summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--recipes-connectivity/openssl/openssl.inc103
-rw-r--r--recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch33
-rw-r--r--recipes-connectivity/openssl/openssl/openssl.inc249
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/CVE-2016-7055.patch43
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/Makefiles-ptest.patch (renamed from recipes-connectivity/openssl/openssl/Makefiles-ptest.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch69
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/configure-musl-target.patch (renamed from recipes-connectivity/openssl/openssl/configure-musl-target.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/configure-targets.patch (renamed from recipes-connectivity/openssl/openssl/configure-targets.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/c_rehash-compat.patch (renamed from recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/ca.patch (renamed from recipes-connectivity/openssl/openssl/debian/ca.patch)2
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/debian-targets.patch (renamed from recipes-connectivity/openssl/openssl/debian/debian-targets.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/man-dir.patch (renamed from recipes-connectivity/openssl/openssl/debian/man-dir.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/man-section.patch (renamed from recipes-connectivity/openssl/openssl/debian/man-section.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/no-rpath.patch (renamed from recipes-connectivity/openssl/openssl/debian/no-rpath.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/no-symbolic.patch (renamed from recipes-connectivity/openssl/openssl/debian/no-symbolic.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/pic.patch (renamed from recipes-connectivity/openssl/openssl/debian/pic.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian/version-script.patch (renamed from recipes-connectivity/openssl/openssl/debian/version-script.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch (renamed from recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_diginotar.patch (renamed from recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/debian1.0.2/version-script.patch (renamed from recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch)31
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/engines-install-in-libdir-ssl.patch (renamed from recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/find.pl (renamed from recipes-connectivity/openssl/openssl/find.pl)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/fix-cipher-des-ede3-cfb1.patch (renamed from recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch)2
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/oe-ldflags.patch (renamed from recipes-connectivity/openssl/openssl/oe-ldflags.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/openssl-1.0.2a-x32-asm.patch (renamed from recipes-connectivity/openssl/openssl/openssl-1.0.2a-x32-asm.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch (renamed from recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/openssl-c_rehash.sh222
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/openssl-fix-des.pod-error.patch (renamed from recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/openssl-util-perlpath.pl-cwd.patch34
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/openssl_fix_for_x32.patch (renamed from recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch)4
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/parallel.patch (renamed from recipes-connectivity/openssl/openssl/parallel.patch)17
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/ptest-deps.patch (renamed from recipes-connectivity/openssl/openssl/ptest-deps.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/ptest_makefile_deps.patch (renamed from recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch)0
-rwxr-xr-xrecipes-connectivity/openssl/openssl/openssl/run-ptest (renamed from recipes-connectivity/openssl/openssl/run-ptest)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl/shared-libs.patch (renamed from recipes-connectivity/openssl/openssl/shared-libs.patch)0
-rw-r--r--recipes-connectivity/openssl/openssl/openssl_1.0.2k.bb (renamed from recipes-connectivity/openssl/openssl_1.0.2h.bb)23
-rw-r--r--recipes-connectivity/openssl/openssl_1.0.2k.bb71
37 files changed, 797 insertions, 106 deletions
diff --git a/recipes-connectivity/openssl/openssl.inc b/recipes-connectivity/openssl/openssl.inc
index 8af423f..3b59e96 100644
--- a/recipes-connectivity/openssl/openssl.inc
+++ b/recipes-connectivity/openssl/openssl.inc
@@ -8,7 +8,8 @@ SECTION = "libs/network"
LICENSE = "openssl"
LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
-DEPENDS = "perl-native-runtime"
+# DEPENDS = "makedepend-native hostperl-runtime-native"
+DEPENDS = "makedepend-native perl-native-runtime"
DEPENDS_append_class-target = " openssl-native"
SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
@@ -18,35 +19,33 @@ S = "${WORKDIR}/openssl-${PV}"
PACKAGECONFIG[perl] = ",,,"
AR_append = " r"
+TERMIO_libc-musl = "-DTERMIOS"
+TERMIO ?= "-DTERMIO"
# Avoid binaries being marked as requiring an executable stack since it
# doesn't(which causes and this causes issues with SELinux
CFLAG = "${@base_conditional('SITEINFO_ENDIANNESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
- -DTERMIO ${CFLAGS} -Wall -Wa,--noexecstack"
-
-# -02 does not work on mipsel: ssh hangs when it tries to read /dev/urandom
-CFLAG_mtx-1 := "${@'${CFLAG}'.replace('-O2', '')}"
-CFLAG_mtx-2 := "${@'${CFLAG}'.replace('-O2', '')}"
+ ${TERMIO} ${CFLAGS} -Wall -Wa,--noexecstack"
export DIRS = "crypto ssl apps"
export EX_LIBS = "-lgcc -ldl"
export AS = "${CC} -c"
+EXTRA_OEMAKE = "-e MAKEFLAGS="
inherit pkgconfig siteinfo multilib_header ptest
PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf"
-FILES_libcrypto = "${base_libdir}/libcrypto${SOLIBS}"
-FILES_libssl = "${libdir}/libssl.so.*"
+FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES_libssl = "${libdir}/libssl${SOLIBS}"
FILES_${PN} =+ " ${libdir}/ssl/*"
-FILES_${PN}-misc = "${libdir}/ssl/misc ${bindir}/c_rehash"
+FILES_${PN}-misc = "${libdir}/ssl/misc"
RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}"
-FILES_${PN}-dev += "${base_libdir}/libcrypto${SOLIBSDEV}"
# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
# package RRECOMMENDS on this package. This will enable the configuration
# file to be installed for both the base openssl package and the libcrypto
# package since the base openssl package depends on the libcrypto package.
-FILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
-CONFFILES_openssl-conf = "${libdir}/ssl/openssl.cnf"
+FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
RRECOMMENDS_libcrypto += "openssl-conf"
RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
@@ -86,7 +85,7 @@ do_configure () {
target=linux-elf-armeb
;;
linux-aarch64*)
- target=linux-generic64
+ target=linux-aarch64
;;
linux-sh3)
target=debian-sh3
@@ -109,15 +108,24 @@ do_configure () {
linux-gnu64-x86_64)
target=linux-x86_64
;;
- linux-mips)
- target=debian-mips
+ linux-gnun32-mips*el)
+ target=debian-mipsn32el
+ ;;
+ linux-gnun32-mips*)
+ target=debian-mipsn32
;;
- linux-mipsel)
+ linux-mips*64*el)
+ target=debian-mips64el
+ ;;
+ linux-mips*64*)
+ target=debian-mips64
+ ;;
+ linux-mips*el)
target=debian-mipsel
;;
- linux-*-mips64)
- target=linux-mips
- ;;
+ linux-mips*)
+ target=debian-mips
+ ;;
linux-microblaze*|linux-nios2*)
target=linux-generic32
;;
@@ -151,10 +159,14 @@ do_compile_prepend_class-target () {
}
do_compile () {
+ oe_runmake depend
oe_runmake
}
do_compile_ptest () {
+ # build dependencies for test directory too
+ export DIRS="$DIRS test"
+ oe_runmake depend
oe_runmake buildtest
}
@@ -167,40 +179,63 @@ do_install () {
oe_libinstall -so libcrypto ${D}${libdir}
oe_libinstall -so libssl ${D}${libdir}
- # Moving libcrypto to /lib
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
- mkdir -p ${D}/${base_libdir}/
- mv ${D}${libdir}/libcrypto* ${D}${base_libdir}/
- sed -i s#libdir=\$\{exec_prefix\}\/lib#libdir=${base_libdir}# ${D}/${libdir}/pkgconfig/libcrypto.pc
- fi
-
install -d ${D}${includedir}
cp --dereference -R include/openssl ${D}${includedir}
+ install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
+ sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
+
oe_multilib_header openssl/opensslconf.h
if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then
- install -m 0755 ${S}/tools/c_rehash ${D}${bindir}
- sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${bindir}/c_rehash
sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl
sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/tsget
- # The c_rehash utility isn't installed by the normal installation process.
else
- rm -f ${D}${bindir}/c_rehash
rm -f ${D}${libdir}/ssl/misc/CA.pl ${D}${libdir}/ssl/misc/tsget
fi
+
+ # Create SSL structure
+ install -d ${D}${sysconfdir}/ssl/
+ mv ${D}${libdir}/ssl/openssl.cnf \
+ ${D}${libdir}/ssl/certs \
+ ${D}${libdir}/ssl/private \
+ \
+ ${D}${sysconfdir}/ssl/
+ ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl/certs
+ ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl/private
+ ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl/openssl.cnf
}
do_install_ptest () {
- cp -r Makefile test ${D}${PTEST_PATH}
+ cp -r -L Makefile.org Makefile test ${D}${PTEST_PATH}
+ cp Configure config e_os.h ${D}${PTEST_PATH}
+ cp -r -L include ${D}${PTEST_PATH}
+ ln -sf ${libdir}/libcrypto.a ${D}${PTEST_PATH}
+ ln -sf ${libdir}/libssl.a ${D}${PTEST_PATH}
+ mkdir -p ${D}${PTEST_PATH}/crypto
+ cp crypto/constant_time_locl.h ${D}${PTEST_PATH}/crypto
cp -r certs ${D}${PTEST_PATH}
mkdir -p ${D}${PTEST_PATH}/apps
- ln -sf /usr/lib/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps
- ln -sf /usr/lib/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
- ln -sf /usr/bin/openssl ${D}${PTEST_PATH}/apps
+ ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps
+ ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
+ ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps
+ cp apps/server.pem ${D}${PTEST_PATH}/apps
cp apps/server2.pem ${D}${PTEST_PATH}/apps
mkdir -p ${D}${PTEST_PATH}/util
install util/opensslwrap.sh ${D}${PTEST_PATH}/util
install util/shlib_wrap.sh ${D}${PTEST_PATH}/util
+ # Time stamps are relevant for "make alltests", otherwise
+ # make may try to recompile binaries. Not only must the
+ # binary files be newer than the sources, they also must
+ # be more recent than the header files in /usr/include.
+ #
+ # Using "cp -a" is not sufficient, because do_install
+ # does not preserve the original time stamps.
+ #
+ # So instead of using the original file stamps, we set
+ # the current time for all files. Binaries will get
+ # modified again later when stripping them, but that's okay.
+ touch ${D}${PTEST_PATH}
+ find ${D}${PTEST_PATH} -type f -print0 | xargs --verbose -0 touch -r ${D}${PTEST_PATH}
}
do_install_append_class-native() {
diff --git a/recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch b/recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch
deleted file mode 100644
index 7ba9eab..0000000
--- a/recipes-connectivity/openssl/openssl/crypto_use_bigint_in_x86-64_perl.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Upsteram Status: Backport
-
-When building on x32 systems where the default type is 32bit, make sure
-we can transparently represent 64bit integers. Otherwise we end up with
-build errors like:
-/usr/bin/perl asm/ghash-x86_64.pl elf > ghash-x86_64.s
-Integer overflow in hexadecimal number at asm/../../perlasm/x86_64-xlate.pl line 201, <> line 890.
-...
-ghash-x86_64.s: Assembler messages:
-ghash-x86_64.s:890: Error: junk '.15473355479995e+19' after expression
-
-We don't enable this globally as there are some cases where we'd get
-32bit values interpreted as unsigned when we need them as signed.
-
-Reported-by: Bertrand Jacquin <bertrand@jacquin.bzh>
-URL: https://bugs.gentoo.org/542618
-
-Signed-off-By: Armin Kuster <akuster@mvista.com>
-
-diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl
---- a/crypto/perlasm/x86_64-xlate.pl
-+++ b/crypto/perlasm/x86_64-xlate.pl
-@@ -196,6 +196,10 @@ my %globals;
- my $self = shift;
-
- $self->{value} =~ s/\b(0b[0-1]+)/oct($1)/eig;
-+ # When building on x32 ABIs, the expanded hex value might be too
-+ # big to fit into 32bits. Enable transparent 64bit support here
-+ # so we can safely print it out.
