openssl: update to version 1.1.1a

This version adds the following functionality:
  * TLS 1.3
  * AFALG engine support for hardware accelleration
  * x25519 ECC curve support
  * CRIME protection: disable use of compression by default
  * Support for ChaCha20 and Poly1305

Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585

This increses the size of the ipk binray on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
This commit is contained in:
Eneas U de Queiroz 2018-10-24 11:25:00 -03:00 committed by Hauke Mehrtens
parent be3892284c
commit d872d00b2f
22 changed files with 775 additions and 493 deletions

View File

@ -53,7 +53,9 @@ config OPENSSL_WITH_DEPRECATED
default y
prompt "Include deprecated APIs (See help for a list of packages that need this)"
help
Squid currently requires this.
Since openssl 1.1.x is still new to openwrt, some packages
requiring this option do not list it as a requirement yet:
* freeswitch-stable, freeswitch, python, python3, squid.
config OPENSSL_NO_DEPRECATED
bool
@ -68,6 +70,21 @@ config OPENSSL_WITH_ERROR_MESSAGES
comment "Protocol Support"
config OPENSSL_WITH_TLS13
bool
default y
prompt "Enable support for TLS 1.3"
select OPENSSL_WITH_EC
help
TLS 1.3 is the newest version of the TLS specification.
It aims:
* to increase the overall security of the protocol,
removing outdated algorithms, and encrypting more of the
protocol;
* to increase performance by reducing the number of round-trips
when performing a full handshake.
It increases package size by ~4KB.
config OPENSSL_WITH_DTLS
bool
prompt "Enable DTLS support"
@ -120,6 +137,16 @@ config OPENSSL_WITH_EC2M
This option enables the more efficient, yet less common, binary
field elliptic curves.
config OPENSSL_WITH_CHACHA_POLY1305
bool
default y
prompt "Enable ChaCha20-Poly1305 ciphersuite support"
help
ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
combining ChaCha stream cipher with Poly1305 MAC.
It is 3x faster than AES, when not using a CPU with AES-specific
instructions, as is the case of most embedded devices.
config OPENSSL_WITH_PSK
bool
default y
@ -129,6 +156,12 @@ config OPENSSL_WITH_PSK
comment "Less commonly used build options"
config OPENSSL_WITH_ARIA
bool
prompt "Enable ARIA support"
help
ARIA is a block cipher developed in South Korea, based on AES.
config OPENSSL_WITH_CAMELLIA
bool
prompt "Enable Camellia cipher support"
@ -149,6 +182,23 @@ config OPENSSL_WITH_SEED
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.
config OPENSSL_WITH_SM234
bool
prompt "Enable SM2/3/4 algorithms support"
help
These algorithms are a set of "Commercial Cryptography"
algorithms approved for use in China.
* SM2 is an EC algorithm equivalent to ECDSA P-256
* SM3 is a hash function equivalent to SHA-256
* SM4 is a 128-block cipher equivalent to AES-128
config OPENSSL_WITH_BLAKE2
bool
prompt "Enable BLAKE2 digest support"
help
BLAKE2 is a cryptographic hash function based on the ChaCha
stream cipher.
config OPENSSL_WITH_MDC2
bool
prompt "Enable MDC2 digest support"
@ -199,10 +249,14 @@ config OPENSSL_ENGINE_CRYPTO
API modules) for /dev/crypto to show up and use hardware
acceleration; otherwise it falls back to software.
config OPENSSL_ENGINE_DIGEST
config OPENSSL_WITH_ASYNC
bool
depends on OPENSSL_ENGINE_CRYPTO
prompt "/dev/crypto digest (md5/sha1) acceleration support"
prompt "Enable asynchronous jobs support"
depends on OPENSSL_ENGINE && USE_GLIBC
help
Enables async-aware applications to be able to use OpenSSL to
initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine.
config OPENSSL_WITH_GOST
bool
@ -211,6 +265,9 @@ config OPENSSL_WITH_GOST
help
This option prepares the library to accept engine support
for Russian GOST crypto algorithms.
The gost engine is not included in standard openwrt feeds.
To build such engine yourself, see:
https://github.com/gost-engine/engine
endif

