From 387c2df15cbd7bfa3917209541e1cd94ddc885d0 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Mon, 6 Mar 2023 11:58:56 -0300 Subject: openssl: fix sysupgrade failure with devcrypto The bump to 3.0.8 inadvertently removed patches that are needed here, but were not adopted upstream. The most important one changes the default value of the DIGESTS setting from ALL to NONE. The absence of this patch causes a sysupgrade failure while the engine is in use with digests enabled. When this happens, the system fails to boot with a kernel panic. Also, explicitly set DIGESTS to NONE in the provided config file, and change the default ciphers setting to disable ECB, which has been recommended for a long time and may cause trouble with some apps. The config file change by itself is not enough because the config file may be preserved during sysupgrade. For people affected by this bug: You can either: 1. remove, the libopenssl-devcrypto package 2. disable the engine in /etc/config/openssl; 3. change /etc/ssl/engines.cnf.d/devcrypto.cnf to set DIGESTS=NONE; 4. update libopenssl-devcrypto to >=3.0.8-3 However, after doing any of the above, **you must reboot the device before running sysupgrade** to ensure no running application is using the engine. Running `/etc/init.d/openssl restart` is not enough. Fixes: 7e7e76afca "openssl: bump to 3.0.8" Signed-off-by: Eneas U de Queiroz --- ...vcrypto-ignore-error-when-closing-session.patch | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch (limited to 'package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch') diff --git a/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch new file mode 100644 index 0000000000..40b1dc78d3 --- /dev/null +++ b/package/libs/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -0,0 +1,24 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Mon, 11 Mar 2019 10:15:14 -0300 +Subject: e_devcrypto: ignore error when closing session + +In cipher_init, ignore an eventual error when closing the previous +session. It may have been closed by another process after a fork. + +Signed-off-by: Eneas U de Queiroz + +--- a/engines/e_devcrypto.c ++++ b/engines/e_devcrypto.c +@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c + int ret; + + /* cleanup a previous session */ +- if (cipher_ctx->sess.ses != 0 && +- clean_devcrypto_session(&cipher_ctx->sess) == 0) +- return 0; ++ if (cipher_ctx->sess.ses != 0) ++ clean_devcrypto_session(&cipher_ctx->sess); + + cipher_ctx->sess.cipher = cipher_d->devcryptoid; + cipher_ctx->sess.keylen = cipher_d->keylen; -- cgit v1.2.3