Age | Commit message (Collapse) | Author |
|
Align the openssl 1.1 recipe with changes made to openssl 1.0:
http://git.openembedded.org/openembedded-core/commit/?id=e01e7c543a559c8926d72159b5cd55db0c661434
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Currently target builds call make twice as part of do_compile(). It
appears to be an accidental side effect of needing to only pass
CC_INFO on the make command line for target builds, since CC_INFO is
only referenced by the reproducible build patches.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Although passing -no-ssl3 works, comments in the openssl Configure
script suggest doing so isn't really correct:
s /^-no-/no-/; # some people just can't read the instructions
The documented way to pass no-<cipher> config options is without a
leading "-"
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/INSTALL
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Since openssl isn't an autotools recipe, defining cryptodev-linux
related config options via PACKAGECONFIG hasn't worked correctly
since PACKAGECONFIG_CONFARGS stopped being automatically appended to
EXTRA_OECONF in 2016:
http://git.openembedded.org/openembedded-core/commit/?id=c98fb5f5129e71829ffab4449b3d28082bc95ab4
The issue appears to have been hidden as the flags are also hardcoded
in CFLAG - and therefore always enabled, regardless of the state of
the PACKAGECONFIG option. Fix by passing both EXTRA_OECONF and
PACKAGECONFIG_CONFARGS when running the openssl Configure script.
Although the openssl 1.1 recipe doesn't contain any PACKAGECONFIG
options yet, pre-emptively make the same fix there too.
Also only enable cryptodev-linux by default for target builds (based
on the historical comments in the recipe, that seems to have been the
original intention).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Make clear distinction between local variables and bitbake variables.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Drop redundant setting of S to its default value, fix inconsistent
indent and re-order variables to align more closely to the OE
style-guide.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The openssl10.inc include file only has one user, so we can improve
maintainability by merging the include file into the recipe which
uses it.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Since v0.7 avahi uses /run/avahi-daemon/socket.
libnss searches in $(localstatedir)/run/avahi-daemon/.
Set localstatedir to / to fix mdns resolving.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
include:
CVE-2018-5738
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
As of nfs-utils 2.2.1 libnfsidmap has been integrated and isn't an external
requirement anymore.
Also consolidate nfs-utils patches into a single directory.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Drop redundant setting of S to its default value and re-order
variables to align more closely to the OE style-guide.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Using += with an over-ride can be a source of confusion so try to
avoid the construct in core recipes.
The current usage is incorrect and prevents the aarch64 and musl
specific config options from being active together.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When SDK is not installed in the default location, openssl will not be
able to find the the openssl.cnf config file:
"WARNING: can't open config file: XXXX/usr/lib/ssl/openssl.cnf"
To fix this, we need to provide the environment variable $OPENSSL_CONF
pointing to the correct config file location.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
with bind 9.11.2+ when the build host has lmdb installed, bind configure looks into
host headers and wrongly interprets that it should be enabling lmdb
disable lmdb to fix
| configure: error: found lmdb include but not library.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* Removed 001-configure-Allow-to-explicitly-disable-nfsidmap.patch,
the nfsidmap is enabled when --enable-nfsv4, so I added a
PACKAGECONFIG[nfsv4], and default is no since keyutils is not in oe-core by
default.
* Removed 0001-include-stdint.h-for-UINT16_MAX-definition.patch and
nfs-utils-1.2.3-sm-notify-res_init.patch since they are already in the
source.
* Taken two patches from git://git.alpinelinux.org/aports to fix build
with musl, and the nfs-utils-musl-res_querydomain.patch is for musl only.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
LIC_FILES_CHKSUM changed do to updated year
removed:
dont-test-on-host.patch, no longer implemented
drop use-python3-and-fix-install-lib-path.patch, they added the ability to pass in lib dir loctions
drop bind-confgen-build-unix.o-once.patch, fix included in update
Refresh other patches:
add python3 flag for PACKAGECONFIG to pull in python
add new config option --with-eddsa=no (needs openssl support not released)
Python support is disaled by default now.
