diff options
Diffstat (limited to 'meta/recipes-connectivity/openssl')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch | 36 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch | 30 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch | 46 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch | 62 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch | 99 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/reproducible.patch | 32 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/run-ptest | 2 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.0.2.bb (renamed from meta/recipes-connectivity/openssl/openssl_1.1.1k.bb) | 149 |
8 files changed, 132 insertions, 324 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch new file mode 100644 index 0000000000..5effa6c6f6 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -0,0 +1,36 @@ +From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Tue, 14 Sep 2021 12:18:25 +0200 +Subject: [PATCH] Configure: do not tweak mips cflags + +This conflicts with mips machine definitons from yocto, +e.g. +| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2 + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + Configure | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/Configure b/Configure +index 821e680..0387a74 100755 +--- a/Configure ++++ b/Configure +@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) + push @{$config{shared_ldflag}}, "-mno-cygwin"; + } + +-if ($target =~ /linux.*-mips/ && !$disabled{asm} +- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- # minimally required architecture flags for assembly modules +- my $value; +- $value = '-mips2' if ($target =~ /mips32/); +- $value = '-mips3' if ($target =~ /mips64/); +- unshift @{$config{cflags}}, $value; +- unshift @{$config{cxxflags}}, $value if $config{CXX}; +-} +- + # If threads aren't disabled, check how possible they are + unless ($disabled{threads}) { + if ($auto_threads) { diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch index 949c788344..60890c666d 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -1,4 +1,4 @@ -From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001 +From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com> Date: Tue, 6 Nov 2018 14:50:47 +0100 Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler @@ -21,20 +21,24 @@ https://patchwork.openembedded.org/patch/147229/ Upstream-Status: Inappropriate [OE specific] Signed-off-by: Martin Hundebøll <martin@geanix.com> - Update to fix buildpaths qa issue for '-fmacro-prefix-map'. Signed-off-by: Kai Kang <kai.kang@windriver.com> + +Update to fix buildpaths qa issue for '-ffile-prefix-map'. + +Signed-off-by: Khem Raj <raj.khem@gmail.com> + --- - Configurations/unix-Makefile.tmpl | 10 +++++++++- + Configurations/unix-Makefile.tmpl | 12 +++++++++++- crypto/build.info | 2 +- - 2 files changed, 10 insertions(+), 2 deletions(-) + 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index 16af4d2087..54c162784c 100644 +index f88a70f..528cdef 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), +@@ -471,13 +471,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) @@ -49,6 +53,7 @@ index 16af4d2087..54c162784c 100644 +CFLAGS_Q={- for (@{$config{CFLAGS}}) { + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; + s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; ++ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; + } + join(' ', @{$config{CFLAGS}}) -} + @@ -59,18 +64,15 @@ index 16af4d2087..54c162784c 100644 # For x86 assembler: Set PROCESSOR to 386 if you want to support diff --git a/crypto/build.info b/crypto/build.info -index b515b7318e..8c9cee2a09 100644 +index efca6cc..eda433e 100644 --- a/crypto/build.info +++ b/crypto/build.info -@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ - ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl +@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF + DEPEND[info.o]=buildinf.h DEPEND[cversion.o]=buildinf.h -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" +GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)" - DEPEND[buildinf.h]=../configdata.pm - GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) --- -2.19.1 - + GENERATE[uplink-x86.s]=../ms/uplink-x86.pl + GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl diff --git a/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch b/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch deleted file mode 100644 index d8d9651b64..