298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-04-16 04:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

openssl: optimizations based on ARCH/small flash

Browse Source
This commit is contained in:
coolsnowwolf 2019-02-13 23:03:23 +08:00
parent 8a7c3566ea
commit ed9daec69e
24 changed files with 1183 additions and 884 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

289
package/libs/openssl/Config.in
View File

@ -1,72 +1,289 @@
if PACKAGE_libopenssl
config OPENSSL_WITH_EC
bool
default y
prompt "Enable elliptic curve support"
comment "Build Options"
config OPENSSL_WITH_EC2M
bool
depends on OPENSSL_WITH_EC
prompt "Enable ec2m support"
config OPENSSL_WITH_SSL3
config OPENSSL_OPTIMIZE_SPEED
bool
default n
prompt "Enable sslv3 support"
default y if x86_64 || i386
prompt "Enable optimization for speed instead of size"
select OPENSSL_WITH_ASM
help
Enabling this option increases code size (around 20%) and
performance. The increase in performance and size depends on the
target CPU. EC and AES seem to benefit the most, with EC speed
increased by 20%-50% (mipsel & x86).
AES-GCM is supposed to be 3x faster on x86. YMMV.
config OPENSSL_WITH_ASM
bool
default y if !SMALL_FLASH || !arm
prompt "Compile with optimized assembly code"
depends on !arc
help
Disabling this option will reduce code size and performance.
The increase in performance and size depends on the target
CPU and on the algorithms being optimized. As of 1.1.0i*:
Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305
arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305
i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60%
mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305
powerpc 20K BN, aes, sha1, sha256, sha512, poly1305
x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
* Only most common algorithms shown. Your mileage may vary.
BN (bignum) performance was measured using RSA sign/verify.
config OPENSSL_WITH_SSE2
bool
default y if !TARGET_x86_legacy && !TARGET_x86_geode
prompt "Enable use of x86 SSE2 instructions"
depends on OPENSSL_WITH_ASM && i386
help
Use of SSE2 instructions greatly increase performance (up to
3x faster) with a minimum (~0.2%, or 23KB) increase in package
size, but it will bring no benefit if your hardware does not
support them, such as Geode GX and LX. In this case you may
save 23KB by saying yes here. AMD Geode NX, and Intel
Pentium 4 and above support SSE2.
config OPENSSL_WITH_DEPRECATED
bool
default y
prompt "Include deprecated APIs"
prompt "Include deprecated APIs (See help for a list of packages that need this)"
help
Since openssl 1.1.x is still new to openwrt, some packages
requiring this option do not list it as a requirement yet:
* freeswitch-stable, freeswitch, python, python3, squid.
config OPENSSL_NO_DEPRECATED
bool
default !OPENSSL_WITH_DEPRECATED
config OPENSSL_WITH_ERROR_MESSAGES
bool
default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
prompt "Include error messages"
help
This option aids debugging, but increases package size and
memory usage.
comment "Protocol Support"
config OPENSSL_WITH_TLS13
bool
default y
prompt "Enable support for TLS 1.3"
select OPENSSL_WITH_EC
help
TLS 1.3 is the newest version of the TLS specification.
It aims:
* to increase the overall security of the protocol,
removing outdated algorithms, and encrypting more of the
protocol;
* to increase performance by reducing the number of round-trips
when performing a full handshake.
It increases package size by ~4KB.
config OPENSSL_WITH_DTLS
bool
default n
prompt "Enable DTLS support"
config OPENSSL_WITH_COMPRESSION
bool
default n
prompt "Enable compression support"
help
Datagram Transport Layer Security (DTLS) provides TLS-like security
for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
config OPENSSL_WITH_NPN
bool
default y
prompt "Enable NPN support"
config OPENSSL_WITH_PSK
bool
default y
prompt "Enable PSK support"
help
NPN is a TLS extension, obsoleted and replaced with ALPN,
used to negotiate SPDY, and HTTP/2.
config OPENSSL_WITH_SRP
bool
default y
prompt "Enable SRP support"
help
The Secure Remote Password protocol (SRP) is an augmented
password-authenticated key agreement (PAKE) protocol, specifically
designed to work around existing patents.
config OPENSSL_ENGINE_DIGEST
config OPENSSL_WITH_CMS
bool
depends on OPENSSL_ENGINE_CRYPTO
prompt "Digests acceleration support"
default y
prompt "Enable CMS (RFC 5652) support"
help
Cryptographic Message Syntax (CMS) is used to digitally sign,
digest, authenticate, or encrypt arbitrary message content.
config OPENSSL_HARDWARE_SUPPORT
comment "Algorithm Selection"
config OPENSSL_WITH_EC
bool
default n
prompt "Enable hardware support"
default y
prompt "Enable elliptic curve support"
help
Elliptic-curve cryptography (ECC) is an approach to public-key
cryptography based on the algebraic structure of elliptic curves
over finite fields. ECC requires smaller keys compared to non-ECC
cryptography to provide equivalent security.
config OPENSSL_OPTIMIZE_SPEED
config OPENSSL_WITH_EC2M
bool
default n
prompt "Enable optimization for speed instead of size"
depends on OPENSSL_WITH_EC
prompt "Enable ec2m support"
help
This option enables the more efficient, yet less common, binary
field elliptic curves.
endif
config OPENSSL_WITH_CHACHA_POLY1305
bool
default y
prompt "Enable ChaCha20-Poly1305 ciphersuite support"
help
ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
combining ChaCha stream cipher with Poly1305 MAC.
It is 3x faster than AES, when not using a CPU with AES-specific
instructions, as is the case of most embedded devices.
config OPENSSL_PREFER_CHACHA_OVER_GCM
bool
default y if !x86_64 && !aarch64
prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
depends on OPENSSL_WITH_CHACHA_POLY1305
help
The default openssl preference is for AES-GCM before ChaCha, but
that takes into account AES-NI capable chips. It is not the
case with most embedded chips, so it may be better to invert
that preference. This is just for the default case. The
application can always override this.
config OPENSSL_WITH_PSK
bool
default y
prompt "Enable PSK support"
help
Build support for Pre-Shared Key based cipher suites.
comment "Less commonly used build options"
config OPENSSL_WITH_ARIA
bool
prompt "Enable ARIA support"
help
ARIA is a block cipher developed in South Korea, based on AES.
config OPENSSL_WITH_CAMELLIA
bool
prompt "Enable Camellia cipher support"
help
Camellia is a bock cipher with security levels and processing
abilities comparable to AES.
config OPENSSL_WITH_IDEA
bool
prompt "Enable IDEA cipher support"
help
IDEA is a block cipher with 128-bit keys.
config OPENSSL_WITH_SEED
bool
prompt "Enable SEED cipher support"
help
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.
config OPENSSL_WITH_SM234
bool
prompt "Enable SM2/3/4 algorithms support"
help
These algorithms are a set of "Commercial Cryptography"
algorithms approved for use in China.
* SM2 is an EC algorithm equivalent to ECDSA P-256
* SM3 is a hash function equivalent to SHA-256
* SM4 is a 128-block cipher equivalent to AES-128
config OPENSSL_WITH_BLAKE2
bool
prompt "Enable BLAKE2 digest support"
help
BLAKE2 is a cryptographic hash function based on the ChaCha
stream cipher.
config OPENSSL_WITH_MDC2
bool
prompt "Enable MDC2 digest support"
config OPENSSL_WITH_WHIRLPOOL
bool
prompt "Enable Whirlpool digest support"
config OPENSSL_WITH_COMPRESSION
bool
prompt "Enable compression support"
help
TLS compression is not recommended, as it is deemed insecure.
The CRIME attack exploits this weakness.
Even with this option turned on, it is disabled by default, and the
application must explicitly turn it on.
config OPENSSL_WITH_RFC3779
bool
prompt "Enable RFC3779 support (BGP)"
help
RFC 3779 defines two X.509 v3 certificate extensions. The first
binds a list of IP address blocks, or prefixes, to the subject of a
certificate. The second binds a list of autonomous system
identifiers to the subject of a certificate. These extensions may be
used to convey the authorization of the subject to use the IP
addresses and autonomous system identifiers contained in the
extensions.
comment "Engine/Hardware Support"
config OPENSSL_ENGINE
bool "Enable engine support"
help
This enables alternative cryptography implementations,
most commonly for interfacing with external crypto devices,
or supporting new/alternative ciphers and digests.
Note that you need to enable KERNEL_AIO to be able to build the
afalg engine package.
config OPENSSL_ENGINE_CRYPTO
bool
select OPENSSL_HARDWARE_SUPPORT
prompt "Crypto acceleration support" if PACKAGE_libopenssl
select OPENSSL_ENGINE
select PACKAGE_kmod-cryptodev
select PACKAGE_libopenssl-conf
prompt "Acceleration support through /dev/crypto"
help
This enables use of hardware acceleration through OpenBSD
Cryptodev API (/dev/crypto) interface.
You must install kmod-cryptodev (under Kernel modules, Cryptographic
API modules) for /dev/crypto to show up and use hardware
acceleration; otherwise it falls back to software.
config OPENSSL_WITH_ASYNC
bool
prompt "Enable asynchronous jobs support"
depends on OPENSSL_ENGINE && USE_GLIBC
help
Enables async-aware applications to be able to use OpenSSL to
initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine.
config OPENSSL_WITH_GOST
bool
prompt "Prepare library for GOST engine"
depends on OPENSSL_ENGINE
help
This option prepares the library to accept engine support
for Russian GOST crypto algorithms.
The gost engine is not included in standard openwrt feeds.
To build such engine yourself, see:
https://github.com/gost-engine/engine
endif

