diff options
Diffstat (limited to 'security')
108 files changed, 1396 insertions, 838 deletions
diff --git a/security/Makefile b/security/Makefile index e7f3d95c9556..c25bff7144da 100644 --- a/security/Makefile +++ b/security/Makefile @@ -331,7 +331,6 @@ SUBDIR += libtasn1 SUBDIR += libtatsu SUBDIR += libtomcrypt - SUBDIR += libu2f-host SUBDIR += libwhisker SUBDIR += libxcrypt SUBDIR += libyubikey @@ -458,6 +457,7 @@ SUBDIR += openssl33-quictls SUBDIR += openssl34 SUBDIR += openssl35 + SUBDIR += openssl36 SUBDIR += openvas SUBDIR += openvpn SUBDIR += openvpn-admin @@ -649,15 +649,10 @@ SUBDIR += p5-Crypt-xDBM_File SUBDIR += p5-CryptX SUBDIR += p5-Dancer-Plugin-Auth-Extensible - SUBDIR += p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup - SUBDIR += p5-Dancer-Plugin-Passphrase SUBDIR += p5-Dancer2-Plugin-Auth-Extensible SUBDIR += p5-Dancer2-Plugin-Auth-Extensible-Provider-DBIC SUBDIR += p5-Dancer2-Plugin-Auth-Extensible-Provider-Database SUBDIR += p5-Dancer2-Plugin-Auth-Extensible-Provider-IMAP - SUBDIR += p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup - SUBDIR += p5-Dancer2-Plugin-Passphrase - SUBDIR += p5-Data-Entropy SUBDIR += p5-Data-Password SUBDIR += p5-Digest SUBDIR += p5-Digest-Adler32 @@ -1002,7 +997,6 @@ SUBDIR += py-nvdlib SUBDIR += py-oauthlib SUBDIR += py-omemo-dr - SUBDIR += py-onlykey SUBDIR += py-openssh-wrapper SUBDIR += py-openssl SUBDIR += py-oscrypto @@ -1441,9 +1435,7 @@ SUBDIR += ylva SUBDIR += yubico-piv-tool SUBDIR += yubikey-agent - SUBDIR += yubikey-manager-qt SUBDIR += yubikey-personalization-gui - SUBDIR += yubioath-desktop SUBDIR += zaproxy SUBDIR += zeek SUBDIR += zeronet diff --git a/security/acmed/Makefile b/security/acmed/Makefile index 8e0aa0273009..6fec0c7fbe30 100644 --- a/security/acmed/Makefile +++ b/security/acmed/Makefile @@ -1,7 +1,7 @@ PORTNAME= acmed DISTVERSIONPREFIX= v DISTVERSION= 0.21.0 -PORTREVISION= 21 +PORTREVISION= 22 CATEGORIES= security MAINTAINER= ports@FreeBSD.org diff --git a/security/agave/Makefile b/security/agave/Makefile index aed19e0f2e41..44614004e259 100644 --- a/security/agave/Makefile +++ b/security/agave/Makefile @@ -1,7 +1,7 @@ PORTNAME= agave DISTVERSIONPREFIX= v DISTVERSION= 2.2.14 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security PKGNAMESUFFIX= -blockchain diff --git a/security/arti/Makefile b/security/arti/Makefile index 0827536cfb82..7ff5ced0400a 100644 --- a/security/arti/Makefile +++ b/security/arti/Makefile @@ -1,5 +1,6 @@ PORTNAME= arti DISTVERSION= 1.5.0 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= cs@FreeBSD.org diff --git a/security/authenticator/Makefile b/security/authenticator/Makefile index fb1d86d80305..191034a9fcca 100644 --- a/security/authenticator/Makefile +++ b/security/authenticator/Makefile @@ -1,6 +1,6 @@ PORTNAME= authenticator DISTVERSION= 4.4.0 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= security MAINTAINER= ports@FreeBSD.org diff --git a/security/authoscope/Makefile b/security/authoscope/Makefile index 94c87c4a6fdf..6645a15213a6 100644 --- a/security/authoscope/Makefile +++ b/security/authoscope/Makefile @@ -1,7 +1,7 @@ PORTNAME= authoscope DISTVERSIONPREFIX= v DISTVERSION= 0.8.1 -PORTREVISION= 23 +PORTREVISION= 24 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org diff --git a/security/aws-lc/Makefile b/security/aws-lc/Makefile index 1e0c61f021c8..b2c1dac66de6 100644 --- a/security/aws-lc/Makefile +++ b/security/aws-lc/Makefile @@ -1,8 +1,11 @@ PORTNAME= aws-lc -PORTVERSION= 1.55.0 +PORTVERSION= 1.57.1 DISTVERSIONPREFIX= v CATEGORIES= security +PATCH_SITES= https://github.com/aws/aws-lc/commit/ +PATCHFILES= 125f94c2c26559ed93a22f1cc5880efe46f0b937.patch:-p1 + MAINTAINER= sunpoet@FreeBSD.org COMMENT= AWS libcrypto WWW= https://github.com/aws/aws-lc diff --git a/security/aws-lc/distinfo b/security/aws-lc/distinfo index 0dbd7af0dc75..2327bcddd04b 100644 --- a/security/aws-lc/distinfo +++ b/security/aws-lc/distinfo @@ -1,3 +1,5 @@ -TIMESTAMP = 1751622349 -SHA256 (aws-aws-lc-v1.55.0_GH0.tar.gz) = a216e5e572ad9f68e6b93666f0bbca4d7792f400ca525731583196c139c12ce9 -SIZE (aws-aws-lc-v1.55.0_GH0.tar.gz) = 127105253 +TIMESTAMP = 1755062466 +SHA256 (aws-aws-lc-v1.57.1_GH0.tar.gz) = 1c434d294594a82f1c046aa4e172277b5b549f7b5c89225e3cb2222b94744ca8 +SIZE (aws-aws-lc-v1.57.1_GH0.tar.gz) = 127164147 +SHA256 (125f94c2c26559ed93a22f1cc5880efe46f0b937.patch) = a07ef67b487b47168384d70b7f7bd2b6a8479e037e09087c34f9f083c88411f2 +SIZE (125f94c2c26559ed93a22f1cc5880efe46f0b937.patch) = 2046 diff --git a/security/aws-lc/files/patch-powerpc64le b/security/aws-lc/files/patch-powerpc64le deleted file mode 100644 index 49cc0f44382b..000000000000 --- a/security/aws-lc/files/patch-powerpc64le +++ /dev/null @@ -1,20 +0,0 @@ -Obtained from: https://cgit.FreeBSD.org/ports/commit/?id=f08b67611f0b19c0ee8d9053ee4d22e09b03f2b1 - ---- crypto/fipsmodule/cpucap/cpu_ppc64le.c.orig 2024-07-03 21:50:24 UTC -+++ crypto/fipsmodule/cpucap/cpu_ppc64le.c -@@ -69,10 +69,15 @@ void OPENSSL_cpuid_setup(void) { - - void OPENSSL_cpuid_setup(void) { - #if defined(AT_HWCAP2) -+#if defined(__linux__) - OPENSSL_ppc64le_hwcap2 = getauxval(AT_HWCAP2); -+#elif defined(__FreeBSD__) -+ elf_aux_info(AT_HWCAP2, &OPENSSL_ppc64le_hwcap2, sizeof(OPENSSL_ppc64le_hwcap2)); -+#endif - #else - OPENSSL_ppc64le_hwcap2 = 0; - #endif -+ - OPENSSL_cpucap_initialized = 1; - - // OPENSSL_ppccap is a 64-bit hex string which may start with "0x". diff --git a/security/aws-lc/pkg-plist b/security/aws-lc/pkg-plist index 74bd41ebfb82..87899532d793 100644 --- a/security/aws-lc/pkg-plist +++ b/security/aws-lc/pkg-plist @@ -88,6 +88,7 @@ include/openssl/time.h include/openssl/tls1.h include/openssl/trust_token.h include/openssl/type_check.h +include/openssl/ui.h include/openssl/x509.h include/openssl/x509_vfy.h include/openssl/x509v3.h diff --git a/security/boringssl/Makefile b/security/boringssl/Makefile index 606bce9a84fe..72b0f36c6d29 100644 --- a/security/boringssl/Makefile +++ b/security/boringssl/Makefile @@ -13,7 +13,7 @@ LICENSE_FILE= ${WRKSRC}/LICENSE USES= cmake:insource cpe go:no_targets,1.24 localbase perl5 CONFLICTS_INSTALL= libressl libressl-devel openssl openssl111 \ - openssl3[2345] openssl-quictls openssl33-quictls + openssl3[23456] openssl-quictls openssl33-quictls CPE_VENDOR= google diff --git a/security/caldera-ot/Makefile b/security/caldera-ot/Makefile index 05d869e4dc11..549f91706aea 100644 --- a/security/caldera-ot/Makefile +++ b/security/caldera-ot/Makefile @@ -1,6 +1,6 @@ PORTNAME= caldera-ot DISTVERSION= 5.3.0 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security python MAINTAINER= acm@FreeBSD.org diff --git a/security/caldera/Makefile b/security/caldera/Makefile index 1e8b283724e1..871722852a27 100644 --- a/security/caldera/Makefile +++ b/security/caldera/Makefile @@ -1,6 +1,6 @@ PORTNAME= caldera DISTVERSION= 5.3.0 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security python MAINTAINER= acm@FreeBSD.org diff --git a/security/cargo-audit/Makefile b/security/cargo-audit/Makefile index 750963d30c54..968206cde143 100644 --- a/security/cargo-audit/Makefile +++ b/security/cargo-audit/Makefile @@ -1,7 +1,7 @@ PORTNAME= cargo-audit DISTVERSIONPREFIX= ${PORTNAME}/v DISTVERSION= 0.21.2 -PORTREVISION= 2 +PORTREVISION= 3 PORTEPOCH= 1 CATEGORIES= security diff --git a/security/clamav-lts/Makefile b/security/clamav-lts/Makefile index 4543bd7cfe81..b6539482641f 100644 --- a/security/clamav-lts/Makefile +++ b/security/clamav-lts/Makefile @@ -1,5 +1,6 @@ PORTNAME= clamav DISTVERSION= 1.0.9 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= https://www.clamav.net/downloads/production/ diff --git a/security/clamav/Makefile b/security/clamav/Makefile index cd3a95b8f21b..7a29dc981d0a 100644 --- a/security/clamav/Makefile +++ b/security/clamav/Makefile @@ -1,5 +1,6 @@ PORTNAME= clamav DISTVERSION= 1.4.3 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= https://www.clamav.net/downloads/production/ diff --git a/security/cloak/Makefile b/security/cloak/Makefile index 0dbc8fc8d3f6..5e766c9afb4e 100644 --- a/security/cloak/Makefile +++ b/security/cloak/Makefile @@ -1,7 +1,7 @@ PORTNAME= cloak DISTVERSIONPREFIX= v DISTVERSION= 0.3.0 -PORTREVISION= 31 +PORTREVISION= 32 CATEGORIES= security MAINTAINER= ports@FreeBSD.org diff --git a/security/diswall/Makefile b/security/diswall/Makefile index 0bb4161f86b7..fe69a0d58e55 100644 --- a/security/diswall/Makefile +++ b/security/diswall/Makefile @@ -1,7 +1,7 @@ PORTNAME= diswall DISTVERSIONPREFIX= v DISTVERSION= 0.6.0 -PORTREVISION= 7 +PORTREVISION= 8 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org diff --git a/security/flawz/Makefile b/security/flawz/Makefile index 189d9e0f0b76..5888307efb27 100644 --- a/security/flawz/Makefile +++ b/security/flawz/Makefile @@ -1,7 +1,7 @@ PORTNAME= flawz DISTVERSIONPREFIX= v DISTVERSION= 0.3.0 -PORTREVISION= 7 +PORTREVISION= 8 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org diff --git a/security/gpg-tui/Makefile b/security/gpg-tui/Makefile index 97881f10986a..bd53260d9ce8 100644 --- a/security/gpg-tui/Makefile +++ b/security/gpg-tui/Makefile @@ -1,7 +1,7 @@ PORTNAME= gpg-tui DISTVERSIONPREFIX= v DISTVERSION= 0.11.1 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MAINTAINER= se@FreeBSD.org diff --git a/security/hashcat/Makefile b/security/hashcat/Makefile index be113eb03c5f..f2c76ff7fa2b 100644 --- a/security/hashcat/Makefile +++ b/security/hashcat/Makefile @@ -1,6 +1,7 @@ PORTNAME= hashcat PORTVERSION= 7.1.2 DISTVERSIONPREFIX= v +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security diff --git a/security/kanidm/Makefile b/security/kanidm/Makefile index d26139ca5e75..54b16724b18c 100644 --- a/security/kanidm/Makefile +++ b/security/kanidm/Makefile @@ -1,6 +1,7 @@ PORTNAME= kanidm DISTVERSIONPREFIX= v DISTVERSION= 1.7.3 +PORTREVISION= 1 CATEGORIES= security net MAINTAINER= bofh@FreeBSD.org diff --git a/security/libsecret/Makefile b/security/libsecret/Makefile index 43d6825802cd..9d01aa01e974 100644 --- a/security/libsecret/Makefile +++ b/security/libsecret/Makefile @@ -25,4 +25,6 @@ MESON_ARGS= -Dbash_completion=disabled # see PR 287429 / https://gitlab.gnome.org/GNOME/libsecret/-/issues/106 MESON_ARGS+= -Dc_args="-DHAVE_CMSGCRED" +PIE_UNSAFE= yes + .include <bsd.port.mk> diff --git a/security/libu2f-host/Makefile b/security/libu2f-host/Makefile deleted file mode 100644 index 19795061d2a8..000000000000 --- a/security/libu2f-host/Makefile +++ /dev/null @@ -1,37 +0,0 @@ -PORTNAME= libu2f-host -PORTVERSION= 1.1.10 -DISTVERSIONPREFIX= ${PORTNAME}- -PORTREVISION= 2 -CATEGORIES= security devel - -MAINTAINER= ports@FreeBSD.org -COMMENT= Yubico Universal 2nd Factor (U2F) Host C Library -WWW= https://developers.yubico.com/libu2f-host/ - -LICENSE= LGPL21+ GPLv3+ -LICENSE_COMB= multi - -DEPRECATED= This project is deprecated and is no longer being maintained. libfido2 is a new project with support for U2F and FIDO2. Use security/libfido2 instead -EXPIRATION_DATE=2025-05-31 - -BUILD_DEPENDS= gengetopt:devel/gengetopt \ - gtk-doc>0:textproc/gtk-doc \ - help2man:misc/help2man -LIB_DEPENDS= libhidapi.so:comms/hidapi \ - libjson-c.so:devel/json-c -RUN_DEPENDS= ${LOCALBASE}/etc/devd/u2f.conf:security/u2f-devd - -USES= autoreconf pkgconfig gmake libtool -USE_LDCONFIG= yes -GNU_CONFIGURE= yes -GNU_CONFIGURE_MANPREFIX=${PREFIX}/share -CONFIGURE_ARGS= -enable-gtk-doc -INSTALL_TARGET= install-strip - -USE_GITHUB= yes -GH_ACCOUNT= Yubico - -OPTIONS_DEFINE= DOCS -OPTIONS_SUB= yes - -.include <bsd.port.mk> diff --git a/security/libu2f-host/distinfo b/security/libu2f-host/distinfo deleted file mode 100644 index 424c6964723c..000000000000 --- a/security/libu2f-host/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1559205280 -SHA256 (Yubico-libu2f-host-libu2f-host-1.1.10_GH0.tar.gz) = 45937c6c04349f865d9f047d3a68cc50ea24e9085d18ac2c7d31fa38eb749303 -SIZE (Yubico-libu2f-host-libu2f-host-1.1.10_GH0.tar.gz) = 145840 diff --git a/security/libu2f-host/files/patch-u2f-host-u2fmisc.c b/security/libu2f-host/files/patch-u2f-host-u2fmisc.c deleted file mode 100644 index 686fd3a0377b..000000000000 --- a/security/libu2f-host/files/patch-u2f-host-u2fmisc.c +++ /dev/null @@ -1,29 +0,0 @@ ---- u2f-host/u2fmisc.c.orig 2019-05-15 11:54:11 UTC -+++ u2f-host/u2fmisc.c -@@ -30,7 +30,7 @@ - #define u2fh_json_object_object_get(obj, key, value) json_object_object_get_ex(obj, key, &value) - #else - typedef int json_bool; --#define u2fh_json_object_object_get(obj, key, value) (value = json_object_object_get(obj, key)) == NULL ? (json_bool)FALSE : (json_bool)TRUE -+#define u2fh_json_object_object_get(obj, key, value) (value = json_object_object_get(obj, key)) == NULL ? 