298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-04-14 11:13:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

openssl: bump to 3.0.10

Browse Source 
This is a major update to the current LTS version, supported until
2026-09-07.

Changelog:
https://github.com/openssl/openssl/blob/openssl-3.0.10/CHANGES.md

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This commit is contained in:
Eneas U de Queiroz 2023-02-07 18:14:27 -03:00
parent a2a0e5b9f6
commit 7494eb1618
23 changed files with 355 additions and 3884 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
include/openssl-engine.mk
View File

@ -1,50 +0,0 @@
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2022 Enéas Ulir de Queiroz
ENGINES_DIR=engines-1.1
define Package/openssl/engine/Default
SECTION:=libs
CATEGORY:=Libraries
SUBMENU:=SSL
DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf
endef
# 1 = engine name
# 2 - package name, defaults to libopenssl-$(1)
define Package/openssl/add-engine
OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1))
Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf
define Package/$$(OSSL_ENG_PKG)/install
$$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR)
$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \
$$(1)/usr/lib/$(ENGINES_DIR)
$$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d
$$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/
endef
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
cat << EOF >> "$$$${OPENSSL_UCI}"
config engine '$(1)'
option enabled '1'
EOF
[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
endef
define Package/$$(OSSL_ENG_PKG)/postrm :=
#!/bin/sh
[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
uci delete openssl.$(1)
uci commit openssl
/etc/init.d/openssl reload
endef
endef

79
include/openssl-module.mk Normal file
View File

@ -0,0 +1,79 @@
# SPDX-License-Identifier: GPL-2.0-only
#
# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
ENGINES_DIR=engines-3
define Package/openssl/module/Default
SECTION:=libs
CATEGORY:=Libraries
SUBMENU:=SSL
DEPENDS:=libopenssl +libopenssl-conf
endef
define Package/openssl/engine/Default
$(Package/openssl/module/Default)
DEPENDS+=@OPENSSL_ENGINE
endef
# 1 = moudule type (engine|provider)
# 2 = module name
# 3 = directory to save .so file
# 4 = [ package name, defaults to libopenssl-$(2) ]
define Package/openssl/add-module
$(eval MOD_TYPE:=$(1))
$(eval MOD_NAME:=$(2))
$(eval MOD_DIR:=$(3))
$(eval OSSL_PKG:=$(if $(4),$(4),libopenssl-$(MOD_NAME)))
$(info Package/openssl/add-module 1='$(1)'; 2='$(2)'; 3='$(3)' 4='$(4)')
$(info MOD_TYPE='$(MOD_TYPE)'; MOD_NAME='$(MOD_NAME)'; MOD_DIR='$(MOD_DIR)' OSSL_PKG='$(OSSL_PKG)')
Package/$(OSSL_PKG)/conffiles:=/etc/ssl/modules.cnf.d/$(MOD_NAME).cnf
define Package/$(OSSL_PKG)/install
$$(INSTALL_DIR) $$(1)/$(MOD_DIR)
$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/$(MOD_DIR)/$(MOD_NAME).so \
$$(1)/$(MOD_DIR)
$$(INSTALL_DIR) $$(1)/etc/ssl/modules.cnf.d
$$(INSTALL_DATA) ./files/$(MOD_NAME).cnf $$(1)/etc/ssl/modules.cnf.d/
endef
define Package/$(OSSL_PKG)/postinst
#!/bin/sh
OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
[ -z "$$$${IPKG_INSTROOT}" ] \
&& uci -q get openssl.$(MOD_NAME) >/dev/null \
&& exit 0
cat << EOF >> "$$$${OPENSSL_UCI}"
config $(MOD_TYPE) '$(MOD_NAME)'
option enabled '1'
EOF
[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
exit 0
endef
define Package/$(OSSL_PKG)/postrm
#!/bin/sh
[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
uci -q delete openssl.$(MOD_NAME) && uci commit openssl
/etc/init.d/openssl reload
exit 0
endef
endef
# 1 = engine name
# 2 - package name, defaults to libopenssl-$(1)
define Package/openssl/add-engine
$(call Package/openssl/add-module,engine,$(1),/usr/lib/$(ENGINES_DIR),$(2))
endef
# 1 = provider name
# 2 = [ package name, defaults to libopenssl-$(1) ]
define Package/openssl/add-provider
$(call Package/openssl/add-module,provider,$(1),/usr/lib/ossl-modules,$(2))
endef

