[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Ed Swierk]

This patch updates the polarssl package to build the current mbed 1.3.x
release.

It also prefixes the generated binaries with mbed_, to avoid names that
overlap with other packages (like sha1sum) or that are generic and
confusing (like selftest or hello).

Signed-off-by: Ed Swierk <eswierk@skyportsystems.com>
---
 package/polarssl/0001-no-test-suite.patch          | 27 ----------------------
 ...he-standard-CMake-flag-to-drive-the-share.patch | 18 +++++++--------
 package/polarssl/polarssl.hash                     |  4 ++--
 package/polarssl/polarssl.mk                       | 17 +++++++++++---
 4 files changed, 25 insertions(+), 41 deletions(-)
 delete mode 100644 package/polarssl/0001-no-test-suite.patch

diff --git a/package/polarssl/0001-no-test-suite.patch b/package/polarssl/0001-no-test-suite.patch
deleted file mode 100644
index 4c8552a..0000000
--- a/package/polarssl/0001-no-test-suite.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Add BUILD_TESTS option to disable test suite
-
-By default, PolarSSL builds a fairly extensive test suite to validate
-the library. In the context of Buildroot, building this test suite is
-not really useful, so we add a BUILD_TESTS to disable its build.
-
-[Gustavo: update for 1.2.11]
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-
-diff -Nura polarssl-1.2.11.orig/CMakeLists.txt polarssl-1.2.11/CMakeLists.txt
---- polarssl-1.2.11.orig/CMakeLists.txt	2014-07-11 17:14:43.414651327 -0300
-+++ polarssl-1.2.11/CMakeLists.txt	2014-07-11 17:23:00.573498626 -0300
-@@ -49,9 +49,11 @@
- add_subdirectory(library)
- add_subdirectory(include)
- 
--if(CMAKE_COMPILER_IS_GNUCC)
-+option(BUILD_TESTS "Build tests." ON)
-+
-+if(CMAKE_COMPILER_IS_GNUCC AND BUILD_TESTS)
-   add_subdirectory(tests)
--endif(CMAKE_COMPILER_IS_GNUCC)
-+endif(CMAKE_COMPILER_IS_GNUCC AND BUILD_TESTS)
- if(CMAKE_COMPILER_IS_CLANG)
-   add_subdirectory(tests)
- endif(CMAKE_COMPILER_IS_CLANG)
diff --git a/package/polarssl/0002-cmake-use-the-standard-CMake-flag-to-drive-the-share.patch b/package/polarssl/0002-cmake-use-the-standard-CMake-flag-to-drive-the-share.patch
index d241ae2..2ab80a5 100644
--- a/package/polarssl/0002-cmake-use-the-standard-CMake-flag-to-drive-the-share.patch
+++ b/package/polarssl/0002-cmake-use-the-standard-CMake-flag-to-drive-the-share.patch
@@ -17,23 +17,23 @@ index 27bd2e0..2ae0aba 100644
 --- a/library/CMakeLists.txt
 +++ b/library/CMakeLists.txt
 @@ -1,5 +1,15 @@
--option(USE_STATIC_POLARSSL_LIBRARY "Build PolarSSL static library." ON)
--option(USE_SHARED_POLARSSL_LIBRARY "Build PolarSSL shared library." OFF)
+-option(USE_STATIC_MBEDTLS_LIBRARY "Build mbed TLS static library." ON)
+-option(USE_SHARED_MBEDTLS_LIBRARY "Build mbed TLS shared library." OFF)
 +# Use the standard CMake flag to drive the shared object build.
-+if(DEFINED BUILD_SHARED_LIBS AND NOT DEFINED USE_STATIC_POLARSSL_LIBRARY AND NOT DEFINED USE_SHARED_POLARSSL_LIBRARY)
-+  set(USE_STATIC_POLARSSL_LIBRARY ON)
++if(DEFINED BUILD_SHARED_LIBS AND NOT DEFINED USE_STATIC_MBEDTLS_LIBRARY AND NOT DEFINED USE_SHARED_MBEDTLS_LIBRARY)
++  set(USE_STATIC_MBEDTLS_LIBRARY ON)
 +  if(BUILD_SHARED_LIBS)
-+    set(USE_SHARED_POLARSSL_LIBRARY ON)
++    set(USE_SHARED_MBEDTLS_LIBRARY ON)
 +  else()
-+    set(USE_SHARED_POLARSSL_LIBRARY OFF)
++    set(USE_SHARED_MBEDTLS_LIBRARY OFF)
 +  endif()
 +else()
-+  option(USE_STATIC_POLARSSL_LIBRARY "Build PolarSSL static library." ON)
-+  option(USE_SHARED_POLARSSL_LIBRARY "Build PolarSSL shared library." OFF)
++  option(USE_STATIC_MBEDTLS_LIBRARY "Build mbed TLS static library." ON)
++  option(USE_SHARED_MBEDTLS_LIBRARY "Build mbed TLS shared library." OFF)
 +endif()
+ option(LINK_WITH_PTHREAD "Explicitly link mbed TLS library to pthread." OFF)
  
