[PATCH] openssl: use --cross-compile-prefix in Configure
This sets the --cross-compile-prefix option when running Configure, so that that it will not use the host gcc to figure out, among other things, compiler defines. It avoids an error, when the host 'gcc' is handled by clang: mips-openwrt-linux-musl-gcc: error: unrecognized command-line option '-Qunused-arguments' Signed-off-by: Eneas U de Queiroz --- neheb, or anyone else affected, please test this patch to see if what I'm claiming is actually true. At least it does not appear to break compilation in my case ;-) Compile-tested using a Gentoo host, and mvebu as target. diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 9696748106..3c0e8c5d2d 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=h PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -333,6 +333,7 @@ define Build/Configure --prefix=/usr \ --libdir=lib \ --openssldir=/etc/ssl \ + --cross-compile-prefix="$(TARGET_CROSS)" \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) && \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v2] openssl: use --cross-compile-prefix in Configure
This sets the --cross-compile-prefix option when running Configure, so that that it will not use the host gcc to figure out, among other things, compiler defines. It avoids errors, if the host 'gcc' is handled by clang: mips-openwrt-linux-musl-gcc: error: unrecognized command-line option '-Qunused-arguments' Signed-off-by: Eneas U de Queiroz --- neheb, or anyone else affected, please test this patch to see if what I'm claiming is actually true. At least it does not appear to break compilation in my case ;-) Compile-tested using a Gentoo host, and mvebu as target. Changelog v1 -> v2 Since the cross prefix is set in Configure, we don't need to overide it when calling make diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 9696748106..77c6d41cec 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=h PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -333,6 +333,7 @@ define Build/Configure --prefix=/usr \ --libdir=lib \ --openssldir=/etc/ssl \ + --cross-compile-prefix="$(TARGET_CROSS)" \ $(TARGET_CPPFLAGS) \ $(TARGET_LDFLAGS) \ $(OPENSSL_OPTIONS) && \ @@ -345,14 +346,12 @@ TARGET_LDFLAGS += -Wl,--gc-sections define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ $(OPENSSL_MAKEFLAGS) \ all $(MAKE) -C $(PKG_BUILD_DIR) \ - CROSS_COMPILE="$(TARGET_CROSS)" \ CC="$(TARGET_CC)" \ DESTDIR="$(PKG_INSTALL_DIR)" \ $(OPENSSL_MAKEFLAGS) \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[RFC PATCH 2/2] wolfssl: compile with --enable-opensslall
This enables all OpenSSL API available. It is required to avoid some silent failures, such as when performing client certificate validation. Package size increases from 356.6K to 374.7K for arm_cortex-a9_vfpv3-d16. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 4b891d634a..aeea1b7b7b 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.5.0-stable -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) @@ -62,6 +62,7 @@ TARGET_LDFLAGS += -flto # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ --enable-lighty \ + --enable-opensslall \ --enable-opensslextra \ --enable-sni \ --enable-stunnel \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[RFC PATCH 0/2] wolfssl: build with --enable-opensslall
While looking at lighttpd failure to run with wolfssl as its backend[1], it was suggested to configure wolfssl with both '--enable-lighty', and '--enable-opensslall'. While '--enable-lighty', in theory should make it work, wolfssl's crazy maze of preprocessor macros, combined with many empty functions and different data structures, make its behaviour unpredictable. Nonetheless, use of '--enable-lighty' should be harmless. Size increase is a little over 100 bytes, and it should make it easier for lighttpd to feature-test the library using 'HAVE_LIGHTY' instead of having to rely on support for other software, like 'HAVE_STUNNEL'. Changes in data structures that depend on compile options also make it hard to use alternative packages, like wolfssl-full and wolfssl-light. Pesonally, I think the size increase is not so dramatic, and there are so much code that gets disabled by its absence that I believe it should be enabled. I know that size matters, but having a library that works consistently is even more important. I am marking this RFC, as it has a broad impact. Please notice that the option name opensslall is somewhat misleading, since it is not a superset of opensslextra. Eneas [1] https://github.com/openwrt/packages/issues/14142 Eneas U de Queiroz (2): wolfssl: add lighty support, skip crypttests wolfssl: compile with --enable-opensslall package/libs/wolfssl/Makefile | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[RFC PATCH 1/2] wolfssl: add lighty support, skip crypttests
Tnis adds the --enable-lighty option to configure, enabling the minimum API needed to run lighttpd, in the packages feed. Size increase is about 120 bytes for arm_cortex-a9_vfpv3-d16. While at it, speed up build by disabling crypt bench/test. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index dc8ca2b262..4b891d634a 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.5.0-stable -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) @@ -61,9 +61,11 @@ TARGET_LDFLAGS += -flto # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ + --enable-lighty \ --enable-opensslextra \ --enable-sni \ --enable-stunnel \ + --disable-crypttests \ --disable-examples \ --disable-jobserver \ --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH ustream] ustream-openssl: fix bio memory leak
Using the patch by Pan Chen as inspiration, this avoids a memory leak by
using a global BIO_METHOD pointer that doesn't ordinarily need to be
freed.
CC: Pan Chen
Signed-off-by: Eneas U de Queiroz
---
Run-tested with a WRT-3200ACM, running uclient_fetch and uhttpd.
I have not run it with valgrind or any other debugger.
diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c
index 606ed4a..26b3ed5 100644
--- a/ustream-io-openssl.c
+++ b/ustream-io-openssl.c
@@ -116,20 +116,23 @@ static long s_ustream_ctrl(BIO *b, int cmd, long num,
void *ptr)
};
}
+static BIO_METHOD *methods_ustream = NULL;
+
static BIO *ustream_bio_new(struct ustream *s)
{
BIO *bio;
- BIO_METHOD *methods_ustream;
-
- methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream");
- BIO_meth_set_write(methods_ustream, s_ustream_write);
- BIO_meth_set_read(methods_ustream, s_ustream_read);
- BIO_meth_set_puts(methods_ustream, s_ustream_puts);
- BIO_meth_set_gets(methods_ustream, s_ustream_gets);
- BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl);
- BIO_meth_set_create(methods_ustream, s_ustream_new);
- BIO_meth_set_destroy(methods_ustream, s_ustream_free);
+ if (methods_ustream == NULL) {
+ methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK,
+ "ustream");
+ BIO_meth_set_write(methods_ustream, s_ustream_write);
+ BIO_meth_set_read(methods_ustream, s_ustream_read);
+ BIO_meth_set_puts(methods_ustream, s_ustream_puts);
+ BIO_meth_set_gets(methods_ustream, s_ustream_gets);
+ BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl);
+ BIO_meth_set_create(methods_ustream, s_ustream_new);
+ BIO_meth_set_destroy(methods_ustream, s_ustream_free);
+ }
bio = BIO_new(methods_ustream);
BIO_set_data(bio, s);
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH ustream] ustream-openssl: fix bio memory leak
On Wed, Dec 9, 2020 at 1:45 PM Petr Štetiar wrote:
>
> Eneas U de Queiroz [2020-12-09 13:06:45]:
>
> Hi,
>
> > Using the patch by Pan Chen as inspiration, this avoids a memory leak by
> > using a global BIO_METHOD pointer that doesn't ordinarily need to be
> > freed.
>
> this sounds weird, how is global pointer avoiding memory leaks? :-)
BIO_METHOD was made opaque by openssl 1.1.0. It's just a table of
methods, and it does change. Before that, one would just fill the
struct without having to make any calls.
I am the one responsible for introducing the bug in 34b0b80
[ustream-ssl: add openssl-1.1.0 compatibility]. The old, openssl 1.0
code was just:
static BIO_METHOD methods_ustream = {
100 | BIO_TYPE_SOURCE_SINK,
"ustream",
s_ustream_write,
s_ustream_read,
s_ustream_puts,
s_ustream_gets,
s_ustream_ctrl,
s_ustream_new,
s_ustream_free,
NULL,
};
So the answer to your question is because you only allocate the table
if methods_ustream is NULL, and it will point to the created table
then. The table won't change during the lifetime of the process, and
will get freed only when the process ends.
We could free it in s_ustream_free, but only to have to create it
again with the same data the next time ustream_bio_new is called. I
wouldn't do it, but if you'd rather, I can add it in a v2.
>
> > CC: Pan Chen
> >
> > Signed-off-by: Eneas U de Queiroz
> >
> > ---
> > Run-tested with a WRT-3200ACM, running uclient_fetch and uhttpd.
> > I have not run it with valgrind or any other debugger.
>
> how do you otherwise verify the correctness? :-) FYI this is my work in
> progress[1].
>
> 1.
> https://gitlab.com/ynezz/openwrt-ustream-ssl/-/commit/807ce1de752e021802a563783dfa580950746a0c
As for testing I don't have valgrind running, so I wasn't able to do
it; but someone else can. That's why I made sure to point it out. As
for the WIP, you're perhaps doing too much work.
Cheers,
Eneas
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH ustream] ustream-openssl: fix bio memory leak
On Wed, Dec 9, 2020 at 1:58 PM Daniel Golle wrote: > > On Wed, Dec 09, 2020 at 05:44:48PM +0100, Petr Štetiar wrote: > > Eneas U de Queiroz [2020-12-09 13:06:45]: > > > > Hi, > > > > > Using the patch by Pan Chen as inspiration, this avoids a memory leak by > > > using a global BIO_METHOD pointer that doesn't ordinarily need to be > > > freed. > > > > this sounds weird, how is global pointer avoiding memory leaks? :-) > > Well, it moves it from "definitely lost" to "still reachable" when > looking at it with valgrind. We will still have to free it as well, > and that could be done just like in the original patch. > See my reply to Petr. I'm not sure if valgrind will be completely pleased with my approach. I'm not an expert with valgrind, but it seems to not like that I left it in the heap to be cleaned up by the process end, but that is my intention. As long as I am not allocating memory again--it will only be created when methods_ustream is NULL, which is when it is initialized, and there's nowhere else in code that touches it. Note the const in the definition of: BIO * BIO_new(const BIO_METHOD *type); Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH ustream] ustream-openssl: fix bio memory leak
Hi Petr On Wed, Dec 9, 2020 at 6:59 PM Petr Štetiar wrote: > > Eneas U de Queiroz [2020-12-09 14:39:06]: > > Hi, > > > So the answer to your question is because you only allocate the table if > > methods_ustream is NULL, and it will point to the created table then. > > I was referencing the missing freeing of allocated resources. > > > We could free it in s_ustream_free, but only to have to create it again > > with the same data the next time ustream_bio_new is called. I wouldn't do > > it, but if you'd rather, I can add it in a v2. > > Is this micro optimization worth it? You're adding global variable in the > library, you're breaking API layer etc. I'm not supposed to study how is it > implemented _now_, because it will likely change with the next release (either > OpenSSL or wolfSSL) and it might be source of regressions. The API boundary is > given so I'm just trying to use it as designed and as seen in the > docs/examples/tests etc. And there is always new/free combo. > The purpose of BIO_METHOD struct is to hold a table of methods for a BIO object to use. In our case, it remains constant for the lifetime of the process. So, the maximum usable lifetime of methods_ustream is up to the lifetime of the program--it does not mean that we can't set a shorter lifetime. In an ideal world, we would free the resource when the library is cleaned up/deinitialized, but we don't have a function for that. So a possible lifetime we can use is the lifetime of the BIO object using it. One thing we need to be aware of is use after free. We pass the pointer to the BIO_new, and we must be sure that openssl will not access that memory after we free it. This would be after we call BIO_free. The thing is, we aren't making that call. so we are leaking that resource as well. That one can't have the lifetime of the program, its lifetime is no larger than the underlying SSL connection, apparently. So we need to take care of that first. After tackling BIO_free, my suggestion would be to determine where the method table variable should go, and where to call BIO_meth_new and BIO_meth_free. I would add it to a defined struct ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and would create and free the object in __ustream_ssl_context_new and __ustream_ssl_context_free, which would give it a possibly larger lifetime than the ssl_session or the BIO object. > > As for the WIP, you're perhaps doing too much work. I was corrected by my own previous point. > I'm spending time on this mainly because of FS#3465, perhaps mbedTLS has > similar issues[1]. In the end I would like to have uclient/ustream-ssl CI > tested (all 3 SSL libs combinations), with static analyzers, various > sanitizers and Valgrind. So I have to fix all the issues those tools expose. > > Maybe it's too much work, but given the constraints (no globals, follow API), > it's currently simplest working solution, but not fully tested yet. > > BTW I'm not discouraging you from v2, I've rejected the v1 patch, because it > doesn't fix the memory leak as advertised in the subject :-) Thanks! We should coordinate efforts. You're the boss, so tell me what you want me to do, if anything. Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH ustream] ustream-openssl: fix bio memory leak
Hi Petr On Thu, Dec 10, 2020 at 12:57 PM Petr Štetiar wrote: > > After tackling BIO_free, my suggestion would be to determine where the > > method table variable should go, and where to call BIO_meth_new and > > BIO_meth_free. I would add it to a defined struct > > ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and > > IIRC I've tried that approach already(this WIP solution is like 3rd > iteration), but that struct is opaque. I meant the ustream_ssl_ctx structure, which is an ustream internal structure. For openssl, we're just using a straight cast to the openssl's SSL_CTX struct, so that's why it is opaque, while for mbedtls, it is a defined struct. What I meant was to actually define a ustream_ssl_ctx structure for openssl, just as ustream-mbedtls does, with the BIO_methods and the SSL_CTX as members. > > would create and free the object in __ustream_ssl_context_new and > > __ustream_ssl_context_free, which would give it a possibly larger > > lifetime than the ssl_session or the BIO object. > > AFAIK that's exactly what I'm doing in my current solution. You're doing it at the SSL struct. You can have multiple SSL structs under the same SSL_CTX struct. In a server, for example, you will have one SSL_CTX object, which accepts connections, creating a new SSL structure for each connection. You know I'm just madly fighting for every CPU cycle of performance optimization I can get. ;-) If you look at it from an organization and tidiness POV, you can argue that the BIO methods structure should be placed along with the BIO, which is with the SSL structure. I'll let you pick your side. > > We should coordinate efforts. You're the boss, so tell me what you want me > > to do, if anything. > > I didn't wanted to sound like the boss and I apologize if that was the case, > sorry. I apologize for the bad choice of words. Someone has to take the lead, and that was a rather ill-fated attempt to make it clear that I would follow your lead, and had nothing to do with your tone or anything you had done. > I've just send out some patches for uclient/ustream-ssl, so I would be > grateful if you could review and test those changes on your device(s), ideally > on all three SSL libs and client/server setup. Thanks! I'll do that over the weekend. I'm updating openssl to 1.1.1i, which fixes high severity CVE-2020-1971. I haven't sent it yet because I want to test it first, and I'm low on testing resources right now. I'll probably test openssl tonight, then tackle ustream-ssl. Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] openssl: update to 1.1.1i
Fixes: CVE-2020-1971, defined as high severity, summarized as: NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS attack. Signed-off-by: Eneas U de Queiroz --- This was run-tested in a WRT-3200ACM diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 77c6d41cec..714ce2059a 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=h +PKG_BUGFIX:=i PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9 +PKG_HASH:=e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] wolfssl: Update to v4.6.0-stable
This version fixes a large number of bugs, although no security
vulnerabilities are listed.
Full changelog at:
https://www.wolfssl.com/docs/wolfssl-changelog/
or, as part of the version's README.md:
https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md
Due a number of API additions, size increases from 374.7K to 408.8K for
arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version.
Backported patches were removed; remaining patch was refreshed.
Signed-off-by: Eneas U de Queiroz
---
Run-tested on a Linksys WRT3200ACM (arm) with uhttpd, uclient-fetch, and
wpad-wolfssl.
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 6758f7dd08..dcc6aca40c 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
-PKG_VERSION:=4.5.0-stable
-PKG_RELEASE:=5
+PKG_VERSION:=4.6.0-stable
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c
+PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
PKG_FIXUP:=libtool
PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 43337ba970..c2793285e7 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
-@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
#endif
/* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
deleted file mode 100644
index 3838865559..00
--- a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001
-From: Tesfa Mael
-Date: Wed, 26 Aug 2020 10:13:06 -0700
-Subject: [PATCH] Make ByteReverseWords available for big and little endian
-
- wolfcrypt/src/misc.c | 2 --
- 1 file changed, 2 deletions(-)
-
a/wolfcrypt/src/misc.c
-+++ b/wolfcrypt/src/misc.c
-@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo
- return rotlFixed(value, 16U);
- #endif
- }
--#if defined(LITTLE_ENDIAN_ORDER)
- /* This routine performs a byte swap of words array of a given count. */
- WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
- word32 byteCount)
-@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord
- out[i] = ByteReverseWord32(in[i]);
-
- }
--#endif /* LITTLE_ENDIAN_ORDER */
-
- #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
-
diff --git a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
deleted file mode 100644
index aaf14e46d9..00
--- a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001
-From: Eric Blankenhorn
-Date: Fri, 17 Jul 2020 08:37:02 -0500
-Subject: [PATCH] Fix CheckHostName matching
-
- src/internal.c | 18 --
- src/ssl.c | 5 +
- tests/api.c| 30 ++
- 3 files changed, 47 insertions(+), 6 deletions(-)
-
-diff --git a/src/internal.c b/src/internal.c
-index dc57df0242..cda815d875 100644
a/src/internal.c
-+++ b/src/internal.c
-@@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char*
domain, int* checkCN)
- altName = dCert->altNames;
-
- if (checkCN != NULL) {
--*checkCN = altName == NULL;
-+*checkCN = (altName == NULL) ? 1 : 0;
- }
-
- while (altName) {
-@@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char*
domain, int* checkCN)
- int CheckHostName(DecodedCert* dCert, const char *domainName, size_t
domainNameLen)
- {
- int checkCN;
-+int ret = DOMAIN_NAME_MISMATCH;
-
- /* Assume name is NUL terminated. */
- (void)domainNameLen;
-
- if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
--WOLFSSL_MSG("DomainName match on alt names failed too");
--return DOMAIN_NAME_MISMATCH;
-+WOLFSSL_MSG("DomainName match on alt names failed");
- }
-+else {
-+ret = 0;
-+}
-+
- if (checkCN == 1) {
- if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
--domainName) == 0) {
-+
Re: [PATCH] base-files: sysupgrade: store status of system-services
+1 I agree 100% with Adrian on this one. Enable by default, add option to disable. Disabled services are, intuitively, part of the configuration being saved. So, it should not be saved when '-n' is given. I may be stretching things a bit, but I would consider this a fix, not a feature change ;-). Cheers, Eneas On Mon, Jan 11, 2021 at 9:48 AM Adrian Schmutzler wrote: > > > There are just 2 people (me, Andrew Heider) that would like to see saving > > service status done by default when sysupgrading, and other 2 people that > > would like it in its own setting option (Stjin Segers and Paul Spooren). > > +1 for saving service status by default. This has always annoyed me when > working with "default" images and actually for me it was expected behavior > until I found out it is not happening. > This is a very relevant behavior/feature affecting many of our "standard" > users, e.g. when using OpenWrt for "Dump AP" setups where you disable DHCP > etc. I'm sure a two-digit percentage of users setting up their device like > that won't even be aware that they suddenly have a DHCP running again after > upgrade. > > Of course, if adding an option to _disable_ is fairly easy, we should do so. > > Best > > Adrian > ___ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: Deprecate snort in favor of snort3
On Sun, Jan 31, 2021 at 3:45 PM W. Michael Petullo wrote: > > OpenWrt provides two snort packages: snort and snort3. Now that snort3 is > out of beta, I would like to consider deprecating the snort package. One > difficulty of maintaining both packages is that a different version of > the libdaq package is required for each. The two versions cannot coexist, > and this make build-server builds fail. > > I do not know how popular the snort package is. I use snort3. > > Is dropping snort advisable? If so, what is the procedure? > > -- > Mike I was about to open a PR to have each version of libdaq installed into its own directory, which would take care of the build failure. However, I think removing the snort3 package, then bumping the stable snort to the latest version is the best way to go. I would not leave the version number as part of the package name. If you want to keep this status quo a little longer, tell me and I'll open the PR. BTW, I don't use the packages, I was just going to fix the build failure. Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] kernel: DSA roaming fix for Marvell Link Street switch series
On Tue, Feb 2, 2021 at 6:15 AM DENG Qingfang wrote:
>
> Marvell Link Street switch series cannot perform MAC learning from
> CPU-injected (FROM_CPU) DSA frames, which results in 2 issues.
> - excessive flooding, due to the fact that DSA treats those addresses
> as unknown
> - the risk of stale routes, which can lead to temporary packet loss
>
> Backport those patch series from netdev mailing list, which solve these
> issues by adding and clearing static entries to the switch's FDB.
>
> Add a hack patch to set default VID to 1 in port_fdb_{add,del}. Otherwise
> the static entries will be added to the switch's private FDB if VLAN
> filtering disabled, which will not work.
>
> Link:
> https://lore.kernel.org/netdev/20210106095136.224739-1-olte...@gmail.com/
> Link:
> https://lore.kernel.org/netdev/20210116012515.3152-1-tob...@waldekranz.com/
> Link: https://lore.kernel.org/netdev/20210130134334.10243-1-dqf...@gmail.com/
> Ref: https://gitlab.nic.cz/turris/turris-build/-/issues/165
> Signed-off-by: DENG Qingfang
Tested-by: Eneas U de Queiroz
I have tested this using WRT3200ACM, and it solves the problem of
clients not able to roam from one AP to the another--my APs are wired,
not using WDS. Clients would not be able to communicate for 300s
after roaming from one AP to another. I consider this a critical bug,
so a fix must be included before 2021.02 branches. I have applied the
patch to 3 APs, and have been using them for days without any real
issue--I'm not considering the 'ATU member violation' messages
reported earlier an issue, as they do appear to be harmless.
Cheers,
Eneas
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs: - CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support SSLv2, but the affected functions still exist. Considered just a bug. - CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. - CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. - Fixed SRP_Calc_client_key so that it runs in constant time. This could be exploited in a side channel attack to recover the password. The 3 CVEs above are currently awaiting analysis. Signed-off-by: Eneas U de Queiroz --- This was run-tested on a WRT3200ACM (mvebu), using nginx, and wpad, and openssl-util. diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 714ce2059a..4fb4cb2784 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=i +PKG_BUGFIX:=j PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242 +PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] openssl: always build with GOST engine support
The packages feed has a proposed package for a GOST engine, which needs support from the main openssl library. It is a default option in OpenSSL. All that needs to be done here is to not disable it. Package increases by a net 1-byte, so it is not really really worth keeping this optional. This commit also includes a commented-out example engine configuration in openssl.cnf, as it is done for other available engines. Signed-off-by: Eneas U de Queiroz --- Run tested in WRT3200ACM (mvebu), with and without gost-engine 1.1.0.3. GOST engine PR: https://github.com/openwrt/packages/pull/14765 diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index d1281ec6fa..bc2f0584b6 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -293,15 +293,4 @@ config OPENSSL_WITH_ASYNC initiate crypto operations asynchronously. In order to work this will require the presence of an async capable engine. -config OPENSSL_WITH_GOST - bool - prompt "Prepare library for GOST engine" - depends on OPENSSL_ENGINE - help - This option prepares the library to accept engine support - for Russian GOST crypto algorithms. - The gost engine is not included in standard openwrt feeds. - To build such engine yourself, see: - https://github.com/gost-engine/engine - endif diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 4fb4cb2784..378545ac43 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=j PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -50,7 +50,6 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_DTLS \ CONFIG_OPENSSL_WITH_EC2M \ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ - CONFIG_OPENSSL_WITH_GOST \ CONFIG_OPENSSL_WITH_IDEA \ CONFIG_OPENSSL_WITH_MDC2 \ CONFIG_OPENSSL_WITH_NPN \ @@ -287,10 +286,6 @@ else OPENSSL_OPTIONS += no-engine endif -ifndef CONFIG_OPENSSL_WITH_GOST - OPENSSL_OPTIONS += no-gost -endif - ifndef CONFIG_OPENSSL_WITH_DTLS OPENSSL_OPTIONS += no-dtls endif diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch index 81d41963c6..c90fce2442 100644 --- a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -1,6 +1,6 @@ --- a/apps/openssl.cnf +++ b/apps/openssl.cnf -@@ -22,6 +22,82 @@ oid_section = new_oids +@@ -22,6 +22,99 @@ oid_section = new_oids # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) @@ -14,6 +14,7 @@ +#devcrypto=devcrypto +#afalg=afalg +#padlock=padlock ++##gost=gost + +[afalg] +# Leave this alone and configure algorithms with CIPERS/DIGESTS below @@ -79,6 +80,22 @@ + +[padlock] +default_algorithms = ALL ++ ++[gost] ++default_algorithms = ALL ++# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the ++# user to choose between different parameter sets of symmetric cipher ++# algorithm. RFC 4357 specifies several parameters for the ++# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface ++# to choose one when encrypting. So use engine configuration parameter ++# instead. ++# Value of this parameter can be either short name, defined in OpenSSL ++# obj_dat.h header file or numeric representation of OID, defined in ++# RFC 4357. Defaults to id-tc26-gost-28147-param-Z ++#CRYPT_PARAMS = id-tc26-gost-28147-param-Z ++ ++# PBE_PARAMS: Shortname of default digest alg for PBE ++#PBE_PARAMS = + [ new_oids ] ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been
applied here. There are a couple of low severity security bug fixes as
well.
Three patches are no longer needed, and were removed; the one remaining
was refreshed.
Signed-off-by: Eneas U de Queiroz
---
This was run-tested with master on mvebu using uhttpd and hostapd, and
should be cherry-picked to 21.02, and 19.07. It was compile-tested with
21.02 and 19.07.
