* [Buildroot] [PATCH 01/13] openssl: new virtual package
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 02/13] softether: depend on libopenssl Adam Duskett
` (12 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
To ease the transition to having both OpenSSL and LibreSSL, there has to be
a new virtual package introduced to handle both.
Instead of making a libssl, and adding OpenSSL and libressl to that package,
it will be far easier to move openssl to libopenssl and to make OpenSSL
a virtual package. This offers a few advantages:
- BR2_PACKAGE_OPENSSL is still a visible symbol with no dependencies.
- It does not require a huge patch to convert every instance of
  OpenSSL -> libssl.
- Users will be able to update without ever having to select anything new.
- LibreSSL can be added at a later date to the virtual package.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
...time-building-manpages-if-we-re-not-going.patch | 0
...todev-Fix-issue-with-signature-generation.patch | 0
.../openssl.hash => libopenssl/libopenssl.hash} | 0
package/libopenssl/libopenssl.mk | 171 +++++++++++++++++++++
package/openssl/Config.in | 44 ++++--
package/openssl/openssl.mk | 165 +-------------------
6 files changed, 207 insertions(+), 173 deletions(-)
rename package/{openssl => libopenssl}/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch (100%)
rename package/{openssl => libopenssl}/0002-cryptodev-Fix-issue-with-signature-generation.patch (100%)
rename package/{openssl/openssl.hash => libopenssl/libopenssl.hash} (100%)
create mode 100644 package/libopenssl/libopenssl.mk
diff --git a/package/openssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch b/package/libopenssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
similarity index 100%
rename from package/openssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
rename to package/libopenssl/0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
diff --git a/package/openssl/0002-cryptodev-Fix-issue-with-signature-generation.patch b/package/libopenssl/0002-cryptodev-Fix-issue-with-signature-generation.patch
similarity index 100%
rename from package/openssl/0002-cryptodev-Fix-issue-with-signature-generation.patch
rename to package/libopenssl/0002-cryptodev-Fix-issue-with-signature-generation.patch
diff --git a/package/openssl/openssl.hash b/package/libopenssl/libopenssl.hash
similarity index 100%
rename from package/openssl/openssl.hash
rename to package/libopenssl/libopenssl.hash
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
new file mode 100644
index 0000000000..90cff585f8
--- /dev/null
+++ b/package/libopenssl/libopenssl.mk
@@ -0,0 +1,171 @@
+################################################################################
+#
+# libopenssl
+#
+################################################################################
+
+LIBOPENSSL_VERSION = 1.0.2l
+LIBOPENSSL_SITE = http://www.openssl.org/source
+LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
+LIBOPENSSL_LICENSE = OpenSSL or SSLeay
+LIBOPENSSL_LICENSE_FILES = LICENSE
+LIBOPENSSL_INSTALL_STAGING = YES
+LIBOPENSSL_DEPENDENCIES = zlib
+HOST_LIBOPENSSL_DEPENDENCIES = host-zlib
+LIBOPENSSL_TARGET_ARCH = generic32
+LIBOPENSSL_CFLAGS = $(TARGET_CFLAGS)
+LIBOPENSSL_PROVIDES = openssl
+LIBOPENSSL_PATCH = \
+ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2d-parallel-build.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
+ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
+ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
+ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-symlinking.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
+
+# relocation truncated to fit: R_68K_GOT16O
+ifeq ($(BR2_m68k_cf),y)
+LIBOPENSSL_CFLAGS += -mxgot
+endif
+
+ifeq ($(BR2_USE_MMU),)
+LIBOPENSSL_CFLAGS += -DHAVE_FORK=0
+endif
+
+ifeq ($(BR2_PACKAGE_HAS_CRYPTODEV),y)
+LIBOPENSSL_CFLAGS += -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
+LIBOPENSSL_DEPENDENCIES += cryptodev
+endif
+
+# Some architectures are optimized in OpenSSL
+# Doesn't work for thumb-only (Cortex-M?)
+ifeq ($(BR2_ARM_CPU_HAS_ARM),y)
+LIBOPENSSL_TARGET_ARCH = armv4
+endif
+ifeq ($(ARCH),aarch64)
+LIBOPENSSL_TARGET_ARCH = aarch64
+endif
+ifeq ($(ARCH),powerpc)
+# 4xx cores seem to have trouble with openssl's ASM optimizations
+ifeq ($(BR2_powerpc_401)$(BR2_powerpc_403)$(BR2_powerpc_405)$(BR2_powerpc_405fp)$(BR2_powerpc_440)$(BR2_powerpc_440fp),)
+LIBOPENSSL_TARGET_ARCH = ppc
+endif
+endif
+ifeq ($(ARCH),powerpc64)
+LIBOPENSSL_TARGET_ARCH = ppc64
+endif
+ifeq ($(ARCH),powerpc64le)
+LIBOPENSSL_TARGET_ARCH = ppc64le
+endif
+ifeq ($(ARCH),x86_64)
+LIBOPENSSL_TARGET_ARCH = x86_64
+endif
+
+define HOST_LIBOPENSSL_CONFIGURE_CMDS
+ (cd $(@D); \
+ $(HOST_CONFIGURE_OPTS) \
+ ./config \
+ --prefix=$(HOST_DIR) \
+ --openssldir=$(HOST_DIR)/etc/ssl \
+ --libdir=/lib \
+ shared \
+ zlib-dynamic \
+ )
+ $(SED) "s#-O[0-9]#$(HOST_CFLAGS)#" $(@D)/Makefile
+endef
+
+define LIBOPENSSL_CONFIGURE_CMDS
+ (cd $(@D); \
+ $(TARGET_CONFIGURE_ARGS) \
+ $(TARGET_CONFIGURE_OPTS) \
+ ./Configure \
+ linux-$(LIBOPENSSL_TARGET_ARCH) \
+ --prefix=/usr \
+ --openssldir=/etc/ssl \
+ --libdir=/lib \
+ $(if $(BR2_TOOLCHAIN_HAS_THREADS),threads,no-threads) \
+ $(if $(BR2_STATIC_LIBS),no-shared,shared) \
+ no-rc5 \
+ enable-camellia \
+ enable-mdc2 \
+ enable-tlsext \
+ $(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
+ $(if $(BR2_STATIC_LIBS),no-dso) \
+ )
+ $(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
+ $(SED) "s#-O[0-9]#$(LIBOPENSSL_CFLAGS)#" $(@D)/Makefile
+ $(SED) "s# build_tests##" $(@D)/Makefile
+endef
+
+# libdl is not available in a static build, and this is not implied by no-dso
+ifeq ($(BR2_STATIC_LIBS),y)
+define LIBOPENSSL_FIXUP_STATIC_MAKEFILE
+ $(SED) 's#-ldl##g' $(@D)/Makefile
+endef
+LIBOPENSSL_POST_CONFIGURE_HOOKS += LIBOPENSSL_FIXUP_STATIC_MAKEFILE
+endif
+
+define HOST_LIBOPENSSL_BUILD_CMDS
+ $(HOST_MAKE_ENV) $(MAKE) -C $(@D)
+endef
+
+define LIBOPENSSL_BUILD_CMDS
+ $(TARGET_MAKE_ENV) $(MAKE) -C $(@D)
+endef
+
+define LIBOPENSSL_INSTALL_STAGING_CMDS
+ $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) INSTALL_PREFIX=$(STAGING_DIR) install
+endef
+
+define HOST_LIBOPENSSL_INSTALL_CMDS
+ $(HOST_MAKE_ENV) $(MAKE) -C $(@D) install
+endef
+
+define LIBOPENSSL_INSTALL_TARGET_CMDS
+ $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) INSTALL_PREFIX=$(TARGET_DIR) install
+ rm -rf $(TARGET_DIR)/usr/lib/ssl
+ rm -f $(TARGET_DIR)/usr/bin/c_rehash
+endef
+
+# libdl has no business in a static build
+ifeq ($(BR2_STATIC_LIBS),y)
+define LIBOPENSSL_FIXUP_STATIC_PKGCONFIG
+ $(SED) 's#-ldl##' $(STAGING_DIR)/usr/lib/pkgconfig/libcrypto.pc
+ $(SED) 's#-ldl##' $(STAGING_DIR)/usr/lib/pkgconfig/libssl.pc
+ $(SED) 's#-ldl##' $(STAGING_DIR)/usr/lib/pkgconfig/openssl.pc
+endef
+LIBOPENSSL_POST_INSTALL_STAGING_HOOKS += LIBOPENSSL_FIXUP_STATIC_PKGCONFIG
+endif
+
+ifneq ($(BR2_STATIC_LIBS),y)
+# libraries gets installed read only, so strip fails
+define LIBOPENSSL_INSTALL_FIXUPS_SHARED
+ chmod +w $(TARGET_DIR)/usr/lib/engines/lib*.so
+ for i in $(addprefix $(TARGET_DIR)/usr/lib/,libcrypto.so.* libssl.so.*); \
+ do chmod +w $$i; done
+endef
+LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_INSTALL_FIXUPS_SHARED
+endif
+
+ifeq ($(BR2_PACKAGE_PERL),)
+define LIBOPENSSL_REMOVE_PERL_SCRIPTS
+ $(RM) -f $(TARGET_DIR)/etc/ssl/misc/{CA.pl,tsget}
+endef
+LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_REMOVE_PERL_SCRIPTS
+endif
+
+ifeq ($(BR2_PACKAGE_LIBOPENSSL_BIN),)
+define LIBOPENSSL_REMOVE_BIN
+ $(RM) -f $(TARGET_DIR)/usr/bin/openssl
+ $(RM) -f $(TARGET_DIR)/etc/ssl/misc/{CA.*,c_*}
+endef
+LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_REMOVE_BIN
+endif
+
+ifneq ($(BR2_PACKAGE_LIBOPENSSL_ENGINES),y)
+define LIBOPENSSL_REMOVE_LIBOPENSSL_ENGINES
+ rm -rf $(TARGET_DIR)/usr/lib/engines
+endef
+LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_REMOVE_LIBOPENSSL_ENGINES
+endif
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
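Review bot: LIBOPENSSL_SITE fetches the tarball over plain http, and LIBOPENSSL_PATCH pulls four more patches from gitweb.gentoo.org, so the integrity of everything this package downloads rests on libopenssl.hash, which is renamed at 100% similarity and therefore not shown in this patch. Please switch the site to https://www.openssl.org/source and confirm that the hash file lists the four Gentoo patches as well as openssl-$(LIBOPENSSL_VERSION).tar.gz. Separately, in LIBOPENSSL_CONFIGURE_CMDS the expressions `s#-march=[-a-z0-9] ##` and `s#-mcpu=[-a-z0-9] ##g` match only a single character before the space, so a value such as -march=armv7-a stays in the Makefile; since this file is being created anyway, this is a good moment to make the bracket expression repeat.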
diff --git a/package/openssl/Config.in b/package/openssl/Config.in
index e08b648ba4..1b3e852fdb 100644
--- a/package/openssl/Config.in
+++ b/package/openssl/Config.in
@@ -1,28 +1,52 @@
config BR2_PACKAGE_OPENSSL
+ bool "openssl support"
+ help
+ Select the desired ssl library provider.
+
+if BR2_PACKAGE_OPENSSL
+
+choice
+ prompt "ssl library"
+ default BR2_PACKAGE_LIBOPENSSL
+ help
+ Select OpenSSL.
+
+config BR2_PACKAGE_LIBOPENSSL
bool "openssl"
select BR2_PACKAGE_ZLIB
help
- A collaborative effort to develop a robust, commercial-grade, fully
- featured, and Open Source toolkit implementing the Secure Sockets
- Layer (SSL v2/v3) and Transport Security (TLS v1) as well as a
- full-strength general-purpose cryptography library.
+ A collaborative effort to develop a robust, commercial-grade,
+ fully featured, and Open Source toolkit implementing the
+ Secure Sockets Layer (SSL v2/v3) and Transport Security
+ (TLS v1) as well as a full-strength general-purpose
+ cryptography library.
http://www.openssl.org/
Note: Some helper scripts need perl.
-if BR2_PACKAGE_OPENSSL
+if BR2_PACKAGE_LIBOPENSSL
-config BR2_PACKAGE_OPENSSL_BIN
+config BR2_PACKAGE_LIBOPENSSL_BIN
bool "openssl binary"
help
- Install the openssl binary and the associated helper scripts to the
- target file system. This is a command line tool for doing various
- cryptographic stuff.
+ Install the openssl binary and the associated helper scripts
+ to the target file system. This is a command line tool for
+ doing various cryptographic stuff.
-config BR2_PACKAGE_OPENSSL_ENGINES
+config BR2_PACKAGE_LIBOPENSSL_ENGINES
bool "openssl additional engines"
help
Install additional encryption engine libraries.
endif
+
+endchoice
+
+config BR2_PACKAGE_HAS_OPENSSL
+ bool
+
+config BR2_PACKAGE_PROVIDES_OPENSSL
+ string
+ default "libopenssl" if BR2_PACKAGE_LIBOPENSSL
+endif
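Review bot: the `if BR2_PACKAGE_LIBOPENSSL` block holding BR2_PACKAGE_LIBOPENSSL_BIN and BR2_PACKAGE_LIBOPENSSL_ENGINES sits between `choice` and `endchoice`, but those two are independent toggles, not alternative providers; move `endchoice` up to directly after the BR2_PACKAGE_LIBOPENSSL entry and keep the sub-options below it. BR2_PACKAGE_HAS_OPENSSL is declared as a promptless bool and nothing in this hunk selects it, so add `select BR2_PACKAGE_HAS_OPENSSL` where the provider is enabled. The commit message says users can update without selecting anything new, yet BR2_PACKAGE_OPENSSL_BIN and BR2_PACKAGE_OPENSSL_ENGINES are renamed and the diffstat shows no Config.in.legacy change, so a saved configuration that sets either one loses it on update.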
diff --git a/package/openssl/openssl.mk b/package/openssl/openssl.mk
index ec8e6f204c..d20e184cfc 100644
--- a/package/openssl/openssl.mk
+++ b/package/openssl/openssl.mk
@@ -4,166 +4,5 @@
#
################################################################################
-OPENSSL_VERSION = 1.0.2l
-OPENSSL_SITE = http://www.openssl.org/source
-OPENSSL_LICENSE = OpenSSL or SSLeay
-OPENSSL_LICENSE_FILES = LICENSE
-OPENSSL_INSTALL_STAGING = YES
-OPENSSL_DEPENDENCIES = zlib
-HOST_OPENSSL_DEPENDENCIES = host-zlib
-OPENSSL_TARGET_ARCH = generic32
-OPENSSL_CFLAGS = $(TARGET_CFLAGS)
-OPENSSL_PATCH = \
- https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2d-parallel-build.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
- https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-obj-headers.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
- https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-install-dirs.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d \
- https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1.0.2a-parallel-symlinking.patch?id=c8abcbe8de5d3b6cdd68c162f398c011ff6e2d9d
-
-# relocation truncated to fit: R_68K_GOT16O
-ifeq ($(BR2_m68k_cf),y)
-OPENSSL_CFLAGS += -mxgot
-endif
-
-ifeq ($(BR2_USE_MMU),)
-OPENSSL_CFLAGS += -DHAVE_FORK=0
-endif
-
-ifeq ($(BR2_PACKAGE_HAS_CRYPTODEV),y)
-OPENSSL_CFLAGS += -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS
-OPENSSL_DEPENDENCIES += cryptodev
-endif
-
-# Some architectures are optimized in OpenSSL
-# Doesn't work for thumb-only (Cortex-M?)
-ifeq ($(BR2_ARM_CPU_HAS_ARM),y)
-OPENSSL_TARGET_ARCH = armv4
-endif
-ifeq ($(ARCH),aarch64)
-OPENSSL_TARGET_ARCH = aarch64
-endif
-ifeq ($(ARCH),powerpc)
-# 4xx cores seem to have trouble with openssl's ASM optimizations
-ifeq ($(BR2_powerpc_401)$(BR2_powerpc_403)$(BR2_powerpc_405)$(BR2_powerpc_405fp)$(BR2_powerpc_440)$(BR2_powerpc_440fp),)
-OPENSSL_TARGET_ARCH = ppc
-endif
-endif
-ifeq ($(ARCH),powerpc64)
-OPENSSL_TARGET_ARCH = ppc64
-endif
-ifeq ($(ARCH),powerpc64le)
-OPENSSL_TARGET_ARCH = ppc64le
-endif
-ifeq ($(ARCH),x86_64)
-OPENSSL_TARGET_ARCH = x86_64
-endif
-
-define HOST_OPENSSL_CONFIGURE_CMDS
- (cd $(@D); \
- $(HOST_CONFIGURE_OPTS) \
- ./config \
- --prefix=$(HOST_DIR) \
- --openssldir=$(HOST_DIR)/etc/ssl \
- --libdir=/lib \
- shared \
- zlib-dynamic \
- )
- $(SED) "s#-O[0-9]#$(HOST_CFLAGS)#" $(@D)/Makefile
-endef
-
-define OPENSSL_CONFIGURE_CMDS
- (cd $(@D); \
- $(TARGET_CONFIGURE_ARGS) \
- $(TARGET_CONFIGURE_OPTS) \
- ./Configure \
- linux-$(OPENSSL_TARGET_ARCH) \
- --prefix=/usr \
- --openssldir=/etc/ssl \
- --libdir=/lib \
- $(if $(BR2_TOOLCHAIN_HAS_THREADS),threads,no-threads) \
- $(if $(BR2_STATIC_LIBS),no-shared,shared) \
- no-rc5 \
- enable-camellia \
- enable-mdc2 \
- enable-tlsext \
- $(if $(BR2_STATIC_LIBS),zlib,zlib-dynamic) \
- $(if $(BR2_STATIC_LIBS),no-dso) \
- )
- $(SED) "s#-march=[-a-z0-9] ##" -e "s#-mcpu=[-a-z0-9] ##g" $(@D)/Makefile
- $(SED) "s#-O[0-9]#$(OPENSSL_CFLAGS)#" $(@D)/Makefile
- $(SED) "s# build_tests##" $(@D)/Makefile
-endef
-
-# libdl is not available in a static build, and this is not implied by no-dso
-ifeq ($(BR2_STATIC_LIBS),y)
-define OPENSSL_FIXUP_STATIC_MAKEFILE
- $(SED) 's#-ldl##g' $(@D)/Makefile
-endef
-OPENSSL_POST_CONFIGURE_HOOKS += OPENSSL_FIXUP_STATIC_MAKEFILE
-endif
-
-define HOST_OPENSSL_BUILD_CMDS
- $(HOST_MAKE_ENV) $(MAKE) -C $(@D)
-endef
-
-define OPENSSL_BUILD_CMDS
- $(TARGET_MAKE_ENV) $(MAKE) -C $(@D)
-endef
-
-define OPENSSL_INSTALL_STAGING_CMDS
- $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) INSTALL_PREFIX=$(STAGING_DIR) install
-endef
-
-define HOST_OPENSSL_INSTALL_CMDS
- $(HOST_MAKE_ENV) $(MAKE) -C $(@D) install
-endef
-
-define OPENSSL_INSTALL_TARGET_CMDS
- $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) INSTALL_PREFIX=$(TARGET_DIR) install
- rm -rf $(TARGET_DIR)/usr/lib/ssl
- rm -f $(TARGET_DIR)/usr/bin/c_rehash
-endef
-
-# libdl has no business in a static build
-ifeq ($(BR2_STATIC_LIBS),y)
-define OPENSSL_FIXUP_STATIC_PKGCONFIG
- $(SED) 's#-ldl##' $(STAGING_DIR)/usr/lib/pkgconfig/libcrypto.pc
- $(SED) 's#-ldl##' $(STAGING_DIR)/usr/lib/pkgconfig/libssl.pc
- $(SED) 's#-ldl##' $(STAGING_DIR)/usr/lib/pkgconfig/openssl.pc
-endef
-OPENSSL_POST_INSTALL_STAGING_HOOKS += OPENSSL_FIXUP_STATIC_PKGCONFIG
-endif
-
-ifneq ($(BR2_STATIC_LIBS),y)
-# libraries gets installed read only, so strip fails
-define OPENSSL_INSTALL_FIXUPS_SHARED
- chmod +w $(TARGET_DIR)/usr/lib/engines/lib*.so
- for i in $(addprefix $(TARGET_DIR)/usr/lib/,libcrypto.so.* libssl.so.*); \
- do chmod +w $$i; done
-endef
-OPENSSL_POST_INSTALL_TARGET_HOOKS += OPENSSL_INSTALL_FIXUPS_SHARED
-endif
-
-ifeq ($(BR2_PACKAGE_PERL),)
-define OPENSSL_REMOVE_PERL_SCRIPTS
- $(RM) -f $(TARGET_DIR)/etc/ssl/misc/{CA.pl,tsget}
-endef
-OPENSSL_POST_INSTALL_TARGET_HOOKS += OPENSSL_REMOVE_PERL_SCRIPTS
-endif
-
-ifeq ($(BR2_PACKAGE_OPENSSL_BIN),)
-define OPENSSL_REMOVE_BIN
- $(RM) -f $(TARGET_DIR)/usr/bin/openssl
- $(RM) -f $(TARGET_DIR)/etc/ssl/misc/{CA.*,c_*}
-endef
-OPENSSL_POST_INSTALL_TARGET_HOOKS += OPENSSL_REMOVE_BIN
-endif
-
-ifneq ($(BR2_PACKAGE_OPENSSL_ENGINES),y)
-define OPENSSL_REMOVE_OPENSSL_ENGINES
- rm -rf $(TARGET_DIR)/usr/lib/engines
-endef
-OPENSSL_POST_INSTALL_TARGET_HOOKS += OPENSSL_REMOVE_OPENSSL_ENGINES
-endif
-
-$(eval $(generic-package))
-$(eval $(host-generic-package))
+$(eval $(virtual-package))
+$(eval $(host-virtual-package))
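Review bot: `$(eval $(host-virtual-package))` at the end of this hunk makes host-openssl virtual as well, but the only provider wiring visible in this patch is target-side (`LIBOPENSSL_PROVIDES = openssl` in libopenssl.mk and BR2_PACKAGE_PROVIDES_OPENSSL in Config.in). Please show how host-openssl resolves to host-libopenssl, or add the host-side provider declaration in this patch; patch 02 in this series shows that softether listed host-openssl in HOST_SOFTETHER_DEPENDENCIES, so at least one package depends on that name resolving.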
--
2.13.6
* [Buildroot] [PATCH 02/13] softether: depend on libopenssl
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 01/13] openssl: new " Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 03/13] hostapd: add libressl-support.patch Adam Duskett
` (11 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
softether tries to use SSLv3 functionality as a fallback. LibreSSL doesn't
support SSLv3 anymore. Two main issues prevent a patch:
- Trying to wrap the sslv3 functionality from the source with a guard clause
results in linking errors after compiling is done.
- There are multiple security vulnerabilities with using sslv3.
- There are multiple security issues in github pertaining to using sslv3.
- This project seems to not be updated very often, and the security issues
are being ignored it seems.
For people who still want to use softether, they will have to use libopenssl.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/softether/Config.in | 4 +++-
package/softether/softether.hash | 3 ++-
package/softether/softether.mk | 6 +++---
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/package/softether/Config.in b/package/softether/Config.in
index 55e5426775..191b09a650 100644
--- a/package/softether/Config.in
+++ b/package/softether/Config.in
@@ -3,8 +3,9 @@ config BR2_PACKAGE_SOFTETHER
depends on BR2_TOOLCHAIN_HAS_THREADS
depends on BR2_USE_MMU # fork()
depends on BR2_USE_WCHAR
+ depends on BR2_PACKAGE_LIBOPENSSL
select BR2_PACKAGE_LIBICONV if !BR2_ENABLE_LOCALE
- select BR2_PACKAGE_OPENSSL
+
select BR2_PACKAGE_READLINE
help
The SoftEther Server is a fully integrated implementation of the SSTP,
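Review bot: replacing `select BR2_PACKAGE_OPENSSL` with `depends on BR2_PACKAGE_LIBOPENSSL` hides softether from menuconfig until the user has already enabled openssl and chosen the libopenssl provider, which is a behaviour change the commit message should state. The line added right after the removed select is an empty `+` line in the middle of the config entry and should be dropped.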
@@ -24,4 +25,5 @@ config BR2_PACKAGE_SOFTETHER
comment "softether needs a toolchain w/ wchar, threads"
depends on BR2_USE_MMU
+ depends on BR2_PACKAGE_LIBOPENSSL
depends on !(BR2_USE_WCHAR && BR2_TOOLCHAIN_HAS_THREADS)
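Review bot: adding `depends on BR2_PACKAGE_LIBOPENSSL` to this comment means the comment only appears once libopenssl is already selected, so a user without it sees neither softether nor any hint about why. Leave this comment's dependencies as they were and add a second comment, shown when BR2_PACKAGE_LIBOPENSSL is not set, saying that softether needs the libopenssl provider.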
diff --git a/package/softether/softether.hash b/package/softether/softether.hash
index 01de10714b..ec6e0603d7 100644
--- a/package/softether/softether.hash
+++ b/package/softether/softether.hash
@@ -1,2 +1,3 @@
# Locally computed
-sha256 a34dca9bdb940f9384ae50096f6485448ca539c557e36b3a7f6f810831ee5946 softether-e9006faf0c8739147ab97e27fe11c5cdd20ed9e6.tar.gz
+sha256 8e6310d36e579ea07171ce5fcb9ebe31235d218444c4e4836ca6c32aa49c1f93 softether-v4.22-9634-beta.tar.gz
+sha256 7aeb873293fa0e44425dabf68a8e46e26c848fe58efcfd3ac7c90a3386f3edd1 LICENSE
diff --git a/package/softether/softether.mk b/package/softether/softether.mk
index 5868438db0..05d2f20fe5 100644
--- a/package/softether/softether.mk
+++ b/package/softether/softether.mk
@@ -4,11 +4,11 @@
#
################################################################################
-SOFTETHER_VERSION = e9006faf0c8739147ab97e27fe11c5cdd20ed9e6
+SOFTETHER_VERSION = v4.22-9634-beta
SOFTETHER_SITE = $(call github,SoftEtherVPN,SoftEtherVPN,$(SOFTETHER_VERSION))
SOFTETHER_LICENSE = GPL-2.0
SOFTETHER_LICENSE_FILES = LICENSE
-SOFTETHER_DEPENDENCIES = host-softether openssl readline
+SOFTETHER_DEPENDENCIES = host-softether libopenssl readline
SOFTETHER_AUTORECONF = YES
ifeq ($(BR2_ENABLE_LOCALE),)
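Review bot: SOFTETHER_VERSION moves from a pinned commit id to the tag v4.22-9634-beta in a patch whose subject and message only talk about depending on libopenssl. The version bump, together with the new tarball hash and the added LICENSE hash in softether.hash, belongs in its own patch with its own justification, so that the dependency change can be reviewed and reverted by itself.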
@@ -26,7 +26,7 @@ SOFTETHER_CONF_OPTS = \
--with-zlib="$(STAGING_DIR)/usr"
# host-libiconv does not exist, therefore we need this extra line
-HOST_SOFTETHER_DEPENDENCIES = host-pkgconf host-openssl host-readline
+HOST_SOFTETHER_DEPENDENCIES = host-pkgconf host-libopenssl host-readline
# target build creates the file hamcore.se2 which needs the host variant of
# hamcorebuilder, for details see http://www.vpnusers.com/viewtopic.php?p=5426
--
2.13.6
* [Buildroot] [PATCH 03/13] hostapd: add libressl-support.patch
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 01/13] openssl: new " Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 02/13] softether: depend on libopenssl Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 04/13] ffmpeg: add libressl suport patch Adam Duskett
` (10 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
From: https://github.com/gentoo/libressl/blob/master/net-wireless/hostapd/files/hostapd-2.6-libressl.patch
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/hostapd/0001-fix-libressl-support.patch | 38 +++++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 package/hostapd/0001-fix-libressl-support.patch
diff --git a/package/hostapd/0001-fix-libressl-support.patch b/package/hostapd/0001-fix-libressl-support.patch
new file mode 100644
index 0000000000..5e8d7afeff
--- /dev/null
+++ b/package/hostapd/0001-fix-libressl-support.patch
@@ -0,0 +1,38 @@
+From 85c1ae0865c7221af98a60cc678c03c78d443389 Mon Sep 17 00:00:00 2001
+From: Aric Belsito <lluixhi@gmail.com>
+Date: Fri, 4 Aug 2017 13:02:17 -0400
+Subject: [PATCH] fix libressl support
+
+From: https://github.com/gentoo/libressl/blob/master/net-wireless/hostapd/files/hostapd-2.6-libressl.patch
+
+Original Author: Aric Belsito <lluixhi@gmail.com>
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ src/crypto/crypto_openssl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 19e0e2b..b3d1b07 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
+
+ void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+ struct wpabuf *pubkey = NULL, *privkey = NULL;
+ size_t publen, privlen;
+@@ -712,7 +712,7 @@ err:
+
+ void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+
+ dh = DH_new();
+--
+2.13.3
+
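Review bot: both guards in the embedded patch, in dh5_init() and dh5_init_fixed(), add `|| defined(LIBRESSL_VERSION_NUMBER)` with no version bound, which pins every LibreSSL release to the pre-1.1.0 code path. Please state in the embedded patch header which LibreSSL version this was tested against and whether it has been sent upstream to hostapd, so the guard can be revisited when the LibreSSL package is bumped.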
--
2.13.6
* [Buildroot] [PATCH 04/13] ffmpeg: add libressl suport patch
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (2 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 03/13] hostapd: add libressl-support.patch Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 05/13] mosquitto: add libressl support patch Adam Duskett
` (9 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
From: https://github.com/gentoo/libressl/blob/master/media-video/ffmpeg/files/ffmpeg-3.3-libressl.patch
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/ffmpeg/0002-fix-libressl-support.patch | 74 ++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 package/ffmpeg/0002-fix-libressl-support.patch
diff --git a/package/ffmpeg/0002-fix-libressl-support.patch b/package/ffmpeg/0002-fix-libressl-support.patch
new file mode 100644
index 0000000000..5dc2595acf
--- /dev/null
+++ b/package/ffmpeg/0002-fix-libressl-support.patch
@@ -0,0 +1,74 @@
+From b02b11af7f0697a43f6c92011eaca7f914bd3bf1 Mon Sep 17 00:00:00 2001
+From: Aric Belsito <lluixhi@gmail.com>
+Date: Fri, 4 Aug 2017 13:06:15 -0400
+Subject: [PATCH] fix libressl support
+
+From: https://github.com/gentoo/libressl/blob/master/media-video/ffmpeg/files/ffmpeg-3.3-libressl.patch
+
+Original author: Aric Belsito <lluixhi@gmail.com>
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ libavformat/tls_openssl.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c
+index 38af8a2..0599544 100644
+--- a/libavformat/tls_openssl.c
++++ b/libavformat/tls_openssl.c
+@@ -43,7 +43,7 @@ typedef struct TLSContext {
+ TLSShared tls_shared;
+ SSL_CTX *ctx;
+ SSL *ssl;
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
+ BIO_METHOD* url_bio_method;
+ #endif
+ } TLSContext;
+@@ -68,7 +68,7 @@ static unsigned long openssl_thread_id(void)
+
+ static int url_bio_create(BIO *b)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
+ BIO_set_init(b, 1);
+ BIO_set_data(b, NULL);
+ BIO_set_flags(b, 0);
+@@ -85,7 +85,7 @@ static int url_bio_destroy(BIO *b)
+ return 1;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
+ #define GET_BIO_DATA(x) BIO_get_data(x)
+ #else
+ #define GET_BIO_DATA(x) (x)->ptr
+@@ -129,7 +129,7 @@ static int url_bio_bputs(BIO *b, const char *str)
+ return url_bio_bwrite(b, str, strlen(str));
+ }
+
+-#if OPENSSL_VERSION_NUMBER < 0x1010000fL
++#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(LIBRESSL_VERSION_NUMBER)
+ static BIO_METHOD url_bio_method = {
+ .type = BIO_TYPE_SOURCE_SINK,
+ .name = "urlprotocol bio",
+@@ -208,7 +208,7 @@ static int tls_close(URLContext *h)
+ SSL_CTX_free(c->ctx);
+ if (c->tls_shared.tcp)
+ ffurl_close(c->tls_shared.tcp);
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
+ if (c->url_bio_method)
+ BIO_meth_free(c->url_bio_method);
+ #endif
+@@ -266,7 +266,7 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op
+ ret = AVERROR(EIO);
+ goto fail;
+ }
+-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
++#if OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
+ p->url_bio_method = BIO_meth_new(BIO_TYPE_SOURCE_SINK, "urlprotocol bio");
+ BIO_meth_set_write(p->url_bio_method, url_bio_bwrite);
+ BIO_meth_set_read(p->url_bio_method, url_bio_bread);
+--
+2.13.3
+
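Review bot: the embedded patch is taken from a file named ffmpeg-3.3-libressl.patch, but nothing in this commit says which ffmpeg version Buildroot packages or that the six guard changes in libavformat/tls_openssl.c were checked against it. The six sites have to stay in lockstep, because TLSContext only carries the `url_bio_method` pointer on the OpenSSL >= 1.1.0 branch while the LibreSSL branch uses the static `url_bio_method` struct and `(x)->ptr`; a build against LibreSSL with ffmpeg's OpenSSL TLS backend enabled is worth recording in the commit message, along with the upstream status of the patch.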
--
2.13.6
* [Buildroot] [PATCH 05/13] mosquitto: add libressl support patch
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (3 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 04/13] ffmpeg: add libressl suport patch Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 06/13] opusfile: " Adam Duskett
` (8 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
When a program checks for openssl 1.1 or higher, it will pass that
check because libressl sets its version number to 2.x.
Add simple checks to see if LIBRESSL_VERSION_NUMBER is defined.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/mosquitto/0001-fix-libressl-support.patch | 68 +++++++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 package/mosquitto/0001-fix-libressl-support.patch
diff --git a/package/mosquitto/0001-fix-libressl-support.patch b/package/mosquitto/0001-fix-libressl-support.patch
new file mode 100644
index 0000000000..8db1e58370
--- /dev/null
+++ b/package/mosquitto/0001-fix-libressl-support.patch
@@ -0,0 +1,68 @@
+From c2c5e05dc606a2f6299245004e222671cc41c625 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Thu, 3 Aug 2017 14:21:14 -0400
+Subject: [PATCH] fix libressl support
+
+When a program checks for openssl 1.1 or higher, it will pass that
+check because libressl sets it's version number to 2.x.
+
+Add simple checks to see if libressl_version_number is defined.
+
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ lib/net_mosq.c | 2 +-
+ src/mosquitto_passwd.c | 4 ++--
+ src/security_default.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/net_mosq.c b/lib/net_mosq.c
+index 063c4a2..cdbc83f 100644
+--- a/lib/net_mosq.c
++++ b/lib/net_mosq.c
+@@ -114,7 +114,7 @@ void _mosquitto_net_init(void)
+ void _mosquitto_net_cleanup(void)
+ {
+ #ifdef WITH_TLS
+- #if OPENSSL_VERSION_NUMBER < 0x10100000L
++ #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ ERR_remove_state(0);
+ #endif
+ ENGINE_cleanup();
+diff --git a/src/mosquitto_passwd.c b/src/mosquitto_passwd.c
+index c3dd05a..6305ee0 100644
+--- a/src/mosquitto_passwd.c
++++ b/src/mosquitto_passwd.c
+@@ -90,7 +90,7 @@ int output_new_password(FILE *fptr, const char *username, const char *password)
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ unsigned int hash_len;
+ const EVP_MD *digest;
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ EVP_MD_CTX context;
+ #else
+ EVP_MD_CTX *context;
+@@ -117,7 +117,7 @@ int output_new_password(FILE *fptr, const char *username, const char *password)
+ return 1;
+ }
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ EVP_MD_CTX_init(&context);
+ EVP_DigestInit_ex(&context, digest, NULL);
+ EVP_DigestUpdate(&context, password, strlen(password));
+diff --git a/src/security_default.c b/src/security_default.c
+index 43cd3f0..e307b7a 100644
+--- a/src/security_default.c
++++ b/src/security_default.c
+@@ -790,7 +790,7 @@ int mosquitto_psk_key_get_default(struct mosquitto_db *db, const char *hint, con
+ int _pw_digest(const char *password, const unsigned char *salt, unsigned int salt_len, unsigned char *hash, unsigned int *hash_len)
+ {
+ const EVP_MD *digest;
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ EVP_MD_CTX context;
+
+ digest = EVP_get_digestbyname("sha512");
+--
+2.13.3
+
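Review bot: two of the files touched by the embedded patch, src/mosquitto_passwd.c (output_new_password) and src/security_default.c (_pw_digest), are the password hashing paths, and the new guards move them to the stack-allocated `EVP_MD_CTX context` branch when building against LibreSSL. A compile check is not enough for this code; please confirm that a password file written by mosquitto_passwd is accepted by a broker built against the same LibreSSL, and note the result and the upstream status of the patch in the commit message.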
--
2.13.6
* [Buildroot] [PATCH 06/13] opusfile: add libressl support patch
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (4 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 05/13] mosquitto: add libressl support patch Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 07/13] openldap: " Adam Duskett
` (7 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
When a program checks for openssl 1.1 or higher, it will pass that
check because libressl sets its version number to 2.x.
Add simple checks to see if LIBRESSL_VERSION_NUMBER is defined.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/opusfile/0001-fix-libressl-support.patch | 119 +++++++++++++++++++++++
1 file changed, 119 insertions(+)
create mode 100644 package/opusfile/0001-fix-libressl-support.patch
diff --git a/package/opusfile/0001-fix-libressl-support.patch b/package/opusfile/0001-fix-libressl-support.patch
new file mode 100644
index 0000000000..7965d78bfe
--- /dev/null
+++ b/package/opusfile/0001-fix-libressl-support.patch
@@ -0,0 +1,119 @@
+From 349ddeff80bc2188b75ef3a3a9bf65203bcb9d7e Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Tue, 17 Oct 2017 21:14:59 -0400
+Subject: [PATCH] fix-libressl-support
+
+When a program checks for openssl 1.1 or higher, it will pass that
+check because libressl sets it's version number to 2.x.
+
+Add simple checks to see if libressl_version_number is defined.
+
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ src/http.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/http.c b/src/http.c
+index acd0e8c..f6896c2 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -1530,7 +1530,7 @@ static long op_bio_retry_ctrl(BIO *_b,int _cmd,long _num,void *_ptr){
+ return ret;
+ }
+
+-# if OPENSSL_VERSION_NUMBER<0x10100000L
++# if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ # define BIO_set_data(_b,_ptr) ((_b)->ptr=(_ptr))
+ # define BIO_set_init(_b,_init) ((_b)->init=(_init))
+ # define ASN1_STRING_get0_data ASN1_STRING_data
+@@ -1538,7 +1538,7 @@ static long op_bio_retry_ctrl(BIO *_b,int _cmd,long _num,void *_ptr){
+
+ static int op_bio_retry_new(BIO *_b){
+ BIO_set_init(_b,1);
+-# if OPENSSL_VERSION_NUMBER<0x10100000L
++# if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ _b->num=0;
+ # endif
+ BIO_set_data(_b,NULL);
+@@ -1549,7 +1549,7 @@ static int op_bio_retry_free(BIO *_b){
+ return _b!=NULL;
+ }
+
+-# if OPENSSL_VERSION_NUMBER<0x10100000L
++# if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /*This is not const because OpenSSL doesn't allow it, even though it won't
+ write to it.*/
+ static BIO_METHOD op_bio_retry_method={
+@@ -1570,7 +1570,7 @@ static BIO_METHOD op_bio_retry_method={
+ proxying https URL requests.*/
+ static int op_http_conn_establish_tunnel(OpusHTTPStream *_stream,
+ OpusHTTPConn *_conn,op_sock _fd,SSL *_ssl_conn,BIO *_ssl_bio){
+-# if OPENSSL_VERSION_NUMBER>=0x10100000L
++# if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ BIO_METHOD *bio_retry_method;
+ # endif
+ BIO *retry_bio;
+@@ -1583,7 +1583,7 @@ static int op_http_conn_establish_tunnel(OpusHTTPStream *_stream,
+ ret=op_http_conn_write_fully(_conn,
+ _stream->proxy_connect.buf,_stream->proxy_connect.nbuf);
+ if(OP_UNLIKELY(ret<0))return ret;
+-# if OPENSSL_VERSION_NUMBER>=0x10100000L
++# if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ bio_retry_method=BIO_meth_new(BIO_TYPE_NULL,"retry");
+ if(bio_retry_method==NULL)return OP_EFAULT;
+ BIO_meth_set_write(bio_retry_method,op_bio_retry_write);
+@@ -1606,7 +1606,7 @@ static int op_http_conn_establish_tunnel(OpusHTTPStream *_stream,
+ /*This shouldn't succeed, since we can't read yet.*/
+ OP_ALWAYS_TRUE(SSL_connect(_ssl_conn)<0);
+ SSL_set_bio(_ssl_conn,_ssl_bio,_ssl_bio);
+-# if OPENSSL_VERSION_NUMBER>=0x10100000L
++# if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ BIO_meth_free(bio_retry_method);
+ # endif
+ /*Only now do we disable write coalescing, to allow the CONNECT
+@@ -1635,7 +1635,7 @@ static struct addrinfo *op_inet_pton(const char *_host){
+ return NULL;
+ }
+
+-# if OPENSSL_VERSION_NUMBER<0x10002000L
++# if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ /*Match a host name against a host with a possible wildcard pattern according
+ to the rules of RFC 6125 Section 6.4.3.
+ Return: 0 if the pattern doesn't match, and a non-zero value if it does.*/
+@@ -1893,7 +1893,7 @@ static int op_http_conn_start_tls(OpusHTTPStream *_stream,OpusHTTPConn *_conn,
+ SSL_set_tlsext_host_name(_ssl_conn,_stream->url.host);
+ # endif
+ skip_certificate_check=_stream->skip_certificate_check;
+-# if OPENSSL_VERSION_NUMBER>=0x10002000L
++# if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /*As of version 1.0.2, OpenSSL can finally do hostname checks automatically.
+ Of course, they make it much more complicated than it needs to be.*/
+ if(!skip_certificate_check){
+@@ -1956,13 +1956,13 @@ static int op_http_conn_start_tls(OpusHTTPStream *_stream,OpusHTTPConn *_conn,
+ if(OP_UNLIKELY(ret<=0))return OP_FALSE;
+ ssl_session=_stream->ssl_session;
+ if(ssl_session==NULL
+-# if OPENSSL_VERSION_NUMBER<0x10002000L
++# if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ ||!skip_certificate_check
+ # endif
+ ){
+ ret=op_do_ssl_step(_ssl_conn,_fd,SSL_do_handshake);
+ if(OP_UNLIKELY(ret<=0))return OP_FALSE;
+-# if OPENSSL_VERSION_NUMBER<0x10002000L
++# if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+ /*OpenSSL before version 1.0.2 does not do automatic hostname verification,
+ despite the fact that we just passed it the hostname above in the call
+ to SSL_set_tlsext_host_name().
+@@ -2314,7 +2314,7 @@ static int op_http_stream_open(OpusHTTPStream *_stream,const char *_url,
+ /*Initialize the SSL library if necessary.*/
+ if(OP_URL_IS_SSL(&_stream->url)&&_stream->ssl_ctx==NULL){
+ SSL_CTX *ssl_ctx;
+-# if OPENSSL_VERSION_NUMBER<0x10100000L
++# if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ # if !defined(OPENSSL_NO_LOCKING)
+ /*The documentation says SSL_library_init() is not reentrant.
+ We don't want to add our own depenencies on a threading library, and it
+--
+2.13.6
+
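Review bot: In the src/http.c hunks at -1635, -1893 and -1956, `|| defined(LIBRESSL_VERSION_NUMBER)` sends every LibreSSL build down the pre-1.0.2 path, so hostname verification is done by opusfile's own RFC 6125 matcher rather than by the library's automatic check, and the commit message does not say so. Please state that in the message and confirm that a certificate with a non-matching host name is still rejected in a LibreSSL build. The tests are also unbounded: they stay true for any later LibreSSL that provides BIO_meth_new() and the other 1.1.0 calls, so compare LIBRESSL_VERSION_NUMBER against a specific value rather than testing only that it is defined. The inner commit message spells the macro libressl_version_number, which is not the identifier the code tests.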
--
2.13.6
* [Buildroot] [PATCH 07/13] openldap: add libressl support patch
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (5 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 06/13] opusfile: " Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 08/13] heirloom-mailx: " Adam Duskett
` (6 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
When a program checks for openssl 1.1 or higher, it will pass that
check because libressl sets its version number to 2.x.
Add simple checks to see if LIBRESSL_VERSION_NUMBER is defined.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/openldap/0004-fix-libressl-support.patch | 104 +++++++++++++++++++++++
1 file changed, 104 insertions(+)
create mode 100644 package/openldap/0004-fix-libressl-support.patch
diff --git a/package/openldap/0004-fix-libressl-support.patch b/package/openldap/0004-fix-libressl-support.patch
new file mode 100644
index 0000000000..8f3bf5423c
--- /dev/null
+++ b/package/openldap/0004-fix-libressl-support.patch
@@ -0,0 +1,104 @@
+From 8093c506228e28c5cc8db9fd90b687004712168b Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Thu, 3 Aug 2017 17:09:39 -0400
+Subject: [PATCH] fix libressl support
+
+When a program checks for openssl 1.1 or higher, it will pass that
+check because libressl sets it's version number to 2.x.
+
+Add simple checks to see if libressl_version_number is defined.
+
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ libraries/libldap/tls_o.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 2025c9f..41faf0d 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -47,7 +47,7 @@
+ #include <ssl.h>
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000
++#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+ #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
+ #endif
+
+@@ -157,7 +157,7 @@ tlso_init( void )
+ (void) tlso_seed_PRNG( lo->ldo_tls_randfile );
+ #endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
+ SSL_load_error_strings();
+ SSL_library_init();
+ OpenSSL_add_all_digests();
+@@ -205,7 +205,7 @@ static void
+ tlso_ctx_ref( tls_ctx *ctx )
+ {
+ tlso_ctx *c = (tlso_ctx *)ctx;
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
+ #define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX )
+ #endif
+ SSL_CTX_up_ref( c );
+@@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn )
+ if (!x) return LDAP_INVALID_CREDENTIALS;
+
+ xn = X509_get_subject_name(x);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
+ der_dn->bv_len = i2d_X509_NAME( xn, NULL );
+ der_dn->bv_val = xn->bytes->data;
+ #else
+@@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
+ return LDAP_INVALID_CREDENTIALS;
+
+ xn = X509_get_subject_name(x);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
+ der_dn->bv_len = i2d_X509_NAME( xn, NULL );
+ der_dn->bv_val = xn->bytes->data;
+ #else
+@@ -721,7 +721,7 @@ struct tls_data {
+ Sockbuf_IO_Desc *sbiod;
+ };
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
+ #define BIO_set_init(b, x) b->init = x
+ #define BIO_set_data(b, x) b->ptr = x
+ #define BIO_clear_flags(b, x) b->flags &= ~(x)
+@@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str )
+ return tlso_bio_write( b, str, strlen( str ) );
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000
++#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
+ struct bio_method_st {
+ int type;
+ const char *name;
+@@ -1187,10 +1187,17 @@ tlso_seed_PRNG( const char *randfile )
+ */
+ randfile = RAND_file_name( buffer, sizeof( buffer ) );
+
+- } else if (RAND_egd(randfile) > 0) {
++ }
++ #ifndef OPENSSL_NO_EGD
++ else if (RAND_egd(randfile) > 0) {
+ /* EGD socket */
+ return 0;
+ }
++ #else
++ else {
++ return 0;
++ }
++ #endif
+
+ if (randfile == NULL) {
+ Debug( LDAP_DEBUG_ANY,
+--
+2.13.3
+
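Review bot: In the tlso_seed_PRNG hunk at -1187, the `#else` branch added for OPENSSL_NO_EGD returns 0 for every non-NULL randfile, so everything after the branch is skipped for a configured random file and the function still reports success. Before the change, a RAND_egd() call that did not succeed fell through to that code. Guard only the `else if (RAND_egd(randfile) > 0)` arm and add no `else { return 0; }`, so the build without EGD falls through the same way. The `#ifndef`/`#else`/`#endif` lines in this hunk are also indented, unlike the other directives of tls_o.c visible in this patch.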
--
2.13.6
* [Buildroot] [PATCH 08/13] heirloom-mailx: add libressl support patch
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (6 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 07/13] openldap: " Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 09/13] libevent: " Adam Duskett
` (5 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
heirloom-mailx has two small issues when compiling against LibreSSL:
- RAND_egd is used (LibreSSL does not support RAND_egd)
Solution: "Guard" the code calling RAND_egd
- SSLv3_client_method function is used (LibreSSL does not support SSLv3)
Solution: "Guard" the code with #ifndef OPENSSL_NO_SSL3
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
.../heirloom-mailx/0002-fix-libressl-support.patch | 54 ++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 package/heirloom-mailx/0002-fix-libressl-support.patch
diff --git a/package/heirloom-mailx/0002-fix-libressl-support.patch b/package/heirloom-mailx/0002-fix-libressl-support.patch
new file mode 100644
index 0000000000..0fafa4ae0b
--- /dev/null
+++ b/package/heirloom-mailx/0002-fix-libressl-support.patch
@@ -0,0 +1,54 @@
+From aad28d30af6c3a74c522dd61943788e908860c84 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Fri, 4 Aug 2017 07:22:47 -0400
+Subject: [PATCH] fix libressl support
+
+heirloom-mailx has two small issues when compiling against LibreSSL:
+ - RAND_egd is used (LibreSSL does not support RAND_egd)
+ Solution: "Guard" the code calling RAND_egd
+
+ - SSLv3_client_method function is used (LibreSSL does not support SSLv3)
+ Solution: "Guard" the code with #ifndef OPENSSL_NO_SSL3
+
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ openssl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/openssl.c b/openssl.c
+index 44fe4e5..c4a1bb7 100644
+--- a/openssl.c
++++ b/openssl.c
+@@ -137,11 +137,13 @@ ssl_rand_init(void)
+
+ if ((cp = value("ssl-rand-egd")) != NULL) {
+ cp = expand(cp);
++#ifndef OPENSSL_NO_EGD
+ if (RAND_egd(cp) == -1) {
+ fprintf(stderr, catgets(catd, CATSET, 245,
+ "entropy daemon at \"%s\" not available\n"),
+ cp);
+ } else
++#endif
+ state = 1;
+ } else if ((cp = value("ssl-rand-file")) != NULL) {
+ cp = expand(cp);
+@@ -216,10 +218,15 @@ ssl_select_method(const char *uhp)
+
+ cp = ssl_method_string(uhp);
+ if (cp != NULL) {
++ #ifndef OPENSSL_NO_SSL3
+ if (equal(cp, "ssl3"))
+ method = SSLv3_client_method();
+ else if (equal(cp, "tls1"))
+ method = TLSv1_client_method();
++ #else
++ if (equal(cp, "tls1"))
++ method = TLSv1_client_method();
++ #endif
+ else {
+ fprintf(stderr, catgets(catd, CATSET, 244,
+ "Invalid SSL method \"%s\"\n"), cp);
+--
+2.13.3
+
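Review bot: In the ssl_rand_init hunk, when OPENSSL_NO_EGD is defined the `#ifndef` removes both the RAND_egd() call and its `else`, so `state = 1;` runs unconditionally whenever ssl-rand-egd is set, as if the entropy daemon had been read, and the ssl-rand-file arm of the same if / else-if chain is not tried either. In the build without EGD, print a diagnostic that ssl-rand-egd is unsupported and leave state untouched. In ssl_select_method, guarding only the ssl3 comparison would avoid duplicating the tls1 branch, and the preprocessor lines there are indented while the ones in the first hunk are not.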
--
2.13.6
* [Buildroot] [PATCH 09/13] libevent: add libressl support patch
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (7 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 08/13] heirloom-mailx: " Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 10/13] wpa_supplicant: " Adam Duskett
` (4 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
When a program checks for openssl 1.1 or higher, it will pass that
check because libressl sets its version number to 2.x.
Add simple checks to see if LIBRESSL_VERSION_NUMBER is defined.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/libevent/0002-fix-libressl-support.patch | 31 ++++++++++++++++++++++++
1 file changed, 31 insertions(+)
create mode 100644 package/libevent/0002-fix-libressl-support.patch
diff --git a/package/libevent/0002-fix-libressl-support.patch b/package/libevent/0002-fix-libressl-support.patch
new file mode 100644
index 0000000000..ff4ecc3e8a
--- /dev/null
+++ b/package/libevent/0002-fix-libressl-support.patch
@@ -0,0 +1,31 @@
+From 10ca825cf8f52b14b6230db7de5e5df307212499 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <aduskett@gmail.com>
+Date: Wed, 2 Aug 2017 11:38:11 -0400
+Subject: [PATCH 1/1] add libressl support
+
+When a program checks for openssl 1.1 or higher, it will pass that
+check because libressl sets it's version number to 2.x.
+
+Add simple checks to see if libressl_version_number is defined.
+
+Signed-off-by: Adam Duskett <aduskett@gmail.com>
+---
+ openssl-compat.h | 2 +-
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/openssl-compat.h b/openssl-compat.h
+index 69afc71..937fa4d 100644
+--- a/openssl-compat.h
++++ b/openssl-compat.h
+@@ -1,7 +1,7 @@
+ #ifndef OPENSSL_COMPAT_H
+ #define OPENSSL_COMPAT_H
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
+
+ static inline BIO_METHOD *BIO_meth_new(int type, const char *name)
+ {
+--
+2.13.3
+
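Review bot: The new condition in openssl-compat.h is true for every LibreSSL version, so the `static inline BIO_METHOD *BIO_meth_new(...)` shim below it will also be compiled against a LibreSSL that declares BIO_meth_new() itself. Bound the test with a comparison on LIBRESSL_VERSION_NUMBER instead of `defined (...)` alone. The diffstat claims 2 insertions and 2 deletions while the hunk has one of each, which suggests the patch was edited by hand; regenerate it with git format-patch. The From and Signed-off-by address inside the patch also differs from the one on the Buildroot commit.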
--
2.13.6
* [Buildroot] [PATCH 10/13] wpa_supplicant: add libressl support patch
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (8 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 09/13] libevent: " Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 11/13] ca-certificates: fix installation against libressl Adam Duskett
` (3 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
From: https://github.com/OpenELEC/OpenELEC.tv/blob/master/packages/network/wpa_supplicant/patches/wpa_supplicant-libressl.patch
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
.../wpa_supplicant/0001-fix-libressl-support.patch | 70 ++++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 package/wpa_supplicant/0001-fix-libressl-support.patch
diff --git a/package/wpa_supplicant/0001-fix-libressl-support.patch b/package/wpa_supplicant/0001-fix-libressl-support.patch
new file mode 100644
index 0000000000..d6706ad48d
--- /dev/null
+++ b/package/wpa_supplicant/0001-fix-libressl-support.patch
@@ -0,0 +1,70 @@
+From fd08ab1edce039ebefd305f7d8241cef6e4a397c Mon Sep 17 00:00:00 2001
+From: Stephan Raue <stephan@openelec.tv>
+Date: Fri, 4 Aug 2017 12:51:58 -0400
+Subject: [PATCH] fix libressl support
+
+From: https://github.com/OpenELEC/OpenELEC.tv/blob/master/packages/network/wpa_supplicant/patches/wpa_supplicant-libressl.patch
+
+Original author: Stephan Raue <stephan@openelec.tv>
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ src/crypto/crypto_openssl.c | 4 ++--
+ src/crypto/tls_openssl.c | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
+index 19e0e2b..b3d1b07 100644
+--- a/src/crypto/crypto_openssl.c
++++ b/src/crypto/crypto_openssl.c
+@@ -611,7 +611,7 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
+
+ void * dh5_init(struct wpabuf **priv, struct wpabuf **publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+ struct wpabuf *pubkey = NULL, *privkey = NULL;
+ size_t publen, privlen;
+@@ -712,7 +712,7 @@ err:
+
+ void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ DH *dh;
+
+ dh = DH_new();
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 23ac64b..8ddcb7e 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -919,7 +919,7 @@ void * tls_init(const struct tls_config *conf)
+ }
+ #endif /* OPENSSL_FIPS */
+ #endif /* CONFIG_FIPS */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ SSL_load_error_strings();
+ SSL_library_init();
+ #ifndef OPENSSL_NO_SHA256
+@@ -1043,7 +1043,7 @@ void tls_deinit(void *ssl_ctx)
+
+ tls_openssl_ref_count--;
+ if (tls_openssl_ref_count == 0) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #ifndef OPENSSL_NO_ENGINE
+ ENGINE_cleanup();
+ #endif /* OPENSSL_NO_ENGINE */
+@@ -3976,7 +3976,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
+ engine_id = "pkcs11";
+
+ #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ if (params->flags & TLS_CONN_EAP_FAST) {
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: Use TLSv1_method() for EAP-FAST");
+--
+2.13.3
+
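Review bot: The commit message gives only a URL into the master branch of another repository, which can change or disappear, and says nothing about what the five changed conditions do. Reference a fixed commit and describe the change in the message; the patch names Stephan Raue as author but carries no Signed-off-by from him. In the tls_connection_set_params hunk, LibreSSL builds now take the branch that logs "OpenSSL: Use TLSv1_method() for EAP-FAST", so confirm that this is the intended method selection for LibreSSL. As in the other patches of the series, `defined(LIBRESSL_VERSION_NUMBER)` is not bounded by a version.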
--
2.13.6
* [Buildroot] [PATCH 11/13] ca-certificates: fix installation against libressl
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (9 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 10/13] wpa_supplicant: " Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 12/13] mosquitto: fix building " Adam Duskett
` (2 subsequent siblings)
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
ca-certificates uses the c_rehash script from openssl to create
symlinks to the certificates by their hash value.
LibreSSL moved this functionality into the openssl binary itself.
Check to see if LibreSSL is installed, and if so, call the host openssl
itself instead of the c_rehash script.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/ca-certificates/ca-certificates.mk | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/package/ca-certificates/ca-certificates.mk b/package/ca-certificates/ca-certificates.mk
index f712e7988e..735284c7a3 100644
--- a/package/ca-certificates/ca-certificates.mk
+++ b/package/ca-certificates/ca-certificates.mk
@@ -19,6 +19,18 @@ define CA_CERTIFICATES_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) all
endef
+ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
+define CA_CERTIFICATES_CREATE_SYMLINKS
+ $(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
+endef
+endif
+
+ifeq ($(BR2_PACKAGE_LIBRESSL),y)
+define CA_CERTIFICATES_CREATE_SYMLINKS
+ $(HOST_DIR)/bin/openssl certhash $(TARGET_DIR)/etc/ssl/certs
+endef
+endif
+
define CA_CERTIFICATES_INSTALL_TARGET_CMDS
$(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/share/ca-certificates
$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/ssl/certs
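Review bot: Both definitions call a host tool but are selected by target symbols. The LibreSSL variant needs `$(HOST_DIR)/bin/openssl` to be a LibreSSL binary with the certhash subcommand, and nothing in this diff adds a host dependency that would install one. Select the rehash command by what the host package actually provides, or keep c_rehash from the host OpenSSL for both target libraries.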
@@ -37,7 +49,7 @@ define CA_CERTIFICATES_INSTALL_TARGET_CMDS
done
# Create symlinks to the certificates by their hash values
- $(HOST_DIR)/bin/c_rehash $(TARGET_DIR)/etc/ssl/certs
+ $(CA_CERTIFICATES_CREATE_SYMLINKS)
endef
$(eval $(generic-package))
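Review bot: `$(CA_CERTIFICATES_CREATE_SYMLINKS)` is defined only inside the two `ifeq` blocks added above, so with neither BR2_PACKAGE_LIBOPENSSL nor BR2_PACKAGE_LIBRESSL set to y it expands to nothing and the hash symlinks are silently not created, where the removed line always ran c_rehash. Give the variable a default definition, or turn the second block into an `else`, so this install step can never be empty.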
--
2.13.6
* [Buildroot] [PATCH 12/13] mosquitto: fix building against libressl
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (10 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 11/13] ca-certificates: fix installation against libressl Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-18 2:32 ` [Buildroot] [PATCH 13/13] openssl: add libressl to virtual package Adam Duskett
2017-10-21 19:33 ` [Buildroot] [PATCH 00/13] Turn OpenSSL into a " Thomas Petazzoni
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
mosquitto has tls_psk enabled by default, which libressl does not support.
This is fixed with passing WITH_TLS_PSK=no to the make opts if libressl
is selected, and WITH_TLS_PSK=yes if libopenssl is selected.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/mosquitto/mosquitto.mk | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/package/mosquitto/mosquitto.mk b/package/mosquitto/mosquitto.mk
index c763f48ab1..ef34cee3f0 100644
--- a/package/mosquitto/mosquitto.mk
+++ b/package/mosquitto/mosquitto.mk
@@ -33,6 +33,11 @@ endif
ifeq ($(BR2_PACKAGE_OPENSSL),y)
MOSQUITTO_DEPENDENCIES += openssl
MOSQUITTO_MAKE_OPTS += WITH_TLS=yes
+ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
+MOSQUITTO_MAKE_OPTS += WITH_TLS_PSK=yes
+else ifeq ($(BR2_PACKAGE_LIBRESSL),y)
+MOSQUITTO_MAKE_OPTS += WITH_TLS_PSK=no
+endif
else
MOSQUITTO_MAKE_OPTS += WITH_TLS=no
endif
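Review bot: WITH_TLS_PSK is set only when one of the two named providers matches; the `else ifeq` has no final `else`, so any other provider of openssl leaves the upstream default in place, which the commit message says is enabled. A plain `ifeq ($(BR2_PACKAGE_LIBRESSL),y)` with `WITH_TLS_PSK=no`, then `else` with `WITH_TLS_PSK=yes`, covers every case. A one-line comment above the block saying that LibreSSL lacks TLS-PSK would explain the option to later readers.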
--
2.13.6
* [Buildroot] [PATCH 13/13] openssl: add libressl to virtual package
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (11 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 12/13] mosquitto: fix building " Adam Duskett
@ 2017-10-18 2:32 ` Adam Duskett
2017-10-21 19:33 ` [Buildroot] [PATCH 00/13] Turn OpenSSL into a " Thomas Petazzoni
13 siblings, 0 replies; 17+ messages in thread
From: Adam Duskett @ 2017-10-18 2:32 UTC (permalink / raw)
To: buildroot
At this point, libressl can be added to the openssl virtual package.
- Remove the entry package/libressl/Config.in from package/Config.in
- Remove the file: package/libressl/Config.in
- Add libressl entry to package/openssl/Config.in
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
package/Config.in | 2 --
package/libressl/Config.in | 20 --------------------
package/openssl/Config.in | 23 ++++++++++++++++++++++-
3 files changed, 22 insertions(+), 23 deletions(-)
delete mode 100644 package/libressl/Config.in
diff --git a/package/Config.in b/package/Config.in
index d4cf62708a..94004098d1 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1029,8 +1029,6 @@ menu "Crypto"
source "package/libuecc/Config.in"
source "package/mbedtls/Config.in"
source "package/nettle/Config.in"
- # libressl is a openssl replacement
- source "package/libressl/Config.in"
source "package/openssl/Config.in"
source "package/rhash/Config.in"
source "package/tinydtls/Config.in"
diff --git a/package/libressl/Config.in b/package/libressl/Config.in
deleted file mode 100644
index 0a1c9e273e..0000000000
--- a/package/libressl/Config.in
+++ /dev/null
@@ -1,20 +0,0 @@
-config BR2_PACKAGE_LIBRESSL
- bool "libressl"
- depends on !BR2_PACKAGE_OPENSSL
- help
- LibreSSL is a version of the TLS/crypto stack forked from
- OpenSSL in 2014, with goals of modernizing the codebase,
- improving security, and applying best practice development
- processes.
-
- http://www.libressl.org/
-
-if BR2_PACKAGE_LIBRESSL
-
-config BR2_PACKAGE_LIBRESSL_BIN
- bool "openssl binary"
- help
- Install the openssl binary to the target file system. This is
- a command line tool for doing various cryptographic stuff.
-
-endif
diff --git a/package/openssl/Config.in b/package/openssl/Config.in
index 1b3e852fdb..5cb2c5b758 100644
--- a/package/openssl/Config.in
+++ b/package/openssl/Config.in
@@ -9,7 +9,7 @@ choice
prompt "ssl library"
default BR2_PACKAGE_LIBOPENSSL
help
- Select OpenSSL.
+ Select OpenSSL or LibreSSL.
config BR2_PACKAGE_LIBOPENSSL
bool "openssl"
@@ -41,6 +41,26 @@ config BR2_PACKAGE_LIBOPENSSL_ENGINES
endif
+config BR2_PACKAGE_LIBRESSL
+ bool "libressl"
+ help
+ LibreSSL is a version of the TLS/crypto stack forked from
+ OpenSSL in 2014, with goals of modernizing the codebase,
+ improving security, and applying best practice development
+ processes.
+
+ http://www.libressl.org/
+
+if BR2_PACKAGE_LIBRESSL
+
+config BR2_PACKAGE_LIBRESSL_BIN
+ bool "openssl binary"
+ help
+ Install the openssl binary to the target file system. This is
+ a command line tool for doing various cryptographic stuff.
+
+endif
+
endchoice
config BR2_PACKAGE_HAS_OPENSSL
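Review bot: BR2_PACKAGE_LIBRESSL used to be a top-level entry with `depends on !BR2_PACKAGE_OPENSSL`, so every existing configuration that enables it has BR2_PACKAGE_OPENSSL unset; this hunk makes it a value of a choice whose default is BR2_PACKAGE_LIBOPENSSL. If that choice is only visible with BR2_PACKAGE_OPENSSL enabled, those configurations drop libressl without any message. Add legacy handling for the old setting or document the migration in the commit message.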
@@ -49,4 +69,5 @@ config BR2_PACKAGE_HAS_OPENSSL
config BR2_PACKAGE_PROVIDES_OPENSSL
string
default "libopenssl" if BR2_PACKAGE_LIBOPENSSL
+ default "libressl" if BR2_PACKAGE_LIBRESSL
endif
--
2.13.6
* [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package
2017-10-18 2:32 [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package Adam Duskett
` (12 preceding siblings ...)
2017-10-18 2:32 ` [Buildroot] [PATCH 13/13] openssl: add libressl to virtual package Adam Duskett
@ 2017-10-21 19:33 ` Thomas Petazzoni
2017-10-21 20:46 ` Arnout Vandecappelle
13 siblings, 1 reply; 17+ messages in thread
From: Thomas Petazzoni @ 2017-10-21 19:33 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 17 Oct 2017 22:32:27 -0400, Adam Duskett wrote:
> Adam Duskett (13):
> openssl: new virtual package
> softether: depend on libopenssl
> hostapd: add libressl-support.patch
> ffmpeg: add libressl suport patch
> mosquitto: add libressl support patch
> opusfile: add libressl support patch
> openldap: add libressl support patch
> heirloom-mailx: add libressl support patch
> libevent: add libressl support patch
> wpa_supplicant: add libressl support patch
> ca-certificates: fix installation against libressl
> mosquitto: fix building against libressl
> openssl: add libressl to virtual package
So, we finally applied this series, but with quite a few changes:
- We were not happy with carrying all those patches to make those
packages compatible with LibreSSL, so instead we made them depend on
libopenssl only.
- For heirloom-mailx, we kept the patch because it looks acceptable
upstream. Could you submit it upstream, please?
- For softether, switching to a "depends on" was not acceptable, as it
would break existing defconfigs. So instead, we introduced a
BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL hidden boolean that tells the
openssl virtual package that only libopenssl is acceptable as a
provider.
- With your series, ca-certificates would not build, because it needs
host-openssl, which would be host-libressl, which doesn't exist.
However, using host-libressl would mean that all packages that
depend on host-openssl would have to be checked. So instead, we
defined BR2_PACKAGE_PROVIDES_HOST_OPENSSL to host-libopenssl, which
forces host-openssl to always point to host-libopenssl.
With those changes, series applied. Now, it would be helpful to update
utils/genrandconfig to randomly enable libressl instead of openssl to
get this situation tested by the autobuilders.
Thanks a lot!
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
* [Buildroot] [PATCH 00/13] Turn OpenSSL into a virtual package
2017-10-21 19:33 ` [Buildroot] [PATCH 00/13] Turn OpenSSL into a " Thomas Petazzoni
@ 2017-10-21 20:46 ` Arnout Vandecappelle
0 siblings, 0 replies; 17+ messages in thread
From: Arnout Vandecappelle @ 2017-10-21 20:46 UTC (permalink / raw)
To: buildroot
On 21-10-17 21:33, Thomas Petazzoni wrote:
> - We were not happy with carrying all those patches to make those
> packages compatible with LibreSSL, so instead we made them depend on
> libopenssl only.
Let me clarify our reasoning for this.
First of all, patching packages to support libressl is borderline a feature patch.
Second, I'm not sure that the patches that add ||
defined(LIBRESSL_VERSION_NUMBER) are entirely acceptable upstream. The issue is
that as soon as libressl does support the OpenSSL 1.1.0 APIs, the condition is
not correct anymore and it becomes rather complicated to make it correct. So at
least we would want upstream feedback on these patches before we accept them in
Buildroot.
And finally, all those packages don't strictly depend on openssl anyway, they
only optionally use it. So if they don't support libressl it isn't that critical.
Regards,
Arnout
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
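
The problem described in the reply above with `|| defined(LIBRESSL_VERSION_NUMBER)`, as an added example that is not part of the thread or of any package's code: the three version tests are written as C functions so they can be compared on constructed header values. LIBRESSL_110_API_PLACEHOLDER and the sample version numbers are assumptions made up for the illustration; the thread names no LibreSSL release that provides the 1.1.0 API.

```c
#include <stdio.h>
#include <stddef.h>

/* OpenSSL 1.1.0, the threshold tested by the patches in this thread. */
#define OPENSSL_110_API 0x10100000L

/* ASSUMPTION: constructed placeholder for "first LibreSSL release that
   implements the 1.1.0 API". Not a real release number. */
#define LIBRESSL_110_API_PLACEHOLDER 0x30000000L

/* Upstream test before the patches: OPENSSL_VERSION_NUMBER < 0x10100000L */
static int compat_needed_upstream(long openssl)
{
    return openssl < OPENSSL_110_API;
}

/* Test as patched in this series:
   OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
   libressl == 0 stands for "LIBRESSL_VERSION_NUMBER is not defined". */
static int compat_needed_as_patched(long openssl, long libressl)
{
    return openssl < OPENSSL_110_API || libressl != 0;
}

/* Bounded variant: each library is compared against its own threshold. */
static int compat_needed_bounded(long openssl, long libressl, long libressl_min)
{
    if (libressl != 0)
        return libressl < libressl_min;
    return openssl < OPENSSL_110_API;
}

struct header_sample {
    const char *label;
    long openssl;   /* OPENSSL_VERSION_NUMBER as the header reports it */
    long libressl;  /* LIBRESSL_VERSION_NUMBER, 0 if not defined */
};

/* Constructed samples; LibreSSL reports a 2.x OPENSSL_VERSION_NUMBER. */
static const struct header_sample SAMPLES[] = {
    { "OpenSSL 1.0.2",              0x10002000L, 0 },
    { "OpenSSL 1.1.0",              0x10100000L, 0 },
    { "LibreSSL without 1.1.0 API", 0x20000000L, 0x20000000L },
    { "LibreSSL with 1.1.0 API",    0x20000000L, 0x30000000L },
};

/* Index of the first sample where the patched and the bounded test
   choose different code paths, or -1 if they always agree. */
int first_disagreement(void)
{
    size_t i;
    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        int patched = compat_needed_as_patched(SAMPLES[i].openssl,
                                               SAMPLES[i].libressl);
        int bounded = compat_needed_bounded(SAMPLES[i].openssl,
                                            SAMPLES[i].libressl,
                                            LIBRESSL_110_API_PLACEHOLDER);
        if (patched != bounded)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    size_t i;
    printf("%-28s upstream patched bounded\n", "header");
    for (i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        const struct header_sample *s = &SAMPLES[i];
        printf("%-28s %8d %7d %7d\n", s->label,
               compat_needed_upstream(s->openssl),
               compat_needed_as_patched(s->openssl, s->libressl),
               compat_needed_bounded(s->openssl, s->libressl,
                                     LIBRESSL_110_API_PLACEHOLDER));
    }
    printf("first disagreement at sample %d\n", first_disagreement());
    return 0;
}
```

The third row is the case the patches fix (the upstream test selects the 1.1.0 path on a LibreSSL that lacks it); the fourth row is the case the unbounded test gets wrong.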