View File

@ -8,11 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_BASE:=1.0.2
PKG_BUGFIX:=q
PKG_BASE:=1.1.1
PKG_BUGFIX:=a
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
PKG_RELEASE:=2
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
PKG_BUILD_PARALLEL:=0
PKG_BUILD_DEPENDS:=cryptodev-linux
@ -24,8 +25,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
ENGINES_DIR=engines
PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41
PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
@ -33,11 +33,14 @@ PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_CRYPTO \
CONFIG_OPENSSL_ENGINE_DIGEST \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
CONFIG_OPENSSL_WITH_ARIA \
CONFIG_OPENSSL_WITH_ASM \
CONFIG_OPENSSL_WITH_ASYNC \
CONFIG_OPENSSL_WITH_BLAKE2 \
CONFIG_OPENSSL_WITH_CAMELLIA \
CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_DTLS \
@ -51,8 +54,10 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_PSK \
CONFIG_OPENSSL_WITH_RFC3779 \
CONFIG_OPENSSL_WITH_SEED \
CONFIG_OPENSSL_WITH_SM234 \
CONFIG_OPENSSL_WITH_SRP \
CONFIG_OPENSSL_WITH_SSE2 \
CONFIG_OPENSSL_WITH_TLS13 \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
@ -85,7 +90,7 @@ $(call Package/openssl/Default)
SUBMENU:=SSL
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
TITLE+= (libraries)
ABI_VERSION:=1.0.0
ABI_VERSION:=1.1
MENU:=1
endef
@ -111,18 +116,19 @@ $(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef
define Package/libopenssl-gost
define Package/libopenssl-afalg
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=Russian GOST algorithms engine
DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
TITLE:=AFALG hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user
endef
define Package/libopenssl-gost/description
This package adds an engine that enables Russian GOST algorithms.
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
The engine_id is "gost"
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
The engine_id is "afalg"
endef
define Package/libopenssl-padlock
@ -135,11 +141,23 @@ endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
To use it, you need to configure it in /etc/ssl/openssl.cnf.
See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
The engine_id is "padlock"
endef
OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
OPENSSL_OPTIONS:= shared
ifndef CONFIG_OPENSSL_WITH_BLAKE2
OPENSSL_OPTIONS += no-blake2
endif
ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
OPENSSL_OPTIONS += no-chacha no-poly1305
endif
ifndef CONFIG_OPENSSL_WITH_ASYNC
OPENSSL_OPTIONS += no-async
endif
ifndef CONFIG_OPENSSL_WITH_EC
OPENSSL_OPTIONS += no-ec
@ -153,6 +171,18 @@ ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
OPENSSL_OPTIONS += no-err
endif
ifndef CONFIG_OPENSSL_WITH_TLS13
OPENSSL_OPTIONS += no-tls1_3
endif
ifndef CONFIG_OPENSSL_WITH_ARIA
OPENSSL_OPTIONS += no-aria
endif
ifndef CONFIG_OPENSSL_WITH_SM234
OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
endif
ifndef CONFIG_OPENSSL_WITH_CAMELLIA
OPENSSL_OPTIONS += no-camellia
endif
@ -177,8 +207,8 @@ ifndef CONFIG_OPENSSL_WITH_CMS
OPENSSL_OPTIONS += no-cms
endif
ifdef CONFIG_OPENSSL_WITH_RFC3779
OPENSSL_OPTIONS += enable-rfc3779
ifndef CONFIG_OPENSSL_WITH_RFC3779
OPENSSL_OPTIONS += no-rfc3779
endif
ifdef CONFIG_OPENSSL_NO_DEPRECATED
@ -193,10 +223,10 @@ endif
ifdef CONFIG_OPENSSL_ENGINE
ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
ifdef CONFIG_OPENSSL_ENGINE_DIGEST
OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
endif
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_PACKAGE_libopenssl-afalg
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-hw-padlock
@ -209,10 +239,8 @@ ifndef CONFIG_OPENSSL_WITH_GOST
OPENSSL_OPTIONS += no-gost
endif
# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
# but openssl util gets built without it
ifndef CONFIG_OPENSSL_WITH_DTLS
OPENSSL_OPTIONS += no-dtls no-dtls1
OPENSSL_OPTIONS += no-dtls
endif
ifdef CONFIG_OPENSSL_WITH_COMPRESSION
@ -261,12 +289,6 @@ define Build/Configure
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) \
)
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
MAKEDEPPROG="$(TARGET_CROSS)gcc" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
depend
endef
TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
@ -276,35 +298,16 @@ define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
AR="$(TARGET_CROSS)ar r" \
RANLIB="$(TARGET_CROSS)ranlib" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
AR="$(TARGET_CROSS)ar r" \
RANLIB="$(TARGET_CROSS)ranlib" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
build-shared
# Work around openssl build bug to link libssl.so with libcrypto.so.
-rm $(PKG_BUILD_DIR)/libssl.so.*.*.*
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
do_linux-shared
$(MAKE) -C $(PKG_BUILD_DIR) \
CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
install
install_sw install_ssldirs
endef
define Build/InstallDev
@ -334,17 +337,17 @@ define Package/openssl-util/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
define Package/libopenssl-afalg/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
endef
define Package/libopenssl-padlock/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
endef
define Package/libopenssl-gost/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
endef
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-gost))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))

