diff options
Diffstat (limited to 'package/libs/openssl')
20 files changed, 356 insertions, 1514 deletions
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index bc2f0584b63..871080a4cbe 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -8,33 +8,33 @@ config OPENSSL_OPTIMIZE_SPEED prompt "Enable optimization for speed instead of size" select OPENSSL_WITH_ASM help - Enabling this option increases code size (around 20%) and - performance. The increase in performance and size depends on the - target CPU. EC and AES seem to benefit the most, with EC speed - increased by 20%-50% (mipsel & x86). - AES-GCM is supposed to be 3x faster on x86. YMMV. + Enabling this option increases code size and performance. + The increase in performance and size depends on the + target CPU. EC and AES seem to benefit the most. + +config OPENSSL_SMALL_FOOTPRINT + bool + depends on !OPENSSL_OPTIMIZE_SPEED + default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT + prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)" + help + This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only + 1-3% of of the ipk size. The performance drop depends on + architecture and algorithm. MIPS drops 13% of performance for + a 3% decrease in ipk size. On Aarch64, for a 1% reduction in + size, ghash and GCM performance decreases 90%, while + Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size + for 3% of performance. Other arches have not been tested. config OPENSSL_WITH_ASM bool - default y if !SMALL_FLASH || !arm + default y prompt "Compile with optimized assembly code" depends on !arc help Disabling this option will reduce code size and performance. The increase in performance and size depends on the target - CPU and on the algorithms being optimized. As of 1.1.0i*: - - Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase - aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 - arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 - i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% - mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% - mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 - powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 - x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% - - * Only most common algorithms shown. Your mileage may vary. - BN (bignum) performance was measured using RSA sign/verify. + CPU and on the algorithms being optimized. config OPENSSL_WITH_SSE2 bool @@ -42,21 +42,17 @@ config OPENSSL_WITH_SSE2 prompt "Enable use of x86 SSE2 instructions" depends on OPENSSL_WITH_ASM && i386 help - Use of SSE2 instructions greatly increase performance (up to - 3x faster) with a minimum (~0.2%, or 23KB) increase in package - size, but it will bring no benefit if your hardware does not - support them, such as Geode GX and LX. In this case you may - save 23KB by saying yes here. AMD Geode NX, and Intel - Pentium 4 and above support SSE2. + Use of SSE2 instructions greatly increase performance with a + minimum increase in package size, but it will bring no benefit + if your hardware does not support them, such as Geode GX and LX. + AMD Geode NX, and Intel Pentium 4 and above support SSE2. config OPENSSL_WITH_DEPRECATED bool default y - prompt "Include deprecated APIs (See help for a list of packages that need this)" + prompt "Include deprecated APIs" help - Since openssl 1.1.x is still new to openwrt, some packages - requiring this option do not list it as a requirement yet: - * freeswitch-stable, freeswitch, python, python3, squid. + This drops all deprecated API, including engine support. config OPENSSL_NO_DEPRECATED bool @@ -64,7 +60,7 @@ config OPENSSL_NO_DEPRECATED config OPENSSL_WITH_ERROR_MESSAGES bool - default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT + default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT) prompt "Include error messages" help This option aids debugging, but increases package size and @@ -84,7 +80,6 @@ config OPENSSL_WITH_TLS13 protocol; * to increase performance by reducing the number of round-trips when performing a full handshake. - It increases package size by ~4KB. config OPENSSL_WITH_DTLS bool @@ -172,16 +167,24 @@ config OPENSSL_WITH_CAMELLIA config OPENSSL_WITH_IDEA bool - prompt "Enable IDEA cipher support" + default y if !SMALL_FLASH + prompt "Enable IDEA cipher support (needs legacy provider)" help IDEA is a block cipher with 128-bit keys. + To use the cipher, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_SEED bool - prompt "Enable SEED cipher support" + default y if !SMALL_FLASH + prompt "Enable SEED cipher support (needs legacy provider)" help SEED is a block cipher with 128-bit keys broadly used in South Korea, but seldom found elsewhere. + To use the cipher, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_SM234 bool @@ -202,11 +205,21 @@ config OPENSSL_WITH_BLAKE2 config OPENSSL_WITH_MDC2 bool - prompt "Enable MDC2 digest support" + default y if !SMALL_FLASH + prompt "Enable MDC2 digest support (needs legacy provider)" + help + To use the digest, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_WHIRLPOOL bool - prompt "Enable Whirlpool digest support" + default y if !SMALL_FLASH + prompt "Enable Whirlpool digest support (needs legacy provider)" + help + To use the digest, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_COMPRESSION bool @@ -233,6 +246,7 @@ comment "Engine/Hardware Support" config OPENSSL_ENGINE bool "Enable engine support" + select OPENSSL_WITH_DEPRECATED default y help This enables alternative cryptography implementations, diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 11e5ecfccbc..3bb60bc5ed7 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -8,15 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl -PKG_BASE:=1.1.1 -PKG_BUGFIX:=k -PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) +PKG_VERSION:=3.0.13 PKG_RELEASE:=1 -PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 +PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto PKG_BUILD_PARALLEL:=1 +PKG_BASE:=$(subst $(space),.,$(wordlist 1,2,$(subst .,$(space),$(PKG_VERSION)))) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ http://www.openssl.org/source/ \ @@ -26,9 +24,9 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 +PKG_HASH:=88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313 -PKG_LICENSE:=OpenSSL +PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com> PKG_CPE_ID:=cpe:/a:openssl:openssl @@ -41,6 +39,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_NO_DEPRECATED \ CONFIG_OPENSSL_OPTIMIZE_SPEED \ CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \ + CONFIG_OPENSSL_SMALL_FOOTPRINT \ CONFIG_OPENSSL_WITH_ARIA \ CONFIG_OPENSSL_WITH_ASM \ CONFIG_OPENSSL_WITH_ASYNC \ @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/openssl-module.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -95,9 +95,10 @@ $(call Package/openssl/Default) DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \ +OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \ +OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \ - +OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock + +OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock \ + +(arm||armeb||mips||mipsel||powerpc||arc):libatomic TITLE+= (libraries) - ABI_VERSION:=1.1 + ABI_VERSION:=$(firstword $(subst .,$(space),$(PKG_VERSION))) MENU:=1 endef @@ -128,6 +129,8 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf) +$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description @@ -135,57 +138,87 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +ifneq ($(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK)$(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),) +define Package/libopenssl-conf/postinst +#!/bin/sh + +add_engine_config() { + if [ -z "$${IPKG_INSTROOT}" ] && uci -q get "openssl.$$1" >/dev/null; then + [ "$$(uci -q get "openssl.$$1.builtin")" = 1 ] && return + uci set "openssl.