openssl: bump to 3.0.10

This is a major update to the current LTS version, supported until 2026-09-07. Changelog: https://github.com/openssl/openssl/blob/openssl-3.0.10/CHANGES.md Signed-off-by: Eneas U de Queiroz <[email protected]>
coolsnowwolf · Sep 15, 2023 · 7494eb1 · 7494eb1 · WYC-2020 · Sep 21, 2023
1 parent a2a0e5b
commit 7494eb1
Show file tree

Hide file tree

Showing 23 changed files with 355 additions and 3,884 deletions.
diff --git a/include/openssl-engine.mk b/include/openssl-engine.mk
diff --git a/include/openssl-module.mk b/include/openssl-module.mk
@@ -0,0 +1,79 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2022-2023 Enéas Ulir de Queiroz
+
+ENGINES_DIR=engines-3
+
+define Package/openssl/module/Default
+  SECTION:=libs
+  CATEGORY:=Libraries
+  SUBMENU:=SSL
+  DEPENDS:=libopenssl +libopenssl-conf
+endef
+
+define Package/openssl/engine/Default
+  $(Package/openssl/module/Default)
+  DEPENDS+=@OPENSSL_ENGINE
+endef
+
+
+# 1 = moudule type (engine|provider)
+# 2 = module name
+# 3 = directory to save .so file
+# 4 = [ package name, defaults to libopenssl-$(2) ]
+define Package/openssl/add-module
+  $(eval MOD_TYPE:=$(1))
+  $(eval MOD_NAME:=$(2))
+  $(eval MOD_DIR:=$(3))
+  $(eval OSSL_PKG:=$(if $(4),$(4),libopenssl-$(MOD_NAME)))
+  $(info Package/openssl/add-module 1='$(1)'; 2='$(2)'; 3='$(3)' 4='$(4)')
+  $(info MOD_TYPE='$(MOD_TYPE)'; MOD_NAME='$(MOD_NAME)'; MOD_DIR='$(MOD_DIR)' OSSL_PKG='$(OSSL_PKG)')
+  Package/$(OSSL_PKG)/conffiles:=/etc/ssl/modules.cnf.d/$(MOD_NAME).cnf
+
+  define Package/$(OSSL_PKG)/install
+	$$(INSTALL_DIR)  $$(1)/$(MOD_DIR)
+	$$(INSTALL_BIN)  $$(PKG_INSTALL_DIR)/$(MOD_DIR)/$(MOD_NAME).so \
+			 $$(1)/$(MOD_DIR)
+	$$(INSTALL_DIR)  $$(1)/etc/ssl/modules.cnf.d
+	$$(INSTALL_DATA) ./files/$(MOD_NAME).cnf $$(1)/etc/ssl/modules.cnf.d/
+  endef
+
+  define Package/$(OSSL_PKG)/postinst
+#!/bin/sh
+OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl"
+
+[ -z "$$$${IPKG_INSTROOT}" ] \
+	&& uci -q get openssl.$(MOD_NAME) >/dev/null \
+	&& exit 0
+
+cat << EOF >> "$$$${OPENSSL_UCI}"
+
+config $(MOD_TYPE) '$(MOD_NAME)'
+	option enabled '1'
+EOF
+
+[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload
+exit 0
+  endef
+
+  define Package/$(OSSL_PKG)/postrm
+#!/bin/sh
+[ -n "$$$${IPKG_INSTROOT}" ] && exit 0
+uci -q delete openssl.$(MOD_NAME) && uci commit openssl
+/etc/init.d/openssl reload
+exit 0
+  endef
+endef
+
+# 1 = engine name
+# 2 - package name, defaults to libopenssl-$(1)
+define Package/openssl/add-engine
+  $(call Package/openssl/add-module,engine,$(1),/usr/lib/$(ENGINES_DIR),$(2))
+endef
+
+# 1 = provider name
+# 2 = [ package name, defaults to libopenssl-$(1) ]
+define Package/openssl/add-provider
+  $(call Package/openssl/add-module,provider,$(1),/usr/lib/ossl-modules,$(2))
+endef
+
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
@@ -4,15 +4,27 @@ comment "Build Options"
 
