mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-18 00:10:04 +00:00
Code Issues Releases Activity

security/openssl30: Moved to security/openssl

Browse Source
This commit is contained in:
Bernard Spil 2023-10-14 19:13:45 +02:00
parent d5ec2e12f3
commit 55f9ba2974
13 changed files with 1 additions and 1153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
MOVED
View File

@ -7945,3 +7945,4 @@ devel/rubygem-google-protobuf323|devel/rubygem-google-protobuf|2023-10-11|Remove
audio/rem||2023-10-12|Has expired: Deprecated, replaced by libre
net/openmpi3|net/openmpi|2023-10-12|Has expired: OpenMPI 3 is not maintained by the upstream project anymore and will be removed
graphics/tiffgt||2023-10-14|Has expired: Upstream support stopped
security/openssl30|security/openssl|2023-10-14|Upgrade security/openssl to 3.0

194
security/openssl30/Makefile
View File

@ -1,194 +0,0 @@
PORTNAME= openssl
PORTVERSION= 3.0.11
PORTREVISION= 1
CATEGORIES= security devel
MASTER_SITES= https://www.openssl.org/source/ \
ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/
PKGNAMESUFFIX= 30
MAINTAINER= brnrd@FreeBSD.org
COMMENT= TLSv1.3 capable SSL and crypto library
WWW= https://www.openssl.org/
LICENSE= APACHE20
LICENSE_FILE= ${WRKSRC}/LICENSE.txt
CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl3[12] openssl-quictls
HAS_CONFIGURE= yes
CONFIGURE_SCRIPT= config
CONFIGURE_ENV= PERL="${PERL}"
CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \
--prefix=${PREFIX}
USES= cpe perl5
USE_PERL5= build
TEST_TARGET= test
LDFLAGS_i386= -Wl,-znotext
MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}"
MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
OPTIONS_GROUP= CIPHERS HASHES MODULES OPTIMIZE PROTOCOLS
OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS
OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3
OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS
OPTIONS_GROUP_MODULES= FIPS LEGACY
OPTIONS_DEFINE_i386= I386
OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2
OPTIONS_DEFINE= ASYNC CRYPTODEV CT KTLS MAN3 RFC3779 SHARED ZLIB
OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST KTLS MAN3 MD4 NEXTPROTONEG \
RFC3779 RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2
OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:} \
${${OSVERSION} > 1300000:?CRYPTODEV:}
OPTIONS_GROUP_OPTIMIZE_amd64= EC
.if ${MACHINE_ARCH} == "amd64"
OPTIONS_GROUP_OPTIMIZE+= EC
.elif ${MACHINE_ARCH} == "mips64el"
OPTIONS_GROUP_OPTIMIZE+= EC
.endif
OPTIONS_SUB= yes
ARIA_DESC= ARIA (South Korean standard)
ASM_DESC= Assembler code
ASYNC_DESC= Asynchronous mode
CIPHERS_DESC= Block Cipher Support
CRYPTODEV_DESC= /dev/crypto support
CT_DESC= Certificate Transparency Support
DES_DESC= (Triple) Data Encryption Standard
EC_DESC= Optimize NIST elliptic curves
FIPS_DESC= Build FIPS provider
GOST_DESC= GOST (Russian standard)
HASHES_DESC= Hash Function Support
I386_DESC= i386 (instead of i486+)
IDEA_DESC= International Data Encryption Algorithm
KTLS_DESC= Use in-kernel TLS (FreeBSD >13)
LEGACY_DESC= Older algorithms
MAN3_DESC= Install API manpages (section 3, 7)
MD2_DESC= MD2 (obsolete) (requires LEGACY)
MD4_DESC= MD4 (unsafe)
MDC2_DESC= MDC-2 (patented, requires DES)
MODULES_DESC= Provider modules
NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY)
OPTIMIZE_DESC= Optimizations
PROTOCOLS_DESC= Protocol Support
RC2_DESC= RC2 (unsafe)
RC4_DESC= RC4 (unsafe)
RC5_DESC= RC5 (patented)
RMD160_DESC= RIPEMD-160
RFC3779_DESC= RFC3779 support (BGP)
SCTP_DESC= SCTP (Stream Control Transmission)
SHARED_DESC= Build shared libraries
SM2_DESC= SM2 Elliptic Curve DH (Chinese standard)
SM3_DESC= SM3 256bit (Chinese standard)
SM4_DESC= SM4 128bit (Chinese standard)
SSE2_DESC= Runtime SSE2 detection
SSL3_DESC= SSLv3 (unsafe)
TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2)
TLS1_1_DESC= TLSv1.1 (requires TLS1_2)
TLS1_2_DESC= TLSv1.2
WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe)
# Upstream default disabled options
.for _option in fips md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib
${_option:tu}_CONFIGURE_ON= enable-${_option}
.endfor
# Upstream default enabled options
.for _option in aria asm async ct des gost idea md4 mdc2 legacy \
nextprotoneg rc2 rc4 rfc3779 rmd160 shared sm2 sm3 sm4 sse2 \
threads tls1 tls1_1 tls1_2
${_option:tu}_CONFIGURE_OFF= no-${_option}
.endfor
MD2_IMPLIES= LEGACY
MDC2_IMPLIES= DES
TLS1_IMPLIES= TLS1_1
TLS1_1_IMPLIES= TLS1_2
EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128
FIPS_VARS= shlibs+=lib/ossl-modules/fips.so
I386_CONFIGURE_ON= 386
KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls
LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so
MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits
SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER}
SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER}
SHARED_USE= ldconfig=yes
SHARED_VARS= shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \
lib/libssl.so.${OPENSSL_SHLIBVER} \
lib/engines-${OPENSSL_SHLIBVER}/capi.so \
lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \
lib/engines-${OPENSSL_SHLIBVER}/padlock.so"
SSL3_CONFIGURE_ON+= enable-ssl3-method
ZLIB_CONFIGURE_ON= zlib-dynamic
SHLIBS= lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so
.include <bsd.port.options.mk>
.if ${ARCH} == powerpc64
CONFIGURE_ARGS+= BSD-ppc64
.elif ${ARCH} == powerpc64le
CONFIGURE_ARGS+= BSD-ppc64le
.elif ${ARCH} == riscv64
CONFIGURE_ARGS+= BSD-riscv64
.endif
.include <bsd.port.pre.mk>
.if ${PREFIX} == /usr
IGNORE= the OpenSSL port can not be installed over the base version
.endif
.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1300000 && !${PORT_OPTIONS:MCRYPTODEV}
CONFIGURE_ARGS+= no-devcryptoeng
.endif
OPENSSLDIR?= ${PREFIX}/openssl
PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
.include "version.mk"
.if ${PORT_OPTIONS:MASM}
BROKEN_sparc64= option ASM generates illegal instructions
.endif
post-patch:
${REINPLACE_CMD} -Ee 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \
-e 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \
${WRKSRC}/Configurations/unix-Makefile.tmpl
${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \
${WRKSRC}/VERSION.dat
post-configure:
( cd ${WRKSRC} ; ${PERL} configdata.pm --dump )
post-configure-MAN3-off:
${REINPLACE_CMD} \
-e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \
-e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \
${WRKSRC}/Makefile
post-install-SHARED-on:
.for i in ${SHLIBS}
-@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i
.endfor
post-install-SHARED-off:
${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-12
post-install:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl
post-install-MAN3-on:
( cd ${STAGEDIR}/${PREFIX} ; find man/man3 -not -type d ; \
find man/man7 -not -type d ) | sed 's/$$/.gz/' >> ${TMPPLIST}
.include <bsd.port.post.mk>