---
package/libs/wolfssl/Makefile | 6 +--
.../wolfssl/patches/010-CVE-2021-3336.patch | 53 ---
.../patches/100-disable-hardening-check.patch | 2 +-
...Fix-linking-against-hostapd-with-LTO.patch | 25 -
.../patches/120-enable-secret-callback.patch | 10
5 files changed, 4 insertions(+), 92 deletions(-)
delete mode 100644 package/libs/wolfssl/patches/010-CVE-2021-3336.patch
delete mode 100644
package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
delete mode 100644
package/libs/wolfssl/patches/120-enable-secret-callback.patch
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 846351f06d..53cd932d1f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
-PKG_VERSION:=4.6.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.7.0-stable
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
+PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
PKG_FIXUP:=libtool libtool-abiver
PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
deleted file mode 100644
index abb9bfdd9b..00
--- a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
-From: Sean Parkinson
-Date: Thu, 21 Jan 2021 08:24:38 +1000
-Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
-
- src/tls13.c | 18 +-
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
a/src/tls13.c
-+++ b/src/tls13.c
-@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
- #ifdef HAVE_ED25519
- if (args->sigAlgo == ed25519_sa_algo &&
-
!ssl->peerEd25519KeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
-+WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ED448
- if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
-+WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ECC
- if (args->sigAlgo == ecc_dsa_sa_algo &&
-
!ssl->peerEccDsaKeyPresent) {
--WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
-+WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
- #ifndef NO_RSA
- if (args->sigAlgo == rsa_sa_algo) {
--WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
-+WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
- ERROR_OUT(INVALID_PARAMETER, exit_dcv);
- }
- if (args->sigAlgo == rsa_pss_sa_algo &&
- (ssl->peerRsaKey == NULL ||
!ssl->peerRsaKeyPresent)) {
--WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
-+WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
-+ret = SIG_VERIFY_E;
-+goto exit_dcv;
- }
- #endif
-
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c2793285e7..c89ff1be9d 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
-@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
#endif
/* warning for
[PATCH] gmp: compile with -DPIC to use correct asm code
The library is always compiled with $(FPIC) (-fPIC or -fpic), even for the static library. There are some assembly sources that decide whether or not to enable PIC code by checking if PIC is defined. It counts on libtool to define it, but libtool does it only when producing code for the dynamic library, while we need it for both. Ensure it is defined by adding it to CFLAGS next to $(FPIC). It avoids linking errors with strongswan on x86_64: ld: libgmp.a(bdiv_q_1.o): relocation R_X86_64_PC32 against symbol `__gmp_binvert_limb_table' can not be used when making a shared object; recompile with -fPIC Cc: Stijn Tintel Signed-off-by: Eneas U de Queiroz --- There's an error on one architecture, and all others work fine without this, so I'm uneasy changing this and then breaking stuff that was working fine otherwise. However, it feels wrong to me to generate PIC code from C files, but not use it in asm sources, which is essentially what I am changing here. I've looked at asm sources for different chitectures, and there are checks for PIC in: arm64, arm, x86_64, x86, and ppc asm sources, but the error only appears on x86_64. For most CPUs, ifdef(`PIC'), is just used to do different definitions of LEA (Load Effective Address). However, both x86 and x86_64 have many other checks. I've looked at bdiv_q_1.asm for different CPUs, and they all do some form of LEA(binvert_limb_table), except for x86, where it will do it only when PIC is defined. That may explain why x86_64 is affected, and x86 is not. I have not investigated further details. Alternatively, we can define it only for x86_64, which is where we know there's a build failure with the linker asking to recompile with -fPIC. package/libs/gmp/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/gmp/Makefile b/package/libs/gmp/Makefile index eb7d808139..d59e8fe947 100644 --- a/package/libs/gmp/Makefile +++ b/package/libs/gmp/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gmp PKG_VERSION:=6.2.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)$(PKG_REVISION).tar.xz PKG_SOURCE_URL:=@GNU/gmp/ @@ -38,7 +38,7 @@ define Package/libgmp/description signed integers, rational numbers, and floating point numbers. endef -TARGET_CFLAGS += $(FPIC) +TARGET_CFLAGS += -DPIC $(FPIC) CONFIGURE_VARS += CC="$(TARGET_CROSS)gcc" CONFIGURE_ARGS += \ --enable-shared \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] gmp: compile with -DPIC to use correct asm code
On Fri, Mar 19, 2021 at 5:08 PM Philip Prindeville wrote: > > > Maybe I'm missing something, but why not just fix rules.mk: > > > ifneq (,$(findstring $(ARCH) , aarch64 aarch64_be powerpc )) > FPIC:=-fPIC > else > FPIC:=-fpic > endif > > HOST_FPIC:=-fPIC > > > To have the FPIC and HOST_FPIC definitions include -DPIC? I think it would be the proper way to handle this. I was initially fearful of changing too much and breaking things, but I think it should be expected behaviour. What else would you use a 'PIC' definition for? I will resend a patch changing rules.mk instead. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] openssl: don't rename a file with quilt
Hi Rosen This patch does not apply as is, but don't write a v2 yet. I'm testing the bump to 1.1.1k, and I'll handle it from there, by using --no-renames with git format-patch. I'm maintaining the patches at https://github.com/cotequeiroz/openssl, and refreshing backports with git is much easier than with quilt. See comments below, as your patchset breaks compilation with QUILT. On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev wrote: > > quilt cannot handle file renames and ends up duplicating the file. > Instead of doing that, handle the renaming in the Makefile so that > the upstream file can change. > > Signed-off-by: Rosen Penev > --- > package/libs/openssl/Makefile |7 + > ...o-make-the-dev-crypto-engine-dynamic.patch | 2633 + > ...default-to-not-use-digests-in-engine.patch |4 +- > ...to-ignore-error-when-closing-session.patch |4 +- > 4 files changed, 151 insertions(+), 2497 deletions(-) > > diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile > index 436abfd94c..f3113cab6e 100644 > --- a/package/libs/openssl/Makefile > +++ b/package/libs/openssl/Makefile > @@ -324,6 +324,13 @@ OPENSSL_TARGET:=linux-$(call > qstrip,$(CONFIG_ARCH))-openwrt > > STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | > mkhash md5) > > +define Build/Prepare > + $(call Build/Prepare/Default) > +ifeq ($(QUILT),) > + mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c > $(PKG_BUILD_DIR)/engines/e_devcrypto.c > +endif This will break compilation with QUILT, as the rename will never happen then. You're using this strategy with other packages, so I won't mention them individually, but this applies to all. I would handle it at the patch level by removing the old file and creating the new one. Alternatively, you can keep your strategy, adding the rename with QUILT in Build/Configure, with the caveat that it will run every time compile is called, so you'll need to ignore an eventual error, and make sure that the original file was not recreated somewhere in the build process by a previous compile run, which would clobber the patched file. Cheers ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] openssl: bump to 1.1.1k
This version fixes 2 security vulnerabilities, among other changes:
- CVE-2021-3450: problem with verifying a certificate chain when using
the X509_V_FLAG_X509_STRICT flag.
- CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client.
Signed-off-by: Eneas U de Queiroz
---
This was run-tested on WRT3200ACM (mvebu, armv7), using nginx, and
openssl util to encrypt & decrypt some files using software and the
devcrypto engine, since there have been some changes in the engine,
related to BSD compatibility, when opening the /dev/crypto device.
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 436abfd94c..7ab4c6ccd0 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_BASE:=1.1.1
-PKG_BUGFIX:=j
+PKG_BUGFIX:=k
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
@@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/
-PKG_HASH:=aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf
+PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5
PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
diff --git
a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
index 71dc5bf99b..ea3f8fb8a7 100644
---
a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+++
b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
@@ -116,7 +116,7 @@ diff --git a/crypto/engine/eng_devcrypto.c
b/engines/e_devcrypto.c
similarity index 95%
rename from crypto/engine/eng_devcrypto.c
rename to engines/e_devcrypto.c
-index 0d420e50aa..3fcd81de7a 100644
+index 2c1b52d572..eff1ed3a7d 100644
--- a/crypto/engine/eng_devcrypto.c
+++ b/engines/e_devcrypto.c
@@ -7,7 +7,7 @@
@@ -152,22 +152,6 @@ index 0d420e50aa..3fcd81de7a 100644
/*
* cipher/digest status & acceleration definitions
-@@ -341,6 +343,7 @@ static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int
p1, void* p2)
- struct cipher_ctx *to_cipher_ctx;
-
- switch (type) {
-+
- case EVP_CTRL_COPY:
- if (cipher_ctx == NULL)
- return 1;
-@@ -702,7 +705,6 @@ static int digest_init(EVP_MD_CTX *ctx)
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
- }
--
- return 1;
- }
-
@@ -1058,7 +1060,7 @@ static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, "
OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE)
@@ -177,7 +161,7 @@ index 0d420e50aa..3fcd81de7a 100644
ENGINE_CMD_FLAG_NUMERIC},
#endif
-@@ -1166,55 +1168,70 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i,
void *p, void (*f) (void))
+@@ -1166,32 +1168,22 @@ static int devcrypto_ctrl(ENGINE *e, int cmd, long i,
void *p, void (*f) (void))
*
*/
@@ -201,10 +185,12 @@ index 0d420e50aa..3fcd81de7a 100644
+static int open_devcrypto(void)
{
-ENGINE *e = NULL;
+ int fd;
+
+if (cfd >= 0)
+return 1;
-
- if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
++
+ if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
#ifndef ENGINE_DEVCRYPTO_DEBUG
if (errno != ENOENT)
#endif
@@ -213,6 +199,19 @@ index 0d420e50aa..3fcd81de7a 100644
+return 0;
}
+ #ifdef CRIOGET
+@@ -1199,35 +1191,61 @@ void engine_load_devcrypto_int()
+ fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
+ close(fd);
+ cfd = -1;
+-return;
++return 0;
+ }
+ close(fd);
+ #else
+ cfd = fd;
+ #endif
+
-if ((e = ENGINE_new()) == NULL
-|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
-ENGINE_free(e);
@@ -278,7 +277,7 @@ index 0d420e50aa..3fcd81de7a 100644
/*
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
* implementations, it seems to only exist in FreeBSD, and regarding the
-@@ -1237,23 +1254,36 @@ void engine_load_devcrypto_int()
+@@ -1250,23 +1268,36 @@ void engine_load_devcrypto_int()
*/
#if 0
# ifndef OPENSSL_NO_RSA
@@ -324,7 +323,7 @@ index 0d420e50aa..3fcd81de7a 100644
ENGINE_free(e);
return;
}
-@@ -1262,3 +1292,22 @@ void engine_load_devcrypto_int()
+@@ -1275,3 +1306,22 @@ void engine_load_devcrypto_int()
ENGINE_free(e); /* Loose our local reference */
ERR_clear_error();
}
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[RFC PATCH] openssl: make the patches QUILT-friendly
The patches in this package are all made by git format-patches. If one
were to run 'make package/openssl/{refresh,update}', then things will
not work as expected, because quilt QUILT does not deal well with
patches that rename files. For openssl, the problematic patch is
430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch.
So, I've generated a new patch with 'git format-patch --no-renames', and
then 'make package/openssl/{refresh,update}'.
Signed-off-by: Eneas U de Queiroz
---
While I really prefer to leave the git-formatted patches as they are, I
know quilt is the preferred way of handling patches in OpenWRT, so I'm
presenting this as RFC, so the core developers can decide.
ldir has made a similar commit e27ef2da0d, and then reverted it right away
in bbb9c1c2be, and I don't know why.
neheb proposed a patch [1] that does the file renaming in Build/Prepare, so
that it is easier to use quilt while refreshing patches after a package
bump. It has an undesirable side-effect of not running the renaming
portion at all when using QUILT, resulting in a build failure.
Some packages in the packages feed are skipping build steps when running
with QUILT, to speed up automatic refresh of patches, and I've been
fixing them as I stumble upon some of the failures.
At least to me, being able to quickly build with QUILT=1, without having
to start from scratch and go through dependencies is an immensively
useful feature that I would not trade for having tidier patches.
For this package, one could rename the files in Build/Configure when
compiling with QUILT without a problem. So, if desired, it could be
done neheb's way instead.
In my opinion, QUILT is not particularly useful for rebasing large
changes, such as the engine patches here. So even if neheb's proposal
has a nice intention, it is not appropriate for this package.
If the motivation is just to run make package/openssl/{refresh,update},
perhaps automatically to keep patches tidy, then this patch will
suffice.
Cheers,
Eneas
[1]
https://patchwork.ozlabs.org/project/openwrt/patch/20210326092548.14019-1-ros...@gmail.com/
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 7ab4c6ccd0..458b064f13 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=k
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 98944103b5..2ae5938bdc 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -1,4 +1,4 @@
-From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
+From 000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Thu, 27 Sep 2018 08:29:21 -0300
Subject: Do not use host kernel version to disable AFALG
@@ -8,11 +8,9 @@ version to disable building the AFALG engine on openwrt
targets.
Signed-off-by: Eneas U de Queiroz
-diff --git a/Configure b/Configure
-index 5a699836f3..74d057c219 100755
--- a/Configure
+++ b/Configure
-@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
+@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtra
unless ($disabled{afalgeng}) {
$config{afalgeng}="";
diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch
b/package/libs/openssl/patches/110-openwrt_targets.patch
index d0530b4661..50a9ebe2d6 100644
--- a/package/libs/openssl/patches/110-openwrt_targets.patch
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -1,4 +1,4 @@
-From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
+From 0000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Thu, 27 Sep 2018 08:30:24 -0300
Subject: Add openwrt targets
@@ -7,9 +7,6 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt
Signed-off-by: Eneas U de Queiroz
-diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
-new file mode 100644
-index 00..86a86d31e4
--- /dev/null
+++ b/Configurations/25-openwrt.conf
@@ -0,0 +1,48 @@
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
index 7faec9ab88..90282706d1 100644
--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -1,4 +1,4 @@
-From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
+From 0000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Thu, 27 Sep 2018 08:31:38 -0300
Subj
Re: [PATCH] openssl: don't rename a file with quilt
On Fri, Mar 26, 2021 at 4:28 PM Rosen Penev wrote:
>
> On Fri, Mar 26, 2021 at 5:55 AM Eneas U de Queiroz
> wrote:
> >
> > On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev wrote:
> > > +ifeq ($(QUILT),)
> > > + mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c
> > > $(PKG_BUILD_DIR)/engines/e_devcrypto.c
> > > +endif
> >
> > This will break compilation with QUILT, as the rename will never
> > happen then. You're using this strategy with other packages, so I
> > won't mention them individually, but this applies to all.
> > I would handle it at the patch level by removing the old file and
> > creating the new one.
> It doesn't break quilt as the rename happens separately. Note that the
> patches were modified to refer to the old name.
It breaks 'make package/openssl/compile QUILT=1', because the 'mv'
command will never run when QUILT is not empty. You can't run the
'mv' line with quilt because the patches are not applied in
Build/Prepare. However, you must ensure it is run later, or the
package will not compile with QUILT=1. I can point you to
openwrt/packages#14894 to see why you can't just skip running stuff
when QUILT is defined.
> >
> > Alternatively, you can keep your strategy, adding the rename with
> > QUILT in Build/Configure, with the caveat that it will run every time
> > compile is called, so you'll need to ignore an eventual error, and
> > make sure that the original file was not recreated somewhere in the
> > build process by a previous compile run, which would clobber the
> > patched file.
> I haven't seen any issues. Locally I run make package/x/{clean,refresh}
make package/openssl/compile V=sc QUILT=1
...
make[4]: *** No rule to make target 'engines/e_devcrypto.c', needed by
'engines/e_devcrypto.o'. Stop.
BTW, I imagine you don't build with QUILT=1 much, do you?
make -j4 package/openssl/compile
make[2]: Entering directory '/home/equeiroz/src/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/equeiroz/src/openwrt/scripts/config'
make[1] package/openssl/compile
make[2] -C package/libs/toolchain compile
make[2] -C package/libs/zlib compile
make[2] -C package/firmware/prism54-firmware compile
make[2] -C package/firmware/linux-firmware compile
make[2] -C package/kernel/linux compile
make[2] -C package/kernel/cryptodev-linux compile
make[2] -C package/libs/openssl compile
make -j4 package/openssl/compile QUILT=1
make[2]: Entering directory '/home/equeiroz/src/openwrt/scripts/config'
make[2]: 'conf' is up to date.
make[2]: Leaving directory '/home/equeiroz/src/openwrt/scripts/config'
make[1] package/openssl/compile
make[2] -C package/libs/openssl compile
It does not check dependencies every time you call compile. Try make
package/seafile-server/compile for some fun.
Cheers,
Eneas
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] openssl: don't rename a file with quilt
On Fri, Mar 26, 2021 at 6:57 PM Felix Fietkau wrote: > I fully agree with Eneas here (though I don't like his patch for this > issue either). This is the first time I wrote a patch I do NOT want to be applied. I just want to keep the status quo. > Here's a way to fix this: > > include/package-defaults.mk has this: > > define Build/Prepare/Default > $(PKG_UNPACK) > [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR) > $(Build/Patch) > endef However, this is run before the patches are even applied when QUILT=1. $(Build/Patch) just builds the quilt patch tree. A much simpler solution, if we are really going to change the patches, is to just $(CP) the file in Build/Configure. If we move it--no matter where--then we can't go back and forth with quilt push & pop, which would hinder its usefulness. > > You can adjust it to define this in the package Makefile: > > define Build/Prepare > $(PKG_UNPACK) > [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR) > mv $(PKG_BUILD_DIR)/crypto/engine/eng_devcrypto.c > $(PKG_BUILD_DIR)/engines/e_devcrypto.c > $(Build/Patch) > endef > > - Felix ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [RFC PATCH] openssl: make the patches QUILT-friendly
On Fri, Mar 26, 2021 at 7:35 PM Kevin 'ldir' Darbyshire-Bryant wrote: > > ... I was also frustrated that there was patch fuzz in the tree on a fairly > core package - that really shouldn’t be the case. My apologies. I work in a clone of the openssl git repo, rebasing the changes on top of the current version. I always look at the diffs before sending the patch to openwrt. If they were just line changes, I wouldn't bother to touch the patch, in order to minimize changes. I'll revise my approach and change the files no matter what. Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: OpenWrt 21.02-rc1
On Tue, Apr 6, 2021 at 7:30 PM Hauke Mehrtens wrote: > > Hi, > > How do we want to go forward with OpenWrt 21.02-rc1? > > * I think the base system is ok. > * The http (original wolfssl) problem reported by jow is fixed > * LuCI in the 21.02 branch still misses DSA support, this was merged > into master some time ago as far as I understood. Hi I would suggest to have some commits cherry-picked to 21.02: 920eaab1d8 kernel: DSA roaming fix for Marvell mv88e6xxx af22991e03 build: make sure asm gets built with -DPIC I consider the first commit critical: without it clients get disconnected for 5 minutes when roaming from an affected AP (Omnia, WRT3200, among others) WLAN port to a LAN port (roaming between LAN-connected APs, for example). The second one is needed to build strongswan for x86_64 [1]. The support commits have already been pushed to the 21.02 branch of the packages feed. Eneas [1] https://downloads.openwrt.org/releases/faillogs-21.02/x86_64/packages/strongswan/compile.txt ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] ustream-ssl: update to 2019-06-24
This adds chacha20-poly1305 support to the mbedtls variant. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/ustream-ssl/Makefile b/package/libs/ustream-ssl/Makefile index a15f3d8ab8..ca9ad5d98b 100644 --- a/package/libs/ustream-ssl/Makefile +++ b/package/libs/ustream-ssl/Makefile @@ -5,9 +5,9 @@ PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git -PKG_SOURCE_DATE:=2018-07-30 -PKG_SOURCE_VERSION:=23a3f2830341acd1db149175baf7315a33bd0edb -PKG_MIRROR_HASH:=289bef5dac684015b6a40cfd72cf1c8c297bb77cf2efd54e562b628ba3afd83d +PKG_SOURCE_DATE:=2019-06-24 +PKG_SOURCE_VERSION:=738e8d2489fc64f782affd1292388c66f6d69e82 +PKG_MIRROR_HASH:=29e69fce0a334746ed3a68d27f5ca5bffbfc144d04329335be47983fdd7cbdfd CMAKE_INSTALL:=1 PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_SOURCE_SUBDIR) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 1/3] wolfssl: update to 3.15.7, fix Makefile
This includes a fix for a medium-level potential cache attack with a variant of Bleichenbacher’s attack. Patches were refreshed. Fixed poly1305 build option, and made some Makefile updates. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 50b0bb9cdf..4aa163b361 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -53,7 +53,7 @@ config WOLFSSL_HAS_ECC25519 depends on WOLFSSL_HAS_ECC default n -config WOLFSSL_HAS_POLY_1305 +config WOLFSSL_HAS_POLY1305 bool "Include Poly-1305 support" default n diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 23bb1c5220..d96dbea323 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,11 +8,10 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=3.15.3-stable -PKG_RELEASE:=2 +PKG_VERSION:=3.15.7-stable +PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip -# PKG_SOURCE_URL:=https://www.wolfssl.com/ +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a @@ -20,15 +19,16 @@ PKG_FIXUP:=libtool PKG_INSTALL:=1 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 -PKG_LICENSE:=GPL-2.0+ -PKG_CPE_ID:=cpe:/a:yassl:cyassl +PKG_LICENSE:=GPL-2.0-or-later +PKG_LICENSE_FILES:=LICENSING COPYING +PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl PKG_CONFIG_DEPENDS:=\ CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \ CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \ CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \ - CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY_1305 \ + CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY1305 \ CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \ CONFIG_WOLFSSL_HAS_WPAS @@ -42,7 +42,7 @@ define Package/libwolfssl URL:=http://www.wolfssl.com/ MENU:=1 PROVIDES:=libcyassl - ABI_VERSION:=18 + ABI_VERSION:=19 endef define Package/libwolfssl/description diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index d913b5fdea..8a51434633 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -1624,7 +1624,7 @@ extern void uITRON4_free(void *p) ; +@@ -1759,7 +1759,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ @@ -8,4 +8,4 @@ +#if 0 #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \ (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \ - (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS)) + (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS) && \ diff --git a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch index 66582cfc46..6b0861288f 100644 --- a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch +++ b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -4198,7 +4198,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta +@@ -4614,7 +4614,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta AC_CONFIG_FILES([Makefile wolfssl/version.h wolfssl/options.h cyassl/options.h support/wolfssl.pc rpm/spec]) AX_CREATE_GENERIC_CONFIG ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 0/3] wolfssl update
This series updates wolfssl to version 3.15.7, which includes a security fix. Many of the build options were not being used, and are always built into the library because of an uncondition --enable-stunnel option, so they can be removed. Since they were selected by hostapd, they are being removed there as well. The hostapd change includes the removal of the selection of the library itself, allowing the package to be built as a module. This version adds support to hardware acceleration using /dev/crypto and AF_ALG. The library was run-tested on WRT-3200ACM using uhttpd with different options, turning them on one by one cumulatively. The size varied from 226K with all options off, to 309K with all options. Enabling hardware acelleration and AES-CCM at the same time results in a build failure, which dents my confidence in them. Nonetheless, uhttpd connects without a problem, and I can confirm /dev/crypto or AF_ALG sockets open. The package currently lacks a maintainer, so I've added myself. I've split the changes in 3 commits: one just with the version bump and some minor Makefile changes; a second big one, more prone to trouble, and the third one adjusting removed wolfssl options in hostapd. Eneas U de Queiroz (3): wolfssl: update to 3.15.7, fix Makefile wolfssl: reorganize, add build options hostapd: adjust removed wolfssl options package/libs/wolfssl/Config.in| 53 +--- package/libs/wolfssl/Makefile | 122 +- .../patches/100-disable-hardening-check.patch | 4 +- .../900-remove-broken-autoconf-macros.patch | 2 +- package/network/services/hostapd/Config.in| 4 - 5 files changed, 70 insertions(+), 115 deletions(-) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 3/3] hostapd: adjust removed wolfssl options
From: Eneas U de Queiroz This adjusts the selection of recently removed wolfssl options which have always been built into the library even in their absence. Also remove the selection of libwolfssl itself, allowing the library to be built as a module. Signed-off-by: Eneas U de Queiroz diff --git a/package/network/services/hostapd/Config.in b/package/network/services/hostapd/Config.in index 1966067219..9ce4b243cc 100644 --- a/package/network/services/hostapd/Config.in +++ b/package/network/services/hostapd/Config.in @@ -51,15 +51,11 @@ config WPA_WOLFSSL PACKAGE_wpad-wolfssl ||\ PACKAGE_wpad-mesh-wolfssl ||\ PACKAGE_eapol-test-wolfssl - select PACKAGE_libwolfssl select WOLFSSL_HAS_AES_CCM select WOLFSSL_HAS_AES_GCM select WOLFSSL_HAS_ARC4 - select WOLFSSL_HAS_DES3 select WOLFSSL_HAS_DH - select WOLFSSL_HAS_ECC select WOLFSSL_HAS_OCSP - select WOLFSSL_HAS_PSK select WOLFSSL_HAS_SESSION_TICKET select WOLFSSL_HAS_WPAS ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 2/3] wolfssl: reorganize, add build options
Removed options that can't be turned off because we're building with --enable-stunnel, some of which affect hostapd's Config.in. Adjusted the title of OCSP option, as OCSP itself can't be turned off, only the stapling part is selectable. Mark options turned on when wpad support is selected. Add building options for TLS 1.0 and TLS 1.3. Add hardware crypto support, which due to a bug, only works when CCM support is turned off. Reorganized option conditionals in Makefile. Add Eneas U de Queiroz as maintainer. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 4aa163b361..711b789f6e 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -8,12 +8,8 @@ config WOLFSSL_HAS_AES_GCM bool "Include AES-GCM support" default y -config WOLFSSL_HAS_CHACHA - bool "Include ChaCha cipher suite support" - default n - -config WOLFSSL_HAS_ECC - bool "Include ECC (Elliptic Curve Cryptography) support" +config WOLFSSL_HAS_CHACHA_POLY + bool "Include ChaCha20-Poly1305 cipher suite support" default y config WOLFSSL_HAS_DH @@ -24,13 +20,18 @@ config WOLFSSL_HAS_ARC4 bool "Include ARC4 support" default y -config WOLFSSL_HAS_DES3 - bool "Include DES3 (Tripple-DES) support" +config WOLFSSL_HAS_TLSV10 + bool "Include TLS 1.0 support" default y -config WOLFSSL_HAS_PSK - bool "Include PKS (Pre Share Key) support" - default y +if !(WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY) + comment "! TLS 1.3 support needs one of: AES-CCM, AES-GCM, ChaCha20-Poly1305" +endif + +config WOLFSSL_HAS_TLSV13 + bool "Include TLS 1.3 support" + depends on WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY + default n config WOLFSSL_HAS_SESSION_TICKET bool "Include session ticket support" @@ -41,20 +42,40 @@ config WOLFSSL_HAS_DTLS default n config WOLFSSL_HAS_OCSP - bool "Include OSCP support" + bool "Include OSCP stapling support" default y config WOLFSSL_HAS_WPAS bool "Include wpa_supplicant support" + select WOLFSSL_HAS_ARC4 + select WOLFSSL_HAS_OCSP + select WOLFSSL_HAS_SESSION_TICKET default y config WOLFSSL_HAS_ECC25519 bool "Include ECC Curve 22519 support" - depends on WOLFSSL_HAS_ECC default n -config WOLFSSL_HAS_POLY1305 - bool "Include Poly-1305 support" - default n +if WOLFSSL_HAS_AES_CCM + comment "! Hardware Acceleration does not build with AES-CCM enabled" +endif +if !WOLFSSL_HAS_AES_CCM + choice + prompt "Hardware Acceleration" + default WOLFSSL_HAS_NO_HW + + config WOLFSSL_HAS_NO_HW + bool "None" + + config WOLFSSL_HAS_AFALG + bool "AF_ALG" + + config WOLFSSL_HAS_DEVCRYPTO_AES + bool "/dev/crypto - AES-only" + + config WOLFSSL_HAS_DEVCRYPTO_FULL + bool "/dev/crypto - full" + endchoice +endif endif diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index d96dbea323..77a5f9d8fd 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -13,7 +13,7 @@ PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a +PKG_HASH:=70e4fbeb91284a269b25a84fc526755c670475aee4034a6f237b1f754d108af3 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -21,15 +21,17 @@ PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=LICENSING COPYING +PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl PKG_CONFIG_DEPENDS:=\ CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \ - CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \ - CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ - CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \ - CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY1305 \ - CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \ + CONFIG_WOLFSSL_HAS_AFALG CONFIG_WOLFSSL_HAS_ARC4 \ + CONFIG_WOLFSSL_HAS_CHACHA_POLY CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \ + CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL, CONFIG_WOLFSSL_HAS_DH \ + CONFIG_WOLFSSL_HAS_DTLS CONFIG_WOLFSSL_HAS_ECC25519 \ + CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_SESSION_TICKET \ + CONFIG_WOLFSSL_HAS_TLSV10 CONFIG_WOLFSSL_HAS_TLSV13 \ CONFIG_WOLFSSL_HA
[OpenWrt-Devel] [PATCH v2 0/3] wolfssl update
