From 96d5e9c186fb83f1b5d9b38ace0b1222c3c04c54 Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 28 Mar 2018 15:43:08 +0300 Subject: openssl: update 1.1.0g -> 1.1.0h Please see this security advisory: https://www.openssl.org/news/secadv/20180327.txt Remove 0001-Remove-test-that-requires-running-as-non-root.patch (issue fixed upstream) Remove 0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch (backport) License-Update: copyright years Signed-off-by: Alexander Kanavin Signed-off-by: Ross Burton --- ...ve-test-that-requires-running-as-non-root.patch | 49 ------- ...-armv4-bsaes-armv7-.pl-make-it-work-with-.patch | 88 ----------- .../recipes-connectivity/openssl/openssl_1.1.0g.bb | 163 --------------------- .../recipes-connectivity/openssl/openssl_1.1.0h.bb | 161 ++++++++++++++++++++ 4 files changed, 161 insertions(+), 300 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl_1.1.0g.bb create mode 100644 meta/recipes-connectivity/openssl/openssl_1.1.0h.bb (limited to 'meta/recipes-connectivity/openssl') diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch b/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch deleted file mode 100644 index 736bb39acd..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0001-Remove-test-that-requires-running-as-non-root.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 3fdb1e2a16ea405c6731447a8994f222808ef7e6 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin -Date: Fri, 7 Apr 2017 18:01:52 +0300 -Subject: [PATCH] Remove test that requires running as non-root - -Upstream-Status: Inappropriate [oe-core specific] -Signed-off-by: Alexander Kanavin ---- - test/recipes/40-test_rehash.t | 17 +---------------- - 1 file changed, 1 insertion(+), 16 deletions(-) - -diff --git a/test/recipes/40-test_rehash.t b/test/recipes/40-test_rehash.t -index f902c23..c7567c1 100644 ---- a/test/recipes/40-test_rehash.t -+++ b/test/recipes/40-test_rehash.t -@@ -23,7 +23,7 @@ setup("test_rehash"); - plan skip_all => "test_rehash is not available on this platform" - unless run(app(["openssl", "rehash", "-help"])); - --plan tests => 5; -+plan tests => 3; - - indir "rehash.$$" => sub { - prepare(); -@@ -42,21 +42,6 @@ indir "rehash.$$" => sub { - 'Testing rehash operations on empty directory'); - }, create => 1, cleanup => 1; - --indir "rehash.$$" => sub { -- prepare(); -- chmod 0500, curdir(); -- SKIP: { -- if (!ok(!open(FOO, ">unwritable.txt"), -- "Testing that we aren't running as a privileged user, such as root")) { -- close FOO; -- skip "It's pointless to run the next test as root", 1; -- } -- isnt(run(app(["openssl", "rehash", curdir()])), 1, -- 'Testing rehash operations on readonly directory'); -- } -- chmod 0700, curdir(); # make it writable again, so cleanup works --}, create => 1, cleanup => 1; -- - sub prepare { - my @pemsourcefiles = sort glob(srctop_file('test', "*.pem")); - my @destfiles = (); --- -2.11.0 - diff --git a/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch b/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch deleted file mode 100644 index bb0a1689ed..