97
package/libs/openssl/Config.in
View File

@ -4,15 +4,27 @@ comment "Build Options"
config OPENSSL_OPTIMIZE_SPEED
bool
default y
default y if (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
prompt "Enable optimization for speed instead of size"
select OPENSSL_WITH_ASM
help
Enabling this option increases code size (around 20%) and
performance. The increase in performance and size depends on the
target CPU. EC and AES seem to benefit the most, with EC speed
increased by 20%-50% (mipsel & x86).
AES-GCM is supposed to be 3x faster on x86. YMMV.
Enabling this option increases code size and performance.
The increase in performance and size depends on the
target CPU. EC and AES seem to benefit the most.
config OPENSSL_SMALL_FOOTPRINT
bool
depends on !OPENSSL_OPTIMIZE_SPEED
default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
help
This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
1-3% of of the ipk size. The performance drop depends on
architecture and algorithm. MIPS drops 13% of performance for
a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
size, ghash and GCM performance decreases 90%, while
Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
for 3% of performance. Other arches have not been tested.
config OPENSSL_WITH_ASM
bool
@ -22,41 +34,25 @@ config OPENSSL_WITH_ASM
help
Disabling this option will reduce code size and performance.
The increase in performance and size depends on the target
CPU and on the algorithms being optimized. As of 1.1.0i*:
Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
* Only most common algorithms shown. Your mileage may vary.
BN (bignum) performance was measured using RSA sign/verify.
CPU and on the algorithms being optimized.
config OPENSSL_WITH_SSE2
bool
default y if x86_64 || i386 && !TARGET_x86_legacy
default y if !TARGET_x86_legacy && !TARGET_x86_geode
prompt "Enable use of x86 SSE2 instructions"
depends on OPENSSL_WITH_ASM && x86_64 || i386
depends on OPENSSL_WITH_ASM && i386
help
Use of SSE2 instructions greatly increase performance (up to
3x faster) with a minimum (~0.2%, or 23KB) increase in package
size, but it will bring no benefit if your hardware does not
support them, such as Geode GX and LX. In this case you may
save 23KB by saying yes here. AMD Geode NX, and Intel
Pentium 4 and above support SSE2.
Use of SSE2 instructions greatly increase performance with a
minimum increase in package size, but it will bring no benefit
if your hardware does not support them, such as Geode GX and LX.
AMD Geode NX, and Intel Pentium 4 and above support SSE2.
config OPENSSL_WITH_DEPRECATED
bool
default y
prompt "Include deprecated APIs (See help for a list of packages that need this)"
prompt "Include deprecated APIs"
help
Since openssl 1.1.x is still new to openwrt, some packages
requiring this option do not list it as a requirement yet:
* freeswitch-stable, freeswitch, python, python3, squid.
This drops all deprecated API, including engine support.
config OPENSSL_NO_DEPRECATED
bool
@ -64,7 +60,7 @@ config OPENSSL_NO_DEPRECATED
config OPENSSL_WITH_ERROR_MESSAGES
bool
default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
prompt "Include error messages"
help
This option aids debugging, but increases package size and
@ -84,7 +80,6 @@ config OPENSSL_WITH_TLS13
protocol;
* to increase performance by reducing the number of round-trips
when performing a full handshake.
It increases package size by ~4KB.
config OPENSSL_WITH_DTLS
bool
@ -138,7 +133,7 @@ config OPENSSL_WITH_CHACHA_POLY1305
config OPENSSL_PREFER_CHACHA_OVER_GCM
bool
default y if !x86_64
default y if !x86_64 && !aarch64
prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
depends on OPENSSL_WITH_CHACHA_POLY1305
help
@ -172,16 +167,24 @@ config OPENSSL_WITH_CAMELLIA
config OPENSSL_WITH_IDEA
bool
prompt "Enable IDEA cipher support"
default y if !SMALL_FLASH
prompt "Enable IDEA cipher support (needs legacy provider)"
help
IDEA is a block cipher with 128-bit keys.
To use the cipher, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_SEED
bool
prompt "Enable SEED cipher support"
default y if !SMALL_FLASH
prompt "Enable SEED cipher support (needs legacy provider)"
help
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.
To use the cipher, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_SM234
bool
@ -202,11 +205,21 @@ config OPENSSL_WITH_BLAKE2
config OPENSSL_WITH_MDC2
bool
prompt "Enable MDC2 digest support"
default y if !SMALL_FLASH
prompt "Enable MDC2 digest support (needs legacy provider)"
help
To use the digest, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_WHIRLPOOL
bool
prompt "Enable Whirlpool digest support"
default y if !SMALL_FLASH
prompt "Enable Whirlpool digest support (needs legacy provider)"
help
To use the digest, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_COMPRESSION
bool
@ -233,8 +246,8 @@ comment "Engine/Hardware Support"
config OPENSSL_ENGINE
bool "Enable engine support"
select OPENSSL_WITH_DEPRECATED
default y
select PACKAGE_libopenssl-devcrypto
help
This enables alternative cryptography implementations,
most commonly for interfacing with external crypto devices,
@ -248,7 +261,7 @@ config OPENSSL_ENGINE
config OPENSSL_ENGINE_BUILTIN
bool "Build chosen engines into libcrypto"
default y
default y if !SMALL_FLASH
depends on OPENSSL_ENGINE
help
This builds all chosen engines into libcrypto.so, instead of building
@ -258,7 +271,7 @@ config OPENSSL_ENGINE_BUILTIN
config OPENSSL_ENGINE_BUILTIN_AFALG
bool
default y
default y if !SMALL_FLASH
prompt "Acceleration support through AF_ALG sockets engine"
depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
select PACKAGE_libopenssl-conf
@ -268,7 +281,7 @@ config OPENSSL_ENGINE_BUILTIN_AFALG
config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
bool
default y
default y if !SMALL_FLASH
prompt "Acceleration support through /dev/crypto"
depends on OPENSSL_ENGINE_BUILTIN
select PACKAGE_libopenssl-conf

