crypto/openssl: make vendor imports easier/less error prone

This change adds a custom BSD makefile containing multiple high-level PHONY
targets, similar to targets provided by the ports framework.

The Makefile does the following:
- Reruns Configure with a deterministic set of arguments to ensure that
  all appropriate features have been enabled/disabled in OpenSSL.
- Preens the pkgconfig files to remove duplicate paths in their
  `CFLAGS` and `includedir` variables.
- Rebuilds all ASM files to ensure that the content contained is fresh.
- Rebuilds all manpages to ensure that the content contained in the
  manpages is fresh.

Some additional work needs to be done to make the manpage regeneration
"operation" reproducible (the date the manpages were generated is
embedded in the files).

All dynamic configuration previously captured in
`include/openssl/configuration.h` and `include/crypto/bn_conf.h` has been
moved to `freebsd/include/dynamic_freebsd_configuration.h` and
`freebsd/include/crypto/bn_conf.h`, respectively. This helps
ensure that future updates don't wipe out FreeBSD customizations to
these files, which tune behavior on a per-target architecture basis, e.g.,
ARM vs x86, 32-bit vs 64-bit, etc.

MFC after: 1 month
Differential Revision:	https://reviews.freebsd.org/D51663

Author: ngie-eign

crypto/openssl/BSDmakefile

@@ -0,0 +1,99 @@
+# This BSD makefile helps provide a deterministic means of doing a "clean"
+# vendor import of OpenSSL.
+#
+# Recommended use:
+#
+#   % make clean
+#   % make all
+
+NO_OBJ=
+
+LCRYPTO_SRC=	${SRCTOP}/crypto/openssl
+LCRYPTO_DOC=	${LCRYPTO_SRC}/doc
+
+CAT?=		/bin/cat
+MV?=		/bin/mv
+PERL?=		perl
+
+BN_CONF_H=		include/crypto/bn_conf.h
+BN_CONF_H_ORIG=		${BN_CONF_H}.orig
+CONFIGURATION_H=	include/openssl/configuration.h
+CONFIGURATION_H_ORIG=	${CONFIGURATION_H}.orig
+
+.PHONY: configure patch all
+.ORDER: configure patch all
+
+configure:
+	@cd ${.CURDIR} && \
+	    ${PERL} ./Configure \
+	    disable-aria \
+	    disable-egd \
+	    disable-idea \
+	    disable-mdc2 \
+	    disable-sm2 \
+	    disable-sm3 \
+	    disable-sm4 \
+	    enable-ec_nistp_64_gcc_128 \
+	    enable-ktls \
+	    enable-sctp \
+	    --openssldir=etc \
+	    --prefix=/usr
+	@cd ${.CURDIR} && gmake configdata.pm
+	@cd ${LCRYPTO_SRC} && ${PERL} \
+	    ${LCRYPTO_SRC}/freebsd/dump_version_from_configdata.pl > \
+	    ${SRCTOP}/secure/lib/libcrypto/Makefile.version
+
+all: patch
+	# Passing `-j ${.MAKE.JOBS}` doesn't work here for some reason.
+	@cd ${.CURDIR} && gmake build_all_generated
+
+	# Clean the pkgconfig files:
+	# 1. Fix --prefix (not sure why configure --prefix isn't honored properly).
+	# 2. Remove duplicate path in CFLAGS.
+	# 3. Remove duplicate path in includedir(s).
+	@find . -name \*.pc -print -exec sed -i '' -E \
+	    -e 's,^prefix=.+,prefix=/usr,' \
+	    -e 's,[[:space:]]+(\-I)?\$\{prefix\}/\./include[[:space:]]*,,g' \
+	    {} +
+
+	@cd ${SRCTOP}/secure/lib/libcrypto && \
+	    ${MAKE} cleanasm && \
+	    ${MAKE} buildasm
+
+	@rsync -a --delete \
+	    --exclude 'Makefile*' --exclude '*.1' \
+	    ${LCRYPTO_DOC}/man/ \
+	    ${SRCTOP}/secure/lib/libcrypto/man
+
+	@rsync -a --delete \
+	    --exclude 'Makefile*' --exclude '*.[357]' \
+	    ${LCRYPTO_DOC}/man/man1/ \
+	    ${SRCTOP}/secure/usr.bin/openssl/man
+
+
+# This doesn't use standard patching since the generated files can vary
+# depending on the host architecture.
+patch: configure
+	# Spam arch-specific overrides to config files.
+
+	@cd ${.CURDIR} && gmake ${BN_CONF_H} && \
+	${MV} ${BN_CONF_H} ${BN_CONF_H_ORIG} && \
+	${CAT} ${BN_CONF_H}.orig \
+	    ${LCRYPTO_SRC}/freebsd/${BN_CONF_H} >> \
+	    ${BN_CONF_H}
+
+	@cd ${.CURDIR} && \
+	 ${MV} ${CONFIGURATION_H} ${CONFIGURATION_H_ORIG} && \
+	 ${CAT} ${CONFIGURATION_H_ORIG} \
+	    ${LCRYPTO_SRC}/freebsd/${CONFIGURATION_H} >> \
+	    ${CONFIGURATION_H}
+
+
+clean: .PHONY
+	@cd ${.CURDIR} && rm -f ${BN_CONF_H_ORIG} ${CONFIGURATION_H_ORIG}
+
+	@cd ${SRCTOP}/secure/lib/libcrypto && ${MAKE} cleanasm
+
+	-@cd ${.CURDIR} && gmake ${.TARGET}
+
+.include <sys.mk>

