diff options
Diffstat (limited to 'security')
103 files changed, 1548 insertions, 130 deletions
diff --git a/security/2fa/Makefile b/security/2fa/Makefile index f7baf8708f3e..49626ceb3c0b 100644 --- a/security/2fa/Makefile +++ b/security/2fa/Makefile @@ -1,7 +1,7 @@ PORTNAME= 2fa DISTVERSIONPREFIX= v DISTVERSION= 1.2.0 -PORTREVISION= 29 +PORTREVISION= 30 CATEGORIES= security MAINTAINER= mauroeldritch@gmail.com diff --git a/security/Makefile b/security/Makefile index 31a8eae02cf9..fbfc8471a1f5 100644 --- a/security/Makefile +++ b/security/Makefile @@ -457,6 +457,7 @@ SUBDIR += openssl33-quictls SUBDIR += openssl34 SUBDIR += openssl35 + SUBDIR += openssl36 SUBDIR += openvas SUBDIR += openvpn SUBDIR += openvpn-admin @@ -1434,7 +1435,9 @@ SUBDIR += ylva SUBDIR += yubico-piv-tool SUBDIR += yubikey-agent + SUBDIR += yubikey-manager-qt SUBDIR += yubikey-personalization-gui + SUBDIR += yubioath-desktop SUBDIR += zaproxy SUBDIR += zeek SUBDIR += zeronet diff --git a/security/acmetool/Makefile b/security/acmetool/Makefile index be2f921a29c0..01022633705a 100644 --- a/security/acmetool/Makefile +++ b/security/acmetool/Makefile @@ -1,7 +1,7 @@ PORTNAME= acmetool DISTVERSIONPREFIX= v DISTVERSION= 0.2.2 -PORTREVISION= 19 +PORTREVISION= 20 CATEGORIES= security MAINTAINER= samm@FreeBSD.org diff --git a/security/age/Makefile b/security/age/Makefile index cc387501e1b4..c5571bb026f8 100644 --- a/security/age/Makefile +++ b/security/age/Makefile @@ -1,7 +1,7 @@ PORTNAME= age DISTVERSIONPREFIX= v DISTVERSION= 1.2.1 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= security MAINTAINER= bofh@FreeBSD.org diff --git a/security/assh/Makefile b/security/assh/Makefile index 99abada502ef..a9d3e0166031 100644 --- a/security/assh/Makefile +++ b/security/assh/Makefile @@ -1,7 +1,7 @@ PORTNAME= assh DISTVERSIONPREFIX= v DISTVERSION= 2.15.0 -PORTREVISION= 23 +PORTREVISION= 24 CATEGORIES= security MAINTAINER= ashish@FreeBSD.org diff --git a/security/aws-iam-authenticator/Makefile b/security/aws-iam-authenticator/Makefile index 4dff9e6a0a33..b47641ae1615 100644 --- a/security/aws-iam-authenticator/Makefile +++ b/security/aws-iam-authenticator/Makefile @@ -1,7 +1,7 @@ PORTNAME= aws-iam-authenticator PORTVERSION= 0.7.5 DISTVERSIONPREFIX= v -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= danilo@FreeBSD.org diff --git a/security/aws-vault/Makefile b/security/aws-vault/Makefile index 0db83a5b6da4..44951aa51216 100644 --- a/security/aws-vault/Makefile +++ b/security/aws-vault/Makefile @@ -1,7 +1,7 @@ PORTNAME= aws-vault DISTVERSIONPREFIX= v DISTVERSION= 6.6.2 -PORTREVISION= 20 +PORTREVISION= 21 CATEGORIES= security MAINTAINER= mauroeldritch@gmail.com diff --git a/security/boringssl/Makefile b/security/boringssl/Makefile index 606bce9a84fe..28e061773d37 100644 --- a/security/boringssl/Makefile +++ b/security/boringssl/Makefile @@ -1,5 +1,6 @@ PORTNAME= boringssl PORTVERSION= 0.20250818.0 +PORTREVISION= 1 CATEGORIES= security EXTRACT_ONLY= ${GH_ACCOUNT}-${PORTNAME}-${PORTVERSION}_GH0.tar.gz @@ -13,7 +14,7 @@ LICENSE_FILE= ${WRKSRC}/LICENSE USES= cmake:insource cpe go:no_targets,1.24 localbase perl5 CONFLICTS_INSTALL= libressl libressl-devel openssl openssl111 \ - openssl3[2345] openssl-quictls openssl33-quictls + openssl3[23456] openssl-quictls openssl33-quictls CPE_VENDOR= google diff --git a/security/caldera-ot/Makefile b/security/caldera-ot/Makefile index 549f91706aea..0e6e7fefbb69 100644 --- a/security/caldera-ot/Makefile +++ b/security/caldera-ot/Makefile @@ -1,6 +1,6 @@ PORTNAME= caldera-ot DISTVERSION= 5.3.0 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security python MAINTAINER= acm@FreeBSD.org diff --git a/security/caldera/Makefile b/security/caldera/Makefile index 871722852a27..d3761c9b6dfc 100644 --- a/security/caldera/Makefile +++ b/security/caldera/Makefile @@ -1,6 +1,6 @@ PORTNAME= caldera DISTVERSION= 5.3.0 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= security python MAINTAINER= acm@FreeBSD.org diff --git a/security/certificate_maker/Makefile b/security/certificate_maker/Makefile index c322ca9d3cd0..73e65a61f456 100644 --- a/security/certificate_maker/Makefile +++ b/security/certificate_maker/Makefile @@ -1,7 +1,7 @@ PORTNAME= certificate_maker DISTVERSIONPREFIX= v DISTVERSION= 1.7.1 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= bofh@FreeBSD.org diff --git a/security/certmgr/Makefile b/security/certmgr/Makefile index 8ef39b4f6fcf..b8899bab302c 100644 --- a/security/certmgr/Makefile +++ b/security/certmgr/Makefile @@ -1,7 +1,7 @@ PORTNAME= certmgr DISTVERSIONPREFIX= v DISTVERSION= 3.0.3 -PORTREVISION= 29 +PORTREVISION= 30 CATEGORIES= security net MAINTAINER= fuz@FreeBSD.org diff --git a/security/cfssl/Makefile b/security/cfssl/Makefile index 71ad591947b1..22400075f2e0 100644 --- a/security/cfssl/Makefile +++ b/security/cfssl/Makefile @@ -1,7 +1,7 @@ PORTNAME= cfssl DISTVERSIONPREFIX= v DISTVERSION= 1.6.5 -PORTREVISION= 12 +PORTREVISION= 13 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org diff --git a/security/cosign/Makefile b/security/cosign/Makefile index 317ebaa1c7d7..af140597692c 100644 --- a/security/cosign/Makefile +++ b/security/cosign/Makefile @@ -1,7 +1,7 @@ PORTNAME= cosign DISTVERSIONPREFIX= v DISTVERSION= 2.5.3 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= bofh@FreeBSD.org diff --git a/security/crlfuzz/Makefile b/security/crlfuzz/Makefile index 2331286ca7fa..99b7c6614272 100644 --- a/security/crlfuzz/Makefile +++ b/security/crlfuzz/Makefile @@ -1,7 +1,7 @@ PORTNAME= crlfuzz PORTVERSION= 1.4.1 DISTVERSIONPREFIX= v -PORTREVISION= 29 +PORTREVISION= 30 CATEGORIES= security MAINTAINER= dutra@FreeBSD.org diff --git a/security/crowdsec-blocklist-mirror/Makefile b/security/crowdsec-blocklist-mirror/Makefile index b91a2ba80ea1..d06cec2b434d 100644 --- a/security/crowdsec-blocklist-mirror/Makefile +++ b/security/crowdsec-blocklist-mirror/Makefile @@ -2,7 +2,7 @@ PORTNAME= crowdsec-blocklist-mirror DISTVERSIONPREFIX= v DISTVERSION= 0.0.2 DISTVERSIONSUFFIX= -freebsd -PORTREVISION= 16 +PORTREVISION= 17 CATEGORIES= security MAINTAINER= marco@crowdsec.net diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile index 02b7be73fcd8..9881bf5c0792 100644 --- a/security/crowdsec-firewall-bouncer/Makefile +++ b/security/crowdsec-firewall-bouncer/Makefile @@ -1,7 +1,7 @@ PORTNAME= crowdsec-firewall-bouncer DISTVERSIONPREFIX= v DISTVERSION= 0.0.32 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= marco@crowdsec.net diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile index 68b3ba268fef..6def3753de60 100644 --- a/security/crowdsec/Makefile +++ b/security/crowdsec/Makefile @@ -1,7 +1,7 @@ PORTNAME= crowdsec DISTVERSIONPREFIX= v DISTVERSION= 1.6.11 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= marco@crowdsec.net diff --git a/security/ct-submit/Makefile b/security/ct-submit/Makefile index 6350daebccf0..c2edb344b792 100644 --- a/security/ct-submit/Makefile +++ b/security/ct-submit/Makefile @@ -1,6 +1,6 @@ PORTNAME= ct-submit PORTVERSION= 1.1.2 -PORTREVISION= 29 +PORTREVISION= 30 CATEGORIES= security www MAINTAINER= jim@ohlste.in diff --git a/security/enc/Makefile b/security/enc/Makefile index b534f63164eb..e3d13aae3cf9 100644 --- a/security/enc/Makefile +++ b/security/enc/Makefile @@ -1,6 +1,6 @@ PORTNAME= enc DISTVERSION= 1.1.4 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MAINTAINER= dtxdf@FreeBSD.org diff --git a/security/ffuf/Makefile b/security/ffuf/Makefile index fbe49eb00c28..176f48536c13 100644 --- a/security/ffuf/Makefile +++ b/security/ffuf/Makefile @@ -1,7 +1,7 @@ PORTNAME= ffuf DISTVERSIONPREFIX=v DISTVERSION= 2.1.0 -PORTREVISION= 14 +PORTREVISION= 15 CATEGORIES= security www MAINTAINER= dutra@FreeBSD.org diff --git a/security/git-credential-azure/Makefile b/security/git-credential-azure/Makefile index ee4448f25181..d9b9156e55cd 100644 --- a/security/git-credential-azure/Makefile +++ b/security/git-credential-azure/Makefile @@ -1,7 +1,7 @@ PORTNAME= git-credential-azure DISTVERSIONPREFIX= v DISTVERSION= 0.3.1 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= security MAINTAINER= ehaupt@FreeBSD.org diff --git a/security/git-credential-oauth/Makefile b/security/git-credential-oauth/Makefile index e3ed01c7fe53..0d9f7f1b24f1 100644 --- a/security/git-credential-oauth/Makefile +++ b/security/git-credential-oauth/Makefile @@ -1,7 +1,7 @@ PORTNAME= git-credential-oauth DISTVERSIONPREFIX= v DISTVERSION= 0.15.1 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= ehaupt@FreeBSD.org diff --git a/security/gitjacker/Makefile b/security/gitjacker/Makefile index 3c1d6102911a..bf9de433f0da 100644 --- a/security/gitjacker/Makefile +++ b/security/gitjacker/Makefile @@ -1,7 +1,7 @@ PORTNAME= gitjacker DISTVERSIONPREFIX= v DISTVERSION= 0.1.0 -PORTREVISION= 29 +PORTREVISION= 30 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org diff --git a/security/go-cve-dictionary/Makefile b/security/go-cve-dictionary/Makefile index 6857e6c8d502..0bd36a5bca62 100644 --- a/security/go-cve-dictionary/Makefile +++ b/security/go-cve-dictionary/Makefile @@ -1,7 +1,7 @@ PORTNAME= go-cve-dictionary DISTVERSIONPREFIX=v DISTVERSION= 0.11.0 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= security MAINTAINER= girgen@FreeBSD.org diff --git a/security/go-tuf/Makefile b/security/go-tuf/Makefile index 7ddc31097234..c60ba8a8793f 100644 --- a/security/go-tuf/Makefile +++ b/security/go-tuf/Makefile @@ -1,7 +1,7 @@ PORTNAME= go-tuf DISTVERSIONPREFIX= v DISTVERSION= 2.1.1 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= bofh@FreeBSD.org diff --git a/security/gokart/Makefile b/security/gokart/Makefile index 83bfcfb43af6..2428dfd745d0 100644 --- a/security/gokart/Makefile +++ b/security/gokart/Makefile @@ -1,7 +1,7 @@ PORTNAME= gokart DISTVERSIONPREFIX= v DISTVERSION= 0.5.1 -PORTREVISION= 23 +PORTREVISION= 24 CATEGORIES= security MAINTAINER= dutra@FreeBSD.org diff --git a/security/gokey/Makefile b/security/gokey/Makefile index 458ef44b4a90..cb8222051743 100644 --- a/security/gokey/Makefile +++ b/security/gokey/Makefile @@ -1,7 +1,7 @@ PORTNAME= gokey DISTVERSIONPREFIX= v DISTVERSION= 0.1.3 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= ports@FreeBSD.org diff --git a/security/gopass/Makefile b/security/gopass/Makefile index 84548014ca1b..b856a4e599cb 100644 --- a/security/gopass/Makefile +++ b/security/gopass/Makefile @@ -1,7 +1,7 @@ PORTNAME= gopass DISTVERSIONPREFIX= v DISTVERSION= 1.15.16 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= security MAINTAINER= eduardo@FreeBSD.org diff --git a/security/gosec/Makefile b/security/gosec/Makefile index e06ce8594cbf..7821519afa1b 100644 --- a/security/gosec/Makefile +++ b/security/gosec/Makefile @@ -1,7 +1,7 @@ PORTNAME= gosec DISTVERSIONPREFIX= v DISTVERSION= 2.22.0 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= security devel MAINTAINER= yuri@FreeBSD.org diff --git a/security/govulncheck/Makefile b/security/govulncheck/Makefile index 83986767631a..0ec895c47fa6 100644 --- a/security/govulncheck/Makefile +++ b/security/govulncheck/Makefile @@ -1,7 +1,7 @@ PORTNAME= govulncheck DISTVERSIONPREFIX= v DISTVERSION= 1.1.4 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security MAINTAINER= einar@isnic.is diff --git a/security/headscale/Makefile b/security/headscale/Makefile index c678b39eb0f1..f5c71ac4e8f0 100644 --- a/security/headscale/Makefile +++ b/security/headscale/Makefile @@ -1,7 +1,7 @@ PORTNAME= headscale PORTVERSION= 0.26.1 DISTVERSIONPREFIX= v -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security net-vpn MAINTAINER= m.muenz@gmail.com diff --git a/security/hidden-lake/Makefile b/security/hidden-lake/Makefile index 4acd0a642028..3128df93d9f9 100644 --- a/security/hidden-lake/Makefile +++ b/security/hidden-lake/Makefile @@ -1,7 +1,7 @@ PORTNAME= hidden-lake DISTVERSIONPREFIX= v -DISTVERSION= 1.8.6 -PORTREVISION= 2 +DISTVERSION= 1.9.0 +PORTREVISION= 1 CATEGORIES= security net-p2p MAINTAINER= alven@FreeBSD.org @@ -14,13 +14,14 @@ LICENSE_FILE= ${WRKSRC}/LICENSE USES= go:modules GO_MODULE= github.com/number571/hidden-lake -GO_TARGET= ./cmd/hla/hla_tcp:hla_tcp \ +GO_TARGET= ./cmd/hla/hla-http:hla-http \ + ./cmd/hla/hla-tcp:hla-tcp \ ./cmd/hlc:hlc \ - ./cmd/hlf:hlf \ - ./cmd/hlm:hlm \ - ./cmd/hlp:hlp \ - ./cmd/hlr:hlr \ - ./cmd/hls:hls + ./cmd/hlk:hlk \ + ./cmd/hls/hls-filesharer:hls-filesharer \ + ./cmd/hls/hls-messenger:hls-messenger \ + ./cmd/hls/hls-pinger:hls-pinger \ + ./cmd/hls/hls-remoter:hls-remoter TEST_TARGET= test-run diff --git a/security/hidden-lake/distinfo b/security/hidden-lake/distinfo index 45882d770589..e2025a2a90d5 100644 --- a/security/hidden-lake/distinfo +++ b/security/hidden-lake/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1749829911 -SHA256 (go/security_hidden-lake/hidden-lake-v1.8.6/v1.8.6.mod) = af5da6e07886561d70f87bfc232dc0effefc286c3ec66acb6ea5a6ef77a19121 -SIZE (go/security_hidden-lake/hidden-lake-v1.8.6/v1.8.6.mod) = 340 -SHA256 (go/security_hidden-lake/hidden-lake-v1.8.6/v1.8.6.zip) = 33d2c50ad079614d85954af115673ea41a0ce214d4ce21d6e97e32dd5bb334be -SIZE (go/security_hidden-lake/hidden-lake-v1.8.6/v1.8.6.zip) = 11188051 +TIMESTAMP = 1755749357 +SHA256 (go/security_hidden-lake/hidden-lake-v1.9.0/v1.9.0.mod) = 63e461d57f3f49cebe5696f97cf82a652a9afe45e3d17e1aaa7cac4340eca63b +SIZE (go/security_hidden-lake/hidden-lake-v1.9.0/v1.9.0.mod) = 340 +SHA256 (go/security_hidden-lake/hidden-lake-v1.9.0/v1.9.0.zip) = 9cbb358b10607e5b3b20eae34c367f8ad578340bec4bb2203795704c80fcb5a0 +SIZE (go/security_hidden-lake/hidden-lake-v1.9.0/v1.9.0.zip) = 10690371 diff --git a/security/hidden-lake/pkg-plist b/security/hidden-lake/pkg-plist index d2d728bd8408..d5c970a3b5a0 100644 --- a/security/hidden-lake/pkg-plist +++ b/security/hidden-lake/pkg-plist @@ -1,10 +1,11 @@ -bin/hla_tcp +bin/hla-http +bin/hla-tcp bin/hlc -bin/hlf -bin/hlm -bin/hlp -bin/hlr -bin/hls +bin/hlk +bin/hls-filesharer +bin/hls-messenger +bin/hls-pinger +bin/hls-remoter %%PORTDOCS%%%%DOCSDIR%%/CODESTYLE.md %%PORTDOCS%%%%DOCSDIR%%/DEF_PORTS.md %%PORTDOCS%%%%DOCSDIR%%/README.md diff --git a/security/hockeypuck/Makefile b/security/hockeypuck/Makefile index b7506daa1afa..4f76e01013f9 100644 --- a/security/hockeypuck/Makefile +++ b/security/hockeypuck/Makefile @@ -1,6 +1,6 @@ PORTNAME= hockeypuck DISTVERSION= 2.2.4 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MAINTAINER= me@svmhdvn.name diff --git a/security/honeytrap/Makefile b/security/honeytrap/Makefile index 4a3352865c03..ea11abf504e2 100644 --- a/security/honeytrap/Makefile +++ b/security/honeytrap/Makefile @@ -1,6 +1,6 @@ PORTNAME= honeytrap DISTVERSION= g20210510 -PORTREVISION= 29 +PORTREVISION= 30 CATEGORIES= security MAINTAINER= ezri.mudde@dutchsec.com diff --git a/security/horcrux/Makefile b/security/horcrux/Makefile index c59ca34bf592..3a26d585fb3a 100644 --- a/security/horcrux/Makefile +++ b/security/horcrux/Makefile @@ -1,7 +1,7 @@ PORTNAME= horcrux DISTVERSIONPREFIX= v DISTVERSION= 0.3 -PORTREVISION= 28 +PORTREVISION= 29 CATEGORIES= security MAINTAINER= lcook@FreeBSD.org diff --git a/security/keybase/Makefile b/security/keybase/Makefile index cbee3c327569..89c01e84b716 100644 --- a/security/keybase/Makefile +++ b/security/keybase/Makefile @@ -1,7 +1,7 @@ PORTNAME= keybase PORTVERSION= 6.5.1 DISTVERSIONPREFIX= v -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= sunpoet@FreeBSD.org diff --git a/security/kpmenu/Makefile b/security/kpmenu/Makefile index d34c8fba9960..e2af7f3b7c7b 100644 --- a/security/kpmenu/Makefile +++ b/security/kpmenu/Makefile @@ -1,7 +1,7 @@ PORTNAME= kpmenu DISTVERSIONPREFIX= v DISTVERSION= 1.4.1 -PORTREVISION= 29 +PORTREVISION= 30 CATEGORIES= security MAINTAINER= bapt@FreeBSD.org diff --git a/security/lego/Makefile b/security/lego/Makefile index cdc574d87bc1..3dc4af5aefa6 100644 --- a/security/lego/Makefile +++ b/security/lego/Makefile @@ -1,6 +1,7 @@ PORTNAME= lego DISTVERSIONPREFIX= v DISTVERSION= 4.25.2 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= matt@matthoran.com diff --git a/security/meek/Makefile b/security/meek/Makefile index afb92731ff83..9483477599f1 100644 --- a/security/meek/Makefile +++ b/security/meek/Makefile @@ -1,7 +1,7 @@ PORTNAME= meek DISTVERSIONPREFIX=v DISTVERSION= 0.37.0 -PORTREVISION= 25 +PORTREVISION= 26 CATEGORIES= security net MAINTAINER= egypcio@FreeBSD.org diff --git a/security/metasploit/Makefile b/security/metasploit/Makefile index de9d739a3813..424f1c11602f 100644 --- a/security/metasploit/Makefile +++ b/security/metasploit/Makefile @@ -1,6 +1,6 @@ PORTNAME= metasploit DISTVERSION= 6.4.58 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= tanawts@gmail.com diff --git a/security/naabu/Makefile b/security/naabu/Makefile index 35da9279b69d..383cfec25a03 100644 --- a/security/naabu/Makefile +++ b/security/naabu/Makefile @@ -1,7 +1,7 @@ PORTNAME= naabu DISTVERSIONPREFIX= v DISTVERSION= 2.3.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= dutra@FreeBSD.org diff --git a/security/nebula/Makefile b/security/nebula/Makefile index d38485d10c6d..d809fe4e5504 100644 --- a/security/nebula/Makefile +++ b/security/nebula/Makefile @@ -1,7 +1,7 @@ PORTNAME= nebula DISTVERSIONPREFIX= v DISTVERSION= 1.8.2 -PORTREVISION= 13 +PORTREVISION= 14 CATEGORIES= security MAINTAINER= ashish@FreeBSD.org diff --git a/security/netbird/Makefile b/security/netbird/Makefile index 1ea7f5225c50..9a0ac9619973 100644 --- a/security/netbird/Makefile +++ b/security/netbird/Makefile @@ -1,6 +1,7 @@ PORTNAME= netbird DISTVERSIONPREFIX= v DISTVERSION= 0.55.1 +PORTREVISION= 1 CATEGORIES= security net net-vpn MAINTAINER= hakan.external@netbird.io diff --git a/security/obfs4proxy-tor/Makefile b/security/obfs4proxy-tor/Makefile index 964c21c2f3fd..76b061e30825 100644 --- a/security/obfs4proxy-tor/Makefile +++ b/security/obfs4proxy-tor/Makefile @@ -1,6 +1,6 @@ PORTNAME= obfs4proxy DISTVERSION= 0.0.14 -PORTREVISION= 23 +PORTREVISION= 24 CATEGORIES= security net PKGNAMESUFFIX= -tor DISTFILES= ${DISTNAME}${EXTRACT_SUFX} diff --git a/security/onionscan/Makefile b/security/onionscan/Makefile index a3bf6157d030..b08feed23913 100644 --- a/security/onionscan/Makefile +++ b/security/onionscan/Makefile @@ -1,7 +1,7 @@ PORTNAME= onionscan DISTVERSIONPREFIX= OnionScan- DISTVERSION= 0.2 -PORTREVISION= 31 +PORTREVISION= 32 CATEGORIES= security net MAINTAINER= egypcio@FreeBSD.org diff --git a/security/openssl36/Makefile b/security/openssl36/Makefile new file mode 100644 index 000000000000..9604e260b8e0 --- /dev/null +++ b/security/openssl36/Makefile @@ -0,0 +1,206 @@ +PORTNAME= openssl +DISTVERSION= 3.6.0-alpha1 +PORTREVISION= 1 +CATEGORIES= security devel +PKGNAMESUFFIX= 36 +MASTER_SITES= https://github.com/openssl/openssl/releases/download/${DISTNAME}/ + +MAINTAINER= brnrd@FreeBSD.org +COMMENT= TLSv1.3 capable SSL and crypto library +WWW= https://www.openssl.org/ + +LICENSE= APACHE20 +LICENSE_FILE= ${WRKSRC}/LICENSE.txt + +CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl111 openssl3[1234] openssl*-quictls + +HAS_CONFIGURE= yes +CONFIGURE_SCRIPT= config +CONFIGURE_ENV= PERL="${PERL}" +CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ + --prefix=${PREFIX} + +USES= cpe perl5 +USE_PERL5= build +TEST_TARGET= test + +LDFLAGS_i386= -Wl,-znotext + +MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}" +MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= + +OPTIONS_GROUP= CIPHERS COMPRESSION HASHES MODULES OPTIMIZE PQC \ + PROTOCOLS +OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 TLS-DEPRECATED-EC \ + WEAK-SSL-CIPHERS +OPTIONS_GROUP_COMPRESSION= BROTLI ZLIB ZSTD +OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3 +OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS THREADPOOL +OPTIONS_GROUP_PQC= ML-DSA ML-KEM SLH-DSA +OPTIONS_GROUP_MODULES= FIPS LEGACY +OPTIONS_DEFINE_i386= I386 +OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG QUIC SCTP SSL3 TLS1 TLS1_1 TLS1_2 + +OPTIONS_DEFINE= ASYNC CT FIPS-JITTER KTLS MAN3 RFC3779 SHARED + +OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST KTLS MAN3 MD4 ML-DSA ML-KEM \ + NEXTPROTONEG QUIC RFC3779 RC2 RC4 RMD160 SCTP SHARED SLH-DSA \ + SSE2 THREADPOOL THREADS TLS1 TLS1_1 TLS1_2 + +OPTIONS_GROUP_OPTIMIZE_amd64= EC + +.if ${MACHINE_ARCH} == "amd64" +OPTIONS_GROUP_OPTIMIZE+= EC +.elif ${MACHINE_ARCH} == "mips64el" +OPTIONS_GROUP_OPTIMIZE+= EC +.endif + +OPTIONS_SUB= yes + +ARIA_DESC= ARIA (South Korean standard) +ASM_DESC= Assembler code +ASYNC_DESC= Asynchronous mode +CIPHERS_DESC= Block Cipher Support +COMPRESSION_DESC= Compression Support +CT_DESC= Certificate Transparency Support +DES_DESC= (Triple) Data Encryption Standard +EC_DESC= Optimize NIST elliptic curves +FIPS_DESC= Build FIPS provider (Note: NOT yet FIPS validated) +FIPS-JITTER_DESC= Use JITTER seed source in FIPS provider +GOST_DESC= GOST (Russian standard) +HASHES_DESC= Hash Function Support +I386_DESC= i386 (instead of i486+) +IDEA_DESC= International Data Encryption Algorithm +KTLS_DESC= Use in-kernel TLS (FreeBSD >13) +LEGACY_DESC= Older algorithms +MAN3_DESC= Install API manpages (section 3, 7) +MD2_DESC= MD2 (obsolete) (requires LEGACY) +MD4_DESC= MD4 (unsafe) +MDC2_DESC= MDC-2 (patented, requires DES) +ML-DSA_DESC= ML-DSA CRYSTALS-Dilithium Digital Signature Algorithm +ML-KEM_DESC= ML-KEM Kyber Key Encapsulation Method +MODULES_DESC= Provider modules +NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) +OPTIMIZE_DESC= Optimizations +PQC_DESC= Post-Quantum Cryptography +PROTOCOLS_DESC= Protocol Support +QUIC_DESC= HTTP/3 +RC2_DESC= RC2 (unsafe) +RC4_DESC= RC4 (unsafe) +RC5_DESC= RC5 (patented) +RMD160_DESC= RIPEMD-160 +RFC3779_DESC= RFC3779 support (BGP) +SCTP_DESC= SCTP (Stream Control Transmission) +SHARED_DESC= Build shared libraries +SLH-DSA_DESC= SLH-DSA Sphinx+ Digital Signature Algorithm +SM2_DESC= SM2 Elliptic Curve DH (Chinese standard) +SM3_DESC= SM3 256bit (Chinese standard) +SM4_DESC= SM4 128bit (Chinese standard) +SSE2_DESC= Runtime SSE2 detection +SSL3_DESC= SSLv3 (unsafe) +TLS-DEPRECATED-EC_DESC= Deprecated elliptic curve groups in TLS (unsafe) +TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2) +TLS1_1_DESC= TLSv1.1 (requires TLS1_2) +TLS1_2_DESC= TLSv1.2 +THREADPOOL_DESC=Thread Pooling support +WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe) + +# Upstream default disabled options +.for _option in brotli fips fips-jitter md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib zstd +${_option:tu}_CONFIGURE_ON= enable-${_option} +.endfor + +# Upstream default enabled options +.for _option in aria asm async ct des gost idea md4 mdc2 ml-kem ml-dsa \ + legacy nextprotoneg quic rc2 rc4 rfc3779 rmd160 shared slh-dsa \ + sm2 sm3 sm4 sse2 threads tls-deprecated-ec tls1 tls1_1 tls1_2 +${_option:tu}_CONFIGURE_OFF= no-${_option} +.endfor + +FIPS-JITTER_IMPLIES= FIPS +MD2_IMPLIES= LEGACY +MDC2_IMPLIES= DES +TLS1_IMPLIES= TLS1_1 +TLS1_1_IMPLIES= TLS1_2 + +BROTLI_CFLAGS= -I${PREFIX}/include +BROTLI_CONFIGURE_ON= enable-brotli-dynamic +BROTLI_LIB_DEPENDS= libbrotlicommon.so:archivers/brotli +EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 +FIPS_VARS= shlibs+=lib/ossl-modules/fips.so +I386_CONFIGURE_ON= 386 +FIPS-JITTER_CFLAGS= -I${PREFIX}/include +FIPS-JITTER_LDFLAGS= -L${PREFIX}/lib +FIPS-JITTER_BUILD_DEPENDS= ${LOCALBASE}/lib/libjitterentropy.a:devel/libjitterentropy +LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so +MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits +SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} +SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} +SHARED_USE= ldconfig=yes +SHARED_VARS= shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \ + lib/libssl.so.${OPENSSL_SHLIBVER} \ + lib/engines-${OPENSSL_SHLIBVER}/capi.so \ + lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \ + lib/engines-${OPENSSL_SHLIBVER}/padlock.so" +SSL3_CONFIGURE_ON= enable-ssl3 enable-ssl3-method +THREADPOOL_CONFIGURE_OFF= no-thread-pool +ZLIB_CONFIGURE_ON= zlib-dynamic +ZSTD_CFLAGS= -I${PREFIX}/include +ZSTD_CONFIGURE_ON= enable-zstd-dynamic +ZSTD_LIB_DEPENDS= libzstd.so:archivers/zstd + +SHLIBS= lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so + +PORTSCOUT= limit:^${DISTVERSION:R:S/./\./g}\. + +.include <bsd.port.options.mk> + +.if ${ARCH} == powerpc64 +CONFIGURE_ARGS+= BSD-ppc64 +.elif ${ARCH} == powerpc64le +CONFIGURE_ARGS+= BSD-ppc64le +.elif ${ARCH} == riscv64 +CONFIGURE_ARGS+= BSD-riscv64 +.endif + +.include <bsd.port.pre.mk> +.if ${PREFIX} == /usr +IGNORE= the OpenSSL port can not be installed over the base version +.endif + +OPENSSLDIR?= ${PREFIX}/openssl +PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} + +.include "version.mk" + +post-patch: + ${REINPLACE_CMD} -Ee 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \ + ${WRKSRC}/Configurations/unix-Makefile.tmpl + ${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \ + ${WRKSRC}/VERSION.dat + +post-configure: + ( cd ${WRKSRC} ; ${PERL} configdata.pm --dump ) + +post-configure-MAN3-off: + ${REINPLACE_CMD} \ + -e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \ + -e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \ + ${WRKSRC}/Makefile + +post-install-SHARED-on: +.for i in ${SHLIBS} + -@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i +.endfor + +post-install-SHARED-off: + ${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-12 + +post-install: + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl + +post-install-MAN3-on: + ( cd ${STAGEDIR}/${PREFIX} ; find share/man/man3 -not -type d ; \ + find share/man/man7 -not -type d ) | sed 's/$$/.gz/' >> ${TMPPLIST} + +.include <bsd.port.post.mk> diff --git a/security/openssl36/distinfo b/security/openssl36/distinfo new file mode 100644 index 000000000000..864066f84ddb --- /dev/null +++ b/security/openssl36/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1756905754 +SHA256 (openssl-3.6.0-alpha1.tar.gz) = 214991128e68adbac1e41df435960c11a0899f762f9e586beb8112f2ca415778 +SIZE (openssl-3.6.0-alpha1.tar.gz) = 54968069 diff --git a/security/openssl36/files/extra-patch-ktls b/security/openssl36/files/extra-patch-ktls new file mode 100644 index 000000000000..8a46c272d95c --- /dev/null +++ b/security/openssl36/files/extra-patch-ktls @@ -0,0 +1,540 @@ +diff --git include/internal/ktls.h include/internal/ktls.h +index 95492fd065..3c82cae26b 100644 +--- include/internal/ktls.h ++++ include/internal/ktls.h +@@ -40,6 +40,11 @@ + # define OPENSSL_KTLS_AES_GCM_128 + # define OPENSSL_KTLS_AES_GCM_256 + # define OPENSSL_KTLS_TLS13 ++# ifdef TLS_CHACHA20_IV_LEN ++# ifndef OPENSSL_NO_CHACHA ++# define OPENSSL_KTLS_CHACHA20_POLY1305 ++# endif ++# endif + + typedef struct tls_enable ktls_crypto_info_t; + +diff --git ssl/ktls.c ssl/ktls.c +index 79d980959e..e343d382cc 100644 +--- ssl/ktls.c ++++ ssl/ktls.c +@@ -10,6 +10,67 @@ + #include "ssl_local.h" + #include "internal/ktls.h" + ++#ifndef OPENSSL_NO_KTLS_RX ++ /* ++ * Count the number of records that were not processed yet from record boundary. ++ * ++ * This function assumes that there are only fully formed records read in the ++ * record layer. If read_ahead is enabled, then this might be false and this ++ * function will fail. ++ */ ++static int count_unprocessed_records(SSL *s) ++{ ++ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); ++ PACKET pkt, subpkt; ++ int count = 0; ++ ++ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) ++ return -1; ++ ++ while (PACKET_remaining(&pkt) > 0) { ++ /* Skip record type and version */ ++ if (!PACKET_forward(&pkt, 3)) ++ return -1; ++ ++ /* Read until next record */ ++ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) ++ return -1; ++ ++ count += 1; ++ } ++ ++ return count; ++} ++ ++/* ++ * The kernel cannot offload receive if a partial TLS record has been read. ++ * Check the read buffer for unprocessed records. If the buffer contains a ++ * partial record, fail and return 0. Otherwise, update the sequence ++ * number at *rec_seq for the count of unprocessed records and return 1. ++ */ ++static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq) ++{ ++ int bit, count_unprocessed; ++ ++ count_unprocessed = count_unprocessed_records(s); ++ if (count_unprocessed < 0) ++ return 0; ++ ++ /* increment the crypto_info record sequence */ ++ while (count_unprocessed) { ++ for (bit = 7; bit >= 0; bit--) { /* increment */ ++ ++rec_seq[bit]; ++ if (rec_seq[bit] != 0) ++ break; ++ } ++ count_unprocessed--; ++ ++ } ++ ++ return 1; ++} ++#endif ++ + #if defined(__FreeBSD__) + # include "crypto/cryptodev.h" + +@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + case SSL_AES128GCM: + case SSL_AES256GCM: + return 1; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ return 1; ++# endif + case SSL_AES128: + case SSL_AES256: + if (s->ext.use_etm) +@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + } + + /* Function to configure kernel TLS structure */ +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size) + { +@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + else + crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN; + break; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; ++ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd); ++ break; ++# endif + case SSL_AES128: + case SSL_AES256: + switch (s->s3.tmp.new_cipher->algorithm_mac) { +@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + crypto_info->tls_vminor = (s->version & 0x000000ff); + # ifdef TCP_RXTLS_ENABLE + memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) ++ return 0; + # else +- if (rec_seq != NULL) +- *rec_seq = NULL; ++ if (!is_tx) ++ return 0; + # endif + return 1; + }; +@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + } + + /* Function to configure kernel TLS structure */ +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size) + { + unsigned char geniv[12]; + unsigned char *iiv = iv; + ++# ifdef OPENSSL_NO_KTLS_RX ++ if (!is_tx) ++ return 0; ++# endif ++ + if (s->version == TLS1_2_VERSION && + EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { + if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv, +@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->gcm128.rec_seq, rl_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->gcm128.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_AES_GCM_256 +@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->gcm256.rec_seq, rl_sequence, + TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->gcm256.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_AES_CCM_128 +@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->ccm128.rec_seq, rl_sequence, + TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->ccm128.