diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index c39e28510f002..2b536c272a81f 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -1,72 +1,306 @@ if PACKAGE_libopenssl -config OPENSSL_WITH_EC +comment "Build Options" + +config OPENSSL_OPTIMIZE_SPEED bool - default y - prompt "Enable elliptic curve support" + default y if x86_64 || i386 + prompt "Enable optimization for speed instead of size" + select OPENSSL_WITH_ASM + help + Enabling this option increases code size (around 20%) and + performance. The increase in performance and size depends on the + target CPU. EC and AES seem to benefit the most, with EC speed + increased by 20%-50% (mipsel & x86). + AES-GCM is supposed to be 3x faster on x86. YMMV. -config OPENSSL_WITH_EC2M - bool - depends on OPENSSL_WITH_EC - prompt "Enable ec2m support" +config OPENSSL_WITH_ASM + bool + default y if !SMALL_FLASH || !arm + prompt "Compile with optimized assembly code" + depends on !arc + help + Disabling this option will reduce code size and performance. + The increase in performance and size depends on the target + CPU and on the algorithms being optimized. As of 1.1.0i*: + + Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase + aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 + arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 + i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% + mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% + mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 + powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 + x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% -config OPENSSL_WITH_SSL3 + * Only most common algorithms shown. Your mileage may vary. + BN (bignum) performance was measured using RSA sign/verify. + +config OPENSSL_WITH_SSE2 bool - default n - prompt "Enable sslv3 support" + default y if !TARGET_x86_legacy && !TARGET_x86_geode + prompt "Enable use of x86 SSE2 instructions" + depends on OPENSSL_WITH_ASM && i386 + help + Use of SSE2 instructions greatly increase performance (up to + 3x faster) with a minimum (~0.2%, or 23KB) increase in package + size, but it will bring no benefit if your hardware does not + support them, such as Geode GX and LX. In this case you may + save 23KB by saying yes here. AMD Geode NX, and Intel + Pentium 4 and above support SSE2. config OPENSSL_WITH_DEPRECATED bool default y - prompt "Include deprecated APIs" + prompt "Include deprecated APIs (See help for a list of packages that need this)" + help + Since openssl 1.1.x is still new to openwrt, some packages + requiring this option do not list it as a requirement yet. + + For openssl version 1.1.x: + * freeswitch-stable, freeswitch, python, python3, squid. + + For openssl 1.0.2, squid currently requires this. config OPENSSL_NO_DEPRECATED bool default !OPENSSL_WITH_DEPRECATED -config OPENSSL_WITH_DTLS +config OPENSSL_WITH_ERROR_MESSAGES bool - default n - prompt "Enable DTLS support" + default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT + prompt "Include error messages" + help + This option aids debugging, but increases package size and + memory usage. -config OPENSSL_WITH_COMPRESSION +comment "Protocol Support" + +config OPENSSL_WITH_TLS13 + bool + default y + prompt "Enable support for TLS 1.3" + select OPENSSL_WITH_EC + help + TLS 1.3 is the newest version of the TLS specification. + It aims: + * to increase the overall security of the protocol, + removing outdated algorithms, and encrypting more of the + protocol; + * to increase performance by reducing the number of round-trips + when performing a full handshake. + It increases package size by ~4KB. + +config OPENSSL_WITH_DTLS bool default n - prompt "Enable compression support" + prompt "Enable DTLS support" + help + Datagram Transport Layer Security (DTLS) provides TLS-like security + for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. config OPENSSL_WITH_NPN bool default y prompt "Enable NPN support" + help + NPN is a TLS extension, obsoleted and replaced with ALPN, + used to negotiate SPDY, and HTTP/2. + +config OPENSSL_WITH_SRP + bool + default y + prompt "Enable SRP support" + help + The Secure Remote Password protocol (SRP) is an augmented + password-authenticated key agreement (PAKE) protocol, specifically + designed to work around existing patents. + +config OPENSSL_WITH_CMS + bool + default y + prompt "Enable CMS (RFC 5652) support" + help + Cryptographic Message Syntax (CMS) is used to digitally sign, + digest, authenticate, or encrypt arbitrary message content. + +comment "Algorithm Selection" + +config OPENSSL_WITH_EC + bool + default y + prompt "Enable elliptic curve support" + help + Elliptic-curve cryptography (ECC) is an approach to public-key + cryptography based on the algebraic structure of elliptic curves + over finite fields. ECC requires smaller keys compared to non-ECC + cryptography to provide equivalent security. + +config OPENSSL_WITH_EC2M + bool + depends on OPENSSL_WITH_EC + prompt "Enable ec2m support" + help + This option enables the more efficient, yet less common, binary + field elliptic curves. + +config OPENSSL_WITH_CHACHA_POLY1305 + bool + default y + prompt "Enable ChaCha20-Poly1305 ciphersuite support" + help + ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys, + combining ChaCha stream cipher with Poly1305 MAC. + It is 3x faster than AES, when not using a CPU with AES-specific + instructions, as is the case of most embedded devices. + +config OPENSSL_PREFER_CHACHA_OVER_GCM + bool + default y if !x86_64 && !aarch64 + prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default" + depends on OPENSSL_WITH_CHACHA_POLY1305 + help + The default openssl preference is for AES-GCM before ChaCha, but + that takes into account AES-NI capable chips. It is not the + case with most embedded chips, so it may be better to invert + that preference. This is just for the default case. The + application can always override this. config OPENSSL_WITH_PSK bool default y prompt "Enable PSK support" + help + Build support for Pre-Shared Key based cipher suites. -config OPENSSL_WITH_SRP +comment "Less commonly used build options" + +config OPENSSL_WITH_ARIA bool - default y - prompt "Enable SRP support" + default n + prompt "Enable ARIA support" + help + ARIA is a block cipher developed in South Korea, based on AES. -config OPENSSL_ENGINE_DIGEST +config OPENSSL_WITH_CAMELLIA bool - depends on OPENSSL_ENGINE_CRYPTO - prompt "Digests acceleration support" + default n + prompt "Enable Camellia cipher support" + help + Camellia is a bock cipher with security levels and processing + abilities comparable to AES. -config OPENSSL_HARDWARE_SUPPORT +config OPENSSL_WITH_IDEA bool default n - prompt "Enable hardware support" + prompt "Enable IDEA cipher support" + help + IDEA is a block cipher with 128-bit keys. -config OPENSSL_OPTIMIZE_SPEED +config OPENSSL_WITH_SEED bool default n - prompt "Enable optimization for speed instead of size" + prompt "Enable SEED cipher support" + help + SEED is a block cipher with 128-bit keys broadly used in + South Korea, but seldom found elsewhere. -endif +config OPENSSL_WITH_SM234 + bool + default n + prompt "Enable SM2/3/4 algorithms support" + help + These algorithms are a set of "Commercial Cryptography" + algorithms approved for use in China. + * SM2 is an EC algorithm equivalent to ECDSA P-256 + * SM3 is a hash function equivalent to SHA-256 + * SM4 is a 128-block cipher equivalent to AES-128 + +config OPENSSL_WITH_BLAKE2 + bool + default n + prompt "Enable BLAKE2 digest support" + help + BLAKE2 is a cryptographic hash function based on the ChaCha + stream cipher. + +config OPENSSL_WITH_MDC2 + bool + default n + prompt "Enable MDC2 digest support" + +config OPENSSL_WITH_WHIRLPOOL + bool + default n + prompt "Enable Whirlpool digest support" + +config OPENSSL_WITH_COMPRESSION + bool + default n + prompt "Enable compression support" + help + TLS compression is not recommended, as it is deemed insecure. + The CRIME attack exploits this weakness. + Even with this option turned on, it is disabled by default, and the + application must explicitly turn it on. + +config OPENSSL_WITH_RFC3779 + bool + default n + prompt "Enable RFC3779 support (BGP)" + help + RFC 3779 defines two X.509 v3 certificate extensions. The first + binds a list of IP