0 : 1 - #endif - - static void -@@ -114,7 +114,7 @@ prepare_origin (const char *jsonstr, unsigned char *p) - if (debug) - fprintf (stderr, "JSON: %s\n", json_object_to_json_string (jo)); - -- if (u2fh_json_object_object_get (jo, "appId", k) == FALSE) -+ if (u2fh_json_object_object_get (jo, "appId", k) == 0) - return U2FH_JSON_ERROR; - - app_id = json_object_get_string (k); -@@ -390,7 +390,7 @@ get_fixed_json_data (const char *jsonstr, const char * - if (debug) - fprintf (stderr, "JSON: %s\n", json_object_to_json_string (jo)); - -- if (u2fh_json_object_object_get (jo, key, k) == FALSE) -+ if (u2fh_json_object_object_get (jo, key, k) == 0) - return U2FH_JSON_ERROR; - - urlb64 = json_object_get_string (k); diff --git a/security/libu2f-host/pkg-descr b/security/libu2f-host/pkg-descr deleted file mode 100644 index 77126da87be0..000000000000 --- a/security/libu2f-host/pkg-descr +++ /dev/null @@ -1,3 +0,0 @@ -Libu2f-host provides a C library and command-line tool that implements the -host-side of the U2F protocol. There are APIs to talk to a U2F device and -perform the U2F Register and U2F Authenticate operations. diff --git a/security/libu2f-host/pkg-plist b/security/libu2f-host/pkg-plist deleted file mode 100644 index 9485c17eaf73..000000000000 --- a/security/libu2f-host/pkg-plist +++ /dev/null @@ -1,24 +0,0 @@ -bin/u2f-host -include/u2f-host/u2f-host-types.h -include/u2f-host/u2f-host-version.h -include/u2f-host/u2f-host.h -lib/libu2f-host.a -lib/libu2f-host.so -lib/libu2f-host.so.0 -lib/libu2f-host.so.0.1.10 -libdata/pkgconfig/u2f-host.pc -share/man/man1/u2f-host.1.gz -%%DOCS%%share/gtk-doc/html/u2f-host/home.png -%%DOCS%%share/gtk-doc/html/u2f-host/index.html -%%DOCS%%share/gtk-doc/html/u2f-host/intro.html -%%DOCS%%share/gtk-doc/html/u2f-host/left-insensitive.png -%%DOCS%%share/gtk-doc/html/u2f-host/left.png -%%DOCS%%share/gtk-doc/html/u2f-host/right-insensitive.png -%%DOCS%%share/gtk-doc/html/u2f-host/right.png -%%DOCS%%share/gtk-doc/html/u2f-host/style.css -%%DOCS%%share/gtk-doc/html/u2f-host/u2f-host-u2f-host-types.html -%%DOCS%%share/gtk-doc/html/u2f-host/u2f-host-u2f-host-version.html -%%DOCS%%share/gtk-doc/html/u2f-host/u2f-host-u2f-host.html -%%DOCS%%share/gtk-doc/html/u2f-host/u2f-host.devhelp2 -%%DOCS%%share/gtk-doc/html/u2f-host/up-insensitive.png -%%DOCS%%share/gtk-doc/html/u2f-host/up.png diff --git a/security/openssl36/Makefile b/security/openssl36/Makefile new file mode 100644 index 000000000000..9604e260b8e0 --- /dev/null +++ b/security/openssl36/Makefile @@ -0,0 +1,206 @@ +PORTNAME= openssl +DISTVERSION= 3.6.0-alpha1 +PORTREVISION= 1 +CATEGORIES= security devel +PKGNAMESUFFIX= 36 +MASTER_SITES= https://github.com/openssl/openssl/releases/download/${DISTNAME}/ + +MAINTAINER= brnrd@FreeBSD.org +COMMENT= TLSv1.3 capable SSL and crypto library +WWW= https://www.openssl.org/ + +LICENSE= APACHE20 +LICENSE_FILE= ${WRKSRC}/LICENSE.txt + +CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl111 openssl3[1234] openssl*-quictls + +HAS_CONFIGURE= yes +CONFIGURE_SCRIPT= config +CONFIGURE_ENV= PERL="${PERL}" +CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ + --prefix=${PREFIX} + +USES= cpe perl5 +USE_PERL5= build +TEST_TARGET= test + +LDFLAGS_i386= -Wl,-znotext + +MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}" +MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= + +OPTIONS_GROUP= CIPHERS COMPRESSION HASHES MODULES OPTIMIZE PQC \ + PROTOCOLS +OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 TLS-DEPRECATED-EC \ + WEAK-SSL-CIPHERS +OPTIONS_GROUP_COMPRESSION= BROTLI ZLIB ZSTD +OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3 +OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS THREADPOOL +OPTIONS_GROUP_PQC= ML-DSA ML-KEM SLH-DSA +OPTIONS_GROUP_MODULES= FIPS LEGACY +OPTIONS_DEFINE_i386= I386 +OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG QUIC SCTP SSL3 TLS1 TLS1_1 TLS1_2 + +OPTIONS_DEFINE= ASYNC CT FIPS-JITTER KTLS MAN3 RFC3779 SHARED + +OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST KTLS MAN3 MD4 ML-DSA ML-KEM \ + NEXTPROTONEG QUIC RFC3779 RC2 RC4 RMD160 SCTP SHARED SLH-DSA \ + SSE2 THREADPOOL THREADS TLS1 TLS1_1 TLS1_2 + +OPTIONS_GROUP_OPTIMIZE_amd64= EC + +.if ${MACHINE_ARCH} == "amd64" +OPTIONS_GROUP_OPTIMIZE+= EC +.elif ${MACHINE_ARCH} == "mips64el" +OPTIONS_GROUP_OPTIMIZE+= EC +.endif + +OPTIONS_SUB= yes + +ARIA_DESC= ARIA (South Korean standard) +ASM_DESC= Assembler code +ASYNC_DESC= Asynchronous mode +CIPHERS_DESC= Block Cipher Support +COMPRESSION_DESC= Compression Support +CT_DESC= Certificate Transparency Support +DES_DESC= (Triple) Data Encryption Standard +EC_DESC= Optimize NIST elliptic curves +FIPS_DESC= Build FIPS provider (Note: NOT yet FIPS validated) +FIPS-JITTER_DESC= Use JITTER seed source in FIPS provider +GOST_DESC= GOST (Russian standard) +HASHES_DESC= Hash Function Support +I386_DESC= i386 (instead of i486+) +IDEA_DESC= International Data Encryption Algorithm +KTLS_DESC= Use in-kernel TLS (FreeBSD >13) +LEGACY_DESC= Older algorithms +MAN3_DESC= Install API manpages (section 3, 7) +MD2_DESC= MD2 (obsolete) (requires LEGACY) +MD4_DESC= MD4 (unsafe) +MDC2_DESC= MDC-2 (patented, requires DES) +ML-DSA_DESC= ML-DSA CRYSTALS-Dilithium Digital Signature Algorithm +ML-KEM_DESC= ML-KEM Kyber Key Encapsulation Method +MODULES_DESC= Provider modules +NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) +OPTIMIZE_DESC= Optimizations +PQC_DESC= Post-Quantum Cryptography +PROTOCOLS_DESC= Protocol Support +QUIC_DESC= HTTP/3 +RC2_DESC= RC2 (unsafe) +RC4_DESC= RC4 (unsafe) +RC5_DESC= RC5 (patented) +RMD160_DESC= RIPEMD-160 +RFC3779_DESC= RFC3779 support (BGP) +SCTP_DESC= SCTP (Stream Control Transmission) +SHARED_DESC= Build shared libraries +SLH-DSA_DESC= SLH-DSA Sphinx+ Digital Signature Algorithm +SM2_DESC= SM2 Elliptic Curve DH (Chinese standard) +SM3_DESC= SM3 256bit (Chinese standard) +SM4_DESC= SM4 128bit (Chinese standard) +SSE2_DESC= Runtime SSE2 detection +SSL3_DESC= SSLv3 (unsafe) +TLS-DEPRECATED-EC_DESC= Deprecated elliptic curve groups in TLS (unsafe) +TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2) +TLS1_1_DESC= TLSv1.1 (requires TLS1_2) +TLS1_2_DESC= TLSv1.2 +THREADPOOL_DESC=Thread Pooling support +WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe) + +# Upstream default disabled options +.for _option in brotli fips fips-jitter md2 ktls rc5 sctp ssl3 weak-ssl-ciphers zlib zstd +${_option:tu}_CONFIGURE_ON= enable-${_option} +.endfor + +# Upstream default enabled options +.for _option in aria asm async ct des gost idea md4 mdc2 ml-kem ml-dsa \ + legacy nextprotoneg quic rc2 rc4 rfc3779 rmd160 shared slh-dsa \ + sm2 sm3 sm4 sse2 threads tls-deprecated-ec tls1 tls1_1 tls1_2 +${_option:tu}_CONFIGURE_OFF= no-${_option} +.endfor + +FIPS-JITTER_IMPLIES= FIPS +MD2_IMPLIES= LEGACY +MDC2_IMPLIES= DES +TLS1_IMPLIES= TLS1_1 +TLS1_1_IMPLIES= TLS1_2 + +BROTLI_CFLAGS= -I${PREFIX}/include +BROTLI_CONFIGURE_ON= enable-brotli-dynamic +BROTLI_LIB_DEPENDS= libbrotlicommon.so:archivers/brotli +EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 +FIPS_VARS= shlibs+=lib/ossl-modules/fips.so +I386_CONFIGURE_ON= 386 +FIPS-JITTER_CFLAGS= -I${PREFIX}/include +FIPS-JITTER_LDFLAGS= -L${PREFIX}/lib +FIPS-JITTER_BUILD_DEPENDS= ${LOCALBASE}/lib/libjitterentropy.a:devel/libjitterentropy +LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so +MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits +SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} +SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} +SHARED_USE= ldconfig=yes +SHARED_VARS= shlibs+="lib/libcrypto.so.${OPENSSL_SHLIBVER} \ + lib/libssl.so.${OPENSSL_SHLIBVER} \ + lib/engines-${OPENSSL_SHLIBVER}/capi.so \ + lib/engines-${OPENSSL_SHLIBVER}/devcrypto.so \ + lib/engines-${OPENSSL_SHLIBVER}/padlock.so" +SSL3_CONFIGURE_ON= enable-ssl3 enable-ssl3-method +THREADPOOL_CONFIGURE_OFF= no-thread-pool +ZLIB_CONFIGURE_ON= zlib-dynamic +ZSTD_CFLAGS= -I${PREFIX}/include +ZSTD_CONFIGURE_ON= enable-zstd-dynamic +ZSTD_LIB_DEPENDS= libzstd.so:archivers/zstd + +SHLIBS= lib/engines-${OPENSSL_SHLIBVER}/loader_attic.so + +PORTSCOUT= limit:^${DISTVERSION:R:S/./\./g}\. + +.include <bsd.port.options.mk> + +.if ${ARCH} == powerpc64 +CONFIGURE_ARGS+= BSD-ppc64 +.elif ${ARCH} == powerpc64le +CONFIGURE_ARGS+= BSD-ppc64le +.elif ${ARCH} == riscv64 +CONFIGURE_ARGS+= BSD-riscv64 +.endif + +.include <bsd.port.pre.mk> +.if ${PREFIX} == /usr +IGNORE= the OpenSSL port can not be installed over the base version +.endif + +OPENSSLDIR?= ${PREFIX}/openssl +PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} + +.include "version.mk" + +post-patch: + ${REINPLACE_CMD} -Ee 's|^(build\|install)_docs: .*|\1_docs: \1_man_docs|' \ + ${WRKSRC}/Configurations/unix-Makefile.tmpl + ${REINPLACE_CMD} 's|SHLIB_VERSION=3|SHLIB_VERSION=${OPENSSL_SHLIBVER}|' \ + ${WRKSRC}/VERSION.dat + +post-configure: + ( cd ${WRKSRC} ; ${PERL} configdata.pm --dump ) + +post-configure-MAN3-off: + ${REINPLACE_CMD} \ + -e 's|^build_man_docs:.*|build_man_docs: $$(MANDOCS1) $$(MANDOCS5)|' \ + -e 's|dummy $$(MANDOCS[37]); do |dummy; do |' \ + ${WRKSRC}/Makefile + +post-install-SHARED-on: +.for i in ${SHLIBS} + -@${STRIP_CMD} ${STAGEDIR}${PREFIX}/$i +.endfor + +post-install-SHARED-off: + ${RMDIR} ${STAGEDIR}${PREFIX}/lib/engines-12 + +post-install: + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl + +post-install-MAN3-on: + ( cd ${STAGEDIR}/${PREFIX} ; find share/man/man3 -not -type d ; \ + find share/man/man7 -not -type d ) | sed 's/$$/.gz/' >> ${TMPPLIST} + +.include <bsd.port.post.mk> diff --git a/security/openssl36/distinfo b/security/openssl36/distinfo new file mode 100644 index 000000000000..864066f84ddb --- /dev/null +++ b/security/openssl36/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1756905754 +SHA256 (openssl-3.6.0-alpha1.tar.gz) = 214991128e68adbac1e41df435960c11a0899f762f9e586beb8112f2ca415778 +SIZE (openssl-3.6.0-alpha1.tar.gz) = 54968069 diff --git a/security/openssl36/files/extra-patch-ktls b/security/openssl36/files/extra-patch-ktls new file mode 100644 index 000000000000..8a46c272d95c --- /dev/null +++ b/security/openssl36/files/extra-patch-ktls @@ -0,0 +1,540 @@ +diff --git include/internal/ktls.h include/internal/ktls.h +index 95492fd065..3c82cae26b 100644 +--- include/internal/ktls.h ++++ include/internal/ktls.h +@@ -40,6 +40,11 @@ + # define OPENSSL_KTLS_AES_GCM_128 + # define OPENSSL_KTLS_AES_GCM_256 + # define OPENSSL_KTLS_TLS13 ++# ifdef TLS_CHACHA20_IV_LEN ++# ifndef OPENSSL_NO_CHACHA ++# define OPENSSL_KTLS_CHACHA20_POLY1305 ++# endif ++# endif + + typedef struct tls_enable ktls_crypto_info_t; + +diff --git ssl/ktls.c ssl/ktls.c +index 79d980959e..e343d382cc 100644 +--- ssl/ktls.c ++++ ssl/ktls.c +@@ -10,6 +10,67 @@ + #include "ssl_local.h" + #include "internal/ktls.h" + ++#ifndef OPENSSL_NO_KTLS_RX ++ /* ++ * Count the number of records that were not processed yet from record boundary. ++ * ++ * This function assumes that there are only fully formed records read in the ++ * record layer. If read_ahead is enabled, then this might be false and this ++ * function will fail. ++ */ ++static int count_unprocessed_records(SSL *s) ++{ ++ SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); ++ PACKET pkt, subpkt; ++ int count = 0; ++ ++ if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) ++ return -1; ++ ++ while (PACKET_remaining(&pkt) > 0) { ++ /* Skip record type and version */ ++ if (!PACKET_forward(&pkt, 3)) ++ return -1; ++ ++ /* Read until next record */ ++ if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) ++ return -1; ++ ++ count += 1; ++ } ++ ++ return count; ++} ++ ++/* ++ * The kernel cannot offload receive if a partial TLS record has been read. ++ * Check the read buffer for unprocessed records. If the buffer contains a ++ * partial record, fail and return 0. Otherwise, update the sequence ++ * number at *rec_seq for the count of unprocessed records and return 1. ++ */ ++static int check_rx_read_ahead(SSL *s, unsigned char *rec_seq) ++{ ++ int bit, count_unprocessed; ++ ++ count_unprocessed = count_unprocessed_records(s); ++ if (count_unprocessed < 0) ++ return 0; ++ ++ /* increment the crypto_info record sequence */ ++ while (count_unprocessed) { ++ for (bit = 7; bit >= 0; bit--) { /* increment */ ++ ++rec_seq[bit]; ++ if (rec_seq[bit] != 0) ++ break; ++ } ++ count_unprocessed--; ++ ++ } ++ ++ return 1; ++} ++#endif ++ + #if defined(__FreeBSD__) + # include "crypto/cryptodev.h" + +@@ -37,6 +98,10 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + case SSL_AES128GCM: + case SSL_AES256GCM: + return 1; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ return 1; ++# endif + case SSL_AES128: + case SSL_AES256: + if (s->ext.use_etm) +@@ -55,9 +120,9 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + } + + /* Function to configure kernel TLS structure */ +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size) + { +@@ -71,6 +136,12 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + else + crypto_info->iv_len = EVP_GCM_TLS_FIXED_IV_LEN; + break; ++# ifdef OPENSSL_KTLS_CHACHA20_POLY1305 ++ case SSL_CHACHA20POLY1305: ++ crypto_info->cipher_algorithm = CRYPTO_CHACHA20_POLY1305; ++ crypto_info->iv_len = EVP_CIPHER_CTX_get_iv_length(dd); ++ break; ++# endif + case SSL_AES128: + case SSL_AES256: + switch (s->s3.tmp.new_cipher->algorithm_mac) { +@@ -101,11 +172,11 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + crypto_info->tls_vminor = (s->version & 0x000000ff); + # ifdef TCP_RXTLS_ENABLE + memcpy(crypto_info->rec_seq, rl_sequence, sizeof(crypto_info->rec_seq)); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->rec_seq)) ++ return 0; + # else +- if (rec_seq != NULL) +- *rec_seq = NULL; ++ if (!is_tx) ++ return 0; + # endif + return 1; + }; +@@ -154,15 +225,20 @@ int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + } + + /* Function to configure kernel TLS structure */ +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size) + { + unsigned char geniv[12]; + unsigned char *iiv = iv; + ++# ifdef OPENSSL_NO_KTLS_RX ++ if (!is_tx) ++ return 0; ++# endif ++ + if (s->version == TLS1_2_VERSION && + EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { + if (!EVP_CIPHER_CTX_get_updated_iv(dd, geniv, +@@ -186,8 +262,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->gcm128.