openssl: Upgrade 3.1.1 -> 3.1.2

https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-311-and-openssl-312-1-aug-2023 Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] * Fix excessive time spent checking DH q parameter value (CVE-2023-3817) * Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) * Do not ignore empty associated data entries with AES-SIV (CVE-2023-2975) * When building with the enable-fips option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret and the Hash and HMAC DRBGs will not operate with truncated digests. (From OE-Core rev: e65802383b02df6f502af859a927309d881bbb27) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2023-08-01 18:36:41 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-08-16 07:54:38 +0100
commit: 71193e58b0df5541d28dd488c211666e40eafa71 (patch)
tree: 79550de879d8d1a214bcafa977d76ed05e5e9133 /meta/recipes-connectivity/openssl/openssl_3.1.2.bb
parent: d724ec6f040dc4eb5965a791b93d9956f37206a2 (diff)
download: poky-71193e58b0df5541d28dd488c211666e40eafa71.tar.gz
1 files changed, 259 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.2.bb b/meta/recipes-connectivity/openssl/openssl_3.1.2.bb
new file mode 100644
index 0000000000..817bfedee1
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.2.bb
@@ -0,0 +1,259 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+           file://run-ptest \
+           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
+           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://fix_random_labels.patch \
+           "
+SRC_URI:append:class-nativesdk = " \
+           file://environment.d-openssl.sh \
+           "
+SRC_URI[sha256sum] = "a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539"
+inherit lib_package multilib_header multilib_script ptest perlnative
+MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
+PACKAGECONFIG ?= ""
+PACKAGECONFIG:class-native = ""
+PACKAGECONFIG:class-nativesdk = ""
+PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[no-tls1] = "no-tls1"
+PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+B = "${WORKDIR}/build"
+do_configure[cleandirs] = "${B}"
+#| ./libcrypto.so: undefined reference to `getcontext'
+#| ./libcrypto.so: undefined reference to `setcontext'
+#| ./libcrypto.so: undefined reference to `makecontext'
+EXTRA_OECONF:append:libc-musl = " no-async"
+EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
+# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
+# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
+EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
+# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
+CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+# This allows disabling deprecated or undesirable crypto algorithms.
+# The default is to trust upstream choices.
+DEPRECATED_CRYPTO_FLAGS ?= ""
+do_configure () {
+        # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
+        # the issue really clear that perl isn't functional due to symbol mismatch issues.
+        cat <<- EOF > ${WORKDIR}/perltest
+        #!/usr/bin/env perl
+        use POSIX;
+        EOF
+        chmod a+x ${WORKDIR}/perltest
+        ${WORKDIR}/perltest
+        os=${HOST_OS}
+        case $os in
+        linux-gnueabi |\
+        linux-gnuspe |\
+        linux-musleabi |\
+        linux-muslspe |\
+        linux-musl )
+                os=linux
+                ;;
+        *)
+                ;;
+        esac
+        target="$os-${HOST_ARCH}"
+        case $target in
+        linux-arc | linux-microblaze*)
+                target=linux-latomic
+                ;;
+        linux-arm*)
+                target=linux-armv4
+                ;;
+        linux-aarch64*)
+                target=linux-aarch64
+                ;;
+        linux-i?86 | linux-viac3)
+                target=linux-x86
+                ;;
+        linux-gnux32-x86_64 | linux-muslx32-x86_64 )
+                target=linux-x32
+                ;;
+        linux-gnu64-x86_64)
+                target=linux-x86_64
+                ;;
+        linux-mips | linux-mipsel)
+                # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
+                target="linux-mips32 ${TARGET_CC_ARCH}"
+                ;;
+        linux-gnun32-mips*)
+                target=linux-mips64
+                ;;
+        linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
+                target=linux64-mips64
+                ;;
+        linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+                target=linux-generic32
+                ;;
+        linux-powerpc)
+                target=linux-ppc
+                ;;
+        linux-powerpc64)
+                target=linux-ppc64
+                ;;
+        linux-powerpc64le)
+                target=linux-ppc64le
+                ;;
+        linux-riscv32)
+                target=linux-latomic
+                ;;
+        linux-riscv64)
+                target=linux-generic64
+                ;;
+        linux-sparc | linux-supersparc)
+                target=linux-sparcv9
+                ;;
+        mingw32-x86_64)
+                target=mingw64
+                ;;
+        esac
+        useprefix=${prefix}
+        if [ "x$useprefix" = "x" ]; then
+                useprefix=/
+        fi
+        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
+        # environment variables set by bitbake. Adjust the environment variables instead.
