Date: Sat, 14 Oct 2023 17:30:53 GMT From: Bernard Spil <brnrd@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 55f9ba2974ae - main - security/openssl30: Moved to security/openssl Message-ID: <202310141730.39EHUrkP090463@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=55f9ba2974aef548d368cb2a211928008f7b917d commit 55f9ba2974aef548d368cb2a211928008f7b917d Author: Bernard Spil <brnrd@FreeBSD.org> AuthorDate: 2023-10-14 17:13:45 +0000 Commit: Bernard Spil <brnrd@FreeBSD.org> CommitDate: 2023-10-14 17:23:12 +0000 security/openssl30: Moved to security/openssl --- MOVED | 1 + security/openssl30/Makefile | 194 -------- security/openssl30/distinfo | 3 - security/openssl30/files/extra-patch-ktls | 540 --------------------- .../openssl30/files/extra-patch-util_find-doc-nits | 20 - .../files/patch-Configurations_10-main.conf | 35 -- security/openssl30/files/patch-Configure | 11 - security/openssl30/files/patch-crypto_ppccap.c | 34 -- .../files/patch-crypto_threads__pthread.c | 13 - .../files/patch-util_perl_OpenSSL_config.pm | 14 - security/openssl30/pkg-descr | 13 - security/openssl30/pkg-plist | 275 ----------- security/openssl30/version.mk | 1 - 13 files changed, 1 insertion(+), 1153 deletions(-) diff --git a/MOVED b/MOVED index 6c1263ef89a1..558c94415356 100644 --- a/MOVED +++ b/MOVED @@ -7945,3 +7945,4 @@ devel/rubygem-google-protobuf323|devel/rubygem-google-protobuf|2023-10-11|Remove audio/rem||2023-10-12|Has expired: Deprecated, replaced by libre net/openmpi3|net/openmpi|2023-10-12|Has expired: OpenMPI 3 is not maintained by the upstream project anymore and will be removed graphics/tiffgt||2023-10-14|Has expired: Upstream support stopped +security/openssl30|security/openssl|2023-10-14|Upgrade security/openssl to 3.0 diff --git a/security/openssl30/Makefile b/security/openssl30/Makefile deleted file mode 100644 index 6a9300d60d5d..000000000000 --- a/security/openssl30/Makefile +++ /dev/null @@ -1,194 +0,0 @@ -PORTNAME= openssl -PORTVERSION= 3.0.11 -PORTREVISION= 1 -CATEGORIES= security devel -MASTER_SITES= https://www.openssl.org/source/ \ - ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/ -PKGNAMESUFFIX= 30 - -MAINTAINER= brnrd@FreeBSD.org -COMMENT= TLSv1.3 capable SSL and crypto library -WWW= https://www.openssl.org/ - -LICENSE= APACHE20 -LICENSE_FILE= ${WRKSRC}/LICENSE.txt - -CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl3[12] openssl-quictls - -HAS_CONFIGURE= yes -CONFIGURE_SCRIPT= config -CONFIGURE_ENV= PERL="${PERL}" -CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ - --prefix=${PREFIX} - -USES= cpe perl5 -USE_PERL5= build -TEST_TARGET= test - -LDFLAGS_i386= -Wl,-znotext - -MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}" -MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= - -OPTIONS_GROUP= CIPHERS HASHES MODULES OPTIMIZE PROTOCOLS -OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS -OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3 -OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS -OPTIONS_GROUP_MODULES= FIPS LEGACY -OPTIONS_DEFINE_i386= I386 -OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2 - -OPTIONS_DEFINE= ASYNC CRYPTODEV CT KTLS MAN3 RFC3779 SHARED ZLIB - -OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST KTLS MAN3 MD4 NEXTPROTONEG \ - RFC3779 RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2 - -OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:} \ - ${${OSVERSION} > 1300000:?CRYPTODEV:} - -OPTIONS_GROUP_OPTIMIZE_amd64= EC - -.if ${MACHINE_ARCH} == "amd64" -OPTIONS_GROUP_OPTIMIZE+= EC -.elif ${MACHINE_ARCH} == "mips64el" -OPTIONS_GROUP_OPTIMIZE+= EC -.endif - -OPTIONS_SUB= yes - -ARIA_DESC= ARIA (South Korean standard) -ASM_DESC= Assembler code -ASYNC_DESC= Asynchronous mode -CIPHERS_DESC= Block Cipher Support -CRYPTODEV_DESC= /dev/crypto support -CT_DESC= Certificate Transparency Support -DES_DESC= (Triple) Data Encryption Standard -EC_DESC= Optimize NIST elliptic