domenico/openwrt-armor-g5
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit
Some checks failed
Build Kernel / Build all affected Kernels (push) Has been cancelled
Details
Build all core packages / Build all core packages for selected target (push) Has been cancelled
Details
Build and Push prebuilt tools container / Build and Push all prebuilt containers (push) Has been cancelled
Details
Build Toolchains / Build Toolchains for each target (push) Has been cancelled
Details
Build host tools / Build host tools for linux and macos based systems (push) Has been cancelled
Details
Coverity scan build / Coverity x86/64 build (push) Has been cancelled
Details

Browse Source
This commit is contained in:
domenico
2025-06-24 12:51:15 +02:00
commit 27c9d80f51
10493 changed files with 1885777 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

310
package/libs/openssl/Config.in Normal file
View File

@@ -0,0 +1,310 @@
if PACKAGE_libopenssl
comment "Build Options"
config OPENSSL_OPTIMIZE_SPEED
bool
default y if x86_64 || i386
prompt "Enable optimization for speed instead of size"
select OPENSSL_WITH_ASM
help
Enabling this option increases code size and performance.
The increase in performance and size depends on the
target CPU. EC and AES seem to benefit the most.
config OPENSSL_SMALL_FOOTPRINT
bool
depends on !OPENSSL_OPTIMIZE_SPEED
default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
help
This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only
1-3% of of the ipk size. The performance drop depends on
architecture and algorithm. MIPS drops 13% of performance for
a 3% decrease in ipk size. On Aarch64, for a 1% reduction in
size, ghash and GCM performance decreases 90%, while
Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size
for 3% of performance. Other arches have not been tested.
config OPENSSL_WITH_ASM
bool
default y
prompt "Compile with optimized assembly code"
depends on !arc
help
Disabling this option will reduce code size and performance.
The increase in performance and size depends on the target
CPU and on the algorithms being optimized.
config OPENSSL_WITH_SSE2
bool
default y if !TARGET_x86_legacy && !TARGET_x86_geode
prompt "Enable use of x86 SSE2 instructions"
depends on OPENSSL_WITH_ASM && i386
help
Use of SSE2 instructions greatly increase performance with a
minimum increase in package size, but it will bring no benefit
if your hardware does not support them, such as Geode GX and LX.
AMD Geode NX, and Intel Pentium 4 and above support SSE2.
config OPENSSL_WITH_DEPRECATED
bool
default y
prompt "Include deprecated APIs"
help
This drops all deprecated API, including engine support.
config OPENSSL_NO_DEPRECATED
bool
default !OPENSSL_WITH_DEPRECATED
config OPENSSL_WITH_ERROR_MESSAGES
bool
default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
prompt "Include error messages"
help
This option aids debugging, but increases package size and
memory usage.
comment "Protocol Support"
config OPENSSL_WITH_TLS13
bool
default y
prompt "Enable support for TLS 1.3"
help
TLS 1.3 is the newest version of the TLS specification.
It aims:
* to increase the overall security of the protocol,
removing outdated algorithms, and encrypting more of the
protocol;
* to increase performance by reducing the number of round-trips
when performing a full handshake.
config OPENSSL_WITH_DTLS
bool
prompt "Enable DTLS support"
help
Datagram Transport Layer Security (DTLS) provides TLS-like security
for datagram-based (UDP, DCCP, CAPWAP, SCTP & SRTP) applications.
config OPENSSL_WITH_NPN
bool
prompt "Enable NPN support"
help
NPN is a TLS extension, obsoleted and replaced with ALPN,
used to negotiate SPDY, and HTTP/2.
config OPENSSL_WITH_SRP
bool
default y
prompt "Enable SRP support"
help
The Secure Remote Password protocol (SRP) is an augmented
password-authenticated key agreement (PAKE) protocol, specifically
designed to work around existing patents.
config OPENSSL_WITH_CMS
bool
default y
prompt "Enable CMS (RFC 5652) support"
help
Cryptographic Message Syntax (CMS) is used to digitally sign,
digest, authenticate, or encrypt arbitrary message content.
comment "Algorithm Selection"
config OPENSSL_WITH_EC2M
bool
prompt "Enable ec2m support"
help
This option enables the more efficient, yet less common, binary
field elliptic curves.
config OPENSSL_WITH_CHACHA_POLY1305
bool
default y
prompt "Enable ChaCha20-Poly1305 ciphersuite support"
help
ChaCha20-Poly1305 is an AEAD ciphersuite with 256-bit keys,
combining ChaCha stream cipher with Poly1305 MAC.
It is 3x faster than AES, when not using a CPU with AES-specific
instructions, as is the case of most embedded devices.
config OPENSSL_PREFER_CHACHA_OVER_GCM
bool
default y if !x86_64 && !aarch64
prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
depends on OPENSSL_WITH_CHACHA_POLY1305
help
The default openssl preference is for AES-GCM before ChaCha, but
