diff options
| author | Jeff Hatch <Jeff.Hatch@multitech.com> | 2017-02-06 12:37:00 -0600 |
|---|---|---|
| committer | Jeff Hatch <Jeff.Hatch@multitech.com> | 2017-02-06 12:37:00 -0600 |
| commit | c0869201d08e4c0a2a1d5931e34b392ab54572d0 (patch) | |
| tree | 63ff9ec6f57a1e159fd8b00d5a495e8cee4a500e | |
| parent | 511a09c088ffcca591b8793a9d1ad7e4f9ff3994 (diff) | |
| download | meta-mlinux-c0869201d08e4c0a2a1d5931e34b392ab54572d0.tar.gz meta-mlinux-c0869201d08e4c0a2a1d5931e34b392ab54572d0.tar.bz2 meta-mlinux-c0869201d08e4c0a2a1d5931e34b392ab54572d0.zip | |
Upgrade openssl to 1.0.2k
| -rw-r--r-- | recipes-connectivity/openssl/openssl.inc | 103 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch | 33 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl.inc | 249 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/CVE-2016-7055.patch | 43 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/Makefiles-ptest.patch (renamed from recipes-connectivity/openssl/openssl/Makefiles-ptest.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch | 69 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/configure-musl-target.patch (renamed from recipes-connectivity/openssl/openssl/configure-musl-target.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/configure-targets.patch (renamed from recipes-connectivity/openssl/openssl/configure-targets.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/c_rehash-compat.patch (renamed from recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/ca.patch (renamed from recipes-connectivity/openssl/openssl/debian/ca.patch) | 2 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/debian-targets.patch (renamed from recipes-connectivity/openssl/openssl/debian/debian-targets.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/man-dir.patch (renamed from recipes-connectivity/openssl/openssl/debian/man-dir.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/man-section.patch (renamed from recipes-connectivity/openssl/openssl/debian/man-section.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/no-rpath.patch (renamed from recipes-connectivity/openssl/openssl/debian/no-rpath.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/no-symbolic.patch (renamed from recipes-connectivity/openssl/openssl/debian/no-symbolic.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/pic.patch (renamed from recipes-connectivity/openssl/openssl/debian/pic.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian/version-script.patch (renamed from recipes-connectivity/openssl/openssl/debian/version-script.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch (renamed from recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_diginotar.patch (renamed from recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/debian1.0.2/version-script.patch (renamed from recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch) | 31 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/engines-install-in-libdir-ssl.patch (renamed from recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/find.pl (renamed from recipes-connectivity/openssl/openssl/find.pl) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/fix-cipher-des-ede3-cfb1.patch (renamed from recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch) | 2 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/oe-ldflags.patch (renamed from recipes-connectivity/openssl/openssl/oe-ldflags.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/openssl-1.0.2a-x32-asm.patch (renamed from recipes-connectivity/openssl/openssl/openssl-1.0.2a-x32-asm.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch (renamed from recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/openssl-c_rehash.sh | 222 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/openssl-fix-des.pod-error.patch (renamed from recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/openssl-util-perlpath.pl-cwd.patch | 34 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/openssl_fix_for_x32.patch (renamed from recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch) | 4 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/parallel.patch (renamed from recipes-connectivity/openssl/openssl/parallel.patch) | 17 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/ptest-deps.patch (renamed from recipes-connectivity/openssl/openssl/ptest-deps.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/ptest_makefile_deps.patch (renamed from recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch) | 0 | ||||
| -rwxr-xr-x | recipes-connectivity/openssl/openssl/openssl/run-ptest (renamed from recipes-connectivity/openssl/openssl/run-ptest) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl/shared-libs.patch (renamed from recipes-connectivity/openssl/openssl/shared-libs.patch) | 0 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl/openssl_1.0.2k.bb (renamed from recipes-connectivity/openssl/openssl_1.0.2h.bb) | 23 | ||||
| -rw-r--r-- | recipes-connectivity/openssl/openssl_1.0.2k.bb | 71 |
37 files changed, 797 insertions, 106 deletions
