From dcef8d6093cd54aa990a5ae0099a16e88a18dfbd Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 19 Mar 2020 16:12:15 -0300 Subject: [PATCH] openssl: update to 1.1.1e This version includes bug and security fixes, including medium-severity CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 6 +-- ...o-make-the-dev-crypto-engine-dynamic.patch | 43 ++++++------------- ...default-to-not-use-digests-in-engine.patch | 8 ++-- ...to-ignore-error-when-closing-session.patch | 6 +-- 4 files changed, 22 insertions(+), 41 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index ca393be88fd..353ae453f54 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=d +PKG_BUGFIX:=e PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=3 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2 +PKG_HASH:=694f61ac11cb51c9bf73f54e771ff6022b0327a43bbdfa1b2f19de1662a6dcbe PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch index ee33942426c..71dc5bf99bc 100644 --- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch @@ -1,4 +1,4 @@ -From f3cef70b34afde3afd13ce3636232d41533b0162 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Tue, 6 Nov 2018 10:57:03 -0200 Subject: e_devcrypto: make the /dev/crypto engine dynamic @@ -20,7 +20,7 @@ index e00802a3fd..47fe948966 100644 - SOURCE[../../libcrypto]=eng_devcrypto.c -ENDIF diff --git a/crypto/init.c b/crypto/init.c -index 9fc0e8ef68..b387559920 100644 +index 1b0d523bea..ee3e2eb075 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) @@ -116,7 +116,7 @@ diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c similarity index 95% rename from crypto/engine/eng_devcrypto.c rename to engines/e_devcrypto.c -index 64dc6b891d..fb5c6e1636 100644 +index 0d420e50aa..3fcd81de7a 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/engines/e_devcrypto.c @@ -7,7 +7,7 @@ @@ -128,15 +128,7 @@ index 64dc6b891d..fb5c6e1636 100644 #include #include #include -@@ -23,26 +23,26 @@ - #include - #include - --#include "internal/engine.h" -- - /* #define ENGINE_DEVCRYPTO_DEBUG */ - - #if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX +@@ -31,18 +31,20 @@ # define CHECK_BSD_STYLE_MACROS #endif @@ -160,18 +152,7 @@ index 64dc6b891d..fb5c6e1636 100644 /* * cipher/digest status & acceleration definitions -@@ -66,6 +66,10 @@ struct driver_info_st { - char *driver_name; - }; - -+#ifdef OPENSSL_NO_DYNAMIC_ENGINE -+void engine_load_devcrypto_int(void); -+#endif -+ - static int clean_devcrypto_session(struct session_op *sess) { - if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { - SYSerr(SYS_F_IOCTL, errno); -@@ -341,6 +345,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) +@@ -341,6 +343,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) struct cipher_ctx *to_cipher_ctx; switch (type) { @@ -179,7 +160,7 @@ index 64dc6b891d..fb5c6e1636 100644 case EVP_CTRL_COPY: if (cipher_ctx == NULL) return 1; -@@ -702,7 +707,6 @@ static int digest_init(EVP_MD_CTX *ctx) +@@ -702,7 +705,6 @@ static int digest_init(EVP_MD_CTX *ctx) SYSerr(SYS_F_IOCTL, errno); return 0; } @@ -187,7 +168,7 @@ index 64dc6b891d..fb5c6e1636 100644 return 1; } -@@ -1058,7 +1062,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { +@@ -1058,7 +1060,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) "=use if acceleration can't be determined) [default=" @@ -196,7 +177,7 @@ index 64dc6b891d..fb5c6e1636 100644 ENGINE_CMD_FLAG_NUMERIC}, #endif -@@ -1166,55 +1170,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) +@@ -1166,55 +1168,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) * *****/ @@ -284,12 +265,12 @@ index 64dc6b891d..fb5c6e1636 100644 - || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) + || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)) + return 0; -+ + + prepare_cipher_methods(); +#ifdef IMPLEMENT_DIGEST + prepare_digest_methods(); +#endif - ++ + return (ENGINE_set_ciphers(e, devcrypto_ciphers) +#ifdef IMPLEMENT_DIGEST + && ENGINE_set_digests(e, devcrypto_digests) @@ -297,7 +278,7 @@ index 64dc6b891d..fb5c6e1636 100644 /* * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD * implementations, it seems to only exist in FreeBSD, and regarding the -@@ -1237,23 +1256,36 @@ void engine_load_devcrypto_int() +@@ -1237,23 +1254,36 @@ void engine_load_devcrypto_int() */ #if 0 # ifndef OPENSSL_NO_RSA @@ -343,7 +324,7 @@ index 64dc6b891d..fb5c6e1636 100644 ENGINE_free(e); return; } -@@ -1262,3 +1294,22 @@ void engine_load_devcrypto_int() +@@ -1262,3 +1292,22 @@ void engine_load_devcrypto_int() ENGINE_free(e); /* Loose our local reference */ ERR_clear_error(); } diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch index 89385fa4773..1f1cd7a5829 100644 --- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch +++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -1,4 +1,4 @@ -From 52ddedc09ee81fe05ea2fa384fce89afe92d6d72 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Mon, 11 Mar 2019 09:29:13 -0300 Subject: e_devcrypto: default to not use digests in engine @@ -20,10 +20,10 @@ turn them on if it is safe and fast enough. Signed-off-by: Eneas U de Queiroz diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index fb5c6e1636..7741138b82 100644 +index 3fcd81de7a..d25230d366 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c -@@ -854,7 +854,7 @@ static void prepare_digest_methods(void) +@@ -852,7 +852,7 @@ static void prepare_digest_methods(void) for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { @@ -32,7 +32,7 @@ index fb5c6e1636..7741138b82 100644 /* * Check that the digest is usable -@@ -1074,7 +1074,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { +@@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { #ifdef IMPLEMENT_DIGEST {DEVCRYPTO_CMD_DIGESTS, "DIGESTS", diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch index 087994376d1..bc514b88c9d 100644 --- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -1,4 +1,4 @@ -From b6b2744f06f64922b449b3cb4bf0ad3df3efba71 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Mon, 11 Mar 2019 10:15:14 -0300 Subject: e_devcrypto: ignore error when closing session @@ -9,10 +9,10 @@ session. It may have been closed by another process after a fork. Signed-off-by: Eneas U de Queiroz diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index 7741138b82..2480bdbd57 100644 +index d25230d366..f4570f1666 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c -@@ -197,9 +197,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); /* cleanup a previous session */ -- 2.30.2