address blocks, or prefixes, to the subject of a + certificate. The second binds a list of autonomous system + identifiers to the subject of a certificate. These extensions may be + used to convey the authorization of the subject to use the IP + addresses and autonomous system identifiers contained in the + extensions. + +comment "Engine/Hardware Support" + +config OPENSSL_ENGINE + bool "Enable engine support" + help + This enables alternative cryptography implementations, + most commonly for interfacing with external crypto devices, + or supporting new/alternative ciphers and digests. + Note that you need to enable KERNEL_AIO to be able to build the + afalg engine package. config OPENSSL_ENGINE_CRYPTO bool - select OPENSSL_HARDWARE_SUPPORT - prompt "Crypto acceleration support" if PACKAGE_libopenssl + select OPENSSL_ENGINE + select PACKAGE_kmod-cryptodev + select PACKAGE_libopenssl-conf + prompt "Acceleration support through /dev/crypto" + help + This enables use of hardware acceleration through OpenBSD + Cryptodev API (/dev/crypto) interface. + You must install kmod-cryptodev (under Kernel modules, Cryptographic + API modules) for /dev/crypto to show up and use hardware + acceleration; otherwise it falls back to software. + +config OPENSSL_WITH_ASYNC + bool + default n + prompt "Enable asynchronous jobs support" + depends on OPENSSL_ENGINE && USE_GLIBC + help + Enables async-aware applications to be able to use OpenSSL to + initiate crypto operations asynchronously. In order to work + this will require the presence of an async capable engine. + +config OPENSSL_WITH_GOST + bool + default n + prompt "Prepare library for GOST engine" + depends on OPENSSL_ENGINE + help + This option prepares the library to accept engine support + for Russian GOST crypto algorithms. + The gost engine is not included in standard openwrt feeds. + To build such engine yourself, see: + https://github.com/gost-engine/engine + +endif diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 71c2c9c028f3c..12b41bd2524a3 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -8,14 +8,15 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl -PKG_BASE:=1.0.2 -PKG_BUGFIX:=q +PKG_BASE:=1.1.1 +PKG_BUGFIX:=a PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=2 PKG_USE_MIPS16:=0 +ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=0 - +PKG_BUILD_DEPENDS:=cryptodev-linux PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ @@ -24,25 +25,41 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684 +PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ + CONFIG_OPENSSL_ENGINE \ CONFIG_OPENSSL_ENGINE_CRYPTO \ - CONFIG_OPENSSL_ENGINE_DIGEST \ - CONFIG_OPENSSL_WITH_EC \ - CONFIG_OPENSSL_WITH_EC2M \ - CONFIG_OPENSSL_WITH_SSL3 \ - CONFIG_OPENSSL_HARDWARE_SUPPORT \ CONFIG_OPENSSL_NO_DEPRECATED \ - CONFIG_OPENSSL_WITH_DTLS \ + CONFIG_OPENSSL_OPTIMIZE_SPEED \ + CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \ + CONFIG_OPENSSL_WITH_ARIA \ + CONFIG_OPENSSL_WITH_ASM \ + CONFIG_OPENSSL_WITH_ASYNC \ + CONFIG_OPENSSL_WITH_BLAKE2 \ + CONFIG_OPENSSL_WITH_CAMELLIA \ + CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \ + CONFIG_OPENSSL_WITH_CMS \ CONFIG_OPENSSL_WITH_COMPRESSION \ + CONFIG_OPENSSL_WITH_DTLS \ + CONFIG_OPENSSL_WITH_EC \ + CONFIG_OPENSSL_WITH_EC2M \ + CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ + CONFIG_OPENSSL_WITH_GOST \ + CONFIG_OPENSSL_WITH_IDEA \ + CONFIG_OPENSSL_WITH_MDC2 \ CONFIG_OPENSSL_WITH_NPN \ CONFIG_OPENSSL_WITH_PSK \ + CONFIG_OPENSSL_WITH_RFC3779 \ + CONFIG_OPENSSL_WITH_SEED \ + CONFIG_OPENSSL_WITH_SM234 \ CONFIG_OPENSSL_WITH_SRP \ - CONFIG_OPENSSL_OPTIMIZE_SPEED + CONFIG_OPENSSL_WITH_SSE2 \ + CONFIG_OPENSSL_WITH_TLS13 \ + CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk @@ -54,6 +71,8 @@ endif define Package/openssl/Default TITLE:=Open source SSL toolkit URL:=http://www.openssl.org/ + SECTION:=libs + CATEGORY:=Libraries endef define Package/libopenssl/config @@ -62,19 +81,17 @@ endef define Package/openssl/Default/description The OpenSSL Project is a collaborative effort to develop a robust, -commercial-grade, full-featured, and Open Source toolkit implementing the Secure -Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well -as a full-strength general purpose cryptography library. +commercial-grade, full-featured, and Open Source toolkit implementing the +Transport Layer Security (TLS) protocol as well as a full-strength +general-purpose cryptography library. endef define Package/libopenssl $(call Package/openssl/Default) - SECTION:=libs SUBMENU:=SSL - CATEGORY:=Libraries DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib TITLE+= (libraries) - ABI_VERSION:=1.0.0 + ABI_VERSION:=1.1 MENU:=1 endef @@ -87,31 +104,78 @@ define Package/openssl-util $(call Package/openssl/Default) SECTION:=utils CATEGORY:=Utilities - DEPENDS:=+libopenssl + DEPENDS:=+libopenssl +libopenssl-conf TITLE+= (utility) endef -define Package/openssl-util/conffiles +define Package/openssl-util/description +$(call Package/openssl/Default/description) +This package contains the OpenSSL command-line utility. +endef + +define Package/libopenssl-conf + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=/etc/ssl/openssl.cnf config file + DEPENDS:=libopenssl +endef + +define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf endef -define Package/openssl-util/description +define Package/libopenssl-conf/description $(call Package/openssl/Default/description) -This package contains the OpenSSL command-line utility. +This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +define Package/libopenssl-afalg + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=AFALG hardware acceleration engine + DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user \ + +libopenssl-conf +endef -OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \ - no-whrlpool no-whirlpool no-seed no-jpake -OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats +define Package/libopenssl-afalg/description +This package adds an engine that enables hardware acceleration +through the AF_ALG kernel interface. +To use it, you need to configure the engine in /etc/ssl/openssl.cnf +See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +The engine_id is "afalg" +endef -ifdef CONFIG_OPENSSL_ENGINE_CRYPTO - OPENSSL_OPTIONS += -DHAVE_CRYPTODEV - ifdef CONFIG_OPENSSL_ENGINE_DIGEST - OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS - endif +define Package/libopenssl-padlock + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=VIA Padlock hardware acceleration engine + DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock \ + +libopenssl-conf +endef + +define Package/libopenssl-padlock/description +This package adds an engine that enables VIA Padlock hardware acceleration. +To use it, you need to configure it in /etc/ssl/openssl.cnf. +See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +The engine_id is "padlock" +endef + +OPENSSL_OPTIONS:= shared + +ifndef CONFIG_OPENSSL_WITH_BLAKE2 + OPENSSL_OPTIONS += no-blake2 +endif + +ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305 + OPENSSL_OPTIONS += no-chacha no-poly1305 else - OPENSSL_OPTIONS += no-engines + ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM + OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM + endif +endif + +ifndef CONFIG_OPENSSL_WITH_ASYNC + OPENSSL_OPTIONS += no-async endif ifndef CONFIG_OPENSSL_WITH_EC @@ -122,18 +186,81 @@ ifndef CONFIG_OPENSSL_WITH_EC2M OPENSSL_OPTIONS += no-ec2m endif -ifndef CONFIG_OPENSSL_WITH_SSL3 - OPENSSL_OPTIONS += no-ssl3 no-ssl3-method +ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES + OPENSSL_OPTIONS += no-err +endif + +ifndef CONFIG_OPENSSL_WITH_TLS13 + OPENSSL_OPTIONS += no-tls1_3 +endif + +ifndef CONFIG_OPENSSL_WITH_ARIA + OPENSSL_OPTIONS += no-aria +endif + +ifndef CONFIG_OPENSSL_WITH_SM234 + OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4 +endif + +ifndef CONFIG_OPENSSL_WITH_CAMELLIA + OPENSSL_OPTIONS += no-camellia +endif + +ifndef CONFIG_OPENSSL_WITH_IDEA + OPENSSL_OPTIONS += no-idea +endif + +ifndef CONFIG_OPENSSL_WITH_SEED + OPENSSL_OPTIONS += no-seed endif -ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT - OPENSSL_OPTIONS += no-hw +ifndef CONFIG_OPENSSL_WITH_MDC2 + OPENSSL_OPTIONS += no-mdc2 +endif + +ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL + OPENSSL_OPTIONS += no-whirlpool +endif + +ifndef CONFIG_OPENSSL_WITH_CMS + OPENSSL_OPTIONS += no-cms +endif + +# rfc3779 defaults as enabled in 1.1.0 and disabled in 1.0.2 +ifndef CONFIG_OPENSSL_WITH_RFC3779 + OPENSSL_OPTIONS += no-rfc3779 +else + OPENSSL_OPTIONS += enable-rfc3779 endif ifdef CONFIG_OPENSSL_NO_DEPRECATED OPENSSL_OPTIONS += no-deprecated endif +ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) + TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 +else + OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT +endif + +ifdef CONFIG_OPENSSL_ENGINE + ifdef CONFIG_OPENSSL_ENGINE_CRYPTO + OPENSSL_OPTIONS += enable-devcryptoeng + endif + ifndef CONFIG_PACKAGE_libopenssl-afalg + OPENSSL_OPTIONS += no-afalgeng + endif + ifndef CONFIG_PACKAGE_libopenssl-padlock + OPENSSL_OPTIONS += no-hw-padlock + endif +else + OPENSSL_OPTIONS += no-engine +endif + +ifndef CONFIG_OPENSSL_WITH_GOST + OPENSSL_OPTIONS += no-gost +endif + ifndef CONFIG_OPENSSL_WITH_DTLS OPENSSL_OPTIONS += no-dtls endif @@ -156,27 +283,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP OPENSSL_OPTIONS += no-srp endif -ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) - TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3 +ifndef CONFIG_OPENSSL_WITH_ASM + OPENSSL_OPTIONS += no-asm endif -ifeq ($(CONFIG_x86_64),y) - OPENSSL_TARGET:=linux-x86_64-openwrt - OPENSSL_MAKEFLAGS += LIBDIR=lib -else - OPENSSL_OPTIONS+=no-sse2 - ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y) - OPENSSL_TARGET:=linux-mips-openwrt - else ifeq ($(CONFIG_aarch64),y) - OPENSSL_TARGET:=linux-aarch64-openwrt - else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y) - OPENSSL_TARGET:=linux-armv4-openwrt - else - OPENSSL_TARGET:=linux-generic-openwrt - OPENSSL_OPTIONS+=no-perlasm +ifdef CONFIG_i386 + ifndef CONFIG_OPENSSL_WITH_SSE2 + OPENSSL_OPTIONS += no-sse2 endif endif +OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt + STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) define Build/Configure @@ -187,57 +305,31 @@ define Build/Configure (cd $(PKG_BUILD_DIR); \ ./Configure $(OPENSSL_TARGET) \ --prefix=/usr \ + --libdir=lib \ --openssldir=/etc/ssl \ $(TARGET_CPPFLAGS) \ - $(TARGET_LDFLAGS) -ldl \ - $(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \ - $(OPENSSL_NO_CIPHERS) \ + $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) \ ) - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ - MAKEDEPPROG="$(TARGET_CROSS)gcc" \ - OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ - $(OPENSSL_MAKEFLAGS) \ - depend endef -TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections +TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections TARGET_LDFLAGS += -Wl,--gc-sections define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ - ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \ - AR="$(TARGET_CROSS)ar r" \ - RANLIB="$(TARGET_CROSS)ranlib" \ + SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ $(OPENSSL_MAKEFLAGS) \ all - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ - CC="$(TARGET_CC)" \ - ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \ - AR="$(TARGET_CROSS)ar r" \ - RANLIB="$(TARGET_CROSS)ranlib" \ - OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ - $(OPENSSL_MAKEFLAGS) \ - build-shared - # Work around openssl build bug to link libssl.so with libcrypto.so. - -rm $(PKG_BUILD_DIR)/libssl.so.*.*.* - +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ - CC="$(TARGET_CC)" \ - OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ - $(OPENSSL_MAKEFLAGS) \ - do_linux-shared $(MAKE) -C $(PKG_BUILD_DIR) \ CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ - INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \ + DESTDIR="$(PKG_INSTALL_DIR)" \ $(OPENSSL_MAKEFLAGS) \ - install + install_sw install_ssldirs endef define Build/InstallDev @@ -251,20 +343,37 @@ define Build/InstallDev endef define Package/libopenssl/install + $(INSTALL_DIR) $(1)/etc/ssl/certs + $(INSTALL_DIR) $(1)/etc/ssl/private + chmod 0700 $(1)/etc/ssl/private $(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/ + $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)) endef -define Package/openssl-util/install +define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ - $(INSTALL_DIR) $(1)/etc/ssl/certs - $(INSTALL_DIR) $(1)/etc/ssl/private - chmod 0700 $(1)/etc/ssl/private +endef + +define Package/openssl-util/install $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef +define Package/libopenssl-afalg/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) +endef + +define Package/libopenssl-padlock/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) +endef + $(eval $(call BuildPackage,libopenssl)) +$(eval $(call BuildPackage,libopenssl-conf)) +$(eval $(call BuildPackage,libopenssl-afalg)) +$(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/libs/openssl/include/crypto/cryptodev.h b/package/libs/openssl/include/crypto/cryptodev.h deleted file mode 100644 index 7fb9c7dcdae5e..0000000000000 --- a/package/libs/openssl/include/crypto/cryptodev.h +++ /dev/null @@ -1,292 +0,0 @@ -/* This is a source compatible implementation with the original API of - * cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h. - * Placed under public domain */ - -#ifndef L_CRYPTODEV_H -#define L_CRYPTODEV_H - -#include -#ifndef __KERNEL__ -#define __user -#endif - -/* API extensions for linux */ -#define CRYPTO_HMAC_MAX_KEY_LEN 512 -#define CRYPTO_CIPHER_MAX_KEY_LEN 64 - -/* All the supported algorithms - */ -enum cryptodev_crypto_op_t { - CRYPTO_DES_CBC = 1, - CRYPTO_3DES_CBC = 2, - CRYPTO_BLF_CBC = 3, - CRYPTO_CAST_CBC = 4, - CRYPTO_SKIPJACK_CBC = 5, - CRYPTO_MD5_HMAC = 6, - CRYPTO_SHA1_HMAC = 7, - CRYPTO_RIPEMD160_HMAC = 8, - CRYPTO_MD5_KPDK = 9, - CRYPTO_SHA1_KPDK = 10, - CRYPTO_RIJNDAEL128_CBC = 11, - CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC, - CRYPTO_ARC4 = 12, - CRYPTO_MD5 = 13, - CRYPTO_SHA1 = 14, - CRYPTO_DEFLATE_COMP = 15, - CRYPTO_NULL = 16, - CRYPTO_LZS_COMP = 17, - CRYPTO_SHA2_256_HMAC = 18, - CRYPTO_SHA2_384_HMAC = 19, - CRYPTO_SHA2_512_HMAC = 20, - CRYPTO_AES_CTR = 21, - CRYPTO_AES_XTS = 22, - CRYPTO_AES_ECB = 23, - CRYPTO_AES_GCM = 50, - - CRYPTO_CAMELLIA_CBC = 101, - CRYPTO_RIPEMD160, - CRYPTO_SHA2_224, - CRYPTO_SHA2_256, - CRYPTO_SHA2_384, - CRYPTO_SHA2_512, - CRYPTO_SHA2_224_HMAC, - CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */ -}; - -#define CRYPTO_ALGORITHM_MAX (CRYPTO_ALGORITHM_ALL - 1) - -/* Values for ciphers */ -#define DES_BLOCK_LEN 8 -#define DES3_BLOCK_LEN 8 -#define RIJNDAEL128_BLOCK_LEN 16 -#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN -#define CAMELLIA_BLOCK_LEN 16 -#define BLOWFISH_BLOCK_LEN 8 -#define SKIPJACK_BLOCK_LEN 8 -#define CAST128_BLOCK_LEN 8 - -/* the maximum of the above */ -#define EALG_MAX_BLOCK_LEN 16 - -/* Values for hashes/MAC */ -#define AALG_MAX_RESULT_LEN 64 - -/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */ -#define CRYPTODEV_MAX_ALG_NAME 64 - -#define HASH_MAX_LEN 64 - -/* input of CIOCGSESSION */ -struct session_op { - /* Specify either cipher or mac - */ - __u32 cipher; /* cryptodev_crypto_op_t */ - __u32 mac; /* cryptodev_crypto_op_t */ - - __u32 keylen; - __u8 __user *key; - __u32 mackeylen; - __u8 __user *mackey; - - __u32 ses; /* session identifier */ -}; - -struct session_info_op { - __u32 ses; /* session identifier */ - - /* verbose names for the requested ciphers */ - struct alg_info { - char cra_name[CRYPTODEV_MAX_ALG_NAME]; - char cra_driver_name[CRYPTODEV_MAX_ALG_NAME]; - } cipher_info, hash_info; - - __u16 alignmask; /* alignment constraints */ - __u32 flags; /* SIOP_FLAGS_* */ -}; - -/* If this flag is set then this algorithm uses - * a driver only available in kernel (software drivers, - * or drivers based on instruction sets do not set this flag). - * - * If multiple algorithms are involved (as in AEAD case), then - * if one of them is kernel-driver-only this flag will be set. - */ -#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1 - -#define COP_ENCRYPT 0 -#define COP_DECRYPT 1 - -/* input of CIOCCRYPT */ -struct crypt_op { - __u32 ses; /* session identifier */ - __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ - __u16 flags; /* see COP_FLAG_* */ - __u32 len; /* length of source data */ - __u8 __user *src; /* source data */ - __u8 __user *dst; /* pointer to output data */ - /* pointer to output data for hash/MAC operations */ - __u8 __user *mac; - /* initialization vector for encryption operations */ - __u8 __user *iv; -}; - -/* input of CIOCAUTHCRYPT */ -struct crypt_auth_op { - __u32 ses; /* session identifier */ - __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ - __u16 flags; /* see COP_FLAG_AEAD_* */ - __u32 len; /* length of source data */ - __u32 auth_len; /* length of auth data */ - __u8 __user *auth_src; /* authenticated-only data */ - - /* The current implementation is more efficient if data are - * encrypted in-place (src==dst). */ - __u8 __user *src; /* data to be encrypted and authenticated */ - __u8 __user *dst; /* pointer to output data. Must have - * space for tag. For TLS this should be at least - * len + tag_size + block_size for padding */ - - __u8 __user *tag; /* where the tag will be copied to. TLS mode - * doesn't use that as tag is copied to dst. - * SRTP mode copies tag there. */ - __u32 tag_len; /* the length of the tag. Use zero for digest size or max tag. */ - - /* initialization vector for encryption operations */ - __u8 __user *iv; - __u32 iv_len; -}; - -/* In plain AEAD mode the following are required: - * flags : 0 - * iv : the initialization vector (12 bytes) - * auth_len: the length of the data to be authenticated - * auth_src: the data to be authenticated - * len : length of data to be encrypted - * src : the data to be encrypted - * dst : space to hold encrypted data. It must have - * at least a size of len + tag_size. - * tag_size: the size of the desired authentication tag or zero to use - * the maximum tag output. - * - * Note tag isn't being used because the Linux AEAD interface - * copies the tag just after data. - */ - -/* In TLS mode (used for CBC ciphers that required padding) - * the following are required: - * flags : COP_FLAG_AEAD_TLS_TYPE - * iv : the initialization vector - * auth_len: the length of the data to be authenticated only - * len : length of data to be encrypted - * auth_src: the data to be authenticated - * src : the data to be encrypted - * dst : space to hold encrypted data (preferably in-place). It must have - * at least a size of len + tag_size + blocksize. - * tag_size: the size of the desired authentication tag or zero to use - * the default mac output. - * - * Note that the padding used is the minimum padding. - */ - -/* In SRTP mode the following are required: - * flags : COP_FLAG_AEAD_SRTP_TYPE - * iv : the initialization vector - * auth_len: the length of the data to be authenticated. This must - * include the SRTP header + SRTP payload (data to be encrypted) + rest - * - * len : length of data to be encrypted - * auth_src: pointer the data to be authenticated. Should point at the same buffer as src. - * src : pointer to the data to be encrypted. - * dst : This is mandatory to be the same as src (in-place only). - * tag_size: the size of the desired authentication tag or zero to use - * the default mac output. - * tag : Pointer to an address where the authentication tag will be copied. - */ - - -/* struct crypt_op flags */ - -#define COP_FLAG_NONE (0 << 0) /* totally no flag */ -#define COP_FLAG_UPDATE (1 << 0) /* multi-update hash mode */ -#define COP_FLAG_FINAL (1 << 1) /* multi-update final hash mode */ -#define COP_FLAG_WRITE_IV (1 << 2) /* update the IV during operation */ -#define COP_FLAG_NO_ZC (1 << 3) /* do not zero-copy */ -#define COP_FLAG_AEAD_TLS_TYPE (1 << 4) /* authenticate and encrypt using the - * TLS protocol rules */ -#define COP_FLAG_AEAD_SRTP_TYPE (1 << 5) /* authenticate and encrypt using the - * SRTP protocol rules */ -#define COP_FLAG_RESET (1 << 6) /* multi-update reset the state. - * should be used in combination - * with COP_FLAG_UPDATE */ - - -/* Stuff for bignum arithmetic and public key - * cryptography - not supported yet by linux - * cryptodev. - */ - -#define CRYPTO_ALG_FLAG_SUPPORTED 1 -#define CRYPTO_ALG_FLAG_RNG_ENABLE 2 -#define CRYPTO_ALG_FLAG_DSA_SHA 4 - -struct crparam { - __u8 *crp_p; - __u32 crp_nbits; -}; - -#define CRK_MAXPARAM 8 - -/* input of CIOCKEY */ -struct crypt_kop { - __u32 crk_op; /* cryptodev_crk_op_t */ - __u32 crk_status; - __u16 crk_iparams; - __u16 crk_oparams; - __u32 crk_pad1; - struct crparam crk_param[CRK_MAXPARAM]; -}; - -enum cryptodev_crk_op_t { - CRK_MOD_EXP = 0, - CRK_MOD_EXP_CRT = 1, - CRK_DSA_SIGN = 2, - CRK_DSA_VERIFY = 3, - CRK_DH_COMPUTE_KEY = 4, - CRK_ALGORITHM_ALL -}; - -#define CRK_ALGORITHM_MAX (CRK_ALGORITHM_ALL-1) - -/* features to be queried with CIOCASYMFEAT ioctl - */ -#define CRF_MOD_EXP (1 << CRK_MOD_EXP) -#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT) -#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN) -#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY) -#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY) - - -/* ioctl's. Compatible with old linux cryptodev.h - */ -#define CRIOGET _IOWR('c', 101, __u32) -#define CIOCGSESSION _IOWR('c', 102, struct session_op) -#define CIOCFSESSION _IOW('c', 103, __u32) -#define CIOCCRYPT _IOWR('c', 104, struct crypt_op) -#define CIOCKEY _IOWR('c', 105, struct crypt_kop) -#define CIOCASYMFEAT _IOR('c', 106, __u32) -#define CIOCGSESSINFO _IOWR('c', 107, struct session_info_op) - -/* to indicate that CRIOGET is not required in linux - */ -#define CRIOGET_NOT_NEEDED 1 - -/* additional ioctls for AEAD */ -#define CIOCAUTHCRYPT _IOWR('c', 109, struct crypt_auth_op) - -/* additional ioctls for asynchronous operation. - * These are conditionally enabled since version 1.6. - */ -#define CIOCASYNCCRYPT _IOW('c', 110, struct crypt_op) -#define CIOCASYNCFETCH _IOR('c', 111, struct crypt_op) - -#endif /* L_CRYPTODEV_H */ diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch new file mode 100644 index 0000000000000..0adbda9b4998d --- /dev/null +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -0,0 +1,28 @@ +From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:29:21 -0300 +Subject: Do not use host kernel version to disable AFALG + +This patch prevents the Configure script from using the host kernel +version to disable building the AFALG engine on openwrt targets. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/Configure b/Configure +index 3baa8ce016..2dd423f165 100755 +--- a/Configure ++++ b/Configure +@@ -1549,7 +1549,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) + + unless ($disabled{afalgeng}) { + $config{afalgeng}=""; +- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { ++ if ($target =~ m/openwrt$/) { ++ push @{$config{engdirs}}, "afalg"; ++ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) { + my $minver = 4*10000 + 1*100 + 0; + if ($config{CROSS_COMPILE} eq "") { + my $verstr = `uname -r`; +-- +2.16.4 + diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch new file mode 100644 index 0000000000000..92e0321664d98 --- /dev/null +++ b/package/libs/openssl/patches/110-openwrt_targets.patch @@ -0,0 +1,66 @@ +From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:30:24 -0300 +Subject: Add openwrt targets + +Targets are named: linux-$(CONFIG_ARCH)-openwrt + +Signed-off-by: Eneas U de Queiroz + +diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf +new file mode 100644 +index 0000000000..86a86d31e4 +--- /dev/null ++++ b/Configurations/25-openwrt.conf +@@ -0,0 +1,48 @@ ++## Openwrt "CONFIG_ARCH" matching targets. ++ ++# The targets need to end in '-openwrt' for the AFALG patch to work ++ ++my %targets = ( ++ "openwrt" => { ++ template => 1, ++ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"), ++ }, ++ "linux-aarch64-openwrt" => { ++ inherit_from => [ "linux-aarch64", "openwrt" ], ++ }, ++ "linux-arc-openwrt" => { ++ inherit_from => [ "linux-generic32", "openwrt" ], ++ }, ++ "linux-arm-openwrt" => { ++ inherit_from => [ "linux-armv4", "openwrt" ], ++ }, ++ "linux-armeb-openwrt" => { ++ inherit_from => [ "linux-armv4", "openwrt" ], ++ }, ++ "linux-i386-openwrt" => { ++ inherit_from => [ "linux-x86", "openwrt" ], ++ }, ++ "linux-mips-openwrt" => { ++ inherit_from => [ "linux-mips32", "openwrt" ], ++ }, ++ "linux-mips64-openwrt" => { ++ inherit_from => [ "linux64-mips64", "openwrt" ], ++ }, ++ "linux-mips64el-openwrt" => { ++ inherit_from => [ "linux64-mips64", "openwrt" ], ++ }, ++ "linux-mipsel-openwrt" => { ++ inherit_from => [ "linux-mips32", "openwrt" ], ++ }, ++ "linux-powerpc-openwrt" => { ++ inherit_from => [ "linux-ppc", "openwrt" ], ++ }, ++ "linux-x86_64-openwrt" => { ++ inherit_from => [ "linux-x86_64", "openwrt" ], ++ }, ++ ++### Basic default option ++ "linux-generic32-openwrt" => { ++ inherit_from => [ "linux-generic32", "openwrt" ], ++ }, ++); +-- +2.16.4 + diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch deleted file mode 100644 index d6d4a211110f8..0000000000000 --- a/package/libs/openssl/patches/110-optimize-for-size.