curves -FIPS_DESC= Build FIPS provider -GOST_DESC= GOST (Russian standard) -HASHES_DESC= Hash Function Support -I386_DESC= i386 (instead of i486+) -IDEA_DESC= International Data Encryption Algorithm -KTLS_DESC= Use in-kernel TLS (FreeBSD >13) -LEGACY_DESC= Older algorithms -MAN3_DESC= Install API manpages (section 3, 7) -MD2_DESC= MD2 (obsolete) (requires LEGACY) -MD4_DESC= MD4 (unsafe) -MDC2_DESC= MDC-2 (patented, requires DES) -MODULES_DESC= Provider modules -NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) -OPTIMIZE_DESC= Optimizations -PROTOCOLS_DESC= Protocol Support -RC2_DESC= RC2 (unsafe) -RC4_DESC= RC4 (unsafe) -RC5_DESC= RC5 (patented) -RMD160_DESC= RIPEMD-160 -RFC3779_DESC= RFC3779 support (BGP) -SCTP_DESC= SCTP (Stream Control Transmission) -SHARED_DESC= Build shared libraries -SM2_DESC= SM2 Elliptic Curve DH (Chinese standard) -SM3_DESC= SM3 256bit (Chinese standard) -SM4_DESC= SM4 128bit (Chinese standard) -SSE2_DESC= Runtime SSE2 detection -SSL3_DESC= SSLv3 (unsafe) -TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2) -TLS1_1_DESC= TLSv1.1 (requires TLS1_2) -TLS1_2_DESC= TLSv1.2 -WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe) - -# Upstream default disabled options -.for _option in fips md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib -${_option:tu}_CONFIGURE_ON= enable-${_option} -.endfor - -# Upstream default enabled options -.for _option in aria asm async ct des gost idea md4 mdc2 legacy \ - nextprotoneg rc2 rc4 rfc3779 rmd160 shared sm2 sm3 sm4 sse2 \ - threads tls1 tls1_1 tls1_2 -${_option:tu}_CONFIGURE_OFF= no-${_option} -.endfor - -MD2_IMPLIES= LEGACY -MDC2_IMPLIES= DES -TLS1_IMPLIES= TLS1_1 -TLS1_1_IMPLIES= TLS1_2 - -EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 -FIPS_VARS= shlibs+=lib/ossl-modules/fips.so -I386_CONFIGURE_ON= 386 -KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls -LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so -MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits -SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} -SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} -SHARED_USE= ldconfig=yes -SHARED_VARS= shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \ - lib/libssl.so.${OPENSSL_SHLIBVER} \ - lib/engines-${OPENSSL_SHLIBVER}/capi.so \ - lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \ - lib/engines-${OPENSSL_SHLIBVER}/padlock.so" -SSL3_CONFIGURE_ON+= enable-ssl3-method -ZLIB_CONFIGURE_ON= zlib-dynamic - -SHLIBS= lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so - -.include <bsd.port.options.mk> - -.if ${ARCH} == powerpc64 -CONFIGURE_ARGS+= BSD-ppc64 -.elif ${ARCH} == powerpc64le -CONFIGURE_ARGS+= BSD-ppc64le -.elif ${ARCH} == riscv64 -CONFIGURE_ARGS+= BSD-riscv64 -.endif - -.include <bsd.port.pre.mk> -.if ${PREFIX} == /usr -IGNORE= the OpenSSL port can not be installed over the base version -.endif - -.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1300000 && !${PORT_OPTIONS:MCRYPTODEV} -CONFIGURE_ARGS+= no-devcryptoeng -.endif - -OPENSSLDIR?= ${PREFIX}/openssl -PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} - -.include "version.mk" - -.if ${PORT_OPTIONS:MASM} -BROKEN_sparc64= option ASM generates illegal instructions -.endif - -post-patch: - ${REINPLACE_CMD} -Ee 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \ - -e 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \ - ${WRKSRC}/Configurations/unix-Makefile.tmpl - ${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \ - ${WRKSRC}/VERSION.dat - -post-configure: - ( cd ${WRKSRC} ; ${PERL} configdata.pm --dump ) - -post-configure-MAN3-off: - ${REINPLACE_CMD} \ - -e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \ - -e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \ - ${WRKSRC}/Makefile - -post-install-SHARED-on: -.for i in ${SHLIBS} - -@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i -.endfor - -post-install-SHARED-off: - ${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-12 - -post-install: - ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl - -post-install-MAN3-on: - ( cd ${STAGEDIR}/${PREFIX} ; find man/man3 -not -type d ; \ - find man/man7 -not -type d ) | sed 's/$$/.gz/' >> ${TMPPLIST} - -.include <bsd.port.post.mk> diff --git a/security/openssl30/distinfo b/security/openssl30/distinfo deleted file mode 100644 index a62e9e8bb1d6..000000000000 --- a/security/openssl30/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1695134169 -SHA256 (openssl-3.0.11.tar.gz) = b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55 -SIZE (openssl-3.0.11.tar.gz) = 15198318 diff --git a/security/openssl30/files/extra-patch-ktls b/security/openssl30/files/extra-patch-ktls deleted file mode 100644 index 8a46c272d95c..000000000000 --- a/security/openssl30/files/extra-patch-ktls +++ /dev/null @@ -1,540 +0,0 @@ -diff --git include/internal/ktls.h include/internal/ktls.h -index 95492fd065..3c82cae26b 100644 ---- include/internal/ktls.h -+++ include/internal/ktls.h -@@ -40,6 +40,11 @@ - # define OPENSSL_KTLS_AES_GCM_128 - # define OPENSSL_KTLS_AES_GCM_256 - # define OPENSSL_KTLS_TLS13 -+# ifdef TLS_CHACHA20_IV_LEN -+# ifndef OPENSSL_NO_CHACHA -+# define OPENSSL_KTLS_CHACHA20_POLY1305 -+# endif -+# endif - - typedef struct tls_enable ktls_crypto_info_t; - -diff --git ssl/ktls.c ssl/ktls.c -index 79d980959e..e343d382cc 100644 ---- ssl/ktls.c -+++ ssl/ktls.c -@@ -10,6 +10,67 @@ - #include "ssl_local.h" - #include "internal/ktls.h" - -+#ifndef OPENSSL_NO_KTLS_RX -+ /* -+ * Count the number of records that were not processed yet from record boundary. -+ * -+ * This function assumes that there are only fully formed records read in the -+ * record layer. If read_ahead is enabled, then this might be false and this -+ * function will fail. -+ */ -+static int count_unprocessed_records(SSL *s) -+{ -+ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); -+ PACKET pkt, subpkt; -+ int count = 0; -+ -+ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) -+ return -1; -+ -+ while (PACKET_remaining(&pkt) > 0) { -+ /* Skip record type and version */ -+ if (!PACKET_forward(&pkt, 3)) -+ return -1; -+ -+ /* Read until next record */ -+ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) -+ return -1; -+ -+ count += 1; -+ } -+ -+ return count; -+} -+ -+/* -+ * The kernel cannot offload receive if a partial TLS record has been read. -+ * Check the read buffer for unprocessed records. If the buffer contains a -+ * partial record, fail and return 0. Otherwise, update the sequence -+ * number at *rec_seq for the count of unprocessed records and return 1. -+ */ -+static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq) -+{ -+ int bit, count_unprocessed; -+ -+ count_unprocessed = count_unprocessed_records(s); -+ if (count_unprocessed < 0) -+ return 0; -+ -+ /* increment the crypto_info record sequence */ -+ while (count_unprocessed) { -+ for (bit = 7; bit >= 0; bit--) { /* increment */ -+ ++rec_seq[bit]; -+ if (rec_seq[bit] != 0) -+ break; -+ } -+ count_unprocessed--; -+ -+ } -+ -+ return 1; -+} -+#endif -+ - #if defined(__FreeBSD__) - # include "crypto/cryptodev.h" - -@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, - case SSL_AES128GCM: - case SSL_AES256GCM: - return 1; -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ case SSL_CHACHA20POLY1305: -+ return 1; -+# endif - case SSL_AES128: - case SSL_AES256: - if (s->ext.use_etm) -@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, - } - - /* Function to configure kernel TLS structure */ --int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, -+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - void *rl_sequence, ktls_crypto_info_t *crypto_info, -- unsigned char **rec_seq, unsigned char *iv, -+ int is_tx, unsigned char *iv, - unsigned char *key, unsigned char *mac_key, - size_t mac_secret_size) - { -@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - else - crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN; - break; -+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -+ case SSL_CHACHA20POLY1305: -+ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; -+ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd); -+ break; -+# endif - case SSL_AES128: - case SSL_AES256: - switch (s->s3.tmp.new_cipher->algorithm_mac) { -@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - crypto_info->tls_vminor = (s->version & 0x000000ff); - # ifdef TCP_RXTLS_ENABLE - memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); -- if (rec_seq != NULL) -- *rec_seq = crypto_info->rec_seq; -+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) -+ return 0; - # else -- if (rec_seq != NULL) -- *rec_seq = NULL; -+ if (!is_tx) -+ return 0; - # endif - return 1; - }; -@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, - } - - /* Function to configure kernel TLS structure */ --int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, -+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - void *rl_sequence, ktls_crypto_info_t *crypto_info, -- unsigned char **rec_seq, unsigned char *iv, -+ int is_tx, unsigned char *iv, - unsigned char *key, unsigned char *mac_key, - size_t mac_secret_size) - { - unsigned char geniv[12]; - unsigned char *iiv = iv; - -+# ifdef OPENSSL_NO_KTLS_RX -+ if (!is_tx) -+ return 0; -+# endif -+ - if (s->version == TLS1_2_VERSION && - EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { - if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv, -@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c)); - memcpy(crypto_info->gcm128.rec_seq, rl_sequence, - TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); -- if (rec_seq != NULL) -- *rec_seq = crypto_info->gcm128.rec_seq; -+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) -+ return 0; - return 1; - # endif - # ifdef OPENSSL_KTLS_AES_GCM_256 -@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c)); - memcpy(crypto_info->gcm256.rec_seq, rl_sequence, - TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); -- if (rec_seq != NULL) -- *rec_seq = crypto_info->gcm256.rec_seq; -+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) -+ return 0; - return 1; - # endif - # ifdef OPENSSL_KTLS_AES_CCM_128 -@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c)); - memcpy(crypto_info->ccm128.rec_seq, rl_sequence, - TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); -- if (rec_seq != NULL) -- *rec_seq = crypto_info->ccm128.rec_seq; -+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) -+ return 0; - return 1; - # endif - # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 -@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - EVP_CIPHER_get_key_length(c)); - memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, - TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); -- if (rec_seq != NULL) -- *rec_seq = crypto_info->chacha20poly1305.rec_seq; -+ if (!is_tx -+ && !check_rx_read_ahead(s, -+ crypto_info->chacha20poly1305.rec_seq)) -+ return 0; - return 1; - # endif - default: -diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c -index d8ef018741..63caac080f 100644 ---- ssl/record/ssl3_record.c -+++ ssl/record/ssl3_record.c -@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s) - int imac_size; - size_t num_recs = 0, max_recs, j; - PACKET pkt, sslv2pkt; -- int is_ktls_left; -+ int using_ktls; - SSL_MAC_BUF *macbufs = NULL; - int ret = -1; - - rr = RECORD_LAYER_get_rrec(&s->rlayer); - rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); -- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0); - max_recs = s->max_pipelines; - if (max_recs == 0) - max_recs = 1; - sess = s->session; - -+ /* -+ * KTLS reads full records. If there is any data left, -+ * then it is from before enabling ktls. -+ */ -+ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0; -+ - do { - thisrr = &rr[num_recs]; - -@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s) - } - } - -- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { -+ if (SSL_IS_TLS13(s) -+ && s->enc_read_ctx != NULL -+ && !using_ktls) { - if (thisrr->type != SSL3_RT_APPLICATION_DATA - && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC - || !SSL_IS_FIRST_HANDSHAKE(s)) -@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s) - } - - if (SSL_IS_TLS13(s)) { -- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { -+ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH; -+ -+ /* KTLS strips the inner record type. */ -+ if (using_ktls) -+ len = SSL3_RT_MAX_ENCRYPTED_LENGTH; -+ -+ if (thisrr->length > len) { - SSLfatal(s, SSL_AD_RECORD_OVERFLOW, - SSL_R_ENCRYPTED_LENGTH_TOO_LONG); - return -1; -@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s) - #endif - - /* KTLS may use all of the buffer */ -- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) -+ if (using_ktls) - len = SSL3_BUFFER_get_left(rbuf); - - if (thisrr->length > len) { -@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s) - return 1; - } - -- /* -- * KTLS reads full records. If there is any data left, -- * then it is from before enabling ktls -- */ -- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) -+ if (using_ktls) - goto skip_decryption; - - if (s->read_hash != NULL) { -@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s) - if (SSL_IS_TLS13(s) - && s->enc_read_ctx != NULL - && thisrr->type != SSL3_RT_ALERT) { -- size_t end; -+ /* -+ * The following logic are irrelevant in KTLS: the kernel provides -+ * unprotected record and thus record type represent the actual -+ * content type, and padding is already removed and thisrr->type and -+ * thisrr->length should have the correct values. -+ */ -+ if (!using_ktls) { -+ size_t end; - -- if (thisrr->length == 0 -- || thisrr->type != SSL3_RT_APPLICATION_DATA) { -- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); -- goto end; -+ if (thisrr->length == 0 -+ || thisrr->type != SSL3_RT_APPLICATION_DATA) { -+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); -+ goto end; -+ } -+ -+ /* Strip trailing padding */ -+ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; -+ end--) -+ continue; -+ -+ thisrr->length = end; -+ thisrr->type = thisrr->data[end]; - } -- -- /* Strip trailing padding */ -- for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; -- end--) -- continue; -- -- thisrr->length = end; -- thisrr->type = thisrr->data[end]; - if (thisrr->type != SSL3_RT_APPLICATION_DATA - && thisrr->type != SSL3_RT_ALERT - && thisrr->type != SSL3_RT_HANDSHAKE) { -@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s) - } - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, -- &thisrr->data[end], 1, s, s->msg_callback_arg); -+ &thisrr->type, 1, s, s->msg_callback_arg); - } - - /* -@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s) - * Therefore we have to rely on KTLS to check the plaintext length - * limit in the kernel. - */ -- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH -- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) { -+ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) { - SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); - goto end; - } -diff --git ssl/ssl_local.h ssl/ssl_local.h -index 5471e900b8..79ced2f468 100644 ---- ssl/ssl_local.h -+++ ssl/ssl_local.h -@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, - /* ktls.c */ - int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, - const EVP_CIPHER_CTX *dd); --int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, -+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, - void *rl_sequence, ktls_crypto_info_t *crypto_info, -- unsigned char **rec_seq, unsigned char *iv, -+ int is_tx, unsigned char *iv, - unsigned char *key, unsigned char *mac_key, - size_t mac_secret_size); - # endif -diff --git ssl/t1_enc.c ssl/t1_enc.c -index 237a19cd93..900ba14fbd 100644 ---- ssl/t1_enc.c -+++ ssl/t1_enc.c -@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) - return ret; - } - --#ifndef OPENSSL_NO_KTLS -- /* -- * Count the number of records that were not processed yet from record boundary. -- * -- * This function assumes that there are only fully formed records read in the -- * record layer. If read_ahead is enabled, then this might be false and this -- * function will fail. -- */ --# ifndef OPENSSL_NO_KTLS_RX --static int count_unprocessed_records(SSL *s) --{ -- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); -- PACKET pkt, subpkt; -- int count = 0; -- -- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) -- return -1; -- -- while (PACKET_remaining(&pkt) > 0) { -- /* Skip record type and version */ -- if (!PACKET_forward(&pkt, 3)) -- return -1; -- -- /* Read until next record */ -- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) -- return -1; -- -- count += 1; -- } -- -- return count; --} --# endif --#endif -- -- - int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, - const EVP_CIPHER *ciph, - const EVP_MD *md) -@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which) - int reuse_dd = 0; - #ifndef OPENSSL_NO_KTLS - ktls_crypto_info_t crypto_info; -- unsigned char *rec_seq; - void *rl_sequence; --# ifndef OPENSSL_NO_KTLS_RX -- int count_unprocessed; -- int bit; --# endif - BIO *bio; - #endif - -@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which) - else - rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); - -- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq, -- iv, key, ms, *mac_secret_size)) -+ if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, -+ which & SSL3_CC_WRITE, iv, key, ms, -+ *mac_secret_size)) - goto skip_ktls; - -- if (which & SSL3_CC_READ) { --# ifndef OPENSSL_NO_KTLS_RX -- count_unprocessed = count_unprocessed_records(s); -- if (count_unprocessed < 0) -- goto skip_ktls; -- -- /* increment the crypto_info record sequence */ -- while (count_unprocessed) { -- for (bit = 7; bit >= 0; bit--) { /* increment */ -- ++rec_seq[bit]; -- if (rec_seq[bit] != 0) -- break; -- } -- count_unprocessed--; -- } --# else -- goto skip_ktls; --# endif -- } -- - /* ktls works with user provided buffers directly */ - if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { - if (which & SSL3_CC_WRITE) -diff --git ssl/tls13_enc.c ssl/tls13_enc.c -index 12388922e3..eaab0e2a74 100644 ---- ssl/tls13_enc.c -+++ ssl/tls13_enc.c -@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which) - const EVP_CIPHER *cipher = NULL; - #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) - ktls_crypto_info_t crypto_info; -+ void *rl_sequence; - BIO *bio; - #endif - -@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which) - s->statem.enc_write_state = ENC_WRITE_STATE_VALID; - #ifndef OPENSSL_NO_KTLS - # if defined(OPENSSL_KTLS_TLS13) -- if (!(which & SSL3_CC_WRITE) -- || !(which & SSL3_CC_APPLICATION) -+ if (!(which & SSL3_CC_APPLICATION) - || (s->options & SSL_OP_ENABLE_KTLS) == 0) - goto skip_ktls; - -@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which) - if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) - goto skip_ktls; - -- bio = s->wbio; -+ if (which & SSL3_CC_WRITE) -+ bio = s->wbio; -+ else -+ bio = s->rbio; - - if (!ossl_assert(bio != NULL)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which) - } - - /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ -- if (BIO_flush(bio) <= 0) -- goto skip_ktls; -+ if (which & SSL3_CC_WRITE) { -+ if (BIO_flush(bio) <= 0) -+ goto skip_ktls; -+ } - - /* configure kernel crypto structure */ -- if (!ktls_configure_crypto(s, cipher, ciph_ctx, -- RECORD_LAYER_get_write_sequence(&s->rlayer), -- &crypto_info, NULL, iv, key, NULL, 0)) -+ if (which & SSL3_CC_WRITE) -+ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); -+ else -+ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); -+ -+ if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info, -+ which & SSL3_CC_WRITE, iv, key, NULL, 0)) - goto skip_ktls; - - /* ktls works with user provided buffers directly */ -- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) -- ssl3_release_write_buffer(s); -+ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { -+ if (which & SSL3_CC_WRITE) -+ ssl3_release_write_buffer(s); -+ } - skip_ktls: - # endif - #endif -diff --git test/sslapitest.c test/sslapitest.c -index 2911d6e94b..faf2eec2bc 100644 ---- test/sslapitest.c -+++ test/sslapitest.c -@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, - #if defined(OPENSSL_NO_KTLS_RX) - rx_supported = 0; - #else -- rx_supported = (tls_version != TLS1_3_VERSION); -+ rx_supported = 1; - #endif - if (!cis_ktls || !rx_supported) { - if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) diff --git a/security/openssl30/files/extra-patch-util_find-doc-nits b/security/openssl30/files/extra-patch-util_find-doc-nits deleted file mode 100644 index e4fc20a06252..000000000000 --- a/security/openssl30/files/extra-patch-util_find-doc-nits +++ /dev/null @@ -1,20 +0,0 @@ ---- util/find-doc-nits.orig 2023-08-01 13:47:24 UTC -+++ util/find-doc-nits -@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt'; - my $OUT; - my $status = 0; - --$opt_m = "man1,man3,man5,man7" unless $opt_m; -+$opt_m = "man1,man5" unless $opt_m; - die "Argument of -m option may contain only man1, man3, man5, and/or man7" - unless $opt_m =~ /^(man[1357][, ]?)*$/; - my @sections = ( split /[, ]/, $opt_m ); -@@ -725,7 +725,7 @@ sub check { - next if $target eq ''; # Skip if links within page, or - next if $target =~ /::/; # links to a Perl module, or - next if $target =~ /^https?:/; # is a URL link, or -- next if $target =~ /\([1357]\)$/; # it has a section -+ next if $target =~ /\([15]\)$/; # it has a section - err($id, "Missing man section number (likely, $mansect) in L<$target>") - } - # Check for proper links to commands. diff --git a/security/openssl30/files/patch-Configurations_10-main.conf b/security/openssl30/files/patch-Configurations_10-main.conf deleted file mode 100644 index 82503c0ff90c..000000000000 --- a/security/openssl30/files/patch-Configurations_10-main.conf +++ /dev/null @@ -1,35 +0,0 @@ ---- Configurations/10-main.conf.orig 2022-04-12 16:29:42 UTC -+++ Configurations/10-main.conf -@@ -1069,6 +1069,32 @@ my %targets = ( - perlasm_scheme => "linux64", - }, - -+ "BSD-ppc" => { -+ inherit_from => [ "BSD-generic32" ], -+ asm_arch => 'ppc32', -+ perlasm_scheme => "linux32", -+ lib_cppflags => add("-DB_ENDIAN"), -+ }, -+ -+ "BSD-ppc64" => { -+ inherit_from => [ "BSD-generic64" ], -+ cflags => add("-m64"), -+ cxxflags => add("-m64"), -+ lib_cppflags => add("-DB_ENDIAN"), -+ asm_arch => 'ppc64', -+ perlasm_scheme => "linux64", -+ }, -+ -+ "BSD-ppc64le" => { -+ inherit_from => [ "BSD-generic64" ], -+ cflags => add("-m64"), -+ cxxflags => add("-m64"), -+ lib_cppflags => add("-DL_ENDIAN"), -+ asm_arch => 'ppc64', -+ perlasm_scheme => "linux64le", -+ }, -+ -+ - "bsdi-elf-gcc" => { - inherit_from => [ "BASE_unix" ], - CC => "gcc", diff --git a/security/openssl30/files/patch-Configure b/security/openssl30/files/patch-Configure deleted file mode 100644 index c26823c674f3..000000000000 --- a/security/openssl30/files/patch-Configure +++ /dev/null @@ -1,11 +0,0 @@ ---- Configure.orig 2022-04-12 16:30:34 UTC -+++ Configure -@@ -1549,7 +1549,7 @@ my %predefined_CXX = $config{CXX} - - unless ($disabled{asm}) { - # big endian systems can use ELFv2 ABI -- if ($target eq "linux-ppc64") { -+ if ($target eq "linux-ppc64" || $target eq "BSD-ppc64") { - $target{perlasm_scheme} = "linux64v2" if ($predefined_C{_CALL_ELF} == 2); - } - } diff --git a/security/openssl30/files/patch-crypto_ppccap.c b/security/openssl30/files/patch-crypto_ppccap.c deleted file mode 100644 index 14da11dedd4b..000000000000 --- a/security/openssl30/files/patch-crypto_ppccap.c +++ /dev/null @@ -1,34 +0,0 @@ ---- crypto/ppccap.c.orig 