Re: [LEDE-DEV] [PATCH] [RFC] openssl: update to version 1.1.0f
Hi,

Thanks for feedback!

On 31-10-17, Philip Prindeville wrote:
> I’d also note that some of the compatibility stuff has been deprecated,
> hasn’t it?

What do you mean?

> > define Package/openssl/Default/description
> > -The OpenSSL Project is a collaborative effort to develop a robust,
> > -commercial-grade, full-featured, and Open Source toolkit implementing the
> > Secure
> > -Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
> > as well
> > -as a full-strength general purpose cryptography library.
> > +OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
> > +Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
> > +It is also a general-purpose cryptography library.
> >
>
> Don’t know where this text is coming from, but it’s important to also note
> that OpenSSL provides a full suite of crypto and digest primitives (MD5,
> SHA*, AES, RSA, 3DES, Blowfish, etc), as well as PKI support (X.509, etc),
> which is useful for non-networking applications as well (file security, code
> signing, etc).

I took the text from https://www.openssl.org/

I changed the description because the old one was mentioning SSLv2, which is
no longer supported.

> Nice getting rid of all those patches! How many are we down to after this
> round of changes?

Basically just one, which defines custom compilation flags for the different
architectures supported by OpenWrt.

In this RFC I had added a second patch to fix build on aarch64, but it
already made it upstream (in 1.1.0g, while this RFC is based on 1.1.0f).

By the way, did you have a look at dependent packages that fail to build?
I remember there was at least wget.

Baptiste
Re: [LEDE-DEV] [PATCH] [RFC] openssl: update to version 1.1.0f
Inline…

> On Oct 31, 2017, at 3:56 AM, Baptiste Jonglez wrote:
>
> From: Baptiste Jonglez
>
> This patch is marked [RFC] because this is such a huge change, and some
> dependent packages now fail to build because of API changes. Also, there
> is no parallel build for now, but this was already the case with 1.0.2l.
> Feedback is welcome!
>
> Here is a summary of the changes:
>
> 1) complete overhaul of the upstream build system, which allowed to remove
>    most local patches;
>
> 2) upstream removal of KRB5, SSL2, JPAKE;
>
> 3) upstream addition of BLAKE2, CHACHA20, POLY1305, OCB (disabled by
>    default in the package but configurable);
>
> 4) clean-up configuration of optional features: in OpenSSL, some options
>    are enabled by default, while some are disabled by default. As a
>    result, the package now explicitly enables or disables each optional
>    feature;

Yes, good idea. If the upstream defaults change, we wouldn’t need to change our Makefiles if we continue to explicitly configure everything.

>
> 5) new upstream async mode, primarily used for crypto engines. It is
>    disabled in the package because musl does not seem to implement
>    getcontext/setcontext (see 52739e40ccc1b16cd966ea204bcfea3cc874fec8
>    upstream);
>
> 6) a patch fixing build on Aarch64 has been added and sent upstream
>    https://github.com/openssl/openssl/pull/4617

I’d also note that some of the compatibility stuff has been deprecated, hasn’t it?

>
> Here is the size increase for libopenssl.ipk compared to 1.0.2l, first
> 1.1.0f with default options and then 1.1.0f with all new options¹:
>
> | Architecture              | 1.0.2l  | 1.1.0f  | 1.1.0f           |
> |                           | Default | Default | All new options¹ |
> |---------------------------+---------+---------+------------------|
> | aarch64_cortex-a53        |    634K |    831K |             844K |
> | aarch64_generic           |    628K |    662K |             672K |
> | arc_arc700                |    573K |    610K |             621K |
> | arc_archs                 |    570K |    605K |             613K |
> | arm_arm1176jzf-s_vfp      |    631K |    823K |             833K |
> | arm_arm926ej-s            |    631K |    824K |             835K |
> | arm_cortex-a15_neon-vfpv4 |    638K |    831K |             843K |
> | arm_cortex-a5             |    639K |    832K |             843K |
> | arm_cortex-a7_neon-vfpv4  |    638K |    830K |             843K |
> | arm_cortex-a8_vfpv3       |    639K |    831K |             843K |
> | armeb_xscale              |    639K |    834K |             844K |
> | arm_fa526                 |    638K |    831K |             841K |
> | i386_pentium4             |    784K |    822K |             834K |
> | i386_pentium              |    795K |    832K |             842K |
> | mips_24kc                 |    701K |    742K |             755K |
> | mips64el_mips64           |    674K |    710K |             719K |
> | mips64_mips64             |    689K |    725K |             734K |
> | mipsel_24kc               |    688K |    728K |             740K |
> | mipsel_74kc               |    693K |    735K |             747K |
> | mipsel_mips32             |    691K |    731K |             744K |
> | mips_mips32               |    701K |    744K |             757K |
> | powerpc_464fp             |    664K |    703K |             714K |
> | powerpc_8540              |    672K |    712K |             723K |
> | x86_64                    |    949K |    986K |            1002K |
>
> ¹ All new options:
> CONFIG_OPENSSL_WITH_BLAKE2=y
> CONFIG_OPENSSL_WITH_CHACHA20=y
> CONFIG_OPENSSL_WITH_POLY1305=y
> CONFIG_OPENSSL_WITH_OCB=y
> ---
> package/libs/openssl/Config.in | 20 +++
> package/libs/openssl/Makefile | 110 +++-
> ...g-Use-eventfd2-syscall-instead-of-eventfd.patch | 48 ++
> .../openssl/patches/110-optimize-for-size.patch| 43 +++--
> package/libs/openssl/patches/130-perl-path.patch | 64 ---
> .../libs/openssl/patches/140-makefile-dirs.patch | 11 --
> package/libs/openssl/patches/150-no_engines.patch | 81 -
> .../openssl/patches/160-disable_doc_tests.patch| 58 ---
> package/libs/openssl/patches/170-bash_path.patch | 8 -
> .../openssl/patches/180-fix_link_segfault.patch| 18 --
> .../patches/190-remove_timestamp_check.patch | 23 ---
> .../libs/openssl/patches/200-parallel_build.patch | 184 -
> 12 files changed, 168 insertions(+), 500 deletions(-)
> create mode 100644
> package/libs/openssl/patches/0001-afalg-Use-eventfd2-syscall-instead-of-eventfd.patch
> delete mode 100644 package/libs/openssl/patches/130-perl-path.patch
> delete mode 100644 package/libs/openssl/patches/140-makefile-dirs.patch
> delete mode 100644 package/libs/openssl/patches/150-no_engines.patch
> delete mode 100644
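Item 4 and the reply to it rely on every optional feature being set explicitly, which can be verified after a build by comparing the CONFIG_OPENSSL_WITH_* selections with the OPENSSL_NO_* macros in the generated opensslconf.h. This is an added example, not code from the patch or from anyone in the thread; the symbol-to-macro mapping, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the package's feature selection with what a build
# actually produced. The CONFIG_* -> OPENSSL_NO_* mapping is an assumption
# made for illustration; the thread does not show the package Makefile.
FEATURE_MAP="BLAKE2:BLAKE2 CHACHA20:CHACHA POLY1305:POLY1305 OCB:OCB"

# audit_features <dot-config> <opensslconf.h>
# Prints one line per mismatch; returns 0 only if every feature agrees.
audit_features() {
    config=$1
    header=$2
    status=0
    for pair in $FEATURE_MAP; do
        sym=${pair%%:*}
        macro=OPENSSL_NO_${pair##*:}
        want=off
        have=on
        # Enabled in the package config only when explicitly set to "y".
        grep -q "^CONFIG_OPENSSL_WITH_${sym}=y\$" "$config" && want=on
        # opensslconf.h marks a compiled-out feature with "# define OPENSSL_NO_<X>".
        grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" \
            "$header" && have=off
        if [ "$want" != "$have" ]; then
            echo "MISMATCH ${sym}: config=${want} header=${have}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample inputs (not taken from a real build): the header behaves
# as if one upstream default had flipped and one option had been left unset.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'CONFIG_OPENSSL_WITH_CHACHA20=y' 'CONFIG_OPENSSL_WITH_POLY1305=y' \
        '# CONFIG_OPENSSL_WITH_BLAKE2 is not set' \
        '# CONFIG_OPENSSL_WITH_OCB is not set' > "$tmp/config"
    printf '%s\n' '#ifndef OPENSSL_NO_OCB' '# define OPENSSL_NO_OCB' '#endif' \
        '#ifndef OPENSSL_NO_POLY1305' '# define OPENSSL_NO_POLY1305' '#endif' \
        > "$tmp/opensslconf.h"
    rc=0
    audit_features "$tmp/config" "$tmp/opensslconf.h" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "feature drift detected"
```

A non-zero return from audit_features means the built header disagrees with the configuration, for example because an option was never passed to the build and an upstream default decided instead.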
[LEDE-DEV] [PATCH] [RFC] openssl: update to version 1.1.0f
From: Baptiste Jonglez

This patch is marked [RFC] because this is such a huge change, and some
dependent packages now fail to build because of API changes. Also, there
is no parallel build for now, but this was already the case with 1.0.2l.
Feedback is welcome!

Here is a summary of the changes:

1) complete overhaul of the upstream build system, which allowed to remove
   most local patches;

2) upstream removal of KRB5, SSL2, JPAKE;

3) upstream addition of BLAKE2, CHACHA20, POLY1305, OCB (disabled by
   default in the package but configurable);

4) clean-up configuration of optional features: in OpenSSL, some options
   are enabled by default, while some are disabled by default. As a
   result, the package now explicitly enables or disables each optional
   feature;

5) new upstream async mode, primarily used for crypto engines. It is
   disabled in the package because musl does not seem to implement
   getcontext/setcontext (see 52739e40ccc1b16cd966ea204bcfea3cc874fec8
   upstream);

6) a patch fixing build on Aarch64 has been added and sent upstream
   https://github.com/openssl/openssl/pull/4617

Here is the size increase for libopenssl.ipk compared to 1.0.2l, first
1.1.0f with default options and then 1.1.0f with all new options¹:

| Architecture              | 1.0.2l  | 1.1.0f  | 1.1.0f           |
|                           | Default | Default | All new options¹ |
|---------------------------+---------+---------+------------------|
| aarch64_cortex-a53        |    634K |    831K |             844K |
| aarch64_generic           |    628K |    662K |             672K |
| arc_arc700                |    573K |    610K |             621K |
| arc_archs                 |    570K |    605K |             613K |
| arm_arm1176jzf-s_vfp      |    631K |    823K |             833K |
| arm_arm926ej-s            |    631K |    824K |             835K |
| arm_cortex-a15_neon-vfpv4 |    638K |    831K |             843K |
| arm_cortex-a5             |    639K |    832K |             843K |
| arm_cortex-a7_neon-vfpv4  |    638K |    830K |             843K |
| arm_cortex-a8_vfpv3       |    639K |    831K |             843K |
| armeb_xscale              |    639K |    834K |             844K |
| arm_fa526                 |    638K |    831K |             841K |
| i386_pentium4             |    784K |    822K |             834K |
| i386_pentium              |    795K |    832K |             842K |
| mips_24kc                 |    701K |    742K |             755K |
| mips64el_mips64           |    674K |    710K |             719K |
| mips64_mips64             |    689K |    725K |             734K |
| mipsel_24kc               |    688K |    728K |             740K |
| mipsel_74kc               |    693K |    735K |             747K |
| mipsel_mips32             |    691K |    731K |             744K |
| mips_mips32               |    701K |    744K |             757K |
| powerpc_464fp             |    664K |    703K |             714K |
| powerpc_8540              |    672K |    712K |             723K |
| x86_64                    |    949K |    986K |            1002K |

¹ All new options:
CONFIG_OPENSSL_WITH_BLAKE2=y
CONFIG_OPENSSL_WITH_CHACHA20=y
CONFIG_OPENSSL_WITH_POLY1305=y
CONFIG_OPENSSL_WITH_OCB=y
---
 package/libs/openssl/Config.in | 20 +++
 package/libs/openssl/Makefile | 110 +++-
 ...g-Use-eventfd2-syscall-instead-of-eventfd.patch | 48 ++
 .../openssl/patches/110-optimize-for-size.patch| 43 +++--
 package/libs/openssl/patches/130-perl-path.patch | 64 ---
 .../libs/openssl/patches/140-makefile-dirs.patch | 11 --
 package/libs/openssl/patches/150-no_engines.patch | 81 -
 .../openssl/patches/160-disable_doc_tests.patch| 58 ---
 package/libs/openssl/patches/170-bash_path.patch | 8 -
 .../openssl/patches/180-fix_link_segfault.patch| 18 --
 .../patches/190-remove_timestamp_check.patch | 23 ---
 .../libs/openssl/patches/200-parallel_build.patch | 184 -
 12 files changed, 168 insertions(+), 500 deletions(-)
 create mode 100644 package/libs/openssl/patches/0001-afalg-Use-eventfd2-syscall-instead-of-eventfd.patch
 delete mode 100644 package/libs/openssl/patches/130-perl-path.patch
 delete mode 100644 package/libs/openssl/patches/140-makefile-dirs.patch
 delete mode 100644 package/libs/openssl/patches/150-no_engines.patch
 delete mode 100644 package/libs/openssl/patches/160-disable_doc_tests.patch
 delete mode 100644 package/libs/openssl/patches/170-bash_path.patch
 delete mode 100644 package/libs/openssl/patches/180-fix_link_segfault.patch
 delete mode 100644 package/libs/openssl/patches/190-remove_timestamp_check.patch
 delete mode 100644 package/libs/openssl/patches/200-parallel_build.patch

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index dbcd11abfc..4b395281a7 100644
--- a/package/libs/openssl/Config.in
+++
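
Review bot: the diffstat creates 0001-afalg-Use-eventfd2-syscall-instead-of-eventfd.patch, but item 6 of the commit message only calls it "a patch fixing build on Aarch64", so nothing ties the file name to the upstream pull request; naming the patch file next to the PR link in item 6 would make that link explicit. The follow-up in this thread says the fix landed upstream in 1.1.0g, so basing the update on 1.1.0g instead of 1.1.0f would let this new patch be dropped.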