From c9a76b8d766fff7135954911bb58b2d59a170ba5 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Tue, 23 Aug 2022 09:01:07 +0200 Subject: [PATCH] openssl: update to 22.03-rc6 version Fixes: WIFI-10390 Signed-off-by: John Crispin --- ...0036-openssl-backport-from-22.06-rc3.patch | 779 ++++++++++++++++++ 1 file changed, 779 insertions(+) create mode 100644 patches/backports/0036-openssl-backport-from-22.06-rc3.patch diff --git a/patches/backports/0036-openssl-backport-from-22.06-rc3.patch b/patches/backports/0036-openssl-backport-from-22.06-rc3.patch new file mode 100644 index 000000000..55031e639 --- /dev/null +++ b/patches/backports/0036-openssl-backport-from-22.06-rc3.patch @@ -0,0 +1,779 @@ +From 5cd97adeb33f5fc92ad1ff319b4ba34535c0a65b Mon Sep 17 00:00:00 2001 +From: John Crispin +Date: Tue, 23 Aug 2022 08:59:23 +0200 +Subject: [PATCH] openssl: backport from 22.06-rc3 + +Signed-off-by: John Crispin +--- + include/openssl-engine.mk | 50 +++++++++++ + package/libs/openssl/Config.in | 11 --- + package/libs/openssl/Makefile | 64 ++++++-------- + package/libs/openssl/files/afalg.cnf | 3 + + package/libs/openssl/files/devcrypto.cnf | 31 +++++++ + package/libs/openssl/files/openssl.init | 31 +++++++ + package/libs/openssl/files/padlock.cnf | 3 + + ...m-ppc-xlate.pl-add-linux64v2-flavour.patch | 56 +++++++++++++ + .../patches/100-Configure-afalg-support.patch | 5 +- + .../openssl/patches/110-openwrt_targets.patch | 9 +- + .../120-strip-cflags-from-binary.patch | 3 +- + .../patches/130-dont-build-tests-fuzz.patch | 3 +- + .../patches/140-allow-prefer-chacha20.patch | 4 +- + .../150-openssl.cnf-add-engines-conf.patch | 83 ++++--------------- + ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- + ...ypto-add-command-to-dump-driver-info.patch | 3 +- + ...o-make-the-dev-crypto-engine-dynamic.patch | 12 +-- + ...default-to-not-use-digests-in-engine.patch | 1 - + ...to-ignore-error-when-closing-session.patch | 1 - + 19 files changed, 232 insertions(+), 144 deletions(-) + create mode 100644 include/openssl-engine.mk + create mode 100644 package/libs/openssl/files/afalg.cnf + create mode 100644 package/libs/openssl/files/devcrypto.cnf + create mode 100755 package/libs/openssl/files/openssl.init + create mode 100644 package/libs/openssl/files/padlock.cnf + create mode 100644 package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch + +diff --git a/include/openssl-engine.mk b/include/openssl-engine.mk +new file mode 100644 +index 0000000000..d8baba482e +--- /dev/null ++++ b/include/openssl-engine.mk +@@ -0,0 +1,50 @@ ++# SPDX-License-Identifier: GPL-2.0-only ++# ++# Copyright (C) 2022 Enéas Ulir de Queiroz ++ ++ENGINES_DIR=engines-1.1 ++ ++define Package/openssl/engine/Default ++ SECTION:=libs ++ CATEGORY:=Libraries ++ SUBMENU:=SSL ++ DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf ++endef ++ ++# 1 = engine name ++# 2 - package name, defaults to libopenssl-$(1) ++define Package/openssl/add-engine ++ OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1)) ++ Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf ++ ++ define Package/$$(OSSL_ENG_PKG)/install ++ $$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR) ++ $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \ ++ $$(1)/usr/lib/$(ENGINES_DIR) ++ $$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d ++ $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/ ++ endef ++ ++ define Package/$$(OSSL_ENG_PKG)/postinst := ++#!/bin/sh ++OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl" ++ ++[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0 ++ ++cat << EOF >> "$$$${OPENSSL_UCI}" ++ ++config engine '$(1)' ++ option enabled '1' ++EOF ++ ++[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload ++ endef ++ ++ define Package/$$(OSSL_ENG_PKG)/postrm := ++#!/bin/sh ++[ -n "$$$${IPKG_INSTROOT}" ] && exit 0 ++uci delete openssl.