292
package/libs/openssl/Makefile
View File

@ -8,41 +8,58 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_BASE:=1.0.2
PKG_BUGFIX:=p
PKG_BASE:=1.1.1
PKG_BUGFIX:=a
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
PKG_BUILD_PARALLEL:=0
PKG_BUILD_DEPENDS:=cryptodev-linux
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
http://ftp.fi.muni.cz/pub/openssl/source/ \
http://ftp.linux.hr/pub/openssl/source/ \
http://gd.tuwien.ac.at/infosys/security/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
PKG_HASH:=50a98e07b1a89eb8f6a99477f262df71c6fa7bef77df4dc83025a2845c827d00
PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41
PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_CRYPTO \
CONFIG_OPENSSL_ENGINE_DIGEST \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
CONFIG_OPENSSL_WITH_ARIA \
CONFIG_OPENSSL_WITH_ASM \
CONFIG_OPENSSL_WITH_ASYNC \
CONFIG_OPENSSL_WITH_BLAKE2 \
CONFIG_OPENSSL_WITH_CAMELLIA \
CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_DTLS \
CONFIG_OPENSSL_WITH_EC \
CONFIG_OPENSSL_WITH_EC2M \
CONFIG_OPENSSL_WITH_SSL3 \
CONFIG_OPENSSL_HARDWARE_SUPPORT \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_WITH_DTLS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
CONFIG_OPENSSL_WITH_GOST \
CONFIG_OPENSSL_WITH_IDEA \
CONFIG_OPENSSL_WITH_MDC2 \
CONFIG_OPENSSL_WITH_NPN \
CONFIG_OPENSSL_WITH_PSK \
CONFIG_OPENSSL_WITH_RFC3779 \
CONFIG_OPENSSL_WITH_SEED \
CONFIG_OPENSSL_WITH_SM234 \
CONFIG_OPENSSL_WITH_SRP \
CONFIG_OPENSSL_OPTIMIZE_SPEED
CONFIG_OPENSSL_WITH_SSE2 \
CONFIG_OPENSSL_WITH_TLS13 \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
@ -54,6 +71,8 @@ endif
define Package/openssl/Default
TITLE:=Open source SSL toolkit
URL:=http://www.openssl.org/
SECTION:=libs
CATEGORY:=Libraries
endef
define Package/libopenssl/config
@ -62,19 +81,17 @@ endef
define Package/openssl/Default/description
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
as a full-strength general purpose cryptography library.
commercial-grade, full-featured, and Open Source toolkit implementing the
Transport Layer Security (TLS) protocol as well as a full-strength
general-purpose cryptography library.
endef
define Package/libopenssl
$(call Package/openssl/Default)
SECTION:=libs
SUBMENU:=SSL
CATEGORY:=Libraries
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
TITLE+= (libraries)
ABI_VERSION:=$(PKG_VERSION)
ABI_VERSION:=1.1
MENU:=1
endef
@ -87,31 +104,78 @@ define Package/openssl-util
$(call Package/openssl/Default)
SECTION:=utils
CATEGORY:=Utilities
DEPENDS:=+libopenssl
DEPENDS:=+libopenssl +libopenssl-conf
TITLE+= (utility)
endef
define Package/openssl-util/conffiles
/etc/ssl/openssl.cnf
endef
define Package/openssl-util/description
$(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef
define Package/libopenssl-conf
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=/etc/ssl/openssl.cnf config file
DEPENDS:=libopenssl
endef
OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
no-whrlpool no-whirlpool no-seed no-jpake
OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
endef
ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
ifdef CONFIG_OPENSSL_ENGINE_DIGEST
OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
endif
define Package/libopenssl-conf/description
$(call Package/openssl/Default/description)
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
endef
define Package/libopenssl-afalg
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=AFALG hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user \
+libopenssl-conf
endef
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
The engine_id is "afalg"
endef
define Package/libopenssl-padlock
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=VIA Padlock hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock \
+libopenssl-conf
endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
To use it, you need to configure it in /etc/ssl/openssl.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
The engine_id is "padlock"
endef
OPENSSL_OPTIONS:= shared
ifndef CONFIG_OPENSSL_WITH_BLAKE2
OPENSSL_OPTIONS += no-blake2
endif
ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
OPENSSL_OPTIONS += no-chacha no-poly1305
else
OPENSSL_OPTIONS += no-engines
ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM
OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM
endif
endif
ifndef CONFIG_OPENSSL_WITH_ASYNC
OPENSSL_OPTIONS += no-async
endif
ifndef CONFIG_OPENSSL_WITH_EC
@ -122,18 +186,78 @@ ifndef CONFIG_OPENSSL_WITH_EC2M
OPENSSL_OPTIONS += no-ec2m
endif
ifndef CONFIG_OPENSSL_WITH_SSL3
OPENSSL_OPTIONS += no-ssl3 no-ssl3-method
ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
OPENSSL_OPTIONS += no-err
endif
ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT
OPENSSL_OPTIONS += no-hw
ifndef CONFIG_OPENSSL_WITH_TLS13
OPENSSL_OPTIONS += no-tls1_3
endif
ifndef CONFIG_OPENSSL_WITH_ARIA
OPENSSL_OPTIONS += no-aria
endif
ifndef CONFIG_OPENSSL_WITH_SM234
OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
endif
ifndef CONFIG_OPENSSL_WITH_CAMELLIA
OPENSSL_OPTIONS += no-camellia
endif
ifndef CONFIG_OPENSSL_WITH_IDEA
OPENSSL_OPTIONS += no-idea
endif
ifndef CONFIG_OPENSSL_WITH_SEED
OPENSSL_OPTIONS += no-seed
endif
ifndef CONFIG_OPENSSL_WITH_MDC2
OPENSSL_OPTIONS += no-mdc2
endif
ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
OPENSSL_OPTIONS += no-whirlpool
endif
ifndef CONFIG_OPENSSL_WITH_CMS
OPENSSL_OPTIONS += no-cms
endif
ifndef CONFIG_OPENSSL_WITH_RFC3779
OPENSSL_OPTIONS += no-rfc3779
endif
ifdef CONFIG_OPENSSL_NO_DEPRECATED
OPENSSL_OPTIONS += no-deprecated
endif
ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
else
OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
endif
ifdef CONFIG_OPENSSL_ENGINE
ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_PACKAGE_libopenssl-afalg
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-hw-padlock
endif
else
OPENSSL_OPTIONS += no-engine
endif
ifndef CONFIG_OPENSSL_WITH_GOST
OPENSSL_OPTIONS += no-gost
endif
ifndef CONFIG_OPENSSL_WITH_DTLS
OPENSSL_OPTIONS += no-dtls
endif
@ -156,27 +280,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP
OPENSSL_OPTIONS += no-srp
endif
ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3
ifndef CONFIG_OPENSSL_WITH_ASM
OPENSSL_OPTIONS += no-asm
endif
ifeq ($(CONFIG_x86_64),y)
OPENSSL_TARGET:=linux-x86_64-openwrt
OPENSSL_MAKEFLAGS += LIBDIR=lib
else
OPENSSL_OPTIONS+=no-sse2
ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y)
OPENSSL_TARGET:=linux-mips-openwrt
else ifeq ($(CONFIG_aarch64),y)
OPENSSL_TARGET:=linux-aarch64-openwrt
else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y)
OPENSSL_TARGET:=linux-armv4-openwrt
else
OPENSSL_TARGET:=linux-generic-openwrt
OPENSSL_OPTIONS+=no-perlasm
ifdef CONFIG_i386
ifndef CONFIG_OPENSSL_WITH_SSE2
OPENSSL_OPTIONS += no-sse2
endif
endif
OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5)
define Build/Configure
@ -187,57 +302,31 @@ define Build/Configure
(cd $(PKG_BUILD_DIR); \
./Configure $(OPENSSL_TARGET) \
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) -ldl \
$(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \
$(OPENSSL_NO_CIPHERS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) \
)
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
MAKEDEPPROG="$(TARGET_CROSS)gcc" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
depend
endef
TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections
TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
AR="$(TARGET_CROSS)ar r" \
RANLIB="$(TARGET_CROSS)ranlib" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
AR="$(TARGET_CROSS)ar r" \
RANLIB="$(TARGET_CROSS)ranlib" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
build-shared
# Work around openssl build bug to link libssl.so with libcrypto.so.
-rm $(PKG_BUILD_DIR)/libssl.so.*.*.*
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
do_linux-shared
$(MAKE) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
install
install_sw install_ssldirs
endef
define Build/InstallDev
@ -251,20 +340,37 @@ define Build/InstallDev
endef
define Package/libopenssl/install
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
endef
define Package/openssl-util/install
$(INSTALL_DIR) $(1)/etc/ssl
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(INSTALL_DIR) $(1)/etc/ssl/certs
$(INSTALL_DIR) $(1)/etc/ssl/private
chmod 0700 $(1)/etc/ssl/private
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
endef
define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
endef
define Package/openssl-util/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
define Package/libopenssl-afalg/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
endef
define Package/libopenssl-padlock/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
endef
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))