3
security/openssl30/distinfo
View File

@ -1,3 +0,0 @@
TIMESTAMP = 1695134169
SHA256 (openssl-3.0.11.tar.gz) = b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55
SIZE (openssl-3.0.11.tar.gz) = 15198318

540
security/openssl30/files/extra-patch-ktls
View File

@ -1,540 +0,0 @@
diff --git include/internal/ktls.h include/internal/ktls.h
index 95492fd065..3c82cae26b 100644
--- include/internal/ktls.h
+++ include/internal/ktls.h
@@ -40,6 +40,11 @@
# define OPENSSL_KTLS_AES_GCM_128
# define OPENSSL_KTLS_AES_GCM_256
# define OPENSSL_KTLS_TLS13
+# ifdef TLS_CHACHA20_IV_LEN
+# ifndef OPENSSL_NO_CHACHA
+# define OPENSSL_KTLS_CHACHA20_POLY1305
+# endif
+# endif
typedef struct tls_enable ktls_crypto_info_t;
diff --git ssl/ktls.c ssl/ktls.c
index 79d980959e..e343d382cc 100644
--- ssl/ktls.c
+++ ssl/ktls.c
@@ -10,6 +10,67 @@
#include "ssl_local.h"
#include "internal/ktls.h"
+#ifndef OPENSSL_NO_KTLS_RX
+ /*
+ * Count the number of records that were not processed yet from record boundary.
+ *
+ * This function assumes that there are only fully formed records read in the
+ * record layer. If read_ahead is enabled, then this might be false and this
+ * function will fail.
+ */
+static int count_unprocessed_records(SSL *s)
+{
+ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
+ PACKET pkt, subpkt;
+ int count = 0;
+
+ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
+ return -1;
+
+ while (PACKET_remaining(&pkt) > 0) {
+ /* Skip record type and version */
+ if (!PACKET_forward(&pkt, 3))
+ return -1;
+
+ /* Read until next record */
+ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
+ return -1;
+
+ count += 1;
+ }
+
+ return count;
+}
+
+/*
+ * The kernel cannot offload receive if a partial TLS record has been read.
+ * Check the read buffer for unprocessed records. If the buffer contains a
+ * partial record, fail and return 0. Otherwise, update the sequence
+ * number at *rec_seq for the count of unprocessed records and return 1.
+ */
+static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq)
+{
+ int bit, count_unprocessed;
+
+ count_unprocessed = count_unprocessed_records(s);
+ if (count_unprocessed < 0)
+ return 0;
+
+ /* increment the crypto_info record sequence */
+ while (count_unprocessed) {
+ for (bit = 7; bit >= 0; bit--) { /* increment */
+ ++rec_seq[bit];
+ if (rec_seq[bit] != 0)
+ break;
+ }
+ count_unprocessed--;
+
+ }
+
+ return 1;
+}
+#endif
+
#if defined(__FreeBSD__)
# include "crypto/cryptodev.h"
@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
case SSL_AES128GCM:
case SSL_AES256GCM:
return 1;
+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+ case SSL_CHACHA20POLY1305:
+ return 1;
+# endif
case SSL_AES128:
case SSL_AES256:
if (s->ext.use_etm)
@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
}
/* Function to configure kernel TLS structure */
-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
void *rl_sequence, ktls_crypto_info_t *crypto_info,
- unsigned char **rec_seq, unsigned char *iv,
+ int is_tx, unsigned char *iv,
unsigned char *key, unsigned char *mac_key,
size_t mac_secret_size)
{
@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
else
crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
break;
+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
+ case SSL_CHACHA20POLY1305:
+ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
+ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd);
+ break;
+# endif
case SSL_AES128:
case SSL_AES256:
switch (s->s3.tmp.new_cipher->algorithm_mac) {
@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
crypto_info->tls_vminor = (s->version & 0x000000ff);
# ifdef TCP_RXTLS_ENABLE
memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq));
- if (rec_seq != NULL)
- *rec_seq = crypto_info->rec_seq;
+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq))
+ return 0;
# else
- if (rec_seq != NULL)
- *rec_seq = NULL;
+ if (!is_tx)
+ return 0;
# endif
return 1;
};
@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
}
/* Function to configure kernel TLS structure */
-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
void *rl_sequence, ktls_crypto_info_t *crypto_info,
- unsigned char **rec_seq, unsigned char *iv,
+ int is_tx, unsigned char *iv,
unsigned char *key, unsigned char *mac_key,
size_t mac_secret_size)
{
unsigned char geniv[12];
unsigned char *iiv = iv;
+# ifdef OPENSSL_NO_KTLS_RX
+ if (!is_tx)
+ return 0;
+# endif
+
if (s->version == TLS1_2_VERSION &&
EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) {
if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv,
@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->gcm128.rec_seq, rl_sequence,
TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- if (rec_seq != NULL)
- *rec_seq = crypto_info->gcm128.rec_seq;
+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq))
+ return 0;
return 1;
# endif
# ifdef OPENSSL_KTLS_AES_GCM_256
@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->gcm256.rec_seq, rl_sequence,
TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
- if (rec_seq != NULL)
- *rec_seq = crypto_info->gcm256.rec_seq;
+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq))
+ return 0;
return 1;
# endif
# ifdef OPENSSL_KTLS_AES_CCM_128
@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->ccm128.rec_seq, rl_sequence,
TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
- if (rec_seq != NULL)
- *rec_seq = crypto_info->ccm128.rec_seq;
+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq))
+ return 0;
return 1;
# endif
# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
EVP_CIPHER_get_key_length(c));
memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
- if (rec_seq != NULL)
- *rec_seq = crypto_info->chacha20poly1305.rec_seq;
+ if (!is_tx
+ && !check_rx_read_ahead(s,
+ crypto_info->chacha20poly1305.rec_seq))
+ return 0;
return 1;
# endif
default:
diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c
index d8ef018741..63caac080f 100644
--- ssl/record/ssl3_record.c
+++ ssl/record/ssl3_record.c
@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s)
int imac_size;
size_t num_recs = 0, max_recs, j;
PACKET pkt, sslv2pkt;
- int is_ktls_left;
+ int using_ktls;
SSL_MAC_BUF *macbufs = NULL;
int ret = -1;
rr = RECORD_LAYER_get_rrec(&s->rlayer);
rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0);
max_recs = s->max_pipelines;
if (max_recs == 0)
max_recs = 1;
sess = s->session;
+ /*
+ * KTLS reads full records. If there is any data left,
+ * then it is from before enabling ktls.
+ */
+ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0;
+
do {
thisrr = &rr[num_recs];
@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s)
}
}
- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
+ if (SSL_IS_TLS13(s)
+ && s->enc_read_ctx != NULL
+ && !using_ktls) {
if (thisrr->type != SSL3_RT_APPLICATION_DATA
&& (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
|| !SSL_IS_FIRST_HANDSHAKE(s))
@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s)
}
if (SSL_IS_TLS13(s)) {
- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
+ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH;
+
+ /* KTLS strips the inner record type. */
+ if (using_ktls)
+ len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
+
+ if (thisrr->length > len) {
SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
return -1;
@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s)
#endif
/* KTLS may use all of the buffer */
- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+ if (using_ktls)
len = SSL3_BUFFER_get_left(rbuf);
if (thisrr->length > len) {
@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s)
return 1;
}
- /*
- * KTLS reads full records. If there is any data left,
- * then it is from before enabling ktls
- */
- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
+ if (using_ktls)
goto skip_decryption;
if (s->read_hash != NULL) {
@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s)
if (SSL_IS_TLS13(s)
&& s->enc_read_ctx != NULL
&& thisrr->type != SSL3_RT_ALERT) {
- size_t end;
+ /*
+ * The following logic are irrelevant in KTLS: the kernel provides
+ * unprotected record and thus record type represent the actual
+ * content type, and padding is already removed and thisrr->type and
+ * thisrr->length should have the correct values.
+ */
+ if (!using_ktls) {
+ size_t end;
- if (thisrr->length == 0
- || thisrr->type != SSL3_RT_APPLICATION_DATA) {
- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
- goto end;
+ if (thisrr->length == 0
+ || thisrr->type != SSL3_RT_APPLICATION_DATA) {
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
+ goto end;
+ }
+
+ /* Strip trailing padding */
+ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
+ end--)
+ continue;
+
+ thisrr->length = end;
+ thisrr->type = thisrr->data[end];
}
-
- /* Strip trailing padding */
- for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
- end--)
- continue;
-
- thisrr->length = end;
- thisrr->type = thisrr->data[end];
if (thisrr->type != SSL3_RT_APPLICATION_DATA
&& thisrr->type != SSL3_RT_ALERT
&& thisrr->type != SSL3_RT_HANDSHAKE) {
@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s)
}
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
- &thisrr->data[end], 1, s, s->msg_callback_arg);
+ &thisrr->type, 1, s, s->msg_callback_arg);
}
/*
@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s)
* Therefore we have to rely on KTLS to check the plaintext length
* limit in the kernel.
*/
- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH
- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) {
+ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) {
SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
goto end;
}
diff --git ssl/ssl_local.h ssl/ssl_local.h
index 5471e900b8..79ced2f468 100644
--- ssl/ssl_local.h
+++ ssl/ssl_local.h
@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