$(1) ++uci commit openssl ++/etc/init.d/openssl reload ++ endef ++endef +diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in +index d1281ec6fa..bc2f0584b6 100644 +--- a/package/libs/openssl/Config.in ++++ b/package/libs/openssl/Config.in +@@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC + initiate crypto operations asynchronously. In order to work + this will require the presence of an async capable engine. + +-config OPENSSL_WITH_GOST +- bool +- prompt "Prepare library for GOST engine" +- depends on OPENSSL_ENGINE +- help +- This option prepares the library to accept engine support +- for Russian GOST crypto algorithms. +- The gost engine is not included in standard openwrt feeds. +- To build such engine yourself, see: +- https://github.com/gost-engine/engine +- + endif +diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile +index 0397ab90c4..09bada3915 100644 +--- a/package/libs/openssl/Makefile ++++ b/package/libs/openssl/Makefile +@@ -9,11 +9,10 @@ include $(TOPDIR)/rules.mk + + PKG_NAME:=openssl + PKG_BASE:=1.1.1 +-PKG_BUGFIX:=l ++PKG_BUGFIX:=q + PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) +-PKG_RELEASE:=1 ++PKG_RELEASE:=$(AUTORELEASE) + PKG_USE_MIPS16:=0 +-ENGINES_DIR=engines-1.1 + + PKG_BUILD_PARALLEL:=1 + +@@ -26,7 +25,7 @@ PKG_SOURCE_URL:= \ + ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ + ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ + +-PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 ++PKG_HASH:=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca + + PKG_LICENSE:=OpenSSL + PKG_LICENSE_FILES:=LICENSE +@@ -52,7 +51,6 @@ PKG_CONFIG_DEPENDS:= \ + CONFIG_OPENSSL_WITH_DTLS \ + CONFIG_OPENSSL_WITH_EC2M \ + CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ +- CONFIG_OPENSSL_WITH_GOST \ + CONFIG_OPENSSL_WITH_IDEA \ + CONFIG_OPENSSL_WITH_MDC2 \ + CONFIG_OPENSSL_WITH_NPN \ +@@ -66,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ + CONFIG_OPENSSL_WITH_WHIRLPOOL + + include $(INCLUDE_DIR)/package.mk ++include $(INCLUDE_DIR)/openssl-engine.mk + + ifneq ($(CONFIG_CCACHE),) + HOSTCC=$(HOSTCC_NOCACHE) +@@ -129,6 +128,8 @@ endef + + define Package/libopenssl-conf/conffiles + /etc/ssl/openssl.cnf ++$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) ++$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) + endef + + define Package/libopenssl-conf/description +@@ -136,51 +137,50 @@ $(call Package/openssl/Default/description) + This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. + endef + ++$(eval $(call Package/openssl/add-engine,afalg)) + define Package/libopenssl-afalg + $(call Package/openssl/Default) +- SUBMENU:=SSL ++ $(call Package/openssl/engine/Default) + TITLE:=AFALG hardware acceleration engine +- DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ +- +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN ++ DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ ++ @!OPENSSL_ENGINE_BUILTIN + endef + + define Package/libopenssl-afalg/description + This package adds an engine that enables hardware acceleration + through the AF_ALG kernel interface. +-To use it, you need to configure the engine in /etc/ssl/openssl.cnf + See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module + and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators + The engine_id is "afalg" + endef + ++$(eval $(call Package/openssl/add-engine,devcrypto)) + define Package/libopenssl-devcrypto + $(call Package/openssl/Default) +- SUBMENU:=SSL ++ $(call Package/openssl/engine/Default) + TITLE:=/dev/crypto hardware acceleration engine +- DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ +- @!OPENSSL_ENGINE_BUILTIN ++ DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN + endef + + define Package/libopenssl-devcrypto/description + This package adds an engine that enables hardware acceleration + through the /dev/crypto kernel interface. +-To use it, you need to configure the engine in /etc/ssl/openssl.cnf + See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module + and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators + The engine_id is "devcrypto" + endef + ++$(eval $(call Package/openssl/add-engine,padlock)) + define Package/libopenssl-padlock + $(call Package/openssl/Default) +- SUBMENU:=SSL ++ $(call Package/openssl/engine/Default) + TITLE:=VIA Padlock hardware acceleration engine +- DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +- +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN ++ DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ ++ @!OPENSSL_ENGINE_BUILTIN + endef + + define Package/libopenssl-padlock/description + This package adds an engine that enables VIA Padlock hardware acceleration. +-To use it, you need to configure it in /etc/ssl/openssl.cnf. + See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module + and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators + The engine_id is "padlock" +@@ -289,10 +289,6 @@ else + OPENSSL_OPTIONS += no-engine + endif + +-ifndef CONFIG_OPENSSL_WITH_GOST +- OPENSSL_OPTIONS += no-gost +-endif +- + ifndef CONFIG_OPENSSL_WITH_DTLS + OPENSSL_OPTIONS += no-dtls + endif +@@ -381,8 +377,17 @@ define Package/libopenssl/install + endef + + define Package/libopenssl-conf/install +- $(INSTALL_DIR) $(1)/etc/ssl ++ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d + $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ ++ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl ++ $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl ++ touch $(1)/etc/config/openssl ++ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), ++ $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ ++ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) ++ $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), ++ $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ ++ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) + endef + + define Package/openssl-util/install +@@ -390,21 +395,6 @@ define Package/openssl-util/install + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/ + endef + +-define Package/libopenssl-afalg/install +- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) +- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) +-endef +- +-define Package/libopenssl-devcrypto/install +- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) +- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) +-endef +- +-define Package/libopenssl-padlock/install +- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) +- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR) +-endef +- + $(eval $(call BuildPackage,libopenssl)) + $(eval $(call BuildPackage,libopenssl-conf)) + $(eval $(call BuildPackage,libopenssl-afalg)) +diff --git a/package/libs/openssl/files/afalg.cnf b/package/libs/openssl/files/afalg.cnf +new file mode 100644 +index 0000000000..4f573d757c +--- /dev/null ++++ b/package/libs/openssl/files/afalg.cnf +@@ -0,0 +1,3 @@ ++[afalg] ++default_algorithms = ALL ++ +diff --git a/package/libs/openssl/files/devcrypto.cnf b/package/libs/openssl/files/devcrypto.cnf +new file mode 100644 +index 0000000000..549275600d +--- /dev/null ++++ b/package/libs/openssl/files/devcrypto.cnf +@@ -0,0 +1,31 @@ ++[devcrypto] ++# Leave this alone and configure algorithms with CIPERS/DIGESTS below ++default_algorithms = ALL ++ ++# Configuration commands: ++# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a ++# list of supported algorithms, along with their driver, whether they ++# are hw accelerated or not, and the engine's configuration commands. ++ ++# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) ++# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use ++# if acceleration can't be determined) [default=2] ++#USE_SOFTDRIVERS = 2 ++ ++# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to ++# enable [default=ALL] ++# It is recommended to disable the ECB ciphers; in most cases, it will ++# only be used for PRNG, in small blocks, where performance is poor, ++# and there may be problems with apps forking with open crypto ++# contexts, leading to failures. The CBC ciphers work well: ++#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC ++ ++# DIGESTS: either ALL, NONE, or a comma-separated list of digests to ++# enable [default=NONE] ++# It is strongly recommended not to enable digests; their performance ++# is poor, and there are many cases in which they will not work, ++# especially when calling fork with open crypto contexts. Openssh, ++# for example, does this, and you may not be able to login. ++#DIGESTS = NONE ++ ++ +diff --git a/package/libs/openssl/files/openssl.init b/package/libs/openssl/files/openssl.init +new file mode 100755 +index 0000000000..21e253e7a5 +--- /dev/null ++++ b/package/libs/openssl/files/openssl.init +@@ -0,0 +1,31 @@ ++#!