Hi, nbd had the idea to implement the OpenSSL engine option more dynamically, so that OpenSSL OCF (cryptodev) support is pulled in whenever ubsec_ssb is selected.
Here is the patch, plus some OpenSSL CVE patches taken from Gentoo. I use the ixp4xx-microcode package to add the support for ixp4xx, because that package gets selected whenever the ixp4xx target is selected and I could not find a way to implement this in target/linux/ixp4xx/Makefile. Please apply. Greets
diff --git a/package/ixp4xx-microcode/Makefile b/package/ixp4xx-microcode/Makefile
index 9ed9127..2b89f3c 100644
--- a/package/ixp4xx-microcode/Makefile
+++ b/package/ixp4xx-microcode/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ixp4xx-microcode
 PKG_VERSION:=2.4
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_SOURCE:=IPL_ixp400NpeLibraryWithCrypto-2_4.zip
 PKG_SOURCE_URL:=http://downloads.openwrt.org/sources
@@ -21,7 +21,7 @@ define Package/ixp4xx-microcode
 SECTION:=net
 CATEGORY:=Network
 TITLE:=Microcode for the IXP4xx network engines
- DEPENDS:=...@target_ixp4xx
+ DEPENDS:=...@target_ixp4xx +...@openssl_engine
 endef
 define Package/ixp4xx-microcode/description
diff --git a/package/openssl/Config.in b/package/openssl/Config.in
new file mode 100644
index 0000000..518d6f9
--- /dev/null
+++ b/package/openssl/Config.in
@@ -0,0 +1,9 @@
+# OpenSSL configuration
+
+if PACKAGE_libopenssl
+
+config OPENSSL_ENGINE
+ bool
+ prompt "USE Cryptodev"
+
+endif
diff --git a/package/openssl/Makefile b/package/openssl/Makefile
index ac56521..ba8c02d 100644
--- a/package/openssl/Makefile
+++ b/package/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openssl
 PKG_VERSION:=0.9.8l
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
@@ -27,6 +27,10 @@ define Package/openssl/Default
 URL:=http://www.openssl.org/
 endef
+define Package/libopenssl/config
+source "$(SOURCE)/Config.in"
+endef
+
 define Package/openssl/Default/description
 The OpenSSL Project is a collaborative effort to develop a robust,
 commercial-grade, full-featured, and Open Source toolkit implementing the
@@ -69,7 +73,7 @@ endef
 OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-smime \
 no-rmd160 no-aes192 no-ripemd no-camellia no-ans1 no-krb5
-ifeq ($(BOARD),ixp4xx)
+ifdef CONFIG_OPENSSL_ENGINE
 OPENSSL_OPTIONS:= shared no-ec no-err no-hw no-threads zlib-dynamic \
 no-sse2 --with-cryptodev
 else
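Review bot: The `+...@openssl_engine` selector added to the ixp4xx-microcode DEPENDS line makes a firmware-blob package force a libopenssl build option, and nothing in the Makefile says why; the cover letter admits it is a stand-in for a target-level default that could not be placed in target/linux/ixp4xx/Makefile. State the reason in place, e.g. `# selects OPENSSL_ENGINE so libopenssl is built --with-cryptodev for the NPE crypto engine (no target-level hook available)`. The archive copy shows the selector in lower case (`openssl_engine`) while Config.in declares `config OPENSSL_ENGINE`; that may only be list-archive mangling of the `@` token, but kconfig symbols are case-sensitive, so confirm the real patch reads `+@OPENSSL_ENGINE`.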
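Review bot: `config OPENSSL_ENGINE` in the new Config.in is a bare bool with the prompt "USE Cryptodev" and no `help` or `depends on`, so a user can enable it on any target, while this series only ever pairs it with an OCF provider through the ubsec_ssb and ixp4xx-microcode selectors. Add a help text that says what the option does and what it needs, along the lines of: builds libopenssl with --with-cryptodev so it can offload to an OCF /dev/crypto device (kmod-crypto-ocf plus a hardware driver), and is selected automatically by ubsec_ssb and ixp4xx-microcode. How libopenssl behaves when /dev/crypto is absent is OpenSSL engine behaviour not visible in this diff, so the help text should also say the option is pointless without a provider.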
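Review bot: `ifdef CONFIG_OPENSSL_ENGINE` replaces the `ifeq ($(BOARD),ixp4xx)` check, so an ixp4xx build now only gets `--with-cryptodev` if something selects the new symbol; in this series that is the ixp4xx-microcode package alone, and an ixp4xx image built without it silently loses the hardware path it had before. OpenWrt Makefiles normally test kconfig bools as `ifeq ($(CONFIG_OPENSSL_ENGINE),y)`; `ifdef` works because unset symbols are absent from .config, but the `ifeq` form is the convention and reads as the boolean test it is. The `else` branch of this conditional continues outside the hunk.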
diff --git a/package/openssl/patches/900-CVE-2009-1387.patch b/package/openssl/patches/900-CVE-2009-1387.patch
new file mode 100644
index 0000000..fab7840
--- /dev/null
+++ b/package/openssl/patches/900-CVE-2009-1387.patch
@@ -0,0 +1,59 @@
+http://bugs.gentoo.org/270305
+
+fix from upstream
+
+Index: openssl/ssl/d1_both.c
+===================================================================
+RCS file: /usr/local/src/openssl/CVSROOT/openssl/ssl/d1_both.c,v
+retrieving revision 1.4.2.7
+retrieving revision 1.4.2.8
+diff -u -p -r1.4.2.7 -r1.4.2.8
+--- d1_both.c 17 Oct 2007 21:17:49 -0000 1.4.2.7
++++ d1_both.c 2 Apr 2009 22:12:13 -0000 1.4.2.8
+@@ -575,30 +575,31 @@ dtls1_process_out_of_seq_message(SSL *s,
+ }
+ }
+
+- frag = dtls1_hm_fragment_new(frag_len);
+- if ( frag == NULL)
+- goto err;
++ if (frag_len)
++ {
++ frag = dtls1_hm_fragment_new(frag_len);
++ if ( frag == NULL)
++ goto err;
+
+- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
++ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+
+- if (frag_len)
+- {
+- /* read the body of the fragment (header has already been read */
++ /* read the body of the fragment (header has already been read) */
+ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+ frag->fragment,frag_len,0);
+ if (i<=0 || (unsigned long)i!=frag_len)
+ goto err;
+- }
+
+- pq_64bit_init(&seq64);
+- pq_64bit_assign_word(&seq64, msg_hdr->seq);
++ pq_64bit_init(&seq64);
++ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+
+- item = pitem_new(seq64, frag);
+- pq_64bit_free(&seq64);
+- if ( item == NULL)
+- goto err;
++ item = pitem_new(seq64, frag);
++ pq_64bit_free(&seq64);
++ if ( item == NULL)
++ goto err;
++
++ pqueue_insert(s->d1->buffered_messages, item);
++ }
+
+- pqueue_insert(s->d1->buffered_messages, item);
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
diff --git a/package/openssl/patches/900-CVE-2009-2409.patch b/package/openssl/patches/900-CVE-2009-2409.patch
new file mode 100644
index 0000000..18ea580
--- /dev/null
+++ b/package/openssl/patches/900-CVE-2009-2409.patch 
@@ -0,0 +1,71 @@
+http://bugs.gentoo.org/280591
+
+fix from upstream
+
+http://cvs.openssl.org/chngview?cn=18260
+
+Index: openssl/crypto/x509/x509_vfy.c
+RCS File: /v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v
+rcsdiff -q -kk '-r1.77.2.8' '-r1.77.2.9' -u '/v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v' 2>/dev/null
+--- x509_vfy.c 2008/07/13 14:33:15 1.77.2.8
++++ x509_vfy.c 2009/06/15 14:52:38 1.77.2.9
+@@ -986,7 +986,11 @@
+ while (n >= 0)
+ {
+ ctx->error_depth=n;
+- if (!xs->valid)
++
++ /* Skip signature check for self signed certificates. It
++ * doesn't add any security and just wastes time.
++ */
++ if (!xs->valid && xs != xi)
+ {
+ if ((pkey=X509_get_pubkey(xi)) == NULL)
+ {
+@@ -996,13 +1000,6 @@
+ if (!ok) goto end;
+ }
+ else if (X509_verify(xs,pkey) <= 0)
+- /* XXX For the final trusted self-signed cert,
+- * this is a waste of time. That check should
+- * optional so that e.g. 'openssl x509' can be
+- * used to detect invalid self-signatures, but
+- * we don't verify again and again in SSL
+- * handshakes and the like once the cert has
+- * been declared trusted.
 */
+ {
+ ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
+ ctx->current_cert=xs;
+
+http://cvs.openssl.org/chngview?cn=18317
+
+Index: openssl/crypto/evp/c_alld.c
+RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v
+rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null
+--- c_alld.c 2005/04/30 21:51:40 1.7
++++ c_alld.c 2009/07/08 08:33:26 1.7.2.1
+@@ -64,9 +64,6 @@
+
+ void OpenSSL_add_all_digests(void)
+ {
+-#ifndef OPENSSL_NO_MD2
+- EVP_add_digest(EVP_md2());
+-#endif
+ #ifndef OPENSSL_NO_MD4
+ EVP_add_digest(EVP_md4());
+ #endif
+Index: openssl/ssl/ssl_algs.c
+RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v
+rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null
+--- ssl_algs.c 2007/04/23 23:50:21 1.12.2.3
++++ ssl_algs.c 2009/07/08 08:33:27 1.12.2.4
+@@ -92,9 +92,6 @@
+ EVP_add_cipher(EVP_seed_cbc());
+ #endif
+
+-#ifndef OPENSSL_NO_MD2
+- EVP_add_digest(EVP_md2());
+-#endif
+ #ifndef OPENSSL_NO_MD5
+ EVP_add_digest(EVP_md5());
+ EVP_add_digest_alias(SN_md5,"ssl2-md5");
diff --git a/package/ubsec_ssb/Makefile b/package/ubsec_ssb/Makefile
index 9c108d1..6a14e2a 100644
--- a/package/ubsec_ssb/Makefile
+++ b/package/ubsec_ssb/Makefile
@@ -10,6 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=ubsec-ssb
 PKG_VERSION:=2009-02-21
+PKG_RELEASE:=1
 CRYPTO_MENU:=OCF Configuration
@@ -17,7 +18,7 @@ include $(INCLUDE_DIR)/package.mk
 define KernelPackage/ocf-ubsec-ssb
 SUBMENU:=$(CRYPTO_MENU)
- DEPENDS:=...@target_brcm47xx +kmod-crypto-core +kmod-crypto-ocf
+ DEPENDS:=...@target_brcm47xx +...@openssl_engine +kmod-crypto-core +kmod-crypto-ocf
 TITLE:=BCM5365P IPSec Core driver
 FILES:=$(PKG_BUILD_DIR)/src/ubsec_ssb.$(LINUX_KMOD_SUFFIX)
 AUTOLOAD:=$(call AutoLoad,09,ubsec_ssb)
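Review bot: Two of the three upstream changes bundled into 900-CVE-2009-2409.patch, the MD2 removals in c_alld.c and ssl_algs.c, are dead under this package's configuration: the openssl Makefile already passes `no-md2` in OPENSSL_NO_CIPHERS, and the removed lines sit inside `#ifndef OPENSSL_NO_MD2`; only the x509_vfy.c part, which stops re-verifying the self-signature of the trusted root (`xs != xi`), changes what gets built. A line in the patch header, e.g. `c_alld.c/ssl_algs.c hunks are no-ops here (no-md2 is passed to Configure); kept so the patch matches Gentoo/upstream`, would stop a later maintainer from dropping or re-applying the MD2 hunks by mistake. Both new patches share the 900- prefix; quilt applies them in name order, which is harmless today but worth distinct numbers if ordering ever matters. The x509_vfy.c inner hunk starts and ends inside X509_verify_cert's loop, which lies outside this diff.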
