mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-20 22:23:27 +00:00
5c7aed8b1e
Changes between 1.1.1o and 1.1.1p [21 Jun 2022]
*) In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further bugs where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection have been
fixed.
When the CVE-2022-1292 was fixed it was not discovered that there
are other places in the script where the file names of certificates
being hashed were possibly passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where
it is automatically executed. On such operating systems, an attacker
could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
(CVE-2022-2068)
[Daniel Fiala, Tomáš Mráz]
*) When OpenSSL TLS client is connecting without any supported elliptic
curves and TLS-1.3 protocol is disabled the connection will no longer fail
if a ciphersuite that does not use a key exchange based on elliptic
curves can be negotiated.
[Tomáš Mráz]
Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit eb7d2abbf0
)
404 lines
11 KiB
Makefile
404 lines
11 KiB
Makefile
#
|
|
# Copyright (C) 2006-2016 OpenWrt.org
|
|
#
|
|
# This is free software, licensed under the GNU General Public License v2.
|
|
# See /LICENSE for more information.
|
|
#
|
|
|
|
include $(TOPDIR)/rules.mk
|
|
|
|
PKG_NAME:=openssl
|
|
PKG_BASE:=1.1.1
|
|
PKG_BUGFIX:=p
|
|
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
|
|
PKG_RELEASE:=1
|
|
PKG_USE_MIPS16:=0
|
|
|
|
PKG_BUILD_PARALLEL:=1
|
|
|
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
|
PKG_SOURCE_URL:= \
|
|
http://www.openssl.org/source/ \
|
|
http://www.openssl.org/source/old/$(PKG_BASE)/ \
|
|
http://ftp.fi.muni.cz/pub/openssl/source/ \
|
|
http://ftp.fi.muni.cz/pub/openssl/source/old/$(PKG_BASE)/ \
|
|
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
|
|
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
|
|
|
|
PKG_HASH:=bf61b62aaa66c7c7639942a94de4c9ae8280c08f17d4eac2e44644d9fc8ace6f
|
|
|
|
PKG_LICENSE:=OpenSSL
|
|
PKG_LICENSE_FILES:=LICENSE
|
|
PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
|
|
PKG_CPE_ID:=cpe:/a:openssl:openssl
|
|
PKG_CONFIG_DEPENDS:= \
|
|
CONFIG_OPENSSL_ENGINE \
|
|
CONFIG_OPENSSL_ENGINE_BUILTIN \
|
|
CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \
|
|
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \
|
|
CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \
|
|
CONFIG_OPENSSL_NO_DEPRECATED \
|
|
CONFIG_OPENSSL_OPTIMIZE_SPEED \
|
|
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
|
|
CONFIG_OPENSSL_WITH_ARIA \
|
|
CONFIG_OPENSSL_WITH_ASM \
|
|
CONFIG_OPENSSL_WITH_ASYNC \
|
|
CONFIG_OPENSSL_WITH_BLAKE2 \
|
|
CONFIG_OPENSSL_WITH_CAMELLIA \
|
|
CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
|
|
CONFIG_OPENSSL_WITH_CMS \
|
|
CONFIG_OPENSSL_WITH_COMPRESSION \
|
|
CONFIG_OPENSSL_WITH_DTLS \
|
|
CONFIG_OPENSSL_WITH_EC2M \
|
|
CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
|
|
CONFIG_OPENSSL_WITH_IDEA \
|
|
CONFIG_OPENSSL_WITH_MDC2 \
|
|
CONFIG_OPENSSL_WITH_NPN \
|
|
CONFIG_OPENSSL_WITH_PSK \
|
|
CONFIG_OPENSSL_WITH_RFC3779 \
|
|
CONFIG_OPENSSL_WITH_SEED \
|
|
CONFIG_OPENSSL_WITH_SM234 \
|
|
CONFIG_OPENSSL_WITH_SRP \
|
|
CONFIG_OPENSSL_WITH_SSE2 \
|
|
CONFIG_OPENSSL_WITH_TLS13 \
|
|
CONFIG_OPENSSL_WITH_WHIRLPOOL
|
|
|
|
include $(INCLUDE_DIR)/package.mk
|
|
include engine.mk
|
|
|
|
ifneq ($(CONFIG_CCACHE),)
|
|
HOSTCC=$(HOSTCC_NOCACHE)
|
|
HOSTCXX=$(HOSTCXX_NOCACHE)
|
|
endif
|
|
|
|
define Package/openssl/Default
|
|
TITLE:=Open source SSL toolkit
|
|
URL:=http://www.openssl.org/
|
|
SECTION:=libs
|
|
CATEGORY:=Libraries
|
|
endef
|
|
|
|
define Package/libopenssl/config
|
|
source "$(SOURCE)/Config.in"
|
|
endef
|
|
|
|
define Package/openssl/Default/description
|
|
The OpenSSL Project is a collaborative effort to develop a robust,
|
|
commercial-grade, full-featured, and Open Source toolkit implementing the
|
|
Transport Layer Security (TLS) protocol as well as a full-strength
|
|
general-purpose cryptography library.