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch +++ /dev/null @@ -1,46 +0,0 @@ -From a9401b2289656c5a36dd1b0ecebf0d23e291ce70 Mon Sep 17 00:00:00 2001 -From: Hongxu Jia <hongxu.jia@windriver.com> -Date: Tue, 2 Oct 2018 23:58:24 +0800 -Subject: [PATCH] skip test_symbol_presence - -We cannot skip `01-test_symbol_presence.t' by configuring option `no-shared' -as INSTALL told us the shared libraries will not be built. - -[INSTALL snip] - Notes on shared libraries - ------------------------- - - For most systems the OpenSSL Configure script knows what is needed to - build shared libraries for libcrypto and libssl. On these systems - the shared libraries will be created by default. This can be suppressed and - only static libraries created by using the "no-shared" option. On systems - where OpenSSL does not know how to build shared libraries the "no-shared" - option will be forced and only static libraries will be created. -[INSTALL snip] - -Hence directly modification the case to skip it. - -Upstream-Status: Inappropriate [OE Specific] - -Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> ---- - test/recipes/01-test_symbol_presence.t | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t -index 7f2a2d7..0b93745 100644 ---- a/test/recipes/01-test_symbol_presence.t -+++ b/test/recipes/01-test_symbol_presence.t -@@ -14,8 +14,7 @@ use OpenSSL::Test::Utils; - - setup("test_symbol_presence"); - --plan skip_all => "Only useful when building shared libraries" -- if disabled("shared"); -+plan skip_all => "The case needs debug symbols then we just disable it"; - - my @libnames = ("crypto", "ssl"); - my $testcount = scalar @libnames; --- -2.7.4 - diff --git a/meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch b/meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch deleted file mode 100644 index d62b9344c1..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001 -From: Alistair Francis <alistair.francis@wdc.com> -Date: Thu, 29 Aug 2019 13:56:21 -0700 -Subject: [PATCH] Add support for io_pgetevents_time64 syscall - -32-bit architectures that are y2038 safe don't include syscalls that use -32-bit time_t. Instead these architectures have suffixed syscalls that -always use a 64-bit time_t. In the case of the io_getevents syscall the -syscall has been replaced with the io_pgetevents_time64 syscall instead. - -This patch changes the io_getevents() function to use the correct -syscall based on the avaliable syscalls and the time_t size. We will -only use the new 64-bit time_t syscall if the architecture is using a -64-bit time_t. This is to avoid having to deal with 32/64-bit -conversions and relying on a 64-bit timespec struct on 32-bit time_t -platforms. As of Linux 5.3 there are no 32-bit time_t architectures -without __NR_io_getevents. In the future if a 32-bit time_t architecture -wants to use the 64-bit syscalls we can handle the conversion. - -This fixes build failures on 32-bit RISC-V. - -Signed-off-by: Alistair Francis <alistair.francis@wdc.com> - -Reviewed-by: Richard Levitte <levitte@openssl.org> -Reviewed-by: Paul Dale <paul.dale@oracle.com> -(Merged from https://github.com/openssl/openssl/pull/9819) -Upstream-Status: Accepted ---- - engines/e_afalg.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/engines/e_afalg.c b/engines/e_afalg.c -index dacbe358cb..99516cb1bb 100644 ---- a/engines/e_afalg.c -+++ b/engines/e_afalg.c -@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, - struct io_event *events, - struct timespec *timeout) - { -+#if defined(__NR_io_getevents) - return syscall(__NR_io_getevents, ctx, min, max, events, timeout); -+#elif defined(__NR_io_pgetevents_time64) -+ /* Let's only support the 64 suffix syscalls for 64-bit time_t. -+ * This simplifies the code for us as we don't need to use a 64-bit -+ * version of timespec with a 32-bit time_t and handle converting -+ * between 64-bit and 32-bit times and check for overflows. -+ */ -+ if (sizeof(timeout->tv_sec) == 8) -+ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); -+ else { -+ errno = ENOSYS; -+ return -1; -+ } -+#else -+# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." -+#endif - } - - static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, --- -2.30.1 - diff --git a/meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch b/meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch deleted file mode 100644 index c8bc6f5c68..