that takes into account AES-NI capable chips. It is not the
case with most embedded chips, so it may be better to invert
that preference. This is just for the default case. The
application can always override this.
config OPENSSL_WITH_PSK
bool
default y
prompt "Enable PSK support"
help
Build support for Pre-Shared Key based cipher suites.
comment "Less commonly used build options"
config OPENSSL_WITH_ARIA
bool
prompt "Enable ARIA support"
help
ARIA is a block cipher developed in South Korea, based on AES.
config OPENSSL_WITH_CAMELLIA
bool
prompt "Enable Camellia cipher support"
help
Camellia is a bock cipher with security levels and processing
abilities comparable to AES.
config OPENSSL_WITH_IDEA
bool
default y if !SMALL_FLASH
prompt "Enable IDEA cipher support (needs legacy provider)"
help
IDEA is a block cipher with 128-bit keys.
To use the cipher, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_SEED
bool
default y if !SMALL_FLASH
prompt "Enable SEED cipher support (needs legacy provider)"
help
SEED is a block cipher with 128-bit keys broadly used in
South Korea, but seldom found elsewhere.
To use the cipher, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_SM234
bool
prompt "Enable SM2/3/4 algorithms support"
help
These algorithms are a set of "Commercial Cryptography"
algorithms approved for use in China.
* SM2 is an EC algorithm equivalent to ECDSA P-256
* SM3 is a hash function equivalent to SHA-256
* SM4 is a 128-block cipher equivalent to AES-128
config OPENSSL_WITH_BLAKE2
bool
prompt "Enable BLAKE2 digest support"
help
BLAKE2 is a cryptographic hash function based on the ChaCha
stream cipher.
config OPENSSL_WITH_MDC2
bool
default y if !SMALL_FLASH
prompt "Enable MDC2 digest support (needs legacy provider)"
help
To use the digest, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_WHIRLPOOL
bool
default y if !SMALL_FLASH
prompt "Enable Whirlpool digest support (needs legacy provider)"
help
To use the digest, one must install the libopenssl-legacy
package, using a main libopenssl package compiled with this
option enabled as well.
config OPENSSL_WITH_COMPRESSION
bool
prompt "Enable compression support"
help
TLS compression is not recommended, as it is deemed insecure.
The CRIME attack exploits this weakness.
Even with this option turned on, it is disabled by default, and the
application must explicitly turn it on.
config OPENSSL_WITH_RFC3779
bool
prompt "Enable RFC3779 support (BGP)"
help
RFC 3779 defines two X.509 v3 certificate extensions. The first
binds a list of IP address blocks, or prefixes, to the subject of a
certificate. The second binds a list of autonomous system
identifiers to the subject of a certificate. These extensions may be
used to convey the authorization of the subject to use the IP
addresses and autonomous system identifiers contained in the
extensions.
comment "Engine/Hardware Support"
config OPENSSL_ENGINE
bool "Enable engine support"
select OPENSSL_WITH_DEPRECATED
default y
help
This enables alternative cryptography implementations,
most commonly for interfacing with external crypto devices,
or supporting new/alternative ciphers and digests.
If you compile the library with this option disabled, packages built
using an engine-enabled library (i.e. from the official repo) may
fail to run. Compile and install the packages with engine support
disabled, and you should be fine.
Note that you need to enable KERNEL_AIO to be able to build the
afalg engine package.
config OPENSSL_ENGINE_BUILTIN
bool "Build chosen engines into libcrypto"
depends on OPENSSL_ENGINE
help
This builds all chosen engines into libcrypto.so, instead of building
them as dynamic engines in separate packages.
The benefit of building the engines into libcrypto is that they won't
require any configuration to be used by default.
config OPENSSL_ENGINE_BUILTIN_AFALG
bool
prompt "Acceleration support through AF_ALG sockets engine"
depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through the
AF_ALG kernel interface.
config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
bool
prompt "Acceleration support through /dev/crypto"
depends on OPENSSL_ENGINE_BUILTIN
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through OpenBSD
Cryptodev API (/dev/crypto) interface.
Even though configuration is not strictly needed, it is worth seeing
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
for information on how to configure the engine.
config OPENSSL_ENGINE_BUILTIN_PADLOCK
bool
prompt "VIA Padlock Acceleration support engine"
depends on OPENSSL_ENGINE_BUILTIN && TARGET_x86
select PACKAGE_libopenssl-conf
help
This enables use of hardware acceleration through the
VIA Padlock module.
config OPENSSL_WITH_ASYNC
bool
prompt "Enable asynchronous jobs support"
depends on OPENSSL_ENGINE && USE_GLIBC
help
Enables async-aware applications to be able to use OpenSSL to
initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine.
endif