$$1.builtin=1" && uci commit openssl + return + fi +} + +$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),add_engine_config devcrypto) +$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock) +endef +endif + +$(eval $(call Package/openssl/add-provider,legacy)) +define Package/libopenssl-legacy + $(call Package/openssl/Default) + $(call Package/openssl/module/Default) + TITLE:=OpenSSL legacy provider +endef + +define Package/libopenssl-legacy/description +The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that +have been deemed legacy. Such algorithms have commonly fallen out of use, have +been deemed insecure by the cryptography community, or something similar. See +https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html +endef + +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ + @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ + @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" endef -OPENSSL_OPTIONS:= shared +OPENSSL_OPTIONS:= shared no-tests ifndef CONFIG_OPENSSL_WITH_BLAKE2 OPENSSL_OPTIONS += no-blake2 @@ -257,7 +290,9 @@ endif ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 -else +endif + +ifeq ($(CONFIG_OPENSSL_SMALL_FOOTPRINT),y) OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT endif @@ -271,7 +306,7 @@ ifdef CONFIG_OPENSSL_ENGINE OPENSSL_OPTIONS += enable-devcryptoeng endif ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK - OPENSSL_OPTIONS += no-hw-padlock + OPENSSL_OPTIONS += no-padlockeng endif else ifdef CONFIG_PACKAGE_libopenssl-devcrypto @@ -281,7 +316,7 @@ ifdef CONFIG_OPENSSL_ENGINE OPENSSL_OPTIONS += no-afalgeng endif ifndef CONFIG_PACKAGE_libopenssl-padlock - OPENSSL_OPTIONS += no-hw-padlock + OPENSSL_OPTIONS += no-padlockeng endif endif else @@ -331,6 +366,7 @@ define Build/Configure --libdir=lib \ --openssldir=/etc/ssl \ --cross-compile-prefix="$(TARGET_CROSS)" \ + $(TARGET_CFLAGS) \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) && \ @@ -338,8 +374,7 @@ define Build/Configure ) endef -TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections -TARGET_LDFLAGS += -Wl,--gc-sections +TARGET_CFLAGS += $(FPIC) define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ @@ -376,8 +411,17 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl + touch $(1)/etc/config/openssl + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), + $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/ + echo -e "config engine 'devcrypto'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl) + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), + $(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/ + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl) endef define Package/openssl-util/install @@ -385,24 +429,10 @@ define Package/openssl-util/install $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef -define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) -endef - -define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) -endef - -define Package/libopenssl-padlock/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) -endef - $(eval $(call BuildPackage,libopenssl)) $(eval $(call BuildPackage,libopenssl-conf)) $(eval $(call BuildPackage,libopenssl-afalg)) $(eval $(call BuildPackage,libopenssl-devcrypto)) +$(eval $(call BuildPackage,libopenssl-legacy)) $(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/libs/openssl/files/afalg.cnf b/package/libs/openssl/files/afalg.cnf new file mode 100644 index 00000000000..fd206361bf3 --- /dev/null +++ b/package/libs/openssl/files/afalg.cnf @@ -0,0 +1,3 @@ +[afalg_sect] +default_algorithms = ALL + diff --git a/package/libs/openssl/files/devcrypto.cnf b/package/libs/openssl/files/devcrypto.cnf new file mode 100644 index 00000000000..91d0eee17fa --- /dev/null +++ b/package/libs/openssl/files/devcrypto.cnf @@ -0,0 +1,34 @@ +[devcrypto_sect] +# Leave this alone and configure algorithms with CIPERS/DIGESTS below +default_algorithms = ALL + +# Configuration commands: +# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a +# list of supported algorithms, along with their driver, whether they +# are hw accelerated or not, and the engine's configuration commands. + +# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) +# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use +# if acceleration can't be determined) [default=2] +#USE_SOFTDRIVERS = 2 + +# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to +# enable [default=ALL] +# It is recommended to disable the ECB ciphers; in most cases, it will +# only be used for PRNG, in small blocks, where performance is poor, +# and there may be problems with apps forking with open crypto +# contexts, leading to failures. The CBC ciphers work well. +CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \ + AES-128-CTR, AES-192-CTR, AES-256-CTR + +# DIGESTS: either ALL, NONE, or a comma-separated list of digests to +# enable [default=NONE] +# It is strongly recommended not to enable digests; their performance +# is poor, and there are many cases in which they will not work, +# especially when calling fork with open crypto contexts. Openssh, +# for example, does this, and you may not be able to login. +# Sysupgrade will fail as well. If you're adventurous enough to change +# this, you should change it back to NONE, and reboot before running +# sysupgrade! +DIGESTS = NONE + diff --git a/package/libs/openssl/files/legacy.cnf b/package/libs/openssl/files/legacy.cnf new file mode 100644 index 00000000000..4c20617444b --- /dev/null +++ b/package/libs/openssl/files/legacy.cnf @@ -0,0 +1,3 @@ +[legacy_sect] +activate = 1 + diff --git a/package/libs/openssl/files/openssl.init b/package/libs/openssl/files/openssl.init new file mode 100755 index 00000000000..1c1e8745ffe --- /dev/null +++ b/package/libs/openssl/files/openssl.init @@ -0,0 +1,72 @@ +#!/bin/sh /etc/rc.common + +START=13 +ENGINES_CNF=/var/etc/ssl/engines.cnf +ENGINES_DIR=%ENGINES_DIR% +MODULES_DIR=/usr/lib/ossl-modules +PROVIDERS_CNF=/var/etc/ssl/providers.cnf + +#1: cnf file +write_cnf_header() { + mkdir -p "$(dirname "$1")" && \ + echo "# This file is automatically generated from /etc/config/openssl." >"$1" || { + echo "Error writing to $1." + return 1 + } +} + + +#1: module name +#2: output cnf file +#3: module.so +enable_module() { + local builtin enabled force + + config_get_bool builtin "$1" builtin 0 + config_get_bool enabled "$1" enabled 1 + config_get_bool force "$1" force 0 + + if [ "$enabled" = 0 ]; then + [ "$builtin" = 0 ] && return 1 + echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." + echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl." + elif [ "$force" = 1 ]; then + printf "[Forced] " + elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then + echo "$1: Could not find section [$1] in config files." + return 1 + elif [ "$builtin" = 1 ]; then + printf "[Builtin] " + elif [ ! -f "$3" ];then + echo "Skipping $1: $3 not found." + return 1 + fi + echo "Enabling $1" + echo "$1=$1_sect" >>"$2" +} + +config_engine() { + enable_module "$1" "$ENGINES_CNF" \ + "${ENGINES_DIR}/${1}.so" +} + +config_provider() { + enable_module "$1" "$PROVIDERS_CNF" \ + "${MODULES_DIR}/${1}.so" +} + +start() { + local ret=0 + + config_load openssl + + echo Generating engines.cnf + write_cnf_header "${ENGINES_CNF}" && \ + config_foreach config_engine engine || ret=$? + + echo Generating providers.cnf + write_cnf_header "${PROVIDERS_CNF}" && \ + config_foreach config_provider provider || ret=$? + + return $ret +} diff --git a/package/libs/openssl/files/padlock.cnf b/package/libs/openssl/files/padlock.cnf new file mode 100644 index 00000000000..f4085d907b4 --- /dev/null +++ b/package/libs/openssl/files/padlock.cnf @@ -0,0 +1,3 @@ +[padlock_sect] +default_algorithms = ALL + diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index 98944103b54..e9cd7bf9c1a 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -1,4 +1,4 @@ -From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:29:21 -0300 Subject: Do not use host kernel version to disable AFALG @@ -8,11 +8,9 @@ version to disable building the AFALG engine on openwrt targets. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> -diff --git a/Configure b/Configure -index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1677,7 +1677,9 @@ $config{CFLAGS} = [ map { $_ eq '--ossl- unless ($disabled{afalgeng}) { $config{afalgeng}=""; diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch index d0530b4661f..a97c603fa7c 100644 --- a/package/libs/openssl/patches/110-openwrt_targets.patch +++ b/package/libs/openssl/patches/110-openwrt_targets.patch @@ -1,4 +1,4 @@ -From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:30:24 -0300 Subject: Add openwrt targets @@ -7,12 +7,9 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> -diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf -new file mode 100644 -index 0000000000..86a86d31e4 --- /dev/null +++ b/Configurations/25-openwrt.conf -@@ -0,0 +1,48 @@ +@@ -0,0 +1,56 @@ +## Openwrt "CONFIG_ARCH" matching targets. + +# The targets need to end in '-openwrt' for the AFALG patch to work @@ -26,7 +23,7 @@ index 0000000000..86a86d31e4 + inherit_from => [ "linux-aarch64", "openwrt" ], + }, + "linux-arc-openwrt" => { -+ inherit_from => [ "linux-generic32", "openwrt" ], ++ inherit_from => [ "linux-latomic", "openwrt" ], + }, + "linux-arm-openwrt" => { + inherit_from => [ "linux-armv4", "openwrt" ], @@ -52,6 +49,14 @@ index 0000000000..86a86d31e4 + "linux-powerpc-openwrt" => { + inherit_from => [ "linux-ppc", "openwrt" ], + }, ++ "linux-powerpc64-openwrt" => { ++ inherit_from => [ "linux-ppc64", "openwrt" ], ++ perlasm_scheme => "linux64v2", ++ }, ++ "linux-riscv64-openwrt" => { ++ inherit_from => [ "linux-generic64", "openwrt" ], ++ perlasm_scheme => "linux64", ++ }, + "linux-x86_64-openwrt" => { + inherit_from => [ "linux-x86_64", "openwrt" ], + }, diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch index 7faec9ab887..ebdb940b426 100644 --- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch +++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch @@ -1,4 +1,4 @@ -From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:31:38 -0300 Subject: Avoid exposing build directories @@ -8,16 +8,14 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> -diff --git a/crypto/build.info b/crypto/build.info -index 2c619c62e8..893128345a 100644 --- a/crypto/build.info +++ b/crypto/build.info -@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ - ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl +@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF + DEPEND[info.o]=buildinf.h DEPEND[cversion.o]=buildinf.h -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" +GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)" - DEPEND[buildinf.h]=../configdata.pm - GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) + GENERATE[uplink-x86.S]=../ms/uplink-x86.pl + GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl diff --git a/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch b/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch new file mode 100644 index 00000000000..60c46639239 --- /dev/null +++ b/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch @@ -0,0 +1,20 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cote2004-github@yahoo.com> +Date: Thu, 27 Sep 2018 08:34:38 -0300 +Subject: Do not build tests and fuzz directories + +This shortens build time. + +Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> + +--- a/build.info ++++ b/build.info +@@ -1,7 +1,7 @@ + # Note that some of these directories are filtered in Configure. Look for + # %skipdir there for further explanations. + +-SUBDIRS=crypto ssl apps util tools fuzz providers doc ++SUBDIRS=crypto ssl apps util tools providers + IF[{- !$disabled{tests} -}] + SUBDIRS=test + ENDIF diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch deleted file mode 100644 index 7f33cb9daea..00000000000 --- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +++ /dev/null @@ -1,31 +0,0 @@ -From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Thu, 27 Sep 2018 08:34:38 -0300 -Subject: Do not build tests and fuzz directories - -This shortens build time. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -diff --git a/Configure b/Configure -index 74d057c219..5813e9f8fe 100755 ---- a/Configure -+++ b/Configure -@@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads automatically? true by default - my $default_ranlib; - - # Top level directories to build --$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ]; -+$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ]; - # crypto/ subdirectories to build - $config{sdirs} = [ - "objects", -@@ -330,7 +330,7 @@ $config{sdirs} = [ - "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" - ]; - # test/ subdirectories to build --$config{tdirs} = [ "ossl_shim" ]; -+$config{tdirs} = []; - - # Known TLS and DTLS protocols - my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3); diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch index b293db28f7e..fb7bc843617 100644 --- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch +++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch @@ -1,4 +1,4 @@ -From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz <cote2004-github@yahoo.com> Date: Thu, 27 Sep 2018 08:44:39 -0300 Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option @@ -14,34 +14,9 @@ when the client has it on top of its ciphersuite preference. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> -diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h -index 6724ccf2d2..96d959427e 100644 ---- a/include/openssl/ssl.h -+++ b/include/openssl/ssl.h -@@ -173,9 +173,15 @@ extern "C" { - # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" - /* This is the default set of TLSv1.3 ciphersuites */ - # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) --# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -- "TLS_CHACHA20_POLY1305_SHA256:" \ -- "TLS_AES_128_GCM_SHA256" -+# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM -+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ -+ "TLS_AES_256_GCM_SHA384:" \ -+ "TLS_AES_128_GCM_SHA256" -+# else -+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -+ "TLS_CHACHA20_POLY1305_SHA256:" \ -+ "TLS_AES_128_GCM_SHA256" -+# endif - # else - # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - "TLS_AES_128_GCM_SHA256" -diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index 27a1b2ec68..7039811323 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1506,11 +1506,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); @@ -71,7 +46,7 @@ index 27a1b2ec68..7039811323 100644 /* * ...and generally, our preferred cipher is AES. -@@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1565,7 +1583,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * Within each group, ciphers remain sorted by strength and previous * preference, i.e., * 1) ECDHE > DHE @@ -80,3 +55,38 @@ index 27a1b2ec68..7039811323 100644 * 3) AES > rest * 4) TLS 1.2 > legacy * +@@ -2236,7 +2254,13 @@ const char *OSSL_default_cipher_list(voi + */ + const char *OSSL_default_ciphersuites(void) + { ++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM ++ return "TLS_CHACHA20_POLY1305_SHA256:" ++ "TLS_AES_256_GCM_SHA384:" ++ "TLS_AES_128_GCM_SHA256"; ++#else + return "TLS_AES_256_GCM_SHA384:" + "TLS_CHACHA20_POLY1305_SHA256:" + "TLS_AES_128_GCM_SHA256"; ++#endif + } +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -195,9 +195,15 @@ extern "C" { + * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites() + * Update both macro and function simultaneously + */ +-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ +- "TLS_CHACHA20_POLY1305_SHA256:" \ +- "TLS_AES_128_GCM_SHA256" ++# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM ++# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ ++ "TLS_AES_256_GCM_SHA384:" \ ++ "TLS_AES_128_GCM_SHA256" ++# else ++# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ ++ "TLS_CHACHA20_POLY1305_SHA256:" \ ++ "TLS_AES_128_GCM_SHA256" ++# endif + # endif + /* + * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index c90fce24427..9fe9cdf590c 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -1,102 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz <cotequeiroz@gmail.com> +Date: Sat, 27 Mar 2021 17:43:25 -0300 +Subject: openssl.cnf: add engine configuration + +This adds configuration options for engines, loading all cnf files under +/etc/ssl/engines.cnf.d/. + +Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> + --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,99 @@ oid_section = new_oids - # (Alternatively, use a configuration file that has only - # X.509v3 extensions in its main [= default] section.) +@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7 -+openssl_conf=openssl_conf -+ -+[openssl_conf] -+engines=engines -+ -+[engines] -+# To enable an engine, install the package, and uncomment it here: -+#devcrypto=devcrypto -+#afalg=afalg -+#padlock=padlock -+##gost=gost -+ -+[afalg] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# The following commands are only available if using the alternative -+# (sync) AFALG engine -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a -+# comma-separated list of ciphers to enable [default=NO_ECB] -+# Starting in 1.2.0, if you use a cipher list, each cipher may be -+# followed by a colon (:) and the minimum request length to use -+# AF_ALG drivers