Update libcrypto.a symlink to the proper location.
[YOCTO #9523]
(From OE-Core rev: 3d6884a99a170a2d1925ed347431518fff3cf367)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Debian and other generic distributions has moved the certificates for
sysconfdir (/etc/ssl) and made the libdir content to link for it.
This provides several advantages specially for read-only
rootfs. Another benefit is that it ensures foreign implementations
(e.g: BoringSSL, from Chromium, when running with OpenSSL backend for
the certificates) to find the content correctly.
(From OE-Core rev: 50d63fa346bbb05dafffc0cb55e21e1092272d95)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-2105
CVE-2016-2106
CVE-2016-2109
CVE-2016-2176
https://www.openssl.org/news/secadv/20160503.txt
fixup openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
drop crypto_use_bigint_in_x86-64_perl.patch as that fix is in latest.
(From OE-Core rev: c693f34f54257a8eca9fe8c5a9eee5647b7eeb0c)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For now, if 'openssl' is enabled for ntp, ntp would still be built
without openssl & libcrypto. This is because that ntp thinks openssl
and libcrypto locates under the same directory.
This patch removes the codes of moving libcrypto to base_libdir.
(From OE-Core rev: 0be2ab32f690a2fcba0e821abe11460958bbc6dc)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Apply a patch taken from Gentoo to hopefully fix the remaining parallel make
races.
(From OE-Core rev: 3d806d59a4c5e8ff35c7e7c5a3a6ef85e2b4b259)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Machine specific over-rides for mtx-1 (aka MeshCube) and
mtx-2 (aka SurfBox 2nd generation) don't belong in oe-core.
(From OE-Core rev: cf0b94629d135b2fa211fae89f48e00469974279)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The openssl recipe currently relies on EXTRA_OEMAKE having been set to
"-e MAKEFLAGS=" in bitbake.conf to operate. It is necessary to make this
explicit so that the default in bitbake.conf can be changed.
(From OE-Core rev: a384ab5cb4701fd1c1475bca4449def66b42c799)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
o DH small subgroups (CVE-2016-0701)
o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Updated LICENSE hash due to change in copyright year.
(From OE-Core rev: b451e3efc79d29c39c85f7da2dc75becf3fdf5a2)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The code in native.bbclass adds -native suffix to the package
names that don't have it. perl-native-runtime becomes
perl-native-runtime-native because of this.
Renamed perl-native-runtime -> hostperl-runtime-native to avoid
mangling it and to conform with the naming convetion for native
packages.
(From OE-Core rev: f4dade8e765a8c7bfd131728b9e0a34631e24950)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In some recipes overly-split -dbg packages were merged into PN-dbg. Unless
there's a very good reason, recipes should have a single -dev and -dbg package.
(From OE-Core rev: a3b000643898d7402b9e57c02e8d10e677cc9722)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
openssl 1.0.2d fixes the parallel make problems (commit 8e6bb99), so enable
parallel make again.
[ YOCTO #7347 ]
(From OE-Core rev: ea89857f17a374b6095371ebe2422d2e83735cee)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* follow symbolic links while copying sources from test/*
* install required target files to remove Make errors:
make[2]: *** No rule to make target 'xxx', needed by 'yyy'.
* fix hardcode pathes:
/usr/lib -> ${libdir}, /usr/bin -> ${bindir}
(From OE-Core rev: 928adfc807d3c812fcd748e2cf65f392eebd852c)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For clarity and correctness of source archiving, don't move find.pl from WORKDIR
to S in do_configure_prepend but tell the fetcher to put it in the right place
when unpacking.
Also re-order the files in SRC_URI so that patches are grouped together.
(From OE-Core rev: a960b6024f1b17994b0f4683a4e70fd2a079bd90)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The crypto_use_bigint_in_x86-64_perl patch uses the "bigint" module to
transparently support 64-bit integers on 32-bit hosts. Whilst bigint (part of
bignum) is a core Perl module not all distributions install it (notable Fedora
23).
As the error message when bignum isn't installed is obscure, add a task to check
that it is available and alert the user if it isn't.
[ YOCTO #8562 ]
(From OE-Core rev: 2f9a2fbc46aa435a0a7f7662bb62029ac714f25a)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We need these to be consistent so they are possible to programmatically
read.
(From OE-Core rev: c64fdfd27103a4962c74c88f4ef7940cda6832eb)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Match target name linux-mips64 as well, all mips64 targets will have
mips(32) userspace.
(From OE-Core rev: 245113ca1075bc3f0c47952e80b437229f855080)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove dependencies for test targets. Otherwise, during ptest
execution, "make" tries to rebuild those executables and fails
there.
[YOCTO #8059]
(From OE-Core rev: 0efdd2236ec7f16f99847c6c372f372f81c56869)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This upgrade fixes CVE-2015-1793
Removed openssl-fix-link.patch. The linking issue has been fixed in openssl.
(From OE-Core rev: 631632addbc81b06b7accfca8f8a9871d6b09111)
Signed-off-by: Jan Wetter <jan.wetter@mikrom.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
upgrade to fix the CVE: CVE-2015-1788..CVE-2015-1792 and CVE-2014-8176
remove a backport patch
update the c_rehash-compat.patch
(From OE-Core rev: 5a70e45b8c6cb0fa7ea4fe1b326ad604508d00cb)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix build on Fedora 21 i686.
