Hi i updated openssl to 1.0.0b it seems most of the ocf stuff isnt needed any more ...
the only thing i wasn't shure about was ... -+ if (do_cpu) -+ get_cpu(s); i removed this lines and openssl works nice without them here but maybe they are needed - i dont know .... everyone is encouraged to test this patch :) btw: to use openssl 1.0.0b every prog linked against openssl 0.9.8* must be rebuild.... greets
diff --git a/package/openssl/Makefile b/package/openssl/Makefile index f9b4c0a..e6b1784 100644 --- a/package/openssl/Makefile +++ b/package/openssl/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl -PKG_VERSION:=0.9.8p +PKG_VERSION:=1.0.0b PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz @@ -16,7 +16,7 @@ PKG_SOURCE_URL:=http://www.openssl.org/source/ \ ftp://ftp.funet.fi/pub/crypt/cryptography/libs/openssl/source/ \ ftp://ftp.webmonster.de/pub/openssl/source/ \ ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/ -PKG_MD5SUM:=7f24047f70364c9eabc94899e356ce39 +PKG_MD5SUM:=104deb3b7e6820cae6de3f49ba0ff2b0 PKG_BUILD_DEPENDS:=ocf-crypto-headers PKG_CONFIG_DEPENDS:=CONFIG_OPENSSL_ENGINE diff --git a/package/openssl/patches/110-optimize-for-size.patch b/package/openssl/patches/110-optimize-for-size.patch index ae35f50..13c5a8c 100644 --- a/package/openssl/patches/110-optimize-for-size.patch +++ b/package/openssl/patches/110-optimize-for-size.patch @@ -1,9 +1,9 @@ --- a/Configure +++ b/Configure -@@ -370,6 +370,8 @@ my %table=( - "linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", - "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}", +@@ -379,6 +379,8 @@ my %table=( + "linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", + "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", +# OpenWrt targets +"linux-openwrt","gcc:-DTERMIO \$(OPENWRT_OPTIMIZATION_FLAGS) -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/package/openssl/patches/120-makedepend.patch b/package/openssl/patches/120-makedepend.patch deleted file mode 100644 index 4ed6f6d..0000000 --- a/package/openssl/patches/120-makedepend.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/util/domd -+++ b/util/domd -@@ -22,7 +22,7 @@ if expr "$MAKEDEPEND" : '.*gcc$' > /dev/ - done - sed -e '/^# DO NOT DELETE.*/,$d' < Makefile > Makefile.tmp - echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp -- ${CC:-gcc} -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp -+ ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp - ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new - rm -f Makefile.tmp - else diff --git a/package/openssl/patches/130-perl-path.patch b/package/openssl/patches/130-perl-path.patch index d5722b2..dd4fa54 100644 --- a/package/openssl/patches/130-perl-path.patch +++ b/package/openssl/patches/130-perl-path.patch @@ -18,7 +18,7 @@ +++ b/util/clean-depend.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w -+#!/usr/bin/perl -w ++#!/usr/bin/perl # Clean the dependency list in a makefile of standard includes... # Written by Ben Laurie <b...@algroup.co.uk> 19 Jan 1999 @@ -37,7 +37,7 @@ +#!/usr/bin/perl my $config = "crypto/err/openssl.ec"; - my $debug = 0; + my $hprefix = "openssl/"; --- a/util/mkstack.pl +++ b/util/mkstack.pl @@ -1,4 +1,4 @@ diff --git a/package/openssl/patches/140-makefile-dirs.patch b/package/openssl/patches/140-makefile-dirs.patch index 84eee83..c252be9 100644 --- a/package/openssl/patches/140-makefile-dirs.patch +++ b/package/openssl/patches/140-makefile-dirs.patch @@ -1,11 +1,11 @@ --- a/Makefile.org +++ b/Makefile.org -@@ -132,7 +132,7 @@ FIPSCANLIB= +@@ -109,7 +109,7 @@ LIBKRB5= + ZLIB_INCLUDE= + LIBZLIB= - BASEADDR= +-DIRS= crypto ssl engines apps test tools ++DIRS= crypto ssl apps + ENGDIRS= ccgost + SHLIBDIRS= crypto ssl --DIRS= crypto fips ssl engines apps test tools -+DIRS= crypto fips ssl apps - SHLIBDIRS= crypto ssl fips - - # dirs in crypto to build diff --git a/package/openssl/patches/150-no_engines.patch b/package/openssl/patches/150-no_engines.patch index ed34698..dabdfd3 100644 --- a/package/openssl/patches/150-no_engines.patch +++ b/package/openssl/patches/150-no_engines.patch @@ -1,6 +1,6 @@ --- a/Configure +++ b/Configure -@@ -1904,6 +1904,11 @@ EOF +@@ -1878,6 +1878,11 @@ EOF close(OUT); } @@ -8,13 +8,13 @@ +if($target eq "mingwx") { + system("sed -e s/^LIB/XLIB/g -i engines/Makefile"); +} -+ ++ print <<EOF; Configured for $target. --- a/util/libeay.num +++ b/util/libeay.num -@@ -2071,7 +2071,6 @@ PKCS7_ATTR_SIGN_it +@@ -2071,7 +2071,6 @@ PKCS7_ATTR_SIGN_it 2632 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI UI_add_error_string 2633 EXIST::FUNCTION: KRB5_CHECKSUM_free 2634 EXIST::FUNCTION: OCSP_REQUEST_get_ext 2635 EXIST::FUNCTION: @@ -22,7 +22,7 @@ ENGINE_register_all_digests 2637 EXIST::FUNCTION:ENGINE PKEY_USAGE_PERIOD_it 2638 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKEY_USAGE_PERIOD_it 2638 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -@@ -2545,7 +2544,6 @@ OCSP_RESPONSE_new +@@ -2545,7 +2544,6 @@ OCSP_RESPONSE_new 3023 EXIST::FUNCTION: AES_set_encrypt_key 3024 EXIST::FUNCTION:AES OCSP_resp_count 3025 EXIST::FUNCTION: KRB5_CHECKSUM_new 3026 EXIST::FUNCTION: @@ -30,7 +30,7 @@ OCSP_onereq_get0_id 3028 EXIST::FUNCTION: ENGINE_set_default_ciphers 3029 EXIST::FUNCTION:ENGINE NOTICEREF_it 3030 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -@@ -2576,7 +2574,6 @@ ASN1_primitive_free +@@ -2576,7 +2574,6 @@ ASN1_primitive_free 3051 EXIST::FUNCTION: i2d_EXTENDED_KEY_USAGE 3052 EXIST::FUNCTION: i2d_OCSP_SIGNATURE 3053 EXIST::FUNCTION: asn1_enc_save 3054 EXIST::FUNCTION: @@ -38,7 +38,7 @@ _ossl_old_des_pcbc_encrypt 3056 EXIST::FUNCTION:DES PKCS12_MAC_DATA_it 3057 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: PKCS12_MAC_DATA_it 3057 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -@@ -2600,7 +2597,6 @@ asn1_get_choice_selector +@@ -2600,7 +2597,6 @@ asn1_get_choice_selector 3071 EXIST::FUNCTION: i2d_KRB5_CHECKSUM 3072 EXIST::FUNCTION: ENGINE_set_table_flags 3073 EXIST::FUNCTION:ENGINE AES_options 3074 EXIST::FUNCTION:AES @@ -46,7 +46,7 @@ OCSP_id_cmp 3076 EXIST::FUNCTION: OCSP_BASICRESP_new 3077 EXIST::FUNCTION: OCSP_REQUEST_get_ext_by_NID 3078 EXIST::FUNCTION: -@@ -2667,7 +2663,6 @@ OCSP_CRLID_it +@@ -2667,7 +2663,6 @@ OCSP_CRLID_it 3127 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA OCSP_CRLID_it 3127 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: i2d_KRB5_AUTHENTBODY 3128 EXIST::FUNCTION: OCSP_REQUEST_get_ext_count 3129 EXIST::FUNCTION: @@ -54,7 +54,7 @@ X509_NAME_it 3131 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_NAME_it 3131 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: USERNOTICE_it 3132 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -@@ -2762,8 +2757,6 @@ DES_read_2passwords +@@ -2762,8 +2757,6 @@ DES_read_2passwords 3206 EXIST::FUNCTION:DES DES_read_password 3207 EXIST::FUNCTION:DES UI_UTIL_read_pw 3208 EXIST::FUNCTION: UI_UTIL_read_pw_string 3209 EXIST::FUNCTION: @@ -63,7 +63,7 @@ OPENSSL_add_all_algorithms_noconf 3212 EXIST:!VMS:FUNCTION: OPENSSL_add_all_algo_noconf 3212 EXIST:VMS:FUNCTION: OPENSSL_add_all_algorithms_conf 3213 EXIST:!VMS:FUNCTION: -@@ -2772,7 +2765,6 @@ OPENSSL_load_builtin_modules +@@ -2772,7 +2765,6 @@ OPENSSL_load_builtin_modules 3214 EXIST::FUNCTION: AES_ofb128_encrypt 3215 EXIST::FUNCTION:AES AES_ctr128_encrypt 3216 EXIST::FUNCTION:AES AES_cfb128_encrypt 3217 