-+ use bigint;
- if ($gas) {
- # Solaris /usr/ccs/bin/as can't handle multiplications
- # in $self->{value}
diff --git a/recipes-connectivity/openssl/openssl/openssl.inc b/recipes-connectivity/openssl/openssl/openssl.inc
new file mode 100644
index 0000000..3b59e96
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/openssl.inc
@@ -0,0 +1,249 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+
+# "openssl | SSLeay" dual license
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
+
+# DEPENDS = "makedepend-native hostperl-runtime-native"
+DEPENDS = "makedepend-native perl-native-runtime"
+DEPENDS_append_class-target = " openssl-native"
+
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+ "
+S = "${WORKDIR}/openssl-${PV}"
+
+PACKAGECONFIG[perl] = ",,,"
+
+AR_append = " r"
+TERMIO_libc-musl = "-DTERMIOS"
+TERMIO ?= "-DTERMIO"
+# Avoid binaries being marked as requiring an executable stack since it
+# doesn't(which causes and this causes issues with SELinux
+CFLAG = "${@base_conditional('SITEINFO_ENDIANNESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
+ ${TERMIO} ${CFLAGS} -Wall -Wa,--noexecstack"
+
+export DIRS = "crypto ssl apps"
+export EX_LIBS = "-lgcc -ldl"
+export AS = "${CC} -c"
+EXTRA_OEMAKE = "-e MAKEFLAGS="
+
+inherit pkgconfig siteinfo multilib_header ptest
+
+PACKAGES =+ "libcrypto libssl ${PN}-misc openssl-conf"
+FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES_libssl = "${libdir}/libssl${SOLIBS}"
+FILES_${PN} =+ " ${libdir}/ssl/*"
+FILES_${PN}-misc = "${libdir}/ssl/misc"
+RDEPENDS_${PN}-misc = "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}"
+
+# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
+# package RRECOMMENDS on this package. This will enable the configuration
+# file to be installed for both the base openssl package and the libcrypto
+# package since the base openssl package depends on the libcrypto package.
+FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+RRECOMMENDS_libcrypto += "openssl-conf"
+RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
+
+# Remove this to enable SSLv3. SSLv3 is defaulted to disabled due to the POODLE
+# vulnerability
+EXTRA_OECONF = " -no-ssl3"
+
+do_configure_prepend_darwin () {
+ sed -i -e '/version-script=openssl\.ld/d' Configure
+}
+
+do_configure () {
+ cd util
+ perl perlpath.pl ${STAGING_BINDIR_NATIVE}
+ cd ..
+ ln -sf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/
+
+ os=${HOST_OS}
+ case $os in
+ linux-uclibc |\
+ linux-uclibceabi |\
+ linux-gnueabi |\
+ linux-uclibcspe |\
+ linux-gnuspe |\
+ linux-musl*)
+ os=linux
+ ;;
+ *)
+ ;;
+ esac
+ target="$os-${HOST_ARCH}"
+ case $target in
+ linux-arm)
+ target=linux-armv4
+ ;;
+ linux-armeb)
+ target=linux-elf-armeb
+ ;;
+ linux-aarch64*)
+ target=linux-aarch64
+ ;;
+ linux-sh3)
+ target=debian-sh3
+ ;;
+ linux-sh4)
+ target=debian-sh4
+ ;;
+ linux-i486)
+ target=debian-i386-i486
+ ;;
+ linux-i586 | linux-viac3)
+ target=debian-i386-i586
+ ;;
+ linux-i686)
+ target=debian-i386-i686/cmov
+ ;;
+ linux-gnux32-x86_64)
+ target=linux-x32
+ ;;
+ linux-gnu64-x86_64)
+ target=linux-x86_64
+ ;;
+ linux-gnun32-mips*el)
+ target=debian-mipsn32el
+ ;;
+ linux-gnun32-mips*)
+ target=debian-mipsn32
+ ;;
+ linux-mips*64*el)
+ target=debian-mips64el
+ ;;
+ linux-mips*64*)
+ target=debian-mips64
+ ;;
+ linux-mips*el)
+ target=debian-mipsel
+ ;;
+ linux-mips*)
+ target=debian-mips
+ ;;
+ linux-microblaze*|linux-nios2*)
+ target=linux-generic32
+ ;;
+ linux-powerpc)
+ target=linux-ppc
+ ;;
+ linux-powerpc64)
+ target=linux-ppc64
+ ;;
+ linux-supersparc)
+ target=linux-sparcv8
+ ;;
+ linux-sparc)
+ target=linux-sparcv8
+ ;;
+ darwin-i386)
+ target=darwin-i386-cc
+ ;;
+ esac
+ # inject machine-specific flags
+ sed -i -e "s|^\(\"$target\",\s*\"[^:]\+\):\([^:]\+\)|\1:${CFLAG}|g" Configure
+ useprefix=${prefix}
+ if [ "x$useprefix" = "x" ]; then
+ useprefix=/
+ fi
+ perl ./Configure ${EXTRA_OECONF} shared --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target
+}
+
+do_compile_prepend_class-target () {
+ sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile
+}
+
+do_compile () {
+ oe_runmake depend
+ oe_runmake
+}
+
+do_compile_ptest () {
+ # build dependencies for test directory too
+ export DIRS="$DIRS test"
+ oe_runmake depend
+ oe_runmake buildtest
+}
+
+do_install () {
+ # Create ${D}/${prefix} to fix parallel issues
+ mkdir -p ${D}/${prefix}/
+
+ oe_runmake INSTALL_PREFIX="${D}" MANDIR="${mandir}" install
+
+ oe_libinstall -so libcrypto ${D}${libdir}
+ oe_libinstall -so libssl ${D}${libdir}
+
+ install -d ${D}${includedir}
+ cp --dereference -R include/openssl ${D}${includedir}
+
+ install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash
+ sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash
+
+ oe_multilib_header openssl/opensslconf.h
+ if [ "${@bb.utils.contains('PACKAGECONFIG', 'perl', 'perl', '', d)}" = "perl" ]; then
+ sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/CA.pl
+ sed -i -e '1s,.*,#!${bindir}/env perl,' ${D}${libdir}/ssl/misc/tsget
+ else
+ rm -f ${D}${libdir}/ssl/misc/CA.pl ${D}${libdir}/ssl/misc/tsget
+ fi
+
+ # Create SSL structure
+ install -d ${D}${sysconfdir}/ssl/
+ mv ${D}${libdir}/ssl/openssl.cnf \
+ ${D}${libdir}/ssl/certs \
+ ${D}${libdir}/ssl/private \
+ \
+ ${D}${sysconfdir}/ssl/
+ ln -sf ${sysconfdir}/ssl/certs ${D}${libdir}/ssl/certs
+ ln -sf ${sysconfdir}/ssl/private ${D}${libdir}/ssl/private
+ ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${libdir}/ssl/openssl.cnf
+}
+
+do_install_ptest () {
+ cp -r -L Makefile.org Makefile test ${D}${PTEST_PATH}
+ cp Configure config e_os.h ${D}${PTEST_PATH}
+ cp -r -L include ${D}${PTEST_PATH}
+ ln -sf ${libdir}/libcrypto.a ${D}${PTEST_PATH}
+ ln -sf ${libdir}/libssl.a ${D}${PTEST_PATH}
+ mkdir -p ${D}${PTEST_PATH}/crypto
+ cp crypto/constant_time_locl.h ${D}${PTEST_PATH}/crypto
+ cp -r certs ${D}${PTEST_PATH}
+ mkdir -p ${D}${PTEST_PATH}/apps
+ ln -sf ${libdir}/ssl/misc/CA.sh ${D}${PTEST_PATH}/apps
+ ln -sf ${sysconfdir}/ssl/openssl.cnf ${D}${PTEST_PATH}/apps
+ ln -sf ${bindir}/openssl ${D}${PTEST_PATH}/apps
+ cp apps/server.pem ${D}${PTEST_PATH}/apps
+ cp apps/server2.pem ${D}${PTEST_PATH}/apps
+ mkdir -p ${D}${PTEST_PATH}/util
+ install util/opensslwrap.sh ${D}${PTEST_PATH}/util
+ install util/shlib_wrap.sh ${D}${PTEST_PATH}/util
+ # Time stamps are relevant for "make alltests", otherwise
+ # make may try to recompile binaries. Not only must the
+ # binary files be newer than the sources, they also must
+ # be more recent than the header files in /usr/include.