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->gcm128.rec_seq, rl_sequence, + TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->gcm128.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm128.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_AES_GCM_256 +@@ -201,8 +277,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->gcm256.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->gcm256.rec_seq, rl_sequence, + TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->gcm256.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->gcm256.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_AES_CCM_128 +@@ -216,8 +292,8 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + memcpy(crypto_info->ccm128.key, key, EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->ccm128.rec_seq, rl_sequence, + TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->ccm128.rec_seq; ++ if (!is_tx && !check_rx_read_ahead(s, crypto_info->ccm128.rec_seq)) ++ return 0; + return 1; + # endif + # ifdef OPENSSL_KTLS_CHACHA20_POLY1305 +@@ -231,8 +307,10 @@ int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + EVP_CIPHER_get_key_length(c)); + memcpy(crypto_info->chacha20poly1305.rec_seq, rl_sequence, + TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE); +- if (rec_seq != NULL) +- *rec_seq = crypto_info->chacha20poly1305.rec_seq; ++ if (!is_tx ++ && !check_rx_read_ahead(s, ++ crypto_info->chacha20poly1305.rec_seq)) ++ return 0; + return 1; + # endif + default: +diff --git ssl/record/ssl3_record.c ssl/record/ssl3_record.c +index d8ef018741..63caac080f 100644 +--- ssl/record/ssl3_record.c ++++ ssl/record/ssl3_record.c +@@ -185,18 +185,23 @@ int ssl3_get_record(SSL *s) + int imac_size; + size_t num_recs = 0, max_recs, j; + PACKET pkt, sslv2pkt; +- int is_ktls_left; ++ int using_ktls; + SSL_MAC_BUF *macbufs = NULL; + int ret = -1; + + rr = RECORD_LAYER_get_rrec(&s->rlayer); + rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); +- is_ktls_left = (SSL3_BUFFER_get_left(rbuf) > 0); + max_recs = s->max_pipelines; + if (max_recs == 0) + max_recs = 1; + sess = s->session; + ++ /* ++ * KTLS reads full records. If there is any data left, ++ * then it is from before enabling ktls. ++ */ ++ using_ktls = BIO_get_ktls_recv(s->rbio) && SSL3_BUFFER_get_left(rbuf) == 0; ++ + do { + thisrr = &rr[num_recs]; + +@@ -361,7 +366,9 @@ int ssl3_get_record(SSL *s) + } + } + +- if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) { ++ if (SSL_IS_TLS13(s) ++ && s->enc_read_ctx != NULL ++ && !using_ktls) { + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && (thisrr->type != SSL3_RT_CHANGE_CIPHER_SPEC + || !SSL_IS_FIRST_HANDSHAKE(s)) +@@ -391,7 +398,13 @@ int ssl3_get_record(SSL *s) + } + + if (SSL_IS_TLS13(s)) { +- if (thisrr->length > SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH) { ++ size_t len = SSL3_RT_MAX_TLS13_ENCRYPTED_LENGTH; ++ ++ /* KTLS strips the inner record type. */ ++ if (using_ktls) ++ len = SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ ++ if (thisrr->length > len) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, + SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + return -1; +@@ -409,7 +422,7 @@ int ssl3_get_record(SSL *s) + #endif + + /* KTLS may use all of the buffer */ +- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) ++ if (using_ktls) + len = SSL3_BUFFER_get_left(rbuf); + + if (thisrr->length > len) { +@@ -518,11 +531,7 @@ int ssl3_get_record(SSL *s) + return 1; + } + +- /* +- * KTLS reads full records. If there is any data left, +- * then it is from before enabling ktls +- */ +- if (BIO_get_ktls_recv(s->rbio) && !is_ktls_left) ++ if (using_ktls) + goto skip_decryption; + + if (s->read_hash != NULL) { +@@ -677,21 +686,29 @@ int ssl3_get_record(SSL *s) + if (SSL_IS_TLS13(s) + && s->enc_read_ctx != NULL + && thisrr->type != SSL3_RT_ALERT) { +- size_t end; ++ /* ++ * The following logic are irrelevant in KTLS: the kernel provides ++ * unprotected record and thus record type represent the actual ++ * content type, and padding is already removed and thisrr->type and ++ * thisrr->length should have the correct values. ++ */ ++ if (!using_ktls) { ++ size_t end; + +- if (thisrr->length == 0 +- || thisrr->type != SSL3_RT_APPLICATION_DATA) { +- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); +- goto end; ++ if (thisrr->length == 0 ++ || thisrr->type != SSL3_RT_APPLICATION_DATA) { ++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_BAD_RECORD_TYPE); ++ goto end; ++ } ++ ++ /* Strip trailing padding */ ++ for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; ++ end--) ++ continue; ++ ++ thisrr->length = end; ++ thisrr->type = thisrr->data[end]; + } +- +- /* Strip trailing padding */ +- for (end = thisrr->length - 1; end > 0 && thisrr->data[end] == 0; +- end--) +- continue; +- +- thisrr->length = end; +- thisrr->type = thisrr->data[end]; + if (thisrr->type != SSL3_RT_APPLICATION_DATA + && thisrr->type != SSL3_RT_ALERT + && thisrr->type != SSL3_RT_HANDSHAKE) { +@@ -700,7 +717,7 @@ int ssl3_get_record(SSL *s) + } + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_INNER_CONTENT_TYPE, +- &thisrr->data[end], 1, s, s->msg_callback_arg); ++ &thisrr->type, 1, s, s->msg_callback_arg); + } + + /* +@@ -723,8 +740,7 @@ int ssl3_get_record(SSL *s) + * Therefore we have to rely on KTLS to check the plaintext length + * limit in the kernel. + */ +- if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH +- && (!BIO_get_ktls_recv(s->rbio) || is_ktls_left)) { ++ if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH && !using_ktls) { + SSLfatal(s, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); + goto end; + } +diff --git ssl/ssl_local.h ssl/ssl_local.h +index 5471e900b8..79ced2f468 100644 +--- ssl/ssl_local.h ++++ ssl/ssl_local.h +@@ -2760,9 +2760,9 @@ __owur int ssl_log_secret(SSL *ssl, const char *label, + /* ktls.c */ + int ktls_check_supported_cipher(const SSL *s, const EVP_CIPHER *c, + const EVP_CIPHER_CTX *dd); +-int ktls_configure_crypto(const SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, ++int ktls_configure_crypto(SSL *s, const EVP_CIPHER *c, EVP_CIPHER_CTX *dd, + void *rl_sequence, ktls_crypto_info_t *crypto_info, +- unsigned char **rec_seq, unsigned char *iv, ++ int is_tx, unsigned char *iv, + unsigned char *key, unsigned char *mac_key, + size_t mac_secret_size); + # endif +diff --git ssl/t1_enc.c ssl/t1_enc.c +index 237a19cd93..900ba14fbd 100644 +--- ssl/t1_enc.c ++++ ssl/t1_enc.c +@@ -98,42 +98,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) + return ret; + } + +-#ifndef OPENSSL_NO_KTLS +- /* +- * Count the number of records that were not processed yet from record boundary. +- * +- * This function assumes that there are only fully formed records read in the +- * record layer. If read_ahead is enabled, then this might be false and this +- * function will fail. +- */ +-# ifndef OPENSSL_NO_KTLS_RX +-static int count_unprocessed_records(SSL *s) +-{ +- SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); +- PACKET pkt, subpkt; +- int count = 0; +- +- if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) +- return -1; +- +- while (PACKET_remaining(&pkt) > 0) { +- /* Skip record type and version */ +- if (!PACKET_forward(&pkt, 3)) +- return -1; +- +- /* Read until next record */ +- if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) +- return -1; +- +- count += 1; +- } +- +- return count; +-} +-# endif +-#endif +- +- + int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, + const EVP_CIPHER *ciph, + const EVP_MD *md) +@@ -201,12 +165,7 @@ int tls1_change_cipher_state(SSL *s, int which) + int reuse_dd = 0; + #ifndef OPENSSL_NO_KTLS + ktls_crypto_info_t crypto_info; +- unsigned char *rec_seq; + void *rl_sequence; +-# ifndef OPENSSL_NO_KTLS_RX +- int count_unprocessed; +- int bit; +-# endif + BIO *bio; + #endif + +@@ -473,30 +432,11 @@ int tls1_change_cipher_state(SSL *s, int which) + else + rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); + +- if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq, +- iv, key, ms, *mac_secret_size)) ++ if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, ++ which & SSL3_CC_WRITE, iv, key, ms, ++ *mac_secret_size)) + goto skip_ktls; + +- if (which & SSL3_CC_READ) { +-# ifndef OPENSSL_NO_KTLS_RX +- count_unprocessed = count_unprocessed_records(s); +- if (count_unprocessed < 0) +- goto skip_ktls; +- +- /* increment the crypto_info record sequence */ +- while (count_unprocessed) { +- for (bit = 7; bit >= 0; bit--) { /* increment */ +- ++rec_seq[bit]; +- if (rec_seq[bit] != 0) +- break; +- } +- count_unprocessed--; +- } +-# else +- goto skip_ktls; +-# endif +- } +- + /* ktls works with user provided buffers directly */ + if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { + if (which & SSL3_CC_WRITE) +diff --git ssl/tls13_enc.c ssl/tls13_enc.c +index 12388922e3..eaab0e2a74 100644 +--- ssl/tls13_enc.c ++++ ssl/tls13_enc.c +@@ -434,6 +434,7 @@ int tls13_change_cipher_state(SSL *s, int which) + const EVP_CIPHER *cipher = NULL; + #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) + ktls_crypto_info_t crypto_info; ++ void *rl_sequence; + BIO *bio; + #endif + +@@ -688,8 +689,7 @@ int tls13_change_cipher_state(SSL *s, int which) + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; + #ifndef OPENSSL_NO_KTLS + # if defined(OPENSSL_KTLS_TLS13) +- if (!(which & SSL3_CC_WRITE) +- || !(which & SSL3_CC_APPLICATION) ++ if (!(which & SSL3_CC_APPLICATION) + || (s->options & SSL_OP_ENABLE_KTLS) == 0) + goto skip_ktls; + +@@ -705,7 +705,10 @@ int tls13_change_cipher_state(SSL *s, int which) + if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) + goto skip_ktls; + +- bio = s->wbio; ++ if (which & SSL3_CC_WRITE) ++ bio = s->wbio; ++ else ++ bio = s->rbio; + + if (!ossl_assert(bio != NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); +@@ -713,18 +716,26 @@ int tls13_change_cipher_state(SSL *s, int which) + } + + /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ +- if (BIO_flush(bio) <= 0) +- goto skip_ktls; ++ if (which & SSL3_CC_WRITE) { ++ if (BIO_flush(bio) <= 0) ++ goto skip_ktls; ++ } + + /* configure kernel crypto structure */ +- if (!ktls_configure_crypto(s, cipher, ciph_ctx, +- RECORD_LAYER_get_write_sequence(&s->rlayer), +- &crypto_info, NULL, iv, key, NULL, 0)) ++ if (which & SSL3_CC_WRITE) ++ rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); ++ else ++ rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); ++ ++ if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info, ++ which & SSL3_CC_WRITE, iv, key, NULL, 0)) + goto skip_ktls; + + /* ktls works with user provided buffers directly */ +- if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) +- ssl3_release_write_buffer(s); ++ if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { ++ if (which & SSL3_CC_WRITE) ++ ssl3_release_write_buffer(s); ++ } + skip_ktls: + # endif + #endif +diff --git test/sslapitest.c test/sslapitest.c +index 2911d6e94b..faf2eec2bc 100644 +--- test/sslapitest.c ++++ test/sslapitest.c +@@ -1243,7 +1243,7 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, + #if defined(OPENSSL_NO_KTLS_RX) + rx_supported = 0; + #else +- rx_supported = (tls_version != TLS1_3_VERSION); ++ rx_supported = 1; + #endif + if (!cis_ktls || !rx_supported) { + if (!TEST_false(BIO_get_ktls_recv(clientssl->rbio))) diff --git a/security/openssl36/files/extra-patch-util_find-doc-nits b/security/openssl36/files/extra-patch-util_find-doc-nits new file mode 100644 index 000000000000..bf70e9fee1ac --- /dev/null +++ b/security/openssl36/files/extra-patch-util_find-doc-nits @@ -0,0 +1,20 @@ +--- util/find-doc-nits.orig 2023-09-07 09:00:22 UTC ++++ util/find-doc-nits +@@ -80,7 +80,7 @@ my $temp = '/tmp/docnits.txt'; + my $OUT; + my $status = 0; + +-$opt_m = "man1,man3,man5,man7" unless $opt_m; ++$opt_m = "man1,man5" unless $opt_m; + die "Argument of -m option may contain only man1, man3, man5, and/or man7" + unless $opt_m =~ /^(man[1357][, ]?)