83
package/libs/openssl/Makefile
View File

@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=v
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
PKG_VERSION:=3.0.10
PKG_RELEASE:=1
PKG_USE_MIPS16:=0
PKG_BUILD_FLAGS:=gc-sections no-lto
PKG_BUILD_PARALLEL:=1
PKG_BASE:=$(subst $(space),.,$(wordlist 1,2,$(subst .,$(space),$(PKG_VERSION))))
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
https://mirrors.tencent.com/openssl/source/ \
@ -27,9 +27,9 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
PKG_HASH:=d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0
PKG_HASH:=1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323
PKG_LICENSE:=OpenSSL
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
PKG_CPE_ID:=cpe:/a:openssl:openssl
@ -42,6 +42,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
CONFIG_OPENSSL_SMALL_FOOTPRINT \
CONFIG_OPENSSL_WITH_ARIA \
CONFIG_OPENSSL_WITH_ASM \
CONFIG_OPENSSL_WITH_ASYNC \
@ -66,7 +67,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/openssl-engine.mk
include $(INCLUDE_DIR)/openssl-module.mk
ifneq ($(CONFIG_CCACHE),)
HOSTCC=$(HOSTCC_NOCACHE)
@ -97,9 +98,10 @@ $(call Package/openssl/Default)
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \
+OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \
+OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \
+OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock
+OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock \
+(arm||armeb||mips||mipsel||powerpc||arc):libatomic
TITLE+= (libraries)
ABI_VERSION:=1.1
ABI_VERSION:=$(firstword $(subst .,$(space),$(PKG_VERSION)))
MENU:=1
endef
@ -130,8 +132,8 @@ endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf)
endef
define Package/libopenssl-conf/description
@ -139,6 +141,37 @@ $(call Package/openssl/Default/description)
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
endef
ifneq ($(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK)$(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),)
define Package/libopenssl-conf/postinst
#!/bin/sh
add_engine_config() {
if [ -z "$${IPKG_INSTROOT}" ] && uci -q get "openssl.$$1" >/dev/null; then
[ "$$(uci -q get "openssl.$$1.builtin")" = 1 ] && return
uci set "openssl.$$1.builtin=1" && uci commit openssl
return
fi
}
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),add_engine_config devcrypto)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock)
endef
endif
$(eval $(call Package/openssl/add-provider,legacy))
define Package/libopenssl-legacy
$(call Package/openssl/Default)
$(call Package/openssl/module/Default)
TITLE:=OpenSSL legacy provider
endef
define Package/libopenssl-legacy/description
The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy. Such algorithms have commonly fallen out of use, have
been deemed insecure by the cryptography community, or something similar. See
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
endef
$(eval $(call Package/openssl/add-engine,afalg))
define Package/libopenssl-afalg
$(call Package/openssl/Default)
@ -151,7 +184,7 @@ endef
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
endef
@ -167,7 +200,7 @@ endef
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
endef
@ -183,12 +216,12 @@ endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
endef
OPENSSL_OPTIONS:= shared
OPENSSL_OPTIONS:= shared no-tests
ifndef CONFIG_OPENSSL_WITH_BLAKE2
OPENSSL_OPTIONS += no-blake2
@ -260,7 +293,9 @@ endif
ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
else
endif
ifeq ($(CONFIG_OPENSSL_SMALL_FOOTPRINT),y)
OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
endif
@ -274,7 +309,7 @@ ifdef CONFIG_OPENSSL_ENGINE
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK
OPENSSL_OPTIONS += no-hw-padlock
OPENSSL_OPTIONS += no-padlockeng
endif
else
ifdef CONFIG_PACKAGE_libopenssl-devcrypto
@ -284,7 +319,7 @@ ifdef CONFIG_OPENSSL_ENGINE
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-hw-padlock
OPENSSL_OPTIONS += no-padlockeng
endif
endif
else
@ -342,8 +377,7 @@ define Build/Configure
)
endef
TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
TARGET_CFLAGS += $(FPIC)
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
@ -380,17 +414,17 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
$(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/
echo -e "config engine 'devcrypto'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
$(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/
echo -e "\nconfig engine 'padlock'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl)
endef
define Package/openssl-util/install
@ -402,5 +436,6 @@ $(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-devcrypto))
$(eval $(call BuildPackage,libopenssl-legacy))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))

2
package/libs/openssl/files/afalg.cnf
View File

@ -1,3 +1,3 @@
[afalg]
[afalg_sect]
default_algorithms = ALL

13
package/libs/openssl/files/devcrypto.cnf
View File

@ -1,4 +1,4 @@
[devcrypto]
[devcrypto_sect]
# Leave this alone and configure algorithms with CIPERS/DIGESTS below
default_algorithms = ALL
@ -17,8 +17,9 @@ default_algorithms = ALL
# It is recommended to disable the ECB ciphers; in most cases, it will
# only be used for PRNG, in small blocks, where performance is poor,
# and there may be problems with apps forking with open crypto
# contexts, leading to failures. The CBC ciphers work well:
#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
# contexts, leading to failures. The CBC ciphers work well.
CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \
AES-128-CTR, AES-192-CTR, AES-256-CTR
# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
# enable [default=NONE]
@ -26,6 +27,8 @@ default_algorithms = ALL
# is poor, and there are many cases in which they will not work,
# especially when calling fork with open crypto contexts. Openssh,
# for example, does this, and you may not be able to login.
#DIGESTS = NONE
# Sysupgrade will fail as well. If you're adventurous enough to change
# this, you should change it back to NONE, and reboot before running
# sysupgrade!
DIGESTS = NONE

3
package/libs/openssl/files/legacy.cnf Normal file
View File

@ -0,0 +1,3 @@
[legacy_sect]
activate = 1

79
package/libs/openssl/files/openssl.init
View File

@ -1,31 +1,72 @@
#!/bin/sh /etc/rc.common
START=13
ENGINES_CNF_D="/etc/ssl/engines.cnf.d"
ENGINES_CNF="/var/etc/ssl/engines.cnf"
ENGINES_DIR="%ENGINES_DIR%"
ENGINES_CNF=/var/etc/ssl/engines.cnf
ENGINES_DIR=%ENGINES_DIR%
MODULES_DIR=/usr/lib/ossl-modules
PROVIDERS_CNF=/var/etc/ssl/providers.cnf
config_engine() {
local enabled force
#1: cnf file
write_cnf_header() {
mkdir -p "$(dirname "$1")" && \
echo "# This file is automatically generated from /etc/config/openssl." >"$1" || {
echo "Error writing to $1."
return 1
}
}
#1: module name
#2: output cnf file
#3: module.so
enable_module() {
local builtin enabled force
config_get_bool builtin "$1" builtin 0
config_get_bool enabled "$1" enabled 1
config_get_bool force "$1" force 0
[ "$enabled" = 0 ] && return
if [ "$force" = 0 ] && \
[ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \
[ ! -f "${ENGINES_DIR}/$1.so" ]; then
echo Skipping engine "$1": not installed
return
if [ "$enabled" = 0 ]; then
[ "$builtin" = 0 ] && return 1
echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI."
echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
elif [ "$force" = 1 ]; then
printf "[Forced] "
elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then
echo "$1: Could not find section [$1] in config files."
return 1
elif [ "$builtin" = 1 ]; then
printf "[Builtin] "
elif [ ! -f "$3" ];then
echo "Skipping $1: $3 not found."
return 1
fi
echo Enabling engine "$1"
echo "$1=$1" >> "${ENGINES_CNF}"
echo "Enabling $1"
echo "$1=$1_sect" >>"$2"
}
config_engine() {
enable_module "$1" "$ENGINES_CNF" \
"${ENGINES_DIR}/${1}.so"
}
config_provider() {
enable_module "$1" "$PROVIDERS_CNF" \
"${MODULES_DIR}/${1}.so"
}
start() {
mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1
echo Generating engines.cnf
echo "# This file is automatically generated from /etc/config/openssl." \
> "${ENGINES_CNF}" || \
{ echo Error writing ${ENGINES_CNF} >&2; exit 1; }
local ret=0
config_load openssl
config_foreach config_engine engine
echo Generating engines.cnf
write_cnf_header "${ENGINES_CNF}" && \
config_foreach config_engine engine || ret=$?
echo Generating providers.cnf
write_cnf_header "${PROVIDERS_CNF}" && \
config_foreach config_provider provider || ret=$?
return $ret
}