292
package/libs/openssl/include/crypto/cryptodev.h
View File

@ -1,292 +0,0 @@
/* This is a source compatible implementation with the original API of
* cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h.
* Placed under public domain */
#ifndef L_CRYPTODEV_H
#define L_CRYPTODEV_H
#include <linux/types.h>
#ifndef __KERNEL__
#define __user
#endif
/* API extensions for linux */
#define CRYPTO_HMAC_MAX_KEY_LEN 512
#define CRYPTO_CIPHER_MAX_KEY_LEN 64
/* All the supported algorithms
*/
enum cryptodev_crypto_op_t {
CRYPTO_DES_CBC = 1,
CRYPTO_3DES_CBC = 2,
CRYPTO_BLF_CBC = 3,
CRYPTO_CAST_CBC = 4,
CRYPTO_SKIPJACK_CBC = 5,
CRYPTO_MD5_HMAC = 6,
CRYPTO_SHA1_HMAC = 7,
CRYPTO_RIPEMD160_HMAC = 8,
CRYPTO_MD5_KPDK = 9,
CRYPTO_SHA1_KPDK = 10,
CRYPTO_RIJNDAEL128_CBC = 11,
CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC,
CRYPTO_ARC4 = 12,
CRYPTO_MD5 = 13,
CRYPTO_SHA1 = 14,
CRYPTO_DEFLATE_COMP = 15,
CRYPTO_NULL = 16,
CRYPTO_LZS_COMP = 17,
CRYPTO_SHA2_256_HMAC = 18,
CRYPTO_SHA2_384_HMAC = 19,
CRYPTO_SHA2_512_HMAC = 20,
CRYPTO_AES_CTR = 21,
CRYPTO_AES_XTS = 22,
CRYPTO_AES_ECB = 23,
CRYPTO_AES_GCM = 50,
CRYPTO_CAMELLIA_CBC = 101,
CRYPTO_RIPEMD160,
CRYPTO_SHA2_224,
CRYPTO_SHA2_256,
CRYPTO_SHA2_384,
CRYPTO_SHA2_512,
CRYPTO_SHA2_224_HMAC,
CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */
};
#define CRYPTO_ALGORITHM_MAX (CRYPTO_ALGORITHM_ALL - 1)
/* Values for ciphers */
#define DES_BLOCK_LEN 8
#define DES3_BLOCK_LEN 8
#define RIJNDAEL128_BLOCK_LEN 16
#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN
#define CAMELLIA_BLOCK_LEN 16
#define BLOWFISH_BLOCK_LEN 8
#define SKIPJACK_BLOCK_LEN 8
#define CAST128_BLOCK_LEN 8
/* the maximum of the above */
#define EALG_MAX_BLOCK_LEN 16
/* Values for hashes/MAC */
#define AALG_MAX_RESULT_LEN 64
/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */
#define CRYPTODEV_MAX_ALG_NAME 64
#define HASH_MAX_LEN 64
/* input of CIOCGSESSION */
struct session_op {
/* Specify either cipher or mac
*/
__u32 cipher; /* cryptodev_crypto_op_t */
__u32 mac; /* cryptodev_crypto_op_t */
__u32 keylen;
__u8 __user *key;
__u32 mackeylen;
__u8 __user *mackey;
__u32 ses; /* session identifier */
};
struct session_info_op {
__u32 ses; /* session identifier */
/* verbose names for the requested ciphers */
struct alg_info {
char cra_name[CRYPTODEV_MAX_ALG_NAME];
char cra_driver_name[CRYPTODEV_MAX_ALG_NAME];
} cipher_info, hash_info;
__u16 alignmask; /* alignment constraints */
__u32 flags; /* SIOP_FLAGS_* */
};
/* If this flag is set then this algorithm uses
* a driver only available in kernel (software drivers,
* or drivers based on instruction sets do not set this flag).
*
* If multiple algorithms are involved (as in AEAD case), then
* if one of them is kernel-driver-only this flag will be set.
*/
#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1
#define COP_ENCRYPT 0
#define COP_DECRYPT 1
/* input of CIOCCRYPT */
struct crypt_op {
__u32 ses; /* session identifier */
__u16 op; /* COP_ENCRYPT or COP_DECRYPT */
__u16 flags; /* see COP_FLAG_* */
__u32 len; /* length of source data */
__u8 __user *src; /* source data */
__u8 __user *dst; /* pointer to output data */
/* pointer to output data for hash/MAC operations */
__u8 __user *mac;
/* initialization vector for encryption operations */
__u8 __user *iv;
};
/* input of CIOCAUTHCRYPT */
struct crypt_auth_op {
__u32 ses; /* session identifier */
__u16 op; /* COP_ENCRYPT or COP_DECRYPT */
__u16 flags; /* see COP_FLAG_AEAD_* */
__u32 len; /* length of source data */
__u32 auth_len; /* length of auth data */
__u8 __user *auth_src; /* authenticated-only data */
/* The current implementation is more efficient if data are
* encrypted in-place (src==dst). */
__u8 __user *src; /* data to be encrypted and authenticated */
__u8 __user *dst; /* pointer to output data. Must have
* space for tag. For TLS this should be at least
* len + tag_size + block_size for padding */
__u8 __user *tag; /* where the tag will be copied to. TLS mode
* doesn't use that as tag is copied to dst.
* SRTP mode copies tag there. */
__u32 tag_len; /* the length of the tag. Use zero for digest size or max tag. */
/* initialization vector for encryption operations */
__u8 __user *iv;
__u32 iv_len;
};
/* In plain AEAD mode the following are required:
* flags : 0
* iv : the initialization vector (12 bytes)
* auth_len: the length of the data to be authenticated
* auth_src: the data to be authenticated
* len : length of data to be encrypted
* src : the data to be encrypted
* dst : space to hold encrypted data. It must have
* at least a size of len + tag_size.
* tag_size: the size of the desired authentication tag or zero to use
* the maximum tag output.
*
* Note tag isn't being used because the Linux AEAD interface
* copies the tag just after data.
*/
/* In TLS mode (used for CBC ciphers that required padding)
* the following are required:
* flags : COP_FLAG_AEAD_TLS_TYPE
* iv : the initialization vector
* auth_len: the length of the data to be authenticated only
* len : length of data to be encrypted
* auth_src: the data to be authenticated
* src : the data to be encrypted
* dst : space to hold encrypted data (preferably in-place). It must have
* at least a size of len + tag_size + blocksize.
* tag_size: the size of the desired authentication tag or zero to use
* the default mac output.
*
* Note that the padding used is the minimum padding.
*/
/* In SRTP mode the following are required:
* flags : COP_FLAG_AEAD_SRTP_TYPE
* iv : the initialization vector