*$/; + my @sections = ( split /[, ]/, $opt_m ); +@@ -725,7 +725,7 @@ sub check { + next if $target eq ''; # Skip if links within page, or + next if $target =~ /::/; # links to a Perl module, or + next if $target =~ /^https?:/; # is a URL link, or +- next if $target =~ /\([1357]\)$/; # it has a section ++ next if $target =~ /\([15]\)$/; # it has a section + err($id, "Missing man section number (likely, $mansect) in L<$target>") + } + # Check for proper links to commands. diff --git a/security/openssl36/files/patch-Configurations_10-main.conf b/security/openssl36/files/patch-Configurations_10-main.conf new file mode 100644 index 000000000000..82503c0ff90c --- /dev/null +++ b/security/openssl36/files/patch-Configurations_10-main.conf @@ -0,0 +1,35 @@ +--- Configurations/10-main.conf.orig 2022-04-12 16:29:42 UTC ++++ Configurations/10-main.conf +@@ -1069,6 +1069,32 @@ my %targets = ( + perlasm_scheme => "linux64", + }, + ++ "BSD-ppc" => { ++ inherit_from => [ "BSD-generic32" ], ++ asm_arch => 'ppc32', ++ perlasm_scheme => "linux32", ++ lib_cppflags => add("-DB_ENDIAN"), ++ }, ++ ++ "BSD-ppc64" => { ++ inherit_from => [ "BSD-generic64" ], ++ cflags => add("-m64"), ++ cxxflags => add("-m64"), ++ lib_cppflags => add("-DB_ENDIAN"), ++ asm_arch => 'ppc64', ++ perlasm_scheme => "linux64", ++ }, ++ ++ "BSD-ppc64le" => { ++ inherit_from => [ "BSD-generic64" ], ++ cflags => add("-m64"), ++ cxxflags => add("-m64"), ++ lib_cppflags => add("-DL_ENDIAN"), ++ asm_arch => 'ppc64', ++ perlasm_scheme => "linux64le", ++ }, ++ ++ + "bsdi-elf-gcc" => { + inherit_from => [ "BASE_unix" ], + CC => "gcc", diff --git a/security/openssl36/files/patch-crypto_threads__pthread.c b/security/openssl36/files/patch-crypto_threads__pthread.c new file mode 100644 index 000000000000..3347170e0bd0 --- /dev/null +++ b/security/openssl36/files/patch-crypto_threads__pthread.c @@ -0,0 +1,13 @@ +--- crypto/threads_pthread.c.orig 2022-11-01 14:14:36 UTC ++++ crypto/threads_pthread.c +@@ -29,6 +29,10 @@ + #define BROKEN_CLANG_ATOMICS + #endif + ++#if defined(__FreeBSD__) && defined(__i386__) ++#define BROKEN_CLANG_ATOMICS ++#endif ++ + #if defined(OPENSSL_THREADS) && !defined(CRYPTO_TDEBUG) && !defined(OPENSSL_SYS_WINDOWS) + + # if defined(OPENSSL_SYS_UNIX) diff --git a/security/openssl36/pkg-descr b/security/openssl36/pkg-descr new file mode 100644 index 000000000000..c7704288547a --- /dev/null +++ b/security/openssl36/pkg-descr @@ -0,0 +1,13 @@ +The OpenSSL Project is a collaborative effort to develop a robust, +commercial-grade, full-featured, and Open Source toolkit implementing +the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1, +v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide. +The project is managed by a worldwide community of volunteers that use +the Internet to communicate, plan, and develop the OpenSSL tookit +and its related documentation. + +OpenSSL is based on the excellent SSLeay library developed by Eric +A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under +an Apache-style licence, which basically means that you are free +to get and use it for commercial and non-commercial purposes subject +to some simple license conditions. diff --git a/security/openssl36/pkg-message b/security/openssl36/pkg-message new file mode 100644 index 000000000000..0ed980ee3513 --- /dev/null +++ b/security/openssl36/pkg-message @@ -0,0 +1,14 @@ +[ +{ type: install + message: <<EOM +This OpenSSL version is in an ALPHA stage +Do NOT use for production! +EOM +} +{ type: upgrade + message: <<EOM +This OpenSSL version is in an ALPHA stage +Do NOT use for production! +EOM +} +] diff --git a/security/openssl36/pkg-plist b/security/openssl36/pkg-plist new file mode 100644 index 000000000000..7bd599c31899 --- /dev/null +++ b/security/openssl36/pkg-plist @@ -0,0 +1,286 @@ +bin/c_rehash +bin/openssl +include/openssl/aes.h +include/openssl/asn1.h +include/openssl/asn1err.h +include/openssl/asn1t.h +include/openssl/async.h +include/openssl/asyncerr.h +include/openssl/bio.h +include/openssl/bioerr.h +include/openssl/blowfish.h +include/openssl/bn.h +include/openssl/bnerr.h +include/openssl/buffer.h +include/openssl/buffererr.h +include/openssl/byteorder.h +include/openssl/camellia.h +include/openssl/cast.h +include/openssl/cmac.h +include/openssl/cmp.h +include/openssl/cmp_util.h +include/openssl/cmperr.h +include/openssl/cms.h +include/openssl/cmserr.h +include/openssl/comp.h +include/openssl/comperr.h +include/openssl/conf.h +include/openssl/conf_api.h +include/openssl/conferr.h +include/openssl/configuration.h +include/openssl/conftypes.h +include/openssl/core.h +include/openssl/core_dispatch.h +include/openssl/core_names.h +include/openssl/core_object.h +include/openssl/crmf.h +include/openssl/crmferr.h +include/openssl/crypto.h +include/openssl/cryptoerr.h +include/openssl/cryptoerr_legacy.h +include/openssl/ct.h +include/openssl/cterr.h +include/openssl/decoder.h +include/openssl/decodererr.h +include/openssl/des.h +include/openssl/dh.h +include/openssl/dherr.h +include/openssl/dsa.h +include/openssl/dsaerr.h +include/openssl/dtls1.h +include/openssl/e_os2.h +include/openssl/e_ostime.h +include/openssl/ebcdic.h +include/openssl/ec.h +include/openssl/ecdh.h +include/openssl/ecdsa.h +include/openssl/ecerr.h +include/openssl/encoder.h +include/openssl/encodererr.h +include/openssl/engine.h +include/openssl/engineerr.h +include/openssl/err.h +include/openssl/ess.h +include/openssl/esserr.h +include/openssl/evp.h +include/openssl/evperr.h +include/openssl/fips_names.h +include/openssl/fipskey.h +include/openssl/hmac.h +include/openssl/hpke.h +include/openssl/http.h +include/openssl/httperr.h +include/openssl/idea.h +include/openssl/indicator.h +include/openssl/kdf.h +include/openssl/kdferr.h +include/openssl/lhash.h +include/openssl/macros.h +include/openssl/md2.h +include/openssl/md4.h +include/openssl/md5.h +include/openssl/mdc2.h +include/openssl/ml_kem.h +include/openssl/modes.h +include/openssl/obj_mac.h +include/openssl/objects.h +include/openssl/objectserr.h +include/openssl/ocsp.h +include/openssl/ocsperr.h +include/openssl/opensslconf.h +include/openssl/opensslv.h +include/openssl/ossl_typ.h +include/openssl/param_build.h +include/openssl/params.h +include/openssl/pem.h +include/openssl/pem2.h +include/openssl/pemerr.h +include/openssl/pkcs12.h +include/openssl/pkcs12err.h +include/openssl/pkcs7.h +include/openssl/pkcs7err.h +include/openssl/prov_ssl.h +include/openssl/proverr.h +include/openssl/provider.h +include/openssl/quic.h +include/openssl/rand.h +include/openssl/randerr.h +include/openssl/rc2.h +include/openssl/rc4.h +include/openssl/rc5.h +include/openssl/ripemd.h +include/openssl/rsa.h +include/openssl/rsaerr.h +include/openssl/safestack.h +include/openssl/seed.h +include/openssl/self_test.h +include/openssl/sha.h +include/openssl/srp.h +include/openssl/srtp.h +include/openssl/ssl.h +include/openssl/ssl2.h +include/openssl/ssl3.h +include/openssl/sslerr.h +include/openssl/sslerr_legacy.h +include/openssl/stack.h +include/openssl/store.h +include/openssl/storeerr.h +include/openssl/symhacks.h +include/openssl/thread.h +include/openssl/tls1.h +include/openssl/trace.h +include/openssl/ts.h +include/openssl/tserr.h +include/openssl/txt_db.h +include/openssl/types.h +include/openssl/ui.h +include/openssl/uierr.h +include/openssl/whrlpool.h +include/openssl/x509.h +include/openssl/x509_acert.h +include/openssl/x509_vfy.h +include/openssl/x509err.h +include/openssl/x509v3.h +include/openssl/x509v3err.h +lib/cmake/OpenSSL/OpenSSLConfig.cmake +lib/cmake/OpenSSL/OpenSSLConfigVersion.cmake +%%SHARED%%lib/engines-%%SHLIBVER%%/capi.so +%%SHARED%%lib/engines-%%SHLIBVER%%/devcrypto.so +%%SHARED%%lib/engines-%%SHLIBVER%%/loader_attic.so +%%SHARED%%lib/engines-%%SHLIBVER%%/padlock.so +lib/libcrypto.a +%%SHARED%%lib/libcrypto.so +%%SHARED%%lib/libcrypto.so.%%SHLIBVER%% +lib/libssl.a +%%SHARED%%lib/libssl.so +%%SHARED%%lib/libssl.so.%%SHLIBVER%% +%%FIPS%%%%SHARED%%lib/ossl-modules/fips.so +%%LEGACY%%%%SHARED%%lib/ossl-modules/legacy.so +libdata/pkgconfig/libcrypto.pc +libdata/pkgconfig/libssl.pc +libdata/pkgconfig/openssl.pc +share/man/man1/CA.pl.1ossl.gz +share/man/man1/asn1parse.1ossl.gz +share/man/man1/c_rehash.1ossl.gz +share/man/man1/ca.1ossl.gz +share/man/man1/ciphers.1ossl.gz +share/man/man1/cmp.1ossl.gz +share/man/man1/cms.1ossl.gz +share/man/man1/crl.1ossl.gz +share/man/man1/crl2pkcs7.1ossl.gz +share/man/man1/dgst.1ossl.gz +share/man/man1/dhparam.1ossl.gz +share/man/man1/dsa.1ossl.gz +share/man/man1/dsaparam.1ossl.gz +share/man/man1/ec.1ossl.gz +share/man/man1/ecparam.1ossl.gz +share/man/man1/enc.1ossl.gz +share/man/man1/engine.1ossl.gz +share/man/man1/errstr.1ossl.gz +share/man/man1/gendsa.1ossl.gz +share/man/man1/genpkey.1ossl.gz +share/man/man1/genrsa.1ossl.gz +share/man/man1/info.1ossl.gz +share/man/man1/kdf.1ossl.gz +share/man/man1/mac.1ossl.gz +share/man/man1/nseq.1ossl.gz +share/man/man1/ocsp.1ossl.gz +share/man/man1/openssl-asn1parse.1ossl.gz +share/man/man1/openssl-ca.1ossl.gz +share/man/man1/openssl-ciphers.1ossl.gz +share/man/man1/openssl-cmds.1ossl.gz +share/man/man1/openssl-cmp.1ossl.gz +share/man/man1/openssl-cms.1ossl.gz +share/man/man1/openssl-configutl.1ossl.gz +share/man/man1/openssl-crl.1ossl.gz +share/man/man1/openssl-crl2pkcs7.1ossl.gz +share/man/man1/openssl-dgst.1ossl.gz +share/man/man1/openssl-dhparam.1ossl.gz +share/man/man1/openssl-dsa.1ossl.gz +share/man/man1/openssl-dsaparam.1ossl.gz +share/man/man1/openssl-ec.1ossl.gz +share/man/man1/openssl-ecparam.1ossl.gz +share/man/man1/openssl-enc.1ossl.gz +share/man/man1/openssl-engine.1ossl.gz +share/man/man1/openssl-errstr.1ossl.gz +share/man/man1/openssl-fipsinstall.1ossl.gz +share/man/man1/openssl-format-options.1ossl.gz +share/man/man1/openssl-gendsa.1ossl.gz +share/man/man1/openssl-genpkey.1ossl.gz +share/man/man1/openssl-genrsa.1ossl.gz +share/man/man1/openssl-info.1ossl.gz +share/man/man1/openssl-kdf.1ossl.gz +share/man/man1/openssl-list.1ossl.gz +share/man/man1/openssl-mac.1ossl.gz +share/man/man1/openssl-namedisplay-options.1ossl.gz +share/man/man1/openssl-nseq.1ossl.gz +share/man/man1/openssl-ocsp.1ossl.gz +share/man/man1/openssl-passphrase-options.1ossl.gz +share/man/man1/openssl-passwd.1ossl.gz +share/man/man1/openssl-pkcs12.1ossl.gz +share/man/man1/openssl-pkcs7.1ossl.gz +share/man/man1/openssl-pkcs8.1ossl.gz +share/man/man1/openssl-pkey.1ossl.gz +share/man/man1/openssl-pkeyparam.1ossl.gz +share/man/man1/openssl-pkeyutl.1ossl.gz +share/man/man1/openssl-prime.1ossl.gz +share/man/man1/openssl-rand.1ossl.gz +share/man/man1/openssl-rehash.1ossl.gz +share/man/man1/openssl-req.1ossl.gz +share/man/man1/openssl-rsa.1ossl.gz +share/man/man1/openssl-rsautl.1ossl.gz +share/man/man1/openssl-s_client.1ossl.gz +share/man/man1/openssl-s_server.1ossl.gz +share/man/man1/openssl-s_time.1ossl.gz +share/man/man1/openssl-sess_id.1ossl.gz +share/man/man1/openssl-skeyutl.1ossl.gz +share/man/man1/openssl-smime.1ossl.gz +share/man/man1/openssl-speed.1ossl.gz +share/man/man1/openssl-spkac.1ossl.gz +share/man/man1/openssl-srp.1ossl.gz +share/man/man1/openssl-storeutl.1ossl.gz +share/man/man1/openssl-ts.1ossl.gz +share/man/man1/openssl-verification-options.1ossl.gz +share/man/man1/openssl-verify.1ossl.gz +share/man/man1/openssl-version.1ossl.gz +share/man/man1/openssl-x509.1ossl.gz +share/man/man1/openssl.1ossl.gz +share/man/man1/passwd.1ossl.gz +share/man/man1/pkcs12.1ossl.gz +share/man/man1/pkcs7.1ossl.gz +share/man/man1/pkcs8.1ossl.gz +share/man/man1/pkey.1ossl.gz +share/man/man1/pkeyparam.1ossl.gz +share/man/man1/pkeyutl.1ossl.gz +share/man/man1/prime.1ossl.gz +share/man/man1/rand.1ossl.gz +share/man/man1/rehash.1ossl.gz +share/man/man1/req.1ossl.gz +share/man/man1/rsa.1ossl.gz +share/man/man1/rsautl.1ossl.gz +share/man/man1/s_client.1ossl.gz +share/man/man1/s_server.1ossl.gz +share/man/man1/s_time.1ossl.gz +share/man/man1/sess_id.1ossl.gz +share/man/man1/smime.1ossl.gz +share/man/man1/speed.1ossl.gz +share/man/man1/spkac.1ossl.gz +share/man/man1/srp.1ossl.gz +share/man/man1/storeutl.1ossl.gz +share/man/man1/ts.1ossl.gz +share/man/man1/tsget.1ossl.gz +share/man/man1/verify.1ossl.gz +share/man/man1/version.1ossl.gz +share/man/man1/x509.1ossl.gz +share/man/man5/config.5ossl.gz +share/man/man5/fips_config.5ossl.gz +share/man/man5/x509v3_config.5ossl.gz +%%OPENSSLDIR%%/misc/CA.pl +@comment %%OPENSSLDIR%%/misc/tsget.pl +%%OPENSSLDIR%%/misc/tsget +@sample %%OPENSSLDIR%%/ct_log_list.cnf.dist %%OPENSSLDIR%%/ct_log_list.cnf +%%FIPS%%%%OPENSSLDIR%%/fipsmodule.cnf +@sample %%OPENSSLDIR%%/openssl.cnf.dist %%OPENSSLDIR%%/openssl.cnf +@dir lib/ossl-modules +@dir %%OPENSSLDIR%%/private +@dir %%OPENSSLDIR%%/certs diff --git a/security/openssl36/version.mk b/security/openssl36/version.mk new file mode 100644 index 000000000000..7bf1106dadd0 --- /dev/null +++ b/security/openssl36/version.mk @@ -0,0 +1 @@ +OPENSSL_SHLIBVER?