diff --git a/security/Makefile b/security/Makefile index 73dec2fb875d..7c1f96aaed71 100644 --- a/security/Makefile +++ b/security/Makefile @@ -1,1398 +1,1399 @@ COMMENT = Security tools SUBDIR += 0d1n SUBDIR += 1password-client SUBDIR += 1password-client2 SUBDIR += 1password-client2-beta SUBDIR += 2fa SUBDIR += ADMsmb SUBDIR += ADMsnmp SUBDIR += R-cran-ROAuth SUBDIR += R-cran-askpass SUBDIR += R-cran-credentials SUBDIR += R-cran-digest SUBDIR += R-cran-gitcreds SUBDIR += R-cran-openssl SUBDIR += R-cran-sodium SUBDIR += acme.sh SUBDIR += acmed SUBDIR += acmetool SUBDIR += aescrypt SUBDIR += aespipe SUBDIR += afl++ SUBDIR += afterglow SUBDIR += age SUBDIR += aide SUBDIR += akmos SUBDIR += amavisd-milter SUBDIR += amavisd-new SUBDIR += apache-xml-security-c SUBDIR += apg SUBDIR += apkid SUBDIR += archlinux-keyring SUBDIR += arpCounterattack SUBDIR += arti SUBDIR += asignify SUBDIR += assh SUBDIR += authenticator SUBDIR += authoscope SUBDIR += autossh SUBDIR += aws-c-auth SUBDIR += aws-c-cal SUBDIR += aws-iam-authenticator SUBDIR += aws-vault SUBDIR += axc SUBDIR += barnyard2 SUBDIR += barnyard2-sguil SUBDIR += bastillion SUBDIR += bcrypt SUBDIR += bcwipe SUBDIR += bdes SUBDIR += bearssl SUBDIR += beecrypt SUBDIR += beid SUBDIR += belier SUBDIR += bfbtester SUBDIR += binwalk SUBDIR += bitwarden-cli SUBDIR += blst SUBDIR += boringssl SUBDIR += botan2 SUBDIR += botan3 SUBDIR += bruteblock SUBDIR += bsdsfv SUBDIR += bsmtrace SUBDIR += bsmtrace3 SUBDIR += bzrtp SUBDIR += ca_root_nss SUBDIR += caesarcipher SUBDIR += caldera SUBDIR += caldera-ot SUBDIR += caldera4 SUBDIR += calife SUBDIR += cardpeek SUBDIR += cargo-audit SUBDIR += ccrypt SUBDIR += ccsrch SUBDIR += certmgr SUBDIR += certspotter SUBDIR += cfs SUBDIR += cfssl SUBDIR += cfv SUBDIR += chaosreader SUBDIR += checkpassword SUBDIR += checkpassword-pam SUBDIR += chkrootkit SUBDIR += chntpw SUBDIR += chroot_safe SUBDIR += chrootuid SUBDIR += ckpass SUBDIR += cksfv SUBDIR += cl-md5 SUBDIR += cl-md5-sbcl SUBDIR += clamassassin SUBDIR += clamav SUBDIR += clamav-lts SUBDIR += clamav-unofficial-sigs SUBDIR += clamd-stream-client SUBDIR += clamfs SUBDIR += clamsmtp SUBDIR += clamtk SUBDIR += cloak SUBDIR += clusterssh SUBDIR += cops SUBDIR += courier-authlib SUBDIR += courier-authlib-base SUBDIR += courierpassd SUBDIR += courierpasswd SUBDIR += courieruserinfo SUBDIR += cowrie SUBDIR += cpfx SUBDIR += cracklib SUBDIR += crackpkcs12 SUBDIR += create-cert SUBDIR += crlfuzz SUBDIR += crowdsec SUBDIR += crowdsec-blocklist-mirror SUBDIR += crowdsec-firewall-bouncer SUBDIR += cryptlib SUBDIR += cryptopp SUBDIR += ct-submit SUBDIR += cvechecker SUBDIR += cvm SUBDIR += cyberchef SUBDIR += cyrus-sasl2 SUBDIR += cyrus-sasl2-gssapi SUBDIR += cyrus-sasl2-ldapdb SUBDIR += cyrus-sasl2-saslauthd SUBDIR += cyrus-sasl2-sql SUBDIR += cyrus-sasl2-srp SUBDIR += cyrus-sasl2-xoauth2 SUBDIR += d0_blind_id SUBDIR += debian-keyring SUBDIR += dehydrated SUBDIR += denyhosts SUBDIR += destroy SUBDIR += diffcode SUBDIR += digestpp SUBDIR += dirbuster SUBDIR += dirmngr SUBDIR += distcache SUBDIR += diswall SUBDIR += doas SUBDIR += dotdotpwn SUBDIR += dropbear SUBDIR += dsniff SUBDIR += dsvpn SUBDIR += duo SUBDIR += duo_openvpn SUBDIR += easy-rsa SUBDIR += enc SUBDIR += enchive SUBDIR += eschalot SUBDIR += expiretable SUBDIR += fakeident SUBDIR += fakeroot SUBDIR += farmhash SUBDIR += fcrackzip SUBDIR += ffuf SUBDIR += fiked SUBDIR += fizz SUBDIR += flawfinder SUBDIR += fprint_demo SUBDIR += fprintd SUBDIR += fragroute SUBDIR += fragrouter SUBDIR += fswatch SUBDIR += ftimes SUBDIR += fuzz SUBDIR += fwanalog SUBDIR += fwknop SUBDIR += fwlogwatch SUBDIR += gcr SUBDIR += gef SUBDIR += git-credential-azure SUBDIR += git-credential-gopass SUBDIR += git-credential-oauth SUBDIR += git-crypt SUBDIR += git-remote-gcrypt SUBDIR += git-secret SUBDIR += gitjacker SUBDIR += globalprotect-openconnect SUBDIR += gnome-keyring SUBDIR += gnome-keyring-sharp SUBDIR += gnome-ssh-askpass SUBDIR += gnupg SUBDIR += gnupg-pkcs11-scd SUBDIR += gnupg1 SUBDIR += gnutls SUBDIR += go-cve-dictionary SUBDIR += gokart SUBDIR += gokey SUBDIR += gonepass SUBDIR += gopass SUBDIR += gorilla SUBDIR += gosec SUBDIR += gost-engine SUBDIR += gostsum SUBDIR += gpa SUBDIR += gpg-gui SUBDIR += gpg-tui SUBDIR += gpgdir SUBDIR += gpgme SUBDIR += gpgme-cpp SUBDIR += gpgme-qt SUBDIR += gpgme-qt-headers SUBDIR += gsa SUBDIR += gsad SUBDIR += gsasl SUBDIR += gstreamer1-plugins-dtls SUBDIR += gtkpasman SUBDIR += gvm SUBDIR += gvm-libs SUBDIR += gvmd SUBDIR += hardening-check SUBDIR += hash SUBDIR += hashcat SUBDIR += heaan SUBDIR += headscale SUBDIR += heimdal SUBDIR += heimdal-devel SUBDIR += helib SUBDIR += hexl SUBDIR += highwayhash SUBDIR += hitch SUBDIR += hockeypuck SUBDIR += honeytrap SUBDIR += honggfuzz SUBDIR += horcrux SUBDIR += howdy SUBDIR += hpenc SUBDIR += hs-cryptol SUBDIR += hydra SUBDIR += hyperhotp SUBDIR += i2p SUBDIR += i2pd SUBDIR += iaikpkcs11wrapper SUBDIR += iddawc SUBDIR += idea SUBDIR += identify SUBDIR += imds-filterd SUBDIR += intel-ipsec-mb SUBDIR += ipfmeta SUBDIR += ipguard SUBDIR += ipsec-tools SUBDIR += ipv6toolkit SUBDIR += isal-kmod SUBDIR += ismtp SUBDIR += isnprober SUBDIR += john SUBDIR += kbfsd SUBDIR += kc SUBDIR += kdbxviewer SUBDIR += keepass SUBDIR += keepass-plugin-keepassrpc SUBDIR += keepassxc SUBDIR += keybase SUBDIR += keychain SUBDIR += keyprint SUBDIR += keysmith SUBDIR += kf5-kdesu SUBDIR += kf6-kdesu SUBDIR += kgpg SUBDIR += kickpass SUBDIR += klee SUBDIR += kleopatra SUBDIR += knock SUBDIR += knocker SUBDIR += kpcli SUBDIR += kpkpass SUBDIR += kpmenu SUBDIR += krb5 SUBDIR += krb5-119 SUBDIR += krb5-120 SUBDIR += krb5-121 SUBDIR += krb5-devel SUBDIR += kstart SUBDIR += ktls_isa-l_crypto-kmod SUBDIR += kuku SUBDIR += kwalletmanager SUBDIR += l0pht-watch SUBDIR += lasso SUBDIR += lastpass-cli SUBDIR += lego SUBDIR += libargon2 SUBDIR += libassuan SUBDIR += libcaes SUBDIR += libcryptui SUBDIR += libdecaf SUBDIR += libecc SUBDIR += libfido2 SUBDIR += libfprint SUBDIR += libgcrypt SUBDIR += libgnome-keyring SUBDIR += libgpg-error SUBDIR += libgsasl SUBDIR += libhijack SUBDIR += libident SUBDIR += libkleo SUBDIR += libkpass SUBDIR += libksba SUBDIR += libmcrypt SUBDIR += libnitrokey SUBDIR += libntlm SUBDIR += libomemo SUBDIR += libomemo-c SUBDIR += liboqs SUBDIR += libotr SUBDIR += libotr3 SUBDIR += libp11 SUBDIR += libpki SUBDIR += libprelude SUBDIR += libpreludedb SUBDIR += libpwquality SUBDIR += libressl SUBDIR += libressl-devel SUBDIR += libreswan SUBDIR += libretls SUBDIR += libscep SUBDIR += libscrypt SUBDIR += libsecret SUBDIR += libsectok SUBDIR += libsodium SUBDIR += libssh SUBDIR += libssh2 SUBDIR += libtasn1 SUBDIR += libtomcrypt SUBDIR += libu2f-host SUBDIR += libuecc SUBDIR += libwhisker SUBDIR += libxcrypt SUBDIR += libyubikey SUBDIR += lime SUBDIR += linux-bitwarden-cli SUBDIR += linux-c7-ca-certificates SUBDIR += linux-c7-cyrus-sasl2 SUBDIR += linux-c7-gnutls SUBDIR += linux-c7-libgcrypt SUBDIR += linux-c7-libgpg-error SUBDIR += linux-c7-libssh2 SUBDIR += linux-c7-libtasn1 SUBDIR += linux-c7-nettle SUBDIR += linux-c7-nss SUBDIR += linux-c7-openssl-devel SUBDIR += linux-c7-p11-kit SUBDIR += linux-c7-trousers SUBDIR += local-php-security-checker SUBDIR += logcheck SUBDIR += lua-argon2 SUBDIR += lua-bcrypt SUBDIR += lua-resty-hmac SUBDIR += lua-resty-jwt SUBDIR += lua-resty-openidc SUBDIR += lua-resty-openssl SUBDIR += luasec SUBDIR += lxqt-openssh-askpass SUBDIR += lxqt-sudo SUBDIR += lynis SUBDIR += mac-robber SUBDIR += maia SUBDIR += mailzu SUBDIR += makepasswd SUBDIR += maltrail SUBDIR += masscan SUBDIR += mate-pam-helper SUBDIR += mbedtls SUBDIR += mcrypt SUBDIR += md5deep SUBDIR += medusa SUBDIR += meek SUBDIR += metasploit SUBDIR += mhash SUBDIR += mindterm-binary SUBDIR += minisign SUBDIR += mkp224o SUBDIR += modsecurity3 SUBDIR += modsecurity3-nginx SUBDIR += monkeysphere SUBDIR += monocypher SUBDIR += munge SUBDIR += n2n SUBDIR += ncrack SUBDIR += ncrypt SUBDIR += nebula SUBDIR += nettle SUBDIR += nextcloud-end_to_end_encryption SUBDIR += nextcloud-passman SUBDIR += nextcloud-twofactor_admin SUBDIR += nextcloud-twofactor_nextcloud_notification SUBDIR += nextcloud-twofactor_webauthn SUBDIR += nflib SUBDIR += ngrok SUBDIR += nikto SUBDIR += nist-kat SUBDIR += nitrokey-app SUBDIR += nmap SUBDIR += nss SUBDIR += nss_compat_ossl SUBDIR += nuclei SUBDIR += nyx SUBDIR += oath-toolkit SUBDIR += obfs4proxy-tor SUBDIR += ocaml-cryptgps SUBDIR += ocaml-cryptokit SUBDIR += ocaml-ssl SUBDIR += oidentd SUBDIR += oinkmaster SUBDIR += olm SUBDIR += onionscan SUBDIR += op SUBDIR += openbsm SUBDIR += openca-ocspd SUBDIR += openconnect SUBDIR += openconnect-freebsd-daemon SUBDIR += openconnect-gui SUBDIR += opencryptoki SUBDIR += openct SUBDIR += openfhe SUBDIR += openfortivpn SUBDIR += openiked SUBDIR += openiked-portable SUBDIR += opensaml SUBDIR += opensc SUBDIR += openssh-askpass SUBDIR += openssh-portable SUBDIR += openssl SUBDIR += openssl-agent SUBDIR += openssl-quictls SUBDIR += openssl-unsafe SUBDIR += openssl111 SUBDIR += openssl31 SUBDIR += openssl31-quictls SUBDIR += openssl32 + SUBDIR += openssl33 SUBDIR += openvas SUBDIR += openvpn SUBDIR += openvpn-admin SUBDIR += openvpn-auth-ldap SUBDIR += openvpn-auth-radius SUBDIR += openvpn-auth-script SUBDIR += openvpn-devel SUBDIR += ophcrack SUBDIR += opie SUBDIR += ossec-hids SUBDIR += ossec-hids-agent SUBDIR += ossec-hids-agent-config SUBDIR += ossec-hids-local SUBDIR += ossec-hids-local-config SUBDIR += ossec-hids-server SUBDIR += ossec-hids-server-config SUBDIR += osslsigncode SUBDIR += osv-scanner SUBDIR += otpw SUBDIR += owasp-dependency-check SUBDIR += p11-kit SUBDIR += p5-Alt-Crypt-RSA-BigInt SUBDIR += p5-Apache-Htpasswd SUBDIR += p5-App-Acmeman SUBDIR += p5-App-Genpass SUBDIR += p5-App-TLSMe SUBDIR += p5-Auth-YubikeyDecrypter SUBDIR += p5-AuthCAS SUBDIR += p5-Authen-Bitcard SUBDIR += p5-Authen-Captcha SUBDIR += p5-Authen-CyrusSASL SUBDIR += p5-Authen-DecHpwd SUBDIR += p5-Authen-Htpasswd SUBDIR += p5-Authen-Krb5 SUBDIR += p5-Authen-Krb5-Simple SUBDIR += p5-Authen-Libwrap SUBDIR += p5-Authen-NTLM SUBDIR += p5-Authen-OATH SUBDIR += p5-Authen-PAAS SUBDIR += p5-Authen-PAM SUBDIR += p5-Authen-Passphrase SUBDIR += p5-Authen-PluggableCaptcha SUBDIR += p5-Authen-Radius SUBDIR += p5-Authen-SASL SUBDIR += p5-Authen-SASL-Cyrus SUBDIR += p5-Authen-SASL-SASLprep SUBDIR += p5-Authen-SCRAM SUBDIR += p5-Authen-Simple SUBDIR += p5-Authen-Simple-DBI SUBDIR += p5-Authen-Simple-DBM SUBDIR += p5-Authen-Simple-HTTP SUBDIR += p5-Authen-Simple-Kerberos SUBDIR += p5-Authen-Simple-LDAP SUBDIR += p5-Authen-Simple-Net SUBDIR += p5-Authen-Simple-PAM SUBDIR += p5-Authen-Simple-Passwd SUBDIR += p5-Authen-Simple-RADIUS SUBDIR += p5-Authen-Simple-SMB SUBDIR += p5-Authen-Simple-SSH SUBDIR += p5-Authen-Smb SUBDIR += p5-Authen-TacacsPlus SUBDIR += p5-Authen-Ticket SUBDIR += p5-Authen-TypeKey SUBDIR += p5-Business-PayPal-EWP SUBDIR += p5-Bytes-Random-Secure SUBDIR += p5-Bytes-Random-Secure-Tiny SUBDIR += p5-CACertOrg-CA SUBDIR += p5-CPAN-Audit SUBDIR += p5-CSP SUBDIR += p5-Cisco-Hash SUBDIR += p5-Crypt-Anubis SUBDIR += p5-Crypt-AppleTwoFish SUBDIR += p5-Crypt-Argon2 SUBDIR += p5-Crypt-Bcrypt SUBDIR += p5-Crypt-Blowfish SUBDIR += p5-Crypt-Blowfish_PP SUBDIR += p5-Crypt-CAST5 SUBDIR += p5-Crypt-CAST5_PP SUBDIR += p5-Crypt-CBC SUBDIR += p5-Crypt-CBCeasy SUBDIR += p5-Crypt-CFB SUBDIR += p5-Crypt-Caesar SUBDIR += p5-Crypt-Camellia_PP SUBDIR += p5-Crypt-Chimera SUBDIR += p5-Crypt-CipherSaber SUBDIR += p5-Crypt-Cracklib SUBDIR += p5-Crypt-Ctr SUBDIR += p5-Crypt-Curve25519 SUBDIR += p5-Crypt-DES SUBDIR += p5-Crypt-DES_EDE3 SUBDIR += p5-Crypt-DES_PP SUBDIR += p5-Crypt-DH SUBDIR += p5-Crypt-DSA SUBDIR += p5-Crypt-Dining SUBDIR += p5-Crypt-ECB SUBDIR += p5-Crypt-Eksblowfish SUBDIR += p5-Crypt-Enigma SUBDIR += p5-Crypt-Format SUBDIR += p5-Crypt-GCrypt SUBDIR += p5-Crypt-GOST SUBDIR += p5-Crypt-GOST_PP SUBDIR += p5-Crypt-GPG SUBDIR += p5-Crypt-GeneratePassword SUBDIR += p5-Crypt-GpgME SUBDIR += p5-Crypt-HCE_MD5 SUBDIR += p5-Crypt-HCE_SHA SUBDIR += p5-Crypt-HSXKPasswd SUBDIR += p5-Crypt-IDEA SUBDIR += p5-Crypt-Imail SUBDIR += p5-Crypt-JWT SUBDIR += p5-Crypt-Juniper SUBDIR += p5-Crypt-Khazad SUBDIR += p5-Crypt-LE SUBDIR += p5-Crypt-LibSCEP SUBDIR += p5-Crypt-License SUBDIR += p5-Crypt-Lite SUBDIR += p5-Crypt-Loki97 SUBDIR += p5-Crypt-MySQL SUBDIR += p5-Crypt-NULL SUBDIR += p5-Crypt-OFB SUBDIR += p5-Crypt-OICQ SUBDIR += p5-Crypt-OTP SUBDIR += p5-Crypt-OpenPGP SUBDIR += p5-Crypt-OpenSSL-AES SUBDIR += p5-Crypt-OpenSSL-Bignum SUBDIR += p5-Crypt-OpenSSL-CA SUBDIR += p5-Crypt-OpenSSL-DSA SUBDIR += p5-Crypt-OpenSSL-EC SUBDIR += p5-Crypt-OpenSSL-ECDSA SUBDIR += p5-Crypt-OpenSSL-Guess SUBDIR += p5-Crypt-OpenSSL-PKCS10 SUBDIR += p5-Crypt-OpenSSL-RSA SUBDIR += p5-Crypt-OpenSSL-Random SUBDIR += p5-Crypt-OpenSSL-Verify SUBDIR += p5-Crypt-OpenSSL-X509 SUBDIR += p5-Crypt-PBKDF2 SUBDIR += p5-Crypt-PKCS10 SUBDIR += p5-Crypt-PWSafe3 SUBDIR += p5-Crypt-PassGen SUBDIR += p5-Crypt-Passwd-XS SUBDIR += p5-Crypt-PasswdMD5 SUBDIR += p5-Crypt-Password-Util SUBDIR += p5-Crypt-Perl SUBDIR += p5-Crypt-Primes SUBDIR += p5-Crypt-RC4 SUBDIR += p5-Crypt-RC5 SUBDIR += p5-Crypt-RC6 SUBDIR += p5-Crypt-RHash SUBDIR += p5-Crypt-RIPEMD160 SUBDIR += p5-Crypt-RSA SUBDIR += p5-Crypt-RSA-Parse SUBDIR += p5-Crypt-RSA-Yandex SUBDIR += p5-Crypt-Rabbit SUBDIR += p5-Crypt-RandPasswd SUBDIR += p5-Crypt-Random SUBDIR += p5-Crypt-Random-Seed SUBDIR += p5-Crypt-Random-Source SUBDIR += p5-Crypt-Random-TESHA2 SUBDIR += p5-Crypt-Rijndael SUBDIR += p5-Crypt-Rijndael_PP SUBDIR += p5-Crypt-SKey SUBDIR += p5-Crypt-SMIME SUBDIR += p5-Crypt-SSLeay SUBDIR += p5-Crypt-SSSS SUBDIR += p5-Crypt-Salt SUBDIR += p5-Crypt-SaltedHash SUBDIR += p5-Crypt-Serpent SUBDIR += p5-Crypt-Shark SUBDIR += p5-Crypt-Simple SUBDIR += p5-Crypt-SmbHash SUBDIR += p5-Crypt-Sodium SUBDIR += p5-Crypt-Solitaire SUBDIR += p5-Crypt-TEA SUBDIR += p5-Crypt-T_e_a SUBDIR += p5-Crypt-Tea_JS SUBDIR += p5-Crypt-TripleDES SUBDIR += p5-Crypt-Twofish SUBDIR += p5-Crypt-Twofish2 SUBDIR += p5-Crypt-Twofish_PP SUBDIR += p5-Crypt-URandom SUBDIR += p5-Crypt-UnixCrypt SUBDIR += p5-Crypt-UnixCrypt_XS SUBDIR += p5-Crypt-X509 SUBDIR += p5-Crypt-X509-CRL SUBDIR += p5-Crypt-XTEA SUBDIR += p5-Crypt-xDBM_File SUBDIR += p5-CryptX SUBDIR += p5-Dancer-Plugin-Auth-Extensible SUBDIR += p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup SUBDIR += p5-Dancer-Plugin-Passphrase SUBDIR += p5-Dancer2-Plugin-Auth-Extensible SUBDIR += p5-Dancer2-Plugin-Auth-Extensible-Provider-DBIC SUBDIR += p5-Dancer2-Plugin-Auth-Extensible-Provider-Database SUBDIR += p5-Dancer2-Plugin-Auth-Extensible-Provider-IMAP SUBDIR += p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup SUBDIR += p5-Dancer2-Plugin-Passphrase SUBDIR += p5-Data-Entropy SUBDIR += p5-Data-Password SUBDIR += p5-Digest SUBDIR += p5-Digest-Adler32 SUBDIR += p5-Digest-Bcrypt SUBDIR += p5-Digest-BubbleBabble SUBDIR += p5-Digest-CRC SUBDIR += p5-Digest-Crc32 SUBDIR += p5-Digest-DJB SUBDIR += p5-Digest-DMAC SUBDIR += p5-Digest-EMAC SUBDIR += p5-Digest-Elf SUBDIR += p5-Digest-FNV SUBDIR += p5-Digest-GOST SUBDIR += p5-Digest-HMAC SUBDIR += p5-Digest-Hashcash SUBDIR += p5-Digest-Haval256 SUBDIR += p5-Digest-JHash SUBDIR += p5-Digest-MD2 SUBDIR += p5-Digest-MD4 SUBDIR += p5-Digest-MD5 SUBDIR += p5-Digest-MD5-File SUBDIR += p5-Digest-MD5-M4p SUBDIR += p5-Digest-MD5-Reverse SUBDIR += p5-Digest-ManberHash SUBDIR += p5-Digest-MurmurHash SUBDIR += p5-Digest-Nilsimsa SUBDIR += p5-Digest-Pearson SUBDIR += p5-Digest-Pearson-PurePerl SUBDIR += p5-Digest-Perl-MD4 SUBDIR += p5-Digest-Perl-MD5 SUBDIR += p5-Digest-SHA SUBDIR += p5-Digest-SHA-PurePerl SUBDIR += p5-Digest-SHA1 SUBDIR += p5-Digest-SHA3 SUBDIR += p5-Digest-SV1 SUBDIR += p5-Digest-Tiger SUBDIR += p5-Digest-Whirlpool SUBDIR += p5-File-KeePass SUBDIR += p5-File-KeePass-Agent SUBDIR += p5-File-Scan SUBDIR += p5-File-Scan-ClamAV SUBDIR += p5-Filter-CBC SUBDIR += p5-Filter-Crypto SUBDIR += p5-GD-SecurityImage SUBDIR += p5-GSSAPI SUBDIR += p5-GnuPG SUBDIR += p5-GnuPG-Interface SUBDIR += p5-HTML-Email-Obfuscate SUBDIR += p5-Heimdal-Kadm5 SUBDIR += p5-IO-Async-SSL SUBDIR += p5-IO-Socket-SSL SUBDIR += p5-MD5 SUBDIR += p5-Mcrypt SUBDIR += p5-Module-Signature SUBDIR += p5-Net-Daemon-SSL SUBDIR += p5-Net-OpenID-Common SUBDIR += p5-Net-OpenID-JanRain SUBDIR += p5-Net-OpenID-Server SUBDIR += p5-Net-Radius-Server SUBDIR += p5-Net-SAML2 SUBDIR += p5-Net-SSH-AuthorizedKeysFile SUBDIR += p5-Net-SSL-ExpireDate SUBDIR += p5-Net-SSLGlue SUBDIR += p5-Net-SSLeay SUBDIR += p5-Net-Server-Mail-ESMTP-AUTH SUBDIR += p5-Net-SinFP SUBDIR += p5-Nmap-Parser SUBDIR += p5-Nmap-Scanner SUBDIR += p5-OpenCA-CRL SUBDIR += p5-OpenCA-CRR SUBDIR += p5-OpenCA-REQ SUBDIR += p5-OpenCA-X509 SUBDIR += p5-PBKDF2-Tiny SUBDIR += p5-PGP SUBDIR += p5-PGP-Sign SUBDIR += p5-POE-Component-SSLify SUBDIR += p5-POE-Filter-SSL SUBDIR += p5-Parse-Snort SUBDIR += p5-PerlCryptLib SUBDIR += p5-Protocol-ACME SUBDIR += p5-SAVI-Perl SUBDIR += p5-SHA SUBDIR += p5-Safe-Hole SUBDIR += p5-Session-Token SUBDIR += p5-Snort-Rule SUBDIR += p5-String-MkPasswd SUBDIR += p5-Sudo SUBDIR += p5-Text-Password-Pronounceable SUBDIR += p5-Tie-EncryptedHash SUBDIR += p5-Tree-Authz SUBDIR += p5-URN-OASIS-SAML2 SUBDIR += p5-Unix-Passwd-File SUBDIR += p5-Unix-setuid SUBDIR += p5-Yahoo-BBAuth SUBDIR += p5-dicewaregen SUBDIR += p5-openxpki SUBDIR += p5-openxpki-i18n SUBDIR += p5-plog SUBDIR += palisade SUBDIR += pam-modules SUBDIR += pam-mysql SUBDIR += pam-pgsql SUBDIR += pam_fprint SUBDIR += pam_google_authenticator SUBDIR += pam_helper SUBDIR += pam_howdy SUBDIR += pam_jail SUBDIR += pam_kde SUBDIR += pam_krb5 SUBDIR += pam_krb5-rh SUBDIR += pam_ldap SUBDIR += pam_mkhomedir SUBDIR += pam_ocra SUBDIR += pam_p11 SUBDIR += pam_pkcs11 SUBDIR += pam_pwdfile SUBDIR += pam_require SUBDIR += pam_rssh SUBDIR += pam_script SUBDIR += pam_search_list SUBDIR += pam_ssh_agent_auth SUBDIR += pam_u2f SUBDIR += pam_yubico SUBDIR += pamtester SUBDIR += paperkey SUBDIR += passh SUBDIR += passivedns SUBDIR += pcsc-tools SUBDIR += pdfcrack SUBDIR += pear-Auth SUBDIR += pear-Auth_HTTP SUBDIR += pear-Auth_PrefManager SUBDIR += pear-Auth_SASL SUBDIR += pear-Auth_SASL2 SUBDIR += pear-Crypt_Blowfish SUBDIR += pear-Crypt_CBC SUBDIR += pear-Crypt_CHAP SUBDIR += pear-Crypt_DiffieHellman SUBDIR += pear-Crypt_GPG SUBDIR += pear-Crypt_HMAC2 SUBDIR += pear-Crypt_MicroID SUBDIR += pear-Crypt_RC4 SUBDIR += pear-Crypt_RSA SUBDIR += pear-Crypt_XXTEA SUBDIR += pear-File_HtAccess SUBDIR += pear-File_Passwd SUBDIR += pear-File_SMBPasswd SUBDIR += pear-HTML_Crypt SUBDIR += pear-Horde_Auth SUBDIR += pear-Horde_Crypt SUBDIR += pear-Horde_Crypt_Blowfish SUBDIR += pear-Horde_Group SUBDIR += pear-Horde_Oauth SUBDIR += pear-Horde_Perms SUBDIR += pear-Horde_Secret SUBDIR += pear-Horde_Share SUBDIR += pear-LiveUser SUBDIR += pear-LiveUser_Admin SUBDIR += pear-Net_Portscan SUBDIR += pear-Text_Password SUBDIR += pecl-crypto SUBDIR += pecl-gnupg SUBDIR += pecl-krb5 SUBDIR += pecl-libsodium SUBDIR += pecl-mcrypt SUBDIR += pecl-pam SUBDIR += pecl-pkcs11 SUBDIR += pecl-scrypt SUBDIR += pecl-ssh2 SUBDIR += pecl-xxtea SUBDIR += peda SUBDIR += pev SUBDIR += pgpdump SUBDIR += pgpgpg SUBDIR += pgpin SUBDIR += php81-filter SUBDIR += php81-sodium SUBDIR += php82-filter SUBDIR += php82-sodium SUBDIR += php83-filter SUBDIR += php83-sodium SUBDIR += picocrypt SUBDIR += picosha2 SUBDIR += pidgin-encryption SUBDIR += pidgin-otr SUBDIR += pinentry SUBDIR += pinentry-curses SUBDIR += pinentry-efl SUBDIR += pinentry-fltk SUBDIR += pinentry-gnome SUBDIR += pinentry-gtk2 SUBDIR += pinentry-qt5 SUBDIR += pinentry-tty SUBDIR += pixiewps SUBDIR += pkcrack SUBDIR += pkcs11-dump SUBDIR += pkcs11-gateway SUBDIR += pkcs11-helper SUBDIR += pkcs11-tools SUBDIR += pkesh SUBDIR += pks SUBDIR += plasma5-kscreenlocker SUBDIR += plasma5-ksshaskpass SUBDIR += plasma5-kwallet-pam SUBDIR += plasma6-kscreenlocker SUBDIR += plasma6-ksshaskpass SUBDIR += plasma6-kwallet-pam SUBDIR += please SUBDIR += portacl-rc SUBDIR += proftpd-mod_clamav SUBDIR += proxycheck SUBDIR += proxytunnel SUBDIR += pssh SUBDIR += pulledpork SUBDIR += pure-sfv SUBDIR += putty SUBDIR += putty-nogtk SUBDIR += pvk SUBDIR += pwauth SUBDIR += pwman SUBDIR += pwned-check SUBDIR += py-RestrictedPython SUBDIR += py-SecretStorage SUBDIR += py-YubiOTP SUBDIR += py-acme SUBDIR += py-acme-tiny SUBDIR += py-ailment SUBDIR += py-aiohttp-security SUBDIR += py-angr SUBDIR += py-argon2-cffi SUBDIR += py-argon2-cffi-bindings SUBDIR += py-artifacts SUBDIR += py-asyncssh SUBDIR += py-authlib SUBDIR += py-azure-keyvault-certificates SUBDIR += py-azure-keyvault-keys SUBDIR += py-azure-keyvault-secrets SUBDIR += py-badkeys SUBDIR += py-base58 SUBDIR += py-bcrypt SUBDIR += py-bitbox02 SUBDIR += py-btchip-python SUBDIR += py-cerealizer SUBDIR += py-cert-human SUBDIR += py-certbot SUBDIR += py-certbot-apache SUBDIR += py-certbot-dns-cloudflare SUBDIR += py-certbot-dns-cpanel SUBDIR += py-certbot-dns-digitalocean SUBDIR += py-certbot-dns-dnsimple SUBDIR += py-certbot-dns-dnsmadeeasy SUBDIR += py-certbot-dns-gandi SUBDIR += py-certbot-dns-gehirn SUBDIR += py-certbot-dns-google SUBDIR += py-certbot-dns-linode SUBDIR += py-certbot-dns-luadns SUBDIR += py-certbot-dns-nsone SUBDIR += py-certbot-dns-ovh SUBDIR += py-certbot-dns-powerdns SUBDIR += py-certbot-dns-rfc2136 SUBDIR += py-certbot-dns-route53 SUBDIR += py-certbot-dns-sakuracloud SUBDIR += py-certbot-dns-standalone SUBDIR += py-certbot-nginx SUBDIR += py-certifi SUBDIR += py-certomancer SUBDIR += py-certstream SUBDIR += py-ckcc-protocol SUBDIR += py-coincurve SUBDIR += py-cpe SUBDIR += py-cryptography SUBDIR += py-cryptography-legacy SUBDIR += py-cryptography-vectors SUBDIR += py-ctypescrypto SUBDIR += py-cybox SUBDIR += py-detect-secrets SUBDIR += py-dfdatetime SUBDIR += py-dfvfs SUBDIR += py-dfwinreg SUBDIR += py-dirhash SUBDIR += py-django-auth-kerberos SUBDIR += py-docker-pycreds SUBDIR += py-ecdsa SUBDIR += py-ed25519ll SUBDIR += py-exscript SUBDIR += py-fail2ban SUBDIR += py-fido2 SUBDIR += py-first-server SUBDIR += py-flask-bcrypt SUBDIR += py-flask-httpauth SUBDIR += py-flask-kerberos