security/openssl-unsafe: Add OpenSSL port for scanning/testing

 - OpenSSL binary and libs for testing and scanning
 - Use with e.g. sslscan or testssl.sh

Differential Revision:	https://reviews.freebsd.org/D9483

11 files changed, 338 insertions, 0 deletions

diff --git a/security/openssl-unsafe/Makefile b/security/openssl-unsafe/Makefile
new file mode 100644
index 000000000000..7effaba91ccb
--- /dev/null
+++ b/security/openssl-unsafe/Makefile
@@ -0,0 +1,69 @@
+# Created by: Dirk Froemberg <dirk@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME=	openssl
+PORTVERSION=	1.0.2.20170706
+CATEGORIES=	security devel
+PKGNAMESUFFIX=	-unsafe
+
+MAINTAINER=	brnrd@FreeBSD.org
+COMMENT=	Unsafe SSL and crypto library
+
+LICENSE=	OpenSSL
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+CPE_VERSION=	1.0.2k
+
+USES=		cpe perl5
+USE_PERL5=	build
+MAKE_ENV+=	LIBRPATH="${PREFIX}/openssl-unsafe/lib" GREP_OPTIONS= SHLIBVER=${OPENSSL_SHLIBVER}
+CFLAGS+=	-fPIC -DPIC
+SUB_FILES=	pkg-message
+PLIST_SUB+=	SHLIBVER=${OPENSSL_SHLIBVER}
+USE_LDCONFIG=	yes
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	PeterMosmans
+GH_TAGNAME=	c9ba19c8b7fd131137373dbd1fccd6a8bb0628be
+
+MAKE_JOBS_UNSAFE=	yes
+
+CONFIGURE_ARGS=	enable-camellia enable-cms enable-ec enable-ec2m enable-ec_nistp_64_gcc_128 \
+		enable-ecdh enable-ecdsa enable-gost enable-idea enable-md2 enable-mdc2 \
+		enable-rc2 enable-rc5 enable-rfc3779 enable-seed enable-ssl-trace \
+		enable-ssl2 enable-ssl2-methods enable-ssl3 enable-weak-ssl-ciphers \
+		experimental-jpake experimental-store \
+		no-gmp sctp shared threads zlib zlib-dynamic
+
+OPENSSLDIR?=	${PREFIX}/openssl-unsafe/etc
+PLIST_SUB+=	OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
+
+NOT_FOR_ARCHS=	i386
+
+.include "version.mk"
+
+post-patch:
+	${REINPLACE_CMD} -e 's|m4 -B 8192|m4|g' \
+		${WRKSRC}/crypto/des/Makefile
+	${REINPLACE_CMD} -e 's|all install_docs |all |;s| tools$$||;s| build_tools$$||' ${WRKSRC}/Makefile.org
+
+do-configure:
+	${REINPLACE_CMD} -e "s|options 386|options|" \
+		${WRKSRC}/config
+	cd ${WRKSRC} \
+	&& ${SETENV} CC="${CC}" FREEBSDCC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \
+	./config --prefix=${PREFIX}/openssl-unsafe --openssldir=${OPENSSLDIR} \
+		--install_prefix=${STAGEDIR} \
+		-L${PREFIX}/openssl-unsafe/lib ${CONFIGURE_ARGS}
+
+post-configure:
+	${REINPLACE_CMD} \
+		-e 's|^MANDIR=.*$$|MANDIR=$$(PREFIX)/man|' \
+		-e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \
+		-e 's|LIBVERSION=[^ ]* |LIBVERSION=${OPENSSL_SHLIBVER} |' \
+		${WRKSRC}/Makefile
+
+test: build
+	cd ${WRKSRC} && ${MAKE} test
+
+.include <bsd.port.mk>
diff --git a/security/openssl-unsafe/distinfo b/security/openssl-unsafe/distinfo
new file mode 100644
index 000000000000..14611815093e
--- /dev/null
+++ b/security/openssl-unsafe/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1507535912
+SHA256 (PeterMosmans-openssl-1.0.2.20170706-c9ba19c8b7fd131137373dbd1fccd6a8bb0628be_GH0.tar.gz) = 02f561efd265b3303360fcafd57f7e32649cf76986aa7b981154ec18e9a752b3
