From 540fe95b29213643eead5ac55d115758f78cac07 Mon Sep 17 00:00:00 2001 
From: LEAN-ESX Date: Mon, 14 Oct 2019 03:18:50 -0700 Subject: [PATCH] =?UTF-8?q?openssl:=20optimization=20speed=20for=20x64=20?= =?UTF-8?q?=EF=BC=88Compile=20with=20SSE2=20and=20optimized=20assembly=20c?= =?UTF-8?q?ode)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- be3892284ca77a69615351b106b8dfbadad.patch | 1188 +++++++++++++++++ package/libs/openssl/Config.in | 216 ++- package/libs/openssl/Makefile | 192 ++- .../libs/openssl/include/crypto/cryptodev.h | 292 ---- .../openssl/patches/100-openwrt_targets.patch | 44 + .../patches/110-optimize-for-size.patch | 16 - ...30-perl-path.patch => 110-perl-path.patch} | 0 ...ile-dirs.patch => 120-makefile-dirs.patch} | 2 +- ...ests.patch => 130-disable_doc_tests.patch} | 0 ...70-bash_path.patch => 140-bash_path.patch} | 0 ...ault.patch => 150-fix_link_segfault.patch} | 0 .../libs/openssl/patches/150-no_engines.patch | 81 -- ...patch => 160-remove_timestamp_check.patch} | 0 ...l_build.patch => 170-parallel_build.patch} | 8 +- .../180-strip-cflags-from-binary.patch | 21 + 15 files changed, 1575 insertions(+), 485 deletions(-) create mode 100644 be3892284ca77a69615351b106b8dfbadad.patch delete mode 100644 package/libs/openssl/include/crypto/cryptodev.h create mode 100644 package/libs/openssl/patches/100-openwrt_targets.patch delete mode 100644 package/libs/openssl/patches/110-optimize-for-size.patch rename package/libs/openssl/patches/{130-perl-path.patch => 110-perl-path.patch} (100%) rename package/libs/openssl/patches/{140-makefile-dirs.patch => 120-makefile-dirs.patch} (83%) rename package/libs/openssl/patches/{160-disable_doc_tests.patch => 130-disable_doc_tests.patch} (100%) rename package/libs/openssl/patches/{170-bash_path.patch => 140-bash_path.patch} (100%) rename package/libs/openssl/patches/{180-fix_link_segfault.patch => 150-fix_link_segfault.patch} (100%) delete mode 100644 package/libs/openssl/patches/150-no_engines.patch rename 
package/libs/openssl/patches/{190-remove_timestamp_check.patch => 160-remove_timestamp_check.patch} (100%) rename package/libs/openssl/patches/{200-parallel_build.patch => 170-parallel_build.patch} (97%) create mode 100644 package/libs/openssl/patches/180-strip-cflags-from-binary.patch diff --git a/be3892284ca77a69615351b106b8dfbadad.patch b/be3892284ca77a69615351b106b8dfbadad.patch new file mode 100644 index 000000000..1cab9022a --- /dev/null +++ b/be3892284ca77a69615351b106b8dfbadad.patch 
@@ -0,0 +1,1188 @@
+From be3892284ca77a69615351b106b8dfbadad728c4 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz
+Date: Mon, 22 Oct 2018 11:32:56 -0300
+Subject: [PATCH] openssl: add configuration options, disable ssl3
+
+Adds the following configuration options:
+* using optimized assembler code (was always on before)
+* use of x86 SSE2 instructions
+* dyanic engine support
+* include error messages
+* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
+* RFC3779, CMS protocols
+* VIA padlock hardware acceleration engine
+
+Installs openssl.cnf with the library as it is used by engines
+independent of the openssl util.
+
+Fixes DTLS option that was innefective before.
+
+Disables insecure SSL3 protocol and SHA0.
+
+Adds openwrt-specific targets to Configure script, including asm support
+for i386, ppc and mips64.
+
+Strips building dirs from CFLAGS shown in binary.
+
+Skips the fuzz directory during build.
+
+Removed include/crypto/devcrypto.h that was included here, to use the
+cryptodev-linux package, now that it was been moved from the packages
+feed to the main openwrt repository.
+ +This decreses the size of the ipk binray on MIPS32 by about 3.3%: +old: +706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk +199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk + +new: +693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk +193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk + +Signed-off-by: Eneas U de Queiroz +--- + package/libs/openssl/Config.in | 206 ++++++++++-- + package/libs/openssl/Makefile | 182 ++++++++--- + .../libs/openssl/include/crypto/cryptodev.h | 292 ------------------ + .../openssl/patches/100-openwrt_targets.patch | 44 +++ + .../patches/110-optimize-for-size.patch | 16 - + ...30-perl-path.patch => 110-perl-path.patch} | 0 + ...ile-dirs.patch => 120-makefile-dirs.patch} | 2 +- + ...ests.patch => 130-disable_doc_tests.patch} | 0 + ...70-bash_path.patch => 140-bash_path.patch} | 0 + ...ault.patch => 150-fix_link_segfault.patch} | 0 + .../libs/openssl/patches/150-no_engines.patch | 81 ----- + ...patch => 160-remove_timestamp_check.patch} | 0 + ...l_build.patch => 170-parallel_build.patch} | 8 +- + .../180-strip-cflags-from-binary.patch | 21 ++ + 14 files changed, 376 insertions(+), 476 deletions(-) + delete mode 100644 package/libs/openssl/include/crypto/cryptodev.h + create mode 100644 package/libs/openssl/patches/100-openwrt_targets.patch + delete mode 100644 package/libs/openssl/patches/110-optimize-for-size.patch + rename package/libs/openssl/patches/{130-perl-path.patch => 110-perl-path.patch} (100%) + rename package/libs/openssl/patches/{140-makefile-dirs.patch => 120-makefile-dirs.patch} (83%) + rename package/libs/openssl/patches/{160-disable_doc_tests.patch => 130-disable_doc_tests.patch} (100%) + rename package/libs/openssl/patches/{170-bash_path.patch => 140-bash_path.patch} (100%) + rename package/libs/openssl/patches/{180-fix_link_segfault.patch => 150-fix_link_segfault.patch} (100%) + delete mode 100644 
package/libs/openssl/patches/150-no_engines.patch + rename package/libs/openssl/patches/{190-remove_timestamp_check.patch => 160-remove_timestamp_check.patch} (100%) + rename package/libs/openssl/patches/{200-parallel_build.patch => 170-parallel_build.patch} (97%) + create mode 100644 package/libs/openssl/patches/180-strip-cflags-from-binary.patch + +diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in +index c39e28510f0..fe732299157 100644 +--- a/package/libs/openssl/Config.in ++++ b/package/libs/openssl/Config.in +@@ -1,72 +1,216 @@ + if PACKAGE_libopenssl + +-config OPENSSL_WITH_EC ++comment "Build Options" ++ ++config OPENSSL_OPTIMIZE_SPEED ++ bool ++ prompt "Enable optimization for speed instead of size" ++ select OPENSSL_WITH_ASM ++ help ++ Enabling this option increases code size (around 20%) and ++ performance. The increase in performance and size depends on the ++ target CPU. EC and AES seem to benefit the most, with EC speed ++ increased by 20%-50% (mipsel & x86). ++ AES-GCM is supposed to be 3x faster on x86. YMMV. ++ ++config OPENSSL_WITH_ASM + bool + default y +- prompt "Enable elliptic curve support" ++ prompt "Compile with optimized assembly code" ++ depends on !arc ++ help ++ Disabling this option will reduce code size and performance. ++ The increase in performance and size depends on the target ++ CPU and on the algorithms being optimized. As of 1.1.0i*: + +-config OPENSSL_WITH_EC2M +- bool +- depends on OPENSSL_WITH_EC +- prompt "Enable ec2m support" ++ Platform Pkg Inc. 
Algorithms where assembly is used - ~% Speed Increase ++ aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 ++ arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 ++ i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% ++ mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% ++ mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 ++ powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 ++ x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% + +-config OPENSSL_WITH_SSL3 ++ * Only most common algorithms shown. Your mileage may vary. ++ BN (bignum) performance was measured using RSA sign/verify. ++ ++config OPENSSL_WITH_SSE2 + bool +- default n +- prompt "Enable sslv3 support" ++ default y if !TARGET_x86_legacy && !TARGET_x86_geode ++ prompt "Enable use of x86 SSE2 instructions" ++ depends on OPENSSL_WITH_ASM && i386 ++ help ++ Use of SSE2 instructions greatly increase performance (up to ++ 3x faster) with a minimum (~0.2%, or 23KB) increase in package ++ size, but it will bring no benefit if your hardware does not ++ support them, such as Geode GX and LX. In this case you may ++ save 23KB by saying yes here. AMD Geode NX, and Intel ++ Pentium 4 and above support SSE2. + + config OPENSSL_WITH_DEPRECATED + bool + default y +- prompt "Include deprecated APIs" ++ prompt "Include deprecated APIs (See help for a list of packages that need this)" ++ help ++ Squid currently requires this. + + config OPENSSL_NO_DEPRECATED + bool + default !OPENSSL_WITH_DEPRECATED + +-config OPENSSL_WITH_DTLS ++config OPENSSL_WITH_ERROR_MESSAGES + bool +- default n +- prompt "Enable DTLS support" ++ prompt "Include error messages" ++ help ++ This option aids debugging, but increases package size and ++ memory usage. 
+ +-config OPENSSL_WITH_COMPRESSION ++comment "Protocol Support" ++ ++config OPENSSL_WITH_DTLS + bool +- default n +- prompt "Enable compression support" ++ prompt "Enable DTLS support" ++ help ++ Datagram Transport Layer Security (DTLS) provides TLS-like security ++ for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. + + config OPENSSL_WITH_NPN + bool + default y + prompt "Enable NPN support" ++ help ++ NPN is a TLS extension, obsoleted and replaced with ALPN, ++ used to negotiate SPDY, and HTTP/2. ++ ++config OPENSSL_WITH_SRP ++ bool ++ default y ++ prompt "Enable SRP support" ++ help ++ The Secure Remote Password protocol (SRP) is an augmented ++ password-authenticated key agreement (PAKE) protocol, specifically ++ designed to work around existing patents. ++ ++config OPENSSL_WITH_CMS ++ bool ++ default y ++ prompt "Enable CMS (RFC 5652) support" ++ help ++ Cryptographic Message Syntax (CMS) is used to digitally sign, ++ digest, authenticate, or encrypt arbitrary message content. ++ ++comment "Algorithm Selection" ++ ++config OPENSSL_WITH_EC ++ bool ++ default y ++ prompt "Enable elliptic curve support" ++ help ++ Elliptic-curve cryptography (ECC) is an approach to public-key ++ cryptography based on the algebraic structure of elliptic curves ++ over finite fields. ECC requires smaller keys compared to non-ECC ++ cryptography to provide equivalent security. ++ ++config OPENSSL_WITH_EC2M ++ bool ++ depends on OPENSSL_WITH_EC ++ prompt "Enable ec2m support" ++ help ++ This option enables the more efficient, yet less common, binary ++ field elliptic curves. + + config OPENSSL_WITH_PSK + bool + default y + prompt "Enable PSK support" ++ help ++ Build support for Pre-Shared Key based cipher suites. 
+ +-config OPENSSL_WITH_SRP ++comment "Less commonly used build options" ++ ++config OPENSSL_WITH_CAMELLIA + bool +- default y +- prompt "Enable SRP support" ++ prompt "Enable Camellia cipher support" ++ help ++ Camellia is a bock cipher with security levels and processing ++ abilities comparable to AES. + +-config OPENSSL_ENGINE_DIGEST ++config OPENSSL_WITH_IDEA + bool +- depends on OPENSSL_ENGINE_CRYPTO +- prompt "Digests acceleration support" ++ prompt "Enable IDEA cipher support" ++ help ++ IDEA is a block cipher with 128-bit keys. + +-config OPENSSL_HARDWARE_SUPPORT ++config OPENSSL_WITH_SEED + bool +- default n +- prompt "Enable hardware support" ++ prompt "Enable SEED cipher support" ++ help ++ SEED is a block cipher with 128-bit keys broadly used in ++ South Korea, but seldom found elsewhere. + +-config OPENSSL_OPTIMIZE_SPEED ++config OPENSSL_WITH_MDC2 + bool +- default n +- prompt "Enable optimization for speed instead of size" ++ prompt "Enable MDC2 digest support" + +-endif ++config OPENSSL_WITH_WHIRLPOOL ++ bool ++ prompt "Enable Whirlpool digest support" ++ ++config OPENSSL_WITH_COMPRESSION ++ bool ++ prompt "Enable compression support" ++ help ++ TLS compression is not recommended, as it is deemed insecure. ++ The CRIME attack exploits this weakness. ++ Even with this option turned on, it is disabled by default, and the ++ application must explicitly turn it on. ++ ++config OPENSSL_WITH_RFC3779 ++ bool ++ prompt "Enable RFC3779 support (BGP)" ++ help ++ RFC 3779 defines two X.509 v3 certificate extensions. The first ++ binds a list of IP address blocks, or prefixes, to the subject of a ++ certificate. The second binds a list of autonomous system ++ identifiers to the subject of a certificate. These extensions may be ++ used to convey the authorization of the subject to use the IP ++ addresses and autonomous system identifiers contained in the ++ extensions. 
++ ++comment "Engine/Hardware Support" ++ ++config OPENSSL_ENGINE ++ bool "Enable engine support" ++ help ++ This enables alternative cryptography implementations, ++ most commonly for interfacing with external crypto devices, ++ or supporting new/alternative ciphers and digests. + + config OPENSSL_ENGINE_CRYPTO + bool +- select OPENSSL_HARDWARE_SUPPORT +- prompt "Crypto acceleration support" if PACKAGE_libopenssl ++ select OPENSSL_ENGINE ++ select PACKAGE_kmod-cryptodev ++ prompt "Acceleration support through /dev/crypto" ++ help ++ This enables use of hardware acceleration through OpenBSD ++ Cryptodev API (/dev/crypto) interface. ++ You must install kmod-cryptodev (under Kernel modules, Cryptographic ++ API modules) for /dev/crypto to show up and use hardware ++ acceleration; otherwise it falls back to software. ++ ++config OPENSSL_ENGINE_DIGEST ++ bool ++ depends on OPENSSL_ENGINE_CRYPTO ++ prompt "/dev/crypto digest (md5/sha1) acceleration support" ++ ++config OPENSSL_WITH_GOST ++ bool ++ prompt "Prepare library for GOST engine" ++ depends on OPENSSL_ENGINE ++ help ++ This option prepares the library to accept engine support ++ for Russian GOST crypto algorithms. 
++ ++endif ++ +diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile +index 71c2c9c028f..d9b1de2581e 100644 +--- a/package/libs/openssl/Makefile ++++ b/package/libs/openssl/Makefile +@@ -15,7 +15,7 @@ PKG_RELEASE:=2 + PKG_USE_MIPS16:=0 + + PKG_BUILD_PARALLEL:=0 +- ++PKG_BUILD_DEPENDS:=cryptodev-linux + + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz + PKG_SOURCE_URL:= \ +@@ -25,24 +25,35 @@ PKG_SOURCE_URL:= \ + http://www.openssl.org/source/ \ + http://www.openssl.org/source/old/$(PKG_BASE)/ + PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684 ++ENGINES_DIR=engines + + PKG_LICENSE:=OpenSSL + PKG_LICENSE_FILES:=LICENSE + PKG_CPE_ID:=cpe:/a:openssl:openssl + PKG_CONFIG_DEPENDS:= \ ++ CONFIG_OPENSSL_ENGINE \ + CONFIG_OPENSSL_ENGINE_CRYPTO \ + CONFIG_OPENSSL_ENGINE_DIGEST \ +- CONFIG_OPENSSL_WITH_EC \ +- CONFIG_OPENSSL_WITH_EC2M \ +- CONFIG_OPENSSL_WITH_SSL3 \ +- CONFIG_OPENSSL_HARDWARE_SUPPORT \ + CONFIG_OPENSSL_NO_DEPRECATED \ +- CONFIG_OPENSSL_WITH_DTLS \ ++ CONFIG_OPENSSL_OPTIMIZE_SPEED \ ++ CONFIG_OPENSSL_WITH_ASM \ ++ CONFIG_OPENSSL_WITH_CAMELLIA \ ++ CONFIG_OPENSSL_WITH_CMS \ + CONFIG_OPENSSL_WITH_COMPRESSION \ ++ CONFIG_OPENSSL_WITH_DTLS \ ++ CONFIG_OPENSSL_WITH_EC \ ++ CONFIG_OPENSSL_WITH_EC2M \ ++ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ ++ CONFIG_OPENSSL_WITH_GOST \ ++ CONFIG_OPENSSL_WITH_IDEA \ ++ CONFIG_OPENSSL_WITH_MDC2 \ + CONFIG_OPENSSL_WITH_NPN \ + CONFIG_OPENSSL_WITH_PSK \ ++ CONFIG_OPENSSL_WITH_RFC3779 \ ++ CONFIG_OPENSSL_WITH_SEED \ + CONFIG_OPENSSL_WITH_SRP \ +- CONFIG_OPENSSL_OPTIMIZE_SPEED ++ CONFIG_OPENSSL_WITH_SSE2 \ ++ CONFIG_OPENSSL_WITH_WHIRLPOOL + + include $(INCLUDE_DIR)/package.mk + +@@ -54,6 +65,8 @@ endif + define Package/openssl/Default + TITLE:=Open source SSL toolkit + URL:=http://www.openssl.org/ ++ SECTION:=libs ++ CATEGORY:=Libraries + endef + + define Package/libopenssl/config +@@ -62,16 +75,14 @@ endef + + define Package/openssl/Default/description + The OpenSSL Project is a collaborative 
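Review bot: The help text added for `OPENSSL_WITH_SSE2` in the embedded Config.in hunk has its answer inverted. It tells owners of non-SSE2 hardware (Geode GX and LX) that they "may save 23KB by saying yes here", but yes is the setting that compiles the SSE2 code in, and the Makefile part of the same patch passes `no-sse2` only when the option is off. The sentence should read `In this case you may save 23KB by saying no here.` Separately, `OPENSSL_OPTIMIZE_SPEED` does `select OPENSSL_WITH_ASM` while that symbol `depends on !arc`. Kconfig `select` does not honour the selected symbol's dependencies, so `select OPENSSL_WITH_ASM if !arc` would keep the two declarations consistent.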
effort to develop a robust, +-commercial-grade, full-featured, and Open Source toolkit implementing the Secure +-Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well +-as a full-strength general purpose cryptography library. ++commercial-grade, full-featured, and Open Source toolkit implementing the ++Transport Layer Security (TLS) protocol as well as a full-strength ++general-purpose cryptography library. + endef + + define Package/libopenssl + $(call Package/openssl/Default) +- SECTION:=libs + SUBMENU:=SSL +- CATEGORY:=Libraries + DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib + TITLE+= (libraries) + ABI_VERSION:=1.0.0 +@@ -100,19 +111,35 @@ $(call Package/openssl/Default/description) + This package contains the OpenSSL command-line utility. + endef + ++define Package/libopenssl-gost ++ $(call Package/openssl/Default) ++ SUBMENU:=SSL ++ TITLE:=Russian GOST algorithms engine ++ DEPENDS:=libopenssl +@OPENSSL_WITH_GOST ++endef ++ ++define Package/libopenssl-gost/description ++This package adds an engine that enables Russian GOST algorithms. 
++To use it, you need to configure the engine in /etc/ssl/openssl.cnf ++See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE ++The engine_id is "gost" ++endef + +-OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \ +- no-whrlpool no-whirlpool no-seed no-jpake +-OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats ++define Package/libopenssl-padlock ++ $(call Package/openssl/Default) ++ SUBMENU:=SSL ++ TITLE:=VIA Padlock hardware acceleration engine ++ DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock ++endef + +-ifdef CONFIG_OPENSSL_ENGINE_CRYPTO +- OPENSSL_OPTIONS += -DHAVE_CRYPTODEV +- ifdef CONFIG_OPENSSL_ENGINE_DIGEST +- OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS +- endif +-else +- OPENSSL_OPTIONS += no-engines +-endif ++define Package/libopenssl-padlock/description ++This package adds an engine that enables VIA Padlock hardware acceleration. ++To use it, you need to configure it in /etc/ssl/openssl.cnf. 
++See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE ++The engine_id is "padlock" ++endef ++ ++OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method + + ifndef CONFIG_OPENSSL_WITH_EC + OPENSSL_OPTIONS += no-ec +@@ -122,20 +149,70 @@ ifndef CONFIG_OPENSSL_WITH_EC2M + OPENSSL_OPTIONS += no-ec2m + endif + +-ifndef CONFIG_OPENSSL_WITH_SSL3 +- OPENSSL_OPTIONS += no-ssl3 no-ssl3-method ++ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES ++ OPENSSL_OPTIONS += no-err ++endif ++ ++ifndef CONFIG_OPENSSL_WITH_CAMELLIA ++ OPENSSL_OPTIONS += no-camellia ++endif ++ ++ifndef CONFIG_OPENSSL_WITH_IDEA ++ OPENSSL_OPTIONS += no-idea ++endif ++ ++ifndef CONFIG_OPENSSL_WITH_SEED ++ OPENSSL_OPTIONS += no-seed + endif + +-ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT +- OPENSSL_OPTIONS += no-hw ++ifndef CONFIG_OPENSSL_WITH_MDC2 ++ OPENSSL_OPTIONS += no-mdc2 ++endif ++ ++ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL ++ OPENSSL_OPTIONS += no-whirlpool ++endif ++ ++ifndef CONFIG_OPENSSL_WITH_CMS ++ OPENSSL_OPTIONS += no-cms ++endif ++ ++ifdef CONFIG_OPENSSL_WITH_RFC3779 ++ OPENSSL_OPTIONS += enable-rfc3779 + endif + + ifdef CONFIG_OPENSSL_NO_DEPRECATED + OPENSSL_OPTIONS += no-deprecated + endif + ++ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) ++ TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 ++else ++ OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT ++endif ++ ++ifdef CONFIG_OPENSSL_ENGINE ++ ifdef CONFIG_OPENSSL_ENGINE_CRYPTO ++ OPENSSL_OPTIONS += -DHAVE_CRYPTODEV ++ ifdef CONFIG_OPENSSL_ENGINE_DIGEST ++ OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS ++ endif ++ endif ++ ifndef CONFIG_PACKAGE_libopenssl-padlock ++ OPENSSL_OPTIONS += no-hw-padlock ++ endif ++else ++ OPENSSL_OPTIONS += no-engine ++endif ++ ++ifndef CONFIG_OPENSSL_WITH_GOST ++ OPENSSL_OPTIONS += no-gost ++endif ++ ++# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code, ++# but openssl util gets built without it + ifndef CONFIG_OPENSSL_WITH_DTLS +- OPENSSL_OPTIONS += 
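Review bot: The new `OPENSSL_OPTIONS:=` line may not compile SSL3 out, although the commit message says SSL3 is disabled. It keeps only `no-ssl2-method no-ssl3-method`, while the lines it replaces passed `no-ssl2` unconditionally and `no-ssl3 no-ssl3-method` whenever SSL3 was not selected (that conditional is removed in the following hunk). As far as I know the `-method` switches only remove the version-specific method entry points rather than the protocol code itself, so please confirm against the Configure script of the packaged release. Otherwise keep the protocol switches: `OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2 no-ssl2-method no-ssl3 no-ssl3-method`. The hunk also drops `no-md2 no-rc5 no-krb5 no-jpake` together with `OPENSSL_NO_CIPHERS`. If the reason is that upstream disables them by default, a comment such as `# md2, rc5, krb5 and jpake are disabled by default in Configure` would keep the list auditable.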
no-dtls ++ OPENSSL_OPTIONS += no-dtls no-dtls1 + endif + + ifdef CONFIG_OPENSSL_WITH_COMPRESSION +@@ -156,27 +233,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP + OPENSSL_OPTIONS += no-srp + endif + +-ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) +- TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3 ++ifndef CONFIG_OPENSSL_WITH_ASM ++ OPENSSL_OPTIONS += no-asm + endif + +-ifeq ($(CONFIG_x86_64),y) +- OPENSSL_TARGET:=linux-x86_64-openwrt +- OPENSSL_MAKEFLAGS += LIBDIR=lib +-else +- OPENSSL_OPTIONS+=no-sse2 +- ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y) +- OPENSSL_TARGET:=linux-mips-openwrt +- else ifeq ($(CONFIG_aarch64),y) +- OPENSSL_TARGET:=linux-aarch64-openwrt +- else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y) +- OPENSSL_TARGET:=linux-armv4-openwrt +- else +- OPENSSL_TARGET:=linux-generic-openwrt +- OPENSSL_OPTIONS+=no-perlasm ++ifdef CONFIG_i386 ++ ifndef CONFIG_OPENSSL_WITH_SSE2 ++ OPENSSL_OPTIONS += no-sse2 + endif + endif + ++OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt ++ + STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) + + define Build/Configure +@@ -187,11 +255,10 @@ define Build/Configure + (cd $(PKG_BUILD_DIR); \ + ./Configure $(OPENSSL_TARGET) \ + --prefix=/usr \ ++ --libdir=lib \ + --openssldir=/etc/ssl \ + $(TARGET_CPPFLAGS) \ +- $(TARGET_LDFLAGS) -ldl \ +- $(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \ +- $(OPENSSL_NO_CIPHERS) \ ++ $(TARGET_LDFLAGS) \ + $(OPENSSL_OPTIONS) \ + ) + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ +@@ -202,7 +269,7 @@ define Build/Configure + depend + endef + +-TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections ++TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections + TARGET_LDFLAGS += -Wl,--gc-sections + + define Build/Compile +@@ -251,20 +318,33 @@ define Build/InstallDev + endef + + define Package/libopenssl/install ++ $(INSTALL_DIR) $(1)/etc/ssl/certs ++ $(INSTALL_DIR) $(1)/etc/ssl/private ++ chmod 0700 $(1)/etc/ssl/private + 
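Review bot: In the `@@ -156,27 +233,18 @@` hunk, `OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt` replaces the explicit per-architecture selection and removes the `linux-generic-openwrt` fallback. Any `CONFIG_ARCH` without a matching entry in the table added by 100-openwrt_targets.patch will presumably now fail inside `./Configure` with an unknown-target error. The table is only partly visible here, so its coverage cannot be confirmed from this page. I would document the coupling next to the assignment, for example `# must match a "linux-<arch>-openwrt" entry in patches/100-openwrt_targets.patch`, so that adding an architecture does not silently depend on the patch being updated.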
$(INSTALL_DIR) $(1)/usr/lib + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/ + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/ ++ $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)) + endef + + define Package/openssl-util/install + $(INSTALL_DIR) $(1)/etc/ssl + $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ +- $(INSTALL_DIR) $(1)/etc/ssl/certs +- $(INSTALL_DIR) $(1)/etc/ssl/private +- chmod 0700 $(1)/etc/ssl/private + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ + endef + ++define Package/libopenssl-padlock/install ++ $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) ++ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) ++endef ++ ++define Package/libopenssl-gost/install ++ $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) ++ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR) ++endef ++ + $(eval $(call BuildPackage,libopenssl)) ++$(eval $(call BuildPackage,libopenssl-gost)) ++$(eval $(call BuildPackage,libopenssl-padlock)) + $(eval $(call BuildPackage,openssl-util)) +diff --git a/package/libs/openssl/include/crypto/cryptodev.h b/package/libs/openssl/include/crypto/cryptodev.h +deleted file mode 100644 +index 7fb9c7dcdae..00000000000 +--- a/package/libs/openssl/include/crypto/cryptodev.h ++++ /dev/null +@@ -1,292 +0,0 @@ +-/* This is a source compatible implementation with the original API of +- * cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h. 
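Review bot: `Package/libopenssl/install` now creates `/etc/ssl/certs` and `/etc/ssl/private` but still does not install `openssl.cnf`. The line `$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/` remains in `Package/openssl-util/install`. The commit message says the file is installed with the library, and the new gost and padlock descriptions tell users to configure the engine in /etc/ssl/openssl.cnf. A system with libopenssl and an engine package but without openssl-util would therefore have no configuration file to edit. Either move the `$(CP)` line, preceded by `$(INSTALL_DIR) $(1)/etc/ssl`, into the libopenssl recipe or correct the description. If the file does move, also check that it is listed as a conffile for libopenssl, which cannot be seen from this hunk.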
+- * Placed under public domain */ +- +-#ifndef L_CRYPTODEV_H +-#define L_CRYPTODEV_H +- +-#include +-#ifndef __KERNEL__ +-#define __user +-#endif +- +-/* API extensions for linux */ +-#define CRYPTO_HMAC_MAX_KEY_LEN 512 +-#define CRYPTO_CIPHER_MAX_KEY_LEN 64 +- +-/* All the supported algorithms +- */ +-enum cryptodev_crypto_op_t { +- CRYPTO_DES_CBC = 1, +- CRYPTO_3DES_CBC = 2, +- CRYPTO_BLF_CBC = 3, +- CRYPTO_CAST_CBC = 4, +- CRYPTO_SKIPJACK_CBC = 5, +- CRYPTO_MD5_HMAC = 6, +- CRYPTO_SHA1_HMAC = 7, +- CRYPTO_RIPEMD160_HMAC = 8, +- CRYPTO_MD5_KPDK = 9, +- CRYPTO_SHA1_KPDK = 10, +- CRYPTO_RIJNDAEL128_CBC = 11, +- CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC, +- CRYPTO_ARC4 = 12, +- CRYPTO_MD5 = 13, +- CRYPTO_SHA1 = 14, +- CRYPTO_DEFLATE_COMP = 15, +- CRYPTO_NULL = 16, +- CRYPTO_LZS_COMP = 17, +- CRYPTO_SHA2_256_HMAC = 18, +- CRYPTO_SHA2_384_HMAC = 19, +- CRYPTO_SHA2_512_HMAC = 20, +- CRYPTO_AES_CTR = 21, +- CRYPTO_AES_XTS = 22, +- CRYPTO_AES_ECB = 23, +- CRYPTO_AES_GCM = 50, +- +- CRYPTO_CAMELLIA_CBC = 101, +- CRYPTO_RIPEMD160, +- CRYPTO_SHA2_224, +- CRYPTO_SHA2_256, +- CRYPTO_SHA2_384, +- CRYPTO_SHA2_512, +- CRYPTO_SHA2_224_HMAC, +- CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */ +-}; +- +-#define CRYPTO_ALGORITHM_MAX (CRYPTO_ALGORITHM_ALL - 1) +- +-/* Values for ciphers */ +-#define DES_BLOCK_LEN 8 +-#define DES3_BLOCK_LEN 8 +-#define RIJNDAEL128_BLOCK_LEN 16 +-#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN +-#define CAMELLIA_BLOCK_LEN 16 +-#define BLOWFISH_BLOCK_LEN 8 +-#define SKIPJACK_BLOCK_LEN 8 +-#define CAST128_BLOCK_LEN 8 +- +-/* the maximum of the above */ +-#define EALG_MAX_BLOCK_LEN 16 +- +-/* Values for hashes/MAC */ +-#define AALG_MAX_RESULT_LEN 64 +- +-/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */ +-#define CRYPTODEV_MAX_ALG_NAME 64 +- +-#define HASH_MAX_LEN 64 +- +-/* input of CIOCGSESSION */ +-struct session_op { +- /* Specify either cipher or mac +- */ +- __u32 cipher; /* cryptodev_crypto_op_t */ +- __u32 mac; /* 
cryptodev_crypto_op_t */ +- +- __u32 keylen; +- __u8 __user *key; +- __u32 mackeylen; +- __u8 __user *mackey; +- +- __u32 ses; /* session identifier */ +-}; +- +-struct session_info_op { +- __u32 ses; /* session identifier */ +- +- /* verbose names for the requested ciphers */ +- struct alg_info { +- char cra_name[CRYPTODEV_MAX_ALG_NAME]; +- char cra_driver_name[CRYPTODEV_MAX_ALG_NAME]; +- } cipher_info, hash_info; +- +- __u16 alignmask; /* alignment constraints */ +- __u32 flags; /* SIOP_FLAGS_* */ +-}; +- +-/* If this flag is set then this algorithm uses +- * a driver only available in kernel (software drivers, +- * or drivers based on instruction sets do not set this flag). +- * +- * If multiple algorithms are involved (as in AEAD case), then +- * if one of them is kernel-driver-only this flag will be set. +- */ +-#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1 +- +-#define COP_ENCRYPT 0 +-#define COP_DECRYPT 1 +- +-/* input of CIOCCRYPT */ +-struct crypt_op { +- __u32 ses; /* session identifier */ +- __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ +- __u16 flags; /* see COP_FLAG_* */ +- __u32 len; /* length of source data */ +- __u8 __user *src; /* source data */ +- __u8 __user *dst; /* pointer to output data */ +- /* pointer to output data for hash/MAC operations */ +- __u8 __user *mac; +- /* initialization vector for encryption operations */ +- __u8 __user *iv; +-}; +- +-/* input of CIOCAUTHCRYPT */ +-struct crypt_auth_op { +- __u32 ses; /* session identifier */ +- __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ +- __u16 flags; /* see COP_FLAG_AEAD_* */ +- __u32 len; /* length of source data */ +- __u32 auth_len; /* length of auth data */ +- __u8 __user *auth_src; /* authenticated-only data */ +- +- /* The current implementation is more efficient if data are +- * encrypted in-place (src==dst). */ +- __u8 __user *src; /* data to be encrypted and authenticated */ +- __u8 __user *dst; /* pointer to output data. Must have +- * space for tag. 
For TLS this should be at least +- * len + tag_size + block_size for padding */ +- +- __u8 __user *tag; /* where the tag will be copied to. TLS mode +- * doesn't use that as tag is copied to dst. +- * SRTP mode copies tag there. */ +- __u32 tag_len; /* the length of the tag. Use zero for digest size or max tag. */ +- +- /* initialization vector for encryption operations */ +- __u8 __user *iv; +- __u32 iv_len; +-}; +- +-/* In plain AEAD mode the following are required: +- * flags : 0 +- * iv : the initialization vector (12 bytes) +- * auth_len: the length of the data to be authenticated +- * auth_src: the data to be authenticated +- * len : length of data to be encrypted +- * src : the data to be encrypted +- * dst : space to hold encrypted data. It must have +- * at least a size of len + tag_size. +- * tag_size: the size of the desired authentication tag or zero to use +- * the maximum tag output. +- * +- * Note tag isn't being used because the Linux AEAD interface +- * copies the tag just after data. +- */ +- +-/* In TLS mode (used for CBC ciphers that required padding) +- * the following are required: +- * flags : COP_FLAG_AEAD_TLS_TYPE +- * iv : the initialization vector +- * auth_len: the length of the data to be authenticated only +- * len : length of data to be encrypted +- * auth_src: the data to be authenticated +- * src : the data to be encrypted +- * dst : space to hold encrypted data (preferably in-place). It must have +- * at least a size of len + tag_size + blocksize. +- * tag_size: the size of the desired authentication tag or zero to use +- * the default mac output. +- * +- * Note that the padding used is the minimum padding. +- */ +- +-/* In SRTP mode the following are required: +- * flags : COP_FLAG_AEAD_SRTP_TYPE +- * iv : the initialization vector +- * auth_len: the length of the data to be authenticated. 
This must +- * include the SRTP header + SRTP payload (data to be encrypted) + rest +- * +- * len : length of data to be encrypted +- * auth_src: pointer the data to be authenticated. Should point at the same buffer as src. +- * src : pointer to the data to be encrypted. +- * dst : This is mandatory to be the same as src (in-place only). +- * tag_size: the size of the desired authentication tag or zero to use +- * the default mac output. +- * tag : Pointer to an address where the authentication tag will be copied. +- */ +- +- +-/* struct crypt_op flags */ +- +-#define COP_FLAG_NONE (0 << 0) /* totally no flag */ +-#define COP_FLAG_UPDATE (1 << 0) /* multi-update hash mode */ +-#define COP_FLAG_FINAL (1 << 1) /* multi-update final hash mode */ +-#define COP_FLAG_WRITE_IV (1 << 2) /* update the IV during operation */ +-#define COP_FLAG_NO_ZC (1 << 3) /* do not zero-copy */ +-#define COP_FLAG_AEAD_TLS_TYPE (1 << 4) /* authenticate and encrypt using the +- * TLS protocol rules */ +-#define COP_FLAG_AEAD_SRTP_TYPE (1 << 5) /* authenticate and encrypt using the +- * SRTP protocol rules */ +-#define COP_FLAG_RESET (1 << 6) /* multi-update reset the state. +- * should be used in combination +- * with COP_FLAG_UPDATE */ +- +- +-/* Stuff for bignum arithmetic and public key +- * cryptography - not supported yet by linux +- * cryptodev. 
+- */ +- +-#define CRYPTO_ALG_FLAG_SUPPORTED 1 +-#define CRYPTO_ALG_FLAG_RNG_ENABLE 2 +-#define CRYPTO_ALG_FLAG_DSA_SHA 4 +- +-struct crparam { +- __u8 *crp_p; +- __u32 crp_nbits; +-}; +- +-#define CRK_MAXPARAM 8 +- +-/* input of CIOCKEY */ +-struct crypt_kop { +- __u32 crk_op; /* cryptodev_crk_op_t */ +- __u32 crk_status; +- __u16 crk_iparams; +- __u16 crk_oparams; +- __u32 crk_pad1; +- struct crparam crk_param[CRK_MAXPARAM]; +-}; +- +-enum cryptodev_crk_op_t { +- CRK_MOD_EXP = 0, +- CRK_MOD_EXP_CRT = 1, +- CRK_DSA_SIGN = 2, +- CRK_DSA_VERIFY = 3, +- CRK_DH_COMPUTE_KEY = 4, +- CRK_ALGORITHM_ALL +-}; +- +-#define CRK_ALGORITHM_MAX (CRK_ALGORITHM_ALL-1) +- +-/* features to be queried with CIOCASYMFEAT ioctl +- */ +-#define CRF_MOD_EXP (1 << CRK_MOD_EXP) +-#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT) +-#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN) +-#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY) +-#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY) +- +- +-/* ioctl's. Compatible with old linux cryptodev.h +- */ +-#define CRIOGET _IOWR('c', 101, __u32) +-#define CIOCGSESSION _IOWR('c', 102, struct session_op) +-#define CIOCFSESSION _IOW('c', 103, __u32) +-#define CIOCCRYPT _IOWR('c', 104, struct crypt_op) +-#define CIOCKEY _IOWR('c', 105, struct crypt_kop) +-#define CIOCASYMFEAT _IOR('c', 106, __u32) +-#define CIOCGSESSINFO _IOWR('c', 107, struct session_info_op) +- +-/* to indicate that CRIOGET is not required in linux +- */ +-#define CRIOGET_NOT_NEEDED 1 +- +-/* additional ioctls for AEAD */ +-#define CIOCAUTHCRYPT _IOWR('c', 109, struct crypt_auth_op) +- +-/* additional ioctls for asynchronous operation. +- * These are conditionally enabled since version 1.6. 
+- */ +-#define CIOCASYNCCRYPT _IOW('c', 110, struct crypt_op) +-#define CIOCASYNCFETCH _IOR('c', 111, struct crypt_op) +- +-#endif /* L_CRYPTODEV_H */ +diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch +new file mode 100644 +index 00000000000..52a51f9f470 +--- /dev/null ++++ b/package/libs/openssl/patches/100-openwrt_targets.patch +@@ -0,0 +1,44 @@ ++From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001 ++From: Eneas U de Queiroz ++Date: Wed, 26 Sep 2018 16:21:27 -0300 ++Subject: Add openwrt targets ++ ++Targets are named: linux-$(CONFIG_ARCH)-openwrt ++ ++Signed-off-by: Eneas U de Queiroz ++ ++--- a/Configure +++++ b/Configure ++@@ -470,6 +470,32 @@ my %table=( ++ "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", ++ "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", ++ +++# OpenWrt targets +++# from linux-aarch64 +++"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++# from linux-generic32 +++"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++# from linux-armv4 +++"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++# from linux-armv4 
+++"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++# from linux-elf +++"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++# from linux-mips32 +++"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++# from linux64-mips64 +++"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +++# from linux64-mips64 +++"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +++# from linux-mips32 +++"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++# from linux-ppc +++"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 
DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++# from linux-x86_64 +++"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +++# from linux-generic32 +++"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +++ ++ # Android: linux-* but without pointers to headers and libs. ++ "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++ "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch +deleted file mode 100644 +index d6d4a211110..00000000000 +--- a/package/libs/openssl/patches/110-optimize-for-size.patch ++++ /dev/null +@@ -1,16 +0,0 @@ +---- a/Configure +-+++ b/Configure +-@@ -470,6 +470,13 @@ my %table=( +- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", +- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", +- +-+# OpenWrt 
targets +-+"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +-+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-+"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-+ +- # Android: linux-* but without pointers to headers and libs. 
+- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +- "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +diff --git a/package/libs/openssl/patches/130-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch +similarity index 100% +rename from package/libs/openssl/patches/130-perl-path.patch +rename to package/libs/openssl/patches/110-perl-path.patch +diff --git a/package/libs/openssl/patches/140-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch +similarity index 83% +rename from package/libs/openssl/patches/140-makefile-dirs.patch +rename to package/libs/openssl/patches/120-makefile-dirs.patch +index 83c412f4443..5bcb3164867 100644 +--- a/package/libs/openssl/patches/140-makefile-dirs.patch ++++ b/package/libs/openssl/patches/120-makefile-dirs.patch +@@ -5,7 +5,7 @@ + BASEADDR= + + -DIRS= crypto ssl engines apps test tools +-+DIRS= crypto ssl apps +++DIRS= crypto ssl engines apps + ENGDIRS= ccgost + SHLIBDIRS= crypto ssl + +diff --git a/package/libs/openssl/patches/160-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch +similarity index 100% +rename from package/libs/openssl/patches/160-disable_doc_tests.patch +rename to package/libs/openssl/patches/130-disable_doc_tests.patch +diff --git a/package/libs/openssl/patches/170-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch +similarity index 100% +rename from package/libs/openssl/patches/170-bash_path.patch +rename to package/libs/openssl/patches/140-bash_path.patch +diff --git 
a/package/libs/openssl/patches/180-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch +similarity index 100% +rename from package/libs/openssl/patches/180-fix_link_segfault.patch +rename to package/libs/openssl/patches/150-fix_link_segfault.patch +diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch +deleted file mode 100644 +index a518a004966..00000000000 +--- a/package/libs/openssl/patches/150-no_engines.patch ++++ /dev/null +@@ -1,81 +0,0 @@ +---- a/Configure +-+++ b/Configure +-@@ -2144,6 +2144,11 @@ EOF +- close(OUT); +- } +- +-+# ugly hack to disable engines +-+if($target eq "mingwx") { +-+ system("sed -e s/^LIB/XLIB/g -i engines/Makefile"); +-+} +-+ +- print < ++Date: Wed, 26 Sep 2018 18:04:58 -0300 ++Subject: Avoid exposing build directories ++ ++The CFLAGS contain the build directories, and are shown by calling ++SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a ++ ++Signed-off-by: Eneas U de Queiroz ++ ++--- a/crypto/Makefile +++++ b/crypto/Makefile ++@@ -57,7 +57,7 @@ top: ++ all: shared ++ ++ buildinf.h: ../Makefile ++- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h +++ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h ++ ++ x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl ++ $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@ diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index c39e28510..82f6c61c7 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in 
@@ -1,72 +1,218 @@ if PACKAGE_libopenssl -config OPENSSL_WITH_EC +comment "Build Options" + +config OPENSSL_OPTIMIZE_SPEED bool default y - prompt "Enable elliptic curve support" + prompt "Enable optimization for speed instead of size" + select OPENSSL_WITH_ASM + help + Enabling this option increases code size (around 20%) and + performance. The increase in performance and size depends on the + target CPU. EC and AES seem to benefit the most, with EC speed + increased by 20%-50% (mipsel & x86). + AES-GCM is supposed to be 3x faster on x86. YMMV. -config OPENSSL_WITH_EC2M - bool - depends on OPENSSL_WITH_EC - prompt "Enable ec2m support" - -config OPENSSL_WITH_SSL3 +config OPENSSL_WITH_ASM bool - default n - prompt "Enable sslv3 support" + default y + prompt "Compile with optimized assembly code" + depends on !arc + help + Disabling this option will reduce code size and performance. + The increase in performance and size depends on the target + CPU and on the algorithms being optimized. As of 1.1.0i*: + + Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase + aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 + arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 + i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% + mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% + mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 + powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 + x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% + + * Only most common algorithms shown. Your mileage may vary. + BN (bignum) performance was measured using RSA sign/verify. 
+ +config OPENSSL_WITH_SSE2 + bool + default y if !TARGET_x86_legacy && !TARGET_x86_geode + prompt "Enable use of x86 SSE2 instructions" + depends on OPENSSL_WITH_ASM && x86_64 || i386 + help + Use of SSE2 instructions greatly increase performance (up to + 3x faster) with a minimum (~0.2%, or 23KB) increase in package + size, but it will bring no benefit if your hardware does not + support them, such as Geode GX and LX. In this case you may + save 23KB by saying yes here. AMD Geode NX, and Intel + Pentium 4 and above support SSE2. config OPENSSL_WITH_DEPRECATED bool default y - prompt "Include deprecated APIs" + prompt "Include deprecated APIs (See help for a list of packages that need this)" + help + Squid currently requires this. config OPENSSL_NO_DEPRECATED bool default !OPENSSL_WITH_DEPRECATED +config OPENSSL_WITH_ERROR_MESSAGES + bool + prompt "Include error messages" + help + This option aids debugging, but increases package size and + memory usage. + +comment "Protocol Support" + config OPENSSL_WITH_DTLS bool - default n prompt "Enable DTLS support" - -config OPENSSL_WITH_COMPRESSION - bool - default n - prompt "Enable compression support" + help + Datagram Transport Layer Security (DTLS) provides TLS-like security + for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. config OPENSSL_WITH_NPN bool default y prompt "Enable NPN support" - -config OPENSSL_WITH_PSK - bool - default y - prompt "Enable PSK support" + help + NPN is a TLS extension, obsoleted and replaced with ALPN, + used to negotiate SPDY, and HTTP/2. config OPENSSL_WITH_SRP bool default y prompt "Enable SRP support" + help + The Secure Remote Password protocol (SRP) is an augmented + password-authenticated key agreement (PAKE) protocol, specifically + designed to work around existing patents. 
+ +config OPENSSL_WITH_CMS + bool + default y + prompt "Enable CMS (RFC 5652) support" + help + Cryptographic Message Syntax (CMS) is used to digitally sign, + digest, authenticate, or encrypt arbitrary message content. + +comment "Algorithm Selection" + +config OPENSSL_WITH_EC + bool + default y + prompt "Enable elliptic curve support" + help + Elliptic-curve cryptography (ECC) is an approach to public-key + cryptography based on the algebraic structure of elliptic curves + over finite fields. ECC requires smaller keys compared to non-ECC + cryptography to provide equivalent security. + +config OPENSSL_WITH_EC2M + bool + depends on OPENSSL_WITH_EC + prompt "Enable ec2m support" + help + This option enables the more efficient, yet less common, binary + field elliptic curves. + +config OPENSSL_WITH_PSK + bool + default y + prompt "Enable PSK support" + help + Build support for Pre-Shared Key based cipher suites. + +comment "Less commonly used build options" + +config OPENSSL_WITH_CAMELLIA + bool + prompt "Enable Camellia cipher support" + help + Camellia is a bock cipher with security levels and processing + abilities comparable to AES. + +config OPENSSL_WITH_IDEA + bool + prompt "Enable IDEA cipher support" + help + IDEA is a block cipher with 128-bit keys. + +config OPENSSL_WITH_SEED + bool + prompt "Enable SEED cipher support" + help + SEED is a block cipher with 128-bit keys broadly used in + South Korea, but seldom found elsewhere. + +config OPENSSL_WITH_MDC2 + bool + prompt "Enable MDC2 digest support" + +config OPENSSL_WITH_WHIRLPOOL + bool + prompt "Enable Whirlpool digest support" + +config OPENSSL_WITH_COMPRESSION + bool + prompt "Enable compression support" + help + TLS compression is not recommended, as it is deemed insecure. + The CRIME attack exploits this weakness. + Even with this option turned on, it is disabled by default, and the + application must explicitly turn it on. 
+ +config OPENSSL_WITH_RFC3779 + bool + prompt "Enable RFC3779 support (BGP)" + help + RFC 3779 defines two X.509 v3 certificate extensions. The first + binds a list of IP address blocks, or prefixes, to the subject of a + certificate. The second binds a list of autonomous system + identifiers to the subject of a certificate. These extensions may be + used to convey the authorization of the subject to use the IP + addresses and autonomous system identifiers contained in the + extensions. + +comment "Engine/Hardware Support" + +config OPENSSL_ENGINE + bool "Enable engine support" + default y + help + This enables alternative cryptography implementations, + most commonly for interfacing with external crypto devices, + or supporting new/alternative ciphers and digests. + +config OPENSSL_ENGINE_CRYPTO + bool + select OPENSSL_ENGINE + select PACKAGE_kmod-cryptodev + prompt "Acceleration support through /dev/crypto" + help + This enables use of hardware acceleration through OpenBSD + Cryptodev API (/dev/crypto) interface. + You must install kmod-cryptodev (under Kernel modules, Cryptographic + API modules) for /dev/crypto to show up and use hardware + acceleration; otherwise it falls back to software. config OPENSSL_ENGINE_DIGEST bool depends on OPENSSL_ENGINE_CRYPTO - prompt "Digests acceleration support" + prompt "/dev/crypto digest (md5/sha1) acceleration support" -config OPENSSL_HARDWARE_SUPPORT +config OPENSSL_WITH_GOST bool - default n - prompt "Enable hardware support" - -config OPENSSL_OPTIMIZE_SPEED - bool - default n - prompt "Enable optimization for speed instead of size" + prompt "Prepare library for GOST engine" + depends on OPENSSL_ENGINE + help + This option prepares the library to accept engine support + for Russian GOST crypto algorithms. endif -config OPENSSL_ENGINE_CRYPTO - bool - select OPENSSL_HARDWARE_SUPPORT - prompt "Crypto acceleration support" if PACKAGE_libopenssl 
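Review bot: Under OPENSSL_WITH_SSE2, `depends on OPENSSL_WITH_ASM && x86_64 || i386` parses as `(OPENSSL_WITH_ASM && x86_64) || i386`, because Kconfig gives `&&` higher precedence than `||`. On i386 the option therefore stays selectable even with assembly disabled. If the assembly requirement is meant for both architectures, write `depends on OPENSSL_WITH_ASM && (x86_64 || i386)`. The help text of the same option says "you may save 23KB by saying yes here" for hardware without SSE2, which reads inverted; "saying no here" appears to be what is meant. The Camellia help also has the typo "bock cipher".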
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 1e2826756..b5cd165e9 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,40 +9,51 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.0.2 -PKG_BUGFIX:=p +PKG_BUGFIX:=q PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=0 - +PKG_BUILD_DEPENDS:=cryptodev-linux PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ http://ftp.fi.muni.cz/pub/openssl/source/ \ http://ftp.linux.hr/pub/openssl/source/ \ - http://gd.tuwien.ac.at/infosys/security/openssl/source/ \ + ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00 +PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684 +ENGINES_DIR=engines PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ + CONFIG_OPENSSL_ENGINE \ CONFIG_OPENSSL_ENGINE_CRYPTO \ CONFIG_OPENSSL_ENGINE_DIGEST \ + CONFIG_OPENSSL_NO_DEPRECATED \ + CONFIG_OPENSSL_OPTIMIZE_SPEED \ + CONFIG_OPENSSL_WITH_ASM \ + CONFIG_OPENSSL_WITH_CAMELLIA \ + CONFIG_OPENSSL_WITH_CMS \ + CONFIG_OPENSSL_WITH_COMPRESSION \ + CONFIG_OPENSSL_WITH_DTLS \ CONFIG_OPENSSL_WITH_EC \ CONFIG_OPENSSL_WITH_EC2M \ - CONFIG_OPENSSL_WITH_SSL3 \ - CONFIG_OPENSSL_HARDWARE_SUPPORT \ - CONFIG_OPENSSL_NO_DEPRECATED \ - CONFIG_OPENSSL_WITH_DTLS \ - CONFIG_OPENSSL_WITH_COMPRESSION \ + CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ + CONFIG_OPENSSL_WITH_GOST \ + CONFIG_OPENSSL_WITH_IDEA \ + CONFIG_OPENSSL_WITH_MDC2 \ CONFIG_OPENSSL_WITH_NPN \ CONFIG_OPENSSL_WITH_PSK \ + CONFIG_OPENSSL_WITH_RFC3779 \ + CONFIG_OPENSSL_WITH_SEED \ CONFIG_OPENSSL_WITH_SRP \ - CONFIG_OPENSSL_OPTIMIZE_SPEED + CONFIG_OPENSSL_WITH_SSE2 \ + CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk 
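Review bot: The mirror added to PKG_SOURCE_URL, `ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/`, is plain FTP and the other entries are plain HTTP, so the new PKG_HASH is the only thing authenticating the downloaded tarball. The hash should be checked against a digest obtained from upstream over an authenticated channel, not computed from a file fetched through one of these mirrors. The two openssl.org entries could also move to `https://www.openssl.org/source/`. Separately, `ENGINES_DIR=engines` is the only recursive `=` assignment in a block of `:=` ones; `ENGINES_DIR:=engines` would match the rest.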
@@ -54,6 +65,8 @@ endif define Package/openssl/Default TITLE:=Open source SSL toolkit URL:=http://www.openssl.org/ + SECTION:=libs + CATEGORY:=Libraries endef define Package/libopenssl/config @@ -62,19 +75,17 @@ endef define Package/openssl/Default/description The OpenSSL Project is a collaborative effort to develop a robust, -commercial-grade, full-featured, and Open Source toolkit implementing the Secure -Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well -as a full-strength general purpose cryptography library. +commercial-grade, full-featured, and Open Source toolkit implementing the +Transport Layer Security (TLS) protocol as well as a full-strength +general-purpose cryptography library. endef define Package/libopenssl $(call Package/openssl/Default) - SECTION:=libs SUBMENU:=SSL - CATEGORY:=Libraries DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib TITLE+= (libraries) - ABI_VERSION:=$(PKG_VERSION) + ABI_VERSION:=1.0.0 MENU:=1 endef 
@@ -100,19 +111,35 @@ $(call Package/openssl/Default/description) This package contains the OpenSSL command-line utility. endef +define Package/libopenssl-gost + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=Russian GOST algorithms engine + DEPENDS:=libopenssl +@OPENSSL_WITH_GOST +endef -OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \ - no-whrlpool no-whirlpool no-seed no-jpake -OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats +define Package/libopenssl-gost/description +This package adds an engine that enables Russian GOST algorithms. +To use it, you need to configure the engine in /etc/ssl/openssl.cnf +See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE +The engine_id is "gost" +endef -ifdef CONFIG_OPENSSL_ENGINE_CRYPTO - OPENSSL_OPTIONS += -DHAVE_CRYPTODEV - ifdef CONFIG_OPENSSL_ENGINE_DIGEST - OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS - endif -else - OPENSSL_OPTIONS += no-engines -endif +define Package/libopenssl-padlock + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=VIA Padlock hardware acceleration engine + DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock +endef + +define Package/libopenssl-padlock/description +This package adds an engine that enables VIA Padlock hardware acceleration. +To use it, you need to configure it in /etc/ssl/openssl.cnf. +See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE +The engine_id is "padlock" +endef + +OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method ifndef CONFIG_OPENSSL_WITH_EC OPENSSL_OPTIONS += no-ec 
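Review bot: The new `OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method` line replaces a list that explicitly passed `no-md2`, `no-rc5`, `no-krb5` and `no-jpake`, and nothing in the new conditionals puts those back. These are presumably left to Configure's own defaults for this OpenSSL branch, but the Makefile no longer shows that, and a later version bump could change it silently. I would add a comment above the assignment such as `# md2, rc5, krb5 and jpake are not listed: they are expected to be disabled by Configure's defaults - re-check on version bumps`, or keep the explicit `no-` options.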
@@ -122,20 +149,70 @@ ifndef CONFIG_OPENSSL_WITH_EC2M OPENSSL_OPTIONS += no-ec2m endif -ifndef CONFIG_OPENSSL_WITH_SSL3 - OPENSSL_OPTIONS += no-ssl3 no-ssl3-method +ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES + OPENSSL_OPTIONS += no-err endif -ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT - OPENSSL_OPTIONS += no-hw +ifndef CONFIG_OPENSSL_WITH_CAMELLIA + OPENSSL_OPTIONS += no-camellia +endif + +ifndef CONFIG_OPENSSL_WITH_IDEA + OPENSSL_OPTIONS += no-idea +endif + +ifndef CONFIG_OPENSSL_WITH_SEED + OPENSSL_OPTIONS += no-seed +endif + +ifndef CONFIG_OPENSSL_WITH_MDC2 + OPENSSL_OPTIONS += no-mdc2 +endif + +ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL + OPENSSL_OPTIONS += no-whirlpool +endif + +ifndef CONFIG_OPENSSL_WITH_CMS + OPENSSL_OPTIONS += no-cms +endif + +ifdef CONFIG_OPENSSL_WITH_RFC3779 + OPENSSL_OPTIONS += enable-rfc3779 endif ifdef CONFIG_OPENSSL_NO_DEPRECATED OPENSSL_OPTIONS += no-deprecated endif +ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) + TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 +else + OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT +endif + +ifdef CONFIG_OPENSSL_ENGINE + ifdef CONFIG_OPENSSL_ENGINE_CRYPTO + OPENSSL_OPTIONS += -DHAVE_CRYPTODEV + ifdef CONFIG_OPENSSL_ENGINE_DIGEST + OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS + endif + endif + ifndef CONFIG_PACKAGE_libopenssl-padlock + OPENSSL_OPTIONS += no-hw-padlock + endif +else + OPENSSL_OPTIONS += no-engine +endif + +ifndef CONFIG_OPENSSL_WITH_GOST + OPENSSL_OPTIONS += no-gost +endif + +# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code, +# but openssl util gets built without it ifndef CONFIG_OPENSSL_WITH_DTLS - OPENSSL_OPTIONS += no-dtls + OPENSSL_OPTIONS += no-dtls no-dtls1 endif ifdef CONFIG_OPENSSL_WITH_COMPRESSION 
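Review bot: The comment added above `OPENSSL_OPTIONS += no-dtls no-dtls1` says the library keeps the DTLS code even with both options, so disabling OPENSSL_WITH_DTLS only affects the openssl utility. That is worth surfacing where users make the choice, because someone turning DTLS off to reduce the exposed protocol surface of libssl would not get that effect. I would extend the OPENSSL_WITH_DTLS help in Config.in with a sentence such as `Note: disabling this only removes DTLS from the openssl utility; the library still contains the DTLS code.`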
@@ -156,27 +233,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP OPENSSL_OPTIONS += no-srp endif -ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) - TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3 +ifndef CONFIG_OPENSSL_WITH_ASM + OPENSSL_OPTIONS += no-asm endif -ifeq ($(CONFIG_x86_64),y) - OPENSSL_TARGET:=linux-x86_64-openwrt - OPENSSL_MAKEFLAGS += LIBDIR=lib -else - OPENSSL_OPTIONS+=no-sse2 - ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y) - OPENSSL_TARGET:=linux-mips-openwrt - else ifeq ($(CONFIG_aarch64),y) - OPENSSL_TARGET:=linux-aarch64-openwrt - else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y) - OPENSSL_TARGET:=linux-armv4-openwrt - else - OPENSSL_TARGET:=linux-generic-openwrt - OPENSSL_OPTIONS+=no-perlasm +ifdef CONFIG_i386 + ifndef CONFIG_OPENSSL_WITH_SSE2 + OPENSSL_OPTIONS += no-sse2 endif endif +OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt + STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) define Build/Configure @@ -187,11 +255,10 @@ define Build/Configure (cd $(PKG_BUILD_DIR); \ ./Configure $(OPENSSL_TARGET) \ --prefix=/usr \ + --libdir=lib \ --openssldir=/etc/ssl \ $(TARGET_CPPFLAGS) \ - $(TARGET_LDFLAGS) -ldl \ - $(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \ - $(OPENSSL_NO_CIPHERS) \ + $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) \ ) +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ @@ -202,7 +269,7 @@ define Build/Configure depend endef -TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections +TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections TARGET_LDFLAGS += -Wl,--gc-sections define Build/Compile 
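Review bot: `OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt` has no fallback, so any architecture without a matching Configure entry produces a target name Configure does not know. The copy of 100-openwrt_targets.patch visible earlier on this page defines only aarch64, arc, arm, armeb, i386, mips, mips64, mips64el, mipsel, powerpc, x86_64 and generic32, and nothing in this Makefile ever selects `linux-generic32-openwrt`. The removed code fell back to a generic target in its final `else`. I would restore that with `OPENSSL_ARCHS:=aarch64 arc arm armeb i386 mips mips64 mips64el mipsel powerpc x86_64` and `OPENSSL_TARGET:=linux-$(or $(filter $(OPENSSL_ARCHS),$(call qstrip,$(CONFIG_ARCH))),generic32)-openwrt`. A 64-bit architecture outside the table would still want its own entry.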
@@ -251,20 +318,33 @@ define Build/InstallDev endef define Package/libopenssl/install + $(INSTALL_DIR) $(1)/etc/ssl/certs + $(INSTALL_DIR) $(1)/etc/ssl/private + chmod 0700 $(1)/etc/ssl/private $(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/ + $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)) endef define Package/openssl-util/install $(INSTALL_DIR) $(1)/etc/ssl $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ - $(INSTALL_DIR) $(1)/etc/ssl/certs - $(INSTALL_DIR) $(1)/etc/ssl/private - chmod 0700 $(1)/etc/ssl/private $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef +define Package/libopenssl-padlock/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) +endef + +define Package/libopenssl-gost/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR) +endef + $(eval $(call BuildPackage,libopenssl)) +$(eval $(call BuildPackage,libopenssl-gost)) +$(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/libs/openssl/include/crypto/cryptodev.h b/package/libs/openssl/include/crypto/cryptodev.h deleted file mode 100644 index 7fb9c7dcd..000000000 --- a/package/libs/openssl/include/crypto/cryptodev.h +++ /dev/null 
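Review bot: In `Package/libopenssl-padlock/install` the engine is picked up with the glob `$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so`, while the gost rule right below names its file exactly (`libgost.so`). A glob installs whatever happens to match in the staging directory, whereas an explicit name fails loudly if the build output changes. Assuming the engine is built as `libpadlock.so` (not shown in this hunk), I would write `$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libpadlock.so $(1)/usr/lib/$(ENGINES_DIR)`.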
@@ -1,292 +0,0 @@ -/* This is a source compatible implementation with the original API of - * cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h. - * Placed under public domain */ - -#ifndef L_CRYPTODEV_H -#define L_CRYPTODEV_H - -#include -#ifndef __KERNEL__ -#define __user -#endif - -/* API extensions for linux */ -#define CRYPTO_HMAC_MAX_KEY_LEN 512 -#define CRYPTO_CIPHER_MAX_KEY_LEN 64 - -/* All the supported algorithms - */ -enum cryptodev_crypto_op_t { - CRYPTO_DES_CBC = 1, - CRYPTO_3DES_CBC = 2, - CRYPTO_BLF_CBC = 3, - CRYPTO_CAST_CBC = 4, - CRYPTO_SKIPJACK_CBC = 5, - CRYPTO_MD5_HMAC = 6, - CRYPTO_SHA1_HMAC = 7, - CRYPTO_RIPEMD160_HMAC = 8, - CRYPTO_MD5_KPDK = 9, - CRYPTO_SHA1_KPDK = 10, - CRYPTO_RIJNDAEL128_CBC = 11, - CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC, - CRYPTO_ARC4 = 12, - CRYPTO_MD5 = 13, - CRYPTO_SHA1 = 14, - CRYPTO_DEFLATE_COMP = 15, - CRYPTO_NULL = 16, - CRYPTO_LZS_COMP = 17, - CRYPTO_SHA2_256_HMAC = 18, - CRYPTO_SHA2_384_HMAC = 19, - CRYPTO_SHA2_512_HMAC = 20, - CRYPTO_AES_CTR = 21, - CRYPTO_AES_XTS = 22, - CRYPTO_AES_ECB = 23, - CRYPTO_AES_GCM = 50, - - CRYPTO_CAMELLIA_CBC = 101, - CRYPTO_RIPEMD160, - CRYPTO_SHA2_224, - CRYPTO_SHA2_256, - CRYPTO_SHA2_384, - CRYPTO_SHA2_512, - CRYPTO_SHA2_224_HMAC, - CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */ -}; - -#define CRYPTO_ALGORITHM_MAX (CRYPTO_ALGORITHM_ALL - 1) - -/* Values for ciphers */ -#define DES_BLOCK_LEN 8 -#define DES3_BLOCK_LEN 8 -#define RIJNDAEL128_BLOCK_LEN 16 -#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN -#define CAMELLIA_BLOCK_LEN 16 -#define BLOWFISH_BLOCK_LEN 8 -#define SKIPJACK_BLOCK_LEN 8 -#define CAST128_BLOCK_LEN 8 - -/* the maximum of the above */ -#define EALG_MAX_BLOCK_LEN 16 - -/* Values for hashes/MAC */ -#define AALG_MAX_RESULT_LEN 64 - -/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */ -#define CRYPTODEV_MAX_ALG_NAME 64 - -#define HASH_MAX_LEN 64 - -/* input of CIOCGSESSION */ -struct session_op { - /* Specify either cipher or 
mac - */ - __u32 cipher; /* cryptodev_crypto_op_t */ - __u32 mac; /* cryptodev_crypto_op_t */ - - __u32 keylen; - __u8 __user *key; - __u32 mackeylen; - __u8 __user *mackey; - - __u32 ses; /* session identifier */ -}; - -struct session_info_op { - __u32 ses; /* session identifier */ - - /* verbose names for the requested ciphers */ - struct alg_info { - char cra_name[CRYPTODEV_MAX_ALG_NAME]; - char cra_driver_name[CRYPTODEV_MAX_ALG_NAME]; - } cipher_info, hash_info; - - __u16 alignmask; /* alignment constraints */ - __u32 flags; /* SIOP_FLAGS_* */ -}; - -/* If this flag is set then this algorithm uses - * a driver only available in kernel (software drivers, - * or drivers based on instruction sets do not set this flag). - * - * If multiple algorithms are involved (as in AEAD case), then - * if one of them is kernel-driver-only this flag will be set. - */ -#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1 - -#define COP_ENCRYPT 0 -#define COP_DECRYPT 1 - -/* input of CIOCCRYPT */ -struct crypt_op { - __u32 ses; /* session identifier */ - __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ - __u16 flags; /* see COP_FLAG_* */ - __u32 len; /* length of source data */ - __u8 __user *src; /* source data */ - __u8 __user *dst; /* pointer to output data */ - /* pointer to output data for hash/MAC operations */ - __u8 __user *mac; - /* initialization vector for encryption operations */ - __u8 __user *iv; -}; - -/* input of CIOCAUTHCRYPT */ -struct crypt_auth_op { - __u32 ses; /* session identifier */ - __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ - __u16 flags; /* see COP_FLAG_AEAD_* */ - __u32 len; /* length of source data */ - __u32 auth_len; /* length of auth data */ - __u8 __user *auth_src; /* authenticated-only data */ - - /* The current implementation is more efficient if data are - * encrypted in-place (src==dst). */ - __u8 __user *src; /* data to be encrypted and authenticated */ - __u8 __user *dst; /* pointer to output data. Must have - * space for tag. 
For TLS this should be at least - * len + tag_size + block_size for padding */ - - __u8 __user *tag; /* where the tag will be copied to. TLS mode - * doesn't use that as tag is copied to dst. - * SRTP mode copies tag there. */ - __u32 tag_len; /* the length of the tag. Use zero for digest size or max tag. */ - - /* initialization vector for encryption operations */ - __u8 __user *iv; - __u32 iv_len; -}; - -/* In plain AEAD mode the following are required: - * flags : 0 - * iv : the initialization vector (12 bytes) - * auth_len: the length of the data to be authenticated - * auth_src: the data to be authenticated - * len : length of data to be encrypted - * src : the data to be encrypted - * dst : space to hold encrypted data. It must have - * at least a size of len + tag_size. - * tag_size: the size of the desired authentication tag or zero to use - * the maximum tag output. - * - * Note tag isn't being used because the Linux AEAD interface - * copies the tag just after data. - */ - -/* In TLS mode (used for CBC ciphers that required padding) - * the following are required: - * flags : COP_FLAG_AEAD_TLS_TYPE - * iv : the initialization vector - * auth_len: the length of the data to be authenticated only - * len : length of data to be encrypted - * auth_src: the data to be authenticated - * src : the data to be encrypted - * dst : space to hold encrypted data (preferably in-place). It must have - * at least a size of len + tag_size + blocksize. - * tag_size: the size of the desired authentication tag or zero to use - * the default mac output. - * - * Note that the padding used is the minimum padding. - */ - -/* In SRTP mode the following are required: - * flags : COP_FLAG_AEAD_SRTP_TYPE - * iv : the initialization vector - * auth_len: the length of the data to be authenticated. This must - * include the SRTP header + SRTP payload (data to be encrypted) + rest - * - * len : length of data to be encrypted - * auth_src: pointer the data to be authenticated. 
Should point at the same buffer as src. - * src : pointer to the data to be encrypted. - * dst : This is mandatory to be the same as src (in-place only). - * tag_size: the size of the desired authentication tag or zero to use - * the default mac output. - * tag : Pointer to an address where the authentication tag will be copied. - */ - - -/* struct crypt_op flags */ - -#define COP_FLAG_NONE (0 << 0) /* totally no flag */ -#define COP_FLAG_UPDATE (1 << 0) /* multi-update hash mode */ -#define COP_FLAG_FINAL (1 << 1) /* multi-update final hash mode */ -#define COP_FLAG_WRITE_IV (1 << 2) /* update the IV during operation */ -#define COP_FLAG_NO_ZC (1 << 3) /* do not zero-copy */ -#define COP_FLAG_AEAD_TLS_TYPE (1 << 4) /* authenticate and encrypt using the - * TLS protocol rules */ -#define COP_FLAG_AEAD_SRTP_TYPE (1 << 5) /* authenticate and encrypt using the - * SRTP protocol rules */ -#define COP_FLAG_RESET (1 << 6) /* multi-update reset the state. - * should be used in combination - * with COP_FLAG_UPDATE */ - - -/* Stuff for bignum arithmetic and public key - * cryptography - not supported yet by linux - * cryptodev. 
- */ - -#define CRYPTO_ALG_FLAG_SUPPORTED 1 -#define CRYPTO_ALG_FLAG_RNG_ENABLE 2 -#define CRYPTO_ALG_FLAG_DSA_SHA 4 - -struct crparam { - __u8 *crp_p; - __u32 crp_nbits; -}; - -#define CRK_MAXPARAM 8 - -/* input of CIOCKEY */ -struct crypt_kop { - __u32 crk_op; /* cryptodev_crk_op_t */ - __u32 crk_status; - __u16 crk_iparams; - __u16 crk_oparams; - __u32 crk_pad1; - struct crparam crk_param[CRK_MAXPARAM]; -}; - -enum cryptodev_crk_op_t { - CRK_MOD_EXP = 0, - CRK_MOD_EXP_CRT = 1, - CRK_DSA_SIGN = 2, - CRK_DSA_VERIFY = 3, - CRK_DH_COMPUTE_KEY = 4, - CRK_ALGORITHM_ALL -}; - -#define CRK_ALGORITHM_MAX (CRK_ALGORITHM_ALL-1) - -/* features to be queried with CIOCASYMFEAT ioctl - */ -#define CRF_MOD_EXP (1 << CRK_MOD_EXP) -#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT) -#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN) -#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY) -#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY) - - -/* ioctl's. Compatible with old linux cryptodev.h - */ -#define CRIOGET _IOWR('c', 101, __u32) -#define CIOCGSESSION _IOWR('c', 102, struct session_op) -#define CIOCFSESSION _IOW('c', 103, __u32) -#define CIOCCRYPT _IOWR('c', 104, struct crypt_op) -#define CIOCKEY _IOWR('c', 105, struct crypt_kop) -#define CIOCASYMFEAT _IOR('c', 106, __u32) -#define CIOCGSESSINFO _IOWR('c', 107, struct session_info_op) - -/* to indicate that CRIOGET is not required in linux - */ -#define CRIOGET_NOT_NEEDED 1 - -/* additional ioctls for AEAD */ -#define CIOCAUTHCRYPT _IOWR('c', 109, struct crypt_auth_op) - -/* additional ioctls for asynchronous operation. - * These are conditionally enabled since version 1.6. - */ -#define CIOCASYNCCRYPT _IOW('c', 110, struct crypt_op) -#define CIOCASYNCFETCH _IOR('c', 111, struct crypt_op) - -#endif /* L_CRYPTODEV_H */ diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch new file mode 100644 index 000000000..52a51f9f4 --- /dev/null 
+++ b/package/libs/openssl/patches/100-openwrt_targets.patch 
@@ -0,0 +1,44 @@ +From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Wed, 26 Sep 2018 16:21:27 -0300 +Subject: Add openwrt targets + +Targets are named: linux-$(CONFIG_ARCH)-openwrt + +Signed-off-by: Eneas U de Queiroz + +--- a/Configure ++++ b/Configure +@@ -470,6 +470,32 @@ my %table=( + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + ++# OpenWrt targets ++# from linux-aarch64 ++"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-generic32 ++"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-armv4 ++"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-armv4 ++"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-elf ++"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-mips32 ++"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux64-mips64 ++"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux64-mips64 ++"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux-mips32 ++"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-ppc ++"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-x86_64 ++"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux-generic32 ++"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer 
-Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++ + # Android: linux-* but without pointers to headers and libs. + "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch deleted file mode 100644 index d6d4a2111..000000000 --- a/package/libs/openssl/patches/110-optimize-for-size.patch +++ /dev/null 
@@ -1,16 +0,0 @@ ---- a/Configure -+++ b/Configure -@@ -470,6 +470,13 @@ my %table=( - "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", - "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", - -+# OpenWrt targets -+"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+ - # Android: linux-* but without pointers to headers and libs. 
- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/libs/openssl/patches/130-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch similarity index 100% rename from package/libs/openssl/patches/130-perl-path.patch rename to package/libs/openssl/patches/110-perl-path.patch diff --git a/package/libs/openssl/patches/140-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch similarity index 83% rename from package/libs/openssl/patches/140-makefile-dirs.patch rename to package/libs/openssl/patches/120-makefile-dirs.patch index 83c412f44..5bcb31648 100644 --- a/package/libs/openssl/patches/140-makefile-dirs.patch +++ b/package/libs/openssl/patches/120-makefile-dirs.patch @@ -5,7 +5,7 @@ BASEADDR= -DIRS= crypto ssl engines apps test tools -+DIRS= crypto ssl apps ++DIRS= crypto ssl engines apps ENGDIRS= ccgost SHLIBDIRS= crypto ssl diff --git a/package/libs/openssl/patches/160-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch similarity index 100% rename from package/libs/openssl/patches/160-disable_doc_tests.patch rename to package/libs/openssl/patches/130-disable_doc_tests.patch diff --git a/package/libs/openssl/patches/170-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch similarity index 100% rename from package/libs/openssl/patches/170-bash_path.patch rename to package/libs/openssl/patches/140-bash_path.patch 
diff --git a/package/libs/openssl/patches/180-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch similarity index 100% rename from package/libs/openssl/patches/180-fix_link_segfault.patch rename to package/libs/openssl/patches/150-fix_link_segfault.patch diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch deleted file mode 100644 index a518a0049..000000000 --- a/package/libs/openssl/patches/150-no_engines.patch +++ /dev/null @@ -1,81 +0,0 @@ ---- a/Configure -+++ b/Configure -@@ -2144,6 +2144,11 @@ EOF - close(OUT); - } - -+# ugly hack to disable engines -+if($target eq "mingwx") { -+ system("sed -e s/^LIB/XLIB/g -i engines/Makefile"); -+} -+ - print < +Date: Wed, 26 Sep 2018 18:04:58 -0300 +Subject: Avoid exposing build directories + +The CFLAGS contain the build directories, and are shown by calling +SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a + +Signed-off-by: Eneas U de Queiroz + +--- a/crypto/Makefile ++++ b/crypto/Makefile +@@ -57,7 +57,7 @@ top: + all: shared + + buildinf.h: ../Makefile +- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h ++ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h + + x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl + $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@