diff options
Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl')
9 files changed, 560 insertions, 405 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch new file mode 100644 index 0000000000..aa2e5bb800 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch @@ -0,0 +1,374 @@ +From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001 +From: William Lyu <William.Lyu@windriver.com> +Date: Fri, 20 Oct 2023 16:22:37 -0400 +Subject: [PATCH] Added handshake history reporting when test fails + +Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481] + +Signed-off-by: William Lyu <William.Lyu@windriver.com> +--- + test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++---------- + test/helpers/handshake.h | 70 +++++++++++++++++++- + test/ssl_test.c | 44 +++++++++++++ + 3 files changed, 218 insertions(+), 35 deletions(-) + +diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c +index e0422469e4..ae2ad59dd4 100644 +--- a/test/helpers/handshake.c ++++ b/test/helpers/handshake.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -24,6 +24,102 @@ + #include <netinet/sctp.h> + #endif + ++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */ ++/* Maps string names to various enumeration type */ ++typedef struct { ++ const char *name; ++ int value; ++} enum_name_map; ++ ++static const enum_name_map connect_phase_names[] = { ++ {"Handshake", HANDSHAKE}, ++ {"RenegAppData", RENEG_APPLICATION_DATA}, ++ {"RenegSetup", RENEG_SETUP}, ++ {"RenegHandshake", RENEG_HANDSHAKE}, ++ {"AppData", APPLICATION_DATA}, ++ {"Shutdown", SHUTDOWN}, ++ {"ConnectionDone", CONNECTION_DONE} ++}; ++ ++static const enum_name_map peer_status_names[] = { ++ {"PeerSuccess", PEER_SUCCESS}, ++ {"PeerRetry", PEER_RETRY}, ++ {"PeerError", PEER_ERROR}, ++ {"PeerWaiting", PEER_WAITING}, ++ {"PeerTestFail", PEER_TEST_FAILURE} ++}; ++ ++static const enum_name_map handshake_status_names[] = { ++ {"HandshakeSuccess", HANDSHAKE_SUCCESS}, ++ {"ClientError", CLIENT_ERROR}, ++ {"ServerError", SERVER_ERROR}, ++ {"InternalError", INTERNAL_ERROR}, ++ {"HandshakeRetry", HANDSHAKE_RETRY} ++}; ++ ++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */ ++static const char *enum_name(const enum_name_map *enums, size_t num_enums, ++ int value) ++{ ++ size_t i; ++ for (i = 0; i < num_enums; i++) { ++ if (enums[i].value == value) { ++ return enums[i].name; ++ } ++ } ++ return "InvalidValue"; ++} ++ ++const char *handshake_connect_phase_name(connect_phase_t phase) ++{ ++ return enum_name(connect_phase_names, OSSL_NELEM(connect_phase_names), ++ (int)phase); ++} ++ ++const char *handshake_status_name(handshake_status_t handshake_status) ++{ ++ return enum_name(handshake_status_names, OSSL_NELEM(handshake_status_names), ++ (int)handshake_status); ++} ++ ++const char *handshake_peer_status_name(peer_status_t peer_status) ++{ ++ return enum_name(peer_status_names, OSSL_NELEM(peer_status_names), ++ (int)peer_status); ++} ++ ++static void save_loop_history(HANDSHAKE_HISTORY *history, ++ connect_phase_t phase, ++ handshake_status_t handshake_status, ++ peer_status_t server_status, ++ peer_status_t client_status, ++ int client_turn_count, ++ int is_client_turn) ++{ ++ HANDSHAKE_HISTORY_ENTRY *new_entry = NULL; ++ ++ /* ++ * Create a new history entry for a handshake loop with statuses given in ++ * the arguments. Potentially evicting the oldest entry when the ++ * ring buffer is full. ++ */ ++ ++(history->last_idx); ++ history->last_idx &= MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK; ++ ++ new_entry = &((history->entries)[history->last_idx]); ++ new_entry->phase = phase; ++ new_entry->handshake_status = handshake_status; ++ new_entry->server_status = server_status; ++ new_entry->client_status = client_status; ++ new_entry->client_turn_count = client_turn_count; ++ new_entry->is_client_turn = is_client_turn; ++ ++ /* Evict the oldest handshake loop entry when the ring buffer is full. */ ++ if (history->entry_count < MAX_HANDSHAKE_HISTORY_ENTRY) { ++ ++(history->entry_count); ++ } ++} ++ + HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) + { + HANDSHAKE_RESULT *ret; +@@ -719,15 +815,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client, + SSL_set_post_handshake_auth(client, 