From patchwork Fri Jul 5 16:50:40 2019
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1128183
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Fabrice Fontaine, Jérôme Pouiller
Date: Fri, 5 Jul 2019 18:50:40 +0200
Message-Id: <20190705165040.26254-1-fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 1/1] package/lxc: switch from gnutls to openssl

Fixes:
 - http://autobuild.buildroot.org/results/c0a9565ae65336d55cdedc67adff221a7fa1a2c8

Signed-off-by: Fabrice Fontaine
--- ...itch-from-gnutls-to-openssl-for-sha1.patch | 232 ++++++++++++++++++ package/lxc/lxc.mk | 16 +- 2 files changed, 241 insertions(+), 7 deletions(-) create mode 100644 package/lxc/0001-Switch-from-gnutls-to-openssl-for-sha1.patch diff --git a/package/lxc/0001-Switch-from-gnutls-to-openssl-for-sha1.patch b/package/lxc/0001-Switch-from-gnutls-to-openssl-for-sha1.patch new file mode 100644 index 0000000000..a5a9bf47cb --- /dev/null +++ b/package/lxc/0001-Switch-from-gnutls-to-openssl-for-sha1.patch 
@@ -0,0 +1,232 @@ +From fa2bb6ba532c5e7f92df8cbae50a68af519f9997 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn +Date: Fri, 14 Jun 2019 03:08:26 +0000 +Subject: [PATCH] Switch from gnutls to openssl for sha1 + +The reason for this is because openssl can be statically linked +against, gnutls cannot. + +Signed-off-by: Serge Hallyn +[Retrieved from: +https://github.com/lxc/lxc/commit/fa2bb6ba532c5e7f92df8cbae50a68af519f9997] +Signed-off-by: Fabrice Fontaine +--- + configure.ac | 27 +++++++++++++++------------ + src/lxc/Makefile.am | 8 ++++---- + src/lxc/lxccontainer.c | 18 +++++++++++------- + src/lxc/utils.c | 29 +++++++++++++++++++++-------- + src/lxc/utils.h | 5 ++--- + 5 files changed, 53 insertions(+), 34 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 3caa45ba8e..a041f2fdb0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -257,6 +257,8 @@ fi + + AM_CONDITIONAL([ENABLE_API_DOCS], [test "x$HAVE_DOXYGEN" != "x"]) + ++AC_CONFIG_MACRO_DIRS([config]) ++ + # Apparmor + AC_ARG_ENABLE([apparmor], + [AC_HELP_STRING([--enable-apparmor], [enable apparmor support [default=auto]])], +@@ -267,20 +269,21 @@ if test "$enable_apparmor" = "auto" ; then + fi + AM_CONDITIONAL([ENABLE_APPARMOR], [test "x$enable_apparmor" = "xyes"]) + +-# GnuTLS +-AC_ARG_ENABLE([gnutls], +- [AC_HELP_STRING([--enable-gnutls], [enable GnuTLS support [default=auto]])], +- [], [enable_gnutls=auto]) ++# OpenSSL ++# libssl-dev ++AC_ARG_ENABLE([openssl], ++ [AC_HELP_STRING([--enable-openssl], [enable OpenSSL support [default=auto]])], ++ [], [enable_openssl=auto]) ++ ++if test "$enable_openssl" = "auto" ; then ++ AC_CHECK_LIB([ssl], [OPENSSL_init_ssl], [enable_openssl=yes], [enable_openssl=no]) + +-if test "$enable_gnutls" = "auto" ; then +- AC_CHECK_LIB([gnutls], [gnutls_hash_fast], [enable_gnutls=yes], [enable_gnutls=no]) + fi +-AM_CONDITIONAL([ENABLE_GNUTLS], [test "x$enable_gnutls" = "xyes"]) ++AM_CONDITIONAL([ENABLE_OPENSSL], [test "x$enable_openssl" = "xyes"]) + 
+-AM_COND_IF([ENABLE_GNUTLS], +- [AC_CHECK_HEADER([gnutls/gnutls.h],[],[AC_MSG_ERROR([You must install the GnuTLS development package in order to compile lxc])]) +- AC_CHECK_LIB([gnutls], [gnutls_hash_fast],[true],[AC_MSG_ERROR([You must install the GnuTLS development package in order to compile lxc])]) +- AC_SUBST([GNUTLS_LIBS], [-lgnutls])]) ++AM_COND_IF([ENABLE_OPENSSL], ++ [AC_CHECK_HEADER([openssl/engine.h],[],[AC_MSG_ERROR([You must install the OpenSSL development package in order to compile lxc])]) ++ AC_SUBST([OPENSSL_LIBS], '-lssl -lcrypto')]) + + # SELinux + AC_ARG_ENABLE([selinux], +@@ -1014,7 +1017,7 @@ Environment: + - distribution: $with_distro + - init script type(s): $init_script + - rpath: $enable_rpath +- - GnuTLS: $enable_gnutls ++ - OpenSSL: $enable_openssl + - Bash integration: $enable_bash + + Security features: +diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am +index 49b3b014d1..4b18ac5d82 100644 +--- a/src/lxc/Makefile.am ++++ b/src/lxc/Makefile.am +@@ -210,8 +210,8 @@ if ENABLE_APPARMOR + AM_CFLAGS += -DHAVE_APPARMOR + endif + +-if ENABLE_GNUTLS +-AM_CFLAGS += -DHAVE_LIBGNUTLS ++if ENABLE_OPENSSL ++AM_CFLAGS += -DHAVE_OPENSSL + endif + + if ENABLE_SECCOMP +@@ -248,7 +248,7 @@ liblxc_la_LDFLAGS = -pthread \ + -version-info @LXC_ABI_MAJOR@ + + liblxc_la_LIBADD = $(CAP_LIBS) \ +- $(GNUTLS_LIBS) \ ++ $(OPENSSL_LIBS) \ + $(SELINUX_LIBS) \ + $(SECCOMP_LIBS) \ + $(DLOG_LIBS) +@@ -307,7 +307,7 @@ endif + + LDADD = liblxc.la \ + @CAP_LIBS@ \ +- @GNUTLS_LIBS@ \ ++ @OPENSSL_LIBS@ \ + @SECCOMP_LIBS@ \ + @SELINUX_LIBS@ \ + @DLOG_LIBS@ +diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c +index 253f07f683..a618645f81 100644 +--- a/src/lxc/lxccontainer.c ++++ b/src/lxc/lxccontainer.c +@@ -79,6 +79,10 @@ + #include "utils.h" + #include "version.h" + ++#if HAVE_OPENSSL ++#include ++#endif ++ + /* major()/minor() */ + #ifdef MAJOR_IN_MKDEV + #include +@@ -1654,9 +1658,9 @@ static bool prepend_lxc_header(char *path, const char *t, char *const 
argv[]) + char *contents; + FILE *f; + int ret = -1; +-#if HAVE_LIBGNUTLS +- int i; +- unsigned char md_value[SHA_DIGEST_LENGTH]; ++#if HAVE_OPENSSL ++ int i, md_len = 0; ++ unsigned char md_value[EVP_MAX_MD_SIZE]; + char *tpath; + #endif + +@@ -1697,14 +1701,14 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[]) + if (ret < 0) + goto out_free_contents; + +-#if HAVE_LIBGNUTLS ++#if HAVE_OPENSSL + tpath = get_template_path(t); + if (!tpath) { + ERROR("Invalid template \"%s\" specified", t); + goto out_free_contents; + } + +- ret = sha1sum_file(tpath, md_value); ++ ret = sha1sum_file(tpath, md_value, &md_len); + if (ret < 0) { + ERROR("Failed to get sha1sum of %s", tpath); + free(tpath); +@@ -1730,9 +1734,9 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[]) + fprintf(f, "\n"); + } + +-#if HAVE_LIBGNUTLS ++#if HAVE_OPENSSL + fprintf(f, "# Template script checksum (SHA-1): "); +- for (i=0; i +-#include ++#ifdef HAVE_OPENSSL ++#include + +-__attribute__((constructor)) +-static void gnutls_lxc_init(void) ++static int do_sha1_hash(const char *buf, int buflen, unsigned char *md_value, int *md_len) + { +- gnutls_global_init(); ++ EVP_MD_CTX *mdctx; ++ const EVP_MD *md; ++ ++ md = EVP_get_digestbyname("sha1"); ++ if(!md) { ++ printf("Unknown message digest: sha1\n"); ++ return -1; ++ } ++ ++ mdctx = EVP_MD_CTX_new(); ++ EVP_DigestInit_ex(mdctx, md, NULL); ++ EVP_DigestUpdate(mdctx, buf, buflen); ++ EVP_DigestFinal_ex(mdctx, md_value, md_len); ++ EVP_MD_CTX_free(mdctx); ++ ++ return 0; + } + +-int sha1sum_file(char *fnam, unsigned char *digest) ++int sha1sum_file(char *fnam, unsigned char *digest, int *md_len) + { + char *buf; + int ret; +@@ -394,7 +407,7 @@ int sha1sum_file(char *fnam, unsigned char *digest) + } + + buf[flen] = '\0'; +- ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, flen, (void *)digest); ++ ret = do_sha1_hash(buf, flen, (void *)digest, md_len); + free(buf); + return ret; + } +diff --git 
a/src/lxc/utils.h b/src/lxc/utils.h +index 9f1c21dddb..dd6404f0b3 100644 +--- a/src/lxc/utils.h ++++ b/src/lxc/utils.h +@@ -98,9 +98,8 @@ extern int lxc_pclose(struct lxc_popen_FILE *fp); + extern int wait_for_pid(pid_t pid); + extern int lxc_wait_for_pid_status(pid_t pid); + +-#if HAVE_LIBGNUTLS +-#define SHA_DIGEST_LENGTH 20 +-extern int sha1sum_file(char *fnam, unsigned char *md_value); ++#if HAVE_OPENSSL ++extern int sha1sum_file(char *fnam, unsigned char *md_value, int *md_len); + #endif + + /* initialize rand with urandom */ diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk index a059fd578e..0f5790b4b5 100644 --- a/package/lxc/lxc.mk +++ b/package/lxc/lxc.mk @@ -10,6 +10,8 @@ LXC_LICENSE = LGPL-2.1+ LXC_LICENSE_FILES = COPYING LXC_DEPENDENCIES = host-pkgconf LXC_INSTALL_STAGING = YES +# We're patching configure.ac +LXC_AUTORECONF = YES LXC_CONF_OPTS = --disable-apparmor --with-distro=buildroot \ --disable-werror \ @@ -19,13 +21,6 @@ ifeq ($(BR2_PACKAGE_BASH_COMPLETION),y) LXC_DEPENDENCIES += bash-completion endif -ifeq ($(BR2_PACKAGE_GNUTLS),y) -LXC_CONF_OPTS += --enable-gnutls -LXC_DEPENDENCIES += gnutls -else -LXC_CONF_OPTS += --disable-gnutls -endif - ifeq ($(BR2_PACKAGE_LIBCAP),y) LXC_CONF_OPTS += --enable-capabilities LXC_DEPENDENCIES += libcap @@ -47,4 +42,11 @@ else LXC_CONF_OPTS += --disable-selinux endif +ifeq ($(BR2_PACKAGE_OPENSSL),y) +LXC_CONF_OPTS += --enable-openssl +LXC_DEPENDENCIES += openssl +else +LXC_CONF_OPTS += --disable-openssl +endif + $(eval $(autotools-package))
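Review bot: In the configure.ac hunk at @@ -267,20 +269,21, the AM_COND_IF([ENABLE_OPENSSL] block verifies only the openssl/engine.h header, and the AC_CHECK_LIB probe runs only when enable_openssl is "auto"; the removed GnuTLS block repeated AC_CHECK_LIB inside AM_COND_IF and stopped with AC_MSG_ERROR. Because lxc.mk passes --enable-openssl explicitly, no link test runs at all in the Buildroot build. The probe also looks for OPENSSL_init_ssl in libssl, while the code added to utils.c calls only EVP_* digest functions, which live in libcrypto. Suggest probing libcrypto for a function that is actually used (for example EVP_MD_CTX_new) inside the AM_COND_IF block, checking openssl/evp.h rather than openssl/engine.h, and taking the link flags from pkg-config instead of the hard-coded '-lssl -lcrypto', so that a static link, which the upstream commit message gives as the motivation, also gets the library's private dependencies.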
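Review bot: do_sha1_hash() in the src/lxc/utils.c hunk never checks the pointer returned by EVP_MD_CTX_new() and discards the return values of EVP_DigestInit_ex(), EVP_DigestUpdate() and EVP_DigestFinal_ex(), then returns 0 unconditionally, so an allocation or digest failure is reported to sha1sum_file() as success and the caller in prepend_lxc_header() only tests ret < 0. Suggest returning -1 when the context is NULL or when any of the three calls fails, and freeing the context on every path. Two smaller points in the same function: md_len is declared int * but EVP_DigestFinal_ex() takes an unsigned int * for the length, so the parameter (and the int md_len in lxccontainer.c) should be unsigned int; and the "Unknown message digest" error goes through printf() while the caller uses ERROR(), so it bypasses the project's logging.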
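Review bot: The guard in the src/lxc/utils.h hunk is "#if HAVE_OPENSSL", matching lxccontainer.c, but the utils.c hunk guards the definition with "#ifdef HAVE_OPENSSL". Both work with the -DHAVE_OPENSSL added in Makefile.am, but the two forms diverge if the macro is ever defined as 0, leaving a declaration without a definition or the reverse; pick one form for all three files. The hunk also drops the SHA_DIGEST_LENGTH define without a comment telling callers that the digest length now comes back through md_len, which is worth one line above the prototype.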