Deprecate the "hw" configuration options, make "padlockeng" disablable

The "hw" and "hw-.*" style options are historical artifacts, sprung
from the time when ENGINE was first designed, with hardware crypto
accelerators and HSMs in mind.

Today, these options have largely lost their value, replaced by
options such as "no-{foo}eng" and "no-engine".

This completes the transition by making "hw" and "hw-.*" deprecated,
but automatically translated into more modern variants of the same.

In the process, we get rid of the last regular expression in
Configure's @disablables, a feature that was ill supported anyway.
Also, padlock now gets treated just as every other engine.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8380)
This commit is contained in:
Richard Levitte 2019-03-01 13:18:11 +01:00
parent e3b35d2b29
commit 469ce8ff48
5 changed files with 92 additions and 78 deletions

View File

@ -374,7 +374,6 @@ my @disablables = (
"fuzz-afl",
"gost",
"heartbeats",
"hw(-.+)?",
"idea",
"makedepend",
"md2",
@ -386,6 +385,7 @@ my @disablables = (
"pinshared",
"ocb",
"ocsp",
"padlockeng",
"pic",
"poly1305",
"posix-io",
@ -434,6 +434,8 @@ foreach my $proto ((@tls, @dtls))
my %deprecated_disablables = (
"ssl2" => undef,
"buf-freelists" => undef,
"hw" => "hw", # causes cascade, but no macro
"hw-padlock" => "padlockeng",
"ripemd" => "rmd160",
"ui" => "ui-console",
);
@ -495,7 +497,9 @@ my @disable_cascades = (
# Without position independent code, there can be no shared libraries or DSOs
"pic" => [ "shared" ],
"shared" => [ "dynamic-engine" ],
"engine" => [ "afalgeng", "devcryptoeng" ],
"engine" => [ grep /eng$/, @disablables ],
"hw" => [ "padlockeng" ],
# no-autoalginit is only useful when building non-shared
"autoalginit" => [ "shared", "apps" ],
@ -674,8 +678,9 @@ while (@argvcopy)
if (/^(no|disable|enable)-(.+)$/)
{
my $word = $2;
if (!exists $deprecated_disablables{$word}
&& !grep { $word =~ /^${_}$/ } @disablables)
if ($word !~ m|hw(?:-.+)| # special treatment for hw regexp opt
&& !exists $deprecated_disablables{$word}
&& !grep { $word eq $_ } @disablables)
{
$unsupported_options{$_} = 1;
next;
@ -729,6 +734,10 @@ while (@argvcopy)
$disabled{$deprecated_disablables{$1}} = "option";
}
}
elsif ($1 =~ m|hw(?:-.+)|) # deprecate hw options in regexp form
{
$deprecated_options{$_} = 1;
}
else
{
$disabled{$1} = "option";
@ -1193,6 +1202,10 @@ $config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile";
my %skipdir = ();
my %disabled_info = (); # For configdata.pm
foreach my $what (sort keys %disabled) {
# There are deprecated disablables that translate to themselves.
# They cause disabling cascades, but should otherwise not regiter.
next if $deprecated_disablables{$what};
$config{options} .= " no-$what";
if (!grep { $what eq $_ } ( 'dso', 'threads', 'shared', 'pic',

View File

@ -396,9 +396,6 @@
available if the GOST algorithms are also available through
loading an externally supplied engine.
no-hw-padlock
Don't build the padlock engine.
no-makedepend
Don't generate dependencies.
@ -413,6 +410,11 @@
no-ocsp
Don't build support for OCSP.
no-padlockeng
no-hw-padlock
Don't build the padlock engine.
('no-hw-padlock' is deprecated and should not be used)
no-pic
Don't build with support for Position Independent Code.

View File

@ -389,7 +389,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto)
return 1;
}
# endif
# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
# if !defined(OPENSSL_NO_PADLOCKENG)
static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT;
DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock)
{
@ -761,7 +761,7 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
&& !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto))
return 0;
# endif
# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
# if !defined(OPENSSL_NO_PADLOCKENG)
if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
&& !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock))
return 0;

