| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
License-Update: copyright years updated
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We had a c_rehash shell re-implementation being used for the native
package however the ca-certificates now uses the openssl rehash
internal application so there is no use for the c_rehash anymore.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The old bsd cryptodev engine was removed in
https://github.com/openssl/openssl/pull/3699
and the new one added in:
https://github.com/openssl/openssl/pull/3744
It can be enabled by configuring with "enable-devcryptoeng".
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The fix is heavily based on Khem's previous fix for bn.h/BN_LLONG breakage:
https://git.openembedded.org/openembedded-core/commit/?id=f787b0bb9b0626ddbf2ac94cb206c76716a3773d
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Cc: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
It is only needed by 95-test_external_pyca_data which is
actually skipped on the target.
[YOCTO #13204]
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
openssl-ptest was recording now results, despite most tests passing. Fix
so that the successes/skips/failures are reported correctly.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Perl and its dependencies have a decent footprint impact. On my
xz compressed filesystem:
634880: /usr/lib/libperl.so.5.24.4
Put c_rehash in the openssl-misc package so the dependency can be
avoided where it isn't needed.
Change-Id: Iae9bccabfb1c8cfa1401ca6785abc39713d3fdf0
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Gcc option '-fmacro-prefix-map' is added to DEBUG_PREFIX_MAP. It has a
patch to deal option '-fdebug-prefix-map' already. Update the patch
0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch to fix
buildpaths qa issue for '-fmacro-prefix-map' too.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
After adding #pragma once to wrapper header ( opensslconf.h ) this
latent issue got to bite us, where it expect bn.h to be including
openssl.h to define BN_* defines, which is fragile. This patch removes
the contraints for nested includes for bn.h
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
To avoid issue like below if run "bitbake lib32-core-image-minimal"
with series userspace packages(LAMP,krb5...) added.
Add multilib_script support for openssl's c_rehash which is a perl script.
Error: Transaction check error:
file /usr/bin/c_rehash conflicts between attempted installs of
lib32-openssl-bin-1.1.1-r0.armv7at2hf_neon and openssl-bin-1.1.1-r0.aarch64
Signed-off-by: Xulin Sun <xulin.sun@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
They work well now.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
This code is written for elfv1 ABI in mind and linked as such: disable
all optimizations at the moment when building for powerpc64 with musl.
Signed-off-by: Serhey Popovych <serhe.popovych@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In case of SDK generation, /usr/bin/ path are not correct
and must be replaced by ${bindir}.
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This file contains CC, CPP, CFLAGS, CXXFLAGS and the like.
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Whether the AFALG engine (use of hardware crypto via AF_ALG) is enable or
disable depends on whether the host kernel is 4.1 or above, which has no bearing
on whether the target system supports it.
Remove the complicated logic and simply enable/disable as requested.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
To aid debugging configure, dump the configdata in do_configure.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The openssl build system generates buildinf.h containing the full
compiler command line used to compile objects. This breaks
reproducibility, as the compile command is baked into libcrypto, where
it is used when running `openssl version -f`.
Add stripped build variables for the compiler and cflags lines, and use
those when generating buildinfo.h.
This is based on a similar patch for older openssl versions:
https://patchwork.openembedded.org/patch/147229/
Signed-off-by: Martin Hundebøll <martin@geanix.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport patch to fix CVE-2018-0735 for openssl 1.1.1.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport patches to fix CVE-2018-0734 for both openssl 1.0.2p and 1.1.1
versions.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
OpenSSL supports out-of-tree builds so we should use them. This makes builds
more reliable, and makes it easier to reduce the size of the ptest package.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously the ptest installation was simply a copy of the entire build tree,
which is terribly ugly.
Instead copy just the pieces we need, symlink to /usr as appropriate, and add
missing dependencies. Remove PRIVATE_LIBS as we don't ship copies of the
libraries now.
Also remember to do 'set -x' in run-ptest, so if the tests fail the runner
knows!
[ YOCTO #12965 ]
[ YOCTO #12967 ]
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The comment here stated that openssl is dual-licensed, but that would
mean that either of the two licenses could be used which is *not* the
case [1]. However LICENSE = "openssl" *is* correct because in OE that
maps to a generic license file which includes both licenses, which
makes sense because there isn't really any such thing as OpenSSL that
would be covered by the "OpenSSL license" and not the "SSLeay license".
Correct the comment to avoid any confusion.
[1] https://www.openssl.org/source/license.html
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
1. The building openssl requires to install perl Text::Template module(>=1.46),
but Text::Template is a non core Perl module, openssl chooses to bundle
Text::Template 1.46 into the source, for convenience.
https://github.com/openssl/openssl/commit/8ff2af548303d311ce3591406111f77862875a60
2. While Text::Template < 1.46, the produced build files are gravely faulty.
https://github.com/openssl/openssl/pull/6682
3. If host has installed Text::Template < 1.46 (such as CentOS-7.5 has Text::
Template 1.45). The mismatched old module was used although the right one in
openssl source.
So set PERL5LIB to use deterministic perl Text::Template module bundled
by openssl source and ignore the one of host
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The case in ptest use `nm -Pg libcrypto.so' to check symbol presence,
if library is stripped or debug split, the case will fail.
The test case needs debug symbols then we just disable that test.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The configure script ended up creating Makefile with
LIBDIR=/lib
which got leaked into various places including all
pkg-config .pc files where lines like (note the
double slash //):
libdir=${exec_prefix}//lib
...
Libs: -L${libdir} -lcrypto
which causes pkg-config --libs to include the full absolute path
to the recipe specific sysroot. This isn't a big problem
until something like CMake projects start generating
their own .cmake modules using this absolute path and exposing
them to sysroots of other bitbake recipes thus escaping
their recipe specific sysroots.