  set(src
-      aes.c
 -- 
 2.1.0
 
diff --git a/package/polarssl/polarssl.hash b/package/polarssl/polarssl.hash
index e7883fd..23ed577 100644
--- a/package/polarssl/polarssl.hash
+++ b/package/polarssl/polarssl.hash
@@ -1,2 +1,2 @@
-# From https://polarssl.org/tech-updates/releases/polarssl-1.2.14-released
-sha256	d7cbd8314aa3a5441f6282d13d07df610f49b4bc678088b04188adf093d17d37	polarssl-1.2.14-gpl.tgz
+# From https://tls.mbed.org/code/releases/mbedtls-1.3.11-gpl.tgz
+sha256	67a593027b6a442a4fa5b6c224c4ac8cdae5be721f5a28a11d34f10dcda441cb	mbedtls-1.3.11-gpl.tgz
diff --git a/package/polarssl/polarssl.mk b/package/polarssl/polarssl.mk
index 289a28d..9462253 100644
--- a/package/polarssl/polarssl.mk
+++ b/package/polarssl/polarssl.mk
@@ -5,10 +5,12 @@
 ################################################################################
 
 POLARSSL_SITE = https://tls.mbed.org/code/releases
-POLARSSL_VERSION = 1.2.14
-POLARSSL_SOURCE = polarssl-$(POLARSSL_VERSION)-gpl.tgz
+POLARSSL_VERSION = 1.3.11
+POLARSSL_SOURCE = mbedtls-$(POLARSSL_VERSION)-gpl.tgz
 POLARSSL_CONF_OPTS = \
-	-DENABLE_PROGRAMS=$(if $(BR2_PACKAGE_POLARSSL_PROGRAMS),ON,OFF)
+	-DENABLE_PROGRAMS=$(if $(BR2_PACKAGE_POLARSSL_PROGRAMS),ON,OFF) \
+	-DENABLE_TESTING=OFF \
+	-DCMAKE_EXECUTABLE_SUFFIX_C=_mbed \
 
 POLARSSL_INSTALL_STAGING = YES
 POLARSSL_LICENSE = GPLv2
@@ -26,4 +28,13 @@ else ifeq ($(BR2_microblaze),y)
 POLARSSL_POST_CONFIGURE_HOOKS += POLARSSL_DISABLE_ASM
 endif
 
+# Prefix installed executables with mbed_ to avoid conflicting with
+# other tools like sha1sum
+define POLARSSL_PREFIX_EXECUTABLES
+	cd $(TARGET_DIR)/usr/bin; for f in *_mbed; do [ ! -f $$f ] || mv $$f mbed_$${f%_mbed}; done
+	rm -f $(TARGET_DIR)/usr/lib/libmbedtls.a
+endef
+
+POLARSSL_POST_INSTALL_TARGET_HOOKS += POLARSSL_PREFIX_EXECUTABLES
+
 $(eval $(cmake-package))
-- 
1.9.1

[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Gustavo Zacarias]

On 16/07/15 17:58, Ed Swierk wrote:

> This patch updates the polarssl package to build the current mbed 1.3.x
> release.
>
> It also prefixes the generated binaries with mbed_, to avoid names that
> overlap with other packages (like sha1sum) or that are generic and
> confusing (like selftest or hello).

And breaks at least openvpn in the process since 1.2.x and 1.3.x are API 
incompatible (also Hiawatha but a bump would fix that).
I didn't test rtmpdump or shairport-sync for breakage.
So there's more to do than just bump (there's no openvpn release 
compatible with 1.3.x, that's scheduled for the 2.4.x branch).
Regards.

[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Thomas Petazzoni]

Dear Ed Swierk,

On Thu, 16 Jul 2015 13:58:49 -0700, Ed Swierk wrote:
> This patch updates the polarssl package to build the current mbed 1.3.x
> release.
> 
> It also prefixes the generated binaries with mbed_, to avoid names that
> overlap with other packages (like sha1sum) or that are generic and
> confusing (like selftest or hello).
> 
> Signed-off-by: Ed Swierk <eswierk@skyportsystems.com>
> ---
>  package/polarssl/0001-no-test-suite.patch          | 27 ----------------------
>  ...he-standard-CMake-flag-to-drive-the-share.patch | 18 +++++++--------
>  package/polarssl/polarssl.hash                     |  4 ++--
>  package/polarssl/polarssl.mk                       | 17 +++++++++++---
>  4 files changed, 25 insertions(+), 41 deletions(-)
>  delete mode 100644 package/polarssl/0001-no-test-suite.patch

Thanks for your patch. However, following Gustavo's comment, I've
marked your patch as "Changes Requested" in our patch tracking system.
Can you resubmit a new version that takes into account Gustavo's
comments?