1); + } + +-/* The status for each connection phase. */ +-typedef enum { +- PEER_SUCCESS, +- PEER_RETRY, +- PEER_ERROR, +- PEER_WAITING, +- PEER_TEST_FAILURE +-} peer_status_t; +- + /* An SSL object and associated read-write buffers. */ + typedef struct peer_st { + SSL *ssl; +@@ -1074,17 +1161,6 @@ static void do_shutdown_step(PEER *peer) + } + } + +-typedef enum { +- HANDSHAKE, +- RENEG_APPLICATION_DATA, +- RENEG_SETUP, +- RENEG_HANDSHAKE, +- APPLICATION_DATA, +- SHUTDOWN, +- CONNECTION_DONE +-} connect_phase_t; +- +- + static int renegotiate_op(const SSL_TEST_CTX *test_ctx) + { + switch (test_ctx->handshake_mode) { +@@ -1162,19 +1238,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, + } + } + +-typedef enum { +- /* Both parties succeeded. */ +- HANDSHAKE_SUCCESS, +- /* Client errored. */ +- CLIENT_ERROR, +- /* Server errored. */ +- SERVER_ERROR, +- /* Peers are in inconsistent state. */ +- INTERNAL_ERROR, +- /* One or both peers not done. */ +- HANDSHAKE_RETRY +-} handshake_status_t; +- + /* + * Determine the handshake outcome. + * last_status: the status of the peer to have acted last. +@@ -1539,6 +1602,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( + + start = time(NULL); + ++ save_loop_history(&(ret->history), ++ phase, status, server.status, client.status, ++ client_turn_count, client_turn); ++ + /* + * Half-duplex handshake loop. + * Client and server speak to each other synchronously in the same process. +@@ -1560,6 +1627,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( + 0 /* server went last */); + } + ++ save_loop_history(&(ret->history), ++ phase, status, server.status, client.status, ++ client_turn_count, client_turn); ++ + switch (status) { + case HANDSHAKE_SUCCESS: + client_turn_count = 0; +diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h +index 78b03f9f4b..b9967c2623 100644 +--- a/test/helpers/handshake.h ++++ b/test/helpers/handshake.h +@@ -1,5 +1,5 @@ + /* +- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -12,6 +12,11 @@ + + #include "ssl_test_ctx.h" + ++#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4 ++#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) ++#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \ ++ ((1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) - 1) ++ + typedef struct ctx_data_st { + unsigned char *npn_protocols; + size_t npn_protocols_len; +@@ -22,6 +27,63 @@ typedef struct ctx_data_st { + char *session_ticket_app_data; + } CTX_DATA; + ++typedef enum { ++ HANDSHAKE, ++ RENEG_APPLICATION_DATA, ++ RENEG_SETUP, ++ RENEG_HANDSHAKE, ++ APPLICATION_DATA, ++ SHUTDOWN, ++ CONNECTION_DONE ++} connect_phase_t; ++ ++/* The status for each connection phase. */ ++typedef enum { ++ PEER_SUCCESS, ++ PEER_RETRY, ++ PEER_ERROR, ++ PEER_WAITING, ++ PEER_TEST_FAILURE ++} peer_status_t; ++ ++typedef enum { ++ /* Both parties succeeded. */ ++ HANDSHAKE_SUCCESS, ++ /* Client errored. */ ++ CLIENT_ERROR, ++ /* Server errored. */ ++ SERVER_ERROR, ++ /* Peers are in inconsistent state. */ ++ INTERNAL_ERROR, ++ /* One or both peers not done. */ ++ HANDSHAKE_RETRY ++} handshake_status_t; ++ ++/* Stores the various status information in a handshake loop. */ ++typedef struct handshake_history_entry_st { ++ connect_phase_t phase; ++ handshake_status_t handshake_status; ++ peer_status_t server_status; ++ peer_status_t client_status; ++ int client_turn_count; ++ int is_client_turn; ++} HANDSHAKE_HISTORY_ENTRY; ++ ++typedef struct handshake_history_st { ++ /* Implemented using ring buffer. */ ++ /* ++ * The valid entries are |entries[last_idx]|, |entries[last_idx-1]|, ++ * ..., etc., going up to |entry_count| number of entries. Note that when ++ * the index into the array |entries| becomes < 0, we wrap around to ++ * the end of |entries|. ++ */ ++ HANDSHAKE_HISTORY_ENTRY entries[MAX_HANDSHAKE_HISTORY_ENTRY]; ++ /* The number of valid entries in |entries| array. */ ++ size_t entry_count; ++ /* The index of the last valid entry in the |entries| array. */ ++ size_t last_idx; ++} HANDSHAKE_HISTORY; ++ + typedef struct handshake_result { + ssl_test_result_t result; + /* These alerts are in the 2-byte format returned by the