+ #
+ # Using "cp -a" is not sufficient, because do_install
+ # does not preserve the original time stamps.
+ #
+ # So instead of using the original file stamps, we set
+ # the current time for all files. Binaries will get
+ # modified again later when stripping them, but that's okay.
+ touch ${D}${PTEST_PATH}
+ find ${D}${PTEST_PATH} -type f -print0 | xargs --verbose -0 touch -r ${D}${PTEST_PATH}
+}
+
+do_install_append_class-native() {
+ create_wrapper ${D}${bindir}/openssl \
+ OPENSSL_CONF=${libdir}/ssl/openssl.cnf \
+ SSL_CERT_DIR=${libdir}/ssl/certs \
+ SSL_CERT_FILE=${libdir}/ssl/cert.pem \
+ OPENSSL_ENGINES=${libdir}/ssl/engines
+}
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/recipes-connectivity/openssl/openssl/openssl/CVE-2016-7055.patch b/recipes-connectivity/openssl/openssl/openssl/CVE-2016-7055.patch
new file mode 100644
index 0000000..83a74cd
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/openssl/CVE-2016-7055.patch
@@ -0,0 +1,43 @@
+From 57c4b9f6a2f800b41ce2836986fe33640f6c3f8a Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Sun, 6 Nov 2016 18:33:17 +0100
+Subject: [PATCH] bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a)
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/57c4b9f6a2f800b41ce2836986fe33640f6c3f8a]
+CVE: CVE-2016-7055
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ crypto/bn/asm/x86_64-mont.pl | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
+index 044fd7e..80492d8 100755
+--- a/crypto/bn/asm/x86_64-mont.pl
++++ b/crypto/bn/asm/x86_64-mont.pl
+@@ -1148,18 +1148,17 @@ $code.=<<___;
+ mulx 2*8($aptr),%r15,%r13 # ...
+ adox -3*8($tptr),%r11
+ adcx %r15,%r12
+- adox $zero,%r12
++ adox -2*8($tptr),%r12
+ adcx $zero,%r13
++ adox $zero,%r13
+
+ mov $bptr,8(%rsp) # off-load &b[i]
+- .byte 0x67
+ mov $mi,%r15
+ imulq 24(%rsp),$mi # "t[0]"*n0
+ xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0
+
+ mulx 3*8($aptr),%rax,%r14
+ mov $mi,%rdx
+- adox -2*8($tptr),%r12
+ adcx %rax,%r13
+ adox -1*8($tptr),%r13
+ adcx $zero,%r14
+--
+2.7.4
+
diff --git a/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch b/recipes-connectivity/openssl/openssl/openssl/Makefiles-ptest.patch
index 249446a..249446a 100644
--- a/recipes-connectivity/openssl/openssl/Makefiles-ptest.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/Makefiles-ptest.patch
diff --git a/recipes-connectivity/openssl/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch b/recipes-connectivity/openssl/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch
new file mode 100644
index 0000000..58c9ee7
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch
@@ -0,0 +1,69 @@
+From d795f5f20a29adecf92c09459a3ee07ffac01a99 Mon Sep 17 00:00:00 2001
+From: Rich Salz <rsalz@akamai.com>
+Date: Sat, 13 Jun 2015 17:03:39 -0400
+Subject: [PATCH] Use SHA256 not MD5 as default digest.
+
+Commit f8547f62c212837dbf44fb7e2755e5774a59a57b upstream.
+
+Upstream-Status: Backport
+Backport from OpenSSL 2.0 to OpenSSL 1.0.2
+Commit f8547f62c212837dbf44fb7e2755e5774a59a57b
+
+CVE: CVE-2004-2761
+
+ The MD5 Message-Digest Algorithm is not collision resistant,
+ which makes it easier for context-dependent attackers to
+ conduct spoofing attacks, as demonstrated by attacks on the
+ use of MD5 in the signature algorithm of an X.509 certificate.