diff --git a/recipes-connectivity/openssl/openssl.inc b/recipes-connectivity/openssl/openssl.inc index 8af423f..3b59e96 100644 --- a/recipes-connectivity/openssl/openssl.inc +++ b/recipes-connectivity/openssl/openssl.inc @@ -8,7 +8,8 @@ SECTION = "libs/network" LICENSE = "openssl" LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8" -DEPENDS = "perl-native-runtime" +# DEPENDS = "makedepend-native hostperl-runtime-native" +DEPENDS = "makedepend-native perl-native-runtime" DEPENDS_append_class-target = " openssl-native" SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ @@ -18,35 +19,33 @@ S = "${WORKDIR}/openssl-${PV}" PACKAGECONFIG[perl] = ",,," AR_append = " r" +TERMIO_libc-musl = "-DTERMIOS" +TERMIO ?= "-DTERMIO" # Avoid binaries being marked as requiring an executable stack since it # doesn't(which causes and this causes issues with SELinux CFLAG = "${@base_conditional('SITEINFO_ENDIANNESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \ - -DTERMIO ${CFLAGS} -Wall -Wa,--noexecstack" - -# -02 does not work on mipsel: ssh hangs when it tries to read /dev/urandom -CFLAG_mtx-1 := "${@'${CFLAG}'.replace('-O2', '')}" -CFLAG_mtx-2 := "${@'${CFLAG}'.replace('-O2', '')}" + ${TERMIO} ${CFLAGS} -Wall -Wa,--noexecstack" export DIRS = "crypto ssl apps" export EX_LIBS = "-lgcc -ldl" export AS = "${CC} -c" +EXTRA_OEMAKE = "-e MAKEFLAGS=" inherit pkgconfig siteinfo multilib_header ptest PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf" -FILES_libcrypto = "${base_libdir}/libcrypto${SOLIBS}" -FILES_libssl = "${libdir}/libssl.so.*" +FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" +FILES_libssl = "${libdir}/libssl${SOLIBS}" FILES_${PN} =+ " ${libdir}/ssl/*" -FILES_${PN}-misc = "${libdir}/ssl/misc ${bindir}/c_rehash" +FILES_${PN}-misc = "${libdir}/ssl/misc" RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" -FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}" # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto # package RRECOMMENDS on this package. This will enable the configuration # file to be installed for both the base openssl package and the libcrypto # package since the base openssl package depends on the libcrypto package. -FILES_openssl-conf = "${libdir}/ssl/openssl.cnf" -CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf" +FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" RRECOMMENDS_libcrypto += "openssl-conf" RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc" @@ -86,7 +85,7 @@ do_configure () { target=linux-elf-armeb ;; linux-aarch64*) - target=linux-generic64 + target=linux-aarch64 ;; linux-sh3) target=debian-sh3 @@ -109,15 +108,24 @@ do_configure () { linux-gnu64-x86_64) target=linux-x86_64 ;; - linux-mips) - target=debian-mips + linux-gnun32-mips*el) + target=debian-mipsn32el + ;; + linux-gnun32-mips*) + target=debian-mipsn32 ;; - linux-mipsel) + linux-mips*64*el) + target=debian-mips64el + ;; + linux-mips*64*) + target=debian-mips64 + ;; + linux-mips*el) target=debian-mipsel ;; - linux-*-mips64) - target=linux-mips - ;; + linux-mips*) + target=debian-mips + ;; linux-microblaze*|linux-nios2*) target=linux-generic32 ;; @@ -151,10 +159,14 @@ do_compile_prepend_class-target () { } do_compile () { + oe_runmake depend oe_runmake } do_compile_ptest () { + # build dependencies for test directory too + export DIRS="$DIRS test" + oe_runmake depend oe_runmake buildtest } @@ -167,40 +179,63 @@ do_install () { oe_libinstall -so libcrypto ${D}${libdir} oe_libinstall -so libssl ${D}${libdir} - # Moving libcrypto to /lib - if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then - mkdir -p ${D}/${base_libdir}/ - mv ${D}${libdir}/libcrypto* ${D}${base_libdir}/ - sed -i s#libdir=\$\{exec_prefix\}\/lib#libdir=${base_libdir}# ${D}/${libdir}/pkgconfig/libcrypto.pc - fi - install -d ${D}${includedir} cp --dereference -R include/openssl ${D}${includedir} + install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash + sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash + oe_multilib_header openssl/opensslconf.h if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then - install -m 0755 ${S}/tools/c_rehash ${D}${bindir} - sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${bindir}/c_rehash sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/tsget - # The c_rehash utility isn't installed by the normal installation process. else - rm -f ${D}${bindir}/c_rehash rm -f ${D}${libdir}/ssl/misc/CA.pl ${D}${libdir}/ssl/misc/tsget fi + + # Create SSL structure + install -d ${D}${sysconfdir}/ssl/ + mv ${D}${libdir}/ssl/openssl.cnf \ + ${D}${libdir}/ssl/certs \ + ${D}${libdir}/ssl/private \ + \ + ${D}${sysconfdir}/ssl/ + ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl/certs + ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl/private + ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl/openssl.cnf } do_install_ptest () { - cp -r Makefile test ${D}${PTEST_PATH} + cp -r -L Makefile.org Makefile test ${D}${PTEST_PATH} + cp Configure config e_os.h ${D}${PTEST_PATH} + cp -r -L include ${D}${PTEST_PATH} + ln -sf ${libdir}/libcrypto.a ${D}${PTEST_PATH} + ln -sf ${libdir}/libssl.a ${D}${PTEST_PATH} + mkdir -p ${D}${PTEST_PATH}/crypto + cp crypto/constant_time_locl.h ${D}${PTEST_PATH}/crypto cp -r certs ${D}${PTEST_PATH} mkdir -p ${D}${PTEST_PATH}/apps - ln -sf /usr/lib/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps - ln -sf /usr/lib/ssl/openssl.cnf ${D}${PTEST_PATH}/apps - ln -sf /usr/bin/openssl ${D}${PTEST_PATH}/apps + ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps + ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps + ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps + cp apps/server.pem ${D}${PTEST_PATH}/apps cp apps/server2.pem ${D}${PTEST_PATH}/apps mkdir -p ${D}${PTEST_PATH}/util install util/opensslwrap.sh ${D}${PTEST_PATH}/util install util/shlib_wrap.sh ${D}${PTEST_PATH}/util + # Time stamps are relevant for "make alltests", otherwise + # make may try to recompile binaries. Not only must the + # binary files be newer than the sources, they also must + # be more recent than the header files in /usr/include. + # + # Using "cp -a" is not sufficient, because do_install + # does not preserve the original time stamps. + # + # So instead of using the original file stamps, we set + # the current time for all files. Binaries will get + # modified again later when stripping them, but that's okay. + touch ${D}${PTEST_PATH} + find ${D}${PTEST_PATH} -type f -print0 | xargs --verbose -0 touch -r ${D}${PTEST_PATH} } do_install_append_class-native() { diff --git a/recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch b/recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch deleted file mode 100644 index 