440
package/libs/openssl/Makefile Normal file
View File

@@ -0,0 +1,440 @@
#
# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_VERSION:=3.0.14
PKG_RELEASE:=2
PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
PKG_BUILD_PARALLEL:=1
PKG_BASE:=$(subst $(space),.,$(wordlist 1,2,$(subst .,$(space),$(PKG_VERSION))))
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/ \
http://ftp.fi.muni.cz/pub/openssl/source/ \
http://ftp.fi.muni.cz/pub/openssl/source/old/$(PKG_BASE)/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
PKG_HASH:=eeca035d4dd4e84fc25846d952da6297484afa0650a6f84c682e39df3a4123ca
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_BUILTIN \
CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \
CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
CONFIG_OPENSSL_SMALL_FOOTPRINT \
CONFIG_OPENSSL_WITH_ARIA \
CONFIG_OPENSSL_WITH_ASM \
CONFIG_OPENSSL_WITH_ASYNC \
CONFIG_OPENSSL_WITH_BLAKE2 \
CONFIG_OPENSSL_WITH_CAMELLIA \
CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_DTLS \
CONFIG_OPENSSL_WITH_EC2M \
CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
CONFIG_OPENSSL_WITH_IDEA \
CONFIG_OPENSSL_WITH_MDC2 \
CONFIG_OPENSSL_WITH_NPN \
CONFIG_OPENSSL_WITH_PSK \
CONFIG_OPENSSL_WITH_RFC3779 \
CONFIG_OPENSSL_WITH_SEED \
CONFIG_OPENSSL_WITH_SM234 \
CONFIG_OPENSSL_WITH_SRP \
CONFIG_OPENSSL_WITH_SSE2 \
CONFIG_OPENSSL_WITH_TLS13 \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/openssl-module.mk
ifneq ($(CONFIG_CCACHE),)
HOSTCC=$(HOSTCC_NOCACHE)
HOSTCXX=$(HOSTCXX_NOCACHE)
endif
define Package/openssl/Default
TITLE:=Open source SSL toolkit
URL:=http://www.openssl.org/
SECTION:=libs
CATEGORY:=Libraries
endef
define Package/libopenssl/config
source "$(SOURCE)/Config.in"
endef
define Package/openssl/Default/description
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the
Transport Layer Security (TLS) protocol as well as a full-strength
general-purpose cryptography library.
endef
define Package/libopenssl
$(call Package/openssl/Default)
SUBMENU:=SSL
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \
+OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \
+OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \
+OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock \
+(arm||armeb||mips||mipsel||powerpc||arc):libatomic
TITLE+= (libraries)
ABI_VERSION:=$(firstword $(subst .,$(space),$(PKG_VERSION)))
MENU:=1
endef
define Package/libopenssl/description
$(call Package/openssl/Default/description)
This package contains the OpenSSL shared libraries, needed by other programs.
endef
define Package/openssl-util
$(call Package/openssl/Default)
SECTION:=utils
CATEGORY:=Utilities
DEPENDS:=+libopenssl +libopenssl-conf
TITLE+= (utility)
endef
define Package/openssl-util/description
$(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef
define Package/libopenssl-conf
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=/etc/ssl/openssl.cnf config file
DEPENDS:=libopenssl
endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf)
endef
define Package/libopenssl-conf/description
$(call Package/openssl/Default/description)
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