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch +++ /dev/null @@ -1,99 +0,0 @@ -From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001 -From: Alistair Francis <alistair.francis@wdc.com> -Date: Thu, 4 Mar 2021 12:10:11 -0500 -Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall - -This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc -"Add support for io_pgetevents_time64 syscall" that didn't correctly -work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V. - -For a full discussion of the issue see: -https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc - -Signed-off-by: Alistair Francis <alistair.francis@wdc.com> - -Reviewed-by: Tomas Mraz <tomas@openssl.org> -Reviewed-by: Paul Dale <pauli@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/14432) -Upstream-Status: Accepted ---- - engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 42 insertions(+), 13 deletions(-) - -diff --git a/engines/e_afalg.c b/engines/e_afalg.c -index 9480d7c24b..4e9d67db2d 100644 ---- a/engines/e_afalg.c -+++ b/engines/e_afalg.c -@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) - return syscall(__NR_io_submit, ctx, n, iocb); - } - -+/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */ -+struct __timespec32 -+{ -+ __kernel_long_t tv_sec; -+ __kernel_long_t tv_nsec; -+}; -+ - static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, - struct io_event *events, - struct timespec *timeout) - { -+#if defined(__NR_io_pgetevents_time64) -+ /* Check if we are a 32-bit architecture with a 64-bit time_t */ -+ if (sizeof(*timeout) != sizeof(struct __timespec32)) { -+ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events, -+ timeout, NULL); -+ if (ret == 0 || errno != ENOSYS) -+ return ret; -+ } -+#endif -+ - #if defined(__NR_io_getevents) -- return syscall(__NR_io_getevents, ctx, min, max, events, timeout); --#elif defined(__NR_io_pgetevents_time64) -- /* Let's only support the 64 suffix syscalls for 64-bit time_t. -- * This simplifies the code for us as we don't need to use a 64-bit -- * version of timespec with a 32-bit time_t and handle converting -- * between 64-bit and 32-bit times and check for overflows. -- */ -- if (sizeof(timeout->tv_sec) == 8) -- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL); -+ if (sizeof(*timeout) == sizeof(struct __timespec32)) -+ /* -+ * time_t matches our architecture length, we can just use -+ * __NR_io_getevents -+ */ -+ return syscall(__NR_io_getevents, ctx, min, max, events, timeout); - else { -- errno = ENOSYS; -- return -1; -+ /* -+ * We don't have __NR_io_pgetevents_time64, but we are using a -+ * 64-bit time_t on a 32-bit architecture. If we can fit the -+ * timeout value in a 32-bit time_t, then let's do that -+ * and then use the __NR_io_getevents syscall. -+ */ -+ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) { -+ struct __timespec32 ts32; -+ -+ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec; -+ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec; -+ -+ return syscall(__NR_io_getevents, ctx, min, max, events, ts32); -+ } else { -+ return syscall(__NR_io_getevents, ctx, min, max, events, NULL); -+ } - } --#else --# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64." - #endif -+ -+ errno = ENOSYS; -+ return -1; - } - - static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key, --- -2.30.1 - diff --git a/meta/recipes-connectivity/openssl/openssl/reproducible.patch b/meta/recipes-connectivity/openssl/openssl/reproducible.patch deleted file mode 100644 index a24260c95d..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/reproducible.patch +++ /dev/null @@ -1,32 +0,0 @@ -The value for perl_archname can vary depending on the host, e.g. -x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which -makes the ptest package non-reproducible. Its unused other than -these references so drop it. - -RP 2020/2/6 - -Upstream-Status: Pending -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> - -Index: openssl-1.1.1d/Configure -=================================================================== ---- openssl-1.1.1d.orig/Configure -+++ openssl-1.1.1d/Configure -@@ -286,7 +286,7 @@ if (defined env($local_config_envname)) - # Save away perl command information - $config{perl_cmd} = $^X; - $config{perl_version} = $Config{version}; --$config{perl_archname} = $Config{archname}; -+#$config{perl_archname} = $Config{archname}; - - $config{prefix}=""; - $config{openssldir}=""; -@@ -2517,7 +2517,7 @@ _____ - @{$config{perlargv}}), "\n"; - print "\nPerl information:\n\n"; - print ' ',$config{perl_cmd},"\n"; -- print ' ',$config{perl_version},' for ',$config{perl_archname},"\n"; -+ print ' ',$config{perl_version},"\n"; - } - if ($dump || $options) { - my $longest = 0; diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest index 3fb22471f8..8dff79101f 100644 --- a/meta/recipes-connectivity/openssl/openssl/run-ptest +++ b/meta/recipes-connectivity/openssl/openssl/run-ptest @@ -9,4 +9,4 @@ export TOP=. # OPENSSL_ENGINES is relative from the test binaries export OPENSSL_ENGINES=../engines -perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;' +perl ./test/run_tests.pl $* | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g' diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb b/meta/recipes-connectivity/openssl/openssl_3.0.2.bb index e518cb6a02..ff2a22c6c3 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.2.bb @@ -4,38 +4,28 @@ HOMEPAGE = "http://www.openssl.org/" BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" SECTION = "libs/network" -# "openssl" here actually means both OpenSSL and SSLeay licenses apply -# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" - -DEPENDS = "hostperl-runtime-native" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04" SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ - file://0001-skip-test_symbol_presence.patch \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ - file://reproducible.patch \ + file://0001-Configure-do-not-tweak-mips-cflags.patch \ " -SRC_URI_append_class-nativesdk = " \ +SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI_append_riscv32 = " \ - file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \ - file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \ - " - -SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5" +SRC_URI[sha256sum] = "98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63" -inherit lib_package multilib_header multilib_script ptest +inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" PACKAGECONFIG ?= "" -PACKAGECONFIG_class-native = "" -PACKAGECONFIG_class-nativesdk = "" +PACKAGECONFIG:class-native = "" +PACKAGECONFIG:class-nativesdk = "" PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" PACKAGECONFIG[no-tls1] = "no-tls1" @@ -47,33 +37,32 @@ do_configure[cleandirs] = "${B}" #| ./libcrypto.so: undefined reference to `getcontext' #| ./libcrypto.so: undefined reference to `setcontext' #| ./libcrypto.so: undefined reference to `makecontext' -EXTRA_OECONF_append_libc-musl = " no-async" -EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm" +EXTRA_OECONF:append:libc-musl = " no-async" +EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm" # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions # (native versions can be built with newer glibc, but then relocated onto a system with older glibc) -EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom" -EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom" +EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom" +EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom" # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. -CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" -CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" - -# Disable deprecated crypto algorithms -# Retained for compatibilty -# des (curl) -# dh (python-ssl) -# dsa (rpm) -# md4 (cyrus-sasl freeradius hostapd) -# bf (wvstreams postgresql x11vnc crda znc cfengine) -# rc4 (freerdp librtorrent ettercap xrdp transmission pam-ssh-agent-auth php) -# rc2 (mailx) -# psk (qt5) -# srp (libest) -# whirlpool (qca) -DEPRECATED_CRYPTO_FLAGS = "no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4" +CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" + +# This allows disabling deprecated or undesirable crypto algorithms. +# The default is to trust upstream choices. +DEPRECATED_CRYPTO_FLAGS ?= "" do_configure () { + # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make + # the issue really clear that perl isn't functional due to symbol mismatch issues. + cat <<- EOF > ${WORKDIR}/perltest + #!