ASR_BASE
Change-Id: Icf3719cc0afe3eeb3edc7fa80a2eb5199ca9dda1
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch
new file mode 100644
index 0000000..e9cd7bf
--- /dev/null
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:29:21 -0300
+Subject: Do not use host kernel version to disable AFALG
+
+This patch prevents the Configure script from using the host kernel
+version to disable building the AFALG engine on openwrt targets.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/Configure
++++ b/Configure
+@@ -1677,7 +1677,9 @@ $config{CFLAGS} = [ map { $_ eq '--ossl-
+
+ unless ($disabled{afalgeng}) {
+ $config{afalgeng}="";
+- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
++ if ($target =~ m/openwrt$/) {
++ push @{$config{engdirs}}, "afalg";
++ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
+ my $minver = 4*10000 + 1*100 + 0;
+ if ($config{CROSS_COMPILE} eq "") {
+ my $verstr = `uname -r`;
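Review bot: The new `if ($target =~ m/openwrt$/)` branch pushes `afalg` into `engdirs` without the kernel-version check that the `elsif` branch keeps, so nothing in Configure any longer verifies that the target kernel provides AF_ALG; the line deserves a comment, e.g. `# OpenWrt targets: skip the host 'uname -r' check, which is meaningless when cross-compiling; the target kernel must still provide AF_ALG (CONFIG_CRYPTO_USER_API_*), otherwise the engine is presumably unusable at runtime.` The outer `unless ($disabled{afalgeng})` still honours `no-afalgeng`, which is worth stating in that comment too. The branch relies on the target name ending in `openwrt`, a coupling documented only in the separate 110-openwrt_targets.patch. The patched Configure block continues outside this hunk.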
diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch
new file mode 100644
index 0000000..d02bc03
--- /dev/null
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:30:24 -0300
+Subject: Add openwrt targets
+
+Targets are named: linux-$(CONFIG_ARCH)-openwrt
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- /dev/null
++++ b/Configurations/25-openwrt.conf
+@@ -0,0 +1,59 @@
++## Openwrt "CONFIG_ARCH" matching targets.
++
++# The targets need to end in '-openwrt' for the AFALG patch to work
++
++my %targets = (
++ "openwrt" => {
++ template => 1,
++ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"),
++ },
++ "linux-aarch64-openwrt" => {
++ inherit_from => [ "linux-aarch64", "openwrt" ],
++ },
++ "linux-arc-openwrt" => {
++ inherit_from => [ "linux-latomic", "openwrt" ],
++ },
++ "linux-arm-openwrt" => {
++ inherit_from => [ "linux-armv4", "openwrt" ],
++ },
++ "linux-armeb-openwrt" => {
++ inherit_from => [ "linux-armv4", "openwrt" ],
++ },
++ "linux-i386-openwrt" => {
++ inherit_from => [ "linux-x86", "openwrt" ],
++ },
++ "linux-loongarch64-openwrt" => {
++ inherit_from => [ "linux64-loongarch64", "openwrt" ],
++ },
++ "linux-mips-openwrt" => {
++ inherit_from => [ "linux-mips32", "openwrt" ],
++ },
++ "linux-mips64-openwrt" => {
++ inherit_from => [ "linux64-mips64", "openwrt" ],
++ },
++ "linux-mips64el-openwrt" => {
++ inherit_from => [ "linux64-mips64", "openwrt" ],
++ },
++ "linux-mipsel-openwrt" => {
++ inherit_from => [ "linux-mips32", "openwrt" ],
++ },
++ "linux-powerpc-openwrt" => {
++ inherit_from => [ "linux-ppc", "openwrt" ],
++ },
++ "linux-powerpc64-openwrt" => {
++ inherit_from => [ "linux-ppc64", "openwrt" ],
++ perlasm_scheme => "linux64v2",
++ },
++ "linux-riscv64-openwrt" => {
++ inherit_from => [ "linux-generic64", "openwrt" ],
++ perlasm_scheme => "linux64",
++ },
++ "linux-x86_64-openwrt" => {
++ inherit_from => [ "linux-x86_64", "openwrt" ],
++ },
++
++### Basic default option
++ "linux-generic32-openwrt" => {
++ inherit_from => [ "linux-generic32", "openwrt" ],
++ },
++);
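Review bot: The comment `# The targets need to end in '-openwrt' for the AFALG patch to work` names a coupling without saying where it lives; pointing at the other patch keeps the two in sync when either is edited, e.g. `# Target names must end in '-openwrt': Configure (as patched by 100-Configure-afalg-support.patch) matches m/openwrt$/ to build the AFALG engine without the host kernel check.` The `openwrt` template only adds `$(OPENWRT_OPTIMIZATION_FLAGS)` to CFLAGS; since that is a make variable expanded at build time, the comment could also name where it is expected to be set, which I cannot see from here.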
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
new file mode 100644
index 0000000..ebdb940
--- /dev/null
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -0,0 +1,21 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:31:38 -0300
+Subject: Avoid exposing build directories
+
+The CFLAGS contain the build directories, and are shown by calling
+OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/crypto/build.info
++++ b/crypto/build.info
+@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+
+ DEPEND[info.o]=buildinf.h
+ DEPEND[cversion.o]=buildinf.h
+-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"
+
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
+ GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
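Review bot: The `$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%, …)` pattern on the new GENERATE line only removes flags whose path is attached to the same word, so build directories can still reach buildinf.h through other forms: `-fdebug-prefix-map=%`, `-isystem%`, `--sysroot=%` and `-L%` are not listed, and the two-word spellings (`-isystem DIR`, `--sysroot DIR`, `-I DIR`) leave DIR in place because the path is a separate word matching none of the patterns. Since the goal is to keep the toolchain layout out of `openssl version -a` and `OpenSSL_version(OPENSSL_CFLAGS)`, extending the list is cheap: `GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -isystem% -iremap% -fmacro-prefix-map% -ffile-prefix-map% -fdebug-prefix-map% --sysroot% -L%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)"`. The separate-argument forms would still need handling where the CFLAGS are assembled, which is outside this patch.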
diff --git a/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch b/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch
new file mode 100644
index 0000000..60c4663
--- /dev/null
+++ b/package/libs/openssl/patches/130-dont-build-fuzz-docs.patch
@@ -0,0 +1,20 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:34:38 -0300
+Subject: Do not build tests and fuzz directories
+
+This shortens build time.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/build.info
++++ b/build.info
+@@ -1,7 +1,7 @@
+ # Note that some of these directories are filtered in Configure. Look for
+ # %skipdir there for further explanations.
+
+-SUBDIRS=crypto ssl apps util tools fuzz providers doc
++SUBDIRS=crypto ssl apps util tools providers
+ IF[{- !$disabled{tests} -}]
+ SUBDIRS=test
+ ENDIF
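Review bot: The subject `Do not build tests and fuzz directories` and the body `This shortens build time.` do not match what the new SUBDIRS line does: it drops `fuzz` and `doc`, while `test` is left to the existing `IF[{- !$disabled{tests} -}]` guard. Suggest rewording the description to `Do not build fuzz and doc directories` and noting that the test build is still controlled by the `no-tests` configure option, so a reader does not expect this patch to affect tests.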
diff --git a/package/libs/openssl/patches/140-allow-prefer-chacha20.patch b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
new file mode 100644
index 0000000..fb7bc84
--- /dev/null
+++ b/package/libs/openssl/patches/140-allow-prefer-chacha20.patch
@@ -0,0 +1,92 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Thu, 27 Sep 2018 08:44:39 -0300
+Subject: Add OPENSSL_PREFER_CHACHA_OVER_GCM option
+
+This enables a compile-time option to prefer ChaCha20-Poly1305 over
+AES-GCM in the openssl default ciphersuite, which is useful in systems
+without AES specific CPU instructions.
+OPENSSL_PREFER_CHACHA_OVER_GCM must be defined to enable it.
+
+Note that this does not have the same effect as the
+SL_OP_PRIORITIZE_CHACHA option, which prioritizes ChaCha20-Poly1305 only
+when the client has it on top of its ciphersuite preference.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -1506,11 +1506,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
+ &tail);
+
++ /*
++ * If OPENSSL_PREFER_CHACHA_OVER_GCM is defined, ChaCha20_Poly1305
++ * will be placed before AES-256. Otherwise, the default behavior of
++ * preferring GCM over CHACHA is used.
++ * This is useful for systems that do not have AES-specific CPU
++ * instructions, where ChaCha20-Poly1305 is 3 times faster than AES.
++ * Note that this does not have the same effect as the SSL_OP_PRIORITIZE_CHACHA
++ * option, which prioritizes ChaCha20-Poly1305 only when the client has it on top
++ * of its ciphersuite preference.
++ */
++
++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
++ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
++ &head, &tail);
++ ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
++ &head, &tail);
++#else
+ /* Within each strength group, we prefer GCM over CHACHA... */
+ ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
+ &head, &tail);
+ ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
+ &head, &tail);
++#endif
+
+ /*
+ * ...and generally, our preferred cipher is AES.
+@@ -1565,7 +1583,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ * Within each group, ciphers remain sorted by strength and previous
+ * preference, i.e.,
+ * 1) ECDHE > DHE
+- * 2) GCM > CHACHA
++ * 2) GCM > CHACHA, reversed if OPENSSL_PREFER_CHACHA_OVER_GCM is defined
+ * 3) AES > rest
+ * 4) TLS 1.2 > legacy
+ *
+@@ -2236,7 +2254,13 @@ const char *OSSL_default_cipher_list(voi
+ */
+ const char *OSSL_default_ciphersuites(void)
+ {
++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
++ return "TLS_CHACHA20_POLY1305_SHA256:"
++ "TLS_AES_256_GCM_SHA384:"
++ "TLS_AES_128_GCM_SHA256";
++#else
+ return "TLS_AES_256_GCM_SHA384:"
+ "TLS_CHACHA20_POLY1305_SHA256:"
+ "TLS_AES_128_GCM_SHA256";
++#endif
+ }
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -195,9 +195,15 @@ extern "C" {
+ * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
+ * Update both macro and function simultaneously
+ */
+-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+- "TLS_CHACHA20_POLY1305_SHA256:" \
+- "TLS_AES_128_GCM_SHA256"
++# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM
++# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
++ "TLS_AES_256_GCM_SHA384:" \
++ "TLS_AES_128_GCM_SHA256"
++# else
++# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
++ "TLS_CHACHA20_POLY1305_SHA256:" \
++ "TLS_AES_128_GCM_SHA256"
++# endif
+ # endif
+ /*
+ * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
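Review bot: `TLS_DEFAULT_CIPHERSUITES` in the new ssl.h.in block is chosen by `#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM` at the point where an application includes the header, whereas `OSSL_default_ciphersuites()` is fixed when libssl is compiled; unless the define is also exported to consumers, the two disagree, with the deprecated macro still yielding the AES-first order. The existing comment `Update both macro and function simultaneously` suggests stating this in the new block, e.g. `/* OPENSSL_PREFER_CHACHA_OVER_GCM must be defined identically for the library build and for code using this macro; OSSL_default_ciphersuites() is authoritative */`. In the patch description `SL_OP_PRIORITIZE_CHACHA` is a typo for `SSL_OP_PRIORITIZE_CHACHA`, which the in-code comment spells correctly. The new ssl_ciph.c comment's `3 times faster than AES` is an unqualified figure; `typically several times faster on CPUs without AES instructions` reads better as a rationale. Both changed functions extend outside their hunks.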
diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
new file mode 100644
index 0000000..9fe9cdf
--- /dev/null
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Date: Sat, 27 Mar 2021 17:43:25 -0300
+Subject: openssl.cnf: add engine configuration
+
+This adds configuration options for engines, loading all cnf files under
+/etc/ssl/engines.cnf.d/.
+
+Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7
+
+ [openssl_init]
+ providers = provider_sect
++engines = engines_sect
+
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
++.include /var/etc/ssl/providers.cnf
++
+ # The fips section name should match the section name inside the
+ # included fipsmodule.cnf.
+ # fips = fips_sect
+@@ -69,7 +72,13 @@ default = default_sect
+ # OpenSSL may not work correctly which could lead to significant system
+ # problems including inability to remotely access the system.
+ [default_sect]
+-# activate = 1
++activate = 1
++
++[engines_sect]
++.include /var/etc/ssl/engines.cnf
++
++.include /etc/ssl/modules.cnf.d
++
+
+
+ ####################################################################
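Review bot: The new `.include /var/etc/ssl/providers.cnf`, `.include /var/etc/ssl/engines.cnf` and `.include /etc/ssl/modules.cnf.d` lines make every process that loads openssl.cnf parse files from those paths, and an engines section can name shared objects to load, so those locations must be writable by root only; a comment next to the directives would record that expectation, e.g. `# Generated at boot; must not be writable by unprivileged users, since engine sections can load shared objects`. Whether a missing include path (for instance before the init script has generated the /var/etc/ssl files) aborts config loading or is ignored depends on the OpenSSL version's `.include` handling — worth confirming, since a hard failure would affect every openssl-linked program during early boot. The `.include /etc/ssl/modules.cnf.d` directive follows `[engines_sect]`, so included files that do not open their own section presumably land in engines_sect rather than at top level; a one-line comment would make the intent explicit.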
diff --git a/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
new file mode 100644
index 0000000..f183263
--- /dev/null
+++ b/package/libs/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 09:29:13 -0300
+Subject: e_devcrypto: default to not use digests in engine
+
+Digests are almost always slower when using /dev/crypto because of the
+cost of the context switches. Only for large blocks it is worth it.
+
+Also, when forking, the open context structures are duplicated, but the
+internal kernel sessions are still shared between forks, which means an
+update/close operation in one fork affects all processes using that
+session.
+
+This affects digests, especially for HMAC, where the session with the
+key hash is used as a source for subsequent operations. At least one
+popular application does this across a fork. Disabling digests by
+default will mitigate the problem, while still allowing the user to
+turn them on if it is safe and fast enough.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -905,7 +905,7 @@ static void prepare_digest_methods(void)
+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
+ i++) {
+
+- selected_digests[i] = 1;
++ selected_digests[i] = 0;
+
+ /*
+ * Check that the digest is usable
+@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c
+ #ifdef IMPLEMENT_DIGEST
+ {DEVCRYPTO_CMD_DIGESTS,
+ "DIGESTS",
+- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
++ "either ALL, NONE, or a comma-separated list of digests to enable [default=NONE]",
+ ENGINE_CMD_FLAG_STRING},
+ #endif
+
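Review bot: The flipped default `selected_digests[i] = 0;` in prepare_digest_methods carries no explanation in the code, so the fork-shared-session rationale survives only in this patch description; a comment on that line, e.g. `/* Digests default to disabled: /dev/crypto sessions are shared across fork() and context switches make small digests slower; enable via the DIGESTS control */`, keeps the reason next to the behaviour. The `DIGESTS` help string is updated to `[default=NONE]` consistently with the new default. prepare_digest_methods continues outside the hunk, so I cannot see whether anything else still assumes the old all-enabled default.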
diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
new file mode 100644
index 0000000..40b1dc7
--- /dev/null
+++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz <cote2004-github@yahoo.com>
+Date: Mon, 11 Mar 2019 10:15:14 -0300
+Subject: e_devcrypto: ignore error when closing session
+
+In cipher_init, ignore an eventual error when closing the previous
+session. It may have been closed by another process after a fork.
+
+Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
+
+--- a/engines/e_devcrypto.c
++++ b/engines/e_devcrypto.c
+@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c
+ int ret;
+
+ /* cleanup a previous session */
+- if (cipher_ctx->sess.ses != 0 &&
+- clean_devcrypto_session(&cipher_ctx->sess) == 0)
+- return 0;
++ if (cipher_ctx->sess.ses != 0)
++ clean_devcrypto_session(&cipher_ctx->sess);
+
+ cipher_ctx->sess.cipher = cipher_d->devcryptoid;
+ cipher_ctx->sess.keylen = cipher_d->keylen;
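Review bot: The new `if (cipher_ctx->sess.ses != 0) clean_devcrypto_session(&cipher_ctx->sess);` discards the return value, so a close failure no longer aborts cipher_init, but any error that clean_devcrypto_session pushes onto the OpenSSL error queue (I cannot see its body) would remain there and surface to the caller at an unrelated point; if it does, bracketing the call with `ERR_set_mark()` / `ERR_pop_to_mark()` drops only that error. Either way, the reason for ignoring the result belongs in the code: `/* Ignore errors: after fork() the kernel session may already have been closed by another process */`. cipher_init continues outside the hunk.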