info_callback. */ +@@ -77,6 +139,8 @@ typedef struct handshake_result { + char *cipher; + /* session ticket application data */ + char *result_session_ticket_app_data; ++ /* handshake loop history */ ++ HANDSHAKE_HISTORY history; + } HANDSHAKE_RESULT; + + HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); +@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, + CTX_DATA *server2_ctx_data, + CTX_DATA *client_ctx_data); + ++const char *handshake_connect_phase_name(connect_phase_t phase); ++const char *handshake_status_name(handshake_status_t handshake_status); ++const char *handshake_peer_status_name(peer_status_t peer_status); ++ + #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ +diff --git a/test/ssl_test.c b/test/ssl_test.c +index ea608518f9..9d6b093c81 100644 +--- a/test/ssl_test.c ++++ b/test/ssl_test.c +@@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL; + /* Currently the section names are of the form test-<number>, e.g. test-15. */ + #define MAX_TESTCASE_NAME_LENGTH 100 + ++static void print_handshake_history(const HANDSHAKE_HISTORY *history) ++{ ++ size_t first_idx; ++ size_t i; ++ size_t cur_idx; ++ const HANDSHAKE_HISTORY_ENTRY *cur_entry; ++ const char header_template[] = "|%14s|%16s|%16s|%16s|%17s|%14s|"; ++ const char body_template[] = "|%14s|%16s|%16s|%16s|%17d|%14s|"; ++ ++ TEST_info("The following is the server/client state " ++ "in the most recent %d handshake loops.", ++ MAX_HANDSHAKE_HISTORY_ENTRY); ++ ++ TEST_note("==================================================" ++ "=================================================="); ++ TEST_note(header_template, ++ "phase", "handshake status", "server status", ++ "client status", "client turn count", "is client turn"); ++ TEST_note("+--------------+----------------+----------------" ++ "+----------------+-----------------+--------------+"); ++ ++ first_idx = (history->last_idx - history->entry_count + 1) & ++ MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK; ++ for (i = 0; i < history->entry_count; ++i) { ++ cur_idx = (first_idx + i) & MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK; ++ cur_entry = &(history->entries)[cur_idx]; ++ TEST_note(body_template, ++ handshake_connect_phase_name(cur_entry->phase), ++ handshake_status_name(cur_entry->handshake_status), ++ handshake_peer_status_name(cur_entry->server_status), ++ handshake_peer_status_name(cur_entry->client_status), ++ cur_entry->client_turn_count, ++ cur_entry->is_client_turn ? "true" : "false"); ++ } ++ TEST_note("==================================================" ++ "=================================================="); ++} ++ + static const char *print_alert(int alert) + { + return alert ? SSL_alert_desc_string_long(alert) : "no alert"; +@@ -388,6 +426,12 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) + ret &= check_client_sign_type(result, test_ctx); + ret &= check_client_ca_names(result, test_ctx); + } ++ ++ /* Print handshake loop history if any check fails. */ ++ if (!ret) { ++ print_handshake_history(&(result->history)); ++ } ++ + return ret; + } + +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch new file mode 100644 index 0000000000..502a7aaf32 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -0,0 +1,39 @@ +From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Tue, 30 May 2023 09:11:27 -0700 +Subject: [PATCH] Configure: do not tweak mips cflags + +This conflicts with mips machine definitons from yocto, +e.g. +| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2 + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> + +Refreshed for openssl-3.1.1 +Signed-off-by: Tim Orling <tim.orling@konsulko.com> +--- + Configure | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/Configure b/Configure +index 4569952..adf019b 100755 +--- a/Configure ++++ b/Configure +@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) + push @{$config{shared_ldflag}}, "-mno-cygwin"; + } + +-if ($target =~ /linux.*-mips/ && !