endef
ifneq ($(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK)$(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),)
define Package/libopenssl-conf/postinst
#!/bin/sh
add_engine_config() {
if [ -z "$${IPKG_INSTROOT}" ] && uci -q get "openssl.$$1" >/dev/null; then
[ "$$(uci -q get "openssl.$$1.builtin")" = 1 ] && return
uci set "openssl.$$1.builtin=1" && uci commit openssl
return
fi
}
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),add_engine_config devcrypto)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock)
endef
endif
$(eval $(call Package/openssl/add-provider,legacy))
define Package/libopenssl-legacy
$(call Package/openssl/Default)
$(call Package/openssl/module/Default)
TITLE:=OpenSSL legacy provider
endef
define Package/libopenssl-legacy/description
The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy. Such algorithms have commonly fallen out of use, have
been deemed insecure by the cryptography community, or something similar. See
https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
endef
$(eval $(call Package/openssl/add-engine,afalg))
define Package/libopenssl-afalg
$(call Package/openssl/Default)
$(call Package/openssl/engine/Default)
TITLE:=AFALG hardware acceleration engine
DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
@!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
endef
$(eval $(call Package/openssl/add-engine,devcrypto))
define Package/libopenssl-devcrypto
$(call Package/openssl/Default)
$(call Package/openssl/engine/Default)
TITLE:=/dev/crypto hardware acceleration engine
DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
endef
$(eval $(call Package/openssl/add-engine,padlock))
define Package/libopenssl-padlock
$(call Package/openssl/Default)
$(call Package/openssl/engine/Default)
TITLE:=VIA Padlock hardware acceleration engine
DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
@!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
endef
OPENSSL_OPTIONS:= shared no-tests
ifndef CONFIG_OPENSSL_WITH_BLAKE2
OPENSSL_OPTIONS += no-blake2
endif
ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
OPENSSL_OPTIONS += no-chacha no-poly1305
else
ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM
OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM
endif
endif
ifndef CONFIG_OPENSSL_WITH_ASYNC
OPENSSL_OPTIONS += no-async
endif
ifndef CONFIG_OPENSSL_WITH_EC2M
OPENSSL_OPTIONS += no-ec2m
endif
ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
OPENSSL_OPTIONS += no-err
endif
ifndef CONFIG_OPENSSL_WITH_TLS13
OPENSSL_OPTIONS += no-tls1_3
endif
ifndef CONFIG_OPENSSL_WITH_ARIA
OPENSSL_OPTIONS += no-aria
endif
ifndef CONFIG_OPENSSL_WITH_SM234
OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
endif
ifndef CONFIG_OPENSSL_WITH_CAMELLIA
OPENSSL_OPTIONS += no-camellia
endif
ifndef CONFIG_OPENSSL_WITH_IDEA
OPENSSL_OPTIONS += no-idea
endif
ifndef CONFIG_OPENSSL_WITH_SEED
OPENSSL_OPTIONS += no-seed
endif
ifndef CONFIG_OPENSSL_WITH_MDC2
OPENSSL_OPTIONS += no-mdc2
endif
ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
OPENSSL_OPTIONS += no-whirlpool
endif
ifndef CONFIG_OPENSSL_WITH_CMS
OPENSSL_OPTIONS += no-cms
endif