Then the fun begins when these users of the .cmake module start
to randomly fail builds with error messages like:
/home/builder/src/base/build/tmp/work/corei7-64-linux/package/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-linux/../../libexec/x86_64-linux/gcc/x86_64-linux/7.3.0/ld: cannot find /lib/libpthread.so.0
/home/builder/src/base/build/tmp/work/corei7-64-linux/package/1.0-r0/recipe-sysroot-native/usr/bin/x86_64-linux/../../libexec/x86_64-linux/gcc/x86_64-linux/7.3.0/ld: cannot find /usr/lib/libpthread_nonshared.a
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.
WARNING: exit code 1 from a shell command.
As luck has it, this problem goes away by recompiling the recipes
alone but repeats with multiple recipes here and there when full
images are build.
A careful inspection of multi page linker command lines shows
that some linker paramaters point to libraries in a different
recipes sysroot than what bitbake was building when the task
failed.
So, fix is to remove this one extra slash from openssl
library path configuration option. This changes openssl
Makefile to have:
LIBDIR=lib
and all users of LIBDIR variable in the Makefile are already
adding slashes as path separators if that is needed.
With this the generated .pc files have:
libdir=${exec_prefix}/lib
and pkg-config --libs knows to strip the already default
sysroot path away.
This then fixes the generated .cmake files to not include
these absolute paths and fixes the random build failures
when building images.
Thanks to Thomas, Michael and Ross for debugging support!
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Cc: Thomas Witt <thomas.witt@bmw.de>
Cc: Michael Ho <michael.ho@bmw.de>
Cc: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Current configuration for debian-mips64 is not correct,
'SIXTY_FOUR_BIT_LONG' need to be specified. otherwise,
it will cause other recipe like crda compile failed since
use default THIRTY_TWO_BIT mode.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This is the new LTS release with support for TLS 1.3.
Release announcement:
https://www.openssl.org/blog/blog/2018/09/11/release111/
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The configuration files from 1.0 and 1.1 conflict:
"""
file /etc/ssl/openssl.cnf conflicts between attempted installs of openssl10-conf-1.0.2p-r0.i586 and openssl-conf-1.1.1+pre9-r0.i586
"""
Ensure that if 1.1 is present, it will overwrite the config file
from 1.0.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The tweaking was not sufficient to prevent package dependency issues,
but there is a standard mechanism to do exactly that kind of prevention
which I wasn't aware of.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
At the moment 1.1.1 is in pre-release stage, however the final release
should be available within a few weeks. The major selling point is that
it supports the new TLS 1.3 specification. It will also be the new long
term support version. More information:
https://www.openssl.org/policies/releasestrat.html
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
default version
I believe the time has come to do this: openssl 1.0 upstream support stops at the end
of 2019, and we do not want a situation where a supported YP release contains an
unsupported version of a critical security component.
Openssl 1.0 can still be utilized by depending on 'openssl10' recipe.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Although the relative_symlinks class converts any absolute symlinks
in ${D} into relative symlinks automatically, it's a little clearer
to create relative symlinks directly where possible.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Relying on hardcoded built-in paths causes openssl-native to not be
relocateable from sstate.
Solution for openssl 1.1, based on the existing solution from
openssl 1.0:
http://git.openembedded.org/openembedded-core/commit/?id=771d3123331fbfab1eb9ce47e3013eabcb2248f5
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The aarch64 build issue in the afalg engine appears to have been
fixed upstream since openssl 1.1.0g:
https://github.com/openssl/openssl/commit/a0c262644eab897b51faf1fa013008052c3754c2
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
A single version of the openssl.sh environment-setup script is
currently shared by both the openssl 1.0 and 1.1 recipes. The libdir
path in the script needs to be tweaked for openssl 1.1.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The openssl 1.0 recipe puts the libdir symlink to /etc/ssl/openssl.cnf
in the base openssl package (along with the libdir symlinks to
/etc/ssl/certs and /etc/ssl/private). Keep the openssl 1.1 recipe
aligned with that approach until there's a clear reason to do
something else. For more background, see comments in the following
thread:
http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135176.html
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The openssl 1.1 recipe doesn't have a PACKAGECONFIG option for perl,
so the RDEPENDS for openssl-misc shouldn't be conditional on it.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Formatting and comment tweaks only, no functional changes.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
According to comments in Configurations/10-main.conf, the linux-elf
target is "... to be used on older Linux machines where gcc doesn't
understand -m32 and -m64".
The linux-x86 target appears to be the newer replacement (currently
the only difference between the two is that linux-x86 adds -m32 to
cflags).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Merge duplicates + minor reformatting (no functional changes).
Note that the openssl 1.1 recipe still needs to be updated to handle
MIPS Release 6 ISA targets (e.g. linux-mipsisa32r6, etc).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Please see this security advisory:
https://www.openssl.org/news/secadv/20180612.txt
Remove obsolete patch.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Please see this security advisory:
https://www.openssl.org/news/secadv/20180612.txt
Refresh patches
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
Otavio Salvador
Ross Burton
Ovidiu Panait
Denys Dmytriyenko
Alexander Kanavin
Richard Purdie
Brad Bishop
Kai Kang
Khem Raj
Xulin Sun
Robert Yang
Serhey Popovych
Christophe PRIOUZEAU
Douglas Royds
Martin Hundebøll
Paul Eggleton
Hongxu Jia
Mikko Rapeli
Alexey Brodkin
Changqing Li
Alexander Kanavin
Andre McCurdy
Andrej Valek