-rw-r--r--package/libs/openssl/Config.in11
-rw-r--r--package/libs/openssl/Makefile5
-rw-r--r--package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch41
-rw-r--r--package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch24
4 files changed, 79 insertions, 2 deletions
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index 235f38e787..ecb9eea389 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -269,7 +269,13 @@ config OPENSSL_ENGINE_BUILTIN_AFALG
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through the
- AF_ALG kenrel interface.
+ AF_ALG kernel interface.
+
+config OPENSSL_ENGINE_CRYPTO
+ # This symbol is deprecated. Currently it is used by the openssh package.
+ # Once openwrt/packages#8272 is merged, this can be safely removed.
+ bool
+ default OPENSSL_ENGINE_BUILTIN_DEVCRYPTO || PACKAGE_libopenssl-devcrypto
config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
bool
@@ -279,6 +285,9 @@ config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
help
This enables use of hardware acceleration through OpenBSD
Cryptodev API (/dev/crypto) interface.
+ Even though configuration is not strictly needed, it is worth seeing
+ https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
+ for information on how to configure the engine.
config OPENSSL_ENGINE_BUILTIN_PADLOCK
bool
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index a9dd16f3e7..56e95af793 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=b
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
@@ -147,6 +147,7 @@ This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
endef
@@ -163,6 +164,7 @@ This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
endef
@@ -178,6 +180,7 @@ define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
To use it, you need to configure it in /etc/ssl/openssl.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
endef
diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
new file mode 100644
index 0000000000..bca198eb34
--- /dev/null
+++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
@@ -0,0 +1,41 @@
+From 5d3be6bc8ed7d73ab2c4d389fb0f0a03dacd04b1 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 09:29:13 -0300
+Subject: [PATCH] e_devcrypto: default to not use digests in engine
+
+Digests are almost always slower when using /dev/crypto because of the
+cost of the context switches. Only for large blocks it is worth it.
+
+Also, when forking, the open context structures are duplicated, but the
+internal kernel sessions are still shared between forks, which means an
+update/close operation in one fork affects all processes using that
+session.
+
+This affects digests, especially for HMAC, where the session with the
+key hash is used as a source for subsequent operations. At least one
+popular application does this across a fork. Disabling digests by
+default will mitigate the problem, while still allowing the user to
+turn them on if it is safe and fast enough.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -854,7 +854,7 @@ static void prepare_digest_methods(void)
+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+ i++) {
+
+- selected_digests[i] = 1;
++ selected_digests[i] = 0;
+
+ /*
+ * Check that the digest is usable
+@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
+ #ifdef IMPLEMENT_DIGEST
+ {DEVCRYPTO_CMD_DIGESTS,
+ "DIGESTS",
+- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
++ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
+ ENGINE_CMD_FLAG_STRING},
+ #endif
+
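Review bot: The new default `selected_digests[i] = 0` in prepare_digest_methods carries no in-code explanation, so a later reader will find the rationale only in this patch header; add a comment above the assignment such as `/* Digests are off by default: the per-operation context switch makes /dev/crypto slower than software for typical sizes, and kernel sessions are shared across fork(), so a digest/HMAC session updated or closed in one process affects the other. */`. The DIGESTS help string in the second hunk is updated consistently, but the mitigation only holds while the user keeps the default; a configuration that sets DIGESTS=ALL re-exposes the cross-fork session sharing the header describes, which may be worth stating in the same comment or in the Config.in help text. Both enclosing definitions continue outside the hunks.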
diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
new file mode 100644
index 0000000000..fb69599aeb
--- /dev/null
+++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
@@ -0,0 +1,24 @@
+From b6e6d157367bae91a8015434769572e430257d40 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 10:15:14 -0300
+Subject: [PATCH] e_devcrypto: ignore error when closing session
+
+In cipher_init, ignore an eventual error when closing the previous
+session. It may have been closed by another process after a fork.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -197,9 +197,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+ get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
+
+ /* cleanup a previous session */
+- if (cipher_ctx->sess.ses != 0 &&
+- clean_devcrypto_session(&cipher_ctx->sess) == 0)
+- return 0;
++ if (cipher_ctx->sess.ses != 0)
++ clean_devcrypto_session(&cipher_ctx->sess);
+
+ cipher_ctx->sess.cipher = cipher_d->devcryptoid;
+ cipher_ctx->sess.keylen = cipher_d->keylen;
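Review bot: The rewritten cleanup at the top of the hunk discards the return value of `clean_devcrypto_session` for every failure cause, not only the post-fork "already closed by another process" case that motivates the change, so a genuine failure to close a session in a single-process caller is no longer reported and the intent is invisible in the code; add a comment such as `/* Ignore a failure here: after fork() the kernel session is shared and may already have been closed by the other process. */`. If `clean_devcrypto_session` pushes an error onto the OpenSSL error queue when the close fails (its body is not in this hunk), that error now stays queued while cipher_init can still return success; bracketing the call with `ERR_set_mark()`/`ERR_pop_to_mark()` would keep the queue clean, so verify that helper's behaviour. cipher_init's body continues outside the hunk.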