ifndef CONFIG_OPENSSL_WITH_RFC3779
OPENSSL_OPTIONS += no-rfc3779
endif
ifdef CONFIG_OPENSSL_NO_DEPRECATED
OPENSSL_OPTIONS += no-deprecated
endif
ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
endif
ifeq ($(CONFIG_OPENSSL_SMALL_FOOTPRINT),y)
OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
endif
ifdef CONFIG_OPENSSL_ENGINE
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN
OPENSSL_OPTIONS += disable-dynamic-engine
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG
OPENSSL_OPTIONS += no-afalgeng
endif
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK
OPENSSL_OPTIONS += no-padlockeng
endif
else
ifdef CONFIG_PACKAGE_libopenssl-devcrypto
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_PACKAGE_libopenssl-afalg
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-padlockeng
endif
endif
else
OPENSSL_OPTIONS += no-engine
endif
ifndef CONFIG_OPENSSL_WITH_DTLS
OPENSSL_OPTIONS += no-dtls
endif
ifdef CONFIG_OPENSSL_WITH_COMPRESSION
OPENSSL_OPTIONS += zlib-dynamic
else
OPENSSL_OPTIONS += no-comp
endif
ifndef CONFIG_OPENSSL_WITH_NPN
OPENSSL_OPTIONS += no-nextprotoneg
endif
ifndef CONFIG_OPENSSL_WITH_PSK
OPENSSL_OPTIONS += no-psk
endif
ifndef CONFIG_OPENSSL_WITH_SRP
OPENSSL_OPTIONS += no-srp
endif
ifndef CONFIG_OPENSSL_WITH_ASM
OPENSSL_OPTIONS += no-asm
endif
ifdef CONFIG_i386
ifndef CONFIG_OPENSSL_WITH_SSE2
OPENSSL_OPTIONS += no-sse2
endif
endif
OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | $(MKHASH) md5)
define Build/Configure
(cd $(PKG_BUILD_DIR); \
./Configure $(OPENSSL_TARGET) \
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
--cross-compile-prefix="$(TARGET_CROSS)" \
$(TARGET_CFLAGS) \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) && \
{ [ -f $(STAMP_CONFIGURED) ] || make clean; } \
)
endef
TARGET_CFLAGS += $(FPIC)
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CC="$(TARGET_CC)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
$(MAKE) -C $(PKG_BUILD_DIR) \
CC="$(TARGET_CC)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
install_sw install_ssldirs
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/openssl $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib{crypto,ssl}.{a,so*} $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc $(1)/usr/lib/pkgconfig/
[ -n "$(TARGET_LDFLAGS)" ] && $(SED) 's#$(TARGET_LDFLAGS)##g' $(1)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc || true
endef
define Package/libopenssl/install
$(INSTALL_DIR) $(1)/etc/ssl/certs
$(INSTALL_DIR) $(1)/etc/ssl/private
chmod 0700 $(1)/etc/ssl/private
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
endef
define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE),,
$(SED) 's!engines = engines_sect!#&!' $(1)/etc/ssl/openssl.cnf)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/
echo -e "config engine 'devcrypto'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/
echo -e "\nconfig engine 'padlock'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl)
endef
define Package/openssl-util/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-devcrypto))
$(eval $(call BuildPackage,libopenssl-legacy))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))