This series starts with an update to version 3.15.7, which includes a security fix, and should be cherry-picked to 19.07. I'm not cherry-picking it to 18.06 because it changes ABI, and it would cause package breakage because 18.06 is not ABI version-aware. I've increased the FP_MAX_BITS parameter to 8192, to allow usage of 4096-bit RSA keys. Otherwise it would fail to verify many CA certificates that use 4096-bit keys, including Microsoft's. Update master to 4.0.0. This version adds support to TLS 1.3, hardware acceleration using /dev/crypto and AF_ALG. The features were added in 3.15.7, but only enabled here in 4.0.0. Many of the current build options were not effective, they were always built into the library because of an unconditional --enable-stunnel parameter to configure, so they can be removed. Since hostapd selected some of these options, they are being removed there as well. The hostapd change includes the removal of the selection of the library itself, allowing libwolfssl to be built as a module when hostapd depends on it, and is built as a module. I've ensured dependent packages are successfully built with this version, opening a couple of PRs in the packages feed. They had been broken for a while now, which makes me wonder how many people are actually using wolfssl today. Nonetheless, a TLS library supporting hw crypto acceleration and TLS 1.3 under 300KB seems interesting. The library was run-tested on WRT-3200ACM using uhttpd, uclient-fetch, and curl with different build options, turning them on one by one cumulatively. The size varied from 227K with all options off, to 312K with all options on, and defaults to 297K. Enabling hardware acelleration and AES-CCM at the same time results in a build failure, which dents my confidence. Nonetheless, uhttpd connects without a problem, and I can confirm /dev/crypto or AF_ALG sockets open. The package currently lacks a maintainer, so I've added myself. -- Changelog: v1->v2: * Increased FP_MAX_BITS to allow 4096-bit RSA keys. * Update master to 4.0.0 Eneas U de Queiroz (3): wolfssl: update to 3.15.7, fix Makefile wolfssl: update to 4.0.0-stable hostapd: adjust removed wolfssl options package/libs/wolfssl/Config.in| 51 --- package/libs/wolfssl/Makefile | 124 +- .../patches/100-disable-hardening-check.patch | 4 +- .../101-AR-flags-configure-update.patch | 23 .../900-remove-broken-autoconf-macros.patch | 2 +- package/network/services/hostapd/Config.in| 4 - 6 files changed, 70 insertions(+), 138 deletions(-) delete mode 100644 package/libs/wolfssl/patches/101-AR-flags-configure-update.patch ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH v2 1/3] wolfssl: update to 3.15.7, fix Makefile
This includes a fix for a medium-level potential cache attack with a variant of Bleichenbacher’s attack. Patches were refreshed. Increased FP_MAX_BITS to allow 4096-bit RSA keys. Fixed poly1305 build option, and some Makefile updates. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 50b0bb9cdf..4aa163b361 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -53,7 +53,7 @@ config WOLFSSL_HAS_ECC25519 depends on WOLFSSL_HAS_ECC default n -config WOLFSSL_HAS_POLY_1305 +config WOLFSSL_HAS_POLY1305 bool "Include Poly-1305 support" default n diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 23bb1c5220..7aaa562539 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,11 +8,10 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=3.15.3-stable -PKG_RELEASE:=2 +PKG_VERSION:=3.15.7-stable +PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip -# PKG_SOURCE_URL:=https://www.wolfssl.com/ +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a @@ -20,15 +19,16 @@ PKG_FIXUP:=libtool PKG_INSTALL:=1 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 -PKG_LICENSE:=GPL-2.0+ -PKG_CPE_ID:=cpe:/a:yassl:cyassl +PKG_LICENSE:=GPL-2.0-or-later +PKG_LICENSE_FILES:=LICENSING COPYING +PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl PKG_CONFIG_DEPENDS:=\ CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \ CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \ CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \ - CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY_1305 \ + CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY1305 \ CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \ CONFIG_WOLFSSL_HAS_WPAS @@ -42,7 +42,7 @@ define Package/libwolfssl URL:=http://www.wolfssl.com/ MENU:=1 PROVIDES:=libcyassl - ABI_VERSION:=18 + ABI_VERSION:=19 endef define Package/libwolfssl/description @@ -54,7 +54,7 @@ define Package/libwolfssl/config source "$(SOURCE)/Config.in" endef -TARGET_CFLAGS += $(FPIC) +TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index d913b5fdea..8a51434633 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -1624,7 +1624,7 @@ extern void uITRON4_free(void *p) ; +@@ -1759,7 +1759,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ @@ -8,4 +8,4 @@ +#if 0 #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \ (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \ - (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS)) + (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS) && \ diff --git a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch index 66582cfc46..6b0861288f 100644 --- a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch +++ b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -4198,7 +4198,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta +@@ -4614,7 +4614,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta AC_CONFIG_FILES([Makefile wolfssl/version.h wolfssl/options.h cyassl/options.h support/wolfssl.pc rpm/spec]) AX_CREATE_GENERIC_CONFIG ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH v2 3/3] hostapd: adjust removed wolfssl options
This edjusts the selection of recently removed wolfssl options which have always been built into the library even in their abscence. Also remove the selection of libwolfssl itself, allowing the library to be built as a module. Signed-off-by: Eneas U de Queiroz diff --git a/package/network/services/hostapd/Config.in b/package/network/services/hostapd/Config.in index 1966067219..9ce4b243cc 100644 --- a/package/network/services/hostapd/Config.in +++ b/package/network/services/hostapd/Config.in @@ -51,15 +51,11 @@ config WPA_WOLFSSL PACKAGE_wpad-wolfssl ||\ PACKAGE_wpad-mesh-wolfssl ||\ PACKAGE_eapol-test-wolfssl - select PACKAGE_libwolfssl select WOLFSSL_HAS_AES_CCM select WOLFSSL_HAS_AES_GCM select WOLFSSL_HAS_ARC4 - select WOLFSSL_HAS_DES3 select WOLFSSL_HAS_DH - select WOLFSSL_HAS_ECC select WOLFSSL_HAS_OCSP - select WOLFSSL_HAS_PSK select WOLFSSL_HAS_SESSION_TICKET select WOLFSSL_HAS_WPAS ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH v2 2/3] wolfssl: update to 4.0.0-stable
Removed options that can't be turned off because we're building with --enable-stunnel, some of which affect hostapd's Config.in. Adjusted the title of OCSP option, as OCSP itself can't be turned off, only the stapling part is selectable. Mark options turned on when wpad support is selected. Add building options for TLS 1.0, and TLS 1.3. Add hardware crypto support, which due to a bug, only works when CCM support is turned off. Reorganized option conditionals in Makefile. Add Eneas U de Queiroz as maintainer. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 4aa163b361..875ff5e6a3 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -8,12 +8,8 @@ config WOLFSSL_HAS_AES_GCM bool "Include AES-GCM support" default y -config WOLFSSL_HAS_CHACHA - bool "Include ChaCha cipher suite support" - default n - -config WOLFSSL_HAS_ECC - bool "Include ECC (Elliptic Curve Cryptography) support" +config WOLFSSL_HAS_CHACHA_POLY + bool "Include ChaCha20-Poly1305 cipher suite support" default y config WOLFSSL_HAS_DH @@ -24,12 +20,17 @@ config WOLFSSL_HAS_ARC4 bool "Include ARC4 support" default y -config WOLFSSL_HAS_DES3 - bool "Include DES3 (Tripple-DES) support" +config WOLFSSL_HAS_TLSV10 + bool "Include TLS 1.0 support" default y -config WOLFSSL_HAS_PSK - bool "Include PKS (Pre Share Key) support" +if !(WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY) + comment "! TLS 1.3 support needs one of: AES-CCM, AES-GCM, ChaCha20-Poly1305" +endif + +config WOLFSSL_HAS_TLSV13 + bool "Include TLS 1.3 support" + depends on WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY default y config WOLFSSL_HAS_SESSION_TICKET @@ -41,20 +42,40 @@ config WOLFSSL_HAS_DTLS default n config WOLFSSL_HAS_OCSP - bool "Include OSCP support" + bool "Include OSCP stapling support" default y config WOLFSSL_HAS_WPAS bool "Include wpa_supplicant support" + select WOLFSSL_HAS_ARC4 + select WOLFSSL_HAS_OCSP + select WOLFSSL_HAS_SESSION_TICKET default y config WOLFSSL_HAS_ECC25519 bool "Include ECC Curve 22519 support" - depends on WOLFSSL_HAS_ECC default n -config WOLFSSL_HAS_POLY1305 - bool "Include Poly-1305 support" - default n +if WOLFSSL_HAS_AES_CCM + comment "! Hardware Acceleration does not build with AES-CCM enabled" +endif +if !WOLFSSL_HAS_AES_CCM + choice + prompt "Hardware Acceleration" + default WOLFSSL_HAS_NO_HW + + config WOLFSSL_HAS_NO_HW + bool "None" + + config WOLFSSL_HAS_AFALG + bool "AF_ALG" + + config WOLFSSL_HAS_DEVCRYPTO_AES + bool "/dev/crypto - AES-only" + + config WOLFSSL_HAS_DEVCRYPTO_FULL + bool "/dev/crypto - full" + endchoice +endif endif diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 7aaa562539..678eb4936b 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=3.15.7-stable +PKG_VERSION:=4.0.0-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a +PKG_HASH:=6cf678c72b485d1904047c40c20f85104c96b5f39778822783a2c407ccb23657 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -21,15 +21,17 @@ PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=LICENSING COPYING +PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl PKG_CONFIG_DEPENDS:=\ CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \ - CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \ - CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ - CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \ - CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY1305 \ - CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \ + CONFIG_WOLFSSL_HAS_AFALG CONFIG_WOLFSSL_HAS_ARC4 \ + CONFIG_WOLFSSL_HAS_CHACHA_POLY CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \ + CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL, CONFIG_WOLFSSL_HAS_DH \ + CONFIG_WOLFSSL_HAS_DTLS CONFIG_WOLFSSL_HAS_ECC25519 \ + CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_SESSION_TICKET \ + CONFIG_WOLFSSL_HAS_TLSV10 CONFIG_WOLFSSL_H
[OpenWrt-Devel] [PATCH] wolfssl: fix PKG_HASH
Commit 3167a57 missed it. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 7aaa562539..264be02496 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -13,7 +13,7 @@ PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a +PKG_HASH:=70e4fbeb91284a269b25a84fc526755c670475aee4034a6f237b1f754d108af3 PKG_FIXUP:=libtool PKG_INSTALL:=1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 0/2] Remove eglibc remnants
I've found some remnants from eglibc, removed by 64da662 in Feb/2016. While at it, I stumbled upon a case statement with redundant commands, so I've simplified it as well. Eneas U de Queiroz (2): libs/toolchain: remove eglibc remnant file target/toolchain/files/wrapper.sh: simplify 'case' .../libs/toolchain/eglibc-files/etc/nsswitch.conf | 13 - target/toolchain/files/wrapper.sh | 10 +- 2 files changed, 1 insertion(+), 22 deletions(-) delete mode 100644 package/libs/toolchain/eglibc-files/etc/nsswitch.conf ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 1/2] libs/toolchain: remove eglibc remnant file
This removes package/libs/toolchain/eglibc-files/etc/nsswitch.conf. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/toolchain/eglibc-files/etc/nsswitch.conf b/package/libs/toolchain/eglibc-files/etc/nsswitch.conf deleted file mode 100644 index 981c425da6..00 --- a/package/libs/toolchain/eglibc-files/etc/nsswitch.conf +++ /dev/null @@ -1,13 +0,0 @@ -passwd:files -shadow:files -group:files -hosts:dns files -bootparams:files -ethers:files -netmasks:files -networks:files -protocols:files -rpc:files -services:files -automount:files -aliases:files ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 2/2] target/toolchain/files/wrapper.sh: simplify 'case'
Removed an eglibc remnant, and while at it, grouped all of the TOOLCHAIN_PLATFORMs using the same FLAGS together. Signed-off-by: Eneas U de Queiroz diff --git a/target/toolchain/files/wrapper.sh b/target/toolchain/files/wrapper.sh index 2b760840d8..4452128382 100755 --- a/target/toolchain/files/wrapper.sh +++ b/target/toolchain/files/wrapper.sh @@ -56,15 +56,7 @@ fi # --dynamic-linker=$TOOLCHAIN_SYSROOT/lib/ld-uClibc.so.0 case $TOOLCHAIN_PLATFORM in - gnu|glibc|eglibc) - GCC_SYSROOT_FLAGS="--sysroot=$TOOLCHAIN_SYSROOT -Wl,-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib" - LD_SYSROOT_FLAGS="-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib" - ;; - uclibc) - GCC_SYSROOT_FLAGS="--sysroot=$TOOLCHAIN_SYSROOT -Wl,-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib" - LD_SYSROOT_FLAGS="-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib" - ;; - musl) + gnu|glibc|uclibc|musl) GCC_SYSROOT_FLAGS="--sysroot=$TOOLCHAIN_SYSROOT -Wl,-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib" LD_SYSROOT_FLAGS="-rpath=$TOOLCHAIN_SYSROOT/lib:$TOOLCHAIN_SYSROOT/usr/lib" ;; ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 1/1] wolfssl: bump to 4.1.0-stable
Always build AES-GCM support. Unnecessary patches were removed. This includes two vulnerability fixes: CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK extension parsing. CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used maliciously to perform a lattice based timing attack. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 875ff5e6a3..a729f73a1d 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -4,10 +4,6 @@ config WOLFSSL_HAS_AES_CCM bool "Include AES-CCM support" default y -config WOLFSSL_HAS_AES_GCM - bool "Include AES-GCM support" - default y - config WOLFSSL_HAS_CHACHA_POLY bool "Include ChaCha20-Poly1305 cipher suite support" default y @@ -24,13 +20,8 @@ config WOLFSSL_HAS_TLSV10 bool "Include TLS 1.0 support" default y -if !(WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY) - comment "! TLS 1.3 support needs one of: AES-CCM, AES-GCM, ChaCha20-Poly1305" -endif - config WOLFSSL_HAS_TLSV13 bool "Include TLS 1.3 support" - depends on WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY default y config WOLFSSL_HAS_SESSION_TICKET @@ -56,6 +47,9 @@ config WOLFSSL_HAS_ECC25519 bool "Include ECC Curve 22519 support" default n +config WOLFSSL_HAS_DEVCRYPTO + bool + if WOLFSSL_HAS_AES_CCM comment "! Hardware Acceleration does not build with AES-CCM enabled" endif @@ -72,9 +66,11 @@ if !WOLFSSL_HAS_AES_CCM config WOLFSSL_HAS_DEVCRYPTO_AES bool "/dev/crypto - AES-only" + select WOLFSSL_HAS_DEVCRYPTO config WOLFSSL_HAS_DEVCRYPTO_FULL bool "/dev/crypto - full" + select WOLFSSL_HAS_DEVCRYPTO endchoice endif diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 678eb4936b..2ad03a5aca 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.0.0-stable +PKG_VERSION:=4.1.0-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=6cf678c72b485d1904047c40c20f85104c96b5f39778822783a2c407ccb23657 +PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -25,14 +25,13 @@ PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl PKG_CONFIG_DEPENDS:=\ - CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \ - CONFIG_WOLFSSL_HAS_AFALG CONFIG_WOLFSSL_HAS_ARC4 \ - CONFIG_WOLFSSL_HAS_CHACHA_POLY CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \ - CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL, CONFIG_WOLFSSL_HAS_DH \ - CONFIG_WOLFSSL_HAS_DTLS CONFIG_WOLFSSL_HAS_ECC25519 \ - CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_SESSION_TICKET \ - CONFIG_WOLFSSL_HAS_TLSV10 CONFIG_WOLFSSL_HAS_TLSV13 \ - CONFIG_WOLFSSL_HAS_WPAS + CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AFALG \ + CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA_POLY \ + CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL \ + CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ + CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \ + CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \ + CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS include $(INCLUDE_DIR)/package.mk @@ -65,11 +64,9 @@ CONFIGURE_ARGS += \ --enable-sni \ --enable-stunnel \ --disable-examples \ - --disable-leanpsk \ - --disable-leantls \ + --disable-jobserver \ --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \ --$(if $(CONFIG_WOLFSSL_HAS_AES_CCM),enable,disable)-aesccm \ - --$(if $(CONFIG_WOLFSSL_HAS_AES_GCM),enable,disable)-aesgcm \ --$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-chacha \ --$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-poly1305 \ --$(if $(CONFIG_WOLFSSL_HAS_DH),enable,disable)-dh \ diff --git a/package/libs/wolfssl/patches/400-additional_compatibility.patch b/package/libs/wolfssl/patches/400-additional_compatibility.patch deleted file mode 100644 index 1464e9d2a8..00 --- a/package/libs/wolfssl/patches/400-additional_compatibility.patch +++ /dev/null @@ -1,12 +0,0 @@ a/cyassl/openssl/ssl.h -+++ b/cyassl/openssl/ssl.h -@@ -28,6 +28,9 @@ - #define CYASSL_OPENSSL_H_ - - #include -+#ifndef HAVE_SNI -+#undef CYASSL_SNI_HOS
[OpenWrt-Devel] [PATCH 0/1] wolfssl: bump to 4.1.0-stable
I'm requesting comments about updating this in 18.06. I'm sending this to 19.07 right away, but it won't be so easy with 18.06 because there is an ABI version change from 3.15.3 (current) to 3.15.7. Besides CVE-2019-13628, it is vulnerable to CVE-2018-16870: a variant of the Bleichenbacher attack. I've managed to backport both fixes; * CVE-2019-13628 applied cleanly; * CVE-2018-16870 needed some work. I've run the testsuite, and all tests passed. I've used gdb while running them, and could verify that the tests covered all of the changed lines, except for some of the newly added error conditions. CVE-2019-13628 is scheduled to be issued on Sep 02. So we have three choices: * update to 4.1.0-stable: we have to deal with the ABI version change. If we do nothing, then dependent packages will not work without removal and reinstallation. We can increase PKG_RELEASE for the dependent packages, some of which may be cumbersome: hostapd and ustream-ssl will either require a cumbersome subpackage bump, or have everybody else that do not use wolfssl be prompted to needlessly update their packages. * apply a custom patch that will not be so thoroughly tested. * do nothing: both vulnerabilities are timing attacks, CVE-2018-16870 is rated medium-severity. We can wait for CVE-2019-13628's final grade, but wolfssl states it "is considered difficult to exploit". Even though I'm confident the patches will not do much harm, I'm more comfortable with updating to 4.1.0 and bumping dependent subpackages. A note about the removed patches: 400-additional_compatibility.patch: I couldn't find much about the need for this; it appears to be related to SNI support, which was new at the time. I've compiled all packages that use wolfssl and found no issues with them. ustream-ssl actually defines HAVE_SNI, and I have done extensive runtime tests without any issues. 900-remove-broken-autoconf-macros.patch: this was fixed upstream, and the jobserver was disabled by ./configure --disable-jobserver. Eneas U de Queiroz (1): wolfssl: bump to 4.1.0-stable package/libs/wolfssl/Config.in| 14 --- package/libs/wolfssl/Makefile | 23 --- .../400-additional_compatibility.patch| 12 -- .../900-remove-broken-autoconf-macros.patch | 21 - 4 files changed, 15 insertions(+), 55 deletions(-) delete mode 100644 package/libs/wolfssl/patches/400-additional_compatibility.patch delete mode 100644 package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [19.07 PATCH] wolfssl: bump to 4.1.0-stable
Always build AES-GCM support. Unnecessary patches were removed. This includes two vulnerability fixes: CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK extension parsing. CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used maliciously to perform a lattice based timing attack. This brings the package up-to-date with master, so it incorporates changes from 4.0.0 in master: * Removed options that can't be turned off because we're building with --enable-stunnel, some of which affect hostapd's Config.in. * Adjusted the title of OCSP option, as OCSP itself can't be turned off, only the stapling part is selectable. * Mark options turned on when wpad support is selected. * Add building options for TLS 1.0, and TLS 1.3. * Add hardware crypto support, which due to a bug, only works when CCM support is turned off. * Reorganized option conditionals in Makefile. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 4aa163b361..a729f73a1d 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -4,16 +4,8 @@ config WOLFSSL_HAS_AES_CCM bool "Include AES-CCM support" default y -config WOLFSSL_HAS_AES_GCM - bool "Include AES-GCM support" - default y - -config WOLFSSL_HAS_CHACHA - bool "Include ChaCha cipher suite support" - default n - -config WOLFSSL_HAS_ECC - bool "Include ECC (Elliptic Curve Cryptography) support" +config WOLFSSL_HAS_CHACHA_POLY + bool "Include ChaCha20-Poly1305 cipher suite support" default y config WOLFSSL_HAS_DH @@ -24,12 +16,12 @@ config WOLFSSL_HAS_ARC4 bool "Include ARC4 support" default y -config WOLFSSL_HAS_DES3 - bool "Include DES3 (Tripple-DES) support" +config WOLFSSL_HAS_TLSV10 + bool "Include TLS 1.0 support" default y -config WOLFSSL_HAS_PSK - bool "Include PKS (Pre Share Key) support" +config WOLFSSL_HAS_TLSV13 + bool "Include TLS 1.3 support" default y config WOLFSSL_HAS_SESSION_TICKET @@ -41,20 +33,45 @@ config WOLFSSL_HAS_DTLS default n config WOLFSSL_HAS_OCSP - bool "Include OSCP support" + bool "Include OSCP stapling support" default y config WOLFSSL_HAS_WPAS bool "Include wpa_supplicant support" + select WOLFSSL_HAS_ARC4 + select WOLFSSL_HAS_OCSP + select WOLFSSL_HAS_SESSION_TICKET default y config WOLFSSL_HAS_ECC25519 bool "Include ECC Curve 22519 support" - depends on WOLFSSL_HAS_ECC default n -config WOLFSSL_HAS_POLY1305 - bool "Include Poly-1305 support" - default n +config WOLFSSL_HAS_DEVCRYPTO + bool + +if WOLFSSL_HAS_AES_CCM + comment "! Hardware Acceleration does not build with AES-CCM enabled" +endif +if !WOLFSSL_HAS_AES_CCM + choice + prompt "Hardware Acceleration" + default WOLFSSL_HAS_NO_HW + + config WOLFSSL_HAS_NO_HW + bool "None" + + config WOLFSSL_HAS_AFALG + bool "AF_ALG" + + config WOLFSSL_HAS_DEVCRYPTO_AES + bool "/dev/crypto - AES-only" + select WOLFSSL_HAS_DEVCRYPTO + + config WOLFSSL_HAS_DEVCRYPTO_FULL + bool "/dev/crypto - full" + select WOLFSSL_HAS_DEVCRYPTO + endchoice +endif endif diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 264be02496..2ad03a5aca 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=3.15.7-stable +PKG_VERSION:=4.1.0-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=70e4fbeb91284a269b25a84fc526755c670475aee4034a6f237b1f754d108af3 +PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -21,16 +21,17 @@ PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=LICENSING COPYING +PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl PKG_CONFIG_DEPENDS:=\ - CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \ - CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \ - CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ - CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_E
[OpenWrt-Devel] [RFC 18.06 PATCH 3/3] hostapd: bump wolfssl variants, adjust options
wolfssl changed ABI version, so this forces an update to hostapd. Some build options selected by hostapd are always built now, so they were removed. Signed-off-by: Eneas U de Queiroz diff --git a/package/network/services/hostapd/Config.in b/package/network/services/hostapd/Config.in index 222cfb7f13..6611958cf1 100644 --- a/package/network/services/hostapd/Config.in +++ b/package/network/services/hostapd/Config.in @@ -67,15 +67,10 @@ config WPA_WOLFSSL PACKAGE_wpad-wolfssl ||\ PACKAGE_wpad-mesh-wolfssl ||\ PACKAGE_eapol-test-wolfssl - select PACKAGE_libwolfssl select WOLFSSL_HAS_AES_CCM - select WOLFSSL_HAS_AES_GCM select WOLFSSL_HAS_ARC4 - select WOLFSSL_HAS_DES3 select WOLFSSL_HAS_DH - select WOLFSSL_HAS_ECC select WOLFSSL_HAS_OCSP - select WOLFSSL_HAS_PSK select WOLFSSL_HAS_SESSION_TICKET select WOLFSSL_HAS_WPAS diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile index b548ecdf1b..3412125d2c 100644 --- a/package/network/services/hostapd/Makefile +++ b/package/network/services/hostapd/Makefile @@ -6,6 +6,15 @@ include $(TOPDIR)/rules.mk +### NOTICE FOR THE NEXT VERSION/RELEASE BUMP. +### +# The wolfssl variants currently have a different RELEASE than the others. +# This is temporary, and was done to avoid to needlessly upgrade the rest of the +# variants. So when the next update happen, things should get back to normal. +# If this package gets a PKG_RELEASE bump, please use PKG_RELEASE:=8, and remove the +# RELEASE:=7 lines under the wolfssl variants, as well as this notice. +# If the VERSION/SOURCE_DATE gets updated, remove the notice and the RELEASE:=7 lines. + PKG_NAME:=hostapd PKG_RELEASE:=6 @@ -170,6 +179,9 @@ Package/hostapd-openssl/description = $(Package/hostapd/description) define Package/hostapd-wolfssl $(call Package/hostapd/Default,$(1)) TITLE+= (full) + + RELEASE:=7 + VARIANT:=full-wolfssl DEPENDS+=+libwolfssl endef @@ -222,6 +234,9 @@ Package/wpad-openssl/description = $(Package/wpad/description) define Package/wpad-wolfssl $(call Package/wpad/Default,$(1)) TITLE+= (full) + + RELEASE:=7 + VARIANT:=wpad-full-wolfssl DEPENDS+=+libwolfssl endef @@ -260,6 +275,9 @@ Package/wpad-mesh-openssl/description = $(Package/wpad-mesh/description) define Package/wpad-mesh-wolfssl $(call Package/wpad-mesh,$(1)) DEPENDS+=+libwolfssl + + RELEASE:=7 + VARIANT:=wpad-mesh-wolfssl endef @@ -290,6 +308,9 @@ endef define Package/wpa-supplicant-wolfssl $(call Package/wpa-supplicant/Default,$(1)) + + RELEASE:=7 + VARIANT:=supplicant-full-wolfssl DEPENDS+=+libwolfssl endef @@ -320,6 +341,9 @@ endef define Package/wpa-supplicant-mesh-wolfssl $(call Package/wpa-supplicant-mesh/Default,$(1)) + + RELEASE:=7 + VARIANT:=supplicant-mesh-wolfssl DEPENDS+=+libwolfssl endef @@ -379,6 +403,9 @@ define Package/eapol-test-wolfssl TITLE:=802.1x authentication test utility SECTION:=net CATEGORY:=Network + + RELEASE:=7 + VARIANT:=supplicant-full-wolfssl CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-wolfssl ,$(EAPOL_TEST_PROVIDERS))) DEPENDS:=$(DRV_DEPENDS) +libwolfssl ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [RFC 18.06 PATCH 2/3] ustream-ssl: bump wolfssl variant
wolfssl changed ABI version. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/ustream-ssl/Makefile b/package/libs/ustream-ssl/Makefile index 2ea5bf0bd5..c0fd281866 100644 --- a/package/libs/ustream-ssl/Makefile +++ b/package/libs/ustream-ssl/Makefile @@ -3,6 +3,15 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ustream-ssl PKG_RELEASE:=1 +### NOTICE FOR THE NEXT VERSION/RELEASE BUMP. +### +# libustream-wolfssl currently has a different RELEASE than the rest of the libs. +# This is temporary, and was done to avoid to needlessly upgrade the rest of the +# variants. So when the next update happen, things should get back to normal. +# If this package gets a PKG_RELEASE bump, please use PKG_RELEASE:=3, and remove the +# RELEASE:=2 line under libustream-wolfssl, as well as this notice. +# If the VERSION/SOURCE_DATE gets updated, remove the notice and the RELEASE:=2 line. + PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git PKG_SOURCE_DATE:=2018-07-30 @@ -39,6 +48,9 @@ define Package/libustream-wolfssl $(Package/libustream/default) TITLE += (wolfssl) DEPENDS += +PACKAGE_libustream-wolfssl:libwolfssl + + RELEASE:=2 + VARIANT:=wolfssl endef ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [RFC 18.06 PATCH 1/3] wolfssl: bump to 4.1.0-stable
Always build AES-GCM support. Unnecessary patches were removed. This includes two vulnerability fixes: CVE-2018-16870: a new variant of the Bleichenbacher attack to perform downgrade attacks against TLS, which may lead to leakage of sensible data. CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used maliciously to perform a lattice based timing attack. This brings some changes from master as well: * Removed options that can't be turned off because we're building with --enable-stunnel, some of which affect hostapd's Config.in. * Adjusted the title of OCSP option, as OCSP itself can't be turned off, only the stapling part is selectable. * Mark options turned on when wpad support is selected. * Add building options for TLS 1.0, and TLS 1.3. * Add AF_ALG hardware crypto support, which due to a bug, only works when CCM support is turned off. * Reorganized option conditionals in Makefile. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 50b0bb9cdf..32b0f74089 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -4,16 +4,8 @@ config WOLFSSL_HAS_AES_CCM bool "Include AES-CCM support" default y -config WOLFSSL_HAS_AES_GCM - bool "Include AES-GCM support" - default y - -config WOLFSSL_HAS_CHACHA - bool "Include ChaCha cipher suite support" - default n - -config WOLFSSL_HAS_ECC - bool "Include ECC (Elliptic Curve Cryptography) support" +config WOLFSSL_HAS_CHACHA_POLY + bool "Include ChaCha20-Poly1305 cipher suite support" default y config WOLFSSL_HAS_DH @@ -24,12 +16,12 @@ config WOLFSSL_HAS_ARC4 bool "Include ARC4 support" default y -config WOLFSSL_HAS_DES3 - bool "Include DES3 (Tripple-DES) support" +config WOLFSSL_HAS_TLSV10 + bool "Include TLS 1.0 support" default y -config WOLFSSL_HAS_PSK - bool "Include PKS (Pre Share Key) support" +config WOLFSSL_HAS_TLSV13 + bool "Include TLS 1.3 support" default y config WOLFSSL_HAS_SESSION_TICKET @@ -41,20 +33,34 @@ config WOLFSSL_HAS_DTLS default n config WOLFSSL_HAS_OCSP - bool "Include OSCP support" + bool "Include OSCP stapling support" default y config WOLFSSL_HAS_WPAS bool "Include wpa_supplicant support" + select WOLFSSL_HAS_ARC4 + select WOLFSSL_HAS_OCSP + select WOLFSSL_HAS_SESSION_TICKET default y config WOLFSSL_HAS_ECC25519 bool "Include ECC Curve 22519 support" - depends on WOLFSSL_HAS_ECC default n -config WOLFSSL_HAS_POLY_1305 - bool "Include Poly-1305 support" - default n +if WOLFSSL_HAS_AES_CCM + comment "! Hardware Acceleration does not build with AES-CCM enabled" +endif +if !WOLFSSL_HAS_AES_CCM + choice + prompt "Hardware Acceleration" + default WOLFSSL_HAS_NO_HW + + config WOLFSSL_HAS_NO_HW + bool "None" + + config WOLFSSL_HAS_AFALG + bool "AF_ALG" + endchoice +endif endif diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index a01a8949aa..03bbda714d 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,29 +8,29 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=3.15.3-stable +PKG_VERSION:=4.1.0-stable PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip -# PKG_SOURCE_URL:=https://www.wolfssl.com/ +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=dc97c07a7667b39a890e14f4b4a209f51524a4cabee7adb6c80822ee78c1f62a +PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8 PKG_FIXUP:=libtool PKG_INSTALL:=1 PKG_USE_MIPS16:=0 PKG_BUILD_PARALLEL:=1 -PKG_LICENSE:=GPL-2.0+ -PKG_CPE_ID:=cpe:/a:yassl:cyassl +PKG_LICENSE:=GPL-2.0-or-later +PKG_LICENSE_FILES:=LICENSING COPYING +PKG_MAINTAINER:=Eneas U de Queiroz +PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl PKG_CONFIG_DEPENDS:=\ - CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \ - CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \ - CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ - CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \ - CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY_1305 \ - CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \ - CONFIG_WOLFSSL_HAS_WPAS + CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AFALG \ + CONFIG
[OpenWrt-Devel] [RFC 18.06-alt PATCH 1/1] wolfssl: fixes for CVE-2018-16870 & CVE-2019-13628
CVE-2018-16870: medium-severity, new variant of the Bleichenbacher
attack to perform downgrade attacks against TLS, which may lead to
leakage of sensible data. Backported from 3.15.7.
CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack. Backported from 4.1.0.
Signed-off-by: Eneas U de Queiroz
---
This is an alternative to updating 18.06 to 4.1.0, just backporting the
patches. This has been tested on x86_64 with the package's testsuite,
in addition to regular run-testing on WRT3200ACM, using uhttpd,
uclient-fetch, and curl.
CVE-2019-13628's patch applied cleanly, but the other one needed many
adjustments.
package/libs/wolfssl/Makefile | 5 +-
...nstant-time-when-Block-Type-2-messag.patch | 584 ++
.../020-Improve-nonce-use-in-ECC-mulmod.patch | 100 +++
3 files changed, 687 insertions(+), 2 deletions(-)
create mode 100644
package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch
create mode 100644
package/libs/wolfssl/patches/020-Improve-nonce-use-in-ECC-mulmod.patch
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index a01a8949aa..6f29cd668d 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
PKG_VERSION:=3.15.3-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
# PKG_SOURCE_URL:=https://www.wolfssl.com/
@@ -21,7 +21,8 @@ PKG_INSTALL:=1
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0+
-PKG_CPE_ID:=cpe:/a:yassl:cyassl
+PKG_MAINTAINER:=Eneas U de Queiroz
+PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
diff --git
a/package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch
b/package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch
new file mode 100644
index 00..26ceaef4c5
--- /dev/null
+++
b/package/libs/wolfssl/patches/010-Make-RsaUnPad-constant-time-when-Block-Type-2-messag.patch
@@ -0,0 +1,584 @@
+From 278d54d95de9fa80b4ac9f6dd0f900841114ca8c Mon Sep 17 00:00:00 2001
+From: Sean Parkinson
+Date: Mon, 27 Aug 2018 10:16:40 +1000
+Subject: [PATCH] Make RsaUnPad constant time when Block Type 2 message
+
+(cherry picked from commit ab03f9291b040269ae21d33b9f01529ed8311728)
+[cherry-pick changes]
+Signed-off-by: Eneas U de Queiroz
+
+diff --git a/src/internal.c b/src/internal.c
+index dfb3a2fe9..4b2477e7a 100644
+--- a/src/internal.c
b/src/internal.c
+@@ -24766,26 +24766,22 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte*
input, word32* inOutIdx,
+ * indistinguishable from correctly formatted RSA
blocks
+ */
+
+-ret = args->lastErr;
+ args->lastErr = 0; /* reset */
+
+ /* build PreMasterSecret */
+ ssl->arrays->preMasterSecret[0] =
ssl->chVersion.major;
+ ssl->arrays->preMasterSecret[1] =
ssl->chVersion.minor;
+-if (ret == 0 && args->sigSz == SECRET_LEN &&
+- args->output !=
NULL) {
++if (args->output != NULL) {
+ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
+-&args->output[VERSION_SZ],
+-SECRET_LEN - VERSION_SZ);
+-}
+-else {
+-/* preMasterSecret has RNG and version set */
+-/* return proper length and ignore error */
+-/* error will be caught as decryption error */
+-args->sigSz = SECRET_LEN;
+-ret = 0;
++&args->output[VERSION_SZ],
++SECRET_LEN - VERSION_SZ);
+ }
+-
++/* preMasterSecret has RNG and version set
++ * return proper length and ignore error
++ * error will be caught as decryption error
++ */
++args->sigSz = SECRET_LEN;
++ret = 0;
+ break;
+ } /* rsa_kea */
+ #endif /* !NO_RSA */
+diff --git a/src/tls.c b/src/tls.c
+index 9f0c49497..cc985410a 100644
+--- a/src/tls.c
b/src/tls.c
+@@ -1136,12 +1136,12 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byt
[OpenWrt-Devel] [PATCH 1/3] openssl: always build with EC support
Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in index 63493829ba..d1281ec6fa 100644 --- a/package/libs/openssl/Config.in +++ b/package/libs/openssl/Config.in @@ -76,7 +76,6 @@ config OPENSSL_WITH_TLS13 bool default y prompt "Enable support for TLS 1.3" - select OPENSSL_WITH_EC help TLS 1.3 is the newest version of the TLS specification. It aims: @@ -120,19 +119,8 @@ config OPENSSL_WITH_CMS comment "Algorithm Selection" -config OPENSSL_WITH_EC - bool - default y - prompt "Enable elliptic curve support" - help - Elliptic-curve cryptography (ECC) is an approach to public-key - cryptography based on the algebraic structure of elliptic curves - over finite fields. ECC requires smaller keys compared to non-ECC - cryptography to provide equivalent security. - config OPENSSL_WITH_EC2M bool - depends on OPENSSL_WITH_EC prompt "Enable ec2m support" help This option enables the more efficient, yet less common, binary diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index b8f97a82e8..24a84c0c54 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=c PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -28,7 +28,7 @@ PKG_HASH:=f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c90 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE -PKG_MAINTAINER:=Eneas U de Queiroz +PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_ENGINE \ @@ -48,7 +48,6 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_CMS \ CONFIG_OPENSSL_WITH_COMPRESSION \ CONFIG_OPENSSL_WITH_DTLS \ - CONFIG_OPENSSL_WITH_EC \ CONFIG_OPENSSL_WITH_EC2M \ CONFIG_OPENSSL_WITH_ERROR_MESSAGES \ CONFIG_OPENSSL_WITH_GOST \ @@ -203,10 +202,6 @@ ifndef CONFIG_OPENSSL_WITH_ASYNC OPENSSL_OPTIONS += no-async endif -ifndef CONFIG_OPENSSL_WITH_EC - OPENSSL_OPTIONS += no-ec -endif - ifndef CONFIG_OPENSSL_WITH_EC2M OPENSSL_OPTIONS += no-ec2m endif ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 0/3] support EC keys in px5g/uhttpd
I'm adding support to create EC curves with px5g, and changing uhttpd to use it, adding two config options: key_type, and ec_curve. * key_type should be set to either 'ec' or 'rsa'. In practice, it will silently use 'rsa' unless its value is 'ec'. * ec_curve takes an elliptic curve name, which should match one of the certificate generator's TLS library's name. Unfortunatly, they don't necessarity match between px5g (mbedtls), and openssl. Short names P-256 and P-384 were added to px5g to have an uniform set, and are guaranteed to work. P-521 is there too, but mbedtls is currently built without it. Right now the ciphersuites used with EC keys are stronger than with RSA keys, and I'm sending a patch to widen that gap further. That way you can use the key type to choose the level of strenght vs. broad compatibility you wish to use. A P-256 EC key offers a strenght equivalent of 3072-bit RSA key, and is generated much faster than even a 2048-bit RSA key. uhttpd currently generates a 2048-bit RSA key by default, and that has not been changed. Eneas U de Queiroz (3): openssl: always build with EC support px5g: support EC keys uhttpd: add support to generate EC keys package/libs/openssl/Config.in| 12 --- package/libs/openssl/Makefile | 9 +- package/network/services/uhttpd/Makefile | 2 +- .../services/uhttpd/files/uhttpd.config | 8 ++ .../network/services/uhttpd/files/uhttpd.init | 6 +- package/utils/px5g/Makefile | 4 +- package/utils/px5g/px5g.c | 86 +++ 7 files changed, 87 insertions(+), 40 deletions(-) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 2/3] px5g: support EC keys
This adds an 'eckey' command to generate an EC key, with an optional
curve name argument, with P-256 as default.
For the 'selfsigned' command, it adds an 'ec' algorithm argument to the
'-newkey' option, and a '-pkeyopt ec_paramgen_curve:' option,
mirroring the way openssl specifies the curve name.
Notice that curve names are not necessarily the same in mbedtls and
openssl. In particular, secp256r1 works for mbedtls, but openssl uses
prime256v1 instead. px5g uses mbedtls, but short NIST curve names P-256
and P-384 are specifically supported.
Package size increased by about 900 bytes (arm).
Signed-off-by: Eneas U de Queiroz
diff --git a/package/utils/px5g/Makefile b/package/utils/px5g/Makefile
index 7b5748425d..cfd1bfc80e 100644
--- a/package/utils/px5g/Makefile
+++ b/package/utils/px5g/Makefile
@@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=px5g
-PKG_RELEASE:=8
+PKG_RELEASE:=9
PKG_LICENSE:=LGPL-2.1
PKG_BUILD_DIR:=$(BUILD_DIR)/px5g-$(BUILD_VARIANT)
@@ -53,7 +53,7 @@ ifeq ($(BUILD_VARIANT),standalone)
TARGET_LDFLAGS := -Wl,-Bstatic $(TARGET_LDFLAGS) -Wl,-Bdynamic
endif
-TARGET_CFLAGS += -Wl,--gc-sections
+TARGET_CFLAGS += -Wl,--gc-sections -Wall -Werror
define Build/Compile
$(TARGET_CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -o
$(PKG_BUILD_DIR)/px5g px5g.c $(TARGET_LDFLAGS)
diff --git a/package/utils/px5g/px5g.c b/package/utils/px5g/px5g.c
index f0fe4dcfd3..0b72154509 100644
--- a/package/utils/px5g/px5g.c
+++ b/package/utils/px5g/px5g.c
@@ -32,6 +32,7 @@
#include
#include
+#include
#include
#include
@@ -73,6 +74,23 @@ static void write_file(const char *path, int len, bool pem)
fclose(f);
}
+static mbedtls_ecp_group_id ecp_curve(const char *name)
+{
+ const mbedtls_ecp_curve_info *curve_info;
+
+ if (!strcmp(name, "P-256"))
+ return MBEDTLS_ECP_DP_SECP256R1;
+ else if (!strcmp(name, "P-384"))
+ return MBEDTLS_ECP_DP_SECP384R1;
+ else if (!strcmp(name, "P-521"))
+ return MBEDTLS_ECP_DP_SECP521R1;
+ curve_info = mbedtls_ecp_curve_info_from_name(name);
+ if (curve_info == NULL)
+ return MBEDTLS_ECP_DP_NONE;
+ else
+ return curve_info->grp_id;
+}
+
static void write_key(mbedtls_pk_context *key, const char *path, bool pem)
{
int len = 0;
@@ -89,24 +107,33 @@ static void write_key(mbedtls_pk_context *key, const char
*path, bool pem)
write_file(path, len, pem);
}
-static void gen_key(mbedtls_pk_context *key, int ksize, int exp, bool pem)
+static void gen_key(mbedtls_pk_context *key, bool rsa, int ksize, int exp,
+ mbedtls_ecp_group_id curve, bool pem)
{
mbedtls_pk_init(key);
- fprintf(stderr, "Generating RSA private key, %i bit long modulus\n",
ksize);
- mbedtls_pk_setup(key, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
- if (mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, NULL, ksize,
exp)) {
- fprintf(stderr, "error: key generation failed\n");
- exit(1);
+ if (rsa) {
+ fprintf(stderr, "Generating RSA private key, %i bit long
modulus\n", ksize);
+ mbedtls_pk_setup(key,
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
+ if (!mbedtls_rsa_gen_key(mbedtls_pk_rsa(*key), _urandom, NULL,
ksize, exp))
+ return;
+ } else {
+ fprintf(stderr, "Generating EC private key\n");
+ mbedtls_pk_setup(key,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY));
+ if (!mbedtls_ecp_gen_key(curve, mbedtls_pk_ec(*key), _urandom,
NULL))
+ return;
}
+ fprintf(stderr, "error: key generation failed\n");
+ exit(1);
}
-int rsakey(char **arg)
+int dokey(bool rsa, char **arg)
{
mbedtls_pk_context key;
unsigned int ksize = 512;
int exp = 65537;
char *path = NULL;
bool pem = true;
+ mbedtls_ecp_group_id curve = MBEDTLS_ECP_DP_SECP256R1;
while (*arg && **arg == '-') {
if (!strcmp(*arg, "-out") && arg[1]) {
@@ -120,10 +147,17 @@ int rsakey(char **arg)
arg++;
}
- if (*arg)
+ if (*arg && rsa) {
ksize = (unsigned int)atoi(*arg);
+ } else if (*arg) {
+ curve = ecp_curve((const char *)*arg);
+ if (curve == MBEDTLS_ECP_DP_NONE) {
+ fprintf(stderr, "error: invalid curve name: %s\n",
*arg);
+ return 1;
+ }
+ }
- gen_key(&key, ksize, exp, pem);
+ gen_key(&key, rsa, ksize, exp, curve, pem);
write_key(&key, path, pem);
mbedtls_pk_free(&key);
@@ -146,20 +180,37 @@ int selfsigned(char **arg
[OpenWrt-Devel] [PATCH 3/3] uhttpd: add support to generate EC keys
This adds the key_type and ec_curve options to enable the generation of
EC keys during initialization, using openssl or the new options added to
px5g.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/network/services/uhttpd/Makefile
b/package/network/services/uhttpd/Makefile
index 0738ec68f5..247132d2b1 100644
--- a/package/network/services/uhttpd/Makefile
+++ b/package/network/services/uhttpd/Makefile
@@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=uhttpd
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git
diff --git a/package/network/services/uhttpd/files/uhttpd.config
b/package/network/services/uhttpd/files/uhttpd.config
index a3deb9cf04..39089ca25b 100644
--- a/package/network/services/uhttpd/files/uhttpd.config
+++ b/package/network/services/uhttpd/files/uhttpd.config
@@ -118,9 +118,17 @@ config cert defaults
# Validity time
option days 730
+ # key type: rsa or ec
+ option key_type rsa
+
# RSA key size
option bits 2048
+ # EC curve name
+ # Curve names vary between mbedtls/px5g and openssl
+ # P-256 or P-384 are guaranteed to work
+ option ec_curve P-256
+
# Location
option country ZZ
option stateSomewhere
diff --git a/package/network/services/uhttpd/files/uhttpd.init
b/package/network/services/uhttpd/files/uhttpd.init
index dc496b3e28..6322473b97 100755
--- a/package/network/services/uhttpd/files/uhttpd.init
+++ b/package/network/services/uhttpd/files/uhttpd.init
@@ -43,15 +43,19 @@ generate_keys() {
config_get state "$cfg" state
config_get location "$cfg" location
config_get commonname "$cfg" commonname
+ config_get key_type "$cfg" key_type
+ config_get ec_curve "$cfg" ec_curve
# Prefer px5g for certificate generation (existence evaluated last)
local GENKEY_CMD=""
+ local KEY_OPTS="rsa:${bits:-2048}"
local UNIQUEID=$(dd if=/dev/urandom bs=1 count=4 | hexdump -e '1/1
"%02x"')
+ [ "$key_type" = "ec" ] && KEY_OPTS="ec -pkeyopt
ec_paramgen_curve:${ec_curve:-P-256}"
[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256
-outform der -nodes"
[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -der"
[ -n "$GENKEY_CMD" ] && {
$GENKEY_CMD \
- -days ${days:-730} -newkey rsa:${bits:-2048} -keyout
"${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
+ -days ${days:-730} -newkey ${KEY_OPTS} -keyout
"${UHTTPD_KEY}.new" -out "${UHTTPD_CERT}.new" \
-subj
/C="${country:-ZZ}"/ST="${state:-Somewhere}"/L="${location:-Unknown}"/O="${commonname:-OpenWrt}$UNIQUEID"/CN="${commonname:-OpenWrt}"
sync
mv "${UHTTPD_KEY}.new" "${UHTTPD_KEY}"
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [ustream-ssl PATCH 2/2] Revise supported ciphersuites
CBC ciphersuites have been under scrutiny because of the many padding
oracle vulnerabilities that keep popping up; it seems that we won't be
able to patch up the inherent wakness of MAC-then-encrypt forever. They
have been blacklisted by HTTP/2, and recently dropped from Mozilla's
Security/Serverside TLS intermediate compatibility list:
https://wiki.mozilla.org/Security/Server_Side_TLS
This commit removes ECDSA-CBC ciphersuites. Basically, you can choose a
level of ciphersuite security, using the private-key type as a switch:
For RSA keys, CBC and RSA-key exchange ciphers will be enabled--mostly
matching Mozilla's Old backward compatibility list.
If you use an EC private key, then only ephemeral-key, authenticated
ciphers will be used, along the lines of what Mozilla's Intermediate
compatibility list prescribes.
The order does not match Mozilla's list 100% because in most embedded
systems, the server is going to be the least-capable machine. So,
chacha20-poly1305 is moved ahead of AES, and the cipher preference is
always given to the server. Also, DHE ciphers are not used for server.
The client list had the order changed to prioritize authenticated
ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC.
Signed-off-by: Eneas U de Queiroz
---
If you use the intermediate compatibility list, you lose compatibility
with Safari on iOS<=8 and OS X<=10.10. Windows XP will not work either,
but since it is not compatible with EC keys, it does not change what we
had before.
I don't think we should drop ciphers from client-mode yet; none of the
ciphers are terribly bad from a client perspective, and if we disable
them, we can either get locked out of a service, or be forced to use an
unencrypted connection.
diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index b7d7629..85bbb1c 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -86,18 +86,25 @@ static int _urandom(void *ctx, unsigned char *out, size_t
len)
return 0;
}
-#define AES_CIPHERS(v) \
+#define AES_GCM_CIPHERS(v) \
MBEDTLS_TLS_##v##_WITH_AES_128_GCM_SHA256, \
- MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384, \
+ MBEDTLS_TLS_##v##_WITH_AES_256_GCM_SHA384
+
+#define AES_CBC_CIPHERS(v) \
MBEDTLS_TLS_##v##_WITH_AES_128_CBC_SHA, \
MBEDTLS_TLS_##v##_WITH_AES_256_CBC_SHA
+#define AES_CIPHERS(v) \
+ AES_GCM_CIPHERS(v), \
+ AES_CBC_CIPHERS(v)
+
static const int default_ciphersuites_server[] =
{
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- AES_CIPHERS(ECDHE_ECDSA),
+ AES_GCM_CIPHERS(ECDHE_ECDSA),
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- AES_CIPHERS(ECDHE_RSA),
+ AES_GCM_CIPHERS(ECDHE_RSA),
+ AES_CBC_CIPHERS(ECDHE_RSA),
AES_CIPHERS(RSA),
0
};
@@ -105,11 +112,14 @@ static const int default_ciphersuites_server[] =
static const int default_ciphersuites_client[] =
{
MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- AES_CIPHERS(ECDHE_ECDSA),
+ AES_GCM_CIPHERS(ECDHE_ECDSA),
MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- AES_CIPHERS(ECDHE_RSA),
+ AES_GCM_CIPHERS(ECDHE_RSA),
MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- AES_CIPHERS(DHE_RSA),
+ AES_GCM_CIPHERS(DHE_RSA),
+ AES_CBC_CIPHERS(ECDHE_ECDSA),
+ AES_CBC_CIPHERS(ECDHE_RSA),
+ AES_CBC_CIPHERS(DHE_RSA),
MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
AES_CIPHERS(RSA),
MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 3810d6a..b2df362 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -22,14 +22,16 @@
#include "ustream-ssl.h"
#include "ustream-internal.h"
-
/* Ciphersuite preference:
- * - key exchange: prefer ECDHE, then DHE(client only), then RSA
- * - prefer AEAD ciphers:
+ * - for server, no weak ciphers are used if you use an ECDSA key.
+ * - forward-secret (pfs), authenticated (AEAD) ciphers are at the top:
* chacha20-poly1305, the fastest in software, 256-bits
* aes128-gcm, 128-bits
* aes256-gcm, 256-bits
- * - CBC ciphers
+ * - key exchange: prefer ECDHE, then DHE (client only)
+ * - forward-secret ECDSA CBC ciphers (client-only)
+ * - forward-secret RSA CBC ciphers
+ * - non-pfs ciphers
* aes128, aes256, 3DES(client only)
*/
@@ -38,32 +40,38 @@
"TLS13-CHACHA20-POLY1305-SHA256:" \
"TLS13-AES128-GCM-SHA256:" \
"TLS13-AES256-GCM-SHA384:" \
- ecdhe_ciphers
+ e
[OpenWrt-Devel] [ustream-ssl PATCH 1/2] wolfssl, openssl: use TLS 1.3, set ciphersuites
For wolfssl, instead of hard-coding TLS 1.2, use generic method and
disable older protocols, adding the necessary ciphersuites.
Openssl already had TLS 1.3 compatiblity, but its ciphersuite ordering
needs a separate call, so this sets the ciphersuite preference when
using TLS 1.3.
Signed-off-by: Eneas U de Queiroz
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 7c72ce1..3810d6a 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -33,6 +33,21 @@
* aes128, aes256, 3DES(client only)
*/
+#ifdef WOLFSSL_SSL_H
+# define top_ciphers \
+ "TLS13-CHACHA20-POLY1305-SHA256:" \
+ "TLS13-AES128-GCM-SHA256:" \
+ "TLS13-AES256-GCM-SHA384:" \
+ ecdhe_ciphers
+#else
+# define tls13_ciphersuites"TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_128_GCM_SHA256:" \
+ "TLS_AES_256_GCM_SHA384"
+
+# define top_ciphers \
+ ecdhe_ciphers
+#endif
+
#define ecdhe_ciphers \
"ECDHE-ECDSA-CHACHA20-POLY1305:"\
"ECDHE-ECDSA-AES128-GCM-SHA256:"\
@@ -60,11 +75,11 @@
"AES256-SHA"
#define server_cipher_list \
- ecdhe_ciphers ":" \
+ top_ciphers ":" \
non_pfs_aes
#define client_cipher_list \
- ecdhe_ciphers ":" \
+ top_ciphers ":" \
dhe_ciphers ":" \
non_pfs_aes ":" \
"DES-CBC3-SHA"
@@ -83,7 +98,7 @@ __ustream_ssl_context_new(bool server)
SSL_library_init();
_init = true;
}
-# define TLS_server_method TLSv1_2_server_method
+# define TLS_server_method SSLv23_server_method
# define TLS_client_method SSLv23_client_method
#endif
@@ -101,10 +116,15 @@ __ustream_ssl_context_new(bool server)
SSL_OP_CIPHER_SERVER_PREFERENCE);
#if defined(SSL_CTX_set_ecdh_auto) && OPENSSL_VERSION_NUMBER < 0x1010L
SSL_CTX_set_ecdh_auto(c, 1);
+#elif OPENSSL_VERSION_NUMBER >= 0x10101000L
+ SSL_CTX_set_ciphersuites(c, tls13_ciphersuites);
#endif
if (server) {
#if OPENSSL_VERSION_NUMBER >= 0x1010L
SSL_CTX_set_min_proto_version(c, TLS1_2_VERSION);
+#else
+ SSL_CTX_set_options(c, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
+ SSL_OP_NO_TLSv1_1);
#endif
SSL_CTX_set_cipher_list(c, server_cipher_list);
} else {
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH ustream-ssl 1/2] ustream-io-cyassl.c: fix client-mode connections
Starting in v3.13.2, wolfSSL added calls to set the BIO send and recv
callbacks used by the SSL struct. When the SSL session is created, it
inherits the calls from the SSL_CTX, but they do not get updated when
the SSL_CTX callbacks are changed.
ustream-ssl sets the callbacks after the SSL structure is created, so
it needs to use the SSL functions.
