Date: Mon, 04 May 2026 16:53:14 +0000 From: Rene Ladan <rene@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: e6564f63212a - main - security/openssl111: Remove expired port Message-ID: <69f8cefa.25b45.75d6c0a5@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by rene: URL: https://cgit.FreeBSD.org/ports/commit/?id=e6564f63212a6da3668df7dd9eb188ce4a13c817 commit e6564f63212a6da3668df7dd9eb188ce4a13c817 Author: Rene Ladan <rene@FreeBSD.org> AuthorDate: 2026-05-04 16:53:01 +0000 Commit: Rene Ladan <rene@FreeBSD.org> CommitDate: 2026-05-04 16:53:01 +0000 security/openssl111: Remove expired port 2026-04-30 security/openssl111: End-of-life since 2023-09-11, see https://www.openssl.org/blog/blog/2023/09/11/eol-111/ port will be removed when FreeBSD 13 is EoL --- MOVED | 1 + security/Makefile | 1 - security/openssl111/Makefile | 161 - security/openssl111/distinfo | 3 - security/openssl111/files/extra-patch-ktls | 3435 -------------------- .../files/extra-patch-util_process__docs.pl | 20 - .../files/patch-crypto_async_arch_async__posix.h | 32 - security/openssl111/files/pkg-message.in | 8 - security/openssl111/pkg-descr | 13 - security/openssl111/pkg-plist | 226 -- security/openssl111/version.mk | 1 - 11 files changed, 1 insertion(+), 3900 deletions(-) diff --git a/MOVED b/MOVED index ddf9a65e5ded..6b88e4581f29 100644 --- a/MOVED +++ b/MOVED @@ -5279,3 +5279,4 @@ sysutils/cfengine321||2026-05-04|Has expired: No longer supported by upstream sysutils/cfengine-masterfiles321||2026-05-04|Has expired: No longer supported by upstream sysutils/cfengine323||2026-05-04|Has expired: No longer supported by upstream sysutils/cfengine-masterfiles323||2026-05-04|Has expired: No longer supported by upstream +security/openssl111||2026-05-04|Has expired: End-of-life since 2023-09-11, see https://www.openssl.org/blog/blog/2023/09/11/eol-111/ port will be removed when FreeBSD 13 is EoL diff --git a/security/Makefile b/security/Makefile index 58e13ca5652f..8726d32a2f4f 100644 --- a/security/Makefile +++ b/security/Makefile @@ -457,7 +457,6 @@ SUBDIR += openssl-oqsprovider SUBDIR += openssl-pkcs11provider SUBDIR += openssl-unsafe - SUBDIR += openssl111 SUBDIR += openssl34 SUBDIR += openssl35 SUBDIR += openssl36 diff --git a/security/openssl111/Makefile b/security/openssl111/Makefile deleted file mode 100644 index b8a8d42319b0..000000000000 --- a/security/openssl111/Makefile +++ /dev/null @@ -1,161 +0,0 @@ -PORTNAME= openssl -PORTVERSION= 1.1.1w -PORTREVISION= 2 -CATEGORIES= security devel -MASTER_SITES= https://www.openssl.org/source/ \ - ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/ -PKGNAMESUFFIX= 111 - -MAINTAINER= brnrd@FreeBSD.org -COMMENT= TLSv1.3 capable SSL and crypto library -WWW= https://www.openssl.org/ - -LICENSE= OpenSSL -LICENSE_FILE= ${WRKSRC}/LICENSE - -DEPRECATED= End-of-life since 2023-09-11, see https://www.openssl.org/blog/blog/2023/09/11/eol-111/ \ - port will be removed when FreeBSD 13 is EoL -EXPIRATION_DATE= 2026-04-30 - -CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl[34]* - -USES= cpe perl5 -USE_PERL5= build -TEST_TARGET= test - -HAS_CONFIGURE= yes -CONFIGURE_SCRIPT= config -CONFIGURE_ENV= PERL="${PERL}" -CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ - --prefix=${PREFIX} - -LDFLAGS_i386= -Wl,-znotext - -MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}" -MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= - -OPTIONS_GROUP= CIPHERS HASHES OPTIMIZE PROTOCOLS -OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS -OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3 -OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS -OPTIONS_DEFINE_i386= I386 -OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2 - -OPTIONS_DEFINE= ASYNC CT KTLS MAN3 RFC3779 SHARED ZLIB - -OPTIONS_DEFAULT=ASM ASYNC CT GOST DES EC KTLS MAN3 MD4 NEXTPROTONEG RC2 \ - RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2 - -.if ${MACHINE_ARCH} == "amd64" -OPTIONS_GROUP_OPTIMIZE+= EC -.elif ${MACHINE_ARCH} == "mips64el" -OPTIONS_GROUP_OPTIMIZE+= EC -.endif - -OPTIONS_SUB= yes - -ARIA_DESC= ARIA (South Korean standard) -ASM_DESC= Assembler code -ASYNC_DESC= Asynchronous mode -CIPHERS_DESC= Block