git: 55f9ba2974ae - main - security/openssl30: Moved to security/openssl
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 14 Oct 2023 17:30:53 UTC
The branch main has been updated by brnrd:
URL: https://cgit.FreeBSD.org/ports/commit/?id=55f9ba2974aef548d368cb2a211928008f7b917d
commit 55f9ba2974aef548d368cb2a211928008f7b917d
Author: Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2023-10-14 17:13:45 +0000
Commit: Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2023-10-14 17:23:12 +0000
security/openssl30: Moved to security/openssl
---
MOVED | 1 +
security/openssl30/Makefile | 194 --------
security/openssl30/distinfo | 3 -
security/openssl30/files/extra-patch-ktls | 540 ---------------------
.../openssl30/files/extra-patch-util_find-doc-nits | 20 -
.../files/patch-Configurations_10-main.conf | 35 --
security/openssl30/files/patch-Configure | 11 -
security/openssl30/files/patch-crypto_ppccap.c | 34 --
.../files/patch-crypto_threads__pthread.c | 13 -
.../files/patch-util_perl_OpenSSL_config.pm | 14 -
security/openssl30/pkg-descr | 13 -
security/openssl30/pkg-plist | 275 -----------
security/openssl30/version.mk | 1 -
13 files changed, 1 insertion(+), 1153 deletions(-)
diff --git a/MOVED b/MOVED
index 6c1263ef89a1..558c94415356 100644
--- a/MOVED
+++ b/MOVED
@@ -7945,3 +7945,4 @@ devel/rubygem-google-protobuf323|devel/rubygem-google-protobuf|2023-10-11|Remove
audio/rem||2023-10-12|Has expired: Deprecated, replaced by libre
net/openmpi3|net/openmpi|2023-10-12|Has expired: OpenMPI 3 is not maintained by the upstream project anymore and will be removed
graphics/tiffgt||2023-10-14|Has expired: Upstream support stopped
+security/openssl30|security/openssl|2023-10-14|Upgrade security/openssl to 3.0
diff --git a/security/openssl30/Makefile b/security/openssl30/Makefile
deleted file mode 100644
index 6a9300d60d5d..000000000000
--- a/security/openssl30/Makefile
+++ /dev/null
@@ -1,194 +0,0 @@
-PORTNAME= openssl
-PORTVERSION= 3.0.11
-PORTREVISION= 1
-CATEGORIES= security devel
-MASTER_SITES= https://www.openssl.org/source/ \
- ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/
-PKGNAMESUFFIX= 30
-
-MAINTAINER= brnrd@FreeBSD.org
-COMMENT= TLSv1.3 capable SSL and crypto library
-WWW= https://www.openssl.org/
-
-LICENSE= APACHE20
-LICENSE_FILE= ${WRKSRC}/LICENSE.txt
-
-CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl3[12] openssl-quictls
-
-HAS_CONFIGURE= yes
-CONFIGURE_SCRIPT= config
-CONFIGURE_ENV= PERL="${PERL}"
-CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \
- --prefix=${PREFIX}
-
-USES= cpe perl5
-USE_PERL5= build
-TEST_TARGET= test
-
-LDFLAGS_i386= -Wl,-znotext
-
-MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}"
-MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
-
-OPTIONS_GROUP= CIPHERS HASHES MODULES OPTIMIZE PROTOCOLS
-OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS
-OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3
-OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS
-OPTIONS_GROUP_MODULES= FIPS LEGACY
-OPTIONS_DEFINE_i386= I386
-OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2
-
-OPTIONS_DEFINE= ASYNC CRYPTODEV CT KTLS MAN3 RFC3779 SHARED ZLIB
-
-OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST KTLS MAN3 MD4 NEXTPROTONEG \
- RFC3779 RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2
-
-OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:} \
- ${${OSVERSION} > 1300000:?CRYPTODEV:}
-
-OPTIONS_GROUP_OPTIMIZE_amd64= EC
-
-.if ${MACHINE_ARCH} == "amd64"
