Absolute path symlinks are a bit of a pain for sstate and the native versions
of these recipes currently contain broken symlinks as a result. There are
only a small number of problematic recipes, at least in OE-Core, namely the
three here.
Rather than trying to make sstate handle this magically, which turns out to
be a harder problem than you'd first realise, simply make the symlinks relative
early in the process and avoid all the problems.
The alternative is adding new complexity to sstate which we could really
do without as without the complexity, you can't always tell where the
absolute symlink is relative to (due to prefixes used for native sstate).
(From OE-Core rev: e478550c8cd889f12e336e268e9e3b30827bf840)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
aarch64 target was being configured for linux-generic64 but openssl has
linux-aarch64 target. Change to use linux-aarch64 as default.
(From OE-Core rev: 13e9a692510151383bc3243c3917154896b0e049)
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
"make alltests" is sensitive to the timestamps of the installed
files. Depending on the order in which cp copies files, .o and/or
executables may end up with time stamps older than the source files.
Running tests then triggers recompilation attempts, which typically
will fail because dev tools and files are not installed.
"cp -a" is not enough because the files also have to be newer than
the installed header files. Setting the file time stamps to
the current time explicitly after copying solves the problem because
do_install_ptest_base is guaranteed to run after do_install.
(From OE-Core rev: 101e2a5e0b7822ca3de3d3a73369405c05ab3c5b)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This update fixes several CVEs:
* OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
* SWEET32 Mitigation (CVE-2016-2183)
* OOB write in MDC2_Update() (CVE-2016-6303)
* Malformed SHA512 ticket DoS (CVE-2016-6302)
* OOB write in BN_bn2dec() (CVE-2016-2182)
* OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
* DTLS buffered message DoS (CVE-2016-2179)
* DTLS replay protection DoS (CVE-2016-2181)
* Certificate message OOB reads (CVE-2016-6306)
Of these, only CVE-2016-6304 is considered of high
severity. Everything else is low. CVE-2016-2177 and CVE-2016-2178 were
already fixed via local patches, which can be removed now.
See https://www.openssl.org/news/secadv/20160922.txt for details.
Some patches had to be refreshed and one compile error fix from
upstream's OpenSSL_1_0_2-stable was required. The server.pem
file is needed for test_dtls.
(From OE-Core rev: d6b69279b5d1370d9c4982d5b1842a471cfd2b0e)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
MIPS64 target was being configured for linux-mips which defaults to
MIPS32. Doesn't cause any issue as far as I can see but it would be
wiser to use the correct target configuration.
Also add MIPS64le configuration which is missing.
(From OE-Core rev: 0afec72913bc31d315cba079da317e8b28755ded)
Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Regarding the last commit about missing dependencies, another issue
was found. The problem was found, while ptest has been built with some
set extra settings. It means, when ptest is going to be built,
it is necessary to rebuild dependencies for test directory too.
(From OE-Core rev: 030142d0410bec85aeacfff6be27d5fed41ce808)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Settings from EXTRA_OECONF like en/disable no-ssl3, are transferred
only into DEPFLAGS. It means that settings have no effect on output files.
DEPFLAGS will be transferred into output files with make depend command.
https://wiki.openssl.org/index.php/Compilation_and_Installation#Dependencies
(From OE-Core rev: e3c251427a305780d3257a011260bd978de273d5)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update libcrypto.a symlink to the proper location.
[YOCTO #9523]
(From OE-Core rev: 3d6884a99a170a2d1925ed347431518fff3cf367)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Debian and other generic distributions has moved the certificates for
sysconfdir (/etc/ssl) and made the libdir content to link for it.
This provides several advantages specially for read-only
rootfs. Another benefit is that it ensures foreign implementations
(e.g: BoringSSL, from Chromium, when running with OpenSSL backend for
the certificates) to find the content correctly.
(From OE-Core rev: 50d63fa346bbb05dafffc0cb55e21e1092272d95)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For now, if 'openssl' is enabled for ntp, ntp would still be built
without openssl & libcrypto. This is because that ntp thinks openssl
and libcrypto locates under the same directory.
This patch removes the codes of moving libcrypto to base_libdir.
(From OE-Core rev: 0be2ab32f690a2fcba0e821abe11460958bbc6dc)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Machine specific over-rides for mtx-1 (aka MeshCube) and
mtx-2 (aka SurfBox 2nd generation) don't belong in oe-core.
(From OE-Core rev: cf0b94629d135b2fa211fae89f48e00469974279)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The openssl recipe currently relies on EXTRA_OEMAKE having been set to
"-e MAKEFLAGS=" in bitbake.conf to operate. It is necessary to make this
explicit so that the default in bitbake.conf can be changed.