7ba9eab..0000000 --- a/recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch +++ /dev/null @@ -1,33 +0,0 @@ -Upsteram Status: Backport - -When building on x32 systems where the default type is 32bit, make sure -we can transparently represent 64bit integers. Otherwise we end up with -build errors like: -/usr/bin/perl asm/ghash-x86_64.pl elf > ghash-x86_64.s -Integer overflow in hexadecimal number at asm/../../perlasm/x86_64-xlate.pl line 201, <> line 890. -... -ghash-x86_64.s: Assembler messages: -ghash-x86_64.s:890: Error: junk '.15473355479995e+19' after expression - -We don't enable this globally as there are some cases where we'd get -32bit values interpreted as unsigned when we need them as signed. - -Reported-by: Bertrand Jacquin <bertrand@jacquin.bzh> -URL: https://bugs.gentoo.org/542618 - -Signed-off-By: Armin Kuster <akuster@mvista.com> - -diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl ---- a/crypto/perlasm/x86_64-xlate.pl -+++ b/crypto/perlasm/x86_64-xlate.pl -@@ -196,6 +196,10 @@ my %globals; - my $self = shift; - - $self->{value} =~ s/\b(0b[0-1]+)/oct($1)/eig; -+ # When building on x32 ABIs, the expanded hex value might be too -+ # big to fit into 32bits. Enable transparent 64bit support here -+ # so we can safely print it out. -+ use bigint; - if ($gas) { - # Solaris /usr/ccs/bin/as can't handle multiplications - # in $self->{value} diff --git a/recipes-connectivity/openssl/openssl/openssl.inc b/recipes-connectivity/openssl/openssl/openssl.inc new file mode 100644 index 0000000..3b59e96 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/openssl.inc @@ -0,0 +1,249 @@ +SUMMARY = "Secure Socket Layer" +DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." +HOMEPAGE = "http://www.openssl.org/" +BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" +SECTION = "libs/network" + +# "openssl | SSLeay" dual license +LICENSE = "openssl" +LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8" + +# DEPENDS = "makedepend-native hostperl-runtime-native" +DEPENDS = "makedepend-native perl-native-runtime" +DEPENDS_append_class-target = " openssl-native" + +SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ + " +S = "${WORKDIR}/openssl-${PV}" + +PACKAGECONFIG[perl] = ",,," + +AR_append = " r" +TERMIO_libc-musl = "-DTERMIOS" +TERMIO ?= "-DTERMIO" +# Avoid binaries being marked as requiring an executable stack since it +# doesn't(which causes and this causes issues with SELinux +CFLAG = "${@base_conditional('SITEINFO_ENDIANNESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \ + ${TERMIO} ${CFLAGS} -Wall -Wa,--noexecstack" + +export DIRS = "crypto ssl apps" +export EX_LIBS = "-lgcc -ldl" +export AS = "${CC} -c" +EXTRA_OEMAKE = "-e MAKEFLAGS=" + +inherit pkgconfig siteinfo multilib_header ptest + +PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf" +FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}" +FILES_libssl = "${libdir}/libssl${SOLIBS}" +FILES_${PN} =+ " ${libdir}/ssl/*" +FILES_${PN}-misc = "${libdir}/ssl/misc" +RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" + +# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto +# package RRECOMMENDS on this package. This will enable the configuration +# file to be installed for both the base openssl package and the libcrypto +# package since the base openssl package depends on the libcrypto package. +FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf" +RRECOMMENDS_libcrypto += "openssl-conf" +RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc" + +# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE +# vulnerability +EXTRA_OECONF = " -no-ssl3" + +do_configure_prepend_darwin () { + sed -i -e '/version-script=openssl\.ld/d' Configure +} + +do_configure () { + cd util + perl perlpath.pl ${STAGING_BINDIR_NATIVE} + cd .. + ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ + + os=${HOST_OS} + case $os in + linux-uclibc |\ + linux-uclibceabi |\ + linux-gnueabi |\ + linux-uclibcspe |\ + linux-gnuspe |\ + linux-musl*) + os=linux + ;; + *) + ;; + esac + target="$os-${HOST_ARCH}" + case $target in + linux-arm) + target=linux-armv4 + ;; + linux-armeb) + target=linux-elf-armeb + ;; + linux-aarch64*) + target=linux-aarch64 + ;; + linux-sh3) + target=debian-sh3 + ;; + linux-sh4) + target=debian-sh4 + ;; + linux-i486) + target=debian-i386-i486 + ;; + linux-i586 | linux-viac3) + target=debian-i386-i586 + ;; + linux-i686) + target=debian-i386-i686/cmov + ;; + linux-gnux32-x86_64) + target=linux-x32 + ;; + linux-gnu64-x86_64) + target=linux-x86_64 + ;; + linux-gnun32-mips*el) + target=debian-mipsn32el + ;; + linux-gnun32-mips*) + target=debian-mipsn32 + ;; + linux-mips*64*el) + target=debian-mips64el + ;; + linux-mips*64*) + target=debian-mips64 + ;; + linux-mips*el) + target=debian-mipsel + ;; + linux-mips*) + target=debian-mips + ;; + linux-microblaze*|linux-nios2*) + target=linux-generic32 + ;; + linux-powerpc) + target=linux-ppc + ;; + linux-powerpc64) + target=linux-ppc64 + ;; + linux-supersparc) + target=linux-sparcv8 + ;; + linux-sparc) + target=linux-sparcv8 + ;; + darwin-i386) + target=darwin-i386-cc + ;; + esac + # inject machine-specific flags + sed -i -e "s|^\(\"$target\",\s*\"[^:]\+\):\([^:]\+\)|\1:${CFLAG}|g" Configure + useprefix=${prefix} + if [ "x$useprefix" = "x" ]; then + useprefix=/ + fi + perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target +} + +do_compile_prepend_class-target () { + sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile +} + +do_compile () { + oe_runmake depend + oe_runmake +} + +do_compile_ptest () { + # build dependencies for test directory too + export DIRS="$DIRS test" + oe_runmake depend + oe_runmake buildtest +} + +do_install () { + # Create ${D}/${prefix} to fix parallel issues + mkdir -p ${D}/${prefix}/ + + oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install + + oe_libinstall -so libcrypto ${D}${libdir} + oe_libinstall -so libssl ${D}${libdir} + + install -d ${D}${includedir} + cp --dereference -R include/openssl ${D}${includedir} + + install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash + sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash + + oe_multilib_header openssl/opensslconf.h + if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then + sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl + sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/tsget + else + rm -f ${D}${libdir}/ssl/misc/CA.pl ${D}${libdir}/ssl/misc/tsget + fi + + # Create SSL structure + install -d ${D}${sysconfdir}/ssl/ + mv ${D}${libdir}/ssl/openssl.cnf \ + ${D}${libdir}/ssl/certs \ + ${D}${libdir}/ssl/private \ + \ + ${D}${sysconfdir}/ssl/ + ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl/certs + ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl/private + ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl/openssl.cnf +} + +do_install_ptest () { + cp -r -L Makefile.org Makefile test ${D}${PTEST_PATH} + cp Configure config e_os.h ${D}${PTEST_PATH} + cp -r -L include ${D}${PTEST_PATH} + ln -sf ${libdir}/libcrypto.a ${D}${PTEST_PATH} + ln -sf ${libdir}/libssl.a ${D}${PTEST_PATH} + mkdir -p ${D}${PTEST_PATH}/crypto + cp crypto/constant_time_locl.h ${D}${PTEST_PATH}/crypto + cp -r certs ${D}${PTEST_PATH} + mkdir -p ${D}${PTEST_PATH}/apps + ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps + ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps + ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps + cp apps/server.pem ${D}${PTEST_PATH}/apps + cp apps/server2.pem ${D}${PTEST_PATH}/apps + mkdir -p ${D}${PTEST_PATH}/util + install util/opensslwrap.sh ${D}${PTEST_PATH}/util + install util/shlib_wrap.sh ${D}${PTEST_PATH}/util + # Time stamps are relevant for "make alltests", otherwise + # make may try to recompile binaries. Not only must the + # binary files be newer than the sources, they also must + # be more recent than the header files in /usr/include. + # + # Using "cp -a" is not sufficient, because do_install + # does not preserve the original time stamps. + # + # So instead of using the original file stamps, we set + # the current time for all files. Binaries will get + # modified again later when stripping them, but that's okay. + touch ${D}${PTEST_PATH} + find ${D}${PTEST_PATH} -type f -print0 | xargs --verbose -0 touch -r ${D}${PTEST_PATH} +} + +do_install_append_class-native() { + create_wrapper ${D}${bindir}/openssl \ + OPENSSL_CONF=${libdir}/ssl/openssl.cnf \ + SSL_CERT_DIR=${libdir}/ssl/certs \ + SSL_CERT_FILE=${libdir}/ssl/cert.pem \ + OPENSSL_ENGINES=${libdir}/ssl/engines +} + +BBCLASSEXTEND = "native nativesdk" diff --git a/recipes-connectivity/openssl/openssl/openssl/CVE-2016-7055.patch b/recipes-connectivity/openssl/openssl/openssl/CVE-2016-7055.patch new file mode 100644 index 0000000..83a74cd --- /dev/null +++ b/recipes-connectivity/openssl/openssl/openssl/CVE-2016-7055.patch @@ -0,0 +1,43 @@ +From 57c4b9f6a2f800b41ce2836986fe33640f6c3f8a Mon Sep 17 00:00:00 2001 +From: Andy Polyakov <appro@openssl.org> +Date: Sun, 6 Nov 2016 18:33:17 +0100 +Subject: [PATCH] bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity). + +Reviewed-by: Rich Salz <rsalz@openssl.org> +(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/57c4b9f6a2f800b41ce2836986fe33640f6c3f8a] +CVE: CVE-2016-7055 +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + crypto/bn/asm/x86_64-mont.pl | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl +index 044fd7e..80492d8 100755 +--- a/crypto/bn/asm/x86_64-mont.pl ++++ b/crypto/bn/asm/x86_64-mont.pl +@@ -1148,18 +1148,17 @@ $code.=<<___; + mulx 2*8($aptr),%r15,%r13 # ... + adox -3*8($tptr),%r11 + adcx %r15,%r12 +- adox $zero,%r12 ++ adox -2*8($tptr),%r12 + adcx $zero,%r13 ++ adox $zero,%r13 + + mov $bptr,8(%rsp) # off-load &b[i] +- .byte 0x67 + mov $mi,%r15 + imulq 24(%rsp),$mi # "t[0]"*n0 + xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0 + + mulx 3*8($aptr),%rax,%r14 + mov $mi,%rdx +- adox -2*8($tptr),%r12 + adcx %rax,%r13 + adox -1*8($tptr),%r13 + adcx $zero,%r14 +-- +2.7.4 + diff --git a/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch b/recipes-connectivity/openssl/openssl/openssl/Makefiles-ptest.patch index 249446a..249446a 100644 --- a/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch +++ b/recipes-connectivity/openssl/openssl/openssl/Makefiles-ptest.patch diff --git a/recipes-connectivity/openssl/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch b/recipes-connectivity/openssl/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch new file mode 100644 index 0000000..58c9ee7 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch @@ -0,0 +1,69 @@ +From d795f5f20a29adecf92c09459a3ee07ffac01a99 Mon Sep 17 00:00:00 2001 +From: Rich Salz <rsalz@akamai.com> +Date: Sat, 13 Jun 2015 17:03:39 -0400 +Subject: [PATCH] Use SHA256 not MD5 as default digest. + +Commit f8547f62c212837dbf44fb7e2755e5774a59a57b upstream. + +Upstream-Status: Backport +Backport from OpenSSL 2.0 to OpenSSL 1.0.2 +Commit f8547f62c212837dbf44fb7e2755e5774a59a57b + +CVE: CVE-2004-2761 + + The MD5 Message-Digest Algorithm is not collision resistant, + which makes it easier for context-dependent attackers to + conduct spoofing attacks, as demonstrated by attacks on the + use of MD5 in the signature algorithm of an X.509 certificate. + +Reviewed-by: Viktor Dukhovni <viktor@openssl.org> +Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> +Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com> +--- + apps/ca.c | 2 +- + apps/dgst.c | 2 +- + apps/enc.