* auth_len: the length of the data to be authenticated. This must
* include the SRTP header + SRTP payload (data to be encrypted) + rest
*
* len : length of data to be encrypted
* auth_src: pointer the data to be authenticated. Should point at the same buffer as src.
* src : pointer to the data to be encrypted.
* dst : This is mandatory to be the same as src (in-place only).
* tag_size: the size of the desired authentication tag or zero to use
* the default mac output.
* tag : Pointer to an address where the authentication tag will be copied.
*/
/* struct crypt_op flags */
#define COP_FLAG_NONE (0 << 0) /* totally no flag */
#define COP_FLAG_UPDATE (1 << 0) /* multi-update hash mode */
#define COP_FLAG_FINAL (1 << 1) /* multi-update final hash mode */
#define COP_FLAG_WRITE_IV (1 << 2) /* update the IV during operation */
#define COP_FLAG_NO_ZC (1 << 3) /* do not zero-copy */
#define COP_FLAG_AEAD_TLS_TYPE (1 << 4) /* authenticate and encrypt using the
* TLS protocol rules */
#define COP_FLAG_AEAD_SRTP_TYPE (1 << 5) /* authenticate and encrypt using the
* SRTP protocol rules */
#define COP_FLAG_RESET (1 << 6) /* multi-update reset the state.
* should be used in combination
* with COP_FLAG_UPDATE */
/* Stuff for bignum arithmetic and public key
* cryptography - not supported yet by linux
* cryptodev.
*/
#define CRYPTO_ALG_FLAG_SUPPORTED 1
#define CRYPTO_ALG_FLAG_RNG_ENABLE 2
#define CRYPTO_ALG_FLAG_DSA_SHA 4
struct crparam {
__u8 *crp_p;
__u32 crp_nbits;
};
#define CRK_MAXPARAM 8
/* input of CIOCKEY */
struct crypt_kop {
__u32 crk_op; /* cryptodev_crk_op_t */
__u32 crk_status;
__u16 crk_iparams;
__u16 crk_oparams;
__u32 crk_pad1;
struct crparam crk_param[CRK_MAXPARAM];
};
enum cryptodev_crk_op_t {
CRK_MOD_EXP = 0,
CRK_MOD_EXP_CRT = 1,
CRK_DSA_SIGN = 2,
CRK_DSA_VERIFY = 3,
CRK_DH_COMPUTE_KEY = 4,
CRK_ALGORITHM_ALL
};
#define CRK_ALGORITHM_MAX (CRK_ALGORITHM_ALL-1)
/* features to be queried with CIOCASYMFEAT ioctl
*/
#define CRF_MOD_EXP (1 << CRK_MOD_EXP)
#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT)
#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN)
#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY)
#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY)
/* ioctl's. Compatible with old linux cryptodev.h
*/
#define CRIOGET _IOWR('c', 101, __u32)
#define CIOCGSESSION _IOWR('c', 102, struct session_op)
#define CIOCFSESSION _IOW('c', 103, __u32)
#define CIOCCRYPT _IOWR('c', 104, struct crypt_op)
#define CIOCKEY _IOWR('c', 105, struct crypt_kop)
#define CIOCASYMFEAT _IOR('c', 106, __u32)
#define CIOCGSESSINFO _IOWR('c', 107, struct session_info_op)
/* to indicate that CRIOGET is not required in linux
*/
#define CRIOGET_NOT_NEEDED 1
/* additional ioctls for AEAD */
#define CIOCAUTHCRYPT _IOWR('c', 109, struct crypt_auth_op)
/* additional ioctls for asynchronous operation.
* These are conditionally enabled since version 1.6.
*/
#define CIOCASYNCCRYPT _IOW('c', 110, struct crypt_op)
#define CIOCASYNCFETCH _IOR('c', 111, struct crypt_op)
#endif /* L_CRYPTODEV_H */

23
package/libs/openssl/patches/100-Configure-afalg-support.patch Normal file
View File

@ -0,0 +1,23 @@
From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:29:21 -0300
Subject: Do not use host kernel version to disable AFALG
This patch prevents the Configure script from using the host kernel
version to disable building the AFALG engine on openwrt targets.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/Configure
+++ b/Configure
@@ -1554,7 +1554,9 @@ unless ($disabled{"crypto-mdebug-backtra
unless ($disabled{afalgeng}) {
$config{afalgeng}="";
- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+ if ($target =~ m/openwrt$/) {
+ push @{$config{engdirs}}, "afalg";
+ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
my $minver = 4*10000 + 1*100 + 0;
if ($config{CROSS_COMPILE} eq "") {
my $verstr = `uname -r`;

60
package/libs/openssl/patches/110-openwrt_targets.patch Normal file
View File

@ -0,0 +1,60 @@
From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:30:24 -0300
Subject: Add openwrt targets
Targets are named: linux-$(CONFIG_ARCH)-openwrt
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- /dev/null
+++ b/Configurations/25-openwrt.conf
@@ -0,0 +1,48 @@
+## Openwrt "CONFIG_ARCH" matching targets.
+
+# The targets need to end in '-openwrt' for the AFALG patch to work
+
+my %targets = (
+ "openwrt" => {
+ template => 1,
+ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
+ },
+ "linux-aarch64-openwrt" => {
+ inherit_from => [ "linux-aarch64", "openwrt" ],
+ },
+ "linux-arc-openwrt" => {
+ inherit_from => [ "linux-generic32", "openwrt" ],
+ },
+ "linux-arm-openwrt" => {
+ inherit_from => [ "linux-armv4", "openwrt" ],
+ },
+ "linux-armeb-openwrt" => {
+ inherit_from => [ "linux-armv4", "openwrt" ],
+ },
+ "linux-i386-openwrt" => {
+ inherit_from => [ "linux-x86", "openwrt" ],
+ },
+ "linux-mips-openwrt" => {
+ inherit_from => [ "linux-mips32", "openwrt" ],
+ },
+ "linux-mips64-openwrt" => {
+ inherit_from => [ "linux64-mips64", "openwrt" ],
+ },
+ "linux-mips64el-openwrt" => {
+ inherit_from => [ "linux64-mips64", "openwrt" ],
+ },
+ "linux-mipsel-openwrt" => {
+ inherit_from => [ "linux-mips32", "openwrt" ],
+ },
+ "linux-powerpc-openwrt" => {
+ inherit_from => [ "linux-ppc", "openwrt" ],
+ },
+ "linux-x86_64-openwrt" => {
+ inherit_from => [ "linux-x86_64", "openwrt" ],
+ },
+
+### Basic default option
+ "linux-generic32-openwrt" => {
+ inherit_from => [ "linux-generic32", "openwrt" ],
+ },
+);