Client apps, such as uclient_fetch fail immediately to connect to https
URLs with a 'Connection failed' error message. uhttpd seems unaffected.
This commit adds a check in CMakeLists.txt to detect the presence of the
new call, maintaining backward compatibility.
Signed-off-by: Eneas U de Queiroz
---
This was tested on a WRT3200ACM running openwrt master, using
uclient-fetch and uhttpd.
I've also tested on x86_64 (not on openwrt, though) for compatibility
with previous versions of wolfssl, so it _should_ be safe to use this
for 18.06 as well.
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c4a3c44..b99b242 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,6 +1,7 @@
cmake_minimum_required(VERSION 2.6)
INCLUDE(CheckIncludeFiles)
+INCLUDE(CheckSymbolExists)
PROJECT(ustream-ssl C)
ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations)
@@ -16,6 +17,12 @@ ELSEIF(CYASSL)
SET(CMAKE_EXTRA_INCLUDE_FILES cyassl/ssl.h)
IF (HAVE_CYASSL_VERSION_H)
ADD_DEFINITIONS(-DHAVE_CYASSL_VERSION_H)
+SET(CMAKE_REQUIRED_LIBRARIES "-lwolfssl")
+CHECK_SYMBOL_EXISTS (wolfSSL_SSLSetIORecv "wolfssl/ssl.h"
+HAVE_WOLFSSL_SSLSETIORECV)
+IF (HAVE_WOLFSSL_SSLSETIORECV)
+ ADD_DEFINITIONS(-DWOLFSSL_SSLSETIO_SEND_RECV)
+ENDIF()
ENDIF()
ADD_DEFINITIONS(-DHAVE_CYASSL)
SET(SSL_SRC ustream-io-cyassl.c ustream-openssl.c)
diff --git a/ustream-io-cyassl.c b/ustream-io-cyassl.c
index d97d55e..17a8e94 100644
--- a/ustream-io-cyassl.c
+++ b/ustream-io-cyassl.c
@@ -101,6 +101,11 @@ __hidden void ustream_set_io(struct ustream_ssl_ctx *ctx,
void *ssl, struct ustr
{
CyaSSL_SetIOReadCtx(ssl, conn);
CyaSSL_SetIOWriteCtx(ssl, conn);
+#ifdef WOLFSSL_SSLSETIO_SEND_RECV
+ wolfSSL_SSLSetIORecv((void *) ssl, io_recv_cb);
+ wolfSSL_SSLSetIOSend((void *) ssl, io_send_cb);
+#else
CyaSSL_SetIORecv((void *) ctx, io_recv_cb);
CyaSSL_SetIOSend((void *) ctx, io_send_cb);
+#endif
}
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH ustream-ssl 2/2] ustream-openssl.c: do CN validation with wolfssl
ustream uses X509_check_host to perform the validation, and that call is
present in wolfssl since v3.10.4, depending on the build-time configure
options. Currently, openwrt always builds support for it. It currently
does not support X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, so no flags are
being used, which should be good enough.
Nonetheless, the call is being checked in CMakeLists.txt, just in case
wolfssl build options change.
Without CN validation, uclient-fetch will fail to run unless the
--no-check-certificate option is used.
Signed-off-by: Eneas U de Queiroz
---
This was run-tested on WRT3200ACM running openwrt master
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b99b242..8dbdb89 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -23,6 +23,11 @@ ELSEIF(CYASSL)
IF (HAVE_WOLFSSL_SSLSETIORECV)
ADD_DEFINITIONS(-DWOLFSSL_SSLSETIO_SEND_RECV)
ENDIF()
+CHECK_SYMBOL_EXISTS (X509_check_host "openssl/ssl.h"
+HAVE_X509_CHECK_HOST)
+IF (HAVE_X509_CHECK_HOST)
+ ADD_DEFINITIONS(-DHAVE_X509_CHECK_HOST)
+ENDIF()
ENDIF()
ADD_DEFINITIONS(-DHAVE_CYASSL)
SET(SSL_SRC ustream-io-cyassl.c ustream-openssl.c)
diff --git a/ustream-openssl.c b/ustream-openssl.c
index b2df362..ab763f3 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int
ret)
uloop_timeout_set(&us->error_timer, 0);
}
-#ifndef CYASSL_OPENSSL_H_
+#if !defined(CYASSL_OPENSSL_H_) || defined(HAVE_X509_CHECK_HOST)
static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
{
@@ -212,7 +212,11 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl *us,
X509 *cert)
if (!us->peer_cn)
return false;
+# ifndef CYASSL_OPENSSL_H_
ret = X509_check_host(cert, us->peer_cn, 0,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
+# else
+ ret = X509_check_host(cert, us->peer_cn, 0, 0, NULL);
+# endif
return ret == 1;
}
@@ -252,7 +256,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct
ustream_ssl *us)
r = SSL_connect(ssl);
if (r == 1) {
-#ifndef CYASSL_OPENSSL_H_
+#if !defined(CYASSL_OPENSSL_H_) || defined(HAVE_X509_CHECK_HOST)
ustream_ssl_verify_cert(us);
#endif
return U_SSL_OK;
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wolfssl: allow building with hw-crytpo and AES-CCM
Hardware acceleration was disabled when AES-CCM was selected as a workaround for a build failure. This applies a couple of upstream patches fixing this. Signed-off-by: Eneas U de Queiroz --- This is the result of this upstream issue: https://github.com/wolfSSL/wolfssl/issues/2392 It was tested on WRT3200ACM (mvebu) running openwrt master, using uhttpd, curl, and uclient-fetch (with ustream-ssl fixes applied). This should be cherry-picked to 19.07 as well. diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index a729f73a1d..4ac69f821a 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -50,28 +50,27 @@ config WOLFSSL_HAS_ECC25519 config WOLFSSL_HAS_DEVCRYPTO bool -if WOLFSSL_HAS_AES_CCM - comment "! Hardware Acceleration does not build with AES-CCM enabled" -endif -if !WOLFSSL_HAS_AES_CCM - choice - prompt "Hardware Acceleration" - default WOLFSSL_HAS_NO_HW +choice + prompt "Hardware Acceleration" + default WOLFSSL_HAS_NO_HW - config WOLFSSL_HAS_NO_HW - bool "None" + config WOLFSSL_HAS_NO_HW + bool "None" - config WOLFSSL_HAS_AFALG - bool "AF_ALG" + config WOLFSSL_HAS_AFALG + bool "AF_ALG" - config WOLFSSL_HAS_DEVCRYPTO_AES - bool "/dev/crypto - AES-only" - select WOLFSSL_HAS_DEVCRYPTO + config WOLFSSL_HAS_DEVCRYPTO_CBC + bool "/dev/crytpo - AES-CBC-only" + select WOLFSSL_HAS_DEVCRYPTO - config WOLFSSL_HAS_DEVCRYPTO_FULL - bool "/dev/crypto - full" - select WOLFSSL_HAS_DEVCRYPTO - endchoice -endif + config WOLFSSL_HAS_DEVCRYPTO_AES + bool "/dev/crypto - AES-only (all supported modes)" + select WOLFSSL_HAS_DEVCRYPTO + + config WOLFSSL_HAS_DEVCRYPTO_FULL + bool "/dev/crypto - full" + select WOLFSSL_HAS_DEVCRYPTO +endchoice endif diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 2ad03a5aca..778754ffdc 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.1.0-stable -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) @@ -77,7 +77,9 @@ CONFIGURE_ARGS += \ --$(if $(CONFIG_WOLFSSL_HAS_DTLS),enable,disable)-dtls \ --$(if $(CONFIG_WOLFSSL_HAS_ECC25519),enable,disable)-curve25519 \ --$(if $(CONFIG_WOLFSSL_HAS_AFALG),enable,disable)-afalg \ - --enable-devcrypto=$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES),aes,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL),yes,no)) + --enable-devcrypto=$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_CBC),cbc\ + ,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES),aes\ + ,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL),yes,no))) ifeq ($(CONFIG_WOLFSSL_HAS_OCSP),y) CONFIGURE_ARGS += \ diff --git a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch b/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch new file mode 100644 index 00..a9b8aee918 --- /dev/null +++ b/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch @@ -0,0 +1,74 @@ +From e8e1d35744c68b165e172a687e870a549438bdf0 Mon Sep 17 00:00:00 2001 +From: Jacob Barthelmeh +Date: Tue, 13 Aug 2019 14:12:45 -0600 +Subject: [PATCH] build with devcrypto and aesccm + + +diff --git a/configure.ac b/configure.ac +index f943cc6ef..cf03e7f52 100644 +--- a/configure.ac b/configure.ac +@@ -1096,6 +1096,10 @@ then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES" ++if test "$ENABLED_AESCCM" = "yes" ++then ++AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT" ++fi + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW" + ENABLED_DEVCRYPTO=yes +@@ -1106,6 +1110,10 @@ then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC" ++if test "$ENABLED_AESCCM" = "yes" ++then ++AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT" ++fi + ENABLED_DEVCRYPTO=yes + fi + if test "$ENABLED_DEVCRYPTO" = "cbc" +diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c +index beeae72a6..b
[OpenWrt-Devel] [PATCH] openssl: bump to 1.1.1d
This version fixes 3 low-severity vulnerabilities:
- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
Patches were refreshed.
Signed-off-by: Eneas U de Queiroz
--
Run-tested on WRT3200ACM, mvebu, running openwrt master, using uhttpd,
nginx, openssl-util, and uclient-fetch; devcrypto engine specifically
tested.
This should be cherry-picked to openwrt-19.07 as well.
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 5663fd4b95..28625bad05 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,9 +9,9 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openssl
PKG_BASE:=1.1.1
-PKG_BUGFIX:=c
+PKG_BUGFIX:=d
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=2
+PKG_RELEASE:=1
PKG_USE_MIPS16:=0
ENGINES_DIR=engines-1.1
@@ -24,7 +24,7 @@ PKG_SOURCE_URL:= \
ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
http://www.openssl.org/source/ \
http://www.openssl.org/source/old/$(PKG_BASE)/
-PKG_HASH:=f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c90
+PKG_HASH:=1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
PKG_LICENSE:=OpenSSL
PKG_LICENSE_FILES:=LICENSE
diff --git a/package/libs/openssl/patches/100-Configure-afalg-support.patch
b/package/libs/openssl/patches/100-Configure-afalg-support.patch
index 274a4f1cf9..0f91a9d5da 100644
--- a/package/libs/openssl/patches/100-Configure-afalg-support.patch
+++ b/package/libs/openssl/patches/100-Configure-afalg-support.patch
@@ -1,4 +1,4 @@
-From bf4f3a5696c65b4a48935599ccba43311c114c95 Mon Sep 17 00:00:00 2001
+From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Thu, 27 Sep 2018 08:29:21 -0300
Subject: Do not use host kernel version to disable AFALG
@@ -8,9 +8,11 @@ version to disable building the AFALG engine on openwrt
targets.
Signed-off-by: Eneas U de Queiroz
+diff --git a/Configure b/Configure
+index 5a699836f3..74d057c219 100755
--- a/Configure
+++ b/Configure
-@@ -1535,7 +1535,9 @@ unless ($disabled{"crypto-mdebug-backtra
+@@ -1532,7 +1532,9 @@ unless ($disabled{"crypto-mdebug-backtrace"})
unless ($disabled{afalgeng}) {
$config{afalgeng}="";
diff --git a/package/libs/openssl/patches/110-openwrt_targets.patch
b/package/libs/openssl/patches/110-openwrt_targets.patch
index bc49e27aeb..d0530b4661 100644
--- a/package/libs/openssl/patches/110-openwrt_targets.patch
+++ b/package/libs/openssl/patches/110-openwrt_targets.patch
@@ -1,4 +1,4 @@
-From 9a83f8fb7c46215dfb8d6dc2e2cc612bc2a0fd01 Mon Sep 17 00:00:00 2001
+From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Thu, 27 Sep 2018 08:30:24 -0300
Subject: Add openwrt targets
@@ -7,6 +7,9 @@ Targets are named: linux-$(CONFIG_ARCH)-openwrt
Signed-off-by: Eneas U de Queiroz
+diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf
+new file mode 100644
+index 00..86a86d31e4
--- /dev/null
+++ b/Configurations/25-openwrt.conf
@@ -0,0 +1,48 @@
diff --git a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
index d6e35b7451..75fb9d1684 100644
--- a/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
+++ b/package/libs/openssl/patches/120-strip-cflags-from-binary.patch
@@ -1,16 +1,18 @@
-From f453f3eccb852740e37e9436dac5670d311c13b0 Mon Sep 17 00:00:00 2001
+From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Thu, 27 Sep 2018 08:31:38 -0300
-Subject: void exposing build directories
+Subject: Avoid exposing build directories
The CFLAGS contain the build directories, and are shown by calling
OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a
Signed-off-by: Eneas U de Queiroz
+diff --git a/crypto/build.info b/crypto/build.info
+index 2c619c62e8..893128345a 100644
--- a/crypto/build.info
+++ b/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink
+@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
DEPEND[cversion.o]=buildinf.h
diff --git a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
index 7c61b1e292..fa79cc6022 100644
--- a/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
+++ b/package/libs/openssl/patches/130-dont-build-tests-fuzz.patch
@@ -1,4 +1,4 @@
-From e2339aa9c68837089d17cf309022cee497fe2412 Mon Sep 17 00:00:00 2001
+From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Thu, 27 Sep 2018 08:34:38 -0300
Subject: Do not build tests and fuzz directories
@@ -7,9 +7,11 @@
[OpenWrt-Devel] [PATCH 18.06] openssl: bump to 1.0.2t, add maintainer
This version fixes 3 low-severity vulnerabilities: - CVE-2019-1547: ECDSA remote timing attack - CVE-2019-1549: Fork Protection - CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey Patches were refreshed, and Eneas U de Queiroz added as maintainer. Signed-off-by: Eneas U de Queiroz -- This was run-tested in openwrt master with 18.06 versions of libustream and openssl with uhttp, uclient-fetch, and openssl-util. diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 99f1b861b4..50939568c8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.0.2 -PKG_BUGFIX:=s +PKG_BUGFIX:=t PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -24,10 +24,11 @@ PKG_SOURCE_URL:= \ http://gd.tuwien.ac.at/infosys/security/openssl/source/ \ http://www.openssl.org/source/ \ http://www.openssl.org/source/old/$(PKG_BASE)/ -PKG_HASH:=cabd5c9492825ce5bd23f3c3aeed6a97f8142f606d893df216411f07d1abab96 +PKG_HASH:=14cb464efe7ac6b54799b34456bd69558a749a4931ecfd9cf9f71d7881cac7bc PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:openssl:openssl PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_ENGINE_CRYPTO \ diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch index a518a00496..314075a910 100644 --- a/package/libs/openssl/patches/150-no_engines.patch +++ b/package/libs/openssl/patches/150-no_engines.patch @@ -1,6 +1,6 @@ --- a/Configure +++ b/Configure -@@ -2144,6 +2144,11 @@ EOF +@@ -2145,6 +2145,11 @@ EOF close(OUT); } ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH lede-17.01] openssl: bump to 1.0.2t, Makefile updates
This version fixes 3 low-severity vulnerabilities: - CVE-2019-1547: ECDSA remote timing attack - CVE-2019-1549: Fork Protection - CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey Patches were refreshed, PKG_SOURCE_URL was updated to match openwrt-18.06, and Eneas U de Queiroz added as maintainer. Signed-off-by: Eneas U de Queiroz diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 60357604b1..3f8907cf17 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.0.2 -PKG_BUGFIX:=s +PKG_BUGFIX:=t PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -18,15 +18,17 @@ PKG_BUILD_PARALLEL:=0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=http://www.openssl.org/source/ \ - ftp://ftp.openssl.org/source/ \ - http://www.openssl.org/source/old/$(PKG_BASE)/ \ - ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.openssl.org/source \ - ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/ -PKG_HASH:=cabd5c9492825ce5bd23f3c3aeed6a97f8142f606d893df216411f07d1abab96 +PKG_SOURCE_URL:= \ + http://ftp.fi.muni.cz/pub/openssl/source/ \ + http://ftp.linux.hr/pub/openssl/source/ \ + http://gd.tuwien.ac.at/infosys/security/openssl/source/ \ + http://www.openssl.org/source/ \ + http://www.openssl.org/source/old/$(PKG_BASE)/ +PKG_HASH:=14cb464efe7ac6b54799b34456bd69558a749a4931ecfd9cf9f71d7881cac7bc PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Eneas U de Queiroz PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_ENGINE_CRYPTO \ CONFIG_OPENSSL_ENGINE_DIGEST \ diff --git a/package/libs/openssl/patches/150-no_engines.patch b/package/libs/openssl/patches/150-no_engines.patch index a518a00496..314075a910 100644 --- a/package/libs/openssl/patches/150-no_engines.patch +++ b/package/libs/openssl/patches/150-no_engines.patch @@ -1,6 +1,6 @@ --- a/Configure +++ b/Configure -@@ -2144,6 +2144,11 @@ EOF +@@ -2145,6 +2145,11 @@ EOF close(OUT); } ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH ustream-ssl v2 0/3] wolfssl updates
ustream-ssl does not currently work with client apps. They fail to connect immediately. uclient-fetch, for example, just show a 'Connection failed' message. This was due to a change in the SSL session struct. While making small changes to my first attempt, I realized my testing was not completely flawed. Because of that, I failed to realize that while the struct change happened in in v3.13.2, but the API to change it at the SSL struct was only created in v4.1.0. Keeping some of the calls using CyaSSL, but then having to add new calls, only available as wolfSSL would become messy. So, I started by cleaning up the code, removing old CyaSSL remnants. After fixing that, uclient-fetch failed to run unless --no-check-certificate is used, which is not ideal. So I added the calls to perform CN validation. r Note that even wolfssl has a X509_check_host function, which could be used for openssl and wolfssl, they are not 100% compatible, and its definition is not really consistent from version to version. X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS is not defined, and even though wolfSSL_X509_check_host apparently only exists to implement the openssl function, they are not both enabled by --enable-opensslextra. The wolfSSL function is, but the openssl isn't. So I'm using the wolfssl call. As for testing, I run-tested each commit with wolfssl versions 3.10.4, 3.12.2, 3.15.3, and 4.1.0. Since the fist commit does not fix client-mode, I tested it using the example client/server apps (using a client built with a different version). Version 3.15.3 did not work with the server app, so I checked the current HEAD, and it does not work either, so it is not somehting I introduced. It works after the next fix is applied. Everything works as expected from the next commit on. Eneas -- Eneas U de Queiroz (3): Remove CyaSSL, WolfSSL < 3.10.4 support ustream-io-cyassl.c: fix client-mode connections wolfssl: enable CN validation CMakeLists.txt | 25 +++ ustream-internal.h | 3 -- ustream-io-cyassl.c => ustream-io-wolfssl.c | 47 + ustream-openssl.c | 14 +++--- ustream-openssl.h | 4 ++ ustream-ssl.c | 3 ++ 6 files changed, 43 insertions(+), 53 deletions(-) rename ustream-io-cyassl.c => ustream-io-wolfssl.c (62%) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH ustream-ssl v2 1/3] Remove CyaSSL, WolfSSL < 3.10.4 support
This updates the CyaSSL names to wolfSSL, and removes obsolete code to
support old versions of the library < v3.10.4.
Some #include statements were moved around, so that wolfssl/options.h is
loaded before any other wolfssl/openssl header.
Signed-off-by: Eneas U de Queiroz
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c4a3c44..3b557c3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,7 +1,5 @@
cmake_minimum_required(VERSION 2.6)
-INCLUDE(CheckIncludeFiles)
-
PROJECT(ustream-ssl C)
ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations)
@@ -11,15 +9,10 @@ IF(MBEDTLS)
ADD_DEFINITIONS(-DHAVE_MBEDTLS)
SET(SSL_SRC ustream-mbedtls.c)
SET(SSL_LIB mbedtls mbedcrypto mbedx509 m)
-ELSEIF(CYASSL)
- CHECK_INCLUDE_FILES (cyassl/version.h HAVE_CYASSL_VERSION_H)
- SET(CMAKE_EXTRA_INCLUDE_FILES cyassl/ssl.h)
- IF (HAVE_CYASSL_VERSION_H)
-ADD_DEFINITIONS(-DHAVE_CYASSL_VERSION_H)
- ENDIF()
- ADD_DEFINITIONS(-DHAVE_CYASSL)
- SET(SSL_SRC ustream-io-cyassl.c ustream-openssl.c)
- SET(SSL_LIB cyassl m)
+ELSEIF(WOLFSSL)
+ ADD_DEFINITIONS(-DHAVE_WOLFSSL)
+ SET(SSL_SRC ustream-io-wolfssl.c ustream-openssl.c)
+ SET(SSL_LIB wolfssl m)
ELSE()
SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
SET(SSL_LIB crypto ssl)
diff --git a/ustream-internal.h b/ustream-internal.h
index a8c534f..8d5d0db 100644
--- a/ustream-internal.h
+++ b/ustream-internal.h
@@ -24,9 +24,6 @@
#if defined(HAVE_MBEDTLS)
#include "ustream-mbedtls.h"
#else
-#if defined(HAVE_CYASSL)
-#include
-#endif
#include "ustream-openssl.h"
#endif
diff --git a/ustream-io-cyassl.c b/ustream-io-wolfssl.c
similarity index 61%
rename from ustream-io-cyassl.c
rename to ustream-io-wolfssl.c
index d97d55e..052518a 100644
--- a/ustream-io-cyassl.c
+++ b/ustream-io-wolfssl.c
@@ -23,12 +23,6 @@
#include "ustream-ssl.h"
#include "ustream-internal.h"
-#ifdef HAVE_CYASSL_VERSION_H
-#include
-#else
-#define LIBCYASSL_VERSION_HEX 0
-#endif
-
static int s_ustream_read(char *buf, int len, void *ctx)
{
struct ustream *s = ctx;
@@ -61,7 +55,6 @@ static int s_ustream_write(char *buf, int len, void *ctx)
return ustream_write(s, buf, len, false);
}
-#if (LIBCYASSL_VERSION_HEX > 0)
static int io_recv_cb(SSL* ssl, char *buf, int sz, void *ctx)
{
return s_ustream_read(buf, sz, ctx);
@@ -71,36 +64,11 @@ static int io_send_cb(SSL* ssl, char *buf, int sz, void
*ctx)
{
return s_ustream_write(buf, sz, ctx);
}
-#else
-/* not defined in the header file */
-typedef int (*CallbackIORecv)(char *buf, int sz, void *ctx);
-typedef int (*CallbackIOSend)(char *buf, int sz, void *ctx);
-
-void SetCallbackIORecv_Ctx(SSL_CTX*, CallbackIORecv);
-void SetCallbackIOSend_Ctx(SSL_CTX*, CallbackIOSend);
-void SetCallbackIO_ReadCtx(SSL* ssl, void *rctx);
-void SetCallbackIO_WriteCtx(SSL* ssl, void *wctx);
-
-#define CyaSSL_SetIOReadCtx SetCallbackIO_ReadCtx
-#define CyaSSL_SetIOWriteCtx SetCallbackIO_WriteCtx
-#define CyaSSL_SetIORecv SetCallbackIORecv_Ctx
-#define CyaSSL_SetIOSend SetCallbackIOSend_Ctx
-
-static int io_recv_cb(char *buf, int sz, void *ctx)
-{
- return s_ustream_read(buf, sz, ctx);
-}
-
-static int io_send_cb(char *buf, int sz, void *ctx)
-{
- return s_ustream_write(buf, sz, ctx);
-}
-#endif
__hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct
ustream *conn)
{
- CyaSSL_SetIOReadCtx(ssl, conn);
- CyaSSL_SetIOWriteCtx(ssl, conn);
- CyaSSL_SetIORecv((void *) ctx, io_recv_cb);
- CyaSSL_SetIOSend((void *) ctx, io_send_cb);
+ wolfSSL_SetIOReadCtx(ssl, conn);
+ wolfSSL_SetIOWriteCtx(ssl, conn);
+ wolfSSL_SetIORecv((void *) ctx, io_recv_cb);
+ wolfSSL_SetIOSend((void *) ctx, io_send_cb);
}
diff --git a/ustream-openssl.c b/ustream-openssl.c
index b2df362..21abf61 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -18,9 +18,9 @@
#include
#include
-#include
#include "ustream-ssl.h"
#include "ustream-internal.h"
+#include
/* Ciphersuite preference:
* - for server, no weak ciphers are used if you use an ECDSA key.
@@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int
ret)
uloop_timeout_set(&us->error_timer, 0);
}
-#ifndef CYASSL_OPENSSL_H_
+#ifndef WOLFSSL_OPENSSL_H_
static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
{
@@ -252,7 +252,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct
ustream_ssl *us)
r = SSL_connect(ssl);
if (r == 1) {
-#ifndef CYASSL_OPENSSL_H_
+#ifndef WOLFSSL_OPENSSL_H_
ustream_ssl_verify_cert(us);
#endif
return U_SSL_OK;
diff --git a/ustream-openssl.h b/ustream-openssl.h
index afff22b..0a6ca91 100644
--- a/ustream-openssl.h
+++ b/ustream-openssl.h
@@ -19,6 +19,10 @@
#ifndef __USTREAM_OPENSSL_H
#define __USTREAM_OPENSSL_H
+#if d
[OpenWrt-Devel] [PATCH ustream-ssl v2 3/3] wolfssl: enable CN validation
WolfSSL added a wolfSSL_X509_check_host function to perform CN
validation in v3.10.4, depending on the build-time configure options:
--enable-nginx enables it for all supported versions;
--enable-opensslextra, since v3.14.2.
If the function is unavailable, then SSL_get_verify_result will be
called, and 'valid_cert' will be true if that call suceeds and we
have a peer certificate, just as it happens with openssl. Only
'valid_cn' will not be set.
Signed-off-by: Eneas U de Queiroz
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6b3fc8c..86e1b07 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -21,6 +21,12 @@ ELSEIF(WOLFSSL)
IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
ENDIF()
+ CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
+ "wolfssl/options.h;wolfssl/ssl.h"
+ HAVE_WOLFSSL_X509_CHECK_HOST)
+ IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
+ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
+ ENDIF()
ELSE()
SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
SET(SSL_LIB crypto ssl)
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 21abf61..c830618 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int
ret)
uloop_timeout_set(&us->error_timer, 0);
}
-#ifndef WOLFSSL_OPENSSL_H_
+#ifndef NO_X509_CHECK_HOST
static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
{
@@ -212,10 +212,15 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl *us,
X509 *cert)
if (!us->peer_cn)
return false;
+# ifndef WOLFSSL_OPENSSL_H_
ret = X509_check_host(cert, us->peer_cn, 0,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
+# else
+ ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
+# endif
return ret == 1;
}
+#endif
static void ustream_ssl_verify_cert(struct ustream_ssl *us)
{
@@ -235,11 +240,12 @@ static void ustream_ssl_verify_cert(struct ustream_ssl
*us)
return;
us->valid_cert = true;
+#ifndef NO_X509_CHECK_HOST
us->valid_cn = ustream_ssl_verify_cn(us, cert);
+#endif
X509_free(cert);
}
-#endif
__hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
{
@@ -252,9 +258,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct
ustream_ssl *us)
r = SSL_connect(ssl);
if (r == 1) {
-#ifndef WOLFSSL_OPENSSL_H_
ustream_ssl_verify_cert(us);
-#endif
return U_SSL_OK;
}
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH ustream-ssl v2 2/3] ustream-io-cyassl.c: fix client-mode connections
Starting in v3.13.2, wolfSSL stores the BIO send and recv callbacks
in the SSL struct. When the SSL session is created, it inherits the
calls from the SSL_CTX, but they do not get updated when the SSL_CTX
callbacks are changed.
