openssl: update to version 1.1.1a

This version adds the following functionality:
  * TLS 1.3
  * AFALG engine support for hardware accelleration
  * x25519 ECC curve support
  * CRIME protection: disable use of compression by default
  * Support for ChaCha20 and Poly1305

Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585

This increses the size of the ipk binray on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index fe7322991578b8f83bc0b98d3d18f69ba1ab0acd..53b91ddb942a77f8ad5d39d69cfd7295b1533690 100644 (file)
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -53,7 +53,9 @@ config OPENSSL_WITH_DEPRECATED
        default y
        prompt "Include deprecated APIs (See help for a list of packages that need this)"
        help
        default y
        prompt "Include deprecated APIs (See help for a list of packages that need this)"
        help

-               Squid currently requires this.
+               Since openssl 1.1.x is still new to openwrt, some packages
+               requiring this option do not list it as a requirement yet:
+                * freeswitch-stable, freeswitch, python, python3, squid.

 
 config OPENSSL_NO_DEPRECATED
        bool
 
 config OPENSSL_NO_DEPRECATED
        bool


@@ -68,6 +70,21 @@ config OPENSSL_WITH_ERROR_MESSAGES
 
 comment "Protocol Support"
 
 
 comment "Protocol Support"
 

+config OPENSSL_WITH_TLS13
+       bool
+       default y
+       prompt "Enable support for TLS 1.3"
+       select OPENSSL_WITH_EC
+       help
+               TLS 1.3 is the newest version of the TLS specification.
+               It aims:
+                * to increase the overall security of the protocol,
+                  removing outdated algorithms, and encrypting more of the
+                  protocol;
+                * to increase performance by reducing the number of round-trips
+                  when performing a full handshake.
+               It increases package size by ~4KB.
+

 config OPENSSL_WITH_DTLS
        bool
        prompt "Enable DTLS support"
 config OPENSSL_WITH_DTLS
        bool
        prompt "Enable DTLS support"


@@ -120,6 +137,16 @@ config OPENSSL_WITH_EC2M
                This option enables the more efficient, yet less common, binary
                field elliptic curves.
 
                This option enables the more efficient, yet less common, binary
                field elliptic curves.
 

+config OPENSSL_WITH_CHACHA_POLY1305
+       bool
+       default y
+       prompt "Enable ChaCha20-Poly1305 ciphersuite support"
+       help
+               ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
+               combining ChaCha stream cipher with Poly1305 MAC.
+               It is 3x faster than AES, when not using a CPU with AES-specific
+               instructions, as is the case of most embedded devices.
+

 config OPENSSL_WITH_PSK
        bool
        default y
 config OPENSSL_WITH_PSK
        bool
        default y


@@ -129,6 +156,12 @@ config OPENSSL_WITH_PSK
 
 comment "Less commonly used build options"
 
 
 comment "Less commonly used build options"
 

+config OPENSSL_WITH_ARIA
+       bool
+       prompt "Enable ARIA support"
+       help
+               ARIA is a block cipher developed in South Korea, based on AES.
+

 config OPENSSL_WITH_CAMELLIA
        bool
        prompt "Enable Camellia cipher support"
 config OPENSSL_WITH_CAMELLIA
        bool
        prompt "Enable Camellia cipher support"


@@ -149,6 +182,23 @@ config OPENSSL_WITH_SEED
                SEED is a block cipher with 128-bit keys broadly used in
                South Korea, but seldom found elsewhere.
 
                SEED is a block cipher with 128-bit keys broadly used in
                South Korea, but seldom found elsewhere.
 

+config OPENSSL_WITH_SM234
+       bool
+       prompt "Enable SM2/3/4 algorithms support"
+       help
+               These algorithms are a set of "Commercial Cryptography"
+               algorithms approved for use in China.
+                 * SM2 is an EC algorithm equivalent to ECDSA P-256
+                 * SM3 is a hash function equivalent to SHA-256
+                 * SM4 is a 128-block cipher equivalent to AES-128
+
+config OPENSSL_WITH_BLAKE2
+       bool
+       prompt "Enable BLAKE2 digest support"
+       help
+               BLAKE2 is a cryptographic hash function based on the ChaCha
+               stream cipher.
+

 config OPENSSL_WITH_MDC2
        bool
        prompt "Enable MDC2 digest support"
 config OPENSSL_WITH_MDC2
        bool
        prompt "Enable MDC2 digest support"


@@ -199,10 +249,14 @@ config OPENSSL_ENGINE_CRYPTO
                API modules) for /dev/crypto to show up and use hardware
                acceleration; otherwise it falls back to software.
 
                API modules) for /dev/crypto to show up and use hardware
                acceleration; otherwise it falls back to software.
 

-config OPENSSL_ENGINE_DIGEST
+config OPENSSL_WITH_ASYNC

        bool
        bool

-       depends on OPENSSL_ENGINE_CRYPTO
-       prompt "/dev/crypto digest (md5/sha1) acceleration support"
+       prompt "Enable asynchronous jobs support"
+       depends on OPENSSL_ENGINE && USE_GLIBC
+       help
+               Enables async-aware applications to be able to use OpenSSL to
+               initiate crypto operations asynchronously. In order to work
+               this will require the presence of an async capable engine.

 
 config OPENSSL_WITH_GOST
        bool
 
 config OPENSSL_WITH_GOST
        bool


@@ -211,6 +265,9 @@ config OPENSSL_WITH_GOST
        help
                This option prepares the library to accept engine support
                for Russian GOST crypto algorithms.
        help
                This option prepares the library to accept engine support
                for Russian GOST crypto algorithms.

+               The gost engine is not included in standard openwrt feeds.
+               To build such engine yourself, see:
+               https://github.com/gost-engine/engine

 
 endif
 
 
 endif
 

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index d9b1de2581e6a698b33c013a01fc2e231fbf151e..27746c15c6206b3daba6f9aecb3df6e8dc342308 100644 (file)
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -8,11 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl

-PKG_BASE:=1.0.2
-PKG_BUGFIX:=q
+PKG_BASE:=1.1.1
+PKG_BUGFIX:=a

 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=2
 PKG_USE_MIPS16:=0

+ENGINES_DIR=engines-1.1

 
 PKG_BUILD_PARALLEL:=0
 PKG_BUILD_DEPENDS:=cryptodev-linux
 
 PKG_BUILD_PARALLEL:=0
 PKG_BUILD_DEPENDS:=cryptodev-linux


@@ -24,8 +25,7 @@ PKG_SOURCE_URL:= \
        ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
        http://www.openssl.org/source/ \
        http://www.openssl.org/source/old/$(PKG_BASE)/
        ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
        http://www.openssl.org/source/ \
        http://www.openssl.org/source/old/$(PKG_BASE)/

-PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
-ENGINES_DIR=engines
+PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41

 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE


@@ -33,11 +33,14 @@ PKG_CPE_ID:=cpe:/a:openssl:openssl
 PKG_CONFIG_DEPENDS:= \
        CONFIG_OPENSSL_ENGINE \
        CONFIG_OPENSSL_ENGINE_CRYPTO \
 PKG_CONFIG_DEPENDS:= \
        CONFIG_OPENSSL_ENGINE \
        CONFIG_OPENSSL_ENGINE_CRYPTO \

-       CONFIG_OPENSSL_ENGINE_DIGEST \

        CONFIG_OPENSSL_NO_DEPRECATED \
        CONFIG_OPENSSL_OPTIMIZE_SPEED \
        CONFIG_OPENSSL_NO_DEPRECATED \
        CONFIG_OPENSSL_OPTIMIZE_SPEED \

+       CONFIG_OPENSSL_WITH_ARIA \

        CONFIG_OPENSSL_WITH_ASM \
        CONFIG_OPENSSL_WITH_ASM \

+       CONFIG_OPENSSL_WITH_ASYNC \
+       CONFIG_OPENSSL_WITH_BLAKE2 \

        CONFIG_OPENSSL_WITH_CAMELLIA \
        CONFIG_OPENSSL_WITH_CAMELLIA \

+       CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \

        CONFIG_OPENSSL_WITH_CMS \
        CONFIG_OPENSSL_WITH_COMPRESSION \
        CONFIG_OPENSSL_WITH_DTLS \
        CONFIG_OPENSSL_WITH_CMS \
        CONFIG_OPENSSL_WITH_COMPRESSION \
        CONFIG_OPENSSL_WITH_DTLS \


@@ -51,8 +54,10 @@ PKG_CONFIG_DEPENDS:= \
        CONFIG_OPENSSL_WITH_PSK \
        CONFIG_OPENSSL_WITH_RFC3779 \
        CONFIG_OPENSSL_WITH_SEED \
        CONFIG_OPENSSL_WITH_PSK \
        CONFIG_OPENSSL_WITH_RFC3779 \
        CONFIG_OPENSSL_WITH_SEED \

+       CONFIG_OPENSSL_WITH_SM234 \

        CONFIG_OPENSSL_WITH_SRP \
        CONFIG_OPENSSL_WITH_SSE2 \
        CONFIG_OPENSSL_WITH_SRP \
        CONFIG_OPENSSL_WITH_SSE2 \

+       CONFIG_OPENSSL_WITH_TLS13 \

        CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
        CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk


@@ -85,7 +90,7 @@ $(call Package/openssl/Default)
   SUBMENU:=SSL
   DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
   TITLE+= (libraries)
   SUBMENU:=SSL
   DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
   TITLE+= (libraries)

-  ABI_VERSION:=1.0.0
+  ABI_VERSION:=1.1

   MENU:=1
 endef
 
   MENU:=1
 endef
 


@@ -111,18 +116,19 @@ $(call Package/openssl/Default/description)
 This package contains the OpenSSL command-line utility.
 endef
 
 This package contains the OpenSSL command-line utility.
 endef
 

-define Package/libopenssl-gost
+define Package/libopenssl-afalg

   $(call Package/openssl/Default)
   SUBMENU:=SSL
   $(call Package/openssl/Default)
   SUBMENU:=SSL

-  TITLE:=Russian GOST algorithms engine
-  DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
+  TITLE:=AFALG hardware acceleration engine
+  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO @!LINUX_3_18 +kmod-crypto-user

 endef
 
 endef
 

-define Package/libopenssl-gost/description
-This package adds an engine that enables Russian GOST algorithms.
+define Package/libopenssl-afalg/description
+This package adds an engine that enables hardware acceleration
+through the AF_ALG kernel interface.

 To use it, you need to configure the engine in /etc/ssl/openssl.cnf
 To use it, you need to configure the engine in /etc/ssl/openssl.cnf

-See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
-The engine_id is "gost"
+See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
+The engine_id is "afalg"

 endef
 
 define Package/libopenssl-padlock
 endef
 
 define Package/libopenssl-padlock


@@ -135,11 +141,23 @@ endef
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
 To use it, you need to configure it in /etc/ssl/openssl.cnf.
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
 To use it, you need to configure it in /etc/ssl/openssl.cnf.

-See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module

 The engine_id is "padlock"
 endef
 
 The engine_id is "padlock"
 endef
 

-OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
+OPENSSL_OPTIONS:= shared
+
+ifndef CONFIG_OPENSSL_WITH_BLAKE2
+  OPENSSL_OPTIONS += no-blake2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
+  OPENSSL_OPTIONS += no-chacha no-poly1305
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ASYNC
+  OPENSSL_OPTIONS += no-async
+endif

 
 ifndef CONFIG_OPENSSL_WITH_EC
   OPENSSL_OPTIONS += no-ec
 
 ifndef CONFIG_OPENSSL_WITH_EC
   OPENSSL_OPTIONS += no-ec


@@ -153,6 +171,18 @@ ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
   OPENSSL_OPTIONS += no-err
 endif
 
   OPENSSL_OPTIONS += no-err
 endif
 

+ifndef CONFIG_OPENSSL_WITH_TLS13
+  OPENSSL_OPTIONS += no-tls1_3
+endif
+
+ifndef CONFIG_OPENSSL_WITH_ARIA
+  OPENSSL_OPTIONS += no-aria
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SM234
+  OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
+endif
+

 ifndef CONFIG_OPENSSL_WITH_CAMELLIA
   OPENSSL_OPTIONS += no-camellia
 endif
 ifndef CONFIG_OPENSSL_WITH_CAMELLIA
   OPENSSL_OPTIONS += no-camellia
 endif


@@ -177,8 +207,8 @@ ifndef CONFIG_OPENSSL_WITH_CMS
   OPENSSL_OPTIONS += no-cms
 endif
 
   OPENSSL_OPTIONS += no-cms
 endif
 

-ifdef CONFIG_OPENSSL_WITH_RFC3779
-  OPENSSL_OPTIONS += enable-rfc3779
+ifndef CONFIG_OPENSSL_WITH_RFC3779
+  OPENSSL_OPTIONS += no-rfc3779

 endif
 
 ifdef CONFIG_OPENSSL_NO_DEPRECATED
 endif
 
 ifdef CONFIG_OPENSSL_NO_DEPRECATED


@@ -193,10 +223,10 @@ endif
 
 ifdef CONFIG_OPENSSL_ENGINE
   ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
 
 ifdef CONFIG_OPENSSL_ENGINE
   ifdef CONFIG_OPENSSL_ENGINE_CRYPTO

-    OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
-    ifdef CONFIG_OPENSSL_ENGINE_DIGEST
-      OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
-    endif
+    OPENSSL_OPTIONS += enable-devcryptoeng
+  endif
+  ifndef CONFIG_PACKAGE_libopenssl-afalg
+    OPENSSL_OPTIONS += no-afalgeng

   endif
   ifndef CONFIG_PACKAGE_libopenssl-padlock
     OPENSSL_OPTIONS += no-hw-padlock
   endif
   ifndef CONFIG_PACKAGE_libopenssl-padlock
     OPENSSL_OPTIONS += no-hw-padlock