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com>
+---
+ apps/ca.c | 2 +-
+ apps/dgst.c | 2 +-
+ apps/enc.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/apps/ca.c b/apps/ca.c
+index 3b7336c..8f3a84b 100644
+--- a/apps/ca.c
++++ b/apps/ca.c
+@@ -1612,7 +1612,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+ } else
+ BIO_printf(bio_err, "Signature ok\n");
+
+- if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
++ if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL)
+ goto err;
+
+ ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
+diff --git a/apps/dgst.c b/apps/dgst.c
+index 95e5fa3..0d1529f 100644
+--- a/apps/dgst.c
++++ b/apps/dgst.c
+@@ -442,7 +442,7 @@ int MAIN(int argc, char **argv)
+ goto end;
+ }
+ if (md == NULL)
+- md = EVP_md5();
++ md = EVP_sha256();
+ if (!EVP_DigestInit_ex(mctx, md, impl)) {
+ BIO_printf(bio_err, "Error setting digest %s\n", pname);
+ ERR_print_errors(bio_err);
+diff --git a/apps/enc.c b/apps/enc.c
+index 7b7c70b..a7d944c 100644
+--- a/apps/enc.c
++++ b/apps/enc.c
+@@ -344,7 +344,7 @@ int MAIN(int argc, char **argv)
+ }
+
+ if (dgst == NULL) {
+- dgst = EVP_md5();
++ dgst = EVP_sha256();
+ }
+
+ if (bufsize != NULL) {
+--
+1.9.1
+
diff --git a/recipes-connectivity/openssl/openssl/configure-musl-target.patch b/recipes-connectivity/openssl/openssl/openssl/configure-musl-target.patch
index 613dc7b..613dc7b 100644
--- a/recipes-connectivity/openssl/openssl/configure-musl-target.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/configure-musl-target.patch
diff --git a/recipes-connectivity/openssl/openssl/configure-targets.patch b/recipes-connectivity/openssl/openssl/openssl/configure-targets.patch
index 691e74a..691e74a 100644
--- a/recipes-connectivity/openssl/openssl/configure-targets.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/configure-targets.patch
diff --git a/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch b/recipes-connectivity/openssl/openssl/openssl/debian/c_rehash-compat.patch
index 68e54d5..68e54d5 100644
--- a/recipes-connectivity/openssl/openssl/debian/c_rehash-compat.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/c_rehash-compat.patch
diff --git a/recipes-connectivity/openssl/openssl/debian/ca.patch b/recipes-connectivity/openssl/openssl/openssl/debian/ca.patch
index aba4d42..fb745e4 100644
--- a/recipes-connectivity/openssl/openssl/debian/ca.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/ca.patch
@@ -7,7 +7,7 @@ Index: openssl-0.9.8m/apps/CA.pl.in
@@ -65,6 +65,7 @@
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
- print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
+ print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
exit 0;
} elsif (/^-newcert$/) {
diff --git a/recipes-connectivity/openssl/openssl/debian/debian-targets.patch b/recipes-connectivity/openssl/openssl/openssl/debian/debian-targets.patch
index 39d4328..39d4328 100644
--- a/recipes-connectivity/openssl/openssl/debian/debian-targets.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/debian-targets.patch
diff --git a/recipes-connectivity/openssl/openssl/debian/man-dir.patch b/recipes-connectivity/openssl/openssl/openssl/debian/man-dir.patch
index 4085e3b..4085e3b 100644
--- a/recipes-connectivity/openssl/openssl/debian/man-dir.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/man-dir.patch
diff --git a/recipes-connectivity/openssl/openssl/debian/man-section.patch b/recipes-connectivity/openssl/openssl/openssl/debian/man-section.patch
index 21c1d1a..21c1d1a 100644
--- a/recipes-connectivity/openssl/openssl/debian/man-section.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/man-section.patch
diff --git a/recipes-connectivity/openssl/openssl/debian/no-rpath.patch b/recipes-connectivity/openssl/openssl/openssl/debian/no-rpath.patch
index 1ccb3b8..1ccb3b8 100644
--- a/recipes-connectivity/openssl/openssl/debian/no-rpath.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/no-rpath.patch
diff --git a/recipes-connectivity/openssl/openssl/debian/no-symbolic.patch b/recipes-connectivity/openssl/openssl/openssl/debian/no-symbolic.patch
index cc4408a..cc4408a 100644
--- a/recipes-connectivity/openssl/openssl/debian/no-symbolic.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/no-symbolic.patch
diff --git a/recipes-connectivity/openssl/openssl/debian/pic.patch b/recipes-connectivity/openssl/openssl/openssl/debian/pic.patch
index bfda388..bfda388 100644
--- a/recipes-connectivity/openssl/openssl/debian/pic.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/pic.patch
diff --git a/recipes-connectivity/openssl/openssl/debian/version-script.patch b/recipes-connectivity/openssl/openssl/openssl/debian/version-script.patch
index a249180..a249180 100644
--- a/recipes-connectivity/openssl/openssl/debian/version-script.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian/version-script.patch
diff --git a/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch
index c43bcd1..c43bcd1 100644
--- a/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch
diff --git a/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_diginotar.patch
index d81e22c..d81e22c 100644
--- a/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/block_diginotar.patch
diff --git a/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/version-script.patch