= 18 diff --git a/security/p5-CPAN-Audit/Makefile b/security/p5-CPAN-Audit/Makefile index 952aab98f16a..2dc3c0e06245 100644 --- a/security/p5-CPAN-Audit/Makefile +++ b/security/p5-CPAN-Audit/Makefile @@ -1,5 +1,5 @@ PORTNAME= CPAN-Audit -PORTVERSION= 20250115.001 +PORTVERSION= 20250829.001 CATEGORIES= security perl5 MASTER_SITES= CPAN PKGNAMEPREFIX= p5- diff --git a/security/p5-CPAN-Audit/distinfo b/security/p5-CPAN-Audit/distinfo index 4492473e7a23..3c03376eda2a 100644 --- a/security/p5-CPAN-Audit/distinfo +++ b/security/p5-CPAN-Audit/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1737010616 -SHA256 (CPAN-Audit-20250115.001.tar.gz) = 4052d1ffe721805af4203ab3af9da3e3193ce30ef98bab67d01c1fc4a147f708 -SIZE (CPAN-Audit-20250115.001.tar.gz) = 32382 +TIMESTAMP = 1756709907 +SHA256 (CPAN-Audit-20250829.001.tar.gz) = ec711a2277e01dc813954dfc698ffc2dbfca83c7e16252cfdfba7333b12cd502 +SIZE (CPAN-Audit-20250829.001.tar.gz) = 32403 diff --git a/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/Makefile b/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/Makefile deleted file mode 100644 index 2a1ba4015789..000000000000 --- a/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/Makefile +++ /dev/null @@ -1,27 +0,0 @@ -PORTNAME= Dancer-Plugin-Auth-Extensible-Provider-Usergroup -PORTVERSION= 0.21 -PORTREVISION= 2 -CATEGORIES= security perl5 -MASTER_SITES= CPAN -PKGNAMEPREFIX= p5- - -MAINTAINER= perl@FreeBSD.org -COMMENT= Extensible authentication framework for Dancer apps -WWW= https://metacpan.org/pod/Dancer::Plugin::Auth::Extensible::Provider::Usergroup - -LICENSE= ART10 GPLv1+ -LICENSE_COMB= dual - -DEPRECATED= Depends on expired security/p5-Data-Entropy via security/p5-Dancer-Plugin-Passphrase -EXPIRATION_DATE=2025-09-01 - -BUILD_DEPENDS= ${RUN_DEPENDS} -RUN_DEPENDS= p5-Dancer>=1.3118:www/p5-Dancer \ - p5-Dancer-Plugin-Auth-Extensible>=0:security/p5-Dancer-Plugin-Auth-Extensible \ - p5-Dancer-Plugin-Passphrase>=0:security/p5-Dancer-Plugin-Passphrase \ - p5-Dancer-Plugin-DBIC>=0:databases/p5-Dancer-Plugin-DBIC - -USES= perl5 -USE_PERL5= configure - -.include <bsd.port.mk> diff --git a/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/distinfo b/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/distinfo deleted file mode 100644 index 6923eb3bd9d4..000000000000 --- a/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/distinfo +++ /dev/null @@ -1,2 +0,0 @@ -SHA256 (Dancer-Plugin-Auth-Extensible-Provider-Usergroup-0.21.tar.gz) = 3917f4e0568d892e57a5941230ac261e66ae024bbc57f8e04bf1ceb1c46612a6 -SIZE (Dancer-Plugin-Auth-Extensible-Provider-Usergroup-0.21.tar.gz) = 10033 diff --git a/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/pkg-descr b/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/pkg-descr deleted file mode 100644 index 298b35a308ff..000000000000 --- a/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/pkg-descr +++ /dev/null @@ -1,4 +0,0 @@ -authenticate as a member of a group - -Define that a user must be logged in and have the proper permissions to -access a route diff --git a/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/pkg-plist b/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/pkg-plist deleted file mode 100644 index b8a29876bdfe..000000000000 --- a/security/p5-Dancer-Plugin-Auth-Extensible-Provider-Usergroup/pkg-plist +++ /dev/null @@ -1,2 +0,0 @@ -%%PERL5_MAN3%%/Dancer::Plugin::Auth::Extensible::Provider::Usergroup.3.gz -%%SITE_PERL%%/Dancer/Plugin/Auth/Extensible/Provider/Usergroup.pm diff --git a/security/p5-Dancer-Plugin-Passphrase/Makefile b/security/p5-Dancer-Plugin-Passphrase/Makefile deleted file mode 100644 index 4ae937fe5568..000000000000 --- a/security/p5-Dancer-Plugin-Passphrase/Makefile +++ /dev/null @@ -1,29 +0,0 @@ -PORTNAME= Dancer-Plugin-Passphrase -PORTVERSION= 2.0.1 -PORTREVISION= 2 -CATEGORIES= security perl5 -MASTER_SITES= CPAN -MASTER_SITE_SUBDIR= CPAN:JAITKEN -PKGNAMEPREFIX= p5- - -MAINTAINER= perl@FreeBSD.org -COMMENT= Passphrases and Passwords as objects for Dancer -WWW= https://metacpan.org/release/Dancer-Plugin-Passphrase - -LICENSE= ART10 GPLv1+ -LICENSE_COMB= dual -LICENSE_FILE= ${WRKSRC}/LICENSE - -DEPRECATED= Depends on expired security/p5-Data-Entropy -EXPIRATION_DATE=2025-09-01 - -BUILD_DEPENDS= ${RUN_DEPENDS} -RUN_DEPENDS= p5-Dancer>=0:www/p5-Dancer \ - p5-Data-Entropy>=0.005:security/p5-Data-Entropy \ - p5-Digest-Bcrypt>=0:security/p5-Digest-Bcrypt - -NO_ARCH= yes -USES= perl5 -USE_PERL5= configure - -.include <bsd.port.mk> diff --git a/security/p5-Dancer-Plugin-Passphrase/distinfo b/security/p5-Dancer-Plugin-Passphrase/distinfo deleted file mode 100644 index dc3dc85dcd8e..000000000000 --- a/security/p5-Dancer-Plugin-Passphrase/distinfo +++ /dev/null @@ -1,2 +0,0 @@ -SHA256 (Dancer-Plugin-Passphrase-2.0.1.tar.gz) = 33b49fd46cf6732ccf2b0cf2761c6e72911e9e029f93b914a1f8b7f7ea4f7ba5 -SIZE (Dancer-Plugin-Passphrase-2.0.1.tar.gz) = 25992 diff --git a/security/p5-Dancer-Plugin-Passphrase/pkg-descr b/security/p5-Dancer-Plugin-Passphrase/pkg-descr deleted file mode 100644 index d10429f90a92..000000000000 --- a/security/p5-Dancer-Plugin-Passphrase/pkg-descr +++ /dev/null @@ -1,4 +0,0 @@ -Dancer::Plugin::Passphrase manages the hashing of passwords for Dancer apps, -allowing developers to follow cryptography best practices without having to -become a cryptography expert. It uses the bcrypt algorithm as the default, -while also supporting any hashing function provided by Digest. diff --git a/security/p5-Dancer-Plugin-Passphrase/pkg-plist b/security/p5-Dancer-Plugin-Passphrase/pkg-plist deleted file mode 100644 index 59e6cb2e5a92..000000000000 --- a/security/p5-Dancer-Plugin-Passphrase/pkg-plist +++ /dev/null @@ -1,2 +0,0 @@ -%%SITE_PERL%%/Dancer/Plugin/Passphrase.pm -%%PERL5_MAN3%%/Dancer::Plugin::Passphrase.3.gz diff --git a/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/Makefile b/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/Makefile deleted file mode 100644 index 8e9c296c3689..000000000000 --- a/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/Makefile +++ /dev/null @@ -1,28 +0,0 @@ -PORTNAME= Dancer2-Plugin-Auth-Extensible-Provider-Usergroup -PORTVERSION= 0.709 -CATEGORIES= security perl5 -MASTER_SITES= CPAN -PKGNAMEPREFIX= p5- - -MAINTAINER= perl@FreeBSD.org -COMMENT= Extensible authentication framework for Dancer2 apps -WWW= https://metacpan.org/release/Dancer2-Plugin-Auth-Extensible-Provider-Usergroup - -LICENSE= ART10 GPLv1+ -LICENSE_COMB= dual - -DEPRECATED= Depends on expired security/p5-Data-Entropy via security/p5-Dancer2-Plugin-Passphrase -EXPIRATION_DATE=2025-09-01 - -BUILD_DEPENDS= ${RUN_DEPENDS} -RUN_DEPENDS= p5-Dancer2>=0.204001:www/p5-Dancer2 \ - p5-Dancer2-Plugin-Auth-Extensible>=0.709:security/p5-Dancer2-Plugin-Auth-Extensible \ - p5-Dancer2-Plugin-Passphrase>=3.3.0:security/p5-Dancer2-Plugin-Passphrase \ - p5-Dancer2-Plugin-DBIC>=0.0013:databases/p5-Dancer2-Plugin-DBIC - -USES= perl5 -USE_PERL5= configure - -NO_ARCH= yes - -.include <bsd.port.mk> diff --git a/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/distinfo b/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/distinfo deleted file mode 100644 index 50e050b0e6ff..000000000000 --- a/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1595416755 -SHA256 (Dancer2-Plugin-Auth-Extensible-Provider-Usergroup-0.709.tar.gz) = ea182b6ba4166597f34e23099a2d694ce930c8472a1cf65a6583d0547228dd42 -SIZE (Dancer2-Plugin-Auth-Extensible-Provider-Usergroup-0.709.tar.gz) = 13017 diff --git a/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/pkg-descr b/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/pkg-descr deleted file mode 100644 index bf30ea5f1cae..000000000000 --- a/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/pkg-descr +++ /dev/null @@ -1,2 +0,0 @@ -Define that a user must be logged in and have the proper permissions to -access a route diff --git a/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/pkg-plist b/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/pkg-plist deleted file mode 100644 index 27e9162c43f2..000000000000 --- a/security/p5-Dancer2-Plugin-Auth-Extensible-Provider-Usergroup/pkg-plist +++ /dev/null @@ -1,2 +0,0 @@ -%%SITE_PERL%%/Dancer2/Plugin/Auth/Extensible/Provider/Usergroup.pm -%%PERL5_MAN3%%/Dancer2::Plugin::Auth::Extensible::Provider::Usergroup.3.gz diff --git a/security/p5-Dancer2-Plugin-Passphrase/Makefile b/security/p5-Dancer2-Plugin-Passphrase/Makefile deleted file mode 100644 index 9ccffa262016..000000000000 --- a/security/p5-Dancer2-Plugin-Passphrase/Makefile +++ /dev/null @@ -1,28 +0,0 @@ -PORTNAME= Dancer2-Plugin-Passphrase -PORTVERSION= 3.4.1 -CATEGORIES= security perl5 -MASTER_SITES= CPAN -PKGNAMEPREFIX= p5- - -MAINTAINER= perl@FreeBSD.org -COMMENT= Passphrases and Passwords as objects for Dancer2 -WWW= https://metacpan.org/release/Dancer2-Plugin-Passphrase - -LICENSE= ART10 GPLv1+ -LICENSE_COMB= dual - -DEPRECATED= Depends on expired security/p5-Data-Entropy -EXPIRATION_DATE=2025-09-01 - -BUILD_DEPENDS= ${RUN_DEPENDS} -RUN_DEPENDS= p5-Crypt-Bcrypt>=0.006:security/p5-Crypt-Bcrypt \ - p5-Dancer2>=0.200000:www/p5-Dancer2 \ - p5-Data-Entropy>=0.007:security/p5-Data-Entropy \ - p5-Digest-Bcrypt>=1.212:security/p5-Digest-Bcrypt - -USES= perl5 -USE_PERL5= configure - -NO_ARCH= yes - -.include <bsd.port.mk> diff --git a/security/p5-Dancer2-Plugin-Passphrase/distinfo b/security/p5-Dancer2-Plugin-Passphrase/distinfo deleted file mode 100644 index 3c4aabeebc7b..000000000000 --- a/security/p5-Dancer2-Plugin-Passphrase/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1654275989 -SHA256 (Dancer2-Plugin-Passphrase-3.4.1.tar.gz) = ea18cae7fc21b0db92b7ca0544ad97947a8442afdf78a39fb4aa2eaf514cf50f -SIZE (Dancer2-Plugin-Passphrase-3.4.1.tar.gz) = 19675 diff --git a/security/p5-Dancer2-Plugin-Passphrase/pkg-descr b/security/p5-Dancer2-Plugin-Passphrase/pkg-descr deleted file mode 100644 index 063cdc71f28f..000000000000 --- a/security/p5-Dancer2-Plugin-Passphrase/pkg-descr +++ /dev/null @@ -1,4 +0,0 @@ -Dancer2::Plugin::Passphrase manages the hashing of passwords for Dancer apps, -allowing developers to follow cryptography best practices without having to -become a cryptography expert. It uses the bcrypt algorithm as the default, -while also supporting any hashing function provided by Digest. diff --git a/security/p5-Dancer2-Plugin-Passphrase/pkg-plist b/security/p5-Dancer2-Plugin-Passphrase/pkg-plist deleted file mode 100644 index 6b920ec57fdc..000000000000 --- a/security/p5-Dancer2-Plugin-Passphrase/pkg-plist +++ /dev/null @@ -1,6 +0,0 @@ -%%SITE_PERL%%/Dancer2/Plugin/Passphrase.pm -%%SITE_PERL%%/Dancer2/Plugin/Passphrase/Core.pm -%%SITE_PERL%%/Dancer2/Plugin/Passphrase/Hashed.pm -%%PERL5_MAN3%%/Dancer2::Plugin::Passphrase.3.gz -%%PERL5_MAN3%%/Dancer2::Plugin::Passphrase::Core.3.gz -%%PERL5_MAN3%%/Dancer2::Plugin::Passphrase::Hashed.3.gz diff --git a/security/p5-Data-Entropy/Makefile b/security/p5-Data-Entropy/Makefile deleted file mode 100644 index 9908d5079b59..000000000000 --- a/security/p5-Data-Entropy/Makefile +++ /dev/null @@ -1,30 +0,0 @@ -PORTNAME= Data-Entropy -PORTVERSION= 0.008 -CATEGORIES= security perl5 -MASTER_SITES= CPAN -PKGNAMEPREFIX= p5- - -MAINTAINER= perl@FreeBSD.org -COMMENT= Entropy (randomness) management -WWW= https://metacpan.org/release/Data-Entropy - -LICENSE= ART10 GPLv1+ -LICENSE_COMB= dual - -DEPRECATED= The maintainer of this distribution has indicated that it is deprecated and no longer suitable for use -EXPIRATION_DATE=2025-05-31 - -BUILD_DEPENDS= ${RUN_DEPENDS} -RUN_DEPENDS= p5-Crypt-Rijndael>=0:security/p5-Crypt-Rijndael \ - p5-Crypt-URandom>=0.36:security/p5-Crypt-URandom \ - p5-Data-Float>=0.008:math/p5-Data-Float \ - p5-HTTP-Lite>=2.20:www/p5-HTTP-Lite \ - p5-Module-Build>=0:devel/p5-Module-Build \ - p5-Params-Classify>=0:devel/p5-Params-Classify - -USES= perl5 -USE_PERL5= configure - -NO_ARCH= yes - -.include <bsd.port.mk> diff --git a/security/p5-Data-Entropy/distinfo b/security/p5-Data-Entropy/distinfo deleted file mode 100644 index e50fa82fd6e0..000000000000 --- a/security/p5-Data-Entropy/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1744289416 -SHA256 (Data-Entropy-0.008.tar.gz) = 18a52b1386e82c6b8cdb384a39861d60220a442a790e077010be72dd853b67b3 -SIZE (Data-Entropy-0.008.tar.gz) = 40697 diff --git a/security/p5-Data-Entropy/pkg-descr b/security/p5-Data-Entropy/pkg-descr deleted file mode 100644 index e308b55388d9..000000000000 --- a/security/p5-Data-Entropy/pkg-descr +++ /dev/null @@ -1,18 +0,0 @@ -This module maintains a concept of a current selection of entropy -source. Algorithms that require entropy can use the source nominated -by this module, avoiding the need for entropy source objects to be -explicitly passed around. This is convenient because usually one -entropy source will be used for an entire program run and so an -explicit entropy source parameter would rarely vary. There is also a -default entropy source, avoiding the need to explicitly configure a -source at all. - -If nothing is done to set a source then it defaults to the use of -Rijndael (AES) in counter mode (see -Data::Entropy::RawSource::CryptCounter and Crypt::Rijndael), keyed -using Perl's built-in rand function. This gives a data stream that -looks like concentrated entropy, but really only has at most the -entropy of the rand seed. Within a single run it is cryptographically -difficult to detect the correlation between parts of the -pseudo-entropy stream. If more true entropy is required then it is -necessary to configure a different entropy source. diff --git a/security/p5-Data-Entropy/pkg-plist b/security/p5-Data-Entropy/pkg-plist deleted file mode 100644 index e83105a04eb9..000000000000 --- a/security/p5-Data-Entropy/pkg-plist +++ /dev/null @@ -1,14 +0,0 @@ -%%SITE_PERL%%/Data/Entropy.pm -%%SITE_PERL%%/Data/Entropy/Algorithms.pm -%%SITE_PERL%%/Data/Entropy/RawSource/CryptCounter.pm -%%SITE_PERL%%/Data/Entropy/RawSource/Local.pm -%%SITE_PERL%%/Data/Entropy/RawSource/RandomOrg.pm -%%SITE_PERL%%/Data/Entropy/RawSource/RandomnumbersInfo.pm -%%SITE_PERL%%/Data/Entropy/Source.pm -%%PERL5_MAN3%%/Data::Entropy.3.gz -%%PERL5_MAN3%%/Data::Entropy::Algorithms.3.gz -%%PERL5_MAN3%%/Data::Entropy::RawSource::CryptCounter.3.gz -%%PERL5_MAN3%%/Data::Entropy::RawSource::Local.3.gz -%%PERL5_MAN3%%/Data::Entropy::RawSource::RandomOrg.3.gz -%%PERL5_MAN3%%/Data::Entropy::RawSource::RandomnumbersInfo.3.gz -%%PERL5_MAN3%%/Data::Entropy::Source.3.gz diff --git a/security/pam_rssh/Makefile b/security/pam_rssh/Makefile index dcea9616f1c4..07652f65ae6e 100644 --- a/security/pam_rssh/Makefile +++ b/security/pam_rssh/Makefile @@ -1,7 +1,7 @@ PORTNAME= pam_rssh DISTVERSIONPREFIX=v DISTVERSION= 1.1.0 -PORTREVISION= 18 +PORTREVISION= 19 CATEGORIES= security MAINTAINER= romain@FreeBSD.org diff --git a/security/pdfrip/Makefile b/security/pdfrip/Makefile index afb4e2d25e80..bf4a65566578 100644 --- a/security/pdfrip/Makefile +++ b/security/pdfrip/Makefile @@ -1,6 +1,7 @@ PORTNAME= pdfrip DISTVERSIONPREFIX= v DISTVERSION= 2.0.1 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= fox@FreeBSD.org diff --git a/security/pidgin-encryption/Makefile b/security/pidgin-encryption/Makefile index 27911a16a7f9..4bf8d64e55ca 100644 --- a/security/pidgin-encryption/Makefile +++ b/security/pidgin-encryption/Makefile @@ -1,6 +1,6 @@ PORTNAME= pidgin PORTVERSION= 3.1 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= security MASTER_SITES= SF/${PORTNAME}-encrypt/Releases/${PORTVERSION} PKGNAMESUFFIX= -encryption diff --git a/security/py-angr/Makefile b/security/py-angr/Makefile index 4ffe1c4e8adf..7a3aace13fe1 100644 --- a/security/py-angr/Makefile +++ b/security/py-angr/Makefile @@ -1,7 +1,7 @@ PORTNAME= angr DISTVERSIONPREFIX= v DISTVERSION= ${ANGR_VERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security devel python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-bcrypt/Makefile b/security/py-bcrypt/Makefile index fe1618ce8018..f600a9238ade 100644 --- a/security/py-bcrypt/Makefile +++ b/security/py-bcrypt/Makefile @@ -1,6 +1,6 @@ PORTNAME= bcrypt DISTVERSION= 4.3.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-certifi/Makefile b/security/py-certifi/Makefile index 43a6cf3fd110..7931c8da5906 100644 --- a/security/py-certifi/Makefile +++ b/security/py-certifi/Makefile @@ -1,5 +1,5 @@ PORTNAME= certifi -PORTVERSION= 2025.7.14 +PORTVERSION= 2025.8.3 CATEGORIES= security python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-certifi/distinfo b/security/py-certifi/distinfo index 693b25863be4..46a418fec79c 100644 --- a/security/py-certifi/distinfo +++ b/security/py-certifi/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1752566722 -SHA256 (certifi-2025.7.14.tar.gz) = 8ea99dbdfaaf2ba2f9bac77b9249ef62ec5218e7c2b2e903378ed5fccf765995 -SIZE (certifi-2025.7.14.tar.gz) = 163981 +TIMESTAMP = 1755062576 +SHA256 (certifi-2025.8.3.tar.gz) = e564105f78ded564e3ae7c923924435e1daa7463faeab5bb932bc53ffae63407 +SIZE (certifi-2025.8.3.tar.gz) = 162386 diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile index b42dbc8ae694..4196068bf9b6 100644 --- a/security/py-cryptography/Makefile +++ b/security/py-cryptography/Makefile @@ -1,6 +1,6 @@ PORTNAME= cryptography PORTVERSION= 44.0.3 -PORTREVISION= 2 +PORTREVISION= 3 PORTEPOCH= 1 CATEGORIES= security python MASTER_SITES= PYPI diff --git a/security/py-onlykey/Makefile b/security/py-onlykey/Makefile deleted file mode 100644 index ef1985208211..000000000000 --- a/security/py-onlykey/Makefile +++ /dev/null @@ -1,44 +0,0 @@ -PORTNAME= onlykey -PORTVERSION= 1.2.2 -PORTREVISION= 4 -CATEGORIES= security python -MASTER_SITES= PYPI -PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} - -MAINTAINER= dmytro@posteo.net -COMMENT= Python command line tool for configuring and using OnlyKey -WWW= https://github.com/trustcrypto/python-onlykey - -LICENSE= MIT - -DEPRECATED= Depends on expired security/libu2f-host -EXPIRATION_DATE=2025-09-01 - -RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}hidapi>0:comms/py-hidapi@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}aenum>0:devel/py-aenum@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}six>0:devel/py-six@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}prompt-toolkit>=2:devel/py-prompt-toolkit@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}pynacl>=1.4.0:security/py-pynacl@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}ecdsa>=0.13:security/py-ecdsa@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}cython>=0.23.4:lang/cython@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}libusb1>0:devel/py-libusb1@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}uhid-freebsd>0:devel/py-uhid-freebsd@${PY_FLAVOR} \ - u2f-host:security/libu2f-host - -USES= python -USE_PYTHON= autoplist distutils - -SUB_FILES= pkg-message - -PLIST_FILES= "@sample ${PREFIX}/etc/devd/onlykey.conf.sample" \ - "${PREFIX}/share/man/man1/onlykey-cli.1.gz" - -NO_ARCH= yes - -post-install: - @${MKDIR} ${STAGEDIR}${PREFIX}/etc/devd - ${INSTALL_DATA} ${FILESDIR}/onlykey.conf.sample \ - ${STAGEDIR}${PREFIX}/etc/devd - ${INSTALL_MAN} ${FILESDIR}/onlykey-cli.1 ${STAGEDIR}${PREFIX}/share/man/man1 - -.include <bsd.port.mk> diff --git a/security/py-onlykey/distinfo b/security/py-onlykey/distinfo deleted file mode 100644 index 7e00628c1ffa..000000000000 --- a/security/py-onlykey/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1603049784 -SHA256 (onlykey-1.2.2.tar.gz) = b17197715e9197885574a0806cce8af087756f99c87d27415be7d15e967a6be2 -SIZE (onlykey-1.2.2.tar.gz) = 11911 diff --git a/security/py-onlykey/files/onlykey-cli.1 b/security/py-onlykey/files/onlykey-cli.1 deleted file mode 100644 index d8bf2f0583cb..000000000000 --- a/security/py-onlykey/files/onlykey-cli.1 +++ /dev/null @@ -1,230 +0,0 @@ -.Dd October 23, 2020 -.Dt ONLYKEY-CLI 1 -.Os -.Sh NAME -.Nm onlykey-cli -.Nd Python client for interacting with the OnlyKey -.Sh SYNOPSIS -.Nm -.Op Ar command -.Sh DESCRIPTION -.Nm -is a command line interface to the OnlyKey that can be used for -configuration (similar functionality to OnlyKey App). You can either -provide a -.Ar command -to get it executed immediately or run -.Nm -without parameters to open an interactive prompt and type commands there. -.Sh COMMANDS -.Bl -tag -width 2n -.It Xo -.Cm init -.Xc -.Pp -Sets OnlyKey into initial configuration mode (setting PIN). -.It Xo -.Cm settime -.Xc -.Pp -Sets time on OnlyKey, time is needed for TOTP (Google Authenticator). -.It Xo -.Cm getlabels -.Xc -.Pp -Prints label for each slot. -.It Xo -.Cm getkeylabels -.Xc -.Pp -Prints key label for each RSA and ECC key. -.It Xo -.Cm setslot -.Ar slot_id -.Ar type -.Ar value -.Xc -.Pp -For the specified slot sets parameter of the specified -.Ar type -to the -.Ar value -provided. -.Bl -tag -width indent -.It Ar slot_id -Slot id: 1a-6b. -.It Ar type -Type of the parameter to set. Must be one of the following: -.Bl -tag -offset 4n -width 8n -.It Sy label -The slot label. -.It Sy url -URL of the login page. -.It Sy delay1 -Delay after entering URL, seconds: 0-9. -.It Sy add_char1 -Additional character before username: 1 for TAB, 0 to clear. -.It Sy username -Username to login. -.It Sy add_char2 -Additional character after username: 1 for TAB, 2 for RETURN. -.It Sy delay2 -Delay after entering username, seconds: 0-9. -.It Sy password -Password to login. -.It Sy add_char3 -Additional character after password: 1 for TAB, 2 for RETURN. -.It Sy delay3 -Delay after entering password, seconds: 0-9. -.It Sy add_char4 -Additional character before OTP: 1 for TAB, 2 for RETURN. -.It Sy 2fa -Type of two factor authentication: g for Google Authenticator, y - Yubico OTP, u - U2F. -.It Sy totpkey -Google Authenticator key. -.It Sy add_char5 -Additional character after OTP: 1 for TAB, 2 for RETURN. -.El -.It Ar value -Value to set, see accepted values in each parameter type description above. -.El -.It Xo -.Cm wipeslot -.Ar slot_id -.Xc -.Pp -Erases all the data (URL/username/password/label/etc.) of the slot with provided -.Ar slot_id -(1a-6b). -.It Xo -.Cm setkey -.Ar key_slot -.Ar key_type -.Xc -.Pp -Sets custom key of provided -.Ar key_type -to the -.Ar key_slot . -.It Xo -.Cm wipekey -.Ar key_slot -.Xc -.Pp -Wipes custom key from the provided -.Ar key_slot . -.It Xo -.Cm idletimeout -.Ar timeout -.Xc -.Pp -Sets the OnlyKey auto-lock time value to -.Ar timout -minutes: 1-255; default is 30; 0 to disable. -.It Xo -.Cm wipemode -.Ar mode_id -.Xc -.Pp -Configures how the OnlyKey responds to a factory reset. Accepted -.Ar mode_id -values are: -.Bl -tag -width indent -.It 1 -Only sensitive data will be wiped (default). -.It 2 -Entire OnlyKey device will be wiped, including firmware. Firmware must be -reloaded after factory reset. This mode is recommended for plausible -deniability users. WARNING: setting to this mode cannot be changed. -.El -.It Xo -.Cm keylayout -.Ar layout_id -.Xc -.Pp -Configures the OnlyKey keyboard layout. Accepted -.Ar layout_id -values are: -.Bl -tag -width indent -.It 1 -USA_ENGLISH (default). -.It 2 -CANADIAN_FRENCH. -.It 3 -CANADIAN_MULTILINGUAL. -.It 4 -DANISH. -.It 5 -FINNISH. -.It 6 -FRENCH. -.It 7 -FRENCH_BELGIAN. -.It 8 -FRENCH_SWISS. -.It 9 -GERMAN. -.It 10 -GERMAN_MAC. -.It 11 -GERMAN_SWISS. -.It 12 -ICELANDIC. -.It 13 -IRISH. -.It 14 -ITALIAN. -.It 15 -NORWEGIAN. -.It 16 -PORTUGUESE. -.It 17 -PORTUGUESE_BRAZILIAN. -.It 18 -SPANISH. -.It 19 -SPANISH_LATIN_AMERICA. -.It 20 -SWEDISH. -.It 21 -TURKISH. -.It 22 -UNITED_KINGDOM. -.It 23 -CZECH. -.It 24 -SERBIAN_LATIN_ONLY. -.It 25 -HUNGARIAN. -.El -.It Xo -.Cm keytypespeed -.Ar speed -.Xc -.Pp -Sets type -.Ar speed -: 1 is slowest; 10 is fastest; 4 is default. -.Sh BUGS -Sometimes the -.Nm -doesn't recognize that PIN has been entered and the OnlyKey in unlocked -successfully. -In such case any command to the OnlyKey fails with an -error 'OnlyKey is locked, enter PIN to unlock'. -The workaround for such issue is to just retry one more time. -.Sh AUTHORS -This manual page is a -.Xr mdoc 7 -reimplementation of the OnlyKey PIP module's README.md, -modified and customized for -.Fx . The -.Xr mdoc 7 -implementation of this manual page was initially written by -.An Dmytro Bilokha Aq dmytro@posteo.net . -.Sh WWW -Main OnlyKey product page: https://onlykey.io/ - -OnlyKey documentation site: https://docs.crp.to/ - -Source code: https://github.com/trustcrypto/python-onlykey diff --git a/security/py-onlykey/files/onlykey.conf.sample b/security/py-onlykey/files/onlykey.conf.sample deleted file mode 100644 index 703ab3be66de..000000000000 --- a/security/py-onlykey/files/onlykey.conf.sample +++ /dev/null @@ -1,31 +0,0 @@ -# OnlyKey Security KEY -notify 100 { - match "system" "USB"; - match "subsystem" "DEVICE"; - match "type" "ATTACH"; - match "vendor" "0x1d50"; - match "product" "0x60fc"; - action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev"; -}; - -notify 100 { - match "system" "USB"; - match "subsystem" "DEVICE"; - match "type" "ATTACH"; - match "vendor" "0x16c0"; - match "product" "0x0486"; - action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev"; -}; - -attach 100 { - match "vendor" "0x1d50"; - match "product" "0x60fc"; - action "chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name"; -}; - -attach 100 { - match "vendor" "0x16c0"; - match "product" "0x0486"; - action "chgrp u2f /dev/$device-name; chmod g+rw /dev/$device-name"; -}; - diff --git a/security/py-onlykey/files/pkg-message.in b/security/py-onlykey/files/pkg-message.in deleted file mode 100644 index 3b82056a0726..000000000000 --- a/security/py-onlykey/files/pkg-message.in +++ /dev/null @@ -1,8 +0,0 @@ -[ -{ type: install - message: <<EOM -By default the usage of OnlyKey will be allowed to users of the 'u2f' -group. To override this edit %%PREFIX%%/etc/devd/onlykey.conf -EOM -} -] diff --git a/security/py-onlykey/pkg-descr b/security/py-onlykey/pkg-descr deleted file mode 100644 index 05fff212216a..000000000000 --- a/security/py-onlykey/pkg-descr +++ /dev/null @@ -1,2 +0,0 @@ -Python command line tool for configuring and using the OnlyKey -hardware password manager. diff --git a/security/py-passhole/Makefile b/security/py-passhole/Makefile index 5cddfbe4da36..08723f8862cb 100644 --- a/security/py-passhole/Makefile +++ b/security/py-passhole/Makefile @@ -1,5 +1,6 @@ PORTNAME= passhole DISTVERSION= 1.10.1 +PORTREVISION= 1 CATEGORIES= security python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-pyhanko-cli/Makefile b/security/py-pyhanko-cli/Makefile index 9072a46e37ba..d5834355e802 100644 --- a/security/py-pyhanko-cli/Makefile +++ b/security/py-pyhanko-cli/Makefile @@ -1,6 +1,7 @@ PORTNAME= pyhanko-cli DISTNAME= pyhanko_cli-${PORTVERSION} PORTVERSION= 0.1.2 +PORTREVISION= 1 CATEGORIES= security python MASTER_SITES= PYPI PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-pyhanko/Makefile b/security/py-pyhanko/Makefile index d2474bde825d..15de838aa27f 100644 --- a/security/py-pyhanko/Makefile +++ b/security/py-pyhanko/Makefile @@ -1,5 +1,6 @@ PORTNAME= pyhanko PORTVERSION= 0.29.1 +PORTREVISION= 1 CATEGORIES= security python MASTER_SITES= PYPI \ https://github.com/MatthiasValvekens/pyHanko/releases/download/v${PORTVERSION}/ diff --git a/security/rage-encryption/Makefile b/security/rage-encryption/Makefile index 6a0dd637ff94..688f7197901f 100644 --- a/security/rage-encryption/Makefile +++ b/security/rage-encryption/Makefile @@ -1,7 +1,7 @@ PORTNAME= rage DISTVERSIONPREFIX= v DISTVERSION= 0.11.1 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= security PKGNAMESUFFIX= -encryption diff --git a/security/ratify/Makefile b/security/ratify/Makefile index db9db6f9fdb5..8c9a246dcef4 100644 --- a/security/ratify/Makefile +++ b/security/ratify/Makefile @@ -1,6 +1,6 @@ PORTNAME= ratify DISTVERSION= 2.2.0 -PORTREVISION= 9 +PORTREVISION= 10 CATEGORIES= security MAINTAINER= yuri@FreeBSD.org diff --git a/security/rpm-sequoia/Makefile b/security/rpm-sequoia/Makefile index 3b78fd2817a8..344c34f5b2cf 100644 --- a/security/rpm-sequoia/Makefile +++ b/security/rpm-sequoia/Makefile @@ -1,6 +1,7 @@ PORTNAME= rpm-sequoia DISTVERSIONPREFIX= v DISTVERSION= 1.9.0 +PORTREVISION= 1 CATEGORIES= security archivers MAINTAINER= yuri@FreeBSD.org diff --git a/security/rubygem-acme-client/Makefile b/security/rubygem-acme-client/Makefile index 1e962af25ae9..f3f78774f3e4 100644 --- a/security/rubygem-acme-client/Makefile +++ b/security/rubygem-acme-client/Makefile @@ -1,5 +1,5 @@ PORTNAME= acme-client -PORTVERSION= 2.0.22 +PORTVERSION= 2.0.23 CATEGORIES= security rubygems MASTER_SITES= RG diff --git a/security/rubygem-acme-client/distinfo b/security/rubygem-acme-client/distinfo index f1249e2a15c4..0e4cb4a697a8 100644 --- a/security/rubygem-acme-client/distinfo +++ b/security/rubygem-acme-client/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1751622403 -SHA256 (rubygem/acme-client-2.0.22.gem) = 817534b743e2c93b3e498dad6b0f1a96a8e6df273bb04e37525d586a519176f7 -SIZE (rubygem/acme-client-2.0.22.gem) = 21504 +TIMESTAMP = 1755062612 +SHA256 (rubygem/acme-client-2.0.23.gem) = 33241b5bdb5179283ad52591c751bafcc4225e62d81c003c23891e48a3c107ac +SIZE (rubygem/acme-client-2.0.23.gem) = 21504 diff --git a/security/rubygem-gitlab-cloud-connector/Makefile b/security/rubygem-gitlab-cloud-connector/Makefile index 6636b36e9282..45f94f9b9f71 100644 --- a/security/rubygem-gitlab-cloud-connector/Makefile +++ b/security/rubygem-gitlab-cloud-connector/Makefile @@ -1,5 +1,5 @@ PORTNAME= gitlab-cloud-connector -PORTVERSION= 1.26.0 +PORTVERSION= 1.31.0 CATEGORIES= security rubygems MASTER_SITES= RG diff --git a/security/rubygem-gitlab-cloud-connector/distinfo b/security/rubygem-gitlab-cloud-connector/distinfo index f8e69490bb53..b78319ef695e 100644 --- a/security/rubygem-gitlab-cloud-connector/distinfo +++ b/security/rubygem-gitlab-cloud-connector/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1755677339 -SHA256 (rubygem/gitlab-cloud-connector-1.26.0.gem) = c1c8f82ae7f28b7d69e1fbe79c121f894d1166a9e0da01abcf741467150f0bcc -SIZE (rubygem/gitlab-cloud-connector-1.26.0.gem) = 19456 +TIMESTAMP = 1756619785 +SHA256 (rubygem/gitlab-cloud-connector-1.31.0.gem) = 9eca91864372b2e634ace0ba868a8341b2a822f736c42729d866694ed7f38d25 +SIZE (rubygem/gitlab-cloud-connector-1.31.0.gem) = 19968 diff --git a/security/rustls-ffi/Makefile b/security/rustls-ffi/Makefile index 65a625c0905d..9c6efa0fa885 100644 --- a/security/rustls-ffi/Makefile +++ b/security/rustls-ffi/Makefile @@ -1,7 +1,7 @@ PORTNAME= rustls-ffi DISTVERSIONPREFIX= v DISTVERSION= 0.15.0 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security MAINTAINER= brnrd@FreeBSD.org diff --git a/security/rustls-ffi/files/patch-cargo-crates_aws-lc-sys-0.24.0_aws-lc_include_openssl_target.h b/security/rustls-ffi/files/patch-cargo-crates_aws-lc-sys-0.24.0_aws-lc_include_openssl_target.h new file mode 100644 index 000000000000..c95774d5f41f --- /dev/null +++ b/security/rustls-ffi/files/patch-cargo-crates_aws-lc-sys-0.24.0_aws-lc_include_openssl_target.h @@ -0,0 +1,20 @@ +--- cargo-crates/aws-lc-sys-0.24.0/aws-lc/include/openssl/target.h.orig 2025-09-03 10:05:29 UTC ++++ cargo-crates/aws-lc-sys-0.24.0/aws-lc/include/openssl/target.h +@@ -34,14 +34,14 @@ + #elif defined(__ARMEL__) || defined(_M_ARM) + #define OPENSSL_32_BIT + #define OPENSSL_ARM +-#elif (defined(__PPC64__) || defined(__powerpc64__)) && defined(_LITTLE_ENDIAN) ++#elif (defined(__PPC64__) || defined(__powerpc64__)) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + #define OPENSSL_64_BIT + #define OPENSSL_PPC64LE +-#elif (defined(__PPC64__) || defined(__powerpc64__)) && defined(_BIG_ENDIAN) ++#elif (defined(__PPC64__) || defined(__powerpc64__)) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + #define OPENSSL_64_BIT + #define OPENSSL_PPC64BE + #define OPENSSL_BIG_ENDIAN +-#elif (defined(__PPC__) || defined(__powerpc__)) && defined(_BIG_ENDIAN) ++#elif (defined(__PPC__) || defined(__powerpc__)) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + #define OPENSSL_32_BIT + #define OPENSSL_PPC32BE + #define OPENSSL_BIG_ENDIAN diff --git a/security/rustscan/Makefile b/security/rustscan/Makefile index 0c0e061e5907..403a1d9714a0 100644 --- a/security/rustscan/Makefile +++ b/security/rustscan/Makefile @@ -1,6 +1,6 @@ PORTNAME= rustscan PORTVERSION= 2.4.1 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security MAINTAINER= bofh@FreeBSD.org diff --git a/security/sequoia-chameleon-gnupg/Makefile b/security/sequoia-chameleon-gnupg/Makefile index 31ac7bb3e6d0..f66d9dcdaadb 100644 --- a/security/sequoia-chameleon-gnupg/Makefile +++ b/security/sequoia-chameleon-gnupg/Makefile @@ -1,7 +1,7 @@ PORTNAME= sequoia-chameleon-gnupg DISTVERSIONPREFIX= v DISTVERSION= 0.13.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MAINTAINER= vishwin@FreeBSD.org diff --git a/security/sequoia-sq/Makefile b/security/sequoia-sq/Makefile index 4ce523dcf47c..26e06e16fa59 100644 --- a/security/sequoia-sq/Makefile +++ b/security/sequoia-sq/Makefile @@ -1,7 +1,7 @@ PORTNAME= sq DISTVERSIONPREFIX= v DISTVERSION= 1.3.1 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security PKGNAMEPREFIX= sequoia- diff --git a/security/shibboleth-sp/Makefile b/security/shibboleth-sp/Makefile index d7673458c7f6..96c934a50720 100644 --- a/security/shibboleth-sp/Makefile +++ b/security/shibboleth-sp/Makefile @@ -1,6 +1,5 @@ PORTNAME= shibboleth-sp -PORTVERSION= 3.5.0 -PORTREVISION= 3 +PORTVERSION= 3.5.1 CATEGORIES= security www MASTER_SITES= http://shibboleth.net/downloads/service-provider/${PORTVERSION}/ diff --git a/security/shibboleth-sp/distinfo b/security/shibboleth-sp/distinfo index 483bd5f40c67..34c8b575369e 100644 --- a/security/shibboleth-sp/distinfo +++ b/security/shibboleth-sp/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1729173100 -SHA256 (shibboleth-sp-3.5.0.tar.bz2) = f301604bd17ee4d94a66e6dd7ad1c3f0917949a4a12176d55614483d78fefe58 -SIZE (shibboleth-sp-3.5.0.tar.bz2) = 834909 +TIMESTAMP = 1756924496 +SHA256 (shibboleth-sp-3.5.1.tar.bz2) = 05da3a09d76c3ba1a5ddd7f919fd942be2d87025f214aba139c2b64b804f9a99 +SIZE (shibboleth-sp-3.5.1.tar.bz2) = 837446 diff --git a/security/shibboleth-sp/pkg-plist b/security/shibboleth-sp/pkg-plist index 44d5c5a1a91c..0111f1e8eb89 100644 --- a/security/shibboleth-sp/pkg-plist +++ b/security/shibboleth-sp/pkg-plist @@ -92,7 +92,7 @@ include/shibsp/util/TemplateParameters.h include/shibsp/version.h lib/libshibsp.so lib/libshibsp.so.12 -lib/libshibsp.so.12.0.0 +lib/libshibsp.so.12.0.1 lib/shibboleth/adfs-lite.so lib/shibboleth/adfs.so @comment %%MEMCACHED%%lib/shibboleth/memcache-store.so @@ -104,7 +104,7 @@ lib/shibboleth/plugins.so %%FASTCGI%%lib/shibboleth/shibresponder lib/libshibsp-lite.so lib/libshibsp-lite.so.12 -lib/libshibsp-lite.so.12.0.0 +lib/libshibsp-lite.so.12.0.1 libdata/pkgconfig/shibsp-lite.pc libdata/pkgconfig/shibsp.pc sbin/shibd diff --git a/security/sniffglue/Makefile b/security/sniffglue/Makefile index 9a1ab670897b..d7331e6fdaf9 100644 --- a/security/sniffglue/Makefile +++ b/security/sniffglue/Makefile @@ -1,7 +1,7 @@ PORTNAME= sniffglue DISTVERSIONPREFIX= v DISTVERSION= 0.16.1 -PORTREVISION= 6 +PORTREVISION= 7 CATEGORIES= security MAINTAINER= freebsd@sysctl.cz diff --git a/security/ssh-vault/Makefile b/security/ssh-vault/Makefile index b987279ac1eb..7b45ec510645 100644 --- a/security/ssh-vault/Makefile +++ b/security/ssh-vault/Makefile @@ -1,6 +1,6 @@ PORTNAME= ssh-vault PORTVERSION= 1.0.10 -PORTREVISION= 13 +PORTREVISION= 14 CATEGORIES= security MASTER_SITES= CRATESIO DISTFILES= ${CARGO_DIST_SUBDIR}/${DISTNAME}${CARGO_CRATE_EXT} diff --git a/security/sudo-rs/Makefile b/security/sudo-rs/Makefile index 1f27827c26f6..a76bfdb2f580 100644 --- a/security/sudo-rs/Makefile +++ b/security/sudo-rs/Makefile @@ -1,6 +1,7 @@ PORTNAME= sudo-rs DISTVERSIONPREFIX= v DISTVERSION= 0.2.8 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= marc@trifectatech.org diff --git a/security/suricata/Makefile b/security/suricata/Makefile index 9cc82a37e912..ac84d4d9587d 100644 --- a/security/suricata/Makefile +++ b/security/suricata/Makefile @@ -1,5 +1,6 @@ PORTNAME= suricata DISTVERSION= 7.0.11 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= https://www.openinfosecfoundation.org/download/ diff --git a/security/trivy/Makefile b/security/trivy/Makefile index 25ee7423ffe0..73dc6b9c2181 100644 --- a/security/trivy/Makefile +++ b/security/trivy/Makefile @@ -1,7 +1,6 @@ PORTNAME= trivy DISTVERSIONPREFIX= v -DISTVERSION= 0.65.0 -PORTREVISION= 1 +DISTVERSION= 0.66.0 CATEGORIES= security MAINTAINER= mfechner@FreeBSD.org diff --git a/security/trivy/distinfo b/security/trivy/distinfo index 46e3fca7da86..c7848514d223 100644 --- a/security/trivy/distinfo +++ b/security/trivy/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1754018480 -SHA256 (go/security_trivy/trivy-v0.65.0/v0.65.0.mod) = 2aa9419ba4e6e58feb3f2c87aac23fba02f1bc260265682007d4a3a74638bc22 -SIZE (go/security_trivy/trivy-v0.65.0/v0.65.0.mod) = 26160 -SHA256 (go/security_trivy/trivy-v0.65.0/v0.65.0.zip) = fa97802cb042c4627e6fe3f2ad5664a2efb85281ed38c63c76ffaa24aeac5065 -SIZE (go/security_trivy/trivy-v0.65.0/v0.65.0.zip) = 59139682 +TIMESTAMP = 1756878437 +SHA256 (go/security_trivy/trivy-v0.66.0/v0.66.0.mod) = 41bedcea560a0f606080b34320349b4c21d920aeadb0e57a81d5fcbc4cf58823 +SIZE (go/security_trivy/trivy-v0.66.0/v0.66.0.mod) = 25763 +SHA256 (go/security_trivy/trivy-v0.66.0/v0.66.0.zip) = 78fb7cca5602ee1927808488e3306a9d0d1ba26c4817ceff055d10ed04da9d1b +SIZE (go/security_trivy/trivy-v0.66.0/v0.66.0.zip) = 59145292 diff --git a/security/vaultwarden/Makefile b/security/vaultwarden/Makefile index 63c287e2119f..82a26d7d1c4b 100644 --- a/security/vaultwarden/Makefile +++ b/security/vaultwarden/Makefile @@ -1,5 +1,6 @@ PORTNAME= vaultwarden DISTVERSION= 1.34.3 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= mr@FreeBSD.org diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml index d587a9dae0e9..a7e620621142 100644 --- a/security/vuxml/vuln/2025.xml +++ b/security/vuxml/vuln/2025.xml @@ -1,3 +1,169 @@ + <vuln vid="340dc4c1-895a-11f0-b6e5-4ccc6adda413"> + <topic>exiv2 -- Denial-of-service</topic> + <affects> + <package> + <name>exiv2</name> + <range><lt>0.28.