+        PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
+        test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
+        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
+        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+        perl ${B}/configdata.pm --dump
+}
+do_install () {
+        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
+        oe_multilib_header openssl/opensslconf.h
+        oe_multilib_header openssl/configuration.h
+        # Create SSL structure for packages such as ca-certificates which
+        # contain hard-coded paths to /etc/ssl. Debian does the same.
+        install -d ${D}${sysconfdir}/ssl
+        mv ${D}${libdir}/ssl-3/certs \
+           ${D}${libdir}/ssl-3/private \
+           ${D}${libdir}/ssl-3/openssl.cnf \
+           ${D}${sysconfdir}/ssl/
+        # Although absolute symlinks would be OK for the target, they become
+        # invalid if native or nativesdk are relocated from sstate.
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+}
+do_install:append:class-native () {
+        create_wrapper ${D}${bindir}/openssl \
+            OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
+            SSL_CERT_DIR=${libdir}/ssl-3/certs \
+            SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
+            OPENSSL_ENGINES=${libdir}/engines-3 \
+            OPENSSL_MODULES=${libdir}/ossl-modules
+}
+do_install:append:class-nativesdk () {
+        mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+        install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+        sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+}
+PTEST_BUILD_HOST_FILES += "configdata.pm"
+PTEST_BUILD_HOST_PATTERN = "perl_version ="
+do_install_ptest () {
+        install -d ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
+        # Prune the build tree
+        rm -f ${B}/fuzz/*.* ${B}/test/*.*
+        cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
+        cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
+        # For test_shlibload
+        ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
+        ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
+        install -d ${D}${PTEST_PATH}/apps
+        ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
+        install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
+        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
+        install -d ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
+        install -d ${D}${PTEST_PATH}/providers
+        install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
+        install -d ${D}${PTEST_PATH}/Configurations
+        cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
+        # seems to be needed with perl 5.32.1
+        install -d ${D}${PTEST_PATH}/util/perl/recipes
+        cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
+}
+# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
+# package RRECOMMENDS on this package. This will enable the configuration
+# file to be installed for both the openssl-bin package and the libcrypto
+# package since the openssl-bin package depends on the libcrypto package.
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES:libssl = "${libdir}/libssl${SOLIBS}"
+FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
+                      ${libdir}/ssl-3/openssl.cnf* \
+                      "
+FILES:${PN}-engines = "${libdir}/engines-3"
+# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
+FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
+FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
+CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
+RDEPENDS:${PN}-misc = "perl"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
+RDEPENDS:${PN}-bin += "openssl-conf"
+BBCLASSEXTEND = "native nativesdk"
+CVE_PRODUCT = "openssl:openssl"
+CVE_VERSION_SUFFIX = "alphabetical"
+# Apache in meta-webserver is already recent enough
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
author	Peter Marko <peter.marko@siemens.com>	2023-08-01 18:36:41 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-08-16 07:54:38 +0100
commit	71193e58b0df5541d28dd488c211666e40eafa71 (patch)
tree	79550de879d8d1a214bcafa977d76ed05e5e9133 /meta/recipes-connectivity/openssl/openssl_3.1.2.bb
parent	d724ec6f040dc4eb5965a791b93d9956f37206a2 (diff)