View File

@ -0,0 +1,23 @@
From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:29:21 -0300
Subject: Do not use host kernel version to disable AFALG
This patch prevents the Configure script from using the host kernel
version to disable building the AFALG engine on openwrt targets.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/Configure
+++ b/Configure
@@ -1554,7 +1554,9 @@ unless ($disabled{"crypto-mdebug-backtra
unless ($disabled{afalgeng}) {
$config{afalgeng}="";
- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+ if ($target =~ m/openwrt$/) {
+ push @{$config{engdirs}}, "afalg";
+ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
my $minver = 4*10000 + 1*100 + 0;
if ($config{CROSS_COMPILE} eq "") {
my $verstr = `uname -r`;

View File

@ -1,44 +0,0 @@
From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Wed, 26 Sep 2018 16:21:27 -0300
Subject: Add openwrt targets
Targets are named: linux-$(CONFIG_ARCH)-openwrt
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/Configure
+++ b/Configure
@@ -470,6 +470,32 @@ my %table=(
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+# OpenWrt targets
+# from linux-aarch64
+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# from linux-generic32
+"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# from linux-armv4
+"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# from linux-armv4
+"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# from linux-elf
+"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# from linux-mips32
+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# from linux64-mips64
+"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+# from linux64-mips64
+"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+# from linux-mips32
+"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# from linux-ppc
+"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# from linux-x86_64
+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+# from linux-generic32
+"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
# Android: linux-* but without pointers to headers and libs.
"android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

View File

@ -0,0 +1,60 @@
From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:30:24 -0300
Subject: Add openwrt targets
Targets are named: linux-$(CONFIG_ARCH)-openwrt
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- /dev/null
+++ b/Configurations/25-openwrt.conf
@@ -0,0 +1,48 @@
+## Openwrt "CONFIG_ARCH" matching targets.
+
+# The targets need to end in '-openwrt' for the AFALG patch to work
+
+my %targets = (
+ "openwrt" => {
+ template => 1,
+ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
+ },
+ "linux-aarch64-openwrt" => {
+ inherit_from => [ "linux-aarch64", "openwrt" ],
+ },
+ "linux-arc-openwrt" => {
+ inherit_from => [ "linux-generic32", "openwrt" ],
+ },
+ "linux-arm-openwrt" => {
+ inherit_from => [ "linux-armv4", "openwrt" ],
+ },
+ "linux-armeb-openwrt" => {
+ inherit_from => [ "linux-armv4", "openwrt" ],
+ },
+ "linux-i386-openwrt" => {
+ inherit_from => [ "linux-x86", "openwrt" ],
+ },
+ "linux-mips-openwrt" => {
+ inherit_from => [ "linux-mips32", "openwrt" ],
+ },
+ "linux-mips64-openwrt" => {
+ inherit_from => [ "linux64-mips64", "openwrt" ],
+ },
+ "linux-mips64el-openwrt" => {
+ inherit_from => [ "linux64-mips64", "openwrt" ],
+ },
+ "linux-mipsel-openwrt" => {
+ inherit_from => [ "linux-mips32", "openwrt" ],
+ },
+ "linux-powerpc-openwrt" => {
+ inherit_from => [ "linux-ppc", "openwrt" ],
+ },
+ "linux-x86_64-openwrt" => {
+ inherit_from => [ "linux-x86_64", "openwrt" ],
+ },
+
+### Basic default option
+ "linux-generic32-openwrt" => {
+ inherit_from => [ "linux-generic32", "openwrt" ],
+ },
+);

View File

@ -1,64 +0,0 @@
--- a/Configure
+++ b/Configure
@@ -1,4 +1,4 @@
-:
+#!/usr/bin/perl
eval 'exec perl -S $0 ${1+"$@"}'
if $running_under_some_shell;
##
--- a/tools/c_rehash.in
+++ b/tools/c_rehash.in
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
# Perl c_rehash script, scan all files in a directory
# and add symbolic links to their hash values.
--- a/util/clean-depend.pl
+++ b/util/clean-depend.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
# Clean the dependency list in a makefile of standard includes...
# Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
#
# generate a .def file
#
--- a/util/mkerr.pl
+++ b/util/mkerr.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
my $config = "crypto/err/openssl.ec";
my $hprefix = "openssl/";
--- a/util/mkstack.pl
+++ b/util/mkstack.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
# This is a utility that searches out "DECLARE_STACK_OF()"
# declarations in .h and .c files, and updates/creates/replaces
--- a/util/pod2man.pl
+++ b/util/pod2man.pl
@@ -1,4 +1,4 @@
-: #!/usr/bin/perl-5.005
+#!/usr/bin/perl
eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
if $running_under_some_shell;
--- a/util/selftest.pl
+++ b/util/selftest.pl
@@ -1,4 +1,4 @@
-#!/usr/local/bin/perl -w
+#!/usr/bin/perl
#
# Run the test suite and generate a report
#