/* ktls.c */
int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
const EVP_CIPHER_CTX *dd);
-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
void *rl_sequence, ktls_crypto_info_t *crypto_info,
- unsigned char **rec_seq, unsigned char *iv,
+ int is_tx, unsigned char *iv,
unsigned char *key, unsigned char *mac_key,
size_t mac_secret_size);
# endif
diff --git ssl/t1_enc.c ssl/t1_enc.c
index 237a19cd93..900ba14fbd 100644
--- ssl/t1_enc.c
+++ ssl/t1_enc.c
@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
return ret;
}
-#ifndef OPENSSL_NO_KTLS
- /*
- * Count the number of records that were not processed yet from record boundary.
- *
- * This function assumes that there are only fully formed records read in the
- * record layer. If read_ahead is enabled, then this might be false and this
- * function will fail.
- */
-# ifndef OPENSSL_NO_KTLS_RX
-static int count_unprocessed_records(SSL *s)
-{
- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
- PACKET pkt, subpkt;
- int count = 0;
-
- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
- return -1;
-
- while (PACKET_remaining(&pkt) > 0) {
- /* Skip record type and version */
- if (!PACKET_forward(&pkt, 3))
- return -1;
-
- /* Read until next record */
- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
- return -1;
-
- count += 1;
- }
-
- return count;
-}
-# endif
-#endif
-
-
int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *ciph,
const EVP_MD *md)
@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which)
int reuse_dd = 0;
#ifndef OPENSSL_NO_KTLS
ktls_crypto_info_t crypto_info;
- unsigned char *rec_seq;
void *rl_sequence;
-# ifndef OPENSSL_NO_KTLS_RX
- int count_unprocessed;
- int bit;
-# endif
BIO *bio;
#endif
@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which)
else
rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq,
- iv, key, ms, *mac_secret_size))
+ if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info,
+ which & SSL3_CC_WRITE, iv, key, ms,
+ *mac_secret_size))
goto skip_ktls;
- if (which & SSL3_CC_READ) {
-# ifndef OPENSSL_NO_KTLS_RX
- count_unprocessed = count_unprocessed_records(s);
- if (count_unprocessed < 0)
- goto skip_ktls;
-
- /* increment the crypto_info record sequence */
- while (count_unprocessed) {
- for (bit = 7; bit >= 0; bit--) { /* increment */
- ++rec_seq[bit];
- if (rec_seq[bit] != 0)
- break;
- }
- count_unprocessed--;
- }
-# else
- goto skip_ktls;
-# endif
- }
-
/* ktls works with user provided buffers directly */
if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
if (which & SSL3_CC_WRITE)
diff --git ssl/tls13_enc.c ssl/tls13_enc.c
index 12388922e3..eaab0e2a74 100644
--- ssl/tls13_enc.c
+++ ssl/tls13_enc.c
@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which)
const EVP_CIPHER *cipher = NULL;
#if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13)
ktls_crypto_info_t crypto_info;
+ void *rl_sequence;
BIO *bio;
#endif
@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which)
s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
#ifndef OPENSSL_NO_KTLS
# if defined(OPENSSL_KTLS_TLS13)
- if (!(which & SSL3_CC_WRITE)
- || !(which & SSL3_CC_APPLICATION)
+ if (!(which & SSL3_CC_APPLICATION)
|| (s->options & SSL_OP_ENABLE_KTLS) == 0)
goto skip_ktls;
@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which)
if (!ktls_check_supported_cipher(s, cipher, ciph_ctx))
goto skip_ktls;
- bio = s->wbio;
+ if (which & SSL3_CC_WRITE)
+ bio = s->wbio;
+ else
+ bio = s->rbio;
if (!ossl_assert(bio != NULL)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which)
}
/* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
- if (BIO_flush(bio) <= 0)
- goto skip_ktls;
+ if (which & SSL3_CC_WRITE) {
+ if (BIO_flush(bio) <= 0)
+ goto skip_ktls;
+ }
/* configure kernel crypto structure */
- if (!ktls_configure_crypto(s, cipher, ciph_ctx,
- RECORD_LAYER_get_write_sequence(&s->rlayer),
- &crypto_info, NULL, iv, key, NULL, 0))
+ if (which & SSL3_CC_WRITE)
+ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer);
+ else
+ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
+
+ if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info,
+ which & SSL3_CC_WRITE, iv, key, NULL, 0))
goto skip_ktls;
/* ktls works with user provided buffers directly */
- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE))
- ssl3_release_write_buffer(s);
+ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
+ if (which & SSL3_CC_WRITE)
+ ssl3_release_write_buffer(s);
+ }
skip_ktls:
# endif
#endif
diff --git test/sslapitest.c test/sslapitest.c
index 2911d6e94b..faf2eec2bc 100644
--- test/sslapitest.c
+++ test/sslapitest.c
@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
#if defined(OPENSSL_NO_KTLS_RX)
rx_supported = 0;
#else
- rx_supported = (tls_version != TLS1_3_VERSION);
+ rx_supported = 1;
#endif
if (!cis_ktls || !rx_supported) {
if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))