16
package/libs/openssl/patches/110-optimize-for-size.patch
View File

@ -1,16 +0,0 @@
--- a/Configure
+++ b/Configure
@@ -470,6 +470,13 @@ my %table=(
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+# OpenWrt targets
+"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
# Android: linux-* but without pointers to headers and libs.
"android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

21
package/libs/openssl/patches/120-strip-cflags-from-binary.patch Normal file
View File

@ -0,0 +1,21 @@
From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:31:38 -0300
Subject: void exposing build directories
The CFLAGS contain the build directories, and are shown by calling
OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink
ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
DEPEND[cversion.o]=buildinf.h
-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
DEPEND[buildinf.h]=../configdata.pm
GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)

29
package/libs/openssl/patches/130-dont-build-tests-fuzz.patch Normal file
View File

@ -0,0 +1,29 @@
From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:34:38 -0300
Subject: Do not build tests and fuzz directories
This shortens build time.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/Configure
+++ b/Configure
@@ -299,7 +299,7 @@ my $auto_threads=1; # enable threads
my $default_ranlib;
# Top level directories to build
-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
+$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ];
# crypto/ subdirectories to build
$config{sdirs} = [
"objects",
@@ -311,7 +311,7 @@ $config{sdirs} = [
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
# test/ subdirectories to build
-$config{tdirs} = [ "ossl_shim" ];
+$config{tdirs} = [];
# Known TLS and DTLS protocols
my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);

64
package/libs/openssl/patches/130-perl-path.patch
View File

@ -1,64 +0,0 @@
--- a/Configure
+++ b/Configure
@@ -1,4 +1,4 @@
-:
+#!/usr/bin/perl
eval 'exec perl -S $0 ${1+"$@"}'
if $running_under_some_shell;
##
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
# Perl c_rehash script, scan all files in a directory
# and add symbolic links to their hash values.
--- a/util/clean-depend.pl
+++ b/util/clean-depend.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
# Clean the dependency list in a makefile of standard includes...
# Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
#
# generate a .def file
#
--- a/util/mkerr.pl
+++ b/util/mkerr.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
my $config = "crypto/err/openssl.ec";
my $hprefix = "openssl/";
--- a/util/mkstack.pl
+++ b/util/mkstack.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
# This is a utility that searches out "DECLARE_STACK_OF()"
# declarations in .h and .c files, and updates/creates/replaces
--- a/util/pod2man.pl
+++ b/util/pod2man.pl
@@ -1,4 +1,4 @@
-: #!/usr/bin/perl-5.005
+#!/usr/bin/perl
eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
if $running_under_some_shell;
--- a/util/selftest.pl
+++ b/util/selftest.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
#
# Run the test suite and generate a report
#

78
package/libs/openssl/patches/140-allow-prefer-chacha20.patch Normal file
View File

@ -0,0 +1,78 @@
From 286e015bf0d30530707a5e7b3b871509f2ab50d7 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:44:39 -0300
Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
This enables a compile-time option to prefer ChaCha20-Poly1305 over
AES-GCM in the openssl default ciphersuite, which is useful in systems
without AES specific CPU instructions.
OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
Note that this does not have the same effect as the
SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
when the client has it on top of its ciphersuite preference.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -173,9 +173,15 @@ extern "C" {
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
/* This is the default set of TLSv1.3 ciphersuites */
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
+# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_256_GCM_SHA384:" \
+ "TLS_AES_128_GCM_SHA256"
+# else
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256"
+# endif
# else
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
"TLS_AES_128_GCM_SHA256"
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1464,11 +1464,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
&tail);
+ /*
+ * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
+ * will be placed before AES-256. Otherwise, the default behavior of
+ * preferring GCM over CHACHA is used.
+ * This is useful for systems that do not have AES-specific CPU
+ * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
+ * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
+ * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
+ * of its ciphersuite preference.
+ */
+
+#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+ &head, &tail);
+ ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+ &head, &tail);
+#else
/* Within each strength group, we prefer GCM over CHACHA... */
ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
&head, &tail);
ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
&head, &tail);
+#endif
/*
* ...and generally, our preferred cipher is AES.
@@ -1524,7 +1542,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* Within each group, ciphers remain sorted by strength and previous
* preference, i.e.,
* 1) ECDHE > DHE
- * 2) GCM > CHACHA
+ * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined
* 3) AES > rest
* 4) TLS 1.2 > legacy
*

11
package/libs/openssl/patches/140-makefile-dirs.patch
View File

@ -1,11 +0,0 @@
--- a/Makefile.org
+++ b/Makefile.org
@@ -137,7 +137,7 @@ FIPSCANLIB=
BASEADDR=
-DIRS= crypto ssl engines apps test tools
+DIRS= crypto ssl apps
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl

81
package/libs/openssl/patches/150-no_engines.patch
View File

@ -1,81 +0,0 @@
--- a/Configure
+++ b/Configure
@@ -2144,6 +2144,11 @@ EOF
close(OUT);
}
+# ugly hack to disable engines
+if($target eq "mingwx") {
+ system("sed -e s/^LIB/XLIB/g -i engines/Makefile");
+}
+
print <<EOF;
Configured for $target.
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -2075,7 +2075,6 @@ PKCS7_ATTR_SIGN_it
UI_add_error_string 2633 EXIST::FUNCTION:
KRB5_CHECKSUM_free 2634 EXIST::FUNCTION:
OCSP_REQUEST_get_ext 2635 EXIST::FUNCTION:
-ENGINE_load_ubsec 2636 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
ENGINE_register_all_digests 2637 EXIST::FUNCTION:ENGINE
PKEY_USAGE_PERIOD_it 2638 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
PKEY_USAGE_PERIOD_it 2638 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2549,7 +2548,6 @@ OCSP_RESPONSE_new
AES_set_encrypt_key 3024 EXIST::FUNCTION:AES
OCSP_resp_count 3025 EXIST::FUNCTION:
KRB5_CHECKSUM_new 3026 EXIST::FUNCTION:
-ENGINE_load_cswift 3027 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
OCSP_onereq_get0_id 3028 EXIST::FUNCTION:
ENGINE_set_default_ciphers 3029 EXIST::FUNCTION:ENGINE
NOTICEREF_it 3030 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2580,7 +2578,6 @@ ASN1_primitive_free
i2d_EXTENDED_KEY_USAGE 3052 EXIST::FUNCTION:
i2d_OCSP_SIGNATURE 3053 EXIST::FUNCTION:
asn1_enc_save 3054 EXIST::FUNCTION:
-ENGINE_load_nuron 3055 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
_ossl_old_des_pcbc_encrypt 3056 EXIST::FUNCTION:DES
PKCS12_MAC_DATA_it 3057 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
PKCS12_MAC_DATA_it 3057 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2604,7 +2601,6 @@ asn1_get_choice_selector
i2d_KRB5_CHECKSUM 3072 EXIST::FUNCTION:
ENGINE_set_table_flags 3073 EXIST::FUNCTION:ENGINE
AES_options 3074 EXIST::FUNCTION:AES
-ENGINE_load_chil 3075 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
OCSP_id_cmp 3076 EXIST::FUNCTION:
OCSP_BASICRESP_new 3077 EXIST::FUNCTION:
OCSP_REQUEST_get_ext_by_NID 3078 EXIST::FUNCTION:
@@ -2671,7 +2667,6 @@ OCSP_CRLID_it
OCSP_CRLID_it 3127 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
i2d_KRB5_AUTHENTBODY 3128 EXIST::FUNCTION:
OCSP_REQUEST_get_ext_count 3129 EXIST::FUNCTION:
-ENGINE_load_atalla 3130 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
X509_NAME_it 3131 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
X509_NAME_it 3131 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
USERNOTICE_it 3132 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2766,8 +2761,6 @@ DES_read_2passwords
DES_read_password 3207 EXIST::FUNCTION:DES
UI_UTIL_read_pw 3208 EXIST::FUNCTION:
UI_UTIL_read_pw_string 3209 EXIST::FUNCTION:
-ENGINE_load_aep 3210 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
-ENGINE_load_sureware 3211 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
OPENSSL_add_all_algorithms_noconf 3212 EXIST:!VMS:FUNCTION:
OPENSSL_add_all_algo_noconf 3212 EXIST:VMS:FUNCTION:
OPENSSL_add_all_algorithms_conf 3213 EXIST:!VMS:FUNCTION:
@@ -2776,7 +2769,6 @@ OPENSSL_load_builtin_modules
AES_ofb128_encrypt 3215 EXIST::FUNCTION:AES
AES_ctr128_encrypt 3216 EXIST::FUNCTION:AES
AES_cfb128_encrypt 3217 EXIST::FUNCTION:AES
-ENGINE_load_4758cca 3218 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
_ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES
EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES
EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES
@@ -3111,7 +3103,6 @@ EC_GFp_nist_method
STORE_meth_set_modify_fn 3530 NOEXIST::FUNCTION:
STORE_method_set_modify_function 3530 NOEXIST::FUNCTION:
STORE_parse_attrs_next 3531 NOEXIST::FUNCTION:
-ENGINE_load_padlock 3532 EXIST::FUNCTION:ENGINE,STATIC_ENGINE
EC_GROUP_set_curve_name 3533 EXIST::FUNCTION:EC
X509_CERT_PAIR_it 3534 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
X509_CERT_PAIR_it 3534 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:

58
package/libs/openssl/patches/160-disable_doc_tests.patch
View File

@ -1,58 +0,0 @@
--- a/Makefile
+++ b/Makefile
@@ -139,7 +139,7 @@ FIPSCANLIB=
BASEADDR=0xFB00000
-DIRS= crypto ssl engines apps test tools
+DIRS= crypto ssl engines apps tools
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
@@ -157,7 +157,7 @@ SDIRS= \
# tests to perform. "alltests" is a special word indicating that all tests
# should be performed.
-TESTS = alltests
+TESTS =
MAKEFILE= Makefile
@@ -171,7 +171,7 @@ SHELL=/bin/sh
TOP= .
ONEDIRS=out tmp
-EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS
+EDIRS= times bugs util include certs ms shlib mt demos perl sf dep VMS
WDIRS= windows
LIBS= libcrypto.a libssl.a
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
@@ -276,7 +276,7 @@ reflect:
sub_all: build_all
-build_all: build_libs build_apps build_tests build_tools
+build_all: build_libs build_apps build_tools
build_libs: build_libcrypto build_libssl openssl.pc
@@ -542,7 +542,7 @@ dist:
@$(MAKE) SDIRS='$(SDIRS)' clean
@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-install: all install_docs install_sw
+install: all install_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
--- a/Makefile.org
+++ b/Makefile.org
@@ -540,7 +540,7 @@ dist:
@$(MAKE) SDIRS='$(SDIRS)' clean
@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-install: all install_docs install_sw
+install: all install_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \

8
package/libs/openssl/patches/170-bash_path.patch
View File

@ -1,8 +0,0 @@
--- a/util/domd
+++ b/util/domd
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
# Do a makedepend, only leave out the standard headers
# Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999

18
package/libs/openssl/patches/180-fix_link_segfault.patch
View File

@ -1,18 +0,0 @@
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -95,7 +95,6 @@ LINK_APP= \
LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
LINK_SO= \
@@ -105,7 +104,6 @@ LINK_SO= \
SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${SHAREDCMD} $${SHAREDFLAGS} \
-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \

23
package/libs/openssl/patches/190-remove_timestamp_check.patch
View File

@ -1,23 +0,0 @@
--- a/Makefile.org
+++ b/Makefile.org
@@ -185,7 +185,7 @@ TARFILE= ../$(NAME).tar
EXHEADER= e_os2.h
HEADER= e_os.h
-all: Makefile build_all
+all: build_all
# as we stick to -e, CLEARENV ensures that local variables in lower
# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
@@ -404,11 +404,6 @@ openssl.pc: Makefile
echo 'Version: '$(VERSION); \
echo 'Requires: libssl libcrypto' ) > openssl.pc
-Makefile: Makefile.org Configure config
- @echo "Makefile is older than Makefile.org, Configure or config."
- @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
- @false
-
libclean:
rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib

42
package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch Normal file
View File

@ -0,0 +1,42 @@
From be5cf61caa425070ec4f3e925d4e9aa484c8315b Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 5 Nov 2018 17:59:42 -0200
Subject: [PATCH 1/7] eng_devcrypto: don't leak methods tables
Call functions to prepare methods after confirming that /dev/crytpo was
sucessfully open and that the destroy function has been set.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit d9d4dff5c640990d45af115353fc9f88a497a56c)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -619,11 +619,6 @@ void engine_load_devcrypto_int()
return;
}
- prepare_cipher_methods();
-#ifdef IMPLEMENT_DIGEST
- prepare_digest_methods();
-#endif
-
if ((e = ENGINE_new()) == NULL
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
ENGINE_free(e);
@@ -636,6 +631,11 @@ void engine_load_devcrypto_int()
return;
}
+ prepare_cipher_methods();
+#ifdef IMPLEMENT_DIGEST
+ prepare_digest_methods();
+#endif
+
if (!ENGINE_set_id(e, "devcrypto")
|| !ENGINE_set_name(e, "/dev/crypto engine")