-OPTIONS_GROUP_OPTIMIZE+= EC
-.elif ${MACHINE_ARCH} == "mips64el"
-OPTIONS_GROUP_OPTIMIZE+= EC
-.endif
-
-OPTIONS_SUB= yes
-
-ARIA_DESC= ARIA (South Korean standard)
-ASM_DESC= Assembler code
-ASYNC_DESC= Asynchronous mode
-CIPHERS_DESC= Block Cipher Support
-CRYPTODEV_DESC= /dev/crypto support
-CT_DESC= Certificate Transparency Support
-DES_DESC= (Triple) Data Encryption Standard
-EC_DESC= Optimize NIST elliptic curves
-FIPS_DESC= Build FIPS provider
-GOST_DESC= GOST (Russian standard)
-HASHES_DESC= Hash Function Support
-I386_DESC= i386 (instead of i486+)
-IDEA_DESC= International Data Encryption Algorithm
-KTLS_DESC= Use in-kernel TLS (FreeBSD >13)
-LEGACY_DESC= Older algorithms
-MAN3_DESC= Install API manpages (section 3, 7)
-MD2_DESC= MD2 (obsolete) (requires LEGACY)
-MD4_DESC= MD4 (unsafe)
-MDC2_DESC= MDC-2 (patented, requires DES)
-MODULES_DESC= Provider modules
-NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY)
-OPTIMIZE_DESC= Optimizations
-PROTOCOLS_DESC= Protocol Support
-RC2_DESC= RC2 (unsafe)
-RC4_DESC= RC4 (unsafe)
-RC5_DESC= RC5 (patented)
-RMD160_DESC= RIPEMD-160
-RFC3779_DESC= RFC3779 support (BGP)
-SCTP_DESC= SCTP (Stream Control Transmission)
-SHARED_DESC= Build shared libraries
-SM2_DESC= SM2 Elliptic Curve DH (Chinese standard)
-SM3_DESC= SM3 256bit (Chinese standard)
-SM4_DESC= SM4 128bit (Chinese standard)
-SSE2_DESC= Runtime SSE2 detection
-SSL3_DESC= SSLv3 (unsafe)
-TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2)
-TLS1_1_DESC= TLSv1.1 (requires TLS1_2)
-TLS1_2_DESC= TLSv1.2
-WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe)
-
-# Upstream default disabled options
-.for _option in fips md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib
-${_option:tu}_CONFIGURE_ON= enable-${_option}
-.endfor
-
-# Upstream default enabled options
-.for _option in aria asm async ct des gost idea md4 mdc2 legacy \
- nextprotoneg rc2 rc4 rfc3779 rmd160 shared sm2 sm3 sm4 sse2 \
- threads tls1 tls1_1 tls1_2
-${_option:tu}_CONFIGURE_OFF= no-${_option}
-.endfor
-
-MD2_IMPLIES= LEGACY
-MDC2_IMPLIES= DES
-TLS1_IMPLIES= TLS1_1
-TLS1_1_IMPLIES= TLS1_2
-
-EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128
-FIPS_VARS= shlibs+=lib/ossl-modules/fips.so
-I386_CONFIGURE_ON= 386
-KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls
-LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so
-MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits
-SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER}
-SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER}
-SHARED_USE= ldconfig=yes
-SHARED_VARS= shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \
- lib/libssl.so.${OPENSSL_SHLIBVER} \
- lib/engines-${OPENSSL_SHLIBVER}/capi.so \
- lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \
- lib/engines-${OPENSSL_SHLIBVER}/padlock.so"
-SSL3_CONFIGURE_ON+= enable-ssl3-method
-ZLIB_CONFIGURE_ON= zlib-dynamic
-
-SHLIBS= lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so
-
-.include <bsd.port.options.mk>
-
-.if ${ARCH} == powerpc64
-CONFIGURE_ARGS+= BSD-ppc64
-.elif ${ARCH} == powerpc64le
-CONFIGURE_ARGS+= BSD-ppc64le
-.elif ${ARCH} == riscv64
-CONFIGURE_ARGS+= BSD-riscv64
-.endif
-
-.include <bsd.port.pre.mk>
-.if ${PREFIX} == /usr
-IGNORE= the OpenSSL port can not be installed over the base version
-.endif
-
-.if ${OPSYS} == FreeBSD && ${OSVERSION} < 1300000 && !${PORT_OPTIONS:MCRYPTODEV}
-CONFIGURE_ARGS+= no-devcryptoeng
-.endif
-
-OPENSSLDIR?= ${PREFIX}/openssl
-PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
-
-.include "version.mk"
-
-.if ${PORT_OPTIONS:MASM}
-BROKEN_sparc64= option ASM generates illegal instructions
-.endif
-
-post-patch:
- ${REINPLACE_CMD} -Ee 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \
- -e 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \
- ${WRKSRC}/Configurations/unix-Makefile.tmpl
- ${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \
- ${WRKSRC}/VERSION.dat
-
-post-configure:
- ( cd ${WRKSRC} ; ${PERL} configdata.pm --dump )
-
-post-configure-MAN3-off:
- ${REINPLACE_CMD} \
- -e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \
- -e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \
- ${WRKSRC}/Makefile
-
-post-install-SHARED-on:
-.for i in ${SHLIBS}
- -@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i
-.endfor
-
-post-install-SHARED-off:
- ${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-12
-
-post-install:
- ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl
-
-post-install-MAN3-on:
- ( cd ${STAGEDIR}/${PREFIX} ; find man/man3 -not -type d ; \
- find man/man7 -not -type d ) | sed 's/$$/.gz/' >> ${TMPPLIST}
-
-.include <bsd.port.post.mk>
diff --git a/security/openssl30/distinfo b/security/openssl30/distinfo
deleted file mode 100644
index a62e9e8bb1d6..000000000000
--- a/security/openssl30/distinfo
+++ /dev/null
@@ -1,3 +0,0 @@
-TIMESTAMP = 1695134169
-SHA256 (openssl-3.0.11.tar.gz) = b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55
-SIZE (openssl-3.0.11.tar.gz) = 15198318
diff --git a/security/openssl30/files/extra-patch-ktls b/security/openssl30/files/extra-patch-ktls
deleted file mode 100644
index 8a46c272d95c..000000000000
--- a/security/openssl30/files/extra-patch-ktls
+++ /dev/null
@@ -1,540 +0,0 @@
-diff --git include/internal/ktls.h include/internal/ktls.h
-index 95492fd065..3c82cae26b 100644
---- include/internal/ktls.h
-+++ include/internal/ktls.h
-@@ -40,6 +40,11 @@
- # define OPENSSL_KTLS_AES_GCM_128
- # define OPENSSL_KTLS_AES_GCM_256
- # define OPENSSL_KTLS_TLS13
-+# ifdef TLS_CHACHA20_IV_LEN
-+# ifndef OPENSSL_NO_CHACHA
-+# define OPENSSL_KTLS_CHACHA20_POLY1305
-+# endif
-+# endif
-
- typedef struct tls_enable ktls_crypto_info_t;
-
-diff --git ssl/ktls.c ssl/ktls.c
-index 79d980959e..e343d382cc 100644
---- ssl/ktls.c
-+++ ssl/ktls.c
-@@ -10,6 +10,67 @@
- #include "ssl_local.h"
- #include "internal/ktls.h"
-
-+#ifndef OPENSSL_NO_KTLS_RX
-+ /*
-+ * Count the number of records that were not processed yet from record boundary.
-+ *
-+ * This function assumes that there are only fully formed records read in the
-+ * record layer. If read_ahead is enabled, then this might be false and this
-+ * function will fail.
-+ */
-+static int count_unprocessed_records(SSL *s)
-+{
-+ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
-+ PACKET pkt, subpkt;
-+ int count = 0;
-+
-+ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
-+ return -1;
-+
-+ while (PACKET_remaining(&pkt) > 0) {
-+ /* Skip record type and version */
-+ if (!PACKET_forward(&pkt, 3))
-+ return -1;
-+
-+ /* Read until next record */
-+ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
-+ return -1;
-+
-+ count += 1;
-+ }
-+
-+ return count;
-+}
-+
-+/*
-+ * The kernel cannot offload receive if a partial TLS record has been read.
-+ * Check the read buffer for unprocessed records. If the buffer contains a
-+ * partial record, fail and return 0. Otherwise, update the sequence
-+ * number at *rec_seq for the count of unprocessed records and return 1.