2
package/libs/openssl/files/padlock.cnf
View File

@ -1,3 +1,3 @@
[padlock]
[padlock_sect]
default_algorithms = ALL

55
package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
View File

@ -1,55 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Andy Polyakov <appro@openssl.org>
Date: Sun, 5 May 2019 18:25:50 +0200
Subject: crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a big endian ELFv2 configuration. ELFv2 was already being
used for little endian, and big endian was traditionally ELFv1
but there are practical configurations that use ELFv2 with big
endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8883)
--- a/crypto/perlasm/ppc-xlate.pl
+++ b/crypto/perlasm/ppc-xlate.pl
@@ -49,7 +49,7 @@ my $globl = sub {
/osx/ && do { $name = "_$name";
last;
};
- /linux.*(32|64le)/
+ /linux.*(32|64(le|v2))/
&& do { $ret .= ".globl $name";
if (!$$type) {
$ret .= "\n.type $name,\@function";
@@ -80,7 +80,7 @@ my $globl = sub {
};
my $text = sub {
my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text";
- $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/);
+ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64(le|v2)/);
$ret;
};
my $machine = sub {
@@ -186,7 +186,7 @@ my $vmr = sub {
# Some ABIs specify vrsave, special-purpose register #256, as reserved
# for system use.
-my $no_vrsave = ($flavour =~ /aix|linux64le/);
+my $no_vrsave = ($flavour =~ /aix|linux64(le|v2)/);
my $mtspr = sub {
my ($f,$idx,$ra) = @_;
if ($idx == 256 && $no_vrsave) {
@@ -318,7 +318,7 @@ while($line=<>) {
if ($label) {
my $xlated = ($GLOBALS{$label} or $label);
print "$xlated:";
- if ($flavour =~ /linux.*64le/) {
+ if ($flavour =~ /linux.*64(le|v2)/) {
if ($TYPES{$label} =~ /function/) {
printf "\n.localentry %s,0\n",$xlated;
}

2
package/libs/openssl/patches/100-Configure-afalg-support.patch
View File

@ -10,7 +10,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/Configure
+++ b/Configure
@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtra
@@ -1674,7 +1674,9 @@ $config{CFLAGS} = [ map { $_ eq '--ossl-
unless ($disabled{afalgeng}) {
$config{afalgeng}="";

2
package/libs/openssl/patches/110-openwrt_targets.patch
View File

@ -23,7 +23,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+ inherit_from => [ "linux-aarch64", "openwrt" ],
+ },
+ "linux-arc-openwrt" => {
+ inherit_from => [ "linux-generic32", "openwrt" ],
+ inherit_from => [ "linux-latomic", "openwrt" ],
+ },
+ "linux-arm-openwrt" => {
+ inherit_from => [ "linux-armv4", "openwrt" ],

8
package/libs/openssl/patches/120-strip-cflags-from-binary.patch
View File

@ -10,12 +10,12 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink
ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
@@ -111,7 +111,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
DEPEND[info.o]=buildinf.h
DEPEND[cversion.o]=buildinf.h
-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
DEPEND[buildinf.h]=../configdata.pm
GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl

20
package/libs/openssl/patches/130-dont-build-fuzz-docs.patch Normal file
View File

@ -0,0 +1,20 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:34:38 -0300
Subject: Do not build tests and fuzz directories
This shortens build time.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/build.info
+++ b/build.info
@@ -1,7 +1,7 @@
# Note that some of these directories are filtered in Configure. Look for
# %skipdir there for further explanations.
-SUBDIRS=crypto ssl apps util tools fuzz providers doc
+SUBDIRS=crypto ssl apps util tools providers
IF[{- !$disabled{tests} -}]
SUBDIRS=test
ENDIF

29
package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
View File

@ -1,29 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:34:38 -0300
Subject: Do not build tests and fuzz directories
This shortens build time.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/Configure
+++ b/Configure
@@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads
my $default_ranlib;
# Top level directories to build
-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
+$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ];
# crypto/ subdirectories to build
$config{sdirs} = [
"objects",
@@ -330,7 +330,7 @@ $config{sdirs} = [
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
# test/ subdirectories to build
-$config{tdirs} = [ "ossl_shim" ];
+$config{tdirs} = [];
# Known TLS and DTLS protocols
my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);

60
package/libs/openssl/patches/140-allow-prefer-chacha20.patch
View File

@ -14,30 +14,9 @@ when the client has it on top of its ciphersuite preference.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -173,9 +173,15 @@ extern "C" {
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
/* This is the default set of TLSv1.3 ciphersuites */
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
+# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_256_GCM_SHA384:" \
+ "TLS_AES_128_GCM_SHA256"
+# else
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256"
+# endif
# else
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
"TLS_AES_128_GCM_SHA256"
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1465,11 +1465,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1505,11 +1505,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
&tail);
@ -67,7 +46,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
/*
* ...and generally, our preferred cipher is AES.
@@ -1525,7 +1543,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
@@ -1564,7 +1582,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* Within each group, ciphers remain sorted by strength and previous
* preference, i.e.,
* 1) ECDHE > DHE
@ -76,3 +55,38 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* 3) AES > rest
* 4) TLS 1.2 > legacy
*
@@ -2235,7 +2253,13 @@ const char *OSSL_default_cipher_list(voi
*/
const char *OSSL_default_ciphersuites(void)
{
+#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+ return "TLS_CHACHA20_POLY1305_SHA256:"
+ "TLS_AES_256_GCM_SHA384:"
+ "TLS_AES_128_GCM_SHA256";
+#else
return "TLS_AES_256_GCM_SHA384:"
"TLS_CHACHA20_POLY1305_SHA256:"
"TLS_AES_128_GCM_SHA256";
+#endif
}
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -195,9 +195,15 @@ extern "C" {
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
* Update both macro and function simultaneously
*/
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
+# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_256_GCM_SHA384:" \
+ "TLS_AES_128_GCM_SHA256"
+# else
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256"
+# endif
# endif
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always