184
package/libs/openssl/patches/200-parallel_build.patch
View File

@ -1,184 +0,0 @@
--- a/Makefile.org
+++ b/Makefile.org
@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi
build_libssl: build_ssl libssl.pc
build_crypto:
- @dir=crypto; target=all; $(BUILD_ONE_CMD)
+ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
build_ssl: build_crypto
- @dir=ssl; target=all; $(BUILD_ONE_CMD)
+ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
build_engines: build_crypto
- @dir=engines; target=all; $(BUILD_ONE_CMD)
+ +@dir=engines; target=all; $(BUILD_ONE_CMD)
build_apps: build_libs
- @dir=apps; target=all; $(BUILD_ONE_CMD)
+ +@dir=apps; target=all; $(BUILD_ONE_CMD)
build_tests: build_libs
- @dir=test; target=all; $(BUILD_ONE_CMD)
+ +@dir=test; target=all; $(BUILD_ONE_CMD)
build_tools: build_libs
- @dir=tools; target=all; $(BUILD_ONE_CMD)
+ +@dir=tools; target=all; $(BUILD_ONE_CMD)
all_testapps: build_libs build_testapps
build_testapps:
@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut
@set -e; target=update; $(RECURSIVE_BUILD_CMD)
depend:
- @set -e; target=depend; $(RECURSIVE_BUILD_CMD)
+ +@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
lint:
@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
@@ -535,9 +535,9 @@ dist:
@$(MAKE) SDIRS='$(SDIRS)' clean
@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-install: all install_sw
+install: install_sw
-install_sw:
+install_dirs:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
@@ -546,12 +546,19 @@ install_sw:
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
$(INSTALL_PREFIX)$(OPENSSLDIR)/private
+ @$(PERL) $(TOP)/util/mkdir-p.pl \
+ $(INSTALL_PREFIX)$(MANDIR)/man1 \
+ $(INSTALL_PREFIX)$(MANDIR)/man3 \
+ $(INSTALL_PREFIX)$(MANDIR)/man5 \
+ $(INSTALL_PREFIX)$(MANDIR)/man7
+
+install_sw: install_dirs
@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
do \
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
do \
if [ -f "$$i" ]; then \
@@ -635,12 +642,7 @@ install_html_docs:
done; \
done
-install_docs:
- @$(PERL) $(TOP)/util/mkdir-p.pl \
- $(INSTALL_PREFIX)$(MANDIR)/man1 \
- $(INSTALL_PREFIX)$(MANDIR)/man3 \
- $(INSTALL_PREFIX)$(MANDIR)/man5 \
- $(INSTALL_PREFIX)$(MANDIR)/man7
+install_docs: install_dirs
@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
here="`pwd`"; \
filecase=; \
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -120,6 +120,7 @@ SYMLINK_SO= \
done; \
fi; \
if [ -n "$$SHLIB_SOVER" ]; then \
+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
fi; \
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -85,11 +85,11 @@ testapps:
@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
subdirs:
- @target=all; $(RECURSIVE_MAKE)
+ +@target=all; $(RECURSIVE_MAKE)
files:
$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
- @target=files; $(RECURSIVE_MAKE)
+ +@target=files; $(RECURSIVE_MAKE)
links:
@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
@@ -100,7 +100,7 @@ links:
# lib: $(LIB): are splitted to avoid end-less loop
lib: $(LIB)
@touch lib
-$(LIB): $(LIBOBJ)
+$(LIB): $(LIBOBJ) | subdirs
$(AR) $(LIB) $(LIBOBJ)
test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
$(RANLIB) $(LIB) || echo Never mind.
@@ -111,7 +111,7 @@ shared: buildinf.h lib subdirs
fi
libs:
- @target=lib; $(RECURSIVE_MAKE)
+ +@target=lib; $(RECURSIVE_MAKE)
install:
@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
@@ -120,7 +120,7 @@ install:
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
- @target=install; $(RECURSIVE_MAKE)
+ +@target=install; $(RECURSIVE_MAKE)
lint:
@target=lint; $(RECURSIVE_MAKE)
--- a/engines/Makefile
+++ b/engines/Makefile
@@ -72,7 +72,7 @@ top:
all: lib subdirs
-lib: $(LIBOBJ)
+lib: $(LIBOBJ) | subdirs
@if [ -n "$(SHARED_LIBS)" ]; then \
set -e; \
for l in $(LIBNAMES); do \
@@ -89,7 +89,7 @@ lib: $(LIBOBJ)
subdirs:
echo $(EDIRS)
- @target=all; $(RECURSIVE_MAKE)
+ +@target=all; $(RECURSIVE_MAKE)
files:
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -128,7 +128,7 @@ install:
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
done; \
fi
- @target=install; $(RECURSIVE_MAKE)
+ +@target=install; $(RECURSIVE_MAKE)
tags:
ctags $(SRC)
--- a/test/Makefile
+++ b/test/Makefile
@@ -145,7 +145,7 @@ install:
tags:
ctags $(SRC)
-tests: exe apps $(TESTS)
+tests: exe $(TESTS)
apps:
@(cd ..; $(MAKE) DIRS=apps all)
@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
# fi
dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
- @target=dummytest; $(BUILD_CMD)
+ +@target=dummytest; $(BUILD_CMD)
# DO NOT DELETE THIS LINE -- make depend depends on it.

37
package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch Normal file
View File

@ -0,0 +1,37 @@
From add2ab1f289c24a1563c5b895d5cd133fe874f12 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Wed, 14 Nov 2018 11:22:14 -0200
Subject: [PATCH 2/7] eng_devcrypto: expand digest failure cases
Return failure when the digest_ctx is null in digest_update and
digest_final, and when md is null in digest_final.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit 4d9f99654441e36fdcb49540a1dbc9d4c70ccb68)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -438,6 +438,9 @@ static int digest_update(EVP_MD_CTX *ctx
if (count == 0)
return 1;
+ if (digest_ctx == NULL)
+ return 0;
+
if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
@@ -451,6 +454,8 @@ static int digest_final(EVP_MD_CTX *ctx,
struct digest_ctx *digest_ctx =
(struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
+ if (md == NULL || digest_ctx == NULL)
+ return 0;
if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;

53
package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch Normal file
View File

@ -0,0 +1,53 @@
From 68b02a8ab798b7e916c8141a36ab69d7493fc707 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Wed, 14 Nov 2018 13:58:06 -0200
Subject: [PATCH 3/7] eng_devcrypto: fix copy of unitilialized digest
If the source ctx has not been initialized, don't initialize the copy
either.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit ae8183690fa53b978d4647563f5a521c4cafe94c)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -338,7 +338,8 @@ static int devcrypto_ciphers(ENGINE *e,
struct digest_ctx {
struct session_op sess;
- int init;
+ /* This signals that the init function was called, not that it succeeded. */
+ int init_called;
};
static const struct digest_data_st {
@@ -403,7 +404,7 @@ static int digest_init(EVP_MD_CTX *ctx)
const struct digest_data_st *digest_d =
get_digest_data(EVP_MD_CTX_type(ctx));
- digest_ctx->init = 1;
+ digest_ctx->init_called = 1;
memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
digest_ctx->sess.mac = digest_d->devcryptoid;
@@ -476,14 +477,9 @@ static int digest_copy(EVP_MD_CTX *to, c
(struct digest_ctx *)EVP_MD_CTX_md_data(to);
struct cphash_op cphash;
- if (digest_from == NULL)
+ if (digest_from == NULL || digest_from->init_called != 1)
return 1;
- if (digest_from->init != 1) {
- SYSerr(SYS_F_IOCTL, EINVAL);
- return 0;
- }
-
if (!digest_init(to)) {
SYSerr(SYS_F_IOCTL, errno);
return 0;

46
package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch Normal file
View File

@ -0,0 +1,46 @@
From 5378c582c8d3f1130b17abb2950bfd09cde099c6 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 5 Nov 2018 15:59:44 -0200
Subject: [PATCH 4/7] eng_devcrypto: close session on cleanup, not final
Close the session in digest_cleanup instead of digest_final. A failure
in closing the session does not mean a previous successful digest final
has failed as well.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit a67203a19d379a8cc8b369587c60c46eb4e19014)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -461,10 +461,6 @@ static int digest_final(EVP_MD_CTX *ctx,
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
- if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
- }
return 1;
}
@@ -496,6 +492,15 @@ static int digest_copy(EVP_MD_CTX *to, c
static int digest_cleanup(EVP_MD_CTX *ctx)
{
+ struct digest_ctx *digest_ctx =
+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
+
+ if (digest_ctx == NULL)
+ return 1;
+ if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
+ }
return 1;
}

54
package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch Normal file
View File

@ -0,0 +1,54 @@
From a19d1a1d370e2959555fccbafc4e970634840352 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Tue, 13 Nov 2018 09:23:22 -0200
Subject: [PATCH 5/7] eng_devcrypto: add cipher CTX copy function
The engine needs a custom cipher context copy function to open a new
/dev/crypto session.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit 6d99e238397859f2df58c60e28905193b2dd6762)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -207,6 +207,22 @@ static int cipher_do_cipher(EVP_CIPHER_C
return 1;
}
+static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
+{
+ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2;
+ struct cipher_ctx *cipher_ctx;
+
+ if (type == EVP_CTRL_COPY) {
+ /* when copying the context, a new session needs to be initialized */
+ cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+ return (cipher_ctx == NULL)
+ || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
+ (cipher_ctx->op == COP_ENCRYPT));
+ }
+
+ return -1;
+}
+
static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
{
struct cipher_ctx *cipher_ctx =
@@ -258,10 +274,12 @@ static void prepare_cipher_methods(void)
cipher_data[i].ivlen)
|| !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
cipher_data[i].flags
+ | EVP_CIPH_CUSTOM_COPY
| EVP_CIPH_FLAG_DEFAULT_ASN1)
|| !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
cipher_do_cipher)
+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
cipher_cleanup)
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],

217
package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch Normal file
View File