SUBDIR += py-flask-saml SUBDIR += py-gixy SUBDIR += py-gnupg SUBDIR += py-gnutls SUBDIR += py-google-auth SUBDIR += py-google-auth-httplib2 SUBDIR += py-google-auth-oauthlib SUBDIR += py-gpgme SUBDIR += py-gpsoauth SUBDIR += py-greenbone-feed-sync SUBDIR += py-gssapi SUBDIR += py-gvm-tools SUBDIR += py-hkdf SUBDIR += py-htpasswd SUBDIR += py-httpx-auth SUBDIR += py-iris-check-module SUBDIR += py-iris-client SUBDIR += py-iris-evtx-module SUBDIR += py-iris-intelowl-module SUBDIR += py-iris-misp-module SUBDIR += py-iris-module-interface SUBDIR += py-iris-vt-module SUBDIR += py-iris-webhooks-module SUBDIR += py-itsdangerous SUBDIR += py-josepy SUBDIR += py-joserfc SUBDIR += py-jwcrypto SUBDIR += py-keepkey SUBDIR += py-kerberos SUBDIR += py-keyring SUBDIR += py-keyrings.alt SUBDIR += py-krb5 SUBDIR += py-libnacl SUBDIR += py-liboqs-python SUBDIR += py-m2crypto SUBDIR += py-maec SUBDIR += py-merkletools SUBDIR += py-mixbox SUBDIR += py-mnemonic SUBDIR += py-msoffcrypto-tool SUBDIR += py-muacrypt SUBDIR += py-nassl SUBDIR += py-netbox-secrets SUBDIR += py-netmiko SUBDIR += py-noiseprotocol SUBDIR += py-notus-scanner SUBDIR += py-ntlm-auth SUBDIR += py-oauth2client SUBDIR += py-oauthlib SUBDIR += py-omemo-dr SUBDIR += py-onlykey SUBDIR += py-openssl SUBDIR += py-oscrypto SUBDIR += py-ospd-openvas SUBDIR += py-paramiko SUBDIR += py-pass-audit SUBDIR += py-pass-git-helper SUBDIR += py-passlib SUBDIR += py-pbkdf2 SUBDIR += py-pem SUBDIR += py-pgpdump SUBDIR += py-pgpy SUBDIR += py-plaso SUBDIR += py-pnu-vuxml SUBDIR += py-potr SUBDIR += py-pwntools SUBDIR += py-pyaes SUBDIR += py-pyaff4 SUBDIR += py-pyaxo SUBDIR += py-pyclamd SUBDIR += py-pycryptodome SUBDIR += py-pycryptodome-test-vectors SUBDIR += py-pycryptodomex SUBDIR += py-pyelliptic SUBDIR += py-pyhanko SUBDIR += py-pyhanko-certvalidator SUBDIR += py-pylibacl SUBDIR += py-pymacaroons SUBDIR += py-pynacl SUBDIR += py-pyotp SUBDIR += py-pyotp2289 SUBDIR += py-pysaml2 SUBDIR += py-pysaml24 SUBDIR += py-pysaml26 SUBDIR += py-pyscard SUBDIR += py-pysodium SUBDIR += py-pyspnego SUBDIR += py-python-axolotl SUBDIR += py-python-axolotl-curve25519 SUBDIR += py-python-cas SUBDIR += py-python-gnupg SUBDIR += py-python-gvm SUBDIR += py-python-jose SUBDIR += py-python-nss SUBDIR += py-python-openid SUBDIR += py-python-pam SUBDIR += py-python-pkcs11 SUBDIR += py-python-registry SUBDIR += py-python3-openid SUBDIR += py-python3-saml SUBDIR += py-pyvex SUBDIR += py-pywinrm SUBDIR += py-requests-credssp SUBDIR += py-requests-kerberos SUBDIR += py-ropgadget SUBDIR += py-ropper SUBDIR += py-rsa SUBDIR += py-safe SUBDIR += py-scp SUBDIR += py-scramp SUBDIR += py-scrypt SUBDIR += py-secure SUBDIR += py-securesystemslib SUBDIR += py-service-identity SUBDIR += py-signedjson SUBDIR += py-social-auth-core SUBDIR += py-spake2 SUBDIR += py-ssh-audit SUBDIR += py-sshpubkeys SUBDIR += py-sslyze SUBDIR += py-stem SUBDIR += py-stix SUBDIR += py-stix2 SUBDIR += py-stix2-patterns SUBDIR += py-taxii2-client SUBDIR += py-tinyaes SUBDIR += py-tls-parser SUBDIR += py-tlslite SUBDIR += py-tlslite-ng SUBDIR += py-trezor SUBDIR += py-trustme SUBDIR += py-truststore SUBDIR += py-tuf SUBDIR += py-txtorcon SUBDIR += py-uhashring SUBDIR += py-vici SUBDIR += py-virustotal-api SUBDIR += py-volatility3 SUBDIR += py-vpn-slice SUBDIR += py-vulndb SUBDIR += py-webauthn SUBDIR += py-xkcdpass SUBDIR += py-xmlsec SUBDIR += py-yara SUBDIR += py-yara-python-dex SUBDIR += py-yubikey-manager SUBDIR += py-zkg SUBDIR += py-zope.password SUBDIR += py-zxcvbn SUBDIR += pygost SUBDIR += qtkeychain SUBDIR += quantis-kmod SUBDIR += racoon2 SUBDIR += rage-encryption SUBDIR += ratproxy SUBDIR += rats SUBDIR += rcracki_mt SUBDIR += reop SUBDIR += rhash SUBDIR += rhonabwy SUBDIR += ridl SUBDIR += rifiuti2 SUBDIR += rkhunter SUBDIR += rndpassw SUBDIR += rnp SUBDIR += rotate SUBDIR += rpm-sequoia SUBDIR += rubygem-acme-client SUBDIR += rubygem-aes_key_wrap SUBDIR += rubygem-airbrussh SUBDIR += rubygem-android_key_attestation SUBDIR += rubygem-attr_encrypted SUBDIR += rubygem-attr_encrypted3 SUBDIR += rubygem-bcrypt SUBDIR += rubygem-bcrypt-ruby SUBDIR += rubygem-bcrypt_pbkdf SUBDIR += rubygem-cose SUBDIR += rubygem-cvss-suite SUBDIR += rubygem-declarative_policy SUBDIR += rubygem-devise-two-factor SUBDIR += rubygem-devise-two-factor-rails5 SUBDIR += rubygem-devise-two-factor-rails70 SUBDIR += rubygem-devise-two-factor41-rails70 SUBDIR += rubygem-devise_pam_authenticatable2 SUBDIR += rubygem-devise_pam_authenticatable2-rails61 SUBDIR += rubygem-digest SUBDIR += rubygem-digest-crc SUBDIR += rubygem-doorkeeper SUBDIR += rubygem-doorkeeper-openid_connect SUBDIR += rubygem-doorkeeper-rails5 SUBDIR += rubygem-doorkeeper-rails50 SUBDIR += rubygem-doorkeeper-rails61 SUBDIR += rubygem-doorkeeper-rails70 SUBDIR += rubygem-duo_api SUBDIR += rubygem-ed25519 SUBDIR += rubygem-encryptor SUBDIR += rubygem-ezcrypto SUBDIR += rubygem-googleauth SUBDIR += rubygem-gpgme SUBDIR += rubygem-gpgr SUBDIR += rubygem-gssapi SUBDIR += rubygem-haiti-hash SUBDIR += rubygem-hkdf SUBDIR += rubygem-hkdf0 SUBDIR += rubygem-hrr_rb_ssh SUBDIR += rubygem-hrr_rb_ssh-ed25519 SUBDIR += rubygem-lockbox SUBDIR += rubygem-metasploit-aggregator SUBDIR += rubygem-metasploit-concern SUBDIR += rubygem-metasploit-credential SUBDIR += rubygem-metasploit-model SUBDIR += rubygem-metasploit-payloads SUBDIR += rubygem-metasploit_data_models SUBDIR += rubygem-metasploit_payloads-mettle SUBDIR += rubygem-nessus_rest SUBDIR += rubygem-net-scp SUBDIR += rubygem-net-scp1 SUBDIR += rubygem-net-sftp SUBDIR += rubygem-net-sftp2 SUBDIR += rubygem-net-ssh SUBDIR += rubygem-net-ssh-gateway SUBDIR += rubygem-net-ssh-krb SUBDIR += rubygem-net-ssh-multi SUBDIR += rubygem-net-ssh5 SUBDIR += rubygem-net-ssh6 SUBDIR += rubygem-net-telnet SUBDIR += rubygem-nexpose SUBDIR += rubygem-nmap-parser SUBDIR += rubygem-omniauth SUBDIR += rubygem-omniauth-alicloud SUBDIR += rubygem-omniauth-atlassian-oauth2 SUBDIR += rubygem-omniauth-bitbucket SUBDIR += rubygem-omniauth-cas SUBDIR += rubygem-omniauth-dingtalk-oauth2 SUBDIR += rubygem-omniauth-gitlab SUBDIR += rubygem-omniauth-jwt SUBDIR += rubygem-omniauth-multipassword SUBDIR += rubygem-omniauth-oauth2-generic SUBDIR += rubygem-omniauth-rails_csrf_protection SUBDIR += rubygem-omniauth-saml SUBDIR += rubygem-omniauth-saml1 SUBDIR += rubygem-omniauth-shibboleth SUBDIR += rubygem-omniauth-shibboleth-redux SUBDIR += rubygem-omniauth1 SUBDIR += rubygem-openssl SUBDIR += rubygem-openssl-ccm SUBDIR += rubygem-openssl-cmac SUBDIR += rubygem-openssl-signature_algorithm SUBDIR += rubygem-openvas-omp SUBDIR += rubygem-origami SUBDIR += rubygem-pbkdf2-ruby SUBDIR += rubygem-pundit SUBDIR += rubygem-pundit61 SUBDIR += rubygem-pyu-ruby-sasl SUBDIR += rubygem-rack-oauth2 SUBDIR += rubygem-rack-oauth21 SUBDIR += rubygem-rasn1 SUBDIR += rubygem-razorback-scriptNugget SUBDIR += rubygem-rbnacl SUBDIR += rubygem-rbnacl-libsodium SUBDIR += rubygem-recog SUBDIR += rubygem-rex-arch SUBDIR += rubygem-rex-bin_tools SUBDIR += rubygem-rex-core SUBDIR += rubygem-rex-encoder SUBDIR += rubygem-rex-exploitation SUBDIR += rubygem-rex-java SUBDIR += rubygem-rex-mime SUBDIR += rubygem-rex-nop SUBDIR += rubygem-rex-ole SUBDIR += rubygem-rex-powershell SUBDIR += rubygem-rex-random_identifier SUBDIR += rubygem-rex-registry SUBDIR += rubygem-rex-rop_builder SUBDIR += rubygem-rex-socket SUBDIR += rubygem-rex-sslscan SUBDIR += rubygem-rex-struct2 SUBDIR += rubygem-rex-text SUBDIR += rubygem-rex-zip SUBDIR += rubygem-roauth SUBDIR += rubygem-rpam2 SUBDIR += rubygem-ruby-hmac SUBDIR += rubygem-ruby-rc4 SUBDIR += rubygem-ruby-saml SUBDIR += rubygem-ruby-saml115 SUBDIR += rubygem-safety_net_attestation SUBDIR += rubygem-scrypt SUBDIR += rubygem-securecompare SUBDIR += rubygem-securerandom SUBDIR += rubygem-signet SUBDIR += rubygem-six SUBDIR += rubygem-ssh_data SUBDIR += rubygem-sshkey SUBDIR += rubygem-sshkit SUBDIR += rubygem-sslshake SUBDIR += rubygem-ssrf_filter SUBDIR += rubygem-timfel-krb5 SUBDIR += rubygem-tpm-key_attestation SUBDIR += rubygem-twitter_oauth SUBDIR += rubygem-unix-crypt SUBDIR += rubygem-vault SUBDIR += rubygem-webauthn SUBDIR += rubygem-webpush SUBDIR += rustscan SUBDIR += s2n-tls SUBDIR += safesh SUBDIR += samhain SUBDIR += samhain-client SUBDIR += samhain-server SUBDIR += sancp SUBDIR += sasp SUBDIR += scanlogd SUBDIR += scrypt SUBDIR += seahorse SUBDIR += seal SUBDIR += seccure SUBDIR += seclists SUBDIR += secpanel SUBDIR += sectok SUBDIR += secure_delete SUBDIR += sedutil SUBDIR += sequoia SUBDIR += sequoia-sq SUBDIR += setaudit SUBDIR += sha1collisiondetection SUBDIR += sha2wordlist SUBDIR += shibboleth-idp SUBDIR += shibboleth-sp SUBDIR += sig2dot SUBDIR += signify SUBDIR += signing-party SUBDIR += silktools SUBDIR += sks SUBDIR += smurflog SUBDIR += sniffglue SUBDIR += snoopy SUBDIR += snort SUBDIR += snort-rep SUBDIR += snort2pfcd SUBDIR += snort3 SUBDIR += snortsam SUBDIR += snortsnarf SUBDIR += snowflake-tor SUBDIR += snuffleupagus SUBDIR += softether SUBDIR += softether-devel SUBDIR += softether5 SUBDIR += softhsm2 SUBDIR += solana SUBDIR += sops SUBDIR += spass SUBDIR += spass-qt5 SUBDIR += spectre-meltdown-checker SUBDIR += spm SUBDIR += sqlmap SUBDIR += sqlninja SUBDIR += srm SUBDIR += ssb SUBDIR += ssdeep SUBDIR += ssh-import-id SUBDIR += ssh-multiadd SUBDIR += ssh-tools SUBDIR += ssh-vault SUBDIR += sshguard SUBDIR += sshpass SUBDIR += ssl-admin SUBDIR += ssllabs-scan SUBDIR += sslproxy SUBDIR += sslscan SUBDIR += sslsplit SUBDIR += sssd SUBDIR += sssd2 SUBDIR += ssss SUBDIR += sst SUBDIR += starttls SUBDIR += steghide SUBDIR += stegify SUBDIR += step-certificates SUBDIR += step-cli SUBDIR += stoken SUBDIR += strongswan SUBDIR += stunnel SUBDIR += su-exec SUBDIR += subversion-gnome-keyring SUBDIR += sudo SUBDIR += sudoscript SUBDIR += super SUBDIR += suricata SUBDIR += swatchdog SUBDIR += tailscale SUBDIR += tang SUBDIR += tclsasl SUBDIR += tcpcrypt SUBDIR += teleport SUBDIR += testssl.sh SUBDIR += tfhe SUBDIR += tfsec SUBDIR += theonionbox SUBDIR += tinc SUBDIR += tinc-devel SUBDIR += tinyca SUBDIR += tls-check SUBDIR += tlsc SUBDIR += tor SUBDIR += totp-cli SUBDIR += tpm-quote-tools SUBDIR += tpm-tools SUBDIR += tpm2-abrmd SUBDIR += tpm2-pkcs11 SUBDIR += tpm2-tools SUBDIR += tpm2-tss SUBDIR += transcrypt SUBDIR += trezord SUBDIR += tripwire SUBDIR += trivy SUBDIR += trousers SUBDIR += trufflehog SUBDIR += tthsum SUBDIR += u2f-devd SUBDIR += uacme SUBDIR += ubuntu-keyring SUBDIR += unhide SUBDIR += unix-selfauth-helper SUBDIR += vanguards-tor SUBDIR += vault SUBDIR += vaultwarden SUBDIR += veracrypt SUBDIR += vigenere SUBDIR += vlock SUBDIR += vm-to-tor SUBDIR += vouch-proxy SUBDIR += vpnc SUBDIR += vuls SUBDIR += vulsrepo SUBDIR += vuxml SUBDIR += vxquery SUBDIR += wapiti SUBDIR += wazuh-agent SUBDIR += wazuh-dashboard SUBDIR += wazuh-indexer SUBDIR += wazuh-manager SUBDIR += wazuh-server SUBDIR += webfwlog SUBDIR += webtunnel-tor SUBDIR += weggli SUBDIR += whatweb SUBDIR += wipe SUBDIR += wolfssh SUBDIR += wolfssl SUBDIR += wpa_supplicant SUBDIR += wpa_supplicant-devel SUBDIR += wpa_supplicant29 SUBDIR += xca SUBDIR += xhash SUBDIR += xinetd SUBDIR += xml-security SUBDIR += xmlsec1 SUBDIR += xorsearch SUBDIR += xray-core SUBDIR += yafic SUBDIR += yapet SUBDIR += yara SUBDIR += yersinia SUBDIR += ykclient SUBDIR += ykpers SUBDIR += ylva SUBDIR += yubico-piv-tool SUBDIR += yubikey-agent SUBDIR += yubikey-manager-qt SUBDIR += yubikey-personalization-gui SUBDIR += yubioath-desktop SUBDIR += zaproxy SUBDIR += zeek SUBDIR += zeronet SUBDIR += zlint SUBDIR += zzuf .include diff --git a/security/openssl33/Makefile b/security/openssl33/Makefile new file mode 100644 index 000000000000..85198c07e44d --- /dev/null +++ b/security/openssl33/Makefile @@ -0,0 +1,199 @@ +PORTNAME= openssl +DISTVERSION= 3.3.0-alpha1 +CATEGORIES= security devel +MASTER_SITES= https://www.openssl.org/source/ \ + ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/ +PKGNAMESUFFIX= 33 + +MAINTAINER= brnrd@FreeBSD.org +COMMENT= TLSv1.3 capable SSL and crypto library +WWW= https://www.openssl.org/ + +LICENSE= APACHE20 +LICENSE_FILE= ${WRKSRC}/LICENSE.txt + +CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl111 openssl3[12] openssl*-quictls + +HAS_CONFIGURE= yes +CONFIGURE_SCRIPT= config +CONFIGURE_ENV= PERL="${PERL}" +CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ + --prefix=${PREFIX} + +USES= cpe perl5 +USE_PERL5= build +TEST_TARGET= test + +LDFLAGS_i386= -Wl,-znotext + +MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}" +MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= + +OPTIONS_GROUP= CIPHERS COMPRESSION HASHES MODULES OPTIMIZE PROTOCOLS +OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS +OPTIONS_GROUP_COMPRESSION= BROTLI ZLIB ZSTD +OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3 +OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS THREADPOOL +OPTIONS_GROUP_MODULES= FIPS LEGACY +OPTIONS_DEFINE_i386= I386 +OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG QUIC SCTP SSL3 TLS1 TLS1_1 TLS1_2 + +OPTIONS_DEFINE= ASYNC CRYPTODEV CT KTLS MAN3 RFC3779 SHARED + +OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST MAN3 MD4 NEXTPROTONEG \ + QUIC RFC3779 RC2 RC4 RMD160 SCTP SHARED SSE2 \ + THREADPOOL THREADS TLS1 TLS1_1 TLS1_2 +#OPTIONS_DEFAULT+= KTLS pending updated KTLS patch + +OPTIONS_EXCLUDE=CRYPTODEV + +OPTIONS_GROUP_OPTIMIZE_amd64= EC + +.if ${MACHINE_ARCH} == "amd64" +OPTIONS_GROUP_OPTIMIZE+= EC +.elif ${MACHINE_ARCH} == "mips64el" +OPTIONS_GROUP_OPTIMIZE+= EC +.endif + +OPTIONS_SUB= yes + +ARIA_DESC= ARIA (South Korean standard) +ASM_DESC= Assembler code +ASYNC_DESC= Asynchronous mode +CIPHERS_DESC= Block Cipher Support +COMPRESSION_DESC= Compression Support +CRYPTODEV_DESC= /dev/crypto support +CT_DESC= Certificate Transparency Support +DES_DESC= (Triple) Data Encryption Standard +EC_DESC= Optimize NIST elliptic curves +FIPS_DESC= Build FIPS provider (Note: NOT yet FIPS validated) +GOST_DESC= GOST (Russian standard) +HASHES_DESC= Hash Function Support +I386_DESC= i386 (instead of i486+) +IDEA_DESC= International Data Encryption Algorithm +KTLS_DESC= Use in-kernel TLS (FreeBSD >13) +LEGACY_DESC= Older algorithms +MAN3_DESC= Install API manpages (section 3, 7) +MD2_DESC= MD2 (obsolete) (requires LEGACY) +MD4_DESC= MD4 (unsafe) +MDC2_DESC= MDC-2 (patented, requires DES) +MODULES_DESC= Provider modules +NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) +OPTIMIZE_DESC= Optimizations +PROTOCOLS_DESC= Protocol Support +QUIC_DESC= HTTP/3 +RC2_DESC= RC2 (unsafe) +RC4_DESC= RC4 (unsafe) +RC5_DESC= RC5 (patented) +RMD160_DESC= RIPEMD-160 +RFC3779_DESC= RFC3779 support (BGP) +SCTP_DESC= SCTP (Stream Control Transmission) +SHARED_DESC= Build shared libraries +SM2_DESC= SM2 Elliptic Curve DH (Chinese standard) +SM3_DESC= SM3 256bit (Chinese standard) +SM4_DESC= SM4 128bit (Chinese standard) +SSE2_DESC= Runtime SSE2 detection +SSL3_DESC= SSLv3 (unsafe) +TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2) +TLS1_1_DESC= TLSv1.1 (requires TLS1_2) +TLS1_2_DESC= TLSv1.2 +THREADPOOL_DESC=Thread Pooling support +WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe) + +# Upstream default disabled options +.for _option in brotli fips md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib zstd +${_option:tu}_CONFIGURE_ON= enable-${_option} +.endfor + +# Upstream default enabled options +.for _option in aria asm async ct des gost idea md4 mdc2 legacy \ + nextprotoneg quic rc2 rc4 rfc3779 rmd160 shared sm2 sm3 sm4 \ + sse2 threads tls1 tls1_1 tls1_2 +${_option:tu}_CONFIGURE_OFF= no-${_option} +.endfor + +MD2_IMPLIES= LEGACY +MDC2_IMPLIES= DES +TLS1_IMPLIES= TLS1_1 +TLS1_1_IMPLIES= TLS1_2 + +BROTLI_CFLAGS= -I${PREFIX}/include +BROTLI_CONFIGURE_ON= enable-brotli-dynamic +BROTLI_LIB_DEPENDS= libbrotlicommon.so:archivers/brotli +EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 +FIPS_VARS= shlibs+=lib/ossl-modules/fips.so +I386_CONFIGURE_ON= 386 +KTLS_BROKEN= Pending updated KTLS patch +KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls +LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so +MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits +SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} +SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} +SHARED_USE= ldconfig=yes +SHARED_VARS= shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \ + lib/libssl.so.${OPENSSL_SHLIBVER} \ + lib/engines-${OPENSSL_SHLIBVER}/capi.so \ + lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \ + lib/engines-${OPENSSL_SHLIBVER}/padlock.so" +SSL3_CONFIGURE_ON= enable-ssl3-method +THREADPOOL_CONFIGURE_OFF= no-thread-pool +ZLIB_CONFIGURE_ON= zlib-dynamic +ZSTD_CFLAGS= -I${PREFIX}/include +ZSTD_CONFIGURE_ON= enable-zstd-dynamic +ZSTD_LIB_DEPENDS= libzstd.so:archivers/zstd + +SHLIBS= lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so + +PORTSCOUT= limit=^3\.2\. + +.include + +.if ${ARCH} == powerpc64 +CONFIGURE_ARGS+= BSD-ppc64 +.elif ${ARCH} == powerpc64le +CONFIGURE_ARGS+= BSD-ppc64le +.elif ${ARCH} == riscv64 +CONFIGURE_ARGS+= BSD-riscv64 +.endif + +.include +.if ${PREFIX} == /usr +IGNORE= the OpenSSL port can not be installed over the base version +.endif + +OPENSSLDIR?= ${PREFIX}/openssl +PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} + +.include "version.mk" + +post-patch: + ${REINPLACE_CMD} -Ee 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \ + ${WRKSRC}/Configurations/unix-Makefile.tmpl + ${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \ + ${WRKSRC}/VERSION.dat + +post-configure: + ( cd ${WRKSRC} ; ${PERL} configdata.pm --dump ) + +post-configure-MAN3-off: + ${REINPLACE_CMD} \ + -e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \ + -e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \ + ${WRKSRC}/Makefile + +post-install-SHARED-on: +.for i in ${SHLIBS} + -@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i +.endfor + +post-install-SHARED-off: + ${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-12 + +post-install: + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl + +post-install-MAN3-on: + ( cd ${STAGEDIR}/${PREFIX} ; find share/man/man3 -not -type d ; \ + find share/man/man7 -not -type d ) | sed 's/$$/.gz/' >> ${TMPPLIST} + +.include diff --git a/security/openssl33/distinfo b/security/openssl33/distinfo new file mode 100644 index 000000000000..59d93bf1a6a2 --- /dev/null +++ b/security/openssl33/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1710946541 +SHA256 (openssl-3.3.0-alpha1.tar.gz) = f74e03087a48828b64b627039ccd50bcecc5c331692de612fba3d505e2a6d22c +SIZE (openssl-3.3.0-alpha1.tar.gz) = 18034597 diff --git a/security/openssl33/files/extra-patch-ktls b/security/openssl33/files/extra-patch-ktls new file mode 100644 index 000000000000..8a46c272d95c --- /dev/null +++ b/security/openssl33/files/extra-patch-ktls @@ -0,0 +1,540 @@ +diff --git include/internal/ktls.h include/internal/ktls.h +index 95492fd065..3c82cae26b 100644 +--- include/internal/ktls.h ++++ include/internal/ktls.h +@@ -40,6 +40,11 @@ + # define OPENSSL_KTLS_AES_GCM_128 + # define OPENSSL_KTLS_AES_GCM_256 + # define OPENSSL_KTLS_TLS13 ++# ifdef TLS_CHACHA20_IV_LEN ++# ifndef OPENSSL_NO_CHACHA ++# define OPENSSL_KTLS_CHACHA20_POLY1305 ++# endif ++# endif + + typedef struct tls_enable ktls_crypto_info_t; + +diff --git ssl/ktls.c ssl/ktls.c +index 79d980959e..e343d382cc 100644 +--- ssl/ktls.c ++++ ssl/ktls.c +@@ -10,6 +10,67 @@ + #include "ssl_local.h" + #include "internal/ktls.h" + ++#ifndef OPENSSL_NO_KTLS_RX ++ /* ++ * Count the number of records that were not processed yet from record boundary. ++ * ++ * This function assumes that there are only fully formed records read in the ++ * record layer. If read_ahead is enabled, then this might be false and this ++ * function will fail. ++ */ ++static int count_unprocessed_records(SSL *s) ++{ ++ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); ++ PACKET pkt, subpkt; ++ int count = 0; ++ ++ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) ++ return -1; ++ ++ while (PACKET_remaining(&pkt) > 0) { ++ /* Skip record type and version */ ++ if (!PACKET_forward(&pkt, 3)) ++ return -1; ++ ++ /* Read until next record */ ++ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) ++ return -1; ++ ++ count += 1; ++ } ++ ++ return count; ++} ++ ++/* ++ * The kernel cannot offload receive if a partial TLS record has been read. ++ * Check the read buffer for unprocessed records. If the buffer contains a ++ * partial record, fail and return 0. Otherwise, update the sequence ++ * number at *rec_seq for the count of unprocessed records and return 1. ++ */ ++static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq) ++{ ++ int bit, count_unprocessed; ++ ++ count_unprocessed = count_unprocessed_records(s); ++ if (count_unprocessed < 0) ++ return 0; ++ ++ /* increment the crypto_info record sequence */ ++ while (count_unprocessed) { ++ for (bit = 7; bit >= 0; bit--) { /* increment */ ++ ++rec_seq[bit]; ++ if (rec_seq[bit] != 0) ++ break; ++ } ++ count_unprocessed--; ++ ++ } ++ ++ return 1; ++} ++#endif ++ + #if defined(__FreeBSD__) + # include "crypto/cryptodev.h" + +@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + case SSL_AES128GCM: + case SSL_AES256GCM: + return 1; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ return 1; ++# endif + case SSL_AES128: + case SSL_AES256: + if (s->ext.use_etm) +@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + } + + /* Function to configure kernel TLS structure */ +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size) + { +@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + else + crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN; + break; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; ++ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd); ++ break; ++# endif + case SSL_AES128: + case SSL_AES256: + switch (s->s3.tmp.new_cipher->algorithm_mac) { +@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + crypto_info->tls_vminor = (s->version & 0x000000ff); + # ifdef TCP_RXTLS_ENABLE + memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) ++ return 0; + # else +- if (rec_seq != NULL) +- *rec_seq = NULL; ++ if (!is_tx) ++ return 0; + # endif + return 1; + }; +@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + } + + /* Function to configure kernel TLS structure */ +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size) + { + unsigned char geniv[12]; + unsigned char *iiv = iv; + ++# ifdef OPENSSL_NO_KTLS_RX ++ if (!is_tx) ++ return 0; ++# endif ++ + if (s->version == TLS1_2_VERSION && + EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { + if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv, +@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->gcm128.rec_seq, rl_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->gcm128.