View File

@ -1,9 +1,10 @@
IF[{- !$disabled{"engine"} -}]
IF[{- $disabled{"dynamic-engine"} -}]
LIBS=../libcrypto
SOURCE[../libcrypto]=\
e_padlock.c {- $target{padlock_asm_src} -}
IF[{- !$disabled{padlockeng} -}]
SOURCE[../libcrypto]=\
e_padlock.c {- $target{padlock_asm_src} -}
ENDIF
IF[{- !$disabled{capieng} -}]
SOURCE[../libcrypto]=e_capi.c
ENDIF
@ -14,13 +15,18 @@ IF[{- !$disabled{"engine"} -}]
SOURCE[../libcrypto]=e_devcrypto.c
ENDIF
ELSE
MODULES{engine}=padlock
SOURCE[padlock]=e_padlock.c {- $target{padlock_asm_src} -}
DEPEND[padlock]=../libcrypto
INCLUDE[padlock]=../include
IF[{- defined $target{shared_defflag} -}]
SHARED_SOURCE[padlock]=padlock.ld
GENERATE[padlock.ld]=../util/engines.num
IF[{- !$disabled{padlockeng} -}]
MODULES{engine}=padlock
SOURCE[padlock]=e_padlock.c {- $target{padlock_asm_src} -}
DEPEND[padlock]=../libcrypto
INCLUDE[padlock]=../include
GENERATE[e_padlock-x86.s]=asm/e_padlock-x86.pl \
$(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR)
GENERATE[e_padlock-x86_64.s]=asm/e_padlock-x86_64.pl $(PERLASM_SCHEME)
IF[{- defined $target{shared_defflag} -}]
SHARED_SOURCE[padlock]=padlock.ld
GENERATE[padlock.ld]=../util/engines.num
ENDIF
ENDIF
IF[{- !$disabled{capieng} -}]
MODULES{engine}=capi
@ -69,8 +75,4 @@ IF[{- !$disabled{"engine"} -}]
GENERATE[ossltest.ld]=../util/engines.num
ENDIF
ENDIF
GENERATE[e_padlock-x86.s]=asm/e_padlock-x86.pl \
$(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR)
GENERATE[e_padlock-x86_64.s]=asm/e_padlock-x86_64.pl $(PERLASM_SCHEME)
ENDIF