Cipher Support -CT_DESC= Certificate Transparency Support -DES_DESC= (Triple) Data Encryption Standard -EC_DESC= Optimize NIST elliptic curves -GOST_DESC= GOST (Russian standard) -HASHES_DESC= Hash Function Support -I386_DESC= i386 (instead of i486+) -IDEA_DESC= International Data Encryption Algorithm -KTLS_DESC= Kernel TLS offload -MAN3_DESC= Install API manpages (section 3, 7) -MD2_DESC= MD2 (obsolete) -MD4_DESC= MD4 (unsafe) -MDC2_DESC= MDC-2 (patented, requires DES) -NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) -OPTIMIZE_DESC= Optimizations -PROTOCOLS_DESC= Protocol Support -RC2_DESC= RC2 (unsafe) -RC4_DESC= RC4 (unsafe) -RC5_DESC= RC5 (patented) -RMD160_DESC= RIPEMD-160 -RFC3779_DESC= RFC3779 support (BGP) -SCTP_DESC= SCTP (Stream Control Transmission) -SHARED_DESC= Build shared libraries -SM2_DESC= SM2 Elliptic Curve DH (Chinese standard) -SM3_DESC= SM3 256bit (Chinese standard) -SM4_DESC= SM4 128bit (Chinese standard) -SSE2_DESC= Runtime SSE2 detection -SSL3_DESC= SSLv3 (unsafe) -TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2) -TLS1_1_DESC= TLSv1.1 (requires TLS1_2) -TLS1_2_DESC= TLSv1.2 -WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe) - -# Upstream default disabled options -.for _option in ktls md2 rc5 sctp ssl3 zlib weak-ssl-ciphers -${_option:tu}_CONFIGURE_ON= enable-${_option} -.endfor - -# Upstream default enabled options -.for _option in aria asm async ct des gost idea md4 mdc2 nextprotoneg rc2 rc4 \ - rfc3779 rmd160 shared sm2 sm3 sm4 sse2 threads tls1 tls1_1 tls1_2 -${_option:tu}_CONFIGURE_OFF= no-${_option} -.endfor - -MDC2_IMPLIES= DES -TLS1_IMPLIES= TLS1_1 -TLS1_1_IMPLIES= TLS1_2 - -EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 -I386_CONFIGURE_ON= 386 -KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls -MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_process__docs.pl -SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} -SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} -SHARED_USE= ldconfig=yes -SSL3_CONFIGURE_ON+= enable-ssl3-method -ZLIB_CONFIGURE_ON= zlib-dynamic - -PORTSCOUT= limit:^1\.1\.1 - -.include <bsd.port.pre.mk> -.if ${PREFIX} == /usr -IGNORE= the OpenSSL port can not be installed over the base version -.endif - -OPENSSLDIR?= ${PREFIX}/openssl -PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} - -.include "version.mk" - -post-patch: - ${REINPLACE_CMD} \ - -e 's| install_html_docs$$||' \ - -e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \ - ${WRKSRC}/Configurations/unix-Makefile.tmpl - ${REINPLACE_CMD} -e 's|\^GNU ld|GNU|' ${WRKSRC}/Configurations/shared-info.pl - -post-configure: - ${REINPLACE_CMD} \ - -e 's|SHLIB_VERSION_NUMBER=1.1|SHLIB_VERSION_NUMBER=${OPENSSL_SHLIBVER}|' \ - ${WRKSRC}/Makefile - ${REINPLACE_CMD} \ - -e 's|SHLIB_VERSION_NUMBER "1.1"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \ - ${WRKSRC}/include/openssl/opensslv.h - -post-install-SHARED-on: -.for i in libcrypto libssl - ${INSTALL_LIB} ${WRKSRC}/$i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib - ${LN} -sf $i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib/$i.so -.endfor -.for i in capi padlock - ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/engines-1.1/${i}.so -.endfor - -post-install: - ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl - -post-install-MAN3-on: - ( cd ${STAGEDIR}/${PREFIX} ; ${FIND} share/man/man3 share/man/man7 -not -type d ) | \ - ${SED} 's/$$/.gz/' >>${TMPPLIST} - -.include <bsd.port.post.mk> diff --git a/security/openssl111/distinfo b/security/openssl111/distinfo deleted file mode 100644 index 11a9beb18815..000000000000 --- a/security/openssl111/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1694449777 -SHA256 (openssl-1.1.1w.tar.gz) = cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8 -SIZE (openssl-1.1.1w.tar.gz) = 9893384 diff --git a/security/openssl111/files/extra-patch-ktls b/security/openssl111/files/extra-patch-ktls deleted file mode 100644 index d38a70e779e3..000000000000 --- a/security/openssl111/files/extra-patch-ktls +++ /dev/null @@ -1,3435 +0,0 @@ -diff --git CHANGES CHANGES -index a5522e5fa5..98961effc0 100644 ---- CHANGES -+++ CHANGES -@@ -606,6 +606,11 @@ - necessary to configure just to create a source distribution. - [Richard Levitte] - -+ *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path -+ improves application performance by removing data copies and providing -+ applications with zero-copy system calls such as sendfile and splice. -+ [Boris Pismenny] -+ - Changes between 1.1.1 and 1.1.1a [20 Nov 2018] - - *) Timing vulnerability in DSA signature generation -diff --git Configure Configure -index 4bea49d7da..e656814a7f 100755 ---- Configure -+++ Configure -@@ -341,6 +341,7 @@ my @dtls = qw(dtls1 dtls1_2); - # For developers: keep it sorted alphabetically - - my @disablables = ( -+ "ktls", - "afalgeng", - "aria", - "asan", -@@ -474,6 +475,7 @@ our %disabled = ( # "what" => "comment" - "weak-ssl-ciphers" => "default", - "zlib" => "default", - "zlib-dynamic" => "default", -+ "ktls" => "default", - ); - - # Note: => pair form used for aesthetics, not to truly make a hash table -@@ -1583,6 +1585,33 @@ unless ($disabled{devcryptoeng}) { - } - } - -+unless ($disabled{ktls}) { -+ $config{ktls}=""; -+ if ($target =~ m/^linux/) { -+ my $usr = "/usr/$config{cross_compile_prefix}"; -+ chop($usr); -+ if ($config{cross_compile_prefix} eq "") { -+ $usr = "/usr"; -+ } -+ my $minver = (4 << 16) + (13 << 8) + 0; -+ my @verstr = split(" ",`cat $usr/include/linux/version.h | grep LINUX_VERSION_CODE`); -+ -+ if ($verstr[2] < $minver) { -+ disable('too-old-kernel', 'ktls'); -+ } -+ } elsif ($target =~ m/^BSD/) { -+ my $cc = $config{CROSS_COMPILE}.$config{CC}; -+ system("printf '#include <sys/types.h>\n#include <sys/ktls.h>' | $cc -E - >/dev/null 2>&1"); -+ if ($? != 0) { -+ disable('too-old-freebsd', 'ktls'); -+ } -+ } else { -+ disable('not-linux-or-freebsd', 'ktls'); -+ } -+} -+ -+push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); -+ - # Get the extra flags used when building shared libraries and modules. We - # do this late because some of them depend on %disabled. - -diff --git INSTALL INSTALL -index f3ac727183..f6f754fd5e 100644 ---- INSTALL -+++ INSTALL -@@ -263,6 +263,15 @@ - Don't build the AFALG engine. This option will be forced if - on a platform that does not support AFALG. - -+ enable-ktls -+ Build with Kernel TLS support. This option will enable the -+ use of the Kernel TLS data-path, which can improve -+ performance and allow for the use of sendfile and splice -+ system calls on TLS sockets. The Kernel may use TLS -+ accelerators if any are available on the system. -+ This option will be forced off on systems that do not support -+ the Kernel TLS data-path. -+ - enable-asan - Build with the Address sanitiser. This is a developer option - only. It may not work on all platforms and should never be -diff --git apps/s_client.c apps/s_client.c -index 00effc8037..5664e7e04e 100644 ---- apps/s_client.c -+++ apps/s_client.c -@@ -3295,6 +3295,12 @@ static void print_stuff(BIO *bio, SSL *s, int full) - BIO_printf(bio, "Expansion: %s\n", - expansion ? SSL_COMP_get_name(expansion) : "NONE"); - #endif -+#ifndef OPENSSL_NO_KTLS -+ if (BIO_get_ktls_send(SSL_get_wbio(s))) -+ BIO_printf(bio_err, "Using Kernel TLS for sending\n"); -+ if (BIO_get_ktls_recv(SSL_get_rbio(s))) -+ BIO_printf(bio_err, "Using Kernel TLS for receiving\n"); -+#endif - - #ifdef SSL_DEBUG - { -diff --git apps/s_server.c apps/s_server.c -index 64d53e68d0..9fcb8d7a7b 100644 ---- apps/s_server.c -+++ apps/s_server.c -@@ -2934,6 +2934,12 @@ static void print_connection_info(SSL *con) - } - OPENSSL_free(exportedkeymat); - } -+#ifndef OPENSSL_NO_KTLS -+ if (BIO_get_ktls_send(SSL_get_wbio(con))) -+ BIO_printf(bio_err, "Using Kernel TLS for sending\n"); -+ if (BIO_get_ktls_recv(SSL_get_rbio(con))) -+ BIO_printf(bio_err, "Using Kernel TLS for receiving\n"); -+#endif - - (void)BIO_flush(bio_s_out); - } -diff --git crypto/bio/b_sock2.c crypto/bio/b_sock2.c -index 104ff31b0d..771729880e 100644 ---- crypto/bio/b_sock2.c -+++ crypto/bio/b_sock2.c -@@ -12,6 +12,7 @@ - #include <errno.h> - - #include "bio_local.h" -+#include "internal/ktls.h" - - #include <openssl/err.h> - -@@ -50,6 +51,17 @@ int BIO_socket(int domain, int socktype, int protocol, int options) - BIOerr(BIO_F_BIO_SOCKET, BIO_R_UNABLE_TO_CREATE_SOCKET); - return