git: 2d1ee56d368a - main - security/openssl33-quictls: New port

From: Bernard Spil <brnrd_at_FreeBSD.org>
Date: Wed, 02 Jul 2025 20:12:27 UTC
The branch main has been updated by brnrd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2d1ee56d368a642eb94545ad2e362121adc690f0

commit 2d1ee56d368a642eb94545ad2e362121adc690f0
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2025-07-02 20:11:36 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2025-07-02 20:11:36 +0000

    security/openssl33-quictls: New port
    
    Upstream archived their openssl repo and switched to
    a quictls repo.
---
 security/Makefile                                  |   1 +
 security/openssl33-quictls/Makefile                | 190 ++++++++++++++
 security/openssl33-quictls/distinfo                |   3 +
 .../files/extra-patch-util_find-doc-nits           |  20 ++
 .../openssl33-quictls/files/patch-CVE-2024-9143    | 198 +++++++++++++++
 security/openssl33-quictls/pkg-descr               |   8 +
 security/openssl33-quictls/pkg-message             |  20 ++
 security/openssl33-quictls/pkg-plist               | 281 +++++++++++++++++++++
 security/openssl33-quictls/version.mk              |   1 +
 9 files changed, 722 insertions(+)

diff --git a/security/Makefile b/security/Makefile
index af7067f0ae26..77f3408b22bf 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -456,6 +456,7 @@
     SUBDIR += openssl31-quictls
     SUBDIR += openssl32
     SUBDIR += openssl33
+    SUBDIR += openssl33-quictls
     SUBDIR += openssl34
     SUBDIR += openssl35
     SUBDIR += openvas
diff --git a/security/openssl33-quictls/Makefile b/security/openssl33-quictls/Makefile
new file mode 100644
index 000000000000..4d53a2b5a87d
--- /dev/null
+++ b/security/openssl33-quictls/Makefile
@@ -0,0 +1,190 @@
+PORTNAME=	openssl
+DISTVERSIONPREFIX=	${PORTNAME}-
+PORTVERSION=	3.3.0
+CATEGORIES=	security devel
+PKGNAMESUFFIX=	33-quictls
+
+MAINTAINER=	brnrd@FreeBSD.org
+COMMENT=	QUIC capable fork of OpenSSL
+WWW=		https://www.github.com/quictls/quictls
+
+LICENSE=	APACHE20
+LICENSE_FILE=	${WRKSRC}/LICENSE.txt
+
+CONFLICTS_INSTALL=	boringssl libressl libressl-devel openssl openssl111 openssl3* openssl*-quictls
+
+BROKEN_i386=	ld: error: undefined symbol: __atomic_is_lock_free
+
+HAS_CONFIGURE=	yes
+CONFIGURE_SCRIPT=	config
+CONFIGURE_ENV=	PERL="${PERL}"
+CONFIGURE_ARGS=	--openssldir=${OPENSSLDIR} \
+		--prefix=${PREFIX}
+
+USES=		cpe perl5
+USE_PERL5=	build
+USE_GITHUB=	yes
+GH_ACCOUNT=	quictls
+GH_PROJECT=	quictls
+
+TEST_TARGET=	test
+
+LDFLAGS_i386=	-Wl,-znotext
+
+MAKE_ARGS+=	WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}"
+MAKE_ENV+=	LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
+
+EXTRA_PATCHES+=	${.CURDIR}/../openssl/files/patch-crypto_async_arch_async__posix.h
+
+OPTIONS_GROUP=		CIPHERS HASHES MODULES OPTIMIZE PROTOCOLS
+OPTIONS_GROUP_CIPHERS=	ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS
+OPTIONS_GROUP_HASHES=	MD2 MD4 MDC2 RMD160 SM2 SM3
+OPTIONS_GROUP_OPTIMIZE=	ASM SSE2 THREADS
+OPTIONS_GROUP_MODULES=	FIPS LEGACY
+OPTIONS_DEFINE_i386=	I386
+OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2
+
+OPTIONS_DEFINE=	ASYNC CT MAN3 RFC3779 SHARED ZLIB
+
+OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST MAN3 MD4 NEXTPROTONEG \
+		RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2
+
+OPTIONS_EXCLUDE_i386=	FIPS
+
+OPTIONS_GROUP_OPTIMIZE_amd64=	EC
+
+.if ${MACHINE_ARCH} == "amd64"
+OPTIONS_GROUP_OPTIMIZE+=	EC
+.elif ${MACHINE_ARCH} == "mips64el"
+OPTIONS_GROUP_OPTIMIZE+=	EC
+.endif
+
+OPTIONS_SUB=	yes
+
+ARIA_DESC=	ARIA (South Korean standard)
+ASM_DESC=	Assembler code
+ASYNC_DESC=	Asynchronous mode
+CIPHERS_DESC=	Block Cipher Support
+CT_DESC=	Certificate Transparency Support
+DES_DESC=	(Triple) Data Encryption Standard
+EC_DESC=	Optimize NIST elliptic curves
+FIPS_DESC=	Build FIPS provider (Note: NOT yet FIPS validated)
+GOST_DESC=	GOST (Russian standard)
+HASHES_DESC=	Hash Function Support
+I386_DESC=	i386 (instead of i486+)
+IDEA_DESC=	International Data Encryption Algorithm
+LEGACY_DESC=	Older algorithms
+MAN3_DESC=	Install API manpages (section 3, 7)
+MD2_DESC=	MD2 (obsolete) (requires LEGACY)
+MD4_DESC=	MD4 (unsafe)
+MDC2_DESC=	MDC-2 (patented, requires DES)
+MODULES_DESC=	Provider modules
+NEXTPROTONEG_DESC=	Next Protocol Negotiation (SPDY)
+OPTIMIZE_DESC=	Optimizations
+PROTOCOLS_DESC=	Protocol Support
+RC2_DESC=	RC2 (unsafe)
+RC4_DESC=	RC4 (unsafe)
+RC5_DESC=	RC5 (patented)
+RMD160_DESC=	RIPEMD-160
+RFC3779_DESC=	RFC3779 support (BGP)
+SCTP_DESC=	SCTP (Stream Control Transmission)
+SHARED_DESC=	Build shared libraries
+SM2_DESC=	SM2 Elliptic Curve DH (Chinese standard)
+SM3_DESC=	SM3 256bit (Chinese standard)
+SM4_DESC=	SM4 128bit (Chinese standard)
+SSE2_DESC=	Runtime SSE2 detection
+SSL3_DESC=	SSLv3 (unsafe)
+TLS1_DESC=	TLSv1.0 (requires TLS1_1, TLS1_2)
+TLS1_1_DESC=	TLSv1.1 (requires TLS1_2)
+TLS1_2_DESC=	TLSv1.2
+WEAK-SSL-CIPHERS_DESC=	Weak cipher support (unsafe)
+
+# Upstream default disabled options
+.for _option in fips md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib
+${_option:tu}_CONFIGURE_ON=	enable-${_option}
+.endfor
+
+# Upstream default enabled options
+.for _option in aria asm async ct des gost idea md4 mdc2 legacy \
+	nextprotoneg rc2 rc4 rfc3779 rmd160 shared sm2 sm3 sm4 sse2 \
+	threads tls1 tls1_1 tls1_2
+${_option:tu}_CONFIGURE_OFF=	no-${_option}
+.endfor
+
+MD2_IMPLIES=	LEGACY
+MDC2_IMPLIES=	DES
+TLS1_IMPLIES=	TLS1_1
+TLS1_1_IMPLIES=	TLS1_2
+
+EC_CONFIGURE_ON=	enable-ec_nistp_64_gcc_128
+FIPS_VARS=		shlibs+=lib/ossl-modules/fips.so
+I386_CONFIGURE_ON=	386
+LEGACY_VARS=		shlibs+=lib/ossl-modules/legacy.so
+MAN3_EXTRA_PATCHES_OFF=	${FILESDIR}/extra-patch-util_find-doc-nits
+SHARED_MAKE_ENV=	SHLIBVER=${OPENSSL_SHLIBVER}
+SHARED_PLIST_SUB=	SHLIBVER=${OPENSSL_SHLIBVER}
+SHARED_USE=		ldconfig=yes
+SHARED_VARS=		shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \
+				lib/libssl.so.${OPENSSL_SHLIBVER} \
+				lib/engines-${OPENSSL_SHLIBVER}/capi.so \
+				lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \
+				lib/engines-${OPENSSL_SHLIBVER}/padlock.so"
+SSL3_CONFIGURE_ON+=	enable-ssl3-method
+ZLIB_CONFIGURE_ON=	zlib-dynamic
+
+SHLIBS=			lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so
+
+PORTSCOUT=		limit:^${DISTVERSION:R:S/./\./g}\.
+
+.include <bsd.port.options.mk>
+
+.if ${ARCH} == powerpc64
+CONFIGURE_ARGS+=	BSD-ppc64
+.elif ${ARCH} == powerpc64le
+CONFIGURE_ARGS+=	BSD-ppc64le
+.elif ${ARCH} == riscv64
+CONFIGURE_ARGS+=	BSD-riscv64
+.endif
+
+.include <bsd.port.pre.mk>
+.if ${PREFIX} == /usr
+IGNORE=	the OpenSSL port can not be installed over the base version
+.endif
+
+OPENSSLDIR?=	${PREFIX}/openssl
+PLIST_SUB+=	OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
+
+.include "version.mk"
+
+post-patch:
+	${REINPLACE_CMD} -Ee 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/share/man|' \
+		-e 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \
+		${WRKSRC}/Configurations/unix-Makefile.tmpl
+	${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \
+		${WRKSRC}/VERSION.dat
+
+post-configure:
+	( cd ${WRKSRC} ; ${PERL} configdata.pm --dump )
+
+post-configure-MAN3-off:
+	${REINPLACE_CMD} \
+		-e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \
+		-e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \
+		${WRKSRC}/Makefile
+
+post-install-SHARED-on:
+.for i in ${SHLIBS}
+	-@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i
+.endfor
+
+post-install-SHARED-off:
+	${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-${OPENSSL_SHLIBVER}
+
+post-install:
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl
+
+post-install-MAN3-on:
+	( cd ${STAGEDIR}/${PREFIX} ; find share/man/man3 -not -type d ; \
+		find share/man/man7 -not -type d ) | sed 's/$$/.gz/' >> ${TMPPLIST}
+
+.include <bsd.port.post.mk>
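Review bot: `OPTIONS_DEFAULT` turns on `MD4`, `RC2` and `RC4`, which this Makefile's own `*_DESC` lines label "(unsafe)", together with `TLS1` and `TLS1_1`, so a default package build passes none of `no-md4`, `no-rc2`, `no-rc4`, `no-tls1` or `no-tls1_1` to Configure. A brand-new port has no installed base that depends on those defaults, so I would start from the narrower set, `OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST MAN3 NEXTPROTONEG \` followed by `RMD160 SCTP SHARED SSE2 THREADS TLS1_2`, and let users opt in to the rest. If the list is kept for parity with the sibling openssl ports (presumably where it was copied from), a comment above it would document the choice, e.g. `# Defaults mirror security/openssl33; legacy algorithms and protocols kept for compatibility`. Separately, `ktls` in the first `.for` loop defines `KTLS_CONFIGURE_ON` although no `KTLS` option is declared in `OPTIONS_DEFINE` or in any group, so that entry is dead.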
diff --git a/security/openssl33-quictls/distinfo b/security/openssl33-quictls/distinfo
new file mode 100644
index 000000000000..4003eb7cc283
--- /dev/null
+++ b/security/openssl33-quictls/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1751486314
+SHA256 (quictls-quictls-openssl-3.3.0_GH0.tar.gz) = ff194511e53c0bead06d316e6891deebb07e3713efc65ef938e22962a43579a4
+SIZE (quictls-quictls-openssl-3.3.0_GH0.tar.gz) = 18220759
diff --git a/security/openssl33-quictls/files/extra-patch-util_find-doc-nits b/security/openssl33-quictls/files/extra-patch-util_find-doc-nits
new file mode 100644
index 000000000000..947f7447a445
--- /dev/null
+++ b/security/openssl33-quictls/files/extra-patch-util_find-doc-nits
@@ -0,0 +1,20 @@
+--- util/find-doc-nits.orig	2023-08-03 13:45:48 UTC
++++ util/find-doc-nits
+@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt';
+ my $OUT;
+ my $status = 0;
+ 
+-$opt_m = "man1,man3,man5,man7" unless $opt_m;
++$opt_m = "man1,man5" unless $opt_m;
+ die "Argument of -m option may contain only man1, man3, man5, and/or man7"
+     unless $opt_m =~ /^(man[1357][, ]?)*$/;
+ my @sections = ( split /[, ]/, $opt_m );
+@@ -725,7 +725,7 @@ sub check {
+         next if $target eq '';                  # Skip if links within page, or
+         next if $target =~ /::/;                #   links to a Perl module, or
+         next if $target =~ /^https?:/;          #   is a URL link, or
+-        next if $target =~ /\([1357]\)$/;       #   it has a section
++        next if $target =~ /\([15]\)$/;       #   it has a section
+         err($id, "Missing man section number (likely, $mansect) in L<$target>")
+     }
+     # Check for proper links to commands.
diff --git a/security/openssl33-quictls/files/patch-CVE-2024-9143 b/security/openssl33-quictls/files/patch-CVE-2024-9143
new file mode 100644
index 000000000000..f36b97f194f7
--- /dev/null
+++ b/security/openssl33-quictls/files/patch-CVE-2024-9143
@@ -0,0 +1,198 @@
+From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+---
+ crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
+ test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
+index c811ae82d6b15..bcc66613cc14d 100644
+--- crypto/bn/bn_gf2m.c.orig
++++ crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 8c2cd05631696..02cfd4e9d8858 100644
+--- test/ec_internal_test.c.orig
++++ test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
diff --git a/security/openssl33-quictls/pkg-descr b/security/openssl33-quictls/pkg-descr
new file mode 100644
index 000000000000..0373df3f0b26
--- /dev/null
+++ b/security/openssl33-quictls/pkg-descr
@@ -0,0 +1,8 @@
+This is a fork of OpenSSL to enable QUIC. This fork adds API that can be
+used by QUIC implementations for connection handshakes.
+
+There is a community need for a QUIC capable TLS library. This fork is
+intended as stopgap solution to enable higher level frameworks and runtimes
+to use QUIC with the proven and reliable TLS functionality from OpenSSL.
+This fork will be maintained until OpenSSL officially provides reasonable
+support for QUIC implementations.
diff --git a/security/openssl33-quictls/pkg-message b/security/openssl33-quictls/pkg-message
new file mode 100644
index 000000000000..7cd49c285a43
--- /dev/null
+++ b/security/openssl33-quictls/pkg-message
@@ -0,0 +1,20 @@
+[
+{ type: install
+  message: <<EOM
+
+This QUIC capable OpenSSL fork is in an ALPHA stage
+
+Do NOT use for production!
+
+EOM
+}
+{ type: upgrade
+  message: <<EOM
+
+This QUIC capable OpenSSL fork is in an ALPHA stage
+
+Do NOT use for production!
+
+EOM
+}
+]
diff --git a/security/openssl33-quictls/pkg-plist b/security/openssl33-quictls/pkg-plist
new file mode 100644
index 000000000000..3e3f644f4a2c
--- /dev/null
+++ b/security/openssl33-quictls/pkg-plist
@@ -0,0 +1,281 @@
+bin/c_rehash
+bin/openssl
+include/openssl/aes.h
+include/openssl/asn1.h
+include/openssl/asn1_mac.h
+include/openssl/asn1err.h
+include/openssl/asn1t.h
+include/openssl/async.h
+include/openssl/asyncerr.h
+include/openssl/bio.h
+include/openssl/bioerr.h
+include/openssl/blowfish.h
+include/openssl/bn.h
+include/openssl/bnerr.h
+include/openssl/buffer.h
+include/openssl/buffererr.h
+include/openssl/camellia.h
+include/openssl/cast.h
+include/openssl/cmac.h
+include/openssl/cmp.h
+include/openssl/cmp_util.h
+include/openssl/cmperr.h
+include/openssl/cms.h
+include/openssl/cmserr.h
+include/openssl/comp.h
+include/openssl/comperr.h
+include/openssl/conf.h
+include/openssl/conf_api.h
+include/openssl/conferr.h
+include/openssl/configuration.h
+include/openssl/conftypes.h
+include/openssl/core.h
+include/openssl/core_dispatch.h
+include/openssl/core_names.h
+include/openssl/core_object.h
+include/openssl/crmf.h
+include/openssl/crmferr.h
+include/openssl/crypto.h
+include/openssl/cryptoerr.h
+include/openssl/cryptoerr_legacy.h
+include/openssl/ct.h
+include/openssl/cterr.h
+include/openssl/decoder.h
+include/openssl/decodererr.h
+include/openssl/des.h
+include/openssl/dh.h
+include/openssl/dherr.h
+include/openssl/dsa.h
+include/openssl/dsaerr.h
+include/openssl/dtls1.h
+include/openssl/e_os2.h
+include/openssl/e_ostime.h
+include/openssl/ebcdic.h
+include/openssl/ec.h
+include/openssl/ecdh.h
+include/openssl/ecdsa.h
+include/openssl/ecerr.h
+include/openssl/encoder.h
+include/openssl/encodererr.h
+include/openssl/engine.h
+include/openssl/engineerr.h
+include/openssl/err.h
+include/openssl/ess.h
+include/openssl/esserr.h
+include/openssl/evp.h
+include/openssl/evperr.h
+include/openssl/fips_names.h
+include/openssl/fipskey.h
+include/openssl/hmac.h
+include/openssl/hpke.h
+include/openssl/http.h
+include/openssl/httperr.h
+include/openssl/idea.h
+include/openssl/kdf.h
+include/openssl/kdferr.h
+include/openssl/lhash.h
+include/openssl/macros.h
+include/openssl/md2.h
+include/openssl/md4.h
+include/openssl/md5.h
+include/openssl/mdc2.h
+include/openssl/modes.h
+include/openssl/obj_mac.h
+include/openssl/objects.h
+include/openssl/objectserr.h
+include/openssl/ocsp.h
+include/openssl/ocsperr.h
+include/openssl/opensslconf.h
+include/openssl/opensslv.h
+include/openssl/ossl_typ.h
+include/openssl/param_build.h
+include/openssl/params.h
+include/openssl/pem.h
+include/openssl/pem2.h
+include/openssl/pemerr.h
+include/openssl/pkcs12.h
+include/openssl/pkcs12err.h
+include/openssl/pkcs7.h
+include/openssl/pkcs7err.h
+include/openssl/prov_ssl.h
+include/openssl/proverr.h
+include/openssl/provider.h
+include/openssl/quic.h
+include/openssl/rand.h
+include/openssl/randerr.h
+include/openssl/rc2.h
+include/openssl/rc4.h
+include/openssl/rc5.h
+include/openssl/ripemd.h
+include/openssl/rsa.h
+include/openssl/rsaerr.h
+include/openssl/safestack.h
+include/openssl/seed.h
+include/openssl/self_test.h
+include/openssl/sha.h
+include/openssl/srp.h
+include/openssl/srtp.h
+include/openssl/ssl.h
+include/openssl/ssl2.h
+include/openssl/ssl3.h
+include/openssl/sslerr.h
+include/openssl/sslerr_legacy.h
+include/openssl/stack.h
+include/openssl/store.h
+include/openssl/storeerr.h
+include/openssl/symhacks.h
+include/openssl/thread.h
+include/openssl/tls1.h
+include/openssl/trace.h
+include/openssl/ts.h
+include/openssl/tserr.h
+include/openssl/txt_db.h
+include/openssl/types.h
+include/openssl/ui.h
+include/openssl/uierr.h
+include/openssl/whrlpool.h
+include/openssl/x509.h
+include/openssl/x509_vfy.h
+include/openssl/x509err.h
+include/openssl/x509v3.h
+include/openssl/x509v3err.h
+lib/cmake/OpenSSL/OpenSSLConfig.cmake
+lib/cmake/OpenSSL/OpenSSLConfigVersion.cmake
+%%SHARED%%lib/engines-%%SHLIBVER%%/capi.so
+%%SHARED%%lib/engines-%%SHLIBVER%%/devcrypto.so
+%%SHARED%%lib/engines-%%SHLIBVER%%/loader_attic.so
+%%SHARED%%lib/engines-%%SHLIBVER%%/padlock.so
+lib/libcrypto.a
+%%SHARED%%lib/libcrypto.so
+%%SHARED%%lib/libcrypto.so.%%SHLIBVER%%
+lib/libssl.a
+%%SHARED%%lib/libssl.so
+%%SHARED%%lib/libssl.so.%%SHLIBVER%%
+%%FIPS%%%%SHARED%%lib/ossl-modules/fips.so
+%%LEGACY%%%%SHARED%%lib/ossl-modules/legacy.so
+libdata/pkgconfig/libcrypto.pc
+libdata/pkgconfig/libssl.pc
+libdata/pkgconfig/openssl.pc
+share/man/man1/CA.pl.1ossl.gz
+share/man/man1/asn1parse.1ossl.gz
+share/man/man1/c_rehash.1ossl.gz
+share/man/man1/ca.1ossl.gz
+share/man/man1/ciphers.1ossl.gz
+share/man/man1/cms.1ossl.gz
+share/man/man1/cmp.1ossl.gz
+share/man/man1/crl.1ossl.gz
+share/man/man1/crl2pkcs7.1ossl.gz
+share/man/man1/dgst.1ossl.gz
+share/man/man1/dhparam.1ossl.gz
+share/man/man1/dsa.1ossl.gz
+share/man/man1/dsaparam.1ossl.gz
+share/man/man1/ec.1ossl.gz
+share/man/man1/ecparam.1ossl.gz
+share/man/man1/enc.1ossl.gz
+share/man/man1/engine.1ossl.gz
+share/man/man1/errstr.1ossl.gz
+share/man/man1/gendsa.1ossl.gz
+share/man/man1/genpkey.1ossl.gz
+share/man/man1/genrsa.1ossl.gz
+share/man/man1/info.1ossl.gz
+share/man/man1/kdf.1ossl.gz
+share/man/man1/mac.1ossl.gz
+share/man/man1/nseq.1ossl.gz
+share/man/man1/ocsp.1ossl.gz
+share/man/man1/openssl-asn1parse.1ossl.gz
+share/man/man1/openssl-ca.1ossl.gz
+share/man/man1/openssl-ciphers.1ossl.gz
+share/man/man1/openssl-cmds.1ossl.gz
+share/man/man1/openssl-cmp.1ossl.gz
+share/man/man1/openssl-cms.1ossl.gz
+share/man/man1/openssl-crl.1ossl.gz
+share/man/man1/openssl-crl2pkcs7.1ossl.gz
+share/man/man1/openssl-dgst.1ossl.gz
+share/man/man1/openssl-dhparam.1ossl.gz
+share/man/man1/openssl-dsa.1ossl.gz
+share/man/man1/openssl-dsaparam.1ossl.gz
+share/man/man1/openssl-ec.1ossl.gz
+share/man/man1/openssl-ecparam.1ossl.gz
+share/man/man1/openssl-enc.1ossl.gz
+share/man/man1/openssl-engine.1ossl.gz
+share/man/man1/openssl-errstr.1ossl.gz
+share/man/man1/openssl-fipsinstall.1ossl.gz
+share/man/man1/openssl-format-options.1ossl.gz
+share/man/man1/openssl-gendsa.1ossl.gz
+share/man/man1/openssl-genpkey.1ossl.gz
+share/man/man1/openssl-genrsa.1ossl.gz
+share/man/man1/openssl-info.1ossl.gz
+share/man/man1/openssl-kdf.1ossl.gz
+share/man/man1/openssl-list.1ossl.gz
+share/man/man1/openssl-mac.1ossl.gz
+share/man/man1/openssl-namedisplay-options.1ossl.gz
+share/man/man1/openssl-nseq.1ossl.gz
+share/man/man1/openssl-ocsp.1ossl.gz
+share/man/man1/openssl-passphrase-options.1ossl.gz
+share/man/man1/openssl-passwd.1ossl.gz
+share/man/man1/openssl-pkcs12.1ossl.gz
+share/man/man1/openssl-pkcs7.1ossl.gz
+share/man/man1/openssl-pkcs8.1ossl.gz
+share/man/man1/openssl-pkey.1ossl.gz
+share/man/man1/openssl-pkeyparam.1ossl.gz
+share/man/man1/openssl-pkeyutl.1ossl.gz
+share/man/man1/openssl-prime.1ossl.gz
+share/man/man1/openssl-rand.1ossl.gz
+share/man/man1/openssl-rehash.1ossl.gz
+share/man/man1/openssl-req.1ossl.gz
+share/man/man1/openssl-rsa.1ossl.gz
+share/man/man1/openssl-rsautl.1ossl.gz
+share/man/man1/openssl-s_client.1ossl.gz
+share/man/man1/openssl-s_server.1ossl.gz
+share/man/man1/openssl-s_time.1ossl.gz
+share/man/man1/openssl-sess_id.1ossl.gz
+share/man/man1/openssl-smime.1ossl.gz
+share/man/man1/openssl-speed.1ossl.gz
+share/man/man1/openssl-spkac.1ossl.gz
+share/man/man1/openssl-srp.1ossl.gz
+share/man/man1/openssl-storeutl.1ossl.gz
+share/man/man1/openssl-ts.1ossl.gz
+share/man/man1/openssl-verification-options.1ossl.gz
+share/man/man1/openssl-verify.1ossl.gz
+share/man/man1/openssl-version.1ossl.gz
+share/man/man1/openssl-x509.1ossl.gz
+share/man/man1/openssl.1ossl.gz
+share/man/man1/passwd.1ossl.gz
+share/man/man1/pkcs12.1ossl.gz
+share/man/man1/pkcs7.1ossl.gz
+share/man/man1/pkcs8.1ossl.gz
+share/man/man1/pkey.1ossl.gz
+share/man/man1/pkeyparam.1ossl.gz
+share/man/man1/pkeyutl.1ossl.gz
+share/man/man1/prime.1ossl.gz
+share/man/man1/rand.1ossl.gz
+share/man/man1/rehash.1ossl.gz
+share/man/man1/req.1ossl.gz
+share/man/man1/rsa.1ossl.gz
+share/man/man1/rsautl.1ossl.gz
+share/man/man1/s_client.1ossl.gz
+share/man/man1/s_server.1ossl.gz
+share/man/man1/s_time.1ossl.gz
+share/man/man1/sess_id.1ossl.gz
+share/man/man1/smime.1ossl.gz
+share/man/man1/speed.1ossl.gz
+share/man/man1/spkac.1ossl.gz
+share/man/man1/srp.1ossl.gz
+share/man/man1/storeutl.1ossl.gz
+share/man/man1/ts.1ossl.gz
+share/man/man1/tsget.1ossl.gz
+share/man/man1/verify.1ossl.gz
+share/man/man1/version.1ossl.gz
+share/man/man1/x509.1ossl.gz
+share/man/man5/config.5ossl.gz
+share/man/man5/fips_config.5ossl.gz
+share/man/man5/x509v3_config.5ossl.gz
+%%OPENSSLDIR%%/misc/CA.pl
+@comment %%OPENSSLDIR%%/misc/tsget.pl
+%%OPENSSLDIR%%/misc/tsget
+@sample %%OPENSSLDIR%%/ct_log_list.cnf.dist %%OPENSSLDIR%%/ct_log_list.cnf
+%%FIPS%%%%OPENSSLDIR%%/fipsmodule.cnf
+@sample %%OPENSSLDIR%%/openssl.cnf.dist %%OPENSSLDIR%%/openssl.cnf
+@dir lib/ossl-modules
+@dir %%OPENSSLDIR%%/private
+@dir %%OPENSSLDIR%%/certs
diff --git a/security/openssl33-quictls/version.mk b/security/openssl33-quictls/version.mk
new file mode 100644
index 000000000000..c3fe2e51c987
--- /dev/null
+++ b/security/openssl33-quictls/version.mk
@@ -0,0 +1 @@
+OPENSSL_SHLIBVER?=	15