ine option
'-Qunused-arguments'
Signed-off-by: Eneas U de Queiroz
---
neheb, or anyone else affected, please test this patch to see if what
I'm claiming is actually true. At least it does not appear to break
compilation in my case ;-)
Compile-tested using a Gentoo host, and mvebu
This enables all OpenSSL API available. It is required to avoid some
silent failures, such as when performing client certificate validation.
Package size increases from 356.6K to 374.7K for
arm_cortex-a9_vfpv3-d16.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/wolfssl/Makefile b
s somewhat misleading,
since it is not a superset of opensslextra.
Eneas
[1] https://github.com/openwrt/packages/issues/14142
Eneas U de Queiroz (2):
wolfssl: add lighty support, skip crypttests
wolfssl: compile with --enable-opensslall
package/libs/wolfss
This adds the --enable-lighty option to configure, enabling the minimum
API needed to run lighttpd, in the packages feed. Size increase is
about 120 bytes for arm_cortex-a9_vfpv3-d16.
While at it, speed up build by disabling crypt bench/test.
Signed-off-by: Eneas U de Queiroz
diff --git a
Using the patch by Pan Chen as inspiration, this avoids a memory leak by
using a global BIO_METHOD pointer that doesn't ordinarily need to be
freed.
CC: Pan Chen
Signed-off-by: Eneas U de Queiroz
---
Run-tested with a WRT-3200ACM, running uclient_fetch and uhttpd.
I have not run it
On Wed, Dec 9, 2020 at 1:45 PM Petr Štetiar wrote:
>
> Eneas U de Queiroz [2020-12-09 13:06:45]:
>
> Hi,
>
> > Using the patch by Pan Chen as inspiration, this avoids a memory leak by
> > using a global BIO_METHOD pointer that doesn't ordinarily need to be
>
On Wed, Dec 9, 2020 at 1:58 PM Daniel Golle wrote:
>
> On Wed, Dec 09, 2020 at 05:44:48PM +0100, Petr Štetiar wrote:
> > Eneas U de Queiroz [2020-12-09 13:06:45]:
> >
> > Hi,
> >
> > > Using the patch by Pan Chen as inspiration, this avoids a memory
Hi Petr
On Wed, Dec 9, 2020 at 6:59 PM Petr Štetiar wrote:
>
> Eneas U de Queiroz [2020-12-09 14:39:06]:
>
> Hi,
>
> > So the answer to your question is because you only allocate the table if
> > methods_ustream is NULL, and it will point to the created table then
Hi Petr
On Thu, Dec 10, 2020 at 12:57 PM Petr Štetiar wrote:
> > After tackling BIO_free, my suggestion would be to determine where the
> > method table variable should go, and where to call BIO_meth_new and
> > BIO_meth_free. I would add it to a defined struct
> > ustream_ssl_ctx--which is now
Fixes: CVE-2020-1971, defined as high severity, summarized as:
NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS
attack.
Signed-off-by: Eneas U de Queiroz
---
This was run-tested in a WRT-3200ACM
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index
tions, size increases from 374.7K to 408.8K for
arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version.
Backported patches were removed; remaining patch was refreshed.
Signed-off-by: Eneas U de Queiroz
---
Run-tested on a Linksys WRT3200ACM (arm) with uhttpd, uclient-fetch, and
+1
I agree 100% with Adrian on this one. Enable by default, add option
to disable. Disabled services are, intuitively, part of the
configuration being saved. So, it should not be saved when '-n' is
given. I may be stretching things a bit, but I would consider this a
fix, not a feature change ;-
On Sun, Jan 31, 2021 at 3:45 PM W. Michael Petullo wrote:
>
> OpenWrt provides two snort packages: snort and snort3. Now that snort3 is
> out of beta, I would like to consider deprecating the snort package. One
> difficulty of maintaining both packages is that a different version of
> the libdaq p
-1-tob...@waldekranz.com/
> Link: https://lore.kernel.org/netdev/20210130134334.10243-1-dqf...@gmail.com/
> Ref: https://gitlab.nic.cz/turris/turris-build/-/issues/165
> Signed-off-by: DENG Qingfang
Tested-by: Eneas U de Queiroz
I have tested this using WRT3200ACM, and it solves the problem
are currently awaiting analysis.
Signed-off-by: Eneas U de Queiroz
---
This was run-tested on a WRT3200ACM (mvebu), using nginx, and wpad, and
openssl-util.
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 714ce2059a..4fb4cb2784 100644
--- a/package/libs/openssl
commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.
Signed-off-by: Eneas U de Queiroz
---
Run tested in WRT3200ACM (mvebu), with and without gost-engine 1.1.0.3.
GOST engine PR: https://github.com/openwrt/packages/pull/14765
Biggest fix for this version is CVE-2021-3336, which has already been
applied here. There are a couple of low severity security bug fixes as
well.
Three patches are no longer needed, and were removed; the one remaining
was refreshed.
Signed-off-by: Eneas U de Queiroz
---
This was run-tested
mpile with -fPIC
Cc: Stijn Tintel
Signed-off-by: Eneas U de Queiroz
---
There's an error on one architecture, and all others work fine without
this, so I'm uneasy changing this and then breaking stuff that was
working fine otherwise. However, it feels wrong to me to generate PIC
co
On Fri, Mar 19, 2021 at 5:08 PM Philip Prindeville
wrote:
>
>
> Maybe I'm missing something, but why not just fix rules.mk:
>
>
> ifneq (,$(findstring $(ARCH) , aarch64 aarch64_be powerpc ))
> FPIC:=-fPIC
> else
> FPIC:=-fpic
> endif
>
> HOST_FPIC:=-fPIC
>
>
> To have the FPIC and HOST_FPIC de
Hi Rosen
This patch does not apply as is, but don't write a v2 yet.
I'm testing the bump to 1.1.1k, and I'll handle it from there, by
using --no-renames with git format-patch. I'm maintaining the patches
at https://github.com/cotequeiroz/openssl, and refreshing backports
with git is much easier t
a client.
Signed-off-by: Eneas U de Queiroz
---
This was run-tested on WRT3200ACM (mvebu, armv7), using nginx, and
openssl util to encrypt & decrypt some files using software and the
devcrypto engine, since there have been some changes in the engine,
related to BSD compatibility, when opening
o-make-the-dev-crypto-engine-dynamic.patch.
So, I've generated a new patch with 'git format-patch --no-renames', and
then 'make package/openssl/{refresh,update}'.
Signed-off-by: Eneas U de Queiroz
---
While I really prefer to leave the git-formatted patches as they are
On Fri, Mar 26, 2021 at 4:28 PM Rosen Penev wrote:
>
> On Fri, Mar 26, 2021 at 5:55 AM Eneas U de Queiroz
> wrote:
> >
> > On Fri, Mar 26, 2021 at 6:26 AM Rosen Penev wrote:
> > > +ifeq ($(QUILT),)
> > > + mv $(PKG_BUILD_DIR)/crypto/engine/eng_devc
On Fri, Mar 26, 2021 at 6:57 PM Felix Fietkau wrote:
> I fully agree with Eneas here (though I don't like his patch for this
> issue either).
This is the first time I wrote a patch I do NOT want to be applied. I
just want to keep the status quo.
> Here's a way to fix this:
>
> include/package-d
On Fri, Mar 26, 2021 at 7:35 PM Kevin 'ldir' Darbyshire-Bryant
wrote:
>
> ... I was also frustrated that there was patch fuzz in the tree on a fairly
> core package - that really shouldn’t be the case.
My apologies. I work in a clone of the openssl git repo, rebasing the
changes on top of the c
On Tue, Apr 6, 2021 at 7:30 PM Hauke Mehrtens wrote:
>
> Hi,
>
> How do we want to go forward with OpenWrt 21.02-rc1?
>
> * I think the base system is ok.
> * The http (original wolfssl) problem reported by jow is fixed
> * LuCI in the 21.02 branch still misses DSA support, this was merged
> into
This adds chacha20-poly1305 support to the mbedtls variant.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/ustream-ssl/Makefile
b/package/libs/ustream-ssl/Makefile
index a15f3d8ab8..ca9ad5d98b 100644
--- a/package/libs/ustream-ssl/Makefile
+++ b/package/libs/ustream-ssl/Makefile
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack. Patches were refreshed.
Fixed poly1305 build option, and made some Makefile updates.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl
ed wolfssl options in hostapd.
Eneas U de Queiroz (3):
wolfssl: update to 3.15.7, fix Makefile
wolfssl: reorganize, add build options
hostapd: adjust removed wolfssl options
package/libs/wolfssl/Config.in| 53 +---
package/libs/wolfssl/Makefile
From: Eneas U de Queiroz
This adjusts the selection of recently removed wolfssl options which
have always been built into the library even in their absence.
Also remove the selection of libwolfssl itself, allowing the library to
be built as a module.
Signed-off-by: Eneas U de Queiroz
diff
ort is selected.
Add building options for TLS 1.0 and TLS 1.3.
Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
Reorganized option conditionals in Makefile.
Add Eneas U de Queiroz as maintainer.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs
dents my confidence. Nonetheless, uhttpd connects
without a problem, and I can confirm /dev/crypto or AF_ALG sockets open.
The package currently lacks a maintainer, so I've added myself.
--
Changelog:
v1->v2:
* Increased FP_MAX_BITS to allow 4096-bit RSA keys.
* Update master to 4.0.0
Eneas
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack. Patches were refreshed.
Increased FP_MAX_BITS to allow 4096-bit RSA keys.
Fixed poly1305 build option, and some Makefile updates.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs
This adjusts the selection of recently removed wolfssl options which
have always been built into the library even in their absence.
Also remove the selection of libwolfssl itself, allowing the library to
be built as a module.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/network
ort is selected.
Add building options for TLS 1.0, and TLS 1.3.
Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
Reorganized option conditionals in Makefile.
Add Eneas U de Queiroz as maintainer.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs
Commit 3167a57 missed it.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 7aaa562539..264be02496 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -13,7 +13,7 @@ PKG_RELEASE:=1
PKG_SOURCE
I've found some remnants from eglibc, removed by 64da662 in Feb/2016.
While at it, I stumbled upon a case statement with redundant commands,
so I've simplified it as well.
Eneas U de Queiroz (2):
libs/toolchain: remove eglibc remnant file
target/toolchain/files/wrapper.sh: simp
This removes package/libs/toolchain/eglibc-files/etc/nsswitch.conf.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/toolchain/eglibc-files/etc/nsswitch.conf
b/package/libs/toolchain/eglibc-files/etc/nsswitch.conf
deleted file mode 100644
index 981c425da6..00
--- a/package
Removed an eglibc remnant, and while at it, grouped all of the
TOOLCHAIN_PLATFORMs using the same FLAGS together.
Signed-off-by: Eneas U de Queiroz
diff --git a/target/toolchain/files/wrapper.sh
b/target/toolchain/files/wrapper.sh
index 2b760840d8..4452128382 100755
--- a/target/toolchain
operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 875ff5e6a3..a729f73a1d 100644
e compiled all packages that use wolfssl and found no issues
with them. ustream-ssl actually defines HAVE_SNI, and I have done
extensive runtime tests without any issues.
900-remove-broken-autoconf-macros.patch: this was fixed upstream, and
the jobserver was disabled by ./configure --disable-jo
TLS 1.0, and TLS 1.3.
* Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
* Reorganized option conditionals in Makefile.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 4aa163b361..a72
wolfssl changed ABI version, so this forces an update to hostapd.
Some build options selected by hostapd are always built now, so they
were removed.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/network/services/hostapd/Config.in
b/package/network/services/hostapd/Config.in
index
wolfssl changed ABI version.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/ustream-ssl/Makefile
b/package/libs/ustream-ssl/Makefile
index 2ea5bf0bd5..c0fd281866 100644
--- a/package/libs/ustream-ssl/Makefile
+++ b/package/libs/ustream-ssl/Makefile
@@ -3,6 +3,15 @@ include
TLS 1.0, and TLS 1.3.
* Add AF_ALG hardware crypto support, which due to a bug, only works
when CCM support is turned off.
* Reorganized option conditionals in Makefile.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 50
. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack. Backported from 4.1.0.
Signed-off-by: Eneas U de Queiroz
---
This is an alternative to updating 18.06 to 4.1.0, just backporting the
patches. This has been
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/openssl/Config.in b/package/libs/openssl/Config.in
index 63493829ba..d1281ec6fa 100644
--- a/package/libs/openssl/Config.in
+++ b/package/libs/openssl/Config.in
@@ -76,7 +76,6 @@ config OPENSSL_WITH_TLS13
bool
default y
compatibility you wish to use.
A P-256 EC key offers a strength equivalent to a 3072-bit RSA key, and is
generated much faster than even a 2048-bit RSA key.
uhttpd currently generates a 2048-bit RSA key by default, and that has
not been changed.
Eneas U de Queiroz (3):
openssl: always build
d.
Package size increased by about 900 bytes (arm).
Signed-off-by: Eneas U de Queiroz
diff --git a/package/utils/px5g/Makefile b/package/utils/px5g/Makefile
index 7b5748425d..cfd1bfc80e 100644
--- a/package/utils/px5g/Makefile
+++ b/package/utils/px5g/Makefile
@@ -8,7 +8,7 @@
include $(
This adds the key_type and ec_curve options to enable the generation of
EC keys during initialization, using openssl or the new options added to
px5g.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/network/services/uhttpd/Makefile
b/package/network/services/uhttpd/Makefile
index
ed
ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC.
Signed-off-by: Eneas U de Queiroz
---
If you use the intermediate compatibility list, you lose compatibility
with Safari on iOS<=8 and OS X<=10.10. Windows XP will not work either,
but since it is not compatible with EC k
: Eneas U de Queiroz
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 7c72ce1..3810d6a 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -33,6 +33,21 @@
* aes128, aes256, 3DES(client only)
*/
+#ifdef WOLFSSL_SSL_H
+# define top_ciphers
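Review bot: the new `+#ifdef WOLFSSL_SSL_H` block keys the cipher-list selection off wolfSSL's own header include guard rather than a macro this project controls; if the upstream guard name ever changes the wolfSSL branch silently falls back to the OpenSSL definitions. Consider testing a macro set by this project's build (the ustream-ssl CMake configuration already chooses between the OpenSSL and wolfSSL backends) or a documented wolfSSL feature macro from wolfssl/options.h instead.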
aintaining backward compatibility.
Signed-off-by: Eneas U de Queiroz
---
This was tested on a WRT3200ACM running openwrt master, using
uclient-fetch and uhttpd.
I've also tested on x86_64 (not on openwrt, though) for compatibility
with previous versions of wolfssl, so it _should_ be safe to use
used, which should be good enough.
Nonetheless, the call is being checked in CMakeLists.txt, just in case
wolfssl build options change.
Without CN validation, uclient-fetch will fail to run unless the
--no-check-certificate option is used.
Signed-off-by: Eneas U de Queiroz
---
This was run-tested
Hardware acceleration was disabled when AES-CCM was selected as a
workaround for a build failure. This applies a couple of upstream
patches fixing this.
Signed-off-by: Eneas U de Queiroz
---
This is the result of this upstream issue:
https://github.com/wolfSSL/wolfssl/issues/2392
It was tested
This version fixes 3 low-severity vulnerabilities:
- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
Patches were refreshed.
Signed-off-by: Eneas U de Queiroz
--
Run
This version fixes 3 low-severity vulnerabilities:
- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
Patches were refreshed, and Eneas U de Queiroz added as maintainer.
Signed-off-by: Eneas U de Queiroz
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 60357604b1..3f8907cf17 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR
m the next commit on.
Eneas
--
Eneas U de Queiroz (3):
Remove CyaSSL, WolfSSL < 3.10.4 support
ustream-io-cyassl.c: fix client-mode connections
wolfssl: enable CN validation
CMakeLists.txt | 25 +++
ustream-internal.h | 3
This updates the CyaSSL names to wolfSSL, and removes obsolete code to
support old versions of the library < v3.10.4.
Some #include statements were moved around, so that wolfssl/options.h is
loaded before any other wolfssl/openssl header.
Signed-off-by: Eneas U de Queiroz
diff --gi
called, and 'valid_cert' will be true if that call succeeds and we
have a peer certificate, just as it happens with openssl. Only
'valid_cn' will not be set.
Signed-off-by: Eneas U de Queiroz
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6b3fc8c..86e1b07 100644
--- a/
sts.txt to detect their
presence. Otherwise, another call to ustream_set_io is done before
creating the SSL session to properly set the callbacks.
Signed-off-by: Eneas U de Queiroz
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3b557c3..6b3fc8c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@
The current crypto libraries will fail to load small RSA keys, so a new
certificate was generated with a 2048-bit RSA key.
Also fixed a typo in ustream-example-client.c
Signed-off-by: Eneas U de Queiroz
--
This is the output of 'openssl x509 -noout -text -in example.crt', with
the
This adds the CRYPTO_ALG_KERN_DRIVER_ONLY flag to Qualcomm crypto engine
driver algorithms, so that openssl devcrypto can recognize them as
hardware-accelerated.
Signed-off-by: Eneas U de Queiroz
--
It was reported to me at the forum:
https://forum.openwrt.org/t/comparing-cpu-soc-performance
CONFIG_CRYPTO_GF128MUL was removed as well, since it is only needed by
some cipher modes (LRW, GCM), none of which are selected, and it is
packaged as a module.
Signed-off-by: Eneas U de Queiroz
--
> The upstream qce crypto driver does not support the IPQ806x series.
> The ipq806x target used to host ipq40
This adds the CRYPTO_ALG_KERN_DRIVER_ONLY flag to Qualcomm crypto engine
driver algorithms, so that openssl devcrypto can recognize them as
hardware-accelerated.
Signed-off-by: Eneas U de Queiroz
diff --git
a/target/linux/ipq40xx/patches-4.14/181-crypto-qce-add-CRYPTO_ALG_KERN_DRIVER_ONLY
ation commands.
Signed-off-by: Eneas U de Queiroz
---
This should be cherry-picked to 19.07.
Run-tested on WRT3200ACM without engines, and with devcrypto & afalg.
diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index 28625bad05..eb267f31f0 100644
--- a/package/lib
WolfSSL is always built with AES-GCM support now.
Signed-off-by: Eneas U de Queiroz
---
As for 19.07, it needs 94d131332b5adbcf885a92608c40a22b79b3c708
(hostapd: adjust removed wolfssl options) cherry-picked first, then this
as well, since the wolfssl options were all removed in 19.07 too
t_method" redefined [-Werror]
Only define the symbols if not previously defined.
Signed-off-by: Eneas U de Queiroz
--
There are two CVEs with critical(CVSS 3.1)/high(CVSS2.0) base scores
that have been fixed in wolfssl 4.2.0: CVE-2019-16748 & CVE-2019-15651.
Before we can update wolfssl, thi
openwrt)
- CVE-2019-15651: 1-byte overread when decoding certificate extensions
- CVE-2019-16748: 1-byte overread when checking certificate signatures
- DSA attack to recover DSA private keys
Signed-off-by: Eneas U de Queiroz
---
This was run-tested on WRT3200ACM, using uhttpd, uclient-fetch, curl
This is needed to export crypto information to netfilter, allowing
the alt. afalg openssl engine to obtain information about the drivers
being used.
Signed-off-by: Eneas U de Queiroz
---
Tested on WRT3200ACM, running openwrt master. For mvebu, this
increases the package size from 17,097 to
This update fixes many bugs, and six security vulnerabilities, including
CVE-2019-18840.
Signed-off-by: Eneas U de Queiroz
--
Compile-tested all dependents, and run-tested with wpad, uhttpd, and
curl on WRT3200ACM.
There has been an issue with WPA3 and wolfssl. I am not able to test
it, but I
The old name was dropped and no longer works.
Signed-off-by: Eneas U de Queiroz
--
While testing this with wolfssl, I noticed the package was built without
TLS support. This was run-tested with wolfssl on WRT3200ACM
diff --git a/package/network/utils/curl/Makefile
b/package/network/utils/curl
The 'DEFAULT:=m if ALL' line prevents the phase1 buildbots from building
the package, and users from downloading it, since they use 'ALL_KMODS=y'
but 'ALL' is not set.
Signed-off-by: Eneas U de Queiroz
--
This was reported here: https://github.com/openwrt/package
On Thu, Apr 22, 2021 at 3:55 AM Daniel Danzberger wrote:
>
> Automatically enable an engine in the openssl.cnf if it has been build.
> Before this change, /etc/openssl.cnf had to be edited manually on the
> system to enable the engine.
>
> +define Package/libopenssl-conf/enable
> + $(if $(C
On Fri, Apr 23, 2021 at 3:11 AM Florian Eckert wrote:
> How about if we create a uci default script and check on the running
> system what is installed?
> And then we could generate a file and add or remove an include line form
> the openssl.cnf [1]?
Hi Florian, Daniel
I think we can manage some
> >> How about if we create a uci default script and check on the running
> >> system what is installed?
> >> And then we could generate a file and add or remove an include line
> >> form
> >> the openssl.cnf [1]?
> >
> > I think we can manage something like that. The .include option can
> > load
supported parameters is defined.
After this is merged, I will adapt the two engines in the packages feed.
Eneas U de Queiroz (3):
openssl: config engines in /etc/ssl/engines.cnf.d
openssl: configure engine packages during install
openssl: configure engines with uci
package/libs/openss
.
Signed-off-by: Eneas U de Queiroz
---
package/libs/openssl/Makefile | 30 --
package/libs/openssl/files/afalg.cnf | 32 ++
package/libs/openssl/files/devcrypto.cnf | 31 ++
package/libs/openssl/files/engines.cnf| 7 ++
package/libs/openssl/files
ut of tree engines as well.
Signed-off-by: Eneas U de Queiroz
---
package/libs/openssl/Makefile | 58 +
package/libs/openssl/engine.mk| 82 +++
package/libs/openssl/files/engines.cnf| 12 +--
.../150-openssl.cnf-add-engines-conf.pat
lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Si
Hi Florian
On Thu, Apr 29, 2021 at 3:44 AM Florian Eckert wrote:
> > $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO,/etc/ssl/engines.cnf.d/devcrypto.cnf)
> > $(if
> > CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK,/etc/ssl/engines.cnf.d/padlock.cnf)
>
> I think AFALG is missing there?
>
As I mentioned
les leftover from previous development versions
Eneas U de Queiroz (3):
openssl: config engines in /etc/ssl/engines.cnf.d
openssl: configure engine packages during install
openssl: configure engines with uci
package/libs/openssl/Makefile | 55 +-
package/libs/
lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Sign
.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2: unchanged
package/libs/openssl/Makefile | 30 --
package/libs/openssl/files/afalg.cnf | 32 ++
package/libs/openssl/files/devcrypto.cnf | 31 ++
package/libs/openssl/files/engines.cnf|
ut of tree engines as well.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2: unchanged
package/libs/openssl/Makefile | 58 +
package/libs/openssl/engine.mk| 82 +++
package/libs/openssl/files/engines.cnf| 12 +--
.../15
ver from previous development versions
v2->v3:
- actually removed the extra files that I had promised in v2
Eneas U de Queiroz (3):
openssl: config engines in /etc/ssl/engines.cnf.d
openssl: configure engine packages during install
openssl: configure engines with uci
package/l
.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2: unchanged
v2->v3: unchanged
package/libs/openssl/Makefile | 30 --
package/libs/openssl/files/afalg.cnf | 32 ++
package/libs/openssl/files/devcrypto.cnf | 31 ++
package/libs/openssl
ut of tree engines as well.
Signed-off-by: Eneas U de Queiroz
---
Changelog:
v1->v2: unchanged
v2->v3: unchanged
package/libs/openssl/Makefile | 58 +
package/libs/openssl/engine.mk| 82 +++
package/libs/openssl/files/engines
lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Sign
parison, there are
71 files changed, 17143 insertions(+), 5697 deletions(-), when going
from 2.4 to 2.4.6.
3. Bump both to keep in sync with master.
My vote: do 1 now, and wait for possible fallout from master. Then,
perhaps try to keep them in sync, at the following point release.
Chee
resulting in
a failed verification.
Signed-off-by: Eneas U de Queiroz
---
package/libs/wolfssl/Makefile | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 0c95288a2a..38c284ec5d 100644
--- a/package/libs
/host/bin/grep -F"}
-+ : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+ : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+ : ${EGREP="@EGREP@"}
-+ : ${FGREP="@FGREP@"}
-+ : ${GREP="@GREP@"}
-+ : ${SED="@SED@"}
-+fi
-
My vote: do 1 now, and wait for possible fallout from master. Then,
perhaps try to keep them in sync, at the following point release.
Cheers
Eneas U de Queiroz (2):
libtool: bump to 2.4.6
wolfssl: bump to v4.8.1-stable
package/libs/wolfssl/Makefile | 6 +-
.../patches/100-d
: Eneas U de Queiroz
---
package/libs/wolfssl/Makefile | 6 +++---
.../libs/wolfssl/patches/100-disable-hardening-check.patch | 2 +-
package/libs/wolfssl/patches/200-ecc-rng.patch | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a
/host/bin/grep -F"}
-+ : ${GREP="$STAGING_DIR/../host/bin/grep"}
-+ : ${SED="$STAGING_DIR/../host/bin/sed"}
-+else
-+ : ${EGREP="@EGREP@"}
-+ : ${FGREP="@FGREP@"}
-+ : ${GREP="@GREP@"}
-+ : ${SED="@SED@"}
-+fi
-
Change the CONFLICTS definition from the alternative package
(ethtool-full) to the main one.
The CONFLICTS line creates a dependency to the conflicting package.
Right now, the dependency would be created in the PACKAGE_ethtool-full
symbol:
config PACKAGE_ethtool-full
depends on m || (PAC
age is rebuilt even if it is not otherwise needed.
To fix this, instead of always forcing the download target to be remade,
check its hash first: if it matches, then the FORCE is not added.
Signed-off-by: Eneas U de Queiroz
---
include/download.mk | 17 +++--
include/host-build
This version fixes two vulnerabilities:
- SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High
- Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium
Signed-off-by: Eneas U de Queiroz
---
package/libs/openssl/Makefile