View File

@ -1,11 +0,0 @@
--- a/Makefile.org
+++ b/Makefile.org
@@ -137,7 +137,7 @@ FIPSCANLIB=
BASEADDR=
-DIRS= crypto ssl engines apps test tools
+DIRS= crypto ssl engines apps
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl

View File

@ -0,0 +1,21 @@
From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:31:38 -0300
Subject: void exposing build directories
The CFLAGS contain the build directories, and are shown by calling
OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink
ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
DEPEND[cversion.o]=buildinf.h
-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
DEPEND[buildinf.h]=../configdata.pm
GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)

View File

@ -1,58 +0,0 @@
--- a/Makefile
+++ b/Makefile
@@ -139,7 +139,7 @@ FIPSCANLIB=
BASEADDR=0xFB00000
-DIRS= crypto ssl engines apps test tools
+DIRS= crypto ssl engines apps tools
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
@@ -157,7 +157,7 @@ SDIRS= \
# tests to perform. "alltests" is a special word indicating that all tests
# should be performed.
-TESTS = alltests
+TESTS =
MAKEFILE= Makefile
@@ -171,7 +171,7 @@ SHELL=/bin/sh
TOP= .
ONEDIRS=out tmp
-EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS
+EDIRS= times bugs util include certs ms shlib mt demos perl sf dep VMS
WDIRS= windows
LIBS= libcrypto.a libssl.a
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
@@ -276,7 +276,7 @@ reflect:
sub_all: build_all
-build_all: build_libs build_apps build_tests build_tools
+build_all: build_libs build_apps build_tools
build_libs: build_libcrypto build_libssl openssl.pc
@@ -542,7 +542,7 @@ dist:
@$(MAKE) SDIRS='$(SDIRS)' clean
@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-install: all install_docs install_sw
+install: all install_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
--- a/Makefile.org
+++ b/Makefile.org
@@ -540,7 +540,7 @@ dist:
@$(MAKE) SDIRS='$(SDIRS)' clean
@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-install: all install_docs install_sw
+install: all install_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \

View File

@ -0,0 +1,29 @@
From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:34:38 -0300
Subject: Do not build tests and fuzz directories
This shortens build time.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/Configure
+++ b/Configure
@@ -299,7 +299,7 @@ my $auto_threads=1; # enable threads
my $default_ranlib;
# Top level directories to build
-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
+$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ];
# crypto/ subdirectories to build
$config{sdirs} = [
"objects",
@@ -311,7 +311,7 @@ $config{sdirs} = [
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
# test/ subdirectories to build
-$config{tdirs} = [ "ossl_shim" ];
+$config{tdirs} = [];
# Known TLS and DTLS protocols
my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);

View File

@ -1,8 +0,0 @@
--- a/util/domd
+++ b/util/domd
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
# Do a makedepend, only leave out the standard headers
# Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999

View File

@ -1,18 +0,0 @@
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -95,7 +95,6 @@ LINK_APP= \
LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
LINK_SO= \
@@ -105,7 +104,6 @@ LINK_SO= \
SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${SHAREDCMD} $${SHAREDFLAGS} \
-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \

View File

@ -1,23 +0,0 @@
--- a/Makefile.org
+++ b/Makefile.org
@@ -185,7 +185,7 @@ TARFILE= ../$(NAME).tar
EXHEADER= e_os2.h
HEADER= e_os.h
-all: Makefile build_all
+all: build_all
# as we stick to -e, CLEARENV ensures that local variables in lower
# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
@@ -404,11 +404,6 @@ openssl.pc: Makefile
echo 'Version: '$(VERSION); \
echo 'Requires: libssl libcrypto' ) > openssl.pc
-Makefile: Makefile.org Configure config
- @echo "Makefile is older than Makefile.org, Configure or config."
- @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
- @false
-
libclean:
rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib

View File

@ -1,184 +0,0 @@
--- a/Makefile.org
+++ b/Makefile.org
@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi
build_libssl: build_ssl libssl.pc
build_crypto:
- @dir=crypto; target=all; $(BUILD_ONE_CMD)
+ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
build_ssl: build_crypto
- @dir=ssl; target=all; $(BUILD_ONE_CMD)
+ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
build_engines: build_crypto
- @dir=engines; target=all; $(BUILD_ONE_CMD)
+ +@dir=engines; target=all; $(BUILD_ONE_CMD)
build_apps: build_libs
- @dir=apps; target=all; $(BUILD_ONE_CMD)
+ +@dir=apps; target=all; $(BUILD_ONE_CMD)
build_tests: build_libs
- @dir=test; target=all; $(BUILD_ONE_CMD)
+ +@dir=test; target=all; $(BUILD_ONE_CMD)
build_tools: build_libs
- @dir=tools; target=all; $(BUILD_ONE_CMD)
+ +@dir=tools; target=all; $(BUILD_ONE_CMD)
all_testapps: build_libs build_testapps
build_testapps:
@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut
@set -e; target=update; $(RECURSIVE_BUILD_CMD)
depend:
- @set -e; target=depend; $(RECURSIVE_BUILD_CMD)
+ +@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
lint:
@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
@@ -535,9 +535,9 @@ dist:
@$(MAKE) SDIRS='$(SDIRS)' clean
@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
-install: all install_sw
+install: install_sw
-install_sw:
+install_dirs:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
@@ -546,12 +546,19 @@ install_sw:
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
$(INSTALL_PREFIX)$(OPENSSLDIR)/private
+ @$(PERL) $(TOP)/util/mkdir-p.pl \
+ $(INSTALL_PREFIX)$(MANDIR)/man1 \
+ $(INSTALL_PREFIX)$(MANDIR)/man3 \
+ $(INSTALL_PREFIX)$(MANDIR)/man5 \
+ $(INSTALL_PREFIX)$(MANDIR)/man7
+
+install_sw: install_dirs
@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
do \
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
do \
if [ -f "$$i" ]; then \
@@ -635,12 +642,7 @@ install_html_docs:
done; \
done
-install_docs:
- @$(PERL) $(TOP)/util/mkdir-p.pl \
- $(INSTALL_PREFIX)$(MANDIR)/man1 \
- $(INSTALL_PREFIX)$(MANDIR)/man3 \
- $(INSTALL_PREFIX)$(MANDIR)/man5 \
- $(INSTALL_PREFIX)$(MANDIR)/man7
+install_docs: install_dirs
@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
here="`pwd`"; \
filecase=; \
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -120,6 +120,7 @@ SYMLINK_SO= \
done; \
fi; \
if [ -n "$$SHLIB_SOVER" ]; then \
+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
fi; \
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -87,11 +87,11 @@ testapps:
@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
subdirs:
- @target=all; $(RECURSIVE_MAKE)
+ +@target=all; $(RECURSIVE_MAKE)
files:
$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
- @target=files; $(RECURSIVE_MAKE)
+ +@target=files; $(RECURSIVE_MAKE)
links:
@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
@@ -102,7 +102,7 @@ links:
# lib: $(LIB): are splitted to avoid end-less loop
lib: $(LIB)
@touch lib
-$(LIB): $(LIBOBJ)
+$(LIB): $(LIBOBJ) | subdirs
$(AR) $(LIB) $(LIBOBJ)
test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
$(RANLIB) $(LIB) || echo Never mind.
@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
fi
libs:
- @target=lib; $(RECURSIVE_MAKE)
+ +@target=lib; $(RECURSIVE_MAKE)
install:
@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
@@ -122,7 +122,7 @@ install:
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
- @target=install; $(RECURSIVE_MAKE)
+ +@target=install; $(RECURSIVE_MAKE)
lint:
@target=lint; $(RECURSIVE_MAKE)
--- a/engines/Makefile
+++ b/engines/Makefile
@@ -72,7 +72,7 @@ top:
all: lib subdirs
-lib: $(LIBOBJ)
+lib: $(LIBOBJ) | subdirs
@if [ -n "$(SHARED_LIBS)" ]; then \
set -e; \
for l in $(LIBNAMES); do \
@@ -89,7 +89,7 @@ lib: $(LIBOBJ)
subdirs:
echo $(EDIRS)
- @target=all; $(RECURSIVE_MAKE)
+ +@target=all; $(RECURSIVE_MAKE)
files:
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -128,7 +128,7 @@ install:
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
done; \
fi
- @target=install; $(RECURSIVE_MAKE)
+ +@target=install; $(RECURSIVE_MAKE)
tags:
ctags $(SRC)
--- a/test/Makefile
+++ b/test/Makefile
@@ -145,7 +145,7 @@ install:
tags:
ctags $(SRC)
-tests: exe apps $(TESTS)
+tests: exe $(TESTS)
apps:
@(cd ..; $(MAKE) DIRS=apps all)
@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
# fi
dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
- @target=dummytest; $(BUILD_CMD)
+ +@target=dummytest; $(BUILD_CMD)
# DO NOT DELETE THIS LINE -- make depend depends on it.

