From 5cd97adeb33f5fc92ad1ff319b4ba34535c0a65b Mon Sep 17 00:00:00 2001 From: John Crispin Date: Tue, 23 Aug 2022 08:59:23 +0200 Subject: [PATCH] openssl: backport from 22.06-rc3 Signed-off-by: John Crispin --- include/openssl-engine.mk | 50 +++++++++++ package/libs/openssl/Config.in | 11 --- package/libs/openssl/Makefile | 64 ++++++-------- package/libs/openssl/files/afalg.cnf | 3 + package/libs/openssl/files/devcrypto.cnf | 31 +++++++ package/libs/openssl/files/openssl.init | 31 +++++++ package/libs/openssl/files/padlock.cnf | 3 + ...m-ppc-xlate.pl-add-linux64v2-flavour.patch | 56 +++++++++++++ .../patches/100-Configure-afalg-support.patch | 5 +- .../openssl/patches/110-openwrt_targets.patch | 9 +- .../120-strip-cflags-from-binary.patch | 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch | 83 ++++--------------- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 12 +-- ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 19 files changed, 232 insertions(+), 144 deletions(-) create mode 100644 include/openssl-engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf create mode 100644 package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch diff --git a/include/openssl-engine.mk b/include/openssl-engine.mk new file mode 100644 index 0000000000..d8baba482e --- /dev/null +++ b/include/openssl-engine.mk @@ -0,0 +1,50 @@ +# SPDX-License-Identifier: GPL-2.0-only +# +# Copyright (C) 2022 Enéas Ulir de Queiroz + +ENGINES_DIR=engines-1.1 + +define Package/openssl/engine/Default + SECTION:=libs + CATEGORY:=Libraries + SUBMENU:=SSL + DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf +endef + +# 1 = engine name +# 2 - package name, defaults to libopenssl-$(1) +define Package/openssl/add-engine + OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1)) + Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf + + define Package/$$(OSSL_ENG_PKG)/install + $$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR) + $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \ + $$(1)/usr/lib/$(ENGINES_DIR) + $$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d + $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/ + endef + + define Package/$$(OSSL_ENG_PKG)/postinst := +#!/bin/sh +OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl" + +[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0 + +cat << EOF >> "$$$${OPENSSL_UCI}" + +config engine '$(1)' + option enabled '1' +EOF + +[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload + endef + + define Package/$$(OSSL_ENG_PKG)/postrm := +#!/bin/sh +[ -n "$$$${IPKG_INSTROOT}" ] && exit 0 +uci delete openssl.$(1) +uci commit openssl +/etc/init.d/openssl reload + endef +endef diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index d1281ec6fa..bc2f0584b6 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC initiate crypto operations asynchronously. In order to work this will require the presence of an async capable engine. -config OPENSSL_WITH_GOST - bool - prompt "Prepare library for GOST engine" - depends on OPENSSL_ENGINE - help - This option prepares the library to accept engine support - for Russian GOST crypto algorithms. - The gost engine is not included in standard openwrt feeds. - To build such engine yourself, see: - https://github.com/gost-engine/engine - endif diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 0397ab90c4..09bada3915 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,11 +9,10 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=l +PKG_BUGFIX:=q PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=$(AUTORELEASE) PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -26,7 +25,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 +PKG_HASH:=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE @@ -52,7 +51,6 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_DTLS \ CONFIG_OPENSSL_WITH_EC2M \ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ - CONFIG_OPENSSL_WITH_GOST \ CONFIG_OPENSSL_WITH_IDEA \ CONFIG_OPENSSL_WITH_MDC2 \ CONFIG_OPENSSL_WITH_NPN \ @@ -66,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/openssl-engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -129,6 +128,8 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description @@ -136,51 +137,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ + @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ + @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -289,10 +289,6 @@ else OPENSSL_OPTIONS += no-engine endif -ifndef CONFIG_OPENSSL_WITH_GOST - OPENSSL_OPTIONS += no-gost -endif - ifndef CONFIG_OPENSSL_WITH_DTLS OPENSSL_OPTIONS += no-dtls endif @@ -381,8 +377,17 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl + touch $(1)/etc/config/openssl + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), + $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ + echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), + $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) endef define Package/openssl-util/install @@ -390,21 +395,6 @@ define Package/openssl-util/install $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef -define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) -endef - -define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) -endef - -define Package/libopenssl-padlock/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) -endef - $(eval $(call BuildPackage,libopenssl)) $(eval $(call BuildPackage,libopenssl-conf)) $(eval $(call BuildPackage,libopenssl-afalg)) diff --git a/package/libs/openssl/files/afalg.cnf b/package/libs/openssl/files/afalg.cnf new file mode 100644 index 0000000000..4f573d757c --- /dev/null +++ b/package/libs/openssl/files/afalg.cnf @@ -0,0 +1,3 @@ +[afalg] +default_algorithms = ALL + diff --git a/package/libs/openssl/files/devcrypto.cnf b/package/libs/openssl/files/devcrypto.cnf new file mode 100644 index 0000000000..549275600d --- /dev/null +++ b/package/libs/openssl/files/devcrypto.cnf @@ -0,0 +1,31 @@ +[devcrypto] +# Leave this alone and configure algorithms with CIPERS/DIGESTS below +default_algorithms = ALL + +# Configuration commands: +# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a +# list of supported algorithms, along with their driver, whether they +# are hw accelerated or not, and the engine's configuration commands. + +# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) +# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use +# if acceleration can't be determined) [default=2] +#USE_SOFTDRIVERS = 2 + +# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to +# enable [default=ALL] +# It is recommended to disable the ECB ciphers; in most cases, it will +# only be used for PRNG, in small blocks, where performance is poor, +# and there may be problems with apps forking with open crypto +# contexts, leading to failures. The CBC ciphers work well: +#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC + +# DIGESTS: either ALL, NONE, or a comma-separated list of digests to +# enable [default=NONE] +# It is strongly recommended not to enable digests; their performance +# is poor, and there are many cases in which they will not work, +# especially when calling fork with open crypto contexts. Openssh, +# for example, does this, and you may not be able to login. +#DIGESTS = NONE + + diff --git a/package/libs/openssl/files/openssl.init b/package/libs/openssl/files/openssl.init new file mode 100755 index 0000000000..21e253e7a5 --- /dev/null +++ b/package/libs/openssl/files/openssl.init @@ -0,0 +1,31 @@ +#!/bin/sh /etc/rc.common + +START=13 +ENGINES_CNF_D="/etc/ssl/engines.cnf.d" +ENGINES_CNF="/var/etc/ssl/engines.cnf" +ENGINES_DIR="%ENGINES_DIR%" + +config_engine() { + local enabled force + config_get_bool enabled "$1" enabled 1 + config_get_bool force "$1" force 0 + [ "$enabled" = 0 ] && return + if [ "$force" = 0 ] && \ + [ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \ + [ ! -f "${ENGINES_DIR}/$1.so" ]; then + echo Skipping engine "$1": not installed + return + fi + echo Enabling engine "$1" + echo "$1=$1" >> "${ENGINES_CNF}" +} + +start() { + mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1 + echo Generating engines.cnf + echo "# This file is automatically generated from /etc/config/openssl." \ + > "${ENGINES_CNF}" || \ + { echo Error writing ${ENGINES_CNF} >&2; exit 1; } + config_load openssl + config_foreach config_engine engine +} diff --git a/package/libs/openssl/files/padlock.cnf b/package/libs/openssl/files/padlock.cnf new file mode 100644 index 0000000000..ef91079e5d --- /dev/null +++ b/package/libs/openssl/files/padlock.cnf @@ -0,0 +1,3 @@ +[padlock] +default_algorithms = ALL + diff --git a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch new file mode 100644 index 0000000000..e52a3d52ea --- /dev/null +++ b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch @@ -0,0 +1,56 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Sun, 5 May 2019 18:25:50 +0200 +Subject: crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is a big endian ELFv2 configuration. ELFv2 was already being +used for little endian, and big endian was traditionally ELFv1 +but there are practical configurations that use ELFv2 with big +endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.) + +Reviewed-by: Paul Dale +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/8883) + +diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl +--- a/crypto/perlasm/ppc-xlate.pl ++++ b/crypto/perlasm/ppc-xlate.pl +@@ -49,7 +49,7 @@ my $globl = sub { + /osx/ && do { $name = "_$name"; + last; + }; +- /linux.*(32|64le)/ ++ /linux.*(32|64(le|v2))/ + && do { $ret .= ".globl $name"; + if (!$$type) { + $ret .= "\n.type $name,\@function"; +@@ -80,7 +80,7 @@ my $globl = sub { + }; + my $text = sub { + my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text"; +- $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/); ++ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64(le|v2)/); + $ret; + }; + my $machine = sub { +@@ -186,7 +186,7 @@ my $vmr = sub { + + # Some ABIs specify vrsave, special-purpose register #256, as reserved + # for system use. +-my $no_vrsave = ($flavour =~ /aix|linux64le/); ++my $no_vrsave = ($flavour =~ /aix|linux64(le|v2)/); + my $mtspr = sub { + my ($f,$idx,$ra) = @_; + if ($idx == 256 && $no_vrsave) { +@@ -318,7 +318,7 @@ while($line=<>) { + if ($label) { + my $xlated = ($GLOBALS{$label} or $label); + print "$xlated:"; +- if ($flavour =~ /linux.