$disabled{asm} +- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- # minimally required architecture flags for assembly modules +- my $value; +- $value = '-mips2' if ($target =~ /mips32/); +- $value = '-mips3' if ($target =~ /mips64/); +- unshift @{$config{cflags}}, $value; +- unshift @{$config{cxxflags}}, $value if $config{CXX}; +-} +- + # If threads aren't disabled, check how possible they are + unless ($disabled{threads}) { + if ($auto_threads) { diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch b/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch deleted file mode 100644 index 736bb39acd..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 3fdb1e2a16ea405c6731447a8994f222808ef7e6 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Fri, 7 Apr 2017 18:01:52 +0300 -Subject: [PATCH] Remove test that requires running as non-root - -Upstream-Status: Inappropriate [oe-core specific] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - test/recipes/40-test_rehash.t | 17 +---------------- - 1 file changed, 1 insertion(+), 16 deletions(-) - -diff --git a/test/recipes/40-test_rehash.t b/test/recipes/40-test_rehash.t -index f902c23..c7567c1 100644 ---- a/test/recipes/40-test_rehash.t -+++ b/test/recipes/40-test_rehash.t -@@ -23,7 +23,7 @@ setup("test_rehash"); - plan skip_all => "test_rehash is not available on this platform" - unless run(app(["openssl", "rehash", "-help"])); - --plan tests => 5; -+plan tests => 3; - - indir "rehash.$$" => sub { - prepare(); -@@ -42,21 +42,6 @@ indir "rehash.$$" => sub { - 'Testing rehash operations on empty directory'); - }, create => 1, cleanup => 1; - --indir "rehash.$$" => sub { -- prepare(); -- chmod 0500, curdir(); -- SKIP: { -- if (!ok(!open(FOO, ">unwritable.txt"), -- "Testing that we aren't running as a privileged user, such as root")) { -- close FOO; -- skip "It's pointless to run the next test as root", 1; -- } -- isnt(run(app(["openssl", "rehash", curdir()])), 1, -- 'Testing rehash operations on readonly directory'); -- } -- chmod 0700, curdir(); # make it writable again, so cleanup works --}, create => 1, cleanup => 1; -- - sub prepare { - my @pemsourcefiles = sort glob(srctop_file('test', "*.pem")); - my @destfiles = (); --- -2.11.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch b/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch deleted file mode 100644 index 6ce4e47d71..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0001-Take-linking-flags-from-LDFLAGS-env-var.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 08face4353d80111973aba9c1304c92158cfad0e Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Tue, 28 Mar 2017 16:40:12 +0300 -Subject: [PATCH] Take linking flags from LDFLAGS env var - -This fixes "No GNU_HASH in the elf binary" issues. - -Upstream-Status: Inappropriate [oe-core specific] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - Configurations/unix-Makefile.tmpl | 2 +- - Configure | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index c029817..43b769b 100644 ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -173,7 +173,7 @@ CROSS_COMPILE= {- $config{cross_compile_prefix} -} - CC= $(CROSS_COMPILE){- $target{cc} -} - CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -} - CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -} --LDFLAGS= {- $target{lflags} -} -+LDFLAGS= {- $target{lflags}." ".$ENV{'LDFLAGS'} -} - PLIB_LDFLAGS= {- $target{plib_lflags} -} - EX_LIBS= {- $target{ex_libs} -} {- $config{ex_libs} -} - LIB_CFLAGS={- $target{shared_cflag} || "" -} -diff --git a/Configure b/Configure -index aee7cc3..274d236 100755 ---- a/Configure -+++ b/Configure -@@ -979,7 +979,7 @@ $config{build_file} = $target{build_file}; - $config{defines} = []; - $config{cflags} = ""; - $config{ex_libs} = ""; --$config{shared_ldflag} = ""; -+$config{shared_ldflag} = $ENV{'LDFLAGS'}; - - # Make sure build_scheme is consistent. - $target{build_scheme} = [ $target{build_scheme} ] --- -2.11.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch b/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch deleted file mode 100644 index bb0a1689ed..