View File

@ -1,21 +0,0 @@
From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Wed, 26 Sep 2018 18:04:58 -0300
Subject: Avoid exposing build directories
The CFLAGS contain the build directories, and are shown by calling
SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -57,7 +57,7 @@ top:
all: shared
buildinf.h: ../Makefile
- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
+ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h
x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl
$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@

View File

@ -0,0 +1,42 @@
From be5cf61caa425070ec4f3e925d4e9aa484c8315b Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 5 Nov 2018 17:59:42 -0200
Subject: [PATCH 1/7] eng_devcrypto: don't leak methods tables
Call functions to prepare methods after confirming that /dev/crytpo was
sucessfully open and that the destroy function has been set.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit d9d4dff5c640990d45af115353fc9f88a497a56c)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -619,11 +619,6 @@ void engine_load_devcrypto_int()
return;
}
- prepare_cipher_methods();
-#ifdef IMPLEMENT_DIGEST
- prepare_digest_methods();
-#endif
-
if ((e = ENGINE_new()) == NULL
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
ENGINE_free(e);
@@ -636,6 +631,11 @@ void engine_load_devcrypto_int()
return;
}
+ prepare_cipher_methods();
+#ifdef IMPLEMENT_DIGEST
+ prepare_digest_methods();
+#endif
+
if (!ENGINE_set_id(e, "devcrypto")
|| !ENGINE_set_name(e, "/dev/crypto engine")

View File

@ -0,0 +1,37 @@
From add2ab1f289c24a1563c5b895d5cd133fe874f12 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Wed, 14 Nov 2018 11:22:14 -0200
Subject: [PATCH 2/7] eng_devcrypto: expand digest failure cases
Return failure when the digest_ctx is null in digest_update and
digest_final, and when md is null in digest_final.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit 4d9f99654441e36fdcb49540a1dbc9d4c70ccb68)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -438,6 +438,9 @@ static int digest_update(EVP_MD_CTX *ctx
if (count == 0)
return 1;
+ if (digest_ctx == NULL)
+ return 0;
+
if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
@@ -451,6 +454,8 @@ static int digest_final(EVP_MD_CTX *ctx,
struct digest_ctx *digest_ctx =
(struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
+ if (md == NULL || digest_ctx == NULL)
+ return 0;
if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;

View File

@ -0,0 +1,53 @@
From 68b02a8ab798b7e916c8141a36ab69d7493fc707 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Wed, 14 Nov 2018 13:58:06 -0200
Subject: [PATCH 3/7] eng_devcrypto: fix copy of unitilialized digest
If the source ctx has not been initialized, don't initialize the copy
either.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit ae8183690fa53b978d4647563f5a521c4cafe94c)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -338,7 +338,8 @@ static int devcrypto_ciphers(ENGINE *e,
struct digest_ctx {
struct session_op sess;
- int init;
+ /* This signals that the init function was called, not that it succeeded. */
+ int init_called;
};
static const struct digest_data_st {
@@ -403,7 +404,7 @@ static int digest_init(EVP_MD_CTX *ctx)
const struct digest_data_st *digest_d =
get_digest_data(EVP_MD_CTX_type(ctx));
- digest_ctx->init = 1;
+ digest_ctx->init_called = 1;
memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
digest_ctx->sess.mac = digest_d->devcryptoid;
@@ -476,14 +477,9 @@ static int digest_copy(EVP_MD_CTX *to, c
(struct digest_ctx *)EVP_MD_CTX_md_data(to);
struct cphash_op cphash;
- if (digest_from == NULL)
+ if (digest_from == NULL || digest_from->init_called != 1)
return 1;
- if (digest_from->init != 1) {
- SYSerr(SYS_F_IOCTL, EINVAL);
- return 0;
- }
-
if (!digest_init(to)) {
SYSerr(SYS_F_IOCTL, errno);
return 0;

View File

@ -0,0 +1,46 @@
From 5378c582c8d3f1130b17abb2950bfd09cde099c6 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 5 Nov 2018 15:59:44 -0200
Subject: [PATCH 4/7] eng_devcrypto: close session on cleanup, not final
Close the session in digest_cleanup instead of digest_final. A failure
in closing the session does not mean a previous successful digest final
has failed as well.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit a67203a19d379a8cc8b369587c60c46eb4e19014)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -461,10 +461,6 @@ static int digest_final(EVP_MD_CTX *ctx,
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
- if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
- }
return 1;
}
@@ -496,6 +492,15 @@ static int digest_copy(EVP_MD_CTX *to, c
static int digest_cleanup(EVP_MD_CTX *ctx)
{
+ struct digest_ctx *digest_ctx =
+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
+
+ if (digest_ctx == NULL)
+ return 1;
+ if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
+ }
return 1;
}

