| Age | Commit message (Collapse) | Author |
|---|
|
The openssl Configure script will only select standalone makedepend
(vs running "$CC -M") when building with gcc < 3.x or with an Apple
Xcode version which predates the switch to clang (in approx 2010?).
Neither of these cases are possible when building under OE, therefore
the dependency on makedepend-native can be dropped (ie align the
openssl 1.0 recipe with the 1.1 recipe, which has dropped the
makedepend-native dependency already).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Openssl 1.1 requires perl in order to build (just as openssl 1.0
does). The missing dependency has gone unnoticed up to now since
hostperl-runtime-native is included in ASSUME_PROVIDED.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Squash whitespace in CC_INFO to avoid recipe whitespace changes to
CFLAG affecting the final openssl binaries (the value of CC_INFO gets
embedded in libcrypto, via buildinf.h).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Creating the openssl manpages, which happens as part of do_install(),
can take a significant amount of time (e.g. ~50 seconds on a quad
core laptop). Provide a PACKAGECONFIG option to allow creation of the
manpages to be skipped completely if not required and inherit the
manpages class to automatically control the PACKAGECONFIG option
(based on the "api-documentation" distro feature).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The fact that the darwin support only appears to consider x86 (and
not x86_64) suggests that it's not maintained or tested. In general
oe-core doesn't support building on darwin.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Previously (when EXTRA_OEMAKE contained -e) exporting these variables
over-rode default values in the top-level openssl Makefile. However,
since -e was removed from EXTRA_OEMAKE as part of:
http://git.openembedded.org/openembedded-core/commit/?id=537a404cfbb811fcb526cdb5f2e059257de6ef13
exporting these variables does nothing. The comment from that commit
that only AR is affected by removing -e wasn't correct, but the
effects of letting the openssl Makefile also control AS, EX_LIBS and
DIRS seem to be either benign or beneficial.
Since without -e make ignores DIRS from the environment and always
runs for all subdirs (including "test"), adding "test" to DIRS and
calling "make depend" again from do_compile_ptest() can be dropped.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This patch adds a second line to the -help output of the CA.pl script
(which lists almost the same command line options as the line above
it but in a slightly different order). Although it's tagged as a
Debian backport, there's no patch like it in recent Debian patch sets
for openssl 1.0.2.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix inconsistent indent (and also make the openssl 1.1 recipe more
consistent and consistent with the openssl 1.0 recipe).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Align the openssl 1.1 recipe with changes made to openssl 1.0:
http://git.openembedded.org/openembedded-core/commit/?id=a072d4620db462c5d3459441d5684cfd99938400
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Align the openssl 1.1 recipe with changes made to openssl 1.0:
http://git.openembedded.org/openembedded-core/commit/?id=e01e7c543a559c8926d72159b5cd55db0c661434
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Currently target builds call make twice as part of do_compile(). It
appears to be an accidental side effect of needing to only pass
CC_INFO on the make command line for target builds, since CC_INFO is
only referenced by the reproducible build patches.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Although passing -no-ssl3 works, comments in the openssl Configure
script suggest doing so isn't really correct:
s /^-no-/no-/; # some people just can't read the instructions
The documented way to pass no-<cipher> config options is without a
leading "-"
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/INSTALL
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Since openssl isn't an autotools recipe, defining cryptodev-linux
related config options via PACKAGECONFIG hasn't worked correctly
since PACKAGECONFIG_CONFARGS stopped being automatically appended to
EXTRA_OECONF in 2016:
http://git.openembedded.org/openembedded-core/commit/?id=c98fb5f5129e71829ffab4449b3d28082bc95ab4
The issue appears to have been hidden as the flags are also hardcoded
in CFLAG - and therefore always enabled, regardless of the state of
the PACKAGECONFIG option. Fix by passing both EXTRA_OECONF and
PACKAGECONFIG_CONFARGS when running the openssl Configure script.
Although the openssl 1.1 recipe doesn't contain any PACKAGECONFIG
options yet, pre-emptively make the same fix there too.