/bin/sh /etc/rc.common ++ ++START=13 ++ENGINES_CNF_D="/etc/ssl/engines.cnf.d" ++ENGINES_CNF="/var/etc/ssl/engines.cnf" ++ENGINES_DIR="%ENGINES_DIR%" ++ ++config_engine() { ++ local enabled force ++ config_get_bool enabled "$1" enabled 1 ++ config_get_bool force "$1" force 0 ++ [ "$enabled" = 0 ] && return ++ if [ "$force" = 0 ] && \ ++ [ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \ ++ [ ! -f "${ENGINES_DIR}/$1.so" ]; then ++ echo Skipping engine "$1": not installed ++ return ++ fi ++ echo Enabling engine "$1" ++ echo "$1=$1" >> "${ENGINES_CNF}" ++} ++ ++start() { ++ mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1 ++ echo Generating engines.cnf ++ echo "# This file is automatically generated from /etc/config/openssl." \ ++ > "${ENGINES_CNF}" || \ ++ { echo Error writing ${ENGINES_CNF} >&2; exit 1; } ++ config_load openssl ++ config_foreach config_engine engine ++} +diff --git a/package/libs/openssl/files/padlock.cnf b/package/libs/openssl/files/padlock.cnf +new file mode 100644 +index 0000000000..ef91079e5d +--- /dev/null ++++ b/package/libs/openssl/files/padlock.cnf +@@ -0,0 +1,3 @@ ++[padlock] ++default_algorithms = ALL ++ +diff --git a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch +new file mode 100644 +index 0000000000..e52a3d52ea +--- /dev/null ++++ b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch +@@ -0,0 +1,56 @@ ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 ++From: Andy Polyakov ++Date: Sun, 5 May 2019 18:25:50 +0200 ++Subject: crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour ++MIME-Version: 1.0 ++Content-Type: text/plain; charset=UTF-8 ++Content-Transfer-Encoding: 8bit ++ ++This is a big endian ELFv2 configuration. ELFv2 was already being ++used for little endian, and big endian was traditionally ELFv1 ++but there are practical configurations that use ELFv2 with big ++endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.) ++ ++Reviewed-by: Paul Dale ++Reviewed-by: Richard Levitte ++(Merged from https://github.com/openssl/openssl/pull/8883) ++ ++diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl ++--- a/crypto/perlasm/ppc-xlate.pl +++++ b/crypto/perlasm/ppc-xlate.pl ++@@ -49,7 +49,7 @@ my $globl = sub { ++ /osx/ && do { $name = "_$name"; ++ last; ++ }; ++- /linux.*(32|64le)/ +++ /linux.*(32|64(le|v2))/ ++ && do { $ret .= ".globl $name"; ++ if (!$$type) { ++ $ret .= "\n.type $name,\@function"; ++@@ -80,7 +80,7 @@ my $globl = sub { ++ }; ++ my $text = sub { ++ my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text"; ++- $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/); +++ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64(le|v2)/); ++ $ret; ++ }; ++ my $machine = sub { ++@@ -186,7 +186,7 @@ my $vmr = sub { ++ ++ # Some ABIs specify vrsave, special-purpose register #256, as reserved ++ # for system use. ++-my $no_vrsave = ($flavour =~ /aix|linux64le/); +++my $no_vrsave = ($flavour =~ /aix|linux64(le|v2)/); ++ my $mtspr = sub { ++ my ($f,$idx,$ra) = @_; ++ if ($idx == 256 && $no_vrsave) { ++@@ -318,7 +318,7 @@ while($line=<>) { ++ if ($label) { ++ my $xlated = ($GLOBALS{$label} or $label); ++ print "$xlated:"; ++- if ($flavour =~ /linux.*64le/) { +++ if ($flavour =~ /linux.*64(le|v2)/) { ++ if ($TYPES{$label} =~ /function/) { ++ printf "\n.localentry %s,0\n",$xlated; ++ } +diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch +index 98944103b5..3125e37a94 100644 +--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch ++++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch +@@ -1,4 +1,4 @@ +-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 + From: Eneas U de Queiroz + Date: Thu, 27 Sep 2018 08:29:21 -0300 + Subject: Do not use host kernel version to disable AFALG +@@ -9,10 +9,9 @@ version to disable building the AFALG engine on openwrt targets. + Signed-off-by: Eneas U de Queiroz + + diff --git a/Configure b/Configure +-index 5a699836f3..74d057c219 100755 + --- a/Configure + +++ b/Configure +-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) ++@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) + + unless ($disabled{afalgeng}) { + $config{afalgeng}=""; +diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch +index d0530b4661..9d5db6cfd1 100644 +--- a/package/libs/openssl/patches/110-openwrt_targets.patch ++++ b/package/libs/openssl/patches/110-openwrt_targets.patch +@@ -1,4 +1,4 @@ +-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001 ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 + From: Eneas U de Queiroz + Date: Thu, 27 Sep 2018 08:30:24 -0300 + Subject: Add openwrt targets +@@ -9,10 +9,9 @@ Signed-off-by: Eneas U de