2022-04-12 16:31:27 UTC -+++ crypto/ppccap.c -@@ -117,14 +117,18 @@ static unsigned long getauxval(unsigned long key) - #endif - - /* I wish <sys/auxv.h> was universally available */ --#define HWCAP 16 /* AT_HWCAP */ -+#ifndef AT_HWCAP -+# define AT_HWCAP 16 /* AT_HWCAP */ -+#endif - #define HWCAP_PPC64 (1U << 30) - #define HWCAP_ALTIVEC (1U << 28) - #define HWCAP_FPU (1U << 27) - #define HWCAP_POWER6_EXT (1U << 9) - #define HWCAP_VSX (1U << 7) - --#define HWCAP2 26 /* AT_HWCAP2 */ -+#ifndef AT_HWCAP2 -+# define AT_HWCAP2 26 /* AT_HWCAP2 */ -+#endif - #define HWCAP_VEC_CRYPTO (1U << 25) - #define HWCAP_ARCH_3_00 (1U << 23) - -@@ -215,8 +219,8 @@ void OPENSSL_cpuid_setup(void) - - #ifdef OSSL_IMPLEMENT_GETAUXVAL - { -- unsigned long hwcap = getauxval(HWCAP); -- unsigned long hwcap2 = getauxval(HWCAP2); -+ unsigned long hwcap = getauxval(AT_HWCAP); -+ unsigned long hwcap2 = getauxval(AT_HWCAP2); - - if (hwcap & HWCAP_FPU) { - OPENSSL_ppccap_P |= PPC_FPU; diff --git a/security/openssl30/files/patch-crypto_threads__pthread.c b/security/openssl30/files/patch-crypto_threads__pthread.c deleted file mode 100644 index 3347170e0bd0..000000000000 --- a/security/openssl30/files/patch-crypto_threads__pthread.c +++ /dev/null @@ -1,13 +0,0 @@ ---- crypto/threads_pthread.c.orig 2022-11-01 14:14:36 UTC -+++ crypto/threads_pthread.c -@@ -29,6 +29,10 @@ - #define BROKEN_CLANG_ATOMICS - #endif - -+#if defined(__FreeBSD__) && defined(__i386__) -+#define BROKEN_CLANG_ATOMICS -+#endif -+ - #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS) - - # if defined(OPENSSL_SYS_UNIX) diff --git a/security/openssl30/files/patch-util_perl_OpenSSL_config.pm b/security/openssl30/files/patch-util_perl_OpenSSL_config.pm deleted file mode 100644 index 9c669372a4f1..000000000000 --- a/security/openssl30/files/patch-util_perl_OpenSSL_config.pm +++ /dev/null @@ -1,14 +0,0 @@ ---- util/perl/OpenSSL/config.pm.orig 2022-04-12 16:34:06 UTC -+++ util/perl/OpenSSL/config.pm -@@ -747,8 +747,9 @@ EOF - disable => [ 'sse2' ] } ], - [ 'alpha.*-.*-.*bsd.*', { target => "BSD-generic64", - defines => [ 'L_ENDIAN' ] } ], -- [ 'powerpc64-.*-.*bsd.*', { target => "BSD-generic64", -- defines => [ 'B_ENDIAN' ] } ], -+ [ 'powerpc-.*-.*bsd.*', { target => "BSD-ppc" } ], -+ [ 'powerpc64-.*-.*bsd.*', { target => "BSD-ppc64" } ], -+ [ 'powerpc64le-.*-.*bsd.*', { target => "BSD-ppc64le" } ], - [ 'riscv64-.*-.*bsd.*', { target => "BSD-riscv64" } ], - [ 'sparc64-.*-.*bsd.*', { target => "BSD-sparc64" } ], - [ 'ia64-.*-.*bsd.*', { target => "BSD-ia64" } ], diff --git a/security/openssl30/pkg-descr b/security/openssl30/pkg-descr deleted file mode 100644 index c7704288547a..000000000000 --- a/security/openssl30/pkg-descr +++ /dev/null @@ -1,13 +0,0 @@ -The OpenSSL Project is a collaborative effort to develop a robust, -commercial-grade, full-featured, and Open Source toolkit implementing -the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1, -v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide. -The project is managed by a worldwide community of volunteers that use -the Internet to communicate, plan, and develop the OpenSSL tookit -and its related documentation. - -OpenSSL is based on the excellent SSLeay library developed by Eric -A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under -an Apache-style licence, which basically means that you are free -to get and use it for commercial and non-commercial purposes subject -to some simple license conditions. diff --git a/security/openssl30/pkg-plist b/security/openssl30/pkg-plist deleted file mode 100644 index 04b64446394e..000000000000 --- a/security/openssl30/pkg-plist +++ /dev/null @@ -1,275 +0,0 @@ -bin/c_rehash -bin/openssl -include/openssl/aes.h -include/openssl/asn1.h -include/openssl/asn1_mac.h -include/openssl/asn1err.h -include/openssl/asn1t.h *** 275 LINES SKIPPED ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202310141730.39EHUrkP090463>