download	poky-71193e58b0df5541d28dd488c211666e40eafa71.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.2.bb b/meta/recipes-connectivity/openssl/openssl_3.1.2.bb new file mode 100644 index 0000000000..817bfedee1 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl_3.1.2.bb
@@ -0,0 +1,259 @@
	1	SUMMARY = "Secure Socket Layer"
	2	DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
	3	HOMEPAGE = "http://www.openssl.org/"
	4	BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
	5	SECTION = "libs/network"
	6
	7	LICENSE = "Apache-2.0"
	8	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
	9
	10	SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
	11	file://run-ptest \
	12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
	13	file://0001-Configure-do-not-tweak-mips-cflags.patch \
	14	file://fix_random_labels.patch \
	15	"
	16
	17	SRC_URI:append:class-nativesdk = " \
	18	file://environment.d-openssl.sh \
	19	"
	20
	21	SRC_URI[sha256sum] = "a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539"
	22
	23	inherit lib_package multilib_header multilib_script ptest perlnative
	24	MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
	25
	26	PACKAGECONFIG ?= ""
	27	PACKAGECONFIG:class-native = ""
	28	PACKAGECONFIG:class-nativesdk = ""
	29
	30	PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
	31	PACKAGECONFIG[no-tls1] = "no-tls1"
	32	PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
	33
	34	B = "${WORKDIR}/build"
	35	do_configure[cleandirs] = "${B}"
	36
	37	#\| ./libcrypto.so: undefined reference to `getcontext'
	38	#\| ./libcrypto.so: undefined reference to `setcontext'
	39	#\| ./libcrypto.so: undefined reference to `makecontext'
	40	EXTRA_OECONF:append:libc-musl = " no-async"
	41	EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
	42
	43	# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
	44	# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
	45	EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
	46	EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
	47
	48	# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
	49	CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
	50	CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
	51
	52	# This allows disabling deprecated or undesirable crypto algorithms.
	53	# The default is to trust upstream choices.
	54	DEPRECATED_CRYPTO_FLAGS ?= ""
	55
	56	do_configure () {
	57	# When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
	58	# the issue really clear that perl isn't functional due to symbol mismatch issues.
	59	cat <<- EOF > ${WORKDIR}/perltest
	60	#!/usr/bin/env perl
	61	use POSIX;
	62	EOF
	63	chmod a+x ${WORKDIR}/perltest
	64	${WORKDIR}/perltest
	65
	66	os=${HOST_OS}
	67	case $os in
	68	linux-gnueabi \|\
	69	linux-gnuspe \|\
	70	linux-musleabi \|\
	71	linux-muslspe \|\
	72	linux-musl )
	73	os=linux
	74	;;
	75	*)
	76	;;
	77	esac
	78	target="$os-${HOST_ARCH}"
	79	case $target in
	80	linux-arc \| linux-microblaze*)
	81	target=linux-latomic
	82	;;
	83	linux-arm*)
	84	target=linux-armv4
	85	;;
	86	linux-aarch64*)
	87	target=linux-aarch64
	88	;;
	89	linux-i?86 \| linux-viac3)
	90	target=linux-x86
	91	;;
	92	linux-gnux32-x86_64 \| linux-muslx32-x86_64 )
	93	target=linux-x32
	94	;;
	95	linux-gnu64-x86_64)
	96	target=linux-x86_64
	97	;;
	98	linux-mips \| linux-mipsel)
	99	# specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
	100	target="linux-mips32 ${TARGET_CC_ARCH}"
	101	;;
	102	linux-gnun32-mips*)
	103	target=linux-mips64
	104	;;
	105	linux--mips64 \| linux-mips64 \| linux--mips64el \| linux-mips64el)
	106	target=linux64-mips64
	107	;;
	108	linux-nios2* \| linux-sh3 \| linux-sh4 \| linux-arc*)
	109	target=linux-generic32
	110	;;
	111	linux-powerpc)
	112	target=linux-ppc
	113	;;
	114	linux-powerpc64)
	115	target=linux-ppc64
	116	;;
	117	linux-powerpc64le)
	118	target=linux-ppc64le
	119	;;
	120	linux-riscv32)
	121	target=linux-latomic
	122	;;
	123	linux-riscv64)
	124	target=linux-generic64
	125	;;
	126	linux-sparc \| linux-supersparc)
	127	target=linux-sparcv9
	128	;;
	129	mingw32-x86_64)
	130	target=mingw64
	131	;;
	132	esac
	133
	134	useprefix=${prefix}
	135	if [ "x$useprefix" = "x" ]; then
	136	useprefix=/
	137	fi
	138	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
	139	# environment variables set by bitbake. Adjust the environment variables instead.