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/Configure -+++ b/Configure -@@ -470,6 +470,13 @@ my %table=( - "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", - "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", - -+# OpenWrt targets -+"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -+ - # Android: linux-* but without pointers to headers and libs. - "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch new file mode 100644 index 0000000000000..e8ab32e2bbe22 --- /dev/null +++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch @@ -0,0 +1,26 @@ +From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:31:38 -0300 +Subject: void exposing build directories + +The CFLAGS contain the build directories, and are shown by calling +OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a + +Signed-off-by: Eneas U de Queiroz + +diff --git a/crypto/build.info b/crypto/build.info +index b515b7318e..33aab460bd 100644 +--- a/crypto/build.info ++++ b/crypto/build.info +@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ + ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl + + DEPEND[cversion.o]=buildinf.h +-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" ++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)" + DEPEND[buildinf.h]=../configdata.pm + + GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) +-- +2.16.4 + diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch new file mode 100644 index 0000000000000..b947cb29b808a --- /dev/null +++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch @@ -0,0 +1,34 @@ +From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:34:38 -0300 +Subject: Do not build tests and fuzz directories + +This shortens build time. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/Configure b/Configure +index 2dd423f165..07320b8884 100755 +--- a/Configure ++++ b/Configure +@@ -299,7 +299,7 @@ my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + + # Top level directories to build +-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ]; ++$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ]; + # crypto/ subdirectories to build + $config{sdirs} = [ + "objects", +@@ -311,7 +311,7 @@ $config{sdirs} = [ + "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" + ]; + # test/ subdirectories to build +-$config{tdirs} = [ "ossl_shim" ]; ++$config{tdirs} = []; + + # Known TLS and DTLS protocols + my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3); +-- +2.16.4 + diff --git a/package/libs/openssl/patches/130-perl-path.patch b/package/libs/openssl/patches/130-perl-path.patch deleted file mode 100644 index 2dbdc76010270..0000000000000 --- a/package/libs/openssl/patches/130-perl-path.patch +++ /dev/null @@ -1,64 +0,0 @@ ---- a/Configure -+++ b/Configure -@@ -1,4 +1,4 @@ --: -+#!/usr/bin/perl - eval 'exec perl -S $0 ${1+"$@"}' - if $running_under_some_shell; - ## ---- a/tools/c_rehash.in -+++ b/tools/c_rehash.in -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -+#!/usr/bin/perl - - # Perl c_rehash script, scan all files in a directory - # and add symbolic links to their hash values. ---- a/util/clean-depend.pl -+++ b/util/clean-depend.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - # Clean the dependency list in a makefile of standard includes... - # Written by Ben Laurie 19 Jan 1999 - ---- a/util/mkdef.pl -+++ b/util/mkdef.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - # - # generate a .def file - # ---- a/util/mkerr.pl -+++ b/util/mkerr.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - - my $config = "crypto/err/openssl.ec"; - my $hprefix = "openssl/"; ---- a/util/mkstack.pl -+++ b/util/mkstack.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - - # This is a utility that searches out "DECLARE_STACK_OF()" - # declarations in .h and .c files, and updates/creates/replaces ---- a/util/pod2man.pl -+++ b/util/pod2man.pl -@@ -1,4 +1,4 @@ --: #!/usr/bin/perl-5.005 -+#!/usr/bin/perl - eval 'exec /usr/bin/perl -S $0 ${1+"$@"}' - if $running_under_some_shell; - ---- a/util/selftest.pl -+++ b/util/selftest.pl -@@ -1,4 +1,4 @@ --#!/usr/local/bin/perl -w -+#!/usr/bin/perl - # - # Run the test suite and generate a report - # diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch new file mode 100644 index 0000000000000..9e76a1ffc2dbc --- /dev/null +++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch @@ -0,0 +1,85 @@ +From 286e015bf0d30530707a5e7b3b871509f2ab50d7 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:44:39 -0300 +Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option + +This enables a compile-time option to prefer ChaCha20-Poly1305 over +AES-GCM in the openssl default ciphersuite, which is useful in systems +without AES specific CPU instructions. +OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it. + +Note that this does not have the same effect as the +SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only +when the client has it on top of its ciphersuite preference. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h +index 0a18a43544..5cac74af4f 100644 +--- a/include/openssl/ssl.h ++++ b/include/openssl/ssl.h +@@ -173,9 +173,15 @@ extern "C" { + # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" + /* This is the default set of TLSv1.3 ciphersuites */ + # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) +-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ +- "TLS_CHACHA20_POLY1305_SHA256:" \ +- "TLS_AES_128_GCM_SHA256" ++# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM ++# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ ++ "TLS_AES_256_GCM_SHA384:" \ ++ "TLS_AES_128_GCM_SHA256" ++# else ++# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ ++ "TLS_CHACHA20_POLY1305_SHA256:" \ ++ "TLS_AES_128_GCM_SHA256" ++# endif + # else + # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ + "TLS_AES_128_GCM_SHA256" +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index b60cc79a2f..79f27e8b07 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -1464,11 +1464,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, + ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, + &tail); + ++ /* ++ * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305 ++ * will be placed before AES-256. Otherwise, the default behavior of ++ * preferring GCM over CHACHA is used. ++ * This is useful for systems that do not have AES-specific CPU ++ * instructions, where ChaCha20-Poly1305 is 3 times faster than AES. ++ * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA ++ * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top ++ * of its ciphersuite preference. ++ */ ++ ++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM ++ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, ++ &head, &tail); ++ ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, ++ &head, &tail); ++#else + /* Within each strength group, we prefer GCM over CHACHA... */ + ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, + &head, &tail); + ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, + &head, &tail); ++#endif + + /* + * ...and generally, our preferred cipher is AES. +@@ -1524,7 +1542,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, + * Within each group, ciphers remain sorted by strength and previous + * preference, i.e., + * 1) ECDHE > DHE +- * 2) GCM > CHACHA ++ * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined + * 3) AES > rest + * 4) TLS 1.2 > legacy + * +-- +2.16.4 + diff --git a/package/libs/openssl/patches/140-makefile-dirs.patch b/package/libs/openssl/patches/140-makefile-dirs.patch deleted file mode 100644 index 83c412f4443b8..0000000000000 --- a/package/libs/openssl/patches/140-makefile-dirs.