+SIZE (PeterMosmans-openssl-1.0.2.20170706-c9ba19c8b7fd131137373dbd1fccd6a8bb0628be_GH0.tar.gz) = 5523256
diff --git a/security/openssl-unsafe/files/extra-patch-test_testssl b/security/openssl-unsafe/files/extra-patch-test_testssl
new file mode 100644
index 000000000000..3fc5d7945116
--- /dev/null
+++ b/security/openssl-unsafe/files/extra-patch-test_testssl
@@ -0,0 +1,15 @@
+Disable SSLv3 test when built without SSL3 option disabled
+
+ - Test for weak DH fails when enabled
+
+--- test/testssl.orig	2017-04-27 12:23:44 UTC
++++ test/testssl
+@@ -160,7 +160,7 @@ test_cipher() {
+ }
+ set -x
+ echo "Testing ciphersuites"
+-for protocol in TLSv1.2 SSLv3; do
++for protocol in TLSv1.2; do
+   echo "Testing ciphersuites for $protocol"
+   for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
+     test_cipher $cipher $protocol
diff --git a/security/openssl-unsafe/files/patch-Configure b/security/openssl-unsafe/files/patch-Configure
new file mode 100644
index 000000000000..9b223546482e
--- /dev/null
+++ b/security/openssl-unsafe/files/patch-Configure
@@ -0,0 +1,45 @@
+--- Configure.orig	2017-07-06 01:00:00 UTC
++++ Configure
+@@ -477,19 +477,20 @@ my %table=(
+ "android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ 
+ #### *BSD [do see comment about ${BSDthreads} above!]
+-"BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86",	"gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86-elf",	"gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"debug-BSD-x86-elf",	"gcc:-DL_ENDIAN -O3 -Wall -g::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-sparcv8",	"gcc:-DB_ENDIAN -O3 -mcpu=v8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-generic32","$ENV{'FREEBSDCC'}:-O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86-elf",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"debug-BSD-x86-elf",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall -g $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-sparcv8", "$ENV{'FREEBSDCC'}:-DB_ENDIAN -O3 -mcpu=v8 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ 
+-"BSD-generic64","gcc:-O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-generic64","$ENV{'FREEBSDCC'}:-O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it
+ # simply *happens* to work around a compiler bug in gcc 3.3.3,
+ # triggered by RIPEMD160 code.
+-"BSD-sparc64",	"gcc:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-ia64",	"gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86_64",	"cc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-sparc64",	"$ENV{'FREEBSDCC'}:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-ia64",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86_64",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-alpha",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ 
+ "bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ 
+@@ -2075,10 +2076,12 @@ EOF
+ 	if ( $perl =~ m@^/@) {
+ 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
+ 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
++	    &dofile("apps/tsget",$perl,'^#!/', '#!%s');
+ 	} else {
+ 	    # No path for Perl known ...