|
|
endef
|
|
|
|
define Package/libopenssl
|
|
$(call Package/openssl/Default)
|
|
SUBMENU:=SSL
|
|
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \
|
|
+OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \
|
|
+OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \
|
|
+OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock
|
|
TITLE+= (libraries)
|
|
ABI_VERSION:=1.1
|
|
MENU:=1
|
|
endef
|
|
|
|
define Package/libopenssl/description
|
|
$(call Package/openssl/Default/description)
|
|
This package contains the OpenSSL shared libraries, needed by other programs.
|
|
endef
|
|
|
|
define Package/openssl-util
|
|
$(call Package/openssl/Default)
|
|
SECTION:=utils
|
|
CATEGORY:=Utilities
|
|
DEPENDS:=+libopenssl +libopenssl-conf
|
|
TITLE+= (utility)
|
|
endef
|
|
|
|
define Package/openssl-util/description
|
|
$(call Package/openssl/Default/description)
|
|
This package contains the OpenSSL command-line utility.
|
|
endef
|
|
|
|
define Package/libopenssl-conf
|
|
$(call Package/openssl/Default)
|
|
SUBMENU:=SSL
|
|
TITLE:=/etc/ssl/openssl.cnf config file
|
|
DEPENDS:=libopenssl
|
|
endef
|
|
|
|
define Package/libopenssl-conf/conffiles
|
|
/etc/ssl/openssl.cnf
|
|
$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
|
|
$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
|
|
endef
|
|
|
|
define Package/libopenssl-conf/description
|
|
$(call Package/openssl/Default/description)
|
|
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
|
|
endef
|
|
|
|
$(eval $(call Package/openssl/add-engine,afalg))
|
|
define Package/libopenssl-afalg
|
|
$(call Package/openssl/Default)
|
|
$(call Package/openssl/engine/Default)
|
|
TITLE:=AFALG hardware acceleration engine
|
|
DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
|
|
@!OPENSSL_ENGINE_BUILTIN
|
|
endef
|
|
|
|
define Package/libopenssl-afalg/description
|
|
This package adds an engine that enables hardware acceleration
|
|
through the AF_ALG kernel interface.
|
|
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
|
|
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
|
The engine_id is "afalg"
|
|
endef
|
|
|
|
$(eval $(call Package/openssl/add-engine,devcrypto))
|
|
define Package/libopenssl-devcrypto
|
|
$(call Package/openssl/Default)
|
|
$(call Package/openssl/engine/Default)
|
|
TITLE:=/dev/crypto hardware acceleration engine
|
|
DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN
|
|
endef
|
|
|
|
define Package/libopenssl-devcrypto/description
|
|
This package adds an engine that enables hardware acceleration
|
|
through the /dev/crypto kernel interface.
|
|
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
|
|
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
|
The engine_id is "devcrypto"
|
|
endef
|
|
|
|
$(eval $(call Package/openssl/add-engine,padlock))
|
|
define Package/libopenssl-padlock
|
|
$(call Package/openssl/Default)
|
|
$(call Package/openssl/engine/Default)
|
|
TITLE:=VIA Padlock hardware acceleration engine
|
|
DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
|
|
@!OPENSSL_ENGINE_BUILTIN
|
|
endef
|
|
|
|
define Package/libopenssl-padlock/description
|
|
This package adds an engine that enables VIA Padlock hardware acceleration.
|
|
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
|
|
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
|
|
The engine_id is "padlock"
|
|
endef
|
|
|
|
OPENSSL_OPTIONS:= shared
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_BLAKE2
|
|
OPENSSL_OPTIONS += no-blake2
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
|
|
OPENSSL_OPTIONS += no-chacha no-poly1305
|
|
else
|
|
ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM
|
|
OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM
|
|
endif
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_ASYNC
|
|
OPENSSL_OPTIONS += no-async
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_EC2M
|
|
OPENSSL_OPTIONS += no-ec2m
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
|
|
OPENSSL_OPTIONS += no-err
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_TLS13
|
|
OPENSSL_OPTIONS += no-tls1_3
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_ARIA
|
|
OPENSSL_OPTIONS += no-aria
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_SM234
|
|
OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_CAMELLIA
|
|
OPENSSL_OPTIONS += no-camellia
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_IDEA
|
|
OPENSSL_OPTIONS += no-idea
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_SEED
|
|
OPENSSL_OPTIONS += no-seed
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_MDC2
|
|
OPENSSL_OPTIONS += no-mdc2
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
|
|
OPENSSL_OPTIONS += no-whirlpool
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_CMS
|
|
OPENSSL_OPTIONS += no-cms
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_RFC3779
|
|