32
package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
View File

@ -10,20 +10,32 @@ Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -22,6 +22,16 @@ oid_section = new_oids
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
+openssl_conf=openssl_conf
[openssl_init]
providers = provider_sect
+engines = engines_sect
# List of providers to load
[provider_sect]
default = default_sect
+.include /var/etc/ssl/providers.cnf
+
+[openssl_conf]
+engines=engines
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
@@ -69,7 +72,13 @@ default = default_sect
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
-# activate = 1
+activate = 1
+
+[engines]
+[engines_sect]
+.include /var/etc/ssl/engines.cnf
+
+.include /etc/ssl/engines.cnf.d
+.include /etc/ssl/modules.cnf.d
+
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
####################################################################

58
package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch
View File

@ -1,58 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 5 Nov 2018 15:54:17 -0200
Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT
Since each ioctl causes a context switch, slowing things down, if
EVP_MD_CTX_FLAG_ONESHOT is set, then:
- call the ioctl in digest_update, saving the result; and
- just copy the result in digest_final, instead of using another ioctl.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -461,6 +461,7 @@ struct digest_ctx {
struct session_op sess;
/* This signals that the init function was called, not that it succeeded. */
int init_called;
+ unsigned char digest_res[HASH_MAX_LEN];
};
static const struct digest_data_st {
@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx
if (digest_ctx == NULL)
return 0;
- if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) {
+ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0)
+ return 1;
+ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) {
+ return 1;
}
- return 1;
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
}
static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx,
if (md == NULL || digest_ctx == NULL)
return 0;
- if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
+
+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) {
+ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx));
+ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
}