+ 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";',  '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
+ 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
++	    &dofile("apps/tsget",'/usr/local/bin/perl',,'^#!/', '#!%s');
+ 	}
+ 	if ($depflags ne $default_depflags && !$make_depend) {
+             $warn_make_depend++;
diff --git a/security/openssl-unsafe/files/patch-RFC-5705 b/security/openssl-unsafe/files/patch-RFC-5705
new file mode 100644
index 000000000000..888e82ab7c7b
--- /dev/null
+++ b/security/openssl-unsafe/files/patch-RFC-5705
@@ -0,0 +1,37 @@
+--- ssl/ssl.h.orig	2017-07-06 01:00:00 UTC
++++ ssl/ssl.h
+@@ -2598,6 +2598,10 @@ const char *SSL_CIPHER_standard_name(con
+ const struct openssl_ssl_test_functions *SSL_test_functions(void);
+ # endif
+ 
++void SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
++                           unsigned char *context, int context_len,
++                           unsigned char *out, int olen);
++
+ /* BEGIN ERROR CODES */
+ /*
+  * The following lines are auto generated by the script mkerr.pl. Any changes
+--- ssl/t1_enc.c.orig	2017-07-06 01:00:00 UTC
++++ ssl/t1_enc.c
+@@ -1461,6 +1461,21 @@ int tls1_export_keying_material(SSL *s, 
+     return (rv);
+ }
+ 
++void SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
++                           unsigned char *context, int context_len,
++                           unsigned char *out, int olen)
++	{
++	unsigned char tmp[olen];
++	
++	tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
++			 label, label_len,
++			 s->s3->client_random,SSL3_RANDOM_SIZE,
++			 s->s3->server_random,SSL3_RANDOM_SIZE,
++			 context, context_len, NULL, 0,
++			 s->session->master_key, s->session->master_key_length,
++			 out, tmp, olen);
++	}
++
+ int tls1_alert_code(int code)
+ {
+     switch (code) {
diff --git a/security/openssl-unsafe/files/patch-apps_Makefile b/security/openssl-unsafe/files/patch-apps_Makefile
new file mode 100644
index 000000000000..421575524703
--- /dev/null
+++ b/security/openssl-unsafe/files/patch-apps_Makefile
@@ -0,0 +1,11 @@
+--- apps/Makefile.orig	2017-07-06 01:00:00 UTC
++++ apps/Makefile
+@@ -118,7 +118,7 @@ install:
+ 	 done
+ 	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+ 	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+-	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
++	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.sample
+ 
+ tags:
+ 	ctags $(SRC)
diff --git a/security/openssl-unsafe/files/patch-config b/security/openssl-unsafe/files/patch-config
new file mode 100644
index 000000000000..f1e017098bb0
--- /dev/null
+++ b/security/openssl-unsafe/files/patch-config
@@ -0,0 +1,19 @@
+--- config.orig	2017-07-06 01:00:00 UTC
++++ config
+@@ -753,14 +753,8 @@ case "$GUESSOS" in
+   sparc64-*-*bsd*)	OUT="BSD-sparc64" ;;
+   ia64-*-*bsd*)		OUT="BSD-ia64" ;;
+   amd64-*-*bsd*)	OUT="BSD-x86_64" ;;
+-  *86*-*-*bsd*)		# mimic ld behaviour when it's looking for libc...
+-			if [ -L /usr/lib/libc.so ]; then	# [Free|Net]BSD
+-			    libc=/usr/lib/libc.so
+-			else					# OpenBSD
+-			    # ld searches for highest libc.so.* and so do we
+-			    libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
+-			fi
+-			case "`(file -L $libc) 2>/dev/null`" in
++  *86*-*-*bsd*)	
++			case "`(file -L /bin/sh) 2>/dev/null`" in
+ 			*ELF*)	OUT="BSD-x86-elf" ;;
+ 			*)	OUT="BSD-x86"; options="$options no-sse2" ;;
+ 			esac ;;
diff --git a/security/openssl-unsafe/files/pkg-message.in b/security/openssl-unsafe/files/pkg-message.in
new file mode 100644
index 000000000000..faa27e6e382d
--- /dev/null
+++ b/security/openssl-unsafe/files/pkg-message.in
@@ -0,0 +1,8 @@
+/!\ ================================ /!\ ============================== /!\
+/!\                                                                     /!\
+/!\ This openssl version is for security testing/scanning purposes only /!\
+/!\                                                                     /!\
+/!\                   DO NOT USE FOR PRODUCTION PURPOSES                /!\
+/!\                                                                     /!\
+/!\ ================================ /!\ ============================== /!\
+
diff --git a/security/openssl-unsafe/pkg-descr b/security/openssl-unsafe/pkg-descr
new file mode 100644
index 000000000000..a0d77866534a
--- /dev/null
+++ b/security/openssl-unsafe/pkg-descr
@@ -0,0 +1,21 @@
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, full-featured, and Open Source toolkit implementing
+the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
+(TLS v1) protocols with full-strength cryptography world-wide. The
+project is managed by a worldwide community of volunteers that use
+the Internet to communicate, plan, and develop the OpenSSL tookit
+and its related documentation.
+
+OpenSSL is based on the excellent SSLeay library developed by Eric
+A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
+an Apache-style licence, which basically means that you are free
+to get and use it for commercial and non-commercial purposes subject
+to some simple license conditions.
+
+This version of OpenSSL enables all possible features of OpenSSL.
+The libraries and binaries in this port must be considered vulnerable
+with known exploits available. Use for testing/scanning only.
+
+WWW: http://www.openssl.org/
+WWW: https://github.com/PeterMosmans/openssl
+WWW: https://onwebsecurity.com/pages/openssl.html
diff --git a/security/openssl-unsafe/pkg-plist b/security/openssl-unsafe/pkg-plist
new file mode 100644
index 000000000000..305b397560bf
--- /dev/null
+++ b/security/openssl-unsafe/pkg-plist
@@ -0,0 +1,109 @@
+openssl-unsafe/bin/openssl
+openssl-unsafe/include/openssl/aes.h
+openssl-unsafe/include/openssl/asn1.h
+openssl-unsafe/include/openssl/asn1_mac.h
+openssl-unsafe/include/openssl/asn1t.h
+openssl-unsafe/include/openssl/bio.h
+openssl-unsafe/include/openssl/blowfish.h
+openssl-unsafe/include/openssl/bn.h
+openssl-unsafe/include/openssl/buffer.h
+openssl-unsafe/include/openssl/camellia.h
+openssl-unsafe/include/openssl/cast.h
+openssl-unsafe/include/openssl/chacha.h
+openssl-unsafe/include/openssl/cmac.h
+openssl-unsafe/include/openssl/cms.h
+openssl-unsafe/include/openssl/comp.h
+openssl-unsafe/include/openssl/conf.h
+openssl-unsafe/include/openssl/conf_api.h
+openssl-unsafe/include/openssl/crypto.h
+openssl-unsafe/include/openssl/des.h
+openssl-unsafe/include/openssl/des_old.h
+openssl-unsafe/include/openssl/dh.h
+openssl-unsafe/include/openssl/dsa.h
+openssl-unsafe/include/openssl/dso.h
+openssl-unsafe/include/openssl/dtls1.h
+openssl-unsafe/include/openssl/e_os2.h
+openssl-unsafe/include/openssl/ebcdic.h
+openssl-unsafe/include/openssl/ec.h
+openssl-unsafe/include/openssl/ecdh.h
+openssl-unsafe/include/openssl/ecdsa.h
+openssl-unsafe/include/openssl/engine.h
+openssl-unsafe/include/openssl/err.h
+openssl-unsafe/include/openssl/evp.h
+openssl-unsafe/include/openssl/hmac.h
+openssl-unsafe/include/openssl/idea.h
+openssl-unsafe/include/openssl/jpake.h
+openssl-unsafe/include/openssl/krb5_asn.h
+openssl-unsafe/include/openssl/kssl.h
+openssl-unsafe/include/openssl/lhash.h
+openssl-unsafe/include/openssl/md2.h
+openssl-unsafe/include/openssl/md4.h
+openssl-unsafe/include/openssl/md5.h
+openssl-unsafe/include/openssl/mdc2.h
+openssl-unsafe/include/openssl/modes.h
+openssl-unsafe/include/openssl/obj_mac.h
+openssl-unsafe/include/openssl/objects.h
+openssl-unsafe/include/openssl/ocsp.h
+openssl-unsafe/include/openssl/opensslconf.h
+openssl-unsafe/include/openssl/opensslv.h
+openssl-unsafe/include/openssl/ossl_typ.h
+openssl-unsafe/include/openssl/pem.h
+openssl-unsafe/include/openssl/pem2.h
+openssl-unsafe/include/openssl/pkcs12.h
+openssl-unsafe/include/openssl/pkcs7.h
+openssl-unsafe/include/openssl/poly1305.h
+openssl-unsafe/include/openssl/pqueue.h
+openssl-unsafe/include/openssl/rand.h
+openssl-unsafe/include/openssl/rc2.h
+openssl-unsafe/include/openssl/rc4.h
+openssl-unsafe/include/openssl/rc5.h
+openssl-unsafe/include/openssl/ripemd.h
+openssl-unsafe/include/openssl/rsa.h
+openssl-unsafe/include/openssl/safestack.h
+openssl-unsafe/include/openssl/seed.h
+openssl-unsafe/include/openssl/sha.h
+openssl-unsafe/include/openssl/srp.h
+openssl-unsafe/include/openssl/srtp.h
+openssl-unsafe/include/openssl/ssl.h
+openssl-unsafe/include/openssl/ssl2.h
+openssl-unsafe/include/openssl/ssl23.h
+openssl-unsafe/include/openssl/ssl3.h
+openssl-unsafe/include/openssl/stack.h
+openssl-unsafe/include/openssl/store.h
+openssl-unsafe/include/openssl/symhacks.h
+openssl-unsafe/include/openssl/tls1.h
+openssl-unsafe/include/openssl/ts.h
+openssl-unsafe/include/openssl/txt_db.h
+openssl-unsafe/include/openssl/ui.h
+openssl-unsafe/include/openssl/ui_compat.h
+openssl-unsafe/include/openssl/whrlpool.h
+openssl-unsafe/include/openssl/x509.h
+openssl-unsafe/include/openssl/x509_vfy.h
+openssl-unsafe/include/openssl/x509v3.h
+openssl-unsafe/lib/engines/lib4758cca.so
+openssl-unsafe/lib/engines/libaep.so
+openssl-unsafe/lib/engines/libatalla.so
+openssl-unsafe/lib/engines/libcapi.so
+openssl-unsafe/lib/engines/libchil.so
+openssl-unsafe/lib/engines/libcswift.so
+openssl-unsafe/lib/engines/libgmp.so
+openssl-unsafe/lib/engines/libgost.so
+openssl-unsafe/lib/engines/libnuron.so
+openssl-unsafe/lib/engines/libpadlock.so
+openssl-unsafe/lib/engines/libsureware.so
+openssl-unsafe/lib/engines/libubsec.so
+openssl-unsafe/lib/libcrypto.a
+openssl-unsafe/lib/libcrypto.so
+openssl-unsafe/lib/libcrypto.so.%%SHLIBVER%%
+openssl-unsafe/lib/libssl.a
+openssl-unsafe/lib/libssl.so
+openssl-unsafe/lib/libssl.so.%%SHLIBVER%%
+openssl-unsafe/libdata/pkgconfig/libcrypto.pc
+openssl-unsafe/libdata/pkgconfig/libssl.pc
+openssl-unsafe/libdata/pkgconfig/openssl.pc
+%%OPENSSLDIR%%/misc/CA.pl
+%%OPENSSLDIR%%/misc/CA.sh
+%%OPENSSLDIR%%/misc/tsget
+@sample %%OPENSSLDIR%%/openssl.cnf.sample
+@dir %%OPENSSLDIR%%/private
+@dir %%OPENSSLDIR%%/certs
diff --git a/security/openssl-unsafe/version.mk b/security/openssl-unsafe/version.mk
new file mode 100644
index 000000000000..23118c8e01d6
--- /dev/null
+++ b/security/openssl-unsafe/version.mk
@@ -0,0 +1 @@
+OPENSSL_SHLIBVER?=	1.0.2