diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index 3ad8a66b9..c39e28510 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -1,289 +1,72 @@ if PACKAGE_libopenssl -comment "Build Options" - -config OPENSSL_OPTIMIZE_SPEED - bool - default y if x86_64 || i386 - prompt "Enable optimization for speed instead of size" - select OPENSSL_WITH_ASM - help - Enabling this option increases code size (around 20%) and - performance. The increase in performance and size depends on the - target CPU. EC and AES seem to benefit the most, with EC speed - increased by 20%-50% (mipsel & x86). - AES-GCM is supposed to be 3x faster on x86. YMMV. - -config OPENSSL_WITH_ASM - bool - default y if !SMALL_FLASH || !arm - prompt "Compile with optimized assembly code" - depends on !arc - help - Disabling this option will reduce code size and performance. - The increase in performance and size depends on the target - CPU and on the algorithms being optimized. As of 1.1.0i*: - - Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase - aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 - arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 - i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% - mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% - mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 - powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 - x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% - - * Only most common algorithms shown. Your mileage may vary. - BN (bignum) performance was measured using RSA sign/verify. - -config OPENSSL_WITH_SSE2 - bool - default y if !TARGET_x86_legacy && !TARGET_x86_geode - prompt "Enable use of x86 SSE2 instructions" - depends on OPENSSL_WITH_ASM && i386 - help - Use of SSE2 instructions greatly increase performance (up to - 3x faster) with a minimum (~0.2%, or 23KB) increase in package - size, but it will bring no benefit if your hardware does not - support them, such as Geode GX and LX. In this case you may - save 23KB by saying yes here. AMD Geode NX, and Intel - Pentium 4 and above support SSE2. - -config OPENSSL_WITH_DEPRECATED - bool - default y - prompt "Include deprecated APIs (See help for a list of packages that need this)" - help - Since openssl 1.1.x is still new to openwrt, some packages - requiring this option do not list it as a requirement yet: - * freeswitch-stable, freeswitch, python, python3, squid. - -config OPENSSL_NO_DEPRECATED - bool - default !OPENSSL_WITH_DEPRECATED - -config OPENSSL_WITH_ERROR_MESSAGES - bool - default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT - prompt "Include error messages" - help - This option aids debugging, but increases package size and - memory usage. - -comment "Protocol Support" - -config OPENSSL_WITH_TLS13 - bool - default y - prompt "Enable support for TLS 1.3" - select OPENSSL_WITH_EC - help - TLS 1.3 is the newest version of the TLS specification. - It aims: - * to increase the overall security of the protocol, - removing outdated algorithms, and encrypting more of the - protocol; - * to increase performance by reducing the number of round-trips - when performing a full handshake. - It increases package size by ~4KB. - -config OPENSSL_WITH_DTLS - bool - prompt "Enable DTLS support" - help - Datagram Transport Layer Security (DTLS) provides TLS-like security - for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. - -config OPENSSL_WITH_NPN - bool - default y - prompt "Enable NPN support" - help - NPN is a TLS extension, obsoleted and replaced with ALPN, - used to negotiate SPDY, and HTTP/2. - -config OPENSSL_WITH_SRP - bool - default y - prompt "Enable SRP support" - help - The Secure Remote Password protocol (SRP) is an augmented - password-authenticated key agreement (PAKE) protocol, specifically - designed to work around existing patents. - -config OPENSSL_WITH_CMS - bool - default y - prompt "Enable CMS (RFC 5652) support" - help - Cryptographic Message Syntax (CMS) is used to digitally sign, - digest, authenticate, or encrypt arbitrary message content. - -comment "Algorithm Selection" - config OPENSSL_WITH_EC bool default y prompt "Enable elliptic curve support" - help - Elliptic-curve cryptography (ECC) is an approach to public-key - cryptography based on the algebraic structure of elliptic curves - over finite fields. ECC requires smaller keys compared to non-ECC - cryptography to provide equivalent security. config OPENSSL_WITH_EC2M - bool - depends on OPENSSL_WITH_EC - prompt "Enable ec2m support" - help - This option enables the more efficient, yet less common, binary - field elliptic curves. + bool + depends on OPENSSL_WITH_EC + prompt "Enable ec2m support" -config OPENSSL_WITH_CHACHA_POLY1305 +config OPENSSL_WITH_SSL3 + bool + default n + prompt "Enable sslv3 support" + +config OPENSSL_WITH_DEPRECATED bool default y - prompt "Enable ChaCha20-Poly1305 ciphersuite support" - help - ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys, - combining ChaCha stream cipher with Poly1305 MAC. - It is 3x faster than AES, when not using a CPU with AES-specific - instructions, as is the case of most embedded devices. + prompt "Include deprecated APIs" -config OPENSSL_PREFER_CHACHA_OVER_GCM +config OPENSSL_NO_DEPRECATED bool - default y if !x86_64 && !aarch64 - prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" - depends on OPENSSL_WITH_CHACHA_POLY1305 - help - The default openssl preference is for AES-GCM before ChaCha, but - that takes into account AES-NI capable chips. It is not the - case with most embedded chips, so it may be better to invert - that preference. This is just for the default case. The - application can always override this. + default !OPENSSL_WITH_DEPRECATED + +config OPENSSL_WITH_DTLS + bool + default n + prompt "Enable DTLS support" + +config OPENSSL_WITH_COMPRESSION + bool + default n + prompt "Enable compression support" + +config OPENSSL_WITH_NPN + bool + default y + prompt "Enable NPN support" config OPENSSL_WITH_PSK bool default y prompt "Enable PSK support" - help - Build support for Pre-Shared Key based cipher suites. -comment "Less commonly used build options" - -config OPENSSL_WITH_ARIA +config OPENSSL_WITH_SRP bool - prompt "Enable ARIA support" - help - ARIA is a block cipher developed in South Korea, based on AES. + default y + prompt "Enable SRP support" -config OPENSSL_WITH_CAMELLIA +config OPENSSL_ENGINE_DIGEST bool - prompt "Enable Camellia cipher support" - help - Camellia is a bock cipher with security levels and processing - abilities comparable to AES. + depends on OPENSSL_ENGINE_CRYPTO + prompt "Digests acceleration support" -config OPENSSL_WITH_IDEA +config OPENSSL_HARDWARE_SUPPORT bool - prompt "Enable IDEA cipher support" - help - IDEA is a block cipher with 128-bit keys. + default n + prompt "Enable hardware support" -config OPENSSL_WITH_SEED +config OPENSSL_OPTIMIZE_SPEED bool - prompt "Enable SEED cipher support" - help - SEED is a block cipher with 128-bit keys broadly used in - South Korea, but seldom found elsewhere. + default n + prompt "Enable optimization for speed instead of size" -config OPENSSL_WITH_SM234 - bool - prompt "Enable SM2/3/4 algorithms support" - help - These algorithms are a set of "Commercial Cryptography" - algorithms approved for use in China. - * SM2 is an EC algorithm equivalent to ECDSA P-256 - * SM3 is a hash function equivalent to SHA-256 - * SM4 is a 128-block cipher equivalent to AES-128 - -config OPENSSL_WITH_BLAKE2 - bool - prompt "Enable BLAKE2 digest support" - help - BLAKE2 is a cryptographic hash function based on the ChaCha - stream cipher. - -config OPENSSL_WITH_MDC2 - bool - prompt "Enable MDC2 digest support" - -config OPENSSL_WITH_WHIRLPOOL - bool - prompt "Enable Whirlpool digest support" - -config OPENSSL_WITH_COMPRESSION - bool - prompt "Enable compression support" - help - TLS compression is not recommended, as it is deemed insecure. - The CRIME attack exploits this weakness. - Even with this option turned on, it is disabled by default, and the - application must explicitly turn it on. - -config OPENSSL_WITH_RFC3779 - bool - prompt "Enable RFC3779 support (BGP)" - help - RFC 3779 defines two X.509 v3 certificate extensions. The first - binds a list of IP address blocks, or prefixes, to the subject of a - certificate. The second binds a list of autonomous system - identifiers to the subject of a certificate. These extensions may be - used to convey the authorization of the subject to use the IP - addresses and autonomous system identifiers contained in the - extensions. - -comment "Engine/Hardware Support" - -config OPENSSL_ENGINE - bool "Enable engine support" - help - This enables alternative cryptography implementations, - most commonly for interfacing with external crypto devices, - or supporting new/alternative ciphers and digests. - Note that you need to enable KERNEL_AIO to be able to build the - afalg engine package. +endif config OPENSSL_ENGINE_CRYPTO bool - select OPENSSL_ENGINE - select PACKAGE_kmod-cryptodev - select PACKAGE_libopenssl-conf - prompt "Acceleration support through /dev/crypto" - help - This enables use of hardware acceleration through OpenBSD - Cryptodev API (/dev/crypto) interface. - You must install kmod-cryptodev (under Kernel modules, Cryptographic - API modules) for /dev/crypto to show up and use hardware - acceleration; otherwise it falls back to software. - -config OPENSSL_WITH_ASYNC - bool - prompt "Enable asynchronous jobs support" - depends on OPENSSL_ENGINE && USE_GLIBC - help - Enables async-aware applications to be able to use OpenSSL to - initiate crypto operations asynchronously. In order to work - this will require the presence of an async capable engine. - -config OPENSSL_WITH_GOST - bool - prompt "Prepare library for GOST engine" - depends on OPENSSL_ENGINE - help - This option prepares the library to accept engine support - for Russian GOST crypto algorithms. - The gost engine is not included in standard openwrt feeds. - To build such engine yourself, see: - https://github.com/gost-engine/engine - -endif + select OPENSSL_HARDWARE_SUPPORT + prompt "Crypto acceleration support" if PACKAGE_libopenssl diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 732e3eb1c..1e2826756 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -8,58 +8,41 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl -PKG_BASE:=1.1.1 -PKG_BUGFIX:=a +PKG_BASE:=1.0.2 +PKG_BUGFIX:=p PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=0 -PKG_BUILD_DEPENDS:=cryptodev-linux + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ http://ftp.fi.muni.cz/pub/openssl/source/ \ http://ftp.linux.hr/pub/openssl/source/ \ - ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ + http://gd.tuwien.ac.at/infosys/security/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41 +PKG_HASH:=50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ - CONFIG_OPENSSL_ENGINE \ CONFIG_OPENSSL_ENGINE_CRYPTO \ - CONFIG_OPENSSL_NO_DEPRECATED \ - CONFIG_OPENSSL_OPTIMIZE_SPEED \ - CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \ - CONFIG_OPENSSL_WITH_ARIA \ - CONFIG_OPENSSL_WITH_ASM \ - CONFIG_OPENSSL_WITH_ASYNC \ - CONFIG_OPENSSL_WITH_BLAKE2 \ - CONFIG_OPENSSL_WITH_CAMELLIA \ - CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \ - CONFIG_OPENSSL_WITH_CMS \ - CONFIG_OPENSSL_WITH_COMPRESSION \ - CONFIG_OPENSSL_WITH_DTLS \ + CONFIG_OPENSSL_ENGINE_DIGEST \ CONFIG_OPENSSL_WITH_EC \ CONFIG_OPENSSL_WITH_EC2M \ - CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ - CONFIG_OPENSSL_WITH_GOST \ - CONFIG_OPENSSL_WITH_IDEA \ - CONFIG_OPENSSL_WITH_MDC2 \ + CONFIG_OPENSSL_WITH_SSL3 \ + CONFIG_OPENSSL_HARDWARE_SUPPORT \ + CONFIG_OPENSSL_NO_DEPRECATED \ + CONFIG_OPENSSL_WITH_DTLS \ + CONFIG_OPENSSL_WITH_COMPRESSION \ CONFIG_OPENSSL_WITH_NPN \ CONFIG_OPENSSL_WITH_PSK \ - CONFIG_OPENSSL_WITH_RFC3779 \ - CONFIG_OPENSSL_WITH_SEED \ - CONFIG_OPENSSL_WITH_SM234 \ CONFIG_OPENSSL_WITH_SRP \ - CONFIG_OPENSSL_WITH_SSE2 \ - CONFIG_OPENSSL_WITH_TLS13 \ - CONFIG_OPENSSL_WITH_WHIRLPOOL + CONFIG_OPENSSL_OPTIMIZE_SPEED include $(INCLUDE_DIR)/package.mk @@ -71,8 +54,6 @@ endif define Package/openssl/Default TITLE:=Open source SSL toolkit URL:=http://www.openssl.org/ - SECTION:=libs - CATEGORY:=Libraries endef define Package/libopenssl/config @@ -81,17 +62,19 @@ endef define Package/openssl/Default/description The OpenSSL Project is a collaborative effort to develop a robust, -commercial-grade, full-featured, and Open Source toolkit implementing the -Transport Layer Security (TLS) protocol as well as a full-strength -general-purpose cryptography library. +commercial-grade, full-featured, and Open Source toolkit implementing the Secure +Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well +as a full-strength general purpose cryptography library. endef define Package/libopenssl $(call Package/openssl/Default) + SECTION:=libs SUBMENU:=SSL + CATEGORY:=Libraries DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib TITLE+= (libraries) - ABI_VERSION:=1.1 + ABI_VERSION:=$(PKG_VERSION) MENU:=1 endef @@ -104,78 +87,31 @@ define Package/openssl-util $(call Package/openssl/Default) SECTION:=utils CATEGORY:=Utilities - DEPENDS:=+libopenssl +libopenssl-conf + DEPENDS:=+libopenssl TITLE+= (utility) endef +define Package/openssl-util/conffiles +/etc/ssl/openssl.cnf +endef + define Package/openssl-util/description $(call Package/openssl/Default/description) This package contains the OpenSSL command-line utility. endef -define Package/libopenssl-conf - $(call Package/openssl/Default) - SUBMENU:=SSL - TITLE:=/etc/ssl/openssl.cnf config file - DEPENDS:=libopenssl -endef -define Package/libopenssl-conf/conffiles -/etc/ssl/openssl.cnf -endef +OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \ + no-whrlpool no-whirlpool no-seed no-jpake +OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats -define Package/libopenssl-conf/description -$(call Package/openssl/Default/description) -This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. -endef - -define Package/libopenssl-afalg - $(call Package/openssl/Default) - SUBMENU:=SSL - TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user \ - +libopenssl-conf -endef - -define Package/libopenssl-afalg/description -This package adds an engine that enables hardware acceleration -through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module -The engine_id is "afalg" -endef - -define Package/libopenssl-padlock - $(call Package/openssl/Default) - SUBMENU:=SSL - TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock \ - +libopenssl-conf -endef - -define Package/libopenssl-padlock/description -This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module -The engine_id is "padlock" -endef - -OPENSSL_OPTIONS:= shared - -ifndef CONFIG_OPENSSL_WITH_BLAKE2 - OPENSSL_OPTIONS += no-blake2 -endif - -ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305 - OPENSSL_OPTIONS += no-chacha no-poly1305 -else - ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM - OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM +ifdef CONFIG_OPENSSL_ENGINE_CRYPTO + OPENSSL_OPTIONS += -DHAVE_CRYPTODEV + ifdef CONFIG_OPENSSL_ENGINE_DIGEST + OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS endif -endif - -ifndef CONFIG_OPENSSL_WITH_ASYNC - OPENSSL_OPTIONS += no-async +else + OPENSSL_OPTIONS += no-engines endif ifndef CONFIG_OPENSSL_WITH_EC @@ -186,78 +122,18 @@ ifndef CONFIG_OPENSSL_WITH_EC2M OPENSSL_OPTIONS += no-ec2m endif -ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES - OPENSSL_OPTIONS += no-err +ifndef CONFIG_OPENSSL_WITH_SSL3 + OPENSSL_OPTIONS += no-ssl3 no-ssl3-method endif -ifndef CONFIG_OPENSSL_WITH_TLS13 - OPENSSL_OPTIONS += no-tls1_3 -endif - -ifndef CONFIG_OPENSSL_WITH_ARIA - OPENSSL_OPTIONS += no-aria -endif - -ifndef CONFIG_OPENSSL_WITH_SM234 - OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4 -endif - -ifndef CONFIG_OPENSSL_WITH_CAMELLIA - OPENSSL_OPTIONS += no-camellia -endif - -ifndef CONFIG_OPENSSL_WITH_IDEA - OPENSSL_OPTIONS += no-idea -endif - -ifndef CONFIG_OPENSSL_WITH_SEED - OPENSSL_OPTIONS += no-seed -endif - -ifndef CONFIG_OPENSSL_WITH_MDC2 - OPENSSL_OPTIONS += no-mdc2 -endif - -ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL - OPENSSL_OPTIONS += no-whirlpool -endif - -ifndef CONFIG_OPENSSL_WITH_CMS - OPENSSL_OPTIONS += no-cms -endif - -ifndef CONFIG_OPENSSL_WITH_RFC3779 - OPENSSL_OPTIONS += no-rfc3779 +ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT + OPENSSL_OPTIONS += no-hw endif ifdef CONFIG_OPENSSL_NO_DEPRECATED OPENSSL_OPTIONS += no-deprecated endif -ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) - TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 -else - OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT -endif - -ifdef CONFIG_OPENSSL_ENGINE - ifdef CONFIG_OPENSSL_ENGINE_CRYPTO - OPENSSL_OPTIONS += enable-devcryptoeng - endif - ifndef CONFIG_PACKAGE_libopenssl-afalg - OPENSSL_OPTIONS += no-afalgeng - endif - ifndef CONFIG_PACKAGE_libopenssl-padlock - OPENSSL_OPTIONS += no-hw-padlock - endif -else - OPENSSL_OPTIONS += no-engine -endif - -ifndef CONFIG_OPENSSL_WITH_GOST - OPENSSL_OPTIONS += no-gost -endif - ifndef CONFIG_OPENSSL_WITH_DTLS OPENSSL_OPTIONS += no-dtls endif @@ -280,18 +156,27 @@ ifndef CONFIG_OPENSSL_WITH_SRP OPENSSL_OPTIONS += no-srp endif -ifndef CONFIG_OPENSSL_WITH_ASM - OPENSSL_OPTIONS += no-asm +ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) + TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3 endif -ifdef CONFIG_i386 - ifndef CONFIG_OPENSSL_WITH_SSE2 - OPENSSL_OPTIONS += no-sse2 +ifeq ($(CONFIG_x86_64),y) + OPENSSL_TARGET:=linux-x86_64-openwrt + OPENSSL_MAKEFLAGS += LIBDIR=lib +else + OPENSSL_OPTIONS+=no-sse2 + ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y) + OPENSSL_TARGET:=linux-mips-openwrt + else ifeq ($(CONFIG_aarch64),y) + OPENSSL_TARGET:=linux-aarch64-openwrt + else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y) + OPENSSL_TARGET:=linux-armv4-openwrt + else + OPENSSL_TARGET:=linux-generic-openwrt + OPENSSL_OPTIONS+=no-perlasm endif endif -OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt - STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) define Build/Configure @@ -302,31 +187,57 @@ define Build/Configure (cd $(PKG_BUILD_DIR); \ ./Configure $(OPENSSL_TARGET) \ --prefix=/usr \ - --libdir=lib \ --openssldir=/etc/ssl \ $(TARGET_CPPFLAGS) \ - $(TARGET_LDFLAGS) \ + $(TARGET_LDFLAGS) -ldl \ + $(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \ + $(OPENSSL_NO_CIPHERS) \ $(OPENSSL_OPTIONS) \ ) + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + MAKEDEPPROG="$(TARGET_CROSS)gcc" \ + OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ + $(OPENSSL_MAKEFLAGS) \ + depend endef -TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections +TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections TARGET_LDFLAGS += -Wl,--gc-sections define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ - SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ + ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \ + AR="$(TARGET_CROSS)ar r" \ + RANLIB="$(TARGET_CROSS)ranlib" \ OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ $(OPENSSL_MAKEFLAGS) \ all + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + CC="$(TARGET_CC)" \ + ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \ + AR="$(TARGET_CROSS)ar r" \ + RANLIB="$(TARGET_CROSS)ranlib" \ + OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ + $(OPENSSL_MAKEFLAGS) \ + build-shared + # Work around openssl build bug to link libssl.so with libcrypto.so. + -rm $(PKG_BUILD_DIR)/libssl.so.*.*.* + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + CC="$(TARGET_CC)" \ + OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ + $(OPENSSL_MAKEFLAGS) \ + do_linux-shared $(MAKE) -C $(PKG_BUILD_DIR) \ CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ - DESTDIR="$(PKG_INSTALL_DIR)" \ + INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \ $(OPENSSL_MAKEFLAGS) \ - install_sw install_ssldirs + install endef define Build/InstallDev @@ -340,37 +251,20 @@ define Build/InstallDev endef define Package/libopenssl/install - $(INSTALL_DIR) $(1)/etc/ssl/certs - $(INSTALL_DIR) $(1)/etc/ssl/private - chmod 0700 $(1)/etc/ssl/private $(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/ - $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)) -endef - -define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl - $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ endef define Package/openssl-util/install + $(INSTALL_DIR) $(1)/etc/ssl + $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(INSTALL_DIR) $(1)/etc/ssl/certs + $(INSTALL_DIR) $(1)/etc/ssl/private + chmod 0700 $(1)/etc/ssl/private $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef -define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) -endef - -define Package/libopenssl-padlock/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) -endef - $(eval $(call BuildPackage,libopenssl)) -$(eval $(call BuildPackage,libopenssl-conf)) -$(eval $(call BuildPackage,libopenssl-afalg)) -$(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/libs/openssl/include/crypto/cryptodev.h b/package/libs/openssl/include/crypto/cryptodev.h new file mode 100644 index 000000000..7fb9c7dcd --- /dev/null +++ b/package/libs/openssl/include/crypto/cryptodev.h @@ -0,0 +1,292 @@ +/* This is a source compatible implementation with the original API of + * cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h. + * Placed under public domain */ + +#ifndef L_CRYPTODEV_H +#define L_CRYPTODEV_H + +#include +#ifndef __KERNEL__ +#define __user +#endif + +/* API extensions for linux */ +#define CRYPTO_HMAC_MAX_KEY_LEN 512 +#define CRYPTO_CIPHER_MAX_KEY_LEN 64 + +/* All the supported algorithms + */ +enum cryptodev_crypto_op_t { + CRYPTO_DES_CBC = 1, + CRYPTO_3DES_CBC = 2, + CRYPTO_BLF_CBC = 3, + CRYPTO_CAST_CBC = 4, + CRYPTO_SKIPJACK_CBC = 5, + CRYPTO_MD5_HMAC = 6, + CRYPTO_SHA1_HMAC = 7, + CRYPTO_RIPEMD160_HMAC = 8, + CRYPTO_MD5_KPDK = 9, + CRYPTO_SHA1_KPDK = 10, + CRYPTO_RIJNDAEL128_CBC = 11, + CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC, + CRYPTO_ARC4 = 12, + CRYPTO_MD5 = 13, + CRYPTO_SHA1 = 14, + CRYPTO_DEFLATE_COMP = 15, + CRYPTO_NULL = 16, + CRYPTO_LZS_COMP = 17, + CRYPTO_SHA2_256_HMAC = 18, + CRYPTO_SHA2_384_HMAC = 19, + CRYPTO_SHA2_512_HMAC = 20, + CRYPTO_AES_CTR = 21, + CRYPTO_AES_XTS = 22, + CRYPTO_AES_ECB = 23, + CRYPTO_AES_GCM = 50, + + CRYPTO_CAMELLIA_CBC = 101, + CRYPTO_RIPEMD160, + CRYPTO_SHA2_224, + CRYPTO_SHA2_256, + CRYPTO_SHA2_384, + CRYPTO_SHA2_512, + CRYPTO_SHA2_224_HMAC, + CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */ +}; + +#define CRYPTO_ALGORITHM_MAX (CRYPTO_ALGORITHM_ALL - 1) + +/* Values for ciphers */ +#define DES_BLOCK_LEN 8 +#define DES3_BLOCK_LEN 8 +#define RIJNDAEL128_BLOCK_LEN 16 +#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN +#define CAMELLIA_BLOCK_LEN 16 +#define BLOWFISH_BLOCK_LEN 8 +#define SKIPJACK_BLOCK_LEN 8 +#define CAST128_BLOCK_LEN 8 + +/* the maximum of the above */ +#define EALG_MAX_BLOCK_LEN 16 + +/* Values for hashes/MAC */ +#define AALG_MAX_RESULT_LEN 64 + +/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */ +#define CRYPTODEV_MAX_ALG_NAME 64 + +#define HASH_MAX_LEN 64 + +/* input of CIOCGSESSION */ +struct session_op { + /* Specify either cipher or mac + */ + __u32 cipher; /* cryptodev_crypto_op_t */ + __u32 mac; /* cryptodev_crypto_op_t */ + + __u32 keylen; + __u8 __user *key; + __u32 mackeylen; + __u8 __user *mackey; + + __u32 ses; /* session identifier */ +}; + +struct session_info_op { + __u32 ses; /* session identifier */ + + /* verbose names for the requested ciphers */ + struct alg_info { + char cra_name[CRYPTODEV_MAX_ALG_NAME]; + char cra_driver_name[CRYPTODEV_MAX_ALG_NAME]; + } cipher_info, hash_info; + + __u16 alignmask; /* alignment constraints */ + __u32 flags; /* SIOP_FLAGS_* */ +}; + +/* If this flag is set then this algorithm uses + * a driver only available in kernel (software drivers, + * or drivers based on instruction sets do not set this flag). + * + * If multiple algorithms are involved (as in AEAD case), then + * if one of them is kernel-driver-only this flag will be set. + */ +#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1 + +#define