openssl: update to version 1.1.1a

This version adds the following functionality:
  * TLS 1.3
  * AFALG engine support for hardware acceleration
  * x25519 ECC curve support
  * CRIME protection: disable use of compression by default
  * Support for ChaCha20 and Poly1305

Patches fixing bugs in the /dev/crypto engine were applied, from
openssl/openssl#7585

This increases the size of the ipk binary on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
cotequeiroz authored and hauke committed Oct 24, 2018
1 parent be38922 commit d872d00b2f7e31b98e11e83922d1aaefc270647e
Showing with 774 additions and 492 deletions.
  1. +61 −4 package/libs/openssl/Config.in
  2. +60 −57 package/libs/openssl/Makefile
  3. +23 −0 package/libs/openssl/patches/100-Configure-afalg-support.patch
  4. +0 −44 package/libs/openssl/patches/100-openwrt_targets.patch
  5. +60 −0 package/libs/openssl/patches/110-openwrt_targets.patch
  6. +0 −64 package/libs/openssl/patches/110-perl-path.patch
  7. +0 −11 package/libs/openssl/patches/120-makefile-dirs.patch
  8. +21 −0 package/libs/openssl/patches/120-strip-cflags-from-binary.patch
  9. +0 −58 package/libs/openssl/patches/130-disable_doc_tests.patch
  10. +29 −0 package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
  11. +0 −8 package/libs/openssl/patches/140-bash_path.patch
  12. +0 −18 package/libs/openssl/patches/150-fix_link_segfault.patch
  13. +0 −23 package/libs/openssl/patches/160-remove_timestamp_check.patch
  14. +0 −184 package/libs/openssl/patches/170-parallel_build.patch
  15. +0 −21 package/libs/openssl/patches/180-strip-cflags-from-binary.patch
  16. +42 −0 package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch
  17. +37 −0 package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch
  18. +53 −0 package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch
  19. +46 −0 package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch
  20. +54 −0 package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch
  21. +217 −0 package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch
  22. +71 −0 package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch
@@ -53,7 +53,9 @@ config OPENSSL_WITH_DEPRECATED
default y
prompt "Include deprecated APIs (See help for a list of packages that need this)"
help
Squid currently requires this.
Since openssl 1.1.x is still new to openwrt, some packages
requiring this option do not list it as a requirement yet:
* freeswitch-stable, freeswitch, python, python3, squid.

config OPENSSL_NO_DEPRECATED
bool
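
Review bot: The new help text for OPENSSL_WITH_DEPRECATED keeps a hand-maintained list (freeswitch-stable, freeswitch, python, python3, squid) of packages that need the option but do not declare it, and that list will go stale as soon as one of them is fixed or another is found. Prefer having each of those packages select or depend on OPENSSL_WITH_DEPRECATED, and keep the help text to a pointer on how to find dependents; until then a build with the option off fails only when the dependent package is compiled.
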
@@ -68,6 +70,21 @@ config OPENSSL_WITH_ERROR_MESSAGES

comment "Protocol Support"

config OPENSSL_WITH_TLS13
bool
default y
prompt "Enable support for TLS 1.3"
select OPENSSL_WITH_EC
help
TLS 1.3 is the newest version of the TLS specification.
It aims:
* to increase the overall security of the protocol,
removing outdated algorithms, and encrypting more of the
protocol;
* to increase performance by reducing the number of round-trips
when performing a full handshake.
It increases package size by ~4KB.

config OPENSSL_WITH_DTLS
bool
prompt "Enable DTLS support"
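
Review bot: OPENSSL_WITH_TLS13 is "default y" and does "select OPENSSL_WITH_EC", so on a default configuration elliptic-curve support can no longer be switched off without first disabling TLS 1.3, and nothing in the help says so. Add a sentence to the help stating that enabling TLS 1.3 forces EC support on, so the size and algorithm implications are visible to anyone trimming the build.
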
@@ -120,6 +137,16 @@ config OPENSSL_WITH_EC2M
This option enables the more efficient, yet less common, binary
field elliptic curves.

config OPENSSL_WITH_CHACHA_POLY1305
bool
default y
prompt "Enable ChaCha20-Poly1305 ciphersuite support"
help
ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
combining ChaCha stream cipher with Poly1305 MAC.
It is 3x faster than AES, when not using a CPU with AES-specific
instructions, as is the case of most embedded devices.

config OPENSSL_WITH_PSK
bool
default y
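
Review bot: The help for OPENSSL_WITH_CHACHA_POLY1305 states "It is 3x faster than AES" as a fixed figure with no reference to the target or the AES mode it was measured against. Either soften it to "considerably faster than software AES on CPUs without AES instructions" or name the benchmark and platform, since this text will be read as guidance for choosing ciphersuites on very different SoCs.
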
@@ -129,6 +156,12 @@ config OPENSSL_WITH_PSK

comment "Less commonly used build options"

config OPENSSL_WITH_ARIA
bool
prompt "Enable ARIA support"
help
ARIA is a block cipher developed in South Korea, based on AES.

config OPENSSL_WITH_CAMELLIA
bool
prompt "Enable Camellia cipher support"
@@ -149,6 +182,23 @@ config OPENSSL_WITH_SEED
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.

config OPENSSL_WITH_SM234
bool
prompt "Enable SM2/3/4 algorithms support"
help
These algorithms are a set of "Commercial Cryptography"
algorithms approved for use in China.
* SM2 is an EC algorithm equivalent to ECDSA P-256
* SM3 is a hash function equivalent to SHA-256
* SM4 is a 128-block cipher equivalent to AES-128

config OPENSSL_WITH_BLAKE2
bool
prompt "Enable BLAKE2 digest support"
help
BLAKE2 is a cryptographic hash function based on the ChaCha
stream cipher.

config OPENSSL_WITH_MDC2
bool
prompt "Enable MDC2 digest support"
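
Review bot: In the OPENSSL_WITH_SM234 help, "SM4 is a 128-block cipher" is missing a word and should read "128-bit block cipher". The word "equivalent" in all three bullets also reads as if SM2/SM3/SM4 were interchangeable with ECDSA P-256, SHA-256 and AES-128; they are distinct algorithms with similar parameters, so "comparable to" would be more accurate.
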
@@ -199,10 +249,14 @@ config OPENSSL_ENGINE_CRYPTO
API modules) for /dev/crypto to show up and use hardware
acceleration; otherwise it falls back to software.

config OPENSSL_ENGINE_DIGEST
config OPENSSL_WITH_ASYNC
bool
depends on OPENSSL_ENGINE_CRYPTO
prompt "/dev/crypto digest (md5/sha1) acceleration support"
prompt "Enable asynchronous jobs support"
depends on OPENSSL_ENGINE && USE_GLIBC
help
Enables async-aware applications to be able to use OpenSSL to
initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine.

config OPENSSL_WITH_GOST
bool
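
Review bot: OPENSSL_WITH_ASYNC carries "depends on OPENSSL_ENGINE && USE_GLIBC" but the help does not explain the libc restriction, so the option simply disappears from menuconfig on other libc choices with no hint why. Add one line to the help saying why glibc is required, and note that the async-capable engine mentioned in the last sentence has to be selected separately.
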
@@ -211,6 +265,9 @@ config OPENSSL_WITH_GOST
help
This option prepares the library to accept engine support
for Russian GOST crypto algorithms.
The gost engine is not included in standard openwrt feeds.
To build such engine yourself, see:
https://github.com/gost-engine/engine

endif

@@ -8,11 +8,12 @@
include $(TOPDIR)/rules.mk

PKG_NAME:=openssl
PKG_BASE:=1.0.2
PKG_BUGFIX:=q
PKG_BASE:=1.1.1
PKG_BUGFIX:=a
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
PKG_RELEASE:=2
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1

PKG_BUILD_PARALLEL:=0
PKG_BUILD_DEPENDS:=cryptodev-linux
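
Review bot: PKG_RELEASE stays at 2 while PKG_BASE and PKG_BUGFIX move to a new upstream version; unless the -2 in the new ipk names is intentional, reset it to 1 with the version bump. The new "ENGINES_DIR=engines-1.1" also hard-codes the same 1.1 that ABI_VERSION carries further down and uses "=" where the neighbouring assignments use ":="; deriving it from a single variable would keep the two from drifting apart on the next bump.
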
@@ -24,20 +25,22 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
ENGINES_DIR=engines
PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41

PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_CRYPTO \
CONFIG_OPENSSL_ENGINE_DIGEST \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
CONFIG_OPENSSL_WITH_ARIA \
CONFIG_OPENSSL_WITH_ASM \
CONFIG_OPENSSL_WITH_ASYNC \
CONFIG_OPENSSL_WITH_BLAKE2 \
CONFIG_OPENSSL_WITH_CAMELLIA \
CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_DTLS \
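
Review bot: The PKG_SOURCE_URL entries kept as context are all ftp:// or http://, so the integrity of the 1.1.1a download rests entirely on the new PKG_HASH value. While touching this block, switch the openssl.org entries to https:// and state in the commit message that the hash was checked against the SHA-256 published upstream for the release tarball.
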
@@ -51,8 +54,10 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_PSK \
CONFIG_OPENSSL_WITH_RFC3779 \
CONFIG_OPENSSL_WITH_SEED \
CONFIG_OPENSSL_WITH_SM234 \
CONFIG_OPENSSL_WITH_SRP \
CONFIG_OPENSSL_WITH_SSE2 \
CONFIG_OPENSSL_WITH_TLS13 \
CONFIG_OPENSSL_WITH_WHIRLPOOL

include $(INCLUDE_DIR)/package.mk
@@ -85,7 +90,7 @@ $(call Package/openssl/Default)
SUBMENU:=SSL
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
TITLE+= (libraries)
ABI_VERSION:=1.0.0
ABI_VERSION:=1.1
MENU:=1
endef

@@ -111,18 +116,19 @@ $(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef

define Package/libopenssl-gost
define Package/libopenssl-afalg
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=Russian GOST algorithms engine
DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
TITLE:=AFALG hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user
endef

define Package/libopenssl-gost/description
This package adds an engine that enables Russian GOST algorithms.
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
The engine_id is "gost"
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
The engine_id is "afalg"
endef

define Package/libopenssl-padlock
@@ -135,11 +141,23 @@ endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
To use it, you need to configure it in /etc/ssl/openssl.cnf.
See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
The engine_id is "padlock"
endef

OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
OPENSSL_OPTIONS:= shared

ifndef CONFIG_OPENSSL_WITH_BLAKE2
OPENSSL_OPTIONS += no-blake2
endif

ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
OPENSSL_OPTIONS += no-chacha no-poly1305
endif

ifndef CONFIG_OPENSSL_WITH_ASYNC
OPENSSL_OPTIONS += no-async
endif

ifndef CONFIG_OPENSSL_WITH_EC
OPENSSL_OPTIONS += no-ec
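
Review bot: The OPENSSL_OPTIONS line loses "no-heartbeats no-sha0 no-ssl2-method no-ssl3-method" and is reduced to "shared" with no comment and no mention in the commit message. If these are dropped because 1.1.1 no longer has the features or disables them by default, say so in a comment above the assignment; otherwise keep the SSLv3-related option explicit so the hardening does not depend silently on upstream defaults.
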
@@ -153,6 +171,18 @@ ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
OPENSSL_OPTIONS += no-err
endif

ifndef CONFIG_OPENSSL_WITH_TLS13
OPENSSL_OPTIONS += no-tls1_3
endif

ifndef CONFIG_OPENSSL_WITH_ARIA
OPENSSL_OPTIONS += no-aria
endif

ifndef CONFIG_OPENSSL_WITH_SM234
OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
endif

ifndef CONFIG_OPENSSL_WITH_CAMELLIA
OPENSSL_OPTIONS += no-camellia
endif
@@ -177,8 +207,8 @@ ifndef CONFIG_OPENSSL_WITH_CMS
OPENSSL_OPTIONS += no-cms
endif

ifdef CONFIG_OPENSSL_WITH_RFC3779
OPENSSL_OPTIONS += enable-rfc3779
ifndef CONFIG_OPENSSL_WITH_RFC3779
OPENSSL_OPTIONS += no-rfc3779
endif

ifdef CONFIG_OPENSSL_NO_DEPRECATED
@@ -193,10 +223,10 @@ endif

ifdef CONFIG_OPENSSL_ENGINE
ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
ifdef CONFIG_OPENSSL_ENGINE_DIGEST
OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
endif
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_PACKAGE_libopenssl-afalg
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-hw-padlock
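
Review bot: Replacing -DHAVE_CRYPTODEV and the CONFIG_OPENSSL_ENGINE_DIGEST guard with a single "enable-devcryptoeng" removes the build-time switch that kept /dev/crypto digest offload optional. The same commit carries several eng_devcrypto patches for digest handling (210, 220, 260 in the file list), so users should still have a documented way to turn digest offload off; either keep a config knob or document the runtime engine configuration that does it.
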
@@ -209,10 +239,8 @@ ifndef CONFIG_OPENSSL_WITH_GOST
OPENSSL_OPTIONS += no-gost
endif

# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
# but openssl util gets built without it
ifndef CONFIG_OPENSSL_WITH_DTLS
OPENSSL_OPTIONS += no-dtls no-dtls1
OPENSSL_OPTIONS += no-dtls
endif

ifdef CONFIG_OPENSSL_WITH_COMPRESSION
@@ -261,12 +289,6 @@ define Build/Configure
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) \
)
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
MAKEDEPPROG="$(TARGET_CROSS)gcc" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
depend
endef

TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
@@ -276,35 +298,16 @@ define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
AR="$(TARGET_CROSS)ar r" \
RANLIB="$(TARGET_CROSS)ranlib" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
AR="$(TARGET_CROSS)ar r" \
RANLIB="$(TARGET_CROSS)ranlib" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
build-shared
# Work around openssl build bug to link libssl.so with libcrypto.so.
-rm $(PKG_BUILD_DIR)/libssl.so.*.*.*
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
do_linux-shared
$(MAKE) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
install
install_sw install_ssldirs
endef

define Build/InstallDev
@@ -334,17 +337,17 @@ define Package/openssl-util/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef

define Package/libopenssl-padlock/install
define Package/libopenssl-afalg/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
endef

define Package/libopenssl-gost/install
define Package/libopenssl-padlock/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
endef

$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-gost))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))
@@ -0,0 +1,23 @@
From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:29:21 -0300
Subject: Do not use host kernel version to disable AFALG

This patch prevents the Configure script from using the host kernel
version to disable building the AFALG engine on openwrt targets.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

--- a/Configure
+++ b/Configure
@@ -1554,7 +1554,9 @@ unless ($disabled{"crypto-mdebug-backtra

unless ($disabled{afalgeng}) {
$config{afalgeng}="";
- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+ if ($target =~ m/openwrt$/) {
+ push @{$config{engdirs}}, "afalg";
+ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
my $minver = 4*10000 + 1*100 + 0;
if ($config{CROSS_COMPILE} eq "") {
my $verstr = `uname -r`;
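
Review bot: The new "if ($target =~ m/openwrt$/)" branch pushes "afalg" into engdirs and skips the $minver check (4.1.0) altogether instead of checking the target kernel, so the only remaining version guard is "@!LINUX_3_18" in the package DEPENDS, which is looser than the upstream minimum. Say in the patch description that the kernel gate now lives in the package Makefile, and consider matching the target name more tightly than a trailing "openwrt" so an unrelated target cannot take this branch.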