-+ */
-+static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq)
-+{
-+ int bit, count_unprocessed;
-+
-+ count_unprocessed = count_unprocessed_records(s);
-+ if (count_unprocessed < 0)
-+ return 0;
-+
-+ /* increment the crypto_info record sequence */
-+ while (count_unprocessed) {
-+ for (bit = 7; bit >= 0; bit--) { /* increment */
-+ ++rec_seq[bit];
-+ if (rec_seq[bit] != 0)
-+ break;
-+ }
-+ count_unprocessed--;
-+
-+ }
-+
-+ return 1;
-+}
-+#endif
-+
- #if defined(__FreeBSD__)
- # include "crypto/cryptodev.h"
-
-@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
- case SSL_AES128GCM:
- case SSL_AES256GCM:
- return 1;
-+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
-+ case SSL_CHACHA20POLY1305:
-+ return 1;
-+# endif
- case SSL_AES128:
- case SSL_AES256:
- if (s->ext.use_etm)
-@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
- }
-
- /* Function to configure kernel TLS structure */
--int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
-+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- void *rl_sequence, ktls_crypto_info_t *crypto_info,
-- unsigned char **rec_seq, unsigned char *iv,
-+ int is_tx, unsigned char *iv,
- unsigned char *key, unsigned char *mac_key,
- size_t mac_secret_size)
- {
-@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- else
- crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
- break;
-+# ifdef OPENSSL_KTLS_CHACHA20_POLY1305
-+ case SSL_CHACHA20POLY1305:
-+ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305;
-+ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd);
-+ break;
-+# endif
- case SSL_AES128:
- case SSL_AES256:
- switch (s->s3.tmp.new_cipher->algorithm_mac) {
-@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- crypto_info->tls_vminor = (s->version & 0x000000ff);
- # ifdef TCP_RXTLS_ENABLE
- memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq));
-- if (rec_seq != NULL)
-- *rec_seq = crypto_info->rec_seq;
-+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq))
-+ return 0;
- # else
-- if (rec_seq != NULL)
-- *rec_seq = NULL;
-+ if (!is_tx)
-+ return 0;
- # endif
- return 1;
- };
-@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
- }
-
- /* Function to configure kernel TLS structure */
--int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
-+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- void *rl_sequence, ktls_crypto_info_t *crypto_info,
-- unsigned char **rec_seq, unsigned char *iv,
-+ int is_tx, unsigned char *iv,
- unsigned char *key, unsigned char *mac_key,
- size_t mac_secret_size)
- {
- unsigned char geniv[12];
- unsigned char *iiv = iv;
-
-+# ifdef OPENSSL_NO_KTLS_RX
-+ if (!is_tx)
-+ return 0;
-+# endif
-+
- if (s->version == TLS1_2_VERSION &&
- EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) {
- if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv,
-@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c));
- memcpy(crypto_info->gcm128.rec_seq, rl_sequence,
- TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
-- if (rec_seq != NULL)
-- *rec_seq = crypto_info->gcm128.rec_seq;
-+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq))
-+ return 0;
- return 1;
- # endif
- # ifdef OPENSSL_KTLS_AES_GCM_256
-@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c));
- memcpy(crypto_info->gcm256.rec_seq, rl_sequence,
- TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
-- if (rec_seq != NULL)
-- *rec_seq = crypto_info->gcm256.rec_seq;
-+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq))
-+ return 0;
- return 1;
- # endif
- # ifdef OPENSSL_KTLS_AES_CCM_128
-@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c));
- memcpy(crypto_info->ccm128.rec_seq, rl_sequence,
- TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
-- if (rec_seq != NULL)
-- *rec_seq = crypto_info->ccm128.rec_seq;
-+ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq))
-+ return 0;
- return 1;
- # endif
- # ifdef OPENSSL_KTLS_CHACHA20_POLY1305
-@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- EVP_CIPHER_get_key_length(c));
- memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence,
- TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
-- if (rec_seq != NULL)
-- *rec_seq = crypto_info->chacha20poly1305.rec_seq;
-+ if (!is_tx
-+ && !check_rx_read_ahead(s,
-+ crypto_info->chacha20poly1305.rec_seq))
-+ return 0;
- return 1;
- # endif
- default:
-diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c
-index d8ef018741..63caac080f 100644
---- ssl/record/ssl3_record.c
-+++ ssl/record/ssl3_record.c
-@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s)
- int imac_size;
- size_t num_recs = 0, max_recs, j;
- PACKET pkt, sslv2pkt;
-- int is_ktls_left;
-+ int using_ktls;
- SSL_MAC_BUF *macbufs = NULL;
- int ret = -1;
-
- rr = RECORD_LAYER_get_rrec(&s->rlayer);
- rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
-- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0);
- max_recs = s->max_pipelines;
- if (max_recs == 0)
- max_recs = 1;
- sess = s->session;
-
-+ /*
-+ * KTLS reads full records. If there is any data left,
-+ * then it is from before enabling ktls.