20
security/openssl30/files/extra-patch-util_find-doc-nits
View File

@ -1,20 +0,0 @@
--- util/find-doc-nits.orig 2023-08-01 13:47:24 UTC
+++ util/find-doc-nits
@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt';
my $OUT;
my $status = 0;
-$opt_m = "man1,man3,man5,man7" unless $opt_m;
+$opt_m = "man1,man5" unless $opt_m;
die "Argument of -m option may contain only man1, man3, man5, and/or man7"
unless $opt_m =~ /^(man[1357][, ]?)*$/;
my @sections = ( split /[, ]/, $opt_m );
@@ -725,7 +725,7 @@ sub check {
next if $target eq ''; # Skip if links within page, or
next if $target =~ /::/; # links to a Perl module, or
next if $target =~ /^https?:/; # is a URL link, or
- next if $target =~ /\([1357]\)$/; # it has a section
+ next if $target =~ /\([15]\)$/; # it has a section
err($id, "Missing man section number (likely, $mansect) in L<$target>")
}
# Check for proper links to commands.

35
security/openssl30/files/patch-Configurations_10-main.conf
View File

@ -1,35 +0,0 @@
--- Configurations/10-main.conf.orig 2022-04-12 16:29:42 UTC
+++ Configurations/10-main.conf
@@ -1069,6 +1069,32 @@ my %targets = (
perlasm_scheme => "linux64",
},
+ "BSD-ppc" => {
+ inherit_from => [ "BSD-generic32" ],
+ asm_arch => 'ppc32',
+ perlasm_scheme => "linux32",
+ lib_cppflags => add("-DB_ENDIAN"),
+ },
+
+ "BSD-ppc64" => {
+ inherit_from => [ "BSD-generic64" ],
+ cflags => add("-m64"),
+ cxxflags => add("-m64"),
+ lib_cppflags => add("-DB_ENDIAN"),
+ asm_arch => 'ppc64',
+ perlasm_scheme => "linux64",
+ },
+
+ "BSD-ppc64le" => {
+ inherit_from => [ "BSD-generic64" ],
+ cflags => add("-m64"),
+ cxxflags => add("-m64"),
+ lib_cppflags => add("-DL_ENDIAN"),
+ asm_arch => 'ppc64',
+ perlasm_scheme => "linux64le",
+ },
+
+
"bsdi-elf-gcc" => {
inherit_from => [ "BASE_unix" ],
CC => "gcc",

11
security/openssl30/files/patch-Configure
View File

@ -1,11 +0,0 @@
--- Configure.orig 2022-04-12 16:30:34 UTC
+++ Configure
@@ -1549,7 +1549,7 @@ my %predefined_CXX = $config{CXX}
unless ($disabled{asm}) {
# big endian systems can use ELFv2 ABI
- if ($target eq "linux-ppc64") {
+ if ($target eq "linux-ppc64" || $target eq "BSD-ppc64") {
$target{perlasm_scheme} = "linux64v2" if ($predefined_C{_CALL_ELF} == 2);
}
}