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch +++ /dev/null @@ -1,88 +0,0 @@ -From bcc096a50811bf0f0c4fd34b2993fed7a7015972 Mon Sep 17 00:00:00 2001 -From: Andy Polyakov <appro@openssl.org> -Date: Fri, 3 Nov 2017 23:30:01 +0100 -Subject: [PATCH] aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with - binutils-2.29. - -It's not clear if it's a feature or bug, but binutils-2.29[.1] -interprets 'adr' instruction with Thumb2 code reference differently, -in a way that affects calculation of addresses of constants' tables. - -Upstream-Status: Backport - -Reviewed-by: Tim Hudson <tjh@openssl.org> -Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> -Signed-off-by: Stefan Agner <stefan.agner@toradex.com> -(Merged from https://github.com/openssl/openssl/pull/4669) - -(cherry picked from commit b82acc3c1a7f304c9df31841753a0fa76b5b3cda) ---- - crypto/aes/asm/aes-armv4.pl | 6 +++--- - crypto/aes/asm/bsaes-armv7.pl | 6 +++--- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl -index 16d79aae53..c6474b8aad 100644 ---- a/crypto/aes/asm/aes-armv4.pl -+++ b/crypto/aes/asm/aes-armv4.pl -@@ -200,7 +200,7 @@ AES_encrypt: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_encrypt - #else -- adr r3,AES_encrypt -+ adr r3,. - #endif - stmdb sp!,{r1,r4-r12,lr} - #ifdef __APPLE__ -@@ -450,7 +450,7 @@ _armv4_AES_set_encrypt_key: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_set_encrypt_key - #else -- adr r3,AES_set_encrypt_key -+ adr r3,. - #endif - teq r0,#0 - #ifdef __thumb2__ -@@ -976,7 +976,7 @@ AES_decrypt: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_decrypt - #else -- adr r3,AES_decrypt -+ adr r3,. - #endif - stmdb sp!,{r1,r4-r12,lr} - #ifdef __APPLE__ -diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl -index 9f288660ef..a27bb4a179 100644 ---- a/crypto/aes/asm/bsaes-armv7.pl -+++ b/crypto/aes/asm/bsaes-armv7.pl -@@ -744,7 +744,7 @@ $code.=<<___; - .type _bsaes_decrypt8,%function - .align 4 - _bsaes_decrypt8: -- adr $const,_bsaes_decrypt8 -+ adr $const,. - vldmia $key!, {@XMM[9]} @ round 0 key - #ifdef __APPLE__ - adr $const,.LM0ISR -@@ -843,7 +843,7 @@ _bsaes_const: - .type _bsaes_encrypt8,%function - .align 4 - _bsaes_encrypt8: -- adr $const,_bsaes_encrypt8 -+ adr $const,. - vldmia $key!, {@XMM[9]} @ round 0 key - #ifdef __APPLE__ - adr $const,.LM0SR -@@ -951,7 +951,7 @@ $code.=<<___; - .type _bsaes_key_convert,%function - .align 4 - _bsaes_key_convert: -- adr $const,_bsaes_key_convert -+ adr $const,. - vld1.8 {@XMM[7]}, [$inp]! @ load round 0 key - #ifdef __APPLE__ - adr $const,.LM0 --- -2.15.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch new file mode 100644 index 0000000000..bafdbaa46f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -0,0 +1,78 @@ +From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com> +Date: Tue, 6 Nov 2018 14:50:47 +0100 +Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler + info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The openssl build system generates buildinf.h containing the full +compiler command line used to compile objects. This breaks +reproducibility, as the compile command is baked into libcrypto, where +it is used when running `openssl version -f`. + +Add stripped build variables for the compiler and cflags lines, and use +those when generating buildinfo.h. + +This is based on a similar patch for older openssl versions: +https://patchwork.openembedded.org/patch/147229/ + +Upstream-Status: Inappropriate [OE specific] +Signed-off-by: Martin Hundebøll <martin@geanix.com> + +Update to fix buildpaths qa issue for '-fmacro-prefix-map'. + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +Update to fix buildpaths qa issue for '-ffile-prefix-map'. + +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- + Configurations/unix-Makefile.tmpl | 12 +++++++++++- + crypto/build.info | 2 +- + 2 files changed, 12 insertions(+), 2 deletions(-) + +Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.0.4/Configurations/unix-Makefile.tmpl +@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl + '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} + BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) + +-# CPPFLAGS_Q is used for one thing only: to build up buildinf.h ++# *_Q variables are used for one thing only: to build up buildinf.h + CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g; + $cppflags2 =~ s|([\\"])|\\$1|g; + $lib_cppflags =~ s|([\\"])|\\$1|g; + join(' ', $lib_cppflags || (), $cppflags2 || (), + $cppflags1 || ()) -} + ++CFLAGS_Q={- for (@{$config{CFLAGS}}) { ++ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; ++ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; ++ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; ++ } ++ join(' ', @{$config{CFLAGS}}) -} ++ ++CC_Q={- $config{CC} =~ s|--sysroot=[^ ]+|--sysroot=recipe-sysroot|g; ++ join(' ', $config{CC}) -} ++ + PERLASM_SCHEME= {- $target{perlasm_scheme} -} + + # For x86 assembler: Set PROCESSOR to 386 if you want to support +Index: openssl-3.0.4/crypto/build.info +=================================================================== +--- openssl-3.0.4.orig/crypto/build.info ++++ openssl-3.0.4/crypto/build.info +@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF + + DEPEND[info.o]=buildinf.h + DEPEND[cversion.o]=buildinf.h +-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" ++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)" + + GENERATE[uplink-x86.S]=../ms/uplink-x86.pl + GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch new file mode 100644 index 0000000000..748576c30c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/bti.patch @@ -0,0 +1,58 @@ +From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001 +From: Tom Cosgrove <tom.cosgrove@arm.com> +Date: Tue, 26 Mar 2024 13:18:00 +0000 +Subject: [PATCH] aarch64: fix BTI in bsaes assembly code + +In Arm systems where BTI is enabled but the Crypto extensions are not (more +likely in FVPs than in real hardware), the bit-sliced assembler code will +be used. However, this wasn't annotated with BTI instructions when BTI was +enabled, so the moment libssl jumps into this code it (correctly) aborts. + +Solve this by adding the missing BTI landing pads. + +Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982] +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + crypto/aes/asm/bsaes-armv8.pl | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl +index b3c97e439f..c3c5ff3e05 100644 +--- a/crypto/aes/asm/bsaes-armv8.pl ++++ b/crypto/aes/asm/bsaes-armv8.pl +@@ -1018,6 +1018,7 @@ _bsaes_key_convert: + // Initialisation vector overwritten with last quadword of ciphertext + // No output registers, usual AAPCS64 register preservation + ossl_bsaes_cbc_encrypt: ++ AARCH64_VALID_CALL_TARGET + cmp x2, #128 + bhs .Lcbc_do_bsaes + b AES_cbc_encrypt +@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt: + // Output text filled in + // No output registers, usual AAPCS64 register preservation + ossl_bsaes_ctr32_encrypt_blocks: +- ++ AARCH64_VALID_CALL_TARGET + cmp x2, #8 // use plain AES for + blo .Lctr_enc_short // small sizes + +@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks: + // Output ciphertext filled in + // No output registers, usual AAPCS64 register preservation + ossl_bsaes_xts_encrypt: ++ AARCH64_VALID_CALL_TARGET + // Stack layout: + // sp -> + // nrounds*128-96 bytes: key schedule +@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt: + // Output plaintext filled in + // No output registers, usual AAPCS64 register preservation + ossl_bsaes_xts_decrypt: ++ AARCH64_VALID_CALL_TARGET + // Stack layout: + // sp -> + // nrounds*128-96 bytes: key schedule +-- +2.34.1 + diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh deleted file mode 100644 index 6620fdcb53..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh +++ /dev/null @@ -1,222 +0,0 @@ -#!/bin/sh -# -# Ben Secrest <blsecres@gmail.com> -# -# sh c_rehash script, scan all files in a directory -# and add symbolic links to their hash values. -# -# based on the c_rehash perl script distributed with openssl -# -# LICENSE: See OpenSSL license -# ^^acceptable?^^ -# - -# default certificate location -DIR=/etc/openssl - -# for filetype bitfield -IS_CERT=$(( 1 << 0 )) -IS_CRL=$(( 1 << 1 )) - - -# check to see if a file is a certificate file or a CRL file -# arguments: -# 1. the filename to be scanned -# returns: -# bitfield of file type; uses ${IS_CERT} and ${IS_CRL} -# -check_file() -{ - local IS_TYPE=0 - - # make IFS a newline so we can process grep output line by line - local OLDIFS=${IFS} - IFS=$( printf "\n" ) - - # XXX: could be more efficient to have two 'grep -m' but is -m portable? - for LINE in $( grep '^-----BEGIN .