-+ */
-+ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0;
-+
- do {
- thisrr = &rr[num_recs];
-
-@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s)
- }
- }
-
-- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
-+ if (SSL_IS_TLS13(s)
-+ && s->enc_read_ctx != NULL
-+ && !using_ktls) {
- if (thisrr->type != SSL3_RT_APPLICATION_DATA
- && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC
- || !SSL_IS_FIRST_HANDSHAKE(s))
-@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s)
- }
-
- if (SSL_IS_TLS13(s)) {
-- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) {
-+ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH;
-+
-+ /* KTLS strips the inner record type. */
-+ if (using_ktls)
-+ len = SSL3_RT_MAX_ENCRYPTED_LENGTH;
-+
-+ if (thisrr->length > len) {
- SSLfatal(s, SSL_AD_RECORD_OVERFLOW,
- SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
- return -1;
-@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s)
- #endif
-
- /* KTLS may use all of the buffer */
-- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
-+ if (using_ktls)
- len = SSL3_BUFFER_get_left(rbuf);
-
- if (thisrr->length > len) {
-@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s)
- return 1;
- }
-
-- /*
-- * KTLS reads full records. If there is any data left,
-- * then it is from before enabling ktls
-- */
-- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left)
-+ if (using_ktls)
- goto skip_decryption;
-
- if (s->read_hash != NULL) {
-@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s)
- if (SSL_IS_TLS13(s)
- && s->enc_read_ctx != NULL
- && thisrr->type != SSL3_RT_ALERT) {
-- size_t end;
-+ /*
-+ * The following logic are irrelevant in KTLS: the kernel provides
-+ * unprotected record and thus record type represent the actual
-+ * content type, and padding is already removed and thisrr->type and
-+ * thisrr->length should have the correct values.
-+ */
-+ if (!using_ktls) {
-+ size_t end;
-
-- if (thisrr->length == 0
-- || thisrr->type != SSL3_RT_APPLICATION_DATA) {
-- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
-- goto end;
-+ if (thisrr->length == 0
-+ || thisrr->type != SSL3_RT_APPLICATION_DATA) {
-+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE);
-+ goto end;
-+ }
-+
-+ /* Strip trailing padding */
-+ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
-+ end--)
-+ continue;
-+
-+ thisrr->length = end;
-+ thisrr->type = thisrr->data[end];
- }
--
-- /* Strip trailing padding */
-- for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0;
-- end--)
-- continue;
--
-- thisrr->length = end;
-- thisrr->type = thisrr->data[end];
- if (thisrr->type != SSL3_RT_APPLICATION_DATA
- && thisrr->type != SSL3_RT_ALERT
- && thisrr->type != SSL3_RT_HANDSHAKE) {
-@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s)
- }
- if (s->msg_callback)
- s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE,
-- &thisrr->data[end], 1, s, s->msg_callback_arg);
-+ &thisrr->type, 1, s, s->msg_callback_arg);
- }
-
- /*
-@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s)
- * Therefore we have to rely on KTLS to check the plaintext length
- * limit in the kernel.
- */
-- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH
-- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) {
-+ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) {
- SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
- goto end;
- }
-diff --git ssl/ssl_local.h ssl/ssl_local.h
-index 5471e900b8..79ced2f468 100644
---- ssl/ssl_local.h
-+++ ssl/ssl_local.h
-@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label,
- /* ktls.c */
- int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c,
- const EVP_CIPHER_CTX *dd);
--int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
-+int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd,
- void *rl_sequence, ktls_crypto_info_t *crypto_info,
-- unsigned char **rec_seq, unsigned char *iv,
-+ int is_tx, unsigned char *iv,
- unsigned char *key, unsigned char *mac_key,
- size_t mac_secret_size);
- # endif
-diff --git ssl/t1_enc.c ssl/t1_enc.c
-index 237a19cd93..900ba14fbd 100644
---- ssl/t1_enc.c
-+++ ssl/t1_enc.c
-@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
- return ret;
- }
-
--#ifndef OPENSSL_NO_KTLS
-- /*
-- * Count the number of records that were not processed yet from record boundary.
-- *
-- * This function assumes that there are only fully formed records read in the
-- * record layer. If read_ahead is enabled, then this might be false and this
-- * function will fail.