EXIST::FUNCTION:AES @@ -71,11 +71,11 @@ _ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES -@@ -3107,7 +3099,6 @@ EC_GFp_nist_method - STORE_method_set_modify_function 3530 EXIST:!VMS:FUNCTION: - STORE_meth_set_modify_fn 3530 EXIST:VMS:FUNCTION: - STORE_parse_attrs_next 3531 EXIST::FUNCTION: --ENGINE_load_padlock 3532 EXIST::FUNCTION:ENGINE +@@ -3107,7 +3099,6 @@ EC_GFp_nist_method 3529 EXIST::FUNCTION:EC + STORE_meth_set_modify_fn 3530 NOEXIST::FUNCTION: + STORE_method_set_modify_function 3530 NOEXIST::FUNCTION: + STORE_parse_attrs_next 3531 NOEXIST::FUNCTION: +-ENGINE_load_padlock 3532 EXIST::FUNCTION:ENGINE,STATIC_ENGINE EC_GROUP_set_curve_name 3533 EXIST::FUNCTION:EC X509_CERT_PAIR_it 3534 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_CERT_PAIR_it 3534 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: diff --git a/package/openssl/patches/160-disable_doc_tests.patch b/package/openssl/patches/160-disable_doc_tests.patch index 8c042ef..4ae35b1 100644 --- a/package/openssl/patches/160-disable_doc_tests.patch +++ b/package/openssl/patches/160-disable_doc_tests.patch @@ -1,15 +1,15 @@ --- a/Makefile +++ b/Makefile -@@ -134,7 +134,7 @@ FIPSCANLIB= - - BASEADDR=0xFB00000 +@@ -111,7 +111,7 @@ LIBKRB5= + ZLIB_INCLUDE= + LIBZLIB= -DIRS= crypto ssl engines apps test tools +DIRS= crypto ssl engines apps tools + ENGDIRS= ccgost SHLIBDIRS= crypto ssl - # dirs in crypto to build -@@ -151,7 +151,7 @@ SDIRS= \ +@@ -129,7 +129,7 @@ SDIRS= \ # tests to perform. "alltests" is a special word indicating that all tests # should be performed. @@ -18,7 +18,7 @@ MAKEFILE= Makefile -@@ -163,7 +163,7 @@ SHELL=/bin/sh +@@ -143,7 +143,7 @@ SHELL=/bin/sh TOP= . ONEDIRS=out tmp @@ -27,16 +27,16 @@ WDIRS= windows LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) -@@ -323,7 +323,7 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \ - ../crypto/uid.o +@@ -239,7 +239,7 @@ reflect: + @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV) sub_all: build_all -build_all: build_libs build_apps build_tests build_tools +build_all: build_libs build_apps build_tools - build_libs: build_crypto build_fips build_ssl build_shared build_engines + build_libs: build_crypto build_ssl build_engines -@@ -617,7 +617,7 @@ dist: +@@ -494,7 +494,7 @@ dist: dist_pem_h: (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) @@ -47,7 +47,7 @@ @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ --- a/Makefile.org +++ b/Makefile.org -@@ -615,7 +615,7 @@ dist: +@@ -492,7 +492,7 @@ dist: dist_pem_h: (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) diff --git a/package/openssl/patches/200-ocf-20100325.patch b/package/openssl/patches/200-ocf-20100325.patch index e53c447..bb2654e 100644 --- a/package/openssl/patches/200-ocf-20100325.patch +++ b/package/openssl/patches/200-ocf-20100325.patch @@ -121,7 +121,7 @@ echo "ppc-apple-darwin${VERSION}" ;; *) -- echo "i386-apple-darwin${VERSION}" +- echo "i686-apple-darwin${VERSION}" + echo "${MACHINE}-apple-darwin${VERSION}" ;; esac @@ -135,19 +135,6 @@ if [ "$GCCVER" != "" ]; then # then strip off whatever prefix egcs prepends the number with... # Hopefully, this will work for any future prefixes as well. -@@ -488,6 +488,12 @@ echo Operating system: $GUESSOS - # script above so we end up with values in vars but that would take - # more time that I want to waste at the moment - case "$GUESSOS" in -+ uClinux*64*) -+ OUT=uClinux-dist64 -+ ;; -+ uClinux*) -+ OUT=uClinux-dist -+ ;; - mips2-sgi-irix) - CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` - CPU=${CPU:-0} --- a/apps/apps.h +++ b/apps/apps.h @@ -112,7 +112,7 @@ @@ -159,18 +146,6 @@ #include <openssl/bio.h> #include <openssl/x509.h> ---- a/apps/progs.h -+++ b/apps/progs.h -@@ -129,7 +129,9 @@ FUNCTION functions[] = { - #ifndef OPENSSL_NO_ENGINE - {FUNC_TYPE_GENERAL,"engine",engine_main}, - #endif -+#ifndef OPENSSL_NO_OCSP - {FUNC_TYPE_GENERAL,"ocsp",ocsp_main}, -+#endif - {FUNC_TYPE_GENERAL,"prime",prime_main}, - #ifndef OPENSSL_NO_MD2 - {FUNC_TYPE_MD,"md2",dgst_main}, --- a/apps/speed.c +++ b/apps/speed.c @@ -302,7 +302,7 @@ static const char *names[ALGOR_NUM]={ @@ -262,19 +237,9 @@ + +#endif + - #if defined(OPENSSL_SYS_NETWARE) - - /* for NetWare the best we can do is use clock() which returns the -@@ -372,6 +448,9 @@ static double Time_F(int s) - { - double ret; + #if defined(_WIN32) -+ if (do_cpu) -+ get_cpu(s); -+ - #ifdef USE_TOD - if(usertime) - { + #define SIGALRM @@ -839,6 +918,14 @@ int MAIN(int argc, char **argv) j--; /* Otherwise, -elapsed gets confused with an algorithm. */ @@ -558,597 +523,8 @@ #ifdef OPENSSL_USE_APPLINK #define BIO_FLAGS_UPLINK 0x8000 ---- a/crypto/engine/eng_all.c -+++ b/crypto/engine/eng_all.c -@@ -113,7 +113,7 @@ void ENGINE_load_builtin_engines(void) - #endif - } - --#if defined(__OpenBSD__) || defined(__FreeBSD__) -+#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) - void ENGINE_setup_bsd_cryptodev(void) { - static int bsd_cryptodev_default_loaded = 0; - if (!bsd_cryptodev_default_loaded) { --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c -@@ -72,6 +72,16 @@ ENGINE_load_cryptodev(void) - struct dev_crypto_state { - struct session_op d_sess; - int d_fd; -+ -+#ifdef USE_CRYPTODEV_DIGESTS -+ char dummy_mac_key[20]; -+ -+ unsigned char digest_res[20]; -+ char *mac_data; -+ int mac_len; -+ -+ int copy; -+#endif - }; - - static u_int32_t cryptodev_asymfeat = 0; -@@ -79,9 +89,6 @@ static u_int32_t cryptodev_asymfeat = 0; - static int get_asym_dev_crypto(void); - static int open_dev_crypto(void); - static int get_dev_crypto(void); --static int cryptodev_max_iv(int cipher); --static int cryptodev_key_length_valid(int cipher, int len); --static int cipher_nid_to_cryptodev(int nid); - static int get_cryptodev_ciphers(const int **cnids); - /*static int get_cryptodev_digests(const int **cnids);*/ - static int cryptodev_usable_ciphers(const int **nids); -@@ -134,9 +141,12 @@ static struct { - int ivmax; - int keylen; - } ciphers[] = { -+ { CRYPTO_ARC4, NID_rc4, 0, 16, }, - { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, - { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, - { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, -+ { CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, }, -+ { CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, }, - { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, - { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, - { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, -@@ -147,14 +157,16 @@ static struct { - static struct { - int id; - int nid; -+ int keylen; - } digests[] = { -- { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, }, -- { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, }, -- { CRYPTO_MD5_KPDK, NID_undef, }, -- { CRYPTO_SHA1_KPDK, NID_undef, }, -- { CRYPTO_MD5, NID_md5, }, -- { CRYPTO_SHA1, NID_undef, }, -- { 0, NID_undef, }, -+ { CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16}, -+ { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20}, -+ { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, 16/*?