3
package/libs/openssl/files/afalg.cnf Normal file
View File

@@ -0,0 +1,3 @@
[afalg_sect]
default_algorithms = ALL

34
package/libs/openssl/files/devcrypto.cnf Normal file
View File

@@ -0,0 +1,34 @@
[devcrypto_sect]
# Leave this alone and configure algorithms with CIPERS/DIGESTS below
default_algorithms = ALL
# Configuration commands:
# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
# list of supported algorithms, along with their driver, whether they
# are hw accelerated or not, and the engine's configuration commands.
# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
# if acceleration can't be determined) [default=2]
#USE_SOFTDRIVERS = 2
# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
# enable [default=ALL]
# It is recommended to disable the ECB ciphers; in most cases, it will
# only be used for PRNG, in small blocks, where performance is poor,
# and there may be problems with apps forking with open crypto
# contexts, leading to failures. The CBC ciphers work well.
CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \
AES-128-CTR, AES-192-CTR, AES-256-CTR
# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
# enable [default=NONE]
# It is strongly recommended not to enable digests; their performance
# is poor, and there are many cases in which they will not work,
# especially when calling fork with open crypto contexts. Openssh,
# for example, does this, and you may not be able to login.
# Sysupgrade will fail as well. If you're adventurous enough to change
# this, you should change it back to NONE, and reboot before running
# sysupgrade!
DIGESTS = NONE

3
package/libs/openssl/files/legacy.cnf Normal file
View File

@@ -0,0 +1,3 @@
[legacy_sect]
activate = 1

72
package/libs/openssl/files/openssl.init Executable file
View File

@@ -0,0 +1,72 @@
#!/bin/sh /etc/rc.common
START=13
ENGINES_CNF=/var/etc/ssl/engines.cnf
ENGINES_DIR=%ENGINES_DIR%
MODULES_DIR=/usr/lib/ossl-modules
PROVIDERS_CNF=/var/etc/ssl/providers.cnf
#1: cnf file
write_cnf_header() {
mkdir -p "$(dirname "$1")" && \
echo "# This file is automatically generated from /etc/config/openssl." >"$1" || {
echo "Error writing to $1."
return 1
}
}
#1: module name
#2: output cnf file
#3: module.so
enable_module() {
local builtin enabled force
config_get_bool builtin "$1" builtin 0
config_get_bool enabled "$1" enabled 1
config_get_bool force "$1" force 0
if [ "$enabled" = 0 ]; then
[ "$builtin" = 0 ] && return 1
echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI."
echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl."
elif [ "$force" = 1 ]; then
printf "[Forced] "
elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then
echo "$1: Could not find section [$1] in config files."
return 1
elif [ "$builtin" = 1 ]; then
printf "[Builtin] "
elif [ ! -f "$3" ];then
echo "Skipping $1: $3 not found."
return 1
fi
echo "Enabling $1"
echo "$1=$1_sect" >>"$2"
}
config_engine() {
enable_module "$1" "$ENGINES_CNF" \
"${ENGINES_DIR}/${1}.so"
}
config_provider() {
enable_module "$1" "$PROVIDERS_CNF" \
"${MODULES_DIR}/${1}.so"
}
start() {
local ret=0
config_load openssl
echo Generating engines.cnf
write_cnf_header "${ENGINES_CNF}" && \
config_foreach config_engine engine || ret=$?
echo Generating providers.cnf
write_cnf_header "${PROVIDERS_CNF}" && \
config_foreach config_provider provider || ret=$?
return $ret
}

3
package/libs/openssl/files/padlock.cnf Normal file
View File

@@ -0,0 +1,3 @@
[padlock_sect]
default_algorithms = ALL

23
package/libs/openssl/patches/100-Configure-afalg-support.patch Normal file
View File

@@ -0,0 +1,23 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:29:21 -0300
Subject: Do not use host kernel version to disable AFALG
This patch prevents the Configure script from using the host kernel
version to disable building the AFALG engine on openwrt targets.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/Configure
+++ b/Configure
@@ -1677,7 +1677,9 @@ $config{CFLAGS} = [ map { $_ eq '--ossl-
unless ($disabled{afalgeng}) {
$config{afalgeng}="";
- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+ if ($target =~ m/openwrt$/) {
+ push @{$config{engdirs}}, "afalg";
+ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
my $minver = 4*10000 + 1*100 + 0;
if ($config{CROSS_COMPILE} eq "") {
my $verstr = `uname -r`;

