From 5acc00bf16900b59a49f8804bda5a5ce507d1917 Mon Sep 17 00:00:00 2001 From: Chunrong Guo Date: Tue, 15 Oct 2019 14:53:45 +0800 Subject: [PATCH] openssl-qoriq: Upgrade 1.1.0g -> 1.1.1d *update to lsdk 1909 tag include the following changes: 894da2f - Prepare for 1.1.1d release 1cb7eff - Update copyright year a95b081 - Remove duplicate CHANGES entry 08229ad - Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey 7ff84d8 - Update CHANGES and NEWS for the new release 79f5e2f - Fix a potential crash in rand_unix.c 1d36536 - Fix a strict warnings error in rand_pool_acquire_entropy 6318018 - drbg: fix issue where DRBG_CTR fails if NO_DF is used (2nd attempt) 5520695 - drbg: add fork id to additional data on UNIX systems 1b0fe00 - drbg: ensure fork-safety without using a pthread_atfork handler 73a683b - [test] ECC: check the bounds for auto computing cofactor 827eab4 - Fix build with VS2008 4bf9781 - Use BN_clear_free in DH_set0_key 8003138 - DH_check_pub_key_ex was accidentally calling DH_check, so results were undefined. 1f9dc86 - Change DH_generate_parameters back to order 2q subgroup 288241b - Fix spacing nit in test/ectest.c 9a43a73 - [ec] Match built-in curves on EC_GROUP_new_from_ecparameters ad9c296 - Configure: clang: move -Wno-unknown-warning-option to the front 9580391 - Append CVE-2019-1547 to related CHANGES entry 87bea65 - Remove x86/x86_64 BSAES and AES_ASM support a6186f3 - CHANGES entry: for ECC parameters with NULL or zero cofactor, compute it eb1ec38 - [test] computing ECC cofactors: regression test 30c22fa - [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it ed0ac11 - [ec/ecp_nistp*.c] restyle: use {} around `else` too Signed-off-by: Chunrong Guo --- .../openssl/files/environment.d-openssl.sh | 1 + ...st-that-requires-running-as-non-root.patch | 49 ---- ...e-linking-flags-from-LDFLAGS-env-var.patch | 43 ---- ...4-bsaes-armv7-.pl-make-it-work-with-.patch | 88 ------- ...sysroot-and-debug-prefix-map-from-co.patch | 76 ++++++ .../0001-skip-test_symbol_presence.patch | 29 +++ .../openssl/openssl-qoriq/afalg.patch | 31 +++ .../openssl/openssl-qoriq/openssl-c_rehash.sh | 222 ------------------ .../openssl/openssl-qoriq/run-ptest | 14 +- .../openssl/openssl-qoriq_1.1.0g.bb | 184 --------------- .../openssl/openssl-qoriq_1.1.1d.bb | 217 +++++++++++++++++ 11 files changed, 365 insertions(+), 589 deletions(-) create mode 100644 recipes-connectivity/openssl/files/environment.d-openssl.sh delete mode 100644 recipes-connectivity/openssl/openssl-qoriq/0001-Remove-test-that-requires-running-as-non-root.patch delete mode 100644 recipes-connectivity/openssl/openssl-qoriq/0001-Take-linking-flags-from-LDFLAGS-env-var.patch delete mode 100644 recipes-connectivity/openssl/openssl-qoriq/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch create mode 100644 recipes-connectivity/openssl/openssl-qoriq/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch create mode 100644 recipes-connectivity/openssl/openssl-qoriq/0001-skip-test_symbol_presence.patch create mode 100644 recipes-connectivity/openssl/openssl-qoriq/afalg.patch delete mode 100644 recipes-connectivity/openssl/openssl-qoriq/openssl-c_rehash.sh delete mode 100644 recipes-connectivity/openssl/openssl-qoriq_1.1.0g.bb create mode 100644 recipes-connectivity/openssl/openssl-qoriq_1.1.1d.bb diff --git a/recipes-connectivity/openssl/files/environment.d-openssl.sh b/recipes-connectivity/openssl/files/environment.d-openssl.sh new file mode 100644 index 00000000..b9cc24a7 --- /dev/null +++ b/recipes-connectivity/openssl/files/environment.d-openssl.sh @@ -0,0 +1 @@ +export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf" diff --git a/recipes-connectivity/openssl/openssl-qoriq/0001-Remove-test-that-requires-running-as-non-root.patch b/recipes-connectivity/openssl/openssl-qoriq/0001-Remove-test-that-requires-running-as-non-root.patch deleted file mode 100644 index 736bb39a..00000000 --- a/recipes-connectivity/openssl/openssl-qoriq/0001-Remove-test-that-requires-running-as-non-root.