34
security/openssl30/files/patch-crypto_ppccap.c
View File

@ -1,34 +0,0 @@
--- crypto/ppccap.c.orig 2022-04-12 16:31:27 UTC
+++ crypto/ppccap.c
@@ -117,14 +117,18 @@ static unsigned long getauxval(unsigned long key)
#endif
/* I wish <sys/auxv.h> was universally available */
-#define HWCAP 16 /* AT_HWCAP */
+#ifndef AT_HWCAP
+# define AT_HWCAP 16 /* AT_HWCAP */
+#endif
#define HWCAP_PPC64 (1U << 30)
#define HWCAP_ALTIVEC (1U << 28)
#define HWCAP_FPU (1U << 27)
#define HWCAP_POWER6_EXT (1U << 9)
#define HWCAP_VSX (1U << 7)
-#define HWCAP2 26 /* AT_HWCAP2 */
+#ifndef AT_HWCAP2
+# define AT_HWCAP2 26 /* AT_HWCAP2 */
+#endif
#define HWCAP_VEC_CRYPTO (1U << 25)
#define HWCAP_ARCH_3_00 (1U << 23)
@@ -215,8 +219,8 @@ void OPENSSL_cpuid_setup(void)
#ifdef OSSL_IMPLEMENT_GETAUXVAL
{
- unsigned long hwcap = getauxval(HWCAP);
- unsigned long hwcap2 = getauxval(HWCAP2);
+ unsigned long hwcap = getauxval(AT_HWCAP);
+ unsigned long hwcap2 = getauxval(AT_HWCAP2);
if (hwcap & HWCAP_FPU) {
OPENSSL_ppccap_P |= PPC_FPU;

13
security/openssl30/files/patch-crypto_threads__pthread.c
View File

@ -1,13 +0,0 @@
--- crypto/threads_pthread.c.orig 2022-11-01 14:14:36 UTC
+++ crypto/threads_pthread.c
@@ -29,6 +29,10 @@
#define BROKEN_CLANG_ATOMICS
#endif
+#if defined(__FreeBSD__) && defined(__i386__)
+#define BROKEN_CLANG_ATOMICS
+#endif
+
#if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
# if defined(OPENSSL_SYS_UNIX)

14
security/openssl30/files/patch-util_perl_OpenSSL_config.pm
View File

@ -1,14 +0,0 @@
--- util/perl/OpenSSL/config.pm.orig 2022-04-12 16:34:06 UTC
+++ util/perl/OpenSSL/config.pm
@@ -747,8 +747,9 @@ EOF
disable => [ 'sse2' ] } ],
[ 'alpha.*-.*-.*bsd.*', { target => "BSD-generic64",
defines => [ 'L_ENDIAN' ] } ],
- [ 'powerpc64-.*-.*bsd.*', { target => "BSD-generic64",
- defines => [ 'B_ENDIAN' ] } ],
+ [ 'powerpc-.*-.*bsd.*', { target => "BSD-ppc" } ],
+ [ 'powerpc64-.*-.*bsd.*', { target => "BSD-ppc64" } ],
+ [ 'powerpc64le-.*-.*bsd.*', { target => "BSD-ppc64le" } ],
[ 'riscv64-.*-.*bsd.*', { target => "BSD-riscv64" } ],
[ 'sparc64-.*-.*bsd.*', { target => "BSD-sparc64" } ],
[ 'ia64-.*-.*bsd.*', { target => "BSD-ia64" } ],

13
security/openssl30/pkg-descr
View File

@ -1,13 +0,0 @@
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1,
v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide.
The project is managed by a worldwide community of volunteers that use
the Internet to communicate, plan, and develop the OpenSSL tookit
and its related documentation.
OpenSSL is based on the excellent SSLeay library developed by Eric
A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
an Apache-style licence, which basically means that you are free
to get and use it for commercial and non-commercial purposes subject
to some simple license conditions.