@@ -209,10 +239,8 @@ ifndef CONFIG_OPENSSL_WITH_GOST
   OPENSSL_OPTIONS += no-gost
 endif
 
   OPENSSL_OPTIONS += no-gost
 endif
 

-# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
-# but openssl util gets built without it

 ifndef CONFIG_OPENSSL_WITH_DTLS
 ifndef CONFIG_OPENSSL_WITH_DTLS

-  OPENSSL_OPTIONS += no-dtls no-dtls1
+  OPENSSL_OPTIONS += no-dtls

 endif
 
 ifdef CONFIG_OPENSSL_WITH_COMPRESSION
 endif
 
 ifdef CONFIG_OPENSSL_WITH_COMPRESSION


@@ -261,12 +289,6 @@ define Build/Configure
                        $(TARGET_LDFLAGS) \
                        $(OPENSSL_OPTIONS) \
        )
                        $(TARGET_LDFLAGS) \
                        $(OPENSSL_OPTIONS) \
        )

-       +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-               CROSS_COMPILE="$(TARGET_CROSS)" \
-               MAKEDEPPROG="$(TARGET_CROSS)gcc" \
-               OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
-               $(OPENSSL_MAKEFLAGS) \
-               depend

 endef
 
 TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
 endef
 
 TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections


@@ -276,35 +298,16 @@ define Build/Compile
        +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
                CROSS_COMPILE="$(TARGET_CROSS)" \
                CC="$(TARGET_CC)" \
        +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
                CROSS_COMPILE="$(TARGET_CROSS)" \
                CC="$(TARGET_CC)" \

-               ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
-               AR="$(TARGET_CROSS)ar r" \
-               RANLIB="$(TARGET_CROSS)ranlib" \
+               SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \

                OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
                $(OPENSSL_MAKEFLAGS) \
                all
                OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
                $(OPENSSL_MAKEFLAGS) \
                all

-       +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-               CROSS_COMPILE="$(TARGET_CROSS)" \
-               CC="$(TARGET_CC)" \
-               ASFLAGS="$(TARGET_ASFLAGS) -I$(PKG_BUILD_DIR)/crypto -c" \
-               AR="$(TARGET_CROSS)ar r" \
-               RANLIB="$(TARGET_CROSS)ranlib" \
-               OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
-               $(OPENSSL_MAKEFLAGS) \
-               build-shared
-       # Work around openssl build bug to link libssl.so with libcrypto.so.
-       -rm $(PKG_BUILD_DIR)/libssl.so.*.*.*
-       +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-               CROSS_COMPILE="$(TARGET_CROSS)" \
-               CC="$(TARGET_CC)" \
-               OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
-               $(OPENSSL_MAKEFLAGS) \
-               do_linux-shared

        $(MAKE) -C $(PKG_BUILD_DIR) \
                CROSS_COMPILE="$(TARGET_CROSS)" \
                CC="$(TARGET_CC)" \
        $(MAKE) -C $(PKG_BUILD_DIR) \
                CROSS_COMPILE="$(TARGET_CROSS)" \
                CC="$(TARGET_CC)" \

-               INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \
+               DESTDIR="$(PKG_INSTALL_DIR)" \

                $(OPENSSL_MAKEFLAGS) \
                $(OPENSSL_MAKEFLAGS) \

-               install
+               install_sw install_ssldirs

 endef
 
 define Build/InstallDev
 endef
 
 define Build/InstallDev


@@ -334,17 +337,17 @@ define Package/openssl-util/install
        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
 endef
 
        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
 endef
 

-define Package/libopenssl-padlock/install
+define Package/libopenssl-afalg/install

        $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
        $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)

-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)

 endef
 
 endef
 

-define Package/libopenssl-gost/install
+define Package/libopenssl-padlock/install

        $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
        $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)

-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)

 endef
 
 $(eval $(call BuildPackage,libopenssl))
 endef
 
 $(eval $(call BuildPackage,libopenssl))

-$(eval $(call BuildPackage,libopenssl-gost))
+$(eval $(call BuildPackage,libopenssl-afalg))

 $(eval $(call BuildPackage,libopenssl-padlock))
 $(eval $(call BuildPackage,openssl-util))
 $(eval $(call BuildPackage,libopenssl-padlock))
 $(eval $(call BuildPackage,openssl-util))

diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch
new file mode 100644 (file)
index 0000000..f5f32c2
--- /dev/null
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -0,0 +1,23 @@
+From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:29:21 -0300
+Subject: Do not use host kernel version to disable AFALG
+
+This patch prevents the Configure script from using the host kernel
+version to disable building the AFALG engine on openwrt targets.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -1554,7 +1554,9 @@ unless ($disabled{"crypto-mdebug-backtra
+ 
+ unless ($disabled{afalgeng}) {
+     $config{afalgeng}="";
+-    if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
++    if ($target =~ m/openwrt$/) {
++        push @{$config{engdirs}}, "afalg";
++    } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+         my $minver = 4*10000 + 1*100 + 0;
+         if ($config{CROSS_COMPILE} eq "") {
+             my $verstr = `uname -r`;

diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch
deleted file mode 100644 (file)
index 52a51f9..0000000
--- a/package/libs/openssl/patches/100-openwrt_targets.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz <cote2004-github@yahoo.com>
-Date: Wed, 26 Sep 2018 16:21:27 -0300
-Subject: Add openwrt targets
-
-Targets are named: linux-$(CONFIG_ARCH)-openwrt
-
-Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
-
---- a/Configure
-+++ b/Configure
-@@ -470,6 +470,32 @@ my %table=(
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- 
-+# OpenWrt targets
-+# from linux-aarch64
-+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-generic32
-+"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-armv4
-+"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-armv4
-+"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-elf
-+"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-mips32
-+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux64-mips64
-+"linux-mips64-openwrt",   "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux64-mips64
-+"linux-mips64el-openwrt",   "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux-mips32
-+"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-ppc
-+"linux-powerpc-openwrt",      "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+# from linux-x86_64
-+"linux-x86_64-openwrt",       "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+# from linux-generic32
-+"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
- # Android: linux-* but without pointers to headers and libs.
- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch
new file mode 100644 (file)
index 0000000..bc49e27
--- /dev/null
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -0,0 +1,60 @@
+From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:30:24 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- /dev/null
++++ b/Configurations/25-openwrt.conf
+@@ -0,0 +1,48 @@
++## Openwrt "CONFIG_ARCH" matching targets.
++
++# The targets need to end in '-openwrt' for the AFALG patch to work
++
++my %targets = (
++    "openwrt" => {
++      template        => 1,
++      CFLAGS          => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
++    },
++    "linux-aarch64-openwrt" => {
++        inherit_from    => [ "linux-aarch64", "openwrt" ],
++    },
++    "linux-arc-openwrt" => {
++        inherit_from    => [ "linux-generic32", "openwrt" ],
++    },
++    "linux-arm-openwrt" => {
++        inherit_from    => [ "linux-armv4", "openwrt" ],
++    },
++    "linux-armeb-openwrt" => {
++        inherit_from    => [ "linux-armv4", "openwrt" ],
++    },
++    "linux-i386-openwrt" => {
++        inherit_from    => [ "linux-x86", "openwrt" ],
++    },
++    "linux-mips-openwrt" => {
++        inherit_from    => [ "linux-mips32", "openwrt" ],
++    },
++    "linux-mips64-openwrt" => {
++        inherit_from    => [ "linux64-mips64", "openwrt" ],
++    },
++    "linux-mips64el-openwrt" => {
++        inherit_from    => [ "linux64-mips64", "openwrt" ],
++    },
++    "linux-mipsel-openwrt" => {
++        inherit_from    => [ "linux-mips32", "openwrt" ],
++    },
++    "linux-powerpc-openwrt" => {
++        inherit_from    => [ "linux-ppc", "openwrt" ],
++    },
++    "linux-x86_64-openwrt" => {
++        inherit_from    => [ "linux-x86_64", "openwrt" ],
++    },
++
++### Basic default option
++    "linux-generic32-openwrt" => {
++        inherit_from    => [ "linux-generic32", "openwrt" ],
++    },
++);

diff --git a/package/libs/openssl/patches/110-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch
deleted file mode 100644 (file)
index 2dbdc76..0000000
--- a/package/libs/openssl/patches/110-perl-path.patch
+++ /dev/null
@@ -1,64 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -1,4 +1,4 @@
--:
-+#!/usr/bin/perl
- eval 'exec perl -S $0 ${1+"$@"}'
-     if $running_under_some_shell;
- ##
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl
-+#!/usr/bin/perl
- 
- # Perl c_rehash script, scan all files in a directory
- # and add symbolic links to their hash values.
---- a/util/clean-depend.pl
-+++ b/util/clean-depend.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- # Clean the dependency list in a makefile of standard includes...
- # Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
- 
---- a/util/mkdef.pl
-+++ b/util/mkdef.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- #
- # generate a .def file
- #
---- a/util/mkerr.pl
-+++ b/util/mkerr.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- 
- my $config = "crypto/err/openssl.ec";
- my $hprefix = "openssl/";
---- a/util/mkstack.pl
-+++ b/util/mkstack.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- 
- # This is a utility that searches out "DECLARE_STACK_OF()"
- # declarations in .h and .c files, and updates/creates/replaces
---- a/util/pod2man.pl
-+++ b/util/pod2man.pl
-@@ -1,4 +1,4 @@
--: #!/usr/bin/perl-5.005
-+#!/usr/bin/perl
-     eval 'exec /usr/bin/perl -S $0 ${1+"$@"}'
-       if $running_under_some_shell;
- 
---- a/util/selftest.pl
-+++ b/util/selftest.pl
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/perl -w
-+#!/usr/bin/perl
- #
- # Run the test suite and generate a report
- #

diff --git a/package/libs/openssl/patches/120-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch
deleted file mode 100644 (file)
index 5bcb316..0000000
--- a/package/libs/openssl/patches/120-makefile-dirs.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -137,7 +137,7 @@ FIPSCANLIB=
- 
- BASEADDR=
- 
--DIRS=   crypto ssl engines apps test tools
-+DIRS=   crypto ssl engines apps
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
- 

diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
new file mode 100644 (file)
index 0000000..d6e35b7
--- /dev/null
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -0,0 +1,21 @@
+From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:31:38 -0300
+Subject: void exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/crypto/build.info
++++ b/crypto/build.info
+@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink
+         ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
+ 
+ DEPEND[cversion.o]=buildinf.h
+-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
+ DEPEND[buildinf.h]=../configdata.pm
+ 
+ GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)

diff --git a/package/libs/openssl/patches/130-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch
deleted file mode 100644 (file)
index e38d44a..0000000
--- a/package/libs/openssl/patches/130-disable_doc_tests.patch
+++ /dev/null
@@ -1,58 +0,0 @@
---- a/Makefile
-+++ b/Makefile
-@@ -139,7 +139,7 @@ FIPSCANLIB=
- 
- BASEADDR=0xFB00000
- 
--DIRS=   crypto ssl engines apps test tools
-+DIRS=   crypto ssl engines apps tools
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
- 
-@@ -157,7 +157,7 @@ SDIRS=  \
- 
- # tests to perform.  "alltests" is a special word indicating that all tests
- # should be performed.
--TESTS = alltests
-+TESTS =
- 
- MAKEFILE= Makefile
- 
-@@ -171,7 +171,7 @@ SHELL=/bin/sh
- 
- TOP=    .
- ONEDIRS=out tmp
--EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
-+EDIRS=  times bugs util include certs ms shlib mt demos perl sf dep VMS
- WDIRS=  windows
- LIBS=   libcrypto.a libssl.a
- SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
-@@ -276,7 +276,7 @@ reflect:
- 
- sub_all: build_all
- 
--build_all: build_libs build_apps build_tests build_tools
-+build_all: build_libs build_apps build_tools
- 
- build_libs: build_libcrypto build_libssl openssl.pc
- 
-@@ -542,7 +542,7 @@ dist:
-       @$(MAKE) SDIRS='$(SDIRS)' clean
-       @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
- 
--install: all install_docs install_sw
-+install: all install_sw
- 
- install_sw:
-       @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -540,7 +540,7 @@ dist:
-       @$(MAKE) SDIRS='$(SDIRS)' clean
-       @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
- 
--install: all install_docs install_sw
-+install: all install_sw
- 
- install_sw:
-       @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \

diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
new file mode 100644 (file)
index 0000000..7c61b1e
--- /dev/null
+++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
@@ -0,0 +1,29 @@
+From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:34:38 -0300
+Subject: Do not build tests and fuzz directories
+
+This shortens build time.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -299,7 +299,7 @@ my $auto_threads=1;    # enable threads
+ my $default_ranlib;
+ 
+ # Top level directories to build
+-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
++$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ];
+ # crypto/ subdirectories to build
+ $config{sdirs} = [
+     "objects",
+@@ -311,7 +311,7 @@ $config{sdirs} = [
+     "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
+     ];
+ # test/ subdirectories to build
+-$config{tdirs} = [ "ossl_shim" ];
++$config{tdirs} = [];
+ 
+ # Known TLS and DTLS protocols
+ my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);

diff --git a/package/libs/openssl/patches/140-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch
deleted file mode 100644 (file)
index c29b59a..0000000
--- a/package/libs/openssl/patches/140-bash_path.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- a/util/domd
-+++ b/util/domd
-@@ -1,4 +1,4 @@
--#!/bin/sh
-+#!/usr/bin/env bash
- # Do a makedepend, only leave out the standard headers
- # Written by Ben Laurie <ben@algroup.co.uk> 19 Jan 1999
- 

diff --git a/package/libs/openssl/patches/150-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch
deleted file mode 100644 (file)
index 3e36beb..0000000
--- a/package/libs/openssl/patches/150-fix_link_segfault.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -95,7 +95,6 @@ LINK_APP=    \
-     LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
--    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
- 
- LINK_SO=      \
-@@ -105,7 +104,6 @@ LINK_SO=   \
-     SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
-     LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
-     LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
--    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-     $${SHAREDCMD} $${SHAREDFLAGS} \
-       -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-       $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \

diff --git a/package/libs/openssl/patches/160-remove_timestamp_check.patch b/package/libs/openssl/patches/160-remove_timestamp_check.patch
deleted file mode 100644 (file)
index 424e660..0000000
--- a/package/libs/openssl/patches/160-remove_timestamp_check.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -185,7 +185,7 @@ TARFILE=        ../$(NAME).tar
- EXHEADER=       e_os2.h
- HEADER=         e_os.h
- 
--all: Makefile build_all
-+all: build_all
- 
- # as we stick to -e, CLEARENV ensures that local variables in lower
- # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
-@@ -404,11 +404,6 @@ openssl.pc: Makefile
-           echo 'Version: '$(VERSION); \
-           echo 'Requires: libssl libcrypto' ) > openssl.pc
- 
--Makefile: Makefile.org Configure config
--      @echo "Makefile is older than Makefile.org, Configure or config."
--      @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
--      @false
--
- libclean:
-       rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
- 

diff --git a/package/libs/openssl/patches/170-parallel_build.patch b/package/libs/openssl/patches/170-parallel_build.patch
deleted file mode 100644 (file)
index cbe5d51..0000000
--- a/package/libs/openssl/patches/170-parallel_build.patch
+++ /dev/null
@@ -1,184 +0,0 @@
---- a/Makefile.org
-+++ b/Makefile.org
-@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi
- build_libssl: build_ssl libssl.pc
- 
- build_crypto:
--      @dir=crypto; target=all; $(BUILD_ONE_CMD)
-+      +@dir=crypto; target=all; $(BUILD_ONE_CMD)
- build_ssl: build_crypto
--      @dir=ssl; target=all; $(BUILD_ONE_CMD)
-+      +@dir=ssl; target=all; $(BUILD_ONE_CMD)
- build_engines: build_crypto
--      @dir=engines; target=all; $(BUILD_ONE_CMD)
-+      +@dir=engines; target=all; $(BUILD_ONE_CMD)
- build_apps: build_libs
--      @dir=apps; target=all; $(BUILD_ONE_CMD)
-+      +@dir=apps; target=all; $(BUILD_ONE_CMD)
- build_tests: build_libs
--      @dir=test; target=all; $(BUILD_ONE_CMD)
-+      +@dir=test; target=all; $(BUILD_ONE_CMD)
- build_tools: build_libs
--      @dir=tools; target=all; $(BUILD_ONE_CMD)
-+      +@dir=tools; target=all; $(BUILD_ONE_CMD)
- 
- all_testapps: build_libs build_testapps
- build_testapps:
-@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut
-       @set -e; target=update; $(RECURSIVE_BUILD_CMD)
- 
- depend:
--      @set -e; target=depend; $(RECURSIVE_BUILD_CMD)
-+      +@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
- 
- lint:
-       @set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-@@ -535,9 +535,9 @@ dist:
-       @$(MAKE) SDIRS='$(SDIRS)' clean
-       @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
- 
--install: all install_sw
-+install: install_sw
- 
--install_sw:
-+install_dirs:
-       @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-               $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
-               $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -546,12 +546,19 @@ install_sw:
-               $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-               $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-               $(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+      @$(PERL) $(TOP)/util/mkdir-p.pl \
-+              $(INSTALL_PREFIX)$(MANDIR)/man1 \
-+              $(INSTALL_PREFIX)$(MANDIR)/man3 \
-+              $(INSTALL_PREFIX)$(MANDIR)/man5 \
-+              $(INSTALL_PREFIX)$(MANDIR)/man7
-+
-+install_sw: install_dirs
-       @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
-       do \
-       (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-       chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-       done;
--      @set -e; target=install; $(RECURSIVE_BUILD_CMD)
-+      +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-       @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
-       do \
-               if [ -f "$$i" ]; then \
-@@ -635,12 +642,7 @@ install_html_docs:
-               done; \
-       done
- 
--install_docs:
--      @$(PERL) $(TOP)/util/mkdir-p.pl \
--              $(INSTALL_PREFIX)$(MANDIR)/man1 \
--              $(INSTALL_PREFIX)$(MANDIR)/man3 \
--              $(INSTALL_PREFIX)$(MANDIR)/man5 \
--              $(INSTALL_PREFIX)$(MANDIR)/man7
-+install_docs: install_dirs
-       @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
-       here="`pwd`"; \
-       filecase=; \
---- a/Makefile.shared
-+++ b/Makefile.shared
-@@ -120,6 +120,7 @@ SYMLINK_SO=        \
-                       done; \
-               fi; \
-               if [ -n "$$SHLIB_SOVER" ]; then \
-+                      [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
-                       ( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
-                         ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
-               fi; \
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -87,11 +87,11 @@ testapps:
-       @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
- 
- subdirs:
--      @target=all; $(RECURSIVE_MAKE)
-+      +@target=all; $(RECURSIVE_MAKE)
- 
- files:
-       $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
--      @target=files; $(RECURSIVE_MAKE)
-+      +@target=files; $(RECURSIVE_MAKE)
- 
- links:
-       @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
-@@ -102,7 +102,7 @@ links:
- # lib: $(LIB): are splitted to avoid end-less loop
- lib:  $(LIB)
-       @touch lib
--$(LIB):       $(LIBOBJ)
-+$(LIB):       $(LIBOBJ) | subdirs
-       $(AR) $(LIB) $(LIBOBJ)
-       test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
-       $(RANLIB) $(LIB) || echo Never mind.
-@@ -113,7 +113,7 @@ shared: buildinf.h lib subdirs
-       fi
- 
- libs:
--      @target=lib; $(RECURSIVE_MAKE)
-+      +@target=lib; $(RECURSIVE_MAKE)
- 
- install:
-       @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-@@ -122,7 +122,7 @@ install:
-       (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-       chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-       done;
--      @target=install; $(RECURSIVE_MAKE)
-+      +@target=install; $(RECURSIVE_MAKE)
- 
- lint:
-       @target=lint; $(RECURSIVE_MAKE)
---- a/engines/Makefile
-+++ b/engines/Makefile
-@@ -72,7 +72,7 @@ top:
- 
- all:  lib subdirs
- 
--lib:  $(LIBOBJ)
-+lib:  $(LIBOBJ) | subdirs
-       @if [ -n "$(SHARED_LIBS)" ]; then \
-               set -e; \
-               for l in $(LIBNAMES); do \
-@@ -89,7 +89,7 @@ lib: $(LIBOBJ)
- 
- subdirs:
-       echo $(EDIRS)
--      @target=all; $(RECURSIVE_MAKE)
-+      +@target=all; $(RECURSIVE_MAKE)
- 
- files:
-       $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-@@ -128,7 +128,7 @@ install:
-                         mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
-               done; \
-       fi
--      @target=install; $(RECURSIVE_MAKE)
-+      +@target=install; $(RECURSIVE_MAKE)
- 
- tags:
-       ctags $(SRC)
---- a/test/Makefile
-+++ b/test/Makefile
-@@ -145,7 +145,7 @@ install:
- tags:
-       ctags $(SRC)
- 
--tests:        exe apps $(TESTS)
-+tests:        exe $(TESTS)
- 
- apps:
-       @(cd ..; $(MAKE) DIRS=apps all)
-@@ -593,7 +593,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
- #     fi
- 
- dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
--      @target=dummytest; $(BUILD_CMD)
-+      +@target=dummytest; $(BUILD_CMD)
- 
- # DO NOT DELETE THIS LINE -- make depend depends on it.
- 