COP_ENCRYPT 0 +#define COP_DECRYPT 1 + +/* input of CIOCCRYPT */ +struct crypt_op { + __u32 ses; /* session identifier */ + __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ + __u16 flags; /* see COP_FLAG_* */ + __u32 len; /* length of source data */ + __u8 __user *src; /* source data */ + __u8 __user *dst; /* pointer to output data */ + /* pointer to output data for hash/MAC operations */ + __u8 __user *mac; + /* initialization vector for encryption operations */ + __u8 __user *iv; +}; + +/* input of CIOCAUTHCRYPT */ +struct crypt_auth_op { + __u32 ses; /* session identifier */ + __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ + __u16 flags; /* see COP_FLAG_AEAD_* */ + __u32 len; /* length of source data */ + __u32 auth_len; /* length of auth data */ + __u8 __user *auth_src; /* authenticated-only data */ + + /* The current implementation is more efficient if data are + * encrypted in-place (src==dst). */ + __u8 __user *src; /* data to be encrypted and authenticated */ + __u8 __user *dst; /* pointer to output data. Must have + * space for tag. For TLS this should be at least + * len + tag_size + block_size for padding */ + + __u8 __user *tag; /* where the tag will be copied to. TLS mode + * doesn't use that as tag is copied to dst. + * SRTP mode copies tag there. */ + __u32 tag_len; /* the length of the tag. Use zero for digest size or max tag. */ + + /* initialization vector for encryption operations */ + __u8 __user *iv; + __u32 iv_len; +}; + +/* In plain AEAD mode the following are required: + * flags : 0 + * iv : the initialization vector (12 bytes) + * auth_len: the length of the data to be authenticated + * auth_src: the data to be authenticated + * len : length of data to be encrypted + * src : the data to be encrypted + * dst : space to hold encrypted data. It must have + * at least a size of len + tag_size. + * tag_size: the size of the desired authentication tag or zero to use + * the maximum tag output. + * + * Note tag isn't being used because the Linux AEAD interface + * copies the tag just after data. + */ + +/* In TLS mode (used for CBC ciphers that required padding) + * the following are required: + * flags : COP_FLAG_AEAD_TLS_TYPE + * iv : the initialization vector + * auth_len: the length of the data to be authenticated only + * len : length of data to be encrypted + * auth_src: the data to be authenticated + * src : the data to be encrypted + * dst : space to hold encrypted data (preferably in-place). It must have + * at least a size of len + tag_size + blocksize. + * tag_size: the size of the desired authentication tag or zero to use + * the default mac output. + * + * Note that the padding used is the minimum padding. + */ + +/* In SRTP mode the following are required: + * flags : COP_FLAG_AEAD_SRTP_TYPE + * iv : the initialization vector + * auth_len: the length of the data to be authenticated. This must + * include the SRTP header + SRTP payload (data to be encrypted) + rest + * + * len : length of data to be encrypted + * auth_src: pointer the data to be authenticated. Should point at the same buffer as src. + * src : pointer to the data to be encrypted. + * dst : This is mandatory to be the same as src (in-place only). + * tag_size: the size of the desired authentication tag or zero to use + * the default mac output. + * tag : Pointer to an address where the authentication tag will be copied. + */ + + +/* struct crypt_op flags */ + +#define COP_FLAG_NONE (0 << 0) /* totally no flag */ +#define COP_FLAG_UPDATE (1 << 0) /* multi-update hash mode */ +#define COP_FLAG_FINAL (1 << 1) /* multi-update final hash mode */ +#define COP_FLAG_WRITE_IV (1 << 2) /* update the IV during operation */ +#define COP_FLAG_NO_ZC (1 << 3) /* do not zero-copy */ +#define COP_FLAG_AEAD_TLS_TYPE (1 << 4) /* authenticate and encrypt using the + * TLS protocol rules */ +#define COP_FLAG_AEAD_SRTP_TYPE (1 << 5) /* authenticate and encrypt using the + * SRTP protocol rules */ +#define COP_FLAG_RESET (1 << 6) /* multi-update reset the state. + * should be used in combination + * with COP_FLAG_UPDATE */ + + +/* Stuff for bignum arithmetic and public key + * cryptography - not supported yet by linux + * cryptodev. + */ + +#define CRYPTO_ALG_FLAG_SUPPORTED 1 +#define CRYPTO_ALG_FLAG_RNG_ENABLE 2 +#define CRYPTO_ALG_FLAG_DSA_SHA 4 + +struct crparam { + __u8 *crp_p; + __u32 crp_nbits; +}; + +#define CRK_MAXPARAM 8 + +/* input of CIOCKEY */ +struct crypt_kop { + __u32 crk_op; /* cryptodev_crk_op_t */ + __u32 crk_status; + __u16 crk_iparams; + __u16 crk_oparams; + __u32 crk_pad1; + struct crparam crk_param[CRK_MAXPARAM]; +}; + +enum cryptodev_crk_op_t { + CRK_MOD_EXP = 0, + CRK_MOD_EXP_CRT = 1, + CRK_DSA_SIGN = 2, + CRK_DSA_VERIFY = 3, + CRK_DH_COMPUTE_KEY = 4, + CRK_ALGORITHM_ALL +}; + +#define CRK_ALGORITHM_MAX (CRK_ALGORITHM_ALL-1) + +/* features to be queried with CIOCASYMFEAT ioctl + */ +#define CRF_MOD_EXP (1 << CRK_MOD_EXP) +#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT) +#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN) +#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY) +#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY) + + +/* ioctl's. Compatible with old linux cryptodev.h + */ +#define CRIOGET _IOWR('c', 101, __u32) +#define CIOCGSESSION _IOWR('c', 102, struct session_op) +#define CIOCFSESSION _IOW('c', 103, __u32) +#define CIOCCRYPT _IOWR('c', 104, struct crypt_op) +#define CIOCKEY _IOWR('c', 105, struct crypt_kop) +#define CIOCASYMFEAT _IOR('c', 106, __u32) +#define CIOCGSESSINFO _IOWR('c', 107, struct session_info_op) + +/* to indicate that CRIOGET is not required in linux + */ +#define CRIOGET_NOT_NEEDED 1 + +/* additional ioctls for AEAD */ +#define CIOCAUTHCRYPT _IOWR('c', 109, struct crypt_auth_op) + +/* additional ioctls for asynchronous operation. + * These are conditionally enabled since version 1.6. + */ +#define CIOCASYNCCRYPT _IOW('c', 110, struct crypt_op) +#define CIOCASYNCFETCH _IOR('c', 111, struct crypt_op) + +#endif /* L_CRYPTODEV_H */ diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch deleted file mode 100644 index f5f32c281..000000000 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ /dev/null @@ -1,23 +0,0 @@ -From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Thu, 27 Sep 2018 08:29:21 -0300 -Subject: Do not use host kernel version to disable AFALG - -This patch prevents the Configure script from using the host kernel -version to disable building the AFALG engine on openwrt targets. - -Signed-off-by: Eneas U de Queiroz - ---- a/Configure -+++ b/Configure -@@ -1554,7 +1554,9 @@ unless ($disabled{"crypto-mdebug-backtra - - unless ($disabled{afalgeng}) { - $config{afalgeng}=""; -- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { -+ if ($target =~ m/openwrt$/) { -+ push @{$config{engdirs}}, "afalg"; -+ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) { - my $minver = 4*10000 + 1*100 + 0; - if ($config{CROSS_COMPILE} eq "") { - my $verstr = `uname -r`; diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch deleted file mode 100644 index bc49e27ae..000000000 --- a/package/libs/openssl/patches/110-openwrt_targets.