275
security/openssl30/pkg-plist
View File

@ -1,275 +0,0 @@
bin/c_rehash
bin/openssl
include/openssl/aes.h
include/openssl/asn1.h
include/openssl/asn1_mac.h
include/openssl/asn1err.h
include/openssl/asn1t.h
include/openssl/async.h
include/openssl/asyncerr.h
include/openssl/bio.h
include/openssl/bioerr.h
include/openssl/blowfish.h
include/openssl/bn.h
include/openssl/bnerr.h
include/openssl/buffer.h
include/openssl/buffererr.h
include/openssl/camellia.h
include/openssl/cast.h
include/openssl/cmac.h
include/openssl/cmp.h
include/openssl/cmp_util.h
include/openssl/cmperr.h
include/openssl/cms.h
include/openssl/cmserr.h
include/openssl/comp.h
include/openssl/comperr.h
include/openssl/conf.h
include/openssl/conf_api.h
include/openssl/conferr.h
include/openssl/configuration.h
include/openssl/conftypes.h
include/openssl/core.h
include/openssl/core_dispatch.h
include/openssl/core_names.h
include/openssl/core_object.h
include/openssl/crmf.h
include/openssl/crmferr.h
include/openssl/crypto.h
include/openssl/cryptoerr.h
include/openssl/cryptoerr_legacy.h
include/openssl/ct.h
include/openssl/cterr.h
include/openssl/decoder.h
include/openssl/decodererr.h
include/openssl/des.h
include/openssl/dh.h
include/openssl/dherr.h
include/openssl/dsa.h
include/openssl/dsaerr.h
include/openssl/dtls1.h
include/openssl/e_os2.h
include/openssl/ebcdic.h
include/openssl/ec.h
include/openssl/ecdh.h
include/openssl/ecdsa.h
include/openssl/ecerr.h
include/openssl/encoder.h
include/openssl/encodererr.h
include/openssl/engine.h
include/openssl/engineerr.h
include/openssl/err.h
include/openssl/ess.h
include/openssl/esserr.h
include/openssl/evp.h
include/openssl/evperr.h
include/openssl/fips_names.h
include/openssl/fipskey.h
include/openssl/hmac.h
include/openssl/http.h
include/openssl/httperr.h
include/openssl/idea.h
include/openssl/kdf.h
include/openssl/kdferr.h
include/openssl/lhash.h
include/openssl/macros.h
include/openssl/md2.h
include/openssl/md4.h
include/openssl/md5.h
include/openssl/mdc2.h
include/openssl/modes.h
include/openssl/obj_mac.h
include/openssl/objects.h
include/openssl/objectserr.h
include/openssl/ocsp.h
include/openssl/ocsperr.h
include/openssl/opensslconf.h
include/openssl/opensslv.h
include/openssl/ossl_typ.h
include/openssl/param_build.h
include/openssl/params.h
include/openssl/pem.h
include/openssl/pem2.h
include/openssl/pemerr.h
include/openssl/pkcs12.h
include/openssl/pkcs12err.h
include/openssl/pkcs7.h
include/openssl/pkcs7err.h
include/openssl/prov_ssl.h
include/openssl/proverr.h
include/openssl/provider.h
include/openssl/rand.h
include/openssl/randerr.h
include/openssl/rc2.h
include/openssl/rc4.h
include/openssl/rc5.h
include/openssl/ripemd.h
include/openssl/rsa.h
include/openssl/rsaerr.h
include/openssl/safestack.h
include/openssl/seed.h
include/openssl/self_test.h
include/openssl/sha.h
include/openssl/srp.h
include/openssl/srtp.h
include/openssl/ssl.h
include/openssl/ssl2.h
include/openssl/ssl3.h
include/openssl/sslerr.h
include/openssl/sslerr_legacy.h
include/openssl/stack.h
include/openssl/store.h
include/openssl/storeerr.h
include/openssl/symhacks.h
include/openssl/tls1.h
include/openssl/trace.h
include/openssl/ts.h
include/openssl/tserr.h
include/openssl/txt_db.h
include/openssl/types.h
include/openssl/ui.h
include/openssl/uierr.h
include/openssl/whrlpool.h
include/openssl/x509.h
include/openssl/x509_vfy.h
include/openssl/x509err.h
include/openssl/x509v3.h
include/openssl/x509v3err.h
%%SHARED%%lib/engines-%%SHLIBVER%%/capi.so
%%CRYPTODEV%%%%SHARED%%lib/engines-%%SHLIBVER%%/devcrypto.so
%%SHARED%%lib/engines-%%SHLIBVER%%/loader_attic.so
%%SHARED%%lib/engines-%%SHLIBVER%%/padlock.so
lib/libcrypto.a
%%SHARED%%lib/libcrypto.so
%%SHARED%%lib/libcrypto.so.%%SHLIBVER%%
lib/libssl.a
%%SHARED%%lib/libssl.so
%%SHARED%%lib/libssl.so.%%SHLIBVER%%
%%FIPS%%%%SHARED%%lib/ossl-modules/fips.so