When building on x32 systems where the default type is 32bit,
make sure that 64bit integers can be represented transparently.
(From OE-Core rev: cd3eddcf2842b9a360f72caf4337ab2968462bb2)
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Previous patch had a concern as well and this is a direct backport of
the patch fixing the problem.
(From OE-Core rev: 3d48bb6d2d65d0837dcacc262633a55053652e5f)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Patch is submitted upstream as well
(From OE-Core rev: 40016c7c19abdbdae4fcd86fab9672631f26712b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
padlock_conf.patch will enable the padlock engine by default,
but this engine does not work on some 32bit machine, and lead
to openssl unable to work
(From OE-Core rev: f7d186abca6ed9b48ae7393b8f244e1bfb46cb41)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The virtclass-native is out of date.
(From OE-Core rev: ed51b382928ee5f14d524e08a00a0c8931c491c5)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removed:
- openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
- upgate-vegsion-script-for-1.0.2.patch
Since they are already in the source.
- make-targets.patch
It removed test dir from DIRS, which is not needed any more since we
need build it.
(From OE-Core rev: 5fa533c69f92f2dd46c795509b0830b36413b814)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
on some hosts openssl fails to build with this error:
ghash-x86_64.s: Assembler messages:
ghash-x86_64.s:890: Error: junk '.15473355479995e+19' after expression
backported fix from community.
(From OE-Core rev: 8230f873921d5c16106e3ebf57053a646bc6ad78)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rebased numerous patches
removed aarch64 initial work since it's part of upstream now
Imported a few additional patches from Debian to support the version-script
and blacklist additional bad certificates.
(From OE-Core rev: 10b689033551c37d6cafa284d82bdccd43f6113e)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit 7502fa5feb.
We keep seeing parallel make failures in openssl :(
(From OE-Core rev: 9afc85a7be203c5a0eac1977e777a24504cb3088)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Because of the SSLv3 POODLE vulnerability, it's preferred to simply disable
SSLv3 even if patched with the TLS_FALLBACK_SCSV
(From OE-Core rev: 4e691d06ffdb4d1fd940996f419308fe53454df7)
Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade includes 8 CVE bug fixes
(From OE-Core rev: 5dc197f0b2a088d8a88480da0afc886c745f551b)
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Map the microblaze architecture to the linux-generic32 target.
(From OE-Core rev: 7ea1979f687777bcafec393b6ab126ec11017074)
Signed-off-by: Nathan Rossi <nathan.rossi@xilinx.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This causes the package to not be relocateable from sstate
The OpenSSL binaries respect a few environment variables for determining
locations of files, so we now use these to point the binaries to the
relocated locations.
[YOCTO #6827]
(From OE-Core rev: 771d3123331fbfab1eb9ce47e3013eabcb2248f5)
Signed-off-by: André Draszik <adraszik@digisoft.tv>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With last restructuring for musl, some of uclibc targets got ignored
fsl/ppc and ARM worked ok since they use special target triplets which
were already considered but other like mips, x86 and so on failed
(From OE-Core rev: 63ab0ce2103bcf3a42ce5812a22409779126e114)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
'make rehash' used the compiled openssl to get hash value
for files, it always failed when cross compiling:
/path/to/openssl/1.0.1i-r0/openssl-1.0.1i/util/shlib_wrap.sh:
line 96: /path/to/openssl/1.0.1i-r0/openssl-1.0.1i/util/../apps/openssl:
cannot execute binary file
so add DEPENDS on openssl-native for target package and use it
instead of the one compiled from target package.
(From OE-Core rev: 9705586b6eca157e8f8fd6071f489a49bf1db181)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add some missing dependencies and fix the Makefile in order to get most
of the ptest tests working (specifically test_bn, test_verify, test_cms,
test_srp and test_heartbeat). test_verify still fails for unknown
reasons (perhaps some of the now expired certificates weren't meant to
have expired as far as the test is concerned?) but at least it has the
certificates to run now.
(From OE-Core rev: c679ec81c19dd2b5e366b713801785ce0ba5b49a)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes the following security issues:
* CVE-2014-0224
* CVE-2014-0221
* CVE-2014-0195
* CVE-2014-3470
The patch for CVE-2010-5298, CVE-2014-0198 and a fix for building the
documentation are integrated upstream in this release and so were
dropped. Additionally, a patch from upstream was added in order to
fix a failure during do_compile_ptest_base.
A similar upgrade was also submitted by Yao Xinpan <yaoxp@cn.fujitsu.com>
and Lei Maohui <leimaohui@cn.fujitsu.com>.
(From OE-Core rev: a3e80de6d423c272a287bf3538196b48ac5ddec1)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
make openssl-CVE-2010-5298.patch truely work
(From OE-Core rev: eab33442480cc27a5cd00b3f46984fea74b7c0f9)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
(From OE-Core rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch is not included in 1.0.1g, but it is included on 1.0.2
branch.
(From OE-Core rev: f99ca886da274fafa212e354f9e4871eb7e59e87)
Signed-off-by: Cristiana Voicu <cristiana.voicu@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