Currently, ustream-ssl sets the callbacks after the SSL session is
created, causing failures. Client apps, such as uclient-fetch fail
immediately to connect to https URLs with a 'Connection failed' error
message. uhttpd seems unaffected.
New calls to set them directly to the SSL struct were added in 4.1.0, so
we can use them, with a check in CMakeLists.txt to detect their
presence. Otherwise, another call to ustream_set_io is done before
creating the SSL session to properly set the callbacks.
Signed-off-by: Eneas U de Queiroz
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3b557c3..6b3fc8c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,7 @@
cmake_minimum_required(VERSION 2.6)
+INCLUDE(CheckSymbolExists)
+
PROJECT(ustream-ssl C)
ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations)
@@ -13,6 +15,12 @@ ELSEIF(WOLFSSL)
ADD_DEFINITIONS(-DHAVE_WOLFSSL)
SET(SSL_SRC ustream-io-wolfssl.c ustream-openssl.c)
SET(SSL_LIB wolfssl m)
+ SET(CMAKE_REQUIRED_LIBRARIES "-lwolfssl -lm")
+ CHECK_SYMBOL_EXISTS (wolfSSL_SSLSetIORecv "wolfssl/ssl.h"
+ HAVE_WOLFSSL_SSLSETIORECV)
+ IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
+ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
+ ENDIF()
ELSE()
SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
SET(SSL_LIB crypto ssl)
diff --git a/ustream-io-wolfssl.c b/ustream-io-wolfssl.c
index 052518a..db69499 100644
--- a/ustream-io-wolfssl.c
+++ b/ustream-io-wolfssl.c
@@ -67,8 +67,15 @@ static int io_send_cb(SSL* ssl, char *buf, int sz, void *ctx)
__hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct
ustream *conn)
{
- wolfSSL_SetIOReadCtx(ssl, conn);
- wolfSSL_SetIOWriteCtx(ssl, conn);
+#ifndef NO_WOLFSSL_SSLSETIO_SEND_RECV
+ wolfSSL_SSLSetIORecv(ssl, io_recv_cb);
+ wolfSSL_SSLSetIOSend(ssl, io_send_cb);
+#else
wolfSSL_SetIORecv((void *) ctx, io_recv_cb);
wolfSSL_SetIOSend((void *) ctx, io_send_cb);
+ if (ssl == NULL)
+ return;
+#endif
+ wolfSSL_SetIOReadCtx(ssl, conn);
+ wolfSSL_SetIOWriteCtx(ssl, conn);
}
diff --git a/ustream-ssl.c b/ustream-ssl.c
index dd0faf9..e6b084b 100644
--- a/ustream-ssl.c
+++ b/ustream-ssl.c
@@ -179,6 +179,9 @@ static int _ustream_ssl_init(struct ustream_ssl *us, struct
ustream *conn, struc
us->conn = conn;
us->ctx = ctx;
+#if defined(HAVE_WOLFSSL) && defined(NO_WOLFSSL_SSLSETIO_SEND_RECV)
+ ustream_set_io(ctx, NULL, conn);
+#endif
us->ssl = __ustream_ssl_session_new(us->ctx);
if (!us->ssl)
return -ENOMEM;
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH ustream-ssl] Update example certificate & key, fix typo
The current crypto libraries will fail to load small RSA keys, so a new certificate was generated with a 2048-bit RSA key. Also fixed a typo in ustream-example-client.c Signed-off-by: Eneas U de Queiroz -- This is the output of 'openssl x509 -noout -text -in example.crt', with the public key & signature binary blobs omitted: Certificate: Data: Version: 3 (0x2) Serial Number: 15:bc:7e:f4:04:bd:f3:b4:79:e7:cb:57:d3:99:86:39:7c:d2:a8:df Signature Algorithm: sha256WithRSAEncryption Issuer: CN = f...@bar.com Validity Not Before: Sep 18 17:31:27 2019 GMT Not After : Sep 19 17:31:27 2119 GMT Subject: CN = f...@bar.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: (omitted) Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption diff --git a/example.crt b/example.crt index 9ac235f..815565f 100644 --- a/example.crt +++ b/example.crt @@ -1,9 +1,17 @@ -BEGIN CERTIFICATE- -MIIBHTCByKADAgECAgRo1CQZMA0GCSqGSIb3DQEBBQUAMBYxFDASBgNVBAMTC2Zv -b0BiYXIuY29tMB4XDTEyMTAyMjIyNDg1NFoXDTc2MDgyMjE2MjAzOFowFjEUMBIG -A1UEAxMLZm9vQGJhci5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAqU6orvsW -TP0Q/bV3m41+HSaSA5YhggSSx/w8OYR0/owDz2vhpUfVHKaRGpg+H+Q2M7uPVxms -LyUQNTaA8mNxKwIDAQABMA0GCSqGSIb3DQEBBQUAA0EAKcXv7EsiNYV/5dakVvic -Rg2Rme5PFK2jkLFOhm/jnhNfNiXcMHx5hhtmrLnTugqyAzIkV14r9n63xYErj59M -lQ== +MIICujCCAaKgAwIBAgIUFbx+9AS987R558tX05mGOXzSqN8wDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLZm9vQGJhci5jb20wIBcNMTkwOTE4MTczMTI3WhgPMjEx +OTA5MTkxNzMxMjdaMBYxFDASBgNVBAMMC2Zvb0BiYXIuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnvZT9GbaEiwcDFNl7cNSSvzK2cvQr1QmtpmF +VEMeLPwXRxnvEJNvRMFXGWCYhmKMakdOdgcqKM8c6j5TbphYtGAXQRXGV3y0+1wW +StTTaAkIIaarhZpmwgrT6agPYXUzXqhtOk8VmSwlUif/nQFYnOezgd9MR8Fo+Min +YZJPAMWs7yUzQzCgq0S2YguVPUQ/NiXeNzRpxrl42Gh5kotd2RlJ8Ue7oxPOZs4W +L7UH8hBZeRQj3CzWpI5fqOwmozl1LW8GUd91E4+YR+Hm043huhNjvwbA2asIduqd +wXHcVDvKQXwuSojwC9Uo4eN/dMNSZd7q4k0gu3QmgNJZIMbO7QIDAQABMA0GCSqG +SIb3DQEBCwUAA4IBAQAzNar5A+k6fHh3aGw3KB5/4jE7UxRAvTk9mp69/uc4V+qj +oWEtGqP4nPmfL4+nFwoJJ5hvSWzRFvXRr2AtURMV/1anQk41gcMb3G7lNDC+X/zf +t+xPx75O4heIALW84gdHZ7MY7guEFiLfprnX1l65uJeYvrKeG3cHY0YlDd2WFZGF +DLPK61P/wGfOL4U1oDQF2rb09Wwx3rV8IfyPYu6ZTS+u6P43kF/4w+EJHexKhNyX +Utym2sK05eMUWnraZouTeoRri2wvvjmIPZyldNsJ5HI6hU7fhT0B/BjJMrDXWRRS +w72acdYB9pcu+2ABAKIwn07keYntiE4TjG9vBYqJ -END CERTIFICATE- diff --git a/example.key b/example.key index da69d0c..e4b3ba7 100644 --- a/example.key +++ b/example.key @@ -1,9 +1,28 @@ --BEGIN RSA PRIVATE KEY- -MIIBOQIBAAJBAKlOqK77Fkz9EP21d5uNfh0mkgOWIYIEksf8PDmEdP6MA89r4aVH -1RymkRqYPh/kNjO7j1cZrC8lEDU2gPJjcSsCAwEAAQJAAiwxO/Wa5qgEtMzEWSmq -qaMaEpO1oF6Ap7JT74UEn1OVOgnCZVdzUDu0vgWKc16vKfS+vIWU24A1VvHCqOyZ -aQIhAPXuu2zAY1e1C0L8DWXl2BjPiz3Qr0nIMWsd4kE48WidAiEAsDztNFSnaRsy -S3Zten+2uHCyZAMfYvxkUj96uUabomcCIAbAOebfVRrIPnnlP1zntUnhEJpuyxEE -bM7a8CYIMSBFAiAcmrbxUHAfmh9uqhkY0dPJWdlKbEtS2J47zzvPCIvILwIgbtEL -g29/1Fs/KyVa/sE9/oKpIBwux8UHQxg6epUKeuw= --END RSA PRIVATE KEY- +-BEGIN PRIVATE KEY- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCe9lP0ZtoSLBwM +U2Xtw1JK/MrZy9CvVCa2mYVUQx4s/BdHGe8Qk29EwVcZYJiGYoxqR052Byoozxzq +PlNumFi0YBdBFcZXfLT7XBZK1NNoCQghpquFmmbCCtPpqA9hdTNeqG06TxWZLCVS +J/+dAVic57OB30xHwWj4yKdhkk8AxazvJTNDMKCrRLZiC5U9RD82Jd43NGnGuXjY +aHmSi13ZGUnxR7ujE85mzhYvtQfyEFl5FCPcLNakjl+o7CajOXUtbwZR33UTj5hH +4ebTjeG6E2O/BsDZqwh26p3BcdxUO8pBfC5KiPAL1Sjh4390w1Jl3uriTSC7dCaA +0lkgxs7tAgMBAAECggEAFPk9VIbpiPJG9R1f2oIl7nzyKtBohWmd/gO9gsOkTJ0q +WRhD4bUCPlkgK9oB5eFE05T69jm1x1KkZwe4LGRvd8Uh7FV6KPrsSin5SwBPsG9Y +olACW4tmuX2CPlcNSHeVQo0IdGQQ3nfjqLZcVJPj5DfyCFW1E9aiCgk3hHkwcVJu +ZJIqYyHfnRzVsTZrZZjYoeYWg1+oNozW3nlzs0CWi9hRGq9I1fASm1LMRDITgFpW +8zXSrvKY4WALCaqCX1vFBfo/f3pmm0SIom4apTvyH+U+tHFmJofP0Y49cDc/ngHe +fbug/Od5ScfDTu111Fqb5NWz8ju6B7odhBj1RFvWIQKBgQDMzXOOZ969AjEyRsaH +1aG+MNEwU32fSHhiDr7vGTgeAf2Zn2b0/NLxxn5l7dF6t0bvo5hNCIa4q0YTuv62 +grtssbOvKFGb+xdQufYH6gRMFjjGs83QYXoDpDNHjdscBjaTy9aEoo1wUQbYfAaF +4zZqLKQB0Crfaj28lwXqDaCMdQKBgQDGs0cnWX3NTwCpu+CF7czkeUZWgnRWq3Xk +oGHrcPAx4hiNU2+E2+5dR9ZvmU3f4DpSA8ObPMUtsfb1KfOYRq3se98tyB/6nnX5 +IU5WPhpvL+CxxutLt1doMsjknuspbUT/hfTOjwLddCK/KWpRxO7OPwt1hZsCPmie +IZ7rUf/JmQKBgHhlgzxBRcj5Q/CZeNabuST0z9VID76WvOZwYsBuo/XIF8y6z6zQ +ADZQCThksVQh8FqqYrtOetyPG3g34stqWUJRyR78ZdV7q74yRDds1C/ilGgDhcet +tivz2I2FED0OTgFewHJimSFhENQtPSxyYSfTrGrAdKO4ciiu47QvZKWNAoGAKqld +UpaFSyp2Mvsypq66+icLshFKVz1zD4Zb38gc2ij4KofKftUVpZOB9+4LaVDkVK2Y +NuFiWIBITLUYJw6t0wN5lIPOUenp3HaJMj0dQdgevyy9YkFYE/grZ+KzDO74DIC/ +YgYUkGWZ/D8xI6NLvp6MoEvyTxYFMkZ3r4CokakCgYBRma6oAv94NOyAPgqshY8d +vxouqB07N8Km6Helfi5cnuihBejS5q1MJ15IOHdJXTW1mKpTNDT4y5ARzEcBXKNV +3DmOQ4bKhOameOCyG3RCWLOdjXxy4siIfMFkVC29/vlr+O6qZq1sSh355Qzx62Kw +FC1yIKb5d4EfoAejMuKWAA== +-END PRIVATE KEY- diff --git a/ustream-example-client.c b/ustream-example-client.c index 6527362..4fc99f0 100644 --- a/ustream-example-
[OpenWrt-Devel] [PATCH] kernel: fix hw-crypto detection of qce driver
This adds the CRYPTO_ALG_KERN_DRIVER_ONLY flag to Qualcomm crypto engine driver algorithms, so that openssl devcrypto can recognize them as hardware-accelerated. Signed-off-by: Eneas U de Queiroz -- It was reported to me at the forum: https://forum.openwrt.org/t/comparing-cpu-soc-performance/36115/20 I have submitted the patch upstream, but haven't got any feedback yet. This is a basic fix. Nonetheless, I need someone with access to Qualcomm Ahteros IPQ40XX/IPQ806X to confirm that it works. I've successfully compile-tested it for both targets. The output of 'openssl engine -pre DUMP_INFO devcrypto' should show the *-qce drivers as (hw accelerated), instead of (software). The 4.14 patch should be cherry-picked to openwrt-19.07, and I will send a patch for it after this is merged unless someone tell me otherwise. diff --git a/target/linux/generic/pending-4.14/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch b/target/linux/generic/pending-4.14/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch new file mode 100644 index 00..71ed00af22 --- /dev/null +++ b/target/linux/generic/pending-4.14/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch @@ -0,0 +1,31 @@ +From: Eneas U de Queiroz +Subject: [PATCH] crypto: qce - add CRYPTO_ALG_KERN_DRIVER_ONLY flag + +Set the CRYPTO_ALG_KERN_DRIVER_ONLY flag to all algorithms exposed by +the qce driver, since they are all hardware accelerated, accessible +through a kernel driver only, and not available directly to userspace. + +Signed-off-by: Eneas U de Queiroz + +--- a/drivers/crypto/qce/ablkcipher.c b/drivers/crypto/qce/ablkcipher.c +@@ -373,7 +373,7 @@ static int qce_ablkcipher_register_one(const struct qce_ablkcipher_def *def, + + alg->cra_priority = 300; + alg->cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC | +- CRYPTO_ALG_NEED_FALLBACK; ++ CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY; + alg->cra_ctxsize = sizeof(struct qce_cipher_ctx); + alg->cra_alignmask = 0; + alg->cra_type = &crypto_ablkcipher_type; +--- a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c +@@ -526,7 +526,7 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def, + base = &alg->halg.base; + base->cra_blocksize = def->blocksize; + base->cra_priority = 300; +- base->cra_flags = CRYPTO_ALG_ASYNC; ++ base->cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_KERN_DRIVER_ONLY; + base->cra_ctxsize = sizeof(struct qce_sha_ctx); + base->cra_alignmask = 0; + base->cra_module = THIS_MODULE; diff --git a/target/linux/generic/pending-4.19/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch b/target/linux/generic/pending-4.19/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch new file mode 100644 index 00..b542885d38 --- /dev/null +++ b/target/linux/generic/pending-4.19/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch @@ -0,0 +1,31 @@ +From: Eneas U de Queiroz +Subject: [PATCH] crypto: qce - add CRYPTO_ALG_KERN_DRIVER_ONLY flag + +Set the CRYPTO_ALG_KERN_DRIVER_ONLY flag to all algorithms exposed by +the qce driver, since they are all hardware accelerated, accessible +through a kernel driver only, and not available directly to userspace. + +Signed-off-by: Eneas U de Queiroz + +--- a/drivers/crypto/qce/ablkcipher.c b/drivers/crypto/qce/ablkcipher.c +@@ -370,7 +370,7 @@ static int qce_ablkcipher_register_one(const struct qce_ablkcipher_def *def, + + alg->cra_priority = 300; + alg->cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC | +- CRYPTO_ALG_NEED_FALLBACK; ++ CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY; + alg->cra_ctxsize = sizeof(struct qce_cipher_ctx); + alg->cra_alignmask = 0; + alg->cra_type = &crypto_ablkcipher_type; +--- a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c +@@ -503,7 +503,7 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def, + base = &alg->halg.base; + base->cra_blocksize = def->blocksize; + base->cra_priority = 300; +- base->cra_flags = CRYPTO_ALG_ASYNC; ++ base->cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_KERN_DRIVER_ONLY; + base->cra_ctxsize = sizeof(struct qce_sha_ctx); + base->cra_alignmask = 0; + base->cra_module = THIS_MODULE; ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] ipq806x: remove unsupported hw-crypto qce driver
The following symbols, selected by the qce driver were removed: CONFIG_CRYPTO_CBC CONFIG_CRYPTO_CTR CONFIG_CRYPTO_DES CONFIG_CRYPTO_DEV_QCE CONFIG_CRYPTO_ECB CONFIG_CRYPTO_NULL CONFIG_CRYPTO_SEQIV CONFIG_CRYPTO_XTS CONFIG_CRYPTO_GF128MUL was removed as well, since it is only needed by some cipher modes (LRW, GCM), none of which are selected, and it is packaged as a module. Signed-off-by: Eneas U de Queiroz -- > The upstream qce crypto driver does not support the IPQ806x series. > The ipq806x target used to host ipq40xx, so this driver was enabled as > builtin back then. > But since ipq40xx moved out, it's has become a symbol of "hope" > That maybe some day > the NSS support of the IPQ806x can make use of it > > So yeah, if you want to crush the hopes and dreams of the IPQ806X users, > you can disable/remove the driver for the ipq806x target. > > Regards, > Christian My intention is not to "crush the hopes", but to avoid the frustration when you find out something you thought was there not exist. I did not remove CONFIG_CRYPTO_AEAD because it is already selected by CONFIG_CRYPTO_PCRYPT=y in target/linux/generic/config-4.*, although I'm not sure if I should not have dropped it anyway--it won't fail if I do. Here is a dependency tree, showing only the removed symbols: -CRYPTO_DEV_QCE \-CRYPTO_DES \-CRYPTO_ECB \-CRYPTO_CBC \-CRYPTO_XTS \-CRYPTO_CTR \-CRYPTO_SEQIV \-CRYPTO_AEAD* \-CRYPTO_NULL Eneas diff --git a/target/linux/ipq806x/config-4.14 b/target/linux/ipq806x/config-4.14 index 30736ae14e..38f5c94507 100644 --- a/target/linux/ipq806x/config-4.14 +++ b/target/linux/ipq806x/config-4.14 @@ -112,16 +112,10 @@ CONFIG_CRC16=y CONFIG_CRC32_SLICEBY8=y CONFIG_CRYPTO_AEAD=y CONFIG_CRYPTO_AEAD2=y -CONFIG_CRYPTO_CBC=y -CONFIG_CRYPTO_CTR=y CONFIG_CRYPTO_DEFLATE=y -CONFIG_CRYPTO_DES=y -CONFIG_CRYPTO_DEV_QCE=y CONFIG_CRYPTO_DRBG=y CONFIG_CRYPTO_DRBG_HMAC=y CONFIG_CRYPTO_DRBG_MENU=y -CONFIG_CRYPTO_ECB=y -CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_HASH=y CONFIG_CRYPTO_HASH2=y CONFIG_CRYPTO_HMAC=y @@ -130,15 +124,12 @@ CONFIG_CRYPTO_JITTERENTROPY=y CONFIG_CRYPTO_LZO=y CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_MANAGER2=y -CONFIG_CRYPTO_NULL=y CONFIG_CRYPTO_NULL2=y CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y -CONFIG_CRYPTO_SEQIV=y CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_WORKQUEUE=y -CONFIG_CRYPTO_XTS=y CONFIG_DCACHE_WORD_ACCESS=y CONFIG_DEBUG_GPIO=y # CONFIG_DEBUG_UART_8250 is not set ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] ipq40xx: fix hw-crypto detection of qce driver
This adds the CRYPTO_ALG_KERN_DRIVER_ONLY flag to Qualcomm crypto engine driver algorithms, so that openssl devcrypto can recognize them as hardware-accelerated. Signed-off-by: Eneas U de Queiroz diff --git a/target/linux/ipq40xx/patches-4.14/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch b/target/linux/ipq40xx/patches-4.14/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch new file mode 100644 index 00..58b0ebf5e7 --- /dev/null +++ b/target/linux/ipq40xx/patches-4.14/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY-flag.patch @@ -0,0 +1,31 @@ +From: Eneas U de Queiroz +Subject: [PATCH] crypto: qce - add CRYPTO_ALG_KERN_DRIVER_ONLY flag + +Set the CRYPTO_ALG_KERN_DRIVER_ONLY flag to all algorithms exposed by +the qce driver, since they are all hardware accelerated, accessible +through a kernel driver only, and not available directly to userspace. + +Signed-off-by: Eneas U de Queiroz + +--- a/drivers/crypto/qce/ablkcipher.c b/drivers/crypto/qce/ablkcipher.c +@@ -373,7 +373,7 @@ static int qce_ablkcipher_register_one(c + + alg->cra_priority = 300; + alg->cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER | CRYPTO_ALG_ASYNC | +- CRYPTO_ALG_NEED_FALLBACK; ++ CRYPTO_ALG_NEED_FALLBACK | CRYPTO_ALG_KERN_DRIVER_ONLY; + alg->cra_ctxsize = sizeof(struct qce_cipher_ctx); + alg->cra_alignmask = 0; + alg->cra_type = &crypto_ablkcipher_type; +--- a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c +@@ -526,7 +526,7 @@ static int qce_ahash_register_one(const + base = &alg->halg.base; + base->cra_blocksize = def->blocksize; + base->cra_priority = 300; +- base->cra_flags = CRYPTO_ALG_ASYNC; ++ base->cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_KERN_DRIVER_ONLY; + base->cra_ctxsize = sizeof(struct qce_sha_ctx); + base->cra_alignmask = 0; + base->cra_module = THIS_MODULE; -- 2.21.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] openssl: Add engine configuration to openssl.cnf
This adds engine configuration sections to openssl.cnf, with a commented list of engines. To enable an engine, all you have to do is uncomment the engine line. It also adds some useful comments to the devcrypto engine configuration section. Other engines currently don't have configuration commands. Signed-off-by: Eneas U de Queiroz --- This should be cherry-picked to 19.07. Run-tested on WRT3200ACM without engines, and with devcrypto & afalg. diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 28625bad05..eb267f31f0 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=d PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 diff --git a/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch new file mode 100644 index 00..5cfe7866a2 --- /dev/null +++ b/package/libs/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -0,0 +1,56 @@ +--- a/apps/openssl.cnf b/apps/openssl.cnf +@@ -22,6 +22,53 @@ oid_section = new_oids + # (Alternatively, use a configuration file that has only + # X.509v3 extensions in its main [= default] section.) + ++openssl_conf=openssl_conf ++ ++[openssl_conf] ++engines=engines ++ ++[engines] ++# To enable an engine, install the package, and uncomment it here: ++#devcrypto=devcrypto ++#afalg=afalg ++#padlock=padlock ++ ++[afalg] ++default_algorithms = ALL ++ ++[devcrypto] ++# Leave this alone and configure algorithms with CIPERS/DIGESTS below ++default_algorithms = ALL ++ ++# Configuration commands: ++# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a ++# list of supported algorithms, along with their driver, whether they ++# are hw accelerated or not, and the engine's configuration commands. ++ ++# USE_SOFTDRIVERS: specifies whether to use software (not accelerated) ++# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use ++# if acceleration can't be determined) [default=2] ++#USE_SOFTDRIVERS = 2 ++ ++# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to ++# enable [default=ALL] ++# It is recommended to disable the ECB ciphers; in most cases, it will ++# only be used for PRNG, in small blocks, where performance is poor, ++# and there may be problems with apps forking with open crypto ++# contexts, leading to failures. The CBC ciphers work well: ++#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC ++ ++# DIGESTS: either ALL, NONE, or a comma-separated list of digests to ++# enable [default=NONE] ++# It is strongly recommended not to enable digests; their performance ++# is poor, and there are many cases in which they will not work, ++# especially when calling fork with open crypto contexts. Openssh, ++# for example, does this, and you may not be able to login. ++#DIGESTS = NONE ++ ++[padlock] ++default_algorithms = ALL ++ + [ new_oids ] + + # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] hostapd: adjust to removal of WOLFSSL_HAS_AES_GCM
WolfSSL is always built with AES-GCM support now. Signed-off-by: Eneas U de Queiroz --- As for 19.07, it needs 94d131332b5adbcf885a92608c40a22b79b3c708 (hostapd: adjust removed wolfssl options) cherry-picked first, then this as well, since the wolfssl options were all removed in 19.07 too. diff --git a/package/network/services/hostapd/Config.in b/package/network/services/hostapd/Config.in index 9ce4b243cc..9dfa44e313 100644 --- a/package/network/services/hostapd/Config.in +++ b/package/network/services/hostapd/Config.in @@ -52,7 +52,6 @@ config WPA_WOLFSSL PACKAGE_wpad-mesh-wolfssl ||\ PACKAGE_eapol-test-wolfssl select WOLFSSL_HAS_AES_CCM - select WOLFSSL_HAS_AES_GCM select WOLFSSL_HAS_ARC4 select WOLFSSL_HAS_DH select WOLFSSL_HAS_OCSP ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH ustream-ssl] wolfssl: adjust to new API in v4.2.0
WolfSSL has recently added many openssl 1.1+ calls, including
TLS_server_method & TLS_client_method, which were being redefined,
causing compilation failure:
ustream-openssl.c:113:0: error: "TLS_server_method" redefined [-Werror]
ustream-openssl.c:114:0: error: "TLS_client_method" redefined [-Werror]
Only define the symbols if not previously defined.
Signed-off-by: Eneas U de Queiroz
--
There are two CVEs with critical(CVSS 3.1)/high(CVSS2.0) base scores
that have been fixed in wolfssl 4.2.0: CVE-2019-16748 & CVE-2019-15651.
Before we can update wolfssl, this needs to be applied, along with
https://patchwork.ozlabs.org/patch/1164316/. It's also possible to come
up with a shorter patch than 1164316, doing just what's necessary for
compilation. Let me know how I should go ahead with this.
Here's the error after this, but without 1164316 applied:
/ustream-openssl.h:47:2: error: implicit declaration of function
'SSL_set_tlsext_host_name'; did you mean 'SSL_set_tlsext_debug_arg'?
[-Werror=implicit-function-declaration]
SSL_set_tlsext_host_name(us->ssl, us->server_name);
It's been tested on WRT3200ACM with master, using current wolfssl 4.1.0,
and also with 4.2.0 + https://patchwork.ozlabs.org/patch/1164316/
running uhttpd.
diff --git a/ustream-openssl.c b/ustream-openssl.c
index b2df362..c09106f 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -110,8 +110,12 @@ __ustream_ssl_context_new(bool server)
SSL_library_init();
_init = true;
}
-# define TLS_server_method SSLv23_server_method
-# define TLS_client_method SSLv23_client_method
+# ifndef TLS_server_method
+# define TLS_server_method SSLv23_server_method
+# endif
+# ifndef TLS_client_method
+# define TLS_client_method SSLv23_client_method
+# endif
#endif
if (server) {
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wolfssl: update to v4.2.0-stable
Many bugs were fixed--2 patches removed here.
