libressl can be built with uclibc on noMMU since bump to version 3.0.2
in commit 26f42106e8 and
f542e84c85
However, uclibc-ng doesn't provide __register_atfork without NPTL
resulting in the following libressl build failure:
/nvmedata/autobuild/instance-28/output-1/host/lib/gcc/arceb-buildroot-linux-uclibc/10.3.0/../../../../arceb-buildroot-linux-uclibc/bin/ld: ../../tls/libtls.a(arc4random.c.o): in function `_rs_stir':
arc4random.c:(.text+0x50c): undefined reference to `__register_atfork'
So fix the dependency and, while at it, drop the double negation for
readability
Fixes:
- http://autobuild.buildroot.org/results/2fa4fa10cf19f1f942b6b49b5f6f05339c008cd4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
If the toolchain does not have threads (e.g. br-arm-full-nothread),
compilation fails:
In file included from /home/fail/br-test-pkg/br-arm-full-nothread/build/libressl-3.3.3/crypto/cryptlib.c:117:
/home/fail/br-test-pkg/br-arm-full-nothread/build/libressl-3.3.3/crypto/../include/compat/pthread.h:114:15: fatal error: pthread.h: No such file or directory
114 | #include_next <pthread.h>
| ^~~~~~~~~~~
compilation terminated.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Now that we have a backport from upstream with a proper fix for the
build on riscv32 *and* a proper implementationfor 64-bit time structs,
we can re-activate the build on riscv32.
This partially reverts commit c72be5dd2f.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Alistair Francis <alistair.francis@wdc.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Mark Corbin <mark@dibsco.co.uk>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
riscv32 is (surprise!) a 32-bit architecture. But it has been Y2038-safe
from its inception. As such, there are no legacy binaries that may use
the 32-bit time syscalls, and thus they are not available on riscv32.
Code that directly calls to the syscalls without using the C libraries
wrappers thus need to handle this case by themselves. That's what
upstream tried to do with:
5b5e2985f3
We initially carried that patch with 2bb26c1a1d (package/libopenssl:
fix build on riscv32).
However, as Arnd Bergmann puts it [0]:
The patch looks wrong to me: __NR_io_pgetevents_time64 must be used
whenever time_t is 64-bit wide on a 32-bit architecture, while
__NR_io_getevents/__NR_io_pgetevents must be used when time_t is the
same width as 'long'.
Checking whether __NR_io_getevents is defined is wrong for all
architectures other than riscv
And Arnd agrees that patch should be reverted [1] [2] (there are further
comments in that stream, that are worth reading).
As such, we've reverted 2bb26c1a1d with 6cfb4ad7f7.
This means we have no working solution to enable openssl on riscv32 for
now. So, rather than fail the build, or backport a dysfunctional patch,
let's just forbid openssl on riscv32.
Drop the default from the choice selection; it was anyway superfluous:
the default of a choice, if left unspecified, is the first entry of the
choice. Also, having a default means we'd have to also propagate the
dependencies of the defaulted-to symbol, which is yet a little bit more
maintenance. Since the chances we get a third implementation of openssl
are pretty slim (very, very slim), reasoning about what is the default
is still very easy.
When propagating dependencies to tpm2-tss' users, we've tried to keep
the architecture dependency toward the top when possible, and otherwise
we've added it together with existing arch dependencies (MMU).
While at it, drop a useless redundant comment in ibm-sw-tpm2: if we
select FORCE_LIBOPENSSL, it is obvious that's because libressl is not
supported... Besides none of the other users of FORCE_LIBOPENSSL have
such a comment.
Fixes:
http://autobuild.buildroot.org/results/eb9/eb9a64d4ffae8569b5225083f282cf87ffa7c681/
...
http://autobuild.buildroot.org/results/07e/07e413b24ba8adc9558c80267ce16dda339bf032/
[0] 5b5e2985f3 (commitcomment-44782859)
[1] 5b5e2985f3 (commitcomment-47826509)
[2] 5b5e2985f3 (commitcomment-47830530)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Mark Corbin <mark@dibsco.co.uk>
As we've recently done for libopenssl (openssl, the original),
move the libressl option to a libressl-specific Config.in.
The gain is minimal at best, but this is mostly for symetry with
libopenssl.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since e3159cad71 (package/libopenssl: move target arch selection
to Config.in), we have a Config.in that contains a few options to
configure libopenssl (openSSL, the original).
As such, it makes sense to move the remaining options there too.