for that cipher; smaller requests are processed by -+# softare; a negative value will use the default for that cipher -+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0 -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[devcrypto] -+# Leave this alone and configure algorithms with CIPERS/DIGESTS below -+default_algorithms = ALL -+ -+# Configuration commands: -+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a -+# list of supported algorithms, along with their driver, whether they -+# are hw accelerated or not, and the engine's configuration commands. -+ -+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) -+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use -+# if acceleration can't be determined) [default=2] -+#USE_SOFTDRIVERS = 2 -+ -+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to -+# enable [default=ALL] -+# It is recommended to disable the ECB ciphers; in most cases, it will -+# only be used for PRNG, in small blocks, where performance is poor, -+# and there may be problems with apps forking with open crypto -+# contexts, leading to failures. The CBC ciphers work well: -+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC -+ -+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to -+# enable [default=NONE] -+# It is strongly recommended not to enable digests; their performance -+# is poor, and there are many cases in which they will not work, -+# especially when calling fork with open crypto contexts. Openssh, -+# for example, does this, and you may not be able to login. -+#DIGESTS = NONE -+ -+[padlock] -+default_algorithms = ALL -+ -+[gost] -+default_algorithms = ALL -+# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the -+# user to choose between different parameter sets of symmetric cipher -+# algorithm. RFC 4357 specifies several parameters for the -+# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface -+# to choose one when encrypting. So use engine configuration parameter -+# instead. -+# Value of this parameter can be either short name, defined in OpenSSL -+# obj_dat.h header file or numeric representation of OID, defined in -+# RFC 4357. Defaults to id-tc26-gost-28147-param-Z -+#CRYPT_PARAMS = id-tc26-gost-28147-param-Z -+ -+# PBE_PARAMS: Shortname of default digest alg for PBE -+#PBE_PARAMS = + [openssl_init] + providers = provider_sect ++engines = engines_sect + + # List of providers to load + [provider_sect] + default = default_sect ++.include /var/etc/ssl/providers.cnf ++ + # The fips section name should match the section name inside the + # included fipsmodule.cnf. + # fips = fips_sect +@@ -69,7 +72,13 @@ default = default_sect + # OpenSSL may not work correctly which could lead to significant system + # problems including inability to remotely access the system. + [default_sect] +-# activate = 1 ++activate = 1 ++ ++[engines_sect] ++.include /var/etc/ssl/engines.cnf ++ ++.include /etc/ssl/modules.cnf.d + - [ new_oids ] - # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. + + #################################################################### diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch deleted file mode 100644 index 84c68b16a29..00000000000 --- a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch +++ /dev/null @@ -1,60 +0,0 @@ -From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Mon, 5 Nov 2018 15:54:17 -0200 -Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT - -Since each ioctl causes a context switch, slowing things down, if -EVP_MD_CTX_FLAG_ONESHOT is set, then: - - call the ioctl in digest_update, saving the result; and - - just copy the result in digest_final, instead of using another ioctl. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a727c6f646..a2c9a966f7 100644 ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -461,6 +461,7 @@ struct digest_ctx { - struct session_op sess; - /* This signals that the init function was called, not that it succeeded. */ - int init_called; -+ unsigned char digest_res[HASH_MAX_LEN]; - }; - - static const struct digest_data_st { -@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) - if (digest_ctx == NULL) - return 0; - -- if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { -+ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0) -+ return 1; -+ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) { -+ return 1; - } - -- return 1; -+ SYSerr(SYS_F_IOCTL, errno); -+ return 0; - } - - static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) -@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) - - if (md == NULL || digest_ctx == NULL) - return 0; -- if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { -+ -+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { -+ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx)); -+ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { - SYSerr(SYS_F_IOCTL, errno); - return 0; - } diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch deleted file mode 100644 index 8745364cf28..00000000000 --- a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch +++ /dev/null @@ -1,569 +0,0 @@ -From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Sat, 3 Nov 2018 15:41:10 -0300 -Subject: eng_devcrypto: add configuration options - -USE_SOFTDRIVERS: whether to use software (not accelerated) drivers -CIPHERS: list of ciphers to enable -DIGESTS: list of digests to enable - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a2c9a966f7..5ec38ca8f3 100644 ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -16,6 +16,7 @@ - #include <unistd.h> - #include <assert.h> - -+#include <openssl/conf.h> - #include <openssl/evp.h> - #include <openssl/err.h> - #include <openssl/engine.h> -@@ -36,6 +37,30 @@ - * saner... why re-open /dev/crypto for every session? - */ - static int cfd; -+#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ -+#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ -+#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ -+ -+#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE -+static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; -+ -+/* -+ * cipher/digest status & acceleration definitions -+ * Make sure the defaults are set to 0 -+ */ -+struct driver_info_st { -+ enum devcrypto_status_t { -+ DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ -+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ -+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ -+ } status; -+ -+ enum devcrypto_accelerated_t { -+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ -+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ -+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ -+ } accelerated; -+}; - - static int clean_devcrypto_session(struct session_op *sess) { - if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { -@@ -119,13 +144,22 @@ static const struct cipher_data_st { - #endif - }; - --static size_t get_cipher_data_index(int nid) -+static size_t find_cipher_data_index(int nid) - { - size_t i; - - for (i = 0; i < OSSL_NELEM(cipher_data); i++) - if (nid == cipher_data[i].nid) - return i; -+ return (size_t)-1; -+} -+ -+static size_t get_cipher_data_index(int nid) -+{ -+ size_t i = find_cipher_data_index(nid); -+ -+ if (i != (size_t)-1) -+ return i; - - /* - * Code further down must make sure that only NIDs in the table above -@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) - } - - /* -- * Keep a table of known nids and associated methods. -+ * Keep tables of known nids, associated methods, selected ciphers, and driver -+ * info. - * Note that known_cipher_nids[] isn't necessarily indexed the same way as -- * cipher_data[] above, which known_cipher_methods[] is. -+ * cipher_data[] above, which the other tables are. - */ - static int known_cipher_nids[OSSL_NELEM(cipher_data)]; - static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ - static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; -+static int selected_ciphers[OSSL_NELEM(cipher_data)]; -+static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)]; -+ -+ -+static int devcrypto_test_cipher(size_t cipher_data_index) -+{ -+ return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE -+ && selected_ciphers[cipher_data_index] == 1 -+ && (cipher_driver_info[cipher_data_index].accelerated -+ == DEVCRYPTO_ACCELERATED -+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE -+ || (cipher_driver_info[cipher_data_index].accelerated -+ != DEVCRYPTO_NOT_ACCELERATED -+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); -+} - - static