Fix dev-libs/libp11 for OpenSSL 1.1 |
Issue description
dev-libs/libp11-0.2.8-r3 fails to build with dev-libs/openssl-1.1.0f.
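The compile errors are below. They come from libp11 0.2.8 accessing members of OpenSSL structures (X509_SIG, ASN1_OBJECT, EVP_PKEY, RSA, RSA_METHOD) that the OpenSSL 1.1 headers only forward-declare, and from its use of RSA_FLAG_SIGN_VER, which those headers no longer declare: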
libp11-0.2.8-r3: p11_ops.c:49:12: error: variable has incomplete type 'X509_SIG' (aka 'struct X509_sig_st')
libp11-0.2.8-r3: X509_SIG digest_info = { &algor, &digest };
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: /usr/include/openssl/x509.h:69:16: note: forward declaration of 'struct X509_sig_st'
libp11-0.2.8-r3: typedef struct X509_sig_st X509_SIG;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_ops.c:53:22: error: incomplete definition of type 'struct asn1_object_st'
libp11-0.2.8-r3: (algor.algorithm->length) &&
libp11-0.2.8-r3: ~~~~~~~~~~~~~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:60:16: note: forward declaration of 'struct asn1_object_st'
libp11-0.2.8-r3: typedef struct asn1_object_st ASN1_OBJECT;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: 2 errors generated.
libp11-0.2.8-r3: p11_key.c:131:8: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
libp11-0.2.8-r3: rsa = RSA_generate_key(bits, 0x10001, NULL, err);
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: /usr/include/openssl/rsa.h:193:1: note: 'RSA_generate_key' has been explicitly marked deprecated here
libp11-0.2.8-r3: DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: /usr/include/x86_64-cros-linux-gnu/openssl/opensslconf.h:136:34: note: expanded from macro 'DEPRECATEDIN_0_9_8'
libp11-0.2.8-r3: # define DEPRECATEDIN_0_9_8(f) DECLARE_DEPRECATED(f)
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: /usr/include/x86_64-cros-linux-gnu/openssl/opensslconf.h:99:53: note: expanded from macro 'DECLARE_DEPRECATED'
libp11-0.2.8-r3: # define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:349:8: error: incomplete definition of type 'struct evp_pkey_st'
libp11-0.2.8-r3: if (pk->type == EVP_PKEY_RSA) {
libp11-0.2.8-r3: ~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:93:16: note: forward declaration of 'struct evp_pkey_st'
libp11-0.2.8-r3: typedef struct evp_pkey_st EVP_PKEY;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:362:50: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: pkcs11_addattr_bn(attrs + n++, CKA_MODULUS, rsa->n);
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:363:58: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: pkcs11_addattr_bn(attrs + n++, CKA_PUBLIC_EXPONENT, rsa->e);
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:364:59: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: pkcs11_addattr_bn(attrs + n++, CKA_PRIVATE_EXPONENT, rsa->d);
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:365:50: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: pkcs11_addattr_bn(attrs + n++, CKA_PRIME_1, rsa->p);
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:366:50: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: pkcs11_addattr_bn(attrs + n++, CKA_PRIME_2, rsa->q);
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:412:8: error: incomplete definition of type 'struct evp_pkey_st'
libp11-0.2.8-r3: if (pk->type == EVP_PKEY_RSA) {
libp11-0.2.8-r3: ~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:93:16: note: forward declaration of 'struct evp_pkey_st'
libp11-0.2.8-r3: typedef struct evp_pkey_st EVP_PKEY;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:423:50: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: pkcs11_addattr_bn(attrs + n++, CKA_MODULUS, rsa->n);
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_key.c:424:58: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: pkcs11_addattr_bn(attrs + n++, CKA_PUBLIC_EXPONENT, rsa->e);
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: 1 warning and 9 errors generated.
libp11-0.2.8-r3: p11_rsa.c:54:43: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: if (key_getattr_bn(key, CKA_MODULUS, &rsa->n) ||
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: ./libp11-int.h:146:68: note: expanded from macro 'key_getattr_bn'
libp11-0.2.8-r3: pkcs11_getattr_bn(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (bn))
libp11-0.2.8-r3: ^~
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:55:51: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: key_getattr_bn(key, CKA_PUBLIC_EXPONENT, &rsa->e)) {
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: ./libp11-int.h:146:68: note: expanded from macro 'key_getattr_bn'
libp11-0.2.8-r3: pkcs11_getattr_bn(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (bn))
libp11-0.2.8-r3: ^~
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:64:6: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: rsa->flags |= RSA_FLAG_SIGN_VER;
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:64:17: error: use of undeclared identifier 'RSA_FLAG_SIGN_VER'
libp11-0.2.8-r3: rsa->flags |= RSA_FLAG_SIGN_VER;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:74:5: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: rsa->flags |= RSA_FLAG_SIGN_VER;
libp11-0.2.8-r3: ~~~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:74:16: error: use of undeclared identifier 'RSA_FLAG_SIGN_VER'
libp11-0.2.8-r3: rsa->flags |= RSA_FLAG_SIGN_VER;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:126:7: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: if (r->flags & RSA_FLAG_SIGN_VER) {
libp11-0.2.8-r3: ~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:126:17: error: use of undeclared identifier 'RSA_FLAG_SIGN_VER'
libp11-0.2.8-r3: if (r->flags & RSA_FLAG_SIGN_VER) {
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:127:4: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: r->flags &= ~RSA_FLAG_SIGN_VER;
libp11-0.2.8-r3: ~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:127:16: error: use of undeclared identifier 'RSA_FLAG_SIGN_VER'
libp11-0.2.8-r3: r->flags &= ~RSA_FLAG_SIGN_VER;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:129:4: error: incomplete definition of type 'struct rsa_st'
libp11-0.2.8-r3: r->flags |= RSA_FLAG_SIGN_VER;
libp11-0.2.8-r3: ~^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:110:16: note: forward declaration of 'struct rsa_st'
libp11-0.2.8-r3: typedef struct rsa_st RSA;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:129:15: error: use of undeclared identifier 'RSA_FLAG_SIGN_VER'
libp11-0.2.8-r3: r->flags |= RSA_FLAG_SIGN_VER;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: p11_rsa.c:142:20: error: variable has incomplete type 'RSA_METHOD' (aka 'struct rsa_meth_st')
libp11-0.2.8-r3: static RSA_METHOD ops;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: /usr/include/openssl/ossl_typ.h:111:16: note: forward declaration of 'struct rsa_meth_st'
libp11-0.2.8-r3: typedef struct rsa_meth_st RSA_METHOD;
libp11-0.2.8-r3: ^
libp11-0.2.8-r3: 13 errors generated.
,
Jul 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/b7f8d517a484cae5a425542a923a4e1fa401da17 commit b7f8d517a484cae5a425542a923a4e1fa401da17 Author: Daniel Kurtz <djkurtz@chromium.org> Date: Fri Jul 07 07:57:19 2017 dev-libs/libp11: Force disable bindist to match openssl libp11 "bindist" USE flag per "equery-soraka uses libp11": "Flag to enable or disable options for prebuilt (GRP) packages (eg. due to licensing issues)" The latest libp11 ebuild (-0.4.4) requires that libp11's bindist USE match that with which openssl was built. Since we build openssl -bindist, assign the same for libp11 here in package.use. Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:739688 TEST=emerge-soraka libp11 engine_pkcs11 Change-Id: If0eee347dbfbb56c94e560380573c05b9ab05719 Reviewed-on: https://chromium-review.googlesource.com/562941 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Daniel Kurtz <djkurtz@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/b7f8d517a484cae5a425542a923a4e1fa401da17/profiles/targets/chromeos/package.use
,
Jul 7 2017
,
Jul 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/6f694ce64e823617911c2530037ffa23b819610e commit 6f694ce64e823617911c2530037ffa23b819610e Author: Daniel Kurtz <djkurtz@chromium.org> Date: Fri Jul 07 20:15:48 2017 dev-libs/libp11: Update to latest from gentoo According to the NEWS [0] 0.4.0 includes support for OpenSSL 1.1 (with additional fixes in 0.4.1 & 0.4.3): [0] https://github.com/OpenSC/libp11/blob/master/NEWS New in 0.4.0; 2016-03-28; Micha Trojnara * Added support for building against OpenSSL 1.1.0-dev (Doug Engert) Update to the ebuild from gentoo with the following small changes: * KEYWORDS="*" * EAPI=5 Note: we were actually carrying a chromium-specific patch in the portage-stable repo: libp11-0.2.8-variable-buffer-size.patch This patch is no longer needed as equivalent fixes were landed upstream by 0.4.0. See patches: a86eed9 Refactored attribute retrieval 74e2238 Memory allocation cleanup 1ba57c6 Eliminated hard coded limit for pkcs11_getattr_bn() Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> CQ-DEPEND=CL:562941 BUG=chromium:739688 TEST=w/ openssl-1.0.2k: sudo emerge libp11 TEST=w/ openssl-1.1.0f: sudo emerge libp11 => Builds ok in both cases. 
TEST=network_WiFi_SimpleConnect.wifi_check1x_WPA, manual authentication with large certificate Change-Id: I30e4143c5741ce3a6b62bf09a2feb08a7f788028 Reviewed-on: https://chromium-review.googlesource.com/562945 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Daniel Kurtz <djkurtz@chromium.org> Reviewed-by: Mike Frysinger <vapier@chromium.org> [modify] https://crrev.com/6f694ce64e823617911c2530037ffa23b819610e/dev-libs/libp11/metadata.xml [modify] https://crrev.com/6f694ce64e823617911c2530037ffa23b819610e/dev-libs/libp11/Manifest [delete] https://crrev.com/1e0caba1f0fa58d4862f59107d094c807b00cdc1/dev-libs/libp11/files/libp11-0.2.8-no-ltdl.patch [add] https://crrev.com/6f694ce64e823617911c2530037ffa23b819610e/dev-libs/libp11/libp11-0.4.4.ebuild [delete] https://crrev.com/1e0caba1f0fa58d4862f59107d094c807b00cdc1/dev-libs/libp11/files/libp11-0.2.8-variable-buffer-size.patch [delete] https://crrev.com/1e0caba1f0fa58d4862f59107d094c807b00cdc1/dev-libs/libp11/libp11-0.2.8-r3.ebuild
,
Jul 10 2017
,
Jul 13 2017
The first attempt was reverted because it broke shill's use of wpa_supplicant for EAP-TLS, which relies on the PKCS#11 engine to access the TPM via chaps. Will try again.
,
Jul 13 2017
@#7: issue 740721 . Revert: https://chromium-review.googlesource.com/#/c/566283/
,
Jul 13 2017
It would also be good to test this with openvpn and L2TP/IPsec (strongSwan) using client certs.
,
Jul 13 2017
Are there some autotests to run?
,
Jul 13 2017
You can try these: network_VPNConnect.l2tpipsec_cert network_VPNConnect.openvpn although personally I prefer testing against a live server if I'm updating components, because the tests have missed a lot of regressions in the past. For instance, bug 716674.
,
Jul 14 2017
The build from #10 didn't quite work either. Trying again, with one more patch: https://chromium-review.googlesource.com/569904 https://chromium-review.googlesource.com/569905 https://chromium-review.googlesource.com/570142 https://chromium-review.googlesource.com/571540 https://uberchromegw.corp.google.com/i/chromiumos.tryserver/builders/release/builds/12819
,
Jul 14 2017
A little history... Currently, Chrome OS uses the following two packages to install a PKCS#11 "OpenSSL Engine" which allows applications to access PKCS#11 "modules" (both packages are from portage-stable): * dev-libs/engine_pkcs11-0.1.8-r1 * dev-libs/libp11-0.2.8-r3 The ebuild dependencies are: net-wireless/wpa_supplicant-2.5-r78 (smartcard ? dev-libs/engine_pkcs11) dev-libs/engine_pkcs11-0.1.8-r1 (>=dev-libs/libp11-0.2.5) The true dependency is probably "shill", not "wpa_supplicant" since shill configures wpa_supplicant to use the "engine_pkcs" PKCS#11 engine using module libchaps.so via its wpa_supplicant.conf file, which is generated by shill and installed by its ebuild when USE=wifi and/or USE=wired_8021x are specified. (see: https://gerrit.chromium.org/gerrit/35813 https://gerrit.chromium.org/gerrit/35938 https://gerrit.chromium.org/gerrit/35937 https://chromium-review.googlesource.com/265120 https://chromium-review.googlesource.com/265614 ) shims/wpa_supplicant.conf.in: pkcs11_engine_path=@libdir@/engines/engine_pkcs11.so pkcs11_module_path=@libdir@/libchaps.so In recognition that it is actually shill that configures wpa_supplicant to use chaps, the "chaps" dependency was moved from wpa_supplicant to shill in [0]. [0] https://gerrit.chromium.org/gerrit/44960 However, this left the dev-libs/engine_pkcs11 dependency intact under USE=ssl. Change [1] then added a new USE=smartcard to wpa_supplicant, and made the engine_pkcs11 dependency conditional on it, to allow boards to not install pkcs11 support if not needed. Upstream wpa_supplicant-2.6-r1.ebuild [2] also has a USE=smartcard, however it just enables building it with "SMARTCARD", it does not use it to pull in any dependencies. [1] https://gerrit.chromium.org/gerrit/46081 [2] https://gitweb.gentoo.org/repo/gentoo.git/tree/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r1.ebuild Is there any other case where wpa_supplicant depends on engine_pkcs11 besides this shill configuration? 
If not, I think we can also move the "engine_pkcs11" dependency from wpa_supplicant to shill (USE=wifi || USE=wired_8021x). Meanwhile, things have been changing upstream: Sep 15, 2015 (Change in engine_pkcs11 0.2.1) libp11 renames "engine_pkcs11" to "libpkcs11" in accordance with other openssl engines https://github.com/OpenSC/engine_pkcs11/commit/0ab5515fffe4df44c7209156f7f829b8727aff0a Jan 28, 2016 libp11 merges in engine_pkcs11 (before this it was in a separate repository: https://github.com/OpenSC/engine_pkcs11) https://github.com/OpenSC/libp11/commit/41ceb71b3d102ff84027261071a030f26d3109b0 Feb 16, 2016 OpenSSL engines were renamed from "libXXX.so" to just "XXX.so" for 1.1: https://github.com/openssl/openssl/commit/9ee0ed3de66678a15db126d10b3e4226e835b8f5 Feb 22, 2016 "openssl-1.1 lost the ability to find engine" Reported to openssl https://github.com/openssl/openssl/issues/727 Feb 23, 2016 "openssl-1.1 changed the naming convention" reported to libp11 https://github.com/OpenSC/libp11/issues/68 Feb 29, 2016 (Change in libp11-0.4.0) libp11 renames engine to pkcs11.so, with a symlink to older name libpkcs11.so: https://github.com/OpenSC/libp11/commit/bfa6ad82f5438e00d1c1ab40a1d9bcc890da0870 May 30, 2016 wpa_supplicant folks realize that their use of ENGINE_by_id() is auto-loading engines without properly setting up the corresponding MODULE, which kicks off a great discussion of the exact problem we fell into in issue 740721 . One take-away here is that the recommended way to configure PKCS#11 modules is to use p11-kit (https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html). 
http://lists.infradead.org/pipermail/hostap/2016-May/035768.html Jun 09, 2016 (Change in hostap_2_6) wpa_supplicant fixes the ENGINE_by_id() issue: https://w1.fi/cgit/hostap/commit/?id=c3d7fb7e2724150950e1a1eac29460ea255811c3 Oct 28, 2016 "dev-libs/libp11 - revbump to v0.4.2 released 25-Sept-2016" reported to gentoo https://bugs.gentoo.org/show_bug.cgi?id=598394 Oct 29, 2016 gentoo first revbump to 0.4.2 (first to include 0.4.0) https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-libs/libp11?id=aa95525771b2d44a7d8f3c4d9c8e9d38c42f32d3 Sat Mar 18 10:23:46 2017 gentoo removes dev-libs/engine_pkcs11 (-0.2.2) 46aff7a046f dev-libs/engine_pkcs11: remove from tree https://www.mail-archive.com/gentoo-commits@lists.gentoo.org/msg259692.html https://bugs.gentoo.org/show_bug.cgi?id=609668 \\
,
Jul 15 2017
Yes! tryjob for #14 passed: test_that -i trybot-cyan-release/R61-9742.0.0-b12819 -b cyan --pool=wificell :lab: network_WiFi_SimpleConnect.wifi_check1x_WPA http://cautotest/tko/retrieve_logs.cgi?job=/results/128543030-djkurtz/ https://pantheon.corp.google.com/storage/browser/chromeos-autotest-results/128543033-djkurtz/chromeos9-row4-rack5-host1/ 07/14 19:28:09.022 INFO |wifi_test_context_:0255| Connecting to SimpleConnect_a_e5gjl_ch1. 07/14 19:28:16.469 DEBUG| xmlrpc_types:0056| Constructing AssociationResult object with args=[], kwargs={'configuration_time': 3.4234161376953125, 'association_time': 1.2144880294799805, 'discovery_time': 1.0832350254058838, 'success': True, 'failure_reason': 'SUCCESS(Connection successful)'}
,
Jul 17 2017
Both tests pass w/ patches from #14 network_VPNConnect.l2tpipsec_cert network_VPNConnect.openvpn http://cautotest.corp.google.com/afe/#tab_id=view_job&object_id=128784266
,
Jul 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/d4b1f672b11ae58c36fb4588d8853996b0333966 commit d4b1f672b11ae58c36fb4588d8853996b0333966 Author: Daniel Kurtz <djkurtz@chromium.org> Date: Mon Jul 24 17:40:09 2017 shill: update wpa_supplicant.conf for libp11 0.4.0+ On Sep 15, 2015 upstream engine_pkcs11 (0.2.1) renamed "engine_pkcs11" to "libpkcs11" to match other openssl engines: https://github.com/OpenSC/engine_pkcs11/commit/0ab5515fffe4df44c7209156f7f829b8727aff0a On Jan 28, 2016 upstream libp11 merged engine_pkcs11 into the libp11 repository (previously engine_pkcs11 was a separate repository [0]): https://github.com/OpenSC/libp11/commit/41ceb71b3d102ff84027261071a030f26d3109b0 [0] https://github.com/OpenSC/engine_pkcs11 On Feb 16, 2016 OpenSSL engines were renamed from "libXXX.so" to just "XXX.so" for 1.1: https://github.com/openssl/openssl/commit/9ee0ed3de66678a15db126d10b3e4226e835b8f5 On Feb 29, 2016 libp11 renames engine to pkcs11.so, with a symlink to the older name, libpkcs11.so: https://github.com/OpenSC/libp11/commit/bfa6ad82f5438e00d1c1ab40a1d9bcc890da0870 On Feb 29, 2016 (Change in libp11-0.4.0) libp11 renames engine to pkcs11.so, with a symlink to older name libpkcs11.so: https://github.com/OpenSC/libp11/commit/bfa6ad82f5438e00d1c1ab40a1d9bcc890da0870 The above changes are present as of release libp11-0.4.0. Update shill with the corresponding wpa_supplicant.conf change. 
Note: Some day this configuration should probably be reconfigured to use p11-kit: https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> BUG=chromium:739688 TEST=network_WiFi_SimpleConnect.wifi_check1x_WPA CQ-DEPEND=CL:569905,CL:570142,CL:571540 Change-Id: I1ead5ff181b5f695fcd8f5577d4e048bfc91a1f2 Reviewed-on: https://chromium-review.googlesource.com/569904 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Daniel Kurtz <djkurtz@chromium.org> Reviewed-by: Kevin Cernekee <cernekee@chromium.org> [modify] https://crrev.com/d4b1f672b11ae58c36fb4588d8853996b0333966/shims/wpa_supplicant.conf.in
,
Jul 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/31736c26284898a69357bc9cfba7011a328154ff commit 31736c26284898a69357bc9cfba7011a328154ff Author: Daniel Kurtz <djkurtz@chromium.org> Date: Mon Jul 24 17:40:09 2017 dev-libs/libp11 & engine_pkcs11: Update to latest from gentoo According to the NEWS [0] 0.4.0 includes support for OpenSSL 1.1 (with additional fixes in 0.4.1 & 0.4.3): [0] https://github.com/OpenSC/libp11/blob/master/NEWS New in 0.4.0; 2016-03-28; Micha Trojnara * Added support for building against OpenSSL 1.1.0-dev (Doug Engert) Update to the ebuild from gentoo with the following small changes: * KEYWORDS="*" * EAPI=5 Note: we were actually carrying a chromium-specific patch in the portage-stable repo: libp11-0.2.8-variable-buffer-size.patch This patch is no longer needed as equivalent fixes were landed upstream by 0.4.0. See patches: a86eed9 Refactored attribute retrieval 74e2238 Memory allocation cleanup 1ba57c6 Eliminated hard coded limit for pkcs11_getattr_bn() Also, as of 0.4.0, libp11 now includes both the library and the "engine" which was formerly installed by the engine_pkcs11 package. The engine_pkcs11 package is now obsolete, and has been removed from upstream gentoo, so we remove it here as well. The engine has also been renamed from "engine_pkcs11" to just "pkcs11" to better match other OpenSSL engines. This requires a corresponding change to shill's wpa_supplicant.conf. Signed-off-by: Daniel Kurtz <djkurtz@chromium.org> CQ-DEPEND=CL:562941,CL:57012,CL:569904,CL:571540 BUG=chromium:739688 TEST=w/ openssl-1.0.2k: sudo emerge libp11 TEST=w/ openssl-1.1.0f: sudo emerge libp11 => Builds ok in both cases. 
TEST=network_WiFi_SimpleConnect.wifi_check1x_WPA, manual authentication with large certificate Change-Id: Ieb6a1830a8e974a1d3d6364770a783f81188ea19 Reviewed-on: https://chromium-review.googlesource.com/569905 Commit-Ready: Daniel Kurtz <djkurtz@chromium.org> Tested-by: Daniel Kurtz <djkurtz@chromium.org> Reviewed-by: Kevin Cernekee <cernekee@chromium.org> [delete] https://crrev.com/45c39894be9c29534aaeddd964b67ede29967156/dev-libs/engine_pkcs11/Manifest [modify] https://crrev.com/31736c26284898a69357bc9cfba7011a328154ff/dev-libs/libp11/metadata.xml [delete] https://crrev.com/45c39894be9c29534aaeddd964b67ede29967156/dev-libs/engine_pkcs11/engine_pkcs11-0.1.8-r1.ebuild [modify] https://crrev.com/31736c26284898a69357bc9cfba7011a328154ff/dev-libs/libp11/Manifest [delete] https://crrev.com/45c39894be9c29534aaeddd964b67ede29967156/dev-libs/libp11/files/libp11-0.2.8-no-ltdl.patch [add] https://crrev.com/31736c26284898a69357bc9cfba7011a328154ff/dev-libs/libp11/libp11-0.4.4.ebuild [delete] https://crrev.com/45c39894be9c29534aaeddd964b67ede29967156/dev-libs/libp11/files/libp11-0.2.8-variable-buffer-size.patch [delete] https://crrev.com/45c39894be9c29534aaeddd964b67ede29967156/dev-libs/engine_pkcs11/metadata.xml [delete] https://crrev.com/45c39894be9c29534aaeddd964b67ede29967156/dev-libs/libp11/libp11-0.2.8-r3.ebuild [delete] https://crrev.com/45c39894be9c29534aaeddd964b67ede29967156/dev-libs/engine_pkcs11/engine_pkcs11-0.1.8.ebuild
,
Jul 28 2017
The CLs in #14 landed, but caused wpa_supplicant to crash when loading/unloading pkcs11.so multiple times. See issue 748407. |
Comment 1 by djkurtz@chromium.org
, Jul 6 2017