INVALID_SOCKET; - } -+# ifndef OPENSSL_NO_KTLS -+ { -+ /* -+ * The new socket is created successfully regardless of ktls_enable. -+ * ktls_enable doesn't change any functionality of the socket, except -+ * changing the setsockopt to enable the processing of ktls_start. -+ * Thus, it is not a problem to call it for non-TLS sockets. -+ */ -+ ktls_enable(sock); -+ } -+# endif - - return sock; - } -diff --git crypto/bio/bss_conn.c crypto/bio/bss_conn.c -index 807a82b23b..10cf20871c 100644 ---- crypto/bio/bss_conn.c -+++ crypto/bio/bss_conn.c -@@ -11,6 +11,7 @@ - #include <errno.h> - - #include "bio_local.h" -+#include "internal/ktls.h" - - #ifndef OPENSSL_NO_SOCK - -@@ -20,6 +21,9 @@ typedef struct bio_connect_st { - char *param_hostname; - char *param_service; - int connect_mode; -+# ifndef OPENSSL_NO_KTLS -+ unsigned char record_type; -+# endif - - BIO_ADDRINFO *addr_first; - const BIO_ADDRINFO *addr_iter; -@@ -320,7 +324,12 @@ static int conn_read(BIO *b, char *out, int outl) - - if (out != NULL) { - clear_socket_error(); -- ret = readsocket(b->num, out, outl); -+# ifndef OPENSSL_NO_KTLS -+ if (BIO_get_ktls_recv(b)) -+ ret = ktls_read_record(b->num, out, outl); -+ else -+# endif -+ ret = readsocket(b->num, out, outl); - BIO_clear_retry_flags(b); - if (ret <= 0) { - if (BIO_sock_should_retry(ret)) -@@ -345,7 +354,16 @@ static int conn_write(BIO *b, const char *in, int inl) - } - - clear_socket_error(); -- ret = writesocket(b->num, in, inl); -+# ifndef OPENSSL_NO_KTLS -+ if (BIO_should_ktls_ctrl_msg_flag(b)) { -+ ret = ktls_send_ctrl_message(b->num, data->record_type, in, inl); -+ if (ret >= 0) { -+ ret = inl; -+ BIO_clear_ktls_ctrl_msg_flag(b); -+ } -+ } else -+# endif -+ ret = writesocket(b->num, in, inl); - BIO_clear_retry_flags(b); - if (ret <= 0) { - if (BIO_sock_should_retry(ret)) -@@ -361,6 +379,9 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) - const char **pptr = NULL; - long ret = 1; - BIO_CONNECT *data; -+# ifndef OPENSSL_NO_KTLS -+ ktls_crypto_info_t *crypto_info; -+# endif - - data = (BIO_CONNECT *)b->ptr; - -@@ -518,8 +539,29 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) - } - break; - case BIO_CTRL_EOF: -- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; -+ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; - break; -+# ifndef OPENSSL_NO_KTLS -+ case BIO_CTRL_SET_KTLS: -+ crypto_info = (ktls_crypto_info_t *)ptr; -+ ret = ktls_start(b->num, crypto_info, num); -+ if (ret) -+ BIO_set_ktls_flag(b, num); -+ break; -+ case BIO_CTRL_GET_KTLS_SEND: -+ return BIO_should_ktls_flag(b, 1) != 0; -+ case BIO_CTRL_GET_KTLS_RECV: -+ return BIO_should_ktls_flag(b, 0) != 0; -+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG: -+ BIO_set_ktls_ctrl_msg_flag(b); -+ data->record_type = num; -+ ret = 0; -+ break; -+ case BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG: -+ BIO_clear_ktls_ctrl_msg_flag(b); -+ ret = 0; -+ break; -+# endif - default: - ret = 0; - break; -diff --git crypto/bio/bss_fd.c crypto/bio/bss_fd.c -index ccbe1626ba..8d03e48ce9 100644 ---- crypto/bio/bss_fd.c -+++ crypto/bio/bss_fd.c -@@ -189,7 +189,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) - ret = 1; - break; - case BIO_CTRL_EOF: -- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; -+ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; - break; - default: - ret = 0; -diff --git crypto/bio/bss_sock.c crypto/bio/bss_sock.c -index 6251f3d46a..8de1f58292 100644 ---- crypto/bio/bss_sock.c -+++ crypto/bio/bss_sock.c -@@ -11,6 +11,7 @@ - #include <errno.h> - #include "bio_local.h" - #include "internal/cryptlib.h" -+#include "internal/ktls.h" - - #ifndef OPENSSL_NO_SOCK - -@@ -64,6 +65,17 @@ BIO *BIO_new_socket(int fd, int close_flag) - if (ret == NULL) - return NULL; - BIO_set_fd(ret, fd, close_flag); -+# ifndef OPENSSL_NO_KTLS -+ { -+ /* -+ * The new socket is created successfully regardless of ktls_enable. -+ * ktls_enable doesn't change any functionality of the socket, except -+ * changing the setsockopt to enable the processing of ktls_start. -+ * Thus, it is not a problem to call it for non-TLS sockets. -+ */ -+ ktls_enable(fd); -+ } -+# endif - return ret; - } - -@@ -96,7 +108,12 @@ static int sock_read(BIO *b, char *out, int outl) - - if (out != NULL) { - clear_socket_error(); -- ret = readsocket(b->num, out, outl); -+# ifndef OPENSSL_NO_KTLS -+ if (BIO_get_ktls_recv(b)) -+ ret = ktls_read_record(b->num, out, outl); -+ else -+# endif -+ ret = readsocket(b->num, out, outl); - BIO_clear_retry_flags(b); - if (ret <= 0) { - if (BIO_sock_should_retry(ret)) -@@ -110,10 +127,20 @@ static int sock_read(BIO *b, char *out, int outl) - - static int sock_write(BIO *b, const char *in, int inl) - { -- int ret; -+ int ret = 0; - - clear_socket_error(); -- ret = writesocket(b->num, in, inl); -+# ifndef OPENSSL_NO_KTLS -+ if (BIO_should_ktls_ctrl_msg_flag(b)) { -+ unsigned char record_type = (intptr_t)b->ptr; -+ ret = ktls_send_ctrl_message(b->num, record_type, in, inl); -+ if (ret >= 0) { -+ ret = inl; -+ BIO_clear_ktls_ctrl_msg_flag(b); -+ } -+ } else -+# endif -+ ret = writesocket(b->num, in, inl); - BIO_clear_retry_flags(b); - if (ret <= 0) { - if (BIO_sock_should_retry(ret)) -@@ -126,6 +153,9 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) - { - long ret = 1; - int *ip; -+# ifndef OPENSSL_NO_KTLS -+ ktls_crypto_info_t *crypto_info; -+# endif - - switch (cmd) { - case BIO_C_SET_FD: -@@ -153,8 +183,29 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) - case BIO_CTRL_FLUSH: - ret = 1; - break; -+# ifndef OPENSSL_NO_KTLS -+ case BIO_CTRL_SET_KTLS: -+ crypto_info = (ktls_crypto_info_t *)ptr; -+ ret = ktls_start(b->num, crypto_info, num); -+ if (ret) -+ BIO_set_ktls_flag(b, num); -+ break; -+ case BIO_CTRL_GET_KTLS_SEND: -+ return BIO_should_ktls_flag(b, 1) != 0; -+ case BIO_CTRL_GET_KTLS_RECV: -+ return BIO_should_ktls_flag(b, 0) != 0; -+ case BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG: -+ BIO_set_ktls_ctrl_msg_flag(b); -+ b->ptr = (void *)num; -+ ret = 0; -+ break; -+ case BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG: -+ BIO_clear_ktls_ctrl_msg_flag(b); -+ ret = 0; -+ break; -+# endif - case BIO_CTRL_EOF: -- ret = (b->flags & BIO_FLAGS_IN_EOF) != 0 ? 1 : 0; -+ ret = (b->flags & BIO_FLAGS_IN_EOF) != 0; - break; - default: - ret = 0; -diff --git crypto/err/openssl.txt crypto/err/openssl.txt -index 902e97b843..846c896359 100644 ---- crypto/err/openssl.txt -+++ crypto/err/openssl.txt -@@ -1319,6 +1319,7 @@ SSL_F_SSL_RENEGOTIATE:516:SSL_renegotiate - SSL_F_SSL_RENEGOTIATE_ABBREVIATED:546:SSL_renegotiate_abbreviated - SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT:320:* - SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT:321:* -+SSL_F_SSL_SENDFILE:639:SSL_sendfile - SSL_F_SSL_SESSION_DUP:348:ssl_session_dup - SSL_F_SSL_SESSION_NEW:189:SSL_SESSION_new - SSL_F_SSL_SESSION_PRINT_FP:190:SSL_SESSION_print_fp -diff --git crypto/evp/e_aes.c crypto/evp/e_aes.c -index a1d3ab90fa..715fac9f88 100644 ---- crypto/evp/e_aes.c -+++ crypto/evp/e_aes.c -@@ -2889,6 +2889,14 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) - memcpy(ptr, c->buf, arg); - return 1; - -+ case EVP_CTRL_GET_IV: -+ if (gctx->iv_gen != 1) -+ return 0; -+ if (gctx->ivlen != arg) -+ return 0; -+ memcpy(ptr, gctx->iv, arg); -+ return 1; -+ - case EVP_CTRL_GCM_SET_IV_FIXED: - /* Special case: -1 length restores whole IV */ - if (arg == -1) { -diff --git doc/man3/BIO_ctrl.pod doc/man3/BIO_ctrl.pod -index cf6ba135df..fc51173c8d 100644 ---- doc/man3/BIO_ctrl.pod -+++ doc/man3/BIO_ctrl.pod -@@ -5,7 +5,8 @@ - BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset, - BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close, - BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending, --BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb -+BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb, BIO_get_ktls_send, -+BIO_get_ktls_recv - - BIO control operations - - =head1 SYNOPSIS -@@ -34,6 +35,9 @@ BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb - int BIO_get_info_callback(BIO *b, BIO_info_cb **cbp); - int BIO_set_info_callback(BIO *b, BIO_info_cb *cb); - -+ int BIO_get_ktls_send(BIO *b); -+ int BIO_get_ktls_recv(BIO *b); -+ - =head1 DESCRIPTION - - BIO_ctrl(), BIO_callback_ctrl(), BIO_ptr_ctrl() and BIO_int_ctrl() -@@ -72,6 +76,11 @@ Not all BIOs support these