void prepare_cipher_methods(void) - { - size_t i; - struct session_op sess; - unsigned long cipher_mode; -+#ifdef CIOCGSESSINFO -+ struct session_info_op siop; -+#endif -+ -+ memset(&cipher_driver_info, 0, sizeof(cipher_driver_info)); - - memset(&sess, 0, sizeof(sess)); - sess.key = (void *)"01234567890123456789012345678901234567890123456789"; -@@ -353,15 +408,16 @@ static void prepare_cipher_methods(void) - for (i = 0, known_cipher_nids_amount = 0; - i < OSSL_NELEM(cipher_data); i++) { - -+ selected_ciphers[i] = 1; - /* -- * Check that the algo is really availably by trying to open and close -- * a session. -+ * Check that the cipher is usable - */ - sess.cipher = cipher_data[i].devcryptoid; - sess.keylen = cipher_data[i].keylen; -- if (ioctl(cfd, CIOCGSESSION, &sess) < 0 -- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) -+ if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; - continue; -+ } - - cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; - -@@ -387,15 +443,41 @@ static void prepare_cipher_methods(void) - cipher_cleanup) - || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], - sizeof(struct cipher_ctx))) { -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; - EVP_CIPHER_meth_free(known_cipher_methods[i]); - known_cipher_methods[i] = NULL; - } else { -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; -+#ifdef CIOCGSESSINFO -+ siop.ses = sess.ses; -+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) -+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -+ else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) -+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ else -+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+#endif /* CIOCGSESSINFO */ -+ } -+ ioctl(cfd, CIOCFSESSION, &sess.ses); -+ if (devcrypto_test_cipher(i)) { - known_cipher_nids[known_cipher_nids_amount++] = - cipher_data[i].nid; - } - } - } - -+static void rebuild_known_cipher_nids(ENGINE *e) -+{ -+ size_t i; -+ -+ for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) { -+ if (devcrypto_test_cipher(i)) -+ known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid; -+ } -+ ENGINE_unregister_ciphers(e); -+ ENGINE_register_ciphers(e); -+} -+ - static const EVP_CIPHER *get_cipher_method(int nid) - { - size_t i = get_cipher_data_index(nid); -@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - return *cipher != NULL; - } - -+static void devcrypto_select_all_ciphers(int *cipher_list) -+{ -+ size_t i; -+ -+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) -+ cipher_list[i] = 1; -+} -+ -+static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) -+{ -+ int *cipher_list = (int *)usr; -+ char *name; -+ const EVP_CIPHER *EVP; -+ size_t i; -+ -+ if (len == 0) -+ return 1; -+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) -+ return 0; -+ EVP = EVP_get_cipherbyname(name); -+ if (EVP == NULL) -+ fprintf(stderr, "devcrypto: unknown cipher %s\n", name); -+ else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1) -+ cipher_list[i] = 1; -+ else -+ fprintf(stderr, "devcrypto: cipher %s not available\n", name); -+ OPENSSL_free(name); -+ return 1; -+} -+ - /* - * We only support digests if the cryptodev implementation supports multiple - * data updates and session copying. Otherwise, we would be forced to maintain -@@ -493,13 +605,22 @@ static const struct digest_data_st { - #endif - }; - --static size_t get_digest_data_index(int nid) -+static size_t find_digest_data_index(int nid) - { - size_t i; - - for (i = 0; i < OSSL_NELEM(digest_data); i++) - if (nid == digest_data[i].nid) - return i; -+ return (size_t)-1; -+} -+ -+static size_t get_digest_data_index(int nid) -+{ -+ size_t i = find_digest_data_index(nid); -+ -+ if (i != (size_t)-1) -+ return i; - - /* - * Code further down must make sure that only NIDs in the table above -@@ -516,8 +637,8 @@ static const struct digest_data_st *get_digest_data(int nid) - } - - /* -- * Following are the four necessary functions to map OpenSSL functionality -- * with cryptodev. -+ * Following are the five necessary functions to map OpenSSL functionality -+ * with cryptodev: init, update, final, cleanup, and copy. - */ - - static int digest_init(EVP_MD_CTX *ctx) -@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ctx) - return clean_devcrypto_session(&digest_ctx->sess); - } - --static int devcrypto_test_digest(size_t digest_data_index) --{ -- struct session_op sess1, sess2; -- struct cphash_op cphash; -- int ret=0; -- -- memset(&sess1, 0, sizeof(sess1)); -- memset(&sess2, 0, sizeof(sess2)); -- sess1.mac = digest_data[digest_data_index].devcryptoid; -- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) -- return 0; -- /* Make sure the driver is capable of hash state copy */ -- sess2.mac = sess1.mac; -- if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) { -- cphash.src_ses = sess1.ses; -- cphash.dst_ses = sess2.ses; -- if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0) -- ret = 1; -- ioctl(cfd, CIOCFSESSION, &sess2.ses); -- } -- ioctl(cfd, CIOCFSESSION, &sess1.ses); -- return ret; --} -- - /* -- * Keep a table of known nids and associated methods. -+ * Keep tables of known nids, associated methods, selected digests, and -+ * driver info. - * Note that known_digest_nids[] isn't necessarily indexed the same way as -- * digest_data[] above, which known_digest_methods[] is. -+ * digest_data[] above, which the other tables are. - */ - static int known_digest_nids[OSSL_NELEM(digest_data)]; - static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ - static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; -+static int selected_digests[OSSL_NELEM(digest_data)]; -+static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)]; -+ -+static int devcrypto_test_digest(size_t digest_data_index) -+{ -+ return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE -+ && selected_digests[digest_data_index] == 1 -+ && (digest_driver_info[digest_data_index].accelerated -+ == DEVCRYPTO_ACCELERATED -+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE -+ || (digest_driver_info[digest_data_index].accelerated -+ != DEVCRYPTO_NOT_ACCELERATED -+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); -+} -+ -+static void rebuild_known_digest_nids(ENGINE *e) -+{ -+ size_t i; -+ -+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { -+ if (devcrypto_test_digest(i)) -+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; -+ } -+ ENGINE_unregister_digests(e); -+ ENGINE_register_digests(e); -+} - - static void prepare_digest_methods(void) - { - size_t i; -+ struct session_op sess1, sess2; -+#ifdef CIOCGSESSINFO -+ struct session_info_op siop; -+#endif -+ struct cphash_op cphash; -+ -+ memset(&digest_driver_info, 0, sizeof(digest_driver_info)); -+ -+ memset(&sess1, 0, sizeof(sess1)); -+ memset(&sess2, 0, sizeof(sess2)); - - for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); - i++) { - -+ selected_digests[i] = 1; -+ - /* -- * Check that the algo is usable -+ * Check that the digest is usable - */ -- if (!devcrypto_test_digest(i)) -- continue; -+ sess1.mac = digest_data[i].devcryptoid; -+ sess2.ses = 0; -+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ goto finish; -+ } - -+#ifdef CIOCGSESSINFO -+ /* gather hardware acceleration info from the driver */ -+ siop.ses = sess1.ses; -+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) -+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -+ else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) -+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ else -+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+#endif -+ -+ /* digest must be capable of hash state copy */ -+ sess2.mac = sess1.mac; -+ if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ goto finish; -+ } -+ cphash.src_ses = sess1.ses; -+ cphash.dst_ses = sess2.ses; -+ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ goto finish; -+ } - if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, - NID_undef)) == NULL - || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i], -@@ -689,11 +852,18 @@ static void prepare_digest_methods(void) - || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) - || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], - sizeof(struct digest_ctx))) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; - EVP_MD_meth_free(known_digest_methods[i]); - known_digest_methods[i] = NULL; -- } else { -- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; -+ goto