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/apps/ca.c b/apps/ca.c +index 3b7336c..8f3a84b 100644 +--- a/apps/ca.c ++++ b/apps/ca.c +@@ -1612,7 +1612,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, + } else + BIO_printf(bio_err, "Signature ok\n"); + +- if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL) ++ if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL) + goto err; + + ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, +diff --git a/apps/dgst.c b/apps/dgst.c +index 95e5fa3..0d1529f 100644 +--- a/apps/dgst.c ++++ b/apps/dgst.c +@@ -442,7 +442,7 @@ int MAIN(int argc, char **argv) + goto end; + } + if (md == NULL) +- md = EVP_md5(); ++ md = EVP_sha256(); + if (!EVP_DigestInit_ex(mctx, md, impl)) { + BIO_printf(bio_err, "Error setting digest %s\n", pname); + ERR_print_errors(bio_err); +diff --git a/apps/enc.c b/apps/enc.c +index 7b7c70b..a7d944c 100644 +--- a/apps/enc.c ++++ b/apps/enc.c +@@ -344,7 +344,7 @@ int MAIN(int argc, char **argv) + } + + if (dgst == NULL) { +- dgst = EVP_md5(); ++ dgst = EVP_sha256(); + } + + if (bufsize != NULL) { +-- +1.9.1 + diff --git a/recipes-connectivity/openssl/openssl/configure-musl-target.patch b/recipes-connectivity/openssl/openssl/openssl/configure-musl-target.patch index 613dc7b..613dc7b 100644 --- a/recipes-connectivity/openssl/openssl/configure-musl-target.patch +++ b/recipes-connectivity/openssl/openssl/openssl/configure-musl-target.patch diff --git a/recipes-connectivity/openssl/openssl/configure-targets.patch b/recipes-connectivity/openssl/openssl/openssl/configure-targets.patch index 691e74a..691e74a 100644 --- a/recipes-connectivity/openssl/openssl/configure-targets.patch +++ b/recipes-connectivity/openssl/openssl/openssl/configure-targets.patch diff --git a/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch b/recipes-connectivity/openssl/openssl/openssl/debian/c_rehash-compat.patch index 68e54d5..68e54d5 100644 --- a/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/c_rehash-compat.patch diff --git a/recipes-connectivity/openssl/openssl/debian/ca.patch b/recipes-connectivity/openssl/openssl/openssl/debian/ca.patch index aba4d42..fb745e4 100644 --- a/recipes-connectivity/openssl/openssl/debian/ca.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/ca.patch @@ -7,7 +7,7 @@ Index: openssl-0.9.8m/apps/CA.pl.in @@ -65,6 +65,7 @@ foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { - print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 0; } elsif (/^-newcert$/) { diff --git a/recipes-connectivity/openssl/openssl/debian/debian-targets.patch b/recipes-connectivity/openssl/openssl/openssl/debian/debian-targets.patch index 39d4328..39d4328 100644 --- a/recipes-connectivity/openssl/openssl/debian/debian-targets.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/debian-targets.patch diff --git a/recipes-connectivity/openssl/openssl/debian/man-dir.patch b/recipes-connectivity/openssl/openssl/openssl/debian/man-dir.patch index 4085e3b..4085e3b 100644 --- a/recipes-connectivity/openssl/openssl/debian/man-dir.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/man-dir.patch diff --git a/recipes-connectivity/openssl/openssl/debian/man-section.patch b/recipes-connectivity/openssl/openssl/openssl/debian/man-section.patch index 21c1d1a..21c1d1a 100644 --- a/recipes-connectivity/openssl/openssl/debian/man-section.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/man-section.patch diff --git a/recipes-connectivity/openssl/openssl/debian/no-rpath.patch b/recipes-connectivity/openssl/openssl/openssl/debian/no-rpath.patch index 1ccb3b8..1ccb3b8 100644 --- a/recipes-connectivity/openssl/openssl/debian/no-rpath.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/no-rpath.patch diff --git a/recipes-connectivity/openssl/openssl/debian/no-symbolic.patch b/recipes-connectivity/openssl/openssl/openssl/debian/no-symbolic.patch index cc4408a..cc4408a 100644 --- a/recipes-connectivity/openssl/openssl/debian/no-symbolic.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/no-symbolic.patch diff --git a/recipes-connectivity/openssl/openssl/debian/pic.patch b/recipes-connectivity/openssl/openssl/openssl/debian/pic.patch index bfda388..bfda388 100644 --- a/recipes-connectivity/openssl/openssl/debian/pic.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/pic.patch diff --git a/recipes-connectivity/openssl/openssl/debian/version-script.patch b/recipes-connectivity/openssl/openssl/openssl/debian/version-script.patch index a249180..a249180 100644 --- a/recipes-connectivity/openssl/openssl/debian/version-script.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian/version-script.patch diff --git a/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch index c43bcd1..c43bcd1 100644 --- a/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch diff --git a/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_diginotar.patch index d81e22c..d81e22c 100644 --- a/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_diginotar.patch diff --git a/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/version-script.patch index f53efdb..29f11a2 100644 --- a/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch +++ b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/version-script.patch @@ -15,8 +15,8 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld 2014-02-24 22:19:08.601827266 +0100 -@@ -0,0 +1,4621 @@ -+OPENSSL_1.0.0 { +@@ -0,0 +1,4608 @@ ++OPENSSL_1.0.2d { + global: + BIO_f_ssl; + BIO_new_buffer_ssl_connect; @@ -4314,14 +4314,6 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld + CRYPTO_cbc128_decrypt; + CRYPTO_cfb128_encrypt; + CRYPTO_cfb128_8_encrypt; -+ -+ local: -+ *; -+}; -+ -+ -+OPENSSL_1.0.1 { -+ global: + SSL_renegotiate_abbreviated; + TLSv1_1_method; + TLSv1_1_client_method; @@ -4483,15 +4475,7 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld + BIO_s_datagram_sctp; + BIO_dgram_is_sctp; + BIO_dgram_sctp_notification_cb; -+} OPENSSL_1.0.0; -+ -+OPENSSL_1.0.1d { -+ global: + CRYPTO_memcmp; -+} OPENSSL_1.0.1; -+ -+OPENSSL_1.0.2 { -+ global: + SSL_CTX_set_alpn_protos; + SSL_set_alpn_protos; + SSL_CTX_set_alpn_select_cb; @@ -4629,20 +4613,23 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld + BUF_strnlen; + sk_deep_copy; + SSL_test_functions; -+} OPENSSL_1.0.1d; ++ ++ local: ++ *; ++}; + +OPENSSL_1.0.2g { + global: + SRP_VBASE_get1_by_user; + SRP_user_pwd_free; -+} OPENSSL_1.0.2; ++} OPENSSL_1.0.2d; + Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/openssl.ld =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/openssl.ld 2014-02-24 21:02:30.000000000 +0100 @@ -0,0 +1,10 @@ -+OPENSSL_1.0.0 { ++OPENSSL_1.0.2 { + global: + bind_engine; + v_check; @@ -4657,7 +4644,7 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/ccgost/openssl.ld --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/ccgost/openssl.ld 2014-02-24 21:02:30.000000000 +0100 @@ -0,0 +1,10 @@ -+OPENSSL_1.0.0 { ++OPENSSL_1.0.2 { + global: + bind_engine; + v_check; diff --git a/recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch b/recipes-connectivity/openssl/openssl/openssl/engines-install-in-libdir-ssl.patch index a574648..a574648 100644 --- a/recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch +++ b/recipes-connectivity/openssl/openssl/openssl/engines-install-in-libdir-ssl.patch diff --git a/recipes-connectivity/openssl/openssl/find.pl b/recipes-connectivity/openssl/openssl/openssl/find.pl index 8e1b42c..8e1b42c 100644 --- a/recipes-connectivity/openssl/openssl/find.pl +++ b/recipes-connectivity/openssl/openssl/openssl/find.pl diff --git a/recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch b/recipes-connectivity/openssl/openssl/openssl/fix-cipher-des-ede3-cfb1.patch index 06d1ea6..2a318a4 100644 --- a/recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch +++ b/recipes-connectivity/openssl/openssl/openssl/fix-cipher-des-ede3-cfb1.patch @@ -4,7 +4,7 @@ This patch adds the fix for one of the ciphers used in openssl, namely the cipher des-ede3-cfb1. Complete bug log and patch is present here: http://rt.openssl.org/Ticket/Display.html?id=2867 -Signed-Off-By: Muhammad Shakeel <muhammad_shakeel@mentor.com> +Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com> Index: openssl-1.0.2/crypto/evp/e_des3.c =================================================================== diff --git a/recipes-connectivity/openssl/openssl/oe-ldflags.patch b/recipes-connectivity/openssl/openssl/openssl/oe-ldflags.patch index 292e13d..292e13d 100644 --- a/recipes-connectivity/openssl/openssl/oe-ldflags.patch +++ b/recipes-connectivity/openssl/openssl/openssl/oe-ldflags.patch diff --git a/recipes-connectivity/openssl/openssl/openssl-1.0.2a-x32-asm.patch b/recipes-connectivity/openssl/openssl/openssl/openssl-1.0.2a-x32-asm.patch index 1e5bfa1..1e5bfa1 100644 --- a/recipes-connectivity/openssl/openssl/openssl-1.0.2a-x32-asm.patch +++ b/recipes-connectivity/openssl/openssl/openssl/openssl-1.0.2a-x32-asm.patch diff --git a/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch b/recipes-connectivity/openssl/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch index f736e5c..f736e5c 100644 --- a/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch +++ b/recipes-connectivity/openssl/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch diff --git a/recipes-connectivity/openssl/openssl/openssl/openssl-c_rehash.sh b/recipes-connectivity/openssl/openssl/openssl/openssl-c_rehash.sh new file mode 100644 index 0000000..6620fdc --- /dev/null +++ b/recipes-connectivity/openssl/openssl/openssl/openssl-c_rehash.sh @@ -0,0 +1,222 @@ +#!/bin/sh +# +# Ben Secrest <blsecres@gmail.com> +# +# sh c_rehash script, scan all files in a directory +# and add symbolic links to their hash values. +# +# based on the c_rehash perl script distributed with openssl +# +# LICENSE: See OpenSSL license +# ^^acceptable?^^ +# + +# default certificate location +DIR=/etc/openssl + +# for filetype bitfield +IS_CERT=$(( 1 << 0 )) +IS_CRL=$(( 1 << 1 )) + + +# check to see if a file is a certificate file or a CRL file +# arguments: +# 1. the filename to be scanned +# returns: +# bitfield of file type; uses ${IS_CERT} and ${IS_CRL} +# +check_file() +{ + local IS_TYPE=0 + + # make IFS a newline so we can process grep output line by line + local OLDIFS=${IFS} + IFS=$( printf "\n" ) + + # XXX: could be more efficient to have two 'grep -m' but is -m portable? + for LINE in $( grep '^-----BEGIN .*-----' ${1} ) + do + if echo ${LINE} \ + | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' + then + IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} )) + + if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ] + then + break + fi + elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----' + then + IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} )) + + if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ] + then + break + fi + fi + done + + # restore IFS + IFS=${OLDIFS} + + return ${IS_TYPE} +} + + +# +# use openssl to fingerprint a file +# arguments: +# 1. the filename to fingerprint +# 2. the method to use (x509, crl) +# returns: +# none +# assumptions: +# user will capture output from last stage of pipeline +# +fingerprint() +{ + ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':' +} + + +# +# link_hash - create links to certificate files +# arguments: +# 1. the filename to create a link for +# 2. the type of certificate being linked (x509, crl) +# returns: +# 0 on success, 1 otherwise +# +link_hash() +{ + local FINGERPRINT=$( fingerprint ${1} ${2} ) + local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} ) + local SUFFIX=0 + local LINKFILE='' + local TAG='' + + if [ ${2} = "crl" ] + then + TAG='r' + fi + + LINKFILE=${HASH}.${TAG}${SUFFIX} + + while [ -f ${LINKFILE} ] + do + if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ] + then + echo "NOTE: Skipping duplicate file ${1}" >&2 + return 1 + fi + + SUFFIX=$(( ${SUFFIX} + 1 )) + LINKFILE=${HASH}.