Re: [LEDE-DEV] [PATCH] [RFC] openssl: update to version 1.1.0f

2017-11-08 Thread Baptiste Jonglez
Hi,

Thanks for the feedback!

On 31-10-17, Philip Prindeville wrote:
> I’d also note that some of the compatibility stuff has been deprecated, 
> hasn’t it?

What do you mean?

> > define Package/openssl/Default/description
> > -The OpenSSL Project is a collaborative effort to develop a robust,
> > -commercial-grade, full-featured, and Open Source toolkit implementing the 
> > Secure
> > -Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols 
> > as well
> > -as a full-strength general purpose cryptography library.
> > +OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
> > +Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
> > +It is also a general-purpose cryptography library.
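
Review bot: the replacement text on the `+Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.` line drops the protocol versions altogether, so the description no longer tells a user which SSL/TLS versions this build offers. The change summary lists upstream removal of SSL2; consider a short clause saying so, or listing the versions still built, so that nobody selecting the package assumes SSLv2 is still available.
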
> 
> 
> Don’t know where this text is coming from, but it’s important to also note 
> that OpenSSL provides a full suite of crypto and digest primitives (MD5, 
> SHA*, AES, RSA, 3DES, Blowfish, etc), as well as PKI support (X.509, etc), 
> which is useful for non-networking applications as well (file security, code 
> signing, etc).

I took the text from https://www.openssl.org/

I changed the description because the old one was mentioning SSLv2, which
is no longer supported.

> Nice getting rid of all those patches!  How many are we down to after this 
> round of changes?

Basically just one, which defines custom compilation flags for the
different architectures supported by OpenWrt.

In this RFC I had added a second patch to fix build on aarch64, but it
already made it upstream (in 1.1.0g, while this RFC is based on 1.1.0f).

By the way, did you have a look at dependent packages that fail to build?
I remember there was at least wget.

Baptiste




Re: [LEDE-DEV] [PATCH] [RFC] openssl: update to version 1.1.0f

2017-10-31 Thread Philip Prindeville
Inline…

> On Oct 31, 2017, at 3:56 AM, Baptiste Jonglez wrote:
> 
> From: Baptiste Jonglez 
> 
> This patch is marked [RFC] because this is such a huge change, and some
> dependent packages now fail to build because of API changes.  Also, there
> is no parallel build for now, but this was already the case with 1.0.2l.
> Feedback is welcome!
> 
> Here is a summary of the changes:
> 
> 1) complete overhaul of the upstream build system, which allowed removing
>   most local patches;
> 
> 2) upstream removal of KRB5, SSL2, JPAKE;
> 
> 3) upstream addition of BLAKE2, CHACHA20, POLY1305, OCB (disabled by
>   default in the package but configurable);
> 
> 4) clean-up configuration of optional features: in OpenSSL, some options
>   are enabled by default, while some are disabled by default.  As a
>   result, the package now explicitly enables or disables each optional
>   feature;


Yes, good idea.  If the upstream defaults change, we wouldn’t need to change 
our Makefiles if we continue to explicitly configure everything.


> 
> 5) new upstream async mode, primarily used for crypto engines.  It is
>   disabled in the package because musl does not seem to implement
>   getcontext/setcontext (see 52739e40ccc1b16cd966ea204bcfea3cc874fec8
>   upstream);
> 
> 6) a patch fixing build on Aarch64 has been added and sent upstream
>   https://github.com/openssl/openssl/pull/4617


I’d also note that some of the compatibility stuff has been deprecated, hasn’t 
it?


> 
> Here is the size increase for libopenssl.ipk compared to 1.0.2l, first
> 1.1.0f with default options and then 1.1.0f with all new options¹:
> 
> | Architecture              | 1.0.2l  | 1.1.0f  | 1.1.0f           |
> |                           | Default | Default | All new options¹ |
> |---------------------------+---------+---------+------------------|
> | aarch64_cortex-a53        | 634K    | 831K    | 844K             |
> | aarch64_generic           | 628K    | 662K    | 672K             |
> | arc_arc700                | 573K    | 610K    | 621K             |
> | arc_archs                 | 570K    | 605K    | 613K             |
> | arm_arm1176jzf-s_vfp      | 631K    | 823K    | 833K             |
> | arm_arm926ej-s            | 631K    | 824K    | 835K             |
> | arm_cortex-a15_neon-vfpv4 | 638K    | 831K    | 843K             |
> | arm_cortex-a5             | 639K    | 832K    | 843K             |
> | arm_cortex-a7_neon-vfpv4  | 638K    | 830K    | 843K             |
> | arm_cortex-a8_vfpv3       | 639K    | 831K    | 843K             |
> | armeb_xscale              | 639K    | 834K    | 844K             |
> | arm_fa526                 | 638K    | 831K    | 841K             |
> | i386_pentium4             | 784K    | 822K    | 834K             |
> | i386_pentium              | 795K    | 832K    | 842K             |
> | mips_24kc                 | 701K    | 742K    | 755K             |
> | mips64el_mips64           | 674K    | 710K    | 719K             |
> | mips64_mips64             | 689K    | 725K    | 734K             |
> | mipsel_24kc               | 688K    | 728K    | 740K             |
> | mipsel_74kc               | 693K    | 735K    | 747K             |
> | mipsel_mips32             | 691K    | 731K    | 744K             |
> | mips_mips32               | 701K    | 744K    | 757K             |
> | powerpc_464fp             | 664K    | 703K    | 714K             |
> | powerpc_8540              | 672K    | 712K    | 723K             |
> | x86_64                    | 949K    | 986K    | 1002K            |
> 
> ¹ All new options:
> CONFIG_OPENSSL_WITH_BLAKE2=y
> CONFIG_OPENSSL_WITH_CHACHA20=y
> CONFIG_OPENSSL_WITH_POLY1305=y
> CONFIG_OPENSSL_WITH_OCB=y
> ---
> package/libs/openssl/Config.in |  20 +++
> package/libs/openssl/Makefile  | 110 +++-
> ...g-Use-eventfd2-syscall-instead-of-eventfd.patch |  48 ++
> .../openssl/patches/110-optimize-for-size.patch|  43 +++--
> package/libs/openssl/patches/130-perl-path.patch   |  64 ---
> .../libs/openssl/patches/140-makefile-dirs.patch   |  11 --
> package/libs/openssl/patches/150-no_engines.patch  |  81 -
> .../openssl/patches/160-disable_doc_tests.patch|  58 ---
> package/libs/openssl/patches/170-bash_path.patch   |   8 -
> .../openssl/patches/180-fix_link_segfault.patch|  18 --
> .../patches/190-remove_timestamp_check.patch   |  23 ---
> .../libs/openssl/patches/200-parallel_build.patch  | 184 -
> 12 files changed, 168 insertions(+), 500 deletions(-)
> create mode 100644 
> package/libs/openssl/patches/0001-afalg-Use-eventfd2-syscall-instead-of-eventfd.patch
> delete mode 100644 package/libs/openssl/patches/130-perl-path.patch
> delete mode 100644 package/libs/openssl/patches/140-makefile-dirs.patch
> delete mode 100644 package/libs/openssl/patches/150-no_engines.patch
> delete mode 100644 
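
Item 4 of the summary, passing an explicit setting for every optional feature so that upstream defaults never decide the result, sketched as shell. This is an added example, not the package's Makefile or code from this thread: the `CONFIG_OPENSSL_WITH_*` symbols come from the patch footnote and `enable-`/`no-` are OpenSSL `Configure` arguments, while the symbol-to-feature mapping, both function names and the sample `.config` lines are assumptions.

```shell
# Added example (not the package Makefile).
# "Kconfig suffix:Configure feature" pairs; the mapping is assumed for illustration.
FEATURES="BLAKE2:blake2 CHACHA20:chacha POLY1305:poly1305 OCB:ocb"

# openssl_feature_flags FILE  (hypothetical helper)
# Prints exactly one enable-/no- argument per feature. A symbol that is
# absent or "is not set" becomes no-<feature>, never an implicit default.
openssl_feature_flags() {
    cfg=$1; flags=""
    for pair in $FEATURES; do
        sym="CONFIG_OPENSSL_WITH_${pair%%:*}"
        feat=${pair#*:}
        if grep -qxF "${sym}=y" "$cfg"; then
            flags="$flags enable-$feat"
        else
            flags="$flags no-$feat"
        fi
    done
    echo "${flags# }"
}

# openssl_unset_symbols FILE  (hypothetical helper)
# Lists symbols that have neither "=y" nor "# ... is not set": the config
# never made a decision about them, which is worth flagging in review.
openssl_unset_symbols() {
    cfg=$1; missing=""
    for pair in $FEATURES; do
        sym="CONFIG_OPENSSL_WITH_${pair%%:*}"
        grep -qxF -e "${sym}=y" -e "# ${sym} is not set" "$cfg" \
            || missing="$missing $sym"
    done
    echo "${missing# }"
}

# Constructed sample .config fragment (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_OPENSSL_WITH_CHACHA20=y
CONFIG_OPENSSL_WITH_POLY1305=y
# CONFIG_OPENSSL_WITH_OCB is not set
EOF
openssl_feature_flags "$sample"
openssl_unset_symbols "$sample"
```
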

[LEDE-DEV] [PATCH] [RFC] openssl: update to version 1.1.0f

2017-10-31 Thread Baptiste Jonglez
From: Baptiste Jonglez 

This patch is marked [RFC] because this is such a huge change, and some
dependent packages now fail to build because of API changes.  Also, there
is no parallel build for now, but this was already the case with 1.0.2l.
Feedback is welcome!

Here is a summary of the changes:

1) complete overhaul of the upstream build system, which allowed removing
   most local patches;

2) upstream removal of KRB5, SSL2, JPAKE;

3) upstream addition of BLAKE2, CHACHA20, POLY1305, OCB (disabled by
   default in the package but configurable);

4) clean-up configuration of optional features: in OpenSSL, some options
   are enabled by default, while some are disabled by default.  As a
   result, the package now explicitly enables or disables each optional
   feature;

5) new upstream async mode, primarily used for crypto engines.  It is
   disabled in the package because musl does not seem to implement
   getcontext/setcontext (see 52739e40ccc1b16cd966ea204bcfea3cc874fec8
   upstream);

6) a patch fixing build on Aarch64 has been added and sent upstream
   https://github.com/openssl/openssl/pull/4617

Here is the size increase for libopenssl.ipk compared to 1.0.2l, first
1.1.0f with default options and then 1.1.0f with all new options¹:

| Architecture              | 1.0.2l  | 1.1.0f  | 1.1.0f           |
|                           | Default | Default | All new options¹ |
|---------------------------+---------+---------+------------------|
| aarch64_cortex-a53        | 634K    | 831K    | 844K             |
| aarch64_generic           | 628K    | 662K    | 672K             |
| arc_arc700                | 573K    | 610K    | 621K             |
| arc_archs                 | 570K    | 605K    | 613K             |
| arm_arm1176jzf-s_vfp      | 631K    | 823K    | 833K             |
| arm_arm926ej-s            | 631K    | 824K    | 835K             |
| arm_cortex-a15_neon-vfpv4 | 638K    | 831K    | 843K             |
| arm_cortex-a5             | 639K    | 832K    | 843K             |
| arm_cortex-a7_neon-vfpv4  | 638K    | 830K    | 843K             |
| arm_cortex-a8_vfpv3       | 639K    | 831K    | 843K             |
| armeb_xscale              | 639K    | 834K    | 844K             |
| arm_fa526                 | 638K    | 831K    | 841K             |
| i386_pentium4             | 784K    | 822K    | 834K             |
| i386_pentium              | 795K    | 832K    | 842K             |
| mips_24kc                 | 701K    | 742K    | 755K             |
| mips64el_mips64           | 674K    | 710K    | 719K             |
| mips64_mips64             | 689K    | 725K    | 734K             |
| mipsel_24kc               | 688K    | 728K    | 740K             |
| mipsel_74kc               | 693K    | 735K    | 747K             |
| mipsel_mips32             | 691K    | 731K    | 744K             |
| mips_mips32               | 701K    | 744K    | 757K             |
| powerpc_464fp             | 664K    | 703K    | 714K             |
| powerpc_8540              | 672K    | 712K    | 723K             |
| x86_64                    | 949K    | 986K    | 1002K            |

¹ All new options:
CONFIG_OPENSSL_WITH_BLAKE2=y
CONFIG_OPENSSL_WITH_CHACHA20=y
CONFIG_OPENSSL_WITH_POLY1305=y
CONFIG_OPENSSL_WITH_OCB=y
---
 package/libs/openssl/Config.in |  20 +++
 package/libs/openssl/Makefile  | 110 +++-
 ...g-Use-eventfd2-syscall-instead-of-eventfd.patch |  48 ++
 .../openssl/patches/110-optimize-for-size.patch|  43 +++--
 package/libs/openssl/patches/130-perl-path.patch   |  64 ---
 .../libs/openssl/patches/140-makefile-dirs.patch   |  11 --
 package/libs/openssl/patches/150-no_engines.patch  |  81 -
 .../openssl/patches/160-disable_doc_tests.patch|  58 ---
 package/libs/openssl/patches/170-bash_path.patch   |   8 -
 .../openssl/patches/180-fix_link_segfault.patch|  18 --
 .../patches/190-remove_timestamp_check.patch   |  23 ---
 .../libs/openssl/patches/200-parallel_build.patch  | 184 -
 12 files changed, 168 insertions(+), 500 deletions(-)
 create mode 100644 
package/libs/openssl/patches/0001-afalg-Use-eventfd2-syscall-instead-of-eventfd.patch
 delete mode 100644 package/libs/openssl/patches/130-perl-path.patch
 delete mode 100644 package/libs/openssl/patches/140-makefile-dirs.patch
 delete mode 100644 package/libs/openssl/patches/150-no_engines.patch
 delete mode 100644 package/libs/openssl/patches/160-disable_doc_tests.patch
 delete mode 100644 package/libs/openssl/patches/170-bash_path.patch
 delete mode 100644 package/libs/openssl/patches/180-fix_link_segfault.patch
 delete mode 100644 
package/libs/openssl/patches/190-remove_timestamp_check.patch
 delete mode 100644 package/libs/openssl/patches/200-parallel_build.patch
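
Review bot: the one file this diffstat creates, 0001-afalg-Use-eventfd2-syscall-instead-of-eventfd.patch, does not follow the three-digit numbering of every other file under patches/ (110-, 130-, ... 200-), and the summary never names it; item 6 only says that an Aarch64 build fix was added. Suggest renaming it to fit the existing scheme and naming the file in item 6, so that the set of local patches still carried against upstream is easy to audit.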

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index dbcd11abfc..4b395281a7 100644
--- a/package/libs/openssl/Config.in
+++