-- */
--# ifndef OPENSSL_NO_KTLS_RX
--static int count_unprocessed_records(SSL *s)
--{
-- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer);
-- PACKET pkt, subpkt;
-- int count = 0;
--
-- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left))
-- return -1;
--
-- while (PACKET_remaining(&pkt) > 0) {
-- /* Skip record type and version */
-- if (!PACKET_forward(&pkt, 3))
-- return -1;
--
-- /* Read until next record */
-- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt))
-- return -1;
--
-- count += 1;
-- }
--
-- return count;
--}
--# endif
--#endif
--
--
- int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx,
- const EVP_CIPHER *ciph,
- const EVP_MD *md)
-@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which)
- int reuse_dd = 0;
- #ifndef OPENSSL_NO_KTLS
- ktls_crypto_info_t crypto_info;
-- unsigned char *rec_seq;
- void *rl_sequence;
--# ifndef OPENSSL_NO_KTLS_RX
-- int count_unprocessed;
-- int bit;
--# endif
- BIO *bio;
- #endif
-
-@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which)
- else
- rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
-
-- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq,
-- iv, key, ms, *mac_secret_size))
-+ if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info,
-+ which & SSL3_CC_WRITE, iv, key, ms,
-+ *mac_secret_size))
- goto skip_ktls;
-
-- if (which & SSL3_CC_READ) {
--# ifndef OPENSSL_NO_KTLS_RX
-- count_unprocessed = count_unprocessed_records(s);
-- if (count_unprocessed < 0)
-- goto skip_ktls;
--
-- /* increment the crypto_info record sequence */
-- while (count_unprocessed) {
-- for (bit = 7; bit >= 0; bit--) { /* increment */
-- ++rec_seq[bit];
-- if (rec_seq[bit] != 0)
-- break;
-- }
-- count_unprocessed--;
-- }
--# else
-- goto skip_ktls;
--# endif
-- }
--
- /* ktls works with user provided buffers directly */
- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
- if (which & SSL3_CC_WRITE)
-diff --git ssl/tls13_enc.c ssl/tls13_enc.c
-index 12388922e3..eaab0e2a74 100644
---- ssl/tls13_enc.c
-+++ ssl/tls13_enc.c
-@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which)
- const EVP_CIPHER *cipher = NULL;
- #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13)
- ktls_crypto_info_t crypto_info;
-+ void *rl_sequence;
- BIO *bio;
- #endif
-
-@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which)
- s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
- #ifndef OPENSSL_NO_KTLS
- # if defined(OPENSSL_KTLS_TLS13)
-- if (!(which & SSL3_CC_WRITE)
-- || !(which & SSL3_CC_APPLICATION)
-+ if (!(which & SSL3_CC_APPLICATION)
- || (s->options & SSL_OP_ENABLE_KTLS) == 0)
- goto skip_ktls;
-
-@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which)
- if (!ktls_check_supported_cipher(s, cipher, ciph_ctx))
- goto skip_ktls;
-
-- bio = s->wbio;
-+ if (which & SSL3_CC_WRITE)
-+ bio = s->wbio;
-+ else
-+ bio = s->rbio;
-
- if (!ossl_assert(bio != NULL)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which)
- }
-
- /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
-- if (BIO_flush(bio) <= 0)
-- goto skip_ktls;
-+ if (which & SSL3_CC_WRITE) {
-+ if (BIO_flush(bio) <= 0)
-+ goto skip_ktls;
-+ }
-
- /* configure kernel crypto structure */
-- if (!ktls_configure_crypto(s, cipher, ciph_ctx,
-- RECORD_LAYER_get_write_sequence(&s->rlayer),
-- &crypto_info, NULL, iv, key, NULL, 0))
-+ if (which & SSL3_CC_WRITE)
-+ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer);
-+ else
-+ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
-+
-+ if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info,
-+ which & SSL3_CC_WRITE, iv, key, NULL, 0))
- goto skip_ktls;
-
- /* ktls works with user provided buffers directly */
-- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE))
-- ssl3_release_write_buffer(s);
-+ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
-+ if (which & SSL3_CC_WRITE)
-+ ssl3_release_write_buffer(s);
-+ }
- skip_ktls:
- # endif
- #endif
-diff --git test/sslapitest.c test/sslapitest.c
-index 2911d6e94b..faf2eec2bc 100644
---- test/sslapitest.c
-+++ test/sslapitest.c
-@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
- #if defined(OPENSSL_NO_KTLS_RX)
- rx_supported = 0;
- #else
-- rx_supported = (tls_version != TLS1_3_VERSION);
-+ rx_supported = 1;
- #endif
- if (!cis_ktls || !rx_supported) {
- if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio)))
diff --git a/security/openssl30/files/extra-patch-util_find-doc-nits b/security/openssl30/files/extra-patch-util_find-doc-nits
deleted file mode 100644
index e4fc20a06252..000000000000
--- a/security/openssl30/files/extra-patch-util_find-doc-nits
+++ /dev/null
@@ -1,20 +0,0 @@
---- util/find-doc-nits.orig 2023-08-01 13:47:24 UTC
-+++ util/find-doc-nits
-@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt';
- my $OUT;
- my $status = 0;
-
--$opt_m = "man1,man3,man5,man7" unless $opt_m;
-+$opt_m = "man1,man5" unless $opt_m;
- die "Argument of -m option may contain only man1, man3, man5, and/or man7"
- unless $opt_m =~ /^(man[1357][, ]?)*$/;
- my @sections = ( split /[, ]/, $opt_m );
-@@ -725,7 +725,7 @@ sub check {
- next if $target eq ''; # Skip if links within page, or
- next if $target =~ /::/; # links to a Perl module, or
- next if $target =~ /^https?:/; # is a URL link, or
-- next if $target =~ /\([1357]\)$/; # it has a section
-+ next if $target =~ /\([15]\)$/; # it has a section
- err($id, "Missing man section number (likely, $mansect) in L<$target>")
- }
- # Check for proper links to commands.