View File

@ -19,40 +19,39 @@
#include <openssl/err.h>
#include <openssl/modes.h>
#ifndef OPENSSL_NO_HW
# ifndef OPENSSL_NO_HW_PADLOCK
#ifndef OPENSSL_NO_PADLOCKENG
/*
* VIA PadLock AES is available *ONLY* on some x86 CPUs. Not only that it
* doesn't exist elsewhere, but it even can't be compiled on other platforms!
*/
# undef COMPILE_HW_PADLOCK
# if defined(PADLOCK_ASM)
# define COMPILE_HW_PADLOCK
# ifdef OPENSSL_NO_DYNAMIC_ENGINE
static ENGINE *ENGINE_padlock(void);
# endif
# endif
# undef COMPILE_PADLOCKENG
# if defined(PADLOCK_ASM)
# define COMPILE_PADLOCKENG
# ifdef OPENSSL_NO_DYNAMIC_ENGINE
static ENGINE *ENGINE_padlock(void);
# endif
# endif
# ifdef OPENSSL_NO_DYNAMIC_ENGINE
void engine_load_padlock_int(void);
void engine_load_padlock_int(void)
{
/* On non-x86 CPUs it just returns. */
# ifdef COMPILE_HW_PADLOCK
# ifdef COMPILE_PADLOCKENG
ENGINE *toadd = ENGINE_padlock();
if (!toadd)
return;
ENGINE_add(toadd);
ENGINE_free(toadd);
ERR_clear_error();
# endif
# endif
}
# endif
# endif
# ifdef COMPILE_HW_PADLOCK
# ifdef COMPILE_PADLOCKENG
/* Function for ENGINE detection and control */
static int padlock_available(void);
@ -106,7 +105,7 @@ static int padlock_bind_helper(ENGINE *e)
return 1;
}
# ifdef OPENSSL_NO_DYNAMIC_ENGINE
# ifdef OPENSSL_NO_DYNAMIC_ENGINE
/* Constructor */
static ENGINE *ENGINE_padlock(void)
{
@ -123,7 +122,7 @@ static ENGINE *ENGINE_padlock(void)
return eng;
}
# endif
# endif
/* Check availability of the engine */
static int padlock_init(ENGINE *e)
@ -135,7 +134,7 @@ static int padlock_init(ENGINE *e)
* This stuff is needed if this ENGINE is being compiled into a
* self-contained shared-library.
*/
# ifndef OPENSSL_NO_DYNAMIC_ENGINE
# ifndef OPENSSL_NO_DYNAMIC_ENGINE
static int padlock_bind_fn(ENGINE *e, const char *id)
{
if (id && (strcmp(id, padlock_id) != 0)) {
@ -151,14 +150,14 @@ static int padlock_bind_fn(ENGINE *e, const char *id)
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(padlock_bind_fn)
# endif /* !OPENSSL_NO_DYNAMIC_ENGINE */
# endif /* !OPENSSL_NO_DYNAMIC_ENGINE */
/* ===== Here comes the "real" engine ===== */
/* Some AES-related constants */
# define AES_BLOCK_SIZE 16
# define AES_KEY_SIZE_128 16
# define AES_KEY_SIZE_192 24
# define AES_KEY_SIZE_256 32
# define AES_BLOCK_SIZE 16
# define AES_KEY_SIZE_128 16
# define AES_KEY_SIZE_192 24
# define AES_KEY_SIZE_256 32
/*
* Here we store the status information relevant to the current context.
*/
@ -224,29 +223,29 @@ static int padlock_available(void)
/* ===== AES encryption/decryption ===== */
# if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
# define NID_aes_128_cfb NID_aes_128_cfb128
# endif
# if defined(NID_aes_128_cfb128) && ! defined (NID_aes_128_cfb)
# define NID_aes_128_cfb NID_aes_128_cfb128
# endif
# if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
# define NID_aes_128_ofb NID_aes_128_ofb128
# endif
# if defined(NID_aes_128_ofb128) && ! defined (NID_aes_128_ofb)
# define NID_aes_128_ofb NID_aes_128_ofb128
# endif
# if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
# define NID_aes_192_cfb NID_aes_192_cfb128
# endif
# if defined(NID_aes_192_cfb128) && ! defined (NID_aes_192_cfb)
# define NID_aes_192_cfb NID_aes_192_cfb128
# endif
# if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
# define NID_aes_192_ofb NID_aes_192_ofb128
# endif
# if defined(NID_aes_192_ofb128) && ! defined (NID_aes_192_ofb)
# define NID_aes_192_ofb NID_aes_192_ofb128
# endif
# if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
# define NID_aes_256_cfb NID_aes_256_cfb128
# endif
# if defined(NID_aes_256_cfb128) && ! defined (NID_aes_256_cfb)
# define NID_aes_256_cfb NID_aes_256_cfb128
# endif
# if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
# define NID_aes_256_ofb NID_aes_256_ofb128
# endif
# if defined(NID_aes_256_ofb128) && ! defined (NID_aes_256_ofb)
# define NID_aes_256_ofb NID_aes_256_ofb128
# endif
/* List of supported ciphers. */
static const int padlock_cipher_nids[] = {
@ -276,9 +275,9 @@ static int padlock_cipher_nids_num = (sizeof(padlock_cipher_nids) /
static int padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc);
# define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
# define NEAREST_ALIGNED(ptr) ( (unsigned char *)(ptr) + \
( (0x10 - ((size_t)(ptr) & 0x0F)) & 0x0F ) )
# define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
# define ALIGNED_CIPHER_DATA(ctx) ((struct padlock_cipher_data *)\
NEAREST_ALIGNED(EVP_CIPHER_CTX_get_cipher_data(ctx)))
static int
@ -453,17 +452,17 @@ padlock_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
return 1;
}
# define EVP_CIPHER_block_size_ECB AES_BLOCK_SIZE
# define EVP_CIPHER_block_size_CBC AES_BLOCK_SIZE
# define EVP_CIPHER_block_size_OFB 1
# define EVP_CIPHER_block_size_CFB 1
# define EVP_CIPHER_block_size_CTR 1
# define EVP_CIPHER_block_size_ECB AES_BLOCK_SIZE
# define EVP_CIPHER_block_size_CBC AES_BLOCK_SIZE
# define EVP_CIPHER_block_size_OFB 1
# define EVP_CIPHER_block_size_CFB 1
# define EVP_CIPHER_block_size_CTR 1
/*
* Declaring so many ciphers by hand would be a pain. Instead introduce a bit
* of preprocessor magic :-)
*/
# define DECLARE_AES_EVP(ksize,lmode,umode) \
# define DECLARE_AES_EVP(ksize,lmode,umode) \
static EVP_CIPHER *_hidden_aes_##ksize##_##lmode = NULL; \
static const EVP_CIPHER *padlock_aes_##ksize##_##lmode(void) \
{ \
@ -626,12 +625,12 @@ padlock_aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
AES_set_decrypt_key(key, key_len, &cdata->ks);
else
AES_set_encrypt_key(key, key_len, &cdata->ks);
# ifndef AES_ASM
# ifndef AES_ASM
/*
* OpenSSL C functions use byte-swapped extended key.
*/
padlock_key_bswap(&cdata->ks);
# endif
# endif
cdata->cword.b.keygen = 1;
break;
@ -714,12 +713,10 @@ static RAND_METHOD padlock_rand = {
padlock_rand_status, /* rand status */
};
# endif /* COMPILE_HW_PADLOCK */
# endif /* !OPENSSL_NO_HW_PADLOCK */
#endif /* !OPENSSL_NO_HW */
# endif /* COMPILE_PADLOCKENG */
#endif /* !OPENSSL_NO_PADLOCKENG */
#if defined(OPENSSL_NO_HW) || defined(OPENSSL_NO_HW_PADLOCK) \
|| !defined(COMPILE_HW_PADLOCK)
#if defined(OPENSSL_NO_PADLOCKENG) || !defined(COMPILE_PADLOCKENG)
# ifndef OPENSSL_NO_DYNAMIC_ENGINE
OPENSSL_EXPORT
int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns);