
package/ustream-ssl: fix build w/ mbedtls v3.6

Since the mbedtls bump to v3.6 [1] the ustream-ssl package is failling
on the autobuilder with the following error:

```
In file included from /home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-internal.h:25,
                 from /home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-ssl.c:25:
/home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-mbedtls.h:24:10: fatal error: mbedtls/certs.h: No such file or directory
   24 | #include <mbedtls/certs.h>
      |          ^~~~~~~~~~~~~~~~~
compilation terminated.
```

This error can be reproduced with the following config:

```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_USTREAM_SSL=y
EOF
make olddefconfig
make
```

This patch backports the upstream commits that address compatibility with
mbedtls v3.6.

 - [2] rename the `_random` function used by the mbedtls functions
 - [3] update `mbedtls_pk_parse_keyfile` function to support new mbedtls
     definition and use `mbedtls_pk_get_type`.

[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 0001-ustream-mbedtls-use-getrandom-instead-of-dev-urandom.patch
[3] 0002-ustream-mbedtls-add-compatibility-with-mbed-tls-3-0-0.patch

Fixes: https://autobuild.buildroot.org/results/c20/c20dac7cbe5def2c6036d2e1d06de0bfea68b57c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Thomas Perale 4 veckor sedan
förälder
incheckning
d28ae8b00b

+ 88 - 0
package/ustream-ssl/0001-ustream-mbedtls-use-getrandom-instead-of-dev-urandom.patch

@@ -0,0 +1,88 @@
+From 498f6e268d4d2b0ad33b430f4ba1abe397d31496 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Sun, 19 Feb 2023 21:11:12 +0100
+Subject: [PATCH] ustream-mbedtls: Use getrandom() instead of /dev/urandom
+
+Instead of keeping a file descriptor open just use the getrandom syscall
+to get random data. This is supported by musl libc, glibc and Linux for
+some time now.
+
+This also improves the error handling in case this function returns not
+as many bytes as expected.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Reviewed-by: Torsten Duwe <duwe@lst.de>
+Upstream: https://git.openwrt.org/?p=project/ustream-ssl.git;a=commit;h=498f6e268d4d2b0ad33b430f4ba1abe397d31496
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ ustream-mbedtls.c | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
+index e79e37b..7fc7874 100644
+--- a/ustream-mbedtls.c
++++ b/ustream-mbedtls.c
+@@ -17,6 +17,7 @@
+  */
+ 
+ #include <sys/types.h>
++#include <sys/random.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+@@ -25,8 +26,6 @@
+ #include "ustream-ssl.h"
+ #include "ustream-internal.h"
+ 
+-static int urandom_fd = -1;
+-
+ static int s_ustream_read(void *ctx, unsigned char *buf, size_t len)
+ {
+ 	struct ustream *s = ctx;
+@@ -66,21 +65,12 @@ __hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct ustr
+ 	mbedtls_ssl_set_bio(ssl, conn, s_ustream_write, s_ustream_read, NULL);
+ }
+ 
+-static bool urandom_init(void)
++static int _random(void *ctx, unsigned char *out, size_t len)
+ {
+-	if (urandom_fd > -1)
+-		return true;
++	ssize_t ret;
+ 
+-	urandom_fd = open("/dev/urandom", O_RDONLY);
+-	if (urandom_fd < 0)
+-		return false;
+-
+-	return true;
+-}
+-
+-static int _urandom(void *ctx, unsigned char *out, size_t len)
+-{
+-	if (read(urandom_fd, out, len) < 0)
++	ret = getrandom(out, len, 0);
++	if (ret < 0 || (size_t)ret != len)
+ 		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+ 
+ 	return 0;
+@@ -134,9 +124,6 @@ __ustream_ssl_context_new(bool server)
+ 	mbedtls_ssl_config *conf;
+ 	int ep;
+ 
+-	if (!urandom_init())
+-		return NULL;
+-
+ 	ctx = calloc(1, sizeof(*ctx));
+ 	if (!ctx)
+ 		return NULL;
+@@ -159,7 +146,7 @@ __ustream_ssl_context_new(bool server)
+ 
+ 	mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
+ 				    MBEDTLS_SSL_PRESET_DEFAULT);
+-	mbedtls_ssl_conf_rng(conf, _urandom, NULL);
++	mbedtls_ssl_conf_rng(conf, _random, NULL);
+ 
+ 	if (server) {
+ 		mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
+-- 
+2.30.2
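Review bot: `_random()` turns any short read from `getrandom()` into MBEDTLS_ERR_ENTROPY_SOURCE_FAILED, but for requests larger than 256 bytes the kernel may legitimately return fewer bytes or fail with EINTR, so should any caller ask for more than that the callback reports an RNG failure instead of retrying. Failing closed is the right default; a loop that resumes on EINTR and on partial reads keeps the callback robust without weakening it, at the cost of an `#include <errno.h>` next to `<sys/random.h>`. It is also worth a comment that with flags `0` getrandom() blocks until the kernel pool is initialised, which differs from the old non-blocking `/dev/urandom` read on early-boot embedded targets — presumably intended, but worth confirming. Buildroot also supports uClibc-ng toolchains; whether every toolchain the package allows provides `<sys/random.h>`/getrandom() is not verifiable from here and may need a Config.in dependency.
```c
static int _random(void *ctx, unsigned char *out, size_t len)
{
	/* getrandom() only guarantees a full, uninterrupted read for
	 * len <= 256; loop on EINTR and partial reads, fail on anything else. */
	while (len > 0) {
		ssize_t ret = getrandom(out, len, 0);

		if (ret < 0) {
			if (errno == EINTR)
				continue;
			return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
		}
		out += ret;
		len -= (size_t)ret;
	}

	return 0;
}
```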

+ 79 - 0
package/ustream-ssl/0002-ustream-mbedtls-add-compatibility-with-mbed-tls-3-0-0.patch

@@ -0,0 +1,79 @@
+From 91666a38b7bd4bd353394986d8343a33ba61d8e2 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Sat, 11 Nov 2023 22:13:24 +0100
+Subject: [PATCH] ustream-mbedtls: Add compatibility with Mbed TLS 3.0.0
+
+This adds support for compiling the code against Mbed TLS 3.0.0.
+It still compiles against Mbed TLS 2.28.
+
+The following changes were needed:
+ * DES and 3DES was removed
+ * mbedtls_pk_context->pk_info is private, use mbedtls_pk_get_type()
+   to check if it was initialized
+ * mbedtls_pk_parse_keyfile() now gets a random callback
+ * mbedtls/certs.h contains test data and is not installed any more and
+   not needed.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+Upstream: https://git.openwrt.org/?p=project/ustream-ssl.git;a=commit;h=91666a38b7bd4bd353394986d8343a33ba61d8e2
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ ustream-mbedtls.c | 12 +++++++++++-
+ ustream-mbedtls.h |  1 -
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
+index 7fc7874..1c70cac 100644
+--- a/ustream-mbedtls.c
++++ b/ustream-mbedtls.c
+@@ -110,9 +110,15 @@ static const int default_ciphersuites_client[] =
+ 	AES_CBC_CIPHERS(ECDHE_ECDSA),
+ 	AES_CBC_CIPHERS(ECDHE_RSA),
+ 	AES_CBC_CIPHERS(DHE_RSA),
++/* Removed in Mbed TLS 3.0.0 */
++#ifdef MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ 	MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
++#endif
+ 	AES_CIPHERS(RSA),
++/* Removed in Mbed TLS 3.0.0 */
++#ifdef MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ 	MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
++#endif
+ 	0
+ };
+ 
+@@ -171,7 +177,7 @@ static void ustream_ssl_update_own_cert(struct ustream_ssl_ctx *ctx)
+ 	if (!ctx->cert.version)
+ 		return;
+ 
+-	if (!ctx->key.pk_info)
++	if (mbedtls_pk_get_type(&ctx->key) == MBEDTLS_PK_NONE)
+ 		return;
+ 
+ 	mbedtls_ssl_conf_own_cert(&ctx->conf, &ctx->cert, &ctx->key);
+@@ -206,7 +212,11 @@ __hidden int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char
+ {
+ 	int ret;
+ 
++#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
++	ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL, _random, NULL);
++#else
+ 	ret = mbedtls_pk_parse_keyfile(&ctx->key, file, NULL);
++#endif
+ 	if (ret)
+ 		return -1;
+ 
+diff --git a/ustream-mbedtls.h b/ustream-mbedtls.h
+index e622e5e..7e7c699 100644
+--- a/ustream-mbedtls.h
++++ b/ustream-mbedtls.h
+@@ -21,7 +21,6 @@
+ 
+ #include <mbedtls/net_sockets.h>
+ #include <mbedtls/ssl.h>
+-#include <mbedtls/certs.h>
+ #include <mbedtls/x509.h>
+ #include <mbedtls/rsa.h>
+ #include <mbedtls/error.h>
+-- 
+2.30.2
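Review bot: The new `#ifdef MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA` / `#ifdef MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA` guards keep the two 3DES-CBC suites in `default_ciphersuites_client` whenever the build is against Mbed TLS 2.28, so the client still offers a 64-bit block cipher (Sweet32, CVE-2016-2183) that Mbed TLS itself has already dropped in 3.x; since the code must now work without them anyway, deleting the two entries outright would be simpler and safer than guarding them. Separately, `#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)` around `mbedtls_pk_parse_keyfile` evaluates to 0 if that macro is not defined by the headers already included and silently selects the 2.x call; the 3.6 build evidently succeeds, but if `ustream-mbedtls.h` does not already pull in `mbedtls/version.h` (or `build_info.h` on 3.x), adding `#include <mbedtls/version.h>` there makes the guard explicit for other versions. `default_ciphersuites_client`, `ustream_ssl_update_own_cert` and `__ustream_ssl_set_key_file` all start or end outside the quoted hunks.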