crypto/openssl/apps/CA.pl

@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/env perl
 # Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use

crypto/openssl/apps/progs.c

@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by apps/progs.pl
  *
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -89,6 +89,7 @@ FUNCTION functions[] = {
     {FT_general, "s_time", s_time_main, s_time_options, NULL, NULL},
 #endif
     {FT_general, "sess_id", sess_id_main, sess_id_options, NULL, NULL},
+    {FT_general, "skeyutl", skeyutl_main, skeyutl_options, NULL, NULL},
     {FT_general, "smime", smime_main, smime_options, NULL, NULL},
     {FT_general, "speed", speed_main, speed_options, NULL, NULL},
     {FT_general, "spkac", spkac_main, spkac_options, NULL, NULL},
@@ -225,9 +226,15 @@ FUNCTION functions[] = {
     {FT_cipher, "camellia-256-ecb", enc_main, enc_options, NULL},
 #endif
     {FT_cipher, "base64", enc_main, enc_options, NULL},
-#ifdef ZLIB
+#ifndef OPENSSL_NO_ZLIB
     {FT_cipher, "zlib", enc_main, enc_options, NULL},
 #endif
+#ifndef OPENSSL_NO_BROTLI
+    {FT_cipher, "brotli", enc_main, enc_options, NULL},
+#endif
+#ifndef OPENSSL_NO_ZSTD
+    {FT_cipher, "zstd", enc_main, enc_options, NULL},
+#endif
 #ifndef OPENSSL_NO_DES
     {FT_cipher, "des", enc_main, enc_options, NULL},
 #endif

crypto/openssl/apps/progs.h

@@ -2,7 +2,7 @@
  * WARNING: do not edit!
  * Generated by apps/progs.pl
  *
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -56,6 +56,7 @@ extern int s_client_main(int argc, char *argv[]);
 extern int s_server_main(int argc, char *argv[]);
 extern int s_time_main(int argc, char *argv[]);
 extern int sess_id_main(int argc, char *argv[]);
+extern int skeyutl_main(int argc, char *argv[]);
 extern int smime_main(int argc, char *argv[]);
 extern int speed_main(int argc, char *argv[]);
 extern int spkac_main(int argc, char *argv[]);
@@ -110,6 +111,7 @@ extern const OPTIONS s_client_options[];
 extern const OPTIONS s_server_options[];
 extern const OPTIONS s_time_options[];
 extern const OPTIONS sess_id_options[];
+extern const OPTIONS skeyutl_options[];
 extern const OPTIONS smime_options[];
 extern const OPTIONS speed_options[];
 extern const OPTIONS spkac_options[];