This release of wolfSSL includes fixes for 5 security vulnerabilities,
including two CVEs with high/critical base scores:
- potential invalid read with TLS 1.3 PSK, including session tickets
- potential hang with ocspstaping2 (always enabled in openwrt)
- CVE-2019-15651: 1-byte overread when decoding certificate extensions
- CVE-2019-16748: 1-byte overread when checking certificate signatures
- DSA attack to recover DSA private keys
Signed-off-by: Eneas U de Queiroz
---
This was run-tested on WRT3200ACM, using uhttpdi, uclient-fetch, curl &
wpad-wolfssl.
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 778754ffdc..3d2a56a97f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
-PKG_VERSION:=4.1.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.2.0-stable
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8
+PKG_HASH:=3562af485c26cd7abe94d9404fbfc0c5c9bceb4aab29b81ebf5e6c2467507e12
PKG_FIXUP:=libtool
PKG_INSTALL:=1
@@ -44,7 +44,7 @@ define Package/libwolfssl
MENU:=1
PROVIDES:=libcyassl
DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev
+WOLFSSL_HAS_AFALG:kmod-crypto-user
- ABI_VERSION:=19
+ ABI_VERSION:=23
endef
define Package/libwolfssl/description
diff --git
a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch
b/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch
deleted file mode 100644
index a9b8aee918..00
--- a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From e8e1d35744c68b165e172a687e870a549438bdf0 Mon Sep 17 00:00:00 2001
-From: Jacob Barthelmeh
-Date: Tue, 13 Aug 2019 14:12:45 -0600
-Subject: [PATCH] build with devcrypto and aesccm
-
-
-diff --git a/configure.ac b/configure.ac
-index f943cc6ef..cf03e7f52 100644
a/configure.ac
-+++ b/configure.ac
-@@ -1096,6 +1096,10 @@ then
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
-+if test "$ENABLED_AESCCM" = "yes"
-+then
-+AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
-+fi
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW"
- ENABLED_DEVCRYPTO=yes
-@@ -1106,6 +1110,10 @@ then
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
-+if test "$ENABLED_AESCCM" = "yes"
-+then
-+AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
-+fi
- ENABLED_DEVCRYPTO=yes
- fi
- if test "$ENABLED_DEVCRYPTO" = "cbc"
-diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
-index beeae72a6..b583d03e9 100644
a/wolfcrypt/src/aes.c
-+++ b/wolfcrypt/src/aes.c
-@@ -760,6 +760,14 @@
- #elif defined(WOLFSSL_DEVCRYPTO_AES)
- /* if all AES is enabled with devcrypto then tables are not needed */
-
-+#if defined(HAVE_AESCCM)
-+static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
-+{
-+wc_AesEncryptDirect(aes, outBlock, inBlock);
-+return 0;
-+}
-+#endif
-+
- #else
-
- /* using wolfCrypt software implementation */
-@@ -1314,7 +1322,8 @@ static const word32 Td[4][256] = {
- };
-
-
--#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)
-+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) \
-+ || defined(WOLFSSL_AES_DIRECT)
- static const byte Td4[256] =
- {
- 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
-diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-index 5c63421e2..d5061f364 100644
a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-+++ b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-@@ -168,7 +168,7 @@ static int wc_DevCrypto_AesDirect(Aes* aes, byte* out,
const byte* in,
- #endif
-
-
--#if defined(WOLFSSL_AES_DIRECT)
-+#if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESCCM)
- void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
- {
- wc_DevCrypto_AesDirect(aes, out, in, AES_BLOCK_SIZE, COP_ENCRYPT);
diff --git
a/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch
b/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch
deleted file mode 100644
index bb4c6fd04b..00
---
a/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-F
[OpenWrt-Devel] [PATCH] kernel: add crypto_user mod to crypto-user pkg
This is needed to export crypto information to netfilter, allowing the alt. afalg openssl engine to obtain information about the drivers being used. Signed-off-by: Eneas U de Queiroz --- Tested on WRT3200ACM, running openrt master. For mvebu, this increases the package size from 17,097 to 20,452. diff --git a/package/kernel/linux/modules/crypto.mk b/package/kernel/linux/modules/crypto.mk index 5ce6795895..d95f234d93 100644 --- a/package/kernel/linux/modules/crypto.mk +++ b/package/kernel/linux/modules/crypto.mk @@ -786,6 +786,7 @@ define KernelPackage/crypto-user TITLE:=CryptoAPI userspace interface DEPENDS:=+kmod-crypto-hash +kmod-crypto-manager KCONFIG:= \ + CONFIG_CRYPTO_USER \ CONFIG_CRYPTO_USER_API \ CONFIG_CRYPTO_USER_API_AEAD \ CONFIG_CRYPTO_USER_API_HASH \ @@ -796,8 +797,9 @@ define KernelPackage/crypto-user $(LINUX_DIR)/crypto/algif_aead.ko \ $(LINUX_DIR)/crypto/algif_hash.ko \ $(LINUX_DIR)/crypto/algif_rng.ko \ - $(LINUX_DIR)/crypto/algif_skcipher.ko - AUTOLOAD:=$(call AutoLoad,09,af_alg algif_aead algif_hash algif_rng algif_skcipher) + $(LINUX_DIR)/crypto/algif_skcipher.ko \ + $(LINUX_DIR)/crypto/crypto_user.ko + AUTOLOAD:=$(call AutoLoad,09,af_alg algif_aead algif_hash algif_rng algif_skcipher crypto_user) $(call AddDepends/crypto) endef ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wolfssl: bump to 4.3.0-stable
This update fixes many bugs, and six security vulnerabilities, including CVE-2019-18840. Signed-off-by: Eneas U de Queiroz -- Compile-tested all dependents, and run-tested with wpad, uhttpd, and curl on WRT3200ACM. There has been an issue with WPA3 and wolfssl. I am not able to test it, but I am hoping this may fix the problem. diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 3d2a56a97f..cb1ab1b64c 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.2.0-stable +PKG_VERSION:=4.3.0-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=3562af485c26cd7abe94d9404fbfc0c5c9bceb4aab29b81ebf5e6c2467507e12 +PKG_HASH:=6896f8ad6c44aff3e583006839600848a0e37118ebbb7514eca9409ae08b PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -44,7 +44,7 @@ define Package/libwolfssl MENU:=1 PROVIDES:=libcyassl DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user - ABI_VERSION:=23 + ABI_VERSION:=24 endef define Package/libwolfssl/description ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] curl: rename cyassl->wolfssl
The old name was dropped and no longer works. Signed-off-by: Eneas U de Queiroz -- While testing this with wolfssl, I noticed the package was built without TLS support. This was run-tested with wolfssl on WRT3200ACM diff --git a/package/network/utils/curl/Makefile b/package/network/utils/curl/Makefile index 830d5a7192..8ccfaedc46 100644 --- a/package/network/utils/curl/Makefile +++ b/package/network/utils/curl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=curl PKG_VERSION:=7.67.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://dl.uxnr.de/mirror/curl/ \ @@ -118,7 +118,7 @@ CONFIGURE_ARGS += \ \ $(call autoconf_bool,CONFIG_IPV6,ipv6) \ \ - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-cyassl="$(STAGING_DIR)/usr",--without-cyassl) \ + $(if $(CONFIG_LIBCURL_WOLFSSL),--with-wolfssl="$(STAGING_DIR)/usr",--without-wolfssl) \ $(if $(CONFIG_LIBCURL_GNUTLS),--with-gnutls="$(STAGING_DIR)/usr",--without-gnutls) \ $(if $(CONFIG_LIBCURL_OPENSSL),--with-ssl="$(STAGING_DIR)/usr",--without-ssl) \ $(if $(CONFIG_LIBCURL_MBEDTLS),--with-mbedtls="$(STAGING_DIR)/usr",--without-mbedtls) \ ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] cryptodev-linux: remove DEFAULT redefinition
The 'DEFAULT:=m if ALL' line prevents the phase1 buildbots from building the package, and users from downloading it, since they use 'ALL_KMODS=y' but 'ALL' is not set. Signed-off-by: Eneas U de Queiroz -- This was reported here: https://github.com/openwrt/packages/issues/10987 This should be cherry-picked to openwrt-19.07 as well. Note that in 18.06, to actually be able to use cryptodev, you'd have to custom-build openssl (or gnutls), since the engine was always built into the main library. Therefore there's little benefit in applying this patch. From 19.07, the openssl devcrypto engine is built into a separate package, which has kmod-cryptodev as a dependency. It was compile/behavior-tested on mvebu and using the ramips-mt7620 SDK. I decided not to bump PKG_RELEASE, since this does not change the package, just whether it gets built or not. diff --git a/package/kernel/cryptodev-linux/Makefile b/package/kernel/cryptodev-linux/Makefile index 2a8890286d..9bea63ebd1 100644 --- a/package/kernel/cryptodev-linux/Makefile +++ b/package/kernel/cryptodev-linux/Makefile @@ -27,7 +27,6 @@ include $(INCLUDE_DIR)/package.mk define KernelPackage/cryptodev SUBMENU:=Cryptographic API modules - DEFAULT:=m if ALL TITLE:=Driver for cryptographic acceleration URL:=http://cryptodev-linux.org/ VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] package: openssl: Enable built engines per default
On Thu, Apr 22, 2021 at 3:55 AM Daniel Danzberger wrote: > > Automatically enable an engine in the openssl.cnf if it has been build. > Before this change, /etc/openssl.cnf had to be edited manually on the > system to enable the engine. > > +define Package/libopenssl-conf/enable > + $(if $(CONFIG_PACKAGE_libopenssl-$(2)),sed -i > s/^\#*$(2)=$(2)/$(2)=$(2)/ $(1)/etc/ssl/openssl.cnf) > +endef > define Package/libopenssl-conf/install > $(INSTALL_DIR) $(1)/etc/ssl > $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ > + $(call Package/libopenssl-conf/enable,$(1),devcrypto) > + $(call Package/libopenssl-conf/enable,$(1),afalg) > + $(call Package/libopenssl-conf/enable,$(1),padlock) Hi Daniel The problem with this is that it will enable the config for all engines in the bots configuration (all packages =m). OpenSSL will stop loading the engines past the point where one of them fails. It may do it silently, or it may show an error. If you run the `openssl engine` command (no flags or with -c), it will show the error; if you add the `-t` flag, the error message is gone. In either case, the engines configured after the first failed one will not load. Suppose that you install the afalg engine, but not devcrypto. When it loads the config file, devcrypto comes first, and openssl will fail to find it; then the afalg engine will not be loaded. I do like the idea, though. My first thought was to add an install script to the engine packages. The problem is that the config file may have been changed in a way that sed may produce unwanted results. It can be mitigated by configuring engines in a separate file, so only that file needs to be changed. It will have a nice effect, that a feed-installed engine can configure itself without needing a config section added to the openssl-conf package. Another option, which may be the easiest and safest, is to use your approach, but only uncomment the engines built into the firmware (=y), and not the ones built as modules. Cheers, Eneas ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] package: openssl: Enable built engines per default
On Fri, Apr 23, 2021 at 3:11 AM Florian Eckert wrote:
> How about if we create a uci default script and check on the running
> system what is installed?
> And then we could generate a file and add or remove an include line form
> the openssl.cnf [1]?
Hi Florian, Daniel
I think we can manage something like that. The .include option can
load all files in a directory (/etc/ssl/engines.d/), and won't fail if
there aren't any files--the directory itself must exist. Each engine
package can install its own file there, ahd have a post-install script
that adds a line to an "engines.cnf" file if there isn't any:
add_engine() {
# $1 = engine name (engine .so file without the .so extension)
grep -q "$1=$1" /etc/ssl/engines.d/engines.cnf && return
echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
}
/etc/ssl/engines.d/engines.cnf would start out with just the [engines]
header and some comments explaining its use and warning not to edit
something that would break things.
What do you think?
Cheers,
Eneas
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] package: openssl: Enable built engines per default
> >> How about if we create a uci default script and check on the running
> >> system what is installed?
> >> And then we could generate a file and add or remove an include line
> >> form
> >> the openssl.cnf [1]?
> >
> > I think we can manage something like that. The .include option can
> > load all files in a directory (/etc/ssl/engines.d/), and won't fail if
> > there aren't any files--the directory itself must exist. Each engine
> > package can install its own file there, ahd have a post-install script
> > that adds a line to an "engines.cnf" file if there isn't any:
> >
> > add_engine() {
> > # $1 = engine name (engine .so file without the .so extension)
> > grep -q "$1=$1" /etc/ssl/engines.d/engines.cnf && return
> > echo "$1=$1" >> /etc/ssl/engines.d/engines.cnf
> > }
> >
> > /etc/ssl/engines.d/engines.cnf would start out with just the [engines]
> > header and some comments explaining its use and warning not to edit
> > something that would break things.
> >
> > What do you think?
>
> The plan sounds good :+1:
>
Hi
I'm testing that proposal, and it's almost ready. I've expanded it to
use uci to enable/disable the engines, but I'm still running tests to
catch corner cases. I am not able to test the padlock engine, but its
usage should be like devcrypto. Afalg is more complicated if built
into the library, because openssl does not initialize it like other
builtin engines. There's no way to configure it for general use when
built that way.
Cheers,
Eneas
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list. - the sencond implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages. - the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed. The first commit received basic testing on mvebu running master, covering afalg and devcrpto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds. I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package. I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 42 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ .../libs/openssl/files/openssl-engines.init | 19 package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 20 files changed, 213 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/openssl-engines.init create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. All patches were refreshed. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 30 -- package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 17 files changed, 114 insertions(+), 123 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..69616f01e8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install @@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./fi
[PATCH 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 69616f01e8..238f7ecf02 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description @@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO), + $(CP) ./files/
[PATCH 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:
config engine 'devcrypto'
option enabled '1'
Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.
The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Signed-off-by: Eneas U de Queiroz
---
package/libs/openssl/Makefile | 13 +++--
package/libs/openssl/engine.mk| 58 +++
.../libs/openssl/files/openssl-engines.init | 19 ++
package/libs/openssl/files/openssl.init | 31 ++
.../150-openssl.cnf-add-engines-conf.patch| 5 +-
5 files changed, 70 insertions(+), 56 deletions(-)
create mode 100644 package/libs/openssl/files/openssl-engines.init
create mode 100755 package/libs/openssl/files/openssl.init
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=k
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+ $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
$(1)/etc/init.d/openssl
+ touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
- echo devcrypto=devcrypto >>
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
- echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
endef
define Package/openssl-util/install
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..efa46d7214 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,20 @@ define Package/openssl/add-engine
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
- Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
- opkg install --force-reinstall libopenssl-conf
- EOF
-cat <<- EOF
+if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null; then
+cat << EOF >> "{OPENSSL_UCI}"
- Then, you will have to reinstall this package, and any other engine
package you have
- you have previously installed to ensure they are enabled:
-
- opkg install --force-reinstall $$(OSSL_ENG_PKG)
[OTHER_ENGINE_PKG]...
-
- EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e "ERROR: File {OPENSSL_CNF} not found."
-error_out reinstall
-fi
-if ! grep -q "^.include /etc/ssl/engines.cnf.d" "{OPENSSL_CNF}"; then
-cat <<- EOF
- Your /etc/ssl/openssl.cnf file is not loading engine configuration
files from
- /etc/ssl/engines.cnf.d. Yo
Re: [PATCH 3/3] openssl: configure engines with uci
Hi Florian
On Thu, Apr 29, 2021 at 3:44 AM Florian Eckert wrote:
> > $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
> > $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
>
> I think AFALG is missing there?
>
As I mentioned in the earlier thread, builtin AFALG is weird. If I
enable it in openssl.cnf, it will always look for afalg.so, and will
fail. I think it was on oversight, but AFALG is not part of
OPENSSL_INIT_ENGINE_ALL_BUILTIN [1], so it will not be enabled by
default, unless you call
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_AFALG, NULL). The AFALG
engine does not have any control commands, so configuration is a noop
anyway.
[1]
https://github.com/openssl/openssl/blob/0f077b5fd86e2df0b41608fbd5684fa1a2b58f59/include/openssl/crypto.h.in#L452
> > endef
> > @@ -378,15 +377,17 @@ define Package/libopenssl/install
> > endef
> >
> > define Package/libopenssl-conf/install
> > - $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
> > + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
> > $(1)/etc/init.d
> > $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
> > - $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
> > + $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
> > + $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
> > $(1)/etc/init.d/openssl
>
> I do not understand that waht you are doing there.
ENGINES_DIR is where the engine so files are stored. It is versioned,
so it is stored in a variable in engine.mk. I'm just setting it in
/etc/init.d/openssl, from ./files/openssl.init#3:
ENGINES_DIR="%ENGINES_DIR%"
The final result, installed in /etc/init.d/openssl#3 is:
ENGINES_DIR="/usr/lib/engines-1.1"
> > $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
> > $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
> > - echo padlock=padlock >>
> > $(1)/etc/ssl/engines.cnf.d/engines.cnf)
> > + echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
> > $(1)/etc/config/openssl)
>
> What about AFALG?
The same explanation above fits here.
> > #!/bin/sh
> > +OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
> > +if [ -n "{IPKG_INSTROOT}" ] || ! uci -q get openssl.$(1) >/dev/null;
> > then
> > +cat << EOF >> "{OPENSSL_UCI}"
> > +config engine '$(1)'
> > + option enabled '1'
> > +EOF
>
> From my point of view, I think it would be better if we used the uci cli
> command directly here.
> to add the config engine section and enable this engine.
However, uci is not available when the package is installed by the
buildsystem, such as when building the firmware image. That's why I
always check for $IPKG_INSTROOT before calling any commands available
in the target only, as seen above.
>
> > fi
> > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
> >endef
> >
> > - define Package/$$(OSSL_ENG_PKG)/prerm :=
> > + define Package/$$(OSSL_ENG_PKG)/postrm :=
> > #!/bin/sh
> > -ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
> > -[ -f "{ENGINES_CNF}" ] || exit 0
> > -sed -e '/$(1)=$(1)/d' -i "{ENGINES_CNF}"
> > +[ -z "{IPKG_INSTROOT}" ] && /etc/init.d/openssl reload
>
> Should we not also remove the uci option on an uninstall wit the uci
> command?
>
I'll change this. My idea was to save the configuration, if user
later reinstall the package. However, since the %ENGINE%.cnf file is
not removed, then openssl will try to enable the removed engine and
fail.
> > +++ b/package/libs/openssl/files/openssl-engines.init
> > @@ -0,0 +1,19 @@
> > +#!/bin/sh /etc/rc.common
>
> Is the init script also switched on at the first boot?
> So that the service runs immediately?
> Not that the service has to be switched on in /etc/rc.d/ first - that
> would be unpleasant.
Yes, it is: file
build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl
build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/root-mvebu/etc/rc.d/S13openssl:
symbolic link to ../init.d/openssl
>
> > +
> > +START=05
> > +OSSL_ENGINES_CNF="/etc/ssl/engines.cnf.d/engines.cnf"
> > +
> > +enable_engine() {
> > + echo "$1=$1" >> "${OSSL_ENGINES_CNF}"
>
> The writing happens here on the persistent storage at every boot!
> This is not so good for embedded target with FLASH.
> It would be better to write this to the tmp.
>
This file, along with engines.cnf were left over from a previous idea,
and not are not used. I will take care of them in the v2. The list
is actually saved in /var/etc/ssl/engines.cnf.
> > + config_list_foreach openssl.openssl[0] engines enable_engine
>
> How about the named uci section globals
> config openssl globals
>
This is also part of the leftover file.
I've spotted a missing fix for the postinst/postrm scripts that were
failing when building the final image. I'll send a v2 in a bit.
Thanks for the review!
Eneas
___
openwrt-dev
[PATCH v2 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list. - the sencond implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages. - the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed. The first commit received basic testing on mvebu running master, covering afalg and devcrpto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds. I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package. I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Changelog: v1->v2: - fixed postinst & postrm logic that was failing when building the final image - deleted engine uci section when removing the package - removed extra files leftover from previous development versions Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 46 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ .../libs/openssl/files/openssl-engines.init | 19 package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 20 files changed, 217 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/openssl-engines.init create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v2 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:
config engine 'devcrypto'
option enabled '1'
Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.
The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2:
- fixed postinst & postrm logic that was failing when building the final
image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions
package/libs/openssl/Makefile | 13 ++--
package/libs/openssl/engine.mk| 60 ---
.../libs/openssl/files/openssl-engines.init | 19 ++
package/libs/openssl/files/openssl.init | 31 ++
.../150-openssl.cnf-add-engines-conf.patch| 5 +-
5 files changed, 73 insertions(+), 55 deletions(-)
create mode 100644 package/libs/openssl/files/openssl-engines.init
create mode 100755 package/libs/openssl/files/openssl.init
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=k
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+ $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
$(1)/etc/init.d/openssl
+ touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
- echo devcrypto=devcrypto >>
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
- echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
endef
define Package/openssl-util/install
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
- Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
- opkg install --force-reinstall libopenssl-conf
- EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
- Then, you will have to reinstall this package, and any other engine
package you have
- you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
- opkg install --force-reinstall $$(OSSL_ENG_PKG)
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+ option enabled '1'
+EOF
- EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [ ! -f "{OPENSSL_CNF}" ]; then
-echo -e &q
[PATCH v2 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. All patches were refreshed. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged package/libs/openssl/Makefile | 30 -- package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 17 files changed, 114 insertions(+), 123 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..69616f01e8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install @@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR
[PATCH v2 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 69616f01e8..238f7ecf02 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description @@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_ENGINE_BUILTI
[PATCH v3 0/3] Engine configuration series
This series builds upon what was first started by Daniel Danzberger, with some suggestions by Florian Eckert to enable the engines when they are installed. The series split is subject to discussion: - the first commit does a patch cleanup proposed by Rosen Penev, and also splits the configuration from one monolithic file to one file per engine, and also an engines list. - the sencond implements my first proposal, of enabling engines during their installation. It introduces an engine.mk file that provides menu placement, basic dependencies and the postinst, postrm functions for engine packages, and can be used for out of tree engine packages. - the third commit introduces uci configuration, and does the engines list generation during startup, or when an engine package is installed or removed. The first commit received basic testing on mvebu running master, covering afalg and devcrpto engines built as modules. The second and third commits had testing expanded to checking built-in engine builds. I have not squashed the commits, but I do think that 2 and 3 may be squashed if 3 is merged. The first one is just cleanup, and the second adds complexity that ended up being removed by the third commit. Nonetheless, all of them result in a working package. I thought about expanding uci support to include other configuration commands, but it would drop the documentation provided by the current config files. Besides, each engine has its own options, which would add complexity to config generation if you are to actually verify them. Passing unknown commands straight from uci to the config files would be simple and work, but it would be hard to find what options are available, compared to just reading the example configs provided otherwise. openssl engine -vv would show the commands, with some basic description of them, but getting the supported arguments may not be straightforward. For example, gost engine has "CRYPT_PARAMS: OID of default GOST 28147-89 parameters". All I could do to help was to point to a header file where the actual list of supported parameters is defined. After this is merged, I will adapt the two engines in the packages feed. Changelog: v1->v2: - fixed postinst & postrm logic that was failing when building the final image - deleted engine uci section when removing the package - removed extra files leftover from previous development versions v2->v3: - actually removed the extra files that I had promised in v2 Eneas U de Queiroz (3): openssl: config engines in /etc/ssl/engines.cnf.d openssl: configure engine packages during install openssl: configure engines with uci package/libs/openssl/Makefile | 55 +- package/libs/openssl/engine.mk| 46 package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/openssl.init | 31 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 100 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 18 files changed, 191 insertions(+), 140 deletions(-) create mode 100644 package/libs/openssl/engine.mk create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100755 package/libs/openssl/files/openssl.init create mode 100644 package/libs/openssl/files/padlock.cnf ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v3 1/3] openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. All patches were refreshed. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged v2->v3: unchanged package/libs/openssl/Makefile | 30 -- package/libs/openssl/files/afalg.cnf | 32 ++ package/libs/openssl/files/devcrypto.cnf | 31 ++ package/libs/openssl/files/engines.cnf| 7 ++ package/libs/openssl/files/padlock.cnf| 3 + .../patches/100-Configure-afalg-support.patch | 3 +- .../openssl/patches/110-openwrt_targets.patch | 3 +- .../120-strip-cflags-from-binary.patch| 3 +- .../patches/130-dont-build-tests-fuzz.patch | 3 +- .../patches/140-allow-prefer-chacha20.patch | 4 +- .../150-openssl.cnf-add-engines-conf.patch| 101 +++--- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 3 +- ..._devcrypto-add-configuration-options.patch | 5 +- ...ypto-add-command-to-dump-driver-info.patch | 3 +- ...o-make-the-dev-crypto-engine-dynamic.patch | 4 - ...default-to-not-use-digests-in-engine.patch | 1 - ...to-ignore-error-when-closing-session.patch | 1 - 17 files changed, 114 insertions(+), 123 deletions(-) create mode 100644 package/libs/openssl/files/afalg.cnf create mode 100644 package/libs/openssl/files/devcrypto.cnf create mode 100644 package/libs/openssl/files/engines.cnf create mode 100644 package/libs/openssl/files/padlock.cnf diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 7ab4c6ccd0..69616f01e8 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,7 +11,7 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 ENGINES_DIR=engines-1.1 @@ -146,7 +146,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" @@ -163,7 +163,8 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to configure the engine in /etc/ssl/openssl.cnf +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may +configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" @@ -179,7 +180,7 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to configure it in /etc/ssl/openssl.cnf. +To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -376,8 +377,9 @@ define Package/libopenssl/install endef define Package/libopenssl-conf/install - $(INSTALL_DIR) $(1)/etc/ssl + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ + $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/openssl-util/install @@ -386,18 +388,24 @@ define Package/openssl-util/install endef define Package/libopenssl-afalg/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/afalg.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DATA) ./files/afalg.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/libopenssl-devcrypto/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devcrypto.so $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d \ + $(1)/usr/lib/$(ENGINES_DIR) + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/devc
[PATCH v3 2/3] openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz --- Changelog: v1->v2: unchanged v2->v3: unchanged package/libs/openssl/Makefile | 58 + package/libs/openssl/engine.mk| 82 +++ package/libs/openssl/files/engines.cnf| 12 +-- .../150-openssl.cnf-add-engines-conf.patch| 2 +- 4 files changed, 111 insertions(+), 43 deletions(-) create mode 100644 package/libs/openssl/engine.mk diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 69616f01e8..238f7ecf02 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -11,9 +11,8 @@ PKG_NAME:=openssl PKG_BASE:=1.1.1 PKG_BUGFIX:=k PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_USE_MIPS16:=0 -ENGINES_DIR=engines-1.1 PKG_BUILD_PARALLEL:=1 @@ -65,6 +64,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_OPENSSL_WITH_WHIRLPOOL include $(INCLUDE_DIR)/package.mk +include engine.mk ifneq ($(CONFIG_CCACHE),) HOSTCC=$(HOSTCC_NOCACHE) @@ -128,6 +128,9 @@ endef define Package/libopenssl-conf/conffiles /etc/ssl/openssl.cnf +/etc/ssl/engines.cnf.d/engines.cnf +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf) +$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf) endef define Package/libopenssl-conf/description @@ -135,52 +138,50 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +$(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=AFALG hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @KERNEL_AIO \ - +PACKAGE_libopenssl-afalg:kmod-crypto-user +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @KERNEL_AIO +PACKAGE_libopenssl-afalg:kmod-crypto-user \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef +$(eval $(call Package/openssl/add-engine,devcrypto)) define Package/libopenssl-devcrypto $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=/dev/crypto hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE +PACKAGE_libopenssl-devcrypto:kmod-cryptodev +libopenssl-conf \ - @!OPENSSL_ENGINE_BUILTIN + DEPENDS += +PACKAGE_libopenssl-devcrypto:kmod-cryptodev @!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. You may -configure the engine by editing /etc/ssl/engines.cnf.d/devcrypto.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef +$(eval $(call Package/openssl/add-engine,padlock)) define Package/libopenssl-padlock $(call Package/openssl/Default) - SUBMENU:=SSL + $(call Package/openssl/engine/Default) TITLE:=VIA Padlock hardware acceleration engine - DEPENDS:=libopenssl @OPENSSL_ENGINE @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ - +libopenssl-conf @!OPENSSL_ENGINE_BUILTIN + DEPENDS += @TARGET_x86 +PACKAGE_libopenssl-padlock:kmod-crypto-hw-padlock \ +@!OPENSSL_ENGINE_BUILTIN endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -To use it, you need to enable the engine in /etc/ssl/engines.cnf.d/engines.cnf. See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" @@ -380,6 +381,12 @@ define Package/libopenssl-conf/install $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/ $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/ + $(if $(CONFIG_OPENSSL_E
[PATCH v3 3/3] openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:
config engine 'devcrypto'
option enabled '1'
Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.