View File

@ -0,0 +1,54 @@
From a19d1a1d370e2959555fccbafc4e970634840352 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Tue, 13 Nov 2018 09:23:22 -0200
Subject: [PATCH 5/7] eng_devcrypto: add cipher CTX copy function
The engine needs a custom cipher context copy function to open a new
/dev/crypto session.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit 6d99e238397859f2df58c60e28905193b2dd6762)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -207,6 +207,22 @@ static int cipher_do_cipher(EVP_CIPHER_C
return 1;
}
+static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
+{
+ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2;
+ struct cipher_ctx *cipher_ctx;
+
+ if (type == EVP_CTRL_COPY) {
+ /* when copying the context, a new session needs to be initialized */
+ cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+ return (cipher_ctx == NULL)
+ || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
+ (cipher_ctx->op == COP_ENCRYPT));
+ }
+
+ return -1;
+}
+
static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
{
struct cipher_ctx *cipher_ctx =
@@ -258,10 +274,12 @@ static void prepare_cipher_methods(void)
cipher_data[i].ivlen)
|| !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
cipher_data[i].flags
+ | EVP_CIPH_CUSTOM_COPY
| EVP_CIPH_FLAG_DEFAULT_ASN1)
|| !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
cipher_do_cipher)
+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
cipher_cleanup)
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],

View File

@ -0,0 +1,217 @@
From 2887a5c8f9a385b3ebee12b98f68e7d1f9cc0ea0 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Wed, 28 Nov 2018 11:26:27 -0200
Subject: [PATCH 6/7] eng_devcrypto: fix ctr mode
Make CTR mode behave like a stream cipher.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit b5015e834aa7d3f0a5d7585a8fae05cecbdbb848)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -47,10 +47,12 @@ static int cfd;
struct cipher_ctx {
struct session_op sess;
-
- /* to pass from init to do_cipher */
- const unsigned char *iv;
int op; /* COP_ENCRYPT or COP_DECRYPT */
+ unsigned long mode; /* EVP_CIPH_*_MODE */
+
+ /* to handle ctr mode being a stream cipher */
+ unsigned char partial[EVP_MAX_BLOCK_LENGTH];
+ unsigned int blocksize, num;
};
static const struct cipher_data_st {
@@ -87,9 +89,9 @@ static const struct cipher_data_st {
{ NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
- { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
#endif
#if 0 /* Not yet supported */
{ NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
@@ -146,6 +148,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
cipher_ctx->sess.keylen = cipher_d->keylen;
cipher_ctx->sess.key = (void *)key;
cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
+ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
+ cipher_ctx->blocksize = cipher_d->blocksize;
if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
@@ -160,8 +164,11 @@ static int cipher_do_cipher(EVP_CIPHER_C
struct cipher_ctx *cipher_ctx =
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
struct crypt_op cryp;
+ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
#if !defined(COP_FLAG_WRITE_IV)
unsigned char saved_iv[EVP_MAX_IV_LENGTH];
+ const unsigned char *ivptr;
+ size_t nblocks, ivlen;
#endif
memset(&cryp, 0, sizeof(cryp));
@@ -169,19 +176,28 @@ static int cipher_do_cipher(EVP_CIPHER_C
cryp.len = inl;
cryp.src = (void *)in;
cryp.dst = (void *)out;
- cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx);
+ cryp.iv = (void *)iv;
cryp.op = cipher_ctx->op;
#if !defined(COP_FLAG_WRITE_IV)
cryp.flags = 0;
- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
- if (!EVP_CIPHER_CTX_encrypting(ctx)) {
- unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx);
+ ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+ if (ivlen > 0)
+ switch (cipher_ctx->mode) {
+ case EVP_CIPH_CBC_MODE:
+ assert(inl >= ivlen);
+ if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+ ivptr = in + inl - ivlen;
+ memcpy(saved_iv, ivptr, ivlen);
+ }
+ break;
+
+ case EVP_CIPH_CTR_MODE:
+ break;
- memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx));
+ default: /* should not happen */
+ return 0;
}
- }
#else
cryp.flags = COP_FLAG_WRITE_IV;
#endif
@@ -192,17 +208,74 @@ static int cipher_do_cipher(EVP_CIPHER_C
}
#if !defined(COP_FLAG_WRITE_IV)
- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
- unsigned char *ivptr = saved_iv;
+ if (ivlen > 0)
+ switch (cipher_ctx->mode) {
+ case EVP_CIPH_CBC_MODE:
+ assert(inl >= ivlen);
+ if (EVP_CIPHER_CTX_encrypting(ctx))
+ ivptr = out + inl - ivlen;
+ else
+ ivptr = saved_iv;
+
+ memcpy(iv, ivptr, ivlen);
+ break;
+
+ case EVP_CIPH_CTR_MODE:
+ nblocks = (inl + cipher_ctx->blocksize - 1)
+ / cipher_ctx->blocksize;
+ do {
+ ivlen--;
+ nblocks += iv[ivlen];
+ iv[ivlen] = (uint8_t) nblocks;
+ nblocks >>= 8;
+ } while (ivlen);
+ break;
+
+ default: /* should not happen */
+ return 0;
+ }
+#endif
+
+ return 1;
+}
- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
- if (!EVP_CIPHER_CTX_encrypting(ctx))
- ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx);
+static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ struct cipher_ctx *cipher_ctx =
+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+ size_t nblocks, len;
- memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr,
- EVP_CIPHER_CTX_iv_length(ctx));
+ /* initial partial block */
+ while (cipher_ctx->num && inl) {
+ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num];
+ --inl;
+ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize;
+ }
+
+ /* full blocks */
+ if (inl > (unsigned int) cipher_ctx->blocksize) {
+ nblocks = inl/cipher_ctx->blocksize;
+ len = nblocks * cipher_ctx->blocksize;
+ if (cipher_do_cipher(ctx, out, in, len) < 1)
+ return 0;
+ inl -= len;
+ out += len;
+ in += len;
+ }
+
+ /* final partial block */
+ if (inl) {
+ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize);
+ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial,
+ cipher_ctx->blocksize) < 1)
+ return 0;
+ while (inl--) {
+ out[cipher_ctx->num] = in[cipher_ctx->num]
+ ^ cipher_ctx->partial[cipher_ctx->num];
+ cipher_ctx->num++;
+ }
}
-#endif
return 1;
}
@@ -249,6 +322,7 @@ static void prepare_cipher_methods(void)
{
size_t i;
struct session_op sess;
+ unsigned long cipher_mode;
memset(&sess, 0, sizeof(sess));
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
@@ -266,9 +340,12 @@ static void prepare_cipher_methods(void)
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
continue;
+ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
+
if ((known_cipher_methods[i] =
EVP_CIPHER_meth_new(cipher_data[i].nid,
- cipher_data[i].blocksize,
+ cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
+ cipher_data[i].blocksize,
cipher_data[i].keylen)) == NULL
|| !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
cipher_data[i].ivlen)
@@ -278,6 +355,8 @@ static void prepare_cipher_methods(void)
| EVP_CIPH_FLAG_DEFAULT_ASN1)
|| !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
+ cipher_mode == EVP_CIPH_CTR_MODE ?
+ ctr_do_cipher :
cipher_do_cipher)
|| !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],