566
package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
View File

@ -1,566 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Sat, 3 Nov 2018 15:41:10 -0300
Subject: eng_devcrypto: add configuration options
USE_SOFTDRIVERS: whether to use software (not accelerated) drivers
CIPHERS: list of ciphers to enable
DIGESTS: list of digests to enable
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -16,6 +16,7 @@
#include <unistd.h>
#include <assert.h>
+#include <openssl/conf.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/engine.h>
@@ -36,6 +37,30 @@
* saner... why re-open /dev/crypto for every session?
*/
static int cfd;
+#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */
+#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */
+#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */
+
+#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE
+static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;
+
+/*
+ * cipher/digest status & acceleration definitions
+ * Make sure the defaults are set to 0
+ */
+struct driver_info_st {
+ enum devcrypto_status_t {
+ DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */
+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */
+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */
+ } status;
+
+ enum devcrypto_accelerated_t {
+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */
+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */
+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */
+ } accelerated;
+};
static int clean_devcrypto_session(struct session_op *sess) {
if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) {
@@ -119,13 +144,22 @@ static const struct cipher_data_st {
#endif
};
-static size_t get_cipher_data_index(int nid)
+static size_t find_cipher_data_index(int nid)
{
size_t i;
for (i = 0; i < OSSL_NELEM(cipher_data); i++)
if (nid == cipher_data[i].nid)
return i;
+ return (size_t)-1;
+}
+
+static size_t get_cipher_data_index(int nid)
+{
+ size_t i = find_cipher_data_index(nid);
+
+ if (i != (size_t)-1)
+ return i;
/*
* Code further down must make sure that only NIDs in the table above
@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX
}
/*
- * Keep a table of known nids and associated methods.
+ * Keep tables of known nids, associated methods, selected ciphers, and driver
+ * info.
* Note that known_cipher_nids[] isn't necessarily indexed the same way as
- * cipher_data[] above, which known_cipher_methods[] is.
+ * cipher_data[] above, which the other tables are.
*/
static int known_cipher_nids[OSSL_NELEM(cipher_data)];
static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
+static int selected_ciphers[OSSL_NELEM(cipher_data)];
+static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)];
+
+
+static int devcrypto_test_cipher(size_t cipher_data_index)
+{
+ return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE
+ && selected_ciphers[cipher_data_index] == 1
+ && (cipher_driver_info[cipher_data_index].accelerated
+ == DEVCRYPTO_ACCELERATED
+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE
+ || (cipher_driver_info[cipher_data_index].accelerated
+ != DEVCRYPTO_NOT_ACCELERATED
+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE)));
+}
static void prepare_cipher_methods(void)
{
size_t i;
struct session_op sess;
unsigned long cipher_mode;
+#ifdef CIOCGSESSINFO
+ struct session_info_op siop;
+#endif
+
+ memset(&cipher_driver_info, 0, sizeof(cipher_driver_info));
memset(&sess, 0, sizeof(sess));
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
@@ -353,15 +408,16 @@ static void prepare_cipher_methods(void)
for (i = 0, known_cipher_nids_amount = 0;
i < OSSL_NELEM(cipher_data); i++) {
+ selected_ciphers[i] = 1;
/*
- * Check that the algo is really availably by trying to open and close
- * a session.
+ * Check that the cipher is usable
*/
sess.cipher = cipher_data[i].devcryptoid;
sess.keylen = cipher_data[i].keylen;
- if (ioctl(cfd, CIOCGSESSION, &sess) < 0
- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
+ if (ioctl(cfd, CIOCGSESSION, &sess) < 0) {
+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
continue;
+ }
cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
@@ -387,15 +443,41 @@ static void prepare_cipher_methods(void)
cipher_cleanup)
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
sizeof(struct cipher_ctx))) {
+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
EVP_CIPHER_meth_free(known_cipher_methods[i]);
known_cipher_methods[i] = NULL;
} else {
+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
+#ifdef CIOCGSESSINFO
+ siop.ses = sess.ses;
+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
+ else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY))
+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
+ else
+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
+#endif /* CIOCGSESSINFO */
+ }
+ ioctl(cfd, CIOCFSESSION, &sess.ses);
+ if (devcrypto_test_cipher(i)) {
known_cipher_nids[known_cipher_nids_amount++] =
cipher_data[i].nid;
}
}
}
+static void rebuild_known_cipher_nids(ENGINE *e)
+{
+ size_t i;
+
+ for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) {
+ if (devcrypto_test_cipher(i))
+ known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid;
+ }
+ ENGINE_unregister_ciphers(e);
+ ENGINE_register_ciphers(e);
+}
+
static const EVP_CIPHER *get_cipher_method(int nid)
{
size_t i = get_cipher_data_index(nid);
@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e,
return *cipher != NULL;
}
+static void devcrypto_select_all_ciphers(int *cipher_list)
+{
+ size_t i;
+
+ for (i = 0; i < OSSL_NELEM(cipher_data); i++)
+ cipher_list[i] = 1;
+}
+
+static int cryptodev_select_cipher_cb(const char *str, int len, void *usr)
+{
+ int *cipher_list = (int *)usr;
+ char *name;
+ const EVP_CIPHER *EVP;
+ size_t i;
+
+ if (len == 0)
+ return 1;
+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL)
+ return 0;
+ EVP = EVP_get_cipherbyname(name);
+ if (EVP == NULL)
+ fprintf(stderr, "devcrypto: unknown cipher %s\n", name);
+ else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1)
+ cipher_list[i] = 1;
+ else
+ fprintf(stderr, "devcrypto: cipher %s not available\n", name);
+ OPENSSL_free(name);
+ return 1;
+}
+
/*
* We only support digests if the cryptodev implementation supports multiple
* data updates and session copying. Otherwise, we would be forced to maintain
@@ -493,13 +605,22 @@ static const struct digest_data_st {
#endif
};
-static size_t get_digest_data_index(int nid)
+static size_t find_digest_data_index(int nid)
{
size_t i;
for (i = 0; i < OSSL_NELEM(digest_data); i++)
if (nid == digest_data[i].nid)
return i;
+ return (size_t)-1;
+}
+
+static size_t get_digest_data_index(int nid)
+{
+ size_t i = find_digest_data_index(nid);
+
+ if (i != (size_t)-1)
+ return i;
/*
* Code further down must make sure that only NIDs in the table above
@@ -516,8 +637,8 @@ static const struct digest_data_st *get_
}
/*
- * Following are the four necessary functions to map OpenSSL functionality
- * with cryptodev.
+ * Following are the five necessary functions to map OpenSSL functionality
+ * with cryptodev: init, update, final, cleanup, and copy.
*/
static int digest_init(EVP_MD_CTX *ctx)
@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ct
return clean_devcrypto_session(&digest_ctx->sess);
}
-static int devcrypto_test_digest(size_t digest_data_index)
-{
- struct session_op sess1, sess2;
- struct cphash_op cphash;
- int ret=0;
-
- memset(&sess1, 0, sizeof(sess1));
- memset(&sess2, 0, sizeof(sess2));
- sess1.mac = digest_data[digest_data_index].devcryptoid;
- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
- return 0;
- /* Make sure the driver is capable of hash state copy */
- sess2.mac = sess1.mac;
- if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
- cphash.src_ses = sess1.ses;
- cphash.dst_ses = sess2.ses;
- if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
- ret = 1;
- ioctl(cfd, CIOCFSESSION, &sess2.ses);
- }
- ioctl(cfd, CIOCFSESSION, &sess1.ses);
- return ret;
-}
-