*/}, -+ { CRYPTO_MD5_KPDK, NID_undef, 0}, -+ { CRYPTO_SHA1_KPDK, NID_undef, 0}, -+ { CRYPTO_MD5, NID_md5, 16}, -+ { CRYPTO_SHA1, NID_sha1, 20}, -+ { 0, NID_undef, 0}, - }; - #endif - -@@ -182,10 +194,17 @@ open_dev_crypto(void) - static int - get_dev_crypto(void) - { -- int fd, retfd; -+ static int fd = -1; -+ int retfd; - -- if ((fd = open_dev_crypto()) == -1) -- return (-1); -+ if (fd == -1) { -+ if ((fd = open_dev_crypto()) == -1) -+ return (-1); -+ if (fcntl(fd, F_SETFD, 1) == -1) { -+ close(fd); -+ return (-1); -+ } -+ } - if (ioctl(fd, CRIOGET, &retfd) == -1) - return (-1); - -@@ -209,50 +228,6 @@ get_asym_dev_crypto(void) - } - - /* -- * XXXX this needs to be set for each alg - and determined from -- * a running card. -- */ --static int --cryptodev_max_iv(int cipher) --{ -- int i; -- -- for (i = 0; ciphers[i].id; i++) -- if (ciphers[i].id == cipher) -- return (ciphers[i].ivmax); -- return (0); --} -- --/* -- * XXXX this needs to be set for each alg - and determined from -- * a running card. For now, fake it out - but most of these -- * for real devices should return 1 for the supported key -- * sizes the device can handle. -- */ --static int --cryptodev_key_length_valid(int cipher, int len) --{ -- int i; -- -- for (i = 0; ciphers[i].id; i++) -- if (ciphers[i].id == cipher) -- return (ciphers[i].keylen == len); -- return (0); --} -- --/* convert libcrypto nids to cryptodev */ --static int --cipher_nid_to_cryptodev(int nid) --{ -- int i; -- -- for (i = 0; ciphers[i].id; i++) -- if (ciphers[i].nid == nid) -- return (ciphers[i].id); -- return (0); --} -- --/* - * Find out what ciphers /dev/crypto will let us have a session for. - * XXX note, that some of these openssl doesn't deal with yet! - * returning them here is harmless, as long as we return NULL -@@ -270,7 +245,7 @@ get_cryptodev_ciphers(const int **cnids) - return (0); - } - memset(&sess, 0, sizeof(sess)); -- sess.key = (caddr_t)"123456781234567812345678"; -+ sess.key = (caddr_t)"123456789abcdefghijklmno"; - - for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { - if (ciphers[i].nid == NID_undef) -@@ -310,10 +285,12 @@ get_cryptodev_digests(const int **cnids) - return (0); - } - memset(&sess, 0, sizeof(sess)); -+ sess.mackey = (caddr_t)"123456789abcdefghijklmno"; - for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { - if (digests[i].nid == NID_undef) - continue; - sess.mac = digests[i].id; -+ sess.mackeylen = digests[i].keylen; - sess.cipher = 0; - if (ioctl(fd, CIOCGSESSION, &sess) != -1 && - ioctl(fd, CIOCFSESSION, &sess.ses) != -1) -@@ -360,6 +337,9 @@ cryptodev_usable_ciphers(const int **nid - static int - cryptodev_usable_digests(const int **nids) - { -+#ifdef USE_CRYPTODEV_DIGESTS -+ return (get_cryptodev_digests(nids)); -+#else - /* - * XXXX just disable all digests for now, because it sucks. - * we need a better way to decide this - i.e. I may not -@@ -374,6 +354,7 @@ cryptodev_usable_digests(const int **nid - */ - *nids = NULL; - return (0); -+#endif - } - - static int -@@ -436,16 +417,20 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, - { - struct dev_crypto_state *state = ctx->cipher_data; - struct session_op *sess = &state->d_sess; -- int cipher; -- -- if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef) -- return (0); -+ int cipher, i; - -- if (ctx->cipher->iv_len > cryptodev_max_iv(cipher)) -- return (0); -+ for (i = 0; ciphers[i].id; i++) -+ if (ctx->cipher->nid == ciphers[i].nid && -+ ctx->cipher->iv_len <= ciphers[i].ivmax && -+ ctx->key_len == ciphers[i].keylen) { -+ cipher = ciphers[i].id; -+ break; -+ } - -- if (!cryptodev_key_length_valid(cipher, ctx->key_len)) -+ if (!ciphers[i].id) { -+ state->d_fd = -1; - return (0); -+ } - - memset(sess, 0, sizeof(struct session_op)); - -@@ -505,6 +490,20 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx) - * gets called when libcrypto requests a cipher NID. - */ - -+/* RC4 */ -+const EVP_CIPHER cryptodev_rc4 = { -+ NID_rc4, -+ 1, 16, 0, -+ EVP_CIPH_VARIABLE_LENGTH, -+ cryptodev_init_key, -+ cryptodev_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ NULL, -+ NULL, -+ NULL -+}; -+ - /* DES CBC EVP */ - const EVP_CIPHER cryptodev_des_cbc = { - NID_des_cbc, -@@ -572,6 +571,32 @@ const EVP_CIPHER cryptodev_aes_cbc = { - NULL - }; - -+const EVP_CIPHER cryptodev_aes_192_cbc = { -+ NID_aes_192_cbc, -+ 16, 24, 16, -+ EVP_CIPH_CBC_MODE, -+ cryptodev_init_key, -+ cryptodev_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+}; -+ -+const EVP_CIPHER cryptodev_aes_256_cbc = { -+ NID_aes_256_cbc, -+ 16, 32, 16, -+ EVP_CIPH_CBC_MODE, -+ cryptodev_init_key, -+ cryptodev_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+}; -+ - /* - * Registered by the ENGINE when used to find out how to deal with - * a particular NID in the ENGINE. this says what we'll do at the -@@ -585,6 +610,9 @@ cryptodev_engine_ciphers(ENGINE *e, cons - return (cryptodev_usable_ciphers(nids)); - - switch (nid) { -+ case NID_rc4: -+ *cipher = &cryptodev_rc4; -+ break; - case NID_des_ede3_cbc: - *cipher = &cryptodev_3des_cbc; - break; -@@ -600,6 +628,12 @@ cryptodev_engine_ciphers(ENGINE *e, cons - case NID_aes_128_cbc: - *cipher = &cryptodev_aes_cbc; - break; -+ case NID_aes_192_cbc: -+ *cipher = &cryptodev_aes_192_cbc; -+ break; -+ case NID_aes_256_cbc: -+ *cipher = &cryptodev_aes_256_cbc; -+ break; - default: - *cipher = NULL; - break; -@@ -607,6 +641,234 @@ cryptodev_engine_ciphers(ENGINE *e, cons - return (*cipher != NULL); - } - -+ -+#ifdef USE_CRYPTODEV_DIGESTS -+ -+/* convert digest type to cryptodev */ -+static int -+digest_nid_to_cryptodev(int nid) -+{ -+ int i; -+ -+ for (i = 0; digests[i].id; i++) -+ if (digests[i].nid == nid) -+ return (digests[i].id); -+ return (0); -+} -+ -+ -+static int -+digest_key_length(int nid) -+{ -+ int i; -+ -+ for (i = 0; digests[i].id; i++) -+ if (digests[i].nid == nid) -+ return digests[i].keylen; -+ return (0); -+} -+ -+ -+static int cryptodev_digest_init(EVP_MD_CTX *ctx) -+{ -+ struct dev_crypto_state *state = ctx->md_data; -+ struct session_op *sess = &state->d_sess; -+ int digest; -+ -+ if ((digest = digest_nid_to_cryptodev(ctx->digest->type)) == NID_undef){ -+ fprintf(stderr, "cryptodev_digest_init: Can't get digest \n"); -+ return (0); -+ } -+ -+ memset(state, 0, sizeof(struct dev_crypto_state)); -+ -+ if ((state->d_fd = get_dev_crypto()) < 0) { -+ fprintf(stderr, "cryptodev_digest_init: Can't get Dev \n"); -+ return (0); -+ } -+ -+ sess->mackey = state->dummy_mac_key; -+ sess->mackeylen = digest_key_length(ctx->digest->type); -+ sess->mac = digest; -+ -+ if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) { -+ close(state->d_fd); -+ state->d_fd = -1; -+ fprintf(stderr, "cryptodev_digest_init: Open session failed\n"); -+ return (0); -+ } -+ -+ return (1); -+} -+ -+static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data, -+ size_t count) -+{ -+ struct crypt_op cryp; -+ struct dev_crypto_state *state = ctx->md_data; -+ struct session_op *sess = &state->d_sess; -+ -+ if (!data || state->d_fd < 0) { -+ fprintf(stderr, "cryptodev_digest_update: illegal inputs \n"); -+ return (0); -+ } -+ -+ if (!count) { -+ return (0); -+ } -+ -+ if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) { -+ /* if application doesn't support one buffer */ -+ state->mac_data = OPENSSL_realloc(state->mac_data, state->mac_len + count); -+ -+ if (!state->mac_data) { -+ fprintf(stderr, "cryptodev_digest_update: realloc failed\n"); -+ return (0); -+ } -+ -+ memcpy(state->mac_data + state->mac_len, data, count); -+ state->mac_len += count; -+ -+ return (1); -+ } -+ -+ memset(&cryp, 0, sizeof(cryp)); -+ -+ cryp.ses = sess->ses; -+ cryp.flags = 0; -+ cryp.len = count; -+ cryp.src = (caddr_t) data; -+ cryp.dst = NULL; -+ cryp.mac = state->digest_res; -+ if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) { -+ fprintf(stderr, "cryptodev_digest_update: digest failed\n"); -+ return (0); -+ } -+ return (1); -+} -+ -+ -+static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md) -+{ -+ struct crypt_op cryp; -+ struct dev_crypto_state *state = ctx->md_data; -+ struct session_op *sess = &state->d_sess; -+ -+ int ret = 1; -+ -+ if (!md || state->d_fd < 0) { -+ fprintf(stderr, "cryptodev_digest_final: illegal input\n"); -+ return(0); -+ } -+ -+ if (! (ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) ) { -+ /* if application doesn't support one buffer */ -+ memset(&cryp, 0, sizeof(cryp)); -+ -+ cryp.ses = sess->ses; -+ cryp.flags = 0; -+ cryp.len = state->mac_len; -+ cryp.src = state->mac_data; -+ cryp.dst = NULL; -+ cryp.mac = md; -+ -+ if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) { -+ fprintf(stderr, "cryptodev_digest_final: digest failed\n"); -+ return (0); -+ } -+ -+ return 1; -+ } -+ -+ memcpy(md, state->digest_res, ctx->digest->md_size); -+ -+ return (ret); -+} -+ -+ -+static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx) -+{ -+ int ret = 1; -+ struct dev_crypto_state *state = ctx->md_data; -+ struct session_op *sess = &state->d_sess; -+ -+ if (state->d_fd < 0) { -+ fprintf(stderr, "cryptodev_digest_cleanup: illegal input\n"); -+ return (0); -+ } -+ -+ if (state->mac_data) { -+ OPENSSL_free(state->mac_data); -+ state->mac_data = NULL; -+ state->mac_len = 0; -+ } -+ -+ if (state->copy) -+ return 1; -+ -+ if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) < 0) { -+ fprintf(stderr, "cryptodev_digest_cleanup: failed to close session\n"); -+ ret = 0; -+ } else { -+ ret = 1; -+ } -+ close(state->d_fd); -+ state->d_fd = -1; -+ -+ return (ret); -+} -+ -+static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from) -+{ -+ struct dev_crypto_state *fstate = from->md_data; -+ struct dev_crypto_state *dstate = to->md_data; -+ -+ memcpy(dstate, fstate, sizeof(struct dev_crypto_state)); -+ -+ if (fstate->mac_len != 0) { -+ dstate->mac_data = OPENSSL_malloc(fstate->mac_len); -+ memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len); -+ } -+ -+ dstate->copy = 1; -+ -+ return 1; -+} -+ -+ -+const EVP_MD cryptodev_sha1 = { -+ NID_sha1, -+ NID_undef, -+ SHA_DIGEST_LENGTH, -+ EVP_MD_FLAG_ONESHOT, -+ cryptodev_digest_init, -+ cryptodev_digest_update, -+ cryptodev_digest_final, -+ cryptodev_digest_copy, -+ cryptodev_digest_cleanup, -+ EVP_PKEY_NULL_method, -+ SHA_CBLOCK, -+ sizeof(struct dev_crypto_state), -+}; -+ -+const EVP_MD cryptodev_md5 = { -+ NID_md5, -+ NID_undef, -+ 16 /* MD5_DIGEST_LENGTH */, -+ EVP_MD_FLAG_ONESHOT, -+ cryptodev_digest_init, -+ cryptodev_digest_update, -+ cryptodev_digest_final, -+ cryptodev_digest_copy, -+ cryptodev_digest_cleanup, -+ EVP_PKEY_NULL_method, -+ 64 /* MD5_CBLOCK */, -+ sizeof(struct dev_crypto_state), -+}; -+ -+#endif /* USE_CRYPTODEV_DIGESTS */ -+ -+ - static int - cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, - const int **nids, int nid) -@@ -615,10 +877,15 @@ cryptodev_engine_digests(ENGINE *e, cons - return (cryptodev_usable_digests(nids)); - - switch (nid) { -+#ifdef USE_CRYPTODEV_DIGESTS - case NID_md5: -- *digest = NULL; /* need to make a clean md5 critter */ -+ *digest = &cryptodev_md5; - break; -+ case NID_sha1: -+ *digest = &cryptodev_sha1; -+ break; - default: -+#endif /* USE_CRYPTODEV_DIGESTS */ - *digest = NULL; - break; - } -@@ -646,6 +913,7 @@ bn2crparam(const BIGNUM *a, struct crpar - b = malloc(bytes); - if (b == NULL) - return (1); -+ memset(b, 0, bytes); - - crp->crp_p = (char *)b; - crp->crp_nbits = bits; -@@ -690,7 +958,7 @@ zapparams(struct crypt_kop *kop) - { - int i; - -- for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) { -+ for (i = 0; i < kop->crk_iparams + kop->crk_oparams; i++) { - if (kop->crk_param[i].crp_p) - free(kop->crk_param[i].crp_p); - kop->crk_param[i].crp_p = NULL; -@@ -776,7 +1044,6 @@ static int - cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) - { - int r; -- - r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); - return (r); - } -@@ -920,6 +1187,9 @@ cryptodev_dsa_do_sign(const unsigned cha - const DSA_METHOD *meth = DSA_OpenSSL(); - BN_free(r); - BN_free(s); -+ fprintf(stderr, "cryptodev_asym: CRK_DSA_SIGN %s failed, " -+ "Running in software\n", errno==kop.crk_status ? -+ "hardware operation" : "asym process"); - dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa); - } - err: -@@ -961,6 +1231,9 @@ cryptodev_dsa_verify(const unsigned char - } else { - const DSA_METHOD *meth = DSA_OpenSSL(); - -+ fprintf(stderr, "cryptodev_asym: CRK_DSA_VERIFY %s failed, " -+ "Running in software\n", errno==kop.crk_status ? -+ "hardware operation" : "asym process"); - dsaret = (meth->dsa_do_verify)(dgst, dlen, sig, dsa); - } - err: @@ -994,8 +1267,8 @@ static int cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { @@ -1169,67 +545,34 @@ memset(&kop, 0, sizeof kop); kop.crk_op = CRK_DH_COMPUTE_KEY; -@@ -1018,14 +1291,18 @@ cryptodev_dh_compute_key(unsigned char * +@@ -1281,14 +1281,17 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) kop.crk_iparams = 3; - kop.crk_param[3].crp_p = (char *)key; + kop.crk_param[3].crp_p = (caddr_t) key; - kop.crk_param[3].crp_nbits = keylen * 8; + kop.crk_param[3].crp_nbits = keybits; kop.crk_oparams = 1; if (ioctl(fd, CIOCKEY, &kop) == -1) { const DH_METHOD *meth = DH_OpenSSL(); - +- + fprintf(stderr, "cryptodev_asym: CRK_DH_COMPUTE_KEY %s failed, " + "Running in software\n", errno==kop.crk_status ? + "hardware operation" : "asym process"); dhret = (meth->compute_key)(key, pub_key, dh); - } -+ } else ++ }else + dhret = (keybits + 7) / 8; err: kop.crk_param[3].crp_p = NULL; zapparams(&kop); ---- a/crypto/engine/engine.h -+++ b/crypto/engine/engine.h -@@ -705,7 +705,7 @@ typedef int (*dynamic_bind_engine)(ENGIN - * values. */ - void *ENGINE_get_static_state(void); - --#if defined(__OpenBSD__) || defined(__FreeBSD__) -+#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) - void ENGINE_setup_bsd_cryptodev(void); - #endif - ---- a/crypto/evp/c_all.c -+++ b/crypto/evp/c_all.c -@@ -83,7 +83,7 @@ void OPENSSL_add_all_algorithms_noconf(v - OpenSSL_add_all_ciphers(); - OpenSSL_add_all_digests(); - #ifndef OPENSSL_NO_ENGINE --# if defined(__OpenBSD__) || defined(__FreeBSD__) -+# if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV) - ENGINE_setup_bsd_cryptodev(); - # endif - #endif ---- a/crypto/evp/c_alld.c -+++ b/crypto/evp/c_alld.c -@@ -78,7 +78,7 @@ void OpenSSL_add_all_digests(void) - EVP_add_digest(EVP_dss()); - #endif - #endif --#ifndef OPENSSL_NO_SHA -+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) - EVP_add_digest(EVP_sha1()); - EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); - EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); --- a/engines/Makefile +++ b/engines/Makefile -@@ -97,6 +97,7 @@ install: - ( echo installing $$l; \ +@@ -113,6 +113,7 @@ install: + pfx=lib; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ case "$(CFLAGS)" in \ + *OPENSSL_NO_HW*) continue;; \ - *DSO_DLFCN*) sfx="so";; \ - *DSO_DL*) sfx="sl";; \ - *) sfx="bad";; \ + *DSO_BEOS*) sfx=".so";; \ + *DSO_DLFCN*) sfx=`expr "$(SHLIB_EXT)" : '.*\(\.[a-z][a-z]*\)' \| ".so"`;; \ + *DSO_DL*) sfx=".sl";; \
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