diff --git a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch b/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
deleted file mode 100644 (file)
index e70bd07..0000000
--- a/package/libs/openssl/patches/180-strip-cflags-from-binary.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From f17f027c258338994a6167091a398c0cc1588acb Mon Sep 17 00:00:00 2001
-From: Eneas U de Queiroz <cote2004-github@yahoo.com>
-Date: Wed, 26 Sep 2018 18:04:58 -0300
-Subject: Avoid exposing build directories
-
-The CFLAGS contain the build directories, and are shown by calling
-SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a
-
-Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
-
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -57,7 +57,7 @@ top:
- all: shared
- 
- buildinf.h: ../Makefile
--      $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h
-+      $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap%  -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h
- 
- x86cpuid.s:   x86cpuid.pl perlasm/x86asm.pl
-       $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@

diff --git a/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch b/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch
new file mode 100644 (file)
index 0000000..228654f
--- /dev/null
+++ b/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch
@@ -0,0 +1,42 @@
+From be5cf61caa425070ec4f3e925d4e9aa484c8315b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 5 Nov 2018 17:59:42 -0200
+Subject: [PATCH 1/7] eng_devcrypto: don't leak methods tables
+
+Call functions to prepare methods after confirming that /dev/crytpo was
+sucessfully open and that the destroy function has been set.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit d9d4dff5c640990d45af115353fc9f88a497a56c)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -619,11 +619,6 @@ void engine_load_devcrypto_int()
+         return;
+     }
+ 
+-    prepare_cipher_methods();
+-#ifdef IMPLEMENT_DIGEST
+-    prepare_digest_methods();
+-#endif
+-
+     if ((e = ENGINE_new()) == NULL
+         || !ENGINE_set_destroy_function(e, devcrypto_unload)) {
+         ENGINE_free(e);
+@@ -636,6 +631,11 @@ void engine_load_devcrypto_int()
+         return;
+     }
+ 
++    prepare_cipher_methods();
++#ifdef IMPLEMENT_DIGEST
++    prepare_digest_methods();
++#endif
++
+     if (!ENGINE_set_id(e, "devcrypto")
+         || !ENGINE_set_name(e, "/dev/crypto engine")
+ 

diff --git a/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch b/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch
new file mode 100644 (file)
index 0000000..9e59a16
--- /dev/null
+++ b/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch
@@ -0,0 +1,37 @@
+From add2ab1f289c24a1563c5b895d5cd133fe874f12 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 14 Nov 2018 11:22:14 -0200
+Subject: [PATCH 2/7] eng_devcrypto: expand digest failure cases
+
+Return failure when the digest_ctx is null in digest_update and
+digest_final, and when md is null in digest_final.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 4d9f99654441e36fdcb49540a1dbc9d4c70ccb68)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -438,6 +438,9 @@ static int digest_update(EVP_MD_CTX *ctx
+     if (count == 0)
+         return 1;
+ 
++    if (digest_ctx == NULL)
++        return 0;
++
+     if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;
+@@ -451,6 +454,8 @@ static int digest_final(EVP_MD_CTX *ctx,
+     struct digest_ctx *digest_ctx =
+         (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
+ 
++    if (md == NULL || digest_ctx == NULL)
++        return 0;
+     if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;

diff --git a/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch b/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch
new file mode 100644 (file)
index 0000000..2cfff60
--- /dev/null
+++ b/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch
@@ -0,0 +1,53 @@
+From 68b02a8ab798b7e916c8141a36ab69d7493fc707 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 14 Nov 2018 13:58:06 -0200
+Subject: [PATCH 3/7] eng_devcrypto: fix copy of unitilialized digest
+
+If the source ctx has not been initialized, don't initialize the copy
+either.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit ae8183690fa53b978d4647563f5a521c4cafe94c)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -338,7 +338,8 @@ static int devcrypto_ciphers(ENGINE *e,
+ 
+ struct digest_ctx {
+     struct session_op sess;
+-    int init;
++    /* This signals that the init function was called, not that it succeeded. */
++    int init_called;
+ };
+ 
+ static const struct digest_data_st {
+@@ -403,7 +404,7 @@ static int digest_init(EVP_MD_CTX *ctx)
+     const struct digest_data_st *digest_d =
+         get_digest_data(EVP_MD_CTX_type(ctx));
+ 
+-    digest_ctx->init = 1;
++    digest_ctx->init_called = 1;
+ 
+     memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
+     digest_ctx->sess.mac = digest_d->devcryptoid;
+@@ -476,14 +477,9 @@ static int digest_copy(EVP_MD_CTX *to, c
+         (struct digest_ctx *)EVP_MD_CTX_md_data(to);
+     struct cphash_op cphash;
+ 
+-    if (digest_from == NULL)
++    if (digest_from == NULL || digest_from->init_called != 1)
+         return 1;
+ 
+-    if (digest_from->init != 1) {
+-        SYSerr(SYS_F_IOCTL, EINVAL);
+-        return 0;
+-    }
+-
+     if (!digest_init(to)) {
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;

