From: Ryan Harkin
Date: Wed, 20 Nov 2019 19:44:44 +0000
To: Andre McCurdy
Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>
Subject: Re: How to backport openssl to Sumo

Hi Andre,

On Wed, 20 Nov 2019 at 19:27, Andre McCurdy wrote:
> On Wed, Nov 20, 2019 at 11:09 AM Mark Hatle wrote:
> > On 11/20/19 1:06 PM, Ryan Harkin wrote:
> > > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.hatle@kernel.crashing.org> wrote:
> > >
> > >     You know that 1.0.2 and 1.1 APIs are not compatible?  So you will need to update
> > >     everything that needs OpenSSL to understand the new API.
> > >
> > > So far, we're only using it in a shell script to sign an image and later verify
> > > the image, so I've assumed, perhaps naively, that the API changes won't matter...
> >
> > Correct, but there may be other components of the system that could be using the
> > API that you are unaware of.  On a system as old as Sumo, you will need to take
> > precautions to ensure that ONLY the 1.1x version is being used.  (There may be
> > an openssl10 for compatibility that will need to be blacklisted.)
> >
> > >     For CVE fixes, typically you would patch 1.0.2p, or update to the latest
> > >     (1.0.2t) as you go.  (If you have an OSV, this should be part of the services
> > >     that they offer you.)
> > >
> > >     In my opinion, 1.0.2 will be around for at least another 4-5 years due to the
> > >     number of people actively using it in the world.  Until 1.1/3.0 (won't be a 2.0
> > >     from what I read) exists and has a FIPS-140-2 support available -- people will
> > >     continue to use 1.0.2 and maintain it as necessary for security.
> > >
> > >     As an FYI:  http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
> > >
> > >     This version is for thud, warrior, zeus and master.  It is intended to be
> > >     maintained until either 1.0.2 is no longer maintainable -- or the FIPS-140-2
> > >     needs have been met by OpenSSL.
> > >
> > > Great, that looks like a better option anyway, assuming it has the latest fixes
> > > I need, and doesn't give me the same build problem.  Thanks for pointing it out.
> > > I'll give it a go.
> >
> > It's better to work with the Sumo version for your needs.  I just posted that as
> > an example of openssl 1.0.2 being needed still by others, even as oe-core/Yocto
> > Project have changed their defaults.
>
> If you want an up to date openssl 1.0.2 recipe which is compatible
> with Sumo, you can find one here:
>
>   https://github.com/armcc/meta-plumewifi
>
> I'm only actively testing it with OE 1.6 (Daisy) and OE 2.7 (Warrior)
> but it should work for all versions in between (and if it doesn't I'll
> accept patches or try to fix it).

Thanks! It looks similar to the tree Mark Hatle pointed out to me. Two diffs jump out:

- Your repo adds the RPROVIDES for openssl-bin to "Be compatible with the openssl 1.1.x recipe".
- Mark's repo has two extra patches:
            file://0001-Fix-BN_LLONG-breakage.patch \
            file://0001-Fix-DES_LONG-breakage.patch \

Regards,
Ryan.
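A check for Mark's point that components you are unaware of may still link the 1.0.2 library: this is an added example, not a script from the thread or from either repository, and it assumes binutils readelf is on PATH (it reads ELF files of any target architecture) and that you point it at a built rootfs or sysroot. The readelf output embedded below is constructed, not taken from a real build.

```shell
#!/bin/sh
# Constructed sample `readelf -d` output for the two cases (not from a real build).
SAMPLE_OPENSSL10=' 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_OPENSSL11=' 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Exit 0 when the dynamic-section text in $1 has a DT_NEEDED entry for an
# OpenSSL 1.0.x library (libssl.so.1.0, libssl.so.1.0.0, libcrypto.so.1.0.2, ...).
# libssl.so.1.1 deliberately does not match.
needs_openssl10() {
  printf '%s\n' "$1" | grep -Eq '\(NEEDED\).*\[lib(ssl|crypto)\.so\.1\.0(\.[0-9]+)?]'
}

# Print every ELF executable or shared object under $1 that still links OpenSSL 1.0.x.
# Run it against the image rootfs (or a recipe sysroot) to find consumers that an
# openssl10 compatibility package would otherwise keep alive unnoticed.
find_openssl10_consumers() {
  find "$1" -type f \( -perm -100 -o -name '*.so' -o -name '*.so.*' \) 2>/dev/null |
  while IFS= read -r f; do
    # Cheap ELF magic check so readelf is only run on real ELF objects.
    head -c 4 "$f" 2>/dev/null | grep -q ELF || continue
    dyn=$(readelf -d "$f" 2>/dev/null) || continue
    needs_openssl10 "$dyn" && printf '%s\n' "$f"
  done
}

# Usage: sh check_openssl10.sh <path-to-rootfs>
if [ -n "$1" ]; then
  find_openssl10_consumers "$1"
fi
```

An empty result means nothing in that tree links the 1.0.2 ABI; any path listed is a component that must be rebuilt against 1.1.x (or consciously kept on the 1.0.2 recipe) before openssl10 is blacklisted.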