(From OE-Core rev: a384ab5cb4701fd1c1475bca4449def66b42c799)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The code in native.bbclass adds -native suffix to the package
names that don't have it. perl-native-runtime becomes
perl-native-runtime-native because of this.
Renamed perl-native-runtime -> hostperl-runtime-native to avoid
mangling it and to conform with the naming convetion for native
packages.
(From OE-Core rev: f4dade8e765a8c7bfd131728b9e0a34631e24950)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* follow symbolic links while copying sources from test/*
* install required target files to remove Make errors:
make[2]: *** No rule to make target 'xxx', needed by 'yyy'.
* fix hardcode pathes:
/usr/lib -> ${libdir}, /usr/bin -> ${bindir}
(From OE-Core rev: 928adfc807d3c812fcd748e2cf65f392eebd852c)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Match target name linux-mips64 as well, all mips64 targets will have
mips(32) userspace.
(From OE-Core rev: 245113ca1075bc3f0c47952e80b437229f855080)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The virtclass-native is out of date.
(From OE-Core rev: ed51b382928ee5f14d524e08a00a0c8931c491c5)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
SSLv3 even if patched with the TLS_FALLBACK_SCSV
(From OE-Core rev: 4e691d06ffdb4d1fd940996f419308fe53454df7)
Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Map the microblaze architecture to the linux-generic32 target.
(From OE-Core rev: 7ea1979f687777bcafec393b6ab126ec11017074)
Signed-off-by: Nathan Rossi <nathan.rossi@xilinx.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This causes the package to not be relocateable from sstate
The OpenSSL binaries respect a few environment variables for determining
locations of files, so we now use these to point the binaries to the
relocated locations.
[YOCTO #6827]
(From OE-Core rev: 771d3123331fbfab1eb9ce47e3013eabcb2248f5)
Signed-off-by: André Draszik <adraszik@digisoft.tv>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With last restructuring for musl, some of uclibc targets got ignored
fsl/ppc and ARM worked ok since they use special target triplets which
were already considered but other like mips, x86 and so on failed
(From OE-Core rev: 63ab0ce2103bcf3a42ce5812a22409779126e114)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
'make rehash' used the compiled openssl to get hash value
for files, it always failed when cross compiling:
/path/to/openssl/1.0.1i-r0/openssl-1.0.1i/util/shlib_wrap.sh:
line 96: /path/to/openssl/1.0.1i-r0/openssl-1.0.1i/util/../apps/openssl:
cannot execute binary file
so add DEPENDS on openssl-native for target package and use it
instead of the one compiled from target package.
(From OE-Core rev: 9705586b6eca157e8f8fd6071f489a49bf1db181)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add some missing dependencies and fix the Makefile in order to get most
of the ptest tests working (specifically test_bn, test_verify, test_cms,
test_srp and test_heartbeat). test_verify still fails for unknown
reasons (perhaps some of the now expired certificates weren't meant to
have expired as far as the test is concerned?) but at least it has the
certificates to run now.
(From OE-Core rev: c679ec81c19dd2b5e366b713801785ce0ba5b49a)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Install openssl test suite and run it as ptest.
(From OE-Core rev: c48981d2d24a20978a17866fa478dde21bd96b91)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The base_contains is kept as a compatibility method and we ought to
not use it in OE-Core so we can remove it from base metadata in
future.
(From OE-Core rev: d83b16dbf0862be387f84228710cb165c6d2b03b)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The trigger for the upgrade was the serious "heartbleed" vulnerability
(CVE-2014-0160). More information:
http://www.itnews.com.au/News/382068,serious-openssl-bug-renders-websites-wide-open.aspx
Dropped obsolete patches, because the new version contains them:
0001-Fix-for-TLS-record-tampering-bug-CVE-2013-4353.patch
0001-Fix-DTLS-retransmission-from-previous-session.patch
0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch
Modified 2 patches (small changes), in order to apply properly:
initial-aarch64-bits.patch
openssl-fix-doc.patch
Addresses CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
(From OE-Core rev: ff52836e1838590eeec7d7658e15b21d83cf8455)
Signed-off-by: Cristiana Voicu <cristiana.voicu@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
we need to map OS string correctly to include linux-uclibcspe
which is what we use with ppc+spe on uclibc, additionally move
gnuspe triplet mapping to same code as well
(From OE-Core rev: d9ee01e4043b8b321d7c374797492ef3c4c2e0de)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adding perl to the RDEPENDS caused a performance hit to the overall build time since this was
the only package that depended on perl. The openssl-misc package is not installed by default
so use a PACKAGECONFIG which can be overridden to allow the perl scripts along with perl to
be installed.
