLS13(s)
&& s->enc_read_ctx != NULL
&& thisrr->type != SSL3_RT_ALERT) {
- size_t end;
+ /*
+ * The following logic are irrelevant in KTLS: the kernel provides
+ * unprotected record and thus record type represent the actual
+ * content type, and padding is already removed and thisrr->type and
+ * thisrr->length should have the correct values.
+ */
+ if (!using_ktls) {
+ size_t end;
- if (thisrr->length == 0
- || thisrr->type != SSL3_RT_APPLICATION_DATA) {
- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
- goto end;
+ if (thisrr->length == 0
+ || thisrr->type != SSL3_RT_APPLICATION_DATA) {
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
+ goto end;
+ }
+
+ /* Strip trailing padding */
+ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
+ end--)
+ continue;
+
+ thisrr->length = end;
+ thisrr->type = thisrr->data[end];
}
-
- /* Strip trailing padding */
- for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
- end--)
- continue;
-
- thisrr->length = end;
- thisrr->type = thisrr->data[end];
if (thisrr->type != SSL3_RT_APPLICATION_DATA
&& thisrr->type != SSL3_RT_ALERT
&& thisrr->type != SSL3_RT_HANDSHAKE) {
@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s)
}
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
- &thisrr->data[end], 1, s, s->msg_callback_arg);
+ &thisrr->type, 1, s, s->msg_callback_arg);
}
/*
@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s)
* Therefore we have to rely on KTLS to check the plaintext length
* limit in the kernel.
*/
- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH
- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) {
+ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) {
SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
goto end;
}
diff --git ssl/ssl_local.h ssl/ssl_local.h
index 5471e900b8..79ced2f468 100644
--- ssl/ssl_local.h
+++ ssl/ssl_local.h
@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
/* ktls.c */
int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
const EVP_CIPHER_CTX *dd);
-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
void *rl_sequence, ktls_crypto_info_t *crypto_info,
- unsigned char **rec_seq, unsigned char *iv,
+ int is_tx, unsigned char *iv,
unsigned char *key, unsigned char *mac_key,
size_t mac_secret_size);
# endif
diff --git ssl/t1_enc.c ssl/t1_enc.c
index 237a19cd93..900ba14fbd 100644
--- ssl/t1_enc.c
+++ ssl/t1_enc.c
@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
return ret;
}
-#ifndef OPENSSL_NO_KTLS
- /*
- * Count the number of records that were not processed yet from record boundary.
- *
- * This function assumes that there are only fully formed records read in the
- * record layer. If read_ahead is enabled, then this might be false and this
- * function will fail.
- */
-# ifndef OPENSSL_NO_KTLS_RX
-static int count_unprocessed_records(SSL *s)
-{
- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
- PACKET pkt, subpkt;
- int count = 0;
-
- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
- return -1;
-
- while (PACKET_remaining(&pkt) > 0) {
- /* Skip record type and version */
- if (!PACKET_forward(&pkt, 3))
- return -1;
-
- /* Read until next record */
- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
- return -1;
-
- count += 1;
- }
-
- return count;
-}
-# endif
-#endif
-
-
int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *ciph,
const EVP_MD *md)
@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which)
int reuse_dd = 0;
#ifndef OPENSSL_NO_KTLS
ktls_crypto_info_t crypto_info;
- unsigned char *rec_seq;
void *rl_sequence;
-# ifndef OPENSSL_NO_KTLS_RX
- int count_unprocessed;
- int bit;
-# endif
BIO *bio;
#endif
@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which)
else
rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq,
- iv, key, ms, *mac_secret_size))
+ if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info,
+ which & SSL3_CC_WRITE, iv, key, ms,
+ *mac_secret_size))
goto skip_ktls;
- if (which & SSL3_CC_READ) {
-# ifndef OPENSSL_NO_KTLS_RX
- count_unprocessed = count_unprocessed_records(s);
- if (count_unprocessed < 0)
- goto skip_ktls;
-
- /* increment the crypto_info record sequence */
- while (count_unprocessed) {
- for (bit = 7; bit >= 0; bit--) { /* increment */
- ++rec_seq[bit];
- if (rec_seq[bit] != 0)
- break;
- }
- count_unprocessed--;
- }
-# else
- goto skip_ktls;
-# endif
- }
-
/* ktls works with user provided buffers directly */
if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
if (which & SSL3_CC_WRITE)
diff --git ssl/tls13_enc.c ssl/tls13_enc.c
index 12388922e3..eaab0e2a74 100644
--- ssl/tls13_enc.c
+++ ssl/tls13_enc.c
@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which)
const EVP_CIPHER *cipher = NULL;
#if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13)
ktls_crypto_info_t crypto_info;
+ void *rl_sequence;
BIO *bio;
#endif
@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which)
s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
#ifndef OPENSSL_NO_KTLS
# if defined(OPENSSL_KTLS_TLS13)
- if (!(which & SSL3_CC_WRITE)
- || !(which & SSL3_CC_APPLICATION)
+ if (!(which & SSL3_CC_APPLICATION)
|| (s->options & SSL_OP_ENABLE_KTLS) == 0)
goto skip_ktls;
@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which)
if (!ktls_check_supported_cipher(s, cipher, ciph_ctx))
goto skip_ktls;
- bio = s->wbio;
+ if (which & SSL3_CC_WRITE)
+ bio = s->wbio;
+ else
+ bio = s->rbio;
if (!ossl_assert(bio != NULL)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which)
}
/* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
- if (BIO_flush(bio) <= 0)
- goto skip_ktls;
+ if (which & SSL3_CC_WRITE) {
+ if (BIO_flush(bio) <= 0)
+ goto skip_ktls;
+ }
/* configure kernel crypto structure */
- if (!ktls_configure_crypto(s, cipher, ciph_ctx,
- RECORD_LAYER_get_write_sequence(&s->rlayer),
- &crypto_info, NULL, iv, key, NULL, 0))
+ if (which & SSL3_CC_WRITE)
+ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer);
+ else
+ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
+
+ if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info,
+ which & SSL3_CC_WRITE, iv, key, NULL, 0))
goto skip_ktls;
/* ktls works with user provided buffers directly */
- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE))
- ssl3_release_write_buffer(s);
+ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
+ if (which & SSL3_CC_WRITE)
+ ssl3_release_write_buffer(s);
+ }
skip_ktls:
# endif
#endif
diff --git test/sslapitest.c test/sslapitest.c
index 2911d6e94b..faf2eec2bc 100644
--- test/sslapitest.c
+++ test/sslapitest.c
@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
#if defined(OPENSSL_NO_KTLS_RX)
rx_supported = 0;
#else
- rx_supported = (tls_version != TLS1_3_VERSION);
+ rx_supported = 1;
#endif
if (!cis_ktls || !rx_supported) {
if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))


@ -1,20 +0,0 @@
--- util/find-doc-nits.orig 2021-09-07 11:46:32 UTC
+++ util/find-doc-nits
@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt';
my $OUT;
my $status = 0;
-$opt_m = "man1,man3,man5,man7" unless $opt_m;
+$opt_m = "man1,man5" unless $opt_m;
die "Argument of -m option may contain only man1, man3, man5, and/or man7"
unless $opt_m =~ /^(man[1357][, ]?)*$/;
my @sections = ( split /[, ]/, $opt_m );
@@ -721,7 +721,7 @@ sub check {
next if $target eq ''; # Skip if links within page, or
next if $target =~ /::/; # links to a Perl module, or
next if $target =~ /^https?:/; # is a URL link, or
- next if $target =~ /\([1357]\)$/; # it has a section
+ next if $target =~ /\([15]\)$/; # it has a section
err($id, "Section missing in $target")
}
# Check for proper links to commands.


@ -1,35 +0,0 @@
--- Configurations/10-main.conf.orig 2022-04-12 16:29:42 UTC
+++ Configurations/10-main.conf
@@ -1069,6 +1069,32 @@ my %targets = (
perlasm_scheme => "linux64",
},
+ "BSD-ppc" => {
+ inherit_from => [ "BSD-generic32" ],
+ asm_arch => 'ppc32',
+ perlasm_scheme => "linux32",
+ lib_cppflags => add("-DB_ENDIAN"),
+ },
+
+ "BSD-ppc64" => {
+ inherit_from => [ "BSD-generic64" ],
+ cflags => add("-m64"),
+ cxxflags => add("-m64"),
+ lib_cppflags => add("-DB_ENDIAN"),
+ asm_arch => 'ppc64',
+ perlasm_scheme => "linux64",
+ },
+
+ "BSD-ppc64le" => {
+ inherit_from => [ "BSD-generic64" ],
+ cflags => add("-m64"),
+ cxxflags => add("-m64"),
+ lib_cppflags => add("-DL_ENDIAN"),
+ asm_arch => 'ppc64',
+ perlasm_scheme => "linux64le",
+ },
+
+
"bsdi-elf-gcc" => {
inherit_from => [ "BASE_unix" ],
CC => "gcc",


@ -1,13 +0,0 @@
--- crypto/threads_pthread.c.orig 2022-11-01 14:14:36 UTC
+++ crypto/threads_pthread.c
@@ -29,6 +29,10 @@
#define BROKEN_CLANG_ATOMICS
#endif
+#if defined(__FreeBSD__) && defined(__i386__)
+#define BROKEN_CLANG_ATOMICS
+#endif
+
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
# if defined(OPENSSL_SYS_UNIX)


@ -1,13 +0,0 @@
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1,
v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide.
The project is managed by a worldwide community of volunteers that use
the Internet to communicate, plan, and develop the OpenSSL tookit
and its related documentation.
OpenSSL is based on the excellent SSLeay library developed by Eric
A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
an Apache-style licence, which basically means that you are free
to get and use it for commercial and non-commercial purposes subject
to some simple license conditions.


@ -1,275 +0,0 @@
bin/c_rehash
bin/openssl
include/openssl/aes.h
include/openssl/asn1.h
include/openssl/asn1_mac.h
include/openssl/asn1err.h
include/openssl/asn1t.h
include/openssl/async.h
include/openssl/asyncerr.h
include/openssl/bio.h
include/openssl/bioerr.h
include/openssl/blowfish.h
include/openssl/bn.h
include/openssl/bnerr.h
include/openssl/buffer.h
include/openssl/buffererr.h
include/openssl/camellia.h
include/openssl/cast.h
include/openssl/cmac.h
include/openssl/cmp.h
include/openssl/cmp_util.h
include/openssl/cmperr.h
include/openssl/cms.h
include/openssl/cmserr.h
include/openssl/comp.h
include/openssl/comperr.h
include/openssl/conf.h
include/openssl/conf_api.h
include/openssl/conferr.h
include/openssl/configuration.h
include/openssl/conftypes.h
include/openssl/core.h
include/openssl/core_dispatch.h
include/openssl/core_names.h
include/openssl/core_object.h
include/openssl/crmf.h
include/openssl/crmferr.h
include/openssl/crypto.h
include/openssl/cryptoerr.h
include/openssl/cryptoerr_legacy.h
include/openssl/ct.h
include/openssl/cterr.h
include/openssl/decoder.h
include/openssl/decodererr.h
include/openssl/des.h
include/openssl/dh.h
include/openssl/dherr.h
include/openssl/dsa.h
include/openssl/dsaerr.h
include/openssl/dtls1.h
include/openssl/e_os2.h
include/openssl/ebcdic.h
include/openssl/ec.h
include/openssl/ecdh.h
include/openssl/ecdsa.h
include/openssl/ecerr.h
include/openssl/encoder.h
include/openssl/encodererr.h
include/openssl/engine.h
include/openssl/engineerr.h
include/openssl/err.h
include/openssl/ess.h
include/openssl/esserr.h
include/openssl/evp.h
include/openssl/evperr.h
include/openssl/fips_names.h
include/openssl/fipskey.h
include/openssl/hmac.h
include/openssl/http.h
include/openssl/httperr.h
include/openssl/idea.h
include/openssl/kdf.h
include/openssl/kdferr.h
include/openssl/lhash.h
include/openssl/macros.h
include/openssl/md2.h
include/openssl/md4.h
include/openssl/md5.h
include/openssl/mdc2.h
include/openssl/modes.h
include/openssl/obj_mac.h
include/openssl/objects.h
include/openssl/objectserr.h
include/openssl/ocsp.h
include/openssl/ocsperr.h
include/openssl/opensslconf.h
include/openssl/opensslv.h
include/openssl/ossl_typ.h
include/openssl/param_build.h
include/openssl/params.h
include/openssl/pem.h
include/openssl/pem2.h
include/openssl/pemerr.h
include/openssl/pkcs12.h
include/openssl/pkcs12err.h
include/openssl/pkcs7.h
include/openssl/pkcs7err.h
include/openssl/prov_ssl.h
include/openssl/proverr.h
include/openssl/provider.h
include/openssl/rand.h
include/openssl/randerr.h
include/openssl/rc2.h
include/openssl/rc4.h
include/openssl/rc5.h
include/openssl/ripemd.h
include/openssl/rsa.h
include/openssl/rsaerr.h
include/openssl/safestack.h
include/openssl/seed.h
include/openssl/self_test.h
include/openssl/sha.h
include/openssl/srp.h
include/openssl/srtp.h
include/openssl/ssl.h
include/openssl/ssl2.h
include/openssl/ssl3.h
include/openssl/sslerr.h
include/openssl/sslerr_legacy.h
include/openssl/stack.h
include/openssl/store.h
include/openssl/storeerr.h
include/openssl/symhacks.h
include/openssl/tls1.h
include/openssl/trace.h
include/openssl/ts.h
include/openssl/tserr.h
include/openssl/txt_db.h
include/openssl/types.h
include/openssl/ui.h
include/openssl/uierr.h
include/openssl/whrlpool.h
include/openssl/x509.h
include/openssl/x509_vfy.h
include/openssl/x509err.h
include/openssl/x509v3.h
include/openssl/x509v3err.h
%%SHARED%%lib/engines-%%SHLIBVER%%/capi.so
%%SHARED%%lib/engines-%%SHLIBVER%%/devcrypto.so
%%SHARED%%lib/engines-%%SHLIBVER%%/loader_attic.so
%%SHARED%%lib/engines-%%SHLIBVER%%/padlock.so
lib/libcrypto.a
%%SHARED%%lib/libcrypto.so
%%SHARED%%lib/libcrypto.so.%%SHLIBVER%%
lib/libssl.a
%%SHARED%%lib/libssl.so
%%SHARED%%lib/libssl.so.%%SHLIBVER%%
%%FIPS%%%%SHARED%%lib/ossl-modules/fips.so
%%LEGACY%%%%SHARED%%lib/ossl-modules/legacy.so
libdata/pkgconfig/libcrypto.pc
libdata/pkgconfig/libssl.pc
libdata/pkgconfig/openssl.pc
share/man/man1/CA.pl.1ossl.gz
share/man/man1/asn1parse.1ossl.gz
share/man/man1/c_rehash.1ossl.gz
share/man/man1/ca.1ossl.gz
share/man/man1/ciphers.1ossl.gz
share/man/man1/cmp.1ossl.gz
share/man/man1/cms.1ossl.gz
share/man/man1/crl.1ossl.gz
share/man/man1/crl2pkcs7.1ossl.gz
share/man/man1/dgst.1ossl.gz
share/man/man1/dhparam.1ossl.gz
share/man/man1/dsa.1ossl.gz
share/man/man1/dsaparam.1ossl.gz
share/man/man1/ec.1ossl.gz
share/man/man1/ecparam.1ossl.gz
share/man/man1/enc.1ossl.gz
share/man/man1/engine.1ossl.gz
share/man/man1/errstr.1ossl.gz
share/man/man1/gendsa.1ossl.gz
share/man/man1/genpkey.1ossl.gz
share/man/man1/genrsa.1ossl.gz
share/man/man1/info.1ossl.gz
share/man/man1/kdf.1ossl.gz
share/man/man1/mac.1ossl.gz
share/man/man1/nseq.1ossl.gz
share/man/man1/ocsp.1ossl.gz
share/man/man1/openssl-asn1parse.1ossl.gz
share/man/man1/openssl-ca.1ossl.gz
share/man/man1/openssl-ciphers.1ossl.gz
share/man/man1/openssl-cmds.1ossl.gz
share/man/man1/openssl-cmp.1ossl.gz
share/man/man1/openssl-cms.1ossl.gz
share/man/man1/openssl-crl.1ossl.gz
share/man/man1/openssl-crl2pkcs7.1ossl.gz
share/man/man1/openssl-dgst.1ossl.gz
share/man/man1/openssl-dhparam.1ossl.gz
share/man/man1/openssl-dsa.1ossl.gz
share/man/man1/openssl-dsaparam.1ossl.gz
share/man/man1/openssl-ec.1ossl.gz
share/man/man1/openssl-ecparam.1ossl.gz
share/man/man1/openssl-enc.1ossl.gz
share/man/man1/openssl-engine.1ossl.gz
share/man/man1/openssl-errstr.1ossl.gz
share/man/man1/openssl-fipsinstall.1ossl.gz
share/man/man1/openssl-format-options.1ossl.gz
share/man/man1/openssl-gendsa.1ossl.gz
share/man/man1/openssl-genpkey.1ossl.gz
share/man/man1/openssl-genrsa.1ossl.gz
share/man/man1/openssl-info.1ossl.gz
share/man/man1/openssl-kdf.1ossl.gz
share/man/man1/openssl-list.1ossl.gz
share/man/man1/openssl-mac.1ossl.gz
share/man/man1/openssl-namedisplay-options.1ossl.gz
share/man/man1/openssl-nseq.1ossl.gz
share/man/man1/openssl-ocsp.1ossl.gz
share/man/man1/openssl-passphrase-options.1ossl.gz
share/man/man1/openssl-passwd.1ossl.gz
share/man/man1/openssl-pkcs12.1ossl.gz
share/man/man1/openssl-pkcs7.1ossl.gz
share/man/man1/openssl-pkcs8.1ossl.gz
share/man/man1/openssl-pkey.1ossl.gz
share/man/man1/openssl-pkeyparam.1ossl.gz
share/man/man1/openssl-pkeyutl.1ossl.gz
share/man/man1/openssl-prime.1ossl.gz
share/man/man1/openssl-rand.1ossl.gz
share/man/man1/openssl-rehash.1ossl.gz
share/man/man1/openssl-req.1ossl.gz
share/man/man1/openssl-rsa.1ossl.gz
share/man/man1/openssl-rsautl.1ossl.gz
share/man/man1/openssl-s_client.1ossl.gz
share/man/man1/openssl-s_server.1ossl.gz
share/man/man1/openssl-s_time.1ossl.gz
share/man/man1/openssl-sess_id.1ossl.gz
share/man/man1/openssl-smime.1ossl.gz
share/man/man1/openssl-speed.1ossl.gz
share/man/man1/openssl-spkac.1ossl.gz
share/man/man1/openssl-srp.1ossl.gz
share/man/man1/openssl-storeutl.1ossl.gz
share/man/man1/openssl-ts.1ossl.gz
share/man/man1/openssl-verification-options.1ossl.gz
share/man/man1/openssl-verify.1ossl.gz
share/man/man1/openssl-version.1ossl.gz
share/man/man1/openssl-x509.1ossl.gz
share/man/man1/openssl.1ossl.gz
share/man/man1/passwd.1ossl.gz
share/man/man1/pkcs12.1ossl.gz
share/man/man1/pkcs7.1ossl.gz
share/man/man1/pkcs8.1ossl.gz
share/man/man1/pkey.1ossl.gz
share/man/man1/pkeyparam.1ossl.gz
share/man/man1/pkeyutl.1ossl.gz
share/man/man1/prime.1ossl.gz
share/man/man1/rand.1ossl.gz
share/man/man1/rehash.1ossl.gz
share/man/man1/req.1ossl.gz
share/man/man1/rsa.1ossl.gz
share/man/man1/rsautl.1ossl.gz
share/man/man1/s_client.1ossl.gz
share/man/man1/s_server.1ossl.gz
share/man/man1/s_time.1ossl.gz
share/man/man1/sess_id.1ossl.gz
share/man/man1/smime.1ossl.gz
share/man/man1/speed.1ossl.gz
share/man/man1/spkac.1ossl.gz
share/man/man1/srp.1ossl.gz
share/man/man1/storeutl.1ossl.gz
share/man/man1/ts.1ossl.gz
share/man/man1/tsget.1ossl.gz
share/man/man1/verify.1ossl.gz
share/man/man1/version.1ossl.gz
share/man/man1/x509.1ossl.gz
share/man/man5/config.5ossl.gz
share/man/man5/fips_config.5ossl.gz
share/man/man5/x509v3_config.5ossl.gz
%%OPENSSLDIR%%/misc/CA.pl
@comment %%OPENSSLDIR%%/misc/tsget.pl
%%OPENSSLDIR%%/misc/tsget
@sample %%OPENSSLDIR%%/ct_log_list.cnf.dist %%OPENSSLDIR%%/ct_log_list.cnf
%%FIPS%%%%OPENSSLDIR%%/fipsmodule.cnf
@sample %%OPENSSLDIR%%/openssl.cnf.dist %%OPENSSLDIR%%/openssl.cnf
@dir lib/ossl-modules
@dir %%OPENSSLDIR%%/private
@dir %%OPENSSLDIR%%/certs


@ -1 +0,0 @@
OPENSSL_SHLIBVER?= 13


@ -16,7 +16,7 @@ RUN_DEPENDS= p5-PAR-Packer>=0:devel/p5-PAR-Packer
TEST_DEPENDS= p5-CPAN-Changes>=0:devel/p5-CPAN-Changes
USES= perl5 ssl
BROKEN_SSL= openssl openssl31
BROKEN_SSL= openssl
BROKEN_SSL_REASON= Cannot detect OpenSSL 3.0.0 and later
USE_PERL5= configure
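Review bot: The narrowed `BROKEN_SSL= openssl` on the new line no longer matches `BROKEN_SSL_REASON= Cannot detect OpenSSL 3.0.0 and later` on the line after it: if the detection failure really covers "3.0.0 and later", the remaining 3.x variants listed in ssl.mk (openssl32, openssl33) presumably fail the same way and belong in the list, and if it does not, the reason should be narrowed to what is actually broken, e.g. `BROKEN_SSL_REASON= Cannot detect OpenSSL 3.0.x`. The same list/reason mismatch appears in the section with `BROKEN_SSL_REASON_openssl= error: undefined symbol: EVP_PKEY_*` (the removed openssl31 line carried an identical reason, which suggests a 3.x-wide symptom rather than a 3.1-specific one) and in the section citing `undefined symbol: SSL_get_peer_certificate`, which as far as I recall is a macro rather than an exported symbol on every OpenSSL 3.x release. Worth confirming with a build against ssl=openssl32 before treating these shortened lists as accurate; removing the openssl31 entry itself is correct since the port is gone.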


@ -7,16 +7,16 @@
(translation is needed even for English language).
- Using database
= Install your favorite database (enable utf8 support), e.g.
databases/postgresql15-server
databases/postgresql15-server
and perl interface for it, e.g. databases/p5-DBD-Pg
= Examples, demos and tutorials of OpenXPKI traditionally use MariaDB
= Examples, demos and tutorials of OpenXPKI traditionally use MariaDB
database. But its use with OpenXPKI on FreeBSD is a bit tricky:
- Install e.g. databases/mariadb106-server
- Add value mysql to file /etc/make.conf like this:
DEFAULT_VERSIONS+= mysql=10.6m
- cd /usr/ports/databases/p5-DBD-mysql4 && make reinstall
Note that installing of databases/p5-DBD-MariaDB here may hinder
operation of your OpeXPKI setup.
operation of your OpeXPKI setup.
- Install your favorite web server.
Copy FastCGI scripts from %%EXAMPLESDIR%%/cgi-bin to the location
where your web server can use them. Set executable permissions for them.
@ -33,10 +33,10 @@
- If you want more complex role for your server inside the PKI infrastructure,
then perform further deployment procedure for your server atop
the basic deployment.
- Oversimplified example scripts and configs are provided herewith for
illustration only, and not for production use. All features of OpenXPI in
production should be acquired by setting up an appropriate server with
needed deployment procedure.
- Oversimplified example scripts and configs are provided herewith for
illustration only, and not for production use. All features of OpenXPI in
production should be acquired by setting up an appropriate server with
needed deployment procedure.
- This port has created user:group as openxpki:openxpki, which owns
the OpenXPKI server.
- After first fresh installation, create empty log files as follows
@ -61,18 +61,18 @@ install -m 660 -o www -g www /dev/null /var/log/openxpki/soap.log
/var/log/openxpki: server log files.
/var/tmp: temporary directory.
- Use of openssl/libressl
= This package comes (from FreeBSD build cluster) bound with
= This package comes (from FreeBSD build cluster) bound with
openssl from base system, cf: /usr/ports/Mk/Uses/ssl.mk
If you want to use openssl or libressl from ports instead, then:
1) add the name of respective port
(openssl, openssl30, openssl31, libressl, libressl-devel...)
1) add the name of respective port
(openssl, openssl30, openssl32, libressl, libressl-devel...)
to /etc/make.conf file e.g. like this:
DEFAULT_VERSIONS+= ssl=openssl31
2) install security/openssl31
DEFAULT_VERSIONS+= ssl=openssl32
2) install security/openssl32
3) cd /usr/ports/security/p5-openxpki && make reinstall
you do not need to rebuild dependencies, installed from packages.
= Using versions OpenSSL 1.0 or less can restrict features of the OpenXPI.
= OpenXPKI builds just fine with any available versions of OpenSSL or
= OpenXPKI builds just fine with any available versions of OpenSSL or
LibreSSL. But its operation with LibreSSL, or with OpenSSL 3+ has not
been fully tested. Report your respective story to the list
https://sourceforge.net/p/openxpki/mailman/
@ -81,7 +81,7 @@ EOM
}
{ type: upgrade
message: <<EOM
If you update existing installation, please check if extra handwork
If you update existing installation, please check if extra handwork
is needed in your case:
http://openxpki.readthedocs.io/en/latest/upgrading.html
https://sourceforge.net/p/openxpki/mailman/message/37607700/


@ -13,10 +13,9 @@ LICENSE_NAME_THIRDPARTY= Third-party licenses
LICENSE_FILE_THIRDPARTY= ${WRKSRC}/docs/TPLICENSES.md
LICENSE_PERMS_THIRDPARTY= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
BROKEN_SSL= libressl openssl openssl31
BROKEN_SSL= libressl openssl
BROKEN_SSL_REASON_libressl= error: use of undeclared identifier 'EVP_PKEY_X25519' (LibreSSL has no support for Edwards curves)
BROKEN_SSL_REASON_openssl= error: undefined symbol: EVP_PKEY_*
BROKEN_SSL_REASON_openssl31= error: undefined symbol: EVP_PKEY_*
BUILD_DEPENDS= autoconf-archive>0:devel/autoconf-archive \
flex:textproc/flex


@ -15,7 +15,7 @@ BUILD_DEPENDS= asciidoc:textproc/asciidoc \
minixmlto:textproc/minixmlto
USES= cpe gmake pkgconfig ssl
BROKEN_SSL= openssl openssl31
BROKEN_SSL= openssl
BROKEN_SSL_REASON= Fails to build with ld: error: undefined symbol: SSL_get_peer_certificate
USE_GITHUB= yes


@ -15,7 +15,7 @@ LICENSE_FILE= ${WRKSRC}/LICENSE
BUILD_DEPENDS= capnp:devel/capnproto
USES= cargo ssl
#BROKEN_SSL= openssl openssl31
#BROKEN_SSL= openssl
#BROKEN_SSL_REASON= Cannot detect OpenSSL 3.0.0 and later
CARGO_CRATES= addr2line-0.19.0 \
adler-1.0.2 \