From be3892284ca77a69615351b106b8dfbadad728c4 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Mon, 22 Oct 2018 11:32:56 -0300 Subject: [PATCH] openssl: add configuration options, disable ssl3 Adds the following configuration options: * using optimized assembler code (was always on before) * use of x86 SSE2 instructions * dynamic engine support * include error messages * Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms * RFC3779, CMS protocols * VIA padlock hardware acceleration engine Installs openssl.cnf with the library as it is used by engines independent of the openssl util. Fixes DTLS option that was ineffective before. Disables insecure SSL3 protocol and SHA0. Adds openwrt-specific targets to Configure script, including asm support for i386, ppc and mips64. Strips building dirs from CFLAGS shown in binary. Skips the fuzz directory during build. Removed include/crypto/devcrypto.h that was included here, to use the cryptodev-linux package, now that it has been moved from the packages feed to the main openwrt repository. This decreases the size of the ipk binary on MIPS32 by about 3.3%: old: 706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk new: 693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
Signed-off-by: Eneas U de Queiroz
---
package/libs/openssl/Config.in | 206 ++++++++++--
package/libs/openssl/Makefile | 182 ++++++++---
.../libs/openssl/include/crypto/cryptodev.h | 292 ------------------
.../openssl/patches/100-openwrt_targets.patch | 44 +++
.../patches/110-optimize-for-size.patch | 16 -
...30-perl-path.patch => 110-perl-path.patch} | 0
...ile-dirs.patch => 120-makefile-dirs.patch} | 2 +-
...ests.patch => 130-disable_doc_tests.patch} | 0
...70-bash_path.patch => 140-bash_path.patch} | 0
...ault.patch => 150-fix_link_segfault.patch} | 0
.../libs/openssl/patches/150-no_engines.patch | 81 -----
...patch => 160-remove_timestamp_check.patch} | 0
...l_build.patch => 170-parallel_build.patch} | 8 +-
.../180-strip-cflags-from-binary.patch | 21 ++
14 files changed, 376 insertions(+), 476 deletions(-)
delete mode 100644 package/libs/openssl/include/crypto/cryptodev.h
create mode 100644 package/libs/openssl/patches/100-openwrt_targets.patch
delete mode 100644 package/libs/openssl/patches/110-optimize-for-size.patch
rename package/libs/openssl/patches/{130-perl-path.patch => 110-perl-path.patch} (100%)
rename package/libs/openssl/patches/{140-makefile-dirs.patch => 120-makefile-dirs.patch} (83%)
rename package/libs/openssl/patches/{160-disable_doc_tests.patch => 130-disable_doc_tests.patch} (100%)
rename package/libs/openssl/patches/{170-bash_path.patch => 140-bash_path.patch} (100%)
rename package/libs/openssl/patches/{180-fix_link_segfault.patch => 150-fix_link_segfault.patch} (100%)
delete mode 100644 package/libs/openssl/patches/150-no_engines.patch
rename package/libs/openssl/patches/{190-remove_timestamp_check.patch => 160-remove_timestamp_check.patch} (100%)
rename package/libs/openssl/patches/{200-parallel_build.patch => 170-parallel_build.patch} (97%)
create mode 100644 package/libs/openssl/patches/180-strip-cflags-from-binary.patch
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index c39e28510f..fe73229915 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -1,72 +1,216 @@ if PACKAGE_libopenssl -config OPENSSL_WITH_EC +comment "Build Options" + +config OPENSSL_OPTIMIZE_SPEED + bool + prompt "Enable optimization for speed instead of size" + select OPENSSL_WITH_ASM + help + Enabling this option increases code size (around 20%) and + performance. The increase in performance and size depends on the + target CPU. EC and AES seem to benefit the most, with EC speed + increased by 20%-50% (mipsel & x86). + AES-GCM is supposed to be 3x faster on x86. YMMV. + +config OPENSSL_WITH_ASM bool default y - prompt "Enable elliptic curve support" + prompt "Compile with optimized assembly code" + depends on !arc + help + Disabling this option will reduce code size and performance. + The increase in performance and size depends on the target + CPU and on the algorithms being optimized. As of 1.1.0i*: -config OPENSSL_WITH_EC2M - bool - depends on OPENSSL_WITH_EC - prompt "Enable ec2m support" + Platform Pkg Inc. Algorithms where assembly is used - ~% Speed Increase + aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 + arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 + i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% + mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% + mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 + powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 + x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% -config OPENSSL_WITH_SSL3 + * Only most common algorithms shown. Your mileage may vary. + BN (bignum) performance was measured using RSA sign/verify. 
+ +config OPENSSL_WITH_SSE2 bool - default n - prompt "Enable sslv3 support" + default y if !TARGET_x86_legacy && !TARGET_x86_geode + prompt "Enable use of x86 SSE2 instructions" + depends on OPENSSL_WITH_ASM && i386 + help + Use of SSE2 instructions greatly increase performance (up to + 3x faster) with a minimum (~0.2%, or 23KB) increase in package + size, but it will bring no benefit if your hardware does not + support them, such as Geode GX and LX. In this case you may + save 23KB by saying yes here. AMD Geode NX, and Intel + Pentium 4 and above support SSE2. config OPENSSL_WITH_DEPRECATED bool default y - prompt "Include deprecated APIs" + prompt "Include deprecated APIs (See help for a list of packages that need this)" + help + Squid currently requires this. config OPENSSL_NO_DEPRECATED bool default !OPENSSL_WITH_DEPRECATED -config OPENSSL_WITH_DTLS +config OPENSSL_WITH_ERROR_MESSAGES bool - default n - prompt "Enable DTLS support" + prompt "Include error messages" + help + This option aids debugging, but increases package size and + memory usage. -config OPENSSL_WITH_COMPRESSION +comment "Protocol Support" + +config OPENSSL_WITH_DTLS bool - default n - prompt "Enable compression support" + prompt "Enable DTLS support" + help + Datagram Transport Layer Security (DTLS) provides TLS-like security + for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications. config OPENSSL_WITH_NPN bool default y prompt "Enable NPN support" + help + NPN is a TLS extension, obsoleted and replaced with ALPN, + used to negotiate SPDY, and HTTP/2. + +config OPENSSL_WITH_SRP + bool + default y + prompt "Enable SRP support" + help + The Secure Remote Password protocol (SRP) is an augmented + password-authenticated key agreement (PAKE) protocol, specifically + designed to work around existing patents. 
+ +config OPENSSL_WITH_CMS + bool + default y + prompt "Enable CMS (RFC 5652) support" + help + Cryptographic Message Syntax (CMS) is used to digitally sign, + digest, authenticate, or encrypt arbitrary message content. + +comment "Algorithm Selection" + +config OPENSSL_WITH_EC + bool + default y + prompt "Enable elliptic curve support" + help + Elliptic-curve cryptography (ECC) is an approach to public-key + cryptography based on the algebraic structure of elliptic curves + over finite fields. ECC requires smaller keys compared to non-ECC + cryptography to provide equivalent security. + +config OPENSSL_WITH_EC2M + bool + depends on OPENSSL_WITH_EC + prompt "Enable ec2m support" + help + This option enables the more efficient, yet less common, binary + field elliptic curves. config OPENSSL_WITH_PSK bool default y prompt "Enable PSK support" + help + Build support for Pre-Shared Key based cipher suites. -config OPENSSL_WITH_SRP +comment "Less commonly used build options" + +config OPENSSL_WITH_CAMELLIA bool - default y - prompt "Enable SRP support" + prompt "Enable Camellia cipher support" + help + Camellia is a bock cipher with security levels and processing + abilities comparable to AES. -config OPENSSL_ENGINE_DIGEST +config OPENSSL_WITH_IDEA bool - depends on OPENSSL_ENGINE_CRYPTO - prompt "Digests acceleration support" + prompt "Enable IDEA cipher support" + help + IDEA is a block cipher with 128-bit keys. -config OPENSSL_HARDWARE_SUPPORT +config OPENSSL_WITH_SEED bool - default n - prompt "Enable hardware support" + prompt "Enable SEED cipher support" + help + SEED is a block cipher with 128-bit keys broadly used in + South Korea, but seldom found elsewhere. 
-config OPENSSL_OPTIMIZE_SPEED +config OPENSSL_WITH_MDC2 bool - default n - prompt "Enable optimization for speed instead of size" + prompt "Enable MDC2 digest support" -endif +config OPENSSL_WITH_WHIRLPOOL + bool + prompt "Enable Whirlpool digest support" + +config OPENSSL_WITH_COMPRESSION + bool + prompt "Enable compression support" + help + TLS compression is not recommended, as it is deemed insecure. + The CRIME attack exploits this weakness. + Even with this option turned on, it is disabled by default, and the + application must explicitly turn it on. + +config OPENSSL_WITH_RFC3779 + bool + prompt "Enable RFC3779 support (BGP)" + help + RFC 3779 defines two X.509 v3 certificate extensions. The first + binds a list of IP address blocks, or prefixes, to the subject of a + certificate. The second binds a list of autonomous system + identifiers to the subject of a certificate. These extensions may be + used to convey the authorization of the subject to use the IP + addresses and autonomous system identifiers contained in the + extensions. + +comment "Engine/Hardware Support" + +config OPENSSL_ENGINE + bool "Enable engine support" + help + This enables alternative cryptography implementations, + most commonly for interfacing with external crypto devices, + or supporting new/alternative ciphers and digests. config OPENSSL_ENGINE_CRYPTO bool - select OPENSSL_HARDWARE_SUPPORT - prompt "Crypto acceleration support" if PACKAGE_libopenssl + select OPENSSL_ENGINE + select PACKAGE_kmod-cryptodev + prompt "Acceleration support through /dev/crypto" + help + This enables use of hardware acceleration through OpenBSD + Cryptodev API (/dev/crypto) interface. + You must install kmod-cryptodev (under Kernel modules, Cryptographic + API modules) for /dev/crypto to show up and use hardware + acceleration; otherwise it falls back to software. 
+ +config OPENSSL_ENGINE_DIGEST + bool + depends on OPENSSL_ENGINE_CRYPTO + prompt "/dev/crypto digest (md5/sha1) acceleration support" + +config OPENSSL_WITH_GOST + bool + prompt "Prepare library for GOST engine" + depends on OPENSSL_ENGINE + help + This option prepares the library to accept engine support + for Russian GOST crypto algorithms. + +endif + diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 71c2c9c028..d9b1de2581 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -15,7 +15,7 @@ PKG_RELEASE:=2 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=0 - +PKG_BUILD_DEPENDS:=cryptodev-linux PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ @@ -25,24 +25,35 @@ PKG_SOURCE_URL:= \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684 +ENGINES_DIR=engines PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ + CONFIG_OPENSSL_ENGINE \ CONFIG_OPENSSL_ENGINE_CRYPTO \ CONFIG_OPENSSL_ENGINE_DIGEST \ - CONFIG_OPENSSL_WITH_EC \ - CONFIG_OPENSSL_WITH_EC2M \ - CONFIG_OPENSSL_WITH_SSL3 \ - CONFIG_OPENSSL_HARDWARE_SUPPORT \ CONFIG_OPENSSL_NO_DEPRECATED \ - CONFIG_OPENSSL_WITH_DTLS \ + CONFIG_OPENSSL_OPTIMIZE_SPEED \ + CONFIG_OPENSSL_WITH_ASM \ + CONFIG_OPENSSL_WITH_CAMELLIA \ + CONFIG_OPENSSL_WITH_CMS \ CONFIG_OPENSSL_WITH_COMPRESSION \ + CONFIG_OPENSSL_WITH_DTLS \ + CONFIG_OPENSSL_WITH_EC \ + CONFIG_OPENSSL_WITH_EC2M \ + CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ + CONFIG_OPENSSL_WITH_GOST \ + CONFIG_OPENSSL_WITH_IDEA \ + CONFIG_OPENSSL_WITH_MDC2 \ CONFIG_OPENSSL_WITH_NPN \ CONFIG_OPENSSL_WITH_PSK \ + CONFIG_OPENSSL_WITH_RFC3779 \ + CONFIG_OPENSSL_WITH_SEED \ CONFIG_OPENSSL_WITH_SRP \ - CONFIG_OPENSSL_OPTIMIZE_SPEED + CONFIG_OPENSSL_WITH_SSE2 \ + CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk 
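Review bot: The help text added for OPENSSL_WITH_SSE2 contradicts itself: it says hardware without SSE2 gets no benefit and then `In this case you may save 23KB by saying yes here`, whereas the saving comes from answering no. I would reword that sentence to `In this case you may save 23KB by saying no here.` In the same hunk the Camellia help reads `a bock cipher` (should be `block cipher`). OPENSSL_WITH_MDC2 and OPENSSL_WITH_WHIRLPOOL have no help text at all, unlike the other optional algorithms; a one-line help saying they are legacy digests to enable only when an application requires them would explain why they default to off.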
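Review bot: `ENGINES_DIR=engines` sits between `PKG_HASH` and `PKG_LICENSE` and uses recursive `=` while every neighbouring assignment uses `:=`; I would write `ENGINES_DIR:=engines` and keep it with the other OpenSSL-specific variables. The reordered `PKG_CONFIG_DEPENDS` list also omits `CONFIG_PACKAGE_libopenssl-padlock`, although a later hunk adds `no-hw-padlock` depending on that symbol. The `STAMP_CONFIGURED` hash over `OPENSSL_OPTIONS` probably covers the reconfigure, but a short comment saying so would save the next maintainer from guessing.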
@@ -54,6 +65,8 @@ endif define Package/openssl/Default TITLE:=Open source SSL toolkit URL:=http://www.openssl.org/ + SECTION:=libs + CATEGORY:=Libraries endef define Package/libopenssl/config @@ -62,16 +75,14 @@ endef define Package/openssl/Default/description The OpenSSL Project is a collaborative effort to develop a robust, -commercial-grade, full-featured, and Open Source toolkit implementing the Secure -Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well -as a full-strength general purpose cryptography library. +commercial-grade, full-featured, and Open Source toolkit implementing the +Transport Layer Security (TLS) protocol as well as a full-strength +general-purpose cryptography library. endef define Package/libopenssl $(call Package/openssl/Default) - SECTION:=libs SUBMENU:=SSL - CATEGORY:=Libraries DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib TITLE+= (libraries) ABI_VERSION:=1.0.0 
@@ -100,19 +111,35 @@ $(call Package/openssl/Default/description) This package contains the OpenSSL command-line utility. endef +define Package/libopenssl-gost + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=Russian GOST algorithms engine + DEPENDS:=libopenssl +@OPENSSL_WITH_GOST +endef + +define Package/libopenssl-gost/description +This package adds an engine that enables Russian GOST algorithms. +To use it, you need to configure the engine in /etc/ssl/openssl.cnf +See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE +The engine_id is "gost" +endef -OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \ - no-whrlpool no-whirlpool no-seed no-jpake -OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats +define Package/libopenssl-padlock + $(call Package/openssl/Default) + SUBMENU:=SSL + TITLE:=VIA Padlock hardware acceleration engine + DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock +endef -ifdef CONFIG_OPENSSL_ENGINE_CRYPTO - OPENSSL_OPTIONS += -DHAVE_CRYPTODEV - ifdef CONFIG_OPENSSL_ENGINE_DIGEST - OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS - endif -else - OPENSSL_OPTIONS += no-engines -endif +define Package/libopenssl-padlock/description +This package adds an engine that enables VIA Padlock hardware acceleration. +To use it, you need to configure it in /etc/ssl/openssl.cnf. +See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE +The engine_id is "padlock" +endef + +OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method ifndef CONFIG_OPENSSL_WITH_EC OPENSSL_OPTIONS += no-ec 
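Review bot: The new `OPENSSL_OPTIONS` line passes only `no-ssl2-method no-ssl3-method`, while the code it replaces passed `no-ssl2` explicitly, `no-ssl3` when OPENSSL_WITH_SSL3 was off, and `no-md2 no-rc5 no-krb5 no-jpake` through `OPENSSL_NO_CIPHERS`. The build now appears to rely on Configure's own defaults, and on the `-method` switches implying the protocol switches, neither of which is visible in this patch. Since the commit's stated goal is to disable SSL3, I would keep the protocol switches explicit: `OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2 no-ssl2-method no-ssl3 no-ssl3-method`. Failing that, a comment should name the upstream defaults being relied on, so that a version bump does not silently re-enable them.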
@@ -122,20 +149,70 @@ ifndef CONFIG_OPENSSL_WITH_EC2M OPENSSL_OPTIONS += no-ec2m endif -ifndef CONFIG_OPENSSL_WITH_SSL3 - OPENSSL_OPTIONS += no-ssl3 no-ssl3-method +ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES + OPENSSL_OPTIONS += no-err +endif + +ifndef CONFIG_OPENSSL_WITH_CAMELLIA + OPENSSL_OPTIONS += no-camellia +endif + +ifndef CONFIG_OPENSSL_WITH_IDEA + OPENSSL_OPTIONS += no-idea +endif + +ifndef CONFIG_OPENSSL_WITH_SEED + OPENSSL_OPTIONS += no-seed endif -ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT - OPENSSL_OPTIONS += no-hw +ifndef CONFIG_OPENSSL_WITH_MDC2 + OPENSSL_OPTIONS += no-mdc2 +endif + +ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL + OPENSSL_OPTIONS += no-whirlpool +endif + +ifndef CONFIG_OPENSSL_WITH_CMS + OPENSSL_OPTIONS += no-cms +endif + +ifdef CONFIG_OPENSSL_WITH_RFC3779 + OPENSSL_OPTIONS += enable-rfc3779 endif ifdef CONFIG_OPENSSL_NO_DEPRECATED OPENSSL_OPTIONS += no-deprecated endif +ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) + TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 +else + OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT +endif + +ifdef CONFIG_OPENSSL_ENGINE + ifdef CONFIG_OPENSSL_ENGINE_CRYPTO + OPENSSL_OPTIONS += -DHAVE_CRYPTODEV + ifdef CONFIG_OPENSSL_ENGINE_DIGEST + OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS + endif + endif + ifndef CONFIG_PACKAGE_libopenssl-padlock + OPENSSL_OPTIONS += no-hw-padlock + endif +else + OPENSSL_OPTIONS += no-engine +endif + +ifndef CONFIG_OPENSSL_WITH_GOST + OPENSSL_OPTIONS += no-gost +endif + +# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code, +# but openssl util gets built without it ifndef CONFIG_OPENSSL_WITH_DTLS - OPENSSL_OPTIONS += no-dtls + OPENSSL_OPTIONS += no-dtls no-dtls1 endif ifdef CONFIG_OPENSSL_WITH_COMPRESSION 
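Review bot: The comment added above the DTLS block says the library keeps the DTLS code even with `no-dtls no-dtls1`, but the OPENSSL_WITH_DTLS help in Config.in does not tell the user that. Someone turning the option off to reduce the protocol code exposed by libssl would get less than the prompt suggests. I would add a sentence to the Kconfig help, for example `Disabling this only removes DTLS from the openssl utility; the library still contains the DTLS code.` As a style point, this hunk tests `ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)` while every other symbol uses `ifdef`/`ifndef`; using `ifdef` here would be consistent.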
@@ -156,27 +233,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP OPENSSL_OPTIONS += no-srp endif -ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) - TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3 +ifndef CONFIG_OPENSSL_WITH_ASM + OPENSSL_OPTIONS += no-asm endif -ifeq ($(CONFIG_x86_64),y) - OPENSSL_TARGET:=linux-x86_64-openwrt - OPENSSL_MAKEFLAGS += LIBDIR=lib -else - OPENSSL_OPTIONS+=no-sse2 - ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y) - OPENSSL_TARGET:=linux-mips-openwrt - else ifeq ($(CONFIG_aarch64),y) - OPENSSL_TARGET:=linux-aarch64-openwrt - else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y) - OPENSSL_TARGET:=linux-armv4-openwrt - else - OPENSSL_TARGET:=linux-generic-openwrt - OPENSSL_OPTIONS+=no-perlasm +ifdef CONFIG_i386 + ifndef CONFIG_OPENSSL_WITH_SSE2 + OPENSSL_OPTIONS += no-sse2 endif endif +OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt + STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) define Build/Configure @@ -187,11 +255,10 @@ define Build/Configure (cd $(PKG_BUILD_DIR); \ ./Configure $(OPENSSL_TARGET) \ --prefix=/usr \ + --libdir=lib \ --openssldir=/etc/ssl \ $(TARGET_CPPFLAGS) \ - $(TARGET_LDFLAGS) -ldl \ - $(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \ - $(OPENSSL_NO_CIPHERS) \ + $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) \ ) +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ @@ -202,7 +269,7 @@ define Build/Configure depend endef -TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections +TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections TARGET_LDFLAGS += -Wl,--gc-sections define Build/Compile 
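Review bot: The new `OPENSSL_TARGET` assignment derives the target name directly from CONFIG_ARCH and has no fallback, whereas the removed code ended in `linux-generic-openwrt` for architectures it did not recognise. 100-openwrt_targets.patch in this commit defines a fixed list of targets plus `linux-generic32-openwrt`, but nothing visible here ever selects the generic one. An architecture outside that list would presumably make Configure stop on an unknown target. I would select the generic target whenever CONFIG_ARCH is not one of the names the patch defines, as sketched below; the list must be kept in sync with the patch.

```make
openssl_arch := $(call qstrip,$(CONFIG_ARCH))
openssl_known_archs := aarch64 arc arm armeb i386 mips mips64 mips64el mipsel powerpc x86_64
ifneq ($(filter $(openssl_arch),$(openssl_known_archs)),)
  OPENSSL_TARGET:=linux-$(openssl_arch)-openwrt
else
  OPENSSL_TARGET:=linux-generic32-openwrt
endif
# … unchanged: STAMP_CONFIGURED definition …
```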
@@ -251,20 +318,33 @@ define Build/InstallDev endef define Package/libopenssl/install + $(INSTALL_DIR) $(1)/etc/ssl/certs + $(INSTALL_DIR) $(1)/etc/ssl/private + chmod 0700 $(1)/etc/ssl/private $(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/ + $(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)) endef define Package/openssl-util/install $(INSTALL_DIR) $(1)/etc/ssl $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ - $(INSTALL_DIR) $(1)/etc/ssl/certs - $(INSTALL_DIR) $(1)/etc/ssl/private - chmod 0700 $(1)/etc/ssl/private $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ endef +define Package/libopenssl-padlock/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) +endef + +define Package/libopenssl-gost/install + $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR) +endef + $(eval $(call BuildPackage,libopenssl)) +$(eval $(call BuildPackage,libopenssl-gost)) +$(eval $(call BuildPackage,libopenssl-padlock)) $(eval $(call BuildPackage,openssl-util)) diff --git a/package/libs/openssl/include/crypto/cryptodev.h b/package/libs/openssl/include/crypto/cryptodev.h deleted file mode 100644 index 7fb9c7dcda..0000000000 --- a/package/libs/openssl/include/crypto/cryptodev.h +++ /dev/null 
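Review bot: `Package/libopenssl/install` gains the certs and private directories but not `openssl.cnf`; the `$(CP) ... openssl.cnf` line is still in `Package/openssl-util/install`. That does not match the commit description, which says the file is installed with the library. The new libopenssl-gost and libopenssl-padlock packages depend only on libopenssl and tell the user to configure the engine in /etc/ssl/openssl.cnf, so a system without openssl-util would have no such file unless a part of the Makefile outside this hunk provides it. I would move `$(INSTALL_DIR) $(1)/etc/ssl` and `$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/` into `Package/libopenssl/install`.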
@@ -1,292 +0,0 @@ -/* This is a source compatible implementation with the original API of - * cryptodev by Angelos D. Keromytis, found at openbsd cryptodev.h. - * Placed under public domain */ - -#ifndef L_CRYPTODEV_H -#define L_CRYPTODEV_H - -#include -#ifndef __KERNEL__ -#define __user -#endif - -/* API extensions for linux */ -#define CRYPTO_HMAC_MAX_KEY_LEN 512 -#define CRYPTO_CIPHER_MAX_KEY_LEN 64 - -/* All the supported algorithms - */ -enum cryptodev_crypto_op_t { - CRYPTO_DES_CBC = 1, - CRYPTO_3DES_CBC = 2, - CRYPTO_BLF_CBC = 3, - CRYPTO_CAST_CBC = 4, - CRYPTO_SKIPJACK_CBC = 5, - CRYPTO_MD5_HMAC = 6, - CRYPTO_SHA1_HMAC = 7, - CRYPTO_RIPEMD160_HMAC = 8, - CRYPTO_MD5_KPDK = 9, - CRYPTO_SHA1_KPDK = 10, - CRYPTO_RIJNDAEL128_CBC = 11, - CRYPTO_AES_CBC = CRYPTO_RIJNDAEL128_CBC, - CRYPTO_ARC4 = 12, - CRYPTO_MD5 = 13, - CRYPTO_SHA1 = 14, - CRYPTO_DEFLATE_COMP = 15, - CRYPTO_NULL = 16, - CRYPTO_LZS_COMP = 17, - CRYPTO_SHA2_256_HMAC = 18, - CRYPTO_SHA2_384_HMAC = 19, - CRYPTO_SHA2_512_HMAC = 20, - CRYPTO_AES_CTR = 21, - CRYPTO_AES_XTS = 22, - CRYPTO_AES_ECB = 23, - CRYPTO_AES_GCM = 50, - - CRYPTO_CAMELLIA_CBC = 101, - CRYPTO_RIPEMD160, - CRYPTO_SHA2_224, - CRYPTO_SHA2_256, - CRYPTO_SHA2_384, - CRYPTO_SHA2_512, - CRYPTO_SHA2_224_HMAC, - CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */ -}; - -#define CRYPTO_ALGORITHM_MAX (CRYPTO_ALGORITHM_ALL - 1) - -/* Values for ciphers */ -#define DES_BLOCK_LEN 8 -#define DES3_BLOCK_LEN 8 -#define RIJNDAEL128_BLOCK_LEN 16 -#define AES_BLOCK_LEN RIJNDAEL128_BLOCK_LEN -#define CAMELLIA_BLOCK_LEN 16 -#define BLOWFISH_BLOCK_LEN 8 -#define SKIPJACK_BLOCK_LEN 8 -#define CAST128_BLOCK_LEN 8 - -/* the maximum of the above */ -#define EALG_MAX_BLOCK_LEN 16 - -/* Values for hashes/MAC */ -#define AALG_MAX_RESULT_LEN 64 - -/* maximum length of verbose alg names (depends on CRYPTO_MAX_ALG_NAME) */ -#define CRYPTODEV_MAX_ALG_NAME 64 - -#define HASH_MAX_LEN 64 - -/* input of CIOCGSESSION */ -struct session_op { - /* Specify either cipher or 
mac - */ - __u32 cipher; /* cryptodev_crypto_op_t */ - __u32 mac; /* cryptodev_crypto_op_t */ - - __u32 keylen; - __u8 __user *key; - __u32 mackeylen; - __u8 __user *mackey; - - __u32 ses; /* session identifier */ -}; - -struct session_info_op { - __u32 ses; /* session identifier */ - - /* verbose names for the requested ciphers */ - struct alg_info { - char cra_name[CRYPTODEV_MAX_ALG_NAME]; - char cra_driver_name[CRYPTODEV_MAX_ALG_NAME]; - } cipher_info, hash_info; - - __u16 alignmask; /* alignment constraints */ - __u32 flags; /* SIOP_FLAGS_* */ -}; - -/* If this flag is set then this algorithm uses - * a driver only available in kernel (software drivers, - * or drivers based on instruction sets do not set this flag). - * - * If multiple algorithms are involved (as in AEAD case), then - * if one of them is kernel-driver-only this flag will be set. - */ -#define SIOP_FLAG_KERNEL_DRIVER_ONLY 1 - -#define COP_ENCRYPT 0 -#define COP_DECRYPT 1 - -/* input of CIOCCRYPT */ -struct crypt_op { - __u32 ses; /* session identifier */ - __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ - __u16 flags; /* see COP_FLAG_* */ - __u32 len; /* length of source data */ - __u8 __user *src; /* source data */ - __u8 __user *dst; /* pointer to output data */ - /* pointer to output data for hash/MAC operations */ - __u8 __user *mac; - /* initialization vector for encryption operations */ - __u8 __user *iv; -}; - -/* input of CIOCAUTHCRYPT */ -struct crypt_auth_op { - __u32 ses; /* session identifier */ - __u16 op; /* COP_ENCRYPT or COP_DECRYPT */ - __u16 flags; /* see COP_FLAG_AEAD_* */ - __u32 len; /* length of source data */ - __u32 auth_len; /* length of auth data */ - __u8 __user *auth_src; /* authenticated-only data */ - - /* The current implementation is more efficient if data are - * encrypted in-place (src==dst). */ - __u8 __user *src; /* data to be encrypted and authenticated */ - __u8 __user *dst; /* pointer to output data. Must have - * space for tag. 
For TLS this should be at least - * len + tag_size + block_size for padding */ - - __u8 __user *tag; /* where the tag will be copied to. TLS mode - * doesn't use that as tag is copied to dst. - * SRTP mode copies tag there. */ - __u32 tag_len; /* the length of the tag. Use zero for digest size or max tag. */ - - /* initialization vector for encryption operations */ - __u8 __user *iv; - __u32 iv_len; -}; - -/* In plain AEAD mode the following are required: - * flags : 0 - * iv : the initialization vector (12 bytes) - * auth_len: the length of the data to be authenticated - * auth_src: the data to be authenticated - * len : length of data to be encrypted - * src : the data to be encrypted - * dst : space to hold encrypted data. It must have - * at least a size of len + tag_size. - * tag_size: the size of the desired authentication tag or zero to use - * the maximum tag output. - * - * Note tag isn't being used because the Linux AEAD interface - * copies the tag just after data. - */ - -/* In TLS mode (used for CBC ciphers that required padding) - * the following are required: - * flags : COP_FLAG_AEAD_TLS_TYPE - * iv : the initialization vector - * auth_len: the length of the data to be authenticated only - * len : length of data to be encrypted - * auth_src: the data to be authenticated - * src : the data to be encrypted - * dst : space to hold encrypted data (preferably in-place). It must have - * at least a size of len + tag_size + blocksize. - * tag_size: the size of the desired authentication tag or zero to use - * the default mac output. - * - * Note that the padding used is the minimum padding. - */ - -/* In SRTP mode the following are required: - * flags : COP_FLAG_AEAD_SRTP_TYPE - * iv : the initialization vector - * auth_len: the length of the data to be authenticated. This must - * include the SRTP header + SRTP payload (data to be encrypted) + rest - * - * len : length of data to be encrypted - * auth_src: pointer the data to be authenticated. 
Should point at the same buffer as src. - * src : pointer to the data to be encrypted. - * dst : This is mandatory to be the same as src (in-place only). - * tag_size: the size of the desired authentication tag or zero to use - * the default mac output. - * tag : Pointer to an address where the authentication tag will be copied. - */ - - -/* struct crypt_op flags */ - -#define COP_FLAG_NONE (0 << 0) /* totally no flag */ -#define COP_FLAG_UPDATE (1 << 0) /* multi-update hash mode */ -#define COP_FLAG_FINAL (1 << 1) /* multi-update final hash mode */ -#define COP_FLAG_WRITE_IV (1 << 2) /* update the IV during operation */ -#define COP_FLAG_NO_ZC (1 << 3) /* do not zero-copy */ -#define COP_FLAG_AEAD_TLS_TYPE (1 << 4) /* authenticate and encrypt using the - * TLS protocol rules */ -#define COP_FLAG_AEAD_SRTP_TYPE (1 << 5) /* authenticate and encrypt using the - * SRTP protocol rules */ -#define COP_FLAG_RESET (1 << 6) /* multi-update reset the state. - * should be used in combination - * with COP_FLAG_UPDATE */ - - -/* Stuff for bignum arithmetic and public key - * cryptography - not supported yet by linux - * cryptodev. 
- */ - -#define CRYPTO_ALG_FLAG_SUPPORTED 1 -#define CRYPTO_ALG_FLAG_RNG_ENABLE 2 -#define CRYPTO_ALG_FLAG_DSA_SHA 4 - -struct crparam { - __u8 *crp_p; - __u32 crp_nbits; -}; - -#define CRK_MAXPARAM 8 - -/* input of CIOCKEY */ -struct crypt_kop { - __u32 crk_op; /* cryptodev_crk_op_t */ - __u32 crk_status; - __u16 crk_iparams; - __u16 crk_oparams; - __u32 crk_pad1; - struct crparam crk_param[CRK_MAXPARAM]; -}; - -enum cryptodev_crk_op_t { - CRK_MOD_EXP = 0, - CRK_MOD_EXP_CRT = 1, - CRK_DSA_SIGN = 2, - CRK_DSA_VERIFY = 3, - CRK_DH_COMPUTE_KEY = 4, - CRK_ALGORITHM_ALL -}; - -#define CRK_ALGORITHM_MAX (CRK_ALGORITHM_ALL-1) - -/* features to be queried with CIOCASYMFEAT ioctl - */ -#define CRF_MOD_EXP (1 << CRK_MOD_EXP) -#define CRF_MOD_EXP_CRT (1 << CRK_MOD_EXP_CRT) -#define CRF_DSA_SIGN (1 << CRK_DSA_SIGN) -#define CRF_DSA_VERIFY (1 << CRK_DSA_VERIFY) -#define CRF_DH_COMPUTE_KEY (1 << CRK_DH_COMPUTE_KEY) - - -/* ioctl's. Compatible with old linux cryptodev.h - */ -#define CRIOGET _IOWR('c', 101, __u32) -#define CIOCGSESSION _IOWR('c', 102, struct session_op) -#define CIOCFSESSION _IOW('c', 103, __u32) -#define CIOCCRYPT _IOWR('c', 104, struct crypt_op) -#define CIOCKEY _IOWR('c', 105, struct crypt_kop) -#define CIOCASYMFEAT _IOR('c', 106, __u32) -#define CIOCGSESSINFO _IOWR('c', 107, struct session_info_op) - -/* to indicate that CRIOGET is not required in linux - */ -#define CRIOGET_NOT_NEEDED 1 - -/* additional ioctls for AEAD */ -#define CIOCAUTHCRYPT _IOWR('c', 109, struct crypt_auth_op) - -/* additional ioctls for asynchronous operation. - * These are conditionally enabled since version 1.6. - */ -#define CIOCASYNCCRYPT _IOW('c', 110, struct crypt_op) -#define CIOCASYNCFETCH _IOR('c', 111, struct crypt_op) - -#endif /* L_CRYPTODEV_H */ diff --git a/package/libs/openssl/patches/100-openwrt_targets.patch b/package/libs/openssl/patches/100-openwrt_targets.patch new file mode 100644 index 0000000000..52a51f9f47 --- /dev/null 
+++ b/package/libs/openssl/patches/100-openwrt_targets.patch 
@@ -0,0 +1,44 @@ +From 1ce02d8c7ce3e4a2c16b92968c8aea5a15746917 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Wed, 26 Sep 2018 16:21:27 -0300 +Subject: Add openwrt targets + +Targets are named: linux-$(CONFIG_ARCH)-openwrt + +Signed-off-by: Eneas U de Queiroz + +--- a/Configure ++++ b/Configure +@@ -470,6 +470,32 @@ my %table=( + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + ++# OpenWrt targets ++# from linux-aarch64 ++"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-generic32 ++"linux-arc-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-armv4 ++"linux-arm-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-armv4 ++"linux-armeb-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-elf ++"linux-i386-openwrt", "gcc:-DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-mips32 ++"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux64-mips64 ++"linux-mips64-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux64-mips64 ++"linux-mips64el-openwrt", "gcc:-mabi=64 -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux-mips32 ++"linux-mipsel-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-ppc ++"linux-powerpc-openwrt", "gcc:-DB_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++# from linux-x86_64 ++"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", ++# from linux-generic32 ++"linux-generic32-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer 
-Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ++ + # Android: linux-* but without pointers to headers and libs. + "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/libs/openssl/patches/110-optimize-for-size.patch b/package/libs/openssl/patches/110-optimize-for-size.patch deleted file mode 100644 index d6d4a21111..0000000000 --- a/package/libs/openssl/patches/110-optimize-for-size.patch +++ /dev/null 
@@ -1,16 +0,0 @@
---- a/Configure
-+++ b/Configure
-@@ -470,6 +470,13 @@ my %table=(
- "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
- "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-
-+# OpenWrt targets
-+"linux-armv4-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-aarch64-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-x86_64-openwrt", "gcc:-m64 -DL_ENDIAN -DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-+"linux-mips-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic-openwrt","gcc:-DTERMIOS \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+
- # Android: linux-* but without pointers to headers and libs.
- "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/libs/openssl/patches/130-perl-path.patch b/package/libs/openssl/patches/110-perl-path.patch similarity index 100% rename from package/libs/openssl/patches/130-perl-path.patch rename to package/libs/openssl/patches/110-perl-path.patch diff --git a/package/libs/openssl/patches/140-makefile-dirs.patch b/package/libs/openssl/patches/120-makefile-dirs.patch similarity index 83% rename from package/libs/openssl/patches/140-makefile-dirs.patch rename to package/libs/openssl/patches/120-makefile-dirs.patch index 83c412f444..5bcb316486 100644 --- a/package/libs/openssl/patches/140-makefile-dirs.patch +++ b/package/libs/openssl/patches/120-makefile-dirs.patch @@ -5,7 +5,7 @@ BASEADDR= -DIRS= crypto ssl engines apps test tools -+DIRS= crypto ssl apps ++DIRS= crypto ssl engines apps ENGDIRS= ccgost SHLIBDIRS= crypto ssl diff --git a/package/libs/openssl/patches/160-disable_doc_tests.patch b/package/libs/openssl/patches/130-disable_doc_tests.patch similarity index 100% rename from package/libs/openssl/patches/160-disable_doc_tests.patch rename to package/libs/openssl/patches/130-disable_doc_tests.patch diff --git a/package/libs/openssl/patches/170-bash_path.patch b/package/libs/openssl/patches/140-bash_path.patch similarity index 100% rename from package/libs/openssl/patches/170-bash_path.patch rename to package/libs/openssl/patches/140-bash_path.patch 
diff --git a/package/libs/openssl/patches/180-fix_link_segfault.patch b/package/libs/openssl/patches/150-fix_link_segfault.patch similarity index 100% rename from package/libs/openssl/patches/180-fix_link_segfault.patch rename to package/libs/openssl/patches/150-fix_link_segfault.patch diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch deleted file mode 100644 index a518a00496..0000000000 --- a/package/libs/openssl/patches/150-no_engines.patch +++ /dev/null @@ -1,81 +0,0 @@ ---- a/Configure -+++ b/Configure -@@ -2144,6 +2144,11 @@ EOF - close(OUT); - } - -+# ugly hack to disable engines -+if($target eq "mingwx") { -+ system("sed -e s/^LIB/XLIB/g -i engines/Makefile"); -+} -+ - print < +Date: Wed, 26 Sep 2018 18:04:58 -0300 +Subject: Avoid exposing build directories + +The CFLAGS contain the build directories, and are shown by calling +SSLeay_version(SSLEAY_CFLAGS), or running openssl version -a + +Signed-off-by: Eneas U de Queiroz + +--- a/crypto/Makefile ++++ b/crypto/Makefile +@@ -57,7 +57,7 @@ top: + all: shared + + buildinf.h: ../Makefile +- $(PERL) $(TOP)/util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)" >buildinf.h ++ $(PERL) $(TOP)/util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map%,$(CC) $(CFLAGS))" "$(PLATFORM)" >buildinf.h + + x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl + $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@ -- 2.30.2
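Review bot: The `filter-out` list in the new `buildinf.h` recipe strips only `-I%`, `-iremap%` and `-fmacro-prefix-map%`, so any other path-carrying word in `$(CC) $(CFLAGS)` is still compiled into the library and printed by `openssl version -a`. I would widen the pattern list to the other prefix-map and sysroot forms, for example `$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map% -fdebug-prefix-map% --sysroot=%,$(CC) $(CFLAGS))`; whether the OpenWrt toolchain actually passes those flags is not visible in this hunk, so treat it as a check to make. `filter-out` works on whole words, so a two-word form such as `-isystem DIR` would leave `DIR` behind, and an absolute `$(CC)` path would pass through unchanged. A one-line comment above the recipe, such as `# keep build-tree paths out of SSLEAY_CFLAGS`, would record why the filter is there, and running `strings` on the built libcrypto for the build root is a cheap way to confirm nothing leaks.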