[OpenWrt-Devel] [PATCH] ustream-ssl: update to 2019-06-24

2019-06-24 Thread Eneas U de Queiroz
This adds chacha20-poly1305 support to the mbedtls variant.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/ustream-ssl/Makefile 
b/package/libs/ustream-ssl/Makefile
index a15f3d8ab8..ca9ad5d98b 100644
--- a/package/libs/ustream-ssl/Makefile
+++ b/package/libs/ustream-ssl/Makefile
@@ -5,9 +5,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git
-PKG_SOURCE_DATE:=2018-07-30
-PKG_SOURCE_VERSION:=23a3f2830341acd1db149175baf7315a33bd0edb
-PKG_MIRROR_HASH:=289bef5dac684015b6a40cfd72cf1c8c297bb77cf2efd54e562b628ba3afd83d
+PKG_SOURCE_DATE:=2019-06-24
+PKG_SOURCE_VERSION:=738e8d2489fc64f782affd1292388c66f6d69e82
+PKG_MIRROR_HASH:=29e69fce0a334746ed3a68d27f5ca5bffbfc144d04329335be47983fdd7cbdfd
 CMAKE_INSTALL:=1
 
 PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_SOURCE_SUBDIR)
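Review bot: the new PKG_MIRROR_HASH on the last changed line cannot be checked from the diff; confirm it was regenerated from the archive the build system produces for commit 738e8d2489fc64f782affd1292388c66f6d69e82 (for example with `make package/libs/ustream-ssl/check FIXUP=1`) rather than copied, since a wrong value is only caught when the tarball is fetched from the mirror instead of from git.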

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[OpenWrt-Devel] [PATCH 1/3] wolfssl: update to 3.15.7, fix Makefile

2019-06-25 Thread Eneas U de Queiroz
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack.  Patches were refreshed.
Fixed poly1305 build option, and made some Makefile updates.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 50b0bb9cdf..4aa163b361 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -53,7 +53,7 @@ config WOLFSSL_HAS_ECC25519
depends on WOLFSSL_HAS_ECC
default n
 
-config WOLFSSL_HAS_POLY_1305
+config WOLFSSL_HAS_POLY1305
bool "Include Poly-1305 support"
default n
 
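Review bot: renaming WOLFSSL_HAS_POLY_1305 to WOLFSSL_HAS_POLY1305 drops the old symbol from existing .config files, so anyone who had it set to y silently falls back to `default n`; say so in the commit message or keep the old name as an alias. The prompt `Include Poly-1305 support` also keeps the hyphen the symbol just lost; `Poly1305` is the algorithm's name.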
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 23bb1c5220..d96dbea323 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,11 +8,10 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=3.15.3-stable
-PKG_RELEASE:=2
+PKG_VERSION:=3.15.7-stable
+PKG_RELEASE:=1
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
-# PKG_SOURCE_URL:=https://www.wolfssl.com/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
 PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a
 
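Review bot: PKG_HASH is left at dc97c07a... while PKG_VERSION moves from 3.15.3-stable to 3.15.7-stable and PKG_SOURCE changes from .zip to .tar.gz in the same hunk, so the checksum cannot match the new archive and the download step will fail. Regenerate it against the new tarball in this commit (for example `make package/libs/wolfssl/check FIXUP=1`); the hash is the only thing pinning the source, since the GitHub archive URL is not content-addressed.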
@@ -20,15 +19,16 @@ PKG_FIXUP:=libtool
 PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
-PKG_LICENSE:=GPL-2.0+
-PKG_CPE_ID:=cpe:/a:yassl:cyassl
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=LICENSING COPYING
+PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \
CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \
-   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY_1305 \
+   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY1305 \
CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \
CONFIG_WOLFSSL_HAS_WPAS
 
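Review bot: the CPE change from cpe:/a:yassl:cyassl to cpe:/a:wolfssl:wolfssl deserves a line in the commit message: tooling keyed on the old identifier stops reporting this package, and the new one is what current wolfSSL advisories are filed under, so it is a security-relevant correction rather than cosmetics. Also confirm both LICENSING and COPYING named in PKG_LICENSE_FILES exist in the 3.15.7 tarball.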
@@ -42,7 +42,7 @@ define Package/libwolfssl
   URL:=http://www.wolfssl.com/
   MENU:=1
   PROVIDES:=libcyassl
-  ABI_VERSION:=18
+  ABI_VERSION:=19
 endef
 
 define Package/libwolfssl/description
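Review bot: the ABI_VERSION bump from 18 to 19 is not explained in the commit message; add a line saying the 3.15.7 library ABI is incompatible with 3.15.3, because that bump is what forces dependents to be rebuilt and is the detail that matters when this patch is cherry-picked to a release branch on its own.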
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index d913b5fdea..8a51434633 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -1624,7 +1624,7 @@ extern void uITRON4_free(void *p) ;
+@@ -1759,7 +1759,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
@@ -8,4 +8,4 @@
 +#if 0
  #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
  (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \
- (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS))
+ (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS) 
&& \
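Review bot: this refresh only moves the `#if 0` that silences wolfSSL's warning about missing hardening options (TFM_TIMING_RESISTANT, ECC_TIMING_RESISTANT, WC_RSA_BLINDING) to its new offset; silencing the warning enables none of them. Since the update is motivated by a cache-timing variant of Bleichenbacher's attack, please state in the commit message which of those defines the CONFIGURE_ARGS (not in this diff) still turn on, so a reader can see the patch suppresses a redundant warning rather than an accurate one.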
diff --git 
a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch 
b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
index 66582cfc46..6b0861288f 100644
--- a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
+++ b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4198,7 +4198,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta
+@@ -4614,7 +4614,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta
  AC_CONFIG_FILES([Makefile wolfssl/version.h wolfssl/options.h 
cyassl/options.h support/wolfssl.pc rpm/spec])
  
  AX_CREATE_GENERIC_CONFIG



[OpenWrt-Devel] [PATCH 0/3] wolfssl update

2019-06-25 Thread Eneas U de Queiroz
This series updates wolfssl to version 3.15.7, which includes a security
fix.

Many of the build options were not being used, and are always built into
the library because of an unconditional --enable-stunnel option, so they
can be removed.  Since they were selected by hostapd, they are being
removed there as well.  The hostapd change includes the removal of the
selection of the library itself, allowing the package to be built as a
module.

This version adds support for hardware acceleration using /dev/crypto and
AF_ALG.

The library was run-tested on WRT-3200ACM using uhttpd with different
options, turning them on one by one cumulatively.  The size varied from
226K with all options off, to 309K with all options.

Enabling hardware acceleration and AES-CCM at the same time results in a
build failure, which dents my confidence in them.  Nonetheless, uhttpd
connects without a problem, and I can confirm /dev/crypto or AF_ALG
sockets open.

The package currently lacks a maintainer, so I've added myself.  I've
split the changes into 3 commits: one just with the version bump and some
minor Makefile changes; a second big one, more prone to trouble, and the
third one adjusting removed wolfssl options in hostapd.

Eneas U de Queiroz (3):
  wolfssl: update to 3.15.7, fix Makefile
  wolfssl: reorganize, add build options
  hostapd: adjust removed wolfssl options

 package/libs/wolfssl/Config.in|  53 +---
 package/libs/wolfssl/Makefile | 122 +-
 .../patches/100-disable-hardening-check.patch |   4 +-
 .../900-remove-broken-autoconf-macros.patch   |   2 +-
 package/network/services/hostapd/Config.in|   4 -
 5 files changed, 70 insertions(+), 115 deletions(-)




[OpenWrt-Devel] [PATCH 3/3] hostapd: adjust removed wolfssl options

2019-06-25 Thread Eneas U de Queiroz
From: Eneas U de Queiroz 

This adjusts the selection of recently removed wolfssl options which
have always been built into the library even in their absence.
Also remove the selection of libwolfssl itself, allowing the library to
be built as a module.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/network/services/hostapd/Config.in 
b/package/network/services/hostapd/Config.in
index 1966067219..9ce4b243cc 100644
--- a/package/network/services/hostapd/Config.in
+++ b/package/network/services/hostapd/Config.in
@@ -51,15 +51,11 @@ config WPA_WOLFSSL
PACKAGE_wpad-wolfssl ||\
PACKAGE_wpad-mesh-wolfssl ||\
PACKAGE_eapol-test-wolfssl
-   select PACKAGE_libwolfssl
select WOLFSSL_HAS_AES_CCM
select WOLFSSL_HAS_AES_GCM
select WOLFSSL_HAS_ARC4
-   select WOLFSSL_HAS_DES3
select WOLFSSL_HAS_DH
-   select WOLFSSL_HAS_ECC
select WOLFSSL_HAS_OCSP
-   select WOLFSSL_HAS_PSK
select WOLFSSL_HAS_SESSION_TICKET
select WOLFSSL_HAS_WPAS
 
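Review bot: dropping `select PACKAGE_libwolfssl` only keeps the library installed if the wolfssl variants of wpad/hostapd carry a `+libwolfssl` DEPENDS in the hostapd Makefile (not in this diff); please confirm, otherwise WPA_WOLFSSL builds link against a library that is absent from the image. The removed selects for WOLFSSL_HAS_DES3, WOLFSSL_HAS_ECC and WOLFSSL_HAS_PSK refer to symbols deleted in 2/3; applying 3/3 alone is harmless because those symbols default to y, but 2/3 without 3/3 leaves selects of undefined symbols, so keep the series order.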



[OpenWrt-Devel] [PATCH 2/3] wolfssl: reorganize, add build options

2019-06-25 Thread Eneas U de Queiroz
Removed options that can't be turned off because we're building with
--enable-stunnel, some of which affect hostapd's Config.in.
Adjusted the title of OCSP option, as OCSP itself can't be turned off,
only the stapling part is selectable.
Mark options turned on when wpad support is selected.
Add building options for TLS 1.0 and TLS 1.3.
Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
Reorganized option conditionals in Makefile.
Add Eneas U de Queiroz as maintainer.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 4aa163b361..711b789f6e 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -8,12 +8,8 @@ config WOLFSSL_HAS_AES_GCM
bool "Include AES-GCM support"
default y
 
-config WOLFSSL_HAS_CHACHA
-   bool "Include ChaCha cipher suite support"
-   default n
-
-config WOLFSSL_HAS_ECC
-   bool "Include ECC (Elliptic Curve Cryptography) support"
+config WOLFSSL_HAS_CHACHA_POLY
+   bool "Include ChaCha20-Poly1305 cipher suite support"
default y
 
 config WOLFSSL_HAS_DH
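Review bot: besides removing WOLFSSL_HAS_CHACHA and WOLFSSL_HAS_ECC, this hunk flips the ChaCha default from n to y under the new name WOLFSSL_HAS_CHACHA_POLY, which the commit message does not mention; it is a sensible default (it is one of the AEADs TLS 1.3 needs, and the TLS 1.3 option below depends on it) but it grows the default library, so call it out. With WOLFSSL_HAS_ECC gone, every remaining `depends on WOLFSSL_HAS_ECC` in this file has to be removed in the same patch.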
@@ -24,13 +20,18 @@ config WOLFSSL_HAS_ARC4
bool "Include ARC4 support"
default y
 
-config WOLFSSL_HAS_DES3
-   bool "Include DES3 (Tripple-DES) support"
+config WOLFSSL_HAS_TLSV10
+   bool "Include TLS 1.0 support"
default y
 
-config WOLFSSL_HAS_PSK
-   bool "Include PKS (Pre Share Key) support"
-   default y
+if !(WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY)
+   comment "! TLS 1.3 support needs one of: AES-CCM, AES-GCM, 
ChaCha20-Poly1305"
+endif
+
+config WOLFSSL_HAS_TLSV13
+   bool "Include TLS 1.3 support"
+   depends on 
WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY
+   default n
 
 config WOLFSSL_HAS_SESSION_TICKET
bool "Include session ticket support"
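Review bot: WOLFSSL_HAS_TLSV10 is `default y` while WOLFSSL_HAS_TLSV13 is `default n`, which is the wrong way round for a security default: TLS 1.0 is the deprecated version, and TLS 1.3 removes the CBC and RSA-key-exchange suites behind the padding and Bleichenbacher-style attacks this series cites. Consider `default n` for TLS 1.0 (or a prompt that marks it legacy) and `default y` for TLS 1.3 wherever the AEAD dependency is met. The `depends on` plus the `comment` under the negated `if` is the right Kconfig idiom for that dependency.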
@@ -41,20 +42,40 @@ config WOLFSSL_HAS_DTLS
default n
 
 config WOLFSSL_HAS_OCSP
-   bool "Include OSCP support"
+   bool "Include OSCP stapling support"
default y
 
 config WOLFSSL_HAS_WPAS
bool "Include wpa_supplicant support"
+   select WOLFSSL_HAS_ARC4
+   select WOLFSSL_HAS_OCSP
+   select WOLFSSL_HAS_SESSION_TICKET
default y
 
 config WOLFSSL_HAS_ECC25519
bool "Include ECC Curve 22519 support"
-   depends on WOLFSSL_HAS_ECC
default n
 
-config WOLFSSL_HAS_POLY1305
-   bool "Include Poly-1305 support"
-   default n
+if WOLFSSL_HAS_AES_CCM
+   comment "! Hardware Acceleration does not build with AES-CCM enabled"
+endif
+if !WOLFSSL_HAS_AES_CCM
+   choice
+   prompt "Hardware Acceleration"
+   default WOLFSSL_HAS_NO_HW
+
+   config WOLFSSL_HAS_NO_HW
+   bool "None"
+
+   config WOLFSSL_HAS_AFALG
+   bool "AF_ALG"
+
+   config WOLFSSL_HAS_DEVCRYPTO_AES
+   bool "/dev/crypto - AES-only"
+
+   config WOLFSSL_HAS_DEVCRYPTO_FULL
+   bool "/dev/crypto - full"
+   endchoice
+endif
 
 endif
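Review bot: the new prompt `Include OSCP stapling support` carries the `OSCP` typo over from the line it replaces; make it `OCSP` while touching the line, and the context line `Include ECC Curve 22519 support` in this hunk should read `Curve 25519`. Putting the hardware-acceleration `choice` under `if !WOLFSSL_HAS_AES_CCM` means a user who enables AES-CCM later silently loses WOLFSSL_HAS_AFALG / WOLFSSL_HAS_DEVCRYPTO_* from .config instead of getting a build error; the `comment` helps, but the commit message should name the bug behind the CCM conflict so the workaround can be removed once it is fixed upstream.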
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index d96dbea323..77a5f9d8fd 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -13,7 +13,7 @@ PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a
+PKG_HASH:=70e4fbeb91284a269b25a84fc526755c670475aee4034a6f237b1f754d108af3
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
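Review bot: this PKG_HASH change (dc97c07a... to 70e4fbeb...) is the checksum for the 3.15.7-stable tarball introduced in 1/3, so it belongs in that commit; as split, 1/3 on its own downloads an archive whose hash does not match, which breaks bisecting and any cherry-pick of 1/3 alone.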
@@ -21,15 +21,17 @@ PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=LICENSING COPYING
+PKG_MAINTAINER:=Eneas U de Queiroz 
 PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
-   CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \
-   CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
-   CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \
-   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY1305 \
-   CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \
+   CONFIG_WOLFSSL_HAS_AFALG CONFIG_WOLFSSL_HAS_ARC4 \
+   CONFIG_WOLFSSL_HAS_CHACHA_POLY CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \
+   CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL, CONFIG_WOLFSSL_HAS_DH \
+   CONFIG_WOLFSSL_HAS_DTLS CONFIG_WOLFSSL_HAS_ECC25519 \
+   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_SESSION_TICKET \
+   CONFIG_WOLFSSL_HAS_TLSV10 CONFIG_WOLFSSL_HAS_TLSV13 \
CONFIG_WOLFSSL_HA
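Review bot: `CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL,` has a trailing comma, so the token added to PKG_CONFIG_DEPENDS is the literal string including the comma and never matches the real config symbol; toggling the "/dev/crypto - full" option will not trigger a rebuild of the library. Drop the comma.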

[OpenWrt-Devel] [PATCH v2 0/3] wolfssl update

2019-07-01 Thread Eneas U de Queiroz
This series starts with an update to version 3.15.7, which includes a
security fix, and should be cherry-picked to 19.07.  I'm not
cherry-picking it to 18.06 because it changes ABI, and it would cause
package breakage because 18.06 is not ABI version-aware.

I've increased the FP_MAX_BITS parameter to 8192, to allow usage of
4096-bit RSA keys.  Otherwise it would fail to verify many CA
certificates that use 4096-bit keys, including Microsoft's.

Update master to 4.0.0.  This version adds support for TLS 1.3, hardware
acceleration using /dev/crypto and AF_ALG.  The features were added in
3.15.7, but only enabled here in 4.0.0.

Many of the current build options were not effective, they were always
built into the library because of an unconditional --enable-stunnel
parameter to configure, so they can be removed.  Since hostapd selected
some of these options, they are being removed there as well.  The
hostapd change includes the removal of the selection of the library
itself, allowing libwolfssl to be built as a module when hostapd depends
on it, and is built as a module.

I've ensured dependent packages are successfully built with this
version, opening a couple of PRs in the packages feed.  They had been
broken for a while now, which makes me wonder how many people are
actually using wolfssl today.  Nonetheless, a TLS library supporting hw
crypto acceleration and TLS 1.3 under 300KB seems interesting.

The library was run-tested on WRT-3200ACM using uhttpd, uclient-fetch,
and curl with different build options, turning them on one by one
cumulatively.  The size varied from 227K with all options off, to 312K
with all options on, and defaults to 297K.

Enabling hardware acceleration and AES-CCM at the same time results in a
build failure, which dents my confidence.  Nonetheless, uhttpd connects
without a problem, and I can confirm /dev/crypto or AF_ALG sockets open.

The package currently lacks a maintainer, so I've added myself.

--
Changelog:
v1->v2:

* Increased FP_MAX_BITS to allow 4096-bit RSA keys.
* Update master to 4.0.0

Eneas U de Queiroz (3):
  wolfssl: update to 3.15.7, fix Makefile
  wolfssl: update to 4.0.0-stable
  hostapd: adjust removed wolfssl options

 package/libs/wolfssl/Config.in|  51 ---
 package/libs/wolfssl/Makefile | 124 +-
 .../patches/100-disable-hardening-check.patch |   4 +-
 .../101-AR-flags-configure-update.patch   |  23 
 .../900-remove-broken-autoconf-macros.patch   |   2 +-
 package/network/services/hostapd/Config.in|   4 -
 6 files changed, 70 insertions(+), 138 deletions(-)
 delete mode 100644 
package/libs/wolfssl/patches/101-AR-flags-configure-update.patch




[OpenWrt-Devel] [PATCH v2 1/3] wolfssl: update to 3.15.7, fix Makefile

2019-07-01 Thread Eneas U de Queiroz
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack.  Patches were refreshed.
Increased FP_MAX_BITS to allow 4096-bit RSA keys.
Fixed poly1305 build option, and some Makefile updates.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 50b0bb9cdf..4aa163b361 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -53,7 +53,7 @@ config WOLFSSL_HAS_ECC25519
depends on WOLFSSL_HAS_ECC
default n
 
-config WOLFSSL_HAS_POLY_1305
+config WOLFSSL_HAS_POLY1305
bool "Include Poly-1305 support"
default n
 
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 23bb1c5220..7aaa562539 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,11 +8,10 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=3.15.3-stable
-PKG_RELEASE:=2
+PKG_VERSION:=3.15.7-stable
+PKG_RELEASE:=1
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
-# PKG_SOURCE_URL:=https://www.wolfssl.com/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
 PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a
 
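Review bot: PKG_HASH is still the 3.15.3 value dc97c07a... in v2 even though PKG_VERSION and the archive format (zip to tar.gz) both change in this hunk; the checksum on the 3.15.7-stable tarball will fail until the hash is regenerated in this same commit.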
@@ -20,15 +19,16 @@ PKG_FIXUP:=libtool
 PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
-PKG_LICENSE:=GPL-2.0+
-PKG_CPE_ID:=cpe:/a:yassl:cyassl
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=LICENSING COPYING
+PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \
CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \
-   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY_1305 \
+   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY1305 \
CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \
CONFIG_WOLFSSL_HAS_WPAS
 
@@ -42,7 +42,7 @@ define Package/libwolfssl
   URL:=http://www.wolfssl.com/
   MENU:=1
   PROVIDES:=libcyassl
-  ABI_VERSION:=18
+  ABI_VERSION:=19
 endef
 
 define Package/libwolfssl/description
@@ -54,7 +54,7 @@ define Package/libwolfssl/config
source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC)
+TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
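Review bot: `-DFP_MAX_BITS=8192` is the right knob (fastmath needs a double-width product, so the usable RSA key size is FP_MAX_BITS/2), but two consequences belong in a comment next to the line or in the commit message: FP_MAX_BITS sets the size of mp_int and therefore of public key structures such as RsaKey, so every package compiling against the installed headers must see the same define (check that the installed options.h or pkg-config flags carry it, since it is passed through TARGET_CFLAGS rather than configure); and the fastmath temporaries wolfSSL keeps on the stack double in size, which matters on small-RAM targets and in threads with small stacks. The 4096-bit CA motivation is only in the cover letter and should be in this commit message.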
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index d913b5fdea..8a51434633 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -1624,7 +1624,7 @@ extern void uITRON4_free(void *p) ;
+@@ -1759,7 +1759,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
@@ -8,4 +8,4 @@
 +#if 0
  #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
  (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \
- (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS))
+ (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS) 
&& \
diff --git 
a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch 
b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
index 66582cfc46..6b0861288f 100644
--- a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
+++ b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4198,7 +4198,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta
+@@ -4614,7 +4614,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta
  AC_CONFIG_FILES([Makefile wolfssl/version.h wolfssl/options.h 
cyassl/options.h support/wolfssl.pc rpm/spec])
  
  AX_CREATE_GENERIC_CONFIG



[OpenWrt-Devel] [PATCH v2 3/3] hostapd: adjust removed wolfssl options

2019-07-01 Thread Eneas U de Queiroz
This adjusts the selection of recently removed wolfssl options which
have always been built into the library even in their absence.
Also remove the selection of libwolfssl itself, allowing the library to
be built as a module.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/network/services/hostapd/Config.in 
b/package/network/services/hostapd/Config.in
index 1966067219..9ce4b243cc 100644
--- a/package/network/services/hostapd/Config.in
+++ b/package/network/services/hostapd/Config.in
@@ -51,15 +51,11 @@ config WPA_WOLFSSL
PACKAGE_wpad-wolfssl ||\
PACKAGE_wpad-mesh-wolfssl ||\
PACKAGE_eapol-test-wolfssl
-   select PACKAGE_libwolfssl
select WOLFSSL_HAS_AES_CCM
select WOLFSSL_HAS_AES_GCM
select WOLFSSL_HAS_ARC4
-   select WOLFSSL_HAS_DES3
select WOLFSSL_HAS_DH
-   select WOLFSSL_HAS_ECC
select WOLFSSL_HAS_OCSP
-   select WOLFSSL_HAS_PSK
select WOLFSSL_HAS_SESSION_TICKET
select WOLFSSL_HAS_WPAS
 



[OpenWrt-Devel] [PATCH v2 2/3] wolfssl: update to 4.0.0-stable

2019-07-01 Thread Eneas U de Queiroz
Removed options that can't be turned off because we're building with
--enable-stunnel, some of which affect hostapd's Config.in.
Adjusted the title of OCSP option, as OCSP itself can't be turned off,
only the stapling part is selectable.
Mark options turned on when wpad support is selected.
Add building options for TLS 1.0, and TLS 1.3.
Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
Reorganized option conditionals in Makefile.
Add Eneas U de Queiroz as maintainer.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 4aa163b361..875ff5e6a3 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -8,12 +8,8 @@ config WOLFSSL_HAS_AES_GCM
bool "Include AES-GCM support"
default y
 
-config WOLFSSL_HAS_CHACHA
-   bool "Include ChaCha cipher suite support"
-   default n
-
-config WOLFSSL_HAS_ECC
-   bool "Include ECC (Elliptic Curve Cryptography) support"
+config WOLFSSL_HAS_CHACHA_POLY
+   bool "Include ChaCha20-Poly1305 cipher suite support"
default y
 
 config WOLFSSL_HAS_DH
@@ -24,12 +20,17 @@ config WOLFSSL_HAS_ARC4
bool "Include ARC4 support"
default y
 
-config WOLFSSL_HAS_DES3
-   bool "Include DES3 (Tripple-DES) support"
+config WOLFSSL_HAS_TLSV10
+   bool "Include TLS 1.0 support"
default y
 
-config WOLFSSL_HAS_PSK
-   bool "Include PKS (Pre Share Key) support"
+if !(WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY)
+   comment "! TLS 1.3 support needs one of: AES-CCM, AES-GCM, 
ChaCha20-Poly1305"
+endif
+
+config WOLFSSL_HAS_TLSV13
+   bool "Include TLS 1.3 support"
+   depends on 
WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY
default y
 
 config WOLFSSL_HAS_SESSION_TICKET
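Review bot: v2 flips WOLFSSL_HAS_TLSV13 to `default y`, which is the better default; WOLFSSL_HAS_TLSV10 a few lines above is still `default y`, and nothing in the message says why a deprecated protocol version stays on by default. If wpad needs it for EAP-TLS against old peers, say so in the prompt or the commit message; otherwise make it `default n`.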
@@ -41,20 +42,40 @@ config WOLFSSL_HAS_DTLS
default n
 
 config WOLFSSL_HAS_OCSP
-   bool "Include OSCP support"
+   bool "Include OSCP stapling support"
default y
 
 config WOLFSSL_HAS_WPAS
bool "Include wpa_supplicant support"
+   select WOLFSSL_HAS_ARC4
+   select WOLFSSL_HAS_OCSP
+   select WOLFSSL_HAS_SESSION_TICKET
default y
 
 config WOLFSSL_HAS_ECC25519
bool "Include ECC Curve 22519 support"
-   depends on WOLFSSL_HAS_ECC
default n
 
-config WOLFSSL_HAS_POLY1305
-   bool "Include Poly-1305 support"
-   default n
+if WOLFSSL_HAS_AES_CCM
+   comment "! Hardware Acceleration does not build with AES-CCM enabled"
+endif
+if !WOLFSSL_HAS_AES_CCM
+   choice
+   prompt "Hardware Acceleration"
+   default WOLFSSL_HAS_NO_HW
+
+   config WOLFSSL_HAS_NO_HW
+   bool "None"
+
+   config WOLFSSL_HAS_AFALG
+   bool "AF_ALG"
+
+   config WOLFSSL_HAS_DEVCRYPTO_AES
+   bool "/dev/crypto - AES-only"
+
+   config WOLFSSL_HAS_DEVCRYPTO_FULL
+   bool "/dev/crypto - full"
+   endchoice
+endif
 
 endif
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 7aaa562539..678eb4936b 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=3.15.7-stable
+PKG_VERSION:=4.0.0-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a
+PKG_HASH:=6cf678c72b485d1904047c40c20f85104c96b5f39778822783a2c407ccb23657
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
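Review bot: the subject says update to 4.0.0-stable, but the message body is the v1 "reorganize, add build options" text and never mentions the version change, the new PKG_HASH, or what 4.0.0 brings (the cover letter says TLS 1.3 and hardware acceleration are only enabled with 4.0.0). Put that in the commit message, and state whether the ABI_VERSION set to 19 in 1/3 still holds for 4.0.0.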
@@ -21,15 +21,17 @@ PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=LICENSING COPYING
+PKG_MAINTAINER:=Eneas U de Queiroz 
 PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
-   CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \
-   CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
-   CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \
-   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY1305 \
-   CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \
+   CONFIG_WOLFSSL_HAS_AFALG CONFIG_WOLFSSL_HAS_ARC4 \
+   CONFIG_WOLFSSL_HAS_CHACHA_POLY CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \
+   CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL, CONFIG_WOLFSSL_HAS_DH \
+   CONFIG_WOLFSSL_HAS_DTLS CONFIG_WOLFSSL_HAS_ECC25519 \
+   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_SESSION_TICKET \
+   CONFIG_WOLFSSL_HAS_TLSV10 CONFIG_WOLFSSL_H
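Review bot: the trailing comma after CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL is still present in v2; with it, the "/dev/crypto - full" option is effectively missing from PKG_CONFIG_DEPENDS and toggling it does not trigger a rebuild. Drop the comma.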

[OpenWrt-Devel] [PATCH] wolfssl: fix PKG_HASH

2019-07-08 Thread Eneas U de Queiroz
Commit 3167a57 missed it.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 7aaa562539..264be02496 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -13,7 +13,7 @@ PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a
+PKG_HASH:=70e4fbeb91284a269b25a84fc526755c670475aee4034a6f237b1f754d108af3
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
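Review bot: the new PKG_HASH equals the value the v1 2/3 patch carried for the same 3.15.7-stable tarball, which is a useful cross-check that this is the right digest. Since the 3.15.7 bump was meant to be cherry-picked to 19.07, this fix has to follow it there too, or that branch keeps failing the checksum on download.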

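What this one-line fix restores is the only integrity check on the wolfSSL source: PKG_SOURCE_URL points at a GitHub archive that is generated on demand, so PKG_HASH is what pins the bytes the build compiles. As an added example (not OpenWrt's own scripts/download.pl), the script below performs the same comparison offline: it reads the PKG_* variables from a Makefile fragment, expands the $(VAR) references to get the archive file name, and compares PKG_HASH with the SHA-256 of the archive bytes, treating the special value `skip` (which OpenWrt accepts to bypass the check) as a finding. The Makefile text is taken from the patches above; the archive bytes are a constructed stand-in, so the first check fails as the unfixed Makefile did, and a rewritten PKG_HASH then passes.

```python
import hashlib
import re

# Makefile fragment as it stood after the version bump (taken from the patches above).
SAMPLE_MAKEFILE = """\
PKG_NAME:=wolfssl
PKG_VERSION:=3.15.7-stable
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a
"""

# Constructed stand-in for the downloaded archive; a real run reads
# dl/<PKG_SOURCE> from the build tree instead.
SAMPLE_ARCHIVE = b"constructed stand-in for wolfssl-3.15.7-stable.tar.gz\n"

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:?=\s*(.*)$")   # VAR:=value or VAR=value
_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")               # $(VAR)


def parse_makefile_vars(text: str) -> dict:
    """Collect simple VAR:=value / VAR=value lines; later assignments win, as in make.
    Appends (+=) and conditionals are ignored, which is enough for PKG_* metadata."""
    found = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def expand(value: str, variables: dict, depth: int = 0) -> str:
    """Expand $(VAR) references recursively; unknown variables expand to ''."""
    if depth > 16:
        raise ValueError("variable reference loop")
    return _REF.sub(lambda m: expand(variables.get(m.group(1), ""), variables, depth + 1), value)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pkg_hash(makefile_text: str, archive_bytes: bytes) -> dict:
    """Compare PKG_HASH with the archive digest; 'skip' and malformed values are failures."""
    variables = parse_makefile_vars(makefile_text)
    source = expand(variables.get("PKG_SOURCE", ""), variables)
    expected = variables.get("PKG_HASH", "").strip().lower()
    actual = sha256_hex(archive_bytes)
    if expected == "skip":
        reason = "PKG_HASH:=skip disables verification"
    elif not re.fullmatch(r"[0-9a-f]{64}", expected):
        reason = "PKG_HASH is not a SHA-256 hex digest"
    elif expected != actual:
        reason = "PKG_HASH does not match the archive"
    else:
        reason = ""
    return {"source": source, "expected": expected, "actual": actual,
            "ok": reason == "", "reason": reason}


def with_pkg_hash(makefile_text: str, new_hash: str) -> str:
    """Rewrite the PKG_HASH line, the same edit the fix above makes by hand."""
    return re.sub(r"^(PKG_HASH\s*:?=\s*).*$", lambda m: m.group(1) + new_hash,
                  makefile_text, flags=re.M)


if __name__ == "__main__":
    result = verify_pkg_hash(SAMPLE_MAKEFILE, SAMPLE_ARCHIVE)
    print(result["source"], "ok" if result["ok"] else "FAIL: " + result["reason"])
    fixed = with_pkg_hash(SAMPLE_MAKEFILE, sha256_hex(SAMPLE_ARCHIVE))
    print("after fix:", verify_pkg_hash(fixed, SAMPLE_ARCHIVE)["ok"])
```

Run against a real tree by reading `dl/wolfssl-3.15.7-stable.tar.gz` into `archive_bytes`; the build system does the same comparison, which is why a stale PKG_HASH turns into a download failure for everyone pulling the branch rather than a quiet mismatch.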


[OpenWrt-Devel] [PATCH 0/2] Remove eglibc remnants

2019-07-15 Thread Eneas U de Queiroz
I've found some remnants from eglibc, removed by 64da662 in Feb/2016.
While at it, I stumbled upon a case statement with redundant commands,
so I've simplified it as well.

Eneas U de Queiroz (2):
  libs/toolchain: remove eglibc remnant file
  target/toolchain/files/wrapper.sh: simplify 'case'

 .../libs/toolchain/eglibc-files/etc/nsswitch.conf   | 13 -
 target/toolchain/files/wrapper.sh   | 10 +-
 2 files changed, 1 insertion(+), 22 deletions(-)
 delete mode 100644 package/libs/toolchain/eglibc-files/etc/nsswitch.conf




[OpenWrt-Devel] [PATCH 1/2] libs/toolchain: remove eglibc remnant file

2019-07-15 Thread Eneas U de Queiroz
This removes package/libs/toolchain/eglibc-files/etc/nsswitch.conf.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/toolchain/eglibc-files/etc/nsswitch.conf 
b/package/libs/toolchain/eglibc-files/etc/nsswitch.conf
deleted file mode 100644
index 981c425da6..00
--- a/package/libs/toolchain/eglibc-files/etc/nsswitch.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-passwd:files
-shadow:files
-group:files
-hosts:dns files
-bootparams:files
-ethers:files
-netmasks:files
-networks:files
-protocols:files
-rpc:files
-services:files
-automount:files
-aliases:files
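Review bot: deleting the file is only safe if nothing still installs it; confirm package/libs/toolchain/Makefile (not in this diff) has no remaining reference to eglibc-files, otherwise the install step fails on a missing source path instead of shipping a stale one.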



[OpenWrt-Devel] [PATCH 2/2] target/toolchain/files/wrapper.sh: simplify 'case'

2019-07-15 Thread Eneas U de Queiroz
Removed an eglibc remnant, and while at it, grouped all of the
TOOLCHAIN_PLATFORMs using the same FLAGS together.

Signed-off-by: Eneas U de Queiroz 

diff --git a/target/toolchain/files/wrapper.sh 
b/target/toolchain/files/wrapper.sh
index 2b760840d8..4452128382 100755
--- a/target/toolchain/files/wrapper.sh
+++ b/target/toolchain/files/wrapper.sh
@@ -56,15 +56,7 @@ fi
 # --dynamic-linker=$TOOLCHAIN_SYSROOT/lib/ld-uClibc.so.0 
 
 case $TOOLCHAIN_PLATFORM in
-   gnu|glibc|eglibc)
-   GCC_SYSROOT_FLAGS="--sysroot=$TOOLCHAIN_SYSROOT 
-Wl,-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib"
-   
LD_SYSROOT_FLAGS="-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib"
-   ;;
-   uclibc)
-   GCC_SYSROOT_FLAGS="--sysroot=$TOOLCHAIN_SYSROOT 
-Wl,-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib"
-   
LD_SYSROOT_FLAGS="-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib"
-   ;;
-   musl)
+   gnu|glibc|uclibc|musl)
GCC_SYSROOT_FLAGS="--sysroot=$TOOLCHAIN_SYSROOT 
-Wl,-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib"

LD_SYSROOT_FLAGS="-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib"
;;
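Review bot: merging the arms changes one observable thing the commit message should state: `eglibc` is no longer matched, so a caller still exporting TOOLCHAIN_PLATFORM=eglibc now falls through to whatever arm follows this hunk instead of getting the sysroot and rpath flags. Otherwise the three arms set identical GCC_SYSROOT_FLAGS and LD_SYSROOT_FLAGS, so the merge is behaviour-preserving.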



[OpenWrt-Devel] [PATCH 1/1] wolfssl: bump to 4.1.0-stable

2019-08-05 Thread Eneas U de Queiroz
Always build AES-GCM support.
Unnecessary patches were removed.

This includes two vulnerability fixes:

CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK
extension parsing.

CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 875ff5e6a3..a729f73a1d 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -4,10 +4,6 @@ config WOLFSSL_HAS_AES_CCM
bool "Include AES-CCM support"
default y
 
-config WOLFSSL_HAS_AES_GCM
-   bool "Include AES-GCM support"
-   default y
-
 config WOLFSSL_HAS_CHACHA_POLY
bool "Include ChaCha20-Poly1305 cipher suite support"
default y
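Review bot: removing WOLFSSL_HAS_AES_GCM as a user-visible option means a .config with WOLFSSL_HAS_AES_GCM=n is silently upgraded to GCM always on; that is the right outcome (TLS 1.3's mandatory suite is AES-GCM) but it should be stated in the commit message rather than left to "Always build AES-GCM support."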
@@ -24,13 +20,8 @@ config WOLFSSL_HAS_TLSV10
bool "Include TLS 1.0 support"
default y
 
-if !(WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY)
-   comment "! TLS 1.3 support needs one of: AES-CCM, AES-GCM, 
ChaCha20-Poly1305"
-endif
-
 config WOLFSSL_HAS_TLSV13
bool "Include TLS 1.3 support"
-   depends on 
WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY
default y
 
 config WOLFSSL_HAS_SESSION_TICKET
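Review bot: dropping the AEAD `depends on` guard for WOLFSSL_HAS_TLSV13 is only correct because the AES-GCM option was removed in the previous hunk and GCM is now built unconditionally; say so in the commit message so the guard is not forgotten the next time an AEAD becomes optional again.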
@@ -56,6 +47,9 @@ config WOLFSSL_HAS_ECC25519
bool "Include ECC Curve 22519 support"
default n
 
+config WOLFSSL_HAS_DEVCRYPTO
+   bool
+
 if WOLFSSL_HAS_AES_CCM
comment "! Hardware Acceleration does not build with AES-CCM enabled"
 endif
@@ -72,9 +66,11 @@ if !WOLFSSL_HAS_AES_CCM
 
config WOLFSSL_HAS_DEVCRYPTO_AES
bool "/dev/crypto - AES-only"
+   select WOLFSSL_HAS_DEVCRYPTO
 
config WOLFSSL_HAS_DEVCRYPTO_FULL
bool "/dev/crypto - full"
+   select WOLFSSL_HAS_DEVCRYPTO
endchoice
 endif
 
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 678eb4936b..2ad03a5aca 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.0.0-stable
+PKG_VERSION:=4.1.0-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=6cf678c72b485d1904047c40c20f85104c96b5f39778822783a2c407ccb23657
+PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
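Review bot: 4.0.0 to 4.1.0 brings two CVE fixes but nothing in this diff touches ABI_VERSION; confirm the installed library's SONAME is unchanged from 4.0.0 (the smaller 3.15.3 to 3.15.7 step needed a bump), since an ABI change with an unchanged ABI_VERSION breaks already-installed dependents without opkg noticing.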
@@ -25,14 +25,13 @@ PKG_MAINTAINER:=Eneas U de Queiroz 
 PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
-   CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
-   CONFIG_WOLFSSL_HAS_AFALG CONFIG_WOLFSSL_HAS_ARC4 \
-   CONFIG_WOLFSSL_HAS_CHACHA_POLY CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \
-   CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL, CONFIG_WOLFSSL_HAS_DH \
-   CONFIG_WOLFSSL_HAS_DTLS CONFIG_WOLFSSL_HAS_ECC25519 \
-   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_SESSION_TICKET \
-   CONFIG_WOLFSSL_HAS_TLSV10 CONFIG_WOLFSSL_HAS_TLSV13 \
-   CONFIG_WOLFSSL_HAS_WPAS
+   CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AFALG \
+   CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA_POLY \
+   CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL \
+   CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
+   CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
+   CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
+   CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS
 
 include $(INCLUDE_DIR)/package.mk
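Review bot: the old PKG_CONFIG_DEPENDS list carried a stray comma after CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL, which this rewrite fixes as a side effect; name that fix in the commit message, because a stray token in PKG_CONFIG_DEPENDS silently weakens rebuild tracking and is easy to miss in a reorder.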
 
@@ -65,11 +64,9 @@ CONFIGURE_ARGS += \
--enable-sni \
--enable-stunnel \
--disable-examples \
-   --disable-leanpsk \
-   --disable-leantls \
+   --disable-jobserver \
--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
--$(if $(CONFIG_WOLFSSL_HAS_AES_CCM),enable,disable)-aesccm \
-   --$(if $(CONFIG_WOLFSSL_HAS_AES_GCM),enable,disable)-aesgcm \
--$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-chacha \
--$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-poly1305 \
--$(if $(CONFIG_WOLFSSL_HAS_DH),enable,disable)-dh \
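Review bot: the conditional `--$(if $(CONFIG_WOLFSSL_HAS_AES_GCM),enable,disable)-aesgcm` line is removed without an explicit `--enable-aesgcm` replacement, so AES-GCM now relies on the upstream configure default; an explicit `--enable-aesgcm` would make the "always build AES-GCM" intent visible and robust against a future upstream default change. `--disable-leanpsk` and `--disable-leantls` are also dropped in this hunk without a word in the message.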
diff --git a/package/libs/wolfssl/patches/400-additional_compatibility.patch 
b/package/libs/wolfssl/patches/400-additional_compatibility.patch
deleted file mode 100644
index 1464e9d2a8..00
--- a/package/libs/wolfssl/patches/400-additional_compatibility.patch
+++ /dev/null
@@ -1,12 +0,0 @@
 a/cyassl/openssl/ssl.h
-+++ b/cyassl/openssl/ssl.h
-@@ -28,6 +28,9 @@
- #define CYASSL_OPENSSL_H_
- 
- #include 
-+#ifndef HAVE_SNI
-+#undef CYASSL_SNI_HOS

[OpenWrt-Devel] [PATCH 0/1] wolfssl: bump to 4.1.0-stable

2019-08-05 Thread Eneas U de Queiroz
I'm requesting comments about updating this in 18.06.

I'm sending this to 19.07 right away, but it won't be so easy with 18.06
because there is an ABI version change from 3.15.3 (current) to 3.15.7.
Besides CVE-2019-13628, it is vulnerable to CVE-2018-16870: a variant of
the Bleichenbacher attack.

I've managed to backport both fixes:
* CVE-2019-13628 applied cleanly;
* CVE-2018-16870 needed some work.  I've run the testsuite, and all
  tests passed.  I've used gdb while running them, and could verify that
  the tests covered all of the changed lines, except for some of the
  newly added error conditions.

CVE-2019-13628 is scheduled to be issued on Sep 02.

So we have three choices:
* update to 4.1.0-stable: we have to deal with the ABI version change.
  If we do nothing, then dependent packages will not work without
  removal and reinstallation.
  We can increase PKG_RELEASE for the dependent packages, some of which
  may be cumbersome: hostapd and ustream-ssl will either require a
  cumbersome subpackage bump, or have everybody else who does not use
  wolfssl be prompted to needlessly update their packages.
* apply a custom patch that will not be so thoroughly tested.
* do nothing: both vulnerabilities are timing attacks; CVE-2018-16870 is
  rated medium-severity.  We can wait for CVE-2019-13628's final grade,
  but wolfssl states it "is considered difficult to exploit".

Even though I'm confident the patches will not do much harm, I'm more
comfortable with updating to 4.1.0 and bumping dependent subpackages.

A note about the removed patches:

400-additional_compatibility.patch: I couldn't find much about the need
for this; it appears to be related to SNI support, which was new at the
time.  I've compiled all packages that use wolfssl and found no issues
with them. ustream-ssl actually defines HAVE_SNI, and I have done
extensive runtime tests without any issues.

900-remove-broken-autoconf-macros.patch: this was fixed upstream, and
the jobserver was disabled by ./configure --disable-jobserver.

Eneas U de Queiroz (1):
  wolfssl: bump to 4.1.0-stable

 package/libs/wolfssl/Config.in| 14 ---
 package/libs/wolfssl/Makefile | 23 ---
 .../400-additional_compatibility.patch| 12 --
 .../900-remove-broken-autoconf-macros.patch   | 21 -
 4 files changed, 15 insertions(+), 55 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/400-additional_compatibility.patch
 delete mode 100644 package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch




[OpenWrt-Devel] [19.07 PATCH] wolfssl: bump to 4.1.0-stable

2019-08-05 Thread Eneas U de Queiroz
Always build AES-GCM support.
Unnecessary patches were removed.

This includes two vulnerability fixes:

CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK
extension parsing.

CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack.

This brings the package up-to-date with master, so it incorporates
changes from 4.0.0 in master:
* Removed options that can't be turned off because we're building with
  --enable-stunnel, some of which affect hostapd's Config.in.
* Adjusted the title of OCSP option, as OCSP itself can't be turned off,
  only the stapling part is selectable.
* Mark options turned on when wpad support is selected.
* Add building options for TLS 1.0, and TLS 1.3.
* Add hardware crypto support, which due to a bug, only works when CCM
  support is turned off.
* Reorganized option conditionals in Makefile.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 4aa163b361..a729f73a1d 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -4,16 +4,8 @@ config WOLFSSL_HAS_AES_CCM
bool "Include AES-CCM support"
default y
 
-config WOLFSSL_HAS_AES_GCM
-   bool "Include AES-GCM support"
-   default y
-
-config WOLFSSL_HAS_CHACHA
-   bool "Include ChaCha cipher suite support"
-   default n
-
-config WOLFSSL_HAS_ECC
-   bool "Include ECC (Elliptic Curve Cryptography) support"
+config WOLFSSL_HAS_CHACHA_POLY
+   bool "Include ChaCha20-Poly1305 cipher suite support"
default y
 
 config WOLFSSL_HAS_DH
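Review bot: removing the WOLFSSL_HAS_AES_GCM, WOLFSSL_HAS_CHACHA and WOLFSSL_HAS_ECC symbols breaks every `select` on them elsewhere in the tree; hostapd's Config.in still carries `select WOLFSSL_HAS_AES_GCM` and `select WOLFSSL_HAS_ECC` (see the 18.06 hostapd hunk later in this thread), so the matching hostapd change has to land in 19.07 in the same series or kconfig will warn about unknown symbols.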
@@ -24,12 +16,12 @@ config WOLFSSL_HAS_ARC4
bool "Include ARC4 support"
default y
 
-config WOLFSSL_HAS_DES3
-   bool "Include DES3 (Tripple-DES) support"
+config WOLFSSL_HAS_TLSV10
+   bool "Include TLS 1.0 support"
default y
 
-config WOLFSSL_HAS_PSK
-   bool "Include PKS (Pre Share Key) support"
+config WOLFSSL_HAS_TLSV13
+   bool "Include TLS 1.3 support"
default y
 
 config WOLFSSL_HAS_SESSION_TICKET
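Review bot: WOLFSSL_HAS_TLSV10 is introduced with `default y`, so every default build keeps the deprecated TLS 1.0 protocol compiled in; consider `default n` so that TLS 1.0 is an explicit opt-in, while leaving WOLFSSL_HAS_TLSV13 at `default y`.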
@@ -41,20 +33,45 @@ config WOLFSSL_HAS_DTLS
default n
 
 config WOLFSSL_HAS_OCSP
-   bool "Include OSCP support"
+   bool "Include OSCP stapling support"
default y
 
 config WOLFSSL_HAS_WPAS
bool "Include wpa_supplicant support"
+   select WOLFSSL_HAS_ARC4
+   select WOLFSSL_HAS_OCSP
+   select WOLFSSL_HAS_SESSION_TICKET
default y
 
 config WOLFSSL_HAS_ECC25519
bool "Include ECC Curve 22519 support"
-   depends on WOLFSSL_HAS_ECC
default n
 
-config WOLFSSL_HAS_POLY1305
-   bool "Include Poly-1305 support"
-   default n
+config WOLFSSL_HAS_DEVCRYPTO
+   bool
+
+if WOLFSSL_HAS_AES_CCM
+   comment "! Hardware Acceleration does not build with AES-CCM enabled"
+endif
+if !WOLFSSL_HAS_AES_CCM
+   choice
+   prompt "Hardware Acceleration"
+   default WOLFSSL_HAS_NO_HW
+
+   config WOLFSSL_HAS_NO_HW
+   bool "None"
+
+   config WOLFSSL_HAS_AFALG
+   bool "AF_ALG"
+
+   config WOLFSSL_HAS_DEVCRYPTO_AES
+   bool "/dev/crypto - AES-only"
+   select WOLFSSL_HAS_DEVCRYPTO
+
+   config WOLFSSL_HAS_DEVCRYPTO_FULL
+   bool "/dev/crypto - full"
+   select WOLFSSL_HAS_DEVCRYPTO
+   endchoice
+endif
 
 endif
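Review bot: the retitled option keeps the pre-existing typo: `bool "Include OSCP stapling support"` should read `"Include OCSP stapling support"`; since the hunk rewrites that line anyway, this is the place to fix it.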
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 264be02496..2ad03a5aca 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=3.15.7-stable
+PKG_VERSION:=4.1.0-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=70e4fbeb91284a269b25a84fc526755c670475aee4034a6f237b1f754d108af3
+PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
@@ -21,16 +21,17 @@ PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=LICENSING COPYING
+PKG_MAINTAINER:=Eneas U de Queiroz 
 PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
-   CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
-   CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \
-   CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
-   CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_E

[OpenWrt-Devel] [RFC 18.06 PATCH 3/3] hostapd: bump wolfssl variants, adjust options

2019-08-05 Thread Eneas U de Queiroz
wolfssl changed ABI version, so this forces an update to hostapd.
Some build options selected by hostapd are always built now, so they
were removed.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/network/services/hostapd/Config.in 
b/package/network/services/hostapd/Config.in
index 222cfb7f13..6611958cf1 100644
--- a/package/network/services/hostapd/Config.in
+++ b/package/network/services/hostapd/Config.in
@@ -67,15 +67,10 @@ config WPA_WOLFSSL
PACKAGE_wpad-wolfssl ||\
PACKAGE_wpad-mesh-wolfssl ||\
PACKAGE_eapol-test-wolfssl
-   select PACKAGE_libwolfssl
select WOLFSSL_HAS_AES_CCM
-   select WOLFSSL_HAS_AES_GCM
select WOLFSSL_HAS_ARC4
-   select WOLFSSL_HAS_DES3
select WOLFSSL_HAS_DH
-   select WOLFSSL_HAS_ECC
select WOLFSSL_HAS_OCSP
-   select WOLFSSL_HAS_PSK
select WOLFSSL_HAS_SESSION_TICKET
select WOLFSSL_HAS_WPAS
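Review bot: `select PACKAGE_libwolfssl` is removed together with the selects of now-unconditional build options, but it is a package selection, not a build option, so it falls outside the justification in the commit message; either keep it or state why it is no longer needed (the `DEPENDS+=+libwolfssl` lines in the Makefile variants may be the intended replacement).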
 
diff --git a/package/network/services/hostapd/Makefile 
b/package/network/services/hostapd/Makefile
index b548ecdf1b..3412125d2c 100644
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -6,6 +6,15 @@
 
 include $(TOPDIR)/rules.mk
 
+### NOTICE FOR THE NEXT VERSION/RELEASE BUMP.
+###
+# The wolfssl variants currently have a different RELEASE than the others.
+# This is temporary, and was done to avoid to needlessly upgrade the rest of 
the
+# variants.  So when the next update happen, things should get back to normal.
+# If this package gets a PKG_RELEASE bump, please use PKG_RELEASE:=8, and 
remove the
+# RELEASE:=7 lines under the wolfssl variants, as well as this notice.
+# If the VERSION/SOURCE_DATE gets updated, remove the notice and the 
RELEASE:=7 lines.
+
 PKG_NAME:=hostapd
 PKG_RELEASE:=6
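Review bot: the notice tells the next bumper to use PKG_RELEASE:=8 rather than 7 but does not say why; adding "so that it is larger than the RELEASE:=7 used by the wolfssl variants" keeps a future editor from "correcting" it to 7, which would leave the wolfssl variants at the release they already have. The comment lines have also been wrapped by the list archive; make sure each is a single line in the Makefile.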
 
@@ -170,6 +179,9 @@ Package/hostapd-openssl/description = 
$(Package/hostapd/description)
 define Package/hostapd-wolfssl
 $(call Package/hostapd/Default,$(1))
   TITLE+= (full)
+
+  RELEASE:=7
+
   VARIANT:=full-wolfssl
   DEPENDS+=+libwolfssl
 endef
@@ -222,6 +234,9 @@ Package/wpad-openssl/description = 
$(Package/wpad/description)
 define Package/wpad-wolfssl
 $(call Package/wpad/Default,$(1))
   TITLE+= (full)
+
+  RELEASE:=7
+
   VARIANT:=wpad-full-wolfssl
   DEPENDS+=+libwolfssl
 endef
@@ -260,6 +275,9 @@ Package/wpad-mesh-openssl/description = 
$(Package/wpad-mesh/description)
 define Package/wpad-mesh-wolfssl
 $(call Package/wpad-mesh,$(1))
   DEPENDS+=+libwolfssl
+
+  RELEASE:=7
+
   VARIANT:=wpad-mesh-wolfssl
 endef
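Review bot: in Package/wpad-mesh-wolfssl the `RELEASE:=7` block is placed after `DEPENDS+=+libwolfssl`, whereas the other wolfssl variants put it before `VARIANT:=`; keep the placement uniform so that the cleanup described in the notice can be done with one pattern.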
 
@@ -290,6 +308,9 @@ endef
 
 define Package/wpa-supplicant-wolfssl
 $(call Package/wpa-supplicant/Default,$(1))
+
+  RELEASE:=7
+
   VARIANT:=supplicant-full-wolfssl
   DEPENDS+=+libwolfssl
 endef
@@ -320,6 +341,9 @@ endef
 
 define Package/wpa-supplicant-mesh-wolfssl
 $(call Package/wpa-supplicant-mesh/Default,$(1))
+
+  RELEASE:=7
+
   VARIANT:=supplicant-mesh-wolfssl
   DEPENDS+=+libwolfssl
 endef
@@ -379,6 +403,9 @@ define Package/eapol-test-wolfssl
   TITLE:=802.1x authentication test utility
   SECTION:=net
   CATEGORY:=Network
+
+  RELEASE:=7
+
   VARIANT:=supplicant-full-wolfssl
   CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-wolfssl 
,$(EAPOL_TEST_PROVIDERS)))
   DEPENDS:=$(DRV_DEPENDS) +libwolfssl



[OpenWrt-Devel] [RFC 18.06 PATCH 2/3] ustream-ssl: bump wolfssl variant

2019-08-05 Thread Eneas U de Queiroz
wolfssl changed ABI version.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/ustream-ssl/Makefile 
b/package/libs/ustream-ssl/Makefile
index 2ea5bf0bd5..c0fd281866 100644
--- a/package/libs/ustream-ssl/Makefile
+++ b/package/libs/ustream-ssl/Makefile
@@ -3,6 +3,15 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ustream-ssl
 PKG_RELEASE:=1
 
+### NOTICE FOR THE NEXT VERSION/RELEASE BUMP.
+###
+# libustream-wolfssl currently has a different RELEASE than the rest of the 
libs.
+# This is temporary, and was done to avoid to needlessly upgrade the rest of 
the
+# variants.  So when the next update happen, things should get back to normal.
+# If this package gets a PKG_RELEASE bump, please use PKG_RELEASE:=3, and 
remove the
+# RELEASE:=2 line under libustream-wolfssl, as well as this notice.
+# If the VERSION/SOURCE_DATE gets updated, remove the notice and the 
RELEASE:=2 line.
+
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git
 PKG_SOURCE_DATE:=2018-07-30
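Review bot: "avoid to needlessly upgrade" and "when the next update happen" in the new notice should read "avoid needlessly upgrading" and "when the next update happens"; the same text appears in the hostapd notice of this series, so fix both.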
@@ -39,6 +48,9 @@ define Package/libustream-wolfssl
   $(Package/libustream/default)
   TITLE += (wolfssl)
   DEPENDS += +PACKAGE_libustream-wolfssl:libwolfssl
+
+  RELEASE:=2
+
   VARIANT:=wolfssl
 endef
 



[OpenWrt-Devel] [RFC 18.06 PATCH 1/3] wolfssl: bump to 4.1.0-stable

2019-08-05 Thread Eneas U de Queiroz
Always build AES-GCM support.
Unnecessary patches were removed.

This includes two vulnerability fixes:

CVE-2018-16870: a new variant of the Bleichenbacher attack to perform
downgrade attacks against TLS, which may lead to leakage of sensible
data.

CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack.

This brings some changes from master as well:
* Removed options that can't be turned off because we're building with
  --enable-stunnel, some of which affect hostapd's Config.in.
* Adjusted the title of OCSP option, as OCSP itself can't be turned off,
  only the stapling part is selectable.
* Mark options turned on when wpad support is selected.
* Add building options for TLS 1.0, and TLS 1.3.
* Add AF_ALG hardware crypto support, which due to a bug, only works
  when CCM support is turned off.
* Reorganized option conditionals in Makefile.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 50b0bb9cdf..32b0f74089 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -4,16 +4,8 @@ config WOLFSSL_HAS_AES_CCM
bool "Include AES-CCM support"
default y
 
-config WOLFSSL_HAS_AES_GCM
-   bool "Include AES-GCM support"
-   default y
-
-config WOLFSSL_HAS_CHACHA
-   bool "Include ChaCha cipher suite support"
-   default n
-
-config WOLFSSL_HAS_ECC
-   bool "Include ECC (Elliptic Curve Cryptography) support"
+config WOLFSSL_HAS_CHACHA_POLY
+   bool "Include ChaCha20-Poly1305 cipher suite support"
default y
 
 config WOLFSSL_HAS_DH
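Review bot: WOLFSSL_HAS_CHACHA_POLY replaces WOLFSSL_HAS_CHACHA with `default y`, while the removed option had `default n`, so the default 18.06 build gains the ChaCha20-Poly1305 suites; the message should say so, since it changes code size and the offered cipher list on a stable branch.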
@@ -24,12 +16,12 @@ config WOLFSSL_HAS_ARC4
bool "Include ARC4 support"
default y
 
-config WOLFSSL_HAS_DES3
-   bool "Include DES3 (Tripple-DES) support"
+config WOLFSSL_HAS_TLSV10
+   bool "Include TLS 1.0 support"
default y
 
-config WOLFSSL_HAS_PSK
-   bool "Include PKS (Pre Share Key) support"
+config WOLFSSL_HAS_TLSV13
+   bool "Include TLS 1.3 support"
default y
 
 config WOLFSSL_HAS_SESSION_TICKET
@@ -41,20 +33,34 @@ config WOLFSSL_HAS_DTLS
default n
 
 config WOLFSSL_HAS_OCSP
-   bool "Include OSCP support"
+   bool "Include OSCP stapling support"
default y
 
 config WOLFSSL_HAS_WPAS
bool "Include wpa_supplicant support"
+   select WOLFSSL_HAS_ARC4
+   select WOLFSSL_HAS_OCSP
+   select WOLFSSL_HAS_SESSION_TICKET
default y
 
 config WOLFSSL_HAS_ECC25519
bool "Include ECC Curve 22519 support"
-   depends on WOLFSSL_HAS_ECC
default n
 
-config WOLFSSL_HAS_POLY_1305
-   bool "Include Poly-1305 support"
-   default n
+if WOLFSSL_HAS_AES_CCM
+   comment "! Hardware Acceleration does not build with AES-CCM enabled"
+endif
+if !WOLFSSL_HAS_AES_CCM
+   choice
+   prompt "Hardware Acceleration"
+   default WOLFSSL_HAS_NO_HW
+
+   config WOLFSSL_HAS_NO_HW
+   bool "None"
+
+   config WOLFSSL_HAS_AFALG
+   bool "AF_ALG"
+   endchoice
+endif
 
 endif
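Review bot: the context line `bool "Include ECC Curve 22519 support"` carries a typo (Curve25519); the hunk already touches the adjacent `depends on` line, so correcting the title is cheap. Separately, the AF_ALG choice is only reachable with AES-CCM disabled, and hostapd's Config.in does `select WOLFSSL_HAS_AES_CCM`, so hardware acceleration is effectively unavailable in any build that includes a wolfssl wpad variant; that deserves a sentence in the message.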
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index a01a8949aa..03bbda714d 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,29 +8,29 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=3.15.3-stable
+PKG_VERSION:=4.1.0-stable
 PKG_RELEASE:=1
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
-# PKG_SOURCE_URL:=https://www.wolfssl.com/
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a
+PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
-PKG_LICENSE:=GPL-2.0+
-PKG_CPE_ID:=cpe:/a:yassl:cyassl
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=LICENSING COPYING
+PKG_MAINTAINER:=Eneas U de Queiroz 
+PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
-   CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
-   CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \
-   CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
-   CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \
-   CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY_1305 \
-   CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \
-   CONFIG_WOLFSSL_HAS_WPAS
+   CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AFALG \
+   CONFIG
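Review bot: the source switches from the `.zip` to the `.tar.gz` GitHub archive, so the new PKG_HASH covers a differently packaged artifact; that is fine, but the message should mention the format change so that a reviewer cross-checking the hash fetches the right archive.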

[OpenWrt-Devel] [RFC 18.06-alt PATCH 1/1] wolfssl: fixes for CVE-2018-16870 & CVE-2019-13628

2019-08-05 Thread Eneas U de Queiroz
CVE-2018-16870: medium-severity, new variant of the Bleichenbacher
attack to perform downgrade attacks against TLS, which may lead to
leakage of sensible data. Backported from 3.15.7.

CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack. Backported from 4.1.0.

Signed-off-by: Eneas U de Queiroz 
---
This is an alternative to updating 18.06 to 4.1.0, just backporting the
patches.  This has been tested on x86_64 with the package's testsuite,
in addition to regular run-testing on WRT3200ACM, using uhttpd,
uclient-fetch, and curl.

CVE-2019-13628's patch applied cleanly, but the other one needed many
adjustments.

 package/libs/wolfssl/Makefile |   5 +-
 ...nstant-time-when-Block-Type-2-messag.patch | 584 ++
 .../020-Improve-nonce-use-in-ECC-mulmod.patch | 100 +++
 3 files changed, 687 insertions(+), 2 deletions(-)
 create mode 100644 package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch
 create mode 100644 package/libs/wolfssl/patches/020-Improve-nonce-use-in-ECC-mulmod.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index a01a8949aa..6f29cd668d 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=3.15.3-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
 # PKG_SOURCE_URL:=https://www.wolfssl.com/
@@ -21,7 +21,8 @@ PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+
-PKG_CPE_ID:=cpe:/a:yassl:cyassl
+PKG_MAINTAINER:=Eneas U de Queiroz 
+PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
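Review bot: changing PKG_CPE_ID from cpe:/a:yassl:cyassl to cpe:/a:wolfssl:wolfssl alters which CVE feed entries match this package, which is a vulnerability-tracking change unrelated to the two backported fixes; call it out in the message (or split it out) so the scanner history is explained.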
diff --git 
a/package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch
 
b/package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch
new file mode 100644
index 00..26ceaef4c5
--- /dev/null
+++ 
b/package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch
@@ -0,0 +1,584 @@
+From 278d54d95de9fa80b4ac9f6dd0f900841114ca8c Mon Sep 17 00:00:00 2001
+From: Sean Parkinson 
+Date: Mon, 27 Aug 2018 10:16:40 +1000
+Subject: [PATCH] Make RsaUnPad constant time when Block Type 2 message
+
+(cherry picked from commit ab03f9291b040269ae21d33b9f01529ed8311728)
+[cherry-pick changes]
+Signed-off-by: Eneas U de Queiroz 
+
+diff --git a/src/internal.c b/src/internal.c
+index dfb3a2fe9..4b2477e7a 100644
+--- a/src/internal.c
 b/src/internal.c
+@@ -24766,26 +24766,22 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* 
input, word32* inOutIdx,
+  * indistinguishable from correctly formatted RSA 
blocks
+  */
+ 
+-ret = args->lastErr;
+ args->lastErr = 0; /* reset */
+ 
+ /* build PreMasterSecret */
+ ssl->arrays->preMasterSecret[0] = 
ssl->chVersion.major;
+ ssl->arrays->preMasterSecret[1] = 
ssl->chVersion.minor;
+-if (ret == 0 && args->sigSz == SECRET_LEN &&
+- args->output != 
NULL) {
++if (args->output != NULL) {
+ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
+-&args->output[VERSION_SZ],
+-SECRET_LEN - VERSION_SZ);
+-}
+-else {
+-/* preMasterSecret has RNG and version set */
+-/* return proper length and ignore error */
+-/* error will be caught as decryption error */
+-args->sigSz = SECRET_LEN;
+-ret = 0;
++&args->output[VERSION_SZ],
++SECRET_LEN - VERSION_SZ);
+ }
+-
++/* preMasterSecret has RNG and version set
++ * return proper length and ignore error
++ * error will be caught as decryption error
++ */
++args->sigSz = SECRET_LEN;
++ret = 0;
+ break;
+ } /* rsa_kea */
+ #endif /* !NO_RSA */
+diff --git a/src/tls.c b/src/tls.c
+index 9f0c49497..cc985410a 100644
+--- a/src/tls.c
 b/src/tls.c
+@@ -1136,12 +1136,12 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byt
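Review bot: the backported 010 patch header says `[cherry-pick changes]` without listing them, while the cover text says this fix "needed many adjustments"; list the adapted hunks (at least the internal.c block that drops the `ret == 0 && args->sigSz == SECRET_LEN` branch so the PreMasterSecret path no longer differs on padding errors) in the patch header, so a later reviewer can verify the constant-time behaviour survived the port to the 3.15.3 tree.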

[OpenWrt-Devel] [PATCH 1/3] openssl: always build with EC support

2019-08-05 Thread Eneas U de Queiroz
Signed-off-by: Eneas U de Queiroz 

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index 63493829ba..d1281ec6fa 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -76,7 +76,6 @@ config OPENSSL_WITH_TLS13
bool
default y
prompt "Enable support for TLS 1.3"
-   select OPENSSL_WITH_EC
help
TLS 1.3 is the newest version of the TLS specification.
It aims:
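Review bot: the commit message is empty apart from the Signed-off-by; since this drops `select OPENSSL_WITH_EC` from OPENSSL_WITH_TLS13 and removes the OPENSSL_WITH_EC option entirely, state the reason (EC is made unconditional so that EC keys generated by px5g/uhttpd always work) in the message rather than only in the cover letter.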
@@ -120,19 +119,8 @@ config OPENSSL_WITH_CMS
 
 comment "Algorithm Selection"
 
-config OPENSSL_WITH_EC
-   bool
-   default y
-   prompt "Enable elliptic curve support"
-   help
-   Elliptic-curve cryptography (ECC) is an approach to public-key
-   cryptography based on the algebraic structure of elliptic curves
-   over finite fields. ECC requires smaller keys compared to 
non-ECC
-   cryptography to provide equivalent security.
-
 config OPENSSL_WITH_EC2M
bool
-   depends on OPENSSL_WITH_EC
prompt "Enable ec2m support"
help
This option enables the more efficient, yet less common, binary
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index b8f97a82e8..24a84c0c54 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=c
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -28,7 +28,7 @@ 
PKG_HASH:=f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c90
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
-PKG_MAINTAINER:=Eneas U de Queiroz 
+PKG_MAINTAINER:=Eneas U de Queiroz 
 PKG_CPE_ID:=cpe:/a:openssl:openssl
 PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_ENGINE \
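Review bot: the `-`/`+` PKG_MAINTAINER lines are identical as archived (the address has been stripped), so the change cannot be reviewed here; a maintainer-address change is unrelated to EC support and belongs in its own commit or at least in the message.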
@@ -48,7 +48,6 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_CMS \
CONFIG_OPENSSL_WITH_COMPRESSION \
CONFIG_OPENSSL_WITH_DTLS \
-   CONFIG_OPENSSL_WITH_EC \
CONFIG_OPENSSL_WITH_EC2M \
CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
CONFIG_OPENSSL_WITH_GOST \
@@ -203,10 +202,6 @@ ifndef CONFIG_OPENSSL_WITH_ASYNC
   OPENSSL_OPTIONS += no-async
 endif
 
-ifndef CONFIG_OPENSSL_WITH_EC
-  OPENSSL_OPTIONS += no-ec
-endif
-
 ifndef CONFIG_OPENSSL_WITH_EC2M
   OPENSSL_OPTIONS += no-ec2m
 endif
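Review bot: with `no-ec` gone and CONFIG_OPENSSL_WITH_EC removed from PKG_CONFIG_DEPENDS, grep the tree for remaining `depends on OPENSSL_WITH_EC` or `select OPENSSL_WITH_EC` users; any left behind become unknown-symbol warnings in kconfig.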



[OpenWrt-Devel] [PATCH 0/3] support EC keys in px5g/uhttpd

2019-08-05 Thread Eneas U de Queiroz
I'm adding support to create EC curves with px5g, and changing uhttpd
to use it, adding two config options: key_type, and ec_curve.

* key_type should be set to either 'ec' or 'rsa'.  In practice, it will
  silently use 'rsa' unless its value is 'ec'.

* ec_curve takes an elliptic curve name, which should match one of the
  certificate generator's TLS library's names.  Unfortunately, they don't
  necessarily match between px5g (mbedtls), and openssl.  Short names
  P-256 and P-384 were added to px5g to have a uniform set, and are
  guaranteed to work.  P-521 is there too, but mbedtls is currently
  built without it.

Right now the ciphersuites used with EC keys are stronger than with RSA
keys, and I'm sending a patch to widen that gap further.  That way you
can use the key type to choose the level of strength vs. broad
compatibility you wish to use.

A P-256 EC key offers a strength equivalent to a 3072-bit RSA key, and is
generated much faster than even a 2048-bit RSA key.

uhttpd currently generates a 2048-bit RSA key by default, and that has
not been changed.

Eneas U de Queiroz (3):
  openssl: always build with EC support
  px5g: support EC keys
  uhttpd: add support to generate EC keys

 package/libs/openssl/Config.in| 12 ---
 package/libs/openssl/Makefile |  9 +-
 package/network/services/uhttpd/Makefile  |  2 +-
 .../services/uhttpd/files/uhttpd.config   |  8 ++
 .../network/services/uhttpd/files/uhttpd.init |  6 +-
 package/utils/px5g/Makefile   |  4 +-
 package/utils/px5g/px5g.c | 86 +++
 7 files changed, 87 insertions(+), 40 deletions(-)
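As an added example (not part of this patch series), the option assembly that uhttpd.init performs from the cert section, mirrored in a standalone POSIX shell function together with the validation the init script leaves to the key generator; the safe-curve list and the 2048-bit RSA minimum are assumptions taken from the cover letter.

```shell
# Added example, not part of the patch series: mirrors how uhttpd.init turns
# the 'cert' section options (key_type, bits, ec_curve) into the -newkey
# argument for openssl/px5g, and adds validation the init script does not do.

# Curves the cover letter says are guaranteed to work with both px5g
# (mbedtls) and openssl.  P-521 is left out because mbedtls is built
# without it.  (Assumed list, taken from the cover letter.)
UHTTPD_SAFE_CURVES="P-256 P-384"

# Assumed policy: never generate an RSA key below 2048 bits (uhttpd's own
# default); px5g's internal default of 512 bits must not be reachable.
UHTTPD_MIN_RSA_BITS=2048

# Returns 0 if $1 is one of UHTTPD_SAFE_CURVES, 1 otherwise.
curve_is_safe() {
    for c in $UHTTPD_SAFE_CURVES; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# uhttpd_key_opts KEY_TYPE BITS EC_CURVE
# Prints the value used for -newkey, exactly as uhttpd.init builds it:
#   key_type=ec    -> "ec -pkeyopt ec_paramgen_curve:<curve>"  (default P-256)
#   anything else  -> "rsa:<bits>"                            (default 2048)
# Unlike the init script it returns 1 instead of printing when the curve
# is not in the safe list, contains non-name characters (which would be
# word-split into extra command-line arguments), or the RSA size is invalid.
uhttpd_key_opts() {
    key_type=$1
    bits=${2:-2048}
    ec_curve=${3:-P-256}
    if [ "$key_type" = "ec" ]; then
        case "$ec_curve" in
            *[!A-Za-z0-9-]*) return 1 ;;   # whitespace or shell metacharacters
        esac
        curve_is_safe "$ec_curve" || return 1
        printf '%s\n' "ec -pkeyopt ec_paramgen_curve:$ec_curve"
    else
        case "$bits" in
            *[!0-9]*) return 1 ;;          # not a plain decimal number
        esac
        [ "$bits" -ge "$UHTTPD_MIN_RSA_BITS" ] || return 1
        printf '%s\n' "rsa:$bits"
    fi
}
```

The printed string is meant to be used unquoted after `-newkey`, as the init script does, so that the `ec -pkeyopt ...` form splits into its three arguments.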




[OpenWrt-Devel] [PATCH 2/3] px5g: support EC keys

2019-08-05 Thread Eneas U de Queiroz
This adds an 'eckey' command to generate an EC key, with an optional
curve name argument, with P-256 as default.

For the 'selfsigned' command, it adds an 'ec' algorithm argument to the
'-newkey' option, and a '-pkeyopt ec_paramgen_curve:' option,
mirroring the way openssl specifies the curve name.

Notice that curve names are not necessarily the same in mbedtls and
openssl.  In particular, secp256r1 works for mbedtls, but openssl uses
prime256v1 instead. px5g uses mbedtls, but short NIST curve names P-256
and P-384 are specifically supported.

Package size increased by about 900 bytes (arm).

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/utils/px5g/Makefile b/package/utils/px5g/Makefile
index 7b5748425d..cfd1bfc80e 100644
--- a/package/utils/px5g/Makefile
+++ b/package/utils/px5g/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=px5g
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 PKG_LICENSE:=LGPL-2.1
 PKG_BUILD_DIR:=$(BUILD_DIR)/px5g-$(BUILD_VARIANT)
 
@@ -53,7 +53,7 @@ ifeq ($(BUILD_VARIANT),standalone)
   TARGET_LDFLAGS := -Wl,-Bstatic $(TARGET_LDFLAGS) -Wl,-Bdynamic
 endif
 
-TARGET_CFLAGS += -Wl,--gc-sections
+TARGET_CFLAGS += -Wl,--gc-sections -Wall -Werror
 
 define Build/Compile
$(TARGET_CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -o 
$(PKG_BUILD_DIR)/px5g px5g.c $(TARGET_LDFLAGS)
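Review bot: adding `-Werror` to TARGET_CFLAGS turns every new warning from a future toolchain into a build failure for the package; keep `-Wall` in the shipped Makefile and drop `-Werror` (or restrict it to a developer build).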
diff --git a/package/utils/px5g/px5g.c b/package/utils/px5g/px5g.c
index f0fe4dcfd3..0b72154509 100644
--- a/package/utils/px5g/px5g.c
+++ b/package/utils/px5g/px5g.c
@@ -32,6 +32,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 
@@ -73,6 +74,23 @@ static void write_file(const char *path, int len, bool pem)
fclose(f);
 }
 
+static mbedtls_ecp_group_id ecp_curve(const char *name)
+{
+   const mbedtls_ecp_curve_info *curve_info;
+
+   if (!strcmp(name, "P-256"))
+   return MBEDTLS_ECP_DP_SECP256R1;
+   else if (!strcmp(name, "P-384"))
+   return MBEDTLS_ECP_DP_SECP384R1;
+   else if (!strcmp(name, "P-521"))
+   return MBEDTLS_ECP_DP_SECP521R1;
+   curve_info = mbedtls_ecp_curve_info_from_name(name);
+   if (curve_info == NULL)
+   return MBEDTLS_ECP_DP_NONE;
+   else
+   return curve_info->grp_id;
+}
+
 static void write_key(mbedtls_pk_context *key, const char *path, bool pem)
 {
int len = 0;
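Review bot: ecp_curve() maps "P-521" to MBEDTLS_ECP_DP_SECP521R1 unconditionally, but the cover letter says mbedtls is built without that curve, so the request only fails later in gen_key() with a generic "key generation failed"; check `mbedtls_ecp_curve_info_from_grp_id()` on the mapped id and return MBEDTLS_ECP_DP_NONE when it is NULL, so that unsupported curves are reported as an invalid curve name at parse time like unknown names already are.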
@@ -89,24 +107,33 @@ static void write_key(mbedtls_pk_context *key, const char 
*path, bool pem)
write_file(path, len, pem);
 }
 
-static void gen_key(mbedtls_pk_context *key, int ksize, int exp, bool pem)
+static void gen_key(mbedtls_pk_context *key, bool rsa, int ksize, int exp,
+   mbedtls_ecp_group_id curve, bool pem)
 {
mbedtls_pk_init(key);
-   fprintf(stderr, "Generating RSA private key, %i bit long modulus\n", 
ksize);
-   mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
-   if (mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, NULL, ksize, 
exp)) {
-   fprintf(stderr, "error: key generation failed\n");
-   exit(1);
+   if (rsa) {
+   fprintf(stderr, "Generating RSA private key, %i bit long 
modulus\n", ksize);
+   mbedtls_pk_setup(key, 
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+   if (!mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, NULL, 
ksize, exp))
+   return;
+   } else {
+   fprintf(stderr, "Generating EC private key\n");
+   mbedtls_pk_setup(key, 
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
+   if (!mbedtls_ecp_gen_key(curve, mbedtls_pk_ec(*key), _urandom, 
NULL))
+   return;
}
+   fprintf(stderr, "error: key generation failed\n");
+   exit(1);
 }
 
-int rsakey(char **arg)
+int dokey(bool rsa, char **arg)
 {
mbedtls_pk_context key;
unsigned int ksize = 512;
int exp = 65537;
char *path = NULL;
bool pem = true;
+   mbedtls_ecp_group_id curve = MBEDTLS_ECP_DP_SECP256R1;
 
while (*arg && **arg == '-') {
if (!strcmp(*arg, "-out") && arg[1]) {
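Review bot: the RSA branch keeps `unsigned int ksize = 512;` as the modulus size used when no size argument is given; 512-bit RSA is factorable and should not be the tool's default, so use 2048 (uhttpd already passes `rsa:2048`). The `mbedtls_pk_setup()` return value is also unchecked in both the RSA and the EC branch of gen_key().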
@@ -120,10 +147,17 @@ int rsakey(char **arg)
arg++;
}
 
-   if (*arg)
+   if (*arg && rsa) {
ksize = (unsigned int)atoi(*arg);
+   } else if (*arg) {
+   curve = ecp_curve((const char *)*arg);
+   if (curve == MBEDTLS_ECP_DP_NONE) {
+   fprintf(stderr, "error: invalid curve name: %s\n", 
*arg);
+   return 1;
+   }
+   }
 
-   gen_key(&key, ksize, exp, pem);
+   gen_key(&key, rsa, ksize, exp, curve, pem);
write_key(&key, path, pem);
 
mbedtls_pk_free(&key);
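Review bot: `curve = ecp_curve((const char *)*arg);` casts a `char *` to `const char *`, which is an implicit conversion, so the cast is noise; in the RSA branch `ksize = (unsigned int)atoi(*arg);` still accepts non-numeric or negative input and hands 0 or a huge value to mbedtls_rsa_gen_key, so validate it (strtoul plus a sane minimum) the same way the EC branch now validates the curve name.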
@@ -146,20 +180,37 @@ int selfsigned(char **arg

[OpenWrt-Devel] [PATCH 3/3] uhttpd: add support to generate EC keys

2019-08-05 Thread Eneas U de Queiroz
This adds the key_type and ec_curve options to enable the generation of
EC keys during initialization, using openssl or the new options added to
px5g.

Signed-off-by: Eneas U de Queiroz 

diff --git a/package/network/services/uhttpd/Makefile 
b/package/network/services/uhttpd/Makefile
index 0738ec68f5..247132d2b1 100644
--- a/package/network/services/uhttpd/Makefile
+++ b/package/network/services/uhttpd/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=uhttpd
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
diff --git a/package/network/services/uhttpd/files/uhttpd.config 
b/package/network/services/uhttpd/files/uhttpd.config
index a3deb9cf04..39089ca25b 100644
--- a/package/network/services/uhttpd/files/uhttpd.config
+++ b/package/network/services/uhttpd/files/uhttpd.config
@@ -118,9 +118,17 @@ config cert defaults
# Validity time
option days 730
 
+   # key type: rsa or ec
+   option key_type rsa
+
# RSA key size
option bits 2048
 
+   # EC curve name
+   # Curve names vary between mbedtls/px5g and openssl
+   # P-256 or P-384 are guaranteed to work
+   option ec_curve P-256
+
# Location
option country  ZZ
option stateSomewhere
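Review bot: the `ec_curve` comment says P-256 and P-384 are guaranteed but not what happens with other names; since the init script passes the value verbatim to whichever generator is installed, a name one generator does not know fails key generation rather than falling back. Suggest spelling that out, and adding that `ec_curve` is ignored unless `key_type` is `ec`, so a user who only edits `bits` is not surprised by the extra option.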
diff --git a/package/network/services/uhttpd/files/uhttpd.init 
b/package/network/services/uhttpd/files/uhttpd.init
index dc496b3e28..6322473b97 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -43,15 +43,19 @@ generate_keys() {
config_get state  "$cfg" state
config_get location   "$cfg" location
config_get commonname "$cfg" commonname
+   config_get key_type   "$cfg" key_type
+   config_get ec_curve   "$cfg" ec_curve
 
# Prefer px5g for certificate generation (existence evaluated last)
local GENKEY_CMD=""
+   local KEY_OPTS="rsa:${bits:-2048}"
local UNIQUEID=$(dd if=/dev/urandom bs=1 count=4 | hexdump -e '1/1 
"%02x"')
+   [ "$key_type" = "ec" ] && KEY_OPTS="ec -pkeyopt 
ec_paramgen_curve:${ec_curve:-P-256}"
[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 
-outform der -nodes"
[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
[ -n "$GENKEY_CMD" ] && {
$GENKEY_CMD \
-   -days ${days:-730} -newkey rsa:${bits:-2048} -keyout 
"${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
+   -days ${days:-730} -newkey ${KEY_OPTS} -keyout 
"${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
-subj 
/C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${commonname:-OpenWrt}$UNIQUEID"/CN="${commonname:-OpenWrt}"
sync
mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
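Review bot: `KEY_OPTS` embeds `${ec_curve:-P-256}` and `${bits:-2048}` straight from UCI and is expanded unquoted in `-newkey ${KEY_OPTS}`, and that split is required (the `ec -pkeyopt ...` form must become three arguments), so a config value containing whitespace turns into extra arguments to openssl or px5g. Validate `key_type` against `rsa|ec`, `bits` as a plain number and `ec_curve` against a short allow-list (the config file already names P-256 and P-384) before building `KEY_OPTS`, and bail out with a log message otherwise. Also, the same `-newkey ec -pkeyopt ec_paramgen_curve:...` syntax is now handed to px5g, so the script depends on a px5g that understands this openssl-style option; a line in the `# Prefer px5g` comment saying so would help whoever bisects a failed first boot.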

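An added example, written for this review and not part of the uhttpd patch or of uhttpd itself, showing the validation the init script's `KEY_OPTS` line would need before the UCI values are word-split into the generator's command line. `build_key_opts` and `genkey_argv` are hypothetical helper names; the allow-list of curves is an assumption taken from the config comment above (P-256 and P-384).

```shell
#!/bin/sh
# Added example: build the -newkey argument for openssl/px5g from UCI
# values, refusing anything that is not on an allow-list. Not uhttpd code.

# Curves the uhttpd.config comment says work with both px5g and openssl.
# Assumption: this list is the policy; extend it if both generators support more.
ALLOWED_CURVES="P-256 P-384"

# Usage: build_key_opts KEY_TYPE EC_CURVE BITS
# Prints the string to pass after -newkey, e.g. "rsa:2048" or
# "ec -pkeyopt ec_paramgen_curve:P-256". Returns 1 and prints nothing on
# stdout when a value is not acceptable, so the caller can abort instead of
# handing an unvalidated string to the shell for word-splitting.
build_key_opts() {
    key_type=${1:-rsa}
    ec_curve=${2:-P-256}
    bits=${3:-2048}

    case "$key_type" in
    rsa)
        # bits must be a plain positive decimal number; atoi-style
        # acceptance of "2048abc" or "" is exactly what we want to avoid.
        case "$bits" in
        ''|*[!0-9]*|0*)
            echo "invalid bits: '$bits'" >&2
            return 1
            ;;
        esac
        printf 'rsa:%s\n' "$bits"
        ;;
    ec)
        for c in $ALLOWED_CURVES; do
            if [ "$ec_curve" = "$c" ]; then
                printf 'ec -pkeyopt ec_paramgen_curve:%s\n' "$ec_curve"
                return 0
            fi
        done
        echo "invalid ec_curve: '$ec_curve' (allowed: $ALLOWED_CURVES)" >&2
        return 1
        ;;
    *)
        echo "invalid key_type: '$key_type' (rsa or ec)" >&2
        return 1
        ;;
    esac
}

# Usage: genkey_argv KEY_OPTS
# Shows how the validated string is split: because it contains no
# user-controlled whitespace, unquoted expansion yields only the intended
# words. Prints one argument per line.
genkey_argv() {
    # shellcheck disable=SC2086  # intentional word-splitting of validated input
    set -- -newkey $1
    printf '%s\n' "$@"
}
```

In the init script the call would sit where `KEY_OPTS` is assigned: `KEY_OPTS=$(build_key_opts "$key_type" "$ec_curve" "$bits") || return 1`, keeping the unquoted `-newkey ${KEY_OPTS}` that both openssl and px5g expect.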


[OpenWrt-Devel] [ustream-ssl PATCH 2/2] Revise supported ciphersuites

2019-08-05 Thread Eneas U de Queiroz
CBC ciphersuites have been under scrutiny because of the many padding
oracle vulnerabilities that keep popping up; it seems that we won't be
able to patch up the inherent weakness of MAC-then-encrypt forever.  They
have been blacklisted by HTTP/2, and recently dropped from Mozilla's
Security/Serverside TLS intermediate compatibility list:
https://wiki.mozilla.org/Security/Server_Side_TLS

This commit removes ECDSA-CBC ciphersuites.  Basically, you can choose a
level of ciphersuite security, using the private-key type as a switch:

For RSA keys, CBC and RSA-key exchange ciphers will be enabled--mostly
matching Mozilla's Old backward compatibility list.

If you use an EC private key, then only ephemeral-key, authenticated
ciphers will be used, along the lines of what Mozilla's Intermediate
compatibility list prescribes.

The order does not match Mozilla's list 100% because in most embedded
systems, the server is going to be the least-capable machine.  So,
chacha20-poly1305 is moved ahead of AES, and the cipher preference is
always given to the server.  Also, DHE ciphers are not used for server.

The client list had the order changed to prioritize authenticated
ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC.

Signed-off-by: Eneas U de Queiroz 
---
If you use the intermediate compatibility list, you lose compatibility
with Safari on iOS<=8 and OS X<=10.10. Windows XP will not work either,
but since it is not compatible with EC keys, it does not change what we
had before.

I don't think we should drop ciphers from client-mode yet; none of the
ciphers are terribly bad from a client perspective, and if we disable
them, we can either get locked out of a service, or be forced to use an
unencrypted connection.

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index b7d7629..85bbb1c 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,18 +86,25 @@ static int _urandom(void *ctx, unsigned char *out, size_t 
len)
return 0;
 }
 
-#define AES_CIPHERS(v) \
+#define AES_GCM_CIPHERS(v) \
MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256,  \
-   MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384,  \
+   MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384
+
+#define AES_CBC_CIPHERS(v) \
MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA, \
MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
 
+#define AES_CIPHERS(v) \
+   AES_GCM_CIPHERS(v), \
+   AES_CBC_CIPHERS(v)
+
 static const int default_ciphersuites_server[] =
 {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-   AES_CIPHERS(ECDHE_ECDSA),
+   AES_GCM_CIPHERS(ECDHE_ECDSA),
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-   AES_CIPHERS(ECDHE_RSA),
+   AES_GCM_CIPHERS(ECDHE_RSA),
+   AES_CBC_CIPHERS(ECDHE_RSA),
AES_CIPHERS(RSA),
0
 };
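Review bot: nothing in ustream-mbedtls.c explains why `default_ciphersuites_server` keeps `AES_CBC_CIPHERS(ECDHE_RSA)` and `AES_CIPHERS(RSA)` but has no `AES_CBC_CIPHERS(ECDHE_ECDSA)` entry; that asymmetry is the key-type switch from the commit message, and without a comment it looks like an omission that the next contributor may "fix". Suggest a short block comment above the array mirroring the one added to ustream-openssl.c. Minor: `AES_CIPHERS(v)` is now only used for `RSA`, so it could be dropped in favour of `AES_GCM_CIPHERS(RSA), AES_CBC_CIPHERS(RSA)` at both call sites.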
@@ -105,11 +112,14 @@ static const int default_ciphersuites_server[] =
 static const int default_ciphersuites_client[] =
 {
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-   AES_CIPHERS(ECDHE_ECDSA),
+   AES_GCM_CIPHERS(ECDHE_ECDSA),
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-   AES_CIPHERS(ECDHE_RSA),
+   AES_GCM_CIPHERS(ECDHE_RSA),
MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-   AES_CIPHERS(DHE_RSA),
+   AES_GCM_CIPHERS(DHE_RSA),
+   AES_CBC_CIPHERS(ECDHE_ECDSA),
+   AES_CBC_CIPHERS(ECDHE_RSA),
+   AES_CBC_CIPHERS(DHE_RSA),
MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
AES_CIPHERS(RSA),
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 3810d6a..b2df362 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -22,14 +22,16 @@
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
 
-
 /* Ciphersuite preference:
- * - key exchange: prefer ECDHE, then DHE(client only), then RSA
- * - prefer AEAD ciphers:
+ * - for server, no weak ciphers are used if you use an ECDSA key.
+ * - forward-secret (pfs), authenticated (AEAD) ciphers are at the top:
  * chacha20-poly1305, the fastest in software, 256-bits
  * aes128-gcm, 128-bits
  * aes256-gcm, 256-bits
- * - CBC ciphers
+ * - key exchange: prefer ECDHE, then DHE (client only)
+ * - forward-secret ECDSA CBC ciphers (client-only)
+ * - forward-secret RSA CBC ciphers
+ * - non-pfs ciphers
  * aes128, aes256, 3DES(client only)
  */
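Review bot: "no weak ciphers are used if you use an ECDSA key" is vaguer than what the lists below do: with an ECDSA key the server offers only forward-secret AEAD suites, and what an RSA key additionally enables is the CBC (MAC-then-encrypt) suites and the non-forward-secret RSA key exchange. Stating it in those terms matches the commit message and tells a reader which property they give up by picking an RSA key.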
 
@@ -38,32 +40,38 @@
"TLS13-CHACHA20-POLY1305-SHA256:"   \
"TLS13-AES128-GCM-SHA256:"  \
"TLS13-AES256-GCM-SHA384:"  \
-   ecdhe_ciphers
+   e

[OpenWrt-Devel] [ustream-ssl PATCH 1/2] wolfssl, openssl: use TLS 1.3, set ciphersuites

2019-08-05 Thread Eneas U de Queiroz
For wolfssl, instead of hard-coding TLS 1.2, use generic method and
disable older protocols, adding the necessary ciphersuites.

Openssl already had TLS 1.3 compatibility, but its ciphersuite ordering
needs a separate call, so this sets the ciphersuite preference when
using TLS 1.3.

Signed-off-by: Eneas U de Queiroz 

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 7c72ce1..3810d6a 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -33,6 +33,21 @@
  * aes128, aes256, 3DES(client only)
  */
 
+#ifdef WOLFSSL_SSL_H
+# define top_ciphers   \
+   "TLS13-CHACHA20-POLY1305-SHA256:"   \
+   "TLS13-AES128-GCM-SHA256:"  \
+   "TLS13-AES256-GCM-SHA384:"  \
+   ecdhe_ciphers
+#else
+# define tls13_ciphersuites"TLS_CHACHA20_POLY1305_SHA256:" \
+   "TLS_AES_128_GCM_SHA256:"   \
+   "TLS_AES_256_GCM_SHA384"
+
+# define top_ciphers   \
+   ecdhe_ciphers
+#endif
+
 #define ecdhe_ciphers  \
"ECDHE-ECDSA-CHACHA20-POLY1305:"\
"ECDHE-ECDSA-AES128-GCM-SHA256:"\
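Review bot: `tls13_ciphersuites` is defined only in the non-wolfSSL `#else` branch, yet the `SSL_CTX_set_ciphersuites(c, tls13_ciphersuites)` call added later in this patch is guarded by `OPENSSL_VERSION_NUMBER >= 0x10101000L` alone. Whether the wolfSSL build reaches that call depends on what its compatibility headers define for `SSL_CTX_set_ecdh_auto` and `OPENSSL_VERSION_NUMBER`, which this file does not control; if they ever report a 1.1.1 version number the build fails on an undefined identifier. Either add `!defined(WOLFSSL_SSL_H)` to that guard or define `tls13_ciphersuites` in both branches. Also, `top_ciphers` expands to `ecdhe_ciphers` before `ecdhe_ciphers` is `#define`d; legal, since expansion happens at use, but a one-line comment saves the reader a double take.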
@@ -60,11 +75,11 @@
"AES256-SHA"
 
 #define server_cipher_list \
-   ecdhe_ciphers ":"   \
+   top_ciphers ":" \
non_pfs_aes
 
 #define client_cipher_list \
-   ecdhe_ciphers ":"   \
+   top_ciphers ":" \
dhe_ciphers ":" \
non_pfs_aes ":" \
"DES-CBC3-SHA"
@@ -83,7 +98,7 @@ __ustream_ssl_context_new(bool server)
SSL_library_init();
_init = true;
}
-# define TLS_server_method TLSv1_2_server_method
+# define TLS_server_method SSLv23_server_method
 # define TLS_client_method SSLv23_client_method
 #endif
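Review bot: with `TLS_server_method` now mapped to `SSLv23_server_method`, nothing in this hunk limits the protocol range any more; on pre-1.1.0 OpenSSL the floor depends entirely on the `SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` options set in the server branch further down. A comment here pointing at that, or moving the `SSL_CTX_set_options` call next to this define, would stop a reader from concluding that SSLv3 was re-enabled.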
 
@@ -101,10 +116,15 @@ __ustream_ssl_context_new(bool server)
   SSL_OP_CIPHER_SERVER_PREFERENCE);
 #if defined(SSL_CTX_set_ecdh_auto) && OPENSSL_VERSION_NUMBER < 0x1010L
SSL_CTX_set_ecdh_auto(c, 1);
+#elif OPENSSL_VERSION_NUMBER >= 0x10101000L
+   SSL_CTX_set_ciphersuites(c, tls13_ciphersuites);
 #endif
if (server) {
 #if OPENSSL_VERSION_NUMBER >= 0x1010L
SSL_CTX_set_min_proto_version(c, TLS1_2_VERSION);
+#else
+   SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
+  SSL_OP_NO_TLSv1_1);
 #endif
SSL_CTX_set_cipher_list(c, server_cipher_list);
} else {
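Review bot: the version guards in this hunk differ in width: the existing `OPENSSL_VERSION_NUMBER < 0x1010L` (twice) against the new `>= 0x10101000L`. As printed, `0x1010L` is below every real OpenSSL version number, which would make the `SSL_CTX_set_ecdh_auto` branch and the `SSL_OP_NO_*` fallback dead code; if the committed file actually reads `0x10100000L` this is only a transcription artifact, but it is worth a look. Separately, chaining the ECDH-auto selection and the TLS 1.3 ciphersuite preference in one `#if`/`#elif` ties two unrelated decisions together; a standalone `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` block for `SSL_CTX_set_ciphersuites` reads more clearly and survives future edits to the first condition.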



[PATCH 0/2] Bump WolfSSL and libtool

2021-07-22 Thread Eneas U de Queiroz
WolfSSL has decided it needs at least libtool 2.4.2 to build.  From
their commit 92854a5dd message:
advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current
automated testing coverage.

We could easily patch our way out of it, but I decided to try the
upgrade first.  It appears to work just fine.  I've just rebuilt the
whole tree for my Linksys E8450 (mt7622), and tested the WolfSSL update
with hostapd and uhttpd.  I've had no hiccups, but of course ymmv.

My major concern while bumping a core building tool was how it could
affect the changes we have in place.  I've looked at both our patches,
and at what was changed upstream.

The major changes were related to getting the gnulib sources from git,
and refreshing them when running bootstrap.  Since we are applying
patches, getting fresh copies are not viable, but there's a command-line
option to avoid doing it.

I'm not so sure what to do about 21.02.
 1. Patch WolfSSL to accept building with libtool 2.4;
 2. Bump libtool to 2.4.2: 11 *relevant* files changed from 2.4,
   424 insertions(+),  198 deletions(-).
This was before the gnulib changes.  For a comparison, there are
71 files changed, 17143 insertions(+), 5697 deletions(-), when going
from 2.4 to 2.4.6.
 3. Bump both to keep in sync with master.

My vote: do 1 now, and wait for possible fallout from master.  Then,
perhaps try to keep them in sync, at the following point release.

Cheers

Eneas U de Queiroz (2):
  libtool: bump to 2.4.6
  wolfssl: bump to v4.8.0-stable

 package/libs/wolfssl/Makefile |   6 +-
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 .../libtool/patches/001-fix-func_append.patch |  22 --
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 12 files changed, 447 insertions(+), 359 deletions(-)
 delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch




[PATCH 2/2] wolfssl: bump to v4.8.0-stable

2021-07-22 Thread Eneas U de Queiroz
Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features
including this vulnerability:

* [Low] OCSP request/response verification issue. In the case that the
  serial number in the OCSP request differs from the serial number in
  the OCSP response the error from the comparison was not resulting in
  a failed verification.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 0c95288a2a..38c284ec5d 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.8.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=72c22efcdab0f18f9b0bb45621c213144f88b4a9e9b9cc06878b47744e058885
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1



[PATCH 1/2] libtool: bump to 2.4.6

2021-07-22 Thread Eneas U de Queiroz
This updates libtool to its current release, from 2015.  Current patches
were renumbered and given a description text.  The fix in
160-passthrough-ssp.patch is no longer needed.

A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to accommodate
our "SHELL=/usr/bin/env bash" usage.

The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources.  Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.

Signed-off-by: Eneas U de Queiroz 
---
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 .../libtool/patches/001-fix-func_append.patch |  22 --
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 11 files changed, 444 insertions(+), 356 deletions(-)
 delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch

diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index dd4a7f6380..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libtool
 PKG_CPE_ID:=cpe:/a:gnu:libtool
-PKG_VERSION:=2.4
+PKG_VERSION:=2.4.6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=afcce660d3dc54c63a0a5ba3cf05272239dc3c54bbeba20f6bad250f9dc007ae
+PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
 
 HOST_BUILD_PARALLEL:=1
 
@@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \
 define Host/Prepare
$(call Host/Prepare/Default)
(cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 
lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4)
-   (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap)
+   $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+endef
+
+define Host/Configure
+   $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+   $(call Host/Configure/Default)
 endef
 
 define Host/Install
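Review bot: the `touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force` command is duplicated verbatim in `Host/Prepare` and `Host/Configure`, differing only in the inverted `$(if $(QUILT),...)` condition; factor it into one shared define (say `libtool/bootstrap`) so the two stay in sync. Neither copy explains why `README-release` must exist or why `--force` is safe after our patches have been applied, and the commit message's "run at the appropriate time when QUILT=1" is the kind of reasoning that belongs in a comment next to the `$(if $(QUILT),...)`.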
diff --git a/tools/libtool/patches/000-relocatable.patch 
b/tools/libtool/patches/000-relocatable.patch
index 55265fe533..88d1eaed02 100644
--- a/tools/libtool/patches/000-relocatable.patch
+++ b/tools/libtool/patches/000-relocatable.patch
@@ -1,46 +1,24 @@
 a/libltdl/config/general.m4sh
-+++ b/libltdl/config/general.m4sh
-@@ -45,15 +45,22 @@ progpath="$0"
- M4SH_VERBATIM([[
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
--: ${EGREP="@EGREP@"}
--: ${FGREP="@FGREP@"}
--: ${GREP="@GREP@"}
- : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR="mkdir"}
- : ${MV="mv -f"}
- : ${RM="rm -f"}
--: ${SED="@SED@"}
-+if test -n "$STAGING_DIR"; then
-+  : ${EGREP="$STAGING_DIR/../host/bin/grep -E"}
-+  : ${FGREP="$STAGING_DIR/../host/bin/grep -F"}
-+  : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+  : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+  : ${EGREP="@EGREP@"}
-+  : ${FGREP="@FGREP@"}
-+  : ${GREP="@GREP@"}
-+  : ${SED="@SED@"}
-+fi
- : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
- : ${Xsed="$SED -e 1s/^X//"}
- 
+From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz 
+Date: Tue, 20 Jul 2021 16:41:11 -0300
+Subject: openwrt: make relocatable, search resources relative to STAGING_DIR
+
+This was originally commited to openwrt by Jo-Philipp Wich
+.
+
+(adjusted to v2.4.6)
+Signed-off-by: Eneas U de Queiroz 
+
 --- a/libtoolize.in
 +++ b/libtoolize.in
-@@ -326,15 +326,22 @@ as_unset=as_fn_unset
+@@ -40,11 +40,18 @@
  
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+ : ${AUTOCONF="autoconf"}
+ : ${AUTOMAKE="automake"}
 -: ${EGREP="@EGREP@"}
 -: ${FGREP="@FGREP@"}
 -:

[PATCH v2 0/2] Bump WolfSSL and libtool

2021-07-28 Thread Eneas U de Queiroz
v1->v2: WolfSSL was updated from 4.8.0, in the original series, to
4.8.1 due to a high-risk vulnerability.  Patches were refreshed.

WolfSSL has decided it needs at least libtool 2.4.2 to build.  From
their commit 92854a5dd message:
advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current
automated testing coverage.

We could easily patch our way out of it, but I decided to try the
upgrade first.  It appears to work just fine.  I've just rebuilt the
whole tree for my Linksys E8450 (mt7622), and tested the WolfSSL update
with hostapd and uhttpd.  I've had no hiccups, but of course ymmv.

My major concern while bumping a core building tool was how it could
affect the changes we have in place.  I've looked at both our patches,
and at what was changed upstream.

The major changes were related to getting the gnulib sources from git,
and refreshing them when running bootstrap.  Since we are applying
patches, getting fresh copies are not viable, but there's a command-line
option to avoid doing it.

I'm not so sure what to do about 21.02.
 1. Patch WolfSSL to accept building with libtool 2.4;
 2. Bump libtool to 2.4.2: 11 *relevant* files changed from 2.4,
   424 insertions(+),  198 deletions(-).
This was before the gnulib changes.  For a comparison, there are
71 files changed, 17143 insertions(+), 5697 deletions(-), when going
from 2.4 to 2.4.6.
 3. Bump both to keep in sync with master.

My vote: do 1 now, and wait for possible fallout from master.  Then,
perhaps try to keep them in sync, at the following point release.

Cheers

Eneas U de Queiroz (2):
  libtool: bump to 2.4.6
  wolfssl: bump to v4.8.1-stable

 package/libs/wolfssl/Makefile |   6 +-
 .../patches/100-disable-hardening-check.patch |   2 +-
 .../libs/wolfssl/patches/200-ecc-rng.patch|   4 +-
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 .../libtool/patches/001-fix-func_append.patch |  22 --
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 14 files changed, 450 insertions(+), 362 deletions(-)
 delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch




[PATCH v2 2/2] wolfssl: bump to v4.8.1-stable

2021-07-28 Thread Eneas U de Queiroz
Release 4.8.1 of wolfSSL embedded TLS has bug fixes and new features
including this vulnerability:

* [high] OCSP verification issue when response is for a certificate with
  no relation to the chain in question BUT that response contains the
  NoCheck extension which effectively disables ALL verification of that
  one cert.

* [Low] OCSP request/response verification issue. In the case that the
  serial number in the OCSP request differs from the serial number in
  the OCSP response the error from the comparison was not resulting in a
  failed verification. (fixed in 4.8.0)

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile   | 6 +++---
 .../libs/wolfssl/patches/100-disable-hardening-check.patch  | 2 +-
 package/libs/wolfssl/patches/200-ecc-rng.patch  | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 0c95288a2a..6ef80e88a9 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.8.1-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c89ff1be9d..4141e28750 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch 
b/package/libs/wolfssl/patches/200-ecc-rng.patch
index 2d33c06209..d8581be7eb 100644
--- a/package/libs/wolfssl/patches/200-ecc-rng.patch
+++ b/package/libs/wolfssl/patches/200-ecc-rng.patch
@@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl.
 
 --- a/wolfcrypt/src/ecc.c
 +++ b/wolfcrypt/src/ecc.c
-@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void)
+@@ -10938,21 +10938,21 @@ void wc_ecc_fp_free(void)
  
  #endif /* FP_ECC */
  
@@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl.
  
 --- a/wolfssl/wolfcrypt/ecc.h
 +++ b/wolfssl/wolfcrypt/ecc.h
-@@ -584,10 +584,8 @@ WOLFSSL_API
+@@ -616,10 +616,8 @@ WOLFSSL_API
  void wc_ecc_fp_free(void);
  WOLFSSL_LOCAL
  void wc_ecc_fp_init(void);



[PATCH v2 1/2] libtool: bump to 2.4.6

2021-07-28 Thread Eneas U de Queiroz
This updates libtool to its current release, from 2015.  Current patches
were renumbered and given a description text.  The fix in
160-passthrough-ssp.patch is no longer needed.

A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to accommodate
our "SHELL=/usr/bin/env bash" usage.

The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources.  Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.

Signed-off-by: Eneas U de Queiroz 
---
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 .../libtool/patches/001-fix-func_append.patch |  22 --
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 11 files changed, 444 insertions(+), 356 deletions(-)
 delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch

diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index dd4a7f6380..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libtool
 PKG_CPE_ID:=cpe:/a:gnu:libtool
-PKG_VERSION:=2.4
+PKG_VERSION:=2.4.6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=afcce660d3dc54c63a0a5ba3cf05272239dc3c54bbeba20f6bad250f9dc007ae
+PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
 
 HOST_BUILD_PARALLEL:=1
 
@@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \
 define Host/Prepare
$(call Host/Prepare/Default)
(cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 
lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4)
-   (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap)
+   $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+endef
+
+define Host/Configure
+   $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+   $(call Host/Configure/Default)
 endef
 
 define Host/Install
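Review bot: the bootstrap command (`touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force`) appears twice with only the sense of `$(if $(QUILT),...)` inverted; one shared define, plus a comment on why `README-release` is touched and why `--skip-git --force` are needed once patches are applied, would make the QUILT handling self-explanatory and keep the two copies from drifting.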
diff --git a/tools/libtool/patches/000-relocatable.patch 
b/tools/libtool/patches/000-relocatable.patch
index 55265fe533..88d1eaed02 100644
--- a/tools/libtool/patches/000-relocatable.patch
+++ b/tools/libtool/patches/000-relocatable.patch
@@ -1,46 +1,24 @@
 a/libltdl/config/general.m4sh
-+++ b/libltdl/config/general.m4sh
-@@ -45,15 +45,22 @@ progpath="$0"
- M4SH_VERBATIM([[
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
--: ${EGREP="@EGREP@"}
--: ${FGREP="@FGREP@"}
--: ${GREP="@GREP@"}
- : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR="mkdir"}
- : ${MV="mv -f"}
- : ${RM="rm -f"}
--: ${SED="@SED@"}
-+if test -n "$STAGING_DIR"; then
-+  : ${EGREP="$STAGING_DIR/../host/bin/grep -E"}
-+  : ${FGREP="$STAGING_DIR/../host/bin/grep -F"}
-+  : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+  : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+  : ${EGREP="@EGREP@"}
-+  : ${FGREP="@FGREP@"}
-+  : ${GREP="@GREP@"}
-+  : ${SED="@SED@"}
-+fi
- : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
- : ${Xsed="$SED -e 1s/^X//"}
- 
+From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz 
+Date: Tue, 20 Jul 2021 16:41:11 -0300
+Subject: openwrt: make relocatable, search resources relative to STAGING_DIR
+
+This was originally commited to openwrt by Jo-Philipp Wich
+.
+
+(adjusted to v2.4.6)
+Signed-off-by: Eneas U de Queiroz 
+
 --- a/libtoolize.in
 +++ b/libtoolize.in
-@@ -326,15 +326,22 @@ as_unset=as_fn_unset
+@@ -40,11 +40,18 @@
  
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+ : ${AUTOCONF="autoconf"}
+ : ${AUTOMAKE="automake"}
 -: ${EGREP="@EGREP@"}
 -: ${FGREP="@FGREP@"}
 -:

[PATCH] ethtool: fix recursive dependency

2021-08-12 Thread Eneas U de Queiroz
Change the CONFLICTS definition from the alternative package
(ethtool-full) to the main one.

The CONFLICTS line creates a dependency to the conflicting package.

Right now, the dependency would be created in the PACKAGE_ethtool-full
symbol:

config PACKAGE_ethtool-full
depends on m || (PACKAGE_ethtool != y)

When the main package is selected by airmon-ng, it selects
PACKAGE_ethtool, *depending* on the value of PACKAGE_ethtool-full:

config PACKAGE_airmon-ng
select PACKAGE_ethtool if PACKAGE_ethtool-full
---
 package/network/utils/ethtool/Makefile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/package/network/utils/ethtool/Makefile 
b/package/network/utils/ethtool/Makefile
index a82e5c92fa..9889677a16 100644
--- a/package/network/utils/ethtool/Makefile
+++ b/package/network/utils/ethtool/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ethtool
 PKG_VERSION:=5.13
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_MAINTAINER:=Felix Fietkau 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
@@ -31,6 +31,7 @@ define Package/ethtool
   TITLE:=Display or change ethernet card settings
   URL:=http://www.kernel.org/pub/software/network/ethtool/
   VARIANT:=tiny
+  CONFLICTS:=ethtool-full
 endef
 
 define Package/ethtool-full
@@ -38,8 +39,8 @@ define Package/ethtool-full
   TITLE += (full)
   VARIANT:=full
   PROVIDES:=ethtool
-  CONFLICTS:=ethtool
   DEPENDS:=+libmnl
+  CONFLICTS:=
 endef
 
 define Package/ethtool/description
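Review bot: the empty `CONFLICTS:=` in `Package/ethtool-full` is doing real work (it clears the `CONFLICTS:=ethtool-full` the define takes over from `Package/ethtool`, as the `TITLE += (full)` line shows it builds on that define, so the full variant does not conflict with itself) but reads like a leftover. A comment saying so, or placing it directly under `PROVIDES:=ethtool` with that explanation, keeps it from being tidied away and reintroducing the recursive dependency. Also, the commit message lacks the `Signed-off-by:` line the other patches in this thread carry.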



[PATCH] download: improve handling of invalid local files

2021-08-20 Thread Eneas U de Queiroz
4e19cbc5533: [download: handle possibly invalid local tarballs] added a
FORCE rule to downloaded files, so that they will be always checked by
download.pl.

As a side-effect, check-compile will fail, forcing unnecessary package
rebuilds.
The check-compile.txt log shows (for libxml2 for example):
  Considering target file '.../dl/libxml2-2.9.12.tar.gz'.
...
prerequisite 'FORCE' of target '.../dl/libxml2-2.9.12.tar.gz' does
not exist.
Must remake target '.../dl/libxml2-2.9.12.tar.gz'.
...
   Giving up on target file '...libxml2-2.9.12/.prepared_...'.
   Giving up on target file '...libxml2-2.9.12/.configured_...'.
   Giving up on target file '...libxml2-2.9.12/.built'.
   Giving up on target file '...stamp/.libxml2_installed'.
  Giving up on target file '.compile'.

Then the package is rebuilt even if it is not otherwise needed.

To fix this, instead of always forcing the download target to be remade,
check its hash first: if it matches, then the FORCE is not added.

Signed-off-by: Eneas U de Queiroz 
---
 include/download.mk   | 17 +++--
 include/host-build.mk |  2 +-
 include/package.mk|  2 +-
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/include/download.mk b/include/download.mk
index 609956b004..76bd374cf7 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -59,6 +59,21 @@ define dl_tar_pack
{TAR_TIMESTAMP:+--mtime="TAR_TIMESTAMP"} -c $(2) | 
$(call dl_pack,$(1))
 endef
 
+gen_sha256sum = $(shell $(MKHASH) sha256 $(DL_DIR)/$(1))
+
+# Used in Build/CoreTargets and HostBuild/Core as an integrity check for
+# downloaded files.  It will add a FORCE rule if the sha256 hash does not
+# match, so that the download can be more thoroughly handled by download.pl.
+define check_download_integrity
+  expected_hash:=$(strip $(if $(filter-out x,$(HASH)),$(HASH),$(MIRROR_HASH)))
+  $$(if $$(and $(FILE),$$(wildcard $(DL_DIR)/$(FILE)), \
+  $$(filter undefined,$$(flavor DownloadChecked/$(FILE, \
+$$(eval DownloadChecked/$(FILE):=1) \
+$$(if $$(filter-out $$(call gen_sha256sum,$(FILE)),$$(expected_hash)), \
+  $(DL_DIR)/$(FILE): FORCE) \
+  )
+endef
+
 ifdef CHECK
 check_escape=$(subst ','\'',$(1))
 #')
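Review bot: when neither `HASH` nor `MIRROR_HASH` is set, `expected_hash` is empty, `$$(filter-out <actual>,)` is empty, and no `FORCE` rule is added, so a local file with no known hash is accepted without download.pl ever looking at it. That is the opposite of the pre-patch behaviour (unconditional `FORCE`) and undoes the point of 4e19cbc5533 for exactly the packages that have no hash to check; treat an empty `expected_hash` the same as a mismatch. Also, as printed the line `$$(filter undefined,$$(flavor DownloadChecked/$(FILE, \` has no closing parentheses for `$(FILE)`, `flavor`, `filter` and `and`; please confirm the committed line balances them.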
@@ -74,8 +89,6 @@ else
   check_warn = $(if $(filter-out undefined,$(origin F_$(1))),$(filter ,$(shell 
$(call F_$(1),$(2),$(3),$(4)) >&2)),$(check_warn_nofix))
 endif
 
-gen_sha256sum = $(shell $(MKHASH) sha256 $(DL_DIR)/$(1))
-
 ifdef FIXUP
 F_hash_deprecated = $(SCRIPT_DIR)/fixup-makefile.pl $(CURDIR)/Makefile 
fix-hash $(3) $(call gen_sha256sum,$(1)) $(2)
 F_hash_mismatch = $(F_hash_deprecated)
diff --git a/include/host-build.mk b/include/host-build.mk
index e4a5c48e72..cfa29419aa 100644
--- a/include/host-build.mk
+++ b/include/host-build.mk
@@ -180,7 +180,7 @@ ifndef DUMP
 clean-build: host-clean-build
   endif
 
-  $(DL_DIR)/$(FILE): FORCE
+  $(call check_download_integrity)
 
   $(_host_target)host-prepare: $(HOST_STAMP_PREPARED)
   $(_host_target)host-configure: $(HOST_STAMP_CONFIGURED)
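Review bot: `$(call check_download_integrity)` reads $(HASH), $(MIRROR_HASH) and $(FILE) at expansion time, whereas the `$(DL_DIR)/$(FILE): FORCE` line it replaces needed only FILE; it therefore relies on the Download/Default variables already being set when HostBuild/Core is evaluated. A one-line comment stating that ordering requirement would save the next reader from a silently empty expected_hash.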
diff --git a/include/package.mk b/include/package.mk
index db0a869dab..55d9352072 100644
--- a/include/package.mk
+++ b/include/package.mk
@@ -183,7 +183,7 @@ define Build/CoreTargets
   $(call Build/Autoclean)
   $(call DefaultTargets)
 
-  $(DL_DIR)/$(FILE): FORCE
+  $(call check_download_integrity)
 
   download:
$(foreach hook,$(Hooks/Download),
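Review bot: the DownloadChecked/$(FILE) guard is keyed on the file name alone, so when a host package and a target package share one tarball only the first call decides whether FORCE is added, using that package's HASH; if two packages ever pin different hashes for the same FILE the second is silently ignored. Worth saying in the comment, or keying the guard on FILE plus expected_hash.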

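The hash-then-FORCE decision described in the commit message above, as an added example that is not part of the patch or of the OpenWrt build system: a POSIX shell function (its names, dl_sha256 and dl_needs_refetch, are this example's own) that applies the same rules to a cached tarball, including the "x" placeholder for an unset PKG_HASH and the unpinned case, so the behaviour can be checked by hand outside make.

```shell
#!/bin/sh
# Added example, not OpenWrt build-system code: the decision that
# check_download_integrity makes in make, as a shell function that can be
# run by hand against a dl/ directory.  dl_sha256 and dl_needs_refetch are
# this example's own names.

# SHA-256 of a file, using whichever digest tool the host provides.
dl_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# dl_needs_refetch FILE HASH [MIRROR_HASH]
#   HASH is PKG_HASH; "x" (or empty) means "unset, use PKG_MIRROR_HASH",
#   mirroring the expected_hash line of the patch.
# Exit status 0: the download rule should be forced (file missing, or the
# cached file's digest differs from the pinned one).
# Exit status 1: the cached file is acceptable and nothing should be rebuilt.
dl_needs_refetch() {
    _file=$1
    _hash=$2
    _mirror=${3-}
    case "$_hash" in
        ""|x) _expected=$_mirror ;;
        *)    _expected=$_hash ;;
    esac
    # Nothing cached: the download has to run regardless of any hash.
    [ -f "$_file" ] || return 0
    # No pinned digest at all: the make version adds no FORCE here either,
    # so an unpinned tarball is never re-verified.  Same behaviour here,
    # but it is the one case with no integrity guarantee.
    [ -n "$_expected" ] || return 1
    _actual=$(dl_sha256 "$_file")
    [ "$_actual" = "$_expected" ] && return 1
    return 0
}

# Example invocation against a real tree (hash is the one pinned in the
# openssl 1.1.1l bump further down this page):
#   dl_needs_refetch dl/openssl-1.1.1l.tar.gz \
#       0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 \
#       && echo "refetch" || echo "cached copy verified"
```

The function deliberately returns "refetch" on a mismatch rather than deleting the file itself, matching the patch's split of responsibilities: the make side only decides whether FORCE is added, and download.pl then handles the mismatched file.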


[PATCH] openssl: bump to 1.1.1l

2021-08-26 Thread Eneas U de Queiroz
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile| 4 ++--
 .../410-eng_devcrypto-add-configuration-options.patch| 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 11e5ecfccb..3f5fe90d9c 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=k
+PKG_BUGFIX:=l
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
+PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
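Review bot: PKG_HASH is the only integrity control on this fetch, since the PKG_SOURCE_URL list above includes plain ftp:// mirrors with no transport authentication; please state in the commit message that the new value was taken from the upstream-published SHA256 (OpenSSL ships .sha256 and .asc files beside each tarball) rather than from a downloaded copy.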
diff --git 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
index 8745364cf2..6d0fbfc982 100644
--- 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
+++ 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
@@ -1,4 +1,4 @@
-From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Sat, 3 Nov 2018 15:41:10 -0300
 Subject: eng_devcrypto: add configuration options
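Review bot: the refreshed header now reads `From  Mon Sep 17 00:00:00 2001`, i.e. the upstream commit id 1c2fabcdb34e436286b4a8760cfbfbff11ea551a has been dropped from the From line. Keep the id (or remove the From line entirely) so the backported patch stays traceable to its upstream commit; the pull-request URL further down in the patch is a weaker reference since one PR can cover several commits.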
@@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte 
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a2c9a966f7..5ec38ca8f3 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -16,6 +16,7 @@
@@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644
  
/**
   *
   * LOAD / UNLOAD
-@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int()
+@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int()
  
  if (!ENGINE_set_id(e, "devcrypto")
  || !ENGINE_set_name(e, "/dev/crypto engine")



[PATCH 21.02] openssl: bump to 1.1.1l

2021-08-26 Thread Eneas U de Queiroz
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile| 4 ++--
 .../410-eng_devcrypto-add-configuration-options.patch| 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 5a20db660a..0397ab90c4 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=k
+PKG_BUGFIX:=l
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
+PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
index 8745364cf2..6d0fbfc982 100644
--- 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
+++ 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
@@ -1,4 +1,4 @@
-From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Sat, 3 Nov 2018 15:41:10 -0300
 Subject: eng_devcrypto: add configuration options
@@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte 
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a2c9a966f7..5ec38ca8f3 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -16,6 +16,7 @@
@@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644
  
/**
   *
   * LOAD / UNLOAD
-@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int()
+@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int()
  
  if (!ENGINE_set_id(e, "devcrypto")
  || !ENGINE_set_name(e, "/dev/crypto engine")



[PATCH 19.07 1/2] openssl: use --cross-compile-prefix in Configure

2021-08-26 Thread Eneas U de Queiroz
This sets the --cross-compile-prefix option when running Configure, so
that it will not use the host gcc to figure out, among other
things, compiler defines.  It avoids errors, if the host 'gcc' is
handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz 
Tested-by: Rosen Penev 
(cherry picked from commit 2f75348923e564f1b73fbc32f7cabc355cd6e2b9)
---

Besides the fix for clang, I'm cherry-picking this to sync 21.02 and
19.07 Makefiles.

 package/libs/openssl/Makefile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 8f74fbcf7d..17049dd57e 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -335,6 +335,7 @@ define Build/Configure
--prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
+   --cross-compile-prefix="$(TARGET_CROSS)" \
$(TARGET_CPPFLAGS) \
$(TARGET_LDFLAGS) \
$(OPENSSL_OPTIONS) && \
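Review bot: with --cross-compile-prefix="$(TARGET_CROSS)" Configure now probes the prefixed compiler for its defines, but the compiler actually used is still only passed as CC="$(TARGET_CC)" to make in the hunk below; if TARGET_CC is ever not "$(TARGET_CROSS)gcc", the two stages would probe different compilers. Either pass CC to Configure as well or note the assumption in the commit message.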
@@ -347,14 +348,12 @@ TARGET_LDFLAGS += -Wl,--gc-sections
 
 define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-   CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \
OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \
$(OPENSSL_MAKEFLAGS) \
all
$(MAKE) -C $(PKG_BUILD_DIR) \
-   CROSS_COMPILE="$(TARGET_CROSS)" \
CC="$(TARGET_CC)" \
DESTDIR="$(PKG_INSTALL_DIR)" \
$(OPENSSL_MAKEFLAGS) \



[PATCH 19.07 2/2] openssl: bump to 1.1.1l

2021-08-26 Thread Eneas U de Queiroz
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile   | 6 +++---
 .../410-eng_devcrypto-add-configuration-options.patch   | 5 ++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 17049dd57e..0397ab90c4 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=k
+PKG_BUGFIX:=l
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
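Review bot: PKG_RELEASE drops back from 2 to 1 here, which is right for a version bump, but it also makes this patch depend on 1/2 in the series (the pre-image index 17049dd57e is the post-image of 1/2); say so in the commit message so the two are not picked separately onto 19.07.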
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
+PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
index 8745364cf2..6d0fbfc982 100644
--- 
a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
+++ 
b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch
@@ -1,4 +1,4 @@
-From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Sat, 3 Nov 2018 15:41:10 -0300
 Subject: eng_devcrypto: add configuration options
@@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte 
 (Merged from https://github.com/openssl/openssl/pull/7585)
 
 diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c
-index a2c9a966f7..5ec38ca8f3 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/crypto/engine/eng_devcrypto.c
 @@ -16,6 +16,7 @@
@@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644
  
/**
   *
   * LOAD / UNLOAD
-@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int()
+@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int()
  
  if (!ENGINE_set_id(e, "devcrypto")
  || !ENGINE_set_name(e, "/dev/crypto engine")



[PATCH v2] libtool: bump to 2.4.6

2021-09-13 Thread Eneas U de Queiroz
This updates libtool to its current release, from 2015.  Current patches
were renumbered and given a description text.  The fix in
160-passthrough-ssp.patch is no longer needed.

A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to accommodate
our "SHELL=/usr/bin/env bash" usage.

The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources.  Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.

Signed-off-by: Eneas U de Queiroz 
---
Changelog:

Rebased after upgrade to 2.4.2

---
 tools/libtool/Makefile|  11 +-
 tools/libtool/patches/000-relocatable.patch   | 108 ++---
 tools/libtool/patches/100-libdir-fixes.patch  |  97 +++-
 ...10-dont-use-target-dir-for-relinking.patch |  51 ++--
 .../120-strip-unsafe-dirs-for-relinking.patch |  36 +--
 ...ingslash.patch => 130-trailingslash.patch} |  33 +--
 ...140-don-t-quote-SHELL-in-Makefile.am.patch |  72 ++
 ...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
 .../libtool/patches/160-passthrough-ssp.patch |  12 -
 .../patches/200-openwrt-branding.patch| 134 ++-
 10 files changed, 444 insertions(+), 334 deletions(-)
 rename tools/libtool/patches/{150-trailingslash.patch => 
130-trailingslash.patch} (57%)
 create mode 100644 
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
 create mode 100644 
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
 delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch

diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index 2bc9db7d0d..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libtool
 PKG_CPE_ID:=cpe:/a:gnu:libtool
-PKG_VERSION:=2.4.2
+PKG_VERSION:=2.4.6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=1d7b6862c1ed162e327f083a6f78f40eae29218f0db8c38393d61dab764c4407
+PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
 
 HOST_BUILD_PARALLEL:=1
 
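Review bot: PKG_SOURCE_URL:=@GNU/$(PKG_NAME) resolves to a mirror list, so PKG_HASH is the sole integrity check on the new tarball; please confirm the value against the GNU-signed release (the .sig beside libtool-2.4.6.tar.xz) rather than a mirror download. Since PKG_CPE_ID is set, the version bump also changes which CVE entries match this package, which is worth a word in the commit message.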
@@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \
 define Host/Prepare
$(call Host/Prepare/Default)
(cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4 
lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4)
-   (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap)
+   $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+endef
+
+define Host/Configure
+   $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release; 
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+   $(call Host/Configure/Default)
 endef
 
 define Host/Install
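Review bot: the bootstrap invocation `(cd $(HOST_BUILD_DIR); touch README-release; $(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force)` is duplicated verbatim between Host/Prepare and Host/Configure with only the $(QUILT) test inverted; factor it into one define called from both places so the two copies cannot drift. The `touch README-release` also needs a comment saying why bootstrap wants that file.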
diff --git a/tools/libtool/patches/000-relocatable.patch 
b/tools/libtool/patches/000-relocatable.patch
index 6d1651be31..88d1eaed02 100644
--- a/tools/libtool/patches/000-relocatable.patch
+++ b/tools/libtool/patches/000-relocatable.patch
@@ -1,46 +1,24 @@
 a/libltdl/config/general.m4sh
-+++ b/libltdl/config/general.m4sh
-@@ -45,15 +45,22 @@ progpath="$0"
- M4SH_VERBATIM([[
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
--: ${EGREP="@EGREP@"}
--: ${FGREP="@FGREP@"}
--: ${GREP="@GREP@"}
- : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR="mkdir"}
- : ${MV="mv -f"}
- : ${RM="rm -f"}
--: ${SED="@SED@"}
-+if test -n "$STAGING_DIR"; then
-+  : ${EGREP="$STAGING_DIR/../host/bin/grep -E"}
-+  : ${FGREP="$STAGING_DIR/../host/bin/grep -F"}
-+  : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+  : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+  : ${EGREP="@EGREP@"}
-+  : ${FGREP="@FGREP@"}
-+  : ${GREP="@GREP@"}
-+  : ${SED="@SED@"}
-+fi
- : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
- : ${Xsed="$SED -e 1s/^X//"}
- 
+From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz 
+Date: Tue, 20 Jul 2021 16:41:11 -0300
+Subject: openwrt: make relocatable, search resources relative to STAGING_DIR
+
+This was originally commited to openwrt by Jo-Philipp Wich
+.
+
+(adjusted to v2.4.6)
+Signed-off-by: Eneas U de Queiroz 
+
 --- a/libtoolize.in
 +++ b/libtoolize.in
-@@ -334,15 +334,22 @@ as_unset=as_fn_unset
+@@ -40,11 +40,18 @@
  
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+ : ${AUTOCONF="autoconf"}
+ : ${AUTOMAKE="automake"}
 -: ${EGREP="@EGREP@"}
 -: ${FGREP="@FGREP@"}
 -: ${GREP="@GREP@"}
  : ${LN_S="@LN_S@"}
- : ${MAKE="mak
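Review bot: the new patch header says "commited" (should be "committed"), and it does not mention that the override block moved from libltdl/config/general.m4sh, which this hunk removes, to libtoolize.in; one sentence on that move would help whoever rebases this onto the next libtool.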

[PATCH 21.02 0/2] wolfssl: bump to v4.8.1-stable

2021-09-14 Thread Eneas U de Queiroz
I've added a trivial patch to allow compilation with libtool 2.4,
currently used in 21.02.  I have not used a separate commit for that, to
not introduce a commit that does not build.  Let me know if I should
rather split this.

I'm cherry-picking a commit to allow compilation with gcc 10, to keep it
in sync with master.  While not the default, building with gcc 10 is an
option for 21.02.

Eneas

Ivan Pavlov (1):
  wolfssl: update to 4.8.1-stable

Stijn Tintel (1):
  wolfssl: fix build with GCC 10 on 32 x86 targets

 package/libs/wolfssl/Makefile |   6 +-
 ...change-asm-snippets-to-get-compiling.patch | 116 ++
 .../patches/100-disable-hardening-check.patch |   2 +-
 .../patches/110-build-with-libtool-2.4.patch  |  13 ++
 .../libs/wolfssl/patches/200-ecc-rng.patch|   4 +-
 5 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 
package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
 create mode 100644 
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch




[PATCH 21.02 1/2] wolfssl: fix build with GCC 10 on 32 x86 targets

2021-09-14 Thread Eneas U de Queiroz
From: Stijn Tintel 

Backport upstream patch to fix build with GCC 10 on 32 x86 targets.

Signed-off-by: Stijn Tintel 
(cherry picked from commit 718a4f47806da8f68cb8f1fe2ebecf403e14ae96)
---
 ...change-asm-snippets-to-get-compiling.patch | 123 ++
 1 file changed, 123 insertions(+)
 create mode 100644 
package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch

diff --git 
a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
 
b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
new file mode 100644
index 00..091b241285
--- /dev/null
+++ 
b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
@@ -0,0 +1,123 @@
+From fa8f23284d4689c2a737204b337b58d966dcbd8c Mon Sep 17 00:00:00 2001
+From: Sean Parkinson 
+Date: Fri, 20 Aug 2021 10:23:38 +1000
+Subject: [PATCH] Maths x86 asm: change asm snippets to get compiling
+
+TFM:
+  Use register or memory for c0, c1, c2 in SQRADD and SQRADD2.
+SP:
+  Use register or memory for vl, vh, vo in SP_ASM_MUL_ADD,
+SP_ASM_MUL_ADD2 and SP_ASM_SQR_ADD.
+---
+ wolfcrypt/src/asm.c| 29 -
+ wolfcrypt/src/sp_int.c |  6 +++---
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/wolfcrypt/src/asm.c b/wolfcrypt/src/asm.c
+index b7f53d073..a37e75e02 100644
+--- a/wolfcrypt/src/asm.c
 b/wolfcrypt/src/asm.c
+@@ -698,33 +698,39 @@ __asm__( \
+ 
+ #define SQRADD(i, j)  \
+ __asm__(  \
+- "movl  %6,%%eax \n\t"\
++ "movl  %3,%%eax \n\t"\
+  "mull  %%eax\n\t"\
+  "addl  %%eax,%0 \n\t"\
+  "adcl  %%edx,%1 \n\t"\
+  "adcl  $0,%2\n\t"\
+- :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i) 
:"%eax","%edx","cc");
++ :"+rm"(c0), "+rm"(c1), "+rm"(c2) \
++ : "m"(i) \
++ :"%eax","%edx","cc");
+ 
+ #define SQRADD2(i, j) \
+ __asm__(  \
+- "movl  %6,%%eax \n\t"\
+- "mull  %7   \n\t"\
++ "movl  %3,%%eax \n\t"\
++ "mull  %4   \n\t"\
+  "addl  %%eax,%0 \n\t"\
+  "adcl  %%edx,%1 \n\t"\
+  "adcl  $0,%2\n\t"\
+  "addl  %%eax,%0 \n\t"\
+  "adcl  %%edx,%1 \n\t"\
+  "adcl  $0,%2\n\t"\
+- :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i), "m"(j) 
 :"%eax","%edx", "cc");
++ :"+rm"(c0), "+rm"(c1), "+rm"(c2) \
++ : "m"(i), "m"(j) \
++ :"%eax","%edx", "cc");
+ 
+ #define SQRADDSC(i, j)\
+-__asm__( \
++__asm__(  \
+  "movl  %3,%%eax \n\t"\
+  "mull  %4   \n\t"\
+  "movl  %%eax,%0 \n\t"\
+  "movl  %%edx,%1 \n\t"\
+  "xorl  %2,%2\n\t"\
+- :"=r"(sc0), "=r"(sc1), "=r"(sc2): "g"(i), "g"(j) :"%eax","%edx","cc");
++ :"=r"(sc0), "=r"(sc1), "=r"(sc2) \
++ : "g"(i), "g"(j) \
++ :"%eax","%edx","cc");
+ 
+ #define SQRADDAC(i, j)\
+ __asm__(  \
+@@ -733,7 +739,9 @@ __asm__(  \
+  "addl  %%eax,%0 \n\t"\
+  "adcl  %%edx,%1 \n\t"\
+  "adcl  $0,%2\n\t"\
+- :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), 
"g"(j) :"%eax","%edx","cc");
++ :"=r"(sc0), "=r"(sc1), "=r"(sc2) \
++ : "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j)   \
++ :"%eax","%edx","cc");
+ 
+ #define SQRADDDB  \
+ __asm__(  \
+@@ -743,7 +751,10 @@ __asm__(  
\
+  "addl %6,%0 \n\t"\
+  "adcl %7,%1 \n\t"   
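Review bot: SQRADD and SQRADD2 switch to "+rm" read-write operands and renumber i/j to %3/%4 accordingly, while SQRADDAC (and SQRADDDB below it) keep the older `"=r"(sc0)... : "0"(sc0), "1"(sc1), "2"(sc2)` tied-operand form; that is functionally equivalent but inconsistent within one hunk, so consider "+r" there as well. Since these macros are the column accumulators behind TFM's RSA/ECC multiply, the commit message should say that wolfCrypt's self-test (make check) was run on a 32-bit x86 GCC 10 build, not only that it now compiles.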

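To show what the constraint rewrite in the asm hunk above changes and does not change, here is an added example that is not wolfSSL's code and not part of either wolfssl message in this thread (the 2/2 refresh carries the same patch): the SQRADD and SQRADD2 column-accumulate steps in the patched "+rm" form, checked against a portable 64-bit reference over inputs chosen to carry out of every word. The type and function names (acc3, ref_add, sqradd_matches_reference) are this example's own; on a non-x86 host the macros fall back to the reference so the file still builds.

```c
/* Added example, not wolfSSL code: the SQRADD/SQRADD2 steps from the patch
 * in their "+rm" form, compared against a portable reference.  Names
 * (acc3, ref_add, sqradd_matches_reference) are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Three-word column accumulator, as used by TFM's comba squaring. */
typedef struct { uint32_t c0, c1, c2; } acc3;

/* Portable reference: acc += x*y, applied twice when dbl is set, with the
 * carries propagated c0 -> c1 -> c2 (c2 wraps, like "adcl $0,%2"). */
static void ref_add(acc3 *a, uint32_t x, uint32_t y, int dbl)
{
    uint64_t p = (uint64_t)x * y;
    int reps = dbl ? 2 : 1;
    for (int k = 0; k < reps; k++) {
        uint64_t s = (uint64_t)a->c0 + (uint32_t)p;
        a->c0 = (uint32_t)s;
        s = (uint64_t)a->c1 + (uint32_t)(p >> 32) + (s >> 32);
        a->c1 = (uint32_t)s;
        a->c2 += (uint32_t)(s >> 32);
    }
}

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
#define SQRADD_BACKEND "x86 inline asm"
/* c2:c1:c0 += i*i.  The accumulator words are read-write ("+rm"), so i is
 * operand %3, exactly as in the patched macro; the old form had separate
 * "=r" outputs tied to "0"/"1"/"2" inputs and referenced i as %6. */
#define SQRADD(c0, c1, c2, i)                 \
    __asm__(                                  \
        "movl  %3,%%eax \n\t"                 \
        "mull  %%eax    \n\t"                 \
        "addl  %%eax,%0 \n\t"                 \
        "adcl  %%edx,%1 \n\t"                 \
        "adcl  $0,%2    \n\t"                 \
        : "+rm"(c0), "+rm"(c1), "+rm"(c2)     \
        : "m"(i)                              \
        : "%eax", "%edx", "cc")

/* c2:c1:c0 += 2*i*j, done as two carried additions of the same product. */
#define SQRADD2(c0, c1, c2, i, j)             \
    __asm__(                                  \
        "movl  %3,%%eax \n\t"                 \
        "mull  %4       \n\t"                 \
        "addl  %%eax,%0 \n\t"                 \
        "adcl  %%edx,%1 \n\t"                 \
        "adcl  $0,%2    \n\t"                 \
        "addl  %%eax,%0 \n\t"                 \
        "adcl  %%edx,%1 \n\t"                 \
        "adcl  $0,%2    \n\t"                 \
        : "+rm"(c0), "+rm"(c1), "+rm"(c2)     \
        : "m"(i), "m"(j)                      \
        : "%eax", "%edx", "cc")
#else
#define SQRADD_BACKEND "portable C"
/* Non-x86 hosts: route through the reference so the file still builds. */
#define SQRADD(c0, c1, c2, i) do { acc3 t_ = { c0, c1, c2 }; \
    ref_add(&t_, (i), (i), 0); c0 = t_.c0; c1 = t_.c1; c2 = t_.c2; } while (0)
#define SQRADD2(c0, c1, c2, i, j) do { acc3 t_ = { c0, c1, c2 }; \
    ref_add(&t_, (i), (j), 1); c0 = t_.c0; c1 = t_.c1; c2 = t_.c2; } while (0)
#endif

/* Run both accumulate steps over constructed inputs chosen to produce carries
 * out of every column, and compare with the reference.  Returns 1 on match. */
int sqradd_matches_reference(void)
{
    static const uint32_t v[] = { 0u, 1u, 0x7fffffffu, 0x80000000u,
                                  0xfffffffeu, 0xffffffffu, 0xdeadbeefu };
    const size_t n = sizeof v / sizeof v[0];
    for (size_t a = 0; a < n; a++) {
        for (size_t b = 0; b < n; b++) {
            uint32_t i = v[a], j = v[b];
            acc3 asm_acc = { 0xffffffffu, 0xffffffffu, 5u };  /* start on a carry edge */
            acc3 ref_acc = asm_acc;
            SQRADD(asm_acc.c0, asm_acc.c1, asm_acc.c2, i);
            SQRADD2(asm_acc.c0, asm_acc.c1, asm_acc.c2, i, j);
            ref_add(&ref_acc, i, i, 0);
            ref_add(&ref_acc, i, j, 1);
            if (asm_acc.c0 != ref_acc.c0 || asm_acc.c1 != ref_acc.c1 ||
                asm_acc.c2 != ref_acc.c2)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("%s: %s\n", SQRADD_BACKEND,
           sqradd_matches_reference() ? "matches reference" : "MISMATCH");
    return 0;
}
```

Build it with the compiler under suspicion (on x86, `gcc-10 -m32 -O2` reproduces the setting the patch is about) and run it; an accumulator mismatch is a miscompile in the very routine that RSA and ECC arithmetic rests on, which is why a reviewer asks for the self-test rather than only a clean build.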
[PATCH 21.02 2/2] wolfssl: update to 4.8.1-stable

2021-09-14 Thread Eneas U de Queiroz
From: Ivan Pavlov 

Changes from 4.7.0:
  Fix one high (OCSP verification issue) and two low vulnerabilities
  Improve compatibility layer
  Other improvements and fixes

For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases

Signed-off-by: Ivan Pavlov 
(cherry picked from commit 7d92bb0509615550b98e2dc71091073c8258d564)
[Added patch to allow compilation with libtool 2.4]
Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile   |  6 +++---
 ...m-change-asm-snippets-to-get-compiling.patch | 17 +
 .../patches/100-disable-hardening-check.patch   |  2 +-
 .../patches/110-build-with-libtool-2.4.patch| 13 +
 package/libs/wolfssl/patches/200-ecc-rng.patch  |  4 ++--
 5 files changed, 24 insertions(+), 18 deletions(-)
 create mode 100644 
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 030a0224f5..ba9ec44cd9 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.8.1-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
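Review bot: PKG_SOURCE_URL points at a GitHub auto-generated archive (archive/v$(PKG_VERSION)) rather than a release asset; those tarballs are produced on the fly and their bytes are not guaranteed stable, so a later PKG_HASH failure may come from the archive changing rather than from tampering. If wolfSSL publishes a signed release tarball, prefer that; otherwise note in the commit that the hash was computed from a freshly fetched copy and matches the value in the 19.07 patch of this series.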
diff --git 
a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
 
b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
index 091b241285..763f9e8d06 100644
--- 
a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
+++ 
b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch
@@ -13,8 +13,6 @@ SP_ASM_MUL_ADD2 and SP_ASM_SQR_ADD.
  wolfcrypt/src/sp_int.c |  6 +++---
  2 files changed, 23 insertions(+), 12 deletions(-)
 
-diff --git a/wolfcrypt/src/asm.c b/wolfcrypt/src/asm.c
-index b7f53d073..a37e75e02 100644
 --- a/wolfcrypt/src/asm.c
 +++ b/wolfcrypt/src/asm.c
 @@ -698,33 +698,39 @@ __asm__( \
@@ -64,7 +62,7 @@ index b7f53d073..a37e75e02 100644
  
  #define SQRADDAC(i, j)\
  __asm__(  \
-@@ -733,7 +739,9 @@ __asm__(  \
+@@ -733,7 +739,9 @@ __asm__(
   "addl  %%eax,%0 \n\t"\
   "adcl  %%edx,%1 \n\t"\
   "adcl  $0,%2\n\t"\
@@ -75,7 +73,7 @@ index b7f53d073..a37e75e02 100644
  
  #define SQRADDDB  \
  __asm__(  \
-@@ -743,7 +751,10 @@ __asm__(  
\
+@@ -743,7 +751,10 @@ __asm__(
   "addl %6,%0 \n\t"\
   "adcl %7,%1 \n\t"\
   "adcl %8,%2 \n\t"\
@@ -87,11 +85,9 @@ index b7f53d073..a37e75e02 100644
  
  #elif defined(TFM_X86_64)
  /* x86-64 optimized */
-diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c
-index 6070faaa9..d26702e47 100644
 --- a/wolfcrypt/src/sp_int.c
 +++ b/wolfcrypt/src/sp_int.c
-@@ -477,7 +477,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, 
sp_int_digit lo,
+@@ -476,7 +476,7 @@ static WC_INLINE sp_int_digit sp_div_wor
  "addl %%eax, %[l] \n\t"\
  "adcl %%edx, %[h] \n\t"\
  "adcl $0   , %[o] \n\t"\
@@ -100,7 +96,7 @@ index 6070faaa9..d26702e47 100644
  : [a] "r" (va), [b] "r" (vb) \
  : "eax", "edx", "cc" \
  )
-@@ -503,7 +503,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, 
sp_int_digit lo,
+@@ -502,7 +502,7 @@ static WC_INLINE sp_int_digit sp_div_wor
  "addl %%eax, %[l] \n\t"\
  "adcl %%edx, %[h] \n\t"\
  "adcl $0   , %[o] \n\t"\
@@ -109,7 +105,7 @@ index 6070faaa9..d26702e47 100644
  : [a] "r" (va), [b] "r" (vb) \
  : "eax", "edx", "cc" \
  )
-@@ -542,7 +542,7 @@ static WC_INLINE sp_int_digit sp_div_word(sp_int_digit hi, 
sp_int_digit lo,
+@@ -541,7 +541,7 @@ static WC_INLINE sp_int_digit sp_div_wor
  

[PATCH 19.07] wolfssl: update to 4.8.1-stable

2021-09-14 Thread Eneas U de Queiroz
From: Ivan Pavlov 

Changes from 4.7.0:
  Fix one high (OCSP verification issue) and two low vulnerabilities
  Improve compatibility layer
  Other improvements and fixes

For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases

Signed-off-by: Ivan Pavlov 
(cherry picked from commit 7d92bb0509615550b98e2dc71091073c8258d564)
[Added patch to allow compilation with libtool 2.4]
Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile   |  4 ++--
 .../patches/100-disable-hardening-check.patch   |  2 +-
 .../patches/110-build-with-libtool-2.4.patch| 13 +
 3 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 57fcaa03b2..4940316f1b 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
+PKG_VERSION:=4.8.1-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c89ff1be9d..4141e28750 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch 
b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
new file mode 100644
index 00..206c6dac6a
--- /dev/null
+++ b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index 144c857e4..de7f6b45a 100644
+--- a/configure.ac
 b/configure.ac
+@@ -32,7 +32,7 @@ AC_ARG_PROGRAM
+ 
+ AC_CONFIG_HEADERS([config.h:config.in])
+ 
+-LT_PREREQ([2.4.2])
++LT_PREREQ([2.4])
+ LT_INIT([disable-static win32-dll])
+ 
+ #shared library versioning
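Review bot: the new 110-build-with-libtool-2.4.patch has no description header and still carries the `diff --git`/`index` lines, unlike the refreshed 001 patch in this series which drops them; add a short header saying it lowers LT_PREREQ only because this branch's libtool predates 2.4.2 and that it is a build-only change with no effect on the produced library.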



[PATCH] ramips: fix ralink_i2s_debugfs_remove declaration

2021-09-20 Thread Eneas U de Queiroz
Correct ralink_i2s_debugfs_remove declaration in ralink patches when
CONFIG_DEBUG_FS is not selected.

Signed-off-by: Eneas U de Queiroz 
---

Fixes the following error, when compiling without DEBUG_FS:

sound/soc/ralink/ralink-i2s.c:678:53: warning: 'struct fsl_ssi_dbg' declared 
inside parameter list will not be visible outside of this definition or 
declaration
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
 ^~~
sound/soc/ralink/ralink-i2s.c: In function 'ralink_i2s_probe':
sound/soc/ralink/ralink-i2s.c:935:28: error: passing argument 1 of 
'ralink_i2s_debugfs_remove' from incompatible pointer type 
[-Werror=incompatible-pointer-types]
  ralink_i2s_debugfs_remove(i2s);
^~~
sound/soc/ralink/ralink-i2s.c:678:66: note: expected 'struct fsl_ssi_dbg *' but 
argument is of type 'struct ralink_i2s *'
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
  ^~~
sound/soc/ralink/ralink-i2s.c: In function 'ralink_i2s_remove':
sound/soc/ralink/ralink-i2s.c:947:28: error: passing argument 1 of 
'ralink_i2s_debugfs_remove' from incompatible pointer type 
[-Werror=incompatible-pointer-types]
  ralink_i2s_debugfs_remove(i2s);
^~~
sound/soc/ralink/ralink-i2s.c:678:66: note: expected 'struct fsl_ssi_dbg *' but 
argument is of type 'struct ralink_i2s *'
 static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
  ^~~
At top level:
sound/soc/ralink/ralink-i2s.c:146:13: warning: 'ralink_i2s_dump_regs' defined 
but not used [-Wunused-function]
 static void ralink_i2s_dump_regs(struct ralink_i2s *i2s)
 ^~~~
cc1: some warnings being treated as errors
make[7]: *** [scripts/Makefile.build:280: sound/soc/ralink/ralink-i2s.o] Error 1
make[6]: *** [scripts/Makefile.build:497: sound/soc/ralink] Error 2
make[5]: *** [scripts/Makefile.build:497: sound/soc] Error 2
make[4]: *** [Makefile:1822: sound] Error 2

 .../linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch | 2 +-
 .../linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)



diff --git a/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch 
b/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch
index 255c8d751a..680b678168 100644
--- a/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch
+++ b/target/linux/ramips/patches-5.10/835-asoc-add-mt7620-support.patch
@@ -738,7 +738,7 @@ Signed-off-by: John Crispin 
 +  return 0;
 +}
 +
-+static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
++static inline void ralink_i2s_debugfs_remove(struct ralink_i2s *i2s)
 +{
 +}
 +#endif
diff --git a/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch 
b/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch
index cffdc4f4a1..4b9c877a7f 100644
--- a/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch
+++ b/target/linux/ramips/patches-5.4/0048-asoc-add-mt7620-support.patch
@@ -738,7 +738,7 @@ Signed-off-by: John Crispin 
 +  return 0;
 +}
 +
-+static inline void ralink_i2s_debugfs_remove(struct fsl_ssi_dbg *ssi_dbg)
++static inline void ralink_i2s_debugfs_remove(struct ralink_i2s *i2s)
 +{
 +}
 +#endif
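Review bot: the build log quoted above also reports ralink_i2s_dump_regs defined but not used once DEBUG_FS is off; this patch only fixes the stub's parameter type, which is enough to clear the -Werror failure, but moving ralink_i2s_dump_regs under the same #ifdef as the debugfs helpers would leave the no-DEBUG_FS build warning-free as well.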



Re: [PATCH] ramips: switch to kernel 5.10

2021-09-27 Thread Eneas U de Queiroz
On Thu, Sep 9, 2021 at 5:49 AM Rui Salvaterra  wrote:
>
> Tested on mt7621 (Redmi AC2100) and running stable for several months.
>
> Signed-off-by: Rui Salvaterra 
> ---

Tested on rt3883: Asus RT-N56U

Tested-by: Eneas U de Queiroz 



[PATCH 0/1] build: scripts/config - update to kconfig-v5.14

2021-11-24 Thread Eneas U de Queiroz
I'm updating the Kconfig programs in scripts/config, from Linux 5.6 to
5.14.  The changes are not critical to openwrt, but regular updates
ease the transition to an eventual newer version with more desirable
features.

The biggest impact here is the removal of the obsolete ---help--- symbol,
which had been deprecated in favor of plain 'help'.

This has been menuconfig-tested with different targets for almost a
month without problems.

The changes I made to the upstream kconfig for this version can be seen
at https://github.com/cotequeiroz/linux/commits/openwrt-5.14/scripts/kconfig

Eneas U de Queiroz (1):
  build: scripts/config - update to kconfig-v5.14

 Config.in  |2 +-
 scripts/config/.gitignore  |   30 +-
 scripts/config/Makefile|   62 +-
 scripts/config/README  |9 +-
 scripts/config/conf.c  |  451 --
 scripts/config/confdata.c  |  279 +---
 scripts/config/expr.h  |6 -
 scripts/config/images.c|   30 +-
 scripts/config/images.h|   30 +-
 scripts/config/internal.h  |9 +
 scripts/config/lexer.l |8 +-
 scripts/config/lexer.lex.c | 2468 ++--
 scripts/config/lkc.h   |   68 +-
 scripts/config/lkc_proto.h |   15 +-
 scripts/config/lxdialog/util.c |4 +-
 scripts/config/mconf-cfg.sh|4 +-
 scripts/config/mconf.c |   15 +-
 scripts/config/menu.c  |   26 +-
 scripts/config/nconf.c |   59 +-
 scripts/config/nconf.gui.c |  284 ++--
 scripts/config/nconf.h |   51 +-
 scripts/config/parser.tab.c| 1804 ++-
 scripts/config/parser.tab.h|  120 +-
 scripts/config/parser.y|   57 +-
 scripts/config/preprocess.c|2 +-
 scripts/config/qconf-cfg.sh|   14 +-
 scripts/config/qconf.cc| 1056 +++---
 scripts/config/qconf.h |  160 +--
 scripts/config/symbol.c|   30 +-
 target/sdk/files/Config.in |2 +-
 30 files changed, 3221 insertions(+), 3934 deletions(-)
 create mode 100644 scripts/config/internal.h




Re: [PATCH 0/1] build: scripts/config - update to kconfig-v5.14

2021-11-25 Thread Eneas U de Queiroz
On Thu, Nov 25, 2021 at 4:54 AM Florian Eckert  wrote:
>
> Hello Eneas,
>
>
> I've been looking at this too and wanted to update.
> Since I wasn't there from the beginning, I don't know what all OpenWrt
> changes.
> Hence my suggestion:
> Can't we put the changes OpenWrt makes to the source code into a patch
> directory
> and then patch that with 'quilt' like we do with all the other packages?
> That would make the task easier for others to update this too.

I don't think we should keep the patches along with the main sources,
but it may be beneficial to create an official repository under the
openwrt infrastructure.

What I had done was to create a fork of 'linux', and applied the
openwrt patches on top of that.  You can see my current version, which
resulted in the patch I just sent, here:
https://github.com/cotequeiroz/linux/commits/openwrt-5.14/scripts/kconfig
I don't think anyone can review the openwrt patch without looking at
the commits I applied.

Getting all of those commits together took some effort when I first
did it.  I was in the same situation as you are, but I really wanted
the much better dependency view that the new kernel had.  That was my
motivation then.  I documented the changes the best I could.
It resulted in this branch:
https://github.com/cotequeiroz/linux/tree/openwrt-b2c55d50f8

Then fast-forwarding them was also time-consuming, because of the high
number of commits to adapt, especially the many changes to the
Makefile.
I remember doing it in two ways: starting from the openwrt version of
kconfig and applying the linux updates ("linux-on-top-of-openwrt"
branch, stale after the review); and rebasing the openwrt changes on
top of kconfig-5.6, which ended up being the final version (openwrt
branch--I should have added a version to it), to see how close I would
get the two versions. I added the link to the branch I used in the
README.

At least now the Makefile was less subject to change, and our
modifications have become straightforward and clean.  There have been
some syntax adjustments (notably the removal of '---help---'), but
when we moved from 5.4 to 5.10, our kernel patches had to be adapted
as well.

This is why I think it is beneficial to update this regularly, keeping it fresh.

Cheers,

Eneas



Re: [PATCH 19.07] wolfssl: update to 4.8.1-stable

2021-12-14 Thread Eneas U de Queiroz
On Sun, Dec 12, 2021 at 12:11 PM Petr Štetiar  wrote:
>
> I'm wondering if we can do such an upgrade as the binary compatibility report
> for wolfSSL 4.7.0 vs 4.8.0 looks quite scary to me. Would it be possible to just
> backport those patches which fix those security related issues?
>

Most wolfSSL releases have binary compatibility issues.  I would not
recommend that anyone update just the package, even if the
abi-laboratory report were less scary.  This illustrates well the
problem with binary package updates that jow wants to address.

I was not sure if it would be acceptable to do the version update, but
then we went from 4.3.0 in 19.07.0 to 4.5.0 in 19.07.4, then 4.6.0 in
19.07.5, and 4.7.0 in 19.07.8, so why not 4.8.1?

OpenWrt 19.07 support is officially limited to security maintenance,
so we can cherry-pick a couple of wolfssl commits instead:
73076940a Fix CompareOcspReqResp.
f93083be7 OCSP: improve handling of OCSP no check extension

(excluding tests):
src/ssl.c   |  2 +-
 wolfcrypt/src/asn.c | 19 ---
 wolfssl/wolfcrypt/asn.h |  1 +
3 files changed, 14 insertions(+), 8 deletions(-)

Just let me know what's the best approach here.

After this is done--whether update or patch--I intend to propose a
patch to build with WOLFSSL_ALT_CERT_CHAINS to avoid the problems with
letsencrypt certificates.  One can argue that it is a security fix,
considering that the alternative is to skip certificate validation.
If this is going to be NAKed, then I'll skip the trouble.

BTW, wolfssl 5.0.0 is out, but I've been unable to make it work with
the letsencrypt certificates even with the build option active--there
may be other problems that I don't recall now; I haven't looked at it
lately.  I'll return to it when able.  Meanwhile, I'll try to get
patches for the security problems that were fixed.

Cheers,

Eneas



[PATCH] openssl: bump to 1.1.1m

2021-12-31 Thread Eneas U de Queiroz
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
---

Tested on mediatek/Linksys E8450 using hostapd & nginx.

 package/libs/openssl/Makefile   |  6 +++---
 ...perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch | 13 +++--
 .../patches/100-Configure-afalg-support.patch   |  2 +-
 3 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 0512abdc48..9e7482117d 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=l
+PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
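Review bot: PKG_HASH is the only integrity check applied to the downloaded tarball, so the new value in this hunk should be confirmed against the SHA-256 published for openssl-1.1.1m.tar.gz before merge rather than taken on trust from the patch; the PKG_RELEASE reset to 1 in the first hunk is the right thing for a version bump.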
diff --git 
a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
 
b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
index bdc0509f8c..e52a3d52ea 100644
--- 
a/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
+++ 
b/package/libs/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch
@@ -1,7 +1,7 @@
-From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001
+From  Mon Sep 17 00:00:00 2001
 From: Andy Polyakov 
 Date: Sun, 5 May 2019 18:25:50 +0200
-Subject: [PATCH] crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
+Subject: crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -14,12 +14,8 @@ endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, 
etc.)
 Reviewed-by: Paul Dale 
 Reviewed-by: Richard Levitte 
 (Merged from https://github.com/openssl/openssl/pull/8883)

- crypto/perlasm/ppc-xlate.pl | 8 
- 1 file changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
-index e52f2f6ea6..5fcd0526df 100755
 --- a/crypto/perlasm/ppc-xlate.pl
 +++ b/crypto/perlasm/ppc-xlate.pl
 @@ -49,7 +49,7 @@ my $globl = sub {
@@ -49,7 +45,7 @@ index e52f2f6ea6..5fcd0526df 100755
  my $mtspr = sub {
  my ($f,$idx,$ra) = @_;
  if ($idx == 256 && $no_vrsave) {
-@@ -320,7 +320,7 @@ while($line=<>) {
+@@ -318,7 +318,7 @@ while($line=<>) {
if ($label) {
my $xlated = ($GLOBALS{$label} or $label);
print "$xlated:";
@@ -58,6 +54,3 @@ index e52f2f6ea6..5fcd0526df 100755
if ($TYPES{$label} =~ /function/) {
printf "\n.localentry   %s,0\n",$xlated;
}
--- 
-2.31.1
-
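Review bot: the refreshed header drops the upstream commit id from the From line and removes the diffstat and the '2.31.1' trailer from the patch body; nothing functional changes, and the '(Merged from https://github.com/openssl/openssl/pull/8883)' line still identifies where the change came from, but if the refresh tooling permits it, keeping the commit id on the From line makes the backport easier to audit against upstream.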
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..d8789f4b45 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -12,7 +12,7 @@ diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";



[PATCH 21.02] openssl: bump to 1.1.1m

2022-01-03 Thread Eneas U de Queiroz
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
(cherry picked from commit def9565be632b316c82ffc5a7b28c789e9df75b4)
---
 package/libs/openssl/Makefile | 4 ++--
 .../libs/openssl/patches/100-Configure-afalg-support.patch| 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 0397ab90c4..e8e10524ca 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=l
+PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..d8789f4b45 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -12,7 +12,7 @@ diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";



[PATCH] hostapd: fallback to psk when generating r0kh/r1kh

2022-01-07 Thread Eneas U de Queiroz
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well.  In
this case,  auth_secret is empty, and the default value of the key can
be computed from the SSID alone.

Fall back to using $key when auth_secret is empty.  While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.

Signed-off-by: Eneas U de Queiroz 
---

This should be cherry-picked to 21.02 as well.

 package/network/services/hostapd/files/hostapd.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh 
b/package/network/services/hostapd/files/hostapd.sh
index d9d5f34877..e00fc21cd9 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -876,10 +876,10 @@ hostapd_set_bss_options() {
set_default pmk_r1_push 0
 
[ -n "$r0kh" -a -n "$r1kh" ] || {
-   key=`echo -n 
"$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'`
+   ft_key=`echo -n 
"$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'`
 
-   set_default r0kh 
"ff:ff:ff:ff:ff:ff,*,$key"
-   set_default r1kh 
"00:00:00:00:00:00,00:00:00:00:00:00,$key"
+   set_default r0kh 
"ff:ff:ff:ff:ff:ff,*,$ft_key"
+   set_default r1kh 
"00:00:00:00:00:00,00:00:00:00:00:00,$ft_key"
}
 
[ -n "$r1_key_holder" ] && append bss_conf 
"r1_key_holder=$r1_key_holder" "$N"
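Review bot: `${auth_secret:-${key}}` still leaves the r0kh/r1kh default a pure function of the mobility domain when both auth_secret and key are empty (an open BSS with ieee80211r enabled), so the predictable-key case the commit message describes survives in that corner; consider skipping default generation or logging a warning there. The rename to ft_key is necessary, since the old line assigned to $key and thereby overwrote the PSK that the script carries in the same variable.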



Re: [PATCH ustream-ssl] add compatibility for wolfssl >= 5.0

2022-01-10 Thread Eneas U de Queiroz
Can someone please take a look at this?
The patch is rather trivial.  The affected function,
handle_wolfssl_asn_error is static, and its only caller is passing the
return value of SSL_get_error(), from libwolfssl; so there should be
no ordinary way to pass r=-159, which would be required to trigger a
possible regression.

It's a blocker to update wolfssl to 5.1.1, which fixes a handful of
security vulnerabilities.

Cheers,

Eneas

On Sat, Jan 1, 2022 at 5:09 PM Sergey V. Lobanov  wrote:
> Related PR: https://github.com/openwrt/openwrt/pull/4910
> >
> > NTRU support has been removed in wolfssl 5.0 so it is required to
> > mask NTRU specific code if wolfssl >= 5.0
> >
> > Signed-off-by: Sergey V. Lobanov 
> > ---
> > ustream-openssl.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/ustream-openssl.c b/ustream-openssl.c
> > index 1ce796a..894dddb 100644
> > --- a/ustream-openssl.c
> > +++ b/ustream-openssl.c
> > @@ -308,7 +308,9 @@ static bool handle_wolfssl_asn_error(struct ustream_ssl 
> > *us, int r)
> >   case ASN_SIG_HASH_E:
> >   case ASN_SIG_KEY_E:
> >   case ASN_DH_KEY_E:
> > +#if LIBWOLFSSL_VERSION_HEX < 0x0500
> >   case ASN_NTRU_KEY_E:
> > +#endif
> >   case ASN_CRIT_EXT_E:
> >   case ASN_ALT_NAME_E:
> >   case ASN_NO_PEM_HEADER:
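Review bot: the guard `#if LIBWOLFSSL_VERSION_HEX < 0x0500` does not do what the commit message says. LIBWOLFSSL_VERSION_HEX carries the full version as 0xMMmmppxx (4.7.0 is 0x04007000), so the comparison is false for every 4.x release as well and the `case ASN_NTRU_KEY_E:` label is compiled out unconditionally; that is the regression the reply above alludes to, where an r equal to that error code would no longer be matched on 4.x. Compare against 0x05000000 instead so the case is kept on versions that still define NTRU.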
> > --
> > 2.30.1 (Apple Git-130)



[PATCH 19.07] openssl: bump to 1.1.1m

2022-01-10 Thread Eneas U de Queiroz
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
(cherry picked from commit 5beaa75d94c4a981c580905b84c7ef33caf0c3e2)
---
 package/libs/openssl/Makefile | 4 ++--
 .../libs/openssl/patches/100-Configure-afalg-support.patch| 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 0397ab90c4..e8e10524ca 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=l
+PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+PKG_HASH:=f89199be8b23ca45fc7cb9f1d8d3ee67312318286ad030f5316aca6462db6c96
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..d8789f4b45 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -12,7 +12,7 @@ diff --git a/Configure b/Configure
 index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";



[PATCH 19.07 v2 0/3] wolfssl security updates

2022-02-14 Thread Eneas U de Queiroz
Since a straight version bump is not feasible, I'm applying a couple of
cherry-picks of security fixes:

73076940a Fix CompareOcspReqResp
f93083be7 OCSP: improve handling of OCSP no check extension
  (CVE-2021-38597)

Also included in the series is a patch to build the library with
the "Alternate certificate validation" option WOLFSSL_ALT_CERT_CHAINS,
allowing uclient-fetch to connect to servers using the default Let's
Encrypt chain that contains the certificate cross-signed by the expired
DST Root CA X3 certificate.

The original series was made when 4.8.1 was the current version in
master.  Since then, some more low-severity vulnerabilities were
discovered: [1]

- Issue with incorrectly validating a certificate that has multiple
  subject alternative names when given a name constraint. In the case
  where more than one subject alternative name is used in the
  certificate, previous versions of wolfSSL could incorrectly validate
  the certificate. Users verifying certificates with multiple
  alternative names and name constraints are recommended to either use
  the certificate verify callback to check for this case or update the
  version of wolfSSL used. Fixed in 5.0.0.

- Hang with DSA signature creation when a specific q value is used in a
  maliciously crafted key. If a DSA key with an invalid q value of
  either 1 or 0 was decoded and used for creating a signature, it would
  result in a hang in wolfSSL. Users that are creating signatures with
  DSA and are using keys supplied from an outside source are affected.
  Fixed in 5.0.0.

- Client side session resumption issue once the session resumption cache
  has been filled up. The hijacking of a session resumption has been
  demonstrated so far with only non verified peer connections. That is
  where the client is not verifying the server’s CA that it is
  connecting to. There is the potential though for other cases involving
  proxies that are verifying the server to be at risk.

- CVE-2021-44718: Potential for DoS attack on a wolfSSL client due to
  processing hello packets of the incorrect side. This affects only
  connections using TLS v1.2 or less that have also been compromised by
  a man in the middle attack.  A CVE was reserved, but apparently not
  publicized yet.

High-severity CVE-2022-23408 is not included because it affects versions
5.0.0 and 5.1.0 only.

I've started to look at the first vulnerability, but it is not as
straightforward as I was hoping.  Perhaps Luiz Angelo Daros de Luca,
reporter and author of the fixes, can help me out with this.

Applying a large series of fixes may end up creating a new vulnerability
if not done correctly, so we may need to consider the version bump
again.  The ABI version may create trouble for people running opkg
update, but WolfSSL was not the core TLS library in 19.07 yet.

Nonetheless, this series includes the one high-severity vulnerability
(according to wolfssl [1]), CVE-2021-38597, and can be applied before we
decide what to do next.

Cheers,

Eneas

---

v2:
 - Apply two security patches instead of bumping to 4.8.1
 - Added patch to build with alternate certificate validation

[1] https://www.wolfssl.com/docs/security-vulnerabilities/

Andre Heider (1):
  wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

Eneas U de Queiroz (2):
  wolfssl: Fix OCSP request/response verification
  wolfssl: Fix CVE-2021-38597

 package/libs/wolfssl/Makefile |   8 +-
 .../patches/200-Fix-CompareOcspReqResp.patch  | 224 ++
 ...-handling-of-OCSP-no-check-extension.patch |  49 
 3 files changed, 279 insertions(+), 2 deletions(-)
 create mode 100644 
package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch
 create mode 100644 
package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch




[PATCH 19.07 v2 2/3] wolfssl: Fix CVE-2021-38597

2022-02-14 Thread Eneas U de Queiroz
OCSP verification issue when response is for a certificate with no
relation to the chain in question BUT that response contains the NoCheck
extension which effectively disables ALL verification of that one cert.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile |  2 +-
 ...-handling-of-OCSP-no-check-extension.patch | 49 +++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 
package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 631576a58e..d123e7a875 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git 
a/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
 
b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
new file mode 100644
index 00..6fb62b2033
--- /dev/null
+++ 
b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
@@ -0,0 +1,49 @@
+From  Mon Sep 17 00:00:00 2001
+From: Sean Parkinson 
+Date: Fri, 16 Jul 2021 12:19:39 +1000
+Subject: [PATCH] OCSP: improve handling of OCSP no check extension
+
+(cherry picked from commit f93083be72a3b3d956b52a7ec13f307a27b6e093)
+
+diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
+index bbf71e3c1..966035f5b 100644
+--- a/wolfcrypt/src/asn.c
 b/wolfcrypt/src/asn.c
+@@ -9751,9 +9751,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int 
verify, void* cm)
+ }
+ 
+ #ifdef HAVE_OCSP
+-/* trust for the lifetime of the responder's cert*/
+-if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
+-verify = NO_VERIFY;
++if (verify == VERIFY_OCSP_CERT) {
++/* trust for the lifetime of the responder's cert*/
++if (cert->ocspNoCheckSet)
++verify = VERIFY;
++else
++verify = VERIFY_OCSP;
++}
+ #endif
+ /* advance past extensions */
+ cert->srcIdx = cert->sigIndex;
+@@ -17542,7 +17546,7 @@ static int DecodeBasicOcspResponse(byte* source, 
word32* ioIndex,
+ 
+ /* Don't verify if we don't have access to Cert Manager. */
+ ret = ParseCertRelative(&cert, CERT_TYPE,
+-noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
++noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
+ if (ret < 0) {
+ WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
+ FreeDecodedCert(&cert);
+diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
+index e412c1d06..e3cddf5b4 100644
+--- a/wolfssl/wolfcrypt/asn.h
 b/wolfssl/wolfcrypt/asn.h
+@@ -589,6 +589,7 @@ enum VerifyType {
+ VERIFY_OCSP = 3,
+ VERIFY_NAME = 4,
+ VERIFY_SKIP_DATE = 5,
++VERIFY_OCSP_CERT = 6,
+ };
+ 
+ #ifdef WOLFSSL_CERT_EXT
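Review bot: the asn.c part of this hunk is the substantive fix: a responder certificate carrying the no-check extension used to flip `verify` to NO_VERIFY, skipping chain verification of that certificate entirely, and now gets VERIFY (full chain check, with only the OCSP lookup for that one cert skipped), while DecodeBasicOcspResponse requests the new VERIFY_OCSP_CERT mode so that existing VERIFY_OCSP callers keep their behaviour. For the 4.7.0 backport, confirm that asn.h in that tree has no VerifyType member after VERIFY_SKIP_DATE = 5, so VERIFY_OCSP_CERT = 6 does not collide, and that the hunk applies at the shifted line numbers without fuzz.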



[PATCH 19.07 v2 1/3] wolfssl: Fix OCSP request/response verification

2022-02-14 Thread Eneas U de Queiroz
In the case that the serial number in the OCSP request differs from the
serial number in the OCSP response the error from the comparison was not
resulting in a failed verification.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile |   2 +-
 .../patches/200-Fix-CompareOcspReqResp.patch  | 224 ++
 2 files changed, 225 insertions(+), 1 deletion(-)
 create mode 100644 
package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 57fcaa03b2..631576a58e 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch 
b/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch
new file mode 100644
index 00..9661a2b752
--- /dev/null
+++ b/package/libs/wolfssl/patches/200-Fix-CompareOcspReqResp.patch
@@ -0,0 +1,224 @@
+From  Mon Sep 17 00:00:00 2001
+From: Hayden Roche 
+Date: Tue, 27 Apr 2021 13:54:43 -0700
+Subject: [PATCH] Fix CompareOcspReqResp.
+
+There was a bug in this function that could cause a match to be reported even
+when the OCSP request and response in fact had a mismatch.
+
+(cherry picked from commit 73076940af8904f98eee085994c176fe1876b95a)
+
+diff --git a/src/ssl.c b/src/ssl.c
+index 14a160dc2..289ffb941 100644
+--- a/src/ssl.c
 b/src/ssl.c
+@@ -6503,7 +6503,7 @@ WOLFSSL_API int 
wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm,
+ {
+ int ret;
+ 
+-WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
++WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSPResponse");
+ if (cm == NULL || response == NULL)
+ return BAD_FUNC_ARG;
+ if (cm->ocspEnabled == 0)
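Review bot: this src/ssl.c hunk only corrects the WOLFSSL_ENTER label to match wolfSSL_CertManagerCheckOCSPResponse; the CompareOcspReqResp logic fix named in the subject is not in it. The diffstat quoted earlier in the thread for this cherry-pick lists 19 lines in wolfcrypt/src/asn.c and one in wolfssl/wolfcrypt/asn.h, so check that those hunks are present in the 224-line file (the archived message is cut off before them) and that the new tests/api.c case builds under the 4.7.0 test configuration, since it is compiled only when OPENSSL_ALL or one of the listed compatibility defines is set.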
+diff --git a/tests/api.c b/tests/api.c
+index 6b3af3092..72bfc9aae 100644
+--- a/tests/api.c
 b/tests/api.c
+@@ -1091,6 +1091,170 @@ static int test_cm_load_ca_file(const char* 
ca_cert_file)
+ }
+ #endif /* !NO_FILESYSTEM && !NO_CERTS */
+ 
++static void test_wolfSSL_CertManagerCheckOCSPResponse(void)
++{
++#ifdef HAVE_OCSP
++/* Need one of these for wolfSSL_OCSP_REQUEST_new. */
++#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
++defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \
++defined(HAVE_LIGHTY)
++WOLFSSL_CERT_MANAGER* cm = NULL;
++/* Captured with Wireshark using ocsp.test. */
++byte response[] = {
++0x30, 0x82, 0x06, 0x3b, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x06, 0x34, 
0x30, 0x82, 0x06, 0x30, 0x06,
++0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 
0x82, 0x06, 0x21, 0x30, 0x82,
++0x06, 0x1d, 0x30, 0x81, 0xbf, 0xa2, 0x16, 0x04, 0x14, 0x21, 0x29, 
0x0a, 0x15, 0x08, 0xdd, 0x79,
++0x01, 0x7c, 0xa3, 0xc6, 0x11, 0xe9, 0xbf, 0x8a, 0x33, 0x82, 0x53, 
0xc4, 0x0c, 0x18, 0x0f, 0x32,
++0x30, 0x32, 0x31, 0x30, 0x34, 0x32, 0x37, 0x32, 0x30, 0x32, 0x35, 
0x35, 0x36, 0x5a, 0x30, 0x6f,
++0x30, 0x6d, 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 
0x02, 0x1a, 0x05, 0x00, 0x04,
++0x14, 0x9c, 0x4c, 0x71, 0x15, 0xc3, 0x02, 0x19, 0xca, 0x36, 0xdc, 
0xb9, 0x8b, 0x21, 0x33, 0x00,
++0x4c, 0xa4, 0xa7, 0x8e, 0xd3, 0x04, 0x14, 0xdd, 0xb3, 0xe7, 0x6d, 
0xa8, 0x2e, 0xe8, 0xc5, 0x4e,
++0x6e, 0xcf, 0x74, 0xe6, 0x75, 0x3c, 0x94, 0x15, 0xce, 0xe8, 0x1d, 
0x02, 0x0c, 0x6f, 0x9c, 0x01,
++0x78, 0x1c, 0x21, 0x80, 0x32, 0x25, 0x4a, 0x73, 0x2b, 0x80, 0x00, 
0x18, 0x0f, 0x32, 0x30, 0x32,
++0x31, 0x30, 0x34, 0x32, 0x37, 0x32, 0x30, 0x32, 0x35, 0x35, 0x36, 
0x5a, 0xa0, 0x11, 0x18, 0x0f,
++0x32, 0x30, 0x32, 0x31, 0x30, 0x35, 0x30, 0x31, 0x32, 0x30, 0x32, 
0x35, 0x35, 0x36, 0x5a, 0xa1,
++0x23, 0x30, 0x21, 0x30, 0x1f, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 
0x05, 0x07, 0x30, 0x01, 0x02,
++0x04, 0x12, 0x04, 0x10, 0xc0, 0x42, 0x27, 0x55, 0xaf, 0xc4, 0x5c, 
0x34, 0xe1, 0xc8, 0xef, 0x5b,
++0x31, 0xb1, 0x78, 0xe9, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 
0x86, 0xf7, 0x0d, 0x01, 0x01,
++0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x54, 0x1b, 0x9e, 
0x10, 0x0f, 0x82, 0x2c, 0x8e,
++0xd7, 0xdd, 0xf2, 0xec, 0x9c, 0x6c, 0x04, 0x5d, 0x57, 0x69, 0xcd, 
0x30, 0x1b, 0xe8, 0xd4, 0x5d,
++0xd4, 0x03, 0x97, 0xd1, 0x33, 0x78, 0x34, 0xdb, 0xc2, 0x4c, 0xc1, 
0x8a, 0xee, 0xc7, 0x18, 0x6a,
++0xe3, 0x6d, 0x59, 0x1b, 0xed, 0xf5, 0x87, 0xff, 0x9d, 0x11, 0xff, 
0x5a, 0xa5, 0x12, 0x93, 0x0e,
++0xc7, 0x67, 0xa4, 0x37, 0xb2, 0x8b, 0xba, 0xab, 0xe1, 0x29, 0x33, 
0xe9, 0xf8, 0x10, 0x1d, 0xbf,
++0x7c, 0x2b, 0x2e, 0x2e, 0x0b, 0x58, 0x5d, 0x8e, 0x0c, 0x44, 0xe2, 
0x1d, 0x73, 0x2a, 0x8a, 0x6a,
++ 

[PATCH 19.07 v2 3/3] wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

2022-02-14 Thread Eneas U de Queiroz
From: Andre Heider 

"Alternate certification chains, as opposed to requiring full chain
validation. Certificate validation behavior is relaxed, similar to
openssl and browsers. Only the peer certificate must validate to a trusted
certificate. Without this, all certificates sent by a peer must be
used in the trust chain or the connection will be rejected."

This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
Encrypt certificate which are cross-signed by the now expired
DST Root CA X3, see [0].

This is the recommended solution from upstream [1].

The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793

Signed-off-by: Andre Heider 
[bump PKG_RELEASE]
Signed-off-by: David Bauer 
(cherry picked from commit 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3)
[adjust to v4.7.0 Makefile]
Signed-off-by: Eneas U de Queiroz 
---
 package/libs/wolfssl/Makefile | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index d123e7a875..4394b9ea4f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
@@ -56,7 +56,11 @@ define Package/libwolfssl/config
source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer
+TARGET_CFLAGS += \
+   $(FPIC) \
+   -fomit-frame-pointer \
+   -DFP_MAX_BITS=8192 \
+   -DWOLFSSL_ALT_CERT_CHAINS
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
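Review bot: adding -DWOLFSSL_ALT_CERT_CHAINS to TARGET_CFLAGS changes certificate validation for every consumer of libwolfssl, not only uclient-fetch and curl: per the quoted description, only the peer certificate must chain to a trusted root and the intermediates a peer sends no longer have to be trusted themselves. That is the intended relaxation, but the size figures in the commit message were measured on libwolfssl.so.4.8.1 in master and do not apply to the 4.7.0 library this backport builds; re-measure or say so in the message.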



Re: [PATCH 19.07 v2 0/3] wolfssl security updates

2022-02-17 Thread Eneas U de Queiroz
On Mon, Feb 14, 2022 at 10:16 PM Luiz Angelo Daros de Luca
 wrote:

> Sure. And I do have interest in getting it fixed.

I've done most of the work here:
https://github.com/cotequeiroz/openwrt/tree/wolfssl-4.7.0-backport

However, I got stuck with this issue, about a MitM attack when the
client-side resumption cache is full:
https://www.cybersecurity-help.cz/vulnerabilities/59103/

The patch for it is over 1,500 lines, and I would not be so confident
that backporting changes in many places will not create a new problem.
https://github.com/wolfSSL/wolfssl/commit/569c066fabbddd59e407ff5cf6be8156149df69a

libcurl and hostapd use client-side session resumption, so openwrt is
possibly impacted.  I don't know if the session cache can get filled
by hostapd or not, but with libcurl, anything is possible.  They both
use the wolfSSL_get_session call, not the wolfSSL_get1_session that
would avoid/work around the problem.

Wolfssl should get bumped to 5.1.1 despite the API/ABI/soname change.

Cheers



Re: [PATCH] hostapd: fallback to psk when generating r0kh/r1kh

2022-02-18 Thread Eneas U de Queiroz
I sent this a while ago.  Can anyone review this (Felix, as the
author of the r0kh/r1kh generator?).

On Fri, Jan 7, 2022 at 5:19 PM Eneas U de Queiroz  wrote:
>
> The 80211r r0kh and r1kh defaults are generated from the md5sum of
> "$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
> authentication, but the default key is used for SAE/PSK as well.  In
> this case,  auth_secret is empty, and the default value of the key can
> be computed from the SSID alone.
>
> Fall back to using $key when auth_secret is empty.  While at it, rename
> the variable holding the generated key from 'key' to 'ft_key', to avoid
> clobbering the PSK.
>
> Signed-off-by: Eneas U de Queiroz 
> ---
>
> This should be cherry-picked to 21.02 as well.
>
>  package/network/services/hostapd/files/hostapd.sh | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/network/services/hostapd/files/hostapd.sh 
> b/package/network/services/hostapd/files/hostapd.sh
> index d9d5f34877..e00fc21cd9 100644
> --- a/package/network/services/hostapd/files/hostapd.sh
> +++ b/package/network/services/hostapd/files/hostapd.sh
> @@ -876,10 +876,10 @@ hostapd_set_bss_options() {
> set_default pmk_r1_push 0
>
> [ -n "$r0kh" -a -n "$r1kh" ] || {
> -   key=`echo -n 
> "$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'`
> +   ft_key=`echo -n 
> "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'`
>
> -   set_default r0kh 
> "ff:ff:ff:ff:ff:ff,*,$key"
> -   set_default r1kh 
> "00:00:00:00:00:00,00:00:00:00:00:00,$key"
> +   set_default r0kh 
> "ff:ff:ff:ff:ff:ff,*,$ft_key"
> +   set_default r1kh 
> "00:00:00:00:00:00,00:00:00:00:00:00,$ft_key"
> }
>
> [ -n "$r1_key_holder" ] && append bss_conf 
> "r1_key_holder=$r1_key_holder" "$N"
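Review bot: with `${auth_secret:-${key}}` the fallback still degrades to the md5sum of `$mobility_domain/` when `key` is empty as well, so a BSS with neither an EAP secret nor a PSK keeps getting an SSID-derived default; consider guarding the r0kh/r1kh defaults with `[ -n "${auth_secret:-$key}" ]` (or at least logging) so an unkeyed BSS does not silently get a predictable FT key. Since the variable is renamed to `ft_key`, it is also worth confirming that nothing later in hostapd_set_bss_options still reads `key` expecting the derived value.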


So that one can grasp a bit better what this is about--the commit
message was under par--see this post:

https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81?u=cotequeiroz

Basically, if you have ieee80211r=1, ft_psk_generate_local=0, and have
not set up r0kh or r1kh, then hostapd.sh will generate a 128-bit key
from the 2-byte mobility domain (defaults to the first 2 bytes of the
SSID md5sum) and the auth_secret.

The intention of the script originally was to support just EAP, so it
uses the auth_secret to generate a key.  However, it is possible
(ft_psk_generate_local does not work with SAE) to use generated keys
when using PSK, in which case auth_secret will not be ordinarily set,
and the default key can be trivially computed.

Cheers,

Eneas



Re: [PATCH] hostapd: fallback to psk when generating r0kh/r1kh

2022-02-18 Thread Eneas U de Queiroz
Hi David

Thanks for looking into this.

On Fri, Feb 18, 2022 at 3:15 PM David Bauer  wrote:

> Just so I get this right - This means the same configuration is
> incompatible between firmware containing this commit and firmware that
> does not? In this case I would not pick it into 21.02.

TLDR: For the use case that was intended, it does not; it will
intentionally break the insecure setup.

Here's the commit message that introduced the defaults:

21eb0a5aa3 hostapd: add default values for r0kh/r1kh

This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)

My understanding is that the intention was to use this for EAP only.
However, the key gets set even if PSK is used.  In that case it will
have an unset 'auth_secret', and that's where this becomes a security
issue.
The FT key is derived from "$mobility_domain/$auth_secret".  If
'auth_secret' is null, then the key is computed from
"$mobility_domain/" only, and 'mobility_domain' itself is computed
from the SSID by default.  At the end, you have an easy, working setup
with a default FT key that can be computed from just the SSID--and
nothing wrong is visible from the user POV.

There are several ways of fixing this:
(1) don't compute r0kh/r1kh if not using EAP.
(2) Use the PSK if auth_secret is unset.
(3) warn the user that a key has not been set, but keep things as they are.

I like (2) because it is useful.  You can get FT working with WPA3-SAE
just by turning 802.11r on and turning off ft_psk_generate_local,
without having to set up the key.

Can there be breakage? Yes, and it is intended.  It'll break the
insecure PSK/FT default setup I described above, when you have some AP
running with the fix and some without it.

EAP setups will not be affected: even if 'key' is set but
'auth_secret' is unset (a possible breakage scenario), the code in
line 682[1] will set 'auth_secret' from 'key' if the former is empty:
[ -n "$auth_secret" ] || json_get_var auth_secret key
So you can't have an EAP setup with 'auth_secret' unset and 'key' set.

(1) will create the same breakage, without adding anything useful.

Cheers,

Eneas

[1] 
https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/hostapd/files/hostapd.sh;h=d9d5f348775debade847f267b1ca1dc86444e41d;hb=HEAD#l682

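
As an added illustration of the derivation discussed in this thread and in the earlier reply (example code, not OpenWrt's hostapd.sh), the script below models the r0kh/r1kh default key computation before and after the `${auth_secret:-${key}}` fallback and adds an audit helper for the weak combination Eneas describes. It assumes the default mobility domain is the first 4 hex digits of the SSID md5sum, uses printf where hostapd.sh uses `echo -n`, and relies on md5sum and cut being available.

```shell
#!/bin/sh
# Added example, not code from OpenWrt's hostapd.sh: models the r0kh/r1kh
# default FT key derivation before and after the ${auth_secret:-${key}}
# fallback, plus an audit helper for the weak combination described in the
# thread (ieee80211r=1, ft_psk_generate_local=0, no r0kh/r1kh, empty
# auth_secret).  printf replaces hostapd.sh's `echo -n`; md5sum/cut assumed.

# Default mobility domain: first 2 bytes (4 hex digits) of the SSID md5sum.
# Assumption: hostapd.sh's exact quoting/newline handling may differ.
default_mobility_domain() {
    printf '%s' "$1" | md5sum | cut -c1-4
}

# Pre-fix derivation: md5("$mobility_domain/$auth_secret").
# With an empty auth_secret the key depends on the mobility domain only,
# and the mobility domain itself defaults to a function of the SSID.
# Arguments: mobility_domain auth_secret
ft_key_before() {
    printf '%s/%s' "$1" "$2" | md5sum | cut -d' ' -f1
}

# Post-fix derivation: an empty auth_secret falls back to the PSK ($key),
# so PSK/SAE networks get a key that cannot be computed from the SSID alone.
# Arguments: mobility_domain auth_secret key
ft_key_after() {
    printf '%s/%s' "$1" "${2:-$3}" | md5sum | cut -d' ' -f1
}

# Audit helper mirroring the pre-fix hostapd.sh conditions.
# Arguments: ieee80211r ft_psk_generate_local r0kh r1kh auth_secret key
# Prints a verdict; returns 0 when the default is not SSID-only, 1 when the
# pre-fix script would derive the FT key from the SSID alone.
check_ft_default_key() {
    if [ "$1" != 1 ]; then
        echo "ok: 802.11r disabled, no FT key derived"; return 0
    fi
    if [ "$2" != 0 ]; then
        echo "ok: ft_psk_generate_local set, r0kh/r1kh defaults not used"; return 0
    fi
    if [ -n "$3" ] && [ -n "$4" ]; then
        echo "ok: r0kh/r1kh set explicitly"; return 0
    fi
    if [ -n "$5" ]; then
        echo "ok: auth_secret contributes to the derived key"; return 0
    fi
    if [ -n "$6" ]; then
        echo "WEAK before the fix: key derived from the SSID only; the fixed script uses the PSK"
    else
        echo "WEAK: neither auth_secret nor key set; default key is SSID-only even after the fix"
    fi
    return 1
}
```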


Re: [PATCH 19.07] wolfssl: bump to 5.1.1-stable

2022-02-20 Thread Eneas U de Queiroz
On Thu, Feb 17, 2022 at 11:51 AM Petr Štetiar  wrote:
>
> This is an amalgamation of backported changes since the 4.7.0-stable release:
>
>  Sergey V. Lobanov (2):
>
>   5b13b0b02c70 wolfssl: update to 5.1.1-stable
>   7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support
>
>  Andre Heider (3):
>
>   3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
>   249478ec4850 wolfssl: always build with --enable-reproducible-build
>   4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
>
>  Ivan Pavlov (1):
>
>   16414718f9ae wolfssl: update to 4.8.1-stable
>
>  David Bauer (1):
>
>   f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng
>
>  Christian Lamparter (1):
>
>   86801bd3d806 wolfssl: fix Ed25519 typo in config prompt
>
> The diff of security related changes we would need to backport would be
> so huge that there would be a high probability of introducing new
> vulnerabilities, so it was decided that bumping to the latest stable
> release is the preferred way of fixing the following security issues:
>
>  * OCSP request/response verification issue. (fixed in 4.8.0)
>  * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 
> (fixed in 4.8.1)
>  * Issue with incorrectly validating a certificate (fixed in 5.0.0)
>  * Hang with DSA signature creation when a specific q value is used (fixed in 
> 5.0.0)
>  * Client side session resumption issue (fixed in 5.1.0)
>  * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 
> 5.1.0)
>  * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)
>
> Cc: Hauke Mehrtens 
> Cc: Eneas U de Queiroz 
> Signed-off-by: Petr Štetiar 
> ---

Acked-by: Eneas U de Queiroz 



[PATCH v4 0/3] openssl: Engine configuration series

2022-02-20 Thread Eneas U de Queiroz
This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

v2->v3:
- actually removed the extra files that I had promised in v2

v3->v4:
- rebased onto current head
- removed non-applicable options from original afalg engine conf file

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile |  55 +-
 package/libs/openssl/engine.mk|  46 
 package/libs/openssl/files/afalg.cnf  |   3 +
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/openssl.init   |  31 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 160 insertions(+), 137 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf

-- 
2.34.1




[PATCH v4 1/3] openssl: config engines in /etc/ssl/engines.cnf.d

2022-02-20 Thread Eneas U de Queiroz
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

Patches were refreshed with --zero-commit.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile |  28 +++--
 package/libs/openssl/files/afalg.cnf  |   3 +
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 101 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 16 files changed, 82 insertions(+), 119 deletions(-)
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/padlock.cnf

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 9e7482117d..737123930c 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
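Review bot: the new /etc/ssl/engines.cnf.d/engines.cnf is installed by libopenssl-conf here, but this patch does not add it to Package/libopenssl-conf/conffiles (the conffiles define still lists only /etc/ssl/openssl.cnf, as the conffiles hunk of patch 2/3 shows), so a user's edited list of enabled engines would be overwritten on package upgrade; add it to conffiles in the same commit that introduces the file.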
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-padlock/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/*padlock.
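Review bot: the per-engine .cnf files installed with $(INSTALL_DATA) into /etc/ssl/engines.cnf.d are not declared as conffiles of their packages, yet the devcrypto description in this same patch tells users to edit /etc/ssl/engines.cnf.d/devcrypto.cnf; either add a Package/libopenssl-devcrypto/conffiles (and padlock/afalg) entry listing the file, or state in the description that local edits are lost on upgrade.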

[PATCH v4 2/3] openssl: configure engine packages during install

2022-02-20 Thread Eneas U de Queiroz
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile | 58 +
 package/libs/openssl/engine.mk| 82 +++
 package/libs/openssl/files/engines.cnf| 12 +--
 .../150-openssl.cnf-add-engines-conf.patch|  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 737123930c..3a0666ff8e 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
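Review bot: `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,...)` and `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,...)` test the literal variable name rather than its value, so both conditions are always true and devcrypto.cnf/padlock.cnf land in conffiles regardless of the build configuration; they should read `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),...)`, matching the install recipe later in this patch, which correctly uses `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),`.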
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-  +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf 
@!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE 
+PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-  @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev 
@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 
+PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-  +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+   $(CP) ./files/

[PATCH v4 3/3] openssl: configure engines with uci

2022-02-20 Thread Eneas U de Queiroz
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

config engine 'devcrypto'
option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it reports which engines are being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile | 13 ++--
 package/libs/openssl/engine.mk| 60 ---
 package/libs/openssl/files/engines.cnf|  7 ---
 package/libs/openssl/files/openssl.init   | 31 ++
 .../150-openssl.cnf-add-engines-conf.patch|  5 +-
 5 files changed, 54 insertions(+), 62 deletions(-)
 delete mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 3a0666ff8e..8ca4d83380 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+   $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
$(1)/etc/init.d/openssl
+   touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo devcrypto=devcrypto >> 
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
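Review bot: `echo -e` is not portable (a POSIX sh `echo` prints the literal `-e` and leaves `\n\t` unexpanded), so the appended `config engine` sections depend on the build host's /bin/sh; `printf "config engine 'devcrypto'\n\toption enabled '1'\n" >> $(1)/etc/config/openssl` is safer. Also, /etc/config/openssl is created with `touch` here but is not added to Package/libopenssl-conf/conffiles in the hunk above, so a package upgrade would reset the engine settings it holds.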
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
-   Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
 
-   opkg install --force-reinstall libopenssl-conf
-   EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
 
-   Then, you will have to reinstall this package, and any other engine 
package you have
-   you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
 
-   opkg install --force-reinstall $$(OSSL_ENG_PKG) 
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+   option enabled '1'
+EOF
 
-   EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then
-cat <<- EOF
-   Your /etc/ssl/openssl.cnf file is not loa
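
As an added example (not OpenWrt's openssl.init, which is not shown on this page) of the engine list generation described in this patch's description, the script below reads the subset of /etc/config/openssl syntax shown above without the uci binary, applies the existence test (an %ENGINE%.cnf in the engines.cnf.d directory or an %ENGINE%.so in the engines directory), honours the 'enabled' default and the 'force' override, and writes "name=name" lines in the format the earlier Makefile wrote into engines.cnf. Directory paths are arguments so the functions can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not OpenWrt's openssl.init: models the engine list
# generation from /etc/config/openssl described in the patch series.
# It parses only "config engine 'x'", "option enabled", "option force",
# applies the existence test, and emits "x=x" lines (engines.cnf format).

# Existence test from the patch description: a configuration file or a
# shared object for the engine.  Arguments: engine cnf_dir engines_dir
engine_exists() {
    [ -f "$2/$1.cnf" ] || [ -f "$3/$1.so" ]
}

# Decide one engine.  Prints the engines.cnf line; returns 1 when skipped.
# Arguments: engine enabled force cnf_dir engines_dir
# 'enabled' defaults to 1 when unset; 'force' bypasses the existence test.
engine_entry() {
    if [ "${2:-1}" != 1 ]; then
        echo "openssl: engine $1 disabled in uci, skipping" >&2
        return 1
    fi
    if [ "$3" = 1 ] || engine_exists "$1" "$4" "$5"; then
        echo "$1=$1"
        return 0
    fi
    echo "openssl: engine $1 not found ($4/$1.cnf, $5/$1.so), skipping; set force '1' to override" >&2
    return 1
}

# Emit the pending section held in the ENG_* globals, then reset them.
flush_engine() {
    if [ -n "$ENG_NAME" ]; then
        engine_entry "$ENG_NAME" "$ENG_ENABLED" "$ENG_FORCE" "$CNF_DIR" "$ENG_DIR" >> "$OUT" || true
    fi
    ENG_NAME=""; ENG_ENABLED=""; ENG_FORCE=""
}

# Generate the engine list.  Arguments: uci_file cnf_dir engines_dir out_file
gen_engines_cnf() {
    CNF_DIR=$2; ENG_DIR=$3; OUT=$4
    q="'"
    : > "$OUT"
    ENG_NAME=""; ENG_ENABLED=""; ENG_FORCE=""
    while read -r kw key val; do
        val=${val#"$q"}; val=${val%"$q"}   # strip the uci quotes
        case "$kw" in
        config)
            flush_engine
            # only 'config engine' sections are of interest
            if [ "$key" = engine ]; then ENG_NAME=$val; fi
            ;;
        option)
            if [ "$key" = enabled ]; then ENG_ENABLED=$val; fi
            if [ "$key" = force ]; then ENG_FORCE=$val; fi
            ;;
        esac
    done < "$1"
    flush_engine
}
```

On a device the equivalent call would be `gen_engines_cnf /etc/config/openssl /etc/ssl/engines.cnf.d /usr/lib/engines-1.1 /var/etc/ssl/engines.cnf`, with the skip messages going to the log.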

[PATCH u-boot] scripts/dtc: Remove redundant YYLOC global declaration

2022-05-05 Thread Eneas U de Queiroz
From: Dirk Mueller 

gcc 10 will default to -fno-common, which causes this error at link
time:

  (.text+0x0): multiple definition of `yylloc'; dtc-lexer.lex.o (symbol from 
plugin):(.text+0x0): first defined here

This is because both dtc-lexer as well as dtc-parser define the same
global symbol yylloc. Before, with -fcommon, those were merged into one
definition. The proper solution would be to mark this as "extern",
however that leads to:

  dtc-lexer.l:26:16: error: redundant redeclaration of 'yylloc' 
[-Werror=redundant-decls]
   26 | extern YYLTYPE yylloc;
  |^~
In file included from dtc-lexer.l:24:
dtc-parser.tab.h:127:16: note: previous declaration of 'yylloc' was here
  127 | extern YYLTYPE yylloc;
  |^~
cc1: all warnings being treated as errors

which means the declaration is completely redundant and can just be
dropped.

Signed-off-by: Dirk Mueller 
Signed-off-by: David Gibson 
[robh: cherry-pick from upstream]
Cc: sta...@vger.kernel.org
Signed-off-by: Rob Herring 
[Cherry-picked from linux e33a814e772cdc36436c8c188d8c42d019fda639]
Signed-off-by: Eneas U de Queiroz 
---

I'm not sure I got the subject line right for this.
This is supposed to go into git.openwrt.org/project/bcm63xx/u-boot.git

I've stumbled upon the error while doing a test build for
https://github.com/openwrt/openwrt/pull/9756

 scripts/dtc/dtc-lexer.l | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/dtc/dtc-lexer.l b/scripts/dtc/dtc-lexer.l
index fd825ebba6..24af549977 100644
--- a/scripts/dtc/dtc-lexer.l
+++ b/scripts/dtc/dtc-lexer.l
@@ -38,7 +38,6 @@ LINECOMMENT   "//".*\n
 #include "srcpos.h"
 #include "dtc-parser.tab.h"
 
-YYLTYPE yylloc;
 extern bool treesource_error;
 
 /* CAUTION: this will stop working if we ever use yyless() or yyunput() */




[PATCH] wolfssl: Update to v4.6.0-stable

2020-12-29 Thread Eneas U de Queiroz
This version fixes a large number of bugs, although no security
vulnerabilities are listed.

Full changelog at:
https://www.wolfssl.com/docs/wolfssl-changelog/
or, as part of the version's README.md:
https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md

Due to a number of API additions, size increases from 374.7K to 408.8K for
arm_cortex_a9_vfpv3-d16.  The ABI does not change from the previous version.

Backported patches were removed; remaining patch was refreshed.

Signed-off-by: Eneas U de Queiroz 
---

Run-tested on a Linksys WRT3200ACM (arm) with uhttpd, uclient-fetch, and
wpad-wolfssl.

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 6758f7dd08..dcc6aca40c 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.5.0-stable
-PKG_RELEASE:=5
+PKG_VERSION:=4.6.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c
+PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
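Review bot: PKG_SOURCE_URL still fetches the GitHub auto-generated archive for the tag (https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)) rather than a published release tarball; GitHub does not guarantee those archives stay byte-identical, so the new PKG_HASH can start failing for everyone later. Prefer a release asset where one exists, or record in the commit message how the hash was produced so it can be re-verified.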
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 43337ba970..c2793285e7 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch 
b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
deleted file mode 100644
index 3838865559..00
--- a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001
-From: Tesfa Mael 
-Date: Wed, 26 Aug 2020 10:13:06 -0700
-Subject: [PATCH] Make ByteReverseWords available for big and little endian
-

- wolfcrypt/src/misc.c | 2 --
- 1 file changed, 2 deletions(-)
-
 a/wolfcrypt/src/misc.c
-+++ b/wolfcrypt/src/misc.c
-@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo
- return rotlFixed(value, 16U);
- #endif
- }
--#if defined(LITTLE_ENDIAN_ORDER)
- /* This routine performs a byte swap of words array of a given count. */
- WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
- word32 byteCount)
-@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord
- out[i] = ByteReverseWord32(in[i]);
- 
- }
--#endif /* LITTLE_ENDIAN_ORDER */
- 
- #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
- 
diff --git a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch 
b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
deleted file mode 100644
index aaf14e46d9..00
--- a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001
-From: Eric Blankenhorn 
-Date: Fri, 17 Jul 2020 08:37:02 -0500
-Subject: [PATCH] Fix CheckHostName matching
-

- src/internal.c | 18 --
- src/ssl.c  |  5 +
- tests/api.c| 30 ++
- 3 files changed, 47 insertions(+), 6 deletions(-)
-
-diff --git a/src/internal.c b/src/internal.c
-index dc57df0242..cda815d875 100644
 a/src/internal.c
-+++ b/src/internal.c
-@@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* 
domain, int* checkCN)
- altName = dCert->altNames;
- 
- if (checkCN != NULL) {
--*checkCN = altName == NULL;
-+*checkCN = (altName == NULL) ? 1 : 0;
- }
- 
- while (altName) {
-@@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* 
domain, int* checkCN)
- int CheckHostName(DecodedCert* dCert, const char *domainName, size_t 
domainNameLen)
- {
- int checkCN;
-+int ret = DOMAIN_NAME_MISMATCH;
- 
- /* Assume name is NUL terminated. */
- (void)domainNameLen;
- 
- if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
--WOLFSSL_MSG("DomainName match on alt names failed too");
--return DOMAIN_NAME_MISMATCH;
-+WOLFSSL_MSG("DomainName match on alt names failed");
- }
-+else {
-+ret = 0;
-+}
-+
- if (checkCN == 1) {
- if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
--domainName) == 0) {
-+   
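Review bot: the two deleted backports (b90acc91d0cd, ByteReverseWords on big endian, and ea5c290d605b, CheckHostName matching) are dropped on the assumption that v4.6.0-stable contains them; the CheckHostName change affects hostname verification, so the commit message should state explicitly that both upstream commits are in the new release rather than only "Backported patches were removed".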

Re: [PATCH] base-files: sysupgrade: store status of system-services

2021-01-11 Thread Eneas U de Queiroz
+1
I agree 100% with Adrian on this one.  Enable by default, add option
to disable.  Disabled services are, intuitively, part of the
configuration being saved.  So, it should not be saved when '-n' is
given.  I may be stretching things a bit, but I would consider this a
fix, not a feature change ;-).

Cheers,

Eneas

On Mon, Jan 11, 2021 at 9:48 AM Adrian Schmutzler
 wrote:
>
> > There are just 2 people (me, Andrew Heider) that would like to see saving
> > service status done by default when sysupgrading, and other 2 people that
> > would like it in its own setting option (Stjin Segers and Paul Spooren).
>
> +1 for saving service status by default. This has always annoyed me when 
> working with "default" images and actually for me it was expected behavior 
> until I found out it is not happening.
> This is a very relevant behavior/feature affecting many of our "standard" 
> users, e.g. when using OpenWrt for "Dump AP" setups where you disable DHCP 
> etc. I'm sure a two-digit percentage of users setting up their device like 
> that won't even be aware that they suddenly have a DHCP running again after 
> upgrade.
>
> Of course, if adding an option to _disable_ is fairly easy, we should do so.
>
> Best
>
> Adrian



Re: Deprecate snort in favor of snort3

2021-01-31 Thread Eneas U de Queiroz
On Sun, Jan 31, 2021 at 3:45 PM W. Michael Petullo  wrote:
>
> OpenWrt provides two snort packages: snort and snort3. Now that snort3 is
> out of beta, I would like to consider deprecating the snort package. One
> difficulty of maintaining both packages is that a different version of
> the libdaq package is required for each. The two versions cannot coexist,
> and this make build-server builds fail.
>
> I do not know how popular the snort package is. I use snort3.
>
> Is dropping snort advisable? If so, what is the procedure?
>
> --
> Mike

I was about to open a PR to have each version of libdaq installed into
its own directory, which would take care of the build failure.
However, I think removing the snort3 package, then bumping the stable
snort to the latest version is the best way to go.  I would not leave
the version number as part of the package name.  If you want to keep
this status quo a little longer, tell me and I'll open the PR.
BTW, I don't use the packages, I was just going to fix the build failure.

Cheers,

Eneas



Re: [PATCH] kernel: DSA roaming fix for Marvell Link Street switch series

2021-02-15 Thread Eneas U de Queiroz
On Tue, Feb 2, 2021 at 6:15 AM DENG Qingfang  wrote:
>
> Marvell Link Street switch series cannot perform MAC learning from
> CPU-injected (FROM_CPU) DSA frames, which results in 2 issues.
> - excessive flooding, due to the fact that DSA treats those addresses
> as unknown
> - the risk of stale routes, which can lead to temporary packet loss
>
> Backport those patch series from netdev mailing list, which solve these
> issues by adding and clearing static entries to the switch's FDB.
>
> Add a hack patch to set default VID to 1 in port_fdb_{add,del}. Otherwise
> the static entries will be added to the switch's private FDB if VLAN
> filtering disabled, which will not work.
>
> Link: 
> https://lore.kernel.org/netdev/20210106095136.224739-1-olte...@gmail.com/
> Link: 
> https://lore.kernel.org/netdev/20210116012515.3152-1-tob...@waldekranz.com/
> Link: https://lore.kernel.org/netdev/20210130134334.10243-1-dqf...@gmail.com/
> Ref: https://gitlab.nic.cz/turris/turris-build/-/issues/165
> Signed-off-by: DENG Qingfang 

Tested-by: Eneas U de Queiroz 

I have tested this using WRT3200ACM, and it solves the problem of
clients not being able to roam from one AP to another--my APs are wired,
not using WDS.  Clients would not be able to communicate for 300s
after roaming from one AP to another.  I consider this a critical bug,
so a fix must be included before 2021.02 branches.  I have applied the
patch to 3 APs, and have been using them for days without any real
issue--I'm not considering the 'ATU member violation' messages
reported earlier an issue, as they do appear to be harmless.

Cheers,

Eneas



[PATCH] openssl: bump to 1.1.1j

2021-02-16 Thread Eneas U de Queiroz
This fixes 4 security vulnerabilities/bugs:

- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
  SSLv2, but the affected functions still exist. Considered just a bug.

- CVE-2021-2840 - calls to EVP_CipherUpdate, EVP_EncryptUpdate and
  EVP_DecryptUpdate may overflow the output length argument in some
  cases where the input length is close to the maximum permissible
  length for an integer on the platform. In such cases the return value
  from the function call will be 1 (indicating success), but the output
  length value will be negative.

- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate. However it was failing to
  correctly handle any errors that may occur while parsing the issuer
  field (which might occur if the issuer field is maliciously
  constructed). This may subsequently result in a NULL pointer deref and
  a crash leading to a potential denial of service attack.

- Fixed SRP_Calc_client_key so that it runs in constant time. This could
  be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz 
---
This was run-tested on a WRT3200ACM (mvebu), using nginx, wpad, and
openssl-util.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 714ce2059a..4fb4cb2784 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=i
+PKG_BUGFIX:=j
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242
+PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
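Review bot: the `+PKG_HASH:=aaf2fcb5...` line is the only integrity anchor for a tarball that the PKG_SOURCE_URL list just above fetches over plain http (http://www.openssl.org/source/ and the ftp mirror), so the commit message should say that the new hash was taken from or checked against upstream's signed openssl-1.1.1j.tar.gz.sha256/.asc rather than computed from whatever a mirror served. Leaving PKG_RELEASE at 1 in the first hunk is right for a version bump.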

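An added example, not OpenSSL's code and not part of the patch above, of the integer-overflow class behind the EVP_*Update item in the commit message: a minimal model of the output-length bookkeeping with the unchecked and the guarded calculation side by side. `model_ctx`, `update_outl_unchecked`, `update_outl_checked` and `outl_usable` are hypothetical names, and the demo assumes a 32-bit int.

```c
#include <limits.h>
#include <stdio.h>

/* Minimal model of a block-cipher context as the Update calls see it:
   block_size bytes per block and buf_len (< block_size) bytes carried over
   from the previous call. This illustrates the advisory's bug class; it is
   not OpenSSL's code. */
typedef struct {
    int block_size;
    int buf_len;
} model_ctx;

/* Unchecked shape of the calculation: the output length is derived from
   buf_len + inl with no check that the sum fits in an int. The sum is formed
   in unsigned arithmetic and cast back so the demo reproduces the
   two's-complement wrap deterministically (assumes 32-bit int) instead of
   relying on signed-overflow undefined behaviour. */
int update_outl_unchecked(const model_ctx *ctx, int inl, int *outl) {
    if (inl < 0)
        return 0;
    unsigned int total = (unsigned int)ctx->buf_len + (unsigned int)inl;
    unsigned int whole = total - total % (unsigned int)ctx->block_size;
    *outl = (int)whole;            /* wraps negative for inl near INT_MAX */
    return 1;                      /* ...yet the call still reports success */
}

/* Guarded version: refuse the call before doing the arithmetic whenever the
   total cannot be represented, leaving *outl at 0 and returning failure. */
int update_outl_checked(const model_ctx *ctx, int inl, int *outl) {
    *outl = 0;
    if (inl < 0 || inl > INT_MAX - ctx->buf_len)
        return 0;
    int total = ctx->buf_len + inl;
    *outl = total - total % ctx->block_size;
    return 1;
}

/* What a caller must check before using *outl as a byte count: a negative
   int silently becomes a huge size_t in the next memcpy or write. */
int outl_usable(int ret, int outl) {
    return ret == 1 && outl >= 0;
}

int main(void) {
    model_ctx ctx = { 16, 15 };      /* AES block, 15 bytes already buffered */
    int outl = 0, ret;

    ret = update_outl_unchecked(&ctx, INT_MAX - 10, &outl);
    printf("unchecked: ret=%d outl=%d usable=%d\n", ret, outl, outl_usable(ret, outl));
    ret = update_outl_checked(&ctx, INT_MAX - 10, &outl);
    printf("checked:   ret=%d outl=%d usable=%d\n", ret, outl, outl_usable(ret, outl));
    return 0;
}
```

The failure mode worth remembering is that the unchecked path returns 1: a caller that only tests the return value, as most do, then hands a negative length to the next copy. The guard has to sit before the addition, and callers should still reject a negative `outl` defensively.
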


[PATCH] openssl: always build with GOST engine support

2021-02-17 Thread Eneas U de Queiroz
The packages feed has a proposed package for a GOST engine, which needs
support from the main openssl library.  It is a default option in
OpenSSL.  All that needs to be done here is to not disable it.

Package size increases by a net 1 byte, so it is not really worth
keeping this optional.

This commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.

Signed-off-by: Eneas U de Queiroz 
---
Run tested in WRT3200ACM (mvebu), with and without gost-engine 1.1.0.3.
GOST engine PR: https://github.com/openwrt/packages/pull/14765

diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index d1281ec6fa..bc2f0584b6 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC
initiate crypto operations asynchronously. In order to work
this will require the presence of an async capable engine.
 
-config OPENSSL_WITH_GOST
-   bool
-   prompt "Prepare library for GOST engine"
-   depends on OPENSSL_ENGINE
-   help
-   This option prepares the library to accept engine support
-   for Russian GOST crypto algorithms.
-   The gost engine is not included in standard openwrt feeds.
-   To build such engine yourself, see:
-   https://github.com/gost-engine/engine
-
 endif
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 4fb4cb2784..378545ac43 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=j
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -50,7 +50,6 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_DTLS \
CONFIG_OPENSSL_WITH_EC2M \
CONFIG_OPENSSL_WITH_ERROR_MESSAGES \
-   CONFIG_OPENSSL_WITH_GOST \
CONFIG_OPENSSL_WITH_IDEA \
CONFIG_OPENSSL_WITH_MDC2 \
CONFIG_OPENSSL_WITH_NPN \
@@ -287,10 +286,6 @@ else
   OPENSSL_OPTIONS += no-engine
 endif
 
-ifndef CONFIG_OPENSSL_WITH_GOST
-  OPENSSL_OPTIONS += no-gost
-endif
-
 ifndef CONFIG_OPENSSL_WITH_DTLS
   OPENSSL_OPTIONS += no-dtls
 endif
diff --git 
a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch 
b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
index 81d41963c6..c90fce2442 100644
--- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
+++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch
@@ -1,6 +1,6 @@
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -22,6 +22,82 @@ oid_section = new_oids
+@@ -22,6 +22,99 @@ oid_section = new_oids
  # (Alternatively, use a configuration file that has only
  # X.509v3 extensions in its main [= default] section.)
  
@@ -14,6 +14,7 @@
 +#devcrypto=devcrypto
 +#afalg=afalg
 +#padlock=padlock
++##gost=gost
 +
 +[afalg]
 +# Leave this alone and configure algorithms with CIPERS/DIGESTS below
@@ -79,6 +80,22 @@
 +
 +[padlock]
 +default_algorithms = ALL
++
++[gost]
++default_algorithms = ALL
++# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the
++# user to choose between different parameter sets of symmetric cipher
++# algorithm. RFC 4357 specifies several parameters for the
++# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface
++# to choose one when encrypting. So use engine configuration parameter
++# instead.
++# Value of this parameter can be either short name, defined in OpenSSL
++# obj_dat.h header file or numeric representation of OID, defined in
++# RFC 4357.  Defaults to id-tc26-gost-28147-param-Z
++#CRYPT_PARAMS = id-tc26-gost-28147-param-Z
++
++# PBE_PARAMS: Shortname of default digest alg for PBE
++#PBE_PARAMS =
 +
  [ new_oids ]
  
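Review bot: `##gost=gost` is double-commented while the neighbouring engine lines (`#devcrypto=devcrypto`, `#afalg=afalg`, `#padlock=padlock`) use a single `#`; if the extra `#` is meant to flag that the gost engine is not in the main feeds, say so in a comment next to it or in the commit message, otherwise make it `#gost=gost` so that enabling it by deleting one character behaves the same as for the other engines. The `[gost]` section itself is fine as a commented-out template since loading it only happens once the engine line is uncommented.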



[PATCH] wolfssl: bump to v4.7.0-stable

2021-02-21 Thread Eneas U de Queiroz
Biggest fix for this version is CVE-2021-3336, which has already been
applied here.  There are a couple of low severity security bug fixes as
well.

Three patches are no longer needed, and were removed; the one remaining
was refreshed.

Signed-off-by: Eneas U de Queiroz 
---
This was run-tested with master on mvebu using uhttpd and hostapd, and
should be cherry-picked to 21.02, and 19.07.  It was compile-tested with
21.02 and 19.07.

---
 package/libs/wolfssl/Makefile |  6 +--
 .../wolfssl/patches/010-CVE-2021-3336.patch   | 53 ---
 .../patches/100-disable-hardening-check.patch |  2 +-
 ...Fix-linking-against-hostapd-with-LTO.patch | 25 -
 .../patches/120-enable-secret-callback.patch  | 10 
 5 files changed, 4 insertions(+), 92 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/010-CVE-2021-3336.patch
 delete mode 100644 
package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
 delete mode 100644 
package/libs/wolfssl/patches/120-enable-secret-callback.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 846351f06d..53cd932d1f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.6.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.7.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
+PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
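Review bot: PKG_SOURCE_URL points at GitHub's on-the-fly archive endpoint (github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)), whose tarballs are regenerated per request and are not guaranteed to stay byte-identical, so the new `+PKG_HASH:=b0e740b3...` can start failing later without any upstream change; if wolfSSL publishes a release asset tarball for 4.7.0-stable, pin that instead, and in either case state in the commit message how the hash was obtained.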
diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch 
b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
deleted file mode 100644
index abb9bfdd9b..00
--- a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
-From: Sean Parkinson 
-Date: Thu, 21 Jan 2021 08:24:38 +1000
-Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
-

- src/tls13.c | 18 +-
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
 a/src/tls13.c
-+++ b/src/tls13.c
-@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
- #ifdef HAVE_ED25519
- if (args->sigAlgo == ed25519_sa_algo &&
-   
!ssl->peerEd25519KeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
-+WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ED448
- if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
-+WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ECC
- if (args->sigAlgo == ecc_dsa_sa_algo &&
-
!ssl->peerEccDsaKeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
-+WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifndef NO_RSA
- if (args->sigAlgo == rsa_sa_algo) {
--WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
-+WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
- ERROR_OUT(INVALID_PARAMETER, exit_dcv);
- }
- if (args->sigAlgo == rsa_pss_sa_algo &&
-  (ssl->peerRsaKey == NULL || 
!ssl->peerRsaKeyPresent)) {
--WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
-+WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- 
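Review bot: dropping 010-CVE-2021-3336.patch relies on 4.7.0-stable carrying upstream commit fad1e67677bf7797b6bd6e1f21a513c289d963a7 (the From: line of the removed file); the commit message says the fix "has already been applied here" but should name that commit or the release note so the removal can be verified. For anyone backporting this to 19.07 or 21.02 without the full bump, the removed patch is the one that turns each key-type mismatch in DoTls13CertificateVerify (`ed25519_sa_algo`, `ed448_sa_algo`, `ecc_dsa_sa_algo`, `rsa_pss_sa_algo`) from a log-only `WOLFSSL_MSG` into `ret = SIG_VERIFY_E; goto exit_dcv;`, so a CertificateVerify whose signature algorithm does not match the peer certificate's key is rejected rather than merely logged.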
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c2793285e7..c89ff1be9d 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for

[PATCH] gmp: compile with -DPIC to use correct asm code

2021-03-11 Thread Eneas U de Queiroz
The library is always compiled with $(FPIC) (-fPIC or -fpic), even for
the static library.

There are some assembly sources that decide whether or not to enable
PIC code by checking if PIC is defined.  It counts on libtool to define
it, but libtool does it only when producing code for the dynamic
library, while we need it for both.

Ensure it is defined by adding it to CFLAGS next to $(FPIC).

It avoids linking errors with strongswan on x86_64:

ld: libgmp.a(bdiv_q_1.o): relocation R_X86_64_PC32 against symbol
`__gmp_binvert_limb_table' can not be used when making a shared object;
recompile with -fPIC

Cc: Stijn Tintel 
Signed-off-by: Eneas U de Queiroz 
---

There's an error on one architecture, and all others work fine without
this, so I'm uneasy changing this and then breaking stuff that was
working fine otherwise.  However, it feels wrong to me to generate PIC
code from C files, but not use it in asm sources, which is essentially
what I am changing here.

I've looked at asm sources for different architectures, and there are
checks for PIC in: arm64, arm, x86_64, x86, and ppc asm sources, but the
error only appears on x86_64.

For most CPUs, ifdef(`PIC'), is just used to do different definitions of
LEA (Load Effective Address).  However, both x86 and x86_64 have many
other checks.

I've looked at bdiv_q_1.asm for different CPUs, and they all do some
form of LEA(binvert_limb_table), except for x86, where it will do it
only when PIC is defined.  That may explain why x86_64 is affected, and
x86 is not.

I have not investigated further details.

Alternatively, we can define it only for x86_64, which is where we know
there's a build failure with the linker asking to recompile with -fPIC.


 package/libs/gmp/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libs/gmp/Makefile b/package/libs/gmp/Makefile
index eb7d808139..d59e8fe947 100644
--- a/package/libs/gmp/Makefile
+++ b/package/libs/gmp/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gmp
 PKG_VERSION:=6.2.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)$(PKG_REVISION).tar.xz
 PKG_SOURCE_URL:=@GNU/gmp/
@@ -38,7 +38,7 @@ define Package/libgmp/description
signed integers, rational numbers, and floating point numbers.
 endef
 
-TARGET_CFLAGS += $(FPIC)
+TARGET_CFLAGS += -DPIC $(FPIC)
 CONFIGURE_VARS += CC="$(TARGET_CROSS)gcc"
 CONFIGURE_ARGS += \
--enable-shared \
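Review bot: `-DPIC` at the `+TARGET_CFLAGS += -DPIC $(FPIC)` line is package-local, but the mismatch it fixes (C objects compiled with $(FPIC) while the asm sources key PIC off a macro that libtool only defines for shared objects) is a property of $(FPIC) itself, so any other package that mixes $(FPIC) with PIC-sensitive asm has the same latent problem; defining PIC next to FPIC in rules.mk would cover them all. If it stays here, add a one-line comment in the Makefile saying why -DPIC must accompany $(FPIC), since the commit message is the only place that explains it.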



Re: [PATCH] gmp: compile with -DPIC to use correct asm code

2021-03-19 Thread Eneas U de Queiroz
On Fri, Mar 19, 2021 at 5:08 PM Philip Prindeville
 wrote:
>
>
> Maybe I'm missing something, but why not just fix rules.mk:
>
>
> ifneq (,$(findstring $(ARCH) , aarch64 aarch64_be powerpc ))
>   FPIC:=-fPIC
> else
>   FPIC:=-fpic
> endif
>
> HOST_FPIC:=-fPIC
>
>
> To have the FPIC and HOST_FPIC definitions include -DPIC?

I think it would be the proper way to handle this.  I was initially
fearful of changing too much and breaking things, but I think it
should be expected behaviour.  What else would you use a 'PIC'
definition for?  I will resend a patch changing rules.mk instead.



Re: [PATCH] openssl: don't rename a file with quilt

2021-03-26 Thread Eneas U de Queiroz
Hi Rosen

This patch does not apply as is, but don't write a v2 yet.
I'm testing the bump to 1.1.1k, and I'll handle it from there, by
using --no-renames with git format-patch.  I'm maintaining the patches
at https://github.com/cotequeiroz/openssl, and refreshing backports
with git is much easier than with quilt.  See comments below, as your
patchset breaks compilation with QUILT.

On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev  wrote:
>
> quilt cannot handle file renames and ends up duplicating the file.
> Instead of doing that, handle the renaming in the Makefile so that
> the upstream file can change.
>
> Signed-off-by: Rosen Penev 
> ---
>  package/libs/openssl/Makefile |7 +
>  ...o-make-the-dev-crypto-engine-dynamic.patch | 2633 +
>  ...default-to-not-use-digests-in-engine.patch |4 +-
>  ...to-ignore-error-when-closing-session.patch |4 +-
>  4 files changed, 151 insertions(+), 2497 deletions(-)
>
> diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
> index 436abfd94c..f3113cab6e 100644
> --- a/package/libs/openssl/Makefile
> +++ b/package/libs/openssl/Makefile
> @@ -324,6 +324,13 @@ OPENSSL_TARGET:=linux-$(call 
> qstrip,$(CONFIG_ARCH))-openwrt
>
>  STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | 
> mkhash md5)
>
> +define Build/Prepare
> +   $(call Build/Prepare/Default)


> +ifeq ($(QUILT),)
> +   mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c 
> $(PKG_BUILD_DIR)/engines/e_devcrypto.c
> +endif

This will break compilation with QUILT, as the rename will never
happen then.  You're using this strategy with other packages, so I
won't mention them individually, but this applies to all.
I would handle it at the patch level by removing the old file and
creating the new one.

Alternatively, you can keep your strategy, adding the rename with
QUILT in Build/Configure, with the caveat that it will run every time
compile is called, so you'll need to ignore an eventual error, and
make sure that the original file was not recreated somewhere in the
build process by a previous compile run, which would clobber the
patched file.

Cheers



[PATCH] openssl: bump to 1.1.1k

2021-03-26 Thread Eneas U de Queiroz
This version fixes 2 security vulnerabilities, among other changes:

 - CVE-2021-3450: problem with verifying a certificate chain when using
   the X509_V_FLAG_X509_STRICT flag.

 - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client.

Signed-off-by: Eneas U de Queiroz 
---

This was run-tested on WRT3200ACM (mvebu, armv7), using nginx, and
openssl util to encrypt & decrypt some files using software and the
devcrypto engine, since there have been some changes in the engine,
related to BSD compatibility, when opening the /dev/crypto device.

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 436abfd94c..7ab4c6ccd0 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=j
+PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
 
-PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf
+PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
diff --git 
a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
 
b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
index 71dc5bf99b..ea3f8fb8a7 100644
--- 
a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+++ 
b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
@@ -116,7 +116,7 @@ diff --git a/crypto/engine/eng_devcrypto.c 
b/engines/e_devcrypto.c
 similarity index 95%
 rename from crypto/engine/eng_devcrypto.c
 rename to engines/e_devcrypto.c
-index 0d420e50aa..3fcd81de7a 100644
+index 2c1b52d572..eff1ed3a7d 100644
 --- a/crypto/engine/eng_devcrypto.c
 +++ b/engines/e_devcrypto.c
 @@ -7,7 +7,7 @@
@@ -152,22 +152,6 @@ index 0d420e50aa..3fcd81de7a 100644
  
  /*
   * cipher/digest status & acceleration definitions
-@@ -341,6 +343,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int 
p1, void* p2)
- struct cipher_ctx *to_cipher_ctx;
- 
- switch (type) {
-+
- case EVP_CTRL_COPY:
- if (cipher_ctx == NULL)
- return 1;
-@@ -702,7 +705,6 @@ static int digest_init(EVP_MD_CTX *ctx)
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
- }
--
- return 1;
- }
- 
 @@ -1058,7 +1060,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
  OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, "
  OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE)
@@ -177,7 +161,7 @@ index 0d420e50aa..3fcd81de7a 100644
  ENGINE_CMD_FLAG_NUMERIC},
  #endif
  
-@@ -1166,55 +1168,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, 
void *p, void (*f) (void))
+@@ -1166,32 +1168,22 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i, 
void *p, void (*f) (void))
   *
   */
  
@@ -201,10 +185,12 @@ index 0d420e50aa..3fcd81de7a 100644
 +static int open_devcrypto(void)
  {
 -ENGINE *e = NULL;
+ int fd;
+ 
 +if (cfd >= 0)
 +return 1;
- 
- if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
++
+ if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
  #ifndef ENGINE_DEVCRYPTO_DEBUG
  if (errno != ENOENT)
  #endif
@@ -213,6 +199,19 @@ index 0d420e50aa..3fcd81de7a 100644
 +return 0;
  }
  
+ #ifdef CRIOGET
+@@ -1199,35 +1191,61 @@ void engine_load_devcrypto_int()
+ fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
+ close(fd);
+ cfd = -1;
+-return;
++return 0;
+ }
+ close(fd);
+ #else
+ cfd = fd;
+ #endif
+ 
 -if ((e = ENGINE_new()) == NULL
 -|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
 -ENGINE_free(e);
@@ -278,7 +277,7 @@ index 0d420e50aa..3fcd81de7a 100644
  /*
   * Asymmetric ciphers aren't well supported with /dev/crypto.  Among the BSD
   * implementations, it seems to only exist in FreeBSD, and regarding the
-@@ -1237,23 +1254,36 @@ void engine_load_devcrypto_int()
+@@ -1250,23 +1268,36 @@ void engine_load_devcrypto_int()
   */
  #if 0
  # ifndef OPENSSL_NO_RSA
@@ -324,7 +323,7 @@ index 0d420e50aa..3fcd81de7a 100644
  ENGINE_free(e);
  return;
  }
-@@ -1262,3 +1292,22 @@ void engine_load_devcrypto_int()
+@@ -1275,3 +1306,22 @@ void engine_load_devcrypto_int()
  ENGINE_free(e);  /* Loose our local reference */
  ERR_clear_error();
  }



[RFC PATCH] openssl: make the patches QUILT-friendly

2021-03-26 Thread Eneas U de Queiroz
The patches in this package are all made with git format-patch.  If one
were to run 'make package/openssl/{refresh,update}', then things will
not work as expected, because QUILT does not deal well with
patches that rename files.  For openssl, the problematic patch is
430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch.

So, I've generated a new patch with 'git format-patch --no-renames', and
then 'make package/openssl/{refresh,update}'.

Signed-off-by: Eneas U de Queiroz 
---

While I really prefer to leave the git-formatted patches as they are, I
know quilt is the preferred way of handling patches in OpenWRT, so I'm
presenting this as RFC, so the core developers can decide.

ldir has made a similar commit e27ef2da0d, and then reverted it right away
in bbb9c1c2be, and I don't know why.

neheb proposed a patch [1] that does the file renaming in Build/Prepare, so
that it is easier to use quilt while refreshing patches after a package
bump.  It has an undesirable side-effect of not running the renaming
portion at all when using QUILT, resulting in a build failure.

Some packages in the packages feed are skipping build steps when running
with QUILT, to speed up automatic refresh of patches, and I've been
fixing them as I stumble upon some of the failures.

At least to me, being able to quickly build with QUILT=1, without having
to start from scratch and go through dependencies is an immensely
useful feature that I would not trade for having tidier patches.

For this package, one could rename the files in Build/Configure when
compiling with QUILT without a problem.  So, if desired, it could be
done neheb's way instead.

In my opinion, QUILT is not particularly useful for rebasing large
changes, such as the engine patches here.  So even if neheb's proposal
has a nice intention, it is not appropriate for this package.

If the motivation is just to run make package/openssl/{refresh,update},
perhaps automatically to keep patches tidy, then this patch will
suffice.

Cheers,

Eneas

[1] 
https://patchwork.ozlabs.org/project/openwrt/patch/20210326092548.14019-1-ros...@gmail.com/

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..458b064f13 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch 
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..2ae5938bdc 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -1,4 +1,4 @@
-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
+From 000000000000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Thu, 27 Sep 2018 08:29:21 -0300
 Subject: Do not use host kernel version to disable AFALG
@@ -8,11 +8,9 @@ version to disable building the AFALG engine on openwrt 
targets.
 
 Signed-off-by: Eneas U de Queiroz 
 
-diff --git a/Configure b/Configure
-index 5a699836f3..74d057c219 100755
 --- a/Configure
 +++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtra
  
  unless ($disabled{afalgeng}) {
  $config{afalgeng}="";
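Review bot: replacing the commit id in the From line with zeros (`-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217` becomes `+From 000000000000`) removes the only pointer back to the tree these patches are maintained in (https://github.com/cotequeiroz/openssl, per the earlier reply); quilt does not act on that header, so keep the original hash there, or move it into the patch description, and drop only the `diff --git`/`index` lines that quilt trips over. The same applies to the 110- and 120- patches below.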
diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch 
b/package/libs/openssl/patches/110-openwrt_targets.patch
index d0530b4661..50a9ebe2d6 100644
--- a/package/libs/openssl/patches/110-openwrt_targets.patch
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -1,4 +1,4 @@
-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
+From 0000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Thu, 27 Sep 2018 08:30:24 -0300
 Subject: Add openwrt targets
@@ -7,9 +7,6 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt
 
 Signed-off-by: Eneas U de Queiroz 
 
-diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
-new file mode 100644
-index 00..86a86d31e4
 --- /dev/null
 +++ b/Configurations/25-openwrt.conf
 @@ -0,0 +1,48 @@
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch 
b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
index 7faec9ab88..90282706d1 100644
--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -1,4 +1,4 @@
-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
+From 0000 Mon Sep 17 00:00:00 2001
 From: Eneas U de Queiroz 
 Date: Thu, 27 Sep 2018 08:31:38 -0300
 Subj

Re: [PATCH] openssl: don't rename a file with quilt

2021-03-26 Thread Eneas U de Queiroz
On Fri, Mar 26, 2021 at 4:28 PM Rosen Penev  wrote:
>
> On Fri, Mar 26, 2021 at 5:55 AM Eneas U de Queiroz
>  wrote:
> >
> > On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev  wrote:
> > > +ifeq ($(QUILT),)
> > > +   mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c 
> > > $(PKG_BUILD_DIR)/engines/e_devcrypto.c
> > > +endif
> >
> > This will break compilation with QUILT, as the rename will never
> > happen then.  You're using this strategy with other packages, so I
> > won't mention them individually, but this applies to all.
> > I would handle it at the patch level by removing the old file and
> > creating the new one.
> It doesn't break quilt as the rename happens separately. Note that the
> patches were modified to refer to the old name.
It breaks 'make package/openssl/compile QUILT=1', because the 'mv'
command will never run when QUILT is not empty.  You can't run the
'mv' line with quilt because the patches are not applied in
Build/Prepare.  However, you must ensure it is run later, or the
package will not compile with QUILT=1.  I can point you to
openwrt/packages#14894 to see why you can't just skip running stuff
when QUILT is defined.
> >
> > Alternatively, you can keep your strategy, adding the rename with
> > QUILT in Build/Configure, with the caveat that it will run every time
> > compile is called, so you'll need to ignore an eventual error, and
> > make sure that the original file was not recreated somewhere in the
> > build process by a previous compile run, which would clobber the
> > patched file.
> I haven't seen any issues. Locally I run make package/x/{clean,refresh}
make package/openssl/compile V=sc  QUILT=1
...
make[4]: *** No rule to make target 'engines/e_devcrypto.c', needed by
'engines/e_devcrypto.o'.  Stop.

BTW, I imagine you don't build with QUILT=1 much, do you?

make -j4 package/openssl/compile
make[2]: Entering directory '/home/equeiroz/src/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/equeiroz/src/openwrt/scripts/config'
 make[1] package/openssl/compile
 make[2] -C package/libs/toolchain compile
 make[2] -C package/libs/zlib compile
 make[2] -C package/firmware/prism54-firmware compile
 make[2] -C package/firmware/linux-firmware compile
 make[2] -C package/kernel/linux compile
 make[2] -C package/kernel/cryptodev-linux compile
 make[2] -C package/libs/openssl compile

make -j4 package/openssl/compile QUILT=1
make[2]: Entering directory '/home/equeiroz/src/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/equeiroz/src/openwrt/scripts/config'
 make[1] package/openssl/compile
 make[2] -C package/libs/openssl compile

It does not check dependencies every time you call compile.  Try make
package/seafile-server/compile for some fun.

Cheers,

Eneas

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [PATCH] openssl: don't rename a file with quilt

2021-03-26 Thread Eneas U de Queiroz
On Fri, Mar 26, 2021 at 6:57 PM Felix Fietkau  wrote:
> I fully agree with Eneas here (though I don't like his patch for this
> issue either).

This is the first time I wrote a patch I do NOT want to be applied.  I
just want to keep the status quo.

> Here's a way to fix this:
>
> include/package-defaults.mk has this:
>
>   define Build/Prepare/Default
> $(PKG_UNPACK)
> [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR)
> $(Build/Patch)
>   endef

However, this is run before the patches are even applied when QUILT=1.
$(Build/Patch) just builds the quilt patch tree.  A much simpler
solution, if we are really going to change the patches, is to just
$(CP) the file in Build/Configure.  If we move it--no matter
where--then we can't go back and forth with quilt push & pop, which
would hinder its usefulness.

>
> You can adjust it to define this in the package Makefile:
>
> define Build/Prepare
> $(PKG_UNPACK)
> [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR)
> mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c 
> $(PKG_BUILD_DIR)/engines/e_devcrypto.c
> $(Build/Patch)
> endef
>
> - Felix



Re: [RFC PATCH] openssl: make the patches QUILT-friendly

2021-03-26 Thread Eneas U de Queiroz
On Fri, Mar 26, 2021 at 7:35 PM Kevin 'ldir' Darbyshire-Bryant
 wrote:
>
> ... I was also frustrated that there was patch fuzz in the tree on a fairly 
> core package - that really shouldn’t be the case.

My apologies.  I work in a clone of the openssl git repo, rebasing the
changes on top of the current version.  I always look at the diffs
before sending the patch to openwrt.  If they were just line changes,
I wouldn't bother to touch the patch, in order to minimize changes.
I'll revise my approach and change the files no matter what.

Cheers,

Eneas



Re: OpenWrt 21.02-rc1

2021-04-07 Thread Eneas U de Queiroz
On Tue, Apr 6, 2021 at 7:30 PM Hauke Mehrtens  wrote:
>
> Hi,
>
> How do we want to go forward with OpenWrt 21.02-rc1?
>
> * I think the base system is ok.
> * The http (original wolfssl) problem reported by jow is fixed
> * LuCI in the 21.02 branch still misses DSA support, this was merged
> into master some time ago as far as I understood.

Hi

I would suggest to have some commits cherry-picked to 21.02:

920eaab1d8 kernel: DSA roaming fix for Marvell mv88e6xxx
af22991e03 build: make sure asm gets built with -DPIC

I consider the first commit critical: without it clients get
disconnected for 5 minutes when roaming from an affected AP (Omnia,
WRT3200, among others) WLAN port to a LAN port (roaming between
LAN-connected APs, for example).

The second one is needed to build strongswan for x86_64 [1].  The
support commits have already been pushed to the 21.02 branch of the
packages feed.

Eneas


[1] 
https://downloads.openwrt.org/releases/faillogs-21.02/x86_64/packages/strongswan/compile.txt



Re: [PATCH] package: openssl: Enable built engines per default

2021-04-22 Thread Eneas U de Queiroz
On Thu, Apr 22, 2021 at 3:55 AM Daniel Danzberger  wrote:
>
> Automatically enable an engine in the openssl.cnf if it has been build.
> Before this change, /etc/openssl.cnf had to be edited manually on the
> system to enable the engine.
>

> +define Package/libopenssl-conf/enable
> +   $(if $(CONFIG_PACKAGE_libopenssl-$(2)),sed -i 
> s/^\#*$(2)=$(2)/$(2)=$(2)/ $(1)/etc/ssl/openssl.cnf)
> +endef

>  define Package/libopenssl-conf/install
> $(INSTALL_DIR) $(1)/etc/ssl
> $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
> +   $(call Package/libopenssl-conf/enable,$(1),devcrypto)
> +   $(call Package/libopenssl-conf/enable,$(1),afalg)
> +   $(call Package/libopenssl-conf/enable,$(1),padlock)
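Review bot: keying `Package/libopenssl-conf/enable` on `$(CONFIG_PACKAGE_libopenssl-$(2))` enables an engine whenever its package is built, including `=m` builds that never make it into the image, so openssl.cnf can reference engines that are not installed; since OpenSSL stops loading engines at the first one that fails, a missing `devcrypto` entry listed first would also prevent `afalg` and `padlock` from loading. Restrict this to engines actually installed in the image (`=y`), or let each engine package enable itself at install time.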

Hi Daniel

The problem with this is that it will enable the config for all
engines in the bots configuration (all packages =m).  OpenSSL will
stop loading the engines past the point where one of them fails.  It
may do it silently, or it may show an error.  If you run the `openssl
engine` command (no flags or with -c), it will show the error; if you
add the `-t` flag, the error message is gone.  In either case, the
engines configured after the first failed one will not load.  Suppose
that you install the afalg engine, but not devcrypto.  When it loads
the config file, devcrypto comes first, and openssl will fail to find
it; then the afalg engine will not be loaded.

I do like the idea, though. My first thought was to add an install
script to the engine packages.  The problem is that the config file
may have been changed in a way that sed may produce unwanted results.
It can be mitigated by configuring engines in a separate file, so only
that file needs to be changed.  It will have a nice effect, that a
feed-installed engine can configure itself without needing a config
section added to the openssl-conf package.

Another option, which may be the easiest and safest, is to use your
approach, but only uncomment the engines built into the firmware (=y),
and not the ones built as modules.

Cheers,

Eneas



Re: [PATCH] package: openssl: Enable built engines per default

2021-04-23 Thread Eneas U de Queiroz
On Fri, Apr 23, 2021 at 3:11 AM Florian Eckert  wrote:
> How about if we create a uci default script and check on the running
> system what is installed?
> And then we could generate a file and add or remove an include line from
> the openssl.cnf [1]?

Hi Florian, Daniel

I think we can manage something like that.  The .include option can
load all files in a directory (/etc/ssl/engines.d/), and won't fail if
there aren't any files--the directory itself must exist.  Each engine
package can install its own file there, and have a post-install script
that adds a line to an "engines.cnf" file if there isn't any:

add_engine() {
# $1 = engine name (engine .so file without the .so extension)
grep -q "$1=$1" /etc/ssl/engines.d/engines.cnf && return
echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
}

/etc/ssl/engines.d/engines.cnf would start out with just the [engines]
header and some comments explaining its use and warning not to edit
something that would break things.

What do you think?

Cheers,

Eneas



Re: [PATCH] package: openssl: Enable built engines per default

2021-04-27 Thread Eneas U de Queiroz
> >> How about if we create a uci default script and check on the running
> >> system what is installed?
> >> And then we could generate a file and add or remove an include line
> >> from
> >> the openssl.cnf [1]?
> >
> > I think we can manage something like that.  The .include option can
> > load all files in a directory (/etc/ssl/engines.d/), and won't fail if
> > there aren't any files--the directory itself must exist.  Each engine
> > package can install its own file there, and have a post-install script
> > that adds a line to an "engines.cnf" file if there isn't any:
> >
> > add_engine() {
> > # $1 = engine name (engine .so file without the .so extension)
> > grep -q "$1=$1" /etc/ssl/engines.d/engines.cnf && return
> > echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
> > }
> >
> > /etc/ssl/engines.d/engines.cnf would start out with just the [engines]
> > header and some comments explaining its use and warning not to edit
> > something that would break things.
> >
> > What do you think?
>
> The plan sounds good :+1:
>
Hi

I'm testing that proposal, and it's almost ready.  I've expanded it to
use uci to enable/disable the engines, but I'm still running tests to
catch corner cases.  I am not able to test the padlock engine, but its
usage should be like devcrypto.  Afalg is more complicated if built
into the library, because openssl does not initialize it like other
builtin engines. There's no way to configure it for general use when
built that way.

Cheers,

Eneas



[PATCH 0/3] Engine configuration series

2021-04-28 Thread Eneas U de Queiroz
This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile |  55 +-
 package/libs/openssl/engine.mk|  42 
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 .../libs/openssl/files/openssl-engines.init   |  19 
 package/libs/openssl/files/openssl.init   |  31 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 20 files changed, 213 insertions(+), 140 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf




[PATCH 1/3] openssl: config engines in /etc/ssl/engines.cnf.d

2021-04-28 Thread Eneas U de Queiroz
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

All patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile |  30 --
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 101 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 114 insertions(+), 123 deletions(-)
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/padlock.cnf

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..69616f01e8 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
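Review bot: `Package/libopenssl-conf/install` now ships /etc/ssl/engines.cnf.d/engines.cnf, which users edit to enable engines, but this commit does not add it to `Package/libopenssl-conf/conffiles` next to /etc/ssl/openssl.cnf, so a package upgrade or reinstall would overwrite the enabled-engine list; list it there in the same commit that introduces it.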
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./fi
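Review bot: the engine packages now install a user-editable afalg.cnf/devcrypto.cnf into /etc/ssl/engines.cnf.d (the devcrypto description above tells users to edit it), but no `Package/libopenssl-<engine>/conffiles` entry accompanies the `$(INSTALL_DATA)` line, so an opkg upgrade of the engine package will clobber local edits; declare the .cnf file as a conffile of the engine package.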

[PATCH 2/3] openssl: configure engine packages during install

2021-04-28 Thread Eneas U de Queiroz
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile | 58 +
 package/libs/openssl/engine.mk| 82 +++
 package/libs/openssl/files/engines.cnf| 12 +--
 .../150-openssl.cnf-add-engines-conf.patch|  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 69616f01e8..238f7ecf02 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
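Review bot: in the conffiles hunk, `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,...)` tests the literal variable name, which is a non-empty string, so both conditional entries are always emitted regardless of the build configuration; it should be `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),...)`, as the install recipe further down already does with `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),`.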
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-  +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf 
@!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE 
+PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-  @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev 
@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 
+PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-  +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
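Review bot: the three descriptions drop the "you need to enable the engine in ..." sentence without saying what replaces it; add a line stating that the engine is enabled automatically when the package is installed, and where to disable it, so users do not go looking for the old manual step in engines.cnf.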
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
+   $(CP) ./files/

[PATCH 3/3] openssl: configure engines with uci

2021-04-28 Thread Eneas U de Queiroz
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

config engine 'devcrypto'
option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it reports which engines are being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz 
---
 package/libs/openssl/Makefile | 13 +++--
 package/libs/openssl/engine.mk| 58 +++
 .../libs/openssl/files/openssl-engines.init   | 19 ++
 package/libs/openssl/files/openssl.init   | 31 ++
 .../150-openssl.cnf-add-engines-conf.patch|  5 +-
 5 files changed, 70 insertions(+), 56 deletions(-)
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
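Review bot: /etc/ssl/engines.cnf.d/engines.cnf is removed from `Package/libopenssl-conf/conffiles`, but its replacement /etc/config/openssl (created with `touch` in `Package/libopenssl-conf/install` below and appended to by the engine postinst scripts) is not added, so the user's engine configuration would be lost on upgrade; add /etc/config/openssl here. The two `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_...,...)` context lines also still test the literal name rather than `$(CONFIG_...)`.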
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+   $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
$(1)/etc/init.d/openssl
+   touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo devcrypto=devcrypto >> 
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
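Review bot: the `echo -e "config engine 'devcrypto'\n\toption enabled '1'"` lines depend on the recipe shell's echo honouring `-e`; with a POSIX sh that does not, /etc/config/openssl ends up containing a literal `-e` and the `\n\t` escapes. `printf 'config engine %s\n\toption enabled %s\n' "'devcrypto'" "'1'" >> $(1)/etc/config/openssl` is the portable form and avoids the asymmetric leading `\n` between the devcrypto and padlock entries.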
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..efa46d7214 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,20 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
-   Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
 
-   opkg install --force-reinstall libopenssl-conf
-   EOF
-cat <<- EOF
+if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null; then
+cat << EOF >> "{OPENSSL_UCI}"
 
-   Then, you will have to reinstall this package, and any other engine 
package you have
-   you have previously installed to ensure they are enabled:
-
-   opkg install --force-reinstall $$(OSSL_ENG_PKG) 
[OTHER_ENGINE_PKG]...
-
-   EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then
-cat <<- EOF
-   Your /etc/ssl/openssl.cnf file is not loading engine configuration 
files from
-   /etc/ssl/engines.cnf.d.  Yo
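Review bot: the rewritten postinst drops the check that /etc/ssl/openssl.cnf actually contains `.include /etc/ssl/engines.cnf.d` together with the reinstall hint that went with it; openssl.cnf is a conffile preserved across upgrades, so a device upgraded from an older libopenssl-conf keeps an openssl.cnf without that line, the new uci section is written, and the engine silently never loads. Keep a non-fatal warning for that case in the postinst.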

Re: [PATCH 3/3] openssl: configure engines with uci

2021-04-29 Thread Eneas U de Queiroz
Hi Florian

On Thu, Apr 29, 2021 at 3:44 AM Florian Eckert  wrote:
> >  $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
> >  $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
>
> I think AFALG is missing there?
>
As I mentioned in the earlier thread, builtin AFALG is weird.  If I
enable it in openssl.cnf, it will always look for afalg.so, and will
fail.  I think it was an oversight, but AFALG is not part of
OPENSSL_INIT_ENGINE_ALL_BUILTIN [1], so it will not be enabled by
default, unless you call
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_AFALG, NULL).  The AFALG
engine does not have any control commands, so configuration is a noop
anyway.

[1] 
https://github.com/openssl/openssl/blob/0f077b5fd86e2df0b41608fbd5684fa1a2b58f59/include/openssl/crypto.h.in#L452
> >  endef
> > @@ -378,15 +377,17 @@ define Package/libopenssl/install
> >  endef
> >
> >  define Package/libopenssl-conf/install
> > - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
> > + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
> > $(1)/etc/init.d
> >   $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
> > - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
> > + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
> > + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
> > $(1)/etc/init.d/openssl
>
> I do not understand what you are doing there.
ENGINES_DIR is where the engine so files are stored.  It is versioned,
so it is stored in a variable in engine.mk.  I'm just setting it in
/etc/init.d/openssl, from ./files/openssl.init#3:
ENGINES_DIR="%ENGINES_DIR%"
The final result, installed in /etc/init.d/openssl#3 is:
ENGINES_DIR="/usr/lib/engines-1.1"

> >   $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
> >   $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
> > - echo padlock=padlock >> 
> > $(1)/etc/ssl/engines.cnf.d/engines.cnf)
> > + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
> > $(1)/etc/config/openssl)
>
> What about AFALG?
The same explanation above fits here.

> >  #!/bin/sh
> > +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
> > +if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null; 
> > then
> > +cat << EOF >> "{OPENSSL_UCI}"
> > +config engine '$(1)'
> > + option enabled '1'
> > +EOF
>
>  From my point of view, I think it would be better if we used the uci cli
> command directly here.
> to add the config engine section and enable this engine.

However, uci is not available when the package is installed by the
buildsystem, such as when building the firmware image.  That's why I
always check for $IPKG_INSTROOT before calling any commands available
in the target only, as seen above.

>
> >  fi
> > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
> >endef
> >
> > -  define Package/$$(OSSL_ENG_PKG)/prerm :=
> > +  define Package/$$(OSSL_ENG_PKG)/postrm :=
> >  #!/bin/sh
> > -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
> > -[ -f "{ENGINES_CNF}" ] || exit 0
> > -sed -e '/$(1)=$(1)/d' -i "{ENGINES_CNF}"
> > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
>
> Should we not also remove the uci option on an uninstall with the uci
> command?
>
I'll change this.  My idea was to save the configuration, if the user
later reinstalls the package.  However, since the %ENGINE%.cnf file is
not removed, then openssl will try to enable the removed engine and
fail.

> > +++ b/package/libs/openssl/files/openssl-engines.init
> > @@ -0,0 +1,19 @@
> > +#!/bin/sh /etc/rc.common
>
> Is the init script also switched on at the first boot?
> So that the service runs immediately?
> Not that the service has to be switched on in /etc/rc.d/ first - that
> would be unpleasant.

Yes, it is:

file build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl
build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl: symbolic link to ../init.d/openssl
>
> > +
> > +START=05
> > +OSSL_ENGINES_CNF="/etc/ssl/engines.cnf.d/engines.cnf"
> > +
> > +enable_engine() {
> > + echo "$1=$1" >> "${OSSL_ENGINES_CNF}"
>
> The writing happens here on the persistent storage at every boot!
> This is not so good for embedded target with FLASH.
> It would be better to write this to the tmp.
>

This file, along with engines.cnf, was left over from a previous idea,
and is not used.  I will take care of them in the v2.  The list
is actually saved in /var/etc/ssl/engines.cnf.

> > + config_list_foreach openssl.openssl[0] engines enable_engine
>
> How about the named uci section globals
> config openssl globals
>
This is also part of the leftover file.
I've spotted a missing fix for the postinst/postrm scripts that were
failing when building the final image.  I'll send a v2 in a bit.

Thanks for the review!

Eneas


[PATCH v2 0/3] Engine configuration series

2021-04-29 Thread Eneas U de Queiroz


This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile |  55 +-
 package/libs/openssl/engine.mk|  46 
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 .../libs/openssl/files/openssl-engines.init   |  19 
 package/libs/openssl/files/openssl.init   |  31 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 20 files changed, 217 insertions(+), 140 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf




[PATCH v2 3/3] openssl: configure engines with uci

2021-04-29 Thread Eneas U de Queiroz
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

config engine 'devcrypto'
	option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it reports the engines being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

 package/libs/openssl/Makefile | 13 ++--
 package/libs/openssl/engine.mk| 60 ---
 .../libs/openssl/files/openssl-engines.init   | 19 ++
 package/libs/openssl/files/openssl.init   | 31 ++
 .../150-openssl.cnf-add-engines-conf.patch|  5 +-
 5 files changed, 73 insertions(+), 55 deletions(-)
 create mode 100644 package/libs/openssl/files/openssl-engines.init
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+   $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
$(1)/etc/init.d/openssl
+   touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo devcrypto=devcrypto >> 
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
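Review bot: /etc/config/openssl is created with `touch $(1)/etc/config/openssl` and populated with `echo -e ... >> $(1)/etc/config/openssl`, but the conffiles hunk above only removes /etc/ssl/engines.cnf.d/engines.cnf and adds nothing in its place, so opkg treats the uci file as an ordinary file and overwrites it on a libopenssl-conf upgrade, discarding any engine sections the user or the engine postinst scripts added; add `/etc/config/openssl` to Package/libopenssl-conf/conffiles. The `echo -e "...\n\t..."` lines also depend on the build shell being bash; `printf` produces the same bytes on any sh.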
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
-   Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
 
-   opkg install --force-reinstall libopenssl-conf
-   EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
 
-   Then, you will have to reinstall this package, and any other engine 
package you have
-   you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
 
-   opkg install --force-reinstall $$(OSSL_ENG_PKG) 
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+   option enabled '1'
+EOF
 
-   EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e &q
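Review bot: the guard `[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0` only prevents a duplicate section on a live target; with IPKG_INSTROOT set (image build, or opkg with an offline root) the `cat << EOF >> "{OPENSSL_UCI}"` runs unconditionally, so a second postinst run appends a second `config engine '$(1)'` section. A uci-free check such as `grep -q "^config engine '$(1)'" "{OPENSSL_UCI}" || cat << EOF >> "{OPENSSL_UCI}"` covers both cases. As rendered here the variable appears as `{IPKG_INSTROOT}` without the `$$` make escape; if that is not an archive artefact, the shell compares a literal string and the test is always true. The removed `error_out`/`OPENSSL_CNF` block was also the only check that libopenssl-conf had been unpacked first; the new script silently assumes `{IPKG_INSTROOT}/etc/config` exists.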
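As an added example, not the openssl.init shipped by this patch, the engine selection the commit message describes in POSIX sh: 'enabled' defaults to 1, 'force' bypasses the existence test, and existence means %ENGINE%.cnf in the config directory or %ENGINE%.so in the engines directory, with the result written as the "name=name" list the engines.cnf file holds. The uci file is parsed directly so it runs without the uci binary; the directory parameters, helper names and the demo's engine names are assumptions.

```shell
#!/bin/sh
# Added example, not the openssl.init from the patch: it replays the engine
# selection the commit message describes and writes the "name=name" list
# that the engines.cnf file holds. Directory paths are parameters so it runs
# outside an OpenWrt root; helper names and demo engine names are invented.

# engine_present NAME CNF_DIR SO_DIR
# The existence test from the commit message: %ENGINE%.cnf or %ENGINE%.so.
engine_present() {
	[ -f "$2/$1.cnf" ] || [ -f "$3/$1.so" ]
}

# engine_decision NAME ENABLED FORCE CNF_DIR SO_DIR
# Prints enable, disabled or missing. 'enabled' defaults to 1 when unset;
# 'force' = 1 enables the engine even if the existence test fails.
engine_decision() {
	if [ "${2:-1}" = 0 ]; then
		echo disabled
	elif [ "${3:-0}" = 1 ] || engine_present "$1" "$4" "$5"; then
		echo enable
	else
		echo missing
	fi
}

# flush_engine NAME ENABLED FORCE CNF_DIR SO_DIR OUT
# Appends "NAME=NAME" to OUT when the decision is enable; skips empty NAME.
flush_engine() {
	[ -n "$1" ] || return 0
	if [ "$(engine_decision "$1" "$2" "$3" "$4" "$5")" = enable ]; then
		echo "$1=$1" >> "$6"
	fi
}

# uci_unquote VALUE: strip the single or double quotes around a uci value.
uci_unquote() {
	v=$1
	v=${v#\'}; v=${v%\'}
	v=${v#\"}; v=${v%\"}
	printf '%s\n' "$v"
}

# generate_engines_cnf CONFIG OUT CNF_DIR SO_DIR
# CONFIG is in /etc/config/openssl format ("config engine 'x'" sections with
# "option enabled 'v'" / "option force 'v'" lines); parsed here directly so
# the example needs no uci binary. Sections of other types are ignored.
generate_engines_cnf() {
	cfg=$1 out=$2 cnf_dir=$3 so_dir=$4
	name='' enabled='' force=''
	: > "$out"
	while read -r kw key val; do
		case $kw in
		config)
			flush_engine "$name" "$enabled" "$force" "$cnf_dir" "$so_dir" "$out"
			name='' enabled='' force=''
			if [ "$key" = engine ]; then
				name=$(uci_unquote "$val")
			fi
			;;
		option)
			case $key in
			enabled) enabled=$(uci_unquote "$val") ;;
			force)   force=$(uci_unquote "$val") ;;
			esac
			;;
		esac
	done < "$cfg"
	flush_engine "$name" "$enabled" "$force" "$cnf_dir" "$so_dir" "$out"
}

# demo_engines_cnf: constructed scratch root with one .cnf, one .so and a
# five-section config; prints the generated list (devcrypto, afalg and capi;
# padlock is disabled, gost is missing and not forced).
demo_engines_cnf() {
	root=$(mktemp -d)
	mkdir -p "$root/cnf.d" "$root/engines"
	: > "$root/cnf.d/devcrypto.cnf"
	: > "$root/engines/afalg.so"
	printf '%s\n' \
		"config engine 'devcrypto'" \
		"	option enabled '1'" \
		"config engine 'afalg'" \
		"config engine 'padlock'" \
		"	option enabled '0'" \
		"config engine 'gost'" \
		"config engine 'capi'" \
		"	option force '1'" \
		> "$root/openssl"
	generate_engines_cnf "$root/openssl" "$root/engines.cnf" \
		"$root/cnf.d" "$root/engines"
	cat "$root/engines.cnf"
	rm -rf "$root"
}
```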

[PATCH v2 1/3] openssl: config engines in /etc/ssl/engines.cnf.d

2021-04-29 Thread Eneas U de Queiroz
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

All patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2: unchanged
 package/libs/openssl/Makefile |  30 --
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 101 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 114 insertions(+), 123 deletions(-)
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/padlock.cnf

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..69616f01e8 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR
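Review bot: afalg.cnf and devcrypto.cnf are installed into /etc/ssl/engines.cnf.d with `$(INSTALL_DATA)`, and the devcrypto description in this patch tells users to edit devcrypto.cnf, yet none of the hunks shown adds a Package/libopenssl-afalg/conffiles or Package/libopenssl-devcrypto/conffiles; without one, opkg overwrites the edited file on the next package upgrade. Add a conffiles define next to each install recipe listing `/etc/ssl/engines.cnf.d/afalg.cnf` and `/etc/ssl/engines.cnf.d/devcrypto.cnf` respectively.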

[PATCH v2 2/3] openssl: configure engine packages during install

2021-04-29 Thread Eneas U de Queiroz
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2: unchanged

 package/libs/openssl/Makefile | 58 +
 package/libs/openssl/engine.mk| 82 +++
 package/libs/openssl/files/engines.cnf| 12 +--
 .../150-openssl.cnf-add-engines-conf.patch|  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 69616f01e8..238f7ecf02 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
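Review bot: `$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)` tests the literal text CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO, which is never empty, so the devcrypto.cnf entry is emitted whether or not the engine is built in; the PADLOCK line has the same problem. Both should read `$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),...)`, the form the libopenssl-conf install recipe of this series uses.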
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-  +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf 
@!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE 
+PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-  @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev 
@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 
+PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-  +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
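Review bot: the three descriptions drop the "To use it, you need to enable the engine in ..." sentence without saying what replaces it; since each package now enables its engine from the postinst generated by the `$(eval $(call Package/openssl/add-engine,...))` lines, the description should state that the engine is enabled on install and where to disable it, otherwise `opkg info` leaves the user with no pointer to the engines list. Also, `DEPENDS += ...` right after `$(call Package/openssl/engine/Default)` only works if engine/Default has already assigned DEPENDS (the removed `libopenssl @OPENSSL_ENGINE` and `+libopenssl-conf` entries presumably moved there); a comment in engine.mk would help the out-of-tree engines this file is meant to serve.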
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(if $(CONFIG_OPENSSL_ENGINE_BUILTI

[PATCH v3 0/3] Engine configuration series

2021-04-29 Thread Eneas U de Queiroz
This series builds upon what was first started by Daniel Danzberger,
with some suggestions by Florian Eckert to enable the engines when they
are installed.

The series split is subject to discussion:
- the first commit does a patch cleanup proposed by Rosen Penev, and
  also splits the configuration from one monolithic file to one file per
  engine, and also an engines list.
- the second implements my first proposal, of enabling engines during
  their installation.  It introduces an engine.mk file that provides
  menu placement, basic dependencies and the postinst, postrm functions
  for engine packages, and can be used for out of tree engine packages.
- the third commit introduces uci configuration, and does the engines
  list generation during startup, or when an engine package is
  installed or removed.

The first commit received basic testing on mvebu running master,
covering afalg and devcrypto engines built as modules.

The second and third commits had testing expanded to checking built-in
engine builds.

I have not squashed the commits, but I do think that 2 and 3 may be
squashed if 3 is merged.  The first one is just cleanup, and the second
adds complexity that ended up being removed by the third commit.
Nonetheless, all of them result in a working package.

I thought about expanding uci support to include other configuration
commands, but it would drop the documentation provided by the current
config files.  Besides, each engine has its own options, which would
add complexity to config generation if you are to actually verify them.
Passing unknown commands straight from uci to the config files would be
simple and work, but it would be hard to find what options are
available, compared to just reading the example configs provided
otherwise.

openssl engine -vv would show the commands, with some basic description
of them, but getting the supported arguments may not be straightforward.
For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89
parameters".  All I could do to help was to point to a header file where
the actual list of supported parameters is defined.

After this is merged, I will adapt the two engines in the packages feed.

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

v2->v3:
- actually removed the extra files that I had promised in v2

Eneas U de Queiroz (3):
  openssl: config engines in /etc/ssl/engines.cnf.d
  openssl: configure engine packages during install
  openssl: configure engines with uci

 package/libs/openssl/Makefile |  55 +-
 package/libs/openssl/engine.mk|  46 
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/openssl.init   |  31 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 100 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 18 files changed, 191 insertions(+), 140 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100755 package/libs/openssl/files/openssl.init
 create mode 100644 package/libs/openssl/files/padlock.cnf




[PATCH v3 1/3] openssl: config engines in /etc/ssl/engines.cnf.d

2021-04-29 Thread Eneas U de Queiroz
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

All patches were refreshed.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2: unchanged
v2->v3: unchanged

 package/libs/openssl/Makefile |  30 --
 package/libs/openssl/files/afalg.cnf  |  32 ++
 package/libs/openssl/files/devcrypto.cnf  |  31 ++
 package/libs/openssl/files/engines.cnf|   7 ++
 package/libs/openssl/files/padlock.cnf|   3 +
 .../patches/100-Configure-afalg-support.patch |   3 +-
 .../openssl/patches/110-openwrt_targets.patch |   3 +-
 .../120-strip-cflags-from-binary.patch|   3 +-
 .../patches/130-dont-build-tests-fuzz.patch   |   3 +-
 .../patches/140-allow-prefer-chacha20.patch   |   4 +-
 .../150-openssl.cnf-add-engines-conf.patch| 101 +++---
 ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch |   3 +-
 ..._devcrypto-add-configuration-options.patch |   5 +-
 ...ypto-add-command-to-dump-driver-info.patch |   3 +-
 ...o-make-the-dev-crypto-engine-dynamic.patch |   4 -
 ...default-to-not-use-digests-in-engine.patch |   1 -
 ...to-ignore-error-when-closing-session.patch |   1 -
 17 files changed, 114 insertions(+), 123 deletions(-)
 create mode 100644 package/libs/openssl/files/afalg.cnf
 create mode 100644 package/libs/openssl/files/devcrypto.cnf
 create mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100644 package/libs/openssl/files/padlock.cnf

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..69616f01e8 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 ENGINES_DIR=engines-1.1
 
@@ -146,7 +146,7 @@ endef
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
@@ -163,7 +163,8 @@ endef
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to configure the engine in /etc/ssl/openssl.cnf
+To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
+configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
@@ -179,7 +180,7 @@ endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to configure it in /etc/ssl/openssl.cnf.
+To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
@@ -376,8 +377,9 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
+   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/openssl-util/install
@@ -386,18 +388,24 @@ define Package/openssl-util/install
 endef
 
 define Package/libopenssl-afalg/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/
 endef
 
 define Package/libopenssl-devcrypto/install
-   $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR)
-   $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so 
$(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_DIR)  $(1)/etc/ssl/engines.cnf.d \
+   $(1)/usr/lib/$(ENGINES_DIR)
+   $(INSTALL_BIN)  $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devc

[PATCH v3 2/3] openssl: configure engine packages during install

2021-04-29 Thread Eneas U de Queiroz
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2: unchanged
v2->v3: unchanged

 package/libs/openssl/Makefile | 58 +
 package/libs/openssl/engine.mk| 82 +++
 package/libs/openssl/files/engines.cnf| 12 +--
 .../150-openssl.cnf-add-engines-conf.patch|  2 +-
 4 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 package/libs/openssl/engine.mk

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 69616f01e8..238f7ecf02 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,9 +11,8 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_USE_MIPS16:=0
-ENGINES_DIR=engines-1.1
 
 PKG_BUILD_PARALLEL:=1
 
@@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
+include engine.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -128,6 +128,9 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
+/etc/ssl/engines.cnf.d/engines.cnf
+$(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
+$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
@@ -135,52 +138,50 @@ $(call Package/openssl/Default/description)
 This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf.
 endef
 
+$(eval $(call Package/openssl/add-engine,afalg))
 define Package/libopenssl-afalg
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=AFALG hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \
-  +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf 
@!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-afalg/description
 This package adds an engine that enables hardware acceleration
 through the AF_ALG kernel interface.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "afalg"
 endef
 
+$(eval $(call Package/openssl/add-engine,devcrypto))
 define Package/libopenssl-devcrypto
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=/dev/crypto hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE 
+PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \
-  @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev 
@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-devcrypto/description
 This package adds an engine that enables hardware acceleration
 through the /dev/crypto kernel interface.
-To use it, you need to enable the engine in 
/etc/ssl/engines.cnf.d/engines.cnf.  You may
-configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "devcrypto"
 endef
 
+$(eval $(call Package/openssl/add-engine,padlock))
 define Package/libopenssl-padlock
   $(call Package/openssl/Default)
-  SUBMENU:=SSL
+  $(call Package/openssl/engine/Default)
   TITLE:=VIA Padlock hardware acceleration engine
-  DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 
+PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
-  +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN
+  DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \
+@!OPENSSL_ENGINE_BUILTIN
 endef
 
 define Package/libopenssl-padlock/description
 This package adds an engine that enables VIA Padlock hardware acceleration.
-To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf.
 See 
https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module
 and 
https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators
 The engine_id is "padlock"
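Review bot: the afalg and padlock descriptions lose the sentence that told the user where the engine gets enabled, and devcrypto additionally loses the pointer to its tunables in /etc/ssl/engines.cnf.d/devcrypto.cnf, while the link to the engine-configuration-module docs and the engine_id line stay; without that sentence the remaining text never says what the id is for. Add one line per engine saying that installing the package enables it (the postinst provided by the `$(call Package/openssl/add-engine,...)` hook above each definition is what now edits engines.cnf) and, for devcrypto, keep the reference to devcrypto.cnf, since libopenssl-conf still installs that file.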
@@ -380,6 +381,12 @@ define Package/libopenssl-conf/install
$(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
$(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(if $(CONFIG_OPENSSL_E

[PATCH v3 3/3] openssl: configure engines with uci

2021-04-29 Thread Eneas U de Queiroz
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

config engine 'devcrypto'
	option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it reports the engines being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz 
---

Changelog:

v1->v2:
- fixed postinst & postrm logic that was failing when building the final
  image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions

v2->v3:
- actually removed the extra files that I had promised in v2

 package/libs/openssl/Makefile | 13 ++--
 package/libs/openssl/engine.mk| 60 ---
 package/libs/openssl/files/engines.cnf|  7 ---
 package/libs/openssl/files/openssl.init   | 31 ++
 .../150-openssl.cnf-add-engines-conf.patch|  5 +-
 5 files changed, 54 insertions(+), 62 deletions(-)
 delete mode 100644 package/libs/openssl/files/engines.cnf
 create mode 100755 package/libs/openssl/files/openssl.init

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
 PKG_BASE:=1.1.1
 PKG_BUGFIX:=k
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
 $(if 
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
 $(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
 endef
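Review bot: engines.cnf leaves the conffiles list, but its replacement /etc/config/openssl, created with `touch $(1)/etc/config/openssl` in the install recipe below and appended to by each engine package's postinst, is not added in its place. Unless the build marks files under /etc/config as conffiles by itself, list it here so that upgrading libopenssl-conf does not replace a user's engine sections with the empty file.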
@@ -378,15 +377,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
-   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+   $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config 
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
-   $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+   $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+   $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' 
$(1)/etc/init.d/openssl
+   touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo devcrypto=devcrypto >> 
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
-   echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+   echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> 
$(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
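Review bot: the commit message turns the init script's position into a correctness condition (after 'log', before every service that uses OpenSSL, or that service runs without engines), yet neither the message nor this hunk states the START index the installed `$(1)/etc/init.d/openssl` carries. State it in the commit message so it can be checked against the START values of the OpenSSL consumers. Minor: the two `echo -e` lines differ in their leading `\n`, so an image with only padlock built in starts /etc/config/openssl with a blank line; harmless for uci, but one consistent format would be cleaner.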
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
 
   define Package/$$(OSSL_ENG_PKG)/postinst :=
 #!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
-   Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
 
-   opkg install --force-reinstall libopenssl-conf
-   EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
 
-   Then, you will have to reinstall this package, and any other engine 
package you have
-   you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
 
-   opkg install --force-reinstall $$(OSSL_ENG_PKG) 
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+   option enabled '1'
+EOF
 
-   EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [
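Review bot: the guard `[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0` correctly leaves an existing section alone (including one the user set to enabled '0'), but when no section exists the script appends raw text with `cat << EOF >> "{OPENSSL_UCI}"`; on a live system prefer `uci set openssl.$(1)=engine`, `uci set openssl.$(1).enabled=1` and `uci commit openssl`, so the file keeps uci's own formatting and any pending uci changes are not interleaved with a hand-written block. The old error_out() help text is removed without a replacement: a missing /etc/config/openssl is now silently created by the append rather than reported, so at least print a warning in that case.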

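The engine-list generation described in the commit message, as an added POSIX shell example that is not the patch's openssl.init (that file is not in this excerpt) and not OpenWrt code: it applies the rules the message states, 'enabled' defaulting to true, 'force' bypassing the existence test, and existence meaning a %ENGINE%.cnf in the engines.cnf.d directory or a %ENGINE%.so in the engines directory. It parses the /etc/config/openssl syntax itself instead of calling uci, so it runs outside OpenWrt; the directories, engine names and config contents in run_demo are constructed fixtures, and the `id=id` output lines follow the `echo devcrypto=devcrypto >> engines.cnf` form of the install recipe this patch replaces.

```shell
#!/bin/sh
# Added example, not the openssl.init from the patch: a runnable model of the
# engine-list generation the commit message describes. It parses the
# /etc/config/openssl syntax itself rather than calling uci, and every path
# and engine name in run_demo is a constructed fixture.

# parse_engines FILE
# Prints "name enabled force" per "config engine" section, with the defaults
# the commit message gives (enabled=1, force=0).
parse_engines() {
    awk -v q="'" '
        function flush() { if (name != "") print name, enabled, force }
        $1 == "config" && $2 == "engine" {
            flush()
            name = $3; gsub(q, "", name)        # drop uci quoting
            enabled = 1; force = 0
        }
        $1 == "option" && name != "" {
            val = $3; gsub(q, "", val)
            if ($2 == "enabled") enabled = val
            if ($2 == "force")   force = val
        }
        END { flush() }
    ' "$1"
}

# gen_engines_cnf CONFIG CNF_DIR SO_DIR OUT
# Writes "id=id" for every engine that is enabled and either exists (a
# CNF_DIR/<id>.cnf or SO_DIR/<id>.so) or has force=1. Disabled and missing
# engines are reported on stderr, where the init script would log them.
gen_engines_cnf() {
    cfg=$1; cnfdir=$2; sodir=$3; out=$4
    : > "$out"
    while read -r name enabled force; do
        [ -n "$name" ] || continue
        if [ "$enabled" != "1" ]; then
            echo "openssl: engine '$name' disabled" >&2
            continue
        fi
        if [ "$force" != "1" ] && [ ! -f "$cnfdir/$name.cnf" ] \
                               && [ ! -f "$sodir/$name.so" ]; then
            echo "openssl: engine '$name' not found, skipping" >&2
            continue
        fi
        echo "$name=$name" >> "$out"
    done <<EOF
$(parse_engines "$cfg")
EOF
}

# run_demo: build a fixture tree, generate the list and print it.
run_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/engines.cnf.d" "$tmp/engines-1.1" "$tmp/var"
    touch "$tmp/engines.cnf.d/devcrypto.cnf"   # found through its .cnf
    touch "$tmp/engines-1.1/afalg.so"          # found through its .so
    cat > "$tmp/openssl" <<'EOF'
config engine 'devcrypto'
        option enabled '1'

config engine 'afalg'

config engine 'padlock'
        option enabled '1'

config engine 'ghost'
        option force '1'

config engine 'dormant'
        option enabled '0'
EOF
    gen_engines_cnf "$tmp/openssl" "$tmp/engines.cnf.d" \
                    "$tmp/engines-1.1" "$tmp/var/engines.cnf"
    cat "$tmp/var/engines.cnf"
    rm -rf "$tmp"
}

run_demo
```

Running it prints devcrypto, afalg and ghost (forced in spite of having neither file); padlock is skipped as not found and dormant as disabled, both on stderr. The printed list is what an include of /var/etc/ssl/engines.cnf from openssl.cnf would pick up.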
[opkg 1/3] libopkg: pkg_hash: restore picked by hand priority

2022-10-17 Thread Eneas U de Queiroz
Historically, package archives that are provided in the cli were given
priority over any version from the feeds to satisfy dependencies.

However, when a score was introduced in 5936c4f (libopkg: pkg_hash:
prefer original packages to satisfy dependencies), it would only look at
the flag if the package had the highest score at the time it was being
assessed.

While one can argue that the intention of the change was to supersede
the by-hand priority, it would still depend on the order in which
the packages were checked, which is not good.

Perform the "by-hand" check first, and only then go through the score
system.  Add a logging message to show the reason.

Signed-off-by: Eneas U de Queiroz 
---
 libopkg/pkg_hash.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git opkglibopkg/pkg_hash.c b/libopkg/pkg_hash.c
index 11b1a06..482efb8 100644
--- opkglibopkg/pkg_hash.c
+++ b/libopkg/pkg_hash.c
@@ -414,6 +414,14 @@ pkg_t 
*pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg,
pkg_t *matching = matching_pkgs->pkgs[i];
if (constraint_fcn(matching, cdata)) {
int score = 1;
+   /* It has been provided by hand, so it is what user 
want */
+   if (matching->provided_by_hand == 1) {
+   good_pkg_by_name = matching;
+   opkg_msg(DEBUG, "Candidate: %s %s (picked by 
hand).\n",
+matching->name, 
pkg_get_string(matching, PKG_VERSION));
+   break;
+   }
+
if (strcmp(matching->name, apkg->name) == 0)
score++;
 
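Review bot: hoisting the provided_by_hand test above the scoring restores the absolute priority, but the `break` still takes whichever by-hand archive the hash iteration reaches first, so two local archives that both satisfy the dependency are chosen in an order-dependent way, the same objection the commit message raises against 5936c4f; either state in the message that the first by-hand match wins or log the later ones as skipped. Nit: the moved comment says "so it is what user want"; make it "so it is what the user wants" while it is being relocated.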
@@ -432,9 +440,6 @@ pkg_t 
*pkg_hash_fetch_best_installation_candidate(abstract_pkg_t * apkg,
 
good_pkg_by_name = matching;
good_pkg_score = score;
-   /* It has been provided by hand, so it is what user 
want */
-   if (matching->provided_by_hand == 1)
-   break;
}
}
 



[opkg 0/3] Rework criteria for dependent package selection

2022-10-17 Thread Eneas U de Queiroz
This fixes a problem when generating an image using the firmware
builder, to include libwolfsslcpu-crypto.  Before they are sent to the
asu server, the firmware builder strips the ABI version from the packages
and sorts them alphabetically.  That means libustream-wolfssl will be
installed before libwolfsslcpu-crypto.

Opkg will see that libustream-wolfssl depends on
libwolfssl5.5.1.b24d5f87.  Since it matches the name of the regular
libwolfssl package, it is chosen and installed.  When it comes to
libwolfsslcpu-crypto's turn, it will fail because of a clash with the
regular package.

If you were to run it in the cmdline with the full name of
libwolfsslcpu-crypto5.5.1.b24d5f87, or list it before any dependents,
then it would work as expected.  However, because the firmware selector
strips the ABI version and changes the order of the packages, there's no way
to build an image with both libustream-wolfssl and libwolfsslcpu-crypto.

The first two commits attempt to add some order to the way they are
currently chosen, by prioritizing packages chosen "by hand" and by
preferring packages listed in the command line arguments over new
packages chosen automatically.

The third commit adds matching the package without ABI suffix, and
establishes a hierarchy among the criteria, prioritizing user choices
(i.e. package names given as command line arguments), then developer
choices (chosen package names), and resort to alphabetical order as a
last resort.

When resolving dependencies, packages listed in the cli may not have the
ABI version, and they should have a higher priority over anything picked
automatically.

Use powers of two when computing the score to avoid ties due to
different criteria, and so that it reflects what was matched.  The
resulting priorities after this change are:

1. base score is 0

---USER CHOICES (cmdline)---
2. packages "picked by hand" (local file given in the cli) have absolute
   priority, ending the search regardless of score
3. package whose full name is in the cli: score += 4
4. package whose name stripped of ABI matches one in the cli: score += 2

---DEVELOPER CHOICE (pkg data)---
5. package whose full name matches the dependency name: score += 1
   Note: the ABI is recorded in the dependency, so I'm not using the
   stripped name here.

6. in case of a tie, the last package that was looked at is chosen
   (equivalent to being first in alphabetical order)

I tried not to change things so much--aside from restoring the "picked
by hand" case, I just created tie-breakers.  However, I still have some
questions about the necessity of some of this.  For example: if more
than one dependency is listed in the cli, does it matter which package
is chosen?  I imagine it would be equivalent of the picked-by-hand case,
so it would be simpler and faster to end the search.  It could make a
difference if one were to install clashing packages with
--force-overwrite in the same invocation, but I can't see a scenario
where this would be useful.

This was tested with the Image Builder, and by running opkg from command
line on Linksys E8450 (mediatek/mt7622, aarch64_cortex-a53).

Signed-off-by: Eneas U de Queiroz 

Eneas U de Queiroz (3):
  libopkg: pkg_hash: restore picked by hand priority
  libopkg: pkg_hash: bump score of packages in cli
  libopkg: pkg_hash: consider names stripped of ABI

 libopkg/pkg_hash.c | 35 +--
 1 file changed, 29 insertions(+), 6 deletions(-)
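The priority list in the cover letter, as an added C example that is not opkg's code (opkg's pkg_hash.c works on pkg_t and abstract_pkg_t and is not reproduced here): a stand-alone model of the scoring rules, run against the libwolfssl case the letter describes. The cand struct, strip_abi(), cli_has() and the three scenario functions are assumptions made for this example; in particular it assumes the ABI version is appended verbatim to the package name, so stripping it is a suffix cut.

```c
/* Added example, not opkg's pkg_hash.c: a stand-alone model of the score
 * hierarchy from the cover letter, run against the libwolfssl case it
 * describes. struct cand, strip_abi(), cli_has() and the scenario functions
 * are assumptions made for this example, not opkg's data structures. */
#include <stdio.h>
#include <string.h>

struct cand {
    const char *name;         /* full package name, ABI suffix included */
    const char *abi_version;  /* recorded ABI suffix, "" when none */
    int provided_by_hand;     /* 1 when a local archive was given on the cli */
};

/* Copy NAME minus its ABI suffix into BUF. Assumption: the suffix is
 * appended verbatim to the name, so stripping it is a suffix cut. */
static void strip_abi(const char *name, const char *abi, char *buf, size_t n)
{
    size_t nl = strlen(name), al = strlen(abi), keep = nl;
    if (al && nl > al && strcmp(name + nl - al, abi) == 0)
        keep = nl - al;
    if (keep >= n) keep = n - 1;
    memcpy(buf, name, keep);
    buf[keep] = '\0';
}

/* 1 when NAME appears verbatim among the NCLI command line names. */
static int cli_has(const char *name, const char **cli, int ncli)
{
    for (int i = 0; i < ncli; i++)
        if (strcmp(cli[i], name) == 0) return 1;
    return 0;
}

/* Power-of-two weights from the cover letter; each criterion owns one bit,
 * so the score also records which criteria matched. */
static int score_cand(const struct cand *c, const char *dep,
                      const char **cli, int ncli)
{
    char stripped[256];
    int score = 0;                                   /* 1. base score */
    if (cli_has(c->name, cli, ncli)) score += 4;     /* 3. full name on the cli */
    strip_abi(c->name, c->abi_version, stripped, sizeof stripped);
    if (cli_has(stripped, cli, ncli)) score += 2;    /* 4. stripped name on the cli */
    if (strcmp(c->name, dep) == 0) score += 1;       /* 5. name equals the dependency */
    return score;
}

/* Index of the candidate chosen for DEP, or -1 when there is none. A by-hand
 * archive ends the search at once (2.); otherwise the highest score wins and
 * a tie goes to the last candidate examined (6.). */
int pick_candidate(const char *dep, const struct cand *cands, int n,
                   const char **cli, int ncli)
{
    int best = -1, best_score = -1;
    for (int i = 0; i < n; i++) {
        if (cands[i].provided_by_hand)
            return i;
        int s = score_cand(&cands[i], dep, cli, ncli);
        if (s >= best_score) { best = i; best_score = s; }
    }
    return best;
}

/* Constructed scenario from the cover letter: both candidates carry the ABI
 * suffix, while the image builder passes stripped, sorted names on the cli. */
static const struct cand wolf[] = {
    { "libwolfssl5.5.1.b24d5f87",           "5.5.1.b24d5f87", 0 },
    { "libwolfsslcpu-crypto5.5.1.b24d5f87", "5.5.1.b24d5f87", 0 },
};
static const char *wolf_dep = "libwolfssl5.5.1.b24d5f87";

int scenario_image_builder(void)  /* returns 1: stripped-name match beats dep-name match */
{
    const char *cli[] = { "libustream-wolfssl", "libwolfsslcpu-crypto" };
    return pick_candidate(wolf_dep, wolf, 2, cli, 2);
}

int scenario_no_cli(void)         /* returns 0: only the dependency name matches */
{
    return pick_candidate(wolf_dep, wolf, 2, NULL, 0);
}

int scenario_by_hand(void)        /* returns 0: a local archive wins regardless of score */
{
    struct cand local[2] = { wolf[0], wolf[1] };
    const char *cli[] = { "libwolfsslcpu-crypto5.5.1.b24d5f87" };
    local[0].provided_by_hand = 1;
    return pick_candidate(wolf_dep, local, 2, cli, 1);
}

int main(void)
{
    printf("image builder: %s\n", wolf[scenario_image_builder()].name);
    printf("no cli: %s, by hand: %s\n", wolf[scenario_no_cli()].name,
           wolf[scenario_by_hand()].name);
    return 0;
}
```

Compiled with a C99 compiler and run, the image-builder scenario picks libwolfsslcpu-crypto5.5.1.b24d5f87 because the stripped name on the cli (weight 2) outranks a bare dependency-name match (weight 1), which is the ordering the series is after; with no cli names the plain libwolfssl wins on the dependency-name bit alone, and a by-hand archive short-circuits the scoring entirely.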