Queiroz + + diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf + new file mode 100644 +-index 0000000000..86a86d31e4 + --- /dev/null + +++ b/Configurations/25-openwrt.conf +-@@ -0,0 +1,48 @@ ++@@ -0,0 +1,52 @@ + +## Openwrt "CONFIG_ARCH" matching targets. + + + +# The targets need to end in '-openwrt' for the AFALG patch to work +@@ -52,6 +51,10 @@ index 0000000000..86a86d31e4 + + "linux-powerpc-openwrt" => { + + inherit_from => [ "linux-ppc", "openwrt" ], + + }, +++ "linux-powerpc64-openwrt" => { +++ inherit_from => [ "linux-ppc64", "openwrt" ], +++ perlasm_scheme => "linux64v2", +++ }, + + "linux-x86_64-openwrt" => { + + inherit_from => [ "linux-x86_64", "openwrt" ], + + }, +diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch +index 7faec9ab88..20fe21f2ac 100644 +--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch ++++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch +@@ -1,4 +1,4 @@ +-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001 ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 + From: Eneas U de Queiroz + Date: Thu, 27 Sep 2018 08:31:38 -0300 + Subject: Avoid exposing build directories +@@ -9,7 +9,6 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a + Signed-off-by: Eneas U de Queiroz + + diff --git a/crypto/build.info b/crypto/build.info +-index 2c619c62e8..893128345a 100644 + --- a/crypto/build.info + +++ b/crypto/build.info + @@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ +diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +index 7f33cb9dae..4707554d2d 100644 +--- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch ++++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +@@ -1,4 +1,4 @@ +-From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001 ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 + From: Eneas U de Queiroz + Date: Thu, 27 Sep 2018 08:34:38 -0300 + Subject: Do not build tests and fuzz directories +@@ -8,7 +8,6 @@ This shortens build time. + Signed-off-by: Eneas U de Queiroz + + diff --git a/Configure b/Configure +-index 74d057c219..5813e9f8fe 100755 + --- a/Configure + +++ b/Configure + @@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads automatically? true by default +diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch +index b293db28f7..b2418006a9 100644 +--- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch ++++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch +@@ -1,4 +1,4 @@ +-From 4f7ab2040bb71f03a8f8388911144559aa2a5b60 Mon Sep 17 00:00:00 2001 ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 + From: Eneas U de Queiroz + Date: Thu, 27 Sep 2018 08:44:39 -0300 + Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option +@@ -15,7 +15,6 @@ when the client has it on top of its ciphersuite preference. + Signed-off-by: Eneas U de Queiroz + + diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h +-index 6724ccf2d2..96d959427e 100644 + --- a/include/openssl/ssl.h + +++ b/include/openssl/ssl.h + @@ -173,9 +173,15 @@ extern "C" { +@@ -38,7 +37,6 @@ index 6724ccf2d2..96d959427e 100644 + # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ + "TLS_AES_128_GCM_SHA256" + diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +-index 27a1b2ec68..7039811323 100644 + --- a/ssl/ssl_ciph.c + +++ b/ssl/ssl_ciph.c + @@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +index 81d41963c6..8851116347 100644 +--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch ++++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +@@ -1,6 +1,17 @@ ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 ++From: Eneas U de Queiroz ++Date: Sat, 27 Mar 2021 17:43:25 -0300 ++Subject: openssl.cnf: add engine configuration ++ ++This adds configuration options for engines, loading all cnf files under ++/etc/ssl/engines.cnf.d/. ++ ++Signed-off-by: Eneas U de Queiroz ++ ++diff --git a/apps/openssl.cnf b/apps/openssl.cnf + --- a/apps/openssl.cnf + +++ b/apps/openssl.cnf +-@@ -22,6 +22,82 @@ oid_section = new_oids ++@@ -22,6 +22,16 @@ oid_section = new_oids + # (Alternatively, use a configuration file that has only + # X.509v3 extensions in its main [= default] section.) + +@@ -10,75 +21,9 @@ + +engines=engines + + + +[engines] +-+# To enable an engine, install the package, and uncomment it here: +-+#devcrypto=devcrypto +-+#afalg=afalg +-+#padlock=padlock +++.include /var/etc/ssl/engines.cnf + + +-+[afalg] +-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below +-+default_algorithms = ALL +-+ +-+# The following commands are only available if using the alternative +-+# (sync) AFALG engine +-+# Configuration commands: +-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a +-+# list of supported algorithms, along with their driver, whether they +-+# are hw accelerated or not, and the engine's configuration commands. +-+ +-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) +-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use +-+# if acceleration can't be determined) [default=2] +-+#USE_SOFTDRIVERS = 2 +-+ +-+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a +-+# comma-separated list of ciphers to enable [default=NO_ECB] +-+# Starting in 1.2.0, if you use a cipher list, each cipher may be +-+# followed by a colon (:) and the minimum request length to use +-+# AF_ALG drivers for that cipher; smaller requests are processed by +-+# softare; a negative value will use the default for that cipher +-+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0 +-+ +-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to +-+# enable [default=NONE] +-+# It is strongly recommended not to enable digests; their performance +-+# is poor, and there are many cases in which they will not work, +-+# especially when calling fork with open crypto contexts. Openssh, +-+# for example, does this, and you may not be able to login. +-+#DIGESTS = NONE +-+ +-+[devcrypto] +-+# Leave this alone and configure algorithms with CIPERS/DIGESTS below +-+default_algorithms = ALL +-+ +-+# Configuration commands: +-+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a +-+# list of supported algorithms, along with their driver, whether they +-+# are hw accelerated or not, and the engine's configuration commands. +-+ +-+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) +-+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use +-+# if acceleration can't be determined) [default=2] +-+#USE_SOFTDRIVERS = 2 +-+ +-+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to +-+# enable [default=ALL] +-+# It is recommended to disable the ECB ciphers; in most cases, it will +-+# only be used for PRNG, in small blocks, where performance is poor, +-+# and there may be problems with apps forking with open crypto +-+# contexts, leading to failures. The CBC ciphers work well: +-+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC +-+ +-+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to +-+# enable [default=NONE] +-+# It is strongly recommended not to enable digests; their performance +-+# is poor, and there are many cases in which they will not work, +-+# especially when calling fork with open crypto contexts. Openssh, +-+# for example, does this, and you may not be able to login. +-+#DIGESTS = NONE +-+ +-+[padlock] +-+default_algorithms = ALL +++.include /etc/ssl/engines.cnf.d + + + [ new_oids ] + +diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch +index 84c68b16a2..71c9fdd438 100644 +--- a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch ++++ b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch +@@ -1,4 +1,4 @@ +-From f14345422747a495a52f9237a43b8be189f21912 Mon Sep 17 00:00:00 2001 ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 + From: Eneas U de Queiroz + Date: Mon, 5 Nov 2018 15:54:17 -0200 + Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT +@@ -15,7 +15,6 @@ Reviewed-by: Richard Levitte + (Merged from https://github.com/openssl/openssl/pull/7585) + + diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +-index a727c6f646..a2c9a966f7 100644 + --- a/crypto/engine/eng_devcrypto.c + +++ b/crypto/engine/eng_devcrypto.c + @@ -461,6 +461,7 @@ struct digest_ctx { +diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch +index ad83a51a10..83989a3625 100644 +--- a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch ++++ b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch +@@ -1,4 +1,4 @@ +-From 78e7b1cc7119622645bc5a8542c55b6c95dc7868 Mon Sep 17 00:00:00 2001 ++From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 + From: Eneas U de Queiroz + Date: Tue, 6 Nov 2018 22:54:07 -0200 + Subject: eng_devcrypto: add command to dump driver info +@@ -12,7 +12,6 @@ Reviewed-by: Richard Levitte + (Merged from https://github.com/openssl/openssl/pull/7585) + + diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c +-index 5ec38ca8f3..64dc6b891d 100644 + --- a/crypto/engine/eng_devcrypto.c + +++ b/crypto/engine/eng_devcrypto.c + @@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; +diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +index ea3f8fb8a7..da9b704501 100644 +--- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch ++++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +@@ -9,7 +9,6 @@ engines/e_devcrypto.c. + Signed-off-by: Eneas U de Queiroz + + diff --git a/crypto/engine/build.info b/crypto/engine/build.info +-index e00802a3fd..47fe948966 100644 + --- a/crypto/engine/build.info + +++ b/crypto/engine/build.info + @@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ +@@ -20,10 +19,9 @@ index e00802a3fd..47fe948966 100644 + - SOURCE[../../libcrypto]=eng_devcrypto.c + -ENDIF + diff --git a/crypto/init.c b/crypto/init.c +-index 1b0d523bea..ee3e2eb075 100644 + --- a/crypto/init.c + +++ b/crypto/init.c +-@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) ++@@ -328,18 +328,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) + engine_load_openssl_int(); + return 1; + } +@@ -42,7 +40,7 @@ index 1b0d523bea..ee3e2eb075 100644 + + # ifndef OPENSSL_NO_RDRAND + static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT; +-@@ -365,6 +353,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) ++@@ -364,6 +352,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) + return 1; + } + # ifndef OPENSSL_NO_STATIC_ENGINE +@@ -61,7 +59,7 @@ index 1b0d523bea..ee3e2eb075 100644 + # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) + static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT; + DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock) +-@@ -713,11 +713,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) ++@@ -704,11 +704,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) + if ((opts & OPENSSL_INIT_ENGINE_OPENSSL) + && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl)) + return 0; +@@ -73,7 +71,7 @@ index 1b0d523bea..ee3e2eb075 100644 + # ifndef OPENSSL_NO_RDRAND + if ((opts & OPENSSL_INIT_ENGINE_RDRAND) + && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) +-@@ -727,6 +722,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) ++@@ -718,6 +713,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) + && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) + return 0; + # ifndef OPENSSL_NO_STATIC_ENGINE +@@ -86,7 +84,6 @@ index 1b0d523bea..ee3e2eb075 100644 + if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) + && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) + diff --git a/engines/build.info b/engines/build.info +-index 1db771971c..33a25d7004 100644 + --- a/engines/build.info + +++ b/engines/build.info + @@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}] +@@ -116,7 +113,6 @@ diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c + similarity index 95% + rename from crypto/engine/eng_devcrypto.c + rename to engines/e_devcrypto.c +-index 2c1b52d572..eff1ed3a7d 100644 + --- a/crypto/engine/eng_devcrypto.c + +++ b/engines/e_devcrypto.c + @@ -7,7 +7,7 @@ +diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch +index 1f1cd7a582..fd4701307e 100644 +--- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch ++++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch +@@ -20,7 +20,6 @@ turn them on if it is safe and fast enough. + Signed-off-by: Eneas U de Queiroz + + diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c +-index 3fcd81de7a..d25230d366 100644 + --- a/engines/e_devcrypto.c + +++ b/engines/e_devcrypto.c + @@ -852,7 +852,7 @@ static void prepare_digest_methods(void) +diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch +index bc514b88c9..bf1c98b104 100644 +--- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch ++++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch +@@ -9,7 +9,6 @@ session. It may have been closed by another process after a fork. + Signed-off-by: Eneas U de Queiroz + + diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c +-index d25230d366..f4570f1666 100644 + --- a/engines/e_devcrypto.c + +++ b/engines/e_devcrypto.c + @@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +-- +2.25.1 +