[Buildroot] [PATCH v5 1/4] libopenssl: bump version to 1.1.1a

Vadim Kochan vadim4j at gmail.com
Thu Jan 17 23:28:06 UTC 2019


Hi All,

On Thu, Jan 17, 2019 at 11:39:07AM -0800, Ryan Coe wrote:
> Peter,
> 
> On 1/17/2019 10:16 AM, Peter Seiderer wrote:
> > - remove all parallel build patches (openssl build-system changed)
> > 
> > - rebased 0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
> >    to apply to Configurations/unix-Makefile.tmpl (Makefile template)
> > 
> > - removed 0002-cryptodev-Fix-issue-with-signature-generation.patch
> >    (upstream applied)
> > 
> > - rebased 0003-Reproducible-build-do-not-leak-compiler-path.patch to
> >    apply to crypto/build.info (Makefile template)
> > 
> > - fix musl/uclibc build failure, use '-DOPENSSL_NO_ASYNC'
> > 
> > - remove legacy enable-tlsext configure option
> > 
> > - remove target/host libdir configure options, fixes openssl.pc installation
> >    path, fixes wget compile
> > 
> > - change legacy INSTALL_PREFIX to DESTDIR
> > 
> > - remove 'libraries gets installed read only, so strip fails'
> >    workaround (not needed anymore)
> > 
> > - change engine directory from /usr/lib/engines to
> >    /usr/lib/engines-1.1
> > 
> > - change license file hash, no license change, only the following
> >    hint was removed:
> > 
> >      Actually both licenses are BSD-style Open Source licenses.
> >      In case of any license issues related to OpenSSL please
> >      contact openssl-core at openssl.org.
> > 
> > - fix host-libopenssl compile setting rpath as described in
> >    libopenssl-1.1.0h/NOTES.UNIX
> > 
> > Signed-off-by: Peter Seiderer <ps.report at gmx.net>
> > ---
> > Changes v4 -> v5:
> >    - remove libdir config options (suggested by Arnout Vandecappelle)
> > 
> > Changes v3 -> v4:
> >    - bump version to 1.1.1a
> >    - remove all parallel build patches hash file entries
> >    - re-remove 0004-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
> >      (upstream applied)
> >    - fix hist library install path
> >    - removed 0002-cryptodev-Fix-issue-with-signature-generation.patch
> >      (upstream applied)
> >    - remove follow up patch for openssh (no longer needed since
> >      version bump to 7.9p1, see https://www.openssh.com/releasenotes.html
> >      Portability)
> > 
> > Changes v2 -> v3:
> >    - no changes
> > 
> > Changes v1 -> v2:
> >    - add OPENSSL_NO_ASYNC workaround for musl compile too
> >      (suggested by Bernd Kuhls)
> > 
> >    - fix host-libopenssl compile (reported by Ryan Coe) by setting rpath
> >      (suggested by Ryan Coe)
> > 
> >    - fix 0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
> >      and 0003-Reproducible-build-do-not-leak-compiler-path.patch to apply
> >      to the Makefile templates (instead of re-generated Makefile)
> >      (reported by Ryan Coe)
> > 
> >    - add 0004-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
> >      (suggested by Bernd Kuhls)
> > 
> > Notes:
> > 
> >   - There was a previous attempt to bump the openssl version by
> >     David Mosberger <davidm at egauge.net>. I could not find the
> >     corresponding patch in patchwork or on the mailing list,
> >     only a reply by Arnout Vandecappelle (see [2]) and the
> >     answer by David Mosberger (see [3]).
> > 
> >   - Compile checked packages (depending explicitly on libopenssl or host-libopenssl):
> >     O.k:
> >       - hostapd
> >       - libpjsip
> >       - host-mariadb (with patch)
> >       - mosquitto
> >       - wpa_supplicant
> > 
> >      Failure:
> >       - softether/host-softether
> >       - mariadb (cmake configure error, maybe unrelated?)
> > 
> >   - Compile checked packages (depending on openssl or host-openssl):
> >      O.k.:
> >        - alljoyn-base
> >        - apache
> >        - apr
> >        - apr-util
> >        - freeswitch
> >        - openssh
> >        - pound (with patch https://patchwork.ozlabs.org/patch/962157 )
> > 
> >      Failure:
> >        - android-tools
> > 
> > [2] http://lists.busybox.net/pipermail/buildroot/2017-August/200859.html
> > [3] http://lists.busybox.net/pipermail/buildroot/2017-August/200898.html
> 
> [snip]
> 
> Tested-by: Ryan Coe <bluemrp9 at gmail.com>
> 

I checked that rtmpdump does not compile with openssl 1.1.x, but the
following patch fixes it:

----------------------8<-------------------------------------
>From 7d7953114fc2da7d6cbef0bb3448f45dcad38892 Mon Sep 17 00:00:00 2001
From: Vadim Kochan <vadim4j at gmail.com>
Date: Fri, 18 Jan 2019 01:19:55 +0200
Subject: [PATCH] package/rtmpdump: Fix compilation issues with openssl 1.1.x

Signed-off-by: Vadim Kochan <vadim4j at gmail.com>
---
 ...ibrtmp-Fix-compilation-with-openssl-1.1.x.patch | 276 +++++++++++++++++++++
 1 file changed, 276 insertions(+)
 create mode 100644 package/rtmpdump/0001-librtmp-Fix-compilation-with-openssl-1.1.x.patch

diff --git a/package/rtmpdump/0001-librtmp-Fix-compilation-with-openssl-1.1.x.patch b/package/rtmpdump/0001-librtmp-Fix-compilation-with-openssl-1.1.x.patch
new file mode 100644
index 0000000000..5d6b680b14
--- /dev/null
+++ b/package/rtmpdump/0001-librtmp-Fix-compilation-with-openssl-1.1.x.patch
@@ -0,0 +1,276 @@
+From f3ca4b9450e273afc5b773e5e5637b7fcbc71dd8 Mon Sep 17 00:00:00 2001
+From: Vadim Kochan <vadim4j at gmail.com>
+Date: Fri, 18 Jan 2019 01:15:33 +0200
+Subject: [PATCH] librtmp: Fix compilation with openssl 1.1.x
+
+Signed-off-by: Vadim Kochan <vadim4j at gmail.com>
+---
+ librtmp/dh.h        | 70 +++++++++++++++++++++++++++++++++++++++++++----------
+ librtmp/handshake.h | 13 ++++++----
+ librtmp/hashswf.c   | 18 +++++++++-----
+ librtmp/rtmp.c      |  4 +--
+ 4 files changed, 78 insertions(+), 27 deletions(-)
+
+diff --git a/librtmp/dh.h b/librtmp/dh.h
+index 5fc3f32..2cf6b8c 100644
+--- a/librtmp/dh.h
++++ b/librtmp/dh.h
+@@ -186,6 +186,32 @@ typedef BIGNUM * MP_t;
+ #define MDH_free(dh)	DH_free(dh)
+ #define MDH_generate_key(dh)	DH_generate_key(dh)
+ #define MDH_compute_key(secret, seclen, pub, dh)	DH_compute_key(secret, pub, dh)
++#define MDH_set_g(dh, g) DH_set0_pqg(dh, NULL, NULL, g)
++#define MDH_set_p(dh, p) DH_set0_pqg(dh, p, NULL, NULL)
++#define MDH_set_len(dh, l) DH_set_length(dh, l)
++#define MDH_set_pub_key(dh, pub) DH_set0_key(dh, pub, NULL)
++#define MDH_set_priv_key(dh, priv) DH_set0_key(dh, NULL, priv)
++
++static inline BIGNUM *MDH_get_p(DH *dh)
++{
++  const BIGNUM *p;
++  DH_get0_pqg(dh, &p, NULL, NULL);
++  return (BIGNUM *) p;
++}
++
++static inline BIGNUM *MDH_get_pub_key(DH *dh)
++{
++  const BIGNUM *pub;
++  DH_get0_key(dh, &pub, NULL);
++  return (BIGNUM *) pub;
++}
++
++static inline BIGNUM *MDH_get_priv_key(DH *dh)
++{
++  const BIGNUM *priv;
++  DH_get0_key(dh, NULL, &priv);
++  return (BIGNUM *) priv;
++}
+ 
+ #endif
+ 
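Review bot: MDH_set_g and MDH_set_p each pass NULL for the other parameter to DH_set0_pqg and drop its return value. DH_set0_pqg returns 0 and takes no ownership while p or g is still unset in the DH and not supplied in the call, so on a fresh DH neither macro can succeed on its own. Suggest one setter that passes p and g together and checks the result. The MDH_get_* helpers also cast away the const that DH_get0_pqg and DH_get0_key hand back, which lets callers modify or free BIGNUMs the DH still owns; returning const BIGNUM * would turn that misuse into a compile error.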
+@@ -249,24 +275,28 @@ DHInit(int nKeyBits)
+ {
+   size_t res;
+   MDH *dh = MDH_new();
++  MP_t g, p;
+ 
+   if (!dh)
+     goto failed;
+ 
+-  MP_new(dh->g);
++  MP_new(g);
+ 
+-  if (!dh->g)
++  if (g)
+     goto failed;
+ 
+-  MP_gethex(dh->p, P1024, res);	/* prime P1024, see dhgroups.h */
++  MDH_set_g(dh, g);
++  p = MDH_get_p(dh);
++  MP_gethex(p, P1024, res);	/* prime P1024, see dhgroups.h */
+   if (!res)
+     {
+       goto failed;
+     }
+ 
+-  MP_set_w(dh->g, 2);	/* base 2 */
++  MDH_set_p(dh, p);
++  MP_set_w(g, 2);	/* base 2 */
++  MDH_set_len(dh, nKeyBits);
+ 
+-  dh->length = nKeyBits;
+   return dh;
+ 
+ failed:
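Review bot: the allocation check in DHInit is inverted: `if (g) goto failed;` now bails out whenever MP_new(g) succeeds, where the removed line tested `!dh->g`; it should read `if (!g)`. In the same hunk p is fetched with MDH_get_p(dh) from a DH that was only just created, before anything has set it, and g gets its value from MP_set_w(g, 2) only after it was handed to MDH_set_g. Suggest building p and g completely as locals, installing both in one checked call, and freeing them on the failure path when that call was not reached.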
+@@ -286,6 +316,9 @@ DHGenerateKey(MDH *dh)
+   while (!res)
+     {
+       MP_t q1 = NULL;
++      MP_t priv_key;
++      MP_t pub_key;
++      MP_t p;
+ 
+       if (!MDH_generate_key(dh))
+ 	return 0;
+@@ -293,12 +326,17 @@ DHGenerateKey(MDH *dh)
+       MP_gethex(q1, Q1024, res);
+       assert(res);
+ 
+-      res = isValidPublicKey(dh->pub_key, dh->p, q1);
++      priv_key = MDH_get_priv_key(dh);
++      pub_key = MDH_get_pub_key(dh);
++      p = MDH_get_p(dh);
++
++      res = isValidPublicKey(pub_key, p, q1);
+       if (!res)
+ 	{
+-	  MP_free(dh->pub_key);
+-	  MP_free(dh->priv_key);
+-	  dh->pub_key = dh->priv_key = 0;
++	  MP_free(pub_key);
++	  MP_free(priv_key);
++	  MDH_set_pub_key(dh, NULL);
++	  MDH_set_priv_key(dh, NULL);
+ 	}
+ 
+       MP_free(q1);
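Review bot: in the `!res` branch the DH is left holding freed keys. pub_key and priv_key are released with MP_free, then MDH_set_pub_key(dh, NULL) and MDH_set_priv_key(dh, NULL) are meant to clear the fields, but both expand to DH_set0_key with NULL arguments, and DH_set0_key leaves a field untouched when given NULL. The removed code cleared the pointers explicitly with `dh->pub_key = dh->priv_key = 0;`. As written, the next loop iteration's MDH_generate_key, or a later MDH_free, operates on freed BIGNUMs. Suggest not freeing BIGNUMs the DH owns and retrying with a fresh DH object, or installing replacement keys through DH_set0_key.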
+@@ -313,16 +351,22 @@ DHGenerateKey(MDH *dh)
+ static int
+ DHGetPublicKey(MDH *dh, uint8_t *pubkey, size_t nPubkeyLen)
+ {
++  MP_t pub_key;
+   int len;
+-  if (!dh || !dh->pub_key)
++
++  if (!dh)
++    return 0;
++
++  pub_key = MDH_get_pub_key(dh);
++  if (!pub_key)
+     return 0;
+ 
+-  len = MP_bytes(dh->pub_key);
++  len = MP_bytes(pub_key);
+   if (len <= 0 || len > (int) nPubkeyLen)
+     return 0;
+ 
+   memset(pubkey, 0, nPubkeyLen);
+-  MP_setbin(dh->pub_key, pubkey + (nPubkeyLen - len), len);
++  MP_setbin(pub_key, pubkey + (nPubkeyLen - len), len);
+   return 1;
+ }
+ 
+@@ -364,7 +408,7 @@ DHComputeSharedSecretKey(MDH *dh, uint8_t *pubkey, size_t nPubkeyLen,
+   MP_gethex(q1, Q1024, len);
+   assert(len);
+ 
+-  if (isValidPublicKey(pubkeyBn, dh->p, q1))
++  if (isValidPublicKey(pubkeyBn, MDH_get_p(dh), q1))
+     res = MDH_compute_key(secret, nPubkeyLen, pubkeyBn, dh);
+   else
+     res = -1;
+diff --git a/librtmp/handshake.h b/librtmp/handshake.h
+index 0438486..1e84b3a 100644
+--- a/librtmp/handshake.h
++++ b/librtmp/handshake.h
+@@ -69,9 +69,9 @@ typedef struct arcfour_ctx*	RC4_handle;
+ #if OPENSSL_VERSION_NUMBER < 0x0090800 || !defined(SHA256_DIGEST_LENGTH)
+ #error Your OpenSSL is too old, need 0.9.8 or newer with SHA256
+ #endif
+-#define HMAC_setup(ctx, key, len)	HMAC_CTX_init(&ctx); HMAC_Init_ex(&ctx, key, len, EVP_sha256(), 0)
+-#define HMAC_crunch(ctx, buf, len)	HMAC_Update(&ctx, buf, len)
+-#define HMAC_finish(ctx, dig, dlen)	HMAC_Final(&ctx, dig, &dlen); HMAC_CTX_cleanup(&ctx)
++#define HMAC_setup(ctx, key, len)	HMAC_CTX_reset(ctx); HMAC_Init_ex(ctx, key, len, EVP_sha256(), 0)
++#define HMAC_crunch(ctx, buf, len)	HMAC_Update(ctx, buf, len)
++#define HMAC_finish(ctx, dig, dlen)	HMAC_Final(ctx, dig, &dlen);
+ 
+ typedef RC4_KEY *	RC4_handle;
+ #define RC4_alloc(h)	*h = malloc(sizeof(RC4_KEY))
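Review bot: the `#error` guard directly above the changed macros still states OpenSSL 0.9.8 as the minimum, but HMAC_CTX_reset and the pointer-based HMAC_CTX these macros now assume exist only from 1.1.0. Either keep the old definitions under an `OPENSSL_VERSION_NUMBER < 0x10100000L` branch or raise the stated minimum so older builds fail with a clear message. HMAC_setup is also still two statements and HMAC_finish keeps a trailing semicolon; wrapping them in do { ... } while (0) would make them safe under an unbraced if.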
+@@ -117,7 +117,7 @@ static void InitRC4Encryption
+ {
+   uint8_t digest[SHA256_DIGEST_LENGTH];
+   unsigned int digestLen = 0;
+-  HMAC_CTX ctx;
++  HMAC_CTX *ctx = HMAC_CTX_new();
+ 
+   RC4_alloc(rc4keyIn);
+   RC4_alloc(rc4keyOut);
+@@ -139,6 +139,8 @@ static void InitRC4Encryption
+   RTMP_LogHex(RTMP_LOGDEBUG, digest, 16);
+ 
+   RC4_setkey(*rc4keyIn, 16, digest);
++
++  HMAC_CTX_free(ctx);
+ }
+ 
+ typedef unsigned int (getoff)(uint8_t *buf, unsigned int len);
+@@ -266,12 +268,13 @@ HMACsha256(const uint8_t *message, size_t messageLen, const uint8_t *key,
+ 	   size_t keylen, uint8_t *digest)
+ {
+   unsigned int digestLen;
+-  HMAC_CTX ctx;
++  HMAC_CTX *ctx = HMAC_CTX_new();
+ 
+   HMAC_setup(ctx, key, keylen);
+   HMAC_crunch(ctx, message, messageLen);
+   HMAC_finish(ctx, digest, digestLen);
+ 
++  HMAC_CTX_free(ctx);
+   assert(digestLen == 32);
+ }
+ 
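Review bot: the result of HMAC_CTX_new() in HMACsha256 is used without a NULL check, and the same applies to InitRC4Encryption in the hunk above. The stack-allocated HMAC_CTX it replaces could not fail, so this is a new failure mode that needs handling before HMAC_setup runs. digestLen is also declared without an initialiser, so if HMAC_Final fails the final `assert(digestLen == 32);` tests an indeterminate value; initialising it to 0 keeps the assert meaningful.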
+diff --git a/librtmp/hashswf.c b/librtmp/hashswf.c
+index 9f4e2c0..ba2c228 100644
+--- a/librtmp/hashswf.c
++++ b/librtmp/hashswf.c
+@@ -57,10 +57,10 @@
+ #include <openssl/sha.h>
+ #include <openssl/hmac.h>
+ #include <openssl/rc4.h>
+-#define HMAC_setup(ctx, key, len)	HMAC_CTX_init(&ctx); HMAC_Init_ex(&ctx, (unsigned char *)key, len, EVP_sha256(), 0)
+-#define HMAC_crunch(ctx, buf, len)	HMAC_Update(&ctx, (unsigned char *)buf, len)
+-#define HMAC_finish(ctx, dig, dlen)	HMAC_Final(&ctx, (unsigned char *)dig, &dlen);
+-#define HMAC_close(ctx)	HMAC_CTX_cleanup(&ctx)
++#define HMAC_setup(ctx, key, len)	HMAC_CTX_reset(ctx); HMAC_Init_ex(ctx, (unsigned char *)key, len, EVP_sha256(), 0)
++#define HMAC_crunch(ctx, buf, len)	HMAC_Update(ctx, (unsigned char *)buf, len)
++#define HMAC_finish(ctx, dig, dlen)	HMAC_Final(ctx, (unsigned char *)dig, &dlen);
++#define HMAC_close(ctx)
+ #endif
+ 
+ extern void RTMP_TLS_Init();
+@@ -289,7 +289,7 @@ leave:
+ struct info
+ {
+   z_stream *zs;
+-  HMAC_CTX ctx;
++  HMAC_CTX *ctx;
+   int first;
+   int zlib;
+   int size;
+@@ -582,6 +582,10 @@ RTMP_HashSWF(const char *url, unsigned int *size, unsigned char *hash,
+     }
+ 
+   in.first = 1;
++  in.ctx = HMAC_CTX_new();
++  if (!in.ctx)
++    goto out;
++
+   HMAC_setup(in.ctx, "Genuine Adobe Flash Player 001", 30);
+   inflateInit(&zs);
+   in.zs = &zs;
+@@ -621,7 +625,7 @@ RTMP_HashSWF(const char *url, unsigned int *size, unsigned char *hash,
+ 		  "%s: couldn't open %s for writing, errno %d (%s)",
+ 		  __FUNCTION__, path, err, strerror(err));
+ 	      ret = -1;
+-	      goto out;
++	      goto free_ctx;
+ 	    }
+ 	  fseek(f, 0, SEEK_END);
+ 	  q = strchr(url, '?');
+@@ -649,6 +653,8 @@ RTMP_HashSWF(const char *url, unsigned int *size, unsigned char *hash,
+ 	}
+     }
+   HMAC_close(in.ctx);
++free_ctx:
++  HMAC_CTX_free(in.ctx);
+ out:
+   free(path);
+   if (f)
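Review bot: the new `free_ctx:` label sits between HMAC_close and `out:`, so in.ctx is released only on paths that jump to free_ctx or fall through to it; any other `goto out` taken after HMAC_CTX_new() would leak the context. Only one jump is retargeted in this patch, so please confirm no other `goto out` remains in that range. A simpler layout is to set in.ctx to NULL before the first possible jump and call HMAC_CTX_free(in.ctx) under `out:`, since freeing a NULL context is a no-op. The `goto out` added on allocation failure also leaves the return value as it was, unlike the fopen failure path, which sets `ret = -1;` first.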
+diff --git a/librtmp/rtmp.c b/librtmp/rtmp.c
+index a2863b0..c995568 100644
+--- a/librtmp/rtmp.c
++++ b/librtmp/rtmp.c
+@@ -245,9 +245,7 @@ RTMP_TLS_Init()
+   	"ca.pem", GNUTLS_X509_FMT_PEM);
+ #elif !defined(NO_SSL) /* USE_OPENSSL */
+   /* libcrypto doesn't need anything special */
+-  SSL_load_error_strings();
+-  SSL_library_init();
+-  OpenSSL_add_all_digests();
++  OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+   RTMP_TLS_ctx = SSL_CTX_new(SSLv23_method());
+   SSL_CTX_set_options(RTMP_TLS_ctx, SSL_OP_ALL);
+   SSL_CTX_set_default_verify_paths(RTMP_TLS_ctx);
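Review bot: OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) stands in for three removed calls but covers only the digest registration; SSL_load_error_strings() and SSL_library_init() were libssl initialisation, whose 1.1.x counterpart is OPENSSL_init_ssl(). OpenSSL 1.1.x initialises itself on first use, so SSL_CTX_new() will still work, but the return value is ignored here and the call is unguarded for pre-1.1.0 builds. Suggest either OPENSSL_init_ssl(0, NULL) with a result check or dropping the explicit call, inside an OPENSSL_VERSION_NUMBER guard that keeps the old calls for older libraries.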
+-- 
+2.14.1
+
-- 
2.14.1

------------------------------>8--------------------------------

but .... I did not check the software actually)

Regards,
Vadim Kochan


