Re: Build problems with packages which are using openssl

2023-04-27 Thread Eneas U de Queiroz
On Sun, Apr 23, 2023 at 6:56 PM e9hack  wrote:
> In the past, it was possible to build packages which use crypto 
> libraries like openssl, wolfssl or mbedtls in parallel. One was built for 
> the image, selected as , the others were built as modules, selected as .
>
> This doesn't work any more if a package is selected to use openssl 
> with  and any other crypto library is selected with .
>
> Compiling is successful, but installation complains about installing a binary 
> twice from two different packages.
>
> I'm not sure since when this occurs, but I assume it was introduced 
> with the openssl update to 3.0.x.

Hi Hartmut

I'm trying to reproduce the issue here.  I had hit it in my very first
try, but then lost it when I tried to reproduce it with a log.  From
what I could glimpse, it appears to be an issue with the way opkg
handles library selection.  If a package depends on a library with a
generic name, then it would use its own heuristics to install one of
the versions found, and it may not be the one that was built into the
image.  Then, when it tries to install the selected library, it will
fail because the file was already installed by the previous package.

I submitted a patch series for opkg[1], but it has not caught much
attention.  You may try it yourself to see if it fixes your problem.

I had it backwards in my case.  Libustream-openssl was selected, but
libustream-mbedtls got installed as a dependency.  I couldn't identify
the package right away.  During the same run, dnsmasq and dnsmasq-full
showed the same error, but it did not involve a library.  It was
strange and my tree was dirty, so I tried to build it from scratch,
and the problem was gone.

Also, note that menuconfig will let you choose bad combinations with
libustream-ssl.  It will let you install cache-domains-wolfssl, for
example, even when libustream-mbedtls is already selected.  That may
also break install with the same error.

I'm still trying, but if you can give me a config file, or the steps
to reproduce it, I can work faster.

Cheers,

Eneas

1. https://patchwork.ozlabs.org/project/openwrt/cover/20221017170358.3628154-1-cotequei...@gmail.com/

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: Anyone working on porting OpenSSL to v3.x?

2023-02-03 Thread Eneas U de Queiroz
On Fri, Feb 3, 2023 at 5:02 PM Paul Spooren  wrote:
>
> Hey all,
>
> We’re still using OpenSSL 1.1.x within OpenWrt and during the last developer 
> meeting we were wondering if anyone is working on porting it over to v3.x? If 
> so please share your status, thanks!

It's been on my to-do list for ages.  I can start working on it now.
Cheers,
Eneas



[PATCH] wolfssl: libwolfsslcpu-crypto: add base-files dep

2022-10-17 Thread Eneas U de Queiroz
On aarch64, the libwolfsslcpu-crypto preinst script needs base-files to get
the target architecture to check for CPU crypto support during offline
installation.

While at it, fix indentation in Makefile.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 08a1ca7401..a1bd340007 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -83,7 +83,7 @@ define Package/libwolfsslcpu-crypto
 $(call Package/libwolfssl/Default)
   TITLE:=wolfSSL library with AES CPU instructions
   PROVIDES:=libwolfssl libcyassl
-  DEPENDS:=@((aarch64||x86_64)&&(m||!TARGET_bcm27xx))
+  DEPENDS:=@((aarch64||x86_64)&&(m||!TARGET_bcm27xx)) +aarch64:base-files
   ABI_VERSION:=$(PKG_ABI_VERSION)
   VARIANT:=cpu-crypto
 endef
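Review bot: the reason for the arch-conditional `+aarch64:base-files` in DEPENDS lives only in the commit message (the aarch64 preinst reads the target architecture from base-files during offline installation), not in the Makefile. Since base-files is in virtually every image anyway and the x86_64 branch of the preinst does not need it, the dependency looks redundant on its own; a one-line comment above the DEPENDS line saying why it is there would keep a later cleanup from dropping it.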
@@ -164,7 +164,7 @@ else ifdef CONFIG_aarch64
 Package/libwolfsslcpu-crypto/preinst=\
$(subst @@WOLFSSL_NOASM_REGEX@@,$(WOLFSSL_NOASM_REGEX),$(file 


[opkg 3/3] libopkg: pkg_hash: consider names stripped of ABI

2022-10-17 Thread Eneas U de Queiroz
When resolving dependencies, packages listed in the cli may not have
the ABI version, and they should have a higher priority over anything
picked automatically.

Use powers of two when computing the score to avoid ties due to
different criteria, and so that it reflects what was matched.

The resulting priorities after this change are:
 - base score is 0
 === USER CHOICE CRITERIA 
 - packages "picked by hand" (local file given in the cli) have absolute
   priority, ending the search regardless of score
 - package whose full name is in the cli: score += 4
 - package whose name stripped of ABI matches one in the cli: score += 2
 === DEVELOPER CRITERIA 
 - package whose full name matches the dependency name: score += 1
 - in case of a tie, the last package that was looked at is chosen

Signed-off-by: Eneas U de Queiroz 
---
 libopkg/pkg_hash.c | 24 +---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git opkglibopkg/pkg_hash.c b/libopkg/pkg_hash.c
index f3fb0c6..9494211 100644
--- opkglibopkg/pkg_hash.c
+++ b/libopkg/pkg_hash.c
@@ -413,7 +413,12 @@ pkg_t 
*pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg,
for (i = 0; i < matching_pkgs->len; i++) {
pkg_t *matching = matching_pkgs->pkgs[i];
if (constraint_fcn(matching, cdata)) {
-   int score = 1;
+   int score = 0;
+   char *stripped_name = NULL;
+   const char *abiver;
+   size_t abilen, namelen;
+   int cli_score;
+
/* It has been provided by hand, so it is what user 
want */
if (matching->provided_by_hand == 1) {
good_pkg_by_name = matching;
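Review bot: lowering the base score from 1 to 0 makes a candidate that matches neither the dependency name nor any cli argument score 0, which is also the initial value of the best-score variable; that is only correct if the comparison further down is a strict `score < good_pkg_score` (implied by the "last one looked at wins on a tie" rule in the commit message) and not `<=`, and neither the comparison nor the initialisation is in this hunk. A sentence in the commit message, or a comment at the comparison site, should make that dependency explicit.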
@@ -422,15 +427,28 @@ pkg_t 
*pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg,
break;
}
 
+   if ((abiver = pkg_get_string(matching, PKG_ABIVERSION)) 
&&
+   ((namelen = strlen(matching->name))) > ((abilen = 
strlen(abiver))) &&
+   !strncmp(matching->name + namelen - abilen, abiver, 
abilen) &&
+   !(stripped_name = strndup(matching->name, namelen - 
abilen))) {
+   fprintf (stderr, "Out of memory.\n");
+   exit(EXIT_FAILURE);
+   }
+
if (strcmp(matching->name, apkg->name) == 0)
score++;
 
-   for (j = 0; j < opkg_cli_argc; ++j) {
+   for (j = 0, cli_score = 0; j < opkg_cli_argc; ++j) {
if (!strcmp(matching->name, opkg_cli_argv[j])) {
-   score += 2;
+   cli_score = 4;
break;
+   } else if (stripped_name &&
+  !strcmp(stripped_name, 
opkg_cli_argv[j])) {
+   cli_score = 2;
}
}
+   score += cli_score;
+   free(stripped_name);
 
opkg_msg(DEBUG, "Candidate: %s %s (score %d).\n",
 matching->name, pkg_get_string(matching, 
PKG_VERSION),
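Review bot: the ABI stripping in the new `if` block treats any name that merely ends with the ABI string as name+ABI, with no separator check, so a package whose real name happens to end in the same characters as its ABI_VERSION (a short numeric ABI on a name that ends in the same digit, say) gets a stripped name that is not its package name and may collect the +2 cli bonus by accident. The damage is bounded because only packages already in `matching_pkgs` are scored, but it deserves a comment. Two smaller points: chaining `!(stripped_name = strndup(...))` onto the condition makes the allocation look like part of the error test; separating the allocation from the out-of-memory check reads better. And the `else if` branch sets `cli_score = 2` without `break` on purpose, so that a later exact match in argv can still raise it to 4; say so in a comment, otherwise someone will "fix" it.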



[opkg 2/3] libopkg: pkg_hash: bump score of packages in cli

2022-10-17 Thread Eneas U de Queiroz
When resolving dependencies, packages whose names are listed in the cli
should have a higher priority over other packages picked from the feeds.
Right now a package from the feeds with the same name as the dependency
is given the same score as one present in the cli.  The one looked at
last would be chosen, which is not ideal.

Since packages in the command line are going to be installed anyway,
they should have a higher priority over new ones.

Signed-off-by: Eneas U de Queiroz 
---
 libopkg/pkg_hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git opkglibopkg/pkg_hash.c b/libopkg/pkg_hash.c
index 482efb8..f3fb0c6 100644
--- opkglibopkg/pkg_hash.c
+++ b/libopkg/pkg_hash.c
@@ -427,7 +427,7 @@ pkg_t 
*pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg,
 
for (j = 0; j < opkg_cli_argc; ++j) {
if (!strcmp(matching->name, opkg_cli_argv[j])) {
-   score++;
+   score += 2;
break;
}
}
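Review bot: `score += 2` only ranks a cli-listed package above a plain dependency-name match because the other criterion adds exactly 1 (both: 4, cli only: 3, name only: 2). That ordering is carried by two magic numbers; a short comment above the loop stating the intended ranking (cli argument beats dependency name) would stop the next criterion added here from reintroducing a tie.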



[opkg 0/3] Rework criteria for dependent package selection

2022-10-17 Thread Eneas U de Queiroz
This fixes a problem when generating an image using the firmware
builder, to include libwolfsslcpu-crypto.  Before they are sent to the
asu server, the firmware builder strips the ABI version from the packages
and sorts them alphabetically.  That means libustream-wolfssl will be
installed before libwolfsslcpu-crypto.

Opkg will see that libustream-wolfssl depends on
libwolfssl5.5.1.b24d5f87.  Since it matches the name of the regular
libwolfssl package, it is chosen and installed.  When it comes to
libwolfsslcpu-crypto's turn, it will fail because of a clash with the
regular package.

If you were to run it in the cmdline with the full name of
libwolfsslcpu-crypto5.5.1.b24d5f87, or list it before any dependents,
then it would work as expected.  However, because the firmware selector
strips the ABI version and changes the order of the packages, there's no way
to build an image with both libustream-wolfssl and libwolfsslcpu-crypto.

The first two commits attempt to add some order to the way they are
currently chosen, by prioritizing packages chosen "by hand" and by
preferring packages listed in the command line arguments over new
packages chosen automatically.

The third commit adds matching the package without ABI suffix, and
establishes a hierarchy among the criteria, prioritizing user choices
(i.e. package names given as command line arguments), then developer
choices (chosen package names), resorting to alphabetical order as a
last resort.

When resolving dependencies, packages listed in the cli may not have the
ABI version, and they should have a higher priority over anything picked
automatically.

Use powers of two when computing the score to avoid ties due to
different criteria, and so that it reflects what was matched.  The
resulting priorities after this change are:

1. base score is 0

---USER CHOICES (cmdline)---
2. packages "picked by hand" (local file given in the cli) have absolute
   priority, ending the search regardless of score
3. package whose full name is in the cli: score += 4
4. package whose name stripped of ABI matches one in the cli: score += 2

---DEVELOPER CHOICE (pkg data)---
5. package whose full name matches the dependency name: score += 1
   Note: the ABI is recorded in the dependency, so I'm not using the
   stripped name here.

6. in case of a tie, the last package that was looked at is chosen
   (equivalent to being first in alphabetical order)

I tried not to change things so much--aside from restoring the "picked
by hand" case, I just created tie-breakers.  However, I still have some
questions about the necessity of some of this.  For example: if more
than one dependency is listed in the cli, does it matter which package
is chosen?  I imagine it would be equivalent of the picked-by-hand case,
so it would be simpler and faster to end the search.  It could make a
difference if one were to install clashing packages with
--force-overwrite in the same invocation, but I can't see a scenario
where this would be useful.

This was tested with the Image Builder, and by running opkg from command
line on Linksys E8450 (mediatek/mt7622, aarch64_cortex-a53).

Signed-off-by: Eneas U de Queiroz 

Eneas U de Queiroz (3):
  libopkg: pkg_hash: restore picked by hand priority
  libopkg: pkg_hash: bump score of packages in cli
  libopkg: pkg_hash: consider names stripped of ABI

 libopkg/pkg_hash.c | 35 +--
 1 file changed, 29 insertions(+), 6 deletions(-)


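The scoring rules laid out in this cover letter and in the 3/3 commit message, modelled in Python as an added example. This is not opkg code; the candidate order and the command lines below are constructed to reproduce the libwolfsslcpu-crypto case described above, and the package names are the ones the cover letter uses.

```python
"""Model of opkg's dependency-candidate scoring as described in the series.

Added example, not opkg code. The candidate list, its order and the cli
argument lists are constructed to reproduce the libwolfsslcpu-crypto clash.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Pkg:
    name: str               # full package name, ABI suffix included
    abiversion: str = ""    # ABI_VERSION appended to the name; "" if none
    by_hand: bool = False   # a local archive passed on the command line


def stripped_name(pkg):
    """Package name without its ABI suffix, or None when the name does not
    end with the ABI string (same test as the strndup() in patch 3/3)."""
    abi = pkg.abiversion
    if abi and len(pkg.name) > len(abi) and pkg.name.endswith(abi):
        return pkg.name[:-len(abi)]
    return None


def score_before(pkg, dep_name, cli_args):
    """Scoring before the series: base 1, +1 dependency name, +1 cli name."""
    score = 1
    if pkg.name == dep_name:
        score += 1
    if pkg.name in cli_args:
        score += 1
    return score


def score_after(pkg, dep_name, cli_args):
    """Scoring after patch 3/3: powers of two, user choices outrank the
    developer's dependency name, and cli names may lack the ABI suffix."""
    score = 0
    if pkg.name == dep_name:
        score += 1                       # developer criterion
    if pkg.name in cli_args:
        score += 4                       # full name given on the cli
    elif stripped_name(pkg) in cli_args:
        score += 2                       # cli name with the ABI stripped
    return score


def pick(candidates, dep_name, cli_args, scorer):
    """Choose the provider of dep_name among candidates.

    A by-hand archive ends the search at once (patch 1/3). Otherwise the
    highest score wins and, on a tie, the last candidate looked at: the
    comparison is a strict '<', as the series states.
    """
    best, best_score = None, 0
    for pkg in candidates:
        if pkg.by_hand:
            return pkg
        score = scorer(pkg, dep_name, cli_args)
        if score < best_score:
            continue
        best, best_score = pkg, score
    return best


# Constructed scenario from the cover letter: libustream-wolfssl depends on
# libwolfssl5.5.1.b24d5f87 and both wolfSSL builds PROVIDE that name.
ABI = "5.5.1.b24d5f87"
DEP = "libwolfssl" + ABI
CANDIDATES = (
    Pkg("libwolfssl" + ABI, ABI),
    Pkg("libwolfsslcpu-crypto" + ABI, ABI),
)
# What the firmware selector sends: ABI stripped, sorted alphabetically.
SELECTOR_CLI = ("libustream-wolfssl", "libwolfsslcpu-crypto")


def resolve(scorer, cli_args=SELECTOR_CLI):
    """Name of the package chosen for DEP under the given scorer."""
    return pick(CANDIDATES, DEP, cli_args, scorer).name


if __name__ == "__main__":
    print("before:", resolve(score_before))   # regular libwolfssl: clashes later
    print("after: ", resolve(score_after))    # libwolfsslcpu-crypto wins
```

With the selector's stripped argument list, the pre-series scorer picks the regular libwolfssl for libustream-wolfssl's dependency (the clash described above), while the post-series scorer picks libwolfsslcpu-crypto because its ABI-stripped name is on the command line; giving the full ABI-suffixed name scores 4 and wins outright, and a by-hand archive short-circuits the search.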


[opkg 1/3] libopkg: pkg_hash: restore picked by hand priority

2022-10-17 Thread Eneas U de Queiroz
Historically, package archives that are provided in the cli were given
priority over any version from the feeds to satisfy dependencies.

However, when a score was introduced in 5936c4f (libopkg: pkg_hash:
prefer original packages to satisfy dependencies), it would only look at
the flag if the package had the highest score at the time it was being
assessed.

While one can argue that the intention of the change was to supersede
the by-hand priority, it would still depend on the order in which
the packages were checked, which is not good.

Perform the "by-hand" check first, and only then go through the score
system.  Add a logging message to show the reason.

Signed-off-by: Eneas U de Queiroz 
---
 libopkg/pkg_hash.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git opkglibopkg/pkg_hash.c b/libopkg/pkg_hash.c
index 11b1a06..482efb8 100644
--- opkglibopkg/pkg_hash.c
+++ b/libopkg/pkg_hash.c
@@ -414,6 +414,14 @@ pkg_t 
*pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg,
pkg_t *matching = matching_pkgs->pkgs[i];
if (constraint_fcn(matching, cdata)) {
int score = 1;
+   /* It has been provided by hand, so it is what user 
want */
+   if (matching->provided_by_hand == 1) {
+   good_pkg_by_name = matching;
+   opkg_msg(DEBUG, "Candidate: %s %s (picked by 
hand).\n",
+matching->name, 
pkg_get_string(matching, PKG_VERSION));
+   break;
+   }
+
if (strcmp(matching->name, apkg->name) == 0)
score++;
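Review bot: the early `break` on `provided_by_hand` returns the first by-hand candidate in iteration order and skips scoring for everything after it, so when two local archives given on the command line both satisfy the same dependency (two variants of one library, say), the winner is decided by hash-table order rather than by any stated rule. That is probably acceptable, but it differs from the old behaviour in the hunk below, where the flag was consulted only after the score comparison, and the commit message should say so.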
 
@@ -432,9 +440,6 @@ pkg_t 
*pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg,
 
good_pkg_by_name = matching;
good_pkg_score = score;
-   /* It has been provided by hand, so it is what user 
want */
-   if (matching->provided_by_hand == 1)
-   break;
}
}
 



[PATCH u-boot] scripts/dtc: Remove redundant YYLOC global declaration

2022-05-05 Thread Eneas U de Queiroz
From: Dirk Mueller 

gcc 10 will default to -fno-common, which causes this error at link
time:

  (.text+0x0): multiple definition of `yylloc'; dtc-lexer.lex.o (symbol from 
plugin):(.text+0x0): first defined here

This is because both dtc-lexer and dtc-parser define the same
global symbol yylloc. Before, with -fcommon, those were merged into one
definition. The proper solution would be to mark this as "extern",
however that leads to:

  dtc-lexer.l:26:16: error: redundant redeclaration of 'yylloc' 
[-Werror=redundant-decls]
   26 | extern YYLTYPE yylloc;
  |^~
In file included from dtc-lexer.l:24:
dtc-parser.tab.h:127:16: note: previous declaration of 'yylloc' was here
  127 | extern YYLTYPE yylloc;
  |^~
cc1: all warnings being treated as errors

which means the declaration is completely redundant and can just be
dropped.

Signed-off-by: Dirk Mueller 
Signed-off-by: David Gibson 
[robh: cherry-pick from upstream]
Cc: sta...@vger.kernel.org
Signed-off-by: Rob Herring 
[Cherry-picked from linux e33a814e772cdc36436c8c188d8c42d019fda639]
Signed-off-by: Eneas U de Queiroz 
---

I'm not sure I got the subject line right for this.
This is supposed to go into git.openwrt.org/project/bcm63xx/u-boot.git

I've stumbled upon the error while doing a test build for
https://github.com/openwrt/openwrt/pull/9756

 scripts/dtc/dtc-lexer.l | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/dtc/dtc-lexer.l b/scripts/dtc/dtc-lexer.l
index fd825ebba6..24af549977 100644
--- a/scripts/dtc/dtc-lexer.l
+++ b/scripts/dtc/dtc-lexer.l
@@ -38,7 +38,6 @@ LINECOMMENT   "//".*\n
 #include "srcpos.h"
 #include "dtc-parser.tab.h"
 
-YYLTYPE yylloc;
 extern bool treesource_error;
 
 /* CAUTION: this will stop working if we ever use yyless() or yyunput() */




[PATCH v4 3/3] openssl: configure engines with uci

2022-02-20 Thread Eneas U de Queiroz
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

config engine 'devcrypto'
option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it logs which engines are being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library;
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile | 13 ++--
 package/libs/openssl/engine.mk| 60 ---
 package/libs/openssl/files/engines.cnf|  7 ---
 package/libs/openssl/files/openssl.init   | 31 ++
 .../150-openssl.cnf-add-engines-conf.patch|  5 +-
 5 files changed, 54 insertions(+), 62 deletions(-)
 delete mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 3a0666ff8e..8ca4d83380 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
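Review bot: this hunk drops engines.cnf from the conffiles list but does not add `/etc/config/openssl`, which the install recipe below creates and the engine postinst appends to; since that uci file is now the place users edit to enable or disable engines, it belongs in `Package/libopenssl-conf/conffiles`, otherwise an upgrade of libopenssl-conf overwrites it with the shipped version and silently changes which engines load.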
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+   $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
$(1)/etc/init.d/openssl
+   touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo devcrypto=devcrypto >> 
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
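Review bot: the two `echo -e "...\n\toption enabled '1'"` lines depend on the recipe shell's echo honouring `-e`; a POSIX sh echo prints a literal `-e` and leaves the escapes untouched, which would put garbage into /etc/config/openssl. `printf "config engine 'devcrypto'\n\toption enabled '1'\n"` is portable and avoids the question. The padlock section also relies on its leading `\n` for separation from the devcrypto one, so each section emitting its own trailing newline would be less fragile when a third built-in engine is added.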
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
-   Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
 
-   opkg install --force-reinstall libopenssl-conf
-   EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
 
-   Then, you will have to reinstall this package, and any other engine 
package you have
-   you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
 
-   opkg install --force-reinstall $$(OSSL_ENG_PKG) 
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+   option enabled '1'
+EOF
 
-   EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then
-cat <<- EOF
-   Your /etc/ssl/openssl.cnf file is not loading engine configuration 
files from
-   /etc/ssl/engines.cnf.d.  You should consider start with a fresh, 
updated 

[PATCH v4 1/3] openssl: config engines in /etc/ssl/engines.cnf.d

2022-02-20 Thread Eneas U de Queiroz
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

Patches were refreshed with --zero-commit.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile |  28 +++--
 package/libs/openssl/files/afalg.cnf  |   3 +
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 101 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 16 files changed, 82 insertions(+), 119 deletions(-)
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/padlock.cnf

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 9e7482117d..737123930c 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
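Review bot: engines.cnf is installed here as the file the package descriptions above tell users to edit to enable an engine, yet this hunk does not add `/etc/ssl/engines.cnf.d/engines.cnf` to `Package/libopenssl-conf/conffiles`; without that entry an upgrade of libopenssl-conf overwrites the user's engine list. The conffiles line should land in this commit rather than be left to the next one in the series.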
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-padlock/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.

[PATCH v4 2/3] openssl: configure engine packages during install

2022-02-20 Thread Eneas U de Queiroz
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile | 58 +
 package/libs/openssl/engine.mk| 82 +++
 package/libs/openssl/files/engines.cnf| 12 +--
 .../150-openssl.cnf-add-engines-conf.patch|  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 737123930c..3a0666ff8e 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
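Review bot: `ENGINES_DIR` disappears from the Makefile here while the engine install recipes in this same file still expand `$(ENGINES_DIR)` (see the afalg, devcrypto and padlock install defines added in patch 1/3), so the variable must now be defined in engine.mk. The commit message does not mention the move, and a reader of this hunk alone sees a deleted variable that is still in use; either say so in the message or keep the assignment next to the `include engine.mk` line.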
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
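Review bot: the two added `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_...,...)` lines test the literal word `CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO` (and `..._PADLOCK`), which is never empty, so make emits both conffile paths regardless of the build configuration. The install recipe further down uses `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),...)`, which is the intended form; the conffiles lines should match it.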
 
 define Package/libopenssl-conf/description
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-  +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf 
@!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE 
+PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-  @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev 
@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 
+PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-  +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
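Review bot: removing the "To use it, you need to enable the engine in ..." sentences leaves the three descriptions with no statement of how an engine gets enabled at all; since the postinst now does it, replace them with one sentence such as "The engine is enabled automatically when this package is installed." For devcrypto the removed text also carried the only pointer to /etc/ssl/engines.cnf.d/devcrypto.cnf as the place to configure the engine; keep that sentence, as the enable mechanism changed but the per-engine options did not move.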
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+   $(CP) ./files/devcrypto.

[PATCH v4 0/3] openssl: Engine configuration series

2022-02-20 Thread Eneas U de Queiroz
This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

v2->v3:
- actually removed the extra files that I had promised in v2

v3->v4:
- rebased onto current head
- removed non-applicable options from original afalg engine conf file

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile |  55 +-
 package/libs/openssl/engine.mk|  46 
 package/libs/openssl/files/afalg.cnf  |   3 +
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/openssl.init   |  31 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 160 insertions(+), 137 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf

-- 
2.34.1


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [PATCH 19.07] wolfssl: bump to 5.1.1-stable

2022-02-20 Thread Eneas U de Queiroz
On Thu, Feb 17, 2022 at 11:51 AM Petr Štetiar  wrote:
>
> This is amalgamation of backported changes since 4.7.0-stable release:
>
>  Sergey V. Lobanov (2):
>
>   5b13b0b02c70 wolfssl: update to 5.1.1-stable
>   7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support
>
>  Andre Heider (3):
>
>   3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
>   249478ec4850 wolfssl: always build with --enable-reproducible-build
>   4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
>
>  Ivan Pavlov (1):
>
>   16414718f9ae wolfssl: update to 4.8.1-stable
>
>  David Bauer (1):
>
>   f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng
>
>  Christian Lamparter (1):
>
>   86801bd3d806 wolfssl: fix Ed25519 typo in config prompt
>
> The diff of security related changes we would need to backport would be
> so huge, that there would be a high probability of introducing new
> vulnerabilities, so it was decided, that bumping to latest stable
> release is the preferred way of fixing the following security issues:
>
>  * OCSP request/response verification issue. (fixed in 4.8.0)
>  * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 
> (fixed in 4.8.1)
>  * Issue with incorrectly validating a certificate (fixed in 5.0.0)
>  * Hang with DSA signature creation when a specific q value is used (fixed in 
> 5.0.0)
>  * Client side session resumption issue (fixed in 5.1.0)
>  * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 
> 5.1.0)
>  * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)
>
> Cc: Hauke Mehrtens 
> Cc: Eneas U de Queiroz 
> Signed-off-by: Petr Štetiar 
> ---

Acked-by: Eneas U de Queiroz 



Re: [PATCH] hostapd: fallback to psk when generating r0kh/r1kh

2022-02-18 Thread Eneas U de Queiroz
Hi David

Thanks for looking into this.

On Fri, Feb 18, 2022 at 3:15 PM David Bauer  wrote:

> Just so i get this right - This means the same configuration is
> incompatible between firmware containing this commit and firmware that
> does not? In this case i would not pick it it 21.02.

TLDR: For the use case that was intended, it does not; it will
intentionally break the insecure setup.

Here's the commit message that introduced the defaults:

21eb0a5aa3 hostapd: add default values for r0kh/r1kh

This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)

My understanding is that the intention was to use this for EAP only.
However, the key gets set even if PSK is used.  In that case it will
have an unset 'auth_secret', and that's where this becomes a security
issue.
The FT key is derived from "$mobility_domain/$auth_secret".  If
'auth_secret' is null, then the key is computed from
"$mobility_domain/" only, and 'mobility_domain' itself is computed
from the SSID by default.  At the end, you have an easy, working setup
with a default FT key that can be computed from just the SSID--and
nothing wrong is visible from the user POV.

There are several ways of fixing this: (1) don't compute r0kh/r1kh if
not using EAP; (2) use the PSK if auth_secret is unset; (3) warn the
user that a key has not been set, but keep things as they are.

I like (2) because it is useful.  You can get FT working with WPA3-SAE
just by turning 802.11r on and turning off ft_psk_generate_local,
without having to set up the key.

Can there be breakage? Yes, and it is intended.  It'll break the
insecure PSK/FT default setup I described above, when you have some AP
running with the fix and some without it.

EAP setups will not be affected: even if 'key' is set but
'auth_secret' is unset (a possible breakage scenario), the code in
line 682[1] will set 'auth_secret' from 'key' if the former is empty:
[ -n "$auth_secret" ] || json_get_var auth_secret key
So you can't have an EAP setup with 'auth_secret' unset and 'key' set.

(1) will create the same breakage, without adding anything useful.

Cheers,

Eneas

[1] https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/hostapd/files/hostapd.sh;h=d9d5f348775debade847f267b1ca1dc86444e41d;hb=HEAD#l682
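The derivation discussed above, as an added example that is not hostapd.sh's own code: it reproduces the default r0kh/r1kh key computation before and after the patch and adds a small audit check. The SSID and secrets are constructed values, and the mobility-domain helper only assumes hostapd.sh's "first 2 bytes of the SSID md5sum" default.

```sh
#!/bin/sh
# Added example, not hostapd.sh's own code: reproduce the default r0kh/r1kh
# key derivation discussed above, before and after the patch, and audit
# whether the result depends on any secret. SSID and secrets are constructed.

# Default mobility domain: first 2 bytes (4 hex chars) of the SSID md5sum.
# Assumption: hostapd.sh hashes the SSID the same way; echo vs printf
# (trailing newline) may make the real value differ, the length does not.
default_mobility_domain() {
    printf '%s' "$1" | md5sum | cut -c1-4
}

# Before the patch: md5 of "$mobility_domain/$auth_secret". With PSK/SAE
# auth_secret is empty, so only the SSID-derived domain is hashed.
ft_key_old() { # $1 mobility_domain, $2 auth_secret
    printf '%s/%s' "$1" "$2" | md5sum | awk '{print $1}'
}

# After the patch: fall back to the PSK ($key) when auth_secret is empty,
# mirroring "${auth_secret:-${key}}" in the hunk.
ft_key_new() { # $1 mobility_domain, $2 auth_secret, $3 key (PSK)
    printf '%s/%s' "$1" "${2:-$3}" | md5sum | awk '{print $1}'
}

# Audit: the generated default is weak when no secret enters the hash,
# i.e. both auth_secret and key are empty (still true after the patch
# for a BSS with neither set).
ft_default_is_weak() { # $1 auth_secret, $2 key
    [ -z "${1:-$2}" ]
}

# Demonstration with constructed values.
ssid="OpenWrt-lab"               # constructed SSID
psk="constructed-psk-not-real"   # constructed PSK
md=$(default_mobility_domain "$ssid")
echo "mobility_domain=$md"
echo "old default (PSK, no auth_secret): $(ft_key_old "$md" "")"
echo "new default (PSK, no auth_secret): $(ft_key_new "$md" "" "$psk")"
if ft_default_is_weak "" "$psk"; then
    echo "default FT key is SSID-derived only"
else
    echo "default FT key includes a secret"
fi
```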



Re: [PATCH] hostapd: fallback to psk when generating r0kh/r1kh

2022-02-18 Thread Eneas U de Queiroz
I have sent this a while ago.  Can anyone review this (Felix, as the
author of r0kh/r1kh generator?).

On Fri, Jan 7, 2022 at 5:19 PM Eneas U de Queiroz  wrote:
>
> The 80211r r0kh and r1kh defaults are generated from the md5sum of
> "$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
> authentication, but the default key is used for SAE/PSK as well.  In
> this case,  auth_secret is empty, and the default value of the key can
> be computed from the SSID alone.
>
> Fallback to using $key when auth_secret is empty.  While at it, rename
> the variable holding the generated key from 'key' to 'ft_key', to avoid
> clobbering the PSK.
>
> Signed-off-by: Eneas U de Queiroz 
> ---
>
> This should be cherry-picked to 21.02 as well.
>
>  package/network/services/hostapd/files/hostapd.sh | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/network/services/hostapd/files/hostapd.sh 
> b/package/network/services/hostapd/files/hostapd.sh
> index d9d5f34877..e00fc21cd9 100644
> --- a/package/network/services/hostapd/files/hostapd.sh
> +++ b/package/network/services/hostapd/files/hostapd.sh
> @@ -876,10 +876,10 @@ hostapd_set_bss_options() {
> set_default pmk_r1_push 0
>
> [ -n "$r0kh" -a -n "$r1kh" ] || {
> -   key=`echo -n 
> "$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'`
> +   ft_key=`echo -n 
> "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'`
>
> -   set_default r0kh 
> "ff:ff:ff:ff:ff:ff,*,$key"
> -   set_default r1kh 
> "00:00:00:00:00:00,00:00:00:00:00:00,$key"
> +   set_default r0kh 
> "ff:ff:ff:ff:ff:ff,*,$ft_key"
> +   set_default r1kh 
> "00:00:00:00:00:00,00:00:00:00:00:00,$ft_key"
> }
>
> [ -n "$r1_key_holder" ] && append bss_conf 
> "r1_key_holder=$r1_key_holder" "$N"


So that one can grasp a bit better what this is about--the commit
message was under par--see this post:

https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81?u=cotequeiroz

Basically, if you have ieee80211r=1, ft_psk_generate_local=0, and have
not set up r0kh or r1kh, then hostapd.sh will generate a 128-bit key
from the 2-byte mobility domain (defaults to the first 2 bytes of the
SSID md5sum) and the auth_secret.

The intention of the script originally was to support just EAP, so it
uses the auth_secret to generate a key.  However, it is possible
(ft_psk_generate_local does not work with SAE) to use generated keys
when using PSK, in which case auth_secret will not be ordinarily set,
and the default key can be trivially computed.

Cheers,

Eneas



Re: [PATCH 19.07 v2 0/3] wolfssl security updates

2022-02-17 Thread Eneas U de Queiroz
On Mon, Feb 14, 2022 at 10:16 PM Luiz Angelo Daros de Luca
 wrote:

> Sure. And I do have interest in getting it fixed.

I've done most of the work here:
https://github.com/cotequeiroz/openwrt/tree/wolfssl-4.7.0-backport

However, I got stuck with this issue, about MitM attack when the
client-side resumption cache is full:
https://www.cybersecurity-help.cz/vulnerabilities/59103/

The patch for it is over 1,500 lines, and I would not be so confident
that backporting changes in many places will not create a new problem.
https://github.com/wolfSSL/wolfssl/commit/569c066fabbddd59e407ff5cf6be8156149df69a

libcurl and hostapd use client-side session resumption, so openwrt is
possibly impacted.  I don't know if the session cache can get filled
by hostapd or not, but with libcurl, anything is possible.  They both
use the wolfSSL_get_session call, not the wolfSSL_get1_session that
would avoid/work around the problem.

Wolfssl should get bumped to 5.1.1 despite the API/ABI/soname change.

Cheers



[PATCH 19.07 v2 3/3] wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

2022-02-14 Thread Eneas U de Queiroz
From: Andre Heider 

"Alternate certification chains, as opposed to requiring full chain
validation. Certificate validation behavior is relaxed, similar to
openssl and browsers. Only the peer certificate must validate to a trusted
certificate. Without this, all certificates sent by a peer must be
used in the trust chain or the connection will be rejected."

This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
Encrypt certificate which are cross-signed by the now expired
DST Root CA X3, see [0].

This is the recommended solution from upstream [1].

The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793

Signed-off-by: Andre Heider 
[bump PKG_RELEASE]
Signed-off-by: David Bauer 
(cherry picked from commit 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3)
[adjust to v4.7.0 Makefile]
Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index d123e7a875..4394b9ea4f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
@@ -56,7 +56,11 @@ define Package/libwolfssl/config
source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer
+TARGET_CFLAGS += \
+   $(FPIC) \
+   -fomit-frame-pointer \
+   -DFP_MAX_BITS=8192 \
+   -DWOLFSSL_ALT_CERT_CHAINS
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
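Review bot: the new `-DWOLFSSL_ALT_CERT_CHAINS` line in the TARGET_CFLAGS block carries no comment explaining why it is set, while the `# --enable-stunnel needed for OpenSSL API compatibility bits` comment directly below documents its neighbour. Since the define relaxes chain validation for every consumer of libwolfssl, not just uclient-fetch and curl, suggest a one-line comment pointing at the Let's Encrypt / DST Root CA X3 issue from the commit message, so the flag is neither dropped silently on the next version bump nor kept without anyone remembering what it changes.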



[PATCH 19.07 v2 1/3] wolfssl: Fix OCSP request/response verification

2022-02-14 Thread Eneas U de Queiroz
In the case that the serial number in the OCSP request differs from the
serial number in the OCSP response the error from the comparison was not
resulting in a failed verification.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile |   2 +-
 .../patches/200-Fix-CompareOcspReqResp.patch  | 224 ++
 2 files changed, 225 insertions(+), 1 deletion(-)
 create mode 100644 package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 57fcaa03b2..631576a58e 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch 
b/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch
new file mode 100644
index 00..9661a2b752
--- /dev/null
+++ b/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch
@@ -0,0 +1,224 @@
+From  Mon Sep 17 00:00:00 2001
+From: Hayden Roche 
+Date: Tue, 27 Apr 2021 13:54:43 -0700
+Subject: [PATCH] Fix CompareOcspReqResp.
+
+There was a bug in this function that could cause a match to be reported even
+when the OCSP request and response in fact had a mismatch.
+
+(cherry picked from commit 73076940af8904f98eee085994c176fe1876b95a)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index 14a160dc2..289ffb941 100644
+--- a/src/ssl.c
 b/src/ssl.c
+@@ -6503,7 +6503,7 @@ WOLFSSL_API int 
wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm,
+ {
+ int ret;
+ 
+-WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
++WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSPResponse");
+ if (cm == NULL || response == NULL)
+ return BAD_FUNC_ARG;
+ if (cm->ocspEnabled == 0)
+diff --git a/tests/api.c b/tests/api.c
+index 6b3af3092..72bfc9aae 100644
+--- a/tests/api.c
 b/tests/api.c
+@@ -1091,6 +1091,170 @@ static int test_cm_load_ca_file(const char* 
ca_cert_file)
+ }
+ #endif /* !NO_FILESYSTEM && !NO_CERTS */
+ 
++static void test_wolfSSL_CertManagerCheckOCSPResponse(void)
++{
++#ifdef HAVE_OCSP
++/* Need one of these for wolfSSL_OCSP_REQUEST_new. */
++#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
++defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \
++defined(HAVE_LIGHTY)
++WOLFSSL_CERT_MANAGER* cm = NULL;
++/* Captured with Wireshark using ocsp.test. */
++byte response[] = {
++0x30, 0x82, 0x06, 0x3b, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x06, 0x34, 
0x30, 0x82, 0x06, 0x30, 0x06,
++0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 
0x82, 0x06, 0x21, 0x30, 0x82,
++0x06, 0x1d, 0x30, 0x81, 0xbf, 0xa2, 0x16, 0x04, 0x14, 0x21, 0x29, 
0x0a, 0x15, 0x08, 0xdd, 0x79,
++0x01, 0x7c, 0xa3, 0xc6, 0x11, 0xe9, 0xbf, 0x8a, 0x33, 0x82, 0x53, 
0xc4, 0x0c, 0x18, 0x0f, 0x32,
++0x30, 0x32, 0x31, 0x30, 0x34, 0x32, 0x37, 0x32, 0x30, 0x32, 0x35, 
0x35, 0x36, 0x5a, 0x30, 0x6f,
++0x30, 0x6d, 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 
0x02, 0x1a, 0x05, 0x00, 0x04,
++0x14, 0x9c, 0x4c, 0x71, 0x15, 0xc3, 0x02, 0x19, 0xca, 0x36, 0xdc, 
0xb9, 0x8b, 0x21, 0x33, 0x00,
++0x4c, 0xa4, 0xa7, 0x8e, 0xd3, 0x04, 0x14, 0xdd, 0xb3, 0xe7, 0x6d, 
0xa8, 0x2e, 0xe8, 0xc5, 0x4e,
++0x6e, 0xcf, 0x74, 0xe6, 0x75, 0x3c, 0x94, 0x15, 0xce, 0xe8, 0x1d, 
0x02, 0x0c, 0x6f, 0x9c, 0x01,
++0x78, 0x1c, 0x21, 0x80, 0x32, 0x25, 0x4a, 0x73, 0x2b, 0x80, 0x00, 
0x18, 0x0f, 0x32, 0x30, 0x32,
++0x31, 0x30, 0x34, 0x32, 0x37, 0x32, 0x30, 0x32, 0x35, 0x35, 0x36, 
0x5a, 0xa0, 0x11, 0x18, 0x0f,
++0x32, 0x30, 0x32, 0x31, 0x30, 0x35, 0x30, 0x31, 0x32, 0x30, 0x32, 
0x35, 0x35, 0x36, 0x5a, 0xa1,
++0x23, 0x30, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 
0x05, 0x07, 0x30, 0x01, 0x02,
++0x04, 0x12, 0x04, 0x10, 0xc0, 0x42, 0x27, 0x55, 0xaf, 0xc4, 0x5c, 
0x34, 0xe1, 0xc8, 0xef, 0x5b,
++0x31, 0xb1, 0x78, 0xe9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 
0x86, 0xf7, 0x0d, 0x01, 0x01,
++0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x54, 0x1b, 0x9e, 
0x10, 0x0f, 0x82, 0x2c, 0x8e,
++0xd7, 0xdd, 0xf2, 0xec, 0x9c, 0x6c, 0x04, 0x5d, 0x57, 0x69, 0xcd, 
0x30, 0x1b, 0xe8, 0xd4, 0x5d,
++0xd4, 0x03, 0x97, 0xd1, 0x33, 0x78, 0x34, 0xdb, 0xc2, 0x4c, 0xc1, 
0x8a, 0xee, 0xc7, 0x18, 0x6a,
++0xe3, 0x6d, 0x59, 0x1b, 0xed, 0xf5, 0x87, 0xff, 0x9d, 0x11, 0xff, 
0x5a, 0xa5, 0x12, 0x93, 0x0e,
++0xc7, 0x67, 0xa4, 0x37, 0xb2, 0x8b, 0xba, 0xab, 0xe1, 0x29, 0x33, 
0xe9, 0xf8, 0x10, 0x1d, 0xbf,
++0x7c, 0x2b, 0x2e, 0x2e, 0x0b, 0x58, 0x5d, 0x8e, 0x0c, 0x44, 0xe2, 
0x1d, 0x73, 0x2a, 0x8a, 0x6a,
++ 
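Review bot: the only src/ssl.c change visible in this hunk is the WOLFSSL_ENTER label fix (`wolfSSL_CertManagerCheckOCSP_Staple` to `wolfSSL_CertManagerCheckOCSPResponse`), and the tests/api.c hunk adds a test built around a captured OCSP response; the comparison fix in CompareOcspReqResp that the subject and commit message describe is not in the visible excerpt, which is cut off at `++ ` partway through the `response[]` array. Review the full 224-line patch file from the git tree rather than from this archive copy before acking the serial-number check itself.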

[PATCH 19.07 v2 2/3] wolfssl: Fix CVE-2021-38597

2022-02-14 Thread Eneas U de Queiroz
OCSP verification issue when response is for a certificate with no
relation to the chain in question BUT that response contains the NoCheck
extension which effectively disables ALL verification of that one cert.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile |  2 +-
 ...-handling-of-OCSP-no-check-extension.patch | 49 +++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 631576a58e..d123e7a875 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git 
a/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
 
b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
new file mode 100644
index 00..6fb62b2033
--- /dev/null
+++ 
b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
@@ -0,0 +1,49 @@
+From  Mon Sep 17 00:00:00 2001
+From: Sean Parkinson 
+Date: Fri, 16 Jul 2021 12:19:39 +1000
+Subject: [PATCH] OCSP: improve handling of OCSP no check extension
+
+(cherry picked from commit f93083be72a3b3d956b52a7ec13f307a27b6e093)
+
+diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
+index bbf71e3c1..966035f5b 100644
+--- a/wolfcrypt/src/asn.c
 b/wolfcrypt/src/asn.c
+@@ -9751,9 +9751,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int 
verify, void* cm)
+ }
+ 
+ #ifdef HAVE_OCSP
+-/* trust for the lifetime of the responder's cert*/
+-if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
+-verify = NO_VERIFY;
++if (verify == VERIFY_OCSP_CERT) {
++/* trust for the lifetime of the responder's cert*/
++if (cert->ocspNoCheckSet)
++verify = VERIFY;
++else
++verify = VERIFY_OCSP;
++}
+ #endif
+ /* advance past extensions */
+ cert->srcIdx = cert->sigIndex;
+@@ -17542,7 +17546,7 @@ static int DecodeBasicOcspResponse(byte* source, 
word32* ioIndex,
+ 
+ /* Don't verify if we don't have access to Cert Manager. */
+ ret = ParseCertRelative(, CERT_TYPE,
+-noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
++noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
+ if (ret < 0) {
+ WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
+ FreeDecodedCert();
+diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
+index e412c1d06..e3cddf5b4 100644
+--- a/wolfssl/wolfcrypt/asn.h
 b/wolfssl/wolfcrypt/asn.h
+@@ -589,6 +589,7 @@ enum VerifyType {
+ VERIFY_OCSP = 3,
+ VERIFY_NAME = 4,
+ VERIFY_SKIP_DATE = 5,
++VERIFY_OCSP_CERT = 6,
+ };
+ 
+ #ifdef WOLFSSL_CERT_EXT
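Review bot: the asn.c hunk is the security-relevant part. Before, a responder certificate carrying the OCSP no-check extension had `verify` set to `NO_VERIFY`, which skipped signature and chain validation of that certificate entirely (the behaviour the commit message describes); after, the new `VERIFY_OCSP_CERT` mode maps to plain `VERIFY` when `cert->ocspNoCheckSet` and to `VERIFY_OCSP` otherwise, so the extension only exempts the responder cert from the revocation check. Note that this archive rendering has lost characters: `ParseCertRelative(, CERT_TYPE,` and `FreeDecodedCert();` are missing their argument (most likely an `&cert` eaten by HTML extraction) and the `b/wolfcrypt/src/asn.c` header lines lack their `++++` prefix, so apply the patch file from git, not from this copy.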



[PATCH 19.07 v2 0/3] wolfssl security updates

2022-02-14 Thread Eneas U de Queiroz
Since a straight version bump is not feasible, I'm applying a couple of
cherry-picks of security fixes:

73076940a Fix CompareOcspReqResp
f93083be7 OCSP: improve handling of OCSP no check extension
  (CVE-2021-38597)

Also included in the series is a patch to build the library with
the "Alternate certificate validation" option WOLFSSL_ALT_CERT_CHAINS,
allowing uclient-fetch to connect to servers using the default Let's
Encrypt chain that contains the certificate cross-signed by the expired
DST Root CA X3 certificate.

The original series was made when 4.8.1 was the current version in
master.  Since then, some more low-severity vulnerabilities were
discovered: [1]

- Issue with incorrectly validating a certificate that has multiple
  subject alternative names when given a name constraint. In the case
  where more than one subject alternative name is used in the
  certificate, previous versions of wolfSSL could incorrectly validate
  the certificate. Users verifying certificates with multiple
  alternative names and name constraints, are recommended to either use
  the certificate verify callback to check for this case or update the
  version of wolfSSL used. Fixed in 5.0.0.

- Hang with DSA signature creation when a specific q value is used in a
  maliciously crafted key. If a DSA key with an invalid q value of
  either 1 or 0 was decoded and used for creating a signature, it would
  result in a hang in wolfSSL. Users that are creating signatures with
  DSA and are using keys supplied from an outside source are affected.
  Fixed in 5.0.0.

- Client side session resumption issue once the session resumption cache
  has been filled up. The hijacking of a session resumption has been
  demonstrated so far with only non verified peer connections. That is
  where the client is not verifying the server’s CA that it is
  connecting to. There is the potential though for other cases involving
  proxies that are verifying the server to be at risk.

- CVE-2021-44718: Potential for DoS attack on a wolfSSL client due to
  processing hello packets of the incorrect side. This affects only
  connections using TLS v1.2 or less that have also been compromised by
  a man in the middle attack.  A CVE was reserved, but apparently not
  publicized yet.

High-severity CVE-2022-23408 is not included because it affects versions
5.0.0 and 5.1.0 only.

I've started to look at the first vulnerability, but it is not as
straightforward as I was hoping.  Perhaps Luiz Angelo Daros de Luca,
reporter and author of the fixes, can help me out with this.

Applying a large series of fixes may end up creating a new vulnerability
if not done correctly, so we may need to consider the version bump
again.  The ABI version may create trouble for people running opkg
update, but WolfSSL was not the core TLS library in 19.07 yet.

Nonetheless, this series includes the one high-severity vulnerability
(according to wolfssl [1]) CVE-2021-38597, and can be applied before we
decide what to do next.

Cheers,

Eneas

---

v2:
 - Apply two security patches instead of bumping to 4.8.1
 - Added patch to build with alternate certificate validation

[1] https://www.wolfssl.com/docs/security-vulnerabilities/

Andre Heider (1):
  wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

Eneas U de Queiroz (2):
  wolfssl: Fix OCSP request/response verification
  wolfssl: Fix CVE-2021-38597

 package/libs/wolfssl/Makefile |   8 +-
 .../patches/200-Fix-CompareOcspReqResp.patch  | 224 ++
 ...-handling-of-OCSP-no-check-extension.patch |  49 
 3 files changed, 279 insertions(+), 2 deletions(-)
 create mode 100644 package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch
 create mode 100644 package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch




[PATCH 19.07] openssl: bump to 1.1.1m

2022-01-10 Thread Eneas U de Queiroz
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
(cherry picked from commit 5beaa75d94c4a981c580905b84c7ef33caf0c3e2)
---
 package/libs/openssl/Makefile | 4 ++--
 .../libs/openssl/patches/100-Configure-afalg-support.patch| 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 0397ab90c4..e8e10524ca 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=l
+PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
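Review bot: the `PKG_HASH` line is what pins the tarball, and the PKG_SOURCE_URL list in the context just above it includes plain `ftp://` mirrors, so the new SHA-256 should be cross-checked against upstream's signed 1.1.1m release announcement before merge rather than taken from whichever mirror served the download; the `PKG_BUGFIX:=l` to `m` change in the first hunk is the expected bump and needs nothing further.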
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..d8789f4b45 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -12,7 +12,7 @@ diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";



Re: [PATCH ustream-ssl] add compatibility for wolfssl >= 5.0

2022-01-10 Thread Eneas U de Queiroz
Can someone please take a look at this.
The patch is rather trivial.  The affected function,
handle_wolfssl_asn_error is static, and its only caller is passing the
return value of SSL_get_error(), from libwolfssl; so there should be
no ordinary way to pass r=-159, which would be required to trigger a
possible regression.

It's a blocker to update wolfssl to 5.1.1, which fixes a handful of
security vulnerabilities.

Cheers,

Eneas

On Sat, Jan 1, 2022 at 5:09 PM Sergey V. Lobanov  wrote:
> Related PR: https://github.com/openwrt/openwrt/pull/4910
> >
> > NTRU support has been removed in wolfssl 5.0 so it is required to
> > mask NTRU specific code if wolfssl >= 5.0
> >
> > Signed-off-by: Sergey V. Lobanov 
> > ---
> > ustream-openssl.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/ustream-openssl.c b/ustream-openssl.c
> > index 1ce796a..894dddb 100644
> > --- a/ustream-openssl.c
> > +++ b/ustream-openssl.c
> > @@ -308,7 +308,9 @@ static bool handle_wolfssl_asn_error(struct ustream_ssl 
> > *us, int r)
> >   case ASN_SIG_HASH_E:
> >   case ASN_SIG_KEY_E:
> >   case ASN_DH_KEY_E:
> > +#if LIBWOLFSSL_VERSION_HEX < 0x0500
> >   case ASN_NTRU_KEY_E:
> > +#endif
> >   case ASN_CRIT_EXT_E:
> >   case ASN_ALT_NAME_E:
> >   case ASN_NO_PEM_HEADER:
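Review bot: the `#if LIBWOLFSSL_VERSION_HEX < 0x0500` guard compares against the wrong magnitude. wolfssl's version.h encodes the version as 0xMMmmPPpp (4.7.0 is 0x04007000, 5.0.0 is 0x05000000), so `0x0500` is smaller than every real version code, the condition is always false, and the `case ASN_NTRU_KEY_E:` line is compiled out on 4.x builds as well. Suggest `#if LIBWOLFSSL_VERSION_HEX < 0x05000000`. The practical impact on 4.x is small, as the reply notes: an NTRU key error would fall through to the default handling instead of the ASN branch, and that code is only reachable with the return value of SSL_get_error().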
> > --
> > 2.30.1 (Apple Git-130)



[PATCH] hostapd: fallback to psk when generating r0kh/r1kh

2022-01-07 Thread Eneas U de Queiroz
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well.  In
this case,  auth_secret is empty, and the default value of the key can
be computed from the SSID alone.

Fallback to using $key when auth_secret is empty.  While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.

Signed-off-by: Eneas U de Queiroz 
---

This should be cherry-picked to 21.02 as well.

 package/network/services/hostapd/files/hostapd.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh 
b/package/network/services/hostapd/files/hostapd.sh
index d9d5f34877..e00fc21cd9 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -876,10 +876,10 @@ hostapd_set_bss_options() {
set_default pmk_r1_push 0
 
[ -n "$r0kh" -a -n "$r1kh" ] || {
-   key=`echo -n 
"$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'`
+   ft_key=`echo -n 
"$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'`
 
-   set_default r0kh 
"ff:ff:ff:ff:ff:ff,*,$key"
-   set_default r1kh 
"00:00:00:00:00:00,00:00:00:00:00:00,$key"
+   set_default r0kh 
"ff:ff:ff:ff:ff:ff,*,$ft_key"
+   set_default r1kh 
"00:00:00:00:00:00,00:00:00:00:00:00,$ft_key"
}
 
[ -n "$r1_key_holder" ] && append bss_conf 
"r1_key_holder=$r1_key_holder" "$N"
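Review bot: `${auth_secret:-${key}}` covers the EAP and PSK/SAE cases, but when both are empty (no `auth_secret` and no `key`, e.g. a BSS with 802.11r enabled and neither set) the material hashed is still `"$mobility_domain/"`, so the default stays derivable from the SSID in that configuration. Suggest guarding the fallback with `[ -n "${auth_secret:-$key}" ]` and logging a warning, or not setting the r0kh/r1kh defaults at all, when it is empty. The `key` to `ft_key` rename is correct and, as the commit message says, keeps the md5 string from clobbering the PSK variable used later in the function.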



[PATCH 21.02] openssl: bump to 1.1.1m

2022-01-03 Thread Eneas U de Queiroz
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
(cherry picked from commit def9565be632b316c82ffc5a7b28c789e9df75b4)
---
 package/libs/openssl/Makefile | 4 ++--
 .../libs/openssl/patches/100-Configure-afalg-support.patch| 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 0397ab90c4..e8e10524ca 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=l
+PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..d8789f4b45 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -12,7 +12,7 @@ diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";

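The version bumps in this thread each replace PKG_HASH together with PKG_BUGFIX. The script below is an added example, not code from the OpenWrt tree or from this thread, of the check a reviewer can run locally before acking such a bump: read PKG_BASE, PKG_BUGFIX and PKG_HASH from the package Makefile and compare the recorded hash with the SHA-256 of the tarball that was actually downloaded. The Makefile and the tarball are constructed stand-ins created in a temporary directory so that the script runs offline; for a real check the functions would be pointed at package/libs/openssl/Makefile and the file under dl/.

```shell
#!/bin/sh
# Added example, not part of OpenWrt: check that PKG_HASH in a package
# Makefile matches the SHA-256 of the tarball that was actually fetched.
# The Makefile and tarball below are constructed stand-ins so this runs
# offline; point the functions at package/libs/openssl/Makefile and
# dl/openssl-<version>.tar.gz for a real check.

# pkg_var MAKEFILE NAME: print the value of the first "NAME:=value" line
pkg_var() {
    sed -n "s/^$2:=//p" "$1" | head -n 1
}

# pkg_version MAKEFILE: compose the version the way the openssl Makefile
# does, PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
pkg_version() {
    printf '%s%s\n' "$(pkg_var "$1" PKG_BASE)" "$(pkg_var "$1" PKG_BUGFIX)"
}

# check_pkg_hash MAKEFILE TARBALL: succeed only if PKG_HASH is present and
# equals the SHA-256 of TARBALL
check_pkg_hash() {
    expected=$(pkg_var "$1" PKG_HASH)
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# --- constructed sample data -------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

TARBALL="$WORK/openssl-1.1.1m.tar.gz"
printf 'constructed stand-in for the release tarball\n' > "$TARBALL"

# Makefile whose hash was updated together with the version bump
GOOD_MK="$WORK/Makefile.good"
cat > "$GOOD_MK" <<EOF
PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=m
PKG_HASH:=$(sha256sum "$TARBALL" | cut -d' ' -f1)
EOF

# Makefile where PKG_BUGFIX was bumped but PKG_HASH still holds the
# 1.1.1l value quoted in the patches above
STALE_MK="$WORK/Makefile.stale"
sed 's/^PKG_HASH:=.*/PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1/' \
    "$GOOD_MK" > "$STALE_MK"

for mk in "$GOOD_MK" "$STALE_MK"; do
    if check_pkg_hash "$mk" "$TARBALL"; then
        echo "$(basename "$mk"): PKG_HASH matches openssl-$(pkg_version "$mk")"
    else
        echo "$(basename "$mk"): PKG_HASH does NOT match openssl-$(pkg_version "$mk")"
    fi
done
```

The stale case is the one that matters in review: a Makefile whose PKG_BUGFIX moved to m while PKG_HASH still holds the l value builds fine until the download step, and a reviewer reading only the diff cannot tell a stale hash from a wrong one without recomputing it.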


[PATCH] openssl: bump to 1.1.1m

2021-12-31 Thread Eneas U de Queiroz
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
---

Tested on mediatek/Linksys E8450 using hostapd & nginx.

 package/libs/openssl/Makefile   |  6 +++---
 ...perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch | 13 +++--
 .../patches/100-Configure-afalg-support.patch   |  2 +-
 3 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 0512abdc48..9e7482117d 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=l
+PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git 
a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
 
b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
index bdc0509f8c..e52a3d52ea 100644
--- 
a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
+++ 
b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
@@ -1,7 +1,7 @@
-From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Andy Polyakov 
 Date: Sun, 5 May 2019 18:25:50 +0200
-Subject: [PATCH] crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
+Subject: crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
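Review bot: the refresh replaces "From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001" with "From  Mon Sep 17 00:00:00 2001", dropping the upstream commit id of this backport (and leaving a double space after "From"). The "(Merged from https://github.com/openssl/openssl/pull/8883)" line later in the file still identifies the change, but keeping the hash in the From line, or quoting it in the Subject, costs nothing and makes the next refresh easier to cross-check against upstream.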
@@ -14,12 +14,8 @@ endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, 
etc.)
 Reviewed-by: Paul Dale 
 Reviewed-by: Richard Levitte 
 (Merged from https://github.com/openssl/openssl/pull/8883)

- crypto/perlasm/ppc-xlate.pl | 8 
- 1 file changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
-index e52f2f6ea6..5fcd0526df 100755
 --- a/crypto/perlasm/ppc-xlate.pl
 +++ b/crypto/perlasm/ppc-xlate.pl
 @@ -49,7 +49,7 @@ my $globl = sub {
@@ -49,7 +45,7 @@ index e52f2f6ea6..5fcd0526df 100755
  my $mtspr = sub {
  my ($f,$idx,$ra) = @_;
  if ($idx == 256 && $no_vrsave) {
-@@ -320,7 +320,7 @@ while($line=<>) {
+@@ -318,7 +318,7 @@ while($line=<>) {
if ($label) {
my $xlated = ($GLOBALS{$label} or $label);
print "$xlated:";
@@ -58,6 +54,3 @@ index e52f2f6ea6..5fcd0526df 100755
if ($TYPES{$label} =~ /function/) {
printf "\n.localentry   %s,0\n",$xlated;
}
--- 
-2.31.1
-
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..d8789f4b45 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -12,7 +12,7 @@ diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";



Re: [PATCH 19.07] wolfssl: update to 4.8.1-stable

2021-12-14 Thread Eneas U de Queiroz
On Sun, Dec 12, 2021 at 12:11 PM Petr Štetiar  wrote:
>
> I'm wondering if we can do such an upgrade as the binary compatibility report 
> for
> wolfSSL 4.7.0 vs 4.8.0 looks quite scary to me. Would it be possible to just
> backport those patches which fixes those security related issues?
>

Most wolfSSL releases have binary compatibility issues.  I would not
recommend that anyone update just the package, even if the
abi-laboratory report were less scary.  This illustrates well the
problem with binary package updates that jow wants to address.

I was not sure if it would be acceptable to do the version update, but
then we went from 4.3.0 in 19.07.0 to 4.5.0 in 19.07.4, then 4.6.0 in
19.07.5, and 4.7.0 in 19.07.8, so why not 4.8.1?

OpenWrt 19.07 support is officially limited to security maintenance,
so we can cherry-pick a couple of wolfssl commits instead:
73076940a Fix CompareOcspReqResp.
f93083be7 OCSP: improve handling of OCSP no check extension

(excluding tests):
 src/ssl.c   |  2 +-
 wolfcrypt/src/asn.c | 19 ---
 wolfssl/wolfcrypt/asn.h |  1 +
 3 files changed, 14 insertions(+), 8 deletions(-)

Just let me know what's the best approach here.

After this is done--whether update or patch--I intend to propose a
patch to build with WOLFSSL_ALT_CERT_CHAINS to avoid the problems with
letsencrypt certificates.  One can argue that it is a security fix,
considering that the alternative is to skip certificate validation.
If this is going to be NAKed, then I'll skip the trouble.

BTW, wolfssl 5.0.0 is out, but I've been unable to make it work with
the letsencrypt certificates even with the build-option active--there
may be other problems that I don't recall now, I haven't looked at it
lately.  I'll return to it when able.  Meanwhile, I'll try to get
patches for the security problems that were fixed.

Cheers,

Eneas



Re: [PATCH 0/1] build: scripts/config - update to kconfig-v5.14

2021-11-25 Thread Eneas U de Queiroz
On Thu, Nov 25, 2021 at 4:54 AM Florian Eckert  wrote:
>
> Hello Eneas,
>
>
> I've been looking at this too and wanted to update.
> Since I wasn't there from the beginning, I don't know what all OpenWrt
> changes.
> Hence my suggestion:
> Can't we put the changes OpenWrt makes to the source code into a patch
> directory
> and then patch that with 'quilt' like we do with all the other packages?
> That would make the task easier for others too update this too.

I don't think we should keep the patches along with the main sources,
but it may be beneficial to create an official repository under the
openwrt infrastructure.

What I had done was to create a fork of 'linux', and applied the
openwrt patches on top of that.  You can see my current version, which
resulted in the patch I just sent, here:
https://github.com/cotequeiroz/linux/commits/openwrt-5.14/scripts/kconfig
I don't think anyone can review the openwrt patch without looking at
the commits I applied.

Getting all of those commits together took some effort when I first
did it.  I was in the same situation as you are, but I really wanted
the much better dependency view that the new kernel had.  That was my
motivation then.  I documented the changes the best I could.
It resulted in this branch:
https://github.com/cotequeiroz/linux/tree/openwrt-b2c55d50f8

Then fast-forwarding them was also time-consuming, because of the high
number of commits to adapt, especially the many changes to the
Makefile.
I remember doing it in two ways: starting from openwrt version of
kconfig and applying the linux updates ("linux-on-top-of-openwrt"
branch, stale after the review); and rebasing the openwrt changes on
top of kconfig-5.6, which ended up being the final version (openwrt
branch--I should have added a version to it), to see how close I would
get both versions. I added the link to the branch I used in the
README.

At least now the Makefile was less subject to change, and our
modifications have become straightforward and clean.  There have been
some syntax adjustments (notably the removal of '---help---'), but
when we moved from 5.4 to 5.10, our kernel patches had to be adapted
as well.

This is why I think it is beneficial to update this regularly, keeping it fresh.

Cheers,

Eneas



[PATCH 0/1] build: scripts/config - update to kconfig-v5.14

2021-11-24 Thread Eneas U de Queiroz
I'm updating the Kconfig programs in scripts/config, from Linux 5.6 to
5.14.  The changes are not critical to openwrt, but regular updates
ease the transition to an eventual newer version with more desirable
features.

The biggest impact here is the removal of the obsolete ---help--- symbol,
which had been deprecated in favor of plain 'help'.

This has been menuconfig-tested with different targets for almost a
month without problems.

The changes I made to the upstream kconfig for this version can be seen
at https://github.com/cotequeiroz/linux/commits/openwrt-5.14/scripts/kconfig

Eneas U de Queiroz (1):
  build: scripts/config - update to kconfig-v5.14

 Config.in  |2 +-
 scripts/config/.gitignore  |   30 +-
 scripts/config/Makefile|   62 +-
 scripts/config/README  |9 +-
 scripts/config/conf.c  |  451 --
 scripts/config/confdata.c  |  279 +---
 scripts/config/expr.h  |6 -
 scripts/config/images.c|   30 +-
 scripts/config/images.h|   30 +-
 scripts/config/internal.h  |9 +
 scripts/config/lexer.l |8 +-
 scripts/config/lexer.lex.c | 2468 ++--
 scripts/config/lkc.h   |   68 +-
 scripts/config/lkc_proto.h |   15 +-
 scripts/config/lxdialog/util.c |4 +-
 scripts/config/mconf-cfg.sh|4 +-
 scripts/config/mconf.c |   15 +-
 scripts/config/menu.c  |   26 +-
 scripts/config/nconf.c |   59 +-
 scripts/config/nconf.gui.c |  284 ++--
 scripts/config/nconf.h |   51 +-
 scripts/config/parser.tab.c| 1804 ++-
 scripts/config/parser.tab.h|  120 +-
 scripts/config/parser.y|   57 +-
 scripts/config/preprocess.c|2 +-
 scripts/config/qconf-cfg.sh|   14 +-
 scripts/config/qconf.cc| 1056 +++---
 scripts/config/qconf.h |  160 +--
 scripts/config/symbol.c|   30 +-
 target/sdk/files/Config.in |2 +-
 30 files changed, 3221 insertions(+), 3934 deletions(-)
 create mode 100644 scripts/config/internal.h




Re: [PATCH] ramips: switch to kernel 5.10

2021-09-27 Thread Eneas U de Queiroz
On Thu, Sep 9, 2021 at 5:49 AM Rui Salvaterra  wrote:
>
> Tested on mt7621 (Redmi AC2100) and running stable for several months.
>
> Signed-off-by: Rui Salvaterra 
> ---

Tested on rt3883: Asus RT-N56U

Tested-by: Eneas U de Queiroz 



[PATCH] ramips: fix ralink_i2s_debugfs_remove declaration

2021-09-20 Thread Eneas U de Queiroz
Correct ralink_i2s_debugfs_remove declaration in ralink patches when
CONFIG_DEBUG_FS is not selected.

Signed-off-by: Eneas U de Queiroz 
---

Fixes the following error, when compiling without DEBUG_FS:

sound/soc/ralink/ralink-i2s.c:678:53: warning: 'struct fsl_ssi_dbg' declared 
inside parameter list will not be visible outside of this definition or 
declaration
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
 ^~~
sound/soc/ralink/ralink-i2s.c: In function 'ralink_i2s_probe':
sound/soc/ralink/ralink-i2s.c:935:28: error: passing argument 1 of 
'ralink_i2s_debugfs_remove' from incompatible pointer type 
[-Werror=incompatible-pointer-types]
  ralink_i2s_debugfs_remove(i2s);
^~~
sound/soc/ralink/ralink-i2s.c:678:66: note: expected 'struct fsl_ssi_dbg *' but 
argument is of type 'struct ralink_i2s *'
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
  ^~~
sound/soc/ralink/ralink-i2s.c: In function 'ralink_i2s_remove':
sound/soc/ralink/ralink-i2s.c:947:28: error: passing argument 1 of 
'ralink_i2s_debugfs_remove' from incompatible pointer type 
[-Werror=incompatible-pointer-types]
  ralink_i2s_debugfs_remove(i2s);
^~~
sound/soc/ralink/ralink-i2s.c:678:66: note: expected 'struct fsl_ssi_dbg *' but 
argument is of type 'struct ralink_i2s *'
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
  ^~~
At top level:
sound/soc/ralink/ralink-i2s.c:146:13: warning: 'ralink_i2s_dump_regs' defined 
but not used [-Wunused-function]
 static void ralink_i2s_dump_regs(struct ralink_i2s *i2s)
 ^~~~
cc1: some warnings being treated as errors
make[7]: *** [scripts/Makefile.build:280: sound/soc/ralink/ralink-i2s.o] Error 1
make[6]: *** [scripts/Makefile.build:497: sound/soc/ralink] Error 2
make[5]: *** [scripts/Makefile.build:497: sound/soc] Error 2
make[4]: *** [Makefile:1822: sound] Error 2

 .../linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch | 2 +-
 .../linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)



diff --git a/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch 
b/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch
index 255c8d751a..680b678168 100644
--- a/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch
+++ b/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch
@@ -738,7 +738,7 @@ Signed-off-by: John Crispin 
 +  return 0;
 +}
 +
-+static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
++static inline void ralink_i2s_debugfs_remove(struct ralink_i2s *i2s)
 +{
 +}
 +#endif
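Review bot: changing the stub's parameter to struct ralink_i2s * makes it match the callers in ralink_i2s_probe and ralink_i2s_remove shown in the error log, which removes the -Werror=incompatible-pointer-types failures; the same log also reports 'ralink_i2s_dump_regs' defined but not used when CONFIG_DEBUG_FS is off, and that is not addressed here. If that function is only called from the debugfs code, moving it under the same #ifdef (or marking it __maybe_unused) would leave the !DEBUG_FS build warning-free as well. The 5.4 hunk below is the identical fix and needs no separate comment.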
diff --git a/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch 
b/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch
index cffdc4f4a1..4b9c877a7f 100644
--- a/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch
+++ b/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch
@@ -738,7 +738,7 @@ Signed-off-by: John Crispin 
 +  return 0;
 +}
 +
-+static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
++static inline void ralink_i2s_debugfs_remove(struct ralink_i2s *i2s)
 +{
 +}
 +#endif



[PATCH 19.07] wolfssl: update to 4.8.1-stable

2021-09-14 Thread Eneas U de Queiroz
From: Ivan Pavlov 

Changes from 4.7.0:
  Fix one high (OCSP verification issue) and two low vulnerabilities
  Improve compatibility layer
  Other improvements and fixes

For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases

Signed-off-by: Ivan Pavlov 
(cherry picked from commit 7d92bb0509615550b98e2dc71091073c8258d564)
[Added patch to allow compilation with libtool 2.4]
Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile   |  4 ++--
 .../patches/100-disable-hardening-check.patch   |  2 +-
 .../patches/110-build-with-libtool-2.4.patch| 13 +
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 57fcaa03b2..4940316f1b 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
+PKG_VERSION:=4.8.1-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c89ff1be9d..4141e28750 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch 
b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
new file mode 100644
index 00..206c6dac6a
--- /dev/null
+++ b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index 144c857e4..de7f6b45a 100644
+--- a/configure.ac
 b/configure.ac
+@@ -32,7 +32,7 @@ AC_ARG_PROGRAM
+ 
+ AC_CONFIG_HEADERS([config.h:config.in])
+ 
+-LT_PREREQ([2.4.2])
++LT_PREREQ([2.4])
+ LT_INIT([disable-static win32-dll])
+ 
+ #shared library versioning
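Review bot: 110-build-with-libtool-2.4.patch has no description header; it starts directly with "diff --git a/configure.ac b/configure.ac". A two-line header stating that the branch's host libtool is 2.4 and that this is an OpenWrt-only workaround would tell whoever later bumps libtool that the patch can be dropped. Also note that lowering LT_PREREQ([2.4.2]) to LT_PREREQ([2.4]) only disables the version check; it does not establish that nothing in configure.ac relies on a 2.4.2 macro, so a successful build with libtool 2.4 should be cited as the evidence that the relaxation is safe.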



[PATCH 21.02 2/2] wolfssl: update to 4.8.1-stable

2021-09-14 Thread Eneas U de Queiroz
From: Ivan Pavlov 

Changes from 4.7.0:
  Fix one high (OCSP verification issue) and two low vulnerabilities
  Improve compatibility layer
  Other improvements and fixes

For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases

Signed-off-by: Ivan Pavlov 
(cherry picked from commit 7d92bb0509615550b98e2dc71091073c8258d564)
[Added patch to allow compilation with libtool 2.4]
Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile   |  6 +++---
 ...m-change-asm-snippets-to-get-compiling.patch | 17 +
 .../patches/100-disable-hardening-check.patch   |  2 +-
 .../patches/110-build-with-libtool-2.4.patch| 13 +
 package/libs/wolfssl/patches/200-ecc-rng.patch  |  4 ++--
 5 files changed, 24 insertions(+), 18 deletions(-)
 create mode 100644 
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 030a0224f5..ba9ec44cd9 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.8.1-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
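Review bot: for a stable-branch bump from 4.7.0 to 4.8.1 the commit message should state whether the library ABI changes, since anyone installing this as a binary update needs to know; the 19.07 thread on this page notes that most wolfSSL releases break binary compatibility, and this Makefile uses PKG_FIXUP:=libtool libtool-abiver, so dependent packages are affected if the upstream library version changed. Resetting PKG_RELEASE from 2 to 1 with the version bump is correct.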
diff --git 
a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
 
b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
index 091b241285..763f9e8d06 100644
--- 
a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
+++ 
b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
@@ -13,8 +13,6 @@ SP_ASM_MUL_ADD2 and SP_ASM_SQR_ADD.
  wolfcrypt/src/sp_int.c |  6 +++---
  2 files changed, 23 insertions(+), 12 deletions(-)
 
-diff --git a/wolfcrypt/src/asm.c b/wolfcrypt/src/asm.c
-index b7f53d073..a37e75e02 100644
 --- a/wolfcrypt/src/asm.c
 +++ b/wolfcrypt/src/asm.c
 @@ -698,33 +698,39 @@ __asm__( \
@@ -64,7 +62,7 @@ index b7f53d073..a37e75e02 100644
  
  #define SQRADDAC(i, j)\
  __asm__(  \
-@@ -733,7 +739,9 @@ __asm__(  \
+@@ -733,7 +739,9 @@ __asm__(
   "addl  %%eax,%0 \n\t"\
   "adcl  %%edx,%1 \n\t"\
   "adcl  $0,%2\n\t"\
@@ -75,7 +73,7 @@ index b7f53d073..a37e75e02 100644
  
  #define SQRADDDB  \
  __asm__(  \
-@@ -743,7 +751,10 @@ __asm__(  
\
+@@ -743,7 +751,10 @@ __asm__(
   "addl %6,%0 \n\t"\
   "adcl %7,%1 \n\t"\
   "adcl %8,%2 \n\t"\
@@ -87,11 +85,9 @@ index b7f53d073..a37e75e02 100644
  
  #elif defined(TFM_X86_64)
  /* x86-64 optimized */
-diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c
-index 6070faaa9..d26702e47 100644
 --- a/wolfcrypt/src/sp_int.c
 +++ b/wolfcrypt/src/sp_int.c
-@@ -477,7 +477,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, 
sp_int_digit lo,
+@@ -476,7 +476,7 @@ static WC_INLINE sp_int_digit sp_div_wor
  "addl %%eax, %[l] \n\t"\
  "adcl %%edx, %[h] \n\t"\
  "adcl $0   , %[o] \n\t"\
@@ -100,7 +96,7 @@ index 6070faaa9..d26702e47 100644
  : [a] "r" (va), [b] "r" (vb) \
  : "eax", "edx", "cc" \
  )
-@@ -503,7 +503,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, 
sp_int_digit lo,
+@@ -502,7 +502,7 @@ static WC_INLINE sp_int_digit sp_div_wor
  "addl %%eax, %[l] \n\t"\
  "adcl %%edx, %[h] \n\t"\
  "adcl $0   , %[o] \n\t"\
@@ -109,7 +105,7 @@ index 6070faaa9..d26702e47 100644
  : [a] "r" (va), [b] "r" (vb) \
  : "eax", "edx", "cc" \
  )
-@@ -542,7 +542,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, 
sp_int_digit lo,
+@@ -541,7 +541,7 @@ static WC_INLINE sp_int_digit sp_div_wor
  

[PATCH 21.02 1/2] wolfssl: fix build with GCC 10 on 32 x86 targets

2021-09-14 Thread Eneas U de Queiroz
From: Stijn Tintel 

Backport upstream patch to fix build with GCC 10 on 32 x86 targets.

Signed-off-by: Stijn Tintel 
(cherry picked from commit 718a4f47806da8f68cb8f1fe2ebecf403e14ae96)
---
 ...change-asm-snippets-to-get-compiling.patch | 123 ++
 1 file changed, 123 insertions(+)
 create mode 100644 
package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch

diff --git 
a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
 
b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
new file mode 100644
index 00..091b241285
--- /dev/null
+++ 
b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
@@ -0,0 +1,123 @@
+From fa8f23284d4689c2a737204b337b58d966dcbd8c Mon Sep 17 00:00:00 2001
+From: Sean Parkinson 
+Date: Fri, 20 Aug 2021 10:23:38 +1000
+Subject: [PATCH] Maths x86 asm: change asm snippets to get compiling
+
+TFM:
+  Use register or memory for c0, c1, c2 in SQRADD and SQRADD2.
+SP:
+  Use register or memory for vl, vh, vo in SP_ASM_MUL_ADD,
+SP_ASM_MUL_ADD2 and SP_ASM_SQR_ADD.
+---
+ wolfcrypt/src/asm.c| 29 -
+ wolfcrypt/src/sp_int.c |  6 +++---
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/wolfcrypt/src/asm.c b/wolfcrypt/src/asm.c
+index b7f53d073..a37e75e02 100644
+--- a/wolfcrypt/src/asm.c
 b/wolfcrypt/src/asm.c
+@@ -698,33 +698,39 @@ __asm__( \
+ 
+ #define SQRADD(i, j)  \
+ __asm__(  \
+- "movl  %6,%%eax \n\t"\
++ "movl  %3,%%eax \n\t"\
+  "mull  %%eax\n\t"\
+  "addl  %%eax,%0 \n\t"\
+  "adcl  %%edx,%1 \n\t"\
+  "adcl  $0,%2\n\t"\
+- :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i) 
:"%eax","%edx","cc");
++ :"+rm"(c0), "+rm"(c1), "+rm"(c2) \
++ : "m"(i) \
++ :"%eax","%edx","cc");
+ 
+ #define SQRADD2(i, j) \
+ __asm__(  \
+- "movl  %6,%%eax \n\t"\
+- "mull  %7   \n\t"\
++ "movl  %3,%%eax \n\t"\
++ "mull  %4   \n\t"\
+  "addl  %%eax,%0 \n\t"\
+  "adcl  %%edx,%1 \n\t"\
+  "adcl  $0,%2\n\t"\
+  "addl  %%eax,%0 \n\t"\
+  "adcl  %%edx,%1 \n\t"\
+  "adcl  $0,%2\n\t"\
+- :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i), "m"(j) 
 :"%eax","%edx", "cc");
++ :"+rm"(c0), "+rm"(c1), "+rm"(c2) \
++ : "m"(i), "m"(j) \
++ :"%eax","%edx", "cc");
+ 
+ #define SQRADDSC(i, j)\
+-__asm__( \
++__asm__(  \
+  "movl  %3,%%eax \n\t"\
+  "mull  %4   \n\t"\
+  "movl  %%eax,%0 \n\t"\
+  "movl  %%edx,%1 \n\t"\
+  "xorl  %2,%2\n\t"\
+- :"=r"(sc0), "=r"(sc1), "=r"(sc2): "g"(i), "g"(j) :"%eax","%edx","cc");
++ :"=r"(sc0), "=r"(sc1), "=r"(sc2) \
++ : "g"(i), "g"(j) \
++ :"%eax","%edx","cc");
+ 
+ #define SQRADDAC(i, j)\
+ __asm__(  \
+@@ -733,7 +739,9 @@ __asm__(  \
+  "addl  %%eax,%0 \n\t"\
+  "adcl  %%edx,%1 \n\t"\
+  "adcl  $0,%2\n\t"\
+- :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), 
"g"(j) :"%eax","%edx","cc");
++ :"=r"(sc0), "=r"(sc1), "=r"(sc2) \
++ : "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j)   \
++ :"%eax","%edx","cc");
+ 
+ #define SQRADDDB  \
+ __asm__(  \
+@@ -743,7 +751,10 @@ __asm__(  
\
+  "addl %6,%0 \n\t"\
+  "adcl %7,%1 \n\t"   
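Review bot: SQRADD and SQRADD2 switch c0/c1/c2 to "+rm" read-write operands, while SQRADDSC and SQRADDAC keep "=r" outputs with tied "0"/"1"/"2" inputs (SQRADDAC is only re-wrapped across lines). Both forms are valid here because addl/adcl accept a memory destination, so the asymmetry is not a bug, but a sentence in the patch description explaining it would stop a later refresh from "harmonising" the macros back to the form GCC 10 rejected. Separately, the 2/2 patch in this series immediately refreshes this same file to drop its "diff --git" and "index" lines; adding the file already in that form would avoid rewriting it within one series.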

[PATCH 21.02 0/2] wolfssl: bump to v4.8.1-stable

2021-09-14 Thread Eneas U de Queiroz
I've added a trivial patch to allow compilation with libtool 2.4,
currently used in 21.02.  I have not used a separate commit for that, to
not introduce a commit that does not build.  Let me know if I should
rather split this.

I'm cherry-picking a commit to allow compilation with gcc 10, to keep it
in sync with master.  While not the default, building with gcc 10 is an
option for 21.02.

Eneas

Ivan Pavlov (1):
  wolfssl: update to 4.8.1-stable

Stijn Tintel (1):
  wolfssl: fix build with GCC 10 on 32 x86 targets

 package/libs/wolfssl/Makefile |   6 +-
 ...change-asm-snippets-to-get-compiling.patch | 116 ++
 .../patches/100-disable-hardening-check.patch |   2 +-
 .../patches/110-build-with-libtool-2.4.patch  |  13 ++
 .../libs/wolfssl/patches/200-ecc-rng.patch|   4 +-
 5 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 
package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
 create mode 100644 
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch




[PATCH v2] libtool: bump to 2.4.6

2021-09-13 Thread Eneas U de Queiroz
This updates libtool to its current release, from 2015.  Current patches
were renumbered and given a description text.  The fix in
160-passthrough-ssp.patch is no longer needed.

A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to accommodate
our "SHELL=/usr/bin/env bash" usage.

The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources.  Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.

Signed-off-by: Eneas U de Queiroz 
---
Changelog:

Rebased after upgrade to 2.4.2

---
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 10 files changed, 444 insertions(+), 334 deletions(-)
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch

diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index 2bc9db7d0d..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libtool
 PKG_CPE_ID:=cpe:/a:gnu:libtool
-PKG_VERSION:=2.4.2
+PKG_VERSION:=2.4.6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=1d7b6862c1ed162e327f083a6f78f40eae29218f0db8c38393d61dab764c4407
+PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
 
 HOST_BUILD_PARALLEL:=1
 
@@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \
 define Host/Prepare
$(call Host/Prepare/Default)
(cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 
lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4)
-   (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap)
+   $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+endef
+
+define Host/Configure
+   $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+   $(call Host/Configure/Default)
 endef
 
 define Host/Install
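Review bot: the bootstrap invocation "(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)" is duplicated between Host/Prepare (non-QUILT path) and Host/Configure (QUILT path); factoring it into a single define called from both places would keep the two paths from drifting. A comment on why README-release must exist before ./bootstrap runs would also save the next maintainer a trip through the bootstrap script.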
diff --git a/tools/libtool/patches/000-relocatable.patch 
b/tools/libtool/patches/000-relocatable.patch
index 6d1651be31..88d1eaed02 100644
--- a/tools/libtool/patches/000-relocatable.patch
+++ b/tools/libtool/patches/000-relocatable.patch
@@ -1,46 +1,24 @@
 a/libltdl/config/general.m4sh
-+++ b/libltdl/config/general.m4sh
-@@ -45,15 +45,22 @@ progpath="$0"
- M4SH_VERBATIM([[
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
--: ${EGREP="@EGREP@"}
--: ${FGREP="@FGREP@"}
--: ${GREP="@GREP@"}
- : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR="mkdir"}
- : ${MV="mv -f"}
- : ${RM="rm -f"}
--: ${SED="@SED@"}
-+if test -n "$STAGING_DIR"; then
-+  : ${EGREP="$STAGING_DIR/../host/bin/grep -E"}
-+  : ${FGREP="$STAGING_DIR/../host/bin/grep -F"}
-+  : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+  : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+  : ${EGREP="@EGREP@"}
-+  : ${FGREP="@FGREP@"}
-+      : ${GREP="@GREP@"}
-+  : ${SED="@SED@"}
-+fi
- : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
- : ${Xsed="$SED -e 1s/^X//"}
- 
+From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz 
+Date: Tue, 20 Jul 2021 16:41:11 -0300
+Subject: openwrt: make relocatable, search resources relative to STAGING_DIR
+
+This was originally commited to openwrt by Jo-Philipp Wich
+.
+
+(adjusted to v2.4.6)
+Signed-off-by: Eneas U de Queiroz 
+
 --- a/libtoolize.in
 +++ b/libtoolize.in
-@@ -334,15 +334,22 @@ as_unset=as_fn_unset
+@@ -40,11 +40,18 @@
  
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+ : ${AUTOCONF="autoconf"}
+ : ${AUTOMAKE="automake"}
 -: ${EGREP="@EGREP@"}
 -: ${FGREP="@FGREP@"}
 -: ${GREP="@GREP@"}
  : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR

[PATCH 19.07 2/2] openssl: bump to 1.1.1l

2021-08-26 Thread Eneas U de Queiroz
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile   | 6 +++---
 .../410-eng_devcrypto-add-configuration-options.patch   | 5 ++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 17049dd57e..0397ab90c4 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=k
+PKG_BUGFIX:=l
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
+PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
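Review bot: the new PKG_HASH 0b7a3e5e... is the value that the later 1.1.1m bumps on this page remove, so the k -> l -> m chain is consistent across the series; it should nevertheless be verified against the SHA256 upstream publishes for openssl-1.1.1l.tar.gz rather than accepted because another branch carries the same value. PKG_RELEASE dropping back to 1 with the version bump is as expected.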
diff --git 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
index 8745364cf2..6d0fbfc982 100644
--- 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
+++ 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
@@ -1,4 +1,4 @@
-From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Sat, 3 Nov 2018 15:41:10 -0300
 Subject: eng_devcrypto: add configuration options
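Review bot: the refreshed header line `+From  Mon Sep 17 00:00:00 2001` has an empty commit id where `1c2fabcdb34e436286b4a8760cfbfbff11ea551a` used to be; that id is the pointer back to the upstream change merged from https://github.com/openssl/openssl/pull/7585, so keep it (or at least the PR reference) in the header instead of letting the refresh blank it, otherwise a later reviewer cannot tell which upstream commit this backport corresponds to.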
@@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte 
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a2c9a966f7..5ec38ca8f3 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -16,6 +16,7 @@
@@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644
  
/**
   *
   * LOAD / UNLOAD
-@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int()
+@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int()
  
  if (!ENGINE_set_id(e, "devcrypto")
  || !ENGINE_set_name(e, "/dev/crypto engine")

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[PATCH 19.07 1/2] openssl: use --cross-compile-prefix in Configure

2021-08-26 Thread Eneas U de Queiroz
This sets the --cross-compile-prefix option when running Configure, so
that it will not use the host gcc to figure out, among other
things, compiler defines.  It avoids errors, if the host 'gcc' is
handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz 
Tested-by: Rosen Penev 
(cherry picked from commit 2f75348923e564f1b73fbc32f7cabc355cd6e2b9)
---

Besides the fix for clang, I'm cherry-picking this to sync 21.02 and
19.07 Makefiles.

 package/libs/openssl/Makefile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 8f74fbcf7d..17049dd57e 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -335,6 +335,7 @@ define Build/Configure
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
+   --cross-compile-prefix="$(TARGET_CROSS)" \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) && \
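Review bot: `--cross-compile-prefix="$(TARGET_CROSS)"` makes Configure probe the target toolchain instead of the host gcc, which is the fix the message describes; one thing to confirm is that TARGET_CROSS is exactly the prefix of the compiler that TARGET_CC names, because Build/Compile still passes `CC="$(TARGET_CC)"` to make, so Configure's probe and the actual compile must resolve to the same binary or the defines recorded at configure time will not match the compiler used later.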
@@ -347,14 +348,12 @@ TARGET_LDFLAGS += -Wl,--gc-sections
 
 define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-   CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
$(MAKE) -C $(PKG_BUILD_DIR) \
-   CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
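Review bot: dropping both `CROSS_COMPILE="$(TARGET_CROSS)"` make-line overrides is consistent with handing the prefix to Configure, which records it in the generated Makefile; a one-line comment in Build/Compile saying the prefix now comes from Configure would keep the next reader from re-adding it.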


[PATCH 21.02] openssl: bump to 1.1.1l

2021-08-26 Thread Eneas U de Queiroz
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile| 4 ++--
 .../410-eng_devcrypto-add-configuration-options.patch| 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 5a20db660a..0397ab90c4 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=k
+PKG_BUGFIX:=l
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
+PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
index 8745364cf2..6d0fbfc982 100644
--- 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
+++ 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
@@ -1,4 +1,4 @@
-From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Sat, 3 Nov 2018 15:41:10 -0300
 Subject: eng_devcrypto: add configuration options
@@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte 
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a2c9a966f7..5ec38ca8f3 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -16,6 +16,7 @@
@@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644
  
/**
   *
   * LOAD / UNLOAD
-@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int()
+@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int()
  
  if (!ENGINE_set_id(e, "devcrypto")
  || !ENGINE_set_name(e, "/dev/crypto engine")


[PATCH] openssl: bump to 1.1.1l

2021-08-26 Thread Eneas U de Queiroz
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile| 4 ++--
 .../410-eng_devcrypto-add-configuration-options.patch| 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 11e5ecfccb..3f5fe90d9c 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=k
+PKG_BUGFIX:=l
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
+PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
index 8745364cf2..6d0fbfc982 100644
--- 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
+++ 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
@@ -1,4 +1,4 @@
-From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Sat, 3 Nov 2018 15:41:10 -0300
 Subject: eng_devcrypto: add configuration options
@@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte 
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a2c9a966f7..5ec38ca8f3 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -16,6 +16,7 @@
@@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644
  
/**
   *
   * LOAD / UNLOAD
-@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int()
+@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int()
  
  if (!ENGINE_set_id(e, "devcrypto")
  || !ENGINE_set_name(e, "/dev/crypto engine")


[PATCH] download: improve handling of invalid local files

2021-08-20 Thread Eneas U de Queiroz
4e19cbc5533: [download: handle possibly invalid local tarballs] added a
FORCE rule to downloaded files, so that they will be always checked by
download.pl.

As a side-effect, check-compile will fail, forcing unnecessary package
rebuilds.
The check-compile.txt log shows (for libxml2 for example):
  Considering target file '.../dl/libxml2-2.9.12.tar.gz'.
...
prerequisite 'FORCE' of target '.../dl/libxml2-2.9.12.tar.gz' does
not exist.
Must remake target '.../dl/libxml2-2.9.12.tar.gz'.
...
   Giving up on target file '...libxml2-2.9.12/.prepared_...'.
   Giving up on target file '...libxml2-2.9.12/.configured_...'.
   Giving up on target file '...libxml2-2.9.12/.built'.
   Giving up on target file '...stamp/.libxml2_installed'.
  Giving up on target file '.compile'.

Then the package is rebuilt even if it is not otherwise needed.

To fix this, instead of always forcing the download target to be remade,
check its hash first: if it matches, then the FORCE is not added.

Signed-off-by: Eneas U de Queiroz 
---
 include/download.mk   | 17 +++--
 include/host-build.mk |  2 +-
 include/package.mk|  2 +-
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/include/download.mk b/include/download.mk
index 609956b004..76bd374cf7 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -59,6 +59,21 @@ define dl_tar_pack
{TAR_TIMESTAMP:+--mtime="TAR_TIMESTAMP"} -c $(2) | 
$(call dl_pack,$(1))
 endef
 
+gen_sha256sum = $(shell $(MKHASH) sha256 $(DL_DIR)/$(1))
+
+# Used in Build/CoreTargets and HostBuild/Core as an integrity check for
+# downloaded files.  It will add a FORCE rule if the sha256 hash does not
+# match, so that the download can be more thoroughly handled by download.pl.
+define check_download_integrity
+  expected_hash:=$(strip $(if $(filter-out x,$(HASH)),$(HASH),$(MIRROR_HASH)))
+  $$(if $$(and $(FILE),$$(wildcard $(DL_DIR)/$(FILE)), \
+  $$(filter undefined,$$(flavor DownloadChecked/$(FILE, \
+$$(eval DownloadChecked/$(FILE):=1) \
+$$(if $$(filter-out $$(call gen_sha256sum,$(FILE)),$$(expected_hash)), \
+  $(DL_DIR)/$(FILE): FORCE) \
+  )
+endef
+
 ifdef CHECK
 check_escape=$(subst ','\'',$(1))
 #')
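Review bot: check_download_integrity silently accepts a file when the expected hash is empty: if HASH is `x` and MIRROR_HASH is unset, `expected_hash` ends up empty, `$$(filter-out <actual>,)` yields nothing, and the FORCE rule is not added, so download.pl is never run for that file, whereas the unconditional `$(DL_DIR)/$(FILE): FORCE` this replaces always ran it; consider treating an empty `expected_hash` as a mismatch so that case keeps the FORCE path. Two smaller points on the same hunk: the `$$(filter undefined,$$(flavor DownloadChecked/$(FILE, \` line appears to be missing its closing parentheses as posted, and because `gen_sha256sum` runs `$(MKHASH)` through `$(shell)` at makefile parse time, every package with a present tarball now costs one sha256 of that tarball per make invocation (bounded by the DownloadChecked/ guard within a single run), which is worth stating in the commit message.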
@@ -74,8 +89,6 @@ else
   check_warn = $(if $(filter-out undefined,$(origin F_$(1))),$(filter ,$(shell 
$(call F_$(1),$(2),$(3),$(4)) >&2)),$(check_warn_nofix))
 endif
 
-gen_sha256sum = $(shell $(MKHASH) sha256 $(DL_DIR)/$(1))
-
 ifdef FIXUP
 F_hash_deprecated = $(SCRIPT_DIR)/fixup-makefile.pl $(CURDIR)/Makefile 
fix-hash $(3) $(call gen_sha256sum,$(1)) $(2)
 F_hash_mismatch = $(F_hash_deprecated)
diff --git a/include/host-build.mk b/include/host-build.mk
index e4a5c48e72..cfa29419aa 100644
--- a/include/host-build.mk
+++ b/include/host-build.mk
@@ -180,7 +180,7 @@ ifndef DUMP
 clean-build: host-clean-build
   endif
 
-  $(DL_DIR)/$(FILE): FORCE
+  $(call check_download_integrity)
 
   $(_host_target)host-prepare: $(HOST_STAMP_PREPARED)
   $(_host_target)host-configure: $(HOST_STAMP_CONFIGURED)
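Review bot: `$(call check_download_integrity)` is expanded inside a block that is itself passed through $(eval) (HostBuild/Core here and Build/CoreTargets in package.mk, per the commit message), so the mixed `$(HASH)` / `$$(if ...)` escaping in the define must match exactly one extra expansion level at both call sites; a comment on the define stating which variables are expanded at call time and which at eval time would make this easier to keep correct.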
diff --git a/include/package.mk b/include/package.mk
index db0a869dab..55d9352072 100644
--- a/include/package.mk
+++ b/include/package.mk
@@ -183,7 +183,7 @@ define Build/CoreTargets
   $(call Build/Autoclean)
   $(call DefaultTargets)
 
-  $(DL_DIR)/$(FILE): FORCE
+  $(call check_download_integrity)
 
   download:
$(foreach hook,$(Hooks/Download),


[PATCH] ethtool: fix recursive dependency

2021-08-12 Thread Eneas U de Queiroz
Change the CONFLICTS definition from the alternative package
(ethtool-full) to the main one.

The CONFLICTS line creates a dependency to the conflicting package.

Right now, the dependency would be created in the PACKAGE_ethtool-full
symbol:

config PACKAGE_ethtool-full
depends on m || (PACKAGE_ethtool != y)

When the main package is selected by airmon-ng, it selects
PACKAGE_ethtool, *depending* on the value of PACKAGE_ethtool-full:

config PACKAGE_airmon-ng
select PACKAGE_ethtool if PACKAGE_ethtool-full
---
 package/network/utils/ethtool/Makefile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/package/network/utils/ethtool/Makefile 
b/package/network/utils/ethtool/Makefile
index a82e5c92fa..9889677a16 100644
--- a/package/network/utils/ethtool/Makefile
+++ b/package/network/utils/ethtool/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ethtool
 PKG_VERSION:=5.13
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_MAINTAINER:=Felix Fietkau 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
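Review bot: the commit message carries no Signed-off-by line, unlike the author's other patches on this list; add one before this is merged.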
@@ -31,6 +31,7 @@ define Package/ethtool
   TITLE:=Display or change ethernet card settings
   URL:=http://www.kernel.org/pub/software/network/ethtool/
   VARIANT:=tiny
+  CONFLICTS:=ethtool-full
 endef
 
 define Package/ethtool-full
@@ -38,8 +39,8 @@ define Package/ethtool-full
   TITLE += (full)
   VARIANT:=full
   PROVIDES:=ethtool
-  CONFLICTS:=ethtool
   DEPENDS:=+libmnl
+  CONFLICTS:=
 endef
 
 define Package/ethtool/description
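Review bot: the new empty `CONFLICTS:=` in Package/ethtool-full reads like a leftover, but it is load-bearing if Package/ethtool-full inherits Package/ethtool (the `TITLE += (full)` line suggests it does): without it the inherited `CONFLICTS:=ethtool-full` would make the package conflict with itself. Add a short comment (e.g. `# clear inherited CONFLICTS`) so it is not removed as dead code; also the `-  CONFLICTS:=ethtool` / `+  CONFLICTS:=` pair moves the assignment below DEPENDS for no stated reason, so keeping it in place would make the diff smaller.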


[PATCH v2 1/2] libtool: bump to 2.4.6

2021-07-28 Thread Eneas U de Queiroz
This updates libtool to its current release, from 2015.  Current patches
were renumbered and given a description text.  The fix in
160-passthrough-ssp.patch is no longer needed.

A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to accommodate
our "SHELL=/usr/bin/env bash" usage.

The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources.  Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.

Signed-off-by: Eneas U de Queiroz 
---
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 .../libtool/patches/001-fix-func_append.patch |  22 --
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 11 files changed, 444 insertions(+), 356 deletions(-)
 delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch

diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index dd4a7f6380..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libtool
 PKG_CPE_ID:=cpe:/a:gnu:libtool
-PKG_VERSION:=2.4
+PKG_VERSION:=2.4.6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=afcce660d3dc54c63a0a5ba3cf05272239dc3c54bbeba20f6bad250f9dc007ae
+PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
 
 HOST_BUILD_PARALLEL:=1
 
@@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \
 define Host/Prepare
$(call Host/Prepare/Default)
(cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 
lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4)
-   (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap)
+   $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+endef
+
+define Host/Configure
+   $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+   $(call Host/Configure/Default)
 endef
 
 define Host/Install
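Review bot: the bootstrap invocation `(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)` is duplicated verbatim in Host/Prepare and Host/Configure, differing only in the $(QUILT) condition; factor it into one define (e.g. Host/Bootstrap) called from both places so the two copies cannot drift. The `touch README-release` step is also unexplained; a comment saying what bootstrap checks that file for would help the next person who bumps libtool.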
diff --git a/tools/libtool/patches/000-relocatable.patch 
b/tools/libtool/patches/000-relocatable.patch
index 55265fe533..88d1eaed02 100644
--- a/tools/libtool/patches/000-relocatable.patch
+++ b/tools/libtool/patches/000-relocatable.patch
@@ -1,46 +1,24 @@
 a/libltdl/config/general.m4sh
-+++ b/libltdl/config/general.m4sh
-@@ -45,15 +45,22 @@ progpath="$0"
- M4SH_VERBATIM([[
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
--: ${EGREP="@EGREP@"}
--: ${FGREP="@FGREP@"}
--: ${GREP="@GREP@"}
- : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR="mkdir"}
- : ${MV="mv -f"}
- : ${RM="rm -f"}
--: ${SED="@SED@"}
-+if test -n "$STAGING_DIR"; then
-+  : ${EGREP="$STAGING_DIR/../host/bin/grep -E"}
-+  : ${FGREP="$STAGING_DIR/../host/bin/grep -F"}
-+  : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+  : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+  : ${EGREP="@EGREP@"}
-+  : ${FGREP="@FGREP@"}
-+      : ${GREP="@GREP@"}
-+  : ${SED="@SED@"}
-+fi
- : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
- : ${Xsed="$SED -e 1s/^X//"}
- 
+From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz 
+Date: Tue, 20 Jul 2021 16:41:11 -0300
+Subject: openwrt: make relocatable, search resources relative to STAGING_DIR
+
+This was originally commited to openwrt by Jo-Philipp Wich
+.
+
+(adjusted to v2.4.6)
+Signed-off-by: Eneas U de Queiroz 
+
 --- a/libtoolize.in
 +++ b/libtoolize.in
-@@ -326,15 +326,22 @@ as_unset=as_fn_unset
+@@ -40,11 +40,18 @@
  
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+ : ${AUTOCONF="autoconf"}
+ : ${AUTOMAKE="automake"}
 -: ${EGREP="@EGREP@"}
 -: ${FGREP="@FGREP@"}
 -: ${GREP="@GREP@
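Review bot: typo in the new patch description: `commited` on the `+This was originally commited to openwrt by Jo-Philipp Wich` line should be `committed`.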

[PATCH v2 2/2] wolfssl: bump to v4.8.1-stable

2021-07-28 Thread Eneas U de Queiroz
Release 4.8.1 of wolfSSL embedded TLS has bug fixes and new features
including these vulnerabilities:

* [high] OCSP verification issue when response is for a certificate with
  no relation to the chain in question BUT that response contains the
  NoCheck extension which effectively disables ALL verification of that
  one cert.

* [Low] OCSP request/response verification issue. In the case that the
  serial number in the OCSP request differs from the serial number in
  the OCSP response the error from the comparison was not resulting in a
  failed verification. (fixed in 4.8.0)

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile   | 6 +++---
 .../libs/wolfssl/patches/100-disable-hardening-check.patch  | 2 +-
 package/libs/wolfssl/patches/200-ecc-rng.patch  | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 0c95288a2a..6ef80e88a9 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.8.1-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
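Review bot: PKG_SOURCE_URL points at GitHub's auto-generated tag archive (`https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)`) rather than a release asset; such archives are generated on the fly and their bytes, and hence PKG_HASH, are not guaranteed stable over time, so confirm the new hash was computed from a fresh download and consider switching to a published release tarball if wolfSSL provides one for 4.8.1.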
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c89ff1be9d..4141e28750 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch 
b/package/libs/wolfssl/patches/200-ecc-rng.patch
index 2d33c06209..d8581be7eb 100644
--- a/package/libs/wolfssl/patches/200-ecc-rng.patch
+++ b/package/libs/wolfssl/patches/200-ecc-rng.patch
@@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl.
 
 --- a/wolfcrypt/src/ecc.c
 +++ b/wolfcrypt/src/ecc.c
-@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void)
+@@ -10938,21 +10938,21 @@ void wc_ecc_fp_free(void)
  
  #endif /* FP_ECC */
  
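Review bot: the only change is the hunk header moving from `@@ -10293,21 +10293,21 @@` to `@@ -10938,21 +10938,21 @@`, i.e. wc_ecc_fp_free() and the RNG handling patched after it moved by 645 lines in ecc.c; an offset-only refresh says nothing about whether upstream also changed that RNG code in between, and since this patch exists to force a separate RNG regardless of the build settings (per its own description line), the commit message should state that the surrounding ecc.c code was compared against 4.8.1 and the patch still does what it was written for.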
@@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl.
  
 --- a/wolfssl/wolfcrypt/ecc.h
 +++ b/wolfssl/wolfcrypt/ecc.h
-@@ -584,10 +584,8 @@ WOLFSSL_API
+@@ -616,10 +616,8 @@ WOLFSSL_API
  void wc_ecc_fp_free(void);
  WOLFSSL_LOCAL
  void wc_ecc_fp_init(void);


[PATCH v2 0/2] Bump WolfSSL and libtool

2021-07-28 Thread Eneas U de Queiroz
v1->v2: WolfSSL was updated from 4.8.0, in the original series, to
4.8.1 due to a high-risk vulnerability.  Patches were refreshed.

WolfSSL has decided it needs at least libtool 2.4.2 to build.  From
their commit 92854a5dd message:
advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current
automated testing coverage.

We could easily patch our way out of it, but I decided to try the
upgrade first.  It appears to work just fine.  I've just rebuilt the
whole tree for my Linksys E8450 (mt7622), and tested the WolfSSL update
with hostapd and uhttpd.  I've had no hiccups, but of course ymmv.

My major concern while bumping a core building tool was how it could
affect the changes we have in place.  I've looked at both our patches,
and at what was changed upstream.

The major changes were related to getting the gnulib sources from git,
and refreshing them when running bootstrap.  Since we are applying
patches, getting fresh copies is not viable, but there's a command-line
option to avoid doing it.

I'm not so sure what to do about 21.02.
 1. Patch WolfSSL to accept building with libtool 2.4;
 2. Bump libtool to 2.4.2: 11 *relevant* files changed from 2.4,
   424 insertions(+),  198 deletions(-).
This was before the gnulib changes.  For a comparison, there are
71 files changed, 17143 insertions(+), 5697 deletions(-), when going
from 2.4 to 2.4.6.
 3. Bump both to keep in sync with master.

My vote: do 1 now, and wait for possible fallout from master.  Then,
perhaps try to keep them in sync, at the following point release.

Cheers

Eneas U de Queiroz (2):
  libtool: bump to 2.4.6
  wolfssl: bump to v4.8.1-stable

 package/libs/wolfssl/Makefile |   6 +-
 .../patches/100-disable-hardening-check.patch |   2 +-
 .../libs/wolfssl/patches/200-ecc-rng.patch|   4 +-
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 .../libtool/patches/001-fix-func_append.patch |  22 --
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 14 files changed, 450 insertions(+), 362 deletions(-)
 delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch



[PATCH 1/2] libtool: bump to 2.4.6

2021-07-22 Thread Eneas U de Queiroz
This updates libtool to its current release, from 2015.  Current patches
were renumbered and given a description text.  The fix in
160-passthrough-ssp.patch is no longer needed.

A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to accommodate
our "SHELL=/usr/bin/env bash" usage.

The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources.  Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.

Signed-off-by: Eneas U de Queiroz 
---
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 .../libtool/patches/001-fix-func_append.patch |  22 --
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 11 files changed, 444 insertions(+), 356 deletions(-)
 delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch

diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index dd4a7f6380..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libtool
 PKG_CPE_ID:=cpe:/a:gnu:libtool
-PKG_VERSION:=2.4
+PKG_VERSION:=2.4.6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=afcce660d3dc54c63a0a5ba3cf05272239dc3c54bbeba20f6bad250f9dc007ae
+PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
 
 HOST_BUILD_PARALLEL:=1
 
@@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \
 define Host/Prepare
$(call Host/Prepare/Default)
(cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 
lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4)
-   (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap)
+   $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+endef
+
+define Host/Configure
+   $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+   $(call Host/Configure/Default)
 endef
 
 define Host/Install
diff --git a/tools/libtool/patches/000-relocatable.patch 
b/tools/libtool/patches/000-relocatable.patch
index 55265fe533..88d1eaed02 100644
--- a/tools/libtool/patches/000-relocatable.patch
+++ b/tools/libtool/patches/000-relocatable.patch
@@ -1,46 +1,24 @@
 a/libltdl/config/general.m4sh
-+++ b/libltdl/config/general.m4sh
-@@ -45,15 +45,22 @@ progpath="$0"
- M4SH_VERBATIM([[
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
--: ${EGREP="@EGREP@"}
--: ${FGREP="@FGREP@"}
--: ${GREP="@GREP@"}
- : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR="mkdir"}
- : ${MV="mv -f"}
- : ${RM="rm -f"}
--: ${SED="@SED@"}
-+if test -n "$STAGING_DIR"; then
-+  : ${EGREP="$STAGING_DIR/../host/bin/grep -E"}
-+  : ${FGREP="$STAGING_DIR/../host/bin/grep -F"}
-+  : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+  : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+  : ${EGREP="@EGREP@"}
-+  : ${FGREP="@FGREP@"}
-+      : ${GREP="@GREP@"}
-+  : ${SED="@SED@"}
-+fi
- : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
- : ${Xsed="$SED -e 1s/^X//"}
- 
+From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz 
+Date: Tue, 20 Jul 2021 16:41:11 -0300
+Subject: openwrt: make relocatable, search resources relative to STAGING_DIR
+
+This was originally commited to openwrt by Jo-Philipp Wich
+.
+
+(adjusted to v2.4.6)
+Signed-off-by: Eneas U de Queiroz 
+
 --- a/libtoolize.in
 +++ b/libtoolize.in
-@@ -326,15 +326,22 @@ as_unset=as_fn_unset
+@@ -40,11 +40,18 @@
  
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+ : ${AUTOCONF="autoconf"}
+ : ${AUTOMAKE="automake"}
 -: ${EGREP="@EGREP@"}
 -: ${FGREP="@FGREP@"}
 -: ${GREP="@GREP@

[PATCH 2/2] wolfssl: bump to v4.8.0-stable

2021-07-22 Thread Eneas U de Queiroz
Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features
including this vulnerability:

* [Low] OCSP request/response verification issue. In the case that the
  serial number in the OCSP request differs from the serial number in
  the OCSP response the error from the comparison was not resulting in
  a failed verification.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 0c95288a2a..38c284ec5d 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.8.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=72c22efcdab0f18f9b0bb45621c213144f88b4a9e9b9cc06878b47744e058885
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
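Review bot: this hunk is superseded; the v2 cover letter on this list says 4.8.0 was replaced by 4.8.1 because of a high-severity OCSP verification issue, so the `+PKG_VERSION:=4.8.0-stable` / `+PKG_HASH:=72c22efc...` pair should not be applied as-is and the v2 patch should be reviewed instead.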


[PATCH 0/2] Bump WolfSSL and libtool

2021-07-22 Thread Eneas U de Queiroz
WolfSSL has decided it needs at least libtool 2.4.2 to build.  From
their commit 92854a5dd message:
advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current
automated testing coverage.

We could easily patch our way out of it, but I decided to try the
upgrade first.  It appears to work just fine.  I've just rebuilt the
whole tree for my Linksys E8450 (mt7622), and tested the WolfSSL update
with hostapd and uhttpd.  I've had no hiccups, but of course ymmv.

My major concern while bumping a core building tool was how it could
affect the changes we have in place.  I've looked at both our patches,
and at what was changed upstream.

The major changes were related to getting the gnulib sources from git,
and refreshing them when running bootstrap.  Since we are applying
patches, getting fresh copies is not viable, but there's a command-line
option to avoid doing it.

I'm not so sure what to do about 21.02.
 1. Patch WolfSSL to accept building with libtool 2.4;
 2. Bump libtool to 2.4.2: 11 *relevant* files changed from 2.4,
   424 insertions(+),  198 deletions(-).
This was before the gnulib changes.  For a comparison, there are
71 files changed, 17143 insertions(+), 5697 deletions(-), when going
from 2.4 to 2.4.6.
 3. Bump both to keep in sync with master.

My vote: do 1 now, and wait for possible fallout from master.  Then,
perhaps try to keep them in sync, at the following point release.

Cheers

Eneas U de Queiroz (2):
  libtool: bump to 2.4.6
  wolfssl: bump to v4.8.0-stable

 package/libs/wolfssl/Makefile |   6 +-
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 .../libtool/patches/001-fix-func_append.patch |  22 --
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 12 files changed, 447 insertions(+), 359 deletions(-)
 delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[PATCH v3 3/3] openssl: configure engines with uci

2021-04-29 Thread Eneas U de Queiroz
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

config engine 'devcrypto'
option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

v2->v3:
- actually removed the extra files that I had promised in v2

 package/libs/openssl/Makefile | 13 ++--
 package/libs/openssl/engine.mk| 60 ---
 package/libs/openssl/files/engines.cnf|  7 ---
 package/libs/openssl/files/openssl.init   | 31 ++
 .../150-openssl.cnf-add-engines-conf.patch|  5 +-
 5 files changed, 54 insertions(+), 62 deletions(-)
 delete mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
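Review bot: /etc/config/openssl is missing from Package/libopenssl-conf/conffiles in this hunk. The install recipe later in this patch creates and seeds that file (`touch $(1)/etc/config/openssl` plus the `config engine` fragments), and it is the file users edit to enable engines, so without a conffiles entry an opkg upgrade of libopenssl-conf silently overwrites their engine settings; add `/etc/config/openssl` next to /etc/ssl/openssl.cnf.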
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+   $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
$(1)/etc/init.d/openssl
+   touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo devcrypto=devcrypto >> 
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
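Review bot: the two `echo -e "...\n\t..."` lines in the `$(if ...)` branches depend on the recipe shell's echo understanding -e; `printf` is portable and cannot leave a literal "-e" in /etc/config/openssl. The two fragments are also inconsistent: devcrypto is written without a leading blank line while padlock gets "\n", so the spacing of the generated file depends on which engines are built in. One printf per engine, each with the same leading newline, keeps both uniform.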
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
-   Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
 
-   opkg install --force-reinstall libopenssl-conf
-   EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
 
-   Then, you will have to reinstall this package, and any other engine 
package you have
-   you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
 
-   opkg install --force-reinstall $$(OSSL_ENG_PKG) 
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+   option enabled '1'
+EOF
 
-   EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error
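Review bot: the de-duplication guard `[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0` only protects the live-system path; when IPKG_INSTROOT is set (building the image) the heredoc appends `config engine '$(1)'` unconditionally, so a package re-installed into the same rootfs gets a duplicate section. A `grep -q "config engine '$(1)'"` check on the target file before the append covers both cases. On a live system, writing through uci (`uci set openssl.$(1)=engine`, `uci set openssl.$(1).enabled=1`, `uci commit openssl`) instead of appending raw text would also keep the file well-formed when it has been edited by hand.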

[PATCH v3 2/3] openssl: configure engine packages during install

2021-04-29 Thread Eneas U de Queiroz
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2: unchanged
v2->v3: unchanged

 package/libs/openssl/Makefile | 58 +
 package/libs/openssl/engine.mk| 82 +++
 package/libs/openssl/files/engines.cnf| 12 +--
 .../150-openssl.cnf-add-engines-conf.patch|  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 69616f01e8..238f7ecf02 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
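Review bot: with `ENGINES_DIR=engines-1.1` removed from the top of the Makefile in the previous hunk, the variable now has to come from engine.mk, which is only pulled in here, after package.mk; any `:=` assignment between the top of the file and this include that expands ENGINES_DIR would see an empty value, and the Package/*/install recipes at the bottom rely on it. A comment next to `include engine.mk` saying that it defines ENGINES_DIR, or keeping the definition in the Makefile and letting engine.mk use it, makes that dependency visible.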
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-  +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf 
@!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE 
+PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-  @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev 
@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 
+PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-  +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
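Review bot: all three engine definitions repeat `@!OPENSSL_ENGINE_BUILTIN` in their `DEPENDS +=` lines. Since Package/openssl/engine/Default now seeds DEPENDS for every engine package, and the commit message says engine.mk is meant for out-of-tree engines as well, that guard belongs in engine/Default so a third-party engine cannot omit it. Dropping the "To use it, you need to enable the engine in ..." sentences is right for this commit, but the devcrypto description could keep its pointer to /etc/ssl/engines.cnf.d/devcrypto.cnf, which still holds that engine's options.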
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(if $(CONFIG_OPENSSL_ENGINE_BUIL

[PATCH v3 1/3] openssl: config engines in /etc/ssl/engines.cnf.d

2021-04-29 Thread Eneas U de Queiroz
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

All patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2: unchanged
v2->v3: unchanged

 package/libs/openssl/Makefile |  30 --
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 101 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 114 insertions(+), 123 deletions(-)
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/padlock.cnf

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..69616f01e8 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
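Review bot: the new sentence tells users to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf but, unlike the devcrypto text in the next hunk, does not mention that this package now installs its own /etc/ssl/engines.cnf.d/afalg.cnf (see the libopenssl-afalg/install hunk below); a matching "You may configure the engine by editing /etc/ssl/engines.cnf.d/afalg.cnf." line keeps the three descriptions consistent.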
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
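Review bot: ./files/engines.cnf is installed here as the user-editable list of enabled engines, but this commit does not add /etc/ssl/engines.cnf.d/engines.cnf to Package/libopenssl-conf/conffiles (that only happens in 2/3 of this series). Since 1/3 is the commit whose descriptions tell users to edit the file, the conffiles entry should land in the same commit; otherwise a libopenssl-conf upgrade at this point in the history overwrites the edited list.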
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devc

[PATCH v3 0/3] Engine configuration series

2021-04-29 Thread Eneas U de Queiroz
This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

v2->v3:
- actually removed the extra files that I had promised in v2

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile |  55 +-
 package/libs/openssl/engine.mk|  46 
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/openssl.init   |  31 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 18 files changed, 191 insertions(+), 140 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf




[PATCH v2 2/3] openssl: configure engine packages during install

2021-04-29 Thread Eneas U de Queiroz
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2: unchanged

 package/libs/openssl/Makefile | 58 +
 package/libs/openssl/engine.mk| 82 +++
 package/libs/openssl/files/engines.cnf| 12 +--
 .../150-openssl.cnf-add-engines-conf.patch|  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 69616f01e8..238f7ecf02 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-  +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf 
@!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE 
+PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-  @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev 
@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 
+PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-  +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPT

[PATCH v2 1/3] openssl: config engines in /etc/ssl/engines.cnf.d

2021-04-29 Thread Eneas U de Queiroz
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

All patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2: unchanged
 package/libs/openssl/Makefile |  30 --
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 101 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 114 insertions(+), 123 deletions(-)
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/padlock.cnf

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..69616f01e8 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR

[PATCH v2 3/3] openssl: configure engines with uci

2021-04-29 Thread Eneas U de Queiroz
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

config engine 'devcrypto'
option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

 package/libs/openssl/Makefile | 13 ++--
 package/libs/openssl/engine.mk| 60 ---
 .../libs/openssl/files/openssl-engines.init   | 19 ++
 package/libs/openssl/files/openssl.init   | 31 ++
 .../150-openssl.cnf-add-engines-conf.patch|  5 +-
 5 files changed, 73 insertions(+), 55 deletions(-)
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+   $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
$(1)/etc/init.d/openssl
+   touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo devcrypto=devcrypto >> 
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
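
Review bot: the `echo -e "...\n\t..."` calls inside the two `$(if ...)` blocks rely on the recipe shell implementing `-e`; `printf "config engine '%s'\n\toption enabled '1'\n" devcrypto` produces the same bytes under any shell, and a heredoc would match what the postinst in engine.mk already does. Either form avoids a silent `-e` literally landing in /etc/config/openssl if the recipe shell ever changes.
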
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
-   Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
 
-   opkg install --force-reinstall libopenssl-conf
-   EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
 
-   Then, you will have to reinstall this package, and any other engine 
package you have
-   you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
 
-   opkg install --force-reinstall $$(OSSL_ENG_PKG) 
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+   option enabled '1'
+EOF
 
-   EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/e
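
Review bot: the early exit on the `[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0` line only covers the on-device case; when IPKG_INSTROOT is set the heredoc appends a `config engine '$(1)'` section unconditionally, so running the postinst twice against the same staging root leaves a duplicate section. A `grep -q "config engine '$(1)'"` on the uci file works in both cases and needs neither uci nor a running target. Keeping the existing section untouched when it is already there is the right call, since it preserves a user's `option enabled '0'` across reinstalls; a one-line comment stating that intent would help the next reader.
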

[PATCH v2 0/3] Engine configuration series

2021-04-29 Thread Eneas U de Queiroz


This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile |  55 +-
 package/libs/openssl/engine.mk|  46 
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 .../libs/openssl/files/openssl-engines.init   |  19 
 package/libs/openssl/files/openssl.init   |  31 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 20 files changed, 217 insertions(+), 140 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [PATCH 3/3] openssl: configure engines with uci

2021-04-29 Thread Eneas U de Queiroz
Hi Florian

On Thu, Apr 29, 2021 at 3:44 AM Florian Eckert  wrote:
> >  $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
> >  $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
>
> I think AFALG is missing there?
>
As I mentioned in the earlier thread, builtin AFALG is weird.  If I
enable it in openssl.cnf, it will always look for afalg.so, and will
fail.  I think it was an oversight, but AFALG is not part of
OPENSSL_INIT_ENGINE_ALL_BUILTIN [1], so it will not be enabled by
default, unless you call
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_AFALG, NULL).  The AFALG
engine does not have any control commands, so configuration is a noop
anyway.

[1] 
https://github.com/openssl/openssl/blob/0f077b5fd86e2df0b41608fbd5684fa1a2b58f59/include/openssl/crypto.h.in#L452
> >  endef
> > @@ -378,15 +377,17 @@ define Package/libopenssl/install
> >  endef
> >
> >  define Package/libopenssl-conf/install
> > - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
> > + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
> > $(1)/etc/init.d
> >   $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
> > - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
> > + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
> > + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
> > $(1)/etc/init.d/openssl
>
> I do not understand what you are doing there.
ENGINES_DIR is where the engine so files are stored.  It is versioned,
so it is stored in a variable in engine.mk.  I'm just setting it in
/etc/init.d/openssl, from ./files/openssl.init#3:
ENGINES_DIR="%ENGINES_DIR%"
The final result, installed in /etc/init.d/openssl#3 is:
ENGINES_DIR="/usr/lib/engines-1.1"

> >   $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
> >   $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
> > - echo padlock=padlock >> 
> > $(1)/etc/ssl/engines.cnf.d/engines.cnf)
> > + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
> > $(1)/etc/config/openssl)
>
> What about AFALG?
The same explanation above fits here.

> >  #!/bin/sh
> > +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
> > +if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null; 
> > then
> > +cat << EOF >> "{OPENSSL_UCI}"
> > +config engine '$(1)'
> > + option enabled '1'
> > +EOF
>
>  From my point of view, I think it would be better if we used the uci cli
> command directly here.
> to add the config engine section and enable this engine.

However, uci is not available when the package is installed by the
buildsystem, such as when building the firmware image.  That's why I
always check for $IPKG_INSTROOT before calling any commands available
in the target only, as seen above.

>
> >  fi
> > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
> >endef
> >
> > -  define Package/$$(OSSL_ENG_PKG)/prerm :=
> > +  define Package/$$(OSSL_ENG_PKG)/postrm :=
> >  #!/bin/sh
> > -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
> > -[ -f "{ENGINES_CNF}" ] || exit 0
> > -sed -e '/$(1)=$(1)/d' -i "{ENGINES_CNF}"
> > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
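
Review bot: `[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload` is the final command of both the postinst and the new postrm, so whenever IPKG_INSTROOT is non-empty (the firmware image build) the `[` test fails and the script exits with status 1, which makes the maintainer script itself fail at image build time. End both scripts with an explicit `exit 0`, or write the reload as `if [ -z "{IPKG_INSTROOT}" ]; then /etc/init.d/openssl reload; fi`. This matches the "postinst & postrm logic that was failing when building the final image" item in the v2 changelog.
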
>
> Should we not also remove the uci option on an uninstall with the uci
> command?
>
I'll change this.  My idea was to save the configuration, if the user
later reinstalls the package.  However, since the %ENGINE%.cnf file is
not removed, then openssl will try to enable the removed engine and
fail.

> > +++ b/package/libs/openssl/files/openssl-engines.init
> > @@ -0,0 +1,19 @@
> > +#!/bin/sh /etc/rc.common
>
> Is the init script also switched on at the first boot?
> So that the service runs immediately?
> Not that the service has to be switched on in /etc/rc.d/ first - that
> would be unpleasant.

Yes, it is: file
build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl
build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl:
symbolic link to ../init.d/openssl
>
> > +
> > +START=05
> > +OSSL_ENGINES_CNF="/etc/ssl/engines.cnf.d/engines.cnf"
> > +
> > +enable_engine() {
> > + echo "$1=$1" >> "${OSSL_ENGINES_CNF}"
>
> The writing happens here on the persistent storage at every boot!
> This is not so good for embedded target with FLASH.
> It would be better to write this to the tmp.
>

This file, along with engines.cnf were left over from a previous idea,
and are not used.  I will take care of them in the v2.  The list
is actually saved in /var/etc/ssl/engines.cnf.

> > + config_list_foreach openssl.openssl[0] engines enable_engine
>
> How about the named uci section globals
> config openssl globals
>
This is also part of the leftover file.
I've spotted a missing fix for the postinst/postrm scripts that were
failing when building the final image.  I'll send a v2 in a bit.

Thanks for the review!

Eneas


[PATCH 3/3] openssl: configure engines with uci

2021-04-28 Thread Eneas U de Queiroz
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

config engine 'devcrypto'
	option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it reports which engines are being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile | 13 +++--
 package/libs/openssl/engine.mk| 58 +++
 .../libs/openssl/files/openssl-engines.init   | 19 ++
 package/libs/openssl/files/openssl.init   | 31 ++
 .../150-openssl.cnf-add-engines-conf.patch|  5 +-
 5 files changed, 70 insertions(+), 56 deletions(-)
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+   $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
$(1)/etc/init.d/openssl
+   touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo devcrypto=devcrypto >> 
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..efa46d7214 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,20 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
-   Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
 
-   opkg install --force-reinstall libopenssl-conf
-   EOF
-cat <<- EOF
+if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null; then
+cat << EOF >> "{OPENSSL_UCI}"
 
-   Then, you will have to reinstall this package, and any other engine 
package you have
-   you have previously installed to ensure they are enabled:
-
-   opkg install --force-reinstall $$(OSSL_ENG_PKG) 
[OTHER_ENGINE_PKG]...
-
-   EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then
-cat <<- EOF
-   Your /etc/ssl/openssl.cnf file is not loading engine configuration 
files from
-   /etc/ssl/engines.cnf.d.  You should consider start with a fresh, 
updated OpenSSL config by
-   running:
-
-   opkg
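
The generation step the commit message above describes, as an added example that is not the openssl.init script from the patch (which uses the rc.common helpers): it parses a uci-style /etc/config/openssl with plain sh, applies 'enabled' and 'force', runs the cnf-or-so existence test and writes the enabled-engines list. The [engines] header, the scratch directories and the engine names in the demo (including the hypothetical "gost" entry) are assumptions.

```shell
#!/bin/sh
# Added example, not the openssl.init script from the patch: a plain-sh
# re-implementation of the list generation the commit message describes.
# Every uci section of type 'engine' becomes a "name=name" line under an
# [engines] header; 'enabled' defaults to 1 and 'force' (default 0) bypasses
# the existence test (NAME.cnf in the engine config directory or NAME.so in
# the versioned engines directory). The uci file is parsed by hand so this
# runs without the uci binary or /lib/functions.sh, and all paths are
# parameters so the demo can use a scratch tree instead of /etc and /usr/lib.

# engine_exists NAME ENGINES_DIR CNF_DIR
engine_exists() {
	[ -f "$3/$1.cnf" ] || [ -f "$2/$1.so" ]
}

# unquote VALUE: strip the single or double quotes uci puts around values.
unquote() {
	v="$1"
	v="${v#\'}"; v="${v%\'}"
	v="${v#\"}"; v="${v%\"}"
	printf '%s' "$v"
}

# emit_engine NAME ENABLED FORCE ENGINES_DIR CNF_DIR OUT
# Appends "NAME=NAME" to OUT when the engine is enabled and present (or
# forced) and reports the decision on stderr, as the init script logs it.
emit_engine() {
	name="$1"; enabled="$2"; force="$3"; engines_dir="$4"; cnf_dir="$5"; out="$6"
	[ -n "$name" ] || return 0
	if [ "$enabled" = 0 ]; then
		echo "engine $name: disabled in config, skipping" >&2
	elif [ "$force" = 1 ] || engine_exists "$name" "$engines_dir" "$cnf_dir"; then
		echo "$name=$name" >> "$out"
		echo "engine $name: enabled" >&2
	else
		echo "engine $name: no $name.cnf or $name.so found, skipping (option force '1' overrides)" >&2
	fi
}

# gen_engines_cnf CONFIG ENGINES_DIR CNF_DIR OUT
# Rewrites OUT from scratch, so it is safe to run at boot and after every
# engine package install or removal.
gen_engines_cnf() {
	config="$1"; engines_dir="$2"; cnf_dir="$3"; out="$4"
	cur=""; cur_enabled=1; cur_force=0
	mkdir -p "$(dirname "$out")"
	printf '[engines]\n' > "$out"   # header assumed, as in the earlier proposal
	while IFS= read -r line || [ -n "$line" ]; do
		# Word-split the line into keyword, type/key and quoted value.
		set -- $line
		[ $# -ge 2 ] || continue
		val="$(unquote "$3")"
		case "$1 $2" in
		"config engine")
			emit_engine "$cur" "$cur_enabled" "$cur_force" "$engines_dir" "$cnf_dir" "$out"
			cur="$val"; cur_enabled=1; cur_force=0
			;;
		"config "*)   # a section of another type ends the current engine
			emit_engine "$cur" "$cur_enabled" "$cur_force" "$engines_dir" "$cnf_dir" "$out"
			cur=""
			;;
		"option enabled")
			if [ -n "$cur" ]; then cur_enabled="$val"; fi
			;;
		"option force")
			if [ -n "$cur" ]; then cur_force="$val"; fi
			;;
		esac
	done < "$config"
	emit_engine "$cur" "$cur_enabled" "$cur_force" "$engines_dir" "$cnf_dir" "$out"
}

# Constructed demo: a scratch tree standing in for /usr/lib/engines-1.1,
# /etc/ssl/engines.cnf.d, /etc/config/openssl and /var/etc/ssl/engines.cnf.
demo="$(mktemp -d)"
mkdir -p "$demo/engines-1.1" "$demo/engines.cnf.d"
touch "$demo/engines-1.1/devcrypto.so" "$demo/engines.cnf.d/padlock.cnf"
cat > "$demo/openssl" <<'EOF'
config engine 'devcrypto'
	option enabled '1'

config engine 'padlock'
	option enabled '0'

config engine 'afalg'

config engine 'gost'
	option force '1'
EOF
gen_engines_cnf "$demo/openssl" "$demo/engines-1.1" "$demo/engines.cnf.d" "$demo/var/engines.cnf"
cat "$demo/var/engines.cnf"   # prints: [engines] / devcrypto=devcrypto / gost=gost
rm -r "$demo"
```

The demo shows the three outcomes side by side: devcrypto is enabled because its .so exists, padlock is skipped by `enabled '0'` even though its .cnf exists, afalg is skipped because nothing is installed, and gost is written only because of `force '1'`.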

[PATCH 2/3] openssl: configure engine packages during install

2021-04-28 Thread Eneas U de Queiroz
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile | 58 +
 package/libs/openssl/engine.mk| 82 +++
 package/libs/openssl/files/engines.cnf| 12 +--
 .../150-openssl.cnf-add-engines-conf.patch|  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 69616f01e8..238f7ecf02 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
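
Review bot: the two conditional conffiles entries test the literal string `CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO` / `CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK` rather than the variable's value, and GNU make's `$(if ...)` treats any non-empty condition as true, so as written both files are always listed regardless of the build configuration. The install recipe later in this patch uses the intended form, `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),...)`; the same `$(...)` wrapping belongs here.
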
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-  +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf 
@!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE 
+PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-  @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev 
@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 
+PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-  +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
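
Review bot: the three descriptions lose their "To use it, you need to enable the engine in ..." line without gaining a statement of the new behaviour, so a user reading `opkg info` no longer learns that installing the package enables the engine or where to turn it off; one sentence per description ("The engine is enabled automatically when this package is installed") would close that gap. The `DEPENDS +=` rewrite also drops `libopenssl`, `@OPENSSL_ENGINE` and `+libopenssl-conf` from each package's own list, so those must now come from Package/openssl/engine/Default in the new engine.mk, which is outside the visible hunks; worth confirming, since the postinst writes into a file that libopenssl-conf installs.
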
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+   $(CP) ./files/devcrypto.

[PATCH 1/3] openssl: config engines in /etc/ssl/engines.cnf.d

2021-04-28 Thread Eneas U de Queiroz
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

All patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile |  30 --
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 101 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 114 insertions(+), 123 deletions(-)
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/padlock.cnf

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..69616f01e8 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
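
Review bot: /etc/ssl/engines.cnf.d/engines.cnf is installed here and the description hunks in this same patch tell users to edit it, but no hunk adds it to Package/libopenssl-conf/conffiles (the conffiles define sits around line 128, between the first and second hunks, and is untouched), so an opkg upgrade of libopenssl-conf overwrites the user's engine list. Patch 2/3 adds the entry, but each commit should leave the package consistent on its own; move the conffiles addition into this one.
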
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./fi

[PATCH 0/3] Engine configuration series

2021-04-28 Thread Eneas U de Queiroz
This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile |  55 +-
 package/libs/openssl/engine.mk|  42 
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 .../libs/openssl/files/openssl-engines.init   |  19 
 package/libs/openssl/files/openssl.init   |  31 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 20 files changed, 213 insertions(+), 140 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf




Re: [PATCH] package: openssl: Enable built engines per default

2021-04-27 Thread Eneas U de Queiroz
> >> How about if we create a uci default script and check on the running
> >> system what is installed?
> >> And then we could generate a file and add or remove an include line
> >> form
> >> the openssl.cnf [1]?
> >
> > I think we can manage something like that.  The .include option can
> > load all files in a directory (/etc/ssl/engines.d/), and won't fail if
> > there aren't any files--the directory itself must exist.  Each engine
> > package can install its own file there, and have a post-install script
> > that adds a line to an "engines.cnf" file if there isn't any:
> >
> > add_engine() {
> > 	# $1 = engine name (engine .so file without the .so extension)
> > 	# anchored so a commented-out "#name=name" line does not count as enabled
> > 	grep -q "^$1=$1" /etc/ssl/engines.d/engines.cnf && return
> > 	echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
> > }
> >
> > /etc/ssl/engines.d/engines.cnf would start out with just the [engines]
> > header and some comments explaining its use and warning not to edit
> > something that would break things.
> >
> > What do you think?
>
> The plan sounds good :+1:
>
Hi
I'm testing that proposal, and it's almost ready.  I've expanded it to
use uci to enable/disable the engines, but I'm still running tests to
catch corner cases.  I am not able to test the padlock engine, but its
usage should be like devcrypto.  Afalg is more complicated if built
into the library, because openssl does not initialize it like other
builtin engines. There's no way to configure it for general use when
built that way.
Cheers,
Eneas



Re: [PATCH] package: openssl: Enable built engines per default

2021-04-23 Thread Eneas U de Queiroz
On Fri, Apr 23, 2021 at 3:11 AM Florian Eckert  wrote:
> How about if we create a uci default script and check on the running
> system what is installed?
> And then we could generate a file and add or remove an include line form
> the openssl.cnf [1]?

Hi Florian, Daniel

I think we can manage something like that.  The .include option can
load all files in a directory (/etc/ssl/engines.d/), and won't fail if
there aren't any files--the directory itself must exist.  Each engine
package can install its own file there, and have a post-install script
that adds a line to an "engines.cnf" file if there isn't any:

add_engine() {
	# $1 = engine name (engine .so file without the .so extension)
	# anchored so a commented-out "#name=name" line does not count as enabled
	grep -q "^$1=$1" /etc/ssl/engines.d/engines.cnf && return
	echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
}

/etc/ssl/engines.d/engines.cnf would start out with just the [engines]
header and some comments explaining its use and warning not to edit
something that would break things.

What do you think?

Cheers,

Eneas



Re: [PATCH] package: openssl: Enable built engines per default

2021-04-22 Thread Eneas U de Queiroz
On Thu, Apr 22, 2021 at 3:55 AM Daniel Danzberger  wrote:
>
> Automatically enable an engine in the openssl.cnf if it has been build.
> Before this change, /etc/openssl.cnf had to be edited manually on the
> system to enable the engine.
>

> +define Package/libopenssl-conf/enable
> +   $(if $(CONFIG_PACKAGE_libopenssl-$(2)),sed -i 
> s/^\#*$(2)=$(2)/$(2)=$(2)/ $(1)/etc/ssl/openssl.cnf)
> +endef
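Review bot: `$(if $(CONFIG_PACKAGE_libopenssl-$(2)),...)` in the `enable` define is true for `=m` as well as `=y`, so in a configuration where every engine package is a module (the buildbot case) all listed engines get uncommented in the image's openssl.cnf although none of them is installed, and since OpenSSL stops loading engines after the first one that fails, one absent engine silently disables every engine after it. Restricting the test to packages built into the image, e.g. `$(if $(filter y,$(CONFIG_PACKAGE_libopenssl-$(2))),sed -i ...)`, avoids that.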

>  define Package/libopenssl-conf/install
> $(INSTALL_DIR) $(1)/etc/ssl
> $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
> +   $(call Package/libopenssl-conf/enable,$(1),devcrypto)
> +   $(call Package/libopenssl-conf/enable,$(1),afalg)
> +   $(call Package/libopenssl-conf/enable,$(1),padlock)

Hi Daniel

The problem with this is that it will enable the config for all
engines in the bots' configuration (all packages =m).  OpenSSL will
stop loading the engines past the point where one of them fails.  It
may do it silently, or it may show an error.  If you run the `openssl
engine` command (no flags or with -c), it will show the error; if you
add the `-t` flag, the error message is gone.  In either case, the
engines configured after the first failed one will not load.  Suppose
that you install the afalg engine, but not devcrypto.  When it loads
the config file, devcrypto comes first, and openssl will fail to find
it; then the afalg engine will not be loaded.

I do like the idea, though. My first thought was to add an install
script to the engine packages.  The problem is that the config file
may have been changed in a way that sed may produce unwanted results.
It can be mitigated by configuring engines in a separate file, so only
that file needs to be changed.  It will have a nice effect, that a
feed-installed engine can configure itself without needing a config
section added to the openssl-conf package.

Another option, which may be the easiest and safest, is to use your
approach, but only uncomment the engines built into the firmware (=y),
and not the ones built as modules.

Cheers,

Eneas
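As an added example (not code from this thread or from the OpenWrt tree), the engines.d scheme proposed in the April 23 reply above, together with the check that the April 22 reply motivates: OpenSSL stops loading engines after the first one that fails, so a registry that lists only installed engines, plus a check that every listed engine's shared object actually exists, is what keeps one missing module from disabling the rest. Paths are parameters so the functions can be exercised in a scratch directory; the real locations (/etc/ssl/engines.d/engines.cnf and the engines-1.1 directory), the header comment text and the remove_engine counterpart for a package's removal script are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example: maintain an [engines] section in a separate file that
# openssl.cnf pulls in via ".include", so each engine package registers
# itself from its install script instead of sed-editing openssl.cnf.
# File locations are parameters; the production paths are an assumption.

# Create the shared engines.cnf (header + comments) if it does not exist.
engines_cnf_init() {
    cnf="$1"
    [ -f "$cnf" ] && return 0
    mkdir -p "$(dirname "$cnf")"
    cat > "$cnf" <<'EOF'
# Engines registered by OpenWrt engine packages.  Managed by package
# install/remove scripts; one "name=name" line per installed engine.
# Edit with care: OpenSSL stops loading the engines that follow the
# first one that fails to load.
[engines]
EOF
}

# Register engine $1 (the .so name without extension) in engines.cnf $2.
# Idempotent: a second call for the same engine is a no-op.
add_engine() {
    engine="$1"; cnf="$2"
    engines_cnf_init "$cnf"
    grep -q "^$engine=$engine\$" "$cnf" && return 0
    echo "$engine=$engine" >> "$cnf"
}

# Deregister engine $1 from $2, for use in the package's removal script
# (assumed counterpart, not part of the thread's proposal).
remove_engine() {
    engine="$1"; cnf="$2"
    [ -f "$cnf" ] || return 0
    # grep -v exits 1 when no line is left; that is not an error here.
    grep -v "^$engine=$engine\$" "$cnf" > "$cnf.tmp" || true
    mv "$cnf.tmp" "$cnf"
}

# Print the engines currently registered in $1, one per line.
list_engines() {
    [ -f "$1" ] || return 0
    sed -n 's/^\([A-Za-z0-9_]*\)=\1$/\1/p' "$1"
}

# Every registered engine must have its shared object in directory $2;
# report the first one that is missing and fail, because that engine
# would block loading of every engine listed after it.
check_engines() {
    cnf="$1"; engdir="$2"
    for e in $(list_engines "$cnf"); do
        if [ ! -f "$engdir/$e.so" ]; then
            echo "missing engine: $e"
            return 1
        fi
    done
    return 0
}
```

Wiring it up is assumed to look like the thread describes: openssl.cnf carries a `.include /etc/ssl/engines.d` line (the directory must exist even when empty) and points its `engines =` directive at the `[engines]` section that engines.cnf defines; check_engines is the post-install sanity check an image could run against the installed engines directory before trusting the registry.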



Re: OpenWrt 21.02-rc1

2021-04-07 Thread Eneas U de Queiroz
On Tue, Apr 6, 2021 at 7:30 PM Hauke Mehrtens  wrote:
>
> Hi,
>
> How do we want to go forward with OpenWrt 21.02-rc1?
>
> * I think the base system is ok.
> * The http (original wolfssl) problem reported by jow is fixed
> * LuCI in the 21.02 branch still misses DSA support, this was merged
> into master some time ago as far as I understood.

Hi

I would suggest to have some commits cherry-picked to 21.02:

920eaab1d8 kernel: DSA roaming fix for Marvell mv88e6xxx
af22991e03 build: make sure asm gets built with -DPIC

I consider the first commit critical: without it clients get
disconnected for 5 minutes when roaming from an affected AP (Omnia,
WRT3200, among others) WLAN port to a LAN port (roaming between
LAN-connected APs, for example).

The second one is needed to build strongswan for x86_64 [1].  The
support commits have already been pushed to the 21.02 branch of the
packages feed.

Eneas


[1] 
https://downloads.openwrt.org/releases/faillogs-21.02/x86_64/packages/strongswan/compile.txt



Re: [RFC PATCH] openssl: make the patches QUILT-friendly

2021-03-26 Thread Eneas U de Queiroz
On Fri, Mar 26, 2021 at 7:35 PM Kevin 'ldir' Darbyshire-Bryant
 wrote:
>
> ... I was also frustrated that there was patch fuzz in the tree on a fairly 
> core package - that really shouldn’t be the case.

My apologies.  I work in a clone of the openssl git repo, rebasing the
changes on top of the current version.  I always look at the diffs
before sending the patch to openwrt.  If they were just line changes,
I wouldn't bother to touch the patch, in order to minimize changes.
I'll revise my approach and change the files no matter what.

Cheers,

Eneas



Re: [PATCH] openssl: don't rename a file with quilt

2021-03-26 Thread Eneas U de Queiroz
On Fri, Mar 26, 2021 at 6:57 PM Felix Fietkau  wrote:
> I fully agree with Eneas here (though I don't like his patch for this
> issue either).

This is the first time I wrote a patch I do NOT want to be applied.  I
just want to keep the status quo.

> Here's a way to fix this:
>
> include/package-defaults.mk has this:
>
>   define Build/Prepare/Default
> $(PKG_UNPACK)
> [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR)
> $(Build/Patch)
>   endef

However, this is run before the patches are even applied when QUILT=1.
$(Build/Patch) just builds the quilt patch tree.  A much simpler
solution, if we are really going to change the patches, is to just
$(CP) the file in Build/Configure.  If we move it--no matter
where--then we can't go back and forth with quilt push & pop, which
would hinder its usefulness.

>
> You can adjust it to define this in the package Makefile:
>
> define Build/Prepare
> $(PKG_UNPACK)
> [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR)
> mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c 
> $(PKG_BUILD_DIR)/engines/e_devcrypto.c
> $(Build/Patch)
> endef
>
> - Felix



Re: [PATCH] openssl: don't rename a file with quilt

2021-03-26 Thread Eneas U de Queiroz
On Fri, Mar 26, 2021 at 4:28 PM Rosen Penev  wrote:
>
> On Fri, Mar 26, 2021 at 5:55 AM Eneas U de Queiroz
>  wrote:
> >
> > On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev  wrote:
> > > +ifeq ($(QUILT),)
> > > +   mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c 
> > > $(PKG_BUILD_DIR)/engines/e_devcrypto.c
> > > +endif
> >
> > This will break compilation with QUILT, as the rename will never
> > happen then.  You're using this strategy with other packages, so I
> > won't mention them individually, but this applies to all.
> > I would handle it at the patch level by removing the old file and
> > creating the new one.
> It doesn't break quilt as the rename happens separately. Note that the
> patches were modified to refer to the old name.
It breaks 'make package/openssl/compile QUILT=1', because the 'mv'
command will never run when QUILT is not empty.  You can't run the
'mv' line with quilt because the patches are not applied in
Build/Prepare.  However, you must ensure it is run later, or the
package will not compile with QUILT=1.  I can point you to
openwrt/packages#14894 to see why you can't just skip running stuff
when QUILT is defined.
> >
> > Alternatively, you can keep your strategy, adding the rename with
> > QUILT in Build/Configure, with the caveat that it will run every time
> > compile is called, so you'll need to ignore an eventual error, and
> > make sure that the original file was not recreated somewhere in the
> > build process by a previous compile run, which would clobber the
> > patched file.
> I haven't seen any issues. Locally I run make package/x/{clean,refresh}
make package/openssl/compile V=sc  QUILT=1
...
make[4]: *** No rule to make target 'engines/e_devcrypto.c', needed by
'engines/e_devcrypto.o'.  Stop.

BTW, I imagine you don't build with QUILT=1 much, do you?

make -j4 package/openssl/compile
make[2]: Entering directory '/home/equeiroz/src/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/equeiroz/src/openwrt/scripts/config'
 make[1] package/openssl/compile
 make[2] -C package/libs/toolchain compile
 make[2] -C package/libs/zlib compile
 make[2] -C package/firmware/prism54-firmware compile
 make[2] -C package/firmware/linux-firmware compile
 make[2] -C package/kernel/linux compile
 make[2] -C package/kernel/cryptodev-linux compile
 make[2] -C package/libs/openssl compile

make -j4 package/openssl/compile QUILT=1
make[2]: Entering directory '/home/equeiroz/src/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/equeiroz/src/openwrt/scripts/config'
 make[1] package/openssl/compile
 make[2] -C package/libs/openssl compile

It does not check dependencies every time you call compile.  Try make
package/seafile-server/compile for some fun.

Cheers,

Eneas



[RFC PATCH] openssl: make the patches QUILT-friendly

2021-03-26 Thread Eneas U de Queiroz
The patches in this package are all made by git format-patches.  If one
were to run 'make package/openssl/{refresh,update}', then things will
not work as expected, because quilt does not deal well with
patches that rename files.  For openssl, the problematic patch is
430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch.

So, I've generated a new patch with 'git format-patch --no-renames', and
then 'make package/openssl/{refresh,update}'.

Signed-off-by: Eneas U de Queiroz 
---

While I really prefer to leave the git-formatted patches as they are, I
know quilt is the preferred way of handling patches in OpenWRT, so I'm
presenting this as RFC, so the core developers can decide.

ldir has made a similar commit e27ef2da0d, and then reverted it right away
in bbb9c1c2be, and I don't know why.

neheb proposed a patch [1] that does the file renaming in Build/Prepare, so
that it is easier to use quilt while refreshing patches after a package
bump.  It has an undesirable side-effect of not running the renaming
portion at all when using QUILT, resulting in a build failure.

Some packages in the packages feed are skipping build steps when running
with QUILT, to speed up automatic refresh of patches, and I've been
fixing them as I stumble upon some of the failures.

At least to me, being able to quickly build with QUILT=1, without having
to start from scratch and go through dependencies is an immensely
useful feature that I would not trade for having tidier patches.

For this package, one could rename the files in Build/Configure when
compiling with QUILT without a problem.  So, if desired, it could be
done neheb's way instead.

In my opinion, QUILT is not particularly useful for rebasing large
changes, such as the engine patches here.  So even if neheb's proposal
has a nice intention, it is not appropriate for this package.

If the motivation is just to run make package/openssl/{refresh,update},
perhaps automatically to keep patches tidy, then this patch will
suffice.

Cheers,

Eneas

[1] 
https://patchwork.ozlabs.org/project/openwrt/patch/20210326092548.14019-1-ros...@gmail.com/

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..458b064f13 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..2ae5938bdc 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -1,4 +1,4 @@
-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Thu, 27 Sep 2018 08:29:21 -0300
 Subject: Do not use host kernel version to disable AFALG
@@ -8,11 +8,9 @@ version to disable building the AFALG engine on openwrt 
targets.
 
 Signed-off-by: Eneas U de Queiroz 
 
-diff --git a/Configure b/Configure
-index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtra
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";
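Review bot: the refreshed header `+From  Mon Sep 17 00:00:00 2001` has lost the commit id that `-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217` carried, and the `-diff --git a/Configure b/Configure` / `-index 5a699836f3..74d057c219` lines go with it, so the patch no longer records which upstream tree it was generated against. If the goal of the series is only `--no-renames`, keep the hash in the `From` line (quilt applies the patch just as well with it) so the provenance the cover letter cares about is preserved.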
diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch 
b/package/libs/openssl/patches/110-openwrt_targets.patch
index d0530b4661..50a9ebe2d6 100644
--- a/package/libs/openssl/patches/110-openwrt_targets.patch
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -1,4 +1,4 @@
-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Thu, 27 Sep 2018 08:30:24 -0300
 Subject: Add openwrt targets
@@ -7,9 +7,6 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt
 
 Signed-off-by: Eneas U de Queiroz 
 
-diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
-new file mode 100644
-index 00..86a86d31e4
 --- /dev/null
 +++ b/Configurations/25-openwrt.conf
 @@ -0,0 +1,48 @@
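Review bot: with `-new file mode 100644` dropped along with the `diff --git` and `index` lines, the patch that creates `Configurations/25-openwrt.conf` no longer carries an explicit file mode; only `--- /dev/null` / `+++ b/Configurations/25-openwrt.conf` is left. Harmless for a configuration file, but a sentence in the commit message saying the header lines were removed by the refresh on purpose would stop the next reader from treating it as accidental loss.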
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch 
b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
index 7faec9ab88..90282706d1 100644
--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -1,4 +1,4 @@
-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Thu, 27 Sep 2018 08:31:38 -0300
 Subject: Avoid exposing build directories
@@ -8,11 +8,9 @@ OpenS

[PATCH] openssl: bump to 1.1.1k

2021-03-26 Thread Eneas U de Queiroz
This version fixes 2 security vulnerabilities, among other changes:

 - CVE-2021-3450: problem with verifying a certificate chain when using
   the X509_V_FLAG_X509_STRICT flag.

 - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client.

Signed-off-by: Eneas U de Queiroz 
---

This was run-tested on WRT3200ACM (mvebu, armv7), using nginx, and
openssl util to encrypt & decrypt some files using software and the
devcrypto engine, since there have been some changes in the engine,
related to BSD compatibility, when opening the /dev/crypto device.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 436abfd94c..7ab4c6ccd0 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=j
+PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf
+PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
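Review bot: `PKG_HASH` moves from `aaf2fcb5...` to `892a0875...` in the same commit as the `PKG_BUGFIX:=k` bump, and the cover letter describes run-testing but not how the new SHA-256 was checked. Since this value is what the build system trusts for the downloaded tarball, state in the commit message that it was compared against the upstream-published checksum or the signed release announcement.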
diff --git 
a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
 
b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
index 71dc5bf99b..ea3f8fb8a7 100644
--- 
a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+++ 
b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
@@ -116,7 +116,7 @@ diff --git a/crypto/engine/eng_devcrypto.c 
b/engines/e_devcrypto.c
 similarity index 95%
 rename from crypto/engine/eng_devcrypto.c
 rename to engines/e_devcrypto.c
-index 0d420e50aa..3fcd81de7a 100644
+index 2c1b52d572..eff1ed3a7d 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/engines/e_devcrypto.c
 @@ -7,7 +7,7 @@
@@ -152,22 +152,6 @@ index 0d420e50aa..3fcd81de7a 100644
  
  /*
   * cipher/digest status & acceleration definitions
-@@ -341,6 +343,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int 
p1, void* p2)
- struct cipher_ctx *to_cipher_ctx;
- 
- switch (type) {
-+
- case EVP_CTRL_COPY:
- if (cipher_ctx == NULL)
- return 1;
-@@ -702,7 +705,6 @@ static int digest_init(EVP_MD_CTX *ctx)
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
- }
--
- return 1;
- }
- 
 @@ -1058,7 +1060,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
  OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, "
  OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE)
@@ -177,7 +161,7 @@ index 0d420e50aa..3fcd81de7a 100644
  ENGINE_CMD_FLAG_NUMERIC},
  #endif
  
-@@ -1166,55 +1168,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, 
void *p, void (*f) (void))
+@@ -1166,32 +1168,22 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, 
void *p, void (*f) (void))
   *
   */
  
@@ -201,10 +185,12 @@ index 0d420e50aa..3fcd81de7a 100644
 +static int open_devcrypto(void)
  {
 -ENGINE *e = NULL;
+ int fd;
+ 
 +if (cfd >= 0)
 +return 1;
- 
- if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
++
+ if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
  #ifndef ENGINE_DEVCRYPTO_DEBUG
  if (errno != ENOENT)
  #endif
@@ -213,6 +199,19 @@ index 0d420e50aa..3fcd81de7a 100644
 +return 0;
  }
  
+ #ifdef CRIOGET
+@@ -1199,35 +1191,61 @@ void engine_load_devcrypto_int()
+ fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
+ close(fd);
+ cfd = -1;
+-return;
++return 0;
+ }
+ close(fd);
+ #else
+ cfd = fd;
+ #endif
+ 
 -if ((e = ENGINE_new()) == NULL
 -|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
 -ENGINE_free(e);
@@ -278,7 +277,7 @@ index 0d420e50aa..3fcd81de7a 100644
  /*
   * Asymmetric ciphers aren't well supported with /dev/crypto.  Among the BSD
   * implementations, it seems to only exist in FreeBSD, and regarding the
-@@ -1237,23 +1254,36 @@ void engine_load_devcrypto_int()
+@@ -1250,23 +1268,36 @@ void engine_load_devcrypto_int()
   */
  #if 0
  # ifndef OPENSSL_NO_RSA
@@ -324,7 +323,7 @@ index 0d420e50aa..3fcd81de7a 100644
  ENGINE_free(e);
  return;
  }
-@@ -1262,3 +1292,22 @@ void engine_load_devcrypto_int()
+@@ -1275,3 +1306,22 @@ void engine_load_devcrypto_int()
  ENGINE_free(e);  /* Loose our local reference */
  ERR_clear_error();
  }
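Review bot: the removed blocks `-@@ -341,6 +343,7 @@ static int cipher_ctrl` and `-@@ -702,7 +705,6 @@ static int digest_init` were whitespace-only hunks, and in the new `#ifdef CRIOGET` block the failure path changes from `-return;` to `+return 0;` because `open_devcrypto()` now returns an int; both follow from the 1.1.1k engine changes the cover letter only calls "some changes in the engine". Listing the dropped hunks and the adapted return value in the commit message would make the rebase reviewable without re-reading the whole patch.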



Re: [PATCH] openssl: don't rename a file with quilt

2021-03-26 Thread Eneas U de Queiroz
Hi Rosen

This patch does not apply as is, but don't write a v2 yet.
I'm testing the bump to 1.1.1k, and I'll handle it from there, by
using --no-renames with git format-patch.  I'm maintaining the patches
at https://github.com/cotequeiroz/openssl, and refreshing backports
with git is much easier than with quilt.  See comments below, as your
patchset breaks compilation with QUILT.

On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev  wrote:
>
> quilt cannot handle file renames and ends up duplicating the file.
> Instead of doing that, handle the renaming in the Makefile so that
> the upstream file can change.
>
> Signed-off-by: Rosen Penev 
> ---
>  package/libs/openssl/Makefile |7 +
>  ...o-make-the-dev-crypto-engine-dynamic.patch | 2633 +
>  ...default-to-not-use-digests-in-engine.patch |4 +-
>  ...to-ignore-error-when-closing-session.patch |4 +-
>  4 files changed, 151 insertions(+), 2497 deletions(-)
>
> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
> index 436abfd94c..f3113cab6e 100644
> --- a/package/libs/openssl/Makefile
> +++ b/package/libs/openssl/Makefile
> @@ -324,6 +324,13 @@ OPENSSL_TARGET:=linux-$(call 
> qstrip,$(CONFIG_ARCH))-openwrt
>
>  STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | 
> mkhash md5)
>
> +define Build/Prepare
> +   $(call Build/Prepare/Default)


> +ifeq ($(QUILT),)
> +   mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c 
> $(PKG_BUILD_DIR)/engines/e_devcrypto.c
> +endif
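Review bot: `ifeq ($(QUILT),)` around the `mv` skips the rename whenever QUILT is set, while the patches in the same series were rewritten to refer to the old path, so `make package/openssl/compile QUILT=1` has nothing that produces `engines/e_devcrypto.c` and fails. The rename has to happen on the QUILT path as well (in Build/Configure, guarded so a repeated run does not clobber the patched file), or be expressed in the patch itself as a delete of `crypto/engine/eng_devcrypto.c` plus an add of the new file.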

This will break compilation with QUILT, as the rename will never
happen then.  You're using this strategy with other packages, so I
won't mention them individually, but this applies to all.
I would handle it at the patch level by removing the old file and
creating the new one.

Alternatively, you can keep your strategy, adding the rename with
QUILT in Build/Configure, with the caveat that it will run every time
compile is called, so you'll need to ignore an eventual error, and
make sure that the original file was not recreated somewhere in the
build process by a previous compile run, which would clobber the
patched file.

Cheers



Re: [PATCH] gmp: compile with -DPIC to use correct asm code

2021-03-19 Thread Eneas U de Queiroz
On Fri, Mar 19, 2021 at 5:08 PM Philip Prindeville
 wrote:
>
>
> Maybe I'm missing something, but why not just fix rules.mk:
>
>
> ifneq (,$(findstring $(ARCH) , aarch64 aarch64_be powerpc ))
>   FPIC:=-fPIC
> else
>   FPIC:=-fpic
> endif
>
> HOST_FPIC:=-fPIC
>
>
> To have the FPIC and HOST_FPIC definitions include -DPIC?

I think it would be the proper way to handle this.  I was initially
fearful of changing too much and breaking things, but I think it
should be expected behaviour.  What else would you use a 'PIC'
definition for?  I will resend a patch changing rules.mk instead.



[PATCH] gmp: compile with -DPIC to use correct asm code

2021-03-11 Thread Eneas U de Queiroz
The library is always compiled with $(FPIC) (-fPIC or -fpic), even for
the static library.

There are some assembly sources that decide whether or not to enable
PIC code by checking if PIC is defined.  It counts on libtool to define
it, but libtool does it only when producing code for the dynamic
library, while we need it for both.

Ensure it is defined by adding it to CFLAGS next to $(FPIC).

It avoids linking errors with strongswan on x86_64:

ld: libgmp.a(bdiv_q_1.o): relocation R_X86_64_PC32 against symbol
`__gmp_binvert_limb_table' can not be used when making a shared object;
recompile with -fPIC

Cc: Stijn Tintel 
Signed-off-by: Eneas U de Queiroz 
---

There's an error on one architecture, and all others work fine without
this, so I'm uneasy changing this and then breaking stuff that was
working fine otherwise.  However, it feels wrong to me to generate PIC
code from C files, but not use it in asm sources, which is essentially
what I am changing here.

I've looked at asm sources for different architectures, and there are
checks for PIC in: arm64, arm, x86_64, x86, and ppc asm sources, but the
error only appears on x86_64.

For most CPUs, ifdef(`PIC'), is just used to do different definitions of
LEA (Load Effective Address).  However, both x86 and x86_64 have many
other checks.

I've looked at bdiv_q_1.asm for different CPUs, and they all do some
form of LEA(binvert_limb_table), except for x86, where it will do it
only when PIC is defined.  That may explain why x86_64 is affected, and
x86 is not.

I have not investigated further details.

Alternatively, we can define it only for x86_64, which is where we know
there's a build failure with the linker asking to recompile with -fPIC.


 package/libs/gmp/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libs/gmp/Makefile b/package/libs/gmp/Makefile
index eb7d808139..d59e8fe947 100644
--- a/package/libs/gmp/Makefile
+++ b/package/libs/gmp/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gmp
 PKG_VERSION:=6.2.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)$(PKG_REVISION).tar.xz
 PKG_SOURCE_URL:=@GNU/gmp/
@@ -38,7 +38,7 @@ define Package/libgmp/description
signed integers, rational numbers, and floating point numbers.
 endef
 
-TARGET_CFLAGS += $(FPIC)
+TARGET_CFLAGS += -DPIC $(FPIC)
 CONFIGURE_VARS += CC="$(TARGET_CROSS)gcc"
 CONFIGURE_ARGS += \
--enable-shared \
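Review bot: `-DPIC` is added only to gmp's `TARGET_CFLAGS` in `+TARGET_CFLAGS += -DPIC $(FPIC)`, while the cover letter notes that the same `ifdef(`PIC')` checks exist in the arm, arm64, x86, x86_64 and ppc asm sources and that libtool defines PIC only for the shared build. If the define is meant to accompany `$(FPIC)` wherever it is used, defining it next to `FPIC` in rules.mk (as the follow-up discussion proposes) keeps the two together in one place instead of per package.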



[PATCH] wolfssl: bump to v4.7.0-stable

2021-02-21 Thread Eneas U de Queiroz
Biggest fix for this version is CVE-2021-3336, which has already been
applied here.  There are a couple of low severity security bug fixes as
well.

Three patches are no longer needed, and were removed; the one remaining
was refreshed.

Signed-off-by: Eneas U de Queiroz 
---
This was run-tested with master on mvebu using uhttpd and hostapd, and
should be cherry-picked to 21.02, and 19.07.  It was compile-tested with
21.02 and 19.07.

---
 package/libs/wolfssl/Makefile |  6 +--
 .../wolfssl/patches/010-CVE-2021-3336.patch   | 53 ---
 .../patches/100-disable-hardening-check.patch |  2 +-
 ...Fix-linking-against-hostapd-with-LTO.patch | 25 -
 .../patches/120-enable-secret-callback.patch  | 10 
 5 files changed, 4 insertions(+), 92 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/010-CVE-2021-3336.patch
 delete mode 100644 
package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
 delete mode 100644 
package/libs/wolfssl/patches/120-enable-secret-callback.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 846351f06d..53cd932d1f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.6.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.7.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
+PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch 
b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
deleted file mode 100644
index abb9bfdd9b..00
--- a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
-From: Sean Parkinson 
-Date: Thu, 21 Jan 2021 08:24:38 +1000
-Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
-

- src/tls13.c | 18 +-
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
 a/src/tls13.c
-+++ b/src/tls13.c
-@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
- #ifdef HAVE_ED25519
- if (args->sigAlgo == ed25519_sa_algo &&
-   
!ssl->peerEd25519KeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
-+WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ED448
- if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
-+WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ECC
- if (args->sigAlgo == ecc_dsa_sa_algo &&
-
!ssl->peerEccDsaKeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
-+WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifndef NO_RSA
- if (args->sigAlgo == rsa_sa_algo) {
--WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
-+WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
- ERROR_OUT(INVALID_PARAMETER, exit_dcv);
- }
- if (args->sigAlgo == rsa_pss_sa_algo &&
-  (ssl->peerRsaKey == NULL || 
!ssl->peerRsaKeyPresent)) {
--WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
-+WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- 
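Review bot: the deleted backport's `-From fad1e67677bf7797b6bd6e1f21a513c289d963a7` line is the only record of which upstream commit fixed CVE-2021-3336; the commit message says the fix "has already been applied here" but does not say that this commit is contained in v4.7.0-stable. Naming the upstream commit (or the release note entry) in the message lets the deletion be verified without diffing the new tarball against the patch.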
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c2793285e7..c89ff1be9d 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for

[PATCH] openssl: always build with GOST engine support

2021-02-17 Thread Eneas U de Queiroz
The packages feed has a proposed package for a GOST engine, which needs
support from the main openssl library.  It is a default option in
OpenSSL.  All that needs to be done here is to not disable it.

Package increases by a net 1-byte, so it is not really worth
keeping this optional.

This commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.

Signed-off-by: Eneas U de Queiroz 
---
Run tested in WRT3200ACM (mvebu), with and without gost-engine 1.1.0.3.
GOST engine PR: https://github.com/openwrt/packages/pull/14765

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index d1281ec6fa..bc2f0584b6 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC
initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine.
 
-config OPENSSL_WITH_GOST
-   bool
-   prompt "Prepare library for GOST engine"
-   depends on OPENSSL_ENGINE
-   help
-   This option prepares the library to accept engine support
-   for Russian GOST crypto algorithms.
-   The gost engine is not included in standard openwrt feeds.
-   To build such engine yourself, see:
-   https://github.com/gost-engine/engine
-
 endif
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 4fb4cb2784..378545ac43 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=j
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -50,7 +50,6 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_DTLS \
CONFIG_OPENSSL_WITH_EC2M \
CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
-   CONFIG_OPENSSL_WITH_GOST \
CONFIG_OPENSSL_WITH_IDEA \
CONFIG_OPENSSL_WITH_MDC2 \
CONFIG_OPENSSL_WITH_NPN \
@@ -287,10 +286,6 @@ else
   OPENSSL_OPTIONS += no-engine
 endif
 
-ifndef CONFIG_OPENSSL_WITH_GOST
-  OPENSSL_OPTIONS += no-gost
-endif
-
 ifndef CONFIG_OPENSSL_WITH_DTLS
   OPENSSL_OPTIONS += no-dtls
 endif
diff --git 
a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch 
b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 81d41963c6..c90fce2442 100644
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -1,6 +1,6 @@
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -22,6 +22,82 @@ oid_section = new_oids
+@@ -22,6 +22,99 @@ oid_section = new_oids
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
  
@@ -14,6 +14,7 @@
 +#devcrypto=devcrypto
 +#afalg=afalg
 +#padlock=padlock
++##gost=gost
 +
 +[afalg]
 +# Leave this alone and configure algorithms with CIPERS/DIGESTS below
@@ -79,6 +80,22 @@
 +
 +[padlock]
 +default_algorithms = ALL
++
++[gost]
++default_algorithms = ALL
++# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the
++# user to choose between different parameter sets of symmetric cipher
++# algorithm. RFC 4357 specifies several parameters for the
++# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface
++# to choose one when encrypting. So use engine configuration parameter
++# instead.
++# Value of this parameter can be either short name, defined in OpenSSL
++# obj_dat.h header file or numeric representation of OID, defined in
++# RFC 4357.  Defaults to id-tc26-gost-28147-param-Z
++#CRYPT_PARAMS = id-tc26-gost-28147-param-Z
++
++# PBE_PARAMS: Shortname of default digest alg for PBE
++#PBE_PARAMS =
 +
  [ new_oids ]
  
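Review bot: `++##gost=gost` uses two `#` characters while the `#devcrypto=devcrypto`, `#afalg=afalg` and `#padlock=padlock` lines above it use one. If the doubled `#` is meant to mark gost as an engine that is not built in-tree, say so in a comment; otherwise make it match the other lines so any install-time uncommenting of `^#name=name` treats all four engines alike.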



[PATCH] openssl: bump to 1.1.1j

2021-02-16 Thread Eneas U de Queiroz
This fixes 4 security vulnerabilities/bugs:

- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
  SSLv2, but the affected functions still exist. Considered just a bug.

- CVE-2021-2840 - calls to EVP_CipherUpdate, EVP_EncryptUpdate and
  EVP_DecryptUpdate may overflow the output length argument in some
  cases where the input length is close to the maximum permissible
  length for an integer on the platform. In such cases the return value
  from the function call will be 1 (indicating success), but the output
  length value will be negative.

- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate. However it was failing to
  correctly handle any errors that may occur while parsing the issuer
  field (which might occur if the issuer field is maliciously
  constructed). This may subsequently result in a NULL pointer deref and
  a crash leading to a potential denial of service attack.

- Fixed SRP_Calc_client_key so that it runs in constant time. This could
  be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz 
---
This was run-tested on a WRT3200ACM (mvebu), using nginx, and wpad, and
openssl-util.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 714ce2059a..4fb4cb2784 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=i
+PKG_BUGFIX:=j
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242
+PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
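Review bot: two of the three mirrors in `PKG_SOURCE_URL` are plain `http://` and the third is `ftp://`, so the download itself is unauthenticated and the updated `PKG_HASH` is the only integrity check on the tarball; the commit message should say the new hash was checked against the SHA256 published by upstream rather than computed from whatever was fetched.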



Re: [PATCH] kernel: DSA roaming fix for Marvell Link Street switch series

2021-02-15 Thread Eneas U de Queiroz
On Tue, Feb 2, 2021 at 6:15 AM DENG Qingfang  wrote:
>
> Marvell Link Street switch series cannot perform MAC learning from
> CPU-injected (FROM_CPU) DSA frames, which results in 2 issues.
> - excessive flooding, due to the fact that DSA treats those addresses
> as unknown
> - the risk of stale routes, which can lead to temporary packet loss
>
> Backport those patch series from netdev mailing list, which solve these
> issues by adding and clearing static entries to the switch's FDB.
>
> Add a hack patch to set default VID to 1 in port_fdb_{add,del}. Otherwise
> the static entries will be added to the switch's private FDB if VLAN
> filtering disabled, which will not work.
>
> Link: https://lore.kernel.org/netdev/20210106095136.224739-1-olte...@gmail.com/
> Link: https://lore.kernel.org/netdev/20210116012515.3152-1-tob...@waldekranz.com/
> Link: https://lore.kernel.org/netdev/20210130134334.10243-1-dqf...@gmail.com/
> Ref: https://gitlab.nic.cz/turris/turris-build/-/issues/165
> Signed-off-by: DENG Qingfang 

Tested-by: Eneas U de Queiroz 

I have tested this using WRT3200ACM, and it solves the problem of
clients not able to roam from one AP to another--my APs are wired,
not using WDS.  Clients would not be able to communicate for 300s
after roaming from one AP to another.  I consider this a critical bug,
so a fix must be included before 2021.02 branches.  I have applied the
patch to 3 APs, and have been using them for days without any real
issue--I'm not considering the 'ATU member violation' messages
reported earlier an issue, as they do appear to be harmless.

Cheers,

Eneas



Re: Deprecate snort in favor of snort3

2021-01-31 Thread Eneas U de Queiroz
On Sun, Jan 31, 2021 at 3:45 PM W. Michael Petullo  wrote:
>
> OpenWrt provides two snort packages: snort and snort3. Now that snort3 is
> out of beta, I would like to consider deprecating the snort package. One
> difficulty of maintaining both packages is that a different version of
> the libdaq package is required for each. The two versions cannot coexist,
> and this makes build-server builds fail.
>
> I do not know how popular the snort package is. I use snort3.
>
> Is dropping snort advisable? If so, what is the procedure?
>
> --
> Mike

I was about to open a PR to have each version of libdaq installed into
its own directory, which would take care of the build failure.
However, I think removing the snort3 package, then bumping the stable
snort to the latest version is the best way to go.  I would not leave
the version number as part of the package name.  If you want to keep
this status quo a little longer, tell me and I'll open the PR.
BTW, I don't use the packages, I was just going to fix the build failure.

Cheers,

Eneas



Re: [PATCH] base-files: sysupgrade: store status of system-services

2021-01-11 Thread Eneas U de Queiroz
+1
I agree 100% with Adrian on this one.  Enable by default, add option
to disable.  Disabled services are, intuitively, part of the
configuration being saved.  So, it should not be saved when '-n' is
given.  I may be stretching things a bit, but I would consider this a
fix, not a feature change ;-).

Cheers,

Eneas

On Mon, Jan 11, 2021 at 9:48 AM Adrian Schmutzler
 wrote:
>
> > There are just 2 people (me, Andrew Heider) that would like to see saving
> > service status done by default when sysupgrading, and other 2 people that
> > would like it in its own setting option (Stjin Segers and Paul Spooren).
>
> +1 for saving service status by default. This has always annoyed me when 
> working with "default" images and actually for me it was expected behavior 
> until I found out it is not happening.
> This is a very relevant behavior/feature affecting many of our "standard" 
> users, e.g. when using OpenWrt for "Dump AP" setups where you disable DHCP 
> etc. I'm sure a two-digit percentage of users setting up their device like 
> that won't even be aware that they suddenly have a DHCP running again after 
> upgrade.
>
> Of course, if adding an option to _disable_ is fairly easy, we should do so.
>
> Best
>
> Adrian



[PATCH] wolfssl: Update to v4.6.0-stable

2020-12-29 Thread Eneas U de Queiroz
This version fixes a large number of bugs, although no security
vulnerabilities are listed.

Full changelog at:
https://www.wolfssl.com/docs/wolfssl-changelog/
or, as part of the version's README.md:
https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md

Due to a number of API additions, size increases from 374.7K to 408.8K for
arm_cortex_a9_vfpv3-d16.  The ABI does not change from the previous version.

Backported patches were removed; remaining patch was refreshed.

Signed-off-by: Eneas U de Queiroz 
---

Run-tested on a Linksys WRT3200ACM (arm) with uhttpd, uclient-fetch, and
wpad-wolfssl.

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 6758f7dd08..dcc6aca40c 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.5.0-stable
-PKG_RELEASE:=5
+PKG_VERSION:=4.6.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c
+PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
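Review bot: `PKG_SOURCE_URL` points at `https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)`, an archive GitHub generates on the fly; such archives are not guaranteed to stay byte-identical, so a later `PKG_HASH` mismatch can come from regeneration rather than tampering. Prefer a release-asset tarball where one exists, and state in the commit message how the new hash was verified.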
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 43337ba970..c2793285e7 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch 
b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
deleted file mode 100644
index 3838865559..00
--- a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001
-From: Tesfa Mael 
-Date: Wed, 26 Aug 2020 10:13:06 -0700
-Subject: [PATCH] Make ByteReverseWords available for big and little endian
-

- wolfcrypt/src/misc.c | 2 --
- 1 file changed, 2 deletions(-)
-
 a/wolfcrypt/src/misc.c
-+++ b/wolfcrypt/src/misc.c
-@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo
- return rotlFixed(value, 16U);
- #endif
- }
--#if defined(LITTLE_ENDIAN_ORDER)
- /* This routine performs a byte swap of words array of a given count. */
- WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
- word32 byteCount)
-@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord
- out[i] = ByteReverseWord32(in[i]);
- 
- }
--#endif /* LITTLE_ENDIAN_ORDER */
- 
- #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
- 
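Review bot: the removed patch carries upstream commit `b90acc91d0cd276befe7f08f87ba2dc5ee7122ff`; since the commit message only says "Backported patches were removed", please state that this commit is contained in `v4.6.0-stable`, so big-endian targets are known not to regress.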
diff --git a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch 
b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
deleted file mode 100644
index aaf14e46d9..00
--- a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001
-From: Eric Blankenhorn 
-Date: Fri, 17 Jul 2020 08:37:02 -0500
-Subject: [PATCH] Fix CheckHostName matching
-

- src/internal.c | 18 --
- src/ssl.c  |  5 +
- tests/api.c| 30 ++
- 3 files changed, 47 insertions(+), 6 deletions(-)
-
-diff --git a/src/internal.c b/src/internal.c
-index dc57df0242..cda815d875 100644
 a/src/internal.c
-+++ b/src/internal.c
-@@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* 
domain, int* checkCN)
- altName = dCert->altNames;
- 
- if (checkCN != NULL) {
--*checkCN = altName == NULL;
-+*checkCN = (altName == NULL) ? 1 : 0;
- }
- 
- while (altName) {
-@@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* 
domain, int* checkCN)
- int CheckHostName(DecodedCert* dCert, const char *domainName, size_t 
domainNameLen)
- {
- int checkCN;
-+int ret = DOMAIN_NAME_MISMATCH;
- 
- /* Assume name is NUL terminated. */
- (void)domainNameLen;
- 
- if (CheckForAltNames(dCert, domainName, ) != 1) {
--WOLFSSL_MSG("DomainName match on alt names failed too");
--return DOMAIN_NAME_MISMATCH;
-+WOLFSSL_MSG("DomainName match on alt names failed");
- }
-+else {
-+ret = 0;
-+}
-+
- if (checkCN == 1) {
- if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
--domainName) == 0) {
-+doma
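Review bot: this deleted patch is a certificate hostname-verification fix (`CheckHostName`/`CheckForAltNames`, upstream `ea5c290d605b2af7b10d6e5ce69aa3534f52385f`), so dropping it is safe only if that commit is part of `v4.6.0-stable`; please confirm that in the commit message rather than leaving it under the generic "Backported patches were removed".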

[PATCH] openssl: update to 1.1.1i

2020-12-11 Thread Eneas U de Queiroz
Fixes: CVE-2020-1971, defined as high severity, summarized as:
NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS
attack.

Signed-off-by: Eneas U de Queiroz 
---
This was run-tested in a WRT-3200ACM

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 77c6d41cec..714ce2059a 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=h
+PKG_BUGFIX:=i
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9
+PKG_HASH:=e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE



Re: [PATCH ustream] ustream-openssl: fix bio memory leak

2020-12-10 Thread Eneas U de Queiroz
Hi Petr

On Thu, Dec 10, 2020 at 12:57 PM Petr Štetiar  wrote:
> > After tackling BIO_free, my suggestion would be to determine where the
> > method table variable should go, and where to call BIO_meth_new and
> > BIO_meth_free.  I would add it to a defined struct
> > ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and
>
> IIRC I've tried that approach already(this WIP solution is like 3rd
> iteration), but that struct is opaque.

I meant the ustream_ssl_ctx structure, which is an ustream internal
structure.  For openssl, we're just using a straight cast to the
openssl's SSL_CTX struct, so that's why it is opaque, while for
mbedtls, it is a defined struct.  What I meant was to actually define
a ustream_ssl_ctx structure for openssl, just as ustream-mbedtls does,
with the BIO_methods and the SSL_CTX as members.

> > would create and free the object in __ustream_ssl_context_new and
> > __ustream_ssl_context_free, which would give it a possibly larger
> > lifetime than the ssl_session or the BIO object.
>
> AFAIK that's exactly what I'm doing in my current solution.

You're doing it at the SSL struct.  You can have multiple SSL structs
under the same SSL_CTX struct. In a server, for example, you  will
have one SSL_CTX object, which accepts connections, creating a new SSL
structure for each connection.  You know I'm just madly fighting for
every CPU cycle of performance optimization I can get. ;-)

If you look at it from an organization and tidiness POV, you can argue
that the BIO methods structure should be placed along with the BIO,
which is with the SSL structure.  I'll let you pick your side.

> > We should coordinate efforts.  You're the boss, so tell me what you want me
> > to do, if anything.
>
> I didn't want to sound like the boss and I apologize if that was the case,
> sorry.

I apologize for the bad choice of words.  Someone has to take the
lead, and that was a rather ill-fated attempt to make it clear that I
would follow your lead, and had nothing to do with your tone or
anything you had done.

> I've just sent out some patches for uclient/ustream-ssl, so I would be
> grateful if you could review and test those changes on your device(s), ideally
> on all three SSL libs and client/server setup. Thanks!

I'll do that over the weekend.  I'm updating openssl to 1.1.1i, which
fixes high severity CVE-2020-1971.  I haven't sent it yet because I
want to test it first, and I'm low on testing resources right now.
I'll probably test openssl tonight, then tackle ustream-ssl.

Cheers,

Eneas



Re: [PATCH ustream] ustream-openssl: fix bio memory leak

2020-12-10 Thread Eneas U de Queiroz
Hi Petr

On Wed, Dec 9, 2020 at 6:59 PM Petr Štetiar  wrote:
>
> Eneas U de Queiroz  [2020-12-09 14:39:06]:
>
> Hi,
>
> > So the answer to your question is because you only allocate the table if
> > methods_ustream is NULL, and it will point to the created table then.
>
> I was referencing the missing freeing of allocated resources.
>
> > We could free it in s_ustream_free, but only to have to create it again
> > with the same data the next time ustream_bio_new is called. I wouldn't do
> > it, but if you'd rather, I can add it in a v2.
>
> Is this micro optimization worth it? You're adding a global variable in the
> library, you're breaking the API layer etc. I'm not supposed to study how it is
> implemented _now_, because it will likely change with the next release (either
> OpenSSL or wolfSSL) and it might be a source of regressions. The API boundary is
> given so I'm just trying to use it as designed and as seen in the
> docs/examples/tests etc. And there is always a new/free combo.
>
The purpose of BIO_METHOD struct is to hold a table of methods for a
BIO object to use.   In our case, it remains constant for the lifetime
of the process.
So, the maximum usable lifetime of methods_ustream is up to the
lifetime of the program--it does not mean that we can't set a shorter
lifetime.

In an ideal world, we would free the resource when the library is
cleaned up/deinitialized, but we don't have a function for that.
So a possible lifetime we can use is the lifetime of the BIO object
using it. One thing we need to be aware of is use after free.  We pass
the pointer to the BIO_new, and we must be sure that openssl will not
access that memory after we free it.  This would be after we call
BIO_free.  The thing is, we aren't making that call, so we are leaking
that resource as well.  That one can't have the lifetime of the
program, its lifetime is no larger than the underlying SSL connection,
apparently.  So we need to take care of that first.

After tackling BIO_free, my suggestion would be to determine where the
method table variable should go, and where to call BIO_meth_new and
BIO_meth_free.  I would add it to a defined struct
ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and
would create and free the object in __ustream_ssl_context_new and
__ustream_ssl_context_free, which would give it a possibly larger
lifetime than the ssl_session or the BIO object.

> > As for the WIP, you're perhaps doing too much work.

I was corrected by my own previous point.

> I'm spending time on this mainly because of FS#3465, perhaps mbedTLS has
> similar issues[1]. In the end I would like to have uclient/ustream-ssl CI
> tested (all 3 SSL libs combinations), with static analyzers, various
> sanitizers and Valgrind. So I have to fix all the issues those tools expose.
>
> Maybe it's too much work, but given the constraints (no globals, follow API),
> it's currently the simplest working solution, but not fully tested yet.
>
> BTW I'm not discouraging you from v2, I've rejected the v1 patch, because it
> doesn't fix the memory leak as advertised in the subject :-) Thanks!

We should coordinate efforts.  You're the boss, so tell me what you
want me to do, if anything.

Cheers,

Eneas



Re: [PATCH ustream] ustream-openssl: fix bio memory leak

2020-12-09 Thread Eneas U de Queiroz
On Wed, Dec 9, 2020 at 1:58 PM Daniel Golle  wrote:
>
> On Wed, Dec 09, 2020 at 05:44:48PM +0100, Petr Štetiar wrote:
> > Eneas U de Queiroz  [2020-12-09 13:06:45]:
> >
> > Hi,
> >
> > > Using the patch by Pan Chen as inspiration, this avoids a memory leak by
> > > using a global BIO_METHOD pointer that doesn't ordinarily need to be
> > > freed.
> >
> > this sounds weird, how is a global pointer avoiding memory leaks? :-)
>
> Well, it moves it from "definitely lost" to "still reachable" when
> looking at it with valgrind. We will still have to free it as well,
> and that could be done just like in the original patch.
>
See my reply to Petr.  I'm not sure if valgrind will be completely
pleased with my approach.  I'm not an expert with valgrind, but it
seems to not like that I left it in the heap to be cleaned up by the
process end, but that is my intention.  As long as I am not allocating
memory again--it will only be created when methods_ustream is NULL,
which is when it is initialized, and there's nowhere else in code that
touches it.  Note the const in the definition of: BIO *BIO_new(const BIO_METHOD *type);
Cheers,
Eneas



Re: [PATCH ustream] ustream-openssl: fix bio memory leak

2020-12-09 Thread Eneas U de Queiroz
On Wed, Dec 9, 2020 at 1:45 PM Petr Štetiar  wrote:
>
> Eneas U de Queiroz  [2020-12-09 13:06:45]:
>
> Hi,
>
> > Using the patch by Pan Chen as inspiration, this avoids a memory leak by
> > using a global BIO_METHOD pointer that doesn't ordinarily need to be
> > freed.
>
> this sounds weird, how is a global pointer avoiding memory leaks? :-)


BIO_METHOD was made opaque by openssl 1.1.0.  It's just a table of
methods, and it does change.  Before that, one would just fill the
struct without having to make any calls.
I am the one responsible for introducing the bug in 34b0b80
[ustream-ssl: add openssl-1.1.0 compatibility].  The old, openssl 1.0
code was just:

static BIO_METHOD methods_ustream = {
   100 | BIO_TYPE_SOURCE_SINK,
   "ustream",
   s_ustream_write,
   s_ustream_read,
   s_ustream_puts,
   s_ustream_gets,
   s_ustream_ctrl,
   s_ustream_new,
   s_ustream_free,
   NULL,
};

So the answer to your question is because you only allocate the table
if methods_ustream is NULL, and it will point to the created table
then.  The table won't change during the lifetime of the process, and
will get freed only when the process ends.

We could free it in s_ustream_free, but only to have to create it
again with the same data the next time ustream_bio_new is called. I
wouldn't do it, but if you'd rather, I can add it in a v2.

>
> > CC: Pan Chen 
> >
> > Signed-off-by: Eneas U de Queiroz 
> >
> > ---
> > Run-tested with a WRT-3200ACM, running uclient_fetch and uhttpd.
> > I have not run it with valgrind or any other debugger.
>
> how do you otherwise verify the correctness? :-) FYI this is my work in 
> progress[1].
>
> 1. 
> https://gitlab.com/ynezz/openwrt-ustream-ssl/-/commit/807ce1de752e021802a563783dfa580950746a0c

As for testing I don't have valgrind running, so I wasn't able to do
it; but someone else can.  That's why I made sure to point it out.  As
for the WIP, you're perhaps doing too much work.

Cheers,

Eneas



[PATCH ustream] ustream-openssl: fix bio memory leak

2020-12-09 Thread Eneas U de Queiroz
Using the patch by Pan Chen as inspiration, this avoids a memory leak by
using a global BIO_METHOD pointer that doesn't ordinarily need to be
freed.

CC: Pan Chen 

Signed-off-by: Eneas U de Queiroz 

---
Run-tested with a WRT-3200ACM, running uclient_fetch and uhttpd.
I have not run it with valgrind or any other debugger.

diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c
index 606ed4a..26b3ed5 100644
--- a/ustream-io-openssl.c
+++ b/ustream-io-openssl.c
@@ -116,20 +116,23 @@ static long s_ustream_ctrl(BIO *b, int cmd, long num, 
void *ptr)
};
 }
 
+static BIO_METHOD *methods_ustream = NULL;
+
 static BIO *ustream_bio_new(struct ustream *s)
 {
BIO *bio;
 
-   BIO_METHOD *methods_ustream;
-
-   methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream");
-   BIO_meth_set_write(methods_ustream, s_ustream_write);
-   BIO_meth_set_read(methods_ustream, s_ustream_read);
-   BIO_meth_set_puts(methods_ustream, s_ustream_puts);
-   BIO_meth_set_gets(methods_ustream, s_ustream_gets);
-   BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl);
-   BIO_meth_set_create(methods_ustream, s_ustream_new);
-   BIO_meth_set_destroy(methods_ustream, s_ustream_free);
+   if (methods_ustream == NULL) {
+   methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK,
+  "ustream");
+   BIO_meth_set_write(methods_ustream, s_ustream_write);
+   BIO_meth_set_read(methods_ustream, s_ustream_read);
+   BIO_meth_set_puts(methods_ustream, s_ustream_puts);
+   BIO_meth_set_gets(methods_ustream, s_ustream_gets);
+   BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl);
+   BIO_meth_set_create(methods_ustream, s_ustream_new);
+   BIO_meth_set_destroy(methods_ustream, s_ustream_free);
+   }
bio = BIO_new(methods_ustream);
BIO_set_data(bio, s);
 
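Review bot: the lazy initialisation has no error handling: if `BIO_meth_new()` returns NULL, the following `BIO_meth_set_write(methods_ustream, ...)` calls dereference it, and `BIO_set_data(bio, s)` still runs without checking that `BIO_new()` succeeded (pre-existing, but this is the place to fix it). The `if (methods_ustream == NULL)` check is also not thread-safe, which is acceptable only if the library is never used from more than one thread and deserves a comment. As the thread discussion points out, the table is now never freed and the BIO itself still lacks a `BIO_free()`, so the leak is moved rather than removed.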



[RFC PATCH 2/2] wolfssl: compile with --enable-opensslall

2020-12-06 Thread Eneas U de Queiroz
This enables all OpenSSL API available.  It is required to avoid some
silent failures, such as when performing client certificate validation.

Package size increases from 356.6K to 374.7K for
arm_cortex-a9_vfpv3-d16.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 4b891d634a..aeea1b7b7b 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.5.0-stable
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
@@ -62,6 +62,7 @@ TARGET_LDFLAGS += -flto
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
--enable-lighty \
+   --enable-opensslall \
--enable-opensslextra \
--enable-sni \
--enable-stunnel \
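Review bot: the comment above `CONFIGURE_ARGS` still reads `# --enable-stunnel needed for OpenSSL API compatibility bits`; with `--enable-opensslall` added alongside `--enable-opensslextra` it should say which option supplies what, and the commit message's claim that this fixes silent client-certificate validation failures would be stronger with a pointer to the failing call or issue.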



[RFC PATCH 0/2] wolfssl: build with --enable-opensslall

2020-12-06 Thread Eneas U de Queiroz
While looking at lighttpd failure to run with wolfssl as its backend[1],
it was suggested to configure wolfssl with both '--enable-lighty', and
'--enable-opensslall'.

While '--enable-lighty', in theory, should make it work, wolfssl's crazy
maze of preprocessor macros, combined with many empty functions and
different data structures, makes its behaviour unpredictable.

Nonetheless, use of '--enable-lighty' should be harmless.  Size increase
is a little over 100 bytes, and it should make it easier for lighttpd to
feature-test the library using 'HAVE_LIGHTY' instead of having to rely
on support for other software, like 'HAVE_STUNNEL'.

Changes in data structures that depend on compile options also make it
hard to use alternative packages, like wolfssl-full and wolfssl-light.

Personally, I think the size increase is not so dramatic, and there is
so much code that gets disabled by its absence that I believe it should
be enabled.  I know that size matters, but having a library that works
consistently is even more important.  I am marking this RFC, as it has a
broad impact.

Please notice that the option name opensslall is somewhat misleading,
since it is not a superset of opensslextra.

Eneas

[1] https://github.com/openwrt/packages/issues/14142

Eneas U de Queiroz (2):
  wolfssl: add lighty support, skip crypttests
  wolfssl: compile with --enable-opensslall

 package/libs/wolfssl/Makefile | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)




[RFC PATCH 1/2] wolfssl: add lighty support, skip crypttests

2020-12-06 Thread Eneas U de Queiroz
This adds the --enable-lighty option to configure, enabling the minimum
API needed to run lighttpd, in the packages feed.  Size increase is
about 120 bytes for arm_cortex-a9_vfpv3-d16.

While at it, speed up build by disabling crypt bench/test.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index dc8ca2b262..4b891d634a 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.5.0-stable
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
@@ -61,9 +61,11 @@ TARGET_LDFLAGS += -flto
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
+   --enable-lighty \
--enable-opensslextra \
--enable-sni \
--enable-stunnel \
+   --disable-crypttests \
--disable-examples \
--disable-jobserver \
--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
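Review bot: `--disable-crypttests` is justified in the commit message purely as a build-speed improvement, but it also drops wolfCrypt's self-tests from the build, so there is no longer an in-tree check that the cipher and digest primitives behave on the target; consider keeping the tests for CI builds or documenting why skipping them is safe.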



[PATCH v2] openssl: use --cross-compile-prefix in Configure

2020-11-28 Thread Eneas U de Queiroz
This sets the --cross-compile-prefix option when running Configure, so
that it will not use the host gcc to figure out, among other
things, compiler defines.  It avoids errors, if the host 'gcc' is
handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz 

---
neheb, or anyone else affected, please test this patch to see if what
I'm claiming is actually true.  At least it does not appear to break
compilation in my case ;-)

Compile-tested using a Gentoo host, and mvebu as target.

Changelog

v1 -> v2
Since the cross prefix is set in Configure, we don't need to override
it when calling make.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 9696748106..77c6d41cec 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=h
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -333,6 +333,7 @@ define Build/Configure
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
+   --cross-compile-prefix="$(TARGET_CROSS)" \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) && \
@@ -345,14 +346,12 @@ TARGET_LDFLAGS += -Wl,--gc-sections
 
 define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-   CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
$(MAKE) -C $(PKG_BUILD_DIR) \
-   CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \
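Review bot: removing `CROSS_COMPILE="$(TARGET_CROSS)"` from both make invocations relies on Configure having recorded the prefix given by `--cross-compile-prefix` in the generated Makefile; since `CC="$(TARGET_CC)"` is still passed on the command line and overrides the generated CC, the two should agree, but the v1 -> v2 changelog would benefit from saying that this was checked in the generated Makefile rather than only that compilation still succeeds.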



[PATCH] openssl: use --cross-compile-prefix in Configure

2020-11-28 Thread Eneas U de Queiroz
This sets the --cross-compile-prefix option when running Configure, so
that it will not use the host gcc to figure out, among other
things, compiler defines.  It avoids an error, when the host 'gcc' is
handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz 

---

neheb, or anyone else affected, please test this patch to see if what
I'm claiming is actually true.  At least it does not appear to break
compilation in my case ;-)

Compile-tested using a Gentoo host, and mvebu as target.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 9696748106..3c0e8c5d2d 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=h
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -333,6 +333,7 @@ define Build/Configure
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
+   --cross-compile-prefix="$(TARGET_CROSS)" \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) && \



[PATCH 19.07] openssl: bump to 1.1.1h

2020-09-28 Thread Eneas U de Queiroz
This is a bug-fix release.  Patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
(cherry picked from commit 475838de1a33d49d1a0b81aad374a8db6dd2b3c8)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 8fe00d970b..9696748106 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=g
+PKG_BUGFIX:=h
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
+PKG_HASH:=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
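
Review bot: the PKG_HASH change is the only integrity check on this download, since all three PKG_SOURCE_URL mirrors in the context lines are plain ftp:// or http://; please say in the commit message how 5c9ca8774bd7... was verified (upstream's published .sha256 file or the PGP signature on openssl-1.1.1h.tar.gz) rather than computed from whatever a mirror served. The two patch-refresh hunks below only shift offsets (1532 to 1545, 296 to 318, 308 to 330) with unchanged content, which is what a bug-fix release should need.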
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 0f91a9d5da..98944103b5 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -12,7 +12,7 @@ diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";
diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch 
b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
index fa79cc6022..7f33cb9dae 100644
--- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
+++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
@@ -11,7 +11,7 @@ diff --git a/Configure b/Configure
 index 74d057c219..5813e9f8fe 100755
 --- a/Configure
 +++ b/Configure
-@@ -296,7 +296,7 @@ my $auto_threads=1;# enable threads automatically? 
true by default
+@@ -318,7 +318,7 @@ my $auto_threads=1;# enable threads automatically? 
true by default
  my $default_ranlib;
  
  # Top level directories to build
@@ -20,7 +20,7 @@ index 74d057c219..5813e9f8fe 100755
  # crypto/ subdirectories to build
  $config{sdirs} = [
  "objects",
-@@ -308,7 +308,7 @@ $config{sdirs} = [
+@@ -330,7 +330,7 @@ $config{sdirs} = [
  "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
  ];
  # test/ subdirectories to build


[PATCH] openssl: bump to 1.1.1h

2020-09-27 Thread Eneas U de Queiroz
This is a bug-fix release.  Patches were refreshed.

Signed-off-by: Eneas U de Queiroz 

--

Run-tested on mvebu/WRT3200ACM using nginx and uhttpd.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 8fe00d970b..9696748106 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=g
+PKG_BUGFIX:=h
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
+PKG_HASH:=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 0f91a9d5da..98944103b5 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -12,7 +12,7 @@ diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";
diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch 
b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
index fa79cc6022..7f33cb9dae 100644
--- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
+++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
@@ -11,7 +11,7 @@ diff --git a/Configure b/Configure
 index 74d057c219..5813e9f8fe 100755
 --- a/Configure
 +++ b/Configure
-@@ -296,7 +296,7 @@ my $auto_threads=1;# enable threads automatically? 
true by default
+@@ -318,7 +318,7 @@ my $auto_threads=1;# enable threads automatically? 
true by default
  my $default_ranlib;
  
  # Top level directories to build
@@ -20,7 +20,7 @@ index 74d057c219..5813e9f8fe 100755
  # crypto/ subdirectories to build
  $config{sdirs} = [
  "objects",
-@@ -308,7 +308,7 @@ $config{sdirs} = [
+@@ -330,7 +330,7 @@ $config{sdirs} = [
  "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
  ];
  # test/ subdirectories to build
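
Review bot: in this refresh of 130-dont-build-tests-fuzz.patch the two nested hunk-header lines (`-@@ -296,7 +296,7 @@ my $auto_threads=1;# enable threads automatically?` and its `+@@ -318,7 +318,7 @@` replacement) have been wrapped, with `true by default` pushed onto its own line; if that wrapping is in the mail as sent and not only in the archive rendering, `git am` will reject the patch, so please resend with git send-email or a client that does not wrap long lines. Content-wise the refresh only moves offsets, as does the 100-Configure-afalg-support.patch hunk above.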


[OpenWrt-Devel] [PATCH] wolfssl: use -fomit-frame-pointer to fix asm error

2020-05-26 Thread Eneas U de Queiroz
32-bit x86 fails to compile the fast-math feature when compiled with a
frame pointer, which uses a register that is used in a couple of inline
asm functions.

Previous versions of wolfssl had this by default.  Keeping an extra
register available may increase performance, so it's being restored for
all architectures.

Signed-off-by: Eneas U de Queiroz 

---
i386 builds currently fail with:
./wolfcrypt/src/asm.c:700:1: error: 'asm' operand has impossible constraints

This is because wolfssl uses all of the available registers for [at
least] a couple of its fast-math inline asm functions.  The
frame pointer uses up one of them, causing the above failure.

gcc documentation indicates that -fomit-frame-pointer is used in -O1, so
it should be enabled without the flag, but this compile error indicates
otherwise.  I'm not experienced enough to know why this is happening.

There are other alternatives:
 - use -fomit-frame-pointer only for i386
 - disable asm for i386
 - disable fast-math for i386
 - patch asm.c to loosen the constraint of one of the arguments from r=
   to g= in the affected functions

The last 3 are there for completeness, I'm not really considering them.

Eneas

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index b186a087e7..159cfbc53f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.4.0-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
@@ -56,7 +56,7 @@ define Package/libwolfssl/config
source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192
+TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
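
Review bot: this adds -fomit-frame-pointer to TARGET_CFLAGS for every architecture, while the failure described is specific to the i386 inline asm in wolfcrypt/src/asm.c; the first alternative listed in the cover note, restricting it to i386 (e.g. `ifeq ($(ARCH),i386)` around the append), would keep frame-pointer-based backtraces and profiling of the crypto library intact everywhere else, and the commit message's performance argument is not measured. As for why the -O1 default does not kick in: gcc's i386 backend most likely keeps the frame pointer when optimizing for size (-Os, OpenWrt's usual setting) unless -fomit-frame-pointer is passed explicitly, which would explain the error and is another reason to scope the flag to i386.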


[OpenWrt-Devel] [PATCH] build: always use -minterlink-mips16 if USE_MIPS16

2020-05-24 Thread Eneas U de Queiroz
Individual packages may turn off MIPS16 ISA individually with
PKG_USE_MIPS16.  However, they may link to a library compiled with
MIPS16.  In such cases, the -minterlink-mips16 is needed to ensure there
are no direct jumps to code compiled with a different ISA.

Instead of adding -minterlink-mips16 only when PKG_USE_MIPS16 is on, add
it when global USE_MIPS16 is on.

Signed-off-by: Eneas U de Queiroz 
---
Tested by compiling all packages in base, packages, routing and
telephony feeds for mips_74kc, with MIPS16 enabled.

This was discovered while working on lxc fixes 
(https://github.com/openwrt/packages/pull/12241), where compilation with
mips16 would fail because of '-fstack-check=specific not implemented for
MIPS16', and it would fail with PKG_USE_MIPS16=0 because of jumping to a
different ISA mode:

lxc-4.0.2/src/lxc/caps.c:24:(.text+0xa4): unsupported jump between ISA
modes; consider recompiling with interlinking enabled

In theory this could happen in more places, so set interlinking on
whenever MIPS16 is turned on globally.

diff --git a/include/package.mk b/include/package.mk
index 0575692742..f2c699ef2f 100644
--- a/include/package.mk
+++ b/include/package.mk
@@ -25,10 +25,11 @@ else
 PKG_JOBS?=$(if $(PKG_BUILD_PARALLEL),$(MAKE_J),-j1)
 endif
 ifdef CONFIG_USE_MIPS16
+  TARGET_ASFLAGS_DEFAULT = $(filter-out -mips16 
-minterlink-mips16,$(TARGET_CFLAGS))
   ifeq ($(strip $(PKG_USE_MIPS16)),1)
-TARGET_ASFLAGS_DEFAULT = $(filter-out -mips16 
-minterlink-mips16,$(TARGET_CFLAGS))
-TARGET_CFLAGS += -mips16 -minterlink-mips16
+TARGET_CFLAGS += -mips16
   endif
+  TARGET_CFLAGS += -minterlink-mips16
 endif
 ifeq ($(strip $(PKG_IREMAP)),1)
   IREMAP_CFLAGS = $(call iremap,$(PKG_BUILD_DIR),$(notdir $(PKG_BUILD_DIR)))
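
Review bot: TARGET_ASFLAGS_DEFAULT is now assigned before the lines that append -mips16 and -minterlink-mips16 to TARGET_CFLAGS, which is only correct because it uses recursive `=` rather than `:=`, so the filter-out is evaluated at use time and still strips both flags; a one-line comment there would stop a later cleanup from turning it into `:=`. The `$(filter-out -mips16` / `-minterlink-mips16,$(TARGET_CFLAGS))` lines also appear wrapped in the archive, so confirm the patch applies cleanly. Since every package built under CONFIG_USE_MIPS16 now gets -minterlink-mips16, including those with PKG_USE_MIPS16=0, the commit message could mention that interlink-safe call sequences in non-MIPS16 code may cost a little size and speed, which is the trade-off being accepted.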


[OpenWrt-Devel] [PATCH] wolfssl: update to 4.4.0-stable

2020-05-01 Thread Eneas U de Queiroz
This version adds many bugfixes, including fixes for a couple of security
vulnerabilities:
 - For fast math (enabled by wpa_supplicant option), use a constant time
   modular inverse when mapping to affine when operation involves a
   private key - keygen, calc shared secret, sign.
 - Change constant time and cache resistant ECC mulmod. Ensure points
   being operated on change to make constant time.

Signed-off-by: Eneas U de Queiroz 
---

This is a straight update, no change in ABI.  Tested with wpad (WPA2),
uhttpd, and curl.

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index cb1ab1b64c..b186a087e7 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.3.0-stable
+PKG_VERSION:=4.4.0-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=6896f8ad6c44aff3e583006839600848a0e37118ebbb7514eca9409ae08b
+PKG_HASH:=7f854804c8ae0ca49cc77809e38e9a3b5a8c91ba7855ea928e6d6651b0d35f18
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
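
Review bot: the removed PKG_HASH line is 60 hex digits long while the added one is 64, so the old line was truncated somewhere between the tree and this archive and the hunk will not apply as archived; please check the patch as sent. The PKG_SOURCE_URL in the context lines points at GitHub's on-the-fly archive/v$(PKG_VERSION) tarball, whose bytes are not guaranteed to stay stable across GitHub's compression changes, so a PKG_HASH pinned against it can start failing later; a release-attached tarball is the safer thing to hash. Since the commit message describes two security fixes, listing upstream's advisory or CVE identifiers for them, if any were assigned, would help downstream security tracking.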


[OpenWrt-Devel] [PATCH v3 3/3] build: have config-clean deal with old temp files

2020-04-19 Thread Eneas U de Queiroz
This is a temporary commit to have 'make config-clean' remove
temporary files from the previous scripts/config version.

The .gitignore file is updated to deal with the old files as well.

Cc: Kevin Darbyshire-Bryant 
Signed-off-by: Eneas U de Queiroz 

diff --git a/scripts/config/.gitignore b/scripts/config/.gitignore
index b5bf92f66d..737c5b7953 100644
--- a/scripts/config/.gitignore
+++ b/scripts/config/.gitignore
@@ -12,3 +12,10 @@ mconf
 nconf
 qconf
 gconf
+
+#
+# temporary files from older version.  Should be removed
+#
+zconf.???.c
+zconf.hash.c
+.tmp_qtcheck
diff --git a/scripts/config/Makefile b/scripts/config/Makefile
index eb55b759a8..d98f15c393 100644
--- a/scripts/config/Makefile
+++ b/scripts/config/Makefile
@@ -7,7 +7,10 @@ all: conf mconf
 clean:
rm -f *.o lxdialog/*.o *.moc $(clean-files) conf mconf qconf
 
-clean-files:=
+# This clean-files definition is here to ensure that temporary files from the
+# previous version are removed by make config-clean.
+# It should be removed or emptied when this Makefile get updated again.
+clean-files:= zconf.tab.c zconf.lex.c zconf.hash.c .tmp_qtcheck
 
 # ===
 # Variables needed by the upstream Makefile
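
Review bot: typo in the added comment, 'when this Makefile get updated' should read 'gets'. The list is consistent with the .gitignore hunk (the `zconf.???.c` glob covers zconf.tab.c and zconf.lex.c, and zconf.hash.c and .tmp_qtcheck appear in both), and defining clean-files with `:=` after the `clean:` rule is fine since recipe lines are expanded when the rule runs; given the commit says this is temporary, it would help to name the follow-up that should revert it in the commit message as well, not only in the Makefile comment.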


[OpenWrt-Devel] [PATCH v3 2/3] build: add option to treat recursive deps as error

2020-04-19 Thread Eneas U de Queiroz
Running make with RECURSIVE_DEP_IS_ERROR=1 will cause a hard failure
when a recursive dependency is detected.  This is useful to apply
stricter CI tests, for example.

Signed-off-by: Eneas U de Queiroz 

diff --git a/include/toplevel.mk b/include/toplevel.mk
index ad8e5b8f20..5cf93ce7ef 100644
--- a/include/toplevel.mk
+++ b/include/toplevel.mk
@@ -99,6 +99,9 @@ prepare-tmpinfo: FORCE
$(_SINGLE)$(NO_TRACE_MAKE) menuconfig $(PREP_MK); \
fi
 
+ifeq ($(RECURSIVE_DEP_IS_ERROR),1)
+  KCONF_FLAGS=--fatalrecursive
+endif
 ifneq ($(DISTRO_PKG_CONFIG),)
 scripts/config/%onf: export PATH:=$(dir $(DISTRO_PKG_CONFIG)):$(PATH)
 endif
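
Review bot: KCONF_FLAGS is only assigned inside the ifeq, so when RECURSIVE_DEP_IS_ERROR is unset the variable inherits whatever a KCONF_FLAGS environment variable happens to contain and passes it straight to scripts/config/conf; an explicit `KCONF_FLAGS:=` default before the ifeq avoids that. --fatalrecursive also has to exist in the conf binary this series ships (patch 1/3), so this hunk should not be backported on its own.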
@@ -111,7 +114,7 @@ $(eval $(call rdep,scripts/config,scripts/config/mconf))
 
 config: scripts/config/conf prepare-tmpinfo FORCE
[ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \
-   $< Config.in
+   $< $(KCONF_FLAGS) Config.in
 
 config-clean: FORCE
$(_SINGLE)$(NO_TRACE_MAKE) -C scripts/config clean
@@ -120,7 +123,7 @@ defconfig: scripts/config/conf prepare-tmpinfo FORCE
touch .config
@if [ ! -s .config -a -e $(HOME)/.openwrt/defconfig ]; then cp 
$(HOME)/.openwrt/defconfig .config; fi
[ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \
-   $< --defconfig=.config Config.in
+   $< $(KCONF_FLAGS) --defconfig=.config Config.in
 
 confdefault-y=allyes
 confdefault-m=allmod
@@ -129,7 +132,7 @@ confdefault:=$(confdefault-$(CONFDEFAULT))
 
 oldconfig: scripts/config/conf prepare-tmpinfo FORCE
[ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \
-   $< --$(if $(confdefault),$(confdefault),old)config Config.in
+   $< $(KCONF_FLAGS) --$(if 
$(confdefault),$(confdefault),old)config Config.in
 
 menuconfig: scripts/config/mconf prepare-tmpinfo FORCE
if [ \! -e .config -a -e $(HOME)/.openwrt/defconfig ]; then \
@@ -210,7 +213,7 @@ ifeq ($(SDK),1)
 
 %::
@+$(PREP_MK) $(NO_TRACE_MAKE) -r -s prereq
-   @./scripts/config/conf --defconfig=.config Config.in
+   @./scripts/config/conf $(KCONF_FLAGS) --defconfig=.config Config.in
@+$(ULIMIT_FIX) $(SUBMAKE) -r $@
 
 else
@@ -219,7 +222,7 @@ else
@+$(PREP_MK) $(NO_TRACE_MAKE) -r -s prereq
@( \
cp .config tmp/.config; \
-   ./scripts/config/conf --defconfig=tmp/.config -w tmp/.config 
Config.in > /dev/null 2>&1; \
+   ./scripts/config/conf $(KCONF_FLAGS) --defconfig=tmp/.config -w 
tmp/.config Config.in > /dev/null 2>&1; \
if ./scripts/kconfig.pl '>' .config tmp/.config | grep -q 
CONFIG; then \
printf "$(_R)WARNING: your configuration is out of 
sync. Please run make menuconfig, oldconfig or defconfig!$(_N)\n" >&2; \
fi \
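
Review bot: in this hunk the conf run has both stdout and stderr sent to /dev/null, so with RECURSIVE_DEP_IS_ERROR=1 a recursive dependency makes conf exit non-zero silently and the only visible symptom is the generic 'configuration is out of sync' warning from the kconfig.pl comparison; either leave $(KCONF_FLAGS) out of this consistency check, or keep stderr so the recursive-dependency report reaches the user.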


[OpenWrt-Devel] [PATCH v3 0/3] build: update scripts/config to kconfig-v5.6

2020-04-19 Thread Eneas U de Queiroz
After breaking the build bots for a couple of days, this is another
attempt to update scripts/config to linux kconfig-v5.6.  This time I've
spent some time testing it with the SDK, which is heavily dependent on
recursive dependencies.

While testing it, I found some minor bugs, which I've sent separate
patches to fix.  I've kept them out of this series, as they are
independent anyway.

I've changed the default behavior to treat them as warnings, not errors.
Instead of a compile-time choice, I've added a command-line option to
scripts/config/conf, --fatalrecursive, to error out when detecting a
recursive dependency.  The option is activated in openwrt by running
make with RECURSIVE_DEP_IS_ERROR=1.

Another change from v2 was that the commit handling the selection of a
module from a bool, 9bfa6971ae ("scripts/config: properly handle select
on symbols with unmet direct dependencies"), which was not done right in
v2, was properly fixed here.

The commits to get from upstream kconfig-v5.6 to the openwrt version
here can be seen at
https://github.com/cotequeiroz/linux/commits/openwrt/scripts/kconfig

The last commit of this series is optional.  Previously, ldir had
included leftover temporary files from the previous version in .gitignore,
so git would not complain about untracked files.  I took that one step
further and added them to make config-clean.  I do intend this to be
temporary, to be reverted before the next branch, and added comments
to the affected lines as a reminder.

I don't have the resources to do a full buildbot setup, but I've used
jow's suggested simpler way of testing it with the SDK.  I've compared
the output of the failed run with the v2 of this patch applied, from the
bots and with the SDK, and the errors do appear to be the same.

I've tested this with a self-compiled SDK for ath79, and compared
resulting .config files against master at 508462a399.  I've also used
several config.buildinfo from snapshots of different targets on full 
build root.  I used this to compare the generated .config files:
  diff -I '^\(# end of.*\)\?$' openwrt.{old,new}/.config
The new version adds '# end of ' comments, which are being
ignored.

While working with the SDK, I've applied a previously submitted patch
("sdk: add OpenWrt branding to menuconfig & .config")
https://patchwork.ozlabs.org/project/openwrt/patch/20200418214931.24983-1-cotequei...@gmail.com/
so that the titles of the .config files would match.

I also tested the behavior of menuconfig when selecting multiple
targets, to ensure the selection of a module from a bool was working as
intended.

Eneas U de Queiroz (3):
  build: scripts/config - update to kconfig-v5.6
  build: add option to treat recursive deps as error
  build: have config-clean deal with old temp files

 include/toplevel.mk   |   13 +-
 scripts/config/.gitignore |   34 +-
 scripts/config/Makefile   |  177 +-
 scripts/config/README |   29 +-
 scripts/config/conf.c |  255 +-
 scripts/config/confdata.c |  533 +-
 scripts/config/expr.c |  216 +-
 scripts/config/expr.h |  110 +-
 scripts/config/images.c   |   34 +-
 scripts/config/images.h   |   33 +
 scripts/config/{zconf.l => lexer.l}   |  340 +-
 scripts/config/lexer.lex.c| 4499 +
 scripts/config/list.h |1 +
 scripts/config/lkc.h  |   59 +-
 scripts/config/lkc_proto.h|   21 +-
 scripts/config/lxdialog/.gitignore|2 -
 scripts/config/lxdialog/check-lxdialog.sh |   91 -
 scripts/config/lxdialog/checklist.c   |   19 +-
 scripts/config/lxdialog/dialog.h  |   23 +-
 scripts/config/lxdialog/inputbox.c|   22 +-
 scripts/config/lxdialog/menubox.c |   25 +-
 scripts/config/lxdialog/textbox.c |   17 +-
 scripts/config/lxdialog/util.c|   15 +-
 scripts/config/lxdialog/yesno.c   |   19 +-
 scripts/config/mconf-cfg.sh   |   50 +
 scripts/config/mconf.c|  179 +-
 scripts/config/menu.c |  451 +-
 .../{zconf.tab.c_shipped => parser.tab.c} |  939 ++--
 scripts/config/parser.tab.h   |  129 +
 scripts/config/{zconf.y => parser.y}  |  429 +-
 scripts/config/preprocess.c   |  575 +++
 scripts/config/qconf-cfg.sh   |   32 +
 scripts/config/qconf.cc   |  174 +-
 scripts/config/qconf.h|3 +-
 scripts/config/symbol.c   |  272 +-
 scripts/config/util.c |   86 +-
 scripts/config/zconf.gperf|   49 -
 scripts/config/zconf.hash.c_shipped   |  250 -
 s

[OpenWrt-Devel] [PATCH] sdk: add OpenWrt branding to menuconfig & .config

2020-04-18 Thread Eneas U de Queiroz
Set the mainmenu symbol in SDK Config.in to "OpenWrt Configuration", the
same as the main OpenWrt Config.in.  This string is used as the name
of the top menu in menuconfig, and at the top of the .config file.  If
unset, current kconfig will use "Linux Kernel Configuration".

Signed-off-by: Eneas U de Queiroz 

diff --git a/target/sdk/files/Config.in b/target/sdk/files/Config.in
index 0dab240959..4393daab5b 100644
--- a/target/sdk/files/Config.in
+++ b/target/sdk/files/Config.in
@@ -1,3 +1,5 @@
+mainmenu "OpenWrt Configuration"
+
 menu "Global build settings"
 
config ALL_NONSHARED


[OpenWrt-Devel] [PATCH] build: show make output in scripts/config when V=s

2020-04-17 Thread Eneas U de Queiroz
This should make debugging build errors in scripts/config a bit easier.

Signed-off-by: Eneas U de Queiroz 

diff --git a/include/toplevel.mk b/include/toplevel.mk
index 2965f75c7c..ad8e5b8f20 100644
--- a/include/toplevel.mk
+++ b/include/toplevel.mk
@@ -104,7 +104,8 @@ scripts/config/%onf: export PATH:=$(dir 
$(DISTRO_PKG_CONFIG)):$(PATH)
 endif
 scripts/config/%onf: CFLAGS+= -O2
 scripts/config/%onf:
-   @$(_SINGLE)$(SUBMAKE) -s -C scripts/config $(notdir $@) 
CC="$(HOSTCC_WRAPPER)"
+   @$(_SINGLE)$(SUBMAKE) $(if $(findstring s,$(OPENWRT_VERBOSE)),,-s) \
+   -C scripts/config $(notdir $@) CC="$(HOSTCC_WRAPPER)"
 
 $(eval $(call rdep,scripts/config,scripts/config/mconf))
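
Review bot: the recipe keeps its leading `@`, so even with V=s the $(SUBMAKE) command line itself stays hidden and only the sub-make's own output appears; if the goal is debugging build errors in scripts/config, dropping the `@` under the same $(findstring s,$(OPENWRT_VERBOSE)) condition would show the exact invocation too. Note that $(findstring s,...) matches any verbosity string containing an 's' (V=sc as well as V=s), which is presumably intended but worth stating in the commit message.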
 
