openwrt/package/libs/openssl/Makefile
Eneas U de Queiroz 482c9ff289 openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs:

- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
  SSLv2, but the affected functions still exist. Considered just a bug.

- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
  EVP_DecryptUpdate may overflow the output length argument in some
  cases where the input length is close to the maximum permissable
  length for an integer on the platform. In such cases the return value
  from the function call will be 1 (indicating success), but the output
  length value will be negative.

- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate. However it was failing to
  correctly handle any errors that may occur while parsing the issuer
  field (which might occur if the issuer field is maliciously
  constructed). This may subsequently result in a NULL pointer deref and
  a crash leading to a potential denial of service attack.

- Fixed SRP_Calc_client_key so that it runs in constant time. This could
  be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-17 09:24:47 +01:00

412 lines
11 KiB
Makefile

#
# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=j
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
PKG_RELEASE:=1
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
PKG_BUILD_PARALLEL:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
http://ftp.fi.muni.cz/pub/openssl/source/ \
http://ftp.linux.hr/pub/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf
PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
PKG_CPE_ID:=cpe:/a:openssl:openssl
PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
CONFIG_OPENSSL_ENGINE_BUILTIN \
CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG \
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO \
CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK \
CONFIG_OPENSSL_NO_DEPRECATED \
CONFIG_OPENSSL_OPTIMIZE_SPEED \
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
CONFIG_OPENSSL_WITH_ARIA \
CONFIG_OPENSSL_WITH_ASM \
CONFIG_OPENSSL_WITH_ASYNC \
CONFIG_OPENSSL_WITH_BLAKE2 \
CONFIG_OPENSSL_WITH_CAMELLIA \
CONFIG_OPENSSL_WITH_CHACHA_POLY1305 \
CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_DTLS \
CONFIG_OPENSSL_WITH_EC2M \
CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
CONFIG_OPENSSL_WITH_GOST \
CONFIG_OPENSSL_WITH_IDEA \
CONFIG_OPENSSL_WITH_MDC2 \
CONFIG_OPENSSL_WITH_NPN \
CONFIG_OPENSSL_WITH_PSK \
CONFIG_OPENSSL_WITH_RFC3779 \
CONFIG_OPENSSL_WITH_SEED \
CONFIG_OPENSSL_WITH_SM234 \
CONFIG_OPENSSL_WITH_SRP \
CONFIG_OPENSSL_WITH_SSE2 \
CONFIG_OPENSSL_WITH_TLS13 \
CONFIG_OPENSSL_WITH_WHIRLPOOL
include $(INCLUDE_DIR)/package.mk
ifneq ($(CONFIG_CCACHE),)
HOSTCC=$(HOSTCC_NOCACHE)
HOSTCXX=$(HOSTCXX_NOCACHE)
endif
define Package/openssl/Default
TITLE:=Open source SSL toolkit
URL:=http://www.openssl.org/
SECTION:=libs
CATEGORY:=Libraries
endef
define Package/libopenssl/config
source "$(SOURCE)/Config.in"
endef
define Package/openssl/Default/description
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the
Transport Layer Security (TLS) protocol as well as a full-strength
general-purpose cryptography library.
endef
define Package/libopenssl
$(call Package/openssl/Default)
SUBMENU:=SSL
DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \
+OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \
+OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \
+OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock
TITLE+= (libraries)
ABI_VERSION:=1.1
MENU:=1
endef
define Package/libopenssl/description
$(call Package/openssl/Default/description)
This package contains the OpenSSL shared libraries, needed by other programs.
endef
define Package/openssl-util
$(call Package/openssl/Default)
SECTION:=utils
CATEGORY:=Utilities
DEPENDS:=+libopenssl +libopenssl-conf
TITLE+= (utility)
endef
define Package/openssl-util/description
$(call Package/openssl/Default/description)
This package contains the OpenSSL command-line utility.
endef
define Package/libopenssl-conf
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=/etc/ssl/openssl.cnf config file
DEPENDS:=libopenssl
endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
endef
define Package/libopenssl-conf/description
$(call Package/openssl/Default/description)
This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
endef
define Package/libopenssl-afalg
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=AFALG hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
+PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-afalg/description
This package adds an engine that enables hardware acceleration
through the AF_ALG kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "afalg"
endef
define Package/libopenssl-devcrypto
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=/dev/crypto hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
@!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-devcrypto/description
This package adds an engine that enables hardware acceleration
through the /dev/crypto kernel interface.
To use it, you need to configure the engine in /etc/ssl/openssl.cnf
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "devcrypto"
endef
define Package/libopenssl-padlock
$(call Package/openssl/Default)
SUBMENU:=SSL
TITLE:=VIA Padlock hardware acceleration engine
DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
endef
define Package/libopenssl-padlock/description
This package adds an engine that enables VIA Padlock hardware acceleration.
To use it, you need to configure it in /etc/ssl/openssl.cnf.
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
The engine_id is "padlock"
endef
OPENSSL_OPTIONS:= shared
ifndef CONFIG_OPENSSL_WITH_BLAKE2
OPENSSL_OPTIONS += no-blake2
endif
ifndef CONFIG_OPENSSL_WITH_CHACHA_POLY1305
OPENSSL_OPTIONS += no-chacha no-poly1305
else
ifdef CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM
OPENSSL_OPTIONS += -DOPENSSL_PREFER_CHACHA_OVER_GCM
endif
endif
ifndef CONFIG_OPENSSL_WITH_ASYNC
OPENSSL_OPTIONS += no-async
endif
ifndef CONFIG_OPENSSL_WITH_EC2M
OPENSSL_OPTIONS += no-ec2m
endif
ifndef CONFIG_OPENSSL_WITH_ERROR_MESSAGES
OPENSSL_OPTIONS += no-err
endif
ifndef CONFIG_OPENSSL_WITH_TLS13
OPENSSL_OPTIONS += no-tls1_3
endif
ifndef CONFIG_OPENSSL_WITH_ARIA
OPENSSL_OPTIONS += no-aria
endif
ifndef CONFIG_OPENSSL_WITH_SM234
OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4
endif
ifndef CONFIG_OPENSSL_WITH_CAMELLIA
OPENSSL_OPTIONS += no-camellia
endif
ifndef CONFIG_OPENSSL_WITH_IDEA
OPENSSL_OPTIONS += no-idea
endif
ifndef CONFIG_OPENSSL_WITH_SEED
OPENSSL_OPTIONS += no-seed
endif
ifndef CONFIG_OPENSSL_WITH_MDC2
OPENSSL_OPTIONS += no-mdc2
endif
ifndef CONFIG_OPENSSL_WITH_WHIRLPOOL
OPENSSL_OPTIONS += no-whirlpool
endif
ifndef CONFIG_OPENSSL_WITH_CMS
OPENSSL_OPTIONS += no-cms
endif
ifndef CONFIG_OPENSSL_WITH_RFC3779
OPENSSL_OPTIONS += no-rfc3779
endif
ifdef CONFIG_OPENSSL_NO_DEPRECATED
OPENSSL_OPTIONS += no-deprecated
endif
ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y)
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3
else
OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT
endif
ifdef CONFIG_OPENSSL_ENGINE
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN
OPENSSL_OPTIONS += disable-dynamic-engine
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_AFALG
OPENSSL_OPTIONS += no-afalgeng
endif
ifdef CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK
OPENSSL_OPTIONS += no-hw-padlock
endif
else
ifdef CONFIG_PACKAGE_libopenssl-devcrypto
OPENSSL_OPTIONS += enable-devcryptoeng
endif
ifndef CONFIG_PACKAGE_libopenssl-afalg
OPENSSL_OPTIONS += no-afalgeng
endif
ifndef CONFIG_PACKAGE_libopenssl-padlock
OPENSSL_OPTIONS += no-hw-padlock
endif
endif
else
OPENSSL_OPTIONS += no-engine
endif
ifndef CONFIG_OPENSSL_WITH_GOST
OPENSSL_OPTIONS += no-gost
endif
ifndef CONFIG_OPENSSL_WITH_DTLS
OPENSSL_OPTIONS += no-dtls
endif
ifdef CONFIG_OPENSSL_WITH_COMPRESSION
OPENSSL_OPTIONS += zlib-dynamic
else
OPENSSL_OPTIONS += no-comp
endif
ifndef CONFIG_OPENSSL_WITH_NPN
OPENSSL_OPTIONS += no-nextprotoneg
endif
ifndef CONFIG_OPENSSL_WITH_PSK
OPENSSL_OPTIONS += no-psk
endif
ifndef CONFIG_OPENSSL_WITH_SRP
OPENSSL_OPTIONS += no-srp
endif
ifndef CONFIG_OPENSSL_WITH_ASM
OPENSSL_OPTIONS += no-asm
endif
ifdef CONFIG_i386
ifndef CONFIG_OPENSSL_WITH_SSE2
OPENSSL_OPTIONS += no-sse2
endif
endif
OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt
STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5)
define Build/Configure
(cd $(PKG_BUILD_DIR); \
./Configure $(OPENSSL_TARGET) \
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
--cross-compile-prefix="$(TARGET_CROSS)" \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) && \
{ [ -f $(STAMP_CONFIGURED) ] || make clean; } \
)
endef
TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
CC="$(TARGET_CC)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
$(MAKE) -C $(PKG_BUILD_DIR) \
CC="$(TARGET_CC)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
install_sw install_ssldirs
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/openssl $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib{crypto,ssl}.{a,so*} $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc $(1)/usr/lib/pkgconfig/
[ -n "$(TARGET_LDFLAGS)" ] && $(SED) 's#$(TARGET_LDFLAGS)##g' $(1)/usr/lib/pkgconfig/{openssl,libcrypto,libssl}.pc || true
endef
define Package/libopenssl/install
$(INSTALL_DIR) $(1)/etc/ssl/certs
$(INSTALL_DIR) $(1)/etc/ssl/private
chmod 0700 $(1)/etc/ssl/private
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libcrypto.so.* $(1)/usr/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libssl.so.* $(1)/usr/lib/
$(if $(CONFIG_OPENSSL_ENGINE),$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR))
endef
define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
endef
define Package/openssl-util/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/openssl $(1)/usr/bin/
endef
define Package/libopenssl-afalg/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR)
endef
define Package/libopenssl-devcrypto/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR)
endef
define Package/libopenssl-padlock/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.so $(1)/usr/lib/$(ENGINES_DIR)
endef
$(eval $(call BuildPackage,libopenssl))
$(eval $(call BuildPackage,libopenssl-conf))
$(eval $(call BuildPackage,libopenssl-afalg))
$(eval $(call BuildPackage,libopenssl-devcrypto))
$(eval $(call BuildPackage,libopenssl-padlock))
$(eval $(call BuildPackage,openssl-util))