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Kevin Backhouse reports:</p> + <blockquote cite="https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g"> + <p>A denial-of-service was found in Exiv2 version v0.28.5: a quadratic + algorithm in the ICC profile parsing code in jpegBase::readMetadata() + can cause Exiv2 to run for a long time. Exiv2 is a command-line utility + and C++ library for reading, writing, deleting, and modifying the + metadata of image files. The denial-of-service is triggered when Exiv2 + is used to read the metadata of a crafted jpg image file.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-55304</cvename> + <url>https://github.com/Exiv2/exiv2/security/advisories/GHSA-m54q-mm9w-fp6g</url> + </references> + <dates> + <discovery>2025-08-29</discovery> + <entry>2025-09-04</entry> + </dates> + </vuln> + + <vuln vid="84a77710-8958-11f0-b6e5-4ccc6adda413"> + <topic>exiv2 -- Out-of-bounds read in Exiv2::EpsImage::writeMetadata()</topic> + <affects> + <package> + <name>exiv2</name> + <range><lt>0.28.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Kevin Backhouse reports:</p> + <blockquote cite="https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39"> + <p>An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier. + Exiv2 is a command-line utility and C++ library for reading, writing, + deleting, and modifying the metadata of image files. The out-of-bounds + read is triggered when Exiv2 is used to write metadata into a crafted + image file. An attacker could potentially exploit the vulnerability to + cause a denial of service by crashing Exiv2, if they can trick the victim + into running Exiv2 on a crafted image file.</p> + <p>Note that this bug is only triggered when writing the metadata, which + is a less frequently used Exiv2 operation than reading the metadata. For + example, to trigger the bug in the Exiv2 command-line application, you + need to add an extra command-line argument such as delete.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-54080</cvename> + <url>https://github.com/Exiv2/exiv2/security/advisories/GHSA-496f-x7cq-cq39</url> + </references> + <dates> + <discovery>2025-08-29</discovery> + <entry>2025-09-04</entry> + </dates> + </vuln> + + <vuln vid="0db8684f-8938-11f0-8325-bc2411f8eb0b"> + <topic>Django -- multiple vulnerabilities</topic> + <affects> + <package> + <name>py39-django42</name> + <name>py310-django42</name> + <name>py311-django42</name> + <range><lt>4.2.24</lt></range> + </package> + <package> + <name>py310-django51</name> + <name>py311-django51</name> + <range><lt>5.1.12</lt></range> + </package> + <package> + <name>py310-django52</name> + <name>py311-django52</name> + <range><lt>5.2.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Django reports:</p> + <blockquote cite="https://www.djangoproject.com/weblog/2025/sep/03/security-releases/"> + <p>CVE-2025-57833: Potential SQL injection in FilteredRelation column aliases.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-57833</cvename> + <url>https://www.djangoproject.com/weblog/2025/sep/03/security-releases/</url> + </references> + <dates> + <discovery>2025-09-01</discovery> + <entry>2025-09-04</entry> + </dates> + </vuln> + + <vuln vid="9f9b0b37-88fa-11f0-90a2-6cc21735f730"> + <topic>Shibboleth Service Provider -- SQL injection vulnerability in ODBC plugin</topic> + <affects> + <package> + <name>shibboleth-sp</name> + <range><lt>3.5.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Internet2 reports:</p> + <blockquote cite="https://shibboleth.net/community/advisories/secadv_20250903.txt"> + <p>The Shibboleth Service Provider includes a storage API usable + for a number of different use cases such as the session cache, + replay cache, and relay state management. An ODBC extension + plugin is provided with some distributions of the software + (notably on Windows).</p> + <p>A SQL injection vulnerability was identified in some of the + queries issued by the plugin, and this can be creatively + exploited through specially crafted inputs to exfiltrate + information stored in the database used by the SP.</p> + </blockquote> + </body> + </description> + <references> + <url>https://shibboleth.net/community/advisories/secadv_20250903.txt</url> + </references> + <dates> + <discovery>2025-09-03</discovery> + <entry>2025-09-03</entry> + </dates> + </vuln> + + <vuln vid="aaa060af-88d6-11f0-a294-b0416f0c4c67"> + <topic>Vieb -- Remote Code Execution via Visiting Untrusted URLs</topic> + <affects> + <package> + <name>linux-vieb</name> + <range><lt>12.4.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Zhengyu Liu, Jianjia Yu, Jelmer van Arnhem report:</p> + <blockquote cite="https://github.com/Jelmerro/Vieb/security/advisories/GHSA-h2fq-667q-7gpm"> + <p>We discovered a remote code execution (RCE) vulnerability in the latest + release of the Vieb browser (v12.3.0). By luring a user to visit a + malicious website, an attacker can achieve arbitrary code execution on the + victim’s machine.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/Jelmerro/Vieb/security/advisories/GHSA-h2fq-667q-7gpm</url> + </references> + <dates> + <discovery>2025-07-31</discovery> + <entry>2025-09-03</entry> + </dates> + </vuln> + <vuln vid="d7b7e505-8486-11f0-9d03-2cf05da270f3"> <topic>Gitlab -- vulnerabilities</topic> <affects> diff --git a/security/yubikey-manager-qt/Makefile b/security/yubikey-manager-qt/Makefile deleted file mode 100644 index 9a92a11991df..000000000000 --- a/security/yubikey-manager-qt/Makefile +++ /dev/null @@ -1,50 +0,0 @@ -PORTNAME= yubikey-manager-qt -DISTVERSIONPREFIX= yubikey-manager-qt- -DISTVERSION= 1.2.0 -PORTREVISION= 1 -CATEGORIES= security - -MAINTAINER= daniel@shafer.cc -COMMENT= Cross-platform application for configuring any YubiKey -WWW= https://developers.yubico.com/yubikey-manager-qt/ - -LICENSE= BSD2CLAUSE -LICENSE_FILE= ${WRKSRC}/COPYING - -DEPRECATED= Depends on expired security/libu2f-host via security/py-yubikey-manager -EXPIRATION_DATE=2025-09-01 - -BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yubikey-manager>0:security/py-yubikey-manager@${PY_FLAVOR} \ - pyotherside-qt5>0:devel/pyotherside-qt5 -RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yubikey-manager>0:security/py-yubikey-manager@${PY_FLAVOR} \ - pyotherside-qt5>0:devel/pyotherside-qt5 - -USES= compiler:c++11-lang gl pkgconfig python qt:5 qmake \ - shebangfix -USE_GL= gl -USE_QT= core declarative graphicaleffects gui network quickcontrols \ - quickcontrols2 svg widgets buildtools:build - -USE_GITHUB= yes -GH_ACCOUNT= Yubico - -SHEBANG_FILES= ykman-gui/py/yubikey.py \ - ykman-cli/test.py \ - ykman-cli/py/cli.py \ - build_qrc.py - -PLIST_FILES= bin/ykman-gui \ - share/applications/ykman-gui.desktop \ - share/pixmaps/ykman.png - -post-extract: - @${REINPLACE_CMD} -e '/system/s|python|${PYTHON_CMD}|g' ${WRKSRC}/ykman-gui/ykman-gui.pro \ - ${WRKSRC}/ykman-cli/ykman-cli.pro - @${REINPLACE_CMD} -e 's|/usr/bin/ykman-gui|${PREFIX}/bin/ykman-gui|g' ${WRKSRC}/resources/linux/AppRun - @${REINPLACE_CMD} -e 's|target.path = /usr/bin|target.path = ${PREFIX}/bin|g' ${WRKSRC}/ykman-gui/deployment.pri - -post-install: - ${INSTALL_DATA} ${WRKSRC}/resources/ykman-gui.desktop ${STAGEDIR}${PREFIX}/share/applications - ${INSTALL_DATA} ${WRKSRC}/resources/icons/ykman.png ${STAGEDIR}${PREFIX}/share/pixmaps - -.include <bsd.port.mk> diff --git a/security/yubikey-manager-qt/distinfo b/security/yubikey-manager-qt/distinfo deleted file mode 100644 index d8ad64d7c0ac..000000000000 --- a/security/yubikey-manager-qt/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1616216055 -SHA256 (Yubico-yubikey-manager-qt-yubikey-manager-qt-1.2.0_GH0.tar.gz) = 3f3c998f93b74b869c232f5f951a9d7b2f68b007c20be8e39a698e24ea7aae0b -SIZE (Yubico-yubikey-manager-qt-yubikey-manager-qt-1.2.0_GH0.tar.gz) = 17311666 diff --git a/security/yubikey-manager-qt/pkg-descr b/security/yubikey-manager-qt/pkg-descr deleted file mode 100644 index 86b0e115ab9f..000000000000 --- a/security/yubikey-manager-qt/pkg-descr +++ /dev/null @@ -1,2 +0,0 @@ -Cross-platform application for configuring any YubiKey -over all USB interfaces. diff --git a/security/yubikey-manager-qt/pkg-message b/security/yubikey-manager-qt/pkg-message deleted file mode 100644 index 69e21c9701be..000000000000 --- a/security/yubikey-manager-qt/pkg-message +++ /dev/null @@ -1,7 +0,0 @@ -[ -{ type: install - message: <<EOM -In addition to the application itself, you may also need to manually install and start the pcscd service <devel/pcsc-lite> for CCID support. -EOM -} -] diff --git a/security/yubioath-desktop/Makefile b/security/yubioath-desktop/Makefile deleted file mode 100644 index 7f536c778050..000000000000 --- a/security/yubioath-desktop/Makefile +++ /dev/null @@ -1,48 +0,0 @@ -PORTNAME= yubioath-desktop -DISTVERSIONPREFIX= yubioath-desktop- -DISTVERSION= 5.0.4 -PORTREVISION= 2 -CATEGORIES= security - -MAINTAINER= daniel@shafer.cc -COMMENT= GUI for displaying OATH codes with a Yubikey -WWW= https://developers.yubico.com/yubioath-desktop/ - -LICENSE= BSD2CLAUSE -LICENSE_FILE= ${WRKSRC}/COPYING - -DEPRECATED= Depends on expired security/libu2f-host via security/py-yubikey-manager -EXPIRATION_DATE=2025-09-01 - -RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}yubikey-manager>=0.7.0:security/py-yubikey-manager@${PY_FLAVOR} \ - pyotherside-qt5>0:devel/pyotherside-qt5 \ - RSA_SecurID_getpasswd:devel/libccid \ - libffi>0:devel/libffi \ - pcscd:devel/pcsc-lite \ - swig:devel/swig - -USES= compiler:c++11-lang desktop-file-utils gl python qmake qt:5 \ - shebangfix ssl -USE_GL= gl -USE_QT= core declarative gui network quickcontrols2 svg widgets buildtools:build - -USE_GITHUB= yes -GH_ACCOUNT= Yubico - -SHEBANG_FILES= build_qrc.py \ - py/yubikey.py \ - -PLIST_FILES= bin/yubioath-desktop \ - share/applications/com.yubico.yubioath.desktop \ - share/pixmaps/com.yubico.yubioath.png - -post-patch: - @${REINPLACE_CMD} -e '/PYTHON_CMD/s|python3|${PYTHON_CMD}|g' \ - ${WRKSRC}/yubioath-desktop.pro - @${REINPLACE_CMD} -e 's|target.path = /usr/bin|target.path = ${PREFIX}/bin|g' ${WRKSRC}/deployment.pri - -post-install: - ${INSTALL_DATA} ${WRKSRC}/resources/com.yubico.yubioath.desktop ${STAGEDIR}${PREFIX}/share/applications - ${INSTALL_DATA} ${WRKSRC}/resources/icons/com.yubico.yubioath.png ${STAGEDIR}${PREFIX}/share/pixmaps - -.include <bsd.port.mk> diff --git a/security/yubioath-desktop/distinfo b/security/yubioath-desktop/distinfo deleted file mode 100644 index 568b3dd1904e..000000000000 --- a/security/yubioath-desktop/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1616213145 -SHA256 (Yubico-yubioath-desktop-yubioath-desktop-5.0.4_GH0.tar.gz) = b47c8715e415b0e0ea0237e6f56d328fc8d3303a87ad89d4540d4f4a93138bd7 -SIZE (Yubico-yubioath-desktop-yubioath-desktop-5.0.4_GH0.tar.gz) = 5657338 diff --git a/security/yubioath-desktop/pkg-descr b/security/yubioath-desktop/pkg-descr deleted file mode 100644 index 8a3575b7be09..000000000000 --- a/security/yubioath-desktop/pkg-descr +++ /dev/null @@ -1,3 +0,0 @@ -Cross-platform application for generating Open Authentication (OATH) time-based -TOTP and event-based HOTP one-time password codes, with the help of a YubiKey -that protects the shared secrets. diff --git a/security/yubioath-desktop/pkg-message b/security/yubioath-desktop/pkg-message deleted file mode 100644 index 7f4f2a2c4875..000000000000 --- a/security/yubioath-desktop/pkg-message +++ /dev/null @@ -1,7 +0,0 @@ -[ -{ type: install - message: <<EOM - Before running make sure that the pcscd service is enabled and running -EOM -} -] |