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/Makefile.org -+++ b/Makefile.org -@@ -137,7 +137,7 @@ FIPSCANLIB= - - BASEADDR= - --DIRS= crypto ssl engines apps test tools -+DIRS= crypto ssl apps - ENGDIRS= ccgost - SHLIBDIRS= crypto ssl - diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch deleted file mode 100644 index a518a00496605..0000000000000 --- a/package/libs/openssl/patches/150-no_engines.patch +++ /dev/null @@ -1,81 +0,0 @@ ---- a/Configure -+++ b/Configure -@@ -2144,6 +2144,11 @@ EOF - close(OUT); - } - -+# ugly hack to disable engines -+if($target eq "mingwx") { -+ system("sed -e s/^LIB/XLIB/g -i engines/Makefile"); -+} -+ - print < 19 Jan 1999 - diff --git a/package/libs/openssl/patches/180-fix_link_segfault.patch b/package/libs/openssl/patches/180-fix_link_segfault.patch deleted file mode 100644 index 3e36beb49c83a..0000000000000 --- a/package/libs/openssl/patches/180-fix_link_segfault.patch +++ /dev/null @@ -1,18 +0,0 @@ ---- a/Makefile.shared -+++ b/Makefile.shared -@@ -95,7 +95,6 @@ LINK_APP= \ - LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \ - LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ - LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ -- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ - $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} ) - - LINK_SO= \ -@@ -105,7 +104,6 @@ LINK_SO= \ - SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \ - LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ - LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ -- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ - $${SHAREDCMD} $${SHAREDFLAGS} \ - -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \ - $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \ diff --git a/package/libs/openssl/patches/190-remove_timestamp_check.patch b/package/libs/openssl/patches/190-remove_timestamp_check.patch deleted file mode 100644 index 424e66063ca96..0000000000000 --- a/package/libs/openssl/patches/190-remove_timestamp_check.patch +++ /dev/null @@ -1,23 +0,0 @@ ---- a/Makefile.org -+++ b/Makefile.org -@@ -185,7 +185,7 @@ TARFILE= ../$(NAME).tar - EXHEADER= e_os2.h - HEADER= e_os.h - --all: Makefile build_all -+all: build_all - - # as we stick to -e, CLEARENV ensures that local variables in lower - # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn -@@ -404,11 +404,6 @@ openssl.pc: Makefile - echo 'Version: '$(VERSION); \ - echo 'Requires: libssl libcrypto' ) > openssl.pc - --Makefile: Makefile.org Configure config -- @echo "Makefile is older than Makefile.org, Configure or config." -- @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." -- @false -- - libclean: - rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib - diff --git a/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch b/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch new file mode 100644 index 0000000000000..1d7e1cab7b058 --- /dev/null +++ b/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch @@ -0,0 +1,44 @@ +From be5cf61caa425070ec4f3e925d4e9aa484c8315b Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Mon, 5 Nov 2018 17:59:42 -0200 +Subject: [PATCH 1/7] eng_devcrypto: don't leak methods tables + +Call functions to prepare methods after confirming that /dev/crytpo was +sucessfully open and that the destroy function has been set. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +(cherry picked from commit d9d4dff5c640990d45af115353fc9f88a497a56c) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 4a0ba09a38..ee26398b69 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -619,11 +619,6 @@ void engine_load_devcrypto_int() + return; + } + +- prepare_cipher_methods(); +-#ifdef IMPLEMENT_DIGEST +- prepare_digest_methods(); +-#endif +- + if ((e = ENGINE_new()) == NULL + || !ENGINE_set_destroy_function(e, devcrypto_unload)) { + ENGINE_free(e); +@@ -636,6 +631,11 @@ void engine_load_devcrypto_int() + return; + } + ++ prepare_cipher_methods(); ++#ifdef IMPLEMENT_DIGEST ++ prepare_digest_methods(); ++#endif ++ + if (!ENGINE_set_id(e, "devcrypto") + || !ENGINE_set_name(e, "/dev/crypto engine") + diff --git a/package/libs/openssl/patches/200-parallel_build.patch b/package/libs/openssl/patches/200-parallel_build.patch deleted file mode 100644 index 37134e403038b..0000000000000 --- a/package/libs/openssl/patches/200-parallel_build.patch +++ /dev/null @@ -1,184 +0,0 @@ ---- a/Makefile.org -+++ b/Makefile.org -@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi - build_libssl: build_ssl libssl.pc - - build_crypto: -- @dir=crypto; target=all; $(BUILD_ONE_CMD) -+ +@dir=crypto; target=all; $(BUILD_ONE_CMD) - build_ssl: build_crypto -- @dir=ssl; target=all; $(BUILD_ONE_CMD) -+ +@dir=ssl; target=all; $(BUILD_ONE_CMD) - build_engines: build_crypto -- @dir=engines; target=all; $(BUILD_ONE_CMD) -+ +@dir=engines; target=all; $(BUILD_ONE_CMD) - build_apps: build_libs -- @dir=apps; target=all; $(BUILD_ONE_CMD) -+ +@dir=apps; target=all; $(BUILD_ONE_CMD) - build_tests: build_libs -- @dir=test; target=all; $(BUILD_ONE_CMD) -+ +@dir=test; target=all; $(BUILD_ONE_CMD) - build_tools: build_libs -- @dir=tools; target=all; $(BUILD_ONE_CMD) -+ +@dir=tools; target=all; $(BUILD_ONE_CMD) - - all_testapps: build_libs build_testapps - build_testapps: -@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut - @set -e; target=update; $(RECURSIVE_BUILD_CMD) - - depend: -- @set -e; target=depend; $(RECURSIVE_BUILD_CMD) -+ +@set -e; target=depend; $(RECURSIVE_BUILD_CMD) - - lint: - @set -e; target=lint; $(RECURSIVE_BUILD_CMD) -@@ -535,9 +535,9 @@ dist: - @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar - --install: all install_sw -+install: install_sw - --install_sw: -+install_dirs: - @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ - $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \ - $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \ -@@ -546,12 +546,19 @@ install_sw: - $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/private -+ @$(PERL) $(TOP)/util/mkdir-p.pl \ -+ $(INSTALL_PREFIX)$(MANDIR)/man1 \ -+ $(INSTALL_PREFIX)$(MANDIR)/man3 \ -+ $(INSTALL_PREFIX)$(MANDIR)/man5 \ -+ $(INSTALL_PREFIX)$(MANDIR)/man7 -+ -+install_sw: install_dirs - @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; -- @set -e; target=install; $(RECURSIVE_BUILD_CMD) -+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD) - @set -e; liblist="$(LIBS)"; for i in $$liblist ;\ - do \ - if [ -f "$$i" ]; then \ -@@ -635,12 +642,7 @@ install_html_docs: - done; \ - done - --install_docs: -- @$(PERL) $(TOP)/util/mkdir-p.pl \ -- $(INSTALL_PREFIX)$(MANDIR)/man1 \ -- $(INSTALL_PREFIX)$(MANDIR)/man3 \ -- $(INSTALL_PREFIX)$(MANDIR)/man5 \ -- $(INSTALL_PREFIX)$(MANDIR)/man7 -+install_docs: install_dirs - @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \ - here="`pwd`"; \ - filecase=; \ ---- a/Makefile.shared -+++ b/Makefile.shared -@@ -120,6 +120,7 @@ SYMLINK_SO= \ - done; \ - fi; \ - if [ -n "$$SHLIB_SOVER" ]; then \ -+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \ - ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \ - ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \ - fi; \ ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -85,11 +85,11 @@ testapps: - @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi - - subdirs: -- @target=all; $(RECURSIVE_MAKE) -+ +@target=all; $(RECURSIVE_MAKE) - - files: - $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO -- @target=files; $(RECURSIVE_MAKE) -+ +@target=files; $(RECURSIVE_MAKE) - - links: - @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) -@@ -100,7 +100,7 @@ links: - # lib: $(LIB): are splitted to avoid end-less loop - lib: $(LIB) - @touch lib --$(LIB): $(LIBOBJ) -+$(LIB): $(LIBOBJ) | subdirs - $(AR) $(LIB) $(LIBOBJ) - test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o - $(RANLIB) $(LIB) || echo Never mind. -@@ -111,7 +111,7 @@ shared: buildinf.h lib subdirs - fi - - libs: -- @target=lib; $(RECURSIVE_MAKE) -+ +@target=lib; $(RECURSIVE_MAKE) - - install: - @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... -@@ -120,7 +120,7 @@ install: - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ - done; -- @target=install; $(RECURSIVE_MAKE) -+ +@target=install; $(RECURSIVE_MAKE) - - lint: - @target=lint; $(RECURSIVE_MAKE) ---- a/engines/Makefile -+++ b/engines/Makefile -@@ -72,7 +72,7 @@ top: - - all: lib subdirs - --lib: $(LIBOBJ) -+lib: $(LIBOBJ) | subdirs - @if [ -n "$(SHARED_LIBS)" ]; then \ - set -e; \ - for l in $(LIBNAMES); do \ -@@ -89,7 +89,7 @@ lib: $(LIBOBJ) - - subdirs: - echo $(EDIRS) -- @target=all; $(RECURSIVE_MAKE) -+ +@target=all; $(RECURSIVE_MAKE) - - files: - $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO -@@ -128,7 +128,7 @@ install: - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \ - done; \ - fi -- @target=install; $(RECURSIVE_MAKE) -+ +@target=install; $(RECURSIVE_MAKE) - - tags: - ctags $(SRC) ---- a/test/Makefile -+++ b/test/Makefile -@@ -145,7 +145,7 @@ install: - tags: - ctags $(SRC) - --tests: exe apps $(TESTS) -+tests: exe $(TESTS) - - apps: - @(cd ..; $(MAKE) DIRS=apps all) -@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl - # fi - - dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO) -- @target=dummytest; $(BUILD_CMD) -+ +@target=dummytest; $(BUILD_CMD) - - # DO NOT DELETE THIS LINE -- make depend depends on it. - diff --git a/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch b/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch new file mode 100644 index 0000000000000..13ea5617521b2 --- /dev/null +++ b/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch @@ -0,0 +1,39 @@ +From add2ab1f289c24a1563c5b895d5cd133fe874f12 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Wed, 14 Nov 2018 11:22:14 -0200 +Subject: [PATCH 2/7] eng_devcrypto: expand digest failure cases + +Return failure when the digest_ctx is null in digest_update and +digest_final, and when md is null in digest_final. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +(cherry picked from commit 4d9f99654441e36fdcb49540a1dbc9d4c70ccb68) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index ee26398b69..6f6bcb8dc6 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -438,6 +438,9 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) + if (count == 0) + return 1; + ++ if (digest_ctx == NULL) ++ return 0; ++ + if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; +@@ -451,6 +454,8 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) + struct digest_ctx *digest_ctx = + (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); + ++ if (md == NULL || digest_ctx == NULL) ++ return 0; + if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; diff --git a/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch b/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch new file mode 100644 index 0000000000000..0e99679400b27 --- /dev/null +++ b/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch @@ -0,0 +1,55 @@ +From 68b02a8ab798b7e916c8141a36ab69d7493fc707 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Wed, 14 Nov 2018 13:58:06 -0200 +Subject: [PATCH 3/7] eng_devcrypto: fix copy of unitilialized digest + +If the source ctx has not been initialized, don't initialize the copy +either. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +(cherry picked from commit ae8183690fa53b978d4647563f5a521c4cafe94c) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 6f6bcb8dc6..a9ddc9c86b 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -338,7 +338,8 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + + struct digest_ctx { + struct session_op sess; +- int init; ++ /* This signals that the init function was called, not that it succeeded. */ ++ int init_called; + }; + + static const struct digest_data_st { +@@ -403,7 +404,7 @@ static int digest_init(EVP_MD_CTX *ctx) + const struct digest_data_st *digest_d = + get_digest_data(EVP_MD_CTX_type(ctx)); + +- digest_ctx->init = 1; ++ digest_ctx->init_called = 1; + + memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); + digest_ctx->sess.mac = digest_d->devcryptoid; +@@ -476,14 +477,9 @@ static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) + (struct digest_ctx *)EVP_MD_CTX_md_data(to); + struct cphash_op cphash; + +- if (digest_from == NULL) ++ if (digest_from == NULL || digest_from->init_called != 1) + return 1; + +- if (digest_from->init != 1) { +- SYSerr(SYS_F_IOCTL, EINVAL); +- return 0; +- } +- + if (!digest_init(to)) { + SYSerr(SYS_F_IOCTL, errno); + return 0; diff --git a/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch b/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch new file mode 100644 index 0000000000000..29a1601f48087 --- /dev/null +++ b/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch @@ -0,0 +1,48 @@ +From 5378c582c8d3f1130b17abb2950bfd09cde099c6 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Mon, 5 Nov 2018 15:59:44 -0200 +Subject: [PATCH 4/7] eng_devcrypto: close session on cleanup, not final + +Close the session in digest_cleanup instead of digest_final. A failure +in closing the session does not mean a previous successful digest final +has failed as well. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +(cherry picked from commit a67203a19d379a8cc8b369587c60c46eb4e19014) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index a9ddc9c86b..1b87774c8a 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -461,10 +461,6 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) + SYSerr(SYS_F_IOCTL, errno); + return 0; + } +- if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +- } + + return 1; + } +@@ -496,6 +492,15 @@ static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) + + static int digest_cleanup(EVP_MD_CTX *ctx) + { ++ struct digest_ctx *digest_ctx = ++ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); ++ ++ if (digest_ctx == NULL) ++ return 1; ++ if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++ } + return 1; + } + diff --git a/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch b/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch new file mode 100644 index 0000000000000..e4666041db031 --- /dev/null +++ b/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch @@ -0,0 +1,56 @@ +From a19d1a1d370e2959555fccbafc4e970634840352 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Tue, 13 Nov 2018 09:23:22 -0200 +Subject: [PATCH 5/7] eng_devcrypto: add cipher CTX copy function + +The engine needs a custom cipher context copy function to open a new +/dev/crypto session. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +(cherry picked from commit 6d99e238397859f2df58c60e28905193b2dd6762) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 1b87774c8a..c882592554 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -207,6 +207,22 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + return 1; + } + ++static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) ++{ ++ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2; ++ struct cipher_ctx *cipher_ctx; ++ ++ if (type == EVP_CTRL_COPY) { ++ /* when copying the context, a new session needs to be initialized */ ++ cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); ++ return (cipher_ctx == NULL) ++ || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx), ++ (cipher_ctx->op == COP_ENCRYPT)); ++ } ++ ++ return -1; ++} ++ + static int cipher_cleanup(EVP_CIPHER_CTX *ctx) + { + struct cipher_ctx *cipher_ctx = +@@ -258,10 +274,12 @@ static void prepare_cipher_methods(void) + cipher_data[i].ivlen) + || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], + cipher_data[i].flags ++ | EVP_CIPH_CUSTOM_COPY + | EVP_CIPH_FLAG_DEFAULT_ASN1) + || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) + || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], + cipher_do_cipher) ++ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) + || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], + cipher_cleanup) + || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], diff --git a/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch b/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch new file mode 100644 index 0000000000000..7cf063356150d --- /dev/null +++ b/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch @@ -0,0 +1,220 @@ +From 2887a5c8f9a385b3ebee12b98f68e7d1f9cc0ea0 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Wed, 28 Nov 2018 11:26:27 -0200 +Subject: [PATCH 6/7] eng_devcrypto: fix ctr mode + +Make CTR mode behave like a stream cipher. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +(cherry picked from commit b5015e834aa7d3f0a5d7585a8fae05cecbdbb848) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index c882592554..32d9a9766c 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -47,10 +47,12 @@ static int cfd; + + struct cipher_ctx { + struct session_op sess; +- +- /* to pass from init to do_cipher */ +- const unsigned char *iv; + int op; /* COP_ENCRYPT or COP_DECRYPT */ ++ unsigned long mode; /* EVP_CIPH_*_MODE */ ++ ++ /* to handle ctr mode being a stream cipher */ ++ unsigned char partial[EVP_MAX_BLOCK_LENGTH]; ++ unsigned int blocksize, num; + }; + + static const struct cipher_data_st { +@@ -87,9 +89,9 @@ static const struct cipher_data_st { + { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, + #endif + #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) +- { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, + #endif + #if 0 /* Not yet supported */ + { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +@@ -146,6 +148,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + cipher_ctx->sess.keylen = cipher_d->keylen; + cipher_ctx->sess.key = (void *)key; + cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; ++ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; ++ cipher_ctx->blocksize = cipher_d->blocksize; + if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { + SYSerr(SYS_F_IOCTL, errno); + return 0; +@@ -160,8 +164,11 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + struct cipher_ctx *cipher_ctx = + (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); + struct crypt_op cryp; ++ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); + #if !defined(COP_FLAG_WRITE_IV) + unsigned char saved_iv[EVP_MAX_IV_LENGTH]; ++ const unsigned char *ivptr; ++ size_t nblocks, ivlen; + #endif + + memset(&cryp, 0, sizeof(cryp)); +@@ -169,19 +176,28 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + cryp.len = inl; + cryp.src = (void *)in; + cryp.dst = (void *)out; +- cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx); ++ cryp.iv = (void *)iv; + cryp.op = cipher_ctx->op; + #if !defined(COP_FLAG_WRITE_IV) + cryp.flags = 0; + +- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { +- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx)); +- if (!EVP_CIPHER_CTX_encrypting(ctx)) { +- unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx); +- +- memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx)); ++ ivlen = EVP_CIPHER_CTX_iv_length(ctx); ++ if (ivlen > 0) ++ switch (cipher_ctx->mode) { ++ case EVP_CIPH_CBC_MODE: ++ assert(inl >= ivlen); ++ if (!EVP_CIPHER_CTX_encrypting(ctx)) { ++ ivptr = in + inl - ivlen; ++ memcpy(saved_iv, ivptr, ivlen); ++ } ++ break; ++ ++ case EVP_CIPH_CTR_MODE: ++ break; ++ ++ default: /* should not happen */ ++ return 0; + } +- } + #else + cryp.flags = COP_FLAG_WRITE_IV; + #endif +@@ -192,17 +208,74 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + } + + #if !defined(COP_FLAG_WRITE_IV) +- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { +- unsigned char *ivptr = saved_iv; ++ if (ivlen > 0) ++ switch (cipher_ctx->mode) { ++ case EVP_CIPH_CBC_MODE: ++ assert(inl >= ivlen); ++ if (EVP_CIPHER_CTX_encrypting(ctx)) ++ ivptr = out + inl - ivlen; ++ else ++ ivptr = saved_iv; ++ ++ memcpy(iv, ivptr, ivlen); ++ break; ++ ++ case EVP_CIPH_CTR_MODE: ++ nblocks = (inl + cipher_ctx->blocksize - 1) ++ / cipher_ctx->blocksize; ++ do { ++ ivlen--; ++ nblocks += iv[ivlen]; ++ iv[ivlen] = (uint8_t) nblocks; ++ nblocks >>= 8; ++ } while (ivlen); ++ break; ++ ++ default: /* should not happen */ ++ return 0; ++ } ++#endif + +- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx)); +- if (!EVP_CIPHER_CTX_encrypting(ctx)) +- ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx); ++ return 1; ++} + +- memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr, +- EVP_CIPHER_CTX_iv_length(ctx)); ++static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ ++ struct cipher_ctx *cipher_ctx = ++ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); ++ size_t nblocks, len; ++ ++ /* initial partial block */ ++ while (cipher_ctx->num && inl) { ++ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num]; ++ --inl; ++ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize; ++ } ++ ++ /* full blocks */ ++ if (inl > (unsigned int) cipher_ctx->blocksize) { ++ nblocks = inl/cipher_ctx->blocksize; ++ len = nblocks * cipher_ctx->blocksize; ++ if (cipher_do_cipher(ctx, out, in, len) < 1) ++ return 0; ++ inl -= len; ++ out += len; ++ in += len; ++ } ++ ++ /* final partial block */ ++ if (inl) { ++ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize); ++ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial, ++ cipher_ctx->blocksize) < 1) ++ return 0; ++ while (inl--) { ++ out[cipher_ctx->num] = in[cipher_ctx->num] ++ ^ cipher_ctx->partial[cipher_ctx->num]; ++ cipher_ctx->num++; ++ } + } +-#endif + + return 1; + } +@@ -249,6 +322,7 @@ static void prepare_cipher_methods(void) + { + size_t i; + struct session_op sess; ++ unsigned long cipher_mode; + + memset(&sess, 0, sizeof(sess)); + sess.key = (void *)"01234567890123456789012345678901234567890123456789"; +@@ -266,9 +340,12 @@ static void prepare_cipher_methods(void) + || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) + continue; + ++ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; ++ + if ((known_cipher_methods[i] = + EVP_CIPHER_meth_new(cipher_data[i].nid, +- cipher_data[i].blocksize, ++ cipher_mode == EVP_CIPH_CTR_MODE ? 1 : ++ cipher_data[i].blocksize, + cipher_data[i].keylen)) == NULL + || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], + cipher_data[i].ivlen) +@@ -278,6 +355,8 @@ static void prepare_cipher_methods(void) + | EVP_CIPH_FLAG_DEFAULT_ASN1) + || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) + || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], ++ cipher_mode == EVP_CIPH_CTR_MODE ? ++ ctr_do_cipher : + cipher_do_cipher) + || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) + || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], diff --git a/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch b/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch new file mode 100644 index 0000000000000..f91f8485c3325 --- /dev/null +++ b/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch @@ -0,0 +1,73 @@ +From 488521d77fdc1de5ae256ce0d9203e35ebc92993 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Sat, 8 Dec 2018 18:01:04 -0200 +Subject: [PATCH 7/7] eng_devcrypto: make sure digest can do copy + +Digest must be able to do partial-state copy to be used. + +Signed-off-by: Eneas U de Queiroz + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7585) + +(cherry picked from commit 16e252a01b754a13e83d5e5e87afbe389997926b) + +diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +index 32d9a9766c..65f1720a0c 100644 +--- a/crypto/engine/eng_devcrypto.c ++++ b/crypto/engine/eng_devcrypto.c +@@ -601,6 +601,30 @@ static int digest_cleanup(EVP_MD_CTX *ctx) + return 1; + } + ++static int devcrypto_test_digest(size_t digest_data_index) ++{ ++ struct session_op sess1, sess2; ++ struct cphash_op cphash; ++ int ret=0; ++ ++ memset(&sess1, 0, sizeof(sess1)); ++ memset(&sess2, 0, sizeof(sess2)); ++ sess1.mac = digest_data[digest_data_index].devcryptoid; ++ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) ++ return 0; ++ /* Make sure the driver is capable of hash state copy */ ++ sess2.mac = sess1.mac; ++ if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) { ++ cphash.src_ses = sess1.ses; ++ cphash.dst_ses = sess2.ses; ++ if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0) ++ ret = 1; ++ ioctl(cfd, CIOCFSESSION, &sess2.ses); ++ } ++ ioctl(cfd, CIOCFSESSION, &sess1.ses); ++ return ret; ++} ++ + /* + * Keep a table of known nids and associated methods. + * Note that known_digest_nids[] isn't necessarily indexed the same way as +@@ -613,20 +637,14 @@ static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; + static void prepare_digest_methods(void) + { + size_t i; +- struct session_op sess; +- +- memset(&sess, 0, sizeof(sess)); + + for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); + i++) { + + /* +- * Check that the algo is really availably by trying to open and close +- * a session. ++ * Check that the algo is usable + */ +- sess.mac = digest_data[i].devcryptoid; +- if (ioctl(cfd, CIOCGSESSION, &sess) < 0 +- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) ++ if (!devcrypto_test_digest(i)) + continue; + + if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,