71
package/libs/openssl/patches/110-openwrt_targets.patch Normal file
View File

@@ -0,0 +1,71 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:30:24 -0300
Subject: Add openwrt targets
Targets are named: linux-$(CONFIG_ARCH)-openwrt
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- /dev/null
+++ b/Configurations/25-openwrt.conf
@@ -0,0 +1,59 @@
+## Openwrt "CONFIG_ARCH" matching targets.
+
+# The targets need to end in '-openwrt' for the AFALG patch to work
+
+my %targets = (
+ "openwrt" => {
+ template => 1,
+ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
+ },
+ "linux-aarch64-openwrt" => {
+ inherit_from => [ "linux-aarch64", "openwrt" ],
+ },
+ "linux-arc-openwrt" => {
+ inherit_from => [ "linux-latomic", "openwrt" ],
+ },
+ "linux-arm-openwrt" => {
+ inherit_from => [ "linux-armv4", "openwrt" ],
+ },
+ "linux-armeb-openwrt" => {
+ inherit_from => [ "linux-armv4", "openwrt" ],
+ },
+ "linux-i386-openwrt" => {
+ inherit_from => [ "linux-x86", "openwrt" ],
+ },
+ "linux-loongarch64-openwrt" => {
+ inherit_from => [ "linux64-loongarch64", "openwrt" ],
+ },
+ "linux-mips-openwrt" => {
+ inherit_from => [ "linux-mips32", "openwrt" ],
+ },
+ "linux-mips64-openwrt" => {
+ inherit_from => [ "linux64-mips64", "openwrt" ],
+ },
+ "linux-mips64el-openwrt" => {
+ inherit_from => [ "linux64-mips64", "openwrt" ],
+ },
+ "linux-mipsel-openwrt" => {
+ inherit_from => [ "linux-mips32", "openwrt" ],
+ },
+ "linux-powerpc-openwrt" => {
+ inherit_from => [ "linux-ppc", "openwrt" ],
+ },
+ "linux-powerpc64-openwrt" => {
+ inherit_from => [ "linux-ppc64", "openwrt" ],
+ perlasm_scheme => "linux64v2",
+ },
+ "linux-riscv64-openwrt" => {
+ inherit_from => [ "linux-generic64", "openwrt" ],
+ perlasm_scheme => "linux64",
+ },
+ "linux-x86_64-openwrt" => {
+ inherit_from => [ "linux-x86_64", "openwrt" ],
+ },
+
+### Basic default option
+ "linux-generic32-openwrt" => {
+ inherit_from => [ "linux-generic32", "openwrt" ],
+ },
+);

21
package/libs/openssl/patches/120-strip-cflags-from-binary.patch Normal file
View File

@@ -0,0 +1,21 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:31:38 -0300
Subject: Avoid exposing build directories
The CFLAGS contain the build directories, and are shown by calling
OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
DEPEND[info.o]=buildinf.h
DEPEND[cversion.o]=buildinf.h
-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl

20
package/libs/openssl/patches/130-dont-build-fuzz-docs.patch Normal file
View File

@@ -0,0 +1,20 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:34:38 -0300
Subject: Do not build tests and fuzz directories
This shortens build time.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/build.info
+++ b/build.info
@@ -1,7 +1,7 @@
# Note that some of these directories are filtered in Configure. Look for
# %skipdir there for further explanations.
-SUBDIRS=crypto ssl apps util tools fuzz providers doc
+SUBDIRS=crypto ssl apps util tools providers
IF[{- !$disabled{tests} -}]
SUBDIRS=test
ENDIF

92
package/libs/openssl/patches/140-allow-prefer-chacha20.patch Normal file
View File