finish; - } -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; -+finish: -+ ioctl(cfd, CIOCFSESSION, &sess1.ses); -+ if (sess2.ses != 0) -+ ioctl(cfd, CIOCFSESSION, &sess2.ses); -+ if (devcrypto_test_digest(i)) -+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; - } - } - -@@ -739,8 +909,154 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, - return *digest != NULL; - } - -+static void devcrypto_select_all_digests(int *digest_list) -+{ -+ size_t i; -+ -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) -+ digest_list[i] = 1; -+} -+ -+static int cryptodev_select_digest_cb(const char *str, int len, void *usr) -+{ -+ int *digest_list = (int *)usr; -+ char *name; -+ const EVP_MD *EVP; -+ size_t i; -+ -+ if (len == 0) -+ return 1; -+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) -+ return 0; -+ EVP = EVP_get_digestbyname(name); -+ if (EVP == NULL) -+ fprintf(stderr, "devcrypto: unknown digest %s\n", name); -+ else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1) -+ digest_list[i] = 1; -+ else -+ fprintf(stderr, "devcrypto: digest %s not available\n", name); -+ OPENSSL_free(name); -+ return 1; -+} -+ -+#endif -+ -+/****************************************************************************** -+ * -+ * CONTROL COMMANDS -+ * -+ *****/ -+ -+#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE -+#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1) -+#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2) -+#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) -+ -+/* Helper macros for CPP string composition */ -+#ifndef OPENSSL_MSTR -+# define OPENSSL_MSTR_HELPER(x) #x -+# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x) -+#endif -+ -+static const ENGINE_CMD_DEFN devcrypto_cmds[] = { -+#ifdef CIOCGSESSINFO -+ {DEVCRYPTO_CMD_USE_SOFTDRIVERS, -+ "USE_SOFTDRIVERS", -+ "specifies whether to use software (not accelerated) drivers (" -+ OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, " -+ OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " -+ OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) -+ "=use if acceleration can't be determined) [default=" -+ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]", -+ ENGINE_CMD_FLAG_NUMERIC}, -+#endif -+ -+ {DEVCRYPTO_CMD_CIPHERS, -+ "CIPHERS", -+ "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]", -+ ENGINE_CMD_FLAG_STRING}, -+ -+#ifdef IMPLEMENT_DIGEST -+ {DEVCRYPTO_CMD_DIGESTS, -+ "DIGESTS", -+ "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", -+ ENGINE_CMD_FLAG_STRING}, - #endif - -+ {0, NULL, NULL, 0} -+}; -+ -+static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) -+{ -+ int *new_list; -+ switch (cmd) { -+#ifdef CIOCGSESSINFO -+ case DEVCRYPTO_CMD_USE_SOFTDRIVERS: -+ switch (i) { -+ case DEVCRYPTO_REQUIRE_ACCELERATED: -+ case DEVCRYPTO_USE_SOFTWARE: -+ case DEVCRYPTO_REJECT_SOFTWARE: -+ break; -+ default: -+ fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i); -+ return 0; -+ } -+ if (use_softdrivers == i) -+ return 1; -+ use_softdrivers = i; -+#ifdef IMPLEMENT_DIGEST -+ rebuild_known_digest_nids(e); -+#endif -+ rebuild_known_cipher_nids(e); -+ return 1; -+#endif /* CIOCGSESSINFO */ -+ -+ case DEVCRYPTO_CMD_CIPHERS: -+ if (p == NULL) -+ return 1; -+ if (strcasecmp((const char *)p, "ALL") == 0) { -+ devcrypto_select_all_ciphers(selected_ciphers); -+ } else if (strcasecmp((const char*)p, "NONE") == 0) { -+ memset(selected_ciphers, 0, sizeof(selected_ciphers)); -+ } else { -+ new_list=OPENSSL_zalloc(sizeof(selected_ciphers)); -+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) { -+ OPENSSL_free(new_list); -+ return 0; -+ } -+ memcpy(selected_ciphers, new_list, sizeof(selected_ciphers)); -+ OPENSSL_free(new_list); -+ } -+ rebuild_known_cipher_nids(e); -+ return 1; -+ -+#ifdef IMPLEMENT_DIGEST -+ case DEVCRYPTO_CMD_DIGESTS: -+ if (p == NULL) -+ return 1; -+ if (strcasecmp((const char *)p, "ALL") == 0) { -+ devcrypto_select_all_digests(selected_digests); -+ } else if (strcasecmp((const char*)p, "NONE") == 0) { -+ memset(selected_digests, 0, sizeof(selected_digests)); -+ } else { -+ new_list=OPENSSL_zalloc(sizeof(selected_digests)); -+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) { -+ OPENSSL_free(new_list); -+ return 0; -+ } -+ memcpy(selected_digests, new_list, sizeof(selected_digests)); -+ OPENSSL_free(new_list); -+ } -+ rebuild_known_digest_nids(e); -+ return 1; -+#endif /* IMPLEMENT_DIGEST */ -+ -+ default: -+ break; -+ } -+ return 0; -+} -+ - /****************************************************************************** - * - * LOAD / UNLOAD -@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int() - - if (!ENGINE_set_id(e, "devcrypto") - || !ENGINE_set_name(e, "/dev/crypto engine") -+ || !ENGINE_set_cmd_defns(e, devcrypto_cmds) -+ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) - - /* - * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch deleted file mode 100644 index ad83a51a106..00000000000 --- a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch +++ /dev/null @@ -1,275 +0,0 @@ -From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Tue, 6 Nov 2018 22:54:07 -0200 -Subject: eng_devcrypto: add command to dump driver info - -This is useful to determine the kernel driver running each algorithm. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index 5ec38ca8f3..64dc6b891d 100644 ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; - */ - struct driver_info_st { - enum devcrypto_status_t { -- DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ -- DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ -- DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ -+ DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */ -+ DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */ -+ DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */ -+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ -+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ - } status; - - enum devcrypto_accelerated_t { -- DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ -- DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ -- DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ -+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ -+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ -+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ - } accelerated; -+ -+ char *driver_name; - }; - - static int clean_devcrypto_session(struct session_op *sess) { -@@ -415,7 +419,7 @@ static void prepare_cipher_methods(void) - sess.cipher = cipher_data[i].devcryptoid; - sess.keylen = cipher_data[i].keylen; - if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { -- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; - continue; - } - -@@ -443,19 +447,24 @@ static void prepare_cipher_methods(void) - cipher_cleanup) - || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], - sizeof(struct cipher_ctx))) { -- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; - EVP_CIPHER_meth_free(known_cipher_methods[i]); - known_cipher_methods[i] = NULL; - } else { - cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; - #ifdef CIOCGSESSINFO - siop.ses = sess.ses; -- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) -+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { - cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -- else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) -- cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -- else -- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ } else { -+ cipher_driver_info[i].driver_name = -+ OPENSSL_strndup(siop.cipher_info.cra_driver_name, -+ CRYPTODEV_MAX_ALG_NAME); -+ if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) -+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ else -+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ } - #endif /* CIOCGSESSINFO */ - } - ioctl(cfd, CIOCFSESSION, &sess.ses); -@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(void) - { - size_t i; - -- for (i = 0; i < OSSL_NELEM(cipher_data); i++) -+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { - destroy_cipher_method(cipher_data[i].nid); -+ OPENSSL_free(cipher_driver_info[i].driver_name); -+ cipher_driver_info[i].driver_name = NULL; -+ } - } - - static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, -@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) - return 1; - } - -+static void dump_cipher_info(void) -+{ -+ size_t i; -+ const char *name; -+ -+ fprintf (stderr, "Information about ciphers supported