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Arnout Vandecappelle]

On 07/16/15 23:11, Thomas Petazzoni wrote:
> Dear Ed Swierk,
> 
> On Thu, 16 Jul 2015 13:58:49 -0700, Ed Swierk wrote:
>> This patch updates the polarssl package to build the current mbed 1.3.x
>> release.
>>
>> It also prefixes the generated binaries with mbed_, to avoid names that
>> overlap with other packages (like sha1sum) or that are generic and
>> confusing (like selftest or hello).
>>
>> Signed-off-by: Ed Swierk <eswierk@skyportsystems.com>
>> ---
>>  package/polarssl/0001-no-test-suite.patch          | 27 ----------------------
>>  ...he-standard-CMake-flag-to-drive-the-share.patch | 18 +++++++--------
>>  package/polarssl/polarssl.hash                     |  4 ++--
>>  package/polarssl/polarssl.mk                       | 17 +++++++++++---
>>  4 files changed, 25 insertions(+), 41 deletions(-)
>>  delete mode 100644 package/polarssl/0001-no-test-suite.patch
> 
> Thanks for your patch. However, following Gustavo's comment, I've
> marked your patch as "Changes Requested" in our patch tracking system.
> Can you resubmit a new version that takes into account Gustavo's
> comments?

 Since it anyway is not compatible and upstream changed name, perhaps it's
better just to create a new package called mbedtls? When we remove polarssl we
can make a legacy entry to point to mbedtls.

 Regards,
 Arnout


-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Thomas Petazzoni]

Arnout, Ed,

On Fri, 17 Jul 2015 00:32:59 +0200, Arnout Vandecappelle wrote:

> > Thanks for your patch. However, following Gustavo's comment, I've
> > marked your patch as "Changes Requested" in our patch tracking system.
> > Can you resubmit a new version that takes into account Gustavo's
> > comments?
> 
>  Since it anyway is not compatible and upstream changed name, perhaps it's
> better just to create a new package called mbedtls? When we remove polarssl we
> can make a legacy entry to point to mbedtls.

Why would we remove polarssl? Is the project dead? Or is mbedtls its
replacement?

Other than that, yes: if mbedtls is like a new library that is
incompatible with polarssl, then a separate package is the best option.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Gustavo Zacarias]

On 17/07/15 04:52, Thomas Petazzoni wrote:

> Arnout, Ed,
>
> On Fri, 17 Jul 2015 00:32:59 +0200, Arnout Vandecappelle wrote:
>
>>> Thanks for your patch. However, following Gustavo's comment, I've
>>> marked your patch as "Changes Requested" in our patch tracking system.
>>> Can you resubmit a new version that takes into account Gustavo's
>>> comments?
>>
>>   Since it anyway is not compatible and upstream changed name, perhaps it's
>> better just to create a new package called mbedtls? When we remove polarssl we
>> can make a legacy entry to point to mbedtls.
>
> Why would we remove polarssl? Is the project dead? Or is mbedtls its
> replacement?
>
> Other than that, yes: if mbedtls is like a new library that is
> incompatible with polarssl, then a separate package is the best option.

mbedtls is polarssl, it just got renamed when they got bought by ARM.
Adding to confusion this was done with the 1.3+ branches but not with 
1.2 (which is in security maintenance).
It was to reflect that polarssl (now mbedtls) is the crypto library for 
the mbed operating system, even though it still works with linux (likely 
they enabled this with 1.3+ but never backported to 1.2- hence keeping 
the old name).
Last time i've checked the 1.2 and 1.3 series couldn't coexist sanely on 
the same system, and since programs checks for polarssl rather than 
mbedtls for now it's probably still the case.
rtmpdump can use any of the three optionally (gnutls, openssl, 
polarssl), dunno if it can handle 1.3+
curl needs 1.3+ (we never enabled polarssl support).
Newer hiawatha needs 1.3+ (or can use bundled).
shairport-sync can use either polarssl or openssl (mandatory one of 
them), dunno if it can handle 1.3+
openvpn can use openssl or polarssl (not 1.3+).
So it basically narrows down the choices, though it doesn't necessarily 
take down other packages.
Question is, keep 1.2 and some small targets small or go 1.3+ ?
Also there's mbedtls 2.0.0 now, which, again, breaks API. And this has a 
better chance of living side by side with polarssl 1.2 since they've 
renamed everything it seems.
Regards.

