diff options
Diffstat (limited to 'package/libs/openssl/patches')
11 files changed, 20 insertions, 109 deletions
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index d8789f4b45..3125e37a94 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -1,4 +1,4 @@ -From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:29:21 -0300 Subject: Do not use host kernel version to disable AFALG @@ -9,7 +9,6 @@ version to disable building the AFALG engine on openwrt targets. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> diff --git a/Configure b/Configure -index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure @@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch index 828c14d21d..9d5db6cfd1 100644 --- a/package/libs/openssl/patches/110-openwrt_targets.patch +++ b/package/libs/openssl/patches/110-openwrt_targets.patch @@ -1,4 +1,4 @@ -From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:30:24 -0300 Subject: Add openwrt targets @@ -9,7 +9,6 @@ Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf new file mode 100644 -index 0000000000..86a86d31e4 --- /dev/null +++ b/Configurations/25-openwrt.conf @@ -0,0 +1,52 @@ diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch index 7faec9ab88..20fe21f2ac 100644 --- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch +++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch @@ -1,4 +1,4 @@ -From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:31:38 -0300 Subject: Avoid exposing build directories @@ -9,7 +9,6 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> diff --git a/crypto/build.info b/crypto/build.info -index 2c619c62e8..893128345a 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch index 7f33cb9dae..4707554d2d 100644 --- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch @@ -1,4 +1,4 @@ -From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:34:38 -0300 Subject: Do not build tests and fuzz directories @@ -8,7 +8,6 @@ This shortens build time. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> diff --git a/Configure b/Configure -index 74d057c219..5813e9f8fe 100755 --- a/Configure +++ b/Configure @@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads automatically? true by default diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch index b293db28f7..b2418006a9 100644 --- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch +++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch @@ -1,4 +1,4 @@ -From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:44:39 -0300 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option @@ -15,7 +15,6 @@ when the client has it on top of its ciphersuite preference. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h -index 6724ccf2d2..96d959427e 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -173,9 +173,15 @@ extern "C" { @@ -38,7 +37,6 @@ index 6724ccf2d2..96d959427e 100644 # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ "TLS_AES_128_GCM_SHA256" diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index 27a1b2ec68..7039811323 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index c90fce2442..387c3ce11e 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -1,6 +1,17 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cotequeiroz@gmail.com> +Date: Sat, 27 Mar 2021 17:43:25 -0300 +Subject: openssl.cnf: add engine configuration + +This adds configuration options for engines, loading all cnf files under +/etc/ssl/engines.d/. + +Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> + +diff --git a/apps/openssl.cnf b/apps/openssl.cnf --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,99 @@ oid_section = new_oids +@@ -22,6 +22,13 @@ oid_section = new_oids # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -9,93 +20,7 @@ +[openssl_conf] +engines=engines + -+[engines] -+# To enable an engine, install the package, and uncomment it here: -+#devcrypto=devcrypto -+#afalg=afalg -+#padlock=padlock -+##gost=gost -+ -+[afalg] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# The following commands are only available if using the alternative -+# (sync) AFALG engine -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a -+# comma-separated list of ciphers to enable [default=NO_ECB] -+# Starting in 1.2.0, if you use a cipher list, each cipher may be -+# followed by a colon (:) and the minimum request length to use -+# AF_ALG drivers for that cipher; smaller requests are processed by -+# softare; a negative value will use the default for that cipher -+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0 -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[devcrypto] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to -+# enable [default=ALL] -+# It is recommended to disable the ECB ciphers; in most cases, it will -+# only be used for PRNG, in small blocks, where performance is poor, -+# and there may be problems with apps forking with open crypto -+# contexts, leading to failures. The CBC ciphers work well: -+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[padlock] -+default_algorithms = ALL -+ -+[gost] -+default_algorithms = ALL -+# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the -+# user to choose between different parameter sets of symmetric cipher -+# algorithm. RFC 4357 specifies several parameters for the -+# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface -+# to choose one when encrypting. So use engine configuration parameter -+# instead. -+# Value of this parameter can be either short name, defined in OpenSSL -+# obj_dat.h header file or numeric representation of OID, defined in -+# RFC 4357. Defaults to id-tc26-gost-28147-param-Z -+#CRYPT_PARAMS = id-tc26-gost-28147-param-Z -+ -+# PBE_PARAMS: Shortname of default digest alg for PBE -+#PBE_PARAMS = ++.include /etc/ssl/engines.cnf.d + [ new_oids ] diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch index 84c68b16a2..71c9fdd438 100644 --- a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch +++ b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch @@ -1,4 +1,4 @@ -From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Mon, 5 Nov 2018 15:54:17 -0200 Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT @@ -15,7 +15,6 @@ Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7585) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a727c6f646..a2c9a966f7 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -461,6 +461,7 @@ struct digest_ctx { diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch index ad83a51a10..83989a3625 100644 --- a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch +++ b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch @@ -1,4 +1,4 @@ -From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Tue, 6 Nov 2018 22:54:07 -0200 Subject: eng_devcrypto: add command to dump driver info @@ -12,7 +12,6 @@ Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7585) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index 5ec38ca8f3..64dc6b891d 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch index ea3f8fb8a7..1298efe546 100644 --- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch @@ -9,7 +9,6 @@ engines/e_devcrypto.c. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> diff --git a/crypto/engine/build.info b/crypto/engine/build.info -index e00802a3fd..47fe948966 100644 --- a/crypto/engine/build.info +++ b/crypto/engine/build.info @@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ @@ -20,7 +19,6 @@ index e00802a3fd..47fe948966 100644 - SOURCE[../../libcrypto]=eng_devcrypto.c -ENDIF diff --git a/crypto/init.c b/crypto/init.c -index 1b0d523bea..ee3e2eb075 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) @@ -86,7 +84,6 @@ index 1b0d523bea..ee3e2eb075 100644 if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) diff --git a/engines/build.info b/engines/build.info -index 1db771971c..33a25d7004 100644 --- a/engines/build.info +++ b/engines/build.info @@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}] @@ -116,7 +113,6 @@ diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c similarity index 95% rename from crypto/engine/eng_devcrypto.c rename to engines/e_devcrypto.c -index 2c1b52d572..eff1ed3a7d 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/engines/e_devcrypto.c @@ -7,7 +7,7 @@ diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch index 1f1cd7a582..fd4701307e 100644 --- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch +++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -20,7 +20,6 @@ turn them on if it is safe and fast enough. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index 3fcd81de7a..d25230d366 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -852,7 +852,7 @@ static void prepare_digest_methods(void) diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch index bc514b88c9..bf1c98b104 100644 --- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -9,7 +9,6 @@ session. It may have been closed by another process after a fork. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index d25230d366..f4570f1666 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, |