restore openssl support, make DNS work #57

Open
Habbie opened this issue Feb 20, 2024 · 4 comments
Labels
bug Something isn't working device/toon1

Comments


Habbie commented Feb 20, 2024

#47 drops openssl support from curl because of entropy problems on the old Toon1 kernel. We should figure that out and restore openssl, or make openssl presence a compile time choice.

Also, DNS lookups (for HA_WS_URL) don't work because getaddrinfo does not function in static glibc links.


Habbie commented Sep 4, 2024

After some digging, the problem turns out to be more complex. It's not an entropy problem. It's that fstat from Debian 12's glibc simply does not work on Toon1's 2.6.36 kernel, and openssl relies on it.

openssl first tries getrandom, which we do not have:

```
syscall_403(0x4, 0xbeb11250, 0x6a0000, 0, 0xbeb11250, 0x4) = -1 (errno 38)
```

then it opens urandom, and tries to stat it. `syscall_397` is statx, which is quite new. newfstatat is nice and old, but the AT_EMPTY_PATH flag was introduced in 2.6.39 (yes, that's very close to .36!)

```
openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_LARGEFILE) = 4
syscall_397(0x4, 0x5a8570, 0x1800, 0x7ff, 0xbeb10d20, 0xbeb10e50) = -1 (errno 38)
newfstatat(4, "", 0xbeb10cb8, AT_EMPTY_PATH) = -1 EINVAL (Invalid argument)
close(4)
```

openssl then does the same for 3 other names in /dev.
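The fallback chain in that strace can be reproduced from C to check, before shipping a binary, whether a target kernel accepts what a modern glibc `fstat()` needs. This is an added probe written for this issue, not code from the project; `probe_fstat_support`, `diagnose` and the `SUP_*` bit names are my own, and `STATX_BASIC_STATS` is defined to the `0x7ff` mask seen in the trace only if the toolchain headers lack it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Which kernel interfaces used by a Debian 12 glibc fstat() are accepted. */
#define SUP_STATX         0x1  /* statx(2), Linux 4.11+                      */
#define SUP_FSTATAT_EMPTY 0x2  /* newfstatat(fd, "", AT_EMPTY_PATH), 2.6.39+ */
#define SUP_PLAIN_FSTAT   0x4  /* classic fstat(2), which 2.6.36 still has   */
#ifndef STATX_BASIC_STATS
#define STATX_BASIC_STATS 0x7ffU  /* the mask visible in the strace above */
#endif

/* Probe fd in the order the strace shows openssl's /dev/urandom check going:
 * statx, then newfstatat with AT_EMPTY_PATH, then legacy fstat.
 * errs[i] receives errno of step i (0 on success); returns the support mask. */
int probe_fstat_support(int fd, int errs[3])
{
    int sup = 0;
    struct stat st;
    errs[0] = errs[1] = errs[2] = 0;
#ifdef SYS_statx
    unsigned long long stx[32];  /* opaque 256-byte stand-in for struct statx */
    if (syscall(SYS_statx, fd, "", AT_EMPTY_PATH, STATX_BASIC_STATS, stx) == 0)
        sup |= SUP_STATX;
    else errs[0] = errno;
#else
    errs[0] = ENOSYS;  /* toolchain headers do not even know the syscall */
#endif
    if (fstatat(fd, "", &st, AT_EMPTY_PATH) == 0) sup |= SUP_FSTATAT_EMPTY;
    else errs[1] = errno;
    if (fstat(fd, &st) == 0) sup |= SUP_PLAIN_FSTAT;
    else errs[2] = errno;
    return sup;
}

/* ENOSYS then EINVAL is exactly the 2.6.36 signature from the issue:
 * the kernel has fstat, but this glibc never falls back to it. */
const char *diagnose(const int errs[3])
{
    if (errs[0] == 0 || errs[1] == 0) return "glibc fstat() works on this kernel";
    if (errs[0] == ENOSYS && errs[1] == EINVAL)
        return "kernel predates AT_EMPTY_PATH: Debian 12 glibc fstat() will fail";
    return "unexpected failure pattern";
}
```

Run on the Toon1 kernel the probe should report only `SUP_PLAIN_FSTAT` with the errno pair 38/22, which is the case an older glibc or musl handles by issuing plain fstat directly.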

@Habbie Habbie changed the title restore openssl support restore openssl support, make DNS work Sep 4, 2024

Habbie commented Sep 4, 2024

Ways forward I have thought of:

  • build against musl libc (which might be better at both problems), either statically or ship a chroot. Alpine seems obvious, but Alpine does not have armv5
  • try an older Debian (unlikely to help, glibc has been requiring way newer kernels than 2.6 since basically forever)
  • use the openwrt build system to get a binary that is exactly right, assuming musl gets fstat and DNS right for us
  • solve the TLS and DNS problems in a separate process


Habbie commented Sep 4, 2024

> solve the TLS and DNS problems in a separate process

After taking from Debian 8 armel the socat binary plus the few .so it needs (totalling about 2MB, most of which is OpenSSL), `LD_LIBRARY_PATH=. ./socat - OPENSSL:www.7bits.nl:443,verify=0` works. Presumably socat could be our proxy. I don't like this as a final solution.


Habbie commented Sep 4, 2024

> use the openwrt build system to get a binary that is exactly right, assuming musl gets fstat and DNS right for us

This, or any other approach where we accept that we're building all our deps, also allows us more control over how openssl collects entropy, and we can even introduce patches. This path does not make me happy either, but full control is nice.

@Habbie Habbie added bug Something isn't working device/toon1 labels Sep 4, 2024