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 3fdb1e2a16ea405c6731447a8994f222808ef7e6 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin -Date: Fri, 7 Apr 2017 18:01:52 +0300 -Subject: [PATCH] Remove test that requires running as non-root - -Upstream-Status: Inappropriate [oe-core specific] -Signed-off-by: Alexander Kanavin ---- - test/recipes/40-test_rehash.t | 17 +---------------- - 1 file changed, 1 insertion(+), 16 deletions(-) - -diff --git a/test/recipes/40-test_rehash.t b/test/recipes/40-test_rehash.t -index f902c23..c7567c1 100644 ---- a/test/recipes/40-test_rehash.t -+++ b/test/recipes/40-test_rehash.t -@@ -23,7 +23,7 @@ setup("test_rehash"); - plan skip_all => "test_rehash is not available on this platform" - unless run(app(["openssl", "rehash", "-help"])); - --plan tests => 5; -+plan tests => 3; - - indir "rehash.$$" => sub { - prepare(); -@@ -42,21 +42,6 @@ indir "rehash.$$" => sub { - 'Testing rehash operations on empty directory'); - }, create => 1, cleanup => 1; - --indir "rehash.$$" => sub { -- prepare(); -- chmod 0500, curdir(); -- SKIP: { -- if (!ok(!open(FOO, ">unwritable.txt"), -- "Testing that we aren't running as a privileged user, such as root")) { -- close FOO; -- skip "It's pointless to run the next test as root", 1; -- } -- isnt(run(app(["openssl", "rehash", curdir()])), 1, -- 'Testing rehash operations on readonly directory'); -- } -- chmod 0700, curdir(); # make it writable again, so cleanup works --}, create => 1, cleanup => 1; -- - sub prepare { - my @pemsourcefiles = sort glob(srctop_file('test', "*.pem")); - my @destfiles = (); --- -2.11.0 - diff --git a/recipes-connectivity/openssl/openssl-qoriq/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/recipes-connectivity/openssl/openssl-qoriq/0001-Take-linking-flags-from-LDFLAGS-env-var.patch deleted file mode 100644 index 6ce4e47d..00000000 --- a/recipes-connectivity/openssl/openssl-qoriq/0001-Take-linking-flags-from-LDFLAGS-env-var.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin -Date: Tue, 28 Mar 2017 16:40:12 +0300 -Subject: [PATCH] Take linking flags from LDFLAGS env var - -This fixes "No GNU_HASH in the elf binary" issues. - -Upstream-Status: Inappropriate [oe-core specific] -Signed-off-by: Alexander Kanavin ---- - Configurations/unix-Makefile.tmpl | 2 +- - Configure | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index c029817..43b769b 100644 ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -} - CC= $(CROSS_COMPILE){- $target{cc} -} - CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -} - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -} --LDFLAGS= {- $target{lflags} -} -+LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -} - PLIB_LDFLAGS= {- $target{plib_lflags} -} - EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -} - LIB_CFLAGS={- $target{shared_cflag} || "" -} -diff --git a/Configure b/Configure -index aee7cc3..274d236 100755 ---- a/Configure -+++ b/Configure -@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file}; - $config{defines} = []; - $config{cflags} = ""; - $config{ex_libs} = ""; --$config{shared_ldflag} = ""; -+$config{shared_ldflag} = $ENV{'LDFLAGS'}; - - # Make sure build_scheme is consistent. - $target{build_scheme} = [ $target{build_scheme} ] --- -2.11.0 - diff --git a/recipes-connectivity/openssl/openssl-qoriq/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch b/recipes-connectivity/openssl/openssl-qoriq/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch deleted file mode 100644 index bb0a1689..00000000 --- a/recipes-connectivity/openssl/openssl-qoriq/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch +++ /dev/null @@ -1,88 +0,0 @@ -From bcc096a50811bf0f0c4fd34b2993fed7a7015972 Mon Sep 17 00:00:00 2001 -From: Andy Polyakov -Date: Fri, 3 Nov 2017 23:30:01 +0100 -Subject: [PATCH] aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with - binutils-2.29. - -It's not clear if it's a feature or bug, but binutils-2.29[.1] -interprets 'adr' instruction with Thumb2 code reference differently, -in a way that affects