From: Robert Marko <robert.marko@sartura.hr>
Date: Mon, 12 Jan 2026 16:28:06 +0000 (+0100)
Subject: boot: arm-trusted-firmware-microchipsw: fix compilation against LibreSSL
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=410277ca12d811daa8040edf75dfd87a2d9dd5f8;p=thirdparty%2Fopenwrt.git

boot: arm-trusted-firmware-microchipsw: fix compilation against LibreSSL

LibreSSL 3.9+ has dropped support for X509V3 extension API so cert_create
tool does not compile against it at all.

This was hidden by the fact that it was compiling against OpenSSL on my
host which still has that API, however we do not ship libssl-dev in the
Buildbot containers so compiling against distro OpenSSL is not possible.

So, after a long time trying to find any docs on that API I resorted to
LLM(Gemini 3 Pro) to get it to compile.

Our libcrypto is linked against pthread so we must pass -lpthread as well
for cert_tool.

Fixes: 5205c0c42607 ("microchipsw: lan969x: add Microchip EV23X71A")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
---

diff --git a/package/boot/arm-trusted-firmware-microchipsw/Makefile b/package/boot/arm-trusted-firmware-microchipsw/Makefile
index 0095cc1c382..e4ec3851d6f 100644
--- a/package/boot/arm-trusted-firmware-microchipsw/Makefile
+++ b/package/boot/arm-trusted-firmware-microchipsw/Makefile
@@ -62,17 +62,6 @@ define Build/Prepare
 	$(TAR) -C $(PKG_BUILD_DIR) -xf $(DL_DIR)/$(MBEDTLS_SOURCE)
 endef
 
