[From nobody Thu Jun 25 05:55:04 2020 Received: from sonic306-21.consmr.mail.gq1.yahoo.com ([98.137.68.84]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gz6Q9-0007T7-Fz for openwrt-devel@lists.openwrt.org; Wed, 27 Feb 2019 21:07:20 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1551301628; bh=+l0vl+Bwc64p3Jr3bvLL1KunWv33/+qWt+8hMhYozXg=; h=From:To:Cc:Subject:Date:From:Subject; b=jfOjrhXD6G9r0+v6EoG2yT/7TlZGQQKZwOYLZDohX+TP7iV5vFh5aZqXRU5kEMxt+vTLzBUES76S7ESGXM0R6cT8p8nECyEthH5UTBjPDTFitmr526Ne4hNSnkZfEwQFOi/QKIJv6ior6rubny7fV017MT1QkQAlWlyjTbhP8fciblgfXtFM1v6Ua1+vYjWTUGFZP0HPdyY9LUqKo81cpJp0C1yLV3/RThC9enWrFcEinPHsNb5NR5e6QX1olHEE8i0Y96gkiG+qEMnosV7xTc/qtodqSHfTNAzCwszwvUwzf5taBh2zxomJTviE87QEg+UHK8ZdrSD2fEo2viA/Uw== X-YMail-OSG: vrl_ALgVM1kBDvnU6YAtKa0RNpeEAscrnbKY6r0dL_n1U79addokNb2DBNbAhA2 5DLzSd4UahPKNJU6x6fjLuM7O2qSul2wMEmISmVwlaiymGBm.D5xXcaWAGVx5tByP5h7Tqg49cC. AH.3H8ZwLD1EajFFS1HKk0Ugi7GU0HhH5VSEkpfag45Gtp3Mq5EhnzcAT5VGhgigSOAbU9jMYFLA 6hMiWgHXUQRJ6gGtx8GK4VhDYRejOb34qDDO7xALVeSnYilu7epE1azAgSCDNY8h5M_KBBeTP698 nFex7uI8nZBdEoS3v3.l._sMZxapQvalpc46PZ3q.CwjJBSgAygHSUNxlf3nhp4LfZ07Jos9rqme .iNTicj4jKzkgIfcuOo1KjpxdlSitaigQ7ihjYLbglzeIH0dhb64fApetoD9myQegtAzMqG_BhaH s75qYxKmlvObyR.t4iTta1.Pc9mxvzn5lJHp3s0VsQoYCEBrxE4ZpA5d3lbo7nv6ON.MA0fBHAII x.CyopmzgnzeR6MnP_J.6SzAt1vXl5Hk_LgA6.qA2zxvbxZladyD2X2wKv9ghLQPops1FFazBlXh Stm1EM8afWtLx.qwHF.hDukx.JsO1c4zdyuT47.0e3UXceCyn5s1DvHIwyCxNLiauE17ooGgPNMN RH9qd841XSHplo8Uhge9adI0GfsSVSt..aMi0B9Qx.BaN3h2.u3qEH2GKmaWJ1NN7c4MAwY98dzK _J7OmVeN0opvP9uOLDP29vFAlA3uuRc9Oo7SM0w.8BedfHpgt0ZW0ow3_fz.PzcUqXvY.ls4shq_ Zv8n6utmH.gpF.YN5jTHm5Y7.qxSewdW5ilBq0TbFC.dNDwJarUSLwzSj1VRlxc.RU2YvDdhcrsE T.WmCXfO_wdWwfVl_AVAAvwwEAttxslbV1AHWGhEZmKwn_CaDi1x7Hq7iCzFB9bOsbsCXRVe3il8 bvXV9GFsn_Utalap7lk5j0AOYRr4bwb4pE6wOYNhgwdIxGyXIJtZXAOpc_MQV.Bx3kH99oDuJBk5 bQufLWbvdlLw8gstbG8Hg0QCG92yL Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.gq1.yahoo.com with HTTP; Wed, 27 Feb 2019 21:07:08 +0000 Received: from 18.175.75.177.infopasa.com.br (EHLO gateway.troianet.com.br) ([177.75.175.18]) by smtp412.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID ac13c822cac627e0ba29e8cd27496c86; Wed, 27 Feb 2019 21:07:03 +0000 (UTC) From: Eneas U de Queiroz <cote2004-github@yahoo.com> To: openwrt-devel@lists.openwrt.org Cc: Eneas U de Queiroz <cote2004-github@yahoo.com> Subject: [PATCH] openssl: bump to release 1.1.1b Date: Wed, 27 Feb 2019 18:06:44 -0300 Message-Id: <20190227210644.19179-1-cote2004-github@yahoo.com> X-Mailer: git-send-email 2.19.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20190227_130717_596996_711E39D1 X-CRM114-Status: GOOD ( 12.69 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [98.137.68.84 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (cote2004-github[at]yahoo.com) -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid This is bugfix release that incorporated all of the devcrypto engine patches currently in the tree. The cleaning procedure in Package/Configure was not removing the dependency files, causing linking errors during a rebuild with different options. It was replaced by a simple make clean. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> --- This was compiled-tested on mips_24kc with no relevant size increase; run-tested on Linksys WRT3200ACM/mvebu/arm, Asus RT-N56U/ramips/mipsel_74kc, & Linksys WRT610N/brcm47xx/mipsel_mips32. This superseeds 'openssl: fix devcrypto engine md blocksize', merged upstream before this release. diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 732e3eb1cb..ab02f09f0e 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=a +PKG_BUGFIX:=b PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -25,7 +25,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41 +PKG_HASH:=5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE @@ -295,10 +295,6 @@ OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) define Build/Configure - [ -f $(STAMP_CONFIGURED) ] || { \ - rm -f $(PKG_BUILD_DIR)/*.so.