by the /dev/crypto" -+ " engine:\n"); -+#ifndef CIOCGSESSINFO -+ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); -+#endif -+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { -+ name = OBJ_nid2sn(cipher_data[i].nid); -+ fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ", -+ name ? name : "unknown", cipher_data[i].nid, -+ cipher_data[i].devcryptoid); -+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) { -+ fprintf (stderr, "CIOCGSESSION (session open call) failed\n"); -+ continue; -+ } -+ fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ? -+ cipher_driver_info[i].driver_name : "unknown"); -+ if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) -+ fprintf(stderr, "(hw accelerated)"); -+ else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) -+ fprintf(stderr, "(software)"); -+ else -+ fprintf(stderr, "(acceleration status unknown)"); -+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) -+ fprintf (stderr, ". Cipher setup failed"); -+ fprintf(stderr, "\n"); -+ } -+ fprintf(stderr, "\n"); -+} -+ - /* - * We only support digests if the cryptodev implementation supports multiple - * data updates and session copying. Otherwise, we would be forced to maintain -@@ -812,31 +858,36 @@ static void prepare_digest_methods(void) - sess1.mac = digest_data[i].devcryptoid; - sess2.ses = 0; - if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; - goto finish; - } - - #ifdef CIOCGSESSINFO - /* gather hardware acceleration info from the driver */ - siop.ses = sess1.ses; -- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) -+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { - digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -- else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) -- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -- else -- digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ } else { -+ digest_driver_info[i].driver_name = -+ OPENSSL_strndup(siop.hash_info.cra_driver_name, -+ CRYPTODEV_MAX_ALG_NAME); -+ if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) -+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ else -+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ } - #endif - - /* digest must be capable of hash state copy */ - sess2.mac = sess1.mac; - if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; - goto finish; - } - cphash.src_ses = sess1.ses; - cphash.dst_ses = sess2.ses; - if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH; - goto finish; - } - if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, -@@ -852,7 +903,7 @@ static void prepare_digest_methods(void) - || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) - || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], - sizeof(struct digest_ctx))) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; - EVP_MD_meth_free(known_digest_methods[i]); - known_digest_methods[i] = NULL; - goto finish; -@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(void) - { - size_t i; - -- for (i = 0; i < OSSL_NELEM(digest_data); i++) -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) { - destroy_digest_method(digest_data[i].nid); -+ OPENSSL_free(digest_driver_info[i].driver_name); -+ digest_driver_info[i].driver_name = NULL; -+ } - } - - static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, -@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(const char *str, int len, void *usr) - return 1; - } - -+static void dump_digest_info(void) -+{ -+ size_t i; -+ const char *name; -+ -+ fprintf (stderr, "Information about digests supported by the /dev/crypto" -+ " engine:\n"); -+#ifndef CIOCGSESSINFO -+ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); -+#endif -+ -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) { -+ name = OBJ_nid2sn(digest_data[i].nid); -+ fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s", -+ name ? name : "unknown", digest_data[i].nid, -+ digest_data[i].devcryptoid, -+ digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown"); -+ if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) { -+ fprintf (stderr, ". CIOCGSESSION (session open) failed\n"); -+ continue; -+ } -+ if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) -+ fprintf(stderr, " (hw accelerated)"); -+ else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) -+ fprintf(stderr, " (software)"); -+ else -+ fprintf(stderr, " (acceleration status unknown)"); -+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) -+ fprintf (stderr, ". Cipher setup failed\n"); -+ else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH) -+ fprintf(stderr, ", CIOCCPHASH failed\n"); -+ else -+ fprintf(stderr, ", CIOCCPHASH capable\n"); -+ } -+ fprintf(stderr, "\n"); -+} -+ - #endif - - /****************************************************************************** -@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { - ENGINE_CMD_FLAG_STRING}, - #endif - -+ {DEVCRYPTO_CMD_DUMP_INFO, -+ "DUMP_INFO", -+ "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'", -+ ENGINE_CMD_FLAG_NO_INPUT}, -+ - {0, NULL, NULL, 0} - }; - -@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) - return 1; - #endif /* IMPLEMENT_DIGEST */ - -+ case DEVCRYPTO_CMD_DUMP_INFO: -+ dump_cipher_info(); -+#ifdef IMPLEMENT_DIGEST -+ dump_digest_info(); -+#endif -+ return 1; -+ - default: - break; - } diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch deleted file mode 100644 index ea3f8fb8a7f..00000000000 --- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +++ /dev/null @@ -1,348 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Tue, 6 Nov 2018 10:57:03 -0200 -Subject: e_devcrypto: make the /dev/crypto engine dynamic - -Engine has been moved from crypto/engine/eng_devcrypto.c to -engines/e_devcrypto.c. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -diff --git a/crypto/engine/build.info b/crypto/engine/build.info -index e00802a3fd..47fe948966 100644 ---- a/crypto/engine/build.info -+++ b/crypto/engine/build.info -@@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ - tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c tb_eckey.c \ - eng_openssl.c eng_cnf.c eng_dyn.c \ - eng_rdrand.c --IF[{- !$disabled{devcryptoeng} -}] -- SOURCE[../../libcrypto]=eng_devcrypto.c --ENDIF -diff --git a/crypto/init.c b/crypto/init.c -index 1b0d523bea..ee3e2eb075 100644 ---- a/crypto/init.c -+++ b/crypto/init.c -@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) - engine_load_openssl_int(); - return 1; - } --# ifndef OPENSSL_NO_DEVCRYPTOENG --static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; --DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) --{ --# ifdef OPENSSL_INIT_DEBUG -- fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " -- "engine_load_devcrypto_int()\n"); --# endif -- engine_load_devcrypto_int(); -- return 1; --} --# endif - - # ifndef OPENSSL_NO_RDRAND - static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT; -@@ -365,6 +353,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) - return 1; - } - # ifndef OPENSSL_NO_STATIC_ENGINE -+# ifndef OPENSSL_NO_DEVCRYPTOENG -+static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; -+DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) -+{ -+# ifdef OPENSSL_INIT_DEBUG -+ fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " -+ "engine_load_devcrypto_int()\n"); -+# endif -+ engine_load_devcrypto_int(); -+ return 1; -+} -+# endif - # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) - static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT; - DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock) -@@ -713,11 +713,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) - if ((opts & OPENSSL_INIT_ENGINE_OPENSSL) - && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl)) - return 0; --# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_DEVCRYPTOENG) -- if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) -- && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto)) -- return 0; --# endif - # ifndef OPENSSL_NO_RDRAND - if ((opts & OPENSSL_INIT_ENGINE_RDRAND) - && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) -@@ -727,6 +722,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) - && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) - return 0; - # ifndef OPENSSL_NO_STATIC_ENGINE -+# ifndef OPENSSL_NO_DEVCRYPTOENG -+ if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) -+ && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto)) -+ return 0; -+# endif - # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) - if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) - && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) -diff --git a/engines/build.info b/engines/build.info -index 1db771971c..33a25d7004 100644 ---- a/engines/build.info -+++ b/engines/build.info -@@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}] - IF[{- !