From b7223240b760eeb760820e62bc04664753cf712f Mon Sep 17 00:00:00 2001 From: moonman Date: Thu, 27 Apr 2017 20:07:57 -0600 Subject: [PATCH] core/openssl-cryptodev to 1.1.0.e-1 --- core/openssl-cryptodev/PKGBUILD | 94 +-- core/openssl-cryptodev/ca-dir.patch | 44 +- ..._sig-gen_and_allow_copy_evp_contexts.patch | 617 ------------------ core/openssl-cryptodev/no-rpath.patch | 11 - .../openssl-cryptodev/ssl3-test-failure.patch | 26 - 5 files changed, 53 insertions(+), 739 deletions(-) delete mode 100644 core/openssl-cryptodev/fix_sig-gen_and_allow_copy_evp_contexts.patch delete mode 100644 core/openssl-cryptodev/no-rpath.patch delete mode 100644 core/openssl-cryptodev/ssl3-test-failure.patch diff --git a/core/openssl-cryptodev/PKGBUILD b/core/openssl-cryptodev/PKGBUILD index 3c3f42228..7a1fedbaa 100644 --- a/core/openssl-cryptodev/PKGBUILD +++ b/core/openssl-cryptodev/PKGBUILD @@ -2,84 +2,71 @@ # Maintainer: Pierre Schmitz # ALARM: Kevin Mihelich -# - use linux-armv4 target for our architectures -# - cryptodev-enabled version -# -# moonman -# - get cryptodev.h from cryptodev tarball instead of the kernel headers -# - patches from cryptodev developers for openssl +# - set ARM architecture targets +# Oleg Rakhmanov +# - cryptodev enabled version buildarch=6 pkgname=openssl-cryptodev _pkgname=openssl -_ver=1.0.2h +_ver=1.1.0e # use a pacman compatible version scheme pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}} #pkgver=$_ver -pkgrel=2 +pkgrel=1 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security' arch=('arm' 'armv7h') url='https://www.openssl.org' license=('custom:BSD') depends=('perl') optdepends=('ca-certificates') -options=('!makeflags') backup=('etc/ssl/openssl.cnf') -conflicts=('openssl-1.0') -provides=("openssl-1.0=${pkgver}") -_cryptover=1.8 +conflicts=('openssl') +provides=("openssl=${pkgver}") +_cryptodevver=1.9 source=("https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz" - 'no-rpath.patch' - 'ssl3-test-failure.patch' + "https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz.asc" 'ca-dir.patch' - "http://download.gna.org/cryptodev-linux/cryptodev-linux-${_cryptover}.tar.gz" - 'fix_sig-gen_and_allow_copy_evp_contexts.patch') - -md5sums=('9392e65072ce4b614c1392eefc1f23d0' - 'dc78d3d06baffc16217519242ce92478' - '62fc492252edd3283871632bb77fadbe' - '3bf51be3a1bbd262be46dc619f92aa90' - '02644cc4cd02301e0b503a332eb2f0b5' - '91c72fe6b89e3134bc61cfb4311bf348') + "https://github.com/cryptodev-linux/cryptodev-linux/archive/cryptodev-linux-${_cryptodevver}.tar.gz") +md5sums=('51c42d152122e474754aea96f66928c6' + 'SKIP' + '02b53865fb70faef763e262b4971aa4b' + 'e5aacd2293cea9c94f71ca2e0b4dea57') validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491') prepare() { - cd $srcdir/${_pkgname}-$_ver + cd $srcdir/$_pkgname-$_ver - # remove rpath: http://bugs.archlinux.org/task/14367 - patch -p0 -i $srcdir/no-rpath.patch - - # disable a test that fails when ssl3 is disabled - patch -p1 -i $srcdir/ssl3-test-failure.patch - - # set ca dir to /etc/ssl by default - patch -p0 -i $srcdir/ca-dir.patch - - msg2 "Patch eng_cryptodev.c" - patch -p1 -i $srcdir/fix_sig-gen_and_allow_copy_evp_contexts.patch - - # Copy the header file - cp -u ${srcdir}/cryptodev-linux-${_cryptover}/crypto/cryptodev.h ${srcdir}/openssl-${_ver}/crypto/ + # set ca dir to /etc/ssl