diff --git a/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch b/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch
new file mode 100644 (file)
index 0000000..050853a
--- /dev/null
+++ b/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch
@@ -0,0 +1,46 @@
+From 5378c582c8d3f1130b17abb2950bfd09cde099c6 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 5 Nov 2018 15:59:44 -0200
+Subject: [PATCH 4/7] eng_devcrypto: close session on cleanup, not final
+
+Close the session in digest_cleanup instead of digest_final.  A failure
+in closing the session does not mean a previous successful digest final
+has failed as well.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit a67203a19d379a8cc8b369587c60c46eb4e19014)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -461,10 +461,6 @@ static int digest_final(EVP_MD_CTX *ctx,
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;
+     }
+-    if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
+-        SYSerr(SYS_F_IOCTL, errno);
+-        return 0;
+-    }
+ 
+     return 1;
+ }
+@@ -496,6 +492,15 @@ static int digest_copy(EVP_MD_CTX *to, c
+ 
+ static int digest_cleanup(EVP_MD_CTX *ctx)
+ {
++    struct digest_ctx *digest_ctx =
++        (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
++
++    if (digest_ctx == NULL)
++        return 1;
++    if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
++        SYSerr(SYS_F_IOCTL, errno);
++        return 0;
++    }
+     return 1;
+ }
+ 

diff --git a/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch b/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch
new file mode 100644 (file)
index 0000000..948ff7c
--- /dev/null
+++ b/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch
@@ -0,0 +1,54 @@
+From a19d1a1d370e2959555fccbafc4e970634840352 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Tue, 13 Nov 2018 09:23:22 -0200
+Subject: [PATCH 5/7] eng_devcrypto: add cipher CTX copy function
+
+The engine needs a custom cipher context copy function to open a new
+/dev/crypto session.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 6d99e238397859f2df58c60e28905193b2dd6762)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -207,6 +207,22 @@ static int cipher_do_cipher(EVP_CIPHER_C
+     return 1;
+ }
+ 
++static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
++{
++    EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2;
++    struct cipher_ctx *cipher_ctx;
++
++    if (type == EVP_CTRL_COPY) {
++        /* when copying the context, a new session needs to be initialized */
++        cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
++        return (cipher_ctx == NULL)
++            || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
++                           (cipher_ctx->op == COP_ENCRYPT));
++    }
++
++    return -1;
++}
++
+ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+     struct cipher_ctx *cipher_ctx =
+@@ -258,10 +274,12 @@ static void prepare_cipher_methods(void)
+                                               cipher_data[i].ivlen)
+             || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
+                                           cipher_data[i].flags
++                                          | EVP_CIPH_CUSTOM_COPY
+                                           | EVP_CIPH_FLAG_DEFAULT_ASN1)
+             || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
+             || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
+                                               cipher_do_cipher)
++            || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
+             || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
+                                             cipher_cleanup)
+             || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],