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Thu, 27 Sep 2018 08:30:24 -0300 -Subject: Add openwrt targets - -Targets are named: linux-$(CONFIG_ARCH)-openwrt - -Signed-off-by: Eneas U de Queiroz - ---- /dev/null -+++ b/Configurations/25-openwrt.conf -@@ -0,0 +1,48 @@ -+## Openwrt "CONFIG_ARCH" matching targets. -+ -+# The targets need to end in '-openwrt' for the AFALG patch to work -+ -+my %targets = ( -+ "openwrt" => { -+ template => 1, -+ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"), -+ }, -+ "linux-aarch64-openwrt" => { -+ inherit_from => [ "linux-aarch64", "openwrt" ], -+ }, -+ "linux-arc-openwrt" => { -+ inherit_from => [ "linux-generic32", "openwrt" ], -+ }, -+ "linux-arm-openwrt" => { -+ inherit_from => [ "linux-armv4", "openwrt" ], -+ }, -+ "linux-armeb-openwrt" => { -+ inherit_from => [ "linux-armv4", "openwrt" ], -+ }, -+ "linux-i386-openwrt" => { -+ inherit_from => [ "linux-x86", "openwrt" ], -+ }, -+ "linux-mips-openwrt" => { -+ inherit_from => [ "linux-mips32", "openwrt" ], -+ }, -+ "linux-mips64-openwrt" => { -+ inherit_from => [ "linux64-mips64", "openwrt" ], -+ }, -+ "linux-mips64el-openwrt" => { -+ inherit_from => [ "linux64-mips64", "openwrt" ], -+ }, -+ "linux-mipsel-openwrt" => { -+ inherit_from => [ "linux-mips32", "openwrt" ], -+ }, -+ "linux-powerpc-openwrt" => { -+ inherit_from => [ "linux-ppc", "openwrt" ], -+ }, -+ "linux-x86_64-openwrt" => { -+ inherit_from => [ "linux-x86_64", "openwrt" ], -+ }, -+ -+### Basic default option -+ "linux-generic32-openwrt" => { -+ inherit_from => [ "linux-generic32", "openwrt" ], -+ }, -+); diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch new file mode 100644 index 000000000..d6d4a2111 --- /dev/null +++ b/package/libs/openssl/patches/110-optimize-for-size.patch @@ -0,0 +1,16 @@ +--- a/Configure ++++ b/Configure +@@ -470,6 +470,13 @@ my %table=( + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + ++# OpenWrt targets ++"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++ + # Android: linux-* but without pointers to headers and libs. + "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch deleted file mode 100644 index d6e35b745..000000000 --- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch +++ /dev/null @@ -1,21 +0,0 @@ -From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Thu, 27 Sep 2018 08:31:38 -0300 -Subject: void exposing build directories - -The CFLAGS contain the build directories, and are shown by calling -OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a - -Signed-off-by: Eneas U de Queiroz - ---- a/crypto/build.info -+++ b/crypto/build.info -@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink - ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl - - DEPEND[cversion.o]=buildinf.h --GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" -+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)" - DEPEND[buildinf.h]=../configdata.pm - - GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch deleted file mode 100644 index 7c61b1e29..000000000 --- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +++ /dev/null @@ -1,29 +0,0 @@ -From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Thu, 27 Sep 2018 08:34:38 -0300 -Subject: Do not build tests and fuzz directories - -This shortens build time. - -Signed-off-by: Eneas U de Queiroz - ---- a/Configure -+++ b/Configure -@@ -299,7 +299,7 @@ my $auto_threads=1; # enable threads - my $default_ranlib; - - # Top level directories to build --$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ]; -+$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ]; - # crypto/ subdirectories to build - $config{sdirs} = [ - "objects", -@@ -311,7 +311,7 @@ $config{sdirs} = [ - "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" - ]; - # test/ subdirectories to build --$config{tdirs} = [ "ossl_shim" ]; -+$config{tdirs} = []; - - # Known TLS and DTLS protocols - my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3); diff --git a/package/libs/openssl/patches/130-perl-path.patch b/package/libs/openssl/patches/130-perl-path.patch new file mode 100644 index 000000000..2dbdc7601 --- /dev/null +++ b/package/libs/openssl/patches/130-perl-path.patch @@ -0,0 +1,64 @@ +--- a/Configure ++++ b/Configure +@@ -1,4 +1,4 @@ +-: ++#!/usr/bin/perl + eval 'exec perl -S $0 ${1+"$@"}' + if $running_under_some_shell; + ## +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl ++#!/usr/bin/perl + + # Perl c_rehash script, scan all files in a directory + # and add symbolic links to their hash values. +--- a/util/clean-depend.pl ++++ b/util/clean-depend.pl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl -w ++#!/usr/bin/perl + # Clean the dependency list in a makefile of standard includes... + # Written by Ben Laurie 19 Jan 1999 + +--- a/util/mkdef.pl ++++ b/util/mkdef.pl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl -w ++#!/usr/bin/perl + # + # generate a .def file + # +--- a/util/mkerr.pl ++++ b/util/mkerr.pl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl -w ++#!/usr/bin/perl + + my $config = "crypto/err/openssl.ec"; + my $hprefix = "openssl/"; +--- a/util/mkstack.pl ++++ b/util/mkstack.pl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl -w ++#!/usr/bin/perl + + # This is a utility that searches out "DECLARE_STACK_OF()" + # declarations in .h and .c files, and updates/creates/replaces +--- a/util/pod2man.pl ++++ b/util/pod2man.pl +@@ -1,4 +1,4 @@ +-: #!/usr/bin/perl-5.005 ++#!/usr/bin/perl + eval 'exec /usr/bin/perl -S $0 ${1+"$@"}' + if $running_under_some_shell; + +--- a/util/selftest.pl ++++ b/util/selftest.pl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/perl -w ++#!/usr/bin/perl + # + # Run the test suite and generate a report + # diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch deleted file mode 100644 index 9cbe22138..000000000 --- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 286e015bf0d30530707a5e7b3b871509f2ab50d7 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Thu, 27 Sep 2018 08:44:39 -0300 -Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option - -This enables a compile-time option to prefer ChaCha20-Poly1305 over -AES-GCM in the openssl default ciphersuite, which is useful in systems -without AES specific CPU instructions. -OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it. - -Note that this does not have the same effect as the -SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only -when the client has it on top of its ciphersuite preference. - -Signed-off-by: Eneas U de Queiroz - ---- a/include/openssl/ssl.h -+++ b/include/openssl/ssl.h -@@ -173,9 +173,15 @@ extern "C" { - # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" - /* This is the default set of TLSv1.3 ciphersuites */ - # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) --# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -- "TLS_CHACHA20_POLY1305_SHA256:" \ -- "TLS_AES_128_GCM_SHA256" -+# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM -+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ -+ "TLS_AES_256_GCM_SHA384:" \ -+ "TLS_AES_128_GCM_SHA256" -+# else -+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -+ "TLS_CHACHA20_POLY1305_SHA256:" \ -+ "TLS_AES_128_GCM_SHA256" -+# endif - # else - # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - "TLS_AES_128_GCM_SHA256" ---- a/ssl/ssl_ciph.c -+++ b/ssl/ssl_ciph.c -@@ -1464,11 +1464,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, - &tail); - -+ /* -+ * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305 -+ * will be placed before AES-256. Otherwise, the default behavior of -+ * preferring GCM over CHACHA is used. -+ * This is useful for systems that do not have AES-specific CPU -+ * instructions, where ChaCha20-Poly1305 is 3 times faster than AES. -+ * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA -+ * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top -+ * of its ciphersuite preference. -+ */ -+ -+#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM -+ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, -+ &head, &tail); -+ ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, -+ &head, &tail); -+#else - /* Within each strength group, we prefer GCM over CHACHA... */ - ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, - &head, &tail); - ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, - &head, &tail); -+#endif - - /* - * ...and generally, our preferred cipher is AES. -@@ -1524,7 +1542,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - * Within each group, ciphers remain sorted by strength and previous - * preference, i.e., - * 1) ECDHE > DHE -- * 2) GCM > CHACHA -+ * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined - * 3) AES > rest - * 4) TLS 1.2 > legacy - * diff --git a/package/libs/openssl/patches/140-makefile-dirs.patch b/package/libs/openssl/patches/140-makefile-dirs.patch new file mode 100644 index 000000000..83c412f44 --- /dev/null +++ b/package/libs/openssl/patches/140-makefile-dirs.patch @@ -0,0 +1,11 @@ +--- a/Makefile.org ++++ b/Makefile.org +@@ -137,7 +137,7 @@ FIPSCANLIB= + + BASEADDR= + +-DIRS= crypto ssl engines apps test tools ++DIRS= crypto ssl apps + ENGDIRS= ccgost + SHLIBDIRS= crypto ssl + diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch new file mode 100644 index 000000000..a518a0049 --- /dev/null +++ b/package/libs/openssl/patches/150-no_engines.patch @@ -0,0 +1,81 @@ +--- a/Configure ++++ b/Configure +@@ -2144,6 +2144,11 @@ EOF + close(OUT); + } + ++# ugly hack to disable engines ++if($target eq "mingwx") { ++ system("sed -e s/^LIB/XLIB/g -i engines/Makefile"); ++} ++ + print < 19 Jan 1999 + diff --git a/package/libs/openssl/patches/180-fix_link_segfault.patch b/package/libs/openssl/patches/180-fix_link_segfault.patch new file mode 100644 index 000000000..3e36beb49 --- /dev/null +++ b/package/libs/openssl/patches/180-fix_link_segfault.patch @@ -0,0 +1,18 @@ +--- a/Makefile.shared ++++ b/Makefile.shared +@@ -95,7 +95,6 @@ LINK_APP= \ + LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \ + LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ + LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ +- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ + $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} ) + + LINK_SO= \ +@@ -105,7 +104,6 @@ LINK_SO= \ + SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \ + LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ + LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ +- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ + $${SHAREDCMD} $${SHAREDFLAGS} \ + -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \ + $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \ diff --git a/package/libs/openssl/patches/190-remove_timestamp_check.patch b/package/libs/openssl/patches/190-remove_timestamp_check.patch new file mode 100644 index 000000000..424e66063 --- /dev/null +++ b/package/libs/openssl/patches/190-remove_timestamp_check.patch @@ -0,0 +1,23 @@ +--- a/Makefile.org ++++ b/Makefile.org +@@ -185,7 +185,7 @@ TARFILE= ../$(NAME).tar + EXHEADER= e_os2.h + HEADER= e_os.h + +-all: Makefile build_all ++all: build_all + + # as we stick to -e, CLEARENV ensures that local variables in lower + # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn +@@ -404,11 +404,6 @@ openssl.pc: Makefile + echo 'Version: '$(VERSION); \ + echo 'Requires: libssl libcrypto' ) > openssl.pc + +-Makefile: Makefile.org Configure config +- @echo "Makefile is older than Makefile.org, Configure or config." +- @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." +- @false +- + libclean: + rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib + diff --git a/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch b/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch deleted file mode 100644 index 228654f03..000000000 --- a/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch +++ /dev/null @@ -1,42 +0,0 @@ -From be5cf61caa425070ec4f3e925d4e9aa484c8315b Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Mon, 5 Nov 2018 17:59:42 -0200 -Subject: [PATCH 1/7] eng_devcrypto: don't leak methods tables - -Call functions to prepare methods after confirming that /dev/crytpo was -sucessfully open and that the destroy function has been set. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit d9d4dff5c640990d45af115353fc9f88a497a56c) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -619,11 +619,6 @@ void engine_load_devcrypto_int() - return; - } - -- prepare_cipher_methods(); --#ifdef IMPLEMENT_DIGEST -- prepare_digest_methods(); --#endif -- - if ((e = ENGINE_new()) == NULL - || !ENGINE_set_destroy_function(e, devcrypto_unload)) { - ENGINE_free(e); -@@ -636,6 +631,11 @@ void engine_load_devcrypto_int() - return; - } - -+ prepare_cipher_methods(); -+#ifdef IMPLEMENT_DIGEST -+ prepare_digest_methods(); -+#endif -+ - if (!ENGINE_set_id(e, "devcrypto") - || !ENGINE_set_name(e, "/dev/crypto engine") - diff --git a/package/libs/openssl/patches/200-parallel_build.patch b/package/libs/openssl/patches/200-parallel_build.patch new file mode 100644 index 000000000..37134e403 --- /dev/null +++ b/package/libs/openssl/patches/200-parallel_build.patch @@ -0,0 +1,184 @@ +--- a/Makefile.org ++++ b/Makefile.org +@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi + build_libssl: build_ssl libssl.pc + + build_crypto: +- @dir=crypto; target=all; $(BUILD_ONE_CMD) ++ +@dir=crypto; target=all; $(BUILD_ONE_CMD) + build_ssl: build_crypto +- @dir=ssl; target=all; $(BUILD_ONE_CMD) ++ +@dir=ssl; target=all; $(BUILD_ONE_CMD) + build_engines: build_crypto +- @dir=engines; target=all; $(BUILD_ONE_CMD) ++ +@dir=engines; target=all; $(BUILD_ONE_CMD) + build_apps: build_libs +- @dir=apps; target=all; $(BUILD_ONE_CMD) ++ +@dir=apps; target=all; $(BUILD_ONE_CMD) + build_tests: build_libs +- @dir=test; target=all; $(BUILD_ONE_CMD) ++ +@dir=test; target=all; $(BUILD_ONE_CMD) + build_tools: build_libs +- @dir=tools; target=all; $(BUILD_ONE_CMD) ++ +@dir=tools; target=all; $(BUILD_ONE_CMD) + + all_testapps: build_libs build_testapps + build_testapps: +@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut + @set -e; target=update; $(RECURSIVE_BUILD_CMD) + + depend: +- @set -e; target=depend; $(RECURSIVE_BUILD_CMD) ++ +@set -e; target=depend; $(RECURSIVE_BUILD_CMD) + + lint: + @set -e; target=lint; $(RECURSIVE_BUILD_CMD) +@@ -535,9 +535,9 @@ dist: + @$(MAKE) SDIRS='$(SDIRS)' clean + @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar + +-install: all install_sw ++install: install_sw + +-install_sw: ++install_dirs: + @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ + $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \ + $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \ +@@ -546,12 +546,19 @@ install_sw: + $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ + $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ + $(INSTALL_PREFIX)$(OPENSSLDIR)/private ++ @$(PERL) $(TOP)/util/mkdir-p.pl \ ++ $(INSTALL_PREFIX)$(MANDIR)/man1 \ ++ $(INSTALL_PREFIX)$(MANDIR)/man3 \ ++ $(INSTALL_PREFIX)$(MANDIR)/man5 \ ++ $(INSTALL_PREFIX)$(MANDIR)/man7 ++ ++install_sw: install_dirs + @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\ + do \ + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; +- @set -e; target=install; $(RECURSIVE_BUILD_CMD) ++ +@set -e; target=install; $(RECURSIVE_BUILD_CMD) + @set -e; liblist="$(LIBS)"; for i in $$liblist ;\ + do \ + if [ -f "$$i" ]; then \ +@@ -635,12 +642,7 @@ install_html_docs: + done; \ + done + +-install_docs: +- @$(PERL) $(TOP)/util/mkdir-p.pl \ +- $(INSTALL_PREFIX)$(MANDIR)/man1 \ +- $(INSTALL_PREFIX)$(MANDIR)/man3 \ +- $(INSTALL_PREFIX)$(MANDIR)/man5 \ +- $(INSTALL_PREFIX)$(MANDIR)/man7 ++install_docs: install_dirs + @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \ + here="`pwd`"; \ + filecase=; \ +--- a/Makefile.shared ++++ b/Makefile.shared +@@ -120,6 +120,7 @@ SYMLINK_SO= \ + done; \ + fi; \ + if [ -n "$$SHLIB_SOVER" ]; then \ ++ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \ + ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \ + ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \ + fi; \ +--- a/crypto/Makefile ++++ b/crypto/Makefile +@@ -85,11 +85,11 @@ testapps: + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + + subdirs: +- @target=all; $(RECURSIVE_MAKE) ++ +@target=all; $(RECURSIVE_MAKE) + + files: + $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO +- @target=files; $(RECURSIVE_MAKE) ++ +@target=files; $(RECURSIVE_MAKE) + + links: + @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) +@@ -100,7 +100,7 @@ links: + # lib: $(LIB): are splitted to avoid end-less loop + lib: $(LIB) + @touch lib +-$(LIB): $(LIBOBJ) ++$(LIB): $(LIBOBJ) | subdirs + $(AR) $(LIB) $(LIBOBJ) + test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o + $(RANLIB) $(LIB) || echo Never mind. +@@ -111,7 +111,7 @@ shared: buildinf.h lib subdirs + fi + + libs: +- @target=lib; $(RECURSIVE_MAKE) ++ +@target=lib; $(RECURSIVE_MAKE) + + install: + @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... +@@ -120,7 +120,7 @@ install: + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; +- @target=install; $(RECURSIVE_MAKE) ++ +@target=install; $(RECURSIVE_MAKE) + + lint: + @target=lint; $(RECURSIVE_MAKE) +--- a/engines/Makefile ++++ b/engines/Makefile +@@ -72,7 +72,7 @@ top: + + all: lib subdirs + +-lib: $(LIBOBJ) ++lib: $(LIBOBJ) | subdirs + @if [ -n "$(SHARED_LIBS)" ]; then \ + set -e; \ + for l in $(LIBNAMES); do \ +@@ -89,7 +89,7 @@ lib: $(LIBOBJ) + + subdirs: + echo $(EDIRS) +- @target=all; $(RECURSIVE_MAKE) ++ +@target=all; $(RECURSIVE_MAKE) + + files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO +@@ -128,7 +128,7 @@ install: + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \ + done; \ + fi +- @target=install; $(RECURSIVE_MAKE) ++ +@target=install; $(RECURSIVE_MAKE) + + tags: + ctags $(SRC) +--- a/test/Makefile ++++ b/test/Makefile +@@ -145,7 +145,7 @@ install: + tags: + ctags $(SRC) + +-tests: exe apps $(TESTS) ++tests: exe $(TESTS) + + apps: + @(cd ..; $(MAKE) DIRS=apps all) +@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl + # fi + + dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO) +- @target=dummytest; $(BUILD_CMD) ++ +@target=dummytest; $(BUILD_CMD) + + # DO NOT DELETE THIS LINE -- make depend depends on it. + diff --git a/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch b/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch deleted file mode 100644 index 9e59a16ac..000000000 --- a/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch +++ /dev/null @@ -1,37 +0,0 @@ -From add2ab1f289c24a1563c5b895d5cd133fe874f12 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Wed, 14 Nov 2018 11:22:14 -0200 -Subject: [PATCH 2/7] eng_devcrypto: expand digest failure cases - -Return failure when the digest_ctx is null in digest_update and -digest_final, and when md is null in digest_final. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit 4d9f99654441e36fdcb49540a1dbc9d4c70ccb68) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -438,6 +438,9 @@ static int digest_update(EVP_MD_CTX *ctx - if (count == 0) - return 1; - -+ if (digest_ctx == NULL) -+ return 0; -+ - if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) { - SYSerr(SYS_F_IOCTL, errno); - return 0; -@@ -451,6 +454,8 @@ static int digest_final(EVP_MD_CTX *ctx, - struct digest_ctx *digest_ctx = - (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); - -+ if (md == NULL || digest_ctx == NULL) -+ return 0; - if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { - SYSerr(SYS_F_IOCTL, errno); - return 0; diff --git a/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch b/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch deleted file mode 100644 index 2cfff604b..000000000 --- a/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 68b02a8ab798b7e916c8141a36ab69d7493fc707 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Wed, 14 Nov 2018 13:58:06 -0200 -Subject: [PATCH 3/7] eng_devcrypto: fix copy of unitilialized digest - -If the source ctx has not been initialized, don't initialize the copy -either. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit ae8183690fa53b978d4647563f5a521c4cafe94c) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -338,7 +338,8 @@ static int devcrypto_ciphers(ENGINE *e, - - struct digest_ctx { - struct session_op sess; -- int init; -+ /* This signals that the init function was called, not that it succeeded. */ -+ int init_called; - }; - - static const struct digest_data_st { -@@ -403,7 +404,7 @@ static int digest_init(EVP_MD_CTX *ctx) - const struct digest_data_st *digest_d = - get_digest_data(EVP_MD_CTX_type(ctx)); - -- digest_ctx->init = 1; -+ digest_ctx->init_called = 1; - - memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); - digest_ctx->sess.mac = digest_d->devcryptoid; -@@ -476,14 +477,9 @@ static int digest_copy(EVP_MD_CTX *to, c - (struct digest_ctx *)EVP_MD_CTX_md_data(to); - struct cphash_op cphash; - -- if (digest_from == NULL) -+ if (digest_from == NULL || digest_from->init_called != 1) - return 1; - -- if (digest_from->init != 1) { -- SYSerr(SYS_F_IOCTL, EINVAL); -- return 0; -- } -- - if (!digest_init(to)) { - SYSerr(SYS_F_IOCTL, errno); - return 0; diff --git a/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch b/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch deleted file mode 100644 index 050853a3d..000000000 --- a/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 5378c582c8d3f1130b17abb2950bfd09cde099c6 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Mon, 5 Nov 2018 15:59:44 -0200 -Subject: [PATCH 4/7] eng_devcrypto: close session on cleanup, not final - -Close the session in digest_cleanup instead of digest_final. A failure -in closing the session does not mean a previous successful digest final -has failed as well. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit a67203a19d379a8cc8b369587c60c46eb4e19014) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -461,10 +461,6 @@ static int digest_final(EVP_MD_CTX *ctx, - SYSerr(SYS_F_IOCTL, errno); - return 0; - } -- if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } - - return 1; - } -@@ -496,6 +492,15 @@ static int digest_copy(EVP_MD_CTX *to, c - - static int digest_cleanup(EVP_MD_CTX *ctx) - { -+ struct digest_ctx *digest_ctx = -+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); -+ -+ if (digest_ctx == NULL) -+ return 1; -+ if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { -+ SYSerr(SYS_F_IOCTL, errno); -+ return 0; -+ } - return 1; - } - diff --git a/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch b/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch deleted file mode 100644 index 948ff7c2b..000000000 --- a/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch +++ /dev/null @@ -1,54 +0,0 @@ -From a19d1a1d370e2959555fccbafc4e970634840352 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Tue, 13 Nov 2018 09:23:22 -0200 -Subject: [PATCH 5/7] eng_devcrypto: add cipher CTX copy function - -The engine needs a custom cipher context copy function to open a new -/dev/crypto session. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit 6d99e238397859f2df58c60e28905193b2dd6762) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -207,6 +207,22 @@ static int cipher_do_cipher(EVP_CIPHER_C - return 1; - } - -+static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) -+{ -+ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2; -+ struct cipher_ctx *cipher_ctx; -+ -+ if (type == EVP_CTRL_COPY) { -+ /* when copying the context, a new session needs to be initialized */ -+ cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -+ return (cipher_ctx == NULL) -+ || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx), -+ (cipher_ctx->op == COP_ENCRYPT)); -+ } -+ -+ return -1; -+} -+ - static int cipher_cleanup(EVP_CIPHER_CTX *ctx) - { - struct cipher_ctx *cipher_ctx = -@@ -258,10 +274,12 @@ static void prepare_cipher_methods(void) - cipher_data[i].ivlen) - || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], - cipher_data[i].flags -+ | EVP_CIPH_CUSTOM_COPY - | EVP_CIPH_FLAG_DEFAULT_ASN1) - || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) - || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], - cipher_do_cipher) -+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) - || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], - cipher_cleanup) - || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], diff --git a/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch b/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch deleted file mode 100644 index 54a9236f1..000000000 --- a/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch +++ /dev/null @@ -1,217 +0,0 @@ -From 2887a5c8f9a385b3ebee12b98f68e7d1f9cc0ea0 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Wed, 28 Nov 2018 11:26:27 -0200 -Subject: [PATCH 6/7] eng_devcrypto: fix ctr mode - -Make CTR mode behave like a stream cipher. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit b5015e834aa7d3f0a5d7585a8fae05cecbdbb848) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -47,10 +47,12 @@ static int cfd; - - struct cipher_ctx { - struct session_op sess; -- -- /* to pass from init to do_cipher */ -- const unsigned char *iv; - int op; /* COP_ENCRYPT or COP_DECRYPT */ -+ unsigned long mode; /* EVP_CIPH_*_MODE */ -+ -+ /* to handle ctr mode being a stream cipher */ -+ unsigned char partial[EVP_MAX_BLOCK_LENGTH]; -+ unsigned int blocksize, num; - }; - - static const struct cipher_data_st { -@@ -87,9 +89,9 @@ static const struct cipher_data_st { - { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, - #endif - #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) -- { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -- { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -- { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -+ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, - #endif - #if 0 /* Not yet supported */ - { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, -@@ -146,6 +148,8 @@ static int cipher_init(EVP_CIPHER_CTX *c - cipher_ctx->sess.keylen = cipher_d->keylen; - cipher_ctx->sess.key = (void *)key; - cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; -+ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; -+ cipher_ctx->blocksize = cipher_d->blocksize; - if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { - SYSerr(SYS_F_IOCTL, errno); - return 0; -@@ -160,8 +164,11 @@ static int cipher_do_cipher(EVP_CIPHER_C - struct cipher_ctx *cipher_ctx = - (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); - struct crypt_op cryp; -+ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); - #if !defined(COP_FLAG_WRITE_IV) - unsigned char saved_iv[EVP_MAX_IV_LENGTH]; -+ const unsigned char *ivptr; -+ size_t nblocks, ivlen; - #endif - - memset(&cryp, 0, sizeof(cryp)); -@@ -169,19 +176,28 @@ static int cipher_do_cipher(EVP_CIPHER_C - cryp.len = inl; - cryp.src = (void *)in; - cryp.dst = (void *)out; -- cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx); -+ cryp.iv = (void *)iv; - cryp.op = cipher_ctx->op; - #if !defined(COP_FLAG_WRITE_IV) - cryp.flags = 0; - -- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { -- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx)); -- if (!EVP_CIPHER_CTX_encrypting(ctx)) { -- unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx); -+ ivlen = EVP_CIPHER_CTX_iv_length(ctx); -+ if (ivlen > 0) -+ switch (cipher_ctx->mode) { -+ case EVP_CIPH_CBC_MODE: -+ assert(inl >= ivlen); -+ if (!EVP_CIPHER_CTX_encrypting(ctx)) { -+ ivptr = in + inl - ivlen; -+ memcpy(saved_iv, ivptr, ivlen); -+ } -+ break; -+ -+ case EVP_CIPH_CTR_MODE: -+ break; - -- memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx)); -+ default: /* should not happen */ -+ return 0; - } -- } - #else - cryp.flags = COP_FLAG_WRITE_IV; - #endif -@@ -192,17 +208,74 @@ static int cipher_do_cipher(EVP_CIPHER_C - } - - #if !defined(COP_FLAG_WRITE_IV) -- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { -- unsigned char *ivptr = saved_iv; -+ if (ivlen > 0) -+ switch (cipher_ctx->mode) { -+ case EVP_CIPH_CBC_MODE: -+ assert(inl >= ivlen); -+ if (EVP_CIPHER_CTX_encrypting(ctx)) -+ ivptr = out + inl - ivlen; -+ else -+ ivptr = saved_iv; -+ -+ memcpy(iv, ivptr, ivlen); -+ break; -+ -+ case EVP_CIPH_CTR_MODE: -+ nblocks = (inl + cipher_ctx->blocksize - 1) -+ / cipher_ctx->blocksize; -+ do { -+ ivlen--; -+ nblocks += iv[ivlen]; -+ iv[ivlen] = (uint8_t) nblocks; -+ nblocks >>= 8; -+ } while (ivlen); -+ break; -+ -+ default: /* should not happen */ -+ return 0; -+ } -+#endif -+ -+ return 1; -+} - -- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx)); -- if (!EVP_CIPHER_CTX_encrypting(ctx)) -- ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx); -+static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t inl) -+{ -+ struct cipher_ctx *cipher_ctx = -+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -+ size_t nblocks, len; - -- memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr, -- EVP_CIPHER_CTX_iv_length(ctx)); -+ /* initial partial block */ -+ while (cipher_ctx->num && inl) { -+ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num]; -+ --inl; -+ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize; -+ } -+ -+ /* full blocks */ -+ if (inl > (unsigned int) cipher_ctx->blocksize) { -+ nblocks = inl/cipher_ctx->blocksize; -+ len = nblocks * cipher_ctx->blocksize; -+ if (cipher_do_cipher(ctx, out, in, len) < 1) -+ return 0; -+ inl -= len; -+ out += len; -+ in += len; -+ } -+ -+ /* final partial block */ -+ if (inl) { -+ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize); -+ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial, -+ cipher_ctx->blocksize) < 1) -+ return 0; -+ while (inl--) { -+ out[cipher_ctx->num] = in[cipher_ctx->num] -+ ^ cipher_ctx->partial[cipher_ctx->num]; -+ cipher_ctx->num++; -+ } - } --#endif - - return 1; - } -@@ -249,6 +322,7 @@ static void prepare_cipher_methods(void) - { - size_t i; - struct session_op sess; -+ unsigned long cipher_mode; - - memset(&sess, 0, sizeof(sess)); - sess.key = (void *)"01234567890123456789012345678901234567890123456789"; -@@ -266,9 +340,12 @@ static void prepare_cipher_methods(void) - || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) - continue; - -+ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; -+ - if ((known_cipher_methods[i] = - EVP_CIPHER_meth_new(cipher_data[i].nid, -- cipher_data[i].blocksize, -+ cipher_mode == EVP_CIPH_CTR_MODE ? 1 : -+ cipher_data[i].blocksize, - cipher_data[i].keylen)) == NULL - || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], - cipher_data[i].ivlen) -@@ -278,6 +355,8 @@ static void prepare_cipher_methods(void) - | EVP_CIPH_FLAG_DEFAULT_ASN1) - || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) - || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], -+ cipher_mode == EVP_CIPH_CTR_MODE ? -+ ctr_do_cipher : - cipher_do_cipher) - || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) - || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], diff --git a/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch b/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch deleted file mode 100644 index df871920b..000000000 --- a/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 488521d77fdc1de5ae256ce0d9203e35ebc92993 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Sat, 8 Dec 2018 18:01:04 -0200 -Subject: [PATCH 7/7] eng_devcrypto: make sure digest can do copy - -Digest must be able to do partial-state copy to be used. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit 16e252a01b754a13e83d5e5e87afbe389997926b) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -601,6 +601,30 @@ static int digest_cleanup(EVP_MD_CTX *ct - return 1; - } - -+static int devcrypto_test_digest(size_t digest_data_index) -+{ -+ struct session_op sess1, sess2; -+ struct cphash_op cphash; -+ int ret=0; -+ -+ memset(&sess1, 0, sizeof(sess1)); -+ memset(&sess2, 0, sizeof(sess2)); -+ sess1.mac = digest_data[digest_data_index].devcryptoid; -+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) -+ return 0; -+ /* Make sure the driver is capable of hash state copy */ -+ sess2.mac = sess1.mac; -+ if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) { -+ cphash.src_ses = sess1.ses; -+ cphash.dst_ses = sess2.ses; -+ if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0) -+ ret = 1; -+ ioctl(cfd, CIOCFSESSION, &sess2.ses); -+ } -+ ioctl(cfd, CIOCFSESSION, &sess1.ses); -+ return ret; -+} -+ - /* - * Keep a table of known nids and associated methods. - * Note that known_digest_nids[] isn't necessarily indexed the same way as -@@ -613,20 +637,14 @@ static EVP_MD *known_digest_methods[OSSL - static void prepare_digest_methods(void) - { - size_t i; -- struct session_op sess; -- -- memset(&sess, 0, sizeof(sess)); - - for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); - i++) { - - /* -- * Check that the algo is really availably by trying to open and close -- * a session. -+ * Check that the algo is usable - */ -- sess.mac = digest_data[i].devcryptoid; -- if (ioctl(cfd, CIOCGSESSION, &sess) < 0 -- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) -+ if (!devcrypto_test_digest(i)) - continue; - - if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,