 config OPENSSL_OPTIMIZE_SPEED
 	bool
-	default y
+	default y if (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
 	prompt "Enable optimization for speed instead of size"
 	select OPENSSL_WITH_ASM
 	help
-		Enabling this option increases code size (around 20%) and
-		performance.  The increase in performance and size depends on the
-		target CPU. EC and AES seem to benefit the most, with EC speed
-		increased by 20%-50% (mipsel & x86).
-		AES-GCM is supposed to be 3x faster on x86. YMMV.
+		Enabling this option increases code size and performance.
+		The increase in performance and size depends on the
+		target CPU. EC and AES seem to benefit the most.
+
+config OPENSSL_SMALL_FOOTPRINT
+	bool
+	depends on !OPENSSL_OPTIMIZE_SPEED
+	default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT
+	prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)"
+	help
+		This turns on -DOPENSSL_SMALL_FOOTPRINT.  This will save only
+		1-3% of of the ipk size.  The performance drop depends on
+		architecture and algorithm.  MIPS drops 13% of performance for
+		a 3% decrease in ipk size.  On Aarch64, for a 1% reduction in
+		size, ghash and GCM performance decreases 90%, while
+		Chacha20-Poly1305 is 15% slower.  X86_64 drops 1% of its size
+		for 3% of performance.  Other arches have not been tested.
 
 config OPENSSL_WITH_ASM
 	bool
@@ -22,49 +34,33 @@ config OPENSSL_WITH_ASM
 	help
 		Disabling this option will reduce code size and performance.
 		The increase in performance and size depends on the target
-		CPU and on the algorithms being optimized.  As of 1.1.0i*:
-
-		Platform  Pkg Inc. Algorithms where assembly is used - ~% Speed Increase
-		aarch64   174K     BN, aes, sha1, sha256, sha512, nist256, poly1305
-		arm       152K     BN, aes, sha1, sha256, sha512, nist256, poly1305
-		i386      183K     BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292%
-		mipsel      1.5K   BN+97%, aes+4%, sha1+94%, sha256+60%
-		mips64	    3.7K   BN, aes, sha1, sha256, sha512, poly1305
-		powerpc    20K     BN, aes, sha1, sha256, sha512, poly1305
-		x86_64    228K     BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228%
-
-		* Only most common algorithms shown. Your mileage may vary.
-		  BN (bignum) performance was measured using RSA sign/verify.
+		CPU and on the algorithms being optimized.
 
 config OPENSSL_WITH_SSE2
 	bool
-	default y if x86_64 || i386 && !TARGET_x86_legacy
+	default y if !TARGET_x86_legacy && !TARGET_x86_geode
 	prompt "Enable use of x86 SSE2 instructions"
-	depends on OPENSSL_WITH_ASM && x86_64 || i386
+	depends on OPENSSL_WITH_ASM && i386
 	help
-		Use of SSE2 instructions greatly increase performance (up to
-		3x faster) with a minimum (~0.2%, or 23KB) increase in package
-		size, but it will bring no benefit if your hardware does not
-		support them, such as Geode GX and LX.  In this case you may
-		save 23KB by saying yes here.  AMD Geode NX, and Intel
-		Pentium 4 and above support SSE2.
+		Use of SSE2 instructions greatly increase performance with a
+		minimum increase in package size, but it will bring no benefit
+		if your hardware does not support them, such as Geode GX and LX.
+		AMD Geode NX, and Intel Pentium 4 and above support SSE2.
 
 config OPENSSL_WITH_DEPRECATED
 	bool
 	default y
-	prompt "Include deprecated APIs (See help for a list of packages that need this)"
+	prompt "Include deprecated APIs"
 	help
-		Since openssl 1.1.x is still new to openwrt, some packages
-		requiring this option do not list it as a requirement yet:
-		 * freeswitch-stable, freeswitch, python, python3, squid.
+		This drops all deprecated API, including engine support.
 