calls. BIO_ctrl_pending() and BIO_ctrl_wpending() - return a size_t type and are functions, BIO_pending() and BIO_wpending() are - macros which call BIO_ctrl(). - -+BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for -+sending. Otherwise, it returns zero. -+BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for -+receiving. Otherwise, it returns zero. -+ - =head1 RETURN VALUES - - BIO_reset() normally returns 1 for success and 0 or -1 for failure. File -@@ -92,6 +101,11 @@ BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. - BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending() - return the amount of pending data. - -+BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for -+sending. Otherwise, it returns zero. -+BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for -+receiving. Otherwise, it returns zero. -+ - =head1 NOTES - - BIO_flush(), because it can write data may return 0 or -1 indicating -@@ -124,6 +138,11 @@ particular a return value of 0 can be returned if an operation is not - supported, if an error occurred, if EOF has not been reached and in - the case of BIO_seek() on a file BIO for a successful operation. - -+=head1 HISTORY -+ -+The BIO_get_ktls_send() and BIO_get_ktls_recv() functions were added in -+OpenSSL 3.0.0. -+ - =head1 COPYRIGHT - - Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. -diff --git doc/man3/SSL_CONF_cmd.pod doc/man3/SSL_CONF_cmd.pod -index 7f0e088687..c7cce5486b 100644 ---- doc/man3/SSL_CONF_cmd.pod -+++ doc/man3/SSL_CONF_cmd.pod -@@ -495,6 +495,10 @@ specification. Some applications may be able to mitigate the replay risks in - other ways and in such cases the built-in OpenSSL functionality is not required. - Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>. - -+B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported -+by the negotiated ciphersuites and extensions. Equivalent to -+B<SSL_OP_ENABLE_KTLS>. -+ - =item B<VerifyMode> - - The B<value> argument is a comma separated list of flags to set. -diff --git doc/man3/SSL_CTX_set_options.pod doc/man3/SSL_CTX_set_options.pod -index 969e0366c4..231fe92d8e 100644 ---- doc/man3/SSL_CTX_set_options.pod -+++ doc/man3/SSL_CTX_set_options.pod -@@ -237,6 +237,29 @@ functionality is not required. Those applications can turn this feature off by - setting this option. This is a server-side opton only. It is ignored by - clients. - -+=item SSL_OP_ENABLE_KTLS -+ -+Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must -+have been compiled with support for it, and it must be supported by the -+negotiated ciphersuites and extensions. The specific ciphersuites and extensions -+that are supported may vary by platform and kernel version. -+ -+The kernel TLS data-path implements the record layer, and the encryption -+algorithm. The kernel will utilize the best hardware -+available for encryption. Using the kernel data-path should reduce the memory -+footprint of OpenSSL because no buffering is required. Also, the throughput -+should improve because data copy is avoided when user data is encrypted into -+kernel memory instead of the usual encrypt then copy to kernel. -+ -+Kernel TLS might not support all the features of OpenSSL. For instance, -+renegotiation, and setting the maximum fragment size is not possible as of -+Linux 4.20. -+ -+Note that with kernel TLS enabled some cryptographic operations are performed -+by the kernel directly and not via any available OpenSSL Providers. This might -+be undesirable if, for example, the application requires all cryptographic -+operations to be performed by the FIPS provider. -+ - =back - - The following options no longer have any effect but their identifiers are -diff --git doc/man3/SSL_CTX_set_record_padding_callback.pod doc/man3/SSL_CTX_set_record_padding_callback.pod -index 13e56f0c57..247a39fc03 100644 ---- doc/man3/SSL_CTX_set_record_padding_callback.pod -+++ doc/man3/SSL_CTX_set_record_padding_callback.pod -@@ -16,7 +16,7 @@ SSL_set_block_padding - install callback to specify TLS 1.3 record padding - #include <openssl/ssl.h> - - void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); -- void SSL_set_record_padding_callback(SSL *ssl, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); -+ int SSL_set_record_padding_callback(SSL *ssl, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); - - void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg); - void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx); -@@ -32,6 +32,8 @@ SSL_set_block_padding - install callback to specify TLS 1.3 record padding - SSL_CTX_set_record_padding_callback() or SSL_set_record_padding_callback() - can be used to assign a callback function I<cb> to specify the padding - for TLS 1.3 records. The value set in B<ctx> is copied to a new SSL by SSL_new(). -+Kernel TLS is not possible if the record padding callback is set, and the callback -+function cannot be set if Kernel TLS is already configured for the current SSL object. - - SSL_CTX_set_record_padding_callback_arg() and SSL_set_record_padding_callback_arg() - assign a value B<arg> that is passed to the callback when it is invoked. The value -@@ -64,6 +66,9 @@ indicates no padding will be added. A return value that causes the record to - exceed the maximum record size (SSL3_RT_MAX_PLAIN_LENGTH) will pad out to the - maximum record size. - -+The SSL_CTX_get_record_padding_callback_arg() function returns 1 on success or 0 if -+the callback function is not set because Kernel TLS is configured for the SSL object. -+ - =head1 NOTES - - The default behavior is to add no padding to the record. -@@ -84,6 +89,9 @@ L<ssl(7)>, L<SSL_new(3)> - - The record padding API was added for TLS 1.3 support in OpenSSL 1.1.1. - -+The return type of SSL_CTX_set_record_padding_callback() function was -+changed to int in OpenSSL 3.0. -+ - =head1 COPYRIGHT - - Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. -diff --git doc/man3/SSL_write.pod doc/man3/SSL_write.pod -index 5e3ce1e7e4..9b271d8e65 100644 ---- doc/man3/SSL_write.pod -+++ doc/man3/SSL_write.pod -@@ -2,12 +2,13 @@ - - =head1 NAME - --SSL_write_ex, SSL_write - write bytes to a TLS/SSL connection -+SSL_write_ex, SSL_write, SSL_sendfile - write bytes to a TLS/SSL connection - - =head1 SYNOPSIS - - #include <openssl/ssl.h> - -+ ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags); - int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written); - int SSL_write(SSL *ssl, const void *buf, int num); - -@@ -17,6 +18,14 @@ SSL_write_ex() and SSL_write() write B<num> bytes from the buffer B<buf> into - the specified B<ssl> connection. On success SSL_write_ex() will store the number - of bytes written in B<*written>. - -+SSL_sendfile() writes B<size> bytes from offset B<offset> in the file -+descriptor B<fd> to the specified SSL connection B<s>. This function provides -+efficient zero-copy semantics. SSL_sendfile() is available only when -+Kernel TLS is enabled, which can be checked by calling BIO_get_ktls_send(). -+It is provided here to allow users to maintain the same interface. -+The meaning of B<flags> is platform dependent. -+Currently, under Linux it is ignored. -+ - =head1 NOTES - - In the paragraphs below a "write function" is defined as one of either -@@ -104,17 +113,36 @@ You should instead call SSL_get_error() to find out if it's retryable. - - =back - -+For SSL_sendfile(), the following return values can occur: -+ -+=over 4 -+ -+=item Z<>>= 0 -+ -+The write operation was successful, the return value is the number -+of bytes of the file written to the TLS/SSL connection. The return -+value can be less than B<size> for a partial write. -+ -+=item E<lt> 0 -+ -+The write operation was not successful, because either the connection was -+closed, an error occured or action must be taken by the calling process. -+Call SSL_get_error() with the return value to find out the reason. -+ -+=back -+ - =head1 SEE ALSO - - L<SSL_get_error(3)>, L<SSL_read_ex(3)>, L<SSL_read(3)> - L<SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)>, - L<SSL_connect(3)>, L<SSL_accept(3)> --L<SSL_set_connect_state(3)>, -+L<SSL_set_connect_state(3)>, L<BIO_ctrl(3)>, - L<ssl(7)>, L<bio(7)> - - =head1 HISTORY - - The SSL_write_ex() function was added in OpenSSL 1.1.1. -+The SSL_sendfile() function was added in OpenSSL 3.0.0. - - =head1 COPYRIGHT - -diff --git engines/e_afalg.c engines/e_afalg.c -index 2d16c13834..748969204e 