OPENSSL_OPTIONS += no-rfc3779
|
|
endif
|
|
|
|
ifdef CONFIG_OPENSSL_NO_DEPRECATED
|
|
OPENSSL_OPTIONS += no-deprecated
|
|
endif
|
|
|
|
ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
|
|
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
|
|
else
|
|
OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
|
|
endif
|
|
|
|
ifdef CONFIG_OPENSSL_ENGINE
|
|
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN
|
|
OPENSSL_OPTIONS += disable-dynamic-engine
|
|
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG
|
|
OPENSSL_OPTIONS += no-afalgeng
|
|
endif
|
|
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
|
|
OPENSSL_OPTIONS += enable-devcryptoeng
|
|
endif
|
|
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK
|
|
OPENSSL_OPTIONS += no-hw-padlock
|
|
endif
|
|
else
|
|
ifdef CONFIG_PACKAGE_libopenssl-devcrypto
|
|
OPENSSL_OPTIONS += enable-devcryptoeng
|
|
endif
|
|
ifndef CONFIG_PACKAGE_libopenssl-afalg
|
|
OPENSSL_OPTIONS += no-afalgeng
|
|
endif
|
|
ifndef CONFIG_PACKAGE_libopenssl-padlock
|
|
OPENSSL_OPTIONS += no-hw-padlock
|
|
endif
|
|
endif
|
|
else
|
|
OPENSSL_OPTIONS += no-engine
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_DTLS
|
|
OPENSSL_OPTIONS += no-dtls
|
|
endif
|
|
|
|
ifdef CONFIG_OPENSSL_WITH_COMPRESSION
|
|
OPENSSL_OPTIONS += zlib-dynamic
|
|
else
|
|
OPENSSL_OPTIONS += no-comp
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_NPN
|
|
OPENSSL_OPTIONS += no-nextprotoneg
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_PSK
|
|
OPENSSL_OPTIONS += no-psk
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_SRP
|
|
OPENSSL_OPTIONS += no-srp
|
|
endif
|
|
|
|
ifndef CONFIG_OPENSSL_WITH_ASM
|
|
OPENSSL_OPTIONS += no-asm
|
|
endif
|
|
|
|
ifdef CONFIG_i386
|
|
ifndef CONFIG_OPENSSL_WITH_SSE2
|
|
OPENSSL_OPTIONS += no-sse2
|
|
endif
|
|
endif
|
|
|
|
OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
|
|
|
|
STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | $(MKHASH) md5)
|
|
|
|
define Build/Configure
|
|
(cd $(PKG_BUILD_DIR); \
|
|
./Configure $(OPENSSL_TARGET) \
|
|
--prefix=/usr \
|
|
--libdir=lib \
|
|
--openssldir=/etc/ssl \
|
|
--cross-compile-prefix="$(TARGET_CROSS)" \
|
|
$(TARGET_CPPFLAGS) \
|
|
$(TARGET_LDFLAGS) \
|
|
$(OPENSSL_OPTIONS) && \
|
|
{ [ -f $(STAMP_CONFIGURED) ] || make clean; } \
|
|
)
|
|
endef
|
|
|
|
TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
|
|
TARGET_LDFLAGS += -Wl,--gc-sections
|
|
|
|
define Build/Compile
|
|
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
|
|
CC="$(TARGET_CC)" \
|
|
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
|
|
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
|
|
$(OPENSSL_MAKEFLAGS) \
|
|
all
|
|
$(MAKE) -C $(PKG_BUILD_DIR) \
|
|
CC="$(TARGET_CC)" \
|
|
DESTDIR="$(PKG_INSTALL_DIR)" \
|
|
$(OPENSSL_MAKEFLAGS) \
|
|
install_sw install_ssldirs
|
|
endef
|
|
|
|
define Build/InstallDev
|
|
$(INSTALL_DIR) $(1)/usr/include
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/include/openssl $(1)/usr/include/
|
|
$(INSTALL_DIR) $(1)/usr/lib/
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib{crypto,ssl}.{a,so*} $(1)/usr/lib/
|
|
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc $(1)/usr/lib/pkgconfig/
|
|
[ -n "$(TARGET_LDFLAGS)" ] && $(SED) 's#$(TARGET_LDFLAGS)##g' $(1)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc || true
|
|
endef
|
|
|
|
define Package/libopenssl/install
|
|
$(INSTALL_DIR) $(1)/etc/ssl/certs
|
|
$(INSTALL_DIR) $(1)/etc/ssl/private
|
|
chmod 0700 $(1)/etc/ssl/private
|
|
$(INSTALL_DIR) $(1)/usr/lib
|
|
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
|
|
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
|
|
$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
|
|
endef
|
|
|
|
define Package/libopenssl-conf/install
|
|
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
|
|
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
|
|
$(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
|
|
$(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
|
|
touch $(1)/etc/config/openssl
|
|
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
|
|
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
|
|
echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
|
|
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
|
|
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
|
|
echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
|
|
endef
|
|
|
|
define Package/openssl-util/install
|
|
$(INSTALL_DIR) $(1)/usr/bin
|
|
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
|
|
endef
|
|
|
|
$(eval $(call BuildPackage,libopenssl))
|
|
$(eval $(call BuildPackage,libopenssl-conf))
|
|
$(eval $(call BuildPackage,libopenssl-afalg))
|
|
$(eval $(call BuildPackage,libopenssl-devcrypto))
|
|
$(eval $(call BuildPackage,libopenssl-padlock))
|
|
$(eval $(call BuildPackage,openssl-util))
|