%%LEGACY%%%%SHARED%%lib/ossl-modules/legacy.so
libdata/pkgconfig/libcrypto.pc
libdata/pkgconfig/libssl.pc
libdata/pkgconfig/openssl.pc
man/man1/CA.pl.1ossl.gz
man/man1/asn1parse.1ossl.gz
man/man1/c_rehash.1ossl.gz
man/man1/ca.1ossl.gz
man/man1/ciphers.1ossl.gz
man/man1/cmp.1ossl.gz
man/man1/cms.1ossl.gz
man/man1/crl.1ossl.gz
man/man1/crl2pkcs7.1ossl.gz
man/man1/dgst.1ossl.gz
man/man1/dhparam.1ossl.gz
man/man1/dsa.1ossl.gz
man/man1/dsaparam.1ossl.gz
man/man1/ec.1ossl.gz
man/man1/ecparam.1ossl.gz
man/man1/enc.1ossl.gz
man/man1/engine.1ossl.gz
man/man1/errstr.1ossl.gz
man/man1/gendsa.1ossl.gz
man/man1/genpkey.1ossl.gz
man/man1/genrsa.1ossl.gz
man/man1/info.1ossl.gz
man/man1/kdf.1ossl.gz
man/man1/mac.1ossl.gz
man/man1/nseq.1ossl.gz
man/man1/ocsp.1ossl.gz
man/man1/openssl-asn1parse.1ossl.gz
man/man1/openssl-ca.1ossl.gz
man/man1/openssl-ciphers.1ossl.gz
man/man1/openssl-cmds.1ossl.gz
man/man1/openssl-cmp.1ossl.gz
man/man1/openssl-cms.1ossl.gz
man/man1/openssl-crl.1ossl.gz
man/man1/openssl-crl2pkcs7.1ossl.gz
man/man1/openssl-dgst.1ossl.gz
man/man1/openssl-dhparam.1ossl.gz
man/man1/openssl-dsa.1ossl.gz
man/man1/openssl-dsaparam.1ossl.gz
man/man1/openssl-ec.1ossl.gz
man/man1/openssl-ecparam.1ossl.gz
man/man1/openssl-enc.1ossl.gz
man/man1/openssl-engine.1ossl.gz
man/man1/openssl-errstr.1ossl.gz
man/man1/openssl-fipsinstall.1ossl.gz
man/man1/openssl-format-options.1ossl.gz
man/man1/openssl-gendsa.1ossl.gz
man/man1/openssl-genpkey.1ossl.gz
man/man1/openssl-genrsa.1ossl.gz
man/man1/openssl-info.1ossl.gz
man/man1/openssl-kdf.1ossl.gz
man/man1/openssl-list.1ossl.gz
man/man1/openssl-mac.1ossl.gz
man/man1/openssl-namedisplay-options.1ossl.gz
man/man1/openssl-nseq.1ossl.gz
man/man1/openssl-ocsp.1ossl.gz
man/man1/openssl-passphrase-options.1ossl.gz
man/man1/openssl-passwd.1ossl.gz
man/man1/openssl-pkcs12.1ossl.gz
man/man1/openssl-pkcs7.1ossl.gz
man/man1/openssl-pkcs8.1ossl.gz
man/man1/openssl-pkey.1ossl.gz
man/man1/openssl-pkeyparam.1ossl.gz
man/man1/openssl-pkeyutl.1ossl.gz
man/man1/openssl-prime.1ossl.gz
man/man1/openssl-rand.1ossl.gz
man/man1/openssl-rehash.1ossl.gz
man/man1/openssl-req.1ossl.gz
man/man1/openssl-rsa.1ossl.gz
man/man1/openssl-rsautl.1ossl.gz
man/man1/openssl-s_client.1ossl.gz
man/man1/openssl-s_server.1ossl.gz
man/man1/openssl-s_time.1ossl.gz
man/man1/openssl-sess_id.1ossl.gz
man/man1/openssl-smime.1ossl.gz
man/man1/openssl-speed.1ossl.gz
man/man1/openssl-spkac.1ossl.gz
man/man1/openssl-srp.1ossl.gz
man/man1/openssl-storeutl.1ossl.gz
man/man1/openssl-ts.1ossl.gz
man/man1/openssl-verification-options.1ossl.gz
man/man1/openssl-verify.1ossl.gz
man/man1/openssl-version.1ossl.gz
man/man1/openssl-x509.1ossl.gz
man/man1/openssl.1ossl.gz
man/man1/passwd.1ossl.gz
man/man1/pkcs12.1ossl.gz
man/man1/pkcs7.1ossl.gz
man/man1/pkcs8.1ossl.gz
man/man1/pkey.1ossl.gz
man/man1/pkeyparam.1ossl.gz
man/man1/pkeyutl.1ossl.gz
man/man1/prime.1ossl.gz
man/man1/rand.1ossl.gz
man/man1/rehash.1ossl.gz
man/man1/req.1ossl.gz
man/man1/rsa.1ossl.gz
man/man1/rsautl.1ossl.gz
man/man1/s_client.1ossl.gz
man/man1/s_server.1ossl.gz
man/man1/s_time.1ossl.gz
man/man1/sess_id.1ossl.gz
man/man1/smime.1ossl.gz
man/man1/speed.1ossl.gz
man/man1/spkac.1ossl.gz
man/man1/srp.1ossl.gz
man/man1/storeutl.1ossl.gz
man/man1/ts.1ossl.gz
man/man1/tsget.1ossl.gz
man/man1/verify.1ossl.gz
man/man1/version.1ossl.gz
man/man1/x509.1ossl.gz
man/man5/config.5ossl.gz
man/man5/fips_config.5ossl.gz
man/man5/x509v3_config.5ossl.gz
%%OPENSSLDIR%%/misc/CA.pl
@comment %%OPENSSLDIR%%/misc/tsget.pl
%%OPENSSLDIR%%/misc/tsget
@sample %%OPENSSLDIR%%/ct_log_list.cnf.dist %%OPENSSLDIR%%/ct_log_list.cnf
%%FIPS%%%%OPENSSLDIR%%/fipsmodule.cnf
@sample %%OPENSSLDIR%%/openssl.cnf.dist %%OPENSSLDIR%%/openssl.cnf
@dir lib/ossl-modules
@dir %%OPENSSLDIR%%/private
@dir %%OPENSSLDIR%%/certs

1
security/openssl30/version.mk
View File

@ -1 +0,0 @@
OPENSSL_SHLIBVER?= 12