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch +++ /dev/null @@ -1,88 +0,0 @@ -From bcc096a50811bf0f0c4fd34b2993fed7a7015972 Mon Sep 17 00:00:00 2001 -From: Andy Polyakov -Date: Fri, 3 Nov 2017 23:30:01 +0100 -Subject: [PATCH] aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with - binutils-2.29. - -It's not clear if it's a feature or bug, but binutils-2.29[.1] -interprets 'adr' instruction with Thumb2 code reference differently, -in a way that affects calculation of addresses of constants' tables. - -Upstream-Status: Backport - -Reviewed-by: Tim Hudson -Reviewed-by: Bernd Edlinger -Signed-off-by: Stefan Agner -(Merged from https://github.com/openssl/openssl/pull/4669) - -(cherry picked from commit b82acc3c1a7f304c9df31841753a0fa76b5b3cda) ---- - crypto/aes/asm/aes-armv4.pl | 6 +++--- - crypto/aes/asm/bsaes-armv7.pl | 6 +++--- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl -index 16d79aae53..c6474b8aad 100644 ---- a/crypto/aes/asm/aes-armv4.pl -+++ b/crypto/aes/asm/aes-armv4.pl -@@ -200,7 +200,7 @@ AES_encrypt: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_encrypt - #else -- adr r3,AES_encrypt -+ adr r3,. - #endif - stmdb sp!,{r1,r4-r12,lr} - #ifdef __APPLE__ -@@ -450,7 +450,7 @@ _armv4_AES_set_encrypt_key: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_set_encrypt_key - #else -- adr r3,AES_set_encrypt_key -+ adr r3,. - #endif - teq r0,#0 - #ifdef __thumb2__ -@@ -976,7 +976,7 @@ AES_decrypt: - #ifndef __thumb2__ - sub r3,pc,#8 @ AES_decrypt - #else -- adr r3,AES_decrypt -+ adr r3,. - #endif - stmdb sp!,{r1,r4-r12,lr} - #ifdef __APPLE__ -diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl -index 9f288660ef..a27bb4a179 100644 ---- a/crypto/aes/asm/bsaes-armv7.pl -+++ b/crypto/aes/asm/bsaes-armv7.pl -@@ -744,7 +744,7 @@ $code.=<<___; - .type _bsaes_decrypt8,%function - .align 4 - _bsaes_decrypt8: -- adr $const,_bsaes_decrypt8 -+ adr $const,. - vldmia $key!, {@XMM[9]} @ round 0 key - #ifdef __APPLE__ - adr $const,.LM0ISR -@@ -843,7 +843,7 @@ _bsaes_const: - .type _bsaes_encrypt8,%function - .align 4 - _bsaes_encrypt8: -- adr $const,_bsaes_encrypt8 -+ adr $const,. - vldmia $key!, {@XMM[9]} @ round 0 key - #ifdef __APPLE__ - adr $const,.LM0SR -@@ -951,7 +951,7 @@ $code.=<<___; - .type _bsaes_key_convert,%function - .align 4 - _bsaes_key_convert: -- adr $const,_bsaes_key_convert -+ adr $const,. - vld1.8 {@XMM[7]}, [$inp]! @ load round 0 key - #ifdef __APPLE__ - adr $const,.LM0 --- -2.15.0 - diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb deleted file mode 100644 index 0fd6819fff..0000000000 --- a/meta/recipes-connectivity/openssl/openssl_1.1.0g.bb +++ /dev/null @@ -1,163 +0,0 @@ -SUMMARY = "Secure Socket Layer" -DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." -HOMEPAGE = "http://www.openssl.org/" -BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" -SECTION = "libs/network" - -# "openssl | SSLeay" dual license -LICENSE = "openssl" -LIC_FILES_CHKSUM = "file://LICENSE;md5=cae6da10f4ffd9703214776d2aabce32" - -BBCLASSEXTEND = "native nativesdk" - -SRC_URI[md5sum] = "ba5f1b8b835b88cadbce9b35ed9531a6" -SRC_URI[sha256sum] = "de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af" - -SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ - file://run-ptest \ - file://openssl-c_rehash.sh \ - file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \ - file://0001-Remove-test-that-requires-running-as-non-root.patch \ - file://0001-aes-asm-aes-armv4-bsaes-armv7-.pl-make-it-work-with-.patch \ - " - -S = "${WORKDIR}/openssl-${PV}" - -inherit lib_package multilib_header ptest - -do_configure () { - os=${HOST_OS} - case $os in - linux-uclibc |\ - linux-uclibceabi |\ - linux-gnueabi |\ - linux-uclibcspe |\ - linux-gnuspe |\ - linux-musl*) - os=linux - ;; - *) - ;; - esac - target="$os-${HOST_ARCH}" - case $target in - linux-arm) - target=linux-armv4 - ;; - linux-armeb) - target=linux-armv4 - ;; - linux-aarch64*) - target=linux-aarch64 - ;; - linux-sh3) - target=linux-generic32 - ;; - linux-sh4) - target=linux-generic32 - ;; - linux-i486) - target=linux-elf - ;; - linux-i586 | linux-viac3) - target=linux-elf - ;; - linux-i686) - target=linux-elf - ;; - linux-gnux32-x86_64) - target=linux-x32 - ;; - linux-gnu64-x86_64) - target=linux-x86_64 - ;; - linux-mips) - # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-mipsel) - target="linux-mips32 ${TARGET_CC_ARCH}" - ;; - linux-gnun32-mips*) - target=linux-mips64 - ;; - linux-*-mips64 | linux-mips64) - target=linux64-mips64 - ;; - linux-*-mips64el | linux-mips64el) - target=linux64-mips64 - ;; - linux-microblaze*|linux-nios2*) - target=linux-generic32 - ;; - linux-powerpc) - target=linux-ppc - ;; - linux-powerpc64) - target=linux-ppc64 - ;; - linux-riscv64) - target=linux-generic64 - ;; - linux-riscv32) - target=linux-generic32 - ;; - linux-supersparc) - target=linux-sparcv9 - ;; - linux-sparc) - target=linux-sparcv9 - ;; - darwin-i386) - target=darwin-i386-cc - ;; - esac - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi - libdirleaf="$(echo ${libdir} | sed s:$useprefix::)" - perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdirleaf} $target -} - -#| engines/afalg/e_afalg.c: In function 'eventfd': -#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function) -#| return syscall(__NR_eventfd, n); -#| ^~~~~~~~~~~~ -EXTRA_OECONF_aarch64 += "no-afalgeng" - -#| ./libcrypto.so: undefined reference to `getcontext' -#| ./libcrypto.so: undefined reference to `setcontext' -#| ./libcrypto.so: undefined reference to `makecontext' -EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC" - -do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install - oe_multilib_header openssl/opensslconf.h -} - -do_install_append_class-native () { - # Install a custom version of c_rehash that can handle sysroots properly. - # This version is used for example when installing ca-certificates during - # image creation. - install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash - sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash -} - -do_install_ptest() { - cp -r * ${D}${PTEST_PATH} - - # Putting .so files in ptest package will mess up the dependencies of the main openssl package - # so we rename them to .so.ptest and patch the test accordingly - mv ${D}${PTEST_PATH}/libcrypto.so ${D}${PTEST_PATH}/libcrypto.so.ptest - mv ${D}${PTEST_PATH}/libssl.so ${D}${PTEST_PATH}/libssl.so.ptest - sed -i 's/$target{shared_extension_simple}/".so.ptest"/' ${D}${PTEST_PATH}/test/recipes/90-test_shlibload.t -} - -RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions bash python" - -FILES_${PN} =+ " ${libdir}/ssl-1.1/*" - -PACKAGES =+ "${PN}-engines" -FILES_${PN}-engines = "${libdir}/engines-1.1" - diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb new file mode 100644 index 0000000000..94b75eb92a --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl_1.1.0h.bb @@ -0,0 +1,161 @@ +SUMMARY = "Secure Socket Layer" +DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools." +HOMEPAGE = "http://www.openssl.org/" +BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html" +SECTION = "libs/network" + +# "openssl | SSLeay" dual license +LICENSE = "openssl" +LIC_FILES_CHKSUM = "file://LICENSE;md5=d57d511030c9d66ef5f5966bee5a7eff" + +BBCLASSEXTEND = "native nativesdk" + +SRC_URI[md5sum] = "5271477e4d93f4ea032b665ef095ff24" +SRC_URI[sha256sum] = "5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517" + +SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ + file://run-ptest \ + file://openssl-c_rehash.sh \ + file://0001-Take-linking-flags-from-LDFLAGS-env-var.patch \ + " + +S = "${WORKDIR}/openssl-${PV}" + +inherit lib_package multilib_header ptest + +do_configure () { + os=${HOST_OS} + case $os in + linux-uclibc |\ + linux-uclibceabi |\ + linux-gnueabi |\ + linux-uclibcspe |\ + linux-gnuspe |\ + linux-musl*) + os=linux + ;; + *) + ;; + esac + target="$os-${HOST_ARCH}" + case $target in + linux-arm) + target=linux-armv4 + ;; + linux-armeb) + target=linux-armv4 + ;; + linux-aarch64*) + target=linux-aarch64 + ;; + linux-sh3) + target=linux-generic32 + ;; + linux-sh4) + target=linux-generic32 + ;; + linux-i486) + target=linux-elf + ;; + linux-i586 | linux-viac3) + target=linux-elf + ;; + linux-i686) + target=linux-elf + ;; + linux-gnux32-x86_64) + target=linux-x32 + ;; + linux-gnu64-x86_64) + target=linux-x86_64 + ;; + linux-mips) + # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags + target="linux-mips32 ${TARGET_CC_ARCH}" + ;; + linux-mipsel) + target="linux-mips32 ${TARGET_CC_ARCH}" + ;; + linux-gnun32-mips*) + target=linux-mips64 + ;; + linux-*-mips64 | linux-mips64) + target=linux64-mips64 + ;; + linux-*-mips64el | linux-mips64el) + target=linux64-mips64 + ;; + linux-microblaze*|linux-nios2*) + target=linux-generic32 + ;; + linux-powerpc) + target=linux-ppc + ;; + linux-powerpc64) + target=linux-ppc64 + ;; + linux-riscv64) + target=linux-generic64 + ;; + linux-riscv32) + target=linux-generic32 + ;; + linux-supersparc) + target=linux-sparcv9 + ;; + linux-sparc) + target=linux-sparcv9 + ;; + darwin-i386) + target=darwin-i386-cc + ;; + esac + useprefix=${prefix} + if [ "x$useprefix" = "x" ]; then + useprefix=/ + fi + libdirleaf="$(echo ${libdir} | sed s:$useprefix::)" + perl ./Configure ${EXTRA_OECONF} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdirleaf} $target +} + +#| engines/afalg/e_afalg.c: In function 'eventfd': +#| engines/afalg/e_afalg.c:110:20: error: '__NR_eventfd' undeclared (first use in this function) +#| return syscall(__NR_eventfd, n); +#| ^~~~~~~~~~~~ +EXTRA_OECONF_aarch64 += "no-afalgeng" + +#| ./libcrypto.so: undefined reference to `getcontext' +#| ./libcrypto.so: undefined reference to `setcontext' +#| ./libcrypto.so: undefined reference to `makecontext' +EXTRA_OECONF_libc-musl += "-DOPENSSL_NO_ASYNC" + +do_install () { + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install + oe_multilib_header openssl/opensslconf.h +} + +do_install_append_class-native () { + # Install a custom version of c_rehash that can handle sysroots properly. + # This version is used for example when installing ca-certificates during + # image creation. + install -Dm 0755 ${WORKDIR}/openssl-c_rehash.sh ${D}${bindir}/c_rehash + sed -i -e 's,/etc/openssl,${sysconfdir}/ssl,g' ${D}${bindir}/c_rehash +} + +do_install_ptest() { + cp -r * ${D}${PTEST_PATH} + + # Putting .so files in ptest package will mess up the dependencies of the main openssl package + # so we rename them to .so.ptest and patch the test accordingly + mv ${D}${PTEST_PATH}/libcrypto.so ${D}${PTEST_PATH}/libcrypto.so.ptest + mv ${D}${PTEST_PATH}/libssl.so ${D}${PTEST_PATH}/libssl.so.ptest + sed -i 's/$target{shared_extension_simple}/".so.ptest"/' ${D}${PTEST_PATH}/test/recipes/90-test_shlibload.t +} + +RDEPENDS_${PN}-ptest += "perl-module-file-spec-functions bash python" + +FILES_${PN} =+ " ${libdir}/ssl-1.1/*" + +PACKAGES =+ "${PN}-engines" +FILES_${PN}-engines = "${libdir}/engines-1.1" + -- cgit 1.2.3-korg