[PATCH] mkimage: ecdsa: resolve duplicate symbol error on macOS

nick vincent at systemli.org
Sun Nov 17 19:00:03 CET 2024 

Sorry, there is an error in the commit message of the patch I submitted. 
The current message inaccurately states the issue as "building mkimage 
with LibreSSL version 3.7.3 or higher fails." However, the correct 
description is:

"Building with LibreSSL versions higher than 3.7.3 fails, so the OpenWrt 
project has stuck to version 3.7.3 to avoid these issues."

On 11/17/24 5:57 PM, Nick Hainke wrote:
> When building `mkimage` with LibreSSL version 3.7.3 or higher on macOS,
> CI tests in OpenWrt encounter linker errors caused by duplicate symbols.
> Specifically, the `_ecdsa_verify` and `_ecdsa_sign` symbols appear in both
> `ecdsa-libcrypto.o` and `libcrypto.a`, leading to errors such as:
>
> ```
> duplicate symbol '_ecdsa_verify' in:
>      openwrt/build_dir/host/u-boot-2024.01/tools/generated/lib/ecdsa/ecdsa-libcrypto.o
>      openwrt/staging_dir/host/lib/libcrypto.a[249](libcrypto_la-ecdsa.o)
> duplicate symbol '_ecdsa_sign' in:
>      openwrt/build_dir/host/u-boot-2024.01/tools/generated/lib/ecdsa/ecdsa-libcrypto.o
>      openwrt/staging_dir/host/lib/libcrypto.a[249](libcrypto_la-ecdsa.o)
> ld: 2 duplicate symbols
> ```
>
> The changes in this commit that address this issue were originally written
> by another developer, Linhui Liu, who decided not to send them upstream,
> instead submitting a downstream patch as a PR for OpenWrt.
>
> Given the sensitive nature of cryptographic code, I sought feedback from
> the project maintainers to ensure correctness and encourage the author to
> submit the fix upstream.
>
> Because no action was taken and the original author has been absent for
> several months, the OpenWrt project worked around the issue by holding
> back LibreSSL at a version below 3.7.3. However, we now aim to bump
> LibreSSL to a newer version, making it necessary to apply and upstream
> this fix.
>
> Link:https://github.com/openwrt/openwrt/pull/12799
> Link:https://github.com/openwrt/openwrt/pull/16901
>
> Signed-off-by: Nick Hainke<vincent at systemli.org>
> Cc: Alexandru Gagniuc<mr.nuke.me at gmail.com>
> Cc: Matthias Pritschet<matthias.pritschet at itk-engineering.de>
> Cc: Simon Glass<sjg at chromium.org>
> ---
>
>   include/u-boot/ecdsa.h      | 6 ++++++
>   lib/ecdsa/ecdsa-libcrypto.c | 6 ++++++
>   2 files changed, 12 insertions(+)
>
> diff --git a/include/u-boot/ecdsa.h b/include/u-boot/ecdsa.h
> index f0ac0f327e..f576c79c8f 100644
> --- a/include/u-boot/ecdsa.h
> +++ b/include/u-boot/ecdsa.h
> @@ -9,6 +9,8 @@
>   #include <errno.h>
>   #include <image.h>
>   
> +#ifndef __ECDSA_SIGN__
> +#define __ECDSA_SIGN__
>   /**
>    * crypto_algo API impementation for ECDSA;
>    * @see "struct crypto_algo"
> @@ -33,6 +35,7 @@
>    */
>   int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
>   	       int region_count, uint8_t **sigp, uint *sig_len);
> +#endif
>   
>   /**
>    * add_verify_data() - Add verification information to FDT
> @@ -49,6 +52,8 @@ int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
>    */
>   int ecdsa_add_verify_data(struct image_sign_info *info, void *keydest);
>   
> +#ifndef __ECDSA_VERIFY__
> +#define __ECDSA_VERIFY__
>   /**
>    * verify() - Verify a signature against some data
>    *
> @@ -63,6 +68,7 @@ int ecdsa_verify(struct image_sign_info *info,
>   		 const struct image_region region[], int region_count,
>   		 uint8_t *sig, uint sig_len);
>   /** @} */
> +#endif
>   
>   #define ECDSA256_BYTES	(256 / 8)
>   #define ECDSA384_BYTES	(384 / 8)
> diff --git a/lib/ecdsa/ecdsa-libcrypto.c b/lib/ecdsa/ecdsa-libcrypto.c
> index 1c5dde6069..9a5b7745fc 100644
> --- a/lib/ecdsa/ecdsa-libcrypto.c
> +++ b/lib/ecdsa/ecdsa-libcrypto.c
> @@ -238,6 +238,8 @@ static int do_verify(struct signer *ctx, struct image_sign_info *info,
>   	return ecdsa_check_signature(ctx, info);
>   }
>   
> +#ifndef __ECDSA_SIGN__
> +#define __ECDSA_SIGN__
>   int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
>   	       int region_count, uint8_t **sigp, uint *sig_len)
>   {
> @@ -256,7 +258,10 @@ int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
>   	free_ctx(&ctx);
>   	return ret;
>   }
> +#endif
>   
> +#ifndef __ECDSA_VERIFY__
> +#define __ECDSA_VERIFY__
>   int ecdsa_verify(struct image_sign_info *info,
>   		 const struct image_region region[], int region_count,
>   		 uint8_t *sig, uint sig_len)
> @@ -271,6 +276,7 @@ int ecdsa_verify(struct image_sign_info *info,
>   	free_ctx(&ctx);
>   	return ret;
>   }
> +#endif
>   
>   static int do_add(struct signer *ctx, void *fdt, const char *key_node_name,
>   		  struct image_sign_info *info)

More information about the U-Boot mailing list