From 829cc60a281b9da1ede262d32f1359b4d997555f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Thu, 24 Nov 2022 16:39:10 +0100 Subject: [PATCH 01/11] kernel: backport flow_dissect support for tag_brcm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This change helps BCM4908 SoC. It was capable of 940 Mb/s masq NAT while using iperf but users reported lower & unstable speeds for HTTP based tests. For LibreSpeed tests this bumps NAT speed from ~930 Mb/s to ~990 Mb/s (not that this value seems real but speed bump definitely is). Signed-off-by: Rafał Miłecki --- ...ement-flow-dissection-for-tag_brcm.c.patch | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 target/linux/generic/backport-5.4/701-v5.7-net-dsa-Implement-flow-dissection-for-tag_brcm.c.patch diff --git a/target/linux/generic/backport-5.4/701-v5.7-net-dsa-Implement-flow-dissection-for-tag_brcm.c.patch b/target/linux/generic/backport-5.4/701-v5.7-net-dsa-Implement-flow-dissection-for-tag_brcm.c.patch new file mode 100644 index 0000000000..5d7b90f699 --- /dev/null +++ b/target/linux/generic/backport-5.4/701-v5.7-net-dsa-Implement-flow-dissection-for-tag_brcm.c.patch @@ -0,0 +1,62 @@ +From 52015366e361a88c569550a285c71f72bb095661 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Sun, 22 Mar 2020 14:09:57 -0700 +Subject: [PATCH] net: dsa: Implement flow dissection for tag_brcm.c + +Provide a flow_dissect callback which returns the network offset and +where to find the skb protocol, given the tags structure a common +function works for both tagging formats that are supported. + +Signed-off-by: Florian Fainelli +Reviewed-by: Vivien Didelot +Signed-off-by: David S. Miller +--- + net/dsa/tag_brcm.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/net/dsa/tag_brcm.c ++++ b/net/dsa/tag_brcm.c +@@ -144,6 +144,27 @@ static struct sk_buff *brcm_tag_rcv_ll(s + + return skb; + } ++ ++static int brcm_tag_flow_dissect(const struct sk_buff *skb, __be16 *proto, ++ int *offset) ++{ ++ /* We have been called on the DSA master network device after ++ * eth_type_trans() which pulled the Ethernet header already. ++ * Frames have one of these two layouts: ++ * ----------------------------------- ++ * | MAC DA | MAC SA | 4b tag | Type | DSA_TAG_PROTO_BRCM ++ * ----------------------------------- ++ * ----------------------------------- ++ * | 4b tag | MAC DA | MAC SA | Type | DSA_TAG_PROTO_BRCM_PREPEND ++ * ----------------------------------- ++ * skb->data points 2 bytes before the actual Ethernet type field and ++ * we have an offset of 4bytes between where skb->data and where the ++ * payload starts. ++ */ ++ *offset = BRCM_TAG_LEN; ++ *proto = ((__be16 *)skb->data)[1]; ++ return 0; ++} + #endif + + #if IS_ENABLED(CONFIG_NET_DSA_TAG_BRCM) +@@ -179,6 +200,7 @@ static const struct dsa_device_ops brcm_ + .xmit = brcm_tag_xmit, + .rcv = brcm_tag_rcv, + .overhead = BRCM_TAG_LEN, ++ .flow_dissect = brcm_tag_flow_dissect, + }; + + DSA_TAG_DRIVER(brcm_netdev_ops); +@@ -207,6 +229,7 @@ static const struct dsa_device_ops brcm_ + .xmit = brcm_tag_xmit_prepend, + .rcv = brcm_tag_rcv_prepend, + .overhead = BRCM_TAG_LEN, ++ .flow_dissect = brcm_tag_flow_dissect, + }; + + DSA_TAG_DRIVER(brcm_prepend_netdev_ops); From 5c85a3e607df1f7f9e053946810f46158f29658f Mon Sep 17 00:00:00 2001 From: Aleksander Jan Bajkowski Date: Sat, 10 Sep 2022 20:13:58 +0200 Subject: [PATCH 02/11] lantiq: enable interrupts on second VPEs This patch is needed to handle interrupts by the second VPE on the Lantiq ARX100, xRX200, xRX300 and xRX330 SoCs. Switching some ICU interrupts to the second VPE results in a hang. Currently, the vsmp_init_secondary() function is responsible for enabling these interrupts. It only enables Malta-specific interrupts (SW0, SW1, HW4 and HW5). The MIPS core has 8 interrupts defined. On Lantiq SoCs, hardware interrupts are wired to an ICU instance. Each VPE has an independent instance of the ICU. The mapping of the ICU interrupts is shown below: SW0(IP0) - IPI call, SW1(IP1) - IPI resched, HW0(IP2) - ICU 0-31, HW1(IP3) - ICU 32-63, HW2(IP4) - ICU 64-95, HW3(IP5) - ICU 96-127, HW4(IP6) - ICU 128-159, HW5(IP7) - timer. This patch enables all interrupt lines on the second VPE. This problem affects multithreaded SoCs with a custom interrupt controller. SOCs with 1004Kc core and newer use the MIPS GIC. At this point, I am aware that the Realtek RTL839x and RTL930x SoCs may need a similar fix. In the future, this may be replaced with some generic solution. Tested on Lantiq xRX200. Signed-off-by: Aleksander Jan Bajkowski (cherry picked from commit fbd33d61648ae8982fbada7ad3b6d8222b367ab5) --- ...le-all-hardware-interrupts-on-second.patch | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 target/linux/lantiq/patches-5.4/0320-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch diff --git a/target/linux/lantiq/patches-5.4/0320-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch b/target/linux/lantiq/patches-5.4/0320-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch new file mode 100644 index 0000000000..0ac9adfb96 --- /dev/null +++ b/target/linux/lantiq/patches-5.4/0320-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch @@ -0,0 +1,86 @@ +From 2025bc9c3a949b65bfd0601f727678b37962c6c5 Mon Sep 17 00:00:00 2001 +From: Aleksander Jan Bajkowski +Date: Fri, 4 Jun 2021 18:27:58 +0200 +Subject: [PATCH] MIPS: lantiq: enable all hardware interrupts on second VPE + +This patch is needed to handle interrupts by the second VPE on the Lantiq +ARX100, xRX200, xRX300 and xRX330 SoCs. Switching some ICU interrupts to +the second VPE results in a hang. Currently, the vsmp_init_secondary() +function is responsible for enabling these interrupts. It only enables +Malta-specific interrupts (SW0, SW1, HW4 and HW5). + +The MIPS core has 8 interrupts defined. On Lantiq SoCs, hardware +interrupts are wired to an ICU instance. Each VPE has an independent +instance of the ICU. The mapping of the ICU interrupts is shown below: +SW0(IP0) - IPI call, +SW1(IP1) - IPI resched, +HW0(IP2) - ICU 0-31, +HW1(IP3) - ICU 32-63, +HW2(IP4) - ICU 64-95, +HW3(IP5) - ICU 96-127, +HW4(IP6) - ICU 128-159, +HW5(IP7) - timer. + +This patch enables all interrupt lines on the second VPE. + +This problem affects multithreaded SoCs with a custom interrupt controller. +SOCs with 1004Kc core and newer use the MIPS GIC. At this point, I am aware +that the Realtek RTL839x and RTL930x SoCs may need a similar fix. In the +future, this may be replaced with some generic solution. + +Tested on Lantiq xRX200. + +Suggested-by: Thomas Bogendoerfer +Signed-off-by: Aleksander Jan Bajkowski +--- + arch/mips/lantiq/prom.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +--- a/arch/mips/lantiq/prom.c ++++ b/arch/mips/lantiq/prom.c +@@ -37,6 +37,14 @@ static struct ltq_soc_info soc_info; + /* for Multithreading (APRP), vpe.c will use it */ + unsigned long cp0_memsize; + ++/* ++ * These structs are used to override vsmp_init_secondary() ++ */ ++#if defined(CONFIG_MIPS_MT_SMP) ++extern const struct plat_smp_ops vsmp_smp_ops; ++static struct plat_smp_ops lantiq_smp_ops; ++#endif ++ + const char *get_system_type(void) + { + return soc_info.sys_type; +@@ -100,6 +108,17 @@ void __init device_tree_init(void) + unflatten_and_copy_device_tree(); + } + ++#if defined(CONFIG_MIPS_MT_SMP) ++static void lantiq_init_secondary(void) ++{ ++ /* ++ * MIPS CPU startup function vsmp_init_secondary() will only ++ * enable some of the interrupts for the second CPU/VPE. ++ */ ++ set_c0_status(ST0_IM); ++} ++#endif ++ + void __init prom_init(void) + { + /* call the soc specific detetcion code and get it to fill soc_info */ +@@ -111,7 +130,10 @@ void __init prom_init(void) + prom_init_cmdline(); + + #if defined(CONFIG_MIPS_MT_SMP) +- if (register_vsmp_smp_ops()) +- panic("failed to register_vsmp_smp_ops()"); ++ if (cpu_has_mipsmt) { ++ lantiq_smp_ops = vsmp_smp_ops; ++ lantiq_smp_ops.init_secondary = lantiq_init_secondary; ++ register_smp_ops(&lantiq_smp_ops); ++ } + #endif + } From 206012e252d86e68487e0bce3ef1a10bd611bf77 Mon Sep 17 00:00:00 2001 From: Aleksander Jan Bajkowski Date: Wed, 5 Oct 2022 23:05:26 +0200 Subject: [PATCH 03/11] lantiq: add 6.1 tag to upstream patch Add 6.1 tag to upstream patch now that 6.1 got tagged. This permits to track patch in a better way and directly drop them on kernel bump. Signed-off-by: Aleksander Jan Bajkowski (cherry picked from commit 802ca492d85e6f6af05676518889d4de50697477) --- ...PS-lantiq-enable-all-hardware-interrupts-on-second.patch} | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) rename target/linux/lantiq/patches-5.4/{0320-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch => 0320-v6.1-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch} (94%) diff --git a/target/linux/lantiq/patches-5.4/0320-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch b/target/linux/lantiq/patches-5.4/0320-v6.1-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch similarity index 94% rename from target/linux/lantiq/patches-5.4/0320-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch rename to target/linux/lantiq/patches-5.4/0320-v6.1-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch index 0ac9adfb96..b7b95d6bfc 100644 --- a/target/linux/lantiq/patches-5.4/0320-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch +++ b/target/linux/lantiq/patches-5.4/0320-v6.1-MIPS-lantiq-enable-all-hardware-interrupts-on-second.patch @@ -1,6 +1,6 @@ -From 2025bc9c3a949b65bfd0601f727678b37962c6c5 Mon Sep 17 00:00:00 2001 +From 730320fd770d4114a2ecb6fb223dcc8c3cecdc5b Mon Sep 17 00:00:00 2001 From: Aleksander Jan Bajkowski -Date: Fri, 4 Jun 2021 18:27:58 +0200 +Date: Wed, 21 Sep 2022 22:59:44 +0200 Subject: [PATCH] MIPS: lantiq: enable all hardware interrupts on second VPE This patch is needed to handle interrupts by the second VPE on the Lantiq @@ -32,6 +32,7 @@ Tested on Lantiq xRX200. Suggested-by: Thomas Bogendoerfer Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: Thomas Bogendoerfer --- arch/mips/lantiq/prom.c | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) From 778afce43e26f104ae5af9b16c057b5417055b00 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Wed, 6 Jul 2022 20:32:11 +0200 Subject: [PATCH 04/11] kernel: Add missing mediatek configuration options When building the mediatek/mt7629 target in OpenWrt 22.03 the kernel does not have a configuration option for CONFIG_CRYPTO_DEV_MEDIATEK. Add this option to the generic kernel configuration and also add two other configuration options which are removed when we refresh the mt7629 kernel configuration. Fixes: 2bea35cb55d7 ("mediatek: remove crypto-hw-mtk package") Signed-off-by: Hauke Mehrtens (cherry picked from commit dcc0fe24ea216d32300c0f01c8879e586d89cc1e) (cherry picked from commit bfd070e7fa5ad715fb1a8f8449ab5d7750c59338) --- target/linux/generic/config-5.4 | 1 + 1 file changed, 1 insertion(+) diff --git a/target/linux/generic/config-5.4 b/target/linux/generic/config-5.4 index d793e062b1..73faf7172e 100644 --- a/target/linux/generic/config-5.4 +++ b/target/linux/generic/config-5.4 @@ -1028,6 +1028,7 @@ CONFIG_CRYPTO_BLKCIPHER2=y # CONFIG_CRYPTO_DEV_HISI_ZIP is not set # CONFIG_CRYPTO_DEV_IMGTEC_HASH is not set # CONFIG_CRYPTO_DEV_MARVELL_CESA is not set +# CONFIG_CRYPTO_DEV_MEDIATEK is not set # CONFIG_CRYPTO_DEV_MV_CESA is not set # CONFIG_CRYPTO_DEV_MXC_SCC is not set # CONFIG_CRYPTO_DEV_MXS_DCP is not set From 175a3cb22ab1972ee3364e011b0cce5355fb86fb Mon Sep 17 00:00:00 2001 From: David Bauer Date: Thu, 12 Aug 2021 23:40:32 +0200 Subject: [PATCH 05/11] mediatek: add missing config symbols Signed-off-by: David Bauer (cherry picked from commit 101c0c00a7143a1e50e4c0923f0af88b5176f6ed) --- target/linux/mediatek/mt7629/config-5.4 | 1 + 1 file changed, 1 insertion(+) diff --git a/target/linux/mediatek/mt7629/config-5.4 b/target/linux/mediatek/mt7629/config-5.4 index 46eac73240..8ff33d04cc 100644 --- a/target/linux/mediatek/mt7629/config-5.4 +++ b/target/linux/mediatek/mt7629/config-5.4 @@ -318,6 +318,7 @@ CONFIG_REGMAP_MMIO=y CONFIG_RESET_CONTROLLER=y CONFIG_RFS_ACCEL=y CONFIG_RPS=y +# CONFIG_RTL8367S_GSW is not set CONFIG_RWSEM_SPIN_ON_OWNER=y CONFIG_SCSI=y CONFIG_SERIAL_8250_FSL=y From 04ca5a8678d6fd5b9a79594e0ec3361f1eb68be5 Mon Sep 17 00:00:00 2001 From: John Audia Date: Thu, 3 Nov 2022 09:27:49 -0400 Subject: [PATCH 06/11] openssl: bump to 1.1.1s Changes between 1.1.1r and 1.1.1s [1 Nov 2022] *) Fixed a regression introduced in 1.1.1r version not refreshing the certificate data to be signed before signing the certificate. [Gibeom Gwon] Changes between 1.1.1q and 1.1.1r [11 Oct 2022] *) Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that platform. [Adam Joseph] *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was causing incorrect results in some cases as a result. [Paul Dale] *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to report correct results in some cases [Matt Caswell] *) Fixed a regression introduced in 1.1.1o for re-signing certificates with different key sizes [Todd Short] *) Added the loongarch64 target [Shi Pujin] *) Fixed a DRBG seed propagation thread safety issue [Bernd Edlinger] *) Fixed a memory leak in tls13_generate_secret [Bernd Edlinger] *) Fixed reported performance degradation on aarch64. Restored the implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode") for 64bit targets only, since it is reportedly 2-17% slower and the silicon errata only affects 32bit targets. The new algorithm is still used for 32 bit targets. [Bernd Edlinger] *) Added a missing header for memcmp that caused compilation failure on some platforms [Gregor Jasny] Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia (cherry picked from commit a0814f04ed955eb10b25df0ce6666ed91f11ca1b) --- package/libs/openssl/Makefile | 4 +- .../patches/100-Configure-afalg-support.patch | 4 +- .../openssl/patches/110-openwrt_targets.patch | 3 - .../120-strip-cflags-from-binary.patch | 4 +- .../patches/130-dont-build-tests-fuzz.patch | 4 +- .../patches/140-allow-prefer-chacha20.patch | 8 +- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 6 +- ..._devcrypto-add-configuration-options.patch | 20 +- ...ypto-add-command-to-dump-driver-info.patch | 16 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 2630 ++++++++++++++++- ...default-to-not-use-digests-in-engine.patch | 4 +- ...to-ignore-error-when-closing-session.patch | 4 +- 12 files changed, 2527 insertions(+), 180 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 99a2afa3a2..04b00e2bf5 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=q +PKG_BUGFIX:=s PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca +PKG_HASH:=c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index d8789f4b45..906e1bb4b4 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -8,11 +8,9 @@ version to disable building the AFALG engine on openwrt targets. Signed-off-by: Eneas U de Queiroz -diff --git a/Configure b/Configure -index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtra unless ($disabled{afalgeng}) { $config{afalgeng}=""; diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch index d0530b4661..b2786e8fee 100644 --- a/package/libs/openssl/patches/110-openwrt_targets.patch +++ b/package/libs/openssl/patches/110-openwrt_targets.patch @@ -7,9 +7,6 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt Signed-off-by: Eneas U de Queiroz -diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf -new file mode 100644 -index 0000000000..86a86d31e4 --- /dev/null +++ b/Configurations/25-openwrt.conf @@ -0,0 +1,48 @@ diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch index 7faec9ab88..4a7dce366b 100644 --- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch +++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch @@ -8,11 +8,9 @@ OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a Signed-off-by: Eneas U de Queiroz -diff --git a/crypto/build.info b/crypto/build.info -index 2c619c62e8..893128345a 100644 --- a/crypto/build.info +++ b/crypto/build.info -@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ +@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl DEPEND[cversion.o]=buildinf.h diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch index 7f33cb9dae..1117f7152f 100644 --- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch @@ -7,11 +7,9 @@ This shortens build time. Signed-off-by: Eneas U de Queiroz -diff --git a/Configure b/Configure -index 74d057c219..5813e9f8fe 100755 --- a/Configure +++ b/Configure -@@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads automatically? true by default +@@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads my $default_ranlib; # Top level directories to build diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch index b293db28f7..582b33a871 100644 --- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch +++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch @@ -14,8 +14,6 @@ when the client has it on top of its ciphersuite preference. Signed-off-by: Eneas U de Queiroz -diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h -index 6724ccf2d2..96d959427e 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -173,9 +173,15 @@ extern "C" { @@ -37,11 +35,9 @@ index 6724ccf2d2..96d959427e 100644 # else # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ "TLS_AES_128_GCM_SHA256" -diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c -index 27a1b2ec68..7039811323 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1467,11 +1467,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1465,11 +1465,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); @@ -71,7 +67,7 @@ index 27a1b2ec68..7039811323 100644 /* * ...and generally, our preferred cipher is AES. -@@ -1527,7 +1545,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, +@@ -1525,7 +1543,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * Within each group, ciphers remain sorted by strength and previous * preference, i.e., * 1) ECDHE > DHE diff --git a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch index 84c68b16a2..57962ec9c7 100644 --- a/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch +++ b/package/libs/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch @@ -14,8 +14,6 @@ Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) -diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a727c6f646..a2c9a966f7 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -461,6 +461,7 @@ struct digest_ctx { @@ -26,7 +24,7 @@ index a727c6f646..a2c9a966f7 100644 }; static const struct digest_data_st { -@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) +@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx if (digest_ctx == NULL) return 0; @@ -46,7 +44,7 @@ index a727c6f646..a2c9a966f7 100644 } static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) -@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) +@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx, if (md == NULL || digest_ctx == NULL) return 0; diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch index 6d0fbfc982..bad7a37256 100644 --- a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch +++ b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch @@ -13,7 +13,6 @@ Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) -diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -16,6 +16,7 @@ @@ -79,7 +78,7 @@ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c /* * Code further down must make sure that only NIDs in the table above -@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx) +@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX } /* @@ -185,7 +184,7 @@ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c static const EVP_CIPHER *get_cipher_method(int nid) { size_t i = get_cipher_data_index(nid); -@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, +@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e, return *cipher != NULL; } @@ -246,7 +245,7 @@ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c /* * Code further down must make sure that only NIDs in the table above -@@ -516,8 +637,8 @@ static const struct digest_data_st *get_digest_data(int nid) +@@ -516,8 +637,8 @@ static const struct digest_data_st *get_ } /* @@ -257,7 +256,7 @@ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c */ static int digest_init(EVP_MD_CTX *ctx) -@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ctx) +@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ct return clean_devcrypto_session(&digest_ctx->sess); } @@ -402,7 +401,7 @@ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c } } -@@ -739,8 +909,154 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, +@@ -739,7 +909,153 @@ static int devcrypto_digests(ENGINE *e, return *digest != NULL; } @@ -478,8 +477,8 @@ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c + "DIGESTS", + "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", + ENGINE_CMD_FLAG_STRING}, - #endif - ++#endif ++ + {0, NULL, NULL, 0} +}; + @@ -503,7 +502,7 @@ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c + use_softdrivers = i; +#ifdef IMPLEMENT_DIGEST + rebuild_known_digest_nids(e); -+#endif + #endif + rebuild_known_cipher_nids(e); + return 1; +#endif /* CIOCGSESSINFO */ @@ -553,10 +552,9 @@ diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c + } + return 0; +} -+ + /****************************************************************************** * - * LOAD / UNLOAD @@ -806,6 +1122,8 @@ void engine_load_devcrypto_int() if (!ENGINE_set_id(e, "devcrypto") diff --git a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch index ad83a51a10..b7e1f6a411 100644 --- a/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch +++ b/package/libs/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch @@ -11,11 +11,9 @@ Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) -diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index 5ec38ca8f3..64dc6b891d 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c -@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; +@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_D */ struct driver_info_st { enum devcrypto_status_t { @@ -82,7 +80,7 @@ index 5ec38ca8f3..64dc6b891d 100644 #endif /* CIOCGSESSINFO */ } ioctl(cfd, CIOCFSESSION, &sess.ses); -@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(void) +@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(v { size_t i; @@ -95,7 +93,7 @@ index 5ec38ca8f3..64dc6b891d 100644 } static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, -@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) +@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(co return 1; } @@ -190,7 +188,7 @@ index 5ec38ca8f3..64dc6b891d 100644 EVP_MD_meth_free(known_digest_methods[i]); known_digest_methods[i] = NULL; goto finish; -@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(void) +@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(v { size_t i; @@ -203,7 +201,7 @@ index 5ec38ca8f3..64dc6b891d 100644 } static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, -@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(const char *str, int len, void *usr) +@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(co return 1; } @@ -247,7 +245,7 @@ index 5ec38ca8f3..64dc6b891d 100644 #endif /****************************************************************************** -@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { +@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_c ENGINE_CMD_FLAG_STRING}, #endif @@ -259,7 +257,7 @@ index 5ec38ca8f3..64dc6b891d 100644 {0, NULL, NULL, 0} }; -@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) +@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int return 1; #endif /* IMPLEMENT_DIGEST */ diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch index 0b2f345eef..00c74972ab 100644 --- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch @@ -8,8 +8,6 @@ engines/e_devcrypto.c. Signed-off-by: Eneas U de Queiroz -diff --git a/crypto/engine/build.info b/crypto/engine/build.info -index e00802a3fd..47fe948966 100644 --- a/crypto/engine/build.info +++ b/crypto/engine/build.info @@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ @@ -19,11 +17,9 @@ index e00802a3fd..47fe948966 100644 -IF[{- !$disabled{devcryptoeng} -}] - SOURCE[../../libcrypto]=eng_devcrypto.c -ENDIF -diff --git a/crypto/init.c b/crypto/init.c -index 1b0d523bea..ee3e2eb075 100644 --- a/crypto/init.c +++ b/crypto/init.c -@@ -328,18 +328,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl) +@@ -328,18 +328,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_ engine_load_openssl_int(); return 1; } @@ -42,7 +38,7 @@ index 1b0d523bea..ee3e2eb075 100644 # ifndef OPENSSL_NO_RDRAND static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT; -@@ -364,6 +352,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic) +@@ -364,6 +352,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_ return 1; } # ifndef OPENSSL_NO_STATIC_ENGINE @@ -61,7 +57,7 @@ index 1b0d523bea..ee3e2eb075 100644 # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT; DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock) -@@ -704,11 +704,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) +@@ -704,11 +704,6 @@ int OPENSSL_init_crypto(uint64_t opts, c if ((opts & OPENSSL_INIT_ENGINE_OPENSSL) && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl)) return 0; @@ -73,7 +69,7 @@ index 1b0d523bea..ee3e2eb075 100644 # ifndef OPENSSL_NO_RDRAND if ((opts & OPENSSL_INIT_ENGINE_RDRAND) && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) -@@ -718,6 +713,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) +@@ -718,6 +713,11 @@ int OPENSSL_init_crypto(uint64_t opts, c && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) return 0; # ifndef OPENSSL_NO_STATIC_ENGINE @@ -85,8 +81,6 @@ index 1b0d523bea..ee3e2eb075 100644 # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) -diff --git a/engines/build.info b/engines/build.info -index 1db771971c..33a25d7004 100644 --- a/engines/build.info +++ b/engines/build.info @@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}] @@ -112,59 +106,1177 @@ index 1db771971c..33a25d7004 100644 ENGINES_NO_INST=ossltest dasync SOURCE[dasync]=e_dasync.c -diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c -similarity index 95% -rename from crypto/engine/eng_devcrypto.c -rename to engines/e_devcrypto.c -index 2c1b52d572..eff1ed3a7d 100644 --- a/crypto/engine/eng_devcrypto.c -+++ b/engines/e_devcrypto.c -@@ -7,7 +7,7 @@ - * https://www.openssl.org/source/license.html - */ - ++++ /dev/null +@@ -1,1277 +0,0 @@ +-/* +- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +- * +- * Licensed under the OpenSSL license (the "License"). You may not use +- * this file except in compliance with the License. You can obtain a copy +- * in the file LICENSE in the source distribution or at +- * https://www.openssl.org/source/license.html +- */ +- -#include "e_os.h" -+#include "../e_os.h" - #include - #include - #include -@@ -31,18 +31,20 @@ - # define CHECK_BSD_STYLE_MACROS - #endif - -+#define engine_devcrypto_id "devcrypto" -+ - /* - * ONE global file descriptor for all sessions. This allows operations - * such as digest session data copying (see digest_copy()), but is also - * saner... why re-open /dev/crypto for every session? - */ +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include "crypto/engine.h" +- +-/* #define ENGINE_DEVCRYPTO_DEBUG */ +- +-#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX +-# define CHECK_BSD_STYLE_MACROS +-#endif +- +-/* +- * ONE global file descriptor for all sessions. This allows operations +- * such as digest session data copying (see digest_copy()), but is also +- * saner... why re-open /dev/crypto for every session? +- */ -static int cfd; -+static int cfd = -1; - #define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ - #define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ - #define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ - +-#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ +-#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ +-#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ +- -#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE -static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; -+#define DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS DEVCRYPTO_REJECT_SOFTWARE -+static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS; - - /* - * cipher/digest status & acceleration definitions -@@ -1058,7 +1060,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { - OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " - OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) - "=use if acceleration can't be determined) [default=" +- +-/* +- * cipher/digest status & acceleration definitions +- * Make sure the defaults are set to 0 +- */ +-struct driver_info_st { +- enum devcrypto_status_t { +- DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */ +- DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */ +- DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */ +- DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ +- DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ +- } status; +- +- enum devcrypto_accelerated_t { +- DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ +- DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ +- DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ +- } accelerated; +- +- char *driver_name; +-}; +- +-static int clean_devcrypto_session(struct session_op *sess) { +- if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +- } +- memset(sess, 0, sizeof(struct session_op)); +- return 1; +-} +- +-/****************************************************************************** +- * +- * Ciphers +- * +- * Because they all do the same basic operation, we have only one set of +- * method functions for them all to share, and a mapping table between +- * NIDs and cryptodev IDs, with all the necessary size data. +- * +- *****/ +- +-struct cipher_ctx { +- struct session_op sess; +- int op; /* COP_ENCRYPT or COP_DECRYPT */ +- unsigned long mode; /* EVP_CIPH_*_MODE */ +- +- /* to handle ctr mode being a stream cipher */ +- unsigned char partial[EVP_MAX_BLOCK_LENGTH]; +- unsigned int blocksize, num; +-}; +- +-static const struct cipher_data_st { +- int nid; +- int blocksize; +- int keylen; +- int ivlen; +- int flags; +- int devcryptoid; +-} cipher_data[] = { +-#ifndef OPENSSL_NO_DES +- { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC }, +- { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC }, +-#endif +-#ifndef OPENSSL_NO_BF +- { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC }, +-#endif +-#ifndef OPENSSL_NO_CAST +- { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC }, +-#endif +- { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +- { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +- { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, +-#ifndef OPENSSL_NO_RC4 +- { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 }, +-#endif +-#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR) +- { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +- { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +- { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, +-#endif +-#if 0 /* Not yet supported */ +- { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, +- { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, +-#endif +-#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) +- { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +- { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, +-#endif +-#if 0 /* Not yet supported */ +- { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +- { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +- { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, +-#endif +-#ifndef OPENSSL_NO_CAMELLIA +- { NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, +- { NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, +- { NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, +- CRYPTO_CAMELLIA_CBC }, +-#endif +-}; +- +-static size_t find_cipher_data_index(int nid) +-{ +- size_t i; +- +- for (i = 0; i < OSSL_NELEM(cipher_data); i++) +- if (nid == cipher_data[i].nid) +- return i; +- return (size_t)-1; +-} +- +-static size_t get_cipher_data_index(int nid) +-{ +- size_t i = find_cipher_data_index(nid); +- +- if (i != (size_t)-1) +- return i; +- +- /* +- * Code further down must make sure that only NIDs in the table above +- * are used. If any other NID reaches this function, there's a grave +- * coding error further down. +- */ +- assert("Code that never should be reached" == NULL); +- return -1; +-} +- +-static const struct cipher_data_st *get_cipher_data(int nid) +-{ +- return &cipher_data[get_cipher_data_index(nid)]; +-} +- +-/* +- * Following are the three necessary functions to map OpenSSL functionality +- * with cryptodev. +- */ +- +-static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +- const unsigned char *iv, int enc) +-{ +- struct cipher_ctx *cipher_ctx = +- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); +- const struct cipher_data_st *cipher_d = +- get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); +- +- /* cleanup a previous session */ +- if (cipher_ctx->sess.ses != 0 && +- clean_devcrypto_session(&cipher_ctx->sess) == 0) +- return 0; +- +- cipher_ctx->sess.cipher = cipher_d->devcryptoid; +- cipher_ctx->sess.keylen = cipher_d->keylen; +- cipher_ctx->sess.key = (void *)key; +- cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; +- cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; +- cipher_ctx->blocksize = cipher_d->blocksize; +- if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +- } +- +- return 1; +-} +- +-static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, +- const unsigned char *in, size_t inl) +-{ +- struct cipher_ctx *cipher_ctx = +- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); +- struct crypt_op cryp; +- unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); +-#if !defined(COP_FLAG_WRITE_IV) +- unsigned char saved_iv[EVP_MAX_IV_LENGTH]; +- const unsigned char *ivptr; +- size_t nblocks, ivlen; +-#endif +- +- memset(&cryp, 0, sizeof(cryp)); +- cryp.ses = cipher_ctx->sess.ses; +- cryp.len = inl; +- cryp.src = (void *)in; +- cryp.dst = (void *)out; +- cryp.iv = (void *)iv; +- cryp.op = cipher_ctx->op; +-#if !defined(COP_FLAG_WRITE_IV) +- cryp.flags = 0; +- +- ivlen = EVP_CIPHER_CTX_iv_length(ctx); +- if (ivlen > 0) +- switch (cipher_ctx->mode) { +- case EVP_CIPH_CBC_MODE: +- assert(inl >= ivlen); +- if (!EVP_CIPHER_CTX_encrypting(ctx)) { +- ivptr = in + inl - ivlen; +- memcpy(saved_iv, ivptr, ivlen); +- } +- break; +- +- case EVP_CIPH_CTR_MODE: +- break; +- +- default: /* should not happen */ +- return 0; +- } +-#else +- cryp.flags = COP_FLAG_WRITE_IV; +-#endif +- +- if (ioctl(cfd, CIOCCRYPT, &cryp) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +- } +- +-#if !defined(COP_FLAG_WRITE_IV) +- if (ivlen > 0) +- switch (cipher_ctx->mode) { +- case EVP_CIPH_CBC_MODE: +- assert(inl >= ivlen); +- if (EVP_CIPHER_CTX_encrypting(ctx)) +- ivptr = out + inl - ivlen; +- else +- ivptr = saved_iv; +- +- memcpy(iv, ivptr, ivlen); +- break; +- +- case EVP_CIPH_CTR_MODE: +- nblocks = (inl + cipher_ctx->blocksize - 1) +- / cipher_ctx->blocksize; +- do { +- ivlen--; +- nblocks += iv[ivlen]; +- iv[ivlen] = (uint8_t) nblocks; +- nblocks >>= 8; +- } while (ivlen); +- break; +- +- default: /* should not happen */ +- return 0; +- } +-#endif +- +- return 1; +-} +- +-static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, +- const unsigned char *in, size_t inl) +-{ +- struct cipher_ctx *cipher_ctx = +- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); +- size_t nblocks, len; +- +- /* initial partial block */ +- while (cipher_ctx->num && inl) { +- (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num]; +- --inl; +- cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize; +- } +- +- /* full blocks */ +- if (inl > (unsigned int) cipher_ctx->blocksize) { +- nblocks = inl/cipher_ctx->blocksize; +- len = nblocks * cipher_ctx->blocksize; +- if (cipher_do_cipher(ctx, out, in, len) < 1) +- return 0; +- inl -= len; +- out += len; +- in += len; +- } +- +- /* final partial block */ +- if (inl) { +- memset(cipher_ctx->partial, 0, cipher_ctx->blocksize); +- if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial, +- cipher_ctx->blocksize) < 1) +- return 0; +- while (inl--) { +- out[cipher_ctx->num] = in[cipher_ctx->num] +- ^ cipher_ctx->partial[cipher_ctx->num]; +- cipher_ctx->num++; +- } +- } +- +- return 1; +-} +- +-static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) +-{ +- struct cipher_ctx *cipher_ctx = +- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); +- EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2; +- struct cipher_ctx *to_cipher_ctx; +- +- switch (type) { +- case EVP_CTRL_COPY: +- if (cipher_ctx == NULL) +- return 1; +- /* when copying the context, a new session needs to be initialized */ +- to_cipher_ctx = +- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(to_ctx); +- memset(&to_cipher_ctx->sess, 0, sizeof(to_cipher_ctx->sess)); +- return cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx), +- (cipher_ctx->op == COP_ENCRYPT)); +- +- case EVP_CTRL_INIT: +- memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess)); +- return 1; +- +- default: +- break; +- } +- +- return -1; +-} +- +-static int cipher_cleanup(EVP_CIPHER_CTX *ctx) +-{ +- struct cipher_ctx *cipher_ctx = +- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); +- +- return clean_devcrypto_session(&cipher_ctx->sess); +-} +- +-/* +- * Keep tables of known nids, associated methods, selected ciphers, and driver +- * info. +- * Note that known_cipher_nids[] isn't necessarily indexed the same way as +- * cipher_data[] above, which the other tables are. +- */ +-static int known_cipher_nids[OSSL_NELEM(cipher_data)]; +-static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ +-static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; +-static int selected_ciphers[OSSL_NELEM(cipher_data)]; +-static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)]; +- +- +-static int devcrypto_test_cipher(size_t cipher_data_index) +-{ +- return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE +- && selected_ciphers[cipher_data_index] == 1 +- && (cipher_driver_info[cipher_data_index].accelerated +- == DEVCRYPTO_ACCELERATED +- || use_softdrivers == DEVCRYPTO_USE_SOFTWARE +- || (cipher_driver_info[cipher_data_index].accelerated +- != DEVCRYPTO_NOT_ACCELERATED +- && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); +-} +- +-static void prepare_cipher_methods(void) +-{ +- size_t i; +- struct session_op sess; +- unsigned long cipher_mode; +-#ifdef CIOCGSESSINFO +- struct session_info_op siop; +-#endif +- +- memset(&cipher_driver_info, 0, sizeof(cipher_driver_info)); +- +- memset(&sess, 0, sizeof(sess)); +- sess.key = (void *)"01234567890123456789012345678901234567890123456789"; +- +- for (i = 0, known_cipher_nids_amount = 0; +- i < OSSL_NELEM(cipher_data); i++) { +- +- selected_ciphers[i] = 1; +- /* +- * Check that the cipher is usable +- */ +- sess.cipher = cipher_data[i].devcryptoid; +- sess.keylen = cipher_data[i].keylen; +- if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { +- cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; +- continue; +- } +- +- cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; +- +- if ((known_cipher_methods[i] = +- EVP_CIPHER_meth_new(cipher_data[i].nid, +- cipher_mode == EVP_CIPH_CTR_MODE ? 1 : +- cipher_data[i].blocksize, +- cipher_data[i].keylen)) == NULL +- || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], +- cipher_data[i].ivlen) +- || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], +- cipher_data[i].flags +- | EVP_CIPH_CUSTOM_COPY +- | EVP_CIPH_CTRL_INIT +- | EVP_CIPH_FLAG_DEFAULT_ASN1) +- || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) +- || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], +- cipher_mode == EVP_CIPH_CTR_MODE ? +- ctr_do_cipher : +- cipher_do_cipher) +- || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) +- || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], +- cipher_cleanup) +- || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], +- sizeof(struct cipher_ctx))) { +- cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; +- EVP_CIPHER_meth_free(known_cipher_methods[i]); +- known_cipher_methods[i] = NULL; +- } else { +- cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; +-#ifdef CIOCGSESSINFO +- siop.ses = sess.ses; +- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { +- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; +- } else { +- cipher_driver_info[i].driver_name = +- OPENSSL_strndup(siop.cipher_info.cra_driver_name, +- CRYPTODEV_MAX_ALG_NAME); +- if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) +- cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; +- else +- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; +- } +-#endif /* CIOCGSESSINFO */ +- } +- ioctl(cfd, CIOCFSESSION, &sess.ses); +- if (devcrypto_test_cipher(i)) { +- known_cipher_nids[known_cipher_nids_amount++] = +- cipher_data[i].nid; +- } +- } +-} +- +-static void rebuild_known_cipher_nids(ENGINE *e) +-{ +- size_t i; +- +- for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) { +- if (devcrypto_test_cipher(i)) +- known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid; +- } +- ENGINE_unregister_ciphers(e); +- ENGINE_register_ciphers(e); +-} +- +-static const EVP_CIPHER *get_cipher_method(int nid) +-{ +- size_t i = get_cipher_data_index(nid); +- +- if (i == (size_t)-1) +- return NULL; +- return known_cipher_methods[i]; +-} +- +-static int get_cipher_nids(const int **nids) +-{ +- *nids = known_cipher_nids; +- return known_cipher_nids_amount; +-} +- +-static void destroy_cipher_method(int nid) +-{ +- size_t i = get_cipher_data_index(nid); +- +- EVP_CIPHER_meth_free(known_cipher_methods[i]); +- known_cipher_methods[i] = NULL; +-} +- +-static void destroy_all_cipher_methods(void) +-{ +- size_t i; +- +- for (i = 0; i < OSSL_NELEM(cipher_data); i++) { +- destroy_cipher_method(cipher_data[i].nid); +- OPENSSL_free(cipher_driver_info[i].driver_name); +- cipher_driver_info[i].driver_name = NULL; +- } +-} +- +-static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, +- const int **nids, int nid) +-{ +- if (cipher == NULL) +- return get_cipher_nids(nids); +- +- *cipher = get_cipher_method(nid); +- +- return *cipher != NULL; +-} +- +-static void devcrypto_select_all_ciphers(int *cipher_list) +-{ +- size_t i; +- +- for (i = 0; i < OSSL_NELEM(cipher_data); i++) +- cipher_list[i] = 1; +-} +- +-static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) +-{ +- int *cipher_list = (int *)usr; +- char *name; +- const EVP_CIPHER *EVP; +- size_t i; +- +- if (len == 0) +- return 1; +- if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) +- return 0; +- EVP = EVP_get_cipherbyname(name); +- if (EVP == NULL) +- fprintf(stderr, "devcrypto: unknown cipher %s\n", name); +- else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1) +- cipher_list[i] = 1; +- else +- fprintf(stderr, "devcrypto: cipher %s not available\n", name); +- OPENSSL_free(name); +- return 1; +-} +- +-static void dump_cipher_info(void) +-{ +- size_t i; +- const char *name; +- +- fprintf (stderr, "Information about ciphers supported by the /dev/crypto" +- " engine:\n"); +-#ifndef CIOCGSESSINFO +- fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); +-#endif +- for (i = 0; i < OSSL_NELEM(cipher_data); i++) { +- name = OBJ_nid2sn(cipher_data[i].nid); +- fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ", +- name ? name : "unknown", cipher_data[i].nid, +- cipher_data[i].devcryptoid); +- if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) { +- fprintf (stderr, "CIOCGSESSION (session open call) failed\n"); +- continue; +- } +- fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ? +- cipher_driver_info[i].driver_name : "unknown"); +- if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) +- fprintf(stderr, "(hw accelerated)"); +- else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) +- fprintf(stderr, "(software)"); +- else +- fprintf(stderr, "(acceleration status unknown)"); +- if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) +- fprintf (stderr, ". Cipher setup failed"); +- fprintf(stderr, "\n"); +- } +- fprintf(stderr, "\n"); +-} +- +-/* +- * We only support digests if the cryptodev implementation supports multiple +- * data updates and session copying. Otherwise, we would be forced to maintain +- * a cache, which is perilous if there's a lot of data coming in (if someone +- * wants to checksum an OpenSSL tarball, for example). +- */ +-#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) +-#define IMPLEMENT_DIGEST +- +-/****************************************************************************** +- * +- * Digests +- * +- * Because they all do the same basic operation, we have only one set of +- * method functions for them all to share, and a mapping table between +- * NIDs and cryptodev IDs, with all the necessary size data. +- * +- *****/ +- +-struct digest_ctx { +- struct session_op sess; +- /* This signals that the init function was called, not that it succeeded. */ +- int init_called; +- unsigned char digest_res[HASH_MAX_LEN]; +-}; +- +-static const struct digest_data_st { +- int nid; +- int blocksize; +- int digestlen; +- int devcryptoid; +-} digest_data[] = { +-#ifndef OPENSSL_NO_MD5 +- { NID_md5, /* MD5_CBLOCK */ 64, 16, CRYPTO_MD5 }, +-#endif +- { NID_sha1, SHA_CBLOCK, 20, CRYPTO_SHA1 }, +-#ifndef OPENSSL_NO_RMD160 +-# if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_RIPEMD160) +- { NID_ripemd160, /* RIPEMD160_CBLOCK */ 64, 20, CRYPTO_RIPEMD160 }, +-# endif +-#endif +-#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_224) +- { NID_sha224, SHA256_CBLOCK, 224 / 8, CRYPTO_SHA2_224 }, +-#endif +-#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_256) +- { NID_sha256, SHA256_CBLOCK, 256 / 8, CRYPTO_SHA2_256 }, +-#endif +-#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_384) +- { NID_sha384, SHA512_CBLOCK, 384 / 8, CRYPTO_SHA2_384 }, +-#endif +-#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_512) +- { NID_sha512, SHA512_CBLOCK, 512 / 8, CRYPTO_SHA2_512 }, +-#endif +-}; +- +-static size_t find_digest_data_index(int nid) +-{ +- size_t i; +- +- for (i = 0; i < OSSL_NELEM(digest_data); i++) +- if (nid == digest_data[i].nid) +- return i; +- return (size_t)-1; +-} +- +-static size_t get_digest_data_index(int nid) +-{ +- size_t i = find_digest_data_index(nid); +- +- if (i != (size_t)-1) +- return i; +- +- /* +- * Code further down must make sure that only NIDs in the table above +- * are used. If any other NID reaches this function, there's a grave +- * coding error further down. +- */ +- assert("Code that never should be reached" == NULL); +- return -1; +-} +- +-static const struct digest_data_st *get_digest_data(int nid) +-{ +- return &digest_data[get_digest_data_index(nid)]; +-} +- +-/* +- * Following are the five necessary functions to map OpenSSL functionality +- * with cryptodev: init, update, final, cleanup, and copy. +- */ +- +-static int digest_init(EVP_MD_CTX *ctx) +-{ +- struct digest_ctx *digest_ctx = +- (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); +- const struct digest_data_st *digest_d = +- get_digest_data(EVP_MD_CTX_type(ctx)); +- +- digest_ctx->init_called = 1; +- +- memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); +- digest_ctx->sess.mac = digest_d->devcryptoid; +- if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +- } +- +- return 1; +-} +- +-static int digest_op(struct digest_ctx *ctx, const void *src, size_t srclen, +- void *res, unsigned int flags) +-{ +- struct crypt_op cryp; +- +- memset(&cryp, 0, sizeof(cryp)); +- cryp.ses = ctx->sess.ses; +- cryp.len = srclen; +- cryp.src = (void *)src; +- cryp.dst = NULL; +- cryp.mac = res; +- cryp.flags = flags; +- return ioctl(cfd, CIOCCRYPT, &cryp); +-} +- +-static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) +-{ +- struct digest_ctx *digest_ctx = +- (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); +- +- if (count == 0) +- return 1; +- +- if (digest_ctx == NULL) +- return 0; +- +- if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { +- if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0) +- return 1; +- } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) { +- return 1; +- } +- +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +-} +- +-static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) +-{ +- struct digest_ctx *digest_ctx = +- (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); +- +- if (md == NULL || digest_ctx == NULL) +- return 0; +- +- if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { +- memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx)); +- } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +- } +- +- return 1; +-} +- +-static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) +-{ +- struct digest_ctx *digest_from = +- (struct digest_ctx *)EVP_MD_CTX_md_data(from); +- struct digest_ctx *digest_to = +- (struct digest_ctx *)EVP_MD_CTX_md_data(to); +- struct cphash_op cphash; +- +- if (digest_from == NULL || digest_from->init_called != 1) +- return 1; +- +- if (!digest_init(to)) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +- } +- +- cphash.src_ses = digest_from->sess.ses; +- cphash.dst_ses = digest_to->sess.ses; +- if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { +- SYSerr(SYS_F_IOCTL, errno); +- return 0; +- } +- return 1; +-} +- +-static int digest_cleanup(EVP_MD_CTX *ctx) +-{ +- struct digest_ctx *digest_ctx = +- (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); +- +- if (digest_ctx == NULL) +- return 1; +- +- return clean_devcrypto_session(&digest_ctx->sess); +-} +- +-/* +- * Keep tables of known nids, associated methods, selected digests, and +- * driver info. +- * Note that known_digest_nids[] isn't necessarily indexed the same way as +- * digest_data[] above, which the other tables are. +- */ +-static int known_digest_nids[OSSL_NELEM(digest_data)]; +-static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ +-static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; +-static int selected_digests[OSSL_NELEM(digest_data)]; +-static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)]; +- +-static int devcrypto_test_digest(size_t digest_data_index) +-{ +- return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE +- && selected_digests[digest_data_index] == 1 +- && (digest_driver_info[digest_data_index].accelerated +- == DEVCRYPTO_ACCELERATED +- || use_softdrivers == DEVCRYPTO_USE_SOFTWARE +- || (digest_driver_info[digest_data_index].accelerated +- != DEVCRYPTO_NOT_ACCELERATED +- && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); +-} +- +-static void rebuild_known_digest_nids(ENGINE *e) +-{ +- size_t i; +- +- for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { +- if (devcrypto_test_digest(i)) +- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; +- } +- ENGINE_unregister_digests(e); +- ENGINE_register_digests(e); +-} +- +-static void prepare_digest_methods(void) +-{ +- size_t i; +- struct session_op sess1, sess2; +-#ifdef CIOCGSESSINFO +- struct session_info_op siop; +-#endif +- struct cphash_op cphash; +- +- memset(&digest_driver_info, 0, sizeof(digest_driver_info)); +- +- memset(&sess1, 0, sizeof(sess1)); +- memset(&sess2, 0, sizeof(sess2)); +- +- for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); +- i++) { +- +- selected_digests[i] = 1; +- +- /* +- * Check that the digest is usable +- */ +- sess1.mac = digest_data[i].devcryptoid; +- sess2.ses = 0; +- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; +- goto finish; +- } +- +-#ifdef CIOCGSESSINFO +- /* gather hardware acceleration info from the driver */ +- siop.ses = sess1.ses; +- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { +- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; +- } else { +- digest_driver_info[i].driver_name = +- OPENSSL_strndup(siop.hash_info.cra_driver_name, +- CRYPTODEV_MAX_ALG_NAME); +- if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) +- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; +- else +- digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; +- } +-#endif +- +- /* digest must be capable of hash state copy */ +- sess2.mac = sess1.mac; +- if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; +- goto finish; +- } +- cphash.src_ses = sess1.ses; +- cphash.dst_ses = sess2.ses; +- if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH; +- goto finish; +- } +- if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, +- NID_undef)) == NULL +- || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i], +- digest_data[i].blocksize) +- || !EVP_MD_meth_set_result_size(known_digest_methods[i], +- digest_data[i].digestlen) +- || !EVP_MD_meth_set_init(known_digest_methods[i], digest_init) +- || !EVP_MD_meth_set_update(known_digest_methods[i], digest_update) +- || !EVP_MD_meth_set_final(known_digest_methods[i], digest_final) +- || !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy) +- || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) +- || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], +- sizeof(struct digest_ctx))) { +- digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; +- EVP_MD_meth_free(known_digest_methods[i]); +- known_digest_methods[i] = NULL; +- goto finish; +- } +- digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; +-finish: +- ioctl(cfd, CIOCFSESSION, &sess1.ses); +- if (sess2.ses != 0) +- ioctl(cfd, CIOCFSESSION, &sess2.ses); +- if (devcrypto_test_digest(i)) +- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; +- } +-} +- +-static const EVP_MD *get_digest_method(int nid) +-{ +- size_t i = get_digest_data_index(nid); +- +- if (i == (size_t)-1) +- return NULL; +- return known_digest_methods[i]; +-} +- +-static int get_digest_nids(const int **nids) +-{ +- *nids = known_digest_nids; +- return known_digest_nids_amount; +-} +- +-static void destroy_digest_method(int nid) +-{ +- size_t i = get_digest_data_index(nid); +- +- EVP_MD_meth_free(known_digest_methods[i]); +- known_digest_methods[i] = NULL; +-} +- +-static void destroy_all_digest_methods(void) +-{ +- size_t i; +- +- for (i = 0; i < OSSL_NELEM(digest_data); i++) { +- destroy_digest_method(digest_data[i].nid); +- OPENSSL_free(digest_driver_info[i].driver_name); +- digest_driver_info[i].driver_name = NULL; +- } +-} +- +-static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, +- const int **nids, int nid) +-{ +- if (digest == NULL) +- return get_digest_nids(nids); +- +- *digest = get_digest_method(nid); +- +- return *digest != NULL; +-} +- +-static void devcrypto_select_all_digests(int *digest_list) +-{ +- size_t i; +- +- for (i = 0; i < OSSL_NELEM(digest_data); i++) +- digest_list[i] = 1; +-} +- +-static int cryptodev_select_digest_cb(const char *str, int len, void *usr) +-{ +- int *digest_list = (int *)usr; +- char *name; +- const EVP_MD *EVP; +- size_t i; +- +- if (len == 0) +- return 1; +- if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) +- return 0; +- EVP = EVP_get_digestbyname(name); +- if (EVP == NULL) +- fprintf(stderr, "devcrypto: unknown digest %s\n", name); +- else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1) +- digest_list[i] = 1; +- else +- fprintf(stderr, "devcrypto: digest %s not available\n", name); +- OPENSSL_free(name); +- return 1; +-} +- +-static void dump_digest_info(void) +-{ +- size_t i; +- const char *name; +- +- fprintf (stderr, "Information about digests supported by the /dev/crypto" +- " engine:\n"); +-#ifndef CIOCGSESSINFO +- fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); +-#endif +- +- for (i = 0; i < OSSL_NELEM(digest_data); i++) { +- name = OBJ_nid2sn(digest_data[i].nid); +- fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s", +- name ? name : "unknown", digest_data[i].nid, +- digest_data[i].devcryptoid, +- digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown"); +- if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) { +- fprintf (stderr, ". CIOCGSESSION (session open) failed\n"); +- continue; +- } +- if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) +- fprintf(stderr, " (hw accelerated)"); +- else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) +- fprintf(stderr, " (software)"); +- else +- fprintf(stderr, " (acceleration status unknown)"); +- if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) +- fprintf (stderr, ". Cipher setup failed\n"); +- else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH) +- fprintf(stderr, ", CIOCCPHASH failed\n"); +- else +- fprintf(stderr, ", CIOCCPHASH capable\n"); +- } +- fprintf(stderr, "\n"); +-} +- +-#endif +- +-/****************************************************************************** +- * +- * CONTROL COMMANDS +- * +- *****/ +- +-#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE +-#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1) +-#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2) +-#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) +- +-/* Helper macros for CPP string composition */ +-#ifndef OPENSSL_MSTR +-# define OPENSSL_MSTR_HELPER(x) #x +-# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x) +-#endif +- +-static const ENGINE_CMD_DEFN devcrypto_cmds[] = { +-#ifdef CIOCGSESSINFO +- {DEVCRYPTO_CMD_USE_SOFTDRIVERS, +- "USE_SOFTDRIVERS", +- "specifies whether to use software (not accelerated) drivers (" +- OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, " +- OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " +- OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) +- "=use if acceleration can't be determined) [default=" - OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]", -+ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS) "]", - ENGINE_CMD_FLAG_NUMERIC}, - #endif - -@@ -1166,32 +1168,22 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) - * - *****/ - +- ENGINE_CMD_FLAG_NUMERIC}, +-#endif +- +- {DEVCRYPTO_CMD_CIPHERS, +- "CIPHERS", +- "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]", +- ENGINE_CMD_FLAG_STRING}, +- +-#ifdef IMPLEMENT_DIGEST +- {DEVCRYPTO_CMD_DIGESTS, +- "DIGESTS", +- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", +- ENGINE_CMD_FLAG_STRING}, +-#endif +- +- {DEVCRYPTO_CMD_DUMP_INFO, +- "DUMP_INFO", +- "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'", +- ENGINE_CMD_FLAG_NO_INPUT}, +- +- {0, NULL, NULL, 0} +-}; +- +-static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) +-{ +- int *new_list; +- switch (cmd) { +-#ifdef CIOCGSESSINFO +- case DEVCRYPTO_CMD_USE_SOFTDRIVERS: +- switch (i) { +- case DEVCRYPTO_REQUIRE_ACCELERATED: +- case DEVCRYPTO_USE_SOFTWARE: +- case DEVCRYPTO_REJECT_SOFTWARE: +- break; +- default: +- fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i); +- return 0; +- } +- if (use_softdrivers == i) +- return 1; +- use_softdrivers = i; +-#ifdef IMPLEMENT_DIGEST +- rebuild_known_digest_nids(e); +-#endif +- rebuild_known_cipher_nids(e); +- return 1; +-#endif /* CIOCGSESSINFO */ +- +- case DEVCRYPTO_CMD_CIPHERS: +- if (p == NULL) +- return 1; +- if (strcasecmp((const char *)p, "ALL") == 0) { +- devcrypto_select_all_ciphers(selected_ciphers); +- } else if (strcasecmp((const char*)p, "NONE") == 0) { +- memset(selected_ciphers, 0, sizeof(selected_ciphers)); +- } else { +- new_list=OPENSSL_zalloc(sizeof(selected_ciphers)); +- if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) { +- OPENSSL_free(new_list); +- return 0; +- } +- memcpy(selected_ciphers, new_list, sizeof(selected_ciphers)); +- OPENSSL_free(new_list); +- } +- rebuild_known_cipher_nids(e); +- return 1; +- +-#ifdef IMPLEMENT_DIGEST +- case DEVCRYPTO_CMD_DIGESTS: +- if (p == NULL) +- return 1; +- if (strcasecmp((const char *)p, "ALL") == 0) { +- devcrypto_select_all_digests(selected_digests); +- } else if (strcasecmp((const char*)p, "NONE") == 0) { +- memset(selected_digests, 0, sizeof(selected_digests)); +- } else { +- new_list=OPENSSL_zalloc(sizeof(selected_digests)); +- if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) { +- OPENSSL_free(new_list); +- return 0; +- } +- memcpy(selected_digests, new_list, sizeof(selected_digests)); +- OPENSSL_free(new_list); +- } +- rebuild_known_digest_nids(e); +- return 1; +-#endif /* IMPLEMENT_DIGEST */ +- +- case DEVCRYPTO_CMD_DUMP_INFO: +- dump_cipher_info(); +-#ifdef IMPLEMENT_DIGEST +- dump_digest_info(); +-#endif +- return 1; +- +- default: +- break; +- } +- return 0; +-} +- +-/****************************************************************************** +- * +- * LOAD / UNLOAD +- * +- *****/ +- -static int devcrypto_unload(ENGINE *e) -{ - destroy_all_cipher_methods(); @@ -176,42 +1288,35 @@ index 2c1b52d572..eff1ed3a7d 100644 - - return 1; -} - /* +-/* - * This engine is always built into libcrypto, so it