*64le/) { ++ if ($flavour =~ /linux.*64(le|v2)/) { + if ($TYPES{$label} =~ /function/) { + printf "\n.localentry %s,0\n",$xlated; + } diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index 98944103b5..3125e37a94 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -1,4 +1,4 @@ -From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:29:21 -0300 Subject: Do not use host kernel version to disable AFALG @@ -9,10 +9,9 @@ version to disable building the AFALG engine on openwrt targets. Signed-off-by: Eneas U de Queiroz diff --git a/Configure b/Configure -index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) unless ($disabled{afalgeng}) { $config{afalgeng}=""; diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch index d0530b4661..9d5db6cfd1 100644 --- a/package/libs/openssl/patches/110-openwrt_targets.patch +++ b/package/libs/openssl/patches/110-openwrt_targets.patch @@ -1,4 +1,4 @@ -From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:30:24 -0300 Subject: Add openwrt targets @@ -9,10 +9,9 @@ Signed-off-by: Eneas U de Queiroz diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf new file mode 100644 -index 0000000000..86a86d31e4 --- /dev/null +++ b/Configurations/25-openwrt.conf -@@ -0,0 +1,48 @@ +@@ -0,0 +1,52 @@ +## Openwrt "CONFIG_ARCH" matching targets. + +# The targets need to end in '-openwrt' for the AFALG patch to work @@ -52,6 +51,10 @@ index 0000000000..86a86d31e4 + "linux-powerpc-openwrt" => { + inherit_from => [ "linux-ppc", "openwrt" ], + }, ++ "linux-powerpc64-openwrt" => { ++ inherit_from => [ "linux-ppc64", "openwrt" ], ++ perlasm_scheme => "linux64v2", ++ }, + "linux-x86_64-openwrt" => { + inherit_from => [ "linux-x86_64", "openwrt" ], + }, diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch index 7faec9ab88..20fe21f2ac 100644 --- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch +++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch @@ -1,4 +1,4 @@ -From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:31:38 -0300 Subject: Avoid exposing build directories @@ -9,7 +9,6 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a Signed-off-by: Eneas U de Queiroz diff --git a/crypto/build.info b/crypto/build.info -index 2c619c62e8..893128345a 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch index 7f33cb9dae..4707554d2d 100644 --- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch @@ -1,4 +1,4 @@ -From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:34:38 -0300 Subject: Do not build tests and fuzz directories @@ -8,7 +8,6 @@ This shortens build time. Signed-off-by: Eneas U de Queiroz diff --git a/Configure b/Configure -index 74d057c219..5813e9f8fe 100755 --- a/Configure +++ b/Configure @@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads automatically? true by default diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch index b293db28f7..b2418006a9 100644 --- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch +++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch @@ -1,4 +1,4 @@ -From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:44:39 -0300 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option @@ -15,7 +15,6 @@ when the client has it on top of its ciphersuite preference. Signed-off-by: Eneas U de Queiroz diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h -index 6724ccf2d2..96d959427e 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -173,9 +173,15 @@ extern "C" { @@ -38,7 +37,6 @@ index 6724ccf2d2..96d959427e 100644 # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ "TLS_AES_128_GCM_SHA256" diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index 27a1b2ec68..7039811323 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index 81d41963c6..8851116347 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -1,6 +1,17 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Sat, 27 Mar 2021 17:43:25 -0300 +Subject: openssl.cnf: add engine configuration + +This adds configuration options for engines, loading all cnf files under +/etc/ssl/engines.cnf.d/. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/apps/openssl.cnf b/apps/openssl.cnf --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,82 @@ oid_section = new_oids +@@ -22,6 +22,16 @@ oid_section = new_oids # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -10,75 +21,9 @@ +engines=engines + +[engines] -+# To enable an engine, install the package, and uncomment it here: -+#devcrypto=devcrypto -+#afalg=afalg -+#padlock=padlock ++.include /var/etc/ssl/engines.cnf + -+[afalg] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# The following commands are only available if using the alternative -+# (sync) AFALG engine -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a -+# comma-separated list of ciphers to enable [default=NO_ECB] -+# Starting in 1.2.0, if you use a cipher list, each cipher may be -+# followed by a colon (:) and the minimum request length to use -+# AF_ALG drivers for that cipher; smaller requests are processed