* $(PKG_BUILD_DIR)/*.a; \ - find $(PKG_BUILD_DIR) -name \*.o | xargs rm -f; \ - } (cd $(PKG_BUILD_DIR); \ ./Configure $(OPENSSL_TARGET) \ --prefix=/usr \ @@ -306,7 +302,8 @@ define Build/Configure --openssldir=/etc/ssl \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ - $(OPENSSL_OPTIONS) \ + $(OPENSSL_OPTIONS) && \ + { [ -f $(STAMP_CONFIGURED) ] || make clean; } \ ) endef diff --git a/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch b/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch deleted file mode 100644 index 228654f03c..0000000000 --- a/package/libs/openssl/patches/200-eng_devcrypto-don-t-leak-methods-tables.patch +++ /dev/null @@ -1,42 +0,0 @@ -From be5cf61caa425070ec4f3e925d4e9aa484c8315b Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Mon, 5 Nov 2018 17:59:42 -0200 -Subject: [PATCH 1/7] eng_devcrypto: don't leak methods tables - -Call functions to prepare methods after confirming that /dev/crytpo was -sucessfully open and that the destroy function has been set. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit d9d4dff5c640990d45af115353fc9f88a497a56c) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -619,11 +619,6 @@ void engine_load_devcrypto_int() - return; - } - -- prepare_cipher_methods(); --#ifdef IMPLEMENT_DIGEST -- prepare_digest_methods(); --#endif -- - if ((e = ENGINE_new()) == NULL - || !ENGINE_set_destroy_function(e, devcrypto_unload)) { - ENGINE_free(e); -@@ -636,6 +631,11 @@ void engine_load_devcrypto_int() - return; - } - -+ prepare_cipher_methods(); -+#ifdef IMPLEMENT_DIGEST -+ prepare_digest_methods(); -+#endif -+ - if (!ENGINE_set_id(e, "devcrypto") - || !ENGINE_set_name(e, "/dev/crypto engine") - diff --git a/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch b/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch deleted file mode 100644 index 9e59a16ac2..0000000000 --- a/package/libs/openssl/patches/210-eng_devcrypto-expand-digest-failure-cases.patch +++ /dev/null @@ -1,37 +0,0 @@ -From add2ab1f289c24a1563c5b895d5cd133fe874f12 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Wed, 14 Nov 2018 11:22:14 -0200 -Subject: [PATCH 2/7] eng_devcrypto: expand digest failure cases - -Return failure when the digest_ctx is null in digest_update and -digest_final, and when md is null in digest_final. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit 4d9f99654441e36fdcb49540a1dbc9d4c70ccb68) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -438,6 +438,9 @@ static int digest_update(EVP_MD_CTX *ctx - if (count == 0) - return 1; - -+ if (digest_ctx == NULL) -+ return 0; -+ - if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) { - SYSerr(SYS_F_IOCTL, errno); - return 0; -@@ -451,6 +454,8 @@ static int digest_final(EVP_MD_CTX *ctx, - struct digest_ctx *digest_ctx = - (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); - -+ if (md == NULL || digest_ctx == NULL) -+ return 0; - if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { - SYSerr(SYS_F_IOCTL, errno); - return 0; diff --git a/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch b/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch deleted file mode 100644 index 2cfff604b9..0000000000 --- a/package/libs/openssl/patches/220-eng_devcrypto-fix-copy-of-unitilialized-digest.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 68b02a8ab798b7e916c8141a36ab69d7493fc707 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Wed, 14 Nov 2018 13:58:06 -0200 -Subject: [PATCH 3/7] eng_devcrypto: fix copy of unitilialized digest - -If the source ctx has not been initialized, don't initialize the copy -either. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit ae8183690fa53b978d4647563f5a521c4cafe94c) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -338,7 +338,8 @@ static int devcrypto_ciphers(ENGINE *e, - - struct digest_ctx { - struct session_op sess; -- int init; -+ /* This signals that the init function was called, not that it succeeded. */ -+ int init_called; - }; - - static const struct digest_data_st { -@@ -403,7 +404,7 @@ static int digest_init(EVP_MD_CTX *ctx) - const struct digest_data_st *digest_d = - get_digest_data(EVP_MD_CTX_type(ctx)); - -- digest_ctx->init = 1; -+ digest_ctx->init_called = 1; - - memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); - digest_ctx->sess.mac = digest_d->devcryptoid; -@@ -476,14 +477,9 @@ static int digest_copy(EVP_MD_CTX *to, c - (struct digest_ctx *)EVP_MD_CTX_md_data(to); - struct cphash_op cphash; - -- if (digest_from == NULL) -+ if (digest_from == NULL || digest_from->init_called != 1) - return 1; - -- if (digest_from->init != 1) { -- SYSerr(SYS_F_IOCTL, EINVAL); -- return 0; -- } -- - if (!digest_init(to)) { - SYSerr(SYS_F_IOCTL, errno); - return 0; diff --git a/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch b/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch deleted file mode 100644 index 050853a3d1..0000000000 --- a/package/libs/openssl/patches/230-eng_devcrypto-close-session-on-cleanup-not-final.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 5378c582c8d3f1130b17abb2950bfd09cde099c6 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Mon, 5 Nov 2018 15:59:44 -0200 -Subject: [PATCH 4/7] eng_devcrypto: close session on cleanup, not final - -Close the session in digest_cleanup instead of digest_final. A failure -in closing the session does not mean a previous successful digest final -has failed as well. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit a67203a19d379a8cc8b369587c60c46eb4e19014) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -461,10 +461,6 @@ static int digest_final(EVP_MD_CTX *ctx, - SYSerr(SYS_F_IOCTL, errno); - return 0; - } -- if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } - - return 1; - } -@@ -496,6 +492,15 @@ static int digest_copy(EVP_MD_CTX *to, c - - static int digest_cleanup(EVP_MD_CTX *ctx) - { -+ struct digest_ctx *digest_ctx = -+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); -+ -+ if (digest_ctx == NULL) -+ return 1; -+ if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { -+ SYSerr(SYS_F_IOCTL, errno); -+ return 0; -+ } - return 1; - } - diff --git a/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch b/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch deleted file mode 100644 index 948ff7c2bc..0000000000 --- a/package/libs/openssl/patches/240-eng_devcrypto-add-cipher-CTX-copy-function.patch +++ /dev/null @@ -1,54 +0,0 @@ -From a19d1a1d370e2959555fccbafc4e970634840352 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Tue, 13 Nov 2018 09:23:22 -0200 -Subject: [PATCH 5/7] eng_devcrypto: add cipher CTX copy function - -The engine needs a custom cipher context copy function to open a new -/dev/crypto session. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit 6d99e238397859f2df58c60e28905193b2dd6762) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -207,6 +207,22 @@ static int cipher_do_cipher(EVP_CIPHER_C - return 1; - } - -+static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) -+{ -+ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2; -+ struct cipher_ctx *cipher_ctx; -+ -+ if (type == EVP_CTRL_COPY) { -+ /* when copying the context, a new session needs to be initialized */ -+ cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -+ return (cipher_ctx == NULL) -+ || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx), -+ (cipher_ctx->op == COP_ENCRYPT)); -+ } -+ -+ return -1; -+} -+ - static int cipher_cleanup(EVP_CIPHER_CTX *ctx) - { - struct cipher_ctx *cipher_ctx = -@@ -258,10 +274,12 @@ static void prepare_cipher_methods(void) - cipher_data[i].ivlen) - || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], - cipher_data[i].flags -+ | EVP_CIPH_CUSTOM_COPY - | EVP_CIPH_FLAG_DEFAULT_ASN1) - || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) - || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], - cipher_do_cipher) -+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) - || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], - cipher_cleanup) - || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], diff --git a/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch b/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch deleted file mode 100644 index 54a9236f13..0000000000 --- a/package/libs/openssl/patches/250-eng_devcrypto-fix-ctr-mode.patch +++ /dev/null @@ -1,217 +0,0 @@ -From 2887a5c8f9a385b3ebee12b98f68e7d1f9cc0ea0 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Wed, 28 Nov 2018 11:26:27 -0200 -Subject: [PATCH 6/7] eng_devcrypto: fix ctr mode - -Make CTR mode behave like a stream cipher. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit b5015e834aa7d3f0a5d7585a8fae05cecbdbb848) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -47,10 +47,12 @@ static int cfd; - - struct cipher_ctx { - struct session_op sess; -- -- /* to pass from init to do_cipher */ -- const unsigned char *iv; - int op; /* COP_ENCRYPT or COP_DECRYPT */ -+ unsigned long mode; /* EVP_CIPH_*_MODE */ -+ -+ /* to handle ctr mode being a stream cipher */ -+ unsigned char partial[EVP_MAX_BLOCK_LENGTH]; -+ unsigned int blocksize, num; - }; - - static const struct cipher_data_st { -@@ -87,9 +89,9 @@ static const struct cipher_data_st { - { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, - #endif - #if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) -- { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -- { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -- { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -+ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, - #endif - #if 0 /* Not yet supported */ - { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, -@@ -146,6 +148,8 @@ static int cipher_init(EVP_CIPHER_CTX *c - cipher_ctx->sess.keylen = cipher_d->keylen; - cipher_ctx->sess.key = (void *)key; - cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; -+ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; -+ cipher_ctx->blocksize = cipher_d->blocksize; - if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { - SYSerr(SYS_F_IOCTL, errno); - return 0; -@@ -160,8 +164,11 @@ static int cipher_do_cipher(EVP_CIPHER_C - struct cipher_ctx *cipher_ctx = - (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); - struct crypt_op cryp; -+ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); - #if !defined(COP_FLAG_WRITE_IV) - unsigned char saved_iv[EVP_MAX_IV_LENGTH]; -+ const unsigned char *ivptr; -+ size_t nblocks, ivlen; - #endif - - memset(&cryp, 0, sizeof(cryp)); -@@ -169,19 +176,28 @@ static int cipher_do_cipher(EVP_CIPHER_C - cryp.len = inl; - cryp.src = (void *)in; - cryp.dst = (void *)out; -- cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx); -+ cryp.iv = (void *)iv; - cryp.op = cipher_ctx->op; - #if !defined(COP_FLAG_WRITE_IV) - cryp.flags = 0; - -- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { -- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx)); -- if (!EVP_CIPHER_CTX_encrypting(ctx)) { -- unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx); -+ ivlen = EVP_CIPHER_CTX_iv_length(ctx); -+ if (ivlen > 0) -+ switch (cipher_ctx->mode) { -+ case EVP_CIPH_CBC_MODE: -+ assert(inl >= ivlen); -+ if (!EVP_CIPHER_CTX_encrypting(ctx)) { -+ ivptr = in + inl - ivlen; -+ memcpy(saved_iv, ivptr, ivlen); -+ } -+ break; -+ -+ case EVP_CIPH_CTR_MODE: -+ break; - -- memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx)); -+ default: /* should not happen */ -+ return 0; - } -- } - #else - cryp.flags = COP_FLAG_WRITE_IV; - #endif -@@ -192,17 +208,74 @@ static int cipher_do_cipher(EVP_CIPHER_C - } - - #if !defined(COP_FLAG_WRITE_IV) -- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) { -- unsigned char *ivptr = saved_iv; -+ if (ivlen > 0) -+ switch (cipher_ctx->mode) { -+ case EVP_CIPH_CBC_MODE: -+ assert(inl >= ivlen); -+ if (EVP_CIPHER_CTX_encrypting(ctx)) -+ ivptr = out + inl - ivlen; -+ else -+ ivptr = saved_iv; -+ -+ memcpy(iv, ivptr, ivlen); -+ break; -+ -+ case EVP_CIPH_CTR_MODE: -+ nblocks = (inl + cipher_ctx->blocksize - 1) -+ / cipher_ctx->blocksize; -+ do { -+ ivlen--; -+ nblocks += iv[ivlen]; -+ iv[ivlen] = (uint8_t) nblocks; -+ nblocks >>= 8; -+ } while (ivlen); -+ break; -+ -+ default: /* should not happen */ -+ return 0; -+ } -+#endif -+ -+ return 1; -+} - -- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx)); -- if (!EVP_CIPHER_CTX_encrypting(ctx)) -- ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx); -+static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t inl) -+{ -+ struct cipher_ctx *cipher_ctx = -+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -+ size_t nblocks, len; - -- memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr, -- EVP_CIPHER_CTX_iv_length(ctx)); -+ /* initial partial block */ -+ while (cipher_ctx->num && inl) { -+ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num]; -+ --inl; -+ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize; -+ } -+ -+ /* full blocks */ -+ if (inl > (unsigned int) cipher_ctx->blocksize) { -+ nblocks = inl/cipher_ctx->blocksize; -+ len = nblocks * cipher_ctx->blocksize; -+ if (cipher_do_cipher(ctx, out, in, len) < 1) -+ return 0; -+ inl -= len; -+ out += len; -+ in += len; -+ } -+ -+ /* final partial block */ -+ if (inl) { -+ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize); -+ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial, -+ cipher_ctx->blocksize) < 1) -+ return 0; -+ while (inl--) { -+ out[cipher_ctx->num] = in[cipher_ctx->num] -+ ^ cipher_ctx->partial[cipher_ctx->num]; -+ cipher_ctx->num++; -+ } - } --#endif - - return 1; - } -@@ -249,6 +322,7 @@ static void prepare_cipher_methods(void) - { - size_t i; - struct session_op sess; -+ unsigned long cipher_mode; - - memset(&sess, 0, sizeof(sess)); - sess.key = (void *)"01234567890123456789012345678901234567890123456789"; -@@ -266,9 +340,12 @@ static void prepare_cipher_methods(void) - || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) - continue; - -+ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; -+ - if ((known_cipher_methods[i] = - EVP_CIPHER_meth_new(cipher_data[i].nid, -- cipher_data[i].blocksize, -+ cipher_mode == EVP_CIPH_CTR_MODE ? 1 : -+ cipher_data[i].blocksize, - cipher_data[i].keylen)) == NULL - || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], - cipher_data[i].ivlen) -@@ -278,6 +355,8 @@ static void prepare_cipher_methods(void) - | EVP_CIPH_FLAG_DEFAULT_ASN1) - || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) - || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], -+ cipher_mode == EVP_CIPH_CTR_MODE ? -+ ctr_do_cipher : - cipher_do_cipher) - || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) - || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], diff --git a/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch b/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch deleted file mode 100644 index df871920be..0000000000 --- a/package/libs/openssl/patches/260-eng_devcrypto-make-sure-digest-can-do-copy.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 488521d77fdc1de5ae256ce0d9203e35ebc92993 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Sat, 8 Dec 2018 18:01:04 -0200 -Subject: [PATCH 7/7] eng_devcrypto: make sure digest can do copy - -Digest must be able to do partial-state copy to be used. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - -Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7585) - -(cherry picked from commit 16e252a01b754a13e83d5e5e87afbe389997926b) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -601,6 +601,30 @@ static int digest_cleanup(EVP_MD_CTX *ct - return 1; - } - -+static int devcrypto_test_digest(size_t digest_data_index) -+{ -+ struct session_op sess1, sess2; -+ struct cphash_op cphash; -+ int ret=0; -+ -+ memset(&sess1, 0, sizeof(sess1)); -+ memset(&sess2, 0, sizeof(sess2)); -+ sess1.mac = digest_data[digest_data_index].devcryptoid; -+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) -+ return 0; -+ /* Make sure the driver is capable of hash state copy */ -+ sess2.mac = sess1.mac; -+ if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) { -+ cphash.src_ses = sess1.ses; -+ cphash.dst_ses = sess2.ses; -+ if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0) -+ ret = 1; -+ ioctl(cfd, CIOCFSESSION, &sess2.ses); -+ } -+ ioctl(cfd, CIOCFSESSION, &sess1.ses); -+ return ret; -+} -+ - /* - * Keep a table of known nids and associated methods. - * Note that known_digest_nids[] isn't necessarily indexed the same way as -@@ -613,20 +637,14 @@ static EVP_MD *known_digest_methods[OSSL - static void prepare_digest_methods(void) - { - size_t i; -- struct session_op sess; -- -- memset(&sess, 0, sizeof(sess)); - - for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); - i++) { - - /* -- * Check that the algo is really availably by trying to open and close -- * a session. -+ * Check that the algo is usable - */ -- sess.mac = digest_data[i].devcryptoid; -- if (ioctl(cfd, CIOCGSESSION, &sess) < 0 -- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) -+ if (!devcrypto_test_digest(i)) - continue; - - if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, diff --git a/package/libs/openssl/patches/300-eng_devcrypto-close-open-session-on-init.patch b/package/libs/openssl/patches/300-eng_devcrypto-close-open-session-on-init.patch deleted file mode 100644 index e857f01532..0000000000 --- a/package/libs/openssl/patches/300-eng_devcrypto-close-open-session-on-init.