index f53efdb..29f11a2 100644
--- a/recipes-connectivity/openssl/openssl/debian1.0.2/version-script.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/debian1.0.2/version-script.patch
@@ -15,8 +15,8 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld 2014-02-24 22:19:08.601827266 +0100
-@@ -0,0 +1,4621 @@
-+OPENSSL_1.0.0 {
+@@ -0,0 +1,4608 @@
++OPENSSL_1.0.2d {
+ global:
+ BIO_f_ssl;
+ BIO_new_buffer_ssl_connect;
@@ -4314,14 +4314,6 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
+ CRYPTO_cbc128_decrypt;
+ CRYPTO_cfb128_encrypt;
+ CRYPTO_cfb128_8_encrypt;
-+
-+ local:
-+ *;
-+};
-+
-+
-+OPENSSL_1.0.1 {
-+ global:
+ SSL_renegotiate_abbreviated;
+ TLSv1_1_method;
+ TLSv1_1_client_method;
@@ -4483,15 +4475,7 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
+ BIO_s_datagram_sctp;
+ BIO_dgram_is_sctp;
+ BIO_dgram_sctp_notification_cb;
-+} OPENSSL_1.0.0;
-+
-+OPENSSL_1.0.1d {
-+ global:
+ CRYPTO_memcmp;
-+} OPENSSL_1.0.1;
-+
-+OPENSSL_1.0.2 {
-+ global:
+ SSL_CTX_set_alpn_protos;
+ SSL_set_alpn_protos;
+ SSL_CTX_set_alpn_select_cb;
@@ -4629,20 +4613,23 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/openssl.ld
+ BUF_strnlen;
+ sk_deep_copy;
+ SSL_test_functions;
-+} OPENSSL_1.0.1d;
++
++ local:
++ *;
++};
+
+OPENSSL_1.0.2g {
+ global:
+ SRP_VBASE_get1_by_user;
+ SRP_user_pwd_free;
-+} OPENSSL_1.0.2;
++} OPENSSL_1.0.2d;
+
Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/openssl.ld
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/openssl.ld 2014-02-24 21:02:30.000000000 +0100
@@ -0,0 +1,10 @@
-+OPENSSL_1.0.0 {
++OPENSSL_1.0.2 {
+ global:
+ bind_engine;
+ v_check;
@@ -4657,7 +4644,7 @@ Index: openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/ccgost/openssl.ld
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2~beta1.obsolete.0.0498436515490575/engines/ccgost/openssl.ld 2014-02-24 21:02:30.000000000 +0100
@@ -0,0 +1,10 @@
-+OPENSSL_1.0.0 {
++OPENSSL_1.0.2 {
+ global:
+ bind_engine;
+ v_check;
diff --git a/recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch b/recipes-connectivity/openssl/openssl/openssl/engines-install-in-libdir-ssl.patch
index a574648..a574648 100644
--- a/recipes-connectivity/openssl/openssl/engines-install-in-libdir-ssl.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/engines-install-in-libdir-ssl.patch
diff --git a/recipes-connectivity/openssl/openssl/find.pl b/recipes-connectivity/openssl/openssl/openssl/find.pl
index 8e1b42c..8e1b42c 100644
--- a/recipes-connectivity/openssl/openssl/find.pl
+++ b/recipes-connectivity/openssl/openssl/openssl/find.pl
diff --git a/recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch b/recipes-connectivity/openssl/openssl/openssl/fix-cipher-des-ede3-cfb1.patch
index 06d1ea6..2a318a4 100644
--- a/recipes-connectivity/openssl/openssl/fix-cipher-des-ede3-cfb1.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/fix-cipher-des-ede3-cfb1.patch
@@ -4,7 +4,7 @@ This patch adds the fix for one of the ciphers used in openssl, namely
the cipher des-ede3-cfb1. Complete bug log and patch is present here:
http://rt.openssl.org/Ticket/Display.html?id=2867
-Signed-Off-By: Muhammad Shakeel <muhammad_shakeel@mentor.com>
+Signed-off-by: Muhammad Shakeel <muhammad_shakeel@mentor.com>
Index: openssl-1.0.2/crypto/evp/e_des3.c
===================================================================
diff --git a/recipes-connectivity/openssl/openssl/oe-ldflags.patch b/recipes-connectivity/openssl/openssl/openssl/oe-ldflags.patch
index 292e13d..292e13d 100644
--- a/recipes-connectivity/openssl/openssl/oe-ldflags.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/oe-ldflags.patch
diff --git a/recipes-connectivity/openssl/openssl/openssl-1.0.2a-x32-asm.patch b/recipes-connectivity/openssl/openssl/openssl/openssl-1.0.2a-x32-asm.patch
index 1e5bfa1..1e5bfa1 100644
--- a/recipes-connectivity/openssl/openssl/openssl-1.0.2a-x32-asm.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/openssl-1.0.2a-x32-asm.patch
diff --git a/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch b/recipes-connectivity/openssl/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
index f736e5c..f736e5c 100644
--- a/recipes-connectivity/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
diff --git a/recipes-connectivity/openssl/openssl/openssl/openssl-c_rehash.sh b/recipes-connectivity/openssl/openssl/openssl/openssl-c_rehash.sh
new file mode 100644
index 0000000..6620fdc
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/openssl/openssl-c_rehash.sh
@@ -0,0 +1,222 @@
+#!/bin/sh
+#
+# Ben Secrest <blsecres@gmail.com>
+#
+# sh c_rehash script, scan all files in a directory
+# and add symbolic links to their hash values.
+#
+# based on the c_rehash perl script distributed with openssl
+#
+# LICENSE: See OpenSSL license
+# ^^acceptable?^^
+#
+
+# default certificate location
+DIR=/etc/openssl
+
+# for filetype bitfield
+IS_CERT=$(( 1 << 0 ))
+IS_CRL=$(( 1 << 1 ))
+
+
+# check to see if a file is a certificate file or a CRL file
+# arguments:
+# 1. the filename to be scanned
+# returns:
+# bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
+#
+check_file()
+{
+ local IS_TYPE=0
+
+ # make IFS a newline so we can process grep output line by line
+ local OLDIFS=${IFS}
+ IFS=$( printf "\n" )
+
+ # XXX: could be more efficient to have two 'grep -m' but is -m portable?