/*
- * Keep a table of known nids and associated methods.
+ * Keep tables of known nids, associated methods, selected digests, and
+ * driver info.
* Note that known_digest_nids[] isn't necessarily indexed the same way as
- * digest_data[] above, which known_digest_methods[] is.
+ * digest_data[] above, which the other tables are.
*/
static int known_digest_nids[OSSL_NELEM(digest_data)];
static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, };
+static int selected_digests[OSSL_NELEM(digest_data)];
+static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)];
+
+static int devcrypto_test_digest(size_t digest_data_index)
+{
+ return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE
+ && selected_digests[digest_data_index] == 1
+ && (digest_driver_info[digest_data_index].accelerated
+ == DEVCRYPTO_ACCELERATED
+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE
+ || (digest_driver_info[digest_data_index].accelerated
+ != DEVCRYPTO_NOT_ACCELERATED
+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE)));
+}
+
+static void rebuild_known_digest_nids(ENGINE *e)
+{
+ size_t i;
+
+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) {
+ if (devcrypto_test_digest(i))
+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
+ }
+ ENGINE_unregister_digests(e);
+ ENGINE_register_digests(e);
+}
static void prepare_digest_methods(void)
{
size_t i;
+ struct session_op sess1, sess2;
+#ifdef CIOCGSESSINFO
+ struct session_info_op siop;
+#endif
+ struct cphash_op cphash;
+
+ memset(&digest_driver_info, 0, sizeof(digest_driver_info));
+
+ memset(&sess1, 0, sizeof(sess1));
+ memset(&sess2, 0, sizeof(sess2));
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
i++) {
+ selected_digests[i] = 1;
+
/*
- * Check that the algo is usable
+ * Check that the digest is usable
*/
- if (!devcrypto_test_digest(i))
- continue;
+ sess1.mac = digest_data[i].devcryptoid;
+ sess2.ses = 0;
+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) {
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ goto finish;
+ }
+#ifdef CIOCGSESSINFO
+ /* gather hardware acceleration info from the driver */
+ siop.ses = sess1.ses;
+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
+ else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)
+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
+ else
+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
+#endif
+
+ /* digest must be capable of hash state copy */
+ sess2.mac = sess1.mac;
+ if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) {
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ goto finish;
+ }
+ cphash.src_ses = sess1.ses;
+ cphash.dst_ses = sess2.ses;
+ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) {
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ goto finish;
+ }
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
NID_undef)) == NULL
|| !EVP_MD_meth_set_input_blocksize(known_digest_methods[i],
@@ -689,11 +852,18 @@ static void prepare_digest_methods(void)
|| !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup)
|| !EVP_MD_meth_set_app_datasize(known_digest_methods[i],
sizeof(struct digest_ctx))) {
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
EVP_MD_meth_free(known_digest_methods[i]);
known_digest_methods[i] = NULL;
- } else {
- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
+ goto finish;
}
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
+finish:
+ ioctl(cfd, CIOCFSESSION, &sess1.ses);
+ if (sess2.ses != 0)
+ ioctl(cfd, CIOCFSESSION, &sess2.ses);
+ if (devcrypto_test_digest(i))
+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
}
}
@@ -739,7 +909,153 @@ static int devcrypto_digests(ENGINE *e,
return *digest != NULL;
}
+static void devcrypto_select_all_digests(int *digest_list)
+{
+ size_t i;
+
+ for (i = 0; i < OSSL_NELEM(digest_data); i++)
+ digest_list[i] = 1;
+}
+
+static int cryptodev_select_digest_cb(const char *str, int len, void *usr)
+{
+ int *digest_list = (int *)usr;
+ char *name;
+ const EVP_MD *EVP;
+ size_t i;
+
+ if (len == 0)
+ return 1;
+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL)
+ return 0;
+ EVP = EVP_get_digestbyname(name);
+ if (EVP == NULL)
+ fprintf(stderr, "devcrypto: unknown digest %s\n", name);
+ else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1)
+ digest_list[i] = 1;
+ else
+ fprintf(stderr, "devcrypto: digest %s not available\n", name);
+ OPENSSL_free(name);
+ return 1;
+}
+
+#endif
+
+/******************************************************************************
+ *
+ * CONTROL COMMANDS
+ *
+ *****/
+
+#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE
+#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1)
+#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2)
+#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3)
+
+/* Helper macros for CPP string composition */
+#ifndef OPENSSL_MSTR
+# define OPENSSL_MSTR_HELPER(x) #x
+# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x)
+#endif
+
+static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
+#ifdef CIOCGSESSINFO
+ {DEVCRYPTO_CMD_USE_SOFTDRIVERS,
+ "USE_SOFTDRIVERS",
+ "specifies whether to use software (not accelerated) drivers ("
+ OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, "
+ OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, "
+ OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE)
+ "=use if acceleration can't be determined) [default="
+ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]",
+ ENGINE_CMD_FLAG_NUMERIC},
+#endif
+
+ {DEVCRYPTO_CMD_CIPHERS,
+ "CIPHERS",
+ "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]",
+ ENGINE_CMD_FLAG_STRING},
+
+#ifdef IMPLEMENT_DIGEST
+ {DEVCRYPTO_CMD_DIGESTS,
+ "DIGESTS",
+ "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
+ ENGINE_CMD_FLAG_STRING},
+#endif
+
+ {0, NULL, NULL, 0}
+};
+
+static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
+{
+ int *new_list;
+ switch (cmd) {
+#ifdef CIOCGSESSINFO
+ case DEVCRYPTO_CMD_USE_SOFTDRIVERS:
+ switch (i) {
+ case DEVCRYPTO_REQUIRE_ACCELERATED:
+ case DEVCRYPTO_USE_SOFTWARE:
+ case DEVCRYPTO_REJECT_SOFTWARE:
+ break;
+ default:
+ fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i);
+ return 0;
+ }
+ if (use_softdrivers == i)
+ return 1;
+ use_softdrivers = i;
+#ifdef IMPLEMENT_DIGEST
+ rebuild_known_digest_nids(e);
#endif
+ rebuild_known_cipher_nids(e);
+ return 1;
+#endif /* CIOCGSESSINFO */
+
+ case DEVCRYPTO_CMD_CIPHERS:
+ if (p == NULL)
+ return 1;
+ if (strcasecmp((const char *)p, "ALL") == 0) {
+ devcrypto_select_all_ciphers(selected_ciphers);
+ } else if (strcasecmp((const char*)p, "NONE") == 0) {
+ memset(selected_ciphers, 0, sizeof(selected_ciphers));
+ } else {
+ new_list=OPENSSL_zalloc(sizeof(selected_ciphers));
+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) {
+ OPENSSL_free(new_list);
+ return 0;
+ }
+ memcpy(selected_ciphers, new_list, sizeof(selected_ciphers));
+ OPENSSL_free(new_list);
+ }
+ rebuild_known_cipher_nids(e);
+ return 1;
+
+#ifdef IMPLEMENT_DIGEST
+ case DEVCRYPTO_CMD_DIGESTS:
+ if (p == NULL)
+ return 1;
+ if (strcasecmp((const char *)p, "ALL") == 0) {
+ devcrypto_select_all_digests(selected_digests);
+ } else if (strcasecmp((const char*)p, "NONE") == 0) {
+ memset(selected_digests, 0, sizeof(selected_digests));
+ } else {
+ new_list=OPENSSL_zalloc(sizeof(selected_digests));
+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) {
+ OPENSSL_free(new_list);
+ return 0;
+ }
+ memcpy(selected_digests, new_list, sizeof(selected_digests));
+ OPENSSL_free(new_list);
+ }
+ rebuild_known_digest_nids(e);
+ return 1;
+#endif /* IMPLEMENT_DIGEST */
+
+ default:
+ break;
+ }
+ return 0;
+}
/******************************************************************************
*
@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int()
if (!ENGINE_set_id(e, "devcrypto")
|| !ENGINE_set_name(e, "/dev/crypto engine")
+ || !ENGINE_set_cmd_defns(e, devcrypto_cmds)
+ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)
/*
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD

273
package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch
View File

@ -1,273 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Tue, 6 Nov 2018 22:54:07 -0200
Subject: eng_devcrypto: add command to dump driver info
This is useful to determine the kernel driver running each algorithm.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_D
*/
struct driver_info_st {
enum devcrypto_status_t {
- DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */
- DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */
- DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */
+ DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */
+ DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */
+ DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */
+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */
+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */
} status;
enum devcrypto_accelerated_t {
- DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */
- DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */
- DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */
+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */
+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */
+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */
} accelerated;
+
+ char *driver_name;
};
static int clean_devcrypto_session(struct session_op *sess) {
@@ -415,7 +419,7 @@ static void prepare_cipher_methods(void)
sess.cipher = cipher_data[i].devcryptoid;
sess.keylen = cipher_data[i].keylen;
if (ioctl(cfd, CIOCGSESSION, &sess) < 0) {
- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION;
continue;
}
@@ -443,19 +447,24 @@ static void prepare_cipher_methods(void)
cipher_cleanup)
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
sizeof(struct cipher_ctx))) {
- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE;
EVP_CIPHER_meth_free(known_cipher_methods[i]);
known_cipher_methods[i] = NULL;
} else {
cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
#ifdef CIOCGSESSINFO
siop.ses = sess.ses;
- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) {
cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
- else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY))
- cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
- else
- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
+ } else {
+ cipher_driver_info[i].driver_name =
+ OPENSSL_strndup(siop.cipher_info.cra_driver_name,
+ CRYPTODEV_MAX_ALG_NAME);
+ if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY))
+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
+ else
+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
+ }
#endif /* CIOCGSESSINFO */
}
ioctl(cfd, CIOCFSESSION, &sess.ses);
@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(v
{
size_t i;
- for (i = 0; i < OSSL_NELEM(cipher_data); i++)
+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) {
destroy_cipher_method(cipher_data[i].nid);
+ OPENSSL_free(cipher_driver_info[i].driver_name);
+ cipher_driver_info[i].driver_name = NULL;
+ }
}
static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(co
return 1;
}
+static void dump_cipher_info(void)
+{
+ size_t i;
+ const char *name;
+
+ fprintf (stderr, "Information about ciphers supported by the /dev/crypto"
+ " engine:\n");
+#ifndef CIOCGSESSINFO
+ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n");
+#endif
+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) {
+ name = OBJ_nid2sn(cipher_data[i].nid);
+ fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ",
+ name ? name : "unknown", cipher_data[i].nid,
+ cipher_data[i].devcryptoid);
+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) {
+ fprintf (stderr, "CIOCGSESSION (session open call) failed\n");
+ continue;
+ }
+ fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ?
+ cipher_driver_info[i].driver_name : "unknown");
+ if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED)
+ fprintf(stderr, "(hw accelerated)");
+ else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED)
+ fprintf(stderr, "(software)");
+ else
+ fprintf(stderr, "(acceleration status unknown)");
+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE)
+ fprintf (stderr, ". Cipher setup failed");
+ fprintf(stderr, "\n");
+ }
+ fprintf(stderr, "\n");
+}
+
/*
* We only support digests if the cryptodev implementation supports multiple
* data updates and session copying. Otherwise, we would be forced to maintain
@@ -812,31 +858,36 @@ static void prepare_digest_methods(void)
sess1.mac = digest_data[i].devcryptoid;
sess2.ses = 0;
if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) {
- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION;
goto finish;
}
#ifdef CIOCGSESSINFO
/* gather hardware acceleration info from the driver */
siop.ses = sess1.ses;
- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) {
digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
- else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)
- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
- else
- digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
+ } else {
+ digest_driver_info[i].driver_name =
+ OPENSSL_strndup(siop.hash_info.cra_driver_name,
+ CRYPTODEV_MAX_ALG_NAME);
+ if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)
+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
+ else
+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
+ }
#endif
/* digest must be capable of hash state copy */
sess2.mac = sess1.mac;
if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) {
- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE;
goto finish;
}
cphash.src_ses = sess1.ses;
cphash.dst_ses = sess2.ses;
if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) {
- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH;
goto finish;
}
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
@@ -852,7 +903,7 @@ static void prepare_digest_methods(void)
|| !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup)
|| !EVP_MD_meth_set_app_datasize(known_digest_methods[i],
sizeof(struct digest_ctx))) {
- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE;
EVP_MD_meth_free(known_digest_methods[i]);
known_digest_methods[i] = NULL;
goto finish;
@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(v
{
size_t i;
- for (i = 0; i < OSSL_NELEM(digest_data); i++)
+ for (i = 0; i < OSSL_NELEM(digest_data); i++) {
destroy_digest_method(digest_data[i].nid);
+ OPENSSL_free(digest_driver_info[i].driver_name);
+ digest_driver_info[i].driver_name = NULL;
+ }
}
static int devcrypto_digests(ENGINE *e, const EVP_MD **digest,
@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(co
return 1;
}
+static void dump_digest_info(void)
+{
+ size_t i;
+ const char *name;
+
+ fprintf (stderr, "Information about digests supported by the /dev/crypto"
+ " engine:\n");
+#ifndef CIOCGSESSINFO
+ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n");
+#endif
+
+ for (i = 0; i < OSSL_NELEM(digest_data); i++) {
+ name = OBJ_nid2sn(digest_data[i].nid);
+ fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s",
+ name ? name : "unknown", digest_data[i].nid,
+ digest_data[i].devcryptoid,
+ digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown");
+ if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) {
+ fprintf (stderr, ". CIOCGSESSION (session open) failed\n");
+ continue;
+ }
+ if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED)
+ fprintf(stderr, " (hw accelerated)");
+ else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED)
+ fprintf(stderr, " (software)");
+ else
+ fprintf(stderr, " (acceleration status unknown)");
+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE)
+ fprintf (stderr, ". Cipher setup failed\n");
+ else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH)
+ fprintf(stderr, ", CIOCCPHASH failed\n");
+ else
+ fprintf(stderr, ", CIOCCPHASH capable\n");
+ }
+ fprintf(stderr, "\n");
+}
+
#endif
/******************************************************************************
@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_c
ENGINE_CMD_FLAG_STRING},
#endif
+ {DEVCRYPTO_CMD_DUMP_INFO,
+ "DUMP_INFO",
+ "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'",
+ ENGINE_CMD_FLAG_NO_INPUT},
+
{0, NULL, NULL, 0}
};
@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int
return 1;
#endif /* IMPLEMENT_DIGEST */
+ case DEVCRYPTO_CMD_DUMP_INFO:
+ dump_cipher_info();
+#ifdef IMPLEMENT_DIGEST
+ dump_digest_info();
+#endif
+ return 1;
+
default:
break;
}

2718
package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
View File

File diff suppressed because it is too large Load Diff

4
package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
View File

@ -21,7 +21,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -852,7 +852,7 @@ static void prepare_digest_methods(void)
@@ -905,7 +905,7 @@ static void prepare_digest_methods(void)
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
i++) {
@ -30,7 +30,7 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
/*
* Check that the digest is usable
@@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
#ifdef IMPLEMENT_DIGEST
{DEVCRYPTO_CMD_DIGESTS,
"DIGESTS",

4
package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
View File

@ -10,8 +10,8 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
int ret;
/* cleanup a previous session */
- if (cipher_ctx->sess.ses != 0 &&