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 82b269fd77d20aa86d0825d798f3045dfe0a7a86 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz <cote2004-github@yahoo.com> -Date: Tue, 12 Feb 2019 10:44:19 -0200 -Subject: [PATCH] eng_devcrypto: close open session on init - -cipher_init may be called on an already initialized context, without a -necessary cleanup. This separates cleanup from initialization, closing -an eventual open session before creating a new one. - -Move the /dev/crypto session cleanup code to its own function. - -Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -35,6 +35,15 @@ - */ - static int cfd; - -+static int clean_devcrypto_session(struct session_op *sess) { -+ if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { -+ SYSerr(SYS_F_IOCTL, errno); -+ return 0; -+ } -+ memset(sess, 0, sizeof(struct session_op)); -+ return 1; -+} -+ - /****************************************************************************** - * - * Ciphers -@@ -143,7 +152,11 @@ static int cipher_init(EVP_CIPHER_CTX *c - const struct cipher_data_st *cipher_d = - get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); - -- memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess)); -+ /* cleanup a previous session */ -+ if (cipher_ctx->sess.ses != 0 && -+ clean_devcrypto_session(&cipher_ctx->sess) == 0) -+ return 0; -+ - cipher_ctx->sess.cipher = cipher_d->devcryptoid; - cipher_ctx->sess.keylen = cipher_d->keylen; - cipher_ctx->sess.key = (void *)key; -@@ -282,15 +295,29 @@ static int ctr_do_cipher(EVP_CIPHER_CTX - - static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) - { -+ struct cipher_ctx *cipher_ctx = -+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); - EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2; -- struct cipher_ctx *cipher_ctx; -+ struct cipher_ctx *to_cipher_ctx; -+ -+ switch (type) { - -- if (type == EVP_CTRL_COPY) { -+ case EVP_CTRL_COPY: -+ if (cipher_ctx == NULL) -+ return 1; - /* when copying the context, a new session needs to be initialized */ -- cipher_ctx = (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -- return (cipher_ctx == NULL) -- || cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx), -+ to_cipher_ctx = -+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(to_ctx); -+ memset(&to_cipher_ctx->sess, 0, sizeof(to_cipher_ctx->sess)); -+ return cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx), - (cipher_ctx->op == COP_ENCRYPT)); -+ -+ case EVP_CTRL_INIT: -+ memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess)); -+ return 1; -+ -+ default: -+ break; - } - - return -1; -@@ -301,12 +328,7 @@ static int cipher_cleanup(EVP_CIPHER_CTX - struct cipher_ctx *cipher_ctx = - (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); - -- if (ioctl(cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } -- -- return 1; -+ return clean_devcrypto_session(&cipher_ctx->sess); - } - - /* -@@ -352,6 +374,7 @@ static void prepare_cipher_methods(void) - || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], - cipher_data[i].flags - | EVP_CIPH_CUSTOM_COPY -+ | EVP_CIPH_CTRL_INIT - | EVP_CIPH_FLAG_DEFAULT_ASN1) - || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) - || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], -@@ -594,11 +617,8 @@ static int digest_cleanup(EVP_MD_CTX *ct - - if (digest_ctx == NULL) - return 1; -- if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } -- return 1; -+ -+ return clean_devcrypto_session(&digest_ctx->sess); - } - - static int devcrypto_test_digest(size_t digest_data_index) ]