libopenssl-legacy not selected by default for hostapd-basic-openssl #15120

Open · 1 task done
icecream42 opened this issue Apr 10, 2024 · 11 comments
Labels: bug (issue report with a confirmed bug), invalid

Comments

icecream42 (Contributor) commented Apr 10, 2024

Describe the bug

For the hostapd-basic-openssl variant libopenssl-legacy is not selected by default. According to this commit a lot of authentication modes fail without it.

depends for hostapd-basic-openssl

depends for other openssl variants

Is this intentional, or was the basic variant overlooked?

OpenWrt version

r25870+1-08639a5e47

OpenWrt release

SNAPSHOT

OpenWrt target/subtarget

ramips/mt7621

Device

D-Link DAP-X1860 A1

Image kind

Self-built image

Steps to reproduce

  1. Build with hostapd-basic-openssl variant
  2. Observe selected dependencies

Actual behaviour

libopenssl-legacy is not selected as dependency

Expected behaviour

libopenssl-legacy is selected as dependency

Additional info

No response

Diffconfig

CONFIG_TARGET_ramips=y
CONFIG_TARGET_ramips_mt7621=y
CONFIG_TARGET_ramips_mt7621_DEVICE_dlink_dap-x1860-a1=y
CONFIG_DEVEL=y
CONFIG_TOOLCHAINOPTS=y
# CONFIG_BINUTILS_USE_VERSION_2_40 is not set
CONFIG_BINUTILS_USE_VERSION_2_42=y
CONFIG_BINUTILS_VERSION="2.42"
CONFIG_BINUTILS_VERSION_2_42=y
CONFIG_CCACHE=y
CONFIG_CLEAN_IPKG=y
CONFIG_EXPERIMENTAL=y
# CONFIG_GDB is not set
CONFIG_LINUX_6_6=y
CONFIG_OPENSSL_ENGINE=y
CONFIG_OPENSSL_ENGINE_BUILTIN=y
CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO=y
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM=y
CONFIG_OPENSSL_WITH_ASM=y
CONFIG_OPENSSL_WITH_CHACHA_POLY1305=y
CONFIG_OPENSSL_WITH_CMS=y
CONFIG_OPENSSL_WITH_DEPRECATED=y
CONFIG_OPENSSL_WITH_ERROR_MESSAGES=y
CONFIG_OPENSSL_WITH_IDEA=y
CONFIG_OPENSSL_WITH_MDC2=y
CONFIG_OPENSSL_WITH_PSK=y
CONFIG_OPENSSL_WITH_SEED=y
CONFIG_OPENSSL_WITH_SRP=y
CONFIG_OPENSSL_WITH_TLS13=y
CONFIG_OPENSSL_WITH_WHIRLPOOL=y
CONFIG_PACKAGE_cgi-io=y
# CONFIG_PACKAGE_dnsmasq is not set
CONFIG_PACKAGE_ethtool=y
# CONFIG_PACKAGE_firewall4 is not set
CONFIG_PACKAGE_hostapd-basic-openssl=y
CONFIG_PACKAGE_irqbalance=y
# CONFIG_PACKAGE_jansson is not set
CONFIG_PACKAGE_kmod-crypto-geniv=y
CONFIG_PACKAGE_kmod-crypto-sha3=y
CONFIG_PACKAGE_kmod-cryptodev=y
# CONFIG_PACKAGE_kmod-lib-crc-ccitt is not set
# CONFIG_PACKAGE_kmod-nft-fib is not set
# CONFIG_PACKAGE_kmod-ppp is not set
CONFIG_PACKAGE_libatomic=y
CONFIG_PACKAGE_liblucihttp=y
CONFIG_PACKAGE_liblucihttp-ucode=y
# CONFIG_PACKAGE_libmbedtls is not set
# CONFIG_PACKAGE_libmnl is not set
# CONFIG_PACKAGE_libnftnl is not set
CONFIG_PACKAGE_libopenssl=y
CONFIG_PACKAGE_libopenssl-conf=y
# CONFIG_PACKAGE_libpthread is not set
# CONFIG_PACKAGE_libustream-mbedtls is not set
CONFIG_PACKAGE_libustream-openssl=y
CONFIG_PACKAGE_luci-base=y
CONFIG_PACKAGE_luci-mod-admin-full=y
CONFIG_PACKAGE_luci-mod-network=y
CONFIG_PACKAGE_luci-mod-status=y
CONFIG_PACKAGE_luci-mod-system=y
CONFIG_PACKAGE_luci-theme-bootstrap=y
# CONFIG_PACKAGE_nftables-json is not set
# CONFIG_PACKAGE_odhcp6c is not set
# CONFIG_PACKAGE_odhcpd-ipv6only is not set
# CONFIG_PACKAGE_opkg is not set
# CONFIG_PACKAGE_ppp is not set
CONFIG_PACKAGE_rpcd=y
CONFIG_PACKAGE_rpcd-mod-file=y
CONFIG_PACKAGE_rpcd-mod-iwinfo=y
CONFIG_PACKAGE_rpcd-mod-luci=y
CONFIG_PACKAGE_rpcd-mod-rrdns=y
CONFIG_PACKAGE_rpcd-mod-ucode=y
CONFIG_PACKAGE_ucode-mod-html=y
CONFIG_PACKAGE_ucode-mod-math=y
CONFIG_PACKAGE_uhttpd=y
CONFIG_PACKAGE_uhttpd-mod-ubus=y
# CONFIG_PACKAGE_wpad-basic-mbedtls is not set
CONFIG_TESTING_KERNEL=y

Terms

  • I am reporting an issue for OpenWrt, not an unsupported fork.

Invalid Version reported. r25870+1-08639a5e47
Is this from a clean repository?

icecream42 (Contributor, Author):

> Invalid Version reported. r25870+1-08639a5e47 Is this from a clean repository?

Ah yes well, not exactly. Sorry. It's one commit ahead of main, but that's not touching any relevant files.

icecream42 (Contributor, Author):

Ah, libopenssl-legacy is required for the IDEA and SEED ciphers and MDC2 and WHIRLPOOL digests.
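A quick consistency check for the situation described in the thread, added here as an example and not part of the issue or of the OpenWrt build system: it scans an OpenWrt `.config` or diffconfig for the four OpenSSL algorithm options named above as needing the legacy provider (IDEA, SEED, MDC2, WHIRLPOOL) and reports whether `CONFIG_PACKAGE_libopenssl-legacy=y` is selected alongside them. The mapping of options to the legacy provider is taken from the comment above; the sample config is constructed from the reporter's diffconfig, and the function names are my own.

```shell
#!/bin/sh
# Added example: check an OpenWrt .config / diffconfig for OpenSSL algorithms
# that (per the thread) live in the legacy provider, and whether the
# libopenssl-legacy package is selected to go with them.
# Not OpenWrt project code; the option list below comes from the issue comment.

LEGACY_OPTS="CONFIG_OPENSSL_WITH_IDEA CONFIG_OPENSSL_WITH_SEED CONFIG_OPENSSL_WITH_MDC2 CONFIG_OPENSSL_WITH_WHIRLPOOL"

# Print, one per line, the legacy-provider options enabled (=y) in config file $1.
enabled_legacy_opts() {
    for opt in $LEGACY_OPTS; do
        grep -q "^${opt}=y\$" "$1" && printf '%s\n' "$opt"
    done
    return 0
}

# Exit 0 when the config is consistent: either no legacy-provider algorithm is
# enabled, or libopenssl-legacy is selected alongside them.
# Exit 1 when legacy algorithms are enabled but the package is not selected.
check_legacy_consistency() {
    found=$(enabled_legacy_opts "$1")
    if [ -z "$found" ]; then
        echo "ok: no legacy-provider algorithms enabled in $1"
        return 0
    fi
    if grep -q '^CONFIG_PACKAGE_libopenssl-legacy=y$' "$1"; then
        echo "ok: legacy algorithms enabled and libopenssl-legacy selected"
        return 0
    fi
    echo "warning: legacy-provider algorithms enabled without CONFIG_PACKAGE_libopenssl-legacy=y:"
    printf '  %s\n' $found
    return 1
}

# Constructed sample (trimmed from the reporter's diffconfig in this thread).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_OPENSSL_WITH_IDEA=y
CONFIG_OPENSSL_WITH_MDC2=y
CONFIG_OPENSSL_WITH_SEED=y
CONFIG_OPENSSL_WITH_WHIRLPOOL=y
CONFIG_PACKAGE_hostapd-basic-openssl=y
CONFIG_PACKAGE_libopenssl=y
# CONFIG_PACKAGE_wpad-basic-mbedtls is not set
EOF

# Constructed "fixed" sample: same config with libopenssl-legacy selected.
FIXED_CFG=$(mktemp)
{ cat "$SAMPLE_CFG"; echo 'CONFIG_PACKAGE_libopenssl-legacy=y'; } > "$FIXED_CFG"

# Run the check on both; the first reports a warning, the second is consistent.
check_legacy_consistency "$SAMPLE_CFG" || echo "exit status: $?"
check_legacy_consistency "$FIXED_CFG"
```

Run it against your real `.config` by calling `check_legacy_consistency path/to/.config`; a non-zero exit status is the signal that the algorithm options and the package selection disagree, which is the condition the issue reports.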

rsalvaterra (Member):

I'm confused. The hostapd-basic-* variants are PSK-only. What ciphers exactly are provided by libopenssl-legacy that hostapd-basic-openssl strictly requires? Note that I use hostapd-basic-openssl on my devices and never had any issues whatsoever (with WPA2/WPA3-mixed and OWE). Additionally, from my .config…

# CONFIG_OPENSSL_WITH_ARIA is not set
# CONFIG_OPENSSL_WITH_CAMELLIA is not set
# CONFIG_OPENSSL_WITH_IDEA is not set
# CONFIG_OPENSSL_WITH_SEED is not set
# CONFIG_OPENSSL_WITH_SM234 is not set
# CONFIG_OPENSSL_WITH_BLAKE2 is not set
# CONFIG_OPENSSL_WITH_MDC2 is not set
# CONFIG_OPENSSL_WITH_WHIRLPOOL is not set

… what am I missing?

icecream42 (Contributor, Author) commented Apr 10, 2024

> I'm confused. The hostapd-basic-* variants are PSK-only. What ciphers exactly are provided by libopenssl-legacy that hostapd-basic-openssl strictly requires? Note that I use hostapd-basic-openssl on my devices and never had any issues whatsoever (with WPA2/WPA3-mixed and OWE). Additionally, from my .config…
>
> # CONFIG_OPENSSL_WITH_ARIA is not set
> # CONFIG_OPENSSL_WITH_CAMELLIA is not set
> # CONFIG_OPENSSL_WITH_IDEA is not set
> # CONFIG_OPENSSL_WITH_SEED is not set
> # CONFIG_OPENSSL_WITH_SM234 is not set
> # CONFIG_OPENSSL_WITH_BLAKE2 is not set
> # CONFIG_OPENSSL_WITH_MDC2 is not set
> # CONFIG_OPENSSL_WITH_WHIRLPOOL is not set
>
> … what am I missing?

Huh, I'm confused as well. I tried it from a clean repository again now, deselected the default wpad-basic-mbedtls and selected hostapd-basic-openssl. This is my diffconfig:

CONFIG_TARGET_ramips=y
CONFIG_TARGET_ramips_mt7621=y
CONFIG_TARGET_ramips_mt7621_DEVICE_dlink_dap-x1860-a1=y
CONFIG_OPENSSL_ENGINE=y
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM=y
CONFIG_OPENSSL_WITH_ASM=y
CONFIG_OPENSSL_WITH_CHACHA_POLY1305=y
CONFIG_OPENSSL_WITH_CMS=y
CONFIG_OPENSSL_WITH_DEPRECATED=y
CONFIG_OPENSSL_WITH_ERROR_MESSAGES=y
CONFIG_OPENSSL_WITH_IDEA=y
CONFIG_OPENSSL_WITH_MDC2=y
CONFIG_OPENSSL_WITH_PSK=y
CONFIG_OPENSSL_WITH_SEED=y
CONFIG_OPENSSL_WITH_SRP=y
CONFIG_OPENSSL_WITH_TLS13=y
CONFIG_OPENSSL_WITH_WHIRLPOOL=y
CONFIG_PACKAGE_hostapd-basic-openssl=y
CONFIG_PACKAGE_libatomic=y
CONFIG_PACKAGE_libopenssl=y
# CONFIG_PACKAGE_wpad-basic-mbedtls is not set

(Also @nbd168 commit includes wpad-basic-openssl; why? If these ciphers/digests are not strictly required, why include wpad but not hostapd?)

Edit: These are selected by default if SMALL_FLASH isn't set 🤔

rsalvaterra (Member):

> Huh, I'm confused as well. I tried it from a clean repository again now, deselected the default wpad-basic-mbedtls and selected hostapd-basic-openssl. This is my diffconfig:
>
> CONFIG_TARGET_ramips=y
> CONFIG_TARGET_ramips_mt7621=y
> CONFIG_TARGET_ramips_mt7621_DEVICE_dlink_dap-x1860-a1=y
> CONFIG_OPENSSL_ENGINE=y
> CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM=y
> CONFIG_OPENSSL_WITH_ASM=y
> CONFIG_OPENSSL_WITH_CHACHA_POLY1305=y
> CONFIG_OPENSSL_WITH_CMS=y
> CONFIG_OPENSSL_WITH_DEPRECATED=y
> CONFIG_OPENSSL_WITH_ERROR_MESSAGES=y
> CONFIG_OPENSSL_WITH_IDEA=y
> CONFIG_OPENSSL_WITH_MDC2=y
> CONFIG_OPENSSL_WITH_PSK=y
> CONFIG_OPENSSL_WITH_SEED=y
> CONFIG_OPENSSL_WITH_SRP=y
> CONFIG_OPENSSL_WITH_TLS13=y
> CONFIG_OPENSSL_WITH_WHIRLPOOL=y
> CONFIG_PACKAGE_hostapd-basic-openssl=y
> CONFIG_PACKAGE_libatomic=y
> CONFIG_PACKAGE_libopenssl=y
> # CONFIG_PACKAGE_wpad-basic-mbedtls is not set

Those are just defaults. I do my own builds and my configuration is heavily streamlined and reduced to the bare minimum. I can assure you, however, I never had any issues without those ciphers. And I just remembered that it was actually me who added the hostapd-basic-openssl variant (10e73b1), because, well… it's the one I personally use.

> (Also @nbd168 commit includes wpad-basic-openssl; why? If these ciphers/digests are not strictly required, why include wpad but not hostapd?)
>
> Edit: These are selected by default if SMALL_FLASH isn't set 🤔

They are very likely enabled by default for other software that requires them, but certainly not hostapd-basic-openssl.

icecream42 (Contributor, Author):

> Those are just defaults. I do my own builds and my configuration is heavily streamlined and reduced to the bare minimum. I can assure you, however, I never had any issues without those ciphers. And I just remembered that it was actually me who added the hostapd-basic-openssl variant (10e73b1), because, well… it's the one I personally use.

Ah, that makes sense, thank you! I'll go ahead and try it out on mine as well.

> They are very likely enabled by default for other software that requires them, but certainly not hostapd-basic-openssl.

Hm, but still: Why though? hostapd-basic-openssl is the only openssl variant that's not included, every other one is. Since wpad-basic-openssl also depends on them: Does wpa_supplicant need those?

rsalvaterra (Member):

> Hm, but still: Why though? hostapd-basic-openssl is the only openssl variant that's not included, every other one is. Since wpad-basic-openssl also depends on them: Does wpa_supplicant need those?

No idea. @nbd168?

robimarko (Contributor):

This is an interesting one, I am tempted to merge the PR to include it for hostapd-basic-openssl as it makes no sense why it's special.

icecream42 (Contributor, Author):

> This is an interesting one, I am tempted to merge the PR to include it for hostapd-basic-openssl as it makes no sense why it's special.

Just my two cents, but maybe it'd be better to wait for nbd's reply? rsalvaterra is right, I've run it also with libopenssl-legacy omitted and didn't observe any obvious relevant authentication failures. Perhaps it's not required anymore and could be dropped from all other variants as well.

rsalvaterra (Member) commented Jun 1, 2024 via email

Development: no branches or pull requests. 3 participants.