View File

@ -0,0 +1,71 @@
From 488521d77fdc1de5ae256ce0d9203e35ebc92993 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Sat, 8 Dec 2018 18:01:04 -0200
Subject: [PATCH 7/7] eng_devcrypto: make sure digest can do copy
Digest must be able to do partial-state copy to be used.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7585)
(cherry picked from commit 16e252a01b754a13e83d5e5e87afbe389997926b)
--- a/crypto/engine/eng_devcrypto.c
+++ b/crypto/engine/eng_devcrypto.c
@@ -601,6 +601,30 @@ static int digest_cleanup(EVP_MD_CTX *ct
return 1;
}
+static int devcrypto_test_digest(size_t digest_data_index)
+{
+ struct session_op sess1, sess2;
+ struct cphash_op cphash;
+ int ret=0;
+
+ memset(&sess1, 0, sizeof(sess1));
+ memset(&sess2, 0, sizeof(sess2));
+ sess1.mac = digest_data[digest_data_index].devcryptoid;
+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
+ return 0;
+ /* Make sure the driver is capable of hash state copy */
+ sess2.mac = sess1.mac;
+ if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
+ cphash.src_ses = sess1.ses;
+ cphash.dst_ses = sess2.ses;
+ if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
+ ret = 1;
+ ioctl(cfd, CIOCFSESSION, &sess2.ses);
+ }
+ ioctl(cfd, CIOCFSESSION, &sess1.ses);
+ return ret;
+}
+
/*
* Keep a table of known nids and associated methods.
* Note that known_digest_nids[] isn't necessarily indexed the same way as
@@ -613,20 +637,14 @@ static EVP_MD *known_digest_methods[OSSL
static void prepare_digest_methods(void)
{
size_t i;
- struct session_op sess;
-
- memset(&sess, 0, sizeof(sess));
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
i++) {
/*
- * Check that the algo is really availably by trying to open and close
- * a session.
+ * Check that the algo is usable
*/
- sess.mac = digest_data[i].devcryptoid;
- if (ioctl(cfd, CIOCGSESSION, &sess) < 0
- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
+ if (!devcrypto_test_digest(i))
continue;
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,