by -+# softare; a negative value will use the default for that cipher -+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0 -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[devcrypto] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to -+# enable [default=ALL] -+# It is recommended to disable the ECB ciphers; in most cases, it will -+# only be used for PRNG, in small blocks, where performance is poor, -+# and there may be problems with apps forking with open crypto -+# contexts, leading to failures. The CBC ciphers work well: -+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[padlock] -+default_algorithms = ALL ++.include /etc/ssl/engines.cnf.d + [ new_oids ] diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch index 84c68b16a2..71c9fdd438 100644 --- a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch +++ b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch @@ -1,4 +1,4 @@ -From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Mon, 5 Nov 2018 15:54:17 -0200 Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT @@ -15,7 +15,6 @@ Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a727c6f646..a2c9a966f7 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -461,6 +461,7 @@ struct digest_ctx { diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch index ad83a51a10..83989a3625 100644 --- a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch +++ b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch @@ -1,4 +1,4 @@ -From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Tue, 6 Nov 2018 22:54:07 -0200 Subject: eng_devcrypto: add command to dump driver info @@ -12,7 +12,6 @@ Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index 5ec38ca8f3..64dc6b891d 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch index ea3f8fb8a7..da9b704501 100644 --- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch @@ -9,7 +9,6 @@ engines/e_devcrypto.c. Signed-off-by: Eneas U de Queiroz diff --git a/crypto/engine/build.info b/crypto/engine/build.info -index e00802a3fd..47fe948966 100644 --- a/crypto/engine/build.info +++ b/crypto/engine/build.info @@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ @@ -20,10 +19,9 @@ index e00802a3fd..47fe948966 100644 - SOURCE[../../libcrypto]=eng_devcrypto.c -ENDIF diff --git a/crypto/init.c b/crypto/init.c -index 1b0d523bea..ee3e2eb075 100644 --- a/crypto/init.c +++ b/crypto/init.c -@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) +@@ -328,18 +328,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) engine_load_openssl_int(); return 1; } @@ -42,7 +40,7 @@ index 1b0d523bea..ee3e2eb075 100644 # ifndef OPENSSL_NO_RDRAND static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT; -@@ -365,6 +353,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) +@@ -364,6 +352,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) return 1; } # ifndef OPENSSL_NO_STATIC_ENGINE @@ -61,7 +59,7 @@ index 1b0d523bea..ee3e2eb075 100644 # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock) -@@ -713,11 +713,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) +@@ -704,11 +704,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) if ((opts & OPENSSL_INIT_ENGINE_OPENSSL) && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl)) return 0; @@ -73,7 +71,7 @@ index 1b0d523bea..ee3e2eb075 100644 # ifndef OPENSSL_NO_RDRAND if ((opts & OPENSSL_INIT_ENGINE_RDRAND) && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) -@@ -727,6 +722,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) +@@ -718,6 +713,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) return 0; # ifndef OPENSSL_NO_STATIC_ENGINE @@ -86,7 +84,6 @@ index 1b0d523bea..ee3e2eb075 100644 if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) diff --git a/engines/build.info b/engines/build.info -index 1db771971c..33a25d7004 100644 --- a/engines/build.info +++ b/engines/build.info @@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}] @@ -116,7 +113,6 @@ diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c similarity index 95% rename from crypto/engine/eng_devcrypto.c rename to engines/e_devcrypto.c -index 2c1b52d572..eff1ed3a7d 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/engines/e_devcrypto.c @@ -7,7 +7,7 @@ diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch index 1f1cd7a582..fd4701307e 100644 --- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch +++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -20,7 +20,6 @@ turn them on if it is safe and fast enough. Signed-off-by: Eneas U de Queiroz diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index 3fcd81de7a..d25230d366 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -852,7 +852,7 @@ static void prepare_digest_methods(void) diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch index bc514b88c9..bf1c98b104 100644 --- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -9,7 +9,6 @@ session. It may have been closed by another process after a fork. Signed-off-by: Eneas U de Queiroz diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index d25230d366..f4570f1666 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, -- 2.25.1