From be3892284ca77a69615351b106b8dfbadad728c4 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Mon, 22 Oct 2018 11:32:56 -0300
Subject: openssl: add configuration options, disable ssl3

Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine

Installs openssl.cnf with the library as it is used by engines independent of the openssl util.
Fixes DTLS option that was innefective before.
Disables insecure SSL3 protocol and SHA0.
Adds openwrt-specific targets to Configure script, including asm support for i386, ppc and mips64.
Strips building dirs from CFLAGS shown in binary.
Skips the fuzz directory during build.
Removed include/crypto/devcrypto.h that was included here, to use the cryptodev-linux package, now that it was been moved from the packages feed to the main openwrt repository.

This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz
---
 package/libs/openssl/Makefile | 182 ++++++++++++++++++++++++++++++------------
 1 file changed, 131 insertions(+), 51 deletions(-)

(limited to 'package/libs/openssl/Makefile')

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 71c2c9c028..d9b1de2581 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -15,7 +15,7 @@ PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=0
-
+PKG_BUILD_DEPENDS:=cryptodev-linux
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:= \
@@ -25,24 +25,35 @@ PKG_SOURCE_URL:= \
 	http://www.openssl.org/source/ \
 	http://www.openssl.org/source/old/$(PKG_BASE)/
 PKG_HASH:=5744cfcbcec2b1b48629f7354203bc1e5e9b5466998bbccc5b5fcde3b18eb684
+ENGINES_DIR=engines
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
 PKG_CPE_ID:=cpe:/a:openssl:openssl
 
 PKG_CONFIG_DEPENDS:= \
+	CONFIG_OPENSSL_ENGINE \
 	CONFIG_OPENSSL_ENGINE_CRYPTO \
 	CONFIG_OPENSSL_ENGINE_DIGEST \
-	CONFIG_OPENSSL_WITH_EC \
-	CONFIG_OPENSSL_WITH_EC2M \
-	CONFIG_OPENSSL_WITH_SSL3 \
-	CONFIG_OPENSSL_HARDWARE_SUPPORT \
 	CONFIG_OPENSSL_NO_DEPRECATED \
-	CONFIG_OPENSSL_WITH_DTLS \
+	CONFIG_OPENSSL_OPTIMIZE_SPEED \
+	CONFIG_OPENSSL_WITH_ASM \
+	CONFIG_OPENSSL_WITH_CAMELLIA \
+	CONFIG_OPENSSL_WITH_CMS \
 	CONFIG_OPENSSL_WITH_COMPRESSION \
+	CONFIG_OPENSSL_WITH_DTLS \
+	CONFIG_OPENSSL_WITH_EC \
+	CONFIG_OPENSSL_WITH_EC2M \
+	CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
+	CONFIG_OPENSSL_WITH_GOST \
+	CONFIG_OPENSSL_WITH_IDEA \
+	CONFIG_OPENSSL_WITH_MDC2 \
 	CONFIG_OPENSSL_WITH_NPN \
 	CONFIG_OPENSSL_WITH_PSK \
+	CONFIG_OPENSSL_WITH_RFC3779 \
+	CONFIG_OPENSSL_WITH_SEED \
 	CONFIG_OPENSSL_WITH_SRP \
-	CONFIG_OPENSSL_OPTIMIZE_SPEED
+	CONFIG_OPENSSL_WITH_SSE2 \
+	CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -54,6 +65,8 @@ endif
 define Package/openssl/Default
   TITLE:=Open source SSL toolkit
   URL:=http://www.openssl.org/
+  SECTION:=libs
+  CATEGORY:=Libraries
 endef
 
 define Package/libopenssl/config
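Review bot: `ENGINES_DIR=engines` is the only recursively-expanded assignment in this block and the only one written without the `:=` that every other variable in the file uses; `ENGINES_DIR:=engines` follows the file's convention and avoids re-expansion each time the install recipes later in the file reference it. The value is a plain literal, so behaviour is the same either way and this is purely a style point.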
@@ -62,16 +75,14 @@ endef
 
 define Package/openssl/Default/description
 The OpenSSL Project is a collaborative effort to develop a robust,
-commercial-grade, full-featured, and Open Source toolkit implementing the Secure
-Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well
-as a full-strength general purpose cryptography library.
+commercial-grade, full-featured, and Open Source toolkit implementing the
+Transport Layer Security (TLS) protocol as well as a full-strength
+general-purpose cryptography library.
 endef
 
 define Package/libopenssl
   $(call Package/openssl/Default)
-  SECTION:=libs
   SUBMENU:=SSL
-  CATEGORY:=Libraries
   DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
   TITLE+= (libraries)
   ABI_VERSION:=1.0.0
@@ -100,19 +111,35 @@ $(call Package/openssl/Default/description)
 This package contains the OpenSSL command-line utility.
 endef
 
+define Package/libopenssl-gost
+  $(call Package/openssl/Default)
+  SUBMENU:=SSL
+  TITLE:=Russian GOST algorithms engine
+  DEPENDS:=libopenssl +@OPENSSL_WITH_GOST
+endef
+
+define Package/libopenssl-gost/description
+This package adds an engine that enables Russian GOST algorithms.
+To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+The engine_id is "gost"
+endef
 
-OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5 \
-	no-whrlpool no-whirlpool no-seed no-jpake
-OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method no-heartbeats
+define Package/libopenssl-padlock
+  $(call Package/openssl/Default)
+  SUBMENU:=SSL
+  TITLE:=VIA Padlock hardware acceleration engine
+  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +kmod-crypto-hw-padlock
+endef
 
-ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
-  OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
-  ifdef CONFIG_OPENSSL_ENGINE_DIGEST
-    OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
-  endif
-else
-  OPENSSL_OPTIONS += no-engines
-endif
+define Package/libopenssl-padlock/description
+This package adds an engine that enables VIA Padlock hardware acceleration.
+To use it, you need to configure it in /etc/ssl/openssl.cnf.
+See https://www.openssl.org/docs/man1.0.2/apps/config.html#ENGINE-CONFIGURATION-MODULE
+The engine_id is "padlock"
+endef
+
+OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3-method
 
 ifndef CONFIG_OPENSSL_WITH_EC
   OPENSSL_OPTIONS += no-ec
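Review bot: The new `OPENSSL_OPTIONS:=` line passes only `no-ssl3-method`, whereas the conditional it replaces (removed in the next hunk) passed `no-ssl3 no-ssl3-method`; in 1.0.2 SSLv3 is still enabled by default and, as far as I recall, `no-ssl3` is the option that defines OPENSSL_NO_SSL3 and removes SSLv3 from the SSLv23_* version negotiation, while `no-ssl3-method` only drops the explicit SSLv3_*method() entry points. Unless Configure cascades one onto the other, an application using SSLv23_method() without SSL_OP_NO_SSLv3 could still negotiate SSLv3, which is exactly what the commit message claims to disable. Suggest `OPENSSL_OPTIONS:= shared no-heartbeats no-sha0 no-ssl2-method no-ssl3 no-ssl3-method` and confirming that the generated opensslconf.h defines OPENSSL_NO_SSL3. The `ifndef CONFIG_OPENSSL_WITH_EC` block at the end of the hunk continues outside it.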
@@ -122,20 +149,70 @@ ifndef CONFIG_OPENSSL_WITH_EC2M
   OPENSSL_OPTIONS += no-ec2m
 endif
 
-ifndef CONFIG_OPENSSL_WITH_SSL3
-  OPENSSL_OPTIONS += no-ssl3 no-ssl3-method
+ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
+  OPENSSL_OPTIONS += no-err
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CAMELLIA
+  OPENSSL_OPTIONS += no-camellia
+endif
+
+ifndef CONFIG_OPENSSL_WITH_IDEA
+  OPENSSL_OPTIONS += no-idea
+endif
+
+ifndef CONFIG_OPENSSL_WITH_SEED
+  OPENSSL_OPTIONS += no-seed
 endif
 
-ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT
-  OPENSSL_OPTIONS += no-hw
+ifndef CONFIG_OPENSSL_WITH_MDC2
+  OPENSSL_OPTIONS += no-mdc2
+endif
+
+ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
+  OPENSSL_OPTIONS += no-whirlpool
+endif
+
+ifndef CONFIG_OPENSSL_WITH_CMS
+  OPENSSL_OPTIONS += no-cms
+endif
+
+ifdef CONFIG_OPENSSL_WITH_RFC3779
+  OPENSSL_OPTIONS += enable-rfc3779
 endif
 
 ifdef CONFIG_OPENSSL_NO_DEPRECATED
   OPENSSL_OPTIONS += no-deprecated
 endif
 
+ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
+  TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
+else
+  OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
+endif
+
+ifdef CONFIG_OPENSSL_ENGINE
+  ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
+    OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
+    ifdef CONFIG_OPENSSL_ENGINE_DIGEST
+      OPENSSL_OPTIONS += -DUSE_CRYPTODEV_DIGESTS
+    endif
+  endif
+  ifndef CONFIG_PACKAGE_libopenssl-padlock
+    OPENSSL_OPTIONS += no-hw-padlock
+  endif
+else
+  OPENSSL_OPTIONS += no-engine
+endif
+
+ifndef CONFIG_OPENSSL_WITH_GOST
+  OPENSSL_OPTIONS += no-gost
+endif
+
+# Even with no-dtls and no-dtls1 options, the library keeps the DTLS code,
+# but openssl util gets built without it
 ifndef CONFIG_OPENSSL_WITH_DTLS
-  OPENSSL_OPTIONS += no-dtls
+  OPENSSL_OPTIONS += no-dtls no-dtls1
 endif
 
 ifdef CONFIG_OPENSSL_WITH_COMPRESSION
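Review bot: `CONFIG_PACKAGE_libopenssl-padlock` now alters OPENSSL_OPTIONS (the `no-hw-padlock` branch) but is the one knob in this block that is not listed in PKG_CONFIG_DEPENDS in the earlier hunk; the md5 of OPENSSL_OPTIONS folded into STAMP_CONFIGURED presumably still forces a reconfigure, but adding `CONFIG_PACKAGE_libopenssl-padlock \` to that list keeps the config dependency explicit like every other option here. A short comment on the `-DHAVE_CRYPTODEV` line would also help, e.g. `# cryptodev engine talks to /dev/crypto; header comes from the cryptodev-linux build dependency`, since that is the only reason the first hunk adds an unconditional PKG_BUILD_DEPENDS on cryptodev-linux — if the `OPENSSL_ENGINE_CRYPTO:cryptodev-linux` form is accepted there, the build dependency could be limited to builds that actually enable the engine. The `ifdef CONFIG_OPENSSL_WITH_COMPRESSION` block at the end continues outside the hunk.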
@@ -156,27 +233,18 @@ ifndef CONFIG_OPENSSL_WITH_SRP
   OPENSSL_OPTIONS += no-srp
 endif
 
-ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
-  TARGET_CFLAGS := $(filter-out -Os,$(TARGET_CFLAGS)) -O3
+ifndef CONFIG_OPENSSL_WITH_ASM
+  OPENSSL_OPTIONS += no-asm
 endif
 
-ifeq ($(CONFIG_x86_64),y)
-  OPENSSL_TARGET:=linux-x86_64-openwrt
-  OPENSSL_MAKEFLAGS += LIBDIR=lib
-else
-  OPENSSL_OPTIONS+=no-sse2
-  ifeq ($(CONFIG_mips)$(CONFIG_mipsel),y)
-    OPENSSL_TARGET:=linux-mips-openwrt
-  else ifeq ($(CONFIG_aarch64),y)
-    OPENSSL_TARGET:=linux-aarch64-openwrt
-  else ifeq ($(CONFIG_arm)$(CONFIG_armeb),y)
-    OPENSSL_TARGET:=linux-armv4-openwrt
-  else
-    OPENSSL_TARGET:=linux-generic-openwrt
-    OPENSSL_OPTIONS+=no-perlasm
+ifdef CONFIG_i386
+  ifndef CONFIG_OPENSSL_WITH_SSE2
+    OPENSSL_OPTIONS += no-sse2
   endif
 endif
 
+OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
+
 STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5)
 
 define Build/Configure
@@ -187,11 +255,10 @@ define Build/Configure
 	(cd $(PKG_BUILD_DIR); \
 		./Configure $(OPENSSL_TARGET) \
 			--prefix=/usr \
+			--libdir=lib \
 			--openssldir=/etc/ssl \
 			$(TARGET_CPPFLAGS) \
-			$(TARGET_LDFLAGS) -ldl \
-			$(if $(CONFIG_OPENSSL_OPTIMIZE_SPEED),,-DOPENSSL_SMALL_FOOTPRINT) \
-			$(OPENSSL_NO_CIPHERS) \
+			$(TARGET_LDFLAGS) \
 			$(OPENSSL_OPTIONS) \
 	)
 	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
@@ -202,7 +269,7 @@ define Build/Configure
 		depend
 endef
 
-TARGET_CFLAGS += $(FPIC) -I$(CURDIR)/include -ffunction-sections -fdata-sections
+TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
 TARGET_LDFLAGS += -Wl,--gc-sections
 
 define Build/Compile
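Review bot: `OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt` drops the `linux-generic-openwrt` fallback that the removed `else` branch provided, so any CONFIG_ARCH value without a matching `linux-<arch>-openwrt` entry in the patched Configure now fails at the Configure step instead of building a generic no-asm library. The commit message names i386, ppc and mips64 as the targets added, but that Configure patch is not part of this diff, so I cannot tell whether every architecture OpenWrt builds for (e.g. arc, armeb, mipsel, powerpc64, as applicable) is covered. At minimum a comment such as `# every CONFIG_ARCH must have a linux-$(CONFIG_ARCH)-openwrt target in the Configure patch; unknown archs fail at Configure` would document the new contract, and the generic fallback could be kept for archs the patch does not list.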
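Review bot: `-ldl` is removed from the `$(TARGET_LDFLAGS)` line handed to Configure in the same commit that adds dynamic engine support (CONFIG_OPENSSL_ENGINE), and loading an engine .so goes through libcrypto's dlopen()-based DSO code; this therefore assumes the new linux-*-openwrt targets in the Configure patch (not shown here) carry `-ldl` in their ex_libs field the way upstream's generic Linux targets do. On glibc that library is separate, so if the targets do not supply it libcrypto would either fail to link or leave dl* symbols unresolved for engine users; worth confirming on an engines-enabled glibc build with `readelf -d libcrypto.so.1.0.0 | grep NEEDED`. The Build/Configure define starts before and ends after this hunk.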
@@ -251,20 +318,33 @@ define Build/InstallDev
 endef
 
 define Package/libopenssl/install
+	$(INSTALL_DIR) $(1)/etc/ssl/certs
+	$(INSTALL_DIR) $(1)/etc/ssl/private
+	chmod 0700 $(1)/etc/ssl/private
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
+	$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
 endef
 
 define Package/openssl-util/install
 	$(INSTALL_DIR) $(1)/etc/ssl
 	$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-	$(INSTALL_DIR) $(1)/etc/ssl/certs
-	$(INSTALL_DIR) $(1)/etc/ssl/private
-	chmod 0700 $(1)/etc/ssl/private
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
 endef
 
+define Package/libopenssl-padlock/install
+	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
+endef
+
+define Package/libopenssl-gost/install
+	$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/libgost.so $(1)/usr/lib/$(ENGINES_DIR)
+endef
+
 $(eval $(call BuildPackage,libopenssl))
+$(eval $(call BuildPackage,libopenssl-gost))
+$(eval $(call BuildPackage,libopenssl-padlock))
 $(eval $(call BuildPackage,openssl-util))
-- 
cgit v1.2.3
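Review bot: openssl.cnf still ships only with openssl-util — the `$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/` line is unchanged context in Package/openssl-util/install — even though the commit message says it is now installed with the library and both new engine descriptions tell users to configure the engine in /etc/ssl/openssl.cnf; neither libopenssl-gost nor libopenssl-padlock depends on openssl-util, so on an image without the utility the file the descriptions point at does not exist and the engines stay unconfigured. Move `$(INSTALL_DIR) $(1)/etc/ssl` and the `$(CP) ... openssl.cnf $(1)/etc/ssl/` line into Package/libopenssl/install, which this hunk already makes the owner of /etc/ssl/certs and /etc/ssl/private, and list `/etc/ssl/openssl.cnf` in a Package/libopenssl/conffiles so a package upgrade does not overwrite the user's engine configuration. As a minor consistency point, the engine .so files are installed with $(INSTALL_BIN) while libcrypto and libssl in the same hunk use $(INSTALL_DATA).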