Acked-by: Martin Hundebøll <mnhu@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
include several CVE fixes.
CVE: CVE-2018-5733
CVE: CVE-2018-5732
LIC_CHKSUM_FILE updated to SPFX format
https://kb.isc.org/article/AA-01571
remove several patches now included in update.
Shared libarary support is now enabled in configure+lt, use it
and revert to autotools-brokensep
Refresh patches
Aligns support with bind 9.11.x
Add libxml2 support to configure.ac+lt
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
ccache and openssl don't get on:
| make[1]: Entering directory '/home/prj/yocto/build/tmp/work/core2-64-poky-linux/openssl/1.0.2o-r0/openssl-1.0.2o/crypto'
| ccache: invalid option -- 'D'
Disable the use of ccache in the openssl recipe until someone root-causes this.
[ YOCTO #12810 ]
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The following error messages appear now and then at boot time.
avahi-daemon/chroot.c: open() failed: No such file or directory
Failed to open /etc/resolv.conf: Invalid argument
The problem is about /etc/resolv.conf. In Yocto's systemd based
systems, it's a symlink to /etc/resolv-conf.systemd which in turn
is a symlink to /run/systemd/resolve/resolv.conf. The systemd-resolved
service handles creation of /run/systemd/resolve/resolv.conf file.
So if avahi-daemon is started before systemd-resolved, the error messages
appear.
Fix this problem by making avahi-daemon start after systemd-resolved.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This patch does nothing but reorganizing codes.
avahi.inc is shared by avahi and avahi-ui recipes. Move common things
into it, and move uncommon things out of it.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Refresh the following patch:
0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
And use bitbake variables for install paths to fix nativesdk-openssh
compilation.
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously sshd_check_keys would create a full set of all possible
sshd host keys, even if sshd_config has been set to only enable
certain key types.
Update sshd_check_keys to only create keys which have been enabled in
sshd_config (with a fallback to creating a full set of key types if
no HostKey options are defined, as before).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Changes are mostly related to the removal of support for SSH v.1
protocol, which was dropped from openssh sshd in 7.4p1:
https://www.openssh.com/txt/release-7.4
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The openssh sshd init script contains a mix of indent styles, mostly
inherited from the Debian script from which it is derived. Leave the
indent from Debian as-is, but for lines which are OE specific (e.g.
where Debian's log_daemon_msg helper has been replaced with echo)
make the indent consistent with surrounding lines.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The "ssh-keygen" package no longer seems to be provided by any recipe
in oe-core or meta-oe, so there's no clear reason for the
openssh-keygen package to conflict with it.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Openssh takes care of enabling large-file support automatically via
the AC_SYS_LARGEFILE in the configure.ac, so additional help from the
recipe is not required.
Even if it were once required, defining __FILE_OFFSET_BITS (ie with
double leading underscores) looks like a typo and probably never had
any effect anyway?
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When switch PATCHTOOL to patch, applying 'key-replay-cve-multiple.patch' failed:
checking file src/ap/ieee802_11.c
checking file src/ap/wpa_auth.c
checking file src/ap/wpa_auth.h
checking file src/ap/wpa_auth_ft.c
checking file src/ap/wpa_auth_i.h
checking file src/common/wpa_common.h
checking file src/rsn_supp/wpa.c
checking file src/rsn_supp/wpa_i.h
checking file src/rsn_supp/wpa.c
Hunk #1 FAILED at 709.
Hunk #2 FAILED at 757.
Hunk #3 succeeded at 840 (offset -12 lines).
Hunk #4 FAILED at 868.
Hunk #5 FAILED at 900.
Hunk #6 FAILED at 924.
Hunk #7 succeeded at 1536 (offset -38 lines).
Hunk #8 FAILED at 2386.
Hunk #9 FAILED at 2920.
Hunk #10 succeeded at 2940 (offset -46 lines).
Hunk #11 FAILED at 2998.
8 out of 11 hunks FAILED
checking file src/rsn_supp/wpa_i.h
Hunk #1 FAILED at 32.
