libopenssl-legacy not selected by default for hostapd-basic-openssl about openwrt HOT 11 OPEN

Invalid Version reported. r25870+1-08639a5e47
Is this from a clean repository?

from openwrt.

Invalid Version reported. r25870+1-08639a5e47 Is this from a clean repository?

Ah yes well, not exactly. Sorry. It's one commit ahead of main, but that's not touching any relevant files.

from openwrt.

Ah, libopenssl-legacy is required for the IDEA and SEED ciphers and MDC2 and WHIRLPOOL digests.

from openwrt.

I'm confused. The hostapd-basic-* variants are PSK-only. What ciphers exactly are provided by libopenssl-legacy that hostapd-basic-openssl strictly requires? Note that I use hostapd-basic-openssl on my devices and never had any issues whatsoever (with WPA2/WPA3-mixed and OWE). Additionally, from my .config…

# CONFIG_OPENSSL_WITH_ARIA is not set
# CONFIG_OPENSSL_WITH_CAMELLIA is not set
# CONFIG_OPENSSL_WITH_IDEA is not set
# CONFIG_OPENSSL_WITH_SEED is not set
# CONFIG_OPENSSL_WITH_SM234 is not set
# CONFIG_OPENSSL_WITH_BLAKE2 is not set
# CONFIG_OPENSSL_WITH_MDC2 is not set
# CONFIG_OPENSSL_WITH_WHIRLPOOL is not set

… what am I missing?

from openwrt.

I'm confused. The hostapd-basic-* variants are PSK-only. What ciphers exactly are provided by libopenssl-legacy that hostapd-basic-openssl strictly requires? Note that I use hostapd-basic-openssl on my devices and never had any issues whatsoever (with WPA2/WPA3-mixed and OWE). Additionally, from my .config…

# CONFIG_OPENSSL_WITH_ARIA is not set
# CONFIG_OPENSSL_WITH_CAMELLIA is not set
# CONFIG_OPENSSL_WITH_IDEA is not set
# CONFIG_OPENSSL_WITH_SEED is not set
# CONFIG_OPENSSL_WITH_SM234 is not set
# CONFIG_OPENSSL_WITH_BLAKE2 is not set
# CONFIG_OPENSSL_WITH_MDC2 is not set
# CONFIG_OPENSSL_WITH_WHIRLPOOL is not set

… what am I missing?

Huh, I'm confused as well. I tried it from a clean repository again now, deselected the default wpad-basic-mbedtls and selected hostapd-basic-openssl. This is my diffconfig:

CONFIG_TARGET_ramips=y
CONFIG_TARGET_ramips_mt7621=y
CONFIG_TARGET_ramips_mt7621_DEVICE_dlink_dap-x1860-a1=y
CONFIG_OPENSSL_ENGINE=y
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM=y
CONFIG_OPENSSL_WITH_ASM=y
CONFIG_OPENSSL_WITH_CHACHA_POLY1305=y
CONFIG_OPENSSL_WITH_CMS=y
CONFIG_OPENSSL_WITH_DEPRECATED=y
CONFIG_OPENSSL_WITH_ERROR_MESSAGES=y
CONFIG_OPENSSL_WITH_IDEA=y
CONFIG_OPENSSL_WITH_MDC2=y
CONFIG_OPENSSL_WITH_PSK=y
CONFIG_OPENSSL_WITH_SEED=y
CONFIG_OPENSSL_WITH_SRP=y
CONFIG_OPENSSL_WITH_TLS13=y
CONFIG_OPENSSL_WITH_WHIRLPOOL=y
CONFIG_PACKAGE_hostapd-basic-openssl=y
CONFIG_PACKAGE_libatomic=y
CONFIG_PACKAGE_libopenssl=y
# CONFIG_PACKAGE_wpad-basic-mbedtls is not set

(Also @nbd168 commit includes wpad-basic-openssl; why? If these ciphers/digests are not strictly required, why include wpad but not hostapd?)

Edit: These are selected by default if SMALL_FLASH isn't set 🤔

from openwrt.

Huh, I'm confused as well. I tried it from a clean repository again now, deselected the default wpad-basic-mbedtls and selected hostapd-basic-openssl. This is my diffconfig:

CONFIG_TARGET_ramips=y
CONFIG_TARGET_ramips_mt7621=y
CONFIG_TARGET_ramips_mt7621_DEVICE_dlink_dap-x1860-a1=y
CONFIG_OPENSSL_ENGINE=y
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM=y
CONFIG_OPENSSL_WITH_ASM=y
CONFIG_OPENSSL_WITH_CHACHA_POLY1305=y
CONFIG_OPENSSL_WITH_CMS=y
CONFIG_OPENSSL_WITH_DEPRECATED=y
CONFIG_OPENSSL_WITH_ERROR_MESSAGES=y
CONFIG_OPENSSL_WITH_IDEA=y
CONFIG_OPENSSL_WITH_MDC2=y
CONFIG_OPENSSL_WITH_PSK=y
CONFIG_OPENSSL_WITH_SEED=y
CONFIG_OPENSSL_WITH_SRP=y
CONFIG_OPENSSL_WITH_TLS13=y
CONFIG_OPENSSL_WITH_WHIRLPOOL=y
CONFIG_PACKAGE_hostapd-basic-openssl=y
CONFIG_PACKAGE_libatomic=y
CONFIG_PACKAGE_libopenssl=y
# CONFIG_PACKAGE_wpad-basic-mbedtls is not set

Those are just defaults. I do my own builds and my configuration is heavily streamlined and reduced to the bare minimum. I can assure you, however, I never had any issues without those ciphers. And I just remembered that it was actually me who added the hostapd-basic-openssl variant (10e73b1), because, well… it's the one I personally use.

(Also @nbd168 commit includes wpad-basic-openssl; why? If these ciphers/digests are not strictly required, why include wpad but not hostapd?)

Edit: These are selected by default if SMALL_FLASH isn't set 🤔

They are very likely enabled by default for other software that requires them, but certainly not hostapd-basic-openssl.

from openwrt.

Those are just defaults. I do my own builds and my configuration is heavily streamlined and reduced to the bare minimum. I can assure you, however, I never had any issues without those ciphers. And I just remembered that it was actually me who added the hostapd-basic-openssl variant (10e73b1), because, well… it's the one I personally use.

Ah, that makes sense, thank you! I'll go ahead and try it out on mine as well.

They are very likely enabled by default for other software that requires them, but certainly not hostapd-basic-openssl.

Hm, but still: Why though? hostapd-basic-openssl is the only openssl variant that's not included, every other one is. Since wpad-basic-openssl also depends on them: Does wpa_supplicant need those?

from openwrt.

Hm, but still: Why though? hostapd-basic-openssl is the only openssl variant that's not included, every other one is. Since wpad-basic-openssl also depends on them: Does wpa_supplicant need those?

No idea. @nbd168?

from openwrt.

This is an interesting one, I am tempted to merge the PR to include it for hostapd-basic-openssl as it makes no sense why its special

from openwrt.

This is an interesting one, I am tempted to merge the PR to include it for hostapd-basic-openssl as it makes no sense why its special

Just my two cents, but maybe it'd be better to wait for nbd's reply? rsalvaterra is right, I've run it also with libopenssl-legacy omitted and didn't observe any obvious relevant authentication failures. Perhaps it's not required anymore and could be dropped from all other variants as well.

from openwrt.

from openwrt.