calculation of addresses of constants' tables. - -Upstream-Status: Backport - -Reviewed-by: Tim Hudson -Reviewed-by: Bernd Edlinger -Signed-off-by: Stefan Agner -(Merged from https://github.com/openssl/openssl/pull/4669) - -(cherry picked from commit b82acc3c1a7f304c9df31841753a0fa76b5b3cda) ---- - crypto/aes/asm/aes-armv4.pl | 6 +++--- - crypto/aes/asm/bsaes-armv7.pl | 6 +++--- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl -index 16d79aae53..c6474b8aad 100644 ---- a/crypto/aes/asm/aes-armv4.pl -+++ b/crypto/aes/asm/aes-armv4.pl -@@ -200,7 +200,7 @@ AES_encrypt: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_encrypt - #else -- adr r3,AES_encrypt -+ adr r3,. - #endif - stmdb sp!,{r1,r4-r12,lr} - #ifdef __APPLE__ -@@ -450,7 +450,7 @@ _armv4_AES_set_encrypt_key: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_set_encrypt_key - #else -- adr r3,AES_set_encrypt_key -+ adr r3,. - #endif - teq r0,#0 - #ifdef __thumb2__ -@@ -976,7 +976,7 @@ AES_decrypt: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_decrypt - #else -- adr r3,AES_decrypt -+ adr r3,. - #endif - stmdb sp!,{r1,r4-r12,lr} - #ifdef __APPLE__ -diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl -index 9f288660ef..a27bb4a179 100644 ---- a/crypto/aes/asm/bsaes-armv7.pl -+++ b/crypto/aes/asm/bsaes-armv7.pl -@@ -744,7 +744,7 @@ $code.=<<___; - .type _bsaes_decrypt8,%function - .align 4 - _bsaes_decrypt8: -- adr $const,_bsaes_decrypt8 -+ adr $const,. - vldmia $key!, {@XMM[9]} @ round 0 key - #ifdef __APPLE__ - adr $const,.LM0ISR -@@ -843,7 +843,7 @@ _bsaes_const: - .type _bsaes_encrypt8,%function - .align 4 - _bsaes_encrypt8: -- adr $const,_bsaes_encrypt8 -+ adr $const,. - vldmia $key!, {@XMM[9]} @ round 0 key - #ifdef __APPLE__ - adr $const,.LM0SR -@@ -951,7 +951,7 @@ $code.=<<___; - .type _bsaes_key_convert,%function - .align 4 - _bsaes_key_convert: -- adr $const,_bsaes_key_convert -+ adr $const,. - vld1.8 {@XMM[7]}, [$inp]! @ load round 0 key - #ifdef __APPLE__ - adr $const,.LM0 --- -2.15.0 - diff --git a/recipes-connectivity/openssl/openssl-qoriq/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/recipes-connectivity/openssl/openssl-qoriq/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch new file mode 100644 index 00000000..949c7883 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -0,0 +1,76 @@ +From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= +Date: Tue, 6 Nov 2018 14:50:47 +0100 +Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler + info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The openssl build system generates buildinf.h containing the full +compiler command line used to compile objects. This breaks +reproducibility, as the compile command is baked into libcrypto, where +it is used when running `openssl version -f`. + +Add stripped build variables for the compiler and cflags lines, and use +those when generating buildinfo.h. + +This is based on a similar patch for older openssl versions: +https://patchwork.openembedded.org/patch/147229/ + +Upstream-Status: Inappropriate [OE specific] +Signed-off-by: Martin Hundebøll + + +Update to fix buildpaths qa issue for '-fmacro-prefix-map'. + +Signed-off-by: Kai Kang +--- + Configurations/unix-Makefile.tmpl | 10 +++++++++- + crypto/build.info | 2 +- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 16af4d2087..54c162784c 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), + '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} + BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) + +-# CPPFLAGS_Q is used for one thing only: to build up buildinf.h ++# *_Q variables are used for one thing only: to build up buildinf.h + CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g; + $cppflags2 =~ s|([\\"])|\\$1|g; + $lib_cppflags =~ s|([\\"])|\\$1|g; + join(' ', $lib_cppflags || (), $cppflags2 || (), + $cppflags1 || ()) -} + ++CFLAGS_Q={- for (@{$config{CFLAGS}}) { ++ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; ++ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; ++ } ++ join(' ', @{$config{CFLAGS}}) -} ++ ++CC_Q={- $config{CC} =~ s|--sysroot=[^ ]+|--sysroot=recipe-sysroot|g; ++ join(' ', $config{CC}) -} ++ + PERLASM_SCHEME= {- $target{perlasm_scheme} -} + + # For x86 assembler: Set PROCESSOR to 386 if you want to support +diff --git a/crypto/build.info b/crypto/build.info +index b515b7318e..8c9cee2a09 100644 +--- a/crypto/build.info ++++ b/crypto/build.info +@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ + ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl + + DEPEND[cversion.o]=buildinf.h +-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" ++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)" + DEPEND[buildinf.h]=../configdata.pm + + GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) +-- +2.19.1 + diff --git a/recipes-connectivity/openssl/openssl-qoriq/0001-skip-test_symbol_presence.patch b/recipes-connectivity/openssl/openssl-qoriq/0001-skip-test_symbol_presence.patch new file mode 100644 index 00000000..e632bc45 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/0001-skip-test_symbol_presence.patch @@ -0,0 +1,29 @@ +From 097b9081eced6ffc13c6cbb83abf7110baeca902 Mon Sep 17 00:00:00 2001 +From: Chunrong Guo +Date: Mon, 14 Oct 2019 14:59:11 +0800 +Subject: [PATCH] skip test_symbol_presence + +Upstream-Status: Inappropriate [OE Specific] + +Signed-off-by: BJ DevOps Team +--- + test/recipes/01-test_symbol_presence.t | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index 7f2a2d7..918a8a19 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -14,8 +14,7 @@ use OpenSSL::Test::Utils; + + setup("test_symbol_presence"); + +-plan skip_all => "Only useful when building shared libraries" +- if disabled("shared"); ++plan skip_all => "The case needs debug symbols then we just disable it"; + + my @libnames = ("crypto", "ssl"); + my $testcount = scalar @libnames; +-- +2.7.4 + diff --git a/recipes-connectivity/openssl/openssl-qoriq/afalg.patch b/recipes-connectivity/openssl/openssl-qoriq/afalg.patch new file mode 100644 index 00000000..b7c0e969 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq/afalg.patch @@ -0,0 +1,31 @@ +Don't refuse to build afalgeng if cross-compiling or the host kernel is too old. + +Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688] +Signed-off-by: Ross Burton + +diff --git a/Configure b/Configure +index 3baa8ce..9ef52ed 100755 +--- a/Configure ++++ b/Configure +@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"}) + unless ($disabled{afalgeng}) { + $config{afalgeng}=""; + if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { +- my $minver = 4*10000 + 1*100 + 0; +- if ($config{CROSS_COMPILE} eq "") { +- my $verstr = `uname -r`; +- my ($ma, $mi1, $mi2) = split("\\.", $verstr); +- ($mi2) = $mi2 =~ /(\d+)/; +- my $ver = $ma*10000 + $mi1*100 + $mi2; +- if ($ver < $minver) { +- disable('too-old-kernel', 'afalgeng'); +- } else { +- push @{$config{engdirs}}, "afalg"; +- } +- } else { +- disable('cross-compiling', 'afalgeng'); +- } ++ push @{$config{engdirs}}, "afalg"; + } else { + disable('not-linux', 'afalgeng'); + } diff --git a/recipes-connectivity/openssl/openssl-qoriq/openssl-c_rehash.sh b/recipes-connectivity/openssl/openssl-qoriq/openssl-c_rehash.sh deleted file mode 100644 index 6620fdcb..00000000 --- a/recipes-connectivity/openssl/openssl-qoriq/openssl-c_rehash.sh +++ /dev/null @@ -1,222 +0,0 @@ -#!/bin/sh -# -# Ben Secrest -# -# sh c_rehash script, scan all files in a directory -# and add symbolic links to their hash values. -# -# based on the c_rehash perl script distributed with openssl -# -# LICENSE: See OpenSSL license -# ^^acceptable?^^ -# - -# default certificate location -DIR=/etc/openssl - -# for filetype bitfield -IS_CERT=$(( 1 << 0 )) -IS_CRL=$(( 1 << 1 )) - - -# check to see if a file is a certificate file or a CRL file -# arguments: -# 1. the filename to be scanned -# returns: -# bitfield of file type; uses ${IS_CERT} and ${IS_CRL} -# -check_file() -{ - local IS_TYPE=0 - - # make IFS a newline so we can process grep output line by line - local OLDIFS=${IFS} - IFS=$( printf "\n" ) - - # XXX: could be more efficient to have two 'grep -m' but is -m portable? - for LINE in $( grep '^-----BEGIN .