${TAG}${SUFFIX} + done + + echo "${3} => ${LINKFILE}" + + # assume any system with a POSIX shell will either support symlinks or + # do something to handle this gracefully + ln -s ${3} ${LINKFILE} + + return 0 +} + + +# hash_dir create hash links in a given directory +hash_dir() +{ + echo "Doing ${1}" + + cd ${1} + + ls -1 * 2>/dev/null | while read FILE + do + if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \ + && [ -h "${FILE}" ] + then + rm ${FILE} + fi + done + + ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE + do + REAL_FILE=${FILE} + # if we run on build host then get to the real files in rootfs + if [ -n "${SYSROOT}" -a -h ${FILE} ] + then + FILE=$( readlink ${FILE} ) + # check the symlink is absolute (or dangling in other word) + if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ] + then + REAL_FILE=${SYSROOT}/${FILE} + fi + fi + + check_file ${REAL_FILE} + local FILE_TYPE=${?} + local TYPE_STR='' + + if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ] + then + TYPE_STR='x509' + elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ] + then + TYPE_STR='crl' + else + echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2 + continue + fi + + link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} + done +} + + +# choose the name of an ssl application +if [ -n "${OPENSSL}" ] +then + SSL_CMD=$(which ${OPENSSL} 2>/dev/null) +else + SSL_CMD=/usr/bin/openssl + OPENSSL=${SSL_CMD} + export OPENSSL +fi + +# fix paths +PATH=${PATH}:${DIR}/bin +export PATH + +# confirm existance/executability of ssl command +if ! [ -x ${SSL_CMD} ] +then + echo "${0}: rehashing skipped ('openssl' program not available)" >&2 + exit 0 +fi + +# determine which directories to process +old_IFS=$IFS +if [ ${#} -gt 0 ] +then + IFS=':' + DIRLIST=${*} +elif [ -n "${SSL_CERT_DIR}" ] +then + DIRLIST=$SSL_CERT_DIR +else + DIRLIST=${DIR}/certs +fi + +IFS=':' + +# process directories +for CERT_DIR in ${DIRLIST} +do + if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ] + then + IFS=$old_IFS + hash_dir ${CERT_DIR} + IFS=':' + fi +done diff --git a/recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch b/recipes-connectivity/openssl/openssl/openssl/openssl-fix-des.pod-error.patch index de49729..de49729 100644 --- a/recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch +++ b/recipes-connectivity/openssl/openssl/openssl/openssl-fix-des.pod-error.patch diff --git a/recipes-connectivity/openssl/openssl/openssl/openssl-util-perlpath.pl-cwd.patch b/recipes-connectivity/openssl/openssl/openssl/openssl-util-perlpath.pl-cwd.patch new file mode 100644 index 0000000..065b9b1 --- /dev/null +++ b/recipes-connectivity/openssl/openssl/openssl/openssl-util-perlpath.pl-cwd.patch @@ -0,0 +1,34 @@ +From e427748f3bb5d37e78dc8d70a558c373aa8ababb Mon Sep 17 00:00:00 2001 +From: Robert Yang <liezhi.yang@windriver.com> +Date: Mon, 19 Sep 2016 22:06:28 -0700 +Subject: [PATCH] util/perlpath.pl: make it work when cwd is not in @INC + +Fixed when building on Debian-testing: +| Can't locate find.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at perlpath.pl line 7. + +The find.pl is added by oe-core, so once openssl/find.pl is removed, +then this patch can be dropped. + +Upstream-Status: Inappropriate [OE-Specific] + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> +--- + util/perlpath.pl | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/util/perlpath.pl b/util/perlpath.pl +index a1f236b..5599892 100755 +--- a/util/perlpath.pl ++++ b/util/perlpath.pl +@@ -4,6 +4,8 @@ + # line in all scripts that rely on perl. + # + ++BEGIN { unshift @INC, "."; } ++ + require "find.pl"; + + $#ARGV == 0 || print STDERR "usage: perlpath newpath (eg /usr/bin)\n"; +-- +2.9.0 + diff --git a/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch b/recipes-connectivity/openssl/openssl/openssl/openssl_fix_for_x32.patch index cbce32c..0f08a64 100644 --- a/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch +++ b/recipes-connectivity/openssl/openssl/openssl/openssl_fix_for_x32.patch @@ -2,10 +2,10 @@ Upstream-Status: Pending Received from H J Liu @ Intel Make the assembly syntax compatible with x32 gcc. Othewise x32 gcc throws errors. -Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/07/13 +Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/07/13 ported the patch to the 1.0.0e version -Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/12/01 +Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/12/01 Index: openssl-1.0.2/crypto/bn/bn.h =================================================================== --- openssl-1.0.2.orig/crypto/bn/bn.h diff --git a/recipes-connectivity/openssl/openssl/parallel.patch b/recipes-connectivity/openssl/openssl/openssl/parallel.patch index b6c2c14..f3f4c99 100644 --- a/recipes-connectivity/openssl/openssl/parallel.patch +++ b/recipes-connectivity/openssl/openssl/openssl/parallel.patch @@ -6,6 +6,9 @@ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1 Upstream-Status: Pending Signed-off-by: Ross Burton <ross.burton@intel.com> +Refreshed for 1.0.2i +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + --- openssl-1.0.2g/crypto/Makefile +++ openssl-1.0.2g/crypto/Makefile @@ -85,11 +85,11 @@ @@ -133,7 +136,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> fi; \ --- openssl-1.0.2g/test/Makefile +++ openssl-1.0.2g/test/Makefile -@@ -139,7 +139,7 @@ +@@ -144,7 +144,7 @@ tags: ctags $(SRC) @@ -142,7 +145,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> apps: @(cd ..; $(MAKE) DIRS=apps all) -@@ -421,130 +421,130 @@ +@@ -438,136 +438,136 @@ link_app.