diff options
4 files changed, 73 insertions, 5 deletions
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 153d14a446..90aaafd31f 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_VERSION:=3.0.8 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 diff --git a/package/libs/openssl/files/devcrypto.cnf b/package/libs/openssl/files/devcrypto.cnf index 549275600d..8afd9b1b00 100644 --- a/package/libs/openssl/files/devcrypto.cnf +++ b/package/libs/openssl/files/devcrypto.cnf @@ -17,8 +17,9 @@ default_algorithms = ALL # It is recommended to disable the ECB ciphers; in most cases, it will # only be used for PRNG, in small blocks, where performance is poor, # and there may be problems with apps forking with open crypto -# contexts, leading to failures. The CBC ciphers work well: -#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC +# contexts, leading to failures. The CBC ciphers work well. +CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \ + AES-128-CTR, AES-192-CTR, AES-256-CTR # DIGESTS: either ALL, NONE, or a comma-separated list of digests to # enable [default=NONE] @@ -26,6 +27,8 @@ default_algorithms = ALL # is poor, and there are many cases in which they will not work, # especially when calling fork with open crypto contexts. Openssh, # for example, does this, and you may not be able to login. -#DIGESTS = NONE - +# Sysupgrade will fail as well. If you're adventurous enough to change +# this, you should change it back to NONE, and reboot before running +# sysupgrade! +DIGESTS = NONE diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch new file mode 100644 index 0000000000..f183263858 --- /dev/null +++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Mon, 11 Mar 2019 09:29:13 -0300 +Subject: e_devcrypto: default to not use digests in engine + +Digests are almost always slower when using /dev/crypto because of the +cost of the context switches. Only for large blocks it is worth it. + +Also, when forking, the open context structures are duplicated, but the +internal kernel sessions are still shared between forks, which means an +update/close operation in one fork affects all processes using that +session. + +This affects digests, especially for HMAC, where the session with the +key hash is used as a source for subsequent operations. At least one +popular application does this across a fork. Disabling digests by +default will mitigate the problem, while still allowing the user to +turn them on if it is safe and fast enough. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -905,7 +905,7 @@ static void prepare_digest_methods(void) + for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); + i++) { + +- selected_digests[i] = 1; ++ selected_digests[i] = 0; + + /* + * Check that the digest is usable +@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c + #ifdef IMPLEMENT_DIGEST + {DEVCRYPTO_CMD_DIGESTS, + "DIGESTS", +- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", ++ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]", + ENGINE_CMD_FLAG_STRING}, + #endif + diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch new file mode 100644 index 0000000000..40b1dc78d3 --- /dev/null +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -0,0 +1,24 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Mon, 11 Mar 2019 10:15:14 -0300 +Subject: e_devcrypto: ignore error when closing session + +In cipher_init, ignore an eventual error when closing the previous +session. It may have been closed by another process after a fork. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c + int ret; + + /* cleanup a previous session */ +- if (cipher_ctx->sess.ses != 0 && +- clean_devcrypto_session(&cipher_ctx->sess) == 0) +- return 0; ++ if (cipher_ctx->sess.ses != 0) ++ clean_devcrypto_session(&cipher_ctx->sess); + + cipher_ctx->sess.cipher = cipher_d->devcryptoid; + cipher_ctx->sess.keylen = cipher_d->keylen; |