*-----' ${1} ) - do - if echo ${LINE} \ - | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} )) - - if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ] - then - break - fi - elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} )) - - if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ] - then - break - fi - fi - done - - # restore IFS - IFS=${OLDIFS} - - return ${IS_TYPE} -} - - -# -# use openssl to fingerprint a file -# arguments: -# 1. the filename to fingerprint -# 2. the method to use (x509, crl) -# returns: -# none -# assumptions: -# user will capture output from last stage of pipeline -# -fingerprint() -{ - ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':' -} - - -# -# link_hash - create links to certificate files -# arguments: -# 1. the filename to create a link for -# 2. the type of certificate being linked (x509, crl) -# returns: -# 0 on success, 1 otherwise -# -link_hash() -{ - local FINGERPRINT=$( fingerprint ${1} ${2} ) - local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} ) - local SUFFIX=0 - local LINKFILE='' - local TAG='' - - if [ ${2} = "crl" ] - then - TAG='r' - fi - - LINKFILE=${HASH}.${TAG}${SUFFIX} - - while [ -f ${LINKFILE} ] - do - if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ] - then - echo "NOTE: Skipping duplicate file ${1}" >&2 - return 1 - fi - - SUFFIX=$(( ${SUFFIX} + 1 )) - LINKFILE=${HASH}.${TAG}${SUFFIX} - done - - echo "${3} => ${LINKFILE}" - - # assume any system with a POSIX shell will either support symlinks or - # do something to handle this gracefully - ln -s ${3} ${LINKFILE} - - return 0 -} - - -# hash_dir create hash links in a given directory -hash_dir() -{ - echo "Doing ${1}" - - cd ${1} - - ls -1 * 2>/dev/null | while read FILE - do - if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \ - && [ -h "${FILE}" ] - then - rm ${FILE} - fi - done - - ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE - do - REAL_FILE=${FILE} - # if we run on build host then get to the real files in rootfs - if [ -n "${SYSROOT}" -a -h ${FILE} ] - then - FILE=$( readlink ${FILE} ) - # check the symlink is absolute (or dangling in other word) - if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ] - then - REAL_FILE=${SYSROOT}/${FILE} - fi - fi - - check_file ${REAL_FILE} - local FILE_TYPE=${?} - local TYPE_STR='' - - if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ] - then - TYPE_STR='x509' - elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ] - then - TYPE_STR='crl' - else - echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2 - continue - fi - - link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} - done -} - - -# choose the name of an ssl application -if [ -n "${OPENSSL}" ] -then - SSL_CMD=$(which ${OPENSSL} 2>/dev/null) -else - SSL_CMD=/usr/bin/openssl - OPENSSL=${SSL_CMD} - export OPENSSL -fi - -# fix paths -PATH=${PATH}:${DIR}/bin -export PATH - -# confirm existance/executability of ssl command -if ! [ -x ${SSL_CMD} ] -then - echo "${0}: rehashing skipped ('openssl' program not available)" >&2 - exit 0 -fi - -# determine which directories to process -old_IFS=$IFS -if [ ${#} -gt 0 ] -then - IFS=':' - DIRLIST=${*} -elif [ -n "${SSL_CERT_DIR}" ] -then - DIRLIST=$SSL_CERT_DIR -else - DIRLIST=${DIR}/certs -fi - -IFS=':' - -# process directories -for CERT_DIR in ${DIRLIST} -do - if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ] - then - IFS=$old_IFS - hash_dir ${CERT_DIR} - IFS=':' - fi -done diff --git a/recipes-connectivity/openssl/openssl-qoriq/run-ptest b/recipes-connectivity/openssl/openssl-qoriq/run-ptest index 65c6cc7b..3fb22471 100644 --- a/recipes-connectivity/openssl/openssl-qoriq/run-ptest +++ b/recipes-connectivity/openssl/openssl-qoriq/run-ptest @@ -1,4 +1,12 @@ #!