+ for LINE in $( grep '^-----BEGIN .*-----' ${1} )
+ do
+ if echo ${LINE} \
+ | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
+ then
+ IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
+
+ if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
+ then
+ break
+ fi
+ elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
+ then
+ IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
+
+ if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
+ then
+ break
+ fi
+ fi
+ done
+
+ # restore IFS
+ IFS=${OLDIFS}
+
+ return ${IS_TYPE}
+}
+
+
+#
+# use openssl to fingerprint a file
+# arguments:
+# 1. the filename to fingerprint
+# 2. the method to use (x509, crl)
+# returns:
+# none
+# assumptions:
+# user will capture output from last stage of pipeline
+#
+fingerprint()
+{
+ ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
+}
+
+
+#
+# link_hash - create links to certificate files
+# arguments:
+# 1. the filename to create a link for
+# 2. the type of certificate being linked (x509, crl)
+# returns:
+# 0 on success, 1 otherwise
+#
+link_hash()
+{
+ local FINGERPRINT=$( fingerprint ${1} ${2} )
+ local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
+ local SUFFIX=0
+ local LINKFILE=''
+ local TAG=''
+
+ if [ ${2} = "crl" ]
+ then
+ TAG='r'
+ fi
+
+ LINKFILE=${HASH}.${TAG}${SUFFIX}
+
+ while [ -f ${LINKFILE} ]
+ do
+ if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
+ then
+ echo "NOTE: Skipping duplicate file ${1}" >&2
+ return 1
+ fi
+
+ SUFFIX=$(( ${SUFFIX} + 1 ))
+ LINKFILE=${HASH}.${TAG}${SUFFIX}
+ done
+
+ echo "${3} => ${LINKFILE}"
+
+ # assume any system with a POSIX shell will either support symlinks or
+ # do something to handle this gracefully
+ ln -s ${3} ${LINKFILE}
+
+ return 0
+}
+
+
+# hash_dir create hash links in a given directory
+hash_dir()
+{
+ echo "Doing ${1}"
+
+ cd ${1}
+
+ ls -1 * 2>/dev/null | while read FILE
+ do
+ if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
+ && [ -h "${FILE}" ]
+ then
+ rm ${FILE}
+ fi
+ done
+
+ ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
+ do
+ REAL_FILE=${FILE}
+ # if we run on build host then get to the real files in rootfs
+ if [ -n "${SYSROOT}" -a -h ${FILE} ]
+ then
+ FILE=$( readlink ${FILE} )
+ # check the symlink is absolute (or dangling in other word)
+ if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ]
+ then
+ REAL_FILE=${SYSROOT}/${FILE}
+ fi
+ fi
+
+ check_file ${REAL_FILE}
+ local FILE_TYPE=${?}
+ local TYPE_STR=''
+
+ if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
+ then
+ TYPE_STR='x509'
+ elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
+ then
+ TYPE_STR='crl'
+ else
+ echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2
+ continue
+ fi
+
+ link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
+ done
+}
+
+
+# choose the name of an ssl application
+if [ -n "${OPENSSL}" ]
+then
+ SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
+else
+ SSL_CMD=/usr/bin/openssl
+ OPENSSL=${SSL_CMD}
+ export OPENSSL
+fi
+
+# fix paths
+PATH=${PATH}:${DIR}/bin
+export PATH
+
+# confirm existance/executability of ssl command
+if ! [ -x ${SSL_CMD} ]
+then
+ echo "${0}: rehashing skipped ('openssl' program not available)" >&2
+ exit 0
+fi
+
+# determine which directories to process
+old_IFS=$IFS
+if [ ${#} -gt 0 ]
+then
+ IFS=':'
+ DIRLIST=${*}
+elif [ -n "${SSL_CERT_DIR}" ]
+then
+ DIRLIST=$SSL_CERT_DIR
+else
+ DIRLIST=${DIR}/certs
+fi
+
+IFS=':'
+
+# process directories
+for CERT_DIR in ${DIRLIST}
+do
+ if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
+ then
+ IFS=$old_IFS
+ hash_dir ${CERT_DIR}
+ IFS=':'
+ fi
+done
diff --git a/recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch b/recipes-connectivity/openssl/openssl/openssl/openssl-fix-des.pod-error.patch
index de49729..de49729 100644
--- a/recipes-connectivity/openssl/openssl/openssl-fix-des.pod-error.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/openssl-fix-des.pod-error.patch
diff --git a/recipes-connectivity/openssl/openssl/openssl/openssl-util-perlpath.pl-cwd.patch b/recipes-connectivity/openssl/openssl/openssl/openssl-util-perlpath.pl-cwd.patch
new file mode 100644
index 0000000..065b9b1
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl/openssl/openssl-util-perlpath.pl-cwd.patch
@@ -0,0 +1,34 @@
+From e427748f3bb5d37e78dc8d70a558c373aa8ababb Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Mon, 19 Sep 2016 22:06:28 -0700
+Subject: [PATCH] util/perlpath.pl: make it work when cwd is not in @INC
+
+Fixed when building on Debian-testing:
+| Can't locate find.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at perlpath.pl line 7.
+
+The find.pl is added by oe-core, so once openssl/find.pl is removed,
+then this patch can be dropped.
+
+Upstream-Status: Inappropriate [OE-Specific]
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ util/perlpath.pl | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/util/perlpath.pl b/util/perlpath.pl
+index a1f236b..5599892 100755
+--- a/util/perlpath.pl
++++ b/util/perlpath.pl
+@@ -4,6 +4,8 @@
+ # line in all scripts that rely on perl.
+ #
+
++BEGIN { unshift @INC, "."; }
++
+ require "find.pl";
+
+ $#ARGV == 0 || print STDERR "usage: perlpath newpath (eg /usr/bin)\n";
+--
+2.9.0
+
diff --git a/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch b/recipes-connectivity/openssl/openssl/openssl/openssl_fix_for_x32.patch
index cbce32c..0f08a64 100644
--- a/recipes-connectivity/openssl/openssl/openssl_fix_for_x32.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/openssl_fix_for_x32.patch
@@ -2,10 +2,10 @@ Upstream-Status: Pending
Received from H J Liu @ Intel
Make the assembly syntax compatible with x32 gcc. Othewise x32 gcc throws errors.
-Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/07/13
+Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/07/13
ported the patch to the 1.0.0e version
-Signed-Off-By: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/12/01
+Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com> 2011/12/01
Index: openssl-1.0.2/crypto/bn/bn.h
===================================================================
--- openssl-1.0.2.orig/crypto/bn/bn.h
diff --git a/recipes-connectivity/openssl/openssl/parallel.patch b/recipes-connectivity/openssl/openssl/openssl/parallel.patch
index b6c2c14..f3f4c99 100644
--- a/recipes-connectivity/openssl/openssl/parallel.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/parallel.patch
@@ -6,6 +6,9 @@ https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/openssl/files/openssl-1
Upstream-Status: Pending
Signed-off-by: Ross Burton <ross.burton@intel.com>
+Refreshed for 1.0.2i
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
