[OpenWrt-Devel] [PATCH v2 5/6] openssl: remove some unneeded functionality and algorithms

Dirk Feytons dirk.feytons at gmail.com
Fri Jun 10 04:23:18 EDT 2016


I can make a config option for it if you like and enable it by default.
(FYI: no-srp saves almost 16K on libcrypto and 9,5K on libssl)


Dirk F.

On 9 June 2016 at 23:39, Karl Palsson <karlp at tweak.net.au> wrote:
> On this one, does SRP have to be included? I'm not using it, and
> I know it's super uncommon, but it's like PSK, only easier to
> use, and disabling it in even more places is just guaranteeing
> that it's never going to be used. Totally understand tossing all
> the others though.
>
> Cheers,
> Karl P
>
>
> Dirk Feytons <dirk.feytons at gmail.com> wrote:
>> The patch needed for this commit has been sent upstream:
>> https://github.com/openssl/openssl/pull/1155
>>
>> Signed-off-by: Dirk Feytons <dirk.feytons at gmail.com>
>> ---
>>  package/libs/openssl/Makefile                      |    7 +++---
>>  .../openssl/patches/302-fix_no_cmac_build.patch    |   24 ++++++++++++++++++++
>>  2 files changed, 28 insertions(+), 3 deletions(-)
>>  create mode 100644 package/libs/openssl/patches/302-fix_no_cmac_build.patch
>>
>> diff --git a/package/libs/openssl/Makefile
>> b/package/libs/openssl/Makefile index 2fbb566..4782c42 100644
>> --- a/package/libs/openssl/Makefile
>> +++ b/package/libs/openssl/Makefile
>> @@ -96,8 +96,9 @@ This package contains the OpenSSL command-line utility.
>>  endef
>>
>>
>> -OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0
>> no-camellia no-krb5 -OPENSSL_OPTIONS:= shared no-err no-sse2
>> no-ssl2 +OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5
>> no-sha0 no-camellia no-krb5 no-srp \
>> + no-whrlpool no-whirlpool no-bf no-ripemd no-seed no-cast no-cmac
>> +OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2 no-ssl2-method
>> no-heartbeats
>>
>>  ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>>    OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
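
Review bot: The new `OPENSSL_NO_CIPHERS` continuation line lists both `no-whrlpool` and `no-whirlpool`, which reads as a typo. If both spellings are needed for the option to take effect, say so in a Makefile comment or in the commit message; otherwise keep only the one that is required. Separately, `no-srp` is added unconditionally on the same assignment, while SSL3 further down is gated by `ifndef CONFIG_OPENSSL_WITH_SSL3`; given the objection raised in this thread, a config symbol following that existing pattern would let SRP users keep it without patching the Makefile.
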
>> @@ -117,7 +118,7 @@ ifndef CONFIG_OPENSSL_WITH_EC2M
>>  endif
>>
>>  ifndef CONFIG_OPENSSL_WITH_SSL3
>> -  OPENSSL_OPTIONS += no-ssl3
>> +  OPENSSL_OPTIONS += no-ssl3 no-ssl3-method
>>  endif
>>
>>  ifndef CONFIG_OPENSSL_HARDWARE_SUPPORT
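
Review bot: `no-ssl3-method` on the `OPENSSL_OPTIONS +=` line under `ifndef CONFIG_OPENSSL_WITH_SSL3` (like `no-ssl2-method` in the previous hunk) goes beyond disabling the protocol: it removes the version-specific method functions from the library, so packages that still reference them will stop building or linking. The commit message only speaks of "unneeded functionality"; please state this API change there and note whether dependent packages in the tree were build-tested with SSL3 disabled.
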
>> diff --git
>> a/package/libs/openssl/patches/302-fix_no_cmac_build.patch
>> b/package/libs/openssl/patches/302-fix_no_cmac_build.patch new
>> file mode 100644 index 0000000..1b94f24
>> --- /dev/null
>> +++ b/package/libs/openssl/patches/302-fix_no_cmac_build.patch
>> @@ -0,0 +1,24 @@
>> +--- a/crypto/asn1/ameth_lib.c
>> ++++ b/crypto/asn1/ameth_lib.c
>> +@@ -93,7 +93,9 @@ static const EVP_PKEY_ASN1_METHOD *stand
>> +     &eckey_asn1_meth,
>> + #endif
>> +     &hmac_asn1_meth,
>> ++#ifndef OPENSSL_NO_CMAC
>> +     &cmac_asn1_meth,
>> ++#endif
>> + #ifndef OPENSSL_NO_DH
>> +     &dhx_asn1_meth
>> + #endif
>> +--- a/crypto/evp/pmeth_lib.c
>> ++++ b/crypto/evp/pmeth_lib.c
>> +@@ -91,7 +91,9 @@ static const EVP_PKEY_METHOD *standard_m
>> +     &ec_pkey_meth,
>> + #endif
>> +     &hmac_pkey_meth,
>> ++#ifndef OPENSSL_NO_CMAC
>> +     &cmac_pkey_meth,
>> ++#endif
>> + #ifndef OPENSSL_NO_DH
>> +     &dhx_pkey_meth
>> + #endif
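
Review bot: The new `302-fix_no_cmac_build.patch` starts directly at `--- a/crypto/asn1/ameth_lib.c` with no header, so nothing in the file records why it exists or when it can be dropped. Add a short description at the top (build fix for `no-cmac`: the `&cmac_asn1_meth` and `&cmac_pkey_meth` table entries are now guarded by `OPENSSL_NO_CMAC`) together with the upstream pull request URL given in the commit message, so the patch can be removed once upstream carries the fix.
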