$disabled{afalgeng} -}] - SOURCE[../libcrypto]=e_afalg.c - ENDIF -+ IF[{- !$disabled{"devcryptoeng"} -}] -+ SOURCE[../libcrypto]=e_devcrypto.c -+ ENDIF - ELSE - IF[{- !$disabled{hw} && !$disabled{'hw-padlock'} -}] - ENGINES=padlock -@@ -30,6 +33,12 @@ IF[{- !$disabled{"engine"} -}] - DEPEND[afalg]=../libcrypto - INCLUDE[afalg]= ../include - ENDIF -+ IF[{- !$disabled{"devcryptoeng"} -}] -+ ENGINES=devcrypto -+ SOURCE[devcrypto]=e_devcrypto.c -+ DEPEND[devcrypto]=../libcrypto -+ INCLUDE[devcrypto]=../include -+ ENDIF - - ENGINES_NO_INST=ossltest dasync - SOURCE[dasync]=e_dasync.c -diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c -similarity index 95% -rename from crypto/engine/eng_devcrypto.c -rename to engines/e_devcrypto.c -index 2c1b52d572..eff1ed3a7d 100644 ---- a/crypto/engine/eng_devcrypto.c -+++ b/engines/e_devcrypto.c -@@ -7,7 +7,7 @@ - * https://www.openssl.org/source/license.html - */ - --#include "e_os.h" -+#include "../e_os.h" - #include <string.h> - #include <sys/types.h> - #include <sys/stat.h> -@@ -31,18 +31,20 @@ - # define CHECK_BSD_STYLE_MACROS - #endif - -+#define engine_devcrypto_id "devcrypto" -+ - /* - * ONE global file descriptor for all sessions. This allows operations - * such as digest session data copying (see digest_copy()), but is also - * saner... why re-open /dev/crypto for every session? - */ --static int cfd; -+static int cfd = -1; - #define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ - #define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ - #define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ - --#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE --static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; -+#define DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS DEVCRYPTO_REJECT_SOFTWARE -+static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS; - - /* - * cipher/digest status & acceleration definitions -@@ -1058,7 +1060,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { - OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " - OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) - "=use if acceleration can't be determined) [default=" -- OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]", -+ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS) "]", - ENGINE_CMD_FLAG_NUMERIC}, - #endif - -@@ -1166,32 +1168,22 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) - * - *****/ - --static int devcrypto_unload(ENGINE *e) --{ -- destroy_all_cipher_methods(); --#ifdef IMPLEMENT_DIGEST -- destroy_all_digest_methods(); --#endif -- -- close(cfd); -- -- return 1; --} - /* -- * This engine is always built into libcrypto, so it doesn't offer any -- * ability to be dynamically loadable. -+ * Opens /dev/crypto - */ --void engine_load_devcrypto_int() -+static int open_devcrypto(void) - { -- ENGINE *e = NULL; - int fd; - -+ if (cfd >= 0) -+ return 1; -+ - if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { - #ifndef ENGINE_DEVCRYPTO_DEBUG - if (errno != ENOENT) - #endif - fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); -- return; -+ return 0; - } - - #ifdef CRIOGET -@@ -1199,35 +1191,61 @@ void engine_load_devcrypto_int() - fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); - close(fd); - cfd = -1; -- return; -+ return 0; - } - close(fd); - #else - cfd = fd; - #endif - -- if ((e = ENGINE_new()) == NULL -- || !ENGINE_set_destroy_function(e, devcrypto_unload)) { -- ENGINE_free(e); -- /* -- * We know that devcrypto_unload() won't be called when one of the -- * above two calls have failed, so we close cfd explicitly here to -- * avoid leaking resources. -- */ -- close(cfd); -- return; -+ return 1; -+} -+ -+static int close_devcrypto(void) -+{ -+ int ret; -+ -+ if (cfd < 0) -+ return 1; -+ ret = close(cfd); -+ cfd = -1; -+ if (ret != 0) { -+ fprintf(stderr, "Error closing /dev/crypto: %s\n", strerror(errno)); -+ return 0; - } -+ return 1; -+} - -- prepare_cipher_methods(); -+static int devcrypto_unload(ENGINE *e) -+{ -+ destroy_all_cipher_methods(); - #ifdef IMPLEMENT_DIGEST -- prepare_digest_methods(); -+ destroy_all_digest_methods(); - #endif - -- if (!ENGINE_set_id(e, "devcrypto") -+ close_devcrypto(); -+ -+ return 1; -+} -+ -+static int bind_devcrypto(ENGINE *e) { -+ -+ if (!ENGINE_set_id(e, engine_devcrypto_id) - || !ENGINE_set_name(e, "/dev/crypto engine") -+ || !ENGINE_set_destroy_function(e, devcrypto_unload) - || !ENGINE_set_cmd_defns(e, devcrypto_cmds) -- || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) -+ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)) -+ return 0; - -+ prepare_cipher_methods(); -+#ifdef IMPLEMENT_DIGEST -+ prepare_digest_methods(); -+#endif -+ -+ return (ENGINE_set_ciphers(e, devcrypto_ciphers) -+#ifdef IMPLEMENT_DIGEST -+ && ENGINE_set_digests(e, devcrypto_digests) -+#endif - /* - * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD - * implementations, it seems to only exist in FreeBSD, and regarding the -@@ -1250,23 +1268,36 @@ void engine_load_devcrypto_int() - */ - #if 0 - # ifndef OPENSSL_NO_RSA -- || !ENGINE_set_RSA(e, devcrypto_rsa) -+ && ENGINE_set_RSA(e, devcrypto_rsa) - # endif - # ifndef OPENSSL_NO_DSA -- || !ENGINE_set_DSA(e, devcrypto_dsa) -+ && ENGINE_set_DSA(e, devcrypto_dsa) - # endif - # ifndef OPENSSL_NO_DH -- || !ENGINE_set_DH(e, devcrypto_dh) -+ && ENGINE_set_DH(e, devcrypto_dh) - # endif - # ifndef OPENSSL_NO_EC -- || !ENGINE_set_EC(e, devcrypto_ec) -+ && ENGINE_set_EC(e, devcrypto_ec) - # endif - #endif -- || !ENGINE_set_ciphers(e, devcrypto_ciphers) --#ifdef IMPLEMENT_DIGEST -- || !ENGINE_set_digests(e, devcrypto_digests) --#endif -- ) { -+ ); -+} -+ -+#ifdef OPENSSL_NO_DYNAMIC_ENGINE -+/* -+ * In case this engine is built into libcrypto, then it doesn't offer any -+ * ability to be dynamically loadable. -+ */ -+void engine_load_devcrypto_int(void) -+{ -+ ENGINE *e = NULL; -+ -+ if (!open_devcrypto()) -+ return; -+ -+ if ((e = ENGINE_new()) == NULL -+ || !bind_devcrypto(e)) { -+ close_devcrypto(); - ENGINE_free(e); - return; - } -@@ -1275,3 +1306,22 @@ void engine_load_devcrypto_int() - ENGINE_free(e); /* Loose our local reference */ - ERR_clear_error(); - } -+ -+#else -+ -+static int bind_helper(ENGINE *e, const char *id) -+{ -+ if ((id && (strcmp(id, engine_devcrypto_id) != 0)) -+ || !open_devcrypto()) -+ return 0; -+ if (!bind_devcrypto(e)) { -+ close_devcrypto(); -+ return 0; -+ } -+ return 1; -+} -+ -+IMPLEMENT_DYNAMIC_CHECK_FN() -+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) -+ -+#endif diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch index 1f1cd7a5829..f1832638586 100644 --- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch +++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -19,11 +19,9 @@ turn them on if it is safe and fast enough. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> -diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index 3fcd81de7a..d25230d366 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c -@@ -852,7 +852,7 @@ static void prepare_digest_methods(void) +@@ -905,7 +905,7 @@ static void prepare_digest_methods(void) for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { @@ -32,7 +30,7 @@ index 3fcd81de7a..d25230d366 100644 /* * Check that the digest is usable -@@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { +@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c #ifdef IMPLEMENT_DIGEST {DEVCRYPTO_CMD_DIGESTS, "DIGESTS", diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch index bc514b88c9d..40b1dc78d31 100644 --- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -8,12 +8,10 @@ session. It may have been closed by another process after a fork. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> -diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index d25230d366..f4570f1666 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c -@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, - get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); +@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c + int ret; /* cleanup a previous session */ - if (cipher_ctx->sess.ses != 0 && |