1 out of 1 hunk FAILED
checking file src/common/wpa_common.h
Hunk #1 succeeded at 215 with fuzz 1.
checking file src/rsn_supp/wpa.c
checking file src/rsn_supp/wpa_i.h
checking file src/ap/wpa_auth.c
Hunk #1 succeeded at 1898 (offset -3 lines).
Hunk #2 succeeded at 2470 (offset -3 lines).
checking file src/rsn_supp/tdls.c
checking file wpa_supplicant/wnm_sta.c
checking file src/rsn_supp/wpa.c
Hunk #1 succeeded at 2378 (offset -62 lines).
checking file src/rsn_supp/wpa_ft.c
checking file src/rsn_supp/wpa_i.h
Hunk #1 succeeded at 123 (offset -5 lines).
So split the wpa-supplicant/key-replay-cve-multiple to 8 patches.
Signed-off-by: Hong Liu <hongl.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
DSA keys have been deprecated for some time:
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
wireless-tools have been obsolete and superseded by iw for a very long time.
I've checked that images continue to boot and the graphical connman frontend
is still able to list wireless networks; there is no evidence that
wireless-tools are needed by anything.
[YOCTO #12727]
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Don't blindly add mdns_minimal, instead check for existing
mdns_minimal instances. Fixes continuously appending mdns settings
to nssswitch.conf when upgrading.
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This header is used by other apps e.g. ippool
glibc provides an internal version which it should not
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
In multiarch /usr/include and /usr/lib/<tuple/ are not on the same level anymore. This change will pass a correct includedir, but a wrong libdir, but the linker picks it up anyway.
Tested on multiarch and regular build.
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Add PACKAGECONFIG for btpclient (BTP client for qualification testing)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1.22 -> 1.23
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
0001-iproute2-de-bash-scripts.patch is applied in upstream repo.
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
While compiling openssl with option `no-des', it caused the openssh
build failure
...
cipher.c:85:41: error: 'EVP_des_ede3_cbc' undeclared here (not in a function);
...
OpenSSL configured that way defines OPENSSL_NO_DES to disable des
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix CVE-2017-3144
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3144
https://kb.isc.org/article/AA-01541
Patch from:
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commitdiff;h=5097bc0559f592683faac1f67bf350e1bddf6ed4
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Please see this security advisory:
https://www.openssl.org/news/secadv/20180327.txt
Remove 0001-Remove-test-that-requires-running-as-non-root.patch
(issue fixed upstream)
Remove 0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch
(backport)
License-Update: copyright years
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Please see this security advisory:
https://www.openssl.org/news/secadv/20180327.txt
License-Update: copyright years
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The recipes were using 'basename' to turn '/usr/lib' into 'lib', which breaks when libdir is '/usr/lib/tuple', leading to libraries ending up in '/usr/tuple', which isn't in FILES_*. Change the logic to use sed to strip the prefix instead.
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Now that we have recipe-specific-sysroots we don't need to exclude recipes from
world builds because they conflict with other recipes, as they'll all be built
with their own sysroots.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When rebuilding iproute2, many such instances of the following build failure
occur:
| make[1]: Entering directory '.../iproute2/4.14.1-r0/iproute2-4.14.1/lib'
| Makefile:1: ../config.mk: No such file or directory
| make[1]: *** No rule to make target '../config.mk'. Stop.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Improve reproducible build of:
openssl-staticdev
openssl-dbg
libcrypto
There are two main causes that prevent reproducible build, both related to
the generated file "buildinf.h":
1. "buildinf.h" contains build host CFLAGS, containing various build
host references. We need to pass sanitized CFLAGS to the script
generating this file ("mkbuildinf.pl". )
2. We also need to modify the script "mkbuildinf.pl" itsel in order to
generate a build timestamp based on SOURCE_DATE_EPOCH, if present in
the environment.
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The patch was applied in a completely incorrect spot (due to fuzz),
no one noticed or complained. Meanwhile upstream says the issue
has been resolved differently:
https://rt.openssl.org/Ticket/Display.html?id=3759&user=guest&pass=guest
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|