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_AES_GCM_256 +@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->gcm256.rec_seq, rl_sequence, + TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->gcm256.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_AES_CCM_128 +@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->ccm128.rec_seq, rl_sequence, + TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->ccm128.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 +@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, + TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->chacha20poly1305.rec_seq; ++ if (!is_tx ++ && !check_rx_read_ahead(s, ++ crypto_info->chacha20poly1305.rec_seq)) ++ return 0; + return 1; + # endif + default: +diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c +index d8ef018741..63caac080f 100644 +--- ssl/record/ssl3_record.c ++++ ssl/record/ssl3_record.c +@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s) + int imac_size; + size_t num_recs = 0, max_recs, j; + PACKET pkt, sslv2pkt; +- int is_ktls_left; ++ int using_ktls; + SSL_MAC_BUF *macbufs = NULL; + int ret = -1; + + rr = RECORD_LAYER_get_rrec(&s->rlayer); + rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); +- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0); + max_recs = s->max_pipelines; + if (max_recs == 0) + max_recs = 1; + sess = s->session; + ++ /* ++ * KTLS reads full records. If there is any data left, ++ * then it is from before enabling ktls. ++ */ ++ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0; ++ + do { + thisrr = &rr[num_recs]; + +@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s) + } + } + +- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { ++ if (SSL_IS_TLS13(s) ++ && s->enc_read_ctx != NULL ++ && !using_ktls) { + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC + || !SSL_IS_FIRST_HANDSHAKE(s)) +@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s) + } + + if (SSL_IS_TLS13(s)) { +- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { ++ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH; ++ ++ /* KTLS strips the inner record type. */ ++ if (using_ktls) ++ len = SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ ++ if (thisrr->length > len) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; +@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s) + #endif + + /* KTLS may use all of the buffer */ +- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) ++ if (using_ktls) + len = SSL3_BUFFER_get_left(rbuf); + + if (thisrr->length > len) { +@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s) + return 1; + } + +- /* +- * KTLS reads full records. If there is any data left, +- * then it is from before enabling ktls +- */ +- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) ++ if (using_ktls) + goto skip_decryption; + + if (s->read_hash != NULL) { +@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s) + if (SSL_IS_TLS13(s) + && s->enc_read_ctx != NULL + && thisrr->type != SSL3_RT_ALERT) { +- size_t end; ++ /* ++ * The following logic are irrelevant in KTLS: the kernel provides ++ * unprotected record and thus record type represent the actual ++ * content type, and padding is already removed and thisrr->type and ++ * thisrr->length should have the correct values. ++ */ ++ if (!using_ktls) { ++ size_t end; + +- if (thisrr->length == 0 +- || thisrr->type != SSL3_RT_APPLICATION_DATA) { +- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); +- goto end; ++ if (thisrr->length == 0 ++ || thisrr->type != SSL3_RT_APPLICATION_DATA) { ++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); ++ goto end; ++ } ++ ++ /* Strip trailing padding */ ++ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; ++ end--) ++ continue; ++ ++ thisrr->length = end; ++ thisrr->type = thisrr->data[end]; + } +- +- /* Strip trailing padding */ +- for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; +- end--) +- continue; +- +- thisrr->length = end; +- thisrr->type = thisrr->data[end]; + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && thisrr->type != SSL3_RT_ALERT + && thisrr->type != SSL3_RT_HANDSHAKE) { +@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s) + } + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, +- &thisrr->data[end], 1, s, s->msg_callback_arg); ++ &thisrr->type, 1, s, s->msg_callback_arg); + } + + /* +@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s) + * Therefore we have to rely on KTLS to check the plaintext length + * limit in the kernel. + */ +- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH +- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) { ++ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); + goto end; + } +diff --git ssl/ssl_local.h ssl/ssl_local.h +index 5471e900b8..79ced2f468 100644 +--- ssl/ssl_local.h ++++ ssl/ssl_local.h +@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, + /* ktls.c */ + int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + const EVP_CIPHER_CTX *dd); +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size); + # endif +diff --git ssl/t1_enc.c ssl/t1_enc.c +index 237a19cd93..900ba14fbd 100644 +--- ssl/t1_enc.c ++++ ssl/t1_enc.c +@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) + return ret; + } + +-#ifndef OPENSSL_NO_KTLS +- /* +- * Count the number of records that were not processed yet from record boundary. +- * +- * This function assumes that there are only fully formed records read in the +- * record layer. If read_ahead is enabled, then this might be false and this +- * function will fail. +- */ +-# ifndef OPENSSL_NO_KTLS_RX +-static int count_unprocessed_records(SSL *s) +-{ +- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); +- PACKET pkt, subpkt; +- int count = 0; +- +- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) +- return -1; +- +- while (PACKET_remaining(&pkt) > 0) { +- /* Skip record type and version */ +- if (!PACKET_forward(&pkt, 3)) +- return -1; +- +- /* Read until next record */ +- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) +- return -1; +- +- count += 1; +- } +- +- return count; +-} +-# endif +-#endif +- +- + int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, + const EVP_CIPHER *ciph, + const EVP_MD *md) +@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which) + int reuse_dd = 0; + #ifndef OPENSSL_NO_KTLS + ktls_crypto_info_t crypto_info; +- unsigned char *rec_seq; + void *rl_sequence; +-# ifndef OPENSSL_NO_KTLS_RX +- int count_unprocessed; +- int bit; +-# endif + BIO *bio; + #endif + +@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which) + else + rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); + +- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq, +- iv, key, ms, *mac_secret_size)) ++ if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, ++ which & SSL3_CC_WRITE, iv, key, ms, ++ *mac_secret_size)) + goto skip_ktls; + +- if (which & SSL3_CC_READ) { +-# ifndef OPENSSL_NO_KTLS_RX +- count_unprocessed = count_unprocessed_records(s); +- if (count_unprocessed < 0) +- goto skip_ktls; +- +- /* increment the crypto_info record sequence */ +- while (count_unprocessed) { +- for (bit = 7; bit >= 0; bit--) { /* increment */ +- ++rec_seq[bit]; +- if (rec_seq[bit] != 0) +- break; +- } +- count_unprocessed--; +- } +-# else +- goto skip_ktls; +-# endif +- } +- + /* ktls works with user provided buffers directly */ + if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { + if (which & SSL3_CC_WRITE) +diff --git ssl/tls13_enc.c ssl/tls13_enc.c +index 12388922e3..eaab0e2a74 100644 +--- ssl/tls13_enc.c ++++ ssl/tls13_enc.c +@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which) + const EVP_CIPHER *cipher = NULL; + #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) + ktls_crypto_info_t crypto_info; ++ void *rl_sequence; + BIO *bio; + #endif + +@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which) + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; + #ifndef OPENSSL_NO_KTLS + # if defined(OPENSSL_KTLS_TLS13) +- if (!(which & SSL3_CC_WRITE) +- || !(which & SSL3_CC_APPLICATION) ++ if (!(which & SSL3_CC_APPLICATION) + || (s->options & SSL_OP_ENABLE_KTLS) == 0) + goto skip_ktls; + +@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which) + if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) + goto skip_ktls; + +- bio = s->wbio; ++ if (which & SSL3_CC_WRITE) ++ bio = s->wbio; ++ else ++ bio = s->rbio; + + if (!ossl_assert(bio != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); +@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which) + } + + /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ +- if (BIO_flush(bio) <= 0) +- goto skip_ktls; ++ if (which & SSL3_CC_WRITE) { ++ if (BIO_flush(bio) <= 0) ++ goto skip_ktls; ++ } + + /* configure kernel crypto structure */ +- if (!ktls_configure_crypto(s, cipher, ciph_ctx, +- RECORD_LAYER_get_write_sequence(&s->rlayer), +- &crypto_info, NULL, iv, key, NULL, 0)) ++ if (which & SSL3_CC_WRITE) ++ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); ++ else ++ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); ++ ++ if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info, ++ which & SSL3_CC_WRITE, iv, key, NULL, 0)) + goto skip_ktls; + + /* ktls works with user provided buffers directly */ +- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) +- ssl3_release_write_buffer(s); ++ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { ++ if (which & SSL3_CC_WRITE) ++ ssl3_release_write_buffer(s); ++ } + skip_ktls: + # endif + #endif +diff --git test/sslapitest.c test/sslapitest.c +index 2911d6e94b..faf2eec2bc 100644 +--- test/sslapitest.c ++++ test/sslapitest.c +@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, + #if defined(OPENSSL_NO_KTLS_RX) + rx_supported = 0; + #else +- rx_supported = (tls_version != TLS1_3_VERSION); ++ rx_supported = 1; + #endif + if (!cis_ktls || !rx_supported) { + if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) diff --git a/security/openssl33/files/extra-patch-util_find-doc-nits b/security/openssl33/files/extra-patch-util_find-doc-nits new file mode 100644 index 000000000000..bf70e9fee1ac --- /dev/null +++ b/security/openssl33/files/extra-patch-util_find-doc-nits @@ -0,0 +1,20 @@ +--- util/find-doc-nits.orig 2023-09-07 09:00:22 UTC ++++ util/find-doc-nits +@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt'; + my $OUT; + my $status = 0; + +-$opt_m = "man1,man3,man5,man7" unless $opt_m; ++$opt_m = "man1,man5" unless $opt_m; + die "Argument of -m option may contain only man1, man3, man5, and/or man7" + unless $opt_m =~ /^(man[1357][, ]?)*$/; + my @sections = ( split /[, ]/, $opt_m ); +@@ -725,7 +725,7 @@ sub check { + next if $target eq ''; # Skip if links within page, or + next if $target =~ /::/; # links to a Perl module, or + next if $target =~ /^https?:/; # is a URL link, or +- next if $target =~ /\([1357]\)$/; # it has a section ++ next if $target =~ /\([15]\)$/; # it has a section + err($id, "Missing man section number (likely, $mansect) in L<$target>") + } + # Check for proper links to commands. diff --git a/security/openssl33/files/patch-Configurations_10-main.conf b/security/openssl33/files/patch-Configurations_10-main.conf new file mode 100644 index 000000000000..82503c0ff90c --- /dev/null +++ b/security/openssl33/files/patch-Configurations_10-main.conf @@ -0,0 +1,35 @@ +--- Configurations/10-main.conf.orig 2022-04-12 16:29:42 UTC ++++ Configurations/10-main.conf +@@ -1069,6 +1069,32 @@ my %targets = ( + perlasm_scheme => "linux64", + }, + ++ "BSD-ppc" => { ++ inherit_from => [ "BSD-generic32" ], ++ asm_arch => 'ppc32', ++ perlasm_scheme => "linux32", ++ lib_cppflags => add("-DB_ENDIAN"), ++ }, ++ ++ "BSD-ppc64" => { ++ inherit_from => [ "BSD-generic64" ], ++ cflags => add("-m64"), ++ cxxflags => add("-m64"), ++ lib_cppflags => add("-DB_ENDIAN"), ++ asm_arch => 'ppc64', ++ perlasm_scheme => "linux64", ++ }, ++ ++ "BSD-ppc64le" => { ++ inherit_from => [ "BSD-generic64" ], ++ cflags => add("-m64"), ++ cxxflags => add("-m64"), ++ lib_cppflags => add("-DL_ENDIAN"), ++ asm_arch => 'ppc64', ++ perlasm_scheme => "linux64le", ++ }, ++ ++ + "bsdi-elf-gcc" => { + inherit_from => [ "BASE_unix" ], + CC => "gcc", diff --git a/security/openssl33/files/patch-crypto_threads__pthread.c b/security/openssl33/files/patch-crypto_threads__pthread.c new file mode 100644 index 000000000000..3347170e0bd0 --- /dev/null +++ b/security/openssl33/files/patch-crypto_threads__pthread.c @@ -0,0 +1,13 @@ +--- crypto/threads_pthread.c.orig 2022-11-01 14:14:36 UTC ++++ crypto/threads_pthread.c +@@ -29,6 +29,10 @@ + #define BROKEN_CLANG_ATOMICS + #endif + ++#if defined(__FreeBSD__) && defined(__i386__) ++#define BROKEN_CLANG_ATOMICS ++#endif ++ + #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS) + + # if defined(OPENSSL_SYS_UNIX) diff --git a/security/openssl33/pkg-descr b/security/openssl33/pkg-descr new file mode 100644 index 000000000000..c7704288547a --- /dev/null +++ b/security/openssl33/pkg-descr @@ -0,0 +1,13 @@ +The OpenSSL Project is a collaborative effort to develop a robust, +commercial-grade, full-featured, and Open Source toolkit implementing +the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1, +v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide. +The project is managed by a worldwide community of volunteers that use +the Internet to communicate, plan, and develop the OpenSSL tookit +and its related documentation. + +OpenSSL is based on the excellent SSLeay library developed by Eric +A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under +an Apache-style licence, which basically means that you are free +to get and use it for commercial and non-commercial purposes subject +to some simple license conditions. diff --git a/security/openssl33/pkg-message b/security/openssl33/pkg-message new file mode 100644 index 000000000000..3978993de2f0 --- /dev/null +++ b/security/openssl33/pkg-message @@ -0,0 +1,21 @@ +[ +{ type: install + message: <