$${shlib_target} $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO) @@ -309,13 +312,21 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> - @target=$(CLIENTHELLOTEST) $(BUILD_CMD) + +@target=$(CLIENTHELLOTEST) $(BUILD_CMD) + $(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o +- @target=$(BADDTLSTEST) $(BUILD_CMD) ++ +@target=$(BADDTLSTEST) $(BUILD_CMD) + $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o - @target=$(SSLV2CONFTEST) $(BUILD_CMD) + +@target=$(SSLV2CONFTEST) $(BUILD_CMD) + $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO) +- @target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD) ++ +@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD) + #$(AESTEST).o: $(AESTEST).c # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c -@@ -557,7 +557,7 @@ +@@ -580,6 +580,6 @@ # fi dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO) diff --git a/recipes-connectivity/openssl/openssl/ptest-deps.patch b/recipes-connectivity/openssl/openssl/openssl/ptest-deps.patch index ef6d179..ef6d179 100644 --- a/recipes-connectivity/openssl/openssl/ptest-deps.patch +++ b/recipes-connectivity/openssl/openssl/openssl/ptest-deps.patch diff --git a/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch b/recipes-connectivity/openssl/openssl/openssl/ptest_makefile_deps.patch index 4202e61..4202e61 100644 --- a/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch +++ b/recipes-connectivity/openssl/openssl/openssl/ptest_makefile_deps.patch diff --git a/recipes-connectivity/openssl/openssl/run-ptest b/recipes-connectivity/openssl/openssl/openssl/run-ptest index 3b20fce..3b20fce 100755 --- a/recipes-connectivity/openssl/openssl/run-ptest +++ b/recipes-connectivity/openssl/openssl/openssl/run-ptest diff --git a/recipes-connectivity/openssl/openssl/shared-libs.patch b/recipes-connectivity/openssl/openssl/openssl/shared-libs.patch index a7ca0a3..a7ca0a3 100644 --- a/recipes-connectivity/openssl/openssl/shared-libs.patch +++ b/recipes-connectivity/openssl/openssl/openssl/shared-libs.patch diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bb b/recipes-connectivity/openssl/openssl/openssl_1.0.2k.bb index 3f8fb72..9b148b9 100644 --- a/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/recipes-connectivity/openssl/openssl/openssl_1.0.2k.bb @@ -5,13 +5,16 @@ require openssl.inc DEPENDS += "cryptodev-linux" CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS" +CFLAG_append_class-native = " -fPIC" LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6" export DIRS = "crypto ssl apps engines" export OE_LDFLAGS="${LDFLAGS}" -SRC_URI += "file://configure-targets.patch \ +SRC_URI += "file://run-ptest \ + file://openssl-c_rehash.sh \ + file://configure-targets.patch \ file://shared-libs.patch \ file://oe-ldflags.patch \ file://engines-install-in-libdir-ssl.patch \ @@ -33,20 +36,20 @@ SRC_URI += "file://configure-targets.patch \ file://openssl-fix-des.pod-error.patch \ file://Makefiles-ptest.patch \ file://ptest-deps.patch \ - file://run-ptest \ - file://crypto_use_bigint_in_x86-64_perl.patch \ file://openssl-1.0.2a-x32-asm.patch \ file://ptest_makefile_deps.patch \ + file://configure-musl-target.patch \ + file://parallel.patch \ + file://openssl-util-perlpath.pl-cwd.patch \ " - -SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" -SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919" +SRC_URI[md5sum] = "f965fc0bf01bf882b31314b61391ae65" +SRC_URI[sha256sum] = "6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0" PACKAGES =+ " \ - ${PN}-engines \ - ${PN}-engines-dbg \ - " - + ${PN}-engines \ + ${PN}-engines-dbg \ + " + FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines" FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug" diff --git a/recipes-connectivity/openssl/openssl_1.0.2k.bb b/recipes-connectivity/openssl/openssl_1.0.2k.bb new file mode 100644 index 0000000..9b148b9 --- /dev/null +++ b/recipes-connectivity/openssl/openssl_1.0.2k.bb @@ -0,0 +1,71 @@ +require openssl.inc + +# For target side versions of openssl enable support for OCF Linux driver +# if they are available. +DEPENDS += "cryptodev-linux" + +CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS" +CFLAG_append_class-native = " -fPIC" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6" + +export DIRS = "crypto ssl apps engines" +export OE_LDFLAGS="${LDFLAGS}" + +SRC_URI += "file://run-ptest \ + file://openssl-c_rehash.sh \ + file://configure-targets.patch \ + file://shared-libs.patch \ + file://oe-ldflags.patch \ + file://engines-install-in-libdir-ssl.patch \ + file://debian1.0.2/block_diginotar.patch \ + file://debian1.0.2/block_digicert_malaysia.patch \ + file://debian/ca.patch \ + file://debian/c_rehash-compat.patch \ + file://debian/debian-targets.patch \ + file://debian/man-dir.patch \ + file://debian/man-section.patch \ + file://debian/no-rpath.patch \ + file://debian/no-symbolic.patch \ + file://debian/pic.patch \ + file://debian1.0.2/version-script.patch \ + file://openssl_fix_for_x32.patch \ + file://fix-cipher-des-ede3-cfb1.patch \ + file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \ + file://find.pl \ + file://openssl-fix-des.pod-error.patch \ + file://Makefiles-ptest.patch \ + file://ptest-deps.patch \ + file://openssl-1.0.2a-x32-asm.patch \ + file://ptest_makefile_deps.patch \ + file://configure-musl-target.patch \ + file://parallel.patch \ + file://openssl-util-perlpath.pl-cwd.patch \ + " +SRC_URI[md5sum] = "f965fc0bf01bf882b31314b61391ae65" +SRC_URI[sha256sum] = "6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0" + +PACKAGES =+ " \ + ${PN}-engines \ + ${PN}-engines-dbg \ + " + +FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines" +FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug" + +PARALLEL_MAKE = "" +PARALLEL_MAKEINST = "" + +do_configure_prepend() { + cp ${WORKDIR}/find.pl ${S}/util/find.pl +} + +# The crypto_use_bigint patch means that perl's bignum module needs to be +# installed, but some distributions (for example Fedora 23) don't ship it by +# default. As the resulting error is very misleading check for bignum before +# building. +do_configure_prepend() { + if ! perl -Mbigint -e true; then + bbfatal "The perl module 'bignum' was not found but this is required to build openssl. Please install this module (often packaged as perl-bignum) and re-run bitbake." + fi +} |