/bin/sh -cd test -OPENSSL_ENGINES=../engines BLDTOP=.. SRCTOP=.. perl run_tests.pl -cd .. + +set -e + +# Optional arguments are 'list' to lists all tests, or the test name (base name +# ie test_evp, not 03_test_evp.t). + +export TOP=. +# OPENSSL_ENGINES is relative from the test binaries +export OPENSSL_ENGINES=../engines + +perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;' diff --git a/recipes-connectivity/openssl/openssl-qoriq_1.1.0g.bb b/recipes-connectivity/openssl/openssl-qoriq_1.1.0g.bb deleted file mode 100644 index b0e188ae..00000000 --- a/recipes-connectivity/openssl/openssl-qoriq_1.1.0g.bb +++ /dev/null @@ -1,184 +0,0 @@ -SUMMARY = "Secure Socket Layer" -DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." -HOMEPAGE = "http://www.openssl.org/" -BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" -SECTION = "libs/network" - -DISABLE_STATIC = "" - -# "openssl | SSLeay" dual license -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=cae6da10f4ffd9703214776d2aabce32" - -DEPENDS += "cryptodev-linux hostperl-runtime-native" -DEPENDS_append_class-target = " openssl-native" - -SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/openssl;nobranch=1 \ - file://run-ptest \ - file://openssl-c_rehash.sh \ - file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \ - file://0001-Remove-test-that-requires-running-as-non-root.patch \ - file://0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch \ - " - -SRCREV = "472c9c380669eb7a26819a52598632f257b3e72b" - -PROVIDES = "openssl" - -python() { - pkgs = d.getVar('PACKAGES').split() - for p in pkgs: - if 'openssl-qoriq' in p: - d.appendVar("RPROVIDES_%s" % p, p.replace('openssl-qoriq', 'openssl')) - d.appendVar("RCONFLICTS_%s" % p, p.replace('openssl-qoriq', 'openssl')) - d.appendVar("RREPLACES_%s" % p, p.replace('openssl-qoriq', 'openssl')) -} - -S = "${WORKDIR}/git" - -inherit lib_package multilib_header ptest - -do_configure () { - os=${HOST_OS} - case $os in - linux-uclibc |\ - linux-uclibceabi |\ - linux-gnueabi |\ - linux-uclibcspe |\ - linux-gnuspe |\ - linux-musl*) - os=linux - ;; - *) - ;; - esac - target="$os-${HOST_ARCH}" - case $target in - linux-arm) - target=linux-armv4 - ;; - linux-armeb) - target=linux-armv4 - ;; - linux-aarch64*) - target=linux-aarch64 - ;; - linux-sh3) - target=linux-generic32 - ;; - linux-sh4) - target=linux-generic32 - ;; - linux-i486) - target=linux-elf - ;; - linux-i586 | linux-viac3) - target=linux-elf - ;; - linux-i686) - target=linux-elf - ;; - linux-gnux32-x86_64) - target=linux-x32 - ;; - linux-gnu64-x86_64) - target=linux-x86_64 - ;; - linux-mips) - # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-mipsel) - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-gnun32-mips*) - target=linux-mips64 - ;; - linux-*-mips64 | linux-mips64) - target=linux64-mips64 - ;; - linux-*-mips64el | linux-mips64el) - target=linux64-mips64 - ;; - linux-microblaze*|linux-nios2*) - target=linux-generic32 - ;; - linux-powerpc) - target=linux-ppc - ;; - linux-powerpc64) - target=linux-ppc64 - ;; - linux-riscv64) - target=linux-generic64 - ;; - linux-riscv32) - target=linux-generic32 - ;; - linux-supersparc) - target=linux-sparcv9 - ;; - linux-sparc) - target=linux-sparcv9 - ;; - darwin-i386) - target=darwin-i386-cc - ;; - esac - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi - libdirleaf="$(echo ${libdir} | sed s:$useprefix::)" - perl ./Configure -DHAVE_CRYPTODEV ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdirleaf} $target -} - -#| engines/afalg/e_afalg.c: In function 'eventfd': -#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function) -#| return syscall(__NR_eventfd, n); -#| ^~~~~~~~~~~~ -EXTRA_OECONF_aarch64 += "no-afalgeng" - -#| ./libcrypto.so: undefined reference to `getcontext' -#| ./libcrypto.so: undefined reference to `setcontext' -#| ./libcrypto.so: undefined reference to `makecontext' -EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC" - -do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install - oe_multilib_header openssl/opensslconf.h -} - -do_install_append_class-native () { - # Install a custom version of c_rehash that can handle sysroots properly. - # This version is