*-----' ${1} ) - do - if echo ${LINE} \ - | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} )) - - if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ] - then - break - fi - elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----' - then - IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} )) - - if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ] - then - break - fi - fi - done - - # restore IFS - IFS=${OLDIFS} - - return ${IS_TYPE} -} - - -# -# use openssl to fingerprint a file -# arguments: -# 1. the filename to fingerprint -# 2. the method to use (x509, crl) -# returns: -# none -# assumptions: -# user will capture output from last stage of pipeline -# -fingerprint() -{ - ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':' -} - - -# -# link_hash - create links to certificate files -# arguments: -# 1. the filename to create a link for -# 2. the type of certificate being linked (x509, crl) -# returns: -# 0 on success, 1 otherwise -# -link_hash() -{ - local FINGERPRINT=$( fingerprint ${1} ${2} ) - local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} ) - local SUFFIX=0 - local LINKFILE='' - local TAG='' - - if [ ${2} = "crl" ] - then - TAG='r' - fi - - LINKFILE=${HASH}.${TAG}${SUFFIX} - - while [ -f ${LINKFILE} ] - do - if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ] - then - echo "NOTE: Skipping duplicate file ${1}" >&2 - return 1 - fi - - SUFFIX=$(( ${SUFFIX} + 1 )) - LINKFILE=${HASH}.${TAG}${SUFFIX} - done - - echo "${3} => ${LINKFILE}" - - # assume any system with a POSIX shell will either support symlinks or - # do something to handle this gracefully - ln -s ${3} ${LINKFILE} - - return 0 -} - - -# hash_dir create hash links in a given directory -hash_dir() -{ - echo "Doing ${1}" - - cd ${1} - - ls -1 * 2>/dev/null | while read FILE - do - if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \ - && [ -h "${FILE}" ] - then - rm ${FILE} - fi - done - - ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE - do - REAL_FILE=${FILE} - # if we run on build host then get to the real files in rootfs - if [ -n "${SYSROOT}" -a -h ${FILE} ] - then - FILE=$( readlink ${FILE} ) - # check the symlink is absolute (or dangling in other word) - if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ] - then - REAL_FILE=${SYSROOT}/${FILE} - fi - fi - - check_file ${REAL_FILE} - local FILE_TYPE=${?} - local TYPE_STR='' - - if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ] - then - TYPE_STR='x509' - elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ] - then - TYPE_STR='crl' - else - echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2 - continue - fi - - link_hash ${REAL_FILE} ${TYPE_STR} ${FILE} - done -} - - -# choose the name of an ssl application -if [ -n "${OPENSSL}" ] -then - SSL_CMD=$(which ${OPENSSL} 2>/dev/null) -else - SSL_CMD=/usr/bin/openssl - OPENSSL=${SSL_CMD} - export OPENSSL -fi - -# fix paths -PATH=${PATH}:${DIR}/bin -export PATH - -# confirm existance/executability of ssl command -if ! [ -x ${SSL_CMD} ] -then - echo "${0}: rehashing skipped ('openssl' program not available)" >&2 - exit 0 -fi - -# determine which directories to process -old_IFS=$IFS -if [ ${#} -gt 0 ] -then - IFS=':' - DIRLIST=${*} -elif [ -n "${SSL_CERT_DIR}" ] -then - DIRLIST=$SSL_CERT_DIR -else - DIRLIST=${DIR}/certs -fi - -IFS=':' - -# process directories -for CERT_DIR in ${DIRLIST} -do - if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ] - then - IFS=$old_IFS - hash_dir ${CERT_DIR} - IFS=':' - fi -done diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest index 65c6cc7b86..c89ec5afa1 100644 --- a/meta/recipes-connectivity/openssl/openssl/run-ptest +++ b/meta/recipes-connectivity/openssl/openssl/run-ptest @@ -1,4 +1,12 @@ #!/bin/sh -cd test -OPENSSL_ENGINES=../engines BLDTOP=.. SRCTOP=.. perl run_tests.pl -cd .. + +set -e + +# Optional arguments are 'list' to lists all tests, or the test name (base name +# ie test_evp, not 03_test_evp.t). + +export TOP=. +# OPENSSL_ENGINES is relative from the test binaries +export OPENSSL_ENGINES=../engines + +{ HARNESS_JOBS=4 perl ./test/run_tests.pl $* || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g' |