doesn't offer any - * ability to be dynamically loadable. -+ * Opens /dev/crypto - */ +- */ -void engine_load_devcrypto_int() -+static int open_devcrypto(void) - { +-{ - ENGINE *e = NULL; - int fd; - -+ if (cfd >= 0) -+ return 1; -+ - if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { - #ifndef ENGINE_DEVCRYPTO_DEBUG - if (errno != ENOENT) - #endif - fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); +- int fd; +- +- if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { +-#ifndef ENGINE_DEVCRYPTO_DEBUG +- if (errno != ENOENT) +-#endif +- fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); - return; -+ return 0; - } - - #ifdef CRIOGET -@@ -1199,35 +1191,61 @@ void engine_load_devcrypto_int() - fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); - close(fd); - cfd = -1; +- } +- +-#ifdef CRIOGET +- if (ioctl(fd, CRIOGET, &cfd) < 0) { +- fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); +- close(fd); +- cfd = -1; - return; -+ return 0; - } - close(fd); - #else - cfd = fd; - #endif - +- } +- close(fd); +-#else +- cfd = fd; +-#endif +- - if ((e = ENGINE_new()) == NULL - || !ENGINE_set_destroy_function(e, devcrypto_unload)) { - ENGINE_free(e); @@ -222,6 +1327,1268 @@ index 2c1b52d572..eff1ed3a7d 100644 - */ - close(cfd); - return; +- } +- +- prepare_cipher_methods(); +-#ifdef IMPLEMENT_DIGEST +- prepare_digest_methods(); +-#endif +- +- if (!ENGINE_set_id(e, "devcrypto") +- || !ENGINE_set_name(e, "/dev/crypto engine") +- || !ENGINE_set_cmd_defns(e, devcrypto_cmds) +- || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) +- +-/* +- * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD +- * implementations, it seems to only exist in FreeBSD, and regarding the +- * parameters in its crypt_kop, the manual crypto(4) has this to say: +- * +- * The semantics of these arguments are currently undocumented. +- * +- * Reading through the FreeBSD source code doesn't give much more than +- * their CRK_MOD_EXP implementation for ubsec. +- * +- * It doesn't look much better with cryptodev-linux. They have the crypt_kop +- * structure as well as the command (CRK_*) in cryptodev.h, but no support +- * seems to be implemented at all for the moment. +- * +- * At the time of writing, it seems impossible to write proper support for +- * FreeBSD's asym features without some very deep knowledge and access to +- * specific kernel modules. +- * +- * /Richard Levitte, 2017-05-11 +- */ +-#if 0 +-# ifndef OPENSSL_NO_RSA +- || !ENGINE_set_RSA(e, devcrypto_rsa) +-# endif +-# ifndef OPENSSL_NO_DSA +- || !ENGINE_set_DSA(e, devcrypto_dsa) +-# endif +-# ifndef OPENSSL_NO_DH +- || !ENGINE_set_DH(e, devcrypto_dh) +-# endif +-# ifndef OPENSSL_NO_EC +- || !ENGINE_set_EC(e, devcrypto_ec) +-# endif +-#endif +- || !ENGINE_set_ciphers(e, devcrypto_ciphers) +-#ifdef IMPLEMENT_DIGEST +- || !ENGINE_set_digests(e, devcrypto_digests) +-#endif +- ) { +- ENGINE_free(e); +- return; +- } +- +- ENGINE_add(e); +- ENGINE_free(e); /* Loose our local reference */ +- ERR_clear_error(); +-} +--- /dev/null ++++ b/engines/e_devcrypto.c +@@ -0,0 +1,1327 @@ ++/* ++ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include "../e_os.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "crypto/engine.h" ++ ++/* #define ENGINE_DEVCRYPTO_DEBUG */ ++ ++#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX ++# define CHECK_BSD_STYLE_MACROS ++#endif ++ ++#define engine_devcrypto_id "devcrypto" ++ ++/* ++ * ONE global file descriptor for all sessions. This allows operations ++ * such as digest session data copying (see digest_copy()), but is also ++ * saner... why re-open /dev/crypto for every session? ++ */ ++static int cfd = -1; ++#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ ++#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ ++#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ ++ ++#define DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS DEVCRYPTO_REJECT_SOFTWARE ++static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS; ++ ++/* ++ * cipher/digest status & acceleration definitions ++ * Make sure the defaults are set to 0 ++ */ ++struct driver_info_st { ++ enum devcrypto_status_t { ++ DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */ ++ DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */ ++ DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */ ++ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ ++ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ ++ } status; ++ ++ enum devcrypto_accelerated_t { ++ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ ++ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ ++ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ ++ } accelerated; ++ ++ char *driver_name; ++}; ++ ++static int clean_devcrypto_session(struct session_op *sess) { ++ if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++ } ++ memset(sess, 0, sizeof(struct session_op)); ++ return 1; ++} ++ ++/****************************************************************************** ++ * ++ * Ciphers ++ * ++ * Because they all do the same basic operation, we have only one set of ++ * method functions for them all to share, and a mapping table between ++ * NIDs and cryptodev IDs, with all the necessary size data. ++ * ++ *****/ ++ ++struct cipher_ctx { ++ struct session_op sess; ++ int op; /* COP_ENCRYPT or COP_DECRYPT */ ++ unsigned long mode; /* EVP_CIPH_*_MODE */ ++ ++ /* to handle ctr mode being a stream cipher */ ++ unsigned char partial[EVP_MAX_BLOCK_LENGTH]; ++ unsigned int blocksize, num; ++}; ++ ++static const struct cipher_data_st { ++ int nid; ++ int blocksize; ++ int keylen; ++ int ivlen; ++ int flags; ++ int devcryptoid; ++} cipher_data[] = { ++#ifndef OPENSSL_NO_DES ++ { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC }, ++ { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC }, ++#endif ++#ifndef OPENSSL_NO_BF ++ { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC }, ++#endif ++#ifndef OPENSSL_NO_CAST ++ { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC }, ++#endif ++ { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, ++ { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, ++ { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, ++#ifndef OPENSSL_NO_RC4 ++ { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 }, ++#endif ++#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR) ++ { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, ++ { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, ++ { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, ++#endif ++#if 0 /* Not yet supported */ ++ { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, ++ { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, ++#endif ++#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) ++ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, ++#endif ++#if 0 /* Not yet supported */ ++ { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, ++ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, ++ { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, ++#endif ++#ifndef OPENSSL_NO_CAMELLIA ++ { NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, ++ CRYPTO_CAMELLIA_CBC }, ++ { NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, ++ CRYPTO_CAMELLIA_CBC }, ++ { NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, ++ CRYPTO_CAMELLIA_CBC }, ++#endif ++}; ++ ++static size_t find_cipher_data_index(int nid) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) ++ if (nid == cipher_data[i].nid) ++ return i; ++ return (size_t)-1; ++} ++ ++static size_t get_cipher_data_index(int nid) ++{ ++ size_t i = find_cipher_data_index(nid); ++ ++ if (i != (size_t)-1) ++ return i; ++ ++ /* ++ * Code further down must make sure that only NIDs in the table above ++ * are used. If any other NID reaches this function, there's a grave ++ * coding error further down. ++ */ ++ assert("Code that never should be reached" == NULL); ++ return -1; ++} ++ ++static const struct cipher_data_st *get_cipher_data(int nid) ++{ ++ return &cipher_data[get_cipher_data_index(nid)]; ++} ++ ++/* ++ * Following are the three necessary functions to map OpenSSL functionality ++ * with cryptodev. ++ */ ++ ++static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc) ++{ ++ struct cipher_ctx *cipher_ctx = ++ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); ++ const struct cipher_data_st *cipher_d = ++ get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); ++ ++ /* cleanup a previous session */ ++ if (cipher_ctx->sess.ses != 0 && ++ clean_devcrypto_session(&cipher_ctx->sess) == 0) ++ return 0; ++ ++ cipher_ctx->sess.cipher = cipher_d->devcryptoid; ++ cipher_ctx->sess.keylen = cipher_d->keylen; ++ cipher_ctx->sess.key = (void *)key; ++ cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; ++ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; ++ cipher_ctx->blocksize = cipher_d->blocksize; ++ if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ ++ struct cipher_ctx *cipher_ctx = ++ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); ++ struct crypt_op cryp; ++ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); ++#if !defined(COP_FLAG_WRITE_IV) ++ unsigned char saved_iv[EVP_MAX_IV_LENGTH]; ++ const unsigned char *ivptr; ++ size_t nblocks, ivlen; ++#endif ++ ++ memset(&cryp, 0, sizeof(cryp)); ++ cryp.ses = cipher_ctx->sess.ses; ++ cryp.len = inl; ++ cryp.src = (void *)in; ++ cryp.dst = (void *)out; ++ cryp.iv = (void *)iv; ++ cryp.op = cipher_ctx->op; ++#if !defined(COP_FLAG_WRITE_IV) ++ cryp.flags = 0; ++ ++ ivlen = EVP_CIPHER_CTX_iv_length(ctx); ++ if (ivlen > 0) ++ switch (cipher_ctx->mode) { ++ case EVP_CIPH_CBC_MODE: ++ assert(inl >= ivlen); ++ if (!EVP_CIPHER_CTX_encrypting(ctx)) { ++ ivptr = in + inl - ivlen; ++ memcpy(saved_iv, ivptr, ivlen); ++ } ++ break; ++ ++ case EVP_CIPH_CTR_MODE: ++ break; ++ ++ default: /* should not happen */ ++ return 0; ++ } ++#else ++ cryp.flags = COP_FLAG_WRITE_IV; ++#endif ++ ++ if (ioctl(cfd, CIOCCRYPT, &cryp) < 0) { ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++ } ++ ++#if !defined(COP_FLAG_WRITE_IV) ++ if (ivlen > 0) ++ switch (cipher_ctx->mode) { ++ case EVP_CIPH_CBC_MODE: ++ assert(inl >= ivlen); ++ if (EVP_CIPHER_CTX_encrypting(ctx)) ++ ivptr = out + inl - ivlen; ++ else ++ ivptr = saved_iv; ++ ++ memcpy(iv, ivptr, ivlen); ++ break; ++ ++ case EVP_CIPH_CTR_MODE: ++ nblocks = (inl + cipher_ctx->blocksize - 1) ++ / cipher_ctx->blocksize; ++ do { ++ ivlen--; ++ nblocks += iv[ivlen]; ++ iv[ivlen] = (uint8_t) nblocks; ++ nblocks >>= 8; ++ } while (ivlen); ++ break; ++ ++ default: /* should not happen */ ++ return 0; ++ } ++#endif ++ ++ return 1; ++} ++ ++static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ ++ struct cipher_ctx *cipher_ctx = ++ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); ++ size_t nblocks, len; ++ ++ /* initial partial block */ ++ while (cipher_ctx->num && inl) { ++ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num]; ++ --inl; ++ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize; ++ } ++ ++ /* full blocks */ ++ if (inl > (unsigned int) cipher_ctx->blocksize) { ++ nblocks = inl/cipher_ctx->blocksize; ++ len = nblocks * cipher_ctx->blocksize; ++ if (cipher_do_cipher(ctx, out, in, len) < 1) ++ return 0; ++ inl -= len; ++ out += len; ++ in += len; ++ } ++ ++ /* final partial block */ ++ if (inl) { ++ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize); ++ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial, ++ cipher_ctx->blocksize) < 1) ++ return 0; ++ while (inl--) { ++ out[cipher_ctx->num] = in[cipher_ctx->num] ++ ^ cipher_ctx->partial[cipher_ctx->num]; ++ cipher_ctx->num++; ++ } ++ } ++ ++ return 1; ++} ++ ++static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) ++{ ++ struct cipher_ctx *cipher_ctx = ++ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); ++ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2; ++ struct cipher_ctx *to_cipher_ctx; ++ ++ switch (type) { ++ case EVP_CTRL_COPY: ++ if (cipher_ctx == NULL) ++ return 1; ++ /* when copying the context, a new session needs to be initialized */ ++ to_cipher_ctx = ++ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(to_ctx); ++ memset(&to_cipher_ctx->sess, 0, sizeof(to_cipher_ctx->sess)); ++ return cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx), ++ (cipher_ctx->op == COP_ENCRYPT)); ++ ++ case EVP_CTRL_INIT: ++ memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess)); ++ return 1; ++ ++ default: ++ break; ++ } ++ ++ return -1; ++} ++ ++static int cipher_cleanup(EVP_CIPHER_CTX *ctx) ++{ ++ struct cipher_ctx *cipher_ctx = ++ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); ++ ++ return clean_devcrypto_session(&cipher_ctx->sess); ++} ++ ++/* ++ * Keep tables of known nids, associated methods, selected ciphers, and driver ++ * info. ++ * Note that known_cipher_nids[] isn't necessarily indexed the same way as ++ * cipher_data[] above, which the other tables are. ++ */ ++static int known_cipher_nids[OSSL_NELEM(cipher_data)]; ++static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ ++static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; ++static int selected_ciphers[OSSL_NELEM(cipher_data)]; ++static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)]; ++ ++ ++static int devcrypto_test_cipher(size_t cipher_data_index) ++{ ++ return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE ++ && selected_ciphers[cipher_data_index] == 1 ++ && (cipher_driver_info[cipher_data_index].accelerated ++ == DEVCRYPTO_ACCELERATED ++ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE ++ || (cipher_driver_info[cipher_data_index].accelerated ++ != DEVCRYPTO_NOT_ACCELERATED ++ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); ++} ++ ++static void prepare_cipher_methods(void) ++{ ++ size_t i; ++ struct session_op sess; ++ unsigned long cipher_mode; ++#ifdef CIOCGSESSINFO ++ struct session_info_op siop; ++#endif ++ ++ memset(&cipher_driver_info, 0, sizeof(cipher_driver_info)); ++ ++ memset(&sess, 0, sizeof(sess)); ++ sess.key = (void *)"01234567890123456789012345678901234567890123456789"; ++ ++ for (i = 0, known_cipher_nids_amount = 0; ++ i < OSSL_NELEM(cipher_data); i++) { ++ ++ selected_ciphers[i] = 1; ++ /* ++ * Check that the cipher is usable ++ */ ++ sess.cipher = cipher_data[i].devcryptoid; ++ sess.keylen = cipher_data[i].keylen; ++ if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; ++ continue; ++ } ++ ++ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; ++ ++ if ((known_cipher_methods[i] = ++ EVP_CIPHER_meth_new(cipher_data[i].nid, ++ cipher_mode == EVP_CIPH_CTR_MODE ? 