used for example when installing ca-certificates during - # image creation. - install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash - sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash -} - -do_install_ptest() { - cp -r * ${D}${PTEST_PATH} - - # Putting .so files in ptest package will mess up the dependencies of the main openssl package - # so we rename them to .so.ptest and patch the test accordingly - mv ${D}${PTEST_PATH}/libcrypto.so ${D}${PTEST_PATH}/libcrypto.so.ptest - mv ${D}${PTEST_PATH}/libssl.so ${D}${PTEST_PATH}/libssl.so.ptest - sed -i 's/$target{shared_extension_simple}/".so.ptest"/' ${D}${PTEST_PATH}/test/recipes/90-test_shlibload.t -} - -RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions bash" -RRECOMMENDS_libcrypto += "openssl-conf" - -FILES_${PN} =+ " ${libdir}/ssl-1.1/*" - -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" -FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" -FILES_libssl = "${libdir}/libssl${SOLIBS}" -FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" -FILES_${PN}-engines = "${libdir}/engines-1.1" -FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" - -RPROVIDES_openssl-conf = "openssl10-conf" -RREPLACES_openssl-conf = "openssl10-conf" -RCONFLICTS_openssl-conf = "openssl10-conf" diff --git a/recipes-connectivity/openssl/openssl-qoriq_1.1.1d.bb b/recipes-connectivity/openssl/openssl-qoriq_1.1.1d.bb new file mode 100644 index 00000000..13d9fe75 --- /dev/null +++ b/recipes-connectivity/openssl/openssl-qoriq_1.1.1d.bb @@ -0,0 +1,217 @@ +SUMMARY = "Secure Socket Layer" +DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." +HOMEPAGE = "http://www.openssl.org/" +BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" +SECTION = "libs/network" + +DISABLE_STATIC = "" + +# "openssl" here actually means both OpenSSL and SSLeay licenses apply +# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped) +LICENSE = "openssl" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8" + +DEPENDS = "hostperl-runtime-native" + +SRC_URI = "git://source.codeaurora.org/external/qoriq/qoriq-components/openssl;nobranch=1 \ + file://run-ptest \ + file://0001-skip-test_symbol_presence.patch \ + file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ + file://afalg.patch \ + " + +SRCREV = "894da2fb7ed5d314ee5c2fc9fd2d9b8b74111596" + +SRC_URI_append_class-nativesdk = " \ + file://environment.d-openssl.sh \ + " +inherit lib_package multilib_header multilib_script ptest +MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" + +PROVIDES = "openssl" + +python() { + pkgs = d.getVar('PACKAGES').split() + for p in pkgs: + if 'openssl-qoriq' in p: + d.appendVar("RPROVIDES_%s" % p, p.replace('openssl-qoriq', 'openssl')) + d.appendVar("RCONFLICTS_%s" % p, p.replace('openssl-qoriq', 'openssl')) + d.appendVar("RREPLACES_%s" % p, p.replace('openssl-qoriq', 'openssl')) +} + +PACKAGECONFIG ?= "" +PACKAGECONFIG_class-native = "" +PACKAGECONFIG_class-nativesdk = "" + +PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux" + +B = "${WORKDIR}/build" +do_configure[cleandirs] = "${B}" + +S = "${WORKDIR}/git" + +#| ./libcrypto.so: undefined reference to `getcontext' +#| ./libcrypto.so: undefined reference to `setcontext' +#| ./libcrypto.so: undefined reference to `makecontext' +EXTRA_OECONF_append_libc-musl = " no-async" +EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm" + +# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions +# (native versions can be built with newer glibc, but then relocated onto a system with older glibc) +EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom" +EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom" + +# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. +CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" + +do_configure () { + os=${HOST_OS} + case $os in + linux-gnueabi |\ + linux-gnuspe |\ + linux-musleabi |\ + linux-muslspe |\ + linux-musl ) + os=linux + ;; + *) + ;; + esac + target="$os-${HOST_ARCH}" + case $target in + linux-arm*) + target=linux-armv4 + ;; + linux-aarch64*) + target=linux-aarch64 + ;; + linux-i?86 | linux-viac3) + target=linux-x86 + ;; + linux-gnux32-x86_64 | linux-muslx32-x86_64 ) + target=linux-x32 + ;; + linux-gnu64-x86_64) + target=linux-x86_64 + ;; + linux-mips | linux-mipsel) + # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags + target="linux-mips32 ${TARGET_CC_ARCH}" + ;; + linux-gnun32-mips*) + target=linux-mips64 + ;; + linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) + target=linux64-mips64 + ;; + linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) + target=linux-generic32 + ;; + linux-powerpc) + target=linux-ppc + ;; + linux-powerpc64) + target=linux-ppc64 + ;; + linux-riscv32) + target=linux-generic32 + ;; + linux-riscv64) + target=linux-generic64 + ;; + linux-sparc | linux-supersparc) + target=linux-sparcv9 + ;; + esac + + useprefix=${prefix} + if [ "x$useprefix" = "x" ]; then + useprefix=/ + fi + # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the + # environment variables set by bitbake. Adjust the environment variables instead. + PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target + perl ${B}/configdata.pm --dump +} + +do_install () { + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install + + oe_multilib_header openssl/opensslconf.h + + # Create SSL structure for packages such as ca-certificates which + # contain hard-coded paths to /etc/ssl. Debian does the same. + install -d ${D}${sysconfdir}/ssl + mv ${D}${libdir}/ssl-1.1/certs \ + ${D}${libdir}/ssl-1.1/private \ + ${D}${libdir}/ssl-1.1/openssl.cnf \ + ${D}${sysconfdir}/ssl/ + + # Although absolute symlinks would be OK for the target, they become + # invalid if native or nativesdk are relocated from sstate. + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private + ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf +} + +do_install_append_class-native () { + create_wrapper ${D}${bindir}/openssl \ + OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ + SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ + SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ + OPENSSL_ENGINES=${libdir}/ssl-1.1/engines +} + +do_install_append_class-nativesdk () { + mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d + install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh + sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh +} + +PTEST_BUILD_HOST_FILES += "configdata.pm" +PTEST_BUILD_HOST_PATTERN = "perl_version =" +do_install_ptest () { + # Prune the build tree + rm -f ${B}/fuzz/*.* ${B}/test/*.* + + cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH} + cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH} + + # For test_shlibload + ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/ + ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/ + + install -d ${D}${PTEST_PATH}/apps + ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps + install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps + install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps + + install -d ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines +} + +# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto +# package RRECOMMENDS on this package. This will enable the configuration +# file to be installed for both the openssl-bin package and the libcrypto +# package since the openssl-bin package depends on the libcrypto package. + +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc" + +FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" +FILES_libssl = "${libdir}/libssl${SOLIBS}" +FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +FILES_${PN}-engines = "${libdir}/engines-1.1" +FILES_${PN}-misc = "${libdir}/ssl-1.1/misc" +FILES_${PN} =+ "${libdir}/ssl-1.1/*" +FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" + +CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" + +RRECOMMENDS_libcrypto += "openssl-conf" +RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash" + +BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT = "openssl:openssl" -- 2.40.1