Re: Build problems with packages which are using openssl
On Sun, Apr 23, 2023 at 6:56 PM e9hack wrote:
> in the past, it was possible to build packages, which are using crypto
> libraries like openssl, wolfssl or mbedtls, in parallel. One was built for
> the image, selected as , the others were built as module selected as .
>
> This doesn't work any more, if a package is selected for usage of openssl
> with and any other crypto library is selected with .
>
> Compiling is successful, but installation complains about installing a binary
> twice from two different packages.
>
> I'm not sure since when this does occur, but I assume it was introduced
> with the openssl update to 3.0.x.

Hi Hartmut

I'm trying to reproduce the issue here. I had hit it in my very first try, but then lost it when I tried to reproduce it with a log.

From what I could glimpse, it appears to be an issue with the way opkg handles library selection. If a package depends on a library with a generic name, then it would use its own heuristics to install one of the versions found, and it may not be the one that was built into the image. Then, when it tries to install the selected library, it will fail because the file was already installed by the previous package.

I submitted a patch series for opkg[1], but it has not caught much attention. You may try it yourself to see if it fixes your problem.

I had it backwards in my case. Libustream-openssl was selected, but libustream-mbedtls got installed as a dependency. I couldn't identify the package right away. During the same run, dnsmasq and dnsmasq-full showed the same error, but it did not involve a library. It was strange and my tree was dirty, so I tried to build it from scratch, and the problem was gone.

Also, note that menuconfig will let you choose bad combinations with libustream-ssl. It will let you install cache-domains-wolfssl, for example, even when libustream-mbedtls is already selected. That may also break install with the same error.

I'm still trying, but if you can give me a config file, or the steps to reproduce it, I can work faster.

Cheers,
Eneas

1. https://patchwork.ozlabs.org/project/openwrt/cover/20221017170358.3628154-1-cotequei...@gmail.com/

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: Anyone working on porting OpenSSL to v3.x?
On Fri, Feb 3, 2023 at 5:02 PM Paul Spooren wrote:
>
> Hey all,
>
> We're still using OpenSSL 1.1.x within OpenWrt and during the last developer
> meeting we were wondering if anyone is working on porting it over to v3.x? If
> so please share your status, thanks!

It's been on my to-do list for ages. I can start working on it now.

Cheers,
Eneas
[PATCH] wolfssl: libwolfsslcpu-crypto: add base-files dep
On aarch64, libwolfsslcpu-crypto preinst script needs base-files to get the target architecture to check for CPU crypto support during offline instalation. While at it, fix indentation in Makefile. Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 08a1ca7401..a1bd340007 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -83,7 +83,7 @@ define Package/libwolfsslcpu-crypto $(call Package/libwolfssl/Default) TITLE:=wolfSSL library with AES CPU instructions PROVIDES:=libwolfssl libcyassl - DEPENDS:=@((aarch64||x86_64)&&(m||!TARGET_bcm27xx)) + DEPENDS:=@((aarch64||x86_64)&&(m||!TARGET_bcm27xx)) +aarch64:base-files ABI_VERSION:=$(PKG_ABI_VERSION) VARIANT:=cpu-crypto endef @@ -164,7 +164,7 @@ else ifdef CONFIG_aarch64 Package/libwolfsslcpu-crypto/preinst=\ $(subst @@WOLFSSL_NOASM_REGEX@@,$(WOLFSSL_NOASM_REGEX),$(file https://lists.openwrt.org/mailman/listinfo/openwrt-devel
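Review bot: the DEPENDS hunk adds `+aarch64:base-files` so that opkg installs base-files before this package's preinst runs; since the second hunk defines the preinst only under `ifdef CONFIG_aarch64`, the guard is consistent, but a one-line Makefile comment next to the dependency explaining that the preinst reads the target architecture from base-files during offline installs would save the next reader a trip to the commit log. Commit message typo: "instalation" should read "installation".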
[opkg 3/3] libopkg: pkg_hash: consider names stripped of ABI
When resolving dependencies, packages listed in the cli may not have the ABI version, and they should have a higher priority over anything picked automatically. Use powers of two when computing the score to avoid ties due to different criteria, and so that it reflects what was matched. The resulting priorities after this change are: - base score is 0 === USER CHOICE CRITERIA - packages "picked by hand" (local file given in the cli) have absolute priority, ending the search regardless of score - package whose full name is in the cli: score += 4 - package whose name stripped of ABI matches one in the cli: score += 2 === DEVELOPER CRITERIA - package whose full name matches the dependency name: score += 1 - in case of a tie, the last package that was looked at is chosen Signed-off-by: Eneas U de Queiroz --- libopkg/pkg_hash.c | 24 +--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git opkglibopkg/pkg_hash.c b/libopkg/pkg_hash.c index f3fb0c6..9494211 100644 --- opkglibopkg/pkg_hash.c +++ b/libopkg/pkg_hash.c @@ -413,7 +413,12 @@ pkg_t *pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg, for (i = 0; i < matching_pkgs->len; i++) { pkg_t *matching = matching_pkgs->pkgs[i]; if (constraint_fcn(matching, cdata)) { - int score = 1; + int score = 0; + char *stripped_name = NULL; + const char *abiver; + size_t abilen, namelen; + int cli_score; + /* It has been provided by hand, so it is what user want */ if (matching->provided_by_hand == 1) { good_pkg_by_name = matching; 
@@ -422,15 +427,28 @@ pkg_t *pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg, break; } + if ((abiver = pkg_get_string(matching, PKG_ABIVERSION)) && + ((namelen = strlen(matching->name))) > ((abilen = strlen(abiver))) && + !strncmp(matching->name + namelen - abilen, abiver, abilen) && + !(stripped_name = strndup(matching->name, namelen - abilen))) { + fprintf (stderr, "Out of memory.\n"); + exit(EXIT_FAILURE); + } + if (strcmp(matching->name, apkg->name) == 0) score++; - for (j = 0; j < opkg_cli_argc; ++j) { + for (j = 0, cli_score = 0; j < opkg_cli_argc; ++j) { if (!strcmp(matching->name, opkg_cli_argv[j])) { - score += 2; + cli_score = 4; break; + } else if (stripped_name && + !strcmp(stripped_name, opkg_cli_argv[j])) { + cli_score = 2; } } + score += cli_score; + free(stripped_name); opkg_msg(DEBUG, "Candidate: %s %s (score %d).\n", matching->name, pkg_get_string(matching, PKG_VERSION), ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
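Review bot: in the first hunk the new local `cli_score` is declared uninitialised and only set in the for-init of the second hunk (`for (j = 0, cli_score = 0; ...)`); initialising it at the declaration (`int cli_score = 0;`) keeps the score logic correct even if the loop header is later touched, and the other new locals (`stripped_name = NULL`) already follow that pattern.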
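Review bot: in the second hunk the `strndup` allocation is chained into the same `if` as the three ABI-suffix checks, so the "Out of memory" branch is only reached when all of them are true; the logic is right (and `free(stripped_name)` is reached on every path, because the by-hand `break` happens before the allocation), but it is easy to misread, and the failure goes through a bare `fprintf(stderr, ...)` plus `exit(EXIT_FAILURE)` while the rest of this function reports via `opkg_msg`. Suggest splitting it: first `if (abiver && namelen > abilen && !strncmp(...))`, then `stripped_name = strndup(...)` with an `opkg_msg(ERROR, "Out of memory.\n")` on failure. The stripped match deliberately not breaking the loop (so a later exact cli argument can still raise `cli_score` to 4) is worth a comment.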
[opkg 2/3] libopkg: pkg_hash: bump score of packages in cli
When resolving dependencies, packages whose names are listed in the cli should have a higher priority over other packages picked from the feeds. Right now a package from the feeds with the same name as the dependency is given the same score as one present in the cli. The one looked at last would be chosen, which is not ideal. Since packages in the command line are going to be installed anyway, they should have a higher priority over new ones. Signed-off-by: Eneas U de Queiroz --- libopkg/pkg_hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git opkglibopkg/pkg_hash.c b/libopkg/pkg_hash.c index 482efb8..f3fb0c6 100644 --- opkglibopkg/pkg_hash.c +++ b/libopkg/pkg_hash.c @@ -427,7 +427,7 @@ pkg_t *pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg, for (j = 0; j < opkg_cli_argc; ++j) { if (!strcmp(matching->name, opkg_cli_argv[j])) { - score++; + score += 2; break; } } ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
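Review bot: `score += 2` makes an exact cli match outrank the name match (`score++`), which fixes the tie described in the message, but it only compares full names via `strcmp(matching->name, opkg_cli_argv[j])`; as the cover letter explains, the firmware builder passes ABI-stripped names, so on its own this hunk does not change the libwolfssl case. Stating in the commit message that the ABI-stripped case is handled by 3/3 would make the split clearer to a bisecting reader.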
[opkg 0/3] Rework criteria for dependent package selection
This fixes a problem when generating an image using the firmware builder, to include libwolfsslcpu-crypto.

Before they are sent to the asu server, the firmware builder strips ABI version from the packages and sorts them alphabetically. That means libustream-wolfssl will be installed before libwolfsslcpu-crypto. Opkg will see that libustream-wolfssl depends on libwolfssl5.5.1.b24d5f87. Since it matches the name of the regular libwolfssl package, it is chosen and installed. When it comes to libwolfsslcpu-crypto's turn, it will fail because of a clash with the regular package.

If you were to run it in the cmdline with the full name of libwolfsslcpu-crypto5.5.1.b24d5f87, or list it before any dependents, then it would work as expected. However, because the firmware selector strips ABI version and changes the order of the packages, there's no way to build an image with both libustream-wolfssl and libwolfsslcpu-crypto.

The first two commits attempt to add some order to the way they are currently chosen, by prioritizing packages chosen "by hand" and by preferring packages listed in the command line arguments over new packages chosen automatically.

The third commit adds matching the package without ABI suffix, and establishes a hierarchy among the criteria, prioritizing user choices (i.e. package names given as command line arguments), then developer choices (chosen package names), and resorting to alphabetical order as a last resort.

When resolving dependencies, packages listed in the cli may not have the ABI version, and they should have a higher priority over anything picked automatically. Use powers of two when computing the score to avoid ties due to different criteria, and so that it reflects what was matched.

The resulting priorities after this change are:

1. base score is 0

---USER CHOICES (cmdline)---

2. packages "picked by hand" (local file given in the cli) have absolute priority, ending the search regardless of score
3. package whose full name is in the cli: score += 4
4. package whose name stripped of ABI matches one in the cli: score += 2

---DEVELOPER CHOICE (pkg data)---

5. package whose full name matches the dependency name: score += 1
   Note: the ABI is recorded in the dependency, so I'm not using the stripped name here.
6. in case of a tie, the last package that was looked at is chosen (equivalent to being first in alphabetical order)

I tried not to change things so much--aside from restoring the "picked by hand" case, I just created tie-breakers. However, I still have some questions about the necessity of some of this. For example: if more than one dependency is listed in the cli, does it matter which package is chosen? I imagine it would be equivalent to the picked-by-hand case, so it would be simpler and faster to end the search. It could make a difference if one were to install clashing packages with --force-overwrite in the same invocation, but I can't see a scenario where this would be useful.

This was tested with the Image Builder, and by running opkg from command line on Linksys E8450 (mediatek/mt7622, aarch64_cortex-a53).

Signed-off-by: Eneas U de Queiroz

Eneas U de Queiroz (3):
  libopkg: pkg_hash: restore picked by hand priority
  libopkg: pkg_hash: bump score of packages in cli
  libopkg: pkg_hash: consider names stripped of ABI

 libopkg/pkg_hash.c | 35 +--
 1 file changed, 29 insertions(+), 6 deletions(-)
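The scoring rules laid out in this cover letter, replayed as an added C example written for this page. It is not opkg's pkg_hash.c: `candidate_t`, `strip_abi`, `score_candidate` and `pick_best` are names chosen here, and the candidate list and cli arguments in `main` are constructed from the libwolfssl case described above (ABI-stripped, alphabetically sorted names coming from the firmware builder).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for opkg's pkg_t, constructed for this example. */
typedef struct {
    const char *name;          /* full package name, ABI suffix included */
    const char *abiver;        /* ABI_VERSION suffix, or NULL if none */
    int provided_by_hand;      /* 1 when a local .ipk was passed on the cli */
} candidate_t;

/* Returns a heap copy of name with its trailing ABI suffix removed, or NULL
 * when there is no ABI or the name does not end in it (caller frees). */
static char *strip_abi(const char *name, const char *abiver)
{
    size_t namelen = strlen(name), abilen;
    char *stripped;

    if (!abiver || namelen <= (abilen = strlen(abiver)) ||
        strncmp(name + namelen - abilen, abiver, abilen) != 0)
        return NULL;
    stripped = malloc(namelen - abilen + 1);
    if (!stripped) {
        fprintf(stderr, "Out of memory.\n");
        exit(EXIT_FAILURE);
    }
    memcpy(stripped, name, namelen - abilen);
    stripped[namelen - abilen] = '\0';
    return stripped;
}

/* Scores one candidate for dependency dep_name against the cli arguments,
 * following the priorities listed in the cover letter:
 *   full name given on the cli          -> +4
 *   name minus ABI given on the cli     -> +2
 *   full name equals the dependency     -> +1
 * Powers of two keep the criteria from tying with each other. */
int score_candidate(const candidate_t *c, const char *dep_name,
                    const char *const *cli, int argc)
{
    int score = 0, cli_score = 0, j;
    char *stripped = strip_abi(c->name, c->abiver);

    /* Developer criterion: the dependency records the ABI, so full names. */
    if (strcmp(c->name, dep_name) == 0)
        score += 1;

    /* User criteria: an exact cli match wins; a stripped match keeps looking
     * in case an exact match appears later in the argument list. */
    for (j = 0; j < argc; j++) {
        if (strcmp(c->name, cli[j]) == 0) {
            cli_score = 4;
            break;
        } else if (stripped && strcmp(stripped, cli[j]) == 0) {
            cli_score = 2;
        }
    }
    score += cli_score;
    free(stripped);
    return score;
}

/* Returns the index of the candidate that would be installed: a by-hand
 * package ends the search outright; otherwise the highest score wins, and
 * on a tie the last candidate looked at is kept (>=), as in the letter. */
int pick_best(const candidate_t *cands, int n, const char *dep_name,
              const char *const *cli, int argc)
{
    int best = -1, best_score = -1, i, s;

    for (i = 0; i < n; i++) {
        if (cands[i].provided_by_hand == 1)
            return i;
        s = score_candidate(&cands[i], dep_name, cli, argc);
        if (s >= best_score) {
            best = i;
            best_score = s;
        }
    }
    return best;
}

/* Replays the firmware-builder case: ABI-stripped, sorted cli names, and the
 * resolver asked for libustream-wolfssl's ABI-versioned libwolfssl dependency. */
int main(void)
{
    const char *cli[] = { "libustream-wolfssl", "libwolfsslcpu-crypto" };
    const candidate_t cands[] = {
        { "libwolfssl5.5.1.b24d5f87",           "5.5.1.b24d5f87", 0 },
        { "libwolfsslcpu-crypto5.5.1.b24d5f87", "5.5.1.b24d5f87", 0 },
    };
    int n = (int)(sizeof cands / sizeof cands[0]);
    int best = pick_best(cands, n, "libwolfssl5.5.1.b24d5f87", cli, 2);

    printf("chosen: %s\n", cands[best].name);
    return 0;
}
```

With the rules above the plain libwolfssl candidate scores 1 (name matches the dependency) while the cpu-crypto variant scores 2 (its ABI-stripped name is on the cli), so the variant the user asked for is the one selected, which is exactly the case the series sets out to fix.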
[opkg 1/3] libopkg: pkg_hash: restore picked by hand priority
Historically, package archives that are provided in the cli were given priority over any version from the feeds to satisfy dependencies. However, when a score was introduced in 5936c4f (libopkg: pkg_hash: prefer original packages to satisfy dependencies), it would only look at the flag if the package had the highest score at the time it was being assessed. While one can argue that the intention of the change was to superseed the by-hand priority, it would still be depended on the order in which they packages were checked, which is not good. Perform the "by-hand" check first, and only then go through the score system. Add a logging message to show the reason. Signed-off-by: Eneas U de Queiroz --- libopkg/pkg_hash.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git opkglibopkg/pkg_hash.c b/libopkg/pkg_hash.c index 11b1a06..482efb8 100644 --- opkglibopkg/pkg_hash.c +++ b/libopkg/pkg_hash.c @@ -414,6 +414,14 @@ pkg_t *pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg, pkg_t *matching = matching_pkgs->pkgs[i]; if (constraint_fcn(matching, cdata)) { int score = 1; + /* It has been provided by hand, so it is what user want */ + if (matching->provided_by_hand == 1) { + good_pkg_by_name = matching; + opkg_msg(DEBUG, "Candidate: %s %s (picked by hand).\n", +matching->name, pkg_get_string(matching, PKG_VERSION)); + break; + } + if (strcmp(matching->name, apkg->name) == 0) score++; @@ -432,9 +440,6 @@ pkg_t *pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg, good_pkg_by_name = matching; good_pkg_score = score; - /* It has been provided by hand, so it is what user want */ - if (matching->provided_by_hand == 1) - break; } } ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
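Review bot: with the by-hand check moved to the top of the loop, `int score = 1;` is now computed and discarded for the by-hand candidate; harmless, but the assignment could move below the new block so the intent reads top-down. The added comment "so it is what user want" should read "so it is what the user wants", and the continuation line `+matching->name, pkg_get_string(matching, PKG_VERSION));` lacks the indentation used by the surrounding `opkg_msg` calls. In the commit message, "superseed" should be "supersede" and "it would still be depended on the order in which they packages were checked" should read "it would still depend on the order in which the packages were checked".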
[PATCH u-boot] scripts/dtc: Remove redundant YYLOC global declaration
From: Dirk Mueller gcc 10 will default to -fno-common, which causes this error at link time: (.text+0x0): multiple definition of `yylloc'; dtc-lexer.lex.o (symbol from plugin):(.text+0x0): first defined here This is because both dtc-lexer as well as dtc-parser define the same global symbol yyloc. Before with -fcommon those were merged into one defintion. The proper solution would be to to mark this as "extern", however that leads to: dtc-lexer.l:26:16: error: redundant redeclaration of 'yylloc' [-Werror=redundant-decls] 26 | extern YYLTYPE yylloc; |^~ In file included from dtc-lexer.l:24: dtc-parser.tab.h:127:16: note: previous declaration of 'yylloc' was here 127 | extern YYLTYPE yylloc; |^~ cc1: all warnings being treated as errors which means the declaration is completely redundant and can just be dropped. Signed-off-by: Dirk Mueller Signed-off-by: David Gibson [robh: cherry-pick from upstream] Cc: sta...@vger.kernel.org Signed-off-by: Rob Herring [Cherry-picked from linux e33a814e772cdc36436c8c188d8c42d019fda639] Signed-off-by: Eneas U de Queiroz --- I'm not sure I got the subject line right for this. This is supposed to go into git.openwrt.org/project/bcm63xx/u-boot.git I've stumbled upon the error while doing a test build for https://github.com/openwrt/openwrt/pull/9756 scripts/dtc/dtc-lexer.l | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/dtc/dtc-lexer.l b/scripts/dtc/dtc-lexer.l index fd825ebba6..24af549977 100644 --- a/scripts/dtc/dtc-lexer.l +++ b/scripts/dtc/dtc-lexer.l @@ -38,7 +38,6 @@ LINECOMMENT "//".*\n #include "srcpos.h" #include "dtc-parser.tab.h" -YYLTYPE yylloc; extern bool treesource_error; /* CAUTION: this will stop working if we ever use yyless() or yyunput() */ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
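Review bot: dropping the lexer's `YYLTYPE yylloc;` is the right fix, since `dtc-parser.tab.h:127` (quoted in the message) already declares it `extern` and the link error shows the parser object carrying the definition; one small request for the description, which says the two files "define the same global symbol yyloc" while the error text and the removed line spell it `yylloc`. Commit message typo: "defintion" should be "definition".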
[PATCH v4 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled engines in /var/etc/ssl/engines.cnf from engines configured in /etc/config/openssl: config engine 'devcrypto' option enabled '1' Currently the only options implemented are 'enabled', which defaults to true and enables the named engine, and the 'force' option, that enables the engine even if the init script thinks the engine does not exist. The existence test is to check for either a configuration file /etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file /usr/lib/engines-1.1/%ENGINE%.so. The engine list is generated by an init script which is set to run after 'log' because it informs the engines being enabled or skipped. It should run before any service using OpenSSL as the crypto library, otherwise the service will not use any engine. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 13 ++-- package/libs/openssl/engine.mk| 60 --- package/libs/openssl/files/engines.cnf| 7 --- package/libs/openssl/files/openssl.init | 31 ++ .../150-openssl.cnf-add-engines-conf.patch| 5 +- 5 files changed, 54 insertions(+), 62 deletions(-) delete mode 100644 package/libs/openssl/files/engines.cnf create mode 100755 package/libs/openssl/files/openssl.init diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 3a0666ff8e..8ca4d83380 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=m PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 @@ -128,7 +128,6 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf -/etc/ssl/engines.cnf.d/engines.cnf $(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef 
@@ -378,15 +377,17 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl + touch $(1)/etc/config/openssl $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ - echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ - echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) endef define Package/openssl-util/install diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk index 482b5ad5e8..973a989904 100644 --- a/package/libs/openssl/engine.mk +++ b/package/libs/openssl/engine.mk 
@@ -23,60 +23,24 @@ define Package/openssl/add-engine define Package/$$(OSSL_ENG_PKG)/postinst := #!/bin/sh -# 1 == non-empty: suggest reinstall -error_out() { -[ "$1" ] && cat <<- EOF - Reinstalling the libopenssl-conf package may fix this: +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl" - opkg install --force-reinstall libopenssl-conf - EOF -cat <<- EOF +[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0 - Then, you will have to reinstall this package, and any other engine package you have - you have previously installed to ensure they are enabled: +cat << EOF >> "{OPENSSL_UCI}" - opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]... +config engine '$(1)' + option enabled '1' +EOF - EOF -exit 1 -} -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" -OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf" -if [ ! -f "{OPENSSL_CNF}" ]; then -echo -e "ERROR: File {OPENSSL_CNF} not found." -error_out reinstall -fi -if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then -cat <<- EOF - Your /etc/ssl/openssl.cnf file is not loading engine configuration files from - /etc/ssl/engines.cnf.d. You should consider start with a fresh, updated
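Review bot: the conffiles hunk removes `/etc/ssl/engines.cnf.d/engines.cnf` but does not add the new `/etc/config/openssl` that the install recipe now creates and that engine postinsts append to, so the uci engine configuration would not be preserved across upgrades or sysupgrade; add `/etc/config/openssl` to `Package/libopenssl-conf/conffiles`.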
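Review bot: in the libopenssl-conf/install hunk, `echo -e "config engine 'devcrypto'\n\toption enabled '1'"` relies on the recipe shell's echo honouring `-e`; OpenWrt runs recipes under bash so it works, but `printf "config engine 'devcrypto'\n\toption enabled '1'\n"` behaves the same under any sh and avoids the question. Also worth a comment that `touch $(1)/etc/config/openssl` is what makes the later `>>` appends safe when no built-in engine is enabled.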
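Review bot: in the postinst hunk, the `uci -q get openssl.$(1) >/dev/null && exit 0` guard only runs when `IPKG_INSTROOT` is empty, so during image builds the `cat << EOF >> "{OPENSSL_UCI}"` append runs unconditionally and reinstalling an engine into the same root would duplicate its `config engine` section; a `grep -q "config engine '$(1)'"` fallback for the INSTROOT case would keep the file idempotent. Please also verify that the `{IPKG_INSTROOT}` and `{OPENSSL_UCI}` references carry their `$$` in the actual file (the same spelling appears on the removed lines), since inside a Makefile define they need `$${...}` for the shell to see `${...}`.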
[PATCH v4 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. Patches were refreshed with --zero-commit. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 28 +++-- package/libs/openssl/files/afalg.cnf | 3 + package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 16 files changed, 82 insertions(+), 119 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 9e7482117d..737123930c 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile 
@@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install 
@@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-padlock/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.
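Review bot: the `Package/libopenssl-conf/install` hunk starts shipping `/etc/ssl/engines.cnf.d/engines.cnf`, but this commit has no matching `conffiles` change, so a libopenssl-conf upgrade would overwrite the user's engine list until 2/3 lands; listing it under `Package/libopenssl-conf/conffiles` here keeps the commit self-contained. The same applies to the per-engine `afalg.cnf`, `devcrypto.cnf` and `padlock.cnf` installed with `$(INSTALL_DATA)` in the following hunks, which users are told to edit (the devcrypto description says so explicitly) and which therefore belong in each engine package's conffiles.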
[PATCH v4 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 737123930c..3a0666ff8e 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=m PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description 
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. 
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), + $(CP) ./files/devcrypto.
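Review bot: the first Makefile hunk drops `ENGINES_DIR=engines-1.1` while the install recipes still expand `$(ENGINES_DIR)`; that only works if engine.mk (not shown in this excerpt) defines it, and since `include engine.mk` now sits after `package.mk`, the commit message should say the variable moved there. In the description hunks, the "To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf" lines are removed because enabling is now automatic at install time, but the devcrypto text also loses its pointer to `/etc/ssl/engines.cnf.d/devcrypto.cnf`; keep that sentence, since the per-engine file is still where tuning happens.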
[PATCH v4 0/3] openssl: Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed.

The series split is subject to discussion:

- the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list.
- the second implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed.

The first commit received basic testing on mvebu running master, covering afalg and devcrypto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

v2->v3:
- actually removed the extra files that I had promised in v2

v3->v4:
- rebased onto current head
- removed non-applicable options from original afalg engine conf file

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile                 |  55 +-
 package/libs/openssl/engine.mk                |  46 ++++
 package/libs/openssl/files/afalg.cnf          |   3 +
 package/libs/openssl/files/devcrypto.cnf      |  31 ++
 package/libs/openssl/files/openssl.init       |  31 ++
 package/libs/openssl/files/padlock.cnf        |   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch        |   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch    | 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 160 insertions(+), 137 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf

-- 
2.34.1
Re: [PATCH 19.07] wolfssl: bump to 5.1.1-stable
On Thu, Feb 17, 2022 at 11:51 AM Petr Štetiar wrote:
>
> This is an amalgamation of backported changes since 4.7.0-stable release:
>
> Sergey V. Lobanov (2):
>
> 5b13b0b02c70 wolfssl: update to 5.1.1-stable
> 7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support
>
> Andre Heider (3):
>
> 3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
> 249478ec4850 wolfssl: always build with --enable-reproducible-build
> 4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
>
> Ivan Pavlov (1):
>
> 16414718f9ae wolfssl: update to 4.8.1-stable
>
> David Bauer (1):
>
> f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng
>
> Christian Lamparter (1):
>
> 86801bd3d806 wolfssl: fix Ed25519 typo in config prompt
>
> The diff of security related changes we would need to backport would be
> so huge, that there would be a high probability of introducing new
> vulnerabilities, so it was decided, that bumping to latest stable
> release is the preferred way for fixing following security issues:
>
> * OCSP request/response verification issue. (fixed in 4.8.0)
> * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
> * Issue with incorrectly validating a certificate (fixed in 5.0.0)
> * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
> * Client side session resumption issue (fixed in 5.1.0)
> * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
> * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)
>
> Cc: Hauke Mehrtens
> Cc: Eneas U de Queiroz
> Signed-off-by: Petr Štetiar
> ---

Acked-by: Eneas U de Queiroz
Re: [PATCH] hostapd: fallback to psk when generating r0kh/r1kh
Hi David

Thanks for looking into this.

On Fri, Feb 18, 2022 at 3:15 PM David Bauer wrote:
> Just so I get this right - This means the same configuration is
> incompatible between firmware containing this commit and firmware that
> does not? In this case I would not pick it for 21.02.

TLDR: For the use case that was intended, it does not; it will intentionally break the insecure setup.

Here's the commit message that introduced the defaults:

21eb0a5aa3 hostapd: add default values for r0kh/r1kh
This allows WPA enterprise roaming in the same mobility domain without any manual key configuration (aside from radius credentials)

My understanding is that the intention was to use this for EAP only. However, the key gets set even if PSK is used. In that case it will have an unset 'auth_secret', and that's where this becomes a security issue. The FT key is derived from "$mobility_domain/$auth_secret". If 'auth_secret' is null, then the key is computed from "$mobility_domain/" only, and 'mobility_domain' itself is computed from the SSID by default. At the end, you have an easy, working setup with a default FT key that can be computed from just the SSID--and nothing wrong is visible from the user POV.

There are several ways of fixing this:
(1) don't compute r0kh/r1kh if not using EAP.
(2) Use the PSK if auth_secret is unset.
(3) warn the user that a key has not been set, but keep things as they are.

I like (2) because it is useful. You can get FT working with WPA3-SAE just by turning 802.11r on and turning off ft_psk_generate_local, without having to set up the key.

Can there be breakage? Yes, and it is intended. It'll break the insecure PSK/FT default setup I described above, when you have some AP running with the fix and some without it.

EAP setups will not be affected: even if 'key' is set but 'auth_secret' is unset (a possible breakage scenario), the code in line 682[1] will set 'auth_secret' from 'key' if the former is empty:

[ -n "$auth_secret" ] || json_get_var auth_secret key

So you can't have an EAP setup with 'auth_secret' unset and 'key' set.

(1) will create the same breakage, without adding anything useful.

Cheers,
Eneas

[1] https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/hostapd/files/hostapd.sh;h=d9d5f348775debade847f267b1ca1dc86444e41d;hb=HEAD#l682
Re: [PATCH] hostapd: fallback to psk when generating r0kh/r1kh
I have sent this a while ago. Can anyone review this (Felix, as the author of r0kh/r1kh generator?). On Fri, Jan 7, 2022 at 5:19 PM Eneas U de Queiroz wrote: > > The 80211r r0kh and r1kh defaults are generated from the md5sum of > "$mobility_domain/$auth_secret". auth_secret is only set when using EAP > authentication, but the default key is used for SAE/PSK as well. In > this case, auth_secret is empty, and the default value of the key can > be computed from the SSID alone. > > Fallback to using $key when auth_secret is empty. While at it, rename > the variable holding the generated key from 'key' to 'ft_key', to avoid > clobbering the PSK. > > Signed-off-by: Eneas U de Queiroz > --- > > This should be cherry-picked to 21.02 as well. > > package/network/services/hostapd/files/hostapd.sh | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/network/services/hostapd/files/hostapd.sh > b/package/network/services/hostapd/files/hostapd.sh > index d9d5f34877..e00fc21cd9 100644 > --- a/package/network/services/hostapd/files/hostapd.sh > +++ b/package/network/services/hostapd/files/hostapd.sh 
> @@ -876,10 +876,10 @@ hostapd_set_bss_options() { > set_default pmk_r1_push 0 > > [ -n "$r0kh" -a -n "$r1kh" ] || { > - key=`echo -n > "$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'` > + ft_key=`echo -n > "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'` > > - set_default r0kh > "ff:ff:ff:ff:ff:ff,*,$key" > - set_default r1kh > "00:00:00:00:00:00,00:00:00:00:00:00,$key" > + set_default r0kh > "ff:ff:ff:ff:ff:ff,*,$ft_key" > + set_default r1kh > "00:00:00:00:00:00,00:00:00:00:00:00,$ft_key" > } > > [ -n "$r1_key_holder" ] && append bss_conf > "r1_key_holder=$r1_key_holder" "$N"

So that one can grasp a bit better what this is about--the commit message was under par--see this post:
https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81?u=cotequeiroz

Basically, if you have ieee80211r=1, ft_psk_generate_local=0, and have not set up r0kh or r1kh, then hostapd.sh will generate a 128-bit key from the 2-byte mobility domain (defaults to the first 2 bytes of the SSID md5sum) and the auth_secret. The intention of the script originally was to support just EAP, so it uses the auth_secret to generate a key. However, it is possible (ft_psk_generate_local does not work with SAE) to use generated keys when using PSK, in which case auth_secret will not be ordinarily set, and the default key can be trivially computed.

Cheers,
Eneas
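Review bot: the fallback `${auth_secret:-${key}}` still produces a fixed, predictable key when both `auth_secret` and `key` are empty, because the md5sum input collapses to `"$mobility_domain/"` exactly as before; the block should refuse to generate `r0kh`/`r1kh` defaults in that case (or at least log a warning) instead of silently emitting key holders derived from the mobility domain alone. A smaller style point on the unchanged context line: `[ -n "$r0kh" -a -n "$r1kh" ]` uses the obsolescent `-a`; `[ -n "$r0kh" ] && [ -n "$r1kh" ]` is the portable form.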
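To make the derivation discussed in this message and in the earlier reply in this thread concrete, here is an added example (not code from hostapd.sh or from the patch) that puts the pre-fix and fixed default-key computations side by side and adds a small audit function reporting when a BSS would end up with the SSID-only default. The mobility-domain default (first 2 bytes of the SSID's md5sum) and the variable names follow the messages; the function names, verdict strings and sample SSID/PSK are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of hostapd.sh or the patch: 802.11r default key
# holder derivation before and after the fix, plus an audit verdict.
# Function names and verdict strings are constructed for this example.

# Default mobility domain as described in the thread: the first 2 bytes
# (4 hex characters) of the SSID's md5sum.
default_mobility_domain() {
    printf '%s' "$1" | md5sum | awk '{print substr($1, 1, 4)}'
}

# Pre-fix derivation: md5("$mobility_domain/$auth_secret"). With PSK/SAE,
# auth_secret is empty, so the key depends on the mobility domain alone.
ft_key_old() {
    mobility_domain=$1 auth_secret=$2
    printf '%s/%s' "$mobility_domain" "$auth_secret" | md5sum | awk '{print $1}'
}

# Fixed derivation: fall back to the PSK ($key) when auth_secret is empty,
# mirroring ${auth_secret:-${key}} in the patch.
ft_key_fixed() {
    mobility_domain=$1 auth_secret=$2 key=$3
    printf '%s/%s' "$mobility_domain" "${auth_secret:-$key}" | md5sum | awk '{print $1}'
}

# Audit verdict for one BSS, given the relevant hostapd.sh variables:
#   ft-disabled      : ieee80211r is not 1, no defaults are generated
#   generated-local  : ft_psk_generate_local=1, hostapd derives keys itself
#   explicit         : r0kh and r1kh are both configured by the admin
#   eap-default      : defaults generated from a non-empty auth_secret
#   insecure-default : defaults generated with an empty auth_secret, i.e.
#                      the pre-fix key is computable from the SSID alone
ft_key_audit() {
    ieee80211r=$1 ft_psk_generate_local=$2 r0kh=$3 r1kh=$4 auth_secret=$5
    [ "$ieee80211r" = 1 ] || { echo "ft-disabled"; return 0; }
    [ "$ft_psk_generate_local" = 0 ] || { echo "generated-local"; return 0; }
    if [ -n "$r0kh" ] && [ -n "$r1kh" ]; then echo "explicit"; return 0; fi
    [ -n "$auth_secret" ] && { echo "eap-default"; return 0; }
    echo "insecure-default"
}

# Constructed sample: WPA3-SAE BSS with 802.11r on, ft_psk_generate_local
# off, and no explicit r0kh/r1kh (the case the patch addresses).
ssid="OpenWrt-FT-demo"
psk="correct horse battery staple"
md=$(default_mobility_domain "$ssid")
echo "mobility_domain=$md"
echo "verdict:      $(ft_key_audit 1 0 '' '' '')"
echo "old ft_key:   $(ft_key_old "$md" '')"
echo "fixed ft_key: $(ft_key_fixed "$md" '' "$psk")"
```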
Re: [PATCH 19.07 v2 0/3] wolfssl security updates
On Mon, Feb 14, 2022 at 10:16 PM Luiz Angelo Daros de Luca wrote:
> Sure. And I do have interest in getting it fixed.

I've done most of the work here:
https://github.com/cotequeiroz/openwrt/tree/wolfssl-4.7.0-backport

However, I got stuck with this issue, about MitM attack when the client-side resumption cache is full:
https://www.cybersecurity-help.cz/vulnerabilities/59103/

The patch for it is over 1,500 lines, and I would not be so confident that backporting changes in many places will not create a new problem.
https://github.com/wolfSSL/wolfssl/commit/569c066fabbddd59e407ff5cf6be8156149df69a

libcurl and hostapd use client-side session resumption, so openwrt is possibly impacted. I don't know if the session cache can get filled by hostapd or not, but with libcurl, anything is possible. They both use the wolfSSL_get_session call, not the wolfSSL_get1_session that would avoid/work around the problem.

Wolfssl should get bumped to 5.1.1 despite the API/ABI/soname change.

Cheers
[PATCH 19.07 v2 3/3] wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
From: Andre Heider

"Alternate certification chains, as opposed to requiring full chain validation. Certificate validation behavior is relaxed, similar to openssl and browsers. Only the peer certificate must validate to a trusted certificate. Without this, all certificates sent by a peer must be used in the trust chain or the connection will be rejected."

This fixes e.g. uclient-fetch and curl connecting to servers using a Let's Encrypt certificate which are cross-signed by the now expired DST Root CA X3, see [0]. This is the recommended solution from upstream [1].

The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793

Signed-off-by: Andre Heider
[bump PKG_RELEASE]
Signed-off-by: David Bauer
(cherry picked from commit 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3)
[adjust to v4.7.0 Makefile]
Signed-off-by: Eneas U de Queiroz
---
 package/libs/wolfssl/Makefile | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index d123e7a875..4394b9ea4f 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
@@ -56,7 +56,11 @@ define Package/libwolfssl/config source "$(SOURCE)/Config.in" endef -TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer +TARGET_CFLAGS += \ + $(FPIC) \ + -fomit-frame-pointer \ + -DFP_MAX_BITS=8192 \ + -DWOLFSSL_ALT_CERT_CHAINS # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
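Review bot: `-DWOLFSSL_ALT_CERT_CHAINS` is a security-relevant relaxation (only the peer certificate has to chain to a trusted root, intermediates sent by the peer no longer have to be usable in the chain) and the second hunk switches it on unconditionally in `TARGET_CFLAGS` rather than through a `Config.in` symbol; consider exposing it as a config option with help text, or at least a Makefile comment beside the define pointing at the upstream recommendation cited in the commit message, so the change is visible to anyone auditing the build flags. The reordering of `-fomit-frame-pointer` ahead of `-DFP_MAX_BITS=8192` in the same hunk is cosmetic and unrelated; keeping the original order would make the diff minimal.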
[PATCH 19.07 v2 1/3] wolfssl: Fix OCSP request/response verification
In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 2 +- .../patches/200-Fix-CompareOcspReqResp.patch | 224 ++ 2 files changed, 225 insertions(+), 1 deletion(-) create mode 100644 package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 57fcaa03b2..631576a58e 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) diff --git a/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch b/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch new file mode 100644 index 00..9661a2b752 --- /dev/null +++ b/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch 
@@ -0,0 +1,224 @@ +From Mon Sep 17 00:00:00 2001 +From: Hayden Roche +Date: Tue, 27 Apr 2021 13:54:43 -0700 +Subject: [PATCH] Fix CompareOcspReqResp. + +There was a bug in this function that could cause a match to be reported even +when the OCSP request and response in fact had a mismatch. + +(cherry picked from commit 73076940af8904f98eee085994c176fe1876b95a) + +diff --git a/src/ssl.c b/src/ssl.c +index 14a160dc2..289ffb941 100644 +--- a/src/ssl.c b/src/ssl.c +@@ -6503,7 +6503,7 @@ WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm, + { + int ret; + +-WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple"); ++WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSPResponse"); + if (cm == NULL || response == NULL) + return BAD_FUNC_ARG; + if (cm->ocspEnabled == 0) +diff --git a/tests/api.c b/tests/api.c +index 6b3af3092..72bfc9aae 100644 +--- a/tests/api.c b/tests/api.c +@@ -1091,6 +1091,170 @@ static int test_cm_load_ca_file(const char* ca_cert_file) + } + #endif /* !NO_FILESYSTEM && !NO_CERTS */ + ++static void test_wolfSSL_CertManagerCheckOCSPResponse(void) ++{ ++#ifdef HAVE_OCSP ++/* Need one of these for wolfSSL_OCSP_REQUEST_new. */ ++#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ ++defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \ ++defined(HAVE_LIGHTY) ++WOLFSSL_CERT_MANAGER* cm = NULL; ++/* Captured with Wireshark using ocsp.test. 
*/ ++byte response[] = { ++0x30, 0x82, 0x06, 0x3b, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x06, 0x34, 0x30, 0x82, 0x06, 0x30, 0x06, ++0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x82, 0x06, 0x21, 0x30, 0x82, ++0x06, 0x1d, 0x30, 0x81, 0xbf, 0xa2, 0x16, 0x04, 0x14, 0x21, 0x29, 0x0a, 0x15, 0x08, 0xdd, 0x79, ++0x01, 0x7c, 0xa3, 0xc6, 0x11, 0xe9, 0xbf, 0x8a, 0x33, 0x82, 0x53, 0xc4, 0x0c, 0x18, 0x0f, 0x32, ++0x30, 0x32, 0x31, 0x30, 0x34, 0x32, 0x37, 0x32, 0x30, 0x32, 0x35, 0x35, 0x36, 0x5a, 0x30, 0x6f, ++0x30, 0x6d, 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, ++0x14, 0x9c, 0x4c, 0x71, 0x15, 0xc3, 0x02, 0x19, 0xca, 0x36, 0xdc, 0xb9, 0x8b, 0x21, 0x33, 0x00, ++0x4c, 0xa4, 0xa7, 0x8e, 0xd3, 0x04, 0x14, 0xdd, 0xb3, 0xe7, 0x6d, 0xa8, 0x2e, 0xe8, 0xc5, 0x4e, ++0x6e, 0xcf, 0x74, 0xe6, 0x75, 0x3c, 0x94, 0x15, 0xce, 0xe8, 0x1d, 0x02, 0x0c, 0x6f, 0x9c, 0x01, ++0x78, 0x1c, 0x21, 0x80, 0x32, 0x25, 0x4a, 0x73, 0x2b, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32, ++0x31, 0x30, 0x34, 0x32, 0x37, 0x32, 0x30, 0x32, 0x35, 0x35, 0x36, 0x5a, 0xa0, 0x11, 0x18, 0x0f, ++0x32, 0x30, 0x32, 0x31, 0x30, 0x35, 0x30, 0x31, 0x32, 0x30, 0x32, 0x35, 0x35, 0x36, 0x5a, 0xa1, ++0x23, 0x30, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02, ++0x04, 0x12, 0x04, 0x10, 0xc0, 0x42, 0x27, 0x55, 0xaf, 0xc4, 0x5c, 0x34, 0xe1, 0xc8, 0xef, 0x5b, ++0x31, 0xb1, 0x78, 0xe9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, ++0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x54, 0x1b, 0x9e, 0x10, 0x0f, 0x82, 0x2c, 0x8e, ++0xd7, 0xdd, 0xf2, 0xec, 0x9c, 0x6c, 0x04, 0x5d, 0x57, 0x69, 0xcd, 0x30, 0x1b, 0xe8, 0xd4, 0x5d, ++0xd4, 0x03, 0x97, 0xd1, 0x33, 0x78, 0x34, 0xdb, 0xc2, 0x4c, 0xc1, 0x8a, 0xee, 0xc7, 0x18, 0x6a, ++0xe3, 0x6d, 0x59, 0x1b, 0xed, 0xf5, 0x87, 0xff, 0x9d, 0x11, 0xff, 0x5a, 0xa5, 0x12, 0x93, 0x0e, ++0xc7, 0x67, 0xa4, 0x37, 0xb2, 0x8b, 0xba, 0xab, 0xe1, 0x29, 0x33, 0xe9, 0xf8, 0x10, 0x1d, 0xbf, ++0x7c, 0x2b, 
0x2e, 0x2e, 0x0b, 0x58, 0x5d, 0x8e, 0x0c, 0x44, 0xe2, 0x1d, 0x73, 0x2a, 0x8a, 0x6a, ++
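Review bot: the only `src/ssl.c` change visible in the embedded patch is the `WOLFSSL_ENTER` label correction from `wolfSSL_CertManagerCheckOCSP_Staple` to `wolfSSL_CertManagerCheckOCSPResponse`; the functional fix to `CompareOcspReqResp` that the subject line promises is not in the portion reproduced here, so the backport should be checked against upstream 73076940af8904f98eee085994c176fe1876b95a and the OpenWrt commit message should cite that commit directly rather than only the embedded "cherry picked from" line. The added `test_wolfSSL_CertManagerCheckOCSPResponse` is compiled only under `OPENSSL_ALL`, `WOLFSSL_NGINX`, `WOLFSSL_HAPROXY`, `WOLFSSL_APACHE_HTTPD` or `HAVE_LIGHTY`, so the OpenWrt build will not exercise it; a sentence on how the fix was verified would help.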
[PATCH 19.07 v2 2/3] wolfssl: Fix CVE-2021-38597
OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert. Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 2 +- ...-handling-of-OCSP-no-check-extension.patch | 49 +++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 631576a58e..d123e7a875 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) diff --git a/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch new file mode 100644 index 00..6fb62b2033 --- /dev/null +++ b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch 
@@ -0,0 +1,49 @@ +From Mon Sep 17 00:00:00 2001 +From: Sean Parkinson +Date: Fri, 16 Jul 2021 12:19:39 +1000 +Subject: [PATCH] OCSP: improve handling of OCSP no check extension + +(cherry picked from commit f93083be72a3b3d956b52a7ec13f307a27b6e093) + +diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c +index bbf71e3c1..966035f5b 100644 +--- a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c +@@ -9751,9 +9751,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) + } + + #ifdef HAVE_OCSP +-/* trust for the lifetime of the responder's cert*/ +-if (cert->ocspNoCheckSet && verify == VERIFY_OCSP) +-verify = NO_VERIFY; ++if (verify == VERIFY_OCSP_CERT) { ++/* trust for the lifetime of the responder's cert*/ ++if (cert->ocspNoCheckSet) ++verify = VERIFY; ++else ++verify = VERIFY_OCSP; ++} + #endif + /* advance past extensions */ + cert->srcIdx = cert->sigIndex; +@@ -17542,7 +17546,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, + + /* Don't verify if we don't have access to Cert Manager. */ + ret = ParseCertRelative(, CERT_TYPE, +-noVerify ? NO_VERIFY : VERIFY_OCSP, cm); ++noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm); + if (ret < 0) { + WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); + FreeDecodedCert(); +diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h +index e412c1d06..e3cddf5b4 100644 +--- a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h +@@ -589,6 +589,7 @@ enum VerifyType { + VERIFY_OCSP = 3, + VERIFY_NAME = 4, + VERIFY_SKIP_DATE = 5, ++VERIFY_OCSP_CERT = 6, + }; + + #ifdef WOLFSSL_CERT_EXT ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
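Review bot: the pasted patch has lost the `&cert` arguments in the `DecodeBasicOcspResponse` hunk (the context lines read `ParseCertRelative(, CERT_TYPE,` and `FreeDecodedCert();`), which looks like mail or HTML mangling of `&`; the file must be compared with upstream f93083be72a3b3d956b52a7ec13f307a27b6e093 before applying, since those context lines would not match and `patch`/`quilt` would reject the hunk. The logic change itself reads correctly: introducing `VERIFY_OCSP_CERT` and mapping it to plain `VERIFY` when `ocspNoCheckSet` is set (instead of the previous `NO_VERIFY`) means the responder certificate is still validated when the no-check extension is present, which is exactly the CVE-2021-38597 condition described in the commit message.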
[PATCH 19.07 v2 0/3] wolfssl security updates
Since a straight version bump is not feasible, I'm applying a couple of cherry-picks of security fixes:

73076940a Fix CompareOcspReqResp
f93083be7 OCSP: improve handling of OCSP no check extension (CVE-2021-38597)

Also included in the series is a patch to build the library with the "Alternate certificate validation" option WOLFSSL_ALT_CERT_CHAINS, allowing uclient-fetch to connect to servers using the default Let's Encrypt chain that contains the certificate cross-signed by the expired DST Root CA X3 certificate.

The original series was made when 4.8.1 was the current version in master. Since then, some more low-severity vulnerabilities were discovered: [1]

- Issue with incorrectly validating a certificate that has multiple subject alternative names when given a name constraint. In the case where more than one subject alternative name is used in the certificate, previous versions of wolfSSL could incorrectly validate the certificate. Users verifying certificates with multiple alternative names and name constraints, are recommended to either use the certificate verify callback to check for this case or update the version of wolfSSL used. Fixed in 5.0.0.

- Hang with DSA signature creation when a specific q value is used in a maliciously crafted key. If a DSA key with an invalid q value of either 1 or 0 was decoded and used for creating a signature, it would result in a hang in wolfSSL. Users that are creating signatures with DSA and are using keys supplied from an outside source are affected. Fixed in 5.0.0.

- Client side session resumption issue once the session resumption cache has been filled up. The hijacking of a session resumption has been demonstrated so far with only non verified peer connections. That is where the client is not verifying the server’s CA that it is connecting to. There is the potential though for other cases involving proxies that are verifying the server to be at risk.

- CVE-2021-44718: Potential for DoS attack on a wolfSSL client due to processing hello packets of the incorrect side. This affects only connections using TLS v1.2 or less that have also been compromised by a man in the middle attack. A CVE was reserved, but apparently not publicized yet.

High-severity CVE-2022-23408 is not included because it affects versions 5.0.0 and 5.1.0 only.

I've started to look at the first vulnerability, but it is not as straightforward as I was hoping. Perhaps Luiz Angelo Daros de Luca, reporter and author of the fixes, can help me out with this. Applying a large series of fixes may end up creating a new vulnerability if not done correctly, so we may need to consider the version bump again. The ABI version may create trouble for people running opkg update, but WolfSSL was not the core TLS library in 19.07 yet.

Nonetheless, this series includes the one high-severity vulnerability (according to wolfssl [1]) CVE-2021-38597, and can be applied before we decide what to do next.

Cheers,
Eneas

---
v2:
- Apply two security patches instead of bumping to 4.8.1
- Added patch to build with alternate certificate validation

[1] https://www.wolfssl.com/docs/security-vulnerabilities/

Andre Heider (1):
  wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

Eneas U de Queiroz (2):
  wolfssl: Fix OCSP request/response verification
  wolfssl: Fix CVE-2021-38597

 package/libs/wolfssl/Makefile | 8 +-
 .../patches/200-Fix-CompareOcspReqResp.patch | 224 ++
 ...-handling-of-OCSP-no-check-extension.patch | 49
 3 files changed, 279 insertions(+), 2 deletions(-)
 create mode 100644 package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch
 create mode 100644 package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
[PATCH 19.07] openssl: bump to 1.1.1m
This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz (cherry picked from commit 5beaa75d94c4a981c580905b84c7ef33caf0c3e2) --- package/libs/openssl/Makefile | 4 ++-- .../libs/openssl/patches/100-Configure-afalg-support.patch| 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 0397ab90c4..e8e10524ca 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=l +PKG_BUGFIX:=m PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 +PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index 98944103b5..d8789f4b45 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -12,7 +12,7 @@ diff --git a/Configure b/Configure index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) unless ($disabled{afalgeng}) { $config{afalgeng}=""; ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
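Review bot: the Makefile hunk replaces `PKG_HASH` with a new SHA256 for the 1.1.1m tarball; the commit message should say where the value was taken from (the `.sha256` upstream publishes beside the tarball) so reviewers can verify it without re-downloading. The `100-Configure-afalg-support.patch` hunk is an offset-only refresh (`@@ -1545` to `@@ -1548`), which is worth stating explicitly, since "Patches were refreshed" on its own could equally cover content changes.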
Re: [PATCH ustream-ssl] add compatibility for wolfssl >= 5.0
Can someone please take a look at this? The patch is rather trivial. The affected function, handle_wolfssl_asn_error is static, and its only caller is passing the return value of SSL_get_error(), from libwolfssl; so there should be no ordinary way to pass r=-159, which would be required to trigger a possible regression.

It's a blocker to update wolfssl to 5.1.1, which fixes a handful of security vulnerabilities.

Cheers,
Eneas

On Sat, Jan 1, 2022 at 5:09 PM Sergey V. Lobanov wrote:
> Related PR: https://github.com/openwrt/openwrt/pull/4910
>
> > NTRU support has been removed in wolfssl 5.0 so it is required to
> > mask NTRU specific code if wolfssl >= 5.0
> >
> > Signed-off-by: Sergey V. Lobanov
> > ---
> > ustream-openssl.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/ustream-openssl.c b/ustream-openssl.c > > index 1ce796a..894dddb 100644 > > --- a/ustream-openssl.c > > +++ b/ustream-openssl.c > > @@ -308,7 +308,9 @@ static bool handle_wolfssl_asn_error(struct ustream_ssl > > *us, int r) > > case ASN_SIG_HASH_E: > > case ASN_SIG_KEY_E: > > case ASN_DH_KEY_E: > > +#if LIBWOLFSSL_VERSION_HEX < 0x0500 > > case ASN_NTRU_KEY_E: > > +#endif > > case ASN_CRIT_EXT_E: > > case ASN_ALT_NAME_E: > > case ASN_NO_PEM_HEADER: > > -- > > 2.30.1 (Apple Git-130)
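Review bot: the guard `#if LIBWOLFSSL_VERSION_HEX < 0x0500` compares against a four-digit constant, but wolfSSL encodes LIBWOLFSSL_VERSION_HEX in wolfssl/version.h with the major version in the top byte (4.7.0 is 0x04007000), so the condition is false on every release and the `case ASN_NTRU_KEY_E:` line is compiled out for wolfSSL 4.x as well; this is the regression the reply above refers to (error -159 would fall through to the default handling). The comparison should use the full encoding, e.g. `#if LIBWOLFSSL_VERSION_HEX < 0x05000000`, after checking the exact format in the installed wolfssl/version.h.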
[PATCH] hostapd: fallback to psk when generating r0kh/r1kh
The 80211r r0kh and r1kh defaults are generated from the md5sum of "$mobility_domain/$auth_secret". auth_secret is only set when using EAP authentication, but the default key is used for SAE/PSK as well. In this case, auth_secret is empty, and the default value of the key can be computed from the SSID alone. Fallback to using $key when auth_secret is empty. While at it, rename the variable holding the generated key from 'key' to 'ft_key', to avoid clobbering the PSK. Signed-off-by: Eneas U de Queiroz --- This should be cherry-picked to 21.02 as well. package/network/services/hostapd/files/hostapd.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index d9d5f34877..e00fc21cd9 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -876,10 +876,10 @@ hostapd_set_bss_options() { set_default pmk_r1_push 0 [ -n "$r0kh" -a -n "$r1kh" ] || { - key=`echo -n "$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'` + ft_key=`echo -n "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'` - set_default r0kh "ff:ff:ff:ff:ff:ff,*,$key" - set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$key" + set_default r0kh "ff:ff:ff:ff:ff:ff,*,$ft_key" + set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$ft_key" } [ -n "$r1_key_holder" ] && append bss_conf "r1_key_holder=$r1_key_holder" "$N" ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
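Review bot: the commit message should spell out the behavioural change for existing deployments: an AP carrying this hunk derives a different default `r0kh`/`r1kh` for a PSK/SAE network than an unpatched AP in the same mobility domain, so a mixed fleet loses fast transition until every AP is updated or explicit keys are configured (the thread discussion covers this, the commit message does not). It would also help to note that the fallback `${auth_secret:-${key}}` only improves matters while `key` is non-empty; if both variables are empty the generated value is still derived from `$mobility_domain/` alone, and the block gives no warning in that case.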
[PATCH 21.02] openssl: bump to 1.1.1m
This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz (cherry picked from commit def9565be632b316c82ffc5a7b28c789e9df75b4) --- package/libs/openssl/Makefile | 4 ++-- .../libs/openssl/patches/100-Configure-afalg-support.patch| 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 0397ab90c4..e8e10524ca 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=l +PKG_BUGFIX:=m PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 +PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index 98944103b5..d8789f4b45 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -12,7 +12,7 @@ diff --git a/Configure b/Configure index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) unless ($disabled{afalgeng}) { $config{afalgeng}=""; ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] openssl: bump to 1.1.1m
This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz --- Tested on mediatek/Linksys E8450 using hostapd & nginx. package/libs/openssl/Makefile | 6 +++--- ...perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch | 13 +++-- .../patches/100-Configure-afalg-support.patch | 2 +- 3 files changed, 7 insertions(+), 14 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 0512abdc48..9e7482117d 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=l +PKG_BUGFIX:=m PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 +PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch index bdc0509f8c..e52a3d52ea 100644 --- a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch +++ b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch @@ -1,7 +1,7 @@ -From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001 +From Mon Sep 17 00:00:00 2001 
From: Andy Polyakov Date: Sun, 5 May 2019 18:25:50 +0200 -Subject: [PATCH] crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour +Subject: crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -14,12 +14,8 @@ endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.) Reviewed-by: Paul Dale Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/8883) - crypto/perlasm/ppc-xlate.pl | 8 - 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl -index e52f2f6ea6..5fcd0526df 100755 --- a/crypto/perlasm/ppc-xlate.pl +++ b/crypto/perlasm/ppc-xlate.pl @@ -49,7 +49,7 @@ my $globl = sub { @@ -49,7 +45,7 @@ index e52f2f6ea6..5fcd0526df 100755 my $mtspr = sub { my ($f,$idx,$ra) = @_; if ($idx == 256 && $no_vrsave) { -@@ -320,7 +320,7 @@ while($line=<>) { +@@ -318,7 +318,7 @@ while($line=<>) { if ($label) { my $xlated = ($GLOBALS{$label} or $label); print "$xlated:"; @@ -58,6 +54,3 @@ index e52f2f6ea6..5fcd0526df 100755 if ($TYPES{$label} =~ /function/) { printf "\n.localentry %s,0\n",$xlated; } --- -2.31.1 - diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index 98944103b5..d8789f4b45 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -12,7 +12,7 @@ diff --git a/Configure b/Configure index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) unless ($disabled{afalgeng}) { $config{afalgeng}=""; ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
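Review bot: beyond the offset refresh, the `001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch` hunks also strip the upstream commit id from the `From` line, the `[PATCH]` prefix, the diffstat, the `index` line and the trailing `2.31.1` signature; that is normal `quilt refresh` output, but it leaves "(Merged from https://github.com/openssl/openssl/pull/8883)" as the only pointer back to upstream, so that line must stay. The PPC hunk header moving from `@@ -320` to `@@ -318` shows upstream changed the file above that point; since testing was on mediatek only, a `make package/openssl/refresh` (or a build for a ppc64le target) would confirm the hunk still lands where intended. `PKG_RELEASE` going from 2 back to 1 with the version bump is correct.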
Re: [PATCH 19.07] wolfssl: update to 4.8.1-stable
On Sun, Dec 12, 2021 at 12:11 PM Petr Štetiar wrote:
> I'm wondering if we can do such an upgrade as the binary compatibility report for
> wolfSSL 4.7.0 vs 4.8.0 looks quite scary to me. Would it be possible to just
> backport those patches which fix those security related issues?

Most wolfSSL releases have binary compatibility issues. I would not recommend that anyone update just the package, even if the abi-laboratory report were less scary. This illustrates well the problem with binary package updates that jow wants to address.

I was not sure if it would be acceptable to do the version update, but then we went from 4.3.0 in 19.07.0 to 4.5.0 in 19.07.4, then 4.6.0 in 19.07.5, and 4.7.0 in 19.07.8, so why not 4.8.1?

OpenWrt 19.07 support is officially limited to security maintenance, so we can cherry-pick a couple of wolfssl commits instead:

73076940a Fix CompareOcspReqResp.
f93083be7 OCSP: improve handling of OCSP no check extension

(excluding tests):
 src/ssl.c               |  2 +-
 wolfcrypt/src/asn.c     | 19 ---
 wolfssl/wolfcrypt/asn.h |  1 +
 3 files changed, 14 insertions(+), 8 deletions(-)

Just let me know what the best approach is here.

After this is done, whether update or patch, I intend to propose a patch to build with WOLFSSL_ALT_CERT_CHAINS to avoid the problems with letsencrypt certificates. One can argue that it is a security fix, considering that the alternative is to skip certificate validation. If this is going to be NAKed, then I'll skip the trouble.

BTW, wolfssl 5.0.0 is out, but I've been unable to make it work with the letsencrypt certificates even with the build option active. There may be other problems that I don't recall now; I haven't looked at it lately. I'll return to it when able. Meanwhile, I'll try to get patches for the security problems that were fixed.

Cheers,
Eneas
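The message above presents WOLFSSL_ALT_CERT_CHAINS as the way to keep validating Let's Encrypt certificates, the alternative being to skip validation. As an added illustration, not code from wolfSSL, OpenWrt or the author, the Python below models the difference between a validator that insists the whole presented chain verify up to its last certificate and one that accepts the chain as soon as some presented certificate was issued by a trust anchor it already holds, which is how this example assumes WOLFSSL_ALT_CERT_CHAINS behaves. The certificate records are toy structures (subject, issuer, expiry; no signatures), the leaf name is invented, and the expiry dates only approximate the public chain of late 2021: R3 issued by ISRG Root X1, with servers also sending the ISRG Root X1 certificate cross-signed by the expired DST Root CA X3.

```python
"""Strict vs. alternate-chain certificate path validation, modelled in Python.

Added example: this is not wolfSSL, OpenWrt or mailing-list code.  It models
the behaviour this example ASSUMES for WOLFSSL_ALT_CERT_CHAINS: a presented
chain is accepted as soon as some certificate in it was issued by a trust
anchor we hold, instead of requiring the entire presented chain to verify up
to its last certificate.  Certificates are toy records; no signatures, key
usage or revocation are checked.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


def validate_chain(chain: List[Cert], trust_store: Dict[str, Cert], now: date,
                   alt_chains: bool = False) -> Tuple[bool, str]:
    """Validate a presented chain (leaf first) against a trust store.

    Strict mode: every presented certificate must be unexpired and correctly
    linked, and the issuer of the LAST one must be a valid trust anchor.
    Alternate-chain mode: succeed at the first certificate whose issuer is a
    valid trust anchor; later certificates (e.g. an expired cross-sign) are
    never examined.
    """
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False, f"{cert.subject!r} expired on {cert.not_after}"
        if i > 0 and chain[i - 1].issuer != cert.subject:
            return False, f"{cert.subject!r} did not issue {chain[i - 1].subject!r}"
        anchor = trust_store.get(cert.issuer)
        anchor_ok = anchor is not None and anchor.not_after >= now
        last = i == len(chain) - 1
        if anchor_ok and (alt_chains or last):
            return True, f"anchored at {cert.issuer!r} after {i + 1} cert(s)"
        if last:
            why = "not in trust store" if anchor is None else f"expired on {anchor.not_after}"
            return False, f"issuer {cert.issuer!r} of last cert {why}"
    return False, "unreachable"


NOW = date(2021, 12, 12)  # date of the message above

# Constructed data.  Expiry dates approximate the public ISRG/Let's Encrypt
# certificates of late 2021; the leaf name is invented.
LEAF = Cert("router.example.lan", "R3", date(2022, 3, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))

TRUST_STORE: Dict[str, Cert] = {
    "ISRG Root X1": Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4)),
    "DST Root CA X3": Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30)),
}

# What a Let's Encrypt server typically sent: leaf, R3, and ISRG Root X1
# cross-signed by the (already expired) DST Root CA X3.
CHAIN_WITH_CROSS = [LEAF, R3, ISRG_X1_CROSS]
# The server-side workaround: stop sending the cross-signed certificate.
CHAIN_SHORT = [LEAF, R3]


def compare_policies(chain: List[Cert], trust_store: Dict[str, Cert] = TRUST_STORE,
                     now: date = NOW) -> Dict[str, Tuple[bool, str]]:
    """Run both policies over one chain and return {policy: (ok, reason)}."""
    return {
        "strict": validate_chain(chain, trust_store, now),
        "alt_chains": validate_chain(chain, trust_store, now, alt_chains=True),
    }


if __name__ == "__main__":
    for label, chain in (("with cross-sign", CHAIN_WITH_CROSS),
                         ("without cross-sign", CHAIN_SHORT)):
        for policy, (ok, why) in compare_policies(chain).items():
            print(f"{label:19} {policy:11} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it shows the strict policy rejecting the three-certificate chain because the last certificate's issuer, DST Root CA X3, has expired, while the alternate-chain policy stops at R3's issuer, ISRG Root X1, and never looks at the cross-sign. The same strict validator passes once the server omits the cross-signed certificate, which is the server-side fix; the build option is what helps when the client cannot rely on every server doing that. Real validators also check signatures, name constraints, key usage and revocation, none of which is modelled here.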
Re: [PATCH 0/1] build: scripts/config - update to kconfig-v5.14
On Thu, Nov 25, 2021 at 4:54 AM Florian Eckert wrote:
> Hello Eneas,
>
> I've been looking at this too and wanted to update.
> Since I wasn't there from the beginning, I don't know everything that OpenWrt changes.
> Hence my suggestion:
> Can't we put the changes OpenWrt makes to the source code into a patch directory
> and then patch that with 'quilt' like we do with all the other packages?
> That would make the task easier for others to update this too.

I don't think we should keep the patches along with the main sources, but it may be beneficial to create an official repository under the openwrt infrastructure.

What I had done was to create a fork of 'linux', and applied the openwrt patches on top of that. You can see my current version, which resulted in the patch I just sent, here:
https://github.com/cotequeiroz/linux/commits/openwrt-5.14/scripts/kconfig

I don't think anyone can review the openwrt patch without looking at the commits I applied. Getting all of those commits together took some effort when I first did it. I was in the same situation as you are, but I really wanted the much better dependency view that the new kernel had. That was my motivation then. I documented the changes the best I could. It resulted in this branch:
https://github.com/cotequeiroz/linux/tree/openwrt-b2c55d50f8

Then fast-forwarding them was also time-consuming, because of the high number of commits to adapt, especially the many changes to the Makefile. I remember doing it in two ways: starting from the openwrt version of kconfig and applying the linux updates ("linux-on-top-of-openwrt" branch, stale after the review); and rebasing the openwrt changes on top of kconfig-5.6, which ended up being the final version (openwrt branch; I should have added a version to it), to see how close I would get both versions. I added the link to the branch I used in the README. At least now the Makefile was less subject to change, and our modifications have become straightforward and clean.

There have been some syntax adjustments (notably the removal of '---help---'), but when we moved from 5.4 to 5.10, our kernel patches had to be adapted as well. This is why I think it is beneficial to update this regularly, keeping it fresh.

Cheers,
Eneas
[PATCH 0/1] build: scripts/config - update to kconfig-v5.14
I'm updating the Kconfig programs in scripts/config, from Linux 5.6 to 5.14. The changes are not critical to openwrt, but regular updates ease the transition to an eventual newer version with more desirable features. The biggest impact here is the removal of the obsolete ---help--- symbol, which had been deprecated in favor of plain 'help'.

This has been menuconfig-tested with different targets for almost a month without problems.

The changes I made to the upstream kconfig for this version can be seen at
https://github.com/cotequeiroz/linux/commits/openwrt-5.14/scripts/kconfig

Eneas U de Queiroz (1):
  build: scripts/config - update to kconfig-v5.14

 Config.in                      |    2 +-
 scripts/config/.gitignore      |   30 +-
 scripts/config/Makefile        |   62 +-
 scripts/config/README          |    9 +-
 scripts/config/conf.c          |  451 --
 scripts/config/confdata.c      |  279 +---
 scripts/config/expr.h          |    6 -
 scripts/config/images.c        |   30 +-
 scripts/config/images.h        |   30 +-
 scripts/config/internal.h      |    9 +
 scripts/config/lexer.l         |    8 +-
 scripts/config/lexer.lex.c     | 2468 ++--
 scripts/config/lkc.h           |   68 +-
 scripts/config/lkc_proto.h     |   15 +-
 scripts/config/lxdialog/util.c |    4 +-
 scripts/config/mconf-cfg.sh    |    4 +-
 scripts/config/mconf.c         |   15 +-
 scripts/config/menu.c          |   26 +-
 scripts/config/nconf.c         |   59 +-
 scripts/config/nconf.gui.c     |  284 ++--
 scripts/config/nconf.h         |   51 +-
 scripts/config/parser.tab.c    | 1804 ++-
 scripts/config/parser.tab.h    |  120 +-
 scripts/config/parser.y        |   57 +-
 scripts/config/preprocess.c    |    2 +-
 scripts/config/qconf-cfg.sh    |   14 +-
 scripts/config/qconf.cc        | 1056 +++---
 scripts/config/qconf.h         |  160 +--
 scripts/config/symbol.c        |   30 +-
 target/sdk/files/Config.in     |    2 +-
 30 files changed, 3221 insertions(+), 3934 deletions(-)
 create mode 100644 scripts/config/internal.h
Re: [PATCH] ramips: switch to kernel 5.10
On Thu, Sep 9, 2021 at 5:49 AM Rui Salvaterra wrote:
> Tested on mt7621 (Redmi AC2100) and running stable for several months.
>
> Signed-off-by: Rui Salvaterra
> ---

Tested on rt3883: Asus RT-N56U

Tested-by: Eneas U de Queiroz
[PATCH] ramips: fix ralink_i2s_debugfs_remove declaration
Correct ralink_i2s_debugfs_remove declaration in ralink patches when CONFIG_DEBUG_FS is not selected.

Signed-off-by: Eneas U de Queiroz
---
Fixes the following error, when compiling without DEBUG_FS:

sound/soc/ralink/ralink-i2s.c:678:53: warning: 'struct fsl_ssi_dbg' declared inside parameter list will not be visible outside of this definition or declaration
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
                                                     ^~~
sound/soc/ralink/ralink-i2s.c: In function 'ralink_i2s_probe':
sound/soc/ralink/ralink-i2s.c:935:28: error: passing argument 1 of 'ralink_i2s_debugfs_remove' from incompatible pointer type [-Werror=incompatible-pointer-types]
  ralink_i2s_debugfs_remove(i2s);
                            ^~~
sound/soc/ralink/ralink-i2s.c:678:66: note: expected 'struct fsl_ssi_dbg *' but argument is of type 'struct ralink_i2s *'
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
                                                                  ^~~
sound/soc/ralink/ralink-i2s.c: In function 'ralink_i2s_remove':
sound/soc/ralink/ralink-i2s.c:947:28: error: passing argument 1 of 'ralink_i2s_debugfs_remove' from incompatible pointer type [-Werror=incompatible-pointer-types]
  ralink_i2s_debugfs_remove(i2s);
                            ^~~
sound/soc/ralink/ralink-i2s.c:678:66: note: expected 'struct fsl_ssi_dbg *' but argument is of type 'struct ralink_i2s *'
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
                                                                  ^~~
At top level:
sound/soc/ralink/ralink-i2s.c:146:13: warning: 'ralink_i2s_dump_regs' defined but not used [-Wunused-function]
 static void ralink_i2s_dump_regs(struct ralink_i2s *i2s)
             ^~~~
cc1: some warnings being treated as errors
make[7]: *** [scripts/Makefile.build:280: sound/soc/ralink/ralink-i2s.o] Error 1
make[6]: *** [scripts/Makefile.build:497: sound/soc/ralink] Error 2
make[5]: *** [scripts/Makefile.build:497: sound/soc] Error 2
make[4]: *** [Makefile:1822: sound] Error 2

 .../linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch | 2 +-
 .../linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch b/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch index 255c8d751a..680b678168 100644 --- a/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch +++ b/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch @@ -738,7 +738,7 @@ Signed-off-by: John Crispin + return 0; +} + -+static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg) ++static inline void ralink_i2s_debugfs_remove(struct ralink_i2s *i2s) +{ +} +#endif diff --git a/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch b/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch index cffdc4f4a1..4b9c877a7f 100644 --- a/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch +++ b/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch @@ -738,7 +738,7 @@ Signed-off-by: John Crispin + return 0; +} + -+static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg) ++static inline void ralink_i2s_debugfs_remove(struct ralink_i2s *i2s) +{ +} +#endif ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
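Review bot: both hunks fix only the parameter type of the `ralink_i2s_debugfs_remove` stub, but the build log in the commit message also reports `'ralink_i2s_dump_regs' defined but not used [-Wunused-function]` at ralink-i2s.c:146 for the same !CONFIG_DEBUG_FS configuration; that warning is left in place and becomes an error wherever the kernel is built with -Werror. Since the same `#ifdef`/`#endif` block is being touched in both the 5.4 and 5.10 patch files, move `ralink_i2s_dump_regs` under the CONFIG_DEBUG_FS guard (or mark it `__maybe_unused`) in this same change so the driver builds warning-free in both configurations.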
[PATCH 19.07] wolfssl: update to 4.8.1-stable
From: Ivan Pavlov Changes from 4.7.0: Fix one high (OCSP verification issue) and two low vulnerabilities Improve compatibility layer Other improvements and fixes For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases Signed-off-by: Ivan Pavlov (cherry picked from commit 7d92bb0509615550b98e2dc71091073c8258d564) [Added patch to allow compilation with libtool 2.4] Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 4 ++-- .../patches/100-disable-hardening-check.patch | 2 +- .../patches/110-build-with-libtool-2.4.patch| 13 + 3 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 57fcaa03b2..4940316f1b 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable +PKG_VERSION:=4.8.1-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444 PKG_FIXUP:=libtool PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index c89ff1be9d..4141e28750 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ; +@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ 
diff --git a/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch new file mode 100644 index 00..206c6dac6a --- /dev/null +++ b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch @@ -0,0 +1,13 @@ +diff --git a/configure.ac b/configure.ac +index 144c857e4..de7f6b45a 100644 +--- a/configure.ac b/configure.ac +@@ -32,7 +32,7 @@ AC_ARG_PROGRAM + + AC_CONFIG_HEADERS([config.h:config.in]) + +-LT_PREREQ([2.4.2]) ++LT_PREREQ([2.4]) + LT_INIT([disable-static win32-dll]) + + #shared library versioning ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
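Review bot: the new 110-build-with-libtool-2.4.patch carries no description header, unlike the other patches in the package; since it only relaxes `LT_PREREQ([2.4.2])` to `LT_PREREQ([2.4])` to match the tree's libtool 2.4, say so in a short header (and that it can be dropped once tools/libtool is updated), so the next person refreshing the package does not have to rediscover why it exists.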
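Review bot: the Makefile hunk bumps PKG_VERSION from 4.7.0-stable to 4.8.1-stable while keeping `PKG_FIXUP:=libtool` (the 21.02 counterpart uses `libtool libtool-abiver`), and the reply earlier in this thread states that most wolfSSL releases break binary compatibility. Before this lands in a security-maintenance branch, check whether the shared-library version changes between 4.7.0 and 4.8.1 and, if it does, that the package's ABI version is bumped or every 19.07 package linking libwolfssl is rebuilt; otherwise an opkg upgrade of libwolfssl alone leaves dependants bound to the old soname. Also confirm the new PKG_HASH against the SHA256 published for the upstream v4.8.1-stable archive.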
[PATCH 21.02 2/2] wolfssl: update to 4.8.1-stable
From: Ivan Pavlov Changes from 4.7.0: Fix one high (OCSP verification issue) and two low vulnerabilities Improve compatibility layer Other improvements and fixes For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases Signed-off-by: Ivan Pavlov (cherry picked from commit 7d92bb0509615550b98e2dc71091073c8258d564) [Added patch to allow compilation with libtool 2.4] Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 6 +++--- ...m-change-asm-snippets-to-get-compiling.patch | 17 + .../patches/100-disable-hardening-check.patch | 2 +- .../patches/110-build-with-libtool-2.4.patch| 13 + package/libs/wolfssl/patches/200-ecc-rng.patch | 4 ++-- 5 files changed, 24 insertions(+), 18 deletions(-) create mode 100644 package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 030a0224f5..ba9ec44cd9 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.8.1-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch index 091b241285..763f9e8d06 100644 --- a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch +++ b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch 
@@ -13,8 +13,6 @@ SP_ASM_MUL_ADD2 and SP_ASM_SQR_ADD. wolfcrypt/src/sp_int.c | 6 +++--- 2 files changed, 23 insertions(+), 12 deletions(-) -diff --git a/wolfcrypt/src/asm.c b/wolfcrypt/src/asm.c -index b7f53d073..a37e75e02 100644 --- a/wolfcrypt/src/asm.c +++ b/wolfcrypt/src/asm.c @@ -698,33 +698,39 @@ __asm__( \ @@ -64,7 +62,7 @@ index b7f53d073..a37e75e02 100644 #define SQRADDAC(i, j)\ __asm__( \ -@@ -733,7 +739,9 @@ __asm__( \ +@@ -733,7 +739,9 @@ __asm__( "addl %%eax,%0 \n\t"\ "adcl %%edx,%1 \n\t"\ "adcl $0,%2\n\t"\ @@ -75,7 +73,7 @@ index b7f53d073..a37e75e02 100644 #define SQRADDDB \ __asm__( \ -@@ -743,7 +751,10 @@ __asm__( \ +@@ -743,7 +751,10 @@ __asm__( "addl %6,%0 \n\t"\ "adcl %7,%1 \n\t"\ "adcl %8,%2 \n\t"\ @@ -87,11 +85,9 @@ index b7f53d073..a37e75e02 100644 #elif defined(TFM_X86_64) /* x86-64 optimized */ -diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c -index 6070faaa9..d26702e47 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c -@@ -477,7 +477,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, sp_int_digit lo, +@@ -476,7 +476,7 @@ static WC_INLINE sp_int_digit sp_div_wor "addl %%eax, %[l] \n\t"\ "adcl %%edx, %[h] \n\t"\ "adcl $0 , %[o] \n\t"\ @@ -100,7 +96,7 @@ index 6070faaa9..d26702e47 100644 : [a] "r" (va), [b] "r" (vb) \ : "eax", "edx", "cc" \ ) -@@ -503,7 +503,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, sp_int_digit lo, +@@ -502,7 +502,7 @@ static WC_INLINE sp_int_digit sp_div_wor "addl %%eax, %[l] \n\t"\ "adcl %%edx, %[h] \n\t"\ "adcl $0 , %[o] \n\t"\ @@ -109,7 +105,7 @@ index 6070faaa9..d26702e47 100644 : [a] "r" (va), [b] "r" (vb) \ : "eax", "edx", "cc" \ ) -@@ -542,7 +542,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, sp_int_digit lo, +@@ -541,7 +541,7 @@ static WC_INLINE sp_int_digit sp_div_wor
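Review bot: the diffstat lists 200-ecc-rng.patch as refreshed (4 lines changed) and the Makefile as 6 lines changed, but only the Makefile and the 001-Maths-x86-asm refresh are shown here, so the ecc-rng refresh could not be checked; the visible changes to 001 are `quilt refresh` output (dropped `diff --git`/`index` lines, truncated hunk-header context such as `sp_div_wor`, and the one-line shift from `@@ -477,7 +477,7` to `@@ -476,7 +476,7` in sp_int.c), which is fine. As in the 19.07 submission, 110-build-with-libtool-2.4.patch is added without a description header explaining why LT_PREREQ is lowered; please add one.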
[PATCH 21.02 1/2] wolfssl: fix build with GCC 10 on 32 x86 targets
From: Stijn Tintel Backport upstream patch to fix build with GCC 10 on 32 x86 targets. Signed-off-by: Stijn Tintel (cherry picked from commit 718a4f47806da8f68cb8f1fe2ebecf403e14ae96) --- ...change-asm-snippets-to-get-compiling.patch | 123 ++ 1 file changed, 123 insertions(+) create mode 100644 package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch diff --git a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch new file mode 100644 index 00..091b241285 --- /dev/null +++ b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch 
@@ -0,0 +1,123 @@ +From fa8f23284d4689c2a737204b337b58d966dcbd8c Mon Sep 17 00:00:00 2001 +From: Sean Parkinson +Date: Fri, 20 Aug 2021 10:23:38 +1000 +Subject: [PATCH] Maths x86 asm: change asm snippets to get compiling + +TFM: + Use register or memory for c0, c1, c2 in SQRADD and SQRADD2. +SP: + Use register or memory for vl, vh, vo in SP_ASM_MUL_ADD, +SP_ASM_MUL_ADD2 and SP_ASM_SQR_ADD. +--- + wolfcrypt/src/asm.c| 29 - + wolfcrypt/src/sp_int.c | 6 +++--- + 2 files changed, 23 insertions(+), 12 deletions(-) + +diff --git a/wolfcrypt/src/asm.c b/wolfcrypt/src/asm.c +index b7f53d073..a37e75e02 100644 +--- a/wolfcrypt/src/asm.c b/wolfcrypt/src/asm.c +@@ -698,33 +698,39 @@ __asm__( \ + + #define SQRADD(i, j) \ + __asm__( \ +- "movl %6,%%eax \n\t"\ ++ "movl %3,%%eax \n\t"\ + "mull %%eax\n\t"\ + "addl %%eax,%0 \n\t"\ + "adcl %%edx,%1 \n\t"\ + "adcl $0,%2\n\t"\ +- :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i) :"%eax","%edx","cc"); ++ :"+rm"(c0), "+rm"(c1), "+rm"(c2) \ ++ : "m"(i) \ ++ :"%eax","%edx","cc"); + + #define SQRADD2(i, j) \ + __asm__( \ +- "movl %6,%%eax \n\t"\ +- "mull %7 \n\t"\ ++ "movl %3,%%eax \n\t"\ ++ "mull %4 \n\t"\ + "addl %%eax,%0 \n\t"\ + "adcl %%edx,%1 \n\t"\ + "adcl $0,%2\n\t"\ + "addl %%eax,%0 \n\t"\ + "adcl %%edx,%1 \n\t"\ + "adcl $0,%2\n\t"\ +- :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i), "m"(j) :"%eax","%edx", "cc"); ++ :"+rm"(c0), "+rm"(c1), "+rm"(c2) \ ++ : "m"(i), "m"(j) \ ++ :"%eax","%edx", "cc"); + + #define SQRADDSC(i, j)\ +-__asm__( \ ++__asm__( \ + "movl %3,%%eax \n\t"\ + "mull %4 \n\t"\ + "movl %%eax,%0 \n\t"\ + "movl %%edx,%1 \n\t"\ + "xorl %2,%2\n\t"\ +- :"=r"(sc0), "=r"(sc1), "=r"(sc2): "g"(i), "g"(j) :"%eax","%edx","cc"); ++ :"=r"(sc0), "=r"(sc1), "=r"(sc2) \ ++ : "g"(i), "g"(j) \ ++ :"%eax","%edx","cc"); + + #define SQRADDAC(i, j)\ + __asm__( \ +@@ -733,7 +739,9 @@ __asm__( \ + "addl %%eax,%0 \n\t"\ + "adcl %%edx,%1 \n\t"\ + "adcl $0,%2\n\t"\ +- :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), 
"1"(sc1), "2"(sc2), "g"(i), "g"(j) :"%eax","%edx","cc"); ++ :"=r"(sc0), "=r"(sc1), "=r"(sc2) \ ++ : "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j) \ ++ :"%eax","%edx","cc"); + + #define SQRADDDB \ + __asm__( \ +@@ -743,7 +751,10 @@ __asm__( \ + "addl %6,%0 \n\t"\ + "adcl %7,%1 \n\t"
[PATCH 21.02 0/2] wolfssl: bump to v4.8.1-stable
I've added a trivial patch to allow compilation with libtool 2.4, currently used in 21.02. I have not used a separate commit for that, to not introduce a commit that does not build. Let me know if I should rather split this.

I'm cherry-picking a commit to allow compilation with gcc 10, to keep it in sync with master. While not the default, building with gcc 10 is an option for 21.02.

Eneas

Ivan Pavlov (1):
  wolfssl: update to 4.8.1-stable

Stijn Tintel (1):
  wolfssl: fix build with GCC 10 on 32 x86 targets

 package/libs/wolfssl/Makefile                 |   6 +-
 ...change-asm-snippets-to-get-compiling.patch | 116 ++
 .../patches/100-disable-hardening-check.patch |   2 +-
 .../patches/110-build-with-libtool-2.4.patch  |  13 ++
 .../libs/wolfssl/patches/200-ecc-rng.patch    |   4 +-
 5 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
 create mode 100644 package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
[PATCH v2] libtool: bump to 2.4.6
This updates libtool to its current release, from 2015. Current patches were renumbered and given a description text. The fix in 160-passthrough-ssp.patch is no longer needed. A patch to speed up build was cherry-picked, and another openwrt specific patch was needed to not use quotes in $(SHELL), to accommodate our "SHELL=/usr/bin/env bash" usage.

The already present call to ./bootstrap ensures that generated files are refreshed, so the patches are applied only to their sources. Also, that bootstrap call was adjusted to run at the appropriate time when QUILT=1.

Signed-off-by: Eneas U de Queiroz
---
Changelog: Rebased after upgrade to 2.4.2
---
 tools/libtool/Makefile                          |  11 +-
 tools/libtool/patches/000-relocatable.patch     | 108 ++---
 tools/libtool/patches/100-libdir-fixes.patch    |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch   |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch   |  36 +--
 ...ingslash.patch => 130-trailingslash.patch}   |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch   |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch   | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch   |  12 -
 .../patches/200-openwrt-branding.patch          | 134 ++-
 10 files changed, 444 insertions(+), 334 deletions(-)
 rename tools/libtool/patches/{150-trailingslash.patch => 130-trailingslash.patch} (57%)
 create mode 100644 tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch

diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index 2bc9db7d0d..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libtool PKG_CPE_ID:=cpe:/a:gnu:libtool -PKG_VERSION:=2.4.2 +PKG_VERSION:=2.4.6 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@GNU/$(PKG_NAME) -PKG_HASH:=1d7b6862c1ed162e327f083a6f78f40eae29218f0db8c38393d61dab764c4407 +PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f HOST_BUILD_PARALLEL:=1 @@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \ define Host/Prepare $(call Host/Prepare/Default) (cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4) - (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap) + $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)) +endef + +define Host/Configure + $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)) + $(call Host/Configure/Default) endef define Host/Install diff --git a/tools/libtool/patches/000-relocatable.patch b/tools/libtool/patches/000-relocatable.patch index 6d1651be31..88d1eaed02 100644 --- a/tools/libtool/patches/000-relocatable.patch +++ b/tools/libtool/patches/000-relocatable.patch 
@@ -1,46 +1,24 @@ a/libltdl/config/general.m4sh -+++ b/libltdl/config/general.m4sh -@@ -45,15 +45,22 @@ progpath="$0" - M4SH_VERBATIM([[ - : ${CP="cp -f"} - test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} --: ${EGREP="@EGREP@"} --: ${FGREP="@FGREP@"} --: ${GREP="@GREP@"} - : ${LN_S="@LN_S@"} - : ${MAKE="make"} - : ${MKDIR="mkdir"} - : ${MV="mv -f"} - : ${RM="rm -f"} --: ${SED="@SED@"} -+if test -n "$STAGING_DIR"; then -+ : ${EGREP="$STAGING_DIR/../host/bin/grep -E"} -+ : ${FGREP="$STAGING_DIR/../host/bin/grep -F"} -+ : ${GREP="$STAGING_DIR/../host/bin/grep"} -+ : ${SED="$STAGING_DIR/../host/bin/sed"} -+else -+ : ${EGREP="@EGREP@"} -+ : ${FGREP="@FGREP@"} -+ : ${GREP="@GREP@"} -+ : ${SED="@SED@"} -+fi - : ${SHELL="${CONFIG_SHELL-/bin/sh}"} - : ${Xsed="$SED -e 1s/^X//"} - +From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Tue, 20 Jul 2021 16:41:11 -0300 +Subject: openwrt: make relocatable, search resources relative to STAGING_DIR + +This was originally commited to openwrt by Jo-Philipp Wich +. + +(adjusted to v2.4.6) +Signed-off-by: Eneas U de Queiroz + --- a/libtoolize.in +++ b/libtoolize.in -@@ -334,15 +334,22 @@ as_unset=as_fn_unset +@@ -40,11 +40,18 @@ - : ${CP="cp -f"} - test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} + : ${AUTOCONF="autoconf"} + : ${AUTOMAKE="automake"} -: ${EGREP="@EGREP@"} -: ${FGREP="@FGREP@"} -: ${GREP="@GREP@"} : ${LN_S="@LN_S@"} - : ${MAKE="make"} - : ${MKDIR
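Review bot: in the Makefile hunk the bootstrap command `(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)` is now duplicated verbatim, once under `$(if $(QUILT),,...)` in Host/Prepare and once under `$(if $(QUILT),...)` in Host/Configure; factor it into a single define so the two paths cannot drift, and add a comment explaining why `touch README-release` is needed before bootstrap, since that is not obvious to a reader.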
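Review bot: 000-relocatable.patch is rewritten from libltdl/config/general.m4sh to libtoolize.in (hunk header `@@ -334,15 +334,22` becomes `@@ -40,11 +40,18`); the removed version overrode EGREP, FGREP, GREP and SED under `if test -n "$STAGING_DIR"`, but the new hunk shown here ends before its STAGING_DIR branch, so make sure the SED override was carried over together with the three grep variants, otherwise a host sed found via PATH would still be used by libtoolize.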
[PATCH 19.07 2/2] openssl: bump to 1.1.1l
This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 6 +++--- .../410-eng_devcrypto-add-configuration-options.patch | 5 ++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 17049dd57e..0397ab90c4 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=k +PKG_BUGFIX:=l PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 +PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch index 8745364cf2..6d0fbfc982 100644 --- a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch +++ b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch @@ -1,4 +1,4 @@ -From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001 +From Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Sat, 3 Nov 2018 15:41:10 -0300 Subject: eng_devcrypto: add configuration options @@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a2c9a966f7..5ec38ca8f3 100644 --- a/crypto/engine/eng_devcrypto.c 
+++ b/crypto/engine/eng_devcrypto.c @@ -16,6 +16,7 @@ @@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644 /** * * LOAD / UNLOAD -@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int() +@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int() if (!ENGINE_set_id(e, "devcrypto") || !ENGINE_set_name(e, "/dev/crypto engine") ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
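Review bot: the Makefile hunk replaces PKG_HASH 892a0875... with 0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 and resets PKG_RELEASE from 2 to 1; verify the hash against the SHA256 in the upstream 1.1.1l release announcement rather than against a downloaded tarball, since PKG_SOURCE_URL includes plain ftp mirrors and the hash is the only integrity check on what they serve, which matters more than usual for a release that exists to fix CVE-2021-3711 and CVE-2021-3712. The 410-eng_devcrypto refresh only drops the `From 1c2fabcd...` id and `index a2c9a966f7..5ec38ca8f3` lines and shifts `@@ -793,6 +1109,8` to `@@ -806,6 +1122,8`, consistent with a `quilt refresh`.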
[PATCH 19.07 1/2] openssl: use --cross-compile-prefix in Configure
This sets the --cross-compile-prefix option when running Configure, so that it will not use the host gcc to figure out, among other things, compiler defines. It avoids errors, if the host 'gcc' is handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option '-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz
Tested-by: Rosen Penev
(cherry picked from commit 2f75348923e564f1b73fbc32f7cabc355cd6e2b9)
---
Besides the fix for clang, I'm cherry-picking this to sync 21.02 and 19.07 Makefiles.

 package/libs/openssl/Makefile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 8f74fbcf7d..17049dd57e 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -335,6 +335,7 @@ define Build/Configure --prefix=/usr \ --libdir=lib \ --openssldir=/etc/ssl \ + --cross-compile-prefix="$(TARGET_CROSS)" \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) && \ @@ -347,14 +348,12 @@ TARGET_LDFLAGS += -Wl,--gc-sections define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ $(OPENSSL_MAKEFLAGS) \ all $(MAKE) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ DESTDIR="$(PKG_INSTALL_DIR)" \ $(OPENSSL_MAKEFLAGS) \
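Review bot: with `--cross-compile-prefix="$(TARGET_CROSS)"` recorded by Configure, the generated Makefile already derives its compiler from that prefix, so removing `CROSS_COMPILE="$(TARGET_CROSS)"` from both make invocations is right; but `CC="$(TARGET_CC)"` is kept on both, and it overrides whatever Configure probed. That is only safe while TARGET_CC resolves to the same `$(TARGET_CROSS)gcc` (and not, say, a wrapper with different defaults), otherwise the defines gathered at Configure time and the compiler used at build time can disagree, which is exactly the class of mismatch this change removes for the host-gcc case. A one-line comment in Build/Compile stating why CC is still forced would save the next reader the question.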
[PATCH 21.02] openssl: bump to 1.1.1l
This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile| 4 ++-- .../410-eng_devcrypto-add-configuration-options.patch| 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 5a20db660a..0397ab90c4 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=k +PKG_BUGFIX:=l PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 +PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch index 8745364cf2..6d0fbfc982 100644 --- a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch +++ b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch @@ -1,4 +1,4 @@ -From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001 +From Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Sat, 3 Nov 2018 15:41:10 -0300 Subject: eng_devcrypto: add configuration options @@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a2c9a966f7..5ec38ca8f3 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c 
@@ -16,6 +16,7 @@ @@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644 /** * * LOAD / UNLOAD -@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int() +@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int() if (!ENGINE_set_id(e, "devcrypto") || !ENGINE_set_name(e, "/dev/crypto engine") ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
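Review bot: same change as the 19.07 submission above, rebased on a Makefile (pre-image 5a20db660a) that already has PKG_RELEASE:=1, so no release reset is needed; the devcrypto patch refresh keeps `(Merged from https://github.com/openssl/openssl/pull/7585)`, so the upstream reference survives the removal of the `From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a` id. The retained `From Mon Sep 17 00:00:00 2001` line now carries no information; dropping it outright is cleaner than keeping a `From` header without a hash.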
[PATCH] openssl: bump to 1.1.1l
This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile| 4 ++-- .../410-eng_devcrypto-add-configuration-options.patch| 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 11e5ecfccb..3f5fe90d9c 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=k +PKG_BUGFIX:=l PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 +PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch index 8745364cf2..6d0fbfc982 100644 --- a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch +++ b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch @@ -1,4 +1,4 @@ -From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001 +From Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Sat, 3 Nov 2018 15:41:10 -0300 Subject: eng_devcrypto: add configuration options @@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a2c9a966f7..5ec38ca8f3 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c 
@@ -16,6 +16,7 @@ @@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644 /** * * LOAD / UNLOAD -@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int() +@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int() if (!ENGINE_set_id(e, "devcrypto") || !ENGINE_set_name(e, "/dev/crypto engine") ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
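Review bot: for the PKG_HASH hunk (892a0875... replaced by 0b7a3e5e...), the message should say where the new sha256 was verified, i.e. against the checksum/signature OpenSSL publishes for openssl-1.1.1l.tar.gz rather than copied from the freshly downloaded file; PKG_HASH is the only integrity check the build applies to this tarball, and a hash taken from an unverified download does not add one. The PKG_BUGFIX k to l change itself is fine and PKG_VERSION follows from it.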
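Review bot: the first hunk in 410-eng_devcrypto-add-configuration-options.patch turns `From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001` into `From Mon Sep 17 00:00:00 2001`, which drops the upstream commit id and leaves a malformed `From` header (no object id before the date) for anyone feeding the patch to git am. Keep the id; the `(Merged from https://github.com/openssl/openssl/pull/7585)` line that the patch still carries is a weaker pointer than the commit hash, and removing the `index a2c9a966f7..5ec38ca8f3` line in the later hunk already drops the other reference to the upstream blob.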
[PATCH] download: improve handling of invalid local files
4e19cbc5533: [download: handle possibly invalid local tarballs] added a FORCE rule to downloaded files, so that they will be always checked by download.pl. As a side-effect, check-compile will fail, forcing unnecessary package rebuilds. The check-compile.txt log shows (for libxml2 for example): Considering target file '.../dl/libxml2-2.9.12.tar.gz'. ... prerequisite 'FORCE' of target '.../dl/libxml2-2.9.12.tar.gz' does not exist. Must remake target '.../dl/libxml2-2.9.12.tar.gz'. ... Giving up on target file '...libxml2-2.9.12/.prepared_...'. Giving up on target file '...libxml2-2.9.12/.configured_...'. Giving up on target file '...libxml2-2.9.12/.built'. Giving up on target file '...stamp/.libxml2_installed'. Giving up on target file '.compile'. Then the package is rebuilt even if it is not otherwise needed. To fix this, instead of always forcing the download target to be remade, check its hash first: if it matches, then the FORCE is not added. Signed-off-by: Eneas U de Queiroz --- include/download.mk | 17 +++-- include/host-build.mk | 2 +- include/package.mk| 2 +- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/include/download.mk b/include/download.mk index 609956b004..76bd374cf7 100644 --- a/include/download.mk +++ b/include/download.mk 
@@ -59,6 +59,21 @@ define dl_tar_pack {TAR_TIMESTAMP:+--mtime="TAR_TIMESTAMP"} -c $(2) | $(call dl_pack,$(1)) endef +gen_sha256sum = $(shell $(MKHASH) sha256 $(DL_DIR)/$(1)) + +# Used in Build/CoreTargets and HostBuild/Core as an integrity check for +# downloaded files. It will add a FORCE rule if the sha256 hash does not +# match, so that the download can be more thoroughly handled by download.pl. +define check_download_integrity + expected_hash:=$(strip $(if $(filter-out x,$(HASH)),$(HASH),$(MIRROR_HASH))) + $$(if $$(and $(FILE),$$(wildcard $(DL_DIR)/$(FILE)), \ + $$(filter undefined,$$(flavor DownloadChecked/$(FILE, \ +$$(eval DownloadChecked/$(FILE):=1) \ +$$(if $$(filter-out $$(call gen_sha256sum,$(FILE)),$$(expected_hash)), \ + $(DL_DIR)/$(FILE): FORCE) \ + ) +endef + ifdef CHECK check_escape=$(subst ','\'',$(1)) #') @@ -74,8 +89,6 @@ else check_warn = $(if $(filter-out undefined,$(origin F_$(1))),$(filter ,$(shell $(call F_$(1),$(2),$(3),$(4)) >&2)),$(check_warn_nofix)) endif -gen_sha256sum = $(shell $(MKHASH) sha256 $(DL_DIR)/$(1)) - ifdef FIXUP F_hash_deprecated = $(SCRIPT_DIR)/fixup-makefile.pl $(CURDIR)/Makefile fix-hash $(3) $(call gen_sha256sum,$(1)) $(2) F_hash_mismatch = $(F_hash_deprecated) diff --git a/include/host-build.mk b/include/host-build.mk index e4a5c48e72..cfa29419aa 100644 --- a/include/host-build.mk +++ b/include/host-build.mk @@ -180,7 +180,7 @@ ifndef DUMP clean-build: host-clean-build endif - $(DL_DIR)/$(FILE): FORCE + $(call check_download_integrity) $(_host_target)host-prepare: $(HOST_STAMP_PREPARED) $(_host_target)host-configure: $(HOST_STAMP_CONFIGURED) diff --git a/include/package.mk b/include/package.mk index db0a869dab..55d9352072 100644 --- a/include/package.mk +++ b/include/package.mk 
@@ -183,7 +183,7 @@ define Build/CoreTargets $(call Build/Autoclean) $(call DefaultTargets) - $(DL_DIR)/$(FILE): FORCE + $(call check_download_integrity) download: $(foreach hook,$(Hooks/Download), ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
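Review bot: the `check_download_integrity` define in download.mk silently accepts a local tarball when there is no expected hash: if `expected_hash` expands to empty (neither HASH nor MIRROR_HASH set), `$$(filter-out $$(call gen_sha256sum,$(FILE)),$$(expected_hash))` is empty, no FORCE rule is emitted, and download.pl, which before this change always saw the file through FORCE, is never consulted. Treat an empty expected hash as a mismatch, for example by wrapping the comparison in `$$(if $$(expected_hash),<existing compare>,$(DL_DIR)/$(FILE): FORCE)`. Two smaller things in the same hunk: as posted, `$$(filter undefined,$$(flavor DownloadChecked/$(FILE, \` is missing its closing parentheses (mail mangling or a paste error, but the define will not parse as shown), and a package with `PKG_HASH:=skip` can never match the computed sha256, so it keeps getting the FORCE rule and the rebuilds the message describes; a comment saying that is intended would help.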
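Review bot: replacing `$(DL_DIR)/$(FILE): FORCE` with `$(call check_download_integrity)` in host-build.mk moves a `$(MKHASH) sha256` over the whole tarball into makefile parse time (via `$(shell)` in `gen_sha256sum`) for every host package whose file is present in $(DL_DIR). The `DownloadChecked/$(FILE)` guard limits it to once per file per make run, but it still happens on every invocation that evaluates the package, not only when a download is needed; state the measured cost in the message, or cache the result in a stamp keyed on the tarball's mtime and size.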
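Review bot: the package.mk hunk makes `$(call check_download_integrity)` run inside Build/CoreTargets for every package, and the define assigns the global `expected_hash:=` on each call. It works because the value is consumed in the same expansion, but a global with such a generic name is easy to clobber from a package Makefile; either inline the `$(strip ...)` expression in the comparison, or give it a per-file name such as `DownloadHash/$(FILE)`, the way the `DownloadChecked/$(FILE)` guard already does.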
[PATCH] ethtool: fix recursive dependency
Change the CONFLICTS definition from the alternative package (ethtool-full) to the main one. The CONFLICTS line creates a dependency to the conflicting package. Right now, the dependency would be created in the PACKAGE_ethtool-full symbol: config PACKAGE_ethtool-full depends on m || (PACKAGE_ethtool != y) When the main package is selected by airmon-ng, it selects PACKAGE_ethtool, *depending* on the value of PACKAGE_ethtool-full: config PACKAGE_airmon-ng select PACKAGE_ethtool if PACKAGE_ethtool-full --- package/network/utils/ethtool/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/package/network/utils/ethtool/Makefile b/package/network/utils/ethtool/Makefile index a82e5c92fa..9889677a16 100644 --- a/package/network/utils/ethtool/Makefile +++ b/package/network/utils/ethtool/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ethtool PKG_VERSION:=5.13 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MAINTAINER:=Felix Fietkau PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz @@ -31,6 +31,7 @@ define Package/ethtool TITLE:=Display or change ethernet card settings URL:=http://www.kernel.org/pub/software/network/ethtool/ VARIANT:=tiny + CONFLICTS:=ethtool-full endef define Package/ethtool-full @@ -38,8 +39,8 @@ define Package/ethtool-full TITLE += (full) VARIANT:=full PROVIDES:=ethtool - CONFLICTS:=ethtool DEPENDS:=+libmnl + CONFLICTS:= endef define Package/ethtool/description ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
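Review bot: the bare `CONFLICTS:=` added to Package/ethtool-full reads like a leftover but is load-bearing: the define builds on Package/ethtool's values (the `TITLE += (full)` and `PROVIDES:=ethtool` context shows that), so without the reset ethtool-full would inherit `CONFLICTS:=ethtool-full` and conflict with itself. Add a one-line comment, e.g. `# reset: inherited from Package/ethtool, a package must not conflict with itself`, so the next refresh does not drop it.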
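Review bot: the patch carries no Signed-off-by line, which OpenWrt requires on every submission. On the PKG_RELEASE hunk itself, bumping to 2 is right, since the package control metadata (CONFLICTS on both packages) changes even though no source does.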
[PATCH v2 1/2] libtool: bump to 2.4.6
This updates libtool to its current release, from 2015. Current patches were renumbered and given a description text. The fix in 160-passthrough-ssp.patch is no longer needed. A patch to speed up build was cherry-picked, and another openwrt specific patch was needed to not use quotes in $(SHELL), to accommodate our "SHELL=/usr/bin/env bash" usage. The already present call to ./bootstrap ensures that generated files are refreshed, so the patches are applied only to their sources. Also, that bootstrap call was adjusted to run at the appropriate time when QUILT=1. Signed-off-by: Eneas U de Queiroz --- tools/libtool/Makefile| 11 +- tools/libtool/patches/000-relocatable.patch | 108 ++--- .../libtool/patches/001-fix-func_append.patch | 22 -- tools/libtool/patches/100-libdir-fixes.patch | 97 +++- ...10-dont-use-target-dir-for-relinking.patch | 51 ++-- .../120-strip-unsafe-dirs-for-relinking.patch | 36 +-- ...ingslash.patch => 130-trailingslash.patch} | 33 +-- ...140-don-t-quote-SHELL-in-Makefile.am.patch | 72 ++ ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++ .../libtool/patches/160-passthrough-ssp.patch | 12 - .../patches/200-openwrt-branding.patch| 134 ++- 11 files changed, 444 insertions(+), 356 deletions(-) delete mode 100644 tools/libtool/patches/001-fix-func_append.patch rename tools/libtool/patches/{150-trailingslash.patch => 130-trailingslash.patch} (57%) create mode 100644 tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch create mode 100644 tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile index dd4a7f6380..b237884b64 100644 --- a/tools/libtool/Makefile +++ b/tools/libtool/Makefile 
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libtool PKG_CPE_ID:=cpe:/a:gnu:libtool -PKG_VERSION:=2.4 +PKG_VERSION:=2.4.6 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@GNU/$(PKG_NAME) -PKG_HASH:=afcce660d3dc54c63a0a5ba3cf05272239dc3c54bbeba20f6bad250f9dc007ae +PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f HOST_BUILD_PARALLEL:=1 @@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \ define Host/Prepare $(call Host/Prepare/Default) (cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4) - (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap) + $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)) +endef + +define Host/Configure + $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)) + $(call Host/Configure/Default) endef define Host/Install diff --git a/tools/libtool/patches/000-relocatable.patch b/tools/libtool/patches/000-relocatable.patch index 55265fe533..88d1eaed02 100644 --- a/tools/libtool/patches/000-relocatable.patch +++ b/tools/libtool/patches/000-relocatable.patch 
@@ -1,46 +1,24 @@ a/libltdl/config/general.m4sh -+++ b/libltdl/config/general.m4sh -@@ -45,15 +45,22 @@ progpath="$0" - M4SH_VERBATIM([[ - : ${CP="cp -f"} - test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} --: ${EGREP="@EGREP@"} --: ${FGREP="@FGREP@"} --: ${GREP="@GREP@"} - : ${LN_S="@LN_S@"} - : ${MAKE="make"} - : ${MKDIR="mkdir"} - : ${MV="mv -f"} - : ${RM="rm -f"} --: ${SED="@SED@"} -+if test -n "$STAGING_DIR"; then -+ : ${EGREP="$STAGING_DIR/../host/bin/grep -E"} -+ : ${FGREP="$STAGING_DIR/../host/bin/grep -F"} -+ : ${GREP="$STAGING_DIR/../host/bin/grep"} -+ : ${SED="$STAGING_DIR/../host/bin/sed"} -+else -+ : ${EGREP="@EGREP@"} -+ : ${FGREP="@FGREP@"} -+ : ${GREP="@GREP@"} -+ : ${SED="@SED@"} -+fi - : ${SHELL="${CONFIG_SHELL-/bin/sh}"} - : ${Xsed="$SED -e 1s/^X//"} - +From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Tue, 20 Jul 2021 16:41:11 -0300 +Subject: openwrt: make relocatable, search resources relative to STAGING_DIR + +This was originally commited to openwrt by Jo-Philipp Wich +. + +(adjusted to v2.4.6) +Signed-off-by: Eneas U de Queiroz + --- a/libtoolize.in +++ b/libtoolize.in -@@ -326,15 +326,22 @@ as_unset=as_fn_unset +@@ -40,11 +40,18 @@ - : ${CP="cp -f"} - test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} + : ${AUTOCONF="autoconf"} + : ${AUTOMAKE="automake"} -: ${EGREP="@EGREP@"} -: ${FGREP="@FGREP@"} -: ${GREP="@GREP@
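Review bot: for the PKG_HASH change (afcce660... replaced by 7c87a8c2...), say in the message that the sha256 was checked against the GNU-signed libtool-2.4.6.tar.xz (the detached signature published alongside it) rather than taken from the fresh download. This is the only integrity check applied to a host tool that then links everything else in the tree, so a hash copied from an unverified file protects nothing.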
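Review bot: the bootstrap invocation `(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)` is now duplicated verbatim in Host/Prepare (for the non-QUILT case) and Host/Configure (for QUILT); factor it into a single define, e.g. `define Host/Bootstrap`, called from both places so the two copies cannot drift. The `--skip-git` flag is what the cover letter refers to when it says there is an option to avoid refreshing gnulib from git; a comment saying so at the call site would spare the next reader the archaeology.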
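Review bot: in the new header added to 000-relocatable.patch, `commited` should be `committed`, and the line after `This was originally commited to openwrt by Jo-Philipp Wich` is a lone `.`, which looks like an address that was stripped; check that the file in the tree has the full attribution. The remainder of this hunk (the libtoolize.in changes) is cut off in the archive and cannot be reviewed from here.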
[PATCH v2 2/2] wolfssl: bump to v4.8.1-stable
Release 4.8.1 of wolfSSL embedded TLS has bug fixes and new features including this vulnerability: * [high] OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert. * [Low] OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. (fixed in 4.8.0) Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 6 +++--- .../libs/wolfssl/patches/100-disable-hardening-check.patch | 2 +- package/libs/wolfssl/patches/200-ecc-rng.patch | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 0c95288a2a..6ef80e88a9 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.8.1-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index c89ff1be9d..4141e28750 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h 
+++ b/wolfssl/wolfcrypt/settings.h -@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ; +@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch index 2d33c06209..d8581be7eb 100644 --- a/package/libs/wolfssl/patches/200-ecc-rng.patch +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c -@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void) +@@ -10938,21 +10938,21 @@ void wc_ecc_fp_free(void) #endif /* FP_ECC */ @@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h -@@ -584,10 +584,8 @@ WOLFSSL_API +@@ -616,10 +616,8 @@ WOLFSSL_API void wc_ecc_fp_free(void); WOLFSSL_LOCAL void wc_ecc_fp_init(void); ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
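Review bot: the Makefile hunk fetches from GitHub's generated archive URL (`https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)`), so the message should record where the new PKG_HASH (50db45f3...) was verified, e.g. against the checksum the release publishes, rather than copied from the download; that also tells a later reader that a hash mismatch on this URL may be a regenerated archive and not tampering. Resetting PKG_RELEASE to 1 with the version bump is right.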
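Review bot: in 200-ecc-rng.patch the refresh only moves hunk headers (`@@ -10293,21` to `@@ -10938,21` in ecc.c, `@@ -584,10` to `@@ -616,10` in ecc.h), a shift of roughly 650 lines in ecc.c. A one-line note in the message that the `wc_ecc_fp_free` region the patch touches is unchanged in 4.8.1, and that the patch is still needed, would save the next reviewer from diffing upstream to confirm it.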
[PATCH v2 0/2] Bump WolfSSL and libtool
v1->v2: WolfSSL was updated from 4.8.0, in the original series, to 4.8.1 due to a high-risk vulnerability. Patches were refreshed.

WolfSSL has decided it needs at least libtool 2.4.2 to build. From their commit 92854a5dd message:

    advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current automated testing coverage.

We could easily patch our way out of it, but I decided to try the upgrade first. It appears to work just fine. I've just rebuilt the whole tree for my Linksys E8450 (mt7622), and tested the WolfSSL update with hostapd and uhttpd. I've had no hiccups, but of course ymmv.

My major concern while bumping a core building tool was how it could affect the changes we have in place. I've looked at both our patches, and at what was changed upstream. The major changes were related to getting the gnulib sources from git, and refreshing them when running bootstrap. Since we are applying patches, getting fresh copies is not viable, but there's a command-line option to avoid doing it.

I'm not so sure what to do about 21.02.

1. Patch WolfSSL to accept building with libtool 2.4;
2. Bump libtool to 2.4.2: 11 *relevant* files changed from 2.4, 424 insertions(+), 198 deletions(-). This was before the gnulib changes. For a comparison, there are 71 files changed, 17143 insertions(+), 5697 deletions(-), when going from 2.4 to 2.4.6.
3. Bump both to keep in sync with master.

My vote: do 1 now, and wait for possible fallout from master. Then, perhaps try to keep them in sync, at the following point release.
Cheers Eneas U de Queiroz (2): libtool: bump to 2.4.6 wolfssl: bump to v4.8.1-stable package/libs/wolfssl/Makefile | 6 +- .../patches/100-disable-hardening-check.patch | 2 +- .../libs/wolfssl/patches/200-ecc-rng.patch| 4 +- tools/libtool/Makefile| 11 +- tools/libtool/patches/000-relocatable.patch | 108 ++--- .../libtool/patches/001-fix-func_append.patch | 22 -- tools/libtool/patches/100-libdir-fixes.patch | 97 +++- ...10-dont-use-target-dir-for-relinking.patch | 51 ++-- .../120-strip-unsafe-dirs-for-relinking.patch | 36 +-- ...ingslash.patch => 130-trailingslash.patch} | 33 +-- ...140-don-t-quote-SHELL-in-Makefile.am.patch | 72 ++ ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++ .../libtool/patches/160-passthrough-ssp.patch | 12 - .../patches/200-openwrt-branding.patch| 134 ++- 14 files changed, 450 insertions(+), 362 deletions(-) delete mode 100644 tools/libtool/patches/001-fix-func_append.patch rename tools/libtool/patches/{150-trailingslash.patch => 130-trailingslash.patch} (57%) create mode 100644 tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch create mode 100644 tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH 1/2] libtool: bump to 2.4.6
This updates libtool to its current release, from 2015. Current patches were renumbered and given a description text. The fix in 160-passthrough-ssp.patch is no longer needed. A patch to speed up build was cherry-picked, and another openwrt specific patch was needed to not use quotes in $(SHELL), to accommodate our "SHELL=/usr/bin/env bash" usage. The already present call to ./bootstrap ensures that generated files are refreshed, so the patches are applied only to their sources. Also, that bootstrap call was adjusted to run at the appropriate time when QUILT=1. Signed-off-by: Eneas U de Queiroz --- tools/libtool/Makefile| 11 +- tools/libtool/patches/000-relocatable.patch | 108 ++--- .../libtool/patches/001-fix-func_append.patch | 22 -- tools/libtool/patches/100-libdir-fixes.patch | 97 +++- ...10-dont-use-target-dir-for-relinking.patch | 51 ++-- .../120-strip-unsafe-dirs-for-relinking.patch | 36 +-- ...ingslash.patch => 130-trailingslash.patch} | 33 +-- ...140-don-t-quote-SHELL-in-Makefile.am.patch | 72 ++ ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++ .../libtool/patches/160-passthrough-ssp.patch | 12 - .../patches/200-openwrt-branding.patch| 134 ++- 11 files changed, 444 insertions(+), 356 deletions(-) delete mode 100644 tools/libtool/patches/001-fix-func_append.patch rename tools/libtool/patches/{150-trailingslash.patch => 130-trailingslash.patch} (57%) create mode 100644 tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch create mode 100644 tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile index dd4a7f6380..b237884b64 100644 --- a/tools/libtool/Makefile +++ b/tools/libtool/Makefile 
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libtool PKG_CPE_ID:=cpe:/a:gnu:libtool -PKG_VERSION:=2.4 +PKG_VERSION:=2.4.6 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@GNU/$(PKG_NAME) -PKG_HASH:=afcce660d3dc54c63a0a5ba3cf05272239dc3c54bbeba20f6bad250f9dc007ae +PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f HOST_BUILD_PARALLEL:=1 @@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \ define Host/Prepare $(call Host/Prepare/Default) (cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4) - (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap) + $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)) +endef + +define Host/Configure + $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)) + $(call Host/Configure/Default) endef define Host/Install diff --git a/tools/libtool/patches/000-relocatable.patch b/tools/libtool/patches/000-relocatable.patch index 55265fe533..88d1eaed02 100644 --- a/tools/libtool/patches/000-relocatable.patch +++ b/tools/libtool/patches/000-relocatable.patch 
@@ -1,46 +1,24 @@ a/libltdl/config/general.m4sh -+++ b/libltdl/config/general.m4sh -@@ -45,15 +45,22 @@ progpath="$0" - M4SH_VERBATIM([[ - : ${CP="cp -f"} - test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} --: ${EGREP="@EGREP@"} --: ${FGREP="@FGREP@"} --: ${GREP="@GREP@"} - : ${LN_S="@LN_S@"} - : ${MAKE="make"} - : ${MKDIR="mkdir"} - : ${MV="mv -f"} - : ${RM="rm -f"} --: ${SED="@SED@"} -+if test -n "$STAGING_DIR"; then -+ : ${EGREP="$STAGING_DIR/../host/bin/grep -E"} -+ : ${FGREP="$STAGING_DIR/../host/bin/grep -F"} -+ : ${GREP="$STAGING_DIR/../host/bin/grep"} -+ : ${SED="$STAGING_DIR/../host/bin/sed"} -+else -+ : ${EGREP="@EGREP@"} -+ : ${FGREP="@FGREP@"} -+ : ${GREP="@GREP@"} -+ : ${SED="@SED@"} -+fi - : ${SHELL="${CONFIG_SHELL-/bin/sh}"} - : ${Xsed="$SED -e 1s/^X//"} - +From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Tue, 20 Jul 2021 16:41:11 -0300 +Subject: openwrt: make relocatable, search resources relative to STAGING_DIR + +This was originally commited to openwrt by Jo-Philipp Wich +. + +(adjusted to v2.4.6) +Signed-off-by: Eneas U de Queiroz + --- a/libtoolize.in +++ b/libtoolize.in -@@ -326,15 +326,22 @@ as_unset=as_fn_unset +@@ -40,11 +40,18 @@ - : ${CP="cp -f"} - test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} + : ${AUTOCONF="autoconf"} + : ${AUTOMAKE="automake"} -: ${EGREP="@EGREP@"} -: ${FGREP="@FGREP@"} -: ${GREP="@GREP@
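Review bot: `touch README-release` before `./bootstrap` in both the Host/Prepare and the new Host/Configure recipe is unexplained; add a comment stating what bootstrap looks for in that file, otherwise the next person refreshing this Makefile will drop the touch as noise and lose the bootstrap. The `--force` flag also deserves a word, since with `--skip-git` it is the only thing that makes bootstrap regenerate files that the patches have just modified.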
[PATCH 2/2] wolfssl: bump to v4.8.0-stable
Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including this vulnerability: * [Low] OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 0c95288a2a..38c284ec5d 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.8.0-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=72c22efcdab0f18f9b0bb45621c213144f88b4a9e9b9cc06878b47744e058885 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
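Review bot: this hunk bumps to 4.8.0-stable, but the v2 cover letter on this page says the series was re-spun to 4.8.1 because 4.8.0 still has a high-severity OCSP issue (a response for an unrelated certificate carrying the NoCheck extension disabling verification of that cert). Do not merge this version of the bump; take v2 2/2 instead, which also refreshes the two wolfssl patches this v1 leaves untouched.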
[PATCH 0/2] Bump WolfSSL and libtool
WolfSSL has decided it needs at least libtool 2.4.2 to build. From their commit 92854a5dd message:

    advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current automated testing coverage.

We could easily patch our way out of it, but I decided to try the upgrade first. It appears to work just fine. I've just rebuilt the whole tree for my Linksys E8450 (mt7622), and tested the WolfSSL update with hostapd and uhttpd. I've had no hiccups, but of course ymmv.

My major concern while bumping a core building tool was how it could affect the changes we have in place. I've looked at both our patches, and at what was changed upstream. The major changes were related to getting the gnulib sources from git, and refreshing them when running bootstrap. Since we are applying patches, getting fresh copies is not viable, but there's a command-line option to avoid doing it.

I'm not so sure what to do about 21.02.

1. Patch WolfSSL to accept building with libtool 2.4;
2. Bump libtool to 2.4.2: 11 *relevant* files changed from 2.4, 424 insertions(+), 198 deletions(-). This was before the gnulib changes. For a comparison, there are 71 files changed, 17143 insertions(+), 5697 deletions(-), when going from 2.4 to 2.4.6.
3. Bump both to keep in sync with master.

My vote: do 1 now, and wait for possible fallout from master. Then, perhaps try to keep them in sync, at the following point release.
Cheers Eneas U de Queiroz (2): libtool: bump to 2.4.6 wolfssl: bump to v4.8.0-stable package/libs/wolfssl/Makefile | 6 +- tools/libtool/Makefile| 11 +- tools/libtool/patches/000-relocatable.patch | 108 ++--- .../libtool/patches/001-fix-func_append.patch | 22 -- tools/libtool/patches/100-libdir-fixes.patch | 97 +++- ...10-dont-use-target-dir-for-relinking.patch | 51 ++-- .../120-strip-unsafe-dirs-for-relinking.patch | 36 +-- ...ingslash.patch => 130-trailingslash.patch} | 33 +-- ...140-don-t-quote-SHELL-in-Makefile.am.patch | 72 ++ ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++ .../libtool/patches/160-passthrough-ssp.patch | 12 - .../patches/200-openwrt-branding.patch| 134 ++- 12 files changed, 447 insertions(+), 359 deletions(-) delete mode 100644 tools/libtool/patches/001-fix-func_append.patch rename tools/libtool/patches/{150-trailingslash.patch => 130-trailingslash.patch} (57%) create mode 100644 tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch create mode 100644 tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v3 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled engines in /var/etc/ssl/engines.cnf from engines configured in /etc/config/openssl: config engine 'devcrypto' option enabled '1' Currently the only options implemented are 'enabled', which defaults to true and enables the named engine, and the 'force' option, that enables the engine even if the init script thinks the engine does not exist. The existence test is to check for either a configuration file /etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file /usr/lib/engines-1.1/%ENGINE%.so. The engine list is generated by an init script which is set to run after 'log' because it informs the engines being enabled or skipped. It should run before any service using OpenSSL as the crypto library, otherwise the service will not use any engine. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: - fixed postinst & postrm logic that was failing when building the final image - deleted engine uci section when removing the package - removed extra files leftover from previous development versions v2->v3: - actually removed the extra files that I had promised in v2 package/libs/openssl/Makefile | 13 ++-- package/libs/openssl/engine.mk| 60 --- package/libs/openssl/files/engines.cnf| 7 --- package/libs/openssl/files/openssl.init | 31 ++ .../150-openssl.cnf-add-engines-conf.patch| 5 +- 5 files changed, 54 insertions(+), 62 deletions(-) delete mode 100644 package/libs/openssl/files/engines.cnf create mode 100755 package/libs/openssl/files/openssl.init diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 238f7ecf02..0bf9e7a45f 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 
@@ -128,7 +128,6 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf -/etc/ssl/engines.cnf.d/engines.cnf $(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef @@ -378,15 +377,17 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl + touch $(1)/etc/config/openssl $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ - echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ - echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) endef define Package/openssl-util/install diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk index 482b5ad5e8..973a989904 100644 --- a/package/libs/openssl/engine.mk +++ b/package/libs/openssl/engine.mk 
@@ -23,60 +23,24 @@ define Package/openssl/add-engine define Package/$$(OSSL_ENG_PKG)/postinst := #!/bin/sh -# 1 == non-empty: suggest reinstall -error_out() { -[ "$1" ] && cat <<- EOF - Reinstalling the libopenssl-conf package may fix this: +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl" - opkg install --force-reinstall libopenssl-conf - EOF -cat <<- EOF +[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0 - Then, you will have to reinstall this package, and any other engine package you have - you have previously installed to ensure they are enabled: +cat << EOF >> "{OPENSSL_UCI}" - opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]... +config engine '$(1)' + option enabled '1' +EOF - EOF -exit 1 -} -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" -OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf" -if [ ! -f "{OPENSSL_CNF}" ]; then -echo -e "ERROR: File {OPENSSL_CNF} not found." -error
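Review bot: the conffiles hunk removes `/etc/ssl/engines.cnf.d/engines.cnf` but does not add `/etc/config/openssl`, which the install hunk now creates and which is the file the user is meant to edit (setting `option enabled '0'` to keep an engine out of the generated list). Without a conffiles entry opkg will overwrite it on package upgrade and sysupgrade will not carry it across. Add `/etc/config/openssl` to Package/libopenssl-conf/conffiles.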
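Review bot: in the install hunk, `echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl` relies on `echo -e`, which is not POSIX and only works because the recipe shell is bash; and the padlock section gets a leading `\n` while the devcrypto one does not, so the generated file's layout depends on which engines are built in. Use `printf` for both, e.g. `printf "config engine '%s'\n\toption enabled '1'\n\n" devcrypto >> $(1)/etc/config/openssl`, or better, emit the sections with the same heredoc the engine postinst uses so there is a single writer for that file.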
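Review bot: in the new postinst, the existing-section check `[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0` only runs on a live system; at image-build time (IPKG_INSTROOT set) the heredoc appends `config engine '$(1)'` unconditionally, so a second run of the postinst during image assembly yields duplicate sections. If uci is available to the postinst in that context, `uci -c "$${IPKG_INSTROOT}/etc/config" -q get openssl.$(1)` makes the check work in both cases; otherwise grep the target file for `config engine '$(1)'` before appending. Also emit a blank line before the section so the appended file matches what libopenssl-conf/install writes, and note that, as posted, `OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"` has no `$` before the brace (the removed lines show the same), which is probably the archive stripping `$$` but is worth confirming in the tree.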
[PATCH v3 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged v2->v3: unchanged package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 69616f01e8..238f7ecf02 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description 
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. 
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUIL
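Review bot: the three description hunks drop the sentence "To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf." without saying what replaces it, so the package descriptions no longer tell the user that installing the package is what enables the engine, nor how to disable it again (delete the `<id>=<id>` line from engines.cnf, the inverse of what the package's prerm does). Add one sentence per description, for example "Installing this package enables the engine in /etc/ssl/engines.cnf.d/engines.cnf; remove the afalg=afalg line to disable it."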
[PATCH v3 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. All patches were refreshed. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged v2->v3: unchanged package/libs/openssl/Makefile | 30 -- package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 17 files changed, 114 insertions(+), 123 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..69616f01e8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 
@@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install 
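Review bot: this commit starts installing /etc/ssl/engines.cnf.d/engines.cnf from libopenssl-conf, and the description hunks above tell the user to edit that file to enable an engine, but Package/libopenssl-conf/conffiles is not touched, so it still lists only /etc/ssl/openssl.cnf. A file that is not a conffile is overwritten by the next opkg upgrade of libopenssl-conf and is not preserved by sysupgrade, which would silently disable every engine the user turned on. Add `/etc/ssl/engines.cnf.d/engines.cnf` to the conffiles block in this commit rather than leaving it to 2/3.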
@@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devc
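Review bot: the engine packages install their `<id>.cnf` with $(INSTALL_DATA), while the libopenssl-conf hunk just above puts engines.cnf into the same /etc/ssl/engines.cnf.d with $(CP), which keeps whatever mode the file has in the source tree; use $(INSTALL_DATA) there as well. Also, since the libopenssl-devcrypto description says the user may edit /etc/ssl/engines.cnf.d/devcrypto.cnf, each engine package should list its own .cnf under Package/<pkg>/conffiles, which these install hunks do not add.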
[PATCH v3 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list.
- the second implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed.

The first commit received basic testing on mvebu running master, covering afalg and devcrypto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters".
All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Changelog: v1->v2: - fixed postinst & postrm logic that was failing when building the final image - deleted engine uci section when removing the package - removed extra files leftover from previous development versions v2->v3: - actually removed the extra files that I had promised in v2 Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 46 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 18 files changed, 191 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf
[PATCH v2 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 69616f01e8..238f7ecf02 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description 
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. 
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPT
[PATCH v2 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. All patches were refreshed. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged package/libs/openssl/Makefile | 30 -- package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 17 files changed, 114 insertions(+), 123 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..69616f01e8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 
@@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install 
@@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR
[PATCH v2 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled engines in /var/etc/ssl/engines.cnf from engines configured in /etc/config/openssl: config engine 'devcrypto' option enabled '1' Currently the only options implemented are 'enabled', which defaults to true and enables the named engine, and the 'force' option, that enables the engine even if the init script thinks the engine does not exist. The existence test is to check for either a configuration file /etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file /usr/lib/engines-1.1/%ENGINE%.so. The engine list is generated by an init script which is set to run after 'log' because it informs the engines being enabled or skipped. It should run before any service using OpenSSL as the crypto library, otherwise the service will not use any engine. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: - fixed postinst & postrm logic that was failing when building the final image - deleted engine uci section when removing the package - removed extra files leftover from previous development versions package/libs/openssl/Makefile | 13 ++-- package/libs/openssl/engine.mk| 60 --- .../libs/openssl/files/openssl-engines.init | 19 ++ package/libs/openssl/files/openssl.init | 31 ++ .../150-openssl.cnf-add-engines-conf.patch| 5 +- 5 files changed, 73 insertions(+), 55 deletions(-) create mode 100644 package/libs/openssl/files/openssl-engines.init create mode 100755 package/libs/openssl/files/openssl.init diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 238f7ecf02..0bf9e7a45f 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 
@@ -128,7 +128,6 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf -/etc/ssl/engines.cnf.d/engines.cnf $(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef @@ -378,15 +377,17 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl + touch $(1)/etc/config/openssl $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ - echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ - echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) endef define Package/openssl-util/install diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk index 482b5ad5e8..973a989904 100644 --- a/package/libs/openssl/engine.mk +++ b/package/libs/openssl/engine.mk 
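Review bot: the conffiles hunk removes /etc/ssl/engines.cnf.d/engines.cnf but does not add /etc/config/openssl, the file the install hunk creates with `touch $(1)/etc/config/openssl` and that every engine package's postinst appends a `config engine` section to. As a plain file it is overwritten by the package's copy on the next opkg upgrade of libopenssl-conf, dropping those sections, and sysupgrade keeps only declared conffiles or paths listed in /etc/sysupgrade.conf. Add `/etc/config/openssl` to Package/libopenssl-conf/conffiles. Minor, in the install hunk: `printf "config engine 'devcrypto'\n\toption enabled '1'\n"` does the same as the two `echo -e` lines without depending on the recipe shell's echo honouring `-e`.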
@@ -23,60 +23,24 @@ define Package/openssl/add-engine define Package/$$(OSSL_ENG_PKG)/postinst := #!/bin/sh -# 1 == non-empty: suggest reinstall -error_out() { -[ "$1" ] && cat <<- EOF - Reinstalling the libopenssl-conf package may fix this: +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl" - opkg install --force-reinstall libopenssl-conf - EOF -cat <<- EOF +[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0 - Then, you will have to reinstall this package, and any other engine package you have - you have previously installed to ensure they are enabled: +cat << EOF >> "{OPENSSL_UCI}" - opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]... +config engine '$(1)' + option enabled '1' +EOF - EOF -exit 1 -} -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" -OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf" -if [ ! -f "{OPENSSL_CNF}" ]; then -echo -e "ERROR: File {OPENSSL_CNF} not found." -error_out reinstall -fi -if ! grep -q "^.include /etc/ssl/e
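Review bot: the postinst uses the engine id `$(1)` as a UCI section name, both in `uci -q get openssl.$(1)` and in the `config engine '$(1)'` section it appends. UCI section names may contain only letters, digits and underscore; the in-tree ids (afalg, devcrypto, padlock) are fine, but engine.mk is offered to out-of-tree engine packages, so add-engine should reject an id containing any other character instead of writing a section that `uci` cannot address later. Also, when IPKG_INSTROOT is set the `uci` check is skipped and the heredoc appends unconditionally; that is only safe because the `@!OPENSSL_ENGINE_BUILTIN` dependency keeps libopenssl-conf's built-in sections and an engine module for the same id out of the same image, which is worth a comment in engine.mk.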
[PATCH v2 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list.
- the second implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed.

The first commit received basic testing on mvebu running master, covering afalg and devcrypto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters".
All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Changelog: v1->v2: - fixed postinst & postrm logic that was failing when building the final image - deleted engine uci section when removing the package - removed extra files leftover from previous development versions Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 46 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ .../libs/openssl/files/openssl-engines.init | 19 package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 20 files changed, 217 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/openssl-engines.init create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 
package/libs/openssl/files/padlock.cnf
Re: [PATCH 3/3] openssl: configure engines with uci
Hi Florian On Thu, Apr 29, 2021 at 3:44 AM Florian Eckert wrote: > > $(if > > CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) > > $(if > > CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) > > I think AFALG is missing there? > As I mentioned in the earlier thread, builtin AFALG is weird. If I enable it in openssl.cnf, it will always look for afalg.so, and will fail. I think it was an oversight, but AFALG is not part of OPENSSL_INIT_ENGINE_ALL_BUILTIN [1], so it will not be enabled by default, unless you call OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_AFALG, NULL). The AFALG engine does not have any control commands, so configuration is a noop anyway. [1] https://github.com/openssl/openssl/blob/0f077b5fd86e2df0b41608fbd5684fa1a2b58f59/include/openssl/crypto.h.in#L452 > > endef
> > @@ -378,15 +377,17 @@ define Package/libopenssl/install > > endef > > > > define Package/libopenssl-conf/install > > - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d > > + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config > > $(1)/etc/init.d > > $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ > > - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ > > + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl > > + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' > > $(1)/etc/init.d/openssl > > I do not understand what you are doing there. ENGINES_DIR is where the engine so files are stored. It is versioned, so it is stored in a variable in engine.mk. I'm just setting it in /etc/init.d/openssl, from ./files/openssl.init#3: ENGINES_DIR="%ENGINES_DIR%" The final result, installed in /etc/init.d/openssl#3 is: ENGINES_DIR="/usr/lib/engines-1.1" > > $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), > > $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ > > - echo padlock=padlock >> > > $(1)/etc/ssl/engines.cnf.d/engines.cnf) > > + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> > > $(1)/etc/config/openssl) > > What about AFALG? The same explanation above fits here. > > #!/bin/sh > > +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl" > > +if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null; > > then > > +cat << EOF >> "{OPENSSL_UCI}" > > +config engine '$(1)' > > + option enabled '1' > > +EOF > > From my point of view, I think it would be better if we used the uci cli > command directly here. > to add the config engine section and enable this engine. However, uci is not available when the package is installed by the buildsystem, such as when building the firmware image. That's why I always check for $IPKG_INSTROOT before calling any commands available in the target only, as seen above.
> > > fi > > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload > >endef > > > > - define Package/$$(OSSL_ENG_PKG)/prerm := > > + define Package/$$(OSSL_ENG_PKG)/postrm := > > #!/bin/sh > > -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" > > -[ -f "{ENGINES_CNF}" ] || exit 0 > > -sed -e '/$(1)=$(1)/d' -i "{ENGINES_CNF}" > > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload > > Should we not also remove the uci option on an uninstall with the uci > command? > I'll change this. My idea was to save the configuration, if the user later reinstalls the package. However, since the %ENGINE%.cnf file is not removed, openssl will try to enable the removed engine and fail. > > +++ b/package/libs/openssl/files/openssl-engines.init
> > @@ -0,0 +1,19 @@ > > +#!/bin/sh /etc/rc.common > > Is the init script also switched on at the first boot? > So that the service runs immediately? > Not that the service has to be switched on in /etc/rc.d/ first - that > would be unpleasant. Yes, it is: file build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl: symbolic link to ../init.d/openssl > > > + > > +START=05 > > +OSSL_ENGINES_CNF="/etc/ssl/engines.cnf.d/engines.cnf" > > + > > +enable_engine() { > > + echo "$1=$1" >> "${OSSL_ENGINES_CNF}" > > The writing happens here on the persistent storage at every boot! > This is not so good for embedded targets with FLASH. > It would be better to write this to the tmp. > This file, along with engines.cnf, was left over from a previous idea, and is not used. I will take care of them in the v2. The list is actually saved in /var/etc/ssl/engines.cnf. > > + config_list_foreach openssl.openssl[0] engines enable_engine > > How about the named uci section globals > config openssl globals > This is also part of the leftover file. I've spotted a missing fix for the postinst/postrm scripts that were failing when building the final image. I'll send a v2 in a bit. Thanks for the review! Eneas
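Review bot: in the quoted v1 postinst and postrm, `[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload` is the last command of the script. When IPKG_INSTROOT is set, as it is while the image is assembled, the test fails, the `&&` list returns 1 and that becomes the script's exit status, so opkg reports a failed postinst or postrm for every engine package; this is presumably the "postinst & postrm logic that was failing when building the final image" named in the v2 changelog. Write it as `if [ -z "$IPKG_INSTROOT" ]; then /etc/init.d/openssl reload; fi` (with the usual `$$` escaping inside the define) or end both scripts with an explicit `exit 0`.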
[PATCH 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled engines in /var/etc/ssl/engines.cnf from engines configured in /etc/config/openssl: config engine 'devcrypto' option enabled '1' Currently the only options implemented are 'enabled', which defaults to true and enables the named engine, and the 'force' option, that enables the engine even if the init script thinks the engine does not exist. The existence test is to check for either a configuration file /etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file /usr/lib/engines-1.1/%ENGINE%.so. The engine list is generated by an init script which is set to run after 'log' because it informs the engines being enabled or skipped. It should run before any service using OpenSSL as the crypto library, otherwise the service will not use any engine. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 13 +++-- package/libs/openssl/engine.mk| 58 +++ .../libs/openssl/files/openssl-engines.init | 19 ++ package/libs/openssl/files/openssl.init | 31 ++ .../150-openssl.cnf-add-engines-conf.patch| 5 +- 5 files changed, 70 insertions(+), 56 deletions(-) create mode 100644 package/libs/openssl/files/openssl-engines.init create mode 100755 package/libs/openssl/files/openssl.init diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 238f7ecf02..0bf9e7a45f 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 @@ -128,7 +128,6 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf -/etc/ssl/engines.cnf.d/engines.cnf $(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef 
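Review bot: the conffiles hunk removes /etc/ssl/engines.cnf.d/engines.cnf but does not add /etc/config/openssl, which the install hunk now creates and the postinst scripts append to; without it listed as a conffile, an opkg upgrade of libopenssl-conf replaces the user's engine settings with the image defaults.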
@@ -378,15 +377,17 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl + touch $(1)/etc/config/openssl $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/ - echo devcrypto=devcrypto >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl) $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK), $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/ - echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf) + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl) endef define Package/openssl-util/install diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk index 482b5ad5e8..efa46d7214 100644 --- a/package/libs/openssl/engine.mk +++ b/package/libs/openssl/engine.mk 
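Review bot: the install hunk writes the uci sections with `echo -e "config engine 'devcrypto'\n\toption enabled '1'"`; `-e` is not POSIX echo and only behaves this way because OpenWrt runs recipes under bash, so `printf 'config engine %s\n\toption enabled %s\n' "'devcrypto'" "'1'"` is the portable form and avoids a silent `-e` in the output if the shell ever changes. Since `touch $(1)/etc/config/openssl` always creates the file, the padlock `echo -e "\nconfig ..."` leading blank line is fine, but the two branches should be kept in the same shape.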
@@ -23,60 +23,20 @@ define Package/openssl/add-engine define Package/$$(OSSL_ENG_PKG)/postinst := #!/bin/sh -# 1 == non-empty: suggest reinstall -error_out() { -[ "$1" ] && cat <<- EOF - Reinstalling the libopenssl-conf package may fix this: +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl" - opkg install --force-reinstall libopenssl-conf - EOF -cat <<- EOF +if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null; then +cat << EOF >> "{OPENSSL_UCI}" - Then, you will have to reinstall this package, and any other engine package you have - you have previously installed to ensure they are enabled: - - opkg install --force-reinstall $$(OSSL_ENG_PKG) [OTHER_ENGINE_PKG]... - - EOF -exit 1 -} -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf" -OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf" -if [ ! -f "{OPENSSL_CNF}" ]; then -echo -e "ERROR: File {OPENSSL_CNF} not found." -error_out reinstall -fi -if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then -cat <<- EOF - Your /etc/ssl/openssl.cnf file is not loading engine configuration files from - /etc/ssl/engines.cnf.d. You should consider start with a fresh, updated OpenSSL config by - running: - - opkg
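Review bot: the postinst hunk removes the error_out() helper and with it the check that openssl.cnf still contains `.include /etc/ssl/engines.cnf.d`, so on a system whose openssl.cnf was edited the uci section is added and the engine silently never loads; keep at least a warning on that path. The `if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null` branch also appends a section unconditionally during image build, so guard the IPKG_INSTROOT case with a grep on the file the same way the live case uses uci.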
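The engine-list generation the commit message describes (keep an engine only if /etc/ssl/engines.cnf.d/%ENGINE%.cnf or /usr/lib/engines-1.1/%ENGINE%.so exists, unless 'force' is set, and log what was enabled or skipped), written out as an added POSIX sh example. This is not the series' openssl.init and it does not read uci: the engine sections are stood in for by a constructed spec file of `name enabled force` lines, the directories are parameters so it runs against a scratch tree, and the name check is a defensive addition so a forced entry cannot inject extra config lines. The existence test matters because of the failure mode raised elsewhere in the thread: OpenSSL stops loading engines at the first one that fails, so one stale entry disables every engine listed after it.

```shell
#!/bin/sh
# Added illustration of the engines-list generation described in the
# commit message; not the openssl.init from the series.
#
# Spec format (stand-in for the uci 'engine' sections, constructed here):
#   one "<name> <enabled> <force>" triple per line, e.g. "devcrypto 1 0"

gen_engines_cnf() {
    # $1 = spec file, $2 = engines.cnf.d dir, $3 = engine .so dir, $4 = output
    spec=$1; cnf_dir=$2; so_dir=$3; out=$4

    # Build into a temp file and move it into place, so a reader of the
    # list never sees a half-written file (and nothing accumulates across runs).
    printf '[engines]\n' > "$out.tmp"

    while read -r name enabled force; do
        [ -n "$name" ] || continue
        # Defensive: a name with anything outside [A-Za-z0-9_] could smuggle
        # a new section header or directive into the generated config.
        case $name in
            *[!A-Za-z0-9_]*) echo "skipping engine '$name': invalid name" >&2; continue ;;
        esac
        if [ "$enabled" != 1 ]; then
            echo "engine $name disabled" >&2
            continue
        fi
        # Enable only what can actually be loaded, unless forced; an entry
        # that fails to load stops OpenSSL from loading the engines after it.
        if [ -f "$cnf_dir/$name.cnf" ] || [ -f "$so_dir/$name.so" ] || [ "$force" = 1 ]; then
            echo "$name=$name" >> "$out.tmp"
            echo "enabling engine $name" >&2
        else
            echo "skipping engine $name: no $name.cnf or $name.so found" >&2
        fi
    done < "$spec"

    mv "$out.tmp" "$out"
}

# Stand-alone use: gen_engines_cnf SPEC CNF_DIR SO_DIR OUTPUT
if [ $# -eq 4 ]; then
    gen_engines_cnf "$@"
fi
```

On a device the result would be written to /var/etc/ssl/engines.cnf, and `openssl engine -c` shows which of the listed engines actually loaded, which is the quickest way to spot a skipped or failing entry.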
[PATCH 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 69616f01e8..238f7ecf02 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description 
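Review bot: the two added conffiles lines use `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,...)` and `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,...)`, testing the literal symbol name rather than `$(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO)`; the literal is never empty, so both .cnf paths are always listed regardless of the build configuration. The install hunk further down uses the `$(...)` form; match it here.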
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. 
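Review bot: the description hunks remove the "To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf" line without saying what replaces it; add a sentence that the engine is enabled by the package's postinst and disabled by its prerm so the description matches the new behaviour. The devcrypto description also loses its pointer to /etc/ssl/engines.cnf.d/devcrypto.cnf, which is still where the engine is tuned.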
See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), + $(CP) ./files/devcrypto.
[PATCH 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. All patches were refreshed. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 30 -- package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 17 files changed, 114 insertions(+), 123 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..69616f01e8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 
@@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install 
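Review bot: the libopenssl-conf install hunk copies ./files/engines.cnf into /etc/ssl/engines.cnf.d/, and the descriptions now tell users to edit that file to enable engines, but this commit does not add it to Package/libopenssl-conf/conffiles; opkg will overwrite the edited list on the next upgrade of libopenssl-conf.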
@@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./fi
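Review bot: the engine install hunks copy afalg.cnf and devcrypto.cnf into /etc/ssl/engines.cnf.d with INSTALL_DATA, and the devcrypto description invites editing devcrypto.cnf, yet neither engine package declares a conffiles section; an upgrade of libopenssl-devcrypto will silently reset the user's engine options.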
[PATCH 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed.

The series split is subject to discussion:

- the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list.
- the second implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed.

The first commit received basic testing on mvebu running master, covering afalg and devcrypto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters".
All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 42 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ .../libs/openssl/files/openssl-engines.init | 19 package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 20 files changed, 213 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/openssl-engines.init create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] package: openssl: Enable built engines per default
> >> How about if we create a uci default script and check on the running
> >> system what is installed?
> >> And then we could generate a file and add or remove an include line
> >> from
> >> the openssl.cnf [1]?
> >
> > I think we can manage something like that. The .include option can
> > load all files in a directory (/etc/ssl/engines.d/), and won't fail if
> > there aren't any files--the directory itself must exist. Each engine
> > package can install its own file there, and have a post-install script
> > that adds a line to an "engines.cnf" file if there isn't any:
> >
> > add_engine() {
> > # $1 = engine name (engine .so file without the .so extension)
> > grep -q "$1=$1" /etc/ssl/engines.d/engines.cnf && return
> > echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
> > }
> >
> > /etc/ssl/engines.d/engines.cnf would start out with just the [engines]
> > header and some comments explaining its use and warning not to edit
> > something that would break things.
> >
> > What do you think?
>
> The plan sounds good :+1:

Hi

I'm testing that proposal, and it's almost ready. I've expanded it to use uci to enable/disable the engines, but I'm still running tests to catch corner cases.

I am not able to test the padlock engine, but its usage should be like devcrypto. Afalg is more complicated if built into the library, because openssl does not initialize it like other builtin engines. There's no way to configure it for general use when built that way.

Cheers,
Eneas
Re: [PATCH] package: openssl: Enable built engines per default
On Fri, Apr 23, 2021 at 3:11 AM Florian Eckert wrote:
> How about if we create a uci default script and check on the running
> system what is installed?
> And then we could generate a file and add or remove an include line from
> the openssl.cnf [1]?

Hi Florian, Daniel

I think we can manage something like that. The .include option can load all files in a directory (/etc/ssl/engines.d/), and won't fail if there aren't any files--the directory itself must exist. Each engine package can install its own file there, and have a post-install script that adds a line to an "engines.cnf" file if there isn't any:

add_engine() {
# $1 = engine name (engine .so file without the .so extension)
grep -q "$1=$1" /etc/ssl/engines.d/engines.cnf && return
echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
}

/etc/ssl/engines.d/engines.cnf would start out with just the [engines] header and some comments explaining its use and warning not to edit something that would break things.

What do you think?

Cheers,
Eneas
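The add_engine() sketch in the message above, worked out as an added POSIX sh example that is neither Eneas's nor the project's code. It targets the engines.cnf layout proposed there ([engines] header, then one name=name line per engine) and adds the pieces a postinst/prerm pair needs: `grep -x -F` so the test is a whole fixed line rather than the unanchored `grep -q "$1=$1"`, which also accepts a longer line that merely contains the name; creation of the header when the file does not exist yet; a removal counterpart for prerm; and a name check so an engine package cannot smuggle other directives into the config. ENGINES_CNF defaults to the path from the message and can be overridden to exercise the functions on a scratch file.

```shell
#!/bin/sh
# Added example of an idempotent engines.cnf add/remove pair for the
# /etc/ssl/engines.d/engines.cnf layout proposed in the thread.
# ENGINES_CNF is overridable so the functions can run on a scratch file.

: "${ENGINES_CNF:=/etc/ssl/engines.d/engines.cnf}"

add_engine() {
    # $1 = engine name (engine .so file without the .so extension)
    # Only [A-Za-z0-9_] is accepted: anything else could start a new
    # section or directive in the generated config.
    case $1 in
        ''|*[!A-Za-z0-9_]*) echo "add_engine: bad engine name '$1'" >&2; return 1 ;;
    esac
    # First engine installed creates the file with its section header.
    if [ ! -f "$ENGINES_CNF" ]; then
        printf '[engines]\n' > "$ENGINES_CNF"
    fi
    # -x: whole line, -F: fixed string. No partial matches, no regex surprises.
    grep -qxF "$1=$1" "$ENGINES_CNF" && return 0
    echo "$1=$1" >> "$ENGINES_CNF"
}

remove_engine() {
    # Drop only the exact line for $1; a missing file or entry is not an error.
    [ -f "$ENGINES_CNF" ] || return 0
    grep -vxF "$1=$1" "$ENGINES_CNF" > "$ENGINES_CNF.tmp" || true
    mv "$ENGINES_CNF.tmp" "$ENGINES_CNF"
}

list_engines() {
    # Names currently enabled, one per line (only well-formed name=name lines).
    [ -f "$ENGINES_CNF" ] || return 0
    sed -n 's/^\([A-Za-z0-9_]*\)=\1$/\1/p' "$ENGINES_CNF"
}

# Stand-alone use: add|remove|list [NAME]
case ${1:-} in
    add)    add_engine "$2" ;;
    remove) remove_engine "$2" ;;
    list)   list_engines ;;
esac
```

A postinst would call `add_engine devcrypto` and a prerm `remove_engine devcrypto`; because both are idempotent, a reinstall or a repeated removal leaves the file unchanged, which is what opkg's `--force-reinstall` path needs.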
Re: [PATCH] package: openssl: Enable built engines per default
On Thu, Apr 22, 2021 at 3:55 AM Daniel Danzberger wrote: > > Automatically enable an engine in the openssl.cnf if it has been build. > Before this change, /etc/openssl.cnf had to be edited manually on the > system to enable the engine. > > +define Package/libopenssl-conf/enable > + $(if $(CONFIG_PACKAGE_libopenssl-$(2)),sed -i > s/^\#*$(2)=$(2)/$(2)=$(2)/ $(1)/etc/ssl/openssl.cnf) > +endef > define Package/libopenssl-conf/install > $(INSTALL_DIR) $(1)/etc/ssl > $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ > + $(call Package/libopenssl-conf/enable,$(1),devcrypto) > + $(call Package/libopenssl-conf/enable,$(1),afalg) > + $(call Package/libopenssl-conf/enable,$(1),padlock) Hi Daniel The problem with this is that it will enable the config for all engines in the bots configuration (all packages =m). OpenSSL will stop loading the engines past the point where one of them fails. It may do it silently, or it may show an error. If you run the `openssl engine` command (no flags or with -c), it will show the error; if you add the `-t` flag, the error message is gone. In either case, the engines configured after the first failed one will not load. Suppose that you install the afalg engine, but not devcrypto. When it loads the config file, devcrypto comes first, and openssl will fail to find it; then the afalg engine will not be loaded. I do like the idea, though. My first thought was to add an install script to the engine packages. The problem is that the config file may have been changed in a way that sed may produce unwanted results. It can be mitigated by configuring engines in a separate file, so only that file needs to be changed. It will have a nice effect, that a feed-installed engine can configure itself without needing a config section added to the openssl-conf package. Another option, which may be the easiest and safest, is to use your approach, but only uncomment the engines built into the firmware (=y), and not the ones built as modules. 
Cheers,
Eneas
Re: OpenWrt 21.02-rc1
On Tue, Apr 6, 2021 at 7:30 PM Hauke Mehrtens wrote: > > Hi, > > How do we want to go forward with OpenWrt 21.02-rc1? > > * I think the base system is ok. > * The http (original wolfssl) problem reported by jow is fixed > * LuCI in the 21.02 branch still misses DSA support, this was merged > into master some time ago as far as I understood. Hi I would suggest to have some commits cherry-picked to 21.02: 920eaab1d8 kernel: DSA roaming fix for Marvell mv88e6xxx af22991e03 build: make sure asm gets built with -DPIC I consider the first commit critical: without it clients get disconnected for 5 minutes when roaming from an affected AP (Omnia, WRT3200, among others) WLAN port to a LAN port (roaming between LAN-connected APs, for example). The second one is needed to build strongswan for x86_64 [1]. The support commits have already been pushed to the 21.02 branch of the packages feed. Eneas [1] https://downloads.openwrt.org/releases/faillogs-21.02/x86_64/packages/strongswan/compile.txt ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [RFC PATCH] openssl: make the patches QUILT-friendly
On Fri, Mar 26, 2021 at 7:35 PM Kevin 'ldir' Darbyshire-Bryant wrote: > > ... I was also frustrated that there was patch fuzz in the tree on a fairly > core package - that really shouldn’t be the case. My apologies. I work in a clone of the openssl git repo, rebasing the changes on top of the current version. I always look at the diffs before sending the patch to openwrt. If they were just line changes, I wouldn't bother to touch the patch, in order to minimize changes. I'll revise my approach and change the files no matter what. Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] openssl: don't rename a file with quilt
On Fri, Mar 26, 2021 at 6:57 PM Felix Fietkau wrote: > I fully agree with Eneas here (though I don't like his patch for this > issue either). This is the first time I wrote a patch I do NOT want to be applied. I just want to keep the status quo. > Here's a way to fix this: > > include/package-defaults.mk has this: > > define Build/Prepare/Default > $(PKG_UNPACK) > [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR) > $(Build/Patch) > endef However, this is run before the patches are even applied when QUILT=1. $(Build/Patch) just builds the quilt patch tree. A much simpler solution, if we are really going to change the patches, is to just $(CP) the file in Build/Configure. If we move it--no matter where--then we can't go back and forth with quilt push & pop, which would hinder its usefulness. > > You can adjust it to define this in the package Makefile: > > define Build/Prepare > $(PKG_UNPACK) > [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR) > mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c > $(PKG_BUILD_DIR)/engines/e_devcrypto.c > $(Build/Patch) > endef > > - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] openssl: don't rename a file with quilt
On Fri, Mar 26, 2021 at 4:28 PM Rosen Penev wrote: > > On Fri, Mar 26, 2021 at 5:55 AM Eneas U de Queiroz > wrote: > > > > On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev wrote: > > > +ifeq ($(QUILT),) > > > + mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c > > > $(PKG_BUILD_DIR)/engines/e_devcrypto.c > > > +endif > > > > This will break compilation with QUILT, as the rename will never > > happen then. You're using this strategy with other packages, so I > > won't mention them individually, but this applies to all. > > I would handle it at the patch level by removing the old file and > > creating the new one. > It doesn't break quilt as the rename happens separately. Note that the > patches were modified to refer to the old name. It breaks 'make package/openssl/compile QUILT=1', because the 'mv' command will never run when QUILT is not empty. You can't run the 'mv' line with quilt because the patches are not applied in Build/Prepare. However, you must ensure it is run later, or the package will not compile with QUILT=1. I can point you to openwrt/packages#14894 to see why you can't just skip running stuff when QUILT is defined. > > > > Alternatively, you can keep your strategy, adding the rename with > > QUILT in Build/Configure, with the caveat that it will run every time > > compile is called, so you'll need to ignore an eventual error, and > > make sure that the original file was not recreated somewhere in the > > build process by a previous compile run, which would clobber the > > patched file. > I haven't seen any issues. Locally I run make package/x/{clean,refresh} make package/openssl/compile V=sc QUILT=1 ... make[4]: *** No rule to make target 'engines/e_devcrypto.c', needed by 'engines/e_devcrypto.o'. Stop. BTW, I imagine you don't build with QUILT=1 much, do you? make -j4 package/openssl/compile make[2]: Entering directory '/home/equeiroz/src/openwrt/scripts/config' make[2]: 'conf' is up to date. 
make[2]: Leaving directory '/home/equeiroz/src/openwrt/scripts/config' make[1] package/openssl/compile make[2] -C package/libs/toolchain compile make[2] -C package/libs/zlib compile make[2] -C package/firmware/prism54-firmware compile make[2] -C package/firmware/linux-firmware compile make[2] -C package/kernel/linux compile make[2] -C package/kernel/cryptodev-linux compile make[2] -C package/libs/openssl compile make -j4 package/openssl/compile QUILT=1 make[2]: Entering directory '/home/equeiroz/src/openwrt/scripts/config' make[2]: 'conf' is up to date. make[2]: Leaving directory '/home/equeiroz/src/openwrt/scripts/config' make[1] package/openssl/compile make[2] -C package/libs/openssl compile It does not check dependencies every time you call compile. Try make package/seafile-server/compile for some fun. Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[RFC PATCH] openssl: make the patches QUILT-friendly
The patches in this package are all made by git format-patch. If one were to run 'make package/openssl/{refresh,update}', then things will not work as expected, because QUILT does not deal well with patches that rename files. For openssl, the problematic patch is 430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch. So, I've generated a new patch with 'git format-patch --no-renames', and then 'make package/openssl/{refresh,update}'.
Signed-off-by: Eneas U de Queiroz
---
While I really prefer to leave the git-formatted patches as they are, I know quilt is the preferred way of handling patches in OpenWRT, so I'm presenting this as RFC, so the core developers can decide.

ldir has made a similar commit e27ef2da0d, and then reverted it right away in bbb9c1c2be, and I don't know why.

neheb proposed a patch [1] that does the file renaming in Build/Prepare, so that it is easier to use quilt while refreshing patches after a package bump. It has an undesirable side-effect of not running the renaming portion at all when using QUILT, resulting in a build failure. Some packages in the packages feed are skipping build steps when running with QUILT, to speed up automatic refresh of patches, and I've been fixing them as I stumble upon some of the failures. At least to me, being able to quickly build with QUILT=1, without having to start from scratch and go through dependencies is an immensely useful feature that I would not trade for having tidier patches.

For this package, one could rename the files in Build/Configure when compiling with QUILT without a problem. So, if desired, it could be done neheb's way instead.

In my opinion, QUILT is not particularly useful for rebasing large changes, such as the engine patches here. So even if neheb's proposal has a nice intention, it is not appropriate for this package. If the motivation is just to run make package/openssl/{refresh,update}, perhaps automatically to keep patches tidy, then this patch will suffice.

Cheers,
Eneas

[1] https://patchwork.ozlabs.org/project/openwrt/patch/20210326092548.14019-1-ros...@gmail.com/

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..458b064f13 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index 98944103b5..2ae5938bdc 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -1,4 +1,4 @@ -From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 +From Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:29:21 -0300 Subject: Do not use host kernel version to disable AFALG @@ -8,11 +8,9 @@ version to disable building the AFALG engine on openwrt targets. Signed-off-by: Eneas U de Queiroz -diff --git a/Configure b/Configure -index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtra unless ($disabled{afalgeng}) { $config{afalgeng}=""; diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch b/package/libs/openssl/patches/110-openwrt_targets.patch index d0530b4661..50a9ebe2d6 100644 --- a/package/libs/openssl/patches/110-openwrt_targets.patch +++ b/package/libs/openssl/patches/110-openwrt_targets.patch @@ -1,4 +1,4 @@ -From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001 +From Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:30:24 -0300 Subject: Add openwrt targets @@ -7,9 +7,6 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt Signed-off-by: Eneas U de Queiroz -diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf -new file mode 100644 -index 00..86a86d31e4 --- /dev/null +++ b/Configurations/25-openwrt.conf @@ -0,0 +1,48 @@ 
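Review bot: the refreshed headers replace `From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001` with `From Mon Sep 17 00:00:00 2001` and drop the `diff --git` and `index` lines, so the patches no longer record which commit in the author's rebased openssl tree they came from; if this is taken, keep that commit id in the patch description so the next version bump can locate the branch to rebase.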
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch index 7faec9ab88..90282706d1 100644 --- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch +++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch @@ -1,4 +1,4 @@ -From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001 +From Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 27 Sep 2018 08:31:38 -0300 Subject: Avoid exposing build directories @@ -8,11 +8,9 @@ OpenS
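Review bot: the Makefile hunk bumps PKG_RELEASE from 1 to 2, yet every other hunk in this patch only rewrites patch headers (the `From <hash>` line, the `diff --git`/`index` lines and trimmed hunk context), which leaves the built library byte-identical; the release bump forces a rebuild and repackage for no functional change and could be dropped.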
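Review bot: in the 100-Configure-afalg-support.patch, 110-openwrt_targets.patch and 120-strip-cflags-from-binary.patch hunks the first line becomes `From Mon Sep 17 00:00:00 2001`, a `From` line with no commit id, and the `diff --git`/`index` lines go away too, so the patch files no longer record which commit they were exported from; if the ids must go so quilt can refresh them, keep the source commit reference in the Subject or body of each patch so the next bump can still find it.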
[PATCH] openssl: bump to 1.1.1k
This version fixes 2 security vulnerabilities, among other changes:
- CVE-2021-3450: problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag.
- CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client.

Signed-off-by: Eneas U de Queiroz
---
This was run-tested on WRT3200ACM (mvebu, armv7), using nginx, and openssl util to encrypt & decrypt some files using software and the devcrypto engine, since there have been some changes in the engine, related to BSD compatibility, when opening the /dev/crypto device.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 436abfd94c..7ab4c6ccd0 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=j +PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf +PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch index 71dc5bf99b..ea3f8fb8a7 100644 --- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch @@ -116,7 +116,7 @@
diff --git a/crypto/engine/eng_devcrypto.c b/engines/e_devcrypto.c similarity index 95% rename from crypto/engine/eng_devcrypto.c rename to engines/e_devcrypto.c -index 0d420e50aa..3fcd81de7a 100644 +index 2c1b52d572..eff1ed3a7d 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/engines/e_devcrypto.c @@ -7,7 +7,7 @@ @@ -152,22 +152,6 @@ index 0d420e50aa..3fcd81de7a 100644 /* * cipher/digest status & acceleration definitions -@@ -341,6 +343,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) - struct cipher_ctx *to_cipher_ctx; - - switch (type) { -+ - case EVP_CTRL_COPY: - if (cipher_ctx == NULL) - return 1; -@@ -702,7 +705,6 @@ static int digest_init(EVP_MD_CTX *ctx) - SYSerr(SYS_F_IOCTL, errno); - return 0; - } -- - return 1; - } - @@ -1058,7 +1060,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = { OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) @@ -177,7 +161,7 @@ index 0d420e50aa..3fcd81de7a 100644 ENGINE_CMD_FLAG_NUMERIC}, #endif -@@ -1166,55 +1168,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) +@@ -1166,32 +1168,22 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) * */ @@ -201,10 +185,12 @@ index 0d420e50aa..3fcd81de7a 100644 +static int open_devcrypto(void) { -ENGINE *e = NULL; + int fd; + +if (cfd >= 0) +return 1; - - if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) { ++ + if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { #ifndef ENGINE_DEVCRYPTO_DEBUG if (errno != ENOENT) #endif @@ -213,6 +199,19 @@ index 0d420e50aa..3fcd81de7a 100644 +return 0; } + #ifdef CRIOGET +@@ -1199,35 +1191,61 @@ void engine_load_devcrypto_int() + fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); + close(fd); + cfd = -1; +-return; ++return 0; + } + close(fd); + #else + cfd = fd; + #endif + -if ((e = ENGINE_new()) == NULL -|| !ENGINE_set_destroy_function(e, devcrypto_unload)) { -ENGINE_free(e); 
@@ -278,7 +277,7 @@ index 0d420e50aa..3fcd81de7a 100644 /* * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD * implementations, it seems to only exist in FreeBSD, and regarding the -@@ -1237,23 +1254,36 @@ void engine_load_devcrypto_int() +@@ -1250,23 +1268,36 @@ void engine_load_devcrypto_int() */ #if 0 # ifndef OPENSSL_NO_RSA @@ -324,7 +323,7 @@ index 0d420e50aa..3fcd81de7a 100644 ENGINE_free(e); return; } -@@ -1262,3 +1292,22 @@ void engine_load_devcrypto_int() +@@ -1275,3 +1306,22 @@ void engine_load_devcrypto_int() ENGINE_free(e); /* Loose our local reference */ ERR_clear_error(); } ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
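Review bot: the Makefile hunk swaps PKG_HASH for 892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 while PKG_SOURCE_URL still lists the ftp://ftp.pca.dfn.de mirrors first; ftp delivers the tarball unauthenticated, so the new hash should be checked against the value openssl.org publishes for openssl-1.1.1k.tar.gz rather than against whatever the mirror served. Resetting PKG_RELEASE to 1 on the version bump is as expected.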
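Review bot: the refreshed hunks of 430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch do more than shift line numbers: the `@@ -341` and `@@ -702` whitespace-only hunks are dropped, open_devcrypto() now opens into a local `int fd` instead of straight into `cfd`, and the new `@@ -1199,35 +1191,61 @@` hunk turns the CRIOGET failure path's `return;` into `return 0;` so the int-returning open_devcrypto() reports failure, with `cfd = fd;` in the non-CRIOGET branch. That is consistent with the early `if (cfd >= 0) return 1;` check, but the commit message only hints at it with 'some changes in the engine, related to BSD compatibility'; one sentence saying the patch was re-based onto upstream's reworked /dev/crypto fd handling would save the next bump a diff.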
Re: [PATCH] openssl: don't rename a file with quilt
Hi Rosen

This patch does not apply as is, but don't write a v2 yet. I'm testing the bump to 1.1.1k, and I'll handle it from there, by using --no-renames with git format-patch. I'm maintaining the patches at https://github.com/cotequeiroz/openssl, and refreshing backports with git is much easier than with quilt.

See comments below, as your patchset breaks compilation with QUILT.

On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev wrote:
>
> quilt cannot handle file renames and ends up duplicating the file.
> Instead of doing that, handle the renaming in the Makefile so that
> the upstream file can change.
>
> Signed-off-by: Rosen Penev
> ---
> package/libs/openssl/Makefile |7 +
> ...o-make-the-dev-crypto-engine-dynamic.patch | 2633 +
> ...default-to-not-use-digests-in-engine.patch |4 +-
> ...to-ignore-error-when-closing-session.patch |4 +-
> 4 files changed, 151 insertions(+), 2497 deletions(-)
>
> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
> index 436abfd94c..f3113cab6e 100644
> --- a/package/libs/openssl/Makefile
> +++ b/package/libs/openssl/Makefile
> @@ -324,6 +324,13 @@ OPENSSL_TARGET:=linux-$(call > qstrip,$(CONFIG_ARCH))-openwrt > > STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | > mkhash md5) > > +define Build/Prepare > + $(call Build/Prepare/Default) > +ifeq ($(QUILT),) > + mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c > $(PKG_BUILD_DIR)/engines/e_devcrypto.c > +endif

This will break compilation with QUILT, as the rename will never happen then. You're using this strategy with other packages, so I won't mention them individually, but this applies to all.

I would handle it at the patch level by removing the old file and creating the new one. Alternatively, you can keep your strategy, adding the rename with QUILT in Build/Configure, with the caveat that it will run every time compile is called, so you'll need to ignore an eventual error, and make sure that the original file was not recreated somewhere in the build process by a previous compile run, which would clobber the patched file.

Cheers
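Review bot: the `ifeq ($(QUILT),)` guard around the `mv` means that with QUILT=1 Build/Prepare leaves crypto/engine/eng_devcrypto.c where it is and never creates engines/e_devcrypto.c, so the patches that now target engines/e_devcrypto.c (the 2633-line rework of the 430 patch in the diffstat) cannot apply and the QUILT build fails. Either drop the guard so the rename happens in both modes, or express the move inside the patch as a delete of the old path plus a create of the new one, which quilt handles; the mv cannot be left conditional on QUILT while the patches assume it ran.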
Re: [PATCH] gmp: compile with -DPIC to use correct asm code
On Fri, Mar 19, 2021 at 5:08 PM Philip Prindeville wrote:
>
>
> Maybe I'm missing something, but why not just fix rules.mk:
>
>
> ifneq (,$(findstring $(ARCH) , aarch64 aarch64_be powerpc ))
> FPIC:=-fPIC
> else
> FPIC:=-fpic
> endif
>
> HOST_FPIC:=-fPIC
>
>
> To have the FPIC and HOST_FPIC definitions include -DPIC?

I think it would be the proper way to handle this. I was initially fearful of changing too much and breaking things, but I think it should be expected behaviour. What else would you use a 'PIC' definition for? I will resend a patch changing rules.mk instead.
[PATCH] gmp: compile with -DPIC to use correct asm code
The library is always compiled with $(FPIC) (-fPIC or -fpic), even for the static library. There are some assembly sources that decide whether or not to enable PIC code by checking if PIC is defined. It counts on libtool to define it, but libtool does it only when producing code for the dynamic library, while we need it for both.

Ensure it is defined by adding it to CFLAGS next to $(FPIC).

It avoids linking errors with strongswan on x86_64:
ld: libgmp.a(bdiv_q_1.o): relocation R_X86_64_PC32 against symbol `__gmp_binvert_limb_table' can not be used when making a shared object; recompile with -fPIC

Cc: Stijn Tintel
Signed-off-by: Eneas U de Queiroz
---
There's an error on one architecture, and all others work fine without this, so I'm uneasy changing this and then breaking stuff that was working fine otherwise. However, it feels wrong to me to generate PIC code from C files, but not use it in asm sources, which is essentially what I am changing here.

I've looked at asm sources for different architectures, and there are checks for PIC in: arm64, arm, x86_64, x86, and ppc asm sources, but the error only appears on x86_64. For most CPUs, ifdef(`PIC'), is just used to do different definitions of LEA (Load Effective Address). However, both x86 and x86_64 have many other checks. I've looked at bdiv_q_1.asm for different CPUs, and they all do some form of LEA(binvert_limb_table), except for x86, where it will do it only when PIC is defined. That may explain why x86_64 is affected, and x86 is not. I have not investigated further details.

Alternatively, we can define it only for x86_64, which is where we know there's a build failure with the linker asking to recompile with -fPIC.

package/libs/gmp/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libs/gmp/Makefile b/package/libs/gmp/Makefile index eb7d808139..d59e8fe947 100644 --- a/package/libs/gmp/Makefile +++ b/package/libs/gmp/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gmp PKG_VERSION:=6.2.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)$(PKG_REVISION).tar.xz PKG_SOURCE_URL:=@GNU/gmp/ @@ -38,7 +38,7 @@ define Package/libgmp/description signed integers, rational numbers, and floating point numbers. endef -TARGET_CFLAGS += $(FPIC) +TARGET_CFLAGS += -DPIC $(FPIC) CONFIGURE_VARS += CC="$(TARGET_CROSS)gcc" CONFIGURE_ARGS += \ --enable-shared \
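Review bot: `TARGET_CFLAGS += -DPIC $(FPIC)` only repairs the C/asm mismatch for gmp; the root cause described in the message (C always compiled with $(FPIC), asm choosing its sequence on `ifdef(`PIC')`, libtool defining PIC only for the shared build) applies to any package carrying PIC-sensitive assembly, so defining PIC next to FPIC and HOST_FPIC in rules.mk, as proposed in the thread, covers them all in one place. For the shared object libtool already passes -DPIC, so the flag is redundant there and matters only for libgmp.a; the commit message would be clearer if it said the static archive is the target, which also answers the 'only x86_64 shows it' worry: the other arches' asm just happens to emit the same code either way.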
[PATCH] wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well.

Three patches are no longer needed, and were removed; the one remaining was refreshed.

Signed-off-by: Eneas U de Queiroz
---
This was run-tested with master on mvebu using uhttpd and hostapd, and should be cherry-picked to 21.02, and 19.07. It was compile-tested with 21.02 and 19.07.
---
package/libs/wolfssl/Makefile | 6 +-
.../wolfssl/patches/010-CVE-2021-3336.patch | 53 ---
.../patches/100-disable-hardening-check.patch | 2 +-
...Fix-linking-against-hostapd-with-LTO.patch | 25 -
.../patches/120-enable-secret-callback.patch | 10
5 files changed, 4 insertions(+), 92 deletions(-)
delete mode 100644 package/libs/wolfssl/patches/010-CVE-2021-3336.patch
delete mode 100644 package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
delete mode 100644 package/libs/wolfssl/patches/120-enable-secret-callback.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 846351f06d..53cd932d1f 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.6.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.7.0-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848 +PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch deleted file mode 100644 index abb9bfdd9b..00 --- a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch +++ /dev/null
@@ -1,53 +0,0 @@ -From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001 -From: Sean Parkinson -Date: Thu, 21 Jan 2021 08:24:38 +1000 -Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify - - src/tls13.c | 18 +- - 1 file changed, 13 insertions(+), 5 deletions(-) - a/src/tls13.c -+++ b/src/tls13.c -@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF - #ifdef HAVE_ED25519 - if (args->sigAlgo == ed25519_sa_algo && - !ssl->peerEd25519KeyPresent) { --WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify"); -+WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert"); -+ret = SIG_VERIFY_E; -+goto exit_dcv; - } - #endif - #ifdef HAVE_ED448 - if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) { --WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify"); -+WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert"); -+ret = SIG_VERIFY_E; -+goto exit_dcv; - } - #endif - #ifdef HAVE_ECC - if (args->sigAlgo == ecc_dsa_sa_algo && - !ssl->peerEccDsaKeyPresent) { --WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); -+WOLFSSL_MSG("Peer sent ECC sig but not ECC cert"); -+ret = SIG_VERIFY_E; -+goto exit_dcv; - } - #endif - #ifndef NO_RSA - if (args->sigAlgo == rsa_sa_algo) { --WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature"); -+WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate"); - ERROR_OUT(INVALID_PARAMETER, exit_dcv); - } - if (args->sigAlgo == rsa_pss_sa_algo && - (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) { --WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); -+WOLFSSL_MSG("Peer sent RSA sig but not RSA cert"); -+ret = SIG_VERIFY_E; -+goto exit_dcv; - } - #endif - diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index c2793285e7..c89ff1be9d 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
@@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ; +@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for
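Review bot: deleting 010-CVE-2021-3336.patch is only safe if the 4.7.0 tarball contains upstream commit fad1e67677bf7797b6bd6e1f21a513c289d963a7 ("TLS 1.3: ensure key for signature in CertificateVerify"), and the commit message says only that the CVE 'has already been applied here', which reads as if the fix were still local; state plainly that 4.7.0 ships the fix and the backport is therefore dropped, since that is what whoever cherry-picks this to 21.02 and 19.07 will need to confirm. The 100-disable-hardening-check.patch hunk is a pure line-offset refresh (`-@@ -2248,7 +2248,7 @@` to `+@@ -2255,7 +2255,7 @@`) and needs no further comment.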
[PATCH] openssl: always build with GOST engine support
The packages feed has a proposed package for a GOST engine, which needs support from the main openssl library. It is a default option in OpenSSL. All that needs to be done here is to not disable it. Package increases by a net 1-byte, so it is not really worth keeping this optional.

This commit also includes a commented-out example engine configuration in openssl.cnf, as it is done for other available engines.

Signed-off-by: Eneas U de Queiroz
---
Run tested in WRT3200ACM (mvebu), with and without gost-engine 1.1.0.3.
GOST engine PR: https://github.com/openwrt/packages/pull/14765

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index d1281ec6fa..bc2f0584b6 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC initiate crypto operations asynchronously. In order to work this will require the presence of an async capable engine. -config OPENSSL_WITH_GOST - bool - prompt "Prepare library for GOST engine" - depends on OPENSSL_ENGINE - help - This option prepares the library to accept engine support - for Russian GOST crypto algorithms. - The gost engine is not included in standard openwrt feeds. - To build such engine yourself, see: - https://github.com/gost-engine/engine - endif diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 4fb4cb2784..378545ac43 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=j PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -50,7 +50,6 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_DTLS \ CONFIG_OPENSSL_WITH_EC2M \ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ - CONFIG_OPENSSL_WITH_GOST \ CONFIG_OPENSSL_WITH_IDEA \ CONFIG_OPENSSL_WITH_MDC2 \ CONFIG_OPENSSL_WITH_NPN \
@@ -287,10 +286,6 @@ else OPENSSL_OPTIONS += no-engine endif -ifndef CONFIG_OPENSSL_WITH_GOST - OPENSSL_OPTIONS += no-gost -endif - ifndef CONFIG_OPENSSL_WITH_DTLS OPENSSL_OPTIONS += no-dtls endif diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index 81d41963c6..c90fce2442 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -1,6 +1,6 @@ --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,82 @@ oid_section = new_oids +@@ -22,6 +22,99 @@ oid_section = new_oids # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -14,6 +14,7 @@ +#devcrypto=devcrypto +#afalg=afalg +#padlock=padlock ++##gost=gost + +[afalg] +# Leave this alone and configure algorithms with CIPERS/DIGESTS below @@ -79,6 +80,22 @@ + +[padlock] +default_algorithms = ALL ++ ++[gost] ++default_algorithms = ALL ++# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the ++# user to choose between different parameter sets of symmetric cipher ++# algorithm. RFC 4357 specifies several parameters for the ++# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface ++# to choose one when encrypting. So use engine configuration parameter ++# instead. ++# Value of this parameter can be either short name, defined in OpenSSL ++# obj_dat.h header file or numeric representation of OID, defined in ++# RFC 4357. Defaults to id-tc26-gost-28147-param-Z ++#CRYPT_PARAMS = id-tc26-gost-28147-param-Z ++ ++# PBE_PARAMS: Shortname of default digest alg for PBE ++#PBE_PARAMS = + [ new_oids ]
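Review bot: in the 150-openssl.cnf-add-engines-conf.patch hunk the new engine line is added as `##gost=gost`, with a doubled `#`, while its neighbours read `#devcrypto=devcrypto`, `#afalg=afalg` and `#padlock=padlock`; unless the second `#` is an extraction artifact, drop it so the commented example uncomments the same way as the others. In the `[gost]` section `#PBE_PARAMS = ` is left with no value, so the example does not show what a valid setting looks like (the CRYPT_PARAMS line above it does), and the comment 'GOST 28147-89 parameters It allows the' is missing a full stop after 'parameters'.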
[PATCH] openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs:
- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support SSLv2, but the affected functions still exist. Considered just a bug.
- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative.
- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.
- Fixed SRP_Calc_client_key so that it runs in constant time. This could be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz
---
This was run-tested on a WRT3200ACM (mvebu), using nginx, and wpad, and openssl-util.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 714ce2059a..4fb4cb2784 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=i +PKG_BUGFIX:=j PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242 +PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE
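Review bot: the commit message cites CVE-2021-2839, CVE-2021-2840 and CVE-2021-2841 and itself says the three are 'awaiting analysis'; the identifiers should be re-checked against the OpenSSL 1.1.1j advisory before this is merged or cherry-picked, because the commit message is what downstream users will search for when matching their build to an advisory. The Makefile hunks themselves (PKG_BUGFIX i to j, PKG_HASH replaced, PKG_RELEASE left at 1, sources still fetched over ftp:// and http:// so the hash is the only integrity check) are what a version bump should look like.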
Re: [PATCH] kernel: DSA roaming fix for Marvell Link Street switch series
On Tue, Feb 2, 2021 at 6:15 AM DENG Qingfang wrote:
>
> Marvell Link Street switch series cannot perform MAC learning from
> CPU-injected (FROM_CPU) DSA frames, which results in 2 issues.
> - excessive flooding, due to the fact that DSA treats those addresses
> as unknown
> - the risk of stale routes, which can lead to temporary packet loss
>
> Backport those patch series from netdev mailing list, which solve these
> issues by adding and clearing static entries to the switch's FDB.
>
> Add a hack patch to set default VID to 1 in port_fdb_{add,del}. Otherwise
> the static entries will be added to the switch's private FDB if VLAN
> filtering disabled, which will not work.
>
> Link:
> https://lore.kernel.org/netdev/20210106095136.224739-1-olte...@gmail.com/
> Link:
> https://lore.kernel.org/netdev/20210116012515.3152-1-tob...@waldekranz.com/
> Link: https://lore.kernel.org/netdev/20210130134334.10243-1-dqf...@gmail.com/
> Ref: https://gitlab.nic.cz/turris/turris-build/-/issues/165
> Signed-off-by: DENG Qingfang

Tested-by: Eneas U de Queiroz

I have tested this using WRT3200ACM, and it solves the problem of clients not able to roam from one AP to another--my APs are wired, not using WDS. Clients would not be able to communicate for 300s after roaming from one AP to another. I consider this a critical bug, so a fix must be included before 2021.02 branches.

I have applied the patch to 3 APs, and have been using them for days without any real issue--I'm not considering the 'ATU member violation' messages reported earlier an issue, as they do appear to be harmless.

Cheers,
Eneas
Re: Deprecate snort in favor of snort3
On Sun, Jan 31, 2021 at 3:45 PM W. Michael Petullo wrote:
>
> OpenWrt provides two snort packages: snort and snort3. Now that snort3 is
> out of beta, I would like to consider deprecating the snort package. One
> difficulty of maintaining both packages is that a different version of
> the libdaq package is required for each. The two versions cannot coexist,
> and this makes build-server builds fail.
>
> I do not know how popular the snort package is. I use snort3.
>
> Is dropping snort advisable? If so, what is the procedure?
>
> --
> Mike

I was about to open a PR to have each version of libdaq installed into its own directory, which would take care of the build failure. However, I think removing the snort3 package, then bumping the stable snort to the latest version is the best way to go. I would not leave the version number as part of the package name.

If you want to keep this status quo a little longer, tell me and I'll open the PR.

BTW, I don't use the packages, I was just going to fix the build failure.

Cheers,
Eneas
Re: [PATCH] base-files: sysupgrade: store status of system-services
+1

I agree 100% with Adrian on this one. Enable by default, add option to disable.

Disabled services are, intuitively, part of the configuration being saved. So, it should not be saved when '-n' is given. I may be stretching things a bit, but I would consider this a fix, not a feature change ;-).

Cheers,
Eneas

On Mon, Jan 11, 2021 at 9:48 AM Adrian Schmutzler wrote:
>
> > There are just 2 people (me, Andrew Heider) that would like to see saving
> > service status done by default when sysupgrading, and other 2 people that
> > would like it in its own setting option (Stjin Segers and Paul Spooren).
>
> +1 for saving service status by default. This has always annoyed me when
> working with "default" images and actually for me it was expected behavior
> until I found out it is not happening.
> This is a very relevant behavior/feature affecting many of our "standard"
> users, e.g. when using OpenWrt for "Dump AP" setups where you disable DHCP
> etc. I'm sure a two-digit percentage of users setting up their device like
> that won't even be aware that they suddenly have a DHCP running again after
> upgrade.
>
> Of course, if adding an option to _disable_ is fairly easy, we should do so.
>
> Best
>
> Adrian
[PATCH] wolfssl: Update to v4.6.0-stable
This version fixes a large number of bugs, although no security vulnerabilities are listed. Full changelog at:
https://www.wolfssl.com/docs/wolfssl-changelog/
or, as part of the version's README.md:
https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md

Due to a number of API additions, size increases from 374.7K to 408.8K for arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version.

Backported patches were removed; remaining patch was refreshed.

Signed-off-by: Eneas U de Queiroz
---
Run-tested on a Linksys WRT3200ACM (arm) with uhttpd, uclient-fetch, and wpad-wolfssl.

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 6758f7dd08..dcc6aca40c 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.5.0-stable -PKG_RELEASE:=5 +PKG_VERSION:=4.6.0-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c +PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848 PKG_FIXUP:=libtool PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 43337ba970..c2793285e7 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ; +@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch deleted file mode 100644 index 3838865559..00 --- a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001 -From: Tesfa Mael -Date: Wed, 26 Aug 2020 10:13:06 -0700 -Subject: [PATCH] Make ByteReverseWords available for big and little endian - - wolfcrypt/src/misc.c | 2 -- - 1 file changed, 2 deletions(-) - a/wolfcrypt/src/misc.c -+++ b/wolfcrypt/src/misc.c -@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo - return rotlFixed(value, 16U); - #endif - } --#if defined(LITTLE_ENDIAN_ORDER) - /* This routine performs a byte swap of words array of a given count. */ - WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, - word32 byteCount) -@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord - out[i] = ByteReverseWord32(in[i]); - - } --#endif /* LITTLE_ENDIAN_ORDER */ - - #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS) - diff --git a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch deleted file mode 100644 index aaf14e46d9..00 --- a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001 -From: Eric Blankenhorn -Date: Fri, 17 Jul 2020 08:37:02 -0500 -Subject: [PATCH] Fix CheckHostName matching - - src/internal.c | 18 -- - src/ssl.c | 5 + - tests/api.c| 30 ++ - 3 files changed, 47 insertions(+), 6 deletions(-) - -diff --git a/src/internal.c b/src/internal.c -index dc57df0242..cda815d875 100644 a/src/internal.c -+++ b/src/internal.c -@@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) - altName = dCert->altNames; - - if (checkCN != NULL) { --*checkCN = altName == NULL; -+*checkCN = (altName == NULL) ? 1 : 0; - } - - while (altName) { -@@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) - int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen) - { - int checkCN; -+int ret = DOMAIN_NAME_MISMATCH; - - /* Assume name is NUL terminated. */ - (void)domainNameLen; - - if (CheckForAltNames(dCert, domainName, ) != 1) { --WOLFSSL_MSG("DomainName match on alt names failed too"); --return DOMAIN_NAME_MISMATCH; -+WOLFSSL_MSG("DomainName match on alt names failed"); - } -+else { -+ret = 0; -+} -+ - if (checkCN == 1) { - if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, --domainName) == 0) { -+doma
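Review bot: the deleted 200-fix-checkhostname-matching.patch is quoted here with `CheckForAltNames(dCert, domainName, ) != 1`, a call with an empty third argument where the surrounding code passes `checkCN` by address; that is almost certainly an `&` lost in extraction rather than the file's real content, but since this patch and 110-fix-build-on-big-endian.patch are removed rather than refreshed, the commit message should say that 4.6.0 contains upstream ea5c290d605b (CheckHostName matching) and b90acc91d0cd (ByteReverseWords on big endian), instead of only 'Backported patches were removed', so the reviewer can verify the two backports are really redundant. The 100-disable-hardening-check.patch hunk is a line-offset refresh only.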
[PATCH] openssl: update to 1.1.1i
Fixes: CVE-2020-1971, defined as high severity, summarized as: NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS attack.

Signed-off-by: Eneas U de Queiroz
---
This was run-tested in a WRT-3200ACM

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 77c6d41cec..714ce2059a 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=h +PKG_BUGFIX:=i PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9 +PKG_HASH:=e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE
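Review bot: the Makefile hunk is a straight version and hash bump (PKG_BUGFIX h to i, PKG_RELEASE reset to 1, PKG_HASH replaced), which is fine; what the patch lacks is a test note with any substance. 'This was run-tested in a WRT-3200ACM' says nothing about which consumers of libopenssl were exercised, and since the fix is in GENERAL_NAME_cmp, which is reached through certificate and CRL verification, at least one TLS client or server run against a real chain should be listed, the way the later bumps list nginx and wpad.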
Re: [PATCH ustream] ustream-openssl: fix bio memory leak
Hi Petr

On Thu, Dec 10, 2020 at 12:57 PM Petr Štetiar wrote:
> > After tackling BIO_free, my suggestion would be to determine where the
> > method table variable should go, and where to call BIO_meth_new and
> > BIO_meth_free. I would add it to a defined struct
> > ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and
>
> IIRC I've tried that approach already (this WIP solution is like 3rd
> iteration), but that struct is opaque.

I meant the ustream_ssl_ctx structure, which is an ustream internal structure. For openssl, we're just using a straight cast to the openssl's SSL_CTX struct, so that's why it is opaque, while for mbedtls, it is a defined struct. What I meant was to actually define a ustream_ssl_ctx structure for openssl, just as ustream-mbedtls does, with the BIO_methods and the SSL_CTX as members.

> > would create and free the object in __ustream_ssl_context_new and
> > __ustream_ssl_context_free, which would give it a possibly larger
> > lifetime than the ssl_session or the BIO object.
>
> AFAIK that's exactly what I'm doing in my current solution.

You're doing it at the SSL struct. You can have multiple SSL structs under the same SSL_CTX struct. In a server, for example, you will have one SSL_CTX object, which accepts connections, creating a new SSL structure for each connection. You know I'm just madly fighting for every CPU cycle of performance optimization I can get. ;-)

If you look at it from an organization and tidiness POV, you can argue that the BIO methods structure should be placed along with the BIO, which is with the SSL structure. I'll let you pick your side.

> > We should coordinate efforts. You're the boss, so tell me what you want me
> > to do, if anything.
>
> I didn't want to sound like the boss and I apologize if that was the case,
> sorry.

I apologize for the bad choice of words.
Someone has to take the lead, and that was a rather ill-fated attempt to make it clear that I would follow your lead, and had nothing to do with your tone or anything you had done. > I've just send out some patches for uclient/ustream-ssl, so I would be > grateful if you could review and test those changes on your device(s), ideally > on all three SSL libs and client/server setup. Thanks! I'll do that over the weekend. I'm updating openssl to 1.1.1i, which fixes high severity CVE-2020-1971. I haven't sent it yet because I want to test it first, and I'm low on testing resources right now. I'll probably test openssl tonight, then tackle ustream-ssl. Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH ustream] ustream-openssl: fix bio memory leak
Hi Petr

On Wed, Dec 9, 2020 at 6:59 PM Petr Štetiar wrote:
> > Eneas U de Queiroz [2020-12-09 14:39:06]:
>
> Hi,
>
> > So the answer to your question is because you only allocate the table if
> > methods_ustream is NULL, and it will point to the created table then.
>
> I was referencing the missing freeing of allocated resources.
>
> > We could free it in s_ustream_free, but only to have to create it again
> > with the same data the next time ustream_bio_new is called. I wouldn't do
> > it, but if you'd rather, I can add it in a v2.
>
> Is this micro-optimization worth it? You're adding a global variable in the
> library, you're breaking the API layer etc. I'm not supposed to study how it is
> implemented _now_, because it will likely change with the next release (either
> OpenSSL or wolfSSL) and it might be a source of regressions. The API boundary is
> given so I'm just trying to use it as designed and as seen in the
> docs/examples/tests etc. And there is always a new/free combo.

The purpose of the BIO_METHOD struct is to hold a table of methods for a BIO object to use. In our case, it remains constant for the lifetime of the process. So, the maximum usable lifetime of methods_ustream is up to the lifetime of the program--it does not mean that we can't set a shorter lifetime. In an ideal world, we would free the resource when the library is cleaned up/deinitialized, but we don't have a function for that. So a possible lifetime we can use is the lifetime of the BIO object using it.

One thing we need to be aware of is use after free. We pass the pointer to BIO_new, and we must be sure that openssl will not access that memory after we free it. This would be after we call BIO_free. The thing is, we aren't making that call, so we are leaking that resource as well. That one can't have the lifetime of the program; its lifetime is no larger than the underlying SSL connection, apparently. So we need to take care of that first.

After tackling BIO_free, my suggestion would be to determine where the method table variable should go, and where to call BIO_meth_new and BIO_meth_free. I would add it to a defined struct ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and would create and free the object in __ustream_ssl_context_new and __ustream_ssl_context_free, which would give it a possibly larger lifetime than the ssl_session or the BIO object.

> > As for the WIP, you're perhaps doing too much work.

I was corrected by my own previous point.

> I'm spending time on this mainly because of FS#3465, perhaps mbedTLS has
> similar issues[1]. In the end I would like to have uclient/ustream-ssl CI
> tested (all 3 SSL libs combinations), with static analyzers, various
> sanitizers and Valgrind. So I have to fix all the issues those tools expose.
>
> Maybe it's too much work, but given the constraints (no globals, follow API),
> it's currently the simplest working solution, but not fully tested yet.
>
> BTW I'm not discouraging you from v2, I've rejected the v1 patch, because it
> doesn't fix the memory leak as advertised in the subject :-)

Thanks! We should coordinate efforts. You're the boss, so tell me what you want me to do, if anything.

Cheers,

Eneas
Re: [PATCH ustream] ustream-openssl: fix bio memory leak
On Wed, Dec 9, 2020 at 1:58 PM Daniel Golle wrote:
> On Wed, Dec 09, 2020 at 05:44:48PM +0100, Petr Štetiar wrote:
> > Eneas U de Queiroz [2020-12-09 13:06:45]:
> >
> > Hi,
> >
> > > Using the patch by Pan Chen as inspiration, this avoids a memory leak by
> > > using a global BIO_METHOD pointer that doesn't ordinarily need to be
> > > freed.
> >
> > this sounds weird, how is a global pointer avoiding memory leaks? :-)
>
> Well, it moves it from "definitely lost" to "still reachable" when
> looking at it with valgrind. We will still have to free it as well,
> and that could be done just like in the original patch.

See my reply to Petr. I'm not sure if valgrind will be completely pleased with my approach. I'm not an expert with valgrind, but it seems to not like that I left it in the heap to be cleaned up by the process end, but that is my intention. As long as I am not allocating memory again--it will only be created when methods_ustream is NULL, which is when it is initialized, and there's nowhere else in code that touches it.

Note the const in the definition of:

    BIO * BIO_new(const BIO_METHOD *type);

Cheers,

Eneas
Re: [PATCH ustream] ustream-openssl: fix bio memory leak
On Wed, Dec 9, 2020 at 1:45 PM Petr Štetiar wrote:
> Eneas U de Queiroz [2020-12-09 13:06:45]:
>
> Hi,
>
> > Using the patch by Pan Chen as inspiration, this avoids a memory leak by
> > using a global BIO_METHOD pointer that doesn't ordinarily need to be
> > freed.
>
> this sounds weird, how is a global pointer avoiding memory leaks? :-)

BIO_METHOD was made opaque by openssl 1.1.0. It's just a table of methods, and it does change. Before that, one would just fill the struct without having to make any calls. I am the one responsible for introducing the bug in 34b0b80 [ustream-ssl: add openssl-1.1.0 compatibility]. The old, openssl 1.0 code was just:

    static BIO_METHOD methods_ustream = {
        100 | BIO_TYPE_SOURCE_SINK,
        "ustream",
        s_ustream_write,
        s_ustream_read,
        s_ustream_puts,
        s_ustream_gets,
        s_ustream_ctrl,
        s_ustream_new,
        s_ustream_free,
        NULL,
    };

So the answer to your question is because you only allocate the table if methods_ustream is NULL, and it will point to the created table then. The table won't change during the lifetime of the process, and will get freed only when the process ends. We could free it in s_ustream_free, but only to have to create it again with the same data the next time ustream_bio_new is called. I wouldn't do it, but if you'd rather, I can add it in a v2.

> > CC: Pan Chen
> >
> > Signed-off-by: Eneas U de Queiroz
> >
> > ---
> > Run-tested with a WRT-3200ACM, running uclient_fetch and uhttpd.
> > I have not run it with valgrind or any other debugger.
>
> how do you otherwise verify the correctness? :-) FYI this is my work in
> progress[1].
>
> 1. https://gitlab.com/ynezz/openwrt-ustream-ssl/-/commit/807ce1de752e021802a563783dfa580950746a0c

As for testing, I don't have valgrind running, so I wasn't able to do it; but someone else can. That's why I made sure to point it out.

As for the WIP, you're perhaps doing too much work.

Cheers,

Eneas
[PATCH ustream] ustream-openssl: fix bio memory leak
Using the patch by Pan Chen as inspiration, this avoids a memory leak by using a global BIO_METHOD pointer that doesn't ordinarily need to be freed. CC: Pan Chen Signed-off-by: Eneas U de Queiroz --- Run-tested with a WRT-3200ACM, running uclient_fetch and uhttpd. I have not run it with valgrind or any other debugger. diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c index 606ed4a..26b3ed5 100644 --- a/ustream-io-openssl.c +++ b/ustream-io-openssl.c @@ -116,20 +116,23 @@ static long s_ustream_ctrl(BIO *b, int cmd, long num, void *ptr) }; } +static BIO_METHOD *methods_ustream = NULL; + static BIO *ustream_bio_new(struct ustream *s) { BIO *bio; - BIO_METHOD *methods_ustream; - - methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream"); - BIO_meth_set_write(methods_ustream, s_ustream_write); - BIO_meth_set_read(methods_ustream, s_ustream_read); - BIO_meth_set_puts(methods_ustream, s_ustream_puts); - BIO_meth_set_gets(methods_ustream, s_ustream_gets); - BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl); - BIO_meth_set_create(methods_ustream, s_ustream_new); - BIO_meth_set_destroy(methods_ustream, s_ustream_free); + if (methods_ustream == NULL) { + methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, + "ustream"); + BIO_meth_set_write(methods_ustream, s_ustream_write); + BIO_meth_set_read(methods_ustream, s_ustream_read); + BIO_meth_set_puts(methods_ustream, s_ustream_puts); + BIO_meth_set_gets(methods_ustream, s_ustream_gets); + BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl); + BIO_meth_set_create(methods_ustream, s_ustream_new); + BIO_meth_set_destroy(methods_ustream, s_ustream_free); + } bio = BIO_new(methods_ustream); BIO_set_data(bio, s); ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
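Review bot: in the lazy-init block of the hunk there is no check that BIO_meth_new() succeeded before BIO_meth_set_write() and the following setters dereference methods_ustream; on allocation failure that is a NULL dereference instead of a clean error, and BIO_new(methods_ustream) below would then also be handed NULL. Add a NULL test right after the BIO_meth_new() call and return NULL from ustream_bio_new() on failure. Separately, because the table is now never passed to BIO_meth_free(), the subject line "fix bio memory leak" overstates the change: the allocation becomes process-lifetime ("still reachable" to valgrind) rather than freed, so the message should say so.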
[RFC PATCH 2/2] wolfssl: compile with --enable-opensslall
This enables all OpenSSL API available. It is required to avoid some silent failures, such as when performing client certificate validation. Package size increases from 356.6K to 374.7K for arm_cortex-a9_vfpv3-d16. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 4b891d634a..aeea1b7b7b 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.5.0-stable -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) @@ -62,6 +62,7 @@ TARGET_LDFLAGS += -flto # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ --enable-lighty \ + --enable-opensslall \ --enable-opensslextra \ --enable-sni \ --enable-stunnel \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
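Review bot: the added `--enable-opensslall \` in the CONFIGURE_ARGS hunk carries no comment, while the neighbouring `# --enable-stunnel needed for OpenSSL API compatibility bits` explains its flag; record next to it that opensslall is needed to avoid silent failures such as in client certificate validation, and that it is not a superset of opensslextra (as the cover letter notes), so a later size-trimming pass does not drop it as redundant.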
[RFC PATCH 0/2] wolfssl: build with --enable-opensslall
While looking at lighttpd failure to run with wolfssl as its backend[1], it was suggested to configure wolfssl with both '--enable-lighty', and '--enable-opensslall'.

While '--enable-lighty' in theory should make it work, wolfssl's crazy maze of preprocessor macros, combined with many empty functions and different data structures, makes its behaviour unpredictable. Nonetheless, use of '--enable-lighty' should be harmless. Size increase is a little over 100 bytes, and it should make it easier for lighttpd to feature-test the library using 'HAVE_LIGHTY' instead of having to rely on support for other software, like 'HAVE_STUNNEL'.

Changes in data structures that depend on compile options also make it hard to use alternative packages, like wolfssl-full and wolfssl-light. Personally, I think the size increase is not so dramatic, and there is so much code that gets disabled by its absence that I believe it should be enabled. I know that size matters, but having a library that works consistently is even more important.

I am marking this RFC, as it has a broad impact.

Please notice that the option name opensslall is somewhat misleading, since it is not a superset of opensslextra.

Eneas

[1] https://github.com/openwrt/packages/issues/14142

Eneas U de Queiroz (2):
  wolfssl: add lighty support, skip crypttests
  wolfssl: compile with --enable-opensslall

 package/libs/wolfssl/Makefile | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)
[RFC PATCH 1/2] wolfssl: add lighty support, skip crypttests
This adds the --enable-lighty option to configure, enabling the minimum API needed to run lighttpd, in the packages feed. Size increase is about 120 bytes for arm_cortex-a9_vfpv3-d16.

While at it, speed up build by disabling crypt bench/test.

Signed-off-by: Eneas U de Queiroz

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index dc8ca2b262..4b891d634a 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.5.0-stable -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) @@ -61,9 +61,11 @@ TARGET_LDFLAGS += -flto # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ + --enable-lighty \ --enable-opensslextra \ --enable-sni \ --enable-stunnel \ + --disable-crypttests \ --disable-examples \ --disable-jobserver \ --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
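Review bot: the second hunk's `--disable-crypttests \` removes wolfCrypt's test and benchmark programs from the build; the commit message should state that this only skips building those test binaries and does not change what the library ships, and the new line deserves a short comment in the Makefile, as the existing `# --enable-stunnel ...` line has, so the flag is not later mistaken for a functional change or for reduced verification.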
[PATCH v2] openssl: use --cross-compile-prefix in Configure
This sets the --cross-compile-prefix option when running Configure, so that it will not use the host gcc to figure out, among other things, compiler defines. It avoids errors, if the host 'gcc' is handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option '-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz
---
neheb, or anyone else affected, please test this patch to see if what I'm claiming is actually true. At least it does not appear to break compilation in my case ;-)

Compile-tested using a Gentoo host, and mvebu as target.

Changelog v1 -> v2
Since the cross prefix is set in Configure, we don't need to override it when calling make

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 9696748106..77c6d41cec 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=h PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -333,6 +333,7 @@ define Build/Configure --prefix=/usr \ --libdir=lib \ --openssldir=/etc/ssl \ + --cross-compile-prefix="$(TARGET_CROSS)" \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) && \ @@ -345,14 +346,12 @@ TARGET_LDFLAGS += -Wl,--gc-sections define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ $(OPENSSL_MAKEFLAGS) \ all $(MAKE) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ DESTDIR="$(PKG_INSTALL_DIR)" \ $(OPENSSL_MAKEFLAGS) \
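Review bot: in the Build/Compile hunk both `CROSS_COMPILE="$(TARGET_CROSS)"` lines are dropped while `CC="$(TARGET_CC)"` is still passed on every make invocation; the changelog should say why CC must still be overridden now that Configure records the prefix (or whether it could go too), otherwise the two mechanisms look inconsistent to the next reader. The cover note also admits the clang-as-host-gcc case was not tested, only a Gentoo host with mvebu, so the commit message should carry that caveat rather than only the cover text.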
[PATCH] openssl: use --cross-compile-prefix in Configure
This sets the --cross-compile-prefix option when running Configure, so that it will not use the host gcc to figure out, among other things, compiler defines. It avoids an error, when the host 'gcc' is handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option '-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz
---
neheb, or anyone else affected, please test this patch to see if what I'm claiming is actually true. At least it does not appear to break compilation in my case ;-)

Compile-tested using a Gentoo host, and mvebu as target.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 9696748106..3c0e8c5d2d 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=h PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -333,6 +333,7 @@ define Build/Configure --prefix=/usr \ --libdir=lib \ --openssldir=/etc/ssl \ + --cross-compile-prefix="$(TARGET_CROSS)" \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) && \
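Review bot: this v1 adds `--cross-compile-prefix="$(TARGET_CROSS)"` to Configure but leaves the existing CROSS_COMPILE override in Build/Compile untouched, so the prefix is now supplied twice; if Configure records it in the generated Makefile the make-time override is redundant, which is what the v2 above removes. A note in the message on which of the two is authoritative would avoid the pair drifting apart later.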
[PATCH 19.07] openssl: bump to 1.1.1h
This is a bug-fix release. Patches were refreshed. Signed-off-by: Eneas U de Queiroz (cherry picked from commit 475838de1a33d49d1a0b81aad374a8db6dd2b3c8) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 8fe00d970b..9696748106 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=g +PKG_BUGFIX:=h PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46 +PKG_HASH:=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index 0f91a9d5da..98944103b5 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -12,7 +12,7 @@ diff --git a/Configure b/Configure index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) unless ($disabled{afalgeng}) { $config{afalgeng}=""; diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch index fa79cc6022..7f33cb9dae 100644 --- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch @@ -11,7 +11,7 @@ diff --git a/Configure b/Configure index 74d057c219..5813e9f8fe 100755 --- a/Configure 
+++ b/Configure -@@ -296,7 +296,7 @@ my $auto_threads=1;# enable threads automatically? true by default +@@ -318,7 +318,7 @@ my $auto_threads=1;# enable threads automatically? true by default my $default_ranlib; # Top level directories to build @@ -20,7 +20,7 @@ index 74d057c219..5813e9f8fe 100755 # crypto/ subdirectories to build $config{sdirs} = [ "objects", -@@ -308,7 +308,7 @@ $config{sdirs} = [ +@@ -330,7 +330,7 @@ $config{sdirs} = [ "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; # test/ subdirectories to build ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
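Review bot: the hunks under package/libs/openssl/patches/ only move the `@@` offsets (1532 to 1545, 296 to 318, 308 to 330) with no body change, which matches "Patches were refreshed"; the cherry-picked-from line is present, but the backport message should also state how it was tested on 19.07, since the master commit it is picked from records its own run-test and this one records none.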
[PATCH] openssl: bump to 1.1.1h
This is a bug-fix release. Patches were refreshed. Signed-off-by: Eneas U de Queiroz -- Run-tested on mvebu/WRT3200ACM using nginx and uhttpd. diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 8fe00d970b..9696748106 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=g +PKG_BUGFIX:=h PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46 +PKG_HASH:=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch b/package/libs/openssl/patches/100-Configure-afalg-support.patch index 0f91a9d5da..98944103b5 100644 --- a/package/libs/openssl/patches/100-Configure-afalg-support.patch +++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch @@ -12,7 +12,7 @@ diff --git a/Configure b/Configure index 5a699836f3..74d057c219 100755 --- a/Configure +++ b/Configure -@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) +@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) unless ($disabled{afalgeng}) { $config{afalgeng}=""; diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch index fa79cc6022..7f33cb9dae 100644 --- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch +++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch @@ -11,7 +11,7 @@ diff --git a/Configure b/Configure index 74d057c219..5813e9f8fe 100755 --- a/Configure 
+++ b/Configure -@@ -296,7 +296,7 @@ my $auto_threads=1;# enable threads automatically? true by default +@@ -318,7 +318,7 @@ my $auto_threads=1;# enable threads automatically? true by default my $default_ranlib; # Top level directories to build @@ -20,7 +20,7 @@ index 74d057c219..5813e9f8fe 100755 # crypto/ subdirectories to build $config{sdirs} = [ "objects", -@@ -308,7 +308,7 @@ $config{sdirs} = [ +@@ -330,7 +330,7 @@ $config{sdirs} = [ "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; # test/ subdirectories to build ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
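Review bot: the separator after the Signed-off-by line is `--` rather than the `---` that git am uses to cut the message from the patch, so "Run-tested on mvebu/WRT3200ACM using nginx and uhttpd." would end up in the commit message unless the maintainer trims it; use `---` so the test note stays out of history as intended. The PKG_HASH change should, as with every openssl bump here, be checked against the SHA256 published with the 1.1.1h release rather than a mirror download, given the plain http/ftp mirrors in PKG_SOURCE_URL.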
[OpenWrt-Devel] [PATCH] wolfssl: use -fomit-frame-pointer to fix asm error
32-bit x86 fails to compile the fast-math feature when compiled with frame pointer, which uses a register used in a couple of inline asm functions. Previous versions of wolfssl had this by default. Keeping an extra register available may increase performance, so it's being restored for all architectures.

Signed-off-by: Eneas U de Queiroz
---
i386 builds currently fail with:

./wolfcrypt/src/asm.c:700:1: error: 'asm' operand has impossible constraints

This is because wolfssl uses all of the available registers for [at least] a couple of its fast-math inline asm functions. The frame-pointer uses up one of them, causing the above failure. gcc documentation indicates that -fomit-frame-pointer is used in -O1, so it should be enabled without the flag, but this compile error indicates otherwise. I'm not experienced enough to know why this is happening.

There are other alternatives:
- use -fomit-frame-pointer only for i386
- disable asm for i386
- disable fast-math for i386
- patch asm.c to loosen the constraint of one of the arguments from r= to g= in the affected functions

The last 3 are there for completeness, I'm not really considering them.

Eneas

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index b186a087e7..159cfbc53f 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.4.0-stable -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) @@ -56,7 +56,7 @@ define Package/libwolfssl/config source "$(SOURCE)/Config.in" endef -TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 +TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \
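Review bot: the TARGET_CFLAGS hunk appends `-fomit-frame-pointer` for every architecture although the failure described is i386-only and "use -fomit-frame-pointer only for i386" is listed as an alternative; since omitting frame pointers also degrades frame-pointer based backtraces and profiling of the library on all targets, the commit message should justify the global scope with more than "may increase performance", or the flag should be conditional on the i386 target until that is measured.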
[OpenWrt-Devel] [PATCH] build: always use -minterlink-mips16 if USE_MIPS16
Individual packages may turn off MIPS16 ISA individually with PKG_USE_MIPS16. However, they may link to a library compiled with MIPS16. In such cases, the -minterlink-mips16 is needed to ensure there are no direct jumps to code compiled with a different ISA.

Instead of adding -minterlink-mips16 only when PKG_USE_MIPS16 is on, add it when global USE_MIPS16 is on.

Signed-off-by: Eneas U de Queiroz
---
Tested by compiling all packages in base, packages, routing and telephony feeds for mips_74kc, with MIPS16 enabled.

This was discovered while working on lxc fixes (https://github.com/openwrt/packages/pull/12241), where compilation with mips16 would fail because of '-fstack-check=specific not implemented for MIPS16', and it would fail with PKG_USE_MIPS16=0 because of jumping to a different ISA mode:

lxc-4.0.2/src/lxc/caps.c:24:(.text+0xa4): unsupported jump between ISA modes; consider recompiling with interlinking enabled

In theory this could happen in more places, so set interlinking on whenever MIPS16 is turned on globally.

diff --git a/include/package.mk b/include/package.mk index 0575692742..f2c699ef2f 100644 --- a/include/package.mk +++ b/include/package.mk @@ -25,10 +25,11 @@ else PKG_JOBS?=$(if $(PKG_BUILD_PARALLEL),$(MAKE_J),-j1) endif ifdef CONFIG_USE_MIPS16 + TARGET_ASFLAGS_DEFAULT = $(filter-out -mips16 -minterlink-mips16,$(TARGET_CFLAGS)) ifeq ($(strip $(PKG_USE_MIPS16)),1) -TARGET_ASFLAGS_DEFAULT = $(filter-out -mips16 -minterlink-mips16,$(TARGET_CFLAGS)) -TARGET_CFLAGS += -mips16 -minterlink-mips16 +TARGET_CFLAGS += -mips16 endif + TARGET_CFLAGS += -minterlink-mips16 endif ifeq ($(strip $(PKG_IREMAP)),1) IREMAP_CFLAGS = $(call iremap,$(PKG_BUILD_DIR),$(notdir $(PKG_BUILD_DIR)))
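Review bot: the new unconditional `TARGET_CFLAGS += -minterlink-mips16` inside the `ifdef CONFIG_USE_MIPS16` block now also applies to packages with PKG_USE_MIPS16=0 that contain no MIPS16 code; the message says that is intended, so a one-line comment in package.mk above the block (that the flag is harmless for pure MIPS32 objects and required whenever they may link against MIPS16 libraries, with the lxc ISA-mode link error as the motivating case) would stop the next reader from "fixing" it back to the narrower condition.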
[OpenWrt-Devel] [PATCH] wolfssl: update to 4.4.0-stable
This version adds many bugfixes, including a couple of security vulnerabilities:

- For fast math (enabled by wpa_supplicant option), use a constant time modular inverse when mapping to affine when operation involves a private key - keygen, calc shared secret, sign.
- Change constant time and cache resistant ECC mulmod. Ensure points being operated on change to make constant time.

Signed-off-by: Eneas U de Queiroz
---
This is a straight update, no change in ABI. Tested with wpad (WPA2), uhttpd, and curl.

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index cb1ab1b64c..b186a087e7 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.3.0-stable +PKG_VERSION:=4.4.0-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=6896f8ad6c44aff3e583006839600848a0e37118ebbb7514eca9409ae08b +PKG_HASH:=7f854804c8ae0ca49cc77809e38e9a3b5a8c91ba7855ea928e6d6651b0d35f18 PKG_FIXUP:=libtool PKG_INSTALL:=1
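Review bot: the message describes the two constant-time fixes (ECC modular inverse and mulmod) as security vulnerabilities but cites no advisory or CVE identifier; add the wolfSSL release-note or advisory references so downstream can map this bump to the timing side-channel issues it closes. Also note that the removed `PKG_HASH` line shows only 60 hex characters in this copy, so the old hash is truncated here; confirm the new 64-character hash against the upstream 4.4.0-stable release before merging.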
[OpenWrt-Devel] [PATCH v3 3/3] build: have config-clean deal with old temp files
This is a temporary commit to have 'make config-clean' remove temporary files from the previous scripts/config version. The .gitignore file is updated to deal with the old files as well. Cc: Kevin Darbyshire-Bryant Signed-off-by: Eneas U de Queiroz diff --git a/scripts/config/.gitignore b/scripts/config/.gitignore index b5bf92f66d..737c5b7953 100644 --- a/scripts/config/.gitignore +++ b/scripts/config/.gitignore @@ -12,3 +12,10 @@ mconf nconf qconf gconf + +# +# temporary files from older version. Should be removed +# +zconf.???.c +zconf.hash.c +.tmp_qtcheck diff --git a/scripts/config/Makefile b/scripts/config/Makefile index eb55b759a8..d98f15c393 100644 --- a/scripts/config/Makefile +++ b/scripts/config/Makefile @@ -7,7 +7,10 @@ all: conf mconf clean: rm -f *.o lxdialog/*.o *.moc $(clean-files) conf mconf qconf -clean-files:= +# This clean-files definition is here to ensure that temporary files from the +# previous version are removed by make config-clean. +# It should be removed or emptied when this Makefile get updated again. +clean-files:= zconf.tab.c zconf.lex.c zconf.hash.c .tmp_qtcheck # === # Variables needed by the upstream Makefile ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
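Review bot: the `.gitignore` hunk uses the glob `zconf.???.c` while the `clean-files` line in the Makefile hunk spells out `zconf.tab.c zconf.lex.c`, and `zconf.hash.c` is listed in both; that is consistent, but tying the two lists to one name (or one comment) would make the promised later removal a single edit. Minor: the new Makefile comment reads "when this Makefile get updated again", which should be "gets".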
[OpenWrt-Devel] [PATCH v3 2/3] build: add option to treat recursive deps as error
Running make with RECURSIVE_DEP_IS_ERROR=1 will cause a hard failure when a recursive dependency is detected. This is useful to apply stricter Ci tests, for example. Signed-off-by: Eneas U de Queiroz diff --git a/include/toplevel.mk b/include/toplevel.mk index ad8e5b8f20..5cf93ce7ef 100644 --- a/include/toplevel.mk +++ b/include/toplevel.mk @@ -99,6 +99,9 @@ prepare-tmpinfo: FORCE $(_SINGLE)$(NO_TRACE_MAKE) menuconfig $(PREP_MK); \ fi +ifeq ($(RECURSIVE_DEP_IS_ERROR),1) + KCONF_FLAGS=--fatalrecursive +endif ifneq ($(DISTRO_PKG_CONFIG),) scripts/config/%onf: export PATH:=$(dir $(DISTRO_PKG_CONFIG)):$(PATH) endif @@ -111,7 +114,7 @@ $(eval $(call rdep,scripts/config,scripts/config/mconf)) config: scripts/config/conf prepare-tmpinfo FORCE [ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \ - $< Config.in + $< $(KCONF_FLAGS) Config.in config-clean: FORCE $(_SINGLE)$(NO_TRACE_MAKE) -C scripts/config clean @@ -120,7 +123,7 @@ defconfig: scripts/config/conf prepare-tmpinfo FORCE touch .config @if [ ! -s .config -a -e $(HOME)/.openwrt/defconfig ]; then cp $(HOME)/.openwrt/defconfig .config; fi [ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \ - $< --defconfig=.config Config.in + $< $(KCONF_FLAGS) --defconfig=.config Config.in confdefault-y=allyes confdefault-m=allmod @@ -129,7 +132,7 @@ confdefault:=$(confdefault-$(CONFDEFAULT)) oldconfig: scripts/config/conf prepare-tmpinfo FORCE [ -L .config ] && export KCONFIG_OVERWRITECONFIG=1; \ - $< --$(if $(confdefault),$(confdefault),old)config Config.in + $< $(KCONF_FLAGS) --$(if $(confdefault),$(confdefault),old)config Config.in menuconfig: scripts/config/mconf prepare-tmpinfo FORCE if [ \! -e .config -a -e $(HOME)/.openwrt/defconfig ]; then \ @@ -210,7 +213,7 @@ ifeq ($(SDK),1) %:: @+$(PREP_MK) $(NO_TRACE_MAKE) -r -s prereq - @./scripts/config/conf --defconfig=.config Config.in + @./scripts/config/conf $(KCONF_FLAGS) --defconfig=.config Config.in @+$(ULIMIT_FIX) $(SUBMAKE) -r $@ else 
@@ -219,7 +222,7 @@ else @+$(PREP_MK) $(NO_TRACE_MAKE) -r -s prereq @( \ cp .config tmp/.config; \ - ./scripts/config/conf --defconfig=tmp/.config -w tmp/.config Config.in > /dev/null 2>&1; \ + ./scripts/config/conf $(KCONF_FLAGS) --defconfig=tmp/.config -w tmp/.config Config.in > /dev/null 2>&1; \ if ./scripts/kconfig.pl '>' .config tmp/.config | grep -q CONFIG; then \ printf "$(_R)WARNING: your configuration is out of sync. Please run make menuconfig, oldconfig or defconfig!$(_N)\n" >&2; \ fi \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
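Review bot: in the last hunk `$(KCONF_FLAGS)` is added to the configuration-sync check whose output is discarded with `> /dev/null 2>&1`, so with RECURSIVE_DEP_IS_ERROR=1 a recursive dependency there makes conf fail silently and the user only sees the generic "your configuration is out of sync" warning, not the recursive-dependency error; either leave that invocation without the flag or let its stderr through when the flag is set, and mention the chosen behaviour in the commit message. Also, `KCONF_FLAGS=--fatalrecursive` is a recursively expanded assignment inside `ifeq`; `:=` would match the rest of toplevel.mk.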
[OpenWrt-Devel] [PATCH v3 0/3] build: update scripts/config to kconfig-v5.6
After breaking the build bots for a couple of days, this is another attempt to update scripts/config to linux kconfig-v5.6. This time I've spent some time testing it with the SDK, which is heavily dependent on recursive dependencies. While testing it, I found some minor bugs, which I've sent separate patches to fix. I've kept them out of this series, as they are independent anyway. I've changed the default behavior to treat them as warnings, not errors. Instead of a compile-time choice, I've added a command-line option to scripts/config/conf, --fatalrecursive, to error out when detecing a recursive dependency. The option is activated in openwrt by running make with RECURSIVE_DEP_IS_ERROR=1. Another change from v2 was that the commit handling the selection of a module from a bool, 9bfa6971ae ("scripts/config: properly handle select on symbols with unmet direct dependencies"), which was not done right in v2, was properly fixed here. The commits to get from upstream kconfig-v5.6 to the openwrt version here can be seen at https://github.com/cotequeiroz/linux/commits/openwrt/scripts/kconfig The last commit of this series is optional. Previously, ldir had included leftover temporary files from previous version to .gitignore, so git would not complain about untracked files. I took that one step further and added them to make config-clean. I do intend this to be temporary, to be reverted before the next branch, and added comments to the affected lines as a reminder. I don't have the resources to do a full buildbot setup, but I've used jow's suggested simpler way of testing it with the SDK. I've compared the output of the failed run with the v2 of this patch applied, from the bots and with the SDK, and the errors do appear to be the same. I've tested this with a self-compiled SKD for ath79, and compared the resulting .config files against master at 508462a399. I've also used several config.buildinfo from snapshots of different targets on full build root. 
I used this to compare the generated .config files:

diff -I '^\(# end of.*\)\?$' openwrt.{old,new}/.config

The new version adds '# end of ' comments, which are being ignored.

While working with the SDK, I've applied a previously submitted patch ("sdk: add OpenWrt branding to menuconfig & .config") https://patchwork.ozlabs.org/project/openwrt/patch/20200418214931.24983-1-cotequei...@gmail.com/ so that the titles of the .config files would match.

I also tested the behavior of menuconfig when selecting multiple targets, to ensure the selection of a module from a bool was working as intended.

Eneas U de Queiroz (3):
  build: scripts/config - update to kconfig-v5.6
  build: add option to treat recursive deps as error
  build: have config-clean deal with old temp files

 include/toplevel.mk | 13 +-
 scripts/config/.gitignore | 34 +-
 scripts/config/Makefile | 177 +-
 scripts/config/README | 29 +-
 scripts/config/conf.c | 255 +-
 scripts/config/confdata.c | 533 +-
 scripts/config/expr.c | 216 +-
 scripts/config/expr.h | 110 +-
 scripts/config/images.c | 34 +-
 scripts/config/images.h | 33 +
 scripts/config/{zconf.l => lexer.l} | 340 +-
 scripts/config/lexer.lex.c | 4499 +
 scripts/config/list.h | 1 +
 scripts/config/lkc.h | 59 +-
 scripts/config/lkc_proto.h | 21 +-
 scripts/config/lxdialog/.gitignore | 2 -
 scripts/config/lxdialog/check-lxdialog.sh | 91 -
 scripts/config/lxdialog/checklist.c | 19 +-
 scripts/config/lxdialog/dialog.h | 23 +-
 scripts/config/lxdialog/inputbox.c | 22 +-
 scripts/config/lxdialog/menubox.c | 25 +-
 scripts/config/lxdialog/textbox.c | 17 +-
 scripts/config/lxdialog/util.c | 15 +-
 scripts/config/lxdialog/yesno.c | 19 +-
 scripts/config/mconf-cfg.sh | 50 +
 scripts/config/mconf.c | 179 +-
 scripts/config/menu.c | 451 +-
 .../{zconf.tab.c_shipped => parser.tab.c} | 939 ++--
 scripts/config/parser.tab.h | 129 +
 scripts/config/{zconf.y => parser.y} | 429 +-
 scripts/config/preprocess.c | 575 +++
 scripts/config/qconf-cfg.sh | 32 +
 scripts/config/qconf.cc | 174 +-
 scripts/config/qconf.h | 3 +-
 scripts/config/symbol.c | 272 +-
 scripts/config/util.c | 86 +-
 scripts/config/zconf.gperf | 49 -
 scripts/config/zconf.hash.c_shipped | 250 -
 s
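An added example, not part of Eneas's series, of the .config comparison the cover letter describes: it drops the '# end of' comments (and blank lines) the new kconfig emits, and also the title line, so a file headed "Linux Kernel Configuration" (an SDK without the branding patch) compares equal to one headed "OpenWrt Configuration". The file contents and symbol names are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the patch series: compare two kconfig .config
# files the way the cover letter does, ignoring the "# end of ..." comments
# (and blank lines) that kconfig-v5.6 adds, and also the title line, so a
# file headed "Linux Kernel Configuration" compares equal to one branded
# "OpenWrt Configuration". All symbol names below are constructed samples.

# normalize_config FILE: print FILE without "# end of" comments, blank
# lines and the "# ... Configuration" title, leaving only symbol settings.
normalize_config() {
    grep -v -e '^# end of ' -e '^$' -e '^# .* Configuration$' "$1"
}

# config_equal OLD NEW: return 0 when both files set the same symbols to
# the same values, 1 when they differ (the differences are printed).
config_equal() {
    tmp=$(mktemp -d) || return 2
    normalize_config "$1" >"$tmp/old"
    normalize_config "$2" >"$tmp/new"
    diff -u "$tmp/old" "$tmp/new"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# write_samples DIR: create three constructed .config files in DIR:
#   old.config - pre-update layout with the default kconfig title
#   new.config - same settings, OpenWrt title plus an "# end of" comment
#   bad.config - like new.config, but with one symbol flipped
write_samples() {
    printf '%s\n' '#' '# Automatically generated file; DO NOT EDIT.' \
        '# Linux Kernel Configuration' '#' 'CONFIG_TARGET_ath79=y' \
        'CONFIG_PACKAGE_libustream-openssl=y' \
        '# CONFIG_PACKAGE_libustream-mbedtls is not set' >"$1/old.config"
    printf '%s\n' '#' '# Automatically generated file; DO NOT EDIT.' \
        '# OpenWrt Configuration' '#' 'CONFIG_TARGET_ath79=y' '' \
        'CONFIG_PACKAGE_libustream-openssl=y' \
        '# CONFIG_PACKAGE_libustream-mbedtls is not set' \
        '# end of Global build settings' >"$1/new.config"
    sed 's/^CONFIG_PACKAGE_libustream-openssl=y$/# CONFIG_PACKAGE_libustream-openssl is not set/' \
        "$1/new.config" >"$1/bad.config"
}

# Stand-alone run: the first pair is equivalent, the second is not.
demo=$(mktemp -d)
write_samples "$demo"
config_equal "$demo/old.config" "$demo/new.config" && echo "old/new: equivalent"
config_equal "$demo/new.config" "$demo/bad.config" || echo "new/bad: differ"
rm -rf "$demo"
```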
[OpenWrt-Devel] [PATCH] sdk: add OpenWrt branding to menuconfig & .config
Set the mainmenu symbol in SDK Config.in to "OpenWrt Configuration", the same as the main OpenWrt Config.in. This string is used as the name of the top menu in menuconfig, and at the top of the .config file. If unset, current kconfig will use "Linux Kernel Configuration".

Signed-off-by: Eneas U de Queiroz

diff --git a/target/sdk/files/Config.in b/target/sdk/files/Config.in index 0dab240959..4393daab5b 100644 --- a/target/sdk/files/Config.in +++ b/target/sdk/files/Config.in @@ -1,3 +1,5 @@ +mainmenu "OpenWrt Configuration" + menu "Global build settings" config ALL_NONSHARED
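Review bot: the string "OpenWrt Configuration" is now duplicated between target/sdk/files/Config.in and the main OpenWrt Config.in with nothing tying the two together, and the commit message relies on them staying identical; a short comment on the new mainmenu line pointing at the main Config.in (or a note in the commit message that both must be changed together) would keep a future rename of one from silently making the two .config headers diverge again.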
[OpenWrt-Devel] [PATCH] build: show make output in scripts/config when V=s
This should make debugging build errors in scripts/config a bit easier.

Signed-off-by: Eneas U de Queiroz

diff --git a/include/toplevel.mk b/include/toplevel.mk index 2965f75c7c..ad8e5b8f20 100644 --- a/include/toplevel.mk +++ b/include/toplevel.mk @@ -104,7 +104,8 @@ scripts/config/%onf: export PATH:=$(dir $(DISTRO_PKG_CONFIG)):$(PATH) endif scripts/config/%onf: CFLAGS+= -O2 scripts/config/%onf: - @$(_SINGLE)$(SUBMAKE) -s -C scripts/config $(notdir $@) CC="$(HOSTCC_WRAPPER)" + @$(_SINGLE)$(SUBMAKE) $(if $(findstring s,$(OPENWRT_VERBOSE)),,-s) \ + -C scripts/config $(notdir $@) CC="$(HOSTCC_WRAPPER)" $(eval $(call rdep,scripts/config,scripts/config/mconf))
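Review bot: the subject says V=s, but the hunk tests $(findstring s,$(OPENWRT_VERBOSE)), which is a substring match on OPENWRT_VERBOSE rather than an equality test on V, so any verbosity value that contains an "s" also drops the -s from the submake; if that is intended, one sentence in the commit message stating that the switch keys on OPENWRT_VERBOSE would spare the next reader a lookup, and if only the literal V=s is meant, the condition should compare against that value instead.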