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 +@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, + TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->chacha20poly1305.rec_seq; ++ if (!is_tx ++ && !check_rx_read_ahead(s, ++ crypto_info->chacha20poly1305.rec_seq)) ++ return 0; + return 1; + # endif + default: +diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c +index d8ef018741..63caac080f 100644 +--- ssl/record/ssl3_record.c ++++ ssl/record/ssl3_record.c +@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s) + int imac_size; + size_t num_recs = 0, max_recs, j; + PACKET pkt, sslv2pkt; +- int is_ktls_left; ++ int using_ktls; + SSL_MAC_BUF *macbufs = NULL; + int ret = -1; + + rr = RECORD_LAYER_get_rrec(&s->rlayer); + rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); +- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0); + max_recs = s->max_pipelines; + if (max_recs == 0) + max_recs = 1; + sess = s->session; + ++ /* ++ * KTLS reads full records. If there is any data left, ++ * then it is from before enabling ktls. ++ */ ++ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0; ++ + do { + thisrr = &rr[num_recs]; + +@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s) + } + } + +- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { ++ if (SSL_IS_TLS13(s) ++ && s->enc_read_ctx != NULL ++ && !using_ktls) { + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC + || !SSL_IS_FIRST_HANDSHAKE(s)) +@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s) + } + + if (SSL_IS_TLS13(s)) { +- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { ++ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH; ++ ++ /* KTLS strips the inner record type. */ ++ if (using_ktls) ++ len = SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ ++ if (thisrr->length > len) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; +@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s) + #endif + + /* KTLS may use all of the buffer */ +- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) ++ if (using_ktls) + len = SSL3_BUFFER_get_left(rbuf); + + if (thisrr->length > len) { +@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s) + return 1; + } + +- /* +- * KTLS reads full records. If there is any data left, +- * then it is from before enabling ktls +- */ +- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) ++ if (using_ktls) + goto skip_decryption; + + if (s->read_hash != NULL) { +@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s) + if (SSL_IS_TLS13(s) + && s->enc_read_ctx != NULL + && thisrr->type != SSL3_RT_ALERT) { +- size_t end; ++ /* ++ * The following logic are irrelevant in KTLS: the kernel provides ++ * unprotected record and thus record type represent the actual ++ * content type, and padding is already removed and thisrr->type and ++ * thisrr->length should have the correct values. ++ */ ++ if (!using_ktls) { ++ size_t end; + +- if (thisrr->length == 0 +- || thisrr->type != SSL3_RT_APPLICATION_DATA) { +- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); +- goto end; ++ if (thisrr->length == 0 ++ || thisrr->type != SSL3_RT_APPLICATION_DATA) { ++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); ++ goto end; ++ } ++ ++ /* Strip trailing padding */ ++ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; ++ end--) ++ continue; ++ ++ thisrr->length = end; ++ thisrr->type = thisrr->data[end]; + } +- +- /* Strip trailing padding */ +- for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; +- end--) +- continue; +- +- thisrr->length = end; +- thisrr->type = thisrr->data[end]; + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && thisrr->type != SSL3_RT_ALERT + && thisrr->type != SSL3_RT_HANDSHAKE) { +@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s) + } + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, +- &thisrr->data[end], 1, s, s->msg_callback_arg); ++ &thisrr->type, 1, s, s->msg_callback_arg); + } + + /* +@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s) + * Therefore we have to rely on KTLS to check the plaintext length + * limit in the kernel. + */ +- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH +- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) { ++ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); + goto end; + } +diff --git ssl/ssl_local.h ssl/ssl_local.h +index 5471e900b8..79ced2f468 100644 +--- ssl/ssl_local.h ++++ ssl/ssl_local.h +@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, + /* ktls.c */ + int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + const EVP_CIPHER_CTX *dd); +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size); + # endif +diff --git ssl/t1_enc.c ssl/t1_enc.c +index 237a19cd93..900ba14fbd 100644 +--- ssl/t1_enc.c ++++ ssl/t1_enc.c +@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) + return ret; + } + +-#ifndef OPENSSL_NO_KTLS +- /* +- * Count the number of records that were not processed yet from record boundary. +- * +- * This function assumes that there are only fully formed records read in the +- * record layer. If read_ahead is enabled, then this might be false and this +- * function will fail. +- */ +-# ifndef OPENSSL_NO_KTLS_RX +-static int count_unprocessed_records(SSL *s) +-{ +- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); +- PACKET pkt, subpkt; +- int count = 0; +- +- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) +- return -1; +- +- while (PACKET_remaining(&pkt) > 0) { +- /* Skip record type and version */ +- if (!PACKET_forward(&pkt, 3)) +- return -1; +- +- /* Read until next record */ +- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) +- return -1; +- +- count += 1; +- } +- +- return count; +-} +-# endif +-#endif +- +- + int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, + const EVP_CIPHER *ciph, + const EVP_MD *md) +@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which) + int reuse_dd = 0; + #ifndef OPENSSL_NO_KTLS + ktls_crypto_info_t crypto_info; +- unsigned char *rec_seq; + void *rl_sequence; +-# ifndef OPENSSL_NO_KTLS_RX +- int count_unprocessed; +- int bit; +-# endif + BIO *bio; + #endif + +@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which) + else + rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); + +- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq, +- iv, key, ms, *mac_secret_size)) ++ if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, ++ which & SSL3_CC_WRITE, iv, key, ms, ++ *mac_secret_size)) + goto skip_ktls; + +- if (which & SSL3_CC_READ) { +-# ifndef OPENSSL_NO_KTLS_RX +- count_unprocessed = count_unprocessed_records(s); +- if (count_unprocessed < 0) +- goto skip_ktls; +- +- /* increment the crypto_info record sequence */ +- while (count_unprocessed) { +- for (bit = 7; bit >= 0; bit--) { /* increment */ +- ++rec_seq[bit]; +- if (rec_seq[bit] != 0) +- break; +- } +- count_unprocessed--; +- } +-# else +- goto skip_ktls; +-# endif +- } +- + /* ktls works with user provided buffers directly */ + if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { + if (which & SSL3_CC_WRITE) +diff --git ssl/tls13_enc.c ssl/tls13_enc.c +index 12388922e3..eaab0e2a74 100644 +--- ssl/tls13_enc.c ++++ ssl/tls13_enc.c +@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which) + const EVP_CIPHER *cipher = NULL; + #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) + ktls_crypto_info_t crypto_info; ++ void *rl_sequence; + BIO *bio; + #endif + +@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which) + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; + #ifndef OPENSSL_NO_KTLS + # if defined(OPENSSL_KTLS_TLS13) +- if (!(which & SSL3_CC_WRITE) +- || !(which & SSL3_CC_APPLICATION) ++ if (!(which & SSL3_CC_APPLICATION) + || (s->options & SSL_OP_ENABLE_KTLS) == 0) + goto skip_ktls; + +@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which) + if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) + goto skip_ktls; + +- bio = s->wbio; ++ if (which & SSL3_CC_WRITE) ++ bio = s->wbio; ++ else ++ bio = s->rbio; + + if (!ossl_assert(bio != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); +@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which) + } + + /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ +- if (BIO_flush(bio) <= 0) +- goto skip_ktls; ++ if (which & SSL3_CC_WRITE) { ++ if (BIO_flush(bio) <= 0) ++ goto skip_ktls; ++ } + + /* configure kernel crypto structure */ +- if (!ktls_configure_crypto(s, cipher, ciph_ctx, +- RECORD_LAYER_get_write_sequence(&s->rlayer), +- &crypto_info, NULL, iv, key, NULL, 0)) ++ if (which & SSL3_CC_WRITE) ++ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); ++ else ++ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); ++ ++ if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info, ++ which & SSL3_CC_WRITE, iv, key, NULL, 0)) + goto skip_ktls; + + /* ktls works with user provided buffers directly */ +- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) +- ssl3_release_write_buffer(s); ++ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { ++ if (which & SSL3_CC_WRITE) ++ ssl3_release_write_buffer(s); ++ } + skip_ktls: + # endif + #endif +diff --git test/sslapitest.c test/sslapitest.c +index 2911d6e94b..faf2eec2bc 100644 +--- test/sslapitest.c ++++ test/sslapitest.c +@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, + #if defined(OPENSSL_NO_KTLS_RX) + rx_supported = 0; + #else +- rx_supported = (tls_version != TLS1_3_VERSION); ++ rx_supported = 1; + #endif + if (!cis_ktls || !rx_supported) { + if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) diff --git a/security/openssl36/files/extra-patch-util_find-doc-nits b/security/openssl36/files/extra-patch-util_find-doc-nits new file mode 100644 index 000000000000..bf70e9fee1ac --- /dev/null +++ b/security/openssl36/files/extra-patch-util_find-doc-nits @@ -0,0 +1,20 @@ +--- util/find-doc-nits.orig 2023-09-07 09:00:22 UTC ++++ util/find-doc-nits +@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt'; + my $OUT; + my $status = 0; + +-$opt_m = "man1,man3,man5,man7" unless $opt_m; ++$opt_m = "man1,man5" unless $opt_m; + die "Argument of -m option may contain only man1, man3, man5, and/or man7" + unless $opt_m =~ /^(man[1357][, ]?)*$/; + my @sections = ( split /[, ]/, $opt_m ); +@@ -725,7 +725,7 @@ sub check { + next if $target eq ''; # Skip if links within page, or + next if $target =~ /::/; # links to a Perl module, or + next if $target =~ /^https?:/; # is a URL link, or +- next if $target =~ /\([1357]\)$/; # it has a section ++ next if $target =~ /\([15]\)$/; # it has a section + err($id, "Missing man section number (likely, $mansect) in L<$target>") + } + # Check for proper links to commands. diff --git a/security/openssl36/files/patch-Configurations_10-main.conf b/security/openssl36/files/patch-Configurations_10-main.conf new file mode 100644 index 000000000000..82503c0ff90c --- /dev/null +++ b/security/openssl36/files/patch-Configurations_10-main.conf @@ -0,0 +1,35 @@ +--- Configurations/10-main.conf.orig 2022-04-12 16:29:42 UTC ++++ Configurations/10-main.conf +@@ -1069,6 +1069,32 @@ my %targets = ( + perlasm_scheme => "linux64", + }, + ++ "BSD-ppc" => { ++ inherit_from => [ "BSD-generic32" ], ++ asm_arch => 'ppc32', ++ perlasm_scheme => "linux32", ++ lib_cppflags => add("-DB_ENDIAN"), ++ }, ++ ++ "BSD-ppc64" => { ++ inherit_from => [ "BSD-generic64" ], ++ cflags => add("-m64"), ++ cxxflags => add("-m64"), ++ lib_cppflags => add("-DB_ENDIAN"), ++ asm_arch => 'ppc64', ++ perlasm_scheme => "linux64", ++ }, ++ ++ "BSD-ppc64le" => { ++ inherit_from => [ "BSD-generic64" ], ++ cflags => add("-m64"), ++ cxxflags => add("-m64"), ++ lib_cppflags => add("-DL_ENDIAN"), ++ asm_arch => 'ppc64', ++ perlasm_scheme => "linux64le", ++ }, ++ ++ + "bsdi-elf-gcc" => { + inherit_from => [ "BASE_unix" ], + CC => "gcc", diff --git a/security/openssl36/files/patch-crypto_threads__pthread.c b/security/openssl36/files/patch-crypto_threads__pthread.c new file mode 100644 index 000000000000..3347170e0bd0 --- /dev/null +++ b/security/openssl36/files/patch-crypto_threads__pthread.c @@ -0,0 +1,13 @@ +--- crypto/threads_pthread.c.orig 2022-11-01 14:14:36 UTC ++++ crypto/threads_pthread.c +@@ -29,6 +29,10 @@ + #define BROKEN_CLANG_ATOMICS + #endif + ++#if defined(__FreeBSD__) && defined(__i386__) ++#define BROKEN_CLANG_ATOMICS ++#endif ++ + #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS) + + # if defined(OPENSSL_SYS_UNIX) diff --git a/security/openssl36/pkg-descr b/security/openssl36/pkg-descr new file mode 100644 index 000000000000..c7704288547a --- /dev/null +++ b/security/openssl36/pkg-descr @@ -0,0 +1,13 @@ +The OpenSSL Project is a collaborative effort to develop a robust, +commercial-grade, full-featured, and Open Source toolkit implementing +the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1, +v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide. +The project is managed by a worldwide community of volunteers that use +the Internet to communicate, plan, and develop the OpenSSL tookit +and its related documentation. + +OpenSSL is based on the excellent SSLeay library developed by Eric +A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under +an Apache-style licence, which basically means that you are free +to get and use it for commercial and non-commercial purposes subject +to some simple license conditions. diff --git a/security/openssl36/pkg-message b/security/openssl36/pkg-message new file mode 100644 index 000000000000..0ed980ee3513 --- /dev/null +++ b/security/openssl36/pkg-message @@ -0,0 +1,14 @@ +[ +{ type: install + message: <<EOM +This OpenSSL version is in an ALPHA stage +Do NOT use for production! +EOM +} +{ type: upgrade + message: <<EOM +This OpenSSL version is in an ALPHA stage +Do NOT use for production! +EOM +} +] diff --git a/security/openssl36/pkg-plist b/security/openssl36/pkg-plist new file mode 100644 index 000000000000..7bd599c31899 --- /dev/null +++ b/security/openssl36/pkg-plist @@ -0,0 +1,286 @@ +bin/c_rehash +bin/openssl +include/openssl/aes.h +include/openssl/asn1.h +include/openssl/asn1err.h +include/openssl/asn1t.h +include/openssl/async.h +include/openssl/asyncerr.h +include/openssl/bio.h +include/openssl/bioerr.h +include/openssl/blowfish.h +include/openssl/bn.h +include/openssl/bnerr.h +include/openssl/buffer.h +include/openssl/buffererr.h +include/openssl/byteorder.h +include/openssl/camellia.h +include/openssl/cast.h +include/openssl/cmac.h +include/openssl/cmp.h +include/openssl/cmp_util.h +include/openssl/cmperr.h +include/openssl/cms.h +include/openssl/cmserr.h +include/openssl/comp.h +include/openssl/comperr.h +include/openssl/conf.h +include/openssl/conf_api.h +include/openssl/conferr.h +include/openssl/configuration.h +include/openssl/conftypes.h +include/openssl/core.h +include/openssl/core_dispatch.h +include/openssl/core_names.h +include/openssl/core_object.h +include/openssl/crmf.h +include/openssl/crmferr.h +include/openssl/crypto.h +include/openssl/cryptoerr.h +include/openssl/cryptoerr_legacy.h +include/openssl/ct.h +include/openssl/cterr.h +include/openssl/decoder.h +include/openssl/decodererr.h +include/openssl/des.h +include/openssl/dh.h +include/openssl/dherr.h +include/openssl/dsa.h +include/openssl/dsaerr.h +include/openssl/dtls1.h +include/openssl/e_os2.h +include/openssl/e_ostime.h +include/openssl/ebcdic.h +include/openssl/ec.h +include/openssl/ecdh.h +include/openssl/ecdsa.h +include/openssl/ecerr.h +include/openssl/encoder.h +include/openssl/encodererr.h +include/openssl/engine.h +include/openssl/engineerr.h +include/openssl/err.h +include/openssl/ess.h +include/openssl/esserr.h +include/openssl/evp.h +include/openssl/evperr.h +include/openssl/fips_names.h +include/openssl/fipskey.h +include/openssl/hmac.h +include/openssl/hpke.h +include/openssl/http.h +include/openssl/httperr.h +include/openssl/idea.h +include/openssl/indicator.h +include/openssl/kdf.h +include/openssl/kdferr.h +include/openssl/lhash.h +include/openssl/macros.h +include/openssl/md2.h +include/openssl/md4.h +include/openssl/md5.h +include/openssl/mdc2.h +include/openssl/ml_kem.h +include/openssl/modes.h +include/openssl/obj_mac.h +include/openssl/objects.h +include/openssl/objectserr.h +include/openssl/ocsp.h +include/openssl/ocsperr.h +include/openssl/opensslconf.h +include/openssl/opensslv.h +include/openssl/ossl_typ.h +include/openssl/param_build.h +include/openssl/params.h +include/openssl/pem.h +include/openssl/pem2.h +include/openssl/pemerr.h +include/openssl/pkcs12.h +include/openssl/pkcs12err.h +include/openssl/pkcs7.h +include/openssl/pkcs7err.h +include/openssl/prov_ssl.h +include/openssl/proverr.h +include/openssl/provider.h +include/openssl/quic.h +include/openssl/rand.h +include/openssl/randerr.h +include/openssl/rc2.h +include/openssl/rc4.h +include/openssl/rc5.h +include/openssl/ripemd.h +include/openssl/rsa.h +include/openssl/rsaerr.h +include/openssl/safestack.h +include/openssl/seed.h +include/openssl/self_test.h +include/openssl/sha.h +include/openssl/srp.h +include/openssl/srtp.h +include/openssl/ssl.h +include/openssl/ssl2.h +include/openssl/ssl3.h +include/openssl/sslerr.h +include/openssl/sslerr_legacy.h +include/openssl/stack.h +include/openssl/store.h +include/openssl/storeerr.h +include/openssl/symhacks.h +include/openssl/thread.h +include/openssl/tls1.h +include/openssl/trace.h +include/openssl/ts.h +include/openssl/tserr.h +include/openssl/txt_db.h +include/openssl/types.h +include/openssl/ui.h +include/openssl/uierr.h +include/openssl/whrlpool.h +include/openssl/x509.h +include/openssl/x509_acert.h +include/openssl/x509_vfy.h +include/openssl/x509err.h +include/openssl/x509v3.h +include/openssl/x509v3err.h +lib/cmake/OpenSSL/OpenSSLConfig.cmake +lib/cmake/OpenSSL/OpenSSLConfigVersion.cmake +%%SHARED%%lib/engines-%%SHLIBVER%%/capi.so +%%SHARED%%lib/engines-%%SHLIBVER%%/devcrypto.so +%%SHARED%%lib/engines-%%SHLIBVER%%/loader_attic.so +%%SHARED%%lib/engines-%%SHLIBVER%%/padlock.so +lib/libcrypto.a +%%SHARED%%lib/libcrypto.so +%%SHARED%%lib/libcrypto.so.%%SHLIBVER%% +lib/libssl.a +%%SHARED%%lib/libssl.so +%%SHARED%%lib/libssl.so.%%SHLIBVER%% +%%FIPS%%%%SHARED%%lib/ossl-modules/fips.so +%%LEGACY%%%%SHARED%%lib/ossl-modules/legacy.so +libdata/pkgconfig/libcrypto.pc +libdata/pkgconfig/libssl.pc +libdata/pkgconfig/openssl.pc +share/man/man1/CA.pl.1ossl.gz +share/man/man1/asn1parse.1ossl.gz +share/man/man1/c_rehash.1ossl.gz +share/man/man1/ca.1ossl.gz +share/man/man1/ciphers.1ossl.gz +share/man/man1/cmp.1ossl.gz +share/man/man1/cms.1ossl.gz +share/man/man1/crl.1ossl.gz +share/man/man1/crl2pkcs7.1ossl.gz +share/man/man1/dgst.1ossl.gz +share/man/man1/dhparam.1ossl.gz +share/man/man1/dsa.1ossl.gz +share/man/man1/dsaparam.1ossl.gz +share/man/man1/ec.1ossl.gz +share/man/man1/ecparam.1ossl.gz +share/man/man1/enc.1ossl.gz +share/man/man1/engine.1ossl.gz +share/man/man1/errstr.1ossl.gz +share/man/man1/gendsa.1ossl.gz +share/man/man1/genpkey.1ossl.gz +share/man/man1/genrsa.1ossl.gz +share/man/man1/info.1ossl.gz +share/man/man1/kdf.1ossl.gz +share/man/man1/mac.1ossl.gz +share/man/man1/nseq.1ossl.gz +share/man/man1/ocsp.1ossl.gz +share/man/man1/openssl-asn1parse.1ossl.gz +share/man/man1/openssl-ca.1ossl.gz +share/man/man1/openssl-ciphers.1ossl.gz +share/man/man1/openssl-cmds.1ossl.gz +share/man/man1/openssl-cmp.1ossl.gz +share/man/man1/openssl-cms.1ossl.gz +share/man/man1/openssl-configutl.1ossl.gz +share/man/man1/openssl-crl.1ossl.gz +share/man/man1/openssl-crl2pkcs7.1ossl.gz +share/man/man1/openssl-dgst.1ossl.gz +share/man/man1/openssl-dhparam.1ossl.gz +share/man/man1/openssl-dsa.1ossl.gz +share/man/man1/openssl-dsaparam.1ossl.gz +share/man/man1/openssl-ec.1ossl.gz +share/man/man1/openssl-ecparam.1ossl.gz +share/man/man1/openssl-enc.1ossl.gz +share/man/man1/openssl-engine.1ossl.gz +share/man/man1/openssl-errstr.1ossl.gz +share/man/man1/openssl-fipsinstall.1ossl.gz +share/man/man1/openssl-format-options.1ossl.gz +share/man/man1/openssl-gendsa.1ossl.gz +share/man/man1/openssl-genpkey.1ossl.gz +share/man/man1/openssl-genrsa.1ossl.gz +share/man/man1/openssl-info.1ossl.gz +share/man/man1/openssl-kdf.1ossl.gz +share/man/man1/openssl-list.1ossl.gz +share/man/man1/openssl-mac.1ossl.gz +share/man/man1/openssl-namedisplay-options.1ossl.gz +share/man/man1/openssl-nseq.1ossl.gz +share/man/man1/openssl-ocsp.1ossl.gz +share/man/man1/openssl-passphrase-options.1ossl.gz +share/man/man1/openssl-passwd.1ossl.gz +share/man/man1/openssl-pkcs12.1ossl.gz +share/man/man1/openssl-pkcs7.1ossl.gz +share/man/man1/openssl-pkcs8.1ossl.gz +share/man/man1/openssl-pkey.1ossl.gz +share/man/man1/openssl-pkeyparam.1ossl.gz +share/man/man1/openssl-pkeyutl.1ossl.gz +share/man/man1/openssl-prime.1ossl.gz +share/man/man1/openssl-rand.1ossl.gz +share/man/man1/openssl-rehash.1ossl.gz +share/man/man1/openssl-req.1ossl.gz +share/man/man1/openssl-rsa.1ossl.gz +share/man/man1/openssl-rsautl.1ossl.gz +share/man/man1/openssl-s_client.1ossl.gz +share/man/man1/openssl-s_server.1ossl.gz +share/man/man1/openssl-s_time.1ossl.gz +share/man/man1/openssl-sess_id.1ossl.gz +share/man/man1/openssl-skeyutl.1ossl.gz +share/man/man1/openssl-smime.1ossl.gz +share/man/man1/openssl-speed.1ossl.gz +share/man/man1/openssl-spkac.1ossl.gz +share/man/man1/openssl-srp.1ossl.gz +share/man/man1/openssl-storeutl.1ossl.gz +share/man/man1/openssl-ts.1ossl.gz +share/man/man1/openssl-verification-options.1ossl.gz +share/man/man1/openssl-verify.1ossl.gz +share/man/man1/openssl-version.1ossl.gz +share/man/man1/openssl-x509.1ossl.gz +share/man/man1/openssl.1ossl.gz +share/man/man1/passwd.1ossl.gz +share/man/man1/pkcs12.1ossl.gz +share/man/man1/pkcs7.1ossl.gz +share/man/man1/pkcs8.1ossl.gz +share/man/man1/pkey.1ossl.gz +share/man/man1/pkeyparam.1ossl.gz +share/man/man1/pkeyutl.1ossl.gz +share/man/man1/prime.1ossl.gz +share/man/man1/rand.1ossl.gz +share/man/man1/rehash.1ossl.gz +share/man/man1/req.1ossl.gz +share/man/man1/rsa.1ossl.gz +share/man/man1/rsautl.1ossl.gz +share/man/man1/s_client.1ossl.gz +share/man/man1/s_server.1ossl.gz +share/man/man1/s_time.1ossl.gz +share/man/man1/sess_id.1ossl.gz +share/man/man1/smime.1ossl.gz +share/man/man1/speed.1ossl.gz +share/man/man1/spkac.1ossl.gz +share/man/man1/srp.1ossl.gz +share/man/man1/storeutl.1ossl.gz +share/man/man1/ts.1ossl.gz +share/man/man1/tsget.1ossl.gz +share/man/man1/verify.1ossl.gz +share/man/man1/version.1ossl.gz +share/man/man1/x509.1ossl.gz +share/man/man5/config.5ossl.gz +share/man/man5/fips_config.5ossl.gz +share/man/man5/x509v3_config.5ossl.gz +%%OPENSSLDIR%%/misc/CA.pl +@comment %%OPENSSLDIR%%/misc/tsget.pl +%%OPENSSLDIR%%/misc/tsget +@sample %%OPENSSLDIR%%/ct_log_list.cnf.dist %%OPENSSLDIR%%/ct_log_list.cnf +%%FIPS%%%%OPENSSLDIR%%/fipsmodule.cnf +@sample %%OPENSSLDIR%%/openssl.cnf.dist %%OPENSSLDIR%%/openssl.cnf +@dir lib/ossl-modules +@dir %%OPENSSLDIR%%/private +@dir %%OPENSSLDIR%%/certs diff --git a/security/openssl36/version.mk b/security/openssl36/version.mk new file mode 100644 index 000000000000..7bf1106dadd0 --- /dev/null +++ b/security/openssl36/version.mk @@ -0,0 +1 @@ +OPENSSL_SHLIBVER?= 18 diff --git a/security/openvpn-auth-oauth2/Makefile b/security/openvpn-auth-oauth2/Makefile index 444fc1962136..921a17d7fca6 100644 --- a/security/openvpn-auth-oauth2/Makefile +++ b/security/openvpn-auth-oauth2/Makefile @@ -1,6 +1,7 @@ PORTNAME= openvpn-auth-oauth2 DISTVERSIONPREFIX= v DISTVERSION= 1.25.2 +PORTREVISION= 1 CATEGORIES= security net net-vpn MAINTAINER= otis@FreeBSD.org diff --git a/security/openvpn-devel/Makefile b/security/openvpn-devel/Makefile index bf3005b49f02..bc04c60e5f14 100644 --- a/security/openvpn-devel/Makefile +++ b/security/openvpn-devel/Makefile @@ -1,5 +1,5 @@ PORTNAME= openvpn -DISTVERSION= g20250801 +DISTVERSION= g20250905 PORTREVISION= 0 # leave in even if 0 to avoid accidental PORTEPOCH bumps PORTEPOCH= 1 CATEGORIES= security net net-vpn @@ -21,7 +21,7 @@ LIB_DEPENDS+= liblzo2.so:archivers/lzo2 USES= autoreconf cpe libtool pkgconfig python:build shebangfix tar:xz IGNORE_SSL= libressl libressl-devel USE_GITLAB= yes -GL_TAGNAME= 7b1b283478ec008fad163c8a54659a1ed97ed727 +GL_TAGNAME= 1e7b9a0fb021f0a64e76369f4efd2001d50ef42b USE_RC_SUBR= openvpn SHEBANG_FILES= sample/sample-scripts/auth-pam.pl \ @@ -63,7 +63,6 @@ OPTIONS_EXCLUDE_FreeBSD_13= DCO # FreeBSD 14 only DCO_DESC= Build with Data Channel Offload (ovpn(4)) support EASYRSA_DESC= Install security/easy-rsa RSA helper package -MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) PKCS11_DESC= Use security/pkcs11-helper SMALL_DESC= Build a smaller executable with fewer features X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) @@ -77,7 +76,7 @@ EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 LZ4_CONFIGURE_OFF= --disable-lz4 -MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls2 +MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls3 MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls OPENSSL_USES= ssl diff --git a/security/openvpn-devel/distinfo b/security/openvpn-devel/distinfo index 642485f91297..5af62172f472 100644 --- a/security/openvpn-devel/distinfo +++ b/security/openvpn-devel/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1754042576 -SHA256 (openvpn-openvpn-7b1b283478ec008fad163c8a54659a1ed97ed727_GL0.tar.gz) = 6aae8dff746465fa30cfebece17aee8b5c8b18def9d1f44385403d9a5a17d942 -SIZE (openvpn-openvpn-7b1b283478ec008fad163c8a54659a1ed97ed727_GL0.tar.gz) = 1330547 +TIMESTAMP = 1757057338 +SHA256 (openvpn-openvpn-1e7b9a0fb021f0a64e76369f4efd2001d50ef42b_GL0.tar.gz) = bbc283697162a50ea3a107c00f319216eba8ec0ba4b2ff4ea29ca85f92d60f3a +SIZE (openvpn-openvpn-1e7b9a0fb021f0a64e76369f4efd2001d50ef42b_GL0.tar.gz) = 1333583 diff --git a/security/osv-scanner/Makefile b/security/osv-scanner/Makefile index a67332b5ff08..e1b4fc3acda3 100644 --- a/security/osv-scanner/Makefile +++ b/security/osv-scanner/Makefile @@ -1,6 +1,7 @@ PORTNAME= osv-scanner DISTVERSIONPREFIX= v DISTVERSION= 2.2.1 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= dutra@FreeBSD.org diff --git a/security/picocrypt/Makefile b/security/picocrypt/Makefile index c713ce6cc77b..f6483ced31b9 100644 --- a/security/picocrypt/Makefile +++ b/security/picocrypt/Makefile @@ -1,6 +1,6 @@ PORTNAME= picocrypt DISTVERSION= 1.49 # Missing modules.txt, generate one with `go mod vendor` and place it in ${FILESDIR} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= eduardo@FreeBSD.org diff --git a/security/pwdsafety/Makefile b/security/pwdsafety/Makefile index c143543bf2cc..23dfe9f40408 100644 --- a/security/pwdsafety/Makefile +++ b/security/pwdsafety/Makefile @@ -1,7 +1,7 @@ PORTNAME= pwdsafety DISTVERSIONPREFIX= v DISTVERSION= 0.4.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= olgeni@FreeBSD.org diff --git a/security/py-yara-python-dex/Makefile b/security/py-yara-python-dex/Makefile index c311734a66db..316aaa8d2e14 100644 --- a/security/py-yara-python-dex/Makefile +++ b/security/py-yara-python-dex/Makefile @@ -1,6 +1,5 @@ PORTNAME= yara-python-dex -PORTVERSION= 1.0.7.1 -PORTREVISION= 1 +PORTVERSION= 1.0.9 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} @@ -26,6 +25,6 @@ USE_PYTHON= distutils LDFLAGS+= -s .endif -PLIST_SUB= VER=${PORTVERSION:R} +PLIST_FILES= %%PYTHON_SITELIBDIR%%/yara%%PYTHON_TAG%%.so .include <bsd.port.mk> diff --git a/security/py-yara-python-dex/distinfo b/security/py-yara-python-dex/distinfo index 5a6611163bd9..d1571c0f5ca6 100644 --- a/security/py-yara-python-dex/distinfo +++ b/security/py-yara-python-dex/distinfo @@ -1,6 +1,6 @@ -TIMESTAMP = 1736800627 -SHA256 (MobSF-yara-python-dex-1.0.7.1_GH0.tar.gz) = 9b2febf8341d724480ee15f94adde22ea6f9f902346f59e2e9b92ec029b7ade2 -SIZE (MobSF-yara-python-dex-1.0.7.1_GH0.tar.gz) = 4505 +TIMESTAMP = 1757003675 +SHA256 (MobSF-yara-python-dex-1.0.9_GH0.tar.gz) = 1e135345d961f019c5dd31a85876aa6552aa471a9604fcc5683c85fab93e7425 +SIZE (MobSF-yara-python-dex-1.0.9_GH0.tar.gz) = 4748 SHA256 (VirusTotal-yara-python-188cb6e85137f715fef563f61c6b4f21ad026562_GH0.tar.gz) = f685495d280ba2105fa4ca31e0ac8173f16c93c28514c2e66b25a57c7d2d45b8 SIZE (VirusTotal-yara-python-188cb6e85137f715fef563f61c6b4f21ad026562_GH0.tar.gz) = 31860 SHA256 (VirusTotal-yara-ed1a1a430c64cf908b61a5fadc3958866a840bc6_GH0.tar.gz) = 282b97f106076f389e8f74e8e957bdcefbe87cc34887a8be6b5efd64cc96f920 diff --git a/security/py-yara-python-dex/pkg-plist b/security/py-yara-python-dex/pkg-plist deleted file mode 100644 index 5f948a5fbca8..000000000000 --- a/security/py-yara-python-dex/pkg-plist +++ /dev/null @@ -1,6 +0,0 @@ -%%PYTHON_SITELIBDIR%%/yara%%PYTHON_TAG%%.so -%%PYTHON_SITELIBDIR%%/yara_python_dex-%%VER%%-py%%PYTHON_VER%%.egg-info/PKG-INFO -%%PYTHON_SITELIBDIR%%/yara_python_dex-%%VER%%-py%%PYTHON_VER%%.egg-info/SOURCES.txt -%%PYTHON_SITELIBDIR%%/yara_python_dex-%%VER%%-py%%PYTHON_VER%%.egg-info/dependency_links.txt -%%PYTHON_SITELIBDIR%%/yara_python_dex-%%VER%%-py%%PYTHON_VER%%.egg-info/not-zip-safe -%%PYTHON_SITELIBDIR%%/yara_python_dex-%%VER%%-py%%PYTHON_VER%%.egg-info/top_level.txt diff --git a/security/rekor/Makefile b/security/rekor/Makefile index 331e75973e2b..558b50c586fc 100644 --- a/security/rekor/Makefile +++ b/security/rekor/Makefile @@ -1,7 +1,7 @@ PORTNAME= rekor DISTVERSIONPREFIX= v DISTVERSION= 1.3.10 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= bofh@FreeBSD.org diff --git a/security/shibboleth-sp/Makefile b/security/shibboleth-sp/Makefile index d7673458c7f6..96c934a50720 100644 --- a/security/shibboleth-sp/Makefile +++ b/security/shibboleth-sp/Makefile @@ -1,6 +1,5 @@ PORTNAME= shibboleth-sp -PORTVERSION= 3.5.0 -PORTREVISION= 3 +PORTVERSION= 3.5.1 CATEGORIES= security www MASTER_SITES= http://shibboleth.net/downloads/service-provider/${PORTVERSION}/ diff --git a/security/shibboleth-sp/distinfo b/security/shibboleth-sp/distinfo index 483bd5f40c67..34c8b575369e 100644 --- a/security/shibboleth-sp/distinfo +++ b/security/shibboleth-sp/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1729173100 -SHA256 (shibboleth-sp-3.5.0.tar.bz2) = f301604bd17ee4d94a66e6dd7ad1c3f0917949a4a12176d55614483d78fefe58 -SIZE (shibboleth-sp-3.5.0.tar.bz2) = 834909 +TIMESTAMP = 1756924496 +SHA256 (shibboleth-sp-3.5.1.tar.bz2) = 05da3a09d76c3ba1a5ddd7f919fd942be2d87025f214aba139c2b64b804f9a99 +SIZE (shibboleth-sp-3.5.1.tar.bz2) = 837446 diff --git a/security/shibboleth-sp/pkg-plist b/security/shibboleth-sp/pkg-plist index 44d5c5a1a91c..0111f1e8eb89 100644 --- a/security/shibboleth-sp/pkg-plist +++ b/security/shibboleth-sp/pkg-plist @@ -92,7 +92,7 @@ include/shibsp/util/TemplateParameters.h include/shibsp/version.h lib/libshibsp.so lib/libshibsp.so.12 -lib/libshibsp.so.12.0.0 +lib/libshibsp.so.12.0.1 lib/shibboleth/adfs-lite.so lib/shibboleth/adfs.so @comment %%MEMCACHED%%lib/shibboleth/memcache-store.so @@ -104,7 +104,7 @@ lib/shibboleth/plugins.so %%FASTCGI%%lib/shibboleth/shibresponder lib/libshibsp-lite.so lib/libshibsp-lite.so.12 -lib/libshibsp-lite.so.12.0.0 +lib/libshibsp-lite.so.12.0.1 libdata/pkgconfig/shibsp-lite.pc libdata/pkgconfig/shibsp.pc sbin/shibd diff --git a/security/snort3/Makefile b/security/snort3/Makefile index 8a7d723304fe..7064f6c2546e 100644 --- a/security/snort3/Makefile +++ b/security/snort3/Makefile @@ -1,5 +1,5 @@ PORTNAME= snort -DISTVERSION= 3.9.3.0 +DISTVERSION= 3.9.5.0 PORTEPOCH= 1 CATEGORIES= security PKGNAMESUFFIX= 3 diff --git a/security/snort3/distinfo b/security/snort3/distinfo index 5149faaa6b94..4822b69ada6a 100644 --- a/security/snort3/distinfo +++ b/security/snort3/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1754971093 -SHA256 (snort3-snort3-3.9.3.0_GH0.tar.gz) = c7c2f7488b1a9ec5b60b9706fc3f2f3f9c0e1eb57f384e077676c452570468cf -SIZE (snort3-snort3-3.9.3.0_GH0.tar.gz) = 3521227 +TIMESTAMP = 1757072847 +SHA256 (snort3-snort3-3.9.5.0_GH0.tar.gz) = e2e36a8db2c4c26a6ff58ea58839339260319eba25d0eb901ddb7210f4fa4b4c +SIZE (snort3-snort3-3.9.5.0_GH0.tar.gz) = 3525177 diff --git a/security/snowflake-tor/Makefile b/security/snowflake-tor/Makefile index 0049a5ddf87c..0e82f830ff48 100644 --- a/security/snowflake-tor/Makefile +++ b/security/snowflake-tor/Makefile @@ -1,7 +1,7 @@ PORTNAME= snowflake DISTVERSIONPREFIX= v PORTVERSION= 2.5.1 -PORTREVISION= 22 +PORTREVISION= 23 CATEGORIES= security net PKGNAMESUFFIX= -tor diff --git a/security/ssb/Makefile b/security/ssb/Makefile index 734453ff1fd1..d0938babaec5 100644 --- a/security/ssb/Makefile +++ b/security/ssb/Makefile @@ -1,7 +1,7 @@ PORTNAME= ssb DISTVERSIONPREFIX= v DISTVERSION= 0.1.1 -PORTREVISION= 28 +PORTREVISION= 29 CATEGORIES= security MAINTAINER= ports@FreeBSD.org diff --git a/security/ssl-checker/Makefile b/security/ssl-checker/Makefile index c49b5c6df697..93673abb45d9 100644 --- a/security/ssl-checker/Makefile +++ b/security/ssl-checker/Makefile @@ -1,7 +1,7 @@ PORTNAME= ssl-checker DISTVERSIONPREFIX= v DISTVERSION= 0.1.7 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= olgeni@FreeBSD.org diff --git a/security/ssllabs-scan/Makefile b/security/ssllabs-scan/Makefile index 1d6aba12355c..a36d64259294 100644 --- a/security/ssllabs-scan/Makefile +++ b/security/ssllabs-scan/Makefile @@ -1,7 +1,7 @@ PORTNAME= ssllabs-scan DISTVERSIONPREFIX= v DISTVERSION= 1.5.0 -PORTREVISION= 28 +PORTREVISION= 29 CATEGORIES= security net MAINTAINER= egypcio@FreeBSD.org diff --git a/security/stegify/Makefile b/security/stegify/Makefile index 7a63858191d3..06d7e41a9747 100644 --- a/security/stegify/Makefile +++ b/security/stegify/Makefile @@ -2,7 +2,7 @@ PORTNAME= stegify DISTVERSIONPREFIX= v DISTVERSION= 1.2-2 DISTVERSIONSUFFIX= -g62518ca -PORTREVISION= 28 +PORTREVISION= 29 CATEGORIES= security graphics MAINTAINER= yuri@FreeBSD.org diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile index 0673446306c3..a4c4b5d22cae 100644 --- a/security/tailscale/Makefile +++ b/security/tailscale/Makefile @@ -1,6 +1,7 @@ PORTNAME= tailscale PORTVERSION= 1.86.4 DISTVERSIONPREFIX= v +PORTREVISION= 1 CATEGORIES= security net-vpn MAINTAINER= ashish@FreeBSD.org diff --git a/security/teleport/Makefile b/security/teleport/Makefile index 93aaf2da4f8d..498f279fe1dd 100644 --- a/security/teleport/Makefile +++ b/security/teleport/Makefile @@ -1,7 +1,7 @@ PORTNAME= teleport DISTVERSIONPREFIX= v DISTVERSION= 5.2.5 -PORTREVISION= 17 +PORTREVISION= 18 CATEGORIES= security MAINTAINER= kraileth@elderlinux.org diff --git a/security/timestamp-authority/Makefile b/security/timestamp-authority/Makefile index 4d278042cdd3..f121f3c4b9a1 100644 --- a/security/timestamp-authority/Makefile +++ b/security/timestamp-authority/Makefile @@ -1,7 +1,7 @@ PORTNAME= timestamp-authority DISTVERSIONPREFIX= v DISTVERSION= 1.2.8 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security MAINTAINER= bofh@FreeBSD.org diff --git a/security/totp-cli/Makefile b/security/totp-cli/Makefile index ed3416a3c81c..b6fad616d90f 100644 --- a/security/totp-cli/Makefile +++ b/security/totp-cli/Makefile @@ -1,7 +1,7 @@ PORTNAME= totp-cli PORTVERSION= 1.9.2 DISTVERSIONPREFIX= v -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= security MAINTAINER= sunpoet@FreeBSD.org diff --git a/security/trillian/Makefile b/security/trillian/Makefile index 7c587b69320c..7bdeb3e299f9 100644 --- a/security/trillian/Makefile +++ b/security/trillian/Makefile @@ -1,7 +1,7 @@ PORTNAME= trillian DISTVERSIONPREFIX= v DISTVERSION= 1.7.2 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= bofh@FreeBSD.org diff --git a/security/trivy/Makefile b/security/trivy/Makefile index 73dc6b9c2181..a3a64eed48e0 100644 --- a/security/trivy/Makefile +++ b/security/trivy/Makefile @@ -1,6 +1,7 @@ PORTNAME= trivy DISTVERSIONPREFIX= v DISTVERSION= 0.66.0 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= mfechner@FreeBSD.org diff --git a/security/tscli/Makefile b/security/tscli/Makefile index 6ec2f243475d..730a440763dc 100644 --- a/security/tscli/Makefile +++ b/security/tscli/Makefile @@ -1,7 +1,7 @@ PORTNAME= tscli DISTVERSIONPREFIX= v DISTVERSION= 0.0.15 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= dtxdf@FreeBSD.org diff --git a/security/vault/Makefile b/security/vault/Makefile index 590a93f11d40..7906ac22206e 100644 --- a/security/vault/Makefile +++ b/security/vault/Makefile @@ -1,6 +1,6 @@ PORTNAME= vault DISTVERSIONPREFIX= v -DISTVERSION= 1.20.2 +DISTVERSION= 1.20.3 CATEGORIES= security MASTER_SITES= https://raw.githubusercontent.com/hashicorp/vault/${DISTVERSIONFULL}/ \ LOCAL/bofh/security/${PORTNAME}/:web_ui @@ -46,7 +46,7 @@ GROUPS= vault PLIST_FILES= bin/${PORTNAME} -GITID= 824d12909d5b596ddd3f34d9c8f169b4f9701a0c +GITID= 7665ff29d77e5cb3ea9ddbeaed49ee312e53c6b8 .include <bsd.port.pre.mk> diff --git a/security/vault/distinfo b/security/vault/distinfo index c17babae63fa..c8a637c2add4 100644 --- a/security/vault/distinfo +++ b/security/vault/distinfo @@ -1,17 +1,17 @@ -TIMESTAMP = 1754685277 -SHA256 (go/security_vault/hashicorp-vault-v1.20.2_GH0/go.mod) = cd83bd31fc0bfb55d172ae8fc8f8bc3930bc52602a5b73b2cccbf5428e144241 -SIZE (go/security_vault/hashicorp-vault-v1.20.2_GH0/go.mod) = 30390 -SHA256 (go/security_vault/hashicorp-vault-v1.20.2_GH0/api/go.mod) = c0d25838a7b72c0a5450c0c346e22eea9d24074c637f99e13941fd74980330e5 -SIZE (go/security_vault/hashicorp-vault-v1.20.2_GH0/api/go.mod) = 1659 -SHA256 (go/security_vault/hashicorp-vault-v1.20.2_GH0/api/auth/approle/go.mod) = 94d14c8d7b0e143e5cda121829d639935bcd5bab9cc4961ca4ac432ec675a5b9 -SIZE (go/security_vault/hashicorp-vault-v1.20.2_GH0/api/auth/approle/go.mod) = 1065 -SHA256 (go/security_vault/hashicorp-vault-v1.20.2_GH0/api/auth/kubernetes/go.mod) = bb4af50f74cdf95fd886651b1911dff90e118c62270497102ce144f5c76c9b1d -SIZE (go/security_vault/hashicorp-vault-v1.20.2_GH0/api/auth/kubernetes/go.mod) = 1068 -SHA256 (go/security_vault/hashicorp-vault-v1.20.2_GH0/api/auth/userpass/go.mod) = e92fff72dd8294c27b29ba8fc653d28edf322d8f59d98258ea87691dd5777b56 -SIZE (go/security_vault/hashicorp-vault-v1.20.2_GH0/api/auth/userpass/go.mod) = 1066 -SHA256 (go/security_vault/hashicorp-vault-v1.20.2_GH0/sdk/go.mod) = a3da120c91c4a0a9a2ad7e2fac36034da35a1527668359a6c9f19800aa88f2f1 -SIZE (go/security_vault/hashicorp-vault-v1.20.2_GH0/sdk/go.mod) = 6759 -SHA256 (go/security_vault/hashicorp-vault-v1.20.2_GH0/vault-web_ui-1.20.2.tar.gz) = 5d6a244ae81312a78c847abeec525a01cfe92fdf2f7df6d812a884f14561cc96 -SIZE (go/security_vault/hashicorp-vault-v1.20.2_GH0/vault-web_ui-1.20.2.tar.gz) = 3584329 -SHA256 (go/security_vault/hashicorp-vault-v1.20.2_GH0/hashicorp-vault-v1.20.2_GH0.tar.gz) = cff7c65f4cfdebbf2a419e77debe5dda1abd93d48f673e8bbbd4c5e5161233e2 -SIZE (go/security_vault/hashicorp-vault-v1.20.2_GH0/hashicorp-vault-v1.20.2_GH0.tar.gz) = 41645004 +TIMESTAMP = 1756981575 +SHA256 (go/security_vault/hashicorp-vault-v1.20.3_GH0/go.mod) = 7113bb21f1f4e49f214b327ab6bf38e61c7a1d6a90945d800af5c95adfe35ef4 +SIZE (go/security_vault/hashicorp-vault-v1.20.3_GH0/go.mod) = 30603 +SHA256 (go/security_vault/hashicorp-vault-v1.20.3_GH0/api/go.mod) = c0d25838a7b72c0a5450c0c346e22eea9d24074c637f99e13941fd74980330e5 +SIZE (go/security_vault/hashicorp-vault-v1.20.3_GH0/api/go.mod) = 1659 +SHA256 (go/security_vault/hashicorp-vault-v1.20.3_GH0/api/auth/approle/go.mod) = 94d14c8d7b0e143e5cda121829d639935bcd5bab9cc4961ca4ac432ec675a5b9 +SIZE (go/security_vault/hashicorp-vault-v1.20.3_GH0/api/auth/approle/go.mod) = 1065 +SHA256 (go/security_vault/hashicorp-vault-v1.20.3_GH0/api/auth/kubernetes/go.mod) = bb4af50f74cdf95fd886651b1911dff90e118c62270497102ce144f5c76c9b1d +SIZE (go/security_vault/hashicorp-vault-v1.20.3_GH0/api/auth/kubernetes/go.mod) = 1068 +SHA256 (go/security_vault/hashicorp-vault-v1.20.3_GH0/api/auth/userpass/go.mod) = e92fff72dd8294c27b29ba8fc653d28edf322d8f59d98258ea87691dd5777b56 +SIZE (go/security_vault/hashicorp-vault-v1.20.3_GH0/api/auth/userpass/go.mod) = 1066 +SHA256 (go/security_vault/hashicorp-vault-v1.20.3_GH0/sdk/go.mod) = aa3fe5aee6ec08608f8f97f1238b1a132bb89973069985e0ae24d9e492b2df7c +SIZE (go/security_vault/hashicorp-vault-v1.20.3_GH0/sdk/go.mod) = 6786 +SHA256 (go/security_vault/hashicorp-vault-v1.20.3_GH0/vault-web_ui-1.20.3.tar.gz) = 4131d8f602bce1ced7275ea2925e18ccd202d03a0fcc69e3f338fafcbaeb22d8 +SIZE (go/security_vault/hashicorp-vault-v1.20.3_GH0/vault-web_ui-1.20.3.tar.gz) = 3513752 +SHA256 (go/security_vault/hashicorp-vault-v1.20.3_GH0/hashicorp-vault-v1.20.3_GH0.tar.gz) = 024dbc999b4149551da398355008d29827459e52f4379a129eb20c5284647050 +SIZE (go/security_vault/hashicorp-vault-v1.20.3_GH0/hashicorp-vault-v1.20.3_GH0.tar.gz) = 41634047 diff --git a/security/vouch-proxy/Makefile b/security/vouch-proxy/Makefile index 9d4136e4cbdf..f430df7765fd 100644 --- a/security/vouch-proxy/Makefile +++ b/security/vouch-proxy/Makefile @@ -1,7 +1,7 @@ PORTNAME= vouch-proxy DISTVERSIONPREFIX=v DISTVERSION= 0.45.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= decke@FreeBSD.org diff --git a/security/vuls/Makefile b/security/vuls/Makefile index f2c58e968a83..0a3bfc140f06 100644 --- a/security/vuls/Makefile +++ b/security/vuls/Makefile @@ -1,6 +1,7 @@ PORTNAME= vuls DISTVERSIONPREFIX=v DISTVERSION= 0.33.4 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= girgen@FreeBSD.org diff --git a/security/vulsrepo/Makefile b/security/vulsrepo/Makefile index a8bed60e8097..da2e8927160c 100644 --- a/security/vulsrepo/Makefile +++ b/security/vulsrepo/Makefile @@ -1,7 +1,7 @@ PORTNAME= vulsrepo PORTVERSION= 0.7.1 DISTVERSIONPREFIX=v -PORTREVISION= 12 +PORTREVISION= 13 CATEGORIES= security www MASTER_SITES= https://raw.githubusercontent.com/${GH_ACCOUNT}/${PORTNAME}/v${PORTVERSION}/server/:gomod DISTFILES= go.mod:gomod diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index d587a9dae0e9..0a19623ed18f 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,169 @@ + <vuln vid="340dc4c1-895a-11f0-b6e5-4ccc6adda413"> + <topic>exiv2 -- Denial-of-service</topic> + <affects> + <package> + <name>exiv2</name> + <range><lt>0.28.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Kevin Backhouse reports:</p> + <blockquote cite="https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g"> + <p>A denial-of-service was found in Exiv2 version v0.28.5: a quadratic + algorithm in the ICC profile parsing code in jpegBase::readMetadata() + can cause Exiv2 to run for a long time. Exiv2 is a command-line utility + and C++ library for reading, writing, deleting, and modifying the + metadata of image files. The denial-of-service is triggered when Exiv2 + is used to read the metadata of a crafted jpg image file.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-55304</cvename> + <url>https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g</url> + </references> + <dates> + <discovery>2025-08-29</discovery> + <entry>2025-09-04</entry> + </dates> + </vuln> + + <vuln vid="84a77710-8958-11f0-b6e5-4ccc6adda413"> + <topic>exiv2 -- Out-of-bounds read in Exiv2::EpsImage::writeMetadata()</topic> + <affects> + <package> + <name>exiv2</name> + <range><lt>0.28.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Kevin Backhouse reports:</p> + <blockquote cite="https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39"> + <p>An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier. + Exiv2 is a command-line utility and C++ library for reading, writing, + deleting, and modifying the metadata of image files. The out-of-bounds + read is triggered when Exiv2 is used to write metadata into a crafted + image file. An attacker could potentially exploit the vulnerability to + cause a denial of service by crashing Exiv2, if they can trick the victim + into running Exiv2 on a crafted image file.</p> + <p>Note that this bug is only triggered when writing the metadata, which + is a less frequently used Exiv2 operation than reading the metadata. For + example, to trigger the bug in the Exiv2 command-line application, you + need to add an extra command-line argument such as delete.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-54080</cvename> + <url>https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39</url> + </references> + <dates> + <discovery>2025-08-29</discovery> + <entry>2025-09-04</entry> + </dates> + </vuln> + + <vuln vid="0db8684f-8938-11f0-8325-bc2411f8eb0b"> + <topic>Django -- multiple vulnerabilities</topic> + <affects> + <package> + <name>py39-django42</name> + <name>py310-django42</name> + <name>py311-django42</name> + <range><lt>4.2.24</lt></range> + </package> + <package> + <name>py310-django51</name> + <name>py311-django51</name> + <range><lt>5.1.12</lt></range> + </package> + <package> + <name>py310-django52</name> + <name>py311-django52</name> + <range><lt>5.2.