(From OE-Core rev: 421e927bd453259f4b3cdbd1676f6e12f97bf34f)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
c_rehash utility is not being installed with openssl.It conveniently
generates hash and symbolic links based on it for CA certificates
stored locally for SSL based server authentication
(From OE-Core rev: 3c2f9cf615c964e8303fd3e225ea7dd7b5485155)
Signed-off-by: Yasir-Khan <yasir_khan@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Add the openssl-conf package to the list of packages to
be created. This package contains the openssl.cnf file
which is used by both the openssl executable in the
openssl package and the libcrypto library.
* This is to avoid messages like:
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
* When running "openssl req" to request and generate a certificate
the command will fail without the openssl.cnf file being
installed on the target system.
* Made this package an RRECOMMENDS for libcrypto since:
* libcrypto is a RDEPENDS for the openssl package
* Users can specify a configuration file at another
location so it is not stricly required and many
commands will work without it (with warnings)
(From OE-Core rev: 5c3ec044838e23539f9fe4cc74da4db2e5b59166)
Signed-off-by: Chase Maupin <Chase.Maupin@ti.com>
Signed-off-by: Qiang Chen <qiang.chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update configure-targets.patch:
- drop linux-aarch64 configuration
Update do_configure():
- add linux-aarch64* case to cover linux-aarch64 and linux-aarch64_be
- use linux-generic64 target in above case
Backport initial-aarch64-bits.patch:
- first order optimizations for Aarch64
(From OE-Core rev: 3252110ee5c8272a1f09563f2a794cac545e29d5)
Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
opensslconf.h conflicts between 32-bit and 64-bit versions.
(From OE-Core rev: 9b1ba604793015aad15c442f590464d0c224794c)
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is no reason to disable exec-stack only for -native builds;
binaries on the target will suffer from the same SELinux ACLs.
OpenSSL does not use executable stack so this option can be disabled
unconditionally.
(From OE-Core rev: 9c32b62d6494139daf4bab3279779c392fead116)
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The overrides virtclass-native and virtclass-nativesdk are deprecated,
which should be replaced by class-native and class-nativesdk.
[YOCTO #3297]
(From OE-Core rev: 37429a94133c0d0bfae71d1d4329aee6dd5eb98b)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The latter variable is only applicable for target builds and could
result in passing incompatible options (and/or failing to pass
required options) to ${BUILD_CC} for a virtclass-native build.
(From OE-Core rev: 0e90a303bc5cb0ede21ff4346843f9daeddfff45)
Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Restore INC_PR to r15 to prevent breakage with out of tree openssl
recipes (e.g, meta-oe).
(From OE-Core rev: 370b186b7c39897b868a5e3798a11a285277f145)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This fix is for dhclient. It needs libcrypto at runtime and if
libcrypto is in libdir, it's path can be inaccessible on systems
where /usr is on nfs for example or dhclient is needed before
/usr is mounted.
(From OE-Core rev: 01ea85f7f6c53c66c76d6f832518b28bf06ec072)
Signed-off-by: Andrei Gherzan <andrei@gherzan.ro>
[Fix comment to from /usr -> /lib - sgw]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add BN_ADDR for address type instead of using BN_ULONG or unsigned long:
1. For W64, address type is unsigned long long, not unsigned long.
2. For x32, address type is unsigned long , not BN_ULONG.
Added a new targetlinux-x32 in the config file
The do_install() code to move lib/* to lib64 is not needed now with the
enhanced multilib support.
Make the x86-64 assembly syntax compatible with x32 compiler.
(From OE-Core rev: 340c14ac49afa1559c12f8848bef9b6ecf24ef35)
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Thanks to meta-oe for this contribution
* Add Patch Upstream-Status info
* Merged the meta-oe version of openssl-1.0.inc with openssl.inc
* Fix make install parallel issue with PARALLEL_MAKEINST = ""
(From OE-Core rev: ee3ed78af2303ad41993ed34fa7825a74de288c7)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Without this change the perl path from the build system is used.
(From OE-Core rev: 1ed8fb66c51ce584c13e592176a69a61bae01f2e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie
Fabio Berton
Zubair Lutfullah Kakakhel
Patrick Ohly
Andrej Valek
Maxin B. John
Otavio Salvador
Andre McCurdy
Chen Qi
Mike Crowe
Ed Bartosh
Khem Raj
Wenzong Fan
Marek Vasut
Robert Yang
Brendan Le Foll
Nathan Rossi
André Draszik
Jackie Huang
Paul Eggleton
Maxin B. John
Cristiana Voicu
Saul Wold
mykhani
Qiang Chen
Koen Kooi
Fathi Boudra
Ming Liu
Enrico Scholz
Randy MacLeod
Phil Blundell
Scott Garman
Andrei Gherzan
Nitin A Kamble