Also only enable cryptodev-linux by default for target builds (based
on the historical comments in the recipe, that seems to have been the
original intention).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Make clear distinction between local variables and bitbake variables.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Drop redundant setting of S to its default value, fix inconsistent
indent and re-order variables to align more closely to the OE
style-guide.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The openssl10.inc include file only has one user, so we can improve
maintainability by merging the include file into the recipe which
uses it.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Drop redundant setting of S to its default value and re-order
variables to align more closely to the OE style-guide.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Using += with an over-ride can be a source of confusion so try to
avoid the construct in core recipes.
The current usage is incorrect and prevents the aarch64 and musl
specific config options from being active together.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When SDK is not installed in the default location, openssl will not be
able to find the the openssl.cnf config file:
"WARNING: can't open config file: XXXX/usr/lib/ssl/openssl.cnf"
To fix this, we need to provide the environment variable $OPENSSL_CONF
pointing to the correct config file location.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
ccache and openssl don't get on:
| make[1]: Entering directory '/home/prj/yocto/build/tmp/work/core2-64-poky-linux/openssl/1.0.2o-r0/openssl-1.0.2o/crypto'
| ccache: invalid option -- 'D'
Disable the use of ccache in the openssl recipe until someone root-causes this.
[ YOCTO #12810 ]
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Please see this security advisory:
https://www.openssl.org/news/secadv/20180327.txt
Remove 0001-Remove-test-that-requires-running-as-non-root.patch
(issue fixed upstream)
Remove 0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch
(backport)
License-Update: copyright years
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Please see this security advisory:
https://www.openssl.org/news/secadv/20180327.txt
License-Update: copyright years
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The recipes were using 'basename' to turn '/usr/lib' into 'lib', which breaks when libdir is '/usr/lib/tuple', leading to libraries ending up in '/usr/tuple', which isn't in FILES_*. Change the logic to use sed to strip the prefix instead.
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Improve reproducible build of:
openssl-staticdev
openssl-dbg
libcrypto
There are two main causes that prevent reproducible build, both related to
the generated file "buildinf.h":
1. "buildinf.h" contains build host CFLAGS, containing various build
host references. We need to pass sanitized CFLAGS to the script
generating this file ("mkbuildinf.pl". )
2. We also need to modify the script "mkbuildinf.pl" itsel in order to
generate a build timestamp based on SOURCE_DATE_EPOCH, if present in
the environment.
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The patch was applied in a completely incorrect spot (due to fuzz),
no one noticed or complained. Meanwhile upstream says the issue
has been resolved differently:
https://rt.openssl.org/Ticket/Display.html?id=3759&user=guest&pass=guest
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Drop upstreamed 0001-aes-armv4-bsaes-armv7-sha256-armv4-.pl-make-it-work-.patch
Rebase a couple more patches (via devtool upgrade).
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
These functions were moved to meta/lib/oe in 2010 and the base_* functions in
utils.bbclass were intended to be a short-term compatibility layer. They're
still used in a few places, so update the callers to use the new functions.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Remove buildhost references from Makefile and Configure.
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When compiling OpenSSL with binutils 2.29 for ARM with Thumb2 enabled
crashes and unexpected behavior occurs. E.g. connecting to a OpenSSH
server using the affected binary fails with:
ssh_dispatch_run_fatal: Connection to 192.168.10.171 port 22: incorrect signature
Backport upstream bugfix:
https://github.com/openssl/openssl/issues/4659
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Deals with two CVEs:
* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
When compiling OpenSSL with binutils 2.29 for ARM with Thumb2 enabled
crashes and unexpected behavior occurs. E.g. connecting to a OpenSSH
server using the affected binary fails with:
ssh_dispatch_run_fatal: Connection to 192.168.10.171 port 22: incorrect signature
Backport upstream bugfix:
https://github.com/openssl/openssl/issues/4659
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Deals with two CVEs:
* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This patch works around a rare parallel build race condition using
the force option when soft linking.
The error seen is:
ln: failed to create symbolic link 'libssl.so': File exists
make[4]: *** [Makefile.shared:171: link_a.gnu] Error 1
make[4]: Leaving directory
'/.../build/tmp-glibc/work/x86_64-linux/openssl-native/1.0.2k-r0/openssl-1.0.2k'
Just add the -f flag to the platform independent soft link code to
avoid the collision. This is reasonable since this Makefile removes
the link target before creating a new soft link. The Makefile was
written this way to support platforms that don't allow forcing a
softlink to overwrite an existing link. Only builds on Linux are
supported so that's not a requirement for oe-core recipes.