	140	PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
	141	test -d "$PERLEXTERNAL" \|\| bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
	142	HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
	143	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
	144	perl ${B}/configdata.pm --dump
	145	}
	146
	147	do_install () {
	148	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
	149
	150	oe_multilib_header openssl/opensslconf.h
	151	oe_multilib_header openssl/configuration.h
	152
	153	# Create SSL structure for packages such as ca-certificates which
	154	# contain hard-coded paths to /etc/ssl. Debian does the same.
	155	install -d ${D}${sysconfdir}/ssl
	156	mv ${D}${libdir}/ssl-3/certs \
	157	${D}${libdir}/ssl-3/private \
	158	${D}${libdir}/ssl-3/openssl.cnf \
	159	${D}${sysconfdir}/ssl/
	160
	161	# Although absolute symlinks would be OK for the target, they become
	162	# invalid if native or nativesdk are relocated from sstate.
	163	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
	164	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
	165	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
	166	}
	167
	168	do_install:append:class-native () {
	169	create_wrapper ${D}${bindir}/openssl \
	170	OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
	171	SSL_CERT_DIR=${libdir}/ssl-3/certs \
	172	SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
	173	OPENSSL_ENGINES=${libdir}/engines-3 \
	174	OPENSSL_MODULES=${libdir}/ossl-modules
	175	}
	176
	177	do_install:append:class-nativesdk () {
	178	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
	179	install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
	180	sed 's\|/usr/lib/ssl/\|/usr/lib/ssl-3/\|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
	181	}
	182
	183	PTEST_BUILD_HOST_FILES += "configdata.pm"
	184	PTEST_BUILD_HOST_PATTERN = "perl_version ="
	185	do_install_ptest () {
	186	install -d ${D}${PTEST_PATH}/test
	187	install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
	188	install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
	189
	190	# Prune the build tree
	191	rm -f ${B}/fuzz/. ${B}/test/.
	192
	193	cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
	194	sed 's\|${S}\|${PTEST_PATH}\|g' -i ${D}${PTEST_PATH}/configdata.pm
	195	cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
	196
	197	# For test_shlibload
	198	ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
	199	ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
	200
	201	install -d ${D}${PTEST_PATH}/apps
	202	ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
	203	install -m644 ${S}/apps/.pem ${S}/apps/.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
	204	install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
	205
	206	install -d ${D}${PTEST_PATH}/engines
	207	install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
	208	install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
	209	install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
	210
	211	install -d ${D}${PTEST_PATH}/providers
	212	install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
	213
	214	install -d ${D}${PTEST_PATH}/Configurations
	215	cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
	216
	217	# seems to be needed with perl 5.32.1
	218	install -d ${D}${PTEST_PATH}/util/perl/recipes
	219	cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
	220
	221	sed 's\|${S}\|${PTEST_PATH}\|g' -i ${D}${PTEST_PATH}/util/wrap.pl
	222	}
	223
	224	# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
	225	# package RRECOMMENDS on this package. This will enable the configuration
	226	# file to be installed for both the openssl-bin package and the libcrypto
	227	# package since the openssl-bin package depends on the libcrypto package.
	228
	229	PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
	230
	231	FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
	232	FILES:libssl = "${libdir}/libssl${SOLIBS}"
	233	FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
	234	${libdir}/ssl-3/openssl.cnf* \
	235	"
	236	FILES:${PN}-engines = "${libdir}/engines-3"
	237	# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
	238	FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
	239	FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
	240	FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
	241	FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
	242	FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
	243
	244	CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
	245
	246	RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
	247	RDEPENDS:${PN}-misc = "perl"
	248	RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
	249
	250	RDEPENDS:${PN}-bin += "openssl-conf"
	251
	252	BBCLASSEXTEND = "native nativesdk"
	253
	254	CVE_PRODUCT = "openssl:openssl"
	255
	256	CVE_VERSION_SUFFIX = "alphabetical"
	257
	258	# Apache in meta-webserver is already recent enough
	259	CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"