diff --git a/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch b/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch
new file mode 100644 (file)
index 0000000..54a9236
--- /dev/null
+++ b/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch
@@ -0,0 +1,217 @@
+From 2887a5c8f9a385b3ebee12b98f68e7d1f9cc0ea0 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Wed, 28 Nov 2018 11:26:27 -0200
+Subject: [PATCH 6/7] eng_devcrypto: fix ctr mode
+
+Make CTR mode behave like a stream cipher.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit b5015e834aa7d3f0a5d7585a8fae05cecbdbb848)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -47,10 +47,12 @@ static int cfd;
+ 
+ struct cipher_ctx {
+     struct session_op sess;
+-
+-    /* to pass from init to do_cipher */
+-    const unsigned char *iv;
+     int op;                      /* COP_ENCRYPT or COP_DECRYPT */
++    unsigned long mode;          /* EVP_CIPH_*_MODE */
++
++    /* to handle ctr mode being a stream cipher */
++    unsigned char partial[EVP_MAX_BLOCK_LENGTH];
++    unsigned int blocksize, num;
+ };
+ 
+ static const struct cipher_data_st {
+@@ -87,9 +89,9 @@ static const struct cipher_data_st {
+     { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
+ #endif
+ #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
+-    { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+-    { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+-    { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++    { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++    { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
++    { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ #endif
+ #if 0                            /* Not yet supported */
+     { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
+@@ -146,6 +148,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+     cipher_ctx->sess.keylen = cipher_d->keylen;
+     cipher_ctx->sess.key = (void *)key;
+     cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
++    cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
++    cipher_ctx->blocksize = cipher_d->blocksize;
+     if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
+         SYSerr(SYS_F_IOCTL, errno);
+         return 0;
+@@ -160,8 +164,11 @@ static int cipher_do_cipher(EVP_CIPHER_C
+     struct cipher_ctx *cipher_ctx =
+         (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+     struct crypt_op cryp;
++    unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
+ #if !defined(COP_FLAG_WRITE_IV)
+     unsigned char saved_iv[EVP_MAX_IV_LENGTH];
++    const unsigned char *ivptr;
++    size_t nblocks, ivlen;
+ #endif
+ 
+     memset(&cryp, 0, sizeof(cryp));
+@@ -169,19 +176,28 @@ static int cipher_do_cipher(EVP_CIPHER_C
+     cryp.len = inl;
+     cryp.src = (void *)in;
+     cryp.dst = (void *)out;
+-    cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx);
++    cryp.iv = (void *)iv;
+     cryp.op = cipher_ctx->op;
+ #if !defined(COP_FLAG_WRITE_IV)
+     cryp.flags = 0;
+ 
+-    if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+-        assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
+-        if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+-            unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx);
++    ivlen = EVP_CIPHER_CTX_iv_length(ctx);
++    if (ivlen > 0)
++        switch (cipher_ctx->mode) {
++        case EVP_CIPH_CBC_MODE:
++            assert(inl >= ivlen);
++            if (!EVP_CIPHER_CTX_encrypting(ctx)) {
++                ivptr = in + inl - ivlen;
++                memcpy(saved_iv, ivptr, ivlen);
++            }
++            break;
++
++        case EVP_CIPH_CTR_MODE:
++            break;
+ 
+-            memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx));
++        default: /* should not happen */
++            return 0;
+         }
+-    }
+ #else
+     cryp.flags = COP_FLAG_WRITE_IV;
+ #endif
+@@ -192,17 +208,74 @@ static int cipher_do_cipher(EVP_CIPHER_C
+     }
+ 
+ #if !defined(COP_FLAG_WRITE_IV)
+-    if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
+-        unsigned char *ivptr = saved_iv;
++    if (ivlen > 0)
++        switch (cipher_ctx->mode) {
++        case EVP_CIPH_CBC_MODE:
++            assert(inl >= ivlen);
++            if (EVP_CIPHER_CTX_encrypting(ctx))
++                ivptr = out + inl - ivlen;
++            else
++                ivptr = saved_iv;
++
++            memcpy(iv, ivptr, ivlen);
++            break;
++
++        case EVP_CIPH_CTR_MODE:
++            nblocks = (inl + cipher_ctx->blocksize - 1)
++                      / cipher_ctx->blocksize;
++            do {
++                ivlen--;
++                nblocks += iv[ivlen];
++                iv[ivlen] = (uint8_t) nblocks;
++                nblocks >>= 8;
++            } while (ivlen);
++            break;
++
++        default: /* should not happen */
++            return 0;
++        }
++#endif
++
++    return 1;
++}
+ 
+-        assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
+-        if (!EVP_CIPHER_CTX_encrypting(ctx))
+-            ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx);
++static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++                         const unsigned char *in, size_t inl)
++{
++    struct cipher_ctx *cipher_ctx =
++        (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
++    size_t nblocks, len;
+ 
+-        memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr,
+-               EVP_CIPHER_CTX_iv_length(ctx));
++    /* initial partial block */
++    while (cipher_ctx->num && inl) {
++        (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num];
++        --inl;
++        cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize;
++    }
++
++    /* full blocks */
++    if (inl > (unsigned int) cipher_ctx->blocksize) {
++        nblocks = inl/cipher_ctx->blocksize;
++        len = nblocks * cipher_ctx->blocksize;
++        if (cipher_do_cipher(ctx, out, in, len) < 1)
++            return 0;
++        inl -= len;
++        out += len;
++        in += len;
++    }
++
++    /* final partial block */
++    if (inl) {
++        memset(cipher_ctx->partial, 0, cipher_ctx->blocksize);
++        if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial,
++            cipher_ctx->blocksize) < 1)
++            return 0;
++        while (inl--) {
++            out[cipher_ctx->num] = in[cipher_ctx->num]
++                                   ^ cipher_ctx->partial[cipher_ctx->num];
++            cipher_ctx->num++;
++        }
+     }
+-#endif
+ 
+     return 1;
+ }
+@@ -249,6 +322,7 @@ static void prepare_cipher_methods(void)
+ {
+     size_t i;
+     struct session_op sess;
++    unsigned long cipher_mode;
+ 
+     memset(&sess, 0, sizeof(sess));
+     sess.key = (void *)"01234567890123456789012345678901234567890123456789";
+@@ -266,9 +340,12 @@ static void prepare_cipher_methods(void)
+             || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
+             continue;
+ 
++        cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
++
+         if ((known_cipher_methods[i] =
+                  EVP_CIPHER_meth_new(cipher_data[i].nid,
+-                                     cipher_data[i].blocksize,
++                                     cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
++                                                    cipher_data[i].blocksize,
+                                      cipher_data[i].keylen)) == NULL
+             || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
+                                               cipher_data[i].ivlen)
+@@ -278,6 +355,8 @@ static void prepare_cipher_methods(void)
+                                           | EVP_CIPH_FLAG_DEFAULT_ASN1)
+             || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
+             || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
++                                     cipher_mode == EVP_CIPH_CTR_MODE ?
++                                              ctr_do_cipher :
+                                               cipher_do_cipher)
+             || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
+             || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],

diff --git a/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch b/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch
new file mode 100644 (file)
index 0000000..df87192
--- /dev/null
+++ b/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch
@@ -0,0 +1,71 @@
+From 488521d77fdc1de5ae256ce0d9203e35ebc92993 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Sat, 8 Dec 2018 18:01:04 -0200
+Subject: [PATCH 7/7] eng_devcrypto: make sure digest can do copy
+
+Digest must be able to do partial-state copy to be used.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7585)
+
+(cherry picked from commit 16e252a01b754a13e83d5e5e87afbe389997926b)
+
+--- a/crypto/engine/eng_devcrypto.c
++++ b/crypto/engine/eng_devcrypto.c
+@@ -601,6 +601,30 @@ static int digest_cleanup(EVP_MD_CTX *ct
+     return 1;
+ }
+ 
++static int devcrypto_test_digest(size_t digest_data_index)
++{
++    struct session_op sess1, sess2;
++    struct cphash_op cphash;
++    int ret=0;
++
++    memset(&sess1, 0, sizeof(sess1));
++    memset(&sess2, 0, sizeof(sess2));
++    sess1.mac = digest_data[digest_data_index].devcryptoid;
++    if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
++        return 0;
++    /* Make sure the driver is capable of hash state copy */
++    sess2.mac = sess1.mac;
++    if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
++        cphash.src_ses = sess1.ses;
++        cphash.dst_ses = sess2.ses;
++        if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
++            ret = 1;
++        ioctl(cfd, CIOCFSESSION, &sess2.ses);
++    }
++    ioctl(cfd, CIOCFSESSION, &sess1.ses);
++    return ret;
++}
++
+ /*
+  * Keep a table of known nids and associated methods.
+  * Note that known_digest_nids[] isn't necessarily indexed the same way as
+@@ -613,20 +637,14 @@ static EVP_MD *known_digest_methods[OSSL
+ static void prepare_digest_methods(void)
+ {
+     size_t i;
+-    struct session_op sess;
+-
+-    memset(&sess, 0, sizeof(sess));
+ 
+     for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+          i++) {
+ 
+         /*
+-         * Check that the algo is really availably by trying to open and close
+-         * a session.
++         * Check that the algo is usable
+          */
+-        sess.mac = digest_data[i].devcryptoid;
+-        if (ioctl(cfd, CIOCGSESSION, &sess) < 0
+-            || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
++        if (!devcrypto_test_digest(i))
+             continue;
+ 
+         if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,