[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Arnout Vandecappelle]

On 07/17/15 12:30, Gustavo Zacarias wrote:
> On 17/07/15 04:52, Thomas Petazzoni wrote:
> 
>> Arnout, Ed,
>>
>> On Fri, 17 Jul 2015 00:32:59 +0200, Arnout Vandecappelle wrote:
>>
>>>> Thanks for your patch. However, following Gustavo's comment, I've
>>>> marked your patch as "Changes Requested" in our patch tracking system.
>>>> Can you resubmit a new version that takes into account Gustavo's
>>>> comments?
>>>
>>>   Since it anyway is not compatible and upstream changed name, perhaps it's
>>> better just to create a new package called mbedtls? When we remove polarssl we
>>> can make a legacy entry to point to mbedtls.
>>
>> Why would we remove polarssl? Is the project dead? Or is mbedtls its
>> replacement?
>>
>> Other than that, yes: if mbedtls is like a new library that is
>> incompatible with polarssl, then a separate package is the best option.
> 
> mbedtls is polarssl, it just got renamed when they got bought by ARM.
> Adding to confusion this was done with the 1.3+ branches but not with 1.2 (which
> is in security maintenance).
> It was to reflect that polarssl (now mbedtls) is the crypto library for the mbed
> operating system, even though it still works with linux (likely they enabled
> this with 1.3+ but never backported to 1.2- hence keeping the old name).
> Last time i've checked the 1.2 and 1.3 series couldn't coexist sanely on the
> same system, and since programs checks for polarssl rather than mbedtls for now
> it's probably still the case.
> rtmpdump can use any of the three optionally (gnutls, openssl, polarssl), dunno
> if it can handle 1.3+
> curl needs 1.3+ (we never enabled polarssl support).
> Newer hiawatha needs 1.3+ (or can use bundled).
> shairport-sync can use either polarssl or openssl (mandatory one of them), dunno
> if it can handle 1.3+
> openvpn can use openssl or polarssl (not 1.3+).
> So it basically narrows down the choices, though it doesn't necessarily take
> down other packages.
> Question is, keep 1.2 and some small targets small or go 1.3+ ?
> Also there's mbedtls 2.0.0 now, which, again, breaks API. And this has a better
> chance of living side by side with polarssl 1.2 since they've renamed everything
> it seems.

 So the tarball called mbedtls installs a library called polarssl? Or does it
install a library called mbedtls with a symlink from polarssl?

 Either way, since there's an API change, I still think it makes sense to make
it a new package - that's what we do with webkitgtk24 as well. If side-by-side
is not possible, we can just make it depend on !polarssl or vice versa. It's a
bit of a pain while we have both polarssl and mbedtls because of the extra
select/depends stuff in the packages using it, but anyway most packages only
have automatic dependencies in the .mk file.

 With the API breakage in mbedtls 2.0 in mind, it's probably best to call the
new package mbedtls13 so we can eventually (when everything has migrated to 2.0
API) end up with just a single package mbedtls.

 All this for a TLS library that has simplicity as its USP :-)

 Regards,
 Arnout

-- 
Arnout Vandecappelle      arnout dot vandecappelle at essensium dot com
Senior Embedded Software Architect . . . . . . +32-478-010353 (mobile)
Essensium, Mind division . . . . . . . . . . . . . . http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium . . . . . BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH] Update from polarssl to mbed 1.3.11

[Gustavo Zacarias]

On 17/07/15 08:11, Arnout Vandecappelle wrote:

>   So the tarball called mbedtls installs a library called polarssl? Or does it
> install a library called mbedtls with a symlink from polarssl?

The 1.3 series installs as polarssl for compatbility purposes.
I haven't looked at the 2.0 tarball but according to the release notes 
it should install as mbedtls since they broke API anyway (unless they're 
too shortsighted).

>   Either way, since there's an API change, I still think it makes sense to make
> it a new package - that's what we do with webkitgtk24 as well. If side-by-side
> is not possible, we can just make it depend on !polarssl or vice versa. It's a
> bit of a pain while we have both polarssl and mbedtls because of the extra
> select/depends stuff in the packages using it, but anyway most packages only
> have automatic dependencies in the .mk file.
>
>   With the API breakage in mbedtls 2.0 in mind, it's probably best to call the
> new package mbedtls13 so we can eventually (when everything has migrated to 2.0
> API) end up with just a single package mbedtls.

Question is, Ed, are you using mbedtls for your project?
Because that would make 2.0 more reasonable, in general we prefer the 
latest versions unless there's a special need in the form of BR packages 
that can't work with the latest version.
Regarding openvpn killing 1.2 would leave it in just-openssl ground, 
which isn't too ideal since openvpn+polarssl is probably smaller than 
openssl alone.
The openvpn 2.4 milestone/branch contains 1.3 support but it's no easy 
backport, in general we tend to avoid that and there's no release date 
set either. It also remains to be seen if that works with 2.0.

>   All this for a TLS library that has simplicity as its USP :-)

Heh, don't mention it, even openssl kept the API compatible (not ABI 
though, arguably that's it's main bloat problem).
Regards.