Initial commit

2025-06-24 12:51:15 +02:00
commit 27c9d80f51
10493 changed files with 1885777 additions and 0 deletions
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:29:21 -0300
+Subject: Do not use host kernel version to disable AFALG
+
+This patch prevents the Configure script from using the host kernel
+version to disable building the AFALG engine on openwrt targets.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
+++ b/Configure
+@@ -1677,7 +1677,9 @@ $config{CFLAGS} = [ map { $_ eq '--ossl-
+ 
+ unless ($disabled{afalgeng}) {
+     $config{afalgeng}="";
+-    if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+    if ($target =~ m/openwrt$/) {
+        push @{$config{engdirs}}, "afalg";
+    } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+         my $minver = 4*10000 + 1*100 + 0;
+         if ($config{CROSS_COMPILE} eq "") {
+             my $verstr = `uname -r`;
--- a/package/libs/openssl/patches/110-openwrt_targets.patch
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:30:24 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- /dev/null
+++ b/Configurations/25-openwrt.conf
+@@ -0,0 +1,59 @@
+## Openwrt "CONFIG_ARCH" matching targets.
+
+# The targets need to end in '-openwrt' for the AFALG patch to work
+
+my %targets = (
+    "openwrt" => {
+	template	=> 1,
+	CFLAGS		=> add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
+    },
+    "linux-aarch64-openwrt" => {
+        inherit_from    => [ "linux-aarch64", "openwrt" ],
+    },
+    "linux-arc-openwrt" => {
+        inherit_from    => [ "linux-latomic", "openwrt" ],
+    },
+    "linux-arm-openwrt" => {
+        inherit_from    => [ "linux-armv4", "openwrt" ],
+    },
+    "linux-armeb-openwrt" => {
+        inherit_from    => [ "linux-armv4", "openwrt" ],
+    },
+    "linux-i386-openwrt" => {
+        inherit_from    => [ "linux-x86", "openwrt" ],
+    },
+    "linux-loongarch64-openwrt" => {
+        inherit_from    => [ "linux64-loongarch64", "openwrt" ],
+    },
+    "linux-mips-openwrt" => {
+        inherit_from    => [ "linux-mips32", "openwrt" ],
+    },
+    "linux-mips64-openwrt" => {
+        inherit_from    => [ "linux64-mips64", "openwrt" ],
+    },
+    "linux-mips64el-openwrt" => {
+        inherit_from    => [ "linux64-mips64", "openwrt" ],
+    },
+    "linux-mipsel-openwrt" => {
+        inherit_from    => [ "linux-mips32", "openwrt" ],
+    },
+    "linux-powerpc-openwrt" => {
+        inherit_from    => [ "linux-ppc", "openwrt" ],
+    },
+    "linux-powerpc64-openwrt" => {
+        inherit_from    => [ "linux-ppc64", "openwrt" ],
+        perlasm_scheme  => "linux64v2",
+    },
+    "linux-riscv64-openwrt" => {
+        inherit_from    => [ "linux-generic64", "openwrt" ],
+        perlasm_scheme   => "linux64",
+    },
+    "linux-x86_64-openwrt" => {
+        inherit_from    => [ "linux-x86_64", "openwrt" ],
+    },
+
+### Basic default option
+    "linux-generic32-openwrt" => {
+        inherit_from    => [ "linux-generic32", "openwrt" ],
+    },
+);
--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:31:38 -0300
+Subject: Avoid exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/crypto/build.info
+++ b/crypto/build.info
+@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+ 
+ DEPEND[info.o]=buildinf.h
+ DEPEND[cversion.o]=buildinf.h
+-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
+ 
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
+ GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
--- a/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch
+++ b/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch
@@ -0,0 +1,20 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:34:38 -0300
+Subject: Do not build tests and fuzz directories
+
+This shortens build time.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/build.info
+++ b/build.info
+@@ -1,7 +1,7 @@
+ # Note that some of these directories are filtered in Configure.  Look for
+ # %skipdir there for further explanations.
+ 
+-SUBDIRS=crypto ssl apps util tools fuzz providers doc
+SUBDIRS=crypto ssl apps util tools providers
+ IF[{- !$disabled{tests} -}]
+   SUBDIRS=test
+ ENDIF
--- a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
+++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
@@ -0,0 +1,92 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:44:39 -0300
+Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
+
+This enables a compile-time option to prefer ChaCha20-Poly1305 over
+AES-GCM in the openssl default ciphersuite, which is useful in systems
+without AES specific CPU instructions.
+OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
+
+Note that this does not have the same effect as the
+SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
+when the client has it on top of its ciphersuite preference.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
+@@ -1506,11 +1506,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
+                           &tail);
+ 
+    /*
+     * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
+     * will be placed before AES-256.  Otherwise, the default behavior of
+     * preferring GCM over CHACHA is used.