diff --git a/security/openssl30/files/patch-Configurations_10-main.conf b/security/openssl30/files/patch-Configurations_10-main.conf
deleted file mode 100644
index 82503c0ff90c..000000000000
--- a/security/openssl30/files/patch-Configurations_10-main.conf
+++ /dev/null
@@ -1,35 +0,0 @@
---- Configurations/10-main.conf.orig 2022-04-12 16:29:42 UTC
-+++ Configurations/10-main.conf
-@@ -1069,6 +1069,32 @@ my %targets = (
- perlasm_scheme => "linux64",
- },
-
-+ "BSD-ppc" => {
-+ inherit_from => [ "BSD-generic32" ],
-+ asm_arch => 'ppc32',
-+ perlasm_scheme => "linux32",
-+ lib_cppflags => add("-DB_ENDIAN"),
-+ },
-+
-+ "BSD-ppc64" => {
-+ inherit_from => [ "BSD-generic64" ],
-+ cflags => add("-m64"),
-+ cxxflags => add("-m64"),
-+ lib_cppflags => add("-DB_ENDIAN"),
-+ asm_arch => 'ppc64',
-+ perlasm_scheme => "linux64",
-+ },
-+
-+ "BSD-ppc64le" => {
-+ inherit_from => [ "BSD-generic64" ],
-+ cflags => add("-m64"),
-+ cxxflags => add("-m64"),
-+ lib_cppflags => add("-DL_ENDIAN"),
-+ asm_arch => 'ppc64',
-+ perlasm_scheme => "linux64le",
-+ },
-+
-+
- "bsdi-elf-gcc" => {
- inherit_from => [ "BASE_unix" ],
- CC => "gcc",
diff --git a/security/openssl30/files/patch-Configure b/security/openssl30/files/patch-Configure
deleted file mode 100644
index c26823c674f3..000000000000
--- a/security/openssl30/files/patch-Configure
+++ /dev/null
@@ -1,11 +0,0 @@
---- Configure.orig 2022-04-12 16:30:34 UTC
-+++ Configure
-@@ -1549,7 +1549,7 @@ my %predefined_CXX = $config{CXX}
-
- unless ($disabled{asm}) {
- # big endian systems can use ELFv2 ABI
-- if ($target eq "linux-ppc64") {
-+ if ($target eq "linux-ppc64" || $target eq "BSD-ppc64") {
- $target{perlasm_scheme} = "linux64v2" if ($predefined_C{_CALL_ELF} == 2);
- }
- }
diff --git a/security/openssl30/files/patch-crypto_ppccap.c b/security/openssl30/files/patch-crypto_ppccap.c
deleted file mode 100644
index 14da11dedd4b..000000000000
--- a/security/openssl30/files/patch-crypto_ppccap.c
+++ /dev/null
@@ -1,34 +0,0 @@
---- crypto/ppccap.c.orig 2022-04-12 16:31:27 UTC
-+++ crypto/ppccap.c
-@@ -117,14 +117,18 @@ static unsigned long getauxval(unsigned long key)
- #endif
-
- /* I wish <sys/auxv.h> was universally available */
--#define HWCAP 16 /* AT_HWCAP */
-+#ifndef AT_HWCAP
-+# define AT_HWCAP 16 /* AT_HWCAP */
-+#endif
- #define HWCAP_PPC64 (1U << 30)
- #define HWCAP_ALTIVEC (1U << 28)
- #define HWCAP_FPU (1U << 27)
- #define HWCAP_POWER6_EXT (1U << 9)
- #define HWCAP_VSX (1U << 7)
-
--#define HWCAP2 26 /* AT_HWCAP2 */
-+#ifndef AT_HWCAP2
-+# define AT_HWCAP2 26 /* AT_HWCAP2 */
-+#endif
- #define HWCAP_VEC_CRYPTO (1U << 25)
- #define HWCAP_ARCH_3_00 (1U << 23)
-
-@@ -215,8 +219,8 @@ void OPENSSL_cpuid_setup(void)
-
- #ifdef OSSL_IMPLEMENT_GETAUXVAL
- {
-- unsigned long hwcap = getauxval(HWCAP);
-- unsigned long hwcap2 = getauxval(HWCAP2);
-+ unsigned long hwcap = getauxval(AT_HWCAP);
-+ unsigned long hwcap2 = getauxval(AT_HWCAP2);
-