The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2:
- fixed postinst & postrm logic that was failing when building the final
image
- deleted engine uci section when removing the package
- removed extra files leftover from previous development versions
v2->v3:
- actually removed the extra files that I had promised in v2
package/libs/openssl/Makefile | 13 ++--
package/libs/openssl/engine.mk| 60 ---
package/libs/openssl/files/engines.cnf| 7 ---
package/libs/openssl/files/openssl.init | 31 ++
.../150-openssl.cnf-add-engines-conf.patch| 5 +-
5 files changed, 54 insertions(+), 62 deletions(-)
delete mode 100644 package/libs/openssl/files/engines.cnf
create mode 100755 package/libs/openssl/files/openssl.init
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 238f7ecf02..0bf9e7a45f 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -11,7 +11,7 @@ PKG_NAME:=openssl
PKG_BASE:=1.1.1
PKG_BUGFIX:=k
PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_USE_MIPS16:=0
PKG_BUILD_PARALLEL:=1
@@ -128,7 +128,6 @@ endef
define Package/libopenssl-conf/conffiles
/etc/ssl/openssl.cnf
-/etc/ssl/engines.cnf.d/engines.cnf
$(if
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
$(if CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
endef
@@ -378,15 +377,17 @@ define Package/libopenssl/install
endef
define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d
+ $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config
$(1)/etc/init.d
$(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
- $(CP) ./files/engines.cnf $(1)/etc/ssl/engines.cnf.d/
+ $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
+ $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!'
$(1)/etc/init.d/openssl
+ touch $(1)/etc/config/openssl
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
$(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
- echo devcrypto=devcrypto >>
$(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "config engine 'devcrypto'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
$(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
- echo padlock=padlock >> $(1)/etc/ssl/engines.cnf.d/engines.cnf)
+ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >>
$(1)/etc/config/openssl)
endef
define Package/openssl-util/install
diff --git a/package/libs/openssl/engine.mk b/package/libs/openssl/engine.mk
index 482b5ad5e8..973a989904 100644
--- a/package/libs/openssl/engine.mk
+++ b/package/libs/openssl/engine.mk
@@ -23,60 +23,24 @@ define Package/openssl/add-engine
define Package/$$(OSSL_ENG_PKG)/postinst :=
#!/bin/sh
-# 1 == non-empty: suggest reinstall
-error_out() {
-[ "$1" ] && cat <<- EOF
- Reinstalling the libopenssl-conf package may fix this:
+OPENSSL_UCI="{IPKG_INSTROOT}/etc/config/openssl"
- opkg install --force-reinstall libopenssl-conf
- EOF
-cat <<- EOF
+[ -z "{IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0
- Then, you will have to reinstall this package, and any other engine
package you have
- you have previously installed to ensure they are enabled:
+cat << EOF >> "{OPENSSL_UCI}"
- opkg install --force-reinstall $$(OSSL_ENG_PKG)
[OTHER_ENGINE_PKG]...
+config engine '$(1)'
+ option enabled '1'
+EOF
- EOF
-exit 1
-}
-ENGINES_CNF="{IPKG_INSTROOT}/etc/ssl/engines.cnf.d/engines.cnf"
-OPENSSL_CNF="{IPKG_INSTROOT}/etc/ssl/openssl.cnf"
-if [
[PATCH 0/2] Bump WolfSSL and libtool
WolfSSL has decided it needs at least libtool 2.4.2 to build. From
their commit 92854a5dd message:
advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current
automated testing coverage.
We could easily patch our way out of it, but I decided to try the
upgrade first. It appears to work just fine. I've just rebuilt the
whole tree for my Linksys E8450 (mt7622), and tested the WolfSSL update
with hostapd and uhttpd. I've had no hickups, but of course ymmv.
My major concern while bumping a core building tool was how it could
affect the changes we have in place. I've looked at both our patches,
and at what was changed upstream.
The major changes were related to getting the gnulib sources from git,
and refreshing them when running bootstrap. Since we are applying
patches, getting fresh copies are not viable, but there's a command-line
option to avoid doing it.
I'm not so sure what to do about 21.02.
1. Patch WolfSSL to accept building with libtool 2.4;
2. Bump libtool to 2.4.2: 11 *relevant* files changed from 2.4,
424 insertions(+), 198 deletions(-).
This was before the gnulib changes. For a comparison, there are
71 files changed, 17143 insertions(+), 5697 deletions(-), when going
from 2.4 to 2.4.6.
3. Bump both to keep in sync with master.
My vote: do 1 now, and wait for possible fallout from master. Then,
perhaps try to keep them in sync, at the following point release.
Cheers
Eneas U de Queiroz (2):
libtool: bump to 2.4.6
wolfssl: bump to v4.8.0-stable
package/libs/wolfssl/Makefile | 6 +-
tools/libtool/Makefile| 11 +-
tools/libtool/patches/000-relocatable.patch | 108 ++---
.../libtool/patches/001-fix-func_append.patch | 22 --
tools/libtool/patches/100-libdir-fixes.patch | 97 +++-
...10-dont-use-target-dir-for-relinking.patch | 51 ++--
.../120-strip-unsafe-dirs-for-relinking.patch | 36 +--
...ingslash.patch => 130-trailingslash.patch} | 33 +--
...140-don-t-quote-SHELL-in-Makefile.am.patch | 72 ++
...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
.../libtool/patches/160-passthrough-ssp.patch | 12 -
.../patches/200-openwrt-branding.patch| 134 ++-
12 files changed, 447 insertions(+), 359 deletions(-)
delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
rename tools/libtool/patches/{150-trailingslash.patch =>
130-trailingslash.patch} (57%)
create mode 100644
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
create mode 100644
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH 2/2] wolfssl: bump to v4.8.0-stable
Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including this vulnerability: * [Low] OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 0c95288a2a..38c284ec5d 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.8.0-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=72c22efcdab0f18f9b0bb45621c213144f88b4a9e9b9cc06878b47744e058885 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH 1/2] libtool: bump to 2.4.6
This updates libtool to its current release, from 2015. Current patches
were renumbered and given a description text. The fix in
160-passthrough-ssp.patch is no longer needed.
A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to acommodate
our "SHELL=/usr/bin/env bash" usage.
The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources. Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.
Signed-off-by: Eneas U de Queiroz
---
tools/libtool/Makefile| 11 +-
tools/libtool/patches/000-relocatable.patch | 108 ++---
.../libtool/patches/001-fix-func_append.patch | 22 --
tools/libtool/patches/100-libdir-fixes.patch | 97 +++-
...10-dont-use-target-dir-for-relinking.patch | 51 ++--
.../120-strip-unsafe-dirs-for-relinking.patch | 36 +--
...ingslash.patch => 130-trailingslash.patch} | 33 +--
...140-don-t-quote-SHELL-in-Makefile.am.patch | 72 ++
...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
.../libtool/patches/160-passthrough-ssp.patch | 12 -
.../patches/200-openwrt-branding.patch| 134 ++-
11 files changed, 444 insertions(+), 356 deletions(-)
delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
rename tools/libtool/patches/{150-trailingslash.patch =>
130-trailingslash.patch} (57%)
create mode 100644
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
create mode 100644
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch
diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index dd4a7f6380..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libtool
PKG_CPE_ID:=cpe:/a:gnu:libtool
-PKG_VERSION:=2.4
+PKG_VERSION:=2.4.6
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=afcce660d3dc54c63a0a5ba3cf05272239dc3c54bbeba20f6bad250f9dc007ae
+PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
HOST_BUILD_PARALLEL:=1
@@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \
define Host/Prepare
$(call Host/Prepare/Default)
(cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4
lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4)
- (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap)
+ $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release;
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+endef
+
+define Host/Configure
+ $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release;
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+ $(call Host/Configure/Default)
endef
define Host/Install
diff --git a/tools/libtool/patches/000-relocatable.patch
b/tools/libtool/patches/000-relocatable.patch
index 55265fe533..88d1eaed02 100644
--- a/tools/libtool/patches/000-relocatable.patch
+++ b/tools/libtool/patches/000-relocatable.patch
@@ -1,46 +1,24 @@
a/libltdl/config/general.m4sh
-+++ b/libltdl/config/general.m4sh
-@@ -45,15 +45,22 @@ progpath="$0"
- M4SH_VERBATIM([[
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
--: ${EGREP="@EGREP@"}
--: ${FGREP="@FGREP@"}
--: ${GREP="@GREP@"}
- : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR="mkdir"}
- : ${MV="mv -f"}
- : ${RM="rm -f"}
--: ${SED="@SED@"}
-+if test -n "$STAGING_DIR"; then
-+ : ${EGREP="$STAGING_DIR/../host/bin/grep -E"}
-+ : ${FGREP="$STAGING_DIR/../host/bin/grep -F"}
-+ : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+ : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+ : ${EGREP="@EGREP@"}
-+ : ${FGREP="@FGREP@"}
-+ : ${GREP="@GREP@"}
-+ : ${SED="@SED@"}
-+fi
- : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
- : ${Xsed="$SED -e 1s/^X//"}
-
+From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz
+Date: Tue, 20 Jul 2021 16:41:11 -0300
+Subject: openwrt: make relocatable, search resources relative to STAGING_DIR
+
+This was originally commited to openwrt by Jo-Philipp Wich
+.
+
+(adjusted to v2.4.6)
+Signed-off-by: Eneas U de Queiroz
+
--- a/libtoolize.in
+++ b/libtoolize.in
-@@ -326,15 +326,22 @@ as_unset=as_fn_unset
+@@ -40,11 +40,18 @@
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+ : ${AUTOCONF="autoconf"}
+ : ${AUTOMAKE="automake"}
-: ${EGREP="@EGREP@"}
-: ${FGREP="@FGREP@"}
-:
[PATCH v2 0/2] Bump WolfSSL and libtool
v1->v2: WolfSSL was updated from 4.8.0, in the original series, to
4.8.1 due to a high-risk vulnerability. Patches were refreshed.
WolfSSL has decided it needs at least libtool 2.4.2 to build. From
their commit 92854a5dd message:
advance LT_PREREQ from 2.2 (2008) to 2.4.2 (2011) to reflect current
automated testing coverage.
We could easily patch our way out of it, but I decided to try the
upgrade first. It appears to work just fine. I've just rebuilt the
whole tree for my Linksys E8450 (mt7622), and tested the WolfSSL update
with hostapd and uhttpd. I've had no hickups, but of course ymmv.
My major concern while bumping a core building tool was how it could
affect the changes we have in place. I've looked at both our patches,
and at what was changed upstream.
The major changes were related to getting the gnulib sources from git,
and refreshing them when running bootstrap. Since we are applying
patches, getting fresh copies are not viable, but there's a command-line
option to avoid doing it.
I'm not so sure what to do about 21.02.
1. Patch WolfSSL to accept building with libtool 2.4;
2. Bump libtool to 2.4.2: 11 *relevant* files changed from 2.4,
424 insertions(+), 198 deletions(-).
This was before the gnulib changes. For a comparison, there are
71 files changed, 17143 insertions(+), 5697 deletions(-), when going
from 2.4 to 2.4.6.
3. Bump both to keep in sync with master.
My vote: do 1 now, and wait for possible fallout from master. Then,
perhaps try to keep them in sync, at the following point release.
Cheers
Eneas U de Queiroz (2):
libtool: bump to 2.4.6
wolfssl: bump to v4.8.1-stable
package/libs/wolfssl/Makefile | 6 +-
.../patches/100-disable-hardening-check.patch | 2 +-
.../libs/wolfssl/patches/200-ecc-rng.patch| 4 +-
tools/libtool/Makefile| 11 +-
tools/libtool/patches/000-relocatable.patch | 108 ++---
.../libtool/patches/001-fix-func_append.patch | 22 --
tools/libtool/patches/100-libdir-fixes.patch | 97 +++-
...10-dont-use-target-dir-for-relinking.patch | 51 ++--
.../120-strip-unsafe-dirs-for-relinking.patch | 36 +--
...ingslash.patch => 130-trailingslash.patch} | 33 +--
...140-don-t-quote-SHELL-in-Makefile.am.patch | 72 ++
...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
.../libtool/patches/160-passthrough-ssp.patch | 12 -
.../patches/200-openwrt-branding.patch| 134 ++-
14 files changed, 450 insertions(+), 362 deletions(-)
delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
rename tools/libtool/patches/{150-trailingslash.patch =>
130-trailingslash.patch} (57%)
create mode 100644
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
create mode 100644
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v2 2/2] wolfssl: bump to v4.8.1-stable
Release 4.8.1 of wolfSSL embedded TLS has bug fixes and new features including this vulnerability: * [high] OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert. * [Low] OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. (fixed in 4.8.0) Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 6 +++--- .../libs/wolfssl/patches/100-disable-hardening-check.patch | 2 +- package/libs/wolfssl/patches/200-ecc-rng.patch | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 0c95288a2a..6ef80e88a9 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.8.1-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index c89ff1be9d..4141e28750 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ; +@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch index 2d33c06209..d8581be7eb 100644 --- a/package/libs/wolfssl/patches/200-ecc-rng.patch +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c -@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void) +@@ -10938,21 +10938,21 @@ void wc_ecc_fp_free(void) #endif /* FP_ECC */ @@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h -@@ -584,10 +584,8 @@ WOLFSSL_API +@@ -616,10 +616,8 @@ WOLFSSL_API void wc_ecc_fp_free(void); WOLFSSL_LOCAL void wc_ecc_fp_init(void); ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH v2 1/2] libtool: bump to 2.4.6
This updates libtool to its current release, from 2015. Current patches
were renumbered and given a description text. The fix in
160-passthrough-ssp.patch is no longer needed.
A patch to speed up build was cherry-picked, and another openwrt
specific patch was needed to not use quotes in $(SHELL), to acommodate
our "SHELL=/usr/bin/env bash" usage.
The already present call to ./bootstrap ensures that generated files are
refreshed, so the patches are applied only to their sources. Also, that
bootstrap call was adjusted to run at the appropriate time when QUILT=1.
Signed-off-by: Eneas U de Queiroz
---
tools/libtool/Makefile| 11 +-
tools/libtool/patches/000-relocatable.patch | 108 ++---
.../libtool/patches/001-fix-func_append.patch | 22 --
tools/libtool/patches/100-libdir-fixes.patch | 97 +++-
...10-dont-use-target-dir-for-relinking.patch | 51 ++--
.../120-strip-unsafe-dirs-for-relinking.patch | 36 +--
...ingslash.patch => 130-trailingslash.patch} | 33 +--
...140-don-t-quote-SHELL-in-Makefile.am.patch | 72 ++
...itigate-the-sed_quote_subst-slowdown.patch | 224 ++
.../libtool/patches/160-passthrough-ssp.patch | 12 -
.../patches/200-openwrt-branding.patch| 134 ++-
11 files changed, 444 insertions(+), 356 deletions(-)
delete mode 100644 tools/libtool/patches/001-fix-func_append.patch
rename tools/libtool/patches/{150-trailingslash.patch =>
130-trailingslash.patch} (57%)
create mode 100644
tools/libtool/patches/140-don-t-quote-SHELL-in-Makefile.am.patch
create mode 100644
tools/libtool/patches/150-libtool-mitigate-the-sed_quote_subst-slowdown.patch
delete mode 100644 tools/libtool/patches/160-passthrough-ssp.patch
diff --git a/tools/libtool/Makefile b/tools/libtool/Makefile
index dd4a7f6380..b237884b64 100644
--- a/tools/libtool/Makefile
+++ b/tools/libtool/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libtool
PKG_CPE_ID:=cpe:/a:gnu:libtool
-PKG_VERSION:=2.4
+PKG_VERSION:=2.4.6
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=afcce660d3dc54c63a0a5ba3cf05272239dc3c54bbeba20f6bad250f9dc007ae
+PKG_HASH:=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
HOST_BUILD_PARALLEL:=1
@@ -24,7 +24,12 @@ HOST_CONFIGURE_VARS += \
define Host/Prepare
$(call Host/Prepare/Default)
(cd $(STAGING_DIR_HOST)/share/aclocal/ && rm -f libtool.m4 ltdl.m4
lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4)
- (cd $(HOST_BUILD_DIR); $(AM_TOOL_PATHS) ./bootstrap)
+ $(if $(QUILT),,(cd $(HOST_BUILD_DIR); touch README-release;
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+endef
+
+define Host/Configure
+ $(if $(QUILT),(cd $(HOST_BUILD_DIR); touch README-release;
$(AM_TOOL_PATHS) ./bootstrap --skip-git --skip-po --force))
+ $(call Host/Configure/Default)
endef
define Host/Install
diff --git a/tools/libtool/patches/000-relocatable.patch
b/tools/libtool/patches/000-relocatable.patch
index 55265fe533..88d1eaed02 100644
--- a/tools/libtool/patches/000-relocatable.patch
+++ b/tools/libtool/patches/000-relocatable.patch
@@ -1,46 +1,24 @@
a/libltdl/config/general.m4sh
-+++ b/libltdl/config/general.m4sh
-@@ -45,15 +45,22 @@ progpath="$0"
- M4SH_VERBATIM([[
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
--: ${EGREP="@EGREP@"}
--: ${FGREP="@FGREP@"}
--: ${GREP="@GREP@"}
- : ${LN_S="@LN_S@"}
- : ${MAKE="make"}
- : ${MKDIR="mkdir"}
- : ${MV="mv -f"}
- : ${RM="rm -f"}
--: ${SED="@SED@"}
-+if test -n "$STAGING_DIR"; then
-+ : ${EGREP="$STAGING_DIR/../host/bin/grep -E"}
-+ : ${FGREP="$STAGING_DIR/../host/bin/grep -F"}
-+ : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+ : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+ : ${EGREP="@EGREP@"}
-+ : ${FGREP="@FGREP@"}
-+ : ${GREP="@GREP@"}
-+ : ${SED="@SED@"}
-+fi
- : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
- : ${Xsed="$SED -e 1s/^X//"}
-
+From ca10caa502f971f90d8c041aa2476de54ef0ce2b Mon Sep 17 00:00:00 2001
+From: Eneas U de Queiroz
+Date: Tue, 20 Jul 2021 16:41:11 -0300
+Subject: openwrt: make relocatable, search resources relative to STAGING_DIR
+
+This was originally commited to openwrt by Jo-Philipp Wich
+.
+
+(adjusted to v2.4.6)
+Signed-off-by: Eneas U de Queiroz
+
--- a/libtoolize.in
+++ b/libtoolize.in
-@@ -326,15 +326,22 @@ as_unset=as_fn_unset
+@@ -40,11 +40,18 @@
- : ${CP="cp -f"}
- test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+ : ${AUTOCONF="autoconf"}
+ : ${AUTOMAKE="automake"}
-: ${EGREP="@EGREP@"}
-: ${FGREP="@FGREP@"}
-:
[PATCH] ethtool: fix recursive dependency
Change the CONFLICTS definition from the alternative package (ethtool-full) to the main one. The CONFLICTS line creates a dependency to the conflicting package. Right now, the dependency would be created in the PACKAGE_ethtool-full symbol: config PACKAGE_ethtool-full depends on m || (PACKAGE_ethtool != y) When the main package is selected by airmon-ng, it selects PACKAGE_ethtool, *depending* on the value of PACKAGE_ethtool-full: config PACKAGE_airmon-ng select PACKAGE_ethtool if PACKAGE_ethtool-full --- package/network/utils/ethtool/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/package/network/utils/ethtool/Makefile b/package/network/utils/ethtool/Makefile index a82e5c92fa..9889677a16 100644 --- a/package/network/utils/ethtool/Makefile +++ b/package/network/utils/ethtool/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ethtool PKG_VERSION:=5.13 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MAINTAINER:=Felix Fietkau PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz @@ -31,6 +31,7 @@ define Package/ethtool TITLE:=Display or change ethernet card settings URL:=http://www.kernel.org/pub/software/network/ethtool/ VARIANT:=tiny + CONFLICTS:=ethtool-full endef define Package/ethtool-full @@ -38,8 +39,8 @@ define Package/ethtool-full TITLE += (full) VARIANT:=full PROVIDES:=ethtool - CONFLICTS:=ethtool DEPENDS:=+libmnl + CONFLICTS:= endef define Package/ethtool/description ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] download: improve handling of invalid local files
4e19cbc5533: [download: handle possibly invalid local tarballs] added a
FORCE rule to downloaded files, so that they will be always checked by
download.pl.
As a side-effect, check-compile will fail, forcing unnecessary package
rebuilds.
The check-compile.txt log shows (for libxml2 for example):
Considering target file '.../dl/libxml2-2.9.12.tar.gz'.
...
prerequisite 'FORCE' of target '.../dl/libxml2-2.9.12.tar.gz' does
not exist.
Must remake target '.../dl/libxml2-2.9.12.tar.gz'.
...
Giving up on target file '...libxml2-2.9.12/.prepared_...'.
Giving up on target file '...libxml2-2.9.12/.configured_...'.
Giving up on target file '...libxml2-2.9.12/.built'.
Giving up on target file '...stamp/.libxml2_installed'.
Giving up on target file '.compile'.
Then the package is rebuilt even if it is not otherwise needed.
To fix this, instead of always forcing the download target to be remade,
check its hash first: if it matches, then the FORCE is not added.
Signed-off-by: Eneas U de Queiroz
---
include/download.mk | 17 +++--
include/host-build.mk | 2 +-
include/package.mk| 2 +-
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/include/download.mk b/include/download.mk
index 609956b004..76bd374cf7 100644
--- a/include/download.mk
+++ b/include/download.mk
@@ -59,6 +59,21 @@ define dl_tar_pack
{TAR_TIMESTAMP:+--mtime="TAR_TIMESTAMP"} -c $(2) |
$(call dl_pack,$(1))
endef
+gen_sha256sum = $(shell $(MKHASH) sha256 $(DL_DIR)/$(1))
+
+# Used in Build/CoreTargets and HostBuild/Core as an integrity check for
+# downloaded files. It will add a FORCE rule if the sha256 hash does not
+# match, so that the download can be more thoroughly handled by download.pl.
+define check_download_integrity
+ expected_hash:=$(strip $(if $(filter-out x,$(HASH)),$(HASH),$(MIRROR_HASH)))
+ $$(if $$(and $(FILE),$$(wildcard $(DL_DIR)/$(FILE)), \
+ $$(filter undefined,$$(flavor DownloadChecked/$(FILE, \
+$$(eval DownloadChecked/$(FILE):=1) \
+$$(if $$(filter-out $$(call gen_sha256sum,$(FILE)),$$(expected_hash)), \
+ $(DL_DIR)/$(FILE): FORCE) \
+ )
+endef
+
ifdef CHECK
check_escape=$(subst ','\'',$(1))
#')
@@ -74,8 +89,6 @@ else
check_warn = $(if $(filter-out undefined,$(origin F_$(1))),$(filter ,$(shell
$(call F_$(1),$(2),$(3),$(4)) >&2)),$(check_warn_nofix))
endif
-gen_sha256sum = $(shell $(MKHASH) sha256 $(DL_DIR)/$(1))
-
ifdef FIXUP
F_hash_deprecated = $(SCRIPT_DIR)/fixup-makefile.pl $(CURDIR)/Makefile
fix-hash $(3) $(call gen_sha256sum,$(1)) $(2)
F_hash_mismatch = $(F_hash_deprecated)
diff --git a/include/host-build.mk b/include/host-build.mk
index e4a5c48e72..cfa29419aa 100644
--- a/include/host-build.mk
+++ b/include/host-build.mk
@@ -180,7 +180,7 @@ ifndef DUMP
clean-build: host-clean-build
endif
- $(DL_DIR)/$(FILE): FORCE
+ $(call check_download_integrity)
$(_host_target)host-prepare: $(HOST_STAMP_PREPARED)
$(_host_target)host-configure: $(HOST_STAMP_CONFIGURED)
diff --git a/include/package.mk b/include/package.mk
index db0a869dab..55d9352072 100644
--- a/include/package.mk
+++ b/include/package.mk
@@ -183,7 +183,7 @@ define Build/CoreTargets
$(call Build/Autoclean)
$(call DefaultTargets)
- $(DL_DIR)/$(FILE): FORCE
+ $(call check_download_integrity)
download:
$(foreach hook,$(Hooks/Download),
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] openssl: bump to 1.1.1l
This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz --- package/libs/openssl/Makefile| 4 ++-- .../410-eng_devcrypto-add-configuration-options.patch| 5 ++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile index 11e5ecfccb..3f5fe90d9c 100644 --- a/package/libs/openssl/Makefile +++ b/package/libs/openssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl PKG_BASE:=1.1.1 -PKG_BUGFIX:=k +PKG_BUGFIX:=l PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) PKG_RELEASE:=1 PKG_USE_MIPS16:=0 @@ -26,7 +26,7 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 +PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 PKG_LICENSE:=OpenSSL PKG_LICENSE_FILES:=LICENSE diff --git a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch index 8745364cf2..6d0fbfc982 100644 --- a/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch +++ b/package/libs/openssl/patches/410-eng_devcrypto-add-configuration-options.patch @@ -1,4 +1,4 @@ -From 1c2fabcdb34e436286b4a8760cfbfbff11ea551a Mon Sep 17 00:00:00 2001 +From Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Sat, 3 Nov 2018 15:41:10 -0300 Subject: eng_devcrypto: add configuration options @@ -14,7 +14,6 @@ Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7585) diff --git a/crypto/engine/eng_devcrypto.c b/crypto/engine/eng_devcrypto.c -index a2c9a966f7..5ec38ca8f3 100644 --- a/crypto/engine/eng_devcrypto.c +++ b/crypto/engine/eng_devcrypto.c @@ -16,6 +16,7 @@ @@ -558,7 +557,7 @@ index a2c9a966f7..5ec38ca8f3 100644 /** * * LOAD / UNLOAD -@@ -793,6 +1109,8 @@ void engine_load_devcrypto_int() +@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int() if (!ENGINE_set_id(e, "devcrypto") || !ENGINE_set_name(e, "/dev/crypto engine") ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