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Django reports:</p> + <blockquote cite="https://www.djangoproject.com/weblog/2025/sep/03/security-releases/"> + <p>CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-57833</cvename> + <url>https://www.djangoproject.com/weblog/2025/sep/03/security-releases/</url> + </references> + <dates> + <discovery>2025-09-01</discovery> + <entry>2025-09-04</entry> + </dates> + </vuln> + + <vuln vid="9f9b0b37-88fa-11f0-90a2-6cc21735f730"> + <topic>Shibboleth Service Provider -- SQL injection vulnerability in ODBC plugin</topic> + <affects> + <package> + <name>shibboleth-sp</name> + <range><lt>3.5.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Internet2 reports:</p> + <blockquote cite="https://shibboleth.net/community/advisories/secadv_20250903.txt"> + <p>The Shibboleth Service Provider includes a storage API usable + for a number of different use cases such as the session cache, + replay cache, and relay state management. An ODBC extension + plugin is provided with some distributions of the software + (notably on Windows).</p> + <p>A SQL injection vulnerability was identified in some of the + queries issued by the plugin, and this can be creatively + exploited through specially crafted inputs to exfiltrate + information stored in the database used by the SP.</p> + </blockquote> + </body> + </description> + <references> + <url>https://shibboleth.net/community/advisories/secadv_20250903.txt</url> + </references> + <dates> + <discovery>2025-09-03</discovery> + <entry>2025-09-03</entry> + </dates> + </vuln> + + <vuln vid="aaa060af-88d6-11f0-a294-b0416f0c4c67"> + <topic>Vieb -- Remote Code Execution via Visiting Untrusted URLs</topic> + <affects> + <package> + <name>linux-vieb</name> + <range><lt>12.4.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Zhengyu Liu, Jianjia Yu, Jelmer van Arnhem report:</p> + <blockquote cite="https://github.com/Jelmerro/Vieb/security/advisories/GHSA-h2fq-667q-7gpm"> + <p>We discovered a remote code execution (RCE) vulnerability in the latest + release of the Vieb browser (v12.3.0). By luring a user to visit a + malicious website, an attacker can achieve arbitrary code execution on the + victim’s machine.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/Jelmerro/Vieb/security/advisories/GHSA-h2fq-667q-7gpm</url> + </references> + <dates> + <discovery>2025-07-31</discovery> + <entry>2025-09-03</entry> + </dates> + </vuln> + <vuln vid="d7b7e505-8486-11f0-9d03-2cf05da270f3"> <topic>Gitlab -- vulnerabilities</topic> <affects> @@ -2067,7 +2233,7 @@ <affects> <package> <name>libxslt</name> - <range><lt>2</lt></range> <!-- adjust should libxslt ever be fixed --> + <range><lt>1.1.43_2</lt></range> <!-- adjust should libxslt ever be fixed --> </package> <package> <name>linux-c7-libxslt</name> diff --git a/security/webtunnel-tor/Makefile b/security/webtunnel-tor/Makefile index c7513b884ffd..e8f1ab7cd74f 100644 --- a/security/webtunnel-tor/Makefile +++ b/security/webtunnel-tor/Makefile @@ -1,6 +1,6 @@ PORTNAME= webtunnel PORTVERSION= 0.0.1 -PORTREVISION= 16 +PORTREVISION= 17 CATEGORIES= security net PKGNAMESUFFIX= -tor diff --git a/security/xhash/Makefile b/security/xhash/Makefile index 03808fd1144d..7436f73301cb 100644 --- a/security/xhash/Makefile +++ b/security/xhash/Makefile @@ -1,7 +1,7 @@ PORTNAME= xhash DISTVERSIONPREFIX= v DISTVERSION= 3.6.3 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MAINTAINER= rbranco@suse.com diff --git a/security/xray-core/Makefile b/security/xray-core/Makefile index 6030334ae8fc..310320cfe4ab 100644 --- a/security/xray-core/Makefile +++ b/security/xray-core/Makefile @@ -1,7 +1,7 @@ PORTNAME= xray-core DISTVERSIONPREFIX= v DISTVERSION= 25.7.26 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= https://github.com/v2fly/geoip/releases/download/202507050144/:geoip \ https://github.com/v2fly/domain-list-community/releases/download/20250627153051/:geosite diff --git a/security/yubikey-agent/Makefile b/security/yubikey-agent/Makefile index 06d0f27154a4..5c886fbca140 100644 --- a/security/yubikey-agent/Makefile +++ b/security/yubikey-agent/Makefile @@ -1,7 +1,7 @@ PORTNAME= yubikey-agent DISTVERSIONPREFIX= v DISTVERSION= 0.1.6 -PORTREVISION= 21 +PORTREVISION= 22 CATEGORIES= security sysutils MAINTAINER= egypcio@FreeBSD.org diff --git a/security/yubikey-manager-qt/Makefile b/security/yubikey-manager-qt/Makefile new file mode 100644 index 000000000000..70f1c79cd6e9 --- /dev/null +++ b/security/yubikey-manager-qt/Makefile @@ -0,0 +1,47 @@ +PORTNAME= yubikey-manager-qt +DISTVERSIONPREFIX= yubikey-manager-qt- +DISTVERSION= 1.2.0 +PORTREVISION= 1 +CATEGORIES= security + +MAINTAINER= daniel@shafer.cc +COMMENT= Cross-platform application for configuring any YubiKey +WWW= https://developers.yubico.com/yubikey-manager-qt/ + +LICENSE= BSD2CLAUSE +LICENSE_FILE= ${WRKSRC}/COPYING + +BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yubikey-manager>0:security/py-yubikey-manager@${PY_FLAVOR} \ + pyotherside-qt5>0:devel/pyotherside-qt5 +RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yubikey-manager>0:security/py-yubikey-manager@${PY_FLAVOR} \ + pyotherside-qt5>0:devel/pyotherside-qt5 + +USES= compiler:c++11-lang gl pkgconfig python qt:5 qmake \ + shebangfix +USE_GL= gl +USE_QT= core declarative graphicaleffects gui network quickcontrols \ + quickcontrols2 svg widgets buildtools:build + +USE_GITHUB= yes +GH_ACCOUNT= Yubico + +SHEBANG_FILES= ykman-gui/py/yubikey.py \ + ykman-cli/test.py \ + ykman-cli/py/cli.py \ + build_qrc.py + +PLIST_FILES= bin/ykman-gui \ + share/applications/ykman-gui.desktop \ + share/pixmaps/ykman.png + +post-extract: + @${REINPLACE_CMD} -e '/system/s|python|${PYTHON_CMD}|g' ${WRKSRC}/ykman-gui/ykman-gui.pro \ + ${WRKSRC}/ykman-cli/ykman-cli.pro + @${REINPLACE_CMD} -e 's|/usr/bin/ykman-gui|${PREFIX}/bin/ykman-gui|g' ${WRKSRC}/resources/linux/AppRun + @${REINPLACE_CMD} -e 's|target.path = /usr/bin|target.path = ${PREFIX}/bin|g' ${WRKSRC}/ykman-gui/deployment.pri + +post-install: + ${INSTALL_DATA} ${WRKSRC}/resources/ykman-gui.desktop ${STAGEDIR}${PREFIX}/share/applications + ${INSTALL_DATA} ${WRKSRC}/resources/icons/ykman.png ${STAGEDIR}${PREFIX}/share/pixmaps + +.include <bsd.port.mk> diff --git a/security/yubikey-manager-qt/distinfo b/security/yubikey-manager-qt/distinfo new file mode 100644 index 000000000000..d8ad64d7c0ac --- /dev/null +++ b/security/yubikey-manager-qt/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1616216055 +SHA256 (Yubico-yubikey-manager-qt-yubikey-manager-qt-1.2.0_GH0.tar.gz) = 3f3c998f93b74b869c232f5f951a9d7b2f68b007c20be8e39a698e24ea7aae0b +SIZE (Yubico-yubikey-manager-qt-yubikey-manager-qt-1.2.0_GH0.tar.gz) = 17311666 diff --git a/security/yubikey-manager-qt/pkg-descr b/security/yubikey-manager-qt/pkg-descr new file mode 100644 index 000000000000..86b0e115ab9f --- /dev/null +++ b/security/yubikey-manager-qt/pkg-descr @@ -0,0 +1,2 @@ +Cross-platform application for configuring any YubiKey +over all USB interfaces. diff --git a/security/yubikey-manager-qt/pkg-message b/security/yubikey-manager-qt/pkg-message new file mode 100644 index 000000000000..69e21c9701be --- /dev/null +++ b/security/yubikey-manager-qt/pkg-message @@ -0,0 +1,7 @@ +[ +{ type: install + message: <<EOM +In addition to the application itself, you may also need to manually install and start the pcscd service <devel/pcsc-lite> for CCID support. +EOM +} +] diff --git a/security/yubioath-desktop/Makefile b/security/yubioath-desktop/Makefile new file mode 100644 index 000000000000..5f2373a67822 --- /dev/null +++ b/security/yubioath-desktop/Makefile @@ -0,0 +1,45 @@ +PORTNAME= yubioath-desktop +DISTVERSIONPREFIX= yubioath-desktop- +DISTVERSION= 5.0.4 +PORTREVISION= 2 +CATEGORIES= security + +MAINTAINER= daniel@shafer.cc +COMMENT= GUI for displaying OATH codes with a Yubikey +WWW= https://developers.yubico.com/yubioath-desktop/ + +LICENSE= BSD2CLAUSE +LICENSE_FILE= ${WRKSRC}/COPYING + +RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yubikey-manager>=0.7.0:security/py-yubikey-manager@${PY_FLAVOR} \ + pyotherside-qt5>0:devel/pyotherside-qt5 \ + RSA_SecurID_getpasswd:devel/libccid \ + libffi>0:devel/libffi \ + pcscd:devel/pcsc-lite \ + swig:devel/swig + +USES= compiler:c++11-lang desktop-file-utils gl python qmake qt:5 \ + shebangfix ssl +USE_GL= gl +USE_QT= core declarative gui network quickcontrols2 svg widgets buildtools:build + +USE_GITHUB= yes +GH_ACCOUNT= Yubico + +SHEBANG_FILES= build_qrc.py \ + py/yubikey.py \ + +PLIST_FILES= bin/yubioath-desktop \ + share/applications/com.yubico.yubioath.desktop \ + share/pixmaps/com.yubico.yubioath.png + +post-patch: + @${REINPLACE_CMD} -e '/PYTHON_CMD/s|python3|${PYTHON_CMD}|g' \ + ${WRKSRC}/yubioath-desktop.pro + @${REINPLACE_CMD} -e 's|target.path = /usr/bin|target.path = ${PREFIX}/bin|g' ${WRKSRC}/deployment.pri + +post-install: + ${INSTALL_DATA} ${WRKSRC}/resources/com.yubico.yubioath.desktop ${STAGEDIR}${PREFIX}/share/applications + ${INSTALL_DATA} ${WRKSRC}/resources/icons/com.yubico.yubioath.png ${STAGEDIR}${PREFIX}/share/pixmaps + +.include <bsd.port.mk> diff --git a/security/yubioath-desktop/distinfo b/security/yubioath-desktop/distinfo new file mode 100644 index 000000000000..568b3dd1904e --- /dev/null +++ b/security/yubioath-desktop/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1616213145 +SHA256 (Yubico-yubioath-desktop-yubioath-desktop-5.0.4_GH0.tar.gz) = b47c8715e415b0e0ea0237e6f56d328fc8d3303a87ad89d4540d4f4a93138bd7 +SIZE (Yubico-yubioath-desktop-yubioath-desktop-5.0.4_GH0.tar.gz) = 5657338 diff --git a/security/yubioath-desktop/pkg-descr b/security/yubioath-desktop/pkg-descr new file mode 100644 index 000000000000..8a3575b7be09 --- /dev/null +++ b/security/yubioath-desktop/pkg-descr @@ -0,0 +1,3 @@ +Cross-platform application for generating Open Authentication (OATH) time-based +TOTP and event-based HOTP one-time password codes, with the help of a YubiKey +that protects the shared secrets. diff --git a/security/yubioath-desktop/pkg-message b/security/yubioath-desktop/pkg-message new file mode 100644 index 000000000000..7f4f2a2c4875 --- /dev/null +++ b/security/yubioath-desktop/pkg-message @@ -0,0 +1,7 @@ +[ +{ type: install + message: <<EOM + Before running make sure that the pcscd service is enabled and running +EOM +} +] |