--- openssl-1.0.2g/crypto/Makefile
+++ openssl-1.0.2g/crypto/Makefile
@@ -85,11 +85,11 @@
@@ -133,7 +136,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
fi; \
--- openssl-1.0.2g/test/Makefile
+++ openssl-1.0.2g/test/Makefile
-@@ -139,7 +139,7 @@
+@@ -144,7 +144,7 @@
tags:
ctags $(SRC)
@@ -142,7 +145,7 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
apps:
@(cd ..; $(MAKE) DIRS=apps all)
-@@ -421,130 +421,130 @@
+@@ -438,136 +438,136 @@
link_app.$${shlib_target}
$(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
@@ -309,13 +312,21 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
- @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
+ +@target=$(CLIENTHELLOTEST) $(BUILD_CMD)
+ $(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
+- @target=$(BADDTLSTEST) $(BUILD_CMD)
++ +@target=$(BADDTLSTEST) $(BUILD_CMD)
+
$(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
- @target=$(SSLV2CONFTEST) $(BUILD_CMD)
+ +@target=$(SSLV2CONFTEST) $(BUILD_CMD)
+ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
+- @target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
++ +@target=$(DTLSTEST); exobj=ssltestlib.o; $(BUILD_CMD)
+
#$(AESTEST).o: $(AESTEST).c
# $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
-@@ -557,7 +557,7 @@
+@@ -580,6 +580,6 @@
# fi
dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
diff --git a/recipes-connectivity/openssl/openssl/ptest-deps.patch b/recipes-connectivity/openssl/openssl/openssl/ptest-deps.patch
index ef6d179..ef6d179 100644
--- a/recipes-connectivity/openssl/openssl/ptest-deps.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/ptest-deps.patch
diff --git a/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch b/recipes-connectivity/openssl/openssl/openssl/ptest_makefile_deps.patch
index 4202e61..4202e61 100644
--- a/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/ptest_makefile_deps.patch
diff --git a/recipes-connectivity/openssl/openssl/run-ptest b/recipes-connectivity/openssl/openssl/openssl/run-ptest
index 3b20fce..3b20fce 100755
--- a/recipes-connectivity/openssl/openssl/run-ptest
+++ b/recipes-connectivity/openssl/openssl/openssl/run-ptest
diff --git a/recipes-connectivity/openssl/openssl/shared-libs.patch b/recipes-connectivity/openssl/openssl/openssl/shared-libs.patch
index a7ca0a3..a7ca0a3 100644
--- a/recipes-connectivity/openssl/openssl/shared-libs.patch
+++ b/recipes-connectivity/openssl/openssl/openssl/shared-libs.patch
diff --git a/recipes-connectivity/openssl/openssl_1.0.2h.bb b/recipes-connectivity/openssl/openssl/openssl_1.0.2k.bb
index 3f8fb72..9b148b9 100644
--- a/recipes-connectivity/openssl/openssl_1.0.2h.bb
+++ b/recipes-connectivity/openssl/openssl/openssl_1.0.2k.bb
@@ -5,13 +5,16 @@ require openssl.inc
DEPENDS += "cryptodev-linux"
CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
+CFLAG_append_class-native = " -fPIC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"
export DIRS = "crypto ssl apps engines"
export OE_LDFLAGS="${LDFLAGS}"
-SRC_URI += "file://configure-targets.patch \
+SRC_URI += "file://run-ptest \
+ file://openssl-c_rehash.sh \
+ file://configure-targets.patch \
file://shared-libs.patch \
file://oe-ldflags.patch \
file://engines-install-in-libdir-ssl.patch \
@@ -33,20 +36,20 @@ SRC_URI += "file://configure-targets.patch \
file://openssl-fix-des.pod-error.patch \
file://Makefiles-ptest.patch \
file://ptest-deps.patch \
- file://run-ptest \
- file://crypto_use_bigint_in_x86-64_perl.patch \
file://openssl-1.0.2a-x32-asm.patch \
file://ptest_makefile_deps.patch \
+ file://configure-musl-target.patch \
+ file://parallel.patch \
+ file://openssl-util-perlpath.pl-cwd.patch \
"
-
-SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0"
-SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
+SRC_URI[md5sum] = "f965fc0bf01bf882b31314b61391ae65"
+SRC_URI[sha256sum] = "6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0"
PACKAGES =+ " \
- ${PN}-engines \
- ${PN}-engines-dbg \
- "
-
+ ${PN}-engines \
+ ${PN}-engines-dbg \
+ "
+
FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug"
diff --git a/recipes-connectivity/openssl/openssl_1.0.2k.bb b/recipes-connectivity/openssl/openssl_1.0.2k.bb
new file mode 100644
index 0000000..9b148b9
--- /dev/null
+++ b/recipes-connectivity/openssl/openssl_1.0.2k.bb
@@ -0,0 +1,71 @@
+require openssl.inc
+
+# For target side versions of openssl enable support for OCF Linux driver
+# if they are available.
+DEPENDS += "cryptodev-linux"
+
+CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
+CFLAG_append_class-native = " -fPIC"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"
+
+export DIRS = "crypto ssl apps engines"
+export OE_LDFLAGS="${LDFLAGS}"
+
+SRC_URI += "file://run-ptest \
+ file://openssl-c_rehash.sh \
+ file://configure-targets.patch \
+ file://shared-libs.patch \
+ file://oe-ldflags.patch \
+ file://engines-install-in-libdir-ssl.patch \
+ file://debian1.0.2/block_diginotar.patch \
+ file://debian1.0.2/block_digicert_malaysia.patch \
+ file://debian/ca.patch \
+ file://debian/c_rehash-compat.patch \
+ file://debian/debian-targets.patch \
+ file://debian/man-dir.patch \
+ file://debian/man-section.patch \
+ file://debian/no-rpath.patch \
+ file://debian/no-symbolic.patch \
+ file://debian/pic.patch \
+ file://debian1.0.2/version-script.patch \
+ file://openssl_fix_for_x32.patch \
+ file://fix-cipher-des-ede3-cfb1.patch \
+ file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
+ file://find.pl \
+ file://openssl-fix-des.pod-error.patch \
+ file://Makefiles-ptest.patch \
+ file://ptest-deps.patch \
+ file://openssl-1.0.2a-x32-asm.patch \
+ file://ptest_makefile_deps.patch \
+ file://configure-musl-target.patch \
+ file://parallel.patch \
+ file://openssl-util-perlpath.pl-cwd.patch \
+ "
+SRC_URI[md5sum] = "f965fc0bf01bf882b31314b61391ae65"
+SRC_URI[sha256sum] = "6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0"
+
+PACKAGES =+ " \
+ ${PN}-engines \
+ ${PN}-engines-dbg \
+ "
+
+FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
+FILES_${PN}-engines-dbg = "${libdir}/ssl/engines/.debug"
+
+PARALLEL_MAKE = ""
+PARALLEL_MAKEINST = ""
+
+do_configure_prepend() {
+ cp ${WORKDIR}/find.pl ${S}/util/find.pl
+}
+
+# The crypto_use_bigint patch means that perl's bignum module needs to be
+# installed, but some distributions (for example Fedora 23) don't ship it by
+# default. As the resulting error is very misleading check for bignum before
+# building.
+do_configure_prepend() {
+ if ! perl -Mbigint -e true; then
+ bbfatal "The perl module 'bignum' was not found but this is required to build openssl. Please install this module (often packaged as perl-bignum) and re-run bitbake."
+ fi
+}