1 : ++ cipher_data[i].blocksize, ++ cipher_data[i].keylen)) == NULL ++ || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], ++ cipher_data[i].ivlen) ++ || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], ++ cipher_data[i].flags ++ | EVP_CIPH_CUSTOM_COPY ++ | EVP_CIPH_CTRL_INIT ++ | EVP_CIPH_FLAG_DEFAULT_ASN1) ++ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) ++ || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], ++ cipher_mode == EVP_CIPH_CTR_MODE ? ++ ctr_do_cipher : ++ cipher_do_cipher) ++ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) ++ || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], ++ cipher_cleanup) ++ || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], ++ sizeof(struct cipher_ctx))) { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; ++ EVP_CIPHER_meth_free(known_cipher_methods[i]); ++ known_cipher_methods[i] = NULL; ++ } else { ++ cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; ++#ifdef CIOCGSESSINFO ++ siop.ses = sess.ses; ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { ++ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; ++ } else { ++ cipher_driver_info[i].driver_name = ++ OPENSSL_strndup(siop.cipher_info.cra_driver_name, ++ CRYPTODEV_MAX_ALG_NAME); ++ if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) ++ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ else ++ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ } ++#endif /* CIOCGSESSINFO */ ++ } ++ ioctl(cfd, CIOCFSESSION, &sess.ses); ++ if (devcrypto_test_cipher(i)) { ++ known_cipher_nids[known_cipher_nids_amount++] = ++ cipher_data[i].nid; ++ } ++ } ++} ++ ++static void rebuild_known_cipher_nids(ENGINE *e) ++{ ++ size_t i; ++ ++ for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) { ++ if (devcrypto_test_cipher(i)) ++ known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid; ++ } ++ ENGINE_unregister_ciphers(e); ++ ENGINE_register_ciphers(e); ++} ++ ++static const EVP_CIPHER *get_cipher_method(int nid) ++{ ++ size_t i = get_cipher_data_index(nid); ++ ++ if (i == (size_t)-1) ++ return NULL; ++ return known_cipher_methods[i]; ++} ++ ++static int get_cipher_nids(const int **nids) ++{ ++ *nids = known_cipher_nids; ++ return known_cipher_nids_amount; ++} ++ ++static void destroy_cipher_method(int nid) ++{ ++ size_t i = get_cipher_data_index(nid); ++ ++ EVP_CIPHER_meth_free(known_cipher_methods[i]); ++ known_cipher_methods[i] = NULL; ++} ++ ++static void destroy_all_cipher_methods(void) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { ++ destroy_cipher_method(cipher_data[i].nid); ++ OPENSSL_free(cipher_driver_info[i].driver_name); ++ cipher_driver_info[i].driver_name = NULL; ++ } ++} ++ ++static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, ++ const int **nids, int nid) ++{ ++ if (cipher == NULL) ++ return get_cipher_nids(nids); ++ ++ *cipher = get_cipher_method(nid); ++ ++ return *cipher != NULL; ++} ++ ++static void devcrypto_select_all_ciphers(int *cipher_list) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) ++ cipher_list[i] = 1; ++} ++ ++static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) ++{ ++ int *cipher_list = (int *)usr; ++ char *name; ++ const EVP_CIPHER *EVP; ++ size_t i; ++ ++ if (len == 0) ++ return 1; ++ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) ++ return 0; ++ EVP = EVP_get_cipherbyname(name); ++ if (EVP == NULL) ++ fprintf(stderr, "devcrypto: unknown cipher %s\n", name); ++ else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1) ++ cipher_list[i] = 1; ++ else ++ fprintf(stderr, "devcrypto: cipher %s not available\n", name); ++ OPENSSL_free(name); ++ return 1; ++} ++ ++static void dump_cipher_info(void) ++{ ++ size_t i; ++ const char *name; ++ ++ fprintf (stderr, "Information about ciphers supported by the /dev/crypto" ++ " engine:\n"); ++#ifndef CIOCGSESSINFO ++ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); ++#endif ++ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { ++ name = OBJ_nid2sn(cipher_data[i].nid); ++ fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ", ++ name ? name : "unknown", cipher_data[i].nid, ++ cipher_data[i].devcryptoid); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) { ++ fprintf (stderr, "CIOCGSESSION (session open call) failed\n"); ++ continue; ++ } ++ fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ? ++ cipher_driver_info[i].driver_name : "unknown"); ++ if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) ++ fprintf(stderr, "(hw accelerated)"); ++ else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) ++ fprintf(stderr, "(software)"); ++ else ++ fprintf(stderr, "(acceleration status unknown)"); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) ++ fprintf (stderr, ". Cipher setup failed"); ++ fprintf(stderr, "\n"); ++ } ++ fprintf(stderr, "\n"); ++} ++ ++/* ++ * We only support digests if the cryptodev implementation supports multiple ++ * data updates and session copying. Otherwise, we would be forced to maintain ++ * a cache, which is perilous if there's a lot of data coming in (if someone ++ * wants to checksum an OpenSSL tarball, for example). ++ */ ++#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) ++#define IMPLEMENT_DIGEST ++ ++/****************************************************************************** ++ * ++ * Digests ++ * ++ * Because they all do the same basic operation, we have only one set of ++ * method functions for them all to share, and a mapping table between ++ * NIDs and cryptodev IDs, with all the necessary size data. ++ * ++ *****/ ++ ++struct digest_ctx { ++ struct session_op sess; ++ /* This signals that the init function was called, not that it succeeded. */ ++ int init_called; ++ unsigned char digest_res[HASH_MAX_LEN]; ++}; ++ ++static const struct digest_data_st { ++ int nid; ++ int blocksize; ++ int digestlen; ++ int devcryptoid; ++} digest_data[] = { ++#ifndef OPENSSL_NO_MD5 ++ { NID_md5, /* MD5_CBLOCK */ 64, 16, CRYPTO_MD5 }, ++#endif ++ { NID_sha1, SHA_CBLOCK, 20, CRYPTO_SHA1 }, ++#ifndef OPENSSL_NO_RMD160 ++# if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_RIPEMD160) ++ { NID_ripemd160, /* RIPEMD160_CBLOCK */ 64, 20, CRYPTO_RIPEMD160 }, ++# endif ++#endif ++#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_224) ++ { NID_sha224, SHA256_CBLOCK, 224 / 8, CRYPTO_SHA2_224 }, ++#endif ++#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_256) ++ { NID_sha256, SHA256_CBLOCK, 256 / 8, CRYPTO_SHA2_256 }, ++#endif ++#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_384) ++ { NID_sha384, SHA512_CBLOCK, 384 / 8, CRYPTO_SHA2_384 }, ++#endif ++#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_512) ++ { NID_sha512, SHA512_CBLOCK, 512 / 8, CRYPTO_SHA2_512 }, ++#endif ++}; ++ ++static size_t find_digest_data_index(int nid) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) ++ if (nid == digest_data[i].nid) ++ return i; ++ return (size_t)-1; ++} ++ ++static size_t get_digest_data_index(int nid) ++{ ++ size_t i = find_digest_data_index(nid); ++ ++ if (i != (size_t)-1) ++ return i; ++ ++ /* ++ * Code further down must make sure that only NIDs in the table above ++ * are used. If any other NID reaches this function, there's a grave ++ * coding error further down. ++ */ ++ assert("Code that never should be reached" == NULL); ++ return -1; ++} ++ ++static const struct digest_data_st *get_digest_data(int nid) ++{ ++ return &digest_data[get_digest_data_index(nid)]; ++} ++ ++/* ++ * Following are the five necessary functions to map OpenSSL functionality ++ * with cryptodev: init, update, final, cleanup, and copy. ++ */ ++ ++static int digest_init(EVP_MD_CTX *ctx) ++{ ++ struct digest_ctx *digest_ctx = ++ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); ++ const struct digest_data_st *digest_d = ++ get_digest_data(EVP_MD_CTX_type(ctx)); ++ ++ digest_ctx->init_called = 1; ++ ++ memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); ++ digest_ctx->sess.mac = digest_d->devcryptoid; ++ if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++static int digest_op(struct digest_ctx *ctx, const void *src, size_t srclen, ++ void *res, unsigned int flags) ++{ ++ struct crypt_op cryp; ++ ++ memset(&cryp, 0, sizeof(cryp)); ++ cryp.ses = ctx->sess.ses; ++ cryp.len = srclen; ++ cryp.src = (void *)src; ++ cryp.dst = NULL; ++ cryp.mac = res; ++ cryp.flags = flags; ++ return ioctl(cfd, CIOCCRYPT, &cryp); ++} ++ ++static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) ++{ ++ struct digest_ctx *digest_ctx = ++ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); ++ ++ if (count == 0) ++ return 1; ++ ++ if (digest_ctx == NULL) ++ return 0; ++ ++ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { ++ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0) ++ return 1; ++ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) { ++ return 1; ++ } ++ ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++} ++ ++static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) ++{ ++ struct digest_ctx *digest_ctx = ++ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); ++ ++ if (md == NULL || digest_ctx == NULL) ++ return 0; ++ ++ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { ++ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx)); ++ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) ++{ ++ struct digest_ctx *digest_from = ++ (struct digest_ctx *)EVP_MD_CTX_md_data(from); ++ struct digest_ctx *digest_to = ++ (struct digest_ctx *)EVP_MD_CTX_md_data(to); ++ struct cphash_op cphash; ++ ++ if (digest_from == NULL || digest_from->init_called != 1) ++ return 1; ++ ++ if (!digest_init(to)) { ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++ } ++ ++ cphash.src_ses = digest_from->sess.ses; ++ cphash.dst_ses = digest_to->sess.ses; ++ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { ++ SYSerr(SYS_F_IOCTL, errno); ++ return 0; ++ } ++ return 1; ++} ++ ++static int digest_cleanup(EVP_MD_CTX *ctx) ++{ ++ struct digest_ctx *digest_ctx = ++ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); ++ ++ if (digest_ctx == NULL) ++ return 1; ++ ++ return clean_devcrypto_session(&digest_ctx->sess); ++} ++ ++/* ++ * Keep tables of known nids, associated methods, selected digests, and ++ * driver info. ++ * Note that known_digest_nids[] isn't necessarily indexed the same way as ++ * digest_data[] above, which the other tables are. ++ */ ++static int known_digest_nids[OSSL_NELEM(digest_data)]; ++static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ ++static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; ++static int selected_digests[OSSL_NELEM(digest_data)]; ++static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)]; ++ ++static int devcrypto_test_digest(size_t digest_data_index) ++{ ++ return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE ++ && selected_digests[digest_data_index] == 1 ++ && (digest_driver_info[digest_data_index].accelerated ++ == DEVCRYPTO_ACCELERATED ++ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE ++ || (digest_driver_info[digest_data_index].accelerated ++ != DEVCRYPTO_NOT_ACCELERATED ++ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); ++} ++ ++static void rebuild_known_digest_nids(ENGINE *e) ++{ ++ size_t i; ++ ++ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { ++ if (devcrypto_test_digest(i)) ++ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; ++ } ++ ENGINE_unregister_digests(e); ++ ENGINE_register_digests(e); ++} ++ ++static void prepare_digest_methods(void) ++{ ++ size_t i; ++ struct session_op sess1, sess2; ++#ifdef CIOCGSESSINFO ++ struct session_info_op siop; ++#endif ++ struct cphash_op cphash; ++ ++ memset(&digest_driver_info, 0, sizeof(digest_driver_info)); ++ ++ memset(&sess1, 0, sizeof(sess1)); ++ memset(&sess2, 0, sizeof(sess2)); ++ ++ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); ++ i++) { ++ ++ selected_digests[i] = 1; ++ ++ /* ++ * Check that the digest is usable ++ */ ++ sess1.mac = digest_data[i].devcryptoid; ++ sess2.ses = 0; ++ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; ++ goto finish; ++ } ++ ++#ifdef CIOCGSESSINFO ++ /* gather hardware acceleration info from the driver */ ++ siop.ses = sess1.ses; ++ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { ++ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; ++ } else { ++ digest_driver_info[i].driver_name = ++ OPENSSL_strndup(siop.hash_info.cra_driver_name, ++ CRYPTODEV_MAX_ALG_NAME); ++ if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) ++ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; ++ else ++ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; ++ } ++#endif ++ ++ /* digest must be capable of hash state copy */ ++ sess2.mac = sess1.mac; ++ if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; ++ goto finish; ++ } ++ cphash.src_ses = sess1.ses; ++ cphash.dst_ses = sess2.ses; ++ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH; ++ goto finish; ++ } ++ if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, ++ NID_undef)) == NULL ++ || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i], ++ digest_data[i].blocksize) ++ || !EVP_MD_meth_set_result_size(known_digest_methods[i], ++ digest_data[i].digestlen) ++ || !EVP_MD_meth_set_init(known_digest_methods[i], digest_init) ++ || !EVP_MD_meth_set_update(known_digest_methods[i], digest_update) ++ || !EVP_MD_meth_set_final(known_digest_methods[i], digest_final) ++ || !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy) ++ || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) ++ || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], ++ sizeof(struct digest_ctx))) { ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; ++ EVP_MD_meth_free(known_digest_methods[i]); ++ known_digest_methods[i] = NULL; ++ goto finish; ++ } ++ digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; ++finish: ++ ioctl(cfd, CIOCFSESSION, &sess1.ses); ++ if (sess2.ses != 0) ++ ioctl(cfd, CIOCFSESSION, &sess2.ses); ++ if (devcrypto_test_digest(i)) ++ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; ++ } ++} ++ ++static const EVP_MD *get_digest_method(int nid) ++{ ++ size_t i = get_digest_data_index(nid); ++ ++ if (i == (size_t)-1) ++ return NULL; ++ return known_digest_methods[i]; ++} ++ ++static int get_digest_nids(const int **nids) ++{ ++ *nids = known_digest_nids; ++ return known_digest_nids_amount; ++} ++ ++static void destroy_digest_method(int nid) ++{ ++ size_t i = get_digest_data_index(nid); ++ ++ EVP_MD_meth_free(known_digest_methods[i]); ++ known_digest_methods[i] = NULL; ++} ++ ++static void destroy_all_digest_methods(void) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) { ++ destroy_digest_method(digest_data[i].nid); ++ OPENSSL_free(digest_driver_info[i].driver_name); ++ digest_driver_info[i].driver_name = NULL; ++ } ++} ++ ++static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, ++ const int **nids, int nid) ++{ ++ if (digest == NULL) ++ return get_digest_nids(nids); ++ ++ *digest = get_digest_method(nid); ++ ++ return *digest != NULL; ++} ++ ++static void devcrypto_select_all_digests(int *digest_list) ++{ ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) ++ digest_list[i] = 1; ++} ++ ++static int cryptodev_select_digest_cb(const char *str, int len, void *usr) ++{ ++ int *digest_list = (int *)usr; ++ char *name; ++ const EVP_MD *EVP; ++ size_t i; ++ ++ if (len == 0) ++ return 1; ++ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) ++ return 0; ++ EVP = EVP_get_digestbyname(name); ++ if (EVP == NULL) ++ fprintf(stderr, "devcrypto: unknown digest %s\n", name); ++ else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1) ++ digest_list[i] = 1; ++ else ++ fprintf(stderr, "devcrypto: digest %s not available\n", name); ++ OPENSSL_free(name); ++ return 1; ++} ++ ++static void dump_digest_info(void) ++{ ++ size_t i; ++ const char *name; ++ ++ fprintf (stderr, "Information about digests supported by the /dev/crypto" ++ " engine:\n"); ++#ifndef CIOCGSESSINFO ++ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); ++#endif ++ ++ for (i = 0; i < OSSL_NELEM(digest_data); i++) { ++ name = OBJ_nid2sn(digest_data[i].nid); ++ fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s", ++ name ? name : "unknown", digest_data[i].nid, ++ digest_data[i].devcryptoid, ++ digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown"); ++ if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) { ++ fprintf (stderr, ". CIOCGSESSION (session open) failed\n"); ++ continue; ++ } ++ if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) ++ fprintf(stderr, " (hw accelerated)"); ++ else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) ++ fprintf(stderr, " (software)"); ++ else ++ fprintf(stderr, " (acceleration status unknown)"); ++ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) ++ fprintf (stderr, ". Cipher setup failed\n"); ++ else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH) ++ fprintf(stderr, ", CIOCCPHASH failed\n"); ++ else ++ fprintf(stderr, ", CIOCCPHASH capable\n"); ++ } ++ fprintf(stderr, "\n"); ++} ++ ++#endif ++ ++/****************************************************************************** ++ * ++ * CONTROL COMMANDS ++ * ++ *****/ ++ ++#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE ++#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1) ++#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2) ++#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) ++ ++/* Helper macros for CPP string composition */ ++#ifndef OPENSSL_MSTR ++# define OPENSSL_MSTR_HELPER(x) #x ++# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x) ++#endif ++ ++static const ENGINE_CMD_DEFN devcrypto_cmds[] = { ++#ifdef CIOCGSESSINFO ++ {DEVCRYPTO_CMD_USE_SOFTDRIVERS, ++ "USE_SOFTDRIVERS", ++ "specifies whether to use software (not accelerated) drivers (" ++ OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, " ++ OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " ++ OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) ++ "=use if acceleration can't be determined) [default=" ++ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS) "]", ++ ENGINE_CMD_FLAG_NUMERIC}, ++#endif ++ ++ {DEVCRYPTO_CMD_CIPHERS, ++ "CIPHERS", ++ "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]", ++ ENGINE_CMD_FLAG_STRING}, ++ ++#ifdef IMPLEMENT_DIGEST ++ {DEVCRYPTO_CMD_DIGESTS, ++ "DIGESTS", ++ "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", ++ ENGINE_CMD_FLAG_STRING}, ++#endif ++ ++ {DEVCRYPTO_CMD_DUMP_INFO, ++ "DUMP_INFO", ++ "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'", ++ ENGINE_CMD_FLAG_NO_INPUT}, ++ ++ {0, NULL, NULL, 0} ++}; ++ ++static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) ++{ ++ int *new_list; ++ switch (cmd) { ++#ifdef CIOCGSESSINFO ++ case DEVCRYPTO_CMD_USE_SOFTDRIVERS: ++ switch (i) { ++ case DEVCRYPTO_REQUIRE_ACCELERATED: ++ case DEVCRYPTO_USE_SOFTWARE: ++ case DEVCRYPTO_REJECT_SOFTWARE: ++ break; ++ default: ++ fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i); ++ return 0; ++ } ++ if (use_softdrivers == i) ++ return 1; ++ use_softdrivers = i; ++#ifdef IMPLEMENT_DIGEST ++ rebuild_known_digest_nids(e); ++#endif ++ rebuild_known_cipher_nids(e); ++ return 1; ++#endif /* CIOCGSESSINFO */ ++ ++ case DEVCRYPTO_CMD_CIPHERS: ++ if (p == NULL) ++ return 1; ++ if (strcasecmp((const char *)p, "ALL") == 0) { ++ devcrypto_select_all_ciphers(selected_ciphers); ++ } else if (strcasecmp((const char*)p, "NONE") == 0) { ++ memset(selected_ciphers, 0, sizeof(selected_ciphers)); ++ } else { ++ new_list=OPENSSL_zalloc(sizeof(selected_ciphers)); ++ if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) { ++ OPENSSL_free(new_list); ++ return 0; ++ } ++ memcpy(selected_ciphers, new_list, sizeof(selected_ciphers)); ++ OPENSSL_free(new_list); ++ } ++ rebuild_known_cipher_nids(e); ++ return 1; ++ ++#ifdef IMPLEMENT_DIGEST ++ case DEVCRYPTO_CMD_DIGESTS: ++ if (p == NULL) ++ return 1; ++ if (strcasecmp((const char *)p, "ALL") == 0) { ++ devcrypto_select_all_digests(selected_digests); ++ } else if (strcasecmp((const char*)p, "NONE") == 0) { ++ memset(selected_digests, 0, sizeof(selected_digests)); ++ } else { ++ new_list=OPENSSL_zalloc(sizeof(selected_digests)); ++ if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) { ++ OPENSSL_free(new_list); ++ return 0; ++ } ++ memcpy(selected_digests, new_list, sizeof(selected_digests)); ++ OPENSSL_free(new_list); ++ } ++ rebuild_known_digest_nids(e); ++ return 1; ++#endif /* IMPLEMENT_DIGEST */ ++ ++ case DEVCRYPTO_CMD_DUMP_INFO: ++ dump_cipher_info(); ++#ifdef IMPLEMENT_DIGEST ++ dump_digest_info(); ++#endif ++ return 1; ++ ++ default: ++ break; ++ } ++ return 0; ++} ++ ++/****************************************************************************** ++ * ++ * LOAD / UNLOAD ++ * ++ *****/ ++ ++/* ++ * Opens /dev/crypto ++ */ ++static int open_devcrypto(void) ++{ ++ int fd; ++ ++ if (cfd >= 0) ++ return 1; ++ ++ if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { ++#ifndef ENGINE_DEVCRYPTO_DEBUG ++ if (errno != ENOENT) ++#endif ++ fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); ++ return 0; ++ } ++ ++#ifdef CRIOGET ++ if (ioctl(fd, CRIOGET, &cfd) < 0) { ++ fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); ++ close(fd); ++ cfd = -1; ++ return 0; ++ } ++ close(fd); ++#else ++ cfd = fd; ++#endif ++ + return 1; +} + @@ -236,20 +2603,17 @@ index 2c1b52d572..eff1ed3a7d 100644 + if (ret != 0) { + fprintf(stderr, "Error closing /dev/crypto: %s\n", strerror(errno)); + return 0; - } ++ } + return 1; +} - -- prepare_cipher_methods(); ++ +static int devcrypto_unload(ENGINE *e) +{ + destroy_all_cipher_methods(); - #ifdef IMPLEMENT_DIGEST -- prepare_digest_methods(); ++#ifdef IMPLEMENT_DIGEST + destroy_all_digest_methods(); - #endif - -- if (!ENGINE_set_id(e, "devcrypto") ++#endif ++ + close_devcrypto(); + + return 1; @@ -258,13 +2622,12 @@ index 2c1b52d572..eff1ed3a7d 100644 +static int bind_devcrypto(ENGINE *e) { + + if (!ENGINE_set_id(e, engine_devcrypto_id) - || !ENGINE_set_name(e, "/dev/crypto engine") ++ || !ENGINE_set_name(e, "/dev/crypto engine") + || !ENGINE_set_destroy_function(e, devcrypto_unload) - || !ENGINE_set_cmd_defns(e, devcrypto_cmds) -- || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) ++ || !ENGINE_set_cmd_defns(e, devcrypto_cmds) + || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)) + return 0; - ++ + prepare_cipher_methods(); +#ifdef IMPLEMENT_DIGEST + prepare_digest_methods(); @@ -274,34 +2637,40 @@ index 2c1b52d572..eff1ed3a7d 100644 +#ifdef IMPLEMENT_DIGEST + && ENGINE_set_digests(e, devcrypto_digests) +#endif - /* - * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD - * implementations, it seems to only exist in FreeBSD, and regarding the -@@ -1250,23 +1268,36 @@ void engine_load_devcrypto_int() - */ - #if 0 - # ifndef OPENSSL_NO_RSA -- || !ENGINE_set_RSA(e, devcrypto_rsa) ++/* ++ * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD ++ * implementations, it seems to only exist in FreeBSD, and regarding the ++ * parameters in its crypt_kop, the manual crypto(4) has this to say: ++ * ++ * The semantics of these arguments are currently undocumented. ++ * ++ * Reading through the FreeBSD source code doesn't give much more than ++ * their CRK_MOD_EXP implementation for ubsec. ++ * ++ * It doesn't look much better with cryptodev-linux. They have the crypt_kop ++ * structure as well as the command (CRK_*) in cryptodev.h, but no support ++ * seems to be implemented at all for the moment. ++ * ++ * At the time of writing, it seems impossible to write proper support for ++ * FreeBSD's asym features without some very deep knowledge and access to ++ * specific kernel modules. ++ * ++ * /Richard Levitte, 2017-05-11 ++ */ ++#if 0 ++# ifndef OPENSSL_NO_RSA + && ENGINE_set_RSA(e, devcrypto_rsa) - # endif - # ifndef OPENSSL_NO_DSA -- || !ENGINE_set_DSA(e, devcrypto_dsa) ++# endif ++# ifndef OPENSSL_NO_DSA + && ENGINE_set_DSA(e, devcrypto_dsa) - # endif - # ifndef OPENSSL_NO_DH -- || !ENGINE_set_DH(e, devcrypto_dh) ++# endif ++# ifndef OPENSSL_NO_DH + && ENGINE_set_DH(e, devcrypto_dh) - # endif - # ifndef OPENSSL_NO_EC -- || !ENGINE_set_EC(e, devcrypto_ec) ++# endif ++# ifndef OPENSSL_NO_EC + && ENGINE_set_EC(e, devcrypto_ec) - # endif - #endif -- || !ENGINE_set_ciphers(e, devcrypto_ciphers) --#ifdef IMPLEMENT_DIGEST -- || !ENGINE_set_digests(e, devcrypto_digests) --#endif -- ) { ++# endif ++#endif + ); +} + @@ -320,13 +2689,14 @@ index 2c1b52d572..eff1ed3a7d 100644 + if ((e = ENGINE_new()) == NULL + || !bind_devcrypto(e)) { + close_devcrypto(); - ENGINE_free(e); - return; - } -@@ -1275,3 +1306,22 @@ void engine_load_devcrypto_int() - ENGINE_free(e); /* Loose our local reference */ - ERR_clear_error(); - } ++ ENGINE_free(e); ++ return; ++ } ++ ++ ENGINE_add(e); ++ ENGINE_free(e); /* Loose our local reference */ ++ ERR_clear_error(); ++} + +#else + diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch index 1f1cd7a582..df5c16d8d2 100644 --- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch +++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -19,8 +19,6 @@ turn them on if it is safe and fast enough. Signed-off-by: Eneas U de Queiroz -diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index 3fcd81de7a..d25230d366 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -852,7 +852,7 @@ static void prepare_digest_methods(void) @@ -32,7 +30,7 @@ index 3fcd81de7a..d25230d366 100644 /* * Check that the digest is usable -@@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { +@@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_c #ifdef IMPLEMENT_DIGEST {DEVCRYPTO_CMD_DIGESTS, "DIGESTS", diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch index bc514b88c9..87792cf9d0 100644 --- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -8,11 +8,9 @@ session. It may have been closed by another process after a fork. Signed-off-by: Eneas U de Queiroz -diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c -index d25230d366..f4570f1666 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c -@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, +@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *c get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); /* cleanup a previous session */ From c58384be89a3f6666fdb206fa2c161b69630246f Mon Sep 17 00:00:00 2001 From: Tomasz Maciej Nowak Date: Mon, 3 Oct 2022 15:20:10 +0200 Subject: [PATCH 07/11] ipq40xx: luma_wrtq-acn329: swap ethernet MAC addresses Adjust them according to OEM firmware. Fixes: e24635710c7e (" ipq40xx: add support for Luma Home WRTQ-329ACN") Signed-off-by: Tomasz Maciej Nowak --- .../files/arch/arm/boot/dts/qcom-ipq4018-wrtq-329acn.dts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-wrtq-329acn.dts b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-wrtq-329acn.dts index 2465348a82..1496f145bd 100644 --- a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-wrtq-329acn.dts +++ b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-wrtq-329acn.dts @@ -9,6 +9,11 @@ model = "Luma Home WRTQ-329ACN"; compatible = "luma,wrtq-329acn"; + aliases { + ethernet0 = &gmac1; + ethernet1 = &gmac0; + }; + i2c-gpio { compatible = "i2c-gpio"; sda-gpios = <&tlmm 1 (GPIO_ACTIVE_HIGH|GPIO_OPEN_DRAIN)>; From d604032c2a50fc6228bcaae78baee1048ff9af16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ar=C4=B1n=C3=A7=20=C3=9CNAL?= Date: Wed, 14 Sep 2022 21:31:40 +0300 Subject: [PATCH 08/11] ramips: fix GB-PC1 and GB-PC2 device support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change switch port labels to ethblack & ethblue. Change lan1 & lan2 LEDs to ethblack_act & ethblue_act and fix GPIO pins. Add the external phy with ethyellow label on the GB-PC2 devicetree. Do not claim rgmii2 as gpio, it's used for ethernet with rgmii2 function. Enable ICPlus PHY driver for IP1001 which GB-PC2 has got. Update interface name and change netdev function. Enable lzma compression to make up for the increased size of the kernel. Make spi flash bindings on par with mainline Linux to fix read errors. Tested on GB-PC2 by Petr. Tested-by: Petr Louda Signed-off-by: Arınç ÜNAL (cherry picked from commit 4807bd6a00bcf44dd821047db76a2a799f403cd4) --- .../linux/ramips/dts/mt7621_gnubee_gb-pc1.dts | 47 ++++++------ .../linux/ramips/dts/mt7621_gnubee_gb-pc2.dts | 73 ++++++++++--------- target/linux/ramips/image/mt7621.mk | 2 + .../mt7621/base-files/etc/board.d/01_leds | 4 +- .../mt7621/base-files/etc/board.d/02_network | 6 +- target/linux/ramips/mt7621/config-5.4 | 1 + 6 files changed, 73 insertions(+), 60 deletions(-) diff --git a/target/linux/ramips/dts/mt7621_gnubee_gb-pc1.dts b/target/linux/ramips/dts/mt7621_gnubee_gb-pc1.dts index c218521c03..28601445e5 100644 --- a/target/linux/ramips/dts/mt7621_gnubee_gb-pc1.dts +++ b/target/linux/ramips/dts/mt7621_gnubee_gb-pc1.dts @@ -8,10 +8,10 @@ model = "GB-PC1"; aliases { - led-boot = &led_status; - led-failsafe = &led_status; - led-running = &led_status; - led-upgrade = &led_status; + led-boot = &led_system; + led-failsafe = &led_system; + led-running = &led_system; + led-upgrade = &led_system; }; keys { @@ -27,24 +27,26 @@ leds { compatible = "gpio-leds"; - system { - label = "green:system"; + ethblack_act { + label = "green:ethblack_act"; + gpios = <&gpio 3 GPIO_ACTIVE_LOW>; + }; + + ethblue_act { + label = "green:ethblue_act"; + gpios = <&gpio 4 GPIO_ACTIVE_LOW>; + }; + + power { + label = "green:power"; gpios = <&gpio 6 GPIO_ACTIVE_LOW>; + linux,default-trigger = "default-on"; }; - led_status: status { - label = "green:status"; + led_system: system { + label = "green:system"; gpios = <&gpio 8 GPIO_ACTIVE_LOW>; - }; - - lan1 { - label = "green:lan1"; - gpios = <&gpio 24 GPIO_ACTIVE_LOW>; - }; - - lan2 { - label = "green:lan2"; - gpios = <&gpio 25 GPIO_ACTIVE_LOW>; + linux,default-trigger = "disk-activity"; }; }; }; @@ -59,9 +61,8 @@ flash@0 { compatible = "jedec,spi-nor"; reg = <0>; - spi-max-frequency = <80000000>; + spi-max-frequency = <50000000>; broken-flash-reset; - m25p,fast-read; partitions { compatible = "fixed-partitions"; @@ -107,19 +108,19 @@ ports { port@0 { status = "okay"; - label = "lan1"; + label = "ethblack"; }; port@4 { status = "okay"; - label = "lan2"; + label = "ethblue"; }; }; }; &state_default { gpio { - groups = "jtag", "rgmii2", "uart3", "wdt"; + groups = "jtag", "uart3", "wdt"; function = "gpio"; }; }; diff --git a/target/linux/ramips/dts/mt7621_gnubee_gb-pc2.dts b/target/linux/ramips/dts/mt7621_gnubee_gb-pc2.dts index 613524d1da..c25ca886ae 100644 --- a/target/linux/ramips/dts/mt7621_gnubee_gb-pc2.dts +++ b/target/linux/ramips/dts/mt7621_gnubee_gb-pc2.dts @@ -8,10 +8,10 @@ model = "GB-PC2"; aliases { - led-boot = &led_status; - led-failsafe = &led_status; - led-running = &led_status; - led-upgrade = &led_status; + led-boot = &led_system; + led-failsafe = &led_system; + led-running = &led_system; + led-upgrade = &led_system; }; keys { @@ -27,34 +27,26 @@ leds { compatible = "gpio-leds"; - system { - label = "green:system"; + ethblack_act { + label = "green:ethblack_act"; + gpios = <&gpio 3 GPIO_ACTIVE_LOW>; + }; + + ethblue_act { + label = "green:ethblue_act"; + gpios = <&gpio 4 GPIO_ACTIVE_LOW>; + }; + + power { + label = "green:power"; gpios = <&gpio 6 GPIO_ACTIVE_LOW>; + linux,default-trigger = "default-on"; }; - led_status: status { - label = "green:status"; + led_system: system { + label = "green:system"; gpios = <&gpio 8 GPIO_ACTIVE_LOW>; - }; - - lan1 { - label = "green:lan1"; - gpios = <&gpio 24 GPIO_ACTIVE_LOW>; - }; - - lan2 { - label = "green:lan2"; - gpios = <&gpio 25 GPIO_ACTIVE_LOW>; - }; - - lan3-yellow { - label = "yellow:lan3"; - gpios = <&gpio 13 GPIO_ACTIVE_LOW>; - }; - - lan3-green { - label = "green:lan3"; - gpios = <&gpio 15 GPIO_ACTIVE_LOW>; + linux,default-trigger = "disk-activity"; }; }; }; @@ -69,9 +61,8 @@ flash@0 { compatible = "jedec,spi-nor"; reg = <0>; - spi-max-frequency = <80000000>; + spi-max-frequency = <50000000>; broken-flash-reset; - m25p,fast-read; partitions { compatible = "fixed-partitions"; @@ -113,23 +104,39 @@ mtd-mac-address = <&factory 0xe000>; }; +&gmac1 { + status = "okay"; + label = "ethyellow"; + phy-handle = <ðphy5>; + + nvmem-cells = <&macaddr_factory_e000>; + nvmem-cell-names = "mac-address"; +}; + +&mdio { + ethphy5: ethernet-phy@5 { + reg = <5>; + phy-mode = "rgmii-rxid"; + }; +}; + &switch0 { ports { port@0 { status = "okay"; - label = "lan1"; + label = "ethblack"; }; port@4 { status = "okay"; - label = "lan2"; + label = "ethblue"; }; }; }; &state_default { gpio { - groups = "jtag", "rgmii2", "uart3", "wdt"; + groups = "jtag", "uart3", "wdt"; function = "gpio"; }; }; diff --git a/target/linux/ramips/image/mt7621.mk b/target/linux/ramips/image/mt7621.mk index c62087d870..36a03e872f 100644 --- a/target/linux/ramips/image/mt7621.mk +++ b/target/linux/ramips/image/mt7621.mk @@ -594,6 +594,7 @@ TARGET_DEVICES += glinet_gl-mt1300 define Device/gnubee_gb-pc1 $(Device/dsa-migration) + $(Device/uimage-lzma-loader) DEVICE_VENDOR := GnuBee DEVICE_MODEL := Personal Cloud One DEVICE_PACKAGES := kmod-ata-ahci kmod-usb3 kmod-sdhci-mt7620 -wpad-basic-wolfssl @@ -603,6 +604,7 @@ TARGET_DEVICES += gnubee_gb-pc1 define Device/gnubee_gb-pc2 $(Device/dsa-migration) + $(Device/uimage-lzma-loader) DEVICE_VENDOR := GnuBee DEVICE_MODEL := Personal Cloud Two DEVICE_PACKAGES := kmod-ata-ahci kmod-usb3 kmod-sdhci-mt7620 -wpad-basic-wolfssl diff --git a/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds b/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds index 95cf120f2d..5234a773ef 100755 --- a/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds +++ b/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds @@ -44,8 +44,8 @@ dlink,dir-882-r1) ;; gnubee,gb-pc1|\ gnubee,gb-pc2) - ucidef_set_led_netdev "lan1" "lan1" "green:lan1" "lan1" - ucidef_set_led_netdev "lan2" "lan2" "green:lan2" "lan2" + ucidef_set_led_netdev "ethblack_act" "ethblack act" "green:ethblack_act" "ethblack" "tx rx" + ucidef_set_led_netdev "ethblue_act" "ethblue act" "green:ethblue_act" "ethblue" "tx rx" ;; linksys,e5600) ucidef_set_led_netdev "wan" "wan link" "blue:wan" "wan" "link" diff --git a/target/linux/ramips/mt7621/base-files/etc/board.d/02_network b/target/linux/ramips/mt7621/base-files/etc/board.d/02_network index 4d081bed8c..9ebe652f83 100755 --- a/target/linux/ramips/mt7621/base-files/etc/board.d/02_network +++ b/target/linux/ramips/mt7621/base-files/etc/board.d/02_network @@ -45,9 +45,11 @@ ramips_setup_interfaces() xiaomi,mi-router-4a-gigabit) ucidef_set_interfaces_lan_wan "lan1 lan2" "wan" ;; - gnubee,gb-pc1|\ + gnubee,gb-pc1) + ucidef_set_interface_lan "ethblack ethblue" + ;; gnubee,gb-pc2) - ucidef_set_interface_lan "lan1 lan2" + ucidef_set_interface_lan "ethblack ethblue ethyellow" ;; linksys,re6500|\ netgear,wac104) diff --git a/target/linux/ramips/mt7621/config-5.4 b/target/linux/ramips/mt7621/config-5.4 index 642543f588..6ff91a9da7 100644 --- a/target/linux/ramips/mt7621/config-5.4 +++ b/target/linux/ramips/mt7621/config-5.4 @@ -107,6 +107,7 @@ CONFIG_HZ_PERIODIC=y CONFIG_I2C=y CONFIG_I2C_BOARDINFO=y CONFIG_I2C_MT7621=y +CONFIG_ICPLUS_PHY=y CONFIG_INITRAMFS_SOURCE="" CONFIG_IRQCHIP=y CONFIG_IRQ_DOMAIN=y From 794ddf5ca2c67af82f22061a617b2c23c65380fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ar=C4=B1n=C3=A7=20=C3=9CNAL?= Date: Wed, 14 Sep 2022 21:31:41 +0300 Subject: [PATCH 09/11] ramips: fix GB-PC1 and GB-PC2 LEDs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add the missing LEDs for GB-PC2. Some of these LEDs don't exist on the device schematics. Tests on a GB-PC2 by me and Petr proved otherwise. Remove ethblack-green and ethblue-green LEDs for GB-PC1. They are not wired to GPIO 3 or 4 and the wiring is currently unknown. Set ethyellow-orange to display link state and activity of the ethyellow interface for GB-PC2. Link: https://github.com/ngiger/GnuBee_Docs/blob/master/GB-PCx/Documents/GB-PC2_V1.1_schematic.pdf Tested-by: Petr Louda Signed-off-by: Arınç ÜNAL (cherry picked from commit 2a6ef7f53d7b96e4ee0200196c28ed6b0a7c8465) --- .../linux/ramips/dts/mt7621_gnubee_gb-pc1.dts | 10 ---------- .../linux/ramips/dts/mt7621_gnubee_gb-pc2.dts | 18 ++++++++++++++---- .../mt7621/base-files/etc/board.d/01_leds | 4 +--- 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/target/linux/ramips/dts/mt7621_gnubee_gb-pc1.dts b/target/linux/ramips/dts/mt7621_gnubee_gb-pc1.dts index 28601445e5..5910f112f6 100644 --- a/target/linux/ramips/dts/mt7621_gnubee_gb-pc1.dts +++ b/target/linux/ramips/dts/mt7621_gnubee_gb-pc1.dts @@ -27,16 +27,6 @@ leds { compatible = "gpio-leds"; - ethblack_act { - label = "green:ethblack_act"; - gpios = <&gpio 3 GPIO_ACTIVE_LOW>; - }; - - ethblue_act { - label = "green:ethblue_act"; - gpios = <&gpio 4 GPIO_ACTIVE_LOW>; - }; - power { label = "green:power"; gpios = <&gpio 6 GPIO_ACTIVE_LOW>; diff --git a/target/linux/ramips/dts/mt7621_gnubee_gb-pc2.dts b/target/linux/ramips/dts/mt7621_gnubee_gb-pc2.dts index c25ca886ae..8d0eaee1d4 100644 --- a/target/linux/ramips/dts/mt7621_gnubee_gb-pc2.dts +++ b/target/linux/ramips/dts/mt7621_gnubee_gb-pc2.dts @@ -27,16 +27,26 @@ leds { compatible = "gpio-leds"; - ethblack_act { - label = "green:ethblack_act"; + ethblack-green { + label = "green:ethblack"; gpios = <&gpio 3 GPIO_ACTIVE_LOW>; }; - ethblue_act { - label = "green:ethblue_act"; + ethblue-green { + label = "green:ethblue"; gpios = <&gpio 4 GPIO_ACTIVE_LOW>; }; + ethyellow-green { + label = "green:ethyellow"; + gpios = <&gpio 15 GPIO_ACTIVE_LOW>; + }; + + ethyellow-orange { + label = "orange:ethyellow"; + gpios = <&gpio 13 GPIO_ACTIVE_LOW>; + }; + power { label = "green:power"; gpios = <&gpio 6 GPIO_ACTIVE_LOW>; diff --git a/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds b/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds index 5234a773ef..d9df98c63f 100755 --- a/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds +++ b/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds @@ -42,10 +42,8 @@ dlink,dir-882-a1|\ dlink,dir-882-r1) ucidef_set_led_netdev "wan" "wan" "green:net" "wan" ;; -gnubee,gb-pc1|\ gnubee,gb-pc2) - ucidef_set_led_netdev "ethblack_act" "ethblack act" "green:ethblack_act" "ethblack" "tx rx" - ucidef_set_led_netdev "ethblue_act" "ethblue act" "green:ethblue_act" "ethblue" "tx rx" + ucidef_set_led_netdev "ethyellow" "ethyellow" "orange:ethyellow" "ethyellow" "link tx rx" ;; linksys,e5600) ucidef_set_led_netdev "wan" "wan link" "blue:wan" "wan" "link" From e506a0d50fed3d7e3ae2b88682b1d8e94efa9805 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sun, 27 Nov 2022 15:34:18 +0100 Subject: [PATCH 10/11] kernel: bump 5.4 to 5.4.224 Compile-tested: x86/64 Run-tested: x86/64 Signed-off-by: Hauke Mehrtens --- include/kernel-version.mk | 4 ++-- .../950-0043-MMC-added-alternative-MMC-driver.patch | 2 +- target/linux/generic/hack-5.4/221-module_exports.patch | 4 ++-- ...dwc3-Add-workaround-for-host-mode-VBUS-glitch-wh.patch | 8 ++++---- .../mediatek/patches-5.4/0900-bt-mtk-serial-fix.patch | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/include/kernel-version.mk b/include/kernel-version.mk index 9b8325db0a..7480663923 100644 --- a/include/kernel-version.mk +++ b/include/kernel-version.mk @@ -6,9 +6,9 @@ ifdef CONFIG_TESTING_KERNEL KERNEL_PATCHVER:=$(KERNEL_TESTING_PATCHVER) endif -LINUX_VERSION-5.4 = .224 +LINUX_VERSION-5.4 = .225 -LINUX_KERNEL_HASH-5.4.224 = 8b7df25b5560620eb2776d7b7c67569764b3916ff2f596767f72567b38d13d36 +LINUX_KERNEL_HASH-5.4.225 = 59f596f6714317955cf481590babcf015aff2bc1900bd8e8dc8f7af73bc560aa remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1)))) sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1))))))) diff --git a/target/linux/bcm27xx/patches-5.4/950-0043-MMC-added-alternative-MMC-driver.patch b/target/linux/bcm27xx/patches-5.4/950-0043-MMC-added-alternative-MMC-driver.patch index 34ad1be438..e688302597 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0043-MMC-added-alternative-MMC-driver.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0043-MMC-added-alternative-MMC-driver.patch @@ -267,7 +267,7 @@ Signed-off-by: Yaroslav Rosomakho goto out; --- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c -@@ -1925,7 +1925,8 @@ EXPORT_SYMBOL(mmc_erase); +@@ -1931,7 +1931,8 @@ EXPORT_SYMBOL(mmc_erase); int mmc_can_erase(struct mmc_card *card) { if ((card->host->caps & MMC_CAP_ERASE) && diff --git a/target/linux/generic/hack-5.4/221-module_exports.patch b/target/linux/generic/hack-5.4/221-module_exports.patch index 47f40ac5e1..446bf53008 100644 --- a/target/linux/generic/hack-5.4/221-module_exports.patch +++ b/target/linux/generic/hack-5.4/221-module_exports.patch @@ -30,7 +30,7 @@ Signed-off-by: Felix Fietkau /* Align . to a 8 byte boundary equals to maximum function alignment. */ #define ALIGN_FUNCTION() . = ALIGN(8) -@@ -407,14 +417,14 @@ +@@ -408,14 +418,14 @@ /* Kernel symbol table: Normal symbols */ \ __ksymtab : AT(ADDR(__ksymtab) - LOAD_OFFSET) { \ __start___ksymtab = .; \ @@ -47,7 +47,7 @@ Signed-off-by: Felix Fietkau __stop___ksymtab_gpl = .; \ } \ \ -@@ -476,7 +486,7 @@ +@@ -477,7 +487,7 @@ \ /* Kernel symbol table: strings */ \ __ksymtab_strings : AT(ADDR(__ksymtab_strings) - LOAD_OFFSET) { \ diff --git a/target/linux/layerscape/patches-5.4/820-usb-0009-usb-dwc3-Add-workaround-for-host-mode-VBUS-glitch-wh.patch b/target/linux/layerscape/patches-5.4/820-usb-0009-usb-dwc3-Add-workaround-for-host-mode-VBUS-glitch-wh.patch index a5b84f3db9..0e2942a3bc 100644 --- a/target/linux/layerscape/patches-5.4/820-usb-0009-usb-dwc3-Add-workaround-for-host-mode-VBUS-glitch-wh.patch +++ b/target/linux/layerscape/patches-5.4/820-usb-0009-usb-dwc3-Add-workaround-for-host-mode-VBUS-glitch-wh.patch @@ -64,9 +64,9 @@ Reviewed-by: Peter Chen --- a/drivers/usb/dwc3/host.c +++ b/drivers/usb/dwc3/host.c -@@ -16,6 +16,44 @@ static const struct xhci_plat_priv dwc3_ - .quirks = XHCI_SKIP_PHY_INIT, - }; +@@ -11,6 +11,44 @@ + + #include "core.h" +#define XHCI_HCSPARAMS1 0x4 +#define XHCI_PORTSC_BASE 0x400 @@ -109,7 +109,7 @@ Reviewed-by: Peter Chen static int dwc3_host_get_irq(struct dwc3 *dwc) { struct platform_device *dwc3_pdev = to_platform_device(dwc->dev); -@@ -55,6 +93,13 @@ int dwc3_host_init(struct dwc3 *dwc) +@@ -50,6 +88,13 @@ int dwc3_host_init(struct dwc3 *dwc) struct platform_device *dwc3_pdev = to_platform_device(dwc->dev); int prop_idx = 0; diff --git a/target/linux/mediatek/patches-5.4/0900-bt-mtk-serial-fix.patch b/target/linux/mediatek/patches-5.4/0900-bt-mtk-serial-fix.patch index 64b556088d..a25c845ffc 100644 --- a/target/linux/mediatek/patches-5.4/0900-bt-mtk-serial-fix.patch +++ b/target/linux/mediatek/patches-5.4/0900-bt-mtk-serial-fix.patch @@ -19,7 +19,7 @@ }, [PORT_NPCM] = { .name = "Nuvoton 16550", -@@ -2612,6 +2612,11 @@ serial8250_do_set_termios(struct uart_po +@@ -2615,6 +2615,11 @@ serial8250_do_set_termios(struct uart_po unsigned long flags; unsigned int baud, quot, frac = 0; From b33090a0faf73d5d03e96c132c413776d6ed8b87 Mon Sep 17 00:00:00 2001 From: Nick Hainke Date: Wed, 16 Nov 2022 08:48:02 +0100 Subject: [PATCH 11/11] wolfssl: update to v5.5.3 Remove "200-ecc-rng.patch" because it was upstramed by: https://github.com/wolfSSL/wolfssl/commit/e2566bab2122949a6a0bb2276d0a52598794d7d0 Refreshed "100-disable-hardening-check.patch". Fixes CVE 2022-42905. Release Notes: - https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable - https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.3-stable Signed-off-by: Nick Hainke (cherry picked from commit 745f1ca9767716c43864a2b7a43ed60b16c25560) --- package/libs/wolfssl/Makefile | 4 +- .../patches/100-disable-hardening-check.patch | 2 +- .../patches/110-build-with-libtool-2.4.patch | 4 +- .../libs/wolfssl/patches/200-ecc-rng.patch | 50 ------------------- 4 files changed, 4 insertions(+), 56 deletions(-) delete mode 100644 package/libs/wolfssl/patches/200-ecc-rng.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index a1c968b81f..8c59872393 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=5.5.1-stable +PKG_VERSION:=5.5.3-stable PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3 +PKG_HASH:=fd3135b8657d09fb96a8aad16585da850b96ea420ae8ce5ac4d5fdfc614c2683 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 01bb5974ba..904b424fa0 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2445,7 +2445,7 @@ extern void uITRON4_free(void *p) ; +@@ -2455,7 +2455,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch index 206c6dac6a..f773df7a89 100644 --- a/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch +++ b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch @@ -1,5 +1,3 @@ -diff --git a/configure.ac b/configure.ac -index 144c857e4..de7f6b45a 100644 --- a/configure.ac +++ b/configure.ac @@ -32,7 +32,7 @@ AC_ARG_PROGRAM @@ -10,4 +8,4 @@ index 144c857e4..de7f6b45a 100644 +LT_PREREQ([2.4]) LT_INIT([disable-static win32-dll]) - #shared library versioning + AC_ARG_VAR(EXTRA_CFLAGS, [Extra CFLAGS to add to autoconf-computed arg list. Can also supply directly to make.]) diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch deleted file mode 100644 index d68ef7f385..0000000000 --- a/package/libs/wolfssl/patches/200-ecc-rng.patch +++ /dev/null @@ -1,50 +0,0 @@ -Since commit 6467de5a8840 ("Randomize z ordinates in scalar -mult when timing resistant") wolfssl requires a RNG for an EC -key when the hardened built option is selected. - -wc_ecc_set_rng is only available when built hardened, so there -is no safe way to install the RNG to the key regardless whether -or not wolfssl is compiled hardened. - -Always export wc_ecc_set_rng so tools such as hostapd can install -RNG regardless of the built settings for wolfssl. - ---- a/wolfcrypt/src/ecc.c -+++ b/wolfcrypt/src/ecc.c -@@ -12348,21 +12348,21 @@ void wc_ecc_fp_free(void) - - #endif /* FP_ECC */ - --#ifdef ECC_TIMING_RESISTANT - int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng) - { - int err = 0; - -+#ifdef ECC_TIMING_RESISTANT - if (key == NULL) { - err = BAD_FUNC_ARG; - } - else { - key->rng = rng; - } -+#endif - - return err; - } --#endif - - #ifdef HAVE_ECC_ENCRYPT - ---- a/wolfssl/wolfcrypt/ecc.h -+++ b/wolfssl/wolfcrypt/ecc.h -@@ -650,10 +650,8 @@ WOLFSSL_ABI WOLFSSL_API - void wc_ecc_fp_free(void); - WOLFSSL_LOCAL - void wc_ecc_fp_init(void); --#ifdef ECC_TIMING_RESISTANT - WOLFSSL_API - int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng); --#endif - - WOLFSSL_API - int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);