@@ -0,0 +1,92 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Thu, 27 Sep 2018 08:44:39 -0300
Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
This enables a compile-time option to prefer ChaCha20-Poly1305 over
AES-GCM in the openssl default ciphersuite, which is useful in systems
without AES specific CPU instructions.
OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
Note that this does not have the same effect as the
SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
when the client has it on top of its ciphersuite preference.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1506,11 +1506,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
&tail);
+ /*
+ * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
+ * will be placed before AES-256. Otherwise, the default behavior of
+ * preferring GCM over CHACHA is used.
+ * This is useful for systems that do not have AES-specific CPU
+ * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
+ * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
+ * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
+ * of its ciphersuite preference.
+ */
+
+#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+ &head, &tail);
+ ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+ &head, &tail);
+#else
/* Within each strength group, we prefer GCM over CHACHA... */
ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
&head, &tail);
ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
&head, &tail);
+#endif
/*
* ...and generally, our preferred cipher is AES.
@@ -1565,7 +1583,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* Within each group, ciphers remain sorted by strength and previous
* preference, i.e.,
* 1) ECDHE > DHE
- * 2) GCM > CHACHA
+ * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined
* 3) AES > rest
* 4) TLS 1.2 > legacy
*
@@ -2236,7 +2254,13 @@ const char *OSSL_default_cipher_list(voi
*/
const char *OSSL_default_ciphersuites(void)
{
+#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+ return "TLS_CHACHA20_POLY1305_SHA256:"
+ "TLS_AES_256_GCM_SHA384:"
+ "TLS_AES_128_GCM_SHA256";
+#else
return "TLS_AES_256_GCM_SHA384:"
"TLS_CHACHA20_POLY1305_SHA256:"
"TLS_AES_128_GCM_SHA256";
+#endif
}
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -195,9 +195,15 @@ extern "C" {
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
* Update both macro and function simultaneously
*/
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
- "TLS_AES_128_GCM_SHA256"
+# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_256_GCM_SHA384:" \
+ "TLS_AES_128_GCM_SHA256"
+# else
+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+ "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256"
+# endif
# endif
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always

41
package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch Normal file
View File

@@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cotequeiroz@gmail.com>
Date: Sat, 27 Mar 2021 17:43:25 -0300
Subject: openssl.cnf: add engine configuration
This adds configuration options for engines, loading all cnf files under
/etc/ssl/engines.cnf.d/.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+engines = engines_sect
# List of providers to load
[provider_sect]
default = default_sect
+.include /var/etc/ssl/providers.cnf
+
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
@@ -69,7 +72,13 @@ default = default_sect
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
-# activate = 1
+activate = 1
+
+[engines_sect]
+.include /var/etc/ssl/engines.cnf
+
+.include /etc/ssl/modules.cnf.d
+
####################################################################

41
package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch Normal file
View File

@@ -0,0 +1,41 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 11 Mar 2019 09:29:13 -0300
Subject: e_devcrypto: default to not use digests in engine
Digests are almost always slower when using /dev/crypto because of the
cost of the context switches. Only for large blocks it is worth it.
Also, when forking, the open context structures are duplicated, but the
internal kernel sessions are still shared between forks, which means an
update/close operation in one fork affects all processes using that
session.
This affects digests, especially for HMAC, where the session with the
key hash is used as a source for subsequent operations. At least one
popular application does this across a fork. Disabling digests by
default will mitigate the problem, while still allowing the user to
turn them on if it is safe and fast enough.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -905,7 +905,7 @@ static void prepare_digest_methods(void)
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
i++) {
- selected_digests[i] = 1;
+ selected_digests[i] = 0;
/*
* Check that the digest is usable
@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
#ifdef IMPLEMENT_DIGEST
{DEVCRYPTO_CMD_DIGESTS,
"DIGESTS",
- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
+ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
ENGINE_CMD_FLAG_STRING},
#endif

24
package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch Normal file
View File

@@ -0,0 +1,24 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cote2004-github@yahoo.com>
Date: Mon, 11 Mar 2019 10:15:14 -0300
Subject: e_devcrypto: ignore error when closing session
In cipher_init, ignore an eventual error when closing the previous
session. It may have been closed by another process after a fork.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
int ret;
/* cleanup a previous session */
- if (cipher_ctx->sess.ses != 0 &&
- clean_devcrypto_session(&cipher_ctx->sess) == 0)
- return 0;
+ if (cipher_ctx->sess.ses != 0)
+ clean_devcrypto_session(&cipher_ctx->sess);
cipher_ctx->sess.cipher = cipher_d->devcryptoid;
cipher_ctx->sess.keylen = cipher_d->keylen;