by default + patch -p0 -i $srcdir/ca-dir.patch + # Copy the header file + cp -u ${srcdir}/cryptodev-linux-cryptodev-linux-${_cryptodevver}/crypto/cryptodev.h ${srcdir}/openssl-${_ver}/crypto/ } build() { - cd $srcdir/${_pkgname}-$_ver + cd $srcdir/$_pkgname-$_ver if [ "${CARCH}" == 'x86_64' ]; then openssltarget='linux-x86_64' + optflags='enable-ec_nistp_64_gcc_128' elif [ "${CARCH}" == 'i686' ]; then openssltarget='linux-elf' - elif [ "${CARCH}" == 'arm' -o "${CARCH}" == 'armv7h' ]; then + optflags='' + elif [ "${CARCH}" == 'arm' -o "${CARCH}" == 'armv6h' -o "${CARCH}" == 'armv7h' ]; then openssltarget='linux-armv4' + optflags='' + elif [ "${CARCH}" == 'aarch64' ]; then + openssltarget='linux-aarch64' + optflags='no-afalgeng' fi # mark stack as non-executable: http://bugs.archlinux.org/task/12434 - ./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib/openssl-1.0 \ + ./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \ -DHAVE_CRYPTODEV -DHASH_MAX_LEN=64 \ - shared threads no-ssl3-method \ + shared no-ssl3-method ${optflags} \ "${openssltarget}" \ "-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}" @@ -97,24 +84,7 @@ check() { } package() { - depends=('cryptodev_friendly') - cd "$srcdir/openssl-$_ver" - - make INSTALL_PREFIX="$pkgdir" install_sw - - # Move some files around - install -m755 -d "$pkgdir/usr/include/openssl-1.0" - mv "$pkgdir/usr/include/openssl" "$pkgdir/usr/include/openssl-1.0/" - mv "$pkgdir/usr/lib/openssl-1.0/libcrypto.so.1.0.0" "$pkgdir/usr/lib/" - mv "$pkgdir/usr/lib/openssl-1.0/libssl.so.1.0.0" "$pkgdir/usr/lib/" - ln -sf ../libssl.so.1.0.0 "$pkgdir/usr/lib/openssl-1.0/libssl.so" - ln -sf ../libcrypto.so.1.0.0 "$pkgdir/usr/lib/openssl-1.0/libcrypto.so" - mv "$pkgdir/usr/bin/openssl" "$pkgdir/usr/bin/openssl-1.0" - - # Update includedir in .pc files - sed -e 's|/include$|/include/openssl-1.0|' -i "$pkgdir"/usr/lib/openssl-1.0/pkgconfig/*.pc - - rm -rf "$pkgdir"/{etc,usr/bin/c_rehash} - - install -D -m644 LICENSE $pkgdir/usr/share/licenses/${pkgname}/LICENSE + cd $srcdir/$_pkgname-$_ver + make DESTDIR=$pkgdir MANDIR=/usr/share/man MANSUFFIX=ssl install_sw install_ssldirs install_man_docs + install -D -m644 LICENSE $pkgdir/usr/share/licenses/$_pkgname/LICENSE } diff --git a/core/openssl-cryptodev/ca-dir.patch b/core/openssl-cryptodev/ca-dir.patch index 41d1386d3..1daba849b 100644 --- a/core/openssl-cryptodev/ca-dir.patch +++ b/core/openssl-cryptodev/ca-dir.patch @@ -1,27 +1,16 @@ ---- apps/CA.pl.in 2006-04-28 02:30:49.000000000 +0200 -+++ apps/CA.pl.in 2010-04-01 00:35:02.600553509 +0200 -@@ -53,7 +53,7 @@ - $X509="$openssl x509"; - $PKCS12="$openssl pkcs12"; +--- apps/CA.pl.in 2016-09-26 11:46:04.000000000 +0200 ++++ apps/CA.pl.in 2016-11-01 16:02:16.709616823 +0100 +@@ -33,7 +33,7 @@ + my $PKCS12 = "$openssl pkcs12"; --$CATOP="./demoCA"; -+$CATOP="/etc/ssl"; - $CAKEY="cakey.pem"; - $CAREQ="careq.pem"; - $CACERT="cacert.pem"; ---- apps/CA.sh 2009-10-15 19:27:47.000000000 +0200 -+++ apps/CA.sh 2010-04-01 00:35:02.600553509 +0200 -@@ -68,7 +68,7 @@ - X509="$OPENSSL x509" - PKCS12="openssl pkcs12" - --if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi -+if [ -z "$CATOP" ] ; then CATOP=/etc/ssl ; fi - CAKEY=./cakey.pem - CAREQ=./careq.pem - CACERT=./cacert.pem ---- apps/openssl.cnf 2009-04-04 20:09:43.000000000 +0200 -+++ apps/openssl.cnf 2010-04-01 00:35:02.607220681 +0200 + # default openssl.cnf file has setup as per the following +-my $CATOP = "./demoCA"; ++my $CATOP = "/etc/ssl"; + my $CAKEY = "cakey.pem"; + my $CAREQ = "careq.pem"; + my $CACERT = "cacert.pem"; +--- apps/openssl.cnf 2016-09-26 11:46:04.000000000 +0200 ++++ apps/openssl.cnf 2016-11-01 16:02:48.378503427 +0100 @@ -39,7 +39,7 @@ #################################################################### [ CA_default ] @@ -31,3 +20,12 @@ certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. +@@ -323,7 +323,7 @@ + [ tsa_config1 ] + + # These are used by the TSA reply generation only. +-dir = ./demoCA # TSA root directory ++dir = /etc/ssl # TSA root directory + serial = $dir/tsaserial # The current serial number (mandatory) + crypto_device = builtin # OpenSSL engine to use for signing + signer_cert = $dir/tsacert.pem # The TSA signing certificate diff --git a/core/openssl-cryptodev/fix_sig-gen_and_allow_copy_evp_contexts.patch b/core/openssl-cryptodev/fix_sig-gen_and_allow_copy_evp_contexts.patch deleted file mode 100644 index d5b23e4c9..000000000 --- a/core/openssl-cryptodev/fix_sig-gen_and_allow_copy_evp_contexts.patch +++ /dev/null @@ -1,617 +0,0 @@ -diff -ruN a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c ---- a/crypto/engine/eng_cryptodev.c 2015-01-22 14:58:32.000000000 +0000 -+++ b/crypto/engine/eng_cryptodev.c 2015-01-31 10:34:21.115744912 +0000 -@@ -2,6 +2,7 @@ - * Copyright (c) 2002 Bob Beck - * Copyright (c) 2002 Theo de Raadt - * Copyright (c) 2002 Markus Friedl -+ * Copyright (c) 2012 Nikos Mavrogiannopoulos - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without -@@ -72,7 +73,6 @@ - struct session_op d_sess; - int d_fd; - # ifdef USE_CRYPTODEV_DIGESTS -- char dummy_mac_key[HASH_MAX_LEN]; - unsigned char digest_res[HASH_MAX_LEN]; - char *mac_data; - int mac_len; -@@ -189,8 +189,10 @@ - static struct { - int id; - int nid; -- int keylen; -+ int digestlen; - } digests[] = { -+# if 0 -+ /* HMAC is not supported */ - { - CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16 - }, -@@ -198,15 +200,15 @@ - CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20 - }, - { -- CRYPTO_RIPEMD160_HMAC, NID_ripemd160, 16 -- /* ? */ -+ CRYPTO_SHA2_256_HMAC, NID_hmacWithSHA256, 32 - }, - { -- CRYPTO_MD5_KPDK, NID_undef, 0 -+ CRYPTO_SHA2_384_HMAC, NID_hmacWithSHA384, 48 - }, - { -- CRYPTO_SHA1_KPDK, NID_undef, 0 -+ CRYPTO_SHA2_512_HMAC, NID_hmacWithSHA512, 64 - }, -+# endif - { - CRYPTO_MD5, NID_md5, 16 - }, -@@ -214,6 +216,15 @@ - CRYPTO_SHA1, NID_sha1, 20 - }, - { -+ CRYPTO_SHA2_256, NID_sha256, 32 -+ }, -+ { -+ CRYPTO_SHA2_384, NID_sha384, 48 -+ }, -+ { -+ CRYPTO_SHA2_512, NID_sha512, 64 -+ }, -+ { - 0, NID_undef, 0 - }, - }; -@@ -288,13 +299,14 @@ - static int nids[CRYPTO_ALGORITHM_MAX]; - struct session_op sess; - int fd, i, count = 0; -+ unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN]; - - if ((fd = get_dev_crypto()) < 0) { - *cnids = NULL; - return (0); - } - memset(&sess, 0, sizeof(sess)); -- sess.key = (caddr_t) "123456789abcdefghijklmno"; -+ sess.key = (void *)fake_key; - - for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { - if (ciphers[i].nid == NID_undef) -@@ -325,6 +337,7 @@ - static int get_cryptodev_digests(const int **cnids) - { - static int nids[CRYPTO_ALGORITHM_MAX]; -+ unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN]; - struct session_op sess; - int fd, i, count = 0; - -@@ -333,12 +346,12 @@ - return (0); - } - memset(&sess, 0, sizeof(sess)); -- sess.mackey = (caddr_t) "123456789abcdefghijklmno"; -+ sess.mackey = fake_key; - for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { - if (digests[i].nid == NID_undef) - continue; - sess.mac = digests[i].id; -- sess.mackeylen = digests[i].keylen; -+ sess.mackeylen = 8; - sess.cipher = 0; - if (ioctl(fd, CIOCGSESSION, &sess) != -1 && - ioctl(fd, CIOCFSESSION, &sess.ses) != -1) -@@ -424,14 +437,14 @@ - cryp.ses = sess->ses; - cryp.flags = 0; - cryp.len = inl; -- cryp.src = (caddr_t) in; -- cryp.dst = (caddr_t) out; -+ cryp.src = (void *)in; -+ cryp.dst = (void *)out; - cryp.mac = 0; - - cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; - - if (ctx->cipher->iv_len) { -- cryp.iv = (caddr_t) ctx->iv; -+ cryp.iv = (void *)ctx->iv; - if (!ctx->encrypt) { - iiv = in + inl - ctx->cipher->iv_len; - memcpy(save_iv, iiv, ctx->cipher->iv_len); -@@ -483,7 +496,7 @@ - if ((state->d_fd = get_dev_crypto()) < 0) - return (0); - -- sess->key = (caddr_t) key; -+ sess->key = (void *)key; - sess->keylen = ctx->key_len; - sess->cipher = cipher; - -@@ -534,151 +547,165 @@ - * gets called when libcrypto requests a cipher NID. - */ - -+static int cryptodev_cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, -+ void *p2) -+{ -+ struct dev_crypto_state *state = ctx->cipher_data; -+ struct session_op *sess = &state->d_sess; -+ -+ if (type == EVP_CTRL_COPY) { -+ EVP_CIPHER_CTX *out = p2; -+ return cryptodev_init_key(out, sess->key, ctx->iv, 0); -+ } -+ -+ return 0; -+} -+ - /* RC4 */ - const EVP_CIPHER cryptodev_rc4 = { - NID_rc4, - 1, 16, 0, -- EVP_CIPH_VARIABLE_LENGTH, -+ EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - NULL, - NULL, -- NULL -+ cryptodev_cipher_ctrl - }; - - /* DES CBC EVP */ - const EVP_CIPHER cryptodev_des_cbc = { - NID_des_cbc, - 8, 8, 8, -- EVP_CIPH_CBC_MODE, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - /* 3DES CBC EVP */ - const EVP_CIPHER cryptodev_3des_cbc = { - NID_des_ede3_cbc, - 8, 24, 8, -- EVP_CIPH_CBC_MODE, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - const EVP_CIPHER cryptodev_bf_cbc = { - NID_bf_cbc, - 8, 16, 8, -- EVP_CIPH_CBC_MODE, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - const EVP_CIPHER cryptodev_cast_cbc = { - NID_cast5_cbc, - 8, 16, 8, -- EVP_CIPH_CBC_MODE, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - const EVP_CIPHER cryptodev_aes_cbc = { - NID_aes_128_cbc, - 16, 16, 16, -- EVP_CIPH_CBC_MODE, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - const EVP_CIPHER cryptodev_aes_192_cbc = { - NID_aes_192_cbc, - 16, 24, 16, -- EVP_CIPH_CBC_MODE, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - const EVP_CIPHER cryptodev_aes_256_cbc = { - NID_aes_256_cbc, - 16, 32, 16, -- EVP_CIPH_CBC_MODE, -+ EVP_CIPH_CBC_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - # ifdef CRYPTO_AES_CTR - const EVP_CIPHER cryptodev_aes_ctr = { - NID_aes_128_ctr, - 16, 16, 14, -- EVP_CIPH_CTR_MODE, -+ EVP_CIPH_CTR_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - const EVP_CIPHER cryptodev_aes_ctr_192 = { - NID_aes_192_ctr, - 16, 24, 14, -- EVP_CIPH_CTR_MODE, -+ EVP_CIPH_CTR_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - - const EVP_CIPHER cryptodev_aes_ctr_256 = { - NID_aes_256_ctr, - 16, 32, 14, -- EVP_CIPH_CTR_MODE, -+ EVP_CIPH_CTR_MODE | EVP_CIPH_CUSTOM_COPY, - cryptodev_init_key, - cryptodev_cipher, - cryptodev_cleanup, - sizeof(struct dev_crypto_state), - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, -- NULL -+ cryptodev_cipher_ctrl - }; - # endif - /* -@@ -749,16 +776,6 @@ - return (0); - } - --static int digest_key_length(int nid) --{ -- int i; -- -- for (i = 0; digests[i].id; i++) -- if (digests[i].nid == nid) -- return digests[i].keylen; -- return (0); --} -- - static int cryptodev_digest_init(EVP_MD_CTX *ctx) - { - struct dev_crypto_state *state = ctx->md_data; -@@ -769,7 +786,6 @@ - printf("cryptodev_digest_init: Can't get digest \n"); - return (0); - } -- - memset(state, 0, sizeof(struct dev_crypto_state)); - - if ((state->d_fd = get_dev_crypto()) < 0) { -@@ -777,8 +793,8 @@ - return (0); - } - -- sess->mackey = state->dummy_mac_key; -- sess->mackeylen = digest_key_length(ctx->digest->type); -+ sess->mackey = NULL; -+ sess->mackeylen = 0; - sess->mac = digest; - - if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) { -@@ -794,8 +810,8 @@ - static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data, - size_t count) - { -- struct crypt_op cryp; - struct dev_crypto_state *state = ctx->md_data; -+ struct crypt_op cryp; - struct session_op *sess = &state->d_sess; - - if (!data || state->d_fd < 0) { -@@ -804,7 +820,7 @@ - } - - if (!count) { -- return (0); -+ return (1); - } - - if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) { -@@ -828,9 +844,9 @@ - cryp.ses = sess->ses; - cryp.flags = 0; - cryp.len = count; -- cryp.src = (caddr_t) data; -+ cryp.src = (void *)data; - cryp.dst = NULL; -- cryp.mac = (caddr_t) state->digest_res; -+ cryp.mac = (void *)state->digest_res; - if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) { - printf("cryptodev_digest_update: digest failed\n"); - return (0); -@@ -844,8 +860,6 @@ - struct dev_crypto_state *state = ctx->md_data; - struct session_op *sess = &state->d_sess; - -- int ret = 1; -- - if (!md || state->d_fd < 0) { - printf("cryptodev_digest_final: illegal input\n"); - return (0); -@@ -859,7 +873,7 @@ - cryp.len = state->mac_len; - cryp.src = state->mac_data; - cryp.dst = NULL; -- cryp.mac = (caddr_t) md; -+ cryp.mac = (void *)md; - if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) { - printf("cryptodev_digest_final: digest failed\n"); - return (0); -@@ -870,7 +884,7 @@ - - memcpy(md, state->digest_res, ctx->digest->md_size); - -- return (ret); -+ return 1; - } - - static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx) -@@ -921,8 +935,8 @@ - - digest = digest_nid_to_cryptodev(to->digest->type); - -- sess->mackey = dstate->dummy_mac_key; -- sess->mackeylen = digest_key_length(to->digest->type); -+ sess->mackey = NULL; -+ sess->mackeylen = 0; - sess->mac = digest; - - dstate->d_fd = get_dev_crypto(); -@@ -945,34 +959,112 @@ - return 1; - } - --const EVP_MD cryptodev_sha1 = { -+static const EVP_MD cryptodev_sha1 = { - NID_sha1, -- NID_undef, -+ NID_sha1WithRSAEncryption, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_ONESHOT, -+# if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) -+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT | -+# endif -+ EVP_MD_FLAG_ONESHOT, - cryptodev_digest_init, - cryptodev_digest_update, - cryptodev_digest_final, - cryptodev_digest_copy, - cryptodev_digest_cleanup, -- EVP_PKEY_NULL_method, -+ EVP_PKEY_RSA_method, - SHA_CBLOCK, -- sizeof(struct dev_crypto_state), -+ sizeof(EVP_MD *) + sizeof(struct dev_crypto_state), - }; - --const EVP_MD cryptodev_md5 = { -+static const EVP_MD cryptodev_sha256 = { -+ NID_sha256, -+ NID_sha256WithRSAEncryption, -+ SHA256_DIGEST_LENGTH, -+# if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) -+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT | -+# endif -+ EVP_MD_FLAG_ONESHOT, -+ cryptodev_digest_init, -+ cryptodev_digest_update, -+ cryptodev_digest_final, -+ cryptodev_digest_copy, -+ cryptodev_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ SHA256_CBLOCK, -+ sizeof(EVP_MD *) + sizeof(struct dev_crypto_state), -+}; -+ -+static const EVP_MD cryptodev_sha224 = { -+ NID_sha224, -+ NID_sha224WithRSAEncryption, -+ SHA224_DIGEST_LENGTH, -+# if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) -+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT | -+# endif -+ EVP_MD_FLAG_ONESHOT, -+ cryptodev_digest_init, -+ cryptodev_digest_update, -+ cryptodev_digest_final, -+ cryptodev_digest_copy, -+ cryptodev_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ SHA256_CBLOCK, -+ sizeof(EVP_MD *) + sizeof(struct dev_crypto_state), -+}; -+ -+static const EVP_MD cryptodev_sha384 = { -+ NID_sha384, -+ NID_sha384WithRSAEncryption, -+ SHA384_DIGEST_LENGTH, -+# if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) -+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT | -+# endif -+ EVP_MD_FLAG_ONESHOT, -+ cryptodev_digest_init, -+ cryptodev_digest_update, -+ cryptodev_digest_final, -+ cryptodev_digest_copy, -+ cryptodev_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ SHA512_CBLOCK, -+ sizeof(EVP_MD *) + sizeof(struct dev_crypto_state), -+}; -+ -+static const EVP_MD cryptodev_sha512 = { -+ NID_sha512, -+ NID_sha512WithRSAEncryption, -+ SHA512_DIGEST_LENGTH, -+# if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) -+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT | -+# endif -+ EVP_MD_FLAG_ONESHOT, -+ cryptodev_digest_init, -+ cryptodev_digest_update, -+ cryptodev_digest_final, -+ cryptodev_digest_copy, -+ cryptodev_digest_cleanup, -+ EVP_PKEY_RSA_method, -+ SHA512_CBLOCK, -+ sizeof(EVP_MD *) + sizeof(struct dev_crypto_state), -+}; -+ -+static const EVP_MD cryptodev_md5 = { - NID_md5, -- NID_undef, -+ NID_md5WithRSAEncryption, - 16 /* MD5_DIGEST_LENGTH */ , -- EVP_MD_FLAG_ONESHOT, -+# if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) -+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE | EVP_MD_FLAG_DIGALGID_ABSENT | -+# endif -+ EVP_MD_FLAG_ONESHOT, - cryptodev_digest_init, - cryptodev_digest_update, - cryptodev_digest_final, - cryptodev_digest_copy, - cryptodev_digest_cleanup, -- EVP_PKEY_NULL_method, -+ EVP_PKEY_RSA_method, - 64 /* MD5_CBLOCK */ , -- sizeof(struct dev_crypto_state), -+ sizeof(EVP_MD *) + sizeof(struct dev_crypto_state), - }; - - # endif /* USE_CRYPTODEV_DIGESTS */ -@@ -992,6 +1084,18 @@ - case NID_sha1: - *digest = &cryptodev_sha1; - break; -+ case NID_sha224: -+ *digest = &cryptodev_sha224; -+ break; -+ case NID_sha256: -+ *digest = &cryptodev_sha256; -+ break; -+ case NID_sha384: -+ *digest = &cryptodev_sha384; -+ break; -+ case NID_sha512: -+ *digest = &cryptodev_sha512; -+ break; - default: - # endif /* USE_CRYPTODEV_DIGESTS */ - *digest = NULL; -@@ -1022,7 +1126,7 @@ - return (1); - memset(b, 0, bytes); - -- crp->crp_p = (caddr_t) b; -+ crp->crp_p = (void *)b; - crp->crp_nbits = bits; - - for (i = 0, j = 0; i < a->top; i++) { -@@ -1277,7 +1381,7 @@ - kop.crk_op = CRK_DSA_SIGN; - - /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */ -- kop.crk_param[0].crp_p = (caddr_t) dgst; -+ kop.crk_param[0].crp_p = (void *)dgst; - kop.crk_param[0].crp_nbits = dlen * 8; - if (bn2crparam(dsa->p, &kop.crk_param[1])) - goto err; -@@ -1317,7 +1421,7 @@ - kop.crk_op = CRK_DSA_VERIFY; - - /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */ -- kop.crk_param[0].crp_p = (caddr_t) dgst; -+ kop.crk_param[0].crp_p = (void *)dgst; - kop.crk_param[0].crp_nbits = dlen * 8; - if (bn2crparam(dsa->p, &kop.crk_param[1])) - goto err; -@@ -1398,9 +1502,10 @@ - goto err; - kop.crk_iparams = 3; - -- kop.crk_param[3].crp_p = (caddr_t) key; -- kop.crk_param[3].crp_nbits = keylen * 8; -+ kop.crk_param[3].crp_p = (void *)key; -+ kop.crk_param[3].crp_nbits = keylen; - kop.crk_oparams = 1; -+ dhret = keylen / 8; - - if (ioctl(fd, CIOCKEY, &kop) == -1) { - const DH_METHOD *meth = DH_OpenSSL(); -@@ -1470,7 +1575,7 @@ - put_dev_crypto(fd); - - if (!ENGINE_set_id(engine, "cryptodev") || -- !ENGINE_set_name(engine, "BSD cryptodev engine") || -+ !ENGINE_set_name(engine, "cryptodev engine") || - !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || - !ENGINE_set_digests(engine, cryptodev_engine_digests) || - !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) || diff --git a/core/openssl-cryptodev/no-rpath.patch b/core/openssl-cryptodev/no-rpath.patch deleted file mode 100644 index ebd95e23d..000000000 --- a/core/openssl-cryptodev/no-rpath.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200 -+++ Makefile.shared 2005-11-16 22:35:37.000000000 +0100 -@@ -153,7 +153,7 @@ - NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ - SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" - --DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" -+DO_GNU_APP=LDFLAGS="$(CFLAGS)" - - #This is rather special. It's a special target with which one can link - #applications without bothering with any features that have anything to diff --git a/core/openssl-cryptodev/ssl3-test-failure.patch b/core/openssl-cryptodev/ssl3-test-failure.patch deleted file mode 100644 index d161c3d4a..000000000 --- a/core/openssl-cryptodev/ssl3-test-failure.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Kurt Roeckx -Date: Sun, 6 Sep 2015 16:04:11 +0200 -Subject: Disable SSLv3 test in test suite - -When testing SSLv3 the test program returns 0 for skip. The test for weak DH -expects a failure, but gets success. - -It should probably be changed to return something other than 0 for a skipped -test. ---- - test/testssl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/test/testssl b/test/testssl -index 747e4ba..1e4370b 100644 ---- a/test/testssl -+++ b/test/testssl -@@ -160,7 +160,7 @@ test_cipher() { - } - - echo "Testing ciphersuites" --for protocol in TLSv1.2 SSLv3; do -+for protocol in TLSv1.2; do - echo "Testing ciphersuites for $protocol" - for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do - test_cipher $cipher $protocol