We also move the condition there, mimicking what is done for the
external toolchains' options too.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The logic to select the proper OpenSSL target arch in libopenssl.mk is
not easy to read, so let's move it to Config.in where we have some
nice constructs for that kind of value selection.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Similar to toolchains and jpeg, we now offer a way for br2-external
trees to provide their openssl implementation, which gets included in
the openssl choice.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
uClibc doesn't implement __register_atfork() on noMMU systems, causing
a build failure of libressl. Since openssl is available as an
alternative on such platforms, we just disable libressl on
uClibc/noMMU systems.
Fixes:
/home/thomas/projets/buildroot/output/build/libressl-2.5.5/crypto/.libs/libcrypto.a(arc4random.o): In function `_rs_init.part.1':
arc4random.c:(.text+0x74): undefined reference to `__register_atfork'
collect2: error: ld returned 1 exit status
This build issue is not visible in the autobuilders, because libressl
is only selectable through a choice, which isn't randomized by the
autobuilder logic.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
At this point, libressl can be added to the openssl virtual package.
- Remove the entry package/libressl/Config.in from package/Config.in
- Remove the file: package/libressl/Config.in
- Add libressl entry to package/openssl/Config.in
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Some packages that use openssl are not compatible with libressl, only
with the real openssl (known as libopenssl in Buildroot). So before we
add libressl as a provider for the openssl virtual package, we
introduce a BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL hidden option that
packages incompatible with LibreSSL will be able to select.
This will allow packages that need OpenSSL to continue using "select",
without having to change to using "depends on" dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To ease the transition to having both OpenSSL and LibreSSL, there has to be
a new virtual package introduced to handle both.
Instead of making a libssl, and adding OpenSSL and libressl to that package,
it will be far easier to move openssl to libopenssl and to make OpenSSL
a virtual package. This offers a few advantages:
- BR2_PACKAGE_OPENSSL is still a visible symbol with no dependencies.
- It does not require a huge patch to convert every instance of
OpenSSL -> libssl)
- Users will be able to update without ever having to select anything new.
- LibreSSL can be added at a later date to the virtual package.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
[Thomas: define BR2_PACKAGE_PROVIDES_HOST_OPENSSL to the value
"host-libopenssl" as we always want to use the original OpenSSL for
the host variant.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Remove the redundant usr/ component of the HOST_DIR paths. Since a
previous commit added a symlink from $(HOST_DIR)/usr to $(HOST_DIR),
everything keeps on working.
This is a mechanical change with
git grep -l '\$(HOST_DIR)/usr' | xargs sed -i 's%\(prefix\|PREFIX\)=\("\?\)\$(HOST_DIR)/usr%\1=\2$(HOST_DIR)%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
According to https://www.openssl.org/news/newslog.html this release
does not contain security fixes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2017-3731 - Truncated packet could crash via OOB read.
CVE-2017-3732 - BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055 - Montgomery multiplication may produce incorrect results
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-7052 - Missing CRL sanity check
[Peter: drop CVE 6309 from description as pointed out by Baruch]
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://www.openssl.org/news/secadv/20160922.txt
Fixes
SSL_peek() hang on empty record (CVE-2016-6305)
SWEET32 Mitigation (CVE-2016-2183)
OOB write in MDC2_Update() (CVE-2016-6303)
Malformed SHA512 ticket DoS (CVE-2016-6302)
OOB write in BN_bn2dec() (CVE-2016-2182)
OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
Pointer arithmetic undefined behaviour (CVE-2016-2177)
Constant time flag not preserved in DSA signing (CVE-2016-2178)
DTLS buffered message DoS (CVE-2016-2179)
DTLS replay protection DoS (CVE-2016-2181)
Certificate message OOB reads (CVE-2016-6306)
Excessive allocation of memory in tls_get_message_header()
(CVE-2016-6307)
Excessive allocation of memory in dtls1_preprocess_fragment()
(CVE-2016-6308)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Instead of depending on each provider of cryptodev, make openssl depend
on the virtual package.
This is easy because in both cases the openssl build systems needs the
same configuration options.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The Linux kernel doesn't even support i386 anymore, there is no NPTL
support for i386 and uClibc-ng only supports NPTL on x86, so there is
essentially no usable thread implementation. Most likely glibc and
musl also don't support i386 either. So it's time to remove the
support for this architecture variant.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The previous incarnation was incomplete, it only applied one of the
Gentoo patches, hence it had corner cases.
Apply all 4 patches as pointed out by Mike on the mailing list.
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2015-3193 - BN_mod_exp may produce incorrect results on x86_64
CVE-2015-3194 - Certificate verify crash with missing PSS parameter
CVE-2015-3195 - X509_ATTRIBUTE memory leak
Enable IDEA as well since otherwise the build breaks (always great
upstream) - it's no longer patent encumbered.