+     * This is useful for systems that do not have AES-specific CPU
+     * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
+     * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
+     * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
+     * of its ciphersuite preference.
+     */
+
+#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+                          &head, &tail);
+    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+                          &head, &tail);
+#else
+     /* Within each strength group, we prefer GCM over CHACHA... */
+     ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+                           &head, &tail);
+     ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+                           &head, &tail);
+#endif
+ 
+     /*
+      * ...and generally, our preferred cipher is AES.
+@@ -1565,7 +1583,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * Within each group, ciphers remain sorted by strength and previous
+      * preference, i.e.,
+      * 1) ECDHE > DHE
+-     * 2) GCM > CHACHA
+     * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined
+      * 3) AES > rest
+      * 4) TLS 1.2 > legacy
+      *
+@@ -2236,7 +2254,13 @@ const char *OSSL_default_cipher_list(voi
+  */
+ const char *OSSL_default_ciphersuites(void)
+ {
+#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+    return "TLS_CHACHA20_POLY1305_SHA256:"
+           "TLS_AES_256_GCM_SHA384:"
+           "TLS_AES_128_GCM_SHA256";
+#else
+     return "TLS_AES_256_GCM_SHA384:"
+            "TLS_CHACHA20_POLY1305_SHA256:"
+            "TLS_AES_128_GCM_SHA256";
+#endif
+ }
+--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
+@@ -195,9 +195,15 @@ extern "C" {
+  * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
+  * Update both macro and function simultaneously
+  */
+-#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+-                                   "TLS_CHACHA20_POLY1305_SHA256:" \
+-                                   "TLS_AES_128_GCM_SHA256"
+#  ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
+#   define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+                                    "TLS_AES_256_GCM_SHA384:" \
+                                    "TLS_AES_128_GCM_SHA256"
+#  else
+#   define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+                                    "TLS_CHACHA20_POLY1305_SHA256:" \
+                                    "TLS_AES_128_GCM_SHA256"
+#  endif
+ # endif
+ /*
+  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Date: Sat, 27 Mar 2021 17:43:25 -0300
+Subject: openssl.cnf: add engine configuration
+
+This adds configuration options for engines, loading all cnf files under
+/etc/ssl/engines.cnf.d/.
+
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+
+--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
+@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
+ 
+ [openssl_init]
+ providers = provider_sect
+engines = engines_sect
+ 
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
+.include /var/etc/ssl/providers.cnf
+
+ # The fips section name should match the section name inside the
+ # included fipsmodule.cnf.
+ # fips = fips_sect
+@@ -69,7 +72,13 @@ default = default_sect
+ # OpenSSL may not work correctly which could lead to significant system
+ # problems including inability to remotely access the system.
+ [default_sect]
+-# activate = 1
+activate = 1
+
+[engines_sect]
+.include /var/etc/ssl/engines.cnf
+
+.include /etc/ssl/modules.cnf.d
+
+ 
+ 
+ ####################################################################
--- a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
+++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 09:29:13 -0300
+Subject: e_devcrypto: default to not use digests in engine
+
+Digests are almost always slower when using /dev/crypto because of the
+cost of the context switches.  Only for large blocks it is worth it.
+
+Also, when forking, the open context structures are duplicated, but the
+internal kernel sessions are still shared between forks, which means an
+update/close operation in one fork affects all processes using that
+session.
+
+This affects digests, especially for HMAC, where the session with the
+key hash is used as a source for subsequent operations.  At least one
+popular application does this across a fork.  Disabling digests by
+default will mitigate the problem, while still allowing the user to
+turn them on if it is safe and fast enough.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
+@@ -905,7 +905,7 @@ static void prepare_digest_methods(void)
+     for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+          i++) {
+ 
+-        selected_digests[i] = 1;
+        selected_digests[i] = 0;
+ 
+         /*
+          * Check that the digest is usable
+@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
+ #ifdef IMPLEMENT_DIGEST
+    {DEVCRYPTO_CMD_DIGESTS,
+     "DIGESTS",
+-    "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
+    "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
+     ENGINE_CMD_FLAG_STRING},
+ #endif
+ 
--- a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
+++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 10:15:14 -0300
+Subject: e_devcrypto: ignore error when closing session
+
+In cipher_init, ignore an eventual error when closing the previous
+session.  It may have been closed by another process after a fork.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
+++ b/engines/e_devcrypto.c
+@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+     int ret;
+ 
+     /* cleanup a previous session */
+-    if (cipher_ctx->sess.ses != 0 &&
+-        clean_devcrypto_session(&cipher_ctx->sess) == 0)
+-        return 0;
+    if (cipher_ctx->sess.ses != 0)
+        clean_devcrypto_session(&cipher_ctx->sess);
+ 
+     cipher_ctx->sess.cipher = cipher_d->devcryptoid;
+     cipher_ctx->sess.keylen = cipher_d->keylen;