/usr/bin/env perl + use POSIX; + EOF + chmod a+x ${WORKDIR}/perltest + ${WORKDIR}/perltest + os=${HOST_OS} case $os in linux-gnueabi |\ @@ -88,6 +77,9 @@ do_configure () { esac target="$os-${HOST_ARCH}" case $target in + linux-arc) + target=linux-latomic + ;; linux-arm*) target=linux-armv4 ;; @@ -146,7 +138,7 @@ do_configure () { # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target perl ${B}/configdata.pm --dump } @@ -154,43 +146,50 @@ do_install () { oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install oe_multilib_header openssl/opensslconf.h + oe_multilib_header openssl/configuration.h # Create SSL structure for packages such as ca-certificates which # contain hard-coded paths to /etc/ssl. Debian does the same. install -d ${D}${sysconfdir}/ssl - mv ${D}${libdir}/ssl-1.1/certs \ - ${D}${libdir}/ssl-1.1/private \ - ${D}${libdir}/ssl-1.1/openssl.cnf \ + mv ${D}${libdir}/ssl-3/certs \ + ${D}${libdir}/ssl-3/private \ + ${D}${libdir}/ssl-3/openssl.cnf \ ${D}${sysconfdir}/ssl/ # Although absolute symlinks would be OK for the target, they become # invalid if native or nativesdk are relocated from sstate. - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private - ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private + ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf } -do_install_append_class-native () { +do_install:append:class-native () { create_wrapper ${D}${bindir}/openssl \ - OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ - SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ - SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ - OPENSSL_ENGINES=${libdir}/engines-1.1 + OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \ + SSL_CERT_DIR=${libdir}/ssl-3/certs \ + SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \ + OPENSSL_ENGINES=${libdir}/engines-3 \ + OPENSSL_MODULES=${libdir}/ossl-modules } -do_install_append_class-nativesdk () { +do_install:append:class-nativesdk () { mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh - sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh + sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh } PTEST_BUILD_HOST_FILES += "configdata.pm" PTEST_BUILD_HOST_PATTERN = "perl_version =" do_install_ptest () { + install -d ${D}${PTEST_PATH}/test + install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test + install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test + # Prune the build tree rm -f ${B}/fuzz/*.* ${B}/test/*.* cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} + sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} # For test_shlibload @@ -203,11 +202,21 @@ do_install_ptest () { install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps install -d ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines - # seems to be needed with perl 5.32.1 - install -d ${D}${PTEST_PATH}/util/perl/recipes - cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/ + install -d ${D}${PTEST_PATH}/providers + install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers + + install -d ${D}${PTEST_PATH}/Configurations + cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/ + + # seems to be needed with perl 5.32.1 + install -d ${D}${PTEST_PATH}/util/perl/recipes + cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/ + + sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl } # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto @@ -217,25 +226,25 @@ do_install_ptest () { PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" -FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" -FILES_libssl = "${libdir}/libssl${SOLIBS}" -FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ - ${libdir}/ssl-1.1/openssl.cnf* \ +FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" +FILES:libssl = "${libdir}/libssl${SOLIBS}" +FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \ + ${libdir}/ssl-3/openssl.cnf* \ " -FILES_${PN}-engines = "${libdir}/engines-1.1" +FILES:${PN}-engines = "${libdir}/engines-3" # ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP) -FILES_${PN}-engines_append_mingw32_class-nativesdk = " ${prefix}${libdir}/engines-1_1" -FILES_${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash" -FILES_${PN} =+ "${libdir}/ssl-1.1/*" -FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" +FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3" +FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash" +FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/" +FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" -CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" -RRECOMMENDS_libcrypto += "openssl-conf" -RDEPENDS_${PN}-misc = "perl" -RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" +RRECOMMENDS:libcrypto += "openssl-conf" +RDEPENDS:${PN}-misc = "perl" +RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed" -RDEPENDS_${PN}-bin += "openssl-conf" +RDEPENDS:${PN}-bin += "openssl-conf" BBCLASSEXTEND = "native nativesdk" @@ -245,4 +254,4 @@ CVE_VERSION_SUFFIX = "alphabetical" # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 # Apache in meta-webserver is already recent enough -CVE_CHECK_WHITELIST += "CVE-2019-0190" +CVE_CHECK_IGNORE += "CVE-2019-0190" |