From c235f680281548c9bb1f81ae6e2dbb8f0b4fcfb9 Mon Sep 17 00:00:00 2001 
From: LEAN-ESX Date: Sat, 9 Nov 2019 02:16:08 -0800 Subject: [PATCH] qBittorrent: rollback qt5 and openssl --- package/lean/qBittorrent/Makefile | 4 +- package/lean/qt5/Makefile | 11 +- package/libs/openssl/Config.in | 137 +---- package/libs/openssl/Makefile | 224 +++---- .../patches/100-Configure-afalg-support.patch | 25 - .../openssl/patches/100-openwrt_targets.patch | 44 ++ .../openssl/patches/110-openwrt_targets.patch | 63 -- .../libs/openssl/patches/110-perl-path.patch | 64 ++ .../openssl/patches/120-makefile-dirs.patch | 11 + .../120-strip-cflags-from-binary.patch | 23 - .../patches/130-disable_doc_tests.patch | 58 ++ .../patches/130-dont-build-tests-fuzz.patch | 31 - .../patches/140-allow-prefer-chacha20.patch | 82 --- .../libs/openssl/patches/140-bash_path.patch | 8 + .../patches/150-fix_link_segfault.patch | 18 + .../150-openssl.cnf-add-engines-conf.patch | 56 -- .../patches/160-remove_timestamp_check.patch | 23 + .../openssl/patches/170-parallel_build.patch | 184 ++++++ .../180-strip-cflags-from-binary.patch | 21 + ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 60 -- ..._devcrypto-add-configuration-options.patch | 569 ------------------ ...ypto-add-command-to-dump-driver-info.patch | 275 --------- ...o-make-the-dev-crypto-engine-dynamic.patch | 368 ----------- ...default-to-not-use-digests-in-engine.patch | 43 -- ...to-ignore-error-when-closing-session.patch | 26 - 25 files changed, 543 insertions(+), 1885 deletions(-) delete mode 100644 package/libs/openssl/patches/100-Configure-afalg-support.patch create mode 100644 package/libs/openssl/patches/100-openwrt_targets.patch delete mode 100644 package/libs/openssl/patches/110-openwrt_targets.patch create mode 100644 package/libs/openssl/patches/110-perl-path.patch create mode 100644 package/libs/openssl/patches/120-makefile-dirs.patch delete mode 100644 package/libs/openssl/patches/120-strip-cflags-from-binary.patch create mode 100644 package/libs/openssl/patches/130-disable_doc_tests.patch delete mode 
100644 package/libs/openssl/patches/130-dont-build-tests-fuzz.patch delete mode 100644 package/libs/openssl/patches/140-allow-prefer-chacha20.patch create mode 100644 package/libs/openssl/patches/140-bash_path.patch create mode 100644 package/libs/openssl/patches/150-fix_link_segfault.patch delete mode 100644 package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch create mode 100644 package/libs/openssl/patches/160-remove_timestamp_check.patch create mode 100644 package/libs/openssl/patches/170-parallel_build.patch create mode 100644 package/libs/openssl/patches/180-strip-cflags-from-binary.patch delete mode 100644 package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch delete mode 100644 package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch delete mode 100644 package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch delete mode 100644 package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch delete mode 100644 package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch delete mode 100644 package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch diff --git a/package/lean/qBittorrent/Makefile b/package/lean/qBittorrent/Makefile index 5e3650c6e..9fbe23ab5 100644 --- a/package/lean/qBittorrent/Makefile +++ b/package/lean/qBittorrent/Makefile @@ -1,13 +1,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=qBittorrent -PKG_VERSION:=4.1.8 +PKG_VERSION:=4.1.7 PKG_RELEASE=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/qbittorrent/qBittorrent.git PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) -PKG_SOURCE_VERSION:=0de5cbaa4becf4eb89245324cb76c9a7c9412a33 +PKG_SOURCE_VERSION:=05a82afeb6c927bfc0cda4fe8fb25ecc3faecd86 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_LICENSE:=GPL-2.0+ diff --git a/package/lean/qt5/Makefile b/package/lean/qt5/Makefile index 42cc834e6..e34fa844c 100644 
--- a/package/lean/qt5/Makefile +++ b/package/lean/qt5/Makefile @@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=qt5 -PKG_VERSION:=5.12 -PKG_RELEASE:=4 -PKG_MD5SUM:=dda95b0239d13c5276834177af3a8588 +PKG_VERSION:=5.8 +PKG_RELEASE:=0 +PKG_MD5SUM:=a9f2494f75f966e2f22358ec367d8f41 -PKG_SOURCE:=qt-everywhere-src-$(PKG_VERSION).$(PKG_RELEASE).tar.xz +PKG_SOURCE:=qt-everywhere-opensource-src-$(PKG_VERSION).$(PKG_RELEASE).tar.gz PKG_SOURCE_URL:=http://download.qt-project.org/archive/qt/$(PKG_VERSION)/$(PKG_VERSION).$(PKG_RELEASE)/single -PKG_BUILD_DIR=$(BUILD_DIR)/qt-everywhere-src-$(PKG_VERSION).$(PKG_RELEASE) +PKG_BUILD_DIR=$(BUILD_DIR)/qt-everywhere-opensource-src-$(PKG_VERSION).$(PKG_RELEASE) PKG_BUILD_PARALLEL:=1 PKG_USE_MIPS16:=0 @@ -106,6 +106,7 @@ define Build/Configure -no-iconv \ -no-pch \ -no-rpath \ + -no-qml-debug \ -no-strip \ -no-cups \ -no-dbus \ diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index 42d384508..82f6c61c7 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -54,9 +54,7 @@ config OPENSSL_WITH_DEPRECATED default y prompt "Include deprecated APIs (See help for a list of packages that need this)" help - Since openssl 1.1.x is still new to openwrt, some packages - requiring this option do not list it as a requirement yet: - * freeswitch-stable, freeswitch, python, python3, squid. + Squid currently requires this. config OPENSSL_NO_DEPRECATED bool @@ -64,7 +62,6 @@ config OPENSSL_NO_DEPRECATED config OPENSSL_WITH_ERROR_MESSAGES bool - default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT prompt "Include error messages" help This option aids debugging, but increases package size and 
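Review bot: In the first qt5/Makefile hunk (`@@ -9,13 +9,13 @@`) the new tarball is still verified with `PKG_MD5SUM`, and the unchanged `PKG_SOURCE_URL` fetches it over `http://`, so the only integrity check on a cleartext download is an MD5 digest. Since the line is being rewritten anyway, switch it to `PKG_HASH:=<sha256 of qt-everywhere-opensource-src-5.8.0.tar.gz>` (placeholder; take the value from the checksum upstream publishes, not from the file just downloaded). The openssl Makefile in this same commit already uses `PKG_HASH`. Moving the URL to an https mirror, if the archive offers one, would close the remaining gap.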
@@ -72,20 +69,6 @@ config OPENSSL_WITH_ERROR_MESSAGES comment "Protocol Support" -config OPENSSL_WITH_TLS13 - bool - default y - prompt "Enable support for TLS 1.3" - help - TLS 1.3 is the newest version of the TLS specification. - It aims: - * to increase the overall security of the protocol, - removing outdated algorithms, and encrypting more of the - protocol; - * to increase performance by reducing the number of round-trips - when performing a full handshake. - It increases package size by ~4KB. - config OPENSSL_WITH_DTLS bool prompt "Enable DTLS support" @@ -95,6 +78,7 @@ config OPENSSL_WITH_DTLS config OPENSSL_WITH_NPN bool + default y prompt "Enable NPN support" help NPN is a TLS extension, obsoleted and replaced with ALPN, 
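Review bot: The `default y` added under `config OPENSSL_WITH_NPN` (hunk `@@ -95,6 +78,7 @@`) enables by default an extension that the option's own help text, visible as context, describes as obsoleted and replaced with ALPN. Unless a package in this tree is known to need NPN, drop the added line so the option stays off by default. If one does need it, name it in the help text, e.g. `Enabled by default because <package> still negotiates NPN.`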
@@ -119,35 +103,24 @@ config OPENSSL_WITH_CMS comment "Algorithm Selection" +config OPENSSL_WITH_EC + bool + default y + prompt "Enable elliptic curve support" + help + Elliptic-curve cryptography (ECC) is an approach to public-key + cryptography based on the algebraic structure of elliptic curves + over finite fields. ECC requires smaller keys compared to non-ECC + cryptography to provide equivalent security. + config OPENSSL_WITH_EC2M bool + depends on OPENSSL_WITH_EC prompt "Enable ec2m support" help This option enables the more efficient, yet less common, binary field elliptic curves. -config OPENSSL_WITH_CHACHA_POLY1305 - bool - default y - prompt "Enable ChaCha20-Poly1305 ciphersuite support" - help - ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys, - combining ChaCha stream cipher with Poly1305 MAC. - It is 3x faster than AES, when not using a CPU with AES-specific - instructions, as is the case of most embedded devices. - -config OPENSSL_PREFER_CHACHA_OVER_GCM - bool - default y if !x86_64 && !aarch64 - prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" - depends on OPENSSL_WITH_CHACHA_POLY1305 - help - The default openssl preference is for AES-GCM before ChaCha, but - that takes into account AES-NI capable chips. It is not the - case with most embedded chips, so it may be better to invert - that preference. This is just for the default case. The - application can always override this. - config OPENSSL_WITH_PSK bool default y @@ -157,12 +130,6 @@ config OPENSSL_WITH_PSK comment "Less commonly used build options" -config OPENSSL_WITH_ARIA - bool - prompt "Enable ARIA support" - help - ARIA is a block cipher developed in South Korea, based on AES. - config OPENSSL_WITH_CAMELLIA bool prompt "Enable Camellia cipher support" 
@@ -183,23 +150,6 @@ config OPENSSL_WITH_SEED SEED is a block cipher with 128-bit keys broadly used in South Korea, but seldom found elsewhere. -config OPENSSL_WITH_SM234 - bool - prompt "Enable SM2/3/4 algorithms support" - help - These algorithms are a set of "Commercial Cryptography" - algorithms approved for use in China. - * SM2 is an EC algorithm equivalent to ECDSA P-256 - * SM3 is a hash function equivalent to SHA-256 - * SM4 is a 128-block cipher equivalent to AES-128 - -config OPENSSL_WITH_BLAKE2 - bool - prompt "Enable BLAKE2 digest support" - help - BLAKE2 is a cryptographic hash function based on the ChaCha - stream cipher. - config OPENSSL_WITH_MDC2 bool prompt "Enable MDC2 digest support" 
@@ -234,66 +184,27 @@ comment "Engine/Hardware Support" config OPENSSL_ENGINE bool "Enable engine support" default y - select PACKAGE_libopenssl-devcrypto help This enables alternative cryptography implementations, most commonly for interfacing with external crypto devices, or supporting new/alternative ciphers and digests. - If you compile the library with this option disabled, packages built - using an engine-enabled library (i.e. from the official repo) may - fail to run. Compile and install the packages with engine support - disabled, and you should be fine. - Note that you need to enable KERNEL_AIO to be able to build the - afalg engine package. -config OPENSSL_ENGINE_BUILTIN - bool "Build chosen engines into libcrypto" - depends on OPENSSL_ENGINE - help - This builds all chosen engines into libcrypto.so, instead of building - them as dynamic engines in separate packages. - The benefit of building the engines into libcrypto is that they won't - require any configuration to be used by default. - -config OPENSSL_ENGINE_BUILTIN_AFALG +config OPENSSL_ENGINE_CRYPTO bool - prompt "Acceleration support through AF_ALG sockets engine" - depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO - select PACKAGE_libopenssl-conf - help - This enables use of hardware acceleration through the - AF_ALG kernel interface. - -config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO - bool - default y + select OPENSSL_ENGINE + select PACKAGE_kmod-cryptodev prompt "Acceleration support through /dev/crypto" - depends on OPENSSL_ENGINE_BUILTIN - select PACKAGE_libopenssl-conf help This enables use of hardware acceleration through OpenBSD Cryptodev API (/dev/crypto) interface. - Even though configuration is not strictly needed, it is worth seeing - https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators - for information on how to configure the engine. 
+ You must install kmod-cryptodev (under Kernel modules, Cryptographic + API modules) for /dev/crypto to show up and use hardware + acceleration; otherwise it falls back to software. -config OPENSSL_ENGINE_BUILTIN_PADLOCK +config OPENSSL_ENGINE_DIGEST bool - prompt "VIA Padlock Acceleration support engine" - depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86 - select PACKAGE_libopenssl-conf - help - This enables use of hardware acceleration through the - VIA Padlock module. - -config OPENSSL_WITH_ASYNC - bool - prompt "Enable asynchronous jobs support" - depends on OPENSSL_ENGINE && USE_GLIBC - help - Enables async-aware applications to be able to use OpenSSL to - initiate crypto operations asynchronously. In order to work - this will require the presence of an async capable engine. + depends on OPENSSL_ENGINE_CRYPTO + prompt "/dev/crypto digest (md5/sha1) acceleration support" config OPENSSL_WITH_GOST bool @@ -302,8 +213,6 @@ config OPENSSL_WITH_GOST help This option prepares the library to accept engine support for Russian GOST crypto algorithms. - The gost engine is not included in standard openwrt feeds. - To build such engine yourself, see: - https://github.com/gost-engine/engine endif + diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index eb267f31f..b5cd165e9 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl -PKG_BASE:=1.1.1 -PKG_BUGFIX:=d +PKG_BASE:=1.0.2 +PKG_BUGFIX:=q PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 -PKG_BUILD_PARALLEL:=1 +PKG_BUILD_PARALLEL:=0 +PKG_BUILD_DEPENDS:=cryptodev-linux PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ 
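Review bot: `config OPENSSL_ENGINE_DIGEST` is added with a prompt but no `help`, in the Config.in hunk that begins at `@@ -234,66 +184,27 @@`. The same hunk deletes the warning that packages built against an engine-enabled library may fail to run when engine support is disabled. Add a help block, for example `Builds the library with -DUSE_CRYPTODEV_DIGESTS so MD5 and SHA-1 digests go through /dev/crypto.`, which is the flag package/libs/openssl/Makefile sets for this symbol later in the commit. Keep the removed compatibility warning under `OPENSSL_ENGINE` if it still applies to this branch; that cannot be told from the hunk.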
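Review bot: `PKG_BASE:=1.0.2` with `PKG_BUGFIX:=q` moves the system TLS library back a major branch, and nothing in the Makefile records why or for how long. The Config.in part of this commit shows what every consumer of libopenssl loses with it, since the TLS 1.3 and ChaCha20-Poly1305 options are deleted, so the effect reaches well beyond qBittorrent. Please confirm that `q` is the newest letter release of that branch upstream still publishes, and add a comment above `PKG_BASE`, e.g. `# Temporary rollback for qt5 5.8/qBittorrent; drops TLS 1.3 and ChaCha20-Poly1305, revert once qt5 builds against 1.1.1` (the reason is inferred from the commit subject).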
@@ -24,30 +24,24 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2 +PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684 +ENGINES_DIR=engines PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE -PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_ENGINE \ - CONFIG_OPENSSL_ENGINE_BUILTIN \ - CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \ - CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \ - CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \ + CONFIG_OPENSSL_ENGINE_CRYPTO \ + CONFIG_OPENSSL_ENGINE_DIGEST \ CONFIG_OPENSSL_NO_DEPRECATED \ CONFIG_OPENSSL_OPTIMIZE_SPEED \ - CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \ - CONFIG_OPENSSL_WITH_ARIA \ CONFIG_OPENSSL_WITH_ASM \ - CONFIG_OPENSSL_WITH_ASYNC \ - CONFIG_OPENSSL_WITH_BLAKE2 \ CONFIG_OPENSSL_WITH_CAMELLIA \ - CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \ CONFIG_OPENSSL_WITH_CMS \ CONFIG_OPENSSL_WITH_COMPRESSION \ CONFIG_OPENSSL_WITH_DTLS \ + CONFIG_OPENSSL_WITH_EC \ CONFIG_OPENSSL_WITH_EC2M \ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ CONFIG_OPENSSL_WITH_GOST \ @@ -57,10 +51,8 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_PSK \ CONFIG_OPENSSL_WITH_RFC3779 \ CONFIG_OPENSSL_WITH_SEED \ - CONFIG_OPENSSL_WITH_SM234 \ CONFIG_OPENSSL_WITH_SRP \ CONFIG_OPENSSL_WITH_SSE2 \ - CONFIG_OPENSSL_WITH_TLS13 \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk @@ -91,12 +83,9 @@ endef define Package/libopenssl $(call Package/openssl/Default) SUBMENU:=SSL - DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \ - +OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \ - +OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \ - +OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock + DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib TITLE+= (libraries) - ABI_VERSION:=1.1 + ABI_VERSION:=1.0.0 MENU:=1 endef 
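Review bot: The first hunk on this line removes `PKG_MAINTAINER` without naming a replacement, which leaves the package with no contact for build or security reports; keep the line or set it to whoever owns the rollback. In the same hunk `PKG_HASH` is the only integrity control on the tarball, because the mirror list kept as context includes `ftp://` and `http://` URLs. A comment such as `# sha256 checked against the digest published by upstream` would record that the new value was verified independently of the download.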
@@ -109,97 +98,51 @@ define Package/openssl-util $(call Package/openssl/Default) SECTION:=utils CATEGORY:=Utilities - DEPENDS:=+libopenssl +libopenssl-conf + DEPENDS:=+libopenssl TITLE+= (utility) endef +define Package/openssl-util/conffiles +/etc/ssl/openssl.cnf +endef + define Package/openssl-util/description $(call Package/openssl/Default/description) This package contains the OpenSSL command-line utility. endef -define Package/libopenssl-conf +define Package/libopenssl-gost $(call Package/openssl/Default) SUBMENU:=SSL - TITLE:=/etc/ssl/openssl.cnf config file - DEPENDS:=libopenssl + TITLE:=Russian GOST algorithms engine + DEPENDS:=libopenssl +@OPENSSL_WITH_GOST endef -define Package/libopenssl-conf/conffiles -/etc/ssl/openssl.cnf -endef - -define Package/libopenssl-conf/description -$(call Package/openssl/Default/description) -This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. -endef - -define Package/libopenssl-afalg - $(call Package/openssl/Default) - SUBMENU:=SSL - TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN -endef - -define Package/libopenssl-afalg/description -This package adds an engine that enables hardware acceleration -through the AF_ALG kernel interface. +define Package/libopenssl-gost/description +This package adds an engine that enables Russian GOST algorithms. 
To use it, you need to configure the engine in /etc/ssl/openssl.cnf -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module -and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators -The engine_id is "afalg" -endef - -define Package/libopenssl-devcrypto - $(call Package/openssl/Default) - SUBMENU:=SSL - TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN -endef - -define Package/libopenssl-devcrypto/description -This package adds an engine that enables hardware acceleration -through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module -and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators -The engine_id is "devcrypto" +See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE +The engine_id is "gost" endef define Package/libopenssl-padlock $(call Package/openssl/Default) SUBMENU:=SSL TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. To use it, you need to configure it in /etc/ssl/openssl.cnf. 
-See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module -and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators +See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE The engine_id is "padlock" endef -OPENSSL_OPTIONS:= shared +OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method -ifndef CONFIG_OPENSSL_WITH_BLAKE2 - OPENSSL_OPTIONS += no-blake2 -endif - -ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305 - OPENSSL_OPTIONS += no-chacha no-poly1305 -else - ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM - OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM - endif -endif - -ifndef CONFIG_OPENSSL_WITH_ASYNC - OPENSSL_OPTIONS += no-async +ifndef CONFIG_OPENSSL_WITH_EC + OPENSSL_OPTIONS += no-ec endif ifndef CONFIG_OPENSSL_WITH_EC2M @@ -210,18 +153,6 @@ ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES OPENSSL_OPTIONS += no-err endif -ifndef CONFIG_OPENSSL_WITH_TLS13 - OPENSSL_OPTIONS += no-tls1_3 -endif - -ifndef CONFIG_OPENSSL_WITH_ARIA - OPENSSL_OPTIONS += no-aria -endif - -ifndef CONFIG_OPENSSL_WITH_SM234 - OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4 -endif - ifndef CONFIG_OPENSSL_WITH_CAMELLIA OPENSSL_OPTIONS += no-camellia endif @@ -246,8 +177,8 @@ ifndef CONFIG_OPENSSL_WITH_CMS OPENSSL_OPTIONS += no-cms endif -ifndef CONFIG_OPENSSL_WITH_RFC3779 - OPENSSL_OPTIONS += no-rfc3779 +ifdef CONFIG_OPENSSL_WITH_RFC3779 + OPENSSL_OPTIONS += enable-rfc3779 endif ifdef CONFIG_OPENSSL_NO_DEPRECATED 
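Review bot: In the new `OPENSSL_OPTIONS:=` line of the hunk that starts at `define Package/openssl-util`, `no-ssl2-method no-ssl3-method` drop the version-specific method functions, which may not stop SSLv3 from being negotiated through the version-flexible method; whether it does for this release is not visible here. If the intent is that the library cannot speak SSLv3 at all, add the protocol-level switch as well: `OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3 no-ssl3-method`. A one-line comment above it stating which legacy protocols are intentionally unavailable would help the next person who edits the list.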
@@ -261,28 +192,15 @@ else endif ifdef CONFIG_OPENSSL_ENGINE - ifdef CONFIG_OPENSSL_ENGINE_BUILTIN - OPENSSL_OPTIONS += disable-dynamic-engine - ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG - OPENSSL_OPTIONS += no-afalgeng - endif - ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO - OPENSSL_OPTIONS += enable-devcryptoeng - endif - ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK - OPENSSL_OPTIONS += no-hw-padlock - endif - else - ifdef CONFIG_PACKAGE_libopenssl-devcrypto - OPENSSL_OPTIONS += enable-devcryptoeng - endif - ifndef CONFIG_PACKAGE_libopenssl-afalg - OPENSSL_OPTIONS += no-afalgeng - endif - ifndef CONFIG_PACKAGE_libopenssl-padlock - OPENSSL_OPTIONS += no-hw-padlock + ifdef CONFIG_OPENSSL_ENGINE_CRYPTO + OPENSSL_OPTIONS += -DHAVE_CRYPTODEV + ifdef CONFIG_OPENSSL_ENGINE_DIGEST + OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS endif endif + ifndef CONFIG_PACKAGE_libopenssl-padlock + OPENSSL_OPTIONS += no-hw-padlock + endif else OPENSSL_OPTIONS += no-engine endif @@ -291,8 +209,10 @@ ifndef CONFIG_OPENSSL_WITH_GOST OPENSSL_OPTIONS += no-gost endif +# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code, +# but openssl util gets built without it ifndef CONFIG_OPENSSL_WITH_DTLS - OPENSSL_OPTIONS += no-dtls + OPENSSL_OPTIONS += no-dtls no-dtls1 endif ifdef CONFIG_OPENSSL_WITH_COMPRESSION @@ -328,6 +248,10 @@ OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) define Build/Configure + [ -f $(STAMP_CONFIGURED) ] || { \ + rm -f $(PKG_BUILD_DIR)/*.so.* $(PKG_BUILD_DIR)/*.a; \ + find $(PKG_BUILD_DIR) -name \*.o | xargs rm -f; \ + } (cd $(PKG_BUILD_DIR); \ ./Configure $(OPENSSL_TARGET) \ --prefix=/usr \ 
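Review bot: The comment added above `ifndef CONFIG_OPENSSL_WITH_DTLS` (hunk `@@ -291,8 +209,10 @@`) says the library keeps the DTLS code even with `no-dtls no-dtls1`, so unsetting `OPENSSL_WITH_DTLS` only changes the command-line utility. Anyone who unsets it to shrink the exposed protocol surface gets no such reduction, and the option's prompt in Config.in does not say so. Add a line to that option's help text, e.g. `Note: the library still contains the DTLS code; only the openssl utility is built without it.`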
@@ -335,9 +259,14 @@ define Build/Configure --openssldir=/etc/ssl \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ - $(OPENSSL_OPTIONS) && \ - { [ -f $(STAMP_CONFIGURED) ] || make clean; } \ + $(OPENSSL_OPTIONS) \ ) + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + MAKEDEPPROG="$(TARGET_CROSS)gcc" \ + OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ + $(OPENSSL_MAKEFLAGS) \ + depend endef TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections @@ -347,16 +276,35 @@ define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ - SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ + ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \ + AR="$(TARGET_CROSS)ar r" \ + RANLIB="$(TARGET_CROSS)ranlib" \ OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ $(OPENSSL_MAKEFLAGS) \ all + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + CC="$(TARGET_CC)" \ + ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \ + AR="$(TARGET_CROSS)ar r" \ + RANLIB="$(TARGET_CROSS)ranlib" \ + OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ + $(OPENSSL_MAKEFLAGS) \ + build-shared + # Work around openssl build bug to link libssl.so with libcrypto.so. + -rm $(PKG_BUILD_DIR)/libssl.so.*.*.* + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + CC="$(TARGET_CC)" \ + OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ + $(OPENSSL_MAKEFLAGS) \ + do_linux-shared $(MAKE) -C $(PKG_BUILD_DIR) \ CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ - DESTDIR="$(PKG_INSTALL_DIR)" \ + INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \ $(OPENSSL_MAKEFLAGS) \ - install_sw install_ssldirs + install endef define Build/InstallDev 
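Review bot: The `all` invocation in `Build/Compile` no longer passes `SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH)`, and none of the invocations added in this hunk sets it. Whether this branch's build embeds a timestamp is not visible here; if it does, the resulting libraries stop being reproducible, which makes it harder to check a shipped binary against its source. Keeping `SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \` on the `all` and `build-shared` calls is harmless if the variable is unused and preserves the property if it is.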
@@ -379,34 +327,24 @@ define Package/libopenssl/install $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)) endef -define Package/libopenssl-conf/install +define Package/openssl-util/install $(INSTALL_DIR) $(1)/etc/ssl $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ -endef - -define Package/openssl-util/install $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef -define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) -endef - -define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) -endef - define Package/libopenssl-padlock/install $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) endef +define Package/libopenssl-gost/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR) +endef + $(eval $(call BuildPackage,libopenssl)) -$(eval $(call BuildPackage,libopenssl-conf)) -$(eval $(call BuildPackage,libopenssl-afalg)) -$(eval $(call BuildPackage,libopenssl-devcrypto)) +$(eval $(call BuildPackage,libopenssl-gost)) $(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch deleted file mode 100644 index 0f91a9d5d..000000000 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ /dev/null 
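Review bot: `/etc/ssl/openssl.cnf` is now installed only by `Package/openssl-util/install`, yet the descriptions of `libopenssl-gost` and `libopenssl-padlock` elsewhere in this commit tell users to configure the engine in that file. Their `DEPENDS` lines no longer pull in anything that ships it. Either add a sentence to both descriptions, e.g. `The file is provided by the openssl-util package.`, or keep the configuration file in a package the engine packages depend on.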
@@ -1,25 +0,0 @@ -From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Thu, 27 Sep 2018 08:29:21 -0300 -Subject: Do not use host kernel version to disable AFALG - -This patch prevents the Configure script from using the host kernel -version to disable building the AFALG engine on openwrt targets. - -Signed-off-by: Eneas U de Queiroz - -diff --git a/Configure b/Configure -index 5a699836f3..74d057c219 100755 ---- a/Configure -+++ b/Configure -@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) - - unless ($disabled{afalgeng}) { - $config{afalgeng}=""; -- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { -+ if ($target =~ m/openwrt$/) { -+ push @{$config{engdirs}}, "afalg"; -+ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) { - my $minver = 4*10000 + 1*100 + 0; - if ($config{CROSS_COMPILE} eq "") { - my $verstr = `uname -r`; diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch new file mode 100644 index 000000000..52a51f9f4 --- /dev/null +++ b/package/libs/openssl/patches/100-openwrt_targets.patch 
@@ -0,0 +1,44 @@ +From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Wed, 26 Sep 2018 16:21:27 -0300 +Subject: Add openwrt targets + +Targets are named: linux-$(CONFIG_ARCH)-openwrt + +Signed-off-by: Eneas U de Queiroz + +--- a/Configure ++++ b/Configure +@@ -470,6 +470,32 @@ my %table=( + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + ++# OpenWrt targets ++# from linux-aarch64 ++"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-generic32 ++"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-armv4 ++"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-armv4 ++"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-elf ++"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-mips32 ++"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux64-mips64 ++"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux64-mips64 ++"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux-mips32 ++"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-ppc ++"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-x86_64 ++"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux-generic32 ++"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer 
-Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++ + # Android: linux-* but without pointers to headers and libs. + "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch deleted file mode 100644 index d0530b466..000000000 --- a/package/libs/openssl/patches/110-openwrt_targets.patch +++ /dev/null 
@@ -1,63 +0,0 @@
-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Thu, 27 Sep 2018 08:30:24 -0300
-Subject: Add openwrt targets
-
-Targets are named: linux-$(CONFIG_ARCH)-openwrt
-
-Signed-off-by: Eneas U de Queiroz
-
-diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
-new file mode 100644
-index 0000000000..86a86d31e4
---- /dev/null
-+++ b/Configurations/25-openwrt.conf
-@@ -0,0 +1,48 @@
-+## Openwrt "CONFIG_ARCH" matching targets.
-+
-+# The targets need to end in '-openwrt' for the AFALG patch to work
-+
-+my %targets = (
-+ "openwrt" => {
-+ template => 1,
-+ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
-+ },
-+ "linux-aarch64-openwrt" => {
-+ inherit_from => [ "linux-aarch64", "openwrt" ],
-+ },
-+ "linux-arc-openwrt" => {
-+ inherit_from => [ "linux-generic32", "openwrt" ],
-+ },
-+ "linux-arm-openwrt" => {
-+ inherit_from => [ "linux-armv4", "openwrt" ],
-+ },
-+ "linux-armeb-openwrt" => {
-+ inherit_from => [ "linux-armv4", "openwrt" ],
-+ },
-+ "linux-i386-openwrt" => {
-+ inherit_from => [ "linux-x86", "openwrt" ],
-+ },
-+ "linux-mips-openwrt" => {
-+ inherit_from => [ "linux-mips32", "openwrt" ],
-+ },
-+ "linux-mips64-openwrt" => {
-+ inherit_from => [ "linux64-mips64", "openwrt" ],
-+ },
-+ "linux-mips64el-openwrt" => {
-+ inherit_from => [ "linux64-mips64", "openwrt" ],
-+ },
-+ "linux-mipsel-openwrt" => {
-+ inherit_from => [ "linux-mips32", "openwrt" ],
-+ },
-+ "linux-powerpc-openwrt" => {
-+ inherit_from => [ "linux-ppc", "openwrt" ],
-+ },
-+ "linux-x86_64-openwrt" => {
-+ inherit_from => [ "linux-x86_64", "openwrt" ],
-+ },
-+
-+### Basic default option
-+ "linux-generic32-openwrt" => {
-+ inherit_from => [ "linux-generic32", "openwrt" ],
-+ },
-+);
diff --git a/package/libs/openssl/patches/110-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch
new file mode 100644
index 000000000..2dbdc7601
--- /dev/null
+++ b/package/libs/openssl/patches/110-perl-path.patch
@@ -0,0 +1,64 @@
+--- a/Configure
++++ b/Configure
+@@ -1,4 +1,4 @@
+-:
++#!/usr/bin/perl
+ eval 'exec perl -S $0 ${1+"$@"}'
+ if $running_under_some_shell;
+ ##
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+
+ # Perl c_rehash script, scan all files in a directory
+ # and add symbolic links to their hash values.
+--- a/util/clean-depend.pl
++++ b/util/clean-depend.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+ # Clean the dependency list in a makefile of standard includes...
+ # Written by Ben Laurie 19 Jan 1999
+
+--- a/util/mkdef.pl
++++ b/util/mkdef.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+ #
+ # generate a .def file
+ #
+--- a/util/mkerr.pl
++++ b/util/mkerr.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+
+ my $config = "crypto/err/openssl.ec";
+ my $hprefix = "openssl/";
+--- a/util/mkstack.pl
++++ b/util/mkstack.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+
+ # This is a utility that searches out "DECLARE_STACK_OF()"
+ # declarations in .h and .c files, and updates/creates/replaces
+--- a/util/pod2man.pl
++++ b/util/pod2man.pl
+@@ -1,4 +1,4 @@
+-: #!/usr/bin/perl-5.005
++#!/usr/bin/perl
+ eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
+ if $running_under_some_shell;
+
+--- a/util/selftest.pl
++++ b/util/selftest.pl
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl -w
++#!/usr/bin/perl
+ #
+ # Run the test suite and generate a report
+ #
diff --git a/package/libs/openssl/patches/120-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch
new file mode 100644
index 000000000..5bcb31648
--- /dev/null
+++ b/package/libs/openssl/patches/120-makefile-dirs.patch
@@ -0,0 +1,11 @@
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -137,7 +137,7 @@ FIPSCANLIB=
+
+ BASEADDR=
+
+-DIRS= crypto ssl engines apps test tools
++DIRS= crypto ssl engines apps
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
deleted file mode 100644
index 7faec9ab8..000000000
--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Thu, 27 Sep 2018 08:31:38 -0300
-Subject: Avoid exposing build directories
-
-The CFLAGS contain the build directories, and are shown by calling
-OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
-
-Signed-off-by: Eneas U de Queiroz
-
-diff --git a/crypto/build.info b/crypto/build.info
-index 2c619c62e8..893128345a 100644
---- a/crypto/build.info
-+++ b/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
- ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
-
- DEPEND[cversion.o]=buildinf.h
--GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
-+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
- DEPEND[buildinf.h]=../configdata.pm
-
- GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
diff --git a/package/libs/openssl/patches/130-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch
new file mode 100644
index 000000000..e38d44a76
--- /dev/null
+++ b/package/libs/openssl/patches/130-disable_doc_tests.patch
@@ -0,0 +1,58 @@
+--- a/Makefile
++++ b/Makefile
+@@ -139,7 +139,7 @@ FIPSCANLIB=
+
+ BASEADDR=0xFB00000
+
+-DIRS= crypto ssl engines apps test tools
++DIRS= crypto ssl engines apps tools
+ ENGDIRS= ccgost
+ SHLIBDIRS= crypto ssl
+
+@@ -157,7 +157,7 @@ SDIRS= \
+
+ # tests to perform. "alltests" is a special word indicating that all tests
+ # should be performed.
+-TESTS = alltests
++TESTS =
+
+ MAKEFILE= Makefile
+
+@@ -171,7 +171,7 @@ SHELL=/bin/sh
+
+ TOP= .
+ ONEDIRS=out tmp
+-EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS
++EDIRS= times bugs util include certs ms shlib mt demos perl sf dep VMS
+ WDIRS= windows
+ LIBS= libcrypto.a libssl.a
+ SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
+@@ -276,7 +276,7 @@ reflect:
+
+ sub_all: build_all
+
+-build_all: build_libs build_apps build_tests build_tools
++build_all: build_libs build_apps build_tools
+
+ build_libs: build_libcrypto build_libssl openssl.pc
+
+@@ -542,7 +542,7 @@ dist:
+ @$(MAKE) SDIRS='$(SDIRS)' clean
+ @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
+
+-install: all install_docs install_sw
++install: all install_sw
+
+ install_sw:
+ @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -540,7 +540,7 @@ dist:
+ @$(MAKE) SDIRS='$(SDIRS)' clean
+ @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
+
+-install: all install_docs install_sw
++install: all install_sw
+
+ install_sw:
+ @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
deleted file mode 100644
index fa79cc602..000000000
--- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
+++ /dev/null
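Review bot: The `DIRS`, `TESTS`, `EDIRS` and `build_all` hunks of 130-disable_doc_tests.patch are applied to `Makefile` only, and just the `install:` change is repeated for `Makefile.org`. The rule removed by 160-remove_timestamp_check.patch suggests `Makefile` is regenerated from `Makefile.org` by Configure; if so, those four hunks would be overwritten on a configure run and `build_tests` would still be part of `build_all`. In that case the edits belong in `Makefile.org`, e.g. `build_all: build_libs build_apps build_tools` there. 120-makefile-dirs.patch also sets `DIRS` in `Makefile.org` to `crypto ssl engines apps`, so the two patches disagree on whether `tools` is in `DIRS`.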
@@ -1,31 +0,0 @@
-From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Thu, 27 Sep 2018 08:34:38 -0300
-Subject: Do not build tests and fuzz directories
-
-This shortens build time.
-
-Signed-off-by: Eneas U de Queiroz
-
-diff --git a/Configure b/Configure
-index 74d057c219..5813e9f8fe 100755
---- a/Configure
-+++ b/Configure
-@@ -296,7 +296,7 @@ my $auto_threads=1; # enable threads automatically? true by default
- my $default_ranlib;
-
- # Top level directories to build
--$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
-+$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ];
- # crypto/ subdirectories to build
- $config{sdirs} = [
- "objects",
-@@ -308,7 +308,7 @@ $config{sdirs} = [
- "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
- ];
- # test/ subdirectories to build
--$config{tdirs} = [ "ossl_shim" ];
-+$config{tdirs} = [];
-
- # Known TLS and DTLS protocols
- my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);
diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
deleted file mode 100644
index b293db28f..000000000
--- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Thu, 27 Sep 2018 08:44:39 -0300
-Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
-
-This enables a compile-time option to prefer ChaCha20-Poly1305 over
-AES-GCM in the openssl default ciphersuite, which is useful in systems
-without AES specific CPU instructions.
-OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
-
-Note that this does not have the same effect as the
-SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
-when the client has it on top of its ciphersuite preference.
-
-Signed-off-by: Eneas U de Queiroz
-
-diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
-index 6724ccf2d2..96d959427e 100644
---- a/include/openssl/ssl.h
-+++ b/include/openssl/ssl.h
-@@ -173,9 +173,15 @@ extern "C" {
- # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
- /* This is the default set of TLSv1.3 ciphersuites */
- # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
--# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
-- "TLS_CHACHA20_POLY1305_SHA256:" \
-- "TLS_AES_128_GCM_SHA256"
-+# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
-+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
-+ "TLS_AES_256_GCM_SHA384:" \
-+ "TLS_AES_128_GCM_SHA256"
-+# else
-+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
-+ "TLS_CHACHA20_POLY1305_SHA256:" \
-+ "TLS_AES_128_GCM_SHA256"
-+# endif
- # else
- # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_AES_128_GCM_SHA256"
-diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 27a1b2ec68..7039811323 100644
---- a/ssl/ssl_ciph.c
-+++ b/ssl/ssl_ciph.c
-@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
- ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
- &tail);
-
-+ /*
-+ * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
-+ * will be placed before AES-256. Otherwise, the default behavior of
-+ * preferring GCM over CHACHA is used.
-+ * This is useful for systems that do not have AES-specific CPU
-+ * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
-+ * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
-+ * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
-+ * of its ciphersuite preference.
-+ */
-+
-+#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
-+ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
-+ &head, &tail);
-+ ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
-+ &head, &tail);
-+#else
- /* Within each strength group, we prefer GCM over CHACHA... */
- ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
- &head, &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
- &head, &tail);
-+#endif
-
- /*
- * ...and generally, our preferred cipher is AES.
-@@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
- * Within each group, ciphers remain sorted by strength and previous
- * preference, i.e.,
- * 1) ECDHE > DHE
-- * 2) GCM > CHACHA
-+ * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined
- * 3) AES > rest
- * 4) TLS 1.2 > legacy
- *
diff --git a/package/libs/openssl/patches/140-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch
new file mode 100644
index 000000000..c29b59afd
--- /dev/null
+++ b/package/libs/openssl/patches/140-bash_path.patch
@@ -0,0 +1,8 @@
+--- a/util/domd
++++ b/util/domd
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/usr/bin/env bash
+ # Do a makedepend, only leave out the standard headers
+ # Written by Ben Laurie 19 Jan 1999
+
diff --git a/package/libs/openssl/patches/150-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch
new file mode 100644
index 000000000..3e36beb49
--- /dev/null
+++ b/package/libs/openssl/patches/150-fix_link_segfault.patch
@@ -0,0 +1,18 @@
+--- a/Makefile.shared
++++ b/Makefile.shared
+@@ -95,7 +95,6 @@ LINK_APP= \
+ LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
+ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
+ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+ $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
+
+ LINK_SO= \
+@@ -105,7 +104,6 @@ LINK_SO= \
+ SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
+ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
+ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+ $${SHAREDCMD} $${SHAREDFLAGS} \
+ -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+ $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
deleted file mode 100644
index 6c7143dd7..000000000
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ /dev/null
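Review bot: 150-fix_link_segfault.patch has no description, so nothing records why `LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH` is dropped from `LINK_APP` and `LINK_SO`; only the file name hints at a segfault. A short header would make the change reviewable, for example `Do not export LD_LIBRARY_PATH for the link step: in a cross build LIBPATH holds target libraries that the host toolchain must not load`, assuming that is the actual cause. Both inner hunks begin and end inside the make variable definitions, so the full `LINK_APP` and `LINK_SO` bodies are not visible here.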
@@ -1,56 +0,0 @@
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -22,6 +22,53 @@ oid_section = new_oids
- # (Alternatively, use a configuration file that has only
- # X.509v3 extensions in its main [= default] section.)
-
-+openssl_conf=openssl_conf
-+
-+[openssl_conf]
-+engines=engines
-+
-+[engines]
-+# To enable an engine, install the package, and uncomment it here:
-+#devcrypto=devcrypto
-+#afalg=afalg
-+#padlock=padlock
-+
-+[afalg]
-+default_algorithms = ALL
-+
-+[devcrypto]
-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
-+default_algorithms = ALL
-+
-+# Configuration commands:
-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
-+# list of supported algorithms, along with their driver, whether they
-+# are hw accelerated or not, and the engine's configuration commands.
-+
-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
-+# if acceleration can't be determined) [default=2]
-+#USE_SOFTDRIVERS = 2
-+
-+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
-+# enable [default=ALL]
-+# It is recommended to disable the ECB ciphers; in most cases, it will
-+# only be used for PRNG, in small blocks, where performance is poor,
-+# and there may be problems with apps forking with open crypto
-+# contexts, leading to failures. The CBC ciphers work well:
-+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
-+
-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
-+# enable [default=NONE]
-+# It is strongly recommended not to enable digests; their performance
-+# is poor, and there are many cases in which they will not work,
-+# especially when calling fork with open crypto contexts. Openssh,
-+# for example, does this, and you may not be able to login.
-+#DIGESTS = NONE
-+
-+[padlock]
-+default_algorithms = ALL
-+
- [ new_oids ]
-
- # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
diff --git a/package/libs/openssl/patches/160-remove_timestamp_check.patch b/package/libs/openssl/patches/160-remove_timestamp_check.patch
new file mode 100644
index 000000000..424e66063
--- /dev/null
+++ b/package/libs/openssl/patches/160-remove_timestamp_check.patch
@@ -0,0 +1,23 @@
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -185,7 +185,7 @@ TARFILE= ../$(NAME).tar
+ EXHEADER= e_os2.h
+ HEADER= e_os.h
+
+-all: Makefile build_all
++all: build_all
+
+ # as we stick to -e, CLEARENV ensures that local variables in lower
+ # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
+@@ -404,11 +404,6 @@ openssl.pc: Makefile
+ echo 'Version: '$(VERSION); \
+ echo 'Requires: libssl libcrypto' ) > openssl.pc
+
+-Makefile: Makefile.org Configure config
+- @echo "Makefile is older than Makefile.org, Configure or config."
+- @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
+- @false
+-
+ libclean:
+ rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
+
diff --git a/package/libs/openssl/patches/170-parallel_build.patch b/package/libs/openssl/patches/170-parallel_build.patch
new file mode 100644
index 000000000..cbe5d5124
--- /dev/null
+++ b/package/libs/openssl/patches/170-parallel_build.patch
@@ -0,0 +1,184 @@
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi
+ build_libssl: build_ssl libssl.pc
+
+ build_crypto:
+- @dir=crypto; target=all; $(BUILD_ONE_CMD)
++ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
+ build_ssl: build_crypto
+- @dir=ssl; target=all; $(BUILD_ONE_CMD)
++ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
+ build_engines: build_crypto
+- @dir=engines; target=all; $(BUILD_ONE_CMD)
++ +@dir=engines; target=all; $(BUILD_ONE_CMD)
+ build_apps: build_libs
+- @dir=apps; target=all; $(BUILD_ONE_CMD)
++ +@dir=apps; target=all; $(BUILD_ONE_CMD)
+ build_tests: build_libs
+- @dir=test; target=all; $(BUILD_ONE_CMD)
++ +@dir=test; target=all; $(BUILD_ONE_CMD)
+ build_tools: build_libs
+- @dir=tools; target=all; $(BUILD_ONE_CMD)
++ +@dir=tools; target=all; $(BUILD_ONE_CMD)
+
+ all_testapps: build_libs build_testapps
+ build_testapps:
+@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut
+ @set -e; target=update; $(RECURSIVE_BUILD_CMD)
+
+ depend:
+- @set -e; target=depend; $(RECURSIVE_BUILD_CMD)
++ +@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
+
+ lint:
+ @set -e; target=lint; $(RECURSIVE_BUILD_CMD)
+@@ -535,9 +535,9 @@ dist:
+ @$(MAKE) SDIRS='$(SDIRS)' clean
+ @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
+
+-install: all install_sw
++install: install_sw
+
+-install_sw:
++install_dirs:
+ @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
+@@ -546,12 +546,19 @@ install_sw:
+ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
+ $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
+ $(INSTALL_PREFIX)$(OPENSSLDIR)/private
++ @$(PERL) $(TOP)/util/mkdir-p.pl \
++ $(INSTALL_PREFIX)$(MANDIR)/man1 \
++ $(INSTALL_PREFIX)$(MANDIR)/man3 \
++ $(INSTALL_PREFIX)$(MANDIR)/man5 \
++ $(INSTALL_PREFIX)$(MANDIR)/man7
++
++install_sw: install_dirs
+ @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
+ do \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
++ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
+ do \
+ if [ -f "$$i" ]; then \
+@@ -635,12 +642,7 @@ install_html_docs:
+ done; \
+ done
+
+-install_docs:
+- @$(PERL) $(TOP)/util/mkdir-p.pl \
+- $(INSTALL_PREFIX)$(MANDIR)/man1 \
+- $(INSTALL_PREFIX)$(MANDIR)/man3 \
+- $(INSTALL_PREFIX)$(MANDIR)/man5 \
+- $(INSTALL_PREFIX)$(MANDIR)/man7
++install_docs: install_dirs
+ @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
+ here="`pwd`"; \
+ filecase=; \
+--- a/Makefile.shared
++++ b/Makefile.shared
+@@ -120,6 +120,7 @@ SYMLINK_SO= \
+ done; \
+ fi; \
+ if [ -n "$$SHLIB_SOVER" ]; then \
++ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
+ ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
+ ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+ fi; \
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -87,11 +87,11 @@ testapps:
+ @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+
+ subdirs:
+- @target=all; $(RECURSIVE_MAKE)
++ +@target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
+- @target=files; $(RECURSIVE_MAKE)
++ +@target=files; $(RECURSIVE_MAKE)
+
+ links:
+ @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+@@ -102,7 +102,7 @@ links:
+ # lib: $(LIB): are splitted to avoid end-less loop
+ lib: $(LIB)
+ @touch lib
+-$(LIB): $(LIBOBJ)
++$(LIB): $(LIBOBJ) | subdirs
+ $(AR) $(LIB) $(LIBOBJ)
+ test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+ $(RANLIB) $(LIB) || echo Never mind.
+@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
+ fi
+
+ libs:
+- @target=lib; $(RECURSIVE_MAKE)
++ +@target=lib; $(RECURSIVE_MAKE)
+
+ install:
+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+@@ -122,7 +122,7 @@ install:
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+- @target=install; $(RECURSIVE_MAKE)
++ +@target=install; $(RECURSIVE_MAKE)
+
+ lint:
+ @target=lint; $(RECURSIVE_MAKE)
+--- a/engines/Makefile
++++ b/engines/Makefile
+@@ -72,7 +72,7 @@ top:
+
+ all: lib subdirs
+
+-lib: $(LIBOBJ)
++lib: $(LIBOBJ) | subdirs
+ @if [ -n "$(SHARED_LIBS)" ]; then \
+ set -e; \
+ for l in $(LIBNAMES); do \
+@@ -89,7 +89,7 @@ lib: $(LIBOBJ)
+
+ subdirs:
+ echo $(EDIRS)
+- @target=all; $(RECURSIVE_MAKE)
++ +@target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+@@ -128,7 +128,7 @@ install:
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
+- @target=install; $(RECURSIVE_MAKE)
++ +@target=install; $(RECURSIVE_MAKE)
+
+ tags:
+ ctags $(SRC)
+--- a/test/Makefile
++++ b/test/Makefile
+@@ -145,7 +145,7 @@ install:
+ tags:
+ ctags $(SRC)
+
+-tests: exe apps $(TESTS)
++tests: exe $(TESTS)
+
+ apps:
+ @(cd ..; $(MAKE) DIRS=apps all)
+@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
+ # fi
+
+ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
+- @target=dummytest; $(BUILD_CMD)
++ +@target=dummytest; $(BUILD_CMD)
+
+ # DO NOT DELETE THIS LINE -- make depend depends on it.
+
diff --git a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
new file mode 100644
index 000000000..e70bd077d
--- /dev/null
+++ b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
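Review bot: The guard added to `SYMLINK_SO` in Makefile.shared, `[ -e "$$SHLIB$$SHLIB_SUFFIX" ] ||`, skips the `rm -f`/`ln -s` pair whenever something already exists at that path, so a link left by an earlier build is never re-pointed at the current `$$prev`. In a tree that is rebuilt without a clean after the library version changes, the unversioned name would presumably keep resolving to the old library. 170-parallel_build.patch carries no description, so a header should state that the guard exists to stop concurrent jobs racing on the link (if that is the intent) and that it relies on a clean build directory. The same header should mention that `install: install_sw` no longer depends on `all`, since `make install` will not build anything first.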
@@ -0,0 +1,21 @@
+From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz
+Date: Wed, 26 Sep 2018 18:04:58 -0300
+Subject: Avoid exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz
+
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -57,7 +57,7 @@ top:
+ all: shared
+
+ buildinf.h: ../Makefile
+- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
++ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h
+
+ x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl
+ $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch
deleted file mode 100644
index 84c68b16a..000000000
--- a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch
+++ /dev/null
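Review bot: The `filter-out` list in the new `buildinf.h` rule of 180-strip-cflags-from-binary.patch covers `-I%`, `-iremap%` and `-fmacro-prefix-map%` but not `-ffile-prefix-map%`, which the 120-strip-cflags-from-binary.patch deleted by this same commit did filter. If the toolchain passes `-ffile-prefix-map=` in CFLAGS, the build directory would presumably still end up in `buildinf.h` and be printed by `openssl version -a`, which is the exposure this patch is meant to close. I would extend the list to match the removed patch: `$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(CFLAGS))`.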
@@ -1,60 +0,0 @@
-From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Mon, 5 Nov 2018 15:54:17 -0200
-Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT
-
-Since each ioctl causes a context switch, slowing things down, if
-EVP_MD_CTX_FLAG_ONESHOT is set, then:
- - call the ioctl in digest_update, saving the result; and
- - just copy the result in digest_final, instead of using another ioctl.
-
-Signed-off-by: Eneas U de Queiroz
-
-Reviewed-by: Matthias St. Pierre
-Reviewed-by: Richard Levitte
-(Merged from https://github.com/openssl/openssl/pull/7585)
-
-diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a727c6f646..a2c9a966f7 100644
---- a/crypto/engine/eng_devcrypto.c
-+++ b/crypto/engine/eng_devcrypto.c
-@@ -461,6 +461,7 @@ struct digest_ctx {
- struct session_op sess;
- /* This signals that the init function was called, not that it succeeded. */
- int init_called;
-+ unsigned char digest_res[HASH_MAX_LEN];
- };
-
- static const struct digest_data_st {
-@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
- if (digest_ctx == NULL)
- return 0;
-
-- if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
-- SYSerr(SYS_F_IOCTL, errno);
-- return 0;
-+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) {
-+ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0)
-+ return 1;
-+ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) {
-+ return 1;
- }
-
-- return 1;
-+ SYSerr(SYS_F_IOCTL, errno);
-+ return 0;
- }
-
- static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
-@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
-
- if (md == NULL || digest_ctx == NULL)
- return 0;
-- if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
-+
-+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) {
-+ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx));
-+ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
- }
diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
deleted file mode 100644
index 8745364cf..000000000
--- a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
+++ /dev/null
@@ -1,569 +0,0 @@ -From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Sat, 3 Nov 2018 15:41:10 -0300 -Subject: eng_devcrypto: add configuration options - -USE_SOFTDRIVERS: whether to use software (not accelerated) drivers -CIPHERS: list of ciphers to enable -DIGESTS: list of digests to enable - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - -diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a2c9a966f7..5ec38ca8f3 100644 ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -16,6 +16,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -36,6 +37,30 @@ - * saner... why re-open /dev/crypto for every session? - */ - static int cfd; -+#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ -+#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ -+#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ -+ -+#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE -+static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; -+ -+/* -+ * cipher/digest status & acceleration definitions -+ * Make sure the defaults are set to 0 -+ */ -+struct driver_info_st { -+ enum devcrypto_status_t { -+ DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ -+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ -+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ -+ } status; -+ -+ enum devcrypto_accelerated_t { -+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ -+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ -+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ -+ } accelerated; -+}; - - static int clean_devcrypto_session(struct session_op *sess) { - if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { -@@ -119,13 +144,22 @@ static 
const struct cipher_data_st {
- #endif
- };
-
--static size_t get_cipher_data_index(int nid)
-+static size_t find_cipher_data_index(int nid)
- {
- size_t i;
-
- for (i = 0; i < OSSL_NELEM(cipher_data); i++)
- if (nid == cipher_data[i].nid)
- return i;
-+ return (size_t)-1;
-+}
-+
-+static size_t get_cipher_data_index(int nid)
-+{
-+ size_t i = find_cipher_data_index(nid);
-+
-+ if (i != (size_t)-1)
-+ return i;
-
- /*
- * Code further down must make sure that only NIDs in the table above
-@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
- }
-
- /*
-- * Keep a table of known nids and associated methods.
-+ * Keep tables of known nids, associated methods, selected ciphers, and driver
-+ * info.
- * Note that known_cipher_nids[] isn't necessarily indexed the same way as
-- * cipher_data[] above, which known_cipher_methods[] is.
-+ * cipher_data[] above, which the other tables are.
- */
- static int known_cipher_nids[OSSL_NELEM(cipher_data)];
- static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
- static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
-+static int selected_ciphers[OSSL_NELEM(cipher_data)];
-+static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)];
-+
-+
-+static int devcrypto_test_cipher(size_t cipher_data_index)
-+{
-+ return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE
-+ && selected_ciphers[cipher_data_index] == 1
-+ && (cipher_driver_info[cipher_data_index].accelerated
-+ == DEVCRYPTO_ACCELERATED
-+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE
-+ || (cipher_driver_info[cipher_data_index].accelerated
-+ != DEVCRYPTO_NOT_ACCELERATED
-+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE)));
-+}
-
- static void prepare_cipher_methods(void)
- {
- size_t i;
- struct session_op sess;
- unsigned long cipher_mode;
-+#ifdef CIOCGSESSINFO
-+ struct session_info_op siop;
-+#endif
-+
-+ memset(&cipher_driver_info, 0, sizeof(cipher_driver_info));
-
- 
memset(&sess, 0, sizeof(sess));
- sess.key = (void *)"01234567890123456789012345678901234567890123456789";
-@@ -353,15 +408,16 @@ static void prepare_cipher_methods(void)
- for (i = 0, known_cipher_nids_amount = 0;
- i < OSSL_NELEM(cipher_data); i++) {
-
-+ selected_ciphers[i] = 1;
- /*
-- * Check that the algo is really availably by trying to open and close
-- * a session.
-+ * Check that the cipher is usable
- */
- sess.cipher = cipher_data[i].devcryptoid;
- sess.keylen = cipher_data[i].keylen;
-- if (ioctl(cfd, CIOCGSESSION, &sess) < 0
-- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
-+ if (ioctl(cfd, CIOCGSESSION, &sess) < 0) {
-+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
- continue;
-+ }
-
- cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
-
-@@ -387,15 +443,41 @@ static void prepare_cipher_methods(void)
- cipher_cleanup)
- || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
- sizeof(struct cipher_ctx))) {
-+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
- EVP_CIPHER_meth_free(known_cipher_methods[i]);
- known_cipher_methods[i] = NULL;
- } else {
-+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
-+#ifdef CIOCGSESSINFO
-+ siop.ses = sess.ses;
-+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
-+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
-+ else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY))
-+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
-+ else
-+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
-+#endif /* CIOCGSESSINFO */
-+ }
-+ ioctl(cfd, CIOCFSESSION, &sess.ses);
-+ if (devcrypto_test_cipher(i)) {
- known_cipher_nids[known_cipher_nids_amount++] =
- cipher_data[i].nid;
- }
- }
- }
-
-+static void rebuild_known_cipher_nids(ENGINE *e)
-+{
-+ size_t i;
-+
-+ for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) {
-+ if (devcrypto_test_cipher(i))
-+ known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid;
-+ }
-+ 
ENGINE_unregister_ciphers(e);
-+ ENGINE_register_ciphers(e);
-+}
-+
- static const EVP_CIPHER *get_cipher_method(int nid)
- {
- size_t i = get_cipher_data_index(nid);
-@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
- return *cipher != NULL;
- }
-
-+static void devcrypto_select_all_ciphers(int *cipher_list)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < OSSL_NELEM(cipher_data); i++)
-+ cipher_list[i] = 1;
-+}
-+
-+static int cryptodev_select_cipher_cb(const char *str, int len, void *usr)
-+{
-+ int *cipher_list = (int *)usr;
-+ char *name;
-+ const EVP_CIPHER *EVP;
-+ size_t i;
-+
-+ if (len == 0)
-+ return 1;
-+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL)
-+ return 0;
-+ EVP = EVP_get_cipherbyname(name);
-+ if (EVP == NULL)
-+ fprintf(stderr, "devcrypto: unknown cipher %s\n", name);
-+ else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1)
-+ cipher_list[i] = 1;
-+ else
-+ fprintf(stderr, "devcrypto: cipher %s not available\n", name);
-+ OPENSSL_free(name);
-+ return 1;
-+}
-+
- /*
- * We only support digests if the cryptodev implementation supports multiple
- * data updates and session copying. Otherwise, we would be forced to maintain
-@@ -493,13 +605,22 @@ static const struct digest_data_st {
- #endif
- };
-
--static size_t get_digest_data_index(int nid)
-+static size_t find_digest_data_index(int nid)
- {
- size_t i;
-
- for (i = 0; i < OSSL_NELEM(digest_data); i++)
- if (nid == digest_data[i].nid)
- return i;
-+ return (size_t)-1;
-+}
-+
-+static size_t get_digest_data_index(int nid)
-+{
-+ size_t i = find_digest_data_index(nid);
-+
-+ if (i != (size_t)-1)
-+ return i;
-
- /*
- * Code further down must make sure that only NIDs in the table above
-@@ -516,8 +637,8 @@ static const struct digest_data_st *get_digest_data(int nid)
- }
-
- /*
-- * Following are the four necessary functions to map OpenSSL functionality
-- * with cryptodev.
-+ * Following are the five necessary functions to map OpenSSL functionality
-+ * with cryptodev: init, update, final, cleanup, and copy.
- */
-
- static int digest_init(EVP_MD_CTX *ctx)
-@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ctx)
- return clean_devcrypto_session(&digest_ctx->sess);
- }
-
--static int devcrypto_test_digest(size_t digest_data_index)
--{
-- struct session_op sess1, sess2;
-- struct cphash_op cphash;
-- int ret=0;
--
-- memset(&sess1, 0, sizeof(sess1));
-- memset(&sess2, 0, sizeof(sess2));
-- sess1.mac = digest_data[digest_data_index].devcryptoid;
-- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
-- return 0;
-- /* Make sure the driver is capable of hash state copy */
-- sess2.mac = sess1.mac;
-- if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
-- cphash.src_ses = sess1.ses;
-- cphash.dst_ses = sess2.ses;
-- if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
-- ret = 1;
-- ioctl(cfd, CIOCFSESSION, &sess2.ses);
-- }
-- ioctl(cfd, CIOCFSESSION, &sess1.ses);
-- return ret;
--}
--
- /*
-- * Keep a table of known nids and associated methods.
-+ * Keep tables of known nids, associated methods, selected digests, and
-+ * driver info.
- * Note that known_digest_nids[] isn't necessarily indexed the same way as
-- * digest_data[] above, which known_digest_methods[] is.
-+ * digest_data[] above, which the other tables are.
- */
- static int known_digest_nids[OSSL_NELEM(digest_data)];
- static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */
- static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, };
-+static int selected_digests[OSSL_NELEM(digest_data)];
-+static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)];
-+
-+static int devcrypto_test_digest(size_t digest_data_index)
-+{
-+ return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE
-+ && selected_digests[digest_data_index] == 1
-+ && (digest_driver_info[digest_data_index].accelerated
-+ == DEVCRYPTO_ACCELERATED
-+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE
-+ || (digest_driver_info[digest_data_index].accelerated
-+ != DEVCRYPTO_NOT_ACCELERATED
-+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE)));
-+}
-+
-+static void rebuild_known_digest_nids(ENGINE *e)
-+{
-+ size_t i;
-+
-+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) {
-+ if (devcrypto_test_digest(i))
-+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
-+ }
-+ ENGINE_unregister_digests(e);
-+ ENGINE_register_digests(e);
-+}
-
- static void prepare_digest_methods(void)
- {
- size_t i;
-+ struct session_op sess1, sess2;
-+#ifdef CIOCGSESSINFO
-+ struct session_info_op siop;
-+#endif
-+ struct cphash_op cphash;
-+
-+ memset(&digest_driver_info, 0, sizeof(digest_driver_info));
-+
-+ memset(&sess1, 0, sizeof(sess1));
-+ memset(&sess2, 0, sizeof(sess2));
-
- for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
- i++) {
-
-+ selected_digests[i] = 1;
-+
- /*
-- * Check that the algo is usable
-+ * Check that the digest is usable
- */
-- if (!devcrypto_test_digest(i))
-- continue;
-+ sess1.mac = digest_data[i].devcryptoid;
-+ sess2.ses = 0;
-+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) {
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
-+ goto finish;
-+ }
-
-+#ifdef CIOCGSESSINFO
-+ /* gather hardware acceleration info 
from the driver */
-+ siop.ses = sess1.ses;
-+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
-+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
-+ else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)
-+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
-+ else
-+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
-+#endif
-+
-+ /* digest must be capable of hash state copy */
-+ sess2.mac = sess1.mac;
-+ if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) {
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
-+ goto finish;
-+ }
-+ cphash.src_ses = sess1.ses;
-+ cphash.dst_ses = sess2.ses;
-+ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) {
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
-+ goto finish;
-+ }
- if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
- NID_undef)) == NULL
- || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i],
-@@ -689,11 +852,18 @@ static void prepare_digest_methods(void)
- || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup)
- || !EVP_MD_meth_set_app_datasize(known_digest_methods[i],
- sizeof(struct digest_ctx))) {
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
- EVP_MD_meth_free(known_digest_methods[i]);
- known_digest_methods[i] = NULL;
-- } else {
-- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
-+ goto finish;
- }
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
-+finish:
-+ ioctl(cfd, CIOCFSESSION, &sess1.ses);
-+ if (sess2.ses != 0)
-+ ioctl(cfd, CIOCFSESSION, &sess2.ses);
-+ if (devcrypto_test_digest(i))
-+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
- }
- }
-
-@@ -739,8 +909,154 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest,
- return *digest != NULL;
- }
-
-+static void devcrypto_select_all_digests(int *digest_list)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < OSSL_NELEM(digest_data); i++)
-+ digest_list[i] = 1;
-+}
-+
-+static int cryptodev_select_digest_cb(const char 
*str, int len, void *usr)
-+{
-+ int *digest_list = (int *)usr;
-+ char *name;
-+ const EVP_MD *EVP;
-+ size_t i;
-+
-+ if (len == 0)
-+ return 1;
-+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL)
-+ return 0;
-+ EVP = EVP_get_digestbyname(name);
-+ if (EVP == NULL)
-+ fprintf(stderr, "devcrypto: unknown digest %s\n", name);
-+ else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1)
-+ digest_list[i] = 1;
-+ else
-+ fprintf(stderr, "devcrypto: digest %s not available\n", name);
-+ OPENSSL_free(name);
-+ return 1;
-+}
-+
-+#endif
-+
-+/******************************************************************************
-+ *
-+ * CONTROL COMMANDS
-+ *
-+ *****/
-+
-+#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE
-+#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1)
-+#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2)
-+#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3)
-+
-+/* Helper macros for CPP string composition */
-+#ifndef OPENSSL_MSTR
-+# define OPENSSL_MSTR_HELPER(x) #x
-+# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x)
-+#endif
-+
-+static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
-+#ifdef CIOCGSESSINFO
-+ {DEVCRYPTO_CMD_USE_SOFTDRIVERS,
-+ "USE_SOFTDRIVERS",
-+ "specifies whether to use software (not accelerated) drivers ("
-+ OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, "
-+ OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, "
-+ OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE)
-+ "=use if acceleration can't be determined) [default="
-+ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]",
-+ ENGINE_CMD_FLAG_NUMERIC},
-+#endif
-+
-+ {DEVCRYPTO_CMD_CIPHERS,
-+ "CIPHERS",
-+ "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]",
-+ ENGINE_CMD_FLAG_STRING},
-+
-+#ifdef IMPLEMENT_DIGEST
-+ {DEVCRYPTO_CMD_DIGESTS,
-+ "DIGESTS",
-+ "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
-+ ENGINE_CMD_FLAG_STRING},
- #endif
-
-+ {0, NULL, NULL, 0}
-+};
-+
-+static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
-+{
-+ int *new_list;
-+ switch (cmd) {
-+#ifdef CIOCGSESSINFO
-+ case DEVCRYPTO_CMD_USE_SOFTDRIVERS:
-+ switch (i) {
-+ case DEVCRYPTO_REQUIRE_ACCELERATED:
-+ case DEVCRYPTO_USE_SOFTWARE:
-+ case DEVCRYPTO_REJECT_SOFTWARE:
-+ break;
-+ default:
-+ fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i);
-+ return 0;
-+ }
-+ if (use_softdrivers == i)
-+ return 1;
-+ use_softdrivers = i;
-+#ifdef IMPLEMENT_DIGEST
-+ rebuild_known_digest_nids(e);
-+#endif
-+ rebuild_known_cipher_nids(e);
-+ return 1;
-+#endif /* CIOCGSESSINFO */
-+
-+ case DEVCRYPTO_CMD_CIPHERS:
-+ if (p == NULL)
-+ return 1;
-+ if (strcasecmp((const char *)p, "ALL") == 0) {
-+ devcrypto_select_all_ciphers(selected_ciphers);
-+ } else if (strcasecmp((const char*)p, "NONE") == 0) {
-+ memset(selected_ciphers, 0, sizeof(selected_ciphers));
-+ } else {
-+ new_list=OPENSSL_zalloc(sizeof(selected_ciphers));
-+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) {
-+ OPENSSL_free(new_list);
-+ return 0;
-+ }
-+ memcpy(selected_ciphers, new_list, sizeof(selected_ciphers));
-+ OPENSSL_free(new_list);
-+ }
-+ rebuild_known_cipher_nids(e);
-+ return 1;
-+
-+#ifdef IMPLEMENT_DIGEST
-+ case DEVCRYPTO_CMD_DIGESTS:
-+ if (p == NULL)
-+ return 1;
-+ if (strcasecmp((const char *)p, "ALL") == 0) {
-+ devcrypto_select_all_digests(selected_digests);
-+ } else if (strcasecmp((const char*)p, "NONE") == 0) {
-+ memset(selected_digests, 0, sizeof(selected_digests));
-+ } else {
-+ new_list=OPENSSL_zalloc(sizeof(selected_digests));
-+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) {
-+ OPENSSL_free(new_list);
-+ return 0;
-+ }
-+ memcpy(selected_digests, new_list, sizeof(selected_digests));
-+ OPENSSL_free(new_list);
-+ }
-+ rebuild_known_digest_nids(e);
-+ return 1;
-+#endif /* IMPLEMENT_DIGEST */
-+
-+ default:
-+ break;
-+ }
-+ return 0;
-+}
-+
- 
/******************************************************************************
- *
- * LOAD / UNLOAD
-@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int()
-
- if (!ENGINE_set_id(e, "devcrypto")
- || !ENGINE_set_name(e, "/dev/crypto engine")
-+ || !ENGINE_set_cmd_defns(e, devcrypto_cmds)
-+ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)
-
- /*
- * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch
deleted file mode 100644
index ad83a51a1..000000000
--- a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch
+++ /dev/null 
@@ -1,275 +0,0 @@
-From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Tue, 6 Nov 2018 22:54:07 -0200
-Subject: eng_devcrypto: add command to dump driver info
-
-This is useful to determine the kernel driver running each algorithm.
-
-Signed-off-by: Eneas U de Queiroz
-
-Reviewed-by: Matthias St. Pierre
-Reviewed-by: Richard Levitte
-(Merged from https://github.com/openssl/openssl/pull/7585)
-
-diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index 5ec38ca8f3..64dc6b891d 100644
---- a/crypto/engine/eng_devcrypto.c
-+++ b/crypto/engine/eng_devcrypto.c
-@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;
- */
- struct driver_info_st {
- enum devcrypto_status_t {
-- DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */
-- DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */
-- DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */
-+ DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */
-+ DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */
-+ DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */
-+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */
-+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */
- } status;
-
- enum devcrypto_accelerated_t {
-- DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */
-- DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */
-- DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */
-+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */
-+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */
-+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */
- } accelerated;
-+
-+ char *driver_name;
- };
-
- static int clean_devcrypto_session(struct session_op *sess) {
-@@ -415,7 +419,7 @@ static void prepare_cipher_methods(void)
- sess.cipher = cipher_data[i].devcryptoid;
- sess.keylen = cipher_data[i].keylen;
- if (ioctl(cfd, CIOCGSESSION, &sess) < 0) {
-- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
-+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION;
- continue;
- }
-
-@@ -443,19 +447,24 @@ static void prepare_cipher_methods(void)
- cipher_cleanup)
- || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
- sizeof(struct cipher_ctx))) {
-- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
-+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE;
- EVP_CIPHER_meth_free(known_cipher_methods[i]);
- known_cipher_methods[i] = NULL;
- } else {
- cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
- #ifdef CIOCGSESSINFO
- siop.ses = sess.ses;
-- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
-+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) {
- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
-- else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY))
-- cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
-- else
-- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
-+ } else {
-+ cipher_driver_info[i].driver_name =
-+ OPENSSL_strndup(siop.cipher_info.cra_driver_name,
-+ CRYPTODEV_MAX_ALG_NAME);
-+ if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY))
-+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
-+ else
-+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
-+ }
- #endif /* CIOCGSESSINFO */
- }
- ioctl(cfd, CIOCFSESSION, &sess.ses);
-@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(void)
- {
- size_t i;
-
-- for (i = 0; i < OSSL_NELEM(cipher_data); i++)
-+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) {
- destroy_cipher_method(cipher_data[i].nid);
-+ OPENSSL_free(cipher_driver_info[i].driver_name);
-+ cipher_driver_info[i].driver_name = NULL;
-+ }
- }
-
- static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(const char *str, int len, void *usr)
- return 1;
- }
-
-+static void dump_cipher_info(void)
-+{
-+ size_t i;
-+ const char *name;
-+ 
-+ fprintf (stderr, "Information about ciphers supported by the /dev/crypto"
-+ " engine:\n");
-+#ifndef CIOCGSESSINFO
-+ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n");
-+#endif
-+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) {
-+ name = OBJ_nid2sn(cipher_data[i].nid);
-+ fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ",
-+ name ? name : "unknown", cipher_data[i].nid,
-+ cipher_data[i].devcryptoid);
-+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) {
-+ fprintf (stderr, "CIOCGSESSION (session open call) failed\n");
-+ continue;
-+ }
-+ fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ?
-+ cipher_driver_info[i].driver_name : "unknown");
-+ if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED)
-+ fprintf(stderr, "(hw accelerated)");
-+ else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED)
-+ fprintf(stderr, "(software)");
-+ else
-+ fprintf(stderr, "(acceleration status unknown)");
-+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE)
-+ fprintf (stderr, ". Cipher setup failed");
-+ fprintf(stderr, "\n");
-+ }
-+ fprintf(stderr, "\n");
-+}
-+
- /*
- * We only support digests if the cryptodev implementation supports multiple
- * data updates and session copying. 
Otherwise, we would be forced to maintain
-@@ -812,31 +858,36 @@ static void prepare_digest_methods(void)
- sess1.mac = digest_data[i].devcryptoid;
- sess2.ses = 0;
- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) {
-- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION;
- goto finish;
- }
-
- #ifdef CIOCGSESSINFO
- /* gather hardware acceleration info from the driver */
- siop.ses = sess1.ses;
-- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0)
-+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) {
- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
-- else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)
-- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
-- else
-- digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
-+ } else {
-+ digest_driver_info[i].driver_name =
-+ OPENSSL_strndup(siop.hash_info.cra_driver_name,
-+ CRYPTODEV_MAX_ALG_NAME);
-+ if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)
-+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
-+ else
-+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
-+ }
- #endif
-
- /* digest must be capable of hash state copy */
- sess2.mac = sess1.mac;
- if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) {
-- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE;
- goto finish;
- }
- cphash.src_ses = sess1.ses;
- cphash.dst_ses = sess2.ses;
- if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) {
-- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE;
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH;
- goto finish;
- }
- if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
-@@ -852,7 +903,7 @@ static void prepare_digest_methods(void)
- || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup)
- || !EVP_MD_meth_set_app_datasize(known_digest_methods[i],
- sizeof(struct digest_ctx))) {
-- digest_driver_info[i].status = 
DEVCRYPTO_STATUS_UNUSABLE;
-+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE;
- EVP_MD_meth_free(known_digest_methods[i]);
- known_digest_methods[i] = NULL;
- goto finish;
-@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(void)
- {
- size_t i;
-
-- for (i = 0; i < OSSL_NELEM(digest_data); i++)
-+ for (i = 0; i < OSSL_NELEM(digest_data); i++) {
- destroy_digest_method(digest_data[i].nid);
-+ OPENSSL_free(digest_driver_info[i].driver_name);
-+ digest_driver_info[i].driver_name = NULL;
-+ }
- }
-
- static int devcrypto_digests(ENGINE *e, const EVP_MD **digest,
-@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(const char *str, int len, void *usr)
- return 1;
- }
-
-+static void dump_digest_info(void)
-+{
-+ size_t i;
-+ const char *name;
-+
-+ fprintf (stderr, "Information about digests supported by the /dev/crypto"
-+ " engine:\n");
-+#ifndef CIOCGSESSINFO
-+ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n");
-+#endif
-+
-+ for (i = 0; i < OSSL_NELEM(digest_data); i++) {
-+ name = OBJ_nid2sn(digest_data[i].nid);
-+ fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s",
-+ name ? name : "unknown", digest_data[i].nid,
-+ digest_data[i].devcryptoid,
-+ digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown");
-+ if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) {
-+ fprintf (stderr, ". CIOCGSESSION (session open) failed\n");
-+ continue;
-+ }
-+ if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED)
-+ fprintf(stderr, " (hw accelerated)");
-+ else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED)
-+ fprintf(stderr, " (software)");
-+ else
-+ fprintf(stderr, " (acceleration status unknown)");
-+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE)
-+ fprintf (stderr, ". 
Cipher setup failed\n");
-+ else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH)
-+ fprintf(stderr, ", CIOCCPHASH failed\n");
-+ else
-+ fprintf(stderr, ", CIOCCPHASH capable\n");
-+ }
-+ fprintf(stderr, "\n");
-+}
-+
- #endif
-
- /******************************************************************************
-@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
- ENGINE_CMD_FLAG_STRING},
- #endif
-
-+ {DEVCRYPTO_CMD_DUMP_INFO,
-+ "DUMP_INFO",
-+ "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'",
-+ ENGINE_CMD_FLAG_NO_INPUT},
-+
- {0, NULL, NULL, 0}
- };
-
-@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
- return 1;
- #endif /* IMPLEMENT_DIGEST */
-
-+ case DEVCRYPTO_CMD_DUMP_INFO:
-+ dump_cipher_info();
-+#ifdef IMPLEMENT_DIGEST
-+ dump_digest_info();
-+#endif
-+ return 1;
-+
- default:
- break;
- }
diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
deleted file mode 100644
index ee3394242..000000000
--- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+++ /dev/null 
@@ -1,368 +0,0 @@
-From f3cef70b34afde3afd13ce3636232d41533b0162 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Tue, 6 Nov 2018 10:57:03 -0200
-Subject: e_devcrypto: make the /dev/crypto engine dynamic
-
-Engine has been moved from crypto/engine/eng_devcrypto.c to
-engines/e_devcrypto.c.
-
-Signed-off-by: Eneas U de Queiroz
-
-diff --git a/crypto/engine/build.info b/crypto/engine/build.info
-index e00802a3fd..47fe948966 100644
---- a/crypto/engine/build.info
-+++ b/crypto/engine/build.info
-@@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\
- tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c tb_eckey.c \
- eng_openssl.c eng_cnf.c eng_dyn.c \
- eng_rdrand.c
--IF[{- !$disabled{devcryptoeng} -}]
-- SOURCE[../../libcrypto]=eng_devcrypto.c
--ENDIF
-diff --git a/crypto/init.c b/crypto/init.c
-index 9fc0e8ef68..b387559920 100644
---- a/crypto/init.c
-+++ b/crypto/init.c
-@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
- engine_load_openssl_int();
- return 1;
- }
--# ifndef OPENSSL_NO_DEVCRYPTOENG
--static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT;
--DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto)
--{
--# ifdef OPENSSL_INIT_DEBUG
-- fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: "
-- "engine_load_devcrypto_int()\n");
--# endif
-- engine_load_devcrypto_int();
-- return 1;
--}
--# endif
-
- # ifndef OPENSSL_NO_RDRAND
- static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT;
-@@ -365,6 +353,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic)
- return 1;
- }
- # ifndef OPENSSL_NO_STATIC_ENGINE
-+# ifndef OPENSSL_NO_DEVCRYPTOENG
-+static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT;
-+DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto)
-+{
-+# ifdef OPENSSL_INIT_DEBUG
-+ fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: "
-+ "engine_load_devcrypto_int()\n");
-+# endif
-+ engine_load_devcrypto_int();
-+ return 1;
-+}
-+# endif
- # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
- static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT;
- DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock)
-@@ -713,11 +713,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
- if ((opts & OPENSSL_INIT_ENGINE_OPENSSL)
- && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl))
- return 0;
--# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_DEVCRYPTOENG)
-- if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV)
-- && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto))
-- return 0;
--# endif
- # ifndef OPENSSL_NO_RDRAND
- if ((opts & OPENSSL_INIT_ENGINE_RDRAND)
- && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
-@@ -727,6 +722,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
- && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
- return 0;
- # ifndef OPENSSL_NO_STATIC_ENGINE
-+# ifndef OPENSSL_NO_DEVCRYPTOENG
-+ if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV)
-+ && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto))
-+ return 0;
-+# endif
- # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
- if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
- && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock))
-diff --git a/engines/build.info b/engines/build.info
-index 1db771971c..33a25d7004 100644
---- a/engines/build.info
-+++ b/engines/build.info
-@@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}]
- IF[{- !$disabled{afalgeng} -}]
- SOURCE[../libcrypto]=e_afalg.c
- ENDIF
-+ IF[{- !$disabled{"devcryptoeng"} -}]
-+ SOURCE[../libcrypto]=e_devcrypto.c
-+ ENDIF
- ELSE
- IF[{- !$disabled{hw} && !$disabled{'hw-padlock'} -}]
- ENGINES=padlock
-@@ -30,6 +33,12 @@ IF[{- !$disabled{"engine"} -}]
- DEPEND[afalg]=../libcrypto
- INCLUDE[afalg]= ../include
- ENDIF
-+ IF[{- !$disabled{"devcryptoeng"} -}]
-+ ENGINES=devcrypto
-+ SOURCE[devcrypto]=e_devcrypto.c
-+ DEPEND[devcrypto]=../libcrypto
-+ INCLUDE[devcrypto]=../include
-+ ENDIF
-
- ENGINES_NO_INST=ossltest dasync
- SOURCE[dasync]=e_dasync.c
-diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c
-similarity index 95%
-rename from crypto/engine/eng_devcrypto.c
-rename to engines/e_devcrypto.c
-index 64dc6b891d..fb5c6e1636 100644
---- a/crypto/engine/eng_devcrypto.c
-+++ b/engines/e_devcrypto.c
-@@ -7,7 +7,7 @@
- * https://www.openssl.org/source/license.html
- */
-
--#include "e_os.h"
-+#include "../e_os.h"
- #include
- #include
- #include
-@@ -23,26 +23,26 @@
- #include
- #include
-
--#include "internal/engine.h"
--
- /* #define ENGINE_DEVCRYPTO_DEBUG */
-
- #if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
- # define CHECK_BSD_STYLE_MACROS
- #endif
-
-+#define engine_devcrypto_id "devcrypto"
-+
- /*
- * ONE global file descriptor for all sessions. This allows operations
- * such as digest session data copying (see digest_copy()), but is also
- * saner... why re-open /dev/crypto for every session?
- */
--static int cfd;
-+static int cfd = -1;
- #define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */
- #define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */
- #define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */
-
--#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE
--static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS;
-+#define DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS DEVCRYPTO_REJECT_SOFTWARE
-+static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS;
-
- /*
- * cipher/digest status & acceleration definitions
-@@ -66,6 +66,10 @@ struct driver_info_st {
- char *driver_name;
- };
-
-+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
-+void engine_load_devcrypto_int(void);
-+#endif
-+
- static int clean_devcrypto_session(struct session_op *sess) {
- if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) {
- SYSerr(SYS_F_IOCTL, errno);
-@@ -341,6 +345,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
- struct cipher_ctx *to_cipher_ctx;
-
- switch (type) {
-+
- case EVP_CTRL_COPY:
- if (cipher_ctx == NULL)
- return 1;
-@@ -702,7 +707,6 @@ static int digest_init(EVP_MD_CTX *ctx)
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
- }
--
- return 1;
- }
-
-@@ -1058,7 +1062,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
- OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, "
- OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE)
- "=use if acceleration can't be determined) [default="
-- OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]",
-+ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS) "]",
- ENGINE_CMD_FLAG_NUMERIC},
- #endif
-
-@@ -1166,55 +1170,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
- *
- *****/
-
--static int devcrypto_unload(ENGINE *e)
--{
-- destroy_all_cipher_methods();
--#ifdef IMPLEMENT_DIGEST
-- destroy_all_digest_methods();
--#endif
--
-- close(cfd);
--
-- return 1;
--}
- /*
-- * This engine is always built into libcrypto, so it doesn't offer any
-- * ability to be dynamically loadable.
-+ * Opens /dev/crypto
- */
--void engine_load_devcrypto_int()
-+static int open_devcrypto(void)
- {
-- ENGINE *e = NULL;
-+ if (cfd >= 0)
-+ return 1;
-
- if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
- #ifndef ENGINE_DEVCRYPTO_DEBUG
- if (errno != ENOENT)
- #endif
- fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
-- return;
-+ return 0;
- }
-
-- if ((e = ENGINE_new()) == NULL
-- || !ENGINE_set_destroy_function(e, devcrypto_unload)) {
-- ENGINE_free(e);
-- /*
-- * We know that devcrypto_unload() won't be called when one of the
-- * above two calls have failed, so we close cfd explicitly here to
-- * avoid leaking resources.
-- */
-- close(cfd);
-- return;
-+ return 1;
-+}
-+
-+static int close_devcrypto(void)
-+{
-+ int ret;
-+
-+ if (cfd < 0)
-+ return 1;
-+ ret = close(cfd);
-+ cfd = -1;
-+ if (ret != 0) {
-+ fprintf(stderr, "Error closing /dev/crypto: %s\n", strerror(errno));
-+ return 0;
- }
-+ return 1;
-+}
-
-- prepare_cipher_methods();
-+static int devcrypto_unload(ENGINE *e)
-+{
-+ destroy_all_cipher_methods();
- #ifdef IMPLEMENT_DIGEST
-- prepare_digest_methods();
-+ destroy_all_digest_methods();
- #endif
-
-- if (!ENGINE_set_id(e, "devcrypto")
-+ close_devcrypto();
-+
-+ return 1;
-+}
-+
-+static int bind_devcrypto(ENGINE *e) {
-+
-+ if (!ENGINE_set_id(e, engine_devcrypto_id)
- || !ENGINE_set_name(e, "/dev/crypto engine")
-+ || !ENGINE_set_destroy_function(e, devcrypto_unload)
- || !ENGINE_set_cmd_defns(e, devcrypto_cmds)
-- || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)
-+ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl))
-+ return 0;
-+
-+ prepare_cipher_methods();
-+#ifdef IMPLEMENT_DIGEST
-+ prepare_digest_methods();
-+#endif
-
-+ return (ENGINE_set_ciphers(e, devcrypto_ciphers)
-+#ifdef IMPLEMENT_DIGEST
-+ && ENGINE_set_digests(e, devcrypto_digests)
-+#endif
- /*
- * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
- * implementations, it seems to only exist in FreeBSD, and regarding the
-@@ -1237,23 +1256,36 @@ void engine_load_devcrypto_int()
- */
- #if 0
- # ifndef OPENSSL_NO_RSA
-- || !ENGINE_set_RSA(e, devcrypto_rsa)
-+ && ENGINE_set_RSA(e, devcrypto_rsa)
- # endif
- # ifndef OPENSSL_NO_DSA
-- || !ENGINE_set_DSA(e, devcrypto_dsa)
-+ && ENGINE_set_DSA(e, devcrypto_dsa)
- # endif
- # ifndef OPENSSL_NO_DH
-- || !ENGINE_set_DH(e, devcrypto_dh)
-+ && ENGINE_set_DH(e, devcrypto_dh)
- # endif
- # ifndef OPENSSL_NO_EC
-- || !ENGINE_set_EC(e, devcrypto_ec)
-+ && ENGINE_set_EC(e, devcrypto_ec)
- # endif
- #endif
-- || !ENGINE_set_ciphers(e, devcrypto_ciphers)
--#ifdef IMPLEMENT_DIGEST
-- || !ENGINE_set_digests(e, devcrypto_digests)
--#endif
-- ) {
-+ );
-+}
-+
-+#ifdef OPENSSL_NO_DYNAMIC_ENGINE
-+/*
-+ * In case this engine is built into libcrypto, then it doesn't offer any
-+ * ability to be dynamically loadable.
-+ */
-+void engine_load_devcrypto_int(void)
-+{
-+ ENGINE *e = NULL;
-+
-+ if (!open_devcrypto())
-+ return;
-+
-+ if ((e = ENGINE_new()) == NULL
-+ || !bind_devcrypto(e)) {
-+ close_devcrypto();
- ENGINE_free(e);
- return;
- }
-@@ -1262,3 +1294,22 @@ void engine_load_devcrypto_int()
- ENGINE_free(e); /* Loose our local reference */
- ERR_clear_error();
- }
-+
-+#else
-+
-+static int bind_helper(ENGINE *e, const char *id)
-+{
-+ if ((id && (strcmp(id, engine_devcrypto_id) != 0))
-+ || !open_devcrypto())
-+ return 0;
-+ if (!bind_devcrypto(e)) {
-+ close_devcrypto();
-+ return 0;
-+ }
-+ return 1;
-+}
-+
-+IMPLEMENT_DYNAMIC_CHECK_FN()
-+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
-+
-+#endif
diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
deleted file mode 100644
index 89385fa47..000000000
--- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 52ddedc09ee81fe05ea2fa384fce89afe92d6d72 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Mon, 11 Mar 2019 09:29:13 -0300
-Subject: e_devcrypto: default to not use digests in engine
-
-Digests are almost always slower when using /dev/crypto because of the
-cost of the context switches. Only for large blocks it is worth it.
-
-Also, when forking, the open context structures are duplicated, but the
-internal kernel sessions are still shared between forks, which means an
-update/close operation in one fork affects all processes using that
-session.
-
-This affects digests, especially for HMAC, where the session with the
-key hash is used as a source for subsequent operations. At least one
-popular application does this across a fork. Disabling digests by
-default will mitigate the problem, while still allowing the user to
-turn them on if it is safe and fast enough.
-
-Signed-off-by: Eneas U de Queiroz
-
-diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
-index fb5c6e1636..7741138b82 100644
---- a/engines/e_devcrypto.c
-+++ b/engines/e_devcrypto.c
-@@ -854,7 +854,7 @@ static void prepare_digest_methods(void)
- for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
- i++) {
-
-- selected_digests[i] = 1;
-+ selected_digests[i] = 0;
-
- /*
- * Check that the digest is usable
-@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
- #ifdef IMPLEMENT_DIGEST
- {DEVCRYPTO_CMD_DIGESTS,
- "DIGESTS",
-- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
-+ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
- ENGINE_CMD_FLAG_STRING},
- #endif
-
diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
deleted file mode 100644
index 087994376..000000000
--- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From b6b2744f06f64922b449b3cb4bf0ad3df3efba71 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz
-Date: Mon, 11 Mar 2019 10:15:14 -0300
-Subject: e_devcrypto: ignore error when closing session
-
-In cipher_init, ignore an eventual error when closing the previous
-session. It may have been closed by another process after a fork.
-
-Signed-off-by: Eneas U de Queiroz
-
-diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c
-index 7741138b82..2480bdbd57 100644
---- a/engines/e_devcrypto.c
-+++ b/engines/e_devcrypto.c
-@@ -197,9 +197,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
-
- /* cleanup a previous session */
-- if (cipher_ctx->sess.ses != 0 &&
-- clean_devcrypto_session(&cipher_ctx->sess) == 0)
-- return 0;
-+ if (cipher_ctx->sess.ses != 0)
-+ clean_devcrypto_session(&cipher_ctx->sess);
-
- cipher_ctx->sess.cipher = cipher_d->devcryptoid;
- cipher_ctx->sess.keylen = cipher_d->keylen;