- if (hwcap & HWCAP_FPU) {
- OPENSSL_ppccap_P |= PPC_FPU;
diff --git a/security/openssl30/files/patch-crypto_threads__pthread.c b/security/openssl30/files/patch-crypto_threads__pthread.c
deleted file mode 100644
index 3347170e0bd0..000000000000
--- a/security/openssl30/files/patch-crypto_threads__pthread.c
+++ /dev/null
@@ -1,13 +0,0 @@
---- crypto/threads_pthread.c.orig 2022-11-01 14:14:36 UTC
-+++ crypto/threads_pthread.c
-@@ -29,6 +29,10 @@
- #define BROKEN_CLANG_ATOMICS
- #endif
-
-+#if defined(__FreeBSD__) && defined(__i386__)
-+#define BROKEN_CLANG_ATOMICS
-+#endif
-+
- #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS)
-
- # if defined(OPENSSL_SYS_UNIX)
diff --git a/security/openssl30/files/patch-util_perl_OpenSSL_config.pm b/security/openssl30/files/patch-util_perl_OpenSSL_config.pm
deleted file mode 100644
index 9c669372a4f1..000000000000
--- a/security/openssl30/files/patch-util_perl_OpenSSL_config.pm
+++ /dev/null
@@ -1,14 +0,0 @@
---- util/perl/OpenSSL/config.pm.orig 2022-04-12 16:34:06 UTC
-+++ util/perl/OpenSSL/config.pm
-@@ -747,8 +747,9 @@ EOF
- disable => [ 'sse2' ] } ],
- [ 'alpha.*-.*-.*bsd.*', { target => "BSD-generic64",
- defines => [ 'L_ENDIAN' ] } ],
-- [ 'powerpc64-.*-.*bsd.*', { target => "BSD-generic64",
-- defines => [ 'B_ENDIAN' ] } ],
-+ [ 'powerpc-.*-.*bsd.*', { target => "BSD-ppc" } ],
-+ [ 'powerpc64-.*-.*bsd.*', { target => "BSD-ppc64" } ],
-+ [ 'powerpc64le-.*-.*bsd.*', { target => "BSD-ppc64le" } ],
- [ 'riscv64-.*-.*bsd.*', { target => "BSD-riscv64" } ],
- [ 'sparc64-.*-.*bsd.*', { target => "BSD-sparc64" } ],
- [ 'ia64-.*-.*bsd.*', { target => "BSD-ia64" } ],
diff --git a/security/openssl30/pkg-descr b/security/openssl30/pkg-descr
deleted file mode 100644
index c7704288547a..000000000000
--- a/security/openssl30/pkg-descr
+++ /dev/null
@@ -1,13 +0,0 @@
-The OpenSSL Project is a collaborative effort to develop a robust,
-commercial-grade, full-featured, and Open Source toolkit implementing
-the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1,
-v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide.
-The project is managed by a worldwide community of volunteers that use
-the Internet to communicate, plan, and develop the OpenSSL tookit
-and its related documentation.
-
-OpenSSL is based on the excellent SSLeay library developed by Eric
-A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
-an Apache-style licence, which basically means that you are free
-to get and use it for commercial and non-commercial purposes subject
-to some simple license conditions.
diff --git a/security/openssl30/pkg-plist b/security/openssl30/pkg-plist
deleted file mode 100644
index 04b64446394e..000000000000
--- a/security/openssl30/pkg-plist
+++ /dev/null
@@ -1,275 +0,0 @@
-bin/c_rehash
-bin/openssl
-include/openssl/aes.h
-include/openssl/asn1.h
-include/openssl/asn1_mac.h
-include/openssl/asn1err.h
-include/openssl/asn1t.h
*** 275 LINES SKIPPED ***