[Peter: correct sha256]
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Switch from : to # since CFLAGS can include :'s spilled in from
BR2_TARGET_OPTIMIZATION, for example:
BR2_TARGET_OPTIMIZATION="-Wl,-rpath,/lib:/usr/lib" would cause the sed
expression to fail thus breaking the build.
Changed all of the SEDs to # for consistency.
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a patch that is originally based on a patch Thomas P.
submitted for an earlier version of this package. I have adopted this
patch to use the latest available Gentoo parallel patch. I have also
seen about a minute improvement on my build times of openssl.
Part of Thomas P's original message:
On my build server, the current build of OpenSSL takes 1 minutes and
20 seconds. With this commit applied, enabling parallel build and
installation, the build only takes 28 seconds.
All the patches are downloaded from Gentoo.
There is apparently some interest in upstream OpenSSL to enable
parallel build, see for example commit
c3f22253b1. This
commit is not part of any OpenSSL release, but we can hope that the
problem will resolved in the future.
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CC: Gustavo Zacarias <gustavo@zacarias.com.ar>
CC: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Using Git formatted patches makes it easier to adjust the patches when
needed.
[Thomas: remove patch numbering.]
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
CC: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CC: Gustavo Zacarias <gustavo@zacarias.com.ar>
CC: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The dependency doesn't make sense now that the option only controls if the
built binary gets installed into the target or not, so drop it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If configured with no-dso, the openssl binary still gets linked with
-ldl, while libdl is not available for static-only builds. The OpenSSL
framework does not support automatically dropping -ldl with no-dso, so
-ldl has to be removed from Makefile after calling ./Configure as
explained in PROBLEMS.
Fixes http://autobuild.buildroot.org/results/cbb35f2582f1cfeb3d11cb4952a80784ff660baf
[Peter: add reference to PROBLEMS file]
Signed-off-by: Benoît Thébaudeau <benoit@wsystem.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that building the openssl binary without MMU is supported, the only
reason left for not building apps if the openssl binary is disabled is
to save build time. Moreover, the commit
720893b625 "openssl: disable apps for
NOMMU", which added this behavior, had a side effect: the scripts from
apps (CA.pl, CA.sh and tsget) and the default configuration file
(openssl.cnf) were no longer installed, which is not advertized by the
BR2_PACKAGE_OPENSSL_BIN option. CA.pl and CA.sh use the openssl binary,
so not installing them without the latter makes sense. But tsget does
not use the openssl binary, and openssl.cnf can be used by libcrypto, so
it is preferable to handle BR2_PACKAGE_OPENSSL_BIN like before the
commit mentioned above, i.e. to always build and install apps and to
just remove the openssl binary afterwards if needed.
This is what the current commit does, but installing only the helper
scripts having their dependencies (perl or the openssl binary)
satisfied. The help text is updated accordingly.
Signed-off-by: Benoît Thébaudeau <benoit@wsystem.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The commit 720893b625 "openssl: disable
apps for NOMMU" prevented the openssl binary from being built without
MMU in order to fix a build failure without fork(). However, openssl is
designed to support the lack of fork() with -DHAVE_FORK=0, so allow the
openssl binary to be enabled without MMU thanks to this option.
Signed-off-by: Benoît Thébaudeau <benoit@wsystem.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes HMAC ABI breakage from 1.0.2b
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes
/home/br/br3/output/host/usr/lib/gcc/i586-buildroot-linux-uclibc/4.8.4/../../../../i586-buildroot-linux-uclibc/bin/ld: cannot find -ldl
using this defconfig
BR2_STATIC_LIBS=y
BR2_PACKAGE_OPENSSL=y
BR2_PACKAGE_OPENSSL_BIN=y
Quoting PROBLEMS:
"We don't have framework to associate -ldl with no-dso, therefore the only
way is to edit Makefile right after ./config no-dso and remove -ldl from
EX_LIBS line."
To not make the build procedure more complicated disable static building of
bin/openssl.
[Thomas: add corresponding kconfig comment.]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit doesn't touch infra packages.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The adaptation from commit 74dd54bf is incomplete/bad causing segfaults when
using cryptodev for digest offload, examples: openssh, openssl speed, others.
Tested on real hardware (talitos).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The new c_rehash from openssl 1.0.2 can't take a minus in the directory
string since the regex for matching commands checks for - in any
position instead of just the beginning to trigger the command parser. Fixes:
http://autobuild.buildroot.net/results/ee6/ee683569350d5deaf0ccc603ed7066bffb83cbe3/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Bump version to 1.0.2
- Adapt patches to new version
- Update hash value
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