100644 ---- engines/e_afalg.c -+++ engines/e_afalg.c -@@ -407,7 +407,7 @@ static int afalg_start_cipher_sk(afalg_ctx *actx, const unsigned char *in, - size_t inl, const unsigned char *iv, - unsigned int enc) - { -- struct msghdr msg = { 0 }; -+ struct msghdr msg; - struct cmsghdr *cmsg; - struct iovec iov; - ssize_t sbytes; -@@ -416,6 +416,7 @@ static int afalg_start_cipher_sk(afalg_ctx *actx, const unsigned char *in, - # endif - char cbuf[CMSG_SPACE(ALG_IV_LEN(ALG_AES_IV_LEN)) + CMSG_SPACE(ALG_OP_LEN)]; - -+ memset(&msg, 0, sizeof(msg)); - memset(cbuf, 0, sizeof(cbuf)); - msg.msg_control = cbuf; - msg.msg_controllen = sizeof(cbuf); -diff --git include/internal/bio.h include/internal/bio.h -index c343b27629..365d41dabb 100644 ---- include/internal/bio.h -+++ include/internal/bio.h -@@ -7,6 +7,9 @@ - * https://www.openssl.org/source/license.html - */ - -+#ifndef HEADER_INTERNAL_BIO_H -+# define HEADER_INTERNAL_BIO_H -+ - #include <openssl/bio.h> - - struct bio_method_st { -@@ -31,3 +34,39 @@ void bio_cleanup(void); - /* Old style to new style BIO_METHOD conversion functions */ - int bwrite_conv(BIO *bio, const char *data, size_t datal, size_t *written); - int bread_conv(BIO *bio, char *data, size_t datal, size_t *read); -+ -+/* Changes to these internal BIOs must also update include/openssl/bio.h */ -+# define BIO_CTRL_SET_KTLS 72 -+# define BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG 74 -+# define BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG 75 -+ -+/* -+ * This is used with socket BIOs: -+ * BIO_FLAGS_KTLS_TX means we are using ktls with this BIO for sending. -+ * BIO_FLAGS_KTLS_TX_CTRL_MSG means we are about to send a ctrl message next. -+ * BIO_FLAGS_KTLS_RX means we are using ktls with this BIO for receiving. -+ */ -+# define BIO_FLAGS_KTLS_TX_CTRL_MSG 0x1000 -+# define BIO_FLAGS_KTLS_RX 0x2000 -+# define BIO_FLAGS_KTLS_TX 0x4000 -+ -+/* KTLS related controls and flags */ -+# define BIO_set_ktls_flag(b, is_tx) \ -+ BIO_set_flags(b, (is_tx) ? BIO_FLAGS_KTLS_TX : BIO_FLAGS_KTLS_RX) -+# define BIO_should_ktls_flag(b, is_tx) \ -+ BIO_test_flags(b, (is_tx) ? BIO_FLAGS_KTLS_TX : BIO_FLAGS_KTLS_RX) -+# define BIO_set_ktls_ctrl_msg_flag(b) \ -+ BIO_set_flags(b, BIO_FLAGS_KTLS_TX_CTRL_MSG) -+# define BIO_should_ktls_ctrl_msg_flag(b) \ -+ BIO_test_flags(b, BIO_FLAGS_KTLS_TX_CTRL_MSG) -+# define BIO_clear_ktls_ctrl_msg_flag(b) \ -+ BIO_clear_flags(b, BIO_FLAGS_KTLS_TX_CTRL_MSG) -+ -+# define BIO_set_ktls(b, keyblob, is_tx) \ -+ BIO_ctrl(b, BIO_CTRL_SET_KTLS, is_tx, keyblob) -+# define BIO_set_ktls_ctrl_msg(b, record_type) \ -+ BIO_ctrl(b, BIO_CTRL_SET_KTLS_TX_SEND_CTRL_MSG, record_type, NULL) -+# define BIO_clear_ktls_ctrl_msg(b) \ -+ BIO_ctrl(b, BIO_CTRL_CLEAR_KTLS_TX_CTRL_MSG, 0, NULL) -+ -+#endif -diff --git include/internal/ktls.h include/internal/ktls.h -new file mode 100644 -index 0000000000..5f9e3f91ed ---- /dev/null -+++ include/internal/ktls.h -@@ -0,0 +1,407 @@ -+/* -+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#if defined(OPENSSL_SYS_LINUX) -+# ifndef OPENSSL_NO_KTLS -+# include <linux/version.h> -+# if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0) -+# define OPENSSL_NO_KTLS -+# ifndef PEDANTIC -+# warning "KTLS requires Kernel Headers >= 4.13.0" -+# warning "Skipping Compilation of KTLS" -+# endif -+# endif -+# endif -+#endif -+ -+#ifndef HEADER_INTERNAL_KTLS -+# define HEADER_INTERNAL_KTLS -+# ifndef OPENSSL_NO_KTLS -+ -+# if defined(__FreeBSD__) -+# include <sys/types.h> -+# include <sys/socket.h> -+# include <sys/ktls.h> -+# include <netinet/in.h> -+# include <netinet/tcp.h> -+# include "openssl/ssl3.h" -+ -+# ifndef TCP_RXTLS_ENABLE -+# define OPENSSL_NO_KTLS_RX -+# endif -+# define OPENSSL_KTLS_AES_GCM_128 -+# define OPENSSL_KTLS_AES_GCM_256 -+# define OPENSSL_KTLS_TLS13 -+# ifdef TLS_CHACHA20_IV_LEN -+# ifndef OPENSSL_NO_CHACHA -+# define OPENSSL_KTLS_CHACHA20_POLY1305 -+# endif -+# endif -+ -+typedef struct tls_enable ktls_crypto_info_t; -+ -+/* -+ * FreeBSD does not require any additional steps to enable KTLS before -+ * setting keys. -+ */ *** 3014 LINES SKIPPED ***home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69f8cefa.25b45.75d6c0a5>