The openssl team is rewriting their build files so it's not appropriate
for openssl upstream and fixing the root cause of the race condition
was also not pursued.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Vishal Bhoj <vishal.bhoj@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
openssl 1.1 broke 3rd party layers a lot more than was expected; let's flip
the switch at the start of next development cycle.
Add a PROVIDES = "openssl10" to openssl 1.0 recipe; any dependency that is
not compatible with 1.1 should use that in its DEPENDS, as the 1.0
recipe will later be renamed back to openssl10. This does not always work:
http://lists.openembedded.org/pipermail/openembedded-core/2017-August/140957.html
but for many recipes it does.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Use PACKAGECONFIG to add cryptodev.
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
ERROR: openssl-1.1.0f-r0 do_package_qa: QA Issue: /usr/lib/openssl/ptest/fuzz/helper.py contained in package openssl-ptest requires /usr/bin/python, but no providers found in RDEPENDS_openssl-ptest? [file-rdeps]
ERROR: openssl-1.1.0f-r0 do_package_qa: QA Issue: /usr/lib/openssl/ptest/test/certs/mkcert.sh contained in package openssl-ptest requires /bin/bash, but no providers found in RDEPENDS_openssl-ptest? [file-rdeps]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The package resolver failes to assemble images because some of the man
pages in openssl10 conflict with the openssl package. In the case
where you want openssl, openssh and the documentation installed in the
same system you will see the failure.
The work around is to rename all the openssl10 man pages and symlinks
to have a prefix of openssl10-.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Existing openssl 1.0 recipe is renamed to openssl10; it will
continue to be provided for as long as upstream supports it
(and there are still several recipes which do not work with openssl
1.1 due to API differences).
A few files (such as openssl binary) are no longer installed by openssl 1.0,
because they clash with openssl 1.1.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Support musl-x32 build which to build openssl with 32 bits.
Signed-off-by: sweeaun <swee.aun.khor@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1. Dropped obsolete patches, because the new version contains them:
- fix-cipher-des-ede3-cfb1.patch
- openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
2. LICENSE checksum change due to copyright years and wording tweak.
3. Test binaries (x86-64) are included in source code. So remove those
only for ptest.
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This adds or fixes the Upstream-Status for all remaining patches missing it
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Some of these are clearly dead, e.g. one binutils patch reverts the effects
of the earlier one.
This also removes the uclibc site files. We now have mechanisms to allow these
to be extended from another layer should someone ever wish to do that.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Commit 7933fbbc637 "Security fix Drown via 1.0.2g update" included
a version-script change from Debian that was an ABI change. It did
not include the soname change that Debian did so we have been calling
our ABI 1.0.0 but it really matches what others call 1.0.2.
Bump SONAME to match the ABI. In practice this changes both libcrypto
and libssl sonames from 1.0.0 to 1.0.2.
For background: Upstream does not do sonames so these are set by
distros. In this case the ABI changes based on a build time
configuration! Debian took the ABI changing configuration and bumped
soname but e.g. Ubuntu kept the deprecated API and just made it not
work, keeping soname. So both have same version of openssl but support
different ABI (and expose different SONAME).
Fixes [YOCTO #11396].
Thanks to Alexander Larsson et al for detective work.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This reverts commit 991620f3962a9917fa99abb5582f4b72ebd42a3d.
The commit breaks openssl-native (you can no longer generate keys
because it can't find the configuration file). Also the idea that we
would install configuration files normally but then add the symlinks
pointing to them in a postinstall feels wrong.
Fixes [YOCTO #11296]. The bug contains an alternative fix but I'm
sending a revert as I cannot fully understand the motive of the
original patch. See also discussion in
http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135176.html
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This was causing a couple of ptest failures.
[YOCTO #10840]
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
Andre McCurdy
Ovidiu Panait
Ross Burton
Alexander Kanavin
Koen Kooi
Juro Bystricky
Denys Dmytriyenko
Stefan Agner
Randy MacLeod
Khem Raj
Vishal Bhoj
Huang Qiyu
Richard Purdie
Jason Wessel
sweeaun
Changhyeok Bae
Jussi Kukkonen