-# We must not pass OPENSSL_DIR as locally built mbedtls is used
-define Build/Compile
-	+unset CC; \
-	$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
-		CROSS_COMPILE=$(TARGET_CROSS) \
-		$(if $(DTC),DTC="$(DTC)") \
-		PLAT=$(PLAT) \
-		BUILD_STRING="OpenWrt $(PKG_VERSION_PREFIX)$(PKG_VERSION)-$(PKG_RELEASE) ($(VARIANT))" \
-		$(TFA_MAKE_FLAGS)
-endef
-
 TFA_MAKE_FLAGS += \
 	MBEDTLS_DIR=$(PKG_BUILD_DIR)/$(MBEDTLS_NAME) \
 	BL33=$(STAGING_DIR_IMAGE)/$(BUILD_VARIANT)-u-boot.bin \
diff --git a/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch b/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch
new file mode 100644
index 00000000000..55a053418e7
--- /dev/null
+++ b/package/boot/arm-trusted-firmware-microchipsw/patches/0002-cert_create-add-LibreSSL-3.9-compatibility.patch
@@ -0,0 +1,95 @@
+From 40166fd8d88f33c621d3cca0b936f31816f3fe2e Mon Sep 17 00:00:00 2001
+From: Robert Marko <robert.marko@sartura.hr>
+Date: Mon, 12 Jan 2026 14:40:23 +0100
+Subject: [PATCH] cert_create: add LibreSSL 3.9+ compatibility
+
+LibreSSL 3.9+ has dropped the whole support for X509V3 extensions.
+
+Generated by Gemini 3 Pro.
+
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+---
+ tools/cert_create/src/ext.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+--- a/tools/cert_create/src/ext.c
++++ b/tools/cert_create/src/ext.c
+@@ -51,15 +51,18 @@ int ext_init(void)
+ {
+ 	cmd_opt_t cmd_opt;
+ 	ext_t *ext;
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L
+ 	X509V3_EXT_METHOD *m;
+-	int nid, ret;
++	int ret, nid;
++#endif
+ 	unsigned int i;
+ 
+ 	extensions = malloc((num_def_extensions * sizeof(def_extensions[0]))
+ #ifdef PDEF_EXTS
+ 			    + (num_pdef_extensions * sizeof(pdef_extensions[0]))
+ #endif
+-			    );
++		);
++
+ 	if (extensions == NULL) {
+ 		ERROR("%s:%d Failed to allocate memory.\n", __func__, __LINE__);
+ 		return 1;
+@@ -69,7 +72,7 @@ int ext_init(void)
+ 	       (num_def_extensions * sizeof(def_extensions[0])));
+ #ifdef PDEF_EXTS
+ 	memcpy(&extensions[num_def_extensions], &pdef_extensions[0],
+-		(num_pdef_extensions * sizeof(pdef_extensions[0])));
++	       (num_pdef_extensions * sizeof(pdef_extensions[0])));
+ 	num_extensions = num_def_extensions + num_pdef_extensions;
+ #else
+ 	num_extensions = num_def_extensions;
+@@ -86,11 +89,15 @@ int ext_init(void)
+ 			cmd_opt.help_msg = ext->help_msg;
+ 			cmd_opt_add(&cmd_opt);
+ 		}
++
+ 		/* Register the extension OID in OpenSSL */
+ 		if (ext->oid == NULL) {
+ 			continue;
+ 		}
++
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L
+ 		nid = OBJ_create(ext->oid, ext->sn, ext->ln);
++
+ 		if (ext->alias) {
+ 			X509V3_EXT_add_alias(nid, ext->alias);
+ 		} else {
+@@ -117,7 +124,16 @@ int ext_init(void)
+ 				return 1;
+ 			}
+ 		}
++#else
++		/*
++		 * LibreSSL 4.2.0+ removed X509V3_EXT_add/alias.
++		 * We still register the OID, but ignore the returned NID
++		 * as we skip method registration.
++		 */
++		OBJ_create(ext->oid, ext->sn, ext->ln);
++#endif
+ 	}
++
+ 	return 0;
+ }
+ 
+@@ -323,12 +339,14 @@ void ext_cleanup(void)
+ 	for (i = 0; i < num_extensions; i++) {
+ 		if (extensions[i].arg != NULL) {
+ 			void *ptr = (void *)extensions[i].arg;
+-
+ 			extensions[i].arg = NULL;
+ 			free(ptr);
+ 		}
+ 	}
+ 	free(extensions);
++
++#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x40200000L
+ 	X509V3_EXT_cleanup();
++#endif
+ }
+ 
diff --git a/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch b/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch
new file mode 100644
index 00000000000..2d8f6ac022f
--- /dev/null
+++ b/package/boot/arm-trusted-firmware-microchipsw/patches/0003-cert_create-pass-pthread-in-LDFLAGS.patch
@@ -0,0 +1,36 @@
+From 11ff8b5e67830d5a09f39e8c1f000b0ddcf8e88f Mon Sep 17 00:00:00 2001
+From: Robert Marko <robert.marko@sartura.hr>
+Date: Mon, 12 Jan 2026 15:16:07 +0100
+Subject: [PATCH] cert_create: pass pthread in LDFLAGS
+
+OpenWrt-s LibreSSL is linked against pthread, so we have to make sure to
+pass -lpthread in LDFLAGS to avoid:
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-crypto_init.o): in function `OPENSSL_init_crypto':
+crypto_init.c:(.text+0x67): undefined reference to `pthread_once'
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-err.o): in function `ERR_load_ERR_strings':
+err.c:(.text+0x812): undefined reference to `pthread_once'
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-conf_sap.o): in function `OpenSSL_config':
+conf_sap.c:(.text+0xc0): undefined reference to `pthread_once'
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-conf_sap.o): in function `OpenSSL_no_config':
+conf_sap.c:(.text+0x107): undefined reference to `pthread_once'
+/usr/bin/ld: /openwrt/staging_dir/host/lib/libcrypto.a(libcrypto_la-err_all.o): in function `ERR_load_crypto_strings':
+err_all.c:(.text+0xa3): undefined reference to `pthread_once'
+collect2: error: ld returned 1 exit status
+make[4]: *** [Makefile:93: cert_create] Error 1
+
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+---
+ tools/cert_create/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/cert_create/Makefile
++++ b/tools/cert_create/Makefile
+@@ -79,7 +79,7 @@ INC_DIR += -I ./include -I ${PLAT_INCLUD
+ # located under the main project directory (i.e.: ${OPENSSL_DIR}, not
+ # ${OPENSSL_DIR}/lib/).
+ LIB_DIR := -L ${OPENSSL_DIR}/lib -L ${OPENSSL_DIR}
+-LIB := -lssl -lcrypto
++LIB := -lssl -lcrypto -pthread
+ 
+ HOSTCC ?= gcc
+