@ -0,0 +1,217 @@
From 2887a5c8f9a385b3ebee12b98f68e7d1f9cc0ea0 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Wed, 28 Nov 2018 11:26:27 -0200
Subject: [PATCH 6/7] eng_devcrypto: fix ctr mode
Make CTR mode behave like a stream cipher.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit b5015e834aa7d3f0a5d7585a8fae05cecbdbb848)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -47,10 +47,12 @@ static int cfd;
struct cipher_ctx {
struct session_op sess;
-
- /* to pass from init to do_cipher */
- const unsigned char *iv;
int op; /* COP_ENCRYPT or COP_DECRYPT */
+ unsigned long mode; /* EVP_CIPH_*_MODE */
+
+ /* to handle ctr mode being a stream cipher */
+ unsigned char partial[EVP_MAX_BLOCK_LENGTH];
+ unsigned int blocksize, num;
};
static const struct cipher_data_st {
@@ -87,9 +89,9 @@ static const struct cipher_data_st {
{ NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
- { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
#endif
#if 0 /* Not yet supported */
{ NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
@@ -146,6 +148,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
cipher_ctx->sess.keylen = cipher_d->keylen;
cipher_ctx->sess.key = (void *)key;
cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
+ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
+ cipher_ctx->blocksize = cipher_d->blocksize;
if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
@@ -160,8 +164,11 @@ static int cipher_do_cipher(EVP_CIPHER_C
struct cipher_ctx *cipher_ctx =
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
struct crypt_op cryp;
+ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
#if !defined(COP_FLAG_WRITE_IV)
unsigned char saved_iv[EVP_MAX_IV_LENGTH];
+ const unsigned char *ivptr;
+ size_t nblocks, ivlen;
#endif
memset(&cryp, 0, sizeof(cryp));
@@ -169,19 +176,28 @@ static int cipher_do_cipher(EVP_CIPHER_C
cryp.len = inl;
cryp.src = (void *)in;
cryp.dst = (void *)out;
- cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx);
+ cryp.iv = (void *)iv;
cryp.op = cipher_ctx->op;
#if !defined(COP_FLAG_WRITE_IV)
cryp.flags = 0;
- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
- if (!EVP_CIPHER_CTX_encrypting(ctx)) {
- unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx);
+ ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+ if (ivlen > 0)
+ switch (cipher_ctx->mode) {
+ case EVP_CIPH_CBC_MODE:
+ assert(inl >= ivlen);
+ if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+ ivptr = in + inl - ivlen;
+ memcpy(saved_iv, ivptr, ivlen);
+ }
+ break;
+
+ case EVP_CIPH_CTR_MODE:
+ break;
- memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx));
+ default: /* should not happen */
+ return 0;
}
- }
#else
cryp.flags = COP_FLAG_WRITE_IV;
#endif
@@ -192,17 +208,74 @@ static int cipher_do_cipher(EVP_CIPHER_C
}
#if !defined(COP_FLAG_WRITE_IV)
- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
- unsigned char *ivptr = saved_iv;
+ if (ivlen > 0)
+ switch (cipher_ctx->mode) {
+ case EVP_CIPH_CBC_MODE:
+ assert(inl >= ivlen);
+ if (EVP_CIPHER_CTX_encrypting(ctx))
+ ivptr = out + inl - ivlen;
+ else
+ ivptr = saved_iv;
+
+ memcpy(iv, ivptr, ivlen);
+ break;
+
+ case EVP_CIPH_CTR_MODE:
+ nblocks = (inl + cipher_ctx->blocksize - 1)
+ / cipher_ctx->blocksize;
+ do {
+ ivlen--;
+ nblocks += iv[ivlen];
+ iv[ivlen] = (uint8_t) nblocks;
+ nblocks >>= 8;
+ } while (ivlen);
+ break;
+
+ default: /* should not happen */
+ return 0;
+ }
+#endif
+
+ return 1;
+}
- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
- if (!EVP_CIPHER_CTX_encrypting(ctx))
- ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx);
+static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ struct cipher_ctx *cipher_ctx =
+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+ size_t nblocks, len;
- memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr,
- EVP_CIPHER_CTX_iv_length(ctx));
+ /* initial partial block */
+ while (cipher_ctx->num && inl) {
+ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num];
+ --inl;
+ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize;
+ }
+
+ /* full blocks */
+ if (inl > (unsigned int) cipher_ctx->blocksize) {
+ nblocks = inl/cipher_ctx->blocksize;
+ len = nblocks * cipher_ctx->blocksize;
+ if (cipher_do_cipher(ctx, out, in, len) < 1)
+ return 0;
+ inl -= len;
+ out += len;
+ in += len;
+ }
+
+ /* final partial block */
+ if (inl) {
+ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize);
+ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial,
+ cipher_ctx->blocksize) < 1)
+ return 0;
+ while (inl--) {
+ out[cipher_ctx->num] = in[cipher_ctx->num]
+ ^ cipher_ctx->partial[cipher_ctx->num];
+ cipher_ctx->num++;
+ }
}
-#endif
return 1;
}
@@ -249,6 +322,7 @@ static void prepare_cipher_methods(void)
{
size_t i;
struct session_op sess;
+ unsigned long cipher_mode;
memset(&sess, 0, sizeof(sess));
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
@@ -266,9 +340,12 @@ static void prepare_cipher_methods(void)
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
continue;
+ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
+
if ((known_cipher_methods[i] =
EVP_CIPHER_meth_new(cipher_data[i].nid,
- cipher_data[i].blocksize,
+ cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
+ cipher_data[i].blocksize,
cipher_data[i].keylen)) == NULL
|| !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
cipher_data[i].ivlen)
@@ -278,6 +355,8 @@ static void prepare_cipher_methods(void)
| EVP_CIPH_FLAG_DEFAULT_ASN1)
|| !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
+ cipher_mode == EVP_CIPH_CTR_MODE ?
+ ctr_do_cipher :
cipher_do_cipher)
|| !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],

71
package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch Normal file
View File

@ -0,0 +1,71 @@
From 488521d77fdc1de5ae256ce0d9203e35ebc92993 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Sat, 8 Dec 2018 18:01:04 -0200
Subject: [PATCH 7/7] eng_devcrypto: make sure digest can do copy
Digest must be able to do partial-state copy to be used.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit 16e252a01b754a13e83d5e5e87afbe389997926b)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -601,6 +601,30 @@ static int digest_cleanup(EVP_MD_CTX *ct
return 1;
}
+static int devcrypto_test_digest(size_t digest_data_index)
+{
+ struct session_op sess1, sess2;
+ struct cphash_op cphash;
+ int ret=0;
+
+ memset(&sess1, 0, sizeof(sess1));
+ memset(&sess2, 0, sizeof(sess2));
+ sess1.mac = digest_data[digest_data_index].devcryptoid;
+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
+ return 0;
+ /* Make sure the driver is capable of hash state copy */
+ sess2.mac = sess1.mac;
+ if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
+ cphash.src_ses = sess1.ses;
+ cphash.dst_ses = sess2.ses;
+ if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
+ ret = 1;
+ ioctl(cfd, CIOCFSESSION, &sess2.ses);
+ }
+ ioctl(cfd, CIOCFSESSION, &sess1.ses);
+ return ret;
+}
+
/*
* Keep a table of known nids and associated methods.
* Note that known_digest_nids[] isn't necessarily indexed the same way as
@@ -613,20 +637,14 @@ static EVP_MD *known_digest_methods[OSSL
static void prepare_digest_methods(void)
{
size_t i;
- struct session_op sess;
-
- memset(&sess, 0, sizeof(sess));
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
i++) {
/*
- * Check that the algo is really availably by trying to open and close
- * a session.
+ * Check that the algo is usable
*/
- sess.mac = digest_data[i].devcryptoid;
- if (ioctl(cfd, CIOCGSESSION, &sess) < 0
- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
+ if (!devcrypto_test_digest(i))
continue;
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,