 config OPENSSL_NO_DEPRECATED
 	bool
 	default !OPENSSL_WITH_DEPRECATED
 
 config OPENSSL_WITH_ERROR_MESSAGES
 	bool
-	default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT
+	default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
 	prompt "Include error messages"
 	help
 		This option aids debugging, but increases package size and
@@ -84,7 +80,6 @@ config OPENSSL_WITH_TLS13
 		   protocol;
 		 * to increase performance by reducing the number of round-trips
 		   when performing a full handshake.
-		It increases package size by ~4KB.
 
 config OPENSSL_WITH_DTLS
 	bool
@@ -138,7 +133,7 @@ config OPENSSL_WITH_CHACHA_POLY1305
 
 config OPENSSL_PREFER_CHACHA_OVER_GCM
 	bool
-	default y if !x86_64
+	default y if !x86_64 && !aarch64
 	prompt "Prefer ChaCha20-Poly1305 over AES-GCM by default"
 	depends on OPENSSL_WITH_CHACHA_POLY1305
 	help
@@ -172,16 +167,24 @@ config OPENSSL_WITH_CAMELLIA
 
 config OPENSSL_WITH_IDEA
 	bool
-	prompt "Enable IDEA cipher support"
+	default y if !SMALL_FLASH
+	prompt "Enable IDEA cipher support (needs legacy provider)"
 	help
 		IDEA is a block cipher with 128-bit keys.
+		To use the cipher, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
 
 config OPENSSL_WITH_SEED
 	bool
-	prompt "Enable SEED cipher support"
+	default y if !SMALL_FLASH
+	prompt "Enable SEED cipher support (needs legacy provider)"
 	help
 		SEED is a block cipher with 128-bit keys broadly used in
 		South Korea, but seldom found elsewhere.
+		To use the cipher, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
 
 config OPENSSL_WITH_SM234
 	bool
@@ -202,11 +205,21 @@ config OPENSSL_WITH_BLAKE2
 
 config OPENSSL_WITH_MDC2
 	bool
-	prompt "Enable MDC2 digest support"
+	default y if !SMALL_FLASH
+	prompt "Enable MDC2 digest support (needs legacy provider)"
+	help
+		To use the digest, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
 
 config OPENSSL_WITH_WHIRLPOOL
 	bool
-	prompt "Enable Whirlpool digest support"
+	default y if !SMALL_FLASH
+	prompt "Enable Whirlpool digest support (needs legacy provider)"
+	help
+		To use the digest, one must install the libopenssl-legacy
+		package, using a main libopenssl package compiled with this
+		option enabled as well.
 
 config OPENSSL_WITH_COMPRESSION
 	bool
@@ -233,8 +246,8 @@ comment "Engine/Hardware Support"
 
 config OPENSSL_ENGINE
 	bool "Enable engine support"
+	select OPENSSL_WITH_DEPRECATED
 	default y
-	select PACKAGE_libopenssl-devcrypto
 	help
 		This enables alternative cryptography implementations,
 		most commonly for interfacing with external crypto devices,
@@ -248,7 +261,7 @@ config OPENSSL_ENGINE
 
 config OPENSSL_ENGINE_BUILTIN
 	bool "Build chosen engines into libcrypto"
-	default y
+	default y if !SMALL_FLASH
 	depends on OPENSSL_ENGINE
 	help
 		This builds all chosen engines into libcrypto.so, instead of building
@@ -258,7 +271,7 @@ config OPENSSL_ENGINE_BUILTIN
 
 config OPENSSL_ENGINE_BUILTIN_AFALG
 	bool
-	default y
+	default y if !SMALL_FLASH
 	prompt "Acceleration support through AF_ALG sockets engine"
 	depends on OPENSSL_ENGINE_BUILTIN && KERNEL_AIO
 	select PACKAGE_libopenssl-conf
@@ -268,7 +281,7 @@ config OPENSSL_ENGINE_BUILTIN_AFALG
 
 config OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
 	bool
-	default y
